CVS commit: pkgsrc/net/freeradius

["Adam Ciarcinski" <adam%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   adam
Date:           Tue Jun  2 09:12:54 UTC 2026

Modified Files:
        pkgsrc/net/freeradius: Makefile.common PLIST distinfo

Log Message:
freeradius: updated to 3.2.9

3.2.9

Configuration changes

Add protocol_error = yes configuration to clients. If set, the server can return Protocol-Error responses to the client.
radclient can now suppress Message-Authenticator in Access-Request, when the input packet contains Message-Authenticator !* ANY Don't use this in production!
Set suppress_secrets = true by default.
Add connect_fail_interval to home_server configuration. If a connection fails, the server will wait this time before trying to connect again.
Add certificate_fail_interval to home_server configuration. If a connection succeeds but the home_server certificate is invalid, the server will wait this time before trying to connect again.
Add update section to home_server configuration. Status-Server packets can therefore be customized.
Add cipher_suites to tls{} configuration. See raddb/sites-available/tls. This is mainly used to set the cipher suites for TLS-PSK with TLS 1.3.

Feature improvements

Initial implementation of Protocol-Failure as per IETF draft. The functionality is disabled by default, but can be enabled via new configuration flags.
Always allow Protocol-Error packet as valid response to any packet.
Add Error-Cause attributes to CoA-NAK and Disconnect-NAK
Added filter_username_nai to policy.d/filter, mainly for use in eduroam.
Updates to VSCode default configuration.
Cleanups and add log messages for rlm_proxy_rate_limit.
Allow 389ds legacy PBKDF2_SHA256 to use arbitrary iteration count.
Amend policy insert_acct_class/acct_unique to work in environments with multiple Class attributes
Tweak sqlippool messages to make them clearer.
Print log message if the server receives a correct authenticated proxy response packet, but which has an unexpected code. e.g. received Access-Accept in response to an Accounting-Request.
New installations now set "suppress_secrets=true" by default. The server also prints messages in debug mode which explains why the secrets are being suppressed.
Allow parallel build for Debian.
Add RTBrick and other dictionaries.
Add documentation for ntlm_auth and spaces in passwords.

Bug fixes

Many minor bug fixes and cleanups.
Fixes to RadSec.
Many other fixes to socket and event handling, which enable increased scalability.
Fix issues found with EAP-MSCHAPv2, EAP-PWD, and EAP-MD5.
Fix run_dir
Disable the PCRE JIT at run time if it can't allocate executable memory.
Set selinux boolean to allow PCRE2 JIT
If you set the clock 25 years in the future, don't spam systemd.
Don't load the OpenSSL legacy provider when built with --enable-fips-workaround.
Address potential leaks when opening many RADIUS/TLS proxy sockets.
Encode multiple DHCP Option 82 as one option, instead of as multiple options.
Update the rlm_cache_redis driver to reconnect on connection failure.
Tweaks to the processing state machine to handle more corner cases / race conditions. Thanks to Paul Dekkers for testing.
Don't close the main listen socket for TCP.
Fix rlm_dspk to properly support dynamic filenames.
Don't crash in corner cases when running Post-Proxy-Type Fail.
Use correct name offsets in proxy_rate_limit.
push fallback virtual server to child thread.
Correct corner case in hash table.
Allow new proxy sockets after reaching "too many sockets", when we close an existing proxy connection.
fix consistent load balancing.
Address pthread APIs.
Install headers needed to build modules.
Initialize scope in IPv6 address lookups.
Don't load legacy provider on --enable-fips-workaround.
Hoist mutex lock in TLS sockets.
Fix occasional EAP-PWD authentication failure.
Fix memcache storing of dates.
Add more debugging information for TEAP. TEAP has limited utility, due to the incompleteness of the spec, and the severe limitations of the Windows TEAP supplicant.
Return stats for "auth+acct" home servers.


To generate a diff of this commit:
cvs rdiff -u -r1.17 -r1.18 pkgsrc/net/freeradius/Makefile.common
cvs rdiff -u -r1.42 -r1.43 pkgsrc/net/freeradius/PLIST
cvs rdiff -u -r1.51 -r1.52 pkgsrc/net/freeradius/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/net/freeradius/Makefile.common
diff -u pkgsrc/net/freeradius/Makefile.common:1.17 pkgsrc/net/freeradius/Makefile.common:1.18
--- pkgsrc/net/freeradius/Makefile.common:1.17  Wed May 13 09:30:42 2026
+++ pkgsrc/net/freeradius/Makefile.common       Tue Jun  2 09:12:54 2026
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile.common,v 1.17 2026/05/13 09:30:42 adam Exp $
+# $NetBSD: Makefile.common,v 1.18 2026/06/02 09:12:54 adam Exp $
 # used by net/freeradius/Makefile.module
 
-DISTNAME=      freeradius-server-3.2.8
+DISTNAME=      freeradius-server-3.2.9
 CATEGORIES=    net
 MASTER_SITES=  https://www.freeradius.org/ftp/pub/freeradius/
 EXTRACT_SUFX=  .tar.bz2

Index: pkgsrc/net/freeradius/PLIST
diff -u pkgsrc/net/freeradius/PLIST:1.42 pkgsrc/net/freeradius/PLIST:1.43
--- pkgsrc/net/freeradius/PLIST:1.42    Wed May 13 09:30:42 2026
+++ pkgsrc/net/freeradius/PLIST Tue Jun  2 09:12:54 2026
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.42 2026/05/13 09:30:42 adam Exp $
+@comment $NetBSD: PLIST,v 1.43 2026/06/02 09:12:54 adam Exp $
 bin/dhcpclient
 bin/map_unit
 bin/rad_counter
@@ -18,10 +18,13 @@ bin/rlm_sqlippool_tool
 bin/smbencrypt
 include/freeradius/attributes.h
 include/freeradius/autoconf.h
+include/freeradius/automask.h
 include/freeradius/base64.h
 include/freeradius/build.h
+include/freeradius/clients.h
 include/freeradius/conf.h
 include/freeradius/conffile.h
+include/freeradius/connection.h
 include/freeradius/detail.h
 include/freeradius/event.h
 include/freeradius/features.h
@@ -29,6 +32,8 @@ include/freeradius/freeradius.h
 include/freeradius/hash.h
 include/freeradius/heap.h
 include/freeradius/libradius.h
+include/freeradius/listen.h
+include/freeradius/log.h
 include/freeradius/map.h
 include/freeradius/md4.h
 include/freeradius/md5.h
@@ -36,6 +41,7 @@ include/freeradius/missing.h
 include/freeradius/modcall.h
 include/freeradius/modules.h
 include/freeradius/packet.h
+include/freeradius/process.h
 include/freeradius/rad_assert.h
 include/freeradius/radius.h
 include/freeradius/radiusd.h
@@ -83,9 +89,11 @@ include/freeradius/sysutmp.h
 include/freeradius/tcp.h
 include/freeradius/threads.h
 include/freeradius/tls.h
+include/freeradius/tmpl.h
 include/freeradius/token.h
 include/freeradius/udpfromto.h
 include/freeradius/vqp.h
+include/freeradius/xlat.h
 lib/libfreeradius-dhcp.${SHLIB_EXT}
 lib/libfreeradius-eap.${SHLIB_EXT}
 lib/libfreeradius-radius.${SHLIB_EXT}
@@ -239,6 +247,7 @@ share/doc/freeradius/antora/modules/deve
 share/doc/freeradius/antora/modules/developers/pages/coverage.adoc
 share/doc/freeradius/antora/modules/developers/pages/index.adoc
 share/doc/freeradius/antora/modules/developers/pages/profile.adoc
+share/doc/freeradius/antora/modules/developers/pages/protocol-error.adoc
 share/doc/freeradius/antora/modules/developers/pages/release-method.adoc
 share/doc/freeradius/antora/modules/howto/nav.adoc
 share/doc/freeradius/antora/modules/howto/pages/index.adoc
@@ -426,7 +435,6 @@ share/doc/freeradius/rfc/attributes.html
 share/doc/freeradius/rfc/draft-kamath-pppext-eap-mschapv2-00.txt
 share/doc/freeradius/rfc/draft-sterman-aaa-sip-00.txt
 share/doc/freeradius/rfc/genref.pl
-share/doc/freeradius/rfc/leap.txt
 share/doc/freeradius/rfc/per-rfc.pl
 share/doc/freeradius/rfc/rewrite.pl
 share/doc/freeradius/rfc/rfc1157.txt
@@ -733,6 +741,7 @@ share/examples/freeradius/mods-enabled/d
 share/examples/freeradius/mods-enabled/detail
 share/examples/freeradius/mods-enabled/detail.log
 share/examples/freeradius/mods-enabled/digest
+share/examples/freeradius/mods-enabled/dpsk
 share/examples/freeradius/mods-enabled/dynamic_clients
 share/examples/freeradius/mods-enabled/eap
 share/examples/freeradius/mods-enabled/echo
@@ -1003,6 +1012,7 @@ share/freeradius/dictionary.rfc8559
 share/freeradius/dictionary.riverbed
 share/freeradius/dictionary.riverstone
 share/freeradius/dictionary.roaringpenguin
+share/freeradius/dictionary.rtbrick
 share/freeradius/dictionary.ruckus
 share/freeradius/dictionary.ruggedcom
 share/freeradius/dictionary.sangoma

Index: pkgsrc/net/freeradius/distinfo
diff -u pkgsrc/net/freeradius/distinfo:1.51 pkgsrc/net/freeradius/distinfo:1.52
--- pkgsrc/net/freeradius/distinfo:1.51 Wed May 13 09:30:42 2026
+++ pkgsrc/net/freeradius/distinfo      Tue Jun  2 09:12:54 2026
@@ -1,8 +1,8 @@
-$NetBSD: distinfo,v 1.51 2026/05/13 09:30:42 adam Exp $
+$NetBSD: distinfo,v 1.52 2026/06/02 09:12:54 adam Exp $
 
-BLAKE2s (freeradius-server-3.2.8.tar.bz2) = f77cd9dacb608fcdc465244f76a3fcd7c0cfafd736f9a24518517a768ff8c2b9
-SHA512 (freeradius-server-3.2.8.tar.bz2) = 31db199c3847bfdb80b726e16cece0d660bd741fae0fca8ba96aaaee30972c657438c4e1fdaa7ef070f84d8b7889a8da8db1defc542b0c0e18f247156f17e0ae
-Size (freeradius-server-3.2.8.tar.bz2) = 3671952 bytes
+BLAKE2s (freeradius-server-3.2.9.tar.bz2) = a612f5d55bbf6d4dfb731aeb5251d4cf7d8ccba4c486eeeede7316214548aa8c
+SHA512 (freeradius-server-3.2.9.tar.bz2) = 17973e4e0815c81a0963d040afba30ccd2f509aecfeeea882cb98fd772c8e3155d07183f5d3149ea1440c24353c5e86982852533143c8e863bbc749c186b1b71
+Size (freeradius-server-3.2.9.tar.bz2) = 3722656 bytes
 SHA1 (patch-configure) = ddafb5aafec43d2c9d2c81a824fa514224243ac0
 SHA1 (patch-configure.ac) = ffec1f851d23f560797c12eba5092f2940e4d662
 SHA1 (patch-raddb_radiusd.conf.in) = 353cbed35013777bf055a77cc610b50a637ae7b7