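diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c
index a86f8a0..eff77fc 100644
--- a/nss/lib/certhigh/certvfy.c
+++ b/nss/lib/certhigh/certvfy.c
@@ -12,9 +12,11 @@
 #include "certdb.h"
 #include "certi.h"
 #include "cryptohi.h"
+#ifndef NSS_DISABLE_LIBPKIX
 #include "pkix.h"
 /*#include "pkix_sample_modules.h" */
 #include "pkix_pl_cert.h"
+#endif /* NSS_DISABLE_LIBPKIX */
 
 #include "nsspki.h"
 #include "pkitm.h"
@@ -23,6 +25,47 @@
 #include "base.h"
 #include "keyhi.h"
 
+#ifdef NSS_DISABLE_LIBPKIX
+SECStatus
+cert_VerifyCertChainPkix(
+ CERTCertificate *cert,
+ PRBool checkSig,
+ SECCertUsage requiredUsage,
+ PRTime time,
+ void *wincx,
+ CERTVerifyLog *log,
+ PRBool *pSigerror,
+ PRBool *pRevoked)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+
+SECStatus
+CERT_SetUsePKIXForValidation(PRBool enable)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+
+PRBool
+CERT_GetUsePKIXForValidation()
+{
+ return PR_FALSE;
+}
+
+SECStatus CERT_PKIXVerifyCert(
+ CERTCertificate *cert,
+ SECCertificateUsage usages,
+ CERTValInParam *paramsIn,
+ CERTValOutParam *paramsOut,
+ void *wincx)
+{
+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+ return SECFailure;
+}
+#endif /* NSS_DISABLE_LIBPKIX */
+
 /*
 * Check the validity times of a certificate
 */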
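diff --git a/nss/lib/ckfw/nssck.api b/nss/lib/ckfw/nssck.api
index 55b4351..8364258 100644
--- a/nss/lib/ckfw/nssck.api
+++ b/nss/lib/ckfw/nssck.api
@@ -1752,7 +1752,7 @@ C_WaitForSlotEvent
 }
 #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
 
-static CK_RV CK_ENTRY
+CK_RV CK_ENTRY
 __ADJOIN(MODULE_NAME,C_GetFunctionList)
 (
 CK_FUNCTION_LIST_PTR_PTR ppFunctionList
@@ -1830,7 +1830,7 @@ __ADJOIN(MODULE_NAME,C_CancelFunction),
 __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
 };
 
-static CK_RV CK_ENTRY
+CK_RV CK_ENTRY
 __ADJOIN(MODULE_NAME,C_GetFunctionList)
 (
 CK_FUNCTION_LIST_PTR_PTR ppFunctionList
@@ -1840,6 +1840,7 @@ __ADJOIN(MODULE_NAME,C_GetFunctionList)
 return CKR_OK;
 }
 
+#ifndef NSS_STATIC
 /* This one is always present */
 CK_RV CK_ENTRY
 C_GetFunctionList
@@ -1849,6 +1850,7 @@ C_GetFunctionList
 {
 return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
 }
+#endif
 
 #undef __ADJOIN
 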
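Review bot: `static` is dropped from both `__ADJOIN(MODULE_NAME,C_GetFunctionList)` definitions unconditionally, so the module-named entry point gains external linkage in the shared-library build as well, although only the NSS_STATIC build needs to reach it from outside this translation unit; whether the linker's export map hides it again is not visible here. Guarding the storage class keeps the dynamic build's symbol surface unchanged: `#ifdef NSS_STATIC` / `CK_RV CK_ENTRY` / `#else` / `static CK_RV CK_ENTRY` / `#endif` at both sites. The `#endif` that closes `#ifndef NSS_STATIC` after `C_GetFunctionList` has no trailer, unlike the `#endif /* !NSS_STATIC */` form used in pk11load.c in this same commit.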
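diff --git a/nss/lib/freebl/rsa.c b/nss/lib/freebl/rsa.c
index 823d8de..48b557b 100644
--- a/nss/lib/freebl/rsa.c
+++ b/nss/lib/freebl/rsa.c
@@ -1532,6 +1532,13 @@ void BL_Cleanup(void)
 RSA_Cleanup();
 }
 
+#ifdef NSS_STATIC
+void
+BL_Unload(void)
+{
+}
+#endif
+
 PRBool bl_parentForkedAfterC_Initialize;
 
 /*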
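Review bot: The new `BL_Unload` body is empty with no comment, so a reader cannot tell whether cleanup was deliberately omitted or forgotten. A one-line comment inside the body, e.g. `/* freebl is linked in statically: there is no shared object to unload */`, documents the intent. Whether the dynamic build's `BL_Unload` performs any state reset that a static build would also need is outside this hunk and worth confirming before relying on the no-op.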
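diff --git a/nss/lib/freebl/shvfy.c b/nss/lib/freebl/shvfy.c
index ad64a26..33714b8 100644
--- a/nss/lib/freebl/shvfy.c
+++ b/nss/lib/freebl/shvfy.c
@@ -273,9 +273,21 @@ readItem(PRFileDesc *fd, SECItem *item)
 return SECSuccess;
 }
 
+/*
+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
+ * if you're using NSS as static libraries), but want to conform to the
+ * rest of the FIPS requirements.
+ */
+#ifdef NSS_STATIC
+#define PSEUDO_FIPS
+#endif
+
 PRBool
 BLAPI_SHVerify(const char *name, PRFuncPtr addr)
 {
+#ifdef PSEUDO_FIPS
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
+#else
 PRBool result = PR_FALSE; /* if anything goes wrong,
 * the signature does not verify */
 /* find our shared library name */
@@ -291,11 +303,15 @@ loser:
 }
 
 return result;
+#endif /* PSEUDO_FIPS */
 }
 
 PRBool
 BLAPI_SHVerifyFile(const char *shName)
 {
+#ifdef PSEUDO_FIPS
+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
+#else
 char *checkName = NULL;
 PRFileDesc *checkFD = NULL;
 PRFileDesc *shFD = NULL;
@@ -492,6 +508,7 @@ loser:
 }
 
 return result;
+#endif /* PSEUDO_FIPS */
 }
 
 PRBool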
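Review bot: `#ifdef NSS_STATIC` / `#define PSEUDO_FIPS` makes every static build report success from `BLAPI_SHVerify` and `BLAPI_SHVerifyFile` without running the software-integrity test, so the check is removed as a side effect of a link-mode choice rather than by an explicit decision of whoever produces the binary; the comment above it says "define PSEUDO_FIPS if", which suggests it was meant to be opt-in. Dropping the automatic definition and requiring the build to define PSEUDO_FIPS itself, or at least placing a `#warning` (where the compiler supports it) inside that block, keeps the downgrade visible. The callers that act on the result are affected too: in lgglue.c this commit still sets `legacy_glue_libCheckSucceeded = PR_TRUE` on a true return, so the static build records an integrity check as passed when none ran, which the comment at the `#define` should state. In the PSEUDO_FIPS branches `name`, `addr` and `shName` are unused; `(void)name; (void)addr;` before the early return avoids the warning.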
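diff --git a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
index 471f920..ecf58ce 100755
--- a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
+++ b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
@@ -201,7 +201,10 @@ certCallback(void *arg, SECItem **secitemCerts, int numcerts)
 
 typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
 CERTImportCertificateFunc f, void *arg);
-
+#ifdef NSS_STATIC
+extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
+ CERTImportCertificateFunc f, void* arg);
+#endif
 
 struct pkix_DecodeFuncStr {
 pkix_DecodeCertsFunc func; /* function pointer to the
@@ -223,6 +226,11 @@ static const PRCallOnceType pkix_pristine;
 */
 static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
 {
+#ifdef NSS_STATIC
+ pkix_decodeFunc.smimeLib = NULL;
+ pkix_decodeFunc.func = CERT_DecodeCertPackage;
+ return PR_SUCCESS;
+#else
 pkix_decodeFunc.smimeLib =
 PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
 if (pkix_decodeFunc.smimeLib == NULL) {
@@ -235,7 +243,7 @@ static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
 return PR_FAILURE;
 }
 return PR_SUCCESS;
-
+#endif
 }
 
 /*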
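Review bot: The `extern SECStatus CERT_DecodeCertPackage(...)` prototype inside `#ifdef NSS_STATIC` is a hand-written copy rather than an include of the header that declares the function; if the real signature ever changes, this copy diverges silently and calling through a mismatched prototype is undefined behaviour that no compiler diagnostic catches. Including the declaring header under the same `#ifdef` removes the duplicate. The same pattern appears in pk11load.c (`NSC_GetFunctionList`, `FC_GetFunctionList`, `NSC_ModuleDBFunc`, `builtinsC_GetFunctionList`). In the static branch of `pkix_getDecodeFunction` `smimeLib` is set to NULL; any later code that unconditionally passes `pkix_decodeFunc.smimeLib` to `PR_UnloadLibrary` is outside this hunk and would now receive NULL, so it is worth checking.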
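diff --git a/nss/lib/nss/nssinit.c b/nss/lib/nss/nssinit.c
index b73d447..7150cf5 100644
--- a/nss/lib/nss/nssinit.c
+++ b/nss/lib/nss/nssinit.c
@@ -20,9 +20,11 @@
 #include "secerr.h"
 #include "nssbase.h"
 #include "nssutil.h"
+#ifndef NSS_DISABLE_LIBPKIX
 #include "pkixt.h"
 #include "pkix.h"
 #include "pkix_tools.h"
+#endif /* NSS_DISABLE_LIBPKIX */
 
 #include "pki3hack.h"
 #include "certi.h"
@@ -526,8 +528,10 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
 PRBool dontFinalizeModules)
 {
 SECStatus rv = SECFailure;
+#ifndef NSS_DISABLE_LIBPKIX
 PKIX_UInt32 actualMinorVersion = 0;
 PKIX_Error *pkixError = NULL;
+#endif
 PRBool isReallyInitted;
 char *configStrings = NULL;
 char *configName = NULL;
@@ -684,6 +688,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
 pk11sdr_Init();
 cert_CreateSubjectKeyIDHashTable();
 
+#ifndef NSS_DISABLE_LIBPKIX
 pkixError = PKIX_Initialize
 (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
 PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
@@ -696,6 +701,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
 CERT_SetUsePKIXForValidation(PR_TRUE);
 }
 }
+#endif /* NSS_DISABLE_LIBPKIX */
 
 
 }
@@ -1080,7 +1086,9 @@ nss_Shutdown(void)
 cert_DestroyLocks();
 ShutdownCRLCache();
 OCSP_ShutdownGlobal();
+#ifndef NSS_DISABLE_LIBPKIX
 PKIX_Shutdown(plContext);
+#endif
 SECOID_Shutdown();
 status = STAN_Shutdown();
 cert_DestroySubjectKeyIDHashTable();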
252 cert_DestroyLocks(); | |
253 ShutdownCRLCache(); | |
254 OCSP_ShutdownGlobal(); | |
255 +#ifndef NSS_DISABLE_LIBPKIX | |
256 PKIX_Shutdown(plContext); | |
257 +#endif | |
258 SECOID_Shutdown(); | |
259 status = STAN_Shutdown(); | |
260 cert_DestroySubjectKeyIDHashTable(); | |
261 diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c | |
262 index 5c5d2ca..bfc4886 100644 | |
263 --- a/nss/lib/pk11wrap/pk11load.c | |
264 +++ b/nss/lib/pk11wrap/pk11load.c | |
265 @@ -341,6 +341,12 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod)
{ | |
266 } | |
267 } | |
268 | |
269 +#ifdef NSS_STATIC | |
270 +extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); | |
271 +extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); | |
272 +extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *a
rgs); | |
273 +extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); | |
274 +#else | |
275 static const char* my_shlib_name = | |
276 SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX; | |
277 static const char* softoken_shlib_name = | |
278 @@ -349,12 +355,14 @@ static const PRCallOnceType pristineCallOnce; | |
279 static PRCallOnceType loadSoftokenOnce; | |
280 static PRLibrary* softokenLib; | |
281 static PRInt32 softokenLoadCount; | |
282 +#endif /* NSS_STATIC */ | |
283 | |
284 #include "prio.h" | |
285 #include "prprf.h" | |
286 #include <stdio.h> | |
287 #include "prsystem.h" | |
288 | |
289 +#ifndef NSS_STATIC | |
290 /* This function must be run only once. */ | |
291 /* determine if hybrid platform, then actually load the DSO. */ | |
292 static PRStatus | |
293 @@ -371,6 +379,7 @@ softoken_LoadDSO( void ) | |
294 } | |
295 return PR_FAILURE; | |
296 } | |
297 +#endif /* !NSS_STATIC */ | |
298 | |
299 /* | |
300 * load a new module into our address space and initialize it. | |
301 @@ -389,6 +398,16 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **o
ldModule) { | |
302 | |
303 /* intenal modules get loaded from their internal list */ | |
304 if (mod->internal && (mod->dllName == NULL)) { | |
305 +#ifdef NSS_STATIC | |
306 + if (mod->isFIPS) { | |
307 + entry = FC_GetFunctionList; | |
308 + } else { | |
309 + entry = NSC_GetFunctionList; | |
310 + } | |
311 + if (mod->isModuleDB) { | |
312 + mod->moduleDBFunc = NSC_ModuleDBFunc; | |
313 + } | |
314 +#else | |
315 /* | |
316 * Loads softoken as a dynamic library, | |
317 * even though the rest of NSS assumes this as the "internal" module. | |
318 @@ -414,6 +433,7 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **ol
dModule) { | |
319 mod->moduleDBFunc = (CK_C_GetFunctionList) | |
320 PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); | |
321 } | |
322 +#endif | |
323 | |
324 if (mod->moduleDBOnly) { | |
325 mod->loaded = PR_TRUE; | |
326 @@ -424,6 +444,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **o
ldModule) { | |
327 if (mod->dllName == NULL) { | |
328 return SECFailure; | |
329 } | |
330 +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) | |
331 + if (strstr(mod->dllName, "nssckbi") != NULL) { | |
332 + mod->library = NULL; | |
333 + PORT_Assert(!mod->moduleDBOnly); | |
334 + entry = builtinsC_GetFunctionList; | |
335 + PORT_Assert(!mod->isModuleDB); | |
336 + goto library_loaded; | |
337 + } | |
338 +#endif | |
339 | |
340 /* load the library. If this succeeds, then we have to remember to | |
341 * unload the library if anything goes wrong from here on out... | |
342 @@ -446,6 +475,9 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **ol
dModule) { | |
343 mod->moduleDBFunc = (void *) | |
344 PR_FindSymbol(library, "NSS_ReturnModuleSpecData"); | |
345 } | |
346 +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) | |
347 +library_loaded: | |
348 +#endif | |
349 if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE; | |
350 if (entry == NULL) { | |
351 if (mod->isModuleDB) { | |
352 @@ -585,6 +617,7 @@ SECMOD_UnloadModule(SECMODModule *mod) { | |
353 * if not, we should change this to SECFailure and move it above the | |
354 * mod->loaded = PR_FALSE; */ | |
355 if (mod->internal && (mod->dllName == NULL)) { | |
356 +#ifndef NSS_STATIC | |
357 if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) { | |
358 if (softokenLib) { | |
359 disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); | |
360 @@ -600,12 +633,18 @@ SECMOD_UnloadModule(SECMODModule *mod) { | |
361 } | |
362 loadSoftokenOnce = pristineCallOnce; | |
363 } | |
364 +#endif | |
365 return SECSuccess; | |
366 } | |
367 | |
368 library = (PRLibrary *)mod->library; | |
369 /* paranoia */ | |
370 if (library == NULL) { | |
371 +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) | |
372 + if (strstr(mod->dllName, "nssckbi") != NULL) { | |
373 + return SECSuccess; | |
374 + } | |
375 +#endif | |
376 return SECFailure; | |
377 } | |
378 | |
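Review bot: `strstr(mod->dllName, "nssckbi") != NULL` in `secmod_LoadPKCS11Module` matches any configured module whose library path contains that substring anywhere, so a different module installed under a directory with such a name would silently be replaced by the statically linked builtins instead of being loaded; comparing the path's basename against the exact library name is the tighter test. The two `PORT_Assert` calls only fire in debug builds, so in a release build a `moduleDBOnly` or `isModuleDB` module that matches still jumps to `library_loaded` with `mod->library == NULL`; returning `SECFailure` (with an error code set) in those cases would make the precondition enforced rather than assumed. In `SECMOD_UnloadModule` the same `strstr` runs on `mod->dllName` after only the `mod->internal && dllName == NULL` case has returned; whether a non-internal module can reach it with a NULL `dllName` is not visible in the hunk, so `mod->dllName != NULL &&` in front of the call is cheap insurance. Both functions start and end outside the hunks shown.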
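diff --git a/nss/lib/softoken/lgglue.c b/nss/lib/softoken/lgglue.c
index 653501c..155991b 100644
--- a/nss/lib/softoken/lgglue.c
+++ b/nss/lib/softoken/lgglue.c
@@ -23,6 +23,7 @@ static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL;
 static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
 static LGShutdownFunc legacy_glue_shutdown = NULL;
 
+#ifndef NSS_STATIC
 /*
 * The following 3 functions duplicate the work done by bl_LoadLibrary.
 * We should make bl_LoadLibrary a global and replace the call to
@@ -160,6 +161,7 @@ done:
 
 return lib;
 }
+#endif /* STATIC LIBRARIES */
 
 /*
 * stub files for legacy db's to be able to encrypt and decrypt
@@ -272,6 +274,21 @@ sftkdbLoad_Legacy(PRBool isFIPS)
 return SECSuccess;
 }
 
+#ifdef NSS_STATIC
+#ifdef NSS_DISABLE_DBM
+ return SECFailure;
+#else
+ lib = (PRLibrary *) 0x8;
+
+ legacy_glue_open = legacy_Open;
+ legacy_glue_readSecmod = legacy_ReadSecmodDB;
+ legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
+ legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
+ legacy_glue_addSecmod = legacy_AddSecmodDB;
+ legacy_glue_shutdown = legacy_Shutdown;
+ setCryptFunction = legacy_SetCryptFunctions;
+#endif
+#else
 lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
 if (lib == NULL) {
 return SECFailure;
@@ -297,11 +314,14 @@ sftkdbLoad_Legacy(PRBool isFIPS)
 PR_UnloadLibrary(lib);
 return SECFailure;
 }
+#endif /* NSS_STATIC */
 
 /* verify the loaded library if we are in FIPS mode */
 if (isFIPS) {
 if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
+#ifndef NSS_STATIC
 PR_UnloadLibrary(lib);
+#endif
 return SECFailure;
 }
 legacy_glue_libCheckSucceeded = PR_TRUE;
@@ -418,10 +438,12 @@ sftkdbCall_Shutdown(void)
 #endif
 crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
 }
+#ifndef NSS_STATIC
 disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
 if (!disableUnload) {
 PR_UnloadLibrary(legacy_glue_lib);
 }
+#endif
 legacy_glue_lib = NULL;
 legacy_glue_open = NULL;
 legacy_glue_readSecmod = NULL;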
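Review bot: `lib = (PRLibrary *) 0x8;` in `sftkdbLoad_Legacy` installs a fabricated, non-dereferenceable pointer so that later non-NULL checks treat the legacy DB as loaded, but nothing at the assignment says so; any path this commit did not guard that stores it in `legacy_glue_lib` and hands it to `PR_UnloadLibrary` or a PRLibrary accessor becomes a wild-pointer crash. At minimum the line needs a comment, e.g. `/* static build: no real PRLibrary; non-NULL marker only, never dereferenced or unloaded */`, and a named constant would make every remaining use greppable. The `#ifdef NSS_DISABLE_DBM` branch returns `SECFailure` without setting an error code, so callers cannot distinguish "DBM compiled out" from a load failure. The trailer `#endif /* STATIC LIBRARIES */` after `sftkdb_LoadLibrary` does not name the macro `NSS_STATIC` like the other `#endif` trailers in this commit. `sftkdbLoad_Legacy` and `sftkdbCall_Shutdown` both start and end outside the hunks shown.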
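diff --git a/nss/lib/softoken/lgglue.h b/nss/lib/softoken/lgglue.h
index b87f756..c8c562f 100644
--- a/nss/lib/softoken/lgglue.h
+++ b/nss/lib/softoken/lgglue.h
@@ -38,6 +38,25 @@ typedef SECStatus (*LGShutdownFunc)(PRBool forked);
 typedef void (*LGSetForkStateFunc)(PRBool);
 typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
 
+extern CK_RV legacy_Open(const char *dir, const char *certPrefix,
+ const char *keyPrefix,
+ int certVersion, int keyVersion, int flags,
+ SDB **certDB, SDB **keyDB);
+extern char ** legacy_ReadSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
+ const char *filename,
+ const char *dbname, char **params, PRBool rw);
+extern SECStatus legacy_DeleteSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_AddSecmodDB(const char *appName,
+ const char *filename,
+ const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_Shutdown(PRBool forked);
+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
+
 /*
 * Softoken Glue Functions
 */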
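diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h
index 7d2f5e0..95c73c8 100644
--- a/nss/lib/util/secport.h
+++ b/nss/lib/util/secport.h
@@ -223,6 +223,7 @@ extern int NSS_PutEnv(const char * envVarName, const char * envValue);
 
 extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
 
+#ifndef NSS_STATIC
 /*
 * Load a shared library called "newShLibName" in the same directory as
 * a shared library that is already loaded, called existingShLibName.
@@ -257,6 +258,7 @@ PRLibrary *
 PORT_LoadLibraryFromOrigin(const char* existingShLibName,
 PRFuncPtr staticShLibFunc,
 const char *newShLibName);
+#endif /* NSS_STATIC */
 
 SEC_END_PROTOS
 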
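Review bot: The trailer on the new `#endif /* NSS_STATIC */` after `PORT_LoadLibraryFromOrigin` names the opposite condition from the `#ifndef NSS_STATIC` it closes; pk11load.c in this same commit uses `#endif /* !NSS_STATIC */` for the same construct, and matching that here avoids misreading the guard's sense: `#endif /* !NSS_STATIC */`. Removing the declaration in static builds means any remaining caller of `PORT_LoadLibraryFromOrigin` under NSS_STATIC would fail to compile rather than link, which is the safer failure; whether such callers exist is not visible here.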