github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-16 07:56:12 +03:00
Code Issues Packages Projects Releases Wiki Activity

Improves the CA validation

Browse Source 
On IIS CA validation was not working as libcurl on windows does not look for a
certificate store, unless it is specified. The resource downloads are now
respecting the SecRemoteRulesFailAction.
This commit is contained in:
Felipe Zimmerle 2014-11-17 04:16:29 -08:00
parent b02256cf1e
commit 9fe72b72de
9 changed files with 3969 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
apache2/apache2_config.c
View File

@ -2217,7 +2217,6 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
{ {
directory_config *dcfg = (directory_config *)_dcfg; directory_config *dcfg = (directory_config *)_dcfg;
if (dcfg == NULL) return NULL; if (dcfg == NULL) return NULL;
#ifdef WITH_REMOTE_RULES_SUPPORT
if (strncasecmp(p1, "warn", 4) == 0) if (strncasecmp(p1, "warn", 4) == 0)
{ {
remote_rules_fail_action = REMOTE_RULES_WARN_ON_FAIL; remote_rules_fail_action = REMOTE_RULES_WARN_ON_FAIL;
@ -2231,10 +2230,6 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \ return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
"SecRemoteRulesFailAction, expected: Abort or Warn."); "SecRemoteRulesFailAction, expected: Abort or Warn.");
} }
#else
return apr_psprintf(cmd->pool, "ModSecurity: " \
"SecRemoteRules: ModSecurity was not compiled with such functionality.");
#endif
return NULL; return NULL;
} }

2
apache2/mod_security2.c
View File

@ -70,8 +70,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
#ifdef WITH_REMOTE_RULES_SUPPORT #ifdef WITH_REMOTE_RULES_SUPPORT
msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL; msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
#endif #endif
int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED; int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;

2
apache2/modsecurity.h
View File

@ -148,8 +148,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
#ifdef WITH_REMOTE_RULES_SUPPORT #ifdef WITH_REMOTE_RULES_SUPPORT
extern DSOLOCAL msc_remote_rules_server *remote_rules_server; extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
extern DSOLOCAL int remote_rules_fail_action;
#endif #endif
extern DSOLOCAL int remote_rules_fail_action;
extern DSOLOCAL int status_engine_state; extern DSOLOCAL int status_engine_state;

13
apache2/msc_remote_rules.c
View File

@ -274,6 +274,11 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
if (curl) if (curl)
{ {
struct curl_slist *headers_chunk = NULL; struct curl_slist *headers_chunk = NULL;
#ifdef WIN32
char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
char *ptr = NULL;
DWORD res_len;
#endif
curl_easy_setopt(curl, CURLOPT_URL, remote_rules_server->uri); curl_easy_setopt(curl, CURLOPT_URL, remote_rules_server->uri);
headers_chunk = curl_slist_append(headers_chunk, apr_id); headers_chunk = curl_slist_append(headers_chunk, apr_id);
@ -286,6 +291,14 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
/* Make it TLS 1.x only. */ /* Make it TLS 1.x only. */
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
#ifdef WIN32
res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
if (res_len > 0) {
curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
}
free(buf);
#endif
/* those are the default options, but lets make sure */ /* those are the default options, but lets make sure */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);

29
apache2/msc_util.c
View File

@ -2673,6 +2673,11 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
if (curl) { if (curl) {
struct curl_slist *headers_chunk = NULL; struct curl_slist *headers_chunk = NULL;
#ifdef WIN32
char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
char *ptr = NULL;
DWORD res_len;
#endif
curl_easy_setopt(curl, CURLOPT_URL, uri); curl_easy_setopt(curl, CURLOPT_URL, uri);
headers_chunk = curl_slist_append(headers_chunk, apr_id); headers_chunk = curl_slist_append(headers_chunk, apr_id);
@ -2687,7 +2692,15 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
/* Make it TLS 1.x only. */ /* Make it TLS 1.x only. */
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
/* those are the default options, but lets make sure */ #ifdef WIN32
res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
if (res_len > 0) {
curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
}
free(buf);
#endif
/* thoseeare the default options, but lets make sure */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
@ -2700,9 +2713,21 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
if (res != CURLE_OK) if (res != CURLE_OK)
{ {
*error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" error: %s ", uri, curl_easy_strerror(res)); if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
{
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
"Failed to fetch \"%s\" error: %s ",
uri, curl_easy_strerror(res));
return 0;
}
else
{
*error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" " \
"error: %s ", uri,
curl_easy_strerror(res));
return -1; return -1;
} }
}
curl_easy_cleanup(curl); curl_easy_cleanup(curl);
curl_slist_free_all(headers_chunk); curl_slist_free_all(headers_chunk);

31
apache2/re_operators.c
View File

@ -12,6 +12,7 @@
* directly using the email address security@modsecurity.org. * directly using the email address security@modsecurity.org.
*/ */
#include "modsecurity.h"
#include "re.h" #include "re.h"
#include "msc_pcre.h" #include "msc_pcre.h"
#include "msc_geo.h" #include "msc_geo.h"
@ -1307,6 +1308,11 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
if (curl) { if (curl) {
struct curl_slist *headers_chunk = NULL; struct curl_slist *headers_chunk = NULL;
#ifdef WIN32
char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
char *ptr = NULL;
DWORD res_len;
#endif
curl_easy_setopt(curl, CURLOPT_URL, fn); curl_easy_setopt(curl, CURLOPT_URL, fn);
headers_chunk = curl_slist_append(headers_chunk, apr_id); headers_chunk = curl_slist_append(headers_chunk, apr_id);
@ -1321,6 +1327,14 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
/* Make it TLS 1.x only. */ /* Make it TLS 1.x only. */
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1); curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
#ifdef WIN32
res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
if (res_len > 0) {
curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
}
free(buf);
#endif
/* those are the default options, but lets make sure */ /* those are the default options, but lets make sure */
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1); curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
@ -1333,7 +1347,22 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
res = curl_easy_perform(curl); res = curl_easy_perform(curl);
if (res != CURLE_OK) if (res != CURLE_OK)
fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res)); {
if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
{
ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
"Failed to fetch \"%s\" error: %s ", fn,
curl_easy_strerror(res));
return 1;
}
else
{
*error_msg = apr_psprintf(rule->ruleset->mp,
"Failed to fetch \"%s\" error: %s ", fn,
curl_easy_strerror(res));
return 0;
}
}
curl_easy_cleanup(curl); curl_easy_cleanup(curl);
curl_slist_free_all(headers_chunk); curl_slist_free_all(headers_chunk);

3894
iis/curl-ca-bundle.crt Normal file
View File

File diff suppressed because it is too large Load Diff

2
iis/dependencies/build_curl.bat
View File

@ -13,7 +13,7 @@ echo "Cd..."
:: copy /y CMakeLists.txt "curl" :: copy /y CMakeLists.txt "curl"
CD "curl" CD "curl"
echo "Cmake..." echo "Cmake..."
CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True -DCURL_ZLIB=True CMAKE -G "NMake Makefiles" -DCMAKE_BUILD_TYPE=RelWithDebInfo -DBUILD_SHARED_LIBS=True -DCURL_ZLIB=True -DUSE_SSLEAY=dll -DUSE_OPENSSL=dll -DOPENSSL_ROOT_DIR=%WORK_DIR%/openssl_inst
@if NOT (%ERRORLEVEL%) == (0) goto build_failed @if NOT (%ERRORLEVEL%) == (0) goto build_failed
:: "%WORK_DIR%\fart.exe" -r -C "%WORK_DIR%\curl\include\curl\curlbuild.h" LLU ULL :: "%WORK_DIR%\fart.exe" -r -C "%WORK_DIR%\curl\include\curl\curlbuild.h" LLU ULL
NMAKE NMAKE

1
tests/msc_test.c
View File

@ -78,6 +78,7 @@ msc_engine *modsecurity = NULL;
unsigned long int DSOLOCAL msc_pcre_match_limit = 0; unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0; unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
char DSOLOCAL *real_server_signature = NULL; char DSOLOCAL *real_server_signature = NULL;
int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
/* Stubs */ /* Stubs */
char *format_error_log_message(apr_pool_t *mp, error_message_t *em) { char *format_error_log_message(apr_pool_t *mp, error_message_t *em) {