github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 05:45:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adds the `crypto' option to SecRemoteRules directive

Browse Source 
Originally the SecRemoteRules fetch the rules from an remote server in an
specific format, using cryptography. This patch adds the possibility to
load rules in plain/text format.
This commit is contained in:
Felipe Zimmerle 2014-11-12 10:41:39 -08:00
parent c54bb746c6
commit 59fc243503
3 changed files with 48 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
apache2/apache2_config.c
View File

@ -2240,18 +2240,37 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
}
static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
const char *p2)
const char *p2, const char *p3)
{
char *error_msg = NULL;
directory_config *dcfg = (directory_config *)_dcfg;
#ifdef WITH_REMOTE_RULES_SUPPORT
int crypto = 0;
const char *uri = p2;
const char *key = p1;
#endif
if (dcfg == NULL) return NULL;
#ifdef WITH_REMOTE_RULES_SUPPORT
if (strncasecmp(p1, "crypto", 6) == 0)
{
uri = p3;
key = p2;
crypto = 1;
}
if (uri == NULL || key == NULL)
{
return apr_psprintf(cmd->pool, "ModSecurity: Use SecRemoteRule with " \
"Key and URI");
}
// FIXME: make it https only.
// if (strncasecmp(p1, "https", 5) != 0) {
if (strncasecmp(p2, "http", 4) != 0) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
" %s, expected an HTTPS address.", p2);
if (strncasecmp(uri, "http", 4) != 0) {
return apr_psprintf(cmd->pool, "ModSecurity: Invalid URI:" \
" %s, expected an HTTPS address.", uri);
}
// FIXME: Should we handle more then one server at once?
@ -2270,9 +2289,10 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
remote_rules_server->context = dcfg;
remote_rules_server->context_label = apr_pstrdup(cmd->pool, "Unkwon context");
remote_rules_server->key = p1;
remote_rules_server->uri = p2;
remote_rules_server->key = key;
remote_rules_server->uri = uri;
remote_rules_server->amount_of_rules = 0;
remote_rules_server->crypto = crypto;
msc_remote_add_rules_from_uri(cmd, remote_rules_server, &error_msg);
if (error_msg != NULL)
@ -3575,7 +3595,7 @@ const command_rec module_directives[] = {
"On or Off"
),
AP_INIT_TAKE2 (
AP_INIT_TAKE23 (
"SecRemoteRules",
cmd_remote_rules,
NULL,

27
apache2/msc_remote_rules.c
View File

@ -607,16 +607,24 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
return res;
}
msc_remote_decrypt(mp, remote_rules_server->key, &chunk_encrypted,
if (remote_rules_server->crypto == 1)
{
msc_remote_decrypt(mp, remote_rules_server->key, &chunk_encrypted,
&plain_text,
&plain_text_len,
error_msg);
if (*error_msg != NULL)
{
return -1;
}
if (*error_msg != NULL)
{
return -1;
}
msc_remote_clean_chunk(&chunk_encrypted);
msc_remote_clean_chunk(&chunk_encrypted);
}
else
{
plain_text = chunk_encrypted.memory;
plain_text_len = strlen(plain_text);
}
len = 0;
plain_text_len = strlen(plain_text);
@ -679,7 +687,7 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
error_msg = "Command failed to execute (check file/folder" \
*error_msg = "Command failed to execute (check file/folder" \
"permissions, syntax, etc.).";
return -1;
}
@ -692,6 +700,11 @@ next:
}
remote_rules_server->amount_of_rules = added_rules;
if (remote_rules_server->crypto == 1)
{
msc_remote_clean_chunk(&chunk_encrypted);
}
}

1
apache2/msc_remote_rules.h
View File

@ -45,6 +45,7 @@ struct msc_remote_rules_server {
const char *uri;
const char *key;
int amount_of_rules;
int crypto;
};
const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,