
Bug#1050180: bookworm-pu: package freeradius/3.2.1+dfsg-4+deb12u1



Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian.org@packages.debian.org
Usertags: pu
X-Debbugs-Cc: freeradius@packages.debian.org
Control: affects -1 + src:freeradius

[ Reason ]
I would like to fix a regression in the bookworm release of FreeRADIUS where
the TLS-Client-Cert-Common-Name attribute contains the wrong value, breaking
some use-cases (Bug#1043282).

It has been fixed in the new upstream version in sid, the two relevant commits
apply cleanly. The reporter has confirmed that this fixes his problem.

[ Impact ]
Attribute not usable for filtering/policy decisions

[ Tests ]
There are no additional CI tests covering _this_ specific feature. The reporter
has confirmed the fix.

[ Risks ]
Change is small and has been part of two upstream releases

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
See above + d/gbp.conf for the correct stable branch

[ Other info ]
none
diff -Nru freeradius-3.2.1+dfsg/debian/changelog freeradius-3.2.1+dfsg/debian/changelog
--- freeradius-3.2.1+dfsg/debian/changelog	2023-05-16 00:04:23.000000000 +0200
+++ freeradius-3.2.1+dfsg/debian/changelog	2023-08-19 00:26:34.000000000 +0200
@@ -1,3 +1,11 @@
+freeradius (3.2.1+dfsg-4+deb12u1) bookworm; urgency=medium
+
+  * Add d/gbp.conf for bookworm stable branch
+  * Cherry-Pick two upstream commits to fix TLS-Client-Cert-Common-Name
+    contains incorrect value (Closes: #1043282)
+
+ -- Bernhard Schmidt <berni@debian.org>  Sat, 19 Aug 2023 00:26:34 +0200
+
 freeradius (3.2.1+dfsg-4) unstable; urgency=medium
 
   * Don't install symlink for cache_eap module no longer shipped
diff -Nru freeradius-3.2.1+dfsg/debian/gbp.conf freeradius-3.2.1+dfsg/debian/gbp.conf
--- freeradius-3.2.1+dfsg/debian/gbp.conf	1970-01-01 01:00:00.000000000 +0100
+++ freeradius-3.2.1+dfsg/debian/gbp.conf	2023-08-19 00:26:34.000000000 +0200
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff -Nru freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch
--- freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch	1970-01-01 01:00:00.000000000 +0100
+++ freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch	2023-08-19 00:26:34.000000000 +0200
@@ -0,0 +1,40 @@
+From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Tue, 25 Oct 2022 10:51:02 -0400
+Subject: [PATCH] set partial chain always.  Helps with #4785
+
+---
+ src/main/tls.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index aa6395d8391f..a33699cbb66e 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf)
+ 	if (conf->check_all_crl)
+ 		X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+ #endif
++
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++	X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ 	return store;
+ }
+ 
+@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ 	if (conf->ca_file || conf->ca_path) {
+ 		if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ 		SSL_CTX_set_cert_store(ctx, certstore);
+-	}
+-
++	} else {
+ #if defined(X509_V_FLAG_PARTIAL_CHAIN)
+-	X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++		X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+ #endif
++	}
+ 
+ 	if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+ 
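Review bot: fr_init_x509_store now sets X509_V_FLAG_PARTIAL_CHAIN on every store it builds, so a peer chain that terminates at any certificate in ca_file/ca_path — an intermediate, not only a self-signed root — verifies successfully; that is a trust-policy decision and nothing in the hunk records it. A comment above the new `#if`, e.g. `/* Any cert in ca_file/ca_path is an acceptable anchor, not only a self-signed root (partial chain). */`, would tell an operator auditing ca_path contents what is being trusted. The second hunk only moves the same flag onto the context's default store for the no-CA case, so tls_init_ctx's own behaviour appears unchanged, but other callers of fr_init_x509_store, if any, now get partial-chain verification too. Both fr_init_x509_store and tls_init_ctx start outside the hunk.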
diff -Nru freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch
--- freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch	2023-08-19 00:26:34.000000000 +0200
@@ -0,0 +1,29 @@
+From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok" <aland@freeradius.org>
+Date: Wed, 26 Oct 2022 07:31:43 -0400
+Subject: [PATCH] fix cert order only for lookup=0.  Fixes #4785
+
+---
+ src/main/tls.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index a33699cbb66e..c67148cf12c7 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ 	 */
+ 	if (lookup > 1) {
+ 		if (!my_ok) lookup = 1;
+-	} else {
++
++	} else if (lookup == 0) {
++		/*
++		 *	This flag is only set for outbound
++		 *	connections.  And then allows us to remap SSL
++		 *	offset 0 (server) to our offset 1 (also
++		 *	server).
++		 */
+ 		lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL);
+ 	}
+ 
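Review bot: The new `else if (lookup == 0)` leaves `lookup == 1` untouched, whereas the old `else` ran the FR_TLS_EX_INDEX_FIX_CERT_ORDER remap for it as well, and the added comment explains only the depth-0 case. Extending that comment with a line such as ` *	Depth 1 is left as-is: only depth 0 needs remapping.` would record that the narrowing is intentional rather than an oversight. The blank line added before `} else if` also departs from the surrounding brace style. cbtls_verify starts outside the hunk, so what `lookup` holds before this point cannot be checked here.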
diff -Nru freeradius-3.2.1+dfsg/debian/patches/series freeradius-3.2.1+dfsg/debian/patches/series
--- freeradius-3.2.1+dfsg/debian/patches/series	2023-05-16 00:04:23.000000000 +0200
+++ freeradius-3.2.1+dfsg/debian/patches/series	2023-08-19 00:26:34.000000000 +0200
@@ -8,3 +8,5 @@
 #python_config_script_update.diff
 fix-ttls-mschapv2.patch
 fix-intermediate-ca.patch
+fix-tls-client-cert-common-name-1.patch
+fix-tls-client-cert-common-name-2.patch
