Hello Sebastian, Thanks for driving the patch through with upsteam. I'm good with the NMU so there is no reason to add any additional delay.
Troy On 12/06/16 21:19, Sebastian Andrzej Siewior wrote: > Control: tags 828371 + patch > Control: tags 828371 + pending > > Dear maintainer, > > I've prepared an NMU for lastpass-cli (versioned as 1.0.0-1.1) and > uploaded it to DELAYED/4. Please feel free to tell me if I > should delay it longer. > > Regards. > Sebastian > diff -Nru lastpass-cli-1.0.0/debian/changelog > lastpass-cli-1.0.0/debian/changelog > --- lastpass-cli-1.0.0/debian/changelog 2016-10-20 16:17:08.000000000 > +0200 > +++ lastpass-cli-1.0.0/debian/changelog 2016-12-06 21:10:47.000000000 > +0100 > @@ -1,3 +1,10 @@ > +lastpass-cli (1.0.0-1.1) unstable; urgency=medium > + > + * Non-maintainer upload. > + * Get it built against openssl 1.1.0 (Closes: #828371). > + > + -- Sebastian Andrzej Siewior <[email protected]> Tue, 06 Dec 2016 > 21:10:47 +0100 > + > lastpass-cli (1.0.0-1) unstable; urgency=medium > > * New upstream 1.0.0 > diff -Nru > lastpass-cli-1.0.0/debian/patches/0001-cipher-support-opaque-EVP_CIPHER_CTX.patch > > lastpass-cli-1.0.0/debian/patches/0001-cipher-support-opaque-EVP_CIPHER_CTX.patch > --- > lastpass-cli-1.0.0/debian/patches/0001-cipher-support-opaque-EVP_CIPHER_CTX.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > lastpass-cli-1.0.0/debian/patches/0001-cipher-support-opaque-EVP_CIPHER_CTX.patch > 2016-12-06 21:09:03.000000000 +0100 > @@ -0,0 +1,214 @@ > +From 6e4ff62df789b55b80c14b2e7b15c25154fbf9fe Mon Sep 17 00:00:00 2001 > +From: Bob Copeland <[email protected]> > +Date: Mon, 5 Dec 2016 09:55:19 -0500 > +Subject: [PATCH 1/3] cipher: support opaque EVP_CIPHER_CTX > + > +In OpenSSL 1.1+, EVP_CIPHER_CTX can no longer be declared on > +the stack; instead you have to declare a pointer and then > +use _new()/_free() to allocate or free it. These functions > +continue to work on older OpenSSL, so switch to the new > +method. > + > +Signed-off-by: Bob Copeland <[email protected]> > +--- > + cipher.c | 36 +++++++++++++++++++++--------------- > + config.c | 33 +++++++++++++++++++-------------- > + 2 files changed, 40 insertions(+), 29 deletions(-) > + > +diff --git a/cipher.c b/cipher.c > +index 71487787af5a..ebae92e0431c 100644 > +--- a/cipher.c > ++++ b/cipher.c > +@@ -147,36 +147,39 @@ int cipher_rsa_encrypt(const char *plaintext, > + > + char *cipher_aes_decrypt(const unsigned char *ciphertext, size_t len, const > unsigned char key[KDF_HASH_LEN]) > + { > +- EVP_CIPHER_CTX ctx; > ++ EVP_CIPHER_CTX *ctx; > + char *plaintext; > + int out_len; > + > + if (!len) > + return NULL; > + > +- EVP_CIPHER_CTX_init(&ctx); > ++ ctx = EVP_CIPHER_CTX_new(); > ++ if (!ctx) > ++ return NULL; > ++ > + plaintext = xcalloc(len + AES_BLOCK_SIZE + 1, 1); > + if (len >= 33 && len % 16 == 1 && ciphertext[0] == '!') { > +- if (!EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, > (unsigned char *)(ciphertext + 1))) > ++ if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, > (unsigned char *)(ciphertext + 1))) > + goto error; > + ciphertext += 17; > + len -= 17; > + } else { > +- if (!EVP_DecryptInit_ex(&ctx, EVP_aes_256_ecb(), NULL, key, > NULL)) > ++ if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_ecb(), NULL, key, > NULL)) > + goto error; > + } > +- if (!EVP_DecryptUpdate(&ctx, (unsigned char *)plaintext, &out_len, > (unsigned char *)ciphertext, len)) > ++ if (!EVP_DecryptUpdate(ctx, (unsigned char *)plaintext, &out_len, > (unsigned char *)ciphertext, len)) > + goto error; > + len = out_len; > +- if (!EVP_DecryptFinal_ex(&ctx, (unsigned char *)(plaintext + out_len), > &out_len)) > ++ if (!EVP_DecryptFinal_ex(ctx, (unsigned char *)(plaintext + out_len), > &out_len)) > + goto error; > + len += out_len; > + plaintext[len] = '\0'; > +- EVP_CIPHER_CTX_cleanup(&ctx); > ++ EVP_CIPHER_CTX_free(ctx); > + return plaintext; > + > + error: > +- EVP_CIPHER_CTX_cleanup(&ctx); > ++ EVP_CIPHER_CTX_free(ctx); > + secure_clear(plaintext, len + AES_BLOCK_SIZE + 1); > + free(plaintext); > + return NULL; > +@@ -188,7 +191,7 @@ size_t cipher_aes_encrypt_bytes(const unsigned char > *bytes, size_t len, > + const unsigned char *iv, > + unsigned char **out) > + { > +- EVP_CIPHER_CTX ctx; > ++ EVP_CIPHER_CTX *ctx; > + int out_len; > + size_t ret_len = 0; > + unsigned char *ctext; > +@@ -197,24 +200,27 @@ size_t cipher_aes_encrypt_bytes(const unsigned char > *bytes, size_t len, > + if (!ctext) > + ctext = xcalloc(len + AES_BLOCK_SIZE * 2 + 1, 1); > + > +- EVP_CIPHER_CTX_init(&ctx); > +- if (!EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, iv)) > ++ ctx = EVP_CIPHER_CTX_new(); > ++ if (!ctx) > + goto error; > + > +- if (!EVP_EncryptUpdate(&ctx, ctext, &out_len, bytes, len)) > ++ if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) > ++ goto error; > ++ > ++ if (!EVP_EncryptUpdate(ctx, ctext, &out_len, bytes, len)) > + goto error; > + > + ret_len += out_len; > +- if (!EVP_EncryptFinal_ex(&ctx, ctext + ret_len, &out_len)) > ++ if (!EVP_EncryptFinal_ex(ctx, ctext + ret_len, &out_len)) > + goto error; > + ret_len += out_len; > + > +- EVP_CIPHER_CTX_cleanup(&ctx); > ++ EVP_CIPHER_CTX_free(ctx); > + *out = ctext; > + return ret_len; > + > + error: > +- EVP_CIPHER_CTX_cleanup(&ctx); > ++ EVP_CIPHER_CTX_free(ctx); > + if (!*out) > + free(ctext); > + die("Failed to encrypt data."); > +diff --git a/config.c b/config.c > +index bd68cfe8b21b..976202c5d6ad 100644 > +--- a/config.c > ++++ b/config.c > +@@ -319,7 +319,7 @@ size_t config_read_buffer(const char *name, unsigned > char **out) > + > + static size_t encrypt_buffer(const char *buffer, size_t in_len, unsigned > const char key[KDF_HASH_LEN], char **out) > + { > +- EVP_CIPHER_CTX ctx; > ++ EVP_CIPHER_CTX *ctx; > + char *ciphertext; > + unsigned char iv[AES_BLOCK_SIZE]; > + int out_len; > +@@ -329,31 +329,34 @@ static size_t encrypt_buffer(const char *buffer, > size_t in_len, unsigned const c > + if (!RAND_bytes(iv, AES_BLOCK_SIZE)) > + die("Could not generate random bytes for CBC IV."); > + > +- EVP_CIPHER_CTX_init(&ctx); > + ciphertext = xcalloc(in_len + AES_BLOCK_SIZE * 2 + > SHA256_DIGEST_LENGTH, 1); > + > ++ ctx = EVP_CIPHER_CTX_new(); > ++ if (!ctx) > ++ goto error; > ++ > + len = SHA256_DIGEST_LENGTH; > + memcpy(ciphertext + len, iv, AES_BLOCK_SIZE); > + len += AES_BLOCK_SIZE; > + > +- if (!EVP_EncryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, iv)) > ++ if (!EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) > + goto error; > +- if (!EVP_EncryptUpdate(&ctx, (unsigned char *)(ciphertext + len), > &out_len, (unsigned char *)buffer, in_len)) > ++ if (!EVP_EncryptUpdate(ctx, (unsigned char *)(ciphertext + len), > &out_len, (unsigned char *)buffer, in_len)) > + goto error; > + len += out_len; > +- if (!EVP_EncryptFinal_ex(&ctx, (unsigned char *)(ciphertext + len), > &out_len)) > ++ if (!EVP_EncryptFinal_ex(ctx, (unsigned char *)(ciphertext + len), > &out_len)) > + goto error; > + len += out_len; > +- EVP_CIPHER_CTX_cleanup(&ctx); > + > + if (!HMAC(EVP_sha256(), key, KDF_HASH_LEN, (unsigned char *)(ciphertext > + SHA256_DIGEST_LENGTH), len - SHA256_DIGEST_LENGTH, (unsigned char > *)ciphertext, &hmac_len)) > + goto error; > + > ++ EVP_CIPHER_CTX_free(ctx); > + *out = ciphertext; > + return len; > + > + error: > +- EVP_CIPHER_CTX_cleanup(&ctx); > ++ EVP_CIPHER_CTX_free(ctx); > + free(ciphertext); > + die("Failed to encrypt data."); > + > +@@ -361,14 +364,16 @@ static size_t encrypt_buffer(const char *buffer, > size_t in_len, unsigned const c > + > + static size_t decrypt_buffer(const unsigned char *buffer, size_t in_len, > unsigned const char key[KDF_HASH_LEN], unsigned char **out) > + { > +- EVP_CIPHER_CTX ctx; > ++ EVP_CIPHER_CTX *ctx; > + unsigned char *plaintext = NULL; > + int out_len; > + unsigned int hmac_len; > + size_t len; > + unsigned char hmac[SHA256_DIGEST_LENGTH]; > + > +- EVP_CIPHER_CTX_init(&ctx); > ++ ctx = EVP_CIPHER_CTX_new(); > ++ if (!ctx) > ++ goto error; > + > + if (in_len < (SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE * 2)) > + goto error; > +@@ -379,20 +384,20 @@ static size_t decrypt_buffer(const unsigned char > *buffer, size_t in_len, unsigne > + goto error; > + > + plaintext = xcalloc(in_len + AES_BLOCK_SIZE, 1); > +- if (!EVP_DecryptInit_ex(&ctx, EVP_aes_256_cbc(), NULL, key, (unsigned > char *)(buffer + SHA256_DIGEST_LENGTH))) > ++ if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, (unsigned > char *)(buffer + SHA256_DIGEST_LENGTH))) > + goto error; > +- if (!EVP_DecryptUpdate(&ctx, (unsigned char *)plaintext, &out_len, > (unsigned char *)(buffer + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE), in_len - > SHA256_DIGEST_LENGTH - AES_BLOCK_SIZE)) > ++ if (!EVP_DecryptUpdate(ctx, (unsigned char *)plaintext, &out_len, > (unsigned char *)(buffer + SHA256_DIGEST_LENGTH + AES_BLOCK_SIZE), in_len - > SHA256_DIGEST_LENGTH - AES_BLOCK_SIZE)) > + goto error; > + len = out_len; > +- if (!EVP_DecryptFinal_ex(&ctx, (unsigned char *)(plaintext + out_len), > &out_len)) > ++ if (!EVP_DecryptFinal_ex(ctx, (unsigned char *)(plaintext + out_len), > &out_len)) > + goto error; > + len += out_len; > +- EVP_CIPHER_CTX_cleanup(&ctx); > ++ EVP_CIPHER_CTX_free(ctx); > + *out = plaintext; > + return len; > + > + error: > +- EVP_CIPHER_CTX_cleanup(&ctx); > ++ EVP_CIPHER_CTX_free(ctx); > + free(plaintext); > + *out = NULL; > + return 0; > +-- > +2.11.0 > + > diff -Nru > lastpass-cli-1.0.0/debian/patches/0002-cipher-drop-p8inf-broken-flag-check.patch > > lastpass-cli-1.0.0/debian/patches/0002-cipher-drop-p8inf-broken-flag-check.patch > --- > lastpass-cli-1.0.0/debian/patches/0002-cipher-drop-p8inf-broken-flag-check.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ > lastpass-cli-1.0.0/debian/patches/0002-cipher-drop-p8inf-broken-flag-check.patch > 2016-12-06 21:09:03.000000000 +0100 > @@ -0,0 +1,37 @@ > +From 390c01a8111a4f2fc5b2abb3691c4a0238365922 Mon Sep 17 00:00:00 2001 > +From: Bob Copeland <[email protected]> > +Date: Mon, 5 Dec 2016 09:58:07 -0500 > +Subject: [PATCH 2/3] cipher: drop p8inf->broken flag check > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +struct pkcs8_priv_key_info_st is now opaque as of OpenSSL 1.1 > +so we cannot look directly at its flags going forward. > + > +./cipher.c: In function ‘cipher_rsa_decrypt’: ./cipher.c:73:11: error: > dereferencing pointer to incomplete type ‘PKCS8_PRIV_KEY_INFO {aka struct > +pkcs8_priv_key_info_st}’ > + if (p8inf->broken) > + ^ > + > +Signed-off-by: Bob Copeland <[email protected]> > +--- > + cipher.c | 2 -- > + 1 file changed, 2 deletions(-) > + > +diff --git a/cipher.c b/cipher.c > +index ebae92e0431c..86d19eead546 100644 > +--- a/cipher.c > ++++ b/cipher.c > +@@ -70,8 +70,6 @@ char *cipher_rsa_decrypt(const unsigned char *ciphertext, > size_t len, const stru > + pkey = EVP_PKCS82PKEY(p8inf); > + if (!pkey) > + goto out; > +- if (p8inf->broken) > +- goto out; > + rsa = EVP_PKEY_get1_RSA(pkey); > + if (!rsa) > + goto out; > +-- > +2.11.0 > + > diff -Nru > lastpass-cli-1.0.0/debian/patches/0003-pbkdf2-support-openssl-1.1.patch > lastpass-cli-1.0.0/debian/patches/0003-pbkdf2-support-openssl-1.1.patch > --- lastpass-cli-1.0.0/debian/patches/0003-pbkdf2-support-openssl-1.1.patch > 1970-01-01 01:00:00.000000000 +0100 > +++ lastpass-cli-1.0.0/debian/patches/0003-pbkdf2-support-openssl-1.1.patch > 2016-12-06 21:09:03.000000000 +0100 > @@ -0,0 +1,93 @@ > +From 0f9e3d940fa2abee3f7dcedceec192e45e471bc6 Mon Sep 17 00:00:00 2001 > +From: Bob Copeland <[email protected]> > +Date: Mon, 5 Dec 2016 10:55:49 -0500 > +Subject: [PATCH 3/3] pbkdf2: support openssl 1.1+ > + > +In OpenSSL 1.1, HMAC_CTX is now opaque and _init/_cleanup functions > +are history. Change the pbkdf2 implementation to conditionally > +use HMAX_CTX_new()/_free() and use context pointers throughout. > + > +Signed-off-by: Bob Copeland <[email protected]> > +--- > + pbkdf2.c | 36 +++++++++++++++++++++++++----------- > + 1 file changed, 25 insertions(+), 11 deletions(-) > + > +diff --git a/pbkdf2.c b/pbkdf2.c > +index f3c763420bbc..de15bae0d430 100644 > +--- a/pbkdf2.c > ++++ b/pbkdf2.c > +@@ -1,5 +1,6 @@ > + /* > + * Copyright (c) 2014-2016 Thomas Hurst. > ++ * Copyright (c) 2016 LastPass. > + * > + * Permission is hereby granted, free of charge, to any person obtaining a > copy > + * of this software and associated documentation files (the "Software"), to > deal > +@@ -40,7 +41,7 @@ int fallback_pkcs5_pbkdf2_hmac(const char *pass, size_t > pass_len, > + const unsigned char *salt, size_t salt_len, unsigned int iterations, > + const EVP_MD *digest, size_t key_len, unsigned char *output) > + { > +- HMAC_CTX ctx; > ++ HMAC_CTX *ctx; > + unsigned char *out = output; > + unsigned int iter = 1, count = 1; > + unsigned int cp_len, i, ret = 0; > +@@ -52,8 +53,17 @@ int fallback_pkcs5_pbkdf2_hmac(const char *pass, size_t > pass_len, > + > + unsigned char tmp_md[md_len]; > + > +- HMAC_CTX_init(&ctx); > +- ERR_IFZERO(HMAC_Init_ex(&ctx, pass, pass_len, digest, NULL)); > ++#if OPENSSL_VERSION_NUMBER < 0x10100000L > ++ HMAC_CTX real_ctx; > ++ ctx = &real_ctx; > ++ HMAC_CTX_init(ctx); > ++#else > ++ ctx = HMAC_CTX_new(); > ++ if (!ctx) > ++ return 0; > ++#endif > ++ > ++ ERR_IFZERO(HMAC_Init_ex(ctx, pass, pass_len, digest, NULL)); > + > + while (key_left) { > + cp_len = min(key_left, md_len); > +@@ -64,16 +74,16 @@ int fallback_pkcs5_pbkdf2_hmac(const char *pass, size_t > pass_len, > + c[2] = (count >> 8) & 0xff; > + c[3] = (count) & 0xff; > + > +- ERR_IFZERO(HMAC_Init_ex(&ctx, NULL, 0, digest, NULL)); > +- ERR_IFZERO(HMAC_Update(&ctx, salt, salt_len)); > +- ERR_IFZERO(HMAC_Update(&ctx, c, 4)); > +- ERR_IFZERO(HMAC_Final(&ctx, tmp_md, NULL)); > ++ ERR_IFZERO(HMAC_Init_ex(ctx, NULL, 0, digest, NULL)); > ++ ERR_IFZERO(HMAC_Update(ctx, salt, salt_len)); > ++ ERR_IFZERO(HMAC_Update(ctx, c, 4)); > ++ ERR_IFZERO(HMAC_Final(ctx, tmp_md, NULL)); > + memcpy(out, tmp_md, cp_len); > + > + for (iter=1; iter < iterations; iter++) { > +- ERR_IFZERO(HMAC_Init_ex(&ctx, NULL, 0, digest, NULL)); > +- ERR_IFZERO(HMAC_Update(&ctx, tmp_md, md_len)); > +- ERR_IFZERO(HMAC_Final(&ctx, tmp_md, NULL)); > ++ ERR_IFZERO(HMAC_Init_ex(ctx, NULL, 0, digest, NULL)); > ++ ERR_IFZERO(HMAC_Update(ctx, tmp_md, md_len)); > ++ ERR_IFZERO(HMAC_Final(ctx, tmp_md, NULL)); > + > + for (i = 0; i < cp_len; i++) { > + out[i] ^= tmp_md[i]; > +@@ -87,6 +97,10 @@ int fallback_pkcs5_pbkdf2_hmac(const char *pass, size_t > pass_len, > + ret = 1; > + > + ERR_LABEL > +- HMAC_CTX_cleanup(&ctx); > ++#if OPENSSL_VERSION_NUMBER < 0x10100000L > ++ HMAC_CTX_cleanup(ctx); > ++#else > ++ HMAC_CTX_free(ctx); > ++#endif > + return ret; > + } > +-- > +2.11.0 > + > diff -Nru lastpass-cli-1.0.0/debian/patches/series > lastpass-cli-1.0.0/debian/patches/series > --- lastpass-cli-1.0.0/debian/patches/series 2016-10-20 16:16:48.000000000 > +0200 > +++ lastpass-cli-1.0.0/debian/patches/series 2016-12-06 21:10:47.000000000 > +0100 > @@ -1 +1,4 @@ > 01_build_manpage > +0001-cipher-support-opaque-EVP_CIPHER_CTX.patch > +0002-cipher-drop-p8inf-broken-flag-check.patch > +0003-pbkdf2-support-openssl-1.1.patch

