xmlsec: replace revert with an upstream fix

The problem in the new code was that previously xmlSecNssInit() didn't
require an already initialized NSS, but 1.3.3 did.

Backport upstream fix that restores the old behavior that NSS init is
not needed, which allows no longer reverting the
xmlSecNssUpdateAvailableCryptoTransforms() call that upstream added
recently.

Change-Id: Ie33ccbff0149e3c406d5574e889d90da4fdbbfb5
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/162292
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
Tested-by: Jenkins

3 files changed, 35 insertions, 15 deletions

diff --git a/external/xmlsec/UnpackedTarball_xmlsec.mk b/external/xmlsec/UnpackedTarball_xmlsec.mk
index 77d3386b27dc..51d4f013bc0a 100644
--- a/external/xmlsec/UnpackedTarball_xmlsec.mk
+++ b/external/xmlsec/UnpackedTarball_xmlsec.mk
@@ -10,6 +10,8 @@
 xmlsec_patches :=
 # Remove this when Ubuntu 20.04 is EOL in 2025.
 xmlsec_patches += old-nss.patch.1
+# Backport of https://github.com/lsh123/xmlsec/pull/754
+xmlsec_patches += xmlsec-nss-Ensure-NSS-algorithms-are-initialized-754.patch.1
 
 $(eval $(call gb_UnpackedTarball_UnpackedTarball,xmlsec))
 
diff --git a/external/xmlsec/old-nss.patch.1 b/external/xmlsec/old-nss.patch.1
index 19ac8ffe6c5a..0da576b59920 100644
--- a/external/xmlsec/old-nss.patch.1
+++ b/external/xmlsec/old-nss.patch.1
@@ -65,18 +65,3 @@ index bb64c5f2..4c3dc4d3 100644
  #define XMLSEC_NO_RSA_OAEP 1
  #else  /* (NSS_VMAJOR < 3) || ((NSS_VMAJOR == 3) && (NSS_VMINOR < 59)) */
  #define XMLSEC_NO_MD5 1
-diff --git a/src/nss/crypto.c b/src/nss/crypto.c
-index 6455ec72..a6c46350 100644
---- a/src/nss/crypto.c
-+++ b/src/nss/crypto.c
-@@ -546,8 +546,10 @@ xmlSecNssInit (void)  {
-     /* set default errors callback for xmlsec to us */
-     xmlSecErrorsSetCallback(xmlSecNssErrorsDefaultCallback);
- 
-+#if 0
-     /* update the avaialble algos based on NSS configs */
-     xmlSecNssUpdateAvailableCryptoTransforms(xmlSecCryptoGetFunctions_nss());
-+#endif
- 
-     /* register our klasses */
-     if(xmlSecCryptoDLFunctionsRegisterKeyDataAndTransforms(xmlSecCryptoGetFunctions_nss()) < 0) {
diff --git a/external/xmlsec/xmlsec-nss-Ensure-NSS-algorithms-are-initialized-754.patch.1 b/external/xmlsec/xmlsec-nss-Ensure-NSS-algorithms-are-initialized-754.patch.1
new file mode 100644
index 000000000000..bf397bfb9178
--- /dev/null
+++ b/external/xmlsec/xmlsec-nss-Ensure-NSS-algorithms-are-initialized-754.patch.1
@@ -0,0 +1,33 @@
+From 356fdcfaf6e126835ac3bd7f410a3fa4d4a6877b Mon Sep 17 00:00:00 2001
+From: lsh123 <aleksey@aleksey.com>
+Date: Sat, 13 Jan 2024 18:07:49 -0500
+Subject: [PATCH] (xmlsec-nss) Ensure NSS algorithms are initialized (#754)
+
+---
+ src/nss/crypto.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/nss/crypto.c b/src/nss/crypto.c
+index 6455ec72..7ba0c77a 100644
+--- a/src/nss/crypto.c
++++ b/src/nss/crypto.c
+@@ -361,8 +361,16 @@ xmlSecCryptoGetFunctions_nss(void) {
+ 
+ static void
+ xmlSecNssUpdateAvailableCryptoTransforms(xmlSecCryptoDLFunctionsPtr functions) {
++    SECStatus rv;
+     xmlSecAssert(functions != NULL);
+ 
++    /* in theory NSS should be already initialized but just in case */
++    rv = SECOID_Init();
++    if (rv != SECSuccess) {
++        xmlSecNssError("SECOID_Init", NULL);
++        return;
++    }
++
+     /******************************* AES ********************************/
+     /* cbc */
+     if (xmlSecNssCryptoCheckAlgorithm(SEC_OID_AES_128_CBC) == 0) {
+-- 
+2.35.3
+