Ticket #785: Fix-the-NSS-init-after-fork-bug-and-clean-up-lies.patch

File Fix-the-NSS-init-after-fork-bug-and-clean-up-lies.patch, 2.5 KB (added by dx, at 2014-07-09T11:34:47Z)

A hopefully working and secure version of the patch!

  • irc.c 

    From d77df0ab3fceaca84932f90948a24eec4f576fb0 Mon Sep 17 00:00:00 2001
From: dequis <dx@dxzone.com.ar>
Date: Wed, 9 Jul 2014 07:58:30 -0300
Subject: [PATCH] Fix the NSS init after fork bug, and clean up lies in unix.c

This might look like a simple diff, but those 'lies' made this not very
straightforward.

The NSS bug itself is simple: NSS detects a fork happened after the
initialization, and refuses to work because shared CSPRNG state is bad.
The bug has been around for long time. I've been aware of it for 5
months, which says something about this mess. Trac link:

http://bugs.bitlbee.org/bitlbee/ticket/785

This wasn't a big deal because the main users of NSS (redhat) already
applied a different patch in their packages that workarounded the issue
somewhat accidentally. And this is the ticket for the 'lies' in unix.c:

http://bugs.bitlbee.org/bitlbee/ticket/1159

Basically a conflict with libotr that doesn't happen anymore. Read that
ticket for details on why ignoring those comments is acceptable.

Anyway: yay!
---
 irc.c  | 6 ++++++
 unix.c | 9 ---------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/irc.c b/irc.c
index 187004c..f864e31 100644
    a b  
    2626#include "bitlbee.h"
    2727#include "ipc.h"
    2828#include "dcc.h"
     29#include "lib/ssl_client.h"
    2930
    3031GSList *irc_connection_list;
    3132GSList *irc_plugins;
    irc_t *irc_new( int fd ) 
    170171#ifdef WITH_PURPLE
    171172        nogaim_init();
    172173#endif
     174
     175        /* SSL library initialization also should be done after the fork, to
     176           avoid shared CSPRNG state. This is required by NSS, which refuses to
     177           work if a fork is detected */
     178        ssl_init();
    173179       
    174180        for( l = irc_plugins; l; l = l->next )
    175181        {

  • unix.c 

    diff --git a/unix.c b/unix.c
index 1ea24af..329b33c 100644
    a b  
    3131#include "protocols/nogaim.h"
    3232#include "help.h"
    3333#include "ipc.h"
    34 #include "lib/ssl_client.h"
    3534#include "md5.h"
    3635#include "misc.h"
    3736#include <signal.h>
    int main( int argc, char *argv[] ) 
    8180        nogaim_init();
    8281#endif
    8382       
    84         /* Ugly Note: libotr and gnutls both use libgcrypt. libgcrypt
    85            has a process-global config state whose initialization happpens
    86            twice if libotr and gnutls are used together. libotr installs custom
    87            memory management functions for libgcrypt while our gnutls module
    88            uses the defaults. Therefore we initialize OTR after SSL. *sigh* */
    89         ssl_init();
    9083#ifdef OTR_BI
    9184        otr_init();
    9285#endif
    93         /* And in case OTR is loaded as a plugin, it'll also get loaded after
    94            this point. */
    9586       
    9687        srand( time( NULL ) ^ getpid() );
    9788