Delete bundled copy of NSS and replace with README.

patches/nss-static.patch

Index: patches/nss-static.patch
diff --git a/patches/nss-static.patch b/patches/nss-static.patch
deleted file mode 100644
index b897b6e4a21c48dfbc2e586d38534793a3d0213e..0000000000000000000000000000000000000000
--- a/patches/nss-static.patch
+++ /dev/null
@@ -1,498 +0,0 @@
-diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c
-index a86f8a0..eff77fc 100644
---- a/nss/lib/certhigh/certvfy.c
-+++ b/nss/lib/certhigh/certvfy.c
-@@ -12,9 +12,11 @@
- #include "certdb.h"
- #include "certi.h"
- #include "cryptohi.h"
-+#ifndef NSS_DISABLE_LIBPKIX
- #include "pkix.h"
- /*#include "pkix_sample_modules.h" */
- #include "pkix_pl_cert.h"
-+#endif  /* NSS_DISABLE_LIBPKIX */
- 
- #include "nsspki.h"
- #include "pkitm.h"
-@@ -23,6 +25,47 @@
- #include "base.h"
- #include "keyhi.h"
- 
-+#ifdef NSS_DISABLE_LIBPKIX
-+SECStatus
-+cert_VerifyCertChainPkix(
-+    CERTCertificate *cert,
-+    PRBool           checkSig,
-+    SECCertUsage     requiredUsage,
-+    PRTime           time,
-+    void            *wincx,
-+    CERTVerifyLog   *log,
-+    PRBool          *pSigerror,
-+    PRBool          *pRevoked)
-+{
-+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-+    return SECFailure;
-+}
-+
-+SECStatus
-+CERT_SetUsePKIXForValidation(PRBool enable)
-+{
-+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-+    return SECFailure;
-+}
-+
-+PRBool
-+CERT_GetUsePKIXForValidation()
-+{
-+    return PR_FALSE;
-+}
-+
-+SECStatus CERT_PKIXVerifyCert(
-+    CERTCertificate *cert,
-+    SECCertificateUsage usages,
-+    CERTValInParam *paramsIn,
-+    CERTValOutParam *paramsOut,
-+    void *wincx)
-+{
-+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-+    return SECFailure;
-+}
-+#endif  /* NSS_DISABLE_LIBPKIX */
-+
- /*
-  * Check the validity times of a certificate
-  */
-diff --git a/nss/lib/ckfw/nssck.api b/nss/lib/ckfw/nssck.api
-index 55b4351..8364258 100644
---- a/nss/lib/ckfw/nssck.api
-+++ b/nss/lib/ckfw/nssck.api
-@@ -1752,7 +1752,7 @@ C_WaitForSlotEvent
- }
- #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
- 
--static CK_RV CK_ENTRY
-+CK_RV CK_ENTRY
- __ADJOIN(MODULE_NAME,C_GetFunctionList)
- (
-   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-@@ -1830,7 +1830,7 @@ __ADJOIN(MODULE_NAME,C_CancelFunction),
- __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
- };
- 
--static CK_RV CK_ENTRY
-+CK_RV CK_ENTRY
- __ADJOIN(MODULE_NAME,C_GetFunctionList)
- (
-   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-@@ -1840,6 +1840,7 @@ __ADJOIN(MODULE_NAME,C_GetFunctionList)
-   return CKR_OK;
- }
- 
-+#ifndef NSS_STATIC
- /* This one is always present */
- CK_RV CK_ENTRY
- C_GetFunctionList
-@@ -1849,6 +1850,7 @@ C_GetFunctionList
- {
-   return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
- }
-+#endif
- 
- #undef __ADJOIN
- 
-diff --git a/nss/lib/freebl/rsa.c b/nss/lib/freebl/rsa.c
-index 823d8de..48b557b 100644
---- a/nss/lib/freebl/rsa.c
-+++ b/nss/lib/freebl/rsa.c
-@@ -1532,6 +1532,13 @@ void BL_Cleanup(void)
-     RSA_Cleanup();
- }
- 
-+#ifdef NSS_STATIC
-+void
-+BL_Unload(void)
-+{
-+}
-+#endif
-+
- PRBool bl_parentForkedAfterC_Initialize;
- 
- /*
-diff --git a/nss/lib/freebl/shvfy.c b/nss/lib/freebl/shvfy.c
-index ad64a26..33714b8 100644
---- a/nss/lib/freebl/shvfy.c
-+++ b/nss/lib/freebl/shvfy.c
-@@ -273,9 +273,21 @@ readItem(PRFileDesc *fd, SECItem *item)
-     return SECSuccess;
- }
- 
-+/*
-+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
-+ * if you're using NSS as static libraries), but want to conform to the
-+ * rest of the FIPS requirements.
-+ */
-+#ifdef NSS_STATIC
-+#define PSEUDO_FIPS
-+#endif
-+
- PRBool
- BLAPI_SHVerify(const char *name, PRFuncPtr addr)
- {
-+#ifdef PSEUDO_FIPS
-+    return PR_TRUE;  /* a lie, hence *pseudo* FIPS */
-+#else
-     PRBool result = PR_FALSE; /* if anything goes wrong,
- 			       * the signature does not verify */
-     /* find our shared library name */
-@@ -291,11 +303,15 @@ loser:
-     }
- 
-     return result;
-+#endif  /* PSEUDO_FIPS */
- }
- 
- PRBool
- BLAPI_SHVerifyFile(const char *shName)
- {
-+#ifdef PSEUDO_FIPS
-+    return PR_TRUE;  /* a lie, hence *pseudo* FIPS */
-+#else
-     char *checkName = NULL;
-     PRFileDesc *checkFD = NULL;
-     PRFileDesc *shFD = NULL;
-@@ -492,6 +508,7 @@ loser:
-     }
- 
-     return result;
-+#endif  /* PSEUDO_FIPS */
- }
- 
- PRBool
-diff --git a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
-index 471f920..ecf58ce 100755
---- a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
-+++ b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
-@@ -201,7 +201,10 @@ certCallback(void *arg, SECItem **secitemCerts, int numcerts)
- 
- typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
-                                           CERTImportCertificateFunc f, void *arg);
--
-+#ifdef NSS_STATIC
-+extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
-+                                        CERTImportCertificateFunc f, void* arg);
-+#endif
- 
- struct pkix_DecodeFuncStr {
-     pkix_DecodeCertsFunc func;          /* function pointer to the 
-@@ -223,6 +226,11 @@ static const PRCallOnceType pkix_pristine;
-  */
- static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
- {
-+#ifdef NSS_STATIC
-+    pkix_decodeFunc.smimeLib = NULL;
-+    pkix_decodeFunc.func = CERT_DecodeCertPackage;
-+    return PR_SUCCESS;
-+#else
-     pkix_decodeFunc.smimeLib = 
- 		PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
-     if (pkix_decodeFunc.smimeLib == NULL) {
-@@ -235,7 +243,7 @@ static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
- 	return PR_FAILURE;
-     }
-     return PR_SUCCESS;
--
-+#endif
- }
- 
- /*
-diff --git a/nss/lib/nss/nssinit.c b/nss/lib/nss/nssinit.c
-index b73d447..7150cf5 100644
---- a/nss/lib/nss/nssinit.c
-+++ b/nss/lib/nss/nssinit.c
-@@ -20,9 +20,11 @@
- #include "secerr.h"
- #include "nssbase.h"
- #include "nssutil.h"
-+#ifndef NSS_DISABLE_LIBPKIX
- #include "pkixt.h"
- #include "pkix.h"
- #include "pkix_tools.h"
-+#endif  /* NSS_DISABLE_LIBPKIX */
- 
- #include "pki3hack.h"
- #include "certi.h"
-@@ -526,8 +528,10 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
- 		 PRBool dontFinalizeModules)
- {
-     SECStatus rv = SECFailure;
-+#ifndef NSS_DISABLE_LIBPKIX
-     PKIX_UInt32 actualMinorVersion = 0;
-     PKIX_Error *pkixError = NULL;
-+#endif
-     PRBool isReallyInitted;
-     char *configStrings = NULL;
-     char *configName = NULL;
-@@ -684,6 +688,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
- 	pk11sdr_Init();
- 	cert_CreateSubjectKeyIDHashTable();
- 
-+#ifndef NSS_DISABLE_LIBPKIX
- 	pkixError = PKIX_Initialize
- 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
- 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
-@@ -696,6 +701,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
-                 CERT_SetUsePKIXForValidation(PR_TRUE);
-             }
-         }
-+#endif  /* NSS_DISABLE_LIBPKIX */
- 
- 
-     }
-@@ -1080,7 +1086,9 @@ nss_Shutdown(void)
-     cert_DestroyLocks();
-     ShutdownCRLCache();
-     OCSP_ShutdownGlobal();
-+#ifndef NSS_DISABLE_LIBPKIX
-     PKIX_Shutdown(plContext);
-+#endif
-     SECOID_Shutdown();
-     status = STAN_Shutdown();
-     cert_DestroySubjectKeyIDHashTable();
-diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c
-index 5c5d2ca..bfc4886 100644
---- a/nss/lib/pk11wrap/pk11load.c
-+++ b/nss/lib/pk11wrap/pk11load.c
-@@ -341,6 +341,12 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) {
-     }
- }
- 
-+#ifdef NSS_STATIC
-+extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
-+extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
-+extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
-+extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
-+#else
- static const char* my_shlib_name =
-     SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
- static const char* softoken_shlib_name =
-@@ -349,12 +355,14 @@ static const PRCallOnceType pristineCallOnce;
- static PRCallOnceType loadSoftokenOnce;
- static PRLibrary* softokenLib;
- static PRInt32 softokenLoadCount;
-+#endif  /* NSS_STATIC */
- 
- #include "prio.h"
- #include "prprf.h"
- #include <stdio.h>
- #include "prsystem.h"
- 
-+#ifndef NSS_STATIC
- /* This function must be run only once. */
- /*  determine if hybrid platform, then actually load the DSO. */
- static PRStatus
-@@ -371,6 +379,7 @@ softoken_LoadDSO( void )
-   }
-   return PR_FAILURE;
- }
-+#endif  /* !NSS_STATIC */
- 
- /*
-  * load a new module into our address space and initialize it.
-@@ -389,6 +398,16 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
- 
-     /* intenal modules get loaded from their internal list */
-     if (mod->internal && (mod->dllName == NULL)) {
-+#ifdef NSS_STATIC
-+    if (mod->isFIPS) {
-+        entry = FC_GetFunctionList;
-+    } else {
-+        entry = NSC_GetFunctionList;
-+    }
-+    if (mod->isModuleDB) {
-+        mod->moduleDBFunc = NSC_ModuleDBFunc;
-+    }
-+#else
-     /*
-      * Loads softoken as a dynamic library,
-      * even though the rest of NSS assumes this as the "internal" module.
-@@ -414,6 +433,7 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
-         mod->moduleDBFunc = (CK_C_GetFunctionList) 
-                     PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
-     }
-+#endif
- 
-     if (mod->moduleDBOnly) {
-         mod->loaded = PR_TRUE;
-@@ -424,6 +444,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
- 	if (mod->dllName == NULL) {
- 	    return SECFailure;
- 	}
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
-+	if (strstr(mod->dllName, "nssckbi") != NULL) {
-+	    mod->library = NULL;
-+	    PORT_Assert(!mod->moduleDBOnly);
-+	    entry = builtinsC_GetFunctionList;
-+	    PORT_Assert(!mod->isModuleDB);
-+	    goto library_loaded;
-+	}
-+#endif
- 
- 	/* load the library. If this succeeds, then we have to remember to
- 	 * unload the library if anything goes wrong from here on out...
-@@ -446,6 +475,9 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) {
- 	    mod->moduleDBFunc = (void *)
- 			PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
- 	}
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
-+library_loaded:
-+#endif
- 	if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
- 	if (entry == NULL) {
- 	    if (mod->isModuleDB) {
-@@ -585,6 +617,7 @@ SECMOD_UnloadModule(SECMODModule *mod) {
-      * if not, we should change this to SECFailure and move it above the
-      * mod->loaded = PR_FALSE; */
-     if (mod->internal && (mod->dllName == NULL)) {
-+#ifndef NSS_STATIC
-         if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
-           if (softokenLib) {
-               disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
-@@ -600,12 +633,18 @@ SECMOD_UnloadModule(SECMODModule *mod) {
-           }
-           loadSoftokenOnce = pristineCallOnce;
-         }
-+#endif
- 	return SECSuccess;
-     }
- 
-     library = (PRLibrary *)mod->library;
-     /* paranoia */
-     if (library == NULL) {
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
-+	if (strstr(mod->dllName, "nssckbi") != NULL) {
-+	    return SECSuccess;
-+	}
-+#endif
- 	return SECFailure;
-     }
- 
-diff --git a/nss/lib/softoken/lgglue.c b/nss/lib/softoken/lgglue.c
-index 653501c..155991b 100644
---- a/nss/lib/softoken/lgglue.c
-+++ b/nss/lib/softoken/lgglue.c
-@@ -23,6 +23,7 @@ static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL;
- static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
- static LGShutdownFunc legacy_glue_shutdown = NULL;
- 
-+#ifndef NSS_STATIC
- /*
-  * The following 3 functions duplicate the work done by bl_LoadLibrary.
-  * We should make bl_LoadLibrary a global and replace the call to
-@@ -160,6 +161,7 @@ done:
- 
-     return lib;
- }
-+#endif  /* STATIC LIBRARIES */
- 
- /*
-  * stub files for legacy db's to be able to encrypt and decrypt
-@@ -272,6 +274,21 @@ sftkdbLoad_Legacy(PRBool isFIPS)
- 	return SECSuccess;
-     }
- 
-+#ifdef NSS_STATIC
-+#ifdef NSS_DISABLE_DBM
-+    return SECFailure;
-+#else
-+    lib = (PRLibrary *) 0x8;
-+
-+    legacy_glue_open = legacy_Open;
-+    legacy_glue_readSecmod = legacy_ReadSecmodDB;
-+    legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
-+    legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
-+    legacy_glue_addSecmod = legacy_AddSecmodDB;
-+    legacy_glue_shutdown = legacy_Shutdown;
-+    setCryptFunction = legacy_SetCryptFunctions;
-+#endif
-+#else
-     lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
-     if (lib == NULL) {
- 	return SECFailure;
-@@ -297,11 +314,14 @@ sftkdbLoad_Legacy(PRBool isFIPS)
- 	PR_UnloadLibrary(lib);
- 	return SECFailure;
-     }
-+#endif  /* NSS_STATIC */
- 
-     /* verify the loaded library if we are in FIPS mode */
-     if (isFIPS) {
- 	if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
-+#ifndef NSS_STATIC
- 	    PR_UnloadLibrary(lib);
-+#endif
- 	    return SECFailure;
- 	}
-     	legacy_glue_libCheckSucceeded = PR_TRUE;
-@@ -418,10 +438,12 @@ sftkdbCall_Shutdown(void)
- #endif
- 	crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
-     }
-+#ifndef NSS_STATIC
-     disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
-     if (!disableUnload) {
-         PR_UnloadLibrary(legacy_glue_lib);
-     }
-+#endif
-     legacy_glue_lib = NULL;
-     legacy_glue_open = NULL;
-     legacy_glue_readSecmod = NULL;
-diff --git a/nss/lib/softoken/lgglue.h b/nss/lib/softoken/lgglue.h
-index b87f756..c8c562f 100644
---- a/nss/lib/softoken/lgglue.h
-+++ b/nss/lib/softoken/lgglue.h
-@@ -38,6 +38,25 @@ typedef SECStatus (*LGShutdownFunc)(PRBool forked);
- typedef void (*LGSetForkStateFunc)(PRBool);
- typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
- 
-+extern CK_RV legacy_Open(const char *dir, const char *certPrefix, 
-+		const char *keyPrefix, 
-+		int certVersion, int keyVersion, int flags, 
-+		SDB **certDB, SDB **keyDB);
-+extern char ** legacy_ReadSecmodDB(const char *appName, 
-+			const char *filename, 
-+			const char *dbname, char *params, PRBool rw);
-+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
-+			const char *filename, 
-+			const char *dbname, char **params, PRBool rw);
-+extern SECStatus legacy_DeleteSecmodDB(const char *appName,
-+			const char *filename, 
-+			const char *dbname, char *params, PRBool rw);
-+extern SECStatus legacy_AddSecmodDB(const char *appName, 
-+			const char *filename, 
-+			const char *dbname, char *params, PRBool rw);
-+extern SECStatus legacy_Shutdown(PRBool forked);
-+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
-+
- /*
-  * Softoken Glue Functions
-  */
-diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h
-index 7d2f5e0..95c73c8 100644
---- a/nss/lib/util/secport.h
-+++ b/nss/lib/util/secport.h
-@@ -223,6 +223,7 @@ extern int NSS_PutEnv(const char * envVarName, const char * envValue);
- 
- extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
- 
-+#ifndef NSS_STATIC
- /*
-  * Load a shared library called "newShLibName" in the same directory as
-  * a shared library that is already loaded, called existingShLibName.
-@@ -257,6 +258,7 @@ PRLibrary *
- PORT_LoadLibraryFromOrigin(const char* existingShLibName,
-                  PRFuncPtr staticShLibFunc,
-                  const char *newShLibName);
-+#endif  /* NSS_STATIC */
- 
- SEC_END_PROTOS
-