Hello Sebastian,

Thanks for driving the patch through with upstream. I'm good with the
NMU so there is no reason to add any additional delay.

Troy

On 12/06/16 21:19, Sebastian Andrzej Siewior wrote:
> Control: tags 828371 + patch
> Control: tags 828371 + pending
> 
> Dear maintainer,
> 
> I've prepared an NMU for lastpass-cli (versioned as 1.0.0-1.1) and
> uploaded it to DELAYED/4. Please feel free to tell me if I
> should delay it longer.
> 
> Regards.
> Sebastian

> diff -Nru lastpass-cli-1.0.0/debian/changelog 
> lastpass-cli-1.0.0/debian/changelog
> --- lastpass-cli-1.0.0/debian/changelog       2016-10-20 16:17:08.000000000 
> +0200
> +++ lastpass-cli-1.0.0/debian/changelog       2016-12-06 21:10:47.000000000 
> +0100
> @@ -1,3 +1,10 @@
> +lastpass-cli (1.0.0-1.1) unstable; urgency=medium
> +
> +  * Non-maintainer upload.
> +  * Get it built against openssl 1.1.0 (Closes: #828371).
> +
> + -- Sebastian Andrzej Siewior <[email protected]>  Tue, 06 Dec 2016 
> 21:10:47 +0100
> +
>  lastpass-cli (1.0.0-1) unstable; urgency=medium
>  
>    * New upstream 1.0.0
> diff -Nru 
> lastpass-cli-1.0.0/debian/patches/0001-cipher-support-opaque-EVP_CIPHER_CTX.patch
>  
> lastpass-cli-1.0.0/debian/patches/0001-cipher-support-opaque-EVP_CIPHER_CTX.patch
> --- 
> lastpass-cli-1.0.0/debian/patches/0001-cipher-support-opaque-EVP_CIPHER_CTX.patch
>  1970-01-01 01:00:00.000000000 +0100
> +++ 
> lastpass-cli-1.0.0/debian/patches/0001-cipher-support-opaque-EVP_CIPHER_CTX.patch
>  2016-12-06 21:09:03.000000000 +0100
> @@ -0,0 +1,214 @@
> +From 6e4ff62df789b55b80c14b2e7b15c25154fbf9fe Mon Sep 17 00:00:00 2001
> +From: Bob Copeland <[email protected]>
> +Date: Mon, 5 Dec 2016 09:55:19 -0500
> +Subject: [PATCH 1/3] cipher: support opaque EVP_CIPHER_CTX
> +
> +In OpenSSL 1.1+, EVP_CIPHER_CTX can no longer be declared on
> +the stack; instead you have to declare a pointer and then
> +use _new()/_free() to allocate or free it.  These functions
> +continue to work on older OpenSSL, so switch to the new
> +method.
> +
> +Signed-off-by: Bob Copeland <[email protected]>
> +---
> + cipher.c | 36 +++++++++++++++++++++---------------
> + config.c | 33 +++++++++++++++++++--------------
> + 2 files changed, 40 insertions(+), 29 deletions(-)
> +
> +diff --git a/cipher.c b/cipher.c
> +index 71487787af5a..ebae92e0431c 100644
> +--- a/cipher.c
> ++++ b/cipher.c
> +@@ -147,36 +147,39 @@ int cipher_rsa_encrypt(const char *plaintext,
> + 
> + char *cipher_aes_decrypt(const unsigned char *ciphertext, size_t len, const 
> unsigned char key[KDF_HASH_LEN])
> + {
> +-    EVP_CIPHER_CTX ctx;
> ++    EVP_CIPHER_CTX *ctx;
> +     char *plaintext;
> +     int out_len;
> + 
> +     if (!len)
> +             return NULL;
> + 
> +-    EVP_CIPHER_CTX_init(&ctx);
> ++    ctx = EVP_CIPHER_CTX_new();
> ++    if (!ctx)
> ++            return NULL;
> ++
> +     plaintext = xcalloc(len + AES_BLOCK_SIZE + 1, 1);
> +     if (len >= 33 && len % 16 == 1 && ciphertext[0] == '!') {
> +-            if (!EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, 
> (unsigned char *)(ciphertext + 1)))
> ++            if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, 
> (unsigned char *)(ciphertext + 1)))
> +                     goto error;
> +             ciphertext += 17;
> +             len -= 17;
> +     } else {
> +-            if (!EVP_DecryptInit_ex(&ctx, EVP_aes_256_ecb(), NULL, key, 
> NULL))
> ++            if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_ecb(), NULL, key, 
> NULL))
> +                     goto error;
> +     }
> +-    if (!EVP_DecryptUpdate(&ctx, (unsigned char *)plaintext, &out_len, 
> (unsigned char *)ciphertext, len))
> ++    if (!EVP_DecryptUpdate(ctx, (unsigned char *)plaintext, &out_len, 
> (unsigned char *)ciphertext, len))
> +             goto error;
> +     len = out_len;
> +-    if (!EVP_DecryptFinal_ex(&ctx, (unsigned char *)(plaintext + out_len), 
> &out_len))
> ++    if (!EVP_DecryptFinal_ex(ctx, (unsigned char *)(plaintext + out_len), 
> &out_len))
> +             goto error;
> +     len += out_len;
> +     plaintext[len] = '\0';
> +-    EVP_CIPHER_CTX_cleanup(&ctx);
> ++    EVP_CIPHER_CTX_free(ctx);
> +     return plaintext;
> + 
> + error:
> +-    EVP_CIPHER_CTX_cleanup(&ctx);
> ++    EVP_CIPHER_CTX_free(ctx);
> +     secure_clear(plaintext, len + AES_BLOCK_SIZE + 1);
> +     free(plaintext);
> +     return NULL;
> +@@ -188,7 +191,7 @@ size_t cipher_aes_encrypt_bytes(const unsigned char 
> *bytes, size_t len,
> +                             const unsigned char *iv,
> +                             unsigned char **out)
> + {
> +-    EVP_CIPHER_CTX ctx;
> ++    EVP_CIPHER_CTX *ctx;
> +     int out_len;
> +     size_t ret_len = 0;
> +     unsigned char *ctext;
> +@@ -197,24 +200,27 @@ size_t cipher_aes_encrypt_bytes(const unsigned char 
> *bytes, size_t len,
> +     if (!ctext)
> +             ctext = xcalloc(len + AES_BLOCK_SIZE * 2 + 1, 1);
> + 
> +-    EVP_CIPHER_CTX_init(&ctx);
> +-    if (!EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, iv))
> ++    ctx = EVP_CIPHER_CTX_new();
> ++    if (!ctx)
> +             goto error;
> + 
> +-    if (!EVP_EncryptUpdate(&ctx, ctext, &out_len, bytes, len))
> ++    if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
> ++            goto error;
> ++
> ++    if (!EVP_EncryptUpdate(ctx, ctext, &out_len, bytes, len))
> +             goto error;
> + 
> +     ret_len += out_len;
> +-    if (!EVP_EncryptFinal_ex(&ctx, ctext + ret_len, &out_len))
> ++    if (!EVP_EncryptFinal_ex(ctx, ctext + ret_len, &out_len))
> +             goto error;
> +     ret_len += out_len;
> + 
> +-    EVP_CIPHER_CTX_cleanup(&ctx);
> ++    EVP_CIPHER_CTX_free(ctx);
> +     *out = ctext;
> +     return ret_len;
> + 
> + error:
> +-    EVP_CIPHER_CTX_cleanup(&ctx);
> ++    EVP_CIPHER_CTX_free(ctx);
> +     if (!*out)
> +             free(ctext);
> +     die("Failed to encrypt data.");
> +diff --git a/config.c b/config.c
> +index bd68cfe8b21b..976202c5d6ad 100644
> +--- a/config.c
> ++++ b/config.c
> +@@ -319,7 +319,7 @@ size_t config_read_buffer(const char *name, unsigned 
> char **out)
> + 
> + static size_t encrypt_buffer(const char *buffer, size_t in_len, unsigned 
> const char key[KDF_HASH_LEN], char **out)
> + {
> +-    EVP_CIPHER_CTX ctx;
> ++    EVP_CIPHER_CTX *ctx;
> +     char *ciphertext;
> +     unsigned char iv[AES_BLOCK_SIZE];
> +     int out_len;
> +@@ -329,31 +329,34 @@ static size_t encrypt_buffer(const char *buffer, 
> size_t in_len, unsigned const c
> +     if (!RAND_bytes(iv, AES_BLOCK_SIZE))
> +             die("Could not generate random bytes for CBC IV.");
> + 
> +-    EVP_CIPHER_CTX_init(&ctx);
> +     ciphertext = xcalloc(in_len + AES_BLOCK_SIZE * 2 + 
> SHA256_DIGEST_LENGTH, 1);
> + 
> ++    ctx = EVP_CIPHER_CTX_new();
> ++    if (!ctx)
> ++            goto error;
> ++
> +     len = SHA256_DIGEST_LENGTH;
> +     memcpy(ciphertext + len, iv, AES_BLOCK_SIZE);
> +     len += AES_BLOCK_SIZE;
> + 
> +-    if (!EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, iv))
> ++    if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv))
> +             goto error;
> +-    if (!EVP_EncryptUpdate(&ctx, (unsigned char *)(ciphertext + len), 
> &out_len, (unsigned char *)buffer, in_len))
> ++    if (!EVP_EncryptUpdate(ctx, (unsigned char *)(ciphertext + len), 
> &out_len, (unsigned char *)buffer, in_len))
> +             goto error;
> +     len += out_len;
> +-    if (!EVP_EncryptFinal_ex(&ctx, (unsigned char *)(ciphertext + len), 
> &out_len))
> ++    if (!EVP_EncryptFinal_ex(ctx, (unsigned char *)(ciphertext + len), 
> &out_len))
> +             goto error;
> +     len += out_len;
> +-    EVP_CIPHER_CTX_cleanup(&ctx);
> + 
> +     if (!HMAC(EVP_sha256(), key, KDF_HASH_LEN, (unsigned char *)(ciphertext 
> + SHA256_DIGEST_LENGTH), len - SHA256_DIGEST_LENGTH, (unsigned char 
> *)ciphertext, &hmac_len))
> +             goto error;
> + 
> ++    EVP_CIPHER_CTX_free(ctx);
> +     *out = ciphertext;
> +     return len;
> + 
> + error:
> +-    EVP_CIPHER_CTX_cleanup(&ctx);
> ++    EVP_CIPHER_CTX_free(ctx);
> +     free(ciphertext);
> +     die("Failed to encrypt data.");
> + 
> +@@ -361,14 +364,16 @@ static size_t encrypt_buffer(const char *buffer, 
> size_t in_len, unsigned const c
> + 
> + static size_t decrypt_buffer(const unsigned char *buffer, size_t in_len, 
> unsigned const char key[KDF_HASH_LEN], unsigned char **out)
> + {
> +-    EVP_CIPHER_CTX ctx;
> ++    EVP_CIPHER_CTX *ctx;
> +     unsigned char *plaintext = NULL;
> +     int out_len;
> +     unsigned int hmac_len;
> +     size_t len;
> +     unsigned char hmac[SHA256_DIGEST_LENGTH];
> + 
> +-    EVP_CIPHER_CTX_init(&ctx);
> ++    ctx = EVP_CIPHER_CTX_new();
> ++    if (!ctx)
> ++            goto error;
> + 
> +     if (in_len < (SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE * 2))
> +             goto error;
> +@@ -379,20 +384,20 @@ static size_t decrypt_buffer(const unsigned char 
> *buffer, size_t in_len, unsigne
> +             goto error;
> + 
> +     plaintext = xcalloc(in_len + AES_BLOCK_SIZE, 1);
> +-    if (!EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, (unsigned 
> char *)(buffer + SHA256_DIGEST_LENGTH)))
> ++    if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, (unsigned 
> char *)(buffer + SHA256_DIGEST_LENGTH)))
> +             goto error;
> +-    if (!EVP_DecryptUpdate(&ctx, (unsigned char *)plaintext, &out_len, 
> (unsigned char *)(buffer + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE), in_len - 
> SHA256_DIGEST_LENGTH - AES_BLOCK_SIZE))
> ++    if (!EVP_DecryptUpdate(ctx, (unsigned char *)plaintext, &out_len, 
> (unsigned char *)(buffer + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE), in_len - 
> SHA256_DIGEST_LENGTH - AES_BLOCK_SIZE))
> +             goto error;
> +     len = out_len;
> +-    if (!EVP_DecryptFinal_ex(&ctx, (unsigned char *)(plaintext + out_len), 
> &out_len))
> ++    if (!EVP_DecryptFinal_ex(ctx, (unsigned char *)(plaintext + out_len), 
> &out_len))
> +             goto error;
> +     len += out_len;
> +-    EVP_CIPHER_CTX_cleanup(&ctx);
> ++    EVP_CIPHER_CTX_free(ctx);
> +     *out = plaintext;
> +     return len;
> + 
> + error:
> +-    EVP_CIPHER_CTX_cleanup(&ctx);
> ++    EVP_CIPHER_CTX_free(ctx);
> +     free(plaintext);
> +     *out = NULL;
> +     return 0;
> +-- 
> +2.11.0
> +
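Review bot: The size handed to `secure_clear` on cipher_aes_decrypt's error path no longer matches the allocation once `len -= 17` (CBC branch) or `len = out_len` has run, so the tail of the buffer from `xcalloc(len + AES_BLOCK_SIZE + 1, 1)` is freed without being wiped; today that is harmless only because `out_len` never exceeds the original `len` and the tail was zeroed by xcalloc, but the invariant is implicit and the function is being reworked here anyway. Capture the size once and use it in both places: `size_t buf_len = len + AES_BLOCK_SIZE + 1;`, `plaintext = xcalloc(buf_len, 1);`, `secure_clear(plaintext, buf_len);`. The `goto error` after a failed `EVP_CIPHER_CTX_new()` in cipher_aes_encrypt_bytes, encrypt_buffer and decrypt_buffer passes a NULL ctx to `EVP_CIPHER_CTX_free()`; that is documented as a no-op in both 1.0.2 and 1.1.0, but a one-line comment at each error label (`/* EVP_CIPHER_CTX_free(NULL) is a no-op */`) would save the next reader the lookup. In decrypt_buffer the context is allocated before the `in_len` sanity check; moving the `EVP_CIPHER_CTX_new()` below that check avoids an allocation on malformed input, though nothing depends on it. cipher_aes_encrypt_bytes, encrypt_buffer and decrypt_buffer each extend beyond the inner hunks shown.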
> diff -Nru 
> lastpass-cli-1.0.0/debian/patches/0002-cipher-drop-p8inf-broken-flag-check.patch
>  
> lastpass-cli-1.0.0/debian/patches/0002-cipher-drop-p8inf-broken-flag-check.patch
> --- 
> lastpass-cli-1.0.0/debian/patches/0002-cipher-drop-p8inf-broken-flag-check.patch
>   1970-01-01 01:00:00.000000000 +0100
> +++ 
> lastpass-cli-1.0.0/debian/patches/0002-cipher-drop-p8inf-broken-flag-check.patch
>   2016-12-06 21:09:03.000000000 +0100
> @@ -0,0 +1,37 @@
> +From 390c01a8111a4f2fc5b2abb3691c4a0238365922 Mon Sep 17 00:00:00 2001
> +From: Bob Copeland <[email protected]>
> +Date: Mon, 5 Dec 2016 09:58:07 -0500
> +Subject: [PATCH 2/3] cipher: drop p8inf->broken flag check
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +struct pkcs8_priv_key_info_st is now opaque as of OpenSSL 1.1
> +so we cannot look directly at its flags going forward.
> +
> +./cipher.c: In function ‘cipher_rsa_decrypt’: ./cipher.c:73:11: error: 
> dereferencing pointer to incomplete type ‘PKCS8_PRIV_KEY_INFO {aka struct
> +pkcs8_priv_key_info_st}’
> +  if (p8inf->broken)
> +           ^
> +
> +Signed-off-by: Bob Copeland <[email protected]>
> +---
> + cipher.c | 2 --
> + 1 file changed, 2 deletions(-)
> +
> +diff --git a/cipher.c b/cipher.c
> +index ebae92e0431c..86d19eead546 100644
> +--- a/cipher.c
> ++++ b/cipher.c
> +@@ -70,8 +70,6 @@ char *cipher_rsa_decrypt(const unsigned char *ciphertext, 
> size_t len, const stru
> +     pkey = EVP_PKCS82PKEY(p8inf);
> +     if (!pkey)
> +             goto out;
> +-    if (p8inf->broken)
> +-            goto out;
> +     rsa = EVP_PKEY_get1_RSA(pkey);
> +     if (!rsa)
> +             goto out;
> +-- 
> +2.11.0
> +
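Review bot: Dropping the `p8inf->broken` check unconditionally also removes it for builds against OpenSSL 1.0.x, where that field still exists and flags PKCS#8 keys that were parsed from non-standard encodings; on 1.1.0 the field is gone and, as far as I recall, such encodings are rejected at parse time, so the check is redundant only there. Patch 0003 in this same upload keeps a `#if OPENSSL_VERSION_NUMBER < 0x10100000L` path for old OpenSSL, so for consistency this check should be guarded the same way rather than deleted: `#if OPENSSL_VERSION_NUMBER < 0x10100000L` / `if (p8inf->broken) goto out;` / `#endif`. If upstream has decided 1.1.0 is the only supported target, the commit message should say so, since the 0003 patch says otherwise. cipher_rsa_decrypt starts and ends outside the hunk.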
> diff -Nru 
> lastpass-cli-1.0.0/debian/patches/0003-pbkdf2-support-openssl-1.1.patch 
> lastpass-cli-1.0.0/debian/patches/0003-pbkdf2-support-openssl-1.1.patch
> --- lastpass-cli-1.0.0/debian/patches/0003-pbkdf2-support-openssl-1.1.patch   
> 1970-01-01 01:00:00.000000000 +0100
> +++ lastpass-cli-1.0.0/debian/patches/0003-pbkdf2-support-openssl-1.1.patch   
> 2016-12-06 21:09:03.000000000 +0100
> @@ -0,0 +1,93 @@
> +From 0f9e3d940fa2abee3f7dcedceec192e45e471bc6 Mon Sep 17 00:00:00 2001
> +From: Bob Copeland <[email protected]>
> +Date: Mon, 5 Dec 2016 10:55:49 -0500
> +Subject: [PATCH 3/3] pbkdf2: support openssl 1.1+
> +
> +In OpenSSL 1.1, HMAC_CTX is now opaque and _init/_cleanup functions
> +are history.  Change the pbkdf2 implementation to conditionally
> +use HMAX_CTX_new()/_free() and use context pointers throughout.
> +
> +Signed-off-by: Bob Copeland <[email protected]>
> +---
> + pbkdf2.c | 36 +++++++++++++++++++++++++-----------
> + 1 file changed, 25 insertions(+), 11 deletions(-)
> +
> +diff --git a/pbkdf2.c b/pbkdf2.c
> +index f3c763420bbc..de15bae0d430 100644
> +--- a/pbkdf2.c
> ++++ b/pbkdf2.c
> +@@ -1,5 +1,6 @@
> + /*
> +  * Copyright (c) 2014-2016 Thomas Hurst.
> ++ * Copyright (c) 2016 LastPass.
> +  *
> +  * Permission is hereby granted, free of charge, to any person obtaining a 
> copy
> +  * of this software and associated documentation files (the "Software"), to 
> deal
> +@@ -40,7 +41,7 @@ int fallback_pkcs5_pbkdf2_hmac(const char *pass, size_t 
> pass_len,
> +     const unsigned char *salt, size_t salt_len, unsigned int iterations,
> +     const EVP_MD *digest, size_t key_len, unsigned char *output)
> + {
> +-    HMAC_CTX ctx;
> ++    HMAC_CTX *ctx;
> +     unsigned char *out = output;
> +     unsigned int iter = 1, count = 1;
> +     unsigned int cp_len, i, ret = 0;
> +@@ -52,8 +53,17 @@ int fallback_pkcs5_pbkdf2_hmac(const char *pass, size_t 
> pass_len,
> + 
> +     unsigned char tmp_md[md_len];
> + 
> +-    HMAC_CTX_init(&ctx);
> +-    ERR_IFZERO(HMAC_Init_ex(&ctx, pass, pass_len, digest, NULL));
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ++    HMAC_CTX real_ctx;
> ++    ctx = &real_ctx;
> ++    HMAC_CTX_init(ctx);
> ++#else
> ++    ctx = HMAC_CTX_new();
> ++    if (!ctx)
> ++            return 0;
> ++#endif
> ++
> ++    ERR_IFZERO(HMAC_Init_ex(ctx, pass, pass_len, digest, NULL));
> + 
> +     while (key_left) {
> +             cp_len = min(key_left, md_len);
> +@@ -64,16 +74,16 @@ int fallback_pkcs5_pbkdf2_hmac(const char *pass, size_t 
> pass_len,
> +             c[2] = (count >> 8) & 0xff;
> +             c[3] = (count) & 0xff;
> + 
> +-            ERR_IFZERO(HMAC_Init_ex(&ctx, NULL, 0, digest, NULL));
> +-            ERR_IFZERO(HMAC_Update(&ctx, salt, salt_len));
> +-            ERR_IFZERO(HMAC_Update(&ctx, c, 4));
> +-            ERR_IFZERO(HMAC_Final(&ctx, tmp_md, NULL));
> ++            ERR_IFZERO(HMAC_Init_ex(ctx, NULL, 0, digest, NULL));
> ++            ERR_IFZERO(HMAC_Update(ctx, salt, salt_len));
> ++            ERR_IFZERO(HMAC_Update(ctx, c, 4));
> ++            ERR_IFZERO(HMAC_Final(ctx, tmp_md, NULL));
> +             memcpy(out, tmp_md, cp_len);
> + 
> +             for (iter=1; iter < iterations; iter++) {
> +-                    ERR_IFZERO(HMAC_Init_ex(&ctx, NULL, 0, digest, NULL));
> +-                    ERR_IFZERO(HMAC_Update(&ctx, tmp_md, md_len));
> +-                    ERR_IFZERO(HMAC_Final(&ctx, tmp_md, NULL));
> ++                    ERR_IFZERO(HMAC_Init_ex(ctx, NULL, 0, digest, NULL));
> ++                    ERR_IFZERO(HMAC_Update(ctx, tmp_md, md_len));
> ++                    ERR_IFZERO(HMAC_Final(ctx, tmp_md, NULL));
> + 
> +                     for (i = 0; i < cp_len; i++) {
> +                             out[i] ^= tmp_md[i];
> +@@ -87,6 +97,10 @@ int fallback_pkcs5_pbkdf2_hmac(const char *pass, size_t 
> pass_len,
> +     ret = 1;
> + 
> + ERR_LABEL
> +-    HMAC_CTX_cleanup(&ctx);
> ++#if OPENSSL_VERSION_NUMBER < 0x10100000L
> ++    HMAC_CTX_cleanup(ctx);
> ++#else
> ++    HMAC_CTX_free(ctx);
> ++#endif
> +     return ret;
> + }
> +-- 
> +2.11.0
> +
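Review bot: `tmp_md` holds the final HMAC block derived from the password and is left on the stack when fallback_pkcs5_pbkdf2_hmac returns, on both the success and the ERR_LABEL paths; since this patch rewrites the function's setup and teardown, the teardown is the natural place to wipe it, e.g. `OPENSSL_cleanse(tmp_md, md_len);` immediately after `ERR_LABEL`, before the HMAC_CTX cleanup/free (the context itself is, as far as I can tell, cleansed by HMAC_CTX_cleanup and HMAC_CTX_free). The new `if (!ctx) return 0;` after `HMAC_CTX_new()` is correct but bypasses ERR_LABEL; a short comment such as `/* nothing allocated yet, no cleanup needed */` makes the early return visibly intentional. The commit message says `HMAX_CTX_new()`; it should read `HMAC_CTX_new()`. Only the parts of fallback_pkcs5_pbkdf2_hmac shown in the inner hunks are visible, so the declarations of `md_len` and `key_left` and the ERR_IFZERO/ERR_LABEL macros were not checked.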
> diff -Nru lastpass-cli-1.0.0/debian/patches/series 
> lastpass-cli-1.0.0/debian/patches/series
> --- lastpass-cli-1.0.0/debian/patches/series  2016-10-20 16:16:48.000000000 
> +0200
> +++ lastpass-cli-1.0.0/debian/patches/series  2016-12-06 21:10:47.000000000 
> +0100
> @@ -1 +1,4 @@
>  01_build_manpage
> +0001-cipher-support-opaque-EVP_CIPHER_CTX.patch
> +0002-cipher-drop-p8inf-broken-flag-check.patch
> +0003-pbkdf2-support-openssl-1.1.patch
