From 8a15af84efbff3019dd21a87931e774212cc027d Mon Sep 17 00:00:00 2001
From: Daniel Baumann <daniel.baumann@progress-linux.org>
Date: Fri, 19 Apr 2024 07:35:20 +0200
Subject: Merging debian version 2.9.4-2.

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
---
 debian/changelog                                   | 11 ++++++
 debian/libnss-sss.install                          |  2 +-
 debian/libpam-sss.install                          |  4 +-
 debian/patches/series                              |  1 +
 ...extensions-from-openssl-command-if-there-.patch | 45 ++++++++++++++++++++++
 debian/rules                                       |  4 +-
 debian/tests/sssd-softhism2-certificates-tests.sh  |  2 -
 7 files changed, 62 insertions(+), 7 deletions(-)
 create mode 100644 debian/patches/tests-Drop-extensions-from-openssl-command-if-there-.patch

diff --git a/debian/changelog b/debian/changelog
index 785ce0a..581ae88 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+sssd (2.9.4-2) unstable; urgency=medium
+
+  [ Michael Biebl ]
+  * Install PAM and NSS modules into /usr. (Closes: #1061350)
+
+  [ Timo Aaltonen ]
+  * tests: Drop -extensions from openssl command if there is no -x509.
+    Thanks, Sebastian Andrzej Siewior! (Closes: #1061869)
+
+ -- Timo Aaltonen <tjaalton@debian.org>  Wed, 10 Apr 2024 15:56:46 +0300
+
 sssd (2.9.4-1.1~progress7.99u1) graograman-backports; urgency=medium
 
   * Uploading to graograman-backports, remaining changes:
diff --git a/debian/libnss-sss.install b/debian/libnss-sss.install
index 655f705..1f712e1 100644
--- a/debian/libnss-sss.install
+++ b/debian/libnss-sss.install
@@ -1 +1 @@
-lib/*/libnss_sss.so.2
+usr/lib/*/libnss_sss.so.2
diff --git a/debian/libpam-sss.install b/debian/libpam-sss.install
index 907b29c..07ccba3 100644
--- a/debian/libpam-sss.install
+++ b/debian/libpam-sss.install
@@ -1,4 +1,4 @@
-lib/*/security/pam_sss.so
-lib/*/security/pam_sss_gss.so
+usr/lib/*/security/pam_sss.so
+usr/lib/*/security/pam_sss_gss.so
 usr/share/man/man8/pam_sss.8*
 usr/share/man/man8/pam_sss_gss.8*
diff --git a/debian/patches/series b/debian/patches/series
index cf4c5c2..566ab08 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 fix-whitespace-test.diff
 default-to-socket-activated-services.diff
 fix-shebang-on-sss_analyze.patch
+tests-Drop-extensions-from-openssl-command-if-there-.patch
diff --git a/debian/patches/tests-Drop-extensions-from-openssl-command-if-there-.patch b/debian/patches/tests-Drop-extensions-from-openssl-command-if-there-.patch
new file mode 100644
index 0000000..407c9d5
--- /dev/null
+++ b/debian/patches/tests-Drop-extensions-from-openssl-command-if-there-.patch
@@ -0,0 +1,45 @@
+From: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+Date: Wed, 24 Jan 2024 23:03:04 +0100
+Subject: [PATCH] tests: Drop -extensions from openssl command if there is no
+ -x509
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The 'openssl req' ignores the '-extensions' option without '-x509'.
+OpenSSL versions prior 3.2 simply ignored it. Starting with version 3.2
+an error is generated:
+
+| /usr/bin/openssl req -batch -config
+| ../../../../../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA.config
+| -new -nodes -key
+| …/build/../src/tests/test_CA/intermediate_CA/SSSD_test_intermediate_CA_key.pem
+-sha256 -extensions v3_ca -out SSSD_test_intermediate_CA_req.pem
+| Error adding request extensions from section v3_ca
+| 003163BAB27F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509/v3_akid.c:156:
+| 003163BAB27F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:../crypto/x509/v3_conf.c:48:section=v3_ca, name=authorityKeyIdentifier, value=keyid:always,issuer:always
+|
+
+Remove the '-extensions' option.
+
+Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
+---
+ src/tests/test_CA/intermediate_CA/Makefile.am | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/tests/test_CA/intermediate_CA/Makefile.am b/src/tests/test_CA/intermediate_CA/Makefile.am
+index b439f82cb03e5..50fcddb8d2221 100644
+--- a/src/tests/test_CA/intermediate_CA/Makefile.am
++++ b/src/tests/test_CA/intermediate_CA/Makefile.am
+@@ -33,7 +33,7 @@ ca_all: clean SSSD_test_intermediate_CA.pem SSSD_test_intermediate_CA_full_db.pe
+ 	ln -s $(builddir)/../$@
+ 
+ SSSD_test_intermediate_CA_req.pem: $(openssl_intermediate_ca_key) $(openssl_intermediate_ca_config) SSSD_test_CA.pem
+-	$(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -extensions v3_ca -out $@
++	$(OPENSSL) req -batch -config ${openssl_intermediate_ca_config} -new -nodes -key $< -sha256 -out $@
+ 
+ SSSD_test_intermediate_CA.pem: SSSD_test_intermediate_CA_req.pem $(openssl_root_ca_config) $(openssl_root_ca_key)
+ 	cd .. && $(OPENSSL) ca -config ${openssl_root_ca_config} -batch -notext -keyfile $(openssl_root_ca_key) -in $(abs_builddir)/$< -days 200 -extensions v3_intermediate_ca -out $(abs_builddir)/$@
+-- 
+2.43.0
+
diff --git a/debian/rules b/debian/rules
index d6c2e79..cff6d75 100755
--- a/debian/rules
+++ b/debian/rules
@@ -31,8 +31,8 @@ override_dh_auto_configure:
 	--datadir=/usr/share/ \
 	--with-environment-file=/etc/default/sssd \
 	--with-krb5-plugin-path=/usr/lib/$(DEB_HOST_MULTIARCH)/krb5/plugins/libkrb5 \
-	--enable-nsslibdir=/lib/$(DEB_HOST_MULTIARCH) \
-	--enable-pammoddir=/lib/$(DEB_HOST_MULTIARCH)/security \
+	--enable-nsslibdir=/usr/lib/$(DEB_HOST_MULTIARCH) \
+	--enable-pammoddir=/usr/lib/$(DEB_HOST_MULTIARCH)/security \
 	--enable-systemtap \
 	--disable-static \
 	--disable-rpath \
diff --git a/debian/tests/sssd-softhism2-certificates-tests.sh b/debian/tests/sssd-softhism2-certificates-tests.sh
index a067674..2c3d167 100644
--- a/debian/tests/sssd-softhism2-certificates-tests.sh
+++ b/debian/tests/sssd-softhism2-certificates-tests.sh
@@ -222,7 +222,6 @@ openssl req \
   -key "$tmpdir/test-intermediate-CA-key.pem" \
   -passout "$root_ca_key_pass" \
   -sha256 \
-  -extensions v3_ca \
   -out "$tmpdir/test-intermediate-CA-certificate-request.pem"
 
 openssl req -text -noout -in "$tmpdir/test-intermediate-CA-certificate-request.pem"
@@ -311,7 +310,6 @@ openssl req \
   -key "$tmpdir/test-sub-intermediate-CA-key.pem" \
   -passout "$intermediate_ca_key_pass" \
   -sha256 \
-  -extensions v3_ca \
   -out "$tmpdir/test-sub-intermediate-CA-certificate-request.pem"
 
 openssl req -text -noout -in "$tmpdir/test-sub-intermediate-CA-certificate-request.pem"
-- 
cgit v1.2.3