Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
X-Debbugs-Cc: freerad...@packages.debian.org
Control: affects -1 + src:freeradius

[ Reason ]
I would like to fix a regression in the bookworm release of FreeRADIUS where
the TLS-Client-Cert-Common-Name attribute contains the wrong value, breaking
some use cases (Bug#1043282).

It has been fixed in the new upstream version in sid; the two relevant commits
apply cleanly. The reporter has confirmed that this fixes his problem.

[ Impact ]
Attribute not usable for filtering/policy decisions

[ Tests ]
No additional CI tests cover _this_ specific feature. The reporter has confirmed
the fix.

[ Risks ]
Change is small and has been part of two upstream releases.

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
See above + d/gbp.conf for the correct stable branch

[ Other info ]
none
diff -Nru freeradius-3.2.1+dfsg/debian/changelog 
freeradius-3.2.1+dfsg/debian/changelog
--- freeradius-3.2.1+dfsg/debian/changelog      2023-05-16 00:04:23.000000000 
+0200
+++ freeradius-3.2.1+dfsg/debian/changelog      2023-08-19 00:26:34.000000000 
+0200
@@ -1,3 +1,11 @@
+freeradius (3.2.1+dfsg-4+deb12u1) bookworm; urgency=medium
+
+  * Add d/gbp.conf for bookworm stable branch
+  * Cherry-Pick two upstream commits to fix TLS-Client-Cert-Common-Name
+    contains incorrect value (Closes: #1043282)
+
+ -- Bernhard Schmidt <be...@debian.org>  Sat, 19 Aug 2023 00:26:34 +0200
+
 freeradius (3.2.1+dfsg-4) unstable; urgency=medium
 
   * Don't install symlink for cache_eap module no longer shipped
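Review bot: the second changelog bullet is ungrammatical ("Cherry-Pick two upstream commits to fix TLS-Client-Cert-Common-Name contains incorrect value") and does not say which upstream commits were taken, although both patch files in this debdiff carry the hashes; suggest `* Cherry-pick upstream commits d23987cb and 3d08027f so that TLS-Client-Cert-Common-Name no longer contains an incorrect value (Closes: #1043282)`. Since the first of those commits changes certificate-chain verification behaviour (X509_V_FLAG_PARTIAL_CHAIN is now always set), a stable update should also mention that in the entry so administrators can find it in the changelog.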
diff -Nru freeradius-3.2.1+dfsg/debian/gbp.conf 
freeradius-3.2.1+dfsg/debian/gbp.conf
--- freeradius-3.2.1+dfsg/debian/gbp.conf       1970-01-01 01:00:00.000000000 
+0100
+++ freeradius-3.2.1+dfsg/debian/gbp.conf       2023-08-19 00:26:34.000000000 
+0200
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff -Nru 
freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch 
freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch
--- 
freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch    
    1970-01-01 01:00:00.000000000 +0100
+++ 
freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch    
    2023-08-19 00:26:34.000000000 +0200
@@ -0,0 +1,40 @@
+From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <al...@freeradius.org>
+Date: Tue, 25 Oct 2022 10:51:02 -0400
+Subject: [PATCH] set partial chain always.  Helps with #4785
+
+---
+ src/main/tls.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index aa6395d8391f..a33699cbb66e 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t 
*conf)
+       if (conf->check_all_crl)
+               X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+ #endif
++
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++      X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+       return store;
+ }
+ 
+@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int 
client, char const *chain_
+       if (conf->ca_file || conf->ca_path) {
+               if ((certstore = fr_init_x509_store(conf)) == NULL ) return 
NULL;
+               SSL_CTX_set_cert_store(ctx, certstore);
+-      }
+-
++      } else {
+ #if defined(X509_V_FLAG_PARTIAL_CHAIN)
+-      X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), 
X509_V_FLAG_PARTIAL_CHAIN);
++              X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), 
X509_V_FLAG_PARTIAL_CHAIN);
+ #endif
++      }
+ 
+       if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, 
SSL_load_client_CA_file(conf->ca_file));
+ 
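Review bot: this patch file carries only the git commit header and no DEP-3 fields, so neither the Debian bug nor the upstream status is recorded in the patch itself; add `Origin: upstream, commit d23987cbf55821dc56ab70d5ce6af3305cf83289`, `Bug-Debian: https://bugs.debian.org/1043282` and `Applied-Upstream: yes` above the `---` separator. On the substance of the two hunks: after this change fr_init_x509_store() sets X509_V_FLAG_PARTIAL_CHAIN on every store it builds, so whenever ca_file or ca_path is configured a chain that ends at a non-self-signed CA present in that store is accepted as trusted instead of requiring a path up to a self-signed root; that is what "set partial chain always" means in practice and it deserves a sentence in the patch description or changelog because it relaxes trust-anchor semantics for existing bookworm deployments. The tls_init_ctx() hunk is consistent with that: the flag is now set on the default store only in the else branch where no CA store was installed, so each code path sets it exactly once.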
diff -Nru 
freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch 
freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch
--- 
freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch    
    1970-01-01 01:00:00.000000000 +0100
+++ 
freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch    
    2023-08-19 00:26:34.000000000 +0200
@@ -0,0 +1,29 @@
+From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <al...@freeradius.org>
+Date: Wed, 26 Oct 2022 07:31:43 -0400
+Subject: [PATCH] fix cert order only for lookup=0.  Fixes #4785
+
+---
+ src/main/tls.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index a33699cbb66e..c67148cf12c7 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+        */
+       if (lookup > 1) {
+               if (!my_ok) lookup = 1;
+-      } else {
++
++      } else if (lookup == 0) {
++              /*
++               *      This flag is only set for outbound
++               *      connections.  And then allows us to remap SSL
++               *      offset 0 (server) to our offset 1 (also
++               *      server).
++               */
+               lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) 
!= NULL);
+       }
+ 
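Review bot: same DEP-3 omission as the first patch; add `Origin: upstream, commit 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3` and `Bug-Debian: https://bugs.debian.org/1043282`. On the logic: replacing the plain `else` with `else if (lookup == 0)` means the FR_TLS_EX_INDEX_FIX_CERT_ORDER remap now runs only for lookup == 0 and no longer overwrites a lookup that is already 1, which is the narrowing the commit subject describes; the new comment explains the lookup == 0 case but says nothing about why lookup == 1 must be left untouched, so a short line such as `/* lookup == 1 already points at the server certificate; leave it */` would make the intent reviewable without consulting upstream #4785.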
diff -Nru freeradius-3.2.1+dfsg/debian/patches/series 
freeradius-3.2.1+dfsg/debian/patches/series
--- freeradius-3.2.1+dfsg/debian/patches/series 2023-05-16 00:04:23.000000000 
+0200
+++ freeradius-3.2.1+dfsg/debian/patches/series 2023-08-19 00:26:34.000000000 
+0200
@@ -8,3 +8,5 @@
 #python_config_script_update.diff
 fix-ttls-mschapv2.patch
 fix-intermediate-ca.patch
+fix-tls-client-cert-common-name-1.patch
+fix-tls-client-cert-common-name-2.patch
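Review bot: the order of the two new entries must not be changed: the first patch takes src/main/tls.c from blob index aa6395d8391f to a33699cbb66e, and the second patch's index line expects exactly a33699cbb66e as its base, so its tls_init_ctx()/cbtls_verify() context only matches after the first has been applied. A comment in the series file noting that both are a single upstream cherry-pick sequence for #1043282 would save the next maintainer from reordering them.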
