Merge branch 'master' into private-emaldona-crypto-policy-work

nss-check-policy-file.patch

@@ -1,7 +1,7 @@
 diff --git a/lib/nss/config.mk b/lib/nss/config.mk
 --- a/lib/nss/config.mk
 +++ b/lib/nss/config.mk
-@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
+@@ -95,8 +95,15 @@ SHARED_LIBRARY_DIRS = \
  ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
  ifndef NS_USE_GCC
  # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
@@ -12,6 +12,9 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk
  endif
 +
 +ifdef POLICY_FILE
++ifndef POLICY_PATH
++$(error You must define POLICY_PATH if you set POLICY_FILE)
++endif
 +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
 +endif
 diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c

nss-conditionally-ignore-system-policy.patch

@@ -1,11 +1,54 @@
-<<<<<<< HEAD
+--- ./lib/nss/nssinit.c.cond_ignore	2016-07-14 06:07:08.607951998 -0700
---- ./lib/nss/nssinit.c.ignore_system_policy	2016-06-06 07:57:54.924457084 -0700
++++ ./lib/nss/nssinit.c	2016-07-14 06:11:07.698966728 -0700
-+++ ./lib/nss/nssinit.c	2016-06-06 08:01:27.753830455 -0700
+@@ -427,23 +427,21 @@
-@@ -678,17 +678,18 @@
+     if (lsecmodName) PORT_Free(lsecmodName);
-=======
+     if (lupdateDir) PORT_Free(lupdateDir);
---- ./lib/nss/nssinit.c.cond_ignore	2016-07-01 16:09:21.187499579 -0700
+     if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
-+++ ./lib/nss/nssinit.c	2016-07-01 16:19:16.095862425 -0700
+     if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
-@@ -529,16 +529,19 @@
+     if (lupdateID) PORT_Free(lupdateID);
+     if (lupdateName) PORT_Free(lupdateName);
+ 
+     if (moduleSpec) {
+-	module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
++	module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
+ 	PR_smprintf_free(moduleSpec);
+-	if (module) {
+-	    if (!module->loaded) {
+-	        SECMOD_DestroyModule(module);
+-		module = NULL;
+-	    }
++	if (module && !module->loaded) {
++	    SECMOD_DestroyModule(module);
++	    return NULL;
+ 	}
+     }
+     return module;
+ }
+ 
+ /*
+  * OK there are now lots of options here, lets go through them all:
+  *
+@@ -511,41 +509,44 @@
+ 	return PR_FAILURE;
+     }
+     return PR_SUCCESS;
+ }
+ 
+ 
+ static SECStatus
+ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
+-		 const char *secmodName, const char *updateDir, 
++		 const char *secmodName, const char *updateDir,
+ 		 const char *updCertPrefix, const char *updKeyPrefix,
+ 		 const char *updateID, const char *updateName,
+ 		 NSSInitContext ** initContextPtr,
+ 		 NSSInitParameters *initParams,
+-		 PRBool readOnly, PRBool noCertDB, 
++		 PRBool readOnly, PRBool noCertDB,
+ 		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
+ 		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
+ 		 PRBool allowAlreadyInitializedModules,
+ 		 PRBool dontFinalizeModules)
  {
      SECMODModule *parent = NULL;
      PKIX_UInt32 actualMinorVersion = 0;
@@ -23,10 +66,41 @@
      if (!initContextPtr && nssIsInitted) {
  	return SECSuccess;
      }
-   
+-  
++
      /* make sure our lock and condition variable are initialized one and only
-@@ -678,32 +681,38 @@
+      * one time */ 
->>>>>>> origin/private-rebase-work-fedora-rawhide
+     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
+ 	return SECFailure;
+     }
+ 
+     /*
+      * if we haven't done basic initialization, single thread the 
+@@ -632,20 +633,20 @@
+ 	configStrings = pk11_config_strings;
+ 	configName = pk11_config_name;
+ 	passwordRequired = pk11_password_required;
+     }
+ 
+     /* Skip the module init if we are already initted and we are trying
+      * to init with noCertDB and noModDB */
+     if (!(isReallyInitted && noCertDB && noModDB)) {
+-	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
+-		updateDir, updCertPrefix, updKeyPrefix, updateID, 
++	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
++		updateDir, updCertPrefix, updKeyPrefix, updateID,
+ 		updateName, configName, configStrings, passwordRequired,
+-		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
++		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
+ 		(initContextPtr != NULL));
+ 
+ 	if (parent == NULL) {
+ 	    goto loser;
+ 	}
+     }
+ 
+ 
+@@ -678,50 +679,54 @@
  		    dbpath = NULL;
  		}
  		if (dbpath) {
@@ -36,27 +110,18 @@
  	}
  #ifdef POLICY_FILE
 -        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
-<<<<<<< HEAD
++	/* Load the system crypto policy file if it exists,
-+        if (!PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY") &&
-+            PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
-=======
-+	/* Load the system crypo policy file if it exists,
 +	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
 +	 * variable has been set to 1. */
 +	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
-+	if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
++	if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
 +	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
->>>>>>> origin/private-rebase-work-fedora-rawhide
  	    SECMODModule *module = SECMOD_LoadModule(
  		"name=\"Policy File\" "
  		"parameters=\"configdir='sql:" POLICY_PATH "' "
  		"secmod='" POLICY_FILE "' "
  		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
  		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-<<<<<<< HEAD
- 		parent, PR_TRUE); 
- 	    if (module) {
-=======
 -		parent, PR_TRUE); 
 +		parent, PR_TRUE);
  	    if (module) {
@@ -76,4 +141,21 @@
  	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
  	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
  
->>>>>>> origin/private-rebase-work-fedora-rawhide
+ 	if (pkixError != NULL) {
+ 	    goto loser;
+ 	} else {
+             char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
+             if (ev && ev[0]) {
+                 CERT_SetUsePKIXForValidation(PR_TRUE);
+             }
+         }
+-
+-
+     }
+ 
+     /*
+      * Now mark the appropriate init state. If initContextPtr was passed
+      * in, then return the new context pointer and add it to the
+      * nssInitContextList. Otherwise set the global nss_isInitted flag
+      */
+     PZ_Lock(nssInitLock);

nss.spec

@@ -4,9 +4,6 @@
 %global unsupported_tools_directory %{_libdir}/nss/unsupported-tools
 %global allTools "certutil cmsutil crlutil derdump modutil pk12util signtool signver ssltap vfychain vfyserv"
 
-# uncomment to make nss ignore the system policy file
-%global nss_ignore_system_policy 1
-
 # solution taken from icedtea-web.spec
 %define multilib_arches %{power64} sparc64 x86_64 mips64 mips64el
 %ifarch %{multilib_arches}
@@ -97,26 +94,11 @@ Patch50:          iquote.patch
 Patch58: rhbz1185708-enable-ecc-3des-ciphers-by-default.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch59: nss-check-policy-file.patch
-<<<<<<< HEAD
-# TODO: file a bug usptream
-# Upstream commit that caused problems with gtests
-# https://git.fedorahosted.org/cgit/nss-pem.git/commit/
-Patch62: nss-skip-util-gtest.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
-Patch63: tests-check-policy-file.patch
-# TODO: Under test and could be merged with nss-check-policy-file.patch
-Patch64: nss-conditionally-ignore-system-policy.patch
-# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
-Patch65: tests-data-adjust-for-policy.patch
-Patch66: listsuites-do-queries.patch
-# TODO: file a bug upstream
-=======
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1279520
 Patch60: nss-conditionally-ignore-system-policy.patch
 # Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1280846
 Patch62: nss-skip-util-gtest.patch
 # TODO: file a bug upstream similar to the one for rsaperf
->>>>>>> origin/private-rebase-work-fedora-rawhide
 Patch70: nss-skip-ecperf.patch
 Patch71: listsuites-do-queries.patch
 
@@ -203,14 +185,8 @@ pushd nss
 %patch59 -p1 -b .check_policy_file
 %patch60 -p1 -b .cond_ignore
 %patch62 -p0 -b .skip_util_gtest
-<<<<<<< HEAD
-%patch63 -p1 -b .check_policy
-%patch64 -p0 -b .ignore_system_policy
-%patch66 -p1 -b .do_queries
-=======
 %patch70 -p1 -b .skip_ecperf
 %patch71 -p1 -b .do_queries
->>>>>>> origin/private-rebase-work-fedora-rawhide
 popd
 
 #########################################################
@@ -326,17 +302,6 @@ export POLICY_FILE="nss.config"
 # location of the policy file
 export POLICY_PATH="/etc/crypto-policies/back-ends"
 
-# to keep nss from loading the policy file
-%if %{nss_ignore_system_policy}
-export NSS_IGNORE_SYSTEM_POLICY=1
-%else
-# system policy is enforced
-pushd nss
-# change some sslauth.txt entries to expect failure when enforcing policy
-patch -p1 -b .expected_result < %{PATCH65}
-popd
-%endif
-
 # nss/nssinit.c, ssl/sslcon.c, smime/smimeutil.c and ckfw/builtins/binst.c
 # need nss/lib/util/verref.h which is exported privately,
 # copy the one we saved during prep so it they can find it.
@@ -439,11 +404,6 @@ export NSS_BLTEST_NOT_AVAILABLE=1
 # needed for the fips mangling test
 export SOFTOKEN_LIB_DIR=%{_libdir}
 
-# tests need to know we kept nss from loading the policy file
-%if %{nss_ignore_system_policy}
-export NSS_IGNORE_SYSTEM_POLICY=1
-%endif
-
 # End -- copied from the build section
 
 export NSS_IGNORE_SYSTEM_POLICY=1
@@ -836,8 +796,8 @@ fi
 
 
 %changelog
-* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
+* Thu Jul 14 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
-- Add support to listsuites to list ciphers allowed by policy
+- Incorporate some changes requested in upstream review and commited upstream (#1157720)
 
 * Fri Jul 01 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-5
 - Add support for conditionally ignoring the system policy (#1157720)
@@ -852,7 +812,6 @@ fi
 
 * Fri Jun 24 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-2
 - Rebase to nss 3.25
-- Add support for conditionally ignoring the system policy (#1157720)
 
 * Thu Jun 16 2016 Kamil Dudka <kdudka@redhat.com> - 3.24.0-3
 - decouple nss-pem from the nss package (#1347336)