|
Packit |
284210 |
/*
|
|
Packit |
284210 |
* ModSecurity for Apache 2.x, http://www.modsecurity.org/
|
|
Packit |
284210 |
* Copyright (c) 2004-2013 Trustwave Holdings, Inc. (http://www.trustwave.com/)
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* You may not use this file except in compliance with
|
|
Packit |
284210 |
* the License. You may obtain a copy of the License at
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* http://www.apache.org/licenses/LICENSE-2.0
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* If any of the files related to licensing are missing or if you have any
|
|
Packit |
284210 |
* other questions related to licensing please contact Trustwave Holdings, Inc.
|
|
Packit |
284210 |
* directly using the email address security@modsecurity.org.
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#include "msc_remote_rules.h"
|
|
Packit |
284210 |
#include "msc_status_engine.h"
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#include <apr_thread_pool.h>
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifdef WITH_CURL
|
|
Packit |
284210 |
#include <curl/curl.h>
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#include <apu.h>
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifdef WITH_REMOTE_RULES
|
|
Packit |
284210 |
#ifdef WITH_APU_CRYPTO
|
|
Packit |
284210 |
#include <apr_crypto.h>
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
#include <apr_sha1.h>
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifndef AP_MAX_ARGC
|
|
Packit |
284210 |
#define AP_MAX_ARGC 64
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/**
|
|
Packit |
284210 |
* @brief Find command in a list.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* This is a duplicate of `ap_find_command', which is part of the standalone module.
|
|
Packit |
284210 |
* Apache versions does not include the standalone, thus, this is necessary for
|
|
Packit |
284210 |
* the Apache versions. Once it is here it may not be necessary to be part of
|
|
Packit |
284210 |
* the standalone module, but, for this version both function will co-exist
|
|
Packit |
284210 |
* avoiding problems with 3rd parties that are extending the standalone module.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @note Prefer this function instead of `ap_finc_command` which is part of the
|
|
Packit |
284210 |
* standalone module.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @param parms char pointer, function name.
|
|
Packit |
284210 |
* @param cmds pointer to command_rec[].
|
|
Packit |
284210 |
* @retval NULL if command was not found.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
const command_rec *msc_remote_find_command(const char *name, const command_rec *cmds)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
while (cmds->name) {
|
|
Packit |
284210 |
if (!strcasecmp(name, cmds->name))
|
|
Packit |
284210 |
return cmds;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
++cmds;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return NULL;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/**
|
|
Packit |
284210 |
* @brief Insert a new SecRule to be processed by ModSecurity
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* This is a duplicate of `invoke_cmd', which is part of the standalone module.
|
|
Packit |
284210 |
* Apache versions does not include the standalone, thus, this is necessary for
|
|
Packit |
284210 |
* the Apache versions. Once it is here it may not be necessary to be part of
|
|
Packit |
284210 |
* the standalone module, but, for this version both function will co-exist
|
|
Packit |
284210 |
* avoiding problems with 3rd parties that are extending the standalone module.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @note Prefer this function instead of `invoke_cmd` which is part of the
|
|
Packit |
284210 |
* standalone module.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @param cmd pointer to command_rec structure.
|
|
Packit |
284210 |
* @param parms pointer to cmd_params strucutre.
|
|
Packit |
284210 |
* @param mconfig pointer to main config structure.
|
|
Packit |
284210 |
* @param args SecRule arguments.
|
|
Packit |
284210 |
* @retval NULL if everything worked as expected otherwise an error message.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
|
|
Packit |
284210 |
void *mconfig, const char *args)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
char *w, *w2, *w3;
|
|
Packit |
284210 |
const char *errmsg = NULL;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if ((parms->override & cmd->req_override) == 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name, " not allowed here", NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
parms->info = cmd->cmd_data;
|
|
Packit |
284210 |
parms->cmd = cmd;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
switch (cmd->args_how) {
|
|
Packit |
284210 |
case RAW_ARGS:
|
|
Packit |
284210 |
#ifdef RESOLVE_ENV_PER_TOKEN
|
|
Packit |
284210 |
args = ap_resolve_env(parms->pool,args);
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
return cmd->AP_RAW_ARGS(parms, mconfig, args);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
case TAKE_ARGV:
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
char *argv[AP_MAX_ARGC];
|
|
Packit |
284210 |
int argc = 0;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
do {
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
if (*w == '\0' && *args == '\0') {
|
|
Packit |
284210 |
break;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
argv[argc] = w;
|
|
Packit |
284210 |
argc++;
|
|
Packit |
284210 |
} while (argc < AP_MAX_ARGC && *args != '\0');
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_TAKE_ARGV(parms, mconfig, argc, argv);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
case NO_ARGS:
|
|
Packit |
284210 |
if (*args != 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name, " takes no arguments",
|
|
Packit |
284210 |
NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_NO_ARGS(parms, mconfig);
|
|
Packit |
284210 |
case TAKE1:
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || *args != 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name, " takes one argument",
|
|
Packit |
284210 |
cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_TAKE1(parms, mconfig, w);
|
|
Packit |
284210 |
case TAKE2:
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
w2 = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || *w2 == '\0' || *args != 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name, " takes two arguments",
|
|
Packit |
284210 |
cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_TAKE2(parms, mconfig, w, w2);
|
|
Packit |
284210 |
case TAKE12:
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
w2 = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || *args != 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name, " takes 1-2 arguments",
|
|
Packit |
284210 |
cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_TAKE2(parms, mconfig, w, *w2 ? w2 : NULL);
|
|
Packit |
284210 |
case TAKE3:
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
w2 = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
w3 = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || *w2 == '\0' || *w3 == '\0' || *args != 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name,
|
|
Packit |
284210 |
" takes three arguments",
|
|
Packit |
284210 |
cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_TAKE3(parms, mconfig, w, w2, w3);
|
|
Packit |
284210 |
case TAKE23:
|
|
Packit |
284210 |
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
w2 = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || *w2 == '\0' || *args != 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name,
|
|
Packit |
284210 |
" takes two or three arguments",
|
|
Packit |
284210 |
cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_TAKE3(parms, mconfig, w, w2, w3);
|
|
Packit |
284210 |
case TAKE123:
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
w2 = *args ? ap_getword_conf(parms->pool, &args) : NULL;
|
|
Packit |
284210 |
w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || *args != 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name,
|
|
Packit |
284210 |
" takes one, two or three arguments",
|
|
Packit |
284210 |
cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_TAKE3(parms, mconfig, w, w2, w3);
|
|
Packit |
284210 |
case TAKE13:
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
w2 = *args ? ap_getword_conf(parms->pool, &args) : NULL;
|
|
Packit |
284210 |
w3 = *args ? ap_getword_conf(parms->pool, &args) : NULL;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || (w2 && *w2 && !w3) || *args != 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name,
|
|
Packit |
284210 |
" takes one or three arguments",
|
|
Packit |
284210 |
cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_TAKE3(parms, mconfig, w, w2, w3);
|
|
Packit |
284210 |
case ITERATE:
|
|
Packit |
284210 |
while (*(w = ap_getword_conf(parms->pool, &args)) != '\0') {
|
|
Packit |
284210 |
|
|
Packit |
284210 |
errmsg = cmd->AP_TAKE1(parms, mconfig, w);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0)
|
|
Packit |
284210 |
return errmsg;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return errmsg;
|
|
Packit |
284210 |
case ITERATE2:
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || *args == 0)
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name,
|
|
Packit |
284210 |
" requires at least two arguments",
|
|
Packit |
284210 |
cmd->errmsg ? ", " : NULL, cmd->errmsg, NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
while (*(w2 = ap_getword_conf(parms->pool, &args)) != '\0') {
|
|
Packit |
284210 |
|
|
Packit |
284210 |
errmsg = cmd->AP_TAKE2(parms, mconfig, w, w2);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (errmsg && strcmp(errmsg, DECLINE_CMD) != 0)
|
|
Packit |
284210 |
return errmsg;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return errmsg;
|
|
Packit |
284210 |
case FLAG:
|
|
Packit |
284210 |
w = ap_getword_conf(parms->pool, &args);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*w == '\0' || (strcasecmp(w, "on") && strcasecmp(w, "off")))
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name, " must be On or Off",
|
|
Packit |
284210 |
NULL);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return cmd->AP_FLAG(parms, mconfig, strcasecmp(w, "off") != 0);
|
|
Packit |
284210 |
default:
|
|
Packit |
284210 |
return apr_pstrcat(parms->pool, cmd->name,
|
|
Packit |
284210 |
" is improperly configured internally (server bug)",
|
|
Packit |
284210 |
NULL);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/**
|
|
Packit |
284210 |
* @brief Fetch an URL and fill the content into a memory buffer.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* Fill an msc_curl_memory_buffer_t structure with the content of an given
|
|
Packit |
284210 |
* URL.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @note While fetching the content, it will present the ModSecurity instance
|
|
Packit |
284210 |
* to the remote server, trough: ModSecurity Unique ID, ModSecurity
|
|
Packit |
284210 |
* status line and also, if given, key that can be used to
|
|
Packit |
284210 |
* authentication. Such data is presented in the following HTTP headers:
|
|
Packit |
284210 |
* - ModSec-status
|
|
Packit |
284210 |
* - ModSec-unique-id
|
|
Packit |
284210 |
* - ModSec-key
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @warning Cleanup the memory after use it.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @param mp pointer to the memory pool.
|
|
Packit |
284210 |
* @param uri URI to be fetched.
|
|
Packit |
284210 |
* @param key KEY to be present as ModSec-key.
|
|
Packit |
284210 |
* @param chunk pointer to an msc_curl_memory_buffer_t struct.
|
|
Packit |
284210 |
* @param error_msg pointer an char pointer, filled is something went wrong.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @retval n>=0 everything went fine.
|
|
Packit |
284210 |
* @retval n<-1 Something wrong happened, further details on error_msg.
|
|
Packit |
284210 |
* n=-2 Download failed, but operation should not be aborted.
|
|
Packit |
284210 |
* n=-3 ModSecurity was not compiled with curl support.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key,
|
|
Packit |
284210 |
struct msc_curl_memory_buffer_t *chunk, char **error_msg)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
#ifdef WITH_CURL
|
|
Packit |
284210 |
CURL *curl;
|
|
Packit |
284210 |
CURLcode res;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
char id[(APR_SHA1_DIGESTSIZE*2) + 1];
|
|
Packit |
284210 |
char *apr_id = NULL;
|
|
Packit |
284210 |
char *beacon_str = NULL;
|
|
Packit |
284210 |
char *beacon_apr = NULL;
|
|
Packit |
284210 |
int beacon_str_len = 0;
|
|
Packit |
284210 |
int ret = 0;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
chunk->size = 0;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
memset(id, '\0', sizeof(id));
|
|
Packit |
284210 |
if (msc_status_engine_unique_id(id))
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
sprintf(id, "no unique id");
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_id = apr_psprintf(mp, "ModSec-unique-id: %s", id);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
curl = curl_easy_init();
|
|
Packit |
284210 |
|
|
Packit |
284210 |
beacon_str_len = msc_beacon_string(NULL, 0);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
beacon_str = malloc(sizeof(char) * beacon_str_len + 1);
|
|
Packit |
284210 |
if (beacon_str == NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
beacon_str = "Failed to retrieve beacon string";
|
|
Packit |
284210 |
beacon_apr = apr_psprintf(mp, "ModSec-status: %s", beacon_str);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
msc_beacon_string(beacon_str, beacon_str_len);
|
|
Packit |
284210 |
beacon_apr = apr_psprintf(mp, "ModSec-status: %s", beacon_str);
|
|
Packit |
284210 |
free(beacon_str);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (curl)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
struct curl_slist *headers_chunk = NULL;
|
|
Packit |
284210 |
#ifdef WIN32
|
|
Packit |
284210 |
char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
|
|
Packit |
284210 |
char *ptr = NULL;
|
|
Packit |
284210 |
DWORD res_len;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_URL, uri);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
headers_chunk = curl_slist_append(headers_chunk, apr_id);
|
|
Packit |
284210 |
headers_chunk = curl_slist_append(headers_chunk, beacon_apr);
|
|
Packit |
284210 |
if (key != NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
char *header_key = NULL;
|
|
Packit |
284210 |
header_key = apr_psprintf(mp, "ModSec-key: %s", key);
|
|
Packit |
284210 |
headers_chunk = curl_slist_append(headers_chunk, header_key);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* Make it TLS 1.x only. */
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifdef WIN32
|
|
Packit |
284210 |
res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
|
|
Packit |
284210 |
if (res_len > 0) {
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
free(buf);
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* those are the default options, but lets make sure */
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* send all data to this function */
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, msc_curl_write_memory_cb);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* we pass our 'chunk' struct to the callback function */
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_WRITEDATA, (void *)chunk);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_USERAGENT, "modesecurity");
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers_chunk);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* We want Curl to return error in case there is an HTTP error code */
|
|
Packit |
284210 |
curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
res = curl_easy_perform(curl);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (res != CURLE_OK)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
if (remote_rules_fail_message == NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
remote_rules_fail_message = "";
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
remote_rules_fail_message = apr_psprintf(mp, "%sFailed to " \
|
|
Packit |
284210 |
"download: \"%s\" error: %s. ",
|
|
Packit |
284210 |
remote_rules_fail_message, uri,
|
|
Packit |
284210 |
curl_easy_strerror(res));
|
|
Packit |
284210 |
|
|
Packit |
284210 |
ret = -2;
|
|
Packit |
284210 |
goto failed;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = apr_psprintf(mp, "Failed to download: \"%s\" " \
|
|
Packit |
284210 |
"error: %s ",
|
|
Packit |
284210 |
uri, curl_easy_strerror(res));
|
|
Packit |
284210 |
|
|
Packit |
284210 |
ret = -1;
|
|
Packit |
284210 |
goto failed;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
curl_slist_free_all(headers_chunk);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
failed:
|
|
Packit |
284210 |
curl_easy_cleanup(curl);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return ret;
|
|
Packit |
284210 |
#else
|
|
Packit |
284210 |
return -3;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/**
|
|
Packit |
284210 |
* @brief Setup an apr_crypto_key_t from a given password and salt.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* apr_crypto_* demands the key to be in a format of an apr_crypto_key_t which
|
|
Packit |
284210 |
* is an structure that may be defined depending on the crypto provider, thus,
|
|
Packit |
284210 |
* making necessary for us to create this structure using apr internal
|
|
Packit |
284210 |
* functions.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @warning We trust that the paramenter used in apr, such as the algorithm,
|
|
Packit |
284210 |
* key size and other parameters won't change, if they do it may
|
|
Packit |
284210 |
* break the interoperability with this function with others
|
|
Packit |
284210 |
* implementations, as the key will end up with a different value
|
|
Packit |
284210 |
* than the one expected.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @param pool pointer to the memory pool to be used.
|
|
Packit |
284210 |
* @param key password to be used while creating the key.
|
|
Packit |
284210 |
* @param apr_key pointer to the pointer of an apr_crypto_key_t structure.
|
|
Packit |
284210 |
* @param f pointer to apr_crypto_t.
|
|
Packit |
284210 |
* @param salt string to be used as salt of the key generation
|
|
Packit |
284210 |
* @param error_msg pointer to char pointer, which is filled if something
|
|
Packit |
284210 |
* went wrong.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @retval n>=0 everything went fine.
|
|
Packit |
284210 |
* @retval n<-1 Something wrong happened, check error_msg for further details.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
#ifdef WITH_APU_CRYPTO
|
|
Packit |
284210 |
int msc_remote_enc_key_setup(apr_pool_t *pool,
|
|
Packit |
284210 |
const char *key,
|
|
Packit |
284210 |
apr_crypto_key_t **apr_key,
|
|
Packit |
284210 |
apr_crypto_t *f,
|
|
Packit |
284210 |
unsigned char *salt,
|
|
Packit |
284210 |
char **error_msg)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
apr_size_t key_len = strlen(key);
|
|
Packit |
284210 |
apr_size_t salt_len = 16; //FIXME: salt_len should not be hard coded.
|
|
Packit |
284210 |
|
|
Packit |
284210 |
const int do_pad = 1;
|
|
Packit |
284210 |
apr_status_t rv;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
rv = apr_crypto_passphrase(
|
|
Packit |
284210 |
(apr_crypto_key_t **) apr_key,
|
|
Packit |
284210 |
NULL,
|
|
Packit |
284210 |
(const char *) key,
|
|
Packit |
284210 |
(apr_size_t) key_len,
|
|
Packit |
284210 |
(const unsigned char *) salt,
|
|
Packit |
284210 |
(apr_size_t) salt_len,
|
|
Packit |
284210 |
APR_KEY_AES_256,
|
|
Packit |
284210 |
APR_MODE_CBC,
|
|
Packit |
284210 |
(const int) do_pad,
|
|
Packit |
284210 |
(const int) 4096,
|
|
Packit |
284210 |
(const apr_crypto_t *) f,
|
|
Packit |
284210 |
(apr_pool_t *) pool);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (rv == APR_ENOKEY)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_passphrase: Missing key";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else if (rv == APR_EPADDING)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_passphrase: APR_EPADDING";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else if (rv == APR_EKEYTYPE)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_passphrase: APR_EKEYTYPE";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else if (rv != APR_SUCCESS)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_passphrase: Unknown error";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return 0;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/**
|
|
Packit |
284210 |
* @brief Decrypt an buffer into a memory buffer.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* Decrypt an msc_curl_memory_buffer_t structure into another
|
|
Packit |
284210 |
* msc_curl_memory_buffer_t.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* Using the key provided, it creates and apr_key and uses it to decript the
|
|
Packit |
284210 |
* content provided on chunk. The plain text content is saved under
|
|
Packit |
284210 |
* chunk_plain.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @warning Cleanup memory after usage.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @param pool pointer to the memory pool to be used.
|
|
Packit |
284210 |
* @param key pointer to the char array to be used as the key.
|
|
Packit |
284210 |
* @param chunk msc_curl_memory_buffer_t that contains the encrypted content.
|
|
Packit |
284210 |
* @param plain_text unsigned char which will hold the content of an url
|
|
Packit |
284210 |
* @param plain_text_len size of the plain_text buffer
|
|
Packit |
284210 |
* @param error_msg pointer to char pointer that is filled if something went
|
|
Packit |
284210 |
* wrong.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @retval n>=0 everything went fine.
|
|
Packit |
284210 |
* @retval n<-1 Something wrong happened, further details on error_msg.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
#ifdef WITH_APU_CRYPTO
|
|
Packit |
284210 |
int msc_remote_decrypt(apr_pool_t *pool,
|
|
Packit |
284210 |
const char *key,
|
|
Packit |
284210 |
struct msc_curl_memory_buffer_t *chunk,
|
|
Packit |
284210 |
unsigned char **plain_text,
|
|
Packit |
284210 |
apr_size_t *plain_text_len,
|
|
Packit |
284210 |
char **error_msg)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
apr_crypto_key_t *apr_key = NULL;
|
|
Packit |
284210 |
apr_crypto_t *f = NULL;
|
|
Packit |
284210 |
const apr_crypto_driver_t *driver = NULL;
|
|
Packit |
284210 |
const apu_err_t *err = NULL;
|
|
Packit |
284210 |
apr_status_t rv;
|
|
Packit |
284210 |
unsigned char *iv = NULL;
|
|
Packit |
284210 |
unsigned char *ciphered_text = NULL;
|
|
Packit |
284210 |
unsigned char *salt = NULL;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_crypto_block_t *block = NULL;
|
|
Packit |
284210 |
apr_size_t block_size = 0;
|
|
Packit |
284210 |
apr_size_t len = 0;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
// FIXME: size should not be hardcoded.
|
|
Packit |
284210 |
// at least size of IV + Salt
|
|
Packit |
284210 |
if (chunk->size < 16+16+1)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Failed to download rules from a remote server: " \
|
|
Packit |
284210 |
"Unexpected content.";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
iv = chunk->memory;
|
|
Packit |
284210 |
salt = chunk->memory + 16;
|
|
Packit |
284210 |
ciphered_text = chunk->memory + (16 + 16);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
rv = apr_crypto_init(pool);
|
|
Packit |
284210 |
if (rv != APR_SUCCESS)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error: failed to init crypto";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
rv = apr_crypto_get_driver(&driver, APU_CRYPTO_RECOMMENDED_DRIVER, NULL,
|
|
Packit |
284210 |
&err, pool);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (rv != APR_SUCCESS || driver == NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_get_driver: Unknown error";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
rv = apr_crypto_make(&f, driver, NULL, pool);
|
|
Packit |
284210 |
if (rv != APR_SUCCESS)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_make: Unknown error";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
msc_remote_enc_key_setup(pool, key, &apr_key, f, salt, error_msg);
|
|
Packit |
284210 |
if (*error_msg != NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
rv = apr_crypto_block_decrypt_init(&block, &block_size, iv, apr_key, pool);
|
|
Packit |
284210 |
if (rv == APR_ENOKEY)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_block_decrypt_init: " \
|
|
Packit |
284210 |
"Missing key";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else if (rv == APR_ENOIV)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_block_decrypt_init: " \
|
|
Packit |
284210 |
"Missing IV";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else if (rv == APR_EKEYTYPE)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_block_decrypt_init: " \
|
|
Packit |
284210 |
"Wrong key type";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else if (rv == APR_EKEYLENGTH)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_block_decrypt_init: " \
|
|
Packit |
284210 |
"Wrong key length";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else if (rv != APR_SUCCESS)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_block_decrypt_init: " \
|
|
Packit |
284210 |
"Unknown error";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
//FIXME: size should not be hardcoded like that.
|
|
Packit |
284210 |
// 32 = iv + salt size.
|
|
Packit |
284210 |
rv = apr_crypto_block_decrypt(plain_text, plain_text_len,
|
|
Packit |
284210 |
ciphered_text, (apr_size_t) chunk->size - (16 + 16) ,
|
|
Packit |
284210 |
block);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (rv != APR_SUCCESS)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_block_decrypt: Failed to " \
|
|
Packit |
284210 |
"decrypt";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/* finalise the decryption */
|
|
Packit |
284210 |
|
|
Packit |
284210 |
rv = apr_crypto_block_decrypt_finish(*plain_text + *plain_text_len, &len,
|
|
Packit |
284210 |
block);
|
|
Packit |
284210 |
if (rv != APR_SUCCESS)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Internal error - apr_crypto_block_decrypt_finish: " \
|
|
Packit |
284210 |
"Failed to decrypt";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_crypto_block_cleanup(block);
|
|
Packit |
284210 |
apr_crypto_cleanup(f);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
// Shutdown the apr_crypto seems to be the correct thing to do.
|
|
Packit |
284210 |
// However it seems to add instability especially if mod_ssl is enabled.
|
|
Packit |
284210 |
// apr_crypto_shutdown(driver);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
return 0;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
/**
|
|
Packit |
284210 |
* @brief Add SecRules from a given URI.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* Fetch the URI and using the key provided into params decrypt and install
|
|
Packit |
284210 |
* the downloaded set of rules.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @warning Cleanup the memory may be necessary.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @param orig_parms origin parms used at SecRemoteRule
|
|
Packit |
284210 |
* @param remote_rules_server pointer to the filled msc_remote_rules_server
|
|
Packit |
284210 |
* structure.
|
|
Packit |
284210 |
* @param error_msg pointer to char pointer that will be filled if something
|
|
Packit |
284210 |
* went wrong.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
* @retval n>=0 everything went fine.
|
|
Packit |
284210 |
* @retval n<-1 Something wrong happened, further details on error_msg.
|
|
Packit |
284210 |
*
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
|
|
Packit |
284210 |
msc_remote_rules_server *remote_rules_server,
|
|
Packit |
284210 |
char **error_msg)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifdef WITH_REMOTE_RULES
|
|
Packit |
284210 |
struct msc_curl_memory_buffer_t downloaded_content;
|
|
Packit |
284210 |
unsigned char *plain_text = NULL;
|
|
Packit |
284210 |
int len = 0;
|
|
Packit |
284210 |
int start = 0;
|
|
Packit |
284210 |
int end = 0;
|
|
Packit |
284210 |
int added_rules = 0;
|
|
Packit |
284210 |
int res = 0;
|
|
Packit |
284210 |
apr_size_t plain_text_len = 0;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
apr_pool_t *mp = orig_parms->pool;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
downloaded_content.size = 0;
|
|
Packit |
284210 |
downloaded_content.memory = NULL;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
res = msc_remote_download_content(mp, remote_rules_server->uri,
|
|
Packit |
284210 |
remote_rules_server->key, &downloaded_content, error_msg);
|
|
Packit |
284210 |
if (*error_msg != NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
/* error_msg is not filled when the user set SecRemoteRulesFailAction
|
|
Packit |
284210 |
* to warn
|
|
Packit |
284210 |
*/
|
|
Packit |
284210 |
if (res != 0)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
return res;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (remote_rules_server->crypto == 1)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
#ifdef WITH_APU_CRYPTO
|
|
Packit |
284210 |
msc_remote_decrypt(mp, remote_rules_server->key, &downloaded_content,
|
|
Packit |
284210 |
&plain_text,
|
|
Packit |
284210 |
&plain_text_len,
|
|
Packit |
284210 |
error_msg);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*error_msg != NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
msc_remote_clean_chunk(&downloaded_content);
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
#else
|
|
Packit |
284210 |
*error_msg = "ModSecurity was not compiled with crypto support.\n";
|
|
Packit |
284210 |
msc_remote_clean_chunk(&downloaded_content);
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
msc_remote_clean_chunk(&downloaded_content);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
else
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
plain_text = downloaded_content.memory;
|
|
Packit |
284210 |
plain_text_len = strlen(plain_text);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
len = 0;
|
|
Packit |
284210 |
plain_text_len = strlen(plain_text);
|
|
Packit |
284210 |
while (len < plain_text_len)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
if (plain_text[len] == '\n')
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
const char *rule = NULL;
|
|
Packit |
284210 |
int tmp = len;
|
|
Packit |
284210 |
char *cmd_name = NULL;
|
|
Packit |
284210 |
char *word = NULL;
|
|
Packit |
284210 |
const command_rec *cmd;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
ap_directive_t *newdir;
|
|
Packit |
284210 |
cmd_parms *parms = apr_pcalloc(mp, sizeof (cmd_parms));
|
|
Packit |
284210 |
|
|
Packit |
284210 |
rule = plain_text + start;
|
|
Packit |
284210 |
end = len;
|
|
Packit |
284210 |
plain_text[len] = '\0';
|
|
Packit |
284210 |
|
|
Packit |
284210 |
memcpy(parms, orig_parms, sizeof(cmd_parms));
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (*rule == '#' || *rule == '\0')
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
goto next;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
cmd_name = ap_getword_conf(mp, &rule;;
|
|
Packit |
284210 |
cmd = msc_remote_find_command(cmd_name, security2_module.cmds);
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (cmd == NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = apr_pstrcat(mp, "Unknown command in config: ",
|
|
Packit |
284210 |
cmd_name, NULL);
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
newdir = apr_pcalloc(mp, sizeof(ap_directive_t));
|
|
Packit |
284210 |
newdir->filename = "remote server";
|
|
Packit |
284210 |
newdir->line_num = -1;
|
|
Packit |
284210 |
newdir->directive = cmd_name;
|
|
Packit |
284210 |
newdir->args = apr_pstrdup(mp, rule);
|
|
Packit |
284210 |
parms->directive = newdir;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
#ifdef WIN32
|
|
Packit |
284210 |
// some config commands fail in APR when there are file
|
|
Packit |
284210 |
// permission issues or other OS-specific problems
|
|
Packit |
284210 |
//
|
|
Packit |
284210 |
__try
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
*error_msg = (char *) msc_remote_invoke_cmd(cmd, parms,
|
|
Packit |
284210 |
remote_rules_server->context, rule);
|
|
Packit |
284210 |
if (*error_msg != NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
added_rules++;
|
|
Packit |
284210 |
#ifdef WIN32
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
__except(EXCEPTION_EXECUTE_HANDLER)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
*error_msg = "Command failed to execute (check file/folder" \
|
|
Packit |
284210 |
"permissions, syntax, etc.).";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
|
|
Packit |
284210 |
next:
|
|
Packit |
284210 |
start = end + 1;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
len++;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
remote_rules_server->amount_of_rules = added_rules;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (remote_rules_server->crypto != 1)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
msc_remote_clean_chunk(&downloaded_content);
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
#else
|
|
Packit |
284210 |
*error_msg = "SecRemoteRules was not enabled during ModSecurity " \
|
|
Packit |
284210 |
"compilation.";
|
|
Packit |
284210 |
return -1;
|
|
Packit |
284210 |
#endif
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
|
|
Packit |
284210 |
int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
if (chunk->size == 0)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
goto end;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
if (chunk->memory == NULL)
|
|
Packit |
284210 |
{
|
|
Packit |
284210 |
goto end;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|
|
Packit |
284210 |
free(chunk->memory);
|
|
Packit |
284210 |
chunk->size = 0;
|
|
Packit |
284210 |
|
|
Packit |
284210 |
end:
|
|
Packit |
284210 |
return 0;
|
|
Packit |
284210 |
}
|
|
Packit |
284210 |
|