authorAlyssa Ross <hi@alyssa.is>2022-12-06 19:57:55 +0000
committerAlyssa Ross <hi@alyssa.is>2023-02-08 13:48:30 +0000
commitbf3aadfdd39aa197e18bade671fab6726349ffa4 (patch)
tree698567af766ed441d757b57a7b21e68d4a342a2b /nixpkgs/pkgs/development/libraries/nss
parentf4afc5a01d9539ce09e47494e679c51f80723d07 (diff)
parent99665eb45f58d959d2cb9e49ddb960c79d596f33 (diff)
Merge commit '99665eb45f58d959d2cb9e49ddb960c79d596f33'
Diffstat (limited to 'nixpkgs/pkgs/development/libraries/nss')
-rw-r--r--nixpkgs/pkgs/development/libraries/nss/85_security_load_3.77+.patch76
-rw-r--r--nixpkgs/pkgs/development/libraries/nss/esr.nix4
-rw-r--r--nixpkgs/pkgs/development/libraries/nss/generic.nix (renamed from nixpkgs/pkgs/development/libraries/nss/default.nix)29
-rw-r--r--nixpkgs/pkgs/development/libraries/nss/latest.nix10
4 files changed, 108 insertions, 11 deletions
diff --git a/nixpkgs/pkgs/development/libraries/nss/85_security_load_3.77+.patch b/nixpkgs/pkgs/development/libraries/nss/85_security_load_3.77+.patch
new file mode 100644
index 000000000000..bae86c9d26ad
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/nss/85_security_load_3.77+.patch
@@ -0,0 +1,76 @@
+diff --git nss/cmd/shlibsign/shlibsign.c nss/cmd/shlibsign/shlibsign.c
+index ad8f3b84e..74676d039 100644
+--- nss/cmd/shlibsign/shlibsign.c
++++ nss/cmd/shlibsign/shlibsign.c
+@@ -875,6 +875,8 @@ main(int argc, char **argv)
+         goto cleanup;
+     }
+     lib = PR_LoadLibrary(libname);
++    if (!lib)
++        lib = PR_LoadLibrary(NIX_NSS_LIBDIR"libsoftokn3.so");
+     assert(lib != NULL);
+     if (!lib) {
+         PR_fprintf(PR_STDERR, "loading softokn3 failed");
+diff --git nss/lib/pk11wrap/pk11load.c nss/lib/pk11wrap/pk11load.c
+index 119c8c512..720d39ccc 100644
+--- nss/lib/pk11wrap/pk11load.c
++++ nss/lib/pk11wrap/pk11load.c
+@@ -486,6 +486,15 @@ secmod_LoadPKCS11Module(SECMODModule *mod, SECMODModule **oldModule)
+ #else
+         library = PR_LoadLibrary(mod->dllName);
+ #endif // defined(_WIN32)
++#ifndef NSS_STATIC_SOFTOKEN
++        if ((library == NULL) &&
++            !rindex(mod->dllName, PR_GetDirectorySeparator())) {
++            library = PORT_LoadLibraryFromOrigin(my_shlib_name,
++                (PRFuncPtr) &softoken_LoadDSO,
++                mod->dllName);
++        }
++#endif
++
+         mod->library = (void *)library;
+ 
+         if (library == NULL) {
+diff --git nss/lib/util/secload.c nss/lib/util/secload.c
+index 12efd2f75..8b74478f6 100644
+--- nss/lib/util/secload.c
++++ nss/lib/util/secload.c
+@@ -70,9 +70,14 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+ 
+     /* Remove the trailing filename from referencePath and add the new one */
+     c = strrchr(referencePath, PR_GetDirectorySeparator());
++    if (!c) { /* referencePath doesn't contain a / means that dladdr gave us argv[0]
++               * and program was called from $PATH. Hack to get libs from NIX_NSS_LIBDIR */
++        referencePath = NIX_NSS_LIBDIR;
++        c = (char*) &referencePath[sizeof(NIX_NSS_LIBDIR) - 1]; /* last / */
++    }
+     if (c) {
+         size_t referencePathSize = 1 + c - referencePath;
+-        fullName = (char*)PORT_Alloc(strlen(name) + referencePathSize + 1);
++        fullName = (char*) PORT_Alloc(strlen(name) + referencePathSize + 5);
+         if (fullName) {
+             memcpy(fullName, referencePath, referencePathSize);
+             strcpy(fullName + referencePathSize, name);
+@@ -82,6 +87,11 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+ #endif
+             libSpec.type = PR_LibSpec_Pathname;
+             libSpec.value.pathname = fullName;
++            if ((referencePathSize >= 4) &&
++                (strncmp(fullName + referencePathSize - 4, "bin", 3) == 0)) {
++                memcpy(fullName + referencePathSize -4, "lib", 3);
++            }
++            strcpy(fullName + referencePathSize, name);
+             dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL
+ #ifdef PR_LD_ALT_SEARCH_PATH
+                                                        /* allow library's dependencies to be found in the same directory
+@@ -89,6 +99,10 @@ loader_LoadLibInReferenceDir(const char* referencePath, const char* name)
+                                                        | PR_LD_ALT_SEARCH_PATH
+ #endif
+                                           );
++            if (! dlh) {
++                strcpy(fullName + referencePathSize, name);
++                dlh = PR_LoadLibraryWithFlags(libSpec, PR_LD_NOW | PR_LD_LOCAL);
++            }
+             PORT_Free(fullName);
+         }
+     }
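Review bot: In the secload.c part of this patch, the `!c` fallback sets `c` to `&referencePath[sizeof(NIX_NSS_LIBDIR) - 1]`, which is the literal's terminating NUL rather than the "last /" the comment names. `referencePathSize` then counts that NUL, so `memcpy` copies it into `fullName` and `name` lands after it; the pathname handed to `PR_LoadLibraryWithFlags` would be the bare directory, and the `!dlh` retry reuses the same string. That reading assumes NIX_NSS_LIBDIR ends in `/`, as the `NIX_NSS_LIBDIR"libsoftokn3.so"` concatenation in the shlibsign.c part suggests (its definition is not in this diff); if so the index should be `sizeof(NIX_NSS_LIBDIR) - 2`. Separately, the `"bin"` comparison is not anchored on a preceding separator, so a reference directory ending in `sbin/` would be rewritten to `slib/`; checking `referencePathSize >= 5` and `strncmp(fullName + referencePathSize - 5, "/bin/", 5) == 0` would limit the rewrite to a directory actually named `bin`. Only part of loader_LoadLibInReferenceDir is visible in the embedded patch context, so the rest of the function is not covered here.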
diff --git a/nixpkgs/pkgs/development/libraries/nss/esr.nix b/nixpkgs/pkgs/development/libraries/nss/esr.nix
new file mode 100644
index 000000000000..a789f0306d32
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/nss/esr.nix
@@ -0,0 +1,4 @@
+import ./generic.nix {
+  version = "3.68.4";
+  hash = "sha256-K5/T9aG0nzs7KdEgAmdPcEgRViV1b7R3KELsfDm+Fgs=";
+}
diff --git a/nixpkgs/pkgs/development/libraries/nss/default.nix b/nixpkgs/pkgs/development/libraries/nss/generic.nix
index d17f4c4a7835..febc2423388e 100644
--- a/nixpkgs/pkgs/development/libraries/nss/default.nix
+++ b/nixpkgs/pkgs/development/libraries/nss/generic.nix
@@ -1,3 +1,4 @@
+{ version, hash }:
 { lib
 , stdenv
 , fetchurl
@@ -14,6 +15,7 @@
 , # allow FIPS mode. Note that this makes the output non-reproducible.
   # https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_Tech_Notes/nss_tech_note6
   enableFIPS ? false
+, nixosTests
 }:
 
 let
@@ -22,21 +24,15 @@ let
     sha256 = "10ibz6y0hknac15zr6dw4gv9nb5r5z9ym6gq18j3xqx7v7n3vpdw";
   };
 
-  # NOTE: Whenever you updated this version check if the `cacert` package also
-  #       needs an update. You can run the regular updater script for cacerts.
-  #       It will rebuild itself using the version of this package (NSS) and if
-  #       an update is required do the required changes to the expression.
-  #       Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
-  version = "3.75";
-
+  underscoreVersion = lib.replaceStrings [ "." ] [ "_" ] version;
 in
 stdenv.mkDerivation rec {
   pname = "nss";
   inherit version;
 
   src = fetchurl {
-    url = "mirror://mozilla/security/nss/releases/NSS_${lib.replaceStrings [ "." ] [ "_" ] version}_RTM/src/${pname}-${version}.tar.gz";
-    sha256 = "10l5qn68gly2l4ifv0v6by1qc8nsmhra08nm9m7n913jh83iamzx";
+    url = "mirror://mozilla/security/nss/releases/NSS_${underscoreVersion}_RTM/src/${pname}-${version}.tar.gz";
+    inherit hash;
   };
 
   depsBuildBuild = [ buildPackages.stdenv.cc ];
@@ -67,7 +63,11 @@ stdenv.mkDerivation rec {
 
   patches = [
     # Based on http://patch-tracker.debian.org/patch/series/dl/nss/2:3.15.4-1/85_security_load.patch
-    ./85_security_load.patch
+    (if (lib.versionOlder version "3.77") then
+      ./85_security_load.patch
+    else
+      ./85_security_load_3.77+.patch
+    )
     ./ckpem.patch
     ./fix-cross-compilation.patch
   ];
@@ -187,10 +187,17 @@ stdenv.mkDerivation rec {
 
   passthru.updateScript = ./update.sh;
 
+  passthru.tests = lib.optionalAttrs (lib.versionOlder version "3.69") {
+    inherit (nixosTests) firefox-esr-91;
+  } // lib.optionalAttrs (lib.versionAtLeast version "3.69") {
+    inherit (nixosTests) firefox firefox-esr-102;
+  };
+
   meta = with lib; {
     homepage = "https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS";
     description = "A set of libraries for development of security-enabled client and server applications";
-    maintainers = with maintainers; [ ];
+    changelog = "https://github.com/nss-dev/nss/blob/master/doc/rst/releases/nss_${underscoreVersion}.rst";
+    maintainers = with maintainers; [ hexa ajs124 ];
     license = licenses.mpl20;
     platforms = platforms.all;
   };
diff --git a/nixpkgs/pkgs/development/libraries/nss/latest.nix b/nixpkgs/pkgs/development/libraries/nss/latest.nix
new file mode 100644
index 000000000000..f313cc328822
--- /dev/null
+++ b/nixpkgs/pkgs/development/libraries/nss/latest.nix
@@ -0,0 +1,10 @@
+# NOTE: Whenever you updated this version check if the `cacert` package also
+#       needs an update. You can run the regular updater script for cacerts.
+#       It will rebuild itself using the version of this package (NSS) and if
+#       an update is required do the required changes to the expression.
+#       Example: nix-shell ./maintainers/scripts/update.nix --argstr package cacert
+
+import ./generic.nix {
+  version = "3.82";
+  hash = "sha256-Mr9nO3LC+ZU+07THAzq/WmytMChUokrliMV1plZ8FXM=";
+}