Your message dated Sun, 02 Nov 2025 07:49:08 +0000
with message-id <[email protected]>
and subject line Bug#1061080: fixed in git-crypt 0.8.0-1
has caused the Debian Bug report #1061080,
regarding Building with OpenSSL 3.0 uses deprecated API
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1061080: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1061080
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package:git-crypt
Version:0.7.0-0.1
When git-crypt is built with openssl 3.0 or later it uses API which have been
deprecated.
In our derived distribution we build without deprecated API which causes
git-crypt to completely fail to build.
To resolve this a patch is attached (formatted to be added to
debian/patches/series) which builds using the "modern" EVP openssl API.
--- a/crypto-openssl-11.cpp
+++ b/crypto-openssl-11.cpp
@@ -30,7 +30,7 @@
#include <openssl/opensslconf.h>
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && OPENSSL_VERSION_NUMBER < 0x30000000L
#include "crypto.hpp"
#include "key.hpp"
--- a/Makefile
+++ b/Makefile
@@ -24,7 +24,7 @@
coprocess.o \
fhstream.o
-OBJFILES += crypto-openssl-10.o crypto-openssl-11.o
+OBJFILES += crypto-openssl-10.o crypto-openssl-11.o crypto-openssl-30.o
LDFLAGS += -lcrypto
XSLTPROC ?= xsltproc
--- /dev/null
+++ b/crypto-openssl-30.cpp
@@ -0,0 +1,145 @@
+/*
+ * Copyright 2012, 2014 Andrew Ayer
+ *
+ * This file is part of git-crypt.
+ *
+ * git-crypt is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * git-crypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with git-crypt. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * Additional permission under GNU GPL version 3 section 7:
+ *
+ * If you modify the Program, or any covered work, by linking or
+ * combining it with the OpenSSL project's OpenSSL library (or a
+ * modified version of that library), containing parts covered by the
+ * terms of the OpenSSL or SSLeay licenses, the licensors of the Program
+ * grant you additional permission to convey the resulting work.
+ * Corresponding Source for a non-source form of such a combination
+ * shall include the source code for the parts of OpenSSL used as well
+ * as that of the covered work.
+ */
+
+#include <openssl/opensslconf.h>
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+
+#include "crypto.hpp"
+#include "key.hpp"
+#include "util.hpp"
+#include <openssl/evp.h>
+#include <openssl/rand.h>
+#include <openssl/err.h>
+#include <sstream>
+#include <cstring>
+
+void init_crypto ()
+{
+}
+
+struct Aes_ecb_encryptor::Aes_impl {
+ EVP_CIPHER_CTX *ctx;
+};
+
+Aes_ecb_encryptor::Aes_ecb_encryptor (const unsigned char* raw_key)
+: impl(new Aes_impl)
+{
+
+ impl->ctx = EVP_CIPHER_CTX_new();
+ if(impl->ctx == NULL) {
+ throw Crypto_error("Aes_ctr_encryptor::Aes_ctr_encryptor", "EVP_CIPHER_CTX_new failed");
+ }
+
+ /* convert key length into cipher specifier */
+ const EVP_CIPHER *cipher=NULL;
+ switch (KEY_LEN) {
+ case 16: /* 128 bits */
+ cipher = EVP_aes_128_ecb();
+ break;
+ case 24: /* 192 bits */
+ cipher = EVP_aes_192_ecb();
+ break;
+ case 32: /* 256 bits */
+ cipher = EVP_aes_256_ecb();
+ break;
+ default:
+ throw Crypto_error("Aes_ctr_encryptor::Aes_ctr_encryptor", "Unknown AES cipher key length");
+ }
+
+
+ if (EVP_EncryptInit_ex(impl->ctx, cipher, NULL, raw_key, NULL) != 1) {
+ throw Crypto_error("Aes_ctr_encryptor::Aes_ctr_encryptor", "EVP_EncryptInit_ex failed");
+ }
+}
+
+Aes_ecb_encryptor::~Aes_ecb_encryptor ()
+{
+ EVP_CIPHER_CTX_free(impl->ctx);
+}
+
+void Aes_ecb_encryptor::encrypt(const unsigned char* plain, unsigned char* cipher)
+{
+ int len;
+ // TODO: original implementation did not check error code, this should
+ EVP_EncryptUpdate(impl->ctx, cipher, &len, plain, BLOCK_LEN);
+}
+
+struct Hmac_sha1_state::Hmac_impl {
+ EVP_MAC *mac;
+ EVP_MAC_CTX *ctx;
+};
+
+Hmac_sha1_state::Hmac_sha1_state (const unsigned char* key, size_t key_len)
+: impl(new Hmac_impl)
+{
+ OSSL_PARAM params[2];
+ char digest_name[] = "SHA1";
+ params[0] = OSSL_PARAM_construct_utf8_string("digest", digest_name, 0);
+ params[1] = OSSL_PARAM_construct_end();
+
+ impl->mac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+ impl->ctx = EVP_MAC_CTX_new(impl->mac);
+ EVP_MAC_init(impl->ctx, key, key_len, params);
+}
+
+Hmac_sha1_state::~Hmac_sha1_state ()
+{
+ EVP_MAC_CTX_free(impl->ctx);
+ EVP_MAC_free(impl->mac);
+}
+
+void Hmac_sha1_state::add (const unsigned char* buffer, size_t buffer_len)
+{
+ EVP_MAC_update(impl->ctx, buffer, buffer_len);
+}
+
+void Hmac_sha1_state::get (unsigned char* digest)
+{
+ // TODO: original implementation did not check error code, this should
+ size_t final_l;
+ EVP_MAC_final(impl->ctx, digest, &final_l, Hmac_sha1_state::LEN);
+}
+
+
+void random_bytes (unsigned char* buffer, size_t len)
+{
+ if (RAND_bytes(buffer, len) != 1) {
+ std::ostringstream message;
+ while (unsigned long code = ERR_get_error()) {
+ char error_string[120];
+ ERR_error_string_n(code, error_string, sizeof(error_string));
+ message << "OpenSSL Error: " << error_string << "; ";
+ }
+ throw Crypto_error("random_bytes", message.str());
+ }
+}
+
+#endif
--- End Message ---
--- Begin Message ---
Source: git-crypt
Source-Version: 0.8.0-1
Done: Andreas Tille <[email protected]>
We believe that the bug you reported is fixed in the latest version of
git-crypt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Tille <[email protected]> (supplier of updated git-crypt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 23 Oct 2025 09:06:36 +0200
Source: git-crypt
Architecture: source
Version: 0.8.0-1
Distribution: unstable
Urgency: medium
Maintainer: Package Salvaging Team <[email protected]>
Changed-By: Andreas Tille <[email protected]>
Closes: 1061080 1117032
Changes:
git-crypt (0.8.0-1) unstable; urgency=medium
.
* Team upload.
* New upstream version
Closes: #1061080
* Maintain in Salvage team
Closes: #1117032
* Standards-Version: 4.7.2 (routine-update)
* debhelper-compat 13 (routine-update)
* Secure URI in copyright format (routine-update)
* Update watch file format version to 4.
* Set upstream metadata fields: Bug-Database, Repository.
* Set upstream metadata fields: Bug-Submit.
* d/watch:
- Upstream does not provide a signature on web page
- Version: 5
* d/rules: hardening options
Checksums-Sha1:
55865a31188c0b691ff151503ff5f48213c79b3c 1991 git-crypt_0.8.0-1.dsc
d77984aea1f76ebff7f57270d6c5823eb04b7e77 57457 git-crypt_0.8.0.orig.tar.gz
dbe383c679b30062219f9f50b7fb2abd1bd72652 10228 git-crypt_0.8.0-1.debian.tar.xz
88db620a00124bf0cc16d0217613ca560394418d 6030 git-crypt_0.8.0-1_amd64.buildinfo
Checksums-Sha256:
6ba1958464130adfcf785c74694b0dc837eb68de652d98ce27f3858ad68a9dbc 1991
git-crypt_0.8.0-1.dsc
540d424f87bed7994a4551a8c24b16e50d3248a5b7c3fd8ceffe94bfd4af0ad9 57457
git-crypt_0.8.0.orig.tar.gz
2711251697b47ad919acd4745faaaa211412ca1acf30f1dba5309b3e45309756 10228
git-crypt_0.8.0-1.debian.tar.xz
d06d5a8103ee974c3b2598f97e258ed093a7a1a5cf0bad2ba5bd5e3f4b6a6c4e 6030
git-crypt_0.8.0-1_amd64.buildinfo
Files:
a69b46555187b88b54f817b7774547f6 1991 vcs optional git-crypt_0.8.0-1.dsc
fb7cae94cab749bb745e0a39fe6bd6e0 57457 vcs optional git-crypt_0.8.0.orig.tar.gz
b28fc660219b40bbd8f3a5719cd75d5f 10228 vcs optional
git-crypt_0.8.0-1.debian.tar.xz
5cb4c9f433cbd9dab9d8b369a2c5cffe 6030 vcs optional
git-crypt_0.8.0-1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJFBAEBCgAvFiEE8fAHMgoDVUHwpmPKV4oElNHGRtEFAmj51IQRHHRpbGxlQGRl
Ymlhbi5vcmcACgkQV4oElNHGRtFcKQ/8DLrS36ysOXEXyeR76dEuptGFOKppVOWJ
sZViU/v2Os65r/8IVx3wbdQomD5WG70GjIV7trIkidUG8REYYgOUgiBkoJTIf3LD
yPR3/va61fpww9KzveS/3UW7gh5TjwAsSauLyLQMl/LCkNaaR4DysEK0xFw2co0z
9jNymgjm9MtpLUvYNC6TrNwW7QCrpRC2rj/lR5l53sjd4SqH2LoU72Ma+zbj1Jwn
AKx/+EwcKySQ7VXFf2AY3KwSkldolw/3SQawmxVxEopCl0Jgmv44eQ2sIpmAPg3l
UOxuyJ0dY5/UGOmeUfHdUSokR0K/JFGNgyu/jDZWZIerRzp7u9EYbU8U38ri7inf
GD/F+PjJ6bTke75X8xJ/vGaMIv8cSI35I6HYpmKW7lJfu+UMID2Jpjd5Y6MjhrgC
bPzJoTVAxiMsf5UbK+hVKhmsqbx7jRr0BKCSksvpeAGkhZRbdHB3HJDB79AeWxur
jHxnn1A4mn7BeEQe+NF8+Y/6ihzbsskN8oiv97+Wq+1vIV2AcSihIlzhCsr5Y5WU
tYrj5bm052c5vCr675d/ejaH66VLHYBRgLV1sy9+z9i8e2NNPob00qPvLVZxqqb/
MW9vDm31zx/2boIPvFj7/etX157lKtvVv6eBZl92lbel84ydolwFW5kJpjUYKzk+
eHJBYQxQIxo=
=+eQD
-----END PGP SIGNATURE-----
pgpJFrdAODeio.pgp
Description: PGP signature
--- End Message ---
