security/nss/lib/nss/nssinit.c@6474c204b198
security/nss/lib/nss/nssinit.c
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 /*
2 * NSS utility functions
3 *
4 * This Source Code Form is subject to the terms of the Mozilla Public
5 * License, v. 2.0. If a copy of the MPL was not distributed with this
6 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
8 #include <ctype.h>
9 #include <string.h>
10 #include "seccomon.h"
11 #include "prinit.h"
12 #include "prprf.h"
13 #include "prmem.h"
14 #include "cert.h"
15 #include "key.h"
16 #include "secmod.h"
17 #include "secoid.h"
18 #include "nss.h"
19 #include "pk11func.h"
20 #include "secerr.h"
21 #include "nssbase.h"
22 #include "nssutil.h"
23 #include "pkixt.h"
24 #include "pkix.h"
25 #include "pkix_tools.h"
27 #include "pki3hack.h"
28 #include "certi.h"
29 #include "secmodi.h"
30 #include "ocspti.h"
31 #include "ocspi.h"
32 #include "utilpars.h"
34 /*
35 * On Windows nss3.dll needs to export the symbol 'mktemp' to be
36 * fully backward compatible with the nss3.dll in NSS 3.2.x and
37 * 3.3.x. This symbol was unintentionally exported and its
38 * definition (in DBM) was moved from nss3.dll to softokn3.dll
39 * in NSS 3.4. See bug 142575.
40 */
41 #ifdef WIN32_NSS3_DLL_COMPAT
42 #include <io.h>
44 /* exported as 'mktemp' */
45 char *
46 nss_mktemp(char *path)
47 {
48 return _mktemp(path);
49 }
50 #endif
52 #define NSS_MAX_FLAG_SIZE sizeof("readOnly")+sizeof("noCertDB")+ \
53 sizeof("noModDB")+sizeof("forceOpen")+sizeof("passwordRequired")+ \
54 sizeof ("optimizeSpace")
55 #define NSS_DEFAULT_MOD_NAME "NSS Internal Module"
57 static char *
58 nss_makeFlags(PRBool readOnly, PRBool noCertDB,
59 PRBool noModDB, PRBool forceOpen,
60 PRBool passwordRequired, PRBool optimizeSpace)
61 {
62 char *flags = (char *)PORT_Alloc(NSS_MAX_FLAG_SIZE);
63 PRBool first = PR_TRUE;
65 PORT_Memset(flags,0,NSS_MAX_FLAG_SIZE);
66 if (readOnly) {
67 PORT_Strcat(flags,"readOnly");
68 first = PR_FALSE;
69 }
70 if (noCertDB) {
71 if (!first) PORT_Strcat(flags,",");
72 PORT_Strcat(flags,"noCertDB");
73 first = PR_FALSE;
74 }
75 if (noModDB) {
76 if (!first) PORT_Strcat(flags,",");
77 PORT_Strcat(flags,"noModDB");
78 first = PR_FALSE;
79 }
80 if (forceOpen) {
81 if (!first) PORT_Strcat(flags,",");
82 PORT_Strcat(flags,"forceOpen");
83 first = PR_FALSE;
84 }
85 if (passwordRequired) {
86 if (!first) PORT_Strcat(flags,",");
87 PORT_Strcat(flags,"passwordRequired");
88 first = PR_FALSE;
89 }
90 if (optimizeSpace) {
91 if (!first) PORT_Strcat(flags,",");
92 PORT_Strcat(flags,"optimizeSpace");
93 first = PR_FALSE;
94 }
95 return flags;
96 }
99 /*
100 * build config string from individual internationalized strings
101 */
102 char *
103 nss_MkConfigString(const char *man, const char *libdesc, const char *tokdesc,
104 const char *ptokdesc, const char *slotdesc, const char *pslotdesc,
105 const char *fslotdesc, const char *fpslotdesc, int minPwd)
106 {
107 char *strings = NULL;
108 char *newStrings;
110 /* make sure the internationalization was done correctly... */
111 strings = PR_smprintf("");
112 if (strings == NULL) return NULL;
114 if (man) {
115 newStrings = PR_smprintf("%s manufacturerID='%s'",strings,man);
116 PR_smprintf_free(strings);
117 strings = newStrings;
118 }
119 if (strings == NULL) return NULL;
121 if (libdesc) {
122 newStrings = PR_smprintf("%s libraryDescription='%s'",strings,libdesc);
123 PR_smprintf_free(strings);
124 strings = newStrings;
125 }
126 if (strings == NULL) return NULL;
128 if (tokdesc) {
129 newStrings = PR_smprintf("%s cryptoTokenDescription='%s'",strings,
130 tokdesc);
131 PR_smprintf_free(strings);
132 strings = newStrings;
133 }
134 if (strings == NULL) return NULL;
136 if (ptokdesc) {
137 newStrings = PR_smprintf("%s dbTokenDescription='%s'",strings,ptokdesc);
138 PR_smprintf_free(strings);
139 strings = newStrings;
140 }
141 if (strings == NULL) return NULL;
143 if (slotdesc) {
144 newStrings = PR_smprintf("%s cryptoSlotDescription='%s'",strings,
145 slotdesc);
146 PR_smprintf_free(strings);
147 strings = newStrings;
148 }
149 if (strings == NULL) return NULL;
151 if (pslotdesc) {
152 newStrings = PR_smprintf("%s dbSlotDescription='%s'",strings,pslotdesc);
153 PR_smprintf_free(strings);
154 strings = newStrings;
155 }
156 if (strings == NULL) return NULL;
158 if (fslotdesc) {
159 newStrings = PR_smprintf("%s FIPSSlotDescription='%s'",
160 strings,fslotdesc);
161 PR_smprintf_free(strings);
162 strings = newStrings;
163 }
164 if (strings == NULL) return NULL;
166 if (fpslotdesc) {
167 newStrings = PR_smprintf("%s FIPSTokenDescription='%s'",
168 strings,fpslotdesc);
169 PR_smprintf_free(strings);
170 strings = newStrings;
171 }
172 if (strings == NULL) return NULL;
174 newStrings = PR_smprintf("%s minPS=%d", strings, minPwd);
175 PR_smprintf_free(strings);
176 strings = newStrings;
178 return(strings);
179 }
181 /*
182 * statics to remember the PK11_ConfigurePKCS11()
183 * info.
184 */
185 static char * pk11_config_strings = NULL;
186 static char * pk11_config_name = NULL;
187 static PRBool pk11_password_required = PR_FALSE;
189 /*
190 * this is a legacy configuration function which used to be part of
191 * the PKCS #11 internal token.
192 */
193 void
194 PK11_ConfigurePKCS11(const char *man, const char *libdesc, const char *tokdesc,
195 const char *ptokdesc, const char *slotdesc, const char *pslotdesc,
196 const char *fslotdesc, const char *fpslotdesc, int minPwd,
197 int pwRequired)
198 {
199 char * strings;
201 strings = nss_MkConfigString(man,libdesc,tokdesc,ptokdesc,slotdesc,
202 pslotdesc,fslotdesc,fpslotdesc,minPwd);
203 if (strings == NULL) {
204 return;
205 }
207 if (libdesc) {
208 if (pk11_config_name != NULL) {
209 PORT_Free(pk11_config_name);
210 }
211 pk11_config_name = PORT_Strdup(libdesc);
212 }
214 if (pk11_config_strings != NULL) {
215 PR_smprintf_free(pk11_config_strings);
216 }
217 pk11_config_strings = strings;
218 pk11_password_required = pwRequired;
220 return;
221 }
223 void PK11_UnconfigurePKCS11(void)
224 {
225 if (pk11_config_strings != NULL) {
226 PR_smprintf_free(pk11_config_strings);
227 pk11_config_strings = NULL;
228 }
229 if (pk11_config_name) {
230 PORT_Free(pk11_config_name);
231 pk11_config_name = NULL;
232 }
233 }
235 /*
236 * The following code is an attempt to automagically find the external root
237 * module.
238 * Note: Keep the #if-defined chunks in order. HPUX must select before UNIX.
239 */
241 static const char *dllname =
242 #if defined(XP_WIN32) || defined(XP_OS2)
243 "nssckbi.dll";
244 #elif defined(HPUX) && !defined(__ia64) /* HP-UX PA-RISC */
245 "libnssckbi.sl";
246 #elif defined(DARWIN)
247 "libnssckbi.dylib";
248 #elif defined(XP_UNIX) || defined(XP_BEOS)
249 "libnssckbi.so";
250 #else
251 #error "Uh! Oh! I don't know about this platform."
252 #endif
254 /* Should we have platform ifdefs here??? */
255 #define FILE_SEP '/'
257 static void nss_FindExternalRootPaths(const char *dbpath,
258 const char* secmodprefix,
259 char** retoldpath, char** retnewpath)
260 {
261 char *path, *oldpath = NULL, *lastsep;
262 int len, path_len, secmod_len, dll_len;
264 path_len = PORT_Strlen(dbpath);
265 secmod_len = secmodprefix ? PORT_Strlen(secmodprefix) : 0;
266 dll_len = PORT_Strlen(dllname);
267 len = path_len + secmod_len + dll_len + 2; /* FILE_SEP + NULL */
269 path = PORT_Alloc(len);
270 if (path == NULL) return;
272 /* back up to the top of the directory */
273 PORT_Memcpy(path,dbpath,path_len);
274 if (path[path_len-1] != FILE_SEP) {
275 path[path_len++] = FILE_SEP;
276 }
277 PORT_Strcpy(&path[path_len],dllname);
278 if (secmod_len > 0) {
279 lastsep = PORT_Strrchr(secmodprefix, FILE_SEP);
280 if (lastsep) {
281 int secmoddir_len = lastsep-secmodprefix+1; /* FILE_SEP */
282 oldpath = PORT_Alloc(len);
283 if (oldpath == NULL) {
284 PORT_Free(path);
285 return;
286 }
287 PORT_Memcpy(oldpath,path,path_len);
288 PORT_Memcpy(&oldpath[path_len],secmodprefix,secmoddir_len);
289 PORT_Strcpy(&oldpath[path_len+secmoddir_len],dllname);
290 }
291 }
292 *retoldpath = oldpath;
293 *retnewpath = path;
294 return;
295 }
297 static void nss_FreeExternalRootPaths(char* oldpath, char* path)
298 {
299 if (path) {
300 PORT_Free(path);
301 }
302 if (oldpath) {
303 PORT_Free(oldpath);
304 }
305 }
307 static void
308 nss_FindExternalRoot(const char *dbpath, const char* secmodprefix)
309 {
310 char *path = NULL;
311 char *oldpath = NULL;
312 PRBool hasrootcerts = PR_FALSE;
314 /*
315 * 'oldpath' is the external root path in NSS 3.3.x or older.
316 * For backward compatibility we try to load the root certs
317 * module with the old path first.
318 */
319 nss_FindExternalRootPaths(dbpath, secmodprefix, &oldpath, &path);
320 if (oldpath) {
321 (void) SECMOD_AddNewModule("Root Certs",oldpath, 0, 0);
322 hasrootcerts = SECMOD_HasRootCerts();
323 }
324 if (path && !hasrootcerts) {
325 (void) SECMOD_AddNewModule("Root Certs",path, 0, 0);
326 }
327 nss_FreeExternalRootPaths(oldpath, path);
328 return;
329 }
331 /*
332 * see nss_Init for definitions of the various options.
333 *
334 * this function builds a moduleSpec string from the options and previously
335 * set statics (from PKCS11_Configure, for instance), and uses it to kick off
336 * the loading of the various PKCS #11 modules.
337 */
338 static SECStatus
339 nss_InitModules(const char *configdir, const char *certPrefix,
340 const char *keyPrefix, const char *secmodName,
341 const char *updateDir, const char *updCertPrefix,
342 const char *updKeyPrefix, const char *updateID,
343 const char *updateName, char *configName, char *configStrings,
344 PRBool pwRequired, PRBool readOnly, PRBool noCertDB,
345 PRBool noModDB, PRBool forceOpen, PRBool optimizeSpace,
346 PRBool isContextInit)
347 {
348 SECStatus rv = SECFailure;
349 char *moduleSpec = NULL;
350 char *flags = NULL;
351 char *lconfigdir = NULL;
352 char *lcertPrefix = NULL;
353 char *lkeyPrefix = NULL;
354 char *lsecmodName = NULL;
355 char *lupdateDir = NULL;
356 char *lupdCertPrefix = NULL;
357 char *lupdKeyPrefix = NULL;
358 char *lupdateID = NULL;
359 char *lupdateName = NULL;
361 if (NSS_InitializePRErrorTable() != SECSuccess) {
362 PORT_SetError(SEC_ERROR_NO_MEMORY);
363 return rv;
364 }
366 flags = nss_makeFlags(readOnly,noCertDB,noModDB,forceOpen,
367 pwRequired, optimizeSpace);
368 if (flags == NULL) return rv;
370 /*
371 * configdir is double nested, and Windows uses the same character
372 * for file seps as we use for escapes! (sigh).
373 */
374 lconfigdir = NSSUTIL_DoubleEscape(configdir, '\'', '\"');
375 if (lconfigdir == NULL) {
376 goto loser;
377 }
378 lcertPrefix = NSSUTIL_DoubleEscape(certPrefix, '\'', '\"');
379 if (lcertPrefix == NULL) {
380 goto loser;
381 }
382 lkeyPrefix = NSSUTIL_DoubleEscape(keyPrefix, '\'', '\"');
383 if (lkeyPrefix == NULL) {
384 goto loser;
385 }
386 lsecmodName = NSSUTIL_DoubleEscape(secmodName, '\'', '\"');
387 if (lsecmodName == NULL) {
388 goto loser;
389 }
390 lupdateDir = NSSUTIL_DoubleEscape(updateDir, '\'', '\"');
391 if (lupdateDir == NULL) {
392 goto loser;
393 }
394 lupdCertPrefix = NSSUTIL_DoubleEscape(updCertPrefix, '\'', '\"');
395 if (lupdCertPrefix == NULL) {
396 goto loser;
397 }
398 lupdKeyPrefix = NSSUTIL_DoubleEscape(updKeyPrefix, '\'', '\"');
399 if (lupdKeyPrefix == NULL) {
400 goto loser;
401 }
402 lupdateID = NSSUTIL_DoubleEscape(updateID, '\'', '\"');
403 if (lupdateID == NULL) {
404 goto loser;
405 }
406 lupdateName = NSSUTIL_DoubleEscape(updateName, '\'', '\"');
407 if (lupdateName == NULL) {
408 goto loser;
409 }
411 moduleSpec = PR_smprintf(
412 "name=\"%s\" parameters=\"configdir='%s' certPrefix='%s' keyPrefix='%s' "
413 "secmod='%s' flags=%s updatedir='%s' updateCertPrefix='%s' "
414 "updateKeyPrefix='%s' updateid='%s' updateTokenDescription='%s' %s\" "
415 "NSS=\"flags=internal,moduleDB,moduleDBOnly,critical%s\"",
416 configName ? configName : NSS_DEFAULT_MOD_NAME,
417 lconfigdir,lcertPrefix,lkeyPrefix,lsecmodName,flags,
418 lupdateDir, lupdCertPrefix, lupdKeyPrefix, lupdateID,
419 lupdateName, configStrings ? configStrings : "",
420 isContextInit ? "" : ",defaultModDB,internalKeySlot");
422 loser:
423 PORT_Free(flags);
424 if (lconfigdir) PORT_Free(lconfigdir);
425 if (lcertPrefix) PORT_Free(lcertPrefix);
426 if (lkeyPrefix) PORT_Free(lkeyPrefix);
427 if (lsecmodName) PORT_Free(lsecmodName);
428 if (lupdateDir) PORT_Free(lupdateDir);
429 if (lupdCertPrefix) PORT_Free(lupdCertPrefix);
430 if (lupdKeyPrefix) PORT_Free(lupdKeyPrefix);
431 if (lupdateID) PORT_Free(lupdateID);
432 if (lupdateName) PORT_Free(lupdateName);
434 if (moduleSpec) {
435 SECMODModule *module = SECMOD_LoadModule(moduleSpec,NULL,PR_TRUE);
436 PR_smprintf_free(moduleSpec);
437 if (module) {
438 if (module->loaded) rv=SECSuccess;
439 SECMOD_DestroyModule(module);
440 }
441 }
442 return rv;
443 }
445 /*
446 * OK there are now lots of options here, lets go through them all:
447 *
448 * configdir - base directory where all the cert, key, and module datbases live.
449 * certPrefix - prefix added to the beginning of the cert database example: "
450 * "https-server1-"
451 * keyPrefix - prefix added to the beginning of the key database example: "
452 * "https-server1-"
453 * secmodName - name of the security module database (usually "secmod.db").
454 * updateDir - used in initMerge, old directory to update from.
455 * updateID - used in initMerge, unique ID to represent the updated directory.
456 * updateName - used in initMerge, token name when updating.
457 * initContextPtr - used in initContext, pointer to return a unique context
458 * value.
459 * readOnly - Boolean: true if the databases are to be opened read only.
460 * nocertdb - Don't open the cert DB and key DB's, just initialize the
461 * Volatile certdb.
462 * nomoddb - Don't open the security module DB, just initialize the
463 * PKCS #11 module.
464 * forceOpen - Continue to force initializations even if the databases cannot
465 * be opened.
466 * noRootInit - don't try to automatically load the root cert store if one is
467 * not found.
468 * optimizeSpace - tell NSS to use fewer hash table buckets.
469 *
470 * The next three options are used in an attempt to share PKCS #11 modules
471 * with other loaded, running libraries. PKCS #11 was not designed with this
472 * sort of sharing in mind, so use of these options may lead to questionable
473 * results. These options are may be incompatible with NSS_LoadContext() calls.
474 *
475 * noSingleThreadedModules - don't load modules that are not thread safe (many
476 * smart card tokens will not work).
477 * allowAlreadyInitializedModules - if a module has already been loaded and
478 * initialize try to use it.
479 * don'tFinalizeModules - dont shutdown modules we may have loaded.
480 */
482 static PRBool nssIsInitted = PR_FALSE;
483 static NSSInitContext *nssInitContextList = NULL;
484 static void* plContext = NULL;
486 struct NSSInitContextStr {
487 NSSInitContext *next;
488 PRUint32 magic;
489 };
491 #define NSS_INIT_MAGIC 0x1413A91C
492 static SECStatus nss_InitShutdownList(void);
494 #ifdef DEBUG
495 static CERTCertificate dummyCert;
496 #endif
498 /* All initialized to zero in BSS */
499 static PRCallOnceType nssInitOnce;
500 static PZLock *nssInitLock;
501 static PZCondVar *nssInitCondition;
502 static int nssIsInInit;
504 static PRStatus
505 nss_doLockInit(void)
506 {
507 nssInitLock = PZ_NewLock(nssILockOther);
508 if (nssInitLock == NULL) {
509 return PR_FAILURE;
510 }
511 nssInitCondition = PZ_NewCondVar(nssInitLock);
512 if (nssInitCondition == NULL) {
513 return PR_FAILURE;
514 }
515 return PR_SUCCESS;
516 }
519 static SECStatus
520 nss_Init(const char *configdir, const char *certPrefix, const char *keyPrefix,
521 const char *secmodName, const char *updateDir,
522 const char *updCertPrefix, const char *updKeyPrefix,
523 const char *updateID, const char *updateName,
524 NSSInitContext ** initContextPtr,
525 NSSInitParameters *initParams,
526 PRBool readOnly, PRBool noCertDB,
527 PRBool noModDB, PRBool forceOpen, PRBool noRootInit,
528 PRBool optimizeSpace, PRBool noSingleThreadedModules,
529 PRBool allowAlreadyInitializedModules,
530 PRBool dontFinalizeModules)
531 {
532 SECStatus rv = SECFailure;
533 PKIX_UInt32 actualMinorVersion = 0;
534 PKIX_Error *pkixError = NULL;
535 PRBool isReallyInitted;
536 char *configStrings = NULL;
537 char *configName = NULL;
538 PRBool passwordRequired = PR_FALSE;
540 /* if we are trying to init with a traditional NSS_Init call, maintain
541 * the traditional idempotent behavior. */
542 if (!initContextPtr && nssIsInitted) {
543 return SECSuccess;
544 }
546 /* make sure our lock and condition variable are initialized one and only
547 * one time */
548 if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
549 return SECFailure;
550 }
552 /*
553 * if we haven't done basic initialization, single thread the
554 * initializations.
555 */
556 PZ_Lock(nssInitLock);
557 isReallyInitted = NSS_IsInitialized();
558 if (!isReallyInitted) {
559 while (!isReallyInitted && nssIsInInit) {
560 PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT);
561 isReallyInitted = NSS_IsInitialized();
562 }
563 /* once we've completed basic initialization, we can allow more than
564 * one process initialize NSS at a time. */
565 }
566 nssIsInInit++;
567 PZ_Unlock(nssInitLock);
569 /* this tells us whether or not some library has already initialized us.
570 * if so, we don't want to double call some of the basic initialization
571 * functions */
573 if (!isReallyInitted) {
574 /* New option bits must not change the size of CERTCertificate. */
575 PORT_Assert(sizeof(dummyCert.options) == sizeof(void *));
577 if (SECSuccess != cert_InitLocks()) {
578 goto loser;
579 }
581 if (SECSuccess != InitCRLCache()) {
582 goto loser;
583 }
585 if (SECSuccess != OCSP_InitGlobal()) {
586 goto loser;
587 }
588 }
590 if (noSingleThreadedModules || allowAlreadyInitializedModules ||
591 dontFinalizeModules) {
592 pk11_setGlobalOptions(noSingleThreadedModules,
593 allowAlreadyInitializedModules,
594 dontFinalizeModules);
595 }
597 if (initContextPtr) {
598 *initContextPtr = PORT_ZNew(NSSInitContext);
599 if (*initContextPtr == NULL) {
600 goto loser;
601 }
602 /*
603 * For traditional NSS_Init, we used the PK11_Configure() call to set
604 * globals. with InitContext, we pass those strings in as parameters.
605 *
606 * This allows old NSS_Init calls to work as before, while at the same
607 * time new calls and old calls will not interfere with each other.
608 */
609 if (initParams) {
610 if (initParams->length < sizeof(NSSInitParameters)) {
611 PORT_SetError(SEC_ERROR_INVALID_ARGS);
612 goto loser;
613 }
614 configStrings = nss_MkConfigString(initParams->manufactureID,
615 initParams->libraryDescription,
616 initParams->cryptoTokenDescription,
617 initParams->dbTokenDescription,
618 initParams->cryptoSlotDescription,
619 initParams->dbSlotDescription,
620 initParams->FIPSSlotDescription,
621 initParams->FIPSTokenDescription,
622 initParams->minPWLen);
623 if (configStrings == NULL) {
624 PORT_SetError(SEC_ERROR_NO_MEMORY);
625 goto loser;
626 }
627 configName = initParams->libraryDescription;
628 passwordRequired = initParams->passwordRequired;
629 }
630 } else {
631 configStrings = pk11_config_strings;
632 configName = pk11_config_name;
633 passwordRequired = pk11_password_required;
634 }
636 /* Skip the module init if we are already initted and we are trying
637 * to init with noCertDB and noModDB */
638 if (!(isReallyInitted && noCertDB && noModDB)) {
639 rv = nss_InitModules(configdir, certPrefix, keyPrefix, secmodName,
640 updateDir, updCertPrefix, updKeyPrefix, updateID,
641 updateName, configName, configStrings, passwordRequired,
642 readOnly, noCertDB, noModDB, forceOpen, optimizeSpace,
643 (initContextPtr != NULL));
645 if (rv != SECSuccess) {
646 goto loser;
647 }
648 }
651 /* finish up initialization */
652 if (!isReallyInitted) {
653 if (SECOID_Init() != SECSuccess) {
654 goto loser;
655 }
656 if (STAN_LoadDefaultNSS3TrustDomain() != PR_SUCCESS) {
657 goto loser;
658 }
659 if (nss_InitShutdownList() != SECSuccess) {
660 goto loser;
661 }
662 CERT_SetDefaultCertDB((CERTCertDBHandle *)
663 STAN_GetDefaultTrustDomain());
664 if ((!noModDB) && (!noCertDB) && (!noRootInit)) {
665 if (!SECMOD_HasRootCerts()) {
666 const char *dbpath = configdir;
667 /* handle supported database modifiers */
668 if (strncmp(dbpath, "sql:", 4) == 0) {
669 dbpath += 4;
670 } else if(strncmp(dbpath, "dbm:", 4) == 0) {
671 dbpath += 4;
672 } else if(strncmp(dbpath, "extern:", 7) == 0) {
673 dbpath += 7;
674 } else if(strncmp(dbpath, "rdb:", 4) == 0) {
675 /* if rdb: is specified, the configdir isn't really a
676 * path. Skip it */
677 dbpath = NULL;
678 }
679 if (dbpath) {
680 nss_FindExternalRoot(dbpath, secmodName);
681 }
682 }
683 }
685 pk11sdr_Init();
686 cert_CreateSubjectKeyIDHashTable();
688 pkixError = PKIX_Initialize
689 (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
690 PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
692 if (pkixError != NULL) {
693 goto loser;
694 } else {
695 char *ev = getenv("NSS_ENABLE_PKIX_VERIFY");
696 if (ev && ev[0]) {
697 CERT_SetUsePKIXForValidation(PR_TRUE);
698 }
699 }
702 }
704 /*
705 * Now mark the appropriate init state. If initContextPtr was passed
706 * in, then return the new context pointer and add it to the
707 * nssInitContextList. Otherwise set the global nss_isInitted flag
708 */
709 PZ_Lock(nssInitLock);
710 if (!initContextPtr) {
711 nssIsInitted = PR_TRUE;
712 } else {
713 (*initContextPtr)->magic = NSS_INIT_MAGIC;
714 (*initContextPtr)->next = nssInitContextList;
715 nssInitContextList = (*initContextPtr);
716 }
717 nssIsInInit--;
718 /* now that we are inited, all waiters can move forward */
719 PZ_NotifyAllCondVar(nssInitCondition);
720 PZ_Unlock(nssInitLock);
722 if (initContextPtr && configStrings) {
723 PR_smprintf_free(configStrings);
724 }
726 return SECSuccess;
728 loser:
729 if (initContextPtr && *initContextPtr) {
730 PORT_Free(*initContextPtr);
731 *initContextPtr = NULL;
732 if (configStrings) {
733 PR_smprintf_free(configStrings);
734 }
735 }
736 PZ_Lock(nssInitLock);
737 nssIsInInit--;
738 /* We failed to init, allow one to move forward */
739 PZ_NotifyCondVar(nssInitCondition);
740 PZ_Unlock(nssInitLock);
741 return SECFailure;
742 }
745 SECStatus
746 NSS_Init(const char *configdir)
747 {
748 return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
749 NULL, PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE,
750 PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
751 }
753 SECStatus
754 NSS_InitReadWrite(const char *configdir)
755 {
756 return nss_Init(configdir, "", "", SECMOD_DB, "", "", "", "", "", NULL,
757 NULL, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE, PR_FALSE,
758 PR_TRUE, PR_FALSE, PR_FALSE, PR_FALSE);
759 }
761 /*
762 * OK there are now lots of options here, lets go through them all:
763 *
764 * configdir - base directory where all the cert, key, and module datbases live.
765 * certPrefix - prefix added to the beginning of the cert database example: "
766 * "https-server1-"
767 * keyPrefix - prefix added to the beginning of the key database example: "
768 * "https-server1-"
769 * secmodName - name of the security module database (usually "secmod.db").
770 * flags - change the open options of NSS_Initialize as follows:
771 * NSS_INIT_READONLY - Open the databases read only.
772 * NSS_INIT_NOCERTDB - Don't open the cert DB and key DB's, just
773 * initialize the volatile certdb.
774 * NSS_INIT_NOMODDB - Don't open the security module DB, just
775 * initialize the PKCS #11 module.
776 * NSS_INIT_FORCEOPEN - Continue to force initializations even if the
777 * databases cannot be opened.
778 * NSS_INIT_PK11THREADSAFE - only load PKCS#11 modules that are
779 * thread-safe, ie. that support locking - either OS
780 * locking or NSS-provided locks . If a PKCS#11
781 * module isn't thread-safe, don't serialize its
782 * calls; just don't load it instead. This is necessary
783 * if another piece of code is using the same PKCS#11
784 * modules that NSS is accessing without going through
785 * NSS, for example the Java SunPKCS11 provider.
786 * NSS_INIT_PK11RELOAD - ignore the CKR_CRYPTOKI_ALREADY_INITIALIZED
787 * error when loading PKCS#11 modules. This is necessary
788 * if another piece of code is using the same PKCS#11
789 * modules that NSS is accessing without going through
790 * NSS, for example Java SunPKCS11 provider.
791 * NSS_INIT_NOPK11FINALIZE - never call C_Finalize on any
792 * PKCS#11 module. This may be necessary in order to
793 * ensure continuous operation and proper shutdown
794 * sequence if another piece of code is using the same
795 * PKCS#11 modules that NSS is accessing without going
796 * through NSS, for example Java SunPKCS11 provider.
797 * The following limitation applies when this is set :
798 * SECMOD_WaitForAnyTokenEvent will not use
799 * C_WaitForSlotEvent, in order to prevent the need for
800 * C_Finalize. This call will be emulated instead.
801 * NSS_INIT_RESERVED - Currently has no effect, but may be used in the
802 * future to trigger better cooperation between PKCS#11
803 * modules used by both NSS and the Java SunPKCS11
804 * provider. This should occur after a new flag is defined
805 * for C_Initialize by the PKCS#11 working group.
806 * NSS_INIT_COOPERATE - Sets 4 recommended options for applications that
807 * use both NSS and the Java SunPKCS11 provider.
808 */
809 SECStatus
810 NSS_Initialize(const char *configdir, const char *certPrefix,
811 const char *keyPrefix, const char *secmodName, PRUint32 flags)
812 {
813 return nss_Init(configdir, certPrefix, keyPrefix, secmodName,
814 "", "", "", "", "", NULL, NULL,
815 ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
816 ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
817 ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
818 ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
819 ((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
820 ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
821 ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
822 ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
823 ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
824 }
826 NSSInitContext *
827 NSS_InitContext(const char *configdir, const char *certPrefix,
828 const char *keyPrefix, const char *secmodName,
829 NSSInitParameters *initParams, PRUint32 flags)
830 {
831 SECStatus rv;
832 NSSInitContext *context;
834 rv = nss_Init(configdir, certPrefix, keyPrefix, secmodName,
835 "", "", "", "", "", &context, initParams,
836 ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
837 ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
838 ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
839 ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN), PR_TRUE,
840 ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
841 ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
842 ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
843 ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
844 return (rv == SECSuccess) ? context : NULL;
845 }
847 SECStatus
848 NSS_InitWithMerge(const char *configdir, const char *certPrefix,
849 const char *keyPrefix, const char *secmodName,
850 const char *updateDir, const char *updCertPrefix,
851 const char *updKeyPrefix, const char *updateID,
852 const char *updateName, PRUint32 flags)
853 {
854 return nss_Init(configdir, certPrefix, keyPrefix, secmodName,
855 updateDir, updCertPrefix, updKeyPrefix, updateID, updateName,
856 NULL, NULL,
857 ((flags & NSS_INIT_READONLY) == NSS_INIT_READONLY),
858 ((flags & NSS_INIT_NOCERTDB) == NSS_INIT_NOCERTDB),
859 ((flags & NSS_INIT_NOMODDB) == NSS_INIT_NOMODDB),
860 ((flags & NSS_INIT_FORCEOPEN) == NSS_INIT_FORCEOPEN),
861 ((flags & NSS_INIT_NOROOTINIT) == NSS_INIT_NOROOTINIT),
862 ((flags & NSS_INIT_OPTIMIZESPACE) == NSS_INIT_OPTIMIZESPACE),
863 ((flags & NSS_INIT_PK11THREADSAFE) == NSS_INIT_PK11THREADSAFE),
864 ((flags & NSS_INIT_PK11RELOAD) == NSS_INIT_PK11RELOAD),
865 ((flags & NSS_INIT_NOPK11FINALIZE) == NSS_INIT_NOPK11FINALIZE));
866 }
868 /*
869 * initialize NSS without a creating cert db's, key db's, or secmod db's.
870 */
871 SECStatus
872 NSS_NoDB_Init(const char * configdir)
873 {
874 return nss_Init("","","","", "", "", "", "", "", NULL, NULL,
875 PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,PR_TRUE,
876 PR_FALSE,PR_FALSE,PR_FALSE);
877 }
880 #define NSS_SHUTDOWN_STEP 10
882 struct NSSShutdownFuncPair {
883 NSS_ShutdownFunc func;
884 void *appData;
885 };
887 static struct NSSShutdownListStr {
888 PZLock *lock;
889 int allocatedFuncs;
890 int peakFuncs;
891 struct NSSShutdownFuncPair *funcs;
892 } nssShutdownList = { 0 };
894 /*
895 * find and existing shutdown function
896 */
897 static int
898 nss_GetShutdownEntry(NSS_ShutdownFunc sFunc, void *appData)
899 {
900 int count, i;
901 count = nssShutdownList.peakFuncs;
903 for (i=0; i < count; i++) {
904 if ((nssShutdownList.funcs[i].func == sFunc) &&
905 (nssShutdownList.funcs[i].appData == appData)){
906 return i;
907 }
908 }
909 return -1;
910 }
912 /*
913 * register a callback to be called when NSS shuts down
914 */
915 SECStatus
916 NSS_RegisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
917 {
918 int i;
920 /* make sure our lock and condition variable are initialized one and only
921 * one time */
922 if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
923 return SECFailure;
924 }
926 PZ_Lock(nssInitLock);
927 if (!NSS_IsInitialized()) {
928 PZ_Unlock(nssInitLock);
929 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
930 return SECFailure;
931 }
932 PZ_Unlock(nssInitLock);
933 if (sFunc == NULL) {
934 PORT_SetError(SEC_ERROR_INVALID_ARGS);
935 return SECFailure;
936 }
938 PORT_Assert(nssShutdownList.lock);
939 PZ_Lock(nssShutdownList.lock);
941 /* make sure we don't have a duplicate */
942 i = nss_GetShutdownEntry(sFunc, appData);
943 if (i >= 0) {
944 PZ_Unlock(nssShutdownList.lock);
945 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
946 return SECFailure;
947 }
948 /* find an empty slot */
949 i = nss_GetShutdownEntry(NULL, NULL);
950 if (i >= 0) {
951 nssShutdownList.funcs[i].func = sFunc;
952 nssShutdownList.funcs[i].appData = appData;
953 PZ_Unlock(nssShutdownList.lock);
954 return SECSuccess;
955 }
956 if (nssShutdownList.allocatedFuncs == nssShutdownList.peakFuncs) {
957 struct NSSShutdownFuncPair *funcs =
958 (struct NSSShutdownFuncPair *)PORT_Realloc
959 (nssShutdownList.funcs,
960 (nssShutdownList.allocatedFuncs + NSS_SHUTDOWN_STEP)
961 *sizeof(struct NSSShutdownFuncPair));
962 if (!funcs) {
963 PZ_Unlock(nssShutdownList.lock);
964 return SECFailure;
965 }
966 nssShutdownList.funcs = funcs;
967 nssShutdownList.allocatedFuncs += NSS_SHUTDOWN_STEP;
968 }
969 nssShutdownList.funcs[nssShutdownList.peakFuncs].func = sFunc;
970 nssShutdownList.funcs[nssShutdownList.peakFuncs].appData = appData;
971 nssShutdownList.peakFuncs++;
972 PZ_Unlock(nssShutdownList.lock);
973 return SECSuccess;
974 }
976 /*
977 * unregister a callback so it won't get called on shutdown.
978 */
979 SECStatus
980 NSS_UnregisterShutdown(NSS_ShutdownFunc sFunc, void *appData)
981 {
982 int i;
984 /* make sure our lock and condition variable are initialized one and only
985 * one time */
986 if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
987 return SECFailure;
988 }
989 PZ_Lock(nssInitLock);
990 if (!NSS_IsInitialized()) {
991 PZ_Unlock(nssInitLock);
992 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
993 return SECFailure;
994 }
995 PZ_Unlock(nssInitLock);
997 PORT_Assert(nssShutdownList.lock);
998 PZ_Lock(nssShutdownList.lock);
999 i = nss_GetShutdownEntry(sFunc, appData);
1000 if (i >= 0) {
1001 nssShutdownList.funcs[i].func = NULL;
1002 nssShutdownList.funcs[i].appData = NULL;
1003 }
1004 PZ_Unlock(nssShutdownList.lock);
1006 if (i < 0) {
1007 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
1008 return SECFailure;
1009 }
1010 return SECSuccess;
1011 }
1013 /*
1014 * bring up and shutdown the shutdown list
1015 */
1016 static SECStatus
1017 nss_InitShutdownList(void)
1018 {
1019 if (nssShutdownList.lock != NULL) {
1020 return SECSuccess;
1021 }
1022 nssShutdownList.lock = PZ_NewLock(nssILockOther);
1023 if (nssShutdownList.lock == NULL) {
1024 return SECFailure;
1025 }
1026 nssShutdownList.funcs = PORT_ZNewArray(struct NSSShutdownFuncPair,
1027 NSS_SHUTDOWN_STEP);
1028 if (nssShutdownList.funcs == NULL) {
1029 PZ_DestroyLock(nssShutdownList.lock);
1030 nssShutdownList.lock = NULL;
1031 return SECFailure;
1032 }
1033 nssShutdownList.allocatedFuncs = NSS_SHUTDOWN_STEP;
1034 nssShutdownList.peakFuncs = 0;
1036 return SECSuccess;
1037 }
1039 static SECStatus
1040 nss_ShutdownShutdownList(void)
1041 {
1042 SECStatus rv = SECSuccess;
1043 int i;
1045 /* call all the registerd functions first */
1046 for (i=0; i < nssShutdownList.peakFuncs; i++) {
1047 struct NSSShutdownFuncPair *funcPair = &nssShutdownList.funcs[i];
1048 if (funcPair->func) {
1049 if ((*funcPair->func)(funcPair->appData,NULL) != SECSuccess) {
1050 rv = SECFailure;
1051 }
1052 }
1053 }
1055 nssShutdownList.peakFuncs = 0;
1056 nssShutdownList.allocatedFuncs = 0;
1057 PORT_Free(nssShutdownList.funcs);
1058 nssShutdownList.funcs = NULL;
1059 if (nssShutdownList.lock) {
1060 PZ_DestroyLock(nssShutdownList.lock);
1061 }
1062 nssShutdownList.lock = NULL;
1063 return rv;
1064 }
1067 extern const NSSError NSS_ERROR_BUSY;
1069 SECStatus
1070 nss_Shutdown(void)
1071 {
1072 SECStatus shutdownRV = SECSuccess;
1073 SECStatus rv;
1074 PRStatus status;
1075 NSSInitContext *temp;
1077 rv = nss_ShutdownShutdownList();
1078 if (rv != SECSuccess) {
1079 shutdownRV = SECFailure;
1080 }
1081 cert_DestroyLocks();
1082 ShutdownCRLCache();
1083 OCSP_ShutdownGlobal();
1084 PKIX_Shutdown(plContext);
1085 SECOID_Shutdown();
1086 status = STAN_Shutdown();
1087 cert_DestroySubjectKeyIDHashTable();
1088 pk11_SetInternalKeySlot(NULL);
1089 rv = SECMOD_Shutdown();
1090 if (rv != SECSuccess) {
1091 shutdownRV = SECFailure;
1092 }
1093 pk11sdr_Shutdown();
1094 nssArena_Shutdown();
1095 if (status == PR_FAILURE) {
1096 if (NSS_GetError() == NSS_ERROR_BUSY) {
1097 PORT_SetError(SEC_ERROR_BUSY);
1098 }
1099 shutdownRV = SECFailure;
1100 }
1101 /*
1102 * A thread's error stack is automatically destroyed when the thread
1103 * terminates, except for the primordial thread, whose error stack is
1104 * destroyed by PR_Cleanup. Since NSS is usually shut down by the
1105 * primordial thread and many NSS-based apps don't call PR_Cleanup,
1106 * we destroy the calling thread's error stack here. This must be
1107 * done after any NSS_GetError call, otherwise NSS_GetError will
1108 * create the error stack again.
1109 */
1110 nss_DestroyErrorStack();
1111 nssIsInitted = PR_FALSE;
1112 temp = nssInitContextList;
1113 nssInitContextList = NULL;
1114 /* free the old list. This is necessary when we are called from
1115 * NSS_Shutdown(). */
1116 while (temp) {
1117 NSSInitContext *next = temp->next;
1118 temp->magic = 0;
1119 PORT_Free(temp);
1120 temp = next;
1121 }
1122 return shutdownRV;
1123 }
1125 SECStatus
1126 NSS_Shutdown(void)
1127 {
1128 SECStatus rv;
1129 /* make sure our lock and condition variable are initialized one and only
1130 * one time */
1131 if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
1132 return SECFailure;
1133 }
1134 PZ_Lock(nssInitLock);
1136 if (!nssIsInitted) {
1137 PZ_Unlock(nssInitLock);
1138 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1139 return SECFailure;
1140 }
1142 /* If one or more threads are in the middle of init, wait for them
1143 * to complete */
1144 while (nssIsInInit) {
1145 PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT);
1146 }
1147 rv = nss_Shutdown();
1148 PZ_Unlock(nssInitLock);
1149 return rv;
1150 }
1152 /*
1153 * remove the context from a list. return true if found, false if not
1154 */
1155 PRBool
1156 nss_RemoveList(NSSInitContext *context) {
1157 NSSInitContext *this = nssInitContextList;
1158 NSSInitContext **last = &nssInitContextList;
1160 while (this) {
1161 if (this == context) {
1162 *last = this->next;
1163 this->magic = 0;
1164 PORT_Free(this);
1165 return PR_TRUE;
1166 }
1167 last = &this->next;
1168 this=this->next;
1169 }
1170 return PR_FALSE;
1171 }
1173 /*
1174 * This form of shutdown is safe in the case where we may have multiple
1175 * entities using NSS in a single process. Each entity calls shutdown with
1176 * it's own context. The application (which doesn't get a context), calls
1177 * shutdown with NULL. Once all users have 'checked in' NSS will shutdown.
1178 * This is different than NSS_Shutdown, where calling it will shutdown NSS
1179 * irreguardless of who else may have NSS open.
1180 */
1181 SECStatus
1182 NSS_ShutdownContext(NSSInitContext *context)
1183 {
1184 SECStatus rv = SECSuccess;
1186 /* make sure our lock and condition variable are initialized one and only
1187 * one time */
1188 if (PR_CallOnce(&nssInitOnce, nss_doLockInit) != PR_SUCCESS) {
1189 return SECFailure;
1190 }
1191 PZ_Lock(nssInitLock);
1192 /* If one or more threads are in the middle of init, wait for them
1193 * to complete */
1194 while (nssIsInInit) {
1195 PZ_WaitCondVar(nssInitCondition,PR_INTERVAL_NO_TIMEOUT);
1196 }
1198 /* OK, we are the only thread now either initializing or shutting down */
1200 if (!context) {
1201 if (!nssIsInitted) {
1202 PZ_Unlock(nssInitLock);
1203 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1204 return SECFailure;
1205 }
1206 nssIsInitted = 0;
1207 } else if (! nss_RemoveList(context)) {
1208 PZ_Unlock(nssInitLock);
1209 /* context was already freed or wasn't valid */
1210 PORT_SetError(SEC_ERROR_NOT_INITIALIZED);
1211 return SECFailure;
1212 }
1213 if ((nssIsInitted == 0) && (nssInitContextList == NULL)) {
1214 rv = nss_Shutdown();
1215 }
1217 /* NOTE: we don't try to free the nssInitLocks to prevent races against
1218 * the locks. There may be a thread, right now, waiting in NSS_Init for us
1219 * to free the lock below. If we delete the locks, bad things would happen
1220 * to that thread */
1221 PZ_Unlock(nssInitLock);
1223 return rv;
1224 }
1226 PRBool
1227 NSS_IsInitialized(void)
1228 {
1229 return (nssIsInitted) || (nssInitContextList != NULL);
1230 }
1233 extern const char __nss_base_rcsid[];
1234 extern const char __nss_base_sccsid[];
1236 PRBool
1237 NSS_VersionCheck(const char *importedVersion)
1238 {
1239 /*
1240 * This is the secret handshake algorithm.
1241 *
1242 * This release has a simple version compatibility
1243 * check algorithm. This release is not backward
1244 * compatible with previous major releases. It is
1245 * not compatible with future major, minor, or
1246 * patch releases or builds.
1247 */
1248 int vmajor = 0, vminor = 0, vpatch = 0, vbuild = 0;
1249 const char *ptr = importedVersion;
1250 volatile char c; /* force a reference that won't get optimized away */
1252 c = __nss_base_rcsid[0] + __nss_base_sccsid[0];
1254 while (isdigit(*ptr)) {
1255 vmajor = 10 * vmajor + *ptr - '0';
1256 ptr++;
1257 }
1258 if (*ptr == '.') {
1259 ptr++;
1260 while (isdigit(*ptr)) {
1261 vminor = 10 * vminor + *ptr - '0';
1262 ptr++;
1263 }
1264 if (*ptr == '.') {
1265 ptr++;
1266 while (isdigit(*ptr)) {
1267 vpatch = 10 * vpatch + *ptr - '0';
1268 ptr++;
1269 }
1270 if (*ptr == '.') {
1271 ptr++;
1272 while (isdigit(*ptr)) {
1273 vbuild = 10 * vbuild + *ptr - '0';
1274 ptr++;
1275 }
1276 }
1277 }
1278 }
1280 if (vmajor != NSS_VMAJOR) {
1281 return PR_FALSE;
1282 }
1283 if (vmajor == NSS_VMAJOR && vminor > NSS_VMINOR) {
1284 return PR_FALSE;
1285 }
1286 if (vmajor == NSS_VMAJOR && vminor == NSS_VMINOR && vpatch > NSS_VPATCH) {
1287 return PR_FALSE;
1288 }
1289 if (vmajor == NSS_VMAJOR && vminor == NSS_VMINOR &&
1290 vpatch == NSS_VPATCH && vbuild > NSS_VBUILD) {
1291 return PR_FALSE;
1292 }
1293 return PR_TRUE;
1294 }
1296 const char *
1297 NSS_GetVersion(void)
1298 {
1299 return NSS_VERSION;
1300 }
