Merge pull request #10261 from heitbaum/security12.2b

[le12.2] additional security library updates

packages/security/gnutls/package.mk

@@ -3,18 +3,17 @@
 # Copyright (C) 2018-present Team LibreELEC (https://libreelec.tv)
 
 PKG_NAME="gnutls"
-PKG_VERSION="3.8.3"
-PKG_SHA256="f74fc5954b27d4ec6dfbb11dea987888b5b124289a3703afcada0ee520f4173e"
+PKG_VERSION="3.8.10"
+PKG_SHA256="db7fab7cce791e7727ebbef2334301c821d79a550ec55c9ef096b610b03eb6b7"
 PKG_LICENSE="LGPL2.1"
 PKG_SITE="https://gnutls.org"
 PKG_URL="https://www.gnupg.org/ftp/gcrypt/gnutls/v${PKG_VERSION:0:3}/${PKG_NAME}-${PKG_VERSION}.tar.xz"
-PKG_DEPENDS_HOST="toolchain:host libidn2:host nettle:host zlib:host"
-PKG_DEPENDS_TARGET="toolchain libidn2 nettle zlib"
+PKG_DEPENDS_HOST="autotools:host libidn2:host nettle:host zlib:host"
+PKG_DEPENDS_TARGET="autotools:host gcc:host libidn2 nettle zlib"
 PKG_LONGDESC="A library which provides a secure layer over a reliable transport layer."
 
 PKG_CONFIGURE_OPTS_COMMON="--disable-doc \
                            --disable-full-test-suite \
-                           --disable-guile \
                            --disable-libdane \
                            --disable-padlock \
                            --disable-rpath \

packages/security/libgcrypt/package.mk

@@ -3,12 +3,12 @@
 # Copyright (C) 2018-present Team LibreELEC (https://libreelec.tv)
 
 PKG_NAME="libgcrypt"
-PKG_VERSION="1.10.3"
-PKG_SHA256="8b0870897ac5ac67ded568dcfadf45969cfa8a6beb0fd60af2a9eadc2a3272aa"
+PKG_VERSION="1.11.1"
+PKG_SHA256="24e91c9123a46c54e8371f3a3a2502f1198f2893fbfbf59af95bc1c21499b00e"
 PKG_LICENSE="GPLv2"
 PKG_SITE="https://www.gnupg.org/"
 PKG_URL="https://www.gnupg.org/ftp/gcrypt/libgcrypt/${PKG_NAME}-${PKG_VERSION}.tar.bz2"
-PKG_DEPENDS_TARGET="toolchain libgpg-error"
+PKG_DEPENDS_TARGET="autotools:host gcc:host libgpg-error"
 PKG_LONGDESC="A General purpose cryptographic library."
 PKG_TOOLCHAIN="autotools"
 # libgcrypt-1.7.x fails to build with LTO support

packages/security/libgcrypt/patches/libgcrypt-01-dont_replace_parts_of_path-0.1.patch

@@ -1,24 +1,25 @@
-diff -Naur libgcrypt-1.4.6/cipher/Makefile.am libgcrypt-1.4.6.patch/cipher/Makefile.am
---- libgcrypt-1.4.6/cipher/Makefile.am	2009-12-11 16:31:38.000000000 +0100
-+++ libgcrypt-1.4.6.patch/cipher/Makefile.am	2011-05-08 03:21:56.463021968 +0200
-@@ -153,7 +153,7 @@
+diff -Naur libgcrypt-1.11.0/cipher/Makefile.am libgcrypt-1.11.0.patch/cipher/Makefile.am
+--- libgcrypt-1.11.0/cipher/Makefile.am	2009-12-11 16:31:38.000000000 +0100
++++ libgcrypt-1.11.0.patch/cipher/Makefile.am	2011-05-08 03:21:56.463021968 +0200
+@@ -174,7 +174,7 @@
  
  
  if ENABLE_O_FLAG_MUNGING
--o_flag_munging = sed -e 's/-O\([2-9sgz][2-9sgz]*\)/-O1/' -e 's/-Ofast/-O1/g'
-+o_flag_munging = sed -e 's/-O\([2-9sgz][2-9sgz]\)/-O1/' -e 's/-Ofast/-O1/g'
+-o_flag_munging = sed -e 's/[[:blank:]]-O\([2-9sgz][2-9sgz]*\)/ -O1 /g' -e 's/[[:blank:]]-Ofast/ -O1 /g'
++o_flag_munging = sed -e 's/[[:blank:]]-O\([2-9sgz][2-9sgz]\)/ -O1 /g' -e 's/[[:blank:]]-Ofast/ -O1 /g'
  else
  o_flag_munging = cat
  endif
-diff -Naur libgcrypt-1.4.6/cipher/Makefile.in libgcrypt-1.4.6.patch/cipher/Makefile.in
---- libgcrypt-1.4.6/cipher/Makefile.in	2010-07-13 17:42:20.000000000 +0200
-+++ libgcrypt-1.4.6.patch/cipher/Makefile.in	2011-05-08 03:22:12.059208971 +0200
-@@ -602,7 +602,7 @@
- 	blake2b-amd64-avx2.S blake2s-amd64-avx.S
+diff -Naur libgcrypt-1.11.0/cipher/Makefile.in libgcrypt-1.11.0.patch/cipher/Makefile.in
+--- libgcrypt-1.11.0/cipher/Makefile.in	2010-07-13 17:42:20.000000000 +0200
++++ libgcrypt-1.11.0.patch/cipher/Makefile.in	2011-05-08 03:22:12.059208971 +0200
+@ENABLE_O_FLAG_MUNGING_TRUE@o_flag_munging = sed -e 's/[[:blank:]]-O\([2-9sgz][2-9sgz]*\)/ -O1 /' -e 's/[[:blank:]]-Ofast/ -O1 /g'
+@@ -654,7 +654,7 @@
+ 	blake2s-amd64-avx.S blake2s-amd64-avx512.S
  
  @ENABLE_O_FLAG_MUNGING_FALSE@o_flag_munging = cat
--@ENABLE_O_FLAG_MUNGING_TRUE@o_flag_munging = sed -e 's/-O\([2-9sgz][2-9sgz]*\)/-O1/' -e 's/-Ofast/-O1/g'
-+@ENABLE_O_FLAG_MUNGING_TRUE@o_flag_munging = sed -e 's/-O\([2-9sgz][2-9sgz]\)/-O1/' -e 's/-Ofast/-O1/g'
+-@ENABLE_O_FLAG_MUNGING_TRUE@o_flag_munging = sed -e 's/[[:blank:]]-O\([2-9sgz][2-9sgz]*\)/ -O1 /g' -e 's/[[:blank:]]-Ofast/ -O1 /g'
++@ENABLE_O_FLAG_MUNGING_TRUE@o_flag_munging = sed -e 's/[[:blank:]]-O\([2-9sgz][2-9sgz]\)/ -O1 /g' -e 's/[[:blank:]]-Ofast/ -O1 /g'
  @ENABLE_INSTRUMENTATION_MUNGING_FALSE@instrumentation_munging = cat
  
  # We need to disable instrumentation for these modules as they use cc as

packages/security/libgpg-error/package.mk

@@ -3,12 +3,12 @@
 # Copyright (C) 2018-present Team LibreELEC (https://libreelec.tv)
 
 PKG_NAME="libgpg-error"
-PKG_VERSION="1.48"
-PKG_SHA256="89ce1ae893e122924b858de84dc4f67aae29ffa610ebf668d5aa539045663d6f"
+PKG_VERSION="1.55"
+PKG_SHA256="95b178148863f07d45df0cea67e880a79b9ef71f5d230baddc0071128516ef78"
 PKG_LICENSE="GPLv2"
 PKG_SITE="https://www.gnupg.org"
 PKG_URL="https://www.gnupg.org/ftp/gcrypt/libgpg-error/${PKG_NAME}-${PKG_VERSION}.tar.bz2"
-PKG_DEPENDS_TARGET="toolchain"
+PKG_DEPENDS_TARGET="autotools:host gcc:host"
 PKG_LONGDESC="A library that defines common error values for all GnuPG components."
 
 pre_configure_target() {

packages/security/libxcrypt/package.mk

@@ -2,8 +2,8 @@
 # Copyright (C) 2023-present Team LibreELEC (https://libreelec.tv)
 
 PKG_NAME="libxcrypt"
-PKG_VERSION="4.4.36"
-PKG_SHA256="e5e1f4caee0a01de2aee26e3138807d6d3ca2b8e67287966d1fefd65e1fd8943"
+PKG_VERSION="4.4.38"
+PKG_SHA256="80304b9c306ea799327f01d9a7549bdb28317789182631f1b54f4511b4206dd6"
 PKG_LICENSE="LGPL-2.1"
 PKG_SITE="https://github.com/besser82/libxcrypt"
 PKG_URL="https://github.com/besser82/libxcrypt/releases/download/v${PKG_VERSION}/${PKG_NAME}-${PKG_VERSION}.tar.xz"

packages/security/nettle/package.mk

@@ -3,13 +3,13 @@
 # Copyright (C) 2018-present Team LibreELEC (https://libreelec.tv)
 
 PKG_NAME="nettle"
-PKG_VERSION="3.9.1"
-PKG_SHA256="ccfeff981b0ca71bbd6fbcb054f407c60ffb644389a5be80d6716d5b550c6ce3"
+PKG_VERSION="3.10.2"
+PKG_SHA256="fe9ff51cb1f2abb5e65a6b8c10a92da0ab5ab6eaf26e7fc2b675c45f1fb519b5"
 PKG_LICENSE="GPL2"
 PKG_SITE="http://www.lysator.liu.se/~nisse/nettle"
 PKG_URL="https://ftp.gnu.org/gnu/nettle/nettle-${PKG_VERSION}.tar.gz"
-PKG_DEPENDS_HOST="toolchain:host gmp:host"
-PKG_DEPENDS_TARGET="toolchain gmp"
+PKG_DEPENDS_HOST="autotools:host gmp:host"
+PKG_DEPENDS_TARGET="autotools:host gcc:host gmp"
 PKG_LONGDESC="A low-level cryptographic library."
 
 PKG_CONFIGURE_OPTS_COMMON="--disable-documentation \

packages/security/nspr/package.mk

@@ -3,11 +3,11 @@
 # Copyright (C) 2019-present Team LibreELEC (https://libreelec.tv)
 
 PKG_NAME="nspr"
-PKG_VERSION="4.35"
+PKG_VERSION="4.37"
 PKG_LICENSE="Mozilla Public License"
 PKG_SITE="http://www.linuxfromscratch.org/blfs/view/svn/general/nspr.html"
 PKG_DEPENDS_HOST="ccache:host"
-PKG_DEPENDS_TARGET="toolchain nss:host nspr:host"
+PKG_DEPENDS_TARGET="autotools:host gcc:host nss:host nspr:host"
 PKG_DEPENDS_UNPACK="nss"
 PKG_LONGDESC="Netscape Portable Runtime (NSPR) provides a platform-neutral API for system level and libc like functions"
 PKG_TOOLCHAIN="configure"

packages/security/nss/package.mk

@@ -3,17 +3,21 @@
 # Copyright (C) 2019-present Team LibreELEC (https://libreelec.tv)
 
 PKG_NAME="nss"
-PKG_VERSION="3.98"
-PKG_SHA256="59bb55a59b02e4004fc26ad0aa1a13fe8d73c6c90c447dd2f2efb73fb81083ed"
+PKG_VERSION="3.114"
+PKG_SHA256="aa927a8610354483b52fdb3c9445f3e2f4a231cc03754ed47e96d2697c2e2329"
 PKG_LICENSE="Mozilla Public License"
 PKG_SITE="http://ftp.mozilla.org/"
 PKG_URL="https://ftp.mozilla.org/pub/security/nss/releases/NSS_${PKG_VERSION//./_}_RTM/src/nss-${PKG_VERSION}-with-nspr-$(get_pkg_version nspr).tar.gz"
 PKG_DEPENDS_HOST="nspr:host zlib:host"
-PKG_DEPENDS_TARGET="toolchain nss:host nspr zlib sqlite"
+PKG_DEPENDS_TARGET="make:host gcc:host nss:host nspr zlib sqlite"
 PKG_LONGDESC="The Network Security Services (NSS) package is a set of libraries designed to support cross-platform development of security-enabled client and server applications"
 PKG_TOOLCHAIN="manual"
 PKG_BUILD_FLAGS="-parallel"
 
+post_patch() {
+  echo "DEFINES += -DNSS_FIPS_DISABLED" >> ${PKG_BUILD}/nss/coreconf/config.mk
+}
+
 make_host() {
   cd ${PKG_BUILD}/nss
 

packages/security/nss/patches/0001-Revert-Bug-1827303-Softoken-C_-calls-should-use-syst.patch

@@ -1,329 +0,0 @@
-From 4d40ae4e120bf69e27f9f9331c3fedaf01a48edd Mon Sep 17 00:00:00 2001
-From: Rudi Heitbaum <rudi@heitbaum.com>
-Date: Tue, 3 Oct 2023 15:57:07 +0000
-Subject: [PATCH] Revert "Bug 1827303 Softoken C_ calls should use system FIPS
- setting to select NSC_ or FC_ variants."
-
-This reverts commit e91f174eeb34e5acfa9f01bb194905168c82bef9.
----
- lib/freebl/nsslowhash.c                       | 32 ++++++++++++-
- lib/freebl/stubs.c                            | 44 ------------------
- lib/freebl/stubs.h                            |  1 -
- lib/pk11wrap/pk11util.c                       | 23 +++++++++-
- lib/softoken/pkcs11.c                         | 35 --------------
- lib/util/nssutil.def                          |  6 ---
- lib/util/secport.c                            | 46 -------------------
- lib/util/secport.h                            |  1 -
- 9 files changed, 53 insertions(+), 140 deletions(-)
-
-diff --git a/nss/lib/freebl/nsslowhash.c b/nss/lib/freebl/nsslowhash.c
-index cf9e8ac52..7a22a357e 100644
---- a/nss/lib/freebl/nsslowhash.c
-+++ b/nss/lib/freebl/nsslowhash.c
-@@ -23,6 +23,36 @@ struct NSSLOWHASHContextStr {
-     void *hashCtxt;
- };
- 
-+#ifndef NSS_FIPS_DISABLED
-+static int
-+nsslow_GetFIPSEnabled(void)
-+{
-+#ifdef LINUX
-+    FILE *f;
-+    char d;
-+    size_t size;
-+    const char *env;
-+
-+    env = PR_GetEnvSecure("NSS_FIPS");
-+    if (env && (*env == 'y' || *env == 'f' || *env == '1' || *env == 't')) {
-+        return 1;
-+    }
-+
-+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
-+    if (!f)
-+        return 0;
-+
-+    size = fread(&d, 1, 1, f);
-+    fclose(f);
-+    if (size != 1)
-+        return 0;
-+    if (d != '1')
-+        return 0;
-+#endif /* LINUX */
-+    return 1;
-+}
-+#endif /* NSS_FIPS_DISABLED */
-+
- static NSSLOWInitContext dummyContext = { 0 };
- static PRBool post_failed = PR_TRUE;
- 
-@@ -36,7 +66,7 @@ NSSLOW_Init(void)
- #ifndef NSS_FIPS_DISABLED
-     /* make sure the FIPS product is installed if we are trying to
-      * go into FIPS mode */
--    if (NSS_GetSystemFIPSEnabled()) {
-+    if (nsslow_GetFIPSEnabled()) {
-         if (BL_FIPSEntryOK(PR_TRUE, PR_FALSE) != SECSuccess) {
-             PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
-             post_failed = PR_TRUE;
-diff --git a/nss/lib/freebl/stubs.c b/nss/lib/freebl/stubs.c
-index a79cf69a2..a20d7abf3 100644
---- a/nss/lib/freebl/stubs.c
-+++ b/nss/lib/freebl/stubs.c
-@@ -182,9 +182,6 @@ STUB_DECLARE(SECOidTag, SECOID_FindOIDTag_Util, (const SECItem *oid));
- STUB_DECLARE(int, NSS_SecureMemcmp, (const void *a, const void *b, size_t n));
- STUB_DECLARE(unsigned int, NSS_SecureMemcmpZero, (const void *mem, size_t n));
- STUB_DECLARE(void, NSS_SecureSelect, (void *dest, const void *src0, const void *src1, size_t n, unsigned char b));
--#ifndef NSS_FIPS_DISABLED
--STUB_DECLARE(PRBool, NSS_GetSystemFIPSEnabled, (void));
--#endif
- 
- #define PORT_ZNew_stub(type) (type *)PORT_ZAlloc_stub(sizeof(type))
- #define PORT_New_stub(type) (type *)PORT_Alloc_stub(sizeof(type))
-@@ -715,47 +712,6 @@ NSS_SecureSelect_stub(void *dest, const void *src0, const void *src1, size_t n,
-     abort();
- }
- 
--#ifndef NSS_FIPS_DISABLED
--PRBool
--NSS_GetSystemFIPSEnabled_stub(void)
--{
--    STUB_SAFE_CALL0(NSS_GetSystemFIPSEnabled);
--    const char *env;
--
--    /* The environment variable is active for all platforms */
--    env = PR_GetEnvSecure_stub("NSS_FIPS");
--    /* we generally accept y, Y, 1, FIPS, TRUE, and ON as turning on FIPS
--     * mode. Anything else is considered 'off' */
--    if (env && (*env == 'y' || *env == '1' || *env == 'Y' ||
--                (strcasecmp(env, "fips") == 0) ||
--                (strcasecmp(env, "true") == 0) ||
--                (strcasecmp(env, "on") == 0))) {
--        return PR_TRUE;
--    }
--
--/* currently only Linux has a system FIPS indicator. Add others here
-- * as they become available/known */
--#ifdef LINUX
--    {
--        FILE *f;
--        char d;
--        size_t size;
--        f = fopen("/proc/sys/crypto/fips_enabled", "r");
--        if (!f)
--            return PR_FALSE;
--
--        size = fread(&d, 1, 1, f);
--        fclose(f);
--        if (size != 1)
--            return PR_FALSE;
--        if (d == '1')
--            return PR_TRUE;
--    }
--#endif /* LINUX */
--    return PR_FALSE;
--}
--#endif /* NSS_FIPS_DISABLED = 0 */
--
- #ifdef FREEBL_NO_WEAK
- 
- static const char *nsprLibName = SHLIB_PREFIX "nspr4." SHLIB_SUFFIX;
-diff --git a/nss/lib/freebl/stubs.h b/nss/lib/freebl/stubs.h
-index 58cb9d085..f773e1043 100644
---- a/nss/lib/freebl/stubs.h
-+++ b/nss/lib/freebl/stubs.h
-@@ -43,7 +43,6 @@
- #define NSS_SecureMemcmp NSS_SecureMemcmp_stub
- #define NSS_SecureMemcmpZero NSS_SecureMemcmpZero_stub
- #define NSS_SecureSelect NSS_SecureSelect_stub
--#define NSS_GetSystemFIPSEnabled NSS_GetSystemFIPSEnabled_stub
- 
- #define PR_Assert PR_Assert_stub
- #define PR_Access PR_Access_stub
-diff --git a/nss/lib/pk11wrap/pk11util.c b/nss/lib/pk11wrap/pk11util.c
-index e15a0774e..2584ec3e8 100644
---- a/nss/lib/pk11wrap/pk11util.c
-+++ b/nss/lib/pk11wrap/pk11util.c
-@@ -99,7 +99,28 @@ SECMOD_Shutdown()
- PRBool
- SECMOD_GetSystemFIPSEnabled(void)
- {
--    return NSS_GetSystemFIPSEnabled();
-+#ifdef LINUX
-+#ifndef NSS_FIPS_DISABLED
-+    FILE *f;
-+    char d;
-+    size_t size;
-+
-+    f = fopen("/proc/sys/crypto/fips_enabled", "r");
-+    if (!f) {
-+        return PR_FALSE;
-+    }
-+
-+    size = fread(&d, 1, sizeof(d), f);
-+    fclose(f);
-+    if (size != sizeof(d)) {
-+        return PR_FALSE;
-+    }
-+    if (d == '1') {
-+        return PR_TRUE;
-+    }
-+#endif
-+#endif
-+    return PR_FALSE;
- }
- 
- /*
-diff --git a/nss/lib/softoken/pkcs11.c b/nss/lib/softoken/pkcs11.c
-index 8e7872f8b..64b7892d0 100644
---- a/nss/lib/softoken/pkcs11.c
-+++ b/nss/lib/softoken/pkcs11.c
-@@ -93,17 +93,6 @@ static PRIntervalTime loginWaitTime;
- 
- #include "pkcs11f.h"
- 
--#ifndef NSS_FIPS_DISABLE
--/* ------------- forward declare all the FIPS functions ------------- */
--#undef CK_NEED_ARG_LIST
--#undef CK_PKCS11_FUNCTION_INFO
--
--#define CK_PKCS11_FUNCTION_INFO(name) CK_RV __PASTE(F, name)
--#define CK_NEED_ARG_LIST 1
--
--#include "pkcs11f.h"
--#endif
--
- /* build the crypto module table */
- static CK_FUNCTION_LIST_3_0 sftk_funcList = {
-     { CRYPTOKI_VERSION_MAJOR, CRYPTOKI_VERSION_MINOR },
-@@ -2508,15 +2497,7 @@ NSC_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
- CK_RV
- C_GetFunctionList(CK_FUNCTION_LIST_PTR *pFunctionList)
- {
--#ifdef NSS_FIPS_DISABLED
-     return NSC_GetFunctionList(pFunctionList);
--#else
--    if (NSS_GetSystemFIPSEnabled()) {
--        return FC_GetFunctionList(pFunctionList);
--    } else {
--        return NSC_GetFunctionList(pFunctionList);
--    }
--#endif
- }
- 
- CK_RV
-@@ -2537,15 +2518,7 @@ NSC_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
- CK_RV
- C_GetInterfaceList(CK_INTERFACE_PTR interfaces, CK_ULONG_PTR pulCount)
- {
--#ifdef NSS_FIPS_DISABLED
-     return NSC_GetInterfaceList(interfaces, pulCount);
--#else
--    if (NSS_GetSystemFIPSEnabled()) {
--        return FC_GetInterfaceList(interfaces, pulCount);
--    } else {
--        return NSC_GetInterfaceList(interfaces, pulCount);
--    }
--#endif
- }
- 
- /*
-@@ -2578,15 +2551,7 @@ CK_RV
- C_GetInterface(CK_UTF8CHAR_PTR pInterfaceName, CK_VERSION_PTR pVersion,
-                CK_INTERFACE_PTR_PTR ppInterface, CK_FLAGS flags)
- {
--#ifdef NSS_FIPS_DISABLED
-     return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags);
--#else
--    if (NSS_GetSystemFIPSEnabled()) {
--        return FC_GetInterface(pInterfaceName, pVersion, ppInterface, flags);
--    } else {
--        return NSC_GetInterface(pInterfaceName, pVersion, ppInterface, flags);
--    }
--#endif
- }
- 
- static PLHashNumber
-diff --git a/nss/lib/util/nssutil.def b/nss/lib/util/nssutil.def
-index 01f362c2a..a48794e47 100644
---- a/nss/lib/util/nssutil.def
-+++ b/nss/lib/util/nssutil.def
-@@ -354,9 +354,3 @@ NSS_SecureSelect;
- ;+    local:
- ;+       *;
- ;+};
--;+NSSUTIL_3.94 {         # NSS Utilities 3.94 release
--;+    global:
--NSS_GetSystemFIPSEnabled;
--;+    local:
--;+       *;
--;+};
-diff --git a/nss/lib/util/secport.c b/nss/lib/util/secport.c
-index 30215a80f..fb5223d64 100644
---- a/nss/lib/util/secport.c
-+++ b/nss/lib/util/secport.c
-@@ -877,49 +877,3 @@ NSS_SecureSelect(void *dest, const void *src0, const void *src1, size_t n, unsig
-         ((unsigned char *)dest)[i] = s0i ^ (mask & (s0i ^ s1i));
-     }
- }
--
--/*
-- * consolidate all the calls to get the system FIPS status in one spot.
-- * This function allows an environment variable to override what is returned.
-- */
--PRBool
--NSS_GetSystemFIPSEnabled(void)
--{
--/* if FIPS is disabled in NSS, always return FALSE, even if the environment
-- * variable is set, or the system is in FIPS mode */
--#ifndef NSS_FIPS_DISABLED
--    const char *env;
--
--    /* The environment variable is active for all platforms */
--    env = PR_GetEnvSecure("NSS_FIPS");
--    /* we generally accept y, Y, 1, FIPS, TRUE, and ON as turning on FIPS
--     * mode. Anything else is considered 'off' */
--    if (env && (*env == 'y' || *env == '1' || *env == 'Y' ||
--                (PORT_Strcasecmp(env, "fips") == 0) ||
--                (PORT_Strcasecmp(env, "true") == 0) ||
--                (PORT_Strcasecmp(env, "on") == 0))) {
--        return PR_TRUE;
--    }
--
--/* currently only Linux has a system FIPS indicator. Add others here
-- * as they become available/known */
--#ifdef LINUX
--    {
--        FILE *f;
--        char d;
--        size_t size;
--        f = fopen("/proc/sys/crypto/fips_enabled", "r");
--        if (!f)
--            return PR_FALSE;
--
--        size = fread(&d, 1, 1, f);
--        fclose(f);
--        if (size != 1)
--            return PR_FALSE;
--        if (d == '1')
--            return PR_TRUE;
--    }
--#endif /* LINUX */
--#endif /* NSS_FIPS_DISABLED == 0 */
--    return PR_FALSE;
--}
-diff --git a/nss/lib/util/secport.h b/nss/lib/util/secport.h
-index d58b3f2f9..fa587b28a 100644
---- a/nss/lib/util/secport.h
-+++ b/nss/lib/util/secport.h
-@@ -262,7 +262,6 @@ extern int NSS_PutEnv(const char *envVarName, const char *envValue);
- extern int NSS_SecureMemcmp(const void *a, const void *b, size_t n);
- extern unsigned int NSS_SecureMemcmpZero(const void *mem, size_t n);
- extern void NSS_SecureSelect(void *dest, const void *src0, const void *src1, size_t n, unsigned char b);
--extern PRBool NSS_GetSystemFIPSEnabled(void);
- 
- /*
-  * Load a shared library called "newShLibName" in the same directory as
--- 
-2.34.1
-

packages/security/nss/patches/nss-09-gcc-warning-workaround.patch

@@ -1,11 +0,0 @@
-diff -r ab04fd73fd6d coreconf/nsinstall/nsinstall.c
---- a/nss/coreconf/nsinstall/nsinstall.c	Mon Aug 24 22:52:43 2020 +0000
-+++ b/nss/coreconf/nsinstall/nsinstall.c	Wed Aug 26 13:04:16 2020 +0200
-@@ -50,6 +50,7 @@
- extern int fchmod(int fildes, mode_t mode);
- #endif
- 
-+#define GETCWD_CANT_MALLOC 1
- 
- #ifdef GETCWD_CANT_MALLOC
- /*

packages/security/nss/patches/nss-12-fix-build-of-cmd-with-nssutil.patch

@@ -0,0 +1,18 @@
+--- a/nss/cmd/platlibs.mk	2024-08-24 11:00:43.573034453 +0000
++++ b/nss/cmd/platlibs.mk	2024-08-24 11:00:46.506390708 +0000
+@@ -181,6 +181,7 @@
+ 	-l$(SQLITE_LIB_NAME) \
+ 	-L$(NSSUTIL_LIB_DIR) \
+ 	-lnssutil3 \
++	-lnssutil \
+ 	-L$(NSPR_LIB_DIR) \
+ 	-lplc4 \
+ 	-lplds4 \
+@@ -226,6 +227,7 @@
+ 	-L$(DIST)/lib \
+ 	-L$(NSSUTIL_LIB_DIR) \
+ 	-lnssutil3 \
++	-lnssutil \
+ 	-L$(NSPR_LIB_DIR) \
+ 	-lplc4 \
+ 	-lplds4 \