office-gobmx/external/nss/nss-chromium-nss-static.patch
Tor Lillqvist d308eda13d Use Chromium's patch to build NSS statically for iOS
Change-Id: Ica2cf641bc54f6e924b759cd4cf96dd96347c53b
2014-08-12 17:03:45 +03:00

487 lines
13 KiB
Diff

Based on http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/patches/nss-static.patch
--- a/a/nss/lib/certhigh/certvfy.c Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/certhigh/certvfy.c Fri May 31 17:44:06 2013 -0700
@@ -13,9 +13,11 @@
#include "certdb.h"
#include "certi.h"
#include "cryptohi.h"
+#ifndef NSS_DISABLE_LIBPKIX
#include "pkix.h"
/*#include "pkix_sample_modules.h" */
#include "pkix_pl_cert.h"
+#endif /* NSS_DISABLE_LIBPKIX */
#include "nsspki.h"
@@ -24,6 +26,47 @@
#include "pki3hack.h"
#include "base.h"
+#ifdef NSS_DISABLE_LIBPKIX
+SECStatus
+cert_VerifyCertChainPkix(
+ CERTCertificate *cert,
+ PRBool checkSig,
+ SECCertUsage requiredUsage,
+ PRTime time,
+ void *wincx,
+ CERTVerifyLog *log,
+ PRBool *pSigerror,
+ PRBool *pRevoked)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+
+SECStatus
+CERT_SetUsePKIXForValidation(PRBool enable)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+
+PRBool
+CERT_GetUsePKIXForValidation()
+{
+ return PR_FALSE;
+}
+
+SECStatus CERT_PKIXVerifyCert(
+ CERTCertificate *cert,
+ SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut,
+ void *wincx)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+#endif /* NSS_DISABLE_LIBPKIX */
+
/*
* Check the validity times of a certificate
*/
--- a/a/nss/lib/ckfw/nssck.api Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/ckfw/nssck.api Fri May 31 17:44:06 2013 -0700
@@ -1752,7 +1752,7 @@
}
#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-static CK_RV CK_ENTRY
+CK_RV CK_ENTRY
__ADJOIN(MODULE_NAME,C_GetFunctionList)
(
CK_FUNCTION_LIST_PTR_PTR ppFunctionList
@@ -1830,7 +1830,7 @@
__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
};
-static CK_RV CK_ENTRY
+CK_RV CK_ENTRY
__ADJOIN(MODULE_NAME,C_GetFunctionList)
(
CK_FUNCTION_LIST_PTR_PTR ppFunctionList
@@ -1840,6 +1840,8 @@
return CKR_OK;
}
+#define NSS_STATIC
+#ifndef NSS_STATIC
/* This one is always present */
CK_RV CK_ENTRY
C_GetFunctionList
@@ -1849,6 +1850,7 @@
{
return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
}
+#endif
#undef __ADJOIN
--- a/a/nss/lib/freebl/rsa.c Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/freebl/rsa.c Fri May 31 17:44:06 2013 -0700
@@ -1559,6 +1559,14 @@
RSA_Cleanup();
}
+#define NSS_STATIC
+#ifdef NSS_STATIC
+void
+BL_Unload(void)
+{
+}
+#endif
+
PRBool bl_parentForkedAfterC_Initialize;
/*
--- a/a/nss/lib/freebl/shvfy.c Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/freebl/shvfy.c Fri May 31 17:44:06 2013 -0700
@@ -273,9 +273,22 @@
return SECSuccess;
}
+/*
+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
+ * if you're using NSS as static libraries), but want to conform to the
+ * rest of the FIPS requirements.
+ */
+#define NSS_STATIC
+#ifdef NSS_STATIC
+#define PSEUDO_FIPS
+#endif
+
PRBool
BLAPI_SHVerify(const char *name, PRFuncPtr addr)
{
+#ifdef PSEUDO_FIPS
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
+#else
PRBool result = PR_FALSE; /* if anything goes wrong,
* the signature does not verify */
/* find our shared library name */
@@ -291,11 +303,15 @@
}
return result;
+#endif /* PSEUDO_FIPS */
}
PRBool
BLAPI_SHVerifyFile(const char *shName)
{
+#ifdef PSEUDO_FIPS
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
+#else
char *checkName = NULL;
PRFileDesc *checkFD = NULL;
PRFileDesc *shFD = NULL;
@@ -492,6 +508,7 @@
}
return result;
+#endif /* PSEUDO_FIPS */
}
PRBool
--- a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Fri May 31 17:44:06 2013 -0700
@@ -201,7 +201,11 @@
typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
CERTImportCertificateFunc f, void *arg);
-
+#define NSS_STATIC
+#ifdef NSS_STATIC
+extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
+ CERTImportCertificateFunc f, void* arg);
+#endif
struct pkix_DecodeFuncStr {
pkix_DecodeCertsFunc func; /* function pointer to the
@@ -223,6 +226,11 @@
*/
static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
{
+#ifdef NSS_STATIC
+ pkix_decodeFunc.smimeLib = NULL;
+ pkix_decodeFunc.func = CERT_DecodeCertPackage;
+ return PR_SUCCESS;
+#else
pkix_decodeFunc.smimeLib =
PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
if (pkix_decodeFunc.smimeLib == NULL) {
@@ -235,7 +243,7 @@
return PR_FAILURE;
}
return PR_SUCCESS;
-
+#endif
}
/*
--- a/a/nss/lib/nss/nssinit.c Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/nss/nssinit.c Fri May 31 17:44:06 2013 -0700
@@ -20,9 +20,11 @@
#include "secerr.h"
#include "nssbase.h"
#include "nssutil.h"
+#ifndef NSS_DISABLE_LIBPKIX
#include "pkixt.h"
#include "pkix.h"
#include "pkix_tools.h"
+#endif /* NSS_DISABLE_LIBPKIX */
#include "pki3hack.h"
#include "certi.h"
@@ -530,8 +532,10 @@
PRBool dontFinalizeModules)
{
SECStatus rv = SECFailure;
+#ifndef NSS_DISABLE_LIBPKIX
PKIX_UInt32 actualMinorVersion = 0;
PKIX_Error *pkixError = NULL;
+#endif
PRBool isReallyInitted;
char *configStrings = NULL;
char *configName = NULL;
@@ -685,6 +689,7 @@
pk11sdr_Init();
cert_CreateSubjectKeyIDHashTable();
+#ifndef NSS_DISABLE_LIBPKIX
pkixError = PKIX_Initialize
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
@@ -697,6 +702,7 @@
CERT_SetUsePKIXForValidation(PR_TRUE);
}
}
+#endif /* NSS_DISABLE_LIBPKIX */
}
@@ -1081,7 +1087,9 @@
cert_DestroyLocks();
ShutdownCRLCache();
OCSP_ShutdownGlobal();
+#ifndef NSS_DISABLE_LIBPKIX
PKIX_Shutdown(plContext);
+#endif
SECOID_Shutdown();
status = STAN_Shutdown();
cert_DestroySubjectKeyIDHashTable();
--- a/a/nss/lib/pk11wrap/pk11load.c Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/pk11wrap/pk11load.c Fri May 31 17:44:06 2013 -0700
@@ -318,6 +318,13 @@
}
}
+#define NSS_STATIC
+#ifdef NSS_STATIC
+extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
+extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+#else
static const char* my_shlib_name =
SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
static const char* softoken_shlib_name =
@@ -326,12 +332,14 @@
static PRCallOnceType loadSoftokenOnce;
static PRLibrary* softokenLib;
static PRInt32 softokenLoadCount;
+#endif /* NSS_STATIC */
#include "prio.h"
#include "prprf.h"
#include <stdio.h>
#include "prsystem.h"
+#ifndef NSS_STATIC
/* This function must be run only once. */
/* determine if hybrid platform, then actually load the DSO. */
static PRStatus
@@ -348,6 +356,7 @@
}
return PR_FAILURE;
}
+#endif /* !NSS_STATIC */
/*
* load a new module into our address space and initialize it.
@@ -366,6 +375,16 @@
/* intenal modules get loaded from their internal list */
if (mod->internal && (mod->dllName == NULL)) {
+#ifdef NSS_STATIC
+ if (mod->isFIPS) {
+ entry = FC_GetFunctionList;
+ } else {
+ entry = NSC_GetFunctionList;
+ }
+ if (mod->isModuleDB) {
+ mod->moduleDBFunc = NSC_ModuleDBFunc;
+ }
+#else
/*
* Loads softoken as a dynamic library,
* even though the rest of NSS assumes this as the "internal" module.
@@ -391,6 +410,7 @@
mod->moduleDBFunc = (CK_C_GetFunctionList)
PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
}
+#endif
if (mod->moduleDBOnly) {
mod->loaded = PR_TRUE;
@@ -401,6 +421,15 @@
if (mod->dllName == NULL) {
return SECFailure;
}
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+ if (strstr(mod->dllName, "nssckbi") != NULL) {
+ mod->library = NULL;
+ PORT_Assert(!mod->moduleDBOnly);
+ entry = builtinsC_GetFunctionList;
+ PORT_Assert(!mod->isModuleDB);
+ goto library_loaded;
+ }
+#endif
/* load the library. If this succeeds, then we have to remember to
* unload the library if anything goes wrong from here on out...
@@ -423,6 +452,9 @@
mod->moduleDBFunc = (void *)
PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
}
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+library_loaded:
+#endif
if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
if (entry == NULL) {
if (mod->isModuleDB) {
@@ -562,6 +594,7 @@
* if not, we should change this to SECFailure and move it above the
* mod->loaded = PR_FALSE; */
if (mod->internal && (mod->dllName == NULL)) {
+#ifndef NSS_STATIC
if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
if (softokenLib) {
disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
@@ -573,12 +606,18 @@
}
loadSoftokenOnce = pristineCallOnce;
}
+#endif
return SECSuccess;
}
library = (PRLibrary *)mod->library;
/* paranoia */
if (library == NULL) {
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+ if (strstr(mod->dllName, "nssckbi") != NULL) {
+ return SECSuccess;
+ }
+#endif
return SECFailure;
}
--- a/a/nss/lib/softoken/lgglue.c Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/softoken/lgglue.c Fri May 31 17:44:06 2013 -0700
@@ -23,6 +23,8 @@
static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
static LGShutdownFunc legacy_glue_shutdown = NULL;
+#define NSS_STATIC
+#ifndef NSS_STATIC
/*
* The following 3 functions duplicate the work done by bl_LoadLibrary.
* We should make bl_LoadLibrary a global and replace the call to
@@ -160,6 +161,7 @@
return lib;
}
+#endif /* STATIC LIBRARIES */
/*
* stub files for legacy db's to be able to encrypt and decrypt
@@ -272,6 +274,21 @@
return SECSuccess;
}
+#ifdef NSS_STATIC
+#ifdef NSS_DISABLE_DBM
+ return SECFailure;
+#else
+ lib = (PRLibrary *) 0x8;
+
+ legacy_glue_open = legacy_Open;
+ legacy_glue_readSecmod = legacy_ReadSecmodDB;
+ legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
+ legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
+ legacy_glue_addSecmod = legacy_AddSecmodDB;
+ legacy_glue_shutdown = legacy_Shutdown;
+ setCryptFunction = legacy_SetCryptFunctions;
+#endif
+#else
lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
if (lib == NULL) {
return SECFailure;
@@ -297,11 +314,14 @@
PR_UnloadLibrary(lib);
return SECFailure;
}
+#endif /* NSS_STATIC */
/* verify the loaded library if we are in FIPS mode */
if (isFIPS) {
if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
+#ifndef NSS_STATIC
PR_UnloadLibrary(lib);
+#endif
return SECFailure;
}
legacy_glue_libCheckSucceeded = PR_TRUE;
@@ -418,10 +438,12 @@
#endif
crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
}
+#ifndef NSS_STATIC
disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
if (!disableUnload) {
PR_UnloadLibrary(legacy_glue_lib);
}
+#endif
legacy_glue_lib = NULL;
legacy_glue_open = NULL;
legacy_glue_readSecmod = NULL;
--- a/a/nss/lib/softoken/lgglue.h Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/softoken/lgglue.h Fri May 31 17:44:06 2013 -0700
@@ -38,6 +38,25 @@
typedef void (*LGSetForkStateFunc)(PRBool);
typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
+extern CK_RV legacy_Open(const char *dir, const char *certPrefix,
+ const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB);
+extern char ** legacy_ReadSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
+ const char *filename,
+ const char *dbname, char **params, PRBool rw);
+extern SECStatus legacy_DeleteSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_AddSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_Shutdown(PRBool forked);
+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
+
/*
* Softoken Glue Functions
*/
--- a/a/nss/lib/util/secport.h Tue May 28 23:37:46 2013 +0200
+++ a/a/nss/lib/util/secport.h Fri May 31 17:44:06 2013 -0700
@@ -210,6 +210,8 @@
extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
+#define NSS_STATIC
+#ifndef NSS_STATIC
/*
* Load a shared library called "newShLibName" in the same directory as
* a shared library that is already loaded, called existingShLibName.
@@ -244,6 +245,7 @@
PORT_LoadLibraryFromOrigin(const char* existingShLibName,
PRFuncPtr staticShLibFunc,
const char *newShLibName);
+#endif /* NSS_STATIC */
SEC_END_PROTOS