Sync master branch with upstream

.github/workflows/make-check.yml

@@ -11,15 +11,21 @@ on:
           - xmlsec-1_2_x
 
 jobs:
+  # linux: check against latest versions of everything
   check-ubuntu:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         include:
+          # default build
           - config_flags:
-          - config_flags: --enable-static --enable-static-linking --disable-openssl3-engines --without-nss --without-gcrypt --without-gnutls
-          - config_flags: --enable-static --enable-static-linking --enable-ftp --enable-md5 --enable-gost --enable-gost2012 --without-openssl --without-nss --without-gcrypt
+          # default build with all legacy features
+          - config_flags: --enable-legacy-features --enable-ftp --enable-http
+          # static openssl build
+          - config_flags: --enable-static --enable-static-linking --disable-openssl3-engines --without-nss --without-gnutls --without-gcrypt --enable-legacy-features
+          # static gnutls build with GOST
+          - config_flags: --enable-static --enable-static-linking --without-openssl --without-nss --without-gcrypt --enable-gost --enable-gost2012 --enable-legacy-features
     steps:
     - name: install dependencies
       run: |
@@ -48,14 +54,17 @@ jobs:
       run: |
           make install
 
+  # linux: check against old versions including openssl 1.1.1
   check-ubuntu-openssl-111:
     runs-on: ubuntu-20.04
     strategy:
       fail-fast: false
       matrix:
         include:
+          # default build
           - config_flags:
-          - config_flags: --enable-static-linking=yes --without-nss --without-gcrypt --without-gnutls
+          # static openssl build
+          - config_flags: --enable-static --enable-static-linking --without-nss --without-gnutls --without-gcrypt --enable-legacy-features
     steps:
     - name: install dependencies
       run: |
@@ -86,13 +95,17 @@ jobs:
       run: |
           make install
 
+  # macosx
   check-osx:
     runs-on: macos-latest
     strategy:
       fail-fast: false
       matrix:
         include:
+          # default build
           - config_flags:
+          # default build with all legacy features -- not possible because MacOSX disables RIPEMD160 in OpenSSL
+          # - config_flags: --enable-legacy-features --enable-ftp --enable-http
     steps:
     - name: Set up Homebrew
       id: set-up-homebrew
@@ -135,18 +148,25 @@ jobs:
       run: |
           make install
 
+  # mingw
   check-mingw:
     runs-on: windows-latest
     strategy:
       fail-fast: false
       matrix:
         include:
+          # default build
           - msystem: MINGW64
             arch: x86_64
-            config_flags: --enable-unicode=yes
+            config_flags:
+          # default build with all legacy features
           - msystem: MINGW64
             arch: x86_64
-            config_flags: --enable-static --enable-static-linking --enable-unicode=no --enable-md5 --enable-ftp
+            config_flags: --enable-legacy-features --enable-ftp --enable-http
+          # no unicode static build for mscng
+          - msystem: MINGW64
+            arch: x86_64
+            config_flags: --enable-static --enable-static-linking --enable-unicode=no --without-openssl --without-nss --without-gnutls --without-gcrypt --disable-mscrypto
     defaults:
       run:
         shell: msys2 {0}
@@ -198,28 +218,35 @@ jobs:
       run: |
           make install
 
+  # msvc
   check-msvc:
     runs-on: windows-latest
     strategy:
       fail-fast: false
       matrix:
         include:
+          # mscng: default build
           - crypto: mscng
             config_flags: unicode=yes with-dl=yes
+          # mscng: no unicode, legacy crypto
           - crypto: mscng
-            config_flags: unicode=no with-dl=no static=yes legacy-crypto=yes
+            config_flags: unicode=no with-dl=no static=yes legacy-features=yes
+          # mscrypto: default build
           - crypto: mscrypto
-            config_flags: unicode=yes with-dl=yes
+            config_flags:
+          # mscrypto: no unicode, legacy crypto
           - crypto: mscrypto
-            config_flags:  unicode=no with-dl=no static=yes legacy-crypto=yes
+            config_flags:  unicode=no with-dl=no static=yes legacy-features=yes
+          # mscng: default build
           - crypto: openssl-300
-            config_flags: unicode=yes with-dl=yes
+            config_flags:
+          # mscng: no unicode, legacy crypto
           - crypto: openssl-300
             config_flags: unicode=no with-dl=no static=yes
     env:
       VISUAL_STUDIO_ROOT: "C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise"
       INSTALL_FOLDER: c:\install.dir
-      LIBS_VERSION: 1.3.5
+      LIBS_VERSION: 1.3.6
     steps:
     - name: create-dirs
       run: |

apps/xmlsec.c

@@ -945,6 +945,17 @@ static xmlSecAppCmdLineParam verificationGmtTimeParam = {
     NULL
 };
 
+static xmlSecAppCmdLineParam X509SkipTimeChecksParam = {
+    xmlSecAppCmdLineTopicX509Certs,
+    "--X509-skip-time-checks",
+    NULL,
+    "--X509-skip-time-checks"
+    "\n\tskip time checking of X509 certificates and CLRs",
+    xmlSecAppCmdLineParamTypeFlag,
+    xmlSecAppCmdLineParamFlagNone,
+    NULL
+};
+
 static xmlSecAppCmdLineParam depthParam = {
     xmlSecAppCmdLineTopicX509Certs,
     "--depth",
@@ -1065,6 +1076,7 @@ static xmlSecAppCmdLineParamPtr parameters[] = {
     &crlDerParam,
     &verificationTimeParam,
     &verificationGmtTimeParam,
+    &X509SkipTimeChecksParam,
     &depthParam,
     &X509SkipStrictChecksParam,
     &X509DontVerifyCerts,
@@ -2272,6 +2284,9 @@ xmlSecAppPrepareKeyInfoCtx(xmlSecKeyInfoCtxPtr keyInfoCtx) {
     if(xmlSecAppCmdLineParamIsSet(&verificationGmtTimeParam)) {
         keyInfoCtx->certsVerificationTime = xmlSecAppCmdLineParamGetTime(&verificationGmtTimeParam, 0);
     }
+    if(xmlSecAppCmdLineParamIsSet(&X509SkipTimeChecksParam)) {
+        keyInfoCtx->flags |= XMLSEC_KEYINFO_FLAGS_X509DATA_SKIP_TIME_CHECKS;
+    }
     if(xmlSecAppCmdLineParamIsSet(&depthParam)) {
         keyInfoCtx->certsVerificationDepth = xmlSecAppCmdLineParamGetInt(&depthParam, 0);
     }

configure.ac

@@ -1,10 +1,10 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT([xmlsec1],[1.3.6],[http://www.aleksey.com/xmlsec])
+AC_INIT([xmlsec1],[1.3.7],[http://www.aleksey.com/xmlsec])
 
 XMLSEC_PACKAGE=xmlsec1
 XMLSEC_VERSION_MAJOR=1
 XMLSEC_VERSION_MINOR=3
-XMLSEC_VERSION_SUBMINOR=6
+XMLSEC_VERSION_SUBMINOR=7
 XMLSEC_VERSION="$XMLSEC_VERSION_MAJOR.$XMLSEC_VERSION_MINOR.$XMLSEC_VERSION_SUBMINOR"
 XMLSEC_VERSION_INFO=`echo $XMLSEC_VERSION | awk -F. '{ printf "%d:%d:%d", $1+$2, $3, $2 }'`
 XMLSEC_VERSION_SAFE=`echo $XMLSEC_VERSION | sed 's/\./_/g'`
@@ -182,13 +182,30 @@ if test "z$enable_development" = "zyes" ; then
     enable_manpages_build="no"
     enable_docs_build="no"
     enable_crypto_dl="no"
+    enable_legacy_features="yes"
+    AC_MSG_RESULT([yes])
+else
+    AC_MSG_RESULT([no])
+fi
 
-    dnl legacy crypto
+dnl ==========================================================================
+dnl Do we want to with legacy features?
+dnl ==========================================================================
+AC_MSG_CHECKING(for legacy features support)
+AC_ARG_ENABLE([legacy_features], [AS_HELP_STRING([--enable-legacy_features],[legacy features (no)])])
+if test "z$enable_legacy_features" = "zyes" ; then
+
+    dnl legacy crypto engines
+    enable_mscrypto="yes"
+    with_gcrypt="yes"
+
+    dnl legacy crypto algos
     enable_md5="yes"
+    enable_ripemd160="yes"
 
     AC_MSG_RESULT([yes])
 else
-    AC_MSG_RESULT([disabled])
+    AC_MSG_RESULT([no])
 fi
 
 dnl ==========================================================================
@@ -1362,7 +1379,6 @@ AC_SUBST(GNUTLS_CRYPTO_LIB)
 AC_SUBST(GNUTLS_MIN_VERSION)
 
 
-
 dnl ==========================================================================
 dnl See if we can find MSCng
 dnl ==========================================================================
@@ -1377,7 +1393,7 @@ AC_ARG_ENABLE([mscng], [AS_HELP_STRING([--enable-mscng],[enable mscng (no)])])
 AC_MSG_CHECKING(for mscng)
 
 dnl Priority 0: Check if library is not needed
-if test "z$enable_mscng" != "zyes" ; then
+if test "z$enable_mscng" = "zno" ; then
     MSCNG_FOUND="disabled"
     AC_MSG_RESULT([disabled])
 fi
@@ -1459,7 +1475,7 @@ esac
 
 XMLSEC_NO_MSCRYPTO="1"
 MSCRYPTO_FOUND="no"
-AC_ARG_ENABLE([mscrypto], [AS_HELP_STRING([--enable-mscrypto],[enable mscrypto (no)])])
+AC_ARG_ENABLE([mscrypto], [AS_HELP_STRING([--enable-mscrypto],[enable mscrypto (no,deprecated)])])
 AC_MSG_CHECKING(for mscrypto)
 
 dnl Priority 0: Check if library is not needed
@@ -1538,10 +1554,10 @@ GCRYPT_VERSION=
 GCRYPT_INCLUDE_PATH=
 GCRYPT_LIB_PATH=
 GCRYPT_FOUND="no"
-AC_ARG_WITH([gcrypt], [AS_HELP_STRING([--with-gcrypt@<:@=PFX@:>@],[gcrypt location])])
+AC_ARG_WITH([gcrypt], [AS_HELP_STRING([--with-gcrypt@<:@=PFX@:>@],[gcrypt location (no,deprecated)])])
 
 dnl Priority 0: Check if library is not needed
-if test "z$with_gcrypt" = "zno" ; then
+if test "z$with_gcrypt" = "z" -o "z$with_gcrypt" = "zno" ; then
     GCRYPT_FOUND="disabled"
 fi
 
@@ -1913,14 +1929,14 @@ dnl ==========================================================================
 dnl Check if we need RIPEMD-160 support
 dnl ==========================================================================
 AC_MSG_CHECKING(for RIPEMD-160 support)
-AC_ARG_ENABLE([ripemd160], [AS_HELP_STRING([--enable-ripemd160],[enable RIPEMD-160 support (yes)])])
-if test "z$enable_ripemd160" = "zno" ; then
+AC_ARG_ENABLE([ripemd160], [AS_HELP_STRING([--enable-ripemd160],[enable RIPEMD-160 support (no, deprecated))])])
+if test "z$enable_ripemd160" = "zyes" ; then
+    XMLSEC_NO_RIPEMD160="0"
+    AC_MSG_RESULT([yes (deprecated)])
+else
     XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_RIPEMD160=1"
     XMLSEC_NO_RIPEMD160="1"
     AC_MSG_RESULT([disabled])
-else
-    XMLSEC_NO_RIPEMD160="0"
-    AC_MSG_RESULT([yes])
 fi
 AM_CONDITIONAL(XMLSEC_NO_RIPEMD160, test "z$XMLSEC_NO_RIPEMD160" = "z1")
 AC_SUBST(XMLSEC_NO_RIPEMD160)
@@ -2058,14 +2074,14 @@ dnl ==========================================================================
 dnl Check if we need DSA support
 dnl ==========================================================================
 AC_MSG_CHECKING(for DSA support)
-AC_ARG_ENABLE([dsa], [AS_HELP_STRING([--enable-dsa],[enable DSA support (yes)])])
+AC_ARG_ENABLE([dsa], [AS_HELP_STRING([--enable-dsa],[enable DSA support (yes, use discouraged)])])
 if test "z$enable_dsa" = "zno" ; then
     XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_DSA=1"
     XMLSEC_NO_DSA="1"
     AC_MSG_RESULT([disabled])
 else
     XMLSEC_NO_DSA="0"
-    AC_MSG_RESULT([yes])
+    AC_MSG_RESULT([yes (use discouraged)])
 fi
 AM_CONDITIONAL(XMLSEC_NO_DSA, test "z$XMLSEC_NO_DSA" = "z1")
 AC_SUBST(XMLSEC_NO_DSA)
@@ -2154,14 +2170,14 @@ dnl ==========================================================================
 dnl Check if we need DES support
 dnl ==========================================================================
 AC_MSG_CHECKING(for DES support)
-AC_ARG_ENABLE([des], [AS_HELP_STRING([--enable-des],[enable DES support (yes, deprecated)])])
+AC_ARG_ENABLE([des], [AS_HELP_STRING([--enable-des],[enable DES support (yes, use discouraged)])])
 if test "z$enable_des" = "zno" ; then
     XMLSEC_DEFINES="$XMLSEC_DEFINES -DXMLSEC_NO_DES=1"
     XMLSEC_NO_DES="1"
     AC_MSG_RESULT([disabled])
 else
     XMLSEC_NO_DES="0"
-    AC_MSG_RESULT([yes (deprecated)])
+    AC_MSG_RESULT([yes (use discouraged)])
 fi
 AM_CONDITIONAL(XMLSEC_NO_DES, test "z$XMLSEC_NO_DES" = "z1")
 AC_SUBST(XMLSEC_NO_DES)
@@ -2385,7 +2401,7 @@ if test "z$LIBLTDL_FOUND" = "zno" -a "z$PKGCONFIG_FOUND" = "zyes" ; then
         [LIBLTDL_FOUND=no])
 fi
 
-dnl Priority 4: on MacOSX libltdl is in the 'libtool' brew package 
+dnl Priority 4: on MacOSX libltdl is in the 'libtool' brew package
 if test "z$LIBLTDL_FOUND" = "zno" -a "z$build_on_mac" = "zyes" ; then
     AC_MSG_CHECKING(for libltdl library installation in 'brew')
     LIBTOOL_PATH=`brew --prefix libtool`

docs/api/xmlsec-version.html

@@ -78,7 +78,7 @@ <h2><span class="refentrytitle"><a name="xmlsec-version.top_of_page"></a>version
 <a name="xmlsec-version.other_details"></a><h2>Types and Values</h2>
 <div class="refsect2">
 <a name="XMLSEC-VERSION:CAPS"></a><h3>XMLSEC_VERSION</h3>
-<pre class="programlisting">#define XMLSEC_VERSION            "1.3.6"
+<pre class="programlisting">#define XMLSEC_VERSION            "1.3.7"
 </pre>
 <p>The library version string in the format
 "$major_number.$minor_number.$sub_minor_number".</p>
@@ -100,14 +100,14 @@ <h2><span class="refentrytitle"><a name="xmlsec-version.top_of_page"></a>version
 <hr>
 <div class="refsect2">
 <a name="XMLSEC-VERSION-SUBMINOR:CAPS"></a><h3>XMLSEC_VERSION_SUBMINOR</h3>
-<pre class="programlisting">#define XMLSEC_VERSION_SUBMINOR        6
+<pre class="programlisting">#define XMLSEC_VERSION_SUBMINOR        7
 </pre>
 <p>The library sub-minor version number.</p>
 </div>
 <hr>
 <div class="refsect2">
 <a name="XMLSEC-VERSION-INFO:CAPS"></a><h3>XMLSEC_VERSION_INFO</h3>
-<pre class="programlisting">#define XMLSEC_VERSION_INFO        "4:6:3"
+<pre class="programlisting">#define XMLSEC_VERSION_INFO        "4:7:3"
 </pre>
 <p>The library version info string in the format
 "$major_number+$minor_number:$sub_minor_number:$minor_number".</p>

docs/api/xmlsec-xmlsec.html

@@ -110,6 +110,10 @@ <h2><span class="refentrytitle"><a name="xmlsec-xmlsec.top_of_page"></a>xmlsec</
 </colgroup>
 <tbody>
 <tr>
+<td class="define_keyword">#define</td>
+<td class="function_name"><a class="link" href="xmlsec-xmlsec.html#XMLSEC-DEPRECATED:CAPS" title="XMLSEC_DEPRECATED">XMLSEC_DEPRECATED</a></td>
+</tr>
+<tr>
 <td class="typedef_keyword">typedef</td>
 <td class="function_name"><font>xmlSecPtr</font></td>
 </tr>
@@ -138,10 +142,6 @@ <h2><span class="refentrytitle"><a name="xmlsec-xmlsec.top_of_page"></a>xmlsec</
 <td class="function_name"><a class="link" href="xmlsec-xmlsec.html#xmlSecByte" title="xmlSecByte">xmlSecByte</a></td>
 </tr>
 <tr>
-<td class="define_keyword">#define</td>
-<td class="function_name"><a class="link" href="xmlsec-xmlsec.html#XMLSEC-DEPRECATED:CAPS" title="XMLSEC_DEPRECATED">XMLSEC_DEPRECATED</a></td>
-</tr>
-<tr>
 <td class="datatype_keyword">enum</td>
 <td class="function_name"><a class="link" href="xmlsec-xmlsec.html#xmlSecCheckVersionMode" title="enum xmlSecCheckVersionMode">xmlSecCheckVersionMode</a></td>
 </tr>
@@ -302,6 +302,13 @@ <h2><span class="refentrytitle"><a name="xmlsec-xmlsec.top_of_page"></a>xmlsec</
 <div class="refsect1">
 <a name="xmlsec-xmlsec.other_details"></a><h2>Types and Values</h2>
 <div class="refsect2">
+<a name="XMLSEC-DEPRECATED:CAPS"></a><h3>XMLSEC_DEPRECATED</h3>
+<pre class="programlisting">#define XMLSEC_DEPRECATED __attribute__((deprecated))
+</pre>
+<p>Marks function as deprecated.</p>
+</div>
+<hr>
+<div class="refsect2">
 <a name="xmlSecPtr"></a><h3>xmlSecPtr</h3>
 <pre class="programlisting">typedef void*                                   xmlSecPtr;
 </pre>
@@ -349,13 +356,6 @@ <h2><span class="refentrytitle"><a name="xmlsec-xmlsec.top_of_page"></a>xmlsec</
 </div>
 <hr>
 <div class="refsect2">
-<a name="XMLSEC-DEPRECATED:CAPS"></a><h3>XMLSEC_DEPRECATED</h3>
-<pre class="programlisting">#define XMLSEC_DEPRECATED __attribute__((deprecated))
-</pre>
-<p>Marks function as deprecated.</p>
-</div>
-<hr>
-<div class="refsect2">
 <a name="xmlSecCheckVersionMode"></a><h3>enum xmlSecCheckVersionMode</h3>
 <p>The xmlsec library version mode.</p>
 <div class="refsect3">