Version in base suite: 3.2.1+dfsg-4
Base version: freeradius_3.2.1+dfsg-4
Target version: freeradius_3.2.1+dfsg-4+deb12u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/f/freeradius/freeradius_3.2.1+dfsg-4.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/f/freeradius/freeradius_3.2.1+dfsg-4+deb12u1.dsc
changelog | 8 ++++
gbp.conf | 2 +
patches/fix-tls-client-cert-common-name-1.patch | 40 ++++++++++++++++++++++++
patches/fix-tls-client-cert-common-name-2.patch | 29 +++++++++++++++++
patches/series | 2 +
5 files changed, 81 insertions(+)
diff -Nru freeradius-3.2.1+dfsg/debian/changelog freeradius-3.2.1+dfsg/debian/changelog
--- freeradius-3.2.1+dfsg/debian/changelog 2023-05-15 22:04:23.000000000 +0000
+++ freeradius-3.2.1+dfsg/debian/changelog 2023-08-18 22:26:34.000000000 +0000
@@ -1,3 +1,11 @@
+freeradius (3.2.1+dfsg-4+deb12u1) bookworm; urgency=medium
+
+ * Add d/gbp.conf for bookworm stable branch
+ * Cherry-Pick two upstream commits to fix TLS-Client-Cert-Common-Name
+ contains incorrect value (Closes: #1043282)
+
+ -- Bernhard Schmidt Sat, 19 Aug 2023 00:26:34 +0200
+
 freeradius (3.2.1+dfsg-4) unstable; urgency=medium
 * Don't install symlink for cache_eap module no longer shipped
diff -Nru freeradius-3.2.1+dfsg/debian/gbp.conf freeradius-3.2.1+dfsg/debian/gbp.conf
--- freeradius-3.2.1+dfsg/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000
+++ freeradius-3.2.1+dfsg/debian/gbp.conf 2023-08-18 22:26:34.000000000 +0000
@@ -0,0 +1,2 @@
+[DEFAULT]
+debian-branch = debian/bookworm
diff -Nru freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch
--- freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch 1970-01-01 00:00:00.000000000 +0000
+++ freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-1.patch 2023-08-18 22:26:34.000000000 +0000
@@ -0,0 +1,40 @@
+From d23987cbf55821dc56ab70d5ce6af3305cf83289 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Tue, 25 Oct 2022 10:51:02 -0400
+Subject: [PATCH] set partial chain always. Helps with #4785
+
+---
+ src/main/tls.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index aa6395d8391f..a33699cbb66e 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3546,6 +3546,11 @@ X509_STORE *fr_init_x509_store(fr_tls_server_conf_t *conf)
+ if (conf->check_all_crl)
+ X509_STORE_set_flags(store, X509_V_FLAG_CRL_CHECK_ALL);
+ #endif
++
++#if defined(X509_V_FLAG_PARTIAL_CHAIN)
++ X509_STORE_set_flags(store, X509_V_FLAG_PARTIAL_CHAIN);
++#endif
++
+ return store;
+ }
+
+@@ -4011,11 +4016,11 @@ SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client, char const *chain_
+ if (conf->ca_file || conf->ca_path) {
+ if ((certstore = fr_init_x509_store(conf)) == NULL ) return NULL;
+ SSL_CTX_set_cert_store(ctx, certstore);
+- }
+-
++ } else {
+ #if defined(X509_V_FLAG_PARTIAL_CHAIN)
+- X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
++ X509_STORE_set_flags(SSL_CTX_get_cert_store(ctx), X509_V_FLAG_PARTIAL_CHAIN);
+ #endif
++ }
+
+ if (conf->ca_file && *conf->ca_file) SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(conf->ca_file));
+
diff -Nru freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch
--- freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ freeradius-3.2.1+dfsg/debian/patches/fix-tls-client-cert-common-name-2.patch 2023-08-18 22:26:34.000000000 +0000
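Review bot: The X509_V_FLAG_PARTIAL_CHAIN now set unconditionally at the end of fr_init_x509_store carries no comment on what it does to trust evaluation, even though it is the only substantive change in this patch. With that flag OpenSSL accepts a chain as soon as it reaches any certificate present in the store, so a non-self-signed intermediate loaded from ca_file or ca_path becomes a trust anchor in its own right; that is presumably the intended effect, but it should be stated where the flag is set, e.g. `/* Any CA in ca_file/ca_path is a trust anchor even if it is not self-signed (partial-chain verification). */`. Note that the old tls_init_ctx code already applied the flag in both branches, because SSL_CTX_get_cert_store returns the store just installed, so the visible behaviour change is for other callers of fr_init_x509_store, which are not in the hunk. The rest of fr_init_x509_store, including where the store is built and populated, is outside the hunk.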
@@ -0,0 +1,29 @@
+From 3d08027f30c6d9c1eaccf7d60c68c8f7d78017c3 Mon Sep 17 00:00:00 2001
+From: "Alan T. DeKok"
+Date: Wed, 26 Oct 2022 07:31:43 -0400
+Subject: [PATCH] fix cert order only for lookup=0. Fixes #4785
+
+---
+ src/main/tls.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/tls.c b/src/main/tls.c
+index a33699cbb66e..c67148cf12c7 100644
+--- a/src/main/tls.c
++++ b/src/main/tls.c
+@@ -3015,7 +3015,14 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+ */
+ if (lookup > 1) {
+ if (!my_ok) lookup = 1;
+- } else {
++
++ } else if (lookup == 0) {
++ /*
++ * This flag is only set for outbound
++ * connections. And then allows us to remap SSL
++ * offset 0 (server) to our offset 1 (also
++ * server).
++ */
+ lookup = (SSL_get_ex_data(ssl, FR_TLS_EX_INDEX_FIX_CERT_ORDER) != NULL);
+ }
+
diff -Nru freeradius-3.2.1+dfsg/debian/patches/series freeradius-3.2.1+dfsg/debian/patches/series
--- freeradius-3.2.1+dfsg/debian/patches/series 2023-05-15 22:04:23.000000000 +0000
+++ freeradius-3.2.1+dfsg/debian/patches/series 2023-08-18 22:26:34.000000000 +0000
@@ -8,3 +8,5 @@
 #python_config_script_update.diff
 fix-ttls-mschapv2.patch
 fix-intermediate-ca.patch
+fix-tls-client-cert-common-name-1.patch
+fix-tls-client-cert-common-name-2.patch
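Review bot: The new `else if (lookup == 0)` gate changes the outcome for `lookup == 1`, which is now left untouched instead of being recomputed from FR_TLS_EX_INDEX_FIX_CERT_ORDER, but the added comment only explains when the flag is set, not why depth 1 must be excluded. Since `lookup` presumably selects which TLS-Client-Cert-*/TLS-Cert-* attribute slot the certificate data lands in, and TLS-Client-Cert-Common-Name is a value sites authorize on (it is the attribute Debian bug #1043282 reports as wrong), one more comment line would help, e.g. `* lookup == 1 is left alone: it is already our server slot.`. The remainder of cbtls_verify, including how `lookup` is derived and where it is consumed, is outside the hunk, so a regression test that checks TLS-Client-Cert-Common-Name against a client chain containing an intermediate CA would be the practical way to confirm the fix holds in both the inbound and outbound cases.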