authorMichael Stahl <michael.stahl@allotropia.de>2021-10-19 15:17:39 +0200
committerAndras Timar <andras.timar@collabora.com>2022-01-02 21:19:33 +0100
commitdf733806129c54ff25ca8dbf4cc26d51107bee7a (patch)
tree22fad5124264a2ec98f4f6c699a7de361473750c
parentf18b9277af617049a51f59b069df28121de11e27 (diff)
nss: upgrade to release 3.73
Fixes: CVE-2021-43527 Memory corruption via DER-encoded DSA and RSA-PSS signatures Includes: nss: upgrade to release 3.71 * external/nss/nss.getopt.patch.0: fixed upstream * external/nss/nss-win-arm64.patch: fixed upstream * external/nss/nss_macosx.patch: one hunk was fixed upstream Conflicts: download.lst Change-Id: I5c3f169c57fc2763029b07ad7e325b2f53b7e28f Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126218 Tested-by: Thorsten Behrens <thorsten.behrens@allotropia.de> Reviewed-by: Thorsten Behrens <thorsten.behrens@allotropia.de> (cherry picked from commit c8e21d246bcb4289cb25c82be440cd07b7418436) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/126252 Tested-by: Jenkins Reviewed-by: Michael Stahl <michael.stahl@allotropia.de>
-rw-r--r--download.lst4
-rw-r--r--external/nss/UnpackedTarball_nss.mk1
-rw-r--r--external/nss/nss-android.patch.16
-rw-r--r--external/nss/nss-ios.patch216
-rw-r--r--external/nss/nss-restore-manual-pre-dependencies.patch.14
-rw-r--r--external/nss/nss.getopt.patch.025
-rw-r--r--external/nss/nss_macosx.patch14
7 files changed, 209 insertions, 61 deletions
diff --git a/download.lst b/download.lst
index 42c3ad26bfa0..f6a0836c8128 100644
--- a/download.lst
+++ b/download.lst
@@ -191,8 +191,8 @@ export MYTHES_SHA256SUM := 1e81f395d8c851c3e4e75b568e20fa2fa549354e75ab397f9de4b
export MYTHES_TARBALL := a8c2c5b8f09e7ede322d5c602ff6a4b6-mythes-1.2.4.tar.gz
export NEON_SHA256SUM := db0bd8cdec329b48f53a6f00199c92d5ba40b0f015b153718d1b15d3d967fbca
export NEON_TARBALL := neon-0.30.2.tar.gz
-export NSS_SHA256SUM := ec6032d78663c6ef90b4b83eb552dedf721d2bce208cec3bf527b8f637db7e45
-export NSS_TARBALL := nss-3.55-with-nspr-4.27.tar.gz
+export NSS_SHA256SUM := 07a9e5b70f121a62706140d4cacc3006d3efb869da40f3a2bf7a65d37847f4d9
+export NSS_TARBALL := nss-3.73-with-nspr-4.32.tar.gz
export ODFGEN_SHA256SUM := 2c7b21892f84a4c67546f84611eccdad6259875c971e98ddb027da66ea0ac9c2
export ODFGEN_VERSION_MICRO := 6
export ODFGEN_TARBALL := libodfgen-0.1.$(ODFGEN_VERSION_MICRO).tar.bz2
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index dab244c867b8..4f8499e8a835 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -27,7 +27,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
external/nss/nss-bz1646594.patch.1 \
external/nss/macos-dlopen.patch.0 \
external/nss/nss-restore-manual-pre-dependencies.patch.1 \
- external/nss/nss.getopt.patch.0 \
$(if $(filter iOS,$(OS)), \
external/nss/nss-ios.patch) \
$(if $(filter ANDROID,$(OS)), \
diff --git a/external/nss/nss-android.patch.1 b/external/nss/nss-android.patch.1
index b77663c59eb3..7fb10ae522c7 100644
--- a/external/nss/nss-android.patch.1
+++ b/external/nss/nss-android.patch.1
@@ -10,9 +10,9 @@ diff -ur nss.org/nspr/build/autoconf/config.sub nss/nspr/build/autoconf/config.s
+if test $1 = "i686-pc-linux-android"; then echo $1; exit; fi
+if test $1 = "x86_64-pc-linux-android"; then echo $1; exit; fi
+
- # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
- # Here we must recognize all the valid KERNEL-OS combinations.
- maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
+ # Split fields of configuration type
+ # shellcheck disable=SC2162
+ IFS="-" read field1 field2 field3 field4 <<EOF
diff -ur nss.org/nspr/configure nss/nspr/configure
--- nss.org/nspr/configure 2017-09-07 15:29:45.018246359 +0200
+++ nss/nspr/configure 2017-09-07 15:31:47.604075663 +0200
diff --git a/external/nss/nss-ios.patch b/external/nss/nss-ios.patch
index 9d4af2c724e9..4263ecbe5f3d 100644
--- a/external/nss/nss-ios.patch
+++ b/external/nss/nss-ios.patch
@@ -1,3 +1,201 @@
+--- a/a/nss/Makefile
++++ a/a/nss/Makefile
+@@ -96,13 +96,11 @@
+ ifdef NS_USE_GCC
+ NSPR_CONFIGURE_ENV = CC=gcc CXX=g++
+ endif
+-# Make sure to remove -arch arguments. NSPR can't handle that.
+-remove_arch = $(filter-out __REMOVEME%,$(subst $(NULL) -arch , __REMOVEME,$(1)))
+ ifdef CC
+-NSPR_CONFIGURE_ENV = CC="$(call remove_arch,$(CC))"
++NSPR_CONFIGURE_ENV = CC="$(CC)"
+ endif
+ ifdef CCC
+-NSPR_CONFIGURE_ENV += CXX="$(call remove_arch,$(CCC))"
++NSPR_CONFIGURE_ENV += CXX="$(CCC)"
+ endif
+
+ #
+@@ -140,7 +140,6 @@
+
+ build_nspr: $(NSPR_CONFIG_STATUS)
+ $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+- $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
+
+ install_nspr: build_nspr
+ $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+--- a/a/nss/lib/ckfw/builtins/manifest.mn
++++ a/a/nss/lib/ckfw/builtins/manifest.mn
+@@ -5,7 +5,7 @@
+
+ CORE_DEPTH = ../../..
+
+-DIRS = testlib
++DIRS =
+
+ MODULE = nss
+
+--- a/a/nss/lib/nss/nssinit.c
++++ a/a/nss/lib/nss/nssinit.c
+@@ -278,6 +278,7 @@
+ const char *secmodprefix,
+ char **retoldpath, char **retnewpath)
+ {
++#ifndef NSS_STATIC_PKCS11
+ char *path, *oldpath = NULL, *lastsep;
+ int len, path_len, secmod_len, dll_len;
+
+@@ -309,6 +309,10 @@
+ }
+ *retoldpath = oldpath;
+ *retnewpath = path;
++#else
++ *retoldpath = NULL;
++ *retnewpath = PORT_Strdup("NSSCKBI");
++#endif
+ return;
+ }
+
+--- a/a/nss/lib/pk11wrap/pk11load.c
++++ a/a/nss/lib/pk11wrap/pk11load.c
+@@ -389,6 +389,8 @@
+ /*
+ * load a new module into our address space and initialize it.
+ */
++extern CK_RV NSSCKBI_C_GetFunctionList();
++
+ SECStatus
+ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
+ {
+@@ -465,6 +465,7 @@
+ /* load the library. If this succeeds, then we have to remember to
+ * unload the library if anything goes wrong from here on out...
+ */
++#ifndef NSS_STATIC_PKCS11 // With NSS_STATIC_PKCS11, the only module wodule we load here is nssckbi
+ library = PR_LoadLibrary(mod->dllName);
+ mod->library = (void *)library;
+
+@@ -487,6 +487,11 @@
+ mod->moduleDBFunc = (void *)
+ PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
+ }
++#else
++ if (strcmp(mod->dllName, "NSSCKBI") == 0)
++ fentry = NSSCKBI_C_GetFunctionList;
++#endif
++
+ if (mod->moduleDBFunc == NULL)
+ mod->isModuleDB = PR_FALSE;
+ if ((ientry == NULL) && (fentry == NULL)) {
+@@ -624,10 +624,12 @@
+ }
+ fail:
+ mod->functionList = NULL;
++#ifndef NSS_STATIC_PKCS11
+ disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+ if (library && !disableUnload) {
+ PR_UnloadLibrary(library);
+ }
++#endif
+ return SECFailure;
+ }
+
+--- a/a/nss/lib/ckfw/nssck.api
++++ a/a/nss/lib/ckfw/nssck.api
+@@ -1842,7 +1842,11 @@
+
+ /* This one is always present */
+ CK_RV CK_ENTRY
++#ifndef NSS_STATIC_PKCS11
+ C_GetFunctionList
++#else
++NSSCKBI_C_GetFunctionList
++#endif
+ (
+ CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+ )
+--- a/a/nss/lib/freebl/loader.c
++++ a/a/nss/lib/freebl/loader.c
+@@ -35,6 +35,7 @@
+ static PRStatus
+ freebl_LoadDSO(void)
+ {
++#ifndef NSS_STATIC_FREEBL
+ PRLibrary *handle;
+ const char *name = getLibName();
+
+@@ -47,32 +47,42 @@
+ if (handle) {
+ PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
+ if (address) {
+- FREEBLGetVectorFn *getVector = (FREEBLGetVectorFn *)address;
++#else
++ FREEBLGetVectorFn *getVector = FREEBL_GetVector;
++#endif
+ const FREEBLVector *dsoVector = getVector();
+ if (dsoVector) {
+ unsigned short dsoVersion = dsoVector->version;
+ unsigned short myVersion = FREEBL_VERSION;
+ if (MSB(dsoVersion) == MSB(myVersion) &&
+ LSB(dsoVersion) >= LSB(myVersion) &&
+ dsoVector->length >= sizeof(FREEBLVector)) {
+ vector = dsoVector;
++#ifndef NSS_STATIC_FREEBL
+ libraryName = name;
+ blLib = handle;
++#else
++ libraryName = "self";
++#endif
+ return PR_SUCCESS;
+ }
+ }
++ else
++ return PR_FAILURE;
++#ifndef NSS_STATIC_FREEBL
+ }
+ #ifdef DEBUG
+ if (blLib) {
+ PRStatus status = PR_UnloadLibrary(blLib);
+ PORT_Assert(PR_SUCCESS == status);
+ }
+ #else
+ if (blLib)
+ PR_UnloadLibrary(blLib);
+ #endif
+ }
+ return PR_FAILURE;
++#endif
+ }
+
+ static const PRCallOnceType pristineCallOnce;
+@@ -837,6 +837,7 @@
+ void
+ BL_Unload(void)
+ {
++#ifndef NSS_STATIC_FREEBL
+ /* This function is not thread-safe, but doesn't need to be, because it is
+ * only called from functions that are also defined as not thread-safe,
+ * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
+@@ -852,6 +852,7 @@
+ PR_UnloadLibrary(blLib);
+ #endif
+ }
++#endif
+ blLib = NULL;
+ loadFreeBLOnce = pristineCallOnce;
+ }
+--- a/a/nspr/build/autoconf/config.sub 2017-09-07 15:29:45.031246453 +0200
++++ a/a/nspr/build/autoconf/config.sub 2017-09-07 15:32:13.087235423 +0200
+@@ -111,6 +111,9 @@
+ exit 1;;
+ esac
+
++if test $1 = "arm64-apple-darwin"; then echo $1; exit; fi
++if test $1 = "aarch64-apple-darwin"; then echo $1; exit; fi
++
+ # Split fields of configuration type
+ # shellcheck disable=SC2162
+ IFS="-" read field1 field2 field3 field4 <<EOF
--- a/a/nspr/config/autoconf.mk.in
+++ a/a/nspr/config/autoconf.mk.in
@@ -67,7 +67,7 @@
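Review bot: In the `nss/lib/freebl/loader.c` part of this added patch, `freebl_LoadDSO` built with `NSS_STATIC_FREEBL` can fall off the end of a function returning `PRStatus`: if `getVector()` returns a vector that fails the version or length comparison, neither `return PR_SUCCESS;` nor the new `else return PR_FAILURE;` is taken, and the trailing `return PR_FAILURE;` is compiled out by the last `#ifndef NSS_STATIC_FREEBL`. The caller would then read an indeterminate status on a path where `vector` was never assigned; with a statically linked freebl the versions presumably always match, so this is latent rather than reachable today. Dropping the `else` and ending the function with `#else` / `return PR_FAILURE;` / `#endif` would give every path a defined result. In the `pk11load.c` part, `extern CK_RV NSSCKBI_C_GetFunctionList();` has an empty parameter list, so the assignment to `fentry` is not type-checked; declaring it with the `CK_FUNCTION_LIST_PTR_PTR ppFunctionList` parameter shown in the `nssck.api` section would restore that check, and the `#ifndef` comment there reads `module wodule`. Indentation is lost on this page and the inner hunks show only parts of both functions, so the brace structure above is read from the visible lines only.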
@@ -62,7 +260,7 @@
MKSHLIB += -exported_symbols_list $(MAPFILE)
--- a/a/nss/coreconf/UNIX.mk
+++ a/a/nss/coreconf/UNIX.mk
-@@ -21,10 +21,14 @@
+@@ -19,10 +19,14 @@
ifdef BUILD_TREE
NSINSTALL_DIR = $(BUILD_TREE)/nss
@@ -76,7 +274,7 @@
+endif
endif
- MKDEPEND_DIR = $(CORE_DEPTH)/coreconf/mkdepend
+ ####################################################################
--- a/a/nspr/pr/include/md/_darwin.h
+++ a/a/nspr/pr/include/md/_darwin.h
@@ -26,6 +26,8 @@
@@ -88,24 +286,14 @@
#elif defined(__aarch64__)
#define _PR_SI_ARCHITECTURE "aarch64"
#else
---- a/a/nspr/pr/src/Makefile.in
-+++ a/a/nspr/pr/src/Makefile.in
-@@ -180,7 +180,7 @@
- endif
-
- ifeq ($(OS_TARGET),MacOSX)
--OS_LIBS = -framework CoreServices -framework CoreFoundation
-+OS_LIBS = -framework CoreFoundation
- endif
-
- EXTRA_LIBS += $(OS_LIBS)
--- a/a/nss/cmd/shlibsign/sign.sh
+++ a/a/nss/cmd/shlibsign/sign.sh
-@@ -2,6 +2,8 @@
+@@ -2,6 +2,9 @@
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
++# Pointless to sign anything for iOS as we don't build any real shared libraries
+exit 0
# arguments:
diff --git a/external/nss/nss-restore-manual-pre-dependencies.patch.1 b/external/nss/nss-restore-manual-pre-dependencies.patch.1
index ebcc5b48c540..06691b1ec957 100644
--- a/external/nss/nss-restore-manual-pre-dependencies.patch.1
+++ b/external/nss/nss-restore-manual-pre-dependencies.patch.1
@@ -79,5 +79,5 @@ summary: Bug 1637083 Replace pre-dependency with shell hack r=rrelyea
+ $(MAKE) -C lib/base libs
+ IGNORE_DIRS=1 $(MAKE) -C lib/ckfw/builtins libs
- all: prepare_build
- $(MAKE) libs
+ lib: coreconf
+ cmd: lib
diff --git a/external/nss/nss.getopt.patch.0 b/external/nss/nss.getopt.patch.0
deleted file mode 100644
index aeabb33f9b97..000000000000
--- a/external/nss/nss.getopt.patch.0
+++ /dev/null
@@ -1,25 +0,0 @@
-# pr/tests/sel_spd.c:427:20: error: implicit declaration of function 'getopt' is invalid in C99 [-Werror,-Wimplicit-function-declaration]
---- nspr/pr/tests/sel_spd.c
-+++ nspr/pr/tests/sel_spd.c
-@@ -15,6 +15,9 @@
- #include <stdio.h>
- #include <errno.h>
- #include <string.h>
-+
-+extern char *optarg;
-+int getopt(int argc, char *const argv[], const char *optstring);
-
- #ifdef DEBUG
- #define PORT_INC_DO +100
---- nspr/pr/tests/testfile.c
-+++ nspr/pr/tests/testfile.c
-@@ -23,6 +23,9 @@
- #include <getopt.h>
- #include <errno.h>
- #endif /* XP_OS2 */
-+
-+extern char *optarg;
-+int getopt(int argc, char *const argv[], const char *optstring);
-
- static int _debug_on = 0;
-
diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch
index 07b60a5ed00d..1e7599be6133 100644
--- a/external/nss/nss_macosx.patch
+++ b/external/nss/nss_macosx.patch
@@ -88,17 +88,3 @@ diff -ru a/nss/Makefile b/nss/Makefile
ifdef USE_DEBUG_RTL
NSPR_CONFIGURE_OPTS += --enable-debug-rtl
endif
---- a/a/nspr/pr/include/md/_darwin.h
-+++ b/b/nspr/pr/include/md/_darwin.h
-@@ -40,11 +40,7 @@
-
- #undef HAVE_STACK_GROWING_UP
- #define HAVE_DLL
--#if defined(__x86_64__) || TARGET_OS_IPHONE
- #define USE_DLFCN
--#else
--#define USE_MACH_DYLD
--#endif
- #define _PR_HAVE_SOCKADDR_LEN
- #define _PR_STAT_HAS_ST_ATIMESPEC
- #define _PR_HAVE_LARGE_OFF_T