Adds SecRemoteRules as an build option

SecRemoteRules adds a new dependency to libcurl. Before only mlogc was
depending on libcurl. SecRemoteRules also depends on the apr-tools with
crypto support, which (as reported by our buildbots) is not default in
some environments such as: MacOS X. This commit disable SecRemoteRules
support if apr-tools was not compiled with crypto support.

Author: Felipe Zimmerle

apache2/apache2_config.c

@@ -2217,7 +2217,7 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
 {
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
-
+#ifdef WITH_REMOTE_RULES_SUPPORT
     if (strncasecmp(p1, "warn", 4) == 0)
     {
         remote_rules_fail_action = REMOTE_RULES_WARN_ON_FAIL;
@@ -2231,6 +2231,10 @@ static const char *cmd_remote_rules_fail(cmd_parms *cmd, void *_dcfg, const char
         return apr_psprintf(cmd->pool, "ModSecurity: Invalid value for " \
                 "SecRemoteRulesFailAction, expected: Abort or Warn.");
     }
+#else
+    return apr_psprintf(cmd->pool, "ModSecurity: " \
+        "SecRemoteRules: ModSecurity was not compiled with such functionality.");
+#endif
 
     return NULL;
 }
@@ -2242,6 +2246,7 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
     directory_config *dcfg = (directory_config *)_dcfg;
     if (dcfg == NULL) return NULL;
 
+#ifdef WITH_REMOTE_RULES_SUPPORT
     // FIXME: make it https only.
     // if (strncasecmp(p1, "https", 5) != 0) {
     if (strncasecmp(p2, "http", 4) != 0) {
@@ -2274,6 +2279,10 @@ static const char *cmd_remote_rules(cmd_parms *cmd, void *_dcfg, const char *p1,
     {
         return error_msg;
     }
+#else
+    return apr_psprintf(cmd->pool, "ModSecurity:  " \
+        "SecRemoteRules: ModSecurity was not compiled with such functionality.");
+#endif
 
     return NULL;
 }

apache2/mod_security2.c

@@ -68,8 +68,10 @@ unsigned long int DSOLOCAL msc_pcre_match_limit = 0;
 
 unsigned long int DSOLOCAL msc_pcre_match_limit_recursion = 0;
 
+#ifdef WITH_REMOTE_RULES_SUPPORT
 msc_remote_rules_server DSOLOCAL *remote_rules_server = NULL;
 int DSOLOCAL remote_rules_fail_action = REMOTE_RULES_ABORT_ON_FAIL;
+#endif
 
 int DSOLOCAL status_engine_state = STATUS_ENGINE_DISABLED;
 
@@ -759,6 +761,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
         }
 #endif
 
+#ifdef WITH_REMOTE_RULES_SUPPORT
         if (remote_rules_server != NULL)
         {
             if (remote_rules_server->amount_of_rules == 1)
@@ -776,6 +779,7 @@ static int hook_post_config(apr_pool_t *mp, apr_pool_t *mp_log, apr_pool_t *mp_t
                     remote_rules_server->uri);
             }
         }
+#endif
     }
 
     srand((unsigned int)(time(NULL) * getpid()));

apache2/modsecurity.h

@@ -33,7 +33,6 @@ typedef struct msc_arg msc_arg;
 typedef struct msc_string msc_string;
 typedef struct msc_parm msc_parm;
 
-#include "msc_remote_rules.h"
 #include "msc_release.h"
 #include "msc_logging.h"
 #include "msc_multipart.h"
@@ -47,11 +46,13 @@ typedef struct msc_parm msc_parm;
 #include "msc_unicode.h"
 #include "re.h"
 #include "msc_crypt.h"
+#include "msc_remote_rules.h"
 
 #include "ap_config.h"
 #include "apr_md5.h"
 #include "apr_strings.h"
 #include "apr_hash.h"
+#include "apr_crypto.h"
 #include "httpd.h"
 #include "http_config.h"
 #include "http_log.h"
@@ -145,8 +146,10 @@ extern DSOLOCAL unsigned long int msc_pcre_match_limit;
 
 extern DSOLOCAL unsigned long int msc_pcre_match_limit_recursion;
 
+#ifdef WITH_REMOTE_RULES_SUPPORT
 extern DSOLOCAL msc_remote_rules_server *remote_rules_server;
 extern DSOLOCAL int remote_rules_fail_action;
+#endif
 
 extern DSOLOCAL int status_engine_state;
 

apache2/msc_remote_rules.c

@@ -26,9 +26,7 @@
 #define AP_MAX_ARGC 64
 #endif
 
-#ifndef APU_HAVE_CRYPTO
-#error Missing apu crypto module
-#endif
+#ifdef WITH_REMOTE_RULES_SUPPORT
 
 /**
  * @brief Insert a new SecRule to be processed by ModSecurity
@@ -716,3 +714,4 @@ int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk)
     return 0;
 }
 
+#endif

apache2/msc_remote_rules.h

@@ -12,22 +12,32 @@
 * directly using the email address security@modsecurity.org.
 */
 
+#if APU_HAVE_CRYPTO
+#define WITH_REMOTE_RULES_SUPPORT
+#endif
+
+#ifdef WITH_REMOTE_RULES_SUPPORT
+
 #ifndef MSC_REMOTE_RULES_H
 #define MSC_REMOTE_RULES_H
 
+/* forward declarations */
+typedef struct msc_remote_rules_server msc_remote_rules_server;
+struct msc_curl_memory_buffer_t;
+
+#include "modsecurity.h"
+
 #include <apr_general.h>
 #include <apr_optional.h>
 #include <apr_thread_pool.h>
-#include <curl/curl.h>
-
 #include <apr_sha1.h>
-#include <apr_crypto.h>
+
 #include "http_core.h"
+#include "http_config.h"
 
-typedef struct msc_remote_rules_server msc_remote_rules_server;
-struct msc_curl_memory_buffer_t;
+#include <curl/curl.h>
 
-#include "modsecurity.h"
+#include <apr_crypto.h>
 
 struct msc_remote_rules_server {
         directory_config *context;
@@ -38,7 +48,7 @@ struct msc_remote_rules_server {
 };
 
 const char *msc_remote_invoke_cmd(const command_rec *cmd, cmd_parms *parms,
-                              void *mconfig, const char *args);
+                             void *mconfig, const char *args);
 
 int msc_remote_grab_content(apr_pool_t *mp, const char *uri, const char *key,
     struct msc_curl_memory_buffer_t *chunk, char **error_msg);
@@ -64,4 +74,5 @@ int msc_remote_add_rules_from_uri(cmd_parms *orig_parms,
 int msc_remote_clean_chunk(struct msc_curl_memory_buffer_t *chunk);
 
 #endif
+#endif