From: YASUOKA Masahiko Subject: Update devel/cjose To: ports@openbsd.org Date: Tue, 28 Apr 2026 09:11:58 +0900 Hi, devel/cjose fixed some issues some hours ago. https://github.com/cisco/cjose/commits/master I understand the tree is locked. I'll commit this after the lock is released. * * * Update devel/cjose to db7d26ef2bd02572128c7cdaa4066f39af2b42da 51e8a23 Update function prototypes for current toolchains b87064a Check ECDH secret allocation result f4d65be Check base64 decode length bounds b0c9a10 Guard JWK retain count overflow bb9ef93 Enforce JOSE IV lengths 1ecb145 Check JOSE algorithms against key types 1daa23d Validate critical JOSE headers f4106a7 Cleanse sensitive buffers before release 87537b6 Guard JWE buffer length calculations e3113b5 Use OpenSSL constant-time comparisons 7881496 Validate EC inputs before key agreement f12e1c5 Fix JWS import allocation handling
Index: Makefile
===================================================================
RCS file: /disk/cvs/openbsd/ports/devel/cjose/Makefile,v
diff -u -p -r1.7 Makefile
--- Makefile 9 Mar 2025 16:02:56 -0000 1.7
+++ Makefile 27 Apr 2026 23:33:13 -0000
@@ -1,9 +1,12 @@
 COMMENT = Javascript Object Signing and Encryption library
+V = 0.6.1
+DISTNAME = ${GH_PROJECT}-${V}
+
 GH_ACCOUNT = cisco
 GH_PROJECT = cjose
-GH_TAGNAME = 0.6.1
-REVISION = 2
+GH_COMMIT = db7d26ef2bd02572128c7cdaa4066f39af2b42da
+REVISION = 3
 SHARED_LIBS = cjose 0.0
Index: distinfo
===================================================================
RCS file: /disk/cvs/openbsd/ports/devel/cjose/distinfo,v
diff -u -p -r1.1.1.1 distinfo
--- distinfo 30 Jan 2019 07:58:19 -0000 1.1.1.1
+++ distinfo 27 Apr 2026 23:33:13 -0000
@@ -1,2 +1,2 @@
-SHA256 (cjose-0.6.1.tar.gz) = II6qD6YWtEpx2KoVXECxTHydD6K7kdFAiCRSDS/BtN0=
-SIZE (cjose-0.6.1.tar.gz) = 1586963
+SHA256 (cjose-0.6.1-db7d26ef.tar.gz) = //HJclJXJ+FzA9MPOKEDuDlSKhXA7yOshIXgkdu6UNM=
+SIZE (cjose-0.6.1-db7d26ef.tar.gz) = 1589696
Index: patches/patch-src_Makefile_am
===================================================================
RCS file: /disk/cvs/openbsd/ports/devel/cjose/patches/patch-src_Makefile_am,v
diff -u -p -r1.2 patch-src_Makefile_am
--- patches/patch-src_Makefile_am 11 Mar 2022 18:49:49 -0000 1.2
+++ patches/patch-src_Makefile_am 27 Apr 2026 23:33:13 -0000
@@ -1,9 +1,13 @@
 Index: src/Makefile.am
 --- src/Makefile.am.orig
 +++ src/Makefile.am
-@@ -1,4 +1,4 @@
+@@ -1,7 +1,7 @@
 -AM_CFLAGS =-std=gnu99 --pedantic -Wall -Werror -g -O2 -I$(top_builddir)/include
 +AM_CFLAGS =-std=gnu99 --pedantic -Wall -I$(top_builddir)/include
 lib_LTLIBRARIES=libcjose.la
- libcjose_la_CPPFLAGS= -I$(topdir)/include
+-libcjose_la_CPPFLAGS= -I$(topdir)/include
++libcjose_la_CPPFLAGS= -I$(top_builddir)/include
+ libcjose_la_LDFLAGS= -lm
+ libcjose_la_SOURCES=version.c \
+ util.c \
Index: patches/patch-src_concatkdf_c
===================================================================
RCS file: patches/patch-src_concatkdf_c
diff -N patches/patch-src_concatkdf_c
--- patches/patch-src_concatkdf_c 11 Mar 2022 18:49:49 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
@@ -1,21 +0,0 @@
-Index: src/concatkdf.c
---- src/concatkdf.c.orig
-+++ src/concatkdf.c
-@@ -16,15 +16,9 @@
- ////////////////////////////////////////////////////////////////////////////////
- static uint8_t *_apply_uint32(const uint32_t value, uint8_t *buffer)
- {
-- const uint32_t formatted = htonl(value);
-- const uint8_t data[4] = {
-- (formatted >> 0) & 0xff,
-- (formatted >> 8) & 0xff,
-- (formatted >> 16) & 0xff,
-- (formatted >> 24) & 0xff
-- };
-- memcpy(buffer, data, 4);
-+ const uint32_t big_endian_int32 = htonl(value);
-
-+ memcpy(buffer, &big_endian_int32, 4);
- return buffer + 4;
- }
-
Index: patches/patch-src_jws_c
===================================================================
RCS file: /disk/cvs/openbsd/ports/devel/cjose/patches/patch-src_jws_c,v
diff -u -p -r1.2 patch-src_jws_c
--- patches/patch-src_jws_c 11 Mar 2022 18:49:49 -0000 1.2
+++ patches/patch-src_jws_c 27 Apr 2026 23:33:13 -0000
@@ -1,8 +1,8 @@
 Index: src/jws.c
 --- src/jws.c.orig
 +++ src/jws.c
-@@ -171,6 +171,12 @@ static bool _cjose_jws_build_dig_sha(cjose_jws_t *jws,
- goto _cjose_jws_build_dig_sha_cleanup;
+@@ -192,6 +192,12 @@ static bool _cjose_jws_build_dig_sha(cjose_jws_t *jws,
+ jws->dig = NULL;
 }
 + if (NULL != jws->dig)
Index: patches/patch-test_check_concatkdf_c
===================================================================
RCS file: patches/patch-test_check_concatkdf_c
diff -N patches/patch-test_check_concatkdf_c
--- patches/patch-test_check_concatkdf_c 11 Mar 2022 18:49:49 -0000 1.2
+++ /dev/null 1 Jan 1970 00:00:00 -0000
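Review bot: Removing patches/patch-src_concatkdf_c puts the port back on upstream's `_apply_uint32`, and nothing in the mail shows that upstream fixed it: none of the twelve listed commits mentions concatkdf. The code this patch replaced calls `htonl()` and then pulls the bytes out low-to-high with shifts, which produces big-endian output only on little-endian hosts. On a big-endian arch the 32-bit fields written for ConcatKDF would come out byte-swapped, and keys derived through it would not match other implementations. patches/patch-test_check_concatkdf_c, removed in the last hunk, fixed the same construction in `_cmp_uint32`, so the upstream test would still pass with the bug present. Please confirm that src/concatkdf.c at db7d26ef no longer contains the shift sequence, and say so in the commit message.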
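Review bot: The port's inserted `if (NULL != jws->dig)` block may now be redundant, because the regenerated context places `jws->dig = NULL;` and a closing brace directly above it in `_cjose_jws_build_dig_sha`. If upstream now clears `jws->dig` on every path that reaches this point, the added lines can never run and the patch can be dropped like the concatkdf ones. If the clear only happens inside a conditional, the patch is still needed and a one-line comment above its `Index:` line should record which leak or stale pointer it guards against. The rest of the patch file lies outside this hunk, so what the block does with `jws->dig` is not visible here.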
@@ -1,21 +0,0 @@
-Index: test/check_concatkdf.c
---- test/check_concatkdf.c.orig
-+++ test/check_concatkdf.c
-@@ -60,14 +60,9 @@ _create_otherinfo_header_finish:
-
- static bool _cmp_uint32(uint8_t **actual, uint32_t expected)
- {
-- uint32_t value = htonl(expected);
-- uint8_t expectedData[] = {
-- (value >> 0) & 0xff,
-- (value >> 8) & 0xff,
-- (value >> 16) & 0xff,
-- (value >> 24) & 0xff
-- };
-- bool result = (0 == memcmp(*actual, expectedData, 4));
-+ uint32_t big_endian_int32 = htonl(expected);
-+
-+ bool result = (0 == memcmp(*actual, &big_endian_int32, 4));
- (*actual) += 4;
- return result;
- }