From 892b1fe6b74a04e7901db306231136a430326ee3 Mon Sep 17 00:00:00 2001

From: Adam Williamson <awilliam@redhat.com>

Date: Wed, 3 May 2017 12:32:43 -0700

Subject: [PATCH] Handle curl using libnssckbi for TLS (RHBZ #1447777)

curl in Fedora recently changed its default CA trust store. The

Fedora package no longer specifies an OpenSSL-format bundle file

during build, and curl itself has been patched to use an NSS

plugin called libnssckbi.so when no bundle file or directory is

specified. There are (at present) two possible providers of the

libnssckbi.so module: the original NSS implementation, which

uses a trust bundle built in at build time, and a compatible

implementation from the p11-kit project, which reads a trust

bundle at run time. So if we find a string in libcurl.so that

suggests libnssckbi might be in use, we must both install it and

make an effort to install any trust bundle files it may use.

The p11-kit libnssckbi implementation does include a string that

lists the top-level trust directories it will use, so we try to

find that string, though the best effort I can come up with will

also find many false positives too. To weed out the false

positives, we check whether the matches actually exist as dirs,

and if so, whether they contain some specific subdirectories we

know p11-kit trust dirs must have (thanks, @kaie). For the NSS

libnssckbi implementation, we will likely wind up not finding any

dirs that match the requirements, so we will simply install the

libnssckbi.so file itself, which is the correct action.

This fixes TLS transactions in the initramfs environment when

using a curl that's built this new way; it's significant for

use of kickstarts and update images with the Fedora / RHEL

installer, as these are retrieved in the initramfs environment,

and are frequently retrieved via HTTPS.

---

 modules.d/45url-lib/module-setup.sh | 38 +++++++++++++++++++++++++++++++++++--

 1 file changed, 36 insertions(+), 2 deletions(-)

diff --git a/modules.d/45url-lib/module-setup.sh b/modules.d/45url-lib/module-setup.sh

index 1ece400f..b3fe55a6 100755

--- a/modules.d/45url-lib/module-setup.sh

+++ b/modules.d/45url-lib/module-setup.sh

@@ -15,7 +15,7 @@ depends() {

 # called by dracut

 install() {

-    local _dir _crt _found _lib

+    local _dir _crt _found _lib _nssckbi _p11roots _p11root _p11item

     inst_simple "$moddir/url-lib.sh" "/lib/url-lib.sh"

     inst_multiple -o ctorrent

     inst_multiple curl

@@ -29,6 +29,7 @@ install() {

 	[[ -d $_dir ]] || continue

         for _lib in $_dir/libcurl.so.*; do

 	    [[ -e $_lib ]] || continue

+            [[ $_nssckbi ]] || _nssckbi=$(grep -F --binary-files=text -z libnssckbi $_lib)

             _crt=$(grep -F --binary-files=text -z .crt $_lib)

             [[ $_crt ]] || continue

             [[ $_crt == /*/* ]] || continue

@@ -39,6 +40,39 @@ install() {

             _found=1

         done

     done

-    [[ $_found ]] || dwarn "Couldn't find SSL CA cert bundle; HTTPS won't work."

+    # If we found no cert bundle files referenced in libcurl but we

+    # *did* find a mention of libnssckbi (checked above), install it.

+    # If its truly NSS libnssckbi, it includes its own trust bundle,

+    # but if it's really p11-kit-trust.so, we need to find the dirs

+    # where it will look for a trust bundle and install them too.

+    if ! [[ $_found ]] && [[ $_nssckbi ]] ; then

+        _found=1

+        inst_libdir_file "libnssckbi.so*" || _found=

+        for _dir in $libdirs; do

+            [[ -e $_dir/libnssckbi.so ]] || continue

+            # this looks for directory-ish strings in the file

+            for _p11roots in $(grep -o --binary-files=text "/[[:alpha:]][[:print:]]*" $_dir/libnssckbi.so) ; do

+                # the string can be a :-separated list of dirs

+                for _p11root in $(echo "$_p11roots" | tr ':' '\n') ; do

+                    # check if it's actually a directory (there are

+                    # several false positives in the results)

+                    [[ -d "$_p11root" ]] || continue

+                    # check if it has some specific subdirs that all

+                    # p11-kit trust dirs have

+                    [[ -d "${_p11root}/anchors" ]] || continue

+                    [[ -d "${_p11root}/blacklist" ]] || continue

+                    # so now we know it's really a p11-kit trust dir;

+                    # install everything in it

+                    for _p11item in $(find "$_p11root") ; do

+                        if ! inst "$_p11item" ; then

+                            dwarn "Couldn't install '$_p11item' from p11-kit trust dir '$_p11root'; HTTPS might not work."

+                            continue

+                        fi

+                    done

+                done

+            done

+        done

+    fi

+    [[ $_found ]] || dwarn "Couldn't find SSL CA cert bundle or libnssckbi.so; HTTPS won't work."

 }