Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: freerad...@packages.debian.org
Control: affects -1 + src:freeradius
[ Reason ]
I would like to fix a regression in the bookworm release of FreeRADIUS where the TLS-Client-Cert-Common-Name attribute contains the wrong value, breaking some use-cases (Bug#1043282). It has been fixed in the new upstream version in sid; the two relevant commits apply cleanly. The reporter has confirmed that this fixes his problem.

[ Impact ]
Attribute not usable for filtering/policy decisions

[ Tests ]
No additional CI tests covering _this_ specific feature. Reporter has confirmed the fix.

[ Risks ]
Change is small and has been part of two upstream releases

[ Checklist ]
[X] *all* changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in (old)stable
[X] the issue is verified as fixed in unstable

[ Changes ]
See above + d/gbp.conf for the correct stable branch

[ Other info ]
none
diff -Nru freeradius-3.2.1+dfsg/debian/changelog freeradius-3.2.1+dfsg/debian/changelog --- freeradius-3.2.1+dfsg/debian/changelog 2023-05-16 00:04:23.000000000 +0200 +++ freeradius-3.2.1+dfsg/debian/changelog 2023-08-19 00:26:34.000000000 +0200 @@ -1,3 +1,11 @@ +freeradius (3.2.1+dfsg-4+deb12u1) bookworm; urgency=medium + + * Add d/gbp.conf for bookworm stable branch + * Cherry-Pick two upstream commits to fix TLS-Client-Cert-Common-Name + contains incorrect value (Closes: #1043282) + + -- Bernhard Schmidt <be...@debian.org> Sat, 19 Aug 2023 00:26:34 +0200 + freeradius (3.2.1+dfsg-4) unstable; urgency=medium * Don't install symlink for cache_eap module no longer shipped diff -Nru freeradius-3.2.1+dfsg/debian/gbp.conf freeradius-3.2.1+dfsg/debian/gbp.conf --- freeradius-3.2.1+dfsg/debian/gbp.conf 1970-01-01 01:00:00.000000000 +0100 +++ freeradius-3.2.1+dfsg/debian/gbp.conf 2023-08-19 00:26:34.000000000 +0200 @@ -0,0 +1,2 @@ +[DEFAULT] +debian-branch = debian/bookworm diff -Nru freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch --- freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch 1970-01-01 01:00:00.000000000 +0100 +++ freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch 2023-08-19 00:26:34.000000000 +0200 
@@ -0,0 +1,40 @@ +From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" <al...@freeradius.org> +Date: Tue, 25 Oct 2022 10:51:02 -0400 +Subject: [PATCH] set partial chain always. Helps with #4785 + +--- + src/main/tls.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/src/main/tls.c b/src/main/tls.c +index aa6395d8391f..a33699cbb66e 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf) + if (conf->check_all_crl) + X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL); + #endif ++ ++#if defined(X509_V_FLAG_PARTIAL_CHAIN) ++ X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN); ++#endif ++ + return store; + } + +@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_ + if (conf->ca_file || conf->ca_path) { + if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL; + SSL_CTX_set_cert_store(ctx, certstore); +- } +- ++ } else { + #if defined(X509_V_FLAG_PARTIAL_CHAIN) +- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN); ++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN); + #endif ++ } + + if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file)); + diff -Nru freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch --- freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch 1970-01-01 01:00:00.000000000 +0100 +++ freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch 2023-08-19 00:26:34.000000000 +0200 
@@ -0,0 +1,29 @@ +From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001 +From: "Alan T. DeKok" <al...@freeradius.org> +Date: Wed, 26 Oct 2022 07:31:43 -0400 +Subject: [PATCH] fix cert order only for lookup=0. Fixes #4785 + +--- + src/main/tls.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/src/main/tls.c b/src/main/tls.c +index a33699cbb66e..c67148cf12c7 100644 +--- a/src/main/tls.c ++++ b/src/main/tls.c +@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx) + */ + if (lookup > 1) { + if (!my_ok) lookup = 1; +- } else { ++ ++ } else if (lookup == 0) { ++ /* ++ * This flag is only set for outbound ++ * connections. And then allows us to remap SSL ++ * offset 0 (server) to our offset 1 (also ++ * server). ++ */ + lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL); + } + diff -Nru freeradius-3.2.1+dfsg/debian/patches/series freeradius-3.2.1+dfsg/debian/patches/series --- freeradius-3.2.1+dfsg/debian/patches/series 2023-05-16 00:04:23.000000000 +0200 +++ freeradius-3.2.1+dfsg/debian/patches/series 2023-08-19 00:26:34.000000000 +0200 @@ -8,3 +8,5 @@ #python_config_script_update.diff fix-ttls-mschapv2.patch fix-intermediate-ca.patch +fix-tls-client-cert-common-name-1.patch +fix-tls-client-cert-common-name-2.patch
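Review bot: the debian/changelog entry "Cherry-Pick two upstream commits to fix TLS-Client-Cert-Common-Name contains incorrect value" reads as a run-on; suggest "Cherry-pick two upstream commits so that TLS-Client-Cert-Common-Name no longer contains an incorrect value (Closes: #1043282)". Naming the two upstream commits (d23987cbf55821dc56ab70d5ce6af3305cf83289 and 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3, both already in the patch headers) in the entry would let a reviewer trace the fix without opening debian/patches.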
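Review bot: the new block in fr_init_x509_store (fix-tls-client-cert-common-name-1.patch, first hunk) sets X509_V_FLAG_PARTIAL_CHAIN on every store that function builds, so each certificate loaded from ca_file or ca_path, including an intermediate placed there only for chain building, is now accepted as a trust anchor on its own. That is the upstream intent ("set partial chain always"), but because the flag is now applied inside fr_init_x509_store it reaches every caller of that function, not only the tls_init_ctx path shown in the second hunk; it is worth confirming that every call site wants partial-chain verification, and the behaviour change deserves a sentence in the changelog or a NEWS entry for administrators who keep intermediates in ca_path.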
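Review bot: in the tls_init_ctx hunk of fix-tls-client-cert-common-name-1.patch the removed and added X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN) lines differ only in indentation; the hunk just moves the existing call into the new else branch. Before the change the flag was set on SSL_CTX_get_cert_store(ctx) after SSL_CTX_set_cert_store had installed certstore, i.e. on the same custom store that fr_init_x509_store now flags itself, so the observable behaviour of this path is unchanged and the "change is small" risk assessment rests entirely on the first hunk. Keeping the whitespace-only change is fine for a verbatim cherry-pick; just do not count it as a functional part of the fix when reviewing.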
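Review bot: in fix-tls-client-cert-common-name-2.patch the change from "} else {" to "} else if (lookup == 0) {" leaves a lookup of 1 untouched instead of remapping it through FR_TLS_EX_INDEX_FIX_CERT_ORDER. As the new comment states, that ex data is only set for outbound connections, so on an inbound client-certificate verification the old code rewrote lookup 1 to 0 and, as far as the visible context shows, stored the depth-1 (issuer) certificate's fields in the slot meant for the client certificate, which matches the reported symptom of TLS-Client-Cert-Common-Name holding the wrong value. The comment explains only the lookup == 0 case; adding one sentence saying that depth 1 is deliberately left as is would make the intent clear to the next reader of cbtls_verify.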
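Review bot: the order of the two new lines in debian/patches/series matters: fix-tls-client-cert-common-name-2.patch is generated against blob a33699cbb66e, which is the output of fix-tls-client-cert-common-name-1.patch (index aa6395d8391f..a33699cbb66e), so patch 2 must stay after patch 1. Adding DEP-3 headers (Origin: upstream commit URL, Bug-Debian: https://bugs.debian.org/1043282) to both patch files would record that dependency and the bug reference for whoever rebases the bookworm branch next.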