From ed5640d8b587fbcfed7dd7967f3de04b37a76f26 Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Sun, 7 Apr 2024 11:06:44 +0200
Subject: Adding upstream version 4:7.4.7.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 external/nss/ExternalPackage_nss.mk                |  67 +++++
 external/nss/ExternalProject_nss.mk                | 103 +++++++
 external/nss/Makefile                              |   7 +
 external/nss/Module_nss.mk                         |  18 ++
 external/nss/README                                |  37 +++
 external/nss/UnpackedTarball_nss.mk                |  49 ++++
 external/nss/asan.patch.1                          |  12 +
 external/nss/clang-cl.patch.0                      | 122 +++++++++
 external/nss/macos-dlopen.patch.0                  |  25 ++
 external/nss/nsinstall.py                          | 169 ++++++++++++
 external/nss/nss-android.patch.1                   |  93 +++++++
 external/nss/nss-bz1646594.patch.1                 |  15 ++
 external/nss/nss-ios.patch                         | 300 +++++++++++++++++++++
 .../nss-restore-manual-pre-dependencies.patch.1    |  83 ++++++
 external/nss/nss-win32-make.patch.1                |  20 ++
 external/nss/nss.aix.patch                         | 140 ++++++++++
 external/nss/nss.bzmozilla1238154.patch            |  12 +
 external/nss/nss.cygwin64.in32bit.patch            |  14 +
 external/nss/nss.nowerror.patch                    |  12 +
 external/nss/nss.patch                             | 155 +++++++++++
 external/nss/nss.utf8bom.patch.1                   |  21 ++
 external/nss/nss.vs2015.patch                      |  12 +
 external/nss/nss.vs2015.pdb.patch                  |  22 ++
 external/nss/nss.windows.patch                     |  33 +++
 external/nss/nss_macosx.patch                      |  90 +++++++
 external/nss/ubsan.patch.0                         |  38 +++
 26 files changed, 1669 insertions(+)
 create mode 100644 external/nss/ExternalPackage_nss.mk
 create mode 100644 external/nss/ExternalProject_nss.mk
 create mode 100644 external/nss/Makefile
 create mode 100644 external/nss/Module_nss.mk
 create mode 100644 external/nss/README
 create mode 100644 external/nss/UnpackedTarball_nss.mk
 create mode 100644 external/nss/asan.patch.1
 create mode 100644 external/nss/clang-cl.patch.0
 create mode 100644 external/nss/macos-dlopen.patch.0
 create mode 100644 external/nss/nsinstall.py
 create mode 100644 external/nss/nss-android.patch.1
 create mode 100644 external/nss/nss-bz1646594.patch.1
 create mode 100644 external/nss/nss-ios.patch
 create mode 100644 external/nss/nss-restore-manual-pre-dependencies.patch.1
 create mode 100644 external/nss/nss-win32-make.patch.1
 create mode 100644 external/nss/nss.aix.patch
 create mode 100644 external/nss/nss.bzmozilla1238154.patch
 create mode 100644 external/nss/nss.cygwin64.in32bit.patch
 create mode 100644 external/nss/nss.nowerror.patch
 create mode 100644 external/nss/nss.patch
 create mode 100644 external/nss/nss.utf8bom.patch.1
 create mode 100644 external/nss/nss.vs2015.patch
 create mode 100644 external/nss/nss.vs2015.pdb.patch
 create mode 100644 external/nss/nss.windows.patch
 create mode 100644 external/nss/nss_macosx.patch
 create mode 100644 external/nss/ubsan.patch.0

(limited to 'external/nss')

diff --git a/external/nss/ExternalPackage_nss.mk b/external/nss/ExternalPackage_nss.mk
new file mode 100644
index 000000000..2b15fc3eb
--- /dev/null
+++ b/external/nss/ExternalPackage_nss.mk
@@ -0,0 +1,67 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_ExternalPackage_ExternalPackage,nss,nss))
+
+$(eval $(call gb_ExternalPackage_use_external_project,nss,nss))
+
+ifeq ($(OS),iOS)
+# nothing...
+else ifeq ($(OS),MACOSX)
+$(eval $(call gb_ExternalPackage_add_files,nss,$(LIBO_LIB_FOLDER),\
+		dist/out/lib/libfreebl3.dylib \
+		dist/out/lib/libnspr4.dylib \
+		dist/out/lib/libnss3.dylib \
+		dist/out/lib/libnssckbi.dylib \
+		dist/out/lib/libnssdbm3.dylib \
+		dist/out/lib/libnssutil3.dylib \
+		dist/out/lib/libplc4.dylib \
+		dist/out/lib/libplds4.dylib \
+		dist/out/lib/libsmime3.dylib \
+		dist/out/lib/libsoftokn3.dylib \
+		dist/out/lib/libssl3.dylib \
+))
+else ifeq ($(OS),WNT)
+$(eval $(call gb_ExternalPackage_add_files,nss,$(LIBO_LIB_FOLDER),\
+		dist/out/lib/freebl3.dll \
+		dist/out/lib/nspr4.dll \
+		dist/out/lib/nss3.dll \
+		dist/out/lib/nssckbi.dll \
+		dist/out/lib/nssdbm3.dll \
+		dist/out/lib/nssutil3.dll \
+		dist/out/lib/plc4.dll \
+		dist/out/lib/plds4.dll \
+		dist/out/lib/smime3.dll \
+		dist/out/lib/softokn3.dll \
+		dist/out/lib/sqlite3.dll \
+		dist/out/lib/ssl3.dll \
+))
+else # OS!=WNT/MACOSX
+$(eval $(call gb_ExternalPackage_add_files,nss,$(LIBO_LIB_FOLDER),\
+		dist/out/lib/libfreebl3.so \
+		dist/out/lib/libnspr4.so \
+		dist/out/lib/libnss3.so \
+		dist/out/lib/libnssckbi.so \
+		dist/out/lib/libnssdbm3.so \
+		dist/out/lib/libnssutil3.so \
+		dist/out/lib/libplc4.so \
+		dist/out/lib/libplds4.so \
+		dist/out/lib/libsmime3.so \
+		dist/out/lib/libsoftokn3.so \
+		dist/out/lib/libssl3.so \
+		dist/out/lib/libsqlite3.so \
+))
+endif
+ifeq ($(OS),LINUX)
+$(eval $(call gb_ExternalPackage_add_files,nss,$(LIBO_LIB_FOLDER),\
+		dist/out/lib/libfreeblpriv3.so \
+))
+endif
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/nss/ExternalProject_nss.mk b/external/nss/ExternalProject_nss.mk
new file mode 100644
index 000000000..ee3c7839f
--- /dev/null
+++ b/external/nss/ExternalProject_nss.mk
@@ -0,0 +1,103 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_ExternalProject_ExternalProject,nss))
+
+# nss build calls configure for nspr itself - if for some reason the configure step should be split out,
+# make sure to create config.status (aka run configure) in dir specified with OBJDIR_NAME (nspr/out)
+$(eval $(call gb_ExternalProject_register_targets,nss,\
+	build \
+))
+
+$(eval $(call gb_ExternalProject_use_externals,nss,\
+	zlib \
+))
+
+ifeq ($(OS),WNT)
+$(call gb_ExternalProject_get_state_target,nss,build): \
+		$(call gb_ExternalExecutable_get_dependencies,python) \
+		$(SRCDIR)/external/nss/nsinstall.py
+	$(call gb_Trace_StartRange,nss,EXTERNAL)
+	$(call gb_ExternalProject_run,build,\
+		$(if $(MSVC_USE_DEBUG_RUNTIME),USE_DEBUG_RTL=1,BUILD_OPT=1) \
+		$(if $(gb_Module_CURRENTMODULE_SYMBOLS_ENABLED), \
+			MOZ_DEBUG_SYMBOLS=1 \
+			MOZ_DEBUG_FLAGS=" " \
+			OPT_CODE_SIZE=0) \
+		OS_TARGET=WIN95 \
+		USE_SYSTEM_ZLIB=1 \
+		$(if $(filter X86_64,$(CPUNAME)),USE_64=1) \
+		$(if $(filter AARCH64,$(CPUNAME)),USE_64=1 CPU_ARCH=aarch64) \
+		LIB="$(ILIB)" \
+		XCFLAGS="$(SOLARINC) $(ZLIB_CFLAGS)" \
+		NSPR_CONFIGURE_OPTS="$(gb_CONFIGURE_PLATFORMS)" \
+		$(if $(CROSS_COMPILING),\
+			CROSS_COMPILE=1 \
+			$(if $(filter AARCH64,$(CPUNAME)),CPU_ARCH=aarch64)) \
+		$(MAKE) nss_build_all RC="rc.exe $(SOLARINC)" \
+			NSINSTALL='$(call gb_ExternalExecutable_get_command,python) $(SRCDIR)/external/nss/nsinstall.py' \
+			NSS_DISABLE_GTESTS=1 \
+			CCC="$(CXX)" \
+	,nss)
+	$(call gb_Trace_EndRange,nss,EXTERNAL)
+
+else # OS!=WNT
+# make sure to specify NSPR_CONFIGURE_OPTS as env (before make command), so nss can append it's own defaults
+# OTOH specify e.g. CC and NSINSTALL as arguments (after make command), so they will overrule nss makefile values
+$(call gb_ExternalProject_get_state_target,nss,build): \
+		$(call gb_ExternalExecutable_get_dependencies,python) \
+		$(SRCDIR)/external/nss/nsinstall.py
+	$(call gb_Trace_StartRange,nss,EXTERNAL)
+	$(call gb_ExternalProject_run,build,\
+		$(if $(filter ANDROID FREEBSD LINUX MACOSX,$(OS)),$(if $(filter X86_64,$(CPUNAME)),USE_64=1)) \
+		$(if $(filter AARCH64,$(CPUNAME)),USE_64=1 CPU_ARCH=aarch64) \
+		$(if $(filter POWERPC64,$(CPUNAME)),USE_64=1 CPU_ARCH=ppc64le) \
+		$(if $(filter MACOSX,$(OS)),\
+			MACOS_SDK_DIR=$(MACOSX_SDK_PATH) \
+			NSS_USE_SYSTEM_SQLITE=1) \
+		$(if $(filter LINUX,$(OS)),$(if $(ENABLE_DBGUTIL),,BUILD_OPT=1)) \
+		$(if $(filter SOLARIS,$(OS)),NS_USE_GCC=1) \
+		$(if $(filter ARM,$(CPUNAME)),NSS_DISABLE_ARM32_NEON=1) \
+		NSPR_CONFIGURE_OPTS="$(gb_CONFIGURE_PLATFORMS)" \
+		$(if $(CROSS_COMPILING),CROSS_COMPILE=1) \
+		$(if $(filter MACOSX-X86_64-arm64,$(OS)-$(CPUNAME)-$(shell uname -m)), \
+			CPU_ARCH=x86_64) \
+		NSDISTMODE=copy \
+		$(MAKE) \
+			AR="$(AR)" \
+			RANLIB="$(RANLIB)" \
+			NMEDIT="$(NM)edit" \
+			COMMA=$(COMMA) \
+			CC="$(CC)$(if $(filter iOS,$(OS)), -DNSS_STATIC_SOFTOKEN=1 -DNSS_STATIC_FREEBL=1 -DNSS_STATIC_PKCS11=1)$(if $(filter ANDROID,$(OS)), -D_PR_NO_LARGE_FILES=1 -DSQLITE_DISABLE_LFS=1)" CCC="$(CXX)" \
+			$(if $(CROSS_COMPILING),NSINSTALL="$(if $(filter MACOSX,$(OS_FOR_BUILD)),xcrun python3,$(call gb_ExternalExecutable_get_command,python)) $(SRCDIR)/external/nss/nsinstall.py") \
+			$(if $(filter ANDROID,$(OS)),OS_TARGET=Android OS_TARGET_RELEASE=16 ARCHFLAG="" DEFAULT_COMPILER=clang ANDROID_NDK=$(ANDROID_NDK_DIR) ANDROID_TOOLCHAIN_VERSION=$(ANDROID_GCC_TOOLCHAIN_VERSION) ANDROID_PREFIX=$(HOST_PLATFORM) ANDROID_SYSROOT=$(ANDROID_NDK_DIR)/sysroot ANDROID_TOOLCHAIN=$(ANDROID_BINUTILS_PREBUILT_ROOT)) \
+			NSS_DISABLE_GTESTS=1 \
+			nss_build_all \
+		&& rm -f $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/*.a \
+		$(if $(filter MACOSX,$(OS)),\
+			&& chmod u+w $(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib/*.dylib \
+			&& $(PERL) \
+				$(SRCDIR)/solenv/bin/macosx-change-install-names.pl shl OOO \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libfreebl3.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libnspr4.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libnss3.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libnssckbi.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libnssdbm3.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libnssutil3.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libplc4.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libplds4.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libsmime3.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libsoftokn3.dylib \
+				$(EXTERNAL_WORKDIR)/dist/out/lib/libssl3.dylib) \
+	,nss)
+	$(call gb_Trace_EndRange,nss,EXTERNAL)
+
+endif
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/nss/Makefile b/external/nss/Makefile
new file mode 100644
index 000000000..e4968cf85
--- /dev/null
+++ b/external/nss/Makefile
@@ -0,0 +1,7 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+
+module_directory:=$(dir $(realpath $(firstword $(MAKEFILE_LIST))))
+
+include $(module_directory)/../../solenv/gbuild/partial_build.mk
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/nss/Module_nss.mk b/external/nss/Module_nss.mk
new file mode 100644
index 000000000..eae9e9524
--- /dev/null
+++ b/external/nss/Module_nss.mk
@@ -0,0 +1,18 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_Module_Module,nss))
+
+$(eval $(call gb_Module_add_targets,nss,\
+	UnpackedTarball_nss \
+	ExternalPackage_nss \
+	ExternalProject_nss \
+))
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/nss/README b/external/nss/README
new file mode 100644
index 000000000..6997cea6c
--- /dev/null
+++ b/external/nss/README
@@ -0,0 +1,37 @@
+Contains the Network Security Services (NSS) libraries from Mozilla
+
+== Fips 140 and signed libraries ==
+
+Fips 140 mode is not supported. That is, the *.chk files containing the
+checksums for the cryptographic module are not delivered into instdir and will
+not be part of the OOo installation sets.
+
+Signing has been turned off because
+- we change the rpath (install names)  after signing which breaks the signatures
+(Mac)
+- sqlite conflicts with the system sqlite when signing which breaks the build
+
+See also
+[https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6]
+
+== libsqlite3 ==
+
+With all supported macOS SDK we use
+NSS_USE_SYSTEM_SQLITE=1
+to build using the system sqlite.
+
+== system NSS on Linux ==
+
+Note that different Linux distributions use different SONAMEs for the
+NSS libraries, so it is not possible to use --with-system-nss and build
+a portable generic LO installation set, despite NSS upstream apparently
+maintaining ABI compatibility.
+
+Debian Squeeze:
+0x000000000000000e (SONAME)             Library soname: [libnss3.so.1d]
+Fedora 20:
+0x000000000000000e (SONAME)             Library soname: [libnss3.so]
+
+For the record, the LSB specified SONAME is libnss3.so
+http://refspecs.linuxfoundation.org/LSB_4.1.0/LSB-Core-generic/LSB-Core-generic/libnss3.html
+
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
new file mode 100644
index 000000000..ab64f95de
--- /dev/null
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -0,0 +1,49 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_UnpackedTarball_UnpackedTarball,nss))
+
+$(eval $(call gb_UnpackedTarball_set_tarball,nss,$(NSS_TARBALL)))
+
+$(eval $(call gb_UnpackedTarball_update_autoconf_configs,nss,nspr/build/autoconf))
+
+$(eval $(call gb_UnpackedTarball_add_patches,nss,\
+    external/nss/nss.patch \
+    external/nss/nss.aix.patch \
+    external/nss/nss_macosx.patch \
+    external/nss/nss-win32-make.patch.1 \
+    external/nss/ubsan.patch.0 \
+    external/nss/clang-cl.patch.0 \
+    external/nss/nss.vs2015.patch \
+    external/nss/nss.vs2015.pdb.patch \
+    external/nss/nss.bzmozilla1238154.patch \
+    external/nss/nss-bz1646594.patch.1 \
+    external/nss/macos-dlopen.patch.0 \
+    external/nss/nss-restore-manual-pre-dependencies.patch.1 \
+    $(if $(filter iOS,$(OS)), \
+        external/nss/nss-ios.patch) \
+    $(if $(filter ANDROID,$(OS)), \
+        external/nss/nss-android.patch.1) \
+    $(if $(filter MSC-INTEL,$(COM)-$(CPUNAME)), \
+        external/nss/nss.cygwin64.in32bit.patch) \
+    $(if $(filter WNT,$(OS)), \
+        external/nss/nss.windows.patch \
+        external/nss/nss.nowerror.patch \
+        external/nss/nss.utf8bom.patch.1) \
+))
+
+ifeq ($(COM_IS_CLANG),TRUE)
+ifneq ($(filter -fsanitize=%,$(CC)),)
+$(eval $(call gb_UnpackedTarball_add_patches,nss,\
+    external/nss/asan.patch.1 \
+))
+endif
+endif
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/nss/asan.patch.1 b/external/nss/asan.patch.1
new file mode 100644
index 000000000..ccabd446e
--- /dev/null
+++ b/external/nss/asan.patch.1
@@ -0,0 +1,12 @@
+diff -ur nss.org/nss/coreconf/Linux.mk nss/nss/coreconf/Linux.mk
+--- nss.org/nss/coreconf/Linux.mk	2014-05-06 04:36:01.817838877 +0200
++++ nss/nss/coreconf/Linux.mk	2014-05-06 04:37:25.387835456 +0200
+@@ -157,7 +157,7 @@
+ # we don't use -z defs there.
+ # Also, -z defs conflicts with Address Sanitizer, which emits relocations
+ # against the libsanitizer runtime built into the main executable.
+-ZDEFS_FLAG		= -Wl,-z,defs
++ZDEFS_FLAG		=
+ DSO_LDOPTS     += $(if $(findstring 2.11.90.0.8,$(shell $(LD) -v)),,$(ZDEFS_FLAG)) $(if $(filter-out $(OS),ANDROID),-Wl$(COMMA)-z$(COMMA)origin '-Wl$(COMMA)-rpath$(COMMA)$$ORIGIN')
+ LDFLAGS		   += $(ARCHFLAG) -z noexecstack
+ 
diff --git a/external/nss/clang-cl.patch.0 b/external/nss/clang-cl.patch.0
new file mode 100644
index 000000000..e20aab3b9
--- /dev/null
+++ b/external/nss/clang-cl.patch.0
@@ -0,0 +1,122 @@
+# "#pragma deprecated" and "#pragma intrinsic" not (yet?) handled in the "if
+# (LangOpts.MicrosoftExt)" block in Preprocessor::RegisterBuiltinPragmas in
+# Clang's lib/Lex/Pragma.cpp:
+--- nspr/pr/include/pratom.h
++++ nspr/pr/include/pratom.h
+@@ -83,7 +83,7 @@
+ 
+ #include <intrin.h>
+ 
+-#ifdef _MSC_VER
++#if defined _WIN32 && !defined __clang__
+ #pragma intrinsic(_InterlockedIncrement)
+ #pragma intrinsic(_InterlockedDecrement)
+ #pragma intrinsic(_InterlockedExchange)
+--- nspr/pr/include/prbit.h
++++ nspr/pr/include/prbit.h
+@@ -15,7 +15,7 @@
+ */
+ #if defined(_WIN32) && (_MSC_VER >= 1300) && \
+     (defined(_M_IX86) || defined(_M_X64) || defined(_M_ARM) || \
+-     defined(_M_ARM64))
++     defined(_M_ARM64)) && !defined __clang__
+ # include <intrin.h>
+ # pragma  intrinsic(_BitScanForward,_BitScanReverse)
+ __forceinline static int __prBitScanForward32(unsigned int val)
+@@ -33,7 +33,7 @@
+ # define pr_bitscan_ctz32(val)  __prBitScanForward32(val)
+ # define pr_bitscan_clz32(val)  __prBitScanReverse32(val)
+ # define  PR_HAVE_BUILTIN_BITSCAN32
+-#elif ((__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)) && \
++#elif defined __GNUC__ && ((__GNUC__ >= 4) || (__GNUC__ == 3 && __GNUC_MINOR__ >= 4)) && \
+        (defined(__i386__) || defined(__x86_64__) || defined(__arm__) || \
+         defined(__aarch64__))
+ # define pr_bitscan_ctz32(val)  __builtin_ctz(val)
+@@ -138,7 +138,7 @@
+ */
+ 
+ #if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || \
+-    defined(_M_X64) || defined(_M_ARM) || defined(_M_ARM64))
++    defined(_M_X64) || defined(_M_ARM) || defined(_M_ARM64)) && !defined __clang__
+ #include <stdlib.h>
+ #pragma intrinsic(_rotl, _rotr)
+ #define PR_ROTATE_LEFT32(a, bits) _rotl(a, bits)
+--- nss/lib/certdb/certdb.h
++++ nss/lib/certdb/certdb.h
+@@ -21,7 +21,7 @@
+ /* On Windows, Mac, and Linux (and other gcc platforms), we can give compile
+  * time deprecation warnings when applications use the old CERTDB_VALID_PEER
+  * define */
+-#if __GNUC__ > 3
++#if defined __GNUC__ && __GNUC__ > 3
+ #if (__GNUC__ == 4) && (__GNUC_MINOR__ < 5)
+ typedef unsigned int __CERTDB_VALID_PEER __attribute__((deprecated));
+ #else
+@@ -30,7 +30,7 @@
+ #endif
+ #define CERTDB_VALID_PEER ((__CERTDB_VALID_PEER)CERTDB_TERMINAL_RECORD)
+ #else
+-#ifdef _WIN32
++#if defined _WIN32 && !defined __clang__
+ #pragma deprecated(CERTDB_VALID_PEER)
+ #endif
+ #define CERTDB_VALID_PEER CERTDB_TERMINAL_RECORD
+--- nss/lib/freebl/blapit.h
++++ nss/lib/freebl/blapit.h
+@@ -53,7 +53,7 @@
+  * Mark the old defines as deprecated. This will warn code that expected
+  * DSA1 only that they need to change if the are to support DSA2.
+  */
+-#if defined(__GNUC__) && (__GNUC__ > 3)
++#if defined(__GNUC__) && (__GNUC__ > 3) || defined __clang__
+ /* make GCC warn when we use these #defines */
+ typedef int __BLAPI_DEPRECATED __attribute__((deprecated));
+ #define DSA_SUBPRIME_LEN ((__BLAPI_DEPRECATED)DSA1_SUBPRIME_LEN)
+--- nss/lib/util/pkcs11n.h
++++ nss/lib/util/pkcs11n.h
+@@ -563,7 +563,7 @@
+ /* keep the old value for compatibility reasons*/
+ #define CKT_NSS_MUST_VERIFY ((__CKT_NSS_MUST_VERIFY)(CKT_NSS + 4))
+ #else
+-#ifdef _WIN32
++#if defined _WIN32 && !defined __clang__
+ /* This magic gets the windows compiler to give us a deprecation
+  * warning */
+ #pragma deprecated(CKT_NSS_UNTRUSTED, CKT_NSS_MUST_VERIFY, CKT_NSS_VALID)
+
+# While MSVC uses
+#  #pragma warning(disable : 4103)
+# in the inner pkcs11p.h, clang-cl wants
+#  #pragma clang diagnostic ignored "-Wpragma-pack"
+# in the outer pkcs11t.h:
+--- nss/lib/util/pkcs11t.h
++++ nss/lib/util/pkcs11t.h
+@@ -78,7 +78,14 @@
+ #define CK_INVALID_HANDLE 0
+ 
+ /* pack */
++#if defined __clang__ && defined _MSC_VER
++#pragma clang diagnostic push
++#pragma clang diagnostic ignored "-Wpragma-pack"
++#endif
+ #include "pkcs11p.h"
++#if defined __clang__ && defined _MSC_VER
++#pragma clang diagnostic pop
++#endif
+ 
+ typedef struct CK_VERSION {
+     CK_BYTE major; /* integer portion of version number */
+@@ -2586,6 +2593,13 @@
+ #include "pkcs11n.h"
+ 
+ /* undo packing */
++#if defined __clang__ && defined _MSC_VER
++#pragma clang diagnostic push
++#pragma clang diagnostic ignored "-Wpragma-pack"
++#endif
+ #include "pkcs11u.h"
++#if defined __clang__ && defined _MSC_VER
++#pragma clang diagnostic pop
++#endif
+ 
+ #endif
diff --git a/external/nss/macos-dlopen.patch.0 b/external/nss/macos-dlopen.patch.0
new file mode 100644
index 000000000..e8abc8f59
--- /dev/null
+++ b/external/nss/macos-dlopen.patch.0
@@ -0,0 +1,25 @@
+--- nspr/pr/src/linking/prlink.c
++++ nspr/pr/src/linking/prlink.c
+@@ -555,7 +555,7 @@
+          * The reason is that DARWIN's dlopen ignores the provided path
+          * and checks for the plain filename in DYLD_LIBRARY_PATH,
+          * which could load an unexpected version of a library. */
+-        if (strchr(name, PR_DIRECTORY_SEPARATOR) == NULL) {
++        if (strchr(name, PR_DIRECTORY_SEPARATOR) == NULL || strncmp(name, "@loader_path/", 13) == 0) {
+           /* no slash, allow to load from any location */
+           okToLoad = PR_TRUE;
+         } else {
+--- nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
++++ nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpcertstore.c
+@@ -224,7 +224,11 @@
+ static PRStatus PR_CALLBACK pkix_getDecodeFunction(void)
+ {
+     pkix_decodeFunc.smimeLib = 
++#if defined DARWIN
++		PR_LoadLibrary("@loader_path/" SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
++#else
+ 		PR_LoadLibrary(SHLIB_PREFIX"smime3."SHLIB_SUFFIX);
++#endif
+     if (pkix_decodeFunc.smimeLib == NULL) {
+ 	return PR_FAILURE;
+     }
diff --git a/external/nss/nsinstall.py b/external/nss/nsinstall.py
new file mode 100644
index 000000000..d90a85e6c
--- /dev/null
+++ b/external/nss/nsinstall.py
@@ -0,0 +1,169 @@
+# ***** BEGIN LICENSE BLOCK *****
+# Version: MPL 1.1/GPL 2.0/LGPL 2.1
+#
+# The contents of this file are subject to the Mozilla Public License Version
+# 1.1 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# http://www.mozilla.org/MPL/
+#
+# Software distributed under the License is distributed on an "AS IS" basis,
+# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+# for the specific language governing rights and limitations under the
+# License.
+#
+# The Original Code is Mozilla.
+#
+# The Initial Developer of the Original Code is
+# the Mozilla Foundation.
+# Portions created by the Initial Developer are Copyright (C) 2007
+# the Initial Developer. All Rights Reserved.
+#
+# Contributor(s):
+#   Axel Hecht <axel@pike.org>
+#
+# Alternatively, the contents of this file may be used under the terms of
+# either the GNU General Public License Version 2 or later (the "GPL"), or
+# the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+# in which case the provisions of the GPL or the LGPL are applicable instead
+# of those above. If you wish to allow use of your version of this file only
+# under the terms of either the GPL or the LGPL, and not to allow others to
+# use your version of this file under the terms of the MPL, indicate your
+# decision by deleting the provisions above and replace them with the notice
+# and other provisions required by the GPL or the LGPL. If you do not delete
+# the provisions above, a recipient may use your version of this file under
+# the terms of any one of the MPL, the GPL or the LGPL.
+#
+# ***** END LICENSE BLOCK *****
+
+# This is a partial python port of nsinstall.
+# It's intended to be used when there's no natively compile nsinstall
+# available, and doesn't intend to be fully equivalent.
+# Its major use is for l10n repackaging on systems that don't have
+# a full build environment set up.
+# The basic limitation is, it doesn't even try to link and ignores
+# all related options.
+
+from optparse import OptionParser
+import os
+import os.path
+import sys
+import shutil
+
+def nsinstall(argv):
+  usage = "usage: %prog [options] arg1 [arg2 ...] target-directory"
+  p = OptionParser(usage=usage)
+
+  p.add_option('-D', action="store_true",
+               help="Create a single directory only")
+  p.add_option('-t', action="store_true",
+               help="Preserve time stamp")
+  p.add_option('-m', action="store",
+               help="Set mode", metavar="mode")
+  p.add_option('-d', action="store_true",
+               help="Create directories in target")
+  p.add_option('-R', action="store_true",
+               help="Use relative symbolic links (ignored)")
+  p.add_option('-l', action="store_true",
+               help="Create link (ignored)")
+  p.add_option('-L', action="store", metavar="linkprefix",
+               help="Link prefix (ignored)")
+
+  # The remaining arguments are not used in our tree, thus they're not
+  # implented.
+  def BadArg(option, opt, value, parser):
+    parser.error('option not supported: %s' % opt)
+    
+  p.add_option('-C', action="callback", metavar="CWD",
+               callback=BadArg,
+               help="NOT SUPPORTED")
+  p.add_option('-o', action="callback", callback=BadArg,
+               help="Set owner (NOT SUPPORTED)", metavar="owner")
+  p.add_option('-g', action="callback", callback=BadArg,
+               help="Set group (NOT SUPPORTED)", metavar="group")
+
+  (options, args) = p.parse_args(argv)
+
+  if options.m:
+    # mode is specified
+    try:
+      options.m = int(options.m, 8)
+      # I have no idea why nss insists on using this mode for installed headers.
+      # It causes problems with updating the files during a rebuild.
+      if options.m == 0o444:
+        options.m = 0o644
+    except:
+      sys.stderr.write('nsinstall: ' + options.m + ' is not a valid mode\n')
+      return 1
+
+  # just create one directory?
+  if options.D:
+    if len(args) != 1:
+      return 1
+    try:
+      if options.m:
+        os.makedirs(args[0], options.m)
+      else:
+        os.makedirs(args[0])
+    except FileExistsError:
+      if not os.path.isdir(args[0]):
+        sys.stderr.write('nsinstall: ' + args[0] + ' is not a directory\n')
+        sys.exit(1)
+      if options.m:
+        os.chmod(args[0], options.m)
+    return 0
+
+  # nsinstall arg1 [...] directory
+  if len(args) < 2:
+    p.error('not enough arguments')
+
+  def copy_all_entries(entries, target):
+    for e in entries:
+      dest = os.path.join(target,
+                          os.path.basename(os.path.normpath(e)))
+      handleTarget(e, dest)
+      if options.m:
+        os.chmod(dest, options.m)
+
+  # set up handler
+  if options.d:
+    # we're supposed to create directories
+    def handleTarget(srcpath, targetpath):
+      # target directory was already created, just use mkdir
+      os.mkdir(targetpath)
+  else:
+    # we're supposed to copy files
+    def handleTarget(srcpath, targetpath):
+      if os.path.isdir(srcpath):
+        if not os.path.exists(targetpath):
+          os.mkdir(targetpath)
+        entries = [os.path.join(srcpath, e) for e in os.listdir(srcpath)]
+        copy_all_entries(entries, targetpath)
+        # options.t is not relevant for directories
+        if options.m:
+          os.chmod(targetpath, options.m)
+      elif options.t:
+        if os.path.exists(targetpath):
+          os.remove(targetpath)
+        shutil.copy2(srcpath, targetpath)
+      else:
+        if os.path.exists(targetpath):
+          os.chmod(targetpath, 0o755)
+          os.remove(targetpath)
+        shutil.copy(srcpath, targetpath)
+
+  # the last argument is the target directory
+  target = args.pop()
+  # ensure target directory
+  if not os.path.isdir(target):
+    try:
+      os.makedirs(target)
+    except FileExistsError:
+      if not os.path.isdir(target):
+        sys.stderr.write('nsinstall: ' + target + ' is not a directoy!\n')
+        return 1
+
+  copy_all_entries(args, target)
+  return 0
+
+if __name__ == '__main__':
+  sys.exit(nsinstall(sys.argv[1:]))
diff --git a/external/nss/nss-android.patch.1 b/external/nss/nss-android.patch.1
new file mode 100644
index 000000000..707fcf99a
--- /dev/null
+++ b/external/nss/nss-android.patch.1
@@ -0,0 +1,93 @@
+diff -ur nss.org/nspr/build/autoconf/config.sub nss/nspr/build/autoconf/config.sub
+--- nss.org/nspr/build/autoconf/config.sub	2017-09-07 15:29:45.031246453 +0200
++++ nss/nspr/build/autoconf/config.sub	2017-09-07 15:32:13.087235423 +0200
+@@ -110,6 +110,11 @@
+     exit 1;;
+ esac
+ 
++if test $1 = "arm-unknown-linux-androideabi"; then echo $1; exit; fi
++if test $1 = "aarch64-unknown-linux-android"; then echo $1; exit; fi
++if test $1 = "i686-pc-linux-android"; then echo $1; exit; fi
++if test $1 = "x86_64-pc-linux-android"; then echo $1; exit; fi
++
+ # Split fields of configuration type
+ # shellcheck disable=SC2162
+ IFS="-" read field1 field2 field3 field4 <<EOF
+diff -ur nss.org/nspr/configure nss/nspr/configure
+--- nss.org/nspr/configure	2017-09-07 15:29:45.018246359 +0200
++++ nss/nspr/configure	2017-09-07 15:31:47.604075663 +0200
+@@ -2728,18 +2728,15 @@
+     esac
+ 
+         AS="$android_toolchain"/bin/"$android_tool_prefix"-as
+-    CC="$android_toolchain"/bin/"$android_tool_prefix"-gcc
+-    CXX="$android_toolchain"/bin/"$android_tool_prefix"-g++
+-    CPP="$android_toolchain"/bin/"$android_tool_prefix"-cpp
++    CC="$CC"
++    CXX="$CXX"
++    CPP="$CC" -E
+     LD="$android_toolchain"/bin/"$android_tool_prefix"-ld
+     AR="$android_toolchain"/bin/"$android_tool_prefix"-ar
+     RANLIB="$android_toolchain"/bin/"$android_tool_prefix"-ranlib
+     STRIP="$android_toolchain"/bin/"$android_tool_prefix"-strip
+ 
+     CPPFLAGS="-I$android_platform/usr/include $CPPFLAGS"
+-    CFLAGS="-mandroid -I$android_platform/usr/include -fno-short-enums -fno-exceptions $CFLAGS"
+-    CXXFLAGS="-mandroid -I$android_platform/usr/include -fpic -fno-short-enums -fno-exceptions $CXXFLAGS"
+-    LDFLAGS="-mandroid -L$android_platform/usr/lib -Wl,-rpath-link=$android_platform/usr/lib --sysroot=$android_platform $LDFLAGS"
+ 
+     $as_echo "#define ANDROID 1" >>confdefs.h
+ 
+diff -ur nss.org/nss/Makefile nss/nss/Makefile
+--- nss.org/nss/Makefile	2017-09-07 15:29:44.933245745 +0200
++++ nss/nss/Makefile	2017-09-07 15:32:04.347181076 +0200
+@@ -65,7 +65,7 @@
+ 
+ ifeq ($(OS_TARGET),Android)
+ NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) \
+-                       --target=$(ANDROID_PREFIX) \
++                       --with-arch=toolchain-default \
+                        --with-android-version=$(OS_TARGET_RELEASE) \
+                        --with-android-toolchain=$(ANDROID_TOOLCHAIN) \
+                        --with-android-platform=$(ANDROID_SYSROOT)
+--- nss/nss/Makefile.orig	2019-11-26 14:52:15.934561202 +0100
++++ nss/nss/Makefile	2019-11-26 14:52:20.538559612 +0100
+@@ -140,7 +140,6 @@
+ 
+ build_nspr: $(NSPR_CONFIG_STATUS)
+ 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
+ 
+ install_nspr: build_nspr
+ 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+--- nss/nss/lib/ckfw/builtins/manifest.mn.orig	2019-11-26 15:18:22.185985193 +0100
++++ nss/nss/lib/ckfw/builtins/manifest.mn	2019-11-26 15:18:29.281982387 +0100
+@@ -5,7 +5,7 @@
+ 
+ CORE_DEPTH = ../../..
+ 
+-DIRS = testlib
++DIRS =
+ 
+ MODULE = nss
+ 
+diff -ur nss/nss/coreconf/arch.mk nss/nss/coreconf/arch.mk
+--- nss/nss/coreconf/arch.mk	2019-11-01 10:29:44.933245745 +0100
++++ nss/nss/coreconf/arch.mk	2019-11-01 10:32:04.347181076 +0100
+@@ -213,7 +213,15 @@
+ #
+ # this should be  configurable from the user
+ #
+-   OS_TEST := arm
++   ifneq (,$(filter x86 x86_64,$(ANDROID_APP_ABI)))
++       OS_TEST := $(ANDROID_APP_ABI)
++   else
++       ifeq ($(USE_64),1)
++          OS_TEST := aarch64
++       else
++          OS_TEST := arm
++       endif
++   endif
+    OS_ARCH = Android
+    ifndef OS_TARGET_RELEASE
+ 	OS_TARGET_RELEASE := 8
diff --git a/external/nss/nss-bz1646594.patch.1 b/external/nss/nss-bz1646594.patch.1
new file mode 100644
index 000000000..cffb9f5fe
--- /dev/null
+++ b/external/nss/nss-bz1646594.patch.1
@@ -0,0 +1,15 @@
+regression from https://bugzilla.mozilla.org/show_bug.cgi?id=1646594
+
+--- nss/nss/coreconf/arch.mk.orig2	2020-08-18 14:33:21.295252404 +0200
++++ nss/nss/coreconf/arch.mk	2020-08-18 14:33:46.360320806 +0200
+@@ -94,8 +94,10 @@
+ 	OS_RELEASE := $(word 1,$(OS_RELEASE)).$(word 2,$(OS_RELEASE))
+     endif
+     KERNEL = Linux
++ifneq ($(OS_TARGET),Android)
+     include $(CORE_DEPTH)/coreconf/Linux.mk
+ endif
++endif
+ 
+ # Since all uses of OS_ARCH that follow affect only userland, we can
+ # merge other Glibc systems with Linux here.
diff --git a/external/nss/nss-ios.patch b/external/nss/nss-ios.patch
new file mode 100644
index 000000000..58239f718
--- /dev/null
+++ b/external/nss/nss-ios.patch
@@ -0,0 +1,300 @@
+--- a/a/nss/Makefile
++++ a/a/nss/Makefile
+@@ -91,13 +91,11 @@
+ ifdef NS_USE_GCC
+ NSPR_CONFIGURE_ENV = CC=gcc CXX=g++
+ endif
+-# Make sure to remove -arch arguments. NSPR can't handle that.
+-remove_arch = $(filter-out __REMOVEME%,$(subst $(NULL) -arch , __REMOVEME,$(1)))
+ ifdef CC
+-NSPR_CONFIGURE_ENV = CC="$(call remove_arch,$(CC))"
++NSPR_CONFIGURE_ENV = CC="$(CC)"
+ endif
+ ifdef CCC
+-NSPR_CONFIGURE_ENV += CXX="$(call remove_arch,$(CCC))"
++NSPR_CONFIGURE_ENV += CXX="$(CCC)"
+ endif
+ 
+ #
+@@ -140,7 +138,6 @@
+ 
+ build_nspr: $(NSPR_CONFIG_STATUS)
+ 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
+ 
+ install_nspr: build_nspr
+ 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+--- a/a/nss/lib/ckfw/builtins/manifest.mn
++++ a/a/nss/lib/ckfw/builtins/manifest.mn
+@@ -5,7 +5,7 @@
+ 
+ CORE_DEPTH = ../../..
+ 
+-DIRS = testlib
++DIRS =
+ 
+ MODULE = nss
+ 
+--- a/a/nss/lib/nss/nssinit.c
++++ a/a/nss/lib/nss/nssinit.c
+@@ -275,6 +275,7 @@
+                           const char *secmodprefix,
+                           char **retoldpath, char **retnewpath)
+ {
++#ifndef NSS_STATIC_PKCS11
+     char *path, *oldpath = NULL, *lastsep;
+     int len, path_len, secmod_len, dll_len;
+ 
+@@ -309,6 +310,10 @@
+     }
+     *retoldpath = oldpath;
+     *retnewpath = path;
++#else
++    *retoldpath = NULL;
++    *retnewpath = PORT_Strdup("NSSCKBI");
++#endif
+     return;
+ }
+ 
+--- a/a/nss/lib/pk11wrap/pk11load.c
++++ a/a/nss/lib/pk11wrap/pk11load.c
+@@ -390,6 +390,8 @@
+ /*
+  * load a new module into our address space and initialize it.
+  */
++extern CK_RV NSSCKBI_C_GetFunctionList();
++
+ SECStatus
+ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
+ {
+@@ -468,6 +470,7 @@
+ /* load the library. If this succeeds, then we have to remember to
+          * unload the library if anything goes wrong from here on out...
+          */
++#ifndef NSS_STATIC_PKCS11 // With NSS_STATIC_PKCS11, the only module wodule we load here is nssckbi
+ #if defined(_WIN32)
+         if (nssUTF8_Length(mod->dllName, NULL)) {
+             wchar_t *dllNameWide = _NSSUTIL_UTF8ToWide(mod->dllName);
+@@ -507,6 +510,11 @@
+             mod->moduleDBFunc = (void *)
+                 PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
+         }
++#else
++        if (strcmp(mod->dllName, "NSSCKBI") == 0)
++            fentry = NSSCKBI_C_GetFunctionList;
++#endif
++
+         if (mod->moduleDBFunc == NULL)
+             mod->isModuleDB = PR_FALSE;
+         if ((ientry == NULL) && (fentry == NULL)) {
+@@ -643,10 +651,12 @@
+     }
+ fail:
+     mod->functionList = NULL;
++#ifndef NSS_STATIC_PKCS11
+     disableUnload = PR_GetEnvSecure("NSS_DISABLE_UNLOAD");
+     if (library && !disableUnload) {
+         PR_UnloadLibrary(library);
+     }
++#endif
+     return SECFailure;
+ }
+ 
+--- a/a/nss/lib/ckfw/nssck.api
++++ a/a/nss/lib/ckfw/nssck.api
+@@ -1842,7 +1842,11 @@
+ 
+ /* This one is always present */
+ CK_RV CK_ENTRY
++#ifndef NSS_STATIC_PKCS11
+ C_GetFunctionList
++#else
++NSSCKBI_C_GetFunctionList
++#endif
+ (
+   CK_FUNCTION_LIST_PTR_PTR ppFunctionList
+ )
+--- a/a/nss/lib/freebl/loader.c
++++ a/a/nss/lib/freebl/loader.c
+@@ -35,6 +35,7 @@
+ static PRStatus
+ freebl_LoadDSO(void)
+ {
++#ifndef NSS_STATIC_FREEBL
+     PRLibrary *handle;
+     const char *name = getLibName();
+ 
+@@ -47,32 +48,42 @@
+     if (handle) {
+         PRFuncPtr address = PR_FindFunctionSymbol(handle, "FREEBL_GetVector");
+         if (address) {
+-            FREEBLGetVectorFn *getVector = (FREEBLGetVectorFn *)address;
++#else
++            FREEBLGetVectorFn *getVector = FREEBL_GetVector;
++#endif
+             const FREEBLVector *dsoVector = getVector();
+             if (dsoVector) {
+                 unsigned short dsoVersion = dsoVector->version;
+                 unsigned short myVersion = FREEBL_VERSION;
+                 if (MSB(dsoVersion) == MSB(myVersion) &&
+                     LSB(dsoVersion) >= LSB(myVersion) &&
+                     dsoVector->length >= sizeof(FREEBLVector)) {
+                     vector = dsoVector;
++#ifndef NSS_STATIC_FREEBL
+                     libraryName = name;
+                     blLib = handle;
++#else
++                    libraryName = "self";
++#endif
+                     return PR_SUCCESS;
+                 }
+             }
++            else
++                return PR_FAILURE;
++#ifndef NSS_STATIC_FREEBL
+         }
+ #ifdef DEBUG
+         if (blLib) {
+             PRStatus status = PR_UnloadLibrary(blLib);
+             PORT_Assert(PR_SUCCESS == status);
+         }
+ #else
+         if (blLib)
+             PR_UnloadLibrary(blLib);
+ #endif
+     }
+     return PR_FAILURE;
++#endif
+ }
+ 
+ static const PRCallOnceType pristineCallOnce;
+@@ -860,6 +871,7 @@
+ void
+ BL_Unload(void)
+ {
++#ifndef NSS_STATIC_FREEBL
+     /* This function is not thread-safe, but doesn't need to be, because it is
+      * only called from functions that are also defined as not thread-safe,
+      * namely C_Finalize in softoken, and the SSL bypass shutdown callback called
+@@ -872,6 +884,7 @@
+         PR_UnloadLibrary(blLib);
+ #endif
+     }
++#endif
+     blLib = NULL;
+     loadFreeBLOnce = pristineCallOnce;
+ }
+--- a/a/nspr/build/autoconf/config.sub	2017-09-07 15:29:45.031246453 +0200
++++ a/a/nspr/build/autoconf/config.sub	2017-09-07 15:32:13.087235423 +0200
+@@ -110,6 +110,9 @@
+     exit 1;;
+ esac
+ 
++if test $1 = "arm64-apple-darwin"; then echo $1; exit; fi
++if test $1 = "aarch64-apple-darwin"; then echo $1; exit; fi
++
+ # Split fields of configuration type
+ # shellcheck disable=SC2162
+ IFS="-" read field1 field2 field3 field4 <<EOF
+--- a/a/nspr/config/autoconf.mk.in
++++ a/a/nspr/config/autoconf.mk.in
+@@ -69,7 +69,7 @@
+ MSC_VER		= @MSC_VER@
+ AR		= @AR@
+ AR_FLAGS	= @AR_FLAGS@
+-LD		= @LD@
++LD		= echo
+ RANLIB		= @RANLIB@
+ PERL		= @PERL@
+ RC		= @RC@
+--- a/a/nspr/configure
++++ a/a/nspr/configure
+@@ -2507,7 +2507,7 @@
+ OBJDIR='$(OBJDIR_NAME)'
+ OBJDIR_NAME=.
+ OBJDIR_SUFFIX=OBJ
+-NSINSTALL='$(MOD_DEPTH)/config/$(OBJDIR_NAME)/nsinstall'
++NSINSTALL=${NSINSTALL?'$(MOD_DEPTH)/config/$(OBJDIR_NAME)/nsinstall'}
+ NOSUCHFILE=/no-such-file
+ LIBNSPR='-L$(dist_libdir) -lnspr$(MOD_MAJOR_VERSION)'
+ LIBPLC='-L$(dist_libdir) -lplc$(MOD_MAJOR_VERSION)'
+@@ -5571,7 +5571,7 @@
+ LIB_SUFFIX=a
+ DLL_SUFFIX=so
+ ASM_SUFFIX=s
+-MKSHLIB='$(LD) $(DSO_LDOPTS) -o $@'
++MKSHLIB='touch $@; echo'
+ PR_MD_ASFILES=
+ PR_MD_CSRCS=
+ PR_MD_ARCH_DIR=unix
+@@ -6485,7 +6485,7 @@
+     DSO_CFLAGS=-fPIC
+     DSO_LDOPTS='-dynamiclib -compatibility_version 1 -current_version 1 -all_load -install_name @__________________________________________________OOO/$@ -headerpad_max_install_names'
+     _OPTIMIZE_FLAGS=-O2
+-    MKSHLIB='$(CC) $(DSO_LDOPTS) -o $@'
++    MKSHLIB=touch $@
+     STRIP="$STRIP -x -S"
+     DLL_SUFFIX=dylib
+     USE_PTHREADS=1
+--- a/a/nss/coreconf/ruleset.mk
++++ a/a/nss/coreconf/ruleset.mk
+@@ -45,7 +45,7 @@
+ endif
+ 
+ ifeq ($(MKPROG),)
+-    MKPROG = $(CC)
++    MKPROG = touch $@; echo
+ endif
+ 
+ #
+--- a/a/nss/coreconf/Darwin.mk
++++ a/a/nss/coreconf/Darwin.mk
+@@ -116,7 +116,7 @@
+    DSO_LDOPTS += --coverage
+ endif
+ 
+-MKSHLIB		= $(CC) $(DSO_LDOPTS) $(DARWIN_SDK_SHLIBFLAGS)
++MKSHLIB		= touch $@; echo
+ DLL_SUFFIX	= dylib
+ ifdef MAPFILE
+ 	MKSHLIB += -exported_symbols_list $(MAPFILE)
+--- a/a/nss/coreconf/UNIX.mk
++++ a/a/nss/coreconf/UNIX.mk
+@@ -19,10 +19,14 @@
+ 
+ ifdef BUILD_TREE
+ NSINSTALL_DIR  = $(BUILD_TREE)/nss
++ifndef NSINSTALL
+ NSINSTALL      = $(BUILD_TREE)/nss/nsinstall
++endif
+ else
+ NSINSTALL_DIR  = $(CORE_DEPTH)/coreconf/nsinstall
++ifndef NSINSTALL
+ NSINSTALL      = $(NSINSTALL_DIR)/$(OBJDIR_NAME)/nsinstall
++endif
+ endif
+ 
+ ####################################################################
+--- a/a/nspr/pr/include/md/_darwin.h
++++ a/a/nspr/pr/include/md/_darwin.h
+@@ -26,6 +26,8 @@
+ #define _PR_SI_ARCHITECTURE "ppc"
+ #elif defined(__arm__)
+ #define _PR_SI_ARCHITECTURE "arm"
++#elif defined(__arm64__)
++#define _PR_SI_ARCHITECTURE "arm64"
+ #elif defined(__aarch64__)
+ #define _PR_SI_ARCHITECTURE "aarch64"
+ #else
+--- a/a/nss/cmd/shlibsign/sign.sh
++++ a/a/nss/cmd/shlibsign/sign.sh
+@@ -2,6 +2,9 @@
+ # This Source Code Form is subject to the terms of the Mozilla Public
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
++
++# Pointless to sign anything for iOS as we don't build any real shared libraries
++exit 0
+ 
+ # arguments:
+ # 1: full path to DIST/OBJDIR (parent dir of "lib")
diff --git a/external/nss/nss-restore-manual-pre-dependencies.patch.1 b/external/nss/nss-restore-manual-pre-dependencies.patch.1
new file mode 100644
index 000000000..ea034f0dc
--- /dev/null
+++ b/external/nss/nss-restore-manual-pre-dependencies.patch.1
@@ -0,0 +1,83 @@
+Revert of upstream:
+
+changeset:   15608:744881490c78
+user:        Jan-Marek Glogowski <glogow@fbihome.de>
+date:        Wed May 13 19:00:40 2020 +0000
+summary:     Bug 1637083 Replace pre-dependency with shell hack r=rrelyea
+
+--- b/nss/coreconf/rules.mk	Wed May 13 19:00:40 2020 +0000
++++ a/nss/coreconf/rules.mk	Tue May 12 21:33:43 2020 +0000
+@@ -31,21 +31,10 @@
+ USE_NT_C_SYNTAX=1
+ endif
+ 
+-# For whatever reason, "." can't be handled using make conditionals.
+-# Based on automake's SUBDIRS "." handling.
+ ifdef DIRS
+ ifndef IGNORE_DIRS
+-ifneq (,$(filter .,$(DIRS)))
+-TARGETS = $(NULL)
+-ALL_TRASH = $(NULL)
+-endif
+-
+ $(DIRS):
++	$(IGNORE_ERROR)@$(MAKE) -C $@ $(MAKECMDGOALS)
+-	$(IGNORE_ERROR)@if [ "$@" != "." ]; then \
+-		$(MAKE) -C $@ $(MAKECMDGOALS) ; \
+-	else \
+-		IGNORE_DIRS=1 $(MAKE) -C $@ $(MAKECMDGOALS) ; \
+-	fi
+ 	@$(CLICK_STOPWATCH)
+ endif
+ endif
+@@ -84,9 +73,7 @@
+ check: $(DIRS)
+ 
+ clean clobber: $(DIRS)
+-ifneq (,$(ALL_TRASH))
+ 	rm -rf $(ALL_TRASH)
+-endif
+ 
+ realclean clobber_all: $(DIRS)
+ 	rm -rf $(wildcard *.OBJ) dist $(ALL_TRASH)
+--- b/nss/lib/ckfw/builtins/manifest.mn	Wed May 13 19:00:40 2020 +0000
++++ a/nss/lib/ckfw/builtins/manifest.mn	Tue May 12 21:33:43 2020 +0000
+@@ -5,9 +5,7 @@
+ 
+ CORE_DEPTH = ../../..
+ 
++DIRS = testlib
+-DIRS = . testlib
+-
+-testlib: .
+ 
+ MODULE = nss
+ 
+--- b/nss/lib/ckfw/manifest.mn	Wed May 13 19:00:40 2020 +0000
++++ a/nss/lib/ckfw/manifest.mn	Tue May 12 21:33:43 2020 +0000
+@@ -5,9 +5,7 @@
+ 
+ CORE_DEPTH = ../..
+ 
++DIRS = builtins
+-DIRS = . builtins
+-
+-builtins: .
+ 
+ PRIVATE_EXPORTS = \
+ 	ck.h		  \
+--- b/nss/manifest.mn	Wed May 13 19:00:40 2020 +0000
++++ a/nss/manifest.mn	Tue May 12 21:33:43 2020 +0000
+@@ -24,6 +24,12 @@
+ 	# no real way to encode these in any sensible way
+ 	$(MAKE) -C coreconf/nsinstall program
+ 	$(MAKE) export
++	# pre-build child dir -> parent dir dependencies
++	# ckfw/builtins -> ckfw
++	IGNORE_DIRS=1 $(MAKE) -C lib/ckfw libs
++	# ckfw/builtins/testlib -> ckfw/builtins + base
++	$(MAKE) -C lib/base libs
++	IGNORE_DIRS=1 $(MAKE) -C lib/ckfw/builtins libs
+ 
+ lib: coreconf
+ cmd: lib
diff --git a/external/nss/nss-win32-make.patch.1 b/external/nss/nss-win32-make.patch.1
new file mode 100644
index 000000000..6a3201a08
--- /dev/null
+++ b/external/nss/nss-win32-make.patch.1
@@ -0,0 +1,20 @@
+--- nss/nss/coreconf/rules.mk.orig2	2014-06-03 15:30:01.667200000 +0200
++++ nss/nss/coreconf/rules.mk	2014-06-03 15:30:14.537200000 +0200
+@@ -174,7 +174,7 @@
+ $(LIBRARY): $(OBJS) | $$(@D)/d
+ 	rm -f $@
+ ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
+-	$(AR) $(subst /,\\,$(OBJS))
++	$(AR) $(OBJS)
+ else
+ 	$(AR) cr $@ $(OBJS)
+ endif
+@@ -214,7 +214,7 @@
+ ifdef NS_USE_GCC
+ 	$(LINK_DLL) $(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES)
+ else
+-	$(LINK_DLL) -MAP $(DLLBASE) $(subst /,\\,$(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES))
++	$(LINK_DLL) -MAP $(DLLBASE) $(OBJS) $(SUB_SHLOBJS) $(EXTRA_LIBS) $(EXTRA_SHARED_LIBS) $(OS_LIBS) $(LD_LIBS) $(RES)
+ ifdef MT
+ 	if test -f $@.manifest; then \
+ 		$(MT) -NOLOGO -MANIFEST $@.manifest -OUTPUTRESOURCE:$@\;2; \
diff --git a/external/nss/nss.aix.patch b/external/nss/nss.aix.patch
new file mode 100644
index 000000000..10572f947
--- /dev/null
+++ b/external/nss/nss.aix.patch
@@ -0,0 +1,140 @@
+diff -ru a/nspr/configure b/nspr/configure
+--- a/a/nspr/configure	2014-09-29 16:47:42.984012225 +0100
++++ b/b/nspr/configure	2014-09-29 16:50:33.907375937 +0100
+@@ -6325,7 +6325,6 @@
+         AIX_LINK_OPTS='-brtl -bnso -berok'
+         ;;
+     esac
+-    CFLAGS="$CFLAGS -qro -qroconst"
+     AIX_WRAP='$(DIST)/lib/aixwrap.o'
+     AIX_TMP='./_aix_tmp.o'
+     if test -n "$USE_64"; then
+diff -ru a/nspr/configure.in b/nspr/configure.in
+--- a/a/nspr/configure.in	2014-09-29 16:46:35.257394860 +0100
++++ b/b/nspr/configure.in	2014-09-29 16:50:33.908375942 +0100
+@@ -1180,7 +1180,8 @@
+     AC_DEFINE(XP_UNIX)
+     AC_DEFINE(AIX)
+     AC_DEFINE(SYSV)
+-    DSO_LDOPTS='-brtl -bnortllib -bM:SRE -bnoentry -bexpall -blibpath:/usr/lib:/lib'
++    DSO_LDOPTS='-Wl,-brtl -Wl,-bnortllib -Wl,-blibpath:/usr/lib:/lib'
++    MKSHLIB='$(CCC) -shared $(DSO_LDOPTS) -o $@'
+     AC_CHECK_HEADER(sys/atomic_op.h, AC_DEFINE(AIX_HAVE_ATOMIC_OP_H))
+     case "${target_os}" in
+     aix3.2*)
+@@ -1220,10 +1221,9 @@
+         AC_DEFINE(HAVE_SOCKLEN_T)
+         AC_DEFINE(HAVE_FCNTL_FILE_LOCKING)
+         USE_IPV6=1
+-        AIX_LINK_OPTS='-brtl -bnso -berok'
++        AIX_LINK_OPTS='-Wl,-brtl -Wl,-bnso -Wl,-berok'
+         ;;
+     esac
+-    CFLAGS="$CFLAGS -qro -qroconst"
+     AIX_WRAP='$(DIST)/lib/aixwrap.o'
+     AIX_TMP='./_aix_tmp.o'
+     if test -n "$USE_64"; then
+diff -ru a/nspr/pr/src/Makefile.in b/nspr/pr/src/Makefile.in
+--- a/a/nspr/pr/src/Makefile.in	2014-09-29 16:46:35.281395079 +0100
++++ b/b/nspr/pr/src/Makefile.in	2014-09-29 16:50:33.909375948 +0100
+@@ -74,7 +74,6 @@
+ endif	# SunOS
+ 
+ ifeq ($(OS_ARCH),AIX)
+-DSO_LDOPTS	+= -binitfini::_PR_Fini
+ OS_LIBS		= -lodm -lcfg
+ ifeq ($(CLASSIC_NSPR),1)
+ ifeq ($(OS_RELEASE),4.1)
+diff -ru a/nss/cmd/platlibs.mk b/nss/cmd/platlibs.mk
+--- a/a/nss/cmd/platlibs.mk	2014-09-29 16:47:42.987012253 +0100
++++ b/b/nss/cmd/platlibs.mk	2014-09-29 16:50:33.910375955 +0100
+@@ -171,7 +171,7 @@
+ 	$(NULL)
+ 
+ ifeq ($(OS_ARCH), AIX) 
+-EXTRA_SHARED_LIBS += -brtl 
++EXTRA_SHARED_LIBS += -Wl,-brtl 
+ endif
+ 
+ # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+@@ -217,7 +217,7 @@
+ 	$(NULL)
+ 
+ ifeq ($(OS_ARCH), AIX) 
+-EXTRA_SHARED_LIBS += -brtl 
++EXTRA_SHARED_LIBS += -Wl,-brtl 
+ endif
+ 
+ # $(PROGRAM) has NO explicit dependencies on $(EXTRA_SHARED_LIBS)
+diff -ru a/nss/cmd/shlibsign/Makefile b/nss/cmd/shlibsign/Makefile
+--- a/a/nss/cmd/shlibsign/Makefile	2014-09-29 16:46:35.139393785 +0100
++++ b/b/nss/cmd/shlibsign/Makefile	2014-09-29 16:50:33.910375955 +0100
+@@ -43,6 +43,9 @@
+ 
+ endif
+ 
++ifeq ($(OS), AIX)
++EXTRA_SHARED_LIBS += -lpthreads
++endif
+ 
+ # sign any and all shared libraries that contain the word freebl
+ ifeq ($(NSS_BUILD_WITHOUT_SOFTOKEN),1)
+diff -ru a/nss/cmd/shlibsign/mangle/Makefile b/nss/cmd/shlibsign/mangle/Makefile
+--- a/a/nss/cmd/shlibsign/mangle/Makefile	2014-09-29 16:46:35.139393785 +0100
++++ b/b/nss/cmd/shlibsign/mangle/Makefile	2014-09-29 16:50:33.910375955 +0100
+@@ -43,7 +43,9 @@
+ 
+ endif
+ 
+-
++ifeq ($(OS), AIX)
++EXTRA_SHARED_LIBS += -lpthreads
++endif
+ 
+ #######################################################################
+ # (5) Execute "global" rules. (OPTIONAL)                              #
+diff -ru a/nss/coreconf/AIX.mk b/nss/coreconf/AIX.mk
+--- a/a/nss/coreconf/AIX.mk	2014-09-29 16:46:35.040392883 +0100
++++ b/b/nss/coreconf/AIX.mk	2014-09-29 16:50:33.909375948 +0100
+@@ -30,35 +30,30 @@
+ 
+ DEFAULT_COMPILER = xlc_r
+ 
+-CC		= xlc_r
+-CCC		= xlC_r
++CCC		= $(CXX)
+ 
+ CPU_ARCH	= rs6000
+ 
+ RANLIB		= ranlib
+ 
+ OS_CFLAGS	= -DAIX -DSYSV
+-OS_LIBS 	+= -blibpath:/usr/lib:/lib -lc -lm
++OS_LIBS 	+= -Wl,-blibpath:/usr/lib:/lib -lc -lm
+ 
+-DSO_LDOPTS	= -brtl -bnortllib -bM:SRE -bnoentry
+-MKSHLIB 	= $(LD) $(DSO_LDOPTS) -blibpath:/usr/lib:/lib -lc -lm
++DSO_LDOPTS	= -Wl,-brtl -Wl,-bnortllib
++MKSHLIB 	= $(CC) --shared $(DSO_LDOPTS) -Wl,-blibpath:/usr/lib:/lib -lc -lm
+ 
+ AIX_WRAP	= $(DIST)/lib/aixwrap.o
+ AIX_TMP		= $(OBJDIR)/_aix_tmp.o
+ 
+ ifdef MAPFILE
+-DSO_LDOPTS	+= -bexport:$(MAPFILE)
++DSO_LDOPTS	+= -Wl,-bexport:$(MAPFILE)
+ else
+-DSO_LDOPTS	+= -bexpall
++DSO_LDOPTS	+= -Wl,-bexpall
+ endif
+ 
+ PROCESS_MAP_FILE = grep -v ';+' $< | grep -v ';-' | \
+                 sed -e 's; DATA ;;' -e 's,;;,,' -e 's,;.*,,' > $@
+ 
+-ifdef BUILD_OPT
+-	OPTIMIZER += -qmaxmem=-1
+-endif
+-
+ ifeq ($(USE_64), 1)
+ 	OS_CFLAGS	+= -DAIX_64BIT
+ 	OBJECT_MODE=64
diff --git a/external/nss/nss.bzmozilla1238154.patch b/external/nss/nss.bzmozilla1238154.patch
new file mode 100644
index 000000000..425f38257
--- /dev/null
+++ b/external/nss/nss.bzmozilla1238154.patch
@@ -0,0 +1,12 @@
+diff -ru a/nspr/configure b/nspr/configure
+--- a/a/nspr/configure	2019-01-26 12:23:06.589389910 +0100
++++ b/b/nspr/configure	2019-01-26 12:26:56.566222293 +0100
+@@ -6883,7 +6883,7 @@
+ 
+         # Determine compiler version
+ 
+-        _MSVC_VER_FILTER='s|.* \([0-9]\+\.[0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*|\1|p'
++        _MSVC_VER_FILTER='s|.*[^!-~]\([0-9]\+\.[0-9]\+\.[0-9]\+\(\.[0-9]\+\)\?\).*|\1|p'
+ 
+         CC_VERSION=`${CC} -v 2>&1 | sed -ne "$_MSVC_VER_FILTER"`
+         if test -z "$CC_VERSION"; then
diff --git a/external/nss/nss.cygwin64.in32bit.patch b/external/nss/nss.cygwin64.in32bit.patch
new file mode 100644
index 000000000..bce0f1d09
--- /dev/null
+++ b/external/nss/nss.cygwin64.in32bit.patch
@@ -0,0 +1,14 @@
+This fixes architecture mismatch, when building
+on Cygwin 64bit and in 32bit mode
+diff -ru nss.orig/nss/Makefile nss/nss/Makefile
+--- a/nss.orig/nss/Makefile       2016-02-26 01:00:52.146713100 +0100
++++ b/nss/nss/Makefile    2016-02-26 01:02:05.303560100 +0100
+@@ -63,6 +63,8 @@
+ # Translate coreconf build options to NSPR configure options.
+ #
+
++NSPR_CONFIGURE_OPTS += --host=i686-pc-cygwin
++
+ ifeq ($(OS_TARGET),Android)
+ NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) \
+                        --target=$(ANDROID_PREFIX) \
diff --git a/external/nss/nss.nowerror.patch b/external/nss/nss.nowerror.patch
new file mode 100644
index 000000000..bdf7a33a8
--- /dev/null
+++ b/external/nss/nss.nowerror.patch
@@ -0,0 +1,12 @@
+diff -ur nss.org/nss/coreconf/WIN32.mk nss/nss/coreconf/WIN32.mk
+--- a/nss.org/nss/coreconf/WIN32.mk	2016-04-13 11:33:09.322294523 +0200
++++ b/nss/nss/coreconf/WIN32.mk	2016-04-13 11:33:27.744323969 +0200
+@@ -121,7 +121,7 @@
+                       -D_CRT_NONSTDC_NO_WARNINGS
+     OS_DLLFLAGS += -nologo -DLL -SUBSYSTEM:WINDOWS
+     ifndef NSS_ENABLE_WERROR
+-        NSS_ENABLE_WERROR = 1
++        NSS_ENABLE_WERROR = 0
+     endif
+     ifeq ($(NSS_ENABLE_WERROR),1)
+         WARNING_CFLAGS += -WX
diff --git a/external/nss/nss.patch b/external/nss/nss.patch
new file mode 100644
index 000000000..cc9eeed1b
--- /dev/null
+++ b/external/nss/nss.patch
@@ -0,0 +1,155 @@
+--- a/a/nspr/configure	2017-08-29 23:44:13.686045013 +0530
++++ b/b/nspr/configure	2017-08-29 23:46:53.774768655 +0530
+@@ -6794,7 +6794,7 @@
+     PR_MD_CSRCS=linux.c
+     MKSHLIB='$(CC) $(DSO_LDOPTS) -o $@'
+     DSO_CFLAGS=-fPIC
+-    DSO_LDOPTS='-shared -Wl,-soname -Wl,$(notdir $@)'
++    DSO_LDOPTS='-shared -Wl,-soname -Wl,$(notdir $@) $(if $(filter-out $(OS),ANDROID),-Wl$(COMMA)-z$(COMMA)origin -Wl$(COMMA)-rpath$(COMMA)\$$ORIGIN)'
+     _OPTIMIZE_FLAGS=-O2
+     _DEBUG_FLAGS="-g -fno-inline"  # most people on linux use gcc/gdb, and that
+                                    # combo is not yet good at debugging inlined
+--- a/nss.orig/nspr/pr/src/misc/prnetdb.c	2017-08-29 23:44:13.690045031 +0530
++++ b/nss/nspr/pr/src/misc/prnetdb.c	2017-08-29 23:47:03.810814019 +0530
+@@ -441,7 +441,7 @@
+     char *buf = *bufp;
+     PRIntn buflen = *buflenp;
+ 
+-    if (align && ((long)buf & (align - 1))) {
++    if (align && ((ptrdiff_t)buf & (align - 1))) {
+         PRIntn skip = align - ((ptrdiff_t)buf & (align - 1));
+         if (buflen < skip) {
+             return 0;
+--- a/a/nss/cmd/platlibs.mk	2017-08-29 23:44:13.554044416 +0530
++++ b/b/nss/cmd/platlibs.mk	2017-08-29 23:46:09.638569150 +0530
+@@ -10,17 +10,22 @@
+ 
+ ifeq ($(OS_ARCH), SunOS) 
+ ifeq ($(USE_64), 1)
+-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1/64:/usr/lib/mps/64'
++#In OOo we would probable put the executables next to libs
++EXTRA_SHARED_LIBS += -R '$$ORIGIN'
+ else
+-EXTRA_SHARED_LIBS += -R '$$ORIGIN/../lib:/usr/lib/mps/secv1:/usr/lib/mps'
++EXTRA_SHARED_LIBS += -R '$$ORIGIN'
+ endif
+ endif
+ 
++ifeq ($(OS_ARCH), FreeBSD)
++EXTRA_SHARED_LIBS += -Wl,-z,origin -Wl,-rpath,'$$ORIGIN'
++endif
++
+ ifeq ($(OS_ARCH), Linux)
+ ifeq ($(USE_64), 1)
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib64:/opt/sun/private/lib64:$$ORIGIN/../lib'
++EXTRA_SHARED_LIBS += -Wl,-z,origin -Wl,-rpath,'$$ORIGIN'
+ else
+-EXTRA_SHARED_LIBS += -Wl,-rpath,'$$ORIGIN/../lib:/opt/sun/private/lib'
++EXTRA_SHARED_LIBS += -Wl,-z,origin -Wl,-rpath,'$$ORIGIN'
+ endif
+ endif
+ 
+--- a/nss.org/nss/coreconf/arch.mk	2017-08-29 23:44:13.646044832 +0530
++++ b/nss/nss/coreconf/arch.mk	2017-08-29 23:45:51.494487134 +0530
+@@ -284,11 +284,17 @@
+     OBJDIR_NAME_COMPILER = $(COMPILER_TAG)
+ endif
+ OBJDIR_NAME_BASE = $(OS_TARGET)$(OS_RELEASE)$(CPU_TAG)$(OBJDIR_NAME_COMPILER)$(LIBC_TAG)$(IMPL_STRATEGY)$(OBJDIR_TAG)
+-OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ
++# OBJDIR_NAME is used to build the directory containing the built objects, for 
++# example mozilla/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ
++# We need to deliver the contents of that folder into instdir. To make that 
++# easier in the makefile we rename this directory to "out". 
++#OBJDIR_NAME = $(OBJDIR_NAME_BASE).OBJ
++OBJDIR_NAME = out
+ 
+ 
+ ifeq (,$(filter-out WIN%,$(OS_TARGET)))
+-ifndef BUILD_OPT
++ifdef THIS_HAS_BEEN_DISABLED_TO_GET_out
++
+ #
+ # Define USE_DEBUG_RTL if you want to use the debug runtime library
+ # (RTL) in the debug build
+--- a/nss.org/nss/coreconf/FreeBSD.mk	2017-08-29 23:44:13.642044814 +0530
++++ b/nss/nss/coreconf/FreeBSD.mk	2017-08-29 23:45:20.850348615 +0530
+@@ -25,6 +25,7 @@
+ 
+ DSO_CFLAGS		= -fPIC
+ DSO_LDOPTS		= -shared -Wl,-soname -Wl,$(notdir $@)
++DSO_LDOPTS		+= -Wl,-z,origin '-Wl,-rpath,$$ORIGIN'
+ 
+ #
+ # The default implementation strategy for FreeBSD is pthreads.
+--- a/nss.org/nss/coreconf/Linux.mk	2017-08-29 23:44:13.642044814 +0530
++++ b/nss/nss/coreconf/Linux.mk	2017-08-29 23:47:26.318915759 +0530
+@@ -158,7 +158,7 @@
+ # Also, -z defs conflicts with Address Sanitizer, which emits relocations
+ # against the libsanitizer runtime built into the main executable.
+ ZDEFS_FLAG		= -Wl,-z,defs
+-DSO_LDOPTS     += $(if $(findstring 2.11.90.0.8,$(shell $(LD) -v)),,$(ZDEFS_FLAG))
++DSO_LDOPTS     += $(if $(findstring 2.11.90.0.8,$(shell $(LD) -v)),,$(ZDEFS_FLAG)) $(if $(filter-out $(OS),ANDROID),-Wl$(COMMA)-z$(COMMA)origin '-Wl$(COMMA)-rpath$(COMMA)$$ORIGIN')
+ LDFLAGS		   += $(ARCHFLAG) -z noexecstack
+ 
+ # On Maemo, we need to use the -rpath-link flag for even the standard system
+@@ -188,8 +188,13 @@
+ endif
+ endif
+ 
++ifneq ($(SYSTEM_ZLIB),)
++# Currently (3.12.4) only the tools modutil and signtool are linked with libz
++# If USE_SYSTEM_ZLIB is not set then the tools link statically libzlib.a which
++# is also built in nss.
+ USE_SYSTEM_ZLIB = 1
+ ZLIB_LIBS = -lz
++endif
+ 
+ # The -rpath '$$ORIGIN' linker option instructs this library to search for its
+ # dependencies in the same directory where it resides.
+--- a/nss.org/nss/coreconf/rules.mk	2017-08-29 23:44:13.646044832 +0530
++++ b/nss/nss/coreconf/rules.mk	2017-08-29 23:47:37.442966042 +0530
+@@ -176,7 +176,7 @@
+ ifeq (,$(filter-out _WIN%,$(NS_USE_GCC)_$(OS_TARGET)))
+ 	$(AR) $(subst /,\\,$(OBJS))
+ else
+-	$(AR) $(OBJS)
++	$(AR) cr $@ $(OBJS)
+ endif
+ 	$(RANLIB) $@
+ 
+--- a/nss.org/nss/coreconf/SunOS5.mk	2017-08-29 23:44:13.646044832 +0530
++++ b/nss/nss/coreconf/SunOS5.mk	2017-08-29 23:45:00.902258445 +0530
+@@ -46,8 +46,11 @@
+ 	    # OPTIMIZER += -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer
+ 	endif
+ else
+-	CC         = cc
+-	CCC        = CC
++	# CC is taken from environment automatically.
++	#	CC         = cc
++	# Use CXX from environment.
++	#	CCC        = CC
++    CCC       = $(CXX)
+ 	ASFLAGS   += -Wa,-P
+ 	OS_CFLAGS += $(NOMD_OS_CFLAGS) $(ARCHFLAG)
+ 	ifndef BUILD_OPT
+--- a/nss.org/nss/coreconf/Werror.mk	2017-08-29 23:44:13.646044832 +0530
++++ b/nss/nss/coreconf/Werror.mk	2017-08-29 23:44:23.994091608 +0530
+@@ -96,7 +96,8 @@
+     endif #ndef NSS_ENABLE_WERROR
+ 
+     ifeq ($(NSS_ENABLE_WERROR),1)
+-      WARNING_CFLAGS += -Werror
++      # We do not treat warnings as errors.
++	  # WARNING_CFLAGS += -Werror
+     else
+       # Old versions of gcc (< 4.8) don't support #pragma diagnostic in functions.
+       # Use this to disable use of that #pragma and the warnings it suppresses.
+--- a/nss.org/nss/Makefile	2017-08-29 23:44:13.402043729 +0530
++++ b/nss/nss/Makefile	2017-08-29 23:44:39.774162939 +0530
+@@ -1,3 +1,5 @@
++export AR
++export RANLIB
+ #! gmake
+ #
+ # This Source Code Form is subject to the terms of the Mozilla Public
diff --git a/external/nss/nss.utf8bom.patch.1 b/external/nss/nss.utf8bom.patch.1
new file mode 100644
index 000000000..f474adf6f
--- /dev/null
+++ b/external/nss/nss.utf8bom.patch.1
@@ -0,0 +1,21 @@
+diff -ur nss.org/nss/lib/ckfw/builtins/certdata.perl nss/nss/lib/ckfw/builtins/certdata.perl
+--- nss.org/nss/lib/ckfw/builtins/certdata.perl	2016-03-31 18:26:07.890190900 +0800
++++ nss/nss/lib/ckfw/builtins/certdata.perl	2016-03-31 19:16:16.727269600 +0800
+@@ -122,6 +122,9 @@
+ sub doprint {
+ my $i;
+ 
++print chr(0xEF);
++print chr(0xBB);
++print chr(0xBF);
+ print <<EOD
+ /* THIS IS A GENERATED FILE */
+ /* This Source Code Form is subject to the terms of the Mozilla Public
+@@ -131,6 +134,7 @@
+ #ifndef BUILTINS_H
+ #include "builtins.h"
+ #endif /* BUILTINS_H */
++#pragma execution_character_set("utf-8")
+ 
+ EOD
+     ;
diff --git a/external/nss/nss.vs2015.patch b/external/nss/nss.vs2015.patch
new file mode 100644
index 000000000..73cff7c83
--- /dev/null
+++ b/external/nss/nss.vs2015.patch
@@ -0,0 +1,12 @@
+diff -ru nss.org/nss/coreconf/WIN32.mk nss/nss/coreconf/WIN32.mk
+--- a/nss.org/nss/coreconf/WIN32.mk	2016-02-12 15:36:18.000000000 +0100
++++ b/nss/nss/coreconf/WIN32.mk	2016-02-26 00:42:43.170809600 +0100
+@@ -192,7 +192,7 @@
+     # Disable C4244: conversion from 'type1' to 'type2', possible loss of data
+     # Disable C4018: 'expression' : signed/unsigned mismatch
+     # Disable C4312: 'type cast': conversion from 'type1' to 'type2' of greater size
+-    OS_CFLAGS += -w44267 -w44244 -w44018 -w44312
++    OS_CFLAGS += -w44267 -w44244 -w44018 -w44312 -wd4996 -wd4554
+     ifeq ($(_MSC_VER_GE_12),1)
+ 	OS_CFLAGS += -FS
+     endif
diff --git a/external/nss/nss.vs2015.pdb.patch b/external/nss/nss.vs2015.pdb.patch
new file mode 100644
index 000000000..3b498f976
--- /dev/null
+++ b/external/nss/nss.vs2015.pdb.patch
@@ -0,0 +1,22 @@
+diff -ru nss.orig/nss/coreconf/WIN32.mk nss/nss/coreconf/WIN32.mk
+--- a/nss.orig/nss/coreconf/WIN32.mk	2016-03-04 08:30:16.306639400 +0100
++++ b/nss/nss/coreconf/WIN32.mk	2016-03-04 08:31:17.987233200 +0100
+@@ -163,15 +163,15 @@
+ 	DLLFLAGS   += -OUT:$@
+ 	ifdef MOZ_DEBUG_SYMBOLS
+ 		ifdef MOZ_DEBUG_FLAGS
+-			OPTIMIZER += $(MOZ_DEBUG_FLAGS) -Fd$(OBJDIR)/
++			OPTIMIZER += $(MOZ_DEBUG_FLAGS) -Fd./
+ 		else
+-			OPTIMIZER += -Zi -Fd$(OBJDIR)/
++			OPTIMIZER += -Zi -Fd./
+ 		endif
+ 		DLLFLAGS += -DEBUG -OPT:REF
+ 		LDFLAGS += -DEBUG -OPT:REF
+ 	endif
+     else
+-	OPTIMIZER += -Zi -Fd$(OBJDIR)/ -Od
++	OPTIMIZER += -Zi -Fd./ -Od
+ 	NULLSTRING :=
+ 	DEFINES    += -DDEBUG -UNDEBUG
+ 	DLLFLAGS   += -DEBUG -OUT:$@
diff --git a/external/nss/nss.windows.patch b/external/nss/nss.windows.patch
new file mode 100644
index 000000000..27a440458
--- /dev/null
+++ b/external/nss/nss.windows.patch
@@ -0,0 +1,33 @@
+--- a/a/nspr/config/rules.mk	2008-12-03 00:24:39.000000000 +0100
++++ b/b/nspr/config/rules.mk	2009-11-27 13:36:22.662753328 +0100
+@@ -423,7 +423,7 @@
+ 
+ ifdef NEED_ABSOLUTE_PATH
+ # The quotes allow absolute paths to contain spaces.
+-pr_abspath = "$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(CURDIR)/$(1)))"
++pr_abspath = "$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(shell cygpath -m $(1))),$(1),$(shell cygpath -m $(CURDIR)/$(1))))"
+ endif
+ 
+ $(OBJDIR)/%.$(OBJ_SUFFIX): %.cpp
+--- a/a/nss/coreconf/rules.mk	2008-12-03 00:24:39.000000000 +0100
++++ b/b/nss/coreconf/rules.mk	2009-11-27 13:36:22.662753328 +0100
+@@ -280,7 +280,7 @@
+ endif
+ 
+ # The quotes allow absolute paths to contain spaces.
+-core_abspath = '$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(1)),$(1),$(PWD)/$(1)))'
++core_abspath = '$(if $(findstring :,$(1)),$(1),$(if $(filter /%,$(shell cygpath -m $(1))),$(1),$(shell cygpath -m $(PWD)/$(1))))'
+ 
+ $(OBJDIR)/$(PROG_PREFIX)%$(OBJ_SUFFIX): %.c | $$(@D)/d
+ ifdef USE_NT_C_SYNTAX
+--- a/a/nspr/pr/include/md/_win95.h
++++ b/b/nspr/pr/include/md/_win95.h
+@@ -317,7 +317,7 @@
+ #define _MD_ATOMIC_ADD(ptr,val)    (InterlockedExchangeAdd((PLONG)ptr, (LONG)val) + val)
+ #define _MD_ATOMIC_DECREMENT(x)       InterlockedDecrement((PLONG)x)
+ #endif /* x86 */
+-#define _MD_ATOMIC_SET(x,y)           InterlockedExchange((PLONG)x, (LONG)y)
++#define _MD_ATOMIC_SET(x,y)           _InterlockedExchange((PLONG)x, (LONG)y)
+ 
+ #define _MD_INIT_IO                   _PR_MD_INIT_IO
+ 
diff --git a/external/nss/nss_macosx.patch b/external/nss/nss_macosx.patch
new file mode 100644
index 000000000..456bd62d5
--- /dev/null
+++ b/external/nss/nss_macosx.patch
@@ -0,0 +1,90 @@
+diff -ru a/nspr/configure b/nspr/configure
+--- a/a/nspr/configure	2014-09-29 16:50:33.907375937 +0100
++++ b/b/nspr/configure	2014-09-29 16:51:59.213931947 +0100
+@@ -6448,6 +6448,9 @@
+     AS='$(CC) -x assembler-with-cpp'
+     CFLAGS="$CFLAGS -Wall -fno-common"
+     case "${target_cpu}" in
++        aarch64)
++            CPU_ARCH=arm64
++            ;;
+         arm*)
+             CPU_ARCH=arm
+             ;;
+@@ -6483,7 +6486,7 @@
+ 
+ 
+     DSO_CFLAGS=-fPIC
+-    DSO_LDOPTS='-dynamiclib -compatibility_version 1 -current_version 1 -all_load -install_name @executable_path/$@ -headerpad_max_install_names'
++    DSO_LDOPTS='-dynamiclib -compatibility_version 1 -current_version 1 -all_load -install_name @__________________________________________________OOO/$@ -headerpad_max_install_names'
+     _OPTIMIZE_FLAGS=-O2
+     MKSHLIB='$(CC) $(DSO_LDOPTS) -o $@'
+     STRIP="$STRIP -x -S"
+diff -ru a/nss/coreconf/Darwin.mk b/nss/coreconf/Darwin.mk
+--- a/a/nss/coreconf/Darwin.mk	2014-09-29 16:50:22.992304799 +0100
++++ b/b/nss/coreconf/Darwin.mk	2014-09-29 16:51:59.214931953 +0100
+@@ -20,13 +20,17 @@
+ 
+ ifeq (,$(filter-out i%86,$(CPU_ARCH)))
+ ifdef USE_64
++ifeq (,$(findstring -arch ,$(CC)))
+ CC              += -arch x86_64
+ CCC             += -arch x86_64
++endif
+ override CPU_ARCH	= x86_64
+ else
+ OS_REL_CFLAGS	= -Di386
++ifeq (,$(findstring -arch ,$(CC)))
+ CC              += -arch i386
+ CCC             += -arch i386
++endif
+ override CPU_ARCH	= x86
+ endif
+ else
+@@ -33,19 +37,20 @@
+ ifeq (arm,$(CPU_ARCH))
+ # Nothing set for arm currently.
+ else
+-OS_REL_CFLAGS	= -Dppc
+-CC              += -arch ppc
+-CCC             += -arch ppc
+ endif
+ endif
+ 
+ ifneq (,$(MACOS_SDK_DIR))
++    CLANG_VERSION_FULL := $(shell $(CC) -v 2>&1 | grep "clang version" | sed -e "s/^.*clang version[  ]*//" | awk '{ print $$1 }')
+     GCC_VERSION_FULL := $(shell $(CC) -dumpversion)
+     GCC_VERSION_MAJOR := $(shell echo $(GCC_VERSION_FULL) | awk -F. '{ print $$1 }')
+     GCC_VERSION_MINOR := $(shell echo $(GCC_VERSION_FULL) | awk -F. '{ print $$2 }')
+     GCC_VERSION = $(GCC_VERSION_MAJOR).$(GCC_VERSION_MINOR)
++    ifneq (,$(CLANG_VERSION_FULL))
++        DARWIN_SDK_CFLAGS = -isysroot $(MACOS_SDK_DIR)
++        DARWIN_SDK_SHLIBFLAGS = -isysroot $(MACOS_SDK_DIR)
+ 
+-    ifeq (,$(filter-out 2 3,$(GCC_VERSION_MAJOR)))
++    else ifeq (,$(filter-out 2 3,$(GCC_VERSION_MAJOR)))
+         # GCC <= 3
+         DARWIN_SDK_FRAMEWORKS = -F$(MACOS_SDK_DIR)/System/Library/Frameworks
+         ifneq (,$(shell find $(MACOS_SDK_DIR)/Library/Frameworks -maxdepth 0))
+@@ -108,7 +113,7 @@
+ # May override this with different compatibility and current version numbers.
+ DARWIN_DYLIB_VERSIONS = -compatibility_version 1 -current_version 1
+ # May override this with -bundle to create a loadable module.
+-DSO_LDOPTS	= -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @executable_path/$(notdir $@) -headerpad_max_install_names
++DSO_LDOPTS	= -dynamiclib $(DARWIN_DYLIB_VERSIONS) -install_name @__________________________________________________OOO/$(notdir $@) -headerpad_max_install_names
+ 
+ ifdef USE_GCOV
+    OS_CFLAGS += --coverage
+diff -ru a/nss/Makefile b/nss/Makefile
+--- a/a/nss/Makefile	2014-09-29 16:50:22.990304789 +0100
++++ b/b/nss/Makefile	2014-09-29 16:51:59.207931908 +0100
+@@ -82,6 +82,9 @@
+ ifeq ($(OS_TARGET),WIN95)
+ NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95
+ endif
++ifdef MACOS_SDK_DIR
++NSPR_CONFIGURE_OPTS += --with-macos-sdk=$(MACOS_SDK_DIR)
++endif
+ ifdef USE_DEBUG_RTL
+ NSPR_CONFIGURE_OPTS += --enable-debug-rtl
+ endif
diff --git a/external/nss/ubsan.patch.0 b/external/nss/ubsan.patch.0
new file mode 100644
index 000000000..5f97d3e9d
--- /dev/null
+++ b/external/nss/ubsan.patch.0
@@ -0,0 +1,38 @@
+--- nss/lib/base/item.c
++++ nss/lib/base/item.c
+@@ -182,5 +182,5 @@
+         return PR_FALSE;
+     }
+ 
+-    return nsslibc_memequal(one->data, two->data, one->size, statusOpt);
++    return one->size == 0 || nsslibc_memequal(one->data, two->data, one->size, statusOpt);
+ }
+--- nss/lib/softoken/legacydb/pk11db.c
++++ nss/lib/softoken/legacydb/pk11db.c
+@@ -65,7 +65,7 @@
+     unsigned char isModuleDBOnly;
+     unsigned char isCritical;
+     unsigned char reserved[4];
+-    unsigned char names[6]; /* enough space for the length fields */
++    unsigned char names[1]; /* +5: enough space for the length fields */
+ };
+ 
+ struct lgdbSlotDataStr {
+@@ -148,7 +148,7 @@
+         goto loser;
+     }
+ 
+-    dataLen = sizeof(lgdbData) + len + len2 + len3 + sizeof(unsigned short) +
++    dataLen = sizeof(lgdbData)+5 + len + len2 + len3 + sizeof(unsigned short) +
+               count * sizeof(lgdbSlotData);
+ 
+     data->data = (unsigned char *)PORT_ZAlloc(dataLen);
+@@ -329,7 +329,7 @@
+     }
+     if ((encoded->major == LGDB_DB_EXT1_VERSION_MAJOR) &&
+         (encoded->minor >= LGDB_DB_EXT1_VERSION_MINOR)) {
+-        CHECK_SIZE(sizeof(lgdbData));
++        CHECK_SIZE(sizeof(lgdbData)+5);
+         trustOrder = LGDB_GETLONG(encoded->trustOrder);
+         cipherOrder = LGDB_GETLONG(encoded->cipherOrder);
+         isModuleDB = (encoded->isModuleDB != 0) ? PR_TRUE : PR_FALSE;
-- 
cgit v1.2.3