Diffstat (limited to 'external/xmlsec')
-rw-r--r-- | external/xmlsec/BCryptKeyDerivation.patch.1 | 51 | ||||
-rw-r--r-- | external/xmlsec/ExternalProject_xmlsec.mk | 44 | ||||
-rw-r--r-- | external/xmlsec/UnpackedTarball_xmlsec.mk | 4 | ||||
-rw-r--r-- | external/xmlsec/old-nss.patch.1 | 67 |
4 files changed, 153 insertions, 13 deletions
diff --git a/external/xmlsec/BCryptKeyDerivation.patch.1 b/external/xmlsec/BCryptKeyDerivation.patch.1
new file mode 100644
index 000000000000..3747915f87d2
--- /dev/null
+++ b/external/xmlsec/BCryptKeyDerivation.patch.1
@@ -0,0 +1,51 @@
+tdf#159519 Windows 7 does not have BCryptKeyDerivation
+
+It just occurred to me that these functions would of course not be called
+by LibreOffice so this is untested.
+
+--- xmlsec/src/mscng/pbkdf2.c.orig 2024-02-21 19:02:56.539534152 +0100
++++ xmlsec/src/mscng/pbkdf2.c 2024-02-21 19:01:03.282270354 +0100
+@@ -318,7 +318,20 @@
+ }
+
+ /* generate the output key */
++#if 1 // _WIN32_WINNT <= 0x0601
++ typedef NTSTATUS (WINAPI * BCryptKeyDerivationPtr)(
++ BCRYPT_KEY_HANDLE, BCryptBufferDesc *, PUCHAR, ULONG, ULONG *, ULONG);
++ HMODULE hBCrypt = GetModuleHandle("bcrypt.dll");
++ BCryptKeyDerivationPtr pBCryptKeyDerivation =
++ (BCryptKeyDerivationPtr) GetProcAddress(hBCrypt, "BCryptKeyDerivation");
++ if(NULL == pBCryptKeyDerivation) {
++ xmlSecMSCngNtError("BCryptKeyDerivation", NULL, status);
++ goto done;
++ }
++ status = (*pBCryptKeyDerivation)(
++#else
+ status = BCryptKeyDerivation(
++#endif
+ hKey,
+ ¶msPBKDF2,
+ pbOut,
--- xmlsec/src/mscng/concatkdf.c.orig 2024-02-21 19:02:37.962490885 +0100
++++ xmlsec/src/mscng/concatkdf.c 2024-02-21 19:01:37.961351134 +0100
+@@ -318,7 +318,20 @@
+ }
+
+ /* generate the output key */
++#if 1 // _WIN32_WINNT <= 0x0601
++ typedef NTSTATUS (WINAPI * BCryptKeyDerivationPtr)(
++ BCRYPT_KEY_HANDLE, BCryptBufferDesc *, PUCHAR, ULONG, ULONG *, ULONG);
++ HMODULE hBCrypt = GetModuleHandle("bcrypt.dll");
++ BCryptKeyDerivationPtr pBCryptKeyDerivation =
++ (BCryptKeyDerivationPtr) GetProcAddress(hBCrypt, "BCryptKeyDerivation");
++ if(NULL == pBCryptKeyDerivation) {
++ xmlSecMSCngNtError("BCryptKeyDerivation", NULL, status);
++ goto done;
++ }
++ status = (*pBCryptKeyDerivation)(
++#else
+ status = BCryptKeyDerivation(
++#endif
+ hKey,
+ ¶msCONCATKDF2,
+ pbOut,
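Review bot: The added lookup never checks `hBCrypt` (GetModuleHandle only succeeds if bcrypt.dll is already mapped into the process), and on failure `xmlSecMSCngNtError("BCryptKeyDerivation", NULL, status)` reports whatever `status` still holds from the preceding BCrypt call, presumably a success code, so a missing export would be logged under a misleading NTSTATUS. Since GetModuleHandle/GetProcAddress report through GetLastError, the guard should cover both handles and use the Win32 error path: `if(NULL == hBCrypt || NULL == pBCryptKeyDerivation) {` / `xmlSecMSCngLastError("GetProcAddress(BCryptKeyDerivation)", NULL);` / `goto done;` — if xmlsec's mscng error helpers provide that variant here; otherwise at least assign `status` a failure value before reporting. The `#if 1 // _WIN32_WINNT <= 0x0601` makes the dynamic path unconditional, so the `status = BCryptKeyDerivation(` branch is dead in every build; a one-line comment saying this is deliberate would help, given the header already admits the path is untested. The identical 13-line block is duplicated in concatkdf.c and would be easier to keep consistent as a single static helper. Both enclosing functions start and end outside the hunk.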
diff --git a/external/xmlsec/ExternalProject_xmlsec.mk b/external/xmlsec/ExternalProject_xmlsec.mk
index 8fb0ef56fa09..64b9a18626c6 100644
--- a/external/xmlsec/ExternalProject_xmlsec.mk
+++ b/external/xmlsec/ExternalProject_xmlsec.mk
@@ -9,14 +9,22 @@
 $(eval $(call gb_ExternalProject_ExternalProject,xmlsec))
-$(eval $(call gb_ExternalProject_use_external,xmlsec,libxml2))
-
-$(eval $(call gb_ExternalProject_use_external,xmlsec,nss3))
+$(eval $(call gb_ExternalProject_use_externals,xmlsec,\
+ libxml2 \
+ $(if $(ENABLE_NSS),nss3,$(if $(ENABLE_OPENSSL),openssl)) \
+))
 $(eval $(call gb_ExternalProject_register_targets,xmlsec,\
 build \
 ))
+# note: it's possible to use XSLT in XML signatures - that appears to be a
+# really bad idea from a security point of view though, because it will run
+# an XSLT script supplied as untrusted input, and XSLT implementations
+# tend to have extension functions, and some of these trivially allow
+# running arbitrary code... so investigate the situation with libxslt
+# before enabling it here; hopefully nobody uses XSLT in practice anyway.
+
 ifeq ($(OS),WNT)
 $(eval $(call gb_ExternalProject_use_nmake,xmlsec,build))
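Review bot: The nested `$(if $(ENABLE_NSS),nss3,$(if $(ENABLE_OPENSSL),openssl))` silently adds no crypto external at all when neither variable is set, and nothing in this file states when that is legitimate (presumably only WNT, where the nmake build further down uses xmlsec's own Windows backend). A comment above the call such as `# no NSS and no OpenSSL is only valid on WNT, where xmlsec uses its mscng backend`, or an `$(error xmlsec needs NSS or OpenSSL on this platform)` guarded on non-WNT, would turn an obscure configure failure into a clear one. The XSLT note is a welcome addition; naming the `--without-libxslt` configure flag used in the build rule below as the switch it refers to would let a reader find the enforcement point without searching.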
@@ -38,20 +46,30 @@ $(call gb_ExternalProject_get_state_target,xmlsec,build) :
 $(call gb_Trace_StartRange,xmlsec,EXTERNAL)
 $(call gb_ExternalProject_run,build,\
 $(if $(filter iOS MACOSX,$(OS_FOR_BUILD)),ACLOCAL="aclocal -I $(SRCDIR)/m4/mac") \
- $(if $(filter AIX,$(OS)),ACLOCAL="aclocal -I /opt/freeware/share/aclocal") \
 autoreconf \
- && ./configure \
- --with-pic --disable-shared --disable-crypto-dl --without-libxslt --without-gnutls --without-gcrypt --disable-apps --disable-docs \
+ && $(gb_RUN_CONFIGURE) ./configure \
+ --with-pic --disable-shared --disable-crypto-dl --without-libxslt --without-gnutls --without-gcrypt --disable-apps --disable-docs --disable-pedantic \
 $(if $(verbose),--disable-silent-rules,--enable-silent-rules) \
- CFLAGS="$(CFLAGS) $(if $(ENABLE_OPTIMIZED),$(gb_COMPILEROPTFLAGS),$(gb_COMPILERNOOPTFLAGS)) $(if $(debug),$(gb_DEBUGINFO_FLAGS)) $(gb_VISIBILITY_FLAGS)" \
- --without-openssl \
+ $(if $(filter -fsanitize=undefined,$(CC)),CC='$(CC) -fno-sanitize=function') \
+ CFLAGS="$(CFLAGS) $(call gb_ExternalProject_get_build_flags,xmlsec) $(gb_VISIBILITY_FLAGS)" \
 $(if $(filter MACOSX,$(OS)),--prefix=/@.__________________________________________________OOO) \
- $(if $(SYSTEM_NSS),,$(if $(filter MACOSX,$(OS_FOR_BUILD)),--disable-pkgconfig)) \
- $(if $(SYSTEM_NSS),,NSPR_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include" NSPR_LIBS="-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib -lnspr4") \
- $(if $(SYSTEM_NSS),,NSS_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss" NSS_LIBS="-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib -lsmime3 -lnss3 -lnssutil3") \
- $(if $(CROSS_COMPILING),--build=$(BUILD_PLATFORM) --host=$(HOST_PLATFORM)) \
+ $(if $(ENABLE_NSS), \
+ --without-openssl \
+ $(if $(SYSTEM_NSS),, \
+ $(if $(filter MACOSX,$(OS_FOR_BUILD)),--disable-pkgconfig) \
+ NSPR_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include" NSPR_LIBS="-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib -lnspr4" \
+ NSS_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss" NSS_LIBS="-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib -lsmime3 -lnss3 -lnssutil3" \
+ ), \
+ $(if $(ENABLE_OPENSSL), \
+ $(if $(SYSTEM_OPENSSL),, \
+ OPENSSL_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,openssl)/include" \
+ OPENSSL_LIBS="-L$(call gb_UnpackedTarball_get_dir,openssl) -lcrypto -lssl" \
+ ), \
+ --without-openssl) \
+ ) \
+ $(gb_CONFIGURE_PLATFORMS) \
 $(if $(SYSBASE),CFLAGS="-I$(SYSBASE)/usr/include" \
- LDFLAGS="-L$(SYSBASE)/usr/lib $(if $(filter-out LINUX FREEBSD,$(OS)),",-Wl$(COMMA)-z$(COMMA)origin -Wl$(COMMA)-rpath$(COMMA)\\"\$$\$$ORIGIN)) \
+ LDFLAGS="$(call gb_ExternalProject_get_link_flags,xmlsec) -L$(SYSBASE)/usr/lib $(if $(filter-out LINUX FREEBSD,$(OS)),",-Wl$(COMMA)-z$(COMMA)origin -Wl$(COMMA)-rpath$(COMMA)\\"\$$\$$ORIGIN)) \
 && $(MAKE) \
 )
 $(call gb_Trace_EndRange,xmlsec,EXTERNAL)
diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk b/external/xmlsec/UnpackedTarball_xmlsec.mk
index 3ad978cdb829..906aece5f7ed 100644
--- a/external/xmlsec/UnpackedTarball_xmlsec.mk
+++ b/external/xmlsec/UnpackedTarball_xmlsec.mk
@@ -8,6 +8,10 @@
 #
 xmlsec_patches :=
+# Remove this when Ubuntu 20.04 is EOL in 2025.
+xmlsec_patches += old-nss.patch.1
+# Remove this when Windows 7 is no longer supported
+xmlsec_patches += BCryptKeyDerivation.patch.1
 $(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec))
diff --git a/external/xmlsec/old-nss.patch.1 b/external/xmlsec/old-nss.patch.1
new file mode 100644
index 000000000000..0da576b59920
--- /dev/null
+++ b/external/xmlsec/old-nss.patch.1
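Review bot: The new `$(if $(ENABLE_OPENSSL), ...)` branch of the configure arguments never passes `--without-nss`, while the NSS branch does pass `--without-openssl`; xmlsec's configure probes for NSS on its own, so an OpenSSL build on a host that happens to have NSS development files can end up with both backends compiled in and, because `--disable-crypto-dl` is set, a default crypto library chosen at build time rather than by this makefile. The trailing `--without-openssl)` fallback has the same gap. Adding `--without-nss \` as the first line of the OpenSSL branch (and to the fallback) pins the backend to what the build configuration actually selected. This is inferred from the flags visible here rather than from xmlsec's configure script, so it is worth confirming in config.log which crypto backends an OpenSSL build enables.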
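Review bot: The comment `# Remove this when Ubuntu 20.04 is EOL in 2025.` implies old-nss.patch.1 only affects builds against old NSS, but the patch hunk further down uses unconditional `#if 1` and `#if 0`, so every NSS build, including one against current NSS, loses the AES-GCM transforms and RSA-OAEP. Anyone deciding whether the patch can be dropped, or debugging why an encryption algorithm is unavailable, needs that stated at the point where the patch is enabled: `# Remove this when Ubuntu 20.04 is EOL in 2025. NOTE: unconditionally disables AES-GCM and RSA-OAEP in xmlsec's NSS backend, not only for old NSS.` The Windows 7 comment could likewise say that BCryptKeyDerivation.patch.1 switches all Windows builds to a runtime lookup of the function, since its `#if 1` is not limited to Windows 7.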
@@ -0,0 +1,67 @@
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..fe9904be 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -105,6 +105,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes192CbcGetKlass(void
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes256CbcGetKlass(void);
+
+
++#if 0
+ /**
+ * xmlSecNssTransformAes128GcmId:
+ *
+@@ -131,6 +132,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes192GcmGetKlass(void
+ #define xmlSecNssTransformAes256GcmId \
+ xmlSecNssTransformAes256GcmGetKlass()
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes256GcmGetKlass(void);
++#endif
+
+
+ /**
+diff --git a/src/nss/ciphers_gcm.c b/src/nss/ciphers_gcm.c
+index 5763a756..7b50e5fd 100644
+--- a/src/nss/ciphers_gcm.c
++++ b/src/nss/ciphers_gcm.c
+@@ -31,6 +31,7 @@
+ #include "../cast_helpers.h"
+ #include "../kw_aes_des.h"
+
++#if 0
+ /* https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
+ *
+ * For the purposes of this specification, AES-GCM shall be used with
+@@ -591,3 +592,4 @@ xmlSecNssTransformAes256GcmGetKlass(void) {
+ }
+
+ #endif /* XMLSEC_NO_AES */
++#endif
+diff --git a/src/nss/crypto.c b/src/nss/crypto.c
+index 429d209f..e0296bda 100644
+--- a/src/nss/crypto.c
++++ b/src/nss/crypto.c
+@@ -162,10 +162,12 @@ xmlSecCryptoGetFunctions_nss(void) {
+ gXmlSecNssFunctions->transformAes192CbcGetKlass = xmlSecNssTransformAes192CbcGetKlass;
+ gXmlSecNssFunctions->transformAes256CbcGetKlass = xmlSecNssTransformAes256CbcGetKlass;
+
++#if 0
+ /* gcm */
+ gXmlSecNssFunctions->transformAes128GcmGetKlass = xmlSecNssTransformAes128GcmGetKlass;
+ gXmlSecNssFunctions->transformAes192GcmGetKlass = xmlSecNssTransformAes192GcmGetKlass;
+ gXmlSecNssFunctions->transformAes256GcmGetKlass = xmlSecNssTransformAes256GcmGetKlass;
++#endif
+
+ /* kw: uses AES ECB */
+ gXmlSecNssFunctions->transformKWAes128GetKlass = xmlSecNssTransformKWAes128GetKlass;
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..4c3dc4d3 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -26,7 +26,7 @@
+ * RSA OAEP requires https://bugzilla.mozilla.org/show_bug.cgi?id=1666891
+ * which was fixed in NSS 3.59 (https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_releases/nss_3.59_release_notes/index.html)
+ */
+-#if (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59))
++#if 1
+ #define XMLSEC_NO_RSA_OAEP 1
+ #else /* (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59)) */
+ #define XMLSEC_NO_MD5 1 |
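Review bot: Replacing the NSS version test in crypto.h with `#if 1` disables RSA-OAEP for every NSS version and also makes the `#else` branch unreachable, so its `#define XMLSEC_NO_MD5 1` (which, per the `#else` comment, upstream applies to NSS 3.59 and newer) no longer takes effect and MD5 stays enabled against new NSS; the three `#if 0` blocks likewise remove AES-GCM from all NSS builds, not only the Ubuntu 20.04 case the UnpackedTarball comment gives as the reason. If the 20.04 headers are the only problem, a version condition keeps the loss confined: restore the `NSS_VMAJOR`/`NSS_VMINOR` test on the OAEP line and put the same guard, at whatever threshold the 20.04 NSS actually needs (not determinable from this hunk), around the GCM blocks instead of `#if 0`. If a blanket disable is intended, the patch header should say so and explain why the existing version check did not suffice, so the next reader does not have to re-derive it. The `#if`/`#else` block in the final file continues past the end of the hunk, so the rest of the `#else` branch is not visible here.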