0.6.2.4

Bugfixes

• fix memory leak in ECDH-ES JWE encryption/decryption in jwe.c (1b2af41)
• fix rsa_q = NULL initialization in _RSA_private_fields in jwk.c (ce26265)
• fix memory allocation check (typo) in jwk.c (https://github.com/OpenIDC/cjose/security/code-scanning/2)
• fix gcc10 errors for -Werror=ignored-qualifiers and remove unused includes (#26); thanks @s-ymgch228

Other

• re-generate automake/autoconf files with automake v1.17 and libtool v2.5.4
• added RHEL 10 RPMs

the RPM packages are signed with the following 2048 bit RSA PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBGh53lgBCADCyoOkfnE5h5rBLlf02oFpI/z2vUXK5W4T56xnNPu0/iIOxbBk
YX9rSypZFhfjv28lhGgelWEg28Ab/Yxs6l0obCgDEuFUDQ5Dv+N+YSMy67vtLwYW
9LM5p9fMN9bXOa62PwvtzRzh+xRyRBcIfMacGJC+SqUK6QhzC0lNwCsr1OaWjzon
mkaodwrloNMxEZVvFn63PvuQDZ3wwQty+0XpYiiChMssGBn6nmPDQJ7pDtQDkhfD
Z5FKY6K7AQJ4fneiVCLGngPBwTXBGcfWa+Y0HCS2ghQwDO6jYXd5GjowVDTjfMK3
QJ3e26Ox9X3V0Fl04R1i5EthEkAWGfy1lksvABEBAAG0HU9wZW5JREMgPHN1cHBv
cnRAb3BlbmlkYy5jb20+iQFRBBMBCgA7FiEEFdjWJA1IGDkAITSxnyZY1L0OSOMF
Amh53lgCGwMFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQnyZY1L0OSONG
Jgf+II0wG96R0g28Kp+R4AYzSdX0CEqr6OhwHHw4cFpLsHxZNhojo7I4OnLKEdfc
lFl37rE+hG3QpzD/b4S/fpPjd4hcLkguBQxtdxqZZVAIT8HWbveHRkI8MNnjOPwv
Hy6jBncMs1IT/URV2si/Q34+PLo8tvo/lXNa16svVl2DoYXO8MCszgCE1bx055EF
XPh4Teu5Y4OLHECSicMxrmN746dAD121zy4bLLx9mZ0erhLjvkj1vkFmlHFKyvwY
/pbSqXs9hW/wweW1oQ/xEIJWWS71PeoutUBjr0WC4sILnR5PBPZplgNh297Qex6g
qaW3io0tCH9KxU1tXYn/iL/hbQ==
=mlOy
-----END PGP PUBLIC KEY BLOCK-----

0.6.2.3

Security

• disable RSA PKCS 1.5 by default (#22); thanks @thalman

Other

• avoid using empty prototypes; support Clang 15 and XCode 14.3
• build shared library on Cygwin by adding -no-undefined to LDFLAGS (#20); thanks @fd00
• reformat using clang-format-18.1.3
• regenerate autoconf files using autoconf 2.72
• update github actions to avoid warnings

0.6.2.2

Security

• use fixed authentication tag length of 16 octets in AES GCM decryption (cisco#125)

Other

• avoid use of assert (cisco#123) ; thanks @groovyfeng
• fix make on srcdir != builddir (#17) ; thanks @fd00

0.6.2.1

Features

• preserve key order in cjose_header_get_raw as well (#16)

Bugfixes

• fix a memory leak in cjose_jws_import() for invalid JWS (#14)

Other

• don't use STACK_ALLOC in cjose_concatkdf_derive (#15)

Packaging

• add packages for RHEL 9, Debian Bookworm and Ubuntu Jammy

0.6.2

Security

• use fixed size of IV size of 16 bytes for AES-CBC (#11) ; thanks @securedimensions

Features

• allow compilation against OpenSSL 3 with #define OPENSSL_API_COMPAT 0x10000000L
• add support for A128GCM and A192GCM encryption (#4)
• extract cjose_jwe_encrypt_iv to allow explicit IV (#9) ; thanks @rnapier
• preserve key order in order to be able to compare serialized JWTs (#2)

Bugfixes

• fix memory leak already addressed in cjose_jws_build_dig_sha when a JWS is reused for validation (#12) ; thanks @traeak
• fix double free on decrypt ek rsa padding failure (#6)
• fix buffer overflow in test_cjose_jwe_multiple_recipients (#10) ; thanks @mpsun
• check that JWE object has any CEK at all, return error if it doesn't (#5) ; thanks @veselov
• check result of cek = cjose_get_alloc()(cek_len) in jwe.c (cisco#110) ; thanks @marcstern
• replace calls to free() with cjose_get_dealloc() in _cjose_jws_build_hdr (#7) ; thanks @zachmann

Other

• cleanup some warnings about \param lines in header files (#1) ; thanks @jogu
• minor updates for conformance (#3) ; thanks @ajishna
• compile against older versions of check (cisco#91) ; thanks @treydock
• rename free() to free_func() in struct key_fntable for memory leak detectors (cisco#109) ; thanks @marcstern