From d77df0ab3fceaca84932f90948a24eec4f576fb0 Mon Sep 17 00:00:00 2001
From: dequis <dx@dxzone.com.ar>
Date: Wed, 9 Jul 2014 07:58:30 -0300
Subject: [PATCH] Fix the NSS init after fork bug, and clean up lies in unix.c

This might look like a simple diff, but those 'lies' made this not very straightforward. The NSS bug itself is simple: NSS detects a fork happened after the initialization, and refuses to work because shared CSPRNG state is bad. The bug has been around for long time. I've been aware of it for 5 months, which says something about this mess. Trac link: http://bugs.bitlbee.org/bitlbee/ticket/785 This wasn't a big deal because the main users of NSS (redhat) already applied a different patch in their packages that workarounded the issue somewhat accidentally. And this is the ticket for the 'lies' in unix.c: http://bugs.bitlbee.org/bitlbee/ticket/1159 Basically a conflict with libotr that doesn't happen anymore. Read that ticket for details on why ignoring those comments is acceptable. Anyway: yay!
---
 irc.c | 6 ++++++
 unix.c | 9 ---------
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/irc.c b/irc.c
index 187004c..f864e31 100644
--- a/irc.c
+++ b/irc.c
@@ -26,6 +26,7 @@
 #include "bitlbee.h"
 #include "ipc.h"
 #include "dcc.h"
+#include "lib/ssl_client.h"
 GSList *irc_connection_list;
 GSList *irc_plugins;
@@ -170,6 +171,11 @@ irc_t *irc_new( int fd )
 #ifdef WITH_PURPLE
 nogaim_init();
 #endif
+
+ /* SSL library initialization also should be done after the fork, to avoid shared CSPRNG state. This is required by NSS, which refuses to work if a fork is detected */
+ ssl_init();
 for( l = irc_plugins; l; l = l->next ) {
diff --git a/unix.c b/unix.c
index 1ea24af..329b33c 100644
--- a/unix.c
+++ b/unix.c
@@ -31,7 +31,6 @@
 #include "protocols/nogaim.h"
 #include "help.h"
 #include "ipc.h"
-#include "lib/ssl_client.h"
 #include "md5.h"
 #include "misc.h"
 #include <signal.h>
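Review bot: In the second irc.c hunk, `ssl_init()` now runs on every `irc_new()` call rather than once in `main()`, so a process that serves several clients would run it repeatedly, and the hunk does not show whether `ssl_init()` guards against re-initialisation. If it does, the new comment should say so, e.g. `/* ssl_init() is a no-op after the first call, so calling it per connection is safe */`; if it does not, a one-time guard belongs here or in the SSL backends. The note removed from unix.c was the only in-code record of the SSL-before-OTR ordering constraint, and `otr_init()` now runs before this call, so a short pointer to ticket 1159 next to `ssl_init()` would keep the reason visible to the next maintainer. `irc_new()` starts and ends outside the hunk.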
@@ -81,17 +80,9 @@ int main( int argc, char *argv[] )
 nogaim_init();
 #endif
- /* Ugly Note: libotr and gnutls both use libgcrypt. libgcrypt has a process-global config state whose initialization happpens twice if libotr and gnutls are used together. libotr installs custom memory management functions for libgcrypt while our gnutls module uses the defaults. Therefore we initialize OTR after SSL. *sigh* */
- ssl_init();
 #ifdef OTR_BI
 otr_init();
 #endif
- /* And in case OTR is loaded as a plugin, it'll also get loaded after this point. */
 srand( time( NULL ) ^ getpid() );
-- 
2.0.0