diff --git a/.cjose.metadata b/.cjose.metadata deleted file mode 100644 index 8a1ae75..0000000 --- a/.cjose.metadata +++ /dev/null @@ -1 +0,0 @@ -0dd6efca729f1190f66855523c3920c3f7ddd482 SOURCES/cjose-0.6.1.tar.gz diff --git a/.gitignore b/.gitignore index 8b3f913..869b3ac 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/cjose-0.6.1.tar.gz +cjose-0.6.2.2.tar.gz diff --git a/SOURCES/0002-check-cjose_get_alloc.patch b/SOURCES/0002-check-cjose_get_alloc.patch deleted file mode 100644 index bcf02f5..0000000 --- a/SOURCES/0002-check-cjose_get_alloc.patch +++ /dev/null @@ -1,25 +0,0 @@ -commit 54d449473b21e93805070264791e80f84f601b4d -Author: Hans Zandbelt -Date: Tue Apr 5 20:51:20 2022 +0200 - - check result of cek = cjose_get_alloc()(cek_len) in jwe.c - - see: https://github.com/cisco/cjose/issues/110 - - Signed-off-by: Hans Zandbelt - -diff --git a/src/jwe.c b/src/jwe.c -index 4285097..157ddec 100644 ---- a/src/jwe.c -+++ b/src/jwe.c -@@ -2064,6 +2064,10 @@ uint8_t *cjose_jwe_decrypt_multi(cjose_jwe_t *jwe, cjose_key_locator key_locator - { - cek_len = jwe->cek_len; - cek = cjose_get_alloc()(cek_len); -+ if (!cek) { -+ CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY); -+ return NULL; -+ } - memcpy(cek, jwe->cek, cek_len); - } - else diff --git a/SOURCES/0003-CVE-2023-37464.patch b/SOURCES/0003-CVE-2023-37464.patch deleted file mode 100644 index 0b77cba..0000000 --- a/SOURCES/0003-CVE-2023-37464.patch +++ /dev/null @@ -1,91 +0,0 @@ -diff -up cjose-0.6.1/src/jwe.c.orig cjose-0.6.1/src/jwe.c ---- cjose-0.6.1/src/jwe.c.orig 2023-07-19 16:23:44.658712950 +0200 -+++ cjose-0.6.1/src/jwe.c 2023-07-19 16:55:02.173914437 +0200 -@@ -1227,6 +1227,12 @@ static bool _cjose_jwe_decrypt_dat_a256g - goto _cjose_jwe_decrypt_dat_a256gcm_fail; - } - -+ if (jwe->enc_auth_tag.raw_len != 16) -+ { -+ CJOSE_ERROR(err, CJOSE_ERR_CRYPTO); -+ goto _cjose_jwe_decrypt_dat_a256gcm_fail; -+ } -+ - // set the expected GCM-mode authentication tag - if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1) - { -diff -up cjose-0.6.1/test/check_jwe.c.orig cjose-0.6.1/test/check_jwe.c ---- cjose-0.6.1/test/check_jwe.c.orig 2018-04-12 00:39:58.000000000 +0200 -+++ cjose-0.6.1/test/check_jwe.c 2023-07-19 16:38:45.412336742 +0200 -@@ -809,6 +809,63 @@ START_TEST(test_cjose_jwe_decrypt_aes) - } - END_TEST - -+START_TEST(test_cjose_jwe_decrypt_aes_gcm) -+{ -+ cjose_err err; -+ -+ const char *key = JWK_OCT_32; -+ const char *plain1 = "Live long and prosper."; -+ char *compact1 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.GpeKGEqd8KQ0v6JNea5aSA"; -+ char *compact2 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.Gp"; -+ -+ cjose_jwk_t *jwk = cjose_jwk_import(key, strlen(key), &err); -+ ck_assert_msg(NULL != jwk, -+ "cjose_jwk_import failed: " -+ "%s, file: %s, function: %s, line: %ld", -+ err.message, err.file, err.function, err.line); -+ -+ cjose_jwe_t *jwe1 = cjose_jwe_import(compact1, strlen(compact1), &err); -+ ck_assert_msg(NULL != jwe1, -+ "cjose_jwe_import failed: " -+ "%s, file: %s, function: %s, line: %ld", -+ err.message, err.file, err.function, err.line); -+ -+ uint8_t *plain2 = NULL; -+ size_t plain2_len = 0; -+ plain2 = cjose_jwe_decrypt(jwe1, jwk, &plain2_len, &err); -+ ck_assert_msg(NULL != plain2, -+ "cjose_jwe_decrypt failed: " -+ "%s, file: %s, function: %s, line: %ld", -+ err.message, err.file, err.function, err.line); -+ -+ ck_assert_msg(plain2_len == strlen(plain1), -+ "length of decrypted plaintext does not match length of original, " -+ "expected: %lu, found: %lu", -+ strlen(plain1), plain2_len); -+ ck_assert_msg(strncmp(plain1, plain2, plain2_len) == 0, "decrypted plaintext does not match encrypted plaintext"); -+ -+ cjose_get_dealloc()(plain2); -+ cjose_jwe_release(jwe1); -+ -+ cjose_jwe_t *jwe2 = cjose_jwe_import(compact2, strlen(compact2), &err); -+ ck_assert_msg(NULL != jwe2, -+ "cjose_jwe_import failed: " -+ "%s, file: %s, function: %s, line: %ld", -+ err.message, err.file, err.function, err.line); -+ -+ uint8_t *plain3 = NULL; -+ size_t plain3_len = 0; -+ plain3 = cjose_jwe_decrypt(jwe2, jwk, &plain3_len, &err); -+ ck_assert_msg(NULL == plain3, -+ "cjose_jwe_decrypt succeeded where it should have failed: " -+ "%s, file: %s, function: %s, line: %ld", -+ err.message, err.file, err.function, err.line); -+ -+ cjose_jwe_release(jwe2); -+ cjose_jwk_release(jwk); -+} -+END_TEST -+ - START_TEST(test_cjose_jwe_decrypt_rsa) - { - struct cjose_jwe_decrypt_rsa -@@ -1210,6 +1267,7 @@ Suite *cjose_jwe_suite() - tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_large); - tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_many); - tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes); -+ tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes_gcm); - tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_rsa); - tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_header); - tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_key); diff --git a/SOURCES/concatkdf.patch b/SOURCES/concatkdf.patch deleted file mode 100644 index abeccaf..0000000 --- a/SOURCES/concatkdf.patch +++ /dev/null @@ -1,74 +0,0 @@ -commit 0238eb8f3612515f4374381b593dd79116169330 -Author: John Dennis -Date: Thu Aug 2 16:21:33 2018 -0400 - - fix concatkdf failures on big endian architectures - - Several of the elements used to compute the digest in ECDH-ES key - agreement computation are represented in binary form as a 32-bit - integer length followed by that number of octets. the length - field. The 32-bit length integer is represented in big endian - format (the 8 most significant bits are in the first octet.). - - The conversion to a 4 byte big endian integer was being computed - in a manner that only worked on little endian architectures. The - function htonl() returns a 32-bit integer whose octet sequence given - the address of the integer is big endian. There is no need for any - further manipulation. - - The existing code used bit shifting on a 32-bit value. In C bit - shifting is endian agnostic for multi-octet values, a right shift - moves most significant bits toward least significant bits. The result - of a bit shift of a multi-octet value on either big or little - archictures will always be the same provided you "view" it as the same - data type (e.g. 32-bit integer). But indexing the octets of that - mulit-octet value will be different depending on endianness, hence the - assembled octets differed depending on endianness. - - Issue: #77 - Signed-off-by: John Dennis - -diff --git a/src/concatkdf.c b/src/concatkdf.c -index ec064ab..59b845a 100644 ---- a/src/concatkdf.c -+++ b/src/concatkdf.c -@@ -29,15 +29,9 @@ - //////////////////////////////////////////////////////////////////////////////// - static uint8_t *_apply_uint32(const uint32_t value, uint8_t *buffer) - { -- const uint32_t formatted = htonl(value); -- const uint8_t data[4] = { -- (formatted >> 0) & 0xff, -- (formatted >> 8) & 0xff, -- (formatted >> 16) & 0xff, -- (formatted >> 24) & 0xff -- }; -- memcpy(buffer, data, 4); -+ const uint32_t big_endian_int32 = htonl(value); - -+ memcpy(buffer, &big_endian_int32, 4); - return buffer + 4; - } - -diff --git a/test/check_concatkdf.c b/test/check_concatkdf.c -index e4325fc..41d0f1c 100644 ---- a/test/check_concatkdf.c -+++ b/test/check_concatkdf.c -@@ -60,14 +60,9 @@ _create_otherinfo_header_finish: - - static bool _cmp_uint32(uint8_t **actual, uint32_t expected) - { -- uint32_t value = htonl(expected); -- uint8_t expectedData[] = { -- (value >> 0) & 0xff, -- (value >> 8) & 0xff, -- (value >> 16) & 0xff, -- (value >> 24) & 0xff -- }; -- bool result = (0 == memcmp(*actual, expectedData, 4)); -+ uint32_t big_endian_int32 = htonl(expected); -+ -+ bool result = (0 == memcmp(*actual, &big_endian_int32, 4)); - (*actual) += 4; - return result; - } diff --git a/SPECS/cjose.spec b/SPECS/cjose.spec deleted file mode 100644 index aa46140..0000000 --- a/SPECS/cjose.spec +++ /dev/null @@ -1,92 +0,0 @@ -Name: cjose -Version: 0.6.1 -Release: 4%{?dist} -Summary: C library implementing the Javascript Object Signing and Encryption (JOSE) - -License: MIT -URL: https://github.com/cisco/cjose -Source0: https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version}.tar.gz - -Patch1: concatkdf.patch -Patch2: 0002-check-cjose_get_alloc.patch -Patch3: 0003-CVE-2023-37464.patch - -BuildRequires: gcc -BuildRequires: doxygen -BuildRequires: openssl-devel -BuildRequires: jansson-devel -BuildRequires: check-devel - -%description -Implementation of JOSE for C/C++ - - -%package devel -Summary: Development files for %{name} -Requires: %{name}%{?_isa} = %{version}-%{release} - -%description devel -The %{name}-devel package contains libraries and header files for -developing applications that use %{name}. - - -%prep -%autosetup -n %{name}-%{version} -p1 - -%build -%configure -%make_build - - -%install -%make_install -find %{buildroot} -name '*.a' -exec rm -f {} ';' -find %{buildroot} -name '*.la' -exec rm -f {} ';' - - -%post -p /sbin/ldconfig - -%postun -p /sbin/ldconfig - - -%check -make check || (cat test/test-suite.log; exit 1) - -%files -%license LICENSE -%doc CHANGELOG.md README.md -%doc /usr/share/doc/cjose -%{_libdir}/*.so.* - - -%files devel -%{_includedir}/* -%{_libdir}/*.so -%{_libdir}/pkgconfig/cjose.pc - - -%changelog -* Wed Jul 19 2023 - 0.6.1-4 -- CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual - Authentication Tag provided in the JWE - Resolves: rhbz#2223308 - -* Fri Mar 17 2023 - 0.6.1-3 -- Random memory override - Resolves: rhbz#2072469 - -* Thu Aug 2 2018 - 0.6.1-2 -- fix concatkdf big endian architecture problem. - Upstream issue #77. - -* Wed Aug 1 2018 - 0.6.1-1 -- upgrade to latest upstream 0.6.1 - -* Thu Jul 12 2018 Fedora Release Engineering - 0.5.1-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild - -* Wed Feb 07 2018 Fedora Release Engineering - 0.5.1-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild - -* Fri Jan 26 2018 Patrick Uiterwijk - 0.5.1-1 -- Initial packaging diff --git a/cjose.spec b/cjose.spec new file mode 100644 index 0000000..865cdfc --- /dev/null +++ b/cjose.spec @@ -0,0 +1,136 @@ +Name: cjose +Version: 0.6.2.2 +Release: 7%{?dist} +Summary: C library implementing the Javascript Object Signing and Encryption (JOSE) + +License: MIT +URL: https://github.com/OpenIDC/cjose +Source0: https://github.com/OpenIDC/cjose/releases/download/v%{version}/cjose-%{version}.tar.gz + +BuildRequires: gcc +BuildRequires: doxygen +BuildRequires: openssl-devel +BuildRequires: jansson-devel +BuildRequires: check-devel +BuildRequires: make + +%description +Implementation of JOSE for C/C++ + + +%package devel +Summary: Development files for %{name} +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +The %{name}-devel package contains libraries and header files for +developing applications that use %{name}. + + +%prep +%autosetup -n %{name}-%{version} -p1 + +%build +%configure +%make_build + + +%install +%make_install +find %{buildroot} -name '*.a' -exec rm -f {} ';' +find %{buildroot} -name '*.la' -exec rm -f {} ';' + + +%ldconfig_scriptlets + + +%check +make check || (cat test/test-suite.log; exit 1) + +%files +%license LICENSE +%doc CHANGELOG.md README.md +%doc /usr/share/doc/cjose +%{_libdir}/*.so.* + + +%files devel +%{_includedir}/* +%{_libdir}/*.so +%{_libdir}/pkgconfig/cjose.pc + + +%changelog +* Tue Oct 29 2024 Troy Dawson - 0.6.2.2-7 +- Bump release for October 2024 mass rebuild: + Resolves: RHEL-64018 + +* Mon Jun 24 2024 Troy Dawson - 0.6.2.2-6 +- Bump release for June 2024 mass rebuild + +* Thu Mar 28 2024 Tomas Halman - 0.6.2.2-2 +- Add gating tests configuration + +* Tue Jan 23 2024 Fedora Release Engineering - 0.6.2.2-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Jan 19 2024 Fedora Release Engineering - 0.6.2.2-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Fri Sep 1 2023 Tomas Halman - 0.6.2.2-2 +- migrated to SPDX license + +* Wed Jul 26 2023 Tomas Halman - 0.6.2.2-1 +- Rebase to version 0.6.2.2. Solves CVE-2023-37464. + +* Wed Jul 19 2023 Fedora Release Engineering - 0.6.1-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild + +* Wed Jan 18 2023 Fedora Release Engineering - 0.6.1-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Fri Oct 28 2022 Stephen Gallagher - 0.6.1-12 +- Enable build on OpenSSL 3.0 + +* Wed Jul 20 2022 Fedora Release Engineering - 0.6.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Wed Jan 19 2022 Fedora Release Engineering - 0.6.1-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Tue Sep 14 2021 Sahana Prasad - 0.6.1-9 +- Rebuilt with OpenSSL 3.0.0 + +* Wed Jul 21 2021 Fedora Release Engineering - 0.6.1-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Tue Jan 26 2021 Fedora Release Engineering - 0.6.1-7 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Mon Jul 27 2020 Fedora Release Engineering - 0.6.1-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild + +* Tue Jan 28 2020 Fedora Release Engineering - 0.6.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild + +* Wed Jul 24 2019 Fedora Release Engineering - 0.6.1-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Thu Jan 31 2019 Fedora Release Engineering - 0.6.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Thu Aug 2 2018 - 0.6.1-2 +- fix concatkdf big endian architecture problem. + Upstream issue #77. + +* Wed Aug 1 2018 - 0.6.1-1 +- upgrade to latest upstream 0.6.1 + +* Thu Jul 12 2018 Fedora Release Engineering - 0.5.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Wed Feb 07 2018 Fedora Release Engineering - 0.5.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Fri Jan 26 2018 Patrick Uiterwijk - 0.5.1-1 +- Initial packaging diff --git a/sources b/sources new file mode 100644 index 0000000..aba9fa0 --- /dev/null +++ b/sources @@ -0,0 +1 @@ +SHA512 (cjose-0.6.2.2.tar.gz) = 71a087709816f0aac060a7c5f037068e981366b1809f6ee32e39eaded02ad8be061b0e2fa5093515a8acec10c7f4aca232281004426221b4b7e5edbd203eb49c