From da7272436cff4459a0480924f8b7d805f1a6facb Mon Sep 17 00:00:00 2001
From: Elio Maldonado <emaldona@redhat.com>
Date: Tue, 12 Jul 2016 14:54:51 -0700
Subject: [PATCH] Incorporate some upstream review suggestions

---
 nss-check-policy-file.patch | 87 ++++++++++++++++++++++++++-----------
 nss.spec                    |  8 ++--
 2 files changed, 66 insertions(+), 29 deletions(-)

diff --git a/nss-check-policy-file.patch b/nss-check-policy-file.patch
index 6b0bf58..f7e3c43 100644
--- a/nss-check-policy-file.patch
+++ b/nss-check-policy-file.patch
@@ -1,7 +1,6 @@
-diff --git a/lib/nss/config.mk b/lib/nss/config.mk
---- a/lib/nss/config.mk
-+++ b/lib/nss/config.mk
-@@ -95,8 +95,12 @@ SHARED_LIBRARY_DIRS = \
+--- ./lib/nss/config.mk.check_policy_file	2016-07-12 09:11:01.198867052 -0700
++++ ./lib/nss/config.mk	2016-07-12 09:15:58.739946540 -0700
+@@ -99,8 +99,15 @@
  ifeq (,$(filter-out WINNT WIN95,$(OS_TARGET)))
  ifndef NS_USE_GCC
  # Export 'mktemp' to be backward compatible with NSS 3.2.x and 3.3.x
@@ -12,12 +11,14 @@ diff --git a/lib/nss/config.mk b/lib/nss/config.mk
  endif
 +
 +ifdef POLICY_FILE
++ifndef POLICY_PATH
++$(error You must define POLICY_PATH if you set POLICY_FILE)
++endif
 +DEFINES += -DPOLICY_FILE=\"$(POLICY_FILE)\" -DPOLICY_PATH=\"$(POLICY_PATH)\"
 +endif
-diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
---- a/lib/nss/nssinit.c
-+++ b/lib/nss/nssinit.c
-@@ -330,47 +330,47 @@ nss_FindExternalRoot(const char *dbpath,
+--- ./lib/nss/nssinit.c.check_policy_file	2016-06-20 10:11:28.000000000 -0700
++++ ./lib/nss/nssinit.c	2016-07-12 09:18:14.821671331 -0700
+@@ -330,47 +330,47 @@
  
  /*
   * see nss_Init for definitions of the various options.
@@ -69,7 +70,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
      lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
      if (lconfigdir == NULL) {
  	goto loser;
-@@ -427,24 +427,26 @@ loser:
+@@ -427,24 +427,24 @@
      if (lsecmodName) PORT_Free(lsecmodName);
      if (lupdateDir) PORT_Free(lupdateDir);
      if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
@@ -79,15 +80,13 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
  
      if (moduleSpec) {
 -	SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
-+	module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
++	module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
  	PR_smprintf_free(moduleSpec);
- 	if (module) {
+-	if (module) {
 -	    if (module->loaded) rv=SECSuccess;
--	    SECMOD_DestroyModule(module);
-+	    if (!module->loaded) {
-+	        SECMOD_DestroyModule(module);
-+		module = NULL;
-+	    }
++	if (module && !module->loaded) {
+ 	    SECMOD_DestroyModule(module);
++	    return NULL;
  	}
      }
 -    return rv;
@@ -100,10 +99,23 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
   * configdir - base directory where all the cert, key, and module datbases live.
   * certPrefix - prefix added to the beginning of the cert database example: "
   * 			"https-server1-"
-@@ -520,17 +522,17 @@ nss_Init(const char *configdir, const ch
+@@ -509,41 +509,44 @@
+ 	return PR_FAILURE;
+     }
+     return PR_SUCCESS;
+ }
+ 
+ 
+ static SECStatus
+ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
+-		 const char *secmodName, const char *updateDir, 
++		 const char *secmodName, const char *updateDir,
+ 		 const char *updCertPrefix, const char *updKeyPrefix,
+ 		 const char *updateID, const char *updateName,
  		 NSSInitContext ** initContextPtr,
  		 NSSInitParameters *initParams,
- 		 PRBool readOnly, PRBool noCertDB, 
+-		 PRBool readOnly, PRBool noCertDB, 
++		 PRBool readOnly, PRBool noCertDB,
  		 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
  		 PRBool optimizeSpace, PRBool noSingleThreadedModules,
  		 PRBool allowAlreadyInitializedModules,
@@ -117,9 +129,26 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
      char *configStrings = NULL;
      char *configName = NULL;
      PRBool passwordRequired = PR_FALSE;
++#ifdef POLICY_FILE
++    char *ignoreVar;
++#endif
  
      /* if we are trying to init with a traditional NSS_Init call, maintain
-@@ -630,23 +632,23 @@ nss_Init(const char *configdir, const ch
+      * the traditional idempotent behavior. */
+     if (!initContextPtr && nssIsInitted) {
+ 	return SECSuccess;
+     }
+-  
++
+     /* make sure our lock and condition variable are initialized one and only
+      * one time */ 
+     if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
+ 	return SECFailure;
+     }
+ 
+     /*
+      * if we haven't done basic initialization, single thread the 
+@@ -630,23 +633,23 @@
  	configStrings = pk11_config_strings;
  	configName = pk11_config_name;
  	passwordRequired = pk11_password_required;
@@ -129,10 +158,12 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
       * to init with noCertDB and noModDB */
      if (!(isReallyInitted && noCertDB && noModDB)) {
 -	rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
+-		updateDir, updCertPrefix, updKeyPrefix, updateID, 
 +	parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName, 
- 		updateDir, updCertPrefix, updKeyPrefix, updateID, 
++		updateDir, updCertPrefix, updKeyPrefix, updateID,
  		updateName, configName, configStrings, passwordRequired,
- 		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
+-		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace, 
++		readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
  		(initContextPtr != NULL));
  
 -	if (rv != SECSuccess) {
@@ -145,7 +176,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
      /* finish up initialization */
      if (!isReallyInitted) {
  	if (SECOID_Init() != SECSuccess) {
-@@ -675,17 +677,34 @@ nss_Init(const char *configdir, const ch
+@@ -675,17 +678,40 @@
  		     * path. Skip it */
  		    dbpath = NULL;
  		}
@@ -156,14 +187,19 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
  	}
 -
 +#ifdef POLICY_FILE
-+        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
++	/* Load the system crypto policy file if it exists,
++	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
++	 * variable has been set to 1. */
++	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
++	if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
++	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
 +	    SECMODModule *module = SECMOD_LoadModule(
 +		"name=\"Policy File\" "
 +		"parameters=\"configdir='sql:" POLICY_PATH "' "
 +		"secmod='" POLICY_FILE "' "
 +		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
 +		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-+		parent, PR_TRUE); 
++		parent, PR_TRUE);
 +	    if (module) {
 +		PRBool isLoaded = module->loaded;
 +		SECMOD_DestroyModule(module);
@@ -172,6 +208,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
 +		}
 +	    }
 +	}
++    }
 +#endif
  	pk11sdr_Init();
  	cert_CreateSubjectKeyIDHashTable();
@@ -181,7 +218,7 @@ diff --git a/lib/nss/nssinit.c b/lib/nss/nssinit.c
  	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
  
  	if (pkixError != NULL) {
-@@ -716,32 +735,38 @@ nss_Init(const char *configdir, const ch
+@@ -716,32 +742,38 @@
      nssIsInInit--;
      /* now that we are inited, all waiters can move forward */
      PZ_NotifyAllCondVar(nssInitCondition);
diff --git a/nss.spec b/nss.spec
index ed9e6e5..ac57ec1 100644
--- a/nss.spec
+++ b/nss.spec
@@ -183,7 +183,6 @@ low level services.
 %patch58 -p0 -b .1185708_3des
 pushd nss
 %patch59 -p1 -b .check_policy_file
-%patch60 -p1 -b .cond_ignore
 %patch62 -p0 -b .skip_util_gtest
 %patch70 -p1 -b .skip_ecperf
 %patch71 -p1 -b .do_queries
@@ -233,7 +232,7 @@ FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
 # Enable compiler optimizations and disable debugging code
-export BUILD_OPT=1
+#export BUILD_OPT=1
 
 # Uncomment to disable optimizations
 #RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed -e 's/-O2/-O0/g'`
@@ -390,7 +389,7 @@ fi
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
-export BUILD_OPT=1
+#export BUILD_OPT=1
 
 %ifnarch noarch
 %if 0%{__isa_bits} == 64
@@ -796,13 +795,14 @@ fi
 
 
 %changelog
-* Fri Jul 08 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
+* Tue Jul 12 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-6
 - Cherry-pick merge from master branch
 - Add support for conditionally ignoring the system policy (#1157720)
 - Remove unneeded test scripts patches in order to run more tests
 - Remove unneeded test data modifications from the spec file
 - Remove obsolete patch and spurious lines from the spec file (#1347336)
 - Add support to listsuites to list ciphers allowed by policy
+- Incorporate some upstream review suggestions
 
 * Sun Jun 26 2016 Elio Maldonado <emaldona@redhat.com> - 3.25.0-3
 - Cleanup spec file and patches and add references to bugs filed upstream