Diffstat (limited to 'external/xmlsec')
-rw-r--r-- | external/xmlsec/ExternalPackage_xmlsec.mk | 19 | ||||
-rw-r--r-- | external/xmlsec/ExternalProject_xmlsec.mk | 79 | ||||
-rw-r--r-- | external/xmlsec/Makefile | 7 | ||||
-rw-r--r-- | external/xmlsec/Module_xmlsec.mk | 18 | ||||
-rw-r--r-- | external/xmlsec/README | 5 | ||||
-rw-r--r-- | external/xmlsec/UnpackedTarball_xmlsec.mk | 24 | ||||
-rw-r--r-- | external/xmlsec/old-nss.patch.1 | 66 |
7 files changed, 218 insertions, 0 deletions
diff --git a/external/xmlsec/ExternalPackage_xmlsec.mk b/external/xmlsec/ExternalPackage_xmlsec.mk
new file mode 100644
index 0000000000..68ddfaff8c
--- /dev/null
+++ b/external/xmlsec/ExternalPackage_xmlsec.mk
@@ -0,0 +1,19 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_ExternalPackage_ExternalPackage,xmlsec,xmlsec))
+
+$(eval $(call gb_ExternalPackage_use_external_project,xmlsec,xmlsec))
+
+ifeq ($(OS),WNT)
+$(eval $(call gb_ExternalPackage_add_file,xmlsec,$(LIBO_LIB_FOLDER)/libxmlsec-mscng.dll,win32/binaries/libxmlsec-mscng.dll))
+$(eval $(call gb_ExternalPackage_add_file,xmlsec,$(LIBO_LIB_FOLDER)/libxmlsec.dll,win32/binaries/libxmlsec.dll))
+endif
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/xmlsec/ExternalProject_xmlsec.mk b/external/xmlsec/ExternalProject_xmlsec.mk
new file mode 100644
index 0000000000..64b9a18626
--- /dev/null
+++ b/external/xmlsec/ExternalProject_xmlsec.mk
@@ -0,0 +1,79 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_ExternalProject_ExternalProject,xmlsec))
+
+$(eval $(call gb_ExternalProject_use_externals,xmlsec,\
+ libxml2 \
+ $(if $(ENABLE_NSS),nss3,$(if $(ENABLE_OPENSSL),openssl)) \
+))
+
+$(eval $(call gb_ExternalProject_register_targets,xmlsec,\
+ build \
+))
+
+# note: it's possible to use XSLT in XML signatures - that appears to be a
+# really bad idea from a security point of view though, because it will run
+# an XSLT script supplied as untrusted input, and XSLT implementations
+# tend to have extension functions, and some of these trivially allow
+# running arbitrary code... so investigate the situation with libxslt
+# before enabling it here; hopefully nobody uses XSLT in practice anyway.
+
+ifeq ($(OS),WNT)
+
+$(eval $(call gb_ExternalProject_use_nmake,xmlsec,build))
+
+$(call gb_ExternalProject_get_state_target,xmlsec,build) :
+ $(call gb_Trace_StartRange,xmlsec,EXTERNAL)
+ $(call gb_ExternalProject_run,build,\
+ cscript /e:javascript configure.js crypto=mscng xslt=no iconv=no static=no \
+ lib=$(call gb_UnpackedTarball_get_dir,libxml2)/win32/bin.msvc \
+ $(if $(filter TRUE,$(ENABLE_DBGUTIL)),debug=yes cruntime=/MDd) \
+ cflags="$(SOLARINC) -I$(WORKDIR)/UnpackedTarball/libxml2/include -I$(WORKDIR)/UnpackedTarball/icu/source/i18n -I$(WORKDIR)/UnpackedTarball/icu/source/common" \
+ && nmake \
+ ,win32)
+ $(call gb_Trace_EndRange,xmlsec,EXTERNAL)
+
+else
+
+$(call gb_ExternalProject_get_state_target,xmlsec,build) :
+ $(call gb_Trace_StartRange,xmlsec,EXTERNAL)
+ $(call gb_ExternalProject_run,build,\
+ $(if $(filter iOS MACOSX,$(OS_FOR_BUILD)),ACLOCAL="aclocal -I $(SRCDIR)/m4/mac") \
+ autoreconf \
+ && $(gb_RUN_CONFIGURE) ./configure \
+ --with-pic --disable-shared --disable-crypto-dl --without-libxslt --without-gnutls --without-gcrypt --disable-apps --disable-docs --disable-pedantic \
+ $(if $(verbose),--disable-silent-rules,--enable-silent-rules) \
+ $(if $(filter -fsanitize=undefined,$(CC)),CC='$(CC) -fno-sanitize=function') \
+ CFLAGS="$(CFLAGS) $(call gb_ExternalProject_get_build_flags,xmlsec) $(gb_VISIBILITY_FLAGS)" \
+ $(if $(filter MACOSX,$(OS)),--prefix=/@.__________________________________________________OOO) \
+ $(if $(ENABLE_NSS), \
+ --without-openssl \
+ $(if $(SYSTEM_NSS),, \
+ $(if $(filter MACOSX,$(OS_FOR_BUILD)),--disable-pkgconfig) \
+ NSPR_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include" NSPR_LIBS="-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib -lnspr4" \
+ NSS_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss" NSS_LIBS="-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib -lsmime3 -lnss3 -lnssutil3" \
+ ), \
+ $(if $(ENABLE_OPENSSL), \
+ $(if $(SYSTEM_OPENSSL),, \
+ OPENSSL_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,openssl)/include" \
+ OPENSSL_LIBS="-L$(call gb_UnpackedTarball_get_dir,openssl) -lcrypto -lssl" \
+ ), \
+ --without-openssl) \
+ ) \
+ $(gb_CONFIGURE_PLATFORMS) \
+ $(if $(SYSBASE),CFLAGS="-I$(SYSBASE)/usr/include" \
+ LDFLAGS="$(call gb_ExternalProject_get_link_flags,xmlsec) -L$(SYSBASE)/usr/lib $(if $(filter-out LINUX FREEBSD,$(OS)),",-Wl$(COMMA)-z$(COMMA)origin -Wl$(COMMA)-rpath$(COMMA)\\"\$$\$$ORIGIN)) \
+ && $(MAKE) \
+ )
+ $(call gb_Trace_EndRange,xmlsec,EXTERNAL)
+
+endif
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/xmlsec/Makefile b/external/xmlsec/Makefile
new file mode 100644
index 0000000000..e4968cf85f
--- /dev/null
+++ b/external/xmlsec/Makefile
@@ -0,0 +1,7 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+
+module_directory:=$(dir $(realpath $(firstword $(MAKEFILE_LIST))))
+
+include $(module_directory)/../../solenv/gbuild/partial_build.mk
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/xmlsec/Module_xmlsec.mk b/external/xmlsec/Module_xmlsec.mk
new file mode 100644
index 0000000000..55b0a46547
--- /dev/null
+++ b/external/xmlsec/Module_xmlsec.mk
@@ -0,0 +1,18 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_Module_Module,xmlsec))
+
+$(eval $(call gb_Module_add_targets,xmlsec,\
+ UnpackedTarball_xmlsec \
+ ExternalPackage_xmlsec \
+ ExternalProject_xmlsec \
+))
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/xmlsec/README b/external/xmlsec/README
new file mode 100644
index 0000000000..9f2c5e5e71
--- /dev/null
+++ b/external/xmlsec/README
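Review bot: In external/xmlsec/ExternalProject_xmlsec.mk the non-Windows configure call passes `CFLAGS=` twice whenever `SYSBASE` is set: first `CFLAGS="$(CFLAGS) $(call gb_ExternalProject_get_build_flags,xmlsec) $(gb_VISIBILITY_FLAGS)"` and later `CFLAGS="-I$(SYSBASE)/usr/include"`. configure normally keeps the last assignment of a variable, so SYSBASE builds would presumably compile xmlsec without the project's build and visibility flags; appending `$(if $(SYSBASE),-I$(SYSBASE)/usr/include)` inside the first CFLAGS string and dropping the second assignment avoids the override. The `LDFLAGS=` assignment sits inside the same `$(if $(SYSBASE),…)`, so `gb_ExternalProject_get_link_flags` is only passed on SYSBASE builds; if those link flags carry hardening options that looks unintended, and either way it deserves a comment such as `# link flags are only needed for SYSBASE builds because …`.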
@@ -0,0 +1,5 @@
+XML signing, etc. From [http://www.aleksey.com/xmlsec/].
+
+The certificate vertification functionality of libxmlsec is not used, both the
+mscng and nss backends specify the
+XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS flag during verification.
diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk b/external/xmlsec/UnpackedTarball_xmlsec.mk
new file mode 100644
index 0000000000..77d3386b27
--- /dev/null
+++ b/external/xmlsec/UnpackedTarball_xmlsec.mk
@@ -0,0 +1,24 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+xmlsec_patches :=
+# Remove this when Ubuntu 20.04 is EOL in 2025.
+xmlsec_patches += old-nss.patch.1
+
+$(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec))
+
+$(eval $(call gb_UnpackedTarball_set_tarball,xmlsec,$(XMLSEC_TARBALL),,xmlsec))
+
+$(eval $(call gb_UnpackedTarball_update_autoconf_configs,xmlsec))
+
+$(eval $(call gb_UnpackedTarball_add_patches,xmlsec,\
+ $(foreach patch,$(xmlsec_patches),external/xmlsec/$(patch)) \
+))
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/xmlsec/old-nss.patch.1 b/external/xmlsec/old-nss.patch.1
new file mode 100644
index 0000000000..b464535863
--- /dev/null
+++ b/external/xmlsec/old-nss.patch.1
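Review bot: In external/xmlsec/UnpackedTarball_xmlsec.mk, `xmlsec_patches += old-nss.patch.1` is applied unconditionally, so builds against the bundled NSS or a current system NSS also lose the NSS AES-GCM transforms and RSA-OAEP that the patch switches off. The comment ties the patch to Ubuntu 20.04 only; if an old NSS can only come from the system, guarding the line with `ifneq ($(SYSTEM_NSS),)` … `endif` would limit the reduced algorithm set to the builds that need it. The comment should also say what the patch disables, for example `# Disables NSS AES-GCM and RSA-OAEP for old system NSS; remove when Ubuntu 20.04 is EOL in 2025.`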
@@ -0,0 +1,66 @@
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..fe9904be 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -105,6 +105,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes192CbcGetKlass(void
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes256CbcGetKlass(void);
+
+
++#if 0
+ /**
+ * xmlSecNssTransformAes128GcmId:
+ *
+@@ -131,6 +132,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes192GcmGetKlass(void
+ #define xmlSecNssTransformAes256GcmId \
+ xmlSecNssTransformAes256GcmGetKlass()
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes256GcmGetKlass(void);
++#endif
+
+
+ /**
+diff --git a/src/nss/ciphers_gcm.c b/src/nss/ciphers_gcm.c
+index 5763a756..7b50e5fd 100644
+--- a/src/nss/ciphers_gcm.c
++++ b/src/nss/ciphers_gcm.c
+@@ -31,6 +31,7 @@
+ #include "../cast_helpers.h"
+ #include "../kw_aes_des.h"
+
++#if 0
+ /* https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
+ *
+ * For the purposes of this specification, AES-GCM shall be used with
+@@ -591,3 +592,4 @@ xmlSecNssTransformAes256GcmGetKlass(void) {
+ }
+
+ #endif /* XMLSEC_NO_AES */
++#endif
+diff --git a/src/nss/crypto.c b/src/nss/crypto.c
+index 429d209f..e0296bda 100644
+--- a/src/nss/crypto.c
++++ b/src/nss/crypto.c
+@@ -131,9 +131,11 @@ xmlSecCryptoGetFunctions_nss(void) {
+ gXmlSecNssFunctions->transformAes192CbcGetKlass = xmlSecNssTransformAes192CbcGetKlass;
+ gXmlSecNssFunctions->transformAes256CbcGetKlass = xmlSecNssTransformAes256CbcGetKlass;
+
++#if 0
+ gXmlSecNssFunctions->transformAes128GcmGetKlass = xmlSecNssTransformAes128GcmGetKlass;
+ gXmlSecNssFunctions->transformAes192GcmGetKlass = xmlSecNssTransformAes192GcmGetKlass;
+ gXmlSecNssFunctions->transformAes256GcmGetKlass = xmlSecNssTransformAes256GcmGetKlass;
++#endif
+
+ gXmlSecNssFunctions->transformKWAes128GetKlass = xmlSecNssTransformKWAes128GetKlass;
+ gXmlSecNssFunctions->transformKWAes192GetKlass = xmlSecNssTransformKWAes192GetKlass;
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..4c3dc4d3 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -26,7 +26,7 @@
+ * RSA OAEP requires https://bugzilla.mozilla.org/show_bug.cgi?id=1666891
+ * which was fixed in NSS 3.59 (https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_releases/nss_3.59_release_notes/index.html)
+ */
+-#if (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59))
++#if 1
+ #define XMLSEC_NO_RSA_OAEP 1
+ #else /* (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59)) */
+ #define XMLSEC_NO_MD5 1 |
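Review bot: The last hunk of old-nss.patch.1 replaces the NSS version test with `#if 1`, which does more than disable RSA-OAEP: the `#else` branch that defines `XMLSEC_NO_MD5` can no longer be taken, so MD5 stays compiled in for every NSS version as far as this hunk shows (the conditional block continues outside it). If disabling OAEP on old NSS is the only goal, the original condition already does that; otherwise add `#define XMLSEC_NO_MD5 1` to the `#if 1` branch as well, or state in a comment why MD5 has to remain available. The three `#if 0` blocks around the AES-GCM declarations, implementation and function-table registration carry no explanation; a one-line reason beside each, along the lines of `/* LibreOffice: AES-GCM disabled for old system NSS, see UnpackedTarball_xmlsec.mk */`, would make the reduced algorithm set visible to whoever rebases the patch.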