SHA-256 Implementierung on ModSecurity (mbed TLS 4.x)

Easton97-Jens · Easton97-Jens · commit 4e705e7213c6 · 2025-12-16T11:17:06.000+01:00
diff --git a/src/unique_id.cc b/src/unique_id.cc
@@ -56,7 +56,9 @@
 #endif
 #include <string.h>
 
-#include "src/utils/sha1.h"
+/*#include "src/utils/sha1.h"*/
+#include "src/utils/sha256.h"
+
 
 namespace modsecurity {
 
@@ -72,7 +74,9 @@ void UniqueId::fillUniqueId() {
 
     data = macAddress + name;
 
-    this->uniqueId_str = Utils::Sha1::hexdigest(data);
+    /*this->uniqueId_str = Utils::Sha1::hexdigest(data);*/
+    this->uniqueId_str = Utils::Sha256::hexdigest(data);
+
 }
 
 // Based on:
@@ -235,4 +239,4 @@ std::string UniqueId::ethernetMacAddress() {
 }
 
 
-}  // namespace modsecurity
+}  // namespace modsecurity
diff --git a/src/utils/md5.h b/src/utils/md5.h
@@ -8,27 +8,20 @@
 #ifndef SRC_UTILS_MD5_H_
 #define SRC_UTILS_MD5_H_
 
-#include "src/utils/sha1.h"   // bringt DigestImpl und psa/crypto.h rein
+#include "src/utils/sha1.h"   // nutzt DigestImpl + detail::ensure_psa_init()
 #include <string>
 
+#include <psa/crypto.h>       // optional (weil sha1.h es schon inkludiert), aber ok
+
 namespace modsecurity::Utils {
 
-// Wrapper mit gleicher Signatur wie mbedtls_md5,
-// intern aber PSA-API.
+// PSA-Wrapper mit alter Signatur
 inline int modsec_psa_md5(const unsigned char *input,
                           size_t ilen,
                           unsigned char output[16])
 {
-    // sha1.h macht bereits ein lazy psa_crypto_init() in modsec_psa_sha1,
-    // aber falls MD5 vor SHA1 benutzt wird, sorgen wir hier auch nochmal vor.
-    static bool psa_initialized = false;
-
-    if (!psa_initialized) {
-        psa_status_t init_status = psa_crypto_init();
-        if (init_status != PSA_SUCCESS) {
-            return -1;
-        }
-        psa_initialized = true;
+    if (!detail::ensure_psa_init()) {
+        return -1;
     }
 
     size_t out_len = 0;
@@ -41,17 +34,11 @@ inline int modsec_psa_md5(const unsigned char *input,
         &out_len
     );
 
-    if (status != PSA_SUCCESS || out_len != 16) {
-        return -1;
-    }
-
-    return 0;
+    return (status == PSA_SUCCESS && out_len == 16) ? 0 : -1;
 }
 
-// Statt &mbedtls_md5 benutzen wir jetzt &modsec_psa_md5.
-class Md5 : public DigestImpl<&modsec_psa_md5, 16> {
-};
+class Md5 : public DigestImpl<&modsec_psa_md5, 16> {};
 
 }  // namespace modsecurity::Utils
 
-#endif  // SRC_UTILS_MD5_H_
+#endif  // SRC_UTILS_MD5_H_
diff --git a/src/utils/sha1.h b/src/utils/sha1.h
@@ -10,69 +10,85 @@
 
 #include <string>
 #include <string_view>
-#include <cassert>
+#include <mutex>      // NEW: std::once_flag, std::call_once
 
 #include "src/utils/string.h"
 
-// NEU: PSA statt mbedtls/sha1.h
+// PSA statt mbedtls/sha1.h
 #include <psa/crypto.h>
 
 namespace modsecurity::Utils {
 
 using DigestOp = int (*)(const unsigned char *, size_t, unsigned char []);
 
+// Gemeinsamer, thread-sicherer PSA-Init für alle Digests
+namespace detail {
+inline bool ensure_psa_init() {
+    static std::once_flag once;
+    static psa_status_t init_status = PSA_ERROR_GENERIC_ERROR;
+
+    std::call_once(once, []() {
+        init_status = psa_crypto_init();
+    });
+
+    return init_status == PSA_SUCCESS;
+}
+}  // namespace detail
+
 
 template<DigestOp digestOp, int DigestSize>
 class DigestImpl {
  public:
     static std::string digest(const std::string& input) {
-        return digestHelper(input, [](const auto digest) {
+        return digestHelper(input, [](std::string_view digest) {
             return std::string(digest);
         });
     }
 
     static void digestReplace(std::string& value) {
-        digestHelper(value, [&value](const auto digest) mutable {
-            value = digest;
+        digestHelper(value, [&value](std::string_view digest) mutable {
+            value.assign(digest.data(), digest.size());
         });
     }
 
     static std::string hexdigest(const std::string &input) {
-        return digestHelper(input, [](const auto digest) {
+        return digestHelper(input, [](std::string_view digest) {
             return utils::string::string_to_hex(digest);
         });
     }
 
  private:
     template<typename ConvertOp>
-    static auto digestHelper(const std::string &input,
-                             ConvertOp convertOp) -> auto {
-        char digest[DigestSize];
+    static auto digestHelper(const std::string &input, ConvertOp convertOp)
+        -> decltype(convertOp(std::string_view{})) {
 
-        const auto ret = (*digestOp)(
-            reinterpret_cast<const unsigned char *>(input.c_str()),
+        unsigned char digest[DigestSize];
+
+        const int ret = (*digestOp)(
+            reinterpret_cast<const unsigned char *>(input.data()),
             input.size(),
-            reinterpret_cast<unsigned char *>(digest)
+            digest
         );
-        assert(ret == 0);
 
-        return convertOp(std::string_view(digest, DigestSize));
+        // NEW: kein assert-only; in Release sonst potentiell UB.
+        if (ret != 0) {
+            return convertOp(std::string_view{}); // leerer Digest signalisiert Fehler
+        }
+
+        return convertOp(std::string_view(
+            reinterpret_cast<const char*>(digest), DigestSize
+        ));
     }
 };
 
-// NEU: Wrapper, der die PSA-API in die alte Signatur presst.
+
+// PSA-Wrapper mit alter Signatur
 inline int modsec_psa_sha1(const unsigned char *input,
                            size_t ilen,
                            unsigned char output[20])
 {
-    static bool psa_initialized = false;
-
-    if (!psa_initialized) {
-        psa_status_t init_status = psa_crypto_init();
-        if (init_status != PSA_SUCCESS) {
-            return -1;
-        }
-        psa_initialized = true;
+    if (!detail::ensure_psa_init()) {
+        return -1;
     }
 
     size_t out_len = 0;
@@ -85,17 +101,11 @@ inline int modsec_psa_sha1(const unsigned char *input,
         &out_len
     );
 
-    if (status != PSA_SUCCESS || out_len != 20) {
-        return -1;
-    }
-
-    return 0;
+    return (status == PSA_SUCCESS && out_len == 20) ? 0 : -1;
 }
 
-// Statt &mbedtls_sha1 nehmen wir jetzt unseren PSA-Wrapper
-class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {
-};
+class Sha1 : public DigestImpl<&modsec_psa_sha1, 20> {};
 
 }  // namespace modsecurity::Utils
 
-#endif  // SRC_UTILS_SHA1_H_
+#endif  // SRC_UTILS_SHA1_H_
diff --git a/src/utils/sha256.h b/src/utils/sha256.h
@@ -0,0 +1,34 @@
+#ifndef SRC_UTILS_SHA256_H_
+#define SRC_UTILS_SHA256_H_
+
+#include "src/utils/sha1.h"   // bringt DigestImpl + detail::ensure_psa_init()
+#include <psa/crypto.h>
+
+namespace modsecurity::Utils {
+
+inline int modsec_psa_sha256(const unsigned char *input,
+                             size_t ilen,
+                             unsigned char output[32])
+{
+    if (!detail::ensure_psa_init()) {
+        return -1;
+    }
+
+    size_t out_len = 0;
+    psa_status_t status = psa_hash_compute(
+        PSA_ALG_SHA_256,
+        input,
+        ilen,
+        output,
+        32,
+        &out_len
+    );
+
+    return (status == PSA_SUCCESS && out_len == 32) ? 0 : -1;
+}
+
+class Sha256 : public DigestImpl<&modsec_psa_sha256, 32> {};
+
+}  // namespace modsecurity::Utils
+
+#endif  // SRC_UTILS_SHA256_H_
