kernel
/
dracut
mirror of https://git.kernel.org/pub/scm/boot/dracut/dracut.git/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

fix(url-lib): improve ca-bundle detection 

The current detection routine for openssl-based libcurl assumes that
libcurl has its own hardcoded path to the ca-bundle. Fix the
cases where curl is compiled with:

  --with-ca-fallback --without-ca-path --without-ca-bundle

In this case, we must also grep in OpenSSLs libcrypto.

Other changes:
  - Filter reported but non-existant paths.
  - Strip nul bytes returned by grep.
  - Consider that ca-bundles might use '.pem' instead of '.crt'.

Original-patch-by: Daniel Molkentin <daniel.molkentin@suse.com>
master
Antonio Alvarez Feijoo 2021-12-02 15:44:43 +01:00 committed by Jóhann B. Guðmundsson
parent d9c3c77437
commit e3bb1815bb
1 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
modules.d/45url-lib/module-setup.sh
View File

@ -15,10 +15,10 @@ depends() {


# called by dracut # called by dracut
install() { install() {
local _dir _crt _found _lib _nssckbi _p11roots _p11root local _dir _crt _crts _found _lib _nssckbi _p11roots _p11root
inst_simple "$moddir/url-lib.sh" "/lib/url-lib.sh" inst_simple "$moddir/url-lib.sh" "/lib/url-lib.sh"
inst_multiple -o ctorrent inst_multiple -o ctorrent
inst_multiple curl inst_multiple curl sed
if curl --version | grep -qi '\bNSS\b'; then if curl --version | grep -qi '\bNSS\b'; then
# also install libs for curl https # also install libs for curl https
inst_libdir_file "libnsspem.so*" inst_libdir_file "libnsspem.so*"
@ -29,21 +29,28 @@ install() {


for _dir in $libdirs; do for _dir in $libdirs; do
[[ -d $dracutsysrootdir$_dir ]] || continue [[ -d $dracutsysrootdir$_dir ]] || continue
for _lib in "$dracutsysrootdir$_dir"/libcurl.so.*; do for _lib in "$dracutsysrootdir$_dir"/libcurl.so.* "$dracutsysrootdir$_dir"/libcrypto.so.*; do
[[ -e $_lib ]] || continue [[ -e $_lib ]] || continue
if ! [[ $_nssckbi ]]; then if ! [[ $_nssckbi ]]; then
read -r -d '' _nssckbi < <(grep -F --binary-files=text -z libnssckbi "$_lib") read -r -d '' _nssckbi < <(grep -F --binary-files=text -z libnssckbi "$_lib")
fi fi
read -r -d '' _crt < <(grep -F --binary-files=text -z .crt "$_lib") read -r -d '' _crt < <(grep -E --binary-files=text -z "\.(pem|crt)" "$_lib" | sed 's/\x0//g')
[[ $_crt ]] || continue [[ $_crt ]] || continue
[[ $_crt == /*/* ]] || continue [[ $_crt == /*/* ]] || continue
if [[ -e $_crt ]]; then
_crts="$_crts $_crt"
_found=1
fi
done
done
if [[ $_found ]] && [[ -n $_crts ]]; then
for _crt in $_crts; do
if ! inst "${_crt#$dracutsysrootdir}"; then if ! inst "${_crt#$dracutsysrootdir}"; then
dwarn "Couldn't install '$_crt' SSL CA cert bundle; HTTPS might not work." dwarn "Couldn't install '$_crt' SSL CA cert bundle; HTTPS might not work."
continue continue
fi fi
_found=1
done done
done fi
# If we found no cert bundle files referenced in libcurl but we # If we found no cert bundle files referenced in libcurl but we
# *did* find a mention of libnssckbi (checked above), install it. # *did* find a mention of libnssckbi (checked above), install it.
# If its truly NSS libnssckbi, it includes its own trust bundle, # If its truly NSS libnssckbi, it includes its own trust bundle,