Google Git
Sign in
chromium / chromium / third_party / nss / fe067e57da7bd24431c53ca3b29bfcda4000fe5b / . / patches / nss-static.patch
blob: 2b3383240890b27c7b828bf52130913c4d347c62 [file] [log] [blame]
Index: mozilla/security/nss/lib/certhigh/certvfy.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/certhigh/certvfy.c,v
retrieving revision 1.69
diff -p -u -8 -r1.69 certvfy.c
--- mozilla/security/nss/lib/certhigh/certvfy.c 13 Mar 2009 02:59:04 -0000 1.69
+++ mozilla/security/nss/lib/certhigh/certvfy.c 9 Jan 2010 03:02:21 -0000
@@ -40,27 +40,71 @@
#include "secoid.h"
#include "sslerr.h"
#include "genname.h"
#include "keyhi.h"
#include "cert.h"
#include "certdb.h"
#include "certi.h"
#include "cryptohi.h"
+#define NO_LIBPKIX
+#ifndef NO_LIBPKIX
#include "pkix.h"
/*#include "pkix_sample_modules.h" */
#include "pkix_pl_cert.h"
+#endif /* NO_LIBPKIX */
#include "nsspki.h"
#include "pkitm.h"
#include "pkim.h"
#include "pki3hack.h"
#include "base.h"
+#ifdef NO_LIBPKIX
+SECStatus
+cert_VerifyCertChainPkix(
+ CERTCertificate *cert,
+ PRBool checkSig,
+ SECCertUsage requiredUsage,
+ PRTime time,
+ void *wincx,
+ CERTVerifyLog *log,
+ PRBool *pSigerror,
+ PRBool *pRevoked)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+
+SECStatus
+CERT_SetUsePKIXForValidation(PRBool enable)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+
+PRBool
+CERT_GetUsePKIXForValidation()
+{
+ return PR_FALSE;
+}
+
+SECStatus CERT_PKIXVerifyCert(
+ CERTCertificate *cert,
+ SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut,
+ void *wincx)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+#endif /* NO_LIBPKIX */
+
/*
* Check the validity times of a certificate
*/
SECStatus
CERT_CertTimesValid(CERTCertificate *c)
{
SECCertTimeValidity valid = CERT_CheckCertValidTimes(c, PR_Now(), PR_TRUE);
return (valid == secCertTimeValid) ? SECSuccess : SECFailure;
Index: mozilla/security/nss/lib/freebl/blapii.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/freebl/blapii.h,v
retrieving revision 1.1
diff -p -u -8 -r1.1 blapii.h
--- mozilla/security/nss/lib/freebl/blapii.h 3 Feb 2009 05:34:40 -0000 1.1
+++ mozilla/security/nss/lib/freebl/blapii.h 9 Jan 2010 03:02:21 -0000
@@ -39,19 +39,19 @@
#define _BLAPII_H_
#include "blapit.h"
SEC_BEGIN_PROTOS
#if defined(XP_UNIX) && !defined(NO_CHECK_FORK)
-extern PRBool parentForkedAfterC_Initialize;
+extern PRBool bl_parentForkedAfterC_Initialize;
-#define SKIP_AFTER_FORK(x) if (!parentForkedAfterC_Initialize) x
+#define SKIP_AFTER_FORK(x) if (!bl_parentForkedAfterC_Initialize) x
#else
#define SKIP_AFTER_FORK(x) x
#endif
SEC_END_PROTOS
Index: mozilla/security/nss/lib/freebl/rsa.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/freebl/rsa.c,v
retrieving revision 1.39
diff -p -u -8 -r1.39 rsa.c
--- mozilla/security/nss/lib/freebl/rsa.c 3 Feb 2009 05:34:41 -0000 1.39
+++ mozilla/security/nss/lib/freebl/rsa.c 9 Jan 2010 03:02:22 -0000
@@ -967,18 +967,25 @@ void RSA_Cleanup(void)
* free_bl may have allocated along the way. Currently only RSA does this,
* so I've put it here for now.
*/
void BL_Cleanup(void)
{
RSA_Cleanup();
}
-PRBool parentForkedAfterC_Initialize;
+#if 1 /* STATIC LIBRARIES */
+void
+BL_Unload(void)
+{
+}
+#endif
+
+PRBool bl_parentForkedAfterC_Initialize;
/*
* Set fork flag so it can be tested in SKIP_AFTER_FORK on relevant platforms.
*/
void BL_SetForkState(PRBool forked)
{
- parentForkedAfterC_Initialize = forked;
+ bl_parentForkedAfterC_Initialize = forked;
}
Index: mozilla/security/nss/lib/freebl/shvfy.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/freebl/shvfy.c,v
retrieving revision 1.11
diff -p -u -8 -r1.11 shvfy.c
--- mozilla/security/nss/lib/freebl/shvfy.c 18 Nov 2008 19:48:24 -0000 1.11
+++ mozilla/security/nss/lib/freebl/shvfy.c 9 Jan 2010 03:02:22 -0000
@@ -97,19 +97,29 @@ readItem(PRFileDesc *fd, SECItem *item)
PORT_Free(item->data);
item->data = NULL;
item->len = 0;
return SECFailure;
}
return SECSuccess;
}
+/*
+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
+ * if you're using NSS as static libraries), but want to confirm to the
+ * rest of the FIPS requirements.
+ */
+#define PSEUDO_FIPS
+
PRBool
BLAPI_SHVerify(const char *name, PRFuncPtr addr)
{
+#ifdef PSEUDO_FIPS
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
+#else
/* find our shared library name */
char *shName = PR_GetLibraryFilePathname(name, addr);
char *checkName = NULL;
PRFileDesc *checkFD = NULL;
PRFileDesc *shFD = NULL;
SHA1Context *hashcx = NULL;
SECItem signature = { 0, NULL, 0 };
SECItem hash;
@@ -282,19 +292,23 @@ loser:
if (key.params.base.data != NULL) {
PORT_Free(key.params.base.data);
}
if (key.publicValue.data != NULL) {
PORT_Free(key.publicValue.data);
}
return result;
+#endif /* PSEUDO_FIPS */
}
PRBool
BLAPI_VerifySelf(const char *name)
{
- /* to separate shlib to verify if name is NULL */
if (name == NULL) {
+ /*
+ * If name is NULL, freebl is statically linked into softoken.
+ * softoken will call BLAPI_SHVerify next to verify itself.
+ */
return PR_TRUE;
}
return BLAPI_SHVerify(name, (PRFuncPtr) decodeInt);
}
Index: mozilla/security/nss/lib/nss/nssinit.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/nss/nssinit.c,v
retrieving revision 1.103
diff -p -u -8 -r1.103 nssinit.c
--- mozilla/security/nss/lib/nss/nssinit.c 29 Oct 2009 21:33:10 -0000 1.103
+++ mozilla/security/nss/lib/nss/nssinit.c 9 Jan 2010 03:02:22 -0000
@@ -49,19 +49,22 @@
#include "ssl.h"
#include "sslproto.h"
#include "secmod.h"
#include "secoid.h"
#include "nss.h"
#include "pk11func.h"
#include "secerr.h"
#include "nssbase.h"
+#define NO_LIBPKIX
+#ifndef NO_LIBPKIX
#include "pkixt.h"
#include "pkix.h"
#include "pkix_tools.h"
+#endif /* NO_LIBPKIX */
#include "pki3hack.h"
#include "certi.h"
#include "secmodi.h"
#include "ocspti.h"
#include "ocspi.h"
/*
@@ -532,18 +535,20 @@ nss_Init(const char *configdir, const ch
NSSInitParameters *initParams,
PRBool readOnly, PRBool noCertDB,
PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
PRBool optimizeSpace, PRBool noSingleThreadedModules,
PRBool allowAlreadyInitializedModules,
PRBool dontFinalizeModules)
{
SECStatus rv = SECFailure;
+#ifndef NO_LIBPKIX
PKIX_UInt32 actualMinorVersion = 0;
PKIX_Error *pkixError = NULL;
+#endif
PRBool isReallyInitted;
char *configStrings = NULL;
char *configName = NULL;
PRBool passwordRequired = PR_FALSE;
/* if we are trying to init with a traditional NSS_Init call, maintain
* the traditional idempotent behavior. */
if (!initContextPtr && nssIsInitted) {
@@ -662,28 +667,30 @@ nss_Init(const char *configdir, const ch
nss_FindExternalRoot(dbpath, secmodName);
}
}
}
pk11sdr_Init();
cert_CreateSubjectKeyIDHashTable();
+#ifndef NO_LIBPKIX
pkixError = PKIX_Initialize
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
if (pkixError != NULL) {
goto loser;
} else {
char *ev = getenv("NSS_ENABLE_PKIX_VERIFY");
if (ev && ev[0]) {
CERT_SetUsePKIXForValidation(PR_TRUE);
}
}
+#endif /* NO_LIBPKIX */
}
/*
* Now mark the appropriate init state. If initContextPtr was passed
* in, then return the new context pointer and add it to the
* nssInitContextList. Otherwise set the global nss_isInitted flag
@@ -1026,17 +1033,19 @@ nss_Shutdown(void)
rv = nss_ShutdownShutdownList();
if (rv != SECSuccess) {
shutdownRV = SECFailure;
}
cert_DestroyLocks();
ShutdownCRLCache();
OCSP_ShutdownGlobal();
+#ifndef NO_LIBPKIX
PKIX_Shutdown(plContext);
+#endif
SECOID_Shutdown();
status = STAN_Shutdown();
cert_DestroySubjectKeyIDHashTable();
pk11_SetInternalKeySlot(NULL);
rv = SECMOD_Shutdown();
if (rv != SECSuccess) {
shutdownRV = SECFailure;
}
Index: mozilla/security/nss/lib/pk11wrap/pk11load.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/pk11wrap/pk11load.c,v
retrieving revision 1.28
diff -p -u -8 -r1.28 pk11load.c
--- mozilla/security/nss/lib/pk11wrap/pk11load.c 30 Oct 2009 09:44:45 -0000 1.28
+++ mozilla/security/nss/lib/pk11wrap/pk11load.c 9 Jan 2010 03:02:22 -0000
@@ -344,46 +344,54 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot,
mod->slotInfo = psi_list;
mod->slotInfoCount++;
}
psi->hasRootCerts = 1;
}
}
+#if 1 /* STATIC LIBRARIES */
+extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
+#else
static const char* my_shlib_name =
SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
static const char* softoken_shlib_name =
SHLIB_PREFIX"softokn"SOFTOKEN_SHLIB_VERSION"."SHLIB_SUFFIX;
static const PRCallOnceType pristineCallOnce;
static PRCallOnceType loadSoftokenOnce;
static PRLibrary* softokenLib;
static PRInt32 softokenLoadCount;
+#endif /* STATIC LIBRARIES */
#include "prio.h"
#include "prprf.h"
#include <stdio.h>
#include "prsystem.h"
+#if 0 /* STATIC LIBRARIES */
/* This function must be run only once. */
/* determine if hybrid platform, then actually load the DSO. */
static PRStatus
softoken_LoadDSO( void )
{
PRLibrary * handle;
handle = PORT_LoadLibraryFromOrigin(my_shlib_name,
(PRFuncPtr) &softoken_LoadDSO,
softoken_shlib_name);
if (handle) {
softokenLib = handle;
return PR_SUCCESS;
}
return PR_FAILURE;
}
+#endif /* STATIC LIBRARIES */
/*
* load a new module into our address space and initialize it.
*/
SECStatus
secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
PRLibrary *library = NULL;
CK_C_GetFunctionList entry = NULL;
@@ -393,16 +401,26 @@ secmod_LoadPKCS11Module(SECMODModule *mo
SECStatus rv;
PRBool alreadyLoaded = PR_FALSE;
char *disableUnload = NULL;
if (mod->loaded) return SECSuccess;
/* intenal modules get loaded from their internal list */
if (mod->internal && (mod->dllName == NULL)) {
+#if 1 /* STATIC LIBRARIES */
+ if (mod->isFIPS) {
+ entry = FC_GetFunctionList;
+ } else {
+ entry = NSC_GetFunctionList;
+ }
+ if (mod->isModuleDB) {
+ mod->moduleDBFunc = NSC_ModuleDBFunc;
+ }
+#else
/*
* Loads softoken as a dynamic library,
* even though the rest of NSS assumes this as the "internal" module.
*/
if (!softokenLib &&
PR_SUCCESS != PR_CallOnce(&loadSoftokenOnce, &softoken_LoadDSO))
return SECFailure;
@@ -418,16 +436,17 @@ secmod_LoadPKCS11Module(SECMODModule *mo
if (!entry)
return SECFailure;
if (mod->isModuleDB) {
mod->moduleDBFunc = (CK_C_GetFunctionList)
PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
}
+#endif
if (mod->moduleDBOnly) {
mod->loaded = PR_TRUE;
return SECSuccess;
}
} else {
/* Not internal, load the DLL and look up C_GetFunctionList */
if (mod->dllName == NULL) {
@@ -587,27 +606,29 @@ SECMOD_UnloadModule(SECMODModule *mod) {
}
mod->moduleID = 0;
mod->loaded = PR_FALSE;
/* do we want the semantics to allow unloading the internal library?
* if not, we should change this to SECFailure and move it above the
* mod->loaded = PR_FALSE; */
if (mod->internal) {
+#if 0 /* STATIC LIBRARIES */
if (0 == PR_AtomicDecrement(&softokenLoadCount)) {
if (softokenLib) {
disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
if (!disableUnload) {
PRStatus status = PR_UnloadLibrary(softokenLib);
PORT_Assert(PR_SUCCESS == status);
}
softokenLib = NULL;
}
loadSoftokenOnce = pristineCallOnce;
}
+#endif
return SECSuccess;
}
library = (PRLibrary *)mod->library;
/* paranoia */
if (library == NULL) {
return SECFailure;
}
Index: mozilla/security/nss/lib/softoken/lgglue.c
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/lgglue.c,v
retrieving revision 1.13
diff -p -u -8 -r1.13 lgglue.c
--- mozilla/security/nss/lib/softoken/lgglue.c 16 Apr 2009 18:19:26 -0000 1.13
+++ mozilla/security/nss/lib/softoken/lgglue.c 9 Jan 2010 03:02:23 -0000
@@ -50,16 +50,17 @@
static LGOpenFunc legacy_glue_open = NULL;
static LGReadSecmodFunc legacy_glue_readSecmod = NULL;
static LGReleaseSecmodFunc legacy_glue_releaseSecmod = NULL;
static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL;
static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
static LGShutdownFunc legacy_glue_shutdown = NULL;
+#if 0 /* STATIC LIBRARIES */
/*
* The following 3 functions duplicate the work done by bl_LoadLibrary.
* We should make bl_LoadLibrary a global and replace the call to
* sftkdb_LoadLibrary(const char *libname) with it.
*/
#ifdef XP_UNIX
#include <unistd.h>
#define LG_MAX_LINKS 20
@@ -187,16 +188,17 @@ done:
PRLibSpec libSpec;
libSpec.type = PR_LibSpec_Pathname;
libSpec.value.pathname = libname;
lib = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
}
return lib;
}
+#endif /* STATIC LIBRARIES */
/*
* stub files for legacy db's to be able to encrypt and decrypt
* various keys and attributes.
*/
static SECStatus
sftkdb_encrypt_stub(PRArenaPool *arena, SDB *sdb, SECItem *plainText,
SECItem **cipherText)
@@ -299,16 +301,33 @@ sftkdbLoad_Legacy(PRBool isFIPS)
* get cleared in shutdown */
return SECFailure;
}
legacy_glue_libCheckSucceeded = PR_TRUE;
}
return SECSuccess;
}
+#undef TRY_TO_USE_NSSDBM
+#if 1 /* STATIC LIBRARIES */
+#ifdef TRY_TO_USE_NSSDBM
+ lib = (PRLibrary *) 0x8;
+
+ legacy_glue_open = legacy_Open;
+ legacy_glue_readSecmod = legacy_ReadSecmodDB;
+ legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
+ legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
+ legacy_glue_addSecmod = legacy_AddSecmodDB;
+ legacy_glue_shutdown = legacy_Shutdown;
+ setCryptFunction = legacy_SetCryptFunctions;
+#else
+ fprintf(stderr, "NSSDBM omitted!\n");
+ return SECFailure;
+#endif
+#else
lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
if (lib == NULL) {
return SECFailure;
}
legacy_glue_open = (LGOpenFunc)PR_FindFunctionSymbol(lib, "legacy_Open");
legacy_glue_readSecmod = (LGReadSecmodFunc) PR_FindFunctionSymbol(lib,
"legacy_ReadSecmodDB");
@@ -324,21 +343,24 @@ sftkdbLoad_Legacy(PRBool isFIPS)
"legacy_SetCryptFunctions");
if (!legacy_glue_open || !legacy_glue_readSecmod ||
!legacy_glue_releaseSecmod || !legacy_glue_deleteSecmod ||
!legacy_glue_addSecmod || !setCryptFunction) {
PR_UnloadLibrary(lib);
return SECFailure;
}
+#endif /* STATIC LIBRARIES */
/* verify the loaded library if we are in FIPS mode */
if (isFIPS) {
if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
+#if 0 /* STATIC LIBRARIES */
PR_UnloadLibrary(lib);
+#endif
return SECFailure;
}
legacy_glue_libCheckSucceeded = PR_TRUE;
}
setCryptFunction(sftkdb_encrypt_stub,sftkdb_decrypt_stub);
legacy_glue_lib = lib;
return SECSuccess;
@@ -445,20 +467,22 @@ sftkdbCall_Shutdown(void)
return CKR_OK;
}
if (legacy_glue_shutdown) {
#ifdef NO_FORK_CHECK
PRBool parentForkedAfterC_Initialize = PR_FALSE;
#endif
crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
}
+#if 0 /* STATIC LIBRARIES */
disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
if (!disableUnload) {
PR_UnloadLibrary(legacy_glue_lib);
}
+#endif
legacy_glue_lib = NULL;
legacy_glue_open = NULL;
legacy_glue_readSecmod = NULL;
legacy_glue_releaseSecmod = NULL;
legacy_glue_deleteSecmod = NULL;
legacy_glue_addSecmod = NULL;
legacy_glue_libCheckFailed = PR_FALSE;
legacy_glue_libCheckSucceeded = PR_FALSE;
Index: mozilla/security/nss/lib/softoken/lgglue.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/softoken/lgglue.h,v
retrieving revision 1.4
diff -p -u -8 -r1.4 lgglue.h
--- mozilla/security/nss/lib/softoken/lgglue.h 16 Apr 2009 18:19:26 -0000 1.4
+++ mozilla/security/nss/lib/softoken/lgglue.h 9 Jan 2010 03:02:23 -0000
@@ -65,16 +65,35 @@ typedef SECStatus (*LGDeleteSecmodFunc)(
const char *dbname, char *params, PRBool rw);
typedef SECStatus (*LGAddSecmodFunc)(const char *appName,
const char *filename,
const char *dbname, char *params, PRBool rw);
typedef SECStatus (*LGShutdownFunc)(PRBool forked);
typedef void (*LGSetForkStateFunc)(PRBool);
typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
+extern CK_RV legacy_Open(const char *dir, const char *certPrefix,
+ const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB);
+extern char ** legacy_ReadSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
+ const char *filename,
+ const char *dbname, char **params, PRBool rw);
+extern SECStatus legacy_DeleteSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_AddSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_Shutdown(PRBool forked);
+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
+
/*
* Softoken Glue Functions
*/
CK_RV sftkdbCall_open(const char *dir, const char *certPrefix,
const char *keyPrefix,
int certVersion, int keyVersion, int flags, PRBool isFIPS,
SDB **certDB, SDB **keyDB);
char ** sftkdbCall_ReadSecmodDB(const char *appName, const char *filename,
Index: mozilla/security/nss/lib/util/secport.h
===================================================================
RCS file: /cvsroot/mozilla/security/nss/lib/util/secport.h,v
retrieving revision 1.23
diff -p -u -8 -r1.23 secport.h
--- mozilla/security/nss/lib/util/secport.h 30 Oct 2009 09:44:47 -0000 1.23
+++ mozilla/security/nss/lib/util/secport.h 9 Jan 2010 03:02:23 -0000
@@ -238,16 +238,17 @@ sec_port_iso88591_utf8_conversion_functi
unsigned int maxOutBufLen,
unsigned int *outBufLen
);
extern int NSS_PutEnv(const char * envVarName, const char * envValue);
extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
+#if 0 /* STATIC LIBRARIES */
/*
* Load a shared library called "newShLibName" in the same directory as
* a shared library that is already loaded, called existingShLibName.
* A pointer to a static function in that shared library,
* staticShLibFunc, is required.
*
* existingShLibName:
* The file name of the shared library that shall be used as the
@@ -272,12 +273,13 @@ extern int NSS_SecureMemcmp(const void *
*
* If the new shared library is not found in the same location as the reference
* library, it will then be loaded from the normal system library path.
*/
PRLibrary *
PORT_LoadLibraryFromOrigin(const char* existingShLibName,
PRFuncPtr staticShLibFunc,
const char *newShLibName);
+#endif /* STATIC LIBRARIES */
SEC_END_PROTOS
#endif /* _SECPORT_H_ */