Based on http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/patches/nss-static.patch --- a/a/nss/lib/certhigh/certvfy.c Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/certhigh/certvfy.c Fri May 31 17:44:06 2013 -0700 @@ -13,9 +13,11 @@ #include "certdb.h" #include "certi.h" #include "cryptohi.h" +#ifndef NSS_DISABLE_LIBPKIX #include "pkix.h" /*#include "pkix_sample_modules.h" */ #include "pkix_pl_cert.h" +#endif /* NSS_DISABLE_LIBPKIX */ #include "nsspki.h" @@ -24,6 +26,47 @@ #include "pki3hack.h" #include "base.h" +#ifdef NSS_DISABLE_LIBPKIX +SECStatus +cert_VerifyCertChainPkix( + CERTCertificate *cert, + PRBool checkSig, + SECCertUsage requiredUsage, + PRTime time, + void *wincx, + CERTVerifyLog *log, + PRBool *pSigerror, + PRBool *pRevoked) +{ + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return SECFailure; +} + +SECStatus +CERT_SetUsePKIXForValidation(PRBool enable) +{ + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return SECFailure; +} + +PRBool +CERT_GetUsePKIXForValidation() +{ + return PR_FALSE; +} + +SECStatus CERT_PKIXVerifyCert( + CERTCertificate *cert, + SECCertificateUsage usages, + CERTValInParam *paramsIn, + CERTValOutParam *paramsOut, + void *wincx) +{ + PORT_SetError(PR_NOT_IMPLEMENTED_ERROR); + return SECFailure; +} +#endif /* NSS_DISABLE_LIBPKIX */ + /* * Check the validity times of a certificate */ --- a/a/nss/lib/ckfw/nssck.api Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/ckfw/nssck.api Fri May 31 17:44:06 2013 -0700 @@ -1752,7 +1752,7 @@ } #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */ -static CK_RV CK_ENTRY +CK_RV CK_ENTRY __ADJOIN(MODULE_NAME,C_GetFunctionList) ( CK_FUNCTION_LIST_PTR_PTR ppFunctionList @@ -1830,7 +1830,7 @@ __ADJOIN(MODULE_NAME,C_WaitForSlotEvent) }; -static CK_RV CK_ENTRY +CK_RV CK_ENTRY __ADJOIN(MODULE_NAME,C_GetFunctionList) ( CK_FUNCTION_LIST_PTR_PTR ppFunctionList @@ -1840,6 +1840,8 @@ return CKR_OK; } +#define NSS_STATIC +#ifndef NSS_STATIC /* This one is always present */ CK_RV CK_ENTRY C_GetFunctionList @@ -1849,6 +1850,7 @@ { return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList); } +#endif #undef __ADJOIN --- a/a/nss/lib/freebl/rsa.c Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/freebl/rsa.c Fri May 31 17:44:06 2013 -0700 @@ -1559,6 +1559,14 @@ RSA_Cleanup(); } +#define NSS_STATIC +#ifdef NSS_STATIC +void +BL_Unload(void) +{ +} +#endif + PRBool bl_parentForkedAfterC_Initialize; /* --- a/a/nss/lib/freebl/shvfy.c Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/freebl/shvfy.c Fri May 31 17:44:06 2013 -0700 @@ -273,9 +273,22 @@ return SECSuccess; } +/* + * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g., + * if you're using NSS as static libraries), but want to conform to the + * rest of the FIPS requirements. + */ +#define NSS_STATIC +#ifdef NSS_STATIC +#define PSEUDO_FIPS +#endif + PRBool BLAPI_SHVerify(const char *name, PRFuncPtr addr) { +#ifdef PSEUDO_FIPS + return PR_TRUE; /* a lie, hence *pseudo* FIPS */ +#else PRBool result = PR_FALSE; /* if anything goes wrong, * the signature does not verify */ /* find our shared library name */ @@ -291,11 +303,15 @@ } return result; +#endif /* PSEUDO_FIPS */ } PRBool BLAPI_SHVerifyFile(const char *shName) { +#ifdef PSEUDO_FIPS + return PR_TRUE; /* a lie, hence *pseudo* FIPS */ +#else char *checkName = NULL; PRFileDesc *checkFD = NULL; PRFileDesc *shFD = NULL; @@ -492,6 +508,7 @@ } return result; +#endif /* PSEUDO_FIPS */ } PRBool --- a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Fri May 31 17:44:06 2013 -0700 @@ -201,7 +201,11 @@ typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen, CERTImportCertificateFunc f, void *arg); - +#define NSS_STATIC +#ifdef NSS_STATIC +extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen, + CERTImportCertificateFunc f, void* arg); +#endif struct pkix_DecodeFuncStr { pkix_DecodeCertsFunc func; /* function pointer to the @@ -223,6 +226,11 @@ */ static PRStatus PR_CALLBACK pkix_getDecodeFunction(void) { +#ifdef NSS_STATIC + pkix_decodeFunc.smimeLib = NULL; + pkix_decodeFunc.func = CERT_DecodeCertPackage; + return PR_SUCCESS; +#else pkix_decodeFunc.smimeLib = PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX); if (pkix_decodeFunc.smimeLib == NULL) { @@ -235,7 +243,7 @@ return PR_FAILURE; } return PR_SUCCESS; - +#endif } /* --- a/a/nss/lib/nss/nssinit.c Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/nss/nssinit.c Fri May 31 17:44:06 2013 -0700 @@ -20,9 +20,11 @@ #include "secerr.h" #include "nssbase.h" #include "nssutil.h" +#ifndef NSS_DISABLE_LIBPKIX #include "pkixt.h" #include "pkix.h" #include "pkix_tools.h" +#endif /* NSS_DISABLE_LIBPKIX */ #include "pki3hack.h" #include "certi.h" @@ -530,8 +532,10 @@ PRBool dontFinalizeModules) { SECStatus rv = SECFailure; +#ifndef NSS_DISABLE_LIBPKIX PKIX_UInt32 actualMinorVersion = 0; PKIX_Error *pkixError = NULL; +#endif PRBool isReallyInitted; char *configStrings = NULL; char *configName = NULL; @@ -685,6 +689,7 @@ pk11sdr_Init(); cert_CreateSubjectKeyIDHashTable(); +#ifndef NSS_DISABLE_LIBPKIX pkixError = PKIX_Initialize (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION, PKIX_MINOR_VERSION, &actualMinorVersion, &plContext); @@ -697,6 +702,7 @@ CERT_SetUsePKIXForValidation(PR_TRUE); } } +#endif /* NSS_DISABLE_LIBPKIX */ } @@ -1081,7 +1087,9 @@ cert_DestroyLocks(); ShutdownCRLCache(); OCSP_ShutdownGlobal(); +#ifndef NSS_DISABLE_LIBPKIX PKIX_Shutdown(plContext); +#endif SECOID_Shutdown(); status = STAN_Shutdown(); cert_DestroySubjectKeyIDHashTable(); --- a/a/nss/lib/pk11wrap/pk11load.c Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/pk11wrap/pk11load.c Fri May 31 17:44:06 2013 -0700 @@ -318,6 +318,13 @@ } } +#define NSS_STATIC +#ifdef NSS_STATIC +extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); +extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); +extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args); +extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList); +#else static const char* my_shlib_name = SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX; static const char* softoken_shlib_name = @@ -326,12 +332,14 @@ static PRCallOnceType loadSoftokenOnce; static PRLibrary* softokenLib; static PRInt32 softokenLoadCount; +#endif /* NSS_STATIC */ #include "prio.h" #include "prprf.h" #include #include "prsystem.h" +#ifndef NSS_STATIC /* This function must be run only once. */ /* determine if hybrid platform, then actually load the DSO. */ static PRStatus @@ -348,6 +356,7 @@ } return PR_FAILURE; } +#endif /* !NSS_STATIC */ /* * load a new module into our address space and initialize it. @@ -366,6 +375,16 @@ /* intenal modules get loaded from their internal list */ if (mod->internal && (mod->dllName == NULL)) { +#ifdef NSS_STATIC + if (mod->isFIPS) { + entry = FC_GetFunctionList; + } else { + entry = NSC_GetFunctionList; + } + if (mod->isModuleDB) { + mod->moduleDBFunc = NSC_ModuleDBFunc; + } +#else /* * Loads softoken as a dynamic library, * even though the rest of NSS assumes this as the "internal" module. @@ -391,6 +410,7 @@ mod->moduleDBFunc = (CK_C_GetFunctionList) PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc"); } +#endif if (mod->moduleDBOnly) { mod->loaded = PR_TRUE; @@ -401,6 +421,15 @@ if (mod->dllName == NULL) { return SECFailure; } +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) + if (strstr(mod->dllName, "nssckbi") != NULL) { + mod->library = NULL; + PORT_Assert(!mod->moduleDBOnly); + entry = builtinsC_GetFunctionList; + PORT_Assert(!mod->isModuleDB); + goto library_loaded; + } +#endif /* load the library. If this succeeds, then we have to remember to * unload the library if anything goes wrong from here on out... @@ -423,6 +452,9 @@ mod->moduleDBFunc = (void *) PR_FindSymbol(library, "NSS_ReturnModuleSpecData"); } +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) +library_loaded: +#endif if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE; if (entry == NULL) { if (mod->isModuleDB) { @@ -562,6 +594,7 @@ * if not, we should change this to SECFailure and move it above the * mod->loaded = PR_FALSE; */ if (mod->internal && (mod->dllName == NULL)) { +#ifndef NSS_STATIC if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) { if (softokenLib) { disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); @@ -573,12 +606,18 @@ } loadSoftokenOnce = pristineCallOnce; } +#endif return SECSuccess; } library = (PRLibrary *)mod->library; /* paranoia */ if (library == NULL) { +#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS) + if (strstr(mod->dllName, "nssckbi") != NULL) { + return SECSuccess; + } +#endif return SECFailure; } --- a/a/nss/lib/softoken/lgglue.c Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/softoken/lgglue.c Fri May 31 17:44:06 2013 -0700 @@ -23,6 +23,8 @@ static LGAddSecmodFunc legacy_glue_addSecmod = NULL; static LGShutdownFunc legacy_glue_shutdown = NULL; +#define NSS_STATIC +#ifndef NSS_STATIC /* * The following 3 functions duplicate the work done by bl_LoadLibrary. * We should make bl_LoadLibrary a global and replace the call to @@ -160,6 +161,7 @@ return lib; } +#endif /* STATIC LIBRARIES */ /* * stub files for legacy db's to be able to encrypt and decrypt @@ -272,6 +274,21 @@ return SECSuccess; } +#ifdef NSS_STATIC +#ifdef NSS_DISABLE_DBM + return SECFailure; +#else + lib = (PRLibrary *) 0x8; + + legacy_glue_open = legacy_Open; + legacy_glue_readSecmod = legacy_ReadSecmodDB; + legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData; + legacy_glue_deleteSecmod = legacy_DeleteSecmodDB; + legacy_glue_addSecmod = legacy_AddSecmodDB; + legacy_glue_shutdown = legacy_Shutdown; + setCryptFunction = legacy_SetCryptFunctions; +#endif +#else lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME); if (lib == NULL) { return SECFailure; @@ -297,11 +314,14 @@ PR_UnloadLibrary(lib); return SECFailure; } +#endif /* NSS_STATIC */ /* verify the loaded library if we are in FIPS mode */ if (isFIPS) { if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) { +#ifndef NSS_STATIC PR_UnloadLibrary(lib); +#endif return SECFailure; } legacy_glue_libCheckSucceeded = PR_TRUE; @@ -418,10 +438,12 @@ #endif crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize); } +#ifndef NSS_STATIC disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD"); if (!disableUnload) { PR_UnloadLibrary(legacy_glue_lib); } +#endif legacy_glue_lib = NULL; legacy_glue_open = NULL; legacy_glue_readSecmod = NULL; --- a/a/nss/lib/softoken/lgglue.h Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/softoken/lgglue.h Fri May 31 17:44:06 2013 -0700 @@ -38,6 +38,25 @@ typedef void (*LGSetForkStateFunc)(PRBool); typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc); +extern CK_RV legacy_Open(const char *dir, const char *certPrefix, + const char *keyPrefix, + int certVersion, int keyVersion, int flags, + SDB **certDB, SDB **keyDB); +extern char ** legacy_ReadSecmodDB(const char *appName, + const char *filename, + const char *dbname, char *params, PRBool rw); +extern SECStatus legacy_ReleaseSecmodDBData(const char *appName, + const char *filename, + const char *dbname, char **params, PRBool rw); +extern SECStatus legacy_DeleteSecmodDB(const char *appName, + const char *filename, + const char *dbname, char *params, PRBool rw); +extern SECStatus legacy_AddSecmodDB(const char *appName, + const char *filename, + const char *dbname, char *params, PRBool rw); +extern SECStatus legacy_Shutdown(PRBool forked); +extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc); + /* * Softoken Glue Functions */ --- a/a/nss/lib/util/secport.h Tue May 28 23:37:46 2013 +0200 +++ a/a/nss/lib/util/secport.h Fri May 31 17:44:06 2013 -0700 @@ -210,6 +210,8 @@ extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n); +#define NSS_STATIC +#ifndef NSS_STATIC /* * Load a shared library called "newShLibName" in the same directory as * a shared library that is already loaded, called existingShLibName. @@ -244,6 +245,7 @@ PORT_LoadLibraryFromOrigin(const char* existingShLibName, PRFuncPtr staticShLibFunc, const char *newShLibName); +#endif /* NSS_STATIC */ SEC_END_PROTOS