From c54bb746c6a46716b30ef746371de04a1ae22311 Mon Sep 17 00:00:00 2001
From: Felipe Zimmerle
Date: Wed, 12 Nov 2014 11:44:45 -0300
Subject: [PATCH] Adds SecRemoteRules as an build option

SecRemoteRules adds a new dependency to libcurl. Before only mlogc was depending on libcurl. SecRemoteRules also depends on the apr-tools with crypto support, which (as reported by our buildbots) is not default in some environments such as: MacOS X. This commit disable SecRemoteRules support if apr-tools was not compiled with crypto support.
---
 apache2/apache2_config.c   | 11 ++++++++++-
 apache2/mod_security2.c    |  4 ++++
 apache2/modsecurity.h      |  5 ++++-
 apache2/msc_remote_rules.c |  5 ++---
 apache2/msc_remote_rules.h | 31 +++++++++++++++++++++----------
 5 files changed, 41 insertions(+), 15 deletions(-)

diff --git a/apache2/apache2_config.c b/apache2/apache2_config.c
index e9052455..dbdf9ff8 100644
--- a/apache2/apache2_config.c
+++ b/apache2/apache2_config.c
@@ -2217,7 +2217,7 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
 {
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
-
+#ifdef WITH_REMOTE_RULES_SUPPORT
     if (strncasecmp(p1, "warn", 4) == 0)
     {
         remote_rules_fail_action = REMOTE_RULES_WARN_ON_FAIL;
@@ -2231,6 +2231,10 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
         return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
             "SecRemoteRulesFailAction, expected: Abort or Warn.");
     }
+#else
+    return apr_psprintf(cmd->pool, "ModSecurity: " \
+        "SecRemoteRules: ModSecurity was not compiled with such functionality.");
+#endif
 
     return NULL;
 }
@@ -2242,6 +2246,7 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
+#ifdef WITH_REMOTE_RULES_SUPPORT
     // FIXME: make it https only.
     // if (strncasecmp(p1, "https", 5) != 0) {
     if (strncasecmp(p2, "http", 4) != 0) {
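Review bot: The fallback error in the new `#else` branch of cmd_remote_rules_fail (hunk -2231) names the wrong directive: this handler serves `SecRemoteRulesFailAction`, but the message reads `"SecRemoteRules: ModSecurity was not compiled with such functionality."`, so an operator who set only the fail-action directive is pointed at a directive they did not use. Change the second string to `"SecRemoteRulesFailAction: ModSecurity was not compiled with such functionality."`; the identical message in the cmd_remote_rules hunk at -2274 is correct for that directive and can stay. The trailing `\` after `"ModSecurity: "` mirrors the surrounding style but is unnecessary, since adjacent string literals concatenate across lines on their own. With the `#ifdef` now replacing the blank line in hunk -2217, `p1` is unused in the unsupported build (and `p1`/`p2` likewise in cmd_remote_rules), which `-Wunused-parameter` will report; a `(void)p1;` inside the `#else` branch keeps that build warning-clean. The signature line of cmd_remote_rules_fail lies outside the hunk.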
@@ -2274,6 +2279,10 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
     {
         return error_msg;
     }
+#else
+    return apr_psprintf(cmd->pool, "ModSecurity: " \
+        "SecRemoteRules: ModSecurity was not compiled with such functionality.");
+#endif
 
     return NULL;
 }
diff --git a/apache2/mod_security2.c b/apache2/mod_security2.c
index 86109e30..a69724b8 100644
--- a/apache2/mod_security2.c
+++ b/apache2/mod_security2.c
@@ -68,8 +68,10 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
 unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
+#ifdef WITH_REMOTE_RULES_SUPPORT
 msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
 int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+#endif
 
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 
@@ -759,6 +761,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
         }
 #endif
 
+#ifdef WITH_REMOTE_RULES_SUPPORT
         if (remote_rules_server != NULL)
         {
             if (remote_rules_server->amount_of_rules == 1)
@@ -776,6 +779,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
                         remote_rules_server->uri);
             }
         }
+#endif
     }
 
     srand((unsigned int)(time(NULL) * getpid()));
diff --git a/apache2/modsecurity.h b/apache2/modsecurity.h
index fa19605b..19f519c6 100644
--- a/apache2/modsecurity.h
+++ b/apache2/modsecurity.h
@@ -33,7 +33,6 @@ typedef struct msc_arg msc_arg;
 typedef struct msc_string msc_string;
 typedef struct msc_parm msc_parm;
 
-#include "msc_remote_rules.h"
 #include "msc_release.h"
 #include "msc_logging.h"
 #include "msc_multipart.h"
@@ -47,11 +46,13 @@ typedef struct msc_parm msc_parm;
 #include "msc_unicode.h"
 #include "re.h"
 #include "msc_crypt.h"
+#include "msc_remote_rules.h"
 
 #include "ap_config.h"
 #include "apr_md5.h"
 #include "apr_strings.h"
 #include "apr_hash.h"
+#include "apr_crypto.h"
 #include "httpd.h"
 #include "http_config.h"
 #include "http_log.h"
@@ -145,8 +146,10 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;
 extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
 
+#ifdef WITH_REMOTE_RULES_SUPPORT
 extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
 extern DSOLOCAL int remote_rules_fail_action;
+#endif
 
 extern DSOLOCAL int status_engine_state;
 
diff --git a/apache2/msc_remote_rules.c b/apache2/msc_remote_rules.c
index 1d19864d..4e826d14 100644
--- a/apache2/msc_remote_rules.c
+++ b/apache2/msc_remote_rules.c
@@ -26,9 +26,7 @@
 #define AP_MAX_ARGC 64
 #endif
 
-#ifndef APU_HAVE_CRYPTO
-#error Missing apu crypto module
-#endif
+#ifdef WITH_REMOTE_RULES_SUPPORT
 
 /**
  * @brief Insert a new SecRule to be processed by ModSecurity
@@ -716,3 +714,4 @@ end:
     return 0;
 }
 
+#endif
diff --git a/apache2/msc_remote_rules.h b/apache2/msc_remote_rules.h
index 20de8080..7cea1580 100644
--- a/apache2/msc_remote_rules.h
+++ b/apache2/msc_remote_rules.h
@@ -12,23 +12,33 @@
  * directly using the email address security@modsecurity.org.
  */
 
+#if APU_HAVE_CRYPTO
+#define WITH_REMOTE_RULES_SUPPORT
+#endif
+
+#ifdef WITH_REMOTE_RULES_SUPPORT
+
 #ifndef MSC_REMOTE_RULES_H
 #define MSC_REMOTE_RULES_H
 
-#include
-#include
-#include
-#include
-
-#include
-#include
-#include "http_core.h"
-
+/* forward declarations */
 typedef struct msc_remote_rules_server msc_remote_rules_server;
 struct msc_curl_memory_buffer_t;
 
 #include "modsecurity.h"
 
+#include
+#include
+#include
+#include
+
+#include "http_core.h"
+#include "http_config.h"
+
+#include
+
+#include
+
 struct msc_remote_rules_server {
     directory_config *context;
     const char *context_label;
@@ -38,7 +48,7 @@ struct msc_remote_rules_server {
 };
 
 const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
-    void *mconfig, const char *args);
+        void *mconfig, const char *args);
 
 int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
         struct msc_curl_memory_buffer_t *chunk, char **error_msg);
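Review bot: `#if APU_HAVE_CRYPTO` at the top of msc_remote_rules.h (hunk -12) is evaluated before this header includes anything, so it relies on the including file having already pulled in `apu.h`, where APU_HAVE_CRYPTO is defined; if that macro is not yet visible the `#if` silently evaluates to 0 and SecRemoteRules is compiled out with no diagnostic, whereas the `#error Missing apu crypto module` removed from msc_remote_rules.c (hunk -26) at least made the condition visible. In modsecurity.h (hunk -47) `apr_crypto.h` is added after `msc_remote_rules.h`, so that include cannot be what supplies the definition, and unless an earlier header in modsecurity.h happens to bring in apu.h the gate depends on include order; adding `#include "apu.h"` immediately before the `#if` makes it self-contained, and the consumers of WITH_REMOTE_RULES_SUPPORT in mod_security2.c (-68), modsecurity.h (-145) and msc_remote_rules.c (-26) then stop depending on who included what first. The commit message says SecRemoteRules also brings in libcurl, but the gate only considers APU crypto; if libcurl is optional in this build, the `#define` presumably needs to check curl availability as well. A comment such as `/* SecRemoteRules requires apr-util built with crypto support; without it the feature is compiled out */` above the `#if` would record why the feature can vanish from a build.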
@@ -64,4 +74,5 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
 
 int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk);
 
 #endif
+#endif
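Review bot: The header now ends with two bare `#endif`s, one closing the `MSC_REMOTE_RULES_H` guard and the new one closing the `#ifdef WITH_REMOTE_RULES_SUPPORT` opened some sixty lines earlier, and nothing distinguishes them; label both, `#endif /* MSC_REMOTE_RULES_H */` and `#endif /* WITH_REMOTE_RULES_SUPPORT */`. The same applies to the `#endif` added at the end of msc_remote_rules.c (hunk -716), which closes an `#ifdef` from line 29 nearly seven hundred lines away. Because the feature `#ifdef` sits outside the include guard, an inclusion that evaluates unsupported never defines `MSC_REMOTE_RULES_H`, so a later inclusion in the same translation unit (after apu.h has become visible) would presumably emit the declarations after all, giving two inclusions of one header different results; that is worth a comment next to the outer `#ifdef` if the layout is intentional.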