162 lines
4.9 KiB
Diff
162 lines
4.9 KiB
Diff
--- ./lib/nss/nssinit.c.cond_ignore 2016-07-14 06:07:08.607951998 -0700
|
|
+++ ./lib/nss/nssinit.c 2016-07-14 06:11:07.698966728 -0700
|
|
@@ -427,23 +427,21 @@
|
|
if (lsecmodName) PORT_Free(lsecmodName);
|
|
if (lupdateDir) PORT_Free(lupdateDir);
|
|
if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
|
|
if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
|
|
if (lupdateID) PORT_Free(lupdateID);
|
|
if (lupdateName) PORT_Free(lupdateName);
|
|
|
|
if (moduleSpec) {
|
|
- module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
|
|
+ module = SECMOD_LoadModule(moduleSpec, NULL, PR_TRUE);
|
|
PR_smprintf_free(moduleSpec);
|
|
- if (module) {
|
|
- if (!module->loaded) {
|
|
- SECMOD_DestroyModule(module);
|
|
- module = NULL;
|
|
- }
|
|
+ if (module && !module->loaded) {
|
|
+ SECMOD_DestroyModule(module);
|
|
+ return NULL;
|
|
}
|
|
}
|
|
return module;
|
|
}
|
|
|
|
/*
|
|
* OK there are now lots of options here, lets go through them all:
|
|
*
|
|
@@ -511,41 +509,44 @@
|
|
return PR_FAILURE;
|
|
}
|
|
return PR_SUCCESS;
|
|
}
|
|
|
|
|
|
static SECStatus
|
|
nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
|
|
- const char *secmodName, const char *updateDir,
|
|
+ const char *secmodName, const char *updateDir,
|
|
const char *updCertPrefix, const char *updKeyPrefix,
|
|
const char *updateID, const char *updateName,
|
|
NSSInitContext ** initContextPtr,
|
|
NSSInitParameters *initParams,
|
|
- PRBool readOnly, PRBool noCertDB,
|
|
+ PRBool readOnly, PRBool noCertDB,
|
|
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
|
|
PRBool optimizeSpace, PRBool noSingleThreadedModules,
|
|
PRBool allowAlreadyInitializedModules,
|
|
PRBool dontFinalizeModules)
|
|
{
|
|
SECMODModule *parent = NULL;
|
|
PKIX_UInt32 actualMinorVersion = 0;
|
|
PKIX_Error *pkixError = NULL;
|
|
PRBool isReallyInitted;
|
|
char *configStrings = NULL;
|
|
char *configName = NULL;
|
|
PRBool passwordRequired = PR_FALSE;
|
|
+#ifdef POLICY_FILE
|
|
+ char *ignoreVar;
|
|
+#endif
|
|
|
|
/* if we are trying to init with a traditional NSS_Init call, maintain
|
|
* the traditional idempotent behavior. */
|
|
if (!initContextPtr && nssIsInitted) {
|
|
return SECSuccess;
|
|
}
|
|
-
|
|
+
|
|
/* make sure our lock and condition variable are initialized one and only
|
|
* one time */
|
|
if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
|
|
return SECFailure;
|
|
}
|
|
|
|
/*
|
|
* if we haven't done basic initialization, single thread the
|
|
@@ -632,20 +633,20 @@
|
|
configStrings = pk11_config_strings;
|
|
configName = pk11_config_name;
|
|
passwordRequired = pk11_password_required;
|
|
}
|
|
|
|
/* Skip the module init if we are already initted and we are trying
|
|
* to init with noCertDB and noModDB */
|
|
if (!(isReallyInitted && noCertDB && noModDB)) {
|
|
- parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
|
- updateDir, updCertPrefix, updKeyPrefix, updateID,
|
|
+ parent = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
|
|
+ updateDir, updCertPrefix, updKeyPrefix, updateID,
|
|
updateName, configName, configStrings, passwordRequired,
|
|
- readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
|
|
+ readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
|
|
(initContextPtr != NULL));
|
|
|
|
if (parent == NULL) {
|
|
goto loser;
|
|
}
|
|
}
|
|
|
|
|
|
@@ -678,50 +679,54 @@
|
|
dbpath = NULL;
|
|
}
|
|
if (dbpath) {
|
|
nss_FindExternalRoot(dbpath, secmodName);
|
|
}
|
|
}
|
|
}
|
|
#ifdef POLICY_FILE
|
|
- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
|
|
+ /* Load the system crypto policy file if it exists,
|
|
+ * unless the NSS_IGNORE_SYSTEM_POLICY environment
|
|
+ * variable has been set to 1. */
|
|
+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
|
|
+ if (ignoreVar == NULL || strncmp(ignoreVar, "1", sizeof("1")) != 0) {
|
|
+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS) {
|
|
SECMODModule *module = SECMOD_LoadModule(
|
|
"name=\"Policy File\" "
|
|
"parameters=\"configdir='sql:" POLICY_PATH "' "
|
|
"secmod='" POLICY_FILE "' "
|
|
"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
|
|
"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
|
|
- parent, PR_TRUE);
|
|
+ parent, PR_TRUE);
|
|
if (module) {
|
|
PRBool isLoaded = module->loaded;
|
|
SECMOD_DestroyModule(module);
|
|
if (!isLoaded) {
|
|
goto loser;
|
|
}
|
|
}
|
|
}
|
|
+ }
|
|
#endif
|
|
pk11sdr_Init();
|
|
cert_CreateSubjectKeyIDHashTable();
|
|
|
|
pkixError = PKIX_Initialize
|
|
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
|
|
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
|
|
|
if (pkixError != NULL) {
|
|
goto loser;
|
|
} else {
|
|
char *ev = PR_GetEnvSecure("NSS_ENABLE_PKIX_VERIFY");
|
|
if (ev && ev[0]) {
|
|
CERT_SetUsePKIXForValidation(PR_TRUE);
|
|
}
|
|
}
|
|
-
|
|
-
|
|
}
|
|
|
|
/*
|
|
* Now mark the appropriate init state. If initContextPtr was passed
|
|
* in, then return the new context pointer and add it to the
|
|
* nssInitContextList. Otherwise set the global nss_isInitted flag
|
|
*/
|
|
PZ_Lock(nssInitLock);
|