tls: Disable TLS 1.0 and TLS 1.1

- Disable support for TLS 1.0 and TLS 1.1 which are deprecated protocols. - Updated Thrift to 0.19.0 and patched out use of TLS 1.0 and 1.1 functions, to make the library compile.
Smjert · Jan 19, 2024 · e5ae2ac · e5ae2ac
1 parent 612656b
commit e5ae2ac
Show file tree

Hide file tree

Showing 8 changed files with 75 additions and 20 deletions.
diff --git a/libraries/cmake/formula/openssl/CMakeLists.txt b/libraries/cmake/formula/openssl/CMakeLists.txt
@@ -11,6 +11,11 @@ function(opensslMain)
 
   set(common_options
     no-ssl3
+    no-ssl3-method
+    no-tls1
+    no-tls1-method
+    no-tls1_1
+    no-tls1_1-method
     no-asm
     no-shared
     no-weak-ssl-ciphers

diff --git a/libraries/cmake/source/modules/Findthrift.cmake b/libraries/cmake/source/modules/Findthrift.cmake
@@ -12,4 +12,7 @@ importSourceSubmodule(
 
   SHALLOW_SUBMODULES
     "src"
+
+  PATCH
+    "src"
 )
diff --git a/libraries/cmake/source/thrift/CMakeLists.txt b/libraries/cmake/source/thrift/CMakeLists.txt
@@ -6,7 +6,7 @@
 # SPDX-License-Identifier: (Apache-2.0 OR GPL-2.0-only)
 
 function(thriftMain)
-  set(library_root "${CMAKE_CURRENT_SOURCE_DIR}/src/lib/cpp")
+  set(library_root "${OSQUERY_thrift_ROOT_DIR}/lib/cpp")
 
   if(PLATFORM_WINDOWS)
     set(thrift_config_path "${CMAKE_CURRENT_SOURCE_DIR}/config/windows/${TARGET_PROCESSOR}")
@@ -42,7 +42,6 @@ function(thriftMain)
     "${library_root}/src/thrift/async/TAsyncChannel.cpp"
     "${library_root}/src/thrift/async/TAsyncProtocolProcessor.cpp"
     "${library_root}/src/thrift/async/TConcurrentClientSyncInfo.cpp"
-    "${library_root}/src/thrift/async/TConcurrentClientSyncInfo.h"
     "${library_root}/src/thrift/concurrency/Monitor.cpp"
     "${library_root}/src/thrift/concurrency/Mutex.cpp"
     "${library_root}/src/thrift/concurrency/Thread.cpp"
@@ -56,6 +55,7 @@ function(thriftMain)
     "${library_root}/src/thrift/protocol/TMultiplexedProtocol.cpp"
     "${library_root}/src/thrift/protocol/TProtocol.cpp"
     "${library_root}/src/thrift/server/TConnectedClient.cpp"
+    "${library_root}/src/thrift/server/TServer.cpp"
     "${library_root}/src/thrift/server/TServerFramework.cpp"
     "${library_root}/src/thrift/server/TSimpleServer.cpp"
     "${library_root}/src/thrift/server/TThreadedServer.cpp"
@@ -80,7 +80,7 @@ function(thriftMain)
     "${library_root}/src/thrift/transport/TTransportException.cpp"
     "${library_root}/src/thrift/transport/TTransportUtils.cpp"
     "${library_root}/src/thrift/transport/TWebSocketServer.cpp"
-    "${library_root}/src/thrift/transport/TWebSocketServer.h"
+    "${library_root}/src/thrift/VirtualProfiling.cpp"
   )
 
   if(PLATFORM_POSIX)

diff --git a/libraries/cmake/source/thrift/README.md b/libraries/cmake/source/thrift/README.md
@@ -1,5 +1,26 @@
 # thrift library build notes
 
+Keep a build of the osquery `openssl` target ready, one for each architecture and platform, since it will need to be used to properly configure Thrift.
+
+Prepare a directory with the boost headers in the install structure, which should create a `include` directory toplevel, which is supposed to be saved into the env var `BOOST_HEADERS`.
+The structure of the folder can be obtained with the following script, after having moved inside of it:
+```sh
+#!/bin/bash
+mkdir -p include/boost
+libs=$(find <osquery source path>/libraries/cmake/source/boost/src/libs -mindepth 1 -maxdepth 1)
+
+for lib in $libs; do
+  if ! [ -d "$lib/include/boost" ]; then
+    continue
+  fi
+
+  rsync -av "$lib/include/boost/"* include/boost
+
+done
+```
+
+This can be then used on all platforms.
+
 ## Linux
 
 Integrate the osquery-toolchain; you can use the `cmake/toolchain.cmake` as a reference.
@@ -16,6 +37,7 @@ cmake \
   -DBUILD_SHARED_LIBS=OFF \
   -DWITH_OPENSSL=ON \
   -DWITH_ZLIB=ON \
+  -DWITH_LIBEVENT=OFF \
   -DOSQUERY_TOOLCHAIN_SYSROOT=/usr/local/osquery-toolchain
 ```
 
@@ -24,53 +46,61 @@ cmake \
 ### macOS x86_64
 
 ```sh
+export OSQUERY_SRC="<osquery source directory>"
+export OSQUERY_BUILD="<osquery build directory>"
+
 cmake \
   -S . \
   -B b \
   -DBUILD_SHARED_LIBS=OFF \
   -DBoost_USE_STATIC_LIBS=ON \
-  -DBoost_INCLUDE_DIR=path/to/osquery/libraries/cmake/source/boost/src/libs/config/include/ \
+  -DBoost_INCLUDE_DIR=${BOOST_HEADERS} \
   -DWITH_OPENSSL=ON \
   -DWITH_ZLIB=ON \
+  -DWITH_LIBEVENT=OFF \
   -DBUILD_COMPILER=OFF \
   -DBUILD_C_GLIB=OFF \
   -DBUILD_JAVA=OFF \
   -DBUILD_JAVASCRIPT=OFF \
   -DBUILD_NODEJS=OFF \
   -DBUILD_KOTLIN=OFF \
   -DBUILD_PYTHON=OFF \
+  -DBUILD_TESTING=OFF \
   -DCMAKE_BUILD_TYPE=Release \
-  -DCMAKE_OSX_SYSROOT=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX12.3.sdk \
-  -DCMAKE_OSX_DEPLOYMENT_TARGET=10.14 \
+  -DCMAKE_OSX_SYSROOT=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk \
+  -DCMAKE_OSX_DEPLOYMENT_TARGET=10.15 \
   -DCMAKE_OSX_ARCHITECTURES=x86_64 \
-  -DOPENSSL_ROOT_DIR=/usr/local/Cellar/openssl@1.1/1.1.1s
+  -DOPENSSL_ROOT_DIR=${OSQUERY_BUILD}/installed_formulas/openssl
 ```
 
 ### macOS ARM (M1, M2, etc.)
 
-Pre-requisite: `brew install [email protected]`
-
 ```sh
+export OSQUERY_SRC="<osquery source directory>"
+export OSQUERY_BUILD="<osquery build directory>"
+
 cmake \
   -S . \
   -B b \
   -DBUILD_SHARED_LIBS=OFF \
   -DBoost_USE_STATIC_LIBS=ON \
-  -DBoost_INCLUDE_DIR=path/to/osquery/libraries/cmake/source/boost/src/libs/config/include \
+  -DBoost_INCLUDE_DIR=${BOOST_HEADERS} \
   -DWITH_OPENSSL=ON \
   -DWITH_ZLIB=ON \
+  -DWITH_LIBEVENT=OFF \
   -DBUILD_COMPILER=OFF \
   -DBUILD_C_GLIB=OFF \
   -DBUILD_JAVA=OFF \
   -DBUILD_JAVASCRIPT=OFF \
   -DBUILD_NODEJS=OFF \
   -DBUILD_KOTLIN=OFF \
   -DBUILD_PYTHON=OFF \
+  -DBUILD_TESTING=OFF \
   -DCMAKE_BUILD_TYPE=Release \
-  -DCMAKE_OSX_SYSROOT=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.sdk \
+  -DCMAKE_OSX_SYSROOT=/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX14.2.sdk \
   -DCMAKE_OSX_DEPLOYMENT_TARGET=10.15 \
   -DCMAKE_OSX_ARCHITECTURES=arm64 \
-  -DOPENSSL_ROOT_DIR=/opt/homebrew/Cellar/openssl@1.1/1.1.1s
+  -DOPENSSL_ROOT_DIR=${OSQUERY_BUILD}/installed_formulas/openssl
 ```
 
 ## Windows
@@ -85,6 +115,7 @@ cmake ^
   -DBoost_USE_STATIC_LIBS=ON ^
   -DWITH_OPENSSL=ON ^
   -DWITH_ZLIB=ON ^
+  -DWITH_LIBEVENT=OFF ^
   -DBUILD_COMPILER=OFF ^
   -DBUILD_C_GLIB=OFF ^
   -DBUILD_JAVA=OFF ^
@@ -107,6 +138,7 @@ cmake ^
   -DBoost_USE_STATIC_LIBS=ON ^
   -DWITH_OPENSSL=ON ^
   -DWITH_ZLIB=ON ^
+  -DWITH_LIBEVENT=OFF ^
   -DBUILD_COMPILER=OFF ^
   -DBUILD_C_GLIB=OFF ^
   -DBUILD_JAVA=OFF ^

diff --git a/libraries/cmake/source/thrift/config/macos/aarch64/thrift/config.h b/libraries/cmake/source/thrift/config/macos/aarch64/thrift/config.h
@@ -39,10 +39,10 @@
 /* #undef PACKAGE_URL */
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.17.0"
+#define PACKAGE_VERSION "0.19.0"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING " 0.17.0"
+#define PACKAGE_STRING " 0.19.0"
 
 /************************** DEFINES *************************/
 
@@ -133,9 +133,9 @@
 /* Define to 1 if you have the <strings.h> header file. */
 #define HAVE_STRINGS_H 1
 
-/* Define to 1 if you have the <afunix.h> header file. */
-/* #undef HAVE_AF_UNIX_H */
-
+/* Define to 1 if you have the <afunix.h> header file. */
+/* #undef HAVE_AF_UNIX_H */
+
 /*************************** FUNCTIONS ***************************/
 
 /* Define to 1 if you have the `gethostbyname' function. */

diff --git a/libraries/cmake/source/thrift/config/macos/x86_64/thrift/config.h b/libraries/cmake/source/thrift/config/macos/x86_64/thrift/config.h
@@ -39,10 +39,10 @@
 /* #undef PACKAGE_URL */
 
 /* Define to the version of this package. */
-#define PACKAGE_VERSION "0.17.0"
+#define PACKAGE_VERSION "0.19.0"
 
 /* Define to the full name and version of this package. */
-#define PACKAGE_STRING " 0.17.0"
+#define PACKAGE_STRING " 0.19.0"
 
 /************************** DEFINES *************************/
 

diff --git a/libraries/cmake/source/thrift/patches/src/disable-tlsv1.0-1.1.patch b/libraries/cmake/source/thrift/patches/src/disable-tlsv1.0-1.1.patch
@@ -0,0 +1,15 @@
+diff --git a/lib/cpp/src/thrift/transport/TSSLSocket.cpp b/lib/cpp/src/thrift/transport/TSSLSocket.cpp
+index dc8fcd9a6..c4588ef4f 100644
+--- a/lib/cpp/src/thrift/transport/TSSLSocket.cpp
++++ b/lib/cpp/src/thrift/transport/TSSLSocket.cpp
+@@ -178,10 +178,6 @@ SSLContext::SSLContext(const SSLProtocol& protocol) {
+   } else if (protocol == SSLv3) {
+     ctx_ = SSL_CTX_new(SSLv3_method());
+ #endif
+-  } else if (protocol == TLSv1_0) {
+-    ctx_ = SSL_CTX_new(TLSv1_method());
+-  } else if (protocol == TLSv1_1) {
+-    ctx_ = SSL_CTX_new(TLSv1_1_method());
+   } else if (protocol == TLSv1_2) {
+     ctx_ = SSL_CTX_new(TLSv1_2_method());
+   } else {
diff --git a/libraries/cmake/source/thrift/src b/libraries/cmake/source/thrift/src
-Original file line number
+Diff line change
@@ Expand Up / @@ -12,4 +12,7 @@ importSourceSubmodule( @@
       SHALLOW_SUBMODULES
         "src"
+      PATCH
+        "src"
     )