nss: Fix referencePath to security modules.

This adds a patch from Debian, as they're already have security modules from NSS
in it's own library directory rather than /usr/lib{,64}/ and patch in loading of
libsoftokn as well.

The patch and our own fix of the patch (well, they hardcode Debian specific
stuff in there) ensures that SECMOD_AddNewModule() will find the right module
from the derivation's output path, so the built-in CA root certificates are
recognized and verified correctly.

pkgs/development/libraries/nss/default.nix

@@ -15,9 +15,12 @@ let
     sha256 = "e4a9396d90e50e8b3cceff45f312eda9aaf356423f4eddd354a0e1afbbfd4cf8";
   };
 
-in
+  secLoadPatch = fetchurl {
+    url = "http://patch-tracker.debian.org/patch/series/dl/nss/2:3.13.5-1/85_security_load.patch";
+    sha256 = "8a8d0ae4ebbd7c389973fa5d26d8bc5f473046c6cb1d8283cb9a3c1f4c565c47";
+  };
 
-stdenv.mkDerivation rec {
+in stdenv.mkDerivation rec {
   name = "nss-${version}";
   version = "3.13.6";
 
@@ -37,7 +40,11 @@ stdenv.mkDerivation rec {
     chmod -R u+w "$sourceRoot/mozilla/security/nss/lib/ckfw/pem"
   '';
 
-  patches = [ ./nss-3.12.5-gentoo-fixups.diff ];
+  patches = [
+    ./nss-3.12.5-gentoo-fixups.diff
+    secLoadPatch
+    ./nix_secload_fixup.patch
+  ];
 
   postPatch = ''
     sed -i -e 's/^DIRS.*$/& pem/' mozilla/security/nss/lib/ckfw/manifest.mn

pkgs/development/libraries/nss/nix_secload_fixup.patch

@@ -0,0 +1,50 @@
+diff --git a/mozilla/security/coreconf/config.mk b/mozilla/security/coreconf/config.mk
+index 72557c6..bdcbf88 100644
+--- a/mozilla/security/coreconf/config.mk
++++ b/mozilla/security/coreconf/config.mk
+@@ -207,3 +207,5 @@ endif
+ DEFINES += -DUSE_UTIL_DIRECTLY
+ USE_UTIL_DIRECTLY = 1
+ 
++# nix specific stuff:
++DEFINES += -DNIX_NSS_LIBDIR=\"$(out)/lib/\"
+diff --git a/mozilla/security/nss/cmd/shlibsign/shlibsign.c b/mozilla/security/nss/cmd/shlibsign/shlibsign.c
+index 5ce626e..e1e8039 100644
+--- a/mozilla/security/nss/cmd/shlibsign/shlibsign.c
++++ b/mozilla/security/nss/cmd/shlibsign/shlibsign.c
+@@ -770,7 +770,7 @@ int main(int argc, char **argv)
+     assert(libname != NULL);
+     lib = PR_LoadLibrary(libname);
+     if (!lib)
+-        lib = PR_LoadLibrary("/usr/lib/nss/libsoftokn3.so");
++        lib = PR_LoadLibrary(NIX_NSS_LIBDIR"libsoftokn3.so");
+     assert(lib != NULL);
+     PR_FreeLibraryName(libname);
+ 
+diff --git a/mozilla/security/nss/lib/util/secload.c b/mozilla/security/nss/lib/util/secload.c
+index 7d6fc22..0b7759b 100644
+--- a/mozilla/security/nss/lib/util/secload.c
++++ b/mozilla/security/nss/lib/util/secload.c
+@@ -105,9 +105,9 @@ loader_LoadLibInReferenceDir(const char *referencePath, const char *name)
+     /* Remove the trailing filename from referencePath and add the new one */
+     c = strrchr(referencePath, PR_GetDirectorySeparator());
+     if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0]
+-               * and program was called from $PATH. Hack to get libs from /usr/lib */
+-        referencePath = "/usr/lib/";
+-        c = &referencePath[8]; /* last / */
++               * and program was called from $PATH. Hack to get libs from NIX_NSS_LIBDIR */
++        referencePath = NIX_NSS_LIBDIR;
++        c = &referencePath[sizeof(NIX_NSS_LIBDIR) - 1]; /* last / */
+     }
+     if (c) {
+         size_t referencePathSize = 1 + c - referencePath;
+@@ -125,8 +125,7 @@ loader_LoadLibInReferenceDir(const char *referencePath, const char *name)
+                 (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) {
+                 memcpy(fullName + referencePathSize -4, "lib", 3);
+             }
+-            strcpy(fullName + referencePathSize, "nss/");
+-            strcpy(fullName + referencePathSize + 4, name);
++            strcpy(fullName + referencePathSize, name);
+             dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL
+ #ifdef PR_LD_ALT_SEARCH_PATH
+             /* allow library's dependencies to be found in the same directory