d308eda13d
Change-Id: Ica2cf641bc54f6e924b759cd4cf96dd96347c53b
487 lines
13 KiB
Diff
487 lines
13 KiB
Diff
Based on http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/patches/nss-static.patch
|
|
|
|
--- a/a/nss/lib/certhigh/certvfy.c Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/certhigh/certvfy.c Fri May 31 17:44:06 2013 -0700
|
|
@@ -13,9 +13,11 @@
|
|
#include "certdb.h"
|
|
#include "certi.h"
|
|
#include "cryptohi.h"
|
|
+#ifndef NSS_DISABLE_LIBPKIX
|
|
#include "pkix.h"
|
|
/*#include "pkix_sample_modules.h" */
|
|
#include "pkix_pl_cert.h"
|
|
+#endif /* NSS_DISABLE_LIBPKIX */
|
|
|
|
|
|
#include "nsspki.h"
|
|
@@ -24,6 +26,47 @@
|
|
#include "pki3hack.h"
|
|
#include "base.h"
|
|
|
|
+#ifdef NSS_DISABLE_LIBPKIX
|
|
+SECStatus
|
|
+cert_VerifyCertChainPkix(
|
|
+ CERTCertificate *cert,
|
|
+ PRBool checkSig,
|
|
+ SECCertUsage requiredUsage,
|
|
+ PRTime time,
|
|
+ void *wincx,
|
|
+ CERTVerifyLog *log,
|
|
+ PRBool *pSigerror,
|
|
+ PRBool *pRevoked)
|
|
+{
|
|
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
|
+ return SECFailure;
|
|
+}
|
|
+
|
|
+SECStatus
|
|
+CERT_SetUsePKIXForValidation(PRBool enable)
|
|
+{
|
|
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
|
+ return SECFailure;
|
|
+}
|
|
+
|
|
+PRBool
|
|
+CERT_GetUsePKIXForValidation()
|
|
+{
|
|
+ return PR_FALSE;
|
|
+}
|
|
+
|
|
+SECStatus CERT_PKIXVerifyCert(
|
|
+ CERTCertificate *cert,
|
|
+ SECCertificateUsage usages,
|
|
+ CERTValInParam *paramsIn,
|
|
+ CERTValOutParam *paramsOut,
|
|
+ void *wincx)
|
|
+{
|
|
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
|
|
+ return SECFailure;
|
|
+}
|
|
+#endif /* NSS_DISABLE_LIBPKIX */
|
|
+
|
|
/*
|
|
* Check the validity times of a certificate
|
|
*/
|
|
--- a/a/nss/lib/ckfw/nssck.api Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/ckfw/nssck.api Fri May 31 17:44:06 2013 -0700
|
|
@@ -1752,7 +1752,7 @@
|
|
}
|
|
#endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
|
|
|
|
-static CK_RV CK_ENTRY
|
|
+CK_RV CK_ENTRY
|
|
__ADJOIN(MODULE_NAME,C_GetFunctionList)
|
|
(
|
|
CK_FUNCTION_LIST_PTR_PTR ppFunctionList
|
|
@@ -1830,7 +1830,7 @@
|
|
__ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
|
|
};
|
|
|
|
-static CK_RV CK_ENTRY
|
|
+CK_RV CK_ENTRY
|
|
__ADJOIN(MODULE_NAME,C_GetFunctionList)
|
|
(
|
|
CK_FUNCTION_LIST_PTR_PTR ppFunctionList
|
|
@@ -1840,6 +1840,8 @@
|
|
return CKR_OK;
|
|
}
|
|
|
|
+#define NSS_STATIC
|
|
+#ifndef NSS_STATIC
|
|
/* This one is always present */
|
|
CK_RV CK_ENTRY
|
|
C_GetFunctionList
|
|
@@ -1849,6 +1850,7 @@
|
|
{
|
|
return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
|
|
}
|
|
+#endif
|
|
|
|
#undef __ADJOIN
|
|
|
|
--- a/a/nss/lib/freebl/rsa.c Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/freebl/rsa.c Fri May 31 17:44:06 2013 -0700
|
|
@@ -1559,6 +1559,14 @@
|
|
RSA_Cleanup();
|
|
}
|
|
|
|
+#define NSS_STATIC
|
|
+#ifdef NSS_STATIC
|
|
+void
|
|
+BL_Unload(void)
|
|
+{
|
|
+}
|
|
+#endif
|
|
+
|
|
PRBool bl_parentForkedAfterC_Initialize;
|
|
|
|
/*
|
|
--- a/a/nss/lib/freebl/shvfy.c Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/freebl/shvfy.c Fri May 31 17:44:06 2013 -0700
|
|
@@ -273,9 +273,22 @@
|
|
return SECSuccess;
|
|
}
|
|
|
|
+/*
|
|
+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
|
|
+ * if you're using NSS as static libraries), but want to conform to the
|
|
+ * rest of the FIPS requirements.
|
|
+ */
|
|
+#define NSS_STATIC
|
|
+#ifdef NSS_STATIC
|
|
+#define PSEUDO_FIPS
|
|
+#endif
|
|
+
|
|
PRBool
|
|
BLAPI_SHVerify(const char *name, PRFuncPtr addr)
|
|
{
|
|
+#ifdef PSEUDO_FIPS
|
|
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
|
|
+#else
|
|
PRBool result = PR_FALSE; /* if anything goes wrong,
|
|
* the signature does not verify */
|
|
/* find our shared library name */
|
|
@@ -291,11 +303,15 @@
|
|
}
|
|
|
|
return result;
|
|
+#endif /* PSEUDO_FIPS */
|
|
}
|
|
|
|
PRBool
|
|
BLAPI_SHVerifyFile(const char *shName)
|
|
{
|
|
+#ifdef PSEUDO_FIPS
|
|
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
|
|
+#else
|
|
char *checkName = NULL;
|
|
PRFileDesc *checkFD = NULL;
|
|
PRFileDesc *shFD = NULL;
|
|
@@ -492,6 +508,7 @@
|
|
}
|
|
|
|
return result;
|
|
+#endif /* PSEUDO_FIPS */
|
|
}
|
|
|
|
PRBool
|
|
--- a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Fri May 31 17:44:06 2013 -0700
|
|
@@ -201,7 +201,11 @@
|
|
|
|
typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
|
|
CERTImportCertificateFunc f, void *arg);
|
|
-
|
|
+#define NSS_STATIC
|
|
+#ifdef NSS_STATIC
|
|
+extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
|
|
+ CERTImportCertificateFunc f, void* arg);
|
|
+#endif
|
|
|
|
struct pkix_DecodeFuncStr {
|
|
pkix_DecodeCertsFunc func; /* function pointer to the
|
|
@@ -223,6 +226,11 @@
|
|
*/
|
|
static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
|
|
{
|
|
+#ifdef NSS_STATIC
|
|
+ pkix_decodeFunc.smimeLib = NULL;
|
|
+ pkix_decodeFunc.func = CERT_DecodeCertPackage;
|
|
+ return PR_SUCCESS;
|
|
+#else
|
|
pkix_decodeFunc.smimeLib =
|
|
PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
|
|
if (pkix_decodeFunc.smimeLib == NULL) {
|
|
@@ -235,7 +243,7 @@
|
|
return PR_FAILURE;
|
|
}
|
|
return PR_SUCCESS;
|
|
-
|
|
+#endif
|
|
}
|
|
|
|
/*
|
|
--- a/a/nss/lib/nss/nssinit.c Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/nss/nssinit.c Fri May 31 17:44:06 2013 -0700
|
|
@@ -20,9 +20,11 @@
|
|
#include "secerr.h"
|
|
#include "nssbase.h"
|
|
#include "nssutil.h"
|
|
+#ifndef NSS_DISABLE_LIBPKIX
|
|
#include "pkixt.h"
|
|
#include "pkix.h"
|
|
#include "pkix_tools.h"
|
|
+#endif /* NSS_DISABLE_LIBPKIX */
|
|
|
|
#include "pki3hack.h"
|
|
#include "certi.h"
|
|
@@ -530,8 +532,10 @@
|
|
PRBool dontFinalizeModules)
|
|
{
|
|
SECStatus rv = SECFailure;
|
|
+#ifndef NSS_DISABLE_LIBPKIX
|
|
PKIX_UInt32 actualMinorVersion = 0;
|
|
PKIX_Error *pkixError = NULL;
|
|
+#endif
|
|
PRBool isReallyInitted;
|
|
char *configStrings = NULL;
|
|
char *configName = NULL;
|
|
@@ -685,6 +689,7 @@
|
|
pk11sdr_Init();
|
|
cert_CreateSubjectKeyIDHashTable();
|
|
|
|
+#ifndef NSS_DISABLE_LIBPKIX
|
|
pkixError = PKIX_Initialize
|
|
(PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
|
|
PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
|
|
@@ -697,6 +702,7 @@
|
|
CERT_SetUsePKIXForValidation(PR_TRUE);
|
|
}
|
|
}
|
|
+#endif /* NSS_DISABLE_LIBPKIX */
|
|
|
|
|
|
}
|
|
@@ -1081,7 +1087,9 @@
|
|
cert_DestroyLocks();
|
|
ShutdownCRLCache();
|
|
OCSP_ShutdownGlobal();
|
|
+#ifndef NSS_DISABLE_LIBPKIX
|
|
PKIX_Shutdown(plContext);
|
|
+#endif
|
|
SECOID_Shutdown();
|
|
status = STAN_Shutdown();
|
|
cert_DestroySubjectKeyIDHashTable();
|
|
--- a/a/nss/lib/pk11wrap/pk11load.c Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/pk11wrap/pk11load.c Fri May 31 17:44:06 2013 -0700
|
|
@@ -318,6 +318,13 @@
|
|
}
|
|
}
|
|
|
|
+#define NSS_STATIC
|
|
+#ifdef NSS_STATIC
|
|
+extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
|
|
+extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
|
|
+extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
|
|
+extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
|
|
+#else
|
|
static const char* my_shlib_name =
|
|
SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
|
|
static const char* softoken_shlib_name =
|
|
@@ -326,12 +332,14 @@
|
|
static PRCallOnceType loadSoftokenOnce;
|
|
static PRLibrary* softokenLib;
|
|
static PRInt32 softokenLoadCount;
|
|
+#endif /* NSS_STATIC */
|
|
|
|
#include "prio.h"
|
|
#include "prprf.h"
|
|
#include <stdio.h>
|
|
#include "prsystem.h"
|
|
|
|
+#ifndef NSS_STATIC
|
|
/* This function must be run only once. */
|
|
/* determine if hybrid platform, then actually load the DSO. */
|
|
static PRStatus
|
|
@@ -348,6 +356,7 @@
|
|
}
|
|
return PR_FAILURE;
|
|
}
|
|
+#endif /* !NSS_STATIC */
|
|
|
|
/*
|
|
* load a new module into our address space and initialize it.
|
|
@@ -366,6 +375,16 @@
|
|
|
|
/* intenal modules get loaded from their internal list */
|
|
if (mod->internal && (mod->dllName == NULL)) {
|
|
+#ifdef NSS_STATIC
|
|
+ if (mod->isFIPS) {
|
|
+ entry = FC_GetFunctionList;
|
|
+ } else {
|
|
+ entry = NSC_GetFunctionList;
|
|
+ }
|
|
+ if (mod->isModuleDB) {
|
|
+ mod->moduleDBFunc = NSC_ModuleDBFunc;
|
|
+ }
|
|
+#else
|
|
/*
|
|
* Loads softoken as a dynamic library,
|
|
* even though the rest of NSS assumes this as the "internal" module.
|
|
@@ -391,6 +410,7 @@
|
|
mod->moduleDBFunc = (CK_C_GetFunctionList)
|
|
PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
|
|
}
|
|
+#endif
|
|
|
|
if (mod->moduleDBOnly) {
|
|
mod->loaded = PR_TRUE;
|
|
@@ -401,6 +421,15 @@
|
|
if (mod->dllName == NULL) {
|
|
return SECFailure;
|
|
}
|
|
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
|
|
+ if (strstr(mod->dllName, "nssckbi") != NULL) {
|
|
+ mod->library = NULL;
|
|
+ PORT_Assert(!mod->moduleDBOnly);
|
|
+ entry = builtinsC_GetFunctionList;
|
|
+ PORT_Assert(!mod->isModuleDB);
|
|
+ goto library_loaded;
|
|
+ }
|
|
+#endif
|
|
|
|
/* load the library. If this succeeds, then we have to remember to
|
|
* unload the library if anything goes wrong from here on out...
|
|
@@ -423,6 +452,9 @@
|
|
mod->moduleDBFunc = (void *)
|
|
PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
|
|
}
|
|
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
|
|
+library_loaded:
|
|
+#endif
|
|
if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
|
|
if (entry == NULL) {
|
|
if (mod->isModuleDB) {
|
|
@@ -562,6 +594,7 @@
|
|
* if not, we should change this to SECFailure and move it above the
|
|
* mod->loaded = PR_FALSE; */
|
|
if (mod->internal && (mod->dllName == NULL)) {
|
|
+#ifndef NSS_STATIC
|
|
if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
|
|
if (softokenLib) {
|
|
disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
|
|
@@ -573,12 +606,18 @@
|
|
}
|
|
loadSoftokenOnce = pristineCallOnce;
|
|
}
|
|
+#endif
|
|
return SECSuccess;
|
|
}
|
|
|
|
library = (PRLibrary *)mod->library;
|
|
/* paranoia */
|
|
if (library == NULL) {
|
|
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
|
|
+ if (strstr(mod->dllName, "nssckbi") != NULL) {
|
|
+ return SECSuccess;
|
|
+ }
|
|
+#endif
|
|
return SECFailure;
|
|
}
|
|
|
|
--- a/a/nss/lib/softoken/lgglue.c Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/softoken/lgglue.c Fri May 31 17:44:06 2013 -0700
|
|
@@ -23,6 +23,8 @@
|
|
static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
|
|
static LGShutdownFunc legacy_glue_shutdown = NULL;
|
|
|
|
+#define NSS_STATIC
|
|
+#ifndef NSS_STATIC
|
|
/*
|
|
* The following 3 functions duplicate the work done by bl_LoadLibrary.
|
|
* We should make bl_LoadLibrary a global and replace the call to
|
|
@@ -160,6 +161,7 @@
|
|
|
|
return lib;
|
|
}
|
|
+#endif /* STATIC LIBRARIES */
|
|
|
|
/*
|
|
* stub files for legacy db's to be able to encrypt and decrypt
|
|
@@ -272,6 +274,21 @@
|
|
return SECSuccess;
|
|
}
|
|
|
|
+#ifdef NSS_STATIC
|
|
+#ifdef NSS_DISABLE_DBM
|
|
+ return SECFailure;
|
|
+#else
|
|
+ lib = (PRLibrary *) 0x8;
|
|
+
|
|
+ legacy_glue_open = legacy_Open;
|
|
+ legacy_glue_readSecmod = legacy_ReadSecmodDB;
|
|
+ legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
|
|
+ legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
|
|
+ legacy_glue_addSecmod = legacy_AddSecmodDB;
|
|
+ legacy_glue_shutdown = legacy_Shutdown;
|
|
+ setCryptFunction = legacy_SetCryptFunctions;
|
|
+#endif
|
|
+#else
|
|
lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
|
|
if (lib == NULL) {
|
|
return SECFailure;
|
|
@@ -297,11 +314,14 @@
|
|
PR_UnloadLibrary(lib);
|
|
return SECFailure;
|
|
}
|
|
+#endif /* NSS_STATIC */
|
|
|
|
/* verify the loaded library if we are in FIPS mode */
|
|
if (isFIPS) {
|
|
if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
|
|
+#ifndef NSS_STATIC
|
|
PR_UnloadLibrary(lib);
|
|
+#endif
|
|
return SECFailure;
|
|
}
|
|
legacy_glue_libCheckSucceeded = PR_TRUE;
|
|
@@ -418,10 +438,12 @@
|
|
#endif
|
|
crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
|
|
}
|
|
+#ifndef NSS_STATIC
|
|
disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
|
|
if (!disableUnload) {
|
|
PR_UnloadLibrary(legacy_glue_lib);
|
|
}
|
|
+#endif
|
|
legacy_glue_lib = NULL;
|
|
legacy_glue_open = NULL;
|
|
legacy_glue_readSecmod = NULL;
|
|
--- a/a/nss/lib/softoken/lgglue.h Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/softoken/lgglue.h Fri May 31 17:44:06 2013 -0700
|
|
@@ -38,6 +38,25 @@
|
|
typedef void (*LGSetForkStateFunc)(PRBool);
|
|
typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
|
|
|
|
+extern CK_RV legacy_Open(const char *dir, const char *certPrefix,
|
|
+ const char *keyPrefix,
|
|
+ int certVersion, int keyVersion, int flags,
|
|
+ SDB **certDB, SDB **keyDB);
|
|
+extern char ** legacy_ReadSecmodDB(const char *appName,
|
|
+ const char *filename,
|
|
+ const char *dbname, char *params, PRBool rw);
|
|
+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
|
|
+ const char *filename,
|
|
+ const char *dbname, char **params, PRBool rw);
|
|
+extern SECStatus legacy_DeleteSecmodDB(const char *appName,
|
|
+ const char *filename,
|
|
+ const char *dbname, char *params, PRBool rw);
|
|
+extern SECStatus legacy_AddSecmodDB(const char *appName,
|
|
+ const char *filename,
|
|
+ const char *dbname, char *params, PRBool rw);
|
|
+extern SECStatus legacy_Shutdown(PRBool forked);
|
|
+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
|
|
+
|
|
/*
|
|
* Softoken Glue Functions
|
|
*/
|
|
--- a/a/nss/lib/util/secport.h Tue May 28 23:37:46 2013 +0200
|
|
+++ a/a/nss/lib/util/secport.h Fri May 31 17:44:06 2013 -0700
|
|
@@ -210,6 +210,8 @@
|
|
|
|
extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
|
|
|
|
+#define NSS_STATIC
|
|
+#ifndef NSS_STATIC
|
|
/*
|
|
* Load a shared library called "newShLibName" in the same directory as
|
|
* a shared library that is already loaded, called existingShLibName.
|
|
@@ -244,6 +245,7 @@
|
|
PORT_LoadLibraryFromOrigin(const char* existingShLibName,
|
|
PRFuncPtr staticShLibFunc,
|
|
const char *newShLibName);
|
|
+#endif /* NSS_STATIC */
|
|
|
|
SEC_END_PROTOS
|
|
|