nss/nss-conditionally-ignore-system-policy.patch

--- ./lib/nss/nssinit.c.cond_ignore	2016-07-01 16:09:21.187499579 -0700
+++ ./lib/nss/nssinit.c	2016-07-01 16:19:16.095862425 -0700
@@ -529,16 +529,19 @@
 {
     SECMODModule *parent = NULL;
     PKIX_UInt32 actualMinorVersion = 0;
     PKIX_Error *pkixError = NULL;
     PRBool isReallyInitted;
     char *configStrings = NULL;
     char *configName = NULL;
     PRBool passwordRequired = PR_FALSE;
+#ifdef POLICY_FILE
+    char *ignoreVar;
+#endif
 
     /* if we are trying to init with a traditional NSS_Init call, maintain
      * the traditional idempotent behavior. */
     if (!initContextPtr && nssIsInitted) {
 	return SECSuccess;
     }
   
     /* make sure our lock and condition variable are initialized one and only
@@ -678,32 +681,38 @@
 		    dbpath = NULL;
 		}
 		if (dbpath) {
 		    nss_FindExternalRoot(dbpath, secmodName);
 		}
 	    }
 	}
 #ifdef POLICY_FILE
-        if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
+	/* Load the system crypo policy file if it exists,
+	 * unless the NSS_IGNORE_SYSTEM_POLICY environment
+	 * variable has been set to 1. */
+	ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");
+	if (ignoreVar == NULL || strncmp(ignoreVar, "1", strlen("1")) != 0) {
+	    if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {
 	    SECMODModule *module = SECMOD_LoadModule(
 		"name=\"Policy File\" "
 		"parameters=\"configdir='sql:" POLICY_PATH "' "
 		"secmod='" POLICY_FILE "' "
 		"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "
 		"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",
-		parent, PR_TRUE); 
+		parent, PR_TRUE);
 	    if (module) {
 		PRBool isLoaded = module->loaded;
 		SECMOD_DestroyModule(module);
 		if (!isLoaded) {
 		    goto loser;
 		}
 	    }
 	}
+    }
 #endif
 	pk11sdr_Init();
 	cert_CreateSubjectKeyIDHashTable();
 
 	pkixError = PKIX_Initialize
 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
Add support for conditionally ignoring the system policy (#1157720) - Remove unneeded test scripts patches in order to run more tests - Remove unneeded test data modifications from the spec file 2016-07-02 01:22:06 +00:00			`--- ./lib/nss/nssinit.c.cond_ignore 2016-07-01 16:09:21.187499579 -0700`
			`+++ ./lib/nss/nssinit.c 2016-07-01 16:19:16.095862425 -0700`
			`@@ -529,16 +529,19 @@`
			`{`
			`SECMODModule *parent = NULL;`
			`PKIX_UInt32 actualMinorVersion = 0;`
			`PKIX_Error *pkixError = NULL;`
			`PRBool isReallyInitted;`
			`char *configStrings = NULL;`
			`char *configName = NULL;`
			`PRBool passwordRequired = PR_FALSE;`
			`+#ifdef POLICY_FILE`
			`+ char *ignoreVar;`
			`+#endif`

			`/* if we are trying to init with a traditional NSS_Init call, maintain`
			`* the traditional idempotent behavior. */`
			`if (!initContextPtr && nssIsInitted) {`
			`return SECSuccess;`
			`}`

			`/* make sure our lock and condition variable are initialized one and only`
			`@@ -678,32 +681,38 @@`
			`dbpath = NULL;`
			`}`
			`if (dbpath) {`
			`nss_FindExternalRoot(dbpath, secmodName);`
			`}`
			`}`
			`}`
			`#ifdef POLICY_FILE`
			`- if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {`
			`+ /* Load the system crypo policy file if it exists,`
			`+ * unless the NSS_IGNORE_SYSTEM_POLICY environment`
			`+ * variable has been set to 1. */`
			`+ ignoreVar = PR_GetEnvSecure("NSS_IGNORE_SYSTEM_POLICY");`
			`+ if (ignoreVar == NULL \|\| strncmp(ignoreVar, "1", strlen("1")) != 0) {`
			`+ if (PR_Access(POLICY_PATH "/" POLICY_FILE, PR_ACCESS_READ_OK) == PR_SUCCESS ) {`
			`SECMODModule *module = SECMOD_LoadModule(`
			`"name=\"Policy File\" "`
			`"parameters=\"configdir='sql:" POLICY_PATH "' "`
			`"secmod='" POLICY_FILE "' "`
			`"flags=readOnly,noCertDB,forceSecmodChoice,forceOpen\" "`
			`"NSS=\"flags=internal,moduleDB,skipFirst,moduleDBOnly,critical\"",`
			`- parent, PR_TRUE);`
			`+ parent, PR_TRUE);`
			`if (module) {`
			`PRBool isLoaded = module->loaded;`
			`SECMOD_DestroyModule(module);`
			`if (!isLoaded) {`
			`goto loser;`
			`}`
			`}`
			`}`
			`+ }`
			`#endif`
			`pk11sdr_Init();`
			`cert_CreateSubjectKeyIDHashTable();`

			`pkixError = PKIX_Initialize`
			`(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,`
			`PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);`