andre@0: diff -r db5b7e3c69a5 lib/certhigh/certvfy.c
andre@0: --- a/lib/certhigh/certvfy.c Tue May 28 23:37:46 2013 +0200
andre@0: +++ b/lib/certhigh/certvfy.c Fri May 31 17:44:06 2013 -0700
andre@0: @@ -13,9 +13,11 @@
andre@0: #include "certdb.h"
andre@0: #include "certi.h"
andre@0: #include "cryptohi.h"
andre@0: +#ifndef NSS_DISABLE_LIBPKIX
andre@0: #include "pkix.h"
andre@0: /*#include "pkix_sample_modules.h" */
andre@0: #include "pkix_pl_cert.h"
andre@0: +#endif /* NSS_DISABLE_LIBPKIX */
andre@0:
andre@0:
andre@0: #include "nsspki.h"
andre@0: @@ -24,6 +26,47 @@
andre@0: #include "pki3hack.h"
andre@0: #include "base.h"
andre@0:
andre@0: +#ifdef NSS_DISABLE_LIBPKIX
andre@0: +SECStatus
andre@0: +cert_VerifyCertChainPkix(
andre@0: + CERTCertificate *cert,
andre@0: + PRBool checkSig,
andre@0: + SECCertUsage requiredUsage,
andre@0: + PRTime time,
andre@0: + void *wincx,
andre@0: + CERTVerifyLog *log,
andre@0: + PRBool *pSigerror,
andre@0: + PRBool *pRevoked)
andre@0: +{
andre@0: + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
andre@0: + return SECFailure;
andre@0: +}
andre@0: +
andre@0: +SECStatus
andre@0: +CERT_SetUsePKIXForValidation(PRBool enable)
andre@0: +{
andre@0: + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
andre@0: + return SECFailure;
andre@0: +}
andre@0: +
andre@0: +PRBool
andre@0: +CERT_GetUsePKIXForValidation()
andre@0: +{
andre@0: + return PR_FALSE;
andre@0: +}
andre@0: +
andre@0: +SECStatus CERT_PKIXVerifyCert(
andre@0: + CERTCertificate *cert,
andre@0: + SECCertificateUsage usages,
andre@0: + CERTValInParam *paramsIn,
andre@0: + CERTValOutParam *paramsOut,
andre@0: + void *wincx)
andre@0: +{
andre@0: + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
andre@0: + return SECFailure;
andre@0: +}
andre@0: +#endif /* NSS_DISABLE_LIBPKIX */
andre@0: +
andre@0: /*
andre@0: * Check the validity times of a certificate
andre@0: */
andre@0: diff -r db5b7e3c69a5 lib/ckfw/nssck.api
andre@0: --- a/lib/ckfw/nssck.api Tue May 28 23:37:46 2013 +0200 andre@0:
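Review bot: `CERT_GetUsePKIXForValidation()` in the new NSS_DISABLE_LIBPKIX stub block is declared with empty parentheses, which in C is an unprototyped declaration rather than a zero-argument one; write it `CERT_GetUsePKIXForValidation(void)` so it matches a `(void)` prototype in the public header and the compiler can still reject stray arguments. The other three stubs set PR_NOT_IMPLEMENTED_ERROR and return SECFailure, which is the right fail-closed default for a verification entry point, but nothing says it is intentional; a one-line comment above the block such as `/* libpkix compiled out: every PKIX entry point fails closed, callers must use the classic chain verifier */` would stop a later maintainer from "fixing" it to SECSuccess. The unused parameters (`cert`, `checkSig`, `enable`, ...) will also trip -Wunused-parameter in builds that enable it; a `(void)cert;` style marker or an `__attribute__((unused))` wrapper the file already uses elsewhere would keep that path warning-clean.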
+++ b/lib/ckfw/nssck.api Fri May 31 17:44:06 2013 -0700
andre@0: @@ -1752,7 +1752,7 @@
andre@0: }
andre@0: #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
andre@0:
andre@0: -static CK_RV CK_ENTRY
andre@0: +CK_RV CK_ENTRY
andre@0: __ADJOIN(MODULE_NAME,C_GetFunctionList)
andre@0: (
andre@0: CK_FUNCTION_LIST_PTR_PTR ppFunctionList
andre@0: @@ -1830,7 +1830,7 @@
andre@0: __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
andre@0: };
andre@0:
andre@0: -static CK_RV CK_ENTRY
andre@0: +CK_RV CK_ENTRY
andre@0: __ADJOIN(MODULE_NAME,C_GetFunctionList)
andre@0: (
andre@0: CK_FUNCTION_LIST_PTR_PTR ppFunctionList
andre@0: @@ -1840,6 +1840,7 @@
andre@0: return CKR_OK;
andre@0: }
andre@0:
andre@0: +#ifndef NSS_STATIC
andre@0: /* This one is always present */
andre@0: CK_RV CK_ENTRY
andre@0: C_GetFunctionList
andre@0: @@ -1849,6 +1850,7 @@
andre@0: {
andre@0: return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
andre@0: }
andre@0: +#endif
andre@0:
andre@0: #undef __ADJOIN
andre@0:
andre@0: diff -r db5b7e3c69a5 lib/freebl/rsa.c
andre@0: --- a/lib/freebl/rsa.c Tue May 28 23:37:46 2013 +0200
andre@0: +++ b/lib/freebl/rsa.c Fri May 31 17:44:06 2013 -0700
andre@0: @@ -1559,6 +1559,13 @@
andre@0: RSA_Cleanup();
andre@0: }
andre@0:
andre@0: +#ifdef NSS_STATIC
andre@0: +void
andre@0: +BL_Unload(void)
andre@0: +{
andre@0: +}
andre@0: +#endif
andre@0: +
andre@0: PRBool bl_parentForkedAfterC_Initialize;
andre@0:
andre@0: /*
andre@0: diff -r db5b7e3c69a5 lib/freebl/shvfy.c
andre@0: --- a/lib/freebl/shvfy.c Tue May 28 23:37:46 2013 +0200
andre@0: +++ b/lib/freebl/shvfy.c Fri May 31 17:44:06 2013 -0700 andre@0:
@@ -273,9 +273,21 @@
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: +/*
andre@0: + * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
andre@0: + * if you're using NSS as static libraries), but want to conform to the
andre@0: + * rest of the FIPS requirements.
andre@0: + */
andre@0: +#ifdef NSS_STATIC
andre@0: +#define PSEUDO_FIPS
andre@0: +#endif
andre@0: +
andre@0: PRBool
andre@0: BLAPI_SHVerify(const char *name, PRFuncPtr addr)
andre@0: {
andre@0: +#ifdef PSEUDO_FIPS
andre@0: + return PR_TRUE; /* a lie, hence *pseudo* FIPS */
andre@0: +#else
andre@0: PRBool result = PR_FALSE; /* if anything goes wrong,
andre@0: * the signature does not verify */
andre@0: /* find our shared library name */
andre@0: @@ -291,11 +303,15 @@
andre@0: }
andre@0:
andre@0: return result;
andre@0: +#endif /* PSEUDO_FIPS */
andre@0: }
andre@0:
andre@0: PRBool
andre@0: BLAPI_SHVerifyFile(const char *shName)
andre@0: {
andre@0: +#ifdef PSEUDO_FIPS
andre@0: + return PR_TRUE; /* a lie, hence *pseudo* FIPS */
andre@0: +#else
andre@0: char *checkName = NULL;
andre@0: PRFileDesc *checkFD = NULL;
andre@0: PRFileDesc *shFD = NULL;
andre@0: @@ -492,6 +508,7 @@
andre@0: }
andre@0:
andre@0: return result;
andre@0: +#endif /* PSEUDO_FIPS */
andre@0: }
andre@0:
andre@0: PRBool
andre@0: diff -r db5b7e3c69a5 lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
andre@0: --- a/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Tue May 28 23:37:46 2013 +0200
andre@0: +++ b/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Fri May 31 17:44:06 2013 -0700 andre@0:
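Review bot: Defining NSS_STATIC silently turns on PSEUDO_FIPS, so `BLAPI_SHVerify` and `BLAPI_SHVerifyFile` return PR_TRUE without examining anything, and every caller that gates on them (the `if (isFIPS)` check in lgglue.c later in this same patch is one) will treat any code as integrity-verified. Disabling the software integrity self-test is a policy decision that should be opted into explicitly rather than inherited from a link-mode macro: gate it as `#if defined(NSS_STATIC) && defined(NSS_ALLOW_PSEUDO_FIPS)` and emit `#warning "PSEUDO_FIPS: FIPS software integrity check is disabled"` under `#ifdef PSEUDO_FIPS`, so a build that is meant to be FIPS-validated cannot pick this up by accident. The early `return PR_TRUE;` also leaves `name`/`addr` and `shName` unreferenced in that configuration, so expect unused-parameter warnings. Both functions' bodies continue outside these hunks.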
@@ -201,7 +201,10 @@
andre@0:
andre@0: typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
andre@0: CERTImportCertificateFunc f, void *arg);
andre@0: -
andre@0: +#ifdef NSS_STATIC
andre@0: +extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
andre@0: + CERTImportCertificateFunc f, void* arg);
andre@0: +#endif
andre@0:
andre@0: struct pkix_DecodeFuncStr {
andre@0: pkix_DecodeCertsFunc func; /* function pointer to the
andre@0: @@ -223,6 +226,11 @@
andre@0: */
andre@0: static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
andre@0: {
andre@0: +#ifdef NSS_STATIC
andre@0: + pkix_decodeFunc.smimeLib = NULL;
andre@0: + pkix_decodeFunc.func = CERT_DecodeCertPackage;
andre@0: + return PR_SUCCESS;
andre@0: +#else
andre@0: pkix_decodeFunc.smimeLib =
andre@0: PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
andre@0: if (pkix_decodeFunc.smimeLib == NULL) {
andre@0: @@ -235,7 +243,7 @@
andre@0: return PR_FAILURE;
andre@0: }
andre@0: return PR_SUCCESS;
andre@0: -
andre@0: +#endif
andre@0: }
andre@0:
andre@0: /*
andre@0: diff -r db5b7e3c69a5 lib/nss/nssinit.c
andre@0: --- a/lib/nss/nssinit.c Tue May 28 23:37:46 2013 +0200
andre@0: +++ b/lib/nss/nssinit.c Fri May 31 17:44:06 2013 -0700
andre@0: @@ -20,9 +20,11 @@
andre@0: #include "secerr.h"
andre@0: #include "nssbase.h"
andre@0: #include "nssutil.h"
andre@0: +#ifndef NSS_DISABLE_LIBPKIX
andre@0: #include "pkixt.h"
andre@0: #include "pkix.h"
andre@0: #include "pkix_tools.h"
andre@0: +#endif /* NSS_DISABLE_LIBPKIX */
andre@0:
andre@0: #include "pki3hack.h"
andre@0: #include "certi.h"
andre@0: @@ -530,8 +532,10 @@
andre@0: PRBool dontFinalizeModules)
andre@0: {
andre@0: SECStatus rv = SECFailure;
andre@0: +#ifndef NSS_DISABLE_LIBPKIX
andre@0: PKIX_UInt32 actualMinorVersion = 0;
andre@0: PKIX_Error *pkixError = NULL;
andre@0: +#endif
andre@0: PRBool isReallyInitted;
andre@0: char *configStrings = NULL;
andre@0: char *configName = NULL; andre@0:
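Review bot: In the NSS_STATIC branch of `pkix_getDecodeFunction`, `pkix_decodeFunc.smimeLib` is set to NULL while `func` is a live pointer; any teardown code elsewhere in this file that unconditionally calls `PR_UnloadLibrary(pkix_decodeFunc.smimeLib)` — not visible here, so this is an inference — would now pass NULL, and any code that uses `smimeLib != NULL` as the "decoder available" test would wrongly report it missing. Worth a comment at the assignment, `/* NSS_STATIC: decoder is linked in, no library handle to unload */`, and a check of the unload path. The hand-written `extern SECStatus CERT_DecodeCertPackage(...)` prototype duplicates the real declaration; include the header that owns it instead, otherwise a future signature change compiles cleanly here and miscalls at runtime.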
@@ -685,6 +689,7 @@
andre@0: pk11sdr_Init();
andre@0: cert_CreateSubjectKeyIDHashTable();
andre@0:
andre@0: +#ifndef NSS_DISABLE_LIBPKIX
andre@0: pkixError = PKIX_Initialize
andre@0: (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
andre@0: PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
andre@0: @@ -697,6 +702,7 @@
andre@0: CERT_SetUsePKIXForValidation(PR_TRUE);
andre@0: }
andre@0: }
andre@0: +#endif /* NSS_DISABLE_LIBPKIX */
andre@0:
andre@0:
andre@0: }
andre@0: @@ -1081,7 +1087,9 @@
andre@0: cert_DestroyLocks();
andre@0: ShutdownCRLCache();
andre@0: OCSP_ShutdownGlobal();
andre@0: +#ifndef NSS_DISABLE_LIBPKIX
andre@0: PKIX_Shutdown(plContext);
andre@0: +#endif
andre@0: SECOID_Shutdown();
andre@0: status = STAN_Shutdown();
andre@0: cert_DestroySubjectKeyIDHashTable();
andre@0: diff -r db5b7e3c69a5 lib/pk11wrap/pk11load.c
andre@0: --- a/lib/pk11wrap/pk11load.c Tue May 28 23:37:46 2013 +0200
andre@0: +++ b/lib/pk11wrap/pk11load.c Fri May 31 17:44:06 2013 -0700
andre@0: @@ -318,6 +318,12 @@
andre@0: }
andre@0: }
andre@0:
andre@0: +#ifdef NSS_STATIC
andre@0: +extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
andre@0: +extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
andre@0: +extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
andre@0: +extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
andre@0: +#else
andre@0: static const char* my_shlib_name =
andre@0: SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
andre@0: static const char* softoken_shlib_name = andre@0:
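Review bot: The four `extern` prototypes added to pk11load.c under NSS_STATIC re-declare softoken and builtins entry points by hand rather than through a header that the defining translation units also include, so a future change to `NSC_ModuleDBFunc`'s or `FC_GetFunctionList`'s signature compiles cleanly here and then miscalls through `entry` / `mod->moduleDBFunc` at runtime. Move them into one shared header (a small `nssstatic.h` included by both sides) so the compiler checks the declaration against the definition; the same applies to the `CERT_DecodeCertPackage` extern in pkix_pl_httpcertstore.c. Also, the `(CK_C_GetFunctionList)` cast kept on the dynamic path is not applied on the static `mod->moduleDBFunc = NSC_ModuleDBFunc;` assignment, so the two branches assign the field with different types — unify them so a type mismatch does not hide in only one build.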
@@ -326,12 +332,14 @@
andre@0: static PRCallOnceType loadSoftokenOnce;
andre@0: static PRLibrary* softokenLib;
andre@0: static PRInt32 softokenLoadCount;
andre@0: +#endif /* NSS_STATIC */
andre@0:
andre@0: #include "prio.h"
andre@0: #include "prprf.h"
andre@0: #include
andre@0: #include "prsystem.h"
andre@0:
andre@0: +#ifndef NSS_STATIC
andre@0: /* This function must be run only once. */
andre@0: /* determine if hybrid platform, then actually load the DSO. */
andre@0: static PRStatus
andre@0: @@ -348,6 +356,7 @@
andre@0: }
andre@0: return PR_FAILURE;
andre@0: }
andre@0: +#endif /* !NSS_STATIC */
andre@0:
andre@0: /*
andre@0: * load a new module into our address space and initialize it.
andre@0: @@ -366,6 +375,16 @@
andre@0:
andre@0: /* intenal modules get loaded from their internal list */
andre@0: if (mod->internal && (mod->dllName == NULL)) {
andre@0: +#ifdef NSS_STATIC
andre@0: + if (mod->isFIPS) {
andre@0: + entry = FC_GetFunctionList;
andre@0: + } else {
andre@0: + entry = NSC_GetFunctionList;
andre@0: + }
andre@0: + if (mod->isModuleDB) {
andre@0: + mod->moduleDBFunc = NSC_ModuleDBFunc;
andre@0: + }
andre@0: +#else
andre@0: /*
andre@0: * Loads softoken as a dynamic library,
andre@0: * even though the rest of NSS assumes this as the "internal" module.
andre@0: @@ -391,6 +410,7 @@
andre@0: mod->moduleDBFunc = (CK_C_GetFunctionList)
andre@0: PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
andre@0: }
andre@0: +#endif
andre@0:
andre@0: if (mod->moduleDBOnly) {
andre@0: mod->loaded = PR_TRUE; andre@0:
@@ -401,6 +421,15 @@
andre@0: if (mod->dllName == NULL) {
andre@0: return SECFailure;
andre@0: }
andre@0: +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
andre@0: + if (strstr(mod->dllName, "nssckbi") != NULL) {
andre@0: + mod->library = NULL;
andre@0: + PORT_Assert(!mod->moduleDBOnly);
andre@0: + entry = builtinsC_GetFunctionList;
andre@0: + PORT_Assert(!mod->isModuleDB);
andre@0: + goto library_loaded;
andre@0: + }
andre@0: +#endif
andre@0:
andre@0: /* load the library. If this succeeds, then we have to remember to
andre@0: * unload the library if anything goes wrong from here on out...
andre@0: @@ -423,6 +452,9 @@
andre@0: mod->moduleDBFunc = (void *)
andre@0: PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
andre@0: }
andre@0: +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
andre@0: +library_loaded:
andre@0: +#endif
andre@0: if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
andre@0: if (entry == NULL) {
andre@0: if (mod->isModuleDB) {
andre@0: @@ -562,6 +594,7 @@
andre@0: * if not, we should change this to SECFailure and move it above the
andre@0: * mod->loaded = PR_FALSE; */
andre@0: if (mod->internal && (mod->dllName == NULL)) {
andre@0: +#ifndef NSS_STATIC
andre@0: if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
andre@0: if (softokenLib) {
andre@0: disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
andre@0: @@ -573,12 +606,18 @@
andre@0: }
andre@0: loadSoftokenOnce = pristineCallOnce;
andre@0: }
andre@0: +#endif
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: library = (PRLibrary *)mod->library;
andre@0: /* paranoia */
andre@0: if (library == NULL) {
andre@0: +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
andre@0: + if (strstr(mod->dllName, "nssckbi") != NULL) {
andre@0: + return SECSuccess;
andre@0: + }
andre@0: +#endif
andre@0: return SECFailure;
andre@0: }
andre@0:
andre@0: diff -r db5b7e3c69a5 lib/softoken/lgglue.c
andre@0: --- a/lib/softoken/lgglue.c Tue May 28 23:37:46 2013 +0200 andre@0:
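Review bot: `strstr(mod->dllName, "nssckbi") != NULL` is a substring match on the configured module path, so any library whose path merely contains "nssckbi" — including a distribution-provided replacement trust store installed under that name, or a newer standalone root-certificate build the operator pointed the module DB at — is silently swapped for the roots compiled into this binary, with no diagnostic that the configured trust anchors were ignored. Compare the basename exactly against the platform library name (`SHLIB_PREFIX"nssckbi."SHLIB_SUFFIX`) and log the substitution, and use the same comparison in the unload path in the last hunk so the two cannot drift apart. The `goto library_loaded` also jumps over whatever assigns the local `library` on the dynamic path; the error path later in this function (outside the hunk) presumably unloads `library`, so confirm it is initialised to NULL or guarded for the static-builtins case. The enclosing functions start and end outside these hunks.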
+++ b/lib/softoken/lgglue.c Fri May 31 17:44:06 2013 -0700
andre@0: @@ -23,6 +23,7 @@
andre@0: static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
andre@0: static LGShutdownFunc legacy_glue_shutdown = NULL;
andre@0:
andre@0: +#ifndef NSS_STATIC
andre@0: /*
andre@0: * The following 3 functions duplicate the work done by bl_LoadLibrary.
andre@0: * We should make bl_LoadLibrary a global and replace the call to
andre@0: @@ -160,6 +161,7 @@
andre@0:
andre@0: return lib;
andre@0: }
andre@0: +#endif /* STATIC LIBRARIES */
andre@0:
andre@0: /*
andre@0: * stub files for legacy db's to be able to encrypt and decrypt
andre@0: @@ -272,6 +274,21 @@
andre@0: return SECSuccess;
andre@0: }
andre@0:
andre@0: +#ifdef NSS_STATIC
andre@0: +#ifdef NSS_DISABLE_DBM
andre@0: + return SECFailure;
andre@0: +#else
andre@0: + lib = (PRLibrary *) 0x8;
andre@0: +
andre@0: + legacy_glue_open = legacy_Open;
andre@0: + legacy_glue_readSecmod = legacy_ReadSecmodDB;
andre@0: + legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
andre@0: + legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
andre@0: + legacy_glue_addSecmod = legacy_AddSecmodDB;
andre@0: + legacy_glue_shutdown = legacy_Shutdown;
andre@0: + setCryptFunction = legacy_SetCryptFunctions;
andre@0: +#endif
andre@0: +#else
andre@0: lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
andre@0: if (lib == NULL) {
andre@0: return SECFailure;
andre@0: @@ -297,11 +314,14 @@
andre@0: PR_UnloadLibrary(lib);
andre@0: return SECFailure;
andre@0: }
andre@0: +#endif /* NSS_STATIC */
andre@0:
andre@0: /* verify the loaded library if we are in FIPS mode */
andre@0: if (isFIPS) {
andre@0: if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
andre@0: +#ifndef NSS_STATIC
andre@0: PR_UnloadLibrary(lib);
andre@0: +#endif
andre@0: return SECFailure;
andre@0: }
andre@0: legacy_glue_libCheckSucceeded = PR_TRUE; andre@0:
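Review bot: `lib = (PRLibrary *) 0x8;` fabricates a non-NULL handle so the later `lib == NULL` tests read as "loaded", and the only thing stopping that value from reaching `PR_UnloadLibrary` is a pair of `#ifndef NSS_STATIC` guards in this hunk and the shutdown hunk; any unload site that is missed will dereference a bogus pointer. Replace the magic number with a named sentinel, `#define LEGACY_STATIC_LIB ((PRLibrary *)0x8) /* never dereferenced or unloaded */`, and make every unload site check `lib != LEGACY_STATIC_LIB` instead of relying on preprocessor coverage. The `isFIPS` branch below then calls `BLAPI_SHVerify`, which under NSS_STATIC returns PR_TRUE unconditionally (PSEUDO_FIPS in shvfy.c), so `legacy_glue_libCheckSucceeded = PR_TRUE` is reached without any integrity check in static builds — a comment here saying so would keep the next reader from assuming the check is real. The `#endif /* STATIC LIBRARIES */` in the earlier hunk should read `#endif /* !NSS_STATIC */` to match its `#ifndef`. The enclosing function starts before the hunk.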
@@ -418,10 +438,12 @@
andre@0: #endif
andre@0: crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
andre@0: }
andre@0: +#ifndef NSS_STATIC
andre@0: disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
andre@0: if (!disableUnload) {
andre@0: PR_UnloadLibrary(legacy_glue_lib);
andre@0: }
andre@0: +#endif
andre@0: legacy_glue_lib = NULL;
andre@0: legacy_glue_open = NULL;
andre@0: legacy_glue_readSecmod = NULL;
andre@0: diff -r db5b7e3c69a5 lib/softoken/lgglue.h
andre@0: --- a/lib/softoken/lgglue.h Tue May 28 23:37:46 2013 +0200
andre@0: +++ b/lib/softoken/lgglue.h Fri May 31 17:44:06 2013 -0700
andre@0: @@ -38,6 +38,25 @@
andre@0: typedef void (*LGSetForkStateFunc)(PRBool);
andre@0: typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
andre@0:
andre@0: +extern CK_RV legacy_Open(const char *dir, const char *certPrefix,
andre@0: + const char *keyPrefix,
andre@0: + int certVersion, int keyVersion, int flags,
andre@0: + SDB **certDB, SDB **keyDB);
andre@0: +extern char ** legacy_ReadSecmodDB(const char *appName,
andre@0: + const char *filename,
andre@0: + const char *dbname, char *params, PRBool rw);
andre@0: +extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
andre@0: + const char *filename,
andre@0: + const char *dbname, char **params, PRBool rw);
andre@0: +extern SECStatus legacy_DeleteSecmodDB(const char *appName,
andre@0: + const char *filename,
andre@0: + const char *dbname, char *params, PRBool rw);
andre@0: +extern SECStatus legacy_AddSecmodDB(const char *appName,
andre@0: + const char *filename,
andre@0: + const char *dbname, char *params, PRBool rw);
andre@0: +extern SECStatus legacy_Shutdown(PRBool forked);
andre@0: +extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
andre@0: +
andre@0: /*
andre@0: * Softoken Glue Functions
andre@0: */
andre@0: diff -r db5b7e3c69a5 lib/util/secport.h
andre@0: --- a/lib/util/secport.h Tue May 28 23:37:46 2013 +0200 andre@0:
+++ b/lib/util/secport.h Fri May 31 17:44:06 2013 -0700
andre@0: @@ -210,6 +210,7 @@
andre@0:
andre@0: extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
andre@0:
andre@0: +#ifndef NSS_STATIC
andre@0: /*
andre@0: * Load a shared library called "newShLibName" in the same directory as
andre@0: * a shared library that is already loaded, called existingShLibName.
andre@0: @@ -244,6 +245,7 @@
andre@0: PORT_LoadLibraryFromOrigin(const char* existingShLibName,
andre@0: PRFuncPtr staticShLibFunc,
andre@0: const char *newShLibName);
andre@0: +#endif /* NSS_STATIC */
andre@0:
andre@0: SEC_END_PROTOS andre@0: