download.lst                              |    4 -
 external/xmlsec/UnpackedTarball_xmlsec.mk |    2 
 external/xmlsec/old-nss.patch.1           |   66 ++++++++++++++++++++++++++++++
 xmlsecurity/inc/xmlsec-wrapper.h          |    5 --
 4 files changed, 70 insertions(+), 7 deletions(-)

New commits:
commit bfd479abf0d1d8ce36c3b0dcc6c824216f88a95b
Author:     Miklos Vajna <vmik...@collabora.com>
AuthorDate: Thu Jun 8 16:45:53 2023 +0200
Commit:     Miklos Vajna <vmik...@collabora.com>
CommitDate: Fri Jun 9 08:11:34 2023 +0200

    Update libxmlsec to 1.3.1
    
    This time try to do it in a way that doesn't re-introduce tdf#155034,
    i.e. patch out code that would use NSS symbols which are in the RHEL7
    baseline, but are not in Ubuntu 18.04. This is all code like RSA OAEP or
    AES GCM which is relatively new, so not really required for our
    signature needs.
    
    It also helps that this release has a lowered baseline for NSS.
    
    Change-Id: I5a8df6d98462e8173a5508e014bd2d515da2dc9d
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152747
    Tested-by: Justin Luth <jl...@mail.com>
    Tested-by: Jenkins
    Reviewed-by: Miklos Vajna <vmik...@collabora.com>

diff --git a/download.lst b/download.lst
index 5366f5e1bbbd..1b40709f0858 100644
--- a/download.lst
+++ b/download.lst
@@ -334,8 +334,8 @@ LIBWEBP_TARBALL := libwebp-1.3.0.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-XMLSEC_SHA256SUM := 
5f8dfbcb6d1e56bddd0b5ec2e00a3d0ca5342a9f57c24dffde5c796b2be2871c
-XMLSEC_TARBALL := xmlsec1-1.2.37.tar.gz
+XMLSEC_SHA256SUM := 
10f48384d4fd1afc05fea545b74fbf7c152582f0a895c189f164d55270400c63
+XMLSEC_TARBALL := xmlsec1-1.3.1.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk 
b/external/xmlsec/UnpackedTarball_xmlsec.mk
index 3ad978cdb829..77d3386b27dc 100644
--- a/external/xmlsec/UnpackedTarball_xmlsec.mk
+++ b/external/xmlsec/UnpackedTarball_xmlsec.mk
@@ -8,6 +8,8 @@
 #
 
 xmlsec_patches :=
+# Remove this when Ubuntu 20.04 is EOL in 2025.
+xmlsec_patches += old-nss.patch.1
 
 $(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec))
 
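Review bot: The comment added above `xmlsec_patches += old-nss.patch.1` gives a removal date but not the condition that makes the patch removable, and it names Ubuntu 20.04 while the commit message names Ubuntu 18.04 as the baseline missing the NSS symbols. Since the patch switches off cryptographic transforms, the comment should say which ones and why, so that a later xmlsec update does not carry it forward unnoticed. Something like `# Disables NSS AES-GCM and RSA-OAEP (the latter needs NSS >= 3.59) for old-NSS baselines; remove when Ubuntu 20.04 is EOL in 2025.` would do, with the release name checked against the actual baseline.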
diff --git a/external/xmlsec/old-nss.patch.1 b/external/xmlsec/old-nss.patch.1
new file mode 100644
index 000000000000..b46453586351
--- /dev/null
+++ b/external/xmlsec/old-nss.patch.1
@@ -0,0 +1,66 @@
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..fe9904be 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -105,6 +105,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId  
xmlSecNssTransformAes192CbcGetKlass(void
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId  
xmlSecNssTransformAes256CbcGetKlass(void);
+ 
+ 
++#if 0
+ /**
+  * xmlSecNssTransformAes128GcmId:
+  *
+@@ -131,6 +132,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId  
xmlSecNssTransformAes192GcmGetKlass(void
+ #define xmlSecNssTransformAes256GcmId \
+         xmlSecNssTransformAes256GcmGetKlass()
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId  
xmlSecNssTransformAes256GcmGetKlass(void);
++#endif
+ 
+ 
+ /**
+diff --git a/src/nss/ciphers_gcm.c b/src/nss/ciphers_gcm.c
+index 5763a756..7b50e5fd 100644
+--- a/src/nss/ciphers_gcm.c
++++ b/src/nss/ciphers_gcm.c
+@@ -31,6 +31,7 @@
+ #include "../cast_helpers.h"
+ #include "../kw_aes_des.h"
+ 
++#if 0
+ /* https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
+  *
+  * For the purposes of this specification, AES-GCM shall be used with
+@@ -591,3 +592,4 @@ xmlSecNssTransformAes256GcmGetKlass(void) {
+ }
+ 
+ #endif /* XMLSEC_NO_AES */
++#endif
+diff --git a/src/nss/crypto.c b/src/nss/crypto.c
+index 429d209f..e0296bda 100644
+--- a/src/nss/crypto.c
++++ b/src/nss/crypto.c
+@@ -131,9 +131,11 @@ xmlSecCryptoGetFunctions_nss(void) {
+     gXmlSecNssFunctions->transformAes192CbcGetKlass     = 
xmlSecNssTransformAes192CbcGetKlass;
+     gXmlSecNssFunctions->transformAes256CbcGetKlass     = 
xmlSecNssTransformAes256CbcGetKlass;
+ 
++#if 0
+     gXmlSecNssFunctions->transformAes128GcmGetKlass     = 
xmlSecNssTransformAes128GcmGetKlass;
+     gXmlSecNssFunctions->transformAes192GcmGetKlass     = 
xmlSecNssTransformAes192GcmGetKlass;
+     gXmlSecNssFunctions->transformAes256GcmGetKlass     = 
xmlSecNssTransformAes256GcmGetKlass;
++#endif
+ 
+     gXmlSecNssFunctions->transformKWAes128GetKlass      = 
xmlSecNssTransformKWAes128GetKlass;
+     gXmlSecNssFunctions->transformKWAes192GetKlass      = 
xmlSecNssTransformKWAes192GetKlass;
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..4c3dc4d3 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -26,7 +26,7 @@
+  * RSA OAEP requires https://bugzilla.mozilla.org/show_bug.cgi?id=1666891
+  * which was fixed in NSS 3.59 
(https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_releases/nss_3.59_release_notes/index.html)
+  */
+-#if (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59))
++#if 1
+ #define XMLSEC_NO_RSA_OAEP 1
+ #else  /* (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59)) */
+ #define XMLSEC_NO_MD5 1
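Review bot: Replacing the NSS version test with `#if 1` in the second include/xmlsec/nss/crypto.h hunk also makes the `#else` branch dead, so this header never defines `XMLSEC_NO_MD5`, whatever NSS version is in use. The commit message only mentions dropping RSA OAEP and AES GCM, so leaving the MD5 transforms compiled in on NSS 3.59 and later looks unintended and is worth confirming for a signature library. Keeping the original `#if` line and adding `#define XMLSEC_NO_RSA_OAEP 1` to the `#else` branch next to `#define XMLSEC_NO_MD5 1` would disable OAEP everywhere without changing the MD5 setting. The closing `#endif` is outside the hunk, so this reading assumes nothing further down redefines either macro.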
diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h
index e4048de94bf2..7c6d267e8b73 100644
--- a/xmlsecurity/inc/xmlsec-wrapper.h
+++ b/xmlsecurity/inc/xmlsec-wrapper.h
@@ -23,11 +23,6 @@
 
 #include <sal/types.h>
 
-// Cf. xmlsec's configure.in:
-#if SAL_TYPES_SIZEOFPOINTER != 4 && !defined SYSTEM_XMLSEC
-#define XMLSEC_NO_SIZE_T
-#endif
-
 #include <xmlsec/base64.h>
 #include <xmlsec/bn.h>
 #include <xmlsec/errors.h>
