diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index dbdf9ff8..af35b3a1 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2240,18 +2240,37 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
 }
 static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
- const char *p2)
+ const char *p2, const char *p3)
 {
 char *error_msg = NULL;
 directory_config *dcfg = (directory_config *)_dcfg;
+#ifdef WITH_REMOTE_RULES_SUPPORT
+ int crypto = 0;
+ const char *uri = p2;
+ const char *key = p1;
+#endif
+
 if (dcfg == NULL) return NULL;
 #ifdef WITH_REMOTE_RULES_SUPPORT
+ if (strncasecmp(p1, "crypto", 6) == 0)
+ {
+ uri = p3;
+ key = p2;
+ crypto = 1;
+ }
+
+ if (uri == NULL || key == NULL)
+ {
+ return apr_psprintf(cmd->pool, "ModSecurity: Use SecRemoteRule with " \
+ "Key and URI");
+ }
+
 // FIXME: make it https only.
 // if (strncasecmp(p1, "https", 5) != 0) {
- if (strncasecmp(p2, "http", 4) != 0) {
- return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
- " %s, expected an HTTPS address.", p2);
+ if (strncasecmp(uri, "http", 4) != 0) {
+ return apr_psprintf(cmd->pool, "ModSecurity: Invalid URI:" \
+ " %s, expected an HTTPS address.", uri);
 }
 // FIXME: Should we handle more then one server at once?
@@ -2270,9 +2289,10 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
 remote_rules_server->context = dcfg;
 remote_rules_server->context_label = apr_pstrdup(cmd->pool, "Unkwon context");
- remote_rules_server->key = p1;
- remote_rules_server->uri = p2;
+ remote_rules_server->key = key;
+ remote_rules_server->uri = uri;
 remote_rules_server->amount_of_rules = 0;
+ remote_rules_server->crypto = crypto;
 msc_remote_add_rules_from_uri(cmd, remote_rules_server, &error_msg);
 if (error_msg != NULL)
@@ -3575,7 +3595,7 @@ const command_rec module_directives[] = {
 "On or Off"
 ),
- AP_INIT_TAKE2 (
+ AP_INIT_TAKE23 (
 "SecRemoteRules",
 cmd_remote_rules,
 NULL,
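Review bot: With `crypto` initialised to 0 and only set when `p1` is the literal `crypto`, the existing two-argument form `SecRemoteRules <key> <uri>` now hands the fetched body to the rule parser as plaintext instead of decrypting it, which silently changes the meaning of every current configuration; if that is intended it needs to be stated in the directive documentation, otherwise the encrypted path should stay the default. The scheme check on `uri` still accepts `http://` (`strncasecmp(uri, "http", 4)`) while the message promises HTTPS, and in the new unencrypted mode the transport is the only integrity protection the downloaded rules get, so the FIXME above it is worth resolving in this change: `if (strncasecmp(uri, "https", 5) != 0) {`. `strncasecmp(p1, "crypto", 6)` is a prefix match and would also treat a key that merely begins with "crypto" as the keyword; `strcasecmp(p1, "crypto") == 0` is the exact test. cmd_remote_rules continues past the hunk.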
diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
index 4e826d14..25922977 100644
--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -607,16 +607,24 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
 return res;
 }
- msc_remote_decrypt(mp, remote_rules_server->key, &chunk_encrypted,
+ if (remote_rules_server->crypto == 1)
+ {
+ msc_remote_decrypt(mp, remote_rules_server->key, &chunk_encrypted,
 &plain_text, &plain_text_len, error_msg);
- if (*error_msg != NULL)
- {
- return -1;
- }
+ if (*error_msg != NULL)
+ {
+ return -1;
+ }
- msc_remote_clean_chunk(&chunk_encrypted);
+ msc_remote_clean_chunk(&chunk_encrypted);
+ }
+ else
+ {
+ plain_text = chunk_encrypted.memory;
+ plain_text_len = strlen(plain_text);
+ }
 len = 0;
 plain_text_len = strlen(plain_text);
@@ -679,7 +687,7 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
 }
 __except(EXCEPTION_EXECUTE_HANDLER)
 {
- error_msg = "Command failed to execute (check file/folder" \
+ *error_msg = "Command failed to execute (check file/folder" \
 "permissions, syntax, etc.).";
 return -1;
 }
@@ -692,6 +700,11 @@ next:
 }
 remote_rules_server->amount_of_rules = added_rules;
+
+ if (remote_rules_server->crypto == 1)
+ {
+ msc_remote_clean_chunk(&chunk_encrypted);
+ }
 }
diff --git a/apache2/msc_remote_rules.h b/apache2/msc_remote_rules.h
index 7cea1580..248e3cd2 100644
--- a/apache2/msc_remote_rules.h
+++ b/apache2/msc_remote_rules.h
@@ -45,6 +45,7 @@ struct msc_remote_rules_server {
 const char *uri;
 const char *key;
 int amount_of_rules;
+ int crypto;
 };
 const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
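Review bot: The new `else` branch makes `plain_text` alias `chunk_encrypted.memory` but nothing releases that chunk afterwards, while the crypto path calls `msc_remote_clean_chunk(&chunk_encrypted)` both here and again under `if (remote_rules_server->crypto == 1)` at the end of the function (the `@@ -692` hunk); that final guard looks inverted and should read `if (remote_rules_server->crypto != 1)` so the buffer is freed exactly once, after the rules have been added — unless `msc_remote_clean_chunk` is idempotent, the crypto path currently cleans the chunk twice. The `plain_text_len = strlen(plain_text);` inside the `else` is redundant, since the same assignment follows unconditionally two lines later. `strlen` on the downloaded buffer also presumes whoever fills `chunk_encrypted.memory` NUL-terminates it; worth confirming at that call, since the buffer is remote input. msc_remote_add_rules_from_uri begins before this hunk and continues past it.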
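Review bot: The corrected assignment through `*error_msg` on the `+` line still joins its two literal halves without a separator, so the reported text reads "file/folderpermissions"; end the first half with a space: `*error_msg = "Command failed to execute (check file/folder " \`. The enclosing `__try`/`__except` and the function begin before this hunk.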