summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMichael Stahl <Michael.Stahl@cib.de>2019-07-10 12:20:00 +0200
committerJan-Marek Glogowski <jan-marek.glogowski@extern.cib.de>2019-08-16 13:54:59 +0200
commited8c2d23a376c40f71248d760dfc3a4aed0bbd06 (patch)
tree0b6a69670707f1eab9582deb25568fc383fb597b
parent21b482f2a29f623212d81fc96bc6876cd8f48f72 (diff)
nss: upgrade to release 3.45
Fixes CVE-2019-11729 CVE-2019-11719 CVE-2019-11727, and the less important CVE-2018-12384 and CVE-2018-12404 from intermediate releases. Since NSS 3.44 it's possible to build as static libraries and for iOS; drop the nss-chromium-nss-static.patch and nss-more-static.patch and hope that it works. Drop one hunk from nss.patch that looks fixed upstream. Change-Id: I7f37ac36f7f8dfd49d0bfb4a6185ca49d4f618a3 Reviewed-on: https://gerrit.libreoffice.org/75344 Tested-by: Jenkins Reviewed-by: Michael Stahl <Michael.Stahl@cib.de> (cherry picked from commit 6efc8a33f69bc7f4be45b7b81f67cd74c163b99e) Reviewed-on: https://gerrit.libreoffice.org/75411 Tested-by: Michael Stahl <Michael.Stahl@cib.de>
-rw-r--r--download.lst4
-rw-r--r--external/nss/UnpackedTarball_nss.mk2
-rw-r--r--external/nss/clang-cl.patch.014
-rw-r--r--external/nss/nss-chromium-nss-static.patch487
-rw-r--r--external/nss/nss-more-static.patch39
-rw-r--r--external/nss/nss.patch13
6 files changed, 9 insertions, 550 deletions
diff --git a/download.lst b/download.lst
index 761d5bf28abb..70d73e76f35a 100644
--- a/download.lst
+++ b/download.lst
@@ -112,8 +112,8 @@ export MWAW_TARBALL := libmwaw-0.3.$(MWAW_VERSION_MICRO).tar.bz2
export MYSQLCPPCONN_TARBALL := 7239a4430efd4d0189c4f24df67f08e5-mysql-connector-c++-1.1.4.tar.gz
export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz
export NEON_TARBALL := 231adebe5c2f78fded3e3df6e958878e-neon-0.30.1.tar.gz
-export NSS_MD5SUM := cd649be8ee61fe15d64d7bef361b37ba
-export NSS_TARBALL := nss-3.38-with-nspr-4.19.tar.gz
+export NSS_MD5SUM := 2f7dab8f5b85b1494f6bec2cc32a1f5c
+export NSS_TARBALL := nss-3.45-with-nspr-4.21.tar.gz
export ODFGEN_MD5SUM := 32572ea48d9021bbd6fa317ddb697abc
export ODFGEN_VERSION_MICRO := 6
export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.bz2
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index 1a7ed1373230..a38e8cf1c52f 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -26,8 +26,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
external/nss/ubsan.patch.0 \
external/nss/clang-cl.patch.0 \
$(if $(filter IOS,$(OS)), \
- external/nss/nss-chromium-nss-static.patch \
- external/nss/nss-more-static.patch \
external/nss/nss-ios.patch) \
$(if $(filter MSC-INTEL,$(COM)-$(CPUNAME)), \
external/nss/nss.cygwin64.in32bit.patch) \
diff --git a/external/nss/clang-cl.patch.0 b/external/nss/clang-cl.patch.0
index 98786d49971c..7326c5a807d0 100644
--- a/external/nss/clang-cl.patch.0
+++ b/external/nss/clang-cl.patch.0
@@ -15,11 +15,11 @@
--- nspr/pr/include/prbit.h
+++ nspr/pr/include/prbit.h
@@ -14,7 +14,7 @@
- ** functions.
*/
#if defined(_WIN32) && (_MSC_VER >= 1300) && \
-- (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_ARM))
-+ (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_ARM)) && !defined __clang__
+ (defined(_M_IX86) || defined(_M_X64) || defined(_M_ARM) || \
+- defined(_M_ARM64))
++ defined(_M_ARM64)) && !defined __clang__
# include <intrin.h>
# pragma intrinsic(_BitScanForward,_BitScanReverse)
__forceinline static int __prBitScanForward32(unsigned int val)
@@ -29,15 +29,15 @@
# define PR_HAVE_BUILTIN_BITSCAN32
-#elif ((__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)) && \
+#elif defined __GNUC__ && ((__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)) && \
- (defined(__i386__) || defined(__x86_64__) || defined(__arm__))
+ (defined(__i386__) || defined(__x86_64__) || defined(__arm__) || \
+ defined(__aarch64__))
# define pr_bitscan_ctz32(val) __builtin_ctz(val)
- # define pr_bitscan_clz32(val) __builtin_clz(val)
@@ -136,7 +136,7 @@
*/
#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || \
-- defined(_M_X64) || defined(_M_ARM))
-+ defined(_M_X64) || defined(_M_ARM)) && !defined __clang__
+- defined(_M_X64) || defined(_M_ARM) || defined(_M_ARM64))
++ defined(_M_X64) || defined(_M_ARM) || defined(_M_ARM64)) && !defined __clang__
#include <stdlib.h>
#pragma intrinsic(_rotl, _rotr)
#define PR_ROTATE_LEFT32(a, bits) _rotl(a, bits)
diff --git a/external/nss/nss-chromium-nss-static.patch b/external/nss/nss-chromium-nss-static.patch
deleted file mode 100644
index 9d7a4e4352b1..000000000000
--- a/external/nss/nss-chromium-nss-static.patch
+++ /dev/null
@@ -1,487 +0,0 @@
-Based on http://src.chromium.org/viewvc/chrome/trunk/deps/third_party/nss/patches/nss-static.patch
-
---- a/a/nss/lib/certhigh/certvfy.c Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/certhigh/certvfy.c Fri May 31 17:44:06 2013 -0700
-@@ -13,9 +13,11 @@
- #include "certdb.h"
- #include "certi.h"
- #include "cryptohi.h"
-+#ifndef NSS_DISABLE_LIBPKIX
- #include "pkix.h"
- /*#include "pkix_sample_modules.h" */
- #include "pkix_pl_cert.h"
-+#endif /* NSS_DISABLE_LIBPKIX */
-
-
- #include "nsspki.h"
-@@ -24,6 +26,47 @@
- #include "pki3hack.h"
- #include "base.h"
-
-+#ifdef NSS_DISABLE_LIBPKIX
-+SECStatus
-+cert_VerifyCertChainPkix(
-+ CERTCertificate *cert,
-+ PRBool checkSig,
-+ SECCertUsage requiredUsage,
-+ PRTime time,
-+ void *wincx,
-+ CERTVerifyLog *log,
-+ PRBool *pSigerror,
-+ PRBool *pRevoked)
-+{
-+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-+ return SECFailure;
-+}
-+
-+SECStatus
-+CERT_SetUsePKIXForValidation(PRBool enable)
-+{
-+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-+ return SECFailure;
-+}
-+
-+PRBool
-+CERT_GetUsePKIXForValidation()
-+{
-+ return PR_FALSE;
-+}
-+
-+SECStatus CERT_PKIXVerifyCert(
-+ CERTCertificate *cert,
-+ SECCertificateUsage usages,
-+ CERTValInParam *paramsIn,
-+ CERTValOutParam *paramsOut,
-+ void *wincx)
-+{
-+ PORT_SetError(PR_NOT_IMPLEMENTED_ERROR);
-+ return SECFailure;
-+}
-+#endif /* NSS_DISABLE_LIBPKIX */
-+
- /*
- * Check the validity times of a certificate
- */
---- a/a/nss/lib/ckfw/nssck.api Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/ckfw/nssck.api Fri May 31 17:44:06 2013 -0700
-@@ -1752,7 +1752,7 @@
- }
- #endif /* DECLARE_STRICT_CRYPTOKI_NAMES */
-
--static CK_RV CK_ENTRY
-+CK_RV CK_ENTRY
- __ADJOIN(MODULE_NAME,C_GetFunctionList)
- (
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-@@ -1830,7 +1830,7 @@
- __ADJOIN(MODULE_NAME,C_WaitForSlotEvent)
- };
-
--static CK_RV CK_ENTRY
-+CK_RV CK_ENTRY
- __ADJOIN(MODULE_NAME,C_GetFunctionList)
- (
- CK_FUNCTION_LIST_PTR_PTR ppFunctionList
-@@ -1840,6 +1840,8 @@
- return CKR_OK;
- }
-
-+#define NSS_STATIC
-+#ifndef NSS_STATIC
- /* This one is always present */
- CK_RV CK_ENTRY
- C_GetFunctionList
-@@ -1849,6 +1850,7 @@
- {
- return __ADJOIN(MODULE_NAME,C_GetFunctionList)(ppFunctionList);
- }
-+#endif
-
- #undef __ADJOIN
-
---- a/a/nss/lib/freebl/rsa.c Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/freebl/rsa.c Fri May 31 17:44:06 2013 -0700
-@@ -1559,6 +1559,14 @@
- RSA_Cleanup();
- }
-
-+#define NSS_STATIC
-+#ifdef NSS_STATIC
-+void
-+BL_Unload(void)
-+{
-+}
-+#endif
-+
- PRBool bl_parentForkedAfterC_Initialize;
-
- /*
---- a/a/nss/lib/freebl/shvfy.c Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/freebl/shvfy.c Fri May 31 17:44:06 2013 -0700
-@@ -273,9 +273,22 @@
- return SECSuccess;
- }
-
-+/*
-+ * Define PSEUDO_FIPS if you can't do FIPS software integrity test (e.g.,
-+ * if you're using NSS as static libraries), but want to conform to the
-+ * rest of the FIPS requirements.
-+ */
-+#define NSS_STATIC
-+#ifdef NSS_STATIC
-+#define PSEUDO_FIPS
-+#endif
-+
- PRBool
- BLAPI_SHVerify(const char *name, PRFuncPtr addr)
- {
-+#ifdef PSEUDO_FIPS
-+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
-+#else
- PRBool result = PR_FALSE; /* if anything goes wrong,
- * the signature does not verify */
- /* find our shared library name */
-@@ -291,11 +303,15 @@
- }
-
- return result;
-+#endif /* PSEUDO_FIPS */
- }
-
- PRBool
- BLAPI_SHVerifyFile(const char *shName)
- {
-+#ifdef PSEUDO_FIPS
-+ return PR_TRUE; /* a lie, hence *pseudo* FIPS */
-+#else
- char *checkName = NULL;
- PRFileDesc *checkFD = NULL;
- PRFileDesc *shFD = NULL;
-@@ -492,6 +508,7 @@
- }
-
- return result;
-+#endif /* PSEUDO_FIPS */
- }
-
- PRBool
---- a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c Fri May 31 17:44:06 2013 -0700
-@@ -201,7 +201,11 @@
-
- typedef SECStatus (*pkix_DecodeCertsFunc)(char *certbuf, int certlen,
- CERTImportCertificateFunc f, void *arg);
--
-+#define NSS_STATIC
-+#ifdef NSS_STATIC
-+extern SECStatus CERT_DecodeCertPackage(char* certbuf, int certlen,
-+ CERTImportCertificateFunc f, void* arg);
-+#endif
-
- struct pkix_DecodeFuncStr {
- pkix_DecodeCertsFunc func; /* function pointer to the
-@@ -223,6 +226,11 @@
- */
- static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
- {
-+#ifdef NSS_STATIC
-+ pkix_decodeFunc.smimeLib = NULL;
-+ pkix_decodeFunc.func = CERT_DecodeCertPackage;
-+ return PR_SUCCESS;
-+#else
- pkix_decodeFunc.smimeLib =
- PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
- if (pkix_decodeFunc.smimeLib == NULL) {
-@@ -235,7 +243,7 @@
- return PR_FAILURE;
- }
- return PR_SUCCESS;
--
-+#endif
- }
-
- /*
---- a/a/nss/lib/nss/nssinit.c Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/nss/nssinit.c Fri May 31 17:44:06 2013 -0700
-@@ -20,9 +20,11 @@
- #include "secerr.h"
- #include "nssbase.h"
- #include "nssutil.h"
-+#ifndef NSS_DISABLE_LIBPKIX
- #include "pkixt.h"
- #include "pkix.h"
- #include "pkix_tools.h"
-+#endif /* NSS_DISABLE_LIBPKIX */
-
- #include "pki3hack.h"
- #include "certi.h"
-@@ -530,8 +532,10 @@
- PRBool dontFinalizeModules)
- {
- SECStatus rv = SECFailure;
-+#ifndef NSS_DISABLE_LIBPKIX
- PKIX_UInt32 actualMinorVersion = 0;
- PKIX_Error *pkixError = NULL;
-+#endif
- PRBool isReallyInitted;
- char *configStrings = NULL;
- char *configName = NULL;
-@@ -685,6 +689,7 @@
- pk11sdr_Init();
- cert_CreateSubjectKeyIDHashTable();
-
-+#ifndef NSS_DISABLE_LIBPKIX
- pkixError = PKIX_Initialize
- (PKIX_FALSE, PKIX_MAJOR_VERSION, PKIX_MINOR_VERSION,
- PKIX_MINOR_VERSION, &actualMinorVersion, &plContext);
-@@ -697,6 +702,7 @@
- CERT_SetUsePKIXForValidation(PR_TRUE);
- }
- }
-+#endif /* NSS_DISABLE_LIBPKIX */
-
-
- }
-@@ -1081,7 +1087,9 @@
- cert_DestroyLocks();
- ShutdownCRLCache();
- OCSP_ShutdownGlobal();
-+#ifndef NSS_DISABLE_LIBPKIX
- PKIX_Shutdown(plContext);
-+#endif
- SECOID_Shutdown();
- status = STAN_Shutdown();
- cert_DestroySubjectKeyIDHashTable();
---- a/a/nss/lib/pk11wrap/pk11load.c Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/pk11wrap/pk11load.c Fri May 31 17:44:06 2013 -0700
-@@ -318,6 +318,13 @@
- }
- }
-
-+#define NSS_STATIC
-+#ifdef NSS_STATIC
-+extern CK_RV NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
-+extern CK_RV FC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
-+extern char **NSC_ModuleDBFunc(unsigned long function,char *parameters, void *args);
-+extern CK_RV builtinsC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList);
-+#else
- static const char* my_shlib_name =
- SHLIB_PREFIX"nss"SHLIB_VERSION"."SHLIB_SUFFIX;
- static const char* softoken_shlib_name =
-@@ -326,12 +332,14 @@
- static PRCallOnceType loadSoftokenOnce;
- static PRLibrary* softokenLib;
- static PRInt32 softokenLoadCount;
-+#endif /* NSS_STATIC */
-
- #include "prio.h"
- #include "prprf.h"
- #include <stdio.h>
- #include "prsystem.h"
-
-+#ifndef NSS_STATIC
- /* This function must be run only once. */
- /* determine if hybrid platform, then actually load the DSO. */
- static PRStatus
-@@ -348,6 +356,7 @@
- }
- return PR_FAILURE;
- }
-+#endif /* !NSS_STATIC */
-
- /*
- * load a new module into our address space and initialize it.
-@@ -366,6 +375,16 @@
-
- /* intenal modules get loaded from their internal list */
- if (mod->internal && (mod->dllName == NULL)) {
-+#ifdef NSS_STATIC
-+ if (mod->isFIPS) {
-+ entry = FC_GetFunctionList;
-+ } else {
-+ entry = NSC_GetFunctionList;
-+ }
-+ if (mod->isModuleDB) {
-+ mod->moduleDBFunc = NSC_ModuleDBFunc;
-+ }
-+#else
- /*
- * Loads softoken as a dynamic library,
- * even though the rest of NSS assumes this as the "internal" module.
-@@ -391,6 +410,7 @@
- mod->moduleDBFunc = (CK_C_GetFunctionList)
- PR_FindSymbol(softokenLib, "NSC_ModuleDBFunc");
- }
-+#endif
-
- if (mod->moduleDBOnly) {
- mod->loaded = PR_TRUE;
-@@ -401,6 +421,15 @@
- if (mod->dllName == NULL) {
- return SECFailure;
- }
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
-+ if (strstr(mod->dllName, "nssckbi") != NULL) {
-+ mod->library = NULL;
-+ PORT_Assert(!mod->moduleDBOnly);
-+ entry = builtinsC_GetFunctionList;
-+ PORT_Assert(!mod->isModuleDB);
-+ goto library_loaded;
-+ }
-+#endif
-
- /* load the library. If this succeeds, then we have to remember to
- * unload the library if anything goes wrong from here on out...
-@@ -423,6 +452,9 @@
- mod->moduleDBFunc = (void *)
- PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
- }
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
-+library_loaded:
-+#endif
- if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE;
- if (entry == NULL) {
- if (mod->isModuleDB) {
-@@ -562,6 +594,7 @@
- * if not, we should change this to SECFailure and move it above the
- * mod->loaded = PR_FALSE; */
- if (mod->internal && (mod->dllName == NULL)) {
-+#ifndef NSS_STATIC
- if (0 == PR_ATOMIC_DECREMENT(&softokenLoadCount)) {
- if (softokenLib) {
- disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
-@@ -573,12 +606,18 @@
- }
- loadSoftokenOnce = pristineCallOnce;
- }
-+#endif
- return SECSuccess;
- }
-
- library = (PRLibrary *)mod->library;
- /* paranoia */
- if (library == NULL) {
-+#if defined(NSS_STATIC) && !defined(NSS_DISABLE_ROOT_CERTS)
-+ if (strstr(mod->dllName, "nssckbi") != NULL) {
-+ return SECSuccess;
-+ }
-+#endif
- return SECFailure;
- }
-
---- a/a/nss/lib/softoken/lgglue.c Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/softoken/lgglue.c Fri May 31 17:44:06 2013 -0700
-@@ -23,6 +23,8 @@
- static LGAddSecmodFunc legacy_glue_addSecmod = NULL;
- static LGShutdownFunc legacy_glue_shutdown = NULL;
-
-+#define NSS_STATIC
-+#ifndef NSS_STATIC
- /*
- * The following 3 functions duplicate the work done by bl_LoadLibrary.
- * We should make bl_LoadLibrary a global and replace the call to
-@@ -160,6 +161,7 @@
-
- return lib;
- }
-+#endif /* STATIC LIBRARIES */
-
- /*
- * stub files for legacy db's to be able to encrypt and decrypt
-@@ -272,6 +274,21 @@
- return SECSuccess;
- }
-
-+#ifdef NSS_STATIC
-+#ifdef NSS_DISABLE_DBM
-+ return SECFailure;
-+#else
-+ lib = (PRLibrary *) 0x8;
-+
-+ legacy_glue_open = legacy_Open;
-+ legacy_glue_readSecmod = legacy_ReadSecmodDB;
-+ legacy_glue_releaseSecmod = legacy_ReleaseSecmodDBData;
-+ legacy_glue_deleteSecmod = legacy_DeleteSecmodDB;
-+ legacy_glue_addSecmod = legacy_AddSecmodDB;
-+ legacy_glue_shutdown = legacy_Shutdown;
-+ setCryptFunction = legacy_SetCryptFunctions;
-+#endif
-+#else
- lib = sftkdb_LoadLibrary(LEGACY_LIB_NAME);
- if (lib == NULL) {
- return SECFailure;
-@@ -297,11 +314,14 @@
- PR_UnloadLibrary(lib);
- return SECFailure;
- }
-+#endif /* NSS_STATIC */
-
- /* verify the loaded library if we are in FIPS mode */
- if (isFIPS) {
- if (!BLAPI_SHVerify(LEGACY_LIB_NAME,(PRFuncPtr)legacy_glue_open)) {
-+#ifndef NSS_STATIC
- PR_UnloadLibrary(lib);
-+#endif
- return SECFailure;
- }
- legacy_glue_libCheckSucceeded = PR_TRUE;
-@@ -418,10 +438,12 @@
- #endif
- crv = (*legacy_glue_shutdown)(parentForkedAfterC_Initialize);
- }
-+#ifndef NSS_STATIC
- disableUnload = PR_GetEnv("NSS_DISABLE_UNLOAD");
- if (!disableUnload) {
- PR_UnloadLibrary(legacy_glue_lib);
- }
-+#endif
- legacy_glue_lib = NULL;
- legacy_glue_open = NULL;
- legacy_glue_readSecmod = NULL;
---- a/a/nss/lib/softoken/lgglue.h Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/softoken/lgglue.h Fri May 31 17:44:06 2013 -0700
-@@ -38,6 +38,25 @@
- typedef void (*LGSetForkStateFunc)(PRBool);
- typedef void (*LGSetCryptFunc)(LGEncryptFunc, LGDecryptFunc);
-
-+extern CK_RV legacy_Open(const char *dir, const char *certPrefix,
-+ const char *keyPrefix,
-+ int certVersion, int keyVersion, int flags,
-+ SDB **certDB, SDB **keyDB);
-+extern char ** legacy_ReadSecmodDB(const char *appName,
-+ const char *filename,
-+ const char *dbname, char *params, PRBool rw);
-+extern SECStatus legacy_ReleaseSecmodDBData(const char *appName,
-+ const char *filename,
-+ const char *dbname, char **params, PRBool rw);
-+extern SECStatus legacy_DeleteSecmodDB(const char *appName,
-+ const char *filename,
-+ const char *dbname, char *params, PRBool rw);
-+extern SECStatus legacy_AddSecmodDB(const char *appName,
-+ const char *filename,
-+ const char *dbname, char *params, PRBool rw);
-+extern SECStatus legacy_Shutdown(PRBool forked);
-+extern void legacy_SetCryptFunctions(LGEncryptFunc, LGDecryptFunc);
-+
- /*
- * Softoken Glue Functions
- */
---- a/a/nss/lib/util/secport.h Tue May 28 23:37:46 2013 +0200
-+++ a/a/nss/lib/util/secport.h Fri May 31 17:44:06 2013 -0700
-@@ -210,6 +210,8 @@
-
- extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
-
-+#define NSS_STATIC
-+#ifndef NSS_STATIC
- /*
- * Load a shared library called "newShLibName" in the same directory as
- * a shared library that is already loaded, called existingShLibName.
-@@ -244,6 +245,7 @@
- PORT_LoadLibraryFromOrigin(const char* existingShLibName,
- PRFuncPtr staticShLibFunc,
- const char *newShLibName);
-+#endif /* NSS_STATIC */
-
- SEC_END_PROTOS
-
diff --git a/external/nss/nss-more-static.patch b/external/nss/nss-more-static.patch
deleted file mode 100644
index 26948f0be24c..000000000000
--- a/external/nss/nss-more-static.patch
+++ /dev/null
@@ -1,39 +0,0 @@
---- a/a/nss/lib/freebl/loader.c
-+++ a/a/nss/lib/freebl/loader.c
-@@ -114,6 +114,7 @@
-
- #include "genload.c"
-
-+extern FREEBLGetVectorFn FREEBL_GetVector;
- /* This function must be run only once. */
- /* determine if hybrid platform, then actually load the DSO. */
- static PRStatus
-@@ -136,9 +136,9 @@
- return PR_FAILURE;
- }
-
-- handle = loader_LoadLibrary(name);
-- if (handle) {
-- PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
-+ handle = 0;
-+ {
-+ PRFuncPtr address = FREEBL_GetVector;
- if (address) {
- FREEBLGetVectorFn *getVector = (FREEBLGetVectorFn *)address;
- const FREEBLVector *dsoVector = getVector();
-@@ -887,6 +887,7 @@
- void
- BL_Unload(void)
- {
-+#if 0
- /* This function is not thread-safe, but doesn't need to be, because it is
- * only called from functions that are also defined as not thread-safe,
- * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
-@@ -905,6 +905,7 @@
- }
- blLib = NULL;
- loadFreeBLOnce = pristineCallOnce;
-+#endif
- }
-
- /* ============== New for 3.003 =============================== */
diff --git a/external/nss/nss.patch b/external/nss/nss.patch
index 1eb0bf70d866..3f76fc52436d 100644
--- a/external/nss/nss.patch
+++ b/external/nss/nss.patch
@@ -153,16 +153,3 @@
#! gmake
#
# This Source Code Form is subject to the terms of the Mozilla Public
-@@ -89,10 +91,10 @@
- NSPR_CONFIGURE_ENV = CC=gcc CXX=g++
- endif
- ifdef CC
--NSPR_CONFIGURE_ENV = CC=$(CC)
-+NSPR_CONFIGURE_ENV = CC="$(CC) "
- endif
- ifdef CCC
--NSPR_CONFIGURE_ENV += CXX=$(CCC)
-+NSPR_CONFIGURE_ENV += CXX="$(CCC) "
- endif
- # Remove -arch definitions. NSPR can't handle that.
- NSPR_CONFIGURE_ENV := $(filter-out -arch x86_64,$(NSPR_CONFIGURE_ENV))