head 1.1; access; symbols; locks; strict; comment @ * @; 1.1 date 2026.06.07.17.45.46; author adam; state Exp; branches; next ; commitid ad7Ke4zF9fmOnTIG; desc @@ 1.1 log @radsecproxy: updated to 1.11.2 1.11.2 Bug Fixes: - Fix Message-Authenticator validation for Accounting-Response 1.11.1 Bug Fixes: - Fix wrong DN in certificate request - Fix memory leak when using SIGHUP - Fix exit when dyndisc script returns illegal PSKkey - Fix logging during config check - Fix invalid realm configs are ignored - Fix default tls block selection Misc: - Improve message-authenticator logging 1.11.0 New features: - TLS-PSK - Long hex-strings in config - Reload complete TLS context on SIGHUP, reload client/server cert and key - Implement SSLKEYLOGFILE mechanism - Options to require Message-Authenticator Misc: - Re-verify certificates on SIGHUP and terminate invalid connections - Implement recommendations for deprecating insecure transports - verify EAP message content length - Close connection on radius attribute decode errors Bug Fixes: - Fix correct secret for DTLS (radius/dtls) - Fix infinite loop when listening on tcp socket fails - Fix crashes under high load @ text @$NetBSD$ Add support for Nettle 4.0 https://github.com/radsecproxy/radsecproxy/pull/197
--- radsecproxy.c.orig 2025-03-24 07:29:17.000000000 +0000
+++ radsecproxy.c
@@@@ -65,6 +65,7 @@@@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@@@ -601,7 +602,11 @@@@ static int pwdcrypt(char encrypt_flag, u
 md5_update(&mdctx, saltlen, salt);
 salt = NULL;
 }
+#if NETTLE_VERSION_MAJOR >= 4
+ md5_digest(&mdctx, hash);
+#else
 md5_digest(&mdctx, sizeof(hash), hash);
+#endif
 for (i = 0; i < 16; i++)
 out[offset + i] = hash[i] ^ in[offset + i];
 if (encrypt_flag)
@@@@ -636,7 +641,11 @@@@ static int msmppencrypt(uint8_t *text, u
 md5_update(&mdctx, sharedlen, shared);
 md5_update(&mdctx, 16, auth);
 md5_update(&mdctx, 2, salt);
+#if NETTLE_VERSION_MAJOR >= 4
+ md5_digest(&mdctx, hash);
+#else
 md5_digest(&mdctx, sizeof(hash), hash);
+#endif
 #if 0
 printfchars(NULL, "msppencrypt hash", "%02x ", hash, 16);
@@@@ -652,7 +661,11 @@@@ static int msmppencrypt(uint8_t *text, u
 #endif
 md5_update(&mdctx, sharedlen, shared);
 md5_update(&mdctx, 16, text + offset - 16);
+#if NETTLE_VERSION_MAJOR >= 4
+ md5_digest(&mdctx, hash);
+#else
 md5_digest(&mdctx, sizeof(hash), hash);
+#endif
 #if 0
 printfchars(NULL, "msppencrypt hash", "%02x ", hash, 16);
 #endif
@@@@ -688,7 +701,11 @@@@ static int msmppdecrypt(uint8_t *text, u
 md5_update(&mdctx, sharedlen, shared);
 md5_update(&mdctx, 16, auth);
 md5_update(&mdctx, 2, salt);
+#if NETTLE_VERSION_MAJOR >= 4
+ md5_digest(&mdctx, hash);
+#else
 md5_digest(&mdctx, sizeof(hash), hash);
+#endif
 #if 0
 printfchars(NULL, "msppdecrypt hash", "%02x ", hash, 16);
@@@@ -704,7 +721,11 @@@@ static int msmppdecrypt(uint8_t *text, u
 #endif
 md5_update(&mdctx, sharedlen, shared);
 md5_update(&mdctx, 16, text + offset - 16);
+#if NETTLE_VERSION_MAJOR >= 4
+ md5_digest(&mdctx, hash);
+#else
 md5_digest(&mdctx, sizeof(hash), hash);
+#endif
 #if 0
 printfchars(NULL, "msppdecrypt hash", "%02x ", hash, 16);
 #endif
@
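Review bot: Nothing at the new call sites ties the size of `hash` to what the Nettle 4 form `md5_digest(&mdctx, hash);` writes, since that form takes no length and presumably always stores a full MD5_DIGEST_SIZE digest; the pre-4 branch at least bounded the write with `sizeof(hash)`. The declaration of `hash` lies outside every hunk, so its size cannot be confirmed here, although the surrounding code uses a literal 16. The same five-line conditional is also repeated in pwdcrypt, twice in msmppencrypt and twice in msmppdecrypt, whose bodies all start and end outside the hunks. A single static wrapper would keep the version check in one place, and a compile-time size check next to each buffer would make the invariant explicit; the sketch below assumes `mdctx` is Nettle's `struct md5_ctx` and `hash` is a byte array in scope, and that the build accepts C11 `_Static_assert`.

```c
/* One place for the Nettle API difference: from 4.0 on, md5_digest() takes no length. */
static void rs_md5_digest(struct md5_ctx *ctx, uint8_t *out)
{
#if NETTLE_VERSION_MAJOR >= 4
    md5_digest(ctx, out);
#else
    md5_digest(ctx, MD5_DIGEST_SIZE, out);
#endif
}

/* ... unchanged: md5_update() calls in pwdcrypt / msmppencrypt / msmppdecrypt ... */
    _Static_assert(sizeof(hash) == MD5_DIGEST_SIZE, "hash must hold a full MD5 digest");
    rs_md5_digest(&mdctx, hash);
```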