Delay NSS initialization until actually used

- since NSS is allergic (ie becomes non-functional) after forking, delay
  it's initialization until really needed, ie lazy init in rpmDigestInit()
- however as NSS init can fail if attempted in completely empty chroot,
  we force crypto init to happen at transaction set create time, forking
  past that is pretty much doomed anyway
- this is the other half of the fix for rhbz#476737, and similar case
  noticed by Pixel in Mandriva (due to urpm forking)

lib/rpmrc.c

@@ -1665,10 +1665,6 @@ int rpmReadConfigFiles(const char * file, const char * target)
     /* Reset umask to its default umask(2) value. */
     mode = umask(mode);
 
-    /* Initialize crypto engine as early as possible */
-    if (rpmInitCrypto() < 0) {
-	return -1;
-    }	
     /* Force preloading of name service libraries in case we go chrooting */
     (void) gethostbyname("localhost");
 

lib/rpmts.c

@@ -1148,6 +1148,9 @@ rpmts rpmtsCreate(void)
 
     ts->nrefs = 0;
 
+    /* make sure crypto gets initialized before we might go chrooting */
+    rpmInitCrypto();
+
     return rpmtsLink(ts, RPMDBG_M("tsCreate"));
 }
 

rpmio/digest.c

@@ -75,8 +75,12 @@ DIGEST_CTX
 rpmDigestInit(pgpHashAlgo hashalgo, rpmDigestFlags flags)
 {
     HASH_HashType type;
-    DIGEST_CTX ctx = xcalloc(1, sizeof(*ctx));
+    DIGEST_CTX ctx;
 
+    if (rpmInitCrypto() < 0)
+	return NULL;
+
+    ctx = xcalloc(1, sizeof(*ctx));
     ctx->flags = flags;
 
     type = getHashType(hashalgo);

tools/debugedit.c

@@ -1348,8 +1348,6 @@ handle_build_id (DSO *dso, Elf_Data *build_id,
   void *digest = NULL;
   size_t len;
 
-  rpmInitCrypto();
-
   while (i-- > 0)
     {
       algorithm = algorithms[i];