comphelper/source/misc/hash.cxx | 16 +++++++++++++++- download.lst | 4 ++-- external/nss/ExternalProject_nss.mk | 1 + external/nss/UnpackedTarball_nss.mk | 4 ++-- external/nss/nspr-win95-target.patch | 11 +++++++++++ external/nss/nss-android.patch.1 | 14 ++++++-------- external/nss/nss-ios.patch | 15 +++++++-------- external/nss/nss.cygwin64.in32bit.patch | 14 -------------- external/nss/winnt.patch.0 | 10 ++++++++++ include/comphelper/hash.hxx | 2 ++ vcl/source/gdi/pdfwriter_impl.cxx | 5 +++++ 11 files changed, 61 insertions(+), 35 deletions(-)
New commits: commit ba50a1a762aaa1840578c1a9d19bdc8fdf6c7038 Author: Xisco Fauli <[email protected]> AuthorDate: Mon Mar 24 13:21:02 2025 +0100 Commit: Stephan Bergmann <[email protected]> CommitDate: Mon Nov 10 08:22:06 2025 +0100 nss: change target from WIN95 to WINNT In preparation for the upgrade to nss 3.104 In nss 3.103 or older, when OS_TARGET is not specified, it defaults to WIN95, See comment - When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build configuration, specify OS_TARGET=WINNT. in doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst However, in nss 3.104 or newer, WIN95 support has been dropped and the WINNT has become the default. It needs some tweaks though: * Add external/nss/nspr-win95-target.patch to keep building nspr with WIN95 target, which is still available in nspr. Explicitly pass --enable-win32-target=WIN95 to NSPR_CONFIGURE_OPTS, otherwise, it would use WINNT, as nss, and it will fail with make[7]: *** No rule to make target 'libnspr4.lib', needed by 'build'. Stop. make[7]: *** Waiting for unfinished jobs.... * Add external/nss/winnt.patch.0 to remove the 'lib' prefix as WIN95 does, otherwise it fails with LINK : fatal error LNK1181: cannot open input file '..\..\..\..\dist\out\lib\libplc4.lib' Change-Id: Ifaf19eeb1398389256a5c441a056f542b409622a Reviewed-on: https://gerrit.libreoffice.org/c/core/+/183262 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit 81b820a7ea7fded7c30a71a799b9fe1fac1915f9) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193485 Reviewed-by: Michael Stahl <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> (cherry picked from commit dd8f76a4c8aa24afa2b736e51d7cc64d913cf53c) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193591 Reviewed-by: Stephan Bergmann <[email protected]> diff --git a/external/nss/ExternalProject_nss.mk b/external/nss/ExternalProject_nss.mk index fa7f780522b1..63e8a3a87a86 100644 --- a/external/nss/ExternalProject_nss.mk +++ b/external/nss/ExternalProject_nss.mk @@ -30,6 +30,7 @@ $(call gb_ExternalProject_get_state_target,nss,build): \ MOZ_DEBUG_SYMBOLS=1 \ MOZ_DEBUG_FLAGS=" " \ OPT_CODE_SIZE=0) \ + OS_TARGET=WINNT \ USE_SYSTEM_ZLIB=1 \ $(if $(filter X86_64,$(CPUNAME)),USE_64=1) \ $(if $(filter AARCH64,$(CPUNAME)),USE_64=1 CPU_ARCH=aarch64) \ diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk index 5d8b88694bfb..5915af095a54 100644 --- a/external/nss/UnpackedTarball_nss.mk +++ b/external/nss/UnpackedTarball_nss.mk @@ -19,6 +19,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/nss-win32-make.patch.1 \ external/nss/ubsan.patch.0 \ external/nss/clang-cl.patch.0 \ + external/nss/winnt.patch.0 \ external/nss/nss.vs2015.patch \ external/nss/nss.vs2015.pdb.patch \ external/nss/nss.bzmozilla1238154.patch \ @@ -26,6 +27,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/macos-dlopen.patch.0 \ external/nss/nss-restore-manual-pre-dependencies.patch.1 \ external/nss/Wincompatible-function-pointer-types.patch.0 \ + external/nss/nspr-win95-target.patch \ $(if $(filter LINUX,$(OS)), \ external/nss/nss.disablefsync.patch \ external/nss/nss.getrandom.patch) \ diff --git a/external/nss/nspr-win95-target.patch b/external/nss/nspr-win95-target.patch new file mode 100644 index 000000000000..92da84ba0b85 --- /dev/null +++ b/external/nss/nspr-win95-target.patch @@ -0,0 +1,11 @@ +--- a/nss/nss/Makefile 2025-03-24 15:04:03.270924656 +0100 ++++ b/nss/nss/Makefile 2025-03-24 15:04:03.270924656 +0100 +@@ -63,6 +63,8 @@ + # Translate coreconf build options to NSPR configure options. + # + ++NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95 ++ + ifeq ($(OS_TARGET),Android) + NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) \ + --target=$(ANDROID_PREFIX) \ diff --git a/external/nss/winnt.patch.0 b/external/nss/winnt.patch.0 new file mode 100644 index 000000000000..666d12deeb60 --- /dev/null +++ b/external/nss/winnt.patch.0 @@ -0,0 +1,10 @@ +--- nss/coreconf/WINNT.mk 2025-03-24 14:11:13.771104127 +0100 ++++ nss/coreconf/WINNT.mk 2025-03-24 14:11:13.771104127 +0100 +@@ -15,6 +15,3 @@ + # Win NT needs -GT so that fibers can work + # + OS_CFLAGS += -GT +- +-# WINNT uses the lib prefix, Win95 doesn't +-NSPR31_LIB_PREFIX = lib + commit 6cf5fe5aea4615e8355884b90cd3eeb0136791c0 Author: Xisco Fauli <[email protected]> AuthorDate: Tue Mar 25 00:02:06 2025 +0100 Commit: Stephan Bergmann <[email protected]> CommitDate: Mon Nov 10 08:21:59 2025 +0100 nss: remove unneded patch This is a follow-up to commit acf84f9e21999327b831580691430db8c8fe8a71 Author: Xisco Fauli <[email protected]> Date: Fri Mar 14 12:28:51 2025 +0100 nss: remove obsolete target In nss 3.103 or older, when OS_TARGET is not specified, it defaults to WIN95 anyway. See comment - When building on Windows, OS_TARGET now defaults to WIN95. To use the WINNT build configuration, specify OS_TARGET=WINNT. in doc/rst/legacy/nss_releases/nss_3.15.4_release_notes/index.rst thus, nspr is built with --enable-win32-target=WIN95 as the Makefile does ifeq ($(OS_TARGET),WIN95) NSPR_CONFIGURE_OPTS += --enable-win32-target=WIN95 endif consequently, the patch added in commit 486c91147c587febdacf3fa95d56633dbd703d5f Author: David Ostrovsky <[email protected]> Date: Tue Feb 23 22:25:06 2016 +0100 Bump nss to 3.22.1 and nspr to 4.12 can be removed. The reason why it was added initially is unclear to me though Change-Id: I9a2acc2b2cdd560fce9166c2e6e11c71ee21b5e1 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/183282 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit 31eaf2686a1017729d7f7075ce3330b8ea719b56) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193484 Reviewed-by: Michael Stahl <[email protected]> Tested-by: Jenkins CollaboraOffice <[email protected]> (cherry picked from commit 75361bcf29cc274bcb0b93a2632bddb0ef477c8b) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193590 Reviewed-by: Stephan Bergmann <[email protected]> diff --git a/external/nss/UnpackedTarball_nss.mk b/external/nss/UnpackedTarball_nss.mk index 7a9010bdf743..5d8b88694bfb 100644 --- a/external/nss/UnpackedTarball_nss.mk +++ b/external/nss/UnpackedTarball_nss.mk @@ -33,8 +33,6 @@ $(eval $(call gb_UnpackedTarball_add_patches,nss,\ external/nss/nss-ios.patch) \ $(if $(filter ANDROID,$(OS)), \ external/nss/nss-android.patch.1) \ - $(if $(filter MSC-INTEL,$(COM)-$(CPUNAME)), \ - external/nss/nss.cygwin64.in32bit.patch) \ $(if $(filter WNT,$(OS)), \ external/nss/nss.windows.patch \ external/nss/nss.nowerror.patch \ diff --git a/external/nss/nss.cygwin64.in32bit.patch b/external/nss/nss.cygwin64.in32bit.patch deleted file mode 100644 index bce0f1d09403..000000000000 --- a/external/nss/nss.cygwin64.in32bit.patch +++ /dev/null @@ -1,14 +0,0 @@ -This fixes architecture mismatch, when building -on Cygwin 64bit and in 32bit mode -diff -ru nss.orig/nss/Makefile nss/nss/Makefile ---- a/nss.orig/nss/Makefile 2016-02-26 01:00:52.146713100 +0100 -+++ b/nss/nss/Makefile 2016-02-26 01:02:05.303560100 +0100 -@@ -63,6 +63,8 @@ - # Translate coreconf build options to NSPR configure options. - # - -+NSPR_CONFIGURE_OPTS += --host=i686-pc-cygwin -+ - ifeq ($(OS_TARGET),Android) - NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) \ - --target=$(ANDROID_PREFIX) \ commit 89bc5f35055d5af1d54ce546617bf4c36de374d7 Author: Xisco Fauli <[email protected]> AuthorDate: Tue Mar 18 12:49:20 2025 +0100 Commit: Stephan Bergmann <[email protected]> CommitDate: Mon Nov 10 08:21:51 2025 +0100 nss: upgrade to 3.103 Add initialize() method to hash class: in PDFWriterImpl::emitTrailer we need to re-initialize the hash after calling finalize(), otherwise update() inside writeBuffer will fail with Assertion failure: rv == SECSuccess, at sechash.c:140 See https://lists.freedesktop.org/archives/libreoffice/2025-March/093075.html Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_103_RTM/src/nss-3.103-with-nspr-4.35.tar.gz Change-Id: Iebf144be7bce9f45900b427adedc7465e4b2e4e3 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/183075 Tested-by: Jenkins Reviewed-by: Xisco Fauli <[email protected]> (cherry picked from commit c8bfafbbf802a690d94807b6292852bb754818e0) Reviewed-on: https://gerrit.libreoffice.org/c/core/+/193563 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Stephan Bergmann <[email protected]> diff --git a/comphelper/source/misc/hash.cxx b/comphelper/source/misc/hash.cxx index 96e125cac23d..164a15b01cdf 100644 --- a/comphelper/source/misc/hash.cxx +++ b/comphelper/source/misc/hash.cxx @@ -105,9 +105,18 @@ struct HashImpl } } mpContext = HASH_Create(getNSSType()); - HASH_Begin(mpContext); #elif USE_TLS_OPENSSL mpContext = EVP_MD_CTX_create(); +#endif + + initialize(); + } + + void initialize() + { +#if USE_TLS_NSS + HASH_Begin(mpContext); +#elif USE_TLS_OPENSSL EVP_DigestInit_ex(mpContext, getOpenSSLType(), nullptr); #endif } @@ -143,6 +152,11 @@ void Hash::update(const unsigned char* pInput, size_t length) #endif } +void Hash::initialize() +{ + mpImpl->initialize(); +} + std::vector<unsigned char> Hash::finalize() { std::vector<unsigned char> hash(getLength(), 0); diff --git a/download.lst b/download.lst index c654660bda47..5b9528c006aa 100644 --- a/download.lst +++ b/download.lst @@ -580,8 +580,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz # three static lines # so that git cherry-pick # will not run into conflicts -NSS_SHA256SUM := ddfdec73fb4b0eedce5fc4de09de9ba14d2ddbfbf67e42372903e1510f2d3d65 -NSS_TARBALL := nss-3.102.1-with-nspr-4.35.tar.gz +NSS_SHA256SUM := 1636c8c85794e779855183997805b6edfe2dfb43cdf5b6cf1934bf16b1b32520 +NSS_TARBALL := nss-3.103-with-nspr-4.35.tar.gz # three static lines # so that git cherry-pick # will not run into conflicts diff --git a/external/nss/nss-android.patch.1 b/external/nss/nss-android.patch.1 index 707fcf99afe0..aeb690666450 100644 --- a/external/nss/nss-android.patch.1 +++ b/external/nss/nss-android.patch.1 @@ -41,7 +41,7 @@ diff -ur nss.org/nspr/configure nss/nspr/configure diff -ur nss.org/nss/Makefile nss/nss/Makefile --- nss.org/nss/Makefile 2017-09-07 15:29:44.933245745 +0200 +++ nss/nss/Makefile 2017-09-07 15:32:04.347181076 +0200 -@@ -65,7 +65,7 @@ +@@ -67,7 +67,7 @@ ifeq ($(OS_TARGET),Android) NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) \ @@ -50,16 +50,14 @@ diff -ur nss.org/nss/Makefile nss/nss/Makefile --with-android-version=$(OS_TARGET_RELEASE) \ --with-android-toolchain=$(ANDROID_TOOLCHAIN) \ --with-android-platform=$(ANDROID_SYSROOT) ---- nss/nss/Makefile.orig 2019-11-26 14:52:15.934561202 +0100 -+++ nss/nss/Makefile 2019-11-26 14:52:20.538559612 +0100 -@@ -140,7 +140,6 @@ - +@@ -143,7 +143,6 @@ + ifndef NSS_DISABLE_NSPR_TESTS build_nspr: $(NSPR_CONFIG_STATUS) $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) - $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests - - install_nspr: build_nspr - $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install + else + build_nspr: $(NSPR_CONFIG_STATUS) + $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) --- nss/nss/lib/ckfw/builtins/manifest.mn.orig 2019-11-26 15:18:22.185985193 +0100 +++ nss/nss/lib/ckfw/builtins/manifest.mn 2019-11-26 15:18:29.281982387 +0100 @@ -5,7 +5,7 @@ diff --git a/external/nss/nss-ios.patch b/external/nss/nss-ios.patch index 58239f718978..6f6b149cead5 100644 --- a/external/nss/nss-ios.patch +++ b/external/nss/nss-ios.patch @@ -16,14 +16,14 @@ endif # -@@ -140,7 +138,6 @@ - +@@ -141,7 +143,6 @@ + ifndef NSS_DISABLE_NSPR_TESTS build_nspr: $(NSPR_CONFIG_STATUS) $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) - $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests - - install_nspr: build_nspr - $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install + else + build_nspr: $(NSPR_CONFIG_STATUS) + $(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) --- a/a/nss/lib/ckfw/builtins/manifest.mn +++ a/a/nss/lib/ckfw/builtins/manifest.mn @@ -5,7 +5,7 @@ @@ -75,7 +75,7 @@ #if defined(_WIN32) if (nssUTF8_Length(mod->dllName, NULL)) { wchar_t *dllNameWide = _NSSUTIL_UTF8ToWide(mod->dllName); -@@ -507,6 +510,11 @@ +@@ -507,6 +510,10 @@ mod->moduleDBFunc = (void *) PR_FindSymbol(library, "NSS_ReturnModuleSpecData"); } @@ -83,11 +83,10 @@ + if (strcmp(mod->dllName, "NSSCKBI") == 0) + fentry = NSSCKBI_C_GetFunctionList; +#endif -+ if (mod->moduleDBFunc == NULL) mod->isModuleDB = PR_FALSE; if ((ientry == NULL) && (fentry == NULL)) { -@@ -643,10 +651,12 @@ +@@ -643,10 +650,12 @@ } fail: mod->functionList = NULL; diff --git a/include/comphelper/hash.hxx b/include/comphelper/hash.hxx index 9567904e6080..30bcb289ec97 100644 --- a/include/comphelper/hash.hxx +++ b/include/comphelper/hash.hxx @@ -66,6 +66,8 @@ public: update(rInput.data(), rInput.size()); } + void initialize(); + std::vector<unsigned char> finalize(); static std::vector<unsigned char> calculateHash(const unsigned char* pInput, size_t length, HashType eType); diff --git a/vcl/source/gdi/pdfwriter_impl.cxx b/vcl/source/gdi/pdfwriter_impl.cxx index 3060557b13fb..2a73e4896f3f 100644 --- a/vcl/source/gdi/pdfwriter_impl.cxx +++ b/vcl/source/gdi/pdfwriter_impl.cxx @@ -6125,6 +6125,11 @@ bool PDFWriterImpl::emitTrailer() aLine.append( "] " ); } + // After calling m_DocDigest.finalize(), we need to initialize the hash again, + // otherwise, m_DocDigest.update() inside writeBuffer will fail with + // Assertion failure: rv == SECSuccess, at sechash.c:140 + m_DocDigest.initialize(); + aLine.append( ">> " "startxref " ); aLine.append( static_cast<sal_Int64>(nXRefOffset) );
