From 21d9cd13e15c0db167554728c8bd9a7a39738840 Mon Sep 17 00:00:00 2001
From: Elio Maldonado <emaldona@redhat.com>
Date: Wed, 20 Apr 2016 08:49:00 -0700
Subject: [PATCH] Change the POLICY_PATH to "/etc/crypto-policies/back-ends"

- Regenerate the check policy patch with hg to provide more context
- the nss-util portion included though not applied here but in nss-util
- todo: file bug upstream once we have done some testing
---
 nss-check-policy-file.patch | 194 +++++++++++++++++++++++++++++++-----
 nss.spec                    |  10 +-
 2 files changed, 178 insertions(+), 26 deletions(-)

diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch
index 51db5bf..6b0bf58 100644
--- a/nss-check-policy-file.patch
+++ b/nss-check-policy-file.patch
@@ -1,7 +1,12 @@
-diff -up ./nss/lib/nss/config.mk.check_policy_file ./nss/lib/nss/config.mk
---- ./nss/lib/nss/config.mk.check_policy_file	2016-03-16 14:44:30.254078910 -0700
-+++ ./nss/lib/nss/config.mk	2016-03-16 14:44:30.290079522 -0700
-@@ -104,3 +104,7 @@ DEFINES += -DWIN32_NSS3_DLL_COMPAT
+diff --git a/lib/nss/config.mk b/lib/nss/config.mk
+--- a/lib/nss/config.mk
++++ b/lib/nss/config.mk
+@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
+ ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
+ ifndef NS_USE_GCC
+ # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
+ # but do not put it in the import library.  See bug 142575.
+ DEFINES += -DWIN32_NSS3_DLL_COMPAT
  DLLFLAGS += -EXPORT:mktemp=nss_mktemp,PRIVATE
  endif
  endif
@@ -9,10 +14,15 @@ diff -up ./nss/lib/nss/config.mk.check_policy_file ./nss/lib/nss/config.mk
 +ifdef POLICY_FILE
 +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
 +endif
-diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
---- ./nss/lib/nss/nssinit.c.check_policy_file	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/nss/nssinit.c	2016-03-16 15:08:54.455301088 -0700
-@@ -335,7 +335,7 @@ nss_FindExternalRoot(const char *dbpath,
+diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
+--- a/lib/nss/nssinit.c
++++ b/lib/nss/nssinit.c
+@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
+ 
+ /*
+  * see nss_Init for definitions of the various options.
+  *
+  * this function builds a moduleSpec string from the options and previously
   * set statics (from PKCS11_Configure, for instance), and uses it to kick off
   * the loading of the various PKCS #11 modules.
   */
@@ -21,7 +31,9 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  nss_InitModules(const char *configdir, const char *certPrefix, 
  		const char *keyPrefix, const char *secmodName, 
  		const char *updateDir, const char *updCertPrefix, 
-@@ -345,7 +345,7 @@ nss_InitModules(const char *configdir, c
+ 		const char *updKeyPrefix, const char *updateID, 
+ 		const char *updateName, char *configName, char *configStrings,
+ 		PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
  		PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
  		PRBool isContextInit)
  {
@@ -30,7 +42,14 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
      char *moduleSpec = NULL;
      char *flags = NULL;
      char *lconfigdir = NULL;
-@@ -360,12 +360,12 @@ nss_InitModules(const char *configdir, c
+     char *lcertPrefix = NULL;
+     char *lkeyPrefix = NULL;
+     char *lsecmodName = NULL;
+     char *lupdateDir = NULL;
+     char *lupdCertPrefix = NULL;
+     char *lupdKeyPrefix = NULL;
+     char *lupdateID = NULL;
+     char *lupdateName = NULL;
  
      if (NSS_InitializePRErrorTable() != SECSuccess) {
  	PORT_SetError(SEC_ERROR_NO_MEMORY);
@@ -45,7 +64,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  
      /*
       * configdir is double nested, and Windows uses the same character
-@@ -432,14 +432,16 @@ loser:
+      * for file seps as we use for escapes! (sigh).
+      */
+     lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
+     if (lconfigdir == NULL) {
+ 	goto loser;
+@@ -427,24 +427,26 @@ loser:
+     if (lsecmodName) PORT_Free(lsecmodName);
+     if (lupdateDir) PORT_Free(lupdateDir);
+     if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
+     if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
+     if (lupdateID) PORT_Free(lupdateID);
      if (lupdateName) PORT_Free(lupdateName);
  
      if (moduleSpec) {
@@ -66,7 +95,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  }
  
  /*
-@@ -525,7 +527,7 @@ nss_Init(const char *configdir, const ch
+  * OK there are now lots of options here, lets go through them all:
+  *
+  * configdir - base directory where all the cert, key, and module datbases live.
+  * certPrefix - prefix added to the beginning of the cert database example: "
+  * 			"https-server1-"
+@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
+ 		 NSSInitContext ** initContextPtr,
+ 		 NSSInitParameters *initParams,
+ 		 PRBool readOnly, PRBool noCertDB, 
+ 		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
+ 		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
  		 PRBool allowAlreadyInitializedModules,
  		 PRBool dontFinalizeModules)
  {
@@ -75,7 +114,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
      PKIX_UInt32 actualMinorVersion = 0;
      PKIX_Error *pkixError = NULL;
      PRBool isReallyInitted;
-@@ -635,13 +637,13 @@ nss_Init(const char *configdir, const ch
+     char *configStrings = NULL;
+     char *configName = NULL;
+     PRBool passwordRequired = PR_FALSE;
+ 
+     /* if we are trying to init with a traditional NSS_Init call, maintain
+@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
+ 	configStrings = pk11_config_strings;
+ 	configName = pk11_config_name;
+ 	passwordRequired = pk11_password_required;
+     }
+ 
      /* Skip the module init if we are already initted and we are trying
       * to init with noCertDB and noModDB */
      if (!(isReallyInitted && noCertDB && noModDB)) {
@@ -91,7 +140,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  	    goto loser;
  	}
      }
-@@ -680,7 +682,24 @@ nss_Init(const char *configdir, const ch
+ 
+ 
+     /* finish up initialization */
+     if (!isReallyInitted) {
+ 	if (SECOID_Init() != SECSuccess) {
+@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
+ 		     * path. Skip it */
+ 		    dbpath = NULL;
+ 		}
+ 		if (dbpath) {
+ 		    nss_FindExternalRoot(dbpath, secmodName);
  		}
  	    }
  	}
@@ -117,7 +176,17 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  	pk11sdr_Init();
  	cert_CreateSubjectKeyIDHashTable();
  
-@@ -721,6 +740,9 @@ nss_Init(const char *configdir, const ch
+ 	pkixError = PKIX_Initialize
+ 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+ 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+ 
+ 	if (pkixError != NULL) {
+@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
+     nssIsInInit--;
+     /* now that we are inited, all waiters can move forward */
+     PZ_NotifyAllCondVar(nssInitCondition);
+     PZ_Unlock(nssInitLock);
+ 
      if (initContextPtr && configStrings) {
  	PR_smprintf_free(configStrings);
      }
@@ -127,7 +196,16 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
  
      return SECSuccess;
  
-@@ -737,6 +759,9 @@ loser:
+ loser:
+     if (initContextPtr && *initContextPtr) {
+ 	PORT_Free(*initContextPtr);
+ 	*initContextPtr = NULL;
+ 	if (configStrings) {
+ 	   PR_smprintf_free(configStrings);
+ 	}
+     }
+     PZ_Lock(nssInitLock);
+     nssIsInInit--;
      /* We failed to init, allow one to move forward */
      PZ_NotifyCondVar(nssInitCondition);
      PZ_Unlock(nssInitLock);
@@ -137,10 +215,20 @@ diff -up ./nss/lib/nss/nssinit.c.check_policy_file ./nss/lib/nss/nssinit.c
      return SECFailure;
  }
  
-diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11pars.c
---- ./nss/lib/pk11wrap/pk11pars.c.check_policy_file	2016-02-26 12:51:11.000000000 -0800
-+++ ./nss/lib/pk11wrap/pk11pars.c	2016-03-16 14:44:30.291079539 -0700
-@@ -110,6 +110,7 @@ secmod_NewModule(void)
+ 
+ SECStatus
+ NSS_Init(const char *configdir)
+ {
+     return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
+diff --git a/lib/pk11wrap/pk11pars.c b/lib/pk11wrap/pk11pars.c
+--- a/lib/pk11wrap/pk11pars.c
++++ b/lib/pk11wrap/pk11pars.c
+@@ -105,16 +105,17 @@ secmod_NewModule(void)
+  *   This  allows system NSS to delegate those changes to the user's module DB, 
+  *   preserving the user's ability to load new PKCS #11 modules (which only 
+  *   affect him), from existing applications like Firefox.
+  */
+ #define SECMOD_FLAG_MODULE_DB_IS_MODULE_DB  0x01 /* must be set if any of the 
  						  *other flags are set */
  #define SECMOD_FLAG_MODULE_DB_SKIP_FIRST    0x02
  #define SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB 0x04
@@ -148,17 +236,37 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
  
  
  /* private flags for internal (field in SECMODModule). */
-@@ -704,6 +705,9 @@ SECMOD_CreateModuleEx(const char *librar
+ /* The meaing of these flags is as follows:
+  *
+  * SECMOD_FLAG_INTERNAL_IS_INTERNAL - This is a marks the the module is
+  *   the internal module (that is, softoken). This bit is the same as the 
+  *   already existing meaning of internal = PR_TRUE. None of the other 
+@@ -699,16 +700,19 @@ SECMOD_CreateModuleEx(const char *librar
+     if (mod->isModuleDB) {
+ 	char flags = SECMOD_FLAG_MODULE_DB_IS_MODULE_DB;
+ 	if (NSSUTIL_ArgHasFlag("flags","skipFirst",nssc)) {
+ 	    flags |= SECMOD_FLAG_MODULE_DB_SKIP_FIRST;
+ 	}
  	if (NSSUTIL_ArgHasFlag("flags","defaultModDB",nssc)) {
  	    flags |= SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB;
  	}
-+	if (NSSUTIL_ArgHasFlag("flags","policyOnly",nssc)) {
++	if (NSSUTIL_ArgHasFlag("flags", "policyOnly", nssc)) {
 +	    flags |= SECMOD_FLAG_MODULE_DB_POLICY_ONLY;
 +	}
  	/* additional moduleDB flags could be added here in the future */
  	mod->isModuleDB = (PRBool) flags;
      }
-@@ -743,6 +747,14 @@ SECMOD_GetDefaultModDBFlag(SECMODModule
+ 
+     if (mod->internal) {
+ 	char flags = SECMOD_FLAG_INTERNAL_IS_INTERNAL;
+ 
+ 	if (NSSUTIL_ArgHasFlag("flags", "internalKeySlot", nssc)) {
+@@ -738,16 +742,24 @@ PRBool
+ SECMOD_GetDefaultModDBFlag(SECMODModule *mod)
+ {
+    char flags = (char) mod->isModuleDB;
+ 
+    return (flags & SECMOD_FLAG_MODULE_DB_DEFAULT_MODDB) ? PR_TRUE : PR_FALSE;
  }
  
  PRBool
@@ -173,7 +281,17 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
  secmod_IsInternalKeySlot(SECMODModule *mod)
  {
     char flags = (char) mod->internal;
-@@ -1526,6 +1538,12 @@ SECMOD_LoadModule(char *modulespec,SECMO
+ 
+    return (flags & SECMOD_FLAG_INTERNAL_KEY_SLOT) ? PR_TRUE : PR_FALSE;
+ }
+ 
+ void
+@@ -1521,16 +1533,22 @@ SECMOD_LoadModule(char *modulespec,SECMO
+     if (library) PORT_Free(library);
+     if (moduleName) PORT_Free(moduleName);
+     if (parameters) PORT_Free(parameters);
+     if (nss) PORT_Free(nss);
+     if (config) PORT_Free(config);
      if (!module) {
  	goto loser;
      }
@@ -186,3 +304,31 @@ diff -up ./nss/lib/pk11wrap/pk11pars.c.check_policy_file ./nss/lib/pk11wrap/pk11
      if (parent) {
      	module->parent = SECMOD_ReferenceModule(parent);
  	if (module->internal && secmod_IsInternalKeySlot(parent)) {
+ 	    module->internal = parent->internal;
+ 	}
+     }
+ 
+     /* load it */
+diff --git a/lib/util/utilpars.c b/lib/util/utilpars.c
+--- a/lib/util/utilpars.c
++++ b/lib/util/utilpars.c
+@@ -1139,17 +1139,18 @@ char *
+ 	*dbType = NSS_DB_TYPE_SQL;
+ 	PORT_Free(*filename);
+ 	*filename = NULL;
+         *rw = PR_FALSE;
+    }
+ 
+    /* only use the renamed secmod for legacy databases */
+    if ((*dbType != NSS_DB_TYPE_LEGACY) && 
+-	(*dbType != NSS_DB_TYPE_MULTIACCESS)) {
++	(*dbType != NSS_DB_TYPE_MULTIACCESS) &&
++	  !NSSUTIL_ArgHasFlag("flags", "forceSecmodChoice", save_params)) {
+ 	secmodName="pkcs11.txt";
+    }
+ 
+    if (noModDB) {
+ 	value = NULL;
+    } else if (lconfigdir && lconfigdir[0] != '\0') {
+ 	value = PR_smprintf("%s" NSSUTIL_PATH_SEPARATOR "%s",
+ 			lconfigdir,secmodName);
diff --git a/nss.spec b/nss.spec
index 6f6650b..56b24d3 100644
--- a/nss.spec
+++ b/nss.spec
@@ -21,7 +21,7 @@ Name:             nss
 Version:          3.23.0
 # for Rawhide, please always use release >= 2
 # for Fedora release branches, please use release < 2 (1.0, 1.1, ...)
-Release:          6%{?dist}
+Release:          7%{?dist}
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -189,7 +189,9 @@ popd
 %patch54 -p0 -b .ssl2_off
 %patch55 -p1 -b .skip_stress_tls_rc4_128_with_md5
 %patch58 -p0 -b .1185708_3des
+pushd nss
 %patch59 -p1 -b .check_policy_file
+popd
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -308,7 +310,7 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 # if set NSS will always check for the policy file and load it if it exists
 export POLICY_FILE="policy.cfg"
 # location of the policy file
-export POLICY_PATH="/etc/pki/nssdb"
+export POLICY_PATH="/etc/crypto-policies/back-ends"
 
 # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
 # need nss/lib/util/verref.h which is which is exported privately,
@@ -824,6 +826,10 @@ fi
 
 
 %changelog
+* Wed Apr 20 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-7
+- Change the POLICY_PATH to "/etc/crypto-policies/back-ends"
+- Regenerate the check policy patch with hg to provide more context
+
 * Thu Apr 14 2016 Elio Maldonado <emaldona@redhat.com> - 3.23.0-6
 - Fix typo in the last %%changelog entry