app-crypt/nss: upgrade to 3.73

Upgrade the app-crypt part of nss package to 3.73 to
get the fix for CVE-2021-43527.

BUG=b/209391468
TEST=presubmit
RELEASE_NOTE=Fixes CVE-2021-43527.

Change-Id: Icb69352313879f0e615145d34602eb8a8243ffbe
Reviewed-on: https://cos-review.googlesource.com/c/third_party/overlays/chromiumos-overlay/+/26660
Tested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>
Reviewed-by: Vaibhav Rustagi <vaibhavrustagi@google.com>
diff --git a/app-crypt/nss/Manifest b/app-crypt/nss/Manifest
index 41bc2ef..7901893 100644
--- a/app-crypt/nss/Manifest
+++ b/app-crypt/nss/Manifest
@@ -1,3 +1,2 @@
-DIST nss-3.44.tar.gz 23474704 BLAKE2B 8e3b49c7dd4ca1795eff0af55bcf8c8586a5658f0d671306d166dd8d758cc056858dbaf028d5e4ea4bba40e473aa246251f07ed7108bc2f40990b53aea40a1a6 SHA512 c4d7343a66f91c5888a121e266d1f1471da798a21d608a29caf598a828725e4bf9ea7411a105b23335f20bd7c12788dad567922ceeaebeb0c98fbf9bbe4006f7
-DIST nss-cacert-class1-class3.patch 22950 BLAKE2B 9d5e60df5f161a3c27c41e5a9419440a54f888eda454e3cde5ebe626d4075b65cf9938b5144d0fb022377f4bd415bff5e5c67d104409860aa9391b3eb8872c68 SHA512 a5aa740bf110a3f0262e3f1ef2fc739ac2b44f042e220039d48aee8e97cd764d5c10718220364f4098aba955882bd02cadb5481512388971a8290312f88a7df0
-DIST nss-pem-20160329.tar.xz 27732 BLAKE2B 7c23133a7bfb969d8eac98fb6311e76ab60c5d6601c7329f3c492da30c017e66d64a1f8bc827dd36e52e65c1a1ec02b58816442aaf410345c5ed759a02264b84 SHA512 5834b06e4c64205447573d4f4c8989e20986ae67ee00eebce3817eb73794a6355a404143ba1c676ec302ceefaf9df103cb879b1d4ff14ba4e3790dbee3e40eb2
+DIST nss-3.73.tar.gz 83928905 BLAKE2B 64c95a04c366dc3d57c42ddb105b3afe5b4b579b3fdb554ffa684f74f5c203b136213a1a67a554756be605722ac03c15cee766afba6edf2c7c0b2162a8181ec5 SHA512 84b6e4ce8838f77674a5587cd227fa103c80f1b36c8bfb9b60a175157f131e59153c79ee77b29feffa57f49b217a90a8a091ee368eb0bc03312894e386a4c01b
+DIST nss-cacert-class1-class3-r2.patch 21925 BLAKE2B 7627ff9a09f084c19d72d0490676865e3cab3ca7c920ae1ce4bea2db664f37fd0aa84fcda919809a516891ab2a62e2e7a43a9d6ada4c231adfe4c216525fac7d SHA512 1ce6ff9ab310aaca9005eafb461338b291df8523cc7044e096cd75774ce746c26eed19ec6bb2643c6c67f94650f2f309463492d80a90568f38ce2557f8ada2f4
diff --git a/app-crypt/nss/files/nss-3.21-enable-pem.patch b/app-crypt/nss/files/nss-3.21-enable-pem.patch
deleted file mode 100644
index e6de275..0000000
--- a/app-crypt/nss/files/nss-3.21-enable-pem.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- nss/lib/ckfw/manifest.mn
-+++ nss/lib/ckfw/manifest.mn
-@@ -5,7 +5,7 @@
- 
- CORE_DEPTH = ../..
- 
--DIRS = builtins 
-+DIRS = builtins pem
- 
- PRIVATE_EXPORTS = \
- 	ck.h		  \
diff --git a/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch
deleted file mode 100644
index e96739f0..0000000
--- a/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set1.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-
-# HG changeset patch
-# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
-# Date 1595031194 0
-# Node ID f282556e6cc7715f5754aeaadda6f902590e7e38
-# Parent  89733253df83ef7fe8dd0d49f6370b857e93d325
-Bug 1636771 - Disable PKCS11 incremental mode for ChaCha20. r=kjacobs,rrelyea
-
-Depends on D74801
-
-Differential Revision: https://phabricator.services.mozilla.com/D83994
-
-diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
---- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc
-+++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
-@@ -72,9 +72,58 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUn
-   ASSERT_EQ(GetBytes(ctx, outbuf, 17), SECSuccess);
- 
-   PK11_FreeSymKey(key);
-   PK11_FreeSlot(slot);
-   PK11_DestroyContext(ctx, PR_TRUE);
-   NSS_ShutdownContext(globalctx);
- }
- 
-+TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
-+  PK11SlotInfo* slot;
-+  PK11SymKey* key;
-+  PK11Context* ctx;
-+
-+  NSSInitContext* globalctx =
-+      NSS_InitContext("", "", "", "", NULL,
-+                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
-+                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
-+
-+  const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
-+
-+  slot = PK11_GetInternalSlot();
-+  ASSERT_TRUE(slot);
-+
-+  // Use arbitrary bytes for the ChaCha20 key and IV
-+  uint8_t key_bytes[32];
-+  for (size_t i = 0; i < 32; i++) {
-+    key_bytes[i] = i;
-+  }
-+  SECItem keyItem = {siBuffer, key_bytes, 32};
-+
-+  uint8_t iv_bytes[16];
-+  for (size_t i = 0; i < 16; i++) {
-+    key_bytes[i] = i;
-+  }
-+  SECItem ivItem = {siBuffer, iv_bytes, 16};
-+
-+  SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
-+
-+  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
-+                          &keyItem, NULL);
-+  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
-+  ASSERT_TRUE(key);
-+  ASSERT_TRUE(ctx);
-+
-+  uint8_t outbuf[128];
-+  // This is supposed to fail for Chacha20. This is because the underlying
-+  // PK11_CipherOp operation is calling the C_EncryptUpdate function for
-+  // which multi-part is disabled for ChaCha20 in counter mode.
-+  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
-+
-+  PK11_FreeSymKey(key);
-+  PK11_FreeSlot(slot);
-+  SECITEM_FreeItem(param, PR_TRUE);
-+  PK11_DestroyContext(ctx, PR_TRUE);
-+  NSS_ShutdownContext(globalctx);
-+}
-+
- }  // namespace nss_test
-diff --git a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
-index 38982fd..700750c 100644
---- a/gtests/pk11_gtest/pk11_cipherop_unittest.cc.org
-+++ b/gtests/pk11_gtest/pk11_cipherop_unittest.cc
-@@ -77,4 +77,53 @@ TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOps) {
-   NSS_ShutdownContext(globalctx);
- }
- 
-+TEST(Pkcs11CipherOp, SingleCtxMultipleUnalignedCipherOpsChaCha20) {
-+  PK11SlotInfo* slot;
-+  PK11SymKey* key;
-+  PK11Context* ctx;
-+
-+  NSSInitContext* globalctx =
-+      NSS_InitContext("", "", "", "", NULL,
-+                      NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB |
-+                          NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT);
-+
-+  const CK_MECHANISM_TYPE cipher = CKM_NSS_CHACHA20_CTR;
-+
-+  slot = PK11_GetInternalSlot();
-+  ASSERT_TRUE(slot);
-+
-+  // Use arbitrary bytes for the ChaCha20 key and IV
-+  uint8_t key_bytes[32];
-+  for (size_t i = 0; i < 32; i++) {
-+    key_bytes[i] = i;
-+  }
-+  SECItem keyItem = {siBuffer, key_bytes, 32};
-+
-+  uint8_t iv_bytes[16];
-+  for (size_t i = 0; i < 16; i++) {
-+    key_bytes[i] = i;
-+  }
-+  SECItem ivItem = {siBuffer, iv_bytes, 16};
-+
-+  SECItem* param = PK11_ParamFromIV(cipher, &ivItem);
-+
-+  key = PK11_ImportSymKey(slot, cipher, PK11_OriginUnwrap, CKA_ENCRYPT,
-+                          &keyItem, NULL);
-+  ctx = PK11_CreateContextBySymKey(cipher, CKA_ENCRYPT, key, param);
-+  ASSERT_TRUE(key);
-+  ASSERT_TRUE(ctx);
-+
-+  uint8_t outbuf[128];
-+  // This is supposed to fail for Chacha20. This is because the underlying
-+  // PK11_CipherOp operation is calling the C_EncryptUpdate function for
-+  // which multi-part is disabled for ChaCha20 in counter mode.
-+  ASSERT_EQ(GetBytes(ctx, outbuf, 7), SECFailure);
-+
-+  PK11_FreeSymKey(key);
-+  PK11_FreeSlot(slot);
-+  SECITEM_FreeItem(param, PR_TRUE);
-+  PK11_DestroyContext(ctx, PR_TRUE);
-+  NSS_ShutdownContext(globalctx);
-+}
-+
- }  // namespace nss_test
-
-diff --git a/lib/softoken/pkcs11c.c b/lib/softoken/pkcs11c.c
-index 003e2be..a3eecf5 100644
---- a/lib/softoken/pkcs11c.c
-+++ b/lib/softoken/pkcs11c.c
-@@ -1207,6 +1207,7 @@ sftk_CryptInit(CK_SESSION_HANDLE hSession, CK_MECHANISM_PTR pMechanism,
-             break;
-
-         case CKM_NSS_CHACHA20_CTR:
-+           context->multi = PR_FALSE;
-             if (key_type != CKK_NSS_CHACHA20) {
-                 crv = CKR_KEY_TYPE_INCONSISTENT;
-                 break;
-
diff --git a/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch b/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch
deleted file mode 100644
index a116da4..0000000
--- a/app-crypt/nss/files/nss-3.44-CVE-2020-12403-set2.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-
-# HG changeset patch
-# User Benjamin Beurdouche <bbeurdouche@mozilla.com>
-# Date 1595031218 0
-# Node ID c25adfdfab34ddb08d3262aac3242e3399de1095
-# Parent  f282556e6cc7715f5754aeaadda6f902590e7e38
-Bug 1636771 - Fix incorrect call to Chacha20Poly1305 by PKCS11. r=jcj,kjacobs,rrelyea
-
-Differential Revision: https://phabricator.services.mozilla.com/D74801
-
-diff --git a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
-index a041947..a92c28a 100644
---- a/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
-+++ b/gtests/pk11_gtest/pk11_chacha20poly1305_unittest.cc
-@@ -44,7 +44,15 @@ class Pkcs11ChaCha20Poly1305Test
-     SECItem params = {siBuffer, reinterpret_cast<unsigned char*>(&aead_params),
-                       sizeof(aead_params)};
- 
--    // Encrypt.
-+    // Encrypt with bad parameters (TagLen is too short).
-+    aead_params.ulTagLen = 2;
-+    rv = PK11_Encrypt(key.get(), kMech, &params, encrypted.data(),
-+                      &encrypted_len, encrypted.size(), data, data_len);
-+    EXPECT_EQ(SECFailure, rv);
-+    EXPECT_EQ(0U, encrypted_len);
-+
-+     // Encrypt.
-+    aead_params.ulTagLen = 16;
-     unsigned int outputLen = 0;
-     std::vector<uint8_t> output(data_len + aead_params.ulTagLen);
-     SECStatus rv = PK11_Encrypt(key.get(), kMech, &params, output.data(),
-
-diff --git a/lib/freebl/chacha20poly1305.c b/lib/freebl/chacha20poly1305.c
---- a/lib/freebl/chacha20poly1305.c
-+++ b/lib/freebl/chacha20poly1305.c
-@@ -76,17 +76,17 @@ ChaCha20Poly1305_InitContext(ChaCha20Pol
- {
- #ifdef NSS_DISABLE_CHACHAPOLY
-     return SECFailure;
- #else
-     if (keyLen != 32) {
-         PORT_SetError(SEC_ERROR_BAD_KEY);
-         return SECFailure;
-     }
--    if (tagLen == 0 || tagLen > 16) {
-+    if (tagLen != 16) {
-         PORT_SetError(SEC_ERROR_INPUT_LEN);
-         return SECFailure;
-     }
- 
-     PORT_Memcpy(ctx->key, key, sizeof(ctx->key));
-     ctx->tagLen = tagLen;
- 
-     return SECSuccess;
diff --git a/app-crypt/nss/files/nss-3.53-gentoo-fixups.patch b/app-crypt/nss/files/nss-3.53-gentoo-fixups.patch
new file mode 100644
index 0000000..2d8bdb6
--- /dev/null
+++ b/app-crypt/nss/files/nss-3.53-gentoo-fixups.patch
@@ -0,0 +1,290 @@
+From 1b3c48499abb000d708abe5f05413c1f4155e086 Mon Sep 17 00:00:00 2001
+From: Jory Pratt <anarchy@gentoo.org>
+Date: Mon, 8 Jun 2020 12:22:29 -0500
+Subject: [PATCH] Add pkg-config and nss-config for Gentoo
+
+---
+ Makefile             |  15 +----
+ config/Makefile      |  40 ++++++++++++
+ config/nss-config.in | 145 +++++++++++++++++++++++++++++++++++++++++++
+ config/nss.pc.in     |  12 ++++
+ manifest.mn          |   2 +-
+ 5 files changed, 200 insertions(+), 14 deletions(-)
+ create mode 100644 config/Makefile
+ create mode 100644 config/nss-config.in
+ create mode 100644 config/nss.pc.in
+
+diff --git a/Makefile b/Makefile
+index eb4ed1a..f979d90 100644
+--- a/Makefile
++++ b/Makefile
+@@ -4,6 +4,8 @@
+ # License, v. 2.0. If a copy of the MPL was not distributed with this
+ # file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ 
++default: nss_build_all
++
+ #######################################################################
+ # (1) Include initial platform-independent assignments (MANDATORY).   #
+ #######################################################################
+@@ -48,12 +50,9 @@ include $(CORE_DEPTH)/coreconf/rules.mk
+ #######################################################################
+ 
+ nss_build_all:
+-	$(MAKE) build_nspr
+ 	$(MAKE) all
+-	$(MAKE) latest
+ 
+ nss_clean_all:
+-	$(MAKE) clobber_nspr
+ 	$(MAKE) clobber
+ 
+ NSPR_CONFIG_STATUS = $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/config.status
+@@ -138,16 +137,6 @@ $(NSPR_CONFIG_STATUS): $(NSPR_CONFIGURE)
+ 	--prefix='$(NSS_GYP_PREFIX)'
+ endif
+ 
+-build_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
+-
+-install_nspr: build_nspr
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+-
+-clobber_nspr: $(NSPR_CONFIG_STATUS)
+-	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) clobber
+-
+ build_docs:
+ 	$(MAKE) -C $(CORE_DEPTH)/doc
+ 
+diff --git a/config/Makefile b/config/Makefile
+new file mode 100644
+index 0000000..aaf1991
+--- /dev/null
++++ b/config/Makefile
+@@ -0,0 +1,40 @@
++CORE_DEPTH = ..
++DEPTH      = ..
++
++include $(CORE_DEPTH)/coreconf/config.mk
++
++NSS_MAJOR_VERSION = $(shell grep -F "NSS_VMAJOR" ../lib/nss/nss.h | awk '{print $$3}')
++NSS_MINOR_VERSION = $(shell grep -F "NSS_VMINOR" ../lib/nss/nss.h | awk '{print $$3}')
++NSS_PATCH_VERSION = $(shell grep -F "NSS_VPATCH" ../lib/nss/nss.h | awk '{print $$3}')
++PREFIX = /usr
++
++all: export libs
++
++export:
++	# Create the nss.pc file
++	mkdir -p $(DIST)/lib/pkgconfig
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@exec_prefix@,\$${prefix}," \
++	    -e "s,@libdir@,\$${prefix}/lib64," \
++	    -e "s,@includedir@,\$${prefix}/include/nss," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION),g" \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss.pc.in > nss.pc
++	chmod 0644 nss.pc
++	ln -sf ../../../../config/nss.pc $(DIST)/lib/pkgconfig
++
++	# Create the nss-config script
++	mkdir -p $(DIST)/bin
++	sed -e "s,@prefix@,$(PREFIX)," \
++	    -e "s,@NSS_MAJOR_VERSION@,$(NSS_MAJOR_VERSION)," \
++	    -e "s,@NSS_MINOR_VERSION@,$(NSS_MINOR_VERSION)," \
++	    -e "s,@NSS_PATCH_VERSION@,$(NSS_PATCH_VERSION)," \
++	    nss-config.in > nss-config
++	chmod 0755 nss-config
++	ln -sf ../../../config/nss-config $(DIST)/bin
++
++libs:
++
++dummy: all export libs
++
+diff --git a/config/nss-config.in b/config/nss-config.in
+new file mode 100644
+index 0000000..3a957b8
+--- /dev/null
++++ b/config/nss-config.in
+@@ -0,0 +1,145 @@
++#!/bin/sh
++
++prefix=@prefix@
++
++major_version=@NSS_MAJOR_VERSION@
++minor_version=@NSS_MINOR_VERSION@
++patch_version=@NSS_PATCH_VERSION@
++
++usage()
++{
++	cat <<EOF
++Usage: nss-config [OPTIONS] [LIBRARIES]
++Options:
++	[--prefix[=DIR]]
++	[--exec-prefix[=DIR]]
++	[--includedir[=DIR]]
++	[--libdir[=DIR]]
++	[--version]
++	[--libs]
++	[--cflags]
++Dynamic Libraries:
++	nss
++	ssl
++	smime
++	nssutil
++EOF
++	exit $1
++}
++
++if test $# -eq 0; then
++	usage 1 1>&2
++fi
++
++lib_ssl=yes
++lib_smime=yes
++lib_nss=yes
++lib_nssutil=yes
++
++while test $# -gt 0; do
++  case "$1" in
++  -*=*) optarg=$(echo "$1" | sed 's/[-_a-zA-Z0-9]*=//') ;;
++  *) optarg= ;;
++  esac
++
++  case $1 in
++    --prefix=*)
++      prefix=${optarg}
++      ;;
++    --prefix)
++      echo_prefix=yes
++      ;;
++    --exec-prefix=*)
++      exec_prefix=${optarg}
++      ;;
++    --exec-prefix)
++      echo_exec_prefix=yes
++      ;;
++    --includedir=*)
++      includedir=${optarg}
++      ;;
++    --includedir)
++      echo_includedir=yes
++      ;;
++    --libdir=*)
++      libdir=${optarg}
++      ;;
++    --libdir)
++      echo_libdir=yes
++      ;;
++    --version)
++      echo ${major_version}.${minor_version}.${patch_version}
++      ;;
++    --cflags)
++      echo_cflags=yes
++      ;;
++    --libs)
++      echo_libs=yes
++      ;;
++    ssl)
++      lib_ssl=yes
++      ;;
++    smime)
++      lib_smime=yes
++      ;;
++    nss)
++      lib_nss=yes
++      ;;
++    nssutil)
++      lib_nssutil=yes
++      ;;
++    *)
++      usage 1 1>&2
++      ;;
++  esac
++  shift
++done
++
++# Set variables that may be dependent upon other variables
++if test -z "${exec_prefix}"; then
++    exec_prefix=$(pkg-config --variable=exec_prefix nss)
++fi
++if test -z "${includedir}"; then
++    includedir=$(pkg-config --variable=includedir nss)
++fi
++if test -z "${libdir}"; then
++    libdir=$(pkg-config --variable=libdir nss)
++fi
++
++if test "${echo_prefix}" = "yes"; then
++    echo ${prefix}
++fi
++
++if test "${echo_exec_prefix}" = "yes"; then
++    echo ${exec_prefix}
++fi
++
++if test "${echo_includedir}" = "yes"; then
++    echo ${includedir}
++fi
++
++if test "${echo_libdir}" = "yes"; then
++    echo ${libdir}
++fi
++
++if test "${echo_cflags}" = "yes"; then
++    echo -I${includedir}
++fi
++
++if test "${echo_libs}" = "yes"; then
++      libdirs=""
++      if test -n "${lib_ssl}"; then
++	libdirs="${libdirs} -lssl${major_version}"
++      fi
++      if test -n "${lib_smime}"; then
++	libdirs="${libdirs} -lsmime${major_version}"
++      fi
++      if test -n "${lib_nss}"; then
++	libdirs="${libdirs} -lnss${major_version}"
++      fi
++      if test -n "${lib_nssutil}"; then
++       libdirs="${libdirs} -lnssutil${major_version}"
++      fi
++      echo ${libdirs}
++fi
++
+diff --git a/config/nss.pc.in b/config/nss.pc.in
+new file mode 100644
+index 0000000..03f1e39
+--- /dev/null
++++ b/config/nss.pc.in
+@@ -0,0 +1,12 @@
++prefix=@prefix@
++exec_prefix=@exec_prefix@
++libdir=@libdir@
++includedir=@includedir@
++
++Name: NSS
++Description: Network Security Services
++Version: @NSS_MAJOR_VERSION@.@NSS_MINOR_VERSION@.@NSS_PATCH_VERSION@
++Requires: nspr >= 4.25
++Libs: -lssl3 -lsmime3 -lnss3 -lnssutil3
++Cflags: -I${includedir}
++
+diff --git a/manifest.mn b/manifest.mn
+index dada8ab..72dc9b3 100644
+--- a/manifest.mn
++++ b/manifest.mn
+@@ -10,7 +10,7 @@ IMPORTS =	nspr20/v4.8 \
+ 
+ RELEASE = nss
+ 
+-DIRS = coreconf lib cmd cpputil gtests
++DIRS = coreconf lib cmd cpputil config
+ 
+ lib: coreconf
+ cmd: lib
+-- 
+2.26.2
+
diff --git a/app-crypt/nss/nss-3.44-r5.ebuild b/app-crypt/nss/nss-3.44-r5.ebuild
deleted file mode 120000
index c39d1a0..0000000
--- a/app-crypt/nss/nss-3.44-r5.ebuild
+++ /dev/null
@@ -1 +0,0 @@
-nss-3.44-r2.ebuild
\ No newline at end of file
diff --git a/app-crypt/nss/nss-3.73-r1.ebuild b/app-crypt/nss/nss-3.73-r1.ebuild
new file mode 120000
index 0000000..84f63b0
--- /dev/null
+++ b/app-crypt/nss/nss-3.73-r1.ebuild
@@ -0,0 +1 @@
+nss-3.73.ebuild
\ No newline at end of file
diff --git a/app-crypt/nss/nss-3.44-r2.ebuild b/app-crypt/nss/nss-3.73.ebuild
similarity index 74%
rename from app-crypt/nss/nss-3.44-r2.ebuild
rename to app-crypt/nss/nss-3.73.ebuild
index c5365d7..2ed8e32 100644
--- a/app-crypt/nss/nss-3.44-r2.ebuild
+++ b/app-crypt/nss/nss-3.73.ebuild
@@ -1,35 +1,32 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2021 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
 
-inherit eutils flag-o-matic multilib toolchain-funcs multilib-minimal
+inherit flag-o-matic multilib toolchain-funcs multilib-minimal
 
-NSPR_VER="4.16"
+NSPR_VER="4.32"
 RTM_NAME="NSS_${PV//./_}_RTM"
-# Rev of https://git.fedorahosted.org/cgit/nss-pem.git
-PEM_GIT_REV="429b0222759d8ad8e6dcd29e62875ae3efd69116"
-PEM_P="${PN}-pem-20160329"
 
 DESCRIPTION="Mozilla's Network Security Services library that implements PKI support"
-HOMEPAGE="http://www.mozilla.org/projects/security/pki/nss/"
+HOMEPAGE="https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS"
 SRC_URI="https://archive.mozilla.org/pub/security/nss/releases/${RTM_NAME}/src/${P}.tar.gz
-	cacert? ( https://dev.gentoo.org/~axs/distfiles/${PN}-cacert-class1-class3.patch )
-	nss-pem? ( https://dev.gentoo.org/~polynomial-c/${PEM_P}.tar.xz )"
+	cacert? ( https://dev.gentoo.org/~whissi/dist/ca-certificates/nss-cacert-class1-class3-r2.patch )"
 
 LICENSE="|| ( MPL-2.0 GPL-2 LGPL-2.1 )"
 SLOT="0"
 KEYWORDS="*"
-IUSE="cacert +nss-pem utils"
-CDEPEND=">=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
-	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
-	>=dev-libs/nss-${PV}[${MULTILIB_USEDEP}]"
-DEPEND=">=virtual/pkgconfig-0-r1[${MULTILIB_USEDEP}]
+IUSE="cacert utils cpu_flags_ppc_altivec cpu_flags_ppc_vsx"
+# pkg-config called by nss-config -> virtual/pkgconfig in RDEPEND
+RDEPEND="
 	>=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}"
-RDEPEND=">=dev-libs/nspr-${NSPR_VER}[${MULTILIB_USEDEP}]
-	${CDEPEND}
+	>=dev-db/sqlite-3.8.2[${MULTILIB_USEDEP}]
+	>=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
+	>=dev-libs/nss-${PV}[${MULTILIB_USEDEP}]
+	virtual/pkgconfig
 "
+DEPEND="${RDEPEND}"
+BDEPEND="dev-lang/perl"
 
 RESTRICT="test"
 
@@ -37,41 +34,25 @@
 
 PATCHES=(
 	# Custom changes for gentoo
-	"${FILESDIR}/${PN}-3.32-gentoo-fixups.patch"
+	"${FILESDIR}/${PN}-3.53-gentoo-fixups.patch"
 	"${FILESDIR}/${PN}-3.21-gentoo-fixup-warnings.patch"
 	"${FILESDIR}/${PN}-3.23-hppa-byte_order.patch"
 	"${FILESDIR}/${PN}-3.44-prefer-writable-tokens-for-trust.patch"
-	"${FILESDIR}/${PN}-3.44-CVE-2020-12403-set1.patch"
-	"${FILESDIR}/${PN}-3.44-CVE-2020-12403-set2.patch"
 )
 
-src_unpack() {
-	unpack ${A}
-	if use nss-pem ; then
-		mv "${PN}"/lib/ckfw/pem/ "${S}"/lib/ckfw/ || die
-	fi
-}
-
 src_prepare() {
-	if use nss-pem ; then
-		PATCHES+=(
-			"${FILESDIR}/${PN}-3.21-enable-pem.patch"
-		)
+	default
+
+	if use cacert ; then
+		eapply -p2 "${DISTDIR}"/nss-cacert-class1-class3-r2.patch
 	fi
-	if use cacert ; then #521462
-		PATCHES+=(
-			"${DISTDIR}/${PN}-cacert-class1-class3.patch"
-		)
-	fi
-	# use host shlibsign if need be crbug.com/884946
+
 	if tc-is-cross-compiler ; then
 		PATCHES+=(
 			"${FILESDIR}/${PN}-3.38-shlibsign-path-pollution.patch"
 		)
 	fi
 
-	default
-
 	pushd coreconf >/dev/null || die
 	# hack nspr paths
 	echo 'INCLUDES += -I$(DIST)/include/dbm' \
@@ -116,11 +97,12 @@
 	# Most of the arches are the same as $ARCH
 	local t=${1:-${CHOST}}
 	case ${t} in
-		aarch64*)echo "aarch64";;
-		hppa*)   echo "parisc";;
-		i?86*)   echo "i686";;
-		x86_64*) echo "x86_64";;
-		*)       tc-arch ${t};;
+		*86*-pc-solaris2*) echo "i86pc"   ;;
+		aarch64*)          echo "aarch64" ;;
+		hppa*)             echo "parisc"  ;;
+		i?86*)             echo "i686"    ;;
+		x86_64*)           echo "x86_64"  ;;
+		*)                 tc-arch ${t}   ;;
 	esac
 }
 
@@ -171,24 +153,34 @@
 	local myCPPFLAGS="${CPPFLAGS} $($(tc-getPKG_CONFIG) nspr --cflags)"
 	unset NSPR_INCLUDE_DIR
 
-	# Do not let `uname` be used.
-	if use kernel_linux ; then
-		makeargs+=(
-			OS_TARGET=Linux
-			OS_RELEASE=2.6
-			OS_TEST="$(nssarch)"
-		)
-	fi
-
+	export NSS_ALLOW_SSLKEYLOGFILE=1
 	export NSS_ENABLE_WERROR=0 #567158
 	export BUILD_OPT=1
 	export NSS_USE_SYSTEM_SQLITE=1
 	export NSDISTMODE=copy
-	export NSS_ENABLE_ECC=1
 	export FREEBL_NO_DEPEND=1
 	export FREEBL_LOWHASH=1
 	export NSS_SEED_ONLY_DEV_URANDOM=1
+	export USE_SYSTEM_ZLIB=1
+	export ZLIB_LIBS=-lz
 	export ASFLAGS=""
+	# Fix build failure on arm64
+	export NS_USE_GCC=1
+	# Detect compiler type and set proper environment value
+	if tc-is-gcc; then
+		export CC_IS_GCC=1
+	elif tc-is-clang; then
+		export CC_IS_CLANG=1
+	fi
+
+	# explicitly disable altivec/vsx if not requested
+	# https://bugs.gentoo.org/789114
+	case ${ARCH} in
+		ppc*)
+			use cpu_flags_ppc_altivec || export NSS_DISABLE_ALTIVEC=1
+			use cpu_flags_ppc_vsx || export NSS_DISABLE_CRYPTO_VSX=1
+			;;
+	esac
 
 	local d
 
@@ -198,7 +190,7 @@
 	NSPR_LIB_DIR="${T}/fakedir" \
 	emake -j1 -C coreconf \
 		CC="$(tc-getBUILD_CC)" \
-		${buildbits:-${mybits}}
+		${buildbits-${mybits}}
 	makeargs+=( NSINSTALL="${PWD}/$(find -type f -name nsinstall)" )
 
 	# Then build the target tools.
@@ -206,7 +198,7 @@
 		CPPFLAGS="${myCPPFLAGS}" \
 		XCFLAGS="${CFLAGS} ${CPPFLAGS}" \
 		NSPR_LIB_DIR="${T}/fakedir" \
-		emake -j1 "${makeargs[@]}" -C ${d}
+		emake -j1 "${makeargs[@]}" -C ${d} OS_TEST="$(nssarch)"
 	done
 }
 
@@ -261,5 +253,6 @@
 	for f in ${nssutils[@]}; do
 		dobin ${f}
 	done
+
 	popd >/dev/null || die
 }