NSS softoken presents a PKCS #11 API to the NSS low level crypto. This allows NSS to have native support for replacement PKCS #11 libraries, and is also the FIPS boundary, allowing the rest of NSS to change without affecting any FIPS validations.

Some applications that need crypto, but have their own higher level implementations of SSL or S/MIME use NSS softoken. Softoken has 2 general APIs: NSC_xxxx calls which implement the normal NSS interface, but does not include any FIPS restrictions, The FC_xxx interfaces which implements FIPS restrictions on the semantics of the calls and additional FIPS requirements (like self-tests and software integrity checks). The official PKCS #11 APIs are C_xxx interfaces, and NSS exports those as aliases for NSC_xxxx calls.

Right now applications that use softoken have to know the NSS names if they want to access the FIPS api. This bugs removes this restriction and causes calls to C_xxxx to alias to FC_xxxxx if the system is in FIPS mode. If the system has no system FIPS indicator, or the that indicator is off, the C_xxxx will continue to call NSC_xxxxx. NSS itself will continue to use NSC_xxxx or FC_xxxx according to the NSS internal FIPS settings.

NSS softoken presents a PKCS #11 API to the NSS low level crypto. This allows NSS to have native support for replacement PKCS #11 libraries, and is also the FIPS boundary, allowing the rest of NSS to change without affecting any FIPS validations.

Some applications that need crypto, but have their own higher level implementations of SSL or S/MIME use NSS softoken. Softoken has 2 general APIs: NSC_xxxx calls which implement the normal NSS interface, but does not include any FIPS restrictions, The FC_xxx interfaces which implements FIPS restrictions on the semantics of the calls and additional FIPS requirements (like self-tests and software integrity checks). The official PKCS #11 APIs are C_xxx interfaces, and NSS exports those as aliases for NSC_xxxx calls.

Right now applications that use softoken have to know the NSS names if they want to access the FIPS api. This bugs removes this restriction and causes calls to C_xxxx to alias to FC_xxxxx if the system is in FIPS mode. If the system has no system FIPS indicator, or the that indicator is off, the C_xxxx will continue to call NSC_xxxxx. NSS itself will continue to use NSC_xxxx or FC_xxxx according to the NSS internal FIPS settings.

Currently there are 3 layers in NSS with code that identifies the whether the system is in NSS: nss proper (which is also exported to applications), and freebl for the Freebl hash direct case. This code would add a 3rd (in softoken). Rather than adding a third, this patch relocates the main function to nssutil where softoken, nss, and freebl can all access it. The exception is when building freebl with 'NODEPEND' (freebl can provide hashing without dependencies on NSPR or NSSUTIL), there needs to be a stub implementation. In most platforms and cases this stub is never compiled.

https://hg.mozilla.org/projects/nss/rev/762cb673ca8c5c8be861ead872d1c48e9d654f98

What exactly is the environment where the build fail. It succeeds on my Linux box?