github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 13:26:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'v3/master' into v3/sonarmemleakfix

Browse Source
This commit is contained in:
Ervin Hegedus 2024-08-05 14:04:04 +02:00 committed by GitHub
commit 82801752d4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
123 changed files with 1971 additions and 5864 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
.github/PULL_REQUEST_TEMPLATE.md vendored Normal file
View File

@ -0,0 +1,24 @@
<!-- Thank you for contributing to OWASP ModSecurity, your effort is greatly appreciated -->
<!-- Please help us by adding the information below in this PR so it aids reviewers -->
## what
<!--
- Describe high-level what changed as a result of these commits (i.e. in plain-english, what do these changes mean?)
- Use bullet points to be concise and to the point.
-->
## why
<!--
- Provide the justifications for the changes (e.g. business case).
- Describe why these changes were made (e.g. why do these commits fix the problem?)
- Use bullet points to be concise and to the point.
-->
## references
<!--
- Link to any supporting github issues or helpful documentation to add some context (e.g. stackoverflow).
- Use `closes #123`, if this PR closes a GitHub issue `#123`
-->

167
.github/workflows/ci.yml vendored
View File

@ -6,69 +6,190 @@ on:
jobs:
build-linux:
name: Linux (${{ matrix.platform.label }}, ${{ matrix.compiler.label }}, ${{ matrix.configure.label }})
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [ubuntu-22.04]
platform: [x32, x64]
compiler: [gcc, clang]
platform:
- {label: "x64", arch: "amd64", configure: "--enable-assertions=yes"}
- {label: "x32", arch: "i386", configure: "PKG_CONFIG_PATH=/usr/lib/i386-linux-gnu/pkgconfig CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32 --enable-assertions=yes"}
compiler:
- {label: "gcc", cc: "gcc", cxx: "g++"}
- {label: "clang", cc: "clang", cxx: "clang++"}
configure:
- {label: "with parser generation", opt: "--enable-parser-generation" }
- {label: "wo curl", opt: "--without-curl" }
- {label: "wo yajl", opt: "--without-yajl" }
- {label: "wo geoip", opt: "--without-geoip" }
- {label: "wo lmdb", opt: "--without-lmdb" }
- {label: "with pcre2", opt: "--with-pcre2" }
- {label: "wo lua", opt: "--without-lua" }
- {label: "without maxmind", opt: "--without-maxmind" }
- {label: "wo maxmind", opt: "--without-maxmind" }
- {label: "wo libxml", opt: "--without-libxml" }
- {label: "wo geoip", opt: "--without-geoip" }
- {label: "wo ssdeep", opt: "--without-ssdeep" }
- {label: "with lmdb", opt: "--with-lmdb" }
- {label: "with pcre2", opt: "--with-pcre2" }
exclude:
- platform: {label: "x32"}
configure: {label: "wo geoip"}
- platform: {label: "x32"}
configure: {label: "wo ssdeep"}
steps:
- name: Setup Dependencies
- name: Setup Dependencies (common)
run: |
sudo dpkg --add-architecture ${{ matrix.platform.arch }}
sudo apt-get update -y -qq
sudo apt-get install -y libfuzzy-dev libyajl-dev libgeoip-dev liblua5.2-dev liblmdb-dev cppcheck libmaxminddb-dev libcurl4-openssl-dev libpcre2-dev pcre2-utils
- uses: actions/checkout@v2
sudo apt-get install -y libyajl-dev:${{ matrix.platform.arch }} \
libcurl4-openssl-dev:${{ matrix.platform.arch }} \
liblmdb-dev:${{ matrix.platform.arch }} \
liblua5.2-dev:${{ matrix.platform.arch }} \
libmaxminddb-dev:${{ matrix.platform.arch }} \
libpcre2-dev:${{ matrix.platform.arch }} \
pcre2-utils:${{ matrix.platform.arch }} \
bison flex
- name: Setup Dependencies (x32)
if: ${{ matrix.platform.label == 'x32' }}
run: |
sudo apt-get install g++-multilib
sudo apt-get install -y libxml2-dev:${{ matrix.platform.arch }} \
libpcre3-dev:${{ matrix.platform.arch }}
- name: Setup Dependencies (x64)
if: ${{ matrix.platform.label == 'x64' }}
run: |
sudo apt-get install -y libgeoip-dev:${{ matrix.platform.arch }} \
libfuzzy-dev:${{ matrix.platform.arch }}
- uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- name: build.sh
run: ./build.sh
- name: configure ${{ matrix.configure.label }}
run: ./configure ${{ matrix.configure.opt }}
- name: configure
env:
CC: ${{ matrix.compiler.cc }}
CXX: ${{ matrix.compiler.cxx }}
run: ./configure ${{ matrix.platform.configure }} ${{ matrix.configure.opt }}
- uses: ammaraskar/gcc-problem-matcher@master
- name: make
run: make -j `nproc`
- name: check
run: make check
- name: check-static
run: make check-static
build-macos:
name: macOS (${{ matrix.configure.label }})
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [macos-12]
compiler: [clang]
configure:
- {label: "with parser generation", opt: "--enable-parser-generation" }
- {label: "wo curl", opt: "--without-curl" }
- {label: "wo yajl", opt: "--without-yajl" }
- {label: "wo geoip", opt: "--without-geoip" }
- {label: "wo lmdb", opt: "--without-lmdb" }
- {label: "wo ssdeep", opt: "--without-ssdeep" }
- {label: "wo lua", opt: "--without-lua" }
- {label: "wo maxmind", opt: "--without-maxmind" }
- {label: "wo libxml", opt: "--without-libxml" }
- {label: "wo geoip", opt: "--without-geoip" }
- {label: "wo ssdeep", opt: "--without-ssdeep" }
- {label: "with lmdb", opt: "--with-lmdb" }
- {label: "with pcre2", opt: "--with-pcre2" }
steps:
- name: Setup Dependencies
# autoconf, curl, pcre2 not installed because they're already
# included in the image
run: |
brew install autoconf automake cppcheck lmdb libyaml lua ssdeep libmaxminddb bison
- uses: actions/checkout@v2
brew install automake \
yajl \
lmdb \
lua \
libmaxminddb \
libxml2 \
geoip \
ssdeep \
pcre \
bison \
flex
- uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- name: build.sh
run: ./build.sh
- name: configure ${{ matrix.configure.label }}
run: ./configure ${{ matrix.configure.opt }}
- name: configure
run: ./configure ${{ matrix.configure.opt }} --enable-assertions=yes
- uses: ammaraskar/gcc-problem-matcher@master
- name: make
run: make -j `sysctl -n hw.logicalcpu`
- name: check
run: make check
build-windows:
name: Windows (${{ matrix.platform.label }}, ${{ matrix.configure.label }})
runs-on: ${{ matrix.os }}
strategy:
matrix:
os: [windows-2022]
platform:
- {label: "x64", arch: "x86_64"}
configuration: [Release]
configure:
- {label: "full", opt: "" }
- {label: "wo curl", opt: "-DWITHOUT_CURL=ON" }
- {label: "wo lmdb", opt: "-DWITHOUT_LMDB=ON" }
- {label: "wo lua", opt: "-DWITHOUT_LUA=ON" }
- {label: "wo maxmind", opt: "-DWITHOUT_MAXMIND=ON" }
- {label: "wo libxml", opt: "-WITHOUT_LIBXML2=ON" }
steps:
- uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- name: Install Conan
run: |
pip3 install conan --upgrade
conan profile detect
- uses: ammaraskar/msvc-problem-matcher@master
- name: Build ${{ matrix.configuration }} ${{ matrix.platform.arch }} ${{ matrix.configure.label }}
shell: cmd
run: vcbuild.bat ${{ matrix.configuration }} ${{ matrix.platform.arch }} NO_ASAN "${{ matrix.configure.opt }}"
- name: Set up test environment
working-directory: build\win32\build\${{ matrix.configuration }}
env:
BASE_DIR: ..\..\..\..
shell: cmd
run: |
copy unit_tests.exe %BASE_DIR%\test
copy regression_tests.exe %BASE_DIR%\test
copy libModSecurity.dll %BASE_DIR%\test
copy %BASE_DIR%\unicode.mapping %BASE_DIR%\test
md \tmp
md \bin
copy "C:\Program Files\Git\usr\bin\echo.exe" \bin
copy "C:\Program Files\Git\usr\bin\echo.exe" \bin\echo
- name: Disable tests that don't work on Windows
working-directory: test\test-cases\regression
shell: cmd
run: |
jq "map(if .title == \"Test match variable (1/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
jq "map(if .title == \"Test match variable (2/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
jq "map(if .title == \"Test match variable (3/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
jq "map(if .title == \"Variable offset - FILES_NAMES\" then .enabled = 0 else . end)" offset-variable.json > tmp.json && move /Y tmp.json offset-variable.json
- name: Run tests
working-directory: build\win32\build
run: |
ctest -C ${{ matrix.configuration }} --output-on-failure
cppcheck:
runs-on: [ubuntu-22.04]
steps:
- name: Setup Dependencies
run: |
sudo apt-get update -y -qq
sudo apt-get install -y cppcheck
- name: Checkout source
uses: actions/checkout@v4
with:
submodules: true
fetch-depth: 0
- name: Configure libModSecurity
run: |
./build.sh
./configure
- name: Run cppcheck on libModSecurity
run: make check-static

5
.gitignore vendored
View File

@ -11,13 +11,18 @@ build/ltoptions.m4
build/ltsugar.m4
build/ltversion.m4
build/lt~obsolete.m4
build/win32/build
build/win32/CMakeUserPresets.json
compile
config.guess
config.log
config.status
config.sub
config.h.in~
configure
configure~
depcomp
modsecurity.pc
.deps
.libs
.dirstamp

7
.gitmodules vendored
View File

@ -1,9 +1,12 @@
[submodule "test/test-cases/secrules-language-tests"]
path = test/test-cases/secrules-language-tests
url = https://github.com/SpiderLabs/secrules-language-tests
url = https://github.com/owasp-modsecurity/secrules-language-tests
[submodule "others/libinjection"]
path = others/libinjection
url = https://github.com/libinjection/libinjection.git
[submodule "bindings/python"]
path = bindings/python
url = https://github.com/SpiderLabs/ModSecurity-Python-bindings.git
url = https://github.com/owasp-modsecurity/ModSecurity-Python-bindings.git
[submodule "others/mbedtls"]
path = others/mbedtls
url = https://github.com/Mbed-TLS/mbedtls.git

260
Makefile.am
View File

@ -59,10 +59,11 @@ cppcheck:
@cppcheck -U YYSTYPE -U MBEDTLS_MD5_ALT -U MBEDTLS_SHA1_ALT \
-D MS_CPPCHECK_DISABLED_FOR_PARSER -U YY_USER_INIT \
--suppressions-list=./test/cppcheck_suppressions.txt \
--inline-suppr \
--enable=warning,style,performance,portability,unusedFunction,missingInclude \
--inconclusive \
--template="warning: {file},{line},{severity},{id},{message}" \
-I headers -I . -I others -I src -I others/mbedtls -I src/parser \
-I headers -I . -I others -I src -I others/mbedtls/include -I src/parser \
--error-exitcode=1 \
-i "src/parser/seclang-parser.cc" -i "src/parser/seclang-scanner.cc" \
--force --verbose .
@ -88,263 +89,8 @@ LOG_DRIVER = env $(SHELL) $(top_srcdir)/test/custom-test-driver
AM_TESTS_ENVIRONMENT=AUTOMAKE_TESTS=true; export AUTOMAKE_TESTS;
LOG_COMPILER=test/test-suite.sh
# for i in `find test/test-cases -iname *.json`; do echo TESTS+=$i; done
TESTS=
TESTS+=test/test-cases/regression/action-allow.json
TESTS+=test/test-cases/regression/action-block.json
TESTS+=test/test-cases/regression/action-ctl_request_body_access.json
TESTS+=test/test-cases/regression/action-ctl_request_body_processor.json
TESTS+=test/test-cases/regression/action-ctl_request_body_processor_urlencoded.json
TESTS+=test/test-cases/regression/action-ctl_rule_engine.json
TESTS+=test/test-cases/regression/action-ctl_audit_engine.json
TESTS+=test/test-cases/regression/action-ctl_rule_remove_by_id.json
TESTS+=test/test-cases/regression/action-ctl_rule_remove_by_tag.json
TESTS+=test/test-cases/regression/action-ctl_rule_remove_target_by_id.json
TESTS+=test/test-cases/regression/action-ctl_rule_remove_target_by_tag.json
TESTS+=test/test-cases/regression/action-disruptive.json
TESTS+=test/test-cases/regression/action-exec.json
TESTS+=test/test-cases/regression/action-expirevar.json
TESTS+=test/test-cases/regression/action-id.json
TESTS+=test/test-cases/regression/action-initcol.json
TESTS+=test/test-cases/regression/action-msg.json
TESTS+=test/test-cases/regression/action-setenv.json
TESTS+=test/test-cases/regression/action-setrsc.json
TESTS+=test/test-cases/regression/action-setsid.json
TESTS+=test/test-cases/regression/action-setuid.json
TESTS+=test/test-cases/regression/actions.json
TESTS+=test/test-cases/regression/action-skip.json
TESTS+=test/test-cases/regression/action-tag.json
TESTS+=test/test-cases/regression/action-tnf-base64.json
TESTS+=test/test-cases/regression/action-xmlns.json
TESTS+=test/test-cases/regression/auditlog.json
TESTS+=test/test-cases/regression/collection-case-insensitive.json
TESTS+=test/test-cases/regression/collection-lua.json
TESTS+=test/test-cases/regression/collection-regular_expression_selection.json
TESTS+=test/test-cases/regression/collection-resource.json
TESTS+=test/test-cases/regression/collection-tx.json
TESTS+=test/test-cases/regression/collection-tx-with-macro.json
TESTS+=test/test-cases/regression/config-body_limits.json
TESTS+=test/test-cases/regression/config-calling_phases_by_name.json
TESTS+=test/test-cases/regression/config-include-bad.json
TESTS+=test/test-cases/regression/config-include.json
TESTS+=test/test-cases/regression/config-remove_by_id.json
TESTS+=test/test-cases/regression/config-remove_by_msg.json
TESTS+=test/test-cases/regression/config-remove_by_tag.json
TESTS+=test/test-cases/regression/config-response_type.json
TESTS+=test/test-cases/regression/config-secdefaultaction.json
TESTS+=test/test-cases/regression/config-secremoterules.json
TESTS+=test/test-cases/regression/config-update-action-by-id.json
TESTS+=test/test-cases/regression/config-update-target-by-id.json
TESTS+=test/test-cases/regression/config-update-target-by-msg.json
TESTS+=test/test-cases/regression/config-update-target-by-tag.json
TESTS+=test/test-cases/regression/config-xml_external_entity.json
TESTS+=test/test-cases/regression/debug_log.json
TESTS+=test/test-cases/regression/directive-sec_rule_script.json
TESTS+=test/test-cases/regression/issue-1152.json
TESTS+=test/test-cases/regression/issue-1528.json
TESTS+=test/test-cases/regression/issue-1565.json
TESTS+=test/test-cases/regression/issue-1576.json
TESTS+=test/test-cases/regression/issue-1591.json
TESTS+=test/test-cases/regression/issue-1725.json
TESTS+=test/test-cases/regression/issue-1743.json
TESTS+=test/test-cases/regression/issue-1785.json
TESTS+=test/test-cases/regression/issue-1812.json
TESTS+=test/test-cases/regression/issue-1831.json
TESTS+=test/test-cases/regression/issue-1844.json
TESTS+=test/test-cases/regression/issue-1850.json
TESTS+=test/test-cases/regression/issue-1941.json
TESTS+=test/test-cases/regression/issue-1943.json
TESTS+=test/test-cases/regression/issue-1956.json
TESTS+=test/test-cases/regression/issue-1960.json
TESTS+=test/test-cases/regression/issue-2099.json
TESTS+=test/test-cases/regression/issue-2000.json
TESTS+=test/test-cases/regression/issue-2111.json
TESTS+=test/test-cases/regression/issue-2196.json
TESTS+=test/test-cases/regression/issue-2423-msg-in-chain.json
TESTS+=test/test-cases/regression/issue-2427.json
TESTS+=test/test-cases/regression/issue-2296.json
TESTS+=test/test-cases/regression/issue-394.json
TESTS+=test/test-cases/regression/issue-849.json
TESTS+=test/test-cases/regression/issue-960.json
TESTS+=test/test-cases/regression/misc.json
TESTS+=test/test-cases/regression/misc-variable-under-quotes.json
TESTS+=test/test-cases/regression/offset-variable.json
TESTS+=test/test-cases/regression/operator-detectsqli.json
TESTS+=test/test-cases/regression/operator-detectxss.json
TESTS+=test/test-cases/regression/operator-fuzzyhash.json
TESTS+=test/test-cases/regression/operator-inpectFile.json
TESTS+=test/test-cases/regression/operator-ipMatchFromFile.json
TESTS+=test/test-cases/regression/operator-pm.json
TESTS+=test/test-cases/regression/operator-rx.json
TESTS+=test/test-cases/regression/operator-rxGlobal.json
TESTS+=test/test-cases/regression/operator-UnconditionalMatch.json
TESTS+=test/test-cases/regression/operator-validate-byte-range.json
TESTS+=test/test-cases/regression/operator-verifycc.json
TESTS+=test/test-cases/regression/operator-verifycpf.json
TESTS+=test/test-cases/regression/operator-verifyssn.json
TESTS+=test/test-cases/regression/operator-verifysvnr.json
TESTS+=test/test-cases/regression/request-body-parser-json.json
TESTS+=test/test-cases/regression/request-body-parser-multipart-crlf.json
TESTS+=test/test-cases/regression/request-body-parser-multipart.json
TESTS+=test/test-cases/regression/request-body-parser-xml.json
TESTS+=test/test-cases/regression/request-body-parser-xml-validade-dtd.json
TESTS+=test/test-cases/regression/rule-920120.json
TESTS+=test/test-cases/regression/rule-920200.json
TESTS+=test/test-cases/regression/rule-920274.json
TESTS+=test/test-cases/regression/secaction.json
TESTS+=test/test-cases/regression/secargumentslimit.json
TESTS+=test/test-cases/regression/sec_component_signature.json
TESTS+=test/test-cases/regression/secmarker.json
TESTS+=test/test-cases/regression/secruleengine.json
TESTS+=test/test-cases/regression/transformation-none.json
TESTS+=test/test-cases/regression/transformations.json
TESTS+=test/test-cases/regression/variable-ARGS_COMBINED_SIZE.json
TESTS+=test/test-cases/regression/variable-ARGS_GET.json
TESTS+=test/test-cases/regression/variable-ARGS_GET_NAMES.json
TESTS+=test/test-cases/regression/variable-ARGS.json
TESTS+=test/test-cases/regression/variable-ARGS_NAMES.json
TESTS+=test/test-cases/regression/variable-ARGS_POST.json
TESTS+=test/test-cases/regression/variable-ARGS_POST_NAMES.json
TESTS+=test/test-cases/regression/variable-AUTH_TYPE.json
TESTS+=test/test-cases/regression/variable-DURATION.json
TESTS+=test/test-cases/regression/variable-ENV.json
TESTS+=test/test-cases/regression/variable-FILES_COMBINED_SIZE.json
TESTS+=test/test-cases/regression/variable-FILES.json
TESTS+=test/test-cases/regression/variable-FILES_NAMES.json
TESTS+=test/test-cases/regression/variable-FILES_SIZES.json
TESTS+=test/test-cases/regression/variable-FULL_REQUEST.json
TESTS+=test/test-cases/regression/variable-FULL_REQUEST_LENGTH.json
TESTS+=test/test-cases/regression/variable-GEO.json
TESTS+=test/test-cases/regression/variable-HIGHEST_SEVERITY.json
TESTS+=test/test-cases/regression/variable-INBOUND_DATA_ERROR.json
TESTS+=test/test-cases/regression/variable-MATCHED_VAR.json
TESTS+=test/test-cases/regression/variable-MATCHED_VAR_NAME.json
TESTS+=test/test-cases/regression/variable-MATCHED_VARS.json
TESTS+=test/test-cases/regression/variable-MATCHED_VARS_NAMES.json
TESTS+=test/test-cases/regression/variable-MODSEC_BUILD.json
TESTS+=test/test-cases/regression/variable-MULTIPART_CRLF_LF_LINES.json
TESTS+=test/test-cases/regression/variable-MULTIPART_FILENAME.json
TESTS+=test/test-cases/regression/variable-MULTIPART_INVALID_HEADER_FOLDING.json
TESTS+=test/test-cases/regression/variable-MULTIPART_NAME.json
TESTS+=test/test-cases/regression/variable-MULTIPART_PART_HEADERS.json
TESTS+=test/test-cases/regression/variable-MULTIPART_STRICT_ERROR.json
TESTS+=test/test-cases/regression/variable-MULTIPART_UNMATCHED_BOUNDARY.json
TESTS+=test/test-cases/regression/variable-OUTBOUND_DATA_ERROR.json
TESTS+=test/test-cases/regression/variable-PATH_INFO.json
TESTS+=test/test-cases/regression/variable-QUERY_STRING.json
TESTS+=test/test-cases/regression/variable-REMOTE_ADDR.json
TESTS+=test/test-cases/regression/variable-REMOTE_HOST.json
TESTS+=test/test-cases/regression/variable-REMOTE_PORT.json
TESTS+=test/test-cases/regression/variable-REMOTE_USER.json
TESTS+=test/test-cases/regression/variable-REQBODY_PROCESSOR_ERROR.json
TESTS+=test/test-cases/regression/variable-REQBODY_PROCESSOR.json
TESTS+=test/test-cases/regression/variable-REQUEST_BASENAME.json
TESTS+=test/test-cases/regression/variable-REQUEST_BODY.json
TESTS+=test/test-cases/regression/variable-REQUEST_BODY_LENGTH.json
TESTS+=test/test-cases/regression/variable-REQUEST_COOKIES.json
TESTS+=test/test-cases/regression/variable-REQUEST_COOKIES_NAMES.json
TESTS+=test/test-cases/regression/variable-REQUEST_FILENAME.json
TESTS+=test/test-cases/regression/variable-REQUEST_HEADERS.json
TESTS+=test/test-cases/regression/variable-REQUEST_HEADERS_NAMES.json
TESTS+=test/test-cases/regression/variable-REQUEST_LINE.json
TESTS+=test/test-cases/regression/variable-REQUEST_METHOD.json
TESTS+=test/test-cases/regression/variable-REQUEST_PROTOCOL.json
TESTS+=test/test-cases/regression/variable-REQUEST_URI.json
TESTS+=test/test-cases/regression/variable-REQUEST_URI_RAW.json
TESTS+=test/test-cases/regression/variable-RESPONSE_BODY.json
TESTS+=test/test-cases/regression/variable-RESPONSE_CONTENT_LENGTH.json
TESTS+=test/test-cases/regression/variable-RESPONSE_CONTENT_TYPE.json
TESTS+=test/test-cases/regression/variable-RESPONSE_HEADERS.json
TESTS+=test/test-cases/regression/variable-RESPONSE_HEADERS_NAMES.json
TESTS+=test/test-cases/regression/variable-RESPONSE_PROTOCOL.json
TESTS+=test/test-cases/regression/variable-RULE.json
TESTS+=test/test-cases/regression/variable-SERVER_ADDR.json
TESTS+=test/test-cases/regression/variable-SERVER_NAME.json
TESTS+=test/test-cases/regression/variable-SERVER_PORT.json
TESTS+=test/test-cases/regression/variable-SESSIONID.json
TESTS+=test/test-cases/regression/variable-STATUS.json
TESTS+=test/test-cases/regression/variable-TIME_DAY.json
TESTS+=test/test-cases/regression/variable-TIME_EPOCH.json
TESTS+=test/test-cases/regression/variable-TIME_HOUR.json
TESTS+=test/test-cases/regression/variable-TIME.json
TESTS+=test/test-cases/regression/variable-TIME_MIN.json
TESTS+=test/test-cases/regression/variable-TIME_MON.json
TESTS+=test/test-cases/regression/variable-TIME_SEC.json
TESTS+=test/test-cases/regression/variable-TIME_WDAY.json
TESTS+=test/test-cases/regression/variable-TIME_YEAR.json
TESTS+=test/test-cases/regression/variable-TX.json
TESTS+=test/test-cases/regression/variable-UNIQUE_ID.json
TESTS+=test/test-cases/regression/variable-URLENCODED_ERROR.json
TESTS+=test/test-cases/regression/variable-USERID.json
TESTS+=test/test-cases/regression/variable-variation-count.json
TESTS+=test/test-cases/regression/variable-variation-exclusion.json
TESTS+=test/test-cases/regression/variable-WEBAPPID.json
TESTS+=test/test-cases/regression/variable-WEBSERVER_ERROR_LOG.json
TESTS+=test/test-cases/regression/variable-XML.json
TESTS+=test/test-cases/secrules-language-tests/operators/beginsWith.json
TESTS+=test/test-cases/secrules-language-tests/operators/contains.json
TESTS+=test/test-cases/secrules-language-tests/operators/containsWord.json
TESTS+=test/test-cases/secrules-language-tests/operators/detectSQLi.json
TESTS+=test/test-cases/secrules-language-tests/operators/detectXSS.json
TESTS+=test/test-cases/secrules-language-tests/operators/endsWith.json
TESTS+=test/test-cases/secrules-language-tests/operators/eq.json
TESTS+=test/test-cases/secrules-language-tests/operators/ge.json
TESTS+=test/test-cases/secrules-language-tests/operators/geoLookup.json
TESTS+=test/test-cases/secrules-language-tests/operators/gt.json
TESTS+=test/test-cases/secrules-language-tests/operators/ipMatch.json
TESTS+=test/test-cases/secrules-language-tests/operators/le.json
TESTS+=test/test-cases/secrules-language-tests/operators/lt.json
TESTS+=test/test-cases/secrules-language-tests/operators/noMatch.json
TESTS+=test/test-cases/secrules-language-tests/operators/pmFromFile.json
TESTS+=test/test-cases/secrules-language-tests/operators/pm.json
TESTS+=test/test-cases/secrules-language-tests/operators/rx.json
TESTS+=test/test-cases/secrules-language-tests/operators/rxGlobal.json
TESTS+=test/test-cases/secrules-language-tests/operators/streq.json
TESTS+=test/test-cases/secrules-language-tests/operators/strmatch.json
TESTS+=test/test-cases/secrules-language-tests/operators/unconditionalMatch.json
TESTS+=test/test-cases/secrules-language-tests/operators/validateByteRange.json
TESTS+=test/test-cases/secrules-language-tests/operators/validateUrlEncoding.json
TESTS+=test/test-cases/secrules-language-tests/operators/validateUtf8Encoding.json
TESTS+=test/test-cases/secrules-language-tests/operators/verifyCC.json
TESTS+=test/test-cases/secrules-language-tests/operators/verifycpf.json
TESTS+=test/test-cases/secrules-language-tests/operators/verifyssn.json
TESTS+=test/test-cases/secrules-language-tests/operators/verifysvnr.json
TESTS+=test/test-cases/secrules-language-tests/operators/within.json
TESTS+=test/test-cases/secrules-language-tests/transformations/base64DecodeExt.json
TESTS+=test/test-cases/secrules-language-tests/transformations/base64Decode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/base64Encode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/cmdLine.json
TESTS+=test/test-cases/secrules-language-tests/transformations/compressWhitespace.json
TESTS+=test/test-cases/secrules-language-tests/transformations/cssDecode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/escapeSeqDecode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/hexDecode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/hexEncode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/htmlEntityDecode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/jsDecode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/length.json
TESTS+=test/test-cases/secrules-language-tests/transformations/lowercase.json
TESTS+=test/test-cases/secrules-language-tests/transformations/md5.json
TESTS+=test/test-cases/secrules-language-tests/transformations/normalisePath.json
TESTS+=test/test-cases/secrules-language-tests/transformations/normalisePathWin.json
TESTS+=test/test-cases/secrules-language-tests/transformations/parityEven7bit.json
TESTS+=test/test-cases/secrules-language-tests/transformations/parityOdd7bit.json
TESTS+=test/test-cases/secrules-language-tests/transformations/parityZero7bit.json
TESTS+=test/test-cases/secrules-language-tests/transformations/removeCommentsChar.json
TESTS+=test/test-cases/secrules-language-tests/transformations/removeComments.json
TESTS+=test/test-cases/secrules-language-tests/transformations/removeNulls.json
TESTS+=test/test-cases/secrules-language-tests/transformations/removeWhitespace.json
TESTS+=test/test-cases/secrules-language-tests/transformations/replaceComments.json
TESTS+=test/test-cases/secrules-language-tests/transformations/replaceNulls.json
TESTS+=test/test-cases/secrules-language-tests/transformations/sha1.json
TESTS+=test/test-cases/secrules-language-tests/transformations/sqlHexDecode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/trim.json
TESTS+=test/test-cases/secrules-language-tests/transformations/trimLeft.json
TESTS+=test/test-cases/secrules-language-tests/transformations/trimRight.json
TESTS+=test/test-cases/secrules-language-tests/transformations/urlDecode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/urlDecodeUni.json
TESTS+=test/test-cases/secrules-language-tests/transformations/urlEncode.json
TESTS+=test/test-cases/secrules-language-tests/transformations/utf8toUnicode.json
include test/test-suite.in
pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = modsecurity.pc

95
README.md
View File

@ -57,7 +57,13 @@ As a dynamic library, dont forget that libmodsecurity must be installed to a
### Unix (Linux, MacOS, FreeBSD, …)
On unix the project uses autotools to help the compilation process.
On unix the project uses autotools to help the compilation process. Please note that if you are working with `git`, don't forget to initialize and update the submodules. Here's a quick how-to:
```shell
$ git clone --recursive https://github.com/owasp-modsecurity/ModSecurity ModSecurity
$ cd ModSecurity
```
You can then start the build process:
```shell
$ ./build.sh
@ -71,8 +77,7 @@ Details on distribution specific builds can be found in our Wiki:
### Windows
Windows build is not ready yet.
Windows build information can be found [here](build/win32/README.md).
## Dependencies
@ -231,11 +236,90 @@ CFLAGS to disable the compilation optimization parameters:
```shell
$ export CFLAGS="-g -O0"
$ ./build.sh
$ ./configure
$ ./configure --enable-assertions=yes
$ make
$ sudo make install
```
"Assertions allow us to document assumptions and to spot violations early in the
development process. What is more, assertions allow us to spot violations with a
minimum of effort." https://dl.acm.org/doi/pdf/10.1145/240964.240969
It is recommended to use assertions where applicable, and to enable them with
'--enable-assertions=yes' during the testing and debugging workflow.
### Benchmarking
The source tree includes a Benchmark tool that can help measure library performance. The tool is located in the `test/benchmark/` directory. The build process also creates the binary here, so you will have the tool after the compilation is finished.
To run, just type:
```shell
cd test/benchmark
$ ./benchmark
Doing 1000000 transactions...
```
You can also pass a lower value:
```shell
$ ./benchmark 1000
Doing 1000 transactions...
```
To measure the time:
```shell
$ time ./benchmark 1000
Doing 1000 transactions...
real 0m0.351s
user 0m0.337s
sys 0m0.022s
```
This is very fast because the benchmark uses the minimal `modsecurity.conf.default` configuration, which doesn't include too many rules:
```shell
$ cat basic_rules.conf
Include "../../modsecurity.conf-recommended"
```
To measure with real rules, run one of the download scripts in the same directory:
```shell
$ ./download-owasp-v3-rules.sh
Cloning into 'owasp-v3'...
remote: Enumerating objects: 33007, done.
remote: Counting objects: 100% (2581/2581), done.
remote: Compressing objects: 100% (907/907), done.
remote: Total 33007 (delta 2151), reused 2004 (delta 1638), pack-reused 30426
Receiving objects: 100% (33007/33007), 9.02 MiB | 16.21 MiB/s, done.
Resolving deltas: 100% (25927/25927), done.
Switched to a new branch 'tag3.0.2'
/path/to/ModSecurity/test/benchmark
Done.
$ cat basic_rules.conf
Include "../../modsecurity.conf-recommended"
Include "owasp-v3/crs-setup.conf.example"
Include "owasp-v3/rules/*.conf"
```
Now the command will give much higher value.
#### How the benchmark works
The tool is a straightforward wrapper application that utilizes the library. It creates a ModSecurity instance and a RuleSet instance, then runs a loop based on the specified number. Within this loop, it creates a Transaction object to emulate real HTTP transactions.
Each transaction is an HTTP/1.1 GET request with some GET parameters. Common headers are added, followed by the response headers and an XML body. Between phases, the tool checks whether an intervention has occurred. All transactions are created with the same data.
Note that the tool does not call the last phase (logging).
Please remember to reset `basic_rules.conf` if you want to try with a different ruleset.
## Reporting Issues
@ -262,8 +346,9 @@ new issue, please check if there is one already opened on the same topic.
## Bindings
The libModSecurity design allows the integration with bindings. There is an effort to avoid breaking API [binary] compatibility to make an easy integration with possible bindings. Currently, there are two notable projects maintained by the community:
The libModSecurity design allows the integration with bindings. There is an effort to avoid breaking API [binary] compatibility to make an easy integration with possible bindings. Currently, there are a few notable projects maintained by the community:
* Python - https://github.com/actions-security/pymodsecurity
* Rust - https://github.com/rkrishn7/rust-modsecurity
* Varnish - https://github.com/xdecock/vmod-modsecurity
## Packaging

270
build/win32/CMakeLists.txt Normal file
View File

@ -0,0 +1,270 @@
cmake_minimum_required(VERSION 3.24)
set(BASE_DIR ${CMAKE_CURRENT_LIST_DIR}/../..)
option(WITHOUT_LMDB "Include LMDB support" OFF)
option(WITHOUT_LUA "Include LUA support" OFF)
option(WITHOUT_LIBXML2 "Include LibXML2 support" OFF)
option(WITHOUT_MAXMIND "Include MaxMind support" OFF)
option(WITHOUT_CURL "Include CURL support" OFF)
option(USE_ASAN "Build with Address Sanitizer" OFF)
# common compiler settings
# NOTE: MBEDTLS_CONFIG_FILE is not only required to compile the mbedtls subset in others, but also
# when their headers are included while compiling libModSecurity
add_compile_definitions(WIN32 _CRT_SECURE_NO_WARNINGS MBEDTLS_CONFIG_FILE="mbedtls/mbedtls_config.h")
# set standards conformance preprocessor & compiler to align with cross-compiled codebase
# NOTE: otherwise visual c++'s default compiler/preprocessor behaviour generates C4067 warnings
# (unexpected tokens following preprocessor directive - expected a newline)
add_compile_options(/Zc:preprocessor /permissive-)
if(USE_ASAN)
add_compile_options(/fsanitize=address)
add_link_options(/INFERASANLIBS /INCREMENTAL:no)
endif()
# libinjection
project(libinjection C)
set(LIBINJECTION_DIR ${BASE_DIR}/others/libinjection)
add_library(libinjection STATIC ${LIBINJECTION_DIR}/src/libinjection_sqli.c ${LIBINJECTION_DIR}/src/libinjection_xss.c ${LIBINJECTION_DIR}/src/libinjection_html5.c)
# get libinjection version with git describe
execute_process(
COMMAND git describe
WORKING_DIRECTORY ${LIBINJECTION_DIR}
OUTPUT_VARIABLE LIBINJECTION_VERSION
OUTPUT_STRIP_TRAILING_WHITESPACE
)
message("-- Detecting libinjection version - ${LIBINJECTION_VERSION}")
target_compile_definitions(libinjection PRIVATE LIBINJECTION_VERSION="${LIBINJECTION_VERSION}")
# mbedtls (mbedcrypto)
project(mbedcrypto C)
set(MBEDTLS_DIR ${BASE_DIR}/others/mbedtls)
add_library(mbedcrypto STATIC ${MBEDTLS_DIR}/library/base64.c ${MBEDTLS_DIR}/library/sha1.c ${MBEDTLS_DIR}/library/md5.c ${MBEDTLS_DIR}/library/platform_util.c ${MBEDTLS_DIR}/library/constant_time.c)
target_include_directories(mbedcrypto PRIVATE ${MBEDTLS_DIR}/include)
# get mbedtls version with git describe
execute_process(
COMMAND git describe
WORKING_DIRECTORY ${MBEDTLS_DIR}
OUTPUT_VARIABLE MBEDTLS_VERSION
OUTPUT_STRIP_TRAILING_WHITESPACE
)
message("-- Detecting Mbed TLS version - ${MBEDTLS_VERSION}")
#
# libModSecurity
#
project(libModSecurity
VERSION
3.0.12
LANGUAGES
CXX
)
set(CMAKE_CXX_STANDARD 17)
set(CMAKE_CXX_STANDARD_REQUIRED On)
set(CMAKE_CXX_EXTENSIONS Off)
set(PACKAGE_BUGREPORT "security@modsecurity.org")
set(PACKAGE_NAME "modsecurity")
set(PACKAGE_VERSION "${PROJECT_VERSION}")
set(PACKAGE_STRING "${PACKAGE_NAME} ${PACKAGE_VERSION}")
set(PACKAGE_TARNAME "${PACKAGE_NAME}")
set(HAVE_YAJL 1) # should always be one, mandatory dependency
set(HAVE_GEOIP 0) # should always be zero, no conan package available
set(HAVE_SSDEEP 0) # should always be zero, no conan package available
macro(enable_feature flag option)
if(${option})
set(${flag} 0)
else()
set(${flag} 1)
endif()
endmacro()
enable_feature(HAVE_LMDB ${WITHOUT_LMDB})
enable_feature(HAVE_LUA ${WITHOUT_LUA})
enable_feature(HAVE_LIBXML2 ${WITHOUT_LIBXML2})
enable_feature(HAVE_MAXMIND ${WITHOUT_MAXMIND})
enable_feature(HAVE_CURL ${WITHOUT_CURL})
include(${CMAKE_CURRENT_LIST_DIR}/ConfigureChecks.cmake)
configure_file(config.h.cmake ${BASE_DIR}/src/config.h)
find_package(PCRE2 REQUIRED)
find_package(PThreads4W REQUIRED)
find_package(Poco REQUIRED)
find_package(dirent REQUIRED) # used only by tests (check dirent::dirent refernces)
macro(include_package package flag)
if(${flag})
find_package(${package} REQUIRED)
endif()
endmacro()
include_package(yajl HAVE_YAJL)
include_package(libxml2 HAVE_LIBXML2)
include_package(lua HAVE_LUA)
include_package(CURL HAVE_CURL)
include_package(lmdb HAVE_LMDB)
include_package(maxminddb HAVE_MAXMIND)
# library
#
# NOTE: required to generate libModSecurity's import library (libModSecurity.lib), used by tests to link with shared library
set(CMAKE_WINDOWS_EXPORT_ALL_SYMBOLS ON)
file(GLOB_RECURSE libModSecuritySources ${BASE_DIR}/src/*.cc)
add_library(libModSecurity SHARED ${libModSecuritySources})
target_compile_definitions(libModSecurity PRIVATE WITH_PCRE2)
target_include_directories(libModSecurity PRIVATE ${BASE_DIR} ${BASE_DIR}/headers ${BASE_DIR}/others ${MBEDTLS_DIR}/include)
target_link_libraries(libModSecurity PRIVATE pcre2::pcre2 pthreads4w::pthreads4w libinjection mbedcrypto Poco::Poco Iphlpapi.lib)
macro(add_package_dependency project compile_definition link_library flag)
if(${flag})
target_compile_definitions(${project} PRIVATE ${compile_definition})
target_link_libraries(${project} PRIVATE ${link_library})
endif()
endmacro()
add_package_dependency(libModSecurity WITH_YAJL yajl::yajl HAVE_YAJL)
add_package_dependency(libModSecurity WITH_LIBXML2 LibXml2::LibXml2 HAVE_LIBXML2)
add_package_dependency(libModSecurity WITH_LUA lua::lua HAVE_LUA)
if(HAVE_LUA)
target_compile_definitions(libModSecurity PRIVATE WITH_LUA_5_4)
endif()
add_package_dependency(libModSecurity MSC_WITH_CURL CURL::libcurl HAVE_CURL)
add_package_dependency(libModSecurity WITH_LMDB lmdb::lmdb HAVE_LMDB)
add_package_dependency(libModSecurity WITH_MAXMIND maxminddb::maxminddb HAVE_MAXMIND)
# tests
#
project(libModSecurityTests)
function(setTestTargetProperties executable)
target_compile_definitions(${executable} PRIVATE WITH_PCRE2)
target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers)
target_link_libraries(${executable} PRIVATE libModSecurity pcre2::pcre2 dirent::dirent)
add_package_dependency(${executable} WITH_YAJL yajl::yajl HAVE_YAJL)
endfunction()
# unit tests
file(GLOB unitTestSources ${BASE_DIR}/test/unit/*.cc)
add_executable(unit_tests ${unitTestSources})
setTestTargetProperties(unit_tests)
target_compile_options(unit_tests PRIVATE /wd4805)
# regression tests
file(GLOB regressionTestsSources ${BASE_DIR}/test/regression/*.cc)
add_executable(regression_tests ${regressionTestsSources})
setTestTargetProperties(regression_tests)
macro(add_regression_test_capability compile_definition flag)
if(${flag})
target_compile_definitions(regression_tests PRIVATE ${compile_definition})
endif()
endmacro()
add_regression_test_capability(WITH_LUA HAVE_LUA)
add_regression_test_capability(WITH_CURL HAVE_CURL)
add_regression_test_capability(WITH_LMDB HAVE_LMDB)
add_regression_test_capability(WITH_MAXMIND HAVE_MAXMIND)
enable_testing()
file(READ ${BASE_DIR}/test/test-suite.in TEST_FILES_RAW)
string(REPLACE "\n" ";" TEST_FILES ${TEST_FILES_RAW})
foreach(TEST_FILE ${TEST_FILES})
# ignore comment lines
string(FIND ${TEST_FILE} "#" is_comment)
if(NOT is_comment EQUAL 0)
string(FIND ${TEST_FILE} "TESTS+=" is_valid_prefix)
if(NOT is_valid_prefix EQUAL 0)
message(FATAL_ERROR "Invalid prefix in line: ${TEST_FILE}")
endif()
# remove 'TESTS+=' prefix and 'test/' too because tests are launched
# from that directory
string(SUBSTRING ${TEST_FILE} 12 -1 TEST_FILE)
# test name
get_filename_component(TEST_NAME ${TEST_FILE} NAME_WE)
# determine test runner based on test path prefix
string(FIND ${TEST_FILE} "test-cases/regression/" is_regression_test)
if(is_regression_test EQUAL 0)
set(TEST_RUNNER "regression_tests")
else()
set(TEST_RUNNER "unit_tests")
endif()
add_test(NAME ${TEST_NAME} COMMAND ${TEST_RUNNER} ${TEST_FILE} WORKING_DIRECTORY ${BASE_DIR}/test)
endif()
endforeach()
# benchmark
add_executable(benchmark ${BASE_DIR}/test/benchmark/benchmark.cc)
setTestTargetProperties(benchmark)
# rules_optimization
add_executable(rules_optimization ${BASE_DIR}/test/optimization/optimization.cc)
setTestTargetProperties(rules_optimization)
# examples
#
project(libModSecurityExamples)
function(setExampleTargetProperties executable)
target_include_directories(${executable} PRIVATE ${BASE_DIR} ${BASE_DIR}/headers)
target_link_libraries(${executable} PRIVATE libModSecurity)
endfunction()
# simple_example_using_c
add_executable(simple_example_using_c ${BASE_DIR}/examples/simple_example_using_c/test.c)
setExampleTargetProperties(simple_example_using_c)
# using_bodies_in_chunks
add_executable(using_bodies_in_chunks ${BASE_DIR}/examples/using_bodies_in_chunks/simple_request.cc)
setExampleTargetProperties(using_bodies_in_chunks)
# reading_logs_via_rule_message
add_executable(reading_logs_via_rule_message ${BASE_DIR}/examples/reading_logs_via_rule_message/simple_request.cc)
setExampleTargetProperties(reading_logs_via_rule_message)
target_link_libraries(reading_logs_via_rule_message PRIVATE libModSecurity pthreads4w::pthreads4w)
# reading_logs_with_offset
add_executable(reading_logs_with_offset ${BASE_DIR}/examples/reading_logs_with_offset/read.cc)
setExampleTargetProperties(reading_logs_with_offset)
# tools
#
# rules_check
add_executable(rules_check ${BASE_DIR}/tools/rules-check/rules-check.cc)
target_include_directories(rules_check PRIVATE ${BASE_DIR} ${BASE_DIR}/headers)
target_link_libraries(rules_check PRIVATE libModSecurity)

18
build/win32/ConfigureChecks.cmake Normal file
View File

@ -0,0 +1,18 @@
include(CheckIncludeFile)
include(CheckIncludeFiles)
check_include_file("dlfcn.h" HAVE_DLFCN_H)
check_include_file("inttypes.h" HAVE_INTTYPES_H)
check_include_file("stdint.h" HAVE_STDINT_H)
check_include_file("stdio.h" HAVE_STDIO_H)
check_include_file("stdlib.h" HAVE_STDLIB_H)
check_include_file("string" HAVE_STRING)
check_include_file("strings.h" HAVE_STRINGS_H)
check_include_file("string.h" HAVE_STRING_H)
check_include_file("sys/stat.h" HAVE_SYS_STAT_H)
check_include_file("sys/types.h" HAVE_SYS_TYPES_H)
check_include_file("sys/utsname.h" HAVE_SYS_UTSNAME_H)
check_include_file("unistd.h" HAVE_UNISTD_H)
#/* Define to 1 if you have the ANSI C header files. */
check_include_files("stdlib.h;stdarg.h;string.h;float.h" STDC_HEADERS)

111
build/win32/README.md Normal file
View File

@ -0,0 +1,111 @@
# libModSecurity Windows build information <!-- omit from toc -->
The Windows build of libModSecurity uses Build Tools for Visual Studio 2022 (for Visual C++ & CMake) and Conan package manager.
## Contents <!-- omit from toc -->
- [Prerequisites](#prerequisites)
- [Build](#build)
- [Optional features](#optional-features)
- [Address Sanitizer](#address-sanitizer)
- [Docker container](#docker-container)
## Prerequisites
* [Build Tools for Visual Studio 2022](https://aka.ms/vs/17/release/vs_buildtools.exe)
* Install *Desktop development with C++* workload, which includes:
* MSVC C++ compiler
* Windows SDK
* CMake
* Address Sanitizer
* [Conan package manager 2.2.2](https://github.com/conan-io/conan/releases/download/2.2.2/conan-2.2.2-windows-x86_64-installer.exe)
* Install and then setup the default Conan profile to use the MSVC C++ compiler:
1. Open a command-prompt and set the MSVC C++ compiler environment by executing: `C:\BuildTools\VC\Auxiliary\Build\vcvars64.bat`
2. Execute: `conan profile detect --force`
* [Git for Windows 2.44.0](https://github.com/git-for-windows/git/releases/download/v2.44.0.windows.1/Git-2.44.0-64-bit.exe)
* To clone the libModSecurity repository.
* NOTE: Make sure to initialize and update submodules (to get `libinjection` and regression tests)
* `git submodule init`
* `git submodule update`
## Build
Install the prerequisites listsed in the previous section, checkout libModSecurity and from the directory where it's located execute:
```
vcbuild.bat [build_configuration] [arch] [USE_ASAN]
```
where `[build_configuration]` can be: `Release` (default), `RelWithDebInfo`, `MinSizeRel` or `Debug`, and `[arch]` can be: `x86_64` (default) or `x86`.
Built files will be located in the directory: `build\win32\build\[build_configuration]` and include:
* `libModSecurity.dll`
* Executable files for test projects
* `unit_tests.exe`
* `regression_tests.exe`
* `benchmark.exe`
* `rules_optimization.exe`
* Executable files for examples
* `simple_example_using_c.exe`
* `using_bodies_in_chunks.exe`
* `reading_logs_via_rule_message.exe`
* `reading_logs_with_offset.exe`
* Executable files for tools
* `rules_check.exe`
NOTE: When building a different configuration, it's recommended to reset:
* the build directory: `build\win32\build`
* previously built conan packages executing the command:
* `conan remove * -c`
### Optional features
By default the following all the following features are enabled by including the associated third-party library through a Conan package:
* libxml2 2.12.6 for XML processing support
* libcurl 8.6.0 to support http requests from rules
* libmaxminddb 1.9.1 to support reading MaxMind DB files.
* LUA 5.4.6 to enable rules to run scripts in this language for extensibility
* lmdb 0.9.31 in-memory database
Each of these can be turned off by updating the associated `HAVE_xxx` variable (setting it to zero) in the beginning of the libModSecurity section of `CMakeLists.txt`.
### Address Sanitizer
[AddressSanitizer](https://github.com/google/sanitizers/wiki/AddressSanitizer) (aka ASan) is a memory error detector for C/C++.
To generate a build with *Address Sanitizer*, add the `USE_ASAN` optional third argument to `vcbuild.bat`. For example:
* `vcbuild.bat Debug x86_64 USE_ASAN`
NOTE: `USE_ASAN` does not work with `Release` & `MinSizeRel` configurations because they do not include debug info (it is only compatible with `Debug` & `RelWithDebInfo` builds).
* References
* [AddressSanitizer | Microsoft Learn](https://learn.microsoft.com/en-us/cpp/sanitizers/asan?view=msvc-170)
* [AddressSanitizer for Windows: x64 and Debug Build Support - C++ Team Blog (microsoft.com)](https://devblogs.microsoft.com/cppblog/asan-for-windows-x64-and-debug-build-support/)
* [AddressSanitizer language, build, and debugging reference | Microsoft Learn](https://learn.microsoft.com/en-us/cpp/sanitizers/asan-building?view=msvc-170)
### Docker container
A `Dockerfile` configuration file is provided in the `docker` subdir that creates a Windows container image which installs the [prerequisites](#prerequisites) and builds libModSecurity and other binaries.
NOTE: Windows containers are supported in Docker Desktop for Windows, using the *Switch to Windows containers...* option on the context menu of the system tray icon.
To build the docker image, execute the following command (from the `build\win32\docker` directory):
* `docker build -t libmodsecurity:latest -m 4GB .`
* Build type, architecture and build with Address Sanitizer can be configured through build arguments (`BUILD_TYPE`, `ARCH` & `USE_ASAN` respectively). For example, to generate a debug build, add the following argument:
* `--build-arg BUILD_TYPE=Debug`
Once the image is generated, the library and associated binaries (tests & examples) are located in the `C:\src\ModSecurity\build\win32\build\[build_type]` directory.
To extract the library (`libModSecurity.dll`) from the image, you can execute the following commands:
* `docker container create --name [container_name] libmodsecurity`
* `docker cp [container_name]:C:\src\ModSecurity\build\win32\build\[build_type]\libModSecurity.dll .`
* NOTE: If you leave out the `libModSecurity.dll` filename out, you can copy all the built binaries (including examples & tests).
Additionally, the image can be used interactively for additional development work by executing:
* `docker run -it libmodsecurity`

15
build/win32/conanfile.txt Normal file
View File

@ -0,0 +1,15 @@
[requires]
yajl/2.1.0
pcre2/10.42
pthreads4w/3.0.0
libxml2/2.12.6
lua/5.4.6
libcurl/8.6.0
lmdb/0.9.31
libmaxminddb/1.9.1
dirent/1.24
poco/1.13.3
[generators]
CMakeDeps
CMakeToolchain

92
build/win32/config.h.cmake Normal file
View File

@ -0,0 +1,92 @@
/* config.h.cmake. Based upon generated config.h.in. */
#ifndef MODSECURITY_CONFIG_H
#define MODSECURITY_CONFIG_H 1
/* Define to 1 if you have the <dlfcn.h> header file. */
#cmakedefine HAVE_DLFCN_H
/* Define to 1 if you have the <inttypes.h> header file. */
#cmakedefine HAVE_INTTYPES_H
/* Define to 1 if you have the <iostream> header file. */
#cmakedefine HAVE_IOSTREAM
/* Define to 1 if you have the <stdint.h> header file. */
#cmakedefine HAVE_STDINT_H
/* Define to 1 if you have the <stdio.h> header file. */
#cmakedefine HAVE_STDIO_H
/* Define to 1 if you have the <stdlib.h> header file. */
#cmakedefine HAVE_STDLIB_H
/* Define to 1 if you have the <string> header file. */
#cmakedefine HAVE_STRING
/* Define to 1 if you have the <strings.h> header file. */
#cmakedefine HAVE_STRINGS_H
/* Define to 1 if you have the <string.h> header file. */
#cmakedefine HAVE_STRING_H
/* Define to 1 if you have the <sys/stat.h> header file. */
#cmakedefine HAVE_SYS_STAT_H
/* Define to 1 if you have the <sys/types.h> header file. */
#cmakedefine HAVE_SYS_TYPES_H
/* Define to 1 if you have the <sys/utsname.h> header file. */
#cmakedefine HAVE_SYS_UTSNAME_H
/* Define to 1 if you have the <unistd.h> header file. */
#cmakedefine HAVE_UNISTD_H
/* Define if GeoIP is available */
#cmakedefine HAVE_GEOIP
/* Define if LMDB is available */
#cmakedefine HAVE_LMDB
/* Define if LUA is available */
#cmakedefine HAVE_LUA
/* Define if MaxMind is available */
#cmakedefine HAVE_MAXMIND
/* Define if SSDEEP is available */
#cmakedefine HAVE_SSDEEP
/* Define if YAJL is available */
#cmakedefine HAVE_YAJL
/* Define if libcurl is available */
#cmakedefine HAVE_CURL
/* Name of package */
#define PACKAGE "@PACKAGE_NAME@"
/* Define to the address where bug reports for this package should be sent. */
#cmakedefine PACKAGE_BUGREPORT "@PACKAGE_BUGREPORT@"
/* Define to the full name of this package. */
#cmakedefine PACKAGE_NAME "@PACKAGE_NAME@"
/* Define to the full name and version of this package. */
#cmakedefine PACKAGE_STRING "@PACKAGE_STRING@"
/* Define to the one symbol short name of this package. */
#cmakedefine PACKAGE_TARNAME "@PACKAGE_TARNAME@"
/* Define to the home page for this package. */
#define PACKAGE_URL ""
/* Define to the version of this package. */
#cmakedefine PACKAGE_VERSION "@PACKAGE_VERSION@"
/* Define to 1 if you have the ANSI C header files. */
#ifndef STDC_HEADERS
#cmakedefine STDC_HEADERS
#endif
#endif // ndef MODSECURITY_CONFIG_H

115
build/win32/docker/Dockerfile Normal file
View File

@ -0,0 +1,115 @@
# escape=`
ARG FROM_IMAGE=mcr.microsoft.com/windows/servercore:ltsc2022
FROM ${FROM_IMAGE}
# reset the shell.
SHELL ["cmd", "/S", "/C"]
# set up environment to collect install errors.
COPY InstallBuildTools.cmd C:\TEMP\
ADD https://aka.ms/vscollect.exe C:\TEMP\collect.exe
# download channel for fixed install.
ARG CHANNEL_URL=https://aka.ms/vs/17/release/channel
ADD ${CHANNEL_URL} C:\TEMP\VisualStudio.chman
# download and install Build Tools for Visual Studio 2022 for native desktop workload.
ADD https://aka.ms/vs/17/release/vs_buildtools.exe C:\TEMP\vs_buildtools.exe
RUN C:\TEMP\InstallBuildTools.cmd C:\TEMP\vs_buildtools.exe --quiet --wait --norestart --nocache `
--channelUri C:\TEMP\VisualStudio.chman `
--installChannelUri C:\TEMP\VisualStudio.chman `
--add Microsoft.VisualStudio.Workload.VCTools `
--includeRecommended `
--installPath C:\BuildTools
# download & install GIT
ARG GIT_VERSION=2.44.0
ARG GIT_BINARY=Git-${GIT_VERSION}-64-bit.exe
ARG GIT_URL=https://github.com/git-for-windows/git/releases/download/v${GIT_VERSION}.windows.1/${GIT_BINARY}
COPY git.inf C:\TEMP\
ARG INSTALLER=C:\TEMP\${GIT_BINARY}
ADD ${GIT_URL} ${INSTALLER}
RUN %INSTALLER% /SP- /VERYSILENT /SUPPRESSMSGBOXES /NOCANCEL `
/NORESTART /CLOSEAPPLICATIONS /RESTARTAPPLICATIONS /LOADINF=git.inf
# download & setup conan
ARG CONAN_VERSION=2.2.2
ARG CONAN_BINARY=conan-${CONAN_VERSION}-windows-x86_64-installer.exe
ARG CONAN_URL=https://github.com/conan-io/conan/releases/download/${CONAN_VERSION}/${CONAN_BINARY}
ARG INSTALLER=C:\TEMP\${CONAN_BINARY}
ADD ${CONAN_URL} ${INSTALLER}
RUN %INSTALLER% /SP- /VERYSILENT /SUPPRESSMSGBOXES
# setup conan profile
RUN C:\BuildTools\VC\Auxiliary\Build\vcvars64.bat && conan profile detect --force
# download libModSecurity
#
# create src dir
ARG SRC_DIR=C:\src
WORKDIR C:\
RUN cmd.exe /C md %SRC_DIR%
# libModSecurity
WORKDIR ${SRC_DIR}
ARG MOD_SECURITY_TAG=v3/master
RUN git clone -c advice.detachedHead=false --depth 1 --branch %MOD_SECURITY_TAG% https://github.com/owasp-modsecurity/ModSecurity.git
ARG MOD_SECURITY_DIR=${SRC_DIR}\ModSecurity
WORKDIR ${MOD_SECURITY_DIR}
# fetch submodules (bindings/python, others/libinjection, test/test-cases/secrules-language-tests)
RUN git submodule init
RUN git submodule update
# build libraries
#
ARG BUILD_TYPE=Release
ARG ARCH=x86_64
ARG USE_ASAN=
RUN C:\BuildTools\VC\Auxiliary\Build\vcvars64.bat && vcbuild.bat %BUILD_TYPE% %ARCH% %USE_ASAN%
# test suite
#
# setup test environment
RUN cmd.exe /C md \tmp
RUN cmd.exe /C md \bin
RUN cmd.exe /C copy "C:\Program Files\GIT\usr\bin" \bin > NUL
RUN cmd.exe /C copy "C:\Program Files\GIT\usr\bin\echo.exe" \bin\echo > NUL
# disable tests that don't work on windows
ARG JQ_VERSION=1.7.1
ARG JQ_BINARY=jq-windows-amd64.exe
ARG JQ_URL=https://github.com/jqlang/jq/releases/download/jq-${JQ_VERSION}/${JQ_BINARY}
ARG JQ_BIN=C:\TEMP\jq.exe
ADD ${JQ_URL} ${JQ_BIN}
WORKDIR ${MOD_SECURITY_DIR}\test\test-cases\regression
RUN %JQ_BIN% "map(if .title == \"Test match variable (1/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
RUN %JQ_BIN% "map(if .title == \"Test match variable (2/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
RUN %JQ_BIN% "map(if .title == \"Test match variable (3/n)\" then .enabled = 0 else . end)" issue-2423-msg-in-chain.json > tmp.json && move /Y tmp.json issue-2423-msg-in-chain.json
RUN %JQ_BIN% "map(if .title == \"Variable offset - FILES_NAMES\" then .enabled = 0 else . end)" offset-variable.json > tmp.json && move /Y tmp.json offset-variable.json
# run tests
WORKDIR ${MOD_SECURITY_DIR}\build\win32\build
RUN C:\BuildTools\VC\Auxiliary\Build\vcvars64.bat && ctest -C %BUILD_TYPE% --output-on-failure
# setup container's entrypoint
#
WORKDIR C:\
# Use developer command prompt and start PowerShell if no other command specified.
ENTRYPOINT ["C:\\BuildTools\\VC\\Auxiliary\\Build\\vcvars64.bat", "&&", "powershell.exe", "-NoLogo", "-ExecutionPolicy", "Bypass"]

17
build/win32/docker/InstallBuildTools.cmd Normal file
View File

@ -0,0 +1,17 @@
@rem Copyright (C) Microsoft Corporation. All rights reserved.
@rem Licensed under the MIT license. See LICENSE.txt in the project root for license information.
@if not defined _echo echo off
setlocal enabledelayedexpansion
call %*
if "%ERRORLEVEL%"=="3010" (
exit /b 0
) else (
if not "%ERRORLEVEL%"=="0" (
set ERR=%ERRORLEVEL%
call C:\TEMP\collect.exe -zip:C:\vslogs.zip
exit /b !ERR!
)
)

20
build/win32/docker/git.inf Normal file
View File

@ -0,0 +1,20 @@
[Setup]
Lang=default
Dir=C:\Program Files\Git
Group=Git
NoIcons=0
SetupType=default
Components=ext,ext\shellhere,ext\guihere,gitlfs,assoc,autoupdate
Tasks=
EditorOption=VIM
CustomEditorPath=
PathOption=Cmd
SSHOption=OpenSSH
TortoiseOption=false
CURLOption=WinSSL
CRLFOption=LFOnly
BashTerminalOption=ConHost
PerformanceTweaksFSCache=Enabled
UseCredentialManager=Enabled
EnableSymlinks=Disabled
EnableBuiltinInteractiveAdd=Disabled

48
configure.ac
View File

@ -75,6 +75,28 @@ AC_MSG_ERROR([\
fi
# Libinjection version
AC_DEFUN([LIBINJECTION_VERSION], m4_esyscmd_s(cd "others/libinjection" && git describe && cd ../..))
AC_SUBST([LIBINJECTION_VERSION])
# Check for Mbed TLS
if ! test -f "${srcdir}/others/mbedtls/library/base64.c"; then
AC_MSG_ERROR([\
Mbed TLS was not found within ModSecurity source directory.
Mbed TLS code is available as part of ModSecurity source code in a format
of a git-submodule. git-submodule allow us to specify the correct version of
Mbed TLS and still uses the Mbed TLS repository to download it.
You can download Mbed TLS using git:
$ git submodule init
$ git submodule update
])
fi
# Mbed TLS version
AC_DEFUN([MBEDTLS_VERSION], m4_esyscmd_s(cd "others/mbedtls" && git describe && cd ../..))
# SecLang test version
AC_DEFUN([SECLANG_TEST_VERSION], m4_esyscmd_s(cd "test/test-cases/secrules-language-tests" && git log -1 --format="%h" --abbrev-commit && cd ../../..))
@ -226,6 +248,17 @@ AC_SUBST([MSC_VERSION])
MSC_GIT_VERSION=msc_version_git
AC_SUBST([MSC_GIT_VERSION])
AC_ARG_ENABLE(assertions,
[AS_HELP_STRING([--enable-assertions],[Turn on assertions feature: undefine NDEBUG])],
[case "${enableval}" in
yes) assertions=true ;;
no) assertions=false ;;
*) AC_MSG_ERROR(bad value ${enableval} for --enable-assertions) ;;
esac],
[assertions=false]
)
AC_ARG_ENABLE(debug-logs,
[AS_HELP_STRING([--disable-debug-logs],[Turn off the SecDebugLog feature])],
@ -355,6 +388,14 @@ if test "$aflFuzzer" == "true"; then
GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $FUZZ_CPPCFLAGS"
$buildExamples = false
fi
case $assertions in
false) ASSERTIONS_CPPCFLAGS="-DNDEBUG" ;;
true) ASSERTIONS_CPPCFLAGS="-UNDEBUG" ;;
*) AC_MSG_ERROR(bad value ${assertions} for assertions) ;;
esac
GLOBAL_CPPFLAGS="$GLOBAL_CPPFLAGS $ASSERTIONS_CPPCFLAGS"
AC_SUBST(GLOBAL_LDADD)
AC_SUBST(GLOBAL_CPPFLAGS)
@ -425,6 +466,8 @@ echo " "
echo " Mandatory dependencies"
AS_ECHO_N(" + libInjection ....")
echo LIBINJECTION_VERSION
AS_ECHO_N(" + Mbed TLS ....")
echo MBEDTLS_VERSION
AS_ECHO_N(" + SecLang tests ....")
echo SECLANG_TEST_VERSION
@ -589,6 +632,11 @@ if test $buildTestUtilities = true; then
else
echo " + Test Utilities ....disabled"
fi
if test $assertions = true; then
echo " + Assertions ....enabled"
else
echo " + Assertions ....disabled"
fi
if test $debugLogs = true; then
echo " + SecDebugLog ....enabled"
else

4
examples/multiprocess_c/multi.c
View File

@ -19,7 +19,11 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef WIN32
#include <unistd.h>
#else
#include <io.h>
#endif
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/time.h>

33
examples/reading_logs_via_rule_message/reading_logs_via_rule_message.h
View File

@ -13,10 +13,11 @@
*
*/
#include <unistd.h>
#include <string>
#include <memory>
#include <thread>
#include <chrono>
#include <pthread.h>
#define NUM_THREADS 100
@ -72,6 +73,11 @@ struct data_ms {
modsecurity::RulesSet *rules;
};
#if defined _MSC_VER
#pragma warning(push)
#pragma warning(disable:4716) // avoid error C4716: 'process_request': must return a value, as MSVC C++ compiler doesn't support [[noreturn]]
#pragma warning(disable:4715) // avoid warning c4715: 'process_request' : not all control paths return a value
#endif
[[noreturn]] static void *process_request(void *data) {
struct data_ms *a = (struct data_ms *)data;
@ -85,7 +91,7 @@ struct data_ms {
modsecTransaction->processConnection(ip, 12345, "127.0.0.1", 80);
modsecTransaction->processURI(request_uri, "GET", "1.1");
usleep(10);
std::this_thread::sleep_for(std::chrono::microseconds(10));
modsecTransaction->addRequestHeader("Host",
"net.tutsplus.com");
modsecTransaction->processRequestHeaders();
@ -105,6 +111,9 @@ struct data_ms {
pthread_exit(nullptr);
}
#if defined _MSC_VER
#pragma warning(pop)
#endif
class ReadingLogsViaRuleMessage {
public:
@ -124,46 +133,40 @@ class ReadingLogsViaRuleMessage {
m_rules(rules)
{ }
int process() {
int process() const {
pthread_t threads[NUM_THREADS];
int i;
struct data_ms dms;
void *status;
modsecurity::ModSecurity *modsec;
modsecurity::RulesSet *rules;
modsec = new modsecurity::ModSecurity();
auto modsec = std::make_unique<modsecurity::ModSecurity>();
modsec->setConnectorInformation("ModSecurity-test v0.0.1-alpha" \
" (ModSecurity test)");
modsec->setServerLogCb(logCb, modsecurity::RuleMessageLogProperty
| modsecurity::IncludeFullHighlightLogProperty);
rules = new modsecurity::RulesSet();
auto rules = std::make_unique<modsecurity::RulesSet>();
if (rules->loadFromUri(m_rules.c_str()) < 0) {
std::cout << "Problems loading the rules..." << std::endl;
std::cout << rules->m_parserError.str() << std::endl;
return -1;
}
dms.modsec = modsec;
dms.rules = rules;
dms.modsec = modsec.get();
dms.rules = rules.get();
for (i = 0; i < NUM_THREADS; i++) {
pthread_create(&threads[i], NULL, process_request,
reinterpret_cast<void *>(&dms));
// process_request((void *)&dms);
}
usleep(10000);
std::this_thread::sleep_for(std::chrono::microseconds(10000));
for (i=0; i < NUM_THREADS; i++) {
pthread_join(threads[i], &status);
std::cout << "Main: completed thread id :" << i << std::endl;
}
delete rules;
delete modsec;
return 0;
}

4
examples/using_bodies_in_chunks/simple_request.cc
View File

@ -13,7 +13,11 @@
*
*/
#ifndef WIN32
#include <unistd.h>
#else
#include <io.h>
#endif
#include <stdio.h>
#include <string.h>

9
headers/modsecurity/anchored_set_variable_translation_proxy.h
View File

@ -47,11 +47,12 @@ class AnchoredSetVariableTranslationProxy {
VariableValue *newVariableValue = new VariableValue(name, &l->at(i)->getKey(), &l->at(i)->getKey());
const VariableValue *oldVariableValue = l->at(i);
l->at(i) = newVariableValue;
newVariableValue->reserveOrigin(oldVariableValue->getOrigin().size());
for (const auto &oldOrigin : oldVariableValue->getOrigin()) {
std::unique_ptr<VariableOrigin> newOrigin(new VariableOrigin);
newOrigin->m_length = oldVariableValue->getKey().size();
newOrigin->m_offset = oldOrigin->m_offset - oldVariableValue->getKey().size() - 1;
newVariableValue->addOrigin(std::move(newOrigin));
newVariableValue->addOrigin(
oldVariableValue->getKey().size(),
oldOrigin.m_offset - oldVariableValue->getKey().size() - 1
);
}
delete oldVariableValue;
}

16
headers/modsecurity/anchored_variable.h
View File

@ -47,23 +47,11 @@ class AnchoredVariable {
AnchoredVariable(const AnchoredVariable &a) = delete;
AnchoredVariable &operator= (const AnchoredVariable &a) = delete;
/*
: m_transaction(a.m_transaction),
m_offset(a.m_offset),
m_name(a.m_name),
m_value(a.m_value),
m_var(a.m_var) { }
*/
~AnchoredVariable();
~AnchoredVariable() = default;
void unset();
void set(const std::string &a, size_t offset);
void set(const std::string &a, size_t offset, size_t offsetLen);
void append(const std::string &a, size_t offset,
bool spaceSeparator = false);
void append(const std::string &a, size_t offset,
bool spaceSeparator, int size);
void evaluate(std::vector<const VariableValue *> *l);
std::string * evaluate();
@ -75,7 +63,7 @@ class AnchoredVariable {
std::string m_value;
private:
VariableValue *m_var;
VariableValue m_var;
};
} // namespace modsecurity

5
headers/modsecurity/rule_message.h
View File

@ -67,6 +67,7 @@ class RuleMessage {
m_ruleLine(rule->getLineNumber()),
m_saveMessage(true),
m_serverIpAddress(trans->m_serverIpAddress),
m_requestHostName(trans->m_requestHostName),
m_severity(0),
m_uriNoQueryStringDecoded(trans->m_uri_no_query_string_decoded),
m_ver(rule->m_ver),
@ -92,6 +93,7 @@ class RuleMessage {
m_ruleLine(rule->m_ruleLine),
m_saveMessage(rule->m_saveMessage),
m_serverIpAddress(rule->m_serverIpAddress),
m_requestHostName(rule->m_requestHostName),
m_severity(rule->m_severity),
m_uriNoQueryStringDecoded(rule->m_uriNoQueryStringDecoded),
m_ver(rule->m_ver),
@ -117,6 +119,7 @@ class RuleMessage {
m_ruleLine(ruleMessage.m_ruleLine),
m_saveMessage(ruleMessage.m_saveMessage),
m_serverIpAddress(ruleMessage.m_serverIpAddress),
m_requestHostName(ruleMessage.m_requestHostName),
m_severity(ruleMessage.m_severity),
m_uriNoQueryStringDecoded(ruleMessage.m_uriNoQueryStringDecoded),
m_ver(ruleMessage.m_ver),
@ -142,6 +145,7 @@ class RuleMessage {
m_ruleLine = ruleMessage.m_ruleLine;
m_saveMessage = ruleMessage.m_saveMessage;
m_serverIpAddress = ruleMessage.m_serverIpAddress;
m_requestHostName = ruleMessage.m_requestHostName;
m_severity = ruleMessage.m_severity;
m_uriNoQueryStringDecoded = ruleMessage.m_uriNoQueryStringDecoded;
m_ver = ruleMessage.m_ver;
@ -201,6 +205,7 @@ class RuleMessage {
int m_ruleLine;
bool m_saveMessage;
std::shared_ptr<std::string> m_serverIpAddress;
std::shared_ptr<std::string> m_requestHostName;
int m_severity;
std::shared_ptr<std::string> m_uriNoQueryStringDecoded;
std::string m_ver;

20
headers/modsecurity/transaction.h
View File

@ -14,6 +14,7 @@
*/
#ifdef __cplusplus
#include <cassert>
#include <ctime>
#include <fstream>
#include <iomanip>
@ -307,11 +308,8 @@ class TransactionSecMarkerManagement {
}
std::shared_ptr<std::string> getCurrentMarker() const {
if (m_marker) {
return m_marker;
} else {
throw;
}
assert((m_marker != nullptr) && "You might have forgotten to call and evaluate isInsideAMarker() before calling getCurrentMarker().");
return m_marker;
}
void removeMarker() {
@ -393,6 +391,8 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
int processLogging();
int updateStatusCode(int status);
int setRequestHostName(const std::string& hostname);
bool intervention(ModSecurityIntervention *it);
bool addArgument(const std::string& orig, const std::string& key,
@ -405,7 +405,7 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
size_t getRequestBodyLength();
#ifndef NO_LOGS
void debug(int, const std::string&) const;
void debug(int, const std::string &) const; // cppcheck-suppress functionStatic
#endif
void serverLog(std::shared_ptr<RuleMessage> rm);
@ -443,6 +443,11 @@ class Transaction : public TransactionAnchoredVariables, public TransactionSecMa
*/
std::shared_ptr<std::string> m_serverIpAddress;
/**
* Holds the request's hostname
*/
std::shared_ptr<std::string> m_requestHostName;
/**
* Holds the raw URI that was requested.
*/
@ -724,6 +729,9 @@ int msc_process_logging(Transaction *transaction);
/** @ingroup ModSecurity_C_API */
int msc_update_status_code(Transaction *transaction, int status);
/** @ingroup ModSecurity_C_API */
int msc_set_request_hostname(Transaction *transaction, const unsigned char *hostname);
#ifdef __cplusplus
}
} // namespace modsecurity

12
headers/modsecurity/variable_origin.h
View File

@ -15,6 +15,7 @@
#ifdef __cplusplus
#include <string>
#include <memory>
#endif
#ifndef HEADERS_MODSECURITY_VARIABLE_ORIGIN_H_
@ -36,14 +37,17 @@ class VariableOrigin {
VariableOrigin()
: m_length(0),
m_offset(0) { }
VariableOrigin(size_t length, size_t offset)
: m_length(length),
m_offset(offset) { }
std::string toText() {
std::string offset = std::to_string(m_offset);
std::string len = std::to_string(m_length);
std::string toText() const {
const auto offset = std::to_string(m_offset);
const auto len = std::to_string(m_length);
return "v" + offset + "," + len;
}
int m_length;
size_t m_length;
size_t m_offset;
};

26
headers/modsecurity/variable_value.h
View File

@ -18,7 +18,7 @@
#include <string>
#include <iostream>
#include <memory>
#include <list>
#include <vector>
#include <utility>
#endif
@ -37,7 +37,7 @@ namespace modsecurity {
class Collection;
class VariableValue {
public:
using Origins = std::list<std::unique_ptr<VariableOrigin>>;
using Origins = std::vector<VariableOrigin>;
explicit VariableValue(const std::string *key,
const std::string *value = nullptr)
@ -62,11 +62,9 @@ class VariableValue {
m_keyWithCollection(o->m_keyWithCollection),
m_value(o->m_value)
{
reserveOrigin(o->m_orign.size());
for (const auto &i : o->m_orign) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
origin->m_offset = i->m_offset;
origin->m_length = i->m_length;
m_orign.push_back(std::move(origin));
addOrigin(i);
}
}
@ -98,8 +96,14 @@ class VariableValue {
}
void addOrigin(std::unique_ptr<VariableOrigin> origin) {
m_orign.push_back(std::move(origin));
void addOrigin(const VariableOrigin &origin) {
m_orign.emplace_back(origin);
}
template<typename... Args>
void addOrigin(Args&&... args) {
m_orign.emplace_back(args...);
}
@ -107,6 +111,12 @@ class VariableValue {
return m_orign;
}
void reserveOrigin(Origins::size_type additionalSize) {
m_orign.reserve(m_orign.size() + additionalSize);
}
private:
Origins m_orign;
std::string m_collection;

25
others/Makefile.am
View File

@ -1,28 +1,33 @@
noinst_LTLIBRARIES = libinjection.la libmbedtls.la
libinjection_la_SOURCES = \
libinjection/src/libinjection_html5.c \
libinjection/src/libinjection_sqli.c \
libinjection/src/libinjection_xss.c
libinjection_la_CFLAGS = -D LIBINJECTION_VERSION=\"${LIBINJECTION_VERSION}\"
libinjection_la_LIBADD =
noinst_HEADERS = \
libinjection/src/libinjection.h \
libinjection/src/libinjection_html5.h \
libinjection/src/libinjection_sqli.h \
libinjection/src/libinjection_sqli_data.h \
libinjection/src/libinjection_xss.h \
mbedtls/base64.h \
mbedtls/check_config.h \
mbedtls/mbed-tls-config.h \
mbedtls/md5.h \
mbedtls/platform.h \
mbedtls/sha1.h
mbedtls/include/mbedtls/base64.h \
mbedtls/include/mbedtls/check_config.h \
mbedtls/include/mbedtls/mbedtls_config.h \
mbedtls/include/mbedtls/md5.h \
mbedtls/include/mbedtls/platform.h \
mbedtls/include/mbedtls/sha1.h
libmbedtls_la_SOURCES = \
mbedtls/base64.c \
mbedtls/md5.c \
mbedtls/sha1.c
mbedtls/library/base64.c \
mbedtls/library/md5.c \
mbedtls/library/sha1.c \
mbedtls/library/platform_util.c
libmbedtls_la_CFLAGS = -D MBEDTLS_CONFIG_FILE=\"mbed-tls-config.h\" -Iothers
libmbedtls_la_CFLAGS = -DMBEDTLS_CONFIG_FILE=\"mbedtls/mbedtls_config.h\" -Imbedtls/include
libmbedtls_la_CPPFLAGS =
libmbedtls_la_LIBADD =

2
others/libinjection

@ -1 +1 @@
Subproject commit bfba51f5af8f1f6cf5d6c4bf862f1e2474e018e3
Subproject commit b9fcaaf9e50e9492807b23ffcc6af46ee1f203b9

1
others/mbedtls Submodule

@ -0,0 +1 @@
Subproject commit 2ca6c285a0dd3f33982dd57299012dacab1ff206

289
others/mbedtls/base64.c
View File

@ -1,289 +0,0 @@
/*
* RFC 1521 base64 encoding/decoding
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#if defined(MBEDTLS_BASE64_C)
#include "mbedtls/base64.h"
#include <stdint.h>
#if defined(MBEDTLS_SELF_TEST)
#include <string.h>
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
static const unsigned char base64_enc_map[64] =
{
'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T',
'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd',
'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n',
'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x',
'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', '+', '/'
};
static const unsigned char base64_dec_map[128] =
{
127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
127, 127, 127, 127, 127, 127, 127, 127, 127, 127,
127, 127, 127, 62, 127, 127, 127, 63, 52, 53,
54, 55, 56, 57, 58, 59, 60, 61, 127, 127,
127, 64, 127, 127, 127, 0, 1, 2, 3, 4,
5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
15, 16, 17, 18, 19, 20, 21, 22, 23, 24,
25, 127, 127, 127, 127, 127, 127, 26, 27, 28,
29, 30, 31, 32, 33, 34, 35, 36, 37, 38,
39, 40, 41, 42, 43, 44, 45, 46, 47, 48,
49, 50, 51, 127, 127, 127, 127, 127
};
#define BASE64_SIZE_T_MAX ( (size_t) -1 ) /* SIZE_T_MAX is not standard */
/*
* Encode a buffer into base64 format
*/
int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
const unsigned char *src, size_t slen )
{
size_t i, n;
int C1, C2, C3;
unsigned char *p;
if( slen == 0 )
{
*olen = 0;
return( 0 );
}
n = slen / 3 + ( slen % 3 != 0 );
if( n > ( BASE64_SIZE_T_MAX - 1 ) / 4 )
{
*olen = BASE64_SIZE_T_MAX;
return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
}
n *= 4;
if( dlen < n + 1 )
{
*olen = n + 1;
return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
}
n = ( slen / 3 ) * 3;
for( i = 0, p = dst; i < n; i += 3 )
{
C1 = *src++;
C2 = *src++;
C3 = *src++;
*p++ = base64_enc_map[(C1 >> 2) & 0x3F];
*p++ = base64_enc_map[(((C1 & 3) << 4) + (C2 >> 4)) & 0x3F];
*p++ = base64_enc_map[(((C2 & 15) << 2) + (C3 >> 6)) & 0x3F];
*p++ = base64_enc_map[C3 & 0x3F];
}
if( i < slen )
{
C1 = *src++;
C2 = ( ( i + 1 ) < slen ) ? *src++ : 0;
*p++ = base64_enc_map[(C1 >> 2) & 0x3F];
*p++ = base64_enc_map[(((C1 & 3) << 4) + (C2 >> 4)) & 0x3F];
if( ( i + 1 ) < slen )
*p++ = base64_enc_map[((C2 & 15) << 2) & 0x3F];
else *p++ = '=';
*p++ = '=';
}
*olen = p - dst;
*p = 0;
return( 0 );
}
/*
* Decode a base64-formatted buffer
*/
int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
const unsigned char *src, size_t slen )
{
size_t i, n;
uint32_t j, x;
unsigned char *p;
/* First pass: check for validity and get output length */
for( i = n = j = 0; i < slen; i++ )
{
/* Skip spaces before checking for EOL */
x = 0;
while( i < slen && src[i] == ' ' )
{
++i;
++x;
}
/* Spaces at end of buffer are OK */
if( i == slen )
break;
if( ( slen - i ) >= 2 &&
src[i] == '\r' && src[i + 1] == '\n' )
continue;
if( src[i] == '\n' )
continue;
/* Space inside a line is an error */
if( x != 0 )
return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
if( src[i] == '=' && ++j > 2 )
return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
if( src[i] > 127 || base64_dec_map[src[i]] == 127 )
return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
if( base64_dec_map[src[i]] < 64 && j != 0 )
return( MBEDTLS_ERR_BASE64_INVALID_CHARACTER );
n++;
}
if( n == 0 )
{
*olen = 0;
return( 0 );
}
n = ( ( n * 6 ) + 7 ) >> 3;
n -= j;
if( dst == NULL || dlen < n )
{
*olen = n;
return( MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL );
}
for( j = 3, n = x = 0, p = dst; i > 0; i--, src++ )
{
if( *src == '\r' || *src == '\n' || *src == ' ' )
continue;
j -= ( base64_dec_map[*src] == 64 );
x = ( x << 6 ) | ( base64_dec_map[*src] & 0x3F );
if( ++n == 4 )
{
n = 0;
if( j > 0 ) *p++ = (unsigned char)( x >> 16 );
if( j > 1 ) *p++ = (unsigned char)( x >> 8 );
if( j > 2 ) *p++ = (unsigned char)( x );
}
}
*olen = p - dst;
return( 0 );
}
#if defined(MBEDTLS_SELF_TEST)
static const unsigned char base64_test_dec[64] =
{
0x24, 0x48, 0x6E, 0x56, 0x87, 0x62, 0x5A, 0xBD,
0xBF, 0x17, 0xD9, 0xA2, 0xC4, 0x17, 0x1A, 0x01,
0x94, 0xED, 0x8F, 0x1E, 0x11, 0xB3, 0xD7, 0x09,
0x0C, 0xB6, 0xE9, 0x10, 0x6F, 0x22, 0xEE, 0x13,
0xCA, 0xB3, 0x07, 0x05, 0x76, 0xC9, 0xFA, 0x31,
0x6C, 0x08, 0x34, 0xFF, 0x8D, 0xC2, 0x6C, 0x38,
0x00, 0x43, 0xE9, 0x54, 0x97, 0xAF, 0x50, 0x4B,
0xD1, 0x41, 0xBA, 0x95, 0x31, 0x5A, 0x0B, 0x97
};
static const unsigned char base64_test_enc[] =
"JEhuVodiWr2/F9mixBcaAZTtjx4Rs9cJDLbpEG8i7hPK"
"swcFdsn6MWwINP+Nwmw4AEPpVJevUEvRQbqVMVoLlw==";
/*
* Checkup routine
*/
int mbedtls_base64_self_test( int verbose )
{
size_t len;
const unsigned char *src;
unsigned char buffer[128];
if( verbose != 0 )
mbedtls_printf( " Base64 encoding test: " );
src = base64_test_dec;
if( mbedtls_base64_encode( buffer, sizeof( buffer ), &len, src, 64 ) != 0 ||
memcmp( base64_test_enc, buffer, 88 ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
return( 1 );
}
if( verbose != 0 )
mbedtls_printf( "passed\n Base64 decoding test: " );
src = base64_test_enc;
if( mbedtls_base64_decode( buffer, sizeof( buffer ), &len, src, 88 ) != 0 ||
memcmp( base64_test_dec, buffer, 64 ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
return( 1 );
}
if( verbose != 0 )
mbedtls_printf( "passed\n\n" );
return( 0 );
}
#endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_BASE64_C */

88
others/mbedtls/base64.h
View File

@ -1,88 +0,0 @@
/**
* \file base64.h
*
* \brief RFC 1521 base64 encoding/decoding
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_BASE64_H
#define MBEDTLS_BASE64_H
#include <stddef.h>
#define MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL -0x002A /**< Output buffer too small. */
#define MBEDTLS_ERR_BASE64_INVALID_CHARACTER -0x002C /**< Invalid character in input. */
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief Encode a buffer into base64 format
*
* \param dst destination buffer
* \param dlen size of the destination buffer
* \param olen number of bytes written
* \param src source buffer
* \param slen amount of data to be encoded
*
* \return 0 if successful, or MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL.
* *olen is always updated to reflect the amount
* of data that has (or would have) been written.
* If that length cannot be represented, then no data is
* written to the buffer and *olen is set to the maximum
* length representable as a size_t.
*
* \note Call this function with dlen = 0 to obtain the
* required buffer size in *olen
*/
int mbedtls_base64_encode( unsigned char *dst, size_t dlen, size_t *olen,
const unsigned char *src, size_t slen );
/**
* \brief Decode a base64-formatted buffer
*
* \param dst destination buffer (can be NULL for checking size)
* \param dlen size of the destination buffer
* \param olen number of bytes written
* \param src source buffer
* \param slen amount of data to be decoded
*
* \return 0 if successful, MBEDTLS_ERR_BASE64_BUFFER_TOO_SMALL, or
* MBEDTLS_ERR_BASE64_INVALID_CHARACTER if the input data is
* not correct. *olen is always updated to reflect the amount
* of data that has (or would have) been written.
*
* \note Call this function with *dst = NULL or dlen = 0 to obtain
* the required buffer size in *olen
*/
int mbedtls_base64_decode( unsigned char *dst, size_t dlen, size_t *olen,
const unsigned char *src, size_t slen );
/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
*/
int mbedtls_base64_self_test( int verbose );
#ifdef __cplusplus
}
#endif
#endif /* base64.h */

540
others/mbedtls/check_config.h
View File

@ -1,540 +0,0 @@
/**
* \file check_config.h
*
* \brief Consistency checks for configuration options
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* It is recommended to include this file from your config.h
* in order to catch dependency issues early.
*/
#ifndef MBEDTLS_CHECK_CONFIG_H
#define MBEDTLS_CHECK_CONFIG_H
/*
* We assume CHAR_BIT is 8 in many places. In practice, this is true on our
* target platforms, so not an issue, but let's just be extra sure.
*/
#include <limits.h>
#if CHAR_BIT != 8
#error "mbed TLS requires a platform with 8-bit chars"
#endif
#if defined(_WIN32)
#if !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_C is required on Windows"
#endif
/* Fix the config here. Not convenient to put an #ifdef _WIN32 in config.h as
* it would confuse config.pl. */
#if !defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && \
!defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
#define MBEDTLS_PLATFORM_SNPRINTF_ALT
#endif
#endif /* _WIN32 */
#if defined(TARGET_LIKE_MBED) && \
( defined(MBEDTLS_NET_C) || defined(MBEDTLS_TIMING_C) )
#error "The NET and TIMING modules are not available for mbed OS - please use the network and timing functions provided by mbed OS"
#endif
#if defined(MBEDTLS_DEPRECATED_WARNING) && \
!defined(__GNUC__) && !defined(__clang__)
#error "MBEDTLS_DEPRECATED_WARNING only works with GCC and Clang"
#endif
#if defined(MBEDTLS_HAVE_TIME_DATE) && !defined(MBEDTLS_HAVE_TIME)
#error "MBEDTLS_HAVE_TIME_DATE without MBEDTLS_HAVE_TIME does not make sense"
#endif
#if defined(MBEDTLS_AESNI_C) && !defined(MBEDTLS_HAVE_ASM)
#error "MBEDTLS_AESNI_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_DHM_C) && !defined(MBEDTLS_BIGNUM_C)
#error "MBEDTLS_DHM_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECDSA_C) && \
( !defined(MBEDTLS_ECP_C) || \
!defined(MBEDTLS_ASN1_PARSE_C) || \
!defined(MBEDTLS_ASN1_WRITE_C) )
#error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECJPAKE_C) && \
( !defined(MBEDTLS_ECP_C) || !defined(MBEDTLS_MD_C) )
#error "MBEDTLS_ECJPAKE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECDSA_DETERMINISTIC) && !defined(MBEDTLS_HMAC_DRBG_C)
#error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \
!defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) && \
!defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) ) )
#error "MBEDTLS_ECP_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ENTROPY_C) && (!defined(MBEDTLS_SHA512_C) && \
!defined(MBEDTLS_SHA256_C))
#error "MBEDTLS_ENTROPY_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_SHA512_C) && \
defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 64)
#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
#endif
#if defined(MBEDTLS_ENTROPY_C) && \
( !defined(MBEDTLS_SHA512_C) || defined(MBEDTLS_ENTROPY_FORCE_SHA256) ) \
&& defined(MBEDTLS_CTR_DRBG_ENTROPY_LEN) && (MBEDTLS_CTR_DRBG_ENTROPY_LEN > 32)
#error "MBEDTLS_CTR_DRBG_ENTROPY_LEN value too high"
#endif
#if defined(MBEDTLS_ENTROPY_C) && \
defined(MBEDTLS_ENTROPY_FORCE_SHA256) && !defined(MBEDTLS_SHA256_C)
#error "MBEDTLS_ENTROPY_FORCE_SHA256 defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_GCM_C) && ( \
!defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) )
#error "MBEDTLS_GCM_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_HAVEGE_C) && !defined(MBEDTLS_TIMING_C)
#error "MBEDTLS_HAVEGE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_HMAC_DRBG_C) && !defined(MBEDTLS_MD_C)
#error "MBEDTLS_HMAC_DRBG_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) && \
( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
#error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) )
#error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) && !defined(MBEDTLS_DHM_C)
#error "MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) && \
!defined(MBEDTLS_ECDH_C)
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
( !defined(MBEDTLS_DHM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
#error "MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_PKCS1_V15) )
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
( !defined(MBEDTLS_ECDH_C) || !defined(MBEDTLS_ECDSA_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) )
#error "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_PKCS1_V15) )
#error "MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_PKCS1_V15) )
#error "MBEDTLS_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) || \
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) && \
( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
#error "MBEDTLS_MEMORY_BUFFER_ALLOC_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PADLOCK_C) && !defined(MBEDTLS_HAVE_ASM)
#error "MBEDTLS_PADLOCK_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PEM_PARSE_C) && !defined(MBEDTLS_BASE64_C)
#error "MBEDTLS_PEM_PARSE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PEM_WRITE_C) && !defined(MBEDTLS_BASE64_C)
#error "MBEDTLS_PEM_WRITE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PK_C) && \
( !defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_ECP_C) )
#error "MBEDTLS_PK_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_PK_C)
#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PK_WRITE_C) && !defined(MBEDTLS_PK_C)
#error "MBEDTLS_PK_WRITE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PKCS11_C) && !defined(MBEDTLS_PK_C)
#error "MBEDTLS_PKCS11_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_EXIT_ALT) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_EXIT_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_EXIT_MACRO) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_EXIT_MACRO defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_EXIT_MACRO) &&\
( defined(MBEDTLS_PLATFORM_STD_EXIT) ||\
defined(MBEDTLS_PLATFORM_EXIT_ALT) )
#error "MBEDTLS_PLATFORM_EXIT_MACRO and MBEDTLS_PLATFORM_STD_EXIT/MBEDTLS_PLATFORM_EXIT_ALT cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_FPRINTF_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_FPRINTF_MACRO defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO) &&\
( defined(MBEDTLS_PLATFORM_STD_FPRINTF) ||\
defined(MBEDTLS_PLATFORM_FPRINTF_ALT) )
#error "MBEDTLS_PLATFORM_FPRINTF_MACRO and MBEDTLS_PLATFORM_STD_FPRINTF/MBEDTLS_PLATFORM_FPRINTF_ALT cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_PLATFORM_FREE_MACRO) &&\
( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
#error "MBEDTLS_PLATFORM_FREE_MACRO defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_FREE_MACRO) &&\
defined(MBEDTLS_PLATFORM_STD_FREE)
#error "MBEDTLS_PLATFORM_FREE_MACRO and MBEDTLS_PLATFORM_STD_FREE cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && !defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
#error "MBEDTLS_PLATFORM_CALLOC_MACRO must be defined if MBEDTLS_PLATFORM_FREE_MACRO is"
#endif
#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&\
( !defined(MBEDTLS_PLATFORM_C) || !defined(MBEDTLS_PLATFORM_MEMORY) )
#error "MBEDTLS_PLATFORM_CALLOC_MACRO defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) &&\
defined(MBEDTLS_PLATFORM_STD_CALLOC)
#error "MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_STD_CALLOC cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_PLATFORM_CALLOC_MACRO) && !defined(MBEDTLS_PLATFORM_FREE_MACRO)
#error "MBEDTLS_PLATFORM_FREE_MACRO must be defined if MBEDTLS_PLATFORM_CALLOC_MACRO is"
#endif
#if defined(MBEDTLS_PLATFORM_MEMORY) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_MEMORY defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_PRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_PRINTF_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_PRINTF_MACRO defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO) &&\
( defined(MBEDTLS_PLATFORM_STD_PRINTF) ||\
defined(MBEDTLS_PLATFORM_PRINTF_ALT) )
#error "MBEDTLS_PLATFORM_PRINTF_MACRO and MBEDTLS_PLATFORM_STD_PRINTF/MBEDTLS_PLATFORM_PRINTF_ALT cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_SNPRINTF_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) && !defined(MBEDTLS_PLATFORM_C)
#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO) &&\
( defined(MBEDTLS_PLATFORM_STD_SNPRINTF) ||\
defined(MBEDTLS_PLATFORM_SNPRINTF_ALT) )
#error "MBEDTLS_PLATFORM_SNPRINTF_MACRO and MBEDTLS_PLATFORM_STD_SNPRINTF/MBEDTLS_PLATFORM_SNPRINTF_ALT cannot be defined simultaneously"
#endif
#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR) &&\
!defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
#error "MBEDTLS_PLATFORM_STD_MEM_HDR defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_STD_CALLOC) && !defined(MBEDTLS_PLATFORM_MEMORY)
#error "MBEDTLS_PLATFORM_STD_CALLOC defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_STD_CALLOC) && !defined(MBEDTLS_PLATFORM_MEMORY)
#error "MBEDTLS_PLATFORM_STD_CALLOC defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_STD_FREE) && !defined(MBEDTLS_PLATFORM_MEMORY)
#error "MBEDTLS_PLATFORM_STD_FREE defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_STD_EXIT) &&\
!defined(MBEDTLS_PLATFORM_EXIT_ALT)
#error "MBEDTLS_PLATFORM_STD_EXIT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_STD_FPRINTF) &&\
!defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
#error "MBEDTLS_PLATFORM_STD_FPRINTF defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_STD_PRINTF) &&\
!defined(MBEDTLS_PLATFORM_PRINTF_ALT)
#error "MBEDTLS_PLATFORM_STD_PRINTF defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_PLATFORM_STD_SNPRINTF) &&\
!defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
#error "MBEDTLS_PLATFORM_STD_SNPRINTF defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) || \
!defined(MBEDTLS_OID_C) )
#error "MBEDTLS_RSA_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
( !defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_PKCS1_V21) )
#error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_PROTO_SSL3) && ( !defined(MBEDTLS_MD5_C) || \
!defined(MBEDTLS_SHA1_C) )
#error "MBEDTLS_SSL_PROTO_SSL3 defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1) && ( !defined(MBEDTLS_MD5_C) || \
!defined(MBEDTLS_SHA1_C) )
#error "MBEDTLS_SSL_PROTO_TLS1 defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) && ( !defined(MBEDTLS_MD5_C) || \
!defined(MBEDTLS_SHA1_C) )
#error "MBEDTLS_SSL_PROTO_TLS1_1 defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && ( !defined(MBEDTLS_SHA1_C) && \
!defined(MBEDTLS_SHA256_C) && !defined(MBEDTLS_SHA512_C) )
#error "MBEDTLS_SSL_PROTO_TLS1_2 defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_PROTO_DTLS) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2)
#error "MBEDTLS_SSL_PROTO_DTLS defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_CLI_C) && !defined(MBEDTLS_SSL_TLS_C)
#error "MBEDTLS_SSL_CLI_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && ( !defined(MBEDTLS_CIPHER_C) || \
!defined(MBEDTLS_MD_C) )
#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_SRV_C) && !defined(MBEDTLS_SSL_TLS_C)
#error "MBEDTLS_SSL_SRV_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && (!defined(MBEDTLS_SSL_PROTO_SSL3) && \
!defined(MBEDTLS_SSL_PROTO_TLS1) && !defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2))
#error "MBEDTLS_SSL_TLS_C defined, but no protocols are active"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
defined(MBEDTLS_SSL_PROTO_TLS1_1) && !defined(MBEDTLS_SSL_PROTO_TLS1))
#error "Illegal protocol selection"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_TLS1) && \
defined(MBEDTLS_SSL_PROTO_TLS1_2) && !defined(MBEDTLS_SSL_PROTO_TLS1_1))
#error "Illegal protocol selection"
#endif
#if defined(MBEDTLS_SSL_TLS_C) && (defined(MBEDTLS_SSL_PROTO_SSL3) && \
defined(MBEDTLS_SSL_PROTO_TLS1_2) && (!defined(MBEDTLS_SSL_PROTO_TLS1) || \
!defined(MBEDTLS_SSL_PROTO_TLS1_1)))
#error "Illegal protocol selection"
#endif
#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && !defined(MBEDTLS_SSL_PROTO_DTLS)
#error "MBEDTLS_SSL_DTLS_HELLO_VERIFY defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && \
!defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
#error "MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) && \
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_DTLS_ANTI_REPLAY defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) && \
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
#error "MBEDTLS_SSL_DTLS_BADMAC_LIMIT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
!defined(MBEDTLS_SSL_PROTO_TLS1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2)
#error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequsites"
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
!defined(MBEDTLS_SSL_PROTO_TLS1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_1) && \
!defined(MBEDTLS_SSL_PROTO_TLS1_2)
#error "MBEDTLS_SSL_EXTENDED_MASTER_SECRET defined, but not all prerequsites"
#endif
#if defined(MBEDTLS_SSL_TICKET_C) && !defined(MBEDTLS_CIPHER_C)
#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) && \
!defined(MBEDTLS_SSL_PROTO_SSL3) && !defined(MBEDTLS_SSL_PROTO_TLS1)
#error "MBEDTLS_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
!defined(MBEDTLS_X509_CRT_PARSE_C)
#error "MBEDTLS_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_THREADING_PTHREAD)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_PTHREAD defined, but not all prerequisites"
#endif
#define MBEDTLS_THREADING_IMPL
#endif
#if defined(MBEDTLS_THREADING_ALT)
#if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"
#endif
#define MBEDTLS_THREADING_IMPL
#endif
#if defined(MBEDTLS_THREADING_C) && !defined(MBEDTLS_THREADING_IMPL)
#error "MBEDTLS_THREADING_C defined, single threading implementation required"
#endif
#undef MBEDTLS_THREADING_IMPL
#if defined(MBEDTLS_VERSION_FEATURES) && !defined(MBEDTLS_VERSION_C)
#error "MBEDTLS_VERSION_FEATURES defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_USE_C) && ( !defined(MBEDTLS_BIGNUM_C) || \
!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_PARSE_C) || \
!defined(MBEDTLS_PK_PARSE_C) )
#error "MBEDTLS_X509_USE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CREATE_C) && ( !defined(MBEDTLS_BIGNUM_C) || \
!defined(MBEDTLS_OID_C) || !defined(MBEDTLS_ASN1_WRITE_C) || \
!defined(MBEDTLS_PK_WRITE_C) )
#error "MBEDTLS_X509_CREATE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
#error "MBEDTLS_X509_CRT_PARSE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CRL_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
#error "MBEDTLS_X509_CRL_PARSE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CSR_PARSE_C) && ( !defined(MBEDTLS_X509_USE_C) )
#error "MBEDTLS_X509_CSR_PARSE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CRT_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
#error "MBEDTLS_X509_CRT_WRITE_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_X509_CSR_WRITE_C) && ( !defined(MBEDTLS_X509_CREATE_C) )
#error "MBEDTLS_X509_CSR_WRITE_C defined, but not all prerequisites"
#endif
/*
* Avoid warning from -pedantic. This is a convenient place for this
* workaround since this is included by every single file before the
* #if defined(MBEDTLS_xxx_C) that results in emtpy translation units.
*/
typedef int mbedtls_iso_c_forbids_empty_translation_units;
#endif /* MBEDTLS_CHECK_CONFIG_H */

2511
others/mbedtls/mbed-tls-config.h
View File

File diff suppressed because it is too large Load Diff

404
others/mbedtls/md5.c
View File

@ -1,404 +0,0 @@
/*
* RFC 1321 compliant MD5 implementation
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The MD5 algorithm was designed by Ron Rivest in 1991.
*
* http://www.ietf.org/rfc/rfc1321.txt
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#if defined(MBEDTLS_MD5_C)
#include "mbedtls/md5.h"
#include <string.h>
#if defined(MBEDTLS_SELF_TEST)
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_MD5_ALT)
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
/*
* 32-bit integer manipulation macros (little endian)
*/
#ifndef GET_UINT32_LE
#define GET_UINT32_LE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] ) \
| ( (uint32_t) (b)[(i) + 1] << 8 ) \
| ( (uint32_t) (b)[(i) + 2] << 16 ) \
| ( (uint32_t) (b)[(i) + 3] << 24 ); \
}
#endif
#ifndef PUT_UINT32_LE
#define PUT_UINT32_LE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( ( (n) ) & 0xFF ); \
(b)[(i) + 1] = (unsigned char) ( ( (n) >> 8 ) & 0xFF ); \
(b)[(i) + 2] = (unsigned char) ( ( (n) >> 16 ) & 0xFF ); \
(b)[(i) + 3] = (unsigned char) ( ( (n) >> 24 ) & 0xFF ); \
}
#endif
void mbedtls_md5_init( mbedtls_md5_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_md5_context ) );
}
void mbedtls_md5_free( mbedtls_md5_context *ctx )
{
if( ctx == NULL )
return;
mbedtls_zeroize( ctx, sizeof( mbedtls_md5_context ) );
}
void mbedtls_md5_clone( mbedtls_md5_context *dst,
const mbedtls_md5_context *src )
{
*dst = *src;
}
/*
* MD5 context setup
*/
void mbedtls_md5_starts( mbedtls_md5_context *ctx )
{
ctx->total[0] = 0;
ctx->total[1] = 0;
ctx->state[0] = 0x67452301;
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] = 0x98BADCFE;
ctx->state[3] = 0x10325476;
}
#if !defined(MBEDTLS_MD5_PROCESS_ALT)
void mbedtls_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] )
{
uint32_t X[16], A, B, C, D;
GET_UINT32_LE( X[ 0], data, 0 );
GET_UINT32_LE( X[ 1], data, 4 );
GET_UINT32_LE( X[ 2], data, 8 );
GET_UINT32_LE( X[ 3], data, 12 );
GET_UINT32_LE( X[ 4], data, 16 );
GET_UINT32_LE( X[ 5], data, 20 );
GET_UINT32_LE( X[ 6], data, 24 );
GET_UINT32_LE( X[ 7], data, 28 );
GET_UINT32_LE( X[ 8], data, 32 );
GET_UINT32_LE( X[ 9], data, 36 );
GET_UINT32_LE( X[10], data, 40 );
GET_UINT32_LE( X[11], data, 44 );
GET_UINT32_LE( X[12], data, 48 );
GET_UINT32_LE( X[13], data, 52 );
GET_UINT32_LE( X[14], data, 56 );
GET_UINT32_LE( X[15], data, 60 );
#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
#define P(a,b,c,d,k,s,t) \
{ \
a += F(b,c,d) + X[k] + t; a = S(a,s) + b; \
}
A = ctx->state[0];
B = ctx->state[1];
C = ctx->state[2];
D = ctx->state[3];
#define F(x,y,z) (z ^ (x & (y ^ z)))
P( A, B, C, D, 0, 7, 0xD76AA478 );
P( D, A, B, C, 1, 12, 0xE8C7B756 );
P( C, D, A, B, 2, 17, 0x242070DB );
P( B, C, D, A, 3, 22, 0xC1BDCEEE );
P( A, B, C, D, 4, 7, 0xF57C0FAF );
P( D, A, B, C, 5, 12, 0x4787C62A );
P( C, D, A, B, 6, 17, 0xA8304613 );
P( B, C, D, A, 7, 22, 0xFD469501 );
P( A, B, C, D, 8, 7, 0x698098D8 );
P( D, A, B, C, 9, 12, 0x8B44F7AF );
P( C, D, A, B, 10, 17, 0xFFFF5BB1 );
P( B, C, D, A, 11, 22, 0x895CD7BE );
P( A, B, C, D, 12, 7, 0x6B901122 );
P( D, A, B, C, 13, 12, 0xFD987193 );
P( C, D, A, B, 14, 17, 0xA679438E );
P( B, C, D, A, 15, 22, 0x49B40821 );
#undef F
#define F(x,y,z) (y ^ (z & (x ^ y)))
P( A, B, C, D, 1, 5, 0xF61E2562 );
P( D, A, B, C, 6, 9, 0xC040B340 );
P( C, D, A, B, 11, 14, 0x265E5A51 );
P( B, C, D, A, 0, 20, 0xE9B6C7AA );
P( A, B, C, D, 5, 5, 0xD62F105D );
P( D, A, B, C, 10, 9, 0x02441453 );
P( C, D, A, B, 15, 14, 0xD8A1E681 );
P( B, C, D, A, 4, 20, 0xE7D3FBC8 );
P( A, B, C, D, 9, 5, 0x21E1CDE6 );
P( D, A, B, C, 14, 9, 0xC33707D6 );
P( C, D, A, B, 3, 14, 0xF4D50D87 );
P( B, C, D, A, 8, 20, 0x455A14ED );
P( A, B, C, D, 13, 5, 0xA9E3E905 );
P( D, A, B, C, 2, 9, 0xFCEFA3F8 );
P( C, D, A, B, 7, 14, 0x676F02D9 );
P( B, C, D, A, 12, 20, 0x8D2A4C8A );
#undef F
#define F(x,y,z) (x ^ y ^ z)
P( A, B, C, D, 5, 4, 0xFFFA3942 );
P( D, A, B, C, 8, 11, 0x8771F681 );
P( C, D, A, B, 11, 16, 0x6D9D6122 );
P( B, C, D, A, 14, 23, 0xFDE5380C );
P( A, B, C, D, 1, 4, 0xA4BEEA44 );
P( D, A, B, C, 4, 11, 0x4BDECFA9 );
P( C, D, A, B, 7, 16, 0xF6BB4B60 );
P( B, C, D, A, 10, 23, 0xBEBFBC70 );
P( A, B, C, D, 13, 4, 0x289B7EC6 );
P( D, A, B, C, 0, 11, 0xEAA127FA );
P( C, D, A, B, 3, 16, 0xD4EF3085 );
P( B, C, D, A, 6, 23, 0x04881D05 );
P( A, B, C, D, 9, 4, 0xD9D4D039 );
P( D, A, B, C, 12, 11, 0xE6DB99E5 );
P( C, D, A, B, 15, 16, 0x1FA27CF8 );
P( B, C, D, A, 2, 23, 0xC4AC5665 );
#undef F
#define F(x,y,z) (y ^ (x | ~z))
P( A, B, C, D, 0, 6, 0xF4292244 );
P( D, A, B, C, 7, 10, 0x432AFF97 );
P( C, D, A, B, 14, 15, 0xAB9423A7 );
P( B, C, D, A, 5, 21, 0xFC93A039 );
P( A, B, C, D, 12, 6, 0x655B59C3 );
P( D, A, B, C, 3, 10, 0x8F0CCC92 );
P( C, D, A, B, 10, 15, 0xFFEFF47D );
P( B, C, D, A, 1, 21, 0x85845DD1 );
P( A, B, C, D, 8, 6, 0x6FA87E4F );
P( D, A, B, C, 15, 10, 0xFE2CE6E0 );
P( C, D, A, B, 6, 15, 0xA3014314 );
P( B, C, D, A, 13, 21, 0x4E0811A1 );
P( A, B, C, D, 4, 6, 0xF7537E82 );
P( D, A, B, C, 11, 10, 0xBD3AF235 );
P( C, D, A, B, 2, 15, 0x2AD7D2BB );
P( B, C, D, A, 9, 21, 0xEB86D391 );
#undef F
ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
}
#endif /* !MBEDTLS_MD5_PROCESS_ALT */
/*
* MD5 process buffer
*/
void mbedtls_md5_update( mbedtls_md5_context *ctx, const unsigned char *input, size_t ilen )
{
size_t fill;
uint32_t left;
if( ilen == 0 )
return;
left = ctx->total[0] & 0x3F;
fill = 64 - left;
ctx->total[0] += (uint32_t) ilen;
ctx->total[0] &= 0xFFFFFFFF;
if( ctx->total[0] < (uint32_t) ilen )
ctx->total[1]++;
if( left && ilen >= fill )
{
memcpy( (void *) (ctx->buffer + left), input, fill );
mbedtls_md5_process( ctx, ctx->buffer );
input += fill;
ilen -= fill;
left = 0;
}
while( ilen >= 64 )
{
mbedtls_md5_process( ctx, input );
input += 64;
ilen -= 64;
}
if( ilen > 0 )
{
memcpy( (void *) (ctx->buffer + left), input, ilen );
}
}
static const unsigned char md5_padding[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/*
* MD5 final digest
*/
void mbedtls_md5_finish( mbedtls_md5_context *ctx, unsigned char output[16] )
{
uint32_t last, padn;
uint32_t high, low;
unsigned char msglen[8];
high = ( ctx->total[0] >> 29 )
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );
PUT_UINT32_LE( low, msglen, 0 );
PUT_UINT32_LE( high, msglen, 4 );
last = ctx->total[0] & 0x3F;
padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
mbedtls_md5_update( ctx, md5_padding, padn );
mbedtls_md5_update( ctx, msglen, 8 );
PUT_UINT32_LE( ctx->state[0], output, 0 );
PUT_UINT32_LE( ctx->state[1], output, 4 );
PUT_UINT32_LE( ctx->state[2], output, 8 );
PUT_UINT32_LE( ctx->state[3], output, 12 );
}
#endif /* !MBEDTLS_MD5_ALT */
/*
* output = MD5( input buffer )
*/
void mbedtls_md5( const unsigned char *input, size_t ilen, unsigned char output[16] )
{
mbedtls_md5_context ctx;
mbedtls_md5_init( &ctx );
mbedtls_md5_starts( &ctx );
mbedtls_md5_update( &ctx, input, ilen );
mbedtls_md5_finish( &ctx, output );
mbedtls_md5_free( &ctx );
}
#if defined(MBEDTLS_SELF_TEST)
/*
* RFC 1321 test vectors
*/
static const unsigned char md5_test_buf[7][81] =
{
{ "" },
{ "a" },
{ "abc" },
{ "message digest" },
{ "abcdefghijklmnopqrstuvwxyz" },
{ "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" },
{ "12345678901234567890123456789012345678901234567890123456789012" \
"345678901234567890" }
};
static const int md5_test_buflen[7] =
{
0, 1, 3, 14, 26, 62, 80
};
static const unsigned char md5_test_sum[7][16] =
{
{ 0xD4, 0x1D, 0x8C, 0xD9, 0x8F, 0x00, 0xB2, 0x04,
0xE9, 0x80, 0x09, 0x98, 0xEC, 0xF8, 0x42, 0x7E },
{ 0x0C, 0xC1, 0x75, 0xB9, 0xC0, 0xF1, 0xB6, 0xA8,
0x31, 0xC3, 0x99, 0xE2, 0x69, 0x77, 0x26, 0x61 },
{ 0x90, 0x01, 0x50, 0x98, 0x3C, 0xD2, 0x4F, 0xB0,
0xD6, 0x96, 0x3F, 0x7D, 0x28, 0xE1, 0x7F, 0x72 },
{ 0xF9, 0x6B, 0x69, 0x7D, 0x7C, 0xB7, 0x93, 0x8D,
0x52, 0x5A, 0x2F, 0x31, 0xAA, 0xF1, 0x61, 0xD0 },
{ 0xC3, 0xFC, 0xD3, 0xD7, 0x61, 0x92, 0xE4, 0x00,
0x7D, 0xFB, 0x49, 0x6C, 0xCA, 0x67, 0xE1, 0x3B },
{ 0xD1, 0x74, 0xAB, 0x98, 0xD2, 0x77, 0xD9, 0xF5,
0xA5, 0x61, 0x1C, 0x2C, 0x9F, 0x41, 0x9D, 0x9F },
{ 0x57, 0xED, 0xF4, 0xA2, 0x2B, 0xE3, 0xC9, 0x55,
0xAC, 0x49, 0xDA, 0x2E, 0x21, 0x07, 0xB6, 0x7A }
};
/*
* Checkup routine
*/
int mbedtls_md5_self_test( int verbose )
{
int i;
unsigned char md5sum[16];
for( i = 0; i < 7; i++ )
{
if( verbose != 0 )
mbedtls_printf( " MD5 test #%d: ", i + 1 );
mbedtls_md5( md5_test_buf[i], md5_test_buflen[i], md5sum );
if( memcmp( md5sum, md5_test_sum[i], 16 ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
return( 1 );
}
if( verbose != 0 )
mbedtls_printf( "passed\n" );
}
if( verbose != 0 )
mbedtls_printf( "\n" );
return( 0 );
}
#endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_MD5_C */

136
others/mbedtls/md5.h
View File

@ -1,136 +0,0 @@
/**
* \file md5.h
*
* \brief MD5 message digest algorithm (hash function)
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_MD5_H
#define MBEDTLS_MD5_H
#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include <stddef.h>
#include <stdint.h>
#if !defined(MBEDTLS_MD5_ALT)
// Regular implementation
//
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief MD5 context structure
*/
typedef struct
{
uint32_t total[2]; /*!< number of bytes processed */
uint32_t state[4]; /*!< intermediate digest state */
unsigned char buffer[64]; /*!< data block being processed */
}
mbedtls_md5_context;
/**
* \brief Initialize MD5 context
*
* \param ctx MD5 context to be initialized
*/
void mbedtls_md5_init( mbedtls_md5_context *ctx );
/**
* \brief Clear MD5 context
*
* \param ctx MD5 context to be cleared
*/
void mbedtls_md5_free( mbedtls_md5_context *ctx );
/**
* \brief Clone (the state of) an MD5 context
*
* \param dst The destination context
* \param src The context to be cloned
*/
void mbedtls_md5_clone( mbedtls_md5_context *dst,
const mbedtls_md5_context *src );
/**
* \brief MD5 context setup
*
* \param ctx context to be initialized
*/
void mbedtls_md5_starts( mbedtls_md5_context *ctx );
/**
* \brief MD5 process buffer
*
* \param ctx MD5 context
* \param input buffer holding the data
* \param ilen length of the input data
*/
void mbedtls_md5_update( mbedtls_md5_context *ctx, const unsigned char *input, size_t ilen );
/**
* \brief MD5 final digest
*
* \param ctx MD5 context
* \param output MD5 checksum result
*/
void mbedtls_md5_finish( mbedtls_md5_context *ctx, unsigned char output[16] );
/* Internal use */
void mbedtls_md5_process( mbedtls_md5_context *ctx, const unsigned char data[64] );
#ifdef __cplusplus
}
#endif
#else /* MBEDTLS_MD5_ALT */
#include "md5_alt.h"
#endif /* MBEDTLS_MD5_ALT */
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief Output = MD5( input buffer )
*
* \param input buffer holding the data
* \param ilen length of the input data
* \param output MD5 checksum result
*/
void mbedtls_md5( const unsigned char *input, size_t ilen, unsigned char output[16] );
/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
*/
int mbedtls_md5_self_test( int verbose );
#ifdef __cplusplus
}
#endif
#endif /* mbedtls_md5.h */

214
others/mbedtls/platform.h
View File

@ -1,214 +0,0 @@
/**
* \file platform.h
*
* \brief mbed TLS Platform abstraction layer
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_PLATFORM_H
#define MBEDTLS_PLATFORM_H
#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#ifdef __cplusplus
extern "C" {
#endif
/**
* \name SECTION: Module settings
*
* The configuration options you can set for this module are in this section.
* Either change them in config.h or define them on the compiler command line.
* \{
*/
#if !defined(MBEDTLS_PLATFORM_NO_STD_FUNCTIONS)
#include <stdio.h>
#include <stdlib.h>
#if !defined(MBEDTLS_PLATFORM_STD_SNPRINTF)
#if defined(_WIN32)
#define MBEDTLS_PLATFORM_STD_SNPRINTF mbedtls_platform_win32_snprintf /**< Default snprintf to use */
#else
#define MBEDTLS_PLATFORM_STD_SNPRINTF snprintf /**< Default snprintf to use */
#endif
#endif
#if !defined(MBEDTLS_PLATFORM_STD_PRINTF)
#define MBEDTLS_PLATFORM_STD_PRINTF printf /**< Default printf to use */
#endif
#if !defined(MBEDTLS_PLATFORM_STD_FPRINTF)
#define MBEDTLS_PLATFORM_STD_FPRINTF fprintf /**< Default fprintf to use */
#endif
#if !defined(MBEDTLS_PLATFORM_STD_CALLOC)
#define MBEDTLS_PLATFORM_STD_CALLOC calloc /**< Default allocator to use */
#endif
#if !defined(MBEDTLS_PLATFORM_STD_FREE)
#define MBEDTLS_PLATFORM_STD_FREE free /**< Default free to use */
#endif
#if !defined(MBEDTLS_PLATFORM_STD_EXIT)
#define MBEDTLS_PLATFORM_STD_EXIT exit /**< Default free to use */
#endif
#else /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
#if defined(MBEDTLS_PLATFORM_STD_MEM_HDR)
#include MBEDTLS_PLATFORM_STD_MEM_HDR
#endif
#endif /* MBEDTLS_PLATFORM_NO_STD_FUNCTIONS */
/* \} name SECTION: Module settings */
/*
* The function pointers for calloc and free
*/
#if defined(MBEDTLS_PLATFORM_MEMORY)
#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
#define mbedtls_free MBEDTLS_PLATFORM_FREE_MACRO
#define mbedtls_calloc MBEDTLS_PLATFORM_CALLOC_MACRO
#else
/* For size_t */
#include <stddef.h>
extern void * (*mbedtls_calloc)( size_t n, size_t size );
extern void (*mbedtls_free)( void *ptr );
/**
* \brief Set your own memory implementation function pointers
*
* \param calloc_func the calloc function implementation
* \param free_func the free function implementation
*
* \return 0 if successful
*/
int mbedtls_platform_set_calloc_free( void * (*calloc_func)( size_t, size_t ),
void (*free_func)( void * ) );
#endif /* MBEDTLS_PLATFORM_FREE_MACRO && MBEDTLS_PLATFORM_CALLOC_MACRO */
#else /* !MBEDTLS_PLATFORM_MEMORY */
#define mbedtls_free free
#define mbedtls_calloc calloc
#endif /* MBEDTLS_PLATFORM_MEMORY && !MBEDTLS_PLATFORM_{FREE,CALLOC}_MACRO */
/*
* The function pointers for fprintf
*/
#if defined(MBEDTLS_PLATFORM_FPRINTF_ALT)
/* We need FILE * */
#include <stdio.h>
extern int (*mbedtls_fprintf)( FILE *stream, const char *format, ... );
/**
* \brief Set your own fprintf function pointer
*
* \param fprintf_func the fprintf function implementation
*
* \return 0
*/
int mbedtls_platform_set_fprintf( int (*fprintf_func)( FILE *stream, const char *,
... ) );
#else
#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
#define mbedtls_fprintf MBEDTLS_PLATFORM_FPRINTF_MACRO
#else
#define mbedtls_fprintf fprintf
#endif /* MBEDTLS_PLATFORM_FPRINTF_MACRO */
#endif /* MBEDTLS_PLATFORM_FPRINTF_ALT */
/*
* The function pointers for printf
*/
#if defined(MBEDTLS_PLATFORM_PRINTF_ALT)
extern int (*mbedtls_printf)( const char *format, ... );
/**
* \brief Set your own printf function pointer
*
* \param printf_func the printf function implementation
*
* \return 0
*/
int mbedtls_platform_set_printf( int (*printf_func)( const char *, ... ) );
#else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
#define mbedtls_printf MBEDTLS_PLATFORM_PRINTF_MACRO
#else
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_PRINTF_MACRO */
#endif /* MBEDTLS_PLATFORM_PRINTF_ALT */
/*
* The function pointers for snprintf
*
* The snprintf implementation should conform to C99:
* - it *must* always correctly zero-terminate the buffer
* (except when n == 0, then it must leave the buffer untouched)
* - however it is acceptable to return -1 instead of the required length when
* the destination buffer is too short.
*/
#if defined(_WIN32)
/* For Windows (inc. MSYS2), we provide our own fixed implementation */
int mbedtls_platform_win32_snprintf( char *s, size_t n, const char *fmt, ... );
#endif
#if defined(MBEDTLS_PLATFORM_SNPRINTF_ALT)
extern int (*mbedtls_snprintf)( char * s, size_t n, const char * format, ... );
/**
* \brief Set your own snprintf function pointer
*
* \param snprintf_func the snprintf function implementation
*
* \return 0
*/
int mbedtls_platform_set_snprintf( int (*snprintf_func)( char * s, size_t n,
const char * format, ... ) );
#else /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
#define mbedtls_snprintf MBEDTLS_PLATFORM_SNPRINTF_MACRO
#else
#define mbedtls_snprintf snprintf
#endif /* MBEDTLS_PLATFORM_SNPRINTF_MACRO */
#endif /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
/*
* The function pointers for exit
*/
#if defined(MBEDTLS_PLATFORM_EXIT_ALT)
extern void (*mbedtls_exit)( int status );
/**
* \brief Set your own exit function pointer
*
* \param exit_func the exit function implementation
*
* \return 0
*/
int mbedtls_platform_set_exit( void (*exit_func)( int status ) );
#else
#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
#define mbedtls_exit MBEDTLS_PLATFORM_EXIT_MACRO
#else
#define mbedtls_exit exit
#endif /* MBEDTLS_PLATFORM_EXIT_MACRO */
#endif /* MBEDTLS_PLATFORM_EXIT_ALT */
#ifdef __cplusplus
}
#endif
#endif /* platform.h */

448
others/mbedtls/sha1.c
View File

@ -1,448 +0,0 @@
/*
* FIPS-180-1 compliant SHA-1 implementation
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
/*
* The SHA-1 standard was published by NIST in 1993.
*
* http://www.itl.nist.gov/fipspubs/fip180-1.htm
*/
#if !defined(MBEDTLS_CONFIG_FILE)
#include "mbedtls/config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#if defined(MBEDTLS_SHA1_C)
#include "mbedtls/sha1.h"
#include <string.h>
#if defined(MBEDTLS_SELF_TEST)
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else
#include <stdio.h>
#define mbedtls_printf printf
#endif /* MBEDTLS_PLATFORM_C */
#endif /* MBEDTLS_SELF_TEST */
#if !defined(MBEDTLS_SHA1_ALT)
/* Implementation that should never be optimized out by the compiler */
static void mbedtls_zeroize( void *v, size_t n ) {
volatile unsigned char *p = v; while( n-- ) *p++ = 0;
}
/*
* 32-bit integer manipulation macros (big endian)
*/
#ifndef GET_UINT32_BE
#define GET_UINT32_BE(n,b,i) \
{ \
(n) = ( (uint32_t) (b)[(i) ] << 24 ) \
| ( (uint32_t) (b)[(i) + 1] << 16 ) \
| ( (uint32_t) (b)[(i) + 2] << 8 ) \
| ( (uint32_t) (b)[(i) + 3] ); \
}
#endif
#ifndef PUT_UINT32_BE
#define PUT_UINT32_BE(n,b,i) \
{ \
(b)[(i) ] = (unsigned char) ( (n) >> 24 ); \
(b)[(i) + 1] = (unsigned char) ( (n) >> 16 ); \
(b)[(i) + 2] = (unsigned char) ( (n) >> 8 ); \
(b)[(i) + 3] = (unsigned char) ( (n) ); \
}
#endif
void mbedtls_sha1_init( mbedtls_sha1_context *ctx )
{
memset( ctx, 0, sizeof( mbedtls_sha1_context ) );
}
void mbedtls_sha1_free( mbedtls_sha1_context *ctx )
{
if( ctx == NULL )
return;
mbedtls_zeroize( ctx, sizeof( mbedtls_sha1_context ) );
}
void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
const mbedtls_sha1_context *src )
{
*dst = *src;
}
/*
* SHA-1 context setup
*/
void mbedtls_sha1_starts( mbedtls_sha1_context *ctx )
{
ctx->total[0] = 0;
ctx->total[1] = 0;
ctx->state[0] = 0x67452301;
ctx->state[1] = 0xEFCDAB89;
ctx->state[2] = 0x98BADCFE;
ctx->state[3] = 0x10325476;
ctx->state[4] = 0xC3D2E1F0;
}
#if !defined(MBEDTLS_SHA1_PROCESS_ALT)
void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] )
{
uint32_t temp, W[16], A, B, C, D, E;
GET_UINT32_BE( W[ 0], data, 0 );
GET_UINT32_BE( W[ 1], data, 4 );
GET_UINT32_BE( W[ 2], data, 8 );
GET_UINT32_BE( W[ 3], data, 12 );
GET_UINT32_BE( W[ 4], data, 16 );
GET_UINT32_BE( W[ 5], data, 20 );
GET_UINT32_BE( W[ 6], data, 24 );
GET_UINT32_BE( W[ 7], data, 28 );
GET_UINT32_BE( W[ 8], data, 32 );
GET_UINT32_BE( W[ 9], data, 36 );
GET_UINT32_BE( W[10], data, 40 );
GET_UINT32_BE( W[11], data, 44 );
GET_UINT32_BE( W[12], data, 48 );
GET_UINT32_BE( W[13], data, 52 );
GET_UINT32_BE( W[14], data, 56 );
GET_UINT32_BE( W[15], data, 60 );
#define S(x,n) ((x << n) | ((x & 0xFFFFFFFF) >> (32 - n)))
#define R(t) \
( \
temp = W[( t - 3 ) & 0x0F] ^ W[( t - 8 ) & 0x0F] ^ \
W[( t - 14 ) & 0x0F] ^ W[ t & 0x0F], \
( W[t & 0x0F] = S(temp,1) ) \
)
#define P(a,b,c,d,e,x) \
{ \
e += S(a,5) + F(b,c,d) + K + x; b = S(b,30); \
}
A = ctx->state[0];
B = ctx->state[1];
C = ctx->state[2];
D = ctx->state[3];
E = ctx->state[4];
#define F(x,y,z) (z ^ (x & (y ^ z)))
#define K 0x5A827999
P( A, B, C, D, E, W[0] );
P( E, A, B, C, D, W[1] );
P( D, E, A, B, C, W[2] );
P( C, D, E, A, B, W[3] );
P( B, C, D, E, A, W[4] );
P( A, B, C, D, E, W[5] );
P( E, A, B, C, D, W[6] );
P( D, E, A, B, C, W[7] );
P( C, D, E, A, B, W[8] );
P( B, C, D, E, A, W[9] );
P( A, B, C, D, E, W[10] );
P( E, A, B, C, D, W[11] );
P( D, E, A, B, C, W[12] );
P( C, D, E, A, B, W[13] );
P( B, C, D, E, A, W[14] );
P( A, B, C, D, E, W[15] );
P( E, A, B, C, D, R(16) );
P( D, E, A, B, C, R(17) );
P( C, D, E, A, B, R(18) );
P( B, C, D, E, A, R(19) );
#undef K
#undef F
#define F(x,y,z) (x ^ y ^ z)
#define K 0x6ED9EBA1
P( A, B, C, D, E, R(20) );
P( E, A, B, C, D, R(21) );
P( D, E, A, B, C, R(22) );
P( C, D, E, A, B, R(23) );
P( B, C, D, E, A, R(24) );
P( A, B, C, D, E, R(25) );
P( E, A, B, C, D, R(26) );
P( D, E, A, B, C, R(27) );
P( C, D, E, A, B, R(28) );
P( B, C, D, E, A, R(29) );
P( A, B, C, D, E, R(30) );
P( E, A, B, C, D, R(31) );
P( D, E, A, B, C, R(32) );
P( C, D, E, A, B, R(33) );
P( B, C, D, E, A, R(34) );
P( A, B, C, D, E, R(35) );
P( E, A, B, C, D, R(36) );
P( D, E, A, B, C, R(37) );
P( C, D, E, A, B, R(38) );
P( B, C, D, E, A, R(39) );
#undef K
#undef F
#define F(x,y,z) ((x & y) | (z & (x | y)))
#define K 0x8F1BBCDC
P( A, B, C, D, E, R(40) );
P( E, A, B, C, D, R(41) );
P( D, E, A, B, C, R(42) );
P( C, D, E, A, B, R(43) );
P( B, C, D, E, A, R(44) );
P( A, B, C, D, E, R(45) );
P( E, A, B, C, D, R(46) );
P( D, E, A, B, C, R(47) );
P( C, D, E, A, B, R(48) );
P( B, C, D, E, A, R(49) );
P( A, B, C, D, E, R(50) );
P( E, A, B, C, D, R(51) );
P( D, E, A, B, C, R(52) );
P( C, D, E, A, B, R(53) );
P( B, C, D, E, A, R(54) );
P( A, B, C, D, E, R(55) );
P( E, A, B, C, D, R(56) );
P( D, E, A, B, C, R(57) );
P( C, D, E, A, B, R(58) );
P( B, C, D, E, A, R(59) );
#undef K
#undef F
#define F(x,y,z) (x ^ y ^ z)
#define K 0xCA62C1D6
P( A, B, C, D, E, R(60) );
P( E, A, B, C, D, R(61) );
P( D, E, A, B, C, R(62) );
P( C, D, E, A, B, R(63) );
P( B, C, D, E, A, R(64) );
P( A, B, C, D, E, R(65) );
P( E, A, B, C, D, R(66) );
P( D, E, A, B, C, R(67) );
P( C, D, E, A, B, R(68) );
P( B, C, D, E, A, R(69) );
P( A, B, C, D, E, R(70) );
P( E, A, B, C, D, R(71) );
P( D, E, A, B, C, R(72) );
P( C, D, E, A, B, R(73) );
P( B, C, D, E, A, R(74) );
P( A, B, C, D, E, R(75) );
P( E, A, B, C, D, R(76) );
P( D, E, A, B, C, R(77) );
P( C, D, E, A, B, R(78) );
P( B, C, D, E, A, R(79) );
#undef K
#undef F
ctx->state[0] += A;
ctx->state[1] += B;
ctx->state[2] += C;
ctx->state[3] += D;
ctx->state[4] += E;
}
#endif /* !MBEDTLS_SHA1_PROCESS_ALT */
/*
* SHA-1 process buffer
*/
void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen )
{
size_t fill;
uint32_t left;
if( ilen == 0 )
return;
left = ctx->total[0] & 0x3F;
fill = 64 - left;
ctx->total[0] += (uint32_t) ilen;
ctx->total[0] &= 0xFFFFFFFF;
if( ctx->total[0] < (uint32_t) ilen )
ctx->total[1]++;
if( left && ilen >= fill )
{
memcpy( (void *) (ctx->buffer + left), input, fill );
mbedtls_sha1_process( ctx, ctx->buffer );
input += fill;
ilen -= fill;
left = 0;
}
while( ilen >= 64 )
{
mbedtls_sha1_process( ctx, input );
input += 64;
ilen -= 64;
}
if( ilen > 0 )
memcpy( (void *) (ctx->buffer + left), input, ilen );
}
static const unsigned char sha1_padding[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/*
* SHA-1 final digest
*/
void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] )
{
uint32_t last, padn;
uint32_t high, low;
unsigned char msglen[8];
high = ( ctx->total[0] >> 29 )
| ( ctx->total[1] << 3 );
low = ( ctx->total[0] << 3 );
PUT_UINT32_BE( high, msglen, 0 );
PUT_UINT32_BE( low, msglen, 4 );
last = ctx->total[0] & 0x3F;
padn = ( last < 56 ) ? ( 56 - last ) : ( 120 - last );
mbedtls_sha1_update( ctx, sha1_padding, padn );
mbedtls_sha1_update( ctx, msglen, 8 );
PUT_UINT32_BE( ctx->state[0], output, 0 );
PUT_UINT32_BE( ctx->state[1], output, 4 );
PUT_UINT32_BE( ctx->state[2], output, 8 );
PUT_UINT32_BE( ctx->state[3], output, 12 );
PUT_UINT32_BE( ctx->state[4], output, 16 );
}
#endif /* !MBEDTLS_SHA1_ALT */
/*
* output = SHA-1( input buffer )
*/
void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[20] )
{
mbedtls_sha1_context ctx;
mbedtls_sha1_init( &ctx );
mbedtls_sha1_starts( &ctx );
mbedtls_sha1_update( &ctx, input, ilen );
mbedtls_sha1_finish( &ctx, output );
mbedtls_sha1_free( &ctx );
}
#if defined(MBEDTLS_SELF_TEST)
/*
* FIPS-180-1 test vectors
*/
static const unsigned char sha1_test_buf[3][57] =
{
{ "abc" },
{ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" },
{ "" }
};
static const int sha1_test_buflen[3] =
{
3, 56, 1000
};
static const unsigned char sha1_test_sum[3][20] =
{
{ 0xA9, 0x99, 0x3E, 0x36, 0x47, 0x06, 0x81, 0x6A, 0xBA, 0x3E,
0x25, 0x71, 0x78, 0x50, 0xC2, 0x6C, 0x9C, 0xD0, 0xD8, 0x9D },
{ 0x84, 0x98, 0x3E, 0x44, 0x1C, 0x3B, 0xD2, 0x6E, 0xBA, 0xAE,
0x4A, 0xA1, 0xF9, 0x51, 0x29, 0xE5, 0xE5, 0x46, 0x70, 0xF1 },
{ 0x34, 0xAA, 0x97, 0x3C, 0xD4, 0xC4, 0xDA, 0xA4, 0xF6, 0x1E,
0xEB, 0x2B, 0xDB, 0xAD, 0x27, 0x31, 0x65, 0x34, 0x01, 0x6F }
};
/*
* Checkup routine
*/
int mbedtls_sha1_self_test( int verbose )
{
int i, j, buflen, ret = 0;
unsigned char buf[1024];
unsigned char sha1sum[20];
mbedtls_sha1_context ctx;
mbedtls_sha1_init( &ctx );
/*
* SHA-1
*/
for( i = 0; i < 3; i++ )
{
if( verbose != 0 )
mbedtls_printf( " SHA-1 test #%d: ", i + 1 );
mbedtls_sha1_starts( &ctx );
if( i == 2 )
{
memset( buf, 'a', buflen = 1000 );
for( j = 0; j < 1000; j++ )
mbedtls_sha1_update( &ctx, buf, buflen );
}
else
mbedtls_sha1_update( &ctx, sha1_test_buf[i],
sha1_test_buflen[i] );
mbedtls_sha1_finish( &ctx, sha1sum );
if( memcmp( sha1sum, sha1_test_sum[i], 20 ) != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
ret = 1;
goto exit;
}
if( verbose != 0 )
mbedtls_printf( "passed\n" );
}
if( verbose != 0 )
mbedtls_printf( "\n" );
exit:
mbedtls_sha1_free( &ctx );
return( ret );
}
#endif /* MBEDTLS_SELF_TEST */
#endif /* MBEDTLS_SHA1_C */

136
others/mbedtls/sha1.h
View File

@ -1,136 +0,0 @@
/**
* \file sha1.h
*
* \brief SHA-1 cryptographic hash function
*
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
* SPDX-License-Identifier: Apache-2.0
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may
* not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
* This file is part of mbed TLS (https://tls.mbed.org)
*/
#ifndef MBEDTLS_SHA1_H
#define MBEDTLS_SHA1_H
#if !defined(MBEDTLS_CONFIG_FILE)
#include "config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include <stddef.h>
#include <stdint.h>
#if !defined(MBEDTLS_SHA1_ALT)
// Regular implementation
//
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief SHA-1 context structure
*/
typedef struct
{
uint32_t total[2]; /*!< number of bytes processed */
uint32_t state[5]; /*!< intermediate digest state */
unsigned char buffer[64]; /*!< data block being processed */
}
mbedtls_sha1_context;
/**
* \brief Initialize SHA-1 context
*
* \param ctx SHA-1 context to be initialized
*/
void mbedtls_sha1_init( mbedtls_sha1_context *ctx );
/**
* \brief Clear SHA-1 context
*
* \param ctx SHA-1 context to be cleared
*/
void mbedtls_sha1_free( mbedtls_sha1_context *ctx );
/**
* \brief Clone (the state of) a SHA-1 context
*
* \param dst The destination context
* \param src The context to be cloned
*/
void mbedtls_sha1_clone( mbedtls_sha1_context *dst,
const mbedtls_sha1_context *src );
/**
* \brief SHA-1 context setup
*
* \param ctx context to be initialized
*/
void mbedtls_sha1_starts( mbedtls_sha1_context *ctx );
/**
* \brief SHA-1 process buffer
*
* \param ctx SHA-1 context
* \param input buffer holding the data
* \param ilen length of the input data
*/
void mbedtls_sha1_update( mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen );
/**
* \brief SHA-1 final digest
*
* \param ctx SHA-1 context
* \param output SHA-1 checksum result
*/
void mbedtls_sha1_finish( mbedtls_sha1_context *ctx, unsigned char output[20] );
/* Internal use */
void mbedtls_sha1_process( mbedtls_sha1_context *ctx, const unsigned char data[64] );
#ifdef __cplusplus
}
#endif
#else /* MBEDTLS_SHA1_ALT */
#include "sha1_alt.h"
#endif /* MBEDTLS_SHA1_ALT */
#ifdef __cplusplus
extern "C" {
#endif
/**
* \brief Output = SHA-1( input buffer )
*
* \param input buffer holding the data
* \param ilen length of the input data
* \param output SHA-1 checksum result
*/
void mbedtls_sha1( const unsigned char *input, size_t ilen, unsigned char output[20] );
/**
* \brief Checkup routine
*
* \return 0 if successful, or 1 if the test failed
*/
int mbedtls_sha1_self_test( int verbose );
#ifdef __cplusplus
}
#endif
#endif /* mbedtls_sha1.h */

1
src/Makefile.am
View File

@ -315,6 +315,7 @@ libmodsecurity_la_CPPFLAGS = \
-I.. \
-g \
-I../others \
-I../others/mbedtls/include \
-fPIC \
-O3 \
-I../headers \

4
src/actions/set_env.cc
View File

@ -37,7 +37,11 @@ bool SetENV::evaluate(RuleWithActions *rule, Transaction *t) {
auto pair = utils::string::ssplit_pair(colNameExpanded, '=');
ms_dbg_a(t, 8, "Setting environment variable: "
+ pair.first + " to " + pair.second);
#ifndef WIN32
setenv(pair.first.c_str(), pair.second.c_str(), /*overwrite*/ 1);
#else
_putenv_s(pair.first.c_str(), pair.second.c_str());
#endif
return true;
}

4
src/actions/transformations/html_entity_decode.cc
View File

@ -27,6 +27,10 @@
#include "modsecurity/transaction.h"
#include "src/actions/transformations/transformation.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace actions {

1
src/actions/transformations/lower_case.cc
View File

@ -17,6 +17,7 @@
#include <algorithm>
#include <string>
#include <locale>
#include "modsecurity/transaction.h"
#include "src/actions/transformations/transformation.h"

1
src/actions/transformations/upper_case.cc
View File

@ -17,6 +17,7 @@
#include <algorithm>
#include <string>
#include <locale>
#include "modsecurity/transaction.h"
#include "src/actions/transformations/transformation.h"

23
src/anchored_set_variable.cc
View File

@ -52,26 +52,16 @@ void AnchoredSetVariable::unset() {
void AnchoredSetVariable::set(const std::string &key,
const std::string &value, size_t offset, size_t len) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
VariableValue *var = new VariableValue(&m_name, &key, &value);
origin->m_offset = offset;
origin->m_length = len;
var->addOrigin(std::move(origin));
var->addOrigin(len, offset);
emplace(key, var);
}
void AnchoredSetVariable::set(const std::string &key,
const std::string &value, size_t offset) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
VariableValue *var = new VariableValue(&m_name, &key, &value);
origin->m_offset = offset;
origin->m_length = value.size();
var->addOrigin(std::move(origin));
var->addOrigin(value.size(), offset);
emplace(key, var);
}
@ -109,12 +99,11 @@ void AnchoredSetVariable::resolve(const std::string &key,
std::unique_ptr<std::string> AnchoredSetVariable::resolveFirst(
const std::string &key) {
auto range = equal_range(key);
for (auto it = range.first; it != range.second; ++it) {
std::unique_ptr<std::string> b(new std::string());
b->assign(it->second->getValue());
return b;
if (auto search = this->find(key); search != this->end()) {
return std::make_unique<std::string>(search->second->getValue());
}
return nullptr;
}

69
src/anchored_variable.cc
View File

@ -31,19 +31,9 @@ AnchoredVariable::AnchoredVariable(Transaction *t,
const std::string &name)
: m_transaction(t),
m_offset(0),
m_name(""),
m_name(name),
m_value(""),
m_var(NULL) {
m_name.append(name);
m_var = new VariableValue(&m_name);
}
AnchoredVariable::~AnchoredVariable() {
if (m_var) {
delete (m_var);
m_var = NULL;
}
m_var(&name) {
}
@ -54,58 +44,16 @@ void AnchoredVariable::unset() {
void AnchoredVariable::set(const std::string &a, size_t offset,
size_t offsetLen) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
m_offset = offset;
m_value.assign(a.c_str(), a.size());
origin->m_offset = offset;
origin->m_length = offsetLen;
m_var->addOrigin(std::move(origin));
m_var.addOrigin(offsetLen, offset);
}
void AnchoredVariable::set(const std::string &a, size_t offset) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
m_offset = offset;
m_value.assign(a.c_str(), a.size());
origin->m_offset = offset;
origin->m_length = m_value.size();
m_var->addOrigin(std::move(origin));
}
void AnchoredVariable::append(const std::string &a, size_t offset,
bool spaceSeparator) {
std::unique_ptr<VariableOrigin> origin(
new VariableOrigin());
if (spaceSeparator && !m_value.empty()) {
m_value.append(" " + a);
} else {
m_value.append(a);
}
m_offset = offset;
origin->m_offset = offset;
origin->m_length = a.size();
m_var->addOrigin(std::move(origin));
}
void AnchoredVariable::append(const std::string &a, size_t offset,
bool spaceSeparator, int size) {
std::unique_ptr<VariableOrigin> origin(
new VariableOrigin());
if (spaceSeparator && !m_value.empty()) {
m_value.append(" " + a);
} else {
m_value.append(a);
}
m_offset = offset;
origin->m_offset = offset;
origin->m_length = size;
m_var->addOrigin(std::move(origin));
m_var.addOrigin(m_value.size(), offset);
}
@ -114,9 +62,8 @@ void AnchoredVariable::evaluate(std::vector<const VariableValue *> *l) {
return;
}
m_var->setValue(m_value);
VariableValue *m_var2 = new VariableValue(m_var);
l->push_back(m_var2);
m_var.setValue(m_value);
l->push_back(new VariableValue(&m_var));
}
@ -129,9 +76,7 @@ std::unique_ptr<std::string> AnchoredVariable::resolveFirst() {
if (m_value.empty()) {
return nullptr;
}
std::unique_ptr<std::string> a(new std::string());
a->append(m_value);
return a;
return std::make_unique<std::string>(m_value);
}

7
src/audit_log/writer/parallel.cc
View File

@ -21,7 +21,12 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#ifndef WIN32
#include <unistd.h>
#else
#include <io.h>
#include "src/compat/msvc.h"
#endif
#include <stdlib.h>
#include <fstream>
@ -118,7 +123,7 @@ bool Parallel::write(Transaction *transaction, int parts, std::string *error) {
log = transaction->toOldAuditLogFormat(parts, "-" + boundary + "--");
}
std::string logPath = m_audit->m_storage_dir;
const auto &logPath = m_audit->m_storage_dir;
fileName = logPath + fileName + "-" + *transaction->m_id.get();
if (logPath.empty()) {

2
src/audit_log/writer/writer.h
View File

@ -18,8 +18,10 @@
#include <stdio.h>
#ifndef WIN32
#include <sys/ipc.h>
#include <sys/shm.h>
#endif
#include <sys/types.h>
#include <iostream>

14
src/collection/backend/in_memory-per_process.cc
View File

@ -67,13 +67,13 @@ bool InMemoryPerProcess::storeOrUpdateFirst(const std::string &key,
bool InMemoryPerProcess::updateFirst(const std::string &key,
const std::string &value) {
pthread_mutex_lock(&m_lock);
auto range = this->equal_range(key);
for (auto it = range.first; it != range.second; ++it) {
it->second.setValue(value);
if (auto search = this->find(key); search != this->end()) {
search->second.setValue(value);
pthread_mutex_unlock(&m_lock);
return true;
}
pthread_mutex_unlock(&m_lock);
return false;
}
@ -97,11 +97,11 @@ void InMemoryPerProcess::delIfExpired(const std::string& key) {
void InMemoryPerProcess::setExpiry(const std::string& key, int32_t expiry_seconds) {
pthread_mutex_lock(&m_lock);
auto range = this->equal_range(key);
for (auto it = range.first; it != range.second; ++it) {
it->second.setExpiry(expiry_seconds);
if (auto search = this->find(key); search != this->end()) {
search->second.setExpiry(expiry_seconds);
pthread_mutex_unlock(&m_lock);
return;
return;
}
// We allow an expiry value to be set for a key that has not (yet) had a value set.

1
src/collection/backend/in_memory-per_process.h
View File

@ -12,6 +12,7 @@
* directly using the email address security@modsecurity.org.
*
*/
#include <pthread.h>
#ifdef __cplusplus

6
src/collection/backend/lmdb.cc
View File

@ -18,7 +18,11 @@
#include "src/collection/backend/collection_data.h"
#include <sys/types.h>
#ifndef WIN32
#include <unistd.h>
#else
#include <io.h>
#endif
#include <string>
#include <memory>
@ -659,7 +663,7 @@ MDB_dbi* MDBEnvProvider::GetDBI() {
return &m_dbi;
}
bool MDBEnvProvider::isValid() {
bool MDBEnvProvider::isValid() const {
return valid;
}

2
src/collection/backend/lmdb.h
View File

@ -83,7 +83,7 @@ class MDBEnvProvider {
}
MDB_env* GetEnv();
MDB_dbi* GetDBI();
bool isValid();
bool isValid() const;
~MDBEnvProvider();
private:

22
src/compat/msvc.h Normal file
View File

@ -0,0 +1,22 @@
#ifndef __COMPAT_MSVC
#define __COMPAT_MSVC
#include <time.h>
#if !defined(S_ISREG) && defined(S_IFMT) && defined(S_IFREG)
#define S_ISREG(m) (((m) & S_IFMT) == S_IFREG)
#endif
#define strcasecmp _stricmp
#define strncasecmp _strnicmp
#define strtok_r strtok_s
#define popen _popen
#define pclose _pclose
inline tm* localtime_r(const time_t* tin, tm* tout) {
if (!localtime_s(tout, tin)) return tout;
return nullptr;
}
#endif

4
src/debug_log/debug_log.cc
View File

@ -15,10 +15,6 @@
#include "modsecurity/debug_log.h"
#include <stddef.h>
#include <fstream>
#include "src/debug_log/debug_log_writer.h"
#include "src/debug_log_writer_agent.h"

12
src/debug_log/debug_log_writer.cc
View File

@ -15,18 +15,6 @@
#include "src/debug_log/debug_log_writer.h"
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <fstream>
#include "src/utils/shared_files.h"
namespace modsecurity {

18
src/debug_log/debug_log_writer.h
View File

@ -13,15 +13,7 @@
*
*/
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/types.h>
#include <iostream>
#include <map>
#include <string>
#include <cstring>
#ifndef SRC_DEBUG_LOG_DEBUG_LOG_WRITER_H_
@ -45,18 +37,16 @@ class DebugLogWriter {
static int open(const std::string& m_fileName, std::string *error);
private:
DebugLogWriter() : m_first(NULL) { }
~DebugLogWriter() { }
DebugLogWriter() = default;
~DebugLogWriter() = default;
// C++ 03
// ========
// Dont forget to declare these two. You want to make sure they
// are unacceptable otherwise you may accidentally get copies of
// your singleton appearing.
DebugLogWriter(DebugLogWriter const&);
void operator=(DebugLogWriter const&);
struct debug_log_file_handler *m_first;
DebugLogWriter(DebugLogWriter const&) = delete;
void operator=(DebugLogWriter const&) = delete;
};

4
src/engine/lua.h
View File

@ -67,8 +67,8 @@ class Lua {
public:
Lua() { }
bool load(const std::string &script, std::string *err);
int run(Transaction *t, const std::string &str="");
bool load(const std::string &script, std::string *err); // cppcheck-suppress functionStatic ; triggered when compiling without LUA
int run(Transaction *t, const std::string &str = ""); // cppcheck-suppress functionStatic ; triggered when compiling without LUA
static bool isCompatible(const std::string &script, Lua *l, std::string *error);
#ifdef WITH_LUA

32
src/modsecurity.cc
View File

@ -202,7 +202,7 @@ void ModSecurity::serverLog(void *data, std::shared_ptr<RuleMessage> rm) {
}
if (m_logProperties & TextLogProperty) {
std::string &&d = rm->log();
auto d = rm->log();
const void *a = static_cast<const void *>(d.c_str());
m_logCb(data, a);
return;
@ -210,10 +210,6 @@ void ModSecurity::serverLog(void *data, std::shared_ptr<RuleMessage> rm) {
if (m_logProperties & RuleMessageLogProperty) {
const void *a = static_cast<const void *>(rm.get());
if (m_logProperties & IncludeFullHighlightLogProperty) {
m_logCb(data, a);
return;
}
m_logCb(data, a);
return;
}
@ -258,14 +254,11 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
strlen("highlight"));
yajl_gen_array_open(g);
while (vars.size() > 3) {
std::string value;
for(auto [it, pending] = std::tuple{vars.rbegin(), vars.size()}; pending > 3; pending -= 3) {
yajl_gen_map_open(g);
vars.pop_back();
const std::string &startingAt = vars.back().str();
vars.pop_back();
const std::string &size = vars.back().str();
vars.pop_back();
it++;
const std::string &startingAt = it->str(); it++;
const std::string &size = it->str(); it++;
yajl_gen_string(g,
reinterpret_cast<const unsigned char*>("startingAt"),
strlen("startingAt"));
@ -284,7 +277,7 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
return -1;
}
value = std::string(content, stoi(startingAt), stoi(size));
const auto value = std::string(content, stoi(startingAt), stoi(size));
if (varValue.size() > 0) {
varValue.append(" " + value);
} else {
@ -340,16 +333,13 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
yajl_gen_map_open(g);
while (ops.size() > 3) {
std::string value;
for(auto [it, pending] = std::tuple{ops.rbegin(), ops.size()}; pending > 3; pending -= 3) {
yajl_gen_string(g, reinterpret_cast<const unsigned char*>("highlight"),
strlen("highlight"));
yajl_gen_map_open(g);
ops.pop_back();
std::string startingAt = ops.back().str();
ops.pop_back();
std::string size = ops.back().str();
ops.pop_back();
it++;
const std::string &startingAt = it->str(); it++;
const std::string &size = ops.back().str(); it++;
yajl_gen_string(g,
reinterpret_cast<const unsigned char*>("startingAt"),
strlen("startingAt"));
@ -371,7 +361,7 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
reinterpret_cast<const unsigned char*>("value"),
strlen("value"));
value = std::string(varValue, stoi(startingAt), stoi(size));
const auto value = std::string(varValue, stoi(startingAt), stoi(size));
yajl_gen_string(g,
reinterpret_cast<const unsigned char*>(value.c_str()),

2
src/operators/detect_sqli.cc
View File

@ -19,7 +19,7 @@
#include <list>
#include "src/operators/operator.h"
#include "others/libinjection/src/libinjection.h"
#include "libinjection/src/libinjection.h"
namespace modsecurity {
namespace operators {

2
src/operators/detect_xss.cc
View File

@ -18,7 +18,7 @@
#include <string>
#include "src/operators/operator.h"
#include "others/libinjection/src/libinjection.h"
#include "libinjection/src/libinjection.h"
namespace modsecurity {

1
src/operators/geo_lookup.h
View File

@ -32,6 +32,7 @@ class GeoLookup : public Operator {
bool evaluate(Transaction *transaction, const std::string &exp) override;
protected:
// cppcheck-suppress functionStatic
bool debug(Transaction *transaction, int x, const std::string &a) {
ms_dbg_a(transaction, x, a);
return true;

4
src/operators/inspect_file.cc
View File

@ -23,6 +23,10 @@
#include "src/operators/operator.h"
#include "src/utils/system.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace operators {

5
src/operators/rbl.cc
View File

@ -16,10 +16,15 @@
#include "src/operators/rbl.h"
#include <sys/types.h>
#ifndef WIN32
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#else
#include <WinSock2.h>
#include <WS2tcpip.h>
#endif
#include <string>

17
src/operators/rbl.h
View File

@ -17,10 +17,14 @@
#define SRC_OPERATORS_RBL_H_
#include <sys/types.h>
#ifndef WIN32
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#else
#include <WinSock2.h>
#endif
#include <string>
#include <memory>
@ -66,14 +70,15 @@ class Rbl : public Operator {
m_demandsPassword(false),
m_provider(RblProvider::UnknownProvider),
Operator("Rbl", std::move(param)) {
m_service = m_string->evaluate();
if (m_service.find("httpbl.org") != std::string::npos) {
m_demandsPassword = true;
m_provider = RblProvider::httpbl;
m_service = m_string->evaluate(); // cppcheck-suppress useInitializationList
if (m_service.find("httpbl.org") != std::string::npos)
{
m_demandsPassword = true;
m_provider = RblProvider::httpbl;
} else if (m_service.find("uribl.com") != std::string::npos) {
m_provider = RblProvider::httpbl;
m_provider = RblProvider::uribl;
} else if (m_service.find("spamhaus.org") != std::string::npos) {
m_provider = RblProvider::httpbl;
m_provider = RblProvider::spamhaus;
}
}
bool evaluate(Transaction *transaction, RuleWithActions *rule,

2
src/operators/validate_url_encoding.cc
View File

@ -74,7 +74,7 @@ bool ValidateUrlEncoding::evaluate(Transaction *transaction, RuleWithActions *ru
bool res = false;
if (input.empty() == true) {
return res;
return res; // cppcheck-suppress knownConditionTrueFalse
}
int rc = validate_url_encoding(input.c_str(), input.size(), &offset);

5
src/operators/validate_utf8_encoding.cc
View File

@ -132,7 +132,6 @@ bool ValidateUtf8Encoding::evaluate(Transaction *transaction, RuleWithActions *r
std::to_string(i) + "\"]");
}
return true;
break;
case UNICODE_ERROR_INVALID_ENCODING :
if (transaction) {
ms_dbg_a(transaction, 8, "Invalid UTF-8 encoding: "
@ -142,7 +141,6 @@ bool ValidateUtf8Encoding::evaluate(Transaction *transaction, RuleWithActions *r
logOffset(ruleMessage, i, str.size());
}
return true;
break;
case UNICODE_ERROR_OVERLONG_CHARACTER :
if (transaction) {
ms_dbg_a(transaction, 8, "Invalid UTF-8 encoding: "
@ -152,7 +150,6 @@ bool ValidateUtf8Encoding::evaluate(Transaction *transaction, RuleWithActions *r
logOffset(ruleMessage, i, str.size());
}
return true;
break;
case UNICODE_ERROR_RESTRICTED_CHARACTER :
if (transaction) {
ms_dbg_a(transaction, 8, "Invalid UTF-8 encoding: "
@ -162,7 +159,6 @@ bool ValidateUtf8Encoding::evaluate(Transaction *transaction, RuleWithActions *r
logOffset(ruleMessage, i, str.size());
}
return true;
break;
case UNICODE_ERROR_DECODING_ERROR :
if (transaction) {
ms_dbg_a(transaction, 8, "Error validating UTF-8 decoding "
@ -171,7 +167,6 @@ bool ValidateUtf8Encoding::evaluate(Transaction *transaction, RuleWithActions *r
logOffset(ruleMessage, i, str.size());
}
return true;
break;
}
if (rc <= 0) {

2
src/operators/verify_cpf.cc
View File

@ -74,7 +74,7 @@ bool VerifyCPF::verify(const char *cpfnumber, int len) {
c = cpf_len;
for (i = 0; i < 9; i++) {
sum += (cpf[i] * --c);
sum += (cpf[i] * --c); // cppcheck-suppress uninitvar
}
factor = (sum % cpf_len);

4
src/operators/verify_svnr.cc
View File

@ -64,7 +64,7 @@ bool VerifySVNR::verify(const char *svnrnumber, int len) {
}
//Laufnummer mit 3, 7, 9
//Geburtsdatum mit 5, 8, 4, 2, 1, 6
sum = svnr[0] * 3 + svnr[1] * 7 + svnr[2] * 9 + svnr[4] * 5 + svnr[5] * 8 + svnr[6] * 4 + svnr[7] * 2 + svnr[8] * 1 + svnr[9] * 6;
sum = svnr[0] * 3 + svnr[1] * 7 + svnr[2] * 9 + svnr[4] * 5 + svnr[5] * 8 + svnr[6] * 4 + svnr[7] * 2 + svnr[8] * 1 + svnr[9] * 6; // cppcheck-suppress uninitvar
sum %= 11;
if(sum == 10){
sum = 0;
@ -84,7 +84,7 @@ bool VerifySVNR::evaluate(Transaction *t, RuleWithActions *rule,
int i;
if (m_param.empty()) {
return is_svnr;
return is_svnr; // cppcheck-suppress knownConditionTrueFalse
}
for (i = 0; i < input.size() - 1 && is_svnr == false; i++) {

9
src/parser/seclang-scanner.cc
View File

@ -4900,13 +4900,14 @@ static std::stack<int> YY_PREVIOUS_STATE;
// The location of the current token.
#line 4902 "seclang-scanner.cc"
#define YY_NO_INPUT 1
#define YY_NO_UNISTD_H 1
#line 494 "seclang-scanner.ll"
// Code run each time a pattern is matched.
# define YY_USER_ACTION driver.loc.back()->columns (yyleng);
#line 4909 "seclang-scanner.cc"
#line 4910 "seclang-scanner.cc"
#line 4911 "seclang-scanner.cc"
#define INITIAL 0
#define EXPECTING_ACTION_PREDICATE_VARIABLE 1
@ -5228,7 +5229,7 @@ YY_DECL
// Code run each time yylex is called.
driver.loc.back()->step();
#line 5232 "seclang-scanner.cc"
#line 5233 "seclang-scanner.cc"
while ( /*CONSTCOND*/1 ) /* loops until end-of-file is reached */
{
@ -8334,7 +8335,7 @@ YY_RULE_SETUP
#line 1340 "seclang-scanner.ll"
ECHO;
YY_BREAK
#line 8338 "seclang-scanner.cc"
#line 8339 "seclang-scanner.cc"
case YY_END_OF_BUFFER:
{
@ -8956,7 +8957,7 @@ static void yy_load_buffer_state (void)
/* %if-c-only */
b->yy_is_interactive = file ? (isatty( fileno(file) ) > 0) : 0;
b->yy_is_interactive = 0;
/* %endif */
/* %if-c++-only */

2
src/parser/seclang-scanner.ll
View File

@ -73,7 +73,7 @@ static std::stack<int> YY_PREVIOUS_STATE;
// The location of the current token.
%}
%option noyywrap nounput batch debug noinput
%option noyywrap nounput batch debug noinput nounistd never-interactive

17
src/request_body_processor/multipart.cc
View File

@ -21,7 +21,12 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#ifndef WIN32
#include <unistd.h>
#else
#include <io.h>
#include "src/compat/msvc.h"
#endif
#include <list>
#include <iostream>
#include <string>
@ -61,12 +66,11 @@ MultipartPartTmpFile::~MultipartPartTmpFile() {
void MultipartPartTmpFile::Open() {
struct tm timeinfo;
char tstr[300];
time_t tt = time(NULL);
localtime_r(&tt, &timeinfo);
memset(tstr, '\0', 300);
char tstr[300] {};
strftime(tstr, 299, "/%Y%m%d-%H%M%S", &timeinfo);
std::string path = m_transaction->m_rules->m_uploadDirectory.m_value;
@ -74,14 +78,23 @@ void MultipartPartTmpFile::Open() {
path += "-file-XXXXXX";
char* tmp = strdup(path.c_str());
#ifndef WIN32
m_tmp_file_fd = mkstemp(tmp);
#else
_mktemp_s(tmp, path.length()+1);
m_tmp_file_fd = _open(tmp, _O_CREAT | _O_EXCL | _O_RDWR);
#endif
m_tmp_file_name.assign(tmp);
free(tmp);
ms_dbg_a(m_transaction, 4, "MultipartPartTmpFile: Create filename= " + m_tmp_file_name);
int mode = m_transaction->m_rules->m_uploadFileMode.m_value;
if ((m_tmp_file_fd != -1) && (mode != 0)) {
#ifndef WIN32
if (fchmod(m_tmp_file_fd, mode) == -1) {
#else
if (_chmod(m_tmp_file_name.c_str(), mode) == -1) {
#endif
m_tmp_file_fd = -1;
}
}

4
src/rule_message.cc
View File

@ -42,8 +42,8 @@ std::string RuleMessage::_details(const RuleMessage *rm) {
msg.append(" [tag \"" + utils::string::toHexIfNeeded(a, true) + "\"]");
}
msg.append(" [hostname \"" + *rm->m_serverIpAddress.get() \
+ "\"]");
msg.append(" [hostname \"" + *rm->m_requestHostName.get() + "\"]");
msg.append(" [uri \"" + utils::string::limitTo(200, *rm->m_uriNoQueryStringDecoded.get()) + "\"]");
msg.append(" [unique_id \"" + *rm->m_id + "\"]");
msg.append(" [ref \"" + utils::string::limitTo(200, rm->m_reference) + "\"]");

100
src/rule_with_actions.cc
View File

@ -17,6 +17,7 @@
#include <stdio.h>
#include <cassert>
#include <algorithm>
#include <iostream>
#include <string>
@ -86,45 +87,51 @@ RuleWithActions::RuleWithActions(
if (actions) {
for (Action *a : *actions) {
if (a->action_kind == Action::ConfigurationKind) {
a->evaluate(this, NULL);
delete a;
} else if (a->action_kind == Action::RunTimeOnlyIfMatchKind) {
if (dynamic_cast<actions::Capture *>(a)) {
m_containsCaptureAction = true;
switch (a->action_kind) {
case Action::ConfigurationKind:
a->evaluate(this, NULL);
delete a;
} else if (dynamic_cast<actions::MultiMatch *>(a)) {
m_containsMultiMatchAction = true;
delete a;
} else if (dynamic_cast<actions::Severity *>(a)) {
m_severity = dynamic_cast<actions::Severity *>(a);
} else if (dynamic_cast<actions::LogData *>(a)) {
m_logData = dynamic_cast<actions::LogData*>(a);
} else if (dynamic_cast<actions::Msg *>(a)) {
m_msg = dynamic_cast<actions::Msg*>(a);
} else if (dynamic_cast<actions::SetVar *>(a)) {
m_actionsSetVar.push_back(
dynamic_cast<actions::SetVar *>(a));
} else if (dynamic_cast<actions::Tag *>(a)) {
m_actionsTag.push_back(dynamic_cast<actions::Tag *>(a));
} else if (dynamic_cast<actions::Block *>(a)) {
m_actionsRuntimePos.push_back(a);
m_containsStaticBlockAction = true;
} else if (a->isDisruptive() == true) {
if (m_disruptiveAction != nullptr) {
delete m_disruptiveAction;
m_disruptiveAction = nullptr;
break;
case Action::RunTimeOnlyIfMatchKind:
if (dynamic_cast<actions::Capture *>(a)) {
m_containsCaptureAction = true;
delete a;
} else if (dynamic_cast<actions::MultiMatch *>(a)) {
m_containsMultiMatchAction = true;
delete a;
} else if (dynamic_cast<actions::Severity *>(a)) {
m_severity = dynamic_cast<actions::Severity *>(a);
} else if (dynamic_cast<actions::LogData *>(a)) {
m_logData = dynamic_cast<actions::LogData*>(a);
} else if (dynamic_cast<actions::Msg *>(a)) {
m_msg = dynamic_cast<actions::Msg*>(a);
} else if (dynamic_cast<actions::SetVar *>(a)) {
m_actionsSetVar.push_back(
dynamic_cast<actions::SetVar *>(a));
} else if (dynamic_cast<actions::Tag *>(a)) {
m_actionsTag.push_back(dynamic_cast<actions::Tag *>(a));
} else if (dynamic_cast<actions::Block *>(a)) {
m_actionsRuntimePos.push_back(a);
m_containsStaticBlockAction = true;
} else if (a->isDisruptive() == true) {
if (m_disruptiveAction != nullptr) {
delete m_disruptiveAction;
m_disruptiveAction = nullptr;
}
m_disruptiveAction = a;
} else {
m_actionsRuntimePos.push_back(a);
}
m_disruptiveAction = a;
} else {
m_actionsRuntimePos.push_back(a);
}
} else {
delete a;
std::cout << "General failure, action: " << a->m_name;
std::cout << " has an unknown type." << std::endl;
throw;
break;
default:
std::cout << "General failure, action: " << a->m_name;
std::cout << " has an unknown type." << std::endl;
delete a;
#ifdef NDEBUG
break;
#else
assert(false);
#endif
}
}
delete actions;
@ -172,9 +179,7 @@ RuleWithActions::~RuleWithActions() {
bool RuleWithActions::evaluate(Transaction *transaction) {
RuleMessage rm(this, transaction);
std::shared_ptr<RuleMessage> rm2 = std::make_shared<RuleMessage>(&rm);
return evaluate(transaction, rm2);
return evaluate(transaction, std::make_shared<RuleMessage>(this, transaction));
}
@ -241,7 +246,7 @@ void RuleWithActions::executeActionsAfterFullMatch(Transaction *trans,
bool containsBlock, std::shared_ptr<RuleMessage> ruleMessage) {
bool disruptiveAlreadyExecuted = false;
for (auto &a : trans->m_rules->m_defaultActions[getPhase()]) {
for (const auto &a : trans->m_rules->m_defaultActions[getPhase()]) { // cppcheck-suppress ctunullpointer
if (a.get()->action_kind != actions::Action::RunTimeOnlyIfMatchKind) {
continue;
}
@ -330,7 +335,7 @@ inline void RuleWithActions::executeTransformation(
std::string newValue = a->evaluate(*oldValue, trans);
if (newValue != *oldValue) {
std::shared_ptr<std::string> u(new std::string(newValue));
auto u = std::make_shared<std::string>(newValue);
if (m_containsMultiMatchAction) {
ret->push_back(std::make_pair(u, a->m_name));
(*nth)++;
@ -355,14 +360,13 @@ void RuleWithActions::executeTransformations(
int none = 0;
int transformations = 0;
std::string path("");
std::shared_ptr<std::string> value =
std::shared_ptr<std::string>(new std::string(in));
auto value = std::make_shared<std::string>(in);
if (m_containsMultiMatchAction == true) {
/* keep the original value */
ret.push_back(std::make_pair(
std::shared_ptr<std::string>(new std::string(*value)),
std::shared_ptr<std::string>(new std::string(path))));
std::make_shared<std::string>(*value),
std::make_shared<std::string>(path)));
}
for (Action *a : m_transformations) {
@ -436,8 +440,8 @@ void RuleWithActions::executeTransformations(
if (!m_containsMultiMatchAction) {
ret.push_back(std::make_pair(
std::shared_ptr<std::string>(new std::string(*value)),
std::shared_ptr<std::string>(new std::string(path))));
std::make_shared<std::string>(*value),
std::make_shared<std::string>(path)));
}
}

11
src/rule_with_operator.cc
View File

@ -92,6 +92,7 @@ void RuleWithOperator::updateMatchedVars(Transaction *trans, const std::string &
void RuleWithOperator::cleanMatchedVars(Transaction *trans) {
ms_dbg_a(trans, 9, "Matched vars cleaned.");
// cppcheck-suppress ctunullpointer
trans->m_variableMatchedVar.unset();
trans->m_variableMatchedVars.unset();
trans->m_variableMatchedVarName.unset();
@ -132,7 +133,7 @@ bool RuleWithOperator::executeOperatorAt(Transaction *trans, const std::string &
void RuleWithOperator::getVariablesExceptions(Transaction *t,
variables::Variables *exclusion, variables::Variables *addition) {
for (auto &a : t->m_rules->m_exceptions.m_variable_update_target_by_tag) {
for (const auto &a : t->m_rules->m_exceptions.m_variable_update_target_by_tag) { // cppcheck-suppress ctunullpointer
if (containsTag(*a.first.get(), t) == false) {
continue;
}
@ -146,7 +147,7 @@ void RuleWithOperator::getVariablesExceptions(Transaction *t,
}
}
for (auto &a : t->m_rules->m_exceptions.m_variable_update_target_by_msg) {
for (const auto &a : t->m_rules->m_exceptions.m_variable_update_target_by_msg) {
if (containsMsg(*a.first.get(), t) == false) {
continue;
}
@ -160,7 +161,7 @@ void RuleWithOperator::getVariablesExceptions(Transaction *t,
}
}
for (auto &a : t->m_rules->m_exceptions.m_variable_update_target_by_id) {
for (const auto &a : t->m_rules->m_exceptions.m_variable_update_target_by_id) {
if (m_ruleId != a.first) {
continue;
}
@ -316,8 +317,8 @@ bool RuleWithOperator::evaluate(Transaction *trans,
if (ret == true) {
ruleMessage->m_match = m_operator->resolveMatchMessage(trans,
key, value);
for (auto &i : v->getOrigin()) {
ruleMessage->m_reference.append(i->toText());
for (const auto &i : v->getOrigin()) {
ruleMessage->m_reference.append(i.toText());
}
ruleMessage->m_reference.append(*valueTemp.second);

8
src/rules_set_properties.cc
View File

@ -19,6 +19,10 @@
#include "src/utils/string.h"
#include "src/variables/variable.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
@ -98,8 +102,8 @@ void ConfigUnicodeMap::loadConfig(std::string f, double configCodePage,
if (mapping != NULL) {
ucode = strtok_r(mapping, ":", &hmap);
sscanf(ucode, "%x", &code);
sscanf(hmap, "%x", &Map);
sscanf(ucode, "%x", &code); // cppcheck-suppress invalidScanfArgType_int
sscanf(hmap, "%x", &Map); // cppcheck-suppress invalidScanfArgType_int
if (code >= 0 && code <= 65535) {
driver->m_unicodeMapTable.m_unicodeMapTable->change(code, Map);
}

53
src/transaction.cc
View File

@ -53,6 +53,9 @@
#include "src/actions/disruptive/allow.h"
#include "src/variables/remote_user.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
using modsecurity::actions::Action;
@ -104,6 +107,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, void *logCbData)
m_clientIpAddress(std::make_shared<std::string>("")),
m_httpVersion(""),
m_serverIpAddress(std::make_shared<std::string>("")),
m_requestHostName(std::make_shared<std::string>("")),
m_uri(""),
m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
m_ARGScombinedSizeDouble(0),
@ -180,6 +184,7 @@ Transaction::Transaction(ModSecurity *ms, RulesSet *rules, char *id, void *logCb
m_clientIpAddress(std::make_shared<std::string>("")),
m_httpVersion(""),
m_serverIpAddress(std::make_shared<std::string>("")),
m_requestHostName(std::make_shared<std::string>("")),
m_uri(""),
m_uri_no_query_string_decoded(std::make_shared<std::string>("")),
m_ARGScombinedSizeDouble(0),
@ -316,6 +321,7 @@ int Transaction::processConnection(const char *client, int cPort,
const char *server, int sPort) {
m_clientIpAddress = std::unique_ptr<std::string>(new std::string(client));
m_serverIpAddress = std::unique_ptr<std::string>(new std::string(server));
m_requestHostName = std::unique_ptr<std::string>(new std::string(server));
this->m_clientPort = cPort;
this->m_serverPort = sPort;
ms_dbg(4, "Transaction context created.");
@ -2355,5 +2361,52 @@ extern "C" int msc_update_status_code(Transaction *transaction, int status) {
}
/**
* @name setRequestHostName
* @brief Set request's host name
*
* With this method it is possible to set the request's hostname.
*
* @note This function expects a NULL terminated string.
*
* @param hostname hostname.
*
* @returns If the operation was successful or not.
* @retval true Operation was successful.
* @retval false Operation failed.
*
*/
int Transaction::setRequestHostName(const std::string& hostname) {
if (hostname != "") {
m_requestHostName = std::unique_ptr<std::string>(new std::string(hostname));
}
return true;
}
/**
* @name msc_set_request_hostname
* @brief Set request's host name
*
* With this method it is possible to set request's hostname.
*
* @note This function expects a NULL terminated string.
*
* @param transaction ModSecurity transaction.
* @param hostname hostname.
*
* @returns If the operation was successful or not.
* @retval 1 Operation was successful.
* @retval 0 Operation failed.
*
*/
extern "C" int msc_set_request_hostname(Transaction *transaction,
const unsigned char *hostname) {
return transaction->setRequestHostName(reinterpret_cast<const char *>(hostname));
}
} // namespace modsecurity

9
src/unique_id.cc
View File

@ -17,7 +17,8 @@
#include "src/config.h"
#ifdef WIN32
#include <winsock2.h>
#include "src/compat/msvc.h"
#include <WinSock2.h>
#include <iphlpapi.h>
#endif
@ -48,7 +49,11 @@
#endif
#include <stdio.h>
#ifndef WIN32
#include <unistd.h>
#else
#include <io.h>
#endif
#include <string.h>
#include "src/utils/sha1.h"
@ -207,7 +212,7 @@ std::string UniqueId::ethernetMacAddress() {
pAdapter = pAdapterInfo;
while (pAdapter && !mac[0] && !mac[1] && !mac[2]) {
if (pAdapter->AddressLength > 4) {
apr_snprintf(mac, MAC_ADDRESS_SIZE, "%02x:%02x:%02x:%02x:%02x:%02x",
snprintf(mac, MAC_ADDRESS_SIZE, "%02x:%02x:%02x:%02x:%02x:%02x",
(unsigned char)pAdapter->Address[0],
(unsigned char)pAdapter->Address[1],
(unsigned char)pAdapter->Address[2],

5
src/utils/geo_lookup.cc
View File

@ -13,10 +13,13 @@
*
*/
#ifndef WIN32
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#else
#include <WinSock2.h>
#endif
#include <string>
#include <fstream>

9
src/utils/https_client.cc
View File

@ -20,10 +20,14 @@
#include <curl/curl.h>
#endif
#ifndef WIN32
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#else
#include <WinSock2.h>
#endif
#include <string>
#include <fstream>
@ -94,6 +98,11 @@ bool HttpsClient::download(const std::string &uri) {
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
#ifdef WIN32
/* use the operating system's native CA store for certificate verification.*/
curl_easy_setopt(curl, CURLOPT_SSL_OPTIONS, (long)CURLSSLOPT_NATIVE_CA);
#endif
/* send all data to this function */
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &HttpsClient::handle);

4
src/utils/ip_tree.cc
View File

@ -15,10 +15,14 @@
#include "src/utils/ip_tree.h"
#ifndef WIN32
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#else
#include <WinSock2.h>
#endif
#include <string>
#include <fstream>

2
src/utils/md5.cc
View File

@ -1,7 +1,7 @@
#include "src/utils/md5.h"
#include "others/mbedtls/md5.h"
#include "mbedtls/md5.h"
namespace modsecurity {
namespace Utils {

6
src/utils/msc_tree.cc
View File

@ -15,9 +15,15 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifndef WIN32
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#else
#include "src/compat/msvc.h"
#include <WinSock2.h>
#include <WS2tcpip.h>
#endif
#include "src/utils/msc_tree.h"

2
src/utils/sha1.cc
View File

@ -15,7 +15,7 @@
#include "src/utils/sha1.h"
#include "others/mbedtls/sha1.h"
#include "mbedtls/sha1.h"
#include <fstream>
#include <iostream>
#include <cstring>

227
src/utils/shared_files.cc
View File

@ -15,236 +15,103 @@
#include "src/utils/shared_files.h"
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#ifdef WIN32
#include <windows.h>
#include <io.h>
#endif
#include <utility>
#include <fstream>
#include <string>
namespace modsecurity {
namespace utils {
std::pair<msc_file_handler *, FILE *> SharedFiles::find_handler(
const std::string &fileName) {
for (const auto &i : m_handlers) {
if (i.first == fileName) {
return i.second;
}
}
return std::pair<modsecurity::utils::msc_file_handler *,
FILE *>(NULL, NULL);
}
std::pair<msc_file_handler *, FILE *> SharedFiles::add_new_handler(
SharedFiles::handlers_map::iterator SharedFiles::add_new_handler(
const std::string &fileName, std::string *error) {
int shm_id;
int ret;
key_t mem_key_structure;
msc_file_handler_t *new_debug_log = NULL;
struct shmid_ds shared_mem_info;
FILE *fp;
bool toBeCreated = true;
fp = fopen(fileName.c_str(), "a");
FILE *fp = fopen(fileName.c_str(), "a");
if (fp == 0) {
error->assign("Failed to open file: " + fileName);
goto err_fh;
return m_handlers.end();
}
mem_key_structure = ftok(fileName.c_str(), 1);
if (mem_key_structure < 0) {
error->assign("Failed to select key for the shared memory (1): ");
error->append(strerror(errno));
goto err_mem_key;
}
shm_id = shmget(mem_key_structure, sizeof (msc_file_handler_t) \
+ fileName.size() + 1, IPC_CREAT | IPC_EXCL | 0666);
if (shm_id < 0) {
shm_id = shmget(mem_key_structure, sizeof (msc_file_handler_t)
+ fileName.size() + 1, IPC_CREAT | 0666);
toBeCreated = false;
if (shm_id < 0) {
error->assign("Failed to allocate shared memory (1): ");
error->append(strerror(errno));
goto err_shmget1;
}
}
ret = shmctl(shm_id, IPC_STAT, &shared_mem_info);
if (ret < 0) {
error->assign("Failed to get information on shared memory (1): ");
error->append(strerror(errno));
goto err_shmctl1;
}
new_debug_log = reinterpret_cast<msc_file_handler_t *>(
shmat(shm_id, NULL, 0));
if ((reinterpret_cast<char *>(new_debug_log)[0]) == -1) {
error->assign("Failed to attach shared memory (1): ");
error->append(strerror(errno));
goto err_shmat1;
}
if (toBeCreated == false && shared_mem_info.shm_nattch == 0) {
toBeCreated = true;
}
if (toBeCreated) {
memset(new_debug_log, '\0', sizeof(msc_file_handler_t));
new_debug_log->shm_id_structure = shm_id;
memcpy(new_debug_log->file_name, fileName.c_str(), fileName.size());
new_debug_log->file_name[fileName.size()] = '\0';
}
m_handlers.push_back(std::make_pair(fileName,
std::make_pair(new_debug_log, fp)));
return std::make_pair(new_debug_log, fp);
err_shmat1:
shmdt(new_debug_log);
err_shmctl1:
err_shmget1:
err_mem_key:
fclose(fp);
err_fh:
return std::pair<modsecurity::utils::msc_file_handler *,
FILE *>(NULL, NULL);
return m_handlers.insert({ fileName, {fp, 0} }).first;
}
bool SharedFiles::open(const std::string& fileName, std::string *error) {
std::pair<msc_file_handler *, FILE *> a;
bool ret = true;
#if MODSEC_USE_GENERAL_LOCK
pthread_mutex_lock(m_generalLock);
#endif
a = find_handler(fileName);
if (a.first == NULL) {
a = add_new_handler(fileName, error);
if (error->size() > 0) {
ret = false;
goto out;
}
auto it = m_handlers.find(fileName);
if (it == m_handlers.end()) {
it = add_new_handler(fileName, error);
if (error->size() > 0)
return false;
}
if (a.first == NULL) {
if (it == m_handlers.end()) {
error->assign("Not able to open: " + fileName);
ret = false;
goto out;
return false;
}
out:
#if MODSEC_USE_GENERAL_LOCK
pthread_mutex_unlock(m_generalLock);
#endif
it->second.cnt++;
return ret;
return true;
}
void SharedFiles::close(const std::string& fileName) {
std::pair<msc_file_handler *, FILE *> a;
/* int ret; */
/* int shm_id; */
/* struct shmid_ds shared_mem_info; */
/* int j = 0; */
if (fileName.empty())
return;
#if MODSEC_USE_GENERAL_LOCK
pthread_mutex_lock(m_generalLock);
#endif
auto it = m_handlers.find(fileName);
if (it == m_handlers.end())
return;
if (fileName.empty()) {
goto out;
it->second.cnt--;
if (it->second.cnt == 0)
{
fclose(it->second.fp);
m_handlers.erase(it);
}
a = find_handler(fileName);
if (a.first == NULL || a.second == NULL) {
goto out;
}
/* fclose(a.second); */
a.second = 0;
/*
* Delete the file structure will be welcomed, but we cannot delay
* while the process is being killed.
*
for (std::pair<std::string,
std::pair<msc_file_handler *, FILE *>> i : m_handlers) {
if (i.first == fileName) {
j++;
}
}
m_handlers.erase(m_handlers.begin()+j);
*/
/* hmdt(a.second); */
shmctl(a.first->shm_id_structure, IPC_RMID, NULL);
/*
*
* We could check to see how many process attached to the shared memory
* we have, prior to the deletion of the shared memory.
*
ret = shmctl(a.first->shm_id_structure, IPC_STAT, &shared_mem_info);
if (ret < 0) {
goto out;
}
ret = shared_mem_info.shm_nattch;
shm_id = a.first->shm_id_structure;
*/
out:
#if MODSEC_USE_GENERAL_LOCK
pthread_mutex_unlock(m_generalLock);
#endif
return;
}
bool SharedFiles::write(const std::string& fileName,
const std::string &msg, std::string *error) {
std::pair<msc_file_handler *, FILE *> a;
std::string lmsg = msg;
size_t wrote;
struct flock lock{};
bool ret = true;
a = find_handler(fileName);
if (a.first == NULL) {
auto it = m_handlers.find(fileName);
if (it == m_handlers.end()) {
error->assign("file is not open: " + fileName);
return false;
}
//Exclusively lock whole file
#ifndef WIN32
struct flock lock {};
lock.l_start = lock.l_len = lock.l_whence = 0;
lock.l_type = F_WRLCK;
fcntl(fileno(a.second), F_SETLKW, &lock);
fcntl(fileno(it->second.fp), F_SETLKW, &lock);
#else
auto handle = reinterpret_cast<HANDLE>(_get_osfhandle(fileno(it->second.fp)));
OVERLAPPED overlapped = { 0 };
::LockFileEx(handle, LOCKFILE_EXCLUSIVE_LOCK, 0, MAXDWORD, MAXDWORD, &overlapped);
#endif
wrote = fwrite(lmsg.c_str(), 1, lmsg.size(), a.second);
auto wrote = fwrite(msg.c_str(), 1, msg.size(), it->second.fp);
if (wrote < msg.size()) {
error->assign("failed to write: " + fileName);
ret = false;
}
fflush(a.second);
fflush(it->second.fp);
//Remove exclusive lock
#ifndef WIN32
lock.l_type = F_UNLCK;
fcntl(fileno(a.second), F_SETLKW, &lock);
fcntl(fileno(it->second.fp), F_SETLKW, &lock);
#else
overlapped = { 0 };
::UnlockFileEx(handle, 0, MAXDWORD, MAXDWORD, &overlapped);
#endif
return ret;
}

119
src/utils/shared_files.h
View File

@ -17,45 +17,18 @@
#define SRC_UTILS_SHARED_FILES_H_
#include <errno.h>
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <utility>
#include <vector>
#include <fstream>
#include <unordered_map>
#include <string>
#include "modsecurity/transaction.h"
#include "modsecurity/audit_log.h"
/**
* Not using this critical section yet.
*
*/
/* #define MODSEC_USE_GENERAL_LOCK */
namespace modsecurity {
namespace utils {
typedef struct msc_file_handler {
int shm_id_structure;
char file_name[];
} msc_file_handler_t;
class SharedFiles {
public:
public:
bool open(const std::string& fileName, std::string *error);
void close(const std::string& fileName);
bool write(const std::string& fileName, const std::string &msg,
@ -66,86 +39,28 @@ class SharedFiles {
return instance;
}
protected:
std::pair<msc_file_handler *, FILE *> find_handler(
const std::string &fileName);
std::pair<msc_file_handler *, FILE *> add_new_handler(
const std::string &fileName, std::string *error);
private:
SharedFiles()
#ifdef MODSEC_USE_GENERAL_LOCK
: m_generalLock(NULL),
m_memKeyStructure(0)
#endif
{
#ifdef MODSEC_USE_GENERAL_LOCK
int shm_id;
bool toBeCreated(false);
bool err = false;
m_memKeyStructure = ftok(".", 1);
if (m_memKeyStructure < 0) {
err = true;
goto err_mem_key;
}
shm_id = shmget(m_memKeyStructure, sizeof(pthread_mutex_t),
IPC_CREAT | IPC_EXCL | 0666);
if (shm_id < 0) {
shm_id = shmget(m_memKeyStructure, sizeof(pthread_mutex_t),
IPC_CREAT | 0666);
toBeCreated = false;
if (shm_id < 0) {
err = true;
goto err_shmget1;
}
}
m_generalLock = reinterpret_cast<pthread_mutex_t *>(
shmat(shm_id, NULL, 0));
if ((reinterpret_cast<char *>(m_generalLock)[0]) == -1) {
err = true;
goto err_shmat1;
}
if (toBeCreated) {
memset(m_generalLock, '\0', sizeof(pthread_mutex_t));
pthread_mutex_init(m_generalLock, NULL);
pthread_mutex_unlock(m_generalLock);
}
if (err) {
err_mem_key:
std::cerr << strerror(errno) << std::endl;
err_shmget1:
std::cerr << "err_shmget1" << std::endl;
err_shmat1:
std::cerr << "err_shmat1" << std::endl;
}
#endif
}
~SharedFiles() {
#if MODSEC_USE_GENERAL_LOCK
shmdt(m_generalLock);
shmctl(m_memKeyStructure, IPC_RMID, NULL);
#endif
}
private:
SharedFiles() = default;
~SharedFiles() = default;
// C++ 03
// ========
// Dont forget to declare these two. You want to make sure they
// are unacceptable otherwise you may accidentally get copies of
// your singleton appearing.
SharedFiles(SharedFiles const&);
void operator=(SharedFiles const&);
SharedFiles(SharedFiles const&) = delete;
void operator=(SharedFiles const&) = delete;
std::vector<std::pair<std::string,
std::pair<msc_file_handler *, FILE *>>> m_handlers;
#if MODSEC_USE_GENERAL_LOCK
pthread_mutex_t *m_generalLock;
key_t m_memKeyStructure;
#endif
struct handler_info {
FILE* fp;
unsigned int cnt;
};
using handlers_map = std::unordered_map<std::string, handler_info>;
handlers_map m_handlers;
handlers_map::iterator add_new_handler(
const std::string &fileName, std::string *error);
};

5
src/utils/string.cc
View File

@ -17,11 +17,6 @@
#include <stdlib.h>
#include <stddef.h>
#include <string.h>
#ifdef __OpenBSD__
#include <glob.h>
#else
#include <wordexp.h>
#endif
#include <stdint.h>
#include <inttypes.h>

77
src/utils/system.cc
View File

@ -19,6 +19,9 @@
#include <string.h>
#ifdef __OpenBSD__
#include <glob.h>
#elif defined(WIN32)
#include "Poco/Glob.h"
#include <algorithm>
#else
#include <wordexp.h>
#endif
@ -31,6 +34,7 @@
#include <vector>
#if defined _MSC_VER
#include "src/compat/msvc.h"
#include <direct.h>
#elif defined __GNUC__
#include <sys/types.h>
@ -40,6 +44,36 @@
#include "src/utils/system.h"
#include "src/config.h"
#ifdef WIN32
// Public domain code from mingw-w64's winpthreads
// https://sourceforge.net/p/mingw-w64/code/HEAD/tree/trunk/mingw-w64-libraries/winpthreads/src/clock.c
//
#define CLOCK_PROCESS_CPUTIME_ID 2
#define POW10_7 10000000
// NOTE: includes only CLOCK_PROCESS_CPUTIME_ID implementation, ignores clock_id argument
static int clock_gettime(int clock_id, struct timespec *tp)
{
unsigned __int64 t;
LARGE_INTEGER pf, pc;
union {
unsigned __int64 u64;
FILETIME ft;
} ct, et, kt, ut;
if(0 == GetProcessTimes(GetCurrentProcess(), &ct.ft, &et.ft, &kt.ft, &ut.ft))
return -1;
t = kt.u64 + ut.u64;
tp->tv_sec = t / POW10_7;
tp->tv_nsec = ((int) (t % POW10_7)) * 100;
return 0;
}
#endif
namespace modsecurity {
namespace utils {
@ -64,19 +98,15 @@ double cpu_seconds(void) {
std::string find_resource(const std::string& resource,
const std::string& config, std::string *err) {
std::ifstream *iss;
err->assign("Looking at: ");
// Trying absolute or relative to the current dir.
iss = new std::ifstream(resource, std::ios::in);
if (iss->is_open()) {
iss->close();
delete iss;
auto iss = std::ifstream(resource, std::ios::in);
if (iss.is_open()) {
return resource;
} else {
err->append("'" + resource + "', ");
}
delete iss;
// What about `*' ?
if (utils::expandEnv(resource, 0).size() > 0) {
@ -87,15 +117,12 @@ std::string find_resource(const std::string& resource,
// Trying the same path of the configuration file.
std::string f = get_path(config) + "/" + resource;
iss = new std::ifstream(f, std::ios::in);
if (iss->is_open()) {
iss->close();
delete iss;
iss = std::ifstream(f, std::ios::in);
if (iss.is_open()) {
return f;
} else {
err->append("'" + f + "', ");
}
delete iss;
// What about `*' ?
if (utils::expandEnv(f, 0).size() > 0) {
@ -122,8 +149,16 @@ std::string get_path(const std::string& file) {
std::list<std::string> expandEnv(const std::string& var, int flags) {
std::list<std::string> vars;
#ifdef __OpenBSD__
#ifdef WIN32
// NOTE: align scopes with if & if in other versions
{
{
std::set<std::string> files;
Poco::Glob::glob(var, files);
for(auto file : files) {
std::replace(file.begin(), file.end(), '\\', '/'); // preserve unix-like paths
const char* exp[] = { file.c_str() };
#elif defined(__OpenBSD__)
glob_t p;
if (glob(var.c_str(), flags, NULL, &p) == false) {
if (p.gl_pathc) {
@ -135,15 +170,13 @@ std::list<std::string> expandEnv(const std::string& var, int flags) {
if (p.we_wordc) {
for (char** exp = p.we_wordv; *exp; ++exp) {
#endif
std::ifstream *iss = new std::ifstream(exp[0], std::ios::in);
if (iss->is_open()) {
iss->close();
auto iss = std::ifstream(exp[0], std::ios::in);
if (iss.is_open())
vars.push_back(exp[0]);
}
delete iss;
}
}
#ifdef __OpenBSD__
#ifdef WIN32
#elif defined(__OpenBSD__)
globfree(&p);
#else
wordfree(&p);
@ -153,7 +186,13 @@ std::list<std::string> expandEnv(const std::string& var, int flags) {
}
bool createDir(const std::string& dir, int mode, std::string *error) {
#ifndef WIN32
int ret = mkdir(dir.data(), mode);
#else
if (dir == ".")
return true;
int ret = _mkdir(dir.c_str());
#endif
if (ret != 0 && errno != EEXIST) {
error->assign("Not able to create directory: " + dir + ": " \
+ strerror(errno) + ".");

2
src/utils/system.h
View File

@ -13,8 +13,6 @@
*
*/
#include <ctime>
#include <iostream>
#include <string>
#include <list>

20
src/variables/env.cc
View File

@ -25,9 +25,15 @@
#include <utility>
#include <map>
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
#include "modsecurity/transaction.h"
#ifndef WIN32
extern char **environ;
#endif
namespace modsecurity {
namespace variables {
@ -47,12 +53,20 @@ void Env::evaluate(Transaction *transaction,
transaction->m_variableEnvs.insert(a);
}
const auto hasName = m_name.length() > 0;
for (auto& x : transaction->m_variableEnvs) {
if (x.first != m_name && m_name.length() > 0) {
#ifndef WIN32
if (hasName && x.first != m_name) {
#else
if (hasName && strcasecmp(x.first.c_str(), m_name.c_str()) != 0) {
#endif
continue;
}
if (!m_keyExclusion.toOmit(x.first)) {
l->push_back(new VariableValue(&m_collectionName, &x.first,
// (Windows) we need to keep the case from the rule in case that from
// the environment differs.
const auto &key = hasName ? m_name : x.first;
if (!m_keyExclusion.toOmit(key)) {
l->push_back(new VariableValue(&m_collectionName, &key,
&x.second));
}
}

73
src/variables/remote_user.cc
View File

@ -39,50 +39,41 @@ namespace variables {
void RemoteUser::evaluate(Transaction *transaction,
RuleWithActions *rule,
std::vector<const VariableValue *> *l) {
size_t pos;
std::string base64;
VariableValue *var;
std::string header;
std::vector<const VariableValue *> l2;
std::vector<const VariableValue *> *l2 = \
new std::vector<const VariableValue *>();
transaction->m_variableRequestHeaders.resolve("authorization", l2);
transaction->m_variableRequestHeaders.resolve("authorization", &l2);
if (l2->size() < 1) {
goto clear;
if (!l2.empty()) {
const auto *v = l2[0];
const auto &header = v->getValue();
std::string base64;
if (header.compare(0, 6, "Basic ") == 0) {
base64 = std::string(header, 6, header.length());
}
base64 = Utils::Base64::decode(base64);
const auto pos = base64.find(":");
if (pos != std::string::npos) {
transaction->m_variableRemoteUser.assign(std::string(base64, 0, pos));
auto var = std::make_unique<VariableValue>(&v->getKeyWithCollection(),
&transaction->m_variableRemoteUser);
var->reserveOrigin(v->getOrigin().size());
for (const auto &i : v->getOrigin()) {
var->addOrigin(i);
}
l->push_back(var.release());
}
for (auto &a : l2) {
delete a;
}
}
header = std::string(l2->at(0)->getValue());
if (header.compare(0, 6, "Basic ") == 0) {
base64 = std::string(header, 6, header.length());
}
base64 = Utils::Base64::decode(base64);
pos = base64.find(":");
if (pos == std::string::npos) {
goto clear;
}
transaction->m_variableRemoteUser.assign(std::string(base64, 0, pos));
var = new VariableValue(&l2->at(0)->getKeyWithCollection(),
&transaction->m_variableRemoteUser);
for (const auto &i : l2->at(0)->getOrigin()) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
origin->m_offset = i->m_offset;
origin->m_length = i->m_length;
var->addOrigin(std::move(origin));
}
l->push_back(var);
clear:
for (auto &a : *l2) {
delete a;
}
l2->clear();
delete l2;
}

25
src/variables/rule.h
View File

@ -49,15 +49,12 @@ class Rule_DictElement : public VariableDictElement { \
if (!r || r->m_ruleId == 0) {
return;
}
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
std::string *a = new std::string(std::to_string(r->m_ruleId));
VariableValue *var = new VariableValue(&m_rule, &m_rule_id,
a
);
delete a;
origin->m_offset = 0;
origin->m_length = 0;
var->addOrigin(std::move(origin));
var->addOrigin();
l->push_back(var);
}
@ -75,15 +72,12 @@ class Rule_DictElement : public VariableDictElement { \
return;
}
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
std::string *a = new std::string(r->m_rev);
VariableValue *var = new VariableValue(&m_rule, &m_rule_rev,
a
);
delete a;
origin->m_offset = 0;
origin->m_length = 0;
var->addOrigin(std::move(origin));
var->addOrigin();
l->push_back(var);
}
@ -98,15 +92,12 @@ class Rule_DictElement : public VariableDictElement { \
}
if (r && r->hasSeverity()) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
std::string *a = new std::string(std::to_string(r->severity()));
VariableValue *var = new VariableValue(&m_rule, &m_rule_severity,
a
);
delete a;
origin->m_offset = 0;
origin->m_length = 0;
var->addOrigin(std::move(origin));
var->addOrigin();
l->push_back(var);
}
}
@ -122,15 +113,12 @@ class Rule_DictElement : public VariableDictElement { \
}
if (r && r->hasLogData()) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
std::string *a = new std::string(r->logData(t));
VariableValue *var = new VariableValue(&m_rule, &m_rule_logdata,
a
);
delete a;
origin->m_offset = 0;
origin->m_length = 0;
var->addOrigin(std::move(origin));
var->addOrigin();
l->push_back(var);
}
}
@ -145,15 +133,12 @@ class Rule_DictElement : public VariableDictElement { \
}
if (r && r->hasMsg()) {
std::unique_ptr<VariableOrigin> origin(new VariableOrigin());
std::string *a = new std::string(r->msg(t));
VariableValue *var = new VariableValue(&m_rule, &m_rule_msg,
a
);
delete a;
origin->m_offset = 0;
origin->m_length = 0;
var->addOrigin(std::move(origin));
var->addOrigin();
l->push_back(var);
}
}

4
src/variables/time.cc
View File

@ -30,6 +30,10 @@
#include "modsecurity/transaction.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace variables {

4
src/variables/time_day.cc
View File

@ -30,6 +30,10 @@
#include "modsecurity/transaction.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace variables {

4
src/variables/time_hour.cc
View File

@ -30,6 +30,10 @@
#include "modsecurity/transaction.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace variables {

4
src/variables/time_min.cc
View File

@ -30,6 +30,10 @@
#include "modsecurity/transaction.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace variables {

4
src/variables/time_mon.cc
View File

@ -30,6 +30,10 @@
#include "modsecurity/transaction.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace variables {

4
src/variables/time_sec.cc
View File

@ -30,6 +30,10 @@
#include "modsecurity/transaction.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace variables {

4
src/variables/time_wday.cc
View File

@ -30,6 +30,10 @@
#include "modsecurity/transaction.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace variables {

4
src/variables/time_year.cc
View File

@ -30,6 +30,10 @@
#include "modsecurity/transaction.h"
#ifdef WIN32
#include "src/compat/msvc.h"
#endif
namespace modsecurity {
namespace variables {

2
test/benchmark/basic_rules.conf
View File

@ -1,5 +1,3 @@
Include "../../modsecurity.conf-recommended"
Include "owasp-v3/crs-setup.conf.example"
Include "owasp-v3/rules/*.conf"

53
test/benchmark/download-owasp-v2-rules.sh
View File

@ -1,53 +0,0 @@
#!/bin/bash
#
#
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git owasp-v2
echo 'Include "owasp-v2/base_rules/*.conf"' >> basic_rules.conf
echo 'Include "owasp-v2/optional_rules/*.conf"' >> basic_rules.conf
echo 'Include "owasp-v2/experimental_rules/*.conf"' >> basic_rules.conf
echo 'Include "owasp-v2/slr_rules/modsecurity_crs_46_slr_et_xss_attacks.conf"' >> basic_rules.conf
echo 'Include "owasp-v2/slr_rules/modsecurity_crs_46_slr_et_sqli_attacks.conf"' >> basic_rules.conf
echo 'Include "owasp-v2/slr_rules/modsecurity_crs_46_slr_et_rfi_attacks.conf"' >> basic_rules.conf
# Content injection not support in modsec v3
rm owasp-v2/optional_rules/modsecurity_crs_43_csrf_protection.conf
# Slow dos is not yet supported
rm owasp-v2/experimental_rules/modsecurity_crs_11_slow_dos_protection.conf
# WEBSERVER_ERROR_LOG is not supported in v3.
cat owasp-v2/base_rules/modsecurity_crs_20_protocol_violations.conf | sed 's/SecRule WEBSERVER_ERROR_LOG/#SecRule WEBSERVER_ERROR_LOG/g' > owasp-v2/base_rules/modsecurity_crs_20_protocol_violations.conf.tmp
mv owasp-v2/base_rules/modsecurity_crs_20_protocol_violations.conf.tmp owasp-v2/base_rules/modsecurity_crs_20_protocol_violations.conf
# Apache specific configuration.
cat owasp-v2/optional_rules/modsecurity_crs_49_header_tagging.conf | sed 's/RequestHeader/#RequestHeader/g' > owasp-v2/optional_rules/modsecurity_crs_49_header_tagging.conf.tmp
mv owasp-v2/optional_rules/modsecurity_crs_49_header_tagging.conf.tmp owasp-v2/optional_rules/modsecurity_crs_49_header_tagging.conf
cat owasp-v2/optional_rules/modsecurity_crs_55_application_defects.conf | sed 's/Header edit/#Header edit/g' > owasp-v2/optional_rules/modsecurity_crs_55_application_defects.conf.tmp
mv owasp-v2/optional_rules/modsecurity_crs_55_application_defects.conf.tmp owasp-v2/optional_rules/modsecurity_crs_55_application_defects.conf
cat owasp-v2/experimental_rules/modsecurity_crs_42_csp_enforcement.conf | sed 's/Header set/#Header set/g' > owasp-v2/experimental_rules/modsecurity_crs_42_csp_enforcement.conf.tmp
mv owasp-v2/experimental_rules/modsecurity_crs_42_csp_enforcement.conf.tmp owasp-v2/experimental_rules/modsecurity_crs_42_csp_enforcement.conf
# Disables SecGeoLookupDb
cat owasp-v2/experimental_rules/modsecurity_crs_61_ip_forensics.conf | sed 's/SecGeoLookupDb/#SecGeoLookupDb/g' > owasp-v2/experimental_rules/modsecurity_crs_61_ip_forensics.conf.tmp
mv owasp-v2/experimental_rules/modsecurity_crs_61_ip_forensics.conf.tmp owasp-v2/experimental_rules/modsecurity_crs_61_ip_forensics.conf
cat owasp-v2/experimental_rules/modsecurity_crs_11_proxy_abuse.conf | sed 's/SecGeoLookupDb/#SecGeoLookupDb/g' > owasp-v2/experimental_rules/modsecurity_crs_11_proxy_abuse.conf.tmp
mv owasp-v2/experimental_rules/modsecurity_crs_11_proxy_abuse.conf.tmp owasp-v2/experimental_rules/modsecurity_crs_11_proxy_abuse.conf
# STREAM_OUTPUT_BODY is not supported
cat owasp-v2/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf | sed 's/SecRule STREAM_OUTPUT_BODY/#SecRule STREAM_OUTPUT_BODY/g' > owasp-v2/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf.tmp
mv owasp-v2/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf.tmp owasp-v2/experimental_rules/modsecurity_crs_40_appsensor_detection_point_2.9_honeytrap.conf
echo "Done."

6
test/benchmark/download-owasp-v3-rules.sh
View File

@ -1,10 +1,6 @@
#!/bin/bash
git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git owasp-v3
cd owasp-v3
git checkout v3.0.2 -b tag3.0.2
cd -
git clone -c advice.detachedHead=false --depth 1 --branch v3.0.2 https://github.com/coreruleset/coreruleset.git owasp-v3
echo 'Include "owasp-v3/crs-setup.conf.example"' >> basic_rules.conf
echo 'Include "owasp-v3/rules/*.conf"' >> basic_rules.conf

9
test/benchmark/download-owasp-v4-rules.sh Executable file
View File

@ -0,0 +1,9 @@
#!/bin/bash
git clone -c advice.detachedHead=false --depth 1 --branch v4.3.0 https://github.com/coreruleset/coreruleset.git owasp-v4
echo 'Include "owasp-v4/crs-setup.conf.example"' >> basic_rules.conf
echo 'Include "owasp-v4/rules/*.conf"' >> basic_rules.conf
echo "Done."

Some files were not shown because too many files have changed in this diff Show More