| diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c |
| index a86f8a0..eff77fc 100644 |
| --- a/nss/lib/certhigh/certvfy.c |
| +++ b/nss/lib/certhigh/certvfy.c |
| @@ -12,9 +12,11 @@ |
| #include "certdb.h" |
| #include "certi.h" |
| #include "cryptohi.h" |
| +#ifndef NSS_DISABLE_LIBPKIX |
| #include "pkix.h" |
| /*#include "pkix_sample_modules.h" */ |
| #include "pkix_pl_cert.h" |
| +#endif /* NSS_DISABLE_LIBPKIX */ |
| |
| #include "nsspki.h" |
| #include "pkitm.h" |
| @@ -23,6 +25,47 @@ |
| #include "base.h" |
| #include "keyhi.h" |
| |
| +#ifdef NSS_DISABLE_LIBPKIX |
| +SECStatus |
| +cert_VerifyCertChainPkix( |
| + CERTCertificate *cert, |
| + PRBool checkSig, |
| + SECCertUsage requiredUsage, |
| + PRTime time, |
| + void *wincx, |
| + CERTVerifyLog *log, |
| + PRBool *pSigerror, |
| + PRBool *pRevoked) |
| +{ |
| + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| + return SECFailure; |
| +} |
| + |
| +SECStatus |
| +CERT_SetUsePKIXForValidation(PRBool enable) |
| +{ |
| + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| + return SECFailure; |
| +} |
| + |
| +PRBool |
| +CERT_GetUsePKIXForValidation() |
| +{ |
| + return PR_FALSE; |
| +} |
| + |
| +SECStatus CERT_PKIXVerifyCert( |
| + CERTCertificate *cert, |
| + SECCertificateUsage usages, |
| + CERTValInParam *paramsIn, |
| + CERTValOutParam *paramsOut, |
| + void *wincx) |
| +{ |
| + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| + return SECFailure; |
| +} |
| +#endif /* NSS_DISABLE_LIBPKIX */ |
| + |
| /* |
| * Check the validity times of a certificate |
| */ |
| diff --git a/nss/lib/ckfw/nssck.api b/nss/lib/ckfw/nssck.api |
| index 55b4351..8364258 100644 |
| --- a/nss/lib/ckfw/nssck.api |
| +++ b/nss/lib/ckfw/nssck.api |
| @@ -1752,7 +1752,7 @@ C_WaitForSlotEvent |
| } |
| #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */ |
| |
| -static CK_RV CK_ENTRY |
| +CK_RV CK_ENTRY |
| __ADJOIN(MODULE_NAME,C_GetFunctionList) |
| ( |
| CK_FUNCTION_LIST_PTR_PTR ppFunctionList |
| @@ -1830,7 +1830,7 @@ __ADJOIN(MODULE_NAME,C_CancelFunction), |
| __ADJOIN(MODULE_NAME,C_WaitForSlotEvent) |
| }; |
| |
| -static CK_RV CK_ENTRY |
| +CK_RV CK_ENTRY |
| __ADJOIN(MODULE_NAME,C_GetFunctionList) |
| ( |
| CK_FUNCTION_LIST_PTR_PTR ppFunctionList |
| @@ -1840,6 +1840,7 @@ __ADJOIN(MODULE_NAME,C_GetFunctionList) |
| return CKR_OK; |
| } |
| |
| +#ifndef NSS_STATIC |
| /* This one is always present */ |
| CK_RV CK_ENTRY |
| C_GetFunctionList |
| @@ -1849,6 +1850,7 @@ C_GetFunctionList |
| { |
| return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList); |
| } |
| +#endif |
| |
| #undef __ADJOIN |
| |
| diff --git a/nss/lib/freebl/rsa.c b/nss/lib/freebl/rsa.c |
| index 823d8de..48b557b 100644 |
| --- a/nss/lib/freebl/rsa.c |
| +++ b/nss/lib/freebl/rsa.c |
| @@ -1532,6 +1532,13 @@ void BL_Cleanup(void) |
| RSA_Cleanup(); |
| } |
| |
| +#ifdef NSS_STATIC |
| +void |
| +BL_Unload(void) |
| +{ |
| +} |
| +#endif |
| + |
| PRBool bl_parentForkedAfterC_Initialize; |
| |
| /* |
| diff --git a/nss/lib/freebl/shvfy.c b/nss/lib/freebl/shvfy.c |
| index ad64a26..33714b8 100644 |
| --- a/nss/lib/freebl/shvfy.c |
| +++ b/nss/lib/freebl/shvfy.c |
| @@ -273,9 +273,21 @@ readItem(PRFileDesc *fd, SECItem *item) |
| return SECSuccess; |
| } |
| |
| +/* |
| + * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g., |
| + * if you're using NSS as static libraries), but want to conform to the |
| + * rest of the FIPS requirements. |
| + */ |
| +#ifdef NSS_STATIC |
| +#define PSEUDO_FIPS |
| +#endif |
| + |
| PRBool |
| BLAPI_SHVerify(const char *name, PRFuncPtr addr) |
| { |
| +#ifdef PSEUDO_FIPS |
| + return PR_TRUE; /* a lie, hence *pseudo* FIPS */ |
| +#else |
| PRBool result = PR_FALSE; /* if anything goes wrong, |
| * the signature does not verify */ |
| /* find our shared library name */ |
| @@ -291,11 +303,15 @@ loser: |
| } |
| |
| return result; |
| +#endif /* PSEUDO_FIPS */ |
| } |
| |
| PRBool |
| BLAPI_SHVerifyFile(const char *shName) |
| { |
| +#ifdef PSEUDO_FIPS |
| + return PR_TRUE; /* a lie, hence *pseudo* FIPS */ |
| +#else |
| char *checkName = NULL; |
| PRFileDesc *checkFD = NULL; |
| PRFileDesc *shFD = NULL; |
| @@ -492,6 +508,7 @@ loser: |
| } |
| |
| return result; |
| +#endif /* PSEUDO_FIPS */ |
| } |
| |
| PRBool |
| diff --git a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c |
| index 471f920..ecf58ce 100755 |
| --- a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c |
| +++ b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c |
| @@ -201,7 +201,10 @@ certCallback(void *arg, SECItem **secitemCerts, int numcerts) |
| |
| typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen, |
| CERTImportCertificateFunc f, void *arg); |
| - |
| +#ifdef NSS_STATIC |
| +extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen, |
| + CERTImportCertificateFunc f, void* arg); |
| +#endif |
| |
| struct pkix_DecodeFuncStr { |
| pkix_DecodeCertsFunc func; /* function pointer to the |
| @@ -223,6 +226,11 @@ static const PRCallOnceType pkix_pristine; |
| */ |
| static PRStatus PR_CALLBACK pkix_getDecodeFunction(void) |
| { |
| +#ifdef NSS_STATIC |
| + pkix_decodeFunc.smimeLib = NULL; |
| + pkix_decodeFunc.func = CERT_DecodeCertPackage; |
| + return PR_SUCCESS; |
| +#else |
| pkix_decodeFunc.smimeLib = |
| PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX); |
| if (pkix_decodeFunc.smimeLib == NULL) { |
| @@ -235,7 +243,7 @@ static PRStatus PR_CALLBACK pkix_getDecodeFunction(void) |
| return PR_FAILURE; |
| } |
| return PR_SUCCESS; |
| - |
| +#endif |
| } |
| |
| /* |
| diff --git a/nss/lib/nss/nssinit.c b/nss/lib/nss/nssinit.c |
| index b73d447..7150cf5 100644 |
| --- a/nss/lib/nss/nssinit.c |
| +++ b/nss/lib/nss/nssinit.c |
| @@ -20,9 +20,11 @@ |
| #include "secerr.h" |
| #include "nssbase.h" |
| #include "nssutil.h" |
| +#ifndef NSS_DISABLE_LIBPKIX |
| #include "pkixt.h" |
| #include "pkix.h" |
| #include "pkix_tools.h" |
| +#endif /* NSS_DISABLE_LIBPKIX */ |
| |
| #include "pki3hack.h" |
| #include "certi.h" |
| @@ -526,8 +528,10 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, |
| PRBool dontFinalizeModules) |
| { |
| SECStatus rv = SECFailure; |
| +#ifndef NSS_DISABLE_LIBPKIX |
| PKIX_UInt32 actualMinorVersion = 0; |
| PKIX_Error *pkixError = NULL; |
| +#endif |
| PRBool isReallyInitted; |
| char *configStrings = NULL; |
| char *configName = NULL; |
| @@ -684,6 +688,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, |
| pk11sdr_Init(); |
| cert_CreateSubjectKeyIDHashTable(); |
| |
| +#ifndef NSS_DISABLE_LIBPKIX |
| pkixError = PKIX_Initialize |
| (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, |
| PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); |
| @@ -696,6 +701,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, |
| CERT_SetUsePKIXForValidation(PR_TRUE); |
| } |
| } |
| +#endif /* NSS_DISABLE_LIBPKIX */ |
| |
| |
| } |
| @@ -1080,7 +1086,9 @@ nss_Shutdown(void) |
| cert_DestroyLocks(); |
| ShutdownCRLCache(); |
| OCSP_ShutdownGlobal(); |
| +#ifndef NSS_DISABLE_LIBPKIX |
| PKIX_Shutdown(plContext); |
| +#endif |
| SECOID_Shutdown(); |
| status = STAN_Shutdown(); |
| cert_DestroySubjectKeyIDHashTable(); |
| diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c |
| index 5c5d2ca..bfc4886 100644 |
| --- a/nss/lib/pk11wrap/pk11load.c |
| +++ b/nss/lib/pk11wrap/pk11load.c |
| @@ -341,6 +341,12 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) { |
| } |
| } |
| |
| +#ifdef NSS_STATIC |
| +extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
| +extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
| +extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args); |
| +extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
| +#else |
| static const char* my_shlib_name = |
| SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX; |
| static const char* softoken_shlib_name = |
| @@ -349,12 +355,14 @@ static const PRCallOnceType pristineCallOnce; |
| static PRCallOnceType loadSoftokenOnce; |
| static PRLibrary* softokenLib; |
| static PRInt32 softokenLoadCount; |
| +#endif /* NSS_STATIC */ |
| |
| #include "prio.h" |
| #include "prprf.h" |
| #include <stdio.h> |
| #include "prsystem.h" |
| |
| +#ifndef NSS_STATIC |
| /* This function must be run only once. */ |
| /* determine if hybrid platform, then actually load the DSO. */ |
| static PRStatus |
| @@ -371,6 +379,7 @@ softoken_LoadDSO( void ) |
| } |
| return PR_FAILURE; |
| } |
| +#endif /* !NSS_STATIC */ |
| |
| /* |
| * load a new module into our address space and initialize it. |
| @@ -389,6 +398,16 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { |
| |
| /* intenal modules get loaded from their internal list */ |
| if (mod->internal && (mod->dllName == NULL)) { |
| +#ifdef NSS_STATIC |
| + if (mod->isFIPS) { |
| + entry = FC_GetFunctionList; |
| + } else { |
| + entry = NSC_GetFunctionList; |
| + } |
| + if (mod->isModuleDB) { |
| + mod->moduleDBFunc = NSC_ModuleDBFunc; |
| + } |
| +#else |
| /* |
| * Loads softoken as a dynamic library, |
| * even though the rest of NSS assumes this as the "internal" module. |
| @@ -414,6 +433,7 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { |
| mod->moduleDBFunc = (CK_C_GetFunctionList) |
| PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); |
| } |
| +#endif |
| |
| if (mod->moduleDBOnly) { |
| mod->loaded = PR_TRUE; |
| @@ -424,6 +444,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { |
| if (mod->dllName == NULL) { |
| return SECFailure; |
| } |
| +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
| + if (strstr(mod->dllName, "nssckbi") != NULL) { |
| + mod->library = NULL; |
| + PORT_Assert(!mod->moduleDBOnly); |
| + entry = builtinsC_GetFunctionList; |
| + PORT_Assert(!mod->isModuleDB); |
| + goto library_loaded; |
| + } |
| +#endif |
| |
| /* load the library. If this succeeds, then we have to remember to |
| * unload the library if anything goes wrong from here on out... |
| @@ -446,6 +475,9 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { |
| mod->moduleDBFunc = (void *) |
| PR_FindSymbol(library, "NSS_ReturnModuleSpecData"); |
| } |
| +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
| +library_loaded: |
| +#endif |
| if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE; |
| if (entry == NULL) { |
| if (mod->isModuleDB) { |
| @@ -585,6 +617,7 @@ SECMOD_UnloadModule(SECMODModule *mod) { |
| * if not, we should change this to SECFailure and move it above the |
| * mod->loaded = PR_FALSE; */ |
| if (mod->internal && (mod->dllName == NULL)) { |
| +#ifndef NSS_STATIC |
| if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) { |
| if (softokenLib) { |
| disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); |
| @@ -600,12 +633,18 @@ SECMOD_UnloadModule(SECMODModule *mod) { |
| } |
| loadSoftokenOnce = pristineCallOnce; |
| } |
| +#endif |
| return SECSuccess; |
| } |
| |
| library = (PRLibrary *)mod->library; |
| /* paranoia */ |
| if (library == NULL) { |
| +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
| + if (strstr(mod->dllName, "nssckbi") != NULL) { |
| + return SECSuccess; |
| + } |
| +#endif |
| return SECFailure; |
| } |
| |
| diff --git a/nss/lib/softoken/lgglue.c b/nss/lib/softoken/lgglue.c |
| index 653501c..155991b 100644 |
| --- a/nss/lib/softoken/lgglue.c |
| +++ b/nss/lib/softoken/lgglue.c |
| @@ -23,6 +23,7 @@ static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL; |
| static LGAddSecmodFunc legacy_glue_addSecmod = NULL; |
| static LGShutdownFunc legacy_glue_shutdown = NULL; |
| |
| +#ifndef NSS_STATIC |
| /* |
| * The following 3 functions duplicate the work done by bl_LoadLibrary. |
| * We should make bl_LoadLibrary a global and replace the call to |
| @@ -160,6 +161,7 @@ done: |
| |
| return lib; |
| } |
| +#endif /* STATIC LIBRARIES */ |
| |
| /* |
| * stub files for legacy db's to be able to encrypt and decrypt |
| @@ -272,6 +274,21 @@ sftkdbLoad_Legacy(PRBool isFIPS) |
| return SECSuccess; |
| } |
| |
| +#ifdef NSS_STATIC |
| +#ifdef NSS_DISABLE_DBM |
| + return SECFailure; |
| +#else |
| + lib = (PRLibrary *) 0x8; |
| + |
| + legacy_glue_open = legacy_Open; |
| + legacy_glue_readSecmod = legacy_ReadSecmodDB; |
| + legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData; |
| + legacy_glue_deleteSecmod = legacy_DeleteSecmodDB; |
| + legacy_glue_addSecmod = legacy_AddSecmodDB; |
| + legacy_glue_shutdown = legacy_Shutdown; |
| + setCryptFunction = legacy_SetCryptFunctions; |
| +#endif |
| +#else |
| lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME); |
| if (lib == NULL) { |
| return SECFailure; |
| @@ -297,11 +314,14 @@ sftkdbLoad_Legacy(PRBool isFIPS) |
| PR_UnloadLibrary(lib); |
| return SECFailure; |
| } |
| +#endif /* NSS_STATIC */ |
| |
| /* verify the loaded library if we are in FIPS mode */ |
| if (isFIPS) { |
| if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) { |
| +#ifndef NSS_STATIC |
| PR_UnloadLibrary(lib); |
| +#endif |
| return SECFailure; |
| } |
| legacy_glue_libCheckSucceeded = PR_TRUE; |
| @@ -418,10 +438,12 @@ sftkdbCall_Shutdown(void) |
| #endif |
| crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize); |
| } |
| +#ifndef NSS_STATIC |
| disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); |
| if (!disableUnload) { |
| PR_UnloadLibrary(legacy_glue_lib); |
| } |
| +#endif |
| legacy_glue_lib = NULL; |
| legacy_glue_open = NULL; |
| legacy_glue_readSecmod = NULL; |
| diff --git a/nss/lib/softoken/lgglue.h b/nss/lib/softoken/lgglue.h |
| index b87f756..c8c562f 100644 |
| --- a/nss/lib/softoken/lgglue.h |
| +++ b/nss/lib/softoken/lgglue.h |
| @@ -38,6 +38,25 @@ typedef SECStatus (*LGShutdownFunc)(PRBool forked); |
| typedef void (*LGSetForkStateFunc)(PRBool); |
| typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc); |
| |
| +extern CK_RV legacy_Open(const char *dir, const char *certPrefix, |
| + const char *keyPrefix, |
| + int certVersion, int keyVersion, int flags, |
| + SDB **certDB, SDB **keyDB); |
| +extern char ** legacy_ReadSecmodDB(const char *appName, |
| + const char *filename, |
| + const char *dbname, char *params, PRBool rw); |
| +extern SECStatus legacy_ReleaseSecmodDBData(const char *appName, |
| + const char *filename, |
| + const char *dbname, char **params, PRBool rw); |
| +extern SECStatus legacy_DeleteSecmodDB(const char *appName, |
| + const char *filename, |
| + const char *dbname, char *params, PRBool rw); |
| +extern SECStatus legacy_AddSecmodDB(const char *appName, |
| + const char *filename, |
| + const char *dbname, char *params, PRBool rw); |
| +extern SECStatus legacy_Shutdown(PRBool forked); |
| +extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc); |
| + |
| /* |
| * Softoken Glue Functions |
| */ |
| diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h |
| index 7d2f5e0..95c73c8 100644 |
| --- a/nss/lib/util/secport.h |
| +++ b/nss/lib/util/secport.h |
| @@ -223,6 +223,7 @@ extern int NSS_PutEnv(const char * envVarName, const char * envValue); |
| |
| extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n); |
| |
| +#ifndef NSS_STATIC |
| /* |
| * Load a shared library called "newShLibName" in the same directory as |
| * a shared library that is already loaded, called existingShLibName. |
| @@ -257,6 +258,7 @@ PRLibrary * |
| PORT_LoadLibraryFromOrigin(const char* existingShLibName, |
| PRFuncPtr staticShLibFunc, |
| const char *newShLibName); |
| +#endif /* NSS_STATIC */ |
| |
| SEC_END_PROTOS |
| |