view patches/nss-static.patch @ 2:a945361df361

Fix NSS_LIBRARIES variable
author Andre Heinecke <andre.heinecke@intevation.de>
date Wed, 30 Jul 2014 16:20:44 +0200
parents 1e5118fa0cb1
children
diff -r db5b7e3c69a5 lib/certhigh/certvfy.c
--- a/lib/certhigh/certvfy.c	Tue May 28 23:37:46 2013 +0200
+++ b/lib/certhigh/certvfy.c	Fri May 31 17:44:06 2013 -0700
@@ -13,9 +13,11 @@
 #include "certdb.h"
 #include "certi.h"
 #include "cryptohi.h"
+#ifndef NSS_DISABLE_LIBPKIX
 #include "pkix.h"
 /*#include "pkix_sample_modules.h" */
 #include "pkix_pl_cert.h"
+#endif  /* NSS_DISABLE_LIBPKIX */
 
 
 #include "nsspki.h"
@@ -24,6 +26,47 @@
 #include "pki3hack.h"
 #include "base.h"
 
+#ifdef NSS_DISABLE_LIBPKIX
+SECStatus
+cert_VerifyCertChainPkix(
+    CERTCertificate *cert,
+    PRBool           checkSig,
+    SECCertUsage     requiredUsage,
+    PRTime           time,
+    void            *wincx,
+    CERTVerifyLog   *log,
+    PRBool          *pSigerror,
+    PRBool          *pRevoked)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+SECStatus
+CERT_SetUsePKIXForValidation(PRBool enable)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+
+PRBool
+CERT_GetUsePKIXForValidation()
+{
+    return PR_FALSE;
+}
+
+SECStatus CERT_PKIXVerifyCert(
+    CERTCertificate *cert,
+    SECCertificateUsage usages,
+    CERTValInParam *paramsIn,
+    CERTValOutParam *paramsOut,
+    void *wincx)
+{
+    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
+    return SECFailure;
+}
+#endif  /* NSS_DISABLE_LIBPKIX */
+
 /*
  * Check the validity times of a certificate
  */
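Review bot: `CERT_GetUsePKIXForValidation()` is defined with an empty parameter list, which in C is a non-prototype declarator and leaves calls with arguments unchecked; write `CERT_GetUsePKIXForValidation(void)`. The `cert_VerifyCertChainPkix` stub also returns SECFailure without writing `*pSigerror` or `*pRevoked`, so a caller that reads them after the failure sees whatever it passed in. Callers are not visible here, so either confirm they initialise both or set them to `PR_FALSE` in the stub when the pointers are non-NULL. A short comment above the `#ifdef NSS_DISABLE_LIBPKIX` block, such as `/* libpkix compiled out: PKIX entry points fail with PR_NOT_IMPLEMENTED_ERROR */`, would make the contract explicit.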
diff -r db5b7e3c69a5 lib/ckfw/nssck.api
--- a/lib/ckfw/nssck.api	Tue May 28 23:37:46 2013 +0200
+++ b/lib/ckfw/nssck.api	Fri May 31 17:44:06 2013 -0700
@@ -1752,7 +1752,7 @@
 }
 #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
 
-static CK_RV CK_ENTRY
+CK_RV CK_ENTRY
 __ADJOIN(MODULE_NAME,C_GetFunctionList)
 (
   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
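Review bot: Dropping `static` here and on the second `__ADJOIN(MODULE_NAME,C_GetFunctionList)` definition in the next hunk is unconditional, so shared-library builds also gain a new external symbol per module, while the rest of this patch is gated on `NSS_STATIC`. If only the static build needs external linkage (pk11load.c in this patch declares `builtinsC_GetFunctionList` as extern), consider selecting the storage class under `#ifdef NSS_STATIC` and keeping `static` otherwise. No prototype for the now-external function is visible in this file; declaring it in a shared header would let the compiler check the hand-written extern in pk11load.c against the definition. The function body continues outside the hunk.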
@@ -1830,7 +1830,7 @@
 __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
 };
 
-static CK_RV CK_ENTRY
+CK_RV CK_ENTRY
 __ADJOIN(MODULE_NAME,C_GetFunctionList)
 (
   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
@@ -1840,6 +1840,7 @@
   return CKR_OK;
 }
 
+#ifndef NSS_STATIC
 /* This one is always present */
 CK_RV CK_ENTRY
 C_GetFunctionList
@@ -1849,6 +1850,7 @@
 {
   return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
 }
+#endif
 
 #undef __ADJOIN
 
diff -r db5b7e3c69a5 lib/freebl/rsa.c
--- a/lib/freebl/rsa.c	Tue May 28 23:37:46 2013 +0200
+++ b/lib/freebl/rsa.c	Fri May 31 17:44:06 2013 -0700
@@ -1559,6 +1559,13 @@
     RSA_Cleanup();
 }
 
+#ifdef NSS_STATIC
+void
+BL_Unload(void)
+{
+}
+#endif
+
 PRBool bl_parentForkedAfterC_Initialize;
 
 /*
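Review bot: The empty `BL_Unload` has no comment explaining why doing nothing is correct. A line inside the body such as `/* Static build: freebl is linked in, so there is no library handle to release. */` would tell the next reader the stub is intentional. That reading is inferred from the `NSS_STATIC` guard, since the dynamic-build definition is not part of this hunk.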
diff -r db5b7e3c69a5 lib/freebl/shvfy.c
--- a/lib/freebl/shvfy.c	Tue May 28 23:37:46 2013 +0200
+++ b/lib/freebl/shvfy.c	Fri May 31 17:44:06 2013 -0700
@@ -273,9 +273,21 @@
     return SECSuccess;
 }
 
+/*
+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
+ * if you're using NSS as static libraries), but want to conform to the
+ * rest of the FIPS requirements.
+ */
+#ifdef NSS_STATIC
+#define PSEUDO_FIPS
+#endif
+
 PRBool
 BLAPI_SHVerify(const char *name, PRFuncPtr addr)
 {
+#ifdef PSEUDO_FIPS
+    return PR_TRUE;  /* a lie, hence *pseudo* FIPS */
+#else
     PRBool result = PR_FALSE; /* if anything goes wrong,
 			       * the signature does not verify */
     /* find our shared library name */
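Review bot: Deriving `PSEUDO_FIPS` from `NSS_STATIC` turns the FIPS software-integrity check into an unconditional `return PR_TRUE` for every static build, here and in `BLAPI_SHVerifyFile` in the next hunk, with nothing visible to the caller. In this same patch, the FIPS branch in lgglue.c still calls `BLAPI_SHVerify` and then sets `legacy_glue_libCheckSucceeded = PR_TRUE`, so a static build records a passed check that never ran. The added comment already describes `PSEUDO_FIPS` as something the builder defines; dropping the automatic `#define PSEUDO_FIPS` under `NSS_STATIC` would make the bypass an explicit build decision and presumably leave a static build in FIPS mode failing closed, since `result` starts as `PR_FALSE`. If the automatic define stays, extend the comment to state that the integrity self-test is skipped and that such a build does not meet the FIPS integrity requirement. The body of `BLAPI_SHVerify` continues outside the hunk.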
@@ -291,11 +303,15 @@
     }
 
     return result;
+#endif  /* PSEUDO_FIPS */
 }
 
 PRBool
 BLAPI_SHVerifyFile(const char *shName)
 {
+#ifdef PSEUDO_FIPS
+    return PR_TRUE;  /* a lie, hence *pseudo* FIPS */
+#else
     char *checkName = NULL;
     PRFileDesc *checkFD = NULL;
     PRFileDesc *shFD = NULL;
@@ -492,6 +508,7 @@
     }
 
     return result;
+#endif  /* PSEUDO_FIPS */
 }
 
 PRBool
diff -r db5b7e3c69a5 lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
--- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c	Tue May 28 23:37:46 2013 +0200
+++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c	Fri May 31 17:44:06 2013 -0700
@@ -201,7 +201,10 @@
 
 typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
                                           CERTImportCertificateFunc f, void *arg);
-
+#ifdef NSS_STATIC
+extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
+                                        CERTImportCertificateFunc f, void* arg);
+#endif
 
 struct pkix_DecodeFuncStr {
     pkix_DecodeCertsFunc func;          /* function pointer to the 
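Review bot: The hand-written `extern SECStatus CERT_DecodeCertPackage(...)` duplicates a prototype that NSS already publishes (in cert.h, as far as I know); a local copy is not checked against the real definition and can drift silently. Prefer including the declaring header under `#ifdef NSS_STATIC` over redeclaring the function. In the static branch of `pkix_getDecodeFunction` in the next hunk `smimeLib` is set to NULL, so any teardown code that unloads `pkix_decodeFunc.smimeLib` must tolerate NULL; that code is not in this patch and should be checked.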
@@ -223,6 +226,11 @@
  */
 static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
 {
+#ifdef NSS_STATIC
+    pkix_decodeFunc.smimeLib = NULL;
+    pkix_decodeFunc.func = CERT_DecodeCertPackage;
+    return PR_SUCCESS;
+#else
     pkix_decodeFunc.smimeLib = 
 		PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
     if (pkix_decodeFunc.smimeLib == NULL) {
@@ -235,7 +243,7 @@
 	return PR_FAILURE;
     }
     return PR_SUCCESS;
-
+#endif
 }
 
 /*
diff -r db5b7e3c69a5 lib/nss/nssinit.c
--- a/lib/nss/nssinit.c	Tue May 28 23:37:46 2013 +0200
+++ b/lib/nss/nssinit.c	Fri May 31 17:44:06 2013 -0700
@@ -20,9 +20,11 @@
 #include "secerr.h"
 #include "nssbase.h"
 #include "nssutil.h"
+#ifndef NSS_DISABLE_LIBPKIX
 #include "pkixt.h"
 #include "pkix.h"
 #include "pkix_tools.h"
+#endif  /* NSS_DISABLE_LIBPKIX */
 
 #include "pki3hack.h"
 #include "certi.h"
@@ -530,8 +532,10 @@
 		 PRBool dontFinalizeModules)
 {
     SECStatus rv = SECFailure;
+#ifndef NSS_DISABLE_LIBPKIX
     PKIX_UInt32 actualMinorVersion = 0;
     PKIX_Error *pkixError = NULL;
+#endif
     PRBool isReallyInitted;
     char *configStrings = NULL;
     char *configName = NULL;
@@ -685,6 +689,7 @@
 	pk11sdr_Init();
 	cert_CreateSubjectKeyIDHashTable();
 
+#ifndef NSS_DISABLE_LIBPKIX
 	pkixError = PKIX_Initialize
 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
@@ -697,6 +702,7 @@
                 CERT_SetUsePKIXForValidation(PR_TRUE);
             }
         }
+#endif  /* NSS_DISABLE_LIBPKIX */
 
 
     }
@@ -1081,7 +1087,9 @@
     cert_DestroyLocks();
     ShutdownCRLCache();
     OCSP_ShutdownGlobal();
+#ifndef NSS_DISABLE_LIBPKIX
     PKIX_Shutdown(plContext);
+#endif
     SECOID_Shutdown();
     status = STAN_Shutdown();
     cert_DestroySubjectKeyIDHashTable();
diff -r db5b7e3c69a5 lib/pk11wrap/pk11load.c
--- a/lib/pk11wrap/pk11load.c	Tue May 28 23:37:46 2013 +0200
+++ b/lib/pk11wrap/pk11load.c	Fri May 31 17:44:06 2013 -0700
@@ -318,6 +318,12 @@
     }
 }
 
+#ifdef NSS_STATIC
+extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
+extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
+#else
 static const char* my_shlib_name =
     SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
 static const char* softoken_shlib_name =
@@ -326,12 +332,14 @@
 static PRCallOnceType loadSoftokenOnce;
 static PRLibrary* softokenLib;
 static PRInt32 softokenLoadCount;
+#endif  /* NSS_STATIC */
 
 #include "prio.h"
 #include "prprf.h"
 #include <stdio.h>
 #include "prsystem.h"
 
+#ifndef NSS_STATIC
 /* This function must be run only once. */
 /*  determine if hybrid platform, then actually load the DSO. */
 static PRStatus
@@ -348,6 +356,7 @@
   }
   return PR_FAILURE;
 }
+#endif  /* !NSS_STATIC */
 
 /*
  * load a new module into our address space and initialize it.
@@ -366,6 +375,16 @@
 
     /* intenal modules get loaded from their internal list */
     if (mod->internal && (mod->dllName == NULL)) {
+#ifdef NSS_STATIC
+    if (mod->isFIPS) {
+        entry = FC_GetFunctionList;
+    } else {
+        entry = NSC_GetFunctionList;
+    }
+    if (mod->isModuleDB) {
+        mod->moduleDBFunc = NSC_ModuleDBFunc;
+    }
+#else
     /*
      * Loads softoken as a dynamic library,
      * even though the rest of NSS assumes this as the "internal" module.
@@ -391,6 +410,7 @@
         mod->moduleDBFunc = (CK_C_GetFunctionList) 
                     PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
     }
+#endif
 
     if (mod->moduleDBOnly) {
         mod->loaded = PR_TRUE;
@@ -401,6 +421,15 @@
 	if (mod->dllName == NULL) {
 	    return SECFailure;
 	}
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+	if (strstr(mod->dllName, "nssckbi") != NULL) {
+	    mod->library = NULL;
+	    PORT_Assert(!mod->moduleDBOnly);
+	    entry = builtinsC_GetFunctionList;
+	    PORT_Assert(!mod->isModuleDB);
+	    goto library_loaded;
+	}
+#endif
 
 	/* load the library. If this succeeds, then we have to remember to
 	 * unload the library if anything goes wrong from here on out...
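Review bot: `strstr(mod->dllName, "nssckbi") != NULL` matches the string anywhere in the configured path, so any module whose directory or file name merely contains "nssckbi" is silently replaced by the linked-in built-ins module instead of being loaded. Comparing only the file-name component against the expected library name would be tighter. The two `PORT_Assert` calls are presumably compiled out of release builds, so `moduleDBOnly` and `isModuleDB` are not actually enforced before `goto library_loaded`. The same `strstr` test in the unload hunk (after `/* paranoia */`) has no NULL check on `mod->dllName` visible before it, unlike this hunk; `if (mod->dllName != NULL && strstr(mod->dllName, "nssckbi") != NULL) {` would be safer there.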
@@ -423,6 +452,9 @@
 	    mod->moduleDBFunc = (void *)
 			PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
 	}
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+library_loaded:
+#endif
 	if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
 	if (entry == NULL) {
 	    if (mod->isModuleDB) {
@@ -562,6 +594,7 @@
      * if not, we should change this to SECFailure and move it above the
      * mod->loaded = PR_FALSE; */
     if (mod->internal && (mod->dllName == NULL)) {
+#ifndef NSS_STATIC
         if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
           if (softokenLib) {
               disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
@@ -573,12 +606,18 @@
           }
           loadSoftokenOnce = pristineCallOnce;
         }
+#endif
 	return SECSuccess;
     }
 
     library = (PRLibrary *)mod->library;
     /* paranoia */
     if (library == NULL) {
+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
+	if (strstr(mod->dllName, "nssckbi") != NULL) {
+	    return SECSuccess;
+	}
+#endif
 	return SECFailure;
     }
 
diff -r db5b7e3c69a5 lib/softoken/lgglue.c
--- a/lib/softoken/lgglue.c	Tue May 28 23:37:46 2013 +0200
+++ b/lib/softoken/lgglue.c	Fri May 31 17:44:06 2013 -0700
@@ -23,6 +23,7 @@
 static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
 static LGShutdownFunc legacy_glue_shutdown = NULL;
 
+#ifndef NSS_STATIC
 /*
  * The following 3 functions duplicate the work done by bl_LoadLibrary.
  * We should make bl_LoadLibrary a global and replace the call to
@@ -160,6 +161,7 @@
 
     return lib;
 }
+#endif  /* STATIC LIBRARIES */
 
 /*
  * stub files for legacy db's to be able to encrypt and decrypt
@@ -272,6 +274,21 @@
 	return SECSuccess;
     }
 
+#ifdef NSS_STATIC
+#ifdef NSS_DISABLE_DBM
+    return SECFailure;
+#else
+    lib = (PRLibrary *) 0x8;
+
+    legacy_glue_open = legacy_Open;
+    legacy_glue_readSecmod = legacy_ReadSecmodDB;
+    legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
+    legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
+    legacy_glue_addSecmod = legacy_AddSecmodDB;
+    legacy_glue_shutdown = legacy_Shutdown;
+    setCryptFunction = legacy_SetCryptFunctions;
+#endif
+#else
     lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
     if (lib == NULL) {
 	return SECFailure;
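Review bot: `lib = (PRLibrary *) 0x8;` is an undocumented fake handle whose only purpose appears to be making later non-NULL checks pass. If any path other than the guarded ones hands it to `PR_UnloadLibrary` or `PR_FindSymbol`, that is an invalid pointer dereference. The patch guards the two unload calls visible in the later hunks, but the rest of the function is outside this hunk, so confirm that `legacy_glue_lib` is never used as a real handle in static builds. At minimum give the value a name and a comment, e.g. `/* static build: sentinel, never a real PRLibrary; must not be unloaded */`.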
@@ -297,11 +314,14 @@
 	PR_UnloadLibrary(lib);
 	return SECFailure;
     }
+#endif  /* NSS_STATIC */
 
     /* verify the loaded library if we are in FIPS mode */
     if (isFIPS) {
 	if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
+#ifndef NSS_STATIC
 	    PR_UnloadLibrary(lib);
+#endif
 	    return SECFailure;
 	}
     	legacy_glue_libCheckSucceeded = PR_TRUE;
@@ -418,10 +438,12 @@
 #endif
 	crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
     }
+#ifndef NSS_STATIC
     disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
     if (!disableUnload) {
         PR_UnloadLibrary(legacy_glue_lib);
     }
+#endif
     legacy_glue_lib = NULL;
     legacy_glue_open = NULL;
     legacy_glue_readSecmod = NULL;
diff -r db5b7e3c69a5 lib/softoken/lgglue.h
--- a/lib/softoken/lgglue.h	Tue May 28 23:37:46 2013 +0200
+++ b/lib/softoken/lgglue.h	Fri May 31 17:44:06 2013 -0700
@@ -38,6 +38,25 @@
 typedef void (*LGSetForkStateFunc)(PRBool);
 typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
 
+extern CK_RV legacy_Open(const char *dir, const char *certPrefix, 
+		const char *keyPrefix, 
+		int certVersion, int keyVersion, int flags, 
+		SDB **certDB, SDB **keyDB);
+extern char ** legacy_ReadSecmodDB(const char *appName, 
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
+			const char *filename, 
+			const char *dbname, char **params, PRBool rw);
+extern SECStatus legacy_DeleteSecmodDB(const char *appName,
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_AddSecmodDB(const char *appName, 
+			const char *filename, 
+			const char *dbname, char *params, PRBool rw);
+extern SECStatus legacy_Shutdown(PRBool forked);
+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
+
 /*
  * Softoken Glue Functions
  */
diff -r db5b7e3c69a5 lib/util/secport.h
--- a/lib/util/secport.h	Tue May 28 23:37:46 2013 +0200
+++ b/lib/util/secport.h	Fri May 31 17:44:06 2013 -0700
@@ -210,6 +210,7 @@
 
 extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
 
+#ifndef NSS_STATIC
 /*
  * Load a shared library called "newShLibName" in the same directory as
  * a shared library that is already loaded, called existingShLibName.
@@ -244,6 +245,7 @@
 PORT_LoadLibraryFromOrigin(const char* existingShLibName,
                  PRFuncPtr staticShLibFunc,
                  const char *newShLibName);
+#endif  /* NSS_STATIC */
 
 SEC_END_PROTOS
 