Build OpenSSL with no-asm to remove AVX2 dependency (#2493)

To support machines without AVX2 features we need to avoid compiling
and linking the dependent instructions found in the ASM implementations
of some OpenSSL crypto algorithms.

Additionally, we are removing the SSL3 methods from our OpenSSL build.
The osquery TLS plugins explicitly define a cipher list that excludes
SSL3, but as an extra measure (for plugins not using our transports)
we remove it from ASIO and Thrift too.
This commit is contained in:
Teddy Reed 2016-09-21 10:37:07 -07:00 committed by GitHub
parent f87e9df38f
commit 94df7cb691
5 changed files with 52 additions and 25 deletions


@ -150,7 +150,7 @@ ifeq ($(PLATFORM),Linux)
@ln -snf $(BUILD_DIR) build/linux @ln -snf $(BUILD_DIR) build/linux
@ln -snf debug_$(BUILD_DIR) build/debug_linux @ln -snf debug_$(BUILD_DIR) build/debug_linux
endif endif
@export PYTHONPATH="$DEPS_DIR/lib/python2.7/site-packages"
package: .setup package: .setup
# Alias for packages (do not use CPack) # Alias for packages (do not use CPack)


@ -3,9 +3,10 @@ require File.expand_path("../Abstract/abstract-osquery-formula", __FILE__)
class Asio < AbstractOsqueryFormula class Asio < AbstractOsqueryFormula
desc "Cross-platform C++ Library for asynchronous programming" desc "Cross-platform C++ Library for asynchronous programming"
homepage "https://think-async.com/Asio" homepage "https://think-async.com/Asio"
url "https://downloads.sourceforge.net/project/asio/asio/1.10.6%20%28Stable%29/asio-1.10.6.tar.bz2" url "https://github.com/chriskohlhoff/asio/archive/asio-1-10-8.tar.gz"
sha256 "e0d71c40a7b1f6c1334008fb279e7361b32a063e020efd21e40d9d8ff037195e" sha256 "fc475c6b737ad92b944babdc3e5dcf5837b663f54ba64055dc3d8fc4a3061372"
head "https://github.com/chriskohlhoff/asio.git" head "https://github.com/chriskohlhoff/asio.git"
version "1.10.8"
bottle do bottle do
root_url "https://osquery-packages.s3.amazonaws.com/bottles" root_url "https://osquery-packages.s3.amazonaws.com/bottles"
@ -23,13 +24,8 @@ class Asio < AbstractOsqueryFormula
def install def install
ENV.cxx11 ENV.cxx11
ENV.append "CPPFLAGS", "-DOPENSSL_NO_SSL3"
if build.head?
cd "asio"
system "./autogen.sh"
else
system "autoconf" unless OS.mac?
end
args = %W[ args = %W[
--disable-dependency-tracking --disable-dependency-tracking
--disable-silent-rules --disable-silent-rules
@ -37,8 +33,9 @@ class Asio < AbstractOsqueryFormula
] ]
args << "--enable-boost-coroutine" if build.with? "boost-coroutine" args << "--enable-boost-coroutine" if build.with? "boost-coroutine"
cd "asio"
system "./autogen.sh"
system "./configure", *args system "./configure", *args
system "make", "install" system "make", "install"
#pkgshare.install "src/examples"
end end
end end
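Review bot: The new `ENV.append "CPPFLAGS", "-DOPENSSL_NO_SSL3"` at the top of `install` only reaches what this formula compiles itself; asio is header-only, so osquery's own translation units see `OPENSSL_NO_SSL3` from the `no-ssl3` OpenSSL's `opensslconf.h`, not from this flag. That makes the line belt-and-braces rather than the mechanism, which is worth stating so nobody later assumes removing it re-enables SSLv3 for consumers, e.g. `# OpenSSL is built no-ssl3 (its opensslconf.h defines OPENSSL_NO_SSL3 for consumers); this only guards asio's own build`. The switch from the SourceForge tarball to the GitHub archive keeps a pinned `sha256`, so a regenerated archive fails closed rather than silently changing contents. The unconditional `cd "asio"` / `./autogen.sh` replaces the `build.head?` branch, so stable builds now need the autotools available as well, which the formula does not declare in the visible lines.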


@ -7,6 +7,7 @@ class Openssl < AbstractOsqueryFormula
mirror "https://dl.bintray.com/homebrew/mirror/openssl-1.0.2h.tar.gz" mirror "https://dl.bintray.com/homebrew/mirror/openssl-1.0.2h.tar.gz"
mirror "https://www.mirrorservice.org/sites/ftp.openssl.org/source/openssl-1.0.2h.tar.gz" mirror "https://www.mirrorservice.org/sites/ftp.openssl.org/source/openssl-1.0.2h.tar.gz"
sha256 "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919" sha256 "1d4007e53aad94a5b2002fe045ee7bb0b3d98f1a47f8b2bc851dcd1c74332919"
revision 1
bottle do bottle do
root_url "https://osquery-packages.s3.amazonaws.com/bottles" root_url "https://osquery-packages.s3.amazonaws.com/bottles"
@ -22,10 +23,6 @@ class Openssl < AbstractOsqueryFormula
sha256 "2c6d4960579b0d4fd46c6cbf135545116e76f2dbb7490e24cf330f2565770362" sha256 "2c6d4960579b0d4fd46c6cbf135545116e76f2dbb7490e24cf330f2565770362"
end end
keg_only :provided_by_osx,
"Apple has deprecated use of OpenSSL in favor of its own TLS and crypto libraries"
option :universal
option "without-test", "Skip build-time tests (not recommended)" option "without-test", "Skip build-time tests (not recommended)"
deprecated_option "without-check" => "without-test" deprecated_option "without-check" => "without-test"
@ -46,6 +43,8 @@ class Openssl < AbstractOsqueryFormula
--prefix=#{prefix} --prefix=#{prefix}
--openssldir=#{openssldir} --openssldir=#{openssldir}
no-ssl2 no-ssl2
no-ssl3
no-asm
zlib-dynamic zlib-dynamic
shared shared
enable-cms enable-cms
@ -62,14 +61,7 @@ class Openssl < AbstractOsqueryFormula
'zlib_dso = DSO_load(NULL, "z", NULL, 0);', 'zlib_dso = DSO_load(NULL, "z", NULL, 0);',
'zlib_dso = DSO_load(NULL, "/usr/lib/libz.dylib", NULL, DSO_FLAG_NO_NAME_TRANSLATION);' if OS.mac? 'zlib_dso = DSO_load(NULL, "/usr/lib/libz.dylib", NULL, DSO_FLAG_NO_NAME_TRANSLATION);' if OS.mac?
if build.universal? archs = [Hardware::CPU.arch_64_bit]
ENV.permit_arch_flags
archs = Hardware::CPU.universal_archs
elsif MacOS.prefer_64_bit?
archs = [Hardware::CPU.arch_64_bit]
else
archs = [Hardware::CPU.arch_32_bit]
end
dirs = [] dirs = []
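Review bot: `no-asm`, added beside `no-ssl3` in the configure arguments, disables every assembly path rather than only the AVX2 ones: AES-NI, the constant-time vpaes/bsaes AES routines and the SHA/GHASH asm are all replaced by the portable C code, which is much slower and, for AES, table-driven rather than hardware-backed. OpenSSL's asm already dispatches on CPU capability at runtime, so if the only goal is to avoid executing AVX2 code on older hosts, the `OPENSSL_ia32cap` capability mask is a narrower alternative; if the build-time problem the commit describes is the real constraint, `no-asm` should carry a comment recording the trade-off, e.g. `no-asm # drops all asm (incl. AES-NI) so pre-AVX2 hosts can run this build`. The `archs = [Hardware::CPU.arch_64_bit]` replacement is consistent with dropping `option :universal` above, but it also removes the 32-bit fallback that `MacOS.prefer_64_bit?` previously selected.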


@ -5,6 +5,7 @@ class Thrift < AbstractOsqueryFormula
homepage "https://thrift.apache.org/" homepage "https://thrift.apache.org/"
url "https://www.apache.org/dyn/closer.cgi?path=/thrift/0.9.3/thrift-0.9.3.tar.gz" url "https://www.apache.org/dyn/closer.cgi?path=/thrift/0.9.3/thrift-0.9.3.tar.gz"
sha256 "b0740a070ac09adde04d43e852ce4c320564a292f26521c46b78e0641564969e" sha256 "b0740a070ac09adde04d43e852ce4c320564a292f26521c46b78e0641564969e"
revision 1
bottle do bottle do
root_url "https://osquery-packages.s3.amazonaws.com/bottles" root_url "https://osquery-packages.s3.amazonaws.com/bottles"
@ -17,9 +18,16 @@ class Thrift < AbstractOsqueryFormula
depends_on "openssl" depends_on "openssl"
depends_on :python => :optional depends_on :python => :optional
# Remove SSLv3
# See https://github.com/apache/thrift/commit/b819260c653f6fd9602419ee2541060ecb930c4c
patch :DATA
def install def install
ENV.cxx11 ENV.cxx11
ENV["PY_PREFIX"] = prefix ENV["PY_PREFIX"] = prefix
ENV.append "CPPFLAGS", "-DOPENSSL_NO_SSL3"
rm_rf Dir["#{HOMEBREW_PREFIX}/lib/python2.7/site-packages/thrift"]
exclusions = [ exclusions = [
"--without-ruby", "--without-ruby",
@ -33,10 +41,10 @@ class Thrift < AbstractOsqueryFormula
"--without-go", "--without-go",
"--without-qt", "--without-qt",
"--without-qt4", "--without-qt4",
"--without-node", "--without-nodejs",
"--with-cpp", "--with-cpp",
"--with-python", "--with-python",
"--with-openssl=#{Formula["openssl"]}" "--with-openssl=#{HOMEBREW_PREFIX}"
] ]
system "./bootstrap.sh" unless build.stable? system "./bootstrap.sh" unless build.stable?
@ -48,3 +56,20 @@ class Thrift < AbstractOsqueryFormula
system "make", "install" system "make", "install"
end end
end end
__END__
diff --git a/lib/cpp/src/thrift/transport/TSSLSocket.cpp b/lib/cpp/src/thrift/transport/TSSLSocket.cpp
index 98c5326..7c73f4e 100644
--- a/lib/cpp/src/thrift/transport/TSSLSocket.cpp
+++ b/lib/cpp/src/thrift/transport/TSSLSocket.cpp
@@ -139,8 +139,10 @@ static char uppercase(char c);
SSLContext::SSLContext(const SSLProtocol& protocol) {
if (protocol == SSLTLS) {
ctx_ = SSL_CTX_new(SSLv23_method());
+#ifndef OPENSSL_NO_SSL3
} else if (protocol == SSLv3) {
ctx_ = SSL_CTX_new(SSLv3_method());
+#endif
} else if (protocol == TLSv1_0) {
ctx_ = SSL_CTX_new(TLSv1_method());
} else if (protocol == TLSv1_1) {
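Review bot: After the DATA patch at the end of the formula, a caller passing `SSLv3` matches none of the remaining branches of `SSLContext::SSLContext`, so the outcome depends on the chain's final `else`, which lies outside the hunk; if it throws as upstream Thrift does the request fails closed, otherwise `ctx_` is left unset. That behaviour should be confirmed and recorded in the comment above `patch :DATA`, e.g. `# With OPENSSL_NO_SSL3 the SSLv3 branch is compiled out; SSLv3 requests fall through to the chain's final else`. The `ENV.append "CPPFLAGS", "-DOPENSSL_NO_SSL3"` in `install` is what makes that `#ifndef` take effect for Thrift's own compile, in addition to the define the `no-ssl3` OpenSSL headers provide. The `--with-openssl=#{HOMEBREW_PREFIX}` change points configure at the shared prefix rather than the openssl formula's own prefix, so it presumably relies on the osquery-built OpenSSL being the one installed there; a short comment saying so would help.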


@ -48,6 +48,7 @@ function setup_brew() {
export HOMEBREW_CACHE="$DEPS/.cache/" export HOMEBREW_CACHE="$DEPS/.cache/"
export HOMEBREW_MAKE_JOBS=$THREADS export HOMEBREW_MAKE_JOBS=$THREADS
export HOMEBREW_NO_EMOJI=1 export HOMEBREW_NO_EMOJI=1
export HOMEBREW_BOTTLE_ARCH=core2
export BREW="$DEPS/bin/brew" export BREW="$DEPS/bin/brew"
TAPS="$DEPS/Library/Taps/" TAPS="$DEPS/Library/Taps/"
@ -110,7 +111,7 @@ function brew_internal() {
shift shift
shift shift
if [[ "$TYPE" = "upstream" || "$TYPE" = "upstream-link" ]]; then if [[ "$TYPE" = "upstream" || "$TYPE" = "upstream-link" || "$TYPE" = "uninstall" ]]; then
FORMULA="$TOOL" FORMULA="$TOOL"
else else
FORMULA="osquery/homebrew-osquery-local/${TOOL}" FORMULA="osquery/homebrew-osquery-local/${TOOL}"
@ -127,6 +128,14 @@ function brew_internal() {
# Add build arguments depending on requested from-source or default build. # Add build arguments depending on requested from-source or default build.
ARGS="$@" ARGS="$@"
if [[ "$TYPE" = "uninstall" ]]; then
if [[ ! "$INSTALLED" = "NAN" ]]; then
log "brew package $TOOL uninstalling version: ${STABLE}"
$BREW uninstall --force "${FORMULA}"
fi
return
fi
# Configure additional arguments if installing from a local formula. # Configure additional arguments if installing from a local formula.
ARGS="$ARGS --ignore-dependencies --env=inherit" ARGS="$ARGS --ignore-dependencies --env=inherit"
if [[ ! "$TYPE" = "upstream" ]]; then if [[ ! "$TYPE" = "upstream" ]]; then
@ -192,6 +201,10 @@ function local_brew_unlink() {
brew_internal "unlink" $@ brew_internal "unlink" $@
} }
function local_brew_uninstall() {
brew_internal "uninstall" $@
}
function brew_tool() { function brew_tool() {
brew_internal "upstream" $@ brew_internal "upstream" $@
} }
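Review bot: In the new `uninstall` branch of `brew_internal` the log line reports `${STABLE}`, but `$BREW uninstall --force "${FORMULA}"` removes every installed keg of the formula, so the printed version is the stable target rather than what is actually removed; `${INSTALLED}`, the value the guard already tests, looks like the intended variable, though both are set outside the hunk. Suggested line: `log "brew package $TOOL uninstalling version: ${INSTALLED}"`. `$BREW` and the `$@` forwarded by the new `local_brew_uninstall` are unquoted, which matches the existing style of the file but will split on spaces in paths. `brew_internal` starts and ends outside the hunk.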