Diffstat (limited to 'external/xmlsec')
-rw-r--r--external/xmlsec/ExternalPackage_xmlsec.mk19
-rw-r--r--external/xmlsec/ExternalProject_xmlsec.mk79
-rw-r--r--external/xmlsec/Makefile7
-rw-r--r--external/xmlsec/Module_xmlsec.mk18
-rw-r--r--external/xmlsec/README5
-rw-r--r--external/xmlsec/UnpackedTarball_xmlsec.mk24
-rw-r--r--external/xmlsec/old-nss.patch.166
7 files changed, 218 insertions, 0 deletions
diff --git a/external/xmlsec/ExternalPackage_xmlsec.mk b/external/xmlsec/ExternalPackage_xmlsec.mk
new file mode 100644
index 0000000000..68ddfaff8c
--- /dev/null
+++ b/external/xmlsec/ExternalPackage_xmlsec.mk
@@ -0,0 +1,19 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_ExternalPackage_ExternalPackage,xmlsec,xmlsec))
+
+$(eval $(call gb_ExternalPackage_use_external_project,xmlsec,xmlsec))
+
+ifeq ($(OS),WNT)
+$(eval $(call gb_ExternalPackage_add_file,xmlsec,$(LIBO_LIB_FOLDER)/libxmlsec-mscng.dll,win32/binaries/libxmlsec-mscng.dll))
+$(eval $(call gb_ExternalPackage_add_file,xmlsec,$(LIBO_LIB_FOLDER)/libxmlsec.dll,win32/binaries/libxmlsec.dll))
+endif
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/xmlsec/ExternalProject_xmlsec.mk b/external/xmlsec/ExternalProject_xmlsec.mk
new file mode 100644
index 0000000000..64b9a18626
--- /dev/null
+++ b/external/xmlsec/ExternalProject_xmlsec.mk
@@ -0,0 +1,79 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_ExternalProject_ExternalProject,xmlsec))
+
+$(eval $(call gb_ExternalProject_use_externals,xmlsec,\
+ libxml2 \
+ $(if $(ENABLE_NSS),nss3,$(if $(ENABLE_OPENSSL),openssl)) \
+))
+
+$(eval $(call gb_ExternalProject_register_targets,xmlsec,\
+ build \
+))
+
+# note: it's possible to use XSLT in XML signatures - that appears to be a
+# really bad idea from a security point of view though, because it will run
+# an XSLT script supplied as untrusted input, and XSLT implementations
+# tend to have extension functions, and some of these trivially allow
+# running arbitrary code... so investigate the situation with libxslt
+# before enabling it here; hopefully nobody uses XSLT in practice anyway.
+
+ifeq ($(OS),WNT)
+
+$(eval $(call gb_ExternalProject_use_nmake,xmlsec,build))
+
+$(call gb_ExternalProject_get_state_target,xmlsec,build) :
+ $(call gb_Trace_StartRange,xmlsec,EXTERNAL)
+ $(call gb_ExternalProject_run,build,\
+ cscript /e:javascript configure.js crypto=mscng xslt=no iconv=no static=no \
+ lib=$(call gb_UnpackedTarball_get_dir,libxml2)/win32/bin.msvc \
+ $(if $(filter TRUE,$(ENABLE_DBGUTIL)),debug=yes cruntime=/MDd) \
+ cflags="$(SOLARINC) -I$(WORKDIR)/UnpackedTarball/libxml2/include -I$(WORKDIR)/UnpackedTarball/icu/source/i18n -I$(WORKDIR)/UnpackedTarball/icu/source/common" \
+ && nmake \
+ ,win32)
+ $(call gb_Trace_EndRange,xmlsec,EXTERNAL)
+
+else
+
+$(call gb_ExternalProject_get_state_target,xmlsec,build) :
+ $(call gb_Trace_StartRange,xmlsec,EXTERNAL)
+ $(call gb_ExternalProject_run,build,\
+ $(if $(filter iOS MACOSX,$(OS_FOR_BUILD)),ACLOCAL="aclocal -I $(SRCDIR)/m4/mac") \
+ autoreconf \
+ && $(gb_RUN_CONFIGURE) ./configure \
+ --with-pic --disable-shared --disable-crypto-dl --without-libxslt --without-gnutls --without-gcrypt --disable-apps --disable-docs --disable-pedantic \
+ $(if $(verbose),--disable-silent-rules,--enable-silent-rules) \
+ $(if $(filter -fsanitize=undefined,$(CC)),CC='$(CC) -fno-sanitize=function') \
+ CFLAGS="$(CFLAGS) $(call gb_ExternalProject_get_build_flags,xmlsec) $(gb_VISIBILITY_FLAGS)" \
+ $(if $(filter MACOSX,$(OS)),--prefix=/@.__________________________________________________OOO) \
+ $(if $(ENABLE_NSS), \
+ --without-openssl \
+ $(if $(SYSTEM_NSS),, \
+ $(if $(filter MACOSX,$(OS_FOR_BUILD)),--disable-pkgconfig) \
+ NSPR_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,nss)/dist/out/include" NSPR_LIBS="-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib -lnspr4" \
+ NSS_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,nss)/dist/public/nss" NSS_LIBS="-L$(call gb_UnpackedTarball_get_dir,nss)/dist/out/lib -lsmime3 -lnss3 -lnssutil3" \
+ ), \
+ $(if $(ENABLE_OPENSSL), \
+ $(if $(SYSTEM_OPENSSL),, \
+ OPENSSL_CFLAGS="-I$(call gb_UnpackedTarball_get_dir,openssl)/include" \
+ OPENSSL_LIBS="-L$(call gb_UnpackedTarball_get_dir,openssl) -lcrypto -lssl" \
+ ), \
+ --without-openssl) \
+ ) \
+ $(gb_CONFIGURE_PLATFORMS) \
+ $(if $(SYSBASE),CFLAGS="-I$(SYSBASE)/usr/include" \
+ LDFLAGS="$(call gb_ExternalProject_get_link_flags,xmlsec) -L$(SYSBASE)/usr/lib $(if $(filter-out LINUX FREEBSD,$(OS)),",-Wl$(COMMA)-z$(COMMA)origin -Wl$(COMMA)-rpath$(COMMA)\\"\$$\$$ORIGIN)) \
+ && $(MAKE) \
+ )
+ $(call gb_Trace_EndRange,xmlsec,EXTERNAL)
+
+endif
+
+# vim: set noet sw=4 ts=4:
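Review bot: When SYSBASE is set, the non-Windows configure call receives CFLAGS twice: first the full `CFLAGS="$(CFLAGS) $(call gb_ExternalProject_get_build_flags,xmlsec) $(gb_VISIBILITY_FLAGS)"` and later `CFLAGS="-I$(SYSBASE)/usr/include"`. configure normally keeps the last `VAR=value` it is given, so sysroot builds would drop the build and visibility flags (and any hardening options they carry, which this hunk does not show) for a library that parses untrusted signature data. Folding the include path into the first assignment avoids that: `CFLAGS="$(CFLAGS) $(call gb_ExternalProject_get_build_flags,xmlsec) $(gb_VISIBILITY_FLAGS) $(if $(SYSBASE),-I$(SYSBASE)/usr/include)"`. The LDFLAGS assignment that uses `gb_ExternalProject_get_link_flags` sits inside the same `$(if $(SYSBASE),…)`, so the link flags appear to be passed only for sysroot builds; it is worth confirming that this is intended.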
diff --git a/external/xmlsec/Makefile b/external/xmlsec/Makefile
new file mode 100644
index 0000000000..e4968cf85f
--- /dev/null
+++ b/external/xmlsec/Makefile
@@ -0,0 +1,7 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+
+module_directory:=$(dir $(realpath $(firstword $(MAKEFILE_LIST))))
+
+include $(module_directory)/../../solenv/gbuild/partial_build.mk
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/xmlsec/Module_xmlsec.mk b/external/xmlsec/Module_xmlsec.mk
new file mode 100644
index 0000000000..55b0a46547
--- /dev/null
+++ b/external/xmlsec/Module_xmlsec.mk
@@ -0,0 +1,18 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+$(eval $(call gb_Module_Module,xmlsec))
+
+$(eval $(call gb_Module_add_targets,xmlsec,\
+ UnpackedTarball_xmlsec \
+ ExternalPackage_xmlsec \
+ ExternalProject_xmlsec \
+))
+
+# vim: set noet sw=4 ts=4:
diff --git a/external/xmlsec/README b/external/xmlsec/README
new file mode 100644
index 0000000000..9f2c5e5e71
--- /dev/null
+++ b/external/xmlsec/README
@@ -0,0 +1,5 @@
+XML signing, etc. From [http://www.aleksey.com/xmlsec/].
+
+The certificate vertification functionality of libxmlsec is not used, both the
+mscng and nss backends specify the
+XMLSEC_KEYINFO_FLAGS_X509DATA_DONT_VERIFY_CERTS flag during verification.
diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk b/external/xmlsec/UnpackedTarball_xmlsec.mk
new file mode 100644
index 0000000000..77d3386b27
--- /dev/null
+++ b/external/xmlsec/UnpackedTarball_xmlsec.mk
@@ -0,0 +1,24 @@
+# -*- Mode: makefile-gmake; tab-width: 4; indent-tabs-mode: t -*-
+#
+# This file is part of the LibreOffice project.
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+#
+
+xmlsec_patches :=
+# Remove this when Ubuntu 20.04 is EOL in 2025.
+xmlsec_patches += old-nss.patch.1
+
+$(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec))
+
+$(eval $(call gb_UnpackedTarball_set_tarball,xmlsec,$(XMLSEC_TARBALL),,xmlsec))
+
+$(eval $(call gb_UnpackedTarball_update_autoconf_configs,xmlsec))
+
+$(eval $(call gb_UnpackedTarball_add_patches,xmlsec,\
+ $(foreach patch,$(xmlsec_patches),external/xmlsec/$(patch)) \
+))
+
+# vim: set noet sw=4 ts=4:
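Review bot: The comment above `xmlsec_patches += old-nss.patch.1` gives a removal date but does not say what the patch changes, and the patch is added for every configuration rather than only for builds against an old system NSS. Because it compiles out the NSS AES-GCM transforms and forces `XMLSEC_NO_RSA_OAEP`, the comment should record that reduction in algorithm support, e.g. `# old-nss.patch.1 disables AES-GCM and RSA-OAEP in the nss backend so xmlsec builds against older NSS; remove when Ubuntu 20.04 is EOL in 2025.` If the bundled NSS is new enough (not visible here), the append could also be made conditional on `SYSTEM_NSS`.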
diff --git a/external/xmlsec/old-nss.patch.1 b/external/xmlsec/old-nss.patch.1
new file mode 100644
index 0000000000..b464535863
--- /dev/null
+++ b/external/xmlsec/old-nss.patch.1
@@ -0,0 +1,66 @@
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..fe9904be 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -105,6 +105,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes192CbcGetKlass(void
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes256CbcGetKlass(void);
+
+
++#if 0
+ /**
+ * xmlSecNssTransformAes128GcmId:
+ *
+@@ -131,6 +132,7 @@ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes192GcmGetKlass(void
+ #define xmlSecNssTransformAes256GcmId \
+ xmlSecNssTransformAes256GcmGetKlass()
+ XMLSEC_CRYPTO_EXPORT xmlSecTransformId xmlSecNssTransformAes256GcmGetKlass(void);
++#endif
+
+
+ /**
+diff --git a/src/nss/ciphers_gcm.c b/src/nss/ciphers_gcm.c
+index 5763a756..7b50e5fd 100644
+--- a/src/nss/ciphers_gcm.c
++++ b/src/nss/ciphers_gcm.c
+@@ -31,6 +31,7 @@
+ #include "../cast_helpers.h"
+ #include "../kw_aes_des.h"
+
++#if 0
+ /* https://www.w3.org/TR/xmlenc-core1/#sec-AES-GCM
+ *
+ * For the purposes of this specification, AES-GCM shall be used with
+@@ -591,3 +592,4 @@ xmlSecNssTransformAes256GcmGetKlass(void) {
+ }
+
+ #endif /* XMLSEC_NO_AES */
++#endif
+diff --git a/src/nss/crypto.c b/src/nss/crypto.c
+index 429d209f..e0296bda 100644
+--- a/src/nss/crypto.c
++++ b/src/nss/crypto.c
+@@ -131,9 +131,11 @@ xmlSecCryptoGetFunctions_nss(void) {
+ gXmlSecNssFunctions->transformAes192CbcGetKlass = xmlSecNssTransformAes192CbcGetKlass;
+ gXmlSecNssFunctions->transformAes256CbcGetKlass = xmlSecNssTransformAes256CbcGetKlass;
+
++#if 0
+ gXmlSecNssFunctions->transformAes128GcmGetKlass = xmlSecNssTransformAes128GcmGetKlass;
+ gXmlSecNssFunctions->transformAes192GcmGetKlass = xmlSecNssTransformAes192GcmGetKlass;
+ gXmlSecNssFunctions->transformAes256GcmGetKlass = xmlSecNssTransformAes256GcmGetKlass;
++#endif
+
+ gXmlSecNssFunctions->transformKWAes128GetKlass = xmlSecNssTransformKWAes128GetKlass;
+ gXmlSecNssFunctions->transformKWAes192GetKlass = xmlSecNssTransformKWAes192GetKlass;
+diff --git a/include/xmlsec/nss/crypto.h b/include/xmlsec/nss/crypto.h
+index bb64c5f2..4c3dc4d3 100644
+--- a/include/xmlsec/nss/crypto.h
++++ b/include/xmlsec/nss/crypto.h
+@@ -26,7 +26,7 @@
+ * RSA OAEP requires https://bugzilla.mozilla.org/show_bug.cgi?id=1666891
+ * which was fixed in NSS 3.59 (https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_releases/nss_3.59_release_notes/index.html)
+ */
+-#if (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59))
++#if 1
+ #define XMLSEC_NO_RSA_OAEP 1
+ #else /* (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59)) */
+ #define XMLSEC_NO_MD5 1
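Review bot: Replacing the NSS version check with `#if 1` in include/xmlsec/nss/crypto.h also makes the `#else` branch unreachable, and that branch is where `#define XMLSEC_NO_MD5 1` sits. So besides disabling RSA-OAEP for every NSS version, the patched header no longer turns MD5 off for NSS 3.59 and later, unless XMLSEC_NO_MD5 is defined somewhere else; the rest of the conditional lies outside this hunk. If MD5 is meant to stay disabled, add `#define XMLSEC_NO_MD5 1` inside the `#if 1` branch, and say in the patch header which of the two effects is intended.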