From d77df0ab3fceaca84932f90948a24eec4f576fb0 Mon Sep 17 00:00:00 2001
From: dequis <dx@dxzone.com.ar>
Date: Wed, 9 Jul 2014 07:58:30 -0300
Subject: [PATCH] Fix the NSS init after fork bug, and clean up lies in unix.c
This might look like a simple diff, but those 'lies' made this not very
straightforward.
The NSS bug itself is simple: NSS detects a fork happened after the
initialization, and refuses to work because shared CSPRNG state is bad.
The bug has been around for long time. I've been aware of it for 5
months, which says something about this mess. Trac link:
http://bugs.bitlbee.org/bitlbee/ticket/785
This wasn't a big deal because the main users of NSS (redhat) already
applied a different patch in their packages that workarounded the issue
somewhat accidentally. And this is the ticket for the 'lies' in unix.c:
http://bugs.bitlbee.org/bitlbee/ticket/1159
Basically a conflict with libotr that doesn't happen anymore. Read that
ticket for details on why ignoring those comments is acceptable.
Anyway: yay!
---
irc.c | 6 ++++++
unix.c | 9 ---------
2 files changed, 6 insertions(+), 9 deletions(-)
diff --git a/irc.c b/irc.c
index 187004c..f864e31 100644
--- a/irc.c
+++ b/irc.c
@@ -26,6 +26,7 @@
#include "bitlbee.h"
#include "ipc.h"
#include "dcc.h"
+#include "lib/ssl_client.h"
GSList *irc_connection_list;
GSList *irc_plugins;
@@ -170,6 +171,11 @@ irc_t *irc_new( int fd )
#ifdef WITH_PURPLE
nogaim_init();
#endif
+
+ /* SSL library initialization also should be done after the fork, to
+ avoid shared CSPRNG state. This is required by NSS, which refuses to
+ work if a fork is detected */
+ ssl_init();
for( l = irc_plugins; l; l = l->next )
{
diff --git a/unix.c b/unix.c
index 1ea24af..329b33c 100644
--- a/unix.c
+++ b/unix.c
@@ -31,7 +31,6 @@
#include "protocols/nogaim.h"
#include "help.h"
#include "ipc.h"
-#include "lib/ssl_client.h"
#include "md5.h"
#include "misc.h"
#include <signal.h>
@@ -81,17 +80,9 @@ int main( int argc, char *argv[] )
nogaim_init();
#endif
- /* Ugly Note: libotr and gnutls both use libgcrypt. libgcrypt
- has a process-global config state whose initialization happpens
- twice if libotr and gnutls are used together. libotr installs custom
- memory management functions for libgcrypt while our gnutls module
- uses the defaults. Therefore we initialize OTR after SSL. *sigh* */
- ssl_init();
#ifdef OTR_BI
otr_init();
#endif
- /* And in case OTR is loaded as a plugin, it'll also get loaded after
- this point. */
srand( time( NULL ) ^ getpid() );
--
2.0.0