| diff -r db5b7e3c69a5 lib/certhigh/certvfy.c |
| --- a/lib/certhigh/certvfy.c Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/certhigh/certvfy.c Fri May 31 17:44:06 2013 -0700 |
| @@ -13,9 +13,11 @@ |
| #include "certdb.h" |
| #include "certi.h" |
| #include "cryptohi.h" |
| +#ifndef NSS_DISABLE_LIBPKIX |
| #include "pkix.h" |
| /*#include "pkix_sample_modules.h" */ |
| #include "pkix_pl_cert.h" |
| +#endif /* NSS_DISABLE_LIBPKIX */ |
| |
| |
| #include "nsspki.h" |
| @@ -24,6 +26,47 @@ |
| #include "pki3hack.h" |
| #include "base.h" |
| |
| +#ifdef NSS_DISABLE_LIBPKIX |
| +SECStatus |
| +cert_VerifyCertChainPkix( |
| + CERTCertificate *cert, |
| + PRBool checkSig, |
| + SECCertUsage requiredUsage, |
| + PRTime time, |
| + void *wincx, |
| + CERTVerifyLog *log, |
| + PRBool *pSigerror, |
| + PRBool *pRevoked) |
| +{ |
| + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| + return SECFailure; |
| +} |
| + |
| +SECStatus |
| +CERT_SetUsePKIXForValidation(PRBool enable) |
| +{ |
| + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| + return SECFailure; |
| +} |
| + |
| +PRBool |
| +CERT_GetUsePKIXForValidation() |
| +{ |
| + return PR_FALSE; |
| +} |
| + |
| +SECStatus CERT_PKIXVerifyCert( |
| + CERTCertificate *cert, |
| + SECCertificateUsage usages, |
| + CERTValInParam *paramsIn, |
| + CERTValOutParam *paramsOut, |
| + void *wincx) |
| +{ |
| + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
| + return SECFailure; |
| +} |
| +#endif /* NSS_DISABLE_LIBPKIX */ |
| + |
| /* |
| * Check the validity times of a certificate |
| */ |
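Review bot: `CERT_GetUsePKIXForValidation()` in this hunk is defined with an empty parameter list, which in C is an old-style (unprototyped) definition; write it as `CERT_GetUsePKIXForValidation(void)` so it matches a prototyped declaration. The three stubs returning SECFailure with PR_NOT_IMPLEMENTED_ERROR fail closed, which is the right default for a verification API, but nothing in the block says why they exist; a comment above the `#ifdef NSS_DISABLE_LIBPKIX` such as `/* libpkix compiled out: keep the public entry points linkable and make them fail closed */` would save the next reader a search. The unused parameters of the SECStatus stubs will also draw -Wunused-parameter warnings in a warnings-as-errors build; a `(void)cert;`-style touch in each body is the usual remedy.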
| diff -r db5b7e3c69a5 lib/ckfw/nssck.api |
| --- a/lib/ckfw/nssck.api Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/ckfw/nssck.api Fri May 31 17:44:06 2013 -0700 |
| @@ -1752,7 +1752,7 @@ |
| } |
| #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */ |
| |
| -static CK_RV CK_ENTRY |
| +CK_RV CK_ENTRY |
| __ADJOIN(MODULE_NAME,C_GetFunctionList) |
| ( |
| CK_FUNCTION_LIST_PTR_PTR ppFunctionList |
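Review bot: Dropping `static` from `__ADJOIN(MODULE_NAME,C_GetFunctionList)` gives the symbol external linkage in every build, not only the static one that needs it (pk11load.c references `builtinsC_GetFunctionList`); the same change appears in the second hunk of this file. Unless the export map is relied on to hide it, wrap the storage class in the same `#ifdef NSS_STATIC` so the shared-library build keeps the function `static` and its exported surface unchanged, i.e. emit `CK_RV CK_ENTRY` under `NSS_STATIC` and `static CK_RV CK_ENTRY` in the `#else` branch. The function body continues outside the hunk.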
| @@ -1830,7 +1830,7 @@ |
| __ADJOIN(MODULE_NAME,C_WaitForSlotEvent) |
| }; |
| |
| -static CK_RV CK_ENTRY |
| +CK_RV CK_ENTRY |
| __ADJOIN(MODULE_NAME,C_GetFunctionList) |
| ( |
| CK_FUNCTION_LIST_PTR_PTR ppFunctionList |
| @@ -1840,6 +1840,7 @@ |
| return CKR_OK; |
| } |
| |
| +#ifndef NSS_STATIC |
| /* This one is always present */ |
| CK_RV CK_ENTRY |
| C_GetFunctionList |
| @@ -1849,6 +1850,7 @@ |
| { |
| return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList); |
| } |
| +#endif |
| |
| #undef __ADJOIN |
| |
| diff -r db5b7e3c69a5 lib/freebl/rsa.c |
| --- a/lib/freebl/rsa.c Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/freebl/rsa.c Fri May 31 17:44:06 2013 -0700 |
| @@ -1559,6 +1559,13 @@ |
| RSA_Cleanup(); |
| } |
| |
| +#ifdef NSS_STATIC |
| +void |
| +BL_Unload(void) |
| +{ |
| +} |
| +#endif |
| + |
| PRBool bl_parentForkedAfterC_Initialize; |
| |
| /* |
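Review bot: The new `BL_Unload` body is empty with no comment, so a reader cannot tell whether the no-op is deliberate or a stub left to fill in. Add `/* Nothing to unload: freebl is linked in statically, so there is no shared object to release. */` inside the function. Presumably the dynamic-load definition of `BL_Unload` lives in another file and this one only exists so the static link resolves; if so, saying that in the comment would be worth a line too.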
| diff -r db5b7e3c69a5 lib/freebl/shvfy.c |
| --- a/lib/freebl/shvfy.c Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/freebl/shvfy.c Fri May 31 17:44:06 2013 -0700 |
| @@ -273,9 +273,21 @@ |
| return SECSuccess; |
| } |
| |
| +/* |
| + * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g., |
| + * if you're using NSS as static libraries), but want to conform to the |
| + * rest of the FIPS requirements. |
| + */ |
| +#ifdef NSS_STATIC |
| +#define PSEUDO_FIPS |
| +#endif |
| + |
| PRBool |
| BLAPI_SHVerify(const char *name, PRFuncPtr addr) |
| { |
| +#ifdef PSEUDO_FIPS |
| + return PR_TRUE; /* a lie, hence *pseudo* FIPS */ |
| +#else |
| PRBool result = PR_FALSE; /* if anything goes wrong, |
| * the signature does not verify */ |
| /* find our shared library name */ |
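Review bot: `PSEUDO_FIPS` is defined automatically whenever `NSS_STATIC` is set, so every static build silently makes `BLAPI_SHVerify` (and `BLAPI_SHVerifyFile` in the next hunk) return PR_TRUE without checking anything, while the new comment describes it as something you "define if you can't do" the integrity test, i.e. an opt-in. Make it an explicit opt-in: drop the `#ifdef NSS_STATIC / #define PSEUDO_FIPS / #endif` block and require the build to pass `-DPSEUDO_FIPS` itself, or at least turn the automatic definition into a `#warning` so the bypass is visible in the build log. Under `PSEUDO_FIPS` the `name`/`addr` parameters are now unused; `(void)name; (void)addr;` before the return avoids the warning. `BLAPI_SHVerify` continues outside the hunk.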
| @@ -291,11 +303,15 @@ |
| } |
| |
| return result; |
| +#endif /* PSEUDO_FIPS */ |
| } |
| |
| PRBool |
| BLAPI_SHVerifyFile(const char *shName) |
| { |
| +#ifdef PSEUDO_FIPS |
| + return PR_TRUE; /* a lie, hence *pseudo* FIPS */ |
| +#else |
| char *checkName = NULL; |
| PRFileDesc *checkFD = NULL; |
| PRFileDesc *shFD = NULL; |
| @@ -492,6 +508,7 @@ |
| } |
| |
| return result; |
| +#endif /* PSEUDO_FIPS */ |
| } |
| |
| PRBool |
| diff -r db5b7e3c69a5 lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c |
| --- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Fri May 31 17:44:06 2013 -0700 |
| @@ -201,7 +201,10 @@ |
| |
| typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen, |
| CERTImportCertificateFunc f, void *arg); |
| - |
| +#ifdef NSS_STATIC |
| +extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen, |
| + CERTImportCertificateFunc f, void* arg); |
| +#endif |
| |
| struct pkix_DecodeFuncStr { |
| pkix_DecodeCertsFunc func; /* function pointer to the |
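Review bot: The hand-written `extern SECStatus CERT_DecodeCertPackage(...)` duplicates a prototype that the certdb headers already provide (cert.h, if I recall the NSS layout correctly); a local re-declaration is not cross-checked against the real one unless both are visible in the same translation unit, so the two can drift apart silently. Prefer `#include`-ing the header that declares it under the same `#ifdef NSS_STATIC`. If the include is kept out for dependency reasons, at least match the file's pointer style (`char *certbuf`, `void *arg`) and add a one-line comment saying why the prototype is repeated here.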
| @@ -223,6 +226,11 @@ |
| */ |
| static PRStatus PR_CALLBACK pkix_getDecodeFunction(void) |
| { |
| +#ifdef NSS_STATIC |
| + pkix_decodeFunc.smimeLib = NULL; |
| + pkix_decodeFunc.func = CERT_DecodeCertPackage; |
| + return PR_SUCCESS; |
| +#else |
| pkix_decodeFunc.smimeLib = |
| PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX); |
| if (pkix_decodeFunc.smimeLib == NULL) { |
| @@ -235,7 +243,7 @@ |
| return PR_FAILURE; |
| } |
| return PR_SUCCESS; |
| - |
| +#endif |
| } |
| |
| /* |
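Review bot: The `NSS_STATIC` branch of `pkix_getDecodeFunction` leaves `pkix_decodeFunc.smimeLib` NULL while reporting PR_SUCCESS, so any later teardown that unloads `smimeLib` must tolerate NULL; that code is outside the hunk, so please confirm it does, or guard the unload with `if (pkix_decodeFunc.smimeLib)`. A short comment on the branch, e.g. `/* statically linked: smime's decoder is reachable directly, no library to hold */`, would make the NULL deliberate to the reader.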
| diff -r db5b7e3c69a5 lib/nss/nssinit.c |
| --- a/lib/nss/nssinit.c Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/nss/nssinit.c Fri May 31 17:44:06 2013 -0700 |
| @@ -20,9 +20,11 @@ |
| #include "secerr.h" |
| #include "nssbase.h" |
| #include "nssutil.h" |
| +#ifndef NSS_DISABLE_LIBPKIX |
| #include "pkixt.h" |
| #include "pkix.h" |
| #include "pkix_tools.h" |
| +#endif /* NSS_DISABLE_LIBPKIX */ |
| |
| #include "pki3hack.h" |
| #include "certi.h" |
| @@ -530,8 +532,10 @@ |
| PRBool dontFinalizeModules) |
| { |
| SECStatus rv = SECFailure; |
| +#ifndef NSS_DISABLE_LIBPKIX |
| PKIX_UInt32 actualMinorVersion = 0; |
| PKIX_Error *pkixError = NULL; |
| +#endif |
| PRBool isReallyInitted; |
| char *configStrings = NULL; |
| char *configName = NULL; |
| @@ -685,6 +689,7 @@ |
| pk11sdr_Init(); |
| cert_CreateSubjectKeyIDHashTable(); |
| |
| +#ifndef NSS_DISABLE_LIBPKIX |
| pkixError = PKIX_Initialize |
| (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, |
| PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); |
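Review bot: `plContext`, passed to `PKIX_Initialize` here and to `PKIX_Shutdown` in the last hunk of this file, is defined outside the hunk; if those are its only uses it becomes an unused variable in the `NSS_DISABLE_LIBPKIX` build, and if its type comes from a libpkix header it will not compile at all. Either wrap its definition in the same `#ifndef NSS_DISABLE_LIBPKIX` or add a `(void)plContext;` where it is defined. The enclosing function starts before this hunk.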
| @@ -697,6 +702,7 @@ |
| CERT_SetUsePKIXForValidation(PR_TRUE); |
| } |
| } |
| +#endif /* NSS_DISABLE_LIBPKIX */ |
| |
| |
| } |
| @@ -1081,7 +1087,9 @@ |
| cert_DestroyLocks(); |
| ShutdownCRLCache(); |
| OCSP_ShutdownGlobal(); |
| +#ifndef NSS_DISABLE_LIBPKIX |
| PKIX_Shutdown(plContext); |
| +#endif |
| SECOID_Shutdown(); |
| status = STAN_Shutdown(); |
| cert_DestroySubjectKeyIDHashTable(); |
| diff -r db5b7e3c69a5 lib/pk11wrap/pk11load.c |
| --- a/lib/pk11wrap/pk11load.c Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/pk11wrap/pk11load.c Fri May 31 17:44:06 2013 -0700 |
| @@ -318,6 +318,12 @@ |
| } |
| } |
| |
| +#ifdef NSS_STATIC |
| +extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
| +extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
| +extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args); |
| +extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
| +#else |
| static const char* my_shlib_name = |
| SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX; |
| static const char* softoken_shlib_name = |
| @@ -326,12 +332,14 @@ |
| static PRCallOnceType loadSoftokenOnce; |
| static PRLibrary* softokenLib; |
| static PRInt32 softokenLoadCount; |
| +#endif /* NSS_STATIC */ |
| |
| #include "prio.h" |
| #include "prprf.h" |
| #include <stdio.h> |
| #include "prsystem.h" |
| |
| +#ifndef NSS_STATIC |
| /* This function must be run only once. */ |
| /* determine if hybrid platform, then actually load the DSO. */ |
| static PRStatus |
| @@ -348,6 +356,7 @@ |
| } |
| return PR_FAILURE; |
| } |
| +#endif /* !NSS_STATIC */ |
| |
| /* |
| * load a new module into our address space and initialize it. |
| @@ -366,6 +375,16 @@ |
| |
| /* intenal modules get loaded from their internal list */ |
| if (mod->internal && (mod->dllName == NULL)) { |
| +#ifdef NSS_STATIC |
| + if (mod->isFIPS) { |
| + entry = FC_GetFunctionList; |
| + } else { |
| + entry = NSC_GetFunctionList; |
| + } |
| + if (mod->isModuleDB) { |
| + mod->moduleDBFunc = NSC_ModuleDBFunc; |
| + } |
| +#else |
| /* |
| * Loads softoken as a dynamic library, |
| * even though the rest of NSS assumes this as the "internal" module. |
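Review bot: `mod->moduleDBFunc = NSC_ModuleDBFunc;` assigns a function pointer directly, whereas the dynamic path two hunks down writes `mod->moduleDBFunc = (void *) PR_FindSymbol(...)`, which suggests the field is a `void *`; converting a function pointer to an object pointer implicitly is not standard C and some compilers warn on it. Use the same explicit cast as the other assignments, `mod->moduleDBFunc = (void *)NSC_ModuleDBFunc;`. The enclosing function starts before this hunk.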
| @@ -391,6 +410,7 @@ |
| mod->moduleDBFunc = (CK_C_GetFunctionList) |
| PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); |
| } |
| +#endif |
| |
| if (mod->moduleDBOnly) { |
| mod->loaded = PR_TRUE; |
| @@ -401,6 +421,15 @@ |
| if (mod->dllName == NULL) { |
| return SECFailure; |
| } |
| +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
| + if (strstr(mod->dllName, "nssckbi") != NULL) { |
| + mod->library = NULL; |
| + PORT_Assert(!mod->moduleDBOnly); |
| + entry = builtinsC_GetFunctionList; |
| + PORT_Assert(!mod->isModuleDB); |
| + goto library_loaded; |
| + } |
| +#endif |
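Review bot: `strstr(mod->dllName, "nssckbi") != NULL` is a substring match on the full configured path, so any module whose path merely contains "nssckbi" (a directory name, for instance) would be bound to the statically linked builtins instead of the library named; the same test is repeated in the unload hunk near the end of this file. Compare the basename of `dllName` instead, ideally through one small static predicate used in both places so the two stay in step. The two `PORT_Assert` calls are the only thing rejecting a `moduleDBOnly`/`isModuleDB` builtins configuration and they compile out of release builds; add a real check, `if (mod->moduleDBOnly || mod->isModuleDB) return SECFailure;`, ahead of the `goto`. Since `dllName` comes from local module configuration the exposure is misbinding rather than anything remote, but the binding still deserves an exact match.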
| |
| /* load the library. If this succeeds, then we have to remember to |
| * unload the library if anything goes wrong from here on out... |
| @@ -423,6 +452,9 @@ |
| mod->moduleDBFunc = (void *) |
| PR_FindSymbol(library, "NSS_ReturnModuleSpecData"); |
| } |
| +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
| +library_loaded: |
| +#endif |
| if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE; |
| if (entry == NULL) { |
| if (mod->isModuleDB) { |
| @@ -562,6 +594,7 @@ |
| * if not, we should change this to SECFailure and move it above the |
| * mod->loaded = PR_FALSE; */ |
| if (mod->internal && (mod->dllName == NULL)) { |
| +#ifndef NSS_STATIC |
| if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) { |
| if (softokenLib) { |
| disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); |
| @@ -573,12 +606,18 @@ |
| } |
| loadSoftokenOnce = pristineCallOnce; |
| } |
| +#endif |
| return SECSuccess; |
| } |
| |
| library = (PRLibrary *)mod->library; |
| /* paranoia */ |
| if (library == NULL) { |
| +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
| + if (strstr(mod->dllName, "nssckbi") != NULL) { |
| + return SECSuccess; |
| + } |
| +#endif |
| return SECFailure; |
| } |
| |
| diff -r db5b7e3c69a5 lib/softoken/lgglue.c |
| --- a/lib/softoken/lgglue.c Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/softoken/lgglue.c Fri May 31 17:44:06 2013 -0700 |
| @@ -23,6 +23,7 @@ |
| static LGAddSecmodFunc legacy_glue_addSecmod = NULL; |
| static LGShutdownFunc legacy_glue_shutdown = NULL; |
| |
| +#ifndef NSS_STATIC |
| /* |
| * The following 3 functions duplicate the work done by bl_LoadLibrary. |
| * We should make bl_LoadLibrary a global and replace the call to |
| @@ -160,6 +161,7 @@ |
| |
| return lib; |
| } |
| +#endif /* STATIC LIBRARIES */ |
| |
| /* |
| * stub files for legacy db's to be able to encrypt and decrypt |
| @@ -272,6 +274,21 @@ |
| return SECSuccess; |
| } |
| |
| +#ifdef NSS_STATIC |
| +#ifdef NSS_DISABLE_DBM |
| + return SECFailure; |
| +#else |
| + lib = (PRLibrary *) 0x8; |
| + |
| + legacy_glue_open = legacy_Open; |
| + legacy_glue_readSecmod = legacy_ReadSecmodDB; |
| + legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData; |
| + legacy_glue_deleteSecmod = legacy_DeleteSecmodDB; |
| + legacy_glue_addSecmod = legacy_AddSecmodDB; |
| + legacy_glue_shutdown = legacy_Shutdown; |
| + setCryptFunction = legacy_SetCryptFunctions; |
| +#endif |
| +#else |
| lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME); |
| if (lib == NULL) { |
| return SECFailure; |
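Review bot: `lib = (PRLibrary *) 0x8;` uses an unexplained non-NULL magic value as a "loaded" marker; it only works because the later hunks compile out every `PR_UnloadLibrary(lib)` under `NSS_STATIC`, and a future caller that forgets the guard would hand a bogus pointer to NSPR. Give it a name and a contract in one place, e.g. `#define LEGACY_GLUE_STATIC_LIB ((PRLibrary *)0x8) /* non-NULL marker: legacy DB is linked in, never pass to PR_UnloadLibrary */` (name is a suggestion), and use it here. The enclosing function starts before this hunk.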
| @@ -297,11 +314,14 @@ |
| PR_UnloadLibrary(lib); |
| return SECFailure; |
| } |
| +#endif /* NSS_STATIC */ |
| |
| /* verify the loaded library if we are in FIPS mode */ |
| if (isFIPS) { |
| if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) { |
| +#ifndef NSS_STATIC |
| PR_UnloadLibrary(lib); |
| +#endif |
| return SECFailure; |
| } |
| legacy_glue_libCheckSucceeded = PR_TRUE; |
| @@ -418,10 +438,12 @@ |
| #endif |
| crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize); |
| } |
| +#ifndef NSS_STATIC |
| disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); |
| if (!disableUnload) { |
| PR_UnloadLibrary(legacy_glue_lib); |
| } |
| +#endif |
| legacy_glue_lib = NULL; |
| legacy_glue_open = NULL; |
| legacy_glue_readSecmod = NULL; |
| diff -r db5b7e3c69a5 lib/softoken/lgglue.h |
| --- a/lib/softoken/lgglue.h Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/softoken/lgglue.h Fri May 31 17:44:06 2013 -0700 |
| @@ -38,6 +38,25 @@ |
| typedef void (*LGSetForkStateFunc)(PRBool); |
| typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc); |
| |
| +extern CK_RV legacy_Open(const char *dir, const char *certPrefix, |
| + const char *keyPrefix, |
| + int certVersion, int keyVersion, int flags, |
| + SDB **certDB, SDB **keyDB); |
| +extern char ** legacy_ReadSecmodDB(const char *appName, |
| + const char *filename, |
| + const char *dbname, char *params, PRBool rw); |
| +extern SECStatus legacy_ReleaseSecmodDBData(const char *appName, |
| + const char *filename, |
| + const char *dbname, char **params, PRBool rw); |
| +extern SECStatus legacy_DeleteSecmodDB(const char *appName, |
| + const char *filename, |
| + const char *dbname, char *params, PRBool rw); |
| +extern SECStatus legacy_AddSecmodDB(const char *appName, |
| + const char *filename, |
| + const char *dbname, char *params, PRBool rw); |
| +extern SECStatus legacy_Shutdown(PRBool forked); |
| +extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc); |
| + |
| /* |
| * Softoken Glue Functions |
| */ |
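Review bot: `legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc)` omits its parameter names while the other new prototypes keep theirs; name them (e.g. `LGEncryptFunc encrypt, LGDecryptFunc decrypt`) so the header documents the call. These externs presumably mirror the legacy DB module's own declarations, which a `.c` file here will not include, so the compiler never checks that the two agree; a comment naming the defining module, or including its header when `NSS_STATIC` is set, would make drift detectable.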
| diff -r db5b7e3c69a5 lib/util/secport.h |
| --- a/lib/util/secport.h Tue May 28 23:37:46 2013 +0200 |
| +++ b/lib/util/secport.h Fri May 31 17:44:06 2013 -0700 |
| @@ -210,6 +210,7 @@ |
| |
| extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n); |
| |
| +#ifndef NSS_STATIC |
| /* |
| * Load a shared library called "newShLibName" in the same directory as |
| * a shared library that is already loaded, called existingShLibName. |
| @@ -244,6 +245,7 @@ |
| PORT_LoadLibraryFromOrigin(const char* existingShLibName, |
| PRFuncPtr staticShLibFunc, |
| const char *newShLibName); |
| +#endif /* NSS_STATIC */ |
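Review bot: The trailing comment `#endif /* NSS_STATIC */` closes an `#ifndef NSS_STATIC` block, and the patch spells that case three different ways: `/* !NSS_STATIC */` in pk11load.c, `/* STATIC LIBRARIES */` in lgglue.c, and this form. Use `#endif /* !NSS_STATIC */` for all of them so the comment states which branch is ending; the `#endif /* NSS_DISABLE_LIBPKIX */` lines that close `#ifndef NSS_DISABLE_LIBPKIX` in certvfy.c and nssinit.c have the same inversion.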
| |
| SEC_END_PROTOS |
| |