import UBI cjose-0.6.2.2-7.el10

2025-05-14 17:39:43 +00:00
8 changed files with 138 additions and 284 deletions
--- a/.cjose.metadata
+++ b/.cjose.metadata
@ -1 +0,0 @@
-0dd6efca729f1190f66855523c3920c3f7ddd482 SOURCES/cjose-0.6.1.tar.gz
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/cjose-0.6.1.tar.gz
+cjose-0.6.2.2.tar.gz
--- a/SOURCES/0002-check-cjose_get_alloc.patch
+++ b/SOURCES/0002-check-cjose_get_alloc.patch
@ -1,25 +0,0 @@
-commit 54d449473b21e93805070264791e80f84f601b4d
-Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
-Date:   Tue Apr 5 20:51:20 2022 +0200
-
-    check result of cek = cjose_get_alloc()(cek_len) in jwe.c
-    
-    see: https://github.com/cisco/cjose/issues/110
-    
-    Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
-
-diff --git a/src/jwe.c b/src/jwe.c
-index 4285097..157ddec 100644
--- a/src/jwe.c
-+++ b/src/jwe.c
-@@ -2064,6 +2064,10 @@ uint8_t *cjose_jwe_decrypt_multi(cjose_jwe_t *jwe, cjose_key_locator key_locator
-         {
-             cek_len = jwe->cek_len;
-             cek = cjose_get_alloc()(cek_len);
-+            if (!cek) {
-+               CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
-+               return NULL;
-+            }
-             memcpy(cek, jwe->cek, cek_len);
-         }
-         else
--- a/SOURCES/0003-CVE-2023-37464.patch
+++ b/SOURCES/0003-CVE-2023-37464.patch
@ -1,91 +0,0 @@
-diff -up cjose-0.6.1/src/jwe.c.orig cjose-0.6.1/src/jwe.c
--- cjose-0.6.1/src/jwe.c.orig	2023-07-19 16:23:44.658712950 +0200
-+++ cjose-0.6.1/src/jwe.c	2023-07-19 16:55:02.173914437 +0200
-@@ -1227,6 +1227,12 @@ static bool _cjose_jwe_decrypt_dat_a256g
-         goto _cjose_jwe_decrypt_dat_a256gcm_fail;
-     }
- 
-+    if (jwe->enc_auth_tag.raw_len != 16)
-+    {
-+        CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
-+        goto _cjose_jwe_decrypt_dat_a256gcm_fail;
-+    }
-+
-     // set the expected GCM-mode authentication tag
-     if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)
-     {
-diff -up cjose-0.6.1/test/check_jwe.c.orig cjose-0.6.1/test/check_jwe.c
--- cjose-0.6.1/test/check_jwe.c.orig	2018-04-12 00:39:58.000000000 +0200
-+++ cjose-0.6.1/test/check_jwe.c	2023-07-19 16:38:45.412336742 +0200
-@@ -809,6 +809,63 @@ START_TEST(test_cjose_jwe_decrypt_aes)
- }
- END_TEST
- 
-+START_TEST(test_cjose_jwe_decrypt_aes_gcm)
-+{
-+    cjose_err err;
-+
-+    const char *key = JWK_OCT_32;
-+    const char *plain1 = "Live long and prosper.";
-+    char *compact1 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.GpeKGEqd8KQ0v6JNea5aSA";
-+    char *compact2 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.Gp";
-+
-+    cjose_jwk_t *jwk = cjose_jwk_import(key, strlen(key), &err);
-+    ck_assert_msg(NULL != jwk,
-+                  "cjose_jwk_import failed: "
-+                  "%s, file: %s, function: %s, line: %ld",
-+                  err.message, err.file, err.function, err.line);
-+
-+    cjose_jwe_t *jwe1 = cjose_jwe_import(compact1, strlen(compact1), &err);
-+    ck_assert_msg(NULL != jwe1,
-+                  "cjose_jwe_import failed: "
-+                  "%s, file: %s, function: %s, line: %ld",
-+                  err.message, err.file, err.function, err.line);
-+
-+    uint8_t *plain2 = NULL;
-+    size_t plain2_len = 0;
-+    plain2 = cjose_jwe_decrypt(jwe1, jwk, &plain2_len, &err);
-+    ck_assert_msg(NULL != plain2,
-+                  "cjose_jwe_decrypt failed: "
-+                  "%s, file: %s, function: %s, line: %ld",
-+                  err.message, err.file, err.function, err.line);
-+
-+    ck_assert_msg(plain2_len == strlen(plain1),
-+                  "length of decrypted plaintext does not match length of original, "
-+                  "expected: %lu, found: %lu",
-+                  strlen(plain1), plain2_len);
-+    ck_assert_msg(strncmp(plain1, plain2, plain2_len) == 0, "decrypted plaintext does not match encrypted plaintext");
-+
-+    cjose_get_dealloc()(plain2);
-+    cjose_jwe_release(jwe1);
-+
-+    cjose_jwe_t *jwe2 = cjose_jwe_import(compact2, strlen(compact2), &err);
-+    ck_assert_msg(NULL != jwe2,
-+                   "cjose_jwe_import failed: "
-+                   "%s, file: %s, function: %s, line: %ld",
-+                   err.message, err.file, err.function, err.line);
-+
-+    uint8_t *plain3 = NULL;
-+    size_t plain3_len = 0;
-+    plain3 = cjose_jwe_decrypt(jwe2, jwk, &plain3_len, &err);
-+    ck_assert_msg(NULL == plain3,
-+                   "cjose_jwe_decrypt succeeded where it should have failed: "
-+                   "%s, file: %s, function: %s, line: %ld",
-+                   err.message, err.file, err.function, err.line);
-+
-+    cjose_jwe_release(jwe2);
-+    cjose_jwk_release(jwk);
-+}
-+END_TEST
-+
- START_TEST(test_cjose_jwe_decrypt_rsa)
- {
-     struct cjose_jwe_decrypt_rsa
-@@ -1210,6 +1267,7 @@ Suite *cjose_jwe_suite()
-     tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_large);
-     tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_many);
-     tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes);
-+    tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes_gcm);
-     tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_rsa);
-     tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_header);
-     tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_key);
--- a/SOURCES/concatkdf.patch
+++ b/SOURCES/concatkdf.patch
@ -1,74 +0,0 @@
-commit 0238eb8f3612515f4374381b593dd79116169330
-Author: John Dennis <jdennis@redhat.com>
-Date:   Thu Aug 2 16:21:33 2018 -0400
-
-    fix concatkdf failures on big endian architectures
-    
-    Several of the elements used to compute the digest in ECDH-ES key
-    agreement computation are represented in binary form as a 32-bit
-    integer length followed by that number of octets.  the length
-    field. The 32-bit length integer is represented in big endian
-    format (the 8 most significant bits are in the first octet.).
-    
-    The conversion to a 4 byte big endian integer was being computed
-    in a manner that only worked on little endian architectures. The
-    function htonl() returns a 32-bit integer whose octet sequence given
-    the address of the integer is big endian. There is no need for any
-    further manipulation.
-    
-    The existing code used bit shifting on a 32-bit value. In C bit
-    shifting is endian agnostic for multi-octet values, a right shift
-    moves most significant bits toward least significant bits. The result
-    of a bit shift of a multi-octet value on either big or little
-    archictures will always be the same provided you "view" it as the same
-    data type (e.g. 32-bit integer). But indexing the octets of that
-    mulit-octet value will be different depending on endianness, hence the
-    assembled octets differed depending on endianness.
-    
-    Issue: #77
-    Signed-off-by: John Dennis <jdennis@redhat.com>
-
-diff --git a/src/concatkdf.c b/src/concatkdf.c
-index ec064ab..59b845a 100644
--- a/src/concatkdf.c
-+++ b/src/concatkdf.c
-@@ -29,15 +29,9 @@
- ////////////////////////////////////////////////////////////////////////////////
- static uint8_t *_apply_uint32(const uint32_t value, uint8_t *buffer)
- {
-    const uint32_t formatted = htonl(value);
-    const uint8_t data[4] = {
-        (formatted >> 0) & 0xff,
-        (formatted >> 8) & 0xff,
-        (formatted >> 16) & 0xff,
-        (formatted >> 24) & 0xff
-    };
-    memcpy(buffer, data, 4);
-+    const uint32_t big_endian_int32 = htonl(value);
- 
-+    memcpy(buffer, &big_endian_int32, 4);
-     return buffer + 4;
- }
- 
-diff --git a/test/check_concatkdf.c b/test/check_concatkdf.c
-index e4325fc..41d0f1c 100644
--- a/test/check_concatkdf.c
-+++ b/test/check_concatkdf.c
-@@ -60,14 +60,9 @@ _create_otherinfo_header_finish:
- 
- static bool _cmp_uint32(uint8_t **actual, uint32_t expected)
- {
-    uint32_t value = htonl(expected);
-    uint8_t expectedData[] = {
-        (value >> 0) & 0xff,
-        (value >> 8) & 0xff,
-        (value >> 16) & 0xff,
-        (value >> 24) & 0xff
-    };
-    bool result = (0 == memcmp(*actual, expectedData, 4));
-+    uint32_t big_endian_int32 = htonl(expected);
-+
-+    bool result = (0 == memcmp(*actual, &big_endian_int32, 4));
-     (*actual) += 4;
-     return result;
- }
--- a/SPECS/cjose.spec
+++ b/SPECS/cjose.spec
@ -1,92 +0,0 @@
-Name:           cjose
-Version:        0.6.1
-Release:        4%{?dist}
-Summary:        C library implementing the Javascript Object Signing and Encryption (JOSE)
-
-License:        MIT
-URL:            https://github.com/cisco/cjose
-Source0:  	https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version}.tar.gz
-
-Patch1: concatkdf.patch
-Patch2: 0002-check-cjose_get_alloc.patch
-Patch3: 0003-CVE-2023-37464.patch
-
-BuildRequires:  gcc
-BuildRequires:  doxygen
-BuildRequires:  openssl-devel
-BuildRequires:  jansson-devel
-BuildRequires:  check-devel
-
-%description
-Implementation of JOSE for C/C++
-
-
-%package        devel
-Summary:        Development files for %{name}
-Requires:       %{name}%{?_isa} = %{version}-%{release}
-
-%description    devel
-The %{name}-devel package contains libraries and header files for
-developing applications that use %{name}.
-
-
-%prep
-%autosetup -n %{name}-%{version} -p1
-
-%build
-%configure
-%make_build
-
-
-%install
-%make_install
-find %{buildroot} -name '*.a' -exec rm -f {} ';'
-find %{buildroot} -name '*.la' -exec rm -f {} ';'
-
-
-%post -p /sbin/ldconfig
-
-%postun -p /sbin/ldconfig
-
-
-%check
-make check || (cat test/test-suite.log; exit 1)
-
-%files
-%license LICENSE
-%doc CHANGELOG.md README.md
-%doc /usr/share/doc/cjose
-%{_libdir}/*.so.*
-
-
-%files devel
-%{_includedir}/*
-%{_libdir}/*.so
-%{_libdir}/pkgconfig/cjose.pc
-
-
-%changelog
-* Wed Jul 19 2023 <thalman@redhat.com> - 0.6.1-4
- CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual
-  Authentication Tag provided in the JWE
-  Resolves: rhbz#2223308
-
-* Fri Mar 17 2023 <thalman@redhat.com> - 0.6.1-3
- Random memory override
-  Resolves: rhbz#2072469
-
-* Thu Aug  2 2018  <jdennis@redhat.com> - 0.6.1-2
- fix concatkdf big endian architecture problem.
-  Upstream issue #77.
-
-* Wed Aug  1 2018  <jdennis@redhat.com> - 0.6.1-1
- upgrade to latest upstream 0.6.1
-
-* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.1-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
-
-* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
-
-* Fri Jan 26 2018 Patrick Uiterwijk <patrick@puiterwijk.org> - 0.5.1-1
- Initial packaging
--- a/cjose.spec
+++ b/cjose.spec
@ -0,0 +1,136 @@
+Name:           cjose
+Version:        0.6.2.2
+Release:        7%{?dist}
+Summary:        C library implementing the Javascript Object Signing and Encryption (JOSE)
+
+License:        MIT
+URL:            https://github.com/OpenIDC/cjose
+Source0:        https://github.com/OpenIDC/cjose/releases/download/v%{version}/cjose-%{version}.tar.gz
+
+BuildRequires:  gcc
+BuildRequires:  doxygen
+BuildRequires:  openssl-devel
+BuildRequires:  jansson-devel
+BuildRequires:  check-devel
+BuildRequires: make
+
+%description
+Implementation of JOSE for C/C++
+
+
+%package        devel
+Summary:        Development files for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
+%description    devel
+The %{name}-devel package contains libraries and header files for
+developing applications that use %{name}.
+
+
+%prep
+%autosetup -n %{name}-%{version} -p1
+
+%build
+%configure
+%make_build
+
+
+%install
+%make_install
+find %{buildroot} -name '*.a' -exec rm -f {} ';'
+find %{buildroot} -name '*.la' -exec rm -f {} ';'
+
+
+%ldconfig_scriptlets
+
+
+%check
+make check || (cat test/test-suite.log; exit 1)
+
+%files
+%license LICENSE
+%doc CHANGELOG.md README.md
+%doc /usr/share/doc/cjose
+%{_libdir}/*.so.*
+
+
+%files devel
+%{_includedir}/*
+%{_libdir}/*.so
+%{_libdir}/pkgconfig/cjose.pc
+
+
+%changelog
+* Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.6.2.2-7
+- Bump release for October 2024 mass rebuild:
+  Resolves: RHEL-64018
+
+* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.6.2.2-6
+- Bump release for June 2024 mass rebuild
+
+* Thu Mar 28 2024 Tomas Halman <thalman@redhat.com> - 0.6.2.2-2
+- Add gating tests configuration
+
+* Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.2.2-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.2.2-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Sep 1 2023 Tomas Halman <thalman@redhat.com> - 0.6.2.2-2
+- migrated to SPDX license
+
+* Wed Jul 26 2023 Tomas Halman <thalman@redhat.com> - 0.6.2.2-1
+- Rebase to version 0.6.2.2. Solves CVE-2023-37464.
+
+* Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-14
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-13
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Fri Oct 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 0.6.1-12
+- Enable build on OpenSSL 3.0
+
+* Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-11
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.6.1-9
+- Rebuilt with OpenSSL 3.0.0
+
+* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-7
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jul 27 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Tue Jan 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Thu Aug  2 2018  <jdennis@redhat.com> - 0.6.1-2
+- fix concatkdf big endian architecture problem.
+  Upstream issue #77.
+
+* Wed Aug  1 2018  <jdennis@redhat.com> - 0.6.1-1
+- upgrade to latest upstream 0.6.1
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 0.5.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Fri Jan 26 2018 Patrick Uiterwijk <patrick@puiterwijk.org> - 0.5.1-1
+- Initial packaging
--- a/1
+++ b/1
@ -0,0 +1 @@
+SHA512 (cjose-0.6.2.2.tar.gz) = 71a087709816f0aac060a7c5f037068e981366b1809f6ee32e39eaded02ad8be061b0e2fa5093515a8acec10c7f4aca232281004426221b4b7e5edbd203eb49c
				`@ -1 +0,0 @@`
				`0dd6efca729f1190f66855523c3920c3f7ddd482 SOURCES/cjose-0.6.1.tar.gz`
				`@ -0,0 +1 @@`
				`SHA512 (cjose-0.6.2.2.tar.gz) = 71a087709816f0aac060a7c5f037068e981366b1809f6ee32e39eaded02ad8be061b0e2fa5093515a8acec10c7f4aca232281004426221b4b7e5edbd203eb49c`