[Libreoffice-commits] core.git: Branch 'feature/cib_contract891' - 8 commits - download.lst external/nss xmlsecurity/source

Michael Stahl (via logerrit) logerrit at kemper.freedesktop.org
Thu Oct 1 13:39:41 UTC 2020


Rebased ref, commits from common ancestor:
commit 7fc932945585f11dc766d0d8610f286b39fce2d2
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Fri Aug 7 18:57:00 2020 +0200
Commit:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
CommitDate: Thu Oct 1 15:35:32 2020 +0200

    nss: upgrade to release 3.55.0
    
    Fixes CVE-2020-6829, CVE-2020-12400 CVE-2020-12401 CVE-2020-12403.
    (also CVE-2020-12402 CVE-2020-12399 in older releases since 3.47)
    
    * external/nss/nss.nspr-parallel-win-debug_build.patch:
      remove, merged upstream
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100345
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.stahl at cib.de>
    (cherry picked from commit 495a5944a3d442cfe748a3bb0dcef76f6a961d30)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100420
    Reviewed-by: Xisco Fauli <xiscofauli at libreoffice.org>
    (cherry picked from commit 227d30a3a17f2fffb1a166cdc3e2a796bb335214)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100590
    Reviewed-by: Caolán McNamara <caolanm at redhat.com>
    (cherry picked from commit 94cecbfdf3cf01fe3d5658c7edf78696da2a249f)
    
    Conflicts:
            download.lst
            external/nss/UnpackedTarball_nss.mk
    
    Change-Id: I8b48e25ce68a2327cde1420abdaea8f9e51a7888

diff --git a/download.lst b/download.lst
index f268b74c5722..82a49260fb41 100644
--- a/download.lst
+++ b/download.lst
@@ -34,8 +34,8 @@ LIBEOT_MD5SUM := aa24f5dd2a2992f4a116aa72af817548
 export LIBEOT_TARBALL := libeot-0.01.tar.bz2
 LANGTAGREG_MD5SUM := 504af523f5d1a5590bbeb6a4b55e8a97
 export LANGTAGREG_TARBALL := language-subtag-registry-2014-03-27.tar.bz2
-NSS_MD5SUM := 22fa83bfedda5fde047a714d8a4d8968
-export NSS_TARBALL := nss-3.53-with-nspr-4.25.tar.gz
+NSS_MD5SUM := d18bfd181e345cd07c0213d62bdf9ad7
+export NSS_TARBALL := nss-3.55-with-nspr-4.27.tar.gz
 PYTHON_MD5SUM := 803a75927f8f241ca78633890c798021
 export PYTHON_TARBALL := Python-3.3.5.tgz
 OPENSSL_MD5SUM := 44279b8557c3247cbe324e2322ecd114
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index db6bdd4640c8..cf7ad65803a1 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -20,7 +20,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
     $(if $(findstring 120_70,$(VCVER)_$(WINDOWS_SDK_VERSION)), \
         external/nss/nss-winXP-sdk.patch.1) \
 	$(if $(filter WNTMSC,$(OS)$(COM)),external/nss/nss-no-c99.patch) \
-	external/nss/nss.nspr-parallel-win-debug_build.patch \
 ))
 
 # vim: set noet sw=4 ts=4:
diff --git a/external/nss/nss.nspr-parallel-win-debug_build.patch b/external/nss/nss.nspr-parallel-win-debug_build.patch
deleted file mode 100644
index 86b55e1ccf7f..000000000000
--- a/external/nss/nss.nspr-parallel-win-debug_build.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-Änderung:        4866:23940b78e965
-Nutzer:          Jan-Marek Glogowski <glogow at fbihome.de>
-Datum:           Fri May 01 22:50:55 2020 +0000
-Dateien:         pr/tests/Makefile.in
-Beschreibung:
-Bug 290526 Write separate PDBs for test OBJs r=glandium
-
-Quite often when running a parallel NSS build, I get the following
-compiler error message, resulting in a build failure, despite
-compiling with the -FS flag:
-
-.../nss/nspr/pr/tests/zerolen.c: fatal error C1041:
-Programmdatenbank "...\nss\nspr\out\pr\tests\vc140.pdb" kann nicht
-ge<94>ffnet werden; verwenden Sie /FS, wenn mehrere CL.EXE in
-dieselbe .PDB-Datei schreiben.
-
-The failing source file is always one of the last test object
-files. But the actual problem is not the compiler accessing the
-PDB file, but the linker already linking the first test
-executables accessing the shared PDB; at least that's my guess.
-
-So instead of using a shared PDB for all test object files, this
-uses -Fd$(@:.$(OBJ_SUFFIX)=.pdb) to write a separate PDB for every
-test's object file. The linker works fine with the shared OBJ PDB.
-
-Differential Revision: https://phabricator.services.mozilla.com/D68693
-
-
-diff -r 219d131499d5 -r 23940b78e965 nss/nspr/pr/tests/Makefile.in
---- a/nss/nspr/pr/tests/Makefile.in	Mon Feb 10 20:58:42 2020 +0000
-+++ b/nss/nspr/pr/tests/Makefile.in	Fri May 01 22:50:55 2020 +0000
-@@ -211,6 +211,7 @@
- else
-   EXTRA_LIBS += ws2_32.lib
-   LDOPTS = -NOLOGO -DEBUG -DEBUGTYPE:CV -INCREMENTAL:NO
-+  CFLAGS += -Fd$(@:.$(OBJ_SUFFIX)=.pdb)
-   ifdef PROFILE
-     LDOPTS += -PROFILE -MAP
-   endif # profile
-
commit 85a59a30359cd454830b3403f8dcdc01584f3e13
Author:     Jan-Marek Glogowski <glogow at fbihome.de>
AuthorDate: Wed Jun 26 18:09:19 2019 +0200
Commit:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
CommitDate: Thu Oct 1 15:32:17 2020 +0200

    NSS: enable parallel build
    
    Since NSS 3.53, the Makefile based build should be fixed (upstream
    bug 290526). The only missing patch is a minimal NSPR fix for the
    "NSPR, configure + make, parallel, Windows, MS VS, debug" build.
    That patch isn't incuded in the NSPR 4.25 release (but it's already
    in the mercurial repo for NSPR 4.26).
    
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/95218
    Tested-by: Jenkins
    Reviewed-by: Jan-Marek Glogowski <glogow at fbihome.de>
    (cherry picked from commit b56e8d6def26a0430853835e997f1be841840a61)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100419
    Reviewed-by: Michael Stahl <michael.stahl at cib.de>
    (cherry picked from commit c1bce55faebd9ad8751d7b6b9a7f77dff7b3d507)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/100589
    (cherry picked from commit 3e4dbb1708d4b3b7619602b63602b884a7bb2caa)
    
    Conflicts:
            download.lst
            external/nss/ExternalProject_nss.mk
            external/nss/UnpackedTarball_nss.mk
            external/nss/nss-win32-make.patch.1
    
    Change-Id: I8eaa3792a12bdff734e56ac3f552991478957e23

diff --git a/download.lst b/download.lst
index 43082bcb044e..f268b74c5722 100644
--- a/download.lst
+++ b/download.lst
@@ -34,8 +34,8 @@ LIBEOT_MD5SUM := aa24f5dd2a2992f4a116aa72af817548
 export LIBEOT_TARBALL := libeot-0.01.tar.bz2
 LANGTAGREG_MD5SUM := 504af523f5d1a5590bbeb6a4b55e8a97
 export LANGTAGREG_TARBALL := language-subtag-registry-2014-03-27.tar.bz2
-NSS_MD5SUM := 9bc54feb6f1e39c60932f668d3caab5e
-export NSS_TARBALL := nss-3.47.1-with-nspr-4.23.tar.gz
+NSS_MD5SUM := 22fa83bfedda5fde047a714d8a4d8968
+export NSS_TARBALL := nss-3.53-with-nspr-4.25.tar.gz
 PYTHON_MD5SUM := 803a75927f8f241ca78633890c798021
 export PYTHON_TARBALL := Python-3.3.5.tgz
 OPENSSL_MD5SUM := 44279b8557c3247cbe324e2322ecd114
diff --git a/external/nss/ExternalProject_nss.mk b/external/nss/ExternalProject_nss.mk
index 46e0cf218546..18b07d63c6c4 100644
--- a/external/nss/ExternalProject_nss.mk
+++ b/external/nss/ExternalProject_nss.mk
@@ -30,11 +30,11 @@ $(call gb_ExternalProject_get_state_target,nss,build): $(call gb_ExternalProject
 		$(if $(MSVC_USE_DEBUG_RUNTIME),USE_DEBUG_RTL=1,BUILD_OPT=1) \
 		NSS_DISABLE_GTESTS=1 \
 		NSS_ENABLE_WERROR=0 \
-		MOZ_MSVCVERSION=9 OS_TARGET=WIN95 \
+		OS_TARGET=WIN95 \
 		$(if $(filter X86_64,$(CPUNAME)),USE_64=1) \
 		LIB="$(ILIB)" \
 		XCFLAGS="$(SOLARINC)" \
-		$(MAKE) -j1 nss_build_all RC="rc.exe $(SOLARINC)" \
+		$(MAKE) nss_build_all RC="rc.exe $(SOLARINC)" \
 			NSINSTALL='$(call gb_ExternalExecutable_get_command,python) $(SRCDIR)/external/nss/nsinstall.py' \
 	,nss)
 
@@ -68,7 +68,7 @@ $(call gb_ExternalProject_get_state_target,nss,build): $(call gb_ExternalProject
 		$(if $(filter YES,$(CROSS_COMPILING)),\
 		NSINSTALL="$(call gb_ExternalExecutable_get_command,python) $(SRCDIR)/external/nss/nsinstall.py") \
 		NSDISTMODE=copy \
-		$(MAKE) -j1 AR=$(AR) RANLIB=$(RANLIB) CCC="$(CXX)" NMEDIT=$(NM)edit nss_build_all \
+		$(MAKE) AR=$(AR) RANLIB=$(RANLIB) CCC="$(CXX)" NMEDIT=$(NM)edit nss_build_all \
 		&& rm -f $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/*.a \
 		$(if $(filter MACOSX,$(OS)),\
 			&& chmod u+w $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/*.dylib \
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index cf7ad65803a1..db6bdd4640c8 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -20,6 +20,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
     $(if $(findstring 120_70,$(VCVER)_$(WINDOWS_SDK_VERSION)), \
         external/nss/nss-winXP-sdk.patch.1) \
 	$(if $(filter WNTMSC,$(OS)$(COM)),external/nss/nss-no-c99.patch) \
+	external/nss/nss.nspr-parallel-win-debug_build.patch \
 ))
 
 # vim: set noet sw=4 ts=4:
diff --git a/external/nss/nsinstall.py b/external/nss/nsinstall.py
index 31b3de3450c5..80e9c1679373 100644
--- a/external/nss/nsinstall.py
+++ b/external/nss/nsinstall.py
@@ -155,7 +155,12 @@ def nsinstall(argv):
   target = args.pop()
   # ensure target directory
   if not os.path.isdir(target):
-    os.makedirs(target)
+    try:
+      os.makedirs(target)
+    except FileExistsError:
+      if not os.path.isdir(target):
+        sys.stderr.write('nsinstall: ' + target + ' is not a directoy!\n')
+        return 1
 
   copy_all_entries(args, target)
   return 0
diff --git a/external/nss/nss-3.13.5-zlib-werror.patch b/external/nss/nss-3.13.5-zlib-werror.patch
index 6cda50023f1b..0cdbf7808f81 100644
--- a/external/nss/nss-3.13.5-zlib-werror.patch
+++ b/external/nss/nss-3.13.5-zlib-werror.patch
@@ -1,9 +1,10 @@
 --- a/a/nss/lib/zlib/gzguts.h	2010-08-22 03:07:03.000000000 +0200
 +++ b/b/nss/lib/zlib/gzguts.h	2012-07-17 08:52:14.821552788 +0200
-@@ -26,6 +26,9 @@
- #  include <limits.h>
+@@ -26,6 +26,10 @@
+ #  define write _write
+ #  define close _close
  #endif
- #include <fcntl.h>
++
 +#ifndef _WIN32
 +#include <unistd.h>
 +#endif
diff --git a/external/nss/nss-win32-make.patch.1 b/external/nss/nss-win32-make.patch.1
new file mode 100644
index 000000000000..7ba3df451ee6
--- /dev/null
+++ b/external/nss/nss-win32-make.patch.1
@@ -0,0 +1,20 @@
+--- nss/nss/coreconf/rules.mk.orig2	2014-06-03 15:30:01.667200000 +0200
++++ nss/nss/coreconf/rules.mk	2014-06-03 15:30:14.537200000 +0200
+@@ -259,7 +259,7 @@
+ $(LIBRARY): $(OBJS) | $$(@D)/d
+ 	rm -f $@
+ ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
+-	$(AR) $(subst /,\\,$(OBJS))
++	$(AR) $(OBJS)
+ else
+ 	$(AR) cr $@ $(OBJS)
+ endif
+@@ -297,7 +297,7 @@
+ ifdef NS_USE_GCC
+ 	$(LINK_DLL) $(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES)
+ else
+-	$(LINK_DLL) -MAP $(DLLBASE) $(subst /,\\,$(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES))
++	$(LINK_DLL) -MAP $(DLLBASE) $(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES)
+ ifdef MT
+ 	if test -f $@.manifest; then \
+ 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;2; \
diff --git a/external/nss/nss.nspr-parallel-win-debug_build.patch b/external/nss/nss.nspr-parallel-win-debug_build.patch
new file mode 100644
index 000000000000..86b55e1ccf7f
--- /dev/null
+++ b/external/nss/nss.nspr-parallel-win-debug_build.patch
@@ -0,0 +1,40 @@
+Änderung:        4866:23940b78e965
+Nutzer:          Jan-Marek Glogowski <glogow at fbihome.de>
+Datum:           Fri May 01 22:50:55 2020 +0000
+Dateien:         pr/tests/Makefile.in
+Beschreibung:
+Bug 290526 Write separate PDBs for test OBJs r=glandium
+
+Quite often when running a parallel NSS build, I get the following
+compiler error message, resulting in a build failure, despite
+compiling with the -FS flag:
+
+.../nss/nspr/pr/tests/zerolen.c: fatal error C1041:
+Programmdatenbank "...\nss\nspr\out\pr\tests\vc140.pdb" kann nicht
+ge<94>ffnet werden; verwenden Sie /FS, wenn mehrere CL.EXE in
+dieselbe .PDB-Datei schreiben.
+
+The failing source file is always one of the last test object
+files. But the actual problem is not the compiler accessing the
+PDB file, but the linker already linking the first test
+executables accessing the shared PDB; at least that's my guess.
+
+So instead of using a shared PDB for all test object files, this
+uses -Fd$(@:.$(OBJ_SUFFIX)=.pdb) to write a separate PDB for every
+test's object file. The linker works fine with the shared OBJ PDB.
+
+Differential Revision: https://phabricator.services.mozilla.com/D68693
+
+
+diff -r 219d131499d5 -r 23940b78e965 nss/nspr/pr/tests/Makefile.in
+--- a/nss/nspr/pr/tests/Makefile.in	Mon Feb 10 20:58:42 2020 +0000
++++ b/nss/nspr/pr/tests/Makefile.in	Fri May 01 22:50:55 2020 +0000
+@@ -211,6 +211,7 @@
+ else
+   EXTRA_LIBS += ws2_32.lib
+   LDOPTS = -NOLOGO -DEBUG -DEBUGTYPE:CV -INCREMENTAL:NO
++  CFLAGS += -Fd$(@:.$(OBJ_SUFFIX)=.pdb)
+   ifdef PROFILE
+     LDOPTS += -PROFILE -MAP
+   endif # profile
+
diff --git a/external/nss/nss.windows.patch b/external/nss/nss.windows.patch
index 9dbeaa946520..901846e7bc1f 100644
--- a/external/nss/nss.windows.patch
+++ b/external/nss/nss.windows.patch
@@ -18,8 +18,8 @@
 -core_abspath = '$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))'
 +core_abspath = '$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(shell cygpath -m $(1))),$(1),$(shell cygpath -m $(PWD)/$(1))))'
  
- $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c
- 	@$(MAKE_OBJDIR)
+ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c | $$(@D)/d
+ ifdef USE_NT_C_SYNTAX
 --- a/a/nspr/pr/include/md/_win95.h
 +++ b/b/nspr/pr/include/md/_win95.h
 @@ -312,7 +312,7 @@
commit 0fa883069c269308482d960de5897707f22561e8
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Mon Nov 25 12:34:28 2019 +0100
Commit:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
CommitDate: Thu Oct 1 15:31:50 2020 +0200

    nss: upgrade to release 3.47.1
    
    Fixes CVE-2019-11745.
    
    Remove nss.fix-freebl-add-lcc-support.patch.1, fixed upstream.
    
    Reviewed-on: https://gerrit.libreoffice.org/83673
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <michael.stahl at cib.de>
    (cherry picked from commit a6238c3fba80889f9090d997e2a4979b78b34ac7)
    
    Conflicts:
            download.lst
            external/nss/UnpackedTarball_nss.mk
            external/nss/clang-cl.patch.0
            external/nss/nss.vs2015.pdb.patch
    
    Change-Id: I72e35c90fabb0a83f547a787dbaee774e35f9c08

diff --git a/download.lst b/download.lst
index ce9e29550e04..43082bcb044e 100644
--- a/download.lst
+++ b/download.lst
@@ -34,8 +34,8 @@ LIBEOT_MD5SUM := aa24f5dd2a2992f4a116aa72af817548
 export LIBEOT_TARBALL := libeot-0.01.tar.bz2
 LANGTAGREG_MD5SUM := 504af523f5d1a5590bbeb6a4b55e8a97
 export LANGTAGREG_TARBALL := language-subtag-registry-2014-03-27.tar.bz2
-NSS_MD5SUM := 2f7dab8f5b85b1494f6bec2cc32a1f5c
-export NSS_TARBALL := nss-3.45-with-nspr-4.21.tar.gz
+NSS_MD5SUM := 9bc54feb6f1e39c60932f668d3caab5e
+export NSS_TARBALL := nss-3.47.1-with-nspr-4.23.tar.gz
 PYTHON_MD5SUM := 803a75927f8f241ca78633890c798021
 export PYTHON_TARBALL := Python-3.3.5.tgz
 OPENSSL_MD5SUM := 44279b8557c3247cbe324e2322ecd114
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index 4ea30b339b06..cf7ad65803a1 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -15,7 +15,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
 	external/nss/nss.patch \
 	external/nss/nss-3.13.5-zlib-werror.patch \
 	$(if $(filter WNTMSC,$(OS)$(COM)),nss/nss.windows.patch) \
-    external/nss/nss.fix-freebl-add-lcc-support.patch.1 \
 	$(if $(filter MSC-INTEL,$(COM)-$(CPUNAME)), \
 		external/nss/nss.cygwin64.in32bit.patch) \
     $(if $(findstring 120_70,$(VCVER)_$(WINDOWS_SDK_VERSION)), \
diff --git a/external/nss/nss.aix.patch b/external/nss/nss.aix.patch
index da9aacb10e84..4b0c6bfb3261 100644
--- a/external/nss/nss.aix.patch
+++ b/external/nss/nss.aix.patch
@@ -38,7 +38,7 @@ diff -ru a/nspr/pr/src/Makefile.in b/nspr/pr/src/Makefile.in
 --- a/a/nspr/pr/src/Makefile.in	2014-09-29 16:46:35.281395079 +0100
 +++ b/b/nspr/pr/src/Makefile.in	2014-09-29 16:50:33.909375948 +0100
 @@ -74,7 +74,6 @@
- endif
+ endif	# SunOS
  
  ifeq ($(OS_ARCH),AIX)
 -DSO_LDOPTS	+= -binitfini::_PR_Fini
diff --git a/external/nss/nss.fix-freebl-add-lcc-support.patch.1 b/external/nss/nss.fix-freebl-add-lcc-support.patch.1
deleted file mode 100644
index 3e3c06327dde..000000000000
--- a/external/nss/nss.fix-freebl-add-lcc-support.patch.1
+++ /dev/null
@@ -1,11 +0,0 @@
---- b/nss/lib/freebl/Makefile
-+++ a/nss/lib/freebl/Makefile
-@@ -495,7 +495,7 @@
- ifdef USE_64
- # no __int128 at least up to lcc 1.23 (pretending to be gcc5)
- # NB: CC_NAME is not defined here
--ifneq ($(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q'),lcc)
-+ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
-     ifdef CC_IS_CLANG
-             HAVE_INT128_SUPPORT = 1
-             DEFINES += -DHAVE_INT128_SUPPORT
diff --git a/external/nss/nss.patch b/external/nss/nss.patch
index 8121658dbdd4..53ec83cee5ce 100644
--- a/external/nss/nss.patch
+++ b/external/nss/nss.patch
@@ -12,14 +12,14 @@
 --- a/nss.orig/nspr/pr/src/misc/prnetdb.c	2017-08-29 23:44:13.690045031 +0530
 +++ b/nss/nspr/pr/src/misc/prnetdb.c	2017-08-29 23:47:03.810814019 +0530
 @@ -438,7 +438,7 @@
- 	char *buf = *bufp;
- 	PRIntn buflen = *buflenp;
+     char *buf = *bufp;
+     PRIntn buflen = *buflenp;
  
--	if (align && ((long)buf & (align - 1))) {
-+	if (align && ((ptrdiff_t)buf & (align - 1))) {
- 		PRIntn skip = align - ((ptrdiff_t)buf & (align - 1));
- 		if (buflen < skip) {
- 			return 0;
+-    if (align && ((long)buf & (align - 1))) {
++    if (align && ((ptrdiff_t)buf & (align - 1))) {
+         PRIntn skip = align - ((ptrdiff_t)buf & (align - 1));
+         if (buflen < skip) {
+             return 0;
 --- a/a/nss/cmd/platlibs.mk	2017-08-29 23:44:13.554044416 +0530
 +++ b/b/nss/cmd/platlibs.mk	2017-08-29 23:46:09.638569150 +0530
 @@ -10,17 +10,22 @@
commit caa3d02a20ec369e887c828a3a37df8ed6fd7311
Author:     Jan-Marek Glogowski <glogow at fbihome.de>
AuthorDate: Fri Jul 12 15:01:41 2019 +0200
Commit:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
CommitDate: Thu Oct 1 15:31:49 2020 +0200

    NSS fix lcc support patch
    
    This hangs the build process with current MSVC cl.exe. It even
    hangs when just calling "cl -? >/dev/null". Probably
    a cl.exe bug to detect redirection properly?
    
    This adds stdin redirection to /dev/null, like in configure.ac checks.
    
    Reviewed-on: https://gerrit.libreoffice.org/75495
    Reviewed-by: Jan-Marek Glogowski <glogow at fbihome.de>
    Reviewed-by: Tor Lillqvist <tml at collabora.com>
    Tested-by: Tor Lillqvist <tml at collabora.com>
    (cherry picked from commit b11ea5e9c37b19f0d60a4075146668954a7bf728)
    
    Conflicts:
            external/nss/UnpackedTarball_nss.mk
    
    Change-Id: Ie03c3103ac68cd131dc280755621a8ce0417314f

diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index cf7ad65803a1..4ea30b339b06 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -15,6 +15,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
 	external/nss/nss.patch \
 	external/nss/nss-3.13.5-zlib-werror.patch \
 	$(if $(filter WNTMSC,$(OS)$(COM)),nss/nss.windows.patch) \
+    external/nss/nss.fix-freebl-add-lcc-support.patch.1 \
 	$(if $(filter MSC-INTEL,$(COM)-$(CPUNAME)), \
 		external/nss/nss.cygwin64.in32bit.patch) \
     $(if $(findstring 120_70,$(VCVER)_$(WINDOWS_SDK_VERSION)), \
diff --git a/external/nss/nss.fix-freebl-add-lcc-support.patch.1 b/external/nss/nss.fix-freebl-add-lcc-support.patch.1
new file mode 100644
index 000000000000..3e3c06327dde
--- /dev/null
+++ b/external/nss/nss.fix-freebl-add-lcc-support.patch.1
@@ -0,0 +1,11 @@
+--- b/nss/lib/freebl/Makefile
++++ a/nss/lib/freebl/Makefile
+@@ -495,7 +495,7 @@
+ ifdef USE_64
+ # no __int128 at least up to lcc 1.23 (pretending to be gcc5)
+ # NB: CC_NAME is not defined here
+-ifneq ($(shell $(CC) -? 2>&1 >/dev/null | sed -e 's/:.*//;1q'),lcc)
++ifneq ($(shell $(CC) -? 2>&1 >/dev/null </dev/null | sed -e 's/:.*//;1q'),lcc)
+     ifdef CC_IS_CLANG
+             HAVE_INT128_SUPPORT = 1
+             DEFINES += -DHAVE_INT128_SUPPORT
commit 92850a3628402abe36c1240b2835f1840bcff211
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Wed Jul 10 12:20:00 2019 +0200
Commit:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
CommitDate: Thu Oct 1 15:31:48 2020 +0200

    nss: upgrade to release 3.45
    
    Fixes CVE-2019-11729 CVE-2019-11719 CVE-2019-11727, and the less
    important CVE-2018-12384 and CVE-2018-12404 from intermediate releases.
    
    Since NSS 3.44 it's possible to build as static libraries and for iOS;
    drop the nss-chromium-nss-static.patch and nss-more-static.patch and
    hope that it works.
    
    Drop one hunk from nss.patch that looks fixed upstream.
    
    Reviewed-on: https://gerrit.libreoffice.org/75344
    Tested-by: Jenkins
    Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
    (cherry picked from commit 6efc8a33f69bc7f4be45b7b81f67cd74c163b99e)
    Reviewed-on: https://gerrit.libreoffice.org/75411
    Tested-by: Michael Stahl <Michael.Stahl at cib.de>
    
    Conflicts:
            download.lst
            external/nss/UnpackedTarball_nss.mk
            external/nss/clang-cl.patch.0
    
    Change-Id: I7f37ac36f7f8dfd49d0bfb4a6185ca49d4f618a3

diff --git a/download.lst b/download.lst
index 62f4fc850947..ce9e29550e04 100644
--- a/download.lst
+++ b/download.lst
@@ -34,8 +34,8 @@ LIBEOT_MD5SUM := aa24f5dd2a2992f4a116aa72af817548
 export LIBEOT_TARBALL := libeot-0.01.tar.bz2
 LANGTAGREG_MD5SUM := 504af523f5d1a5590bbeb6a4b55e8a97
 export LANGTAGREG_TARBALL := language-subtag-registry-2014-03-27.tar.bz2
-NSS_MD5SUM := cd649be8ee61fe15d64d7bef361b37ba
-export NSS_TARBALL := nss-3.38-with-nspr-4.19.tar.gz
+NSS_MD5SUM := 2f7dab8f5b85b1494f6bec2cc32a1f5c
+export NSS_TARBALL := nss-3.45-with-nspr-4.21.tar.gz
 PYTHON_MD5SUM := 803a75927f8f241ca78633890c798021
 export PYTHON_TARBALL := Python-3.3.5.tgz
 OPENSSL_MD5SUM := 44279b8557c3247cbe324e2322ecd114
diff --git a/external/nss/nss.patch b/external/nss/nss.patch
index 18985e680e92..8121658dbdd4 100644
--- a/external/nss/nss.patch
+++ b/external/nss/nss.patch
@@ -153,16 +153,3 @@
  #! gmake
  #
  # This Source Code Form is subject to the terms of the Mozilla Public
-@@ -89,10 +91,10 @@
- NSPR_CONFIGURE_ENV = CC=gcc CXX=g++
- endif
- ifdef CC
--NSPR_CONFIGURE_ENV = CC=$(CC)
-+NSPR_CONFIGURE_ENV = CC="$(CC) "
- endif
- ifdef CCC
--NSPR_CONFIGURE_ENV += CXX=$(CCC)
-+NSPR_CONFIGURE_ENV += CXX="$(CCC) "
- endif
- # Remove -arch definitions. NSPR can't handle that.
- NSPR_CONFIGURE_ENV := $(filter-out -arch x86_64,$(NSPR_CONFIGURE_ENV))
commit 0e3f353a6307e981ef4cd561c2b65e716e4b054a
Author:     Thorsten Behrens <Thorsten.Behrens at CIB.de>
AuthorDate: Thu Oct 11 16:04:39 2018 +0200
Commit:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
CommitDate: Thu Oct 1 15:31:48 2020 +0200

    nss: fix initialisation order, and system zlib
    
    Change-Id: Ia2d01d384b13c3b293599a186899d8e5bb381064
    Reviewed-on: https://gerrit.libreoffice.org/61679
    Reviewed-by: Michael Stahl <Michael.Stahl at cib.de>
    Tested-by: Michael Stahl <Michael.Stahl at cib.de>

diff --git a/external/nss/nss-no-c99.patch b/external/nss/nss-no-c99.patch
index b695683f6d0e..bb8085456c51 100644
--- a/external/nss/nss-no-c99.patch
+++ b/external/nss/nss-no-c99.patch
@@ -1492,7 +1492,6 @@
                  if (!pubValue) {
                      crv = CKR_ARGUMENTS_BAD;
                      goto ecgn_done;
-diff -ur nss/nss/cmd/lib/secutil.c nss_new/nss/cmd/lib/secutil.c
 --- a/nss/nss/cmd/lib/secutil.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/cmd/lib/secutil.c	2018-09-19 13:53:21.922607000 +0200
 @@ -217,6 +217,7 @@
@@ -1512,7 +1511,6 @@ diff -ur nss/nss/cmd/lib/secutil.c nss_new/nss/cmd/lib/secutil.c
              PORT_Free(pw);
          /* Fall Through */
          case PW_PLAINTEXT:
-diff -ur nss/nss/cmd/signtool/javascript.c nss_new/nss/cmd/signtool/javascript.c
 --- a/nss/nss/cmd/signtool/javascript.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/cmd/signtool/javascript.c	2018-09-21 18:09:42.429614100 +0200
 @@ -6,6 +6,7 @@
@@ -1532,7 +1530,6 @@ diff -ur nss/nss/cmd/signtool/javascript.c nss_new/nss/cmd/signtool/javascript.c
      if (c >= sizeof(fn)) {
          return PR_FAILURE;
      }
-diff -ur nss/nss/cmd/signtool/sign.c nss_new/nss/cmd/signtool/sign.c
 --- a/nss/nss/cmd/signtool/sign.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/cmd/signtool/sign.c	2018-09-21 18:12:32.664160400 +0200
 @@ -5,6 +5,7 @@
@@ -1609,7 +1606,6 @@ diff -ur nss/nss/cmd/signtool/sign.c nss_new/nss/cmd/signtool/sign.c
      if (count >= sizeof(fullname)) {
          return 1;
      }
-diff -ur nss/nss/lib/freebl/blake2b.c nss_new/nss/lib/freebl/blake2b.c
 --- a/nss/nss/lib/freebl/blake2b.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/freebl/blake2b.c	2018-09-06 16:22:55.312309800 +0200
 @@ -147,6 +147,7 @@
@@ -1644,7 +1640,6 @@ diff -ur nss/nss/lib/freebl/blake2b.c nss_new/nss/lib/freebl/blake2b.c
      if (ctx == NULL) {
          PORT_SetError(SEC_ERROR_INVALID_ARGS);
          return NULL;
-diff -ur nss/nss/lib/freebl/chacha20poly1305.c nss_new/nss/lib/freebl/chacha20poly1305.c
 --- a/nss/nss/lib/freebl/chacha20poly1305.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/freebl/chacha20poly1305.c	2018-09-07 03:48:50.608015600 +0200
 @@ -75,6 +75,8 @@
@@ -1665,7 +1660,6 @@ diff -ur nss/nss/lib/freebl/chacha20poly1305.c nss_new/nss/lib/freebl/chacha20po
      for (i = 0, j = adLen; i < 8; i++, j >>= 8) {
          block[i] = j;
      }
-diff -ur nss/nss/lib/freebl/ecl/ecp_25519.c nss_new/nss/lib/freebl/ecl/ecp_25519.c
 --- a/nss/nss/lib/freebl/ecl/ecp_25519.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/freebl/ecl/ecp_25519.c	2018-09-07 04:22:09.320906200 +0200
 @@ -104,6 +104,7 @@
@@ -1685,7 +1679,6 @@ diff -ur nss/nss/lib/freebl/ecl/ecp_25519.c nss_new/nss/lib/freebl/ecl/ecp_25519
      if (NSS_SecureMemcmpZero(X->data, X->len) == 0) {
          return SECFailure;
      }
-diff -ur nss/nss/lib/freebl/verified/FStar.c nss_new/nss/lib/freebl/verified/FStar.c
 --- a/nss/nss/lib/freebl/verified/FStar.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/freebl/verified/FStar.c	2018-09-10 01:27:51.192382800 +0200
 @@ -32,37 +32,45 @@
@@ -1931,7 +1924,6 @@ diff -ur nss/nss/lib/freebl/verified/FStar.c nss_new/nss/lib/freebl/verified/FSt
  }
  
  FStar_UInt128_uint128
-diff -ur nss/nss/lib/freebl/verified/Hacl_Chacha20.c nss_new/nss/lib/freebl/verified/Hacl_Chacha20.c
 --- a/nss/nss/lib/freebl/verified/Hacl_Chacha20.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/freebl/verified/Hacl_Chacha20.c	2018-09-07 05:07:09.660750000 +0200
 @@ -18,7 +18,8 @@
@@ -2084,7 +2076,6 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Chacha20.c nss_new/nss/lib/freebl/veri
          uint8_t *b = plain + (uint32_t)64U * i;
          uint8_t *o = output + (uint32_t)64U * i;
          Hacl_Impl_Chacha20_update(o, b, st, ctr + i);
-diff -ur nss/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c nss_new/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c
 --- a/nss/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c	2018-09-07 05:31:17.778914000 +0200
 @@ -42,53 +42,83 @@
@@ -2364,9 +2355,9 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Chacha20_Vec128.c nss_new/nss/lib/free
      Hacl_Impl_Chacha20_Vec128_init(st, k, n1, ctr);
      Hacl_Impl_Chacha20_Vec128_chacha20_counter_mode(output, plain, len, st);
  }
-diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/verified/Hacl_Curve25519.c
---- a/nss/nss/lib/freebl/verified/Hacl_Curve25519.c	2018-06-21 11:24:45.000000000 +0200
-+++ b/nss/nss/lib/freebl/verified/Hacl_Curve25519.c	2018-09-07 06:13:30.375593700 +0200
+diff -u b/nss/nss/lib/freebl/verified/Hacl_Curve25519.c b/nss/nss/lib/freebl/verified/Hacl_Curve25519.c
+--- b/nss/nss/lib/freebl/verified/Hacl_Curve25519.c	2018-09-07 06:13:30.375593700 +0200
++++ b/nss/nss/lib/freebl/verified/Hacl_Curve25519.c	2018-10-11 02:49:07.152343700 +0200
 @@ -129,6 +129,7 @@
  Hacl_Bignum_Fmul_shift_reduce(uint64_t *output)
  {
@@ -2384,7 +2375,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      output[0U] = (uint64_t)19U * b0;
  }
  
-@@ -177,38 +178,43 @@
+@@ -177,38 +178,45 @@
          Hacl_Bignum_Fproduct_sum_scalar_multiplication_(output, input, input2i);
          Hacl_Bignum_Fmul_shift_reduce(input);
      }
@@ -2407,8 +2398,8 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      FStar_UInt128_t t[5U];
 -    for (uint32_t _i = 0U; _i < (uint32_t)5U; ++_i)
 +    uint32_t _i;
-+    FStar_UInt128_t b4 = t[4U];
-+    FStar_UInt128_t b0 = t[0U];
++    FStar_UInt128_t b4;
++    FStar_UInt128_t b0;
 +    FStar_UInt128_t b4_;
 +    FStar_UInt128_t b0_;
 +    uint64_t i0;
@@ -2420,6 +2411,8 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
          t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
      Hacl_Bignum_Fmul_mul_shift_reduce_(t, tmp, input21);
      Hacl_Bignum_Fproduct_carry_wide_(t);
++    b4 = t[4U];
++    b0 = t[0U];
 -    FStar_UInt128_t b4 = t[4U];
 -    FStar_UInt128_t b0 = t[0U];
 -    FStar_UInt128_t
@@ -2445,27 +2438,29 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      output[0U] = i0_;
      output[1U] = i1_;
  }
-@@ -261,24 +267,27 @@
+@@ -261,24 +269,29 @@
  inline static void
  Hacl_Bignum_Fsquare_fsquare_(FStar_UInt128_t *tmp, uint64_t *output)
  {
--    Hacl_Bignum_Fsquare_fsquare__(tmp, output);
--    Hacl_Bignum_Fproduct_carry_wide_(tmp);
-     FStar_UInt128_t b4 = tmp[4U];
-     FStar_UInt128_t b0 = tmp[0U];
--    FStar_UInt128_t
--        b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
--    FStar_UInt128_t
--        b0_ =
--            FStar_UInt128_add(b0,
++    FStar_UInt128_t b4;
++    FStar_UInt128_t b0;
 +    FStar_UInt128_t b4_;
 +    FStar_UInt128_t b0_;
 +    uint64_t i0;
 +    uint64_t i1;
 +    uint64_t i0_;
 +    uint64_t i1_;
-+    Hacl_Bignum_Fsquare_fsquare__(tmp, output);
-+    Hacl_Bignum_Fproduct_carry_wide_(tmp);
+     Hacl_Bignum_Fsquare_fsquare__(tmp, output);
+     Hacl_Bignum_Fproduct_carry_wide_(tmp);
+-    FStar_UInt128_t b4 = tmp[4U];
+-    FStar_UInt128_t b0 = tmp[0U];
+-    FStar_UInt128_t
+-        b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
+-    FStar_UInt128_t
+-        b0_ =
+-            FStar_UInt128_add(b0,
++    b4 = tmp[4U];
++    b0 = tmp[0U];
 +    b4_ = FStar_UInt128_logand(b4, FStar_UInt128_uint64_to_uint128((uint64_t)0x7ffffffffffffU));
 +    b0_ = FStar_UInt128_add(b0,
                                FStar_UInt128_mul_wide((uint64_t)19U,
@@ -2484,7 +2479,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      output[0U] = i0_;
      output[1U] = i1_;
  }
-@@ -286,17 +295,19 @@
+@@ -286,17 +299,19 @@
  static void
  Hacl_Bignum_Fsquare_fsquare_times_(uint64_t *input, FStar_UInt128_t *tmp, uint32_t count1)
  {
@@ -2507,7 +2502,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
          t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
      memcpy(output, input, (uint32_t)5U * sizeof input[0U]);
      Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
-@@ -305,9 +316,10 @@
+@@ -305,9 +320,10 @@
  inline static void
  Hacl_Bignum_Fsquare_fsquare_times_inplace(uint64_t *output, uint32_t count1)
  {
@@ -2520,7 +2515,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
          t[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
      Hacl_Bignum_Fsquare_fsquare_times_(output, t, count1);
  }
-@@ -319,6 +331,14 @@
+@@ -319,6 +335,14 @@
      uint64_t *a = buf;
      uint64_t *t00 = buf + (uint32_t)5U;
      uint64_t *b0 = buf + (uint32_t)10U;
@@ -2535,7 +2530,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      Hacl_Bignum_Fsquare_fsquare_times(a, z, (uint32_t)1U);
      Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)2U);
      Hacl_Bignum_Fmul_fmul(b0, t00, z);
-@@ -326,9 +346,9 @@
+@@ -326,9 +350,9 @@
      Hacl_Bignum_Fsquare_fsquare_times(t00, a, (uint32_t)1U);
      Hacl_Bignum_Fmul_fmul(b0, t00, b0);
      Hacl_Bignum_Fsquare_fsquare_times(t00, b0, (uint32_t)5U);
@@ -2548,7 +2543,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      Hacl_Bignum_Fmul_fmul(b1, t01, b1);
      Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)10U);
      Hacl_Bignum_Fmul_fmul(c0, t01, b1);
-@@ -337,10 +357,10 @@
+@@ -337,10 +361,10 @@
      Hacl_Bignum_Fsquare_fsquare_times_inplace(t01, (uint32_t)10U);
      Hacl_Bignum_Fmul_fmul(b1, t01, b1);
      Hacl_Bignum_Fsquare_fsquare_times(t01, b1, (uint32_t)50U);
@@ -2563,7 +2558,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      Hacl_Bignum_Fmul_fmul(c, t0, b);
      Hacl_Bignum_Fsquare_fsquare_times(t0, c, (uint32_t)100U);
      Hacl_Bignum_Fmul_fmul(t0, t0, c);
-@@ -384,12 +404,17 @@
+@@ -384,12 +408,17 @@
  Hacl_Bignum_fdifference(uint64_t *a, uint64_t *b)
  {
      uint64_t tmp[5U] = { 0U };
@@ -2586,7 +2581,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      tmp[0U] = b0 + (uint64_t)0x3fffffffffff68U;
      tmp[1U] = b1 + (uint64_t)0x3ffffffffffff8U;
      tmp[2U] = b2 + (uint64_t)0x3ffffffffffff8U;
-@@ -425,9 +450,10 @@
+@@ -425,9 +454,10 @@
  inline static void
  Hacl_Bignum_fscalar(uint64_t *output, uint64_t *b, uint64_t s)
  {
@@ -2599,7 +2594,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
          tmp[_i] = FStar_UInt128_uint64_to_uint128((uint64_t)0U);
      {
          uint64_t xi = b[0U];
-@@ -450,6 +476,7 @@
+@@ -450,6 +480,7 @@
          tmp[4U] = FStar_UInt128_mul_wide(xi, s);
      }
      Hacl_Bignum_Fproduct_carry_wide_(tmp);
@@ -2607,7 +2602,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      FStar_UInt128_t b4 = tmp[4U];
      FStar_UInt128_t b0 = tmp[0U];
      FStar_UInt128_t
-@@ -462,6 +489,7 @@
+@@ -462,6 +493,7 @@
      tmp[4U] = b4_;
      tmp[0U] = b0_;
      Hacl_Bignum_Fproduct_copy_from_wide_(output, tmp);
@@ -2615,7 +2610,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
  }
  
  inline static void
-@@ -493,8 +521,9 @@
+@@ -493,8 +525,9 @@
  Hacl_EC_Point_swap_conditional_(uint64_t *a, uint64_t *b, uint64_t swap1, uint32_t ctr)
  {
      if (!(ctr == (uint32_t)0U)) {
@@ -2626,7 +2621,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
          Hacl_EC_Point_swap_conditional_(a, b, swap1, i);
      }
  }
-@@ -538,6 +567,16 @@
+@@ -538,6 +571,16 @@
      uint64_t *origxprime = buf + (uint32_t)5U;
      uint64_t *xxprime0 = buf + (uint32_t)25U;
      uint64_t *zzprime0 = buf + (uint32_t)30U;
@@ -2643,7 +2638,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      memcpy(origx, x, (uint32_t)5U * sizeof x[0U]);
      Hacl_Bignum_fsum(x, z);
      Hacl_Bignum_fdifference(z, origx);
-@@ -546,12 +585,12 @@
+@@ -546,12 +589,12 @@
      Hacl_Bignum_fdifference(zprime, origxprime);
      Hacl_Bignum_fmul(xxprime0, xprime, z);
      Hacl_Bignum_fmul(zzprime0, x, zprime);
@@ -2662,7 +2657,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      memcpy(origxprime0, xxprime, (uint32_t)5U * sizeof xxprime[0U]);
      Hacl_Bignum_fsum(xxprime, zzprime);
      Hacl_Bignum_fdifference(zzprime, origxprime0);
-@@ -560,12 +599,12 @@
+@@ -560,12 +603,12 @@
      Hacl_Bignum_fmul(z3, zzzprime, qx);
      Hacl_Bignum_Fsquare_fsquare_times(xx0, x, (uint32_t)1U);
      Hacl_Bignum_Fsquare_fsquare_times(zz0, z, (uint32_t)1U);
@@ -2679,7 +2674,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      Hacl_Bignum_fscalar(zzz, zz, scalar);
      Hacl_Bignum_fsum(zzz, xx);
      Hacl_Bignum_fmul(z2, zzz, zz);
-@@ -581,9 +620,10 @@
+@@ -581,9 +624,10 @@
      uint8_t byt)
  {
      uint64_t bit = (uint64_t)(byt >> (uint32_t)7U);
@@ -2691,7 +2686,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      Hacl_EC_Point_swap_conditional(nq2, nqpq2, bit0);
  }
  
-@@ -596,8 +636,9 @@
+@@ -596,8 +640,9 @@
      uint64_t *q,
      uint8_t byt)
  {
@@ -2702,7 +2697,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      Hacl_EC_Ladder_SmallLoop_cmult_small_loop_step(nq2, nqpq2, nq, nqpq, q, byt1);
  }
  
-@@ -613,8 +654,9 @@
+@@ -613,8 +658,9 @@
  {
      if (!(i == (uint32_t)0U)) {
          uint32_t i_ = i - (uint32_t)1U;
@@ -2713,7 +2708,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
          Hacl_EC_Ladder_SmallLoop_cmult_small_loop(nq, nqpq, nq2, nqpq2, q, byt_, i_);
      }
  }
-@@ -731,12 +773,16 @@
+@@ -731,12 +777,16 @@
  static void
  Hacl_EC_Format_fcontract_second_carry_full(uint64_t *input)
  {
@@ -2734,7 +2729,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      input[0U] = i0_;
      input[1U] = i1_;
  }
-@@ -817,22 +863,32 @@
+@@ -817,22 +867,32 @@
      uint64_t buf0[10U] = { 0U };
      uint64_t *x0 = buf0;
      uint64_t *z = buf0 + (uint32_t)5U;
@@ -2778,9 +2773,9 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Curve25519.c nss_new/nss/lib/freebl/ve
      x[0U] = (uint64_t)1U;
      Hacl_EC_Ladder_cmult(nq, scalar, q);
      Hacl_EC_Format_scalar_of_point(mypublic, nq);
-diff -ur nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c nss_new/nss/lib/freebl/verified/Hacl_Poly1305_32.c
---- a/nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c	2018-06-21 11:24:45.000000000 +0200
-+++ b/nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c	2018-09-14 18:37:50.838682200 +0200
+diff -u b/nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c b/nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c
+--- b/nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c	2018-09-14 18:37:50.838682200 +0200
++++ b/nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c	2018-10-11 15:49:18.984000000 +0200
 @@ -47,7 +47,8 @@
  inline static void
  Hacl_Bignum_Fproduct_copy_from_wide_(uint32_t *output, uint64_t *input)
@@ -2911,7 +2906,7 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c nss_new/nss/lib/freebl/v
 +    Hacl_Impl_Poly1305_32_State_poly1305_state scrut0;
 +    uint32_t *h;
 +    Hacl_Impl_Poly1305_32_State_poly1305_state scrut;
-+    uint32_t *r = scrut.r;
++    uint32_t *r;
      tmp[0U] = r0;
      tmp[1U] = r1;
      tmp[2U] = r2;
@@ -3228,7 +3223,6 @@ diff -ur nss/nss/lib/freebl/verified/Hacl_Poly1305_32.c nss_new/nss/lib/freebl/v
      Hacl_Impl_Poly1305_32_poly1305_last_pass(acc);
  }
  
-diff -ur nss/nss/lib/freebl/verified/kremlib.h nss_new/nss/lib/freebl/verified/kremlib.h
 --- a/nss/nss/lib/freebl/verified/kremlib.h	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/freebl/verified/kremlib.h	2018-09-07 03:48:09.669539000 +0200
 @@ -592,7 +592,7 @@
@@ -3240,7 +3234,6 @@ diff -ur nss/nss/lib/freebl/verified/kremlib.h nss_new/nss/lib/freebl/verified/k
  }
  
  static inline void
-diff -ur nss/nss/lib/freebl/verified/kremlib_base.h nss_new/nss/lib/freebl/verified/kremlib_base.h
 --- a/nss/nss/lib/freebl/verified/kremlib_base.h	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/freebl/verified/kremlib_base.h	2018-09-07 03:11:39.712507800 +0200
 @@ -16,9 +16,17 @@
@@ -3263,7 +3256,6 @@ diff -ur nss/nss/lib/freebl/verified/kremlib_base.h nss_new/nss/lib/freebl/verif
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
-diff -ur nss/nss/lib/pk11wrap/pk11skey.c nss_new/nss/lib/pk11wrap/pk11skey.c
 --- a/nss/nss/lib/pk11wrap/pk11skey.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/pk11wrap/pk11skey.c	2018-09-18 11:33:52.253969200 +0200
 @@ -2217,12 +2217,13 @@
@@ -3281,7 +3273,6 @@ diff -ur nss/nss/lib/pk11wrap/pk11skey.c nss_new/nss/lib/pk11wrap/pk11skey.c
                                                 &pubKey->u.ec.publicValue,
                                                 SEC_ASN1_GET(SEC_OctetStringTemplate));
          if (pubValue == NULL) {
-diff -ur nss/nss/lib/pkcs7/p7create.c nss_new/nss/lib/pkcs7/p7create.c
 --- a/nss/nss/lib/pkcs7/p7create.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/pkcs7/p7create.c	2018-09-19 13:40:41.437890500 +0200
 @@ -1263,6 +1263,7 @@
@@ -3300,7 +3291,6 @@ diff -ur nss/nss/lib/pkcs7/p7create.c nss_new/nss/lib/pkcs7/p7create.c
      pbe_algid = PK11_CreatePBEV2AlgorithmID(pbe_algorithm,
                                              cipher_algorithm,
                                              prf_algorithm,
-diff -ur nss/nss/lib/softoken/sdb.c nss_new/nss/lib/softoken/sdb.c
 --- a/nss/nss/lib/softoken/sdb.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/softoken/sdb.c	2018-09-14 18:47:11.826781200 +0200
 @@ -206,12 +206,13 @@
@@ -3318,7 +3308,6 @@ diff -ur nss/nss/lib/softoken/sdb.c nss_new/nss/lib/softoken/sdb.c
      if (!filenameWide) {
          return -1;
      }
-diff -ur nss/nss/lib/ssl/dtls13con.c nss_new/nss/lib/ssl/dtls13con.c
 --- a/nss/nss/lib/ssl/dtls13con.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/dtls13con.c	2018-09-18 12:37:53.795110600 +0200
 @@ -64,7 +64,7 @@
@@ -3330,7 +3319,6 @@ diff -ur nss/nss/lib/ssl/dtls13con.c nss_new/nss/lib/ssl/dtls13con.c
  dtls_CombineSequenceNumber(DTLSEpoch epoch, sslSequenceNumber seqNum)
  {
      PORT_Assert(seqNum <= RECORD_SEQ_MAX);
-diff -ur nss/nss/lib/ssl/selfencrypt.c nss_new/nss/lib/ssl/selfencrypt.c
 --- a/nss/nss/lib/ssl/selfencrypt.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/selfencrypt.c	2018-09-19 01:42:46.230591100 +0200
 @@ -197,30 +197,35 @@
@@ -3399,7 +3387,6 @@ diff -ur nss/nss/lib/ssl/selfencrypt.c nss_new/nss/lib/ssl/selfencrypt.c
  
      return SECSuccess;
  }
-diff -ur nss/nss/lib/ssl/ssl3con.c nss_new/nss/lib/ssl/ssl3con.c
 --- a/nss/nss/lib/ssl/ssl3con.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/ssl3con.c	2018-09-18 12:54:26.104920200 +0200
 @@ -5563,6 +5563,7 @@
@@ -3452,7 +3439,6 @@ diff -ur nss/nss/lib/ssl/ssl3con.c nss_new/nss/lib/ssl/ssl3con.c
          SSL3_SendAlert(ss, alert_fatal, alert);
          /* Reset the error code in case SSL3_SendAlert called
           * PORT_SetError(). */
-diff -ur nss/nss/lib/ssl/ssl3exthandle.c nss_new/nss/lib/ssl/ssl3exthandle.c
 --- a/nss/nss/lib/ssl/ssl3exthandle.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/ssl3exthandle.c	2018-09-18 14:20:01.612911900 +0200
 @@ -1914,6 +1914,8 @@
@@ -3475,7 +3461,6 @@ diff -ur nss/nss/lib/ssl/ssl3exthandle.c nss_new/nss/lib/ssl/ssl3exthandle.c
      if (rv != SECSuccess) {
          return SECFailure;
      }
-diff -ur nss/nss/lib/ssl/sslbloom.c nss_new/nss/lib/ssl/sslbloom.c
 --- a/nss/nss/lib/ssl/sslbloom.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/sslbloom.c	2018-09-18 13:09:01.900866100 +0200
 @@ -10,7 +10,7 @@
@@ -3487,7 +3472,6 @@ diff -ur nss/nss/lib/ssl/sslbloom.c nss_new/nss/lib/ssl/sslbloom.c
  sslBloom_Size(unsigned int bits)
  {
      return (bits >= 3) ? (1 << (bits - 3)) : 1;
-diff -ur nss/nss/lib/ssl/sslencode.c nss_new/nss/lib/ssl/sslencode.c
 --- a/nss/nss/lib/ssl/sslencode.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/sslencode.c	2018-09-18 13:43:20.673756400 +0200
 @@ -214,6 +214,8 @@
@@ -3509,7 +3493,6 @@ diff -ur nss/nss/lib/ssl/sslencode.c nss_new/nss/lib/ssl/sslencode.c
      for (i = 0; i < bytes; i++) {
          number = (number << 8) + reader->buf.buf[i + reader->offset];
      }
-diff -ur nss/nss/lib/ssl/sslnonce.c nss_new/nss/lib/ssl/sslnonce.c
 --- a/nss/nss/lib/ssl/sslnonce.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/sslnonce.c	2018-09-18 23:16:11.660366800 +0200
 @@ -439,6 +439,10 @@
@@ -3654,7 +3637,6 @@ diff -ur nss/nss/lib/ssl/sslnonce.c nss_new/nss/lib/ssl/sslnonce.c
      PORT_Assert(sec);
  
      if (sec->ci.sid) {
-diff -ur nss/nss/lib/ssl/sslsnce.c nss_new/nss/lib/ssl/sslsnce.c
 --- a/nss/nss/lib/ssl/sslsnce.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/sslsnce.c	2018-09-18 23:29:00.521322700 +0200
 @@ -732,12 +732,12 @@
@@ -3672,7 +3654,6 @@ diff -ur nss/nss/lib/ssl/sslsnce.c nss_new/nss/lib/ssl/sslsnce.c
      if (sid->u.ssl3.sessionIDLength == 0) {
          return;
      }
-diff -ur nss/nss/lib/ssl/sslsock.c nss_new/nss/lib/ssl/sslsock.c
 --- a/nss/nss/lib/ssl/sslsock.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/sslsock.c	2018-09-19 00:07:12.192937500 +0200
 @@ -53,36 +53,36 @@
@@ -3792,7 +3773,6 @@ diff -ur nss/nss/lib/ssl/sslsock.c nss_new/nss/lib/ssl/sslsock.c
  
      /* Populate sid values */
      if (ssl_DecodeResumptionToken(&sid, tokenData, tokenLen) != SECSuccess) {
-diff -ur nss/nss/lib/ssl/tls13hashstate.c nss_new/nss/lib/ssl/tls13hashstate.c
 --- a/nss/nss/lib/ssl/tls13hashstate.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/ssl/tls13hashstate.c	2018-09-19 13:22:23.746451600 +0200
 @@ -102,7 +102,10 @@
@@ -3829,7 +3809,6 @@ diff -ur nss/nss/lib/ssl/tls13hashstate.c nss_new/nss/lib/ssl/tls13hashstate.c
      return SECSuccess;
 +    }
  }
-diff -ur nss/nss/lib/util/quickder.c nss_new/nss/lib/util/quickder.c
 --- a/nss/nss/lib/util/quickder.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/util/quickder.c	2018-09-06 15:30:17.340172300 +0200
 @@ -406,13 +406,14 @@
@@ -3848,7 +3827,6 @@ diff -ur nss/nss/lib/util/quickder.c nss_new/nss/lib/util/quickder.c
      *(void**)((char*)dest + templateEntry->offset) = subdata;
      if (subdata) {
          return DecodeItem(subdata, ptrTemplate, src, arena, checkTag);
-diff -ur nss/nss/lib/util/secport.c nss_new/nss/lib/util/secport.c
 --- a/nss/nss/lib/util/secport.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/util/secport.c	2018-09-06 15:59:21.837141800 +0200
 @@ -150,13 +150,14 @@
@@ -3868,7 +3846,6 @@ diff -ur nss/nss/lib/util/secport.c nss_new/nss/lib/util/secport.c
      if (!v) {
          return NULL;
      }
-diff -ur nss/nss/lib/util/utilmod.c nss_new/nss/lib/util/utilmod.c
 --- a/nss/nss/lib/util/utilmod.c	2018-06-21 11:24:45.000000000 +0200
 +++ b/nss/nss/lib/util/utilmod.c	2018-09-06 16:12:23.959424800 +0200
 @@ -75,12 +75,13 @@
diff --git a/external/nss/nss.patch b/external/nss/nss.patch
index 1eb0bf70d866..18985e680e92 100644
--- a/external/nss/nss.patch
+++ b/external/nss/nss.patch
@@ -96,7 +96,7 @@
  endif
  endif
  
-+ifneq ($(SYSTEM_ZLIB),)
++ifeq ($(SYSTEM_ZLIB),YES)
 +# Currently (3.12.4) only the tools modutil and signtool are linked with libz
 +# If USE_SYSTEM_ZLIB is not set then the tools link statically libzlib.a which
 +# is also built in nss.
commit 59d8d367a81fe71bd5fc81326eb43ca4fdf6063f
Author:     Michael Stahl <Michael.Stahl at cib.de>
AuthorDate: Thu Aug 9 11:55:09 2018 +0200
Commit:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
CommitDate: Thu Oct 1 15:31:47 2020 +0200

    xmlsecurity: nsscrypto_initialize: try to avoid profile migration
    
    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.35_release_notes
    
    NSS 3.35 and later will automatically migrate migrate profiles from the
    old "dbm:" BDB format to the new "sql:" SQLite format.
    
    The new format can be read by NSS 3.12 and later, which is old enough that
    it can be assumed to be available.
    
    However LibreOffice still shouldn't migrate the profile on its own:
    LO typically uses a Mozilla Firefox or Thunderbird profile, and if it is
    a system Firefox with system NSS libraries, then it's probably a bad
    idea for LO to migrate the profile under Firefox's nose, particularly
    considering the "partial migration" scenario if the profile is
    password-protected.
    
    Try to avoid this by checking if the profile is the old format and
    explicitly using the "dbm:" prefix to prevent the migration.
    
    Change-Id: I06480522f830ce74e2fb7bf79fee84ad80979b82
    Reviewed-on: https://gerrit.libreoffice.org/58756
    Tested-by: Jenkins
    Reviewed-by: Miklos Vajna <vmiklos at collabora.co.uk>
    (cherry picked from commit 61688aa1abd9db9adbb8dc5d5aacc6269b21fd27)

diff --git a/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx b/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
index 0799c23eca6e..024ee03c38a1 100644
--- a/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
+++ b/xmlsecurity/source/xmlsec/nss/nssinitializer.cxx
@@ -263,6 +263,20 @@ bool nsscrypto_initialize( const css::uno::Reference< css::uno::XComponentContex
     // there might be no profile
     if ( !sCertDir.isEmpty() )
     {
+        if (sCertDir.indexOf(':') == -1) //might be env var with explicit prefix
+        {
+            OUString sCertDirURL;
+            osl::FileBase::getFileURLFromSystemPath(
+                OStringToOUString(sCertDir, osl_getThreadTextEncoding()),
+                sCertDirURL);
+            osl::DirectoryItem item;
+            if (osl::FileBase::E_NOENT != osl::DirectoryItem::get(sCertDirURL + "/cert8.db", item) &&
+                osl::FileBase::E_NOENT == osl::DirectoryItem::get(sCertDirURL + "/cert9.db", item))
+            {
+                SAL_INFO("xmlsecurity.xmlsec", "nsscrypto_initialize: trying to avoid profile migration");
+                sCertDir = "dbm:" + sCertDir;
+            }
+        }
         if( NSS_InitReadWrite( sCertDir.getStr() ) != SECSuccess )
         {
             xmlsec_trace("Initializing NSS with profile failed.");
commit fc1c056a749a6161ab73cff0fd6c88cc2c2f7ce5
Author:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
AuthorDate: Thu Oct 1 15:04:48 2020 +0200
Commit:     Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
CommitDate: Thu Oct 1 15:04:48 2020 +0200

    nss: Fix linux build
    
    Change-Id: I2e3998f4a49a57997e5ee7ea9e8fbe4b4c13b08a

diff --git a/external/nss/nss.patch b/external/nss/nss.patch
index 4e54aa287523..1eb0bf70d866 100644
--- a/external/nss/nss.patch
+++ b/external/nss/nss.patch
@@ -113,7 +113,7 @@
  	$(AR) $(subst /,\\,$(OBJS))
  else
 -	$(AR) $(OBJS)
-+	$(AR) -c $@ $(OBJS)
++	$(AR) cr $@ $(OBJS)
  endif
  	$(RANLIB) $@
  


More information about the Libreoffice-commits mailing list