updater: get the signature verification working on Windows

The updater itself does not link to NSS on Windows and instead uses the
Windows-internal crypto libraries. However the mar executable needs to
link against NSS, so we need to split the code a bit.

Change-Id: Iea61c716aa507a876fdb444eb28ad828bdea18bd
Reviewed-on: https://gerrit.libreoffice.org/40608
Reviewed-by: Markus Mohrhard <markus.mohrhard@googlemail.com>
Tested-by: Markus Mohrhard <markus.mohrhard@googlemail.com>

8 files changed, 77 insertions, 30 deletions

diff --git a/onlineupdate/Executable_mar.mk b/onlineupdate/Executable_mar.mk
index 3711809b1885..2c8adc47c15d 100644
--- a/onlineupdate/Executable_mar.mk
+++ b/onlineupdate/Executable_mar.mk
@@ -18,13 +18,9 @@ $(eval $(call gb_Executable_set_include,mar,\
 
 $(eval $(call gb_Executable_use_static_libraries,mar,\
     libmar \
+    libmarverify \
 ))
 
-$(eval $(call gb_Executable_use_externals,mar,\
-	nss3 \
-))
-
-
 ifeq ($(OS),WNT)
 $(eval $(call gb_Executable_add_libs,mar,\
     ws2_32.lib \
@@ -32,9 +28,13 @@ $(eval $(call gb_Executable_add_libs,mar,\
 ))
 endif
 
+$(eval $(call gb_Executable_use_externals,mar,\
+	nss3 \
+))
+
 $(eval $(call gb_Executable_add_defs,mar,\
-	-DMAR_NSS \
 	-DUNICODE \
+	-DMAR_NSS \
 ))
 
 $(eval $(call gb_Executable_add_defs,mar,\
diff --git a/onlineupdate/Executable_updater.mk b/onlineupdate/Executable_updater.mk
index ed20b19410d4..6071ae54837a 100644
--- a/onlineupdate/Executable_updater.mk
+++ b/onlineupdate/Executable_updater.mk
@@ -19,12 +19,17 @@ $(eval $(call gb_Executable_set_include,updater,\
 $(eval $(call gb_Executable_use_custom_headers,updater,onlineupdate/generated))
 
 $(eval $(call gb_Executable_use_static_libraries,updater,\
-    libmar \
+	libmar \
+    libmarverify \
     updatehelper \
 	$(if $(filter WNT,$(OS)), \
 		winhelper )\
 ))
 
+$(eval $(call gb_Executable_use_externals,updater,\
+	bzip2 \
+))
+
 ifeq ($(OS),WNT)
 $(eval $(call gb_Executable_add_libs,updater,\
 	Ws2_32.lib \
@@ -32,8 +37,26 @@ $(eval $(call gb_Executable_add_libs,updater,\
 	Comctl32.lib \
 	Shell32.lib \
 	Shlwapi.lib \
+	Crypt32.lib \
+))
+
+$(eval $(call gb_Executable_add_defs,updater,\
+	-DVERIFY_MAR_SIGNATURE \
+	-DUNICODE \
 ))
+
 else
+
+$(eval $(call gb_Executable_add_defs,updater,\
+	-DVERIFY_MAR_SIGNATURE \
+	-DNSS3 \
+))
+
+$(eval $(call gb_Executable_use_externals,updater,\
+	nss3 \
+	gtk \
+))
+
 $(eval $(call gb_Executable_add_libs,updater,\
 	-lX11 \
 	-lXext \
@@ -44,19 +67,6 @@ $(eval $(call gb_Executable_add_libs,updater,\
 ))
 endif
 
-$(eval $(call gb_Executable_use_externals,updater,\
-	bzip2 \
-	nss3 \
-	$(if $(filter LINUX,$(OS)), \
-		gtk )\
-))
-
-$(eval $(call gb_Executable_add_defs,updater,\
-	-DVERIFY_MAR_SIGNATURE \
-	-DNSS3 \
-	-DUNICODE \
-))
-
 $(eval $(call gb_Executable_add_exception_objects,updater,\
 	onlineupdate/source/update/updater/xpcom/glue/nsVersionComparator \
 	onlineupdate/source/update/updater/archivereader \
diff --git a/onlineupdate/Module_onlineupdate.mk b/onlineupdate/Module_onlineupdate.mk
index 8222be7a4ea6..2f3817182e03 100644
--- a/onlineupdate/Module_onlineupdate.mk
+++ b/onlineupdate/Module_onlineupdate.mk
@@ -13,6 +13,7 @@ $(eval $(call gb_Module_Module,onlineupdate))
 ifneq ($(ENABLE_ONLINE_UPDATE_MAR),)
 $(eval $(call gb_Module_add_targets,onlineupdate,\
 	StaticLibrary_libmar \
+	StaticLibrary_libmarverify \
 	StaticLibrary_updatehelper \
 	$(if $(filter WNT,$(OS)),\
 		Executable_update_service \
diff --git a/onlineupdate/README b/onlineupdate/README
index c3a944fd75ea..485a718499b3 100644
--- a/onlineupdate/README
+++ b/onlineupdate/README
@@ -11,6 +11,8 @@ The source/service directory contains the code for the silent windows updater th
 == NOTE ==
 The updater executable should not depend on any other dynamic library in the LibreOffice installation as we would need to copy that one also to a temporary directory during update. We can't update any library or executable that is currently in use. For the updater executable we solve this problem by copying the updater before using it to a temporary directory.
 
+On Windows we use the system to provide us with a crypto library whereas on Linux we use NSS.
+
 == Update procedure ==
 
 The updater executable is run two times. In a first run, the current installation is copied to a "update" directory and the update is applied in this "update" directory. During the next run, a replacement request is executed. The replacement request removes the old installation directory and replaces it with the content of the "update" directory.
diff --git a/onlineupdate/StaticLibrary_libmar.mk b/onlineupdate/StaticLibrary_libmar.mk
index ee62c5d20a2a..1e0fc605566d 100644
--- a/onlineupdate/StaticLibrary_libmar.mk
+++ b/onlineupdate/StaticLibrary_libmar.mk
@@ -15,19 +15,17 @@ $(eval $(call gb_StaticLibrary_set_include,libmar,\
 ))
 
 $(eval $(call gb_StaticLibrary_add_defs,libmar,\
-	-DMAR_NSS \
-))
-
-$(eval $(call gb_StaticLibrary_use_externals,libmar,\
-	nss3 \
+	-DUNICODE \
 ))
 
 $(eval $(call gb_StaticLibrary_add_cobjects,libmar,\
 	onlineupdate/source/libmar/src/mar_create \
 	onlineupdate/source/libmar/src/mar_extract \
 	onlineupdate/source/libmar/src/mar_read \
-	onlineupdate/source/libmar/verify/mar_verify \
-	onlineupdate/source/libmar/verify/cryptox \
+))
+
+$(eval $(call gb_StaticLibrary_use_static_libraries,\
+	libmarverify \
 ))
 
 # vim:set shiftwidth=4 tabstop=4 noexpandtab: */
diff --git a/onlineupdate/StaticLibrary_libmarverify.mk b/onlineupdate/StaticLibrary_libmarverify.mk
new file mode 100644
index 000000000000..d95aeb44f79c
--- /dev/null
+++ b/onlineupdate/StaticLibrary_libmarverify.mk
@@ -0,0 +1,36 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_StaticLibrary_StaticLibrary,libmarverify))
+
+$(eval $(call gb_StaticLibrary_set_include,libmarverify,\
+	-I$(SRCDIR)/onlineupdate/source/libmar/src/ \
+	$$(INCLUDE) \
+))
+
+ifeq ($(OS),WNT)
+$(eval $(call gb_StaticLibrary_add_defs,libmarverify,\
+	-DUNICODE \
+))
+else
+$(eval $(call gb_StaticLibrary_add_defs,libmar,\
+	-DMAR_NSS \
+))
+
+$(eval $(call gb_StaticLibrary_use_externals,libmarverify,\
+	nss3 \
+))
+endif
+
+$(eval $(call gb_StaticLibrary_add_cobjects,libmarverify,\
+	onlineupdate/source/libmar/verify/mar_verify \
+	onlineupdate/source/libmar/verify/cryptox \
+))
+
+# vim:set shiftwidth=4 tabstop=4 noexpandtab: */
diff --git a/onlineupdate/qa/single_step/Makefile b/onlineupdate/qa/single_step/Makefile
index 24879f1e7e6e..f303992baa0f 100644
--- a/onlineupdate/qa/single_step/Makefile
+++ b/onlineupdate/qa/single_step/Makefile
@@ -8,7 +8,7 @@ all : call
 unpack:
 	@echo "Unpacking the updater test project"
 	@rm -r $(UPDATER_DIR) || true
-	@mkdir -p $(WORKDIR)/updater/
+	@mkdir -p $(UPDATER_DIR)
 	@unzip single_step.zip -d $(WORKDIR)/updater > /dev/null
 	@mkdir -p $(UPDATER_DIR)/patch
 
diff --git a/onlineupdate/source/libmar/verify/cryptox.c b/onlineupdate/source/libmar/verify/cryptox.c
index 7edf8bea233d..5cda191dec7e 100644
--- a/onlineupdate/source/libmar/verify/cryptox.c
+++ b/onlineupdate/source/libmar/verify/cryptox.c
@@ -11,13 +11,13 @@
 #include <stdlib.h>
 #include "cryptox.h"
 
-#if defined(MAR_NSS)
-
 #ifdef _WIN32
 #pragma warning(push)
 #pragma warning(disable: 4204)
 #endif
 
+#if defined(MAR_NSS)
+
 /**
  * Loads the public key for the specified cert name from the NSS store.
  *