rpms
/
cjose
20
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: rpms:c9
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i9c
rpms:c9
rpms:i10cs
rpms:cs10
rpms:i8c-stream-2.3
rpms:c8-stream-2.3
rpms:i9c-beta
rpms:c9-beta
..
compare: rpms:i10cs
Branches Tags
rpms:i10c-beta
rpms:c10-beta
rpms:i9c
rpms:c9
rpms:i10cs
rpms:cs10
rpms:i8c-stream-2.3
rpms:c8-stream-2.3
rpms:i9c-beta
rpms:c9-beta

No commits in common. 'c9' and 'i10cs' have entirely different histories.
c9 ... i10cs

7 changed files with 51 additions and 292 deletions
Show Stats

2
.cjose.metadata
Unescape View File

@ -1 +1 @@
0dd6efca729f1190f66855523c3920c3f7ddd482 SOURCES/cjose-0.6.1.tar.gz 4037d1a8ebef22d9fea22dd9e236a91bf1c6166c SOURCES/cjose-0.6.2.2.tar.gz

2
.gitignore vendored
Unescape View File

@ -1 +1 @@
SOURCES/cjose-0.6.1.tar.gz SOURCES/cjose-0.6.2.2.tar.gz

53
SOURCES/0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
Unescape View File

@ -1,53 +0,0 @@
From b339a18aa06c78d64ac33d891d400eac7b86fff3 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Mon, 17 May 2021 13:30:24 +0200
Subject: [PATCH] Define OPENSSL_API_COMPAT to 0x10101000L
---
src/jwe.c | 2 ++
src/jwk.c | 2 ++
src/jws.c | 2 ++
3 files changed, 6 insertions(+)
diff --git a/src/jwe.c b/src/jwe.c
index 822d408..d6f3149 100644
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -5,6 +5,8 @@
* Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved.
*/
+#define OPENSSL_API_COMPAT 0x10101000L
+
#include <cjose/base64.h>
#include <cjose/header.h>
#include <cjose/jwe.h>
diff --git a/src/jwk.c b/src/jwk.c
index 860f0e7..87408e9 100644
--- a/src/jwk.c
+++ b/src/jwk.c
@@ -5,6 +5,8 @@
* Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved.
*/
+#define OPENSSL_API_COMPAT 0x10101000L
+
#include "include/jwk_int.h"
#include "include/util_int.h"
diff --git a/src/jws.c b/src/jws.c
index 4e03554..9d682a0 100644
--- a/src/jws.c
+++ b/src/jws.c
@@ -5,6 +5,8 @@
* Copyright (c) 2014-2016 Cisco Systems, Inc. All Rights Reserved.
*/
+#define OPENSSL_API_COMPAT 0x10101000L
+
#include <cjose/base64.h>
#include <cjose/header.h>
#include <cjose/jws.h>
--
2.31.1

25
SOURCES/0002-check-cjose_get_alloc.patch
Unescape View File

@ -1,25 +0,0 @@
commit 54d449473b21e93805070264791e80f84f601b4d
Author: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
Date: Tue Apr 5 20:51:20 2022 +0200
check result of cek = cjose_get_alloc()(cek_len) in jwe.c
see: https://github.com/cisco/cjose/issues/110
Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
diff --git a/src/jwe.c b/src/jwe.c
index 4285097..157ddec 100644
--- a/src/jwe.c
+++ b/src/jwe.c
@@ -2064,6 +2064,10 @@ uint8_t *cjose_jwe_decrypt_multi(cjose_jwe_t *jwe, cjose_key_locator key_locator
{
cek_len = jwe->cek_len;
cek = cjose_get_alloc()(cek_len);
+ if (!cek) {
+ CJOSE_ERROR(err, CJOSE_ERR_NO_MEMORY);
+ return NULL;
+ }
memcpy(cek, jwe->cek, cek_len);
}
else

91
SOURCES/0003-CVE-2023-37464.patch
Unescape View File

@ -1,91 +0,0 @@
diff -up cjose-0.6.1/src/jwe.c.orig cjose-0.6.1/src/jwe.c
--- cjose-0.6.1/src/jwe.c.orig 2023-07-19 16:23:44.658712950 +0200
+++ cjose-0.6.1/src/jwe.c 2023-07-19 16:55:02.173914437 +0200
@@ -1227,6 +1227,12 @@ static bool _cjose_jwe_decrypt_dat_a256g
goto _cjose_jwe_decrypt_dat_a256gcm_fail;
}
+ if (jwe->enc_auth_tag.raw_len != 16)
+ {
+ CJOSE_ERROR(err, CJOSE_ERR_CRYPTO);
+ goto _cjose_jwe_decrypt_dat_a256gcm_fail;
+ }
+
// set the expected GCM-mode authentication tag
if (EVP_CIPHER_CTX_ctrl(ctx, CJOSE_EVP_CTRL_GCM_SET_TAG, jwe->enc_auth_tag.raw_len, jwe->enc_auth_tag.raw) != 1)
{
diff -up cjose-0.6.1/test/check_jwe.c.orig cjose-0.6.1/test/check_jwe.c
--- cjose-0.6.1/test/check_jwe.c.orig 2018-04-12 00:39:58.000000000 +0200
+++ cjose-0.6.1/test/check_jwe.c 2023-07-19 16:38:45.412336742 +0200
@@ -809,6 +809,63 @@ START_TEST(test_cjose_jwe_decrypt_aes)
}
END_TEST
+START_TEST(test_cjose_jwe_decrypt_aes_gcm)
+{
+ cjose_err err;
+
+ const char *key = JWK_OCT_32;
+ const char *plain1 = "Live long and prosper.";
+ char *compact1 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.GpeKGEqd8KQ0v6JNea5aSA";
+ char *compact2 = "eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..Du_9fxxV-zrReaWC.aS_rpokeuxkaPc2sykcQDCQuJCYoww.Gp";
+
+ cjose_jwk_t *jwk = cjose_jwk_import(key, strlen(key), &err);
+ ck_assert_msg(NULL != jwk,
+ "cjose_jwk_import failed: "
+ "%s, file: %s, function: %s, line: %ld",
+ err.message, err.file, err.function, err.line);
+
+ cjose_jwe_t *jwe1 = cjose_jwe_import(compact1, strlen(compact1), &err);
+ ck_assert_msg(NULL != jwe1,
+ "cjose_jwe_import failed: "
+ "%s, file: %s, function: %s, line: %ld",
+ err.message, err.file, err.function, err.line);
+
+ uint8_t *plain2 = NULL;
+ size_t plain2_len = 0;
+ plain2 = cjose_jwe_decrypt(jwe1, jwk, &plain2_len, &err);
+ ck_assert_msg(NULL != plain2,
+ "cjose_jwe_decrypt failed: "
+ "%s, file: %s, function: %s, line: %ld",
+ err.message, err.file, err.function, err.line);
+
+ ck_assert_msg(plain2_len == strlen(plain1),
+ "length of decrypted plaintext does not match length of original, "
+ "expected: %lu, found: %lu",
+ strlen(plain1), plain2_len);
+ ck_assert_msg(strncmp(plain1, plain2, plain2_len) == 0, "decrypted plaintext does not match encrypted plaintext");
+
+ cjose_get_dealloc()(plain2);
+ cjose_jwe_release(jwe1);
+
+ cjose_jwe_t *jwe2 = cjose_jwe_import(compact2, strlen(compact2), &err);
+ ck_assert_msg(NULL != jwe2,
+ "cjose_jwe_import failed: "
+ "%s, file: %s, function: %s, line: %ld",
+ err.message, err.file, err.function, err.line);
+
+ uint8_t *plain3 = NULL;
+ size_t plain3_len = 0;
+ plain3 = cjose_jwe_decrypt(jwe2, jwk, &plain3_len, &err);
+ ck_assert_msg(NULL == plain3,
+ "cjose_jwe_decrypt succeeded where it should have failed: "
+ "%s, file: %s, function: %s, line: %ld",
+ err.message, err.file, err.function, err.line);
+
+ cjose_jwe_release(jwe2);
+ cjose_jwk_release(jwk);
+}
+END_TEST
+
START_TEST(test_cjose_jwe_decrypt_rsa)
{
struct cjose_jwe_decrypt_rsa
@@ -1210,6 +1267,7 @@ Suite *cjose_jwe_suite()
tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_large);
tcase_add_test(tc_jwe, test_cjose_jwe_self_encrypt_self_decrypt_many);
tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes);
+ tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_aes_gcm);
tcase_add_test(tc_jwe, test_cjose_jwe_decrypt_rsa);
tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_header);
tcase_add_test(tc_jwe, test_cjose_jwe_encrypt_with_bad_key);

74
SOURCES/concatkdf.patch
Unescape View File

@ -1,74 +0,0 @@
commit 0238eb8f3612515f4374381b593dd79116169330
Author: John Dennis <jdennis@redhat.com>
Date: Thu Aug 2 16:21:33 2018 -0400
fix concatkdf failures on big endian architectures
Several of the elements used to compute the digest in ECDH-ES key
agreement computation are represented in binary form as a 32-bit
integer length followed by that number of octets. the length
field. The 32-bit length integer is represented in big endian
format (the 8 most significant bits are in the first octet.).
The conversion to a 4 byte big endian integer was being computed
in a manner that only worked on little endian architectures. The
function htonl() returns a 32-bit integer whose octet sequence given
the address of the integer is big endian. There is no need for any
further manipulation.
The existing code used bit shifting on a 32-bit value. In C bit
shifting is endian agnostic for multi-octet values, a right shift
moves most significant bits toward least significant bits. The result
of a bit shift of a multi-octet value on either big or little
archictures will always be the same provided you "view" it as the same
data type (e.g. 32-bit integer). But indexing the octets of that
mulit-octet value will be different depending on endianness, hence the
assembled octets differed depending on endianness.
Issue: #77
Signed-off-by: John Dennis <jdennis@redhat.com>
diff --git a/src/concatkdf.c b/src/concatkdf.c
index ec064ab..59b845a 100644
--- a/src/concatkdf.c
+++ b/src/concatkdf.c
@@ -29,15 +29,9 @@
////////////////////////////////////////////////////////////////////////////////
static uint8_t *_apply_uint32(const uint32_t value, uint8_t *buffer)
{
- const uint32_t formatted = htonl(value);
- const uint8_t data[4] = {
- (formatted >> 0) & 0xff,
- (formatted >> 8) & 0xff,
- (formatted >> 16) & 0xff,
- (formatted >> 24) & 0xff
- };
- memcpy(buffer, data, 4);
+ const uint32_t big_endian_int32 = htonl(value);
+ memcpy(buffer, &big_endian_int32, 4);
return buffer + 4;
}
diff --git a/test/check_concatkdf.c b/test/check_concatkdf.c
index e4325fc..41d0f1c 100644
--- a/test/check_concatkdf.c
+++ b/test/check_concatkdf.c
@@ -60,14 +60,9 @@ _create_otherinfo_header_finish:
static bool _cmp_uint32(uint8_t **actual, uint32_t expected)
{
- uint32_t value = htonl(expected);
- uint8_t expectedData[] = {
- (value >> 0) & 0xff,
- (value >> 8) & 0xff,
- (value >> 16) & 0xff,
- (value >> 24) & 0xff
- };
- bool result = (0 == memcmp(*actual, expectedData, 4));
+ uint32_t big_endian_int32 = htonl(expected);
+
+ bool result = (0 == memcmp(*actual, &big_endian_int32, 4));
(*actual) += 4;
return result;
}

96
SPECS/cjose.spec
Unescape View File

@ -1,16 +1,11 @@
Name: cjose Name: cjose
Version: 0.6.1 Version: 0.6.2.2
Release: 17%{?dist} Release: 7%{?dist}
Summary: C library implementing the Javascript Object Signing and Encryption (JOSE) Summary: C library implementing the Javascript Object Signing and Encryption (JOSE)
License: MIT License: MIT
URL: https://github.com/cisco/cjose URL: https://github.com/OpenIDC/cjose
Source0: https://github.com/cisco/%{name}/archive/%{version}/%{name}-%{version}.tar.gz Source0: https://github.com/OpenIDC/cjose/releases/download/v%{version}/cjose-%{version}.tar.gz
Patch1: concatkdf.patch
Patch2: 0001-Define-OPENSSL_API_COMPAT-to-0x10101000L.patch
Patch3: 0002-check-cjose_get_alloc.patch
Patch4: 0003-CVE-2023-37464.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: doxygen BuildRequires: doxygen
@ -66,44 +61,51 @@ make check || (cat test/test-suite.log; exit 1)
%changelog %changelog
* Tue May 14 2024 <thalman@redhat.com> - 0.6.1-17 * Tue Oct 29 2024 Troy Dawson <tdawson@redhat.com> - 0.6.2.2-7
- Publishing cjose devel package - Bump release for October 2024 mass rebuild:
Resolves: RHEL-18066 Resolves: RHEL-64018
* Wed Jul 19 2023 <thalman@redhat.com> - 0.6.1-16 * Fri Oct 25 2024 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 0.6.2.2-6
- CVE-2023-37464 cjose: AES GCM decryption uses the Tag length from the actual - Rebuilt for MSVSphere 10
Authentication Tag provided in the JWE
Resolves: rhbz#2223308 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 0.6.2.2-6
- Bump release for June 2024 mass rebuild
* Wed May 3 2023 <spoore@redhat.com> - 0.6.1-15
- Rebuilt for gating * Thu Mar 28 2024 Tomas Halman <thalman@redhat.com> - 0.6.2.2-2
Related: rhbz#2180445 - Add gating tests configuration
* Tue May 2 2023 <thalman@redhat.com> - 0.6.1-14 * Tue Jan 23 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.2.2-4
- Rebuilt for gating - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
Related: rhbz#2180445
* Fri Jan 19 2024 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.2.2-3
* Tue Mar 21 2023 <thalman@redhat.com> - 0.6.1-13 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
- Random memory override
Resolves: rhbz#2180445 * Fri Sep 1 2023 Tomas Halman <thalman@redhat.com> - 0.6.2.2-2
- migrated to SPDX license
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 0.6.1-12
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags * Wed Jul 26 2023 Tomas Halman <thalman@redhat.com> - 0.6.2.2-1
Related: rhbz#1991688 - Rebase to version 0.6.2.2. Solves CVE-2023-37464.
* Wed Jul 28 2021 Florian Weimer <fweimer@redhat.com> - 0.6.1-11 * Wed Jul 19 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-14
- Rebuild to pick up OpenSSL 3.0 Beta ABI (#1984097) - Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 0.6.1-10 * Wed Jan 18 2023 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-13
- Rebuilt for RHEL 9 BETA for openssl 3.0 - Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
Related: rhbz#1971065
* Fri Oct 28 2022 Stephen Gallagher <sgallagh@redhat.com> - 0.6.1-12
* Mon May 17 2021 Jakub Hrozek <jhrozek@redhat.com> - 0.6.1-9 - Enable build on OpenSSL 3.0
- enable build with openssl 3.0
- Resolves: rhbz#1958026 * Wed Jul 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
* Thu Apr 15 2021 Mohan Boddu <mboddu@redhat.com> - 0.6.1-8
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937 * Wed Jan 19 2022 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-10
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
* Tue Sep 14 2021 Sahana Prasad <sahana@redhat.com> - 0.6.1-9
- Rebuilt with OpenSSL 3.0.0
* Wed Jul 21 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-7 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 0.6.1-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild

Write Preview
Loading…
Cancel
Save