Improves the CA validation

On IIS CA validation was not working as libcurl on windows does not look for a
certificate store, unless it is specified. The resource downloads are now
respecting the SecRemoteRulesFailAction.

Author: Felipe Zimmerle

apache2/apache2_config.c

@@ -2217,7 +2217,6 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
 {
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
-#ifdef WITH_REMOTE_RULES_SUPPORT
     if (strncasecmp(p1, "warn", 4) == 0)
     {
         remote_rules_fail_action = REMOTE_RULES_WARN_ON_FAIL;
@@ -2231,10 +2230,6 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
         return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
                 "SecRemoteRulesFailAction, expected: Abort or Warn.");
     }
-#else
-    return apr_psprintf(cmd->pool, "ModSecurity: " \
-        "SecRemoteRules: ModSecurity was not compiled with such functionality.");
-#endif
 
     return NULL;
 }

apache2/mod_security2.c

@@ -70,8 +70,8 @@ unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
 #ifdef WITH_REMOTE_RULES_SUPPORT
 msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
-int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
 #endif
+int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
 
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 

apache2/modsecurity.h

@@ -148,8 +148,8 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
 
 #ifdef WITH_REMOTE_RULES_SUPPORT
 extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
-extern DSOLOCAL int remote_rules_fail_action;
 #endif
+extern DSOLOCAL int remote_rules_fail_action;
 
 extern DSOLOCAL int status_engine_state;
 

apache2/msc_remote_rules.c

@@ -274,6 +274,11 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
     if (curl)
     {
         struct curl_slist *headers_chunk = NULL;
+#ifdef WIN32
+        char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
+        char *ptr = NULL;
+        DWORD res_len;
+#endif
         curl_easy_setopt(curl, CURLOPT_URL, remote_rules_server->uri);
 
         headers_chunk = curl_slist_append(headers_chunk, apr_id);
@@ -286,6 +291,14 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
         /* Make it TLS 1.x only. */
         curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
 
+#ifdef WIN32
+        res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
+        if (res_len > 0) {
+            curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
+        }
+        free(buf);
+#endif
+
         /* those are the default options, but lets make sure */
         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);

apache2/msc_util.c

@@ -2673,6 +2673,11 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
 
     if (curl) {
         struct curl_slist *headers_chunk = NULL;
+#ifdef WIN32
+        char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
+        char *ptr = NULL;
+        DWORD res_len;
+#endif
         curl_easy_setopt(curl, CURLOPT_URL, uri);
 
         headers_chunk = curl_slist_append(headers_chunk, apr_id);
@@ -2687,7 +2692,15 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
         /* Make it TLS 1.x only. */
         curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
 
-        /* those are the default options, but lets make sure */
+#ifdef WIN32
+        res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
+        if (res_len > 0) {
+            curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
+        }
+        free(buf);
+#endif
+
+        /* thoseeare the default options, but lets make sure */
         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
         curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
 
@@ -2700,8 +2713,20 @@ int ip_tree_from_uri(TreeRoot **rtree, char *uri,
 
         if (res != CURLE_OK)
         {
-            *error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" error: %s ", uri, curl_easy_strerror(res));
-            return -1;
+            if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
+            {
+                ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                    "Failed to fetch \"%s\" error: %s ",
+                    uri, curl_easy_strerror(res));
+                return 0;
+            }
+            else
+            {
+                *error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" " \
+                    "error: %s ", uri,
+                    curl_easy_strerror(res));
+                return -1;
+            }
         }
 
         curl_easy_cleanup(curl);

apache2/re_operators.c

@@ -12,6 +12,7 @@
 * directly using the email address [email protected].
 */
 
+#include "modsecurity.h"
 #include "re.h"
 #include "msc_pcre.h"
 #include "msc_geo.h"
@@ -1307,6 +1308,11 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
 
             if (curl) {
                 struct curl_slist *headers_chunk = NULL;
+#ifdef WIN32
+                char *buf = malloc(sizeof(TCHAR) * (2048 + 1));
+                char *ptr = NULL;
+                DWORD res_len;
+#endif
                 curl_easy_setopt(curl, CURLOPT_URL, fn);
 
                 headers_chunk = curl_slist_append(headers_chunk, apr_id);
@@ -1321,6 +1327,14 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
                 /* Make it TLS 1.x only. */
                 curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
 
+#ifdef WIN32
+                res_len = SearchPathA(NULL, "curl-ca-bundle.crt", NULL, (2048 + 1), buf, &ptr);
+                if (res_len > 0) {
+                    curl_easy_setopt(curl, CURLOPT_CAINFO, strdup(buf));
+                }
+                free(buf);
+#endif
+
                 /* those are the default options, but lets make sure */
                 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 1);
                 curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST, 1);
@@ -1333,7 +1347,22 @@ static int msre_op_pmFromFile_param_init(msre_rule *rule, char **error_msg) {
                 res = curl_easy_perform(curl);
 
                 if (res != CURLE_OK)
-                    fprintf(stderr, "curl_easy_perform() failed: %s\n", curl_easy_strerror(res));
+                {
+                    if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
+                    {
+                        ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
+                            "Failed to fetch \"%s\" error: %s ", fn,
+                            curl_easy_strerror(res));
+                        return 1;
+                    }
+                    else
+                    {
+                        *error_msg = apr_psprintf(rule->ruleset->mp,
+                            "Failed to fetch \"%s\" error: %s ", fn,
+                            curl_easy_strerror(res));
+                        return 0;
+                    }
+                }
 
                 curl_easy_cleanup(curl);
                 curl_slist_free_all(headers_chunk);