github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-15 23:55:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

Change names of HMAC feature to HASH

Browse Source
This commit is contained in:
Breno Silva 2012-10-30 18:02:22 -04:00
parent af22ddf87e
commit 53d422e9de
7 changed files with 162 additions and 160 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGES
View File

@ -1,6 +1,8 @@
29 Oct 2012 - 2.7.1 29 Oct 2012 - 2.7.1
------------------- -------------------
* Changed "Encryption" name of directives and options related to hmac feature to "Hash".
* Added a better random bytes generator using apr_generate_random_bytes() to create * Added a better random bytes generator using apr_generate_random_bytes() to create
the HMAC key. the HMAC key.

116
apache2/apache2_config.c
View File

@ -67,7 +67,7 @@ void *create_directory_config(apr_pool_t *mp, char *path)
dcfg->rule_inheritance = NOT_SET; dcfg->rule_inheritance = NOT_SET;
dcfg->rule_exceptions = apr_array_make(mp, 16, sizeof(rule_exception *)); dcfg->rule_exceptions = apr_array_make(mp, 16, sizeof(rule_exception *));
dcfg->encryption_method = apr_array_make(mp, 16, sizeof(encryption_method *)); dcfg->hash_method = apr_array_make(mp, 16, sizeof(hash_method *));
/* audit log variables */ /* audit log variables */
dcfg->auditlog_flag = NOT_SET; dcfg->auditlog_flag = NOT_SET;
@ -139,8 +139,8 @@ void *create_directory_config(apr_pool_t *mp, char *path)
dcfg->crypto_key_len = NOT_SET; dcfg->crypto_key_len = NOT_SET;
dcfg->crypto_key_add = NOT_SET; dcfg->crypto_key_add = NOT_SET;
dcfg->crypto_param_name = NOT_SET_P; dcfg->crypto_param_name = NOT_SET_P;
dcfg->encryption_is_enabled = NOT_SET; dcfg->hash_is_enabled = NOT_SET;
dcfg->encryption_enforcement = NOT_SET; dcfg->hash_enforcement = NOT_SET;
dcfg->crypto_hash_href_rx = NOT_SET; dcfg->crypto_hash_href_rx = NOT_SET;
dcfg->crypto_hash_faction_rx = NOT_SET; dcfg->crypto_hash_faction_rx = NOT_SET;
dcfg->crypto_hash_location_rx = NOT_SET; dcfg->crypto_hash_location_rx = NOT_SET;
@ -446,8 +446,8 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
merged->rule_exceptions = apr_array_append(mp, parent->rule_exceptions, merged->rule_exceptions = apr_array_append(mp, parent->rule_exceptions,
child->rule_exceptions); child->rule_exceptions);
merged->encryption_method = apr_array_append(mp, parent->encryption_method, merged->hash_method = apr_array_append(mp, parent->hash_method,
child->encryption_method); child->hash_method);
/* audit log variables */ /* audit log variables */
merged->auditlog_flag = (child->auditlog_flag == NOT_SET merged->auditlog_flag = (child->auditlog_flag == NOT_SET
@ -552,7 +552,7 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
merged->col_timeout = (child->col_timeout == NOT_SET merged->col_timeout = (child->col_timeout == NOT_SET
? parent->col_timeout : child->col_timeout); ? parent->col_timeout : child->col_timeout);
/* Encryption */ /* Hash */
merged->crypto_key = (child->crypto_key == NOT_SET_P merged->crypto_key = (child->crypto_key == NOT_SET_P
? parent->crypto_key : child->crypto_key); ? parent->crypto_key : child->crypto_key);
merged->crypto_key_len = (child->crypto_key_len == NOT_SET merged->crypto_key_len = (child->crypto_key_len == NOT_SET
@ -561,10 +561,10 @@ void *merge_directory_configs(apr_pool_t *mp, void *_parent, void *_child)
? parent->crypto_key_add : child->crypto_key_add); ? parent->crypto_key_add : child->crypto_key_add);
merged->crypto_param_name = (child->crypto_param_name == NOT_SET_P merged->crypto_param_name = (child->crypto_param_name == NOT_SET_P
? parent->crypto_param_name : child->crypto_param_name); ? parent->crypto_param_name : child->crypto_param_name);
merged->encryption_is_enabled = (child->encryption_is_enabled == NOT_SET merged->hash_is_enabled = (child->hash_is_enabled == NOT_SET
? parent->encryption_is_enabled : child->encryption_is_enabled); ? parent->hash_is_enabled : child->hash_is_enabled);
merged->encryption_enforcement = (child->encryption_enforcement == NOT_SET merged->hash_enforcement = (child->hash_enforcement == NOT_SET
? parent->encryption_enforcement : child->encryption_enforcement); ? parent->hash_enforcement : child->hash_enforcement);
merged->crypto_hash_href_rx = (child->crypto_hash_href_rx == NOT_SET merged->crypto_hash_href_rx = (child->crypto_hash_href_rx == NOT_SET
? parent->crypto_hash_href_rx : child->crypto_hash_href_rx); ? parent->crypto_hash_href_rx : child->crypto_hash_href_rx);
merged->crypto_hash_faction_rx = (child->crypto_hash_faction_rx == NOT_SET merged->crypto_hash_faction_rx = (child->crypto_hash_faction_rx == NOT_SET
@ -687,13 +687,13 @@ void init_directory_config(directory_config *dcfg)
if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600; if (dcfg->col_timeout == NOT_SET) dcfg->col_timeout = 3600;
/* Encryption */ /* Hash */
if (dcfg->crypto_key == NOT_SET_P) dcfg->crypto_key = getkey(dcfg->mp); if (dcfg->crypto_key == NOT_SET_P) dcfg->crypto_key = getkey(dcfg->mp);
if (dcfg->crypto_key_len == NOT_SET) dcfg->crypto_key_len = strlen(dcfg->crypto_key); if (dcfg->crypto_key_len == NOT_SET) dcfg->crypto_key_len = strlen(dcfg->crypto_key);
if (dcfg->crypto_key_add == NOT_SET) dcfg->crypto_key_add = ENCRYPTION_KEYONLY; if (dcfg->crypto_key_add == NOT_SET) dcfg->crypto_key_add = HASH_KEYONLY;
if (dcfg->crypto_param_name == NOT_SET_P) dcfg->crypto_param_name = "crypt"; if (dcfg->crypto_param_name == NOT_SET_P) dcfg->crypto_param_name = "crypt";
if (dcfg->encryption_is_enabled == NOT_SET) dcfg->encryption_is_enabled = ENCRYPTION_DISABLED; if (dcfg->hash_is_enabled == NOT_SET) dcfg->hash_is_enabled = HASH_DISABLED;
if (dcfg->encryption_enforcement == NOT_SET) dcfg->encryption_enforcement = ENCRYPTION_DISABLED; if (dcfg->hash_enforcement == NOT_SET) dcfg->hash_enforcement = HASH_DISABLED;
if (dcfg->crypto_hash_href_rx == NOT_SET) dcfg->crypto_hash_href_rx = 0; if (dcfg->crypto_hash_href_rx == NOT_SET) dcfg->crypto_hash_href_rx = 0;
if (dcfg->crypto_hash_faction_rx == NOT_SET) dcfg->crypto_hash_faction_rx = 0; if (dcfg->crypto_hash_faction_rx == NOT_SET) dcfg->crypto_hash_faction_rx = 0;
if (dcfg->crypto_hash_location_rx == NOT_SET) dcfg->crypto_hash_location_rx = 0; if (dcfg->crypto_hash_location_rx == NOT_SET) dcfg->crypto_hash_location_rx = 0;
@ -2255,7 +2255,7 @@ static const char *cmd_sensor_id(cmd_parms *cmd, void *_dcfg, const char *p1)
/** /**
* \brief Add SecEncryption configuration option * \brief Add SecHash configuration option
* *
* \param cmd Pointer to configuration data * \param cmd Pointer to configuration data
* \param _dcfg Pointer to directory configuration * \param _dcfg Pointer to directory configuration
@ -2264,18 +2264,18 @@ static const char *cmd_sensor_id(cmd_parms *cmd, void *_dcfg, const char *p1)
* \retval NULL On failure * \retval NULL On failure
* \retval apr_psprintf On Success * \retval apr_psprintf On Success
*/ */
static const char *cmd_encryption_engine(cmd_parms *cmd, void *_dcfg, const char *p1) static const char *cmd_hash_engine(cmd_parms *cmd, void *_dcfg, const char *p1)
{ {
directory_config *dcfg = (directory_config *)_dcfg; directory_config *dcfg = (directory_config *)_dcfg;
if (dcfg == NULL) return NULL; if (dcfg == NULL) return NULL;
if (strcasecmp(p1, "on") == 0) { if (strcasecmp(p1, "on") == 0) {
dcfg->encryption_is_enabled = ENCRYPTION_ENABLED; dcfg->hash_is_enabled = HASH_ENABLED;
dcfg->encryption_enforcement = ENCRYPTION_ENABLED; dcfg->hash_enforcement = HASH_ENABLED;
} }
else if (strcasecmp(p1, "off") == 0) { else if (strcasecmp(p1, "off") == 0) {
dcfg->encryption_is_enabled = ENCRYPTION_DISABLED; dcfg->hash_is_enabled = HASH_DISABLED;
dcfg->encryption_enforcement = ENCRYPTION_DISABLED; dcfg->hash_enforcement = HASH_DISABLED;
} }
else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1); else return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for SecRuleEngine: %s", p1);
@ -2283,7 +2283,7 @@ static const char *cmd_encryption_engine(cmd_parms *cmd, void *_dcfg, const char
} }
/** /**
* \brief Add SecEncryptionPram configuration option * \brief Add SecHashPram configuration option
* *
* \param cmd Pointer to configuration data * \param cmd Pointer to configuration data
* \param _dcfg Pointer to directory configuration * \param _dcfg Pointer to directory configuration
@ -2291,7 +2291,7 @@ static const char *cmd_encryption_engine(cmd_parms *cmd, void *_dcfg, const char
* *
* \retval NULL On success * \retval NULL On success
*/ */
static const char *cmd_encryption_param(cmd_parms *cmd, void *_dcfg, const char *p1) static const char *cmd_hash_param(cmd_parms *cmd, void *_dcfg, const char *p1)
{ {
directory_config *dcfg = (directory_config *)_dcfg; directory_config *dcfg = (directory_config *)_dcfg;
@ -2304,7 +2304,7 @@ static const char *cmd_encryption_param(cmd_parms *cmd, void *_dcfg, const char
} }
/** /**
* \brief Add SecEncryptionKey configuration option * \brief Add SecHashKey configuration option
* *
* \param cmd Pointer to configuration data * \param cmd Pointer to configuration data
* \param _dcfg Pointer to directory configuration * \param _dcfg Pointer to directory configuration
@ -2313,7 +2313,7 @@ static const char *cmd_encryption_param(cmd_parms *cmd, void *_dcfg, const char
* *
* \retval NULL On success * \retval NULL On success
*/ */
static const char *cmd_encryption_key(cmd_parms *cmd, void *_dcfg, const char *_p1, const char *_p2) static const char *cmd_hash_key(cmd_parms *cmd, void *_dcfg, const char *_p1, const char *_p2)
{ {
directory_config *dcfg = (directory_config *)_dcfg; directory_config *dcfg = (directory_config *)_dcfg;
char *p1 = NULL; char *p1 = NULL;
@ -2335,17 +2335,17 @@ static const char *cmd_encryption_key(cmd_parms *cmd, void *_dcfg, const char *_
return NULL; return NULL;
} else { } else {
if (strcasecmp(_p2, "KeyOnly") == 0) if (strcasecmp(_p2, "KeyOnly") == 0)
dcfg->crypto_key_add = ENCRYPTION_KEYONLY; dcfg->crypto_key_add = HASH_KEYONLY;
else if (strcasecmp(_p2, "SessionID") == 0) else if (strcasecmp(_p2, "SessionID") == 0)
dcfg->crypto_key_add = ENCRYPTION_SESSIONID; dcfg->crypto_key_add = HASH_SESSIONID;
else if (strcasecmp(_p2, "RemoteIP") == 0) else if (strcasecmp(_p2, "RemoteIP") == 0)
dcfg->crypto_key_add = ENCRYPTION_REMOTEIP; dcfg->crypto_key_add = HASH_REMOTEIP;
} }
return NULL; return NULL;
} }
/** /**
* \brief Add SecEncryptionMethodPm configuration option * \brief Add SecHashMethodPm configuration option
* *
* \param cmd Pointer to configuration data * \param cmd Pointer to configuration data
* \param _dcfg Pointer to directory configuration * \param _dcfg Pointer to directory configuration
@ -2355,11 +2355,11 @@ static const char *cmd_encryption_key(cmd_parms *cmd, void *_dcfg, const char *_
* \retval NULL On failure * \retval NULL On failure
* \retval apr_psprintf On Success * \retval apr_psprintf On Success
*/ */
static const char *cmd_encryption_method_pm(cmd_parms *cmd, void *_dcfg, static const char *cmd_hash_method_pm(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2) const char *p1, const char *p2)
{ {
directory_config *dcfg = (directory_config *)_dcfg; directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(encryption_method)); rule_exception *re = apr_pcalloc(cmd->pool, sizeof(hash_method));
const char *_p2 = apr_pstrdup(cmd->pool, p2); const char *_p2 = apr_pstrdup(cmd->pool, p2);
ACMP *p = NULL; ACMP *p = NULL;
const char *phrase = NULL; const char *phrase = NULL;
@ -2385,7 +2385,7 @@ static const char *cmd_encryption_method_pm(cmd_parms *cmd, void *_dcfg,
acmp_prepare(p); acmp_prepare(p);
if (strcasecmp(p1, "HashHref") == 0) { if (strcasecmp(p1, "HashHref") == 0) {
re->type = ENCRYPTION_URL_HREF_HASH_PM; re->type = HASH_URL_HREF_HASH_PM;
re->param = _p2; re->param = _p2;
re->param_data = (void *)p; re->param_data = (void *)p;
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2394,7 +2394,7 @@ static const char *cmd_encryption_method_pm(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_href_pm = 1; dcfg->crypto_hash_href_pm = 1;
} }
else if (strcasecmp(p1, "HashFormAction") == 0) { else if (strcasecmp(p1, "HashFormAction") == 0) {
re->type = ENCRYPTION_URL_FACTION_HASH_PM; re->type = HASH_URL_FACTION_HASH_PM;
re->param = _p2; re->param = _p2;
re->param_data = (void *)p; re->param_data = (void *)p;
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2403,7 +2403,7 @@ static const char *cmd_encryption_method_pm(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_faction_pm = 1; dcfg->crypto_hash_faction_pm = 1;
} }
else if (strcasecmp(p1, "HashLocation") == 0) { else if (strcasecmp(p1, "HashLocation") == 0) {
re->type = ENCRYPTION_URL_LOCATION_HASH_PM; re->type = HASH_URL_LOCATION_HASH_PM;
re->param = _p2; re->param = _p2;
re->param_data = (void *)p; re->param_data = (void *)p;
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2412,7 +2412,7 @@ static const char *cmd_encryption_method_pm(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_location_pm = 1; dcfg->crypto_hash_location_pm = 1;
} }
else if (strcasecmp(p1, "HashIframeSrc") == 0) { else if (strcasecmp(p1, "HashIframeSrc") == 0) {
re->type = ENCRYPTION_URL_IFRAMESRC_HASH_PM; re->type = HASH_URL_IFRAMESRC_HASH_PM;
re->param = _p2; re->param = _p2;
re->param_data = (void *)p; re->param_data = (void *)p;
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2421,7 +2421,7 @@ static const char *cmd_encryption_method_pm(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_iframesrc_pm = 1; dcfg->crypto_hash_iframesrc_pm = 1;
} }
else if (strcasecmp(p1, "HashFrameSrc") == 0) { else if (strcasecmp(p1, "HashFrameSrc") == 0) {
re->type = ENCRYPTION_URL_FRAMESRC_HASH_PM; re->type = HASH_URL_FRAMESRC_HASH_PM;
re->param = _p2; re->param = _p2;
re->param_data = (void *)p; re->param_data = (void *)p;
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2430,13 +2430,13 @@ static const char *cmd_encryption_method_pm(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_framesrc_pm = 1; dcfg->crypto_hash_framesrc_pm = 1;
} }
*(encryption_method **)apr_array_push(dcfg->encryption_method) = re; *(hash_method **)apr_array_push(dcfg->hash_method) = re;
return NULL; return NULL;
} }
/** /**
* \brief Add SecEncryptionMethodRx configuration option * \brief Add SecHashMethodRx configuration option
* *
* \param cmd Pointer to configuration data * \param cmd Pointer to configuration data
* \param _dcfg Pointer to directory configuration * \param _dcfg Pointer to directory configuration
@ -2446,16 +2446,16 @@ static const char *cmd_encryption_method_pm(cmd_parms *cmd, void *_dcfg,
* \retval NULL On failure * \retval NULL On failure
* \retval apr_psprintf On Success * \retval apr_psprintf On Success
*/ */
static const char *cmd_encryption_method_rx(cmd_parms *cmd, void *_dcfg, static const char *cmd_hash_method_rx(cmd_parms *cmd, void *_dcfg,
const char *p1, const char *p2) const char *p1, const char *p2)
{ {
directory_config *dcfg = (directory_config *)_dcfg; directory_config *dcfg = (directory_config *)_dcfg;
rule_exception *re = apr_pcalloc(cmd->pool, sizeof(encryption_method)); rule_exception *re = apr_pcalloc(cmd->pool, sizeof(hash_method));
const char *_p2 = apr_pstrdup(cmd->pool, p2); const char *_p2 = apr_pstrdup(cmd->pool, p2);
if (dcfg == NULL) return NULL; if (dcfg == NULL) return NULL;
if (strcasecmp(p1, "HashHref") == 0) { if (strcasecmp(p1, "HashHref") == 0) {
re->type = ENCRYPTION_URL_HREF_HASH_RX; re->type = HASH_URL_HREF_HASH_RX;
re->param = _p2; re->param = _p2;
re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL); re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL);
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2464,7 +2464,7 @@ static const char *cmd_encryption_method_rx(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_href_rx = 1; dcfg->crypto_hash_href_rx = 1;
} }
else if (strcasecmp(p1, "HashFormAction") == 0) { else if (strcasecmp(p1, "HashFormAction") == 0) {
re->type = ENCRYPTION_URL_FACTION_HASH_RX; re->type = HASH_URL_FACTION_HASH_RX;
re->param = _p2; re->param = _p2;
re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL); re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL);
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2473,7 +2473,7 @@ static const char *cmd_encryption_method_rx(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_faction_rx = 1; dcfg->crypto_hash_faction_rx = 1;
} }
else if (strcasecmp(p1, "HashLocation") == 0) { else if (strcasecmp(p1, "HashLocation") == 0) {
re->type = ENCRYPTION_URL_LOCATION_HASH_RX; re->type = HASH_URL_LOCATION_HASH_RX;
re->param = _p2; re->param = _p2;
re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL); re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL);
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2482,7 +2482,7 @@ static const char *cmd_encryption_method_rx(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_location_rx = 1; dcfg->crypto_hash_location_rx = 1;
} }
else if (strcasecmp(p1, "HashIframeSrc") == 0) { else if (strcasecmp(p1, "HashIframeSrc") == 0) {
re->type = ENCRYPTION_URL_IFRAMESRC_HASH_RX; re->type = HASH_URL_IFRAMESRC_HASH_RX;
re->param = _p2; re->param = _p2;
re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL); re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL);
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2491,7 +2491,7 @@ static const char *cmd_encryption_method_rx(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_iframesrc_rx = 1; dcfg->crypto_hash_iframesrc_rx = 1;
} }
else if (strcasecmp(p1, "HashFrameSrc") == 0) { else if (strcasecmp(p1, "HashFrameSrc") == 0) {
re->type = ENCRYPTION_URL_FRAMESRC_HASH_RX; re->type = HASH_URL_FRAMESRC_HASH_RX;
re->param = _p2; re->param = _p2;
re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL); re->param_data = msc_pregcomp(cmd->pool, p2, 0, NULL, NULL);
if (re->param_data == NULL) { if (re->param_data == NULL) {
@ -2500,7 +2500,7 @@ static const char *cmd_encryption_method_rx(cmd_parms *cmd, void *_dcfg,
dcfg->crypto_hash_framesrc_rx = 1; dcfg->crypto_hash_framesrc_rx = 1;
} }
*(encryption_method **)apr_array_push(dcfg->encryption_method) = re; *(hash_method **)apr_array_push(dcfg->hash_method) = re;
return NULL; return NULL;
} }
@ -3203,19 +3203,19 @@ const command_rec module_directives[] = {
), ),
AP_INIT_TAKE2 ( AP_INIT_TAKE2 (
"SecEncryptionMethodPm", "SecHashMethodPm",
cmd_encryption_method_pm, cmd_hash_method_pm,
NULL, NULL,
CMD_SCOPE_ANY, CMD_SCOPE_ANY,
"Encryption method and pattern" "Hash method and pattern"
), ),
AP_INIT_TAKE2 ( AP_INIT_TAKE2 (
"SecEncryptionMethodRx", "SecHashMethodRx",
cmd_encryption_method_rx, cmd_hash_method_rx,
NULL, NULL,
CMD_SCOPE_ANY, CMD_SCOPE_ANY,
"Encryption method and regex" "Hash method and regex"
), ),
AP_INIT_TAKE2 ( AP_INIT_TAKE2 (
@ -3324,27 +3324,27 @@ const command_rec module_directives[] = {
), ),
AP_INIT_TAKE1 ( AP_INIT_TAKE1 (
"SecEncryptionEngine", "SecHashEngine",
cmd_encryption_engine, cmd_hash_engine,
NULL, NULL,
CMD_SCOPE_ANY, CMD_SCOPE_ANY,
"On or Off" "On or Off"
), ),
AP_INIT_TAKE2 ( AP_INIT_TAKE2 (
"SecEncryptionKey", "SecHashKey",
cmd_encryption_key, cmd_hash_key,
NULL, NULL,
CMD_SCOPE_ANY, CMD_SCOPE_ANY,
"Set Encrytion key" "Set Encrytion key"
), ),
AP_INIT_TAKE1 ( AP_INIT_TAKE1 (
"SecEncryptionParam", "SecHashParam",
cmd_encryption_param, cmd_hash_param,
NULL, NULL,
CMD_SCOPE_ANY, CMD_SCOPE_ANY,
"Set Encryption parameter" "Set Hash parameter"
), ),
{ NULL } { NULL }

6
apache2/apache2_io.c
View File

@ -577,7 +577,7 @@ static int flatten_response_body(modsec_rec *msr) {
msr->resbody_data[msr->resbody_length] = '\0'; msr->resbody_data[msr->resbody_length] = '\0';
msr->resbody_status = RESBODY_STATUS_READ; msr->resbody_status = RESBODY_STATUS_READ;
if (msr->txcfg->stream_outbody_inspection && msr->txcfg->encryption_is_enabled == ENCRYPTION_DISABLED) { if (msr->txcfg->stream_outbody_inspection && msr->txcfg->hash_is_enabled == HASH_DISABLED) {
msr->stream_output_length = msr->resbody_length; msr->stream_output_length = msr->resbody_length;
@ -590,7 +590,7 @@ static int flatten_response_body(modsec_rec *msr) {
memset(msr->stream_output_data, 0, msr->stream_output_length+1); memset(msr->stream_output_data, 0, msr->stream_output_length+1);
strncpy(msr->stream_output_data, msr->resbody_data, msr->stream_output_length); strncpy(msr->stream_output_data, msr->resbody_data, msr->stream_output_length);
msr->stream_output_data[msr->stream_output_length] = '\0'; msr->stream_output_data[msr->stream_output_length] = '\0';
} else if (msr->txcfg->stream_outbody_inspection && msr->txcfg->encryption_is_enabled == ENCRYPTION_ENABLED) { } else if (msr->txcfg->stream_outbody_inspection && msr->txcfg->hash_is_enabled == HASH_ENABLED) {
int retval = 0; int retval = 0;
apr_time_t time1 = apr_time_now(); apr_time_t time1 = apr_time_now();
@ -601,7 +601,7 @@ static int flatten_response_body(modsec_rec *msr) {
if(retval > 0) { if(retval > 0) {
retval = inject_encrypted_response_body(msr, retval); retval = inject_encrypted_response_body(msr, retval);
if (msr->txcfg->debuglog_level >= 4) { if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Encryption completed in %" APR_TIME_T_FMT " usec.", (apr_time_now() - time1)); msr_log(msr, 4, "Hash completed in %" APR_TIME_T_FMT " usec.", (apr_time_now() - time1));
} }
} }

40
apache2/modsecurity.h
View File

@ -23,7 +23,7 @@
#include <libxml/HTMLparser.h> #include <libxml/HTMLparser.h>
typedef struct rule_exception rule_exception; typedef struct rule_exception rule_exception;
typedef struct rule_exception encryption_method; typedef struct rule_exception hash_method;
typedef struct modsec_rec modsec_rec; typedef struct modsec_rec modsec_rec;
typedef struct directory_config directory_config; typedef struct directory_config directory_config;
typedef struct error_message_t error_message_t; typedef struct error_message_t error_message_t;
@ -182,23 +182,23 @@ extern DSOLOCAL int *unicode_map_table;
#define MODSEC_DETECTION_ONLY 1 #define MODSEC_DETECTION_ONLY 1
#define MODSEC_ENABLED 2 #define MODSEC_ENABLED 2
#define ENCRYPTION_DISABLED 0 #define HASH_DISABLED 0
#define ENCRYPTION_ENABLED 1 #define HASH_ENABLED 1
#define ENCRYPTION_URL_HREF_HASH_RX 0 #define HASH_URL_HREF_HASH_RX 0
#define ENCRYPTION_URL_HREF_HASH_PM 1 #define HASH_URL_HREF_HASH_PM 1
#define ENCRYPTION_URL_FACTION_HASH_RX 2 #define HASH_URL_FACTION_HASH_RX 2
#define ENCRYPTION_URL_FACTION_HASH_PM 3 #define HASH_URL_FACTION_HASH_PM 3
#define ENCRYPTION_URL_LOCATION_HASH_RX 4 #define HASH_URL_LOCATION_HASH_RX 4
#define ENCRYPTION_URL_LOCATION_HASH_PM 5 #define HASH_URL_LOCATION_HASH_PM 5
#define ENCRYPTION_URL_IFRAMESRC_HASH_RX 6 #define HASH_URL_IFRAMESRC_HASH_RX 6
#define ENCRYPTION_URL_IFRAMESRC_HASH_PM 7 #define HASH_URL_IFRAMESRC_HASH_PM 7
#define ENCRYPTION_URL_FRAMESRC_HASH_RX 8 #define HASH_URL_FRAMESRC_HASH_RX 8
#define ENCRYPTION_URL_FRAMESRC_HASH_PM 9 #define HASH_URL_FRAMESRC_HASH_PM 9
#define ENCRYPTION_KEYONLY 0 #define HASH_KEYONLY 0
#define ENCRYPTION_SESSIONID 1 #define HASH_SESSIONID 1
#define ENCRYPTION_REMOTEIP 2 #define HASH_REMOTEIP 2
#define MODSEC_CACHE_DISABLED 0 #define MODSEC_CACHE_DISABLED 0
#define MODSEC_CACHE_ENABLED 1 #define MODSEC_CACHE_ENABLED 1
@ -571,13 +571,13 @@ struct directory_config {
/* Collection timeout */ /* Collection timeout */
int col_timeout; int col_timeout;
/* Encryption */ /* Hash */
apr_array_header_t *encryption_method; apr_array_header_t *hash_method;
const char *crypto_key; const char *crypto_key;
int crypto_key_len; int crypto_key_len;
const char *crypto_param_name; const char *crypto_param_name;
int encryption_is_enabled; int hash_is_enabled;
int encryption_enforcement; int hash_enforcement;
int crypto_key_add; int crypto_key_add;
int crypto_hash_href_rx; int crypto_hash_href_rx;
int crypto_hash_faction_rx; int crypto_hash_faction_rx;

100
apache2/msc_crypt.c
View File

@ -304,18 +304,18 @@ int init_response_body_html_parser(modsec_rec *msr) {
} }
/** /**
* \brief Execute all encryption methods * \brief Execute all hash methods
* *
* \param msr ModSecurity transaction resource * \param msr ModSecurity transaction resource
* \param link The html attr value to be checked * \param link The html attr value to be checked
* \param type The encryption method type * \param type The hash method type
* *
* \retval 1 Match * \retval 1 Match
* \retval 0 No Match * \retval 0 No Match
* \retval -1 on fail * \retval -1 on fail
*/ */
int do_encryption_method(modsec_rec *msr, char *link, int type) { int do_hash_method(modsec_rec *msr, char *link, int type) {
encryption_method **em = NULL; hash_method **em = NULL;
int i = 0; int i = 0;
char *error_msg = NULL; char *error_msg = NULL;
char *my_error_msg = NULL; char *my_error_msg = NULL;
@ -324,18 +324,18 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
if(msr == NULL) return -1; if(msr == NULL) return -1;
em = (encryption_method **)msr->txcfg->encryption_method->elts; em = (hash_method **)msr->txcfg->hash_method->elts;
if(msr->txcfg->encryption_method->nelts == 0) if(msr->txcfg->hash_method->nelts == 0)
return 1; return 1;
for (i = 0; i < msr->txcfg->encryption_method->nelts; i++) { for (i = 0; i < msr->txcfg->hash_method->nelts; i++) {
if(em[i] != NULL && em[i]->param_data != NULL){ if(em[i] != NULL && em[i]->param_data != NULL){
switch(type) { switch(type) {
case ENCRYPTION_URL_HREF_HASH_PM: case HASH_URL_HREF_HASH_PM:
if(em[i]->type == ENCRYPTION_URL_HREF_HASH_PM) { if(em[i]->type == HASH_URL_HREF_HASH_PM) {
const char *match = NULL; const char *match = NULL;
apr_status_t rc = 0; apr_status_t rc = 0;
ACMPT pt; ACMPT pt;
@ -352,8 +352,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_HREF_HASH_RX: case HASH_URL_HREF_HASH_RX:
if(em[i]->type == ENCRYPTION_URL_HREF_HASH_RX) { if(em[i]->type == HASH_URL_HREF_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg); rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) { if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@ -389,8 +389,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_FACTION_HASH_PM: case HASH_URL_FACTION_HASH_PM:
if(em[i]->type == ENCRYPTION_URL_FACTION_HASH_PM) { if(em[i]->type == HASH_URL_FACTION_HASH_PM) {
const char *match = NULL; const char *match = NULL;
apr_status_t rc = 0; apr_status_t rc = 0;
ACMPT pt; ACMPT pt;
@ -407,8 +407,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_FACTION_HASH_RX: case HASH_URL_FACTION_HASH_RX:
if(em[i]->type == ENCRYPTION_URL_FACTION_HASH_RX) { if(em[i]->type == HASH_URL_FACTION_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg); rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) { if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@ -444,8 +444,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_LOCATION_HASH_PM: case HASH_URL_LOCATION_HASH_PM:
if(em[i]->type == ENCRYPTION_URL_LOCATION_HASH_PM) { if(em[i]->type == HASH_URL_LOCATION_HASH_PM) {
const char *match = NULL; const char *match = NULL;
apr_status_t rc = 0; apr_status_t rc = 0;
ACMPT pt; ACMPT pt;
@ -462,8 +462,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_LOCATION_HASH_RX: case HASH_URL_LOCATION_HASH_RX:
if(em[i]->type == ENCRYPTION_URL_LOCATION_HASH_RX) { if(em[i]->type == HASH_URL_LOCATION_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg); rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) { if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@ -499,8 +499,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_IFRAMESRC_HASH_PM: case HASH_URL_IFRAMESRC_HASH_PM:
if(em[i]->type == ENCRYPTION_URL_IFRAMESRC_HASH_PM) { if(em[i]->type == HASH_URL_IFRAMESRC_HASH_PM) {
const char *match = NULL; const char *match = NULL;
apr_status_t rc = 0; apr_status_t rc = 0;
ACMPT pt; ACMPT pt;
@ -517,8 +517,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_IFRAMESRC_HASH_RX: case HASH_URL_IFRAMESRC_HASH_RX:
if(em[i]->type == ENCRYPTION_URL_IFRAMESRC_HASH_RX) { if(em[i]->type == HASH_URL_IFRAMESRC_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg); rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) { if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@ -554,8 +554,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_FRAMESRC_HASH_PM: case HASH_URL_FRAMESRC_HASH_PM:
if(em[i]->type == ENCRYPTION_URL_FRAMESRC_HASH_PM) { if(em[i]->type == HASH_URL_FRAMESRC_HASH_PM) {
const char *match = NULL; const char *match = NULL;
apr_status_t rc = 0; apr_status_t rc = 0;
ACMPT pt; ACMPT pt;
@ -572,8 +572,8 @@ int do_encryption_method(modsec_rec *msr, char *link, int type) {
} }
} }
break; break;
case ENCRYPTION_URL_FRAMESRC_HASH_RX: case HASH_URL_FRAMESRC_HASH_RX:
if(em[i]->type == ENCRYPTION_URL_FRAMESRC_HASH_RX) { if(em[i]->type == HASH_URL_FRAMESRC_HASH_RX) {
rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg); rc = msc_regexec_capture(em[i]->param_data, link, strlen(link), ovector, 30, &my_error_msg);
if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) { if ((rc == PCRE_ERROR_MATCHLIMIT) || (rc == PCRE_ERROR_RECURSIONLIMIT)) {
msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); msc_string *s = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
@ -679,7 +679,7 @@ int encrypt_response_body_links(modsec_rec *msr) {
if(content_href != NULL && strstr(content_href,msr->txcfg->crypto_param_name) == NULL) { if(content_href != NULL && strstr(content_href,msr->txcfg->crypto_param_name) == NULL) {
if(msr->txcfg->crypto_hash_href_rx == 1) { if(msr->txcfg->crypto_hash_href_rx == 1) {
rc = do_encryption_method(msr, (char *)content_href, ENCRYPTION_URL_HREF_HASH_RX); rc = do_hash_method(msr, (char *)content_href, HASH_URL_HREF_HASH_RX);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
mac_link = do_hash_link(msr, (char *)content_href, FULL_LINK); mac_link = do_hash_link(msr, (char *)content_href, FULL_LINK);
@ -695,7 +695,7 @@ int encrypt_response_body_links(modsec_rec *msr) {
} }
} }
if(msr->txcfg->crypto_hash_href_pm == 1) { if(msr->txcfg->crypto_hash_href_pm == 1) {
rc = do_encryption_method(msr, (char *)content_href, ENCRYPTION_URL_HREF_HASH_PM); rc = do_hash_method(msr, (char *)content_href, HASH_URL_HREF_HASH_PM);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
mac_link = do_hash_link(msr, (char *)content_href, FULL_LINK); mac_link = do_hash_link(msr, (char *)content_href, FULL_LINK);
@ -750,7 +750,7 @@ int encrypt_response_body_links(modsec_rec *msr) {
if(content_action != NULL && content_option == NULL && strstr(content_action,msr->txcfg->crypto_param_name) == NULL) { if(content_action != NULL && content_option == NULL && strstr(content_action,msr->txcfg->crypto_param_name) == NULL) {
if(msr->txcfg->crypto_hash_faction_rx == 1) { if(msr->txcfg->crypto_hash_faction_rx == 1) {
rc = do_encryption_method(msr, (char *)content_action, ENCRYPTION_URL_FACTION_HASH_RX); rc = do_hash_method(msr, (char *)content_action, HASH_URL_FACTION_HASH_RX);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
mac_link = do_hash_link(msr, (char *)content_action, FULL_LINK); mac_link = do_hash_link(msr, (char *)content_action, FULL_LINK);
@ -766,7 +766,7 @@ int encrypt_response_body_links(modsec_rec *msr) {
} }
} }
if(msr->txcfg->crypto_hash_faction_pm == 1) { if(msr->txcfg->crypto_hash_faction_pm == 1) {
rc = do_encryption_method(msr, (char *)content_action, ENCRYPTION_URL_FACTION_HASH_PM); rc = do_hash_method(msr, (char *)content_action, HASH_URL_FACTION_HASH_PM);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
mac_link = do_hash_link(msr, (char *)content_action, FULL_LINK); mac_link = do_hash_link(msr, (char *)content_action, FULL_LINK);
@ -820,7 +820,7 @@ int encrypt_response_body_links(modsec_rec *msr) {
if(content_src != NULL && strstr(content_src,msr->txcfg->crypto_param_name) == NULL) { if(content_src != NULL && strstr(content_src,msr->txcfg->crypto_param_name) == NULL) {
if(msr->txcfg->crypto_hash_iframesrc_rx == 1) { if(msr->txcfg->crypto_hash_iframesrc_rx == 1) {
rc = do_encryption_method(msr, (char *)content_src, ENCRYPTION_URL_IFRAMESRC_HASH_RX); rc = do_hash_method(msr, (char *)content_src, HASH_URL_IFRAMESRC_HASH_RX);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
mac_link = do_hash_link(msr, (char *)content_src, FULL_LINK); mac_link = do_hash_link(msr, (char *)content_src, FULL_LINK);
@ -836,7 +836,7 @@ int encrypt_response_body_links(modsec_rec *msr) {
} }
} }
if(msr->txcfg->crypto_hash_iframesrc_pm == 1) { if(msr->txcfg->crypto_hash_iframesrc_pm == 1) {
rc = do_encryption_method(msr, (char *)content_src, ENCRYPTION_URL_IFRAMESRC_HASH_PM); rc = do_hash_method(msr, (char *)content_src, HASH_URL_IFRAMESRC_HASH_PM);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
mac_link = do_hash_link(msr, (char *)content_src, FULL_LINK); mac_link = do_hash_link(msr, (char *)content_src, FULL_LINK);
@ -885,7 +885,7 @@ int encrypt_response_body_links(modsec_rec *msr) {
if(content_src != NULL && strstr(content_src,msr->txcfg->crypto_param_name) == NULL) { if(content_src != NULL && strstr(content_src,msr->txcfg->crypto_param_name) == NULL) {
if(msr->txcfg->crypto_hash_framesrc_rx == 1) { if(msr->txcfg->crypto_hash_framesrc_rx == 1) {
rc = do_encryption_method(msr, (char *)content_src, ENCRYPTION_URL_FRAMESRC_HASH_RX); rc = do_hash_method(msr, (char *)content_src, HASH_URL_FRAMESRC_HASH_RX);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
mac_link = do_hash_link(msr, (char *)content_src, FULL_LINK); mac_link = do_hash_link(msr, (char *)content_src, FULL_LINK);
@ -901,7 +901,7 @@ int encrypt_response_body_links(modsec_rec *msr) {
} }
} }
if(msr->txcfg->crypto_hash_framesrc_pm == 1) { if(msr->txcfg->crypto_hash_framesrc_pm == 1) {
rc = do_encryption_method(msr, (char *)content_src, ENCRYPTION_URL_FRAMESRC_HASH_PM); rc = do_hash_method(msr, (char *)content_src, HASH_URL_FRAMESRC_HASH_PM);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
mac_link = do_hash_link(msr, (char *)content_src, FULL_LINK); mac_link = do_hash_link(msr, (char *)content_src, FULL_LINK);
@ -1192,7 +1192,7 @@ int inject_encrypted_response_body(modsec_rec *msr, int elts) {
* *
* \param msr ModSecurity transaction resource * \param msr ModSecurity transaction resource
* \param link The html attr value to be checked * \param link The html attr value to be checked
* \param type The encryption method type * \param type The hash method type
* *
* \retval mac_link MACed link * \retval mac_link MACed link
* \retval NULL on fail * \retval NULL on fail
@ -1211,10 +1211,10 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
if (msr->txcfg->debuglog_level >= 4) if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Signing data [%s]", path_chunk+1); msr_log(msr, 4, "Signing data [%s]", path_chunk+1);
if(msr->txcfg->crypto_key_add == ENCRYPTION_KEYONLY) if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1); hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
if(msr->txcfg->crypto_key_add == ENCRYPTION_SESSIONID) { if(msr->txcfg->crypto_key_add == HASH_SESSIONID) {
if(strlen(msr->sessionid) == 0) { if(strlen(msr->sessionid) == 0) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip); const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
@ -1234,7 +1234,7 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
} }
} }
if(msr->txcfg->crypto_key_add == ENCRYPTION_REMOTEIP) { if(msr->txcfg->crypto_key_add == HASH_REMOTEIP) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip); const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
#else #else
@ -1253,10 +1253,10 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
if (msr->txcfg->debuglog_level >= 4) if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Signing data [%s]", path_chunk+1); msr_log(msr, 4, "Signing data [%s]", path_chunk+1);
if(msr->txcfg->crypto_key_add == ENCRYPTION_KEYONLY) if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1); hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) path_chunk+1, strlen((char*)path_chunk)-1);
if(msr->txcfg->crypto_key_add == ENCRYPTION_SESSIONID) { if(msr->txcfg->crypto_key_add == HASH_SESSIONID) {
if(strlen(msr->sessionid) == 0) { if(strlen(msr->sessionid) == 0) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip); const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
@ -1276,7 +1276,7 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
} }
} }
if(msr->txcfg->crypto_key_add == ENCRYPTION_REMOTEIP) { if(msr->txcfg->crypto_key_add == HASH_REMOTEIP) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip); const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
#else #else
@ -1293,10 +1293,10 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
if (msr->txcfg->debuglog_level >= 4) if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Signing data [%s]", link+1); msr_log(msr, 4, "Signing data [%s]", link+1);
if(msr->txcfg->crypto_key_add == ENCRYPTION_KEYONLY) if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1); hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) link+1, strlen((char*)link)-1);
if(msr->txcfg->crypto_key_add == ENCRYPTION_SESSIONID) { if(msr->txcfg->crypto_key_add == HASH_SESSIONID) {
if(strlen(msr->sessionid) == 0) { if(strlen(msr->sessionid) == 0) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip); const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
@ -1316,7 +1316,7 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
} }
} }
if(msr->txcfg->crypto_key_add == ENCRYPTION_REMOTEIP) { if(msr->txcfg->crypto_key_add == HASH_REMOTEIP) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip); const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
#else #else
@ -1346,10 +1346,10 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
if (msr->txcfg->debuglog_level >= 4) if (msr->txcfg->debuglog_level >= 4)
msr_log(msr, 4, "Signing data [%s] size %d", relative_link, strlen(relative_link)); msr_log(msr, 4, "Signing data [%s] size %d", relative_link, strlen(relative_link));
if(msr->txcfg->crypto_key_add == ENCRYPTION_KEYONLY) if(msr->txcfg->crypto_key_add == HASH_KEYONLY)
hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link)); hash_value = hmac(msr, msr->txcfg->crypto_key, msr->txcfg->crypto_key_len, (unsigned char *) relative_link, strlen((char*)relative_link));
if(msr->txcfg->crypto_key_add == ENCRYPTION_SESSIONID) { if(msr->txcfg->crypto_key_add == HASH_SESSIONID) {
if(strlen(msr->sessionid) == 0) { if(strlen(msr->sessionid) == 0) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip); const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
@ -1369,7 +1369,7 @@ char *do_hash_link(modsec_rec *msr, char *link, int type) {
} }
} }
if(msr->txcfg->crypto_key_add == ENCRYPTION_REMOTEIP) { if(msr->txcfg->crypto_key_add == HASH_REMOTEIP) {
#if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2 #if AP_SERVER_MAJORVERSION_NUMBER > 1 && AP_SERVER_MINORVERSION_NUMBER > 2
const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip); const char *new_pwd = apr_psprintf(msr->mp,"%s%s", msr->txcfg->crypto_key, msr->r->connection->client_ip);
#else #else
@ -1430,7 +1430,7 @@ int modify_response_header(modsec_rec *msr) {
msr_log(msr, 4, "Processing reponse header location [%s]", location); msr_log(msr, 4, "Processing reponse header location [%s]", location);
if(msr->txcfg->crypto_hash_location_rx == 1) { if(msr->txcfg->crypto_hash_location_rx == 1) {
rc = do_encryption_method(msr, (char *)location, ENCRYPTION_URL_LOCATION_HASH_RX); rc = do_hash_method(msr, (char *)location, HASH_URL_LOCATION_HASH_RX);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;
@ -1440,7 +1440,7 @@ int modify_response_header(modsec_rec *msr) {
} }
} else if(msr->txcfg->crypto_hash_location_pm == 1) { } else if(msr->txcfg->crypto_hash_location_pm == 1) {
rc = do_encryption_method(msr, (char *)location, ENCRYPTION_URL_LOCATION_HASH_PM); rc = do_hash_method(msr, (char *)location, HASH_URL_LOCATION_HASH_PM);
if(rc > 0) { if(rc > 0) {
mac_link = NULL; mac_link = NULL;

32
apache2/re_actions.c
View File

@ -921,15 +921,15 @@ static char *msre_action_ctl_validate(msre_engine *engine, msre_action *action)
} }
return NULL; return NULL;
} else } else
if (strcasecmp(name, "EncryptionEnforcement") == 0) { if (strcasecmp(name, "HashEnforcement") == 0) {
if (strcasecmp(value, "on") == 0) return NULL; if (strcasecmp(value, "on") == 0) return NULL;
if (strcasecmp(value, "off") == 0) return NULL; if (strcasecmp(value, "off") == 0) return NULL;
return apr_psprintf(engine->mp, "Invalid setting for ctl name EncryptionEnforcement: %s", value); return apr_psprintf(engine->mp, "Invalid setting for ctl name HashEnforcement: %s", value);
} else } else
if (strcasecmp(name, "EncryptionEngine") == 0) { if (strcasecmp(name, "HashEngine") == 0) {
if (strcasecmp(value, "on") == 0) return NULL; if (strcasecmp(value, "on") == 0) return NULL;
if (strcasecmp(value, "off") == 0) return NULL; if (strcasecmp(value, "off") == 0) return NULL;
return apr_psprintf(engine->mp, "Invalid setting for ctl name EncryptionEngine: %s", value); return apr_psprintf(engine->mp, "Invalid setting for ctl name HashEngine: %s", value);
} else { } else {
return apr_psprintf(engine->mp, "Invalid ctl name setting: %s", name); return apr_psprintf(engine->mp, "Invalid ctl name setting: %s", name);
} }
@ -979,31 +979,31 @@ static apr_status_t msre_action_ctl_execute(modsec_rec *msr, apr_pool_t *mptmp,
return 1; return 1;
} else } else
if (strcasecmp(name, "EncryptionEnforcement") == 0) { if (strcasecmp(name, "HashEnforcement") == 0) {
if (strcasecmp(value, "on") == 0) { if (strcasecmp(value, "on") == 0) {
msr->txcfg->encryption_enforcement = ENCRYPTION_ENABLED; msr->txcfg->hash_enforcement = HASH_ENABLED;
msr->usercfg->encryption_enforcement = ENCRYPTION_ENABLED; msr->usercfg->hash_enforcement = HASH_ENABLED;
} }
if (strcasecmp(value, "off") == 0) { if (strcasecmp(value, "off") == 0) {
msr->txcfg->encryption_enforcement = ENCRYPTION_DISABLED; msr->txcfg->hash_enforcement = HASH_DISABLED;
msr->usercfg->encryption_enforcement = ENCRYPTION_DISABLED; msr->usercfg->hash_enforcement = HASH_DISABLED;
} }
if (msr->txcfg->debuglog_level >= 4) { if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Ctl: Set EncryptionEnforcement to %s.", value); msr_log(msr, 4, "Ctl: Set HashEnforcement to %s.", value);
} }
return 1; return 1;
} else } else
if (strcasecmp(name, "EncryptionEngine") == 0) { if (strcasecmp(name, "HashEngine") == 0) {
if (strcasecmp(value, "on") == 0) { if (strcasecmp(value, "on") == 0) {
msr->txcfg->encryption_is_enabled = ENCRYPTION_ENABLED; msr->txcfg->hash_is_enabled = HASH_ENABLED;
msr->usercfg->encryption_is_enabled = ENCRYPTION_ENABLED; msr->usercfg->hash_is_enabled = HASH_ENABLED;
} }
if (strcasecmp(value, "off") == 0) { if (strcasecmp(value, "off") == 0) {
msr->txcfg->encryption_is_enabled = ENCRYPTION_DISABLED; msr->txcfg->hash_is_enabled = HASH_DISABLED;
msr->usercfg->encryption_is_enabled = ENCRYPTION_DISABLED; msr->usercfg->hash_is_enabled = HASH_DISABLED;
} }
if (msr->txcfg->debuglog_level >= 4) { if (msr->txcfg->debuglog_level >= 4) {
msr_log(msr, 4, "Ctl: Set EncryptionEngine to %s.", value); msr_log(msr, 4, "Ctl: Set HashEngine to %s.", value);
} }
return 1; return 1;
} else } else

26
apache2/re_operators.c
View File

@ -721,7 +721,7 @@ nextround:
#endif /* MSC_TEST */ #endif /* MSC_TEST */
/** /**
* \brief Init function to validateEncryption * \brief Init function to validateHash
* *
* \param rule ModSecurity rule struct * \param rule ModSecurity rule struct
* \param error_msg Error message * \param error_msg Error message
@ -729,7 +729,7 @@ nextround:
* \retval 1 On success * \retval 1 On success
* \retval 0 On fail * \retval 0 On fail
*/ */
static int msre_op_validateEncryption_param_init(msre_rule *rule, char **error_msg) { static int msre_op_validateHash_param_init(msre_rule *rule, char **error_msg) {
const char *errptr = NULL; const char *errptr = NULL;
int erroffset; int erroffset;
msc_regex_t *regex; msc_regex_t *regex;
@ -778,7 +778,7 @@ static int msre_op_validateEncryption_param_init(msre_rule *rule, char **error_m
} }
/** /**
* \brief Execute function to validateEncryption * \brief Execute function to validateHash
* *
* \param msr ModSecurity transaction resource * \param msr ModSecurity transaction resource
* \param rule ModSecurity rule struct * \param rule ModSecurity rule struct
@ -788,7 +788,7 @@ static int msre_op_validateEncryption_param_init(msre_rule *rule, char **error_m
* \retval 1 On success * \retval 1 On success
* \retval 0 On fail * \retval 0 On fail
*/ */
static int msre_op_validateEncryption_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) { static int msre_op_validateHash_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
msc_regex_t *regex = (msc_regex_t *)rule->op_param_data; msc_regex_t *regex = (msc_regex_t *)rule->op_param_data;
msc_string *re_pattern = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string)); msc_string *re_pattern = (msc_string *)apr_pcalloc(msr->mp, sizeof(msc_string));
const char *target; const char *target;
@ -809,7 +809,7 @@ static int msre_op_validateEncryption_execute(modsec_rec *msr, msre_rule *rule,
if (error_msg == NULL) return -1; if (error_msg == NULL) return -1;
*error_msg = NULL; *error_msg = NULL;
if (msr->txcfg->encryption_enforcement == ENCRYPTION_DISABLED || msr->txcfg->encryption_is_enabled == ENCRYPTION_DISABLED) if (msr->txcfg->hash_enforcement == HASH_DISABLED || msr->txcfg->hash_is_enabled == HASH_DISABLED)
return 0; return 0;
if (regex == NULL) { if (regex == NULL) {
@ -926,13 +926,13 @@ static int msre_op_validateEncryption_execute(modsec_rec *msr, msre_rule *rule,
if(valid == NULL) { if(valid == NULL) {
if (msr->txcfg->debuglog_level >= 9) if (msr->txcfg->debuglog_level >= 9)
msr_log(msr, 9, "Request URI without encryption parameter [%s]", target); msr_log(msr, 9, "Request URI without hash parameter [%s]", target);
if (strlen(pattern) > 252) { if (strlen(pattern) > 252) {
*error_msg = apr_psprintf(msr->mp, "Request URI matched \"%.252s ...\" at %s. No Encryption parameter", *error_msg = apr_psprintf(msr->mp, "Request URI matched \"%.252s ...\" at %s. No Hash parameter",
pattern, var->name); pattern, var->name);
} else { } else {
*error_msg = apr_psprintf(msr->mp, "Request URI matched \"%s\" at %s. No Encryption parameter", *error_msg = apr_psprintf(msr->mp, "Request URI matched \"%s\" at %s. No Hash parameter",
pattern, var->name); pattern, var->name);
} }
return 1; return 1;
@ -952,10 +952,10 @@ static int msre_op_validateEncryption_execute(modsec_rec *msr, msre_rule *rule,
if(strcmp(hmac, hash_link) != 0) { if(strcmp(hmac, hash_link) != 0) {
if (strlen(pattern) > 252) { if (strlen(pattern) > 252) {
*error_msg = apr_psprintf(msr->mp, "Request URI matched \"%.252s ...\" at %s. Encryption parameter hash value = [%s] Requested URI hash value = [%s]", *error_msg = apr_psprintf(msr->mp, "Request URI matched \"%.252s ...\" at %s. Hash parameter hash value = [%s] Requested URI hash value = [%s]",
pattern, var->name, hmac, hash_link); pattern, var->name, hmac, hash_link);
} else { } else {
*error_msg = apr_psprintf(msr->mp, "Request URI matched \"%s\" at %s. Encryption parameter hash value = [%s] Requested URI hash value = [%s]", *error_msg = apr_psprintf(msr->mp, "Request URI matched \"%s\" at %s. Hash parameter hash value = [%s] Requested URI hash value = [%s]",
pattern, var->name, hmac, hash_link); pattern, var->name, hmac, hash_link);
} }
return 1; return 1;
@ -4434,9 +4434,9 @@ void msre_engine_register_default_operators(msre_engine *engine) {
/* validateEncyption */ /* validateEncyption */
msre_engine_op_register(engine, msre_engine_op_register(engine,
"validateEncryption", "validateHash",
msre_op_validateEncryption_param_init, msre_op_validateHash_param_init,
msre_op_validateEncryption_execute msre_op_validateHash_execute
); );
/* pm */ /* pm */