CVS commit: pkgsrc/net/radsecproxy

To: pkgsrc-changes%NetBSD.org@localhost
Subject: CVS commit: pkgsrc/net/radsecproxy
From: "Adam Ciarcinski" <adam%netbsd.org@localhost>
Date: Sun, 7 Jun 2026 17:45:46 +0000

Module Name:    pkgsrc
Committed By:   adam
Date:           Sun Jun  7 17:45:46 UTC 2026

Modified Files:
        pkgsrc/net/radsecproxy: Makefile distinfo
Added Files:
        pkgsrc/net/radsecproxy/patches: patch-fticks__hashmac.c patch-radmsg.c
            patch-radsecproxy.c
Removed Files:
        pkgsrc/net/radsecproxy/patches: patch-rewrite.c

Log Message:
radsecproxy: updated to 1.11.2

1.11.2
Bug Fixes:
- Fix Message-Authenticator validation for Accounting-Response

1.11.1
Bug Fixes:
- Fix wrong DN in certificate request
- Fix memory leak when using SIGHUP
- Fix exit when dyndisc script returns illegal PSKkey
- Fix logging during config check
- Fix invalid realm configs are ignored
- Fix default tls block selection

Misc:
- Improve message-authenticator logging

1.11.0
New features:
- TLS-PSK
- Long hex-strings in config
- Reload complete TLS context on SIGHUP, reload client/server cert and key
- Implement SSLKEYLOGFILE mechanism
- Options to require Message-Authenticator

Misc:
- Re-verify certificates on SIGHUP and terminate invalid connections
- Implement recommendations for deprecating insecure transports
- verify EAP message content length
- Close connection on radius attribute decode errors

Bug Fixes:
- Fix correct secret for DTLS (radius/dtls)
- Fix infinite loop when listening on tcp socket fails
- Fix crashes under high load


To generate a diff of this commit:
cvs rdiff -u -r1.18 -r1.19 pkgsrc/net/radsecproxy/Makefile
cvs rdiff -u -r1.12 -r1.13 pkgsrc/net/radsecproxy/distinfo
cvs rdiff -u -r0 -r1.1 pkgsrc/net/radsecproxy/patches/patch-fticks__hashmac.c \
    pkgsrc/net/radsecproxy/patches/patch-radmsg.c \
    pkgsrc/net/radsecproxy/patches/patch-radsecproxy.c
cvs rdiff -u -r1.1 -r0 pkgsrc/net/radsecproxy/patches/patch-rewrite.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/radsecproxy/Makefile
diff -u pkgsrc/net/radsecproxy/Makefile:1.18 pkgsrc/net/radsecproxy/Makefile:1.19
--- pkgsrc/net/radsecproxy/Makefile:1.18        Thu May 14 16:41:50 2026
+++ pkgsrc/net/radsecproxy/Makefile     Sun Jun  7 17:45:46 2026
@@ -1,22 +1,20 @@
-# $NetBSD: Makefile,v 1.18 2026/05/14 16:41:50 ryoon Exp $
+# $NetBSD: Makefile,v 1.19 2026/06/07 17:45:46 adam Exp $
 
-VERSION=       1.10.0
+VERSION=       1.11.2
 DISTNAME=      radsecproxy-${VERSION}
-PKGREVISION=   3
 CATEGORIES=    net
 MASTER_SITES=  ${MASTER_SITE_GITHUB:=radsecproxy/}
+GITHUB_RELEASE=        ${VERSION}
 
 MAINTAINER=    pkgsrc-users%NetBSD.org@localhost
-COMMENT=       Secure radius proxy
 HOMEPAGE=      https://radsecproxy.github.io/
-GITHUB_RELEASE=        ${VERSION}
+COMMENT=       Secure radius proxy
 LICENSE=       modified-bsd
 
-USE_TOOLS+=    gmake
-
-GNU_CONFIGURE=         YES
-CONFIGURE_ARGS+=       --sysconfdir=${PKG_SYSCONFBASEDIR:Q}
-CONFIGURE_ARGS+=       --with-ssl=${BUILDLINK_PREFIX.openssl}
+USE_TOOLS+=            gmake
+GNU_CONFIGURE=         yes
+CONFIGURE_ARGS+=       --with-openssl=${BUILDLINK_PREFIX.openssl}
+TEST_TARGET=           check
 
 EGDIR=         ${PREFIX}/share/examples/radsecproxy
 INSTALLATION_DIRS+=    ${EGDIR}

Index: pkgsrc/net/radsecproxy/distinfo
diff -u pkgsrc/net/radsecproxy/distinfo:1.12 pkgsrc/net/radsecproxy/distinfo:1.13
--- pkgsrc/net/radsecproxy/distinfo:1.12        Fri May 26 15:06:05 2023
+++ pkgsrc/net/radsecproxy/distinfo     Sun Jun  7 17:45:46 2026
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.12 2023/05/26 15:06:05 he Exp $
+$NetBSD: distinfo,v 1.13 2026/06/07 17:45:46 adam Exp $
 
-BLAKE2s (radsecproxy-1.10.0.tar.gz) = e753db6477a500802eb383fa19972a7db50a0c5295e10f375abd30f4ab87a9fe
-SHA512 (radsecproxy-1.10.0.tar.gz) = ba9967015561ef8ee3fbff68f58da785861d5213f5df9e1a27603dcb7688a26e927cbcb8b9845220bf436d99b170c5ce375cee6f5578ec193ac58e32e9c960df
-Size (radsecproxy-1.10.0.tar.gz) = 257188 bytes
-SHA1 (patch-rewrite.c) = 2b8b8f450b6591d3c21c19748dc4656b3b3d2646
+BLAKE2s (radsecproxy-1.11.2.tar.gz) = 978cac4e56fd0bdb6b42add866a4523e12c9da2155a6bc2cfcfc92742a010466
+SHA512 (radsecproxy-1.11.2.tar.gz) = 8de56c086afa270a7eabd97bca8c9d48f5ad2aca04b703820a523ce2f0a446d711714fe9d8f5ef479456e345b9fa04e9d9660d84de14c15097293e717187abf6
+Size (radsecproxy-1.11.2.tar.gz) = 273056 bytes
+SHA1 (patch-fticks__hashmac.c) = bc1777466e53c506fb098820eb6e94467b863cc1
+SHA1 (patch-radmsg.c) = d3b8facc29cbcd89ccdc7aaa0499ab86c68e83a4
+SHA1 (patch-radsecproxy.c) = e47c558da9ff935cf620fe0ce6977653517aa1a4

Added files:

Index: pkgsrc/net/radsecproxy/patches/patch-fticks__hashmac.c
diff -u /dev/null pkgsrc/net/radsecproxy/patches/patch-fticks__hashmac.c:1.1
--- /dev/null   Sun Jun  7 17:45:46 2026
+++ pkgsrc/net/radsecproxy/patches/patch-fticks__hashmac.c      Sun Jun  7 17:45:46 2026
@@ -0,0 +1,41 @@
+$NetBSD: patch-fticks__hashmac.c,v 1.1 2026/06/07 17:45:46 adam Exp $
+
+Add support for Nettle 4.0
+https://github.com/radsecproxy/radsecproxy/pull/197
+
+--- fticks_hashmac.c.orig      2025-03-24 07:29:17.000000000 +0000
++++ fticks_hashmac.c
+@@ -5,7 +5,8 @@
+ #include <ctype.h>
+ #include <errno.h>
+ #include <nettle/hmac.h>
+-#include <nettle/sha.h>
++#include <nettle/sha2.h>
++#include <nettle/version.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <string.h>
+@@ -35,7 +36,11 @@ static void _hash(const uint8_t *in,
+ 
+         sha256_init(&ctx);
+         sha256_update(&ctx, strlen((char *)in), in);
++#if NETTLE_VERSION_MAJOR >= 4
++        sha256_digest(&ctx, hash);
++#else
+         sha256_digest(&ctx, sizeof(hash), hash);
++#endif
+         _format_hash(hash, out_len, out);
+     } else {
+         struct hmac_sha256_ctx ctx;
+@@ -43,7 +48,11 @@ static void _hash(const uint8_t *in,
+ 
+         hmac_sha256_set_key(&ctx, strlen((char *)key), key);
+         hmac_sha256_update(&ctx, strlen((char *)in), in);
++#if NETTLE_VERSION_MAJOR >= 4
++        hmac_sha256_digest(&ctx, hash);
++#else
+         hmac_sha256_digest(&ctx, sizeof(hash), hash);
++#endif
+         _format_hash(hash, out_len, out);
+     }
+ }
Index: pkgsrc/net/radsecproxy/patches/patch-radmsg.c
diff -u /dev/null pkgsrc/net/radsecproxy/patches/patch-radmsg.c:1.1
--- /dev/null   Sun Jun  7 17:45:46 2026
+++ pkgsrc/net/radsecproxy/patches/patch-radmsg.c       Sun Jun  7 17:45:46 2026
@@ -0,0 +1,63 @@
+$NetBSD: patch-radmsg.c,v 1.1 2026/06/07 17:45:46 adam Exp $
+
+Add support for Nettle 4.0
+https://github.com/radsecproxy/radsecproxy/pull/197
+
+--- radmsg.c.orig      2025-03-25 13:15:57.000000000 +0000
++++ radmsg.c
+@@ -9,6 +9,7 @@
+ #include "util.h"
+ #include <arpa/inet.h>
+ #include <nettle/hmac.h>
++#include <nettle/version.h>
+ #include <openssl/rand.h>
+ #include <pthread.h>
+ #include <stdlib.h>
+@@ -146,7 +147,11 @@ int _checkmsgauth(unsigned char *rad, in
+ 
+     hmac_md5_set_key(&hmacctx, secret_len, secret);
+     hmac_md5_update(&hmacctx, radlen, rad);
++#if NETTLE_VERSION_MAJOR >= 4
++    hmac_md5_digest(&hmacctx, hash);
++#else
+     hmac_md5_digest(&hmacctx, sizeof(hash), hash);
++#endif
+ 
+     memcpy(authattr, auth, MD5_DIGEST_SIZE);
+ 
+@@ -169,7 +174,11 @@ int _validauth(unsigned char *rad, int l
+     if (len > 20)
+         md5_update(&mdctx, len - 20, rad + 20);
+     md5_update(&mdctx, sec_len, sec);
++#if NETTLE_VERSION_MAJOR >= 4
++    md5_digest(&mdctx, hash);
++#else
+     md5_digest(&mdctx, sizeof(hash), hash);
++#endif
+ 
+     result = !memcmp(hash, rad + 4, 16);
+ 
+@@ -189,7 +198,11 @@ int _createmessageauth(unsigned char *ra
+     memset(authattrval, 0, 16);
+     hmac_md5_set_key(&hmacctx, secret_len, secret);
+     hmac_md5_update(&hmacctx, radlen, rad);
++#if NETTLE_VERSION_MAJOR >= 4
++    hmac_md5_digest(&hmacctx, authattrval);
++#else
+     hmac_md5_digest(&hmacctx, MD5_DIGEST_SIZE, authattrval);
++#endif
+ 
+     pthread_mutex_unlock(&lock);
+     return 1;
+@@ -204,7 +217,11 @@ int _radsign(unsigned char *rad, int rad
+     md5_init(&mdctx);
+     md5_update(&mdctx, radlen, rad);
+     md5_update(&mdctx, sec_len, sec);
++#if NETTLE_VERSION_MAJOR >= 4
++    md5_digest(&mdctx, rad + 4);
++#else
+     md5_digest(&mdctx, MD5_DIGEST_SIZE, rad + 4);
++#endif
+ 
+     pthread_mutex_unlock(&lock);
+     return 1;
Index: pkgsrc/net/radsecproxy/patches/patch-radsecproxy.c
diff -u /dev/null pkgsrc/net/radsecproxy/patches/patch-radsecproxy.c:1.1
--- /dev/null   Sun Jun  7 17:45:46 2026
+++ pkgsrc/net/radsecproxy/patches/patch-radsecproxy.c  Sun Jun  7 17:45:46 2026
@@ -0,0 +1,75 @@
+$NetBSD: patch-radsecproxy.c,v 1.1 2026/06/07 17:45:46 adam Exp $
+
+Add support for Nettle 4.0
+https://github.com/radsecproxy/radsecproxy/pull/197
+
+--- radsecproxy.c.orig 2025-03-24 07:29:17.000000000 +0000
++++ radsecproxy.c
+@@ -65,6 +65,7 @@
+ #include <errno.h>
+ #include <libgen.h>
+ #include <nettle/md5.h>
++#include <nettle/version.h>
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
+ #include <openssl/ssl.h>
+@@ -601,7 +602,11 @@ static int pwdcrypt(char encrypt_flag, u
+             md5_update(&mdctx, saltlen, salt);
+             salt = NULL;
+         }
++#if NETTLE_VERSION_MAJOR >= 4
++        md5_digest(&mdctx, hash);
++#else
+         md5_digest(&mdctx, sizeof(hash), hash);
++#endif
+         for (i = 0; i < 16; i++)
+             out[offset + i] = hash[i] ^ in[offset + i];
+         if (encrypt_flag)
+@@ -636,7 +641,11 @@ static int msmppencrypt(uint8_t *text, u
+     md5_update(&mdctx, sharedlen, shared);
+     md5_update(&mdctx, 16, auth);
+     md5_update(&mdctx, 2, salt);
++#if NETTLE_VERSION_MAJOR >= 4
++    md5_digest(&mdctx, hash);
++#else
+     md5_digest(&mdctx, sizeof(hash), hash);
++#endif
+ 
+ #if 0
+     printfchars(NULL, "msppencrypt hash", "%02x ", hash, 16);
+@@ -652,7 +661,11 @@ static int msmppencrypt(uint8_t *text, u
+ #endif
+         md5_update(&mdctx, sharedlen, shared);
+         md5_update(&mdctx, 16, text + offset - 16);
++#if NETTLE_VERSION_MAJOR >= 4
++        md5_digest(&mdctx, hash);
++#else
+         md5_digest(&mdctx, sizeof(hash), hash);
++#endif
+ #if 0
+       printfchars(NULL, "msppencrypt hash", "%02x ", hash, 16);
+ #endif
+@@ -688,7 +701,11 @@ static int msmppdecrypt(uint8_t *text, u
+     md5_update(&mdctx, sharedlen, shared);
+     md5_update(&mdctx, 16, auth);
+     md5_update(&mdctx, 2, salt);
++#if NETTLE_VERSION_MAJOR >= 4
++    md5_digest(&mdctx, hash);
++#else
+     md5_digest(&mdctx, sizeof(hash), hash);
++#endif
+ 
+ #if 0
+     printfchars(NULL, "msppdecrypt hash", "%02x ", hash, 16);
+@@ -704,7 +721,11 @@ static int msmppdecrypt(uint8_t *text, u
+ #endif
+         md5_update(&mdctx, sharedlen, shared);
+         md5_update(&mdctx, 16, text + offset - 16);
++#if NETTLE_VERSION_MAJOR >= 4
++        md5_digest(&mdctx, hash);
++#else
+         md5_digest(&mdctx, sizeof(hash), hash);
++#endif
+ #if 0
+       printfchars(NULL, "msppdecrypt hash", "%02x ", hash, 16);
+ #endif

Prev by Date: CVS commit: pkgsrc/net/chrony
Next by Date: CVS commit: pkgsrc/www
Previous by Thread: CVS commit: pkgsrc/net/chrony
Next by Thread: CVS commit: pkgsrc/www
Indexes:

Home | Main Index | Thread Index | Old Index