Update libinjection & Mbed TLS

.github/workflows/ci.yml

@@ -57,8 +57,11 @@ jobs:
           sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \
                                   libfuzzy-dev:${{ matrix.platform.arch }}
       - uses: actions/checkout@v4
-        with:
-          submodules: true
+      - name: get submodules
+        # get submodules manually for git describe to work during build
+        run: |
+          git submodule init
+          git submodule update
       - name: build.sh
         run: ./build.sh
       - name: configure
@@ -105,8 +108,11 @@ jobs:
                        bison \
                        flex
       - uses: actions/checkout@v4
-        with:
-          submodules: true
+      - name: get submodules
+        # get submodules manually for git describe to work during build
+        run: |
+          git submodule init
+          git submodule update
       - name: build.sh
         run: ./build.sh
       - name: configure
@@ -135,8 +141,11 @@ jobs:
           - {label: "wo libxml",  opt: "-WITHOUT_LIBXML2=ON" }
     steps:
       - uses: actions/checkout@v4
-        with:
-          submodules: true
+      - name: Get submodules
+        # get submodules manually for git describe to work during build
+        run: |
+          git submodule init
+          git submodule update
       - name: Install Conan
         run: |
           pip3 install conan --upgrade

.gitmodules

@@ -7,3 +7,6 @@
 [submodule "bindings/python"]
 	path = bindings/python
 	url = https://github.com/owasp-modsecurity/ModSecurity-Python-bindings.git
+[submodule "others/mbedtls"]
+	path = others/mbedtls
+	url = https://github.com/Mbed-TLS/mbedtls.git

Makefile.am

@@ -63,7 +63,7 @@ cppcheck:
 		--enable=warning,style,performance,portability,unusedFunction,missingInclude \
 		--inconclusive \
 		--template="warning: {file},{line},{severity},{id},{message}" \
-		-I headers -I . -I others -I src -I others/mbedtls -I src/parser \
+		-I headers -I . -I others -I src -I others/mbedtls/include -I src/parser \
 		--error-exitcode=1 \
 		-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
 		--force --verbose .

build/win32/CMakeLists.txt

@@ -14,7 +14,7 @@ option(USE_ASAN        "Build with Address Sanitizer" OFF)
 
 # NOTE: MBEDTLS_CONFIG_FILE is not only required to compile the mbedtls subset in others, but also
 # when their headers are included while compiling libModSecurity
-add_compile_definitions(WIN32 _CRT_SECURE_NO_WARNINGS MBEDTLS_CONFIG_FILE="mbed-tls-config.h")
+add_compile_definitions(WIN32 _CRT_SECURE_NO_WARNINGS MBEDTLS_CONFIG_FILE="mbedtls/mbedtls_config.h")
 
 # set standards conformance preprocessor & compiler to align with cross-compiled codebase
 # NOTE: otherwise visual c++'s default compiler/preprocessor behaviour generates C4067 warnings
@@ -30,15 +30,41 @@ endif()
 
 project(libinjection C)
 
-add_library(libinjection STATIC ${BASE_DIR}/others/libinjection/src/libinjection_sqli.c ${BASE_DIR}/others/libinjection/src/libinjection_xss.c ${BASE_DIR}/others/libinjection/src/libinjection_html5.c)
+set(LIBINJECTION_DIR ${BASE_DIR}/others/libinjection)
 
-# mbedtls
+add_library(libinjection STATIC ${LIBINJECTION_DIR}/src/libinjection_sqli.c ${LIBINJECTION_DIR}/src/libinjection_xss.c ${LIBINJECTION_DIR}/src/libinjection_html5.c)
 
-project(mbedtls C)
+# get libinjection version with git describe
+execute_process(
+    COMMAND git describe
+    WORKING_DIRECTORY ${LIBINJECTION_DIR}
+    OUTPUT_VARIABLE LIBINJECTION_VERSION
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+)
+
+message("-- Detecting libinjection version - ${LIBINJECTION_VERSION}")
+
+target_compile_definitions(libinjection PRIVATE LIBINJECTION_VERSION="${LIBINJECTION_VERSION}")
+
+# mbedtls (mbedcrypto)
+
+project(mbedcrypto C)
 
-add_library(mbedtls STATIC ${BASE_DIR}/others/mbedtls/base64.c ${BASE_DIR}/others/mbedtls/sha1.c ${BASE_DIR}/others/mbedtls/md5.c)
+set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
+
+add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c)
+
+target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include)
+
+# get mbedtls version with git describe
+execute_process(
+    COMMAND git describe
+    WORKING_DIRECTORY ${MBEDTLS_DIR}
+    OUTPUT_VARIABLE MBEDTLS_VERSION
+    OUTPUT_STRIP_TRAILING_WHITESPACE
+)
 
-target_include_directories(mbedtls PRIVATE ${BASE_DIR}/others)
+message("-- Detecting Mbed TLS version - ${MBEDTLS_VERSION}")
 
 #
 # libModSecurity
@@ -112,8 +138,8 @@ file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc)
 add_library(libModSecurity SHARED ${libModSecuritySources})
 
 target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
-target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others)
-target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 pthreads4w::pthreads4w libinjection mbedtls Poco::Poco Iphlpapi.lib)
+target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
+target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 pthreads4w::pthreads4w libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
 
 macro(add_package_dependency project compile_definition link_library flag)
   if(${flag})

configure.ac

@@ -75,6 +75,28 @@ AC_MSG_ERROR([\
 fi
 # Libinjection version
 AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git describe && cd ../..))
+AC_SUBST([LIBINJECTION_VERSION])
+
+# Check for Mbed TLS
+if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
+AC_MSG_ERROR([\
+
+
+  Mbed TLS was not found within ModSecurity source directory.
+
+  Mbed TLS code is available as part of ModSecurity source code in a format
+  of a git-submodule. git-submodule allow us to specify the correct version of
+  Mbed TLS and still uses the Mbed TLS repository to download it.
+
+  You can download Mbed TLS using git:
+
+     $ git submodule init
+     $ git submodule update
+
+   ])
+fi
+# Mbed TLS version
+AC_DEFUN([MBEDTLS_VERSION], m4_esyscmd_s(cd "others/mbedtls" && git describe && cd ../..))
 
 # SecLang test version
 AC_DEFUN([SECLANG_TEST_VERSION], m4_esyscmd_s(cd "test/test-cases/secrules-language-tests" && git log -1 --format="%h" --abbrev-commit && cd ../../..))
@@ -425,6 +447,8 @@ echo " "
 echo " Mandatory dependencies"
 AS_ECHO_N("   + libInjection                                  ....")
 echo LIBINJECTION_VERSION
+AS_ECHO_N("   + Mbed TLS                                      ....")
+echo MBEDTLS_VERSION
 AS_ECHO_N("   + SecLang tests                                 ....")
 echo SECLANG_TEST_VERSION
 

others/Makefile.am

@@ -1,28 +1,33 @@
 
 noinst_LTLIBRARIES = libinjection.la libmbedtls.la
+
 libinjection_la_SOURCES = \
 	libinjection/src/libinjection_html5.c \
 	libinjection/src/libinjection_sqli.c \
 	libinjection/src/libinjection_xss.c
 
+libinjection_la_CFLAGS = -D LIBINJECTION_VERSION=\"${LIBINJECTION_VERSION}\"
+libinjection_la_LIBADD =
+
 noinst_HEADERS = \
 	libinjection/src/libinjection.h \
 	libinjection/src/libinjection_html5.h \
 	libinjection/src/libinjection_sqli.h \
 	libinjection/src/libinjection_sqli_data.h \
 	libinjection/src/libinjection_xss.h \
-	mbedtls/base64.h \
-	mbedtls/check_config.h \
-	mbedtls/mbed-tls-config.h \
-	mbedtls/md5.h \
-	mbedtls/platform.h \
-	mbedtls/sha1.h
+	mbedtls/include/mbedtls/base64.h \
+	mbedtls/include/mbedtls/check_config.h \
+	mbedtls/include/mbedtls/mbedtls_config.h \
+	mbedtls/include/mbedtls/md5.h \
+	mbedtls/include/mbedtls/platform.h \
+	mbedtls/include/mbedtls/sha1.h
 
 libmbedtls_la_SOURCES = \
-	mbedtls/base64.c \
-	mbedtls/md5.c \
-	mbedtls/sha1.c
+	mbedtls/library/base64.c \
+	mbedtls/library/md5.c \
+	mbedtls/library/sha1.c \
+	mbedtls/library/platform_util.c
 
-libmbedtls_la_CFLAGS = -D MBEDTLS_CONFIG_FILE=\"mbed-tls-config.h\" -Iothers
+libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -Imbedtls/include
 libmbedtls_la_CPPFLAGS =
 libmbedtls_la_LIBADD =