Google Git
Sign in
chromium / chromium / deps / nss / ccb083050bac653bd6b98c38237fdf93c5d64a7a / . / patches / nss-static.patch
blob: b897b6e4a21c48dfbc2e586d38534793a3d0213e [file] [log] [blame]
diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c
index a86f8a0..eff77fc 100644
--- a/nss/lib/certhigh/certvfy.c
+++ b/nss/lib/certhigh/certvfy.c
@@ -12,9 +12,11 @@
#include "certdb.h"
#include "certi.h"
#include "cryptohi.h"
+#ifndef NSS_DISABLE_LIBPKIX
#include "pkix.h"
/*#include "pkix_sample_modules.h" */
#include "pkix_pl_cert.h"
+#endif /* NSS_DISABLE_LIBPKIX */
#include "nsspki.h"
#include "pkitm.h"
@@ -23,6 +25,47 @@
#include "base.h"
#include "keyhi.h"
+#ifdef NSS_DISABLE_LIBPKIX
+SECStatus
+cert_VerifyCertChainPkix(
+ CERTCertificate *cert,
+ PRBool checkSig,
+ SECCertUsage requiredUsage,
+ PRTime time,
+ void *wincx,
+ CERTVerifyLog *log,
+ PRBool *pSigerror,
+ PRBool *pRevoked)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+
+SECStatus
+CERT_SetUsePKIXForValidation(PRBool enable)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+
+PRBool
+CERT_GetUsePKIXForValidation()
+{
+ return PR_FALSE;
+}
+
+SECStatus CERT_PKIXVerifyCert(
+ CERTCertificate *cert,
+ SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut,
+ void *wincx)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+#endif /* NSS_DISABLE_LIBPKIX */
+
/*
* Check the validity times of a certificate
*/
diff --git a/nss/lib/ckfw/nssck.api b/nss/lib/ckfw/nssck.api
index 55b4351..8364258 100644
--- a/nss/lib/ckfw/nssck.api
+++ b/nss/lib/ckfw/nssck.api
@@ -1752,7 +1752,7 @@ C_WaitForSlotEvent
}
#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-static CK_RV CK_ENTRY
+CK_RV CK_ENTRY
__ADJOIN(MODULE_NAME,C_GetFunctionList)
(
CK_FUNCTION_LIST_PTR_PTR ppFunctionList
@@ -1830,7 +1830,7 @@ __ADJOIN(MODULE_NAME,C_CancelFunction),
__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
};
-static CK_RV CK_ENTRY
+CK_RV CK_ENTRY
__ADJOIN(MODULE_NAME,C_GetFunctionList)
(
CK_FUNCTION_LIST_PTR_PTR ppFunctionList
@@ -1840,6 +1840,7 @@ __ADJOIN(MODULE_NAME,C_GetFunctionList)
return CKR_OK;
}
+#ifndef NSS_STATIC
/* This one is always present */
CK_RV CK_ENTRY
C_GetFunctionList
@@ -1849,6 +1850,7 @@ C_GetFunctionList
{
return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
}
+#endif
#undef __ADJOIN
diff --git a/nss/lib/freebl/rsa.c b/nss/lib/freebl/rsa.c
index 823d8de..48b557b 100644
--- a/nss/lib/freebl/rsa.c
+++ b/nss/lib/freebl/rsa.c
@@ -1532,6 +1532,13 @@ void BL_Cleanup(void)
RSA_Cleanup();
}
+#ifdef NSS_STATIC
+void
+BL_Unload(void)
+{
+}
+#endif
+
PRBool bl_parentForkedAfterC_Initialize;
/*
diff --git a/nss/lib/freebl/shvfy.c b/nss/lib/freebl/shvfy.c
index ad64a26..33714b8 100644
--- a/nss/lib/freebl/shvfy.c
+++ b/nss/lib/freebl/shvfy.c
@@ -273,9 +273,21 @@ readItem(PRFileDesc *fd, SECItem *item)
return SECSuccess;
}
+/*
+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
+ * if you're using NSS as static libraries), but want to conform to the
+ * rest of the FIPS requirements.
+ */
+#ifdef NSS_STATIC
+#define PSEUDO_FIPS
+#endif
+
PRBool
BLAPI_SHVerify(const char *name, PRFuncPtr addr)
{
+#ifdef PSEUDO_FIPS
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
+#else
PRBool result = PR_FALSE; /* if anything goes wrong,
* the signature does not verify */
/* find our shared library name */
@@ -291,11 +303,15 @@ loser:
}
return result;
+#endif /* PSEUDO_FIPS */
}
PRBool
BLAPI_SHVerifyFile(const char *shName)
{
+#ifdef PSEUDO_FIPS
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
+#else
char *checkName = NULL;
PRFileDesc *checkFD = NULL;
PRFileDesc *shFD = NULL;
@@ -492,6 +508,7 @@ loser:
}
return result;
+#endif /* PSEUDO_FIPS */
}
PRBool
diff --git a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
index 471f920..ecf58ce 100755
--- a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
+++ b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
@@ -201,7 +201,10 @@ certCallback(void *arg, SECItem **secitemCerts, int numcerts)
typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
CERTImportCertificateFunc f, void *arg);
-
+#ifdef NSS_STATIC
+extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
+ CERTImportCertificateFunc f, void* arg);
+#endif
struct pkix_DecodeFuncStr {
pkix_DecodeCertsFunc func; /* function pointer to the
@@ -223,6 +226,11 @@ static const PRCallOnceType pkix_pristine;
*/
static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
{
+#ifdef NSS_STATIC
+ pkix_decodeFunc.smimeLib = NULL;
+ pkix_decodeFunc.func = CERT_DecodeCertPackage;
+ return PR_SUCCESS;
+#else
pkix_decodeFunc.smimeLib =
PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
if (pkix_decodeFunc.smimeLib == NULL) {
@@ -235,7 +243,7 @@ static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
return PR_FAILURE;
}
return PR_SUCCESS;
-
+#endif
}
/*
diff --git a/nss/lib/nss/nssinit.c b/nss/lib/nss/nssinit.c
index b73d447..7150cf5 100644
--- a/nss/lib/nss/nssinit.c
+++ b/nss/lib/nss/nssinit.c
@@ -20,9 +20,11 @@
#include "secerr.h"
#include "nssbase.h"
#include "nssutil.h"
+#ifndef NSS_DISABLE_LIBPKIX
#include "pkixt.h"
#include "pkix.h"
#include "pkix_tools.h"
+#endif /* NSS_DISABLE_LIBPKIX */
#include "pki3hack.h"
#include "certi.h"
@@ -526,8 +528,10 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
PRBool dontFinalizeModules)
{
SECStatus rv = SECFailure;
+#ifndef NSS_DISABLE_LIBPKIX
PKIX_UInt32 actualMinorVersion = 0;
PKIX_Error *pkixError = NULL;
+#endif
PRBool isReallyInitted;
char *configStrings = NULL;
char *configName = NULL;
@@ -684,6 +688,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
pk11sdr_Init();
cert_CreateSubjectKeyIDHashTable();
+#ifndef NSS_DISABLE_LIBPKIX
pkixError = PKIX_Initialize
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
@@ -696,6 +701,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
CERT_SetUsePKIXForValidation(PR_TRUE);
}
}
+#endif /* NSS_DISABLE_LIBPKIX */
}
@@ -1080,7 +1086,9 @@ nss_Shutdown(void)
cert_DestroyLocks();
ShutdownCRLCache();
OCSP_ShutdownGlobal();
+#ifndef NSS_DISABLE_LIBPKIX
PKIX_Shutdown(plContext);
+#endif
SECOID_Shutdown();
status = STAN_Shutdown();
cert_DestroySubjectKeyIDHashTable();
diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c
index 5c5d2ca..bfc4886 100644
--- a/nss/lib/pk11wrap/pk11load.c
+++ b/nss/lib/pk11wrap/pk11load.c
@@ -341,6 +341,12 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) {
}
}
+#ifdef NSS_STATIC
+extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
+extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+#else
static const char* my_shlib_name =
SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
static const char* softoken_shlib_name =
@@ -349,12 +355,14 @@ static const PRCallOnceType pristineCallOnce;
static PRCallOnceType loadSoftokenOnce;
static PRLibrary* softokenLib;
static PRInt32 softokenLoadCount;
+#endif /* NSS_STATIC */
#include "prio.h"
#include "prprf.h"
#include <stdio.h>
#include "prsystem.h"
+#ifndef NSS_STATIC
/* This function must be run only once. */
/* determine if hybrid platform, then actually load the DSO. */
static PRStatus
@@ -371,6 +379,7 @@ softoken_LoadDSO( void )
}
return PR_FAILURE;
}
+#endif /* !NSS_STATIC */
/*
* load a new module into our address space and initialize it.
@@ -389,6 +398,16 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
/* intenal modules get loaded from their internal list */
if (mod->internal && (mod->dllName == NULL)) {
+#ifdef NSS_STATIC
+ if (mod->isFIPS) {
+ entry = FC_GetFunctionList;
+ } else {
+ entry = NSC_GetFunctionList;
+ }
+ if (mod->isModuleDB) {
+ mod->moduleDBFunc = NSC_ModuleDBFunc;
+ }
+#else
/*
* Loads softoken as a dynamic library,
* even though the rest of NSS assumes this as the "internal" module.
@@ -414,6 +433,7 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
mod->moduleDBFunc = (CK_C_GetFunctionList)
PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
}
+#endif
if (mod->moduleDBOnly) {
mod->loaded = PR_TRUE;
@@ -424,6 +444,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
if (mod->dllName == NULL) {
return SECFailure;
}
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+ if (strstr(mod->dllName, "nssckbi") != NULL) {
+ mod->library = NULL;
+ PORT_Assert(!mod->moduleDBOnly);
+ entry = builtinsC_GetFunctionList;
+ PORT_Assert(!mod->isModuleDB);
+ goto library_loaded;
+ }
+#endif
/* load the library. If this succeeds, then we have to remember to
* unload the library if anything goes wrong from here on out...
@@ -446,6 +475,9 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
mod->moduleDBFunc = (void *)
PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
}
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+library_loaded:
+#endif
if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
if (entry == NULL) {
if (mod->isModuleDB) {
@@ -585,6 +617,7 @@ SECMOD_UnloadModule(SECMODModule *mod) {
* if not, we should change this to SECFailure and move it above the
* mod->loaded = PR_FALSE; */
if (mod->internal && (mod->dllName == NULL)) {
+#ifndef NSS_STATIC
if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
if (softokenLib) {
disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
@@ -600,12 +633,18 @@ SECMOD_UnloadModule(SECMODModule *mod) {
}
loadSoftokenOnce = pristineCallOnce;
}
+#endif
return SECSuccess;
}
library = (PRLibrary *)mod->library;
/* paranoia */
if (library == NULL) {
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+ if (strstr(mod->dllName, "nssckbi") != NULL) {
+ return SECSuccess;
+ }
+#endif
return SECFailure;
}
diff --git a/nss/lib/softoken/lgglue.c b/nss/lib/softoken/lgglue.c
index 653501c..155991b 100644
--- a/nss/lib/softoken/lgglue.c
+++ b/nss/lib/softoken/lgglue.c
@@ -23,6 +23,7 @@ static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL;
static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
static LGShutdownFunc legacy_glue_shutdown = NULL;
+#ifndef NSS_STATIC
/*
* The following 3 functions duplicate the work done by bl_LoadLibrary.
* We should make bl_LoadLibrary a global and replace the call to
@@ -160,6 +161,7 @@ done:
return lib;
}
+#endif /* STATIC LIBRARIES */
/*
* stub files for legacy db's to be able to encrypt and decrypt
@@ -272,6 +274,21 @@ sftkdbLoad_Legacy(PRBool isFIPS)
return SECSuccess;
}
+#ifdef NSS_STATIC
+#ifdef NSS_DISABLE_DBM
+ return SECFailure;
+#else
+ lib = (PRLibrary *) 0x8;
+
+ legacy_glue_open = legacy_Open;
+ legacy_glue_readSecmod = legacy_ReadSecmodDB;
+ legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
+ legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
+ legacy_glue_addSecmod = legacy_AddSecmodDB;
+ legacy_glue_shutdown = legacy_Shutdown;
+ setCryptFunction = legacy_SetCryptFunctions;
+#endif
+#else
lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
if (lib == NULL) {
return SECFailure;
@@ -297,11 +314,14 @@ sftkdbLoad_Legacy(PRBool isFIPS)
PR_UnloadLibrary(lib);
return SECFailure;
}
+#endif /* NSS_STATIC */
/* verify the loaded library if we are in FIPS mode */
if (isFIPS) {
if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
+#ifndef NSS_STATIC
PR_UnloadLibrary(lib);
+#endif
return SECFailure;
}
legacy_glue_libCheckSucceeded = PR_TRUE;
@@ -418,10 +438,12 @@ sftkdbCall_Shutdown(void)
#endif
crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
}
+#ifndef NSS_STATIC
disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
if (!disableUnload) {
PR_UnloadLibrary(legacy_glue_lib);
}
+#endif
legacy_glue_lib = NULL;
legacy_glue_open = NULL;
legacy_glue_readSecmod = NULL;
diff --git a/nss/lib/softoken/lgglue.h b/nss/lib/softoken/lgglue.h
index b87f756..c8c562f 100644
--- a/nss/lib/softoken/lgglue.h
+++ b/nss/lib/softoken/lgglue.h
@@ -38,6 +38,25 @@ typedef SECStatus (*LGShutdownFunc)(PRBool forked);
typedef void (*LGSetForkStateFunc)(PRBool);
typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
+extern CK_RV legacy_Open(const char *dir, const char *certPrefix,
+ const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB);
+extern char ** legacy_ReadSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
+ const char *filename,
+ const char *dbname, char **params, PRBool rw);
+extern SECStatus legacy_DeleteSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_AddSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_Shutdown(PRBool forked);
+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
+
/*
* Softoken Glue Functions
*/
diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h
index 7d2f5e0..95c73c8 100644
--- a/nss/lib/util/secport.h
+++ b/nss/lib/util/secport.h
@@ -223,6 +223,7 @@ extern int NSS_PutEnv(const char * envVarName, const char * envValue);
extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
+#ifndef NSS_STATIC
/*
* Load a shared library called "newShLibName" in the same directory as
* a shared library that is already loaded, called existingShLibName.
@@ -257,6 +258,7 @@ PRLibrary *
PORT_LoadLibraryFromOrigin(const char* existingShLibName,
PRFuncPtr staticShLibFunc,
const char *newShLibName);
+#endif /* NSS_STATIC */
SEC_END_PROTOS