download.lst | 4 - external/xmlsec/UnpackedTarball_xmlsec.mk | 2 external/xmlsec/old-nss.patch.1 | 66 ++++++++++++++++++++++++++++++ xmlsecurity/inc/xmlsec-wrapper.h | 5 -- 4 files changed, 70 insertions(+), 7 deletions(-)
New commits: commit bfd479abf0d1d8ce36c3b0dcc6c824216f88a95b Author: Miklos Vajna <vmik...@collabora.com> AuthorDate: Thu Jun 8 16:45:53 2023 +0200 Commit: Miklos Vajna <vmik...@collabora.com> CommitDate: Fri Jun 9 08:11:34 2023 +0200 Update libxmlsec to 1.3.1 This time try to do it in a way that doesn't re-introduce tdf#155034, i.e. patch out code that would use NSS symbols which are in the RHEL7 baseline, but are not in Ubuntu 18.04. This is all code like RSA OAEP or AES GCM which is relatively new, so not really required for our signature needs. It also helps that this release has a lowered baseline for NSS. Change-Id: I5a8df6d98462e8173a5508e014bd2d515da2dc9d Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152747 Tested-by: Justin Luth <jl...@mail.com> Tested-by: Jenkins Reviewed-by: Miklos Vajna <vmik...@collabora.com> diff --git a/download.lst b/download.lst index 5366f5e1bbbd..1b40709f0858 100644 --- a/download.lst +++ b/download.lst @@ -334,8 +334,8 @@ LIBWEBP_TARBALL := libwebp-1.3.0.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts -XMLSEC_SHA256SUM := 5f8dfbcb6d1e56bddd0b5ec2e00a3d0ca5342a9f57c24dffde5c796b2be2871c -XMLSEC_TARBALL := xmlsec1-1.2.37.tar.gz +XMLSEC_SHA256SUM := 10f48384d4fd1afc05fea545b74fbf7c152582f0a895c189f164d55270400c63 +XMLSEC_TARBALL := xmlsec1-1.3.1.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk b/external/xmlsec/UnpackedTarball_xmlsec.mk index 3ad978cdb829..77d3386b27dc 100644 --- a/external/xmlsec/UnpackedTarball_xmlsec.mk +++ b/external/xmlsec/UnpackedTarball_xmlsec.mk @@ -8,6 +8,8 @@ # xmlsec_patches := +# Remove this when Ubuntu 20.04 is EOL in 2025. +xmlsec_patches += old-nss.patch.1 $(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec)) diff --git a/external/xmlsec/old-nss.patch.1 b/external/xmlsec/old-nss.patch.1 new file mode 100644 index 000000000000..b46453586351 --- /dev/null 
+++ b/external/xmlsec/old-nss.patch.1 
@@ -0,0 +1,66 @@
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..fe9904be 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -105,6 +105,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes192CbcGetKlass(void
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes256CbcGetKlass(void);
+
+
++#if 0
+ /**
+ * xmlSecNssTransformAes128GcmId:
+ *
+@@ -131,6 +132,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes192GcmGetKlass(void
+ #define xmlSecNssTransformAes256GcmId \
+ xmlSecNssTransformAes256GcmGetKlass()
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes256GcmGetKlass(void);
++#endif
+
+
+ /**
+diff --git a/src/nss/ciphers_gcm.c b/src/nss/ciphers_gcm.c
+index 5763a756..7b50e5fd 100644
+--- a/src/nss/ciphers_gcm.c
++++ b/src/nss/ciphers_gcm.c
+@@ -31,6 +31,7 @@
+ #include "../cast_helpers.h"
+ #include "../kw_aes_des.h"
+
++#if 0
+ /* https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
+ *
+ * For the purposes of this specification, AES-GCM shall be used with
+@@ -591,3 +592,4 @@ xmlSecNssTransformAes256GcmGetKlass(void) {
+ }
+
+ #endif /* XMLSEC_NO_AES */
++#endif
+diff --git a/src/nss/crypto.c b/src/nss/crypto.c
+index 429d209f..e0296bda 100644
+--- a/src/nss/crypto.c
++++ b/src/nss/crypto.c
+@@ -131,9 +131,11 @@ xmlSecCryptoGetFunctions_nss(void) {
+ gXmlSecNssFunctions->transformAes192CbcGetKlass = xmlSecNssTransformAes192CbcGetKlass;
+ gXmlSecNssFunctions->transformAes256CbcGetKlass = xmlSecNssTransformAes256CbcGetKlass;
+
++#if 0
+ gXmlSecNssFunctions->transformAes128GcmGetKlass = xmlSecNssTransformAes128GcmGetKlass;
+ gXmlSecNssFunctions->transformAes192GcmGetKlass = xmlSecNssTransformAes192GcmGetKlass;
+ gXmlSecNssFunctions->transformAes256GcmGetKlass = xmlSecNssTransformAes256GcmGetKlass;
++#endif
+
+ gXmlSecNssFunctions->transformKWAes128GetKlass = xmlSecNssTransformKWAes128GetKlass;
+ gXmlSecNssFunctions->transformKWAes192GetKlass =
xmlSecNssTransformKWAes192GetKlass; +diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h +index bb64c5f2..4c3dc4d3 100644 +--- a/include/xmlsec/nss/crypto.h ++++ b/include/xmlsec/nss/crypto.h +@@ -26,7 +26,7 @@ + * RSA OAEP requires https://bugzilla.mozilla.org/show_bug.cgi?id=1666891 + * which was fixed in NSS 3.59 (https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_releases/nss_3.59_release_notes/index.html) + */ +-#if (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59)) ++#if 1 + #define XMLSEC_NO_RSA_OAEP 1 + #else /* (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59)) */ + #define XMLSEC_NO_MD5 1 diff --git a/xmlsecurity/inc/xmlsec-wrapper.h b/xmlsecurity/inc/xmlsec-wrapper.h index e4048de94bf2..7c6d267e8b73 100644 --- a/xmlsecurity/inc/xmlsec-wrapper.h +++ b/xmlsecurity/inc/xmlsec-wrapper.h @@ -23,11 +23,6 @@ #include <sal/types.h> -// Cf. xmlsec's configure.in: -#if SAL_TYPES_SIZEOFPOINTER != 4 && !defined SYSTEM_XMLSEC -#define XMLSEC_NO_SIZE_T -#endif - #include <xmlsec/base64.h> #include <xmlsec/bn.h> #include <xmlsec/errors.h>
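Review bot: In the last section of old-nss.patch.1 (the second diff against include/xmlsec/nss/crypto.h), replacing the NSS version test with `#if 1` also makes the `#else` branch unreachable, so `#define XMLSEC_NO_MD5 1` is never emitted, even when building against NSS 3.59 or later. The commit message only mentions patching out RSA OAEP and AES GCM, so this side effect looks unintended; presumably that macro compiles the MD5-based transforms out and the patched build would keep them, which should be confirmed against the xmlsec sources. To leave the MD5 behaviour as upstream has it, force only the OAEP define: emit `#define XMLSEC_NO_RSA_OAEP 1` unconditionally and guard `#define XMLSEC_NO_MD5 1` with `#if !((NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59)))`. The `#endif` that closes this conditional lies outside the visible context of the inner hunk.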