authorMichael Meeks <michael.meeks@collabora.com>2024-04-05 15:23:22 +0100
committerMichael Meeks <michael.meeks@collabora.com>2024-05-15 14:37:19 +0200
commit06f1787d50fd6dd510917e53f4842d88725b32d1 (patch)
tree3d740a2b33b64771e320017cc8cb493e8b69e628 /external
parentea49dde289c9c5799c8b85983bae1c0ab294a3cb (diff)
lok: use of lok random hook in NSS.
This allows us to avoid opening /dev/urandom which may not be there. Change-Id: I51727fe4a2a28be802afdf6d9ccca5a198167b7d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/165851 Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com> Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com> (cherry picked from commit 708663da401e1cc5c4531c8cbb3370c4cf2843d6) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/167670 Reviewed-by: Michael Meeks <michael.meeks@collabora.com> Tested-by: Jenkins
Diffstat (limited to 'external')
-rw-r--r--external/nss/UnpackedTarball_nss.mk2
-rw-r--r--external/nss/nss.getrandom.patch97
2 files changed, 99 insertions, 0 deletions
diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk
index bf2a93233e60..6b69dd9b1631 100644
--- a/external/nss/UnpackedTarball_nss.mk
+++ b/external/nss/UnpackedTarball_nss.mk
@@ -26,6 +26,8 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\
external/nss/macos-dlopen.patch.0 \
external/nss/nss-restore-manual-pre-dependencies.patch.1 \
external/nss/Wincompatible-function-pointer-types.patch.0 \
+ $(if $(filter LINUX,$(OS)), \
+ external/nss/nss.getrandom.patch) \
$(if $(filter iOS,$(OS)), \
external/nss/nss-ios.patch) \
$(if $(filter ANDROID,$(OS)), \
diff --git a/external/nss/nss.getrandom.patch b/external/nss/nss.getrandom.patch
new file mode 100644
index 000000000000..b7f883b64d5a
--- /dev/null
+++ b/external/nss/nss.getrandom.patch
@@ -0,0 +1,97 @@
+--- a/nss/nspr/pr/src/md/unix/uxrng.c
++++ b/nss/nspr/pr/src/md/unix/uxrng.c
+@@ -68,13 +68,18 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <fcntl.h>
++#include <dlfcn.h>
+
+ static int fdDevURandom;
+ static PRCallOnceType coOpenDevURandom;
+
+ static PRStatus OpenDevURandom( void )
+ {
+- fdDevURandom = open( "/dev/urandom", O_RDONLY );
++ static int (*lok_open_urandom)();
++ if (!lok_open_urandom)
++ lok_open_urandom = dlsym(RTLD_DEFAULT, "lok_open_urandom");
++ if (!lok_open_urandom || (fdDevURandom = lok_open_urandom()) < 0)
++ fdDevURandom = open( "/dev/urandom", O_RDONLY );
+ return((-1 == fdDevURandom)? PR_FAILURE : PR_SUCCESS );
+ } /* end OpenDevURandom() */
+
+--- a/nss/nss/lib/freebl/unix_rand.c
++++ b/nss/nss/lib/freebl/unix_rand.c
+@@ -13,6 +13,7 @@
+ #include <sys/wait.h>
+ #include <sys/stat.h>
+ #include <sys/types.h>
++#include <dlfcn.h>
+ #include <dirent.h>
+ #include "secrng.h"
+ #include "secerr.h"
+@@ -650,11 +651,21 @@
+ RNG_RandomUpdate(buf, strlen(buf));
+ }
+
++ {
++ unsigned char buffer[SYSTEM_RNG_SEED_COUNT];
++ bytes = RNG_SystemRNG(buffer, sizeof (buffer));
++ if (bytes == SYSTEM_RNG_SEED_COUNT) /* success */
++ RNG_RandomUpdate(buffer, bytes);
++ }
++
++ if (bytes != SYSTEM_RNG_SEED_COUNT) /* fail */
++ {
+ /* grab some data from system's PRNG before any other files. */
+ bytes = RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT);
+ if (!bytes) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ }
++ }
+
+ /* If the user points us to a random file, pass it through the rng */
+ randfile = PR_GetEnvSecure("NSRANDFILE");
+@@ -781,11 +794,19 @@
+ size_t fileBytes = 0;
+ unsigned char *buffer = dest;
+
++ static int (*lok_open_urandom)();
++ if (!lok_open_urandom)
++ lok_open_urandom = dlsym(NULL, "lok_open_urandom");
++ if (!lok_open_urandom || (fd = lok_open_urandom()) < 0)
++ {
+ file = fopen("/dev/urandom", "r");
+ if (file == NULL) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ return 0;
+ }
++ }
++ else
++ file = fdopen(fd, "r");
+ /* Read from the underlying file descriptor directly to bypass stdio
+ * buffering and avoid reading more bytes than we need from /dev/urandom.
+ * NOTE: we can't use fread with unbuffered I/O because fread may return
+--- a/nss/nss/lib/freebl/unix_urandom.c
++++ b/nss/nss/lib/freebl/unix_urandom.c
+@@ -5,6 +5,7 @@
+ #include <fcntl.h>
+ #include <unistd.h>
+ #include <errno.h>
++#include <dlfcn.h>
+ #include "secerr.h"
+ #include "secrng.h"
+ #include "prprf.h"
+@@ -62,7 +63,11 @@
+ * Reset the number of bytes to get and fall back to /dev/urandom. */
+ fileBytes = 0;
+ #endif
+- fd = open("/dev/urandom", O_RDONLY);
++ static int (*lok_open_urandom)();
++ if (!lok_open_urandom)
++ lok_open_urandom = dlsym(NULL, "lok_open_urandom");
++ if (!lok_open_urandom || (fd = lok_open_urandom()) < 0)
++ fd = open("/dev/urandom", O_RDONLY);
+ if (fd < 0) {
+ PORT_SetError(SEC_ERROR_NEED_RANDOM);
+ return 0;
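Review bot: In the `@@ -781,11 +794,19 @@` hunk of unix_rand.c the result of `file = fdopen(fd, "r");` is never checked, unlike the `fopen` branch just above it, so a failed fdopen leaves `file` NULL for the code that follows the comment (outside the hunk, presumably a `fileno(file)` and read loop). Add `if (file == NULL) { PORT_SetError(SEC_ERROR_NEED_RANDOM); return 0; }` after the fdopen, closing `fd` first if the caller owns it. The patch never says who owns the descriptor returned by `lok_open_urandom`: uxrng.c keeps it in the static `fdDevURandom`, here it is wrapped in a FILE, and in unix_urandom.c it replaces a locally opened fd. If the hook is meant to return a fresh descriptor each time, a comment at each lookup such as `/* lok_open_urandom() returns a new fd owned by the caller, or < 0 on failure */` would make that checkable. The lookups are also spelled differently (`RTLD_DEFAULT` in uxrng.c, `NULL` in the other two files), and using `RTLD_DEFAULT` throughout would read more clearly; all three function bodies continue outside the nested hunks.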