Rebase to vesrion 0.6.2.2

.gitignore

@@ -1,2 +1,3 @@
 /cjose-0.5.1.tar.gz
 /cjose-0.6.1.tar.gz
+/cjose-0.6.2.2.tar.gz

0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch

@@ -1,53 +0,0 @@
-From b339a18aa06c78d64ac33d891d400eac7b86fff3 Mon Sep 17 00:00:00 2001
-From: Jakub Hrozek <jhrozek@redhat.com>
-Date: Mon, 17 May 2021 13:30:24 +0200
-Subject: [PATCH] Define OPENSSL_API_COMPAT to 0x10101000L
-
----
- src/jwe.c | 2 ++
- src/jwk.c | 2 ++
- src/jws.c | 2 ++
- 3 files changed, 6 insertions(+)
-
-diff --git a/src/jwe.c b/src/jwe.c
-index 822d408..d6f3149 100644
---- a/src/jwe.c
-+++ b/src/jwe.c
-@@ -5,6 +5,8 @@
-  * Copyright (c) 2014-2016 Cisco Systems, Inc.  All Rights Reserved.
-  */
- 
-+#define OPENSSL_API_COMPAT 0x10101000L
-+
- #include <cjose/base64.h>
- #include <cjose/header.h>
- #include <cjose/jwe.h>
-diff --git a/src/jwk.c b/src/jwk.c
-index 860f0e7..87408e9 100644
---- a/src/jwk.c
-+++ b/src/jwk.c
-@@ -5,6 +5,8 @@
-  * Copyright (c) 2014-2016 Cisco Systems, Inc.  All Rights Reserved.
-  */
- 
-+#define OPENSSL_API_COMPAT 0x10101000L
-+
- #include "include/jwk_int.h"
- #include "include/util_int.h"
- 
-diff --git a/src/jws.c b/src/jws.c
-index 4e03554..9d682a0 100644
---- a/src/jws.c
-+++ b/src/jws.c
-@@ -5,6 +5,8 @@
-  * Copyright (c) 2014-2016 Cisco Systems, Inc.  All Rights Reserved.
-  */
- 
-+#define OPENSSL_API_COMPAT 0x10101000L
-+
- #include <cjose/base64.h>
- #include <cjose/header.h>
- #include <cjose/jws.h>
--- 
-2.31.1
-

cjose.spec

@@ -1,17 +1,11 @@
 Name:           cjose
-Version:        0.6.1
+Version:        0.6.2.2
-Release:        14%{?dist}
+Release:        1%{?dist}
 Summary:        C library implementing the Javascript Object Signing and Encryption (JOSE)
 
 License:        MIT
-URL:            https://github.com/cisco/cjose
+URL:            https://github.com/OpenIDC/cjose
-Source0:  	https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
+Source0:        https://github.com/OpenIDC/cjose/releases/download/v%{version}/cjose-%{version}.tar.gz
-
-Patch1: concatkdf.patch
-
-# Patch taken from CentOS Stream:
-# https://gitlab.com/redhat/centos-stream/rpms/cjose/-/blob/c9s/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
-Patch2: 0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
 
 BuildRequires:  gcc
 BuildRequires:  doxygen
@@ -67,6 +61,9 @@ make check || (cat test/test-suite.log; exit 1)
 
 
 %changelog
+* Wed Jul 26 2023 Tomas Halman <thalman@redhat.com> - 0.6.2.2-1
+- Rebase to version 0.6.2.2. Solves CVE-2023-37464.
+
 * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-14
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
 

concatkdf.patch

@@ -1,74 +0,0 @@
-commit 0238eb8f3612515f4374381b593dd79116169330
-Author: John Dennis <jdennis@redhat.com>
-Date:   Thu Aug 2 16:21:33 2018 -0400
-
-    fix concatkdf failures on big endian architectures
-    
-    Several of the elements used to compute the digest in ECDH-ES key
-    agreement computation are represented in binary form as a 32-bit
-    integer length followed by that number of octets.  the length
-    field. The 32-bit length integer is represented in big endian
-    format (the 8 most significant bits are in the first octet.).
-    
-    The conversion to a 4 byte big endian integer was being computed
-    in a manner that only worked on little endian architectures. The
-    function htonl() returns a 32-bit integer whose octet sequence given
-    the address of the integer is big endian. There is no need for any
-    further manipulation.
-    
-    The existing code used bit shifting on a 32-bit value. In C bit
-    shifting is endian agnostic for multi-octet values, a right shift
-    moves most significant bits toward least significant bits. The result
-    of a bit shift of a multi-octet value on either big or little
-    archictures will always be the same provided you "view" it as the same
-    data type (e.g. 32-bit integer). But indexing the octets of that
-    mulit-octet value will be different depending on endianness, hence the
-    assembled octets differed depending on endianness.
-    
-    Issue: #77
-    Signed-off-by: John Dennis <jdennis@redhat.com>
-
-diff --git a/src/concatkdf.c b/src/concatkdf.c
-index ec064ab..59b845a 100644
---- a/src/concatkdf.c
-+++ b/src/concatkdf.c
-@@ -29,15 +29,9 @@
- ////////////////////////////////////////////////////////////////////////////////
- static uint8_t *_apply_uint32(const uint32_t value, uint8_t *buffer)
- {
--    const uint32_t formatted = htonl(value);
--    const uint8_t data[4] = {
--        (formatted >> 0) & 0xff,
--        (formatted >> 8) & 0xff,
--        (formatted >> 16) & 0xff,
--        (formatted >> 24) & 0xff
--    };
--    memcpy(buffer, data, 4);
-+    const uint32_t big_endian_int32 = htonl(value);
- 
-+    memcpy(buffer, &big_endian_int32, 4);
-     return buffer + 4;
- }
- 
-diff --git a/test/check_concatkdf.c b/test/check_concatkdf.c
-index e4325fc..41d0f1c 100644
---- a/test/check_concatkdf.c
-+++ b/test/check_concatkdf.c
-@@ -60,14 +60,9 @@ _create_otherinfo_header_finish:
- 
- static bool _cmp_uint32(uint8_t **actual, uint32_t expected)
- {
--    uint32_t value = htonl(expected);
--    uint8_t expectedData[] = {
--        (value >> 0) & 0xff,
--        (value >> 8) & 0xff,
--        (value >> 16) & 0xff,
--        (value >> 24) & 0xff
--    };
--    bool result = (0 == memcmp(*actual, expectedData, 4));
-+    uint32_t big_endian_int32 = htonl(expected);
-+
-+    bool result = (0 == memcmp(*actual, &big_endian_int32, 4));
-     (*actual) += 4;
-     return result;
- }

sources

@@ -1 +1 @@
-SHA512 (cjose-0.6.1.tar.gz) = 7ae67a6d19591b3d19b888270ec0ca17df399bea117e42686fc1de39b3741ed9a8816f96d33d090687c49c3123cdc95430a781835a525a02d22561ebf5aaa653
+SHA512 (cjose-0.6.2.2.tar.gz) = 71a087709816f0aac060a7c5f037068e981366b1809f6ee32e39eaded02ad8be061b0e2fa5093515a8acec10c7f4aca232281004426221b4b7e5edbd203eb49c