Use Chromium's patch to build NSS statically for iOS

Change-Id: Ica2cf641bc54f6e924b759cd4cf96dd96347c53b
author: Tor Lillqvist <tml@collabora.com> 2014-08-12 16:55:13 +0300
committer: Tor Lillqvist <tml@collabora.com> 2014-08-12 17:03:45 +0300
commit: d308eda13dc2168d166e51ec55e1655fb546f3f1 (patch)
tree: e533c9759cd2258cef86ba276e3d722390e03bec /external
parent: 3442b004e6263cb0526b0c2d96318d21623eec2b (diff)
2 files changed, 488 insertions, 0 deletions
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index 4e14e3529cde..0ca3de2af3f3 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -25,6 +25,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
     external/nss/nspr-build-config.patch \
     external/nss/ubsan.patch.0 \
     $(if $(filter IOS,$(OS)), \
+        external/nss/nss-chromium-nss-static.patch \
         external/nss/nss-ios.patch) \
 ))
 
diff --git a/external/nss/nss-chromium-nss-static.patch b/external/nss/nss-chromium-nss-static.patch
new file mode 100644
index 000000000000..9d7a4e4352b1
--- /dev/null
+++ b/external/nss/nss-chromium-nss-static.patch
@@ -0,0 +1,487 @@
+Based on http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/patches/nss-static.patch
+
+--- a/a/nss/lib/certhigh/certvfy.c    Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/certhigh/certvfy.c    Fri May 31 17:44:06 2013 -0700
+@@ -13,9 +13,11 @@
+ #include "certdb.h"
+ #include "certi.h"
+ #include "cryptohi.h"
++#ifndef NSS_DISABLE_LIBPKIX
+ #include "pkix.h"
+ /*#include "pkix_sample_modules.h" */
+ #include "pkix_pl_cert.h"
++#endif  /* NSS_DISABLE_LIBPKIX */
+ 
+ 
+ #include "nsspki.h"
+@@ -24,6 +26,47 @@
+ #include "pki3hack.h"
+ #include "base.h"
+ 
++#ifdef NSS_DISABLE_LIBPKIX
++SECStatus
++cert_VerifyCertChainPkix(
++    CERTCertificate *cert,
++    PRBool           checkSig,
++    SECCertUsage     requiredUsage,
++    PRTime           time,
++    void            *wincx,
++    CERTVerifyLog   *log,
++    PRBool          *pSigerror,
++    PRBool          *pRevoked)
++{
++    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
++    return SECFailure;
++}
++
++SECStatus
++CERT_SetUsePKIXForValidation(PRBool enable)
++{
++    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
++    return SECFailure;
++}
++
++PRBool
++CERT_GetUsePKIXForValidation()
++{
++    return PR_FALSE;
++}
++
++SECStatus CERT_PKIXVerifyCert(
++    CERTCertificate *cert,
++    SECCertificateUsage usages,
++    CERTValInParam *paramsIn,
++    CERTValOutParam *paramsOut,
++    void *wincx)
++{
++    PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
++    return SECFailure;
++}
++#endif  /* NSS_DISABLE_LIBPKIX */
++
+ /*
+  * Check the validity times of a certificate
+  */
+--- a/a/nss/lib/ckfw/nssck.api        Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/ckfw/nssck.api        Fri May 31 17:44:06 2013 -0700
+@@ -1752,7 +1752,7 @@
+ }
+ #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
+ 
+-static CK_RV CK_ENTRY
++CK_RV CK_ENTRY
+ __ADJOIN(MODULE_NAME,C_GetFunctionList)
+ (
+   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+@@ -1830,7 +1830,7 @@
+ __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
+ };
+ 
+-static CK_RV CK_ENTRY
++CK_RV CK_ENTRY
+ __ADJOIN(MODULE_NAME,C_GetFunctionList)
+ (
+   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+@@ -1840,6 +1840,8 @@
+   return CKR_OK;
+ }
+ 
++#define NSS_STATIC
++#ifndef NSS_STATIC
+ /* This one is always present */
+ CK_RV CK_ENTRY
+ C_GetFunctionList
+@@ -1849,6 +1850,7 @@
+ {
+   return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
+ }
++#endif
+ 
+ #undef __ADJOIN
+ 
+--- a/a/nss/lib/freebl/rsa.c  Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/freebl/rsa.c  Fri May 31 17:44:06 2013 -0700
+@@ -1559,6 +1559,14 @@
+     RSA_Cleanup();
+ }
+ 
++#define NSS_STATIC
++#ifdef NSS_STATIC
++void
++BL_Unload(void)
++{
++}
++#endif
++
+ PRBool bl_parentForkedAfterC_Initialize;
+ 
+ /*
+--- a/a/nss/lib/freebl/shvfy.c        Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/freebl/shvfy.c        Fri May 31 17:44:06 2013 -0700
+@@ -273,9 +273,22 @@
+     return SECSuccess;
+ }
+ 
++/*
++ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
++ * if you're using NSS as static libraries), but want to conform to the
++ * rest of the FIPS requirements.
++ */
++#define NSS_STATIC
++#ifdef NSS_STATIC
++#define PSEUDO_FIPS
++#endif
++
+ PRBool
+ BLAPI_SHVerify(const char *name, PRFuncPtr addr)
+ {
++#ifdef PSEUDO_FIPS
++    return PR_TRUE;  /* a lie, hence *pseudo* FIPS */
++#else
+     PRBool result = PR_FALSE; /* if anything goes wrong,
+ 			       * the signature does not verify */
+     /* find our shared library name */
+@@ -291,11 +303,15 @@
+     }
+ 
+     return result;
++#endif  /* PSEUDO_FIPS */
+ }
+ 
+ PRBool
+ BLAPI_SHVerifyFile(const char *shName)
+ {
++#ifdef PSEUDO_FIPS
++    return PR_TRUE;  /* a lie, hence *pseudo* FIPS */
++#else
+     char *checkName = NULL;
+     PRFileDesc *checkFD = NULL;
+     PRFileDesc *shFD = NULL;
+@@ -492,6 +508,7 @@
+     }
+ 
+     return result;
++#endif  /* PSEUDO_FIPS */
+ }
+ 
+ PRBool
+--- a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c    Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c    Fri May 31 17:44:06 2013 -0700
+@@ -201,7 +201,11 @@
+ 
+ typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
+                                           CERTImportCertificateFunc f, void *arg);
+-
++#define NSS_STATIC
++#ifdef NSS_STATIC
++extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
++                                        CERTImportCertificateFunc f, void* arg);
++#endif
+ 
+ struct pkix_DecodeFuncStr {
+     pkix_DecodeCertsFunc func;          /* function pointer to the 
+@@ -223,6 +226,11 @@
+  */
+ static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
+ {
++#ifdef NSS_STATIC
++    pkix_decodeFunc.smimeLib = NULL;
++    pkix_decodeFunc.func = CERT_DecodeCertPackage;
++    return PR_SUCCESS;
++#else
+     pkix_decodeFunc.smimeLib = 
+ 		PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
+     if (pkix_decodeFunc.smimeLib == NULL) {
+@@ -235,7 +243,7 @@
+ 	return PR_FAILURE;
+     }
+     return PR_SUCCESS;
+-
++#endif
+ }
+ 
+ /*
+--- a/a/nss/lib/nss/nssinit.c Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/nss/nssinit.c Fri May 31 17:44:06 2013 -0700
+@@ -20,9 +20,11 @@
+ #include "secerr.h"
+ #include "nssbase.h"
+ #include "nssutil.h"
++#ifndef NSS_DISABLE_LIBPKIX
+ #include "pkixt.h"
+ #include "pkix.h"
+ #include "pkix_tools.h"
++#endif  /* NSS_DISABLE_LIBPKIX */
+ 
+ #include "pki3hack.h"
+ #include "certi.h"
+@@ -530,8 +532,10 @@
+ 		 PRBool dontFinalizeModules)
+ {
+     SECStatus rv = SECFailure;
++#ifndef NSS_DISABLE_LIBPKIX
+     PKIX_UInt32 actualMinorVersion = 0;
+     PKIX_Error *pkixError = NULL;
++#endif
+     PRBool isReallyInitted;
+     char *configStrings = NULL;
+     char *configName = NULL;
+@@ -685,6 +689,7 @@
+ 	pk11sdr_Init();
+ 	cert_CreateSubjectKeyIDHashTable();
+ 
++#ifndef NSS_DISABLE_LIBPKIX
+ 	pkixError = PKIX_Initialize
+ 	    (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
+ 	    PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
+@@ -697,6 +702,7 @@
+                 CERT_SetUsePKIXForValidation(PR_TRUE);
+             }
+         }
++#endif  /* NSS_DISABLE_LIBPKIX */
+ 
+ 
+     }
+@@ -1081,7 +1087,9 @@
+     cert_DestroyLocks();
+     ShutdownCRLCache();
+     OCSP_ShutdownGlobal();
++#ifndef NSS_DISABLE_LIBPKIX
+     PKIX_Shutdown(plContext);
++#endif
+     SECOID_Shutdown();
+     status = STAN_Shutdown();
+     cert_DestroySubjectKeyIDHashTable();
+--- a/a/nss/lib/pk11wrap/pk11load.c   Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/pk11wrap/pk11load.c   Fri May 31 17:44:06 2013 -0700
+@@ -318,6 +318,13 @@
+     }
+ }
+ 
++#define NSS_STATIC
++#ifdef NSS_STATIC
++extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
++extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
++extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
++extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
++#else
+ static const char* my_shlib_name =
+     SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
+ static const char* softoken_shlib_name =
+@@ -326,12 +332,14 @@
+ static PRCallOnceType loadSoftokenOnce;
+ static PRLibrary* softokenLib;
+ static PRInt32 softokenLoadCount;
++#endif  /* NSS_STATIC */
+ 
+ #include "prio.h"
+ #include "prprf.h"
+ #include <stdio.h>
+ #include "prsystem.h"
+ 
++#ifndef NSS_STATIC
+ /* This function must be run only once. */
+ /*  determine if hybrid platform, then actually load the DSO. */
+ static PRStatus
+@@ -348,6 +356,7 @@
+   }
+   return PR_FAILURE;
+ }
++#endif  /* !NSS_STATIC */
+ 
+ /*
+  * load a new module into our address space and initialize it.
+@@ -366,6 +375,16 @@
+ 
+     /* intenal modules get loaded from their internal list */
+     if (mod->internal && (mod->dllName == NULL)) {
++#ifdef NSS_STATIC
++    if (mod->isFIPS) {
++        entry = FC_GetFunctionList;
++    } else {
++        entry = NSC_GetFunctionList;
++    }
++    if (mod->isModuleDB) {
++        mod->moduleDBFunc = NSC_ModuleDBFunc;
++    }
++#else
+     /*
+      * Loads softoken as a dynamic library,
+      * even though the rest of NSS assumes this as the "internal" module.
+@@ -391,6 +410,7 @@
+         mod->moduleDBFunc = (CK_C_GetFunctionList) 
+                     PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
+     }
++#endif
+ 
+     if (mod->moduleDBOnly) {
+         mod->loaded = PR_TRUE;
+@@ -401,6 +421,15 @@
+ 	if (mod->dllName == NULL) {
+ 	    return SECFailure;
+ 	}
++#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
++       if (strstr(mod->dllName, "nssckbi") != NULL) {
++           mod->library = NULL;
++           PORT_Assert(!mod->moduleDBOnly);
++           entry = builtinsC_GetFunctionList;
++           PORT_Assert(!mod->isModuleDB);
++           goto library_loaded;
++       }
++#endif
+ 
+ 	/* load the library. If this succeeds, then we have to remember to
+ 	 * unload the library if anything goes wrong from here on out...
+@@ -423,6 +452,9 @@
+ 	    mod->moduleDBFunc = (void *)
+ 			PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
+ 	}
++#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
++library_loaded:
++#endif
+ 	if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
+ 	if (entry == NULL) {
+ 	    if (mod->isModuleDB) {
+@@ -562,6 +594,7 @@
+      * if not, we should change this to SECFailure and move it above the
+      * mod->loaded = PR_FALSE; */
+     if (mod->internal && (mod->dllName == NULL)) {
++#ifndef NSS_STATIC
+         if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
+           if (softokenLib) {
+               disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+@@ -573,12 +606,18 @@
+           }
+           loadSoftokenOnce = pristineCallOnce;
+         }
++#endif
+ 	return SECSuccess;
+     }
+ 
+     library = (PRLibrary *)mod->library;
+     /* paranoia */
+     if (library == NULL) {
++#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
++       if (strstr(mod->dllName, "nssckbi") != NULL) {
++           return SECSuccess;
++       }
++#endif
+ 	return SECFailure;
+     }
+ 
+--- a/a/nss/lib/softoken/lgglue.c     Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/softoken/lgglue.c     Fri May 31 17:44:06 2013 -0700
+@@ -23,6 +23,8 @@
+ static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
+ static LGShutdownFunc legacy_glue_shutdown = NULL;
+ 
++#define NSS_STATIC
++#ifndef NSS_STATIC
+ /*
+  * The following 3 functions duplicate the work done by bl_LoadLibrary.
+  * We should make bl_LoadLibrary a global and replace the call to
+@@ -160,6 +161,7 @@
+ 
+     return lib;
+ }
++#endif  /* STATIC LIBRARIES */
+ 
+ /*
+  * stub files for legacy db's to be able to encrypt and decrypt
+@@ -272,6 +274,21 @@
+ 	return SECSuccess;
+     }
+ 
++#ifdef NSS_STATIC
++#ifdef NSS_DISABLE_DBM
++    return SECFailure;
++#else
++    lib = (PRLibrary *) 0x8;
++
++    legacy_glue_open = legacy_Open;
++    legacy_glue_readSecmod = legacy_ReadSecmodDB;
++    legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
++    legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
++    legacy_glue_addSecmod = legacy_AddSecmodDB;
++    legacy_glue_shutdown = legacy_Shutdown;
++    setCryptFunction = legacy_SetCryptFunctions;
++#endif
++#else
+     lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
+     if (lib == NULL) {
+ 	return SECFailure;
+@@ -297,11 +314,14 @@
+ 	PR_UnloadLibrary(lib);
+ 	return SECFailure;
+     }
++#endif  /* NSS_STATIC */
+ 
+     /* verify the loaded library if we are in FIPS mode */
+     if (isFIPS) {
+ 	if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
++#ifndef NSS_STATIC
+ 	    PR_UnloadLibrary(lib);
++#endif
+ 	    return SECFailure;
+ 	}
+     	legacy_glue_libCheckSucceeded = PR_TRUE;
+@@ -418,10 +438,12 @@
+ #endif
+ 	crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
+     }
++#ifndef NSS_STATIC
+     disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
+     if (!disableUnload) {
+         PR_UnloadLibrary(legacy_glue_lib);
+     }
++#endif
+     legacy_glue_lib = NULL;
+     legacy_glue_open = NULL;
+     legacy_glue_readSecmod = NULL;
+--- a/a/nss/lib/softoken/lgglue.h     Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/softoken/lgglue.h     Fri May 31 17:44:06 2013 -0700
+@@ -38,6 +38,25 @@
+ typedef void (*LGSetForkStateFunc)(PRBool);
+ typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
+ 
++extern CK_RV legacy_Open(const char *dir, const char *certPrefix, 
++               const char *keyPrefix, 
++               int certVersion, int keyVersion, int flags, 
++               SDB **certDB, SDB **keyDB);
++extern char ** legacy_ReadSecmodDB(const char *appName, 
++                       const char *filename, 
++                       const char *dbname, char *params, PRBool rw);
++extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
++                       const char *filename, 
++                       const char *dbname, char **params, PRBool rw);
++extern SECStatus legacy_DeleteSecmodDB(const char *appName,
++                       const char *filename, 
++                       const char *dbname, char *params, PRBool rw);
++extern SECStatus legacy_AddSecmodDB(const char *appName, 
++                       const char *filename, 
++                       const char *dbname, char *params, PRBool rw);
++extern SECStatus legacy_Shutdown(PRBool forked);
++extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
++
+ /*
+  * Softoken Glue Functions
+  */
+--- a/a/nss/lib/util/secport.h        Tue May 28 23:37:46 2013 +0200
++++ a/a/nss/lib/util/secport.h        Fri May 31 17:44:06 2013 -0700
+@@ -210,6 +210,8 @@
+ 
+ extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
+ 
++#define NSS_STATIC
++#ifndef NSS_STATIC
+ /*
+  * Load a shared library called "newShLibName" in the same directory as
+  * a shared library that is already loaded, called existingShLibName.
+@@ -244,6 +245,7 @@
+ PORT_LoadLibraryFromOrigin(const char* existingShLibName,
+                  PRFuncPtr staticShLibFunc,
+                  const char *newShLibName);
++#endif  /* NSS_STATIC */
+ 
+ SEC_END_PROTOS
+
author	Tor Lillqvist <tml@collabora.com>	2014-08-12 16:55:13 +0300
committer	Tor Lillqvist <tml@collabora.com>	2014-08-12 17:03:45 +0300
commit	d308eda13dc2168d166e51ec55e1655fb546f3f1 (patch)
tree	e533c9759cd2258cef86ba276e3d722390e03bec /external
parent	3442b004e6263cb0526b0c2d96318d21623eec2b (diff)