feat: add openssl module

.distro/dracut.spec

@@ -35,6 +35,7 @@ BuildRequires: gcc
 BuildRequires: pkgconfig
 BuildRequires: systemd
 BuildRequires: bash-completion
+BuildRequires: openssl-devel
 
 %if %{with doc}
 BuildRequires: docbook-style-xsl docbook-dtds libxslt
@@ -234,6 +235,8 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{dracutlibdir}/dracut-initramfs-restore
 %{dracutlibdir}/dracut-install
 %{dracutlibdir}/dracut-util
+%{dracutlibdir}/ossl-config
+%{dracutlibdir}/ossl-files
 %{dracutlibdir}/skipcpio
 %config(noreplace) %{_sysconfdir}/dracut.conf
 %{dracutlibdir}/dracut.conf.d/01-dist.conf
@@ -358,6 +361,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %{dracutlibdir}/modules.d/99busybox
 %{dracutlibdir}/modules.d/99memstrack
 %{dracutlibdir}/modules.d/99fs-lib
+%{dracutlibdir}/modules.d/99openssl
 %{dracutlibdir}/modules.d/99shutdown
 %attr(0644,root,root) %ghost %config(missingok,noreplace) %{_localstatedir}/log/dracut.log
 %dir %{_sharedstatedir}/initramfs
@@ -438,6 +442,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/
 %changelog
 * Wed Jan 29 2025 Pavel Valena <[email protected]> - 105-1
 - build: upgrade to dracut 105
+- feat: add openssl module
 
 * Mon Sep 16 2024 Pavel Valena <[email protected]> - 103-1
 - Update to dracut 103.

Makefile

@@ -50,7 +50,7 @@ manpages = $(man1pages) $(man5pages) $(man7pages) $(man8pages)
 
 .PHONY: install clean archive testimage test all check AUTHORS CONTRIBUTORS doc
 
-all: dracut.pc dracut-install src/skipcpio/skipcpio dracut-util
+all: dracut.pc dracut-install src/skipcpio/skipcpio dracut-util ossl-config ossl-files
 
 %.o : %.c
 	$(CC) -c $(CFLAGS) $(CPPFLAGS) $(KMOD_CFLAGS) $< -o $@
@@ -88,6 +88,12 @@ util/util: $(UTIL_OBJECTS)
 dracut-util: src/util/util
 	cp -a $< $@
 
+ossl: src/ossl/Makefile
+	$(MAKE) -C src/ossl
+
+ossl-config: ossl
+ossl-files: ossl
+
 .PHONY: indent-c
 indent-c:
 	astyle -n --quiet --options=.astylerc $(wildcard *.[ch] */*.[ch] src/*/*.[ch])
@@ -208,6 +214,12 @@ endif
 	if [ -f dracut-util ]; then \
 		install -m 0755 dracut-util $(DESTDIR)$(pkglibdir)/dracut-util; \
 	fi
+	if [ -f src/ossl/src/ossl-config ]; then \
+		install -m 0755 src/ossl/src/ossl-config $(DESTDIR)$(pkglibdir)/ossl-config; \
+	fi
+	if [ -f src/ossl/src/ossl-files ]; then \
+		install -m 0755 src/ossl/src/ossl-files $(DESTDIR)$(pkglibdir)/ossl-files; \
+	fi
 ifeq ($(enable_dracut_cpio),yes)
 	install -m 0755 dracut-cpio $(DESTDIR)$(pkglibdir)/dracut-cpio
 endif
@@ -234,6 +246,7 @@ clean:
 	$(RM) dracut.pc
 	$(RM) dracut-cpio src/dracut-cpio/target/release/dracut-cpio*
 	$(MAKE) -C test clean
+	$(MAKE) -C src/ossl clean
 
 syncheck:
 	@ret=0;for i in dracut-initramfs-restore.sh modules.d/*/*.sh; do \

modules.d/01fips/module-setup.sh

@@ -5,6 +5,10 @@ check() {
     return 0
 }
 
+depends() {
+    echo openssl
+}
+
 # called by dracut
 installkernel() {
     local _fipsmodules _mod _bootfstype

modules.d/99openssl/module-setup.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+
+check() {
+    return 255
+}
+
+install() {
+
+    local ossl_files openssl_cnf initrd_openssl_cnf
+
+    ossl_files="${dracutbasedir}/ossl-files"
+
+    openssl_cnf="$($ossl_files --config)"
+
+    initrd_openssl_cnf="${initdir}/${openssl_cnf}"
+
+    if [[ ! -r $openssl_cnf ]]; then
+        dfatal "'$ossl_files --config' does not return a path!!"
+        exit 1
+    fi
+
+    # ossl-files gives us one line per file
+    # shellcheck disable=SC2046
+    inst_multiple -o \
+        /etc/crypto-policies/back-ends/opensslcnf.config \
+        $($ossl_files --engines --providers)
+
+    mkdir -p "${initrd_openssl_cnf%/*}"
+
+    "${dracutbasedir}/ossl-config" > "${initrd_openssl_cnf}"
+}

modules.d/99openssl/openssl-check.sh

@@ -0,0 +1,29 @@
+#!/bin/sh
+
+eok() {
+
+    {
+        [ "$1" -eq 0 ] && echo OK || echo FAIL
+
+        echo
+
+    } 2> /dev/null
+}
+
+echo
+
+set -x
+
+openssl list -providers
+
+eok "$?"
+
+#openssl s_client -connect “$dns_server_ip:$dns_server_port” -servername “$dns_server_name” </dev/null
+
+#openssl s_client -connect “$test_hostname:$test_port” </dev/null
+
+#openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:2048 -out localhost.key
+
+#openssl req -x509 -new -key localhost.key -subj /CN=localhost -days 365 -addext "subjectAltName = DNS:localhost" -out localhost.crt
+
+#openssl s_server -cert localhost.crt -key localhost.key -port “$test_port”

src/install/dracut-install.c

@@ -1681,7 +1681,7 @@ static void find_suppliers_for_sys_node(Hashmap *suppliers, const char *node_pat
 
 static void find_suppliers(struct kmod_ctx *ctx)
 {
-        _cleanup_fts_close_ FTS *fts;
+        _cleanup_fts_close_ FTS *fts = NULL;
         char *paths[] = { "/sys/devices/platform", NULL };
         fts = fts_open(paths, FTS_NOSTAT | FTS_PHYSICAL, NULL);
 

src/ossl/Makefile

@@ -0,0 +1,35 @@
+.PHONY: all clean tests
+
+CFLAGS ?= -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600
+CRYPTO_FLAGS = -lcrypto
+TARGETS = src/ossl-config src/ossl-files
+
+TESTS_CONFIG = $(wildcard tests/config/*.cnf)
+TESTS_FILES = $(wildcard tests/files/*.cnf)
+
+all: $(TARGETS)
+
+clean:
+	$(RM) $(TARGETS)
+	$(RM) tests/config/*.1 tests/config/*.2
+	$(RM) tests/files/*.1
+
+%: %.c
+	$(CC) $(CFLAGS) $(CRYPTO_FLAGS) -o $@ $<
+
+test: $(TARGETS)
+	@for TEST in $(TESTS_CONFIG); do \
+		echo "Test $$TEST..."; \
+		OPENSSL_CONF="$$TEST" src/ossl-config >"$$TEST.1" && \
+		OPENSSL_CONF="$$TEST.1" src/ossl-config >"$$TEST.2" && \
+		diff -u "$$TEST.expected" "$$TEST.1" && \
+		diff -u <(sed 1d "$$TEST.1") <(sed 1d "$$TEST.2") && \
+		echo "PASS" || (echo "FAIL"; exit 1); \
+	done
+
+	@for TEST in $(TESTS_FILES); do \
+		echo "Test $$TEST..."; \
+		OPENSSL_CONF="$$TEST" src/ossl-files --engines --providers >"$$TEST.1" && \
+		diff -u "$$TEST.expected" "$$TEST.1" && \
+		echo "PASS" || (echo "FAIL"; exit 1); \
+	done

src/ossl/src/ossl-config.c

@@ -0,0 +1,144 @@
+// cc -std=c99 -Wall -Werror -Wno-error=deprecated-declarations -pedantic -D_XOPEN_SOURCE=600 -o ossl-config ossl-config.c -lcrypto
+
+#include <openssl/conf.h>
+#include <openssl/err.h>
+#include <openssl/safestack.h>
+
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 202311L
+#  define FALLTHROUGH [[fallthrough]]
+#elif (defined(__GNUC__) && __GNUC__ >= 7) || (defined(__clang__) && __clang_major__ >= 12)
+#  define FALLTHROUGH __attribute__((fallthrough))
+#else
+#  define FALLTHROUGH ((void) 0)
+#endif
+
+#define cleanup(type) \
+    __attribute__((cleanup(type##_ptr_free)))
+
+#define cleanupfunc(type, func) \
+    static void type##_ptr_free(type **ptr) { \
+        func(*ptr); \
+        *ptr = NULL; \
+    }
+
+typedef STACK_OF(OPENSSL_CSTRING) ossl_sk_cstring_t;
+
+cleanupfunc(char, OPENSSL_free)
+cleanupfunc(CONF, NCONF_free)
+cleanupfunc(ossl_sk_cstring_t, sk_OPENSSL_CSTRING_free)
+
+/**
+ * Print the given value to stdout escaped for the OpenSSL configuration file
+ * format.
+ */
+static void print_escaped_value(const char *value) {
+	for (const char *p = value; *p; p++) {
+		switch (*p) {
+			case '"':
+			case '\'':
+			case '#':
+			case '\\':
+			case '$':
+				putchar('\\');
+				putchar(*p);
+				break;
+			case '\n':
+				fputs("\\n", stdout);
+				break;
+			case '\r':
+				fputs("\\r", stdout);
+				break;
+			case '\b':
+				fputs("\\b", stdout);
+				break;
+			case '\t':
+				fputs("\\t", stdout);
+				break;
+			case ' ':
+				if (p == value || p[1] == '\0') {
+					/* Quote spaces if they are the first or last char of the
+					 * value. We could quote the entire string (and it would
+					 * certainly produce nicer output), but in quoted strings
+					 * the escape sequences for \n, \r, \t, and \b do not work.
+					 * To make sure we're producing correct results we'd thus
+					 * have to selectively not use those in quoted strings and
+					 * close and re-open the quotes if they appear, which is
+					 * more trouble than adding the quotes just around the
+					 * first and last leading and trailing space. */
+					fputs("\" \"", stdout);
+					break;
+				}
+				FALLTHROUGH;
+			default:
+				putchar(*p);
+				break;
+		}
+	}
+}
+
+/**
+ * Print all values in in the configuration section identified by section_name to stdout.
+ */
+static void print_section(const CONF *cnf, OPENSSL_CSTRING section_name) {
+	STACK_OF(CONF_VALUE) *values = NCONF_get_section(cnf, section_name);
+	for (int idx = 0; idx < sk_CONF_VALUE_num(values); idx++) {
+		CONF_VALUE *value = sk_CONF_VALUE_value(values, idx);
+		printf("%s = ", value->name);
+		print_escaped_value(value->value);
+		putchar('\n');
+	}
+}
+
+/**
+ * Parse the default OpenSSL configuration file (or the one specified in the
+ * OPENSSL_CONF environment variable) and write it back to stdout in
+ * a canonical format with all includes and variables expanded.
+ */
+int main(int argc, char *argv[]) {
+	char *configfile cleanup(char) = CONF_get1_default_config_file();
+	if (configfile == NULL) {
+		ERR_print_errors_fp(stderr);
+		exit(EXIT_FAILURE);
+	}
+
+	CONF *cnf cleanup(CONF) = NCONF_new(NULL);
+	if (cnf == NULL) {
+		ERR_print_errors_fp(stderr);
+		exit(EXIT_FAILURE);
+	}
+
+	long eline = 0;
+	if (NCONF_load(cnf, configfile, &eline) == 0) {
+		fprintf(stderr, "Error on line %ld of configuration file\n", eline);
+		ERR_print_errors_fp(stderr);
+		exit(EXIT_FAILURE);
+	}
+
+	STACK_OF(OPENSSL_CSTRING) *sections cleanup(ossl_sk_cstring_t) = NCONF_get_section_names(cnf);
+	if (sections == NULL) {
+		ERR_print_errors_fp(stderr);
+		exit(EXIT_FAILURE);
+	}
+
+	printf("# This configuration file was linarized and expanded from %s\n", configfile);
+
+	int default_section_idx = sk_OPENSSL_CSTRING_find(sections, "default");
+	if (default_section_idx != -1) {
+		print_section(cnf, "default");
+	}
+	for (int idx = 0; idx < sk_OPENSSL_CSTRING_num(sections); idx++) {
+		if (idx == default_section_idx) {
+			continue;
+		}
+		OPENSSL_CSTRING section_name = sk_OPENSSL_CSTRING_value(sections, idx);
+		printf("\n[%s]\n", section_name);
+		print_section(cnf, section_name);
+	}
+
+	return EXIT_SUCCESS;
+}