Diffstat (limited to 'modules.d/45url-lib/module-setup.sh')
-rwxr-xr-xmodules.d/45url-lib/module-setup.sh88
1 files changed, 88 insertions, 0 deletions
diff --git a/modules.d/45url-lib/module-setup.sh b/modules.d/45url-lib/module-setup.sh
new file mode 100755
index 0000000..65da87e
--- /dev/null
+++ b/modules.d/45url-lib/module-setup.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+# module-setup for url-lib
+
+# called by dracut
+check() {
+ require_binaries curl || return 1
+ return 255
+}
+
+# called by dracut
+depends() {
+ echo network
+ return 0
+}
+
+# called by dracut
+install() {
+ local _dir _crt _crts _found _lib _nssckbi _p11roots _p11root
+ inst_simple "$moddir/url-lib.sh" "/lib/url-lib.sh"
+ inst_multiple -o ctorrent
+ inst_multiple curl sed
+ if curl --version | grep -qi '\bNSS\b'; then
+ # also install libs for curl https
+ inst_libdir_file "libnsspem.so*"
+ inst_libdir_file "libnsssysinit.so*"
+ inst_libdir_file "libsoftokn3.so*"
+ inst_libdir_file "libsqlite3.so*"
+ fi
+
+ for _dir in $libdirs; do
+ [[ -d $dracutsysrootdir$_dir ]] || continue
+ for _lib in "$dracutsysrootdir$_dir"/libcurl.so.* "$dracutsysrootdir$_dir"/libcrypto.so.*; do
+ [[ -e $_lib ]] || continue
+ if ! [[ $_nssckbi ]]; then
+ read -r -d '' _nssckbi < <(grep -F --binary-files=text -z libnssckbi "$_lib")
+ fi
+ read -r -d '' _crt < <(grep -E --binary-files=text -z "\.(pem|crt)" "$_lib" | sed 's/\x0//g')
+ [[ $_crt ]] || continue
+ [[ $_crt == /*/* ]] || continue
+ if [[ -e $_crt ]]; then
+ _crts="$_crts $_crt"
+ _found=1
+ fi
+ done
+ done
+ if [[ $_found ]] && [[ -n $_crts ]]; then
+ for _crt in $_crts; do
+ if ! inst "${_crt#"$dracutsysrootdir"}"; then
+ dwarn "Couldn't install '$_crt' SSL CA cert bundle; HTTPS might not work."
+ continue
+ fi
+ done
+ fi
+ # If we found no cert bundle files referenced in libcurl but we
+ # *did* find a mention of libnssckbi (checked above), install it.
+ # If its truly NSS libnssckbi, it includes its own trust bundle,
+ # but if it's really p11-kit-trust.so, we need to find the dirs
+ # where it will look for a trust bundle and install them too.
+ if ! [[ $_found ]] && [[ $_nssckbi ]]; then
+ _found=1
+ inst_libdir_file "libnssckbi.so*" || _found=
+ for _dir in $libdirs; do
+ [[ -e $dracutsysrootdir$_dir/libnssckbi.so ]] || continue
+ # this looks for directory-ish strings in the file
+ grep -z -o --binary-files=text '/[[:alpha:]][[:print:]]*' "${dracutsysrootdir}${_dir}"/libnssckbi.so \
+ | while read -r -d '' _p11roots || [[ $_p11roots ]]; do
+ IFS=":" read -r -a _p11roots <<< "$_p11roots"
+ # the string can be a :-separated list of dirs
+ for _p11root in "${_p11roots[@]}"; do
+ # check if it's actually a directory (there are
+ # several false positives in the results)
+ [[ -d "$dracutsysrootdir$_p11root" ]] || continue
+ # check if it has some specific subdirs that all
+ # p11-kit trust dirs have
+ [[ -d "$dracutsysrootdir${_p11root}/anchors" ]] || continue
+ [[ -d "$dracutsysrootdir${_p11root}/blacklist" ]] || continue
+ # so now we know it's really a p11-kit trust dir;
+ # install everything in it
+ mkdir -p -- "${initdir}/${_p11root}"
+ if ! $DRACUT_CP -L -t "${initdir}/${_p11root}" "${dracutsysrootdir}${_p11root}"/*; then
+ dwarn "Couldn't install from p11-kit trust dir '${_p11root#"$dracutsysrootdir"}'; HTTPS might not work."
+ fi
+ done
+ done
+ done
+ fi
+ [[ $_found ]] || dwarn "Couldn't find SSL CA cert bundle or libnssckbi.so; HTTPS won't work."
+}
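Review bot: The existence check `[[ -e $_crt ]]` in install() tests the path string pulled out of libcurl/libcrypto against the build host's root, while the directory and library lookups around it all prefix `$dracutsysrootdir`; with a sysroot set, the decision about which CA bundle to ship is made from the wrong tree, and I would write `[[ -e $dracutsysrootdir$_crt ]]` there. Separately, in the libnssckbi branch `_found=1` is set before any p11-kit trust directory has been located. If the library is really p11-kit-trust.so (the case the comment describes) and no candidate passes the `anchors`/`blacklist` checks, or the `$DRACUT_CP` fails, the image ends up without trust anchors and the final `dwarn` on the last line never fires. A flag set inside the `while` loop would be lost because the loop is the tail of a pipeline; feeding it with `done < <(grep -z -o …)` and setting a flag after a successful copy would let install() warn in that case.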