Index: patches/nss-static.patch |
diff --git a/patches/nss-static.patch b/patches/nss-static.patch |
deleted file mode 100644 |
index b897b6e4a21c48dfbc2e586d38534793a3d0213e..0000000000000000000000000000000000000000 |
--- a/patches/nss-static.patch |
+++ /dev/null |
@@ -1,498 +0,0 @@ |
-diff --git a/nss/lib/certhigh/certvfy.c b/nss/lib/certhigh/certvfy.c |
-index a86f8a0..eff77fc 100644 |
---- a/nss/lib/certhigh/certvfy.c |
-+++ b/nss/lib/certhigh/certvfy.c |
-@@ -12,9 +12,11 @@ |
- #include "certdb.h" |
- #include "certi.h" |
- #include "cryptohi.h" |
-+#ifndef NSS_DISABLE_LIBPKIX |
- #include "pkix.h" |
- /*#include "pkix_sample_modules.h" */ |
- #include "pkix_pl_cert.h" |
-+#endif /* NSS_DISABLE_LIBPKIX */ |
- |
- #include "nsspki.h" |
- #include "pkitm.h" |
-@@ -23,6 +25,47 @@ |
- #include "base.h" |
- #include "keyhi.h" |
- |
-+#ifdef NSS_DISABLE_LIBPKIX |
-+SECStatus |
-+cert_VerifyCertChainPkix( |
-+ CERTCertificate *cert, |
-+ PRBool checkSig, |
-+ SECCertUsage requiredUsage, |
-+ PRTime time, |
-+ void *wincx, |
-+ CERTVerifyLog *log, |
-+ PRBool *pSigerror, |
-+ PRBool *pRevoked) |
-+{ |
-+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
-+ return SECFailure; |
-+} |
-+ |
-+SECStatus |
-+CERT_SetUsePKIXForValidation(PRBool enable) |
-+{ |
-+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
-+ return SECFailure; |
-+} |
-+ |
-+PRBool |
-+CERT_GetUsePKIXForValidation() |
-+{ |
-+ return PR_FALSE; |
-+} |
-+ |
-+SECStatus CERT_PKIXVerifyCert( |
-+ CERTCertificate *cert, |
-+ SECCertificateUsage usages, |
-+ CERTValInParam *paramsIn, |
-+ CERTValOutParam *paramsOut, |
-+ void *wincx) |
-+{ |
-+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); |
-+ return SECFailure; |
-+} |
-+#endif /* NSS_DISABLE_LIBPKIX */ |
-+ |
- /* |
- * Check the validity times of a certificate |
- */ |
-diff --git a/nss/lib/ckfw/nssck.api b/nss/lib/ckfw/nssck.api |
-index 55b4351..8364258 100644 |
---- a/nss/lib/ckfw/nssck.api |
-+++ b/nss/lib/ckfw/nssck.api |
-@@ -1752,7 +1752,7 @@ C_WaitForSlotEvent |
- } |
- #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */ |
- |
--static CK_RV CK_ENTRY |
-+CK_RV CK_ENTRY |
- __ADJOIN(MODULE_NAME,C_GetFunctionList) |
- ( |
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList |
-@@ -1830,7 +1830,7 @@ __ADJOIN(MODULE_NAME,C_CancelFunction), |
- __ADJOIN(MODULE_NAME,C_WaitForSlotEvent) |
- }; |
- |
--static CK_RV CK_ENTRY |
-+CK_RV CK_ENTRY |
- __ADJOIN(MODULE_NAME,C_GetFunctionList) |
- ( |
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList |
-@@ -1840,6 +1840,7 @@ __ADJOIN(MODULE_NAME,C_GetFunctionList) |
- return CKR_OK; |
- } |
- |
-+#ifndef NSS_STATIC |
- /* This one is always present */ |
- CK_RV CK_ENTRY |
- C_GetFunctionList |
-@@ -1849,6 +1850,7 @@ C_GetFunctionList |
- { |
- return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList); |
- } |
-+#endif |
- |
- #undef __ADJOIN |
- |
-diff --git a/nss/lib/freebl/rsa.c b/nss/lib/freebl/rsa.c |
-index 823d8de..48b557b 100644 |
---- a/nss/lib/freebl/rsa.c |
-+++ b/nss/lib/freebl/rsa.c |
-@@ -1532,6 +1532,13 @@ void BL_Cleanup(void) |
- RSA_Cleanup(); |
- } |
- |
-+#ifdef NSS_STATIC |
-+void |
-+BL_Unload(void) |
-+{ |
-+} |
-+#endif |
-+ |
- PRBool bl_parentForkedAfterC_Initialize; |
- |
- /* |
-diff --git a/nss/lib/freebl/shvfy.c b/nss/lib/freebl/shvfy.c |
-index ad64a26..33714b8 100644 |
---- a/nss/lib/freebl/shvfy.c |
-+++ b/nss/lib/freebl/shvfy.c |
-@@ -273,9 +273,21 @@ readItem(PRFileDesc *fd, SECItem *item) |
- return SECSuccess; |
- } |
- |
-+/* |
-+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g., |
-+ * if you're using NSS as static libraries), but want to conform to the |
-+ * rest of the FIPS requirements. |
-+ */ |
-+#ifdef NSS_STATIC |
-+#define PSEUDO_FIPS |
-+#endif |
-+ |
- PRBool |
- BLAPI_SHVerify(const char *name, PRFuncPtr addr) |
- { |
-+#ifdef PSEUDO_FIPS |
-+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */ |
-+#else |
- PRBool result = PR_FALSE; /* if anything goes wrong, |
- * the signature does not verify */ |
- /* find our shared library name */ |
-@@ -291,11 +303,15 @@ loser: |
- } |
- |
- return result; |
-+#endif /* PSEUDO_FIPS */ |
- } |
- |
- PRBool |
- BLAPI_SHVerifyFile(const char *shName) |
- { |
-+#ifdef PSEUDO_FIPS |
-+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */ |
-+#else |
- char *checkName = NULL; |
- PRFileDesc *checkFD = NULL; |
- PRFileDesc *shFD = NULL; |
-@@ -492,6 +508,7 @@ loser: |
- } |
- |
- return result; |
-+#endif /* PSEUDO_FIPS */ |
- } |
- |
- PRBool |
-diff --git a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c |
-index 471f920..ecf58ce 100755 |
---- a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c |
-+++ b/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c |
-@@ -201,7 +201,10 @@ certCallback(void *arg, SECItem **secitemCerts, int numcerts) |
- |
- typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen, |
- CERTImportCertificateFunc f, void *arg); |
-- |
-+#ifdef NSS_STATIC |
-+extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen, |
-+ CERTImportCertificateFunc f, void* arg); |
-+#endif |
- |
- struct pkix_DecodeFuncStr { |
- pkix_DecodeCertsFunc func; /* function pointer to the |
-@@ -223,6 +226,11 @@ static const PRCallOnceType pkix_pristine; |
- */ |
- static PRStatus PR_CALLBACK pkix_getDecodeFunction(void) |
- { |
-+#ifdef NSS_STATIC |
-+ pkix_decodeFunc.smimeLib = NULL; |
-+ pkix_decodeFunc.func = CERT_DecodeCertPackage; |
-+ return PR_SUCCESS; |
-+#else |
- pkix_decodeFunc.smimeLib = |
- PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX); |
- if (pkix_decodeFunc.smimeLib == NULL) { |
-@@ -235,7 +243,7 @@ static PRStatus PR_CALLBACK pkix_getDecodeFunction(void) |
- return PR_FAILURE; |
- } |
- return PR_SUCCESS; |
-- |
-+#endif |
- } |
- |
- /* |
-diff --git a/nss/lib/nss/nssinit.c b/nss/lib/nss/nssinit.c |
-index b73d447..7150cf5 100644 |
---- a/nss/lib/nss/nssinit.c |
-+++ b/nss/lib/nss/nssinit.c |
-@@ -20,9 +20,11 @@ |
- #include "secerr.h" |
- #include "nssbase.h" |
- #include "nssutil.h" |
-+#ifndef NSS_DISABLE_LIBPKIX |
- #include "pkixt.h" |
- #include "pkix.h" |
- #include "pkix_tools.h" |
-+#endif /* NSS_DISABLE_LIBPKIX */ |
- |
- #include "pki3hack.h" |
- #include "certi.h" |
-@@ -526,8 +528,10 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, |
- PRBool dontFinalizeModules) |
- { |
- SECStatus rv = SECFailure; |
-+#ifndef NSS_DISABLE_LIBPKIX |
- PKIX_UInt32 actualMinorVersion = 0; |
- PKIX_Error *pkixError = NULL; |
-+#endif |
- PRBool isReallyInitted; |
- char *configStrings = NULL; |
- char *configName = NULL; |
-@@ -684,6 +688,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, |
- pk11sdr_Init(); |
- cert_CreateSubjectKeyIDHashTable(); |
- |
-+#ifndef NSS_DISABLE_LIBPKIX |
- pkixError = PKIX_Initialize |
- (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, |
- PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); |
-@@ -696,6 +701,7 @@ nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix, |
- CERT_SetUsePKIXForValidation(PR_TRUE); |
- } |
- } |
-+#endif /* NSS_DISABLE_LIBPKIX */ |
- |
- |
- } |
-@@ -1080,7 +1086,9 @@ nss_Shutdown(void) |
- cert_DestroyLocks(); |
- ShutdownCRLCache(); |
- OCSP_ShutdownGlobal(); |
-+#ifndef NSS_DISABLE_LIBPKIX |
- PKIX_Shutdown(plContext); |
-+#endif |
- SECOID_Shutdown(); |
- status = STAN_Shutdown(); |
- cert_DestroySubjectKeyIDHashTable(); |
-diff --git a/nss/lib/pk11wrap/pk11load.c b/nss/lib/pk11wrap/pk11load.c |
-index 5c5d2ca..bfc4886 100644 |
---- a/nss/lib/pk11wrap/pk11load.c |
-+++ b/nss/lib/pk11wrap/pk11load.c |
-@@ -341,6 +341,12 @@ SECMOD_SetRootCerts(PK11SlotInfo *slot, SECMODModule *mod) { |
- } |
- } |
- |
-+#ifdef NSS_STATIC |
-+extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
-+extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
-+extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args); |
-+extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); |
-+#else |
- static const char* my_shlib_name = |
- SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX; |
- static const char* softoken_shlib_name = |
-@@ -349,12 +355,14 @@ static const PRCallOnceType pristineCallOnce; |
- static PRCallOnceType loadSoftokenOnce; |
- static PRLibrary* softokenLib; |
- static PRInt32 softokenLoadCount; |
-+#endif /* NSS_STATIC */ |
- |
- #include "prio.h" |
- #include "prprf.h" |
- #include <stdio.h> |
- #include "prsystem.h" |
- |
-+#ifndef NSS_STATIC |
- /* This function must be run only once. */ |
- /* determine if hybrid platform, then actually load the DSO. */ |
- static PRStatus |
-@@ -371,6 +379,7 @@ softoken_LoadDSO( void ) |
- } |
- return PR_FAILURE; |
- } |
-+#endif /* !NSS_STATIC */ |
- |
- /* |
- * load a new module into our address space and initialize it. |
-@@ -389,6 +398,16 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { |
- |
- /* intenal modules get loaded from their internal list */ |
- if (mod->internal && (mod->dllName == NULL)) { |
-+#ifdef NSS_STATIC |
-+ if (mod->isFIPS) { |
-+ entry = FC_GetFunctionList; |
-+ } else { |
-+ entry = NSC_GetFunctionList; |
-+ } |
-+ if (mod->isModuleDB) { |
-+ mod->moduleDBFunc = NSC_ModuleDBFunc; |
-+ } |
-+#else |
- /* |
- * Loads softoken as a dynamic library, |
- * even though the rest of NSS assumes this as the "internal" module. |
-@@ -414,6 +433,7 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { |
- mod->moduleDBFunc = (CK_C_GetFunctionList) |
- PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); |
- } |
-+#endif |
- |
- if (mod->moduleDBOnly) { |
- mod->loaded = PR_TRUE; |
-@@ -424,6 +444,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { |
- if (mod->dllName == NULL) { |
- return SECFailure; |
- } |
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
-+ if (strstr(mod->dllName, "nssckbi") != NULL) { |
-+ mod->library = NULL; |
-+ PORT_Assert(!mod->moduleDBOnly); |
-+ entry = builtinsC_GetFunctionList; |
-+ PORT_Assert(!mod->isModuleDB); |
-+ goto library_loaded; |
-+ } |
-+#endif |
- |
- /* load the library. If this succeeds, then we have to remember to |
- * unload the library if anything goes wrong from here on out... |
-@@ -446,6 +475,9 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule) { |
- mod->moduleDBFunc = (void *) |
- PR_FindSymbol(library, "NSS_ReturnModuleSpecData"); |
- } |
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
-+library_loaded: |
-+#endif |
- if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE; |
- if (entry == NULL) { |
- if (mod->isModuleDB) { |
-@@ -585,6 +617,7 @@ SECMOD_UnloadModule(SECMODModule *mod) { |
- * if not, we should change this to SECFailure and move it above the |
- * mod->loaded = PR_FALSE; */ |
- if (mod->internal && (mod->dllName == NULL)) { |
-+#ifndef NSS_STATIC |
- if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) { |
- if (softokenLib) { |
- disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); |
-@@ -600,12 +633,18 @@ SECMOD_UnloadModule(SECMODModule *mod) { |
- } |
- loadSoftokenOnce = pristineCallOnce; |
- } |
-+#endif |
- return SECSuccess; |
- } |
- |
- library = (PRLibrary *)mod->library; |
- /* paranoia */ |
- if (library == NULL) { |
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) |
-+ if (strstr(mod->dllName, "nssckbi") != NULL) { |
-+ return SECSuccess; |
-+ } |
-+#endif |
- return SECFailure; |
- } |
- |
-diff --git a/nss/lib/softoken/lgglue.c b/nss/lib/softoken/lgglue.c |
-index 653501c..155991b 100644 |
---- a/nss/lib/softoken/lgglue.c |
-+++ b/nss/lib/softoken/lgglue.c |
-@@ -23,6 +23,7 @@ static LGDeleteSecmodFunc legacy_glue_deleteSecmod = NULL; |
- static LGAddSecmodFunc legacy_glue_addSecmod = NULL; |
- static LGShutdownFunc legacy_glue_shutdown = NULL; |
- |
-+#ifndef NSS_STATIC |
- /* |
- * The following 3 functions duplicate the work done by bl_LoadLibrary. |
- * We should make bl_LoadLibrary a global and replace the call to |
-@@ -160,6 +161,7 @@ done: |
- |
- return lib; |
- } |
-+#endif /* STATIC LIBRARIES */ |
- |
- /* |
- * stub files for legacy db's to be able to encrypt and decrypt |
-@@ -272,6 +274,21 @@ sftkdbLoad_Legacy(PRBool isFIPS) |
- return SECSuccess; |
- } |
- |
-+#ifdef NSS_STATIC |
-+#ifdef NSS_DISABLE_DBM |
-+ return SECFailure; |
-+#else |
-+ lib = (PRLibrary *) 0x8; |
-+ |
-+ legacy_glue_open = legacy_Open; |
-+ legacy_glue_readSecmod = legacy_ReadSecmodDB; |
-+ legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData; |
-+ legacy_glue_deleteSecmod = legacy_DeleteSecmodDB; |
-+ legacy_glue_addSecmod = legacy_AddSecmodDB; |
-+ legacy_glue_shutdown = legacy_Shutdown; |
-+ setCryptFunction = legacy_SetCryptFunctions; |
-+#endif |
-+#else |
- lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME); |
- if (lib == NULL) { |
- return SECFailure; |
-@@ -297,11 +314,14 @@ sftkdbLoad_Legacy(PRBool isFIPS) |
- PR_UnloadLibrary(lib); |
- return SECFailure; |
- } |
-+#endif /* NSS_STATIC */ |
- |
- /* verify the loaded library if we are in FIPS mode */ |
- if (isFIPS) { |
- if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) { |
-+#ifndef NSS_STATIC |
- PR_UnloadLibrary(lib); |
-+#endif |
- return SECFailure; |
- } |
- legacy_glue_libCheckSucceeded = PR_TRUE; |
-@@ -418,10 +438,12 @@ sftkdbCall_Shutdown(void) |
- #endif |
- crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize); |
- } |
-+#ifndef NSS_STATIC |
- disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD"); |
- if (!disableUnload) { |
- PR_UnloadLibrary(legacy_glue_lib); |
- } |
-+#endif |
- legacy_glue_lib = NULL; |
- legacy_glue_open = NULL; |
- legacy_glue_readSecmod = NULL; |
-diff --git a/nss/lib/softoken/lgglue.h b/nss/lib/softoken/lgglue.h |
-index b87f756..c8c562f 100644 |
---- a/nss/lib/softoken/lgglue.h |
-+++ b/nss/lib/softoken/lgglue.h |
-@@ -38,6 +38,25 @@ typedef SECStatus (*LGShutdownFunc)(PRBool forked); |
- typedef void (*LGSetForkStateFunc)(PRBool); |
- typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc); |
- |
-+extern CK_RV legacy_Open(const char *dir, const char *certPrefix, |
-+ const char *keyPrefix, |
-+ int certVersion, int keyVersion, int flags, |
-+ SDB **certDB, SDB **keyDB); |
-+extern char ** legacy_ReadSecmodDB(const char *appName, |
-+ const char *filename, |
-+ const char *dbname, char *params, PRBool rw); |
-+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName, |
-+ const char *filename, |
-+ const char *dbname, char **params, PRBool rw); |
-+extern SECStatus legacy_DeleteSecmodDB(const char *appName, |
-+ const char *filename, |
-+ const char *dbname, char *params, PRBool rw); |
-+extern SECStatus legacy_AddSecmodDB(const char *appName, |
-+ const char *filename, |
-+ const char *dbname, char *params, PRBool rw); |
-+extern SECStatus legacy_Shutdown(PRBool forked); |
-+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc); |
-+ |
- /* |
- * Softoken Glue Functions |
- */ |
-diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h |
-index 7d2f5e0..95c73c8 100644 |
---- a/nss/lib/util/secport.h |
-+++ b/nss/lib/util/secport.h |
-@@ -223,6 +223,7 @@ extern int NSS_PutEnv(const char * envVarName, const char * envValue); |
- |
- extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n); |
- |
-+#ifndef NSS_STATIC |
- /* |
- * Load a shared library called "newShLibName" in the same directory as |
- * a shared library that is already loaded, called existingShLibName. |
-@@ -257,6 +258,7 @@ PRLibrary * |
- PORT_LoadLibraryFromOrigin(const char* existingShLibName, |
- PRFuncPtr staticShLibFunc, |
- const char *newShLibName); |
-+#endif /* NSS_STATIC */ |
- |
- SEC_END_PROTOS |
- |