Makes Curl no longer a mandatory depedency for ModSecurity core

	As reported by Rainer Jung, Curl may not be mandatory to build
	ModSecurity core. This patch make it optional by:
	- Concentrate all downloads using curl on msc_remote_rules.c
	- Split Curl build definitions checks into: WITH_CURL, WITH_REMOTE_RULES
	and WITH_CRYPTO.
	  - WITH_CURL: Contains Culr headers and binaries during the build time.
	  - WITH_REMOTE_RULES: Currently enabled if Curl is present.
	  - WITH_CRYPTO: Set if apr tool was compiled with crypto support.
	- Renames msc_remote_grab_content to msc_remote_download_content

Author: Felipe Zimmerle

CHANGES

@@ -1,3 +1,9 @@
+DD mmm YYYY - 2.9.????? (To be released)
+-----------------------
+
+ * Curl is not a mandatory dependency to ModSecurity core anymore.
+   [Rainer Jung and ModSecurity team]
+
 18 Nov 2014 - 2.9.0-RC1
 -----------------------
 

apache2/apache2_config.c

@@ -2239,20 +2239,26 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
 {
     char *error_msg = NULL;
     directory_config *dcfg = (directory_config *)_dcfg;
-#ifdef WITH_REMOTE_RULES_SUPPORT
+#ifdef WITH_REMOTE_RULES
     int crypto = 0;
     const char *uri = p2;
     const char *key = p1;
 #endif
 
     if (dcfg == NULL) return NULL;
 
-#ifdef WITH_REMOTE_RULES_SUPPORT
+#ifdef WITH_REMOTE_RULES
     if (strncasecmp(p1, "crypto", 6) == 0)
     {
+#ifdef WITH_APU_CRYPTO
         uri = p3;
         key = p2;
         crypto = 1;
+#else
+        return apr_psprintf(cmd->pool, "ModSecurity: SecRemoteRule using " \
+                "`crypto' but ModSecurity was not compiled with crypto " \
+                "support.");
+#endif
     }
 
     if (uri == NULL || key == NULL)
@@ -2269,14 +2275,14 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
     // FIXME: Should we handle more then one server at once?
     if (remote_rules_server != NULL)
     {
-        return apr_psprintf(cmd->pool, "ModSecurity:  " \
+        return apr_psprintf(cmd->pool, "ModSecurity: " \
                 "SecRemoteRules cannot be used more than once.");
     }
 
     remote_rules_server = apr_pcalloc(cmd->pool, sizeof(msc_remote_rules_server));
     if (remote_rules_server == NULL)
     {
-        return apr_psprintf(cmd->pool, "ModSecurity:  " \
+        return apr_psprintf(cmd->pool, "ModSecurity: " \
                 "SecRemoteRules: Internal failure. Not enougth memory.");
     }
 
@@ -2293,8 +2299,8 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
         return error_msg;
     }
 #else
-    return apr_psprintf(cmd->pool, "ModSecurity:  " \
-        "SecRemoteRules: ModSecurity was not compiled with such functionality.");
+    return apr_psprintf(cmd->pool, "ModSecurity: SecRemoteRules: " \
+            "ModSecurity was not compiled with SecRemoteRules support.");
 #endif
 
     return NULL;

apache2/mod_security2.c

@@ -68,7 +68,7 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
 
 unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
-#ifdef WITH_REMOTE_RULES_SUPPORT
+#ifdef WITH_REMOTE_RULES
 msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
 #endif
 int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
@@ -761,7 +761,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
         }
 #endif
 
-#ifdef WITH_REMOTE_RULES_SUPPORT
+#ifdef WITH_REMOTE_RULES
         if (remote_rules_server != NULL)
         {
             if (remote_rules_server->amount_of_rules == 1)

apache2/modsecurity.h

@@ -146,7 +146,7 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;
 
 extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
 
-#ifdef WITH_REMOTE_RULES_SUPPORT
+#ifdef WITH_REMOTE_RULES
 extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
 #endif
 extern DSOLOCAL int remote_rules_fail_action;

apache2/msc_remote_rules.c

@@ -16,17 +16,22 @@
 #include "msc_status_engine.h"
 
 #include <apr_thread_pool.h>
+
+#ifdef WITH_CURL
 #include <curl/curl.h>
+#endif
 
 #include <apu.h>
+
+#ifdef WITH_REMOTE_RULES
 #include <apr_crypto.h>
 #include <apr_sha1.h>
+#endif
 
 #ifndef AP_MAX_ARGC
 #define AP_MAX_ARGC 64
 #endif
 
-#ifdef WITH_REMOTE_RULES_SUPPORT
 
 /**
  * @brief Insert a new SecRule to be processed by ModSecurity
@@ -201,6 +206,7 @@ const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
                            NULL);
     }
 }
+
 /**
  * @brief Fetch an URL and fill the content into a memory buffer.
  *
@@ -225,21 +231,25 @@ const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
  *
  * @retval n>=0 everything went fine.
  * @retval n<-1 Something wrong happened, further details on error_msg.
+ *         n=-2 Download failed, but operation should not be aborted.
+ *         n=-3 ModSecurity was not compiled with curl support.
  *
  */
-int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
+int msc_remote_download_content(apr_pool_t *mp, const char *uri, const char *key,
     struct msc_curl_memory_buffer_t *chunk, char **error_msg)
 {
+#ifdef WITH_CURL
     CURL *curl;
     CURLcode res;
 
     char id[(APR_SHA1_DIGESTSIZE*2) + 1];
     char *apr_id = NULL;
     char *beacon_str = NULL;
     char *beacon_apr = NULL;
-    char *header_key = NULL;
     int beacon_str_len = 0;
 
+    chunk->size = 0;
+
     memset(id, '\0', sizeof(id));
     if (msc_status_engine_unique_id(id))
     {
@@ -266,11 +276,6 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
         free(beacon_str);
     }
 
-    if (key != NULL)
-    {
-        header_key = apr_psprintf(mp, "ModSec-key: %s", key);
-    }
-
     if (curl)
     {
         struct curl_slist *headers_chunk = NULL;
@@ -279,12 +284,14 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
         char *ptr = NULL;
         DWORD res_len;
 #endif
-        curl_easy_setopt(curl, CURLOPT_URL, remote_rules_server->uri);
+        curl_easy_setopt(curl, CURLOPT_URL, uri);
 
         headers_chunk = curl_slist_append(headers_chunk, apr_id);
         headers_chunk = curl_slist_append(headers_chunk, beacon_apr);
         if (key != NULL)
         {
+            char *header_key = NULL;
+            header_key = apr_psprintf(mp, "ModSec-key: %s", key);
             headers_chunk = curl_slist_append(headers_chunk, header_key);
         }
 
@@ -321,17 +328,19 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
             if (remote_rules_fail_action == REMOTE_RULES_WARN_ON_FAIL)
             {
                  ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
-                         "Failed to fetch \"%s\" error: %s ",
-                         remote_rules_server->uri, curl_easy_strerror(res));
+                         "Failed to download \"%s\" error: %s ",
+                         uri, curl_easy_strerror(res));
+
+                 return -2;
             }
             else
             {
-                *error_msg = apr_psprintf(mp, "Failed to fetch \"%s\" " \
+                *error_msg = apr_psprintf(mp, "Failed to download \"%s\" " \
                     "error: %s ",
-                    remote_rules_server->uri, curl_easy_strerror(res));
-            }
+                    uri, curl_easy_strerror(res));
 
-            return -1;
+                return -1;
+            }
         }
 
         curl_slist_free_all(headers_chunk);
@@ -341,8 +350,12 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
 
     curl_global_cleanup();
     return 0;
+#else
+    return -3;
+#endif
 }
 
+
 /**
  * @brief Setup an apr_crypto_key_t from a given password and salt.
  *
@@ -369,6 +382,7 @@ int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
  * @retval n<-1 Something wrong happened, check error_msg for further details.
  *
  */
+#ifdef WITH_APU_CRYPTO
 int msc_remote_enc_key_setup(apr_pool_t *pool,
     const char *key,
     apr_crypto_key_t **apr_key,
@@ -411,11 +425,6 @@ int msc_remote_enc_key_setup(apr_pool_t *pool,
         *error_msg = "Internal error - apr_crypto_passphrase: APR_EKEYTYPE";
         return -1;
     }
-    else if (rv == APR_EKEYTYPE)
-    {
-        *error_msg = "Internal error - apr_crypto_passphrase: APR_EKEYTYPE";
-        return -1;
-    }
     else if (rv != APR_SUCCESS)
     {
         *error_msg = "Internal error - apr_crypto_passphrase: Unknown error";
@@ -424,6 +433,7 @@ int msc_remote_enc_key_setup(apr_pool_t *pool,
 
     return 0;
 }
+#endif
 
 /**
  * @brief Decrypt an buffer into a memory buffer.
@@ -449,6 +459,7 @@ int msc_remote_enc_key_setup(apr_pool_t *pool,
  * @retval n<-1 Something wrong happened, further details on error_msg.
  *
  */
+#ifdef WITH_APU_CRYPTO
 int msc_remote_decrypt(apr_pool_t *pool,
         const char *key,
         struct msc_curl_memory_buffer_t *chunk,
@@ -488,12 +499,9 @@ int msc_remote_decrypt(apr_pool_t *pool,
         return -1;
     }
 
-#ifndef APU_CRYPTO_RECOMMENDED_DRIVER
-    rv = apr_crypto_get_driver(&driver, "openssl", NULL, &err, pool);
-#else
     rv = apr_crypto_get_driver(&driver, APU_CRYPTO_RECOMMENDED_DRIVER, NULL,
             &err, pool);
-#endif
+
     if (rv != APR_SUCCESS || driver == NULL)
     {
         *error_msg = "Internal error - apr_crypto_get_driver: Unknown error";
@@ -573,7 +581,7 @@ int msc_remote_decrypt(apr_pool_t *pool,
 
     return 0;
 }
-
+#endif
 
 /**
  * @brief Add SecRules from a given URI.
@@ -598,6 +606,8 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
         msc_remote_rules_server *remote_rules_server,
         char **error_msg)
 {
+
+#ifdef WITH_REMOTE_RULES
     struct msc_curl_memory_buffer_t chunk_encrypted;
     unsigned char *plain_text = NULL;
     int len = 0;
@@ -612,13 +622,12 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
     chunk_encrypted.size = 0;
     chunk_encrypted.memory = NULL;
 
-    res = msc_remote_grab_content(mp, remote_rules_server->uri,
+    res = msc_remote_download_content(mp, remote_rules_server->uri,
             remote_rules_server->key, &chunk_encrypted, error_msg);
     if (*error_msg != NULL)
     {
         return -1;
     }
-
     /* error_msg is not filled when the user set SecRemoteRulesFailAction
      * to warn
      */
@@ -629,14 +638,21 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
 
     if (remote_rules_server->crypto == 1)
     {
+#ifdef WITH_APU_CRYPTO
         msc_remote_decrypt(mp, remote_rules_server->key, &chunk_encrypted,
             &plain_text,
             &plain_text_len,
             error_msg);
         if (*error_msg != NULL)
         {
+            msc_remote_clean_chunk(&chunk_encrypted);
             return -1;
         }
+#else
+        *error_msg = "ModSecurity was not compiled with crypto support.\n";
+        msc_remote_clean_chunk(&chunk_encrypted);
+        return -1;
+#endif
 
         msc_remote_clean_chunk(&chunk_encrypted);
     }
@@ -725,12 +741,17 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
     {
         msc_remote_clean_chunk(&chunk_encrypted);
     }
+#else
+    *error_msg = "SecRemoteRules was not enabled during ModSecurity " \
+        "compilation.";
+    return -1;
+#endif
 }
 
 
 int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk)
 {
-    if (chunk->size <= 0)
+    if (chunk->size == 0)
     {
         goto end;
     }
@@ -747,4 +768,3 @@ int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk)
     return 0;
 }
 
-#endif