File nss-CC-rng_selection.patch of Package mozilla-nss.972

# HG changeset patch
# Parent caf89e493d2399b020726712c467828f21dfe380
# Parent  b23545dfd7a5ba83bb7117a98821f092ebfd7bc4
Choose the appropriate RNG (/dev/random) in FIPS mode

diff --git a/lib/freebl/unix_rand.c b/lib/freebl/unix_rand.c
--- a/lib/freebl/unix_rand.c
+++ b/lib/freebl/unix_rand.c
@@ -12,16 +12,17 @@
 #include <sys/time.h>
 #include <sys/wait.h>
 #include <sys/stat.h>
 #include "secrng.h"
 #include "secerr.h"
 #include "prerror.h"
 #include "prthread.h"
 #include "prprf.h"
+#include "fips.h"
 
 size_t RNG_FileUpdate(const char *fileName, size_t limit);
 
 /*
  * When copying data to the buffer we want the least signicant bytes
  * from the input since those bits are changing the fastest. The address
  * of least significant byte depends upon whether we are running on
  * a big-endian or little-endian machine.
@@ -880,17 +881,17 @@ void RNG_SystemInfoForRNG(void)
 
     /* Give in system information */
     if (gethostname(buf, sizeof(buf)) == 0) {
 	RNG_RandomUpdate(buf, strlen(buf));
     }
     GiveSystemInfo();
 
     /* grab some data from system's PRNG before any other files. */
-    bytes = RNG_FileUpdate("/dev/urandom", SYSTEM_RNG_SEED_COUNT);
+    bytes = RNG_FileUpdate(FIPS_rngDev(), SYSTEM_RNG_SEED_COUNT);
 
     /* If the user points us to a random file, pass it through the rng */
     randfile = getenv("NSRANDFILE");
     if ( ( randfile != NULL ) && ( randfile[0] != '\0') ) {
 	char *randCountString = getenv("NSRANDCOUNT");
 	int randCount = randCountString ? atoi(randCountString) : 0;
 	if (randCount != 0) {
 	    RNG_FileUpdate(randfile, randCount);
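Review bot: The seed read on the `RNG_FileUpdate(FIPS_rngDev(), SYSTEM_RNG_SEED_COUNT)` line can now stall library initialisation if, as the commit title implies, FIPS_rngDev() returns /dev/random in FIPS mode. That device may wait for kernel entropy where /dev/urandom did not. A comment on the line would record this, for example `/* FIPS mode seeds from /dev/random via FIPS_rngDev(); this read may block until the kernel has entropy. */`. FIPS_rngDev() is defined outside this diff, so confirm that it never returns NULL, since its result goes straight into RNG_FileUpdate. Whether a short or zero `bytes` count is treated as a hard failure in FIPS mode is decided after the hunk ends and is worth confirming as well.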
@@ -1137,17 +1138,17 @@ static void rng_systemJitter(void)
 size_t RNG_SystemRNG(void *dest, size_t maxLen)
 {
     FILE *file;
     int fd;
     int bytes;
     size_t fileBytes = 0;
     unsigned char *buffer = dest;
 
-    file = fopen("/dev/urandom", "r");
+    file = fopen(FIPS_rngDev(), "r");
     if (file == NULL) {
 	return rng_systemFromNoise(dest, maxLen);
     }
     /* Read from the underlying file descriptor directly to bypass stdio
      * buffering and avoid reading more bytes than we need from /dev/urandom.
      * NOTE: we can't use fread with unbuffered I/O because fread may return
      * EOF in unbuffered I/O mode on Android.
      */
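Review bot: When `fopen(FIPS_rngDev(), "r")` fails, the unchanged branch still returns `rng_systemFromNoise(dest, maxLen)`. In FIPS mode, a missing or unreadable device (for example a chroot or container without /dev/random) therefore silently yields bytes from the noise fallback instead of the source this patch selects. That branch should fail closed in FIPS mode by setting an error and returning 0, which callers presumably treat as failure, and keep the fallback for non-FIPS operation only. The block comment under the open call still names /dev/urandom; it could read `avoid reading more bytes than we need from the RNG device`. The body of RNG_SystemRNG continues past the end of the hunk, so the read loop itself is not visible here.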