update to freeradius-3.2.8

net/freeradius/Makefile

@@ -7,7 +7,7 @@ COMMENT-mysql=	freeradius mysql rlm addon
 COMMENT-pgsql=	freeradius pgsql rlm addon
 COMMENT-python3= freeradius python3 rlm addon
 
-V=		3.2.6
+V=		3.2.8
 DISTNAME=	freeradius-server-$V
 EXTRACT_SUFX=	.tar.bz2
 
@@ -75,11 +75,11 @@ LIB_DEPENDS-main=	databases/gdbm \
 			net/libunbound \
 			security/yubico/yubico-c \
 			security/yubico/yubico-c-client \
-			devel/pcre \
+			devel/pcre2 \
 			net/curl
 
 WANTLIB-main += c crypto curl execinfo gdbm hiredis json-c m
-WANTLIB-main += pcap pcre perl pthread readline sqlite3 ssl talloc
+WANTLIB-main += pcap pcre2-8 perl pthread readline sqlite3 ssl talloc
 WANTLIB-main += unbound ykclient yubikey
 
 .for i in ${MULTI_PACKAGES:N-main}

net/freeradius/distinfo

@@ -1,2 +1,2 @@
-SHA256 (freeradius-server-3.2.6.tar.bz2) = GLuyMYRI8TkYiXrno4s2r9PbfdXGb3itJNLgBRJp2bI=
-SIZE (freeradius-server-3.2.6.tar.bz2) = 3500878
+SHA256 (freeradius-server-3.2.8.tar.bz2) = LGSDuuumX5OXNEc/r6McT3J+jhOd2IRWMSFBK2q6aBs=
+SIZE (freeradius-server-3.2.8.tar.bz2) = 3671952

net/freeradius/patches/patch-configure

@@ -4,7 +4,7 @@ library detection doesn't offer a nice way to do it.
 Index: configure
 --- configure.orig
 +++ configure
-@@ -8432,7 +8432,7 @@ if test "x$smart_lib" != "x"; then
+@@ -8509,7 +8509,7 @@ if test "x$smart_lib" != "x"; then
    SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS"
  fi
  

net/freeradius/patches/patch-raddb_radiusd_conf_in

@@ -1,7 +1,7 @@
 Index: raddb/radiusd.conf.in
 --- raddb/radiusd.conf.in.orig
 +++ raddb/radiusd.conf.in
-@@ -135,7 +135,7 @@ db_dir = ${raddbdir}
+@@ -168,7 +168,7 @@ db_dir = ${raddbdir}
  #	make
  #	make install
  #
@@ -10,7 +10,7 @@ Index: raddb/radiusd.conf.in
  
  #  pidfile: Where to place the PID of the RADIUS server.
  #
-@@ -541,8 +541,8 @@ security {
+@@ -603,8 +603,8 @@ security {
  	#  member.  This can allow for some finer-grained access
  	#  controls.
  	#

net/freeradius/patches/patch-src_main_cb_c

@@ -1,7 +1,7 @@
 Index: src/main/cb.c
 --- src/main/cb.c.orig
 +++ src/main/cb.c
-@@ -61,7 +61,7 @@ void cbtls_info(SSL const *s, int where, int ret)
+@@ -62,7 +62,7 @@ void cbtls_info(SSL const *s, int where, int ret)
  			/*
  			 *	After a ClientHello, list all the proposed ciphers from the client
  			 */
@@ -10,7 +10,7 @@ Index: src/main/cb.c
  			if (SSL_get_state(s) == TLS_ST_SR_CLNT_HELLO) {
  				int i;
  				int num_ciphers;
-@@ -121,7 +121,7 @@ void cbtls_info(SSL const *s, int where, int ret)
+@@ -122,7 +122,7 @@ void cbtls_info(SSL const *s, int where, int ret)
  				return;
  			}
  			RERROR("(TLS) %s - %s: Error in %s", conf->name, role, state);
@@ -19,7 +19,7 @@ Index: src/main/cb.c
  			if (RDEBUG_ENABLED3 && (SSL_get_state(s) == TLS_ST_SR_CLNT_HELLO)) goto report_ciphers;
  #endif
  		}
-@@ -208,7 +208,7 @@ void cbtls_msg(int write_p, int msg_version, int conte
+@@ -209,7 +209,7 @@ void cbtls_msg(int write_p, int msg_version, int conte
  		state->info.alert_level = 0x00;
  		state->info.alert_description = 0x00;
  

net/freeradius/patches/patch-src_main_command_c

@@ -0,0 +1,20 @@
+Index: src/main/command.c
+--- src/main/command.c.orig
++++ src/main/command.c
+@@ -2727,11 +2727,11 @@ static int command_stats_pool(rad_listen_t *listener, 
+ 		return CMD_FAIL;
+ 	}
+ 
+-	cprintf(listener, "last_checked\t\t%zu\n", stats->last_checked);
+-	cprintf(listener, "last_opened\t\t%zu\n", stats->last_opened);
+-	cprintf(listener, "last_closed\t\t%zu\n", stats->last_closed);
+-	cprintf(listener, "last_failed\t\t%zu\n", stats->last_failed);
+-	cprintf(listener, "last_throttled\t\t%zu\n", stats->last_throttled);
++	cprintf(listener, "last_checked\t\t%" PRIu64 "\n", (long long)stats->last_checked);
++	cprintf(listener, "last_opened\t\t%" PRIu64 "\n", (long long)stats->last_opened);
++	cprintf(listener, "last_closed\t\t%" PRIu64 "\n", (long long)stats->last_closed);
++	cprintf(listener, "last_failed\t\t%" PRIu64 "\n", (long long)stats->last_failed);
++	cprintf(listener, "last_throttled\t\t%" PRIu64 "\n", (long long)stats->last_throttled);
+ 	cprintf(listener, "total_opened\t\t%" PRIu64 "\n", stats->opened);
+ 	cprintf(listener, "total_closed\t\t%" PRIu64 "\n", stats->closed);
+ 	cprintf(listener, "total_failed\t\t%" PRIu64 "\n", stats->failed);

net/freeradius/patches/patch-src_main_tls_c

@@ -1,7 +1,7 @@
 Index: src/main/tls.c
 --- src/main/tls.c.orig
 +++ src/main/tls.c
-@@ -701,7 +701,7 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls
+@@ -605,7 +605,7 @@ tls_session_t *tls_new_session(TALLOC_CTX *ctx, fr_tls
  				/*
  				 * Swap empty store with the old one.
  				 */
@@ -10,7 +10,7 @@ Index: src/main/tls.c
  				conf->old_x509_store = SSL_CTX_get_cert_store(conf->ctx);
  				/* Bump refcnt so the store is kept allocated till next store replacement */
  				X509_STORE_up_ref(conf->old_x509_store);
-@@ -2069,7 +2069,7 @@ done:
+@@ -1978,7 +1978,7 @@ done:
  	return 0;
  }
  
@@ -19,7 +19,7 @@ Index: src/main/tls.c
  static SSL_SESSION *cbtls_get_session(SSL *ssl, unsigned char *data, int len, int *copy)
  #else
  static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int len, int *copy)
-@@ -2453,7 +2453,7 @@ static int cbtls_cache_refresh(SSL *ssl, SSL_SESSION *
+@@ -2362,7 +2362,7 @@ static int cbtls_cache_refresh(SSL *ssl, SSL_SESSION *
  	return 0;
  }
  
@@ -28,7 +28,7 @@ Index: src/main/tls.c
  static SSL_SESSION *cbtls_cache_load(SSL *ssl, unsigned char *data, int len, int *copy)
  #else
  static SSL_SESSION *cbtls_cache_load(SSL *ssl, const unsigned char *data, int len, int *copy)
-@@ -2985,7 +2985,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+@@ -2932,7 +2932,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
  	char		cn_str[1024];
  	char		buf[64];
  	X509		*client_cert;
@@ -37,7 +37,7 @@ Index: src/main/tls.c
  	const STACK_OF(X509_EXTENSION) *ext_list;
  #else
  	STACK_OF(X509_EXTENSION) *ext_list;
-@@ -3220,7 +3220,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+@@ -3207,7 +3207,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
  	}
  
  	if (lookup == 0) {
@@ -46,7 +46,7 @@ Index: src/main/tls.c
  		ext_list = X509_get0_extensions(client_cert);
  #else
  		X509_CINF	*client_inf;
-@@ -3273,7 +3273,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
+@@ -3260,7 +3260,7 @@ int cbtls_verify(int ok, X509_STORE_CTX *ctx)
  				value[0] = '0';
  				value[1] = 'x';
  				const unsigned char *srcp;
@@ -55,7 +55,7 @@ Index: src/main/tls.c
  				const ASN1_STRING *srcasn1p;
  				srcasn1p = X509_EXTENSION_get_data(ext);
  				srcp = ASN1_STRING_get0_data(srcasn1p);
-@@ -4346,7 +4346,7 @@ post_ca:
+@@ -4351,7 +4351,7 @@ post_ca:
  		}
  	}
  

net/freeradius/patches/patch-src_modules_rlm_pap_rlm_pap_c

@@ -1,7 +1,7 @@
 Index: src/modules/rlm_pap/rlm_pap.c
 --- src/modules/rlm_pap/rlm_pap.c.orig
 +++ src/modules/rlm_pap/rlm_pap.c
-@@ -934,7 +934,7 @@ static inline rlm_rcode_t CC_HINT(nonnull) pap_auth_pb
+@@ -912,7 +912,7 @@ static inline rlm_rcode_t CC_HINT(nonnull) pap_auth_pb
  		digest_len = SHA512_DIGEST_LENGTH;
  		break;
  

net/freeradius/patches/patch-src_modules_rlm_rest_rest_c

@@ -0,0 +1,50 @@
+fix types passed to curl_easy_setopt()
+
+Index: src/modules/rlm_rest/rest.c
+--- src/modules/rlm_rest/rest.c.orig
++++ src/modules/rlm_rest/rest.c
+@@ -409,11 +409,11 @@ void *mod_conn_create(TALLOC_CTX *ctx, void *instance)
+ 		 *  done on the first request, but we do it here to minimise
+ 		 *  latency.
+ 		 */
+-		SET_OPTION(CURLOPT_SSL_VERIFYPEER, 0);
+-		SET_OPTION(CURLOPT_SSL_VERIFYHOST, 0);
+-		SET_OPTION(CURLOPT_CONNECT_ONLY, 1);
++		SET_OPTION(CURLOPT_SSL_VERIFYPEER, 0L);
++		SET_OPTION(CURLOPT_SSL_VERIFYHOST, 0L);
++		SET_OPTION(CURLOPT_CONNECT_ONLY, 1L);
+ 		SET_OPTION(CURLOPT_URL, inst->connect_uri);
+-		SET_OPTION(CURLOPT_NOSIGNAL, 1);
++		SET_OPTION(CURLOPT_NOSIGNAL, 1L);
+ 
+ 		DEBUG("rlm_rest (%s): Connecting to \"%s\"", inst->xlat_name, inst->connect_uri);
+ 
+@@ -1974,7 +1974,7 @@ static int rest_request_config_body(UNUSED rlm_rest_t 
+ 	 *  no body should be sent.
+ 	 */
+ 	if (!func) {
+-		SET_OPTION(CURLOPT_POSTFIELDSIZE, 0);
++		SET_OPTION(CURLOPT_POSTFIELDSIZE, 0L);
+ 		return 0;
+ 	}
+ 
+@@ -2062,7 +2062,7 @@ int rest_request_config(rlm_rest_t *instance, rlm_rest
+ 	 *	Setup any header options and generic headers.
+ 	 */
+ 	SET_OPTION(CURLOPT_URL, uri);
+-	SET_OPTION(CURLOPT_NOSIGNAL, 1);
++	SET_OPTION(CURLOPT_NOSIGNAL, 1L);
+ 	SET_OPTION(CURLOPT_USERAGENT, "FreeRADIUS " RADIUSD_VERSION_STRING);
+ 
+ 	/*
+@@ -2253,8 +2253,8 @@ int rest_request_config(rlm_rest_t *instance, rlm_rest
+ 	}
+ #endif
+ 
+-	SET_OPTION(CURLOPT_SSL_VERIFYPEER, (section->tls_check_cert == true) ? 1 : 0);
+-	SET_OPTION(CURLOPT_SSL_VERIFYHOST, (section->tls_check_cert_cn == true) ? 2 : 0);
++	SET_OPTION(CURLOPT_SSL_VERIFYPEER, (long)(section->tls_check_cert == true) ? 1 : 0);
++	SET_OPTION(CURLOPT_SSL_VERIFYHOST, (long)(section->tls_check_cert_cn == true) ? 2 : 0);
+ 
+ 	/*
+ 	 *	Tell CURL how to get HTTP body content, and how to process incoming data.

net/freeradius/pkg/PLIST-main

@@ -137,6 +137,7 @@ lib/freeradius/
 @so lib/freeradius/rlm_passwd.so
 @so lib/freeradius/rlm_perl.so
 @so lib/freeradius/rlm_preprocess.so
+@so lib/freeradius/rlm_proxy_rate_limit.so
 @so lib/freeradius/rlm_radutmp.so
 @so lib/freeradius/rlm_realm.so
 @so lib/freeradius/rlm_redis.so
@@ -331,7 +332,6 @@ share/doc/freeradius/rfc/rfc6930.txt
 share/doc/freeradius/rfc/rfc7055.txt
 share/doc/freeradius/rfc/rfc7268.txt
 share/doc/freeradius/rfc/rfc7542.txt
-share/doc/freeradius/rfc/rfc7599.txt
 share/doc/freeradius/schemas/
 share/doc/freeradius/schemas/logstash/
 share/doc/freeradius/schemas/logstash/README
@@ -459,6 +459,10 @@ share/examples/freeradius/mods-available/ippool
 @sample ${FREERADIUS_ETC}/mods-available/ippool
 share/examples/freeradius/mods-available/json
 @sample ${FREERADIUS_ETC}/mods-available/json
+share/examples/freeradius/mods-available/kafka
+@sample ${FREERADIUS_ETC}/mods-available/kafka
+share/examples/freeradius/mods-available/kafka_async
+@sample ${FREERADIUS_ETC}/mods-available/kafka_async
 share/examples/freeradius/mods-available/krb5
 @sample ${FREERADIUS_ETC}/mods-available/krb5
 share/examples/freeradius/mods-available/linelog
@@ -486,6 +490,8 @@ share/examples/freeradius/mods-available/perl
 @sample ${FREERADIUS_ETC}/mods-available/perl
 share/examples/freeradius/mods-available/preprocess
 @sample ${FREERADIUS_ETC}/mods-available/preprocess
+share/examples/freeradius/mods-available/proxy_rate_limit
+@sample ${FREERADIUS_ETC}/mods-available/proxy_rate_limit
 share/examples/freeradius/mods-available/radutmp
 @sample ${FREERADIUS_ETC}/mods-available/radutmp
 share/examples/freeradius/mods-available/realm
@@ -557,6 +563,10 @@ share/examples/freeradius/mods-config/files/dhcp
 @sample ${FREERADIUS_ETC}/mods-config/files/dhcp
 share/examples/freeradius/mods-config/files/pre-proxy
 @sample ${FREERADIUS_ETC}/mods-config/files/pre-proxy
+share/examples/freeradius/mods-config/kafka/
+@sample ${FREERADIUS_ETC}/mods-config/kafka/
+share/examples/freeradius/mods-config/kafka/messages-json.conf
+@sample ${FREERADIUS_ETC}/mods-config/kafka/messages-json.conf
 share/examples/freeradius/mods-config/perl/
 @sample ${FREERADIUS_ETC}/mods-config/perl/
 share/examples/freeradius/mods-config/perl/example.pl
@@ -673,6 +683,7 @@ share/examples/freeradius/mods-enabled/ntlm_auth
 share/examples/freeradius/mods-enabled/pap
 share/examples/freeradius/mods-enabled/passwd
 share/examples/freeradius/mods-enabled/preprocess
+share/examples/freeradius/mods-enabled/proxy_rate_limit
 share/examples/freeradius/mods-enabled/radutmp
 share/examples/freeradius/mods-enabled/realm
 share/examples/freeradius/mods-enabled/replicate
@@ -885,9 +896,11 @@ share/freeradius/dictionary.h3c
 share/freeradius/dictionary.hillstone
 share/freeradius/dictionary.hp
 share/freeradius/dictionary.huawei
+share/freeradius/dictionary.huawei.v2
 share/freeradius/dictionary.iana
 share/freeradius/dictionary.iea
 share/freeradius/dictionary.infinera
+share/freeradius/dictionary.infinera.broken
 share/freeradius/dictionary.infoblox
 share/freeradius/dictionary.infonet
 share/freeradius/dictionary.ipunplugged