Age | Commit message | Author |
|
Seen in a fedora:40 container, using --with-system-libcmis,
--with-system-liblangtag and --with-system-xmlsec.
Change-Id: I9d748d3dc0b70dbfdfcb6b99c9ce8440bda6f326
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/159980
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
This time try to do it in a way that doesn't re-introduce tdf#155034,
i.e. patch out code that would use NSS symbols which are in the RHEL7
baseline, but are not in Ubuntu 18.04. This is all code like RSA OAEP or
AES GCM which is relatively new, so not really required for our
signature needs.
It also helps that this release has a lowered baseline for NSS.
Change-Id: I5a8df6d98462e8173a5508e014bd2d515da2dc9d
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/152747
Tested-by: Justin Luth <jluth@mail.com>
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
This reverts commit 26bf26272bf525b59b4a4ce18b3ce14c1febfd7b.
Reason for revert: compiled version fails to open/create some documents
on Ubuntu 20.04, which is still an Ubuntu-supported release.
Also fails to compile on 20.04 with built-in system NSS.
The clinching reason is for running bibisects.
There was no compelling reason to make the change,
just routine maintenance. So if something breaks
or is annoying when doing routine maintenance, then revert it.
The previous version is still 1.2.37, released in Nov 2022.
So this will likely come up again relatively soon
if there is a security fix required.
But at least at the end of the 7.6 development cycle,
we can avoid the pain.
Change-Id: Ife387d6e4058b017ba18cba1fbcb2b2d50f52c12
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/151118
Tested-by: Jenkins
Reviewed-by: Justin Luth <jluth@mail.com>
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
See <https://github.com/lsh123/xmlsec/releases/tag/xmlsec_1_3_0> for the
upstream release notes, notably:
> (ABI breaking change) Switched xmlSecSize to use size_t by default.
Adapt xmlsec-wrapper.h accordingly.
Change-Id: If910e44441be65794d4441558e2838d00b4b927c
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/150647
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
x509.h includes cert.h. But that doesn't know of LO using
xmlsecurity/source/xmlsec/nss/nssrenam.h, which has a "#define
CERT_DecodeDERCertificate __CERT_DecodeDERCertificate". So the PCH
doesn't know of this rename and the compiler fails.
Move the include line into the file that needs it and the --enable-pch=full
build works ok.
Change-Id: I247bd219cf47964490ded439ad51bd8e8e120c48
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127744
Reviewed-by: Jan-Marek Glogowski <glogow@fbihome.de>
Reviewed-by: Caolán McNamara <caolanm@redhat.com>
Tested-by: Jenkins
|
|
Change-Id: I52e6588f5fac04bb26d77c1f3af470db73e41f72
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/127193
Tested-by: Jenkins
Reviewed-by: Miklos Vajna <vmiklos@collabora.com>
|
|
xmlhelp, xmloff, xmlsecurity
Change-Id: I80c6fa806387f3dcba8be7f93fe2fef146b033e3
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/112050
Tested-by: Jenkins
Reviewed-by: Ilmari Lauhakangas <ilmari.lauhakangas@libreoffice.org>
|
|
Since commit 9630a2dfc79b08e3417e6e69b083f5124614499c,
CppunitTest_xmlsecurity_signing on Win64 segfaults:
===
[CUT] xmlsecurity_signing
/usr/bin/sh: line 1: 10188 Segmentation fault ( PATH="C:\lo\src\core\instdir\program;C:\lo\src\core\instdir\program;C:\lo\src\core\workdir\LinkTarget\Library;C:\lo\src\core\workdir\UnpackedTarball\cppunit\src\cppunit\DebugDll;$PATH" $W/LinkTarget/Executable/cppunittester.exe $W/LinkTarget/CppunitTest/test_xmlsecurity_signing.dll --headless "-env:BRAND_BASE_DIR=file:///$S/instdir" "-env:BRAND_SHARE_SUBDIR=share" "-env:BRAND_SHARE_RESOURCE_SUBDIR=program/resource" "-env:UserInstallation=file:///$W/CppunitTest/xmlsecurity_signing.test.user" "-env:CONFIGURATION_LAYERS=xcsxcu:file:///$I/share/registry xcsxcu:file:///$W/unittest/registry" "-env:UNO_TYPES=file:///$I/program/types.rdb file:///$I/program/types/offapi.rdb" "-env:UNO_SERVICES=file:///$W/Rdb/ure/services.rdb file:///$W/Rdb/services.rdb" -env:URE_INTERNAL_LIB_DIR=file:///$I/program -env:LO_LIB_DIR=file:///$I/program -env:LO_JAVA_DIR=file:///$I/program/classes --protector $W/LinkTarget/Library/unoexceptionprotector.dll unoexceptionprotector --protector $W/LinkTarget/Library/unobootstrapprotector.dll unobootstrapprotector --protector $W/LinkTarget/Library/vclbootstrapprotector.dll vclbootstrapprotector "-env:CPPUNITTESTTARGET=$W/CppunitTest/xmlsecurity_signing.test" ) > $W/CppunitTest/xmlsecurity_signing.test.log 2>&1
warn:sfx.appl:18084:18824:sfx2/source/appl/app.cxx:191: No DDE-Service possible. Error: 16399
warn:vcl:18084:18824:vcl/win/window/salframe.cxx:1084: WinSalFrame::SetIcon(): Could not load large icon !
warn:vcl:18084:18824:vcl/win/window/salframe.cxx:1085: WinSalFrame::SetIcon(): Could not load small icon !
warn:basic:18084:18824:basic/source/uno/namecont.cxx:973: Cannot access extensions!
warn:basic:18084:18824:basic/source/uno/namecont.cxx:973: Cannot access extensions!
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:793: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL' Operation completed successfully.
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:508: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' ' Operation completed successfully.
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:291: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxProcessSignatureNode' 1 ' ' Operation completed successfully.
HEAP CORRUPTION DETECTED: after Normal block (#1570713) at 0x00000197AC7E5AB0.
CRT detected that the application wrote to memory after end of heap buffer.
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:793: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL' Operation completed successfully.
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:508: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' ' Operation completed successfully.
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:346: xmlSecDSigCtxVerify() '' 'xmlSecDSigCtxProcessSignatureNode' 1 ' ' Operation completed successfully.
HEAP CORRUPTION DETECTED: after Normal block (#1585431) at 0x00000197AC7E7BF0.
CRT detected that the application wrote to memory after end of heap buffer.
SigningTest::testDescription finished in: 3332ms
warn:vcl:18084:18824:vcl/win/window/salframe.cxx:1084: WinSalFrame::SetIcon(): Could not load large icon !
warn:vcl:18084:18824:vcl/win/window/salframe.cxx:1085: WinSalFrame::SetIcon(): Could not load small icon !
SigningTest::testECDSA finished in: 550ms
warn:vcl:18084:18824:vcl/win/window/salframe.cxx:1084: WinSalFrame::SetIcon(): Could not load large icon !
warn:vcl:18084:18824:vcl/win/window/salframe.cxx:1085: WinSalFrame::SetIcon(): Could not load small icon !
SigningTest::testECDSAOOXML finished in: 466ms
warn:vcl:18084:18824:vcl/win/window/salframe.cxx:1084: WinSalFrame::SetIcon(): Could not load large icon !
warn:vcl:18084:18824:vcl/win/window/salframe.cxx:1085: WinSalFrame::SetIcon(): Could not load small icon !
warn:vcl.gdi:18084:18824:vcl/source/outdev/map.cxx:694: Please record only relative MapModes!
warn:vcl.gdi:18084:18824:vcl/source/outdev/map.cxx:694: Please record only relative MapModes!
warn:vcl.gdi:18084:18824:vcl/source/outdev/map.cxx:694: Please record only relative MapModes!
warn:vcl.gdi:18084:18824:vcl/source/outdev/map.cxx:694: Please record only relative MapModes!
warn:vcl.gdi:18084:18824:vcl/source/outdev/map.cxx:694: Please record only relative MapModes!
warn:vcl.gdi:18084:18824:vcl/source/outdev/map.cxx:694: Please record only relative MapModes!
SigningTest::testECDSAPDF finished in: 433ms
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:793: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL' Operation completed successfully.
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:508: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' ' Operation completed successfully.
warn:xmlsecurity.xmlsec:18084:18824:xmlsecurity/source/xmlsec/errorcallback.cxx:51: ..\src\xmldsig.c:346: xmlSecDSigCtxVerify() '' 'xmlSecDSigCtxProcessSignatureNode' 1 ' ' Operation completed successfully.
===
The problem is a mismatch between sizeof(xmlSecSize) in xmlsec and LO:
xmlsec uses a 32-bit integer, while LO uses 64-bit. The crash happens in
XMLSignature_MSCryptImpl::validate(), when the pDsigCtx->manifestReferences
address is incorrectly retrieved and passed to xmlSecPtrListGetSize.
Although the comment in xmlsecurity/inc/xmlsec-wrapper.h mentions that
XMLSEC_NO_SIZE_T isn't used in xmlsec for MSVC, it's actually used
there since commit 1cf0cd6f0f19c34a23228f7de691187887081dff. So we need
to enable it for MSVC, too.
Change-Id: I05a4f4f6700c178d28886a7ac203469c41d7048b
Reviewed-on: https://gerrit.libreoffice.org/62676
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Mike Kaganski <mike.kaganski@collabora.com>
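
The sizeof(xmlSecSize) mismatch described in the commit message above, as an added example that is not LibreOffice or xmlsec code: the struct and field names are hypothetical stand-ins, and the only difference between the two views is the width of the size type. It shows how the offset of an embedded list moves between the library's layout and the caller's, so the caller reads the wrong memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the two views of the size type; not xmlsec's real structs. */
typedef uint32_t lib_size;   /* library built with a 32-bit size type */
typedef uint64_t app_size;   /* caller compiled assuming a 64-bit size type */

struct list_lib { void *id; void **data; lib_size use; lib_size max; };
struct list_app { void *id; void **data; app_size use; app_size max; };

/* Same field names and order on both sides; only the size type differs. */
struct ctx_lib { void *userData; lib_size flags, flags2, status; struct list_lib refs; };
struct ctx_app { void *userData; app_size flags, flags2, status; struct list_app refs; };

size_t refs_offset_lib(void) { return offsetof(struct ctx_lib, refs); }
size_t refs_offset_app(void) { return offsetof(struct ctx_app, refs); }

/* The invariant a build has to hold: both sides agree on the layout. */
int layouts_agree(void) {
    return sizeof(lib_size) == sizeof(app_size)
        && refs_offset_lib() == refs_offset_app();
}

/* The library fills in a 3-element list; return the element count the
 * caller reads back through its own, mismatched struct definition. */
uint64_t list_use_seen_by_app(void) {
    struct ctx_lib real;
    unsigned char raw[sizeof(struct ctx_app)] = {0}; /* zero padded: no out-of-bounds read */
    app_size seen;

    memset(&real, 0, sizeof real);
    real.refs.use = 3;
    real.refs.max = 8;
    memcpy(raw, &real, sizeof real);                 /* ctx_lib is the smaller layout */
    memcpy(&seen,
           raw + offsetof(struct ctx_app, refs) + offsetof(struct list_app, use),
           sizeof seen);
    return seen;
}

int main(void) {
    /* Exit status 0 means the mismatch was reproduced. */
    return (!layouts_agree() && list_use_seen_by_app() != 3) ? 0 : 1;
}
```

Here the copy is zero padded so the misread is harmless; in the real process the bytes past the library's struct belong to whatever the heap placed there.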
|
|
By making it possible to use libxmlsec's mscng backend instead of the old
mscrypto one which lacks ECDSA support.
make -sr CppunitTest_xmlsecurity_signing SVL_CRYPTO_CNG=1 CPPUNIT_TEST_NAME="SigningTest::testECDSA"
passes with these changes, while it failed in the SVL_CRYPTO_CNG=1 case previously.
Change-Id: Ic23e5af11d271ed84175abe3d5ad008c7cc9e071
Reviewed-on: https://gerrit.libreoffice.org/56370
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins
|
|
Change-Id: I9c3eca51fec52a255fcf280fe4e5ecc2ebbee5f3
|
|
The only remaining difference is that in the system-xmlsec case we work
with the default key manager, not with the one that's only added by our
xmlsec patches.
This works for me for the uses I know of (see
<https://lists.freedesktop.org/archives/libreoffice/2017-February/076947.html>
for the motivation): signing and verifying of different signatures (bad
signature, good with non-trusted CA, good with trusted CA) with
software-based certificates all behave as expected.
Change-Id: If3f3e2b8373ab7397db3f98070a5a2ce51fa7c06
Reviewed-on: https://gerrit.libreoffice.org/39075
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
xmlsec1-customkeymanage.patch.1 of our bundled xmlsec extends
xmlSecNssKeyDataX509VerifyAndExtractKey(), so that it calls
xmlSecNssPKIAdoptKey() for the private key of the signing certificate.
Make this explicit in xmlsecurity/ code, so we don't depend on the
patched xmlSecNssKeyDataX509VerifyAndExtractKey().
This is harmless for the patched xmlsec, but it prevents this error:
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: keys.c:1246: xmlSecKeysMngrGetKey() '' 'xmlSecKeysMngrFindKey' 1 ' '
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:790: xmlSecDSigCtxProcessKeyInfoNode() '' '' 45 'details=NULL'
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:503: xmlSecDSigCtxProcessSignatureNode() '' 'xmlSecDSigCtxProcessKeyInfoNode' 1 ' '
warn:xmlsecurity.xmlsec:26221:1:xmlsecurity/source/xmlsec/errorcallback.cxx:48: xmldsig.c:286: xmlSecDSigCtxSign() '' 'xmlSecDSigCtxSignatureProcessNode' 1 ' '
when xmlsec is not patched.
(This is needed, but not enough to build against system xmlsec.)
Change-Id: I5d68a8be7aefcb529566213f9b9c2985eab6a80a
Reviewed-on: https://gerrit.libreoffice.org/39023
Reviewed-by: Miklos Vajna <vmiklos@collabora.co.uk>
Tested-by: Jenkins <ci@libreoffice.org>
|
|
Change-Id: Ibf313b8948a493043006ebf3a8281487c1f67b48
Reviewed-on: https://gerrit.libreoffice.org/25532
Tested-by: Jenkins <ci@libreoffice.org>
Reviewed-by: Tor Lillqvist <tml@collabora.com>
Tested-by: Tor Lillqvist <tml@collabora.com>
|