nss: upgrade 3.119 -> 3.121

Adapt patch 0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch to new version of the code. Remove code which not exist and adapt to new code. Changelog: v3.121: https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_121.html Bugs: - update vendored zlib to v1.3.2. - Revert the unnecessary changes to intel-gcm-wrap.gyp. - Use C fallback for AES-GCM on MinGW builds. - fix ML-KEM PCT. - Extend NSS Fuzzing docs. - avoid integer overflow in platform-independent ghash. - Fix errant whitespace in OISTE Server Root RSA G1 nickname. - fix build with glibc-2.43 assignment discards ‘const’ qualifier from pointer. - add gcm.gyp dependency for Solaris SPARC builds. - Set nssckbi version to 2.84. - Add e-Szigno TLS Root CA 2023 to NSS. - allow manual selection of CPU_ARCH=x86_64 and ppc64 in coreconf/Darwin.mk. - Update cryptofuzz version. - Paranoia assert. - Darwin compatibility for intel-aes.S and intel-gcm.S. - rename intel-{aes,gcm}.s to .S. - rename C files for platform-specific ghash implementations. - simplify compilation of platform-specific GCM and GHASH. - FORWARD_NULL null deref of worker in p7decode.c (sec_pkcs7_decoder_abort_digests). - Out-of-Bounds Read in ML-DSA Private Key Parsing (zero-length privateKey). v3.120: https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_120.html Bugs: - Fix docs generation bug. - CID 1678226: Dereferencing null pointer plaintext.data(). - Run PKCS12 fuzz target with –fuzz=tls in CI. - Allowing RT be started several times. - move linux decision and build tasks to d2g worker pools. v3.119.1: https://firefox-source-docs.mozilla.org/security/nss/releases/nss_3_119_1.html Bugs: - restore coreconf/Darwin.mk behavior for intel archs. Signed-off-by: Andrej Kozemcak <andrej.kozemcak@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Andrej Kozemcak <andrej.kozemcak@siemens.com> 2026-03-12 15:04:57 +0100
committer: Khem Raj <raj.khem@gmail.com> 2026-03-17 22:02:52 -0700
commit: 84e05a05d9c8e965be07088a51889e9191bbaabb (patch)
tree: a2af199b6728f84f31471b14b81005c998646298
parent: 4dc8384995347f2c0d1b4054854851ac7ee49519 (diff)
download: meta-openembedded-84e05a05d9c8e965be07088a51889e9191bbaabb.tar.gz
2 files changed, 5 insertions, 26 deletions
diff --git a/meta-oe/recipes-support/nss/nss/0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch b/meta-oe/recipes-support/nss/nss/0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
index 63f822be25..2a14dffbea 100644
--- a/meta-oe/recipes-support/nss/nss/0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
+++ b/meta-oe/recipes-support/nss/nss/0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch
@@ -11,14 +11,13 @@ Upstream-Status: Pending
 Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
 ---
 nss/lib/freebl/Makefile | 3 +++
- nss/lib/freebl/gcm.c    | 2 ++
+ 1 file changed, 3 insertions(+)
- 2 files changed, 5 insertions(+)
 diff --git a/nss/lib/freebl/Makefile b/nss/lib/freebl/Makefile
 index 0ebfc92..3ee7623 100644
 --- a/nss/lib/freebl/Makefile
 +++ b/nss/lib/freebl/Makefile
-@@ -142,6 +142,8 @@ endif
+@@ -136,6 +136,8 @@ endif
         endif
     endif
 endif
@@ -26,8 +25,8 @@ index 0ebfc92..3ee7623 100644
 +    DEFINES += -DNSS_USE_ARM_HW_CRYPTO
 ifeq ($(CPU_ARCH),aarch64)
     ifdef CC_IS_CLANG
-         DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2
+         DEFINES += -DUSE_HW_AES -DUSE_HW_SHA1 -DUSE_HW_SHA2 -DHAVE_PLATFORM_GHASH
-@@ -183,6 +185,7 @@ endif
+@@ -178,6 +180,7 @@ endif
         endif
     endif
 endif
@@ -35,23 +34,3 @@ index 0ebfc92..3ee7623 100644
 
 ifeq (,$(filter-out WINNT,$(OS_TARGET)))
 ifndef USE_64
-diff --git a/nss/lib/freebl/gcm.c b/nss/lib/freebl/gcm.c
-index a2f63a6..743158e 100644
--- a/nss/lib/freebl/gcm.c
-+++ b/nss/lib/freebl/gcm.c
-@@ -18,6 +18,7 @@
- 
- #include <limits.h>
- 
-+#ifdef NSS_USE_ARM_HW_CRYPTO
- /* old gcc doesn't support some poly64x2_t intrinsic */
- #if defined(__aarch64__) && defined(IS_LITTLE_ENDIAN) && \
-     (defined(__clang__) || defined(__GNUC__) && __GNUC__ > 6)
-@@ -27,6 +28,7 @@
- /* We don't test on big endian platform, so disable this on big endian. */
- #define USE_ARM_GCM
- #endif
-+#endif
- 
- #if defined(__ARM_NEON) || defined(__ARM_NEON__)
- #include <arm_neon.h>
diff --git a/meta-oe/recipes-support/nss/nss_3.119.bb b/meta-oe/recipes-support/nss/nss_3.121.bb
index a0345eb8aa..99f54c948a 100644
--- a/meta-oe/recipes-support/nss/nss_3.119.bb
+++ b/meta-oe/recipes-support/nss/nss_3.121.bb
@@ -33,7 +33,7 @@ SRC_URI = "https://ftp.mozilla.org/pub/security/nss/releases/${VERSION_DIR}/src/
           file://0006-Fix-nss-multilib-build-on-openSUSE-11.x-32bit.patch \
           file://0007-freebl-add-a-configure-option-to-disable-ARM-HW-cryp.patch \
           "
-SRC_URI[sha256sum] = "e8412db6c9d6f531e8adfe8a122ec33a8fae920681ff47231a1349bdd399f0e9"
+SRC_URI[sha256sum] = "cb3a8f8781bea78b7b8edd3afb7a2cb58e4881bb0160d189a39b98216ba7632e"
 UPSTREAM_CHECK_URI = "https://ftp.mozilla.org/pub/security/nss/releases/"
 UPSTREAM_CHECK_REGEX = "NSS_(?P<pver>\d+(\_\d+)+)"
author	Andrej Kozemcak <andrej.kozemcak@siemens.com>	2026-03-12 15:04:57 +0100
committer	Khem Raj <raj.khem@gmail.com>	2026-03-17 22:02:52 -0700
commit	84e05a05d9c8e965be07088a51889e9191bbaabb (patch)
tree	a2af199b6728f84f31471b14b81005c998646298
parent	4dc8384995347f2c0d1b4054854851ac7ee49519 (diff)
download	meta-openembedded-84e05a05d9c8e965be07088a51889e9191bbaabb.tar.gz