Merge pull request 'Land final NSS-gyp work' (#1850) from nss-gyp-work into master

Reviewed-on: https://repo.palemoon.org/MoonchildProductions/UXP/pulls/1850

7 files changed, 962 insertions, 7 deletions

diff --git a/security/Makefile.in b/security/Makefile.in
new file mode 100644
index 0000000000..6e6e7faa05
--- /dev/null
+++ b/security/Makefile.in
@@ -0,0 +1,2 @@
+NSS_DISABLE_AVX2 = 1
+export NSS_DISABLE_AVX2
\ No newline at end of file
diff --git a/security/generate_certdata.py b/security/generate_certdata.py
new file mode 100644
index 0000000000..96622e8d2a
--- /dev/null
+++ b/security/generate_certdata.py
@@ -0,0 +1,20 @@
+#!/usr/bin/env python
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#
+# This exists to paper over differences between gyp's `action` definitions
+# and moz.build `GENERATED_FILES` semantics.
+
+import buildconfig
+import os
+import subprocess
+
+
+def main(output, *inputs):
+    env = dict(os.environ)
+    env['PERL'] = str(buildconfig.substs['PERL'])
+    output.write(subprocess.check_output([buildconfig.substs['PYTHON'],
+                                          inputs[0], inputs[2]], env=env))
+    return None
diff --git a/security/generate_mapfile.py b/security/generate_mapfile.py
new file mode 100644
index 0000000000..71e5066e78
--- /dev/null
+++ b/security/generate_mapfile.py
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+# This script processes NSS .def files according to the rules defined in
+# a comment at the top of each one. The files are used to define the
+# exports from NSS shared libraries, with -DEFFILE on Windows, a linker
+# script on Linux, or with -exported_symbols_list on OS X.
+#
+# The NSS build system processes them using a series of sed replacements,
+# but the Mozilla build system is already running a Python script to generate
+# the file so it's simpler to just do the replacement in Python.
+
+import buildconfig
+
+
+def main(output, input):
+    # There's a check in old-configure.in under the system-nss handling
+    # that should match this.
+    if buildconfig.substs['OS_ARCH'] not in ('Linux', 'SunOS', 'Darwin'):
+        print "Error: unhandled OS_ARCH %s" % buildconfig.substs['OS_ARCH']
+        return 1
+    is_linux = buildconfig.substs['OS_ARCH'] in ('Linux', 'SunOS')
+
+    with open(input, 'rb') as f:
+        for line in f:
+            line = line.rstrip()
+            # Remove all lines containing ';-'
+            if ';-' in line:
+                continue
+            # On non-Linux, remove all lines containing ';+'
+            if not is_linux and ';+' in line:
+                continue
+            # Remove the string ' DATA '.
+            line = line.replace(' DATA ', '')
+            # Remove the string ';+'
+            line = line.replace(';+', '')
+            # Remove the string ';;'
+            line = line.replace(';;', '')
+            # If a ';' is present, remove everything after it,
+            # and on non-Linux, remove it as well.
+            i = line.find(';')
+            if i != -1:
+                if is_linux:
+                    line = line[:i+1]
+                else:
+                    line = line[:i]
+            # On non-Linux, symbols get an underscore in front.
+            if line and not is_linux:
+                output.write('_')
+            output.write(line)
+            output.write('\n')
\ No newline at end of file
diff --git a/security/moz.build b/security/moz.build
new file mode 100644
index 0000000000..13de8e62aa
--- /dev/null
+++ b/security/moz.build
@@ -0,0 +1,123 @@
+# -*- Mode: python; indent-tabs-mode: nil; tab-width: 40 -*-
+# vim: set filetype=python:
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+include('/build/gyp_base.mozbuild')
+if CONFIG['MOZ_FOLD_LIBS']:
+    GeckoSharedLibrary('nss', linkage=None)
+    # TODO: The library name can be changed when bug 845217 is fixed.
+    SHARED_LIBRARY_NAME = 'nss3'
+
+    SDK_LIBRARY = True
+
+    USE_LIBS += [
+        'nspr4',
+        'nss3_static',
+        'nssutil',
+        'plc4',
+        'plds4',
+        'smime3_static',
+        'ssl',
+    ]
+
+    OS_LIBS += CONFIG['REALTIME_LIBS']
+
+    SYMBOLS_FILE = 'nss.symbols'
+    # This changes the default targets in the NSS build, among
+    # other things.
+    gyp_vars['moz_fold_libs'] = 1
+    # Some things in NSS need to link against nssutil, which
+    # gets folded, so this tells them what to link against.
+    gyp_vars['moz_folded_library_name'] = 'nss'
+    # Force things in NSS that want to link against NSPR to link
+    # against the folded library.
+    gyp_vars['nspr_libs'] = 'nss'
+else:
+    Library('nss')
+    USE_LIBS += [
+        'nss3',
+        'nssutil3',
+        'smime3',
+        'sqlite',
+        'ssl3',
+    ]
+    gyp_vars['nspr_libs'] = 'nspr4 plc4 plds4'
+
+# This disables building some NSS tools.
+gyp_vars['mozilla_client'] = 1
+# We run shlibsign as part of packaging, not build.
+gyp_vars['sign_libs'] = 0
+gyp_vars['python'] = CONFIG['PYTHON']
+# The NSS gyp files do not have a default for this.
+gyp_vars['nss_dist_dir'] = '$PRODUCT_DIR/dist'
+# NSS wants to put public headers in $nss_dist_dir/public/nss by default,
+# which would wind up being mapped to dist/include/public/nss (by
+# gyp_reader's `handle_copies`).
+# This forces it to put them in dist/include/nss.
+gyp_vars['nss_public_dist_dir'] = '$PRODUCT_DIR/dist'
+gyp_vars['nss_dist_obj_dir'] = '$PRODUCT_DIR/dist/bin'
+# We don't currently build NSS tests.
+gyp_vars['disable_tests'] = 1
+if CONFIG['NSS_DISABLE_DBM']:
+    gyp_vars['disable_dbm'] = 1
+gyp_vars['disable_libpkix'] = 1
+gyp_vars['enable_sslkeylogfile'] = 1
+# pkg-config won't reliably find zlib on our builders, so just force it.
+# System zlib is only used for modutil and signtool unless
+# SSL zlib is enabled, which we are disabling immediately below this.
+gyp_vars['zlib_libs'] = '-lz'
+gyp_vars['ssl_enable_zlib'] = 0
+# System sqlite here is the in-tree mozsqlite.
+gyp_vars['use_system_sqlite'] = 1
+gyp_vars['sqlite_libs'] = 'sqlite'
+gyp_vars['nspr_include_dir'] = CONFIG['NSPR_INCLUDE_DIR']
+gyp_vars['nspr_lib_dir'] = CONFIG['NSPR_LIB_DIR']
+# The Python scripts that detect clang need it to be set as CC
+# in the environment, which isn't true here. I don't know that
+# setting that would be harmful, but we already have this information
+# anyway.
+gyp_vars['NSS_DISABLE_AVX2'] = 1
+if CONFIG['CLANG_CXX']:
+    gyp_vars['cc_is_clang'] = 1
+
+GYP_DIRS += ['nss']
+GYP_DIRS['nss'].input = 'nss/nss.gyp'
+GYP_DIRS['nss'].variables = gyp_vars
+
+sandbox_vars = {
+    # NSS explicitly exports its public symbols
+    # with linker scripts.
+    'NO_VISIBILITY_FLAGS': True,
+    # XXX: We should fix these warnings.
+    'ALLOW_COMPILER_WARNINGS': True,
+    # NSS' build system doesn't currently build NSS with PGO.
+    # We could probably do so, but not without a lot of
+    # careful consideration.
+    'NO_PGO': True,
+}
+if CONFIG['OS_TARGET'] == 'WINNT':
+    if CONFIG['CPU_ARCH'] == 'x86':
+        # This should really be the default.
+        sandbox_vars['ASFLAGS'] = ['-safeseh']
+if CONFIG['OS_TARGET'] == 'Android':
+    sandbox_vars['CFLAGS'] = [
+        '-include', TOPSRCDIR + '/security/manager/android_stub.h',
+        # Setting sandbox_vars['DEFINES'] is broken currently.
+        '-DCHECK_FORK_GETPID',
+    ]
+    if CONFIG['ANDROID_VERSION']:
+        sandbox_vars['CFLAGS'] += ['-DANDROID_VERSION=' + CONFIG['ANDROID_VERSION']]
+GYP_DIRS['nss'].sandbox_vars = sandbox_vars
+GYP_DIRS['nss'].no_chromium = True
+GYP_DIRS['nss'].no_unified = True
+# This maps action names from gyp files to
+# Python scripts that can be used in moz.build GENERATED_FILES.
+GYP_DIRS['nss'].action_overrides = {
+    'generate_certdata_c': 'generate_certdata.py',
+    'generate_mapfile': 'generate_mapfile.py',
+}
+
+if CONFIG['NSS_EXTRA_SYMBOLS_FILE']:
+    DEFINES['NSS_EXTRA_SYMBOLS_FILE'] = CONFIG['NSS_EXTRA_SYMBOLS_FILE']
\ No newline at end of file
diff --git a/security/nss.symbols b/security/nss.symbols
new file mode 100644
index 0000000000..83f5dc524c
--- /dev/null
+++ b/security/nss.symbols
@@ -0,0 +1,748 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+#ifndef XP_WIN
+# NSPR, unlike NSS, exports symbols with symbol visibility (Unix) or __declspec
+# (Windows).  When using a linker script, however, we need to explicitly
+# specify that NSPR's symbols should be globally visible.  Otherwise, NSPR's
+# exported symbols would be hidden.
+# .def files on Windows don't allow wildcards, of course, which is why this is
+# excluded on Windows, but it doesn't matter because the symbols are already
+# exported in NSPR (Windows peculiarity).
+PR_*
+PL_*
+#endif
+ATOB_AsciiToData
+ATOB_AsciiToData_Util
+ATOB_ConvertAsciiToItem
+ATOB_ConvertAsciiToItem_Util
+BTOA_ConvertItemToAscii_Util
+BTOA_DataToAscii
+BTOA_DataToAscii_Util
+CERT_AddCertToListHead
+CERT_AddCertToListTail
+CERT_AddExtension
+CERT_AddExtensionByOID
+__CERT_AddTempCertToPerm
+CERT_AsciiToName
+CERT_CacheOCSPResponseFromSideChannel
+CERT_CertChainFromCert
+CERT_CertificateRequestTemplate @DATA@
+CERT_CertificateTemplate @DATA@
+CERT_CertListFromCert
+CERT_ChangeCertTrust
+CERT_CheckCertUsage
+CERT_CheckCertValidTimes
+CERT_CheckNameSpace
+CERT_ClearOCSPCache
+CERT_CompareCerts
+CERT_CompareName
+CERT_ConvertAndDecodeCertificate
+CERT_CopyName
+CERT_CopyRDN
+CERT_CreateCertificate
+CERT_CreateCertificateRequest
+CERT_CreateSubjectCertList
+CERT_CreateValidity
+CERT_CrlTemplate @DATA@
+CERT_DecodeAltNameExtension
+CERT_DecodeAuthInfoAccessExtension
+CERT_DecodeAuthKeyID
+CERT_DecodeAVAValue
+CERT_DecodeBasicConstraintValue
+CERT_DecodeCertFromPackage
+CERT_DecodeCertificatePoliciesExtension
+CERT_DecodeCertPackage
+CERT_DecodeCRLDistributionPoints
+CERT_DecodeNameConstraintsExtension
+CERT_DecodeOidSequence
+CERT_DecodePrivKeyUsagePeriodExtension
+CERT_DecodeTrustString
+CERT_DecodeUserNotice
+CERT_DerNameToAscii
+CERT_DestroyCertArray
+CERT_DestroyCertificate
+CERT_DestroyCertificateList
+CERT_DestroyCertificatePoliciesExtension
+CERT_DestroyCertificateRequest
+CERT_DestroyCertList
+CERT_DestroyName
+CERT_DestroyOidSequence
+CERT_DestroyUserNotice
+CERT_DestroyValidity
+CERT_DisableOCSPChecking
+CERT_DisableOCSPDefaultResponder
+CERT_DupCertificate
+CERT_EnableOCSPChecking
+CERT_EncodeAltNameExtension
+CERT_EncodeAndAddBitStrExtension
+CERT_EncodeAuthKeyID
+CERT_EncodeBasicConstraintValue
+CERT_EncodeCertPoliciesExtension
+CERT_EncodeCRLDistributionPoints
+CERT_EncodeInfoAccessExtension
+CERT_EncodeInhibitAnyExtension
+CERT_EncodeNameConstraintsExtension
+CERT_EncodeNoticeReference
+CERT_EncodePolicyConstraintsExtension
+CERT_EncodePolicyMappingExtension
+CERT_EncodeSubjectKeyID
+CERT_EncodeUserNotice
+CERT_ExtractPublicKey
+CERT_FilterCertListByCANames
+CERT_FilterCertListByUsage
+CERT_FilterCertListForUserCerts
+CERT_FindCertByDERCert
+CERT_FindCertByIssuerAndSN
+CERT_FindCertByName
+CERT_FindCertByNickname
+CERT_FindCertByNicknameOrEmailAddr
+CERT_FindCertExtension
+CERT_FindCertIssuer
+CERT_FindKeyUsageExtension
+CERT_FindUserCertByUsage
+CERT_FindUserCertsByUsage
+CERT_FinishCertificateRequestAttributes
+CERT_FinishExtensions
+CERT_ForcePostMethodForOCSP
+CERT_FreeNicknames
+CERT_GenTime2FormattedAscii_Util
+CERT_GetCertChainFromCert
+CERT_GetCertEmailAddress
+CERT_GetCertificateDer
+CERT_GetCertificateRequestExtensions
+CERT_GetCertKeyType
+CERT_GetCertTimes
+CERT_GetCertTrust
+CERT_GetCommonName
+CERT_GetConstrainedCertificateNames
+CERT_GetCountryName
+CERT_GetDefaultCertDB
+CERT_GetFirstEmailAddress
+CERT_GetGeneralNameTypeFromString
+CERT_GetImposedNameConstraints
+CERT_GetLocalityName
+CERT_GetNextEmailAddress
+CERT_GetNextGeneralName
+CERT_GetNextNameConstraint
+CERT_GetOCSPAuthorityInfoAccessLocation
+CERT_GetOidString
+CERT_GetOrgName
+CERT_GetOrgUnitName
+CERT_GetStateName
+CERT_Hexify
+CERT_ImportCerts
+CERT_IsCACert
+CERT_IsUserCert
+CERT_MakeCANickname
+CERT_MergeExtensions
+CERT_NameTemplate @DATA@
+CERT_NameToAscii
+CERT_NewCertList
+CERT_NewTempCertificate
+CERT_NicknameStringsFromCertList
+CERT_OCSPCacheSettings
+CERT_RemoveCertListNode
+CERT_RFC1485_EscapeAndQuote
+CERT_SaveSMimeProfile
+CERT_SequenceOfCertExtensionTemplate @DATA@
+CERT_SetOCSPFailureMode
+CERT_SetOCSPTimeout
+CERT_SignedCrlTemplate @DATA@
+CERT_SignedDataTemplate @DATA@
+CERT_StartCertExtensions
+CERT_StartCertificateRequestAttributes
+CERT_SubjectPublicKeyInfoTemplate @DATA@
+CERT_TimeChoiceTemplate @DATA@
+CERT_VerifyCertificate
+CERT_VerifySignedDataWithPublicKeyInfo
+DER_AsciiToTime_Util
+DER_DecodeTimeChoice_Util
+DER_Encode
+DER_EncodeTimeChoice_Util
+DER_Encode_Util
+DER_GeneralizedTimeToTime
+DER_GeneralizedTimeToTime_Util
+DER_GetInteger
+DER_GetInteger_Util
+DER_SetUInteger
+DER_UTCTimeToTime_Util
+DSAU_DecodeDerSigToLen
+DSAU_EncodeDerSigWithLen
+DTLS_GetHandshakeTimeout
+DTLS_ImportFD
+HASH_Begin
+HASH_Create
+HASH_Destroy
+HASH_End
+HASH_GetHashObject
+HASH_GetHashOidTagByHashType
+HASH_GetType
+HASH_HashBuf
+HASH_ResultLenByOidTag
+HASH_Update
+NSSBase64_DecodeBuffer
+NSSBase64_EncodeItem
+NSSBase64_EncodeItem_Util
+NSS_CMSContentInfo_GetContent
+NSS_CMSContentInfo_GetContentTypeTag
+NSS_CMSContentInfo_SetContent_Data
+NSS_CMSContentInfo_SetContent_EnvelopedData
+NSS_CMSContentInfo_SetContent_SignedData
+NSS_CMSDecoder_Cancel
+NSS_CMSDecoder_Finish
+NSS_CMSDecoder_Start
+NSS_CMSDecoder_Update
+NSS_CMSEncoder_Cancel
+NSS_CMSEncoder_Finish
+NSS_CMSEncoder_Start
+NSS_CMSEncoder_Update
+NSS_CMSEnvelopedData_AddRecipient
+NSS_CMSEnvelopedData_Create
+NSS_CMSEnvelopedData_GetContentInfo
+NSS_CMSMessage_ContentLevel
+NSS_CMSMessage_ContentLevelCount
+NSS_CMSMessage_Create
+NSS_CMSMessage_CreateFromDER
+NSS_CMSMessage_Destroy
+NSS_CMSMessage_GetContent
+NSS_CMSMessage_GetContentInfo
+NSS_CMSMessage_IsEncrypted
+NSS_CMSMessage_IsSigned
+NSS_CMSRecipientInfo_Create
+NSS_CMSSignedData_AddCertificate
+NSS_CMSSignedData_AddCertList
+NSS_CMSSignedData_AddSignerInfo
+NSS_CMSSignedData_Create
+NSS_CMSSignedData_CreateCertsOnly
+NSS_CMSSignedData_Destroy
+NSS_CMSSignedData_GetContentInfo
+NSS_CMSSignedData_GetDigestAlgs
+NSS_CMSSignedData_GetSignerInfo
+NSS_CMSSignedData_HasDigests
+NSS_CMSSignedData_ImportCerts
+NSS_CMSSignedData_SetDigestValue
+NSS_CMSSignedData_SignerInfoCount
+NSS_CMSSignedData_VerifySignerInfo
+NSS_CMSSignerInfo_AddMSSMIMEEncKeyPrefs
+NSS_CMSSignerInfo_AddSigningTime
+NSS_CMSSignerInfo_AddSMIMECaps
+NSS_CMSSignerInfo_AddSMIMEEncKeyPrefs
+NSS_CMSSignerInfo_Create
+NSS_CMSSignerInfo_GetSignerCommonName
+NSS_CMSSignerInfo_GetSignerEmailAddress
+NSS_CMSSignerInfo_GetSigningCertificate
+NSS_CMSSignerInfo_IncludeCerts
+NSS_CMSSignerInfo_Verify
+NSS_FindCertKEAType
+NSS_GetAlgorithmPolicy
+NSS_Get_CERT_CertificateRequestTemplate
+NSS_Get_CERT_CertificateTemplate
+NSS_Get_CERT_CrlTemplate
+NSS_Get_CERT_NameTemplate
+NSS_Get_CERT_SequenceOfCertExtensionTemplate
+NSS_Get_CERT_SignedCrlTemplate
+NSS_Get_CERT_SignedDataTemplate
+NSS_Get_CERT_SubjectPublicKeyInfoTemplate
+NSS_Get_CERT_TimeChoiceTemplate
+NSS_Get_SEC_AnyTemplate_Util
+NSS_Get_SEC_BitStringTemplate
+NSS_Get_SEC_BitStringTemplate_Util
+NSS_Get_SEC_BMPStringTemplate
+NSS_Get_SEC_BooleanTemplate_Util
+NSS_Get_SEC_GeneralizedTimeTemplate_Util
+NSS_Get_SEC_IA5StringTemplate
+NSS_Get_SEC_IA5StringTemplate_Util
+NSS_Get_SEC_IntegerTemplate
+NSS_Get_SEC_IntegerTemplate_Util
+NSS_Get_SECKEY_RSAPSSParamsTemplate
+NSS_Get_SEC_NullTemplate_Util
+NSS_Get_SEC_ObjectIDTemplate_Util
+NSS_Get_SEC_OctetStringTemplate
+NSS_Get_SEC_OctetStringTemplate_Util
+NSS_Get_SECOID_AlgorithmIDTemplate
+NSS_Get_SECOID_AlgorithmIDTemplate_Util
+NSS_Get_SEC_SignedCertificateTemplate
+NSS_Get_SEC_UTF8StringTemplate
+NSS_Get_SEC_UTF8StringTemplate_Util
+NSS_GetVersion
+NSS_Init
+NSS_Initialize
+NSS_InitWithMerge
+NSS_IsInitialized
+NSS_OptionGet
+NSS_OptionSet
+NSS_NoDB_Init
+NSS_SecureMemcmp
+NSS_SetAlgorithmPolicy
+NSS_SetDomesticPolicy
+NSS_Shutdown
+NSSSMIME_GetVersion
+NSS_SMIMESignerInfo_SaveSMIMEProfile
+NSS_SMIMEUtil_FindBulkAlgForRecipients
+NSSSSL_GetVersion
+#ifdef XP_WIN
+_NSSUTIL_Access
+#endif
+NSSUTIL_ArgDecodeNumber
+NSSUTIL_ArgFetchValue
+NSSUTIL_ArgGetLabel
+NSSUTIL_ArgGetParamValue
+NSSUTIL_ArgHasFlag
+NSSUTIL_ArgIsBlank
+NSSUTIL_ArgParseCipherFlags
+NSSUTIL_ArgParseModuleSpec
+NSSUTIL_ArgParseSlotFlags
+NSSUTIL_ArgParseSlotInfo
+NSSUTIL_ArgReadLong
+NSSUTIL_ArgSkipParameter
+NSSUTIL_ArgStrip
+NSSUTIL_DoModuleDBFunction
+_NSSUTIL_EvaluateConfigDir
+_NSSUTIL_GetSecmodName
+NSSUTIL_GetVersion
+NSSUTIL_MkModuleSpec
+NSSUTIL_MkNSSString
+NSSUTIL_MkSlotString
+NSSUTIL_Quote
+#ifdef XP_WIN
+_NSSUTIL_UTF8ToWide
+#endif
+PK11_AlgtagToMechanism
+PK11_Authenticate
+PK11_ChangePW
+PK11_CheckUserPassword
+PK11_CipherOp
+PK11_ConfigurePKCS11
+PK11_CreateContextBySymKey
+PK11_CreateDigestContext
+PK11_CreateGenericObject
+PK11_CreateMergeLog
+PK11_CreatePBEV2AlgorithmID
+PK11_Decrypt
+PK11_DeleteTokenCertAndKey
+PK11_DeleteTokenPrivateKey
+PK11_DeleteTokenPublicKey
+PK11_DEREncodePublicKey
+PK11_Derive
+PK11_DeriveWithTemplate
+PK11_DestroyContext
+PK11_DestroyGenericObject
+PK11_DestroyMergeLog
+PK11_DestroyObject
+PK11_DestroyTokenObject
+PK11_DigestBegin
+PK11_DigestFinal
+PK11_DigestOp
+PK11_DoesMechanism
+PK11_Encrypt
+PK11_ExportDERPrivateKeyInfo
+PK11_ExportEncryptedPrivKeyInfo
+PK11_ExtractKeyValue
+PK11_FindCertFromNickname
+PK11_FindCertInSlot
+PK11_FindCertsFromEmailAddress
+PK11_FindCertsFromNickname
+PK11_FindKeyByAnyCert
+PK11_FindKeyByDERCert
+PK11_FindKeyByKeyID
+PK11_FindRawCertsWithSubject
+PK11_FindSlotByName
+PK11_FindSlotsByNames
+PK11_FreeSlot
+PK11_FreeSlotList
+PK11_FreeSlotListElement
+PK11_FreeSymKey
+PK11_GenerateKeyPair
+PK11_GenerateKeyPairWithFlags
+PK11_GenerateKeyPairWithOpFlags
+PK11_GenerateRandom
+PK11_GenerateRandomOnSlot
+PK11_GetAllSlotsForCert
+PK11_GetAllTokens
+PK11_GetBestSlot
+PK11_GetBestSlotMultiple
+PK11_GetBlockSize
+PK11_GetCertFromPrivateKey
+PK11_GetCertsMatchingPrivateKey
+PK11_GetDefaultArray
+PK11_GetDefaultFlags
+PK11_GetDisabledReason
+PK11_GetFirstSafe
+PK11_GetInternalKeySlot
+PK11_GetInternalSlot
+PK11_GetIVLength
+PK11_GetKeyData
+PK11_GetKeyGen
+PK11_GetLowLevelKeyIDForPrivateKey
+PK11_GetMechanism
+PK11_GetMinimumPwdLength
+PK11_GetModInfo
+PK11_GetModuleURI
+PK11_GetNextSafe
+PK11_GetNextSymKey
+PK11_GetPadMechanism
+PK11_GetPrivateKeyNickname
+PK11_GetPrivateModulusLen
+PK11_GetSlotFromPrivateKey
+PK11_GetSlotID
+PK11_GetSlotInfo
+PK11_GetSlotName
+PK11_GetSlotPWValues
+PK11_GetSlotSeries
+PK11_GetSymKeyNickname
+PK11_GetTokenInfo
+PK11_GetTokenName
+PK11_GetTokenURI
+PK11_HasAttributeSet
+PK11_HashBuf
+PK11_HasRootCerts
+PK11_ImportCert
+PK11_ImportCertForKey
+PK11_ImportCRL
+PK11_ImportDERPrivateKeyInfoAndReturnKey
+PK11_ImportPublicKey
+PK11_ImportSymKey
+PK11_InitPin
+PK11_IsDisabled
+PK11_IsFIPS
+PK11_IsFriendly
+PK11_IsHW
+PK11_IsInternal
+PK11_IsLoggedIn
+PK11_IsPresent
+PK11_IsReadOnly
+PK11_IsRemovable
+PK11_KeyForCertExists
+PK11_KeyGen
+PK11_KeyGenWithTemplate
+PK11_ListCerts
+PK11_ListCertsInSlot
+PK11_ListFixedKeysInSlot
+PK11_ListPrivateKeysInSlot
+PK11_ListPrivKeysInSlot
+PK11_LoadPrivKey
+PK11_Logout
+PK11_LogoutAll
+PK11_MakeIDFromPubKey
+PK11_MapSignKeyType
+PK11_MechanismToAlgtag
+PK11_MergeTokens
+PK11_NeedLogin
+PK11_NeedUserInit
+PK11_ParamFromIV
+PK11_PBEKeyGen
+PK11_PrivDecrypt
+PK11_PrivDecryptPKCS1
+PK11_ProtectedAuthenticationPath
+PK11_PubDeriveWithKDF
+PK11_PubEncrypt
+PK11_PubEncryptPKCS1
+PK11_PubUnwrapSymKey
+PK11_PubWrapSymKey
+PK11_RandomUpdate
+PK11_ReadRawAttribute
+PK11_ReferenceSlot
+PK11_ResetToken
+PK11SDR_Decrypt
+PK11SDR_Encrypt
+PK11_SetPasswordFunc
+PK11_SetSlotPWValues
+PK11_SetSymKeyNickname
+PK11_Sign
+PK11_SignatureLen
+PK11_SignWithMechanism
+PK11_TokenKeyGenWithFlags
+PK11_UnwrapPrivKey
+PK11_UnwrapSymKey
+PK11_UpdateSlotAttribute
+PK11_UserDisableSlot
+PK11_UserEnableSlot
+PK11_VerifyWithMechanism
+PK11_WrapPrivKey
+PK11_WrapSymKey
+PORT_Alloc
+PORT_Alloc_Util
+PORT_ArenaAlloc
+PORT_ArenaAlloc_Util
+PORT_ArenaGrow_Util
+PORT_ArenaMark_Util
+PORT_ArenaRelease_Util
+PORT_ArenaStrdup
+PORT_ArenaStrdup_Util
+PORT_ArenaUnmark_Util
+PORT_ArenaZAlloc
+PORT_ArenaZAlloc_Util
+PORT_DestroyCheapArena
+PORT_Free
+PORT_FreeArena
+PORT_FreeArena_Util
+PORT_Free_Util
+PORT_GetError
+PORT_GetError_Util
+PORT_InitCheapArena
+PORT_NewArena
+PORT_NewArena_Util
+PORT_Realloc_Util
+PORT_RegExpSearch
+PORT_SetError
+PORT_SetError_Util
+PORT_SetUCS2_ASCIIConversionFunction
+PORT_SetUCS2_ASCIIConversionFunction_Util
+PORT_Strdup
+PORT_Strdup_Util
+PORT_UCS2_ASCIIConversion_Util
+PORT_UCS2_UTF8Conversion
+PORT_UCS2_UTF8Conversion_Util
+PORT_ZAlloc
+PORT_ZAlloc_Util
+PORT_ZFree_Util
+SEC_AnyTemplate_Util @DATA@
+SEC_ASN1Decode
+SEC_ASN1DecodeInteger
+SEC_ASN1DecodeItem
+SEC_ASN1DecodeItem_Util
+SEC_ASN1Decode_Util
+SEC_ASN1EncodeInteger_Util
+SEC_ASN1EncodeItem
+SEC_ASN1EncodeItem_Util
+SEC_ASN1EncodeUnsignedInteger_Util
+SEC_ASN1Encode_Util
+SEC_BitStringTemplate @DATA@
+SEC_BitStringTemplate_Util @DATA@
+SEC_BMPStringTemplate @DATA@
+SEC_BooleanTemplate_Util @DATA@
+SEC_CertNicknameConflict
+SEC_DeletePermCertificate
+SEC_DerSignData
+SEC_DestroyCrl
+SEC_GeneralizedTimeTemplate_Util @DATA@
+SEC_GetSignatureAlgorithmOidTag
+SEC_IA5StringTemplate @DATA@
+SEC_IA5StringTemplate_Util @DATA@
+SEC_IntegerTemplate @DATA@
+SEC_IntegerTemplate_Util @DATA@
+SECITEM_AllocArray
+SECITEM_AllocItem
+SECITEM_AllocItem_Util
+SECITEM_ArenaDupItem_Util
+SECITEM_CompareItem
+SECITEM_CompareItem_Util
+SECITEM_CopyItem
+SECITEM_CopyItem_Util
+SECITEM_DupArray
+SECITEM_DupItem
+SECITEM_DupItem_Util
+SECITEM_FreeItem
+SECITEM_FreeItem_Util
+SECITEM_HashCompare
+SECITEM_ItemsAreEqual
+SECITEM_ItemsAreEqual_Util
+SECITEM_ReallocItemV2
+SECITEM_ZfreeItem
+SECITEM_ZfreeItem_Util
+SECKEY_ConvertToPublicKey
+SECKEY_CopyPrivateKey
+SECKEY_CopyPublicKey
+SECKEY_CopySubjectPublicKeyInfo
+SECKEY_CreateSubjectPublicKeyInfo
+SECKEY_DecodeDERSubjectPublicKeyInfo
+SECKEY_DestroyEncryptedPrivateKeyInfo
+SECKEY_DestroyPrivateKey
+SECKEY_DestroyPrivateKeyList
+SECKEY_DestroyPublicKey
+SECKEY_DestroySubjectPublicKeyInfo
+SECKEY_ECParamsToBasePointOrderLen
+SECKEY_ECParamsToKeySize
+SECKEY_EncodeDERSubjectPublicKeyInfo
+SECKEY_ExtractPublicKey
+SECKEY_GetPublicKeyType
+SECKEY_ImportDERPublicKey
+SECKEY_PublicKeyStrength
+SECKEY_RSAPSSParamsTemplate @DATA@
+SECKEY_SignatureLen
+SECMIME_DecryptionAllowed
+SECMOD_AddNewModule
+SECMOD_AddNewModuleEx
+SECMOD_CancelWait
+SECMOD_CanDeleteInternalModule
+SECMOD_CloseUserDB
+SECMOD_CreateModule
+SECMOD_DeleteInternalModule
+SECMOD_DeleteModule
+SECMOD_DestroyModule
+SECMOD_FindModule
+SECMOD_GetDeadModuleList
+SECMOD_GetDefaultModuleList
+SECMOD_GetDefaultModuleListLock
+SECMOD_GetInternalModule
+SECMOD_GetModuleSpecList
+SECMOD_GetReadLock
+SECMOD_HasRemovableSlots
+SECMOD_InternaltoPubMechFlags
+SECMOD_LoadModule
+SECMOD_LoadUserModule
+SECMOD_OpenUserDB
+SECMOD_PubCipherFlagstoInternal
+SECMOD_PubMechFlagstoInternal
+SECMOD_ReferenceModule
+SECMOD_ReleaseReadLock
+SECMOD_UnloadUserModule
+SECMOD_UpdateModule
+SECMOD_WaitForAnyTokenEvent
+SEC_NullTemplate_Util @DATA@
+SEC_ObjectIDTemplate_Util @DATA@
+SEC_OctetStringTemplate @DATA@
+SEC_OctetStringTemplate_Util @DATA@
+SECOID_AddEntry
+SECOID_AddEntry_Util
+SECOID_AlgorithmIDTemplate @DATA@
+SECOID_AlgorithmIDTemplate_Util @DATA@
+SECOID_CopyAlgorithmID_Util
+SECOID_DestroyAlgorithmID
+SECOID_DestroyAlgorithmID_Util
+SECOID_FindOID
+SECOID_FindOIDByMechanism
+SECOID_FindOIDByTag
+SECOID_FindOIDByTag_Util
+SECOID_FindOIDTag
+SECOID_FindOIDTagDescription_Util
+SECOID_FindOIDTag_Util
+SECOID_FindOID_Util
+SECOID_GetAlgorithmTag
+SECOID_GetAlgorithmTag_Util
+SECOID_Init
+SECOID_SetAlgorithmID
+SECOID_SetAlgorithmID_Util
+SECOID_Shutdown
+SEC_PKCS12AddCertAndKey
+SEC_PKCS12AddPasswordIntegrity
+SEC_PKCS12CreateExportContext
+SEC_PKCS12CreatePasswordPrivSafe
+SEC_PKCS12CreateUnencryptedSafe
+SEC_PKCS12DecoderFinish
+SEC_PKCS12DecoderImportBags
+SEC_PKCS12DecoderIterateInit
+SEC_PKCS12DecoderIterateNext
+SEC_PKCS12DecoderRenameCertNicknames
+SEC_PKCS12DecoderStart
+SEC_PKCS12DecoderUpdate
+SEC_PKCS12DecoderValidateBags
+SEC_PKCS12DecoderVerify
+SEC_PKCS12DestroyExportContext
+SEC_PKCS12EnableCipher
+SEC_PKCS12Encode
+SEC_PKCS12IsEncryptionAllowed
+SEC_PKCS12SetPreferredCipher
+SEC_PKCS5GetPBEAlgorithm
+SEC_PKCS5IsAlgorithmPBEAlgTag
+SEC_PKCS7AddSigningTime
+SEC_PKCS7ContentIsEncrypted
+SEC_PKCS7ContentIsSigned
+SEC_PKCS7CopyContentInfo
+SEC_PKCS7CreateSignedData
+SEC_PKCS7DecodeItem
+SEC_PKCS7DecoderFinish
+SEC_PKCS7DecoderStart
+SEC_PKCS7DecoderUpdate
+SEC_PKCS7DestroyContentInfo
+SEC_PKCS7Encode
+SEC_PKCS7IncludeCertChain
+SEC_PKCS7VerifyDetachedSignature
+SEC_QuickDERDecodeItem
+SEC_QuickDERDecodeItem_Util
+SEC_RegisterDefaultHttpClient
+SEC_SignData
+SEC_SignedCertificateTemplate @DATA@
+SEC_StringToOID
+SEC_UTF8StringTemplate @DATA@
+SEC_UTF8StringTemplate_Util @DATA@
+SGN_Begin
+SGN_CreateDigestInfo
+SGN_CreateDigestInfo_Util
+SGN_DecodeDigestInfo
+SGN_DestroyContext
+SGN_DestroyDigestInfo
+SGN_DestroyDigestInfo_Util
+SGN_End
+SGN_NewContext
+SGN_Update
+SSL_AuthCertificateComplete
+SSL_AuthCertificateHook
+SSL_CipherPrefGet
+SSL_CipherPrefSet
+SSL_CipherPrefSetDefault
+SSL_ClearSessionCache
+SSL_ConfigSecureServer
+SSL_ConfigSecureServerWithCertChain
+SSL_ConfigServerSessionIDCache
+SSL_ExportKeyingMaterial
+SSL_ForceHandshake
+SSL_GetChannelInfo
+SSL_GetCipherSuiteInfo
+SSL_GetClientAuthDataHook
+SSL_GetImplementedCiphers
+SSL_GetNextProto
+SSL_GetNumImplementedCiphers
+SSL_GetSRTPCipher
+SSL_GetStatistics
+SSL_HandshakeCallback
+SSL_HandshakeNegotiatedExtension
+SSL_ImplementedCiphers @DATA@
+SSL_ImportFD
+SSL_NamedGroupConfig
+SSL_NumImplementedCiphers @DATA@
+SSL_OptionSet
+SSL_OptionSetDefault
+SSL_PeerCertificate
+SSL_PeerCertificateChain
+SSL_PeerSignedCertTimestamps
+SSL_PeerStapledOCSPResponses
+SSL_ResetHandshake
+SSL_SendAdditionalKeyShares
+SSL_SetCanFalseStartCallback
+SSL_SetDowngradeCheckVersion
+SSL_SetNextProtoNego
+SSL_SetPKCS11PinArg
+SSL_SetSockPeerID
+SSL_SetSRTPCiphers
+SSL_SetStapledOCSPResponses
+SSL_SetTrustAnchors
+SSL_SetURL
+SSL_ShutdownServerSessionIDCache
+SSL_SignatureSchemePrefSet
+SSL_SNISocketConfigHook
+SSL_VersionRangeGet
+SSL_VersionRangeGetDefault
+SSL_VersionRangeGetSupported
+SSL_VersionRangeSet
+SSL_VersionRangeSetDefault
+UTIL_SetForkState
+VFY_Begin
+VFY_CreateContext
+VFY_DestroyContext
+VFY_End
+VFY_EndWithSignature
+VFY_Update
+VFY_VerifyData
+VFY_VerifyDataWithAlgorithmID
+VFY_VerifyDigestDirect
+_SGN_VerifyPKCS1DigestInfo
+__PK11_SetCertificateNickname
+# These symbols are not used by applications but are possibly used across
+# NSS library boundaries.
+NSS_SecureMemcmpZero
+PORT_ZAllocAlignedOffset_Util
+CERT_FindCertByNicknameOrEmailAddrCX
+SECKEY_GetPrivateKeyType
+SEC_DerSignDataWithAlgorithmID
+SEC_CreateSignatureAlgorithmParameters
+# These symbols are not used by applicatons themselves, but are used by
+# Java's security libraries, which in turn are used by Java
+# applets/plugins/etc.  Provide them to make Java code happy.
+NSS_VersionCheck
+NSS_Initialize
+#ifdef NSS_EXTRA_SYMBOLS_FILE
+#include @NSS_EXTRA_SYMBOLS_FILE@
+#endif
diff --git a/security/nss/coreconf/config.gypi b/security/nss/coreconf/config.gypi
index d188759653..30d9b254f0 100644
--- a/security/nss/coreconf/config.gypi
+++ b/security/nss/coreconf/config.gypi
@@ -37,7 +37,7 @@
         },{
           'use_system_sqlite%': 0,
         }],
-        ['OS=="mac" or OS=="ios" or OS=="win"', {
+        ['OS=="mac" or OS=="ios" or OS=="solaris" or OS=="win"', {
           'cc_use_gnu_ld%': 0,
         }, {
           'cc_use_gnu_ld%': 1,
@@ -100,6 +100,7 @@
     'disable_tests%': 0,
     'disable_chachapoly%': 0,
     'disable_dbm%': 1,
+    'disable_avx2%': 1,
     'disable_libpkix%': 1,
     'disable_werror%': 0,
     'disable_altivec%': 0,
@@ -392,6 +393,11 @@
               '_REENTRANT',
             ],
           }],
+          [ 'OS!="mac" and OS!="ios" and OS!="solaris" and OS!="win"', {
+            'ldflags': [
+              '-z', 'noexecstack',
+            ],
+          }],
           [ 'OS!="mac" and OS!="ios" and OS!="win"', {
             'cflags': [
               '-fPIC',
@@ -405,9 +411,6 @@
             'cflags_cc': [
               '-std=c++11',
             ],
-            'ldflags': [
-              '-z', 'noexecstack',
-            ],
             'conditions': [
               [ 'target_arch=="ia32"', {
                 'cflags': ['-m32'],
@@ -564,6 +567,11 @@
               'NSS_DISABLE_DBM',
             ],
           }],
+          [ 'disable_avx2==1', {
+            'defines': [
+              'NSS_DISABLE_AVX2',
+            ],
+          }],
           [ 'disable_libpkix==1', {
             'defines': [
               'NSS_DISABLE_LIBPKIX',
@@ -642,7 +650,7 @@
     },
   },
   'conditions': [
-    [ 'cc_use_gnu_ld==1', {
+    [ 'cc_use_gnu_ld==1 or OS=="solaris"', {
       'variables': {
         'process_map_file': ['/bin/sh', '-c', '/usr/bin/env grep -v ";-" >(mapfile) | sed -e "s,;+,," -e "s; DATA ;;" -e "s,;;,," -e "s,;.*,;," > >@(_outputs)'],
       },
diff --git a/security/nss/lib/freebl/freebl.gyp b/security/nss/lib/freebl/freebl.gyp
index dd9446da60..a5f5c8d0ec 100644
--- a/security/nss/lib/freebl/freebl.gyp
+++ b/security/nss/lib/freebl/freebl.gyp
@@ -129,7 +129,7 @@
         '<(DEPTH)/exports.gyp:nss_exports'
       ],
       'conditions': [
-        [ 'target_arch=="x64"', {
+        [ 'target_arch=="x64" and disable_avx2==0', {
           'cflags': [
             '-mssse3',
             '-msse4.1',
@@ -179,7 +179,7 @@
             '-mfpu=neon'
           ],
         }],
-        [ 'target_arch=="x64"', {
+        [ 'target_arch=="x64" and disable_avx2==0', {
           'sources': [
             'verified/Hacl_Poly1305_256.c',
             'verified/Hacl_Chacha20_Vec256.c',