diff --git a/0079.patch b/0079.patch
new file mode 100644
index 0000000..78449da
--- /dev/null
+++ b/0079.patch
@@ -0,0 +1,34 @@
+From a5b07e49259b201374124ba1e23b931da6e741e0 Mon Sep 17 00:00:00 2001
+From: packit-public-repos-bot
+ <125959684+packit-public-repos-bot@users.noreply.github.com>
+Date: Wed, 11 Dec 2024 11:47:15 +0100
+Subject: [PATCH] Fix configuration for Packit 1.0.0
+
+This commit fixes the configuration for the forthcoming Packit 1.0.0.
+See [our blog post](https://packit.dev/posts/packit_1_0_0_action_required) for more details.
+ - Job type `build` has been changed to `copr_build`.
+ - Job type `production_build` has been changed to `upstream_koji_build`.
+ - Key `upstream_project_name` has been changed to `upstream_package_name`.
+ - Key `synced_files` has been changed to `files_to_sync`.
+
+Please review and merge me before January 2025 otherwise packit-service jobs will fail because of an invalid configuration.
+
+Resolves: RHEL-65249
+---
+ .packit.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.packit.yml b/.packit.yml
+index 86ba83d2..1439a44e 100644
+--- a/.packit.yml
++++ b/.packit.yml
+@@ -7,7 +7,7 @@
+ # Docs: https://packit.dev/docs/
+
+ specfile_path: pkgbuild/dracut.spec
+-synced_files:
++files_to_sync:
+ - .packit.yaml
+ upstream_package_name: dracut
+ downstream_package_name: dracut
+
diff --git a/0080.patch b/0080.patch
new file mode 100644
index 0000000..6a575ad
--- /dev/null
+++ b/0080.patch
@@ -0,0 +1,24 @@
+From 78f56fa46b05409fb49f9c5ba776783aabb89d15 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Thu, 30 Jan 2025 12:43:01 +0100
+Subject: [PATCH] test: fix url for btrfs-progs
+
+Resolves: RHEL-65249
+---
+ test/container/Dockerfile-CentOS-9-Stream | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/test/container/Dockerfile-CentOS-9-Stream b/test/container/Dockerfile-CentOS-9-Stream
+index 26d308d2..3f0cdf6c 100644
+--- a/test/container/Dockerfile-CentOS-9-Stream
++++ b/test/container/Dockerfile-CentOS-9-Stream
+@@ -11,7 +11,7 @@ RUN echo 'export DRACUT_NO_XATTR=1 KVERSION=$(cd /lib/modules; ls -1 | tail -1)'
+ # FIXME: add dmraid, scsi-target-utils (e.g. from COPR)
+ RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False \
+ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/d/dash-0.5.11.5-4.el9.x86_64.rpm \
+- https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/btrfs-progs-6.10-1.el9.x86_64.rpm \
++ https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/b/btrfs-progs-6.12-3.el9.x86_64.rpm \
+ qemu-kvm \
+ NetworkManager \
+ asciidoc \
+
diff --git a/0081.patch b/0081.patch
new file mode 100644
index 0000000..869f32b
--- /dev/null
+++ b/0081.patch
@@ -0,0 +1,32 @@
+From 4c327d4d5f3dd08bce7a704e2e4e45e2a838dc93 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Mon, 17 Feb 2025 02:50:26 +0100
+Subject: [PATCH] fix(35network-manager): remove duplicate installkernel
+ function
+
+Issue introduced in commit: 0a264651d148b543c0c5d6b0a07909cdcb1abfba
+
+Resolves: RHEL-64754
+
+rhel-only
+---
+ modules.d/35network-manager/module-setup.sh | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/modules.d/35network-manager/module-setup.sh b/modules.d/35network-manager/module-setup.sh
+index 4fd3d051..80ca21bd 100755
+--- a/modules.d/35network-manager/module-setup.sh
++++ b/modules.d/35network-manager/module-setup.sh
+@@ -14,11 +14,6 @@ depends() {
+ return 0
+ }
+
+-# called by dracut
+-installkernel() {
+- return 0
+-}
+-
+ # called by dracut
+ installkernel() {
+ instmods nf_tables nfnetlink nft_fwd_netdev
+
diff --git a/0082.patch b/0082.patch
new file mode 100644
index 0000000..4620410
--- /dev/null
+++ b/0082.patch
@@ -0,0 +1,28 @@
+From 31a612d5a1cc8c2f0fcc7db82a6f8c9106c8bb63 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Mon, 17 Feb 2025 09:15:11 +0100
+Subject: [PATCH] ci: bump actions/upload-artifact version to v4
+
+as v3 is deprecated.
+
+https://github.blog/changelog/2024-04-16-deprecation-notice-v3-of-the-artifact-actions/
+
+rhel-only
+---
+ .github/workflows/gather-metadata.yml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/.github/workflows/gather-metadata.yml b/.github/workflows/gather-metadata.yml
+index e4cbc486..d11c90d1 100644
+--- a/.github/workflows/gather-metadata.yml
++++ b/.github/workflows/gather-metadata.yml
+@@ -22,7 +22,7 @@ jobs:
+ uses: redhat-plumbers-in-action/gather-pull-request-metadata@v1
+
+ - name: Upload artifact with gathered metadata
+- uses: actions/upload-artifact@v3
++ uses: actions/upload-artifact@v4
+ with:
+ name: pr-metadata
+ path: ${{ steps.Metadata.outputs.metadata-file }}
+
diff --git a/0083.patch b/0083.patch
new file mode 100644
index 0000000..c9a446d
--- /dev/null
+++ b/0083.patch
@@ -0,0 +1,26 @@
+From 379b1eafcfb6b4e34b6689bc8f8eab5ecb27aac7 Mon Sep 17 00:00:00 2001
+From: Pavel Valena
+Date: Mon, 19 Aug 2024 09:41:27 +0200
+Subject: [PATCH] feat(fips): include fips module unconditionally
+
+rhel-only
+
+Resolves: RHEL-53364
+---
+ modules.d/01fips/module-setup.sh | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/modules.d/01fips/module-setup.sh b/modules.d/01fips/module-setup.sh
+index a090bc88..91bbe785 100755
+--- a/modules.d/01fips/module-setup.sh
++++ b/modules.d/01fips/module-setup.sh
+@@ -2,7 +2,7 @@
+
+ # called by dracut
+ check() {
+- return 255
++ return 0
+ }
+
+ # called by dracut
+
diff --git a/0084.patch b/0084.patch
new file mode 100644
index 0000000..3d9f404
--- /dev/null
+++ b/0084.patch
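Review bot: The new `return 0` in `check()` of modules.d/01fips/module-setup.sh has no comment explaining why the module stopped being opt-in; in dracut's module convention 255 means "include only when explicitly requested or pulled in as a dependency", while 0 means "always include". Because this is a rhel-only divergence, a comment on the line would protect it during rebases, for example `# rhel-only: always include fips (was 255 = opt-in only), see RHEL-53364`. Whether every host that now gets the module has the tools its `install()` copies is not visible in this hunk and should be confirmed.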
@@ -0,0 +1,51 @@
+From acbb003a63809ed870598eee7171a5c188e80113 Mon Sep 17 00:00:00 2001
+From: Laszlo Gombos
+Date: Wed, 24 Aug 2022 19:16:26 +0000
+Subject: [PATCH] fix(dracut.sh): make omit-drivers option do exact match for
+ names
+
+Modify the basic test case to use --omit-drivers and make it fail
+without the PR and make it pass with the PR.
+
+The test would fail with the following error without the PR:
+FATAL: iscsiroot requested but kernel/initrd does not support iscsi
+
+(cherry picked from commit a7f5cdbccbbd4d8c406ea7c4b3e6f25cd747e648)
+
+Resolves: RHEL-57094
+---
+ dracut.sh | 2 +-
+ test/TEST-01-BASIC/test.sh | 3 +++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/dracut.sh b/dracut.sh
+index f748a073..dcdeaf5f 100755
+--- a/dracut.sh
++++ b/dracut.sh
+@@ -1379,7 +1379,7 @@ omit_drivers_corrected=""
+ for d in $omit_drivers; do
+ [[ " $drivers $add_drivers " == *\ $d\ * ]] && continue
+ [[ " $drivers $force_drivers " == *\ $d\ * ]] && continue
+- omit_drivers_corrected+="$d|"
++ omit_drivers_corrected+="^$d$|"
+ done
+ omit_drivers="${omit_drivers_corrected%|}"
+ unset omit_drivers_corrected
+diff --git a/test/TEST-01-BASIC/test.sh b/test/TEST-01-BASIC/test.sh
+index 9f98af2c..877f6534 100755
+--- a/test/TEST-01-BASIC/test.sh
++++ b/test/TEST-01-BASIC/test.sh
+@@ -110,9 +110,12 @@ test_setup() {
+ inst_hook shutdown-emergency 000 ./hard-off.sh
+ inst_hook emergency 000 ./hard-off.sh
+ )
++
++ # make sure --omit-drivers does not filter out drivers using regexp to test for an earlier regression (assuming there is no one letter linux kernel module needed to run the test)
+ "$basedir"/dracut.sh -l -i "$TESTDIR"/overlay / \
+ -a "debug watchdog" \
+ -d "piix ide-gd_mod ata_piix ext3 sd_mod i6300esb ib700wdt" \
++ --omit-drivers 'a b c d e f g h i j k l m n o p q r s t u v w x y z' \
+ --no-hostonly-cmdline -N \
+ -f "$TESTDIR"/initramfs.testing "$KVERSION" || return 1
+ }
+
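Review bot: In the dracut.sh hunk, `omit_drivers_corrected+="^$d$|"` anchors each entry but still inserts `$d` into the alternation unescaped, so a name passed to `--omit-drivers` that contains regex metacharacters (`.`, `*`, `[`) is still matched as a pattern rather than exactly, as the subject line promises. A comment on the changed line would record that limit, for example `# anchored so "a" no longer omits every driver containing "a"; $d itself is still treated as a regex`. Whether the consumer of `$omit_drivers` compares against module names with `-` normalised to `_` is not visible here, so exact matching of hyphenated names should be confirmed.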
diff --git a/0085.patch b/0085.patch
new file mode 100644
index 0000000..5bc55a6
--- /dev/null
+++ b/0085.patch
@@ -0,0 +1,1079 @@ +From ecb3af0fddfcfe91d8ba8edd6d9fe9c4b1704842 Mon Sep 17 00:00:00 2001 +From: Pavel Valena +Date: Mon, 20 Jan 2025 14:16:38 +0100 +Subject: [PATCH] feat: add openssl module + + + fix(openssl): harden ossl build CFLAGS + + + fix(ossl): copy executables for the test suite + + + and also fix CFLAGS in case of std=c99. + +Resolves: RHEL-79815 + +rhel-only +--- + Makefile | 25 +- + modules.d/01fips/module-setup.sh | 16 +- + modules.d/99openssl/module-setup.sh | 31 +++ + modules.d/99openssl/openssl-check.sh | 29 +++ + pkgbuild/dracut.spec | 4 + + src/ossl/Makefile | 35 +++ + src/ossl/src/ossl-config.c | 144 +++++++++++ + src/ossl/src/ossl-files.c | 280 +++++++++++++++++++++ + src/ossl/tests/config/escapes.cnf | 11 + + src/ossl/tests/config/escapes.cnf.expected | 12 + + src/ossl/tests/config/included-file.noncnf | 2 + + src/ossl/tests/config/includes.1.d/includes1.cnf | 2 + + src/ossl/tests/config/includes.1.d/includes1.conf | 2 + + src/ossl/tests/config/includes.1.d/nonconf.bak | 2 + + src/ossl/tests/config/includes.2.d/main.cnf | 4 + + .../config/includes.2.d/subincludes.d/subconf.cnf | 2 + + src/ossl/tests/config/includes.cnf | 6 + + src/ossl/tests/config/includes.cnf.expected | 12 + + .../config/leading-and-trailing-whitespace.cnf | 6 + + .../leading-and-trailing-whitespace.cnf.expected | 7 + + src/ossl/tests/config/order.cnf | 21 ++ + src/ossl/tests/config/order.cnf.expected | 16 ++ + src/ossl/tests/config/variables.cnf | 33 +++ + src/ossl/tests/config/variables.cnf.expected | 27 ++ + src/ossl/tests/files/engines.cnf | 22 ++ + src/ossl/tests/files/engines.cnf.expected | 4 + + src/ossl/tests/files/providers.cnf | 31 +++ + src/ossl/tests/files/providers.cnf.expected | 4 + + test/container/Dockerfile-CentOS-9-Stream | 1 + + 29 files changed, 772 insertions(+), 19 deletions(-) + +diff --git a/Makefile b/Makefile +index 97e189b4..bc26d7c7 100644 +--- a/Makefile ++++ b/Makefile +@@ -51,7 +51,7 @@ manpages = $(man1pages) $(man5pages) $(man7pages) 
$(man8pages) + + .PHONY: install clean archive rpm srpm testimage test all check AUTHORS CONTRIBUTORS doc dracut-version.sh + +-all: dracut-version.sh dracut.pc dracut-install src/skipcpio/skipcpio dracut-util ++all: dracut-version.sh dracut.pc dracut-install src/skipcpio/skipcpio dracut-util ossl-config ossl-files + + %.o : %.c + $(CC) -c $(CFLAGS) $(CPPFLAGS) $(KMOD_CFLAGS) $< -o $@ +@@ -92,6 +92,15 @@ util/util: $(UTIL_OBJECTS) + dracut-util: src/util/util + cp -a $< $@ + ++ossl: ++ $(MAKE) -C src/ossl ++ ++ossl-config: ossl ++ cp -a src/ossl/src/ossl-config $@ ++ ++ossl-files: ossl ++ cp -a src/ossl/src/ossl-files $@ ++ + .PHONY: indent-c + indent-c: + astyle -n --quiet --options=.astylerc $(wildcard *.[ch] */*.[ch] src/*/*.[ch]) +@@ -198,15 +207,21 @@ endif + $(DESTDIR)$(systemdsystemunitdir)/initrd.target.wants/$$i; \ + done \ + fi +- if [ -f src/install/dracut-install ]; then \ ++ if [ -r src/install/dracut-install ]; then \ + install -m 0755 src/install/dracut-install $(DESTDIR)$(pkglibdir)/dracut-install; \ + fi +- if [ -f src/skipcpio/skipcpio ]; then \ ++ if [ -r src/skipcpio/skipcpio ]; then \ + install -m 0755 src/skipcpio/skipcpio $(DESTDIR)$(pkglibdir)/skipcpio; \ + fi +- if [ -f dracut-util ]; then \ ++ if [ -r dracut-util ]; then \ + install -m 0755 dracut-util $(DESTDIR)$(pkglibdir)/dracut-util; \ + fi ++ if [ -r ossl-config ]; then \ ++ install -m 0755 ossl-config $(DESTDIR)$(pkglibdir)/ossl-config; \ ++ fi ++ if [ -r ossl-files ]; then \ ++ install -m 0755 ossl-files $(DESTDIR)$(pkglibdir)/ossl-files; \ ++ fi + ifeq ($(enable_dracut_cpio),yes) + install -m 0755 dracut-cpio $(DESTDIR)$(pkglibdir)/dracut-cpio + endif +@@ -237,7 +252,9 @@ clean: + $(RM) $(manpages) dracut.html + $(RM) dracut.pc + $(RM) dracut-cpio src/dracut-cpio/target/release/dracut-cpio* ++ $(RM) ossl-files ossl-config + $(MAKE) -C test clean ++ $(MAKE) -C src/ossl clean + + dist: dracut-$(DRACUT_MAIN_VERSION).tar.xz + +diff --git a/modules.d/01fips/module-setup.sh 
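Review bot: The new `ossl` rule in the top-level Makefile is not added to the `.PHONY` lists visible in these hunks, although `ossl-config` and `ossl-files` depend on it; a stray file named `ossl` in the source root would stop the sub-make from ever running, and the two `cp -a` recipes rerun on every build. Adding `.PHONY: ossl` next to the rule makes the intent explicit. The install recipe also wraps the two new helpers in `if [ -r ossl-config ]` / `if [ -r ossl-files ]`, so a build that did not produce them installs silently without the binaries that modules.d/99openssl calls; since `all` now builds both, an unguarded `install -m 0755` would fail loudly instead.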
b/modules.d/01fips/module-setup.sh +index 91bbe785..0b6d3a27 100755 +--- a/modules.d/01fips/module-setup.sh ++++ b/modules.d/01fips/module-setup.sh +@@ -5,9 +5,8 @@ check() { + return 0 + } + +-# called by dracut + depends() { +- return 0 ++ echo openssl + } + + # called by dracut +@@ -70,17 +69,4 @@ install() { + inst_multiple sha512hmac rmmod insmod mount uname umount grep sed cut find sort cat tail tr + + inst_simple /etc/system-fips +- +- # if we have openssl we need to install their fips library and configuration +- [ -x /usr/bin/openssl ] && { +- read -r _ conf < <(openssl version -d) +- conf=${conf#\"} +- conf=${conf%\"} +- inst_simple "${moddir}/openssl.cnf" "$conf/openssl.cnf" +- +- read -r _ mod < <(openssl version -m) +- mod=${mod#\"} +- mod=${mod%\"} +- inst_simple "$mod/fips.so" +- } + } +diff --git a/modules.d/99openssl/module-setup.sh b/modules.d/99openssl/module-setup.sh +new file mode 100755 +index 00000000..8614f254 +--- /dev/null ++++ b/modules.d/99openssl/module-setup.sh +@@ -0,0 +1,31 @@ ++#!/bin/bash ++ ++check() { ++ return 255 ++} ++ ++install() { ++ ++ local ossl_files openssl_cnf initrd_openssl_cnf ++ ++ ossl_files="${dracutbasedir}/ossl-files" ++ ++ openssl_cnf="$($ossl_files --config)" ++ ++ initrd_openssl_cnf="${initdir}/${openssl_cnf}" ++ ++ if [[ ! -r $openssl_cnf ]]; then ++ dfatal "'$ossl_files --config' does not return a path!!" 
++ exit 1 ++ fi ++ ++ # ossl-files gives us one line per file ++ # shellcheck disable=SC2046 ++ inst_multiple -o \ ++ /etc/crypto-policies/back-ends/opensslcnf.config \ ++ $($ossl_files --engines --providers) ++ ++ mkdir -p "${initrd_openssl_cnf%/*}" ++ ++ "${dracutbasedir}/ossl-config" > "${initrd_openssl_cnf}" ++} +diff --git a/modules.d/99openssl/openssl-check.sh b/modules.d/99openssl/openssl-check.sh +new file mode 100755 +index 00000000..67951f45 +--- /dev/null ++++ b/modules.d/99openssl/openssl-check.sh +@@ -0,0 +1,29 @@ ++#!/bin/sh ++ ++eok() { ++ ++ { ++ [ "$1" -eq 0 ] && echo OK || echo FAIL ++ ++ echo ++ ++ } 2> /dev/null ++} ++ ++echo ++ ++set -x ++ ++openssl list -providers ++ ++eok "$?" ++ ++#openssl s_client -connect “$dns_server_ip:$dns_server_port” -servername “$dns_server_name” $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ + %{dracutlibdir}/dracut-initramfs-restore + %{dracutlibdir}/dracut-install + %{dracutlibdir}/dracut-util ++%{dracutlibdir}/ossl-config ++%{dracutlibdir}/ossl-files + %{dracutlibdir}/skipcpio + %config(noreplace) %{_sysconfdir}/dracut.conf + %if 0%{?fedora} || 0%{?suse_version} || 0%{?rhel} +@@ -402,6 +405,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ + %{dracutlibdir}/modules.d/99base + %{dracutlibdir}/modules.d/99memstrack + %{dracutlibdir}/modules.d/99fs-lib ++%{dracutlibdir}/modules.d/99openssl + %{dracutlibdir}/modules.d/99shutdown + %attr(0644,root,root) %ghost %config(missingok,noreplace) %{_localstatedir}/log/dracut.log + %dir %{_sharedstatedir}/initramfs +diff --git a/src/ossl/Makefile b/src/ossl/Makefile +new file mode 100644 +index 00000000..43e7b464 +--- /dev/null ++++ b/src/ossl/Makefile +@@ -0,0 +1,35 @@ ++.PHONY: all clean tests ++ ++CFLAGS ?= -std=c99 -Wall -Werror -pedantic -D_XOPEN_SOURCE=600 ++CRYPTO_FLAGS = -lcrypto -Wl,-pie -Wl,-z,now -fPIE ++TARGETS = src/ossl-config src/ossl-files ++ ++TESTS_CONFIG = $(wildcard tests/config/*.cnf) ++TESTS_FILES = $(wildcard 
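Review bot: The last line of `install()` in modules.d/99openssl/module-setup.sh redirects `ossl-config` into `${initrd_openssl_cnf}` without checking its exit status, so a failing helper still leaves an empty or partial openssl.cnf in the initramfs, and with 01fips now depending on this module that file decides which providers OpenSSL loads in the initrd. The status should be checked and the build aborted, as the function already does when the config path is unreadable. The unquoted `$($ossl_files --engines --providers)` also word-splits and glob-expands paths that come from the `module` and `dynamic_path` values of the configuration, so reading the output line by line into an array is safer than suppressing SC2046.

```shell
install() {
    # … unchanged: locals, ossl_files/openssl_cnf lookup, readability check …

    # ossl-files prints one path per line; keep every line as a single argument
    local -a ossl_paths
    mapfile -t ossl_paths < <("$ossl_files" --engines --providers)
    inst_multiple -o \
        /etc/crypto-policies/back-ends/opensslcnf.config \
        "${ossl_paths[@]}"

    mkdir -p "${initrd_openssl_cnf%/*}"

    # do not ship a truncated configuration if the helper fails
    if ! "${dracutbasedir}/ossl-config" > "${initrd_openssl_cnf}"; then
        dfatal "'${dracutbasedir}/ossl-config' failed, not installing a partial openssl.cnf"
        exit 1
    fi
}
```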
tests/files/*.cnf) ++ ++all: $(TARGETS) ++ ++clean: ++ $(RM) $(TARGETS) ++ $(RM) tests/config/*.1 tests/config/*.2 ++ $(RM) tests/files/*.1 ++ ++%: %.c ++ $(CC) $(CFLAGS) $(CRYPTO_FLAGS) -o $@ $< ++ ++test: $(TARGETS) ++ @for TEST in $(TESTS_CONFIG); do \ ++ echo "Test $$TEST..."; \ ++ OPENSSL_CONF="$$TEST" src/ossl-config >"$$TEST.1" && \ ++ OPENSSL_CONF="$$TEST.1" src/ossl-config >"$$TEST.2" && \ ++ diff -u "$$TEST.expected" "$$TEST.1" && \ ++ diff -u <(sed 1d "$$TEST.1") <(sed 1d "$$TEST.2") && \ ++ echo "PASS" || (echo "FAIL"; exit 1); \ ++ done ++ ++ @for TEST in $(TESTS_FILES); do \ ++ echo "Test $$TEST..."; \ ++ OPENSSL_CONF="$$TEST" src/ossl-files --engines --providers >"$$TEST.1" && \ ++ diff -u "$$TEST.expected" "$$TEST.1" && \ ++ echo "PASS" || (echo "FAIL"; exit 1); \ ++ done +diff --git a/src/ossl/src/ossl-config.c b/src/ossl/src/ossl-config.c +new file mode 100644 +index 00000000..4324341c +--- /dev/null ++++ b/src/ossl/src/ossl-config.c +@@ -0,0 +1,144 @@ ++// cc -std=c99 -Wall -Werror -Wno-error=deprecated-declarations -pedantic -D_XOPEN_SOURCE=600 -o ossl-config ossl-config.c -lcrypto ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++ ++#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 202311L ++# define FALLTHROUGH [[fallthrough]] ++#elif (defined(__GNUC__) && __GNUC__ >= 7) || (defined(__clang__) && __clang_major__ >= 12) ++# define FALLTHROUGH __attribute__((fallthrough)) ++#else ++# define FALLTHROUGH ((void) 0) ++#endif ++ ++#define cleanup(type) \ ++ __attribute__((cleanup(type##_ptr_free))) ++ ++#define cleanupfunc(type, func) \ ++ static void type##_ptr_free(type **ptr) { \ ++ func(*ptr); \ ++ *ptr = NULL; \ ++ } ++ ++typedef STACK_OF(OPENSSL_CSTRING) ossl_sk_cstring_t; ++ ++cleanupfunc(char, OPENSSL_free) ++cleanupfunc(CONF, NCONF_free) ++cleanupfunc(ossl_sk_cstring_t, sk_OPENSSL_CSTRING_free) ++ ++/** ++ * Print the given value to stdout escaped for the OpenSSL configuration file ++ * format. 
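Review bot: `.PHONY: all clean tests` in src/ossl/Makefile names `tests`, but the rule defined further down is `test`, so the real target is not phony and a file called `test` would keep it from running; the line should read `.PHONY: all clean test`. The `test` recipe also uses `<(sed 1d ...)` process substitution, which needs bash, while make runs recipes with `/bin/sh` unless `SHELL` is set and this file sets none; `SHELL := /bin/bash` near the top makes the requirement explicit. In the `%: %.c` rule `-lcrypto` (inside `$(CRYPTO_FLAGS)`) precedes `$<`, which can leave symbols unresolved with linkers that default to `--as-needed`, so placing the library after the source file is worth considering.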
++ */ ++static void print_escaped_value(const char *value) { ++ for (const char *p = value; *p; p++) { ++ switch (*p) { ++ case '"': ++ case '\'': ++ case '#': ++ case '\\': ++ case '$': ++ putchar('\\'); ++ putchar(*p); ++ break; ++ case '\n': ++ fputs("\\n", stdout); ++ break; ++ case '\r': ++ fputs("\\r", stdout); ++ break; ++ case '\b': ++ fputs("\\b", stdout); ++ break; ++ case '\t': ++ fputs("\\t", stdout); ++ break; ++ case ' ': ++ if (p == value || p[1] == '\0') { ++ /* Quote spaces if they are the first or last char of the ++ * value. We could quote the entire string (and it would ++ * certainly produce nicer output), but in quoted strings ++ * the escape sequences for \n, \r, \t, and \b do not work. ++ * To make sure we're producing correct results we'd thus ++ * have to selectively not use those in quoted strings and ++ * close and re-open the quotes if they appear, which is ++ * more trouble than adding the quotes just around the ++ * first and last leading and trailing space. */ ++ fputs("\" \"", stdout); ++ break; ++ } ++ FALLTHROUGH; ++ default: ++ putchar(*p); ++ break; ++ } ++ } ++} ++ ++/** ++ * Print all values in in the configuration section identified by section_name to stdout. ++ */ ++static void print_section(const CONF *cnf, OPENSSL_CSTRING section_name) { ++ STACK_OF(CONF_VALUE) *values = NCONF_get_section(cnf, section_name); ++ for (int idx = 0; idx < sk_CONF_VALUE_num(values); idx++) { ++ CONF_VALUE *value = sk_CONF_VALUE_value(values, idx); ++ printf("%s = ", value->name); ++ print_escaped_value(value->value); ++ putchar('\n'); ++ } ++} ++ ++/** ++ * Parse the default OpenSSL configuration file (or the one specified in the ++ * OPENSSL_CONF environment variable) and write it back to stdout in ++ * a canonical format with all includes and variables expanded. 
++ */ ++int main(int argc, char *argv[]) { ++ char *configfile cleanup(char) = CONF_get1_default_config_file(); ++ if (configfile == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ CONF *cnf cleanup(CONF) = NCONF_new(NULL); ++ if (cnf == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ long eline = 0; ++ if (NCONF_load(cnf, configfile, &eline) == 0) { ++ fprintf(stderr, "Error on line %ld of configuration file\n", eline); ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ STACK_OF(OPENSSL_CSTRING) *sections cleanup(ossl_sk_cstring_t) = NCONF_get_section_names(cnf); ++ if (sections == NULL) { ++ ERR_print_errors_fp(stderr); ++ exit(EXIT_FAILURE); ++ } ++ ++ printf("# This configuration file was linarized and expanded from %s\n", configfile); ++ ++ int default_section_idx = sk_OPENSSL_CSTRING_find(sections, "default"); ++ if (default_section_idx != -1) { ++ print_section(cnf, "default"); ++ } ++ for (int idx = 0; idx < sk_OPENSSL_CSTRING_num(sections); idx++) { ++ if (idx == default_section_idx) { ++ continue; ++ } ++ OPENSSL_CSTRING section_name = sk_OPENSSL_CSTRING_value(sections, idx); ++ printf("\n[%s]\n", section_name); ++ print_section(cnf, section_name); ++ } ++ ++ return EXIT_SUCCESS; ++} +diff --git a/src/ossl/src/ossl-files.c b/src/ossl/src/ossl-files.c +new file mode 100644 +index 00000000..4f252800 +--- /dev/null ++++ b/src/ossl/src/ossl-files.c +@@ -0,0 +1,280 @@ ++// cc -std=c99 -Wall -Werror -Wno-error=deprecated-declarations -pedantic -D_XOPEN_SOURCE=600 -o ossl-files ossl-files.c -lcrypto ++ ++#include ++#include ++#include ++#include ++ ++#include ++ ++#include ++#include ++#include ++#include ++#include ++ ++#define cleanup(type) \ ++ __attribute__((cleanup(type##_ptr_free))) ++ ++#define cleanupfunc(type, func) \ ++ static void type##_ptr_free(type **ptr) { \ ++ func(*ptr); \ ++ *ptr = NULL; \ ++ } ++ ++typedef STACK_OF(OPENSSL_CSTRING) ossl_sk_cstring_t; ++ ++cleanupfunc(char, 
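Review bot: `main()` in src/ossl/src/ossl-config.c returns `EXIT_SUCCESS` without checking whether any of the `printf`/`putchar`/`fputs` writes to stdout succeeded, so a full filesystem or a closed pipe yields a truncated configuration together with a zero exit status. Because modules.d/99openssl/module-setup.sh redirects this output straight into the initramfs openssl.cnf, a final check before the last `return`, such as `if (fflush(stdout) != 0 || ferror(stdout)) return EXIT_FAILURE;`, would let the caller detect the failure.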
OPENSSL_free) ++cleanupfunc(CONF, NCONF_free) ++ ++typedef enum flag { ++ CONFIG_FILE = 1, ++ ENGINES, ++ PROVIDERS, ++ PKCS11_MODULES, ++} flag_t; ++ ++static const OPENSSL_CSTRING get_option(STACK_OF(CONF_VALUE) *section, const OPENSSL_CSTRING name) { ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(section); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(section, idx); ++ if (strcmp(name, value->name) == 0) { ++ return value->value; ++ } ++ } ++ ++ return NULL; ++} ++ ++/** ++ * Locate a section in the OpenSSL configuration file given its path ++ * components, separated by dots. ++ * ++ * Returns the STACK_OF(CONF_VALUE) that represents the section, if it exists ++ * and NULL otherwise. ++ */ ++static STACK_OF(CONF_VALUE) *locate_section(const CONF* cnf, const OPENSSL_CSTRING path) { ++ STACK_OF(CONF_VALUE) *sect = NCONF_get_section(cnf, "default"); ++ if (sect == NULL) ++ return NULL; ++ ++ char *pathbuf cleanup(char) = OPENSSL_strdup(path); ++ char *curpath = pathbuf; ++ while (curpath) { ++ char *split = strchr(curpath, '.'); ++ char *nextpath = NULL; ++ ++ if (split != NULL) { ++ *split = '\0'; ++ nextpath = split + 1; ++ } ++ ++ const OPENSSL_CSTRING next_section_name = get_option(sect, curpath); ++ if (next_section_name == NULL) ++ return NULL; ++ ++ sect = NCONF_get_section(cnf, next_section_name); ++ if (sect == NULL) ++ return NULL; ++ ++ curpath = nextpath; ++ } ++ ++ return sect; ++} ++ ++static void list_providers(const CONF *cnf) { ++ const char *modulesdir = OPENSSL_info(OPENSSL_INFO_MODULES_DIR); ++ ++ { ++ struct stat st; ++ size_t pathlen = strlen(modulesdir) + 1 /* "/" */ + strlen("fips.so") + 1; ++ char pathbuf[pathlen]; ++ ++ snprintf(pathbuf, pathlen, "%s/fips.so", modulesdir); ++ pathbuf[pathlen - 1] = '\0'; ++ ++ if (stat(pathbuf, &st) == 0) { ++ /* Print the path to the FIPS provider if it exists on disk, ++ * regardless of whether it is enabled or not. 
This is because some ++ * distributions (like Fedora and RHEL) auto-enable the FIPS ++ * provider if the kernel command line contains fips=1. */ ++ puts(pathbuf); ++ } ++ } ++ ++ STACK_OF(CONF_VALUE) *providers_sect = locate_section(cnf, "openssl_conf.providers"); ++ if (providers_sect == NULL) ++ return; ++ ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(providers_sect); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(providers_sect, idx); ++ /* The section name in the providers section is typically the basename ++ * of the loadable module, unless the section for this provider ++ * contains a 'module' option. */ ++ const OPENSSL_CSTRING provider_name = value->name; ++ const OPENSSL_CSTRING section_name = value->value; ++ ++ if (strcmp(provider_name, "default") == 0 ++ || strcmp(provider_name, "base") == 0 ++ || strcmp(provider_name, "fips") == 0) { ++ /* This is either a builtin provider, which does not exist on disk, ++ * or it was handled earlier. */ ++ continue; ++ } ++ ++ STACK_OF(CONF_VALUE) *section = NCONF_get_section(cnf, section_name); ++ if (section == NULL) { ++ printf("%s/%s.so\n", modulesdir, provider_name); ++ } else { ++ OPENSSL_CSTRING module_path = get_option(section, "module"); ++ if (module_path) { ++ if (*module_path == '/') { ++ puts(module_path); ++ } else { ++ printf("%s/%s\n", modulesdir, module_path); ++ } ++ } else { ++ printf("%s/%s.so\n", modulesdir, provider_name); ++ } ++ } ++ } ++} ++ ++static void list_engines(const CONF *cnf) { ++ const char *enginesdir = OPENSSL_info(OPENSSL_INFO_ENGINES_DIR); ++ ++ STACK_OF(CONF_VALUE) *engines_sect = locate_section(cnf, "openssl_conf.engines"); ++ if (engines_sect == NULL) ++ return; ++ ++ for (size_t idx = 0; idx < sk_CONF_VALUE_num(engines_sect); ++idx) { ++ const CONF_VALUE *value = sk_CONF_VALUE_value(engines_sect, idx); ++ const OPENSSL_CSTRING section_name = value->value; ++ ++ STACK_OF(CONF_VALUE) *section = NCONF_get_section(cnf, section_name); ++ if (section == NULL) ++ 
continue; ++ OPENSSL_CSTRING dynamic_path = get_option(section, "dynamic_path"); ++ if (dynamic_path == NULL) ++ continue; ++ ++ if (*dynamic_path == '/') { ++ puts(dynamic_path); ++ } else { ++ printf("%s/%s\n", enginesdir, dynamic_path); ++ } ++ } ++} ++ ++ ++/** ++ * Parse the default OpenSSL configuration file (or the one specified in the ++ * OPENSSL_CONF environment variable) and write it back to stdout in ++ * a canonical format with all includes and variables expanded. ++ */ ++int main(int argc, char *argv[]) { ++ struct option long_options[] = { ++ {"config", no_argument, NULL, CONFIG_FILE}, ++ {"engines", no_argument, NULL, ENGINES}, ++ {"providers", no_argument, NULL, PROVIDERS}, ++ {"help", no_argument, NULL, 'h'}, ++ {NULL, 0, NULL, 0}, ++ }; ++ int chosen_options[sizeof(long_options) / sizeof(*long_options) - 2] = {0}; ++ ++ for (size_t idx = 0; idx < sizeof(chosen_options) / sizeof(*chosen_options); idx++) { ++ long_options[idx].flag = &chosen_options[idx]; ++ } ++ ++ int c; ++ char *configfile cleanup(char) = NULL; ++ while (1) { ++ c = getopt_long(argc, argv, "", long_options, NULL); ++ switch (c) { ++ case -1: ++ // end of options ++ goto options_parsed; ++ break; ++ case 0: ++ /* option detected, we use flags to react, so no need for ++ * custom code here. 
*/ ++ break; ++ case 'h': ++ // --help output requested ++ fprintf(stderr, "Usage: %s OPTIONS\n\n", argv[0]); ++ fputs( ++ "OPTIONS are:\n" ++ " --config\n" ++ " Print the path of the OpenSSL configuration file on\n" ++ " this system\n" ++ " --engines\n" ++ " Print the path of any OpenSSL ENGINEs configured in\n" ++ " the configuration file\n" ++ " --providers\n" ++ " Print the path of any OpenSSL providers configured in\n" ++ " the configuration file\n" ++ " --help\n" ++ " Print this help output\n", ++ stderr ++ ); ++ return EXIT_FAILURE; ++ break; ++ case '?': ++ case ':': ++ // error, getopt(3) already printed a message ++ return EXIT_FAILURE; ++ break; ++ default: ++ fprintf(stderr, "getopt(3) returned unexpected character code 0%o\n", c); ++ return EXIT_FAILURE; ++ break; ++ } ++ } ++options_parsed: ++ ++ configfile = CONF_get1_default_config_file(); ++ if (configfile == NULL) { ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ CONF *cnf cleanup(CONF) = NCONF_new(NULL); ++ if (cnf == NULL) { ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ long eline = 0; ++ if (NCONF_load(cnf, configfile, &eline) == 0) { ++ fprintf(stderr, "Error on line %ld of configuration file\n", eline); ++ ERR_print_errors_fp(stderr); ++ return EXIT_FAILURE; ++ } ++ ++ bool any_chosen = false; ++ for (size_t idx = 0; idx < sizeof(chosen_options) / sizeof(*chosen_options); idx++) { ++ if (chosen_options[idx] != 0) { ++ any_chosen = true; ++ } ++ switch (chosen_options[idx]) { ++ case CONFIG_FILE: ++ puts(configfile); ++ break; ++ case ENGINES: ++ list_engines(cnf); ++ break; ++ case PROVIDERS: ++ list_providers(cnf); ++ break; ++ case PKCS11_MODULES: ++ break; ++ } ++ } ++ ++ if (!any_chosen) { ++ fprintf(stderr, "No options were provided, so no output was produced. 
See --help for instructions.\n"); ++ return EXIT_FAILURE; ++ } ++ ++ return EXIT_SUCCESS; ++} +diff --git a/src/ossl/tests/config/escapes.cnf b/src/ossl/tests/config/escapes.cnf +new file mode 100644 +index 00000000..9fe2fbc8 +--- /dev/null ++++ b/src/ossl/tests/config/escapes.cnf +@@ -0,0 +1,11 @@ ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = "/C=FI/O=Insta # Demo/CN=Insta Demo CA" ++1.recipient = /C=FI/O=Insta \n Demo/CN=Insta Demo CA ++2.recipient = /C=FI/O=Insta \b Demo/CN=Insta Demo CA ++3.recipient = /C=FI/O=Insta \r Demo/CN=Insta Demo CA ++4.recipient = /C=FI/O=Insta \t Demo/CN=Insta Demo CA ++5.recipient = "/C=FI/O=Insta ' Demo/CN=Insta Demo CA" ++6.recipient = '/C=FI/O=Insta " Demo/CN=Insta Demo CA' ++7.recipient = /C=FI/O=Insta \\ Demo/CN=Insta Demo CA +diff --git a/src/ossl/tests/config/escapes.cnf.expected b/src/ossl/tests/config/escapes.cnf.expected +new file mode 100644 +index 00000000..eff959fc +--- /dev/null ++++ b/src/ossl/tests/config/escapes.cnf.expected +@@ -0,0 +1,12 @@ ++# This configuration file was linarized and expanded from tests/config/escapes.cnf ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = /C=FI/O=Insta \# Demo/CN=Insta Demo CA ++1.recipient = /C=FI/O=Insta \n Demo/CN=Insta Demo CA ++2.recipient = /C=FI/O=Insta \b Demo/CN=Insta Demo CA ++3.recipient = /C=FI/O=Insta \r Demo/CN=Insta Demo CA ++4.recipient = /C=FI/O=Insta \t Demo/CN=Insta Demo CA ++5.recipient = /C=FI/O=Insta \' Demo/CN=Insta Demo CA ++6.recipient = /C=FI/O=Insta \" Demo/CN=Insta Demo CA ++7.recipient = /C=FI/O=Insta \\ Demo/CN=Insta Demo CA +diff --git a/src/ossl/tests/config/included-file.noncnf b/src/ossl/tests/config/included-file.noncnf +new file mode 100644 +index 00000000..51089f51 +--- /dev/null ++++ b/src/ossl/tests/config/included-file.noncnf +@@ -0,0 +1,2 @@ ++[included-file] ++present = true +diff --git a/src/ossl/tests/config/includes.1.d/includes1.cnf b/src/ossl/tests/config/includes.1.d/includes1.cnf +new file mode 100644 +index 
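Review bot: The loops in `get_option()`, `list_providers()` and `list_engines()` of src/ossl/src/ossl-files.c compare a `size_t idx` with `sk_CONF_VALUE_num()`, which returns `int` and yields -1 for a NULL stack; that -1 converts to a huge unsigned value, so only the NULL check each current caller happens to perform first prevents a NULL dereference. Using `int idx`, as `print_section()` in ossl-config.c does, removes the trap: `for (int idx = 0; idx < sk_CONF_VALUE_num(section); ++idx)`. The doc comment above `main()` was copied from ossl-config.c and still says the program writes the configuration back in canonical form, whereas this tool prints the file paths selected by `--config`, `--engines` and `--providers`; it should be reworded accordingly. `locate_section()` also leaves the result of `OPENSSL_strdup()` unchecked, and on NULL the `while (curpath)` loop is skipped and the default section is returned instead of NULL.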
00000000..44c17ecd +--- /dev/null ++++ b/src/ossl/tests/config/includes.1.d/includes1.cnf +@@ -0,0 +1,2 @@ ++[includes1] ++cnf-file = present +diff --git a/src/ossl/tests/config/includes.1.d/includes1.conf b/src/ossl/tests/config/includes.1.d/includes1.conf +new file mode 100644 +index 00000000..c6e3c0c6 +--- /dev/null ++++ b/src/ossl/tests/config/includes.1.d/includes1.conf +@@ -0,0 +1,2 @@ ++[includes1] ++conf-file = present +diff --git a/src/ossl/tests/config/includes.1.d/nonconf.bak b/src/ossl/tests/config/includes.1.d/nonconf.bak +new file mode 100644 +index 00000000..f5835c63 +--- /dev/null ++++ b/src/ossl/tests/config/includes.1.d/nonconf.bak +@@ -0,0 +1,2 @@ ++[includes1] ++nonconf = not present +diff --git a/src/ossl/tests/config/includes.2.d/main.cnf b/src/ossl/tests/config/includes.2.d/main.cnf +new file mode 100644 +index 00000000..a9141010 +--- /dev/null ++++ b/src/ossl/tests/config/includes.2.d/main.cnf +@@ -0,0 +1,4 @@ ++[includes2] ++main = present ++ ++.include tests/config/include.2.d/subincludes.d +diff --git a/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf b/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf +new file mode 100644 +index 00000000..9cbf6c7e +--- /dev/null ++++ b/src/ossl/tests/config/includes.2.d/subincludes.d/subconf.cnf +@@ -0,0 +1,2 @@ ++[includes2] ++subconf = absent +diff --git a/src/ossl/tests/config/includes.cnf b/src/ossl/tests/config/includes.cnf +new file mode 100644 +index 00000000..fd243487 +--- /dev/null ++++ b/src/ossl/tests/config/includes.cnf +@@ -0,0 +1,6 @@ ++openssl_conf = openssl_init ++ ++.include = tests/config/includes.1.d ++.include tests/config/includes.2.d ++.include tests/config/nonexistant.d ++.include tests/config/included-file.noncnf +diff --git a/src/ossl/tests/config/includes.cnf.expected b/src/ossl/tests/config/includes.cnf.expected +new file mode 100644 +index 00000000..519729f1 +--- /dev/null ++++ b/src/ossl/tests/config/includes.cnf.expected +@@ -0,0 +1,12 @@ ++# This 
configuration file was linarized and expanded from tests/config/includes.cnf ++openssl_conf = openssl_init ++ ++[included-file] ++present = true ++ ++[includes1] ++cnf-file = present ++conf-file = present ++ ++[includes2] ++main = present +diff --git a/src/ossl/tests/config/leading-and-trailing-whitespace.cnf b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf +new file mode 100644 +index 00000000..2801bd72 +--- /dev/null ++++ b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf +@@ -0,0 +1,6 @@ ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = " /C=FI/O=Insta Demo/CN=Insta Demo CA" ++1.recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA " ++2.recipient = " /C=FI/O=Insta Demo/CN=Insta Demo CA " +diff --git a/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected +new file mode 100644 +index 00000000..3dd985cc +--- /dev/null ++++ b/src/ossl/tests/config/leading-and-trailing-whitespace.cnf.expected +@@ -0,0 +1,7 @@ ++# This configuration file was linarized and expanded from tests/config/leading-and-trailing-whitespace.cnf ++openssl_conf = openssl_init ++ ++[test] ++0.recipient = " "/C=FI/O=Insta Demo/CN=Insta Demo CA ++1.recipient = /C=FI/O=Insta Demo/CN=Insta Demo CA" " ++2.recipient = " "/C=FI/O=Insta Demo/CN=Insta Demo CA" " +diff --git a/src/ossl/tests/config/order.cnf b/src/ossl/tests/config/order.cnf +new file mode 100644 +index 00000000..89662a1a +--- /dev/null ++++ b/src/ossl/tests/config/order.cnf +@@ -0,0 +1,21 @@ ++# vim:ft=conf ++openssl_conf = openssl_init ++ ++[def] ++# Sections are alphabetically ordered ++0.recipient = 0 ++ ++[abc] ++# Order within sections is preserved, even if it isn't sorted ++7.recipient = 7 ++6.recipient = 6 ++4.recipient = 4 ++3.recipient = 3 ++5.recipient = 5 ++2.recipient = 2 ++1.recipient = 1 ++0.recipient = 0 ++ ++[default] ++# The default section is consolidated and always printed first ++aaatest = value +diff --git 
a/src/ossl/tests/config/order.cnf.expected b/src/ossl/tests/config/order.cnf.expected
+new file mode 100644
+index 00000000..50a62c90
+--- /dev/null
++++ b/src/ossl/tests/config/order.cnf.expected
+@@ -0,0 +1,16 @@
++# This configuration file was linarized and expanded from tests/config/order.cnf
++openssl_conf = openssl_init
++aaatest = value
++
++[abc]
++7.recipient = 7
++6.recipient = 6
++4.recipient = 4
++3.recipient = 3
++5.recipient = 5
++2.recipient = 2
++1.recipient = 1
++0.recipient = 0
++
++[def]
++0.recipient = 0
+diff --git a/src/ossl/tests/config/variables.cnf b/src/ossl/tests/config/variables.cnf
+new file mode 100644
+index 00000000..04916116
+--- /dev/null
++++ b/src/ossl/tests/config/variables.cnf
+@@ -0,0 +1,33 @@
++# vim:ft=conf
++openssl_conf = openssl_init
++
++default_var = ABC
++nested = "\${default_var}"
++
++[othersection]
++
++[test]
++# These should expand to ABC read from the default section
++0.recipient = ${default_var}
++1.recipient = $default_var
++2.recipient = $(default_var)
++# These should expand to DEF as the other section was explicitly referenced
++3.recipient = ${othersection::default_var}
++4.recipient = $othersection::default_var
++5.recipient = $(othersection::default_var)
++
++[test2]
++default_var = GHI
++# These should expand to GHI since the local section is always searched first
++0.recipient = ${default_var}
++1.recipient = $default_var
++
++[test3]
++.pragma dollarid:on
++# Out of these, the first should contain the literal "$default_var", the others should expand
++0.recipient = literal$default_var
++1.recipient = expanded${default_var}
++2.recipient = expanded$(default_var)
++
++[test4]
++recipient = literal$nested
+diff --git a/src/ossl/tests/config/variables.cnf.expected b/src/ossl/tests/config/variables.cnf.expected
+new file mode 100644
+index 00000000..a2bccf23
+--- /dev/null
++++ b/src/ossl/tests/config/variables.cnf.expected
+@@ -0,0 +1,27 @@
++# This configuration file was linarized and expanded from
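Review bot: The comment above `3.recipient` to `5.recipient` in `variables.cnf` says these should expand to DEF, but `[othersection]` is empty and `variables.cnf.expected` lists ABC for all three. As it stands the case cannot tell a section-qualified lookup from an unqualified one, since both resolve to the default section's value. Either add `default_var = DEF` under `[othersection]` and expect DEF in the `.expected` file, or reword the comment to `# These expand to ABC: [othersection] has no default_var, so the default section is used`.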
tests/config/variables.cnf
++openssl_conf = openssl_init
++default_var = ABC
++nested = \${default_var}
++
++[othersection]
++
++[test]
++0.recipient = ABC
++1.recipient = ABC
++2.recipient = ABC
++3.recipient = ABC
++4.recipient = ABC
++5.recipient = ABC
++
++[test2]
++default_var = GHI
++0.recipient = GHI
++1.recipient = GHI
++
++[test3]
++0.recipient = literal\$default_var
++1.recipient = expandedABC
++2.recipient = expandedABC
++
++[test4]
++recipient = literal\$nested
+diff --git a/src/ossl/tests/files/engines.cnf b/src/ossl/tests/files/engines.cnf
+new file mode 100644
+index 00000000..5ca8be01
+--- /dev/null
++++ b/src/ossl/tests/files/engines.cnf
+@@ -0,0 +1,22 @@
++openssl_conf = openssl_init
++
++[openssl_init]
++engines = engines_sect
++
++[engines_sect]
++afalg = afalg_sect
++loader_attic = loader_attic_sect
++pkcs11 = pkcs11_sect
++
++[afalg_sect]
++dynamic_path = afalg.so
++
++[loader_attic_sect]
++dynamic_path = /usr/lib64/engines-3/loader_attic.so
++init = 1
++
++[pkcs11_sect]
++engine_id = pkcs11
++dynamic_path = /usr/lib64/engines-3/libpkcs11.so
++MODULE_PATH = opensc-pkcs11.so
++init = 1
+diff --git a/src/ossl/tests/files/engines.cnf.expected b/src/ossl/tests/files/engines.cnf.expected
+new file mode 100644
+index 00000000..2d60cc52
+--- /dev/null
++++ b/src/ossl/tests/files/engines.cnf.expected
+@@ -0,0 +1,4 @@
++/usr/lib64/engines-3/afalg.so
++/usr/lib64/engines-3/loader_attic.so
++/usr/lib64/engines-3/libpkcs11.so
++/usr/lib64/ossl-modules/fips.so
+diff --git a/src/ossl/tests/files/providers.cnf b/src/ossl/tests/files/providers.cnf
+new file mode 100644
+index 00000000..fee4c826
+--- /dev/null
++++ b/src/ossl/tests/files/providers.cnf
+@@ -0,0 +1,31 @@
++openssl_conf = openssl_init
++
++[openssl_init]
++providers = providers_sect
++
++[providers_sect]
++default = default_sect
++fips = fips_sect
++legacy = legacy_sect
++base = base_sect
++pkcs11 = pkcs11_sect
++oqs = oqs_sect
++
++[default_sect]
++activate = 1
++
++[fips_sect]
++activate = 1
++
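Review bot: `engines.cnf.expected` lists the three engine objects and `fips.so`, but not the `opensc-pkcs11.so` that `[pkcs11_sect]` passes as `MODULE_PATH`. If this list decides what gets copied into the initramfs (the consumer is not part of this section of the patch), the pkcs11 engine would be installed with `init = 1` while the module it is told to load is missing. Either resolve `MODULE_PATH` as well, or state in a comment in `engines.cnf` that it is deliberately out of scope. A one-line comment there on why `fips.so` is expected although the config never names it would also help the next reader.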
++[legacy_sect] ++activate = 1 ++ ++[base_sect] ++activate = 1 ++ ++[pkcs11_sect] ++activate = 1 ++ ++[oqs_sect] ++activate = 1 ++module = /usr/lib64/ossl-modules/oqsprovider.so.0.6.0 +diff --git a/src/ossl/tests/files/providers.cnf.expected b/src/ossl/tests/files/providers.cnf.expected +new file mode 100644 +index 00000000..23b1b7de +--- /dev/null ++++ b/src/ossl/tests/files/providers.cnf.expected +@@ -0,0 +1,4 @@ ++/usr/lib64/ossl-modules/fips.so ++/usr/lib64/ossl-modules/legacy.so ++/usr/lib64/ossl-modules/pkcs11.so ++/usr/lib64/ossl-modules/oqsprovider.so.0.6.0 +diff --git a/test/container/Dockerfile-CentOS-9-Stream b/test/container/Dockerfile-CentOS-9-Stream +index 3f0cdf6c..337a38ef 100644 +--- a/test/container/Dockerfile-CentOS-9-Stream ++++ b/test/container/Dockerfile-CentOS-9-Stream +@@ -45,6 +45,7 @@ RUN dnf -y install --enablerepo crb --setopt=install_weak_deps=False \ + wget \ + which \ + xz \ ++ openssl-devel \ + && dnf -y update && dnf clean all + + # C9S ships only qemu-kvm, but it disables the KVM accel when it's not diff --git a/dracut.spec b/dracut.spec index aa29476..3c7efbf 100644 --- a/dracut.spec +++ b/dracut.spec @@ -5,7 +5,7 @@ # strip the automatically generated dep here and instead co-own the # directory. %global __requires_exclude pkg-config -%define dist_free_release 79.git20241127 +%define dist_free_release 86.git20250217 Name: dracut Version: 057 @@ -107,6 +107,13 @@ Patch75: 0075.patch Patch76: 0076.patch Patch77: 0077.patch Patch78: 0078.patch +Patch79: 0079.patch +Patch80: 0080.patch +Patch81: 0081.patch +Patch82: 0082.patch +Patch83: 0083.patch +Patch84: 0084.patch +Patch85: 0085.patch Source1: https://www.gnu.org/licenses/lgpl-2.1.txt @@ -118,6 +125,7 @@ BuildRequires: gcc %if 0%{?fedora} || 0%{?rhel} BuildRequires: pkgconfig BuildRequires: systemd +BuildRequires: openssl-devel %endif %if 0%{?fedora} BuildRequires: bash-completion 
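Review bot: `BuildRequires: openssl-devel` is added inside `%if 0%{?fedora} || 0%{?rhel}`, while the following `%files` hunk lists `%{dracutlibdir}/ossl-config` and `%{dracutlibdir}/ossl-files` with no condition visible in its context. The spec still carries `0%{?suse_version}` branches, so a build on such a target would presumably lack the OpenSSL headers and then fail, either at compile time or on the missing packaged files. Either move the `BuildRequires` out of the conditional or guard the two `%files` entries with the same `%if`. The `%files` section starts outside the hunks, so an enclosing condition cannot be ruled out from here.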
@@ -356,6 +364,8 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{dracutlibdir}/dracut-initramfs-restore %{dracutlibdir}/dracut-install %{dracutlibdir}/dracut-util +%{dracutlibdir}/ossl-config +%{dracutlibdir}/ossl-files %{dracutlibdir}/skipcpio %config(noreplace) %{_sysconfdir}/dracut.conf %if 0%{?fedora} || 0%{?suse_version} || 0%{?rhel} @@ -481,6 +491,7 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{dracutlibdir}/modules.d/99base %{dracutlibdir}/modules.d/99memstrack %{dracutlibdir}/modules.d/99fs-lib +%{dracutlibdir}/modules.d/99openssl %{dracutlibdir}/modules.d/99shutdown %attr(0644,root,root) %ghost %config(missingok,noreplace) %{_localstatedir}/log/dracut.log %dir %{_sharedstatedir}/initramfs @@ -559,6 +570,12 @@ echo 'dracut_rescue_image="yes"' > $RPM_BUILD_ROOT%{dracutlibdir}/dracut.conf.d/ %{_prefix}/lib/kernel/install.d/51-dracut-rescue.install %changelog +* Mon Feb 17 2025 Pavel Valena - 057-86.git20250217 +- fix(35network-manager): remove duplicate installkernel +- feat(fips): include fips module unconditionally +- fix(dracut.sh): make omit-drivers option do exact match for +- feat: add openssl module + * Wed Nov 27 2024 Pavel Valena - 057-79.git20241127 - fix(35network-manager): install nftables kernel modules - fix(35network-manager): install nft binary during module