[SCM] Debian packaging for XML-Security-C branch, master, updated. debian/1.7.0-1-11-gbbed522
Russ Allbery
rra at debian.org
Tue Jun 18 04:36:30 UTC 2013
The following commit has been merged in the master branch:
commit faf40d76b8142e959e85e9667064672d911cd878
Author: Russ Allbery <rra at debian.org>
Date: Mon Jun 17 20:35:29 2013 -0700
Imported Upstream version 1.7.1
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 5bb30c6..8fc01ec 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -1,3 +1,8 @@
+Changes since 1.7.0
+=====================================
+* Fixes for CVE-2013-2153, CVE-2013-2154, CVE-2013-2155, CVE-2013-2156
+* Reduced entity expansion limits when parsing
+
Changes since 1.6.1
=====================================
* [SANTUARIO-314] - AES-GCM support
diff --git a/Makefile.in b/Makefile.in
index 77bb459..338c203 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.12.2 from Makefile.am.
+# Makefile.in generated by automake 1.12.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2012 Free Software Foundation, Inc.
@@ -74,7 +74,7 @@ DIST_COMMON = $(am__configure_deps) $(srcdir)/Makefile.am \
$(top_srcdir)/build-aux/ltmain.sh \
$(top_srcdir)/build-aux/missing $(top_srcdir)/configure \
$(top_srcdir)/xsec/framework/XSECConfig.hpp.in \
- build-aux/config.guess build-aux/config.sub \
+ build-aux/config.guess build-aux/config.sub build-aux/depcomp \
build-aux/install-sh build-aux/ltmain.sh build-aux/missing
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/ax_pthread.m4 \
@@ -618,9 +618,9 @@ distcheck: dist
*.zip*) \
unzip $(distdir).zip ;;\
esac
- chmod -R a-w $(distdir); chmod u+w $(distdir)
- mkdir $(distdir)/_build
- mkdir $(distdir)/_inst
+ chmod -R a-w $(distdir)
+ chmod u+w $(distdir)
+ mkdir $(distdir)/_build $(distdir)/_inst
chmod a-w $(distdir)
test -d $(distdir)/_build || exit 0; \
dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \
diff --git a/NOTICE.txt b/NOTICE.txt
index 7189fd1..69617c7 100644
--- a/NOTICE.txt
+++ b/NOTICE.txt
@@ -1,5 +1,5 @@
Apache Santuario XML-Security-C Library
-Copyright 2010-2011 The Apache Software Foundation
+Copyright 2010-2013 The Apache Software Foundation
This product includes software developed at
The Apache Software Foundation (http://www.apache.org/).
diff --git a/aclocal.m4 b/aclocal.m4
index 6d3cddd..20a34ef 100644
--- a/aclocal.m4
+++ b/aclocal.m4
@@ -1,4 +1,4 @@
-# generated automatically by aclocal 1.12.2 -*- Autoconf -*-
+# generated automatically by aclocal 1.12.6 -*- Autoconf -*-
# Copyright (C) 1996-2012 Free Software Foundation, Inc.
@@ -25,8 +25,6 @@ To do so, use the procedure documented by the package, typically 'autoreconf'.])
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 8
-
# AM_AUTOMAKE_VERSION(VERSION)
# ----------------------------
# Automake X.Y traces this macro to ensure aclocal.m4 has been
@@ -36,7 +34,7 @@ AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.12'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version. Point them to the right macro.
-m4_if([$1], [1.12.2], [],
+m4_if([$1], [1.12.6], [],
[AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])
@@ -52,7 +50,7 @@ m4_define([_AM_AUTOCONF_VERSION], [])
# Call AM_AUTOMAKE_VERSION and AM_AUTOMAKE_VERSION so they can be traced.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
-[AM_AUTOMAKE_VERSION([1.12.2])dnl
+[AM_AUTOMAKE_VERSION([1.12.6])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
[m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
@@ -65,8 +63,6 @@ _AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 2
-
# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
# $ac_aux_dir to '$srcdir/foo'. In other projects, it is set to
# '$srcdir', '$srcdir/..', or '$srcdir/../..'.
@@ -120,8 +116,6 @@ am_aux_dir=`cd $ac_aux_dir && pwd`
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 10
-
# AM_CONDITIONAL(NAME, SHELL-CONDITION)
# -------------------------------------
# Define a conditional.
@@ -153,7 +147,6 @@ fi])])
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 17
# There are a few dirty hacks below to avoid letting 'AC_PROG_CC' be
# written in clear, in which case automake, when reading aclocal.m4,
@@ -345,7 +338,6 @@ _AM_SUBST_NOTMAKE([am__nodep])dnl
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 6
# _AM_OUTPUT_DEPENDENCY_COMMANDS
# ------------------------------
@@ -422,8 +414,6 @@ AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 19
-
# This macro actually does too much. Some checks are only needed if
# your package does certain things. But this isn't really a big deal.
@@ -575,8 +565,6 @@ echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_co
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 8
-
# AM_PROG_INSTALL_SH
# ------------------
# Define $install_sh.
@@ -598,8 +586,6 @@ AC_SUBST([install_sh])])
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 2
-
# Check whether the underlying file-system supports filenames
# with a leading dot. For instance MS-DOS doesn't.
AC_DEFUN([AM_SET_LEADING_DOT],
@@ -621,8 +607,6 @@ AC_SUBST([am__leading_dot])])
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 5
-
# AM_MAKE_INCLUDE()
# -----------------
# Check to see how make treats includes.
@@ -673,8 +657,6 @@ rm -f confinc confmf
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 7
-
# AM_MISSING_PROG(NAME, PROGRAM)
# ------------------------------
AC_DEFUN([AM_MISSING_PROG],
@@ -682,7 +664,6 @@ AC_DEFUN([AM_MISSING_PROG],
$1=${$1-"${am_missing_run}$2"}
AC_SUBST($1)])
-
# AM_MISSING_HAS_RUN
# ------------------
# Define MISSING if not defined so far and test if it supports --run.
@@ -715,8 +696,6 @@ fi
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 6
-
# _AM_MANGLE_OPTION(NAME)
# -----------------------
AC_DEFUN([_AM_MANGLE_OPTION],
@@ -748,8 +727,6 @@ AC_DEFUN([_AM_IF_OPTION],
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 9
-
# AM_SANITY_CHECK
# ---------------
AC_DEFUN([AM_SANITY_CHECK],
@@ -831,8 +808,6 @@ rm -f conftest.file
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 2
-
# AM_PROG_INSTALL_STRIP
# ---------------------
# One issue with vendor 'install' (even GNU) is that you can't
@@ -861,8 +836,6 @@ AC_SUBST([INSTALL_STRIP_PROGRAM])])
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 3
-
# _AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
@@ -882,8 +855,6 @@ AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
-# serial 3
-
# _AM_PROG_TAR(FORMAT)
# --------------------
# Check how to create a tarball in format FORMAT.
diff --git a/build-aux/depcomp b/build-aux/depcomp
index debb6ff..e1f51f4 100755
--- a/build-aux/depcomp
+++ b/build-aux/depcomp
@@ -1,7 +1,7 @@
#! /bin/sh
# depcomp - compile a program generating dependencies as side-effects
-scriptversion=2012-03-27.16; # UTC
+scriptversion=2012-07-12.20; # UTC
# Copyright (C) 1999-2012 Free Software Foundation, Inc.
@@ -74,6 +74,9 @@ tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`}
rm -f "$tmpdepfile"
+# Avoid interferences from the environment.
+gccflag= dashmflag=
+
# Some modes work just like other modes, but use different flags. We
# parameterize here, but still list the modes in the big case below,
# to make depend.m4 easier to write. Note that we *cannot* use a case
@@ -108,7 +111,7 @@ if test "$depmode" = msvc7msys; then
fi
if test "$depmode" = xlc; then
- # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency informations.
+ # IBM C/C++ Compilers xlc/xlC can output gcc-like dependency information.
gccflag=-qmakedep=gcc,-MF
depmode=gcc
fi
@@ -142,13 +145,17 @@ gcc3)
;;
gcc)
+## Note that this doesn't just cater to obsosete pre-3.x GCC compilers.
+## but also to in-use compilers like IMB xlc/xlC and the HP C compiler.
+## (see the conditional assignment to $gccflag above).
## There are various ways to get dependency output from gcc. Here's
## why we pick this rather obscure method:
## - Don't want to use -MD because we'd like the dependencies to end
## up in a subdir. Having to rename by hand is ugly.
## (We might end up doing this anyway to support other compilers.)
## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like
-## -MM, not -M (despite what the docs say).
+## -MM, not -M (despite what the docs say). Also, it might not be
+## supported by the other compilers which use the 'gcc' depmode.
## - Using -M directly means running the compiler twice (even worse
## than renaming).
if test -z "$gccflag"; then
@@ -334,6 +341,79 @@ icc)
rm -f "$tmpdepfile"
;;
+## The order of this option in the case statement is important, since the
+## shell code in configure will try each of these formats in the order
+## listed in this file. A plain '-MD' option would be understood by many
+## compilers, so we must ensure this comes after the gcc and icc options.
+pgcc)
+ # Portland's C compiler understands '-MD'.
+ # Will always output deps to 'file.d' where file is the root name of the
+ # source file under compilation, even if file resides in a subdirectory.
+ # The object file name does not affect the name of the '.d' file.
+ # pgcc 10.2 will output
+ # foo.o: sub/foo.c sub/foo.h
+ # and will wrap long lines using '\' :
+ # foo.o: sub/foo.c ... \
+ # sub/foo.h ... \
+ # ...
+ dir=`echo "$object" | sed -e 's|/[^/]*$|/|'`
+ test "x$dir" = "x$object" && dir=
+ # Use the source, not the object, to determine the base name, since
+ # that's sadly what pgcc will do too.
+ base=`echo "$source" | sed -e 's|^.*/||' -e 's/\.[-_a-zA-Z0-9]*$//'`
+ tmpdepfile="$base.d"
+
+ # For projects that build the same source file twice into different object
+ # files, the pgcc approach of using the *source* file root name can cause
+ # problems in parallel builds. Use a locking strategy to avoid stomping on
+ # the same $tmpdepfile.
+ lockdir="$base.d-lock"
+ trap "echo '$0: caught signal, cleaning up...' >&2; rm -rf $lockdir" 1 2 13 15
+ numtries=100
+ i=$numtries
+ while test $i -gt 0 ; do
+ # mkdir is a portable test-and-set.
+ if mkdir $lockdir 2>/dev/null; then
+ # This process acquired the lock.
+ "$@" -MD
+ stat=$?
+ # Release the lock.
+ rm -rf $lockdir
+ break
+ else
+ ## the lock is being held by a different process,
+ ## wait until the winning process is done or we timeout
+ while test -d $lockdir && test $i -gt 0; do
+ sleep 1
+ i=`expr $i - 1`
+ done
+ fi
+ i=`expr $i - 1`
+ done
+ trap - 1 2 13 15
+ if test $i -le 0; then
+ echo "$0: failed to acquire lock after $numtries attempts" >&2
+ echo "$0: check lockdir '$lockdir'" >&2
+ exit 1
+ fi
+
+ if test $stat -ne 0; then
+ rm -f "$tmpdepfile"
+ exit $stat
+ fi
+ rm -f "$depfile"
+ # Each line is of the form `foo.o: dependent.h',
+ # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'.
+ # Do two passes, one to just change these to
+ # `$object: dependent.h' and one to simply `dependent.h:'.
+ sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile"
+ # Some versions of the HPUX 10.20 sed can't process this invocation
+ # correctly. Breaking it into two sed invocations is a workaround.
+ sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" |
+ sed -e 's/$/ :/' >> "$depfile"
+ rm -f "$tmpdepfile"
+ ;;
+
hp2)
# The "hp" stanza above does not work with aCC (C++) and HP's ia64
# compilers, which have integrated preprocessors. The correct option
diff --git a/configure b/configure
index b71cd92..a9035af 100755
--- a/configure
+++ b/configure
@@ -1,8 +1,8 @@
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for XML-Security-C 1.7.0.
+# Generated by GNU Autoconf 2.69 for XML-Security-C 1.7.1.
#
-# Report bugs to <santuario-dev at apache.org>.
+# Report bugs to <dev at santuario.apache.org>.
#
#
# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
@@ -275,7 +275,7 @@ fi
$as_echo "$0: be upgraded to zsh 4.3.4 or later."
else
$as_echo "$0: Please tell bug-autoconf at gnu.org and
-$0: santuario-dev at apache.org about your system, including
+$0: dev at santuario.apache.org about your system, including
$0: any error possibly output before this message. Then
$0: install a modern shell, or manually run the script
$0: under such a shell if you do have one."
@@ -590,9 +590,9 @@ MAKEFLAGS=
# Identity of this package.
PACKAGE_NAME='XML-Security-C'
PACKAGE_TARNAME='xml-security-c'
-PACKAGE_VERSION='1.7.0'
-PACKAGE_STRING='XML-Security-C 1.7.0'
-PACKAGE_BUGREPORT='santuario-dev at apache.org'
+PACKAGE_VERSION='1.7.1'
+PACKAGE_STRING='XML-Security-C 1.7.1'
+PACKAGE_BUGREPORT='dev at santuario.apache.org'
PACKAGE_URL=''
ac_unique_file="xsec"
@@ -1330,7 +1330,7 @@ if test "$ac_init_help" = "long"; then
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures XML-Security-C 1.7.0 to adapt to many kinds of systems.
+\`configure' configures XML-Security-C 1.7.1 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
@@ -1400,7 +1400,7 @@ fi
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of XML-Security-C 1.7.0:";;
+ short | recursive ) echo "Configuration of XML-Security-C 1.7.1:";;
esac
cat <<\_ACEOF
@@ -1451,7 +1451,7 @@ Some influential environment variables:
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
-Report bugs to <santuario-dev at apache.org>.
+Report bugs to <dev at santuario.apache.org>.
_ACEOF
ac_status=$?
fi
@@ -1514,7 +1514,7 @@ fi
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-XML-Security-C configure 1.7.0
+XML-Security-C configure 1.7.1
generated by GNU Autoconf 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1981,7 +1981,7 @@ $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
( $as_echo "## --------------------------------------- ##
-## Report this to santuario-dev at apache.org ##
+## Report this to dev at santuario.apache.org ##
## --------------------------------------- ##"
) | sed "s/^/$as_me: WARNING: /" >&2
;;
@@ -2118,7 +2118,7 @@ $as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5
$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;}
( $as_echo "## --------------------------------------- ##
-## Report this to santuario-dev at apache.org ##
+## Report this to dev at santuario.apache.org ##
## --------------------------------------- ##"
) | sed "s/^/$as_me: WARNING: /" >&2
;;
@@ -2187,7 +2187,7 @@ cat >config.log <<_ACEOF
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by XML-Security-C $as_me 1.7.0, which was
+It was created by XML-Security-C $as_me 1.7.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
$ $0 $@
@@ -3013,7 +3013,7 @@ fi
# Define the identity of the package.
PACKAGE='xml-security-c'
- VERSION='1.7.0'
+ VERSION='1.7.1'
cat >>confdefs.h <<_ACEOF
@@ -17927,7 +17927,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by XML-Security-C $as_me 1.7.0, which was
+This file was extended by XML-Security-C $as_me 1.7.1, which was
generated by GNU Autoconf 2.69. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
@@ -17987,13 +17987,13 @@ $config_headers
Configuration commands:
$config_commands
-Report bugs to <santuario-dev at apache.org>."
+Report bugs to <dev at santuario.apache.org>."
_ACEOF
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-XML-Security-C config.status 1.7.0
+XML-Security-C config.status 1.7.1
configured by $0, generated by GNU Autoconf 2.69,
with options \\"\$ac_cs_config\\"
diff --git a/configure.ac b/configure.ac
index 78eea22..674b04a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,7 +17,7 @@
# Process this file with autoreconf
AC_PREREQ(2.50)
-AC_INIT([[XML-Security-C]],[1.7.0],[santuario-dev at apache.org],[xml-security-c])
+AC_INIT([[XML-Security-C]],[1.7.1],[dev at santuario.apache.org],[xml-security-c])
AC_CONFIG_SRCDIR(xsec)
AC_CONFIG_AUX_DIR(build-aux)
AC_CONFIG_MACRO_DIR(m4)
diff --git a/xml-security-c.spec b/xml-security-c.spec
index cd8071d..9e49fa0 100644
--- a/xml-security-c.spec
+++ b/xml-security-c.spec
@@ -1,5 +1,5 @@
Name: xml-security-c
-Version: 1.7.0
+Version: 1.7.1
Release: 1
Summary: Apache XML security C++ library
Group: Development/Libraries/C and C++
diff --git a/xsec/Makefile.am b/xsec/Makefile.am
index ff30357..0396c5c 100644
--- a/xsec/Makefile.am
+++ b/xsec/Makefile.am
@@ -16,7 +16,7 @@
AUTOMAKE_OPTIONS = foreign
-INCLUDES = -I..
+AM_CPPFLAGS = -I..
noinst_PROGRAMS = ${samples}
bin_PROGRAMS = ${tools}
@@ -590,7 +590,7 @@ nss_sources = \
#
# Now the library specific build items
#
-libxml_security_c_la_LDFLAGS = -version-info 17:0:0
+libxml_security_c_la_LDFLAGS = -version-info 17:1:0
install-exec-hook:
for la in $(lib_LTLIBRARIES) ; do rm -f $(DESTDIR)$(libdir)/$$la ; done
@@ -618,4 +618,4 @@ EXTRA_DIST = \
enc/WinCAPI/WinCAPICryptoSymmetricKey.cpp \
enc/WinCAPI/WinCAPICryptoKeyHMAC.cpp
-
\ No newline at end of file
+
diff --git a/xsec/Makefile.in b/xsec/Makefile.in
index 0af2477..f5ec449 100644
--- a/xsec/Makefile.in
+++ b/xsec/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.12.2 from Makefile.am.
+# Makefile.in generated by automake 1.12.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994-2012 Free Software Foundation, Inc.
@@ -583,7 +583,7 @@ top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
AUTOMAKE_OPTIONS = foreign
-INCLUDES = -I..
+AM_CPPFLAGS = -I..
LDADD = libxml-security-c.la
#
@@ -1109,7 +1109,7 @@ nss_sources = \
#
# Now the library specific build items
#
-libxml_security_c_la_LDFLAGS = -version-info 17:0:0
+libxml_security_c_la_LDFLAGS = -version-info 17:1:0
EXTRA_DIST = \
utils/winutils/XSECURIResolverGenericWin32.cpp \
utils/winutils/XSECSOAPRequestorSimpleWin32.cpp \
diff --git a/xsec/canon/XSECC14n20010315.cpp b/xsec/canon/XSECC14n20010315.cpp
index 5beb00d..0cc5a15 100644
--- a/xsec/canon/XSECC14n20010315.cpp
+++ b/xsec/canon/XSECC14n20010315.cpp
@@ -25,7 +25,7 @@
*
* Author(s): Berin Lautenbach
*
- * $Id: XSECC14n20010315.cpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: XSECC14n20010315.cpp 1493961 2013-06-17 22:29:13Z scantor $
*
*/
@@ -39,6 +39,7 @@
// Xerces includes
#include <xercesc/dom/DOMElement.hpp>
#include <xercesc/dom/DOMNamedNodeMap.hpp>
+#include <xercesc/util/Janitor.hpp>
#include <xercesc/util/XMLUniDefs.hpp>
XERCES_CPP_NAMESPACE_USE
@@ -240,6 +241,8 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) {
}
+ ArrayJanitor<char> j_nsBuf(nsBuf);
+
int i, j;
i = 0;
@@ -247,21 +250,22 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) {
while (xmlnsList[i] != '\0') {
while (xmlnsList[i] == ' ' ||
- xmlnsList[i] == '\0' ||
xmlnsList[i] == '\t' ||
xmlnsList[i] == '\r' ||
- xmlnsList[i] == '\n')
+ xmlnsList[i] == '\n') {
++i; // Skip white space
+ }
j = 0;
while (!(xmlnsList[i] == ' ' ||
xmlnsList[i] == '\0' ||
xmlnsList[i] == '\t' ||
xmlnsList[i] == '\r' ||
- xmlnsList[i] == '\n'))
+ xmlnsList[i] == '\n')) {
nsBuf[j++] = xmlnsList[i++]; // Copy name
+ }
// Terminate the string
nsBuf[j] = '\0';
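Review bot: A list that ends in white space still yields one empty name: now that the skip loop stops at the terminator, the copy loop copies nothing and `nsBuf[j] = '\0'` leaves an empty string, while the code that consumes nsBuf lies outside this hunk. A guard right after the skip loop, `if (xmlnsList[i] == '\0') break;`, would keep an empty entry from being handled as a namespace prefix. The copy loop also writes `nsBuf[j++]` with no bound of its own, so it relies on nsBuf having been allocated (outside the hunk) with at least the length of xmlnsList plus one; a one-line comment at the loop stating that invariant would help.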
@@ -281,8 +285,6 @@ void XSECC14n20010315::setExclusive(char * xmlnsList) {
}
- delete[] nsBuf;
-
}
diff --git a/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp b/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp
index d10c6dc..779e29d 100644
--- a/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp
+++ b/xsec/dsig/DSIGAlgorithmHandlerDefault.cpp
@@ -23,7 +23,7 @@
* XSECAlgorithmHandlerDefault := Interface class to define handling of
* default encryption algorithms
*
- * $Id: DSIGAlgorithmHandlerDefault.cpp 1125752 2011-05-21 17:50:17Z scantor $
+ * $Id: DSIGAlgorithmHandlerDefault.cpp 1493960 2013-06-17 22:27:28Z scantor $
*
*/
@@ -60,6 +60,15 @@ bool compareBase64StringToRaw(const char * b64Str,
// Compare at most maxCompare bits (if maxCompare > 0)
// Note - whilst the other parameters are bytes, maxCompare is bits
+ // The div function below takes signed int, so make sure the value
+ // is safe to cast.
+ if ((int) maxCompare < 0) {
+
+ throw XSECException(XSECException::CryptoProviderError,
+ "Comparison length was unsafe");
+
+ }
+
unsigned char outputStr[MAXB64BUFSIZE];
unsigned int outputLen = 0;
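Review bot: The added guard `(int) maxCompare < 0` depends on how an out-of-range unsigned value converts to int, which is implementation-defined before C++20. Comparing against the limit directly, `if (maxCompare > (unsigned int) INT_MAX)` with `<climits>` included, states the same intent without relying on the cast. `CryptoProviderError` also reads oddly for a caller-supplied length that is being rejected. The body of compareBase64StringToRaw continues outside the hunk.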
@@ -126,7 +135,7 @@ bool compareBase64StringToRaw(const char * b64Str,
char mask = 0x01;
if (maxCompare != 0) {
- for (j = 0 ; j < (unsigned int) d.rem; ++i) {
+ for (j = 0 ; j < (unsigned int) d.rem; ++j) {
if ((raw[i] & mask) != (outputStr[i] & mask))
return false;
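Review bot: With `++j` the loop now terminates, but it still indexes `raw[i]` and `outputStr[i]` with whatever value `i` holds after the byte loop, which is outside this hunk. If the live function matches the `#if 0` copy that this commit deletes from DSIGSignature.cpp, the byte count is already rounded up to cover the partial byte and `i` equals that count here, so the bit loop would read one element past the bytes just compared. It also starts at mask `0x01`, the low-order bit, which is worth confirming against the intended bit order of a truncated output. Comparing `d.quot` whole bytes and then only the leading `d.rem` bits of byte `d.quot`, with that index checked against rawLen and outputLen, would make the tail comparison explicit.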
@@ -516,7 +525,7 @@ unsigned int DSIGAlgorithmHandlerDefault::signToSafeBuffer(
// Signature already created, so just translate to base 64 and enter string
// FIX: CVE-2009-0217
- if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) {
+ if (outputLength > 0 && (outputLength > hashLen || outputLength < 80 || outputLength < hashLen / 2)) {
throw XSECException(XSECException::AlgorithmMapperError,
"HMACOutputLength set to unsafe value.");
}
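Review bot: The widened condition appears twice, here in signToSafeBuffer and again in the verifyBase64Signature hunk that follows, and the two copies have to stay identical for signing and verification to agree. Moving it into one small file-local predicate, called for example as `isUnsafeHMACLength(outputLength, hashLen)`, would keep them in sync. The `// FIX: CVE-2009-0217` comment above it now also covers the new upper bound, so a line such as `// Also reject lengths larger than the hash output itself` would record why `outputLength > hashLen` is there. Both function bodies extend beyond their hunks.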
@@ -641,7 +650,7 @@ bool DSIGAlgorithmHandlerDefault::verifyBase64Signature(
// Already done - just compare calculated value with read value
// FIX: CVE-2009-0217
- if (outputLength > 0 && (outputLength < 80 || outputLength < hashLen / 2)) {
+ if (outputLength > 0 && (outputLength > hashLen || outputLength < 80 || outputLength < hashLen / 2)) {
throw XSECException(XSECException::AlgorithmMapperError,
"HMACOutputLength set to unsafe value.");
}
diff --git a/xsec/dsig/DSIGReference.cpp b/xsec/dsig/DSIGReference.cpp
index edd3e48..b07cecb 100644
--- a/xsec/dsig/DSIGReference.cpp
+++ b/xsec/dsig/DSIGReference.cpp
@@ -22,7 +22,7 @@
*
* DSIG_Reference := Class for handling a DSIG reference element
*
- * $Id: DSIGReference.cpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: DSIGReference.cpp 1493959 2013-06-17 22:26:41Z scantor $
*
*/
@@ -516,17 +516,15 @@ TXFMBase * DSIGReference::getURIBaseTXFM(DOMDocument * doc,
}
else if (URI[9] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen &&
- URI[10] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_i &&
- URI[11] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_d &&
- URI[12] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen &&
- URI[13] == XERCES_CPP_NAMESPACE_QUALIFIER chSingleQuote) {
+ URI[10] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_i &&
+ URI[11] == XERCES_CPP_NAMESPACE_QUALIFIER chLatin_d &&
+ URI[12] == XERCES_CPP_NAMESPACE_QUALIFIER chOpenParen &&
+ URI[13] == XERCES_CPP_NAMESPACE_QUALIFIER chSingleQuote) {
xsecsize_t len = XMLString::stringLen(&URI[14]);
- XMLCh tmp[512];
-
- if (len > 511)
- len = 511;
+ XMLCh* tmp = new XMLCh[len + 1];
+ ArrayJanitor<XMLCh> j_tmp(tmp);
xsecsize_t j = 14, i = 0;
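Review bot: The allocation `new XMLCh[len + 1]` is only safe if the loop that fills `tmp` stops once `i` reaches `len`, and that loop begins after the last line of this hunk, so the bound cannot be confirmed from here. A comment at the allocation, `// len + 1: every character after id(' plus the terminating null`, would tie the size to the copy that follows. ArrayJanitor is used here without a matching include in this file's diff; if `<xercesc/util/Janitor.hpp>` is not already pulled in, it should be added as the XSECC14n20010315.cpp change does.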
@@ -630,9 +628,14 @@ void DSIGReference::load(void) {
// Now check for Transforms
tmpElt = mp_referenceNode->getFirstChild();
- while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE))
+ while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) {
+ if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <Reference> are unsupported.");
+ }
// Skip text and comments
tmpElt = tmpElt->getNextSibling();
+ }
if (tmpElt == 0) {
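Review bot: The same skip loop with an EntityReference check is pasted into every later hunk of this file and into the DSIGSignedInfo.cpp hunks. The copies under the Manifest lookup and in loadReferenceListFromXML still report `<Reference>`, although the nodes walked there appear to be children of a different element. A single file-local helper that takes the message would remove the repetition and let each call site name its real parent; the two loops that also match on the local name (DigestValue, Reference) need a variant with the name test. `ExpectedDSIGChildNotFound` is also reused for an unsupported-node condition, which callers cannot tell apart from a missing child. DSIGReference::load starts and ends outside this hunk, and the helper name below is only a suggestion.

```cpp
// Return n, or its first following sibling that is an element; entity
// references are rejected instead of being skipped.
static DOMNode * skipToElement(DOMNode * n, const char * msg) {
    while (n != 0 && n->getNodeType() != DOMNode::ELEMENT_NODE) {
        if (n->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
            throw XSECException(XSECException::ExpectedDSIGChildNotFound, msg);
        }
        n = n->getNextSibling();
    }
    return n;
}

// … unchanged: "Now check for Transforms" comment …
tmpElt = skipToElement(mp_referenceNode->getFirstChild(),
    "EntityReference nodes in <Reference> are unsupported.");
```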
@@ -651,13 +654,19 @@ void DSIGReference::load(void) {
// Find next node
tmpElt = tmpElt->getNextSibling();
- while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE))
+ while (tmpElt != 0 && (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE)) {
+ if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <Reference> are unsupported.");
+ }
tmpElt = tmpElt->getNextSibling();
+ }
} /* if tmpElt node type = transforms */
- else
+ else {
mp_transformList = NULL;
+ }
if (tmpElt == NULL || !strEquals(getDSIGLocalName(tmpElt), "DigestMethod")) {
@@ -692,8 +701,14 @@ void DSIGReference::load(void) {
tmpElt = tmpElt->getNextSibling();
- while (tmpElt != 0 && !(strEquals(getDSIGLocalName(tmpElt), "DigestValue")))
+ while (tmpElt != 0 &&
+ (tmpElt->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(tmpElt), "DigestValue"))) {
+ if (tmpElt->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <Reference> are unsupported.");
+ }
tmpElt = tmpElt->getNextSibling();
+ }
if (tmpElt == 0) {
@@ -731,8 +746,13 @@ void DSIGReference::load(void) {
// Find Manifest child
manifestNode = manifestNode->getFirstChild();
- while (manifestNode != 0 && manifestNode->getNodeType() != DOMNode::ELEMENT_NODE)
+ while (manifestNode != 0 && manifestNode->getNodeType() != DOMNode::ELEMENT_NODE) {
+ if (manifestNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <Reference> are unsupported.");
+ }
manifestNode = manifestNode->getNextSibling();
+ }
if (manifestNode == 0 || !strEquals(getDSIGLocalName(manifestNode), "Manifest"))
throw XSECException(XSECException::ExpectedDSIGChildNotFound,
@@ -743,8 +763,14 @@ void DSIGReference::load(void) {
// Now have the manifest node, find the first reference and load!
referenceNode = manifestNode->getFirstChild();
- while (referenceNode != 0 && !strEquals(getDSIGLocalName(referenceNode), "Reference"))
+ while (referenceNode != 0 &&
+ (referenceNode->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(referenceNode), "Reference"))) {
+ if (referenceNode->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <Reference> are unsupported.");
+ }
referenceNode = referenceNode->getNextSibling();
+ }
if (referenceNode == 0)
throw XSECException(XSECException::ExpectedDSIGChildNotFound,
@@ -797,8 +823,13 @@ DSIGReferenceList *DSIGReference::loadReferenceListFromXML(const XSECEnv * env,
// Find next element Node
tmpRef = tmpRef->getNextSibling();
- while (tmpRef != 0 && tmpRef->getNodeType() != DOMNode::ELEMENT_NODE)
+ while (tmpRef != 0 && tmpRef->getNodeType() != DOMNode::ELEMENT_NODE) {
+ if (tmpRef->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <Reference> are unsupported.");
+ }
tmpRef = tmpRef->getNextSibling();
+ }
}
diff --git a/xsec/dsig/DSIGSignature.cpp b/xsec/dsig/DSIGSignature.cpp
index 0947e60..f43a8ee 100644
--- a/xsec/dsig/DSIGSignature.cpp
+++ b/xsec/dsig/DSIGSignature.cpp
@@ -24,7 +24,7 @@
*
* Author(s): Berin Lautenbach
*
- * $Id: DSIGSignature.cpp 1357795 2012-07-05 18:37:09Z scantor $
+ * $Id: DSIGSignature.cpp 1478626 2013-05-03 01:34:21Z scantor $
*
*/
@@ -111,152 +111,6 @@ void DSIGSignature::Initialise(void) {
}
-// --------------------------------------------------------------------------------
-// Some useful utility functions
-// --------------------------------------------------------------------------------
-
-
-#if 0
-
-bool compareBase64StringToRaw(safeBuffer &b64SB,
- unsigned char * raw,
- unsigned int rawLen,
- unsigned int maxCompare = 0) {
- // Decode a base64 buffer and then compare the result to a raw buffer
- // Compare at most maxCompare bits (if maxComare > 0)
- // Note - whilst the other parameters are bytes, maxCompare is bits
-
- unsigned char outputStr[1024];
- unsigned char b64Str[1024];
- unsigned int outputLen = 0;
-
- XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64();
-
- if (!b64) {
-
- throw XSECException(XSECException::CryptoProviderError,
- "Error requesting Base64 object from Crypto Provider");
-
- }
-
- Janitor<XSECCryptoBase64> j_b64(b64);
-
- strncpy((char *) b64Str, (char *) b64SB.rawBuffer(), 1023);
- b64Str[1023] = '\0'; // Just in case
-
- b64->decodeInit();
- outputLen = b64->decode((unsigned char *) b64Str, (unsigned int) strlen((char *) b64Str), outputStr, 1024);
- outputLen += b64->decodeFinish(&outputStr[outputLen], 1024 - outputLen);
-
- // Compare
-
- div_t d;
- unsigned int maxCompareBytes, maxCompareBits;
- maxCompareBits = 0;
-
- unsigned int size;
-
- if (maxCompare > 0) {
- d = div(maxCompare, 8);
- maxCompareBytes = d.quot;
- if (d.rem != 0)
- maxCompareBytes++;
-
- if (rawLen < maxCompareBytes && outputLen < maxCompareBytes) {
- if (rawLen != outputLen)
- return false;
- size = rawLen;
- }
- else if (rawLen < maxCompareBytes || outputLen < maxCompareBytes) {
- return false;
- }
- else
- size = maxCompareBytes;
- }
- else {
-
- if (rawLen != outputLen)
- return false;
-
- size = rawLen;
-
- }
-
- // Compare bytes
- unsigned int i, j;
- for (i = 0; i < size; ++ i) {
- if (raw[i] != outputStr[i])
- return false;
- }
-
- // Compare bits
-
- char mask = 0x01;
- if (maxCompare != 0) {
- for (j = 0 ; j < (unsigned int) d.rem; ++i) {
-
- if ((raw[i] & mask) != (outputStr[i] & mask))
- return false;
-
- mask = mask << 1;
- }
- }
-
- return true;
-
-}
-
-
-void convertRawToBase64String(safeBuffer &b64SB,
- unsigned char * raw,
- unsigned int rawLen,
- unsigned int maxBits = 0) {
-
- // Translate the rawbuffer (at most maxBits or rawLen - whichever is smaller)
- // to a base64 string
-
- unsigned char b64Str[1024];
- unsigned int outputLen = 0;
-
- XSECCryptoBase64 * b64 = XSECPlatformUtils::g_cryptoProvider->base64();
-
- if (!b64) {
-
- throw XSECException(XSECException::CryptoProviderError,
- "Error requesting Base64 object from Crypto Provider");
-
- }
-
- Janitor<XSECCryptoBase64> j_b64(b64);
-
- // Determine length to translate
- unsigned int size;
-
- if (maxBits > 0) {
- div_t d = div(maxBits, 8);
- size = d.quot;
- if (d.rem != 0)
- ++size;
-
- if (size > rawLen)
- size = rawLen;
- }
-
- else
- size = rawLen;
-
- b64->encodeInit();
- outputLen = b64->encode((unsigned char *) raw, rawLen, b64Str, 1024);
- outputLen += b64->encodeFinish(&b64Str[outputLen], 1024 - outputLen);
- b64Str[outputLen] = '\0';
-
- // Copy out
-
- b64SB.sbStrcpyIn((char *) b64Str);
-
-}
-
-#endif /* 0 */
// --------------------------------------------------------------------------------
// Get the Canonicalised BYTE_STREAM of the SignedInfo
diff --git a/xsec/dsig/DSIGSignedInfo.cpp b/xsec/dsig/DSIGSignedInfo.cpp
index 7d3e266..9c64ef6 100644
--- a/xsec/dsig/DSIGSignedInfo.cpp
+++ b/xsec/dsig/DSIGSignedInfo.cpp
@@ -22,7 +22,7 @@
*
* DSIGSignedInfo := Class for checking and setting up signed Info nodes in a DSIG signature
*
- * $Id: DSIGSignedInfo.cpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: DSIGSignedInfo.cpp 1493959 2013-06-17 22:26:41Z scantor $
*
*/
@@ -299,9 +299,14 @@ void DSIGSignedInfo::load(void) {
// Check for CanonicalizationMethod
- while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE))
+ while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) {
+ if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <SignedInfo> are unsupported.");
+ }
// Skip text and comments
tmpSI = tmpSI->getNextSibling();
+ }
if (tmpSI == 0 || !strEquals(getDSIGLocalName(tmpSI), "CanonicalizationMethod")) {
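Review bot: The four-line EntityReference check added in this loop is repeated verbatim in the three later hunks of DSIGSignedInfo::load() (before SignatureMethod, in the HMACOutputLength scan, and in the final sibling walk), so the four copies can drift apart. A file-local helper such as `static void rejectEntityReference(const DOMNode *n)` that holds the test and the throw would leave each loop body as `rejectEntityReference(tmpSI); tmpSI = tmpSI->getNextSibling();`. The helper should carry a comment explaining why the node is rejected rather than skipped: the old loop stepped over every non-element sibling, so anything sitting under an entity reference was never inspected by the loader. The existing `// Skip text and comments` comment now sits below the throw and would read better above the `getNextSibling()` line only. load() starts and ends outside this hunk.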
@@ -362,17 +367,23 @@ void DSIGSignedInfo::load(void) {
}
- else
+ else {
throw XSECException(XSECException::UnknownCanonicalization);
+ }
// Now load the SignatureMethod
tmpSI = tmpSI->getNextSibling();
- while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE))
+ while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) {
+ if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <SignedInfo> are unsupported.");
+ }
// Skip text and comments
tmpSI = tmpSI->getNextSibling();
+ }
if (tmpSI == 0 || !strEquals(getDSIGLocalName(tmpSI), "SignatureMethod")) {
@@ -406,10 +417,14 @@ void DSIGSignedInfo::load(void) {
* longer know at this point if this is an HMAC, we need to check. */
DOMNode *tmpSOV = tmpSI->getFirstChild();
- while (tmpSOV != NULL &&
- tmpSOV->getNodeType() != DOMNode::ELEMENT_NODE &&
- !strEquals(getDSIGLocalName(tmpSOV), "HMACOutputLength"))
+ while (tmpSOV != NULL &&
+ (tmpSOV->getNodeType() != DOMNode::ELEMENT_NODE || !strEquals(getDSIGLocalName(tmpSOV), "HMACOutputLength"))) {
+ if (tmpSOV->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <SignedInfo> are unsupported.");
+ }
tmpSOV = tmpSOV->getNextSibling();
+ }
if (tmpSOV != NULL) {
@@ -433,9 +448,14 @@ void DSIGSignedInfo::load(void) {
// Run through the rest of the elements until done
- while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE))
+ while (tmpSI != 0 && (tmpSI->getNodeType() != DOMNode::ELEMENT_NODE)) {
+ if (tmpSI->getNodeType() == DOMNode::ENTITY_REFERENCE_NODE) {
+ throw XSECException(XSECException::ExpectedDSIGChildNotFound,
+ "EntityReference nodes in <SignedInfo> are unsupported.");
+ }
// Skip text and comments
tmpSI = tmpSI->getNextSibling();
+ }
if (tmpSI != NULL) {
diff --git a/xsec/framework/XSECDefs.hpp b/xsec/framework/XSECDefs.hpp
index 6e84529..513ebc1 100644
--- a/xsec/framework/XSECDefs.hpp
+++ b/xsec/framework/XSECDefs.hpp
@@ -24,7 +24,7 @@
*
* Author(s): Berin Lautenbach
*
- * $Id: XSECDefs.hpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: XSECDefs.hpp 1493962 2013-06-17 22:32:41Z scantor $
*
*/
@@ -69,6 +69,9 @@
typedef unsigned int xsecsize_t;
#endif
+// Pending API change, compile in a limit for Xerces SecurityManager entity expansion
+#define XSEC_ENTITY_EXPANSION_LIMIT 1000
+
// --------------------------------------------------------------------------------
// Namespace Handling
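Review bot: `XSEC_ENTITY_EXPANSION_LIMIT` is defined unconditionally, so a packager or embedding application cannot lower or raise it without patching this header. Since the comment already calls this a stop-gap pending an API change, I would guard it: `#ifndef XSEC_ENTITY_EXPANSION_LIMIT` / `#define XSEC_ENTITY_EXPANSION_LIMIT 1000` / `#endif`. The comment could also state the unit (number of entity expansions per parse) and that the value is passed to `SecurityManager::setEntityExpansionLimit` in the parser setup code.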
diff --git a/xsec/framework/XSECEnv.cpp b/xsec/framework/XSECEnv.cpp
index 3b8bc2a..6e31522 100644
--- a/xsec/framework/XSECEnv.cpp
+++ b/xsec/framework/XSECEnv.cpp
@@ -23,7 +23,7 @@
* XSECEnv := Configuration class - used by the other classes to retrieve
* information on the environment they are working under
*
- * $Id: XSECEnv.cpp 1350043 2012-06-13 22:31:04Z scantor $
+ * $Id: XSECEnv.cpp 1478615 2013-05-03 00:07:02Z scantor $
*
*/
diff --git a/xsec/framework/XSECVersion.hpp b/xsec/framework/XSECVersion.hpp
index 5cfb3fa..c55f769 100644
--- a/xsec/framework/XSECVersion.hpp
+++ b/xsec/framework/XSECVersion.hpp
@@ -30,7 +30,7 @@
#define XSEC_VERSION_MAJOR 1
#define XSEC_VERSION_MEDIUM 7
-#define XSEC_VERSION_MINOR 0
+#define XSEC_VERSION_MINOR 1
// --------------------------------------------------------------------------------
// Version Handling
diff --git a/xsec/framework/version.rc b/xsec/framework/version.rc
index 52721aa..a4ddbac 100644
--- a/xsec/framework/version.rc
+++ b/xsec/framework/version.rc
@@ -54,8 +54,8 @@ END
//
VS_VERSION_INFO VERSIONINFO
- FILEVERSION 1,7,0,0
- PRODUCTVERSION 1,7,0,0
+ FILEVERSION 1,7,1,0
+ PRODUCTVERSION 1,7,1,0
FILEFLAGSMASK 0x3fL
#ifdef _DEBUG
FILEFLAGS 0x1L
@@ -73,13 +73,13 @@ BEGIN
VALUE "Comments", "\0"
VALUE "CompanyName", "The Apache Software Foundation\0"
VALUE "FileDescription", "Santuario C++ XML Security Library\0"
- VALUE "FileVersion", "1, 7, 0, 0\0"
+ VALUE "FileVersion", "1, 7, 1, 0\0"
#ifdef _DEBUG
VALUE "InternalName", "xsec_1_7D\0"
#else
VALUE "InternalName", "xsec_1_7\0"
#endif
- VALUE "LegalCopyright", "Copyright © 2002-2012 The Apache Software Foundation\0"
+ VALUE "LegalCopyright", "Copyright © 2002-2013 The Apache Software Foundation\0"
VALUE "LegalTrademarks", "\0"
#ifdef _DEBUG
VALUE "OriginalFilename", "xsec_1_7D.dll\0"
@@ -88,7 +88,7 @@ BEGIN
#endif
VALUE "PrivateBuild", "\0"
VALUE "ProductName", "Santuario C++ XML Security Library\0"
- VALUE "ProductVersion", "1, 7, 0, 0\0"
+ VALUE "ProductVersion", "1, 7, 1, 0\0"
VALUE "SpecialBuild", "\0"
END
END
diff --git a/xsec/tools/checksig/checksig.cpp b/xsec/tools/checksig/checksig.cpp
index cd5074d..db81d27 100644
--- a/xsec/tools/checksig/checksig.cpp
+++ b/xsec/tools/checksig/checksig.cpp
@@ -22,7 +22,7 @@
*
* checkSig := (Very ugly) tool to check a signature embedded in an XML file
*
- * $Id: checksig.cpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: checksig.cpp 1478616 2013-05-03 00:07:57Z scantor $
*
*/
@@ -147,6 +147,8 @@ void printUsage(void) {
cerr << " Set an hmac key using the <string>\n\n";
cerr << " --xsecresolver/-x\n";
cerr << " Use the xml-security test XMLDSig URI resolver\n\n";
+ cerr << " --id <name>\n";
+ cerr << " Define an attribute Id by name\n\n";
cerr << " --idns/-d <ns uri> <name>\n";
cerr << " Define an attribute Id by namespace URI and name\n\n";
#if defined (XSEC_HAVE_OPENSSL)
@@ -208,6 +210,14 @@ int evaluate(int argc, char ** argv) {
useXSECURIResolver = true;
paramCount++;
}
+ else if (_stricmp(argv[paramCount], "--id") == 0) {
+ if (paramCount +1 >= argc) {
+ printUsage();
+ return 2;
+ }
+ paramCount++;
+ useIdAttributeName = argv[paramCount++];
+ }
else if (_stricmp(argv[paramCount], "--idns") == 0 || _stricmp(argv[paramCount], "-d") == 0) {
if (paramCount +2 >= argc) {
printUsage();
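Review bot: The new `--id` branch overwrites `useIdAttributeName` but leaves `useIdAttributeNS` untouched. Assuming the `--idns` branch (its body runs past this hunk) stores the namespace in `useIdAttributeNS`, a command line with `--idns <ns> <name>` followed by `--id <other>` would register `<other>` under the earlier namespace, because the later registration code chooses the NS variant whenever `useIdAttributeNS != NULL`. Adding `useIdAttributeNS = NULL;` next to the assignment in the `--id` branch makes the last option win unambiguously.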
@@ -399,12 +409,17 @@ int evaluate(int argc, char ** argv) {
// so we add a KeyInfoResolverDefault to the Signature.
sig->setKeyInfoResolver(&theKeyInfoResolver);
- sig->registerIdAttributeName(MAKE_UNICODE_STRING("ID"));
// Register defined attribute name
- if (useIdAttributeName != NULL)
- sig->registerIdAttributeNameNS(MAKE_UNICODE_STRING(useIdAttributeNS),
- MAKE_UNICODE_STRING(useIdAttributeName));
+ if (useIdAttributeName != NULL) {
+ sig->setIdByAttributeName(true);
+ if (useIdAttributeNS != NULL) {
+ sig->registerIdAttributeNameNS(MAKE_UNICODE_STRING(useIdAttributeNS),
+ MAKE_UNICODE_STRING(useIdAttributeName));
+ } else {
+ sig->registerIdAttributeName(MAKE_UNICODE_STRING(useIdAttributeName));
+ }
+ }
// Check whether we should use the internal resolver
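Review bot: The comment `// Register defined attribute name` no longer tells the reader that nothing is registered when neither `--id` nor `--idns` is given, which is a behaviour change from the removed unconditional `registerIdAttributeName("ID")`. I would reword it to `// By-name Id lookup is enabled only when --id/--idns was given; no default attribute name is registered`. The `--id` text added to printUsage() could say the same, since documents that relied on the implicit `ID` may now need `--id ID`. evaluate() continues outside this hunk.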
diff --git a/xsec/transformers/TXFMParser.cpp b/xsec/transformers/TXFMParser.cpp
index 705644b..abccda7 100644
--- a/xsec/transformers/TXFMParser.cpp
+++ b/xsec/transformers/TXFMParser.cpp
@@ -24,7 +24,7 @@
*
* Author(s): Berin Lautenbach
*
- * $Id: TXFMParser.cpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: TXFMParser.cpp 1493962 2013-06-17 22:32:41Z scantor $
*
*/
@@ -114,8 +114,11 @@ void TXFMParser::setInput(TXFMBase *newInput) {
XercesDOMParser parser;
parser.setDoNamespaces(true);
- parser.setCreateEntityReferenceNodes(true);
- parser.setDoSchema(true);
+ parser.setLoadExternalDTD(false);
+
+ SecurityManager securityManager;
+ securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+ parser.setSecurityManager(&securityManager);
parser.parse(is);
xsecsize_t errorCount = parser.getErrorCount();
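Review bot: The new parser setup bounds entity expansion and turns off external DTD loading, but it does not configure entity resolution itself. `setLoadExternalDTD(false)` concerns the external DTD subset; whether an external general entity declared in an internal subset is still fetched is decided by the resolver, so that case should be confirmed as covered. Where the Xerces-C version in use provides it, adding `parser.setDisableDefaultEntityResolution(true);` next to `setLoadExternalDTD(false)` closes that path explicitly. The same setup appears in the XSECSOAPRequestorSimple::parseAndUnwrap and XENCCipherImpl::deSerialise hunks. In all three the `SecurityManager` is declared after the parser that holds a pointer to it, so it is destroyed first; declaring it before the parser keeps the pointer valid for the parser's whole lifetime.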
diff --git a/xsec/transformers/TXFMXSL.cpp b/xsec/transformers/TXFMXSL.cpp
index 51e205a..e22aeec 100644
--- a/xsec/transformers/TXFMXSL.cpp
+++ b/xsec/transformers/TXFMXSL.cpp
@@ -22,7 +22,7 @@
*
* TXFMXSL := Class that performs XPath transforms
*
- * $Id: TXFMXSL.cpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: TXFMXSL.cpp 1493962 2013-06-17 22:32:41Z scantor $
*
*/
@@ -187,8 +187,12 @@ void TXFMXSL::evaluateStyleSheet(const safeBuffer &sbStyleSheet) {
parser->setDoNamespaces(true);
parser->setCreateEntityReferenceNodes(true);
+ parser->setLoadExternalDTD(false);
parser->setDoSchema(true);
+ SecurityManager securityManager;
+ parser->setSecurityManager(&securityManager);
+
// Create an input source
MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) txoh.buffer.rawBuffer(), txoh.offset, "XSECMem");
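Review bot: The `SecurityManager` installed here never gets the `setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT)` call that the TXFMParser, XSECSOAPRequestorSimple and XENCCipherImpl hunks make, so the stylesheet parser runs with whatever limit `SecurityManager` defaults to. If that is not deliberate, add `securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);` before `parser->setSecurityManager(&securityManager);`. `parser` is a pointer whose allocation lies outside this hunk, so it is also worth confirming that the stack-allocated manager outlives every use of that parser.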
diff --git a/xsec/utils/XSECSOAPRequestorSimple.cpp b/xsec/utils/XSECSOAPRequestorSimple.cpp
index a27d345..a910f91 100644
--- a/xsec/utils/XSECSOAPRequestorSimple.cpp
+++ b/xsec/utils/XSECSOAPRequestorSimple.cpp
@@ -24,7 +24,7 @@
* HTTP wrapper for testing the client code.
*
*
- * $Id: XSECSOAPRequestorSimple.cpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: XSECSOAPRequestorSimple.cpp 1493962 2013-06-17 22:32:41Z scantor $
*
*/
@@ -218,31 +218,31 @@ char * XSECSOAPRequestorSimple::wrapAndSerialise(DOMDocument * request) {
DOMDocument * XSECSOAPRequestorSimple::parseAndUnwrap(const char * buf, unsigned int len) {
- XercesDOMParser * parser = new XercesDOMParser;
- Janitor<XercesDOMParser> j_parser(parser);
+ XercesDOMParser parser;
+ parser.setDoNamespaces(true);
+ parser.setLoadExternalDTD(false);
- parser->setDoNamespaces(true);
- parser->setCreateEntityReferenceNodes(true);
- parser->setDoSchema(true);
+ SecurityManager securityManager;
+ securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+ parser.setSecurityManager(&securityManager);
// Create an input source
- MemBufInputSource* memIS = new MemBufInputSource ((const XMLByte*) buf, len, "XSECMem");
- Janitor<MemBufInputSource> j_memIS(memIS);
+ MemBufInputSource memIS((const XMLByte*) buf, len, "XSECMem");
- parser->parse(*memIS);
- xsecsize_t errorCount = parser->getErrorCount();
+ parser.parse(memIS);
+ xsecsize_t errorCount = parser.getErrorCount();
if (errorCount > 0)
throw XSECException(XSECException::HTTPURIInputStreamError,
"Error parsing response message");
if (m_envelopeType == ENVELOPE_NONE) {
- return parser->adoptDocument();
+ return parser.adoptDocument();
}
- DOMDocument * responseDoc = parser->getDocument();
+ DOMDocument * responseDoc = parser.getDocument();
// Must be a SOAP message of some kind - so lets remove the wrapper.
// First create a new document for the Response message
diff --git a/xsec/utils/XSECSafeBufferFormatter.hpp b/xsec/utils/XSECSafeBufferFormatter.hpp
index 5c2a02b..83a143b 100644
--- a/xsec/utils/XSECSafeBufferFormatter.hpp
+++ b/xsec/utils/XSECSafeBufferFormatter.hpp
@@ -24,7 +24,7 @@
*
* Author(s): Berin Lautenbach
*
- * $Id: XSECSafeBufferFormatter.hpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: XSECSafeBufferFormatter.hpp 1482601 2013-05-14 21:31:27Z scantor $
*
*/
@@ -86,8 +86,7 @@ private:
* to perform encoding translations with a safeBuffer as a target
*/
-
-class XSECSafeBufferFormatter {
+class CANON_EXPORT XSECSafeBufferFormatter {
XERCES_CPP_NAMESPACE_QUALIFIER XMLFormatter
* formatter; // To actually perform the formatting
diff --git a/xsec/xenc/impl/XENCAlgorithmHandlerDefault.cpp b/xsec/xenc/impl/XENCAlgorithmHandlerDefault.cpp
index b57b19a..e3985e8 100644
--- a/xsec/xenc/impl/XENCAlgorithmHandlerDefault.cpp
+++ b/xsec/xenc/impl/XENCAlgorithmHandlerDefault.cpp
@@ -23,7 +23,7 @@
* XSECAlgorithmHandlerDefault := Interface class to define handling of
* default encryption algorithms
*
- * $Id: XENCAlgorithmHandlerDefault.cpp 1363191 2012-07-19 00:33:46Z scantor $
+ * $Id: XENCAlgorithmHandlerDefault.cpp 1482595 2013-05-14 21:24:14Z scantor $
*
*/
@@ -1133,24 +1133,27 @@ XSECCryptoKey * XENCAlgorithmHandlerDefault::createKeyForURI(
XSECCryptoSymmetricKey * sk = NULL;
if (strEquals(uri, DSIGConstants::s_unicodeStrURI3DES_CBC)) {
+ if (keyLen < 192 / 8)
+ throw XSECException(XSECException::CipherError,
+ "XENCAlgorithmHandlerDefault - key size was invalid");
sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_3DES_192);
}
- else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES128_CBC)) {
+ else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES128_CBC) || strEquals(uri, DSIGConstants::s_unicodeStrURIAES128_GCM)) {
+ if (keyLen < 128 / 8)
+ throw XSECException(XSECException::CipherError,
+ "XENCAlgorithmHandlerDefault - key size was invalid");
sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_128);
}
- else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES192_CBC)) {
+ else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES192_CBC) || strEquals(uri, DSIGConstants::s_unicodeStrURIAES192_GCM)) {
+ if (keyLen < 192 / 8)
+ throw XSECException(XSECException::CipherError,
+ "XENCAlgorithmHandlerDefault - key size was invalid");
sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_192);
}
- else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES256_CBC)) {
- sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_256);
- }
- else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES128_GCM)) {
- sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_128);
- }
- else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES192_GCM)) {
- sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_192);
- }
- else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES256_GCM)) {
+ else if (strEquals(uri, DSIGConstants::s_unicodeStrURIAES256_CBC) || strEquals(uri, DSIGConstants::s_unicodeStrURIAES256_GCM)) {
+ if (keyLen < 256 / 8)
+ throw XSECException(XSECException::CipherError,
+ "XENCAlgorithmHandlerDefault - key size was invalid");
sk = XSECPlatformUtils::g_cryptoProvider->keySymmetric(XSECCryptoSymmetricKey::KEY_AES_256);
}
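Review bot: The added guards enforce only a minimum (`keyLen < N / 8`), and nothing in the hunk says that a longer buffer is accepted on purpose. A comment ahead of the first guard, `// keyLen is in bytes; buffers shorter than the algorithm's key size are rejected, longer ones are accepted`, would make the contract explicit, or `!=` is the stricter comparison if exact-size keys are intended. The three identical messages could name the algorithm or the expected size, since "key size was invalid" alone gives a caller little to act on. createKeyForURI continues past the hunk, so how `keyLen` is used after `sk` is created is not visible here.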
diff --git a/xsec/xenc/impl/XENCCipherImpl.cpp b/xsec/xenc/impl/XENCCipherImpl.cpp
index 44cf029..136c6aa 100644
--- a/xsec/xenc/impl/XENCCipherImpl.cpp
+++ b/xsec/xenc/impl/XENCCipherImpl.cpp
@@ -22,7 +22,7 @@
*
* XENCCipherImpl := Implementation of the main encryption worker class
*
- * $Id: XENCCipherImpl.cpp 1363191 2012-07-19 00:33:46Z scantor $
+ * $Id: XENCCipherImpl.cpp 1493962 2013-06-17 22:32:41Z scantor $
*
*/
@@ -270,8 +270,9 @@ DOMDocumentFragment * XENCCipherImpl::deSerialise(safeBuffer &content, DOMNode *
sb.sbXMLChAppendCh(chCloseAngle);
char* prefix = transcodeToUTF8(sb.rawXMLChBuffer());
-
sbt = prefix;
+ XSEC_RELEASE_XMLCH(prefix);
+
const char * crcb = content.rawCharBuffer();
int offset = 0;
if (crcb[0] == '<' && crcb[1] == '?') {
@@ -286,9 +287,6 @@ DOMDocumentFragment * XENCCipherImpl::deSerialise(safeBuffer &content, DOMNode *
sbt.sbStrcatIn(&crcb[offset]);
- // Now transform the content to UTF-8
- //sb.sbXMLChCat8(content.rawCharBuffer());
-
// Terminate the string
sb.sbXMLChIn(DSIGConstants::s_unicodeStrEmpty);
sb.sbXMLChAppendCh(chOpenAngle);
@@ -300,37 +298,24 @@ DOMDocumentFragment * XENCCipherImpl::deSerialise(safeBuffer &content, DOMNode *
sbt.sbStrcatIn(trailer);
XSEC_RELEASE_XMLCH(trailer);
- // Now we need to parse the document
- XercesDOMParser* parser = NULL;
- MemBufInputSource* memIS = NULL;
- try {
- parser = new XercesDOMParser;
+ // Create an input source
+ xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer());
+ MemBufInputSource memIS((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem");
- parser->setDoNamespaces(true);
- parser->setCreateEntityReferenceNodes(true);
- parser->setDoSchema(false);
+ XercesDOMParser parser;
+ parser.setDoNamespaces(true);
+ parser.setLoadExternalDTD(false);
- // Create an input source
- xsecsize_t bytes = XMLString::stringLen(sbt.rawCharBuffer());
- memIS = new MemBufInputSource((const XMLByte*) sbt.rawBuffer(), bytes, "XSECMem");
- }
- catch (...) {
- delete memIS;
- delete parser;
- XSEC_RELEASE_XMLCH(prefix);
- throw;
- }
-
- XSEC_RELEASE_XMLCH(prefix);
- Janitor<XercesDOMParser> j_parser(parser);
- Janitor<MemBufInputSource> j_memIS(memIS);
+ SecurityManager securityManager;
+ securityManager.setEntityExpansionLimit(XSEC_ENTITY_EXPANSION_LIMIT);
+ parser.setSecurityManager(&securityManager);
- parser->parse(*memIS);
- xsecsize_t errorCount = parser->getErrorCount();
+ parser.parse(memIS);
+ xsecsize_t errorCount = parser.getErrorCount();
if (errorCount > 0)
throw XSECException(XSECException::CipherError, "Errors occured during de-serialisation of decrypted element content");
- DOMDocument * doc = parser->getDocument();
+ DOMDocument * doc = parser.getDocument();
// Create a DocumentFragment to hold the children of the parsed doc element
DOMDocument *ctxDocument = ctx->getOwnerDocument();
diff --git a/xsec/xkms/impl/XKMSRecoverResultImpl.cpp b/xsec/xkms/impl/XKMSRecoverResultImpl.cpp
index 88ded2e..4cdbfba 100644
--- a/xsec/xkms/impl/XKMSRecoverResultImpl.cpp
+++ b/xsec/xkms/impl/XKMSRecoverResultImpl.cpp
@@ -1,20 +1,20 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
*/
/*
@@ -277,7 +277,7 @@ XKMSRSAKeyPair * XKMSRecoverResultImpl::getRSAKeyPair(const char * passPhrase) {
XSECCryptoKey * sk = handler->createKeyForURI(
xed->getEncryptionMethod()->getAlgorithm(),
(XMLByte *) kbuf,
- XSEC_MAX_HASH_SIZE);
+ len);
memset(kbuf, 0, XSEC_MAX_HASH_SIZE);
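Review bot: The `memset(kbuf, 0, XSEC_MAX_HASH_SIZE)` that scrubs the derived key runs only when `createKeyForURI` returns. This commit makes that call throw `XSECException` for a short key, as the XENCAlgorithmHandlerDefault hunk shows. Unless an enclosing handler outside this hunk wipes the buffer, the key bytes stay in `kbuf` on the error path. The same pattern occurs in the setRSAKeyPair hunk of this file and in both XKMSRegisterResultImpl hunks. Scrubbing in a catch-and-rethrow around the call, as sketched below, keeps the wipe on both paths; the surrounding function body is outside the hunk.
```cpp
XSECCryptoKey * sk = NULL;
try {
	sk = handler->createKeyForURI(
			xed->getEncryptionMethod()->getAlgorithm(),
			(XMLByte *) kbuf,
			len);
}
catch (...) {
	// Scrub the derived key before the exception leaves this frame
	memset(kbuf, 0, XSEC_MAX_HASH_SIZE);
	throw;
}
memset(kbuf, 0, XSEC_MAX_HASH_SIZE);
```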
@@ -350,7 +350,7 @@ XENCEncryptedData * XKMSRecoverResultImpl::setRSAKeyPair(const char * passPhrase
XSECCryptoKey * sk = handler->createKeyForURI(
uri,
(XMLByte *) kbuf,
- XSEC_MAX_HASH_SIZE);
+ len);
memset(kbuf, 0, XSEC_MAX_HASH_SIZE);
diff --git a/xsec/xkms/impl/XKMSRegisterResultImpl.cpp b/xsec/xkms/impl/XKMSRegisterResultImpl.cpp
index 4d426ac..d51f2ef 100644
--- a/xsec/xkms/impl/XKMSRegisterResultImpl.cpp
+++ b/xsec/xkms/impl/XKMSRegisterResultImpl.cpp
@@ -22,7 +22,7 @@
*
* XKMSRegisterResultImpl := Implementation of RegisterResult Messages
*
- * $Id: XKMSRegisterResultImpl.cpp 1125514 2011-05-20 19:08:33Z scantor $
+ * $Id: XKMSRegisterResultImpl.cpp 1375700 2012-08-21 18:08:00Z scantor $
*
*/
@@ -277,7 +277,7 @@ XKMSRSAKeyPair * XKMSRegisterResultImpl::getRSAKeyPair(const char * passPhrase)
XSECCryptoKey * sk = handler->createKeyForURI(
xed->getEncryptionMethod()->getAlgorithm(),
(XMLByte *) kbuf,
- XSEC_MAX_HASH_SIZE);
+ len);
memset(kbuf, 0, XSEC_MAX_HASH_SIZE);
@@ -351,7 +351,7 @@ XENCEncryptedData * XKMSRegisterResultImpl::setRSAKeyPair(const char * passPhras
XSECCryptoKey * sk = handler->createKeyForURI(
uri,
(XMLByte *) kbuf,
- XSEC_MAX_HASH_SIZE);
+ len);
memset(kbuf, 0, XSEC_MAX_HASH_SIZE);
--
Debian packaging for XML-Security-C