Incorporate more changes requested in upstream review and commited upstream (#1157720)

- still keeping two separate patches
2016-07-14 10:41:00 -07:00 · 2016-07-14 10:41:00 -07:00 · 7854e70d7e
commit 7854e70d7e
parent ff192a931a
2 changed files with 108 additions and 10 deletions
--- a/nss-conditionally-ignore-system-policy.patch
+++ b/nss-conditionally-ignore-system-policy.patch
@ -1,6 +1,54 @@
--- ./lib/nss/nssinit.c.cond_ignore	2016-07-01 16:09:21.187499579 -0700
-+++ ./lib/nss/nssinit.c	2016-07-01 16:19:16.095862425 -0700
-@@ -529,16 +529,19 @@
+--- ./lib/nss/nssinit.c.cond_ignore	2016-07-14 06:07:08.607951998 -0700
+++ ./lib/nss/nssinit.c	2016-07-14 06:11:07.698966728 -0700
+@@ -427,23 +427,21 @@
+     if (lsecmodName) PORT_Free(lsecmodName);
+     if (lupdateDir) PORT_Free(lupdateDir);
+     if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
+     if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
+     if (lupdateID) PORT_Free(lupdateID);
+     if (lupdateName) PORT_Free(lupdateName);
+ 
+     if (moduleSpec) {
+-	module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
+	module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
+ 	PR_smprintf_free(moduleSpec);
+-	if (module) {
+-	    if (!module->loaded) {
+-	        SECMOD_DestroyModule(module);
+-		module = NULL;
+-	    }
+	if (module && !module->loaded) {
+	    SECMOD_DestroyModule(module);
+	    return NULL;
+ 	}
+     }
+     return module;
+ }
+ 
+ /*
+  * OK there are now lots of options here, lets go through them all:
+  *
+@@ -511,41 +509,44 @@
+ 	return PR_FAILURE;
+     }
+     return PR_SUCCESS;
+ }
+ 
+ 
+ static SECStatus
+ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
+-		 const char *secmodName, const char *updateDir, 
+		 const char *secmodName, const char *updateDir,
+ 		 const char *updCertPrefix, const char *updKeyPrefix,
+ 		 const char *updateID, const char *updateName,
+ 		 NSSInitContext ** initContextPtr,
+ 		 NSSInitParameters *initParams,
+-		 PRBool readOnly, PRBool noCertDB, 
+		 PRBool readOnly, PRBool noCertDB,
+ 		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
+ 		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
+ 		 PRBool allowAlreadyInitializedModules,
+ 		 PRBool dontFinalizeModules)
 {
     SECMODModule *parent = NULL;
     PKIX_UInt32 actualMinorVersion = 0;
@ -18,9 +66,41 @@
     if (!initContextPtr && nssIsInitted) {
 	return SECSuccess;
     }
-   
+-  
+
     /* make sure our lock and condition variable are initialized one and only
-@@ -678,32 +681,38 @@
+      * one time */ 
+     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
+ 	return SECFailure;
+     }
+ 
+     /*
+      * if we haven't done basic initialization, single thread the 
+@@ -632,20 +633,20 @@
+ 	configStrings = pk11_config_strings;
+ 	configName = pk11_config_name;
+ 	passwordRequired = pk11_password_required;
+     }
+ 
+     /* Skip the module init if we are already initted and we are trying
+      * to init with noCertDB and noModDB */
+     if (!(isReallyInitted && noCertDB && noModDB)) {
+-	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
+-		updateDir, updCertPrefix, updKeyPrefix, updateID, 
+	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
+		updateDir, updCertPrefix, updKeyPrefix, updateID,
+ 		updateName, configName, configStrings, passwordRequired,
+-		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
+		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
+ 		(initContextPtr != NULL));
+ 
+ 	if (parent == NULL) {
+ 	    goto loser;
+ 	}
+     }
+ 
+ 
+@@ -678,50 +679,54 @@
 		    dbpath = NULL;
 		}
 		if (dbpath) {
@ -30,12 +110,12 @@
 	}
 #ifdef POLICY_FILE
 -        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
-+	/* Load the system crypo policy file if it exists,
+	/* Load the system crypto policy file if it exists,
 +	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
 +	 * variable has been set to 1. */
 +	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
-+	if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
-+	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+	if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
+	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
 	    SECMODModule *module = SECMOD_LoadModule(
 		"name=\"Policy File\" "
 		"parameters=\"configdir='sql:" POLICY_PATH "' "
@ -61,3 +141,21 @@
 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
 
+ 	if (pkixError != NULL) {
+ 	    goto loser;
+ 	} else {
+             char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
+             if (ev && ev[0]) {
+                 CERT_SetUsePKIXForValidation(PR_TRUE);
+             }
+         }
+-
+-
+     }
+ 
+     /*
+      * Now mark the appropriate init state. If initContextPtr was passed
+      * in, then return the new context pointer and add it to the
+      * nssInitContextList. Otherwise set the global nss_isInitted flag
+      */
+     PZ_Lock(nssInitLock);
--- a/nss.spec
+++ b/nss.spec
@ -794,7 +794,7 @@ fi


 %changelog
-* Wed Jul 13 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
+* Thu Jul 14 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
 - Incorporate some changes requested in upstream review and commited upstream (#1157720)

 * Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
@ -824,7 +824,7 @@ fi
 - Resolves: Bug 1342158 - nss-3.24 does no longer support ssl V2, installation of IPA fails because nss init fails

 * Sun May 29 2016 Elio Maldonado <emaldona@redhat.com> - 3.24.0-2.1
- Rebase to NSS 3.24.0 
+- Rebase to NSS 3.24.0
 - Restore setting the policy file location
 - Make ssl tests scripts aware of policy
 - Ajust tests data expected result for policy