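radsecproxy-1.6.2/0000775000175100017510000000000012042223271011063 500000000000000radsecproxy-1.6.2/fticks.c0000664000175100017510000001235112042223225012433 00000000000000
/* Copyright (C) 2011 NORDUnet A/S
 * See LICENSE for information about licensing.
 */

#include "radsecproxy.h"
#include "debug.h"
#include "fticks.h"
#include "fticks_hashmac.h"

/*
 * Translate the textual FTicksReporting / FTicksMAC / FTicksKey settings
 * into the corresponding fields of OPTIONS.
 *
 * options     receives fticks_reporting, fticks_mac and, when a key was
 *             given, fticks_key.
 * reportingp  in/out: heap string with the FTicksReporting value or NULL;
 *             freed and reset to NULL before returning.
 * macp        in/out: heap string with the FTicksMAC value or NULL;
 *             freed and reset to NULL before returning.
 * keyp        heap string with the FTicksKey value or NULL.  The pointer
 *             itself is stored in options->fticks_key (no copy is made)
 *             and *keyp is left unchanged.
 *             NOTE(review): this looks like an ownership transfer to
 *             OPTIONS -- confirm that the caller does not free *keyp.
 *
 * Returns 0 on success and 1 if any value was rejected.  Values are
 * matched case-insensitively.  A keyed MAC mode without a key is an error
 * whenever reporting is enabled, and in that case reporting is switched
 * off again, so a missing key never results in records being written in
 * some other MAC mode.
 */
int
fticks_configure(struct options *options,
                 uint8_t **reportingp,
                 uint8_t **macp,
                 uint8_t **keyp)
{
    int r = 0;
    const char *reporting = (const char *) *reportingp;
    const char *mac = (const char *) *macp;

    /* Set defaults. */
    options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
    options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;

    if (reporting != NULL) {
        if (strcasecmp(reporting, "None") == 0)
            options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
        else if (strcasecmp(reporting, "Basic") == 0)
            options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC;
        else if (strcasecmp(reporting, "Full") == 0)
            options->fticks_reporting = RSP_FTICKS_REPORTING_FULL;
        else {
            debugx(1, DBG_ERR,
                   "config error: invalid FTicksReporting value: %s",
                   reporting);
            r = 1;
        }
    }

    if (mac != NULL) {
        if (strcasecmp(mac, "Static") == 0)
            options->fticks_mac = RSP_FTICKS_MAC_STATIC;
        else if (strcasecmp(mac, "Original") == 0)
            options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL;
        else if (strcasecmp(mac, "VendorHashed") == 0)
            options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED;
        else if (strcasecmp(mac, "VendorKeyHashed") == 0)
            options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED;
        else if (strcasecmp(mac, "FullyHashed") == 0)
            options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED;
        else if (strcasecmp(mac, "FullyKeyHashed") == 0)
            options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED;
        else {
            debugx(1, DBG_ERR,
                   "config error: invalid FTicksMAC value: %s", mac);
            r = 1;
        }
    }

    if (*keyp != NULL) {
        options->fticks_key = *keyp;
        /* A key that no configured mode consumes is only worth a warning. */
        if (options->fticks_mac != RSP_FTICKS_MAC_VENDOR_KEY_HASHED
            && options->fticks_mac != RSP_FTICKS_MAC_FULLY_KEY_HASHED)
            debugx(1, DBG_WARN, "config warning: FTicksKey not used");
    }
    else if (options->fticks_reporting != RSP_FTICKS_REPORTING_NONE
             && (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED
                 || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) {
        debugx(1, DBG_ERR,
               "config error: FTicksMAC values VendorKeyHashed and "
               "FullyKeyHashed require an FTicksKey");
        /* Fail closed: no key means no F-Ticks records at all. */
        options->fticks_reporting = RSP_FTICKS_REPORTING_NONE;
        r = 1;
    }

    /* free(NULL) is a no-op, so no guard is needed. */
    free(*reportingp);
    *reportingp = NULL;
    free(*macp);
    *macp = NULL;

    return r;
}

/*
 * Emit one F-Ticks record for the reply MSG to the request RQOUT.
 *
 * options  supplies the reporting level, the MAC mode and the key.
 * client   supplies VISCOUNTRY and, for "Full" reporting, VISINST
 *          (conf->fticks_visinst, falling back to conf->name).
 * msg      the reply; RESULT is "OK" for RAD_Access_Accept, else "FAIL".
 * rqout    the request whose User-Name and Calling-Station-Id are read.
 *
 * REALM is the part of User-Name after the last '@', or the empty string.
 * CSI is derived from Calling-Station-Id according to options->fticks_mac.
 *
 * radattr2ascii() is defined elsewhere; its result is used here as a
 * NUL-terminated heap string that this function frees, which is what the
 * strrchr() on username and the free() calls already rely on.
 *
 * NOTE(review): REALM and (in "Original" mode) CSI are taken from request
 * attributes and written into a '#'-separated record.  Whether
 * radattr2ascii() escapes '#' is not visible here -- confirm, since an
 * embedded separator would let a client add fields to the record.
 * NOTE(review): client->conf->fticks_viscountry is passed to "%s";
 * presumably callers only log for clients that have it set -- confirm.
 */
void
fticks_log(const struct options *options,
           const struct client *client,
           const struct radmsg *msg,
           const struct rqout *rqout)
{
    /* Length of the leading part of the MAC that the vendor modes keep. */
    const size_t vendor_len = 9;
    uint8_t *username = NULL;
    uint8_t *realm = NULL;
    uint8_t visinst[8+40+1+1]; /* Room for 40 octets of VISINST. */
    uint8_t *macin = NULL;
    uint8_t macout[2*32+1]; /* Room for ASCII representation of SHA256. */

    username = radattr2ascii(radmsg_gettype(rqout->rq->msg,
                                            RAD_Attr_User_Name));
    if (username != NULL) {
        realm = (uint8_t *) strrchr((char *) username, '@');
        if (realm != NULL)
            realm++;
    }
    if (realm == NULL)
        realm = (uint8_t *) "";

    memset(visinst, 0, sizeof(visinst));
    if (options->fticks_reporting == RSP_FTICKS_REPORTING_FULL) {
        /* snprintf truncates an over-long VISINST instead of overflowing. */
        if (client->conf->fticks_visinst != NULL) {
            snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#",
                     client->conf->fticks_visinst);
        } else {
            snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#",
                     client->conf->name);
        }
    }

    memset(macout, 0, sizeof(macout));
    if (options->fticks_mac == RSP_FTICKS_MAC_STATIC) {
        strncpy((char *) macout, "undisclosed", sizeof(macout) - 1);
    }
    else {
        macin = radattr2ascii(radmsg_gettype(rqout->rq->msg,
                                             RAD_Attr_Calling_Station_Id));
        if (macin) {
            switch (options->fticks_mac)
            {
            case RSP_FTICKS_MAC_ORIGINAL:
                /* Bounded string copy.  A fixed-size memcpy of
                 * sizeof(macout) bytes would read past the end of a
                 * shorter macin and would leave macout without a
                 * terminator for a longer one, and macout is printed
                 * with "%s" below. */
                snprintf((char *) macout, sizeof(macout), "%s",
                         (const char *) macin);
                break;
            case RSP_FTICKS_MAC_VENDOR_HASHED:
                /* Copy at most vendor_len characters and stop at the
                 * terminator, so a Calling-Station-Id shorter than
                 * vendor_len is not read out of bounds.  The byte
                 * snprintf writes at macout[vendor_len] is where the
                 * hash output starts.
                 * NOTE(review): fticks_hashmac is defined elsewhere; if
                 * it is a plain digest when no key is given, the output
                 * can be matched against precomputed digests of
                 * candidate addresses, so the unkeyed modes should be
                 * read as obfuscation only. */
                snprintf((char *) macout, vendor_len + 1, "%s",
                         (const char *) macin);
                fticks_hashmac(macin, NULL, sizeof(macout) - vendor_len,
                               macout + vendor_len);
                break;
            case RSP_FTICKS_MAC_VENDOR_KEY_HASHED:
                /* Same bounded prefix copy as for VENDOR_HASHED. */
                snprintf((char *) macout, vendor_len + 1, "%s",
                         (const char *) macin);
                /* We are hashing the first nine octets too for easier
                 * correlation between vendor-key-hashed and
                 * fully-key-hashed log records.  This opens up for a
                 * known plaintext attack on the key but the
                 * consequences of that are considered outweighed by
                 * the convenience gained.  */
                fticks_hashmac(macin, options->fticks_key,
                               sizeof(macout) - vendor_len,
                               macout + vendor_len);
                break;
            case RSP_FTICKS_MAC_FULLY_HASHED:
                fticks_hashmac(macin, NULL, sizeof(macout), macout);
                break;
            case RSP_FTICKS_MAC_FULLY_KEY_HASHED:
                fticks_hashmac(macin, options->fticks_key, sizeof(macout),
                               macout);
                break;
            default:
                /* macout stays empty, so CSI is logged as an empty field. */
                debugx(2, DBG_ERR, "invalid fticks mac configuration: %d",
                       options->fticks_mac);
            }
        }
    }

    fticks_debug(
        "F-TICKS/eduroam/1.0#REALM=%s#VISCOUNTRY=%s#%sCSI=%s#RESULT=%s#",
        realm,
        client->conf->fticks_viscountry,
        visinst,
        macout,
        msg->code == RAD_Access_Accept ? "OK" : "FAIL");

    /* realm points into username, so it must not be used after this. */
    free(macin);
    free(username);
}

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/radsecproxy.conf-example0000664000175100017510000002014212042223225015644 00000000000000# Master config file, must be in /etc/radsecproxy or specified with -c option # All possible config options are listed below # First you may define any global options, these are: # # You can optionally specify addresses and ports to listen on # Multiple statements can be used for multiple ports/addresses #ListenUDP *:1814 #ListenUDP localhost #ListenTCP [2001:700:1:7:215:f2ff:fe35:307d]:1812 #ListenTLS 10.10.10.10:2084 #ListenTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 #ListenDTLS [2001:700:1:7:215:f2ff:fe35:307d]:2084 # To specify a certain address/port for UDP/TLS requests you can use e.g. #SourceUDP 127.0.0.1:33000 #SourceTCP *:33000 #SourceTLS *:33001 #SourceDTLS *:33001 # Optional log level. 3 is default, 1 is less, 5 is more #LogLevel 3 # Optional LogDestination, else stderr used for logging # Logging to file #LogDestination file:///tmp/rp.log # Or logging with Syslog.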
LOG_DAEMON used if facility not specified # The supported facilities are LOG_DAEMON, LOG_MAIL, LOG_USER and # LOG_LOCAL0, ..., LOG_LOCAL7 #LogDestination x-syslog:/// #LogDestination x-syslog:///log_local2 # For generating log entries conforming to the F-Ticks system, specify # FTicksReporting with one of the following values. # None -- Do not log in F-Ticks format. This is the default. # Basic -- Do log in F-Ticks format but do not log VISINST. # Full -- Do log in F-Ticks format and do log VISINST. # Please note that in order to get F-Ticks logging for a given client, # its matching client configuration block has to contain the # fticksVISCOUNTRY option. # You can optionally specify FTicksMAC in order to determine if and # how Calling-Station-Id (user's Ethernet MAC address) is being logged. # Static -- Use a static string as a placeholder for # Calling-Station-Id. # Original -- Log Calling-Station-Id as-is. # VendorHashed -- Keep first three segments as-is, hash the rest. # VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key. This # is the default. # FullyHashed -- Hash the entire string. # FullyKeyHashed -- Like FullyHashed but salt with F-Ticks-Key. # In order to use FTicksMAC with one of VendorKeyHashed or # FullyKeyHashed, specify a key with FTicksKey. # FTicksKey # Default F-Ticks configuration: #FTicksReporting None #FTicksMAC Static # Note: FTicksMAC is shown as Static here, although VendorKeyHashed is # described above as the default. # You can optionally specify FTicksSyslogFacility to use a dedicated # syslog facility for F-Ticks messages. This allows for easier filtering # of F-Ticks messages. # F-Ticks messages are always logged using the log level LOG_DEBUG. # Note that specifying a file (using the file:/// prefix) is not supported. #FTicksSyslogFacility log_local1 #FTicksSyslogFacility x-syslog:///log_local1 # There is an option for doing some simple loop prevention. Note that # the LoopPrevention directive can be used in server blocks too, # overriding what's set here in the basic settings.
#LoopPrevention on # Add TTL attribute with value 20 if not present (prevents endless loops) #AddTTL 20 # If we have TLS clients or servers we must define at least one tls block. # You can name them whatever you like and then reference them by name when # specifying clients or servers later. There are however three special names # "default", "defaultclient" and "defaultserver". If no name is defined for # a client, the "defaultclient" block will be used if it exists, if not the # "default" will be used. For a server, "defaultserver" followed by "default" # will be checked. # # The simplest configuration you can do is: tls default { # You must specify at least one of CACertificateFile or CACertificatePath # for TLS to work. We always verify peer certificate (client and server) # CACertificateFile /etc/cacerts/CA.pem CACertificatePath /etc/cacerts # You must specify the below for TLS, we always present our certificate CertificateFile /etc/hostcertkey/host.example.com.pem CertificateKeyFile /etc/hostcertkey/host.example.com.key.pem # Optionally specify password if key is encrypted (not very secure) CertificateKeyPassword "follow the white rabbit" # Optionally enable CRL checking # CRLCheck on # Optionally specify how long CAs and CRLs are cached, default forever # CacheExpiry 3600 # Optionally require that peer certs have one of the specified policyOIDs # policyoid 1.2.3 # this option can be used multiple times # policyoid 1.3.4 } # If you want one cert for all clients and another for all servers, use # defaultclient and defaultserver instead of default. If we wanted some # particular server to use something else you could specify a block # "tls myserver" and then reference that for that server. If you always # name the tls block in the client/server config you don't need a default # Now we configure clients, servers and realms. 
Note that these and # also the lines above may be in any order, except that a realm # can only be configured to use a server that is previously configured. # A realm can be a literal domain name, * which matches all, or a # regexp. A regexp is specified by the character prefix / # For regexp we do case insensitive matching of the entire username string. # The matching of realms is done in the order they are specified, using the # first match found. Some examples are # "@example\.com$", "\.com$", ".*" and "^[a-z].*@example\.com$". # To treat local users separately you might try first specifying "@" # and after that "*". # Configure a rewrite block if you want to add/remove/modify attributes # rewrite example { # # Remove NAS-Port. # removeAttribute 5 # # Remove vendor attribute 100. # removeVendorAttribute 99:100 # # Called-Station-Id = "123456" # addAttribute 30:123456 # # Vendor-99-Attr-101 = 0x0f # addVendorAttribute 99:101:%0f # # Change users @local to @example.com. # modifyAttribute 1:/^(.*)@local$/\1@example.com/ # } client [2001:db8::1] { type tls secret verysecret # we could specify tls here, e.g. # tls myclient # in order to use tls parameters named myclient. 
We don't, so we will # use "tls defaultclient" if defined, or look for "tls default" as a # last resort } client 127.0.0.1 { type udp secret secret # Might do rewriting of incoming messages using rewrite block example # rewriteIn example # Can also do rewriting of outgoing messages # rewriteOut example } client 127.0.0.1 { type tcp secret secret } client radius.example.com { type tls # secret is optional for TLS } client radius.example.com { type dtls # secret is optional for DTLS } server 127.0.0.1 { type UDP secret secret # Might do rewriting of incoming messages using rewrite block example # rewriteIn example # Can also do rewriting of outgoing messages # rewriteOut example # Might override loop prevention here too: # LoopPrevention off } realm eduroam.cc { server 127.0.0.1 # If you also want to use this server for accounting, specify # accountingServer 127.0.0.1 } server [2001:db8::1] { type TLS port 2283 # secret is optional for TLS # we could specify tls here, e.g. # tls myserver # in order to use tls parameters named myserver. We don't, so we will # use "tls defaultserver" if defined, or look for "tls default" as a # last resort } server radius.example.com { type tls secret verysecret StatusServer on # statusserver is optional, can be on or off. Off is default } #server radius.example.com { # type dtls # secret verysecret # StatusServer on ## statusserver is optional, can be on or off. Off is default #} # Equivalent to example.com realm /@example\.com$ { server 2001:db8::1 } # One can define a realm without servers, the proxy will then reject # any requests matching this. Optionally one can specify ReplyMessage # attribute to be included in the reject message. One can also use # AccountingResponse option to specify that the proxy should send such.
realm /\.com$ { } realm /^anonymous$ { replymessage "No Access" # AccountingResponse On } # The realm below is equivalent to /.* realm * { server radius.example.com } # If you don't have a default server you probably want to # reject all unknowns. Optionally you can also include a message #realm * { # replymessage "User unknown" #} radsecproxy-1.6.2/config.sub0000755000175100017510000010460612042223267013000 00000000000000#! /bin/sh # Configuration validation subroutine script. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, # 2011 Free Software Foundation, Inc. timestamp='2011-03-23' # This file is (in principle) common to ALL GNU software. # The presence of a machine in this file suggests that SOME GNU software # can handle that machine. It does not imply ALL GNU software can. # # This file is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA # 02110-1301, USA. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # Please send patches to . Submit a context # diff and a properly formatted GNU ChangeLog entry. 
# # Configuration subroutine to validate and canonicalize a configuration type. # Supply the specified configuration type as an argument. # If it is invalid, we print an error message on stderr and exit with code 1. # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub;hb=HEAD # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases # that are meaningful with *any* GNU software. # Each package is responsible for reporting which valid configurations # it does not support. The user should be able to distinguish # a failure to support a valid configuration from a meaningless # configuration. # The goal of this file is to map all the various variations of a given # machine specification into a single specification in the form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM # or in some cases, the newer four-part form: # CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM # It is wrong to echo any other type of specification. me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] CPU-MFR-OPSYS $0 [OPTION] ALIAS Canonicalize a configuration name. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.sub ($timestamp) Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." 
# Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" exit 1 ;; *local*) # First pass through any local machine types. echo $1 exit ;; * ) break ;; esac done case $# in 0) echo "$me: missing argument$help" >&2 exit 1;; 1) ;; *) echo "$me: too many arguments$help" >&2 exit 1;; esac # Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). # Here we must recognize all the valid KERNEL-OS combinations. maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` case $maybe_os in nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ knetbsd*-gnu* | netbsd*-gnu* | \ kopensolaris*-gnu* | \ storm-chaos* | os2-emx* | rtmk-nova*) os=-$maybe_os basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` ;; *) basic_machine=`echo $1 | sed 's/-[^-]*$//'` if [ $basic_machine != $1 ] then os=`echo $1 | sed 's/.*-/-/'` else os=; fi ;; esac ### Let's recognize common machines as not being operating systems so ### that things like config.sub decstation-3100 work. We also ### recognize some manufacturers as not being operating systems, so we ### can provide default operating systems below. case $os in -sun*os*) # Prevent following clause from handling this invalid input. 
;; -dec* | -mips* | -sequent* | -encore* | -pc532* | -sgi* | -sony* | \ -att* | -7300* | -3300* | -delta* | -motorola* | -sun[234]* | \ -unicom* | -ibm* | -next | -hp | -isi* | -apollo | -altos* | \ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ -apple | -axis | -knuth | -cray | -microblaze) os= basic_machine=$1 ;; -bluegene*) os=-cnk ;; -sim | -cisco | -oki | -wec | -winbond) os= basic_machine=$1 ;; -scout) ;; -wrs) os=-vxworks basic_machine=$1 ;; -chorusos*) os=-chorusos basic_machine=$1 ;; -chorusrdb) os=-chorusrdb basic_machine=$1 ;; -hiux*) os=-hiuxwe2 ;; -sco6) os=-sco5v6 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5) os=-sco3.2v5 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco4) os=-sco3.2v4 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2.[4-9]*) os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco3.2v[4-9]*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco5v6*) # Don't forget version if it is 3.2v4 or newer. basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -sco*) os=-sco3.2v2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -udk*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -isc) os=-isc2.2 basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -clix*) basic_machine=clipper-intergraph ;; -isc*) basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'` ;; -lynx*) os=-lynxos ;; -ptx*) basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` ;; -windowsnt*) os=`echo $os | sed -e 's/windowsnt/winnt/'` ;; -psos*) os=-psos ;; -mint | -mint[0-9]*) basic_machine=m68k-atari os=-mint ;; esac # Decode aliases for certain CPU-COMPANY combinations. case $basic_machine in # Recognize the basic CPU types without company name. 
# Some are omitted here because they have special meanings below. 1750a | 580 \ | a29k \ | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ | am33_2.0 \ | arc | arm | arm[bl]e | arme[lb] | armv[2345] | armv[345][lb] | avr | avr32 \ | bfin \ | c4x | clipper \ | d10v | d30v | dlx | dsp16xx \ | fido | fr30 | frv \ | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ | i370 | i860 | i960 | ia64 \ | ip2k | iq2000 \ | lm32 \ | m32c | m32r | m32rle | m68000 | m68k | m88k \ | maxq | mb | microblaze | mcore | mep | metag \ | mips | mipsbe | mipseb | mipsel | mipsle \ | mips16 \ | mips64 | mips64el \ | mips64octeon | mips64octeonel \ | mips64orion | mips64orionel \ | mips64r5900 | mips64r5900el \ | mips64vr | mips64vrel \ | mips64vr4100 | mips64vr4100el \ | mips64vr4300 | mips64vr4300el \ | mips64vr5000 | mips64vr5000el \ | mips64vr5900 | mips64vr5900el \ | mipsisa32 | mipsisa32el \ | mipsisa32r2 | mipsisa32r2el \ | mipsisa64 | mipsisa64el \ | mipsisa64r2 | mipsisa64r2el \ | mipsisa64sb1 | mipsisa64sb1el \ | mipsisa64sr71k | mipsisa64sr71kel \ | mipstx39 | mipstx39el \ | mn10200 | mn10300 \ | moxie \ | mt \ | msp430 \ | nds32 | nds32le | nds32be \ | nios | nios2 \ | ns16k | ns32k \ | open8 \ | or32 \ | pdp10 | pdp11 | pj | pjl \ | powerpc | powerpc64 | powerpc64le | powerpcle \ | pyramid \ | rx \ | score \ | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[34]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ | sh64 | sh64le \ | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ | spu \ | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ | ubicom32 \ | v850 | v850e \ | we32k \ | x86 | xc16x | xstormy16 | xtensa \ | z8k | z80) basic_machine=$basic_machine-unknown ;; c54x) basic_machine=tic54x-unknown ;; c55x) basic_machine=tic55x-unknown ;; c6x) basic_machine=tic6x-unknown ;; m6811 | m68hc11 | 
m6812 | m68hc12 | picochip) # Motorola 68HC11/12. basic_machine=$basic_machine-unknown os=-none ;; m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) ;; ms1) basic_machine=mt-unknown ;; strongarm | thumb | xscale) basic_machine=arm-unknown ;; xscaleeb) basic_machine=armeb-unknown ;; xscaleel) basic_machine=armel-unknown ;; # We use `pc' rather than `unknown' # because (1) that's what they normally are, and # (2) the word "unknown" tends to confuse beginning users. i*86 | x86_64) basic_machine=$basic_machine-pc ;; # Object if more than one company name word. *-*-*) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; # Recognize the basic CPU types with company name. 580-* \ | a29k-* \ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ | alphapca5[67]-* | alpha64pca5[67]-* | arc-* \ | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ | avr-* | avr32-* \ | bfin-* | bs2000-* \ | c[123]* | c30-* | [cjt]90-* | c4x-* \ | clipper-* | craynv-* | cydra-* \ | d10v-* | d30v-* | dlx-* \ | elxsi-* \ | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ | h8300-* | h8500-* \ | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ | i*86-* | i860-* | i960-* | ia64-* \ | ip2k-* | iq2000-* \ | lm32-* \ | m32c-* | m32r-* | m32rle-* \ | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ | m88110-* | m88k-* | maxq-* | mcore-* | metag-* | microblaze-* \ | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ | mips16-* \ | mips64-* | mips64el-* \ | mips64octeon-* | mips64octeonel-* \ | mips64orion-* | mips64orionel-* \ | mips64r5900-* | mips64r5900el-* \ | mips64vr-* | mips64vrel-* \ | mips64vr4100-* | mips64vr4100el-* \ | mips64vr4300-* | mips64vr4300el-* \ | mips64vr5000-* | mips64vr5000el-* \ | mips64vr5900-* | mips64vr5900el-* \ | mipsisa32-* | mipsisa32el-* \ | mipsisa32r2-* | mipsisa32r2el-* \ | mipsisa64-* | mipsisa64el-* \ | 
mipsisa64r2-* | mipsisa64r2el-* \ | mipsisa64sb1-* | mipsisa64sb1el-* \ | mipsisa64sr71k-* | mipsisa64sr71kel-* \ | mipstx39-* | mipstx39el-* \ | mmix-* \ | mt-* \ | msp430-* \ | nds32-* | nds32le-* | nds32be-* \ | nios-* | nios2-* \ | none-* | np1-* | ns16k-* | ns32k-* \ | open8-* \ | orion-* \ | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ | pyramid-* \ | romp-* | rs6000-* | rx-* \ | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ | sparclite-* \ | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx?-* \ | tahoe-* \ | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ | tile-* | tilegx-* \ | tron-* \ | ubicom32-* \ | v850-* | v850e-* | vax-* \ | we32k-* \ | x86-* | x86_64-* | xc16x-* | xps100-* \ | xstormy16-* | xtensa*-* \ | ymp-* \ | z8k-* | z80-*) ;; # Recognize the basic CPU types without company name, with glob match. xtensa*) basic_machine=$basic_machine-unknown ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. 
386bsd) basic_machine=i386-unknown os=-bsd ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) basic_machine=m68000-att ;; 3b*) basic_machine=we32k-att ;; a29khif) basic_machine=a29k-amd os=-udi ;; abacus) basic_machine=abacus-unknown ;; adobe68k) basic_machine=m68010-adobe os=-scout ;; alliant | fx80) basic_machine=fx80-alliant ;; altos | altos3068) basic_machine=m68k-altos ;; am29k) basic_machine=a29k-none os=-bsd ;; amd64) basic_machine=x86_64-pc ;; amd64-*) basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; amdahl) basic_machine=580-amdahl os=-sysv ;; amiga | amiga-*) basic_machine=m68k-unknown ;; amigaos | amigados) basic_machine=m68k-unknown os=-amigaos ;; amigaunix | amix) basic_machine=m68k-unknown os=-sysv4 ;; apollo68) basic_machine=m68k-apollo os=-sysv ;; apollo68bsd) basic_machine=m68k-apollo os=-bsd ;; aros) basic_machine=i386-pc os=-aros ;; aux) basic_machine=m68k-apple os=-aux ;; balance) basic_machine=ns32k-sequent os=-dynix ;; blackfin) basic_machine=bfin-unknown os=-linux ;; blackfin-*) basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; bluegene*) basic_machine=powerpc-ibm os=-cnk ;; c54x-*) basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c55x-*) basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c6x-*) basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` ;; c90) basic_machine=c90-cray os=-unicos ;; cegcc) basic_machine=arm-unknown os=-cegcc ;; convex-c1) basic_machine=c1-convex os=-bsd ;; convex-c2) basic_machine=c2-convex os=-bsd ;; convex-c32) basic_machine=c32-convex os=-bsd ;; convex-c34) basic_machine=c34-convex os=-bsd ;; convex-c38) basic_machine=c38-convex os=-bsd ;; cray | j90) basic_machine=j90-cray os=-unicos ;; craynv) basic_machine=craynv-cray os=-unicosmp ;; cr16 | cr16-*) basic_machine=cr16-unknown os=-elf ;; crds | unos) basic_machine=m68k-crds ;; crisv32 | crisv32-* | etraxfs*) basic_machine=crisv32-axis ;; cris | cris-* | etrax*) 
basic_machine=cris-axis ;; crx) basic_machine=crx-unknown os=-elf ;; da30 | da30-*) basic_machine=m68k-da30 ;; decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) basic_machine=mips-dec ;; decsystem10* | dec10*) basic_machine=pdp10-dec os=-tops10 ;; decsystem20* | dec20*) basic_machine=pdp10-dec os=-tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) basic_machine=m68k-motorola ;; delta88) basic_machine=m88k-motorola os=-sysv3 ;; dicos) basic_machine=i686-pc os=-dicos ;; djgpp) basic_machine=i586-pc os=-msdosdjgpp ;; dpx20 | dpx20-*) basic_machine=rs6000-bull os=-bosx ;; dpx2* | dpx2*-bull) basic_machine=m68k-bull os=-sysv3 ;; ebmon29k) basic_machine=a29k-amd os=-ebmon ;; elxsi) basic_machine=elxsi-elxsi os=-bsd ;; encore | umax | mmax) basic_machine=ns32k-encore ;; es1800 | OSE68k | ose68k | ose | OSE) basic_machine=m68k-ericsson os=-ose ;; fx2800) basic_machine=i860-alliant ;; genix) basic_machine=ns32k-ns ;; gmicro) basic_machine=tron-gmicro os=-sysv ;; go32) basic_machine=i386-pc os=-go32 ;; h3050r* | hiux*) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; h8300hms) basic_machine=h8300-hitachi os=-hms ;; h8300xray) basic_machine=h8300-hitachi os=-xray ;; h8500hms) basic_machine=h8500-hitachi os=-hms ;; harris) basic_machine=m88k-harris os=-sysv3 ;; hp300-*) basic_machine=m68k-hp ;; hp300bsd) basic_machine=m68k-hp os=-bsd ;; hp300hpux) basic_machine=m68k-hp os=-hpux ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) basic_machine=m68000-hp ;; hp9k3[2-9][0-9]) basic_machine=m68k-hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) basic_machine=hppa1.0-hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) basic_machine=hppa1.1-hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp basic_machine=hppa1.1-hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) 
basic_machine=hppa1.1-hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) basic_machine=hppa1.0-hp ;; hppa-next) os=-nextstep3 ;; hppaosf) basic_machine=hppa1.1-hp os=-osf ;; hppro) basic_machine=hppa1.1-hp os=-proelf ;; i370-ibm* | ibm*) basic_machine=i370-ibm ;; # I'm not sure what "Sysv32" means. Should this be sysv3.2? i*86v32) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv32 ;; i*86v4*) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv4 ;; i*86v) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-sysv ;; i*86sol2) basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` os=-solaris2 ;; i386mach) basic_machine=i386-mach os=-mach ;; i386-vsta | vsta) basic_machine=i386-unknown os=-vsta ;; iris | iris4d) basic_machine=mips-sgi case $os in -irix*) ;; *) os=-irix4 ;; esac ;; isi68 | isi) basic_machine=m68k-isi os=-sysv ;; m68knommu) basic_machine=m68k-unknown os=-linux ;; m68knommu-*) basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; m88k-omron*) basic_machine=m88k-omron ;; magnum | m3230) basic_machine=mips-mips os=-sysv ;; merlin) basic_machine=ns32k-utek os=-sysv ;; microblaze) basic_machine=microblaze-xilinx ;; mingw32) basic_machine=i386-pc os=-mingw32 ;; mingw32ce) basic_machine=arm-unknown os=-mingw32ce ;; miniframe) basic_machine=m68000-convergent ;; *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) basic_machine=m68k-atari os=-mint ;; mips3*-*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` ;; mips3*) basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown ;; monitor) basic_machine=m68k-rom68k os=-coff ;; morphos) basic_machine=powerpc-unknown os=-morphos ;; msdos) basic_machine=i386-pc os=-msdos ;; ms1-*) basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` ;; mvs) basic_machine=i370-ibm os=-mvs ;; ncr3000) basic_machine=i486-ncr os=-sysv4 ;; netbsd386) basic_machine=i386-unknown os=-netbsd ;; netwinder) basic_machine=armv4l-rebel os=-linux ;; news | news700 | news800 | news900) basic_machine=m68k-sony 
os=-newsos ;; news1000) basic_machine=m68030-sony os=-newsos ;; news-3600 | risc-news) basic_machine=mips-sony os=-newsos ;; necv70) basic_machine=v70-nec os=-sysv ;; next | m*-next ) basic_machine=m68k-next case $os in -nextstep* ) ;; -ns2*) os=-nextstep2 ;; *) os=-nextstep3 ;; esac ;; nh3000) basic_machine=m68k-harris os=-cxux ;; nh[45]000) basic_machine=m88k-harris os=-cxux ;; nindy960) basic_machine=i960-intel os=-nindy ;; mon960) basic_machine=i960-intel os=-mon960 ;; nonstopux) basic_machine=mips-compaq os=-nonstopux ;; np1) basic_machine=np1-gould ;; neo-tandem) basic_machine=neo-tandem ;; nse-tandem) basic_machine=nse-tandem ;; nsr-tandem) basic_machine=nsr-tandem ;; op50n-* | op60c-*) basic_machine=hppa1.1-oki os=-proelf ;; openrisc | openrisc-*) basic_machine=or32-unknown ;; os400) basic_machine=powerpc-ibm os=-os400 ;; OSE68000 | ose68000) basic_machine=m68000-ericsson os=-ose ;; os68k) basic_machine=m68k-none os=-os68k ;; pa-hitachi) basic_machine=hppa1.1-hitachi os=-hiuxwe2 ;; paragon) basic_machine=i860-intel os=-osf ;; parisc) basic_machine=hppa-unknown os=-linux ;; parisc-*) basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` os=-linux ;; pbd) basic_machine=sparc-tti ;; pbb) basic_machine=m68k-tti ;; pc532 | pc532-*) basic_machine=ns32k-pc532 ;; pc98) basic_machine=i386-pc ;; pc98-*) basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium | p5 | k5 | k6 | nexgen | viac3) basic_machine=i586-pc ;; pentiumpro | p6 | 6x86 | athlon | athlon_*) basic_machine=i686-pc ;; pentiumii | pentium2 | pentiumiii | pentium3) basic_machine=i686-pc ;; pentium4) basic_machine=i786-pc ;; pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumpro-* | p6-* | 6x86-* | athlon-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pentium4-*) 
basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` ;; pn) basic_machine=pn-gould ;; power) basic_machine=power-ibm ;; ppc | ppcbe) basic_machine=powerpc-unknown ;; ppc-* | ppcbe-*) basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppcle | powerpclittle | ppc-le | powerpc-little) basic_machine=powerpcle-unknown ;; ppcle-* | powerpclittle-*) basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64) basic_machine=powerpc64-unknown ;; ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ppc64le | powerpc64little | ppc64-le | powerpc64-little) basic_machine=powerpc64le-unknown ;; ppc64le-* | powerpc64little-*) basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` ;; ps2) basic_machine=i386-ibm ;; pw32) basic_machine=i586-unknown os=-pw32 ;; rdos) basic_machine=i386-pc os=-rdos ;; rom68k) basic_machine=m68k-rom68k os=-coff ;; rm[46]00) basic_machine=mips-siemens ;; rtpc | rtpc-*) basic_machine=romp-ibm ;; s390 | s390-*) basic_machine=s390-ibm ;; s390x | s390x-*) basic_machine=s390x-ibm ;; sa29200) basic_machine=a29k-amd os=-udi ;; sb1) basic_machine=mipsisa64sb1-unknown ;; sb1el) basic_machine=mipsisa64sb1el-unknown ;; sde) basic_machine=mipsisa32-sde os=-elf ;; sei) basic_machine=mips-sei os=-seiux ;; sequent) basic_machine=i386-sequent ;; sh) basic_machine=sh-hitachi os=-hms ;; sh5el) basic_machine=sh5le-unknown ;; sh64) basic_machine=sh64-unknown ;; sparclite-wrs | simso-wrs) basic_machine=sparclite-wrs os=-vxworks ;; sps7) basic_machine=m68k-bull os=-sysv2 ;; spur) basic_machine=spur-unknown ;; st2000) basic_machine=m68k-tandem ;; stratus) basic_machine=i860-stratus os=-sysv4 ;; strongarm-* | thumb-*) basic_machine=arm-`echo $basic_machine | sed 's/^[^-]*-//'` ;; sun2) basic_machine=m68000-sun ;; sun2os3) basic_machine=m68000-sun os=-sunos3 ;; sun2os4) basic_machine=m68000-sun os=-sunos4 ;; sun3os3) basic_machine=m68k-sun os=-sunos3 ;; sun3os4) basic_machine=m68k-sun os=-sunos4 ;; 
sun4os3) basic_machine=sparc-sun os=-sunos3 ;; sun4os4) basic_machine=sparc-sun os=-sunos4 ;; sun4sol2) basic_machine=sparc-sun os=-solaris2 ;; sun3 | sun3-*) basic_machine=m68k-sun ;; sun4) basic_machine=sparc-sun ;; sun386 | sun386i | roadrunner) basic_machine=i386-sun ;; sv1) basic_machine=sv1-cray os=-unicos ;; symmetry) basic_machine=i386-sequent os=-dynix ;; t3e) basic_machine=alphaev5-cray os=-unicos ;; t90) basic_machine=t90-cray os=-unicos ;; # This must be matched before tile*. tilegx*) basic_machine=tilegx-unknown os=-linux-gnu ;; tile*) basic_machine=tile-unknown os=-linux-gnu ;; tx39) basic_machine=mipstx39-unknown ;; tx39el) basic_machine=mipstx39el-unknown ;; toad1) basic_machine=pdp10-xkl os=-tops20 ;; tower | tower-32) basic_machine=m68k-ncr ;; tpf) basic_machine=s390x-ibm os=-tpf ;; udi29k) basic_machine=a29k-amd os=-udi ;; ultra3) basic_machine=a29k-nyu os=-sym1 ;; v810 | necv810) basic_machine=v810-nec os=-none ;; vaxv) basic_machine=vax-dec os=-sysv ;; vms) basic_machine=vax-dec os=-vms ;; vpp*|vx|vx-*) basic_machine=f301-fujitsu ;; vxworks960) basic_machine=i960-wrs os=-vxworks ;; vxworks68) basic_machine=m68k-wrs os=-vxworks ;; vxworks29k) basic_machine=a29k-wrs os=-vxworks ;; w65*) basic_machine=w65-wdc os=-none ;; w89k-*) basic_machine=hppa1.1-winbond os=-proelf ;; xbox) basic_machine=i686-pc os=-mingw32 ;; xps | xps100) basic_machine=xps100-honeywell ;; xscale-* | xscalee[bl]-*) basic_machine=`echo $basic_machine | sed 's/^xscale/arm/'` ;; ymp) basic_machine=ymp-cray os=-unicos ;; z8k-*-coff) basic_machine=z8k-unknown os=-sim ;; z80-*-coff) basic_machine=z80-unknown os=-sim ;; none) basic_machine=none-none os=-none ;; # Here we handle the default manufacturer of certain CPU types. It is in # some cases the only manufacturer, in others, it is the most popular. 
w89k) basic_machine=hppa1.1-winbond ;; op50n) basic_machine=hppa1.1-oki ;; op60c) basic_machine=hppa1.1-oki ;; romp) basic_machine=romp-ibm ;; mmix) basic_machine=mmix-knuth ;; rs6000) basic_machine=rs6000-ibm ;; vax) basic_machine=vax-dec ;; pdp10) # there are many clones, so DEC is not a safe bet basic_machine=pdp10-unknown ;; pdp11) basic_machine=pdp11-dec ;; we32k) basic_machine=we32k-att ;; sh[1234] | sh[24]a | sh[24]aeb | sh[34]eb | sh[1234]le | sh[23]ele) basic_machine=sh-unknown ;; sparc | sparcv8 | sparcv9 | sparcv9b | sparcv9v) basic_machine=sparc-sun ;; cydra) basic_machine=cydra-cydrome ;; orion) basic_machine=orion-highlevel ;; orion105) basic_machine=clipper-highlevel ;; mac | mpw | mac-mpw) basic_machine=m68k-apple ;; pmac | pmac-mpw) basic_machine=powerpc-apple ;; *-unknown) # Make sure to match an already-canonicalized machine name. ;; *) echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 exit 1 ;; esac # Here we canonicalize certain aliases for manufacturers. case $basic_machine in *-digital*) basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` ;; *-commodore*) basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` ;; *) ;; esac # Decode manufacturer-specific aliases for certain operating systems. if [ x"$os" != x"" ] then case $os in # First match some system type aliases # that might get confused with valid system types. # -solaris* is a basic system type, with this one exception. -auroraux) os=-auroraux ;; -solaris1 | -solaris1.*) os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; -solaris) os=-solaris2 ;; -svr4*) os=-sysv4 ;; -unixware*) os=-sysv4.2uw ;; -gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; # First accept the basic system types. # The portable systems comes first. # Each alternative MUST END IN A *, to match a version number. # -sysv* is not here because it comes later, after sysvr4. 
-gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ | -sym* | -kopensolaris* \ | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ | -aos* | -aros* \ | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ | -openbsd* | -solidbsd* \ | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ | -chorusos* | -chorusrdb* | -cegcc* \ | -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ | -mingw32* | -linux-gnu* | -linux-android* \ | -linux-newlib* | -linux-uclibc* \ | -uxpv* | -beos* | -mpeix* | -udk* \ | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es*) # Remember, each alternative MUST END IN *, to match a version number. 
;; -qnx*) case $basic_machine in x86-* | i*86-*) ;; *) os=-nto$os ;; esac ;; -nto-qnx*) ;; -nto*) os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) ;; -mac*) os=`echo $os | sed -e 's|mac|macos|'` ;; -linux-dietlibc) os=-linux-dietlibc ;; -linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; -sunos5*) os=`echo $os | sed -e 's|sunos5|solaris2|'` ;; -sunos6*) os=`echo $os | sed -e 's|sunos6|solaris3|'` ;; -opened*) os=-openedition ;; -os400*) os=-os400 ;; -wince*) os=-wince ;; -osfrose*) os=-osfrose ;; -osf*) os=-osf ;; -utek*) os=-bsd ;; -dynix*) os=-bsd ;; -acis*) os=-aos ;; -atheos*) os=-atheos ;; -syllable*) os=-syllable ;; -386bsd) os=-bsd ;; -ctix* | -uts*) os=-sysv ;; -nova*) os=-rtmk-nova ;; -ns2 ) os=-nextstep2 ;; -nsk*) os=-nsk ;; # Preserve the version number of sinix5. -sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; -sinix*) os=-sysv4 ;; -tpf*) os=-tpf ;; -triton*) os=-sysv3 ;; -oss*) os=-sysv3 ;; -svr4) os=-sysv4 ;; -svr3) os=-sysv3 ;; -sysvr4) os=-sysv4 ;; # This must come after -sysvr4. -sysv*) ;; -ose*) os=-ose ;; -es1800*) os=-ose ;; -xenix) os=-xenix ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) os=-mint ;; -aros*) os=-aros ;; -kaos*) os=-kaos ;; -zvmoe) os=-zvmoe ;; -dicos*) os=-dicos ;; -nacl*) ;; -none) ;; *) # Get rid of the `-' at the beginning of $os. os=`echo $os | sed 's/[^-]*-//'` echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 exit 1 ;; esac else # Here we handle the default operating systems that come with various machines. # The value should be what the vendor currently ships out the door with their # machine or put another way, the most popular os provided with the machine. 
# Note that if you're going to try to match "-MANUFACTURER" here (say, # "-sun"), then you have to tell the case statement up towards the top # that MANUFACTURER isn't an operating system. Otherwise, code above # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. case $basic_machine in score-*) os=-elf ;; spu-*) os=-elf ;; *-acorn) os=-riscix1.2 ;; arm*-rebel) os=-linux ;; arm*-semi) os=-aout ;; c4x-* | tic4x-*) os=-coff ;; tic54x-*) os=-coff ;; tic55x-*) os=-coff ;; tic6x-*) os=-coff ;; # This must come before the *-dec entry. pdp10-*) os=-tops20 ;; pdp11-*) os=-none ;; *-dec | vax-*) os=-ultrix4.2 ;; m68*-apollo) os=-domain ;; i386-sun) os=-sunos4.0.2 ;; m68000-sun) os=-sunos3 # This also exists in the configure program, but was not the # default. # os=-sunos4 ;; m68*-cisco) os=-aout ;; mep-*) os=-elf ;; mips*-cisco) os=-elf ;; mips*-*) os=-elf ;; or32-*) os=-coff ;; *-tti) # must be before sparc entry or we get the wrong os. os=-sysv3 ;; sparc-* | *-sun) os=-sunos4.1.1 ;; *-be) os=-beos ;; *-haiku) os=-haiku ;; *-ibm) os=-aix ;; *-knuth) os=-mmixware ;; *-wec) os=-proelf ;; *-winbond) os=-proelf ;; *-oki) os=-proelf ;; *-hp) os=-hpux ;; *-hitachi) os=-hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) os=-sysv ;; *-cbm) os=-amigaos ;; *-dg) os=-dgux ;; *-dolphin) os=-sysv3 ;; m68k-ccur) os=-rtu ;; m88k-omron*) os=-luna ;; *-next ) os=-nextstep ;; *-sequent) os=-ptx ;; *-crds) os=-unos ;; *-ns) os=-genix ;; i370-*) os=-mvs ;; *-next) os=-nextstep3 ;; *-gould) os=-sysv ;; *-highlevel) os=-bsd ;; *-encore) os=-bsd ;; *-sgi) os=-irix ;; *-siemens) os=-sysv4 ;; *-masscomp) os=-rtu ;; f30[01]-fujitsu | f700-fujitsu) os=-uxpv ;; *-rom68k) os=-coff ;; *-*bug) os=-coff ;; *-apple) os=-macos ;; *-atari*) os=-mint ;; *) os=-none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. 
vendor=unknown case $basic_machine in *-unknown) case $os in -riscix*) vendor=acorn ;; -sunos*) vendor=sun ;; -cnk*|-aix*) vendor=ibm ;; -beos*) vendor=be ;; -hpux*) vendor=hp ;; -mpeix*) vendor=hp ;; -hiux*) vendor=hitachi ;; -unos*) vendor=crds ;; -dgux*) vendor=dg ;; -luna*) vendor=omron ;; -genix*) vendor=ns ;; -mvs* | -opened*) vendor=ibm ;; -os400*) vendor=ibm ;; -ptx*) vendor=sequent ;; -tpf*) vendor=ibm ;; -vxsim* | -vxworks* | -windiss*) vendor=wrs ;; -aux*) vendor=apple ;; -hms*) vendor=hitachi ;; -mpw* | -macos*) vendor=apple ;; -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) vendor=atari ;; -vos*) vendor=stratus ;; esac basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac echo $basic_machine$os exit # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: radsecproxy-1.6.2/COPYING0000664000175100017510000000014312042223225012033 00000000000000Copyright (C) 2006-2009 Stig Venaas See the LICENSE file for licensing terms. radsecproxy-1.6.2/fticks_hashmac.h0000664000175100017510000000035112042223225014121 00000000000000/* Copyright (C) 2011 NORDUnet A/S * See LICENSE for information about licensing. */ #include #include int fticks_hashmac(const uint8_t *in, const uint8_t *key, size_t out_len, uint8_t *out); radsecproxy-1.6.2/util.c0000664000175100017510000001357312042223225012134 00000000000000/* * Copyright (C) 2006-2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
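*/
/* Code contributions from:
 *
 * Stefan Winter
 */
/* NOTE(review): the <...> header names of the bare #include directives below
 * are missing on this page; restore them from the upstream file before
 * building. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "debug.h"
#include "util.h"

/*
 * Return a malloc'ed, NUL-terminated copy of the first len bytes of s.
 * A len of 0 means "copy strlen(s) bytes". Returns NULL when s is NULL,
 * len is negative or the allocation fails, so callers must check the
 * result; the caller owns the returned buffer and frees it.
 * The caller must ensure s really holds at least len bytes.
 */
char *stringcopy(const char *s, int len) {
    char *r;
    size_t n;

    if (!s || len < 0)
        return NULL;
    n = len ? (size_t)len : strlen(s);
    r = malloc(n + 1);
    if (!r) {
        /* Previously execution fell through to memcpy() on a NULL pointer. */
        debug(DBG_ERR, "stringcopy: malloc failed");
        return NULL;
    }
    memcpy(r, s, n);
    r[n] = '\0';
    return r;
}

/*
 * Print an optional prefix followed by len bytes of chars and a newline.
 * prefixfmt and charfmt are handed to printf() as format strings (defaults
 * "%s: " and "%c"), so they must be trusted constants, never data taken
 * from the network or from configuration.
 */
void printfchars(char *prefixfmt, char *prefix, char *charfmt, char *chars, int len) {
    int i;
    unsigned char *s = (unsigned char *)chars;

    if (prefix)
        printf(prefixfmt ? prefixfmt : "%s: ", prefix);
    for (i = 0; i < len; i++)
        printf(charfmt ? charfmt : "%c", s[i]);
    printf("\n");
}

/*
 * Store port (host byte order) into sa in network byte order.
 * Address families other than AF_INET and AF_INET6 are left untouched.
 */
void port_set(struct sockaddr *sa, uint16_t port) {
    switch (sa->sa_family) {
    case AF_INET:
        ((struct sockaddr_in *)sa)->sin_port = htons(port);
        break;
    case AF_INET6:
        ((struct sockaddr_in6 *)sa)->sin6_port = htons(port);
        break;
    default:
        break;
    }
}

/*
 * Allocate a zeroed sockaddr of the same family as in and copy the address
 * field only (the port is left at zero). Returns NULL if the allocation
 * fails or the family is neither AF_INET nor AF_INET6; the caller frees
 * the result.
 */
struct sockaddr *addr_copy(struct sockaddr *in) {
    struct sockaddr *out = NULL;

    switch (in->sa_family) {
    case AF_INET:
        out = malloc(sizeof(struct sockaddr_in));
        if (out) {
            memset(out, 0, sizeof(struct sockaddr_in));
            ((struct sockaddr_in *)out)->sin_addr = ((struct sockaddr_in *)in)->sin_addr;
        }
        break;
    case AF_INET6:
        out = malloc(sizeof(struct sockaddr_in6));
        if (out) {
            memset(out, 0, sizeof(struct sockaddr_in6));
            ((struct sockaddr_in6 *)out)->sin6_addr = ((struct sockaddr_in6 *)in)->sin6_addr;
        }
        break;
    default:
        break;
    }
    /* out is still NULL after a failed malloc or an unsupported family;
     * the original dereferenced it unconditionally. */
    if (!out)
        return NULL;
    out->sa_family = in->sa_family;
#ifdef SIN6_LEN
    out->sa_len = in->sa_len;
#endif
    return out;
}

/*
 * Return the numeric text form of addr. An IPv4-mapped IPv6 address is
 * first rewritten as an AF_INET sockaddr before formatting. The result
 * points into one of two static buffers that are used alternately without
 * any locking, so it is overwritten by the second following call and must
 * be copied if it has to survive. On failure the literal string
 * "getnameinfo_failed" is returned.
 */
char *addr2string(struct sockaddr *addr) {
    struct sockaddr_in6 *sa6;
    struct sockaddr_in sa4;
    static char addr_buf[2][INET6_ADDRSTRLEN];
    static int i = 0;

    i = !i;
    if (addr->sa_family == AF_INET6) {
        sa6 = (struct sockaddr_in6 *)addr;
        if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
            memset(&sa4, 0, sizeof(sa4));
            sa4.sin_family = AF_INET;
            sa4.sin_port = sa6->sin6_port;
            /* the embedded IPv4 address is the last four octets */
            memcpy(&sa4.sin_addr, &sa6->sin6_addr.s6_addr[12], 4);
            addr = (struct sockaddr *)&sa4;
        }
    }
    if (getnameinfo(addr, SOCKADDRP_SIZE(addr), addr_buf[i], sizeof(addr_buf[i]),
                    NULL, 0, NI_NUMERICHOST)) {
        debug(DBG_WARN, "getnameinfo failed");
        return "getnameinfo_failed";
    }
    return addr_buf[i];
}

/* Disable the "Don't Fragment" bit for UDP sockets. It is set by default,
   which may cause an "oversized" RADIUS packet to be discarded on first
   attempt (due to Path MTU discovery).
   Only IPv4 datagram sockets are touched; a setsockopt() failure is logged
   and otherwise ignored. */
void disable_DF_bit(int socket, struct addrinfo *res) {
    if ((res->ai_family == AF_INET) && (res->ai_socktype == SOCK_DGRAM)) {
#if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
        /*
         * Turn off Path MTU discovery on IPv4/UDP sockets, Linux variant.
         */
        int r, action;

        debug(DBG_INFO, "disable_DF_bit: disabling DF bit (Linux variant)");
        action = IP_PMTUDISC_DONT;
        r = setsockopt(socket, IPPROTO_IP, IP_MTU_DISCOVER, &action, sizeof(action));
        if (r == -1)
            debug(DBG_WARN, "Failed to set IP_MTU_DISCOVER");
#else
        debug(DBG_INFO, "Non-Linux platform, unable to unset DF bit for UDP. You should check with tcpdump whether radsecproxy will send its UDP packets with DF bit set!");
#endif
    }
}

/*
 * Walk the addrinfo list and return the first socket that could be created
 * and bound. family == AF_UNSPEC accepts every entry, otherwise only
 * entries of that family are tried. reuse requests SO_REUSEADDR and v6only
 * requests IPV6_V6ONLY (where defined); the results of those setsockopt()
 * calls are not checked. A socket whose bind() fails is closed again.
 * Returns the descriptor, or -1 if no entry could be bound.
 */
int bindtoaddr(struct addrinfo *addrinfo, int family, int reuse, int v6only) {
    int s, on = 1;
    struct addrinfo *res;

    for (res = addrinfo; res; res = res->ai_next) {
        if (family != AF_UNSPEC && family != res->ai_family)
            continue;
        s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
        if (s < 0) {
            debug(DBG_WARN, "bindtoaddr: socket failed");
            continue;
        }

        disable_DF_bit(s, res);

        if (reuse)
            setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
#ifdef IPV6_V6ONLY
        if (v6only)
            setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
#endif
        if (!bind(s, res->ai_addr, res->ai_addrlen))
            return s;
        debug(DBG_WARN, "bindtoaddr: bind failed");
        close(s);
    }
    return -1;
}

/*
 * connect() with a timeout: the socket is switched to non-blocking mode,
 * the connection is started, select() waits for writability and SO_ERROR
 * decides the outcome. The original file status flags are restored before
 * returning. Returns 0 on success and -1 on failure or timeout; the caller
 * keeps ownership of s in both cases.
 */
int connectnonblocking(int s, const struct sockaddr *addr, socklen_t addrlen, struct timeval *timeout) {
    int origflags, error = 0, r = -1;
    fd_set writefds;
    socklen_t len;

    origflags = fcntl(s, F_GETFL, 0);
    if (origflags == -1)
        return -1; /* invalid descriptor: do not write -1 back as the flag set */
    fcntl(s, F_SETFL, origflags | O_NONBLOCK);
    if (!connect(s, addr, addrlen)) {
        r = 0;
        goto exit;
    }
    if (errno != EINPROGRESS)
        goto exit;

    /* FD_SET() on a descriptor >= FD_SETSIZE writes outside the fd_set. */
    if (s >= FD_SETSIZE) {
        debug(DBG_WARN, "connectnonblocking: descriptor too large for select");
        goto exit;
    }
    FD_ZERO(&writefds);
    FD_SET(s, &writefds);
    if (select(s + 1, NULL, &writefds, NULL, timeout) < 1)
        goto exit;

    len = sizeof(error);
    if (!getsockopt(s, SOL_SOCKET, SO_ERROR, (char *)&error, &len) && !error)
        r = 0;

exit:
    fcntl(s, F_SETFL, origflags);
    return r;
}

/*
 * Try each destination in addrinfo in turn, binding a fresh socket to src
 * (same family as the destination) for every attempt. timeout is in
 * seconds; 0 selects a plain blocking connect(). When more than one
 * destination is listed the per-attempt timeout is capped at 5 seconds.
 * Returns the connected socket or -1.
 */
int connecttcp(struct addrinfo *addrinfo, struct addrinfo *src, uint16_t timeout) {
    int s = -1;
    struct addrinfo *res;
    struct timeval to = { 0, 0 };
    struct timeval attempt;

    if (timeout) {
        if (addrinfo && addrinfo->ai_next && timeout > 5)
            timeout = 5;
        to.tv_sec = timeout;
        to.tv_usec = 0;
    }

    for (res = addrinfo; res; res = res->ai_next) {
        s = bindtoaddr(src, res->ai_family, 1, 1);
        if (s < 0) {
            debug(DBG_WARN, "connecttoserver: socket failed");
            continue;
        }
        /* select() may modify the timeval it is given, so every attempt
         * gets its own copy of the full timeout. */
        attempt = to;
        if ((timeout
             ? connectnonblocking(s, res->ai_addr, res->ai_addrlen, &attempt)
             : connect(s, res->ai_addr, res->ai_addrlen)) == 0)
            break;
        debug(DBG_WARN, "connecttoserver: connect failed");
        close(s);
        s = -1;
    }
    return s;
}

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/tls.h0000664000175100017510000000061612042223225011760 00000000000000/*
 * Copyright (C) 2006-2008 Stig Venaas
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 */

const struct protodefs *tlsinit(uint8_t h);

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/LICENSE0000664000175100017510000000351112042223225012007 00000000000000The radsecproxy source code is subject to two licenses, you may pick
the one that best suits your needs.

The radsecproxy source code is subject to the terms of the GNU General
Public License Version 2 or later (GPL).

Alternatively the radsecproxy source code is subject to the terms of
the below BSD style license.

 * Copyright (c) 2006-2010, UNINETT AS
 * Copyright (c) 2010,2011, NORDUnet A/S
 * All rights reserved.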
* * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * * Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with distribution. * * Neither the name of the UNINETT AS nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY UNINETT AS ``AS IS'' AND ANY * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL UNINETT AS BE LIABLE FOR ANY * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. radsecproxy-1.6.2/hash.h0000664000175100017510000000246712042223225012107 00000000000000/* * Copyright (C) 2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
*/ #ifndef SYS_SOLARIS9 #include #endif struct hash { struct list *hashlist; pthread_mutex_t mutex; }; struct hash_entry { void *key; uint32_t keylen; void *data; struct list_node *next; /* used when walking through hash */ }; /* allocates and initialises hash structure; returns NULL if malloc fails */ struct hash *hash_create(); /* frees all memory associated with the hash */ void hash_destroy(struct hash *hash); /* insert entry in hash; returns 1 if ok, 0 if malloc fails */ int hash_insert(struct hash *hash, void *key, uint32_t keylen, void *data); /* reads entry from hash */ void *hash_read(struct hash *hash, void *key, uint32_t keylen); /* extracts (read and remove) entry from hash */ void *hash_extract(struct hash *hash, void *key, uint32_t keylen); /* returns first entry */ struct hash_entry *hash_first(struct hash *hash); /* returns the next entry after the argument */ struct hash_entry *hash_next(struct hash_entry *entry); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/util.h0000664000175100017510000000221612042223225012131 00000000000000/* * Copyright (C) 2006-2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ #include #include #define SOCKADDR_SIZE(addr) ((addr).ss_family == AF_INET ? \ sizeof(struct sockaddr_in) : \ sizeof(struct sockaddr_in6)) #define SOCKADDRP_SIZE(addr) ((addr)->sa_family == AF_INET ? 
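\ sizeof(struct sockaddr_in) : \ sizeof(struct sockaddr_in6))

char *stringcopy(const char *s, int len);
char *addr2string(struct sockaddr *addr);
struct sockaddr *addr_copy(struct sockaddr *in);
void port_set(struct sockaddr *sa, uint16_t port);

void printfchars(char *prefixfmt, char *prefix, char *charfmt, char *chars, int len);
void disable_DF_bit(int socket, struct addrinfo *res);
int bindtoaddr(struct addrinfo *addrinfo, int family, int reuse, int v6only);
int connecttcp(struct addrinfo *addrinfo, struct addrinfo *src, uint16_t timeout);

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/hostport.c0000664000175100017510000002132312042223225013031 00000000000000/*
 * Copyright (C) 2006-2009 Stig Venaas
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 */

/* Code contributions from:
 *
 * Simon Leinen
 */
/* NOTE(review): the <...> header names of the bare #include directives below
 * are missing on this page; restore them from the upstream file before
 * building. */
#include
#include
#include
#include
#include
#include "debug.h"
#include "util.h"
#include "list.h"
#include "hostport.h"

/* Release hp together with its host and port strings and its resolved
 * address list. A NULL hp is accepted. */
void freehostport(struct hostportres *hp) {
    if (!hp)
        return;
    free(hp->host);
    free(hp->port);
    if (hp->addrinfo)
        freeaddrinfo(hp->addrinfo);
    free(hp);
}

/*
 * Split hostport into hp->host and hp->port. Accepted forms are "host",
 * "host:port" and "[literal]:port"; a host part outside brackets ends at
 * ':', '/', blank, tab or newline. When no port is given a copy of
 * default_port (which may be NULL) is stored. A NULL hostport only sets
 * the port. Returns 1 on success and 0 on a syntax error or allocation
 * failure; strings already stored in hp are left for the caller to free.
 */
static int parsehostport(struct hostportres *hp, char *hostport, char *default_port) {
    char *p, *field;
    int ipv6 = 0;

    if (!hostport) {
        hp->port = default_port ? stringcopy(default_port, 0) : NULL;
        if (default_port && !hp->port) {
            debug(DBG_ERR, "parsehostport: malloc failed");
            return 0;
        }
        return 1;
    }
    p = hostport;
    /* allow literal addresses and port, e.g. [2001:db8::1]:1812 */
    if (*p == '[') {
        p++;
        field = p;
        for (; *p && *p != ']' && *p != ' ' && *p != '\t' && *p != '\n'; p++);
        if (*p != ']') {
            debug(DBG_ERR, "no ] matching initial [");
            return 0;
        }
        ipv6 = 1;
    } else {
        field = p;
        for (; *p && *p != ':' && *p != '/' && *p != ' ' && *p != '\t' && *p != '\n'; p++);
    }
    if (field == p) {
        debug(DBG_ERR, "missing host/address");
        return 0;
    }
    hp->host = stringcopy(field, p - field);
    /* A NULL host means "any host" to the callers in this file, so a failed
     * copy must be reported instead of being stored. */
    if (!hp->host) {
        debug(DBG_ERR, "parsehostport: malloc failed");
        return 0;
    }
    if (ipv6) {
        p++; /* step over the closing ']' */
        if (*p && *p != ':' && *p != '/' && *p != ' ' && *p != '\t' && *p != '\n') {
            debug(DBG_ERR, "unexpected character after ]");
            return 0;
        }
    }
    if (*p == ':') {
        /* port number or service name is specified */
        field = ++p;
        for (; *p && *p != ' ' && *p != '\t' && *p != '\n'; p++);
        if (field == p) {
            debug(DBG_ERR, "syntax error, : but no following port");
            return 0;
        }
        hp->port = stringcopy(field, p - field);
        if (!hp->port) {
            debug(DBG_ERR, "parsehostport: malloc failed");
            return 0;
        }
    } else {
        hp->port = default_port ? stringcopy(default_port, 0) : NULL;
        if (default_port && !hp->port) {
            debug(DBG_ERR, "parsehostport: malloc failed");
            return 0;
        }
    }
    return 1;
}

/*
 * Build a hostportres from a "host[:port][/prefixlen]" string. A host of
 * "*" is stored as NULL. A "/prefixlen" suffix is accepted only when
 * prefixok is non-zero and must be a decimal number in 0..128; without a
 * suffix prefixlen is set to 255, which the rest of this file treats as
 * "no prefix". Returns NULL on any error; the caller frees the result
 * with freehostport().
 */
struct hostportres *newhostport(char *hostport, char *default_port, uint8_t prefixok) {
    struct hostportres *hp;
    char *slash, *s;
    const char *hostname;
    int plen;

    hp = malloc(sizeof(struct hostportres));
    if (!hp) {
        debug(DBG_ERR, "resolve_newhostport: malloc failed");
        goto errexit;
    }
    memset(hp, 0, sizeof(struct hostportres));

    if (!parsehostport(hp, hostport, default_port))
        goto errexit;

    if (hp->host && !strcmp(hp->host, "*")) {
        free(hp->host);
        hp->host = NULL;
    }
    /* hp->host may be NULL here; never hand NULL to a %s conversion */
    hostname = hp->host ? hp->host : "*";

    slash = hostport ? strchr(hostport, '/') : NULL;
    if (slash) {
        if (!prefixok) {
            debug(DBG_WARN, "newhostport: prefix not allowed here");
            goto errexit;
        }
        s = slash + 1;
        if (!*s) {
            debug(DBG_WARN, "newhostport: prefix length must be specified after the / in %s", hostname);
            goto errexit;
        }
        /* Accumulate the number by hand and stop at the first value above
         * 128, so an over-long digit string cannot overflow (atoi() has
         * undefined behaviour on out-of-range input). */
        plen = 0;
        for (; *s; s++) {
            if (*s < '0' || *s > '9') {
                debug(DBG_WARN, "newhostport: %s in %s is not a valid prefix length", slash + 1, hostname);
                goto errexit;
            }
            plen = plen * 10 + (*s - '0');
            if (plen > 128) {
                debug(DBG_WARN, "newhostport: %s in %s is not a valid prefix length", slash + 1, hostname);
                goto errexit;
            }
        }
        hp->prefixlen = plen;
    } else
        hp->prefixlen = 255;
    return hp;

errexit:
    freehostport(hp);
    return NULL;
}

/*
 * Resolve hp->host / hp->port into hp->addrinfo with getaddrinfo().
 * passive requests AI_PASSIVE. When both host and port are NULL a dummy
 * service is resolved and every resulting port is reset to 0. When a
 * prefix length is set only numeric hosts are accepted (AI_NUMERICHOST)
 * and an IPv4 prefix must not exceed 32 bits. Returns 1 on success; on
 * failure returns 0 and leaves hp->addrinfo NULL.
 */
int resolvehostport(struct hostportres *hp, int af, int socktype, uint8_t passive) {
    struct addrinfo hints, *res;
    const char *hostname = hp->host ? hp->host : "(null)";

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = socktype;
    hints.ai_family = af;
    if (passive)
        hints.ai_flags = AI_PASSIVE;

    if (!hp->host && !hp->port) {
        /* getaddrinfo() doesn't like host and port to be NULL */
        if (getaddrinfo(hp->host, "1812" /* can be anything */, &hints, &hp->addrinfo)) {
            debug(DBG_WARN, "resolvehostport: can't resolve (null) port (null)");
            goto errexit;
        }
        for (res = hp->addrinfo; res; res = res->ai_next)
            port_set(res->ai_addr, 0);
    } else {
        if (hp->prefixlen != 255)
            hints.ai_flags |= AI_NUMERICHOST;
        if (getaddrinfo(hp->host, hp->port, &hints, &hp->addrinfo)) {
            debug(DBG_WARN, "resolvehostport: can't resolve %s port %s", hp->host ? hp->host : "(null)", hp->port ? hp->port : "(null)");
            goto errexit;
        }
        if (hp->prefixlen != 255) {
            /* only the first result's family is inspected */
            switch (hp->addrinfo->ai_family) {
            case AF_INET:
                if (hp->prefixlen > 32) {
                    debug(DBG_WARN, "resolvehostport: prefix length must be <= 32 in %s", hostname);
                    goto errexit;
                }
                break;
            case AF_INET6:
                break;
            default:
                debug(DBG_WARN, "resolvehostport: prefix must be IPv4 or IPv6 in %s", hostname);
                goto errexit;
            }
        }
    }
    debug(DBG_DBG, "%s: %s -> %s", __func__, hostname, addr2string(hp->addrinfo->ai_addr));
    return 1;

errexit:
    if (hp->addrinfo) {
        freeaddrinfo(hp->addrinfo);
        /* freehostport() frees hp->addrinfo as well; clearing the pointer
         * prevents a second freeaddrinfo() on the same list. */
        hp->addrinfo = NULL;
    }
    return 0;
}

/*
 * Parse every string of the NULL-terminated array hostport and append the
 * result to *hostports, creating the list on first use. Returns 1 on
 * success and 0 on the first failure; entries appended before the failure
 * stay in the list.
 */
int addhostport(struct list **hostports, char **hostport, char *portdefault, uint8_t prefixok) {
    struct hostportres *hp;
    int i;

    if (!*hostports) {
        *hostports = list_create();
        if (!*hostports) {
            debug(DBG_ERR, "addhostport: malloc failed");
            return 0;
        }
    }

    for (i = 0; hostport[i]; i++) {
        hp = newhostport(hostport[i], portdefault, prefixok);
        if (!hp)
            return 0;
        if (!list_push(*hostports, hp)) {
            freehostport(hp);
            debug(DBG_ERR, "addhostport: malloc failed");
            return 0;
        }
    }
    return 1;
}

/* Free every hostportres stored in hostports, then the list itself. */
void freehostports(struct list *hostports) {
    struct hostportres *hp;

    while ((hp = (struct hostportres *)list_shift(hostports)))
        freehostport(hp);
    list_destroy(hostports);
}

/* Resolve (non-passive) every list entry that has no addrinfo yet.
 * Returns 0 as soon as one entry fails to resolve, else 1. */
int resolvehostports(struct list *hostports, int af, int socktype) {
    struct list_node *entry;
    struct hostportres *hp;

    for (entry = list_first(hostports); entry; entry = list_next(entry)) {
        hp = (struct hostportres *)entry->data;
        if (!hp->addrinfo && !resolvehostport(hp, af, socktype, 0))
            return 0;
    }
    return 1;
}

/*
 * Parse hostport (prefixes not allowed) and resolve it with AI_PASSIVE.
 * Returns the addrinfo list, which the caller releases with
 * freeaddrinfo(), or NULL on failure.
 */
struct addrinfo *resolvepassiveaddrinfo(char *hostport, int af, char *default_port, int socktype) {
    struct addrinfo *ai = NULL;
    struct hostportres *hp = newhostport(hostport, default_port, 0);

    if (hp && resolvehostport(hp, af, socktype, 1)) {
        /* detach the list so freehostport() below does not free it */
        ai = hp->addrinfo;
        hp->addrinfo = NULL;
    }
    freehostport(hp);
    return ai;
}

/* returns 1 if the len first bits are equal, else 0 */
static int prefixmatch(void *a1, void *a2, uint8_t len) {
    /* mask[r] keeps the r most significant bits of an octet */
    static const uint8_t mask[] = { 0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe };
    uint8_t r, l = len / 8;

    /* whole octets first */
    if (l && memcmp(a1, a2, l))
        return 0;
    r = len % 8;
    if (!r)
        return 1;
    return (((uint8_t *)a1)[l] & mask[r]) == (((uint8_t *)a2)[l] & mask[r]);
}

/*
 * Return 1 if addr matches one of the resolved addresses in hostports,
 * else 0. An IPv4-mapped IPv6 addr is compared as IPv4; any family other
 * than AF_INET6 is treated as AF_INET. Entries without a prefix
 * (prefixlen == 255) need an exact address match and, when checkport is
 * non-zero, an equal port; entries with a prefix compare only the leading
 * prefixlen bits and ignore checkport.
 */
int addressmatches(struct list *hostports, struct sockaddr *addr, uint8_t checkport) {
    struct sockaddr_in6 *sa6 = NULL;
    struct in_addr *a4 = NULL;
    struct addrinfo *res;
    struct list_node *entry;
    struct hostportres *hp = NULL;
    uint16_t port; /* peer port in network byte order */

    if (addr->sa_family == AF_INET6) {
        sa6 = (struct sockaddr_in6 *)addr;
        /* Read the port through the real type; the original read it via a
         * sockaddr_in cast even for IPv4-mapped IPv6 peers. */
        port = sa6->sin6_port;
        if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) {
            a4 = (struct in_addr *)&sa6->sin6_addr.s6_addr[12];
            sa6 = NULL;
        }
    } else {
        a4 = &((struct sockaddr_in *)addr)->sin_addr;
        port = ((struct sockaddr_in *)addr)->sin_port;
    }

    for (entry = list_first(hostports); entry; entry = list_next(entry)) {
        hp = (struct hostportres *)entry->data;
        for (res = hp->addrinfo; res; res = res->ai_next) {
            if (a4 && res->ai_family == AF_INET) {
                struct sockaddr_in *cand4 = (struct sockaddr_in *)res->ai_addr;

                if (hp->prefixlen == 255) {
                    if (!memcmp(a4, &cand4->sin_addr, 4) &&
                        (!checkport || cand4->sin_port == port))
                        return 1;
                } else if (prefixmatch(a4, &cand4->sin_addr, hp->prefixlen))
                    return 1;
            } else if (sa6 && res->ai_family == AF_INET6) {
                struct sockaddr_in6 *cand6 = (struct sockaddr_in6 *)res->ai_addr;

                if (hp->prefixlen == 255) {
                    if (!memcmp(&sa6->sin6_addr, &cand6->sin6_addr, 16) &&
                        (!checkport || cand6->sin6_port == port))
                        return 1;
                } else if (prefixmatch(&sa6->sin6_addr, &cand6->sin6_addr, hp->prefixlen))
                    return 1;
            }
        }
    }
    return 0;
}

/* Try the entries of hostports in list order and return the first TCP
 * socket that connects, or -1. The per-host timeout passed to connecttcp()
 * is 5 seconds when the list has more than one entry, else 30. */
int connecttcphostlist(struct list *hostports, struct addrinfo *src) {
    int s;
    struct list_node *entry;
    struct hostportres *hp = NULL;

    for (entry = list_first(hostports); entry; entry = list_next(entry)) {
        hp = (struct hostportres *)entry->data;
        debug(DBG_WARN, "connecttcphostlist: trying to open TCP connection to %s port %s", hp->host, hp->port);
        if ((s = connecttcp(hp->addrinfo, src, list_count(hostports) > 1 ?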
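5 : 30)) >= 0) {
            debug(DBG_WARN, "connecttcphostlist: TCP connection to %s port %s up", hp->host, hp->port);
            return s;
        }
    }
    debug(DBG_ERR, "connecttcphostlist: failed");
    return -1;
}

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/radmsg.c0000664000175100017510000001775612042223225012443 00000000000000/*
 * Copyright (C) 2006-2008 Stig Venaas
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 */

/* NOTE(review): the <...> header names of the bare #include directives below
 * are missing on this page; restore them from the upstream file before
 * building. */
#ifdef SYS_SOLARIS9
#include
#else
#include
#endif
#include
#include
#include
#include "list.h"
#include "tlv11.h"
#include "radmsg.h"
#include "debug.h"
#include
#include
#include

/* Length field of a raw RADIUS packet: octets 2..3, network byte order.
 * The value comes straight from the packet, so callers must have checked
 * it against the number of bytes actually received before using it. */
#define RADLEN(x) ntohs(((uint16_t *)(x))[1])

/* Compare n octets without an early exit, so the time taken does not
 * reveal how many leading octets of an authenticator were correct.
 * Returns non-zero when the buffers differ. */
static int authdiffers(const unsigned char *a, const unsigned char *b, size_t n) {
    volatile unsigned char acc = 0;
    size_t i;

    for (i = 0; i < n; i++)
        acc |= (unsigned char)(a[i] ^ b[i]);
    return acc != 0;
}

/* Free msg and its attribute list. A NULL msg is accepted. */
void radmsg_free(struct radmsg *msg) {
    if (!msg)
        return;
    freetlvlist(msg->attrs);
    free(msg);
}

/*
 * Allocate a message with the given code and id and an empty attribute
 * list. The 16-octet authenticator is copied from auth or, when auth is
 * NULL, filled with random bytes. Returns NULL on allocation failure or
 * when no random bytes could be obtained.
 */
struct radmsg *radmsg_init(uint8_t code, uint8_t id, uint8_t *auth) {
    struct radmsg *msg;

    msg = malloc(sizeof(struct radmsg));
    if (!msg)
        return NULL;
    memset(msg, 0, sizeof(struct radmsg));
    msg->attrs = list_create();
    if (!msg->attrs) {
        free(msg);
        return NULL;
    }
    msg->code = code;
    msg->id = id;
    if (auth)
        memcpy(msg->auth, auth, 16);
    else if (RAND_bytes(msg->auth, 16) != 1) {
        /* RAND_bytes() reports success only with 1; it can also return -1,
         * which a "!RAND_bytes()" test accepts and leaves the authenticator
         * all zero. radmsg_free() also releases the attribute list, which a
         * bare free(msg) leaked. */
        radmsg_free(msg);
        return NULL;
    }
    return msg;
}

/* Append attr to msg's attribute list. Returns 0 for a NULL attr,
 * otherwise the result of list_push().
 * NOTE(review): a NULL msg or attribute list yields 1, which looks like
 * success although nothing was stored - confirm this is what callers want. */
int radmsg_add(struct radmsg *msg, struct tlv *attr) {
    if (!msg || !msg->attrs)
        return 1;
    if (!attr)
        return 0;
    return list_push(msg->attrs, attr);
}

/* returns first tlv of the given type */
struct tlv *radmsg_gettype(struct radmsg *msg, uint8_t type) {
    struct list_node *node;
    struct tlv *tlv;

    if (!msg)
        return NULL;
    for (node = list_first(msg->attrs); node; node = list_next(node)) {
        tlv = (struct tlv *)node->data;
        if (tlv->t == type)
            return tlv;
    }
    return NULL;
}

/*
 * Verify the Message-Authenticator value at authattr inside the raw packet
 * rad: the 16 octets are saved, zeroed in place, HMAC-MD5 keyed with secret
 * (a NUL-terminated string) is computed over RADLEN(rad) octets, and the
 * saved value is written back before comparing. A static HMAC context is
 * shared by all callers and serialised with a mutex. Returns 1 when the
 * value matches, else 0.
 */
int _checkmsgauth(unsigned char *rad, uint8_t *authattr, uint8_t *secret) {
    static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    static unsigned char first = 1;
    static HMAC_CTX hmacctx;
    unsigned int md_len;
    uint8_t auth[16], hash[EVP_MAX_MD_SIZE];
    int ok = 0;

    pthread_mutex_lock(&lock);
    if (first) {
        HMAC_CTX_init(&hmacctx);
        first = 0;
    }

    memcpy(auth, authattr, 16);
    memset(authattr, 0, 16);
    md_len = 0;
    HMAC_Init_ex(&hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL);
    HMAC_Update(&hmacctx, rad, RADLEN(rad));
    HMAC_Final(&hmacctx, hash, &md_len);
    memcpy(authattr, auth, 16);

    if (md_len != 16)
        debug(DBG_WARN, "message auth computation failed");
    else if (authdiffers(auth, hash, 16))
        /* constant-time comparison instead of memcmp() */
        debug(DBG_WARN, "message authenticator, wrong value");
    else
        ok = 1;

    pthread_mutex_unlock(&lock);
    return ok;
}

/*
 * Check the authenticator of the raw reply rad (octets 4..19): MD5 over
 * the first four header octets, the 16-octet request authenticator
 * reqauth, the attributes (everything after octet 20, if any) and the
 * NUL-terminated shared secret sec. Returns non-zero when it matches.
 * The caller must have validated RADLEN(rad) against the buffer size.
 */
int _validauth(unsigned char *rad, unsigned char *reqauth, unsigned char *sec) {
    static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    static unsigned char first = 1;
    static EVP_MD_CTX mdctx;
    unsigned char hash[EVP_MAX_MD_SIZE];
    unsigned int len;
    int result;

    pthread_mutex_lock(&lock);
    if (first) {
        EVP_MD_CTX_init(&mdctx);
        first = 0;
    }

    /* len first holds the packet length and is then reused as the digest
     * length written by EVP_DigestFinal_ex() */
    len = RADLEN(rad);

    result = (EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) &&
              EVP_DigestUpdate(&mdctx, rad, 4) &&
              EVP_DigestUpdate(&mdctx, reqauth, 16) &&
              (len <= 20 || EVP_DigestUpdate(&mdctx, rad + 20, len - 20)) &&
              EVP_DigestUpdate(&mdctx, sec, strlen((char *)sec)) &&
              EVP_DigestFinal_ex(&mdctx, hash, &len) &&
              len == 16 &&
              !authdiffers(hash, rad + 4, 16)); /* constant-time, not memcmp() */
    pthread_mutex_unlock(&lock);
    return result;
}

/*
 * Compute the Message-Authenticator for the raw packet rad and store it
 * in the 16 octets at authattrval (zeroed first, then HMAC-MD5 over
 * RADLEN(rad) octets keyed with the NUL-terminated secret). A NULL
 * authattrval is a no-op that returns 1. Returns 0 if the digest length
 * is not 16.
 */
int _createmessageauth(unsigned char *rad, unsigned char *authattrval, uint8_t *secret) {
    static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    static unsigned char first = 1;
    static HMAC_CTX hmacctx;
    unsigned int md_len;
    int ok = 1;

    if (!authattrval)
        return 1;

    pthread_mutex_lock(&lock);
    if (first) {
        HMAC_CTX_init(&hmacctx);
        first = 0;
    }

    memset(authattrval, 0, 16);
    md_len = 0;
    HMAC_Init_ex(&hmacctx, secret, strlen((char *)secret), EVP_md5(), NULL);
    HMAC_Update(&hmacctx, rad, RADLEN(rad));
    HMAC_Final(&hmacctx, authattrval, &md_len);
    if (md_len != 16) {
        debug(DBG_WARN, "message auth computation failed");
        ok = 0;
    }
    pthread_mutex_unlock(&lock);
    return ok;
}

/*
 * Write the packet authenticator into octets 4..19 of rad: MD5 over the
 * whole packet (RADLEN(rad) octets, including whatever is currently in
 * the authenticator field) followed by the NUL-terminated secret sec.
 * Returns non-zero on success.
 */
int _radsign(unsigned char *rad, unsigned char *sec) {
    static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    static unsigned char first = 1;
    static EVP_MD_CTX mdctx;
    unsigned int md_len = 0;
    int result;

    pthread_mutex_lock(&lock);
    if (first) {
        EVP_MD_CTX_init(&mdctx);
        first = 0;
    }

    result = (EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) &&
              EVP_DigestUpdate(&mdctx, rad, RADLEN(rad)) &&
              EVP_DigestUpdate(&mdctx, sec, strlen((char *)sec)) &&
              EVP_DigestFinal_ex(&mdctx, rad + 4, &md_len) &&
              md_len == 16);
    pthread_mutex_unlock(&lock);
    return result;
}

/*
 * Serialise msg into a newly malloc'ed wire buffer (20-octet header plus
 * attributes). When secret is given, a Message-Authenticator attribute in
 * the message is filled in and the packet is signed for the reply and
 * accounting codes listed below; for Accounting-Request the computed
 * authenticator is also copied back into msg->auth. Returns NULL when msg
 * is invalid, an attribute value is longer than 253 octets, the packet
 * would exceed 65535 octets, allocation fails or signing fails. The caller
 * frees the buffer.
 */
uint8_t *radmsg2buf(struct radmsg *msg, uint8_t *secret) {
    struct list_node *node;
    struct tlv *tlv;
    int size;
    uint8_t *buf, *p, *msgauth = NULL;

    if (!msg || !msg->attrs)
        return NULL;
    size = 20;
    for (node = list_first(msg->attrs); node; node = list_next(node)) {
        tlv = (struct tlv *)node->data;
        /* The length octet written below is "value length + 2" in a single
         * octet, so a longer value would wrap and yield a malformed packet. */
        if (tlv->l > 253)
            return NULL;
        size += 2 + tlv->l;
        if (size > 65535)
            return NULL;
    }
    buf = malloc(size);
    if (!buf)
        return NULL;

    p = buf;
    *p++ = msg->code;
    *p++ = msg->id;
    /* total length, big-endian, written octet by octet */
    *p++ = (uint8_t)(size >> 8);
    *p++ = (uint8_t)(size & 0xff);
    memcpy(p, msg->auth, 16);
    p += 16;

    for (node = list_first(msg->attrs); node; node = list_next(node)) {
        tlv = (struct tlv *)node->data;
        /* tlv2buf() is defined elsewhere; presumably it writes type, length
         * and value and returns a pointer just past the length octet -
         * confirm. The length octet is then adjusted to include the two
         * header octets. */
        p = tlv2buf(p, tlv);
        p[-1] += 2;
        if (tlv->t == RAD_Attr_Message_Authenticator && secret)
            msgauth = p;
        p += tlv->l;
    }
    if (msgauth && !_createmessageauth(buf, msgauth, secret)) {
        free(buf);
        return NULL;
    }
    if (secret) {
        if ((msg->code == RAD_Access_Accept || msg->code == RAD_Access_Reject || msg->code == RAD_Access_Challenge || msg->code == RAD_Accounting_Response || msg->code == RAD_Accounting_Request) && !_radsign(buf, secret)) {
            free(buf);
            return NULL;
        }
        if (msg->code == RAD_Accounting_Request)
            memcpy(msg->auth, buf + 4, 16);
    }
    return buf;
}

/* if secret set we also validate message authenticator if present */
struct radmsg *buf2radmsg(uint8_t *buf, uint8_t *secret, uint8_t *rqauth) {
    struct radmsg *msg;
    uint8_t t, l, *v = NULL, *p, auth[16];
    uint16_t len;
    struct tlv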
*attr; len = RADLEN(buf); if (len < 20) return NULL; if (secret && buf[0] == RAD_Accounting_Request) { memset(auth, 0, 16); if (!_validauth(buf, auth, secret)) { debug(DBG_WARN, "buf2radmsg: Accounting-Request message authentication failed"); return NULL; } } if (rqauth && !_validauth(buf, rqauth, secret)) { debug(DBG_WARN, "buf2radmsg: Invalid auth, ignoring reply"); return NULL; } msg = radmsg_init(buf[0], buf[1], (uint8_t *)buf + 4); if (!msg) return NULL; p = buf + 20; while (p - buf + 2 <= len) { t = *p++; l = *p++; if (l < 2) { debug(DBG_WARN, "buf2radmsg: invalid attribute length %d", l); radmsg_free(msg); return NULL; } l -= 2; if (l) { if (p - buf + l > len) { debug(DBG_WARN, "buf2radmsg: attribute length %d exceeds packet length", l + 2); radmsg_free(msg); return NULL; } v = p; p += l; } if (t == RAD_Attr_Message_Authenticator && secret) { if (rqauth) memcpy(buf + 4, rqauth, 16); if (l != 16 || !_checkmsgauth(buf, v, secret)) { debug(DBG_WARN, "buf2radmsg: message authentication failed"); if (rqauth) memcpy(buf + 4, msg->auth, 16); radmsg_free(msg); return NULL; } if (rqauth) memcpy(buf + 4, msg->auth, 16); debug(DBG_DBG, "buf2radmsg: message auth ok"); } attr = maketlv(t, l, v); if (!attr || !radmsg_add(msg, attr)) { freetlv(attr); radmsg_free(msg); return NULL; } } return msg; } /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/ChangeLog0000664000175100017510000001601512042223225012557 000000000000002012-10-25 1.6.2 Bug fixes (security): - Fix the issue with verification of clients when using multiple 'tls' config blocks (RADSECPROXY-43) for DTLS too. Fixes CVE-2012-4523. Reported by Raphael Geissert. 2012-09-14 1.6.1 Bug fixes (security): - When verifying clients, don't consider config blocks with CA settings ('tls') which differ from the one used for verifying the certificate chain. Reported by Ralf Paffrath. (RADSECPROXY-43, CVE-2012-4523). Bug fixes: - Make naptr-eduroam.sh check NAPTR type case insensitively. 
Fix from Adam Osuchowski. 2012-04-27 1.6 Incompatible changes: - The default shared secret for TLS and DTLS connections changes from "mysecret" to "radsec" as per draft-ietf-radext-radsec-12 section 2.3 (4). Please make sure to specify a secret in both client and server blocks to avoid unwanted surprises. (RADSECPROXY-19) - The default place to look for a configuration file has changed from /etc to /usr/local/etc. Let radsecproxy know where your configuration file can be found by using the `-c' command line option. Or configure radsecproxy with --sysconfdir=/etc to restore the old behaviour. (RADSECPROXY-31) New features: - Improved F-Ticks logging options. F-Ticks can now be sent to a separate syslog facility and the VISINST label can now be configured explicitly. This was implemented by Maja Gorecka-Wolniewicz and Paweł Gołaszewski. (RADSECPROXY-29) - New config option PidFile. (RADSECPROXY-32) - Preliminary support for DynamicLookupCommand added. It's for TLS servers only at this point. Also, beware of risks for memory leaks. In addition to this, for extra adventurous users, there's a new configure option --enable-experimental-dyndisc which enables even more new code for handling of dynamic discovery of TLS servers. - Address family (IPv4 or IPv6) can now be specified for clients and servers. (RADSECPROXY-37) Bug fixes: - Stop the autoconfery from warning about defining variables conditionally and unconditionally. - Honour configure option --sysconfdir. (RADSECPROXY-31) - Don't crash on failing DynamicLookupCommand scripts. Fix made with help from Ralf Paffrath. (RADSECPROXY-33) - When a DynamicLookupCommand script is failing, fall back to other server(s) in the realm. The timeout depends on the kind of failure. - Other bugs. (RADSECPROXY-26, -28, -34, -35, -39, -40) 2011-10-08 1.5 New features: - Support for F-Ticks logging. - New binary radsecproxy-hash. - A DynamicLookupCommand script can now signal "server not found" by exiting with code 10.
The scripts in the tools directory now do this. Incompatible changes: - catgconf renamed to radsecproxy-conf. Bug fixes: - All compiler warnings removed. Now compiling with -Werror. 2011-07-22 1.4.3 Notes: - The default secret for TLS and DTLS will change in a future release. Please make sure to specify a secret in both client and server blocks to avoid surprises. Bug fixes: - Debug printout issue. 2010-11-23 1.4.2 Bug fixes: - Don't disable OpenSSL session caching for 0.9.8p and newer in the 0.9.x track. - Detect OpenSSL version at runtime rather than at compile time. 2010-11-17 1.4.1 Bug fixes: - OpenSSL session caching is disabled when built against OpenSSL older than 1.0.0b to mitigate possible effects of http://openssl.org/news/secadv_20101116.txt (RADSECPROXY-14). - Crash bug when reading improper config file fixed. 2010-06-12 1.4 Incompatible changes: - Log level 4 used to be DBG_DBG but is now DBG_NOTICE. In order to keep the same behaviour as in previous versions of radsecproxy, those who have LogLevel set to 4 need to change this to 5. Log levels 1, 2 and 3 are unaffected. New features and various improvements: - LoopPrevention per server has been added. - AddVendorAttribute rewrite configuration has been added. - New log level, DBG_NOTICE, added. - Diagnostics improved for errors resulting from failing syscalls. - Removed all compiler warnings (compiling with -Wall). Bug fixes: - A UDP fragmentation issue. - Build on Solaris when compiling with gcc. - A bug in pwdencrypt() with passwords of a length greater than 16 octets. 2009-07-22 1.3.1 Fixed header files for FreeBSD Fix for multiple UDP servers on same IP address, solves accounting problems. 2009-03-12 1.3 Fixed some very minor bugs Changed log levels for some messages, made loglevel 2 default 2009-02-18 1.3-beta Client and Server blocks may contain multiple host options. Configure (Makefile) options for specifying which transports should be supported in a build. 
2008-12-04 1.3-alpha Support for TCP and DTLS transports (type tcp, type dtls) Listen... options can be specified multiple times Dynamic server discovery DuplicateInterval option in client block for specifying for how long a request/reply shall be stored for duplicate detection Support for RADIUS TTL (hopcount) attribute. Decrements value of the TTL attribute if present, discards message if becomes 0. If addTTL option is used, the TTL attribute is added with the specified value if the forwarded message does not have one. PolicyOID option can be used to require certain CA policies. 2008-10-07 1.2 listenTCP and sourceTCP options renamed to listenTLS and sourceTLS Old options deprecated but available for backwards compatibility Logging reply-message attribute from Reject messages Contribution from Arne Schwabe Rewrite blocks have new options addAttribute and modifyAttribute rewriteIn (replacing rewrite) and rewriteOut in client and server blocks for specifying rewrite on input/output. rewrite deprecated but available as an alias for rewriteIn for backwards compatibility. rewritein rewriteout rewrite regular expressions in realms etc can now be more advanced, including use of "or". cacheExpiry option in tls blocks for specifying expiry time for the cache of CA certificates and CRLs. This is particularly useful for regularly updating CRLs.
Some logging has been made more informative 2008-07-24 1.1 Logging stationid attribute Added LoopPrevention option Failover also without status-server Options for RetryCount and RetryInterval Working accounting and AccountingResponse option CRL checking and option for enabling it 2008-05-14 1.1-beta No longer looks for radsecproxy.conf in current directory Rewrite block that allows removal of specified attributes certificateNameCheck option for disabling CN/SubjectAltName check matchCertificateAttribute now also supports CN matching Forwarding of accounting messages, accountingServer option for realms Supports multiple client blocks for same source address with different certificate checks Removed weekday from log timestamps 2007-12-24 1.1-alpha Pretend option for validating configuration Include option for including additional config files Allows clients configured by IP prefix, dynamic clients Server failover support Rewriting of username attribute Source address and port can be specified for requests 2007-10-16 1.0p1 Fixed crash when servers were configured after first realm block 2007-09-21 1.0 radsecproxy-1.6.2/Makefile.in0000664000175100017510000011111712042223267013057 00000000000000# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, # 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, # Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. 
@SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ target_triplet = @target@ sbin_PROGRAMS = radsecproxy$(EXEEXT) bin_PROGRAMS = radsecproxy-conf$(EXEEXT) $(am__EXEEXT_1) subdir = . DIST_COMMON = README $(am__configure_deps) $(dist_man_MANS) \ $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ $(top_srcdir)/configure AUTHORS COPYING ChangeLog INSTALL NEWS \ THANKS compile config.guess config.sub depcomp install-sh \ missing ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ configure.lineno config.status.lineno mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = LIBRARIES = $(noinst_LIBRARIES) AR = ar ARFLAGS = cru librsp_a_AR = $(AR) $(ARFLAGS) librsp_a_LIBADD = am__librsp_a_SOURCES_DIST = fticks.c fticks.h fticks_hashmac.c \ fticks_hashmac.h debug.c debug.h dtls.c dtls.h gconfig.c \ gconfig.h hash.c hash.h hostport.c hostport.h list.c list.h \ radmsg.c radmsg.h radsecproxy.c radsecproxy.h tcp.c tcp.h \ tls.c tls.h tlscommon.c tlscommon.h tlv11.c tlv11.h udp.c \ udp.h util.c util.h @WANT_FTICKS_TRUE@am__objects_1 = fticks.$(OBJEXT) \ @WANT_FTICKS_TRUE@ fticks_hashmac.$(OBJEXT) am_librsp_a_OBJECTS = $(am__objects_1) debug.$(OBJEXT) dtls.$(OBJEXT) \ gconfig.$(OBJEXT) hash.$(OBJEXT) hostport.$(OBJEXT) \ 
list.$(OBJEXT) radmsg.$(OBJEXT) radsecproxy.$(OBJEXT) \ tcp.$(OBJEXT) tls.$(OBJEXT) tlscommon.$(OBJEXT) \ tlv11.$(OBJEXT) udp.$(OBJEXT) util.$(OBJEXT) librsp_a_OBJECTS = $(am_librsp_a_OBJECTS) @WANT_FTICKS_TRUE@am__EXEEXT_1 = radsecproxy-hash$(EXEEXT) am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" \ "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" PROGRAMS = $(bin_PROGRAMS) $(sbin_PROGRAMS) am_radsecproxy_OBJECTS = main.$(OBJEXT) radsecproxy_OBJECTS = $(am_radsecproxy_OBJECTS) radsecproxy_DEPENDENCIES = librsp.a radsecproxy_LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(radsecproxy_LDFLAGS) $(LDFLAGS) -o $@ am_radsecproxy_conf_OBJECTS = catgconf.$(OBJEXT) debug.$(OBJEXT) \ gconfig.$(OBJEXT) util.$(OBJEXT) radsecproxy_conf_OBJECTS = $(am_radsecproxy_conf_OBJECTS) radsecproxy_conf_LDADD = $(LDADD) radsecproxy_conf_LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ $(radsecproxy_conf_LDFLAGS) $(LDFLAGS) -o $@ radsecproxy_hash_SOURCES = radsecproxy-hash.c radsecproxy_hash_OBJECTS = radsecproxy-hash.$(OBJEXT) @WANT_FTICKS_TRUE@radsecproxy_hash_DEPENDENCIES = fticks_hashmac.o \ @WANT_FTICKS_TRUE@ hash.o list.o DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ SOURCES = $(librsp_a_SOURCES) $(radsecproxy_SOURCES) \ $(radsecproxy_conf_SOURCES) radsecproxy-hash.c DIST_SOURCES = $(am__librsp_a_SOURCES_DIST) $(radsecproxy_SOURCES) \ $(radsecproxy_conf_SOURCES) radsecproxy-hash.c RECURSIVE_TARGETS = all-recursive check-recursive dvi-recursive \ html-recursive info-recursive install-data-recursive \ install-dvi-recursive install-exec-recursive \ install-html-recursive install-info-recursive \ install-pdf-recursive install-ps-recursive install-recursive \ installcheck-recursive installdirs-recursive pdf-recursive \ ps-recursive 
uninstall-recursive am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; am__install_max = 40 am__nobase_strip_setup = \ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` am__nobase_strip = \ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" am__nobase_list = $(am__nobase_strip_setup); \ for p in $$list; do echo "$$p $$p"; done | \ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ if (++n[$$2] == $(am__install_max)) \ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ END { for (dir in files) print dir, files[dir] }' am__base_list = \ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' man1dir = $(mandir)/man1 man5dir = $(mandir)/man5 NROFF = nroff MANS = $(dist_man_MANS) RECURSIVE_CLEAN_TARGETS = mostlyclean-recursive clean-recursive \ distclean-recursive maintainer-clean-recursive AM_RECURSIVE_TARGETS = $(RECURSIVE_TARGETS:-recursive=) \ $(RECURSIVE_CLEAN_TARGETS:-recursive=) tags TAGS ctags CTAGS \ distdir dist dist-all distcheck ETAGS = etags CTAGS = ctags DIST_SUBDIRS = $(SUBDIRS) DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) distdir = $(PACKAGE)-$(VERSION) top_distdir = $(distdir) am__remove_distdir = \ { test ! -d "$(distdir)" \ || { find "$(distdir)" -type d ! 
-perm -200 -exec chmod u+w {} ';' \ && rm -fr "$(distdir)"; }; } am__relativize = \ dir0=`pwd`; \ sed_first='s,^\([^/]*\)/.*$$,\1,'; \ sed_rest='s,^[^/]*/*,,'; \ sed_last='s,^.*/\([^/]*\)$$,\1,'; \ sed_butlast='s,/*[^/]*$$,,'; \ while test -n "$$dir1"; do \ first=`echo "$$dir1" | sed -e "$$sed_first"`; \ if test "$$first" != "."; then \ if test "$$first" = ".."; then \ dir2=`echo "$$dir0" | sed -e "$$sed_last"`/"$$dir2"; \ dir0=`echo "$$dir0" | sed -e "$$sed_butlast"`; \ else \ first2=`echo "$$dir2" | sed -e "$$sed_first"`; \ if test "$$first2" = "$$first"; then \ dir2=`echo "$$dir2" | sed -e "$$sed_rest"`; \ else \ dir2="../$$dir2"; \ fi; \ dir0="$$dir0"/"$$first"; \ fi; \ fi; \ dir1=`echo "$$dir1" | sed -e "$$sed_rest"`; \ done; \ reldir="$$dir2" DIST_ARCHIVES = $(distdir).tar.gz GZIP_ENV = --best distuninstallcheck_listfiles = find . -type f -print distcleancheck_listfiles = find . -type f -print ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DOCBOOK2X_MAN = @DOCBOOK2X_MAN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ EXEEXT = @EXEEXT@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SSL_CFLAGS = @SSL_CFLAGS@ SSL_LDFLAGS = @SSL_LDFLAGS@ SSL_LIBS = @SSL_LIBS@ STRIP = @STRIP@ TARGET_CFLAGS = 
@TARGET_CFLAGS@ TARGET_LDFLAGS = @TARGET_LDFLAGS@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target = @target@ target_alias = @target_alias@ target_cpu = @target_cpu@ target_os = @target_os@ target_vendor = @target_vendor@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign @WANT_FTICKS_TRUE@fticks_sources = fticks.c fticks.h fticks_hashmac.c fticks_hashmac.h @WANT_FTICKS_TRUE@fticks_programs = radsecproxy-hash @WANT_FTICKS_TRUE@radsecproxy_hash_LDADD = fticks_hashmac.o hash.o list.o @HAVE_DOCBOOK2X_MAN_TRUE@GENMANPAGES = radsecproxy.conf.5 SUBDIRS = tests noinst_LIBRARIES = librsp.a radsecproxy_SOURCES = main.c librsp_a_SOURCES = \ $(fticks_sources) \ debug.c debug.h \ dtls.c dtls.h \ gconfig.c gconfig.h \ hash.c hash.h \ hostport.c hostport.h \ list.c list.h \ radmsg.c radmsg.h \ radsecproxy.c radsecproxy.h \ 
tcp.c tcp.h \ tls.c tls.h \ tlscommon.c tlscommon.h \ tlv11.c tlv11.h \ udp.c udp.h \ util.c util.h radsecproxy_conf_SOURCES = \ catgconf.c \ debug.c debug.h \ gconfig.c gconfig.h \ util.c util.h #################### AM_CPPFLAGS = -DSYSCONFDIR=\"$(sysconfdir)\" AM_CFLAGS = \ -g -Wall -Werror -fno-strict-aliasing @SSL_CFLAGS@ @TARGET_CFLAGS@ radsecproxy_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@ radsecproxy_LDADD = librsp.a @SSL_LIBS@ radsecproxy_conf_LDFLAGS = @TARGET_LDFLAGS@ dist_man_MANS = radsecproxy.1 radsecproxy-hash.1 $(GENMANPAGES) EXTRA_DIST = \ LICENSE THANKS \ configure Makefile.in tests/Makefile.in \ compile config.guess config.sub install-sh missing depcomp \ radsecproxy.conf.5.xml radsecproxy.conf-example \ tools/README tools/naptr-eduroam.sh tools/radsec-dynsrv.sh DISTCHECK_CONFIGURE_FLAGS = --enable-fticks all: all-recursive .SUFFIXES: .SUFFIXES: .c .o .obj am--refresh: @: $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \ $(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \ && exit 0; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' 
in \ *config.status*) \ echo ' $(SHELL) ./config.status'; \ $(SHELL) ./config.status;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) $(SHELL) ./config.status --recheck $(top_srcdir)/configure: $(am__configure_deps) $(am__cd) $(srcdir) && $(AUTOCONF) $(ACLOCAL_M4): $(am__aclocal_m4_deps) $(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) $(am__aclocal_m4_deps): clean-noinstLIBRARIES: -test -z "$(noinst_LIBRARIES)" || rm -f $(noinst_LIBRARIES) librsp.a: $(librsp_a_OBJECTS) $(librsp_a_DEPENDENCIES) -rm -f librsp.a $(librsp_a_AR) librsp.a $(librsp_a_OBJECTS) $(librsp_a_LIBADD) $(RANLIB) librsp.a install-binPROGRAMS: $(bin_PROGRAMS) @$(NORMAL_INSTALL) test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p; \ then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ } \ ; done uninstall-binPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 
'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(bindir)" && rm -f $$files clean-binPROGRAMS: -test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) install-sbinPROGRAMS: $(sbin_PROGRAMS) @$(NORMAL_INSTALL) test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ for p in $$list; do echo "$$p $$p"; done | \ sed 's/$(EXEEXT)$$//' | \ while read p p1; do if test -f $$p; \ then echo "$$p"; echo "$$p"; else :; fi; \ done | \ sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ sed 'N;N;N;s,\n, ,g' | \ $(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ if ($$2 == $$4) files[d] = files[d] " " $$1; \ else { print "f", $$3 "/" $$4, $$1; } } \ END { for (d in files) print "f", d, files[d] }' | \ while read type dir files; do \ if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ test -z "$$files" || { \ echo " $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(sbindir)$$dir'"; \ $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ } \ ; done uninstall-sbinPROGRAMS: @$(NORMAL_UNINSTALL) @list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ files=`for p in $$list; do echo "$$p"; done | \ sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -e 's/$$/$(EXEEXT)/' `; \ test -n "$$list" || exit 0; \ echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(sbindir)" && rm -f $$files clean-sbinPROGRAMS: -test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS) radsecproxy$(EXEEXT): $(radsecproxy_OBJECTS) $(radsecproxy_DEPENDENCIES) @rm -f radsecproxy$(EXEEXT) $(radsecproxy_LINK) $(radsecproxy_OBJECTS) $(radsecproxy_LDADD) $(LIBS) radsecproxy-conf$(EXEEXT): $(radsecproxy_conf_OBJECTS) $(radsecproxy_conf_DEPENDENCIES) @rm -f 
radsecproxy-conf$(EXEEXT) $(radsecproxy_conf_LINK) $(radsecproxy_conf_OBJECTS) $(radsecproxy_conf_LDADD) $(LIBS) radsecproxy-hash$(EXEEXT): $(radsecproxy_hash_OBJECTS) $(radsecproxy_hash_DEPENDENCIES) @rm -f radsecproxy-hash$(EXEEXT) $(LINK) $(radsecproxy_hash_OBJECTS) $(radsecproxy_hash_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/catgconf.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/debug.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/dtls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fticks.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/fticks_hashmac.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/gconfig.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hash.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/hostport.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/list.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/main.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radmsg.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-hash.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tcp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tls.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tlscommon.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tlv11.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/udp.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/util.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ 
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` install-man1: $(dist_man_MANS) @$(NORMAL_INSTALL) test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)" @list=''; test -n "$(man1dir)" || exit 0; \ { for i in $$list; do echo "$$i"; done; \ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.1[a-z]*$$/p'; \ } | while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ done | \ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ sed 'N;N;s,\n, ,g' | { \ list=; while read file base inst; do \ if test "$$base" = "$$inst"; then list="$$list $$file"; else \ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \ fi; \ done; \ for i in $$list; do echo "$$i"; done | $(am__base_list) | \ while read files; do \ test -z "$$files" || { \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \ done; } uninstall-man1: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man1dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.1[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ test -z "$$files" || { \ echo " ( cd '$(DESTDIR)$(man1dir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(man1dir)" && rm -f $$files; } install-man5: 
$(dist_man_MANS) @$(NORMAL_INSTALL) test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" @list=''; test -n "$(man5dir)" || exit 0; \ { for i in $$list; do echo "$$i"; done; \ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | while read p; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ echo "$$d$$p"; echo "$$p"; \ done | \ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ sed 'N;N;s,\n, ,g' | { \ list=; while read file base inst; do \ if test "$$base" = "$$inst"; then list="$$list $$file"; else \ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ fi; \ done; \ for i in $$list; do echo "$$i"; done | $(am__base_list) | \ while read files; do \ test -z "$$files" || { \ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ done; } uninstall-man5: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man5dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.5[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ test -z "$$files" || { \ echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \ cd "$(DESTDIR)$(man5dir)" && rm -f $$files; } # This directory's subdirectories are mostly independent; you can cd # into them and run `make' without going through this Makefile. # To change the values of `make' variables: instead of editing Makefiles, # (1) if the variable is set in `config.status', edit `config.status' # (which will cause the Makefiles to be regenerated when you run `make'); # (2) otherwise, pass the desired values on the `make' command line. 
$(RECURSIVE_TARGETS): @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ *k*) failcom='fail=yes';; \ esac; \ done; \ dot_seen=no; \ target=`echo $@ | sed s/-recursive//`; \ list='$(SUBDIRS)'; for subdir in $$list; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ dot_seen=yes; \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done; \ if test "$$dot_seen" = "no"; then \ $(MAKE) $(AM_MAKEFLAGS) "$$target-am" || exit 1; \ fi; test -z "$$fail" $(RECURSIVE_CLEAN_TARGETS): @fail= failcom='exit 1'; \ for f in x $$MAKEFLAGS; do \ case $$f in \ *=* | --[!k]*);; \ *k*) failcom='fail=yes';; \ esac; \ done; \ dot_seen=no; \ case "$@" in \ distclean-* | maintainer-clean-*) list='$(DIST_SUBDIRS)' ;; \ *) list='$(SUBDIRS)' ;; \ esac; \ rev=''; for subdir in $$list; do \ if test "$$subdir" = "."; then :; else \ rev="$$subdir $$rev"; \ fi; \ done; \ rev="$$rev ."; \ target=`echo $@ | sed s/-recursive//`; \ for subdir in $$rev; do \ echo "Making $$target in $$subdir"; \ if test "$$subdir" = "."; then \ local_target="$$target-am"; \ else \ local_target="$$target"; \ fi; \ ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) $$local_target) \ || eval $$failcom; \ done && test -z "$$fail" tags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ test "$$subdir" = . || ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) tags); \ done ctags-recursive: list='$(SUBDIRS)'; for subdir in $$list; do \ test "$$subdir" = . 
|| ($(am__cd) $$subdir && $(MAKE) $(AM_MAKEFLAGS) ctags); \ done ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: tags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) set x; \ here=`pwd`; \ if ($(ETAGS) --etags-include --version) >/dev/null 2>&1; then \ include_option=--etags-include; \ empty_fix=.; \ else \ include_option=--include; \ empty_fix=; \ fi; \ list='$(SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test ! -f $$subdir/TAGS || \ set "$$@" "$$include_option=$$here/$$subdir/TAGS"; \ fi; \ done; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: CTAGS CTAGS: ctags-recursive $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" 
distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags distdir: $(DISTFILES) @list='$(MANS)'; if test -n "$$list"; then \ list=`for p in $$list; do \ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ if test -n "$$list" && \ grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ echo " typically \`make maintainer-clean' will remove them" >&2; \ exit 1; \ else :; fi; \ else :; fi $(am__remove_distdir) test -d "$(distdir)" || mkdir "$(distdir)" @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ test -d "$(distdir)/$$subdir" \ || $(MKDIR_P) "$(distdir)/$$subdir" \ || exit 1; \ fi; \ done @list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ if test "$$subdir" = .; then :; else \ dir1=$$subdir; dir2="$(distdir)/$$subdir"; \ $(am__relativize); \ new_distdir=$$reldir; \ dir1=$$subdir; dir2="$(top_distdir)"; \ $(am__relativize); \ new_top_distdir=$$reldir; \ echo " (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) top_distdir="$$new_top_distdir" distdir="$$new_distdir" \\"; \ echo " am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)"; \ ($(am__cd) $$subdir && \ $(MAKE) $(AM_MAKEFLAGS) \ top_distdir="$$new_top_distdir" \ distdir="$$new_distdir" \ am__remove_distdir=: \ am__skip_length_check=: \ am__skip_mode_fix=: \ distdir) \ || exit 1; \ fi; \ done -test -n "$(am__skip_mode_fix)" \ || find "$(distdir)" -type d ! -perm -755 \ -exec chmod u+rwx,go+rx {} \; -o \ ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ ! -type d ! 
-perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ || chmod -R a+r "$(distdir)" dist-gzip: distdir tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz $(am__remove_distdir) dist-bzip2: distdir tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2 $(am__remove_distdir) dist-lzma: distdir tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma $(am__remove_distdir) dist-xz: distdir tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz $(am__remove_distdir) dist-tarZ: distdir tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z $(am__remove_distdir) dist-shar: distdir shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz $(am__remove_distdir) dist-zip: distdir -rm -f $(distdir).zip zip -rq $(distdir).zip $(distdir) $(am__remove_distdir) dist dist-all: distdir tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz $(am__remove_distdir) # This target untars the dist file and tries a VPATH configuration. Then # it guarantees that the distribution is self-contained by making another # tarfile. distcheck: dist case '$(DIST_ARCHIVES)' in \ *.tar.gz*) \ GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ *.tar.bz2*) \ bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ *.tar.lzma*) \ lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\ *.tar.xz*) \ xz -dc $(distdir).tar.xz | $(am__untar) ;;\ *.tar.Z*) \ uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ *.shar.gz*) \ GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ *.zip*) \ unzip $(distdir).zip ;;\ esac chmod -R a-w $(distdir); chmod a+w $(distdir) mkdir $(distdir)/_build mkdir $(distdir)/_inst chmod a-w $(distdir) test -d $(distdir)/_build || exit 0; \ dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ && am__cwd=`pwd` \ && $(am__cd) $(distdir)/_build \ && ../configure --srcdir=.. 
--prefix="$$dc_install_base" \ $(DISTCHECK_CONFIGURE_FLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) \ && $(MAKE) $(AM_MAKEFLAGS) dvi \ && $(MAKE) $(AM_MAKEFLAGS) check \ && $(MAKE) $(AM_MAKEFLAGS) install \ && $(MAKE) $(AM_MAKEFLAGS) installcheck \ && $(MAKE) $(AM_MAKEFLAGS) uninstall \ && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \ distuninstallcheck \ && chmod -R a-w "$$dc_install_base" \ && ({ \ (cd ../.. && umask 077 && mkdir "$$dc_destdir") \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \ && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \ distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \ } || { rm -rf "$$dc_destdir"; exit 1; }) \ && rm -rf "$$dc_destdir" \ && $(MAKE) $(AM_MAKEFLAGS) dist \ && rm -rf $(DIST_ARCHIVES) \ && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \ && cd "$$am__cwd" \ || exit 1 $(am__remove_distdir) @(echo "$(distdir) archives ready for distribution: "; \ list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' distuninstallcheck: @$(am__cd) '$(distuninstallcheck_dir)' \ && test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \ || { echo "ERROR: files left after uninstall:" ; \ if test -n "$(DESTDIR)"; then \ echo " (check DESTDIR support)"; \ fi ; \ $(distuninstallcheck_listfiles) ; \ exit 1; } >&2 distcleancheck: distclean @if test '$(srcdir)' = . 
; then \ echo "ERROR: distcleancheck can only run from a VPATH build" ; \ exit 1 ; \ fi @test `$(distcleancheck_listfiles) | wc -l` -eq 0 \ || { echo "ERROR: files left in build directory after distclean:" ; \ $(distcleancheck_listfiles) ; \ exit 1; } >&2 check-am: all-am check: check-recursive all-am: Makefile $(LIBRARIES) $(PROGRAMS) $(MANS) installdirs: installdirs-recursive installdirs-am: for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ done install: install-recursive install-exec: install-exec-recursive install-data: install-data-recursive uninstall: uninstall-recursive install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-recursive install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ `test -z '$(STRIP)' || \ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-recursive clean-am: clean-binPROGRAMS clean-generic clean-local \ clean-noinstLIBRARIES clean-sbinPROGRAMS mostlyclean-am distclean: distclean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-recursive dvi-am: html-am: info: info-recursive info-am: install-data-am: install-man install-dvi: install-dvi-recursive install-dvi-am: install-exec-am: install-binPROGRAMS install-sbinPROGRAMS install-html: install-html-recursive install-html-am: install-info: install-info-recursive install-info-am: install-man: install-man1 install-man5 install-pdf: install-pdf-recursive install-pdf-am: install-ps: install-ps-recursive install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive -rm -f $(am__CONFIG_DISTCLEAN_FILES) -rm -rf $(top_srcdir)/autom4te.cache -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-recursive mostlyclean-am: mostlyclean-compile mostlyclean-generic pdf: pdf-recursive pdf-am: ps: ps-recursive ps-am: uninstall-am: uninstall-binPROGRAMS uninstall-man \ uninstall-sbinPROGRAMS uninstall-man: uninstall-man1 uninstall-man5 .MAKE: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) ctags-recursive \ install-am install-strip tags-recursive .PHONY: $(RECURSIVE_CLEAN_TARGETS) $(RECURSIVE_TARGETS) CTAGS GTAGS \ all all-am am--refresh check check-am clean clean-binPROGRAMS \ clean-generic clean-local clean-noinstLIBRARIES \ clean-sbinPROGRAMS ctags ctags-recursive dist dist-all \ dist-bzip2 dist-gzip dist-lzma dist-shar dist-tarZ dist-xz \ dist-zip distcheck distclean distclean-compile \ distclean-generic distclean-tags distcleancheck distdir \ distuninstallcheck dvi dvi-am html html-am info info-am \ install install-am install-binPROGRAMS install-data \ install-data-am install-dvi install-dvi-am install-exec \ install-exec-am install-html install-html-am 
install-info \ install-info-am install-man install-man1 install-man5 \ install-pdf install-pdf-am install-ps install-ps-am \ install-sbinPROGRAMS install-strip installcheck \ installcheck-am installdirs installdirs-am maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic pdf pdf-am ps ps-am tags tags-recursive \ uninstall uninstall-am uninstall-binPROGRAMS uninstall-man \ uninstall-man1 uninstall-man5 uninstall-sbinPROGRAMS #################### radsecproxy.conf.5: $(srcdir)/radsecproxy.conf.5.xml docbook2x-man $< # Build HTML version of radsecproxy.conf.5. NOTE: Only tested with # 'openjade' package installed on Ubuntu 9.10. html: $(srcdir)/radsecproxy.conf.5.xml -openjade -E2000 -t sgml-raw -d /usr/share/sgml/docbook/stylesheet/dsssl/modular/html/docbook.dsl -o radsecproxy.conf.html $< clean-local: -rm $(GENMANPAGES) # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: radsecproxy-1.6.2/tlv11.h0000664000175100017510000000143112042223225012121 00000000000000/* * Copyright (C) 2008 Stig Venaas * Copyright (C) 2010 NORDUnet A/S * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
*/ struct tlv { uint8_t t; uint8_t l; uint8_t *v; }; struct tlv *maketlv(uint8_t, uint8_t, void *); struct tlv *copytlv(struct tlv *); void freetlv(struct tlv *); int eqtlv(struct tlv *, struct tlv *); struct list *copytlvlist(struct list *); void freetlvlist(struct list *); void rmtlv(struct list *, uint8_t); uint8_t *tlv2str(struct tlv *tlv); uint8_t *tlv2buf(uint8_t *, const struct tlv *tlv); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/install-sh0000755000175100017510000003253712042223267013024 00000000000000#!/bin/sh # install - install a program, script, or datafile scriptversion=2009-04-28.21; # UTC # This originates from X11R5 (mit/util/scripts/install.sh), which was # later released in X11R6 (xc/config/util/install.sh) with the # following copyright and license. # # Copyright (C) 1994 X Consortium # # Permission is hereby granted, free of charge, to any person obtaining a copy # of this software and associated documentation files (the "Software"), to # deal in the Software without restriction, including without limitation the # rights to use, copy, modify, merge, publish, distribute, sublicense, and/or # sell copies of the Software, and to permit persons to whom the Software is # furnished to do so, subject to the following conditions: # # The above copyright notice and this permission notice shall be included in # all copies or substantial portions of the Software. # # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR # IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, # FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE # X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN # AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC- # TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
# # Except as contained in this notice, the name of the X Consortium shall not # be used in advertising or otherwise to promote the sale, use or other deal- # ings in this Software without prior written authorization from the X Consor- # tium. # # # FSF changes to this file are in the public domain. # # Calling this script install-sh is preferred over install.sh, to prevent # `make' implicit rules from creating a file called install from it # when there is no Makefile. # # This script is compatible with the BSD install script, but was written # from scratch. nl=' ' IFS=" "" $nl" # set DOITPROG to echo to test this script # Don't use :- since 4.3BSD and earlier shells don't like it. doit=${DOITPROG-} if test -z "$doit"; then doit_exec=exec else doit_exec=$doit fi # Put in absolute file names if you don't have them in your path; # or use environment vars. chgrpprog=${CHGRPPROG-chgrp} chmodprog=${CHMODPROG-chmod} chownprog=${CHOWNPROG-chown} cmpprog=${CMPPROG-cmp} cpprog=${CPPROG-cp} mkdirprog=${MKDIRPROG-mkdir} mvprog=${MVPROG-mv} rmprog=${RMPROG-rm} stripprog=${STRIPPROG-strip} posix_glob='?' initialize_posix_glob=' test "$posix_glob" != "?" || { if (set -f) 2>/dev/null; then posix_glob= else posix_glob=: fi } ' posix_mkdir= # Desired mode of installed file. mode=0755 chgrpcmd= chmodcmd=$chmodprog chowncmd= mvcmd=$mvprog rmcmd="$rmprog -f" stripcmd= src= dst= dir_arg= dst_arg= copy_on_change=false no_target_directory= usage="\ Usage: $0 [OPTION]... [-T] SRCFILE DSTFILE or: $0 [OPTION]... SRCFILES... DIRECTORY or: $0 [OPTION]... -t DIRECTORY SRCFILES... or: $0 [OPTION]... -d DIRECTORIES... In the 1st form, copy SRCFILE to DSTFILE. In the 2nd and 3rd, copy all SRCFILES to DIRECTORY. In the 4th, create DIRECTORIES. Options: --help display this help and exit. --version display version info and exit. -c (ignored) -C install only if different (preserve the last data modification time) -d create directories instead of installing files. 
-g GROUP $chgrpprog installed files to GROUP. -m MODE $chmodprog installed files to MODE. -o USER $chownprog installed files to USER. -s $stripprog installed files. -t DIRECTORY install into DIRECTORY. -T report an error if DSTFILE is a directory. Environment variables override the default commands: CHGRPPROG CHMODPROG CHOWNPROG CMPPROG CPPROG MKDIRPROG MVPROG RMPROG STRIPPROG " while test $# -ne 0; do case $1 in -c) ;; -C) copy_on_change=true;; -d) dir_arg=true;; -g) chgrpcmd="$chgrpprog $2" shift;; --help) echo "$usage"; exit $?;; -m) mode=$2 case $mode in *' '* | *' '* | *' '* | *'*'* | *'?'* | *'['*) echo "$0: invalid mode: $mode" >&2 exit 1;; esac shift;; -o) chowncmd="$chownprog $2" shift;; -s) stripcmd=$stripprog;; -t) dst_arg=$2 shift;; -T) no_target_directory=true;; --version) echo "$0 $scriptversion"; exit $?;; --) shift break;; -*) echo "$0: invalid option: $1" >&2 exit 1;; *) break;; esac shift done if test $# -ne 0 && test -z "$dir_arg$dst_arg"; then # When -d is used, all remaining arguments are directories to create. # When -t is used, the destination is already specified. # Otherwise, the last argument is the destination. Remove it from $@. for arg do if test -n "$dst_arg"; then # $@ is not empty: it contains at least $arg. set fnord "$@" "$dst_arg" shift # fnord fi shift # arg dst_arg=$arg done fi if test $# -eq 0; then if test -z "$dir_arg"; then echo "$0: no input file specified." >&2 exit 1 fi # It's OK to call `install-sh -d' without argument. # This can happen when creating conditional directories. exit 0 fi if test -z "$dir_arg"; then trap '(exit $?); exit' 1 2 13 15 # Set umask so as not to create temps with too-generous modes. # However, 'strip' requires both read and write access to temps. case $mode in # Optimize common cases. 
*644) cp_umask=133;; *755) cp_umask=22;; *[0-7]) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw='% 200' fi cp_umask=`expr '(' 777 - $mode % 1000 ')' $u_plus_rw`;; *) if test -z "$stripcmd"; then u_plus_rw= else u_plus_rw=,u+rw fi cp_umask=$mode$u_plus_rw;; esac fi for src do # Protect names starting with `-'. case $src in -*) src=./$src;; esac if test -n "$dir_arg"; then dst=$src dstdir=$dst test -d "$dstdir" dstdir_status=$? else # Waiting for this to be detected by the "$cpprog $src $dsttmp" command # might cause directories to be created, which would be especially bad # if $src (and thus $dsttmp) contains '*'. if test ! -f "$src" && test ! -d "$src"; then echo "$0: $src does not exist." >&2 exit 1 fi if test -z "$dst_arg"; then echo "$0: no destination specified." >&2 exit 1 fi dst=$dst_arg # Protect names starting with `-'. case $dst in -*) dst=./$dst;; esac # If destination is a directory, append the input filename; won't work # if double slashes aren't ignored. if test -d "$dst"; then if test -n "$no_target_directory"; then echo "$0: $dst_arg: Is a directory" >&2 exit 1 fi dstdir=$dst dst=$dstdir/`basename "$src"` dstdir_status=0 else # Prefer dirname, but fall back on a substitute if dirname fails. dstdir=` (dirname "$dst") 2>/dev/null || expr X"$dst" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$dst" : 'X\(//\)[^/]' \| \ X"$dst" : 'X\(//\)$' \| \ X"$dst" : 'X\(/\)' \| . 2>/dev/null || echo X"$dst" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q' ` test -d "$dstdir" dstdir_status=$? fi fi obsolete_mkdir_used=false if test $dstdir_status != 0; then case $posix_mkdir in '') # Create intermediate dirs using mode 755 as modified by the umask. # This is like FreeBSD 'install' as of 1997-10-28. umask=`umask` case $stripcmd.$umask in # Optimize common cases. 
*[2367][2367]) mkdir_umask=$umask;; .*0[02][02] | .[02][02] | .[02]) mkdir_umask=22;; *[0-7]) mkdir_umask=`expr $umask + 22 \ - $umask % 100 % 40 + $umask % 20 \ - $umask % 10 % 4 + $umask % 2 `;; *) mkdir_umask=$umask,go-w;; esac # With -d, create the new directory with the user-specified mode. # Otherwise, rely on $mkdir_umask. if test -n "$dir_arg"; then mkdir_mode=-m$mode else mkdir_mode= fi posix_mkdir=false case $umask in *[123567][0-7][0-7]) # POSIX mkdir -p sets u+wx bits regardless of umask, which # is incompatible with FreeBSD 'install' when (umask & 300) != 0. ;; *) tmpdir=${TMPDIR-/tmp}/ins$RANDOM-$$ trap 'ret=$?; rmdir "$tmpdir/d" "$tmpdir" 2>/dev/null; exit $ret' 0 if (umask $mkdir_umask && exec $mkdirprog $mkdir_mode -p -- "$tmpdir/d") >/dev/null 2>&1 then if test -z "$dir_arg" || { # Check for POSIX incompatibilities with -m. # HP-UX 11.23 and IRIX 6.5 mkdir -m -p sets group- or # other-writeable bit of parent directory when it shouldn't. # FreeBSD 6.1 mkdir -m -p sets mode of existing directory. ls_ld_tmpdir=`ls -ld "$tmpdir"` case $ls_ld_tmpdir in d????-?r-*) different_mode=700;; d????-?--*) different_mode=755;; *) false;; esac && $mkdirprog -m$different_mode -p -- "$tmpdir" && { ls_ld_tmpdir_1=`ls -ld "$tmpdir"` test "$ls_ld_tmpdir" = "$ls_ld_tmpdir_1" } } then posix_mkdir=: fi rmdir "$tmpdir/d" "$tmpdir" else # Remove any dirs left behind by ancient mkdir implementations. rmdir ./$mkdir_mode ./-p ./-- 2>/dev/null fi trap '' 0;; esac;; esac if $posix_mkdir && ( umask $mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir" ) then : else # The umask is ridiculous, or mkdir does not conform to POSIX, # or it failed possibly due to a race condition. Create the # directory the slow way, step by step, checking for races as we go. 
case $dstdir in /*) prefix='/';; -*) prefix='./';; *) prefix='';; esac eval "$initialize_posix_glob" oIFS=$IFS IFS=/ $posix_glob set -f set fnord $dstdir shift $posix_glob set +f IFS=$oIFS prefixes= for d do test -z "$d" && continue prefix=$prefix$d if test -d "$prefix"; then prefixes= else if $posix_mkdir; then (umask=$mkdir_umask && $doit_exec $mkdirprog $mkdir_mode -p -- "$dstdir") && break # Don't fail if two instances are running concurrently. test -d "$prefix" || exit 1 else case $prefix in *\'*) qprefix=`echo "$prefix" | sed "s/'/'\\\\\\\\''/g"`;; *) qprefix=$prefix;; esac prefixes="$prefixes '$qprefix'" fi fi prefix=$prefix/ done if test -n "$prefixes"; then # Don't fail if two instances are running concurrently. (umask $mkdir_umask && eval "\$doit_exec \$mkdirprog $prefixes") || test -d "$dstdir" || exit 1 obsolete_mkdir_used=true fi fi fi if test -n "$dir_arg"; then { test -z "$chowncmd" || $doit $chowncmd "$dst"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dst"; } && { test "$obsolete_mkdir_used$chowncmd$chgrpcmd" = false || test -z "$chmodcmd" || $doit $chmodcmd $mode "$dst"; } || exit 1 else # Make a couple of temp file names in the proper directory. dsttmp=$dstdir/_inst.$$_ rmtmp=$dstdir/_rm.$$_ # Trap to clean up those temp files at exit. trap 'ret=$?; rm -f "$dsttmp" "$rmtmp" && exit $ret' 0 # Copy the file name to the temp name. (umask $cp_umask && $doit_exec $cpprog "$src" "$dsttmp") && # and set any options; do chmod last to preserve setuid bits. # # If any of these fail, we abort the whole thing. If we want to # ignore errors from any of these, just make sure not to ignore # errors from the above "$doit $cpprog $src $dsttmp" command. # { test -z "$chowncmd" || $doit $chowncmd "$dsttmp"; } && { test -z "$chgrpcmd" || $doit $chgrpcmd "$dsttmp"; } && { test -z "$stripcmd" || $doit $stripcmd "$dsttmp"; } && { test -z "$chmodcmd" || $doit $chmodcmd $mode "$dsttmp"; } && # If -C, don't bother to copy if it wouldn't change the file. 
if $copy_on_change && old=`LC_ALL=C ls -dlL "$dst" 2>/dev/null` && new=`LC_ALL=C ls -dlL "$dsttmp" 2>/dev/null` && eval "$initialize_posix_glob" && $posix_glob set -f && set X $old && old=:$2:$4:$5:$6 && set X $new && new=:$2:$4:$5:$6 && $posix_glob set +f && test "$old" = "$new" && $cmpprog "$dst" "$dsttmp" >/dev/null 2>&1 then rm -f "$dsttmp" else # Rename the file to the real destination. $doit $mvcmd -f "$dsttmp" "$dst" 2>/dev/null || # The rename failed, perhaps because mv can't rename something else # to itself, or perhaps because mv is so ancient that it does not # support -f. { # Now remove or move aside any old file at destination location. # We try this two ways since rm can't unlink itself on some # systems and the destination file might be busy for other # reasons. In this case, the final cleanup might fail but the new # file should still install successfully. { test ! -f "$dst" || $doit $rmcmd -f "$dst" 2>/dev/null || { $doit $mvcmd -f "$dst" "$rmtmp" 2>/dev/null && { $doit $rmcmd -f "$rmtmp" 2>/dev/null; :; } } || { echo "$0: cannot unlink or rename $dst" >&2 (exit 1); exit 1 } } && # Now rename the file to the real destination. $doit $mvcmd "$dsttmp" "$dst" } fi || exit 1 trap '' 0 fi done # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: radsecproxy-1.6.2/tls.c0000664000175100017510000003162312042223225011755 00000000000000/* * Copyright (C) 2006-2009 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
*/ #include #include #include #include #include #include #include #ifdef SYS_SOLARIS9 #include #endif #include #include #include #include #include #include #include #include #include #include #include "radsecproxy.h" #include "hostport.h" #ifdef RADPROT_TLS #include "debug.h" #include "util.h" static void setprotoopts(struct commonprotoopts *opts); static char **getlistenerargs(); void *tlslistener(void *arg); int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text); void *tlsclientrd(void *arg); int clientradputtls(struct server *server, unsigned char *rad); void tlssetsrcres(); static const struct protodefs protodefs = { "tls", "radsec", /* secretdefault */ SOCK_STREAM, /* socktype */ "2083", /* portdefault */ 0, /* retrycountdefault */ 0, /* retrycountmax */ REQUEST_RETRY_INTERVAL * REQUEST_RETRY_COUNT, /* retryintervaldefault */ 60, /* retryintervalmax */ DUPLICATE_INTERVAL, /* duplicateintervaldefault */ setprotoopts, /* setprotoopts */ getlistenerargs, /* getlistenerargs */ tlslistener, /* listener */ tlsconnect, /* connecter */ tlsclientrd, /* clientconnreader */ clientradputtls, /* clientradput */ NULL, /* addclient */ NULL, /* addserverextra */ tlssetsrcres, /* setsrcres */ NULL /* initextra */ }; static struct addrinfo *srcres = NULL; static uint8_t handle; static struct commonprotoopts *protoopts = NULL; const struct protodefs *tlsinit(uint8_t h) { handle = h; return &protodefs; } static void setprotoopts(struct commonprotoopts *opts) { protoopts = opts; } static char **getlistenerargs() { return protoopts ? protoopts->listenargs : NULL; } void tlssetsrcres() { if (!srcres) srcres = resolvepassiveaddrinfo(protoopts ? 
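protoopts->sourcearg : NULL, AF_UNSPEC, NULL, protodefs.socktype); }

/*
 * Establish (or re-establish) the TLS connection to a server.
 *
 * server  - peer to connect to; server->lock is held for the whole call,
 *           including the back-off sleeps below
 * when    - if non-NULL, the lastconnecttry value the caller observed; when
 *           it no longer matches, another thread has already reconnected
 * timeout - seconds after which the attempt is abandoned, 0 for no limit
 * text    - caller name, used in debug output only
 *
 * Returns 1 when a connection is up (made here or by another thread) and
 * 0 when the timeout expired.
 *
 * The retry loop is only left through the break that follows a non-zero
 * verifyconfcert() result, so a peer whose certificate is rejected by
 * verifytlscert() or verifyconfcert() is never marked connectionok.
 */
int tlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
    struct timeval now;
    time_t elapsed;
    X509 *cert;
    SSL_CTX *ctx = NULL;
    unsigned long error;

    debug(DBG_DBG, "tlsconnect: called from %s", text);
    pthread_mutex_lock(&server->lock);
    if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
        /* already reconnected, nothing to do */
        debug(DBG_DBG, "tlsconnect(%s): seems already reconnected", text);
        pthread_mutex_unlock(&server->lock);
        return 1;
    }

    for (;;) {
        gettimeofday(&now, NULL);
        elapsed = now.tv_sec - server->lastconnecttry.tv_sec;
        if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) {
            debug(DBG_DBG, "tlsconnect: timeout");
            if (server->sock >= 0)
                close(server->sock);
            SSL_free(server->ssl);
            server->ssl = NULL;
            pthread_mutex_unlock(&server->lock);
            return 0;
        }

        /* Back-off: wait longer the longer the connection has been down. */
        if (server->connectionok) {
            server->connectionok = 0;
            sleep(2);
        } else if (elapsed < 1)
            sleep(2);
        else if (elapsed < 60) {
            /* time_t is not guaranteed to be long; cast to match %ld */
            debug(DBG_INFO, "tlsconnect: sleeping %lds", (long)elapsed);
            sleep(elapsed);
        } else if (elapsed < 100000) {
            debug(DBG_INFO, "tlsconnect: sleeping %ds", 60);
            sleep(60);
        } else
            server->lastconnecttry.tv_sec = now.tv_sec; /* no sleep at startup */

        if (server->sock >= 0)
            close(server->sock);
        if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) < 0)
            continue;

        /* Drop any previous session before building a new one. */
        SSL_free(server->ssl);
        server->ssl = NULL;
        ctx = tlsgetctx(handle, server->conf->tlsconf);
        if (!ctx)
            continue;
        server->ssl = SSL_new(ctx);
        if (!server->ssl)
            continue;

        SSL_set_fd(server->ssl, server->sock);
        if (SSL_connect(server->ssl) <= 0) {
            while ((error = ERR_get_error()))
                debug(DBG_ERR, "tlsconnect: TLS: %s", ERR_error_string(error, NULL));
            continue;
        }

        /* Both certificate checks must pass before the loop is left. */
        cert = verifytlscert(server->ssl);
        if (!cert)
            continue;
        if (verifyconfcert(cert, server->conf)) {
            X509_free(cert);
            break;
        }
        X509_free(cert);
    }
    debug(DBG_WARN, "tlsconnect: TLS connection to %s up", server->conf->name);
    server->connectionok = 1;
    gettimeofday(&server->lastconnecttry, NULL);
    pthread_mutex_unlock(&server->lock);
    return 1;
}

/*
 * Read exactly num bytes from ssl into buf.
 *
 * timeout is in seconds, 0 means no timeout (blocking).
 * Returns num when all bytes were read, 0 on timeout and -1 on error.
 * A num of zero or less reads nothing and is returned unchanged.
 */
int sslreadtimeout(SSL *ssl, unsigned char *buf, int num, int timeout) {
    int s, ndesc, cnt, len;
    fd_set readfds, writefds;
    struct timeval timer;

    s = SSL_get_fd(ssl);
    /* FD_SET() on a descriptor >= FD_SETSIZE writes outside the fd_set */
    if (s < 0 || s >= FD_SETSIZE)
        return -1;
    /* make socket non-blocking? */
    for (len = 0; len < num; len += cnt) {
        FD_ZERO(&readfds);
        FD_SET(s, &readfds);
        /*
         * NOTE(review): the descriptor is also put in the write set, so
         * select() returns as soon as the socket is writable and the timeout
         * only bounds the wait while it is neither readable nor writable;
         * confirm this is intended.
         */
        writefds = readfds;
        if (timeout) {
            timer.tv_sec = timeout;
            timer.tv_usec = 0;
        }
        ndesc = select(s + 1, &readfds, &writefds, NULL, timeout ? &timer : NULL);
        if (ndesc < 1)
            return ndesc;

        cnt = SSL_read(ssl, buf + len, num - len);
        if (cnt <= 0)
            switch (SSL_get_error(ssl, cnt)) {
            case SSL_ERROR_WANT_READ:
            case SSL_ERROR_WANT_WRITE:
                /* nothing consumed; retry via the loop increment */
                cnt = 0;
                continue;
            case SSL_ERROR_ZERO_RETURN:
                /* remote end sent close_notify, send one back */
                SSL_shutdown(ssl);
                return -1;
            default:
                return -1;
            }
    }
    return num;
}

/*
 * Read one RADIUS packet from a TLS stream.
 *
 * timeout is in seconds, 0 means no timeout (blocking).
 * Returns a malloc()ed buffer holding the packet, which the caller must
 * free, or NULL on timeout, connection loss, a length field that cannot be
 * valid, or allocation failure.
 *
 * The length comes from the peer through RADLEN() on the first four bytes
 * and is checked before it sizes an allocation or a copy.
 */
unsigned char *radtlsget(SSL *ssl, int timeout) {
    int cnt, len;
    unsigned char buf[4], *rad;

    for (;;) {
        cnt = sslreadtimeout(ssl, buf, 4, timeout);
        if (cnt < 1) {
            debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout");
            return NULL;
        }

        len = RADLEN(buf);
        /*
         * The four header bytes are copied into the new buffer below, so a
         * length under 4 would make that memcpy() write past the allocation
         * and make the remaining byte count negative.
         */
        if (len < 4) {
            debug(DBG_WARN, "radtlsget: length field smaller than header, dropping connection");
            return NULL;
        }

        rad = malloc(len);
        if (!rad) {
            /*
             * The header is already consumed; reading on would interpret
             * packet body bytes as the next header, so give up on the stream.
             */
            debug(DBG_ERR, "radtlsget: malloc failed");
            return NULL;
        }
        memcpy(rad, buf, 4);

        cnt = sslreadtimeout(ssl, rad + 4, len - 4, timeout);
        if (cnt < 1) {
            debug(DBG_DBG, cnt ? "radtlsget: connection lost" : "radtlsget: timeout");
            free(rad);
            return NULL;
        }

        if (len >= 20)
            break;

        /* Undersized packet: its bytes are consumed, try the next one. */
        free(rad);
        debug(DBG_WARN, "radtlsget: packet smaller than minimum radius size");
    }

    debug(DBG_DBG, "radtlsget: got %d bytes", len);
    return rad;
}

/*
 * Send one RADIUS packet to a server over its TLS session.
 *
 * The number of bytes written is taken from RADLEN(rad).
 * Returns 1 when SSL_write() reported success, 0 when the connection is not
 * marked ok or the write failed.
 */
int clientradputtls(struct server *server, unsigned char *rad) {
    int cnt;
    size_t len;
    unsigned long error;
    struct clsrvconf *conf = server->conf;

    if (!server->connectionok)
        return 0;
    len = RADLEN(rad);
    if ((cnt = SSL_write(server->ssl, rad, len)) <= 0) {
        while ((error = ERR_get_error()))
            debug(DBG_ERR, "clientradputtls: TLS: %s", ERR_error_string(error, NULL));
        return 0;
    }

    /* len is size_t; cast so the argument matches the %d conversion */
    debug(DBG_DBG, "clientradputtls: Sent %d bytes, Radius packet of length %d to TLS peer %s", cnt, (int)len, conf->name);
    return 1;
}

void *tlsclientrd(void *arg) { struct server *server = (struct server *)arg; unsigned char *buf; struct timeval now, lastconnecttry; for (;;) { /* yes, lastconnecttry is really necessary */ lastconnecttry = server->lastconnecttry; buf = radtlsget(server->ssl, server->dynamiclookuparg ?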
IDLE_TIMEOUT : 0); if (!buf) { if (server->dynamiclookuparg) break; tlsconnect(server, &lastconnecttry, 0, "tlsclientrd"); continue; } replyh(server, buf); if (server->dynamiclookuparg) { gettimeofday(&now, NULL); if (now.tv_sec - server->lastreply.tv_sec > IDLE_TIMEOUT) { debug(DBG_INFO, "tlsclientrd: idle timeout for %s", server->conf->name); break; } } } ERR_remove_state(0); server->clientrdgone = 1; return NULL; } void *tlsserverwr(void *arg) { int cnt; unsigned long error; struct client *client = (struct client *)arg; struct gqueue *replyq; struct request *reply; debug(DBG_DBG, "tlsserverwr: starting for %s", addr2string(client->addr)); replyq = client->replyq; for (;;) { pthread_mutex_lock(&replyq->mutex); while (!list_first(replyq->entries)) { if (client->ssl) { debug(DBG_DBG, "tlsserverwr: waiting for signal"); pthread_cond_wait(&replyq->cond, &replyq->mutex); debug(DBG_DBG, "tlsserverwr: got signal"); } if (!client->ssl) { /* ssl might have changed while waiting */ pthread_mutex_unlock(&replyq->mutex); debug(DBG_DBG, "tlsserverwr: exiting as requested"); ERR_remove_state(0); pthread_exit(NULL); } } reply = (struct request *)list_shift(replyq->entries); pthread_mutex_unlock(&replyq->mutex); cnt = SSL_write(client->ssl, reply->replybuf, RADLEN(reply->replybuf)); if (cnt > 0) debug(DBG_DBG, "tlsserverwr: sent %d bytes, Radius packet of length %d to %s", cnt, RADLEN(reply->replybuf), addr2string(client->addr)); else while ((error = ERR_get_error())) debug(DBG_ERR, "tlsserverwr: SSL: %s", ERR_error_string(error, NULL)); freerq(reply); } } void tlsserverrd(struct client *client) { struct request *rq; uint8_t *buf; pthread_t tlsserverwrth; debug(DBG_DBG, "tlsserverrd: starting for %s", addr2string(client->addr)); if (pthread_create(&tlsserverwrth, NULL, tlsserverwr, (void *)client)) { debug(DBG_ERR, "tlsserverrd: pthread_create failed"); return; } for (;;) { buf = radtlsget(client->ssl, 0); if (!buf) { debug(DBG_ERR, "tlsserverrd: connection from %s lost", 
addr2string(client->addr)); break; } debug(DBG_DBG, "tlsserverrd: got Radius message from %s", addr2string(client->addr)); rq = newrequest(); if (!rq) { free(buf); continue; } rq->buf = buf; rq->from = client; if (!radsrv(rq)) { debug(DBG_ERR, "tlsserverrd: message authentication/validation failed, closing connection from %s", addr2string(client->addr)); break; } } /* stop writer by setting ssl to NULL and give signal in case waiting for data */ client->ssl = NULL; pthread_mutex_lock(&client->replyq->mutex); pthread_cond_signal(&client->replyq->cond); pthread_mutex_unlock(&client->replyq->mutex); debug(DBG_DBG, "tlsserverrd: waiting for writer to end"); pthread_join(tlsserverwrth, NULL); debug(DBG_DBG, "tlsserverrd: reader for %s exiting", addr2string(client->addr)); } void *tlsservernew(void *arg) { int s; struct sockaddr_storage from; socklen_t fromlen = sizeof(from); struct clsrvconf *conf; struct list_node *cur = NULL; SSL *ssl = NULL; X509 *cert = NULL; SSL_CTX *ctx = NULL; unsigned long error; struct client *client; struct tls *accepted_tls = NULL; s = *(int *)arg; if (getpeername(s, (struct sockaddr *)&from, &fromlen)) { debug(DBG_DBG, "tlsservernew: getpeername failed, exiting"); goto exit; } debug(DBG_WARN, "tlsservernew: incoming TLS connection from %s", addr2string((struct sockaddr *)&from)); conf = find_clconf(handle, (struct sockaddr *)&from, &cur); if (conf) { ctx = tlsgetctx(handle, conf->tlsconf); if (!ctx) goto exit; ssl = SSL_new(ctx); if (!ssl) goto exit; SSL_set_fd(ssl, s); if (SSL_accept(ssl) <= 0) { while ((error = ERR_get_error())) debug(DBG_ERR, "tlsservernew: SSL: %s", ERR_error_string(error, NULL)); debug(DBG_ERR, "tlsservernew: SSL_accept failed"); goto exit; } cert = verifytlscert(ssl); if (!cert) goto exit; accepted_tls = conf->tlsconf; } while (conf) { if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) { X509_free(cert); client = addclient(conf, 1); if (client) { client->ssl = ssl; client->addr = addr_copy((struct 
sockaddr *)&from); tlsserverrd(client); removeclient(client); } else debug(DBG_WARN, "tlsservernew: failed to create new client instance"); goto exit; } conf = find_clconf(handle, (struct sockaddr *)&from, &cur); } debug(DBG_WARN, "tlsservernew: ignoring request, no matching TLS client"); if (cert) X509_free(cert); exit: if (ssl) { SSL_shutdown(ssl); SSL_free(ssl); } ERR_remove_state(0); shutdown(s, SHUT_RDWR); close(s); pthread_exit(NULL); } void *tlslistener(void *arg) { pthread_t tlsserverth; int s, *sp = (int *)arg; struct sockaddr_storage from; socklen_t fromlen = sizeof(from); listen(*sp, 0); for (;;) { s = accept(*sp, (struct sockaddr *)&from, &fromlen); if (s < 0) { debug(DBG_WARN, "accept failed"); continue; } if (pthread_create(&tlsserverth, NULL, tlsservernew, (void *)&s)) { debug(DBG_ERR, "tlslistener: pthread_create failed"); shutdown(s, SHUT_RDWR); close(s); continue; } pthread_detach(tlsserverth); } free(sp); return NULL; } #else const struct protodefs *tlsinit(uint8_t h) { return NULL; } #endif /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/tcp.h0000664000175100017510000000061112042223225011737 00000000000000/* * Copyright (C) 2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ const struct protodefs *tcpinit(uint8_t h); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/README0000664000175100017510000000341412042223225011664 00000000000000This is radsecproxy 1.6.2 from Oct 25 2012. radsecproxy is a generic RADIUS proxy that supports both UDP and TLS (RadSec) RADIUS transports. There is also experimental support for TCP and DTLS. It should build on most Unix and OSX platforms by simply typing "./configure && make". It is possible to specify which RADIUS transport the build should support. 
Without any special options to configure, all transports supported by the system will be enabled. See the output from "configure --help" for how to change this.

Known build issues:
- Older BSDs (like NetBSD 4.x) need a newer OpenSSL in order to support DTLS. Workaround: ./configure --disable-dtls.
- FreeBSD 6.x needs a newer OpenSSL to build at all. For example, OpenSSL 1.0.0c from ports is fine; configure radsecproxy with `--with-ssl=/usr/local'.

To use radsecproxy you need to create a config file, which is normally called "/etc/radsecproxy.conf". You can also specify the location with the "-c" command line option (see below). For further instructions, please see the enclosed example file and the documentation at http://software.uninett.no/radsecproxy/?page=documentation

The following options may be specified on the command line:
"-c configfile" to specify a non-default config file path.
"-d loglevel" to set a loglevel of 1, 2, 3, 4 or 5, where 5 is the most detailed.
"-f" to run the proxy in the foreground with logging to stderr. Without "-f" the default is to detach as a daemon and log to syslog.
"-i pidfile" to name a file to which the PID is written.
"-v" just prints version information and exits.
"-p" (pretend) makes the proxy go through the configuration files as normal, but stops before creating any sockets or doing any serious work. This is useful for validating config files.
radsecproxy-1.6.2/radsecproxy-hash.c0000664000175100017510000000370712042223225014441 00000000000000/* * Copyright (C) 2011 NORDUnet A/S * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies.
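*/ #include #include #include #include "radsecproxy.h" #include "fticks_hashmac.h"

/* Print the command line synopsis to stderr and exit with status 1. */
void
usage()
{
    /* The accepted -t values are "hash" and "hmac" (see main below). */
    fprintf(stderr,
            "usage: radsecproxy-hash [-h] [-k key] [-t type]\n"
#if defined (READ_CONFIG)
            " -c configfile\tuse configuration from CONFIGFILE\n"
#endif
            " -h\t\t\tdisplay this help and exit\n"
            " -k key\t\tuse KEY for HMAC\n"
            " -t type\t\tprint digest of type TYPE [hash|hmac]\n");
    exit(1);
}

#define MYNAME "radsecproxy-hash"

/*
 * Read MAC addresses from stdin, one per line, and print the digest that
 * fticks_hashmac() produces for each: unkeyed for "-t hash" (the default),
 * keyed with the -k argument for "-t hmac".
 *
 * Exit status: 0 on success, 1 on usage error, 2 when an HMAC is requested
 * without a key, 3 when fticks_hashmac() reports failure.
 *
 * Operational note: a key given with -k is part of the process arguments
 * and is typically visible to other local users through the process list.
 */
int
main(int argc, char *argv[])
{
    int opt;
#if defined(READ_CONFIG)
    char *config = NULL;
#endif
    uint8_t buf[256];
    char mac[80+1];
    uint8_t *key = NULL;
    enum { TYPE_HASH, TYPE_HMAC } type = TYPE_HASH;

    /* NOTE(review): the option string has no "c:", so the -c case below is
     * never selected even when READ_CONFIG is defined; confirm intent. */
    while ((opt = getopt(argc, argv, "hk:t:")) != -1) {
        switch (opt) {
#if defined(READ_CONFIG)
        case 'c':
            config = optarg;
            break;
#endif
        case 'h':
            usage();        /* does not return */
        case 'k':
            key = (uint8_t *) optarg;
            break;
        case 't':
            if (strcmp(optarg, "hash") == 0)
                type = TYPE_HASH;
            else if (strcmp(optarg, "hmac") == 0)
                type = TYPE_HMAC;
            else
                usage();
            break;
        default:
            usage();
        }
    }

    /* fgets() keeps the trailing newline; the line is passed on unchanged. */
    while (fgets(mac, sizeof(mac), stdin) != NULL) {
        if (type == TYPE_HASH) {
            if (fticks_hashmac((uint8_t *) mac, NULL, sizeof(buf), buf) != 0) {
                fprintf(stderr, "%s: out of memory\n", MYNAME);
                return 3;
            }
        }
        else if (type == TYPE_HMAC) {
            if (key == NULL) {
                fprintf(stderr, "%s: generating HMAC requires a key, use `-k'\n",
                        MYNAME);
                return 2;
            }
            if (fticks_hashmac((uint8_t *) mac, key, sizeof(buf), buf) != 0) {
                fprintf(stderr, "%s: out of memory\n", MYNAME);
                return 3;
            }
        }
        puts((const char *) buf);
    }

    return 0;
}
radsecproxy-1.6.2/hash.c0000664000175100017510000000652712042223225012103 00000000000000/* * Copyright (C) 2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies.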
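*/ #include #include #include #include "list.h" #include "hash.h"

/* allocates and initialises hash structure; returns NULL if malloc fails */
struct hash *hash_create() {
    struct hash *h = malloc(sizeof(struct hash));
    if (!h)
        return NULL;
    h->hashlist = list_create();
    if (!h->hashlist) {
        free(h);
        return NULL;
    }
    pthread_mutex_init(&h->mutex, NULL);
    return h;
}

/*
 * Frees the key and data of every entry, then destroys the list and the
 * mutex.
 * NOTE(review): the struct hash itself is not freed here, and whether
 * list_destroy() releases the entry structs is not visible from this file;
 * confirm against list.c and the callers.
 */
void hash_destroy(struct hash *h) {
    struct list_node *ln;

    if (!h)
        return;
    for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) {
        free(((struct hash_entry *)ln->data)->key);
        free(((struct hash_entry *)ln->data)->data);
    }
    list_destroy(h->hashlist);
    pthread_mutex_destroy(&h->mutex);
}

/*
 * Insert an entry; returns 1 if ok, 0 if h is NULL or an allocation fails.
 * The key bytes are copied; `data` is stored as given (not copied).
 */
int hash_insert(struct hash *h, void *key, uint32_t keylen, void *data) {
    struct hash_entry *e;

    if (!h)
        return 0;
    e = malloc(sizeof(struct hash_entry));
    if (!e)
        return 0;
    memset(e, 0, sizeof(struct hash_entry));
    e->key = malloc(keylen);
    if (!e->key) {
        free(e);
        return 0;
    }
    memcpy(e->key, key, keylen);
    e->keylen = keylen;
    e->data = data;
    pthread_mutex_lock(&h->mutex);
    if (!list_push(h->hashlist, e)) {
        pthread_mutex_unlock(&h->mutex);
        free(e->key);
        free(e);
        return 0;
    }
    pthread_mutex_unlock(&h->mutex);
    return 1;
}

/*
 * Look up an entry by exact key bytes; returns its data pointer or NULL.
 * The entry stays in the hash.
 */
void *hash_read(struct hash *h, void *key, uint32_t keylen) {
    struct list_node *ln;
    struct hash_entry *e;

    if (!h)
        return NULL;
    pthread_mutex_lock(&h->mutex);
    for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) {
        e = (struct hash_entry *)ln->data;
        if (e->keylen == keylen && !memcmp(e->key, key, keylen)) {
            pthread_mutex_unlock(&h->mutex);
            return e->data;
        }
    }
    pthread_mutex_unlock(&h->mutex);
    return NULL;
}

/*
 * Remove the entry with the given key and return its data pointer, or NULL
 * if there is no such entry.  The caller takes over the returned data.
 */
void *hash_extract(struct hash *h, void *key, uint32_t keylen) {
    struct list_node *ln;
    struct hash_entry *e;
    void *data;

    if (!h)
        return NULL;
    pthread_mutex_lock(&h->mutex);
    for (ln = list_first(h->hashlist); ln; ln = list_next(ln)) {
        e = (struct hash_entry *)ln->data;
        if (e->keylen == keylen && !memcmp(e->key, key, keylen)) {
            /* Save the payload first: reading e->data after free(e) would
             * be a use-after-free. */
            data = e->data;
            free(e->key);
            list_removedata(h->hashlist, e);
            free(e);
            pthread_mutex_unlock(&h->mutex);
            return data;
        }
    }
    pthread_mutex_unlock(&h->mutex);
    return NULL;
}

/*
 * Returns the first entry, or NULL if the hash is NULL or empty.
 * Stores the following list node in e->next so hash_next() can continue.
 * No lock is taken here.
 */
struct hash_entry *hash_first(struct hash *hash) {
    struct list_node *ln;
    struct hash_entry *e;

    if (!hash || !((ln = list_first(hash->hashlist))))
        return NULL;
    e = (struct hash_entry *)ln->data;
    e->next = ln->next;
    return e;
}

/* returns the next node after the argument, or NULL at the end */
struct hash_entry *hash_next(struct hash_entry *entry) {
    struct hash_entry *e;

    if (!entry || !entry->next)
        return NULL;
    e = (struct hash_entry *)entry->next->data;
    e->next = (struct list_node *)entry->next->next;
    return e;
}

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/udp.c0000664000175100017510000002405312042223225011742 00000000000000/* * Copyright (C) 2006-2009 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies.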
*/ #include #include #include #include #include #include #include #ifdef SYS_SOLARIS9 #include #endif #include #include #include #include #include #include #include #include #include #include "radsecproxy.h" #include "hostport.h" #ifdef RADPROT_UDP #include "debug.h" #include "util.h" static void setprotoopts(struct commonprotoopts *opts); static char **getlistenerargs(); void *udpserverrd(void *arg); int clientradputudp(struct server *server, unsigned char *rad); void addclientudp(struct client *client); void addserverextraudp(struct clsrvconf *conf); void udpsetsrcres(); void initextraudp(); static const struct protodefs protodefs = { "udp", NULL, /* secretdefault */ SOCK_DGRAM, /* socktype */ "1812", /* portdefault */ REQUEST_RETRY_COUNT, /* retrycountdefault */ 10, /* retrycountmax */ REQUEST_RETRY_INTERVAL, /* retryintervaldefault */ 60, /* retryintervalmax */ DUPLICATE_INTERVAL, /* duplicateintervaldefault */ setprotoopts, /* setprotoopts */ getlistenerargs, /* getlistenerargs */ udpserverrd, /* listener */ NULL, /* connecter */ NULL, /* clientconnreader */ clientradputudp, /* clientradput */ addclientudp, /* addclient */ addserverextraudp, /* addserverextra */ udpsetsrcres, /* setsrcres */ initextraudp /* initextra */ }; static int client4_sock = -1; static int client6_sock = -1; static struct gqueue *server_replyq = NULL; static struct addrinfo *srcres = NULL; static uint8_t handle; static struct commonprotoopts *protoopts = NULL; const struct protodefs *udpinit(uint8_t h) { handle = h; return &protodefs; } static void setprotoopts(struct commonprotoopts *opts) { protoopts = opts; } static char **getlistenerargs() { return protoopts ? protoopts->listenargs : NULL; } void udpsetsrcres() { if (!srcres) srcres = resolvepassiveaddrinfo(protoopts ? 
protoopts->sourcearg : NULL, AF_UNSPEC, NULL, protodefs.socktype); } void removeudpclientfromreplyq(struct client *c) { struct list_node *n; struct request *r; /* lock the common queue and remove replies for this client */ pthread_mutex_lock(&c->replyq->mutex); for (n = list_first(c->replyq->entries); n; n = list_next(n)) { r = (struct request *)n->data; if (r->from == c) r->from = NULL; } pthread_mutex_unlock(&c->replyq->mutex); } static int addr_equal(struct sockaddr *a, struct sockaddr *b) { switch (a->sa_family) { case AF_INET: return !memcmp(&((struct sockaddr_in*)a)->sin_addr, &((struct sockaddr_in*)b)->sin_addr, sizeof(struct in_addr)); case AF_INET6: return IN6_ARE_ADDR_EQUAL(&((struct sockaddr_in6*)a)->sin6_addr, &((struct sockaddr_in6*)b)->sin6_addr); default: /* Must not reach */ return 0; } } uint16_t port_get(struct sockaddr *sa) { switch (sa->sa_family) { case AF_INET: return ntohs(((struct sockaddr_in *)sa)->sin_port); case AF_INET6: return ntohs(((struct sockaddr_in6 *)sa)->sin6_port); } return 0; } /* exactly one of client and server must be non-NULL */ /* return who we received from in *client or *server */ /* return from in sa if not NULL */ unsigned char *radudpget(int s, struct client **client, struct server **server, uint16_t *port) { int cnt, len; unsigned char buf[4], *rad = NULL; struct sockaddr_storage from; struct sockaddr *fromcopy; socklen_t fromlen = sizeof(from); struct clsrvconf *p; struct list_node *node; fd_set readfds; struct client *c = NULL; struct timeval now; for (;;) { if (rad) { free(rad); rad = NULL; } FD_ZERO(&readfds); FD_SET(s, &readfds); if (select(s + 1, &readfds, NULL, NULL, NULL) < 1) continue; cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen); if (cnt == -1) { debug(DBG_WARN, "radudpget: recv failed"); continue; } p = client ? 
find_clconf(handle, (struct sockaddr *)&from, NULL) : find_srvconf(handle, (struct sockaddr *)&from, NULL); if (!p) { debug(DBG_WARN, "radudpget: got packet from wrong or unknown UDP peer %s, ignoring", addr2string((struct sockaddr *)&from)); recv(s, buf, 4, 0); continue; } len = RADLEN(buf); if (len < 20) { debug(DBG_WARN, "radudpget: length too small"); recv(s, buf, 4, 0); continue; } rad = malloc(len); if (!rad) { debug(DBG_ERR, "radudpget: malloc failed"); recv(s, buf, 4, 0); continue; } cnt = recv(s, rad, len, MSG_TRUNC); debug(DBG_DBG, "radudpget: got %d bytes from %s", cnt, addr2string((struct sockaddr *)&from)); if (cnt < len) { debug(DBG_WARN, "radudpget: packet smaller than length field in radius header"); continue; } if (cnt > len) debug(DBG_DBG, "radudpget: packet was padded with %d bytes", cnt - len); if (client) { *client = NULL; pthread_mutex_lock(p->lock); for (node = list_first(p->clients); node;) { c = (struct client *)node->data; node = list_next(node); if (s != c->sock) continue; gettimeofday(&now, NULL); if (!*client && addr_equal((struct sockaddr *)&from, c->addr)) { c->expiry = now.tv_sec + 60; *client = c; } if (c->expiry >= now.tv_sec) continue; debug(DBG_DBG, "radudpget: removing expired client (%s)", addr2string(c->addr)); removeudpclientfromreplyq(c); c->replyq = NULL; /* stop removeclient() from removing common udp replyq */ removelockedclient(c); break; } if (!*client) { fromcopy = addr_copy((struct sockaddr *)&from); if (!fromcopy) { pthread_mutex_unlock(p->lock); continue; } c = addclient(p, 0); if (!c) { free(fromcopy); pthread_mutex_unlock(p->lock); continue; } c->sock = s; c->addr = fromcopy; gettimeofday(&now, NULL); c->expiry = now.tv_sec + 60; *client = c; } pthread_mutex_unlock(p->lock); } else if (server) *server = p->servers; break; } if (port) *port = port_get((struct sockaddr *)&from); return rad; } int clientradputudp(struct server *server, unsigned char *rad) { size_t len; struct clsrvconf *conf = server->conf; struct 
addrinfo *ai; len = RADLEN(rad); ai = ((struct hostportres *)list_first(conf->hostports)->data)->addrinfo; if (sendto(server->sock, rad, len, 0, ai->ai_addr, ai->ai_addrlen) >= 0) { debug(DBG_DBG, "clienradputudp: sent UDP of length %d to %s port %d", len, addr2string(ai->ai_addr), port_get(ai->ai_addr)); return 1; } debug(DBG_WARN, "clientradputudp: send failed"); return 0; } void *udpclientrd(void *arg) { struct server *server; unsigned char *buf; int *s = (int *)arg; for (;;) { server = NULL; buf = radudpget(*s, NULL, &server, NULL); replyh(server, buf); } } void *udpserverrd(void *arg) { struct request *rq; int *sp = (int *)arg; for (;;) { rq = newrequest(); if (!rq) { sleep(5); /* malloc failed */ continue; } rq->buf = radudpget(*sp, &rq->from, NULL, &rq->udpport); rq->udpsock = *sp; radsrv(rq); } free(sp); return NULL; } void *udpserverwr(void *arg) { struct gqueue *replyq = (struct gqueue *)arg; struct request *reply; struct sockaddr_storage to; for (;;) { pthread_mutex_lock(&replyq->mutex); while (!(reply = (struct request *)list_shift(replyq->entries))) { debug(DBG_DBG, "udp server writer, waiting for signal"); pthread_cond_wait(&replyq->cond, &replyq->mutex); debug(DBG_DBG, "udp server writer, got signal"); } /* do this with lock, udpserverrd may set from = NULL if from expires */ if (reply->from) memcpy(&to, reply->from->addr, SOCKADDRP_SIZE(reply->from->addr)); pthread_mutex_unlock(&replyq->mutex); if (reply->from) { port_set((struct sockaddr *)&to, reply->udpport); if (sendto(reply->udpsock, reply->replybuf, RADLEN(reply->replybuf), 0, (struct sockaddr *)&to, SOCKADDR_SIZE(to)) < 0) debug(DBG_WARN, "udpserverwr: send failed"); } debug(DBG_DBG, "udpserverwr: refcount %d", reply->refcount); freerq(reply); } } void addclientudp(struct client *client) { client->replyq = server_replyq; } void addserverextraudp(struct clsrvconf *conf) { assert(list_first(conf->hostports) != NULL); switch (((struct hostportres 
*)list_first(conf->hostports)->data)->addrinfo->ai_family) { case AF_INET: if (client4_sock < 0) { client4_sock = bindtoaddr(srcres, AF_INET, 0, 1); if (client4_sock < 0) debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name); } conf->servers->sock = client4_sock; break; case AF_INET6: if (client6_sock < 0) { client6_sock = bindtoaddr(srcres, AF_INET6, 0, 1); if (client6_sock < 0) debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name); } conf->servers->sock = client6_sock; break; default: debugx(1, DBG_ERR, "addserver: unsupported address family"); } } void initextraudp() { pthread_t cl4th, cl6th, srvth; if (srcres) { freeaddrinfo(srcres); srcres = NULL; } if (client4_sock >= 0) if (pthread_create(&cl4th, NULL, udpclientrd, (void *)&client4_sock)) debugx(1, DBG_ERR, "pthread_create failed"); if (client6_sock >= 0) if (pthread_create(&cl6th, NULL, udpclientrd, (void *)&client6_sock)) debugx(1, DBG_ERR, "pthread_create failed"); if (find_clconf_type(handle, NULL)) { server_replyq = newqueue(); if (pthread_create(&srvth, NULL, udpserverwr, (void *)server_replyq)) debugx(1, DBG_ERR, "pthread_create failed"); } } #else const struct protodefs *udpinit(uint8_t h) { return NULL; } #endif /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/NEWS0000664000175100017510000000001712042223264011502 00000000000000See ChangeLog. radsecproxy-1.6.2/main.c0000664000175100017510000000032112042223225012066 00000000000000/* Copyright (C) 2011 NORDUnet A/S * See LICENSE for information about licensing. 
*/ int radsecproxy_main(int argc, char **argv); int main(int argc, char **argv) { return radsecproxy_main(argc, argv); } radsecproxy-1.6.2/dtls.h0000664000175100017510000000061212042223225012120 00000000000000/* * Copyright (C) 2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ const struct protodefs *dtlsinit(uint8_t h); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/compile0000775000175100017510000000727112042223225012367 00000000000000#! /bin/sh # Wrapper for compilers which do not understand `-c -o'. scriptversion=2009-10-06.20; # UTC # Copyright (C) 1999, 2000, 2003, 2004, 2005, 2009 Free Software # Foundation, Inc. # Written by Tom Tromey . # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # This file is maintained in Automake, please report # bugs to or send patches to # . case $1 in '') echo "$0: No command. Try \`$0 --help' for more information." 
1>&2 exit 1; ;; -h | --h*) cat <<\EOF Usage: compile [--help] [--version] PROGRAM [ARGS] Wrapper for compilers which do not understand `-c -o'. Remove `-o dest.o' from ARGS, run PROGRAM with the remaining arguments, and rename the output as expected. If you are trying to build a whole package this is not the right script to run: please start by reading the file `INSTALL'. Report bugs to . EOF exit $? ;; -v | --v*) echo "compile $scriptversion" exit $? ;; esac ofile= cfile= eat= for arg do if test -n "$eat"; then eat= else case $1 in -o) # configure might choose to run compile as `compile cc -o foo foo.c'. # So we strip `-o arg' only if arg is an object. eat=1 case $2 in *.o | *.obj) ofile=$2 ;; *) set x "$@" -o "$2" shift ;; esac ;; *.c) cfile=$1 set x "$@" "$1" shift ;; *) set x "$@" "$1" shift ;; esac fi shift done if test -z "$ofile" || test -z "$cfile"; then # If no `-o' option was seen then we might have been invoked from a # pattern rule where we don't need one. That is ok -- this is a # normal compilation that the losing compiler can handle. If no # `.c' file was seen then we are probably linking. That is also # ok. exec "$@" fi # Name of file we expect compiler to create. cofile=`echo "$cfile" | sed 's|^.*[\\/]||; s|^[a-zA-Z]:||; s/\.c$/.o/'` # Create the lock directory. # Note: use `[/\\:.-]' here to ensure that we don't use the same name # that we are using for the .o file. Also, base the name on the expected # object file name, since that is what matters with a parallel build. lockdir=`echo "$cofile" | sed -e 's|[/\\:.-]|_|g'`.d while true; do if mkdir "$lockdir" >/dev/null 2>&1; then break fi sleep 1 done # FIXME: race condition here if user kills between mkdir and trap. trap "rmdir '$lockdir'; exit 1" 1 2 15 # Run the compile. "$@" ret=$? 
if test -f "$cofile"; then test "$cofile" = "$ofile" || mv "$cofile" "$ofile" elif test -f "${cofile}bj"; then test "${cofile}bj" = "$ofile" || mv "${cofile}bj" "$ofile" fi rmdir "$lockdir" exit $ret # Local Variables: # mode: shell-script # sh-indentation: 2 # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: radsecproxy-1.6.2/debug.h0000664000175100017510000000210412042223225012236 00000000000000/* * Copyright (C) 2007 Stig Venaas * Copyright (C) 2010,2011 NORDUnet A/S * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ #ifndef SYS_SOLARIS9 #include #endif #define DBG_DBG 8 #define DBG_INFO 16 #define DBG_NOTICE 32 #define DBG_WARN 64 #define DBG_ERR 128 #define LOG_TYPE_DEBUG 0 #define LOG_TYPE_FTICKS 1 void debug_init(char *ident); void debug_set_level(uint8_t level); void debug_timestamp_on(); uint8_t debug_get_level(); void debug(uint8_t level, char *format, ...); void debugx(int status, uint8_t level, char *format, ...); void debugerrno(int err, uint8_t level, char *format, ...); void debugerrnox(int err, uint8_t level, char *format, ...); int debug_set_destination(char *dest, int log_type); void debug_reopen_log(); #if defined(WANT_FTICKS) void fticks_debug(const char *format, ...); #endif /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/THANKS0000664000175100017510000000130012042223225011707 00000000000000Thanks to Stefan Winter and Andreas Solberg for talking me into doing this, and the funding from GEANT2. Stefan as well as Kolbjørn Barmen, Ralf Paffrath and Maja Wolniewicz have helped with early testing of the code. Thanks for contributing code goes to Arne Schwabe, Maja Wolniewicz, Simon Leinen and Stefan Winter. 
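All of the above plus Milan Sova have provided good feedback on several implementation choices. Finally thanks to Hans Zandbelt for providing the autoconf stuff. I may have forgotten someone, let me know if you feel left out. For more information, feedback etc. please see the information at http://software.uninett.no/radsecproxy/ Stig Venaas -- 2009.07.22
radsecproxy-1.6.2/catgconf.c0000664000175100017510000000370412042223225012736 00000000000000
/*
 * Copyright (C) 2008 Stig Venaas 
 * Copyright (C) 2010,2011,2012 NORDUnet A/S
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 */

/* The system header names were missing from this listing; these four are the
 * ones the calls below need (printf, free/exit, strcasecmp, getopt). */
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include "debug.h"
#include "gconfig.h"

/*
 * Print the options read from the configuration stream *cf.
 *
 * cf      - configuration stream, handed to getconfigline() and
 *           pushgconfpaths().
 * block   - name of the enclosing block, or NULL at top level; selects the
 *           indented or compact layout for string options.
 * compact - non-zero prints options inside a block as "opt=val;" and keeps
 *           the opening brace of a block on the same line as its contents.
 *
 * A string option named "include" is followed through pushgconfpaths()
 * rather than printed. Returns 0 when getconfigline() succeeds without
 * yielding an option (presumably end of block or input), and -1 when
 * getconfigline() fails or an option has an unsupported type.
 */
int listconfig(struct gconffile **cf, char *block, int compact) {
    char *opt = NULL, *val = NULL;
    int conftype;

    for (;;) {
	/* Release the pair returned by the previous iteration. */
	free(opt);
	free(val);
	/* Ownership of opt/val after a failed or empty read is not visible
	 * here, so these two exits leave them alone, as before. */
	if (!getconfigline(cf, block, &opt, &val, &conftype))
	    return -1;
	if (!opt)
	    return 0;		/* Success. */

	if (conftype == CONF_STR && !strcasecmp(opt, "include")) {
	    if (!pushgconfpaths(cf, val))
		debugx(1, DBG_ERR, "failed to include config file %s", val);
	    continue;
	}

	switch (conftype) {
	case CONF_STR:
	    if (block)
		printf(compact ? "%s=%s;" : "\t%s=%s\n", opt, val);
	    else
		printf("%s=%s\n", opt, val);
	    break;
	case CONF_CBK:
	    printf("%s %s {%s", opt, val, compact ? "" : "\n");
	    if (listconfig(cf, val, compact)) {
		/* The pair is still owned here; do not leak it on error. */
		free(opt);
		free(val);
		return -1;
	    }
	    printf("}\n");
	    break;
	default:
	    printf("Unsupported config type\n");
	    free(opt);
	    free(val);
	    return -1;
	}
    }
}

/*
 * Entry point: "prog [ -c ] configfile" prints the parsed configuration;
 * -c selects the compact layout. The exit status is listconfig()'s return
 * value, or 1 after a usage error.
 */
int main(int argc, char **argv) {
    int c, compact = 0;
    struct gconffile *cfs;

    debug_init("radsecproxy-conf");
    debug_set_level(DBG_WARN);

    while ((c = getopt(argc, argv, "c")) != -1) {
	switch (c) {
	case 'c':
	    compact = 1;
	    break;
	default:
	    goto usage;
	}
    }
    if (argc - optind != 1)
	goto usage;

    /* NOTE(review): the result of openconfigfile() is used unchecked;
     * confirm that it never returns NULL on failure. */
    cfs = openconfigfile(argv[optind]);
    return listconfig(&cfs, NULL, compact);

usage:
    debug(DBG_ERR, "Usage:\n%s [ -c ] configfile", argv[0]);
    exit(1);
}

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/debug.c0000664000175100017510000001407212042223225012240 00000000000000
/*
 * Copyright (C) 2007 Stig Venaas 
 * Copyright (C) 2010,2011 NORDUnet A/S
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 */

/* The system header names were missing from this listing; the ones below are
 * those the code in this file needs. */
#ifndef SYS_SOLARIS9
#include <stdint.h>
#endif
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <strings.h>
#include <time.h>
#include <sys/time.h>
#include <syslog.h>
#include <errno.h>
#include <assert.h>
#include "debug.h"
#include "util.h"

static char *debug_ident = NULL;
static uint8_t debug_level = DBG_INFO;
static char *debug_filepath = NULL;
static FILE *debug_file = NULL;
static int debug_syslogfacility = 0;
#if defined(WANT_FTICKS)
static int fticks_syslogfacility = 0;
#endif
static uint8_t debug_timestamp = 0;

/* Size of the buffer that receives the strerror_r() text. */
#define DEBUG_ERRTEXT_MAX 1024

/* Start logging to unbuffered stderr and remember ident, which is later
 * passed to openlog(). The pointer is stored, not copied. */
void debug_init(char *ident) {
    debug_file = stderr;
    setvbuf(debug_file, NULL, _IONBF, 0);
    debug_ident = ident;
}

/* Map the numeric level 1..5 to DBG_ERR..DBG_DBG; any other value leaves
 * the current level unchanged. */
void debug_set_level(uint8_t level) {
    switch (level) {
    case 1:
	debug_level = DBG_ERR;
	return;
    case 2:
	debug_level = DBG_WARN;
	return;
    case 3:
	debug_level = DBG_NOTICE;
	return;
    case 4:
	debug_level = DBG_INFO;
	return;
    case 5:
	debug_level = DBG_DBG;
	return;
    }
}

/* Prefix messages written to the log file or stderr with a timestamp. */
void debug_timestamp_on() {
    debug_timestamp = 1;
}

/* Return the current threshold as a DBG_* value. */
uint8_t debug_get_level() {
    return debug_level;
}

/*
 * Select where log output goes.
 *
 * dest     - "file:///path", "x-syslog://FACILITY", or, when log_type is
 *            LOG_TYPE_FTICKS, a bare facility name.
 * log_type - LOG_TYPE_FTICKS selects the F-Ticks facility instead of the
 *            general one; F-Ticks output to a file is refused with a warning.
 *
 * Returns 1 on success. An unknown destination, an unknown facility or a
 * log file that cannot be opened terminates the process.
 */
int debug_set_destination(char *dest, int log_type) {
    /* One table for names and values, so the two cannot drift apart. */
    static const struct {
	const char *name;
	int value;
    } facilities[] = {
	{ "LOG_DAEMON", LOG_DAEMON },
	{ "LOG_MAIL", LOG_MAIL },
	{ "LOG_USER", LOG_USER },
	{ "LOG_LOCAL0", LOG_LOCAL0 },
	{ "LOG_LOCAL1", LOG_LOCAL1 },
	{ "LOG_LOCAL2", LOG_LOCAL2 },
	{ "LOG_LOCAL3", LOG_LOCAL3 },
	{ "LOG_LOCAL4", LOG_LOCAL4 },
	{ "LOG_LOCAL5", LOG_LOCAL5 },
	{ "LOG_LOCAL6", LOG_LOCAL6 },
	{ "LOG_LOCAL7", LOG_LOCAL7 }
    };
    const size_t nfacilities = sizeof(facilities) / sizeof(facilities[0]);
    size_t i;

    if (!strncasecmp(dest, "file:///", 8)) {
	if (log_type != LOG_TYPE_FTICKS) {
	    /* dest + 7 keeps the leading '/' of the path. */
	    debug_filepath = stringcopy(dest + 7, 0);
	    /* presumably stringcopy() returns NULL when it cannot allocate;
	     * fopen(NULL, ...) would be undefined behaviour. */
	    if (!debug_filepath)
		debugx(1, DBG_ERR, "Failed to copy logfile path");
	    /* NOTE(review): fopen(..., "a") follows symbolic links and
	     * creates the file with the process umask, so the log directory
	     * should be writable only by the account running the proxy. */
	    debug_file = fopen(debug_filepath, "a");
	    if (!debug_file) {
		int saved_errno = errno;

		debug_file = stderr;
		debugx(1, DBG_ERR, "Failed to open logfile %s\n%s",
		       debug_filepath, strerror(saved_errno));
	    }
	    setvbuf(debug_file, NULL, _IONBF, 0);
	} else {
	    debug(DBG_WARN, "FTicksSyslogFacility starting with file:/// not "
		  "permitted, assuming default F-Ticks destination");
	}
	return 1;
    }
    if (!strncasecmp(dest, "x-syslog://", 11) || log_type == LOG_TYPE_FTICKS) {
	if (!strncasecmp(dest, "x-syslog://", 11)) {
	    dest += 11;
	    if (*dest == '/')
		dest++;
	}
	if (*dest) {
	    for (i = 0; i < nfacilities; i++)
		if (!strcasecmp(dest, facilities[i].name))
		    break;
	    /* debugx() does not return, so i is a valid index below. */
	    if (i == nfacilities)
		debugx(1, DBG_ERR, "Unknown syslog facility %s", dest);
	    if (log_type != LOG_TYPE_FTICKS)
		debug_syslogfacility = facilities[i].value;
#if defined(WANT_FTICKS)
	    else if (log_type == LOG_TYPE_FTICKS)
		fticks_syslogfacility = facilities[i].value;
#endif
	} else {
	    if (log_type != LOG_TYPE_FTICKS)
		debug_syslogfacility = LOG_DAEMON;
#if defined(WANT_FTICKS)
	    else if (log_type == LOG_TYPE_FTICKS)
		fticks_syslogfacility = 0;
#endif
	}
	openlog(debug_ident, LOG_PID, debug_syslogfacility);
	return 1;
    }
    debug(DBG_ERR, "Unknown log destination, exiting %s", dest);
    exit(1);
}

/* Close and reopen the log file named by debug_set_destination(); does
 * nothing when no file destination is configured. Falls back to stderr when
 * the file cannot be reopened. */
void debug_reopen_log() {
    /* not a file, noop, return success */
    if (!debug_filepath) {
	debug(DBG_ERR, "skipping reopen");
	return;
    }

    if (debug_file != stderr)
	fclose(debug_file);

    debug_file = fopen(debug_filepath, "a");
    if (debug_file)
	debug(DBG_ERR, "Reopened logfile %s", debug_filepath);
    else {
	int saved_errno = errno;

	debug_file = stderr;
	debug(DBG_ERR, "Failed to open logfile %s, using stderr\n%s",
	      debug_filepath, strerror(saved_errno));
    }
    setvbuf(debug_file, NULL, _IONBF, 0);
}

/*
 * Emit one message, to syslog when a syslog facility is configured and to
 * the log file or stderr otherwise. No level filtering happens here; the
 * callers do that. format is used as a printf format string, so callers
 * must never pass text taken from the network as format.
 */
void debug_logit(uint8_t level, const char *format, va_list ap) {
    if (debug_syslogfacility) {
	int priority;

	switch (level) {
	case DBG_DBG:
	    priority = LOG_DEBUG;
	    break;
	case DBG_INFO:
	    priority = LOG_INFO;
	    break;
	case DBG_NOTICE:
	    priority = LOG_NOTICE;
	    break;
	case DBG_WARN:
	    priority = LOG_WARNING;
	    break;
	case DBG_ERR:
	    priority = LOG_ERR;
	    break;
	default:
	    priority = LOG_DEBUG;
	}
	vsyslog(priority, format, ap);
	return;
    }

    if (debug_timestamp) {
	struct timeval now;
	char timebuf[32];	/* ctime_r() needs at least 26 bytes */
	time_t secs;
	size_t n;

	gettimeofday(&now, NULL);
	secs = now.tv_sec;
	/* Skip the timestamp rather than read an unset buffer when
	 * ctime_r() fails. */
	if (ctime_r(&secs, timebuf) && (n = strlen(timebuf)) > 4) {
	    timebuf[n - 1] = '\0';	/* drop the trailing newline */
	    fprintf(debug_file, "%s: ", timebuf + 4);	/* skip the weekday */
	}
    }
    vfprintf(debug_file, format, ap);
    fprintf(debug_file, "\n");
}

/* Log a message when level is at or above the configured threshold. */
void debug(uint8_t level, char *format, ...) {
    va_list ap;

    if (level < debug_level)
	return;
    va_start(ap, format);
    debug_logit(level, format, ap);
    va_end(ap);
}

/* Like debug(), then exit with status. The exit happens even when the
 * message is below the threshold and is not logged. */
void debugx(int status, uint8_t level, char *format, ...) {
    if (level >= debug_level) {
	va_list ap;

	va_start(ap, format);
	debug_logit(level, format, ap);
	va_end(ap);
    }
    exit(status);
}

/* Variadic front end to debug_logit() for fixed format strings. */
static void debug_logf(uint8_t level, const char *format, ...) {
    va_list ap;

    va_start(ap, format);
    debug_logit(level, format, ap);
    va_end(ap);
}

/*
 * Log "<formatted message>: <text for err>".
 *
 * The message is rendered first and the error text is passed as a "%s"
 * argument, so the error text is never interpreted as a format string.
 * When the message cannot be rendered it is logged without the error text.
 */
static void debug_vlogerrno(int err, uint8_t level, const char *format,
			    va_list ap) {
    char errtext[DEBUG_ERRTEXT_MAX];
    char *msg = NULL;
    va_list sizing;
    int need;

    va_copy(sizing, ap);
    need = vsnprintf(NULL, 0, format, sizing);
    va_end(sizing);

    if (need >= 0)
	msg = malloc((size_t) need + 1);
    if (!msg) {
	/* ap has not been consumed on this path. */
	debug_logit(level, format, ap);
	return;
    }
    vsnprintf(msg, (size_t) need + 1, format, ap);

    /* Assumes the XSI strerror_r() that returns 0 on success; with a variant
     * that returns a pointer the error text is left out, which matches what
     * the previous code did in that case. */
    if (strerror_r(err, errtext, sizeof(errtext)))
	debug_logf(level, "%s", msg);
    else
	debug_logf(level, "%s: %s", msg, errtext);
    free(msg);
}

/* Log a message followed by the error text for err, when level is at or
 * above the configured threshold. */
void debugerrno(int err, uint8_t level, char *format, ...) {
    va_list ap;

    if (level < debug_level)
	return;
    va_start(ap, format);
    debug_vlogerrno(err, level, format, ap);
    va_end(ap);
}

/* Like debugerrno(), then exit with err as the status. The va_list goes to
 * the shared helper; passing it through debugerrno()'s "..." would make the
 * format read it as if it were the first argument. */
void debugerrnox(int err, uint8_t level, char *format, ...) {
    if (level >= debug_level) {
	va_list ap;

	va_start(ap, format);
	debug_vlogerrno(err, level, format, ap);
	va_end(ap);
    }
    exit(err);
}

#if defined(WANT_FTICKS)
/* Emit an F-Ticks line: through debug_logit() when neither syslog facility
 * is set, otherwise to syslog at LOG_DEBUG with the F-Ticks facility. */
void fticks_debug(const char *format, ...) {
    va_list ap;

    va_start(ap, format);
    if (!debug_syslogfacility && !fticks_syslogfacility)
	debug_logit(0xff, format, ap);
    else
	vsyslog(LOG_DEBUG | fticks_syslogfacility, format, ap);
    va_end(ap);		/* needed on both paths */
}
#endif

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/radsecproxy.h0000664000175100017510000001436512042223225013527 00000000000000/* * Copyright (C) 2006-2009 Stig Venaas * Copyright (C) 2010,2011,2012 NORDUnet A/S * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ #include #include #include #include #include "list.h" #include "tlv11.h" #include "radmsg.h" #include "gconfig.h" #define DEBUG_LEVEL 2 #define CONFIG_MAIN SYSCONFDIR"/radsecproxy.conf" /* MAX_REQUESTS must be 256 due to Radius' 8 bit ID field */ #define MAX_REQUESTS 256 #define REQUEST_RETRY_INTERVAL 5 #define REQUEST_RETRY_COUNT 2 #define DUPLICATE_INTERVAL REQUEST_RETRY_INTERVAL * REQUEST_RETRY_COUNT #define MAX_CERT_DEPTH 5 #define STATUS_SERVER_PERIOD 25 #define IDLE_TIMEOUT 300 /* 27262 is vendor DANTE Ltd. */ #define DEFAULT_TTL_ATTR "27262:1" #define RAD_UDP 0 #define RAD_TLS 1 #define RAD_TCP 2 #define RAD_DTLS 3 #define RAD_PROTOCOUNT 4 enum rsp_fticks_reporting_type { RSP_FTICKS_REPORTING_NONE = 0, /* Default. */ RSP_FTICKS_REPORTING_BASIC, RSP_FTICKS_REPORTING_FULL }; enum rsp_fticks_mac_type { RSP_FTICKS_MAC_STATIC = 0, RSP_FTICKS_MAC_ORIGINAL, RSP_FTICKS_MAC_VENDOR_HASHED, RSP_FTICKS_MAC_VENDOR_KEY_HASHED, /* Default.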
*/ RSP_FTICKS_MAC_FULLY_HASHED, RSP_FTICKS_MAC_FULLY_KEY_HASHED }; struct options { char *pidfile; char *logdestination; char *ftickssyslogfacility; char *ttlattr; uint32_t ttlattrtype[2]; uint8_t addttl; uint8_t loglevel; uint8_t loopprevention; enum rsp_fticks_reporting_type fticks_reporting; enum rsp_fticks_mac_type fticks_mac; uint8_t *fticks_key; uint8_t ipv4only; uint8_t ipv6only; }; struct commonprotoopts { char **listenargs; char *sourcearg; }; struct request { struct timeval created; uint32_t refcount; uint8_t *buf, *replybuf; struct radmsg *msg; struct client *from; struct server *to; char *origusername; uint8_t rqid; uint8_t rqauth[16]; uint8_t newid; int udpsock; /* only for UDP */ uint16_t udpport; /* only for UDP */ }; /* requests that our client will send */ struct rqout { pthread_mutex_t *lock; struct request *rq; uint8_t tries; struct timeval expiry; }; struct gqueue { struct list *entries; pthread_mutex_t mutex; pthread_cond_t cond; }; struct clsrvconf { char *name; uint8_t type; /* RAD_UDP/RAD_TLS/RAD_TCP */ const struct protodefs *pdef; char **hostsrc; int hostaf; char *portsrc; struct list *hostports; char *secret; char *tls; char *matchcertattr; regex_t *certcnregex; regex_t *certuriregex; char *confrewritein; char *confrewriteout; char *confrewriteusername; struct modattr *rewriteusername; char *dynamiclookupcommand; uint8_t statusserver; uint8_t retryinterval; uint8_t retrycount; uint8_t dupinterval; uint8_t certnamecheck; uint8_t addttl; uint8_t loopprevention; struct rewrite *rewritein; struct rewrite *rewriteout; pthread_mutex_t *lock; /* only used for updating clients so far */ struct tls *tlsconf; struct list *clients; struct server *servers; char *fticks_viscountry; char *fticks_visinst; }; #include "tlscommon.h" struct client { struct clsrvconf *conf; int sock; SSL *ssl; struct request *rqs[MAX_REQUESTS]; struct gqueue *replyq; struct gqueue *rbios; /* for dtls */ struct sockaddr *addr; time_t expiry; /* for udp */ }; struct server { 
struct clsrvconf *conf; int sock; SSL *ssl; pthread_mutex_t lock; pthread_t clientth; uint8_t clientrdgone; struct timeval lastconnecttry; struct timeval lastreply; uint8_t connectionok; uint8_t lostrqs; uint8_t dynstartup; uint8_t dynfailing; #if defined ENABLE_EXPERIMENTAL_DYNDISC uint8_t in_use; #endif char *dynamiclookuparg; int nextid; struct timeval lastrcv; struct rqout *requests; uint8_t newrq; pthread_mutex_t newrq_mutex; pthread_cond_t newrq_cond; struct gqueue *rbios; /* for dtls */ }; struct realm { char *name; char *message; uint8_t accresp; regex_t regex; uint32_t refcount; pthread_mutex_t mutex; struct realm *parent; struct list *subrealms; struct list *srvconfs; struct list *accsrvconfs; }; struct modattr { uint8_t t; char *replacement; regex_t *regex; }; struct rewrite { uint8_t *removeattrs; uint32_t *removevendorattrs; struct list *addattrs; struct list *modattrs; }; struct protodefs { char *name; char *secretdefault; int socktype; char *portdefault; uint8_t retrycountdefault; uint8_t retrycountmax; uint8_t retryintervaldefault; uint8_t retryintervalmax; uint8_t duplicateintervaldefault; void (*setprotoopts)(struct commonprotoopts *); char **(*getlistenerargs)(); void *(*listener)(void*); int (*connecter)(struct server *, struct timeval *, int, char *); void *(*clientconnreader)(void*); int (*clientradput)(struct server *, unsigned char *); void (*addclient)(struct client *); void (*addserverextra)(struct clsrvconf *); void (*setsrcres)(); void (*initextra)(); }; #define RADLEN(x) ntohs(((uint16_t *)(x))[1]) #define ATTRTYPE(x) ((x)[0]) #define ATTRLEN(x) ((x)[1]) #define ATTRVAL(x) ((x) + 2) #define ATTRVALLEN(x) ((x)[1] - 2) struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur); struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur); struct clsrvconf *find_clconf_type(uint8_t type, struct list_node **cur); struct client *addclient(struct clsrvconf *conf, uint8_t lock); 
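void removelockedclient(struct client *client); void removeclient(struct client *client); struct gqueue *newqueue(); void freebios(struct gqueue *q); struct request *newrequest(); void freerq(struct request *rq); int radsrv(struct request *rq); void replyh(struct server *server, unsigned char *buf); struct addrinfo *resolve_hostport_addrinfo(uint8_t type, char *hostport); uint8_t *radattr2ascii(struct tlv *attr); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */
radsecproxy-1.6.2/tools/0000775000175100017510000000000012042223271012223 500000000000000radsecproxy-1.6.2/tools/radsec-dynsrv.sh0000775000175100017510000000232112042223225015263 00000000000000
#! /bin/sh

# Example script!
# This script looks up radsec srv records in DNS for the one
# realm given as argument, and creates a server template based
# on that. It currently ignores weight markers, but does sort
# servers on priority marker, lowest number first.
# For host command this is column 5, for dig it is column 1.
#
# The realm argument and every DNS answer are untrusted input that ends up
# inside the generated server block. Anything that is not a plain host name
# or a decimal port is dropped, and values are passed to printf as arguments,
# never as part of the format string.

usage() {
    echo "Usage: ${0} "
    exit 1
}

# True for a non-empty name made only of letters, digits, '.', '_' and '-'
# that does not start with '-' (so it cannot be taken for an option).
validhost() {
    case "${1}" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# True for a decimal port number between 1 and 65535.
validport() {
    case "${1}" in
        ""|*[!0-9]*) return 1 ;;
    esac
    test "${#1}" -le 5 && test "${1}" -ge 1 && test "${1}" -le 65535
}

# Print one "host name:port" line; $1 is the port, $2 the SRV target.
# Answers that fail validation are skipped.
print_server() {
    validport "${1}" || return 0
    validhost "${2%.}" || return 0
    "${PRINTCMD}" '\thost %s:%s\n' "${2%.}" "${1}"
}

test -n "${1}" || usage
validhost "${1}" || usage

REALM="${1}"
# The listing looked for "digaaa" here, which never matches an installed dig
# and so disabled the dig path; the error message below expects "dig".
DIGCMD=$(command -v dig)
HOSTCMD=$(command -v host)
PRINTCMD=$(command -v printf)

dig_it() {
    # dig +short prints: priority weight port target
    "${DIGCMD}" +short srv "_radsec._tcp.${REALM}" | sort -n -k1 |
    while read -r PRIO WEIGHT PORT HOST REST ; do
        print_server "${PORT}" "${HOST}"
    done
}

host_it() {
    # host prints four words before: priority weight port target
    "${HOSTCMD}" -t srv "_radsec._tcp.${REALM}" | sort -n -k5 |
    while read -r NAME HAS RRTYPE RECORD PRIO WEIGHT PORT HOST REST ; do
        print_server "${PORT}" "${HOST}"
    done
}

if test -x "${DIGCMD}" ; then
    SERVERS=$(dig_it)
elif test -x "${HOSTCMD}" ; then
    SERVERS=$(host_it)
else
    echo "${0} requires either \"dig\" or \"host\" command."
    exit 1
fi

if test -n "${SERVERS}" ; then
    "${PRINTCMD}" 'server dynamic_radsec.%s {\n%s\n\ttype TLS\n}\n' "${REALM}" "${SERVERS}"
    exit 0
fi

exit 10				# No server found.
radsecproxy-1.6.2/tools/naptr-eduroam.sh0000775000175100017510000000327312042223225015264 00000000000000
#! /bin/sh

# Example script!
# This script looks up radsec srv records in DNS for the one
# realm given as argument, and creates a server template based
# on that. It currently ignores weight markers, but does sort
# servers on priority marker, lowest number first.
# For host command this is column 5, for dig it is column 1.
#
# The realm argument and every DNS answer are untrusted input that ends up
# inside the generated server block. Anything that is not a plain host name
# or a decimal port is dropped, and values are passed to printf as arguments,
# never as part of the format string.

usage() {
    echo "Usage: ${0} "
    exit 1
}

# True for a non-empty name made only of letters, digits, '.', '_' and '-'
# that does not start with '-' (so it cannot be taken for an option).
validhost() {
    case "${1}" in
        ""|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# True for a decimal port number between 1 and 65535.
validport() {
    case "${1}" in
        ""|*[!0-9]*) return 1 ;;
    esac
    test "${#1}" -le 5 && test "${1}" -ge 1 && test "${1}" -le 65535
}

# Print one "host name:port" line; $1 is the port, $2 the SRV target.
# Answers that fail validation are skipped.
print_server() {
    validport "${1}" || return 0
    validhost "${2%.}" || return 0
    "${PRINTCMD}" '\thost %s:%s\n' "${2%.}" "${1}"
}

test -n "${1}" || usage
validhost "${1}" || usage

REALM="${1}"
DIGCMD=$(command -v dig)
HOSTCMD=$(command -v host)
PRINTCMD=$(command -v printf)

dig_it_srv() {
    # dig +short prints: priority weight port target
    "${DIGCMD}" +short srv "${SRV_HOST}" | sort -n -k1 |
    while read -r PRIO WEIGHT PORT HOST REST; do
        print_server "${PORT}" "${HOST}"
    done
}

dig_it_naptr() {
    # dig +short prints: order preference flags service regexp replacement
    "${DIGCMD}" +short naptr "${REALM}" | grep x-eduroam:radius.tls | sort -n -k1 |
    while read -r ORDER PREF TYPE SERVICE REGEXP HOST REST; do
        case "${TYPE}" in
            '"s"'|'"S"')
                SRV_HOST=${HOST%.}
                # The replacement name comes from DNS; check it before it
                # is used in a further lookup.
                validhost "${SRV_HOST}" && dig_it_srv
                ;;
        esac
    done
}

host_it_srv() {
    # host prints four words before: priority weight port target
    "${HOSTCMD}" -t srv "${SRV_HOST}" | sort -n -k5 |
    while read -r NAME HAS RRTYPE RECORD PRIO WEIGHT PORT HOST REST; do
        print_server "${PORT}" "${HOST}"
    done
}

host_it_naptr() {
    # host prints four words before: order preference flags service regexp
    # replacement
    "${HOSTCMD}" -t naptr "${REALM}" | grep x-eduroam:radius.tls | sort -n -k5 |
    while read -r NAME HAS RRTYPE RECORD ORDER PREF TYPE SERVICE REGEXP HOST REST; do
        case "${TYPE}" in
            '"s"'|'"S"')
                SRV_HOST=${HOST%.}
                validhost "${SRV_HOST}" && host_it_srv
                ;;
        esac
    done
}

if [ -x "${DIGCMD}" ]; then
    SERVERS=$(dig_it_naptr)
elif [ -x "${HOSTCMD}" ]; then
    SERVERS=$(host_it_naptr)
else
    echo "${0} requires either \"dig\" or \"host\" command."
    exit 1
fi

if [ -n "${SERVERS}" ]; then
    "${PRINTCMD}" 'server dynamic_radsec.%s {\n%s\n\ttype TLS\n}\n' "${REALM}" "${SERVERS}"
    exit 0
fi

exit 10				# No server found.
radsecproxy-1.6.2/tools/README0000664000175100017510000000270112042223225013022 00000000000000Mail[1] to the radsecproxy mailing list Wed, 14 Apr 2010 from Stefan Winter explaining the radsec-dynsrv.sh and naptr-eduroam.sh scripts. ------------------------------------------------------------ Hi, the radsec-dynsrv.sh script right now looks up _radsec._tcp.$REALM.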
For eduroam, the production discovery will rely on S-NAPTRs of "s" type and subsequent SRVs. I have attached a preliminary version of the discovery script which takes this logic into account. It could use some public scrutiny (where "public" might very well evaluate to Kolbjørn Barmen, who wrote the SRV script and knows much more about bash scripting than I do *cough cough*). As with the other script, you call naptr-eduroam.sh If you need a test case, the DNS domain restena.lu has the NAPTR and the SRV record live in place. On my system, you get: > ./naptr-eduroam.sh restena.lu server dynamic_radsec.restena.lu { host radius-1.restena.lu:2083 type TLS } with our live DNS data (radius-1.restena.lu isn't really production-ready yet though). If you're curious, the S-NAPTR for eduroam right now is x-eduroam:radius.tls with a possibility of a later IETF allocation of either aaa:radius.tls (probable) eduroam:radius.tls (wishful thinking) , in which case changing the script to use the new ones is trivial. 
Greetings, Stefan Winter ------------------------------------------------------------ [1] https://postlister.uninett.no/sympa/arc/radsecproxy/2010-04/msg00011.html radsecproxy-1.6.2/gconfig.h0000664000175100017510000000154312042223225012572 00000000000000#define CONF_STR 1 #define CONF_CBK 2 #define CONF_MSTR 3 #define CONF_BLN 4 #define CONF_LINT 5 #include struct gconffile { char *path; FILE *file; const char *data; size_t datapos; }; int getconfigline(struct gconffile **cf, char *block, char **opt, char **val, int *conftype); int getgenericconfig(struct gconffile **cf, char *block, ...); int pushgconfdata(struct gconffile **cf, const char *data); FILE *pushgconfpath(struct gconffile **cf, const char *path); FILE *pushgconffile(struct gconffile **cf, FILE *file, const char *description); FILE *pushgconfpaths(struct gconffile **cf, const char *path); int popgconf(struct gconffile **cf); void freegconfmstr(char **mstr); void freegconf(struct gconffile **cf); struct gconffile *openconfigfile(const char *file); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/list.h0000664000175100017510000000245312042223225012132 00000000000000/* * Copyright (C) 2006-2009 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
*/ #ifdef SYS_SOLARIS9 #include #else #include #endif struct list_node { struct list_node *next; void *data; }; struct list { struct list_node *first, *last; uint32_t count; }; /* allocates and initialises list structure; returns NULL if malloc fails */ struct list *list_create(); /* frees all memory associated with the list */ void list_destroy(struct list *list); /* appends entry to list; returns 1 if ok, 0 if malloc fails */ int list_push(struct list *list, void *data); /* removes first entry from list and returns data */ void *list_shift(struct list *list); /* removes first entry with matching data pointer */ void list_removedata(struct list *list, void *data); /* returns first node */ struct list_node *list_first(struct list *list); /* returns the next node after the argument */ struct list_node *list_next(struct list_node *node); /* returns number of nodes */ uint32_t list_count(struct list *list); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/tests/0000775000175100017510000000000012042223271012225 500000000000000radsecproxy-1.6.2/tests/Makefile.in0000664000175100017510000003673212042223267014232 00000000000000# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, # 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, # Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. 
@SET_MAKE@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ pkglibdir = $(libdir)/@PACKAGE@ pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c install_sh_SCRIPT = $(install_sh) -c INSTALL_HEADER = $(INSTALL_DATA) transform = $(program_transform_name) NORMAL_INSTALL = : PRE_INSTALL = : POST_INSTALL = : NORMAL_UNINSTALL = : PRE_UNINSTALL = : POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ target_triplet = @target@ check_PROGRAMS = $(am__EXEEXT_1) subdir = tests DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \ $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) mkinstalldirs = $(install_sh) -d CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = @WANT_FTICKS_TRUE@am__EXEEXT_1 = t_fticks$(EXEEXT) t_fticks_SOURCES = t_fticks.c t_fticks_OBJECTS = t_fticks.$(OBJEXT) t_fticks_LDADD = $(LDADD) t_fticks_DEPENDENCIES = $(top_builddir)/librsp.a DEFAULT_INCLUDES = -I.@am__isrc@ depcomp = $(SHELL) $(top_srcdir)/depcomp am__depfiles_maybe = depfiles am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) CCLD = $(CC) LINK = $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ SOURCES = t_fticks.c DIST_SOURCES = t_fticks.c ETAGS = etags CTAGS = ctags am__tty_colors = \ red=; grn=; lgn=; blu=; std= DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ AUTOCONF = @AUTOCONF@ AUTOHEADER = @AUTOHEADER@ AUTOMAKE = @AUTOMAKE@ AWK = @AWK@ CC = @CC@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CPPFLAGS = @CPPFLAGS@ CYGPATH_W = @CYGPATH_W@ DEFS = @DEFS@ DEPDIR = @DEPDIR@ DOCBOOK2X_MAN = @DOCBOOK2X_MAN@ ECHO_C = @ECHO_C@ ECHO_N = 
@ECHO_N@ ECHO_T = @ECHO_T@ EXEEXT = @EXEEXT@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ INSTALL_SCRIPT = @INSTALL_SCRIPT@ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ LDFLAGS = @LDFLAGS@ LIBOBJS = @LIBOBJS@ LIBS = @LIBS@ LTLIBOBJS = @LTLIBOBJS@ MAKEINFO = @MAKEINFO@ MKDIR_P = @MKDIR_P@ OBJEXT = @OBJEXT@ PACKAGE = @PACKAGE@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ RANLIB = @RANLIB@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ SSL_CFLAGS = @SSL_CFLAGS@ SSL_LDFLAGS = @SSL_LDFLAGS@ SSL_LIBS = @SSL_LIBS@ STRIP = @STRIP@ TARGET_CFLAGS = @TARGET_CFLAGS@ TARGET_LDFLAGS = @TARGET_LDFLAGS@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ abs_top_builddir = @abs_top_builddir@ abs_top_srcdir = @abs_top_srcdir@ ac_ct_CC = @ac_ct_CC@ am__include = @am__include@ am__leading_dot = @am__leading_dot@ am__quote = @am__quote@ am__tar = @am__tar@ am__untar = @am__untar@ bindir = @bindir@ build = @build@ build_alias = @build_alias@ build_cpu = @build_cpu@ build_os = @build_os@ build_vendor = @build_vendor@ builddir = @builddir@ datadir = @datadir@ datarootdir = @datarootdir@ docdir = @docdir@ dvidir = @dvidir@ exec_prefix = @exec_prefix@ host = @host@ host_alias = @host_alias@ host_cpu = @host_cpu@ host_os = @host_os@ host_vendor = @host_vendor@ htmldir = @htmldir@ includedir = @includedir@ infodir = @infodir@ install_sh = @install_sh@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ pdfdir = @pdfdir@ prefix = @prefix@ program_transform_name = @program_transform_name@ psdir = @psdir@ sbindir = @sbindir@ sharedstatedir = @sharedstatedir@ srcdir = @srcdir@ sysconfdir = @sysconfdir@ target = @target@ target_alias 
= @target_alias@ target_cpu = @target_cpu@ target_os = @target_os@ target_vendor = @target_vendor@ top_build_prefix = @top_build_prefix@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ AUTOMAKE_OPTIONS = foreign @WANT_FTICKS_TRUE@fticks_programs = t_fticks AM_CFLAGS = -g -Wall -Werror @TARGET_CFLAGS@ LDADD = $(top_builddir)/librsp.a @SSL_LIBS@ TESTS = $(check_PROGRAMS) all: all-am .SUFFIXES: .SUFFIXES: .c .o .obj $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign tests/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign tests/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): clean-checkPROGRAMS: -test -z "$(check_PROGRAMS)" || rm -f $(check_PROGRAMS) t_fticks$(EXEEXT): $(t_fticks_OBJECTS) $(t_fticks_DEPENDENCIES) @rm -f t_fticks$(EXEEXT) $(LINK) $(t_fticks_OBJECTS) $(t_fticks_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) distclean-compile: -rm -f *.tab.c @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/t_fticks.Po@am__quote@ .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF 
$(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ shift; \ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ if test $$# -gt 0; then \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ "$$@" $$unique; \ else \ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ $$unique; \ fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if 
(nonempty) { for (i in files) print i; }; }'`; \ test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ && $(am__cd) $(top_srcdir) \ && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags check-TESTS: $(TESTS) @failed=0; all=0; xfail=0; xpass=0; skip=0; \ srcdir=$(srcdir); export srcdir; \ list=' $(TESTS) '; \ $(am__tty_colors); \ if test -n "$$list"; then \ for tst in $$list; do \ if test -f ./$$tst; then dir=./; \ elif test -f $$tst; then dir=; \ else dir="$(srcdir)/"; fi; \ if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xpass=`expr $$xpass + 1`; \ failed=`expr $$failed + 1`; \ col=$$red; res=XPASS; \ ;; \ *) \ col=$$grn; res=PASS; \ ;; \ esac; \ elif test $$? -ne 77; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ *[\ \ ]$$tst[\ \ ]*) \ xfail=`expr $$xfail + 1`; \ col=$$lgn; res=XFAIL; \ ;; \ *) \ failed=`expr $$failed + 1`; \ col=$$red; res=FAIL; \ ;; \ esac; \ else \ skip=`expr $$skip + 1`; \ col=$$blu; res=SKIP; \ fi; \ echo "$${col}$$res$${std}: $$tst"; \ done; \ if test "$$all" -eq 1; then \ tests="test"; \ All=""; \ else \ tests="tests"; \ All="All "; \ fi; \ if test "$$failed" -eq 0; then \ if test "$$xfail" -eq 0; then \ banner="$$All$$all $$tests passed"; \ else \ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ fi; \ else \ if test "$$xpass" -eq 0; then \ banner="$$failed of $$all $$tests failed"; \ else \ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ fi; \ fi; \ dashes="$$banner"; \ skipped=""; \ if test "$$skip" -ne 0; then \ if test "$$skip" -eq 1; then \ skipped="($$skip test was not run)"; \ else \ 
skipped="($$skip tests were not run)"; \ fi; \ test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$skipped"; \ fi; \ report=""; \ if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ report="Please report to $(PACKAGE_BUGREPORT)"; \ test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$report"; \ fi; \ dashes=`echo "$$dashes" | sed s/./=/g`; \ if test "$$failed" -eq 0; then \ echo "$$grn$$dashes"; \ else \ echo "$$red$$dashes"; \ fi; \ echo "$$banner"; \ test -z "$$skipped" || echo "$$skipped"; \ test -z "$$report" || echo "$$report"; \ echo "$$dashes$$std"; \ test "$$failed" -eq 0; \ else :; fi distdir: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ dist_files=`for file in $$list; do echo $$file; done | \ sed -e "s|^$$srcdirstrip/||;t" \ -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ case $$dist_files in \ */*) $(MKDIR_P) `echo "$$dist_files" | \ sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ sort -u` ;; \ esac; \ for file in $$dist_files; do \ if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ if test -d "$(distdir)/$$file"; then \ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ fi; \ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ test -f "$(distdir)/$$file" \ || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done check-am: all-am $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am all-am: Makefile installdirs: install: install-am install-exec: install-exec-am install-data: install-data-am uninstall: uninstall-am install-am: all-am @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am installcheck: installcheck-am install-strip: $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ `test -z '$(STRIP)' || \ echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install mostlyclean-generic: clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @echo "it deletes files that may require special tools to rebuild." 
clean: clean-am clean-am: clean-checkPROGRAMS clean-generic mostlyclean-am distclean: distclean-am -rm -rf ./$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags dvi: dvi-am dvi-am: html: html-am html-am: info: info-am info-am: install-data-am: install-dvi: install-dvi-am install-dvi-am: install-exec-am: install-html: install-html-am install-html-am: install-info: install-info-am install-info-am: install-man: install-pdf: install-pdf-am install-pdf-am: install-ps: install-ps-am install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am -rm -rf ./$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic mostlyclean: mostlyclean-am mostlyclean-am: mostlyclean-compile mostlyclean-generic pdf: pdf-am pdf-am: ps: ps-am ps-am: uninstall-am: .MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ clean-checkPROGRAMS clean-generic ctags distclean \ distclean-compile distclean-generic distclean-tags distdir dvi \ dvi-am html html-am info info-am install install-am \ install-data install-data-am install-dvi install-dvi-am \ install-exec install-exec-am install-html install-html-am \ install-info install-info-am install-man install-pdf \ install-pdf-am install-ps install-ps-am install-strip \ installcheck installcheck-am installdirs maintainer-clean \ maintainer-clean-generic mostlyclean mostlyclean-compile \ mostlyclean-generic pdf pdf-am ps ps-am tags uninstall \ uninstall-am # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. 
.NOEXPORT: radsecproxy-1.6.2/tests/Makefile.am0000664000175100017510000000034512042223225014202 00000000000000AUTOMAKE_OPTIONS = foreign if WANT_FTICKS fticks_programs = t_fticks endif check_PROGRAMS = $(fticks_programs) AM_CFLAGS = -g -Wall -Werror @TARGET_CFLAGS@ LDADD = $(top_builddir)/librsp.a @SSL_LIBS@ TESTS = $(check_PROGRAMS) radsecproxy-1.6.2/tests/t_fticks.c0000664000175100017510000000330712042223225014121 00000000000000/* Copyright (C) 2011 NORDUnet A/S * See LICENSE for information about licensing. */ #include #include #include "../radsecproxy.h" #include "../fticks_hashmac.h" static int _check_hash(const char *mac, const char *key, const char *hash, const char*hmac) { int rv = 0; uint8_t buf[128]; if (fticks_hashmac((const uint8_t *) mac, NULL, sizeof(buf), buf) != 0) return -ENOMEM; if (strcmp(hash, (const char *) buf) != 0) rv = !!fprintf(stderr, "%s: bad hash: %s\n", mac, buf); if (fticks_hashmac((const uint8_t *) mac, (const uint8_t *) key, sizeof(buf), buf) != 0) return -ENOMEM; if (strcmp(hmac, (const char *) buf) != 0) rv = !!fprintf(stderr, "%s: bad hash (key=\"%s\"): %s\n", mac, key, buf); return rv; } #define MAC1 "00:23:14:0a:f7:24" #define MAC1_UC "00:23:14:0A:F7:24" #define MAC1_APPENDED "00:23:14:0a:f7:24;cruft" #define MAC1_WEIRD "00:23:-[?xyzzy!]-14:0a:f7:24" #define KEY1 "magic passphrase" #define HASH1 "29c0ee9d9c41771795a11ff75fefe9f5ccaab523ad31fc4fd8e776c707ad158129c0ee9d9c41771795a11ff75fefe9f5ccaab523ad31fc4fd8e776c707ad15" #define HMAC1 "57c8cd8031142c51ac9747370f48a5aa731006729d0cdf589ba101864f35f39057c8cd8031142c51ac9747370f48a5aa731006729d0cdf589ba101864f35f3" int main (int argc, char *argv[]) { if (_check_hash(MAC1, KEY1, HASH1, HMAC1) != 0) return 1; /* Again, for good measure. (Or rather to make sure there's no state left.) 
*/ if (_check_hash(MAC1, KEY1, HASH1, HMAC1) != 0) return 1; if (_check_hash(MAC1_UC, KEY1, HASH1, HMAC1) != 0) return 1; if (_check_hash(MAC1_APPENDED, KEY1, HASH1, HMAC1) != 0) return 1; if (_check_hash(MAC1_WEIRD, KEY1, HASH1, HMAC1) != 0) return 1; return 0; } radsecproxy-1.6.2/radsecproxy.10000664000175100017510000000624412042223225013435 00000000000000.TH radsecproxy 1 "1 Jun 2010" .SH "NAME" radsecproxy - a generic RADIUS proxy that provides both RADIUS UDP and TCP/TLS (RadSec) transport. .SH "SYNOPSIS" .HP 12 radsecproxy [\-c configfile] [\-d debuglevel] [\-f] [\-i pidfile] [\-p] [\-v] .sp .SH "DESCRIPTION" radsecproxy is a \fBgeneric RADIUS proxy\fR that, in addition to the usual \fBRADIUS UDP\fR transport, also supports \fBTLS (RadSec)\fR. The aim is for the proxy to have sufficient features to be flexible, while at the same time being small, efficient and easy to configure. Currently the executable on Linux is only about \fI48 KB\fR, and it uses about \fI64 KB\fR (depending on the number of peers) while running. .sp The proxy was initially made to be able to deploy \fBRadSec\fR (RADIUS over TLS) so that all RADIUS communication across network links could be done using TLS, without modifying existing RADIUS software. This can be done by running this proxy on the same host as an existing RADIUS server or client, and configuring the existing client/server to talk to localhost (the proxy) rather than other clients and servers directly. .sp There are, however, other situations where a RADIUS proxy might be useful. Some people deploy RADIUS topologies where they want to route RADIUS messages to the right server. The nodes that do pure routing could be using a proxy. Some people may also wish to deploy a proxy on a site boundary. Since the proxy \fBsupports both IPv4 and IPv6\fR, it could also be used to allow communication in cases where some RADIUS nodes use only IPv4 and some only IPv6.
.SH "OPTIONS" .TP .B \-f .sp \fIRun in foreground\fR .sp By specifying this option, the proxy will run in foreground mode. That is, it won't detach. Also all logging will be done to stderr. .TP .B \-d .sp \fIDebug level\fR .sp This specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 logs everything. The default is 2 which logs errors, warnings and a few informational messages. .TP .B \-p .sp \fIPretend\fR .sp The proxy reads configuration files and performs initialisation as usual, but exits prior to creating any sockets. It will return different exit codes depending on whether the configuration files are okay. This may be used to verify configuration files, and can be done while another instance is running. .TP .B \-v .sp \fIPrint version\fR .sp When this option is specified, the proxy will simply print version information and exit. .TP .B \-c .sp \fIConfig file path\fR .sp This option allows you to specify which config file to use. This is useful if you want to use a config file that is not in any of the default locations. .TP .B \-i .sp \fIPID file path\fR .sp This option tells the proxy to create a PID file with the specified path. .SH "SIGNALS" The proxy generally exits on all signals. The exceptions are listed below. .TP .B SIGHUP .sp When logging to a file, this signal forces a reopen of the log file. .TP .B SIGPIPE .sp This signal is ignored. .SH "FILES" .TP .B /etc/radsecproxy.conf .sp The default configuration file. .SH "SEE ALSO" radsecproxy.conf(5), RadSec internet draft http://tools.ietf.org/html/draft-ietf-radext-radsec radsecproxy-1.6.2/config.guess0000755000175100017510000012673012042223267013337 00000000000000#! /bin/sh # Attempt to guess a canonical system name. # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, # 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, # 2011 Free Software Foundation, Inc. 
timestamp='2011-05-11' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street - Fifth Floor, Boston, MA # 02110-1301, USA. # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # Originally written by Per Bothner. Please send patches (context # diff format) to and include a ChangeLog # entry. # # This script attempts to guess a canonical system name similar to # config.sub. If it succeeds, it prints the system name on stdout, and # exits with 0. Otherwise, it exits with 1. # # You can get the latest version of this script from: # http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess;hb=HEAD me=`echo "$0" | sed -e 's,.*/,,'` usage="\ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. Operation modes: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit Report bugs and patches to ." version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011 Free Software Foundation, Inc. 
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." help=" Try \`$me --help' for more information." # Parse command line while test $# -gt 0 ; do case $1 in --time-stamp | --time* | -t ) echo "$timestamp" ; exit ;; --version | -v ) echo "$version" ; exit ;; --help | --h* | -h ) echo "$usage"; exit ;; -- ) # Stop option processing shift; break ;; - ) # Use stdin as input. break ;; -* ) echo "$me: invalid option $1$help" >&2 exit 1 ;; * ) break ;; esac done if test $# != 0; then echo "$me: too many arguments$help" >&2 exit 1 fi trap 'exit 1' 1 2 15 # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a # headache to deal with in a portable fashion. # Historically, `CC_FOR_BUILD' used to be named `HOST_CC'. We still # use `HOST_CC' if defined, but it is deprecated. # Portable tmp directory creation inspired by the Autoconf team. 
set_cc_for_build=' trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; : ${TMPDIR=/tmp} ; { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; dummy=$tmp/dummy ; tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; case $CC_FOR_BUILD,$HOST_CC,$CC in ,,) echo "int x;" > $dummy.c ; for c in cc gcc c89 c99 ; do if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then CC_FOR_BUILD="$c"; break ; fi ; done ; if test x"$CC_FOR_BUILD" = x ; then CC_FOR_BUILD=no_compiler_found ; fi ;; ,,*) CC_FOR_BUILD=$CC ;; ,*,*) CC_FOR_BUILD=$HOST_CC ;; esac ; set_cc_for_build= ;' # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) if (test -f /.attbin/uname) >/dev/null 2>&1 ; then PATH=$PATH:/.attbin ; export PATH fi UNAME_MACHINE=`(uname -m) 2>/dev/null` || UNAME_MACHINE=unknown UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown # Note: order is significant - the case branches are not exclusive. case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*, # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently # switched to ELF, *-*-netbsd* would select the old # object file format. This provides both forward # compatibility and a consistent mechanism for selecting the # object file format. 
# # Note: NetBSD doesn't particularly care about the vendor # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(/sbin/$sysctl 2>/dev/null || \ /usr/sbin/$sysctl 2>/dev/null || echo unknown)` case "${UNAME_MACHINE_ARCH}" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; *) machine=${UNAME_MACHINE_ARCH}-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently, or will in the future. case "${UNAME_MACHINE_ARCH}" in arm*|i386|m68k|ns32k|sh3*|sparc|vax) eval $set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout). # Return netbsd for either. FIX? os=netbsd else os=netbsdelf fi ;; *) os=netbsd ;; esac # The OS release # Debian GNU/NetBSD machines have a different userland, and # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. case "${UNAME_VERSION}" in Debian*) release='-gnu' ;; *) release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. 
echo "${machine}-${os}${release}" exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} exit ;; *:ekkoBSD:*:*) echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} exit ;; *:SolidBSD:*:*) echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} exit ;; macppc:MirBSD:*:*) echo powerpc-unknown-mirbsd${UNAME_RELEASE} exit ;; *:MirBSD:*:*) echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'` ;; *5.*) UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $4}'` ;; esac # According to Compaq, /usr/sbin/psrinfo has been available on # OSF/1 and Tru64 systems produced since 1995. I hope that # covers most systems running today. This code pipes the CPU # types through head -n 1, so we only detect the type of CPU 0. ALPHA_CPU_TYPE=`/usr/sbin/psrinfo -v | sed -n -e 's/^ The alpha \(.*\) processor.*$/\1/p' | head -n 1` case "$ALPHA_CPU_TYPE" in "EV4 (21064)") UNAME_MACHINE="alpha" ;; "EV4.5 (21064)") UNAME_MACHINE="alpha" ;; "LCA4 (21066/21068)") UNAME_MACHINE="alpha" ;; "EV5 (21164)") UNAME_MACHINE="alphaev5" ;; "EV5.6 (21164A)") UNAME_MACHINE="alphaev56" ;; "EV5.6 (21164PC)") UNAME_MACHINE="alphapca56" ;; "EV5.7 (21164PC)") UNAME_MACHINE="alphapca57" ;; "EV6 (21264)") UNAME_MACHINE="alphaev6" ;; "EV6.7 (21264A)") UNAME_MACHINE="alphaev67" ;; "EV6.8CB (21264C)") UNAME_MACHINE="alphaev68" ;; "EV6.8AL (21264B)") UNAME_MACHINE="alphaev68" ;; "EV6.8CX (21264D)") UNAME_MACHINE="alphaev68" ;; "EV6.9A (21264/EV69A)") UNAME_MACHINE="alphaev69" ;; "EV7 (21364)") UNAME_MACHINE="alphaev7" ;; "EV7.9 (21364A)") UNAME_MACHINE="alphaev79" ;; esac # A Pn.n version is a patched version. # A Vn.n version is a released version. # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. 
echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 exit $exitcode ;; Alpha\ *:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # Should we change UNAME_MACHINE based on the output of uname instead # of the specific Alpha model? echo alpha-pc-interix exit ;; 21064:Windows_NT:50:3) echo alpha-dec-winnt3.5 exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) echo ${UNAME_MACHINE}-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition exit ;; *:z/VM:*:*) echo s390-ibm-zvmoe exit ;; *:OS400:*:*) echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) echo arm-acorn-riscix${UNAME_RELEASE} exit ;; arm:riscos:*:*|arm:RISCOS:*:*) echo arm-unknown-riscos exit ;; SR2?01:HI-UX/MPP:*:* | SR8000:HI-UX/MPP:*:*) echo hppa1.1-hitachi-hiuxmpp exit ;; Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*) # akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE. 
if test "`(/bin/universe) 2>/dev/null`" = att ; then echo pyramid-pyramid-sysv3 else echo pyramid-pyramid-bsd fi exit ;; NILE*:*:*:dcosx) echo pyramid-pyramid-svr4 exit ;; DRS?6000:unix:4.0:6*) echo sparc-icl-nx6 exit ;; DRS?6000:UNIX_SV:4.2*:7* | DRS?6000:isis:4.2*:7*) case `/usr/bin/uname -p` in sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4H:SunOS:5.*:*) echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) echo i386-pc-auroraux${UNAME_RELEASE} exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) eval $set_cc_for_build SUN_ARCH="i386" # If there is a compiler, see if it is configured for 64-bit objects. # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. # This test works for both compilers. if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then SUN_ARCH="x86_64" fi fi echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in Series*|S4*) UNAME_RELEASE=`uname -v` ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. 
echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` exit ;; sun3*:SunOS:*:*) echo m68k-sun-sunos${UNAME_RELEASE} exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` test "x${UNAME_RELEASE}" = "x" && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) echo m68k-sun-sunos${UNAME_RELEASE} ;; sun4) echo sparc-sun-sunos${UNAME_RELEASE} ;; esac exit ;; aushp:SunOS:*:*) echo sparc-auspex-sunos${UNAME_RELEASE} exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not # "atarist" or "atariste" at least should have a processor # > m68000). The system name ranges from "MiNT" over "FreeMiNT" # to the lowercase version "mint" (or "freemint"). Finally # the system name "TOS" denotes a system which is actually not # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) echo m68k-atari-mint${UNAME_RELEASE} exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) echo m68k-milan-mint${UNAME_RELEASE} exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) echo m68k-hades-mint${UNAME_RELEASE} exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) echo m68k-unknown-mint${UNAME_RELEASE} exit ;; m68k:machten:*:*) echo m68k-apple-machten${UNAME_RELEASE} exit ;; powerpc:machten:*:*) echo powerpc-apple-machten${UNAME_RELEASE} exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) echo mips-dec-ultrix${UNAME_RELEASE} exit ;; VAX*:ULTRIX*:*:*) echo vax-dec-ultrix${UNAME_RELEASE} exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) echo clipper-intergraph-clix${UNAME_RELEASE} exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) eval $set_cc_for_build sed 's/^ //' << EOF 
>$dummy.c #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { #else int main (argc, argv) int argc; char *argv[]; { #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && SYSTEM_NAME=`$dummy $dummyarg` && { echo "$SYSTEM_NAME"; exit; } echo mips-mips-riscos${UNAME_RELEASE} exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax exit ;; Motorola:*:4.3:PL8-*) echo powerpc-harris-powermax exit ;; Night_Hawk:*:*:PowerMAX_OS | Synergy:PowerMAX_OS:*:*) echo powerpc-harris-powermax exit ;; Night_Hawk:Power_UNIX:*:*) echo powerpc-harris-powerunix exit ;; m88k:CX/UX:7*:*) echo m88k-harris-cxux7 exit ;; m88k:*:4*:R4*) echo m88k-motorola-sysv4 exit ;; m88k:*:3*:R3*) echo m88k-motorola-sysv3 exit ;; AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] then if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ [ ${TARGET_BINARY_INTERFACE}x = x ] then echo m88k-dg-dgux${UNAME_RELEASE} else echo m88k-dg-dguxbcs${UNAME_RELEASE} fi else echo i586-dg-dgux${UNAME_RELEASE} fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) echo m88k-dolphin-sysv3 exit ;; M88*:*:R3*:*) # Delta 88k system running SVR3 echo m88k-motorola-sysv3 exit ;; XD88*:*:*:*) # Tektronix XD88 system running UTekV (SVR3) echo m88k-tektronix-sysv3 exit ;; Tek43[0-9][0-9]:UTek:*:*) # Tektronix 4300 system running UTek (BSD) echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` exit ;; 
????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id exit ;; # Note that: echo "'`uname -s`'" gives 'AIX ' i*86:AIX:*:*) echo i386-ibm-aix exit ;; ia64:AIX:*:*) if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include main() { if (!__power_pc()) exit(1); puts("powerpc-ibm-aix3.2.5"); exit(0); } EOF if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` then echo "$SYSTEM_NAME" else echo rs6000-ibm-aix3.2.5 fi elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then echo rs6000-ibm-aix3.2.4 else echo rs6000-ibm-aix3.2 fi exit ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc fi if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} fi echo ${IBM_ARCH}-ibm-aix${IBM_REV} exit ;; *:AIX:*:*) echo rs6000-ibm-aix exit ;; ibmrt:4.4BSD:*|romp-ibm:BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to exit ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) echo rs6000-bull-bosx exit ;; DPX/2?00:B.O.S.:*:*) echo m68k-bull-sysv3 exit ;; 9000/[34]??:4.3bsd:1.*:*) echo m68k-hp-bsd exit ;; hp300:4.4BSD:*:* | 9000/[34]??:4.3bsd:2.*:*) echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` case "${UNAME_MACHINE}" in 9000/31? ) HP_ARCH=m68000 ;; 9000/[34]?? 
) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` case "${sc_cpu_version}" in 523) HP_ARCH="hppa1.0" ;; # CPU_PA_RISC1_0 528) HP_ARCH="hppa1.1" ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 case "${sc_kernel_bits}" in 32) HP_ARCH="hppa2.0n" ;; 64) HP_ARCH="hppa2.0w" ;; '') HP_ARCH="hppa2.0" ;; # HP-UX 10.20 esac ;; esac fi if [ "${HP_ARCH}" = "" ]; then eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #define _HPUX_SOURCE #include #include int main () { #if defined(_SC_KERNEL_BITS) long bits = sysconf(_SC_KERNEL_BITS); #endif long cpu = sysconf (_SC_CPU_VERSION); switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0"); break; case CPU_PA_RISC1_1: puts ("hppa1.1"); break; case CPU_PA_RISC2_0: #if defined(_SC_KERNEL_BITS) switch (bits) { case 64: puts ("hppa2.0w"); break; case 32: puts ("hppa2.0n"); break; default: puts ("hppa2.0"); break; } break; #else /* !defined(_SC_KERNEL_BITS) */ puts ("hppa2.0"); break; #endif default: puts ("hppa1.0"); break; } exit (0); } EOF (CCOPTS= $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac if [ ${HP_ARCH} = "hppa2.0w" ] then eval $set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler # generating 64-bit code. 
GNU and HP use different nomenclature: # # $ CC_FOR_BUILD=cc ./config.guess # => hppa2.0w-hp-hpux11.23 # $ CC_FOR_BUILD="cc +DA2.0w" ./config.guess # => hppa64-hp-hpux11.23 if echo __LP64__ | (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | grep -q __LP64__ then HP_ARCH="hppa2.0w" else HP_ARCH="hppa64" fi fi echo ${HP_ARCH}-hp-hpux${HPUX_REV} exit ;; ia64:HP-UX:*:*) HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` echo ia64-hp-hpux${HPUX_REV} exit ;; 3050*:HI-UX:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #include int main () { long cpu = sysconf (_SC_CPU_VERSION); /* The order matters, because CPU_IS_HP_MC68K erroneously returns true for CPU_PA_RISC1_0. CPU_IS_PA_RISC returns correct results, however. */ if (CPU_IS_PA_RISC (cpu)) { switch (cpu) { case CPU_PA_RISC1_0: puts ("hppa1.0-hitachi-hiuxwe2"); break; case CPU_PA_RISC1_1: puts ("hppa1.1-hitachi-hiuxwe2"); break; case CPU_PA_RISC2_0: puts ("hppa2.0-hitachi-hiuxwe2"); break; default: puts ("hppa-hitachi-hiuxwe2"); break; } } else if (CPU_IS_HP_MC68K (cpu)) puts ("m68k-hitachi-hiuxwe2"); else puts ("unknown-hitachi-hiuxwe2"); exit (0); } EOF $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) echo hppa1.0-hp-bsd exit ;; *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) echo hppa1.0-hp-osf exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then echo ${UNAME_MACHINE}-unknown-osf1mk else echo ${UNAME_MACHINE}-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) echo hppa1.1-hp-lites exit ;; C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*) echo c1-convex-bsd exit ;; C2*:ConvexOS:*:* | convex:ConvexOS:C2*:*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; C34*:ConvexOS:*:* | convex:ConvexOS:C34*:*) echo 
c34-convex-bsd exit ;; C38*:ConvexOS:*:* | convex:ConvexOS:C38*:*) echo c38-convex-bsd exit ;; C4*:ConvexOS:*:* | convex:ConvexOS:C4*:*) echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'` FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'` FUJITSU_REL=`echo ${UNAME_RELEASE} | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} exit ;; sparc*:BSD/OS:*:*) echo sparc-unknown-bsdi${UNAME_RELEASE} exit ;; *:BSD/OS:*:*) echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} exit ;; *:FreeBSD:*:*) case ${UNAME_MACHINE} in pc98) echo i386-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; amd64) echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; *) echo ${UNAME_MACHINE}-unknown-freebsd`echo 
${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; esac exit ;; i*:CYGWIN*:*) echo ${UNAME_MACHINE}-pc-cygwin exit ;; *:MINGW*:*) echo ${UNAME_MACHINE}-pc-mingw32 exit ;; i*:windows32*:*) # uname -m includes "-pc" on this system. echo ${UNAME_MACHINE}-mingw32 exit ;; i*:PW*:*) echo ${UNAME_MACHINE}-pc-pw32 exit ;; *:Interix*:*) case ${UNAME_MACHINE} in x86) echo i586-pc-interix${UNAME_RELEASE} exit ;; authenticamd | genuineintel | EM64T) echo x86_64-unknown-interix${UNAME_RELEASE} exit ;; IA64) echo ia64-unknown-interix${UNAME_RELEASE} exit ;; esac ;; [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) echo i${UNAME_MACHINE}-pc-mks exit ;; 8664:Windows_NT:*) echo x86_64-pc-mks exit ;; i*:Windows_NT*:* | Pentium*:Windows_NT*:*) # How do we know it's Interix rather than the generic POSIX subsystem? # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we # UNAME_MACHINE based on the output of uname instead of i386? echo i586-pc-interix exit ;; i*:UWIN*:*) echo ${UNAME_MACHINE}-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) echo x86_64-unknown-cygwin exit ;; p*:CYGWIN*:*) echo powerpcle-unknown-cygwin exit ;; prep*:SunOS:5.*:*) echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` exit ;; *:GNU:*:*) # the GNU system echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr '[A-Z]' '[a-z]'``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-gnu exit ;; i*86:Minix:*:*) echo ${UNAME_MACHINE}-pc-minix exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in EV5) UNAME_MACHINE=alphaev5 ;; EV56) UNAME_MACHINE=alphaev56 ;; PCA56) UNAME_MACHINE=alphapca56 ;; PCA57) UNAME_MACHINE=alphapca56 ;; EV6) UNAME_MACHINE=alphaev6 ;; EV67) UNAME_MACHINE=alphaev67 ;; EV68*) UNAME_MACHINE=alphaev68 ;; esac objdump --private-headers 
/bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC="libc1" ; else LIBC="" ; fi echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} exit ;; arm*:Linux:*:*) eval $set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then echo ${UNAME_MACHINE}-unknown-linux-gnu else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then echo ${UNAME_MACHINE}-unknown-linux-gnueabi else echo ${UNAME_MACHINE}-unknown-linux-gnueabihf fi fi exit ;; avr32*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; cris:Linux:*:*) echo cris-axis-linux-gnu exit ;; crisv32:Linux:*:*) echo crisv32-axis-linux-gnu exit ;; frv:Linux:*:*) echo frv-unknown-linux-gnu exit ;; i*86:Linux:*:*) LIBC=gnu eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #ifdef __dietlibc__ LIBC=dietlibc #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC'` echo "${UNAME_MACHINE}-pc-linux-${LIBC}" exit ;; ia64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; m32r*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; m68*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; mips:Linux:*:* | mips64:Linux:*:*) eval $set_cc_for_build sed 's/^ //' << EOF >$dummy.c #undef CPU #undef ${UNAME_MACHINE} #undef ${UNAME_MACHINE}el #if defined(__MIPSEL__) || defined(__MIPSEL) || defined(_MIPSEL) || defined(MIPSEL) CPU=${UNAME_MACHINE}el #else #if defined(__MIPSEB__) || defined(__MIPSEB) || defined(_MIPSEB) || defined(MIPSEB) CPU=${UNAME_MACHINE} #else CPU= #endif #endif EOF eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` test x"${CPU}" != x && { echo "${CPU}-unknown-linux-gnu"; exit; } ;; or32:Linux:*:*) echo or32-unknown-linux-gnu exit ;; padre:Linux:*:*) echo sparc-unknown-linux-gnu exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) echo hppa64-unknown-linux-gnu exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in PA7*) echo 
hppa1.1-unknown-linux-gnu ;; PA8*) echo hppa2.0-unknown-linux-gnu ;; *) echo hppa-unknown-linux-gnu ;; esac exit ;; ppc64:Linux:*:*) echo powerpc64-unknown-linux-gnu exit ;; ppc:Linux:*:*) echo powerpc-unknown-linux-gnu exit ;; s390:Linux:*:* | s390x:Linux:*:*) echo ${UNAME_MACHINE}-ibm-linux exit ;; sh64*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; sh*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; tile*:Linux:*:*) echo ${UNAME_MACHINE}-tilera-linux-gnu exit ;; vax:Linux:*:*) echo ${UNAME_MACHINE}-dec-linux-gnu exit ;; x86_64:Linux:*:*) echo x86_64-unknown-linux-gnu exit ;; xtensa*:Linux:*:*) echo ${UNAME_MACHINE}-unknown-linux-gnu exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. # earlier versions are messed up and put the nodename in both # sysname and nodename. echo i386-sequent-sysv4 exit ;; i*86:UNIX_SV:4.2MP:2.*) # Unixware is an offshoot of SVR4, but it has its own version # number series starting with 2... # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. 
echo ${UNAME_MACHINE}-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) echo ${UNAME_MACHINE}-unknown-stop exit ;; i*86:atheos:*:*) echo ${UNAME_MACHINE}-unknown-atheos exit ;; i*86:syllable:*:*) echo ${UNAME_MACHINE}-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) echo i386-unknown-lynxos${UNAME_RELEASE} exit ;; i*86:*DOS:*:*) echo ${UNAME_MACHINE}-pc-msdosdjgpp exit ;; i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} else echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} fi exit ;; i*86:*:5:[678]*) # UnixWare 7.x, OpenUNIX and OpenServer 6. case `/bin/uname -X | grep "^Machine"` in *486*) UNAME_MACHINE=i486 ;; *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 (/bin/uname -X|grep '^Machine.*Pentium' >/dev/null) \ && UNAME_MACHINE=i586 (/bin/uname -X|grep '^Machine.*Pent *II' >/dev/null) \ && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 echo ${UNAME_MACHINE}-pc-sco$UNAME_REL else echo ${UNAME_MACHINE}-pc-sysv32 fi exit ;; pc:*:*:*) # Left here for compatibility: # uname -m prints for DJGPP always 'pc', but it prints nothing about # the processor, so we play safe by assuming i586. # Note: whatever this is, it MUST be the same as what config.sub # prints for the "djgpp" host, or else GDB configury will decide that # this is a cross-build. 
echo i586-pc-msdosdjgpp exit ;; Intel:Mach:3*:*) echo i386-pc-mach3 exit ;; paragon:*:*:*) echo i860-intel-osf1 exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) # "miniframe" echo m68010-convergent-sysv exit ;; mc68k:UNIX:SYSTEM5:3.51m) echo m68k-convergent-sysv exit ;; M680?0:D-NIX:5.3:*) echo m68k-diab-dnix exit ;; M68*:*:R3V[5678]*:*) test -r /sysV68 && { echo 'm68k-motorola-sysv'; exit; } ;; 3[345]??:*:4.0:3.0 | 3[34]??A:*:4.0:3.0 | 3[34]??,*:*:4.0:3.0 | 3[34]??/*:*:4.0:3.0 | 4400:*:4.0:3.0 | 4850:*:4.0:3.0 | SKA40:*:4.0:3.0 | SDS2:*:4.0:3.0 | SHG2:*:4.0:3.0 | S7501*:*:4.0:3.0) OS_REL='' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; NCR*:*:4.2:* | MPRAS*:*:4.2:*) OS_REL='.3' test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) echo m68k-unknown-lynxos${UNAME_RELEASE} exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) echo sparc-unknown-lynxos${UNAME_RELEASE} exit ;; rs6000:LynxOS:2.*:*) echo 
rs6000-unknown-lynxos${UNAME_RELEASE} exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) echo powerpc-unknown-lynxos${UNAME_RELEASE} exit ;; SM[BE]S:UNIX_SV:*:*) echo mips-dde-sysv${UNAME_RELEASE} exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 exit ;; RM*:SINIX-*:*:*) echo mips-sni-sysv4 exit ;; *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` echo ${UNAME_MACHINE}-sni-sysv4 else echo ns32k-sni-sysv fi exit ;; PENTIUM:*:4.0*:*) # Unisys `ClearPath HMP IX 4000' SVR4/MP effort # says echo i586-unisys-sysv4 exit ;; *:UNIX_System_V:4*:FTX*) # From Gerald Hewes . # How about differentiating between stratus architectures? -djm echo hppa1.1-stratus-sysv4 exit ;; *:*:*:FTX*) # From seanf@swdc.stratus.com. echo i860-stratus-sysv4 exit ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. echo ${UNAME_MACHINE}-stratus-vos exit ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos exit ;; mc68*:A/UX:*:*) echo m68k-apple-aux${UNAME_RELEASE} exit ;; news*:NEWS-OS:6*:*) echo mips-sony-newsos6 exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then echo mips-nec-sysv${UNAME_RELEASE} else echo mips-unknown-sysv${UNAME_RELEASE} fi exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. echo powerpc-be-beos exit ;; BeMac:BeOS:*:*) # BeOS running on Mac or Mac clone, PPC only. echo powerpc-apple-beos exit ;; BePC:BeOS:*:*) # BeOS running on Intel PC compatible. echo i586-pc-beos exit ;; BePC:Haiku:*:*) # Haiku running on Intel PC compatible. 
echo i586-pc-haiku exit ;; SX-4:SUPER-UX:*:*) echo sx4-nec-superux${UNAME_RELEASE} exit ;; SX-5:SUPER-UX:*:*) echo sx5-nec-superux${UNAME_RELEASE} exit ;; SX-6:SUPER-UX:*:*) echo sx6-nec-superux${UNAME_RELEASE} exit ;; SX-7:SUPER-UX:*:*) echo sx7-nec-superux${UNAME_RELEASE} exit ;; SX-8:SUPER-UX:*:*) echo sx8-nec-superux${UNAME_RELEASE} exit ;; SX-8R:SUPER-UX:*:*) echo sx8r-nec-superux${UNAME_RELEASE} exit ;; Power*:Rhapsody:*:*) echo powerpc-apple-rhapsody${UNAME_RELEASE} exit ;; *:Rhapsody:*:*) echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown case $UNAME_PROCESSOR in i386) eval $set_cc_for_build if [ "$CC_FOR_BUILD" != 'no_compiler_found' ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ (CCOPTS= $CC_FOR_BUILD -E - 2>/dev/null) | \ grep IS_64BIT_ARCH >/dev/null then UNAME_PROCESSOR="x86_64" fi fi ;; unknown) UNAME_PROCESSOR=powerpc ;; esac echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` if test "$UNAME_PROCESSOR" = "x86"; then UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; NEO-?:NONSTOP_KERNEL:*:*) echo neo-tandem-nsk${UNAME_RELEASE} exit ;; NSE-?:NONSTOP_KERNEL:*:*) echo nse-tandem-nsk${UNAME_RELEASE} exit ;; NSR-?:NONSTOP_KERNEL:*:*) echo nsr-tandem-nsk${UNAME_RELEASE} exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux exit ;; BS2000:POSIX*:*:*) echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. 
if test "$cputype" = "386"; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi echo ${UNAME_MACHINE}-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 exit ;; *:TENEX:*:*) echo pdp10-unknown-tenex exit ;; KS10:TOPS-20:*:* | KL10:TOPS-20:*:* | TYPE4:TOPS-20:*:*) echo pdp10-dec-tops20 exit ;; XKL-1:TOPS-20:*:* | TYPE5:TOPS-20:*:*) echo pdp10-xkl-tops20 exit ;; *:TOPS-20:*:*) echo pdp10-unknown-tops20 exit ;; *:ITS:*:*) echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) echo mips-sei-seiux${UNAME_RELEASE} exit ;; *:DragonFly:*:*) echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` case "${UNAME_MACHINE}" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; esac ;; *:XENIX:*:SysV) echo i386-pc-xenix exit ;; i*86:skyos:*:*) echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE}` | sed -e 's/ .*$//' exit ;; i*86:rdos:*:*) echo ${UNAME_MACHINE}-pc-rdos exit ;; i*86:AROS:*:*) echo ${UNAME_MACHINE}-pc-aros exit ;; esac #echo '(No uname command or uname output not recognized.)' 1>&2 #echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2 eval $set_cc_for_build cat >$dummy.c < # include #endif main () { #if defined (sony) #if defined (MIPSEB) /* BFD wants "bsd" instead of "newsos". Perhaps BFD should be changed, I don't know.... 
*/ printf ("mips-sony-bsd\n"); exit (0); #else #include printf ("m68k-sony-newsos%s\n", #ifdef NEWSOS4 "4" #else "" #endif ); exit (0); #endif #endif #if defined (__arm) && defined (__acorn) && defined (__unix) printf ("arm-acorn-riscix\n"); exit (0); #endif #if defined (hp300) && !defined (hpux) printf ("m68k-hp-bsd\n"); exit (0); #endif #if defined (NeXT) #if !defined (__ARCHITECTURE__) #define __ARCHITECTURE__ "m68k" #endif int version; version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`; if (version < 4) printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version); else printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version); exit (0); #endif #if defined (MULTIMAX) || defined (n16) #if defined (UMAXV) printf ("ns32k-encore-sysv\n"); exit (0); #else #if defined (CMU) printf ("ns32k-encore-mach\n"); exit (0); #else printf ("ns32k-encore-bsd\n"); exit (0); #endif #endif #endif #if defined (__386BSD__) printf ("i386-pc-bsd\n"); exit (0); #endif #if defined (sequent) #if defined (i386) printf ("i386-sequent-dynix\n"); exit (0); #endif #if defined (ns32000) printf ("ns32k-sequent-dynix\n"); exit (0); #endif #endif #if defined (_SEQUENT_) struct utsname un; uname(&un); if (strncmp(un.version, "V2", 2) == 0) { printf ("i386-sequent-ptx2\n"); exit (0); } if (strncmp(un.version, "V1", 2) == 0) { /* XXX is V1 correct? 
*/ printf ("i386-sequent-ptx1\n"); exit (0); } printf ("i386-sequent-ptx\n"); exit (0); #endif #if defined (vax) # if !defined (ultrix) # include # if defined (BSD) # if BSD == 43 printf ("vax-dec-bsd4.3\n"); exit (0); # else # if BSD == 199006 printf ("vax-dec-bsd4.3reno\n"); exit (0); # else printf ("vax-dec-bsd\n"); exit (0); # endif # endif # else printf ("vax-dec-bsd\n"); exit (0); # endif # else printf ("vax-dec-ultrix\n"); exit (0); # endif #endif #if defined (alliant) && defined (i860) printf ("i860-alliant-bsd\n"); exit (0); #endif exit (1); } EOF $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null && SYSTEM_NAME=`$dummy` && { echo "$SYSTEM_NAME"; exit; } # Apollos put the system type in the environment. test -d /usr/apollo && { echo ${ISP}-apollo-${SYSTYPE}; exit; } # Convex versions that predate uname can use getsysinfo(1) if [ -x /usr/convex/getsysinfo ] then case `getsysinfo -f cpu_type` in c1*) echo c1-convex-bsd exit ;; c2*) if getsysinfo -f scalar_acc then echo c32-convex-bsd else echo c2-convex-bsd fi exit ;; c34*) echo c34-convex-bsd exit ;; c38*) echo c38-convex-bsd exit ;; c4*) echo c4-convex-bsd exit ;; esac fi cat >&2 < in order to provide the needed information to handle your system. 
config.guess timestamp = $timestamp uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null` /bin/uname -X = `(/bin/uname -X) 2>/dev/null` hostinfo = `(hostinfo) 2>/dev/null` /bin/universe = `(/bin/universe) 2>/dev/null` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null` /bin/arch = `(/bin/arch) 2>/dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` UNAME_MACHINE = ${UNAME_MACHINE} UNAME_RELEASE = ${UNAME_RELEASE} UNAME_SYSTEM = ${UNAME_SYSTEM} UNAME_VERSION = ${UNAME_VERSION} EOF exit 1 # Local variables: # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" # End: radsecproxy-1.6.2/configure0000775000175100017510000045003312042223267012724 00000000000000#! /bin/sh # Guess values for system-dependent variables and create Makefiles. # Generated by GNU Autoconf 2.68 for radsecproxy 1.6.2. # # Report bugs to . # # # Copyright (C) 1992, 1993, 1994, 1995, 1996, 1998, 1999, 2000, 2001, # 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 Free Software # Foundation, Inc. # # # This configure script is free software; the Free Software Foundation # gives unlimited permission to copy, distribute and modify it. ## -------------------- ## ## M4sh Initialization. ## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. 
alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. 
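# Locate this script.  When $0 contains a directory separator it is used
# as-is; otherwise every $PATH entry is tried, and an empty entry is treated
# as the current directory.  Line breaks are required here: on a single
# physical line the first `#' would turn every following statement into a
# comment.
as_myself=
case $0 in #((
  *[\\/]* ) as_myself=$0 ;;
  *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
  IFS=$as_save_IFS
  test -z "$as_dir" && as_dir=.
    test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
  done
IFS=$as_save_IFS

     ;;
esac
# We did not find ourselves, most probably we were run as `sh COMMAND'
# in which case we are not to be found in the path.
if test "x$as_myself" = x; then
  as_myself=$0
fi
if test ! -f "$as_myself"; then
  $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
  exit 1
fi

# Unset variables that we do not need and which cause bugs (e.g. in
# pre-3.0 UWIN ksh).  But do not cause bugs in bash 2.01; the "|| exit 1"
# suppresses any "Segmentation fault" message there.  '((' could
# trigger a bug in pdksh 5.2.14.
# BASH_ENV and ENV name files a shell may source at startup, so clearing
# them also keeps inherited environment from injecting code into this run.
for as_var in BASH_ENV ENV MAIL MAILPATH
do eval test x\${$as_var+set} = xset \
  && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
done
PS1='$ '
PS2='> '
PS4='+ '

# NLS nuisances.
LC_ALL=C
export LC_ALL
LANGUAGE=C
export LANGUAGE

# CDPATH.
(unset CDPATH) >/dev/null 2>&1 && unset CDPATH

# When the caller did not choose CONFIG_SHELL, probe the running shell and,
# if it lacks the required features, search for a better one and re-exec.
# The three strings below are shell programs fed to candidate shells; the
# newlines inside them are part of those programs.
if test "x$CONFIG_SHELL" = x; then
  as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
  emulate sh
  NULLCMD=:
  # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
  # is contrary to our usage.  Disable this feature.
  alias -g '\${1+\"\$@\"}'='\"\$@\"'
  setopt NO_GLOB_SUBST
else
  case \`(set -o) 2>/dev/null\` in #(
  *posix*) :
    set -o posix ;; #(
  *) :
     ;;
esac
fi
"
  as_required="as_fn_return () { (exit \$1); }
as_fn_success () { as_fn_return 0; }
as_fn_failure () { as_fn_return 1; }
as_fn_ret_success () { return 0; }
as_fn_ret_failure () { return 1; }

exitcode=0
as_fn_success || { exitcode=1; echo as_fn_success failed.; }
as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :

else
  exitcode=1; echo positional parameters were not saved.
fi
test x\$exitcode = x0 || exit 1"
  # The two $LINENO expansions below must sit on consecutive physical lines:
  # the generated test checks that the second value is the first plus one.
  as_suggested="  as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
  as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
  eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
  test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1"
  if (eval "$as_required") 2>/dev/null; then :
    as_have_required=yes
  else
    as_have_required=no
  fi
  if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :

  else
    # Candidate shells are looked up in /bin, /usr/bin and then $PATH; only
    # absolute directories are considered (the `/*' arm below).
    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
    as_found=false
    for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
    do
      IFS=$as_save_IFS
      test -z "$as_dir" && as_dir=.
      as_found=:
      case $as_dir in #(
        /*)
          for as_base in sh bash ksh sh5; do
            # Try only shells that exist, to save several forks.
            as_shell=$as_dir/$as_base
            if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
               { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
              CONFIG_SHELL=$as_shell as_have_required=yes
              if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
                break 2
              fi
            fi
          done;;
      esac
      as_found=false
    done
    $as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
                      { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
      CONFIG_SHELL=$SHELL as_have_required=yes
    fi; }
    IFS=$as_save_IFS

    if test "x$CONFIG_SHELL" != x; then :
      # We cannot yet assume a decent shell, so we have to provide a
      # neutralization value for shells without unset; and this also
      # works around shells that cannot unset nonexistent variables.
      # Preserve -v and -x to the replacement shell.
      BASH_ENV=/dev/null
      ENV=/dev/null
      (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
      export CONFIG_SHELL
      case $- in # ((((
        *v*x* | *x*v* ) as_opts=-vx ;;
        *v* ) as_opts=-v ;;
        *x* ) as_opts=-x ;;
        * ) as_opts= ;;
      esac
      # Re-run this same script under the shell that passed the probes.
      exec "$CONFIG_SHELL" $as_opts "$as_myself" ${1+"$@"}
    fi

    if test x$as_have_required = xno; then :
      $as_echo "$0: This script requires a shell more modern than all"
      $as_echo "$0: the shells that I found on your system."
      if test x${ZSH_VERSION+set} = xset ; then
        $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
        $as_echo "$0: be upgraded to zsh 4.3.4 or later."
      else
        $as_echo "$0: Please tell bug-autoconf@gnu.org and
$0: radsecproxy@uninett.no about your system, including any
$0: error possibly output before this message. Then install
$0: a modern shell, or manually run the script under such a
$0: shell if you do have one."
      fi
      exit 1
    fi
  fi
fi
SHELL=${CONFIG_SHELL-/bin/sh}
export SHELL
# Unset more variables known to interfere with behavior of common tools.
CLICOLOR_FORCE= GREP_OPTIONS=
unset CLICOLOR_FORCE GREP_OPTIONS

## --------------------- ##
## M4sh Shell Functions.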
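##
## --------------------- ##

# Each definition below needs its own lines: collapsed onto one physical line,
# the first `#' comments out every function, and the multi-line sed program
# in as_fn_mkdir_p is no longer valid.

# as_fn_unset VAR
# ---------------
# Portably unset VAR.
# VAR is expanded through eval, so callers must pass a plain variable name.
as_fn_unset ()
{
  { eval $1=; unset $1;}
}
as_unset=as_fn_unset

# as_fn_set_status STATUS
# -----------------------
# Set $? to STATUS, without forking.
as_fn_set_status ()
{
  return $1
} # as_fn_set_status

# as_fn_exit STATUS
# -----------------
# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
as_fn_exit ()
{
  set +e
  as_fn_set_status $1
  exit $1
} # as_fn_exit

# as_fn_mkdir_p
# -------------
# Create "$as_dir" as a directory, including parents if necessary.
# Takes no arguments: the path is read from (and modified in) the global
# $as_dir.  Relies on $as_mkdir_p, $as_dirname, $as_expr, $as_echo and
# as_fn_error being set up elsewhere in the script.
as_fn_mkdir_p ()
{

  # A leading dash would be taken for an option by the tools called below.
  case $as_dir in #(
  -*) as_dir=./$as_dir;;
  esac
  test -d "$as_dir" || eval $as_mkdir_p || {
    as_dirs=
    while :; do
      # Each path component is wrapped in single quotes, with embedded
      # single quotes escaped, because the list is later passed to eval.
      case $as_dir in #(
      *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
      *) as_qdir=$as_dir;;
      esac
      as_dirs="'$as_qdir' $as_dirs"
      # Strip the last component: dirname, then expr, then sed as fallbacks.
      as_dir=`$as_dirname -- "$as_dir" ||
$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
         X"$as_dir" : 'X\(//\)[^/]' \| \
         X"$as_dir" : 'X\(//\)$' \| \
         X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X"$as_dir" |
    sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
            s//\1/
            q
          }
          /^X\(\/\/\)[^/].*/{
            s//\1/
            q
          }
          /^X\(\/\/\)$/{
            s//\1/
            q
          }
          /^X\(\/\).*/{
            s//\1/
            q
          }
          s/.*/./; q'`
      test -d "$as_dir" && break
    done
    test -z "$as_dirs" || eval "mkdir $as_dirs"
  } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"


} # as_fn_mkdir_p

# as_fn_append VAR VALUE
# ----------------------
# Append the text in VALUE to the end of the definition contained in VAR. Take
# advantage of any shell optimizations that allow amortized linear growth over
# repeated appends, instead of the typical quadratic growth present in naive
# implementations.
# VAR is expanded through eval, so callers must pass a plain variable name.
if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
  eval 'as_fn_append ()
  {
    eval $1+=\$2
  }'
else
  as_fn_append ()
  {
    eval $1=\$$1\$2
  }
fi # as_fn_append

# as_fn_arith ARG...
# ------------------
# Perform arithmetic evaluation on the ARGs, and store the result in the
# global $as_val.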
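# Take advantage of shells that can avoid forks. The arguments
# must be portable across $(()) and expr.
# Statement boundaries matter throughout this section: on one physical line
# the first `#' comments out everything after it, and the $LINENO probe
# further down compares values taken on two consecutive lines.
if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
  eval 'as_fn_arith ()
  {
    as_val=$(( $* ))
  }'
else
  as_fn_arith ()
  {
    as_val=`expr "$@" || test $? -eq 1`
  }
fi # as_fn_arith


# as_fn_error STATUS ERROR [LINENO LOG_FD]
# ----------------------------------------
# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
# script with STATUS, using 1 if that was 0.
as_fn_error ()
{
  as_status=$1; test $as_status -eq 0 && as_status=1
  if test "$4"; then
    as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
    $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
  fi
  $as_echo "$as_me: error: $2" >&2
  as_fn_exit $as_status
} # as_fn_error

# Pick working expr, basename and dirname implementations; `false' marks a
# tool as unusable so the fallbacks in later pipelines are taken.
if expr a : '\(a\)' >/dev/null 2>&1 &&
   test "X`expr 00001 : '.*\(...\)'`" = X001; then
  as_expr=expr
else
  as_expr=false
fi

if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
  as_basename=basename
else
  as_basename=false
fi

if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
  as_dirname=dirname
else
  as_dirname=false
fi

# Base name of this script, used as the prefix of diagnostics.
as_me=`$as_basename -- "$0" ||
$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
         X"$0" : 'X\(//\)$' \| \
         X"$0" : 'X\(/\)' \| . 2>/dev/null ||
$as_echo X/"$0" |
    sed '/^.*\/\([^/][^/]*\)\/*$/{
            s//\1/
            q
          }
          /^X\/\(\/\/\)$/{
            s//\1/
            q
          }
          /^X\/\(\/\).*/{
            s//\1/
            q
          }
          s/.*/./; q'`

# Avoid depending upon Character Ranges.
as_cr_letters='abcdefghijklmnopqrstuvwxyz'
as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
as_cr_Letters=$as_cr_letters$as_cr_LETTERS
as_cr_digits='0123456789'
as_cr_alnum=$as_cr_Letters$as_cr_digits


  # $LINENO probe: the two assignments must stay on consecutive lines.
  as_lineno_1=$LINENO as_lineno_1a=$LINENO
  as_lineno_2=$LINENO as_lineno_2a=$LINENO
  eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
  test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
  # Blame Lee E. McMahon (1931-1989) for sed's syntax.  :-)
  # Fallback for shells without a usable $LINENO: a copy of this script with
  # the line numbers substituted is written next to the current directory's
  # other files as $as_me.lineno, made executable, and sourced.
  sed -n '
    p
    /[$]LINENO/=
  ' <$as_myself |
    sed '
      s/[$]LINENO.*/&-/
      t lineno
      b
      :lineno
      N
      :loop
      s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
      t loop
      s/-\n.*//
    ' >$as_me.lineno &&
  chmod +x "$as_me.lineno" ||
    { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }

  # Don't try to exec as it changes $[0], causing all sort of problems
  # (the dirname of $[0] is not the place where we might find the
  # original and so on.  Autoconf is especially sensitive to this).
  . "./$as_me.lineno"
  # Exit status is that of the last command.
  exit
}

# Work out how this shell's echo suppresses the trailing newline.
ECHO_C= ECHO_N= ECHO_T=
case `echo -n x` in #(((((
-n*)
  case `echo 'xy\c'` in
  *c*) ECHO_T='	';;	# ECHO_T is single tab character.
  xy)  ECHO_C='\c';;
  *)   echo `echo ksh88 bug on AIX 6.1` > /dev/null
       ECHO_T='	';;
  esac;;
*)
  ECHO_N='-n';;
esac

# Probe how links can be made, using scratch names derived from the shell's
# PID in the current directory; all of them are removed again afterwards.
rm -f conf$$ conf$$.exe conf$$.file
if test -d conf$$.dir; then
  rm -f conf$$.dir/conf$$.file
else
  rm -f conf$$.dir
  mkdir conf$$.dir 2>/dev/null
fi
if (echo >conf$$.file) 2>/dev/null; then
  if ln -s conf$$.file conf$$ 2>/dev/null; then
    as_ln_s='ln -s'
    # ... but there are two gotchas:
    # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
    # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
    # In both cases, we have to default to `cp -p'.
    ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
      as_ln_s='cp -p'
  elif ln conf$$.file conf$$ 2>/dev/null; then
    as_ln_s=ln
  else
    as_ln_s='cp -p'
  fi
else
  as_ln_s='cp -p'
fi
rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
rmdir conf$$.dir 2>/dev/null

# $as_mkdir_p is the command as_fn_mkdir_p evals; `false' forces its
# component-by-component fallback.
if mkdir -p . 2>/dev/null; then
  as_mkdir_p='mkdir -p "$as_dir"'
else
  test -d ./-p && rmdir ./-p
  as_mkdir_p=false
fi

# Where `test -x' is unavailable, emulate it from the mode string printed by
# ls.  The emulation is a small shell program; its newlines are significant
# because it contains `#(' comments.
if test -x / >/dev/null 2>&1; then
  as_test_x='test -x'
else
  if ls -dL / >/dev/null 2>&1; then
    as_ls_L_option=L
  else
    as_ls_L_option=
  fi
  as_test_x='
    eval sh -c '\''
      if test -d "$1"; then
        test -d "$1/.";
      else
        case $1 in #(
        -*)set "./$1";;
        esac;
        case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #((
        ???[sx]*):;;*)false;;esac;fi
    '\'' sh
  '
fi
as_executable_p=$as_test_x

# Sed expression to map a string onto a valid CPP name.
as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"

# Sed expression to map a string onto a valid variable name.
as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"


# Keep the original stdin on descriptor 7 and read from /dev/null instead
# (skipped when DJDIR is set); descriptor 6 becomes a copy of stdout.
test -n "$DJDIR" || exec 7<&0 </dev/null
exec 6>&1

# Name of the host.
# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
# so uname gets run too.
ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`

#
# Initializations.
#
ac_default_prefix=/usr/local
ac_clean_files=
ac_config_libobj_dir=.
LIBOBJS=
cross_compiling=no
subdirs=
MFLAGS=
MAKEFLAGS=

# Identity of this package.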
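# Package identity reported in --version output and diagnostics.
PACKAGE_NAME='radsecproxy'
PACKAGE_TARNAME='radsecproxy'
PACKAGE_VERSION='1.6.2'
PACKAGE_STRING='radsecproxy 1.6.2'
PACKAGE_BUGREPORT='radsecproxy@uninett.no'
PACKAGE_URL=''

# Names of the output variables substituted into generated files.
ac_subst_vars='am__EXEEXT_FALSE am__EXEEXT_TRUE LTLIBOBJS LIBOBJS SSL_LIBS SSL_LDFLAGS SSL_CFLAGS TARGET_LDFLAGS TARGET_CFLAGS HAVE_DOCBOOK2X_MAN_FALSE HAVE_DOCBOOK2X_MAN_TRUE DOCBOOK2X_MAN ENABLE_EXPERIMENTAL_DYNDISC_FALSE ENABLE_EXPERIMENTAL_DYNDISC_TRUE WANT_FTICKS_FALSE WANT_FTICKS_TRUE RANLIB am__fastdepCC_FALSE am__fastdepCC_TRUE CCDEPMODE AMDEPBACKSLASH AMDEP_FALSE AMDEP_TRUE am__quote am__include DEPDIR OBJEXT EXEEXT ac_ct_CC CPPFLAGS LDFLAGS CFLAGS CC am__untar am__tar AMTAR am__leading_dot SET_MAKE AWK mkdir_p MKDIR_P INSTALL_STRIP_PROGRAM STRIP install_sh MAKEINFO AUTOHEADER AUTOMAKE AUTOCONF ACLOCAL VERSION PACKAGE CYGPATH_W am__isrc INSTALL_DATA INSTALL_SCRIPT INSTALL_PROGRAM target_os target_vendor target_cpu target host_os host_vendor host_cpu host build_os build_vendor build_cpu build target_alias host_alias build_alias LIBS ECHO_T ECHO_N ECHO_C DEFS mandir localedir libdir psdir pdfdir dvidir htmldir infodir docdir oldincludedir includedir localstatedir sharedstatedir sysconfdir datadir datarootdir libexecdir sbindir bindir program_transform_name prefix exec_prefix PACKAGE_URL PACKAGE_BUGREPORT PACKAGE_STRING PACKAGE_VERSION PACKAGE_TARNAME PACKAGE_NAME PATH_SEPARATOR SHELL'
ac_subst_files=''
# Known --enable-*/--with-* options.  The option parser matches each name
# together with the separator on both sides of it, so the leading and
# trailing separator characters in this string are significant.
ac_user_opts=' enable_option_checking enable_dependency_tracking enable_udp enable_tcp enable_tls enable_dtls enable_fticks enable_experimental_dyndisc with_ssl '
# Variables whose values from the environment or command line are recorded.
ac_precious_vars='build_alias host_alias target_alias CC CFLAGS LDFLAGS LIBS CPPFLAGS DOCBOOK2X_MAN'

# Initialize some variables set by options.
# These must be statements of their own; placed after the comment on the
# same physical line they would never run.
ac_init_help=
ac_init_version=false
ac_unrecognized_opts=
ac_unrecognized_sep=
# The variables have the same names as the options, with
# dashes changed to underlines.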
cache_file=/dev/null exec_prefix=NONE no_create= no_recursion= prefix=NONE program_prefix=NONE program_suffix=NONE program_transform_name=s,x,x, silent= site= srcdir= verbose= x_includes=NONE x_libraries=NONE # Installation directory options. # These are left unexpanded so users can "make install exec_prefix=/foo" # and all the variables that are supposed to be based on exec_prefix # by default will actually change. # Use braces instead of parens because sh, perl, etc. also accept them. # (The list follows the same order as the GNU Coding Standards.) bindir='${exec_prefix}/bin' sbindir='${exec_prefix}/sbin' libexecdir='${exec_prefix}/libexec' datarootdir='${prefix}/share' datadir='${datarootdir}' sysconfdir='${prefix}/etc' sharedstatedir='${prefix}/com' localstatedir='${prefix}/var' includedir='${prefix}/include' oldincludedir='/usr/include' docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' infodir='${datarootdir}/info' htmldir='${docdir}' dvidir='${docdir}' pdfdir='${docdir}' psdir='${docdir}' libdir='${exec_prefix}/lib' localedir='${datarootdir}/locale' mandir='${datarootdir}/man' ac_prev= ac_dashdash= for ac_option do # If the previous option needs an argument, assign it. if test -n "$ac_prev"; then eval $ac_prev=\$ac_option ac_prev= continue fi case $ac_option in *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; *=) ac_optarg= ;; *) ac_optarg=yes ;; esac # Accept the important Cygnus configure options, so we can diagnose typos. 
case $ac_dashdash$ac_option in --) ac_dashdash=yes ;; -bindir | --bindir | --bindi | --bind | --bin | --bi) ac_prev=bindir ;; -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) bindir=$ac_optarg ;; -build | --build | --buil | --bui | --bu) ac_prev=build_alias ;; -build=* | --build=* | --buil=* | --bui=* | --bu=*) build_alias=$ac_optarg ;; -cache-file | --cache-file | --cache-fil | --cache-fi \ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) ac_prev=cache_file ;; -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) cache_file=$ac_optarg ;; --config-cache | -C) cache_file=config.cache ;; -datadir | --datadir | --datadi | --datad) ac_prev=datadir ;; -datadir=* | --datadir=* | --datadi=* | --datad=*) datadir=$ac_optarg ;; -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | --dataroo | --dataro | --datar) ac_prev=datarootdir ;; -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) datarootdir=$ac_optarg ;; -disable-* | --disable-*) ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? 
"invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=no ;; -docdir | --docdir | --docdi | --doc | --do) ac_prev=docdir ;; -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) docdir=$ac_optarg ;; -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) ac_prev=dvidir ;; -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) dvidir=$ac_optarg ;; -enable-* | --enable-*) ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid feature name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "enable_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval enable_$ac_useropt=\$ac_optarg ;; -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | --exec | --exe | --ex) ac_prev=exec_prefix ;; -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | --exec=* | --exe=* | --ex=*) exec_prefix=$ac_optarg ;; -gas | --gas | --ga | --g) # Obsolete; use --with-gas. 
with_gas=yes ;; -help | --help | --hel | --he | -h) ac_init_help=long ;; -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) ac_init_help=recursive ;; -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) ac_init_help=short ;; -host | --host | --hos | --ho) ac_prev=host_alias ;; -host=* | --host=* | --hos=* | --ho=*) host_alias=$ac_optarg ;; -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) ac_prev=htmldir ;; -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | --ht=*) htmldir=$ac_optarg ;; -includedir | --includedir | --includedi | --included | --include \ | --includ | --inclu | --incl | --inc) ac_prev=includedir ;; -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | --includ=* | --inclu=* | --incl=* | --inc=*) includedir=$ac_optarg ;; -infodir | --infodir | --infodi | --infod | --info | --inf) ac_prev=infodir ;; -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) infodir=$ac_optarg ;; -libdir | --libdir | --libdi | --libd) ac_prev=libdir ;; -libdir=* | --libdir=* | --libdi=* | --libd=*) libdir=$ac_optarg ;; -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | --libexe | --libex | --libe) ac_prev=libexecdir ;; -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | --libexe=* | --libex=* | --libe=*) libexecdir=$ac_optarg ;; -localedir | --localedir | --localedi | --localed | --locale) ac_prev=localedir ;; -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) localedir=$ac_optarg ;; -localstatedir | --localstatedir | --localstatedi | --localstated \ | --localstate | --localstat | --localsta | --localst | --locals) ac_prev=localstatedir ;; -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) localstatedir=$ac_optarg ;; -mandir | --mandir | --mandi | --mand | --man | --ma | --m) ac_prev=mandir ;; -mandir=* | --mandir=* | --mandi=* | 
--mand=* | --man=* | --ma=* | --m=*) mandir=$ac_optarg ;; -nfp | --nfp | --nf) # Obsolete; use --without-fp. with_fp=no ;; -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | --no-cr | --no-c | -n) no_create=yes ;; -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) no_recursion=yes ;; -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | --oldin | --oldi | --old | --ol | --o) ac_prev=oldincludedir ;; -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) oldincludedir=$ac_optarg ;; -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) ac_prev=prefix ;; -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) prefix=$ac_optarg ;; -program-prefix | --program-prefix | --program-prefi | --program-pref \ | --program-pre | --program-pr | --program-p) ac_prev=program_prefix ;; -program-prefix=* | --program-prefix=* | --program-prefi=* \ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) program_prefix=$ac_optarg ;; -program-suffix | --program-suffix | --program-suffi | --program-suff \ | --program-suf | --program-su | --program-s) ac_prev=program_suffix ;; -program-suffix=* | --program-suffix=* | --program-suffi=* \ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) program_suffix=$ac_optarg ;; -program-transform-name | --program-transform-name \ | --program-transform-nam | --program-transform-na \ | --program-transform-n | --program-transform- \ | --program-transform | --program-transfor \ | --program-transfo | --program-transf \ | --program-trans | --program-tran \ | --progr-tra | --program-tr | --program-t) ac_prev=program_transform_name ;; -program-transform-name=* | 
--program-transform-name=* \ | --program-transform-nam=* | --program-transform-na=* \ | --program-transform-n=* | --program-transform-=* \ | --program-transform=* | --program-transfor=* \ | --program-transfo=* | --program-transf=* \ | --program-trans=* | --program-tran=* \ | --progr-tra=* | --program-tr=* | --program-t=*) program_transform_name=$ac_optarg ;; -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) ac_prev=pdfdir ;; -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) pdfdir=$ac_optarg ;; -psdir | --psdir | --psdi | --psd | --ps) ac_prev=psdir ;; -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) psdir=$ac_optarg ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) silent=yes ;; -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) ac_prev=sbindir ;; -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | --sbi=* | --sb=*) sbindir=$ac_optarg ;; -sharedstatedir | --sharedstatedir | --sharedstatedi \ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | --sharedst | --shareds | --shared | --share | --shar \ | --sha | --sh) ac_prev=sharedstatedir ;; -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | --sha=* | --sh=*) sharedstatedir=$ac_optarg ;; -site | --site | --sit) ac_prev=site ;; -site=* | --site=* | --sit=*) site=$ac_optarg ;; -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) ac_prev=srcdir ;; -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) srcdir=$ac_optarg ;; -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | --syscon | --sysco | --sysc | --sys | --sy) ac_prev=sysconfdir ;; -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) sysconfdir=$ac_optarg ;; -target | --target | --targe | 
--targ | --tar | --ta | --t) ac_prev=target_alias ;; -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) target_alias=$ac_optarg ;; -v | -verbose | --verbose | --verbos | --verbo | --verb) verbose=yes ;; -version | --version | --versio | --versi | --vers | -V) ac_init_version=: ;; -with-* | --with-*) ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=\$ac_optarg ;; -without-* | --without-*) ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` # Reject names that are not valid shell variable names. expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && as_fn_error $? "invalid package name: $ac_useropt" ac_useropt_orig=$ac_useropt ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` case $ac_user_opts in *" "with_$ac_useropt" "*) ;; *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" ac_unrecognized_sep=', ';; esac eval with_$ac_useropt=no ;; --x) # Obsolete; use --with-x. 
with_x=yes ;; -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | --x-incl | --x-inc | --x-in | --x-i) ac_prev=x_includes ;; -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) x_includes=$ac_optarg ;; -x-libraries | --x-libraries | --x-librarie | --x-librari \ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) ac_prev=x_libraries ;; -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) x_libraries=$ac_optarg ;; -*) as_fn_error $? "unrecognized option: \`$ac_option' Try \`$0 --help' for more information" ;; *=*) ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` # Reject names that are not valid shell variable names. case $ac_envvar in #( '' | [0-9]* | *[!_$as_cr_alnum]* ) as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; esac eval $ac_envvar=\$ac_optarg export $ac_envvar ;; *) # FIXME: should be removed in autoconf 3.0. $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" ;; esac done if test -n "$ac_prev"; then ac_option=--`echo $ac_prev | sed 's/_/-/g'` as_fn_error $? "missing argument to $ac_option" fi if test -n "$ac_unrecognized_opts"; then case $enable_option_checking in no) ;; fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; esac fi # Check all directory arguments for consistency. for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ datadir sysconfdir sharedstatedir localstatedir includedir \ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ libdir localedir mandir do eval ac_val=\$$ac_var # Remove trailing slashes. 
case $ac_val in */ ) ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` eval $ac_var=\$ac_val;; esac # Be sure to have absolute directory names. case $ac_val in [\\/$]* | ?:[\\/]* ) continue;; NONE | '' ) case $ac_var in *prefix ) continue;; esac;; esac as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" done # There might be people who depend on the old broken behavior: `$host' # used to hold the argument of --host etc. # FIXME: To remove some day. build=$build_alias host=$host_alias target=$target_alias # FIXME: To remove some day. if test "x$host_alias" != x; then if test "x$build_alias" = x; then cross_compiling=maybe $as_echo "$as_me: WARNING: if you wanted to set the --build type, don't use --host. If a cross compiler is detected then cross compile mode will be used" >&2 elif test "x$build_alias" != "x$host_alias"; then cross_compiling=yes fi fi ac_tool_prefix= test -n "$host_alias" && ac_tool_prefix=$host_alias- test "$silent" = yes && exec 6>/dev/null ac_pwd=`pwd` && test -n "$ac_pwd" && ac_ls_di=`ls -di .` && ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || as_fn_error $? "working directory cannot be determined" test "X$ac_ls_di" = "X$ac_pwd_ls_di" || as_fn_error $? "pwd does not report name of working directory" # Find the source files, if location was not specified. if test -z "$srcdir"; then ac_srcdir_defaulted=yes # Try the directory containing this script, then the parent directory. ac_confdir=`$as_dirname -- "$as_myself" || $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_myself" : 'X\(//\)[^/]' \| \ X"$as_myself" : 'X\(//\)$' \| \ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_myself" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` srcdir=$ac_confdir if test ! -r "$srcdir/$ac_unique_file"; then srcdir=.. fi else ac_srcdir_defaulted=no fi if test ! 
-r "$srcdir/$ac_unique_file"; then test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" fi ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" ac_abs_confdir=`( cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" pwd)` # When building in place, set srcdir=. if test "$ac_abs_confdir" = "$ac_pwd"; then srcdir=. fi # Remove unnecessary trailing slashes from srcdir. # Double slashes in file names in object file debugging info # mess up M-x gdb in Emacs. case $srcdir in */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; esac for ac_var in $ac_precious_vars; do eval ac_env_${ac_var}_set=\${${ac_var}+set} eval ac_env_${ac_var}_value=\$${ac_var} eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} eval ac_cv_env_${ac_var}_value=\$${ac_var} done # # Report the --help message. # if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF \`configure' configures radsecproxy 1.6.2 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... To assign environment variables (e.g., CC, CFLAGS...), specify them as VAR=VALUE. See below for descriptions of some of the useful variables. Defaults for the options are specified in brackets. Configuration: -h, --help display this help and exit --help=short display options specific to this package --help=recursive display the short help of all the included packages -V, --version display version information and exit -q, --quiet, --silent do not print \`checking ...' 
messages --cache-file=FILE cache test results in FILE [disabled] -C, --config-cache alias for \`--cache-file=config.cache' -n, --no-create do not create output files --srcdir=DIR find the sources in DIR [configure dir or \`..'] Installation directories: --prefix=PREFIX install architecture-independent files in PREFIX [$ac_default_prefix] --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX [PREFIX] By default, \`make install' will install all the files in \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify an installation prefix other than \`$ac_default_prefix' using \`--prefix', for instance \`--prefix=\$HOME'. For better control, use the options below. Fine tuning of the installation directories: --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --includedir=DIR C header files [PREFIX/include] --oldincludedir=DIR C header files for non-gcc [/usr/include] --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] --datadir=DIR read-only architecture-independent data [DATAROOTDIR] --infodir=DIR info documentation [DATAROOTDIR/info] --localedir=DIR locale-dependent data [DATAROOTDIR/locale] --mandir=DIR man documentation [DATAROOTDIR/man] --docdir=DIR documentation root [DATAROOTDIR/doc/radsecproxy] --htmldir=DIR html documentation [DOCDIR] --dvidir=DIR dvi documentation [DOCDIR] --pdfdir=DIR pdf documentation [DOCDIR] --psdir=DIR ps documentation [DOCDIR] _ACEOF cat <<\_ACEOF Program names: --program-prefix=PREFIX prepend PREFIX to installed program names --program-suffix=SUFFIX append SUFFIX to installed program names --program-transform-name=PROGRAM run sed PROGRAM on 
installed program names System types: --build=BUILD configure for building on BUILD [guessed] --host=HOST cross-compile to build programs to run on HOST [BUILD] --target=TARGET configure for building compilers for TARGET [HOST] _ACEOF fi if test -n "$ac_init_help"; then case $ac_init_help in short | recursive ) echo "Configuration of radsecproxy 1.6.2:";; esac cat <<\_ACEOF Optional Features: --disable-option-checking ignore unrecognized --enable/--with options --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) --enable-FEATURE[=ARG] include FEATURE [ARG=yes] --disable-dependency-tracking speeds up one-time build --enable-dependency-tracking do not reject slow dependency extractors --enable-udp whether to enable UDP transport: yes/no; default yes --enable-tcp whether to enable TCP transport: yes/no; default yes --enable-tls whether to enable TLS (RadSec) transport: yes/no; default yes --enable-dtls whether to enable DTLS transport: yes/no; default yes --enable-fticks build with F-Ticks support [default=no] --enable-experimental-dyndisc enable experimental code for dynamic discovery [default=no] Optional Packages: --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) --with-ssl Use SSL (in specified installation directory) Some influential environment variables: CC C compiler command CFLAGS C compiler flags LDFLAGS linker flags, e.g. -L if you have libraries in a nonstandard directory LIBS libraries to pass to the linker, e.g. -l CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if you have headers in a nonstandard directory DOCBOOK2X_MAN docbook2x-man Use these variables to override the choices made by `configure' or to help it to find libraries and programs with nonstandard names/locations. Report bugs to . _ACEOF ac_status=$? fi if test "$ac_init_help" = "recursive"; then # If there are subdirs, report their specific --help. 
for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue test -d "$ac_dir" || { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || continue ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix cd "$ac_dir" || { ac_status=$?; continue; } # Check for guested configure. if test -f "$ac_srcdir/configure.gnu"; then echo && $SHELL "$ac_srcdir/configure.gnu" --help=recursive elif test -f "$ac_srcdir/configure"; then echo && $SHELL "$ac_srcdir/configure" --help=recursive else $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 fi || ac_status=$? cd "$ac_pwd" || { ac_status=$?; break; } done fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF radsecproxy configure 1.6.2 generated by GNU Autoconf 2.68 Copyright (C) 2010 Free Software Foundation, Inc. This configure script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. _ACEOF exit fi ## ------------------------ ## ## Autoconf initialization. 
## ## ------------------------ ##

# ac_fn_c_try_compile LINENO
# --------------------------
# Try to compile conftest.$ac_ext, and return whether this succeeded.
#
# LINENO ($1) is the caller's line number; it is used in the config.log
# prefix unless as_lineno is already set (presumably by an enclosing
# ac_fn_* call).
# The command that runs is the string held in $ac_compile, executed via eval.
# This script defines ac_compile as
# '$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5', so the contents of CC,
# CFLAGS and CPPFLAGS are parsed as shell code; they are expected to come
# from a trusted environment or command line.
# Sets the global variables ac_try, ac_try_echo, ac_status and ac_retval
# (0 on success, 1 on failure) and passes ac_retval to as_fn_set_status
# (defined elsewhere in this script; presumably it becomes the exit status).
ac_fn_c_try_compile ()
{
  # Keep as_lineno if it is already set, otherwise take it from $1.
  # as_lineno_stack stores the assignment that restores its previous value.
  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
  # Remove any stale object file so the final 'test -s' only sees the
  # output of this compile.
  rm -f conftest.$ac_objext
  if { { ac_try="$ac_compile"
         # Build the log line. When the command text contains a double quote,
         # backquote or backslash, ac_try_echo is set to the literal string
         # '$ac_try', so the eval below inserts the text as-is instead of
         # parsing those characters a second time. Otherwise the command text
         # itself goes into the eval'ed string and its variable references
         # (e.g. $CC) are expanded for the log.
         case "(($ac_try" in
           *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
           *) ac_try_echo=$ac_try;;
         esac
         eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
         # File descriptor 5 is opened on config.log further down in this script.
         $as_echo "$ac_try_echo"; } >&5
       # Run the compile in a subshell and capture its stderr.
       (eval "$ac_compile") 2>conftest.err
       ac_status=$?
       if test -s conftest.err; then
         # Drop lines that begin with optional blanks and a '+'
         # (presumably shell trace output), then copy the rest to the log.
         grep -v '^ *+' conftest.err >conftest.er1
         cat conftest.er1 >&5
         mv -f conftest.er1 conftest.err
       fi
       $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
       # Success needs: exit status 0, no stderr output when
       # ac_c_werror_flag is non-empty, and a non-empty object file.
       test $ac_status = 0; } && {
         test -z "$ac_c_werror_flag" ||
         test ! -s conftest.err
       } && test -s conftest.$ac_objext; then :
    ac_retval=0
  else
    # On failure, copy the test program to the log, each line prefixed "| ".
    $as_echo "$as_me: failed program was:" >&5
    sed 's/^/| /' conftest.$ac_ext >&5
    ac_retval=1
  fi
  # Restore the previous as_lineno_stack; if it is now empty, the expansion
  # below yields nothing and 'unset as_lineno' runs, otherwise it yields ':'
  # and the line becomes a no-op.
  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
  as_fn_set_status $ac_retval

} # ac_fn_c_try_compile

# ac_fn_c_try_link LINENO
# -----------------------
# Try to link conftest.$ac_ext, and return whether this succeeded.
#
# Same structure as ac_fn_c_try_compile, but runs the string in $ac_link
# (defined in this script as
# '$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5').
# The string is executed via eval, so CC, CFLAGS, CPPFLAGS, LDFLAGS and LIBS
# are parsed as shell code and are expected to come from a trusted
# environment or command line.
# Sets the global variables ac_try, ac_try_echo, ac_status and ac_retval.
ac_fn_c_try_link ()
{
  # Keep as_lineno if it is already set, otherwise take it from $1.
  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
  # Remove stale outputs so the checks below only see this link's results.
  rm -f conftest.$ac_objext conftest$ac_exeext
  if { { ac_try="$ac_link"
         # Same log-line construction as in ac_fn_c_try_compile: text with a
         # double quote, backquote or backslash is inserted unparsed.
         case "(($ac_try" in
           *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
           *) ac_try_echo=$ac_try;;
         esac
         eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
         $as_echo "$ac_try_echo"; } >&5
       # Run the link in a subshell and capture its stderr.
       (eval "$ac_link") 2>conftest.err
       ac_status=$?
       if test -s conftest.err; then
         # Filter lines starting with optional blanks and '+' before logging.
         grep -v '^ *+' conftest.err >conftest.er1
         cat conftest.er1 >&5
         mv -f conftest.er1 conftest.err
       fi
       $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
       # Success needs: exit status 0, no stderr output when
       # ac_c_werror_flag is non-empty, a non-empty linked file, and either
       # cross-compiling or the $as_test_x check passing on that file
       # ($as_test_x is defined elsewhere; presumably an executability test).
       test $ac_status = 0; } && {
         test -z "$ac_c_werror_flag" ||
         test ! -s conftest.err
       } && test -s conftest$ac_exeext && {
         test "$cross_compiling" = yes ||
         $as_test_x conftest$ac_exeext
       }; then :
    ac_retval=0
  else
    # On failure, copy the test program to the log, each line prefixed "| ".
    $as_echo "$as_me: failed program was:" >&5
    sed 's/^/| /' conftest.$ac_ext >&5
    ac_retval=1
  fi
  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
  # interfere with the next link command; also delete a directory that is
  # left behind by Apple's compiler.  We do this before executing the actions.
  rm -rf conftest.dSYM conftest_ipa8_conftest.oo
  # Restore the previous as_lineno_stack; unset as_lineno when it is empty.
  eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
  as_fn_set_status $ac_retval

} # ac_fn_c_try_link
cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. It was created by radsecproxy $as_me 1.6.2, which was generated by GNU Autoconf 2.68. Invocation command line was $ $0 $@ _ACEOF exec 5>>config.log { cat <<_ASUNAME ## --------- ## ## Platform.
## ## --------- ## hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` uname -m = `(uname -m) 2>/dev/null || echo unknown` uname -r = `(uname -r) 2>/dev/null || echo unknown` uname -s = `(uname -s) 2>/dev/null || echo unknown` uname -v = `(uname -v) 2>/dev/null || echo unknown` /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` _ASUNAME as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. $as_echo "PATH: $as_dir" done IFS=$as_save_IFS } >&5 cat >&5 <<_ACEOF ## ----------- ## ## Core tests. ## ## ----------- ## _ACEOF # Keep a trace of the command line. # Strip out --no-create and --no-recursion so they do not pile up. # Strip out --silent because we don't want to record it for future runs. # Also quote any args containing shell meta-characters. # Make two passes to allow for proper duplicate-argument suppression. 
ac_configure_args= ac_configure_args0= ac_configure_args1= ac_must_keep_next=false for ac_pass in 1 2 do for ac_arg do case $ac_arg in -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil) continue ;; *\'*) ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; esac case $ac_pass in 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; 2) as_fn_append ac_configure_args1 " '$ac_arg'" if test $ac_must_keep_next = true; then ac_must_keep_next=false # Got value, back to normal. else case $ac_arg in *=* | --config-cache | -C | -disable-* | --disable-* \ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | -with-* | --with-* | -without-* | --without-* | --x) case "$ac_configure_args0 " in "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; esac ;; -* ) ac_must_keep_next=true ;; esac fi as_fn_append ac_configure_args " '$ac_arg'" ;; esac done done { ac_configure_args0=; unset ac_configure_args0;} { ac_configure_args1=; unset ac_configure_args1;} # When interrupted or exit'd, cleanup temporary files, and complete # config.log. We remove comments because anyway the quotes in there # would cause problems or look ugly. # WARNING: Use '\'' to represent an apostrophe within the trap. # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. trap 'exit_status=$? # Save into config.log some information that might help in debugging. { echo $as_echo "## ---------------- ## ## Cache variables. 
## ## ---------------- ##" echo # The following way of writing the cache mishandles newlines in values, ( for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( *${as_nl}ac_space=\ *) sed -n \ "s/'\''/'\''\\\\'\'''\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" ;; #( *) sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) echo $as_echo "## ----------------- ## ## Output variables. ## ## ----------------- ##" echo for ac_var in $ac_subst_vars do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo if test -n "$ac_subst_files"; then $as_echo "## ------------------- ## ## File substitutions. ## ## ------------------- ##" echo for ac_var in $ac_subst_files do eval ac_val=\$$ac_var case $ac_val in *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; esac $as_echo "$ac_var='\''$ac_val'\''" done | sort echo fi if test -s confdefs.h; then $as_echo "## ----------- ## ## confdefs.h. 
## ## ----------- ##" echo cat confdefs.h echo fi test "$ac_signal" != 0 && $as_echo "$as_me: caught signal $ac_signal" $as_echo "$as_me: exit $exit_status" } >&5 rm -f core *.core core.conftest.* && rm -f -r conftest* confdefs* conf$$* $ac_clean_files && exit $exit_status ' 0 for ac_signal in 1 2 13 15; do trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal done ac_signal=0 # confdefs.h avoids OS command line length limits that DEFS can exceed. rm -f -r conftest* confdefs.h $as_echo "/* confdefs.h */" > confdefs.h # Predefined preprocessor variables. cat >>confdefs.h <<_ACEOF #define PACKAGE_NAME "$PACKAGE_NAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_TARNAME "$PACKAGE_TARNAME" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_VERSION "$PACKAGE_VERSION" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_STRING "$PACKAGE_STRING" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" _ACEOF cat >>confdefs.h <<_ACEOF #define PACKAGE_URL "$PACKAGE_URL" _ACEOF # Let the site file select an alternate cache file if it wants to. # Prefer an explicitly selected file to automatically selected ones. ac_site_file1=NONE ac_site_file2=NONE if test -n "$CONFIG_SITE"; then # We do not want a PATH search for config.site. case $CONFIG_SITE in #(( -*) ac_site_file1=./$CONFIG_SITE;; */*) ac_site_file1=$CONFIG_SITE;; *) ac_site_file1=./$CONFIG_SITE;; esac elif test "x$prefix" != xNONE; then ac_site_file1=$prefix/share/config.site ac_site_file2=$prefix/etc/config.site else ac_site_file1=$ac_default_prefix/share/config.site ac_site_file2=$ac_default_prefix/etc/config.site fi for ac_site_file in "$ac_site_file1" "$ac_site_file2" do test "x$ac_site_file" = xNONE && continue if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 $as_echo "$as_me: loading site script $ac_site_file" >&6;} sed 's/^/| /' "$ac_site_file" >&5 . 
"$ac_site_file" \ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "failed to load site script $ac_site_file See \`config.log' for more details" "$LINENO" 5; } fi done if test -r "$cache_file"; then # Some versions of bash will fail to source /dev/null (special files # actually), so we avoid doing that. DJGPP emulates it as a regular file. if test /dev/null != "$cache_file" && test -f "$cache_file"; then { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 $as_echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . "$cache_file";; *) . "./$cache_file";; esac fi else { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 $as_echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi # Check that the precious variables saved in the cache have kept the same # value. ac_cache_corrupted=false for ac_var in $ac_precious_vars; do eval ac_old_set=\$ac_cv_env_${ac_var}_set eval ac_new_set=\$ac_env_${ac_var}_set eval ac_old_val=\$ac_cv_env_${ac_var}_value eval ac_new_val=\$ac_env_${ac_var}_value case $ac_old_set,$ac_new_set in set,) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then # differences in whitespace do not lead to failure. 
ac_old_val_w=`echo x $ac_old_val` ac_new_val_w=`echo x $ac_new_val` if test "$ac_old_val_w" != "$ac_new_val_w"; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} ac_cache_corrupted=: else { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} eval $ac_var=\$ac_old_val fi { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 $as_echo "$as_me: former value: \`$ac_old_val'" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 $as_echo "$as_me: current value: \`$ac_new_val'" >&2;} fi;; esac # Pass precious variables to config.status. if test "$ac_new_set" = set; then case $ac_new_val in *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; *) ac_arg=$ac_var=$ac_new_val ;; esac case " $ac_configure_args " in *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. *) as_fn_append ac_configure_args " '$ac_arg'" ;; esac fi done if $ac_cache_corrupted; then { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 fi ## -------------------- ## ## Main body of script. ## ## -------------------- ## ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu ac_aux_dir= for ac_dir in "$srcdir" "$srcdir/.." 
"$srcdir/../.."; do if test -f "$ac_dir/install-sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install-sh -c" break elif test -f "$ac_dir/install.sh"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/install.sh -c" break elif test -f "$ac_dir/shtool"; then ac_aux_dir=$ac_dir ac_install_sh="$ac_aux_dir/shtool install -c" break fi done if test -z "$ac_aux_dir"; then as_fn_error $? "cannot find install-sh, install.sh, or shtool in \"$srcdir\" \"$srcdir/..\" \"$srcdir/../..\"" "$LINENO" 5 fi # These three variables are undocumented and unsupported, # and are intended to be withdrawn in a future Autoconf release. # They can cause serious problems if a builder's source tree is in a directory # whose full name contains unusual characters. ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. # Make sure we can run config.sub. $SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 { $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 $as_echo_n "checking build system type... " >&6; } if ${ac_cv_build+:} false; then : $as_echo_n "(cached) " >&6 else ac_build_alias=$build_alias test "x$ac_build_alias" = x && ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` test "x$ac_build_alias" = x && as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 $as_echo "$ac_cv_build" >&6; } case $ac_cv_build in *-*-*) ;; *) as_fn_error $? 
"invalid value of canonical build" "$LINENO" 5;; esac build=$ac_cv_build ac_save_IFS=$IFS; IFS='-' set x $ac_cv_build shift build_cpu=$1 build_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: build_os=$* IFS=$ac_save_IFS case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 $as_echo_n "checking host system type... " >&6; } if ${ac_cv_host+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$host_alias" = x; then ac_cv_host=$ac_cv_build else ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 $as_echo "$ac_cv_host" >&6; } case $ac_cv_host in *-*-*) ;; *) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; esac host=$ac_cv_host ac_save_IFS=$IFS; IFS='-' set x $ac_cv_host shift host_cpu=$1 host_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: host_os=$* IFS=$ac_save_IFS case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking target system type" >&5 $as_echo_n "checking target system type... " >&6; } if ${ac_cv_target+:} false; then : $as_echo_n "(cached) " >&6 else if test "x$target_alias" = x; then ac_cv_target=$ac_cv_host else ac_cv_target=`$SHELL "$ac_aux_dir/config.sub" $target_alias` || as_fn_error $? "$SHELL $ac_aux_dir/config.sub $target_alias failed" "$LINENO" 5 fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_target" >&5 $as_echo "$ac_cv_target" >&6; } case $ac_cv_target in *-*-*) ;; *) as_fn_error $? 
"invalid value of canonical target" "$LINENO" 5;; esac target=$ac_cv_target ac_save_IFS=$IFS; IFS='-' set x $ac_cv_target shift target_cpu=$1 target_vendor=$2 shift; shift # Remember, the first character of IFS is used to create $*, # except with old shells: target_os=$* IFS=$ac_save_IFS case $target_os in *\ *) target_os=`echo "$target_os" | sed 's/ /-/g'`;; esac # The aliases save the names the user supplied, while $host etc. # will get canonicalized. test -n "$target_alias" && test "$program_prefix$program_suffix$program_transform_name" = \ NONENONEs,x,x, && program_prefix=${target_alias}- am__api_version='1.11' # Find a good install program. We prefer a C program (faster), # so one script is as good as another. But avoid the broken or # incompatible versions: # SysV /etc/install, /usr/sbin/install # SunOS /usr/etc/install # IRIX /sbin/install # AIX /bin/install # AmigaOS /C/install, which installs bootblocks on floppy discs # AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # OS/2's system install, which has a completely different semantic # ./install, which can be erroneously created by make from ./install.sh. # Reject install programs that cannot install multiple files. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 $as_echo_n "checking for a BSD-compatible install... " >&6; } if test -z "$INSTALL"; then if ${ac_cv_path_install+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. # Account for people who put trailing slashes in PATH elements. 
case $as_dir/ in #(( ./ | .// | /[cC]/* | \ /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ /usr/ucb/* ) ;; *) # OSF1 and SCO ODT 3.0 have their own names for install. # Don't use installbsd from OSF since it installs stuff as root # by default. for ac_prog in ginstall scoinst install; do for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; }; then if test $ac_prog = install && grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # AIX install. It has an incompatible calling convention. : elif test $ac_prog = install && grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then # program-specific install script used by HP pwplus--don't use. : else rm -rf conftest.one conftest.two conftest.dir echo one > conftest.one echo two > conftest.two mkdir conftest.dir if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && test -s conftest.one && test -s conftest.two && test -s conftest.dir/conftest.one && test -s conftest.dir/conftest.two then ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" break 3 fi fi fi done done ;; esac done IFS=$as_save_IFS rm -rf conftest.one conftest.two conftest.dir fi if test "${ac_cv_path_install+set}" = set; then INSTALL=$ac_cv_path_install else # As a last resort, use the slow shell script. Don't cache a # value for INSTALL within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. INSTALL=$ac_install_sh fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 $as_echo "$INSTALL" >&6; } # Use test -z because SunOS4 sh mishandles braces in ${var-val}. # It thinks the first close brace ends the variable substitution. 
test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether build environment is sane" >&5 $as_echo_n "checking whether build environment is sane... " >&6; } # Just in case sleep 1 echo timestamp > conftest.file # Reject unsafe characters in $srcdir or the absolute working directory # name. Accept space and tab only in the latter. am_lf=' ' case `pwd` in *[\\\"\#\$\&\'\`$am_lf]*) as_fn_error $? "unsafe absolute working directory name" "$LINENO" 5;; esac case $srcdir in *[\\\"\#\$\&\'\`$am_lf\ \ ]*) as_fn_error $? "unsafe srcdir value: \`$srcdir'" "$LINENO" 5;; esac # Do `set' in a subshell so we don't clobber the current shell's # arguments. Must try -L first in case configure is actually a # symlink; some systems play weird games with the mod time of symlinks # (eg FreeBSD returns the mod time of the symlink's containing # directory). if ( set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null` if test "$*" = "X"; then # -L didn't work. set X `ls -t "$srcdir/configure" conftest.file` fi rm -f conftest.file if test "$*" != "X $srcdir/configure conftest.file" \ && test "$*" != "X conftest.file $srcdir/configure"; then # If neither matched, then we have a broken ls. This can happen # if, for instance, CONFIG_SHELL is bash and it inherits a # broken ls alias from the environment. This has actually # happened. Such a system could not be considered "sane". as_fn_error $? "ls -t appears to fail. Make sure there is not a broken alias in your environment" "$LINENO" 5 fi test "$2" = conftest.file ) then # Ok. : else as_fn_error $? "newly created file is older than distributed files! 
Check your system clock" "$LINENO" 5 fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } test "$program_prefix" != NONE && program_transform_name="s&^&$program_prefix&;$program_transform_name" # Use a double $ so make ignores it. test "$program_suffix" != NONE && program_transform_name="s&\$&$program_suffix&;$program_transform_name" # Double any \ or $. # By default was `s,x,x', remove it if useless. ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` # expand $ac_aux_dir to an absolute path am_aux_dir=`cd $ac_aux_dir && pwd` if test x"${MISSING+set}" != xset; then case $am_aux_dir in *\ * | *\ *) MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;; *) MISSING="\${SHELL} $am_aux_dir/missing" ;; esac fi # Use eval to expand $SHELL if eval "$MISSING --run true"; then am_missing_run="$MISSING --run " else am_missing_run= { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \`missing' script is too old or missing" >&5 $as_echo "$as_me: WARNING: \`missing' script is too old or missing" >&2;} fi if test x"${install_sh}" != xset; then case $am_aux_dir in *\ * | *\ *) install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;; *) install_sh="\${SHELL} $am_aux_dir/install-sh" esac fi # Installed binaries are usually stripped using `strip' when the user # run `make install-strip'. However `strip' might not be the right # tool to use in cross-compilation environments, therefore Automake # will honor the `STRIP' environment variable to overrule this program. if test "$cross_compiling" != no; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}strip", so it can be a program name with args. set dummy ${ac_tool_prefix}strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... 
" >&6; } if ${ac_cv_prog_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$STRIP"; then ac_cv_prog_STRIP="$STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_STRIP="${ac_tool_prefix}strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi STRIP=$ac_cv_prog_STRIP if test -n "$STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $STRIP" >&5 $as_echo "$STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_STRIP"; then ac_ct_STRIP=$STRIP # Extract the first word of "strip", so it can be a program name with args. set dummy strip; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_STRIP+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_STRIP"; then ac_cv_prog_ac_ct_STRIP="$ac_ct_STRIP" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_STRIP="strip" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_STRIP=$ac_cv_prog_ac_ct_STRIP if test -n "$ac_ct_STRIP"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_STRIP" >&5 $as_echo "$ac_ct_STRIP" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_STRIP" = x; then STRIP=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac STRIP=$ac_ct_STRIP fi else STRIP="$ac_cv_prog_STRIP" fi fi INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s" { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a thread-safe mkdir -p" >&5 $as_echo_n "checking for a thread-safe mkdir -p... " >&6; } if test -z "$MKDIR_P"; then if ${ac_cv_path_mkdir+:} false; then : $as_echo_n "(cached) " >&6 else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH$PATH_SEPARATOR/opt/sfw/bin do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_prog in mkdir gmkdir; do for ac_exec_ext in '' $ac_executable_extensions; do { test -f "$as_dir/$ac_prog$ac_exec_ext" && $as_test_x "$as_dir/$ac_prog$ac_exec_ext"; } || continue case `"$as_dir/$ac_prog$ac_exec_ext" --version 2>&1` in #( 'mkdir (GNU coreutils) '* | \ 'mkdir (coreutils) '* | \ 'mkdir (fileutils) '4.1*) ac_cv_path_mkdir=$as_dir/$ac_prog$ac_exec_ext break 3;; esac done done done IFS=$as_save_IFS fi test -d ./--version && rmdir ./--version if test "${ac_cv_path_mkdir+set}" = set; then MKDIR_P="$ac_cv_path_mkdir -p" else # As a last resort, use the slow shell script. 
Don't cache a # value for MKDIR_P within a source directory, because that will # break other packages using the cache if that directory is # removed, or if the value is a relative name. MKDIR_P="$ac_install_sh -d" fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MKDIR_P" >&5 $as_echo "$MKDIR_P" >&6; } mkdir_p="$MKDIR_P" case $mkdir_p in [\\/$]* | ?:[\\/]*) ;; */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;; esac for ac_prog in gawk mawk nawk awk do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_AWK+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$AWK"; then ac_cv_prog_AWK="$AWK" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_AWK="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi AWK=$ac_cv_prog_AWK if test -n "$AWK"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 $as_echo "$AWK" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$AWK" && break done { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ${MAKE-make} sets \$(MAKE)" >&5 $as_echo_n "checking whether ${MAKE-make} sets \$(MAKE)... " >&6; } set x ${MAKE-make} ac_make=`$as_echo "$2" | sed 's/+/p/g; s/[^a-zA-Z0-9_]/_/g'` if eval \${ac_cv_prog_make_${ac_make}_set+:} false; then : $as_echo_n "(cached) " >&6 else cat >conftest.make <<\_ACEOF SHELL = /bin/sh all: @echo '@@@%%%=$(MAKE)=@@@%%%' _ACEOF # GNU make sometimes prints "make[1]: Entering ...", which would confuse us. 
case `${MAKE-make} -f conftest.make 2>/dev/null` in *@@@%%%=?*=@@@%%%*) eval ac_cv_prog_make_${ac_make}_set=yes;; *) eval ac_cv_prog_make_${ac_make}_set=no;; esac rm -f conftest.make fi if eval test \$ac_cv_prog_make_${ac_make}_set = yes; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } SET_MAKE= else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } SET_MAKE="MAKE=${MAKE-make}" fi rm -rf .tst 2>/dev/null mkdir .tst 2>/dev/null if test -d .tst; then am__leading_dot=. else am__leading_dot=_ fi rmdir .tst 2>/dev/null if test "`cd $srcdir && pwd`" != "`pwd`"; then # Use -I$(srcdir) only when $(srcdir) != ., so that make's output # is not polluted with repeated "-I." am__isrc=' -I$(srcdir)' # test to see if srcdir already configured if test -f $srcdir/config.status; then as_fn_error $? "source directory already configured; run \"make distclean\" there first" "$LINENO" 5 fi fi # test whether we have cygpath if test -z "$CYGPATH_W"; then if (cygpath --version) >/dev/null 2>/dev/null; then CYGPATH_W='cygpath -w' else CYGPATH_W=echo fi fi # Define the identity of the package. PACKAGE='radsecproxy' VERSION='1.6.2' cat >>confdefs.h <<_ACEOF #define PACKAGE "$PACKAGE" _ACEOF cat >>confdefs.h <<_ACEOF #define VERSION "$VERSION" _ACEOF # Some tools Automake needs. ACLOCAL=${ACLOCAL-"${am_missing_run}aclocal-${am__api_version}"} AUTOCONF=${AUTOCONF-"${am_missing_run}autoconf"} AUTOMAKE=${AUTOMAKE-"${am_missing_run}automake-${am__api_version}"} AUTOHEADER=${AUTOHEADER-"${am_missing_run}autoheader"} MAKEINFO=${MAKEINFO-"${am_missing_run}makeinfo"} # We need awk for the "check" target. The system "awk" is bad on # some platforms. # Always define AMTAR for backward compatibility. 
AMTAR=${AMTAR-"${am_missing_run}tar"} am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -' ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_CC"; then ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="gcc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi else CC="$ac_cv_prog_CC" fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="${ac_tool_prefix}cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi fi if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else ac_prog_rejected=no as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then ac_prog_rejected=yes continue fi ac_cv_prog_CC="cc" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS if test $ac_prog_rejected = yes; then # We found a bogon in the path, so make sure we never use it. set dummy $ac_cv_prog_CC shift if test $# != 0; then # We chose a different compiler from the bogus one. # However, it has the same basename, so the bogon will be chosen # first if we set CC to just the basename; use the full file name. 
shift ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" fi fi fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$CC"; then if test -n "$ac_tool_prefix"; then for ac_prog in cl.exe do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$CC"; then ac_cv_prog_CC="$CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_CC="$ac_tool_prefix$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi CC=$ac_cv_prog_CC if test -n "$CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 $as_echo "$CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$CC" && break done fi if test -z "$CC"; then ac_ct_CC=$CC for ac_prog in cl.exe do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_ac_ct_CC+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_CC"; then ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. 
for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_CC="$ac_prog" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 $as_echo "$ac_ct_CC" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi test -n "$ac_ct_CC" && break done if test "x$ac_ct_CC" = x; then CC="" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac CC=$ac_ct_CC fi fi fi test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "no acceptable C compiler found in \$PATH See \`config.log' for more details" "$LINENO" 5; } # Provide some information about the compiler. $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 set X $ac_compile ac_compiler=$2 for ac_option in --version -v -V -qversion; do { { ac_try="$ac_compiler $ac_option >&5" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compiler $ac_option >&5") 2>conftest.err ac_status=$? if test -s conftest.err; then sed '10a\ ... rest of stderr output deleted ... 10q' conftest.err >conftest.er1 cat conftest.er1 >&5 fi rm -f conftest.er1 conftest.err $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; } done cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 $as_echo_n "checking whether the C compiler works... " >&6; } ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` # The possible output files: ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" ac_rmfiles= for ac_file in $ac_files do case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; * ) ac_rmfiles="$ac_rmfiles $ac_file";; esac done rm -f $ac_rmfiles if { { ac_try="$ac_link_default" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link_default") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' # in a Makefile. We should not override ac_cv_exeext if it was cached, # so that the user can short-circuit this test for compilers unknown to # Autoconf. for ac_file in $ac_files '' do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; [ab].out ) # We found the default executable, but exeext='' is most # certainly right. 
break;; *.* ) if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; then :; else ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` fi # We set ac_cv_exeext here because the later test for it is not # safe: cross compilers may not add the suffix if given an `-o' # argument, so we may need to know it at that point already. # Even if this section looks crufty: it has the advantage of # actually working. break;; * ) break;; esac done test "$ac_cv_exeext" = no && ac_cv_exeext= else ac_file='' fi if test -z "$ac_file"; then : { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error 77 "C compiler cannot create executables See \`config.log' for more details" "$LINENO" 5; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 $as_echo_n "checking for C compiler default output file name... " >&6; } { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 $as_echo "$ac_file" >&6; } ac_exeext=$ac_cv_exeext rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 $as_echo_n "checking for suffix of executables... " >&6; } if { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; then : # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. 
For instance with Cygwin, `ls conftest' will # work properly (i.e., refer to `conftest.exe'), while it won't with # `rm'. for ac_file in conftest.exe conftest conftest.*; do test -f "$ac_file" || continue case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` break;; * ) break;; esac done else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of executables: cannot compile and link See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest conftest$ac_cv_exeext { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 $as_echo "$ac_cv_exeext" >&6; } rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include int main () { FILE *f = fopen ("conftest.out", "w"); return ferror (f) || fclose (f) != 0; ; return 0; } _ACEOF ac_clean_files="$ac_clean_files conftest.out" # Check that the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 $as_echo_n "checking whether we are cross compiling... " >&6; } if test "$cross_compiling" != yes; then { { ac_try="$ac_link" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_link") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 test $ac_status = 0; } if { ac_try='./conftest$ac_cv_exeext' { { case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_try") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 test $ac_status = 0; }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot run C compiled programs. If you meant to cross compile, use \`--host'. See \`config.log' for more details" "$LINENO" 5; } fi fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 $as_echo "$cross_compiling" >&6; } rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out ac_clean_files=$ac_clean_files_save { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 $as_echo_n "checking for suffix of object files... " >&6; } if ${ac_cv_objext+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF rm -f conftest.o conftest.obj if { { ac_try="$ac_compile" case "(($ac_try" in *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; *) ac_try_echo=$ac_try;; esac eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" $as_echo "$ac_try_echo"; } >&5 (eval "$ac_compile") 2>&5 ac_status=$? $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 test $ac_status = 0; }; then : for ac_file in conftest.o conftest.obj conftest.*; do test -f "$ac_file" || continue; case $ac_file in *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` break;; esac done else $as_echo "$as_me: failed program was:" >&5 sed 's/^/| /' conftest.$ac_ext >&5 { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} as_fn_error $? "cannot compute suffix of object files: cannot compile See \`config.log' for more details" "$LINENO" 5; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 $as_echo "$ac_cv_objext" >&6; } OBJEXT=$ac_cv_objext ac_objext=$OBJEXT { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } if ${ac_cv_c_compiler_gnu+:} false; then : $as_echo_n "(cached) " >&6 else cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { #ifndef __GNUC__ choke me #endif ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_compiler_gnu=yes else ac_compiler_gnu=no fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_cv_c_compiler_gnu=$ac_compiler_gnu fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 $as_echo "$ac_cv_c_compiler_gnu" >&6; } if test $ac_compiler_gnu = yes; then GCC=yes else GCC= fi ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 $as_echo_n "checking whether $CC accepts -g... " >&6; } if ${ac_cv_prog_cc_g+:} false; then : $as_echo_n "(cached) " >&6 else ac_save_c_werror_flag=$ac_c_werror_flag ac_c_werror_flag=yes ac_cv_prog_cc_g=no CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. 
*/ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes else CFLAGS="" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : else ac_c_werror_flag=$ac_save_c_werror_flag CFLAGS="-g" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ int main () { ; return 0; } _ACEOF if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_g=yes fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext ac_c_werror_flag=$ac_save_c_werror_flag fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 $as_echo "$ac_cv_prog_cc_g" >&6; } if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS elif test $ac_cv_prog_cc_g = yes; then if test "$GCC" = yes; then CFLAGS="-g -O2" else CFLAGS="-g" fi else if test "$GCC" = yes; then CFLAGS="-O2" else CFLAGS= fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } if ${ac_cv_prog_cc_c89+:} false; then : $as_echo_n "(cached) " >&6 else ac_cv_prog_cc_c89=no ac_save_CC=$CC cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include #include #include #include /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ struct buf { int x; }; FILE * (*rcsopen) (struct buf *, struct stat *, int); static char *e (p, i) char **p; int i; { return p[i]; } static char *f (char * (*g) (char **, int), char **p, ...) { char *s; va_list v; va_start (v,p); s = g (p, va_arg (v,int)); va_end (v); return s; } /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has function prototypes and stuff, but not '\xHH' hex character constants. These don't provoke an error unfortunately, instead are silently treated as 'x'. 
The following induces an error, until -std is added to get proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an array size at least. It's necessary to write '\x00'==0 to get something that's true only with -std. */ int osf4_cc_array ['\x00' == 0 ? 1 : -1]; /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters inside strings and character constants. */ #define FOO(x) 'x' int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; int test (int i, double x); struct s1 {int (*f) (int a);}; struct s2 {int (*f) (double a);}; int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); int argc; char **argv; int main () { return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; ; return 0; } _ACEOF for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" do CC="$ac_save_CC $ac_arg" if ac_fn_c_try_compile "$LINENO"; then : ac_cv_prog_cc_c89=$ac_arg fi rm -f core conftest.err conftest.$ac_objext test "x$ac_cv_prog_cc_c89" != "xno" && break done rm -f conftest.$ac_ext CC=$ac_save_CC fi # AC_CACHE_VAL case "x$ac_cv_prog_cc_c89" in x) { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 $as_echo "none needed" >&6; } ;; xno) { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 $as_echo "unsupported" >&6; } ;; *) CC="$CC $ac_cv_prog_cc_c89" { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; esac if test "x$ac_cv_prog_cc_c89" != xno; then : fi ac_ext=c ac_cpp='$CPP $CPPFLAGS' ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu DEPDIR="${am__leading_dot}deps" ac_config_commands="$ac_config_commands depfiles" am_make=${MAKE-make} cat > confinc << 'END' am__doit: @echo this is the am__doit target .PHONY: am__doit END # If we don't find an include directive, just 
comment out the code. { $as_echo "$as_me:${as_lineno-$LINENO}: checking for style of include used by $am_make" >&5 $as_echo_n "checking for style of include used by $am_make... " >&6; } am__include="#" am__quote= _am_result=none # First try GNU make style include. echo "include confinc" > confmf # Ignore all kinds of additional output from `make'. case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=include am__quote= _am_result=GNU ;; esac # Now try BSD make style include. if test "$am__include" = "#"; then echo '.include "confinc"' > confmf case `$am_make -s -f confmf 2> /dev/null` in #( *the\ am__doit\ target*) am__include=.include am__quote="\"" _am_result=BSD ;; esac fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $_am_result" >&5 $as_echo "$_am_result" >&6; } rm -f confinc confmf # Check whether --enable-dependency-tracking was given. if test "${enable_dependency_tracking+set}" = set; then : enableval=$enable_dependency_tracking; fi if test "x$enable_dependency_tracking" != xno; then am_depcomp="$ac_aux_dir/depcomp" AMDEPBACKSLASH='\' fi if test "x$enable_dependency_tracking" != xno; then AMDEP_TRUE= AMDEP_FALSE='#' else AMDEP_TRUE='#' AMDEP_FALSE= fi depcc="$CC" am_compiler_list= { $as_echo "$as_me:${as_lineno-$LINENO}: checking dependency style of $depcc" >&5 $as_echo_n "checking dependency style of $depcc... " >&6; } if ${am_cv_CC_dependencies_compiler_type+:} false; then : $as_echo_n "(cached) " >&6 else if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then # We make a subdir and do the tests there. Otherwise we can end up # making bogus files that we don't know about and never remove. For # instance it was reported that on HP-UX the gcc test will end up # making a dummy file named `D' -- because `-MD' means `put the output # in D'. mkdir conftest.dir # Copy depcomp to subdir because otherwise we won't find it if we're # using a relative directory. 
cp "$am_depcomp" conftest.dir cd conftest.dir # We will build objects and dependencies in a subdirectory because # it helps to detect inapplicable dependency modes. For instance # both Tru64's cc and ICC support -MD to output dependencies as a # side effect of compilation, but ICC will put the dependencies in # the current directory while Tru64 will put them in the object # directory. mkdir sub am_cv_CC_dependencies_compiler_type=none if test "$am_compiler_list" = ""; then am_compiler_list=`sed -n 's/^#*\([a-zA-Z0-9]*\))$/\1/p' < ./depcomp` fi am__universal=false case " $depcc " in #( *\ -arch\ *\ -arch\ *) am__universal=true ;; esac for depmode in $am_compiler_list; do # Setup a source with many dependencies, because some compilers # like to wrap large dependency lists on column 80 (with \), and # we should not choose a depcomp mode which is confused by this. # # We need to recreate these files for each test, as the compiler may # overwrite some of them when testing with obscure command lines. # This happens at least with the AIX C compiler. : > sub/conftest.c for i in 1 2 3 4 5 6; do echo '#include "conftst'$i'.h"' >> sub/conftest.c # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with # Solaris 8's {/usr,}/bin/sh. touch sub/conftst$i.h done echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf # We check with `-c' and `-o' for the sake of the "dashmstdout" # mode. It turns out that the SunPro C++ compiler does not properly # handle `-M -o', and we need to detect this. Also, some Intel # versions had trouble with output in subdirs am__obj=sub/conftest.${OBJEXT-o} am__minus_obj="-o $am__obj" case $depmode in gcc) # This depmode causes a compiler race in universal mode. 
test "$am__universal" = false || continue ;; nosideeffect) # after this tag, mechanisms are not by side-effect, so they'll # only be used when explicitly requested if test "x$enable_dependency_tracking" = xyes; then continue else break fi ;; msvisualcpp | msvcmsys) # This compiler won't grok `-c -o', but also, the minuso test has # not run yet. These depmodes are late enough in the game, and # so weak that their functioning should not be impacted. am__obj=conftest.${OBJEXT-o} am__minus_obj= ;; none) break ;; esac if depmode=$depmode \ source=sub/conftest.c object=$am__obj \ depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \ $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \ >/dev/null 2>conftest.err && grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 && grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 && grep $am__obj sub/conftest.Po > /dev/null 2>&1 && ${MAKE-make} -s -f confmf > /dev/null 2>&1; then # icc doesn't choke on unknown options, it will just issue warnings # or remarks (even with -Werror). So we grep stderr for any message # that says an option was ignored or not supported. # When given -MP, icc 7.0 and 7.1 complain thusly: # icc: Command line warning: ignoring option '-M'; no argument required # The diagnosis changed in icc 8.0: # icc: Command line remark: option '-MP' not supported if (grep 'ignoring option' conftest.err || grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else am_cv_CC_dependencies_compiler_type=$depmode break fi fi done cd .. 
rm -rf conftest.dir else am_cv_CC_dependencies_compiler_type=none fi fi { $as_echo "$as_me:${as_lineno-$LINENO}: result: $am_cv_CC_dependencies_compiler_type" >&5 $as_echo "$am_cv_CC_dependencies_compiler_type" >&6; } CCDEPMODE=depmode=$am_cv_CC_dependencies_compiler_type if test "x$enable_dependency_tracking" != xno \ && test "$am_cv_CC_dependencies_compiler_type" = gcc3; then am__fastdepCC_TRUE= am__fastdepCC_FALSE='#' else am__fastdepCC_TRUE='#' am__fastdepCC_FALSE= fi if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... " >&6; } if ${ac_cv_prog_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$RANLIB"; then ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 $as_echo "$RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi fi if test -z "$ac_cv_prog_RANLIB"; then ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 $as_echo_n "checking for $ac_word... 
" >&6; } if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : $as_echo_n "(cached) " >&6 else if test -n "$ac_ct_RANLIB"; then ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. else as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. for ac_exec_ext in '' $ac_executable_extensions; do if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then ac_cv_prog_ac_ct_RANLIB="ranlib" $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 break 2 fi done done IFS=$as_save_IFS fi fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 $as_echo "$ac_ct_RANLIB" >&6; } else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } fi if test "x$ac_ct_RANLIB" = x; then RANLIB=":" else case $cross_compiling:$ac_tool_warned in yes:) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} ac_tool_warned=yes ;; esac RANLIB=$ac_ct_RANLIB fi else RANLIB="$ac_cv_prog_RANLIB" fi udp=yes # Check whether --enable-udp was given. if test "${enable_udp+set}" = set; then : enableval=$enable_udp; if test "x$enableval" = "xyes" -o "x$enableval" = "xno" ; then udp=$enableval else echo "--enable-udp argument must be yes or no" exit -1 fi fi tcp=yes # Check whether --enable-tcp was given. if test "${enable_tcp+set}" = set; then : enableval=$enable_tcp; if test "x$enableval" = "xyes" -o "x$enableval" = "xno" ; then tcp=$enableval else echo "--enable-tcp argument must be yes or no" exit -1 fi fi tls=yes # Check whether --enable-tls was given. 
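# Transport and F-Ticks feature switches, followed by the per-platform
# compiler flags.  This script is Autoconf output, so a lasting change
# belongs in the Autoconf input it was generated from.
#
# --enable-tls / --enable-dtls accept only "yes" or "no".  A bad value is
# reported on stderr and aborts with status 1: "exit -1" is not a portable
# exit status, and the message used to go to stdout where it is easy to miss.
# The --enable-udp / --enable-tcp checks just before this point still use
# the older pattern.
if test "${enable_tls+set}" = set; then :
  enableval=$enable_tls
  case $enableval in
    yes|no)
      tls=$enableval
      ;;
    *)
      echo "--enable-tls argument must be yes or no" >&2
      exit 1
      ;;
  esac
fi

dtls=yes
# Check whether --enable-dtls was given.
if test "${enable_dtls+set}" = set; then :
  enableval=$enable_dtls
  case $enableval in
    yes|no)
      dtls=$enableval
      ;;
    *)
      echo "--enable-dtls argument must be yes or no" >&2
      exit 1
      ;;
  esac
fi

# Check whether --enable-fticks was given.
# F-Ticks is off unless requested explicitly.
if test "${enable_fticks+set}" = set; then :
  enableval=$enable_fticks
  case $enableval in
    yes|no) ;;
    *) as_fn_error $? "bad value $enableval for --enable-fticks, need yes or no" "$LINENO" 5 ;;
  esac
else
  enable_fticks=no
fi

# F-Ticks needs nettle (probed via nettle_sha256_init).  When the library is
# missing, an explicit --enable-fticks is only downgraded with a warning and
# the feature is compiled out, so check the configure output whenever
# F-Ticks logging is expected in the resulting binary.
if test "$enable_fticks" = "yes"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: checking for nettle_sha256_init in -lnettle" >&5
  $as_echo_n "checking for nettle_sha256_init in -lnettle... " >&6; }
  if ${ac_cv_lib_nettle_nettle_sha256_init+:} false; then :
    $as_echo_n "(cached) " >&6
  else
    ac_check_lib_save_LIBS=$LIBS
    LIBS="-lnettle $LIBS"
    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
/* end confdefs.h.  */

/* Override any GCC internal prototype to avoid an error.
   Use char because int might match the return type of a GCC
   builtin and then its argument prototype would still apply.  */
#ifdef __cplusplus
extern "C"
#endif
char nettle_sha256_init ();
int
main ()
{
return nettle_sha256_init ();
  ;
  return 0;
}
_ACEOF
    if ac_fn_c_try_link "$LINENO"; then :
      ac_cv_lib_nettle_nettle_sha256_init=yes
    else
      ac_cv_lib_nettle_nettle_sha256_init=no
    fi
    rm -f core conftest.err conftest.$ac_objext \
      conftest$ac_exeext conftest.$ac_ext
    LIBS=$ac_check_lib_save_LIBS
  fi
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nettle_nettle_sha256_init" >&5
  $as_echo "$ac_cv_lib_nettle_nettle_sha256_init" >&6; }
  if test "x$ac_cv_lib_nettle_nettle_sha256_init" = xyes; then :
    cat >>confdefs.h <<_ACEOF
#define HAVE_LIBNETTLE 1
_ACEOF

    LIBS="-lnettle $LIBS"
  else
    { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: required library nettle not found, fticks support disabled" >&5
    $as_echo "$as_me: WARNING: required library nettle not found, fticks support disabled" >&2;}
    enable_fticks=no
  fi
fi

if test "$enable_fticks" = "yes"; then
  $as_echo "#define WANT_FTICKS 1" >>confdefs.h
fi

# Automake conditional: exactly one of the two variables ends up empty.
if test "$enable_fticks" = "yes"; then
  WANT_FTICKS_TRUE=
  WANT_FTICKS_FALSE='#'
else
  WANT_FTICKS_TRUE='#'
  WANT_FTICKS_FALSE=
fi

case "${target_os}" in
  solaris*)
    TARGET_CFLAGS="-DSYS_SOLARIS9 -D_POSIX_PTHREAD_SEMANTICS"
    if test "$GCC" != yes ; then
      TARGET_CFLAGS="$TARGET_CFLAGS -mt"
    else
      TARGET_CFLAGS="$TARGET_CFLAGS -pthreads"
    fi
    TARGET_LDFLAGS="-lpthread -lsocket -lnsl"
    ;;
  *)
    TARGET_CFLAGS="-Wall -pedantic -Wno-long-long -pthread"
    TARGET_LDFLAGS=""
esac

# Each enabled transport becomes a -DRADPROT_* define.  All four default to
# "yes", so the UDP and TCP transports (no TLS/DTLS layer) are compiled in
# unless they are switched off at configure time; a build meant to speak
# only RadSec should disable them explicitly.
if test "x$udp" = "xyes" ; then
  echo "UDP transport enabled"
  TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_UDP"
fi
if test "x$tcp" = "xyes" ; then
  echo "TCP transport enabled"
  TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_TCP"
fi
if test "x$tls" = "xyes" ; then
  echo "TLS (RadSec) transport enabled"
  TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_TLS"
fi
if test "x$dtls" = "xyes" ; then
  echo "DTLS transport enabled"
  TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_DTLS"
fi

# Check whether --enable-experimental_dyndisc was given.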
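# Experimental dynamic discovery: off unless requested, value must be yes/no.
if test "${enable_experimental_dyndisc+set}" = set; then :
  enableval=$enable_experimental_dyndisc
  case $enableval in
    yes|no) ;;
    *) as_fn_error $? "bad value $enableval for --enable-experimental-dyndisc, need yes or no" "$LINENO" 5 ;;
  esac
else
  enable_experimental_dyndisc=no
fi

if test "$enable_experimental_dyndisc" = "yes"; then
  $as_echo "#define ENABLE_EXPERIMENTAL_DYNDISC 1" >>confdefs.h
fi

if test "$enable_experimental_dyndisc" = "yes"; then
  ENABLE_EXPERIMENTAL_DYNDISC_TRUE=
  ENABLE_EXPERIMENTAL_DYNDISC_FALSE='#'
else
  ENABLE_EXPERIMENTAL_DYNDISC_TRUE='#'
  ENABLE_EXPERIMENTAL_DYNDISC_FALSE=
fi

# Extract the first word of "docbook2x-man", so it can be a program name with args.
set dummy docbook2x-man; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
if ${ac_cv_prog_DOCBOOK2X_MAN+:} false; then :
  $as_echo_n "(cached) " >&6
else
  if test -n "$DOCBOOK2X_MAN"; then
    ac_cv_prog_DOCBOOK2X_MAN="$DOCBOOK2X_MAN" # Let the user override the test.
  else
    as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
    for as_dir in $PATH
    do
      IFS=$as_save_IFS
      test -z "$as_dir" && as_dir=.
      for ac_exec_ext in '' $ac_executable_extensions; do
        if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
          ac_cv_prog_DOCBOOK2X_MAN="yes"
          $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
          break 2
        fi
      done
    done
    IFS=$as_save_IFS
  fi
fi
DOCBOOK2X_MAN=$ac_cv_prog_DOCBOOK2X_MAN
if test -n "$DOCBOOK2X_MAN"; then
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DOCBOOK2X_MAN" >&5
  $as_echo "$DOCBOOK2X_MAN" >&6; }
else
  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
  $as_echo "no" >&6; }
fi

if test "$DOCBOOK2X_MAN" = "yes"; then
  HAVE_DOCBOOK2X_MAN_TRUE=
  HAVE_DOCBOOK2X_MAN_FALSE='#'
else
  HAVE_DOCBOOK2X_MAN_TRUE='#'
  HAVE_DOCBOOK2X_MAN_FALSE=
fi

# Locate the OpenSSL headers.  The directory given with --with-ssl is tried
# first, then a fixed list of system prefixes; the first prefix that holds
# ssl.h wins and also decides the -I / -L flags used for the build.
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL" >&5
$as_echo_n "checking for OpenSSL... " >&6; }
SSL_DIR=
found_ssl="no"

# Check whether --with-ssl was given.
if test "${with_ssl+set}" = set; then :
  withval=$with_ssl
  check_ssl_dir="$withval"
else
  check_ssl_dir=
fi

for dir in $check_ssl_dir /usr /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local ; do
  ssldir="$dir"
  if test -f "$dir/include/openssl/ssl.h"; then
    found_ssl="yes"
    SSL_DIR="${ssldir}"
    SSL_CFLAGS="-I$ssldir/include -I$ssldir/include/openssl"
    break
  fi
  if test -f "$dir/include/ssl.h"; then
    found_ssl="yes"
    SSL_DIR="${ssldir}"
    SSL_CFLAGS="-I$ssldir/include/"
    break
  fi
done
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $found_ssl" >&5
$as_echo "$found_ssl" >&6; }

if test x_$found_ssl != x_yes; then
  as_fn_error $? "
----------------------------------------------------------------------
  Cannot find SSL libraries.

  Please install OpenSSL or specify installation directory with
  --with-ssl=(dir).
----------------------------------------------------------------------
" "$LINENO" 5
else
  # The search falls through to the system prefixes when the requested
  # directory has no headers.  Say so, otherwise a build that was pointed
  # at a specific OpenSSL quietly picks up a different copy.
  case " $check_ssl_dir " in
    "  " | " yes ") ;;
    *" $SSL_DIR "*) ;;
    *)
      { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: no OpenSSL headers under $check_ssl_dir, using $SSL_DIR instead" >&5
      $as_echo "$as_me: WARNING: no OpenSSL headers under $check_ssl_dir, using $SSL_DIR instead" >&2; }
      ;;
  esac

  # The path is passed as an argument, not as part of the format string, so
  # a '%' or backslash in a --with-ssl value is printed literally.
  printf 'OpenSSL found in %s\n' "$ssldir"
  SSL_LIBS="-lssl -lcrypto"
  SSL_LDFLAGS="-L$ssldir/lib"

  cat >>confdefs.h <<_ACEOF
#define USE_OPENSSL 1
_ACEOF

fi

ac_config_files="$ac_config_files Makefile tests/Makefile"

cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
# tests run on this system so they can be shared between configure
# scripts and configure runs, see configure's option --config-cache.
# It is not useful on other systems. If it contains results you don't
# want to keep, you may remove or edit it.
#
# config.status only pays attention to the cache file if you give it
# the --recheck option to rerun configure.
#
# `ac_cv_env_foo' variables (set or unset) will be overridden when
# loading this file, other *unset* `ac_cv_foo' will be assigned the
# following values.

_ACEOF

# The following way of writing the cache mishandles newlines in values,
# but we know of no workaround that is simple, portable, and efficient.
# So, we kill variables containing newlines.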
# Ultrix sh set writes to stderr and can't be redirected directly, # and sets the high bit in the cache file unless we assign to the vars. ( for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do eval ac_val=\$$ac_var case $ac_val in #( *${as_nl}*) case $ac_var in #( *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; esac case $ac_var in #( _ | IFS | as_nl) ;; #( BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( *) { eval $ac_var=; unset $ac_var;} ;; esac ;; esac done (set) 2>&1 | case $as_nl`(ac_space=' '; set) 2>&1` in #( *${as_nl}ac_space=\ *) # `set' does not quote correctly, so add quotes: double-quote # substitution turns \\\\ into \\, and sed turns \\ into \. sed -n \ "s/'/'\\\\''/g; s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" ;; #( *) # `set' quotes correctly as required by POSIX, so do not add quotes. sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" ;; esac | sort ) | sed ' /^ac_cv_env_/b end t clear :clear s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ t end s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ :end' >>confcache if diff "$cache_file" confcache >/dev/null 2>&1; then :; else if test -w "$cache_file"; then if test "x$cache_file" != "x/dev/null"; then { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 $as_echo "$as_me: updating cache $cache_file" >&6;} if test ! 
-f "$cache_file" || test -h "$cache_file"; then cat confcache >"$cache_file" else case $cache_file in #( */* | ?:*) mv -f confcache "$cache_file"$$ && mv -f "$cache_file"$$ "$cache_file" ;; #( *) mv -f confcache "$cache_file" ;; esac fi fi else { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} fi fi rm -f confcache test "x$prefix" = xNONE && prefix=$ac_default_prefix # Let make expand exec_prefix. test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' # Transform confdefs.h into DEFS. # Protect against shell expansion while executing Makefile rules. # Protect against Makefile macro expansion. # # If the first sed substitution is executed (which looks for macros that # take arguments), then branch to the quote section. Otherwise, # look for a macro that doesn't take arguments. ac_script=' :mline /\\$/{ N s,\\\n,, b mline } t clear :clear s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g t quote s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g t quote b any :quote s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g s/\[/\\&/g s/\]/\\&/g s/\$/$$/g H :any ${ g s/^\n// s/\n/ /g p } ' DEFS=`sed -n "$ac_script" confdefs.h` ac_libobjs= ac_ltlibobjs= U= for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue # 1. Remove the extension, and $U if already installed. ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' ac_i=`$as_echo "$ac_i" | sed "$ac_script"` # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR # will be set to the directory where LIBOBJS objects are built. as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' done LIBOBJS=$ac_libobjs LTLIBOBJS=$ac_ltlibobjs if test -n "$EXEEXT"; then am__EXEEXT_TRUE= am__EXEEXT_FALSE='#' else am__EXEEXT_TRUE='#' am__EXEEXT_FALSE= fi if test -z "${AMDEP_TRUE}" && test -z "${AMDEP_FALSE}"; then as_fn_error $? 
"conditional \"AMDEP\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then as_fn_error $? "conditional \"am__fastdepCC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${WANT_FTICKS_TRUE}" && test -z "${WANT_FTICKS_FALSE}"; then as_fn_error $? "conditional \"WANT_FTICKS\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${ENABLE_EXPERIMENTAL_DYNDISC_TRUE}" && test -z "${ENABLE_EXPERIMENTAL_DYNDISC_FALSE}"; then as_fn_error $? "conditional \"ENABLE_EXPERIMENTAL_DYNDISC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi if test -z "${HAVE_DOCBOOK2X_MAN_TRUE}" && test -z "${HAVE_DOCBOOK2X_MAN_FALSE}"; then as_fn_error $? "conditional \"HAVE_DOCBOOK2X_MAN\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi : "${CONFIG_STATUS=./config.status}" ac_write_fail=0 ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} as_write_fail=0 cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 #! $SHELL # Generated by $as_me. # Run this file to recreate the current configuration. # Compiler output produced by configure, useful for debugging # configure, is in config.log if it exists. debug=false ac_cs_recheck=false ac_cs_silent=false SHELL=\${CONFIG_SHELL-$SHELL} export SHELL _ASEOF cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 ## -------------------- ## ## M4sh Initialization. 
## ## -------------------- ## # Be more Bourne compatible DUALCASE=1; export DUALCASE # for MKS sh if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : emulate sh NULLCMD=: # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which # is contrary to our usage. Disable this feature. alias -g '${1+"$@"}'='"$@"' setopt NO_GLOB_SUBST else case `(set -o) 2>/dev/null` in #( *posix*) : set -o posix ;; #( *) : ;; esac fi as_nl=' ' export as_nl # Printing a long string crashes Solaris 7 /usr/bin/printf. as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo # Prefer a ksh shell builtin over an external printf program on Solaris, # but without wasting forks for bash or zsh. if test -z "$BASH_VERSION$ZSH_VERSION" \ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='print -r --' as_echo_n='print -rn --' elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then as_echo='printf %s\n' as_echo_n='printf %s' else if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' as_echo_n='/usr/ucb/echo -n' else as_echo_body='eval expr "X$1" : "X\\(.*\\)"' as_echo_n_body='eval arg=$1; case $arg in #( *"$as_nl"*) expr "X$arg" : "X\\(.*\\)$as_nl"; arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; esac; expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" ' export as_echo_n_body as_echo_n='sh -c $as_echo_n_body as_echo' fi export as_echo_body as_echo='sh -c $as_echo_body as_echo' fi # The user is always right. if test "${PATH_SEPARATOR+set}" != set; then PATH_SEPARATOR=: (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || PATH_SEPARATOR=';' } fi # IFS # We need space, tab and new line, in precisely that order. 
Quoting is # there to prevent editors from complaining about space-tab. # (If _AS_PATH_WALK were called with IFS unset, it would disable word # splitting by setting IFS to empty value.) IFS=" "" $as_nl" # Find who we are. Look in the path if we contain no directory separator. as_myself= case $0 in #(( *[\\/]* ) as_myself=$0 ;; *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR for as_dir in $PATH do IFS=$as_save_IFS test -z "$as_dir" && as_dir=. test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break done IFS=$as_save_IFS ;; esac # We did not find ourselves, most probably we were run as `sh COMMAND' # in which case we are not to be found in the path. if test "x$as_myself" = x; then as_myself=$0 fi if test ! -f "$as_myself"; then $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 exit 1 fi # Unset variables that we do not need and which cause bugs (e.g. in # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" # suppresses any "Segmentation fault" message there. '((' could # trigger a bug in pdksh 5.2.14. for as_var in BASH_ENV ENV MAIL MAILPATH do eval test x\${$as_var+set} = xset \ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : done PS1='$ ' PS2='> ' PS4='+ ' # NLS nuisances. LC_ALL=C export LC_ALL LANGUAGE=C export LANGUAGE # CDPATH. (unset CDPATH) >/dev/null 2>&1 && unset CDPATH # as_fn_error STATUS ERROR [LINENO LOG_FD] # ---------------------------------------- # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are # provided, also output the error to LOG_FD, referencing LINENO. Then exit the # script with STATUS, using 1 if that was 0. 
as_fn_error () { as_status=$1; test $as_status -eq 0 && as_status=1 if test "$4"; then as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 fi $as_echo "$as_me: error: $2" >&2 as_fn_exit $as_status } # as_fn_error # as_fn_set_status STATUS # ----------------------- # Set $? to STATUS, without forking. as_fn_set_status () { return $1 } # as_fn_set_status # as_fn_exit STATUS # ----------------- # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. as_fn_exit () { set +e as_fn_set_status $1 exit $1 } # as_fn_exit # as_fn_unset VAR # --------------- # Portably unset VAR. as_fn_unset () { { eval $1=; unset $1;} } as_unset=as_fn_unset # as_fn_append VAR VALUE # ---------------------- # Append the text in VALUE to the end of the definition contained in VAR. Take # advantage of any shell optimizations that allow amortized linear growth over # repeated appends, instead of the typical quadratic growth present in naive # implementations. if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : eval 'as_fn_append () { eval $1+=\$2 }' else as_fn_append () { eval $1=\$$1\$2 } fi # as_fn_append # as_fn_arith ARG... # ------------------ # Perform arithmetic evaluation on the ARGs, and store the result in the # global $as_val. Take advantage of shells that can avoid forks. The arguments # must be portable across $(()) and expr. if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : eval 'as_fn_arith () { as_val=$(( $* )) }' else as_fn_arith () { as_val=`expr "$@" || test $? 
-eq 1` } fi # as_fn_arith if expr a : '\(a\)' >/dev/null 2>&1 && test "X`expr 00001 : '.*\(...\)'`" = X001; then as_expr=expr else as_expr=false fi if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then as_basename=basename else as_basename=false fi if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then as_dirname=dirname else as_dirname=false fi as_me=`$as_basename -- "$0" || $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ X"$0" : 'X\(//\)$' \| \ X"$0" : 'X\(/\)' \| . 2>/dev/null || $as_echo X/"$0" | sed '/^.*\/\([^/][^/]*\)\/*$/{ s//\1/ q } /^X\/\(\/\/\)$/{ s//\1/ q } /^X\/\(\/\).*/{ s//\1/ q } s/.*/./; q'` # Avoid depending upon Character Ranges. as_cr_letters='abcdefghijklmnopqrstuvwxyz' as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' as_cr_Letters=$as_cr_letters$as_cr_LETTERS as_cr_digits='0123456789' as_cr_alnum=$as_cr_Letters$as_cr_digits ECHO_C= ECHO_N= ECHO_T= case `echo -n x` in #((((( -n*) case `echo 'xy\c'` in *c*) ECHO_T=' ';; # ECHO_T is single tab character. xy) ECHO_C='\c';; *) echo `echo ksh88 bug on AIX 6.1` > /dev/null ECHO_T=' ';; esac;; *) ECHO_N='-n';; esac rm -f conf$$ conf$$.exe conf$$.file if test -d conf$$.dir; then rm -f conf$$.dir/conf$$.file else rm -f conf$$.dir mkdir conf$$.dir 2>/dev/null fi if (echo >conf$$.file) 2>/dev/null; then if ln -s conf$$.file conf$$ 2>/dev/null; then as_ln_s='ln -s' # ... but there are two gotchas: # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. # In both cases, we have to default to `cp -p'. ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || as_ln_s='cp -p' elif ln conf$$.file conf$$ 2>/dev/null; then as_ln_s=ln else as_ln_s='cp -p' fi else as_ln_s='cp -p' fi rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file rmdir conf$$.dir 2>/dev/null # as_fn_mkdir_p # ------------- # Create "$as_dir" as a directory, including parents if necessary. 
as_fn_mkdir_p () { case $as_dir in #( -*) as_dir=./$as_dir;; esac test -d "$as_dir" || eval $as_mkdir_p || { as_dirs= while :; do case $as_dir in #( *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( *) as_qdir=$as_dir;; esac as_dirs="'$as_qdir' $as_dirs" as_dir=`$as_dirname -- "$as_dir" || $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$as_dir" : 'X\(//\)[^/]' \| \ X"$as_dir" : 'X\(//\)$' \| \ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$as_dir" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` test -d "$as_dir" && break done test -z "$as_dirs" || eval "mkdir $as_dirs" } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" } # as_fn_mkdir_p if mkdir -p . 2>/dev/null; then as_mkdir_p='mkdir -p "$as_dir"' else test -d ./-p && rmdir ./-p as_mkdir_p=false fi if test -x / >/dev/null 2>&1; then as_test_x='test -x' else if ls -dL / >/dev/null 2>&1; then as_ls_L_option=L else as_ls_L_option= fi as_test_x=' eval sh -c '\'' if test -d "$1"; then test -d "$1/."; else case $1 in #( -*)set "./$1";; esac; case `ls -ld'$as_ls_L_option' "$1" 2>/dev/null` in #(( ???[sx]*):;;*)false;;esac;fi '\'' sh ' fi as_executable_p=$as_test_x # Sed expression to map a string onto a valid CPP name. as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" # Sed expression to map a string onto a valid variable name. as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" exec 6>&1 ## ----------------------------------- ## ## Main body of $CONFIG_STATUS script. ## ## ----------------------------------- ## _ASEOF test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Save the log message, to keep $0 and so on meaningful, and to # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. 
ac_log=" This file was extended by radsecproxy $as_me 1.6.2, which was generated by GNU Autoconf 2.68. Invocation command line was CONFIG_FILES = $CONFIG_FILES CONFIG_HEADERS = $CONFIG_HEADERS CONFIG_LINKS = $CONFIG_LINKS CONFIG_COMMANDS = $CONFIG_COMMANDS $ $0 $@ on `(hostname || uname -n) 2>/dev/null | sed 1q` " _ACEOF case $ac_config_files in *" "*) set x $ac_config_files; shift; ac_config_files=$*;; esac cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # Files that config.status was made for. config_files="$ac_config_files" config_commands="$ac_config_commands" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 ac_cs_usage="\ \`$as_me' instantiates files and other configuration actions from templates according to the current configuration. Unless the files and actions are specified as TAGs, all are instantiated by default. Usage: $0 [OPTION]... [TAG]... -h, --help print this help, then exit -V, --version print version number and configuration settings, then exit --config print configuration, then exit -q, --quiet, --silent do not print progress messages -d, --debug don't remove temporary files --recheck update $as_me by reconfiguring in the same conditions --file=FILE[:TEMPLATE] instantiate the configuration file FILE Configuration files: $config_files Configuration commands: $config_commands Report bugs to ." _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ radsecproxy config.status 1.6.2 configured by $0, generated by GNU Autoconf 2.68, with options \\"\$ac_cs_config\\" Copyright (C) 2010 Free Software Foundation, Inc. This config.status script is free software; the Free Software Foundation gives unlimited permission to copy, distribute and modify it." 
ac_pwd='$ac_pwd' srcdir='$srcdir' INSTALL='$INSTALL' MKDIR_P='$MKDIR_P' AWK='$AWK' test -n "\$AWK" || AWK=awk _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # The default lists apply if the user does not specify any file. ac_need_defaults=: while test $# != 0 do case $1 in --*=?*) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` ac_shift=: ;; --*=) ac_option=`expr "X$1" : 'X\([^=]*\)='` ac_optarg= ac_shift=: ;; *) ac_option=$1 ac_optarg=$2 ac_shift=shift ;; esac case $ac_option in # Handling of the options. -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) ac_cs_recheck=: ;; --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) $as_echo "$ac_cs_version"; exit ;; --config | --confi | --conf | --con | --co | --c ) $as_echo "$ac_cs_config"; exit ;; --debug | --debu | --deb | --de | --d | -d ) debug=: ;; --file | --fil | --fi | --f ) $ac_shift case $ac_optarg in *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; '') as_fn_error $? "missing file argument" ;; esac as_fn_append CONFIG_FILES " '$ac_optarg'" ac_need_defaults=false;; --he | --h | --help | --hel | -h ) $as_echo "$ac_cs_usage"; exit ;; -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | -silent | --silent | --silen | --sile | --sil | --si | --s) ac_cs_silent=: ;; # This is an error. -*) as_fn_error $? "unrecognized option: \`$1' Try \`$0 --help' for more information." 
;; *) as_fn_append ac_config_targets " $1" ac_need_defaults=false ;; esac shift done ac_configure_extra_args= if $ac_cs_silent; then exec 6>/dev/null ac_configure_extra_args="$ac_configure_extra_args --silent" fi _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 if \$ac_cs_recheck; then set X '$SHELL' '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion shift \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 CONFIG_SHELL='$SHELL' export CONFIG_SHELL exec "\$@" fi _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 exec 5>>config.log { echo sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX ## Running $as_me. ## _ASBOX $as_echo "$ac_log" } >&5 _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 # # INIT-COMMANDS # AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir" _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # Handling of arguments. for ac_config_target in $ac_config_targets do case $ac_config_target in "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;; "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;; *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; esac done # If the user did not use the arguments to specify the items to instantiate, # then the envvar interface is used. Set only those that are not. # We use the long form for the default assignment because of an extremely # bizarre bug on SunOS 4.1.3. if $ac_need_defaults; then test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands fi # Have a temporary directory for convenience. Make it in the build tree # simply because there is no reason against having it here, and in addition, # creating and moving files from /tmp can sometimes cause problems. # Hook for its removal unless debugging. 
# Note that there is a small window in which the directory will not be cleaned: # after its creation but before its name has been assigned to `$tmp'. $debug || { tmp= ac_tmp= trap 'exit_status=$? : "${ac_tmp:=$tmp}" { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status ' 0 trap 'as_fn_exit 1' 1 2 13 15 } # Create a (secure) tmp directory for tmp files. { tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && test -d "$tmp" } || { tmp=./conf$$-$RANDOM (umask 077 && mkdir "$tmp") } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 ac_tmp=$tmp # Set up the scripts for CONFIG_FILES section. # No need to generate them if there are no CONFIG_FILES. # This happens for instance with `./config.status config.h'. if test -n "$CONFIG_FILES"; then ac_cr=`echo X | tr X '\015'` # On cygwin, bash can eat \r inside `` if the user requested igncr. # But we know of no other shell where ac_cr would be empty at this # point, so we can use a bashism as a fallback. if test "x$ac_cr" = x; then eval ac_cr=\$\'\\r\' fi ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then ac_cs_awk_cr='\\r' else ac_cs_awk_cr=$ac_cr fi echo 'BEGIN {' >"$ac_tmp/subs1.awk" && _ACEOF { echo "cat >conf$$subs.awk <<_ACEOF" && echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && echo "_ACEOF" } >conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` ac_delim='%!_!# ' for ac_last_try in false false false false false :; do . ./conf$$subs.sh || as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` if test $ac_delim_n = $ac_delim_num; then break elif $ac_last_try; then as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 else ac_delim="$ac_delim!$ac_delim _$ac_delim!! 
" fi done rm -f conf$$subs.sh cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && _ACEOF sed -n ' h s/^/S["/; s/!.*/"]=/ p g s/^[^!]*!// :repl t repl s/'"$ac_delim"'$// t delim :nl h s/\(.\{148\}\)..*/\1/ t more1 s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ p n b repl :more1 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t nl :delim h s/\(.\{148\}\)..*/\1/ t more2 s/["\\]/\\&/g; s/^/"/; s/$/"/ p b :more2 s/["\\]/\\&/g; s/^/"/; s/$/"\\/ p g s/.\{148\}// t delim ' >$CONFIG_STATUS || ac_write_fail=1 rm -f conf$$subs.awk cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 _ACAWK cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && for (key in S) S_is_set[key] = 1 FS = "" } { line = $ 0 nfields = split(line, field, "@") substed = 0 len = length(field[1]) for (i = 2; i < nfields; i++) { key = field[i] keylen = length(key) if (S_is_set[key]) { value = S[key] line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) len += length(value) + length(field[++i]) substed = 1 } else len += 1 + keylen } print line } _ACAWK _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" else cat fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 _ACEOF # VPATH may cause trouble with some makes, so we remove sole $(srcdir), # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and # trailing colons and then remove the whole line if VPATH becomes empty # (actually we leave an empty line to preserve line numbers). 
if test "x$srcdir" = x.; then ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ h s/// s/^/:/ s/[ ]*$/:/ s/:\$(srcdir):/:/g s/:\${srcdir}:/:/g s/:@srcdir@:/:/g s/^:*// s/:*$// x s/\(=[ ]*\).*/\1/ G s/\n// s/^[^=]*=[ ]*$// }' fi cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 fi # test -n "$CONFIG_FILES" eval set X " :F $CONFIG_FILES :C $CONFIG_COMMANDS" shift for ac_tag do case $ac_tag in :[FHLC]) ac_mode=$ac_tag; continue;; esac case $ac_mode$ac_tag in :[FHL]*:*);; :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; :[FH]-) ac_tag=-:-;; :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; esac ac_save_IFS=$IFS IFS=: set x $ac_tag IFS=$ac_save_IFS shift ac_file=$1 shift case $ac_mode in :L) ac_source=$1;; :[FH]) ac_file_inputs= for ac_f do case $ac_f in -) ac_f="$ac_tmp/stdin";; *) # Look for the file first in the build tree, then in the source tree # (if the path is not absolute). The absolute path cannot be DOS-style, # because $ac_f cannot contain `:'. test -f "$ac_f" || case $ac_f in [\\/$]*) false;; *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; esac || as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; esac case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac as_fn_append ac_file_inputs " '$ac_f'" done # Let's still pretend it is `configure' which instantiates (i.e., don't # use $as_me), people would be surprised to read: # /* config.h. Generated by config.status. */ configure_input='Generated from '` $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' `' by configure.' if test x"$ac_file" != x-; then configure_input="$ac_file. $configure_input" { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 $as_echo "$as_me: creating $ac_file" >&6;} fi # Neutralize special characters interpreted by sed in replacement strings. 
case $configure_input in #( *\&* | *\|* | *\\* ) ac_sed_conf_input=`$as_echo "$configure_input" | sed 's/[\\\\&|]/\\\\&/g'`;; #( *) ac_sed_conf_input=$configure_input;; esac case $ac_tag in *:-:* | *:-) cat >"$ac_tmp/stdin" \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; esac ;; esac ac_dir=`$as_dirname -- "$ac_file" || $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$ac_file" : 'X\(//\)[^/]' \| \ X"$ac_file" : 'X\(//\)$' \| \ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$ac_file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir="$ac_dir"; as_fn_mkdir_p ac_builddir=. case "$ac_dir" in .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` # A ".." for each directory in $ac_dir_suffix. ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` case $ac_top_builddir_sub in "") ac_top_builddir_sub=. ac_top_build_prefix= ;; *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; esac ;; esac ac_abs_top_builddir=$ac_pwd ac_abs_builddir=$ac_pwd$ac_dir_suffix # for backward compatibility: ac_top_builddir=$ac_top_build_prefix case $srcdir in .) # We are building in place. ac_srcdir=. ac_top_srcdir=$ac_top_builddir_sub ac_abs_top_srcdir=$ac_pwd ;; [\\/]* | ?:[\\/]* ) # Absolute name. ac_srcdir=$srcdir$ac_dir_suffix; ac_top_srcdir=$srcdir ac_abs_top_srcdir=$srcdir ;; *) # Relative name. 
ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix ac_top_srcdir=$ac_top_build_prefix$srcdir ac_abs_top_srcdir=$ac_pwd/$srcdir ;; esac ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix case $ac_mode in :F) # # CONFIG_FILE # case $INSTALL in [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; esac ac_MKDIR_P=$MKDIR_P case $MKDIR_P in [\\/$]* | ?:[\\/]* ) ;; */*) ac_MKDIR_P=$ac_top_build_prefix$MKDIR_P ;; esac _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # If the template does not know about datarootdir, expand it. # FIXME: This hack should be removed a few years after 2.60. ac_datarootdir_hack=; ac_datarootdir_seen= ac_sed_dataroot=' /datarootdir/ { p q } /@datadir@/p /@docdir@/p /@infodir@/p /@localedir@/p /@mandir@/p' case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in *datarootdir*) ac_datarootdir_seen=yes;; *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_datarootdir_hack=' s&@datadir@&$datadir&g s&@docdir@&$docdir&g s&@infodir@&$infodir&g s&@localedir@&$localedir&g s&@mandir@&$mandir&g s&\\\${datarootdir}&$datarootdir&g' ;; esac _ACEOF # Neutralize VPATH when `$srcdir' = `.'. # Shell code in configure.ac might set extrasub. # FIXME: do we really want to maintain this feature? 
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_sed_extra="$ac_vpsub $extrasub _ACEOF cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 :t /@[a-zA-Z_][a-zA-Z_0-9]*@/!b s|@configure_input@|$ac_sed_conf_input|;t t s&@top_builddir@&$ac_top_builddir_sub&;t t s&@top_build_prefix@&$ac_top_build_prefix&;t t s&@srcdir@&$ac_srcdir&;t t s&@abs_srcdir@&$ac_abs_srcdir&;t t s&@top_srcdir@&$ac_top_srcdir&;t t s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t s&@builddir@&$ac_builddir&;t t s&@abs_builddir@&$ac_abs_builddir&;t t s&@abs_top_builddir@&$ac_abs_top_builddir&;t t s&@INSTALL@&$ac_INSTALL&;t t s&@MKDIR_P@&$ac_MKDIR_P&;t t $ac_datarootdir_hack " eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ "$ac_tmp/out"`; test -z "$ac_out"; } && { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&5 $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' which seems to be undefined. Please make sure it is defined" >&2;} rm -f "$ac_tmp/stdin" case $ac_file in -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; esac \ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 $as_echo "$as_me: executing $ac_file commands" >&6;} ;; esac case $ac_file$ac_mode in "depfiles":C) test x"$AMDEP_TRUE" != x"" || { # Autoconf 2.62 quotes --file arguments for eval, but not when files # are listed without --file. Let's play safe and only enable the eval # if we detect the quoting. 
case $CONFIG_FILES in *\'*) eval set x "$CONFIG_FILES" ;; *) set x $CONFIG_FILES ;; esac shift for mf do # Strip MF so we end up with the name of the file. mf=`echo "$mf" | sed -e 's/:.*$//'` # Check whether this is an Automake generated Makefile or not. # We used to match only the files named `Makefile.in', but # some people rename them; so instead we look at the file content. # Grep'ing the first line is not enough: some people post-process # each Makefile.in and add a new line on top of each file to say so. # Grep'ing the whole file is not good either: AIX grep has a line # limit of 2048, but all sed's we know have understand at least 4000. if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then dirpart=`$as_dirname -- "$mf" || $as_expr X"$mf" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$mf" : 'X\(//\)[^/]' \| \ X"$mf" : 'X\(//\)$' \| \ X"$mf" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$mf" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` else continue fi # Extract the definition of DEPDIR, am__include, and am__quote # from the Makefile without running `make'. DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"` test -z "$DEPDIR" && continue am__include=`sed -n 's/^am__include = //p' < "$mf"` test -z "am__include" && continue am__quote=`sed -n 's/^am__quote = //p' < "$mf"` # When using ansi2knr, U may be empty or an underscore; expand it U=`sed -n 's/^U = //p' < "$mf"` # Find all dependency output files, they are included files with # $(DEPDIR) in their names. We invoke sed twice because it is the # simplest approach to changing $(DEPDIR) to its actual value in the # expansion. for file in `sed -n " s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \ sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do # Make sure the directory exists. 
test -f "$dirpart/$file" && continue fdir=`$as_dirname -- "$file" || $as_expr X"$file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ X"$file" : 'X\(//\)[^/]' \| \ X"$file" : 'X\(//\)$' \| \ X"$file" : 'X\(/\)' \| . 2>/dev/null || $as_echo X"$file" | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ s//\1/ q } /^X\(\/\/\)[^/].*/{ s//\1/ q } /^X\(\/\/\)$/{ s//\1/ q } /^X\(\/\).*/{ s//\1/ q } s/.*/./; q'` as_dir=$dirpart/$fdir; as_fn_mkdir_p # echo "creating $dirpart/$file" echo '# dummy' > "$dirpart/$file" done done } ;; esac done # for ac_tag as_fn_exit 0 _ACEOF ac_clean_files=$ac_clean_files_save test $ac_write_fail = 0 || as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 # configure is writing to config.log, and then calls config.status. # config.status does its own redirection, appending to config.log. # Unfortunately, on DOS this fails, as config.log is still kept open # by configure, so config.status won't be able to write to it; its # output is simply discarded. So we exec the FD to /dev/null, # effectively closing config.log, so it can be properly (re)opened and # appended to by config.status. When coming back to configure, we # need to make the FD available again. if test "$no_create" != yes; then ac_cs_success=: ac_config_status_args= test "$silent" = yes && ac_config_status_args="$ac_config_status_args --quiet" exec 5>/dev/null $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false exec 5>>config.log # Use ||, not &&, to avoid exiting from the if with $? = 1, which # would make configure fail if this is the last instruction. $ac_cs_success || as_fn_exit 1 fi if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} fi radsecproxy-1.6.2/AUTHORS0000664000175100017510000000066412042223225012060 00000000000000Radsecproxy was written by Stig Venaas . 
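Radsecproxy is currently being maintained by Linus Nordberg .
The following people have contributed to Radsecproxy in one way or another:
Adam Osuchowski Andreas Solberg Arne Schwabe Faidon Liambotis Hans Zandbelt Kolbjørn Barmen Linus Nordberg Maja Wolniewicz Milan Sova Paul Dekkers Paweł Gołaszewski Ralf Paffrath Simon Leinen Stefan Winter Stig Venaas
radsecproxy-1.6.2/fticks.h0000664000175100017510000000053212042223225012436 00000000000000
/* Copyright (C) 2011 NORDUnet A/S
 * See LICENSE for information about licensing. */

int fticks_configure(struct options *options,
		     uint8_t **reportingp,
		     uint8_t **macp,
		     uint8_t **keyp);
void fticks_log(const struct options *options,
		const struct client *client,
		const struct radmsg *msg,
		const struct rqout *rqout);
radsecproxy-1.6.2/gconfig.c0000664000175100017510000003066012042223225012567 00000000000000
/*
 * Copyright (C) 2007, 2008 Stig Venaas
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 */
#include #include #include #include #include #include #include #include #include #include #include "debug.h" #include "util.h" #include "gconfig.h"

/* returns NULL on error, where to continue parsing if token and ok. E.g. "" will return token with empty string */
/*
 * Splits the next token off the NUL-terminated buffer s, in place.
 *
 * s       - buffer to tokenise; a '\0' is written over the byte that ends
 *           the token, so the buffer must be writable
 * token   - out: start of the token inside s, or NULL when the rest of the
 *           buffer holds no token (only delimiters, end of string, or a
 *           comment character)
 * del     - set of delimiter characters (required)
 * quote   - optional set of quote characters; a token that starts with one
 *           of them runs to the matching closing character
 * comment - optional set of characters that start a comment
 *
 * Returns NULL if s, token or del is NULL, if a quoted token is not closed,
 * or if the closing quote is followed by something other than a delimiter.
 *
 * The returned pointer never goes past the terminating '\0' of s: when the
 * token is the last thing in the buffer the function returns a pointer to
 * the terminator, so the next call reports "no token" instead of reading
 * whatever bytes happen to follow the string (the caller in this file passes
 * a stack buffer filled by fgets, where a final line without '\n' or an
 * over-long line ends exactly that way).
 */
char *strtokenquote(char *s, char **token, char *del, char *quote, char *comment) {
    char *t = s, *q, *r;

    if (!t || !token || !del)
	return NULL;
    /* skip leading delimiters */
    while (*t && strchr(del, *t))
	t++;
    if (!*t) {
	*token = NULL;
	return t; /* stays on the terminator, still non-NULL */
    }
    if (comment && strchr(comment, *t)) {
	*token = NULL;
	return t + 1; /* needs to be non-NULL, but value doesn't matter */
    }
    if (quote && (q = strchr(quote, *t))) {
	t++;
	r = t;
	while (*t && *t != *q)
	    t++;
	/* unterminated quote, or junk glued to the closing quote */
	if (!*t || (t[1] && !strchr(del, t[1])))
	    return NULL;
	*t = '\0';
	*token = r;
	return t + 1;
    }
    *token = t;
    t++;
    while (*t && !strchr(del, *t))
	t++;
    if (*t) {
	/* token ended on a delimiter: cut it there and continue after it */
	*t = '\0';
	t++;
    }
    return t;
}

/*
 * Pushes an in-memory configuration string on top of the source stack *cf.
 * The stack is an array ended by an entry with neither data nor path set;
 * it is created when *cf is NULL and grown by one entry otherwise.
 * The data pointer is stored as is, not copied.
 * Returns 1 if ok, 0 if allocation fails (*cf is then left unchanged).
 */
int pushgconfdata(struct gconffile **cf, const char *data) {
    int i;
    struct gconffile *newcf;

    if (!*cf) {
	/* one entry plus the all-zero terminator */
	newcf = calloc(2, sizeof(struct gconffile));
	if (!newcf)
	    return 0;
    } else {
	for (i = 0; (*cf)[i].data || (*cf)[i].path; i++);
	newcf = realloc(*cf, sizeof(struct gconffile) * (i + 2));
	if (!newcf)
	    return 0;
	/* shift existing entries and the terminator up, clear slot 0 */
	memmove(newcf + 1, newcf, sizeof(struct gconffile) * (i + 1));
	memset(newcf, 0, sizeof(struct gconffile));
    }
    newcf[0].data = data;
    *cf = newcf;
    return 1;
}

/*
 * Pushes an already opened stream on top of the source stack *cf, with a
 * copy of description stored as its path.
 * Returns file if ok. Returns NULL if file is NULL, or if allocation fails;
 * in the allocation-failure case the stream is closed here, so the caller
 * must not use or close it again.
 */
FILE *pushgconffile(struct gconffile **cf, FILE *file, const char *description) {
    int i;
    struct gconffile *newcf;
    char *desc;

    if (!file) {
	debug(DBG_INFO, "could not read config from %s", description);
	return NULL;
    }
    debug(DBG_DBG, "reading config from %s", description);

    desc = stringcopy(description, 0);
    if (!desc)
	goto errmalloc;

    if (!*cf) {
	newcf = calloc(2, sizeof(struct gconffile));
	if (!newcf)
	    goto errmalloc;
    } else {
	for (i = 0; (*cf)[i].data || (*cf)[i].path; i++);
	newcf = realloc(*cf, sizeof(struct gconffile) * (i + 2));
	if (!newcf)
	    goto errmalloc;
	memmove(newcf + 1, newcf, sizeof(struct gconffile) * (i + 1));
	memset(newcf, 0, sizeof(struct gconffile));
    }
    newcf[0].file = file;
    newcf[0].path = desc;
    *cf = newcf;
    return file;

errmalloc:
    free(desc);
    fclose(file);
    debug(DBG_ERR, "malloc failed");
    return NULL;
}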
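/* Opens path for reading and pushes it on the source stack; see
 * pushgconffile() for the return value and failure handling. */
FILE *pushgconfpath(struct gconffile **cf, const char *path) {
    FILE *f;

    f = fopen(path, "r");
    return pushgconffile(cf, f, path);
}

/*
 * Expands cfgpath as a glob pattern and pushes every match on the source
 * stack. A pattern that does not start with '/' is taken relative to the
 * directory of the source currently on top of the stack. Matches are pushed
 * last to first, so the first match ends up on top and is read first.
 * Returns the stream of the last file pushed, or NULL if nothing matched,
 * allocation failed, or one of the matches could not be pushed.
 */
FILE *pushgconfpaths(struct gconffile **cf, const char *cfgpath) {
    int i;
    FILE *f = NULL;
    glob_t globbuf;
    char *path = NULL, *curfile = NULL, *dir;
    size_t pathsize;

    /* if cfgpath is relative, make it relative to current config */
    if (*cfgpath == '/')
	path = (char *)cfgpath;
    else {
	/* dirname may modify its argument */
	/* NOTE(review): assumes the top entry has a path; an entry pushed
	 * with pushgconfdata() has none - confirm stringcopy() copes with NULL */
	curfile = stringcopy((*cf)->path, 0);
	if (!curfile) {
	    debug(DBG_ERR, "malloc failed");
	    goto exit;
	}
	dir = dirname(curfile);
	pathsize = strlen(dir) + strlen(cfgpath) + 2; /* '/' and '\0' */
	path = malloc(pathsize);
	if (!path) {
	    debug(DBG_ERR, "malloc failed");
	    goto exit;
	}
	snprintf(path, pathsize, "%s/%s", dir, cfgpath);
    }
    memset(&globbuf, 0, sizeof(glob_t));
    if (glob(path, 0, NULL, &globbuf)) {
	debug(DBG_WARN, "could not glob %s", path);
	/* glob may have allocated partial results before failing */
	globfree(&globbuf);
	goto exit;
    }

    for (i = globbuf.gl_pathc - 1; i >= 0; i--) {
	f = pushgconfpath(cf, globbuf.gl_pathv[i]);
	if (!f)
	    break;
    }
    globfree(&globbuf);

exit:
    /* path is heap memory only when it was built from curfile */
    if (curfile) {
	free(curfile);
	free(path);
    }
    return f;
}

/*
 * Removes the top entry of the source stack, closing its stream and freeing
 * its path when it is a file entry.
 * Returns 1 if another source remains, 0 if the stack was NULL or is now
 * empty (the array is then freed and *cf set to NULL).
 */
int popgconf(struct gconffile **cf) {
    int i;

    if (!*cf)
	return 0;
    for (i = 0; (*cf)[i].data || (*cf)[i].path; i++);
    if (i && (*cf)[0].file) {
	fclose((*cf)[0].file);
	if ((*cf)[0].path) {
	    debug(DBG_DBG, "closing config file %s", (*cf)[0].path);
	    free((*cf)[0].path);
	}
    }
    if (i < 2) {
	free(*cf);
	*cf = NULL;
	return 0;
    }
    /* i entries are moved: the i - 1 remaining ones and the terminator */
    memmove(*cf, *cf + 1, sizeof(struct gconffile) * i);
    return 1;
}

/* Frees a NULL-terminated array of strings and the array itself;
 * a NULL argument is accepted. */
void freegconfmstr(char **mstr) {
    int i;

    if (mstr) {
	for (i = 0; mstr[i]; i++)
	    free(mstr[i]);
	free(mstr);
    }
}

/* Closes every file entry on the source stack, frees their paths and the
 * array, and sets *cf to NULL. */
void freegconf(struct gconffile **cf) {
    int i;

    if (!*cf)
	return;

    for (i = 0; (*cf)[i].data || (*cf)[i].path; i++) {
	if ((*cf)[i].file) {
	    fclose((*cf)[i].file);
	    if ((*cf)[i].path) {
		debug(DBG_DBG, "closing config file %s", (*cf)[i].path);
		free((*cf)[i].path);
	    }
	}
    }
    free(*cf);
    *cf = NULL;
}

/* Creates a source stack holding the named file; returns NULL (after
 * logging errno's message) if it cannot be opened or pushed. */
struct gconffile *openconfigfile(const char *file) {
    struct gconffile *cf = NULL;

    if (!pushgconfpath(&cf, file)) {
	debug(DBG_ERR, "could not read config file %s\n%s", file, strerror(errno));
	return NULL;
    }
    debug(DBG_DBG, "reading config file %s", file);
    return cf;
}

/* Parses config with following syntax:
 * One of these:
 * option-name value
 * option-name = value
 * Or:
 * option-name value {
 *     option-name [=] value
 *     ...
 * }
 */

/*
 * Reads the next line of the source cf into line (at most size - 1 bytes
 * plus the terminator), from the stream when there is one, otherwise from
 * the in-memory data at cf->datapos. A line longer than the buffer is
 * returned in pieces by successive calls.
 * Returns 1 if a line was stored, 0 at end of input, on a NULL cf, or when
 * size is 0 (the data branch would otherwise compute size - 1 on an
 * unsigned zero and copy without a bound).
 */
int getlinefromcf(struct gconffile *cf, char *line, const size_t size) {
    size_t i, pos;

    if (!cf || !size)
	return 0;

    if (cf->file)
	/* fgets takes an int; clamp rather than let a large size wrap */
	return fgets(line, size > INT_MAX ? INT_MAX : (int)size, cf->file) ? 1 : 0;
    else if (cf->data) {
	pos = cf->datapos;
	if (!cf->data[pos])
	    return 0;
	for (i = pos; cf->data[i] && cf->data[i] != '\n'; i++);
	if (cf->data[i] == '\n')
	    i++;
	if (i - pos > size - 1)
	    i = size - 1 + pos;
	memcpy(line, cf->data + pos, i - pos);
	line[i - pos] = '\0';
	cf->datapos = i;
	return 1;
    }
    return 0;
}

/*
 * Fetches the next option line from the source stack, skipping blank lines
 * and comments and popping exhausted sources.
 *
 * On success returns 1 with either *opt == NULL (end of input, or the '}'
 * that closes the block named by block), or *opt and *val set to newly
 * allocated copies and *conftype set to CONF_STR ("opt val", "opt = val")
 * or CONF_CBK ("opt val {"). The caller owns *opt and *val.
 * Returns 0 on a syntax error, an empty value or allocation failure; *opt
 * and *val are then NULL.
 *
 * Lines are read into a fixed buffer, so a configuration line that does not
 * fit is parsed as several lines.
 */
int getconfigline(struct gconffile **cf, char *block, char **opt, char **val, int *conftype) {
    char line[1024];
    char *tokens[3], *s;
    int tcount;

    *opt = NULL;
    *val = NULL;
    *conftype = 0;

    if (!cf || !*cf || (!(*cf)->file && !(*cf)->data))
	return 1;

    for (;;) {
	if (!getlinefromcf(*cf, line, sizeof(line))) {
	    if (popgconf(cf))
		continue;
	    return 1;
	}
	s = line;
	/* '#' starts a comment only where the first token would begin */
	for (tcount = 0; tcount < 3; tcount++) {
	    s = strtokenquote(s, &tokens[tcount], " \t\r\n", "\"'", tcount ? NULL : "#");
	    if (!s) {
		debug(DBG_ERR, "Syntax error in line starting with: %s", line);
		return 0;
	    }
	    if (!tokens[tcount])
		break;
	}
	if (!tcount || **tokens == '#')
	    continue;

	if (**tokens == '}') {
	    if (block)
		return 1;
	    debug(DBG_ERR, "configuration error, found } with no matching {");
	    return 0;
	}
	break;
    }

    switch (tcount) {
    case 2:
	*opt = stringcopy(tokens[0], 0);
	if (!*opt)
	    goto errmalloc;
	*val = stringcopy(tokens[1], 0);
	if (!*val)
	    goto errmalloc;
	*conftype = CONF_STR;
	break;
    case 3:
	if (tokens[1][0] == '=' && tokens[1][1] == '\0') {
	    *opt = stringcopy(tokens[0], 0);
	    if (!*opt)
		goto errmalloc;
	    *val = stringcopy(tokens[2], 0);
	    if (!*val)
		goto errmalloc;
	    *conftype = CONF_STR;
	    break;
	}
	if (tokens[2][0] == '{' && tokens[2][1] == '\0') {
	    *opt = stringcopy(tokens[0], 0);
	    if (!*opt)
		goto errmalloc;
	    *val = stringcopy(tokens[1], 0);
	    if (!*val)
		goto errmalloc;
	    *conftype = CONF_CBK;
	    break;
	}
	/* fall through */
    default:
	if (block)
	    debug(DBG_ERR, "configuration error in block %s, line starting with %s", block, tokens[0]);
	else
	    debug(DBG_ERR, "configuration error, syntax error in line starting with %s", tokens[0]);
	return 0;
    }

    if (**val)
	return 1;

    debug(DBG_ERR, "configuration error, option %s needs a non-empty value", *opt);
    goto errexit;

errmalloc:
    debug(DBG_ERR, "malloc failed");
errexit:
    free(*opt);
    *opt = NULL;
    free(*val);
    *val = NULL;
    return 0;
}

/* Value of one hexadecimal digit; 0 for any other character. */
uint8_t hexdigit2int(char d) {
    if (d >= '0' && d <= '9')
	return d - '0';
    if (d >= 'a' && d <= 'f')
	return 10 + d - 'a';
    if (d >= 'A' && d <= 'F')
	return 10 + d - 'A';
    return 0;
}

/*
 * Decodes %XX escapes in s in place; any '%' not followed by two hex digits
 * is copied unchanged. The result is never longer than the input.
 * "%00" decodes to a '\0' byte, so code that treats the result as a C
 * string sees it end there.
 */
void unhex(char *s) {
    char *t;

    for (t = s; *t; s++) {
	/* <ctype.h> functions need an unsigned char value; plain char may be
	 * negative for bytes >= 0x80 */
	if (*t == '%' && isxdigit((unsigned char)t[1]) && isxdigit((unsigned char)t[2])) {
	    *s = 16 * hexdigit2int(t[1]) + hexdigit2int(t[2]);
	    t += 3;
	} else
	    *s = *t++;
    }
    *s = '\0';
}

typedef int (*t_fptr)(struct gconffile **, void *, char *, char *, char *);

/* returns 1 if ok, 0 on error */
/* caller must free returned values also on error */
/*
 * Reads options from the source stack until end of input or the end of the
 * current block and stores each value through the matching variadic entry.
 *
 * The variadic list is a sequence of (char *name, int type, target) groups
 * ended by a NULL name, where target is
 *   CONF_STR  - char **      (takes ownership of the value; may be set once)
 *   CONF_MSTR - char ***     (value appended to a NULL-terminated array)
 *   CONF_BLN  - uint8_t *    ("on" / "off")
 *   CONF_LINT - long int *   (strtol with base 0)
 *   CONF_CBK  - t_fptr, void *  (callback for "name value {" blocks)
 * Option names are matched without regard to case. "include" lines are
 * handled here by pushing the named files on the source stack.
 */
int getgenericconfig(struct gconffile **cf, char *block, ...) {
    va_list ap;
    char *opt = NULL, *val, *word, *optval, **str = NULL, ***mstr = NULL, **newmstr, *endptr;
    uint8_t *bln = NULL;
    long int *lint = NULL;
    int type = 0, conftype = 0, n;
    size_t optvalsize;
    t_fptr cbk = NULL;
    void *cbkarg = NULL;

    for (;;) {
	free(opt);
	if (!getconfigline(cf, block, &opt, &val, &conftype))
	    return 0;
	if (!opt)
	    return 1;

	if (conftype == CONF_STR && !strcasecmp(opt, "include")) {
	    if (!pushgconfpaths(cf, val)) {
		debug(DBG_ERR, "failed to include config file %s", val);
		goto errexit;
	    }
	    free(val);
	    continue;
	}

	/* walk the caller's option table until opt is found */
	va_start(ap, block);
	while ((word = va_arg(ap, char *))) {
	    type = va_arg(ap, int);
	    switch (type) {
	    case CONF_STR:
		str = va_arg(ap, char **);
		if (!str)
		    goto errparam_va;
		break;
	    case CONF_MSTR:
		mstr = va_arg(ap, char ***);
		if (!mstr)
		    goto errparam_va;
		break;
	    case CONF_BLN:
		bln = va_arg(ap, uint8_t *);
		if (!bln)
		    goto errparam_va;
		break;
	    case CONF_LINT:
		lint = va_arg(ap, long int *);
		if (!lint)
		    goto errparam_va;
		break;
	    case CONF_CBK:
		cbk = va_arg(ap, t_fptr);
		if (!cbk)
		    goto errparam_va;
		cbkarg = va_arg(ap, void *);
		break;
	    default:
		goto errparam_va;
	    }
	    if (!strcasecmp(opt, word))
		break;
	}
	va_end(ap);

	if (!word) {
	    if (block)
		debug(DBG_ERR, "configuration error in block %s, unknown option %s", block, opt);
	    else
		debug(DBG_ERR, "configuration error, unknown option %s", opt);
	    goto errexit;
	}

	if (((type == CONF_STR || type == CONF_MSTR || type == CONF_BLN || type == CONF_LINT) && conftype != CONF_STR) ||
	    (type == CONF_CBK && conftype != CONF_CBK)) {
	    if (block)
		debug(DBG_ERR, "configuration error in block %s, wrong syntax for option %s", block, opt);
	    else
		debug(DBG_ERR, "configuration error, wrong syntax for option %s", opt);
	    goto errexit;
	}

	switch (type) {
	case CONF_STR:
	    if (*str) {
		debug(DBG_ERR, "configuration error, option %s already set to %s", opt, *str);
		goto errexit;
	    }
	    unhex(val);
	    *str = val;
	    break;
	case CONF_MSTR:
	    if (*mstr)
		for (n = 0; (*mstr)[n]; n++);
	    else
		n = 0;
	    /* room for the new entry and the NULL terminator */
	    newmstr = realloc(*mstr, sizeof(char *) * (n + 2));
	    if (!newmstr) {
		debug(DBG_ERR, "malloc failed");
		goto errexit;
	    }
	    unhex(val);
	    newmstr[n] = val;
	    newmstr[n + 1] = NULL;
	    *mstr = newmstr;
	    break;
	case CONF_BLN:
	    if (!strcasecmp(val, "on"))
		*bln = 1;
	    else if (!strcasecmp(val, "off"))
		*bln = 0;
	    else {
		if (block)
		    debug(DBG_ERR, "configuration error in block %s, value for option %s must be on or off, not %s", block, opt, val);
		else
		    debug(DBG_ERR, "configuration error, value for option %s must be on or off, not %s", opt, val);
		goto errexit;
	    }
	    break;
	case CONF_LINT:
	    /* ERANGE tells overflow apart from a value that really is
	     * LONG_MIN or LONG_MAX */
	    errno = 0;
	    endptr = NULL;
	    *lint = strtol(val, &endptr, 0);
	    if (errno == ERANGE || !endptr || endptr == val || *endptr != '\0') {
		if (block)
		    debug(DBG_ERR, "configuration error in block %s, value for option %s must be an integer, not %s", block, opt, val);
		else
		    debug(DBG_ERR, "configuration error, value for option %s must be an integer, not %s", opt, val);
		goto errexit;
	    }
	    break;
	case CONF_CBK:
	    optvalsize = strlen(opt) + strlen(val) + 2; /* ' ' and '\0' */
	    optval = malloc(optvalsize);
	    if (!optval) {
		debug(DBG_ERR, "malloc failed");
		goto errexit;
	    }
	    snprintf(optval, optvalsize, "%s %s", opt, val);
	    if (!cbk(cf, cbkarg, optval, opt, val)) {
		free(optval);
		goto errexit;
	    }
	    free(val);
	    free(optval);
	    continue;
	default:
	    goto errparam;
	}

	/* NOTE(review): every accepted value is written to the debug log
	 * here, which would include any secret-bearing option parsed through
	 * this function - confirm debug output is restricted accordingly */
	if (block)
	    debug(DBG_DBG, "getgenericconfig: block %s: %s = %s", block, opt, val);
	else
	    debug(DBG_DBG, "getgenericconfig: %s = %s", opt, val);
	/* CONF_STR and CONF_MSTR targets keep val; the others are done with it */
	if (type == CONF_BLN || type == CONF_LINT)
	    free(val);
    }

errparam_va:
    /* bad entry found while the argument list was still open */
    va_end(ap);
errparam:
    debug(DBG_ERR, "getgenericconfig: internal parameter error");
errexit:
    free(opt);
    free(val);
    return 0;
}

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/list.c0000664000175100017510000000512212042223225012121 00000000000000
/*
 * Copyright (C) 2006-2009 Stig Venaas
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.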
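*/

/* NOTE(review): the two system header names below were dropped when this page
 * was extracted; they are reconstructed from the calls this file makes
 * (malloc/calloc/free, memset) -- confirm against the upstream file. */
#include <stdlib.h>
#include <string.h>
#include "list.h"

/* allocates and initialises list structure; returns NULL if malloc fails */
struct list *list_create() {
    /* calloc returns zeroed storage, so first/last start out NULL and count 0 */
    return calloc(1, sizeof(struct list));
}

/* frees all memory associated with the list; every node's data pointer is
 * passed to free() as well, so the caller must not use or free it afterwards */
void list_destroy(struct list *list) {
    struct list_node *node, *next;

    if (!list)
        return;

    for (node = list->first; node; node = next) {
        next = node->next;      /* read the link before the node is released */
        free(node->data);
        free(node);
    }
    free(list);
}

/* appends entry to list; returns 1 if ok, 0 if list is NULL or malloc fails */
int list_push(struct list *list, void *data) {
    struct list_node *node;

    if (!list)
        return 0;

    node = malloc(sizeof *node);
    if (!node)
        return 0;

    node->next = NULL;
    node->data = data;

    if (list->first)
        list->last->next = node;
    else
        list->first = node;
    list->last = node;

    list->count++;
    return 1;
}

/* removes first entry from list and returns data; only the node is freed,
 * the data pointer is handed back to the caller */
void *list_shift(struct list *list) {
    struct list_node *node;
    void *data;

    if (!list || !list->first)
        return NULL;

    node = list->first;
    list->first = node->next;
    if (!list->first)
        list->last = NULL;
    data = node->data;

    free(node);
    list->count--;
    return data;
}

/* removes all entries with matching data pointer; only the nodes are freed,
 * the data itself is left to the caller */
void list_removedata(struct list *list, void *data) {
    struct list_node **link, *node, *kept = NULL;

    if (!list)
        return;

    /* Walk the links rather than the nodes. After an unlink the same link is
     * examined again, so a run of adjacent matches is removed completely
     * (stepping to the successor right after an unlink would skip it). */
    link = &list->first;
    while ((node = *link) != NULL) {
        if (node->data == data) {
            *link = node->next;
            free(node);
            list->count--;
        } else {
            kept = node;
            link = &node->next;
        }
    }

    /* last surviving node, or NULL when the list is now empty */
    list->last = kept;
}

/* returns first node, or NULL if list is NULL or empty */
struct list_node *list_first(struct list *list) {
    return list ? list->first : NULL;
}

/* returns the next node after the argument, or NULL if there is none
 * (a NULL argument is tolerated, matching list_first) */
struct list_node *list_next(struct list_node *node) {
    return node ? node->next : NULL;
}

/* returns number of nodes; a NULL list counts as empty */
uint32_t list_count(struct list *list) {
    return list ? list->count : 0;
}

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/fticks_hashmac.c0000664000175100017510000000450212042223225014116 00000000000000
/* Copyright (C) 2011 NORDUnet A/S
 * See LICENSE for information about licensing.
 */

/* NOTE(review): the seven system header names below were dropped when this
 * page was extracted; they are reconstructed from the identifiers used in this
 * file (sprintf-family, calloc/free, strlen, ENOMEM, tolower, and the
 * sha256_ and hmac_sha256_ calls, which look like the Nettle API) -- confirm
 * against the upstream file. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <ctype.h>
#include <nettle/sha.h>
#include <nettle/hmac.h>
#include "fticks_hashmac.h"

/* Write the digest in HASH as lowercase hex into OUT, which has room for
 * OUT_LEN octets including the terminating NUL.  Two hex digits are emitted
 * per digest octet for as long as the pair plus a NUL still fits; if OUT_LEN
 * is larger than the digest needs, the digest octets are reused from the
 * start (ir % SHA256_DIGEST_SIZE). */
static void
_format_hash(const uint8_t *hash, size_t out_len, uint8_t *out)
{
    size_t ir, iw;

    /* A buffer too small for one hex pair still gets a terminated (empty)
     * string instead of being left as the caller passed it. */
    if (out_len > 0)
        out[0] = '\0';

    /* "iw + 3 <= out_len" is the wrap-free form of "iw <= out_len - 3":
     * with an unsigned out_len below 3 the subtraction wraps to a huge bound
     * and the loop would write far past the end of OUT. */
    for (ir = 0, iw = 0; iw + 3 <= out_len; ir++, iw += 2)
        snprintf((char *) out + iw, out_len - iw, "%02x",
                 hash[ir % SHA256_DIGEST_SIZE]);
}

/* Digest the NUL-terminated string IN and store the hex form in OUT
 * (OUT_LEN octets available).  With KEY == NULL a plain SHA-256 is used,
 * otherwise HMAC-SHA256 keyed with the NUL-terminated string KEY.
 *
 * Privacy note: an unkeyed digest of a MAC address is only a weak pseudonym,
 * because the space of possible addresses is small enough to enumerate; the
 * keyed form is the one to use where the logged value must not be linkable
 * back to a device.  The key length is taken with strlen(), so the key is
 * treated as text and ends at its first NUL octet. */
static void
_hash(const uint8_t *in, const uint8_t *key, size_t out_len, uint8_t *out)
{
    uint8_t hash[SHA256_DIGEST_SIZE];

    if (key == NULL) {
        struct sha256_ctx ctx;

        sha256_init(&ctx);
        sha256_update(&ctx, strlen((char *) in), in);
        sha256_digest(&ctx, sizeof(hash), hash);
    } else {
        struct hmac_sha256_ctx ctx;

        hmac_sha256_set_key(&ctx, strlen((char *) key), key);
        hmac_sha256_update(&ctx, strlen((char *) in), in);
        hmac_sha256_digest(&ctx, sizeof(hash), hash);
    }

    _format_hash(hash, out_len, out);
}

/** Hash the Ethernet MAC address in \a IN, keying a HMAC with \a KEY
    unless \a KEY is NULL.  If \a KEY is null \a IN is hashed with an
    ordinary cryptographic hash function such as SHA-2.

    \a IN and \a KEY are NUL terminated strings.

    \a IN is supposed to be an Ethernet MAC address and is sanitised
    by lowercasing it, removing all but [0-9a-f] and truncating it at
    the first ';' found.  The truncation is done because RADIUS
    supposedly has a praxis of tacking on SSID to the MAC address in
    Calling-Station-Id.

    \return 0 on success, -ENOMEM on out of memory.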
*/ int fticks_hashmac(const uint8_t *in, const uint8_t *key, size_t out_len, uint8_t *out) { uint8_t *in_copy = NULL; uint8_t *p = NULL; int i; in_copy = calloc(1, strlen((const char *) in) + 1); if (in_copy == NULL) return -ENOMEM; /* Sanitise and lowercase 'in' into 'in_copy'. */ for (i = 0, p = in_copy; in[i] != '\0'; i++) { if (in[i] == ';') { *p++ = '\0'; break; } if (in[i] >= '0' && in[i] <= '9') { *p++ = in[i]; } else if (tolower(in[i]) >= 'a' && tolower(in[i]) <= 'f') { *p++ = tolower(in[i]); } } _hash(in_copy, key, out_len, out); free(in_copy); return 0; } radsecproxy-1.6.2/Makefile.am0000664000175100017510000000356012042223225013042 00000000000000AUTOMAKE_OPTIONS = foreign if WANT_FTICKS fticks_sources = fticks.c fticks.h fticks_hashmac.c fticks_hashmac.h fticks_programs = radsecproxy-hash radsecproxy_hash_LDADD = fticks_hashmac.o hash.o list.o endif if HAVE_DOCBOOK2X_MAN GENMANPAGES = radsecproxy.conf.5 endif SUBDIRS = tests sbin_PROGRAMS = radsecproxy bin_PROGRAMS = radsecproxy-conf $(fticks_programs) noinst_LIBRARIES = librsp.a radsecproxy_SOURCES = main.c librsp_a_SOURCES = \ $(fticks_sources) \ debug.c debug.h \ dtls.c dtls.h \ gconfig.c gconfig.h \ hash.c hash.h \ hostport.c hostport.h \ list.c list.h \ radmsg.c radmsg.h \ radsecproxy.c radsecproxy.h \ tcp.c tcp.h \ tls.c tls.h \ tlscommon.c tlscommon.h \ tlv11.c tlv11.h \ udp.c udp.h \ util.c util.h radsecproxy_conf_SOURCES = \ catgconf.c \ debug.c debug.h \ gconfig.c gconfig.h \ util.c util.h #################### AM_CPPFLAGS = -DSYSCONFDIR=\"$(sysconfdir)\" AM_CFLAGS = \ -g -Wall -Werror -fno-strict-aliasing @SSL_CFLAGS@ @TARGET_CFLAGS@ radsecproxy_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@ radsecproxy_LDADD = librsp.a @SSL_LIBS@ radsecproxy_conf_LDFLAGS = @TARGET_LDFLAGS@ dist_man_MANS = radsecproxy.1 radsecproxy-hash.1 $(GENMANPAGES) EXTRA_DIST = \ LICENSE THANKS \ configure Makefile.in tests/Makefile.in \ compile config.guess config.sub install-sh missing depcomp \ radsecproxy.conf.5.xml 
radsecproxy.conf-example \ tools/README tools/naptr-eduroam.sh tools/radsec-dynsrv.sh DISTCHECK_CONFIGURE_FLAGS = --enable-fticks #################### radsecproxy.conf.5: $(srcdir)/radsecproxy.conf.5.xml docbook2x-man $< # Build HTML version of radsecproxy.conf.5. NOTE: Only tested with # 'openjade' package installed on Ubuntu 9.10. html: $(srcdir)/radsecproxy.conf.5.xml -openjade -E2000 -t sgml-raw -d /usr/share/sgml/docbook/stylesheet/dsssl/modular/html/docbook.dsl -o radsecproxy.conf.html $< clean-local: -rm $(GENMANPAGES) radsecproxy-1.6.2/depcomp0000755000175100017510000004426712042223267012400 00000000000000#! /bin/sh # depcomp - compile a program generating dependencies as side-effects scriptversion=2009-04-28.21; # UTC # Copyright (C) 1999, 2000, 2003, 2004, 2005, 2006, 2007, 2009 Free # Software Foundation, Inc. # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2, or (at your option) # any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program. If not, see . # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a # configuration script generated by Autoconf, you may include it under # the same distribution terms that you use for the rest of that program. # Originally written by Alexandre Oliva . case $1 in '') echo "$0: No command. Try \`$0 --help' for more information." 1>&2 exit 1; ;; -h | --h*) cat <<\EOF Usage: depcomp [--help] [--version] PROGRAM [ARGS] Run PROGRAMS ARGS to compile a file, generating dependencies as side-effects. 
Environment variables: depmode Dependency tracking mode. source Source file read by `PROGRAMS ARGS'. object Object file output by `PROGRAMS ARGS'. DEPDIR directory where to store dependencies. depfile Dependency file to output. tmpdepfile Temporary file to use when outputing dependencies. libtool Whether libtool is used (yes/no). Report bugs to . EOF exit $? ;; -v | --v*) echo "depcomp $scriptversion" exit $? ;; esac if test -z "$depmode" || test -z "$source" || test -z "$object"; then echo "depcomp: Variables source, object and depmode must be set" 1>&2 exit 1 fi # Dependencies for sub/bar.o or sub/bar.obj go into sub/.deps/bar.Po. depfile=${depfile-`echo "$object" | sed 's|[^\\/]*$|'${DEPDIR-.deps}'/&|;s|\.\([^.]*\)$|.P\1|;s|Pobj$|Po|'`} tmpdepfile=${tmpdepfile-`echo "$depfile" | sed 's/\.\([^.]*\)$/.T\1/'`} rm -f "$tmpdepfile" # Some modes work just like other modes, but use different flags. We # parameterize here, but still list the modes in the big case below, # to make depend.m4 easier to write. Note that we *cannot* use a case # here, because this file can only contain one case statement. if test "$depmode" = hp; then # HP compiler uses -M and no extra arg. gccflag=-M depmode=gcc fi if test "$depmode" = dashXmstdout; then # This is just like dashmstdout with a different argument. dashmflag=-xM depmode=dashmstdout fi cygpath_u="cygpath -u -f -" if test "$depmode" = msvcmsys; then # This is just like msvisualcpp but w/o cygpath translation. # Just convert the backslash-escaped backslashes to single forward # slashes to satisfy depend.m4 cygpath_u="sed s,\\\\\\\\,/,g" depmode=msvisualcpp fi case "$depmode" in gcc3) ## gcc 3 implements dependency tracking that does exactly what ## we want. Yay! Note: for some reason libtool 1.4 doesn't like ## it if -MD -MP comes after the -MF stuff. Hmm. ## Unfortunately, FreeBSD c89 acceptance of flags depends upon ## the command line argument order; so add the flags where they ## appear in depend2.am. 
Note that the slowdown incurred here ## affects only configure: in makefiles, %FASTDEP% shortcuts this. for arg do case $arg in -c) set fnord "$@" -MT "$object" -MD -MP -MF "$tmpdepfile" "$arg" ;; *) set fnord "$@" "$arg" ;; esac shift # fnord shift # $arg done "$@" stat=$? if test $stat -eq 0; then : else rm -f "$tmpdepfile" exit $stat fi mv "$tmpdepfile" "$depfile" ;; gcc) ## There are various ways to get dependency output from gcc. Here's ## why we pick this rather obscure method: ## - Don't want to use -MD because we'd like the dependencies to end ## up in a subdir. Having to rename by hand is ugly. ## (We might end up doing this anyway to support other compilers.) ## - The DEPENDENCIES_OUTPUT environment variable makes gcc act like ## -MM, not -M (despite what the docs say). ## - Using -M directly means running the compiler twice (even worse ## than renaming). if test -z "$gccflag"; then gccflag=-MD, fi "$@" -Wp,"$gccflag$tmpdepfile" stat=$? if test $stat -eq 0; then : else rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" echo "$object : \\" > "$depfile" alpha=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ## The second -e expression handles DOS-style file names with drive letters. sed -e 's/^[^:]*: / /' \ -e 's/^['$alpha']:\/[^:]*: / /' < "$tmpdepfile" >> "$depfile" ## This next piece of magic avoids the `deleted header file' problem. ## The problem is that when a header file which appears in a .P file ## is deleted, the dependency causes make to die (because there is ## typically no way to rebuild the header). We avoid this by adding ## dummy dependencies for each header file. Too bad gcc doesn't do ## this for us directly. tr ' ' ' ' < "$tmpdepfile" | ## Some versions of gcc put a space before the `:'. On the theory ## that the space means something, we add a space to the output as ## well. ## Some versions of the HPUX 10.20 sed can't process this invocation ## correctly. Breaking it into two sed invocations is a workaround. 
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; hp) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. exit 1 ;; sgi) if test "$libtool" = yes; then "$@" "-Wp,-MDupdate,$tmpdepfile" else "$@" -MDupdate "$tmpdepfile" fi stat=$? if test $stat -eq 0; then : else rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" if test -f "$tmpdepfile"; then # yes, the sourcefile depend on other files echo "$object : \\" > "$depfile" # Clip off the initial element (the dependent). Don't try to be # clever and replace this with sed code, as IRIX sed won't handle # lines with more than a fixed number of characters (4096 in # IRIX 6.2 sed, 8192 in IRIX 6.5). We also remove comment lines; # the IRIX cc adds comments like `#:fec' to the end of the # dependency line. tr ' ' ' ' < "$tmpdepfile" \ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' | \ tr ' ' ' ' >> "$depfile" echo >> "$depfile" # The second pass generates a dummy entry for each header file. tr ' ' ' ' < "$tmpdepfile" \ | sed -e 's/^.*\.o://' -e 's/#.*$//' -e '/^$/ d' -e 's/$/:/' \ >> "$depfile" else # The sourcefile does not contain any dependencies, so just # store a dummy comment line, to avoid errors with the Makefile # "include basename.Plo" scheme. echo "#dummy" > "$depfile" fi rm -f "$tmpdepfile" ;; aix) # The C for AIX Compiler uses -M and outputs the dependencies # in a .u file. In older versions, this file always lives in the # current directory. Also, the AIX compiler puts `$object:' at the # start of each line; $object doesn't have directory information. # Version 6 uses the directory in both cases. 
dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` test "x$dir" = "x$object" && dir= base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` if test "$libtool" = yes; then tmpdepfile1=$dir$base.u tmpdepfile2=$base.u tmpdepfile3=$dir.libs/$base.u "$@" -Wc,-M else tmpdepfile1=$dir$base.u tmpdepfile2=$dir$base.u tmpdepfile3=$dir$base.u "$@" -M fi stat=$? if test $stat -eq 0; then : else rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" do test -f "$tmpdepfile" && break done if test -f "$tmpdepfile"; then # Each line is of the form `foo.o: dependent.h'. # Do two passes, one to just change these to # `$object: dependent.h' and one to simply `dependent.h:'. sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile" # That's a tab and a space in the []. sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" else # The sourcefile does not contain any dependencies, so just # store a dummy comment line, to avoid errors with the Makefile # "include basename.Plo" scheme. echo "#dummy" > "$depfile" fi rm -f "$tmpdepfile" ;; icc) # Intel's C compiler understands `-MD -MF file'. However on # icc -MD -MF foo.d -c -o sub/foo.o sub/foo.c # ICC 7.0 will fill foo.d with something like # foo.o: sub/foo.c # foo.o: sub/foo.h # which is wrong. We want: # sub/foo.o: sub/foo.c # sub/foo.o: sub/foo.h # sub/foo.c: # sub/foo.h: # ICC 7.1 will output # foo.o: sub/foo.c sub/foo.h # and will wrap long lines using \ : # foo.o: sub/foo.c ... \ # sub/foo.h ... \ # ... "$@" -MD -MF "$tmpdepfile" stat=$? if test $stat -eq 0; then : else rm -f "$tmpdepfile" exit $stat fi rm -f "$depfile" # Each line is of the form `foo.o: dependent.h', # or `foo.o: dep1.h dep2.h \', or ` dep3.h dep4.h \'. # Do two passes, one to just change these to # `$object: dependent.h' and one to simply `dependent.h:'. 
sed "s,^[^:]*:,$object :," < "$tmpdepfile" > "$depfile" # Some versions of the HPUX 10.20 sed can't process this invocation # correctly. Breaking it into two sed invocations is a workaround. sed 's,^[^:]*: \(.*\)$,\1,;s/^\\$//;/^$/d;/:$/d' < "$tmpdepfile" | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; hp2) # The "hp" stanza above does not work with aCC (C++) and HP's ia64 # compilers, which have integrated preprocessors. The correct option # to use with these is +Maked; it writes dependencies to a file named # 'foo.d', which lands next to the object file, wherever that # happens to be. # Much of this is similar to the tru64 case; see comments there. dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` test "x$dir" = "x$object" && dir= base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` if test "$libtool" = yes; then tmpdepfile1=$dir$base.d tmpdepfile2=$dir.libs/$base.d "$@" -Wc,+Maked else tmpdepfile1=$dir$base.d tmpdepfile2=$dir$base.d "$@" +Maked fi stat=$? if test $stat -eq 0; then : else rm -f "$tmpdepfile1" "$tmpdepfile2" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" do test -f "$tmpdepfile" && break done if test -f "$tmpdepfile"; then sed -e "s,^.*\.[a-z]*:,$object:," "$tmpdepfile" > "$depfile" # Add `dependent.h:' lines. sed -ne '2,${ s/^ *// s/ \\*$// s/$/:/ p }' "$tmpdepfile" >> "$depfile" else echo "#dummy" > "$depfile" fi rm -f "$tmpdepfile" "$tmpdepfile2" ;; tru64) # The Tru64 compiler uses -MD to generate dependencies as a side # effect. `cc -MD -o foo.o ...' puts the dependencies into `foo.o.d'. # At least on Alpha/Redhat 6.1, Compaq CCC V6.2-504 seems to put # dependencies in `foo.d' instead, so we check for that too. # Subdirectories are respected. dir=`echo "$object" | sed -e 's|/[^/]*$|/|'` test "x$dir" = "x$object" && dir= base=`echo "$object" | sed -e 's|^.*/||' -e 's/\.o$//' -e 's/\.lo$//'` if test "$libtool" = yes; then # With Tru64 cc, shared objects can also be used to make a # static library. 
This mechanism is used in libtool 1.4 series to # handle both shared and static libraries in a single compilation. # With libtool 1.4, dependencies were output in $dir.libs/$base.lo.d. # # With libtool 1.5 this exception was removed, and libtool now # generates 2 separate objects for the 2 libraries. These two # compilations output dependencies in $dir.libs/$base.o.d and # in $dir$base.o.d. We have to check for both files, because # one of the two compilations can be disabled. We should prefer # $dir$base.o.d over $dir.libs/$base.o.d because the latter is # automatically cleaned when .libs/ is deleted, while ignoring # the former would cause a distcleancheck panic. tmpdepfile1=$dir.libs/$base.lo.d # libtool 1.4 tmpdepfile2=$dir$base.o.d # libtool 1.5 tmpdepfile3=$dir.libs/$base.o.d # libtool 1.5 tmpdepfile4=$dir.libs/$base.d # Compaq CCC V6.2-504 "$@" -Wc,-MD else tmpdepfile1=$dir$base.o.d tmpdepfile2=$dir$base.d tmpdepfile3=$dir$base.d tmpdepfile4=$dir$base.d "$@" -MD fi stat=$? if test $stat -eq 0; then : else rm -f "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4" exit $stat fi for tmpdepfile in "$tmpdepfile1" "$tmpdepfile2" "$tmpdepfile3" "$tmpdepfile4" do test -f "$tmpdepfile" && break done if test -f "$tmpdepfile"; then sed -e "s,^.*\.[a-z]*:,$object:," < "$tmpdepfile" > "$depfile" # That's a tab and a space in the []. sed -e 's,^.*\.[a-z]*:[ ]*,,' -e 's,$,:,' < "$tmpdepfile" >> "$depfile" else echo "#dummy" > "$depfile" fi rm -f "$tmpdepfile" ;; #nosideeffect) # This comment above is used by automake to tell side-effect # dependency tracking mechanisms from slower ones. dashmstdout) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout, regardless of -o. "$@" || exit $? # Remove the call to Libtool. if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # Remove `-o $object'. 
IFS=" " for arg do case $arg in -o) shift ;; $object) shift ;; *) set fnord "$@" "$arg" shift # fnord shift # $arg ;; esac done test -z "$dashmflag" && dashmflag=-M # Require at least two characters before searching for `:' # in the target name. This is to cope with DOS-style filenames: # a dependency such as `c:/foo/bar' could be seen as target `c' otherwise. "$@" $dashmflag | sed 's:^[ ]*[^: ][^:][^:]*\:[ ]*:'"$object"'\: :' > "$tmpdepfile" rm -f "$depfile" cat < "$tmpdepfile" > "$depfile" tr ' ' ' ' < "$tmpdepfile" | \ ## Some versions of the HPUX 10.20 sed can't process this invocation ## correctly. Breaking it into two sed invocations is a workaround. sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; dashXmstdout) # This case only exists to satisfy depend.m4. It is never actually # run, as this mode is specially recognized in the preamble. exit 1 ;; makedepend) "$@" || exit $? # Remove any Libtool call if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # X makedepend shift cleared=no eat=no for arg do case $cleared in no) set ""; shift cleared=yes ;; esac if test $eat = yes; then eat=no continue fi case "$arg" in -D*|-I*) set fnord "$@" "$arg"; shift ;; # Strip any option that makedepend may not understand. Remove # the object too, otherwise makedepend will parse it as a source file. -arch) eat=yes ;; -*|$object) ;; *) set fnord "$@" "$arg"; shift ;; esac done obj_suffix=`echo "$object" | sed 's/^.*\././'` touch "$tmpdepfile" ${MAKEDEPEND-makedepend} -o"$obj_suffix" -f"$tmpdepfile" "$@" rm -f "$depfile" cat < "$tmpdepfile" > "$depfile" sed '1,2d' "$tmpdepfile" | tr ' ' ' ' | \ ## Some versions of the HPUX 10.20 sed can't process this invocation ## correctly. Breaking it into two sed invocations is a workaround. 
sed -e 's/^\\$//' -e '/^$/d' -e '/:$/d' | sed -e 's/$/ :/' >> "$depfile" rm -f "$tmpdepfile" "$tmpdepfile".bak ;; cpp) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout. "$@" || exit $? # Remove the call to Libtool. if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi # Remove `-o $object'. IFS=" " for arg do case $arg in -o) shift ;; $object) shift ;; *) set fnord "$@" "$arg" shift # fnord shift # $arg ;; esac done "$@" -E | sed -n -e '/^# [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' \ -e '/^#line [0-9][0-9]* "\([^"]*\)".*/ s:: \1 \\:p' | sed '$ s: \\$::' > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" cat < "$tmpdepfile" >> "$depfile" sed < "$tmpdepfile" '/^$/d;s/^ //;s/ \\$//;s/$/ :/' >> "$depfile" rm -f "$tmpdepfile" ;; msvisualcpp) # Important note: in order to support this mode, a compiler *must* # always write the preprocessed file to stdout. "$@" || exit $? # Remove the call to Libtool. if test "$libtool" = yes; then while test "X$1" != 'X--mode=compile'; do shift done shift fi IFS=" " for arg do case "$arg" in -o) shift ;; $object) shift ;; "-Gm"|"/Gm"|"-Gi"|"/Gi"|"-ZI"|"/ZI") set fnord "$@" shift shift ;; *) set fnord "$@" "$arg" shift shift ;; esac done "$@" -E 2>/dev/null | sed -n '/^#line [0-9][0-9]* "\([^"]*\)"/ s::\1:p' | $cygpath_u | sort -u > "$tmpdepfile" rm -f "$depfile" echo "$object : \\" > "$depfile" sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s:: \1 \\:p' >> "$depfile" echo " " >> "$depfile" sed < "$tmpdepfile" -n -e 's% %\\ %g' -e '/^\(.*\)$/ s::\1\::p' >> "$depfile" rm -f "$tmpdepfile" ;; msvcmsys) # This case exists only to let depend.m4 do its work. It works by # looking at the text of this script. This case will never be run, # since it is checked for above. 
exit 1 ;; none) exec "$@" ;; *) echo "Unknown depmode $depmode" 1>&2 exit 1 ;; esac exit 0 # Local Variables: # mode: shell-script # sh-indentation: 2 # eval: (add-hook 'write-file-hooks 'time-stamp) # time-stamp-start: "scriptversion=" # time-stamp-format: "%:y-%02m-%02d.%02H" # time-stamp-time-zone: "UTC" # time-stamp-end: "; # UTC" # End: radsecproxy-1.6.2/INSTALL0000664000175100017510000002713612042223225012044 00000000000000Installation Instructions ************************* Copyright (C) 1994, 1995, 1996, 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc. This file is free documentation; the Free Software Foundation gives unlimited permission to copy, distribute and modify it. Basic Installation ================== Briefly, the shell commands `./configure; make; make install' should configure, build, and install this package. The following more-detailed instructions are generic; see the `README' file for instructions specific to this package. The `configure' shell script attempts to guess correct values for various system-dependent variables used during compilation. It uses those values to create a `Makefile' in each directory of the package. It may also create one or more `.h' files containing system-dependent definitions. Finally, it creates a shell script `config.status' that you can run in the future to recreate the current configuration, and a file `config.log' containing compiler output (useful mainly for debugging `configure'). It can also use an optional file (typically called `config.cache' and enabled with `--cache-file=config.cache' or simply `-C') that saves the results of its tests to speed up reconfiguring. Caching is disabled by default to prevent problems with accidental use of stale cache files. 
If you need to do unusual things to compile the package, please try to figure out how `configure' could check whether to do them, and mail diffs or instructions to the address given in the `README' so they can be considered for the next release. If you are using the cache, and at some point `config.cache' contains results you don't want to keep, you may remove or edit it. The file `configure.ac' (or `configure.in') is used to create `configure' by a program called `autoconf'. You need `configure.ac' if you want to change it or regenerate `configure' using a newer version of `autoconf'. The simplest way to compile this package is: 1. `cd' to the directory containing the package's source code and type `./configure' to configure the package for your system. Running `configure' might take a while. While running, it prints some messages telling which features it is checking for. 2. Type `make' to compile the package. 3. Optionally, type `make check' to run any self-tests that come with the package. 4. Type `make install' to install the programs and any data files and documentation. 5. You can remove the program binaries and object files from the source code directory by typing `make clean'. To also remove the files that `configure' created (so you can compile the package for a different kind of computer), type `make distclean'. There is also a `make maintainer-clean' target, but that is intended mainly for the package's developers. If you use it, you may have to get all sorts of other programs in order to regenerate files that came with the distribution. 6. Often, you can also type `make uninstall' to remove the installed files again. Compilers and Options ===================== Some systems require unusual options for compilation or linking that the `configure' script does not know about. Run `./configure --help' for details on some of the pertinent environment variables. 
You can give `configure' initial values for configuration parameters by setting variables in the command line or in the environment. Here is an example: ./configure CC=c99 CFLAGS=-g LIBS=-lposix *Note Defining Variables::, for more details. Compiling For Multiple Architectures ==================================== You can compile the package for more than one kind of computer at the same time, by placing the object files for each architecture in their own directory. To do this, you can use GNU `make'. `cd' to the directory where you want the object files and executables to go and run the `configure' script. `configure' automatically checks for the source code in the directory that `configure' is in and in `..'. With a non-GNU `make', it is safer to compile the package for one architecture at a time in the source code directory. After you have installed the package for one architecture, use `make distclean' before reconfiguring for another architecture. On MacOS X 10.5 and later systems, you can create libraries and executables that work on multiple system types--known as "fat" or "universal" binaries--by specifying multiple `-arch' options to the compiler but only a single `-arch' option to the preprocessor. Like this: ./configure CC="gcc -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ CXX="g++ -arch i386 -arch x86_64 -arch ppc -arch ppc64" \ CPP="gcc -E" CXXCPP="g++ -E" This is not guaranteed to produce working output in all cases, you may have to build one architecture at a time and combine the results using the `lipo' tool if you have problems. Installation Names ================== By default, `make install' installs the package's commands under `/usr/local/bin', include files under `/usr/local/include', etc. You can specify an installation prefix other than `/usr/local' by giving `configure' the option `--prefix=PREFIX'. You can specify separate installation prefixes for architecture-specific files and architecture-independent files. 
If you pass the option `--exec-prefix=PREFIX' to `configure', the package uses PREFIX as the prefix for installing programs and libraries. Documentation and other data files still use the regular prefix. In addition, if you use an unusual directory layout you can give options like `--bindir=DIR' to specify different values for particular kinds of files. Run `configure --help' for a list of the directories you can set and what kinds of files go in them. If the package supports it, you can cause programs to be installed with an extra prefix or suffix on their names by giving `configure' the option `--program-prefix=PREFIX' or `--program-suffix=SUFFIX'. Optional Features ================= Some packages pay attention to `--enable-FEATURE' options to `configure', where FEATURE indicates an optional part of the package. They may also pay attention to `--with-PACKAGE' options, where PACKAGE is something like `gnu-as' or `x' (for the X Window System). The `README' should mention any `--enable-' and `--with-' options that the package recognizes. For packages that use the X Window System, `configure' can usually find the X include and library files automatically, but if it doesn't, you can use the `configure' options `--x-includes=DIR' and `--x-libraries=DIR' to specify their locations. Particular systems ================== On HP-UX, the default C compiler is not ANSI C compatible. If GNU CC is not installed, it is recommended to use the following options in order to use an ANSI C compiler: ./configure CC="cc -Ae -D_XOPEN_SOURCE=500" and if that doesn't work, install pre-built binaries of GCC for HP-UX. On OSF/1 a.k.a. Tru64, some versions of the default C compiler cannot parse its `' header file. The option `-nodtk' can be used as a workaround. If GNU CC is not installed, it is therefore recommended to try ./configure CC="cc" and if that doesn't work, try ./configure CC="cc -nodtk" On Solaris, don't put `/usr/ucb' early in your `PATH'. 
This directory contains several dysfunctional programs; working variants of these programs are available in `/usr/bin'. So, if you need `/usr/ucb' in your `PATH', put it _after_ `/usr/bin'. On Haiku, software installed for all users goes in `/boot/common', not `/usr/local'. It is recommended to use the following options: ./configure --prefix=/boot/common Specifying the System Type ========================== There may be some features `configure' cannot figure out automatically, but needs to determine by the type of machine the package will run on. Usually, assuming the package is built to be run on the _same_ architectures, `configure' can figure that out, but if it prints a message saying it cannot guess the machine type, give it the `--build=TYPE' option. TYPE can either be a short name for the system type, such as `sun4', or a canonical name which has the form: CPU-COMPANY-SYSTEM where SYSTEM can have one of these forms: OS KERNEL-OS See the file `config.sub' for the possible values of each field. If `config.sub' isn't included in this package, then this package doesn't need to know the machine type. If you are _building_ compiler tools for cross-compiling, you should use the option `--target=TYPE' to select the type of system they will produce code for. If you want to _use_ a cross compiler, that generates code for a platform different from the build platform, you should specify the "host" platform (i.e., that on which the generated programs will eventually be run) with `--host=TYPE'. Sharing Defaults ================ If you want to set default values for `configure' scripts to share, you can create a site shell script called `config.site' that gives default values for variables like `CC', `cache_file', and `prefix'. `configure' looks for `PREFIX/share/config.site' if it exists, then `PREFIX/etc/config.site' if it exists. Or, you can set the `CONFIG_SITE' environment variable to the location of the site script. 
A warning: not all `configure' scripts look for a site script.

Defining Variables
==================

Variables not defined in a site shell script can be set in the environment passed to `configure'. However, some packages may run configure again during the build, and the customized values of these variables may be lost. In order to avoid this problem, you should set them in the `configure' command line, using `VAR=value'. For example:

     ./configure CC=/usr/local2/bin/gcc

causes the specified `gcc' to be used as the C compiler (unless it is overridden in the site shell script).

Unfortunately, this technique does not work for `CONFIG_SHELL' due to an Autoconf bug. Until the bug is fixed you can use this workaround:

     CONFIG_SHELL=/bin/bash /bin/bash ./configure CONFIG_SHELL=/bin/bash

`configure' Invocation
======================

`configure' recognizes the following options to control how it operates.

`--help'
`-h'
     Print a summary of all of the options to `configure', and exit.

`--help=short'
`--help=recursive'
     Print a summary of the options unique to this package's `configure', and exit. The `short' variant lists options used only in the top level, while the `recursive' variant lists options also present in any nested packages.

`--version'
`-V'
     Print the version of Autoconf used to generate the `configure' script, and exit.

`--cache-file=FILE'
     Enable the cache: use and save the results of the tests in FILE, traditionally `config.cache'. FILE defaults to `/dev/null' to disable caching.

`--config-cache'
`-C'
     Alias for `--cache-file=config.cache'.

`--quiet'
`--silent'
`-q'
     Do not print messages saying which checks are being made. To suppress all normal output, redirect it to `/dev/null' (any error messages will still be shown).

`--srcdir=DIR'
     Look for the package's source code in directory DIR. Usually `configure' can determine that directory automatically.

`--prefix=DIR'
     Use DIR as the installation prefix.
*Note Installation Names:: for more details, including other options available for fine-tuning the installation locations. `--no-create' `-n' Run the configure checks, but stop before creating any output files. `configure' also accepts some other, not widely useful, options. Run `configure --help' for more details. radsecproxy-1.6.2/aclocal.m40000664000175100017510000010351612042223266012655 00000000000000# generated automatically by aclocal 1.11.1 -*- Autoconf -*- # Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, # 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc. # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY, to the extent permitted by law; without # even the implied warranty of MERCHANTABILITY or FITNESS FOR A # PARTICULAR PURPOSE. m4_ifndef([AC_AUTOCONF_VERSION], [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl m4_if(m4_defn([AC_AUTOCONF_VERSION]), [2.68],, [m4_warning([this file was generated for autoconf 2.68. You have another version of autoconf. It may work, but is not guaranteed to. If you have problems, you may need to regenerate the build system entirely. To do so, use the procedure documented by the package, typically `autoreconf'.])]) # Copyright (C) 2002, 2003, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. # # This file is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. # AM_AUTOMAKE_VERSION(VERSION) # ---------------------------- # Automake X.Y traces this macro to ensure aclocal.m4 has been # generated from the m4 files accompanying Automake X.Y. # (This private macro should not be called outside this file.) 
# Sets am__api_version to '1.11'.  A VERSION argument other than 1.11.1
# aborts with AC_FATAL, pointing the caller at AM_INIT_AUTOMAKE.
AC_DEFUN([AM_AUTOMAKE_VERSION],
[am__api_version='1.11'
dnl Some users find AM_AUTOMAKE_VERSION and mistake it for a way to
dnl require some minimum version.  Point them to the right macro.
m4_if([$1], [1.11.1], [],
      [AC_FATAL([Do not call $0, use AM_INIT_AUTOMAKE([$1]).])])dnl
])

# _AM_AUTOCONF_VERSION(VERSION)
# -----------------------------
# aclocal traces this macro to find the Autoconf version.
# This is a private macro too.  Using m4_define simplifies
# the logic in aclocal, which can simply ignore this definition.
# The definition is empty: the macro expands to nothing.
m4_define([_AM_AUTOCONF_VERSION], [])

# AM_SET_CURRENT_AUTOMAKE_VERSION
# -------------------------------
# Call AM_AUTOMAKE_VERSION and _AM_AUTOCONF_VERSION so they can be traced.
# AC_AUTOCONF_VERSION is copied from m4_PACKAGE_VERSION when it is not
# already defined, so the second call always has a value to pass.
# This function is AC_REQUIREd by AM_INIT_AUTOMAKE.
AC_DEFUN([AM_SET_CURRENT_AUTOMAKE_VERSION],
[AM_AUTOMAKE_VERSION([1.11.1])dnl
m4_ifndef([AC_AUTOCONF_VERSION],
  [m4_copy([m4_PACKAGE_VERSION], [AC_AUTOCONF_VERSION])])dnl
_AM_AUTOCONF_VERSION(m4_defn([AC_AUTOCONF_VERSION]))])

# AM_AUX_DIR_EXPAND -*- Autoconf -*-

# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# For projects using AC_CONFIG_AUX_DIR([foo]), Autoconf sets
# $ac_aux_dir to `$srcdir/foo'.  In other projects, it is set to
# `$srcdir', `$srcdir/..', or `$srcdir/../..'.
#
# Of course, Automake must honor this variable whenever it calls a
# tool from the auxiliary directory.  The problem is that $srcdir (and
# therefore $ac_aux_dir as well) can be either absolute or relative,
# depending on how configure is run.  This is pretty annoying, since
# it makes $ac_aux_dir quite unusable in subdirectories: in the top
# source directory, any form will work fine, but in subdirectories a
# relative path needs to be adjusted first.
#
#   $ac_aux_dir/missing
#     fails when called from a subdirectory if $ac_aux_dir is relative
#   $top_srcdir/$ac_aux_dir/missing
#     fails if $ac_aux_dir is absolute,
#     fails when called from a subdirectory in a VPATH build with
#     a relative $ac_aux_dir
#
# The reason for the latter failure is that $top_srcdir and $ac_aux_dir
# are both prefixed by $srcdir.  In an in-source build this is usually
# harmless because $srcdir is `.', but things will break when you
# start a VPATH build or use an absolute $srcdir.
#
# So we could use something similar to $top_srcdir/$ac_aux_dir/missing,
# iff we strip the leading $srcdir from $ac_aux_dir.  That would be:
#   am_aux_dir='\$(top_srcdir)/'`expr "$ac_aux_dir" : "$srcdir//*\(.*\)"`
# and then we would define $MISSING as
#   MISSING="\${SHELL} $am_aux_dir/missing"
# This will work as long as MISSING is not called from configure, because
# unfortunately $(top_srcdir) has no meaning in configure.
# However there are other variables, like CC, which are often used in
# configure, and could therefore not use this "fixed" $ac_aux_dir.
#
# Another solution, used here, is to always expand $ac_aux_dir to an
# absolute PATH.  The drawback is that using absolute paths prevents a
# configured tree from being moved without reconfiguration.
#
# NOTE(review): $ac_aux_dir is expanded unquoted in the `cd' below, so the
# command substitution relies on the path containing no whitespace or
# glob characters.
AC_DEFUN([AM_AUX_DIR_EXPAND],
[dnl Rely on autoconf to set up CDPATH properly.
AC_PREREQ([2.50])dnl
# expand $ac_aux_dir to an absolute path
am_aux_dir=`cd $ac_aux_dir && pwd`
])

# AM_CONDITIONAL -*- Autoconf -*-

# Copyright (C) 1997, 2000, 2001, 2003, 2004, 2005, 2006, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 9

# AM_CONDITIONAL(NAME, SHELL-CONDITION)
# -------------------------------------
# Define a conditional.
# NAME may not be TRUE or FALSE (both abort with AC_FATAL).
# SHELL-CONDITION is pasted verbatim into the generated `if ...; then',
# so it runs as shell code in configure.  When it succeeds NAME_TRUE is
# set empty and NAME_FALSE to '#'; otherwise the two values are swapped.
# A check queued with AC_CONFIG_COMMANDS_PRE reports an error if both
# variables are still empty, i.e. the conditional was never evaluated.
AC_DEFUN([AM_CONDITIONAL],
[AC_PREREQ(2.52)dnl
 ifelse([$1], [TRUE], [AC_FATAL([$0: invalid condition: $1])],
        [$1], [FALSE], [AC_FATAL([$0: invalid condition: $1])])dnl
AC_SUBST([$1_TRUE])dnl
AC_SUBST([$1_FALSE])dnl
_AM_SUBST_NOTMAKE([$1_TRUE])dnl
_AM_SUBST_NOTMAKE([$1_FALSE])dnl
m4_define([_AM_COND_VALUE_$1], [$2])dnl
if $2; then
  $1_TRUE=
  $1_FALSE='#'
else
  $1_TRUE='#'
  $1_FALSE=
fi
AC_CONFIG_COMMANDS_PRE(
[if test -z "${$1_TRUE}" && test -z "${$1_FALSE}"; then
  AC_MSG_ERROR([[conditional "$1" was never defined. Usually this means the macro was only invoked conditionally.]])
fi])])

# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2009
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 10

# There are a few dirty hacks below to avoid letting `AC_PROG_CC' be
# written in clear, in which case automake, when reading aclocal.m4,
# will think it sees a *use*, and therefore will trigger all its
# C support machinery.  Also note that it means that autoscan, seeing
# CC etc. in the Makefile, will ask for an AC_PROG_CC use...

# _AM_DEPENDENCIES(NAME)
# ----------------------
# See how the compiler implements dependency checking.
# NAME is "CC", "CXX", "GCJ", "OBJC", or "UPC".
# We try a few techniques and use that to set a single cache variable.
#
# We don't AC_REQUIRE the corresponding AC_PROG_CC since the latter was
# modified to invoke _AM_DEPENDENCIES(CC); we would have a circular
# dependency, and given that the user is not expected to run this macro,
# just rely on AC_PROG_CC.
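AC_DEFUN([_AM_DEPENDENCIES],
[AC_REQUIRE([AM_SET_DEPDIR])dnl
AC_REQUIRE([AM_OUTPUT_DEPENDENCY_COMMANDS])dnl
AC_REQUIRE([AM_MAKE_INCLUDE])dnl
AC_REQUIRE([AM_DEP_TRACK])dnl

ifelse([$1], CC,   [depcc="$CC"   am_compiler_list=],
       [$1], CXX,  [depcc="$CXX"  am_compiler_list=],
       [$1], OBJC, [depcc="$OBJC" am_compiler_list='gcc3 gcc'],
       [$1], UPC,  [depcc="$UPC"  am_compiler_list=],
       [$1], GCJ,  [depcc="$GCJ"  am_compiler_list='gcc3 gcc'],
                   [depcc="$$1"   am_compiler_list=])

AC_CACHE_CHECK([dependency style of $depcc],
               [am_cv_$1_dependencies_compiler_type],
[if test -z "$AMDEP_TRUE" && test -f "$am_depcomp"; then
  # We make a subdir and do the tests there.  Otherwise we can end up
  # making bogus files that we don't know about and never remove.  For
  # instance it was reported that on HP-UX the gcc test will end up
  # making a dummy file named `D' -- because `-MD' means `put the output
  # in D'.
  mkdir conftest.dir
  # Copy depcomp to subdir because otherwise we won't find it if we're
  # using a relative directory.
  cp "$am_depcomp" conftest.dir
  cd conftest.dir
  # We will build objects and dependencies in a subdirectory because
  # it helps to detect inapplicable dependency modes.  For instance
  # both Tru64's cc and ICC support -MD to output dependencies as a
  # side effect of compilation, but ICC will put the dependencies in
  # the current directory while Tru64 will put them in the object
  # directory.
  mkdir sub

  am_cv_$1_dependencies_compiler_type=none
  if test "$am_compiler_list" = ""; then
     am_compiler_list=`sed -n ['s/^#*\([a-zA-Z0-9]*\))$/\1/p'] < ./depcomp`
  fi
  am__universal=false
  m4_case([$1], [CC],
    [case " $depcc " in #(
     *\ -arch\ *\ -arch\ *) am__universal=true ;;
     esac],
    [CXX],
    [case " $depcc " in #(
     *\ -arch\ *\ -arch\ *) am__universal=true ;;
     esac])

  for depmode in $am_compiler_list; do
    # Setup a source with many dependencies, because some compilers
    # like to wrap large dependency lists on column 80 (with \), and
    # we should not choose a depcomp mode which is confused by this.
    #
    # We need to recreate these files for each test, as the compiler may
    # overwrite some of them when testing with obscure command lines.
    # This happens at least with the AIX C compiler.
    : > sub/conftest.c
    for i in 1 2 3 4 5 6; do
      echo '#include "conftst'$i'.h"' >> sub/conftest.c
      # Using `: > sub/conftst$i.h' creates only sub/conftst1.h with
      # Solaris 8's {/usr,}/bin/sh.
      touch sub/conftst$i.h
    done
    echo "${am__include} ${am__quote}sub/conftest.Po${am__quote}" > confmf

    # We check with `-c' and `-o' for the sake of the "dashmstdout"
    # mode.  It turns out that the SunPro C++ compiler does not properly
    # handle `-M -o', and we need to detect this.  Also, some Intel
    # versions had trouble with output in subdirs
    am__obj=sub/conftest.${OBJEXT-o}
    am__minus_obj="-o $am__obj"
    case $depmode in
    gcc)
      # This depmode causes a compiler race in universal mode.
      test "$am__universal" = false || continue
      ;;
    nosideeffect)
      # after this tag, mechanisms are not by side-effect, so they'll
      # only be used when explicitly requested
      if test "x$enable_dependency_tracking" = xyes; then
        continue
      else
        break
      fi
      ;;
    msvisualcpp | msvcmsys)
      # This compiler won't grok `-c -o', but also, the minuso test has
      # not run yet.  These depmodes are late enough in the game, and
      # so weak that their functioning should not be impacted.
      am__obj=conftest.${OBJEXT-o}
      am__minus_obj=
      ;;
    none) break ;;
    esac
    if depmode=$depmode \
       source=sub/conftest.c object=$am__obj \
       depfile=sub/conftest.Po tmpdepfile=sub/conftest.TPo \
       $SHELL ./depcomp $depcc -c $am__minus_obj sub/conftest.c \
         >/dev/null 2>conftest.err &&
       grep sub/conftst1.h sub/conftest.Po > /dev/null 2>&1 &&
       grep sub/conftst6.h sub/conftest.Po > /dev/null 2>&1 &&
       grep $am__obj sub/conftest.Po > /dev/null 2>&1 &&
       ${MAKE-make} -s -f confmf > /dev/null 2>&1; then
      # icc doesn't choke on unknown options, it will just issue warnings
      # or remarks (even with -Werror).  So we grep stderr for any message
      # that says an option was ignored or not supported.
      # When given -MP, icc 7.0 and 7.1 complain thusly:
      #   icc: Command line warning: ignoring option '-M'; no argument required
      # The diagnosis changed in icc 8.0:
      #   icc: Command line remark: option '-MP' not supported
      if (grep 'ignoring option' conftest.err ||
          grep 'not supported' conftest.err) >/dev/null 2>&1; then :; else
        am_cv_$1_dependencies_compiler_type=$depmode
        break
      fi
    fi
  done

  cd ..
  rm -rf conftest.dir
else
  am_cv_$1_dependencies_compiler_type=none
fi
])
AC_SUBST([$1DEPMODE], [depmode=$am_cv_$1_dependencies_compiler_type])
AM_CONDITIONAL([am__fastdep$1], [
  test "x$enable_dependency_tracking" != xno \
  && test "$am_cv_$1_dependencies_compiler_type" = gcc3])
])


# AM_SET_DEPDIR
# -------------
# Choose a directory name for dependency files.
# This macro is AC_REQUIREd in _AM_DEPENDENCIES
AC_DEFUN([AM_SET_DEPDIR],
[AC_REQUIRE([AM_SET_LEADING_DOT])dnl
AC_SUBST([DEPDIR], ["${am__leading_dot}deps"])dnl
])


# AM_DEP_TRACK
# ------------
# Declares --enable/--disable-dependency-tracking.  Unless tracking is
# explicitly disabled, am_depcomp points at depcomp in $ac_aux_dir.
AC_DEFUN([AM_DEP_TRACK],
[AC_ARG_ENABLE(dependency-tracking,
[  --disable-dependency-tracking  speeds up one-time build
  --enable-dependency-tracking   do not reject slow dependency extractors])
if test "x$enable_dependency_tracking" != xno; then
  am_depcomp="$ac_aux_dir/depcomp"
  AMDEPBACKSLASH='\'
fi
AM_CONDITIONAL([AMDEP], [test "x$enable_dependency_tracking" != xno])
AC_SUBST([AMDEPBACKSLASH])dnl
_AM_SUBST_NOTMAKE([AMDEPBACKSLASH])dnl
])

# Generate code to set up dependency tracking. -*- Autoconf -*-

# Copyright (C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

#serial 5

# _AM_OUTPUT_DEPENDENCY_COMMANDS
# ------------------------------
# For every Automake-generated Makefile listed in $CONFIG_FILES, create an
# empty placeholder ('# dummy') for each dependency file it includes.
AC_DEFUN([_AM_OUTPUT_DEPENDENCY_COMMANDS],
[{
  # Autoconf 2.62 quotes --file arguments for eval, but not when files
  # are listed without --file.  Let's play safe and only enable the eval
  # if we detect the quoting.
  case $CONFIG_FILES in
  *\'*) eval set x "$CONFIG_FILES" ;;
  *)   set x $CONFIG_FILES ;;
  esac
  shift
  for mf
  do
    # Strip MF so we end up with the name of the file.
    mf=`echo "$mf" | sed -e 's/:.*$//'`
    # Check whether this is an Automake generated Makefile or not.
    # We used to match only the files named `Makefile.in', but
    # some people rename them; so instead we look at the file content.
    # Grep'ing the first line is not enough: some people post-process
    # each Makefile.in and add a new line on top of each file to say so.
    # Grep'ing the whole file is not good either: AIX grep has a line
    # limit of 2048, but all sed's we know have understand at least 4000.
    if sed -n 's,^#.*generated by automake.*,X,p' "$mf" | grep X >/dev/null 2>&1; then
      dirpart=`AS_DIRNAME("$mf")`
    else
      continue
    fi
    # Extract the definition of DEPDIR, am__include, and am__quote
    # from the Makefile without running `make'.
    DEPDIR=`sed -n 's/^DEPDIR = //p' < "$mf"`
    test -z "$DEPDIR" && continue
    am__include=`sed -n 's/^am__include = //p' < "$mf"`
    # Test the extracted value: the bare word "am__include" is never empty,
    # so without the `$' this guard could not skip a Makefile.
    test -z "$am__include" && continue
    am__quote=`sed -n 's/^am__quote = //p' < "$mf"`
    # When using ansi2knr, U may be empty or an underscore; expand it
    U=`sed -n 's/^U = //p' < "$mf"`
    # Find all dependency output files, they are included files with
    # $(DEPDIR) in their names.  We invoke sed twice because it is the
    # simplest approach to changing $(DEPDIR) to its actual value in the
    # expansion.
    for file in `sed -n "
      s/^$am__include $am__quote\(.*(DEPDIR).*\)$am__quote"'$/\1/p' <"$mf" | \
         sed -e 's/\$(DEPDIR)/'"$DEPDIR"'/g' -e 's/\$U/'"$U"'/g'`; do
      # Make sure the directory exists.
      test -f "$dirpart/$file" && continue
      fdir=`AS_DIRNAME(["$file"])`
      AS_MKDIR_P([$dirpart/$fdir])
      # echo "creating $dirpart/$file"
      echo '# dummy' > "$dirpart/$file"
    done
  done
}
])# _AM_OUTPUT_DEPENDENCY_COMMANDS


# AM_OUTPUT_DEPENDENCY_COMMANDS
# -----------------------------
# This macro should only be invoked once -- use via AC_REQUIRE.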
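#
# This code is only required when automatic dependency tracking
# is enabled.  FIXME.  This creates each `.P' file that we will
# need in order to bootstrap the dependency handling code.
# AMDEP_TRUE and ac_aux_dir are passed through to config.status; the
# command runs only when AMDEP_TRUE is empty.
AC_DEFUN([AM_OUTPUT_DEPENDENCY_COMMANDS],
[AC_CONFIG_COMMANDS([depfiles],
     [test x"$AMDEP_TRUE" != x"" || _AM_OUTPUT_DEPENDENCY_COMMANDS],
     [AMDEP_TRUE="$AMDEP_TRUE" ac_aux_dir="$ac_aux_dir"])
])

# Do all the work for Automake. -*- Autoconf -*-

# Copyright (C) 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004,
# 2005, 2006, 2008, 2009 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 16

# This macro actually does too much.  Some checks are only needed if
# your package does certain things.  But this isn't really a big deal.

# AM_INIT_AUTOMAKE(PACKAGE, VERSION, [NO-DEFINE])
# AM_INIT_AUTOMAKE([OPTIONS])
# -----------------------------------------------
# The call with PACKAGE and VERSION arguments is the old style
# call (pre autoconf-2.50), which is being phased out.  PACKAGE
# and VERSION should now be passed to AC_INIT and removed from
# the call to AM_INIT_AUTOMAKE.
# We support both call styles for the transition.  After
# the next Automake release, Autoconf can make the AC_INIT
# arguments mandatory, and then we can depend on a new Autoconf
# release and drop the old call support.
AC_DEFUN([AM_INIT_AUTOMAKE],
[AC_PREREQ([2.62])dnl
dnl Autoconf wants to disallow AM_ names.  We explicitly allow
dnl the ones we care about.
m4_pattern_allow([^AM_[A-Z]+FLAGS$])dnl
AC_REQUIRE([AM_SET_CURRENT_AUTOMAKE_VERSION])dnl
AC_REQUIRE([AC_PROG_INSTALL])dnl
if test "`cd $srcdir && pwd`" != "`pwd`"; then
  # Use -I$(srcdir) only when $(srcdir) != ., so that make's output
  # is not polluted with repeated "-I."
  AC_SUBST([am__isrc], [' -I$(srcdir)'])_AM_SUBST_NOTMAKE([am__isrc])dnl
  # test to see if srcdir already configured
  if test -f $srcdir/config.status; then
    AC_MSG_ERROR([source directory already configured; run "make distclean" there first])
  fi
fi

# test whether we have cygpath
if test -z "$CYGPATH_W"; then
  if (cygpath --version) >/dev/null 2>/dev/null; then
    CYGPATH_W='cygpath -w'
  else
    CYGPATH_W=echo
  fi
fi
AC_SUBST([CYGPATH_W])

# Define the identity of the package.
dnl Distinguish between old-style and new-style calls.
m4_ifval([$2],
[m4_ifval([$3], [_AM_SET_OPTION([no-define])])dnl
 AC_SUBST([PACKAGE], [$1])dnl
 AC_SUBST([VERSION], [$2])],
[_AM_SET_OPTIONS([$1])dnl
dnl Diagnose old-style AC_INIT with new-style AM_AUTOMAKE_INIT.
m4_if(m4_ifdef([AC_PACKAGE_NAME], 1)m4_ifdef([AC_PACKAGE_VERSION], 1), 11,,
  [m4_fatal([AC_INIT should be called with package and version arguments])])dnl
 AC_SUBST([PACKAGE], ['AC_PACKAGE_TARNAME'])dnl
 AC_SUBST([VERSION], ['AC_PACKAGE_VERSION'])])dnl

_AM_IF_OPTION([no-define],,
[AC_DEFINE_UNQUOTED(PACKAGE, "$PACKAGE", [Name of package])
 AC_DEFINE_UNQUOTED(VERSION, "$VERSION", [Version number of package])])dnl

# Some tools Automake needs.
AC_REQUIRE([AM_SANITY_CHECK])dnl
AC_REQUIRE([AC_ARG_PROGRAM])dnl
AM_MISSING_PROG(ACLOCAL, aclocal-${am__api_version})
AM_MISSING_PROG(AUTOCONF, autoconf)
AM_MISSING_PROG(AUTOMAKE, automake-${am__api_version})
AM_MISSING_PROG(AUTOHEADER, autoheader)
AM_MISSING_PROG(MAKEINFO, makeinfo)
AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
AC_REQUIRE([AM_PROG_INSTALL_STRIP])dnl
AC_REQUIRE([AM_PROG_MKDIR_P])dnl
# We need awk for the "check" target.  The system "awk" is bad on
# some platforms.
AC_REQUIRE([AC_PROG_AWK])dnl
AC_REQUIRE([AC_PROG_MAKE_SET])dnl
AC_REQUIRE([AM_SET_LEADING_DOT])dnl
_AM_IF_OPTION([tar-ustar], [_AM_PROG_TAR([ustar])],
              [_AM_IF_OPTION([tar-pax], [_AM_PROG_TAR([pax])],
                             [_AM_PROG_TAR([v7])])])
_AM_IF_OPTION([no-dependencies],,
[AC_PROVIDE_IFELSE([AC_PROG_CC],
                  [_AM_DEPENDENCIES(CC)],
                  [define([AC_PROG_CC],
                          defn([AC_PROG_CC])[_AM_DEPENDENCIES(CC)])])dnl
AC_PROVIDE_IFELSE([AC_PROG_CXX],
                  [_AM_DEPENDENCIES(CXX)],
                  [define([AC_PROG_CXX],
                          defn([AC_PROG_CXX])[_AM_DEPENDENCIES(CXX)])])dnl
AC_PROVIDE_IFELSE([AC_PROG_OBJC],
                  [_AM_DEPENDENCIES(OBJC)],
                  [define([AC_PROG_OBJC],
                          defn([AC_PROG_OBJC])[_AM_DEPENDENCIES(OBJC)])])dnl
])
_AM_IF_OPTION([silent-rules], [AC_REQUIRE([AM_SILENT_RULES])])dnl
dnl The `parallel-tests' driver may need to know about EXEEXT, so add the
dnl `am__EXEEXT' conditional if _AM_COMPILER_EXEEXT was seen.  This macro
dnl is hooked onto _AC_COMPILER_EXEEXT early, see below.
AC_CONFIG_COMMANDS_PRE(dnl
[m4_provide_if([_AM_COMPILER_EXEEXT],
  [AM_CONDITIONAL([am__EXEEXT], [test -n "$EXEEXT"])])])dnl
])

dnl Hook into `_AC_COMPILER_EXEEXT' early to learn its expansion.  Do not
dnl add the conditional right here, as _AC_COMPILER_EXEEXT may be further
dnl mangled by Autoconf and run in a shell conditional statement.
m4_define([_AC_COMPILER_EXEEXT],
m4_defn([_AC_COMPILER_EXEEXT])[m4_provide([_AM_COMPILER_EXEEXT])])


# When config.status generates a header, we must update the stamp-h file.
# This file resides in the same directory as the config header
# that is generated.  The stamp files are numbered to have different names.

# Autoconf calls _AC_AM_CONFIG_HEADER_HOOK (when defined) in the
# loop where config.status creates the headers, so we can generate
# our stamp files there.
AC_DEFUN([_AC_AM_CONFIG_HEADER_HOOK],
[# Compute $1's index in $config_headers.
_am_arg=$1
_am_stamp_count=1
for _am_header in $config_headers :; do
  case $_am_header in
    $_am_arg | $_am_arg:* )
      break ;;
    * )
      _am_stamp_count=`expr $_am_stamp_count + 1` ;;
  esac
done
echo "timestamp for $_am_arg" >`AS_DIRNAME(["$_am_arg"])`/stamp-h[]$_am_stamp_count])

# Copyright (C) 2001, 2003, 2005, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_PROG_INSTALL_SH
# ------------------
# Define $install_sh.
# A value of install_sh already present in the environment is kept: the
# guard tests ${install_sh+set}, the same form AM_MISSING_HAS_RUN uses for
# MISSING.  (Comparing the value itself with "set" overrode every preset
# value other than the literal word "set".)
# The two case patterns match a space and a tab in $am_aux_dir; in that
# case the path is single-quoted inside install_sh.
AC_DEFUN([AM_PROG_INSTALL_SH],
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
if test x"${install_sh+set}" != xset; then
  case $am_aux_dir in
  *\ * | *\	*)
    install_sh="\${SHELL} '$am_aux_dir/install-sh'" ;;
  *)
    install_sh="\${SHELL} $am_aux_dir/install-sh"
  esac
fi
AC_SUBST(install_sh)])

# Copyright (C) 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 2

# Check whether the underlying file-system supports filenames
# with a leading dot.  For instance MS-DOS doesn't.
# The probe creates and removes a directory named `.tst' in the current
# directory; am__leading_dot ends up as `.' or `_'.
AC_DEFUN([AM_SET_LEADING_DOT],
[rm -rf .tst 2>/dev/null
mkdir .tst 2>/dev/null
if test -d .tst; then
  am__leading_dot=.
else
  am__leading_dot=_
fi
rmdir .tst 2>/dev/null
AC_SUBST([am__leading_dot])])

# Check to see how 'make' treats includes. -*- Autoconf -*-

# Copyright (C) 2001, 2002, 2003, 2005, 2009 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 4

# AM_MAKE_INCLUDE()
# -----------------
# Check to see how make treats includes.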
# Writes the scratch files `confinc' and `confmf' in the current directory
# and removes them at the end.  am__include is set to `include' (GNU),
# `.include' (BSD, with am__quote set to a double quote), or left as `#'
# when neither form makes $am_make print the am__doit message.
AC_DEFUN([AM_MAKE_INCLUDE],
[am_make=${MAKE-make}
cat > confinc << 'END'
am__doit:
	@echo this is the am__doit target
.PHONY: am__doit
END
# If we don't find an include directive, just comment out the code.
AC_MSG_CHECKING([for style of include used by $am_make])
am__include="#"
am__quote=
_am_result=none
# First try GNU make style include.
echo "include confinc" > confmf
# Ignore all kinds of additional output from `make'.
case `$am_make -s -f confmf 2> /dev/null` in #(
*the\ am__doit\ target*)
  am__include=include
  am__quote=
  _am_result=GNU
  ;;
esac
# Now try BSD make style include.
if test "$am__include" = "#"; then
   echo '.include "confinc"' > confmf
   case `$am_make -s -f confmf 2> /dev/null` in #(
   *the\ am__doit\ target*)
     am__include=.include
     am__quote="\""
     _am_result=BSD
     ;;
   esac
fi
AC_SUBST([am__include])
AC_SUBST([am__quote])
AC_MSG_RESULT([$_am_result])
rm -f confinc confmf
])

# Fake the existence of programs that GNU maintainers use. -*- Autoconf -*-

# Copyright (C) 1997, 1999, 2000, 2001, 2003, 2004, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 6

# AM_MISSING_PROG(NAME, PROGRAM)
# ------------------------------
# Give the shell variable NAME the default "${am_missing_run}PROGRAM"
# unless NAME is already set, then AC_SUBST it.
AC_DEFUN([AM_MISSING_PROG],
[AC_REQUIRE([AM_MISSING_HAS_RUN])
$1=${$1-"${am_missing_run}$2"}
AC_SUBST($1)])


# AM_MISSING_HAS_RUN
# ------------------
# Define MISSING if not defined so far and test if it supports --run.
# If it does, set am_missing_run to use it, otherwise, to nothing.
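# The case patterns below match a space and a tab in $am_aux_dir, in which
# case the path is wrapped in double quotes inside MISSING.
AC_DEFUN([AM_MISSING_HAS_RUN],
[AC_REQUIRE([AM_AUX_DIR_EXPAND])dnl
AC_REQUIRE_AUX_FILE([missing])dnl
if test x"${MISSING+set}" != xset; then
  case $am_aux_dir in
  *\ * | *\	*)
    MISSING="\${SHELL} \"$am_aux_dir/missing\"" ;;
  *)
    MISSING="\${SHELL} $am_aux_dir/missing" ;;
  esac
fi
# Use eval to expand $SHELL
if eval "$MISSING --run true"; then
  am_missing_run="$MISSING --run "
else
  am_missing_run=
  AC_MSG_WARN([`missing' script is too old or missing])
fi
])

# Copyright (C) 2003, 2004, 2005, 2006 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_PROG_MKDIR_P
# ---------------
# Check for `mkdir -p'.
AC_DEFUN([AM_PROG_MKDIR_P],
[AC_PREREQ([2.60])dnl
AC_REQUIRE([AC_PROG_MKDIR_P])dnl
dnl Automake 1.8 to 1.9.6 used to define mkdir_p.  We now use MKDIR_P,
dnl while keeping a definition of mkdir_p for backward compatibility.
dnl @MKDIR_P@ is magic: AC_OUTPUT adjusts its value for each Makefile.
dnl However we cannot define mkdir_p as $(MKDIR_P) for the sake of
dnl Makefile.ins that do not define MKDIR_P, so we do our own
dnl adjustment using top_builddir (which is defined more often than
dnl MKDIR_P).
AC_SUBST([mkdir_p], ["$MKDIR_P"])dnl
case $mkdir_p in
  [[\\/$]]* | ?:[[\\/]]*) ;;
  */*) mkdir_p="\$(top_builddir)/$mkdir_p" ;;
esac
])

# Helper functions for option handling. -*- Autoconf -*-

# Copyright (C) 2001, 2002, 2003, 2005, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 4

# _AM_MANGLE_OPTION(NAME)
# -----------------------
# Expands to _AM_OPTION_ followed by NAME with every character outside
# [a-zA-Z0-9_] replaced by an underscore.
AC_DEFUN([_AM_MANGLE_OPTION],
[[_AM_OPTION_]m4_bpatsubst($1, [[^a-zA-Z0-9_]], [_])])

# _AM_SET_OPTION(NAME)
# ------------------------------
# Set option NAME.  Presently that only means defining a flag for this option.
AC_DEFUN([_AM_SET_OPTION],
[m4_define(_AM_MANGLE_OPTION([$1]), 1)])

# _AM_SET_OPTIONS(OPTIONS)
# ----------------------------------
# OPTIONS is a space-separated list of Automake options.
AC_DEFUN([_AM_SET_OPTIONS],
[m4_foreach_w([_AM_Option], [$1], [_AM_SET_OPTION(_AM_Option)])])

# _AM_IF_OPTION(OPTION, IF-SET, [IF-NOT-SET])
# -------------------------------------------
# Execute IF-SET if OPTION is set, IF-NOT-SET otherwise.
AC_DEFUN([_AM_IF_OPTION],
[m4_ifset(_AM_MANGLE_OPTION([$1]), [$2], [$3])])

# Check to make sure that the build environment is sane. -*- Autoconf -*-

# Copyright (C) 1996, 1997, 2000, 2001, 2003, 2005, 2008
# Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 5

# AM_SANITY_CHECK
# ---------------
# Two checks: the working directory and $srcdir must not contain
# characters that are unsafe in shell or make context, and a freshly
# created file must not be older than $srcdir/configure.
# am_lf holds a literal newline, and the $srcdir pattern lists both a
# space and a tab, so that the character classes agree with the
# "Accept space and tab only in the latter" comment in the body.
AC_DEFUN([AM_SANITY_CHECK],
[AC_MSG_CHECKING([whether build environment is sane])
# Just in case
sleep 1
echo timestamp > conftest.file
# Reject unsafe characters in $srcdir or the absolute working directory
# name.  Accept space and tab only in the latter.
am_lf='
'
case `pwd` in
  *[[\\\"\#\$\&\'\`$am_lf]]*)
    AC_MSG_ERROR([unsafe absolute working directory name]);;
esac
case $srcdir in
  *[[\\\"\#\$\&\'\`$am_lf\ \	]]*)
    AC_MSG_ERROR([unsafe srcdir value: `$srcdir']);;
esac

# Do `set' in a subshell so we don't clobber the current shell's
# arguments.  Must try -L first in case configure is actually a
# symlink; some systems play weird games with the mod time of symlinks
# (eg FreeBSD returns the mod time of the symlink's containing
# directory).
if (
   set X `ls -Lt "$srcdir/configure" conftest.file 2> /dev/null`
   if test "$[*]" = "X"; then
      # -L didn't work.
      set X `ls -t "$srcdir/configure" conftest.file`
   fi
   rm -f conftest.file
   if test "$[*]" != "X $srcdir/configure conftest.file" \
      && test "$[*]" != "X conftest.file $srcdir/configure"; then

      # If neither matched, then we have a broken ls.  This can happen
      # if, for instance, CONFIG_SHELL is bash and it inherits a
      # broken ls alias from the environment.  This has actually
      # happened.  Such a system could not be considered "sane".
      AC_MSG_ERROR([ls -t appears to fail. Make sure there is not a broken alias in your environment])
   fi

   test "$[2]" = conftest.file
   )
then
   # Ok.
   :
else
   AC_MSG_ERROR([newly created file is older than distributed files! Check your system clock])
fi
AC_MSG_RESULT(yes)])

# Copyright (C) 2001, 2003, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# AM_PROG_INSTALL_STRIP
# ---------------------
# One issue with vendor `install' (even GNU) is that you can't
# specify the program used to strip binaries.  This is especially
# annoying in cross-compiling environments, where the build's strip
# is unlikely to handle the host's binaries.
# Fortunately install-sh will honor a STRIPPROG variable, so we
# always use install-sh in `make install-strip', and initialize
# STRIPPROG with the value of the STRIP variable (set by the user).
AC_DEFUN([AM_PROG_INSTALL_STRIP],
[AC_REQUIRE([AM_PROG_INSTALL_SH])dnl
# Installed binaries are usually stripped using `strip' when the user
# run `make install-strip'.  However `strip' might not be the right
# tool to use in cross-compilation environments, therefore Automake
# will honor the `STRIP' environment variable to overrule this program.
dnl Don't test for $cross_compiling = yes, because it might be `maybe'.
if test "$cross_compiling" != no; then
  AC_CHECK_TOOL([STRIP], [strip], :)
fi
INSTALL_STRIP_PROGRAM="\$(install_sh) -c -s"
AC_SUBST([INSTALL_STRIP_PROGRAM])])

# Copyright (C) 2006, 2008 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 2

# _AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Prevent Automake from outputting VARIABLE = @VARIABLE@ in Makefile.in.
# This macro is traced by Automake.
AC_DEFUN([_AM_SUBST_NOTMAKE])

# AM_SUBST_NOTMAKE(VARIABLE)
# ---------------------------
# Public sister of _AM_SUBST_NOTMAKE.
AC_DEFUN([AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE($@)])

# Check how to create a tarball. -*- Autoconf -*-

# Copyright (C) 2004, 2005 Free Software Foundation, Inc.
#
# This file is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.

# serial 2

# _AM_PROG_TAR(FORMAT)
# --------------------
# Check how to create a tarball in format FORMAT.
# FORMAT should be one of `v7', `ustar', or `pax'.
#
# Substitute a variable $(am__tar) that is a command
# writing to stdout a FORMAT-tarball containing the directory
# $tardir.
#     tardir=directory && $(am__tar) > result.tar
#
# Substitute a variable $(am__untar) that extract such
# a tarball read from stdin.
#     $(am__untar) < result.tar
AC_DEFUN([_AM_PROG_TAR],
[# Always define AMTAR for backward compatibility.
AM_MISSING_PROG([AMTAR], [tar])
m4_if([$1], [v7],
     [am__tar='${AMTAR} chof - "$$tardir"'; am__untar='${AMTAR} xf -'],
     [m4_case([$1], [ustar],, [pax],,
              [m4_fatal([Unknown tar format])])
AC_MSG_CHECKING([how to create a $1 tar archive])
# Loop over all known methods to create a tar archive until one works.
_am_tools='gnutar m4_if([$1], [ustar], [plaintar]) pax cpio none'
_am_tools=${am_cv_prog_tar_$1-$_am_tools}
# Do not fold the above two line into one, because Tru64 sh and
# Solaris sh will not grok spaces in the rhs of `-'.
for _am_tool in $_am_tools
do
  case $_am_tool in
  gnutar)
    for _am_tar in tar gnutar gtar;
    do
      AM_RUN_LOG([$_am_tar --version]) && break
    done
    am__tar="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$$tardir"'
    am__tar_="$_am_tar --format=m4_if([$1], [pax], [posix], [$1]) -chf - "'"$tardir"'
    am__untar="$_am_tar -xf -"
    ;;
  plaintar)
    # Must skip GNU tar: if it does not support --format= it doesn't create
    # ustar tarball either.
    (tar --version) >/dev/null 2>&1 && continue
    am__tar='tar chf - "$$tardir"'
    am__tar_='tar chf - "$tardir"'
    am__untar='tar xf -'
    ;;
  pax)
    am__tar='pax -L -x $1 -w "$$tardir"'
    am__tar_='pax -L -x $1 -w "$tardir"'
    am__untar='pax -r'
    ;;
  cpio)
    am__tar='find "$$tardir" -print | cpio -o -H $1 -L'
    am__tar_='find "$tardir" -print | cpio -o -H $1 -L'
    am__untar='cpio -i -H $1 -d'
    ;;
  none)
    am__tar=false
    am__tar_=false
    am__untar=false
    ;;
  esac

  # If the value was cached, stop now.  We just wanted to have am__tar
  # and am__untar set.
  test -n "${am_cv_prog_tar_$1}" && break

  # tar/untar a dummy directory, and stop if the command works
  rm -rf conftest.dir
  mkdir conftest.dir
  echo GrepMe > conftest.dir/file
  AM_RUN_LOG([tardir=conftest.dir && eval $am__tar_ >conftest.tar])
  rm -rf conftest.dir
  if test -s conftest.tar; then
    # Unpack the archive again and look for the marker written above.
    AM_RUN_LOG([$am__untar <conftest.tar])
    grep GrepMe conftest.dir/file >/dev/null 2>&1 && break
  fi
done
rm -rf conftest.dir

AC_CACHE_VAL([am_cv_prog_tar_$1], [am_cv_prog_tar_$1=$_am_tool])
AC_MSG_RESULT([$am_cv_prog_tar_$1])])
AC_SUBST([am__tar])
AC_SUBST([am__untar])
]) # _AM_PROG_TAR

m4_include([acinclude.m4])
radsecproxy-1.6.2/configure.ac0000664000175100017510000000700712042223225013274 00000000000000
AC_INIT(radsecproxy, 1.6.2, radsecproxy@uninett.no)
AC_CANONICAL_TARGET
AM_INIT_AUTOMAKE
AC_PROG_CC
AC_PROG_RANLIB

dnl Transport switches.  Each transport defaults to enabled and accepts
dnl only `yes' or `no'.  Any other value stops configure through
dnl AC_MSG_ERROR, the same way the fticks option below does; `exit -1' is
dnl not a portable exit status.
udp=yes
AC_ARG_ENABLE(udp,
  [ --enable-udp whether to enable UDP transport: yes/no; default yes ],
  [case $enableval in
     yes|no) udp=$enableval ;;
     *) AC_MSG_ERROR([--enable-udp argument must be yes or no]) ;;
   esac])

tcp=yes
AC_ARG_ENABLE(tcp,
  [ --enable-tcp whether to enable TCP transport: yes/no; default yes ],
  [case $enableval in
     yes|no) tcp=$enableval ;;
     *) AC_MSG_ERROR([--enable-tcp argument must be yes or no]) ;;
   esac])

tls=yes
AC_ARG_ENABLE(tls,
  [ --enable-tls whether to enable TLS (RadSec) transport: yes/no; default yes ],
  [case $enableval in
     yes|no) tls=$enableval ;;
     *) AC_MSG_ERROR([--enable-tls argument must be yes or no]) ;;
   esac])

dtls=yes
AC_ARG_ENABLE(dtls,
  [ --enable-dtls whether to enable DTLS transport: yes/no; default yes ],
  [case $enableval in
     yes|no) dtls=$enableval ;;
     *) AC_MSG_ERROR([--enable-dtls argument must be yes or no]) ;;
   esac])

dnl F-Ticks support is off unless --enable-fticks is given.
AC_ARG_ENABLE(fticks,
  AC_HELP_STRING([--enable-fticks],[build with F-Ticks support [default=no]]),
  [case $enableval in
     yes|no) ;;
     *) AC_MSG_ERROR([bad value $enableval for --enable-fticks, need yes or no]) ;;
   esac],
  [enable_fticks=no])

if test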
"$enable_fticks" = "yes"; then AC_CHECK_LIB([nettle], [nettle_sha256_init],, [AC_MSG_WARN([required library nettle not found, fticks support disabled]) enable_fticks=no]) fi if test "$enable_fticks" = "yes"; then AC_DEFINE([WANT_FTICKS], [1]) fi AM_CONDITIONAL(WANT_FTICKS, test "$enable_fticks" = "yes") dnl Check if we're on Solaris and set CFLAGS accordingly AC_CANONICAL_SYSTEM case "${target_os}" in solaris*) TARGET_CFLAGS="-DSYS_SOLARIS9 -D_POSIX_PTHREAD_SEMANTICS" if test "$GCC" != yes ; then TARGET_CFLAGS="$TARGET_CFLAGS -mt" else TARGET_CFLAGS="$TARGET_CFLAGS -pthreads" fi TARGET_LDFLAGS="-lpthread -lsocket -lnsl" ;; *) TARGET_CFLAGS="-Wall -pedantic -Wno-long-long -pthread" TARGET_LDFLAGS="" esac dnl Adding enabled options if test "x$udp" = "xyes" ; then echo "UDP transport enabled" TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_UDP" fi if test "x$tcp" = "xyes" ; then echo "TCP transport enabled" TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_TCP" fi if test "x$tls" = "xyes" ; then echo "TLS (RadSec) transport enabled" TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_TLS" fi if test "x$dtls" = "xyes" ; then echo "DTLS transport enabled" TARGET_CFLAGS="$TARGET_CFLAGS -DRADPROT_DTLS" fi AC_ARG_ENABLE( experimental_dyndisc, AC_HELP_STRING([--enable-experimental-dyndisc], [enable experimental code for dynamic discovery [default=no]]), [case $enableval in yes|no) ;; *) AC_MSG_ERROR([bad value $enableval for --enable-experimental-dyndisc, need yes or no]) ;; esac], [enable_experimental_dyndisc=no]) if test "$enable_experimental_dyndisc" = "yes"; then AC_DEFINE([ENABLE_EXPERIMENTAL_DYNDISC], [1]) fi AM_CONDITIONAL(ENABLE_EXPERIMENTAL_DYNDISC, test "$enable_experimental_dyndisc" = "yes") AC_ARG_VAR([DOCBOOK2X_MAN], [docbook2x-man]) AC_CHECK_PROG([DOCBOOK2X_MAN], [docbook2x-man], [yes]) AM_CONDITIONAL(HAVE_DOCBOOK2X_MAN, test "$DOCBOOK2X_MAN" = "yes") AC_SUBST(TARGET_CFLAGS) AC_SUBST(TARGET_LDFLAGS) AX_CHECK_SSL AC_OUTPUT([ Makefile tests/Makefile ]) 
radsecproxy-1.6.2/udp.h0000664000175100017510000000061612042223225011746 00000000000000/* * Copyright (C) 2006-2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ const struct protodefs *udpinit(uint8_t h); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/hostport.h0000664000175100017510000000216712042223225013043 00000000000000/* * Copyright (C) 2006-2009 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ struct hostportres { char *host; char *port; uint8_t prefixlen; struct addrinfo *addrinfo; }; struct hostportres *newhostport(char *hostport, char *default_port, uint8_t prefixok); int addhostport(struct list **hostports, char **hostport, char *portdefault, uint8_t prefixok); void freehostport(struct hostportres *hp); void freehostports(struct list *hostports); int resolvehostport(struct hostportres *hp, int af, int socktype, uint8_t passive); int resolvehostports(struct list *hostports, int af, int socktype); struct addrinfo *resolvepassiveaddrinfo(char *hostport, int af, char *default_port, int socktype); int addressmatches(struct list *hostports, struct sockaddr *addr, uint8_t checkport); int connecttcphostlist(struct list *hostports, struct addrinfo *src); /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/tlscommon.h0000664000175100017510000000207412042223225013171 00000000000000/* * Copyright (C) 2006-2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
*/ #include struct tls { char *name; char *cacertfile; char *cacertpath; char *certfile; char *certkeyfile; char *certkeypwd; uint8_t crlcheck; char **policyoids; uint32_t cacheexpiry; uint32_t tlsexpiry; uint32_t dtlsexpiry; X509_VERIFY_PARAM *vpm; SSL_CTX *tlsctx; SSL_CTX *dtlsctx; }; #if defined(RADPROT_TLS) || defined(RADPROT_DTLS) struct tls *tlsgettls(char *alt1, char *alt2); SSL_CTX *tlsgetctx(uint8_t type, struct tls *t); X509 *verifytlscert(SSL *ssl); int verifyconfcert(X509 *cert, struct clsrvconf *conf); int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val); int addmatchcertattr(struct clsrvconf *conf); #endif /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/radsecproxy-hash.10000664000175100017510000000073412042223225014354 00000000000000.TH radsecproxy-hash 1 "29 Sep 2011" .SH "NAME" radsecproxy-hash - print digests of Ethernet MAC addresses .SH "SYNOPSIS" .HP 12 radsecproxy-hash [\-h] [\-k key] [\-t type] .sp .SH "DESCRIPTION" Print the hash or hmac of Ethernet MAC addresses read from standard input. .SH "OPTIONS" .TP .B \-h \fIdisplay help and exit\fR .TP .B \-k key \fIuse KEY for HMAC calculation\fR .TP .B \-t type \fIprint digest of type TYPE [hash|hmac]\fR .SH "SEE ALSO" radsecproxy.conf(5) radsecproxy-1.6.2/tcp.c0000664000175100017510000002444212042223225011742 00000000000000/* * Copyright (C) 2008-2009 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
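*/
/* NOTE(review): the header names of the bare #include directives below were
 * lost when this page was extracted; the directives are kept as found. */
#include
#include
#include
#include
#include
#include
#include
#ifdef SYS_SOLARIS9
#include
#endif
#include
#include
#include
#include
#include
#include
#include
#include
#include "radsecproxy.h"
#include "hostport.h"

#ifdef RADPROT_TCP
#include "debug.h"
#include "util.h"
static void setprotoopts(struct commonprotoopts *opts);
static char **getlistenerargs();
void *tcplistener(void *arg);
int tcpconnect(struct server *server, struct timeval *when, int timeout, char * text);
void *tcpclientrd(void *arg);
int clientradputtcp(struct server *server, unsigned char *rad);
void tcpsetsrcres();

/* Protocol description and callback table for the TCP transport; a pointer
 * to it is handed out by tcpinit(). */
static const struct protodefs protodefs = {
    "tcp",
    NULL, /* secretdefault */
    SOCK_STREAM, /* socktype */
    "1812", /* portdefault */
    0, /* retrycountdefault */
    0, /* retrycountmax */
    REQUEST_RETRY_INTERVAL * REQUEST_RETRY_COUNT, /* retryintervaldefault */
    60, /* retryintervalmax */
    DUPLICATE_INTERVAL, /* duplicateintervaldefault */
    setprotoopts, /* setprotoopts */
    getlistenerargs, /* getlistenerargs */
    tcplistener, /* listener */
    tcpconnect, /* connecter */
    tcpclientrd, /* clientconnreader */
    clientradputtcp, /* clientradput */
    NULL, /* addclient */
    NULL, /* addserverextra */
    tcpsetsrcres, /* setsrcres */
    NULL /* initextra */
};

static struct addrinfo *srcres = NULL;  /* source address, set once by tcpsetsrcres() */
static uint8_t handle;                  /* value passed to tcpinit(), used by find_clconf() */
static struct commonprotoopts *protoopts = NULL;

/* Remember the handle given by the caller and return the TCP protodefs table. */
const struct protodefs *tcpinit(uint8_t h) {
    handle = h;
    return &protodefs;
}

/* Store the protocol options used by getlistenerargs() and tcpsetsrcres(). */
static void setprotoopts(struct commonprotoopts *opts) {
    protoopts = opts;
}

/* Return the configured listen arguments, or NULL when no options are set. */
static char **getlistenerargs() {
    return protoopts ? protoopts->listenargs : NULL;
}

/* Resolve the source address once; later calls keep the first result. */
void tcpsetsrcres() {
    if (!srcres)
        srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL,
                                        AF_UNSPEC, NULL, protodefs.socktype);
}

/*
 * (Re)connect the TCP socket of a server, retrying until it succeeds or the
 * timeout is exceeded.
 *
 * server  - server whose sock/connectionok/lastconnecttry are updated;
 *           server->lock is held for the whole call, including the sleeps
 * when    - if non-NULL and different from server->lastconnecttry, another
 *           thread is assumed to have reconnected already and 1 is returned
 * timeout - seconds since the last attempt after which to give up; 0 = never
 * text    - caller name, used only in debug output
 *
 * Returns 1 when connected (or already reconnected), 0 on timeout.
 */
int tcpconnect(struct server *server, struct timeval *when, int timeout, char *text) {
    struct timeval now;
    time_t elapsed;

    debug(DBG_DBG, "tcpconnect: called from %s", text);
    pthread_mutex_lock(&server->lock);
    if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
        /* already reconnected, nothing to do */
        debug(DBG_DBG, "tcpconnect(%s): seems already reconnected", text);
        pthread_mutex_unlock(&server->lock);
        return 1;
    }

    for (;;) {
        gettimeofday(&now, NULL);
        elapsed = now.tv_sec - server->lastconnecttry.tv_sec;
        if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) {
            debug(DBG_DBG, "tcpconnect: timeout");
            if (server->sock >= 0) {
                close(server->sock);
                /* Do not leave a stale descriptor behind: the number may be
                 * reused by another connection and closed a second time. */
                server->sock = -1;
            }
            pthread_mutex_unlock(&server->lock);
            return 0;
        }
        if (server->connectionok) {
            server->connectionok = 0;
            sleep(2);
        } else if (elapsed < 1)
            sleep(2);
        else if (elapsed < 60) {
            /* time_t is not necessarily long; cast to match %ld */
            debug(DBG_INFO, "tcpconnect: sleeping %lds", (long)elapsed);
            sleep(elapsed);
        } else if (elapsed < 100000) {
            debug(DBG_INFO, "tcpconnect: sleeping %ds", 60);
            sleep(60);
        } else
            server->lastconnecttry.tv_sec = now.tv_sec;  /* no sleep at startup */
        if (server->sock >= 0)
            close(server->sock);
        if ((server->sock = connecttcphostlist(server->conf->hostports, srcres)) >= 0)
            break;
    }
    server->connectionok = 1;
    gettimeofday(&server->lastconnecttry, NULL);
    pthread_mutex_unlock(&server->lock);
    return 1;
}

/* timeout in seconds, 0 means no timeout (blocking), returns when num bytes have been read, or timeout */
/* returns 0 on timeout, -1 on error and num if ok */
/*
 * NOTE(review): the socket is also passed to select() in the write set, so
 * select() returns as soon as the socket is writable; the timeout then does
 * not bound the following read(). Confirm whether that is intended before
 * relying on the timeout.
 */
int tcpreadtimeout(int s, unsigned char *buf, int num, int timeout) {
    int ndesc, cnt, len;
    fd_set readfds, writefds;
    struct timeval timer;

    /* FD_SET() on a descriptor >= FD_SETSIZE writes outside the fd_set. */
    if (s < 0 || s >= FD_SETSIZE)
        return -1;
    /* make socket non-blocking? */
    for (len = 0; len < num; len += cnt) {
        FD_ZERO(&readfds);
        FD_SET(s, &readfds);
        writefds = readfds;
        if (timeout) {
            timer.tv_sec = timeout;
            timer.tv_usec = 0;
        }
        ndesc = select(s + 1, &readfds, &writefds, NULL, timeout ? &timer : NULL);
        if (ndesc < 1)
            return ndesc;

        cnt = read(s, buf + len, num - len);
        if (cnt <= 0)
            return -1;
    }
    return num;
}

/* timeout in seconds, 0 means no timeout (blocking) */
/*
 * Read one RADIUS message from a stream socket. The first 4 octets are read,
 * RADLEN() (defined elsewhere; presumably the length field of the header)
 * gives the total size, and the rest is read into a malloc'ed buffer.
 * Messages shorter than 20 octets are read, discarded and skipped.
 *
 * Returns the buffer (caller frees) or NULL on timeout, lost connection,
 * a length that cannot hold the 4-octet header, or allocation failure.
 */
unsigned char *radtcpget(int s, int timeout) {
    int cnt, len;
    unsigned char buf[4], *rad;

    for (;;) {
        cnt = tcpreadtimeout(s, buf, 4, timeout);
        if (cnt < 1) {
            debug(DBG_DBG, cnt ? "radtcpget: connection lost" : "radtcpget: timeout");
            return NULL;
        }

        len = RADLEN(buf);
        if (len < 4) {
            /* The peer controls this value. Copying the 4 header octets into
             * a smaller allocation would write past its end, and the stream
             * cannot be resynchronised, so give up on this connection. */
            debug(DBG_WARN, "radtcpget: packet smaller than minimum radius size");
            return NULL;
        }
        rad = malloc(len);
        if (!rad) {
            /* The body is still unread; looping would parse body octets as
             * the next header, so report failure instead. */
            debug(DBG_ERR, "radtcpget: malloc failed");
            return NULL;
        }
        memcpy(rad, buf, 4);

        cnt = tcpreadtimeout(s, rad + 4, len - 4, timeout);
        if (cnt < 1) {
            debug(DBG_DBG, cnt ? "radtcpget: connection lost" : "radtcpget: timeout");
            free(rad);
            return NULL;
        }

        if (len >= 20)
            break;

        free(rad);
        debug(DBG_WARN, "radtcpget: packet smaller than minimum radius size");
    }

    debug(DBG_DBG, "radtcpget: got %d bytes", len);
    return rad;
}

/*
 * Send one RADIUS message to a server over its TCP socket.
 * Returns 1 if write() reported at least one byte written, 0 if the
 * connection is not marked ok or write() failed.
 * NOTE(review): a short write is not retried, so part of a message may be
 * left unsent while 1 is returned.
 */
int clientradputtcp(struct server *server, unsigned char *rad) {
    int cnt;
    size_t len;
    struct clsrvconf *conf = server->conf;

    if (!server->connectionok)
        return 0;
    len = RADLEN(rad);
    if ((cnt = write(server->sock, rad, len)) <= 0) {
        debug(DBG_ERR, "clientradputtcp: write error");
        return 0;
    }
    /* len is a size_t; cast so the argument matches the %d conversion */
    debug(DBG_DBG, "clientradputtcp: Sent %d bytes, Radius packet of length %d to TCP peer %s", cnt, (int)len, conf->name);
    return 1;
}

/*
 * Reader thread for a server connection: reads replies with radtcpget() and
 * passes them to replyh(); when a read fails it calls tcpconnect() to
 * reconnect. The loop has no exit, so the statements after it are never
 * reached.
 */
void *tcpclientrd(void *arg) {
    struct server *server = (struct server *)arg;
    unsigned char *buf;
    struct timeval lastconnecttry;

    for (;;) {
        /* yes, lastconnecttry is really necessary */
        lastconnecttry = server->lastconnecttry;
        buf = radtcpget(server->sock, 0);
        if (!buf) {
            tcpconnect(server, &lastconnecttry, 0, "tcpclientrd");
            continue;
        }

        replyh(server, buf);
    }
    server->clientrdgone = 1;
    return NULL;
}

/*
 * Writer thread for a client connection: waits on the client's reply queue
 * and writes each queued reply to client->sock. Exits when the reader has
 * set client->sock to a negative value and signalled the queue.
 */
void *tcpserverwr(void *arg) {
    int cnt;
    struct client *client = (struct client *)arg;
    struct gqueue *replyq;
    struct request *reply;

    debug(DBG_DBG, "tcpserverwr: starting for %s", addr2string(client->addr));
    replyq = client->replyq;
    for (;;) {
        pthread_mutex_lock(&replyq->mutex);
        while (!list_first(replyq->entries)) {
            if (client->sock >= 0) {
                debug(DBG_DBG, "tcpserverwr: waiting for signal");
                pthread_cond_wait(&replyq->cond, &replyq->mutex);
                debug(DBG_DBG, "tcpserverwr: got signal");
            }
            if (client->sock < 0) {
                /* s might have changed while waiting */
                pthread_mutex_unlock(&replyq->mutex);
                debug(DBG_DBG, "tcpserverwr: exiting as requested");
                pthread_exit(NULL);
            }
        }
        reply = (struct request *)list_shift(replyq->entries);
        pthread_mutex_unlock(&replyq->mutex);
        cnt = write(client->sock, reply->replybuf, RADLEN(reply->replybuf));
        if (cnt > 0)
            debug(DBG_DBG, "tcpserverwr: sent %d bytes, Radius packet of length %d to %s",
                  cnt, RADLEN(reply->replybuf), addr2string(client->addr));
        else
            debug(DBG_ERR, "tcpserverwr: write error for %s", addr2string(client->addr));
        freerq(reply);
    }
}

/*
 * Reader loop for a client connection. Starts the writer thread, then reads
 * requests and passes them to radsrv() until the connection is lost or
 * radsrv() rejects a message; finally stops and joins the writer.
 */
void tcpserverrd(struct client *client) {
    struct request *rq;
    uint8_t *buf;
    pthread_t tcpserverwrth;

    debug(DBG_DBG, "tcpserverrd: starting for %s", addr2string(client->addr));

    if (pthread_create(&tcpserverwrth, NULL, tcpserverwr, (void *)client)) {
        debug(DBG_ERR, "tcpserverrd: pthread_create failed");
        return;
    }

    for (;;) {
        buf = radtcpget(client->sock, 0);
        if (!buf) {
            debug(DBG_ERR, "tcpserverrd: connection from %s lost", addr2string(client->addr));
            break;
        }
        debug(DBG_DBG, "tcpserverrd: got Radius message from %s", addr2string(client->addr));
        rq = newrequest();
        if (!rq) {
            free(buf);
            continue;
        }
        rq->buf = buf;
        rq->from = client;
        if (!radsrv(rq)) {
            debug(DBG_ERR, "tcpserverrd: message authentication/validation failed, closing connection from %s", addr2string(client->addr));
            break;
        }
    }

    /* stop writer by setting s to -1 and give signal in case waiting for data */
    client->sock = -1;
    pthread_mutex_lock(&client->replyq->mutex);
    pthread_cond_signal(&client->replyq->cond);
    pthread_mutex_unlock(&client->replyq->mutex);
    debug(DBG_DBG, "tcpserverrd: waiting for writer to end");
    pthread_join(tcpserverwrth, NULL);
    debug(DBG_DBG, "tcpserverrd: reader for %s exiting", addr2string(client->addr));
}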
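/*
 * Per-connection thread body. arg points to an int holding the accepted
 * socket, which is read once at the start. The peer address is looked up
 * with getpeername() and matched against the configured clients; without a
 * match the connection is dropped. The socket is always shut down and
 * closed before the thread exits.
 */
void *tcpservernew(void *arg) {
    int s;
    struct sockaddr_storage from;
    socklen_t fromlen = sizeof(from);
    struct clsrvconf *conf;
    struct client *client;

    s = *(int *)arg;
    if (getpeername(s, (struct sockaddr *)&from, &fromlen)) {
        debug(DBG_DBG, "tcpservernew: getpeername failed, exiting");
        goto exit;
    }
    debug(DBG_WARN, "tcpservernew: incoming TCP connection from %s", addr2string((struct sockaddr *)&from));

    conf = find_clconf(handle, (struct sockaddr *)&from, NULL);
    if (conf) {
        client = addclient(conf, 1);
        if (client) {
            client->sock = s;
            client->addr = addr_copy((struct sockaddr *)&from);
            tcpserverrd(client);
            removeclient(client);
        } else
            debug(DBG_WARN, "tcpservernew: failed to create new client instance");
    } else
        debug(DBG_WARN, "tcpservernew: ignoring request, no matching TCP client");

exit:
    shutdown(s, SHUT_RDWR);
    close(s);
    pthread_exit(NULL);
}

/*
 * Thread entry used by tcplistener(). Takes ownership of the heap-allocated
 * descriptor, copies it into this thread's own stack and frees the
 * allocation, then runs tcpservernew() on the private copy.
 */
static void *tcpservernew_owned(void *arg) {
    int s = *(int *)arg;

    free(arg);
    return tcpservernew(&s);
}

/*
 * Accept loop for the TCP listener. arg points to the listening socket.
 * Each accepted connection is served by its own detached thread.
 *
 * The accepted descriptor is handed to the thread in its own allocation.
 * Passing the address of the loop variable would let the next accept()
 * overwrite it before the new thread has read it, so two threads could end
 * up serving (and closing) the same socket while another is never served.
 *
 * NOTE(review): the return value of listen() is not checked, and the loop
 * never ends, so the free() below is never reached.
 */
void *tcplistener(void *arg) {
    pthread_t tcpserverth;
    int s, *sp = (int *)arg, *s_arg;
    struct sockaddr_storage from;
    socklen_t fromlen;

    listen(*sp, 0);

    for (;;) {
        /* accept() overwrites fromlen with the actual address size, so it
         * has to be reset for every call */
        fromlen = sizeof(from);
        s = accept(*sp, (struct sockaddr *)&from, &fromlen);
        if (s < 0) {
            debug(DBG_WARN, "accept failed");
            continue;
        }
        s_arg = malloc(sizeof *s_arg);
        if (!s_arg) {
            debug(DBG_ERR, "tcplistener: malloc failed");
            shutdown(s, SHUT_RDWR);
            close(s);
            continue;
        }
        *s_arg = s;
        if (pthread_create(&tcpserverth, NULL, tcpservernew_owned, (void *)s_arg)) {
            debug(DBG_ERR, "tcplistener: pthread_create failed");
            free(s_arg);
            shutdown(s, SHUT_RDWR);
            close(s);
            continue;
        }
        pthread_detach(tcpserverth);
    }
    free(sp);
    return NULL;
}
#else
/* TCP transport not compiled in: no protocol table is available. */
const struct protodefs *tcpinit(uint8_t h) {
    return NULL;
}
#endif

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/radsecproxy.conf.50000664000175100017510000010346512042223271014371 00000000000000'\" -*- coding: us-ascii -*- .if \n(.g .ds T< \\FC .if \n(.g .ds T> \\F[\n[.fam]] .de URL \\$2 \(la\\$1\(ra\\$3 .. .if \n(.g .mso www.tmac .TH "radsecproxy.conf " 5 2012-10-25 "radsecproxy 1.6.2" "" .SH NAME radsecproxy.conf \- Radsec proxy configuration file .SH DESCRIPTION When the proxy server starts, it will first check the command line arguments, and then read the configuration file. 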
Normally radsecproxy will read the configuration file \*(T<\fI/usr/local/etc/radsecproxy.conf\fR\*(T>. The command line \*(T<\fB\-c\fR\*(T> option can be used to instead read an alternate file (see \fBradsecproxy\fR(1) for details). .PP If the configuration file can not be found, the proxy will exit with an error message. Note that there is also an include facility so that any configuration file may include other configuration files. The proxy will also exit on configuration errors. .SH "CONFIGURATION SYNTAX" When the configuration file is processed, whitespace (spaces and tabs) are generally ignored. For each line, leading and trailing whitespace are ignored. A line is ignored if it is empty, only consists of whitespace, or if the first non-whitespace character is a \*(T<#\*(T>. The configuration is generally case insensitive, but in some cases the option values (see below) are not. .PP There are two types of configuration structures than can be used. The first and simplest are lines on the format \fIoption value\fR. That is, an option name, see below for a list of valid options, followed by whitespace (at least one space or tab character), followed by a value. Note that if the value contains whitespace, then it must be quoted using \*(T<""\*(T> or \*(T<''\*(T>. Any whitespace in front of the option or after the value will be ignored. .PP The other type of structure is a block. A block spans at least two lines, and has the format: .RS .nf blocktype name { option value option value ... } .fi .RE That is, some blocktype, see below for a list of the different block types, and then enclosed in braces you have zero or more lines that each have the previously described \fIoption value\fR format. Different block types have different rules for which options can be specified, they are listed below. The rules regarding white space, comments and quotes are as above. Hence you may do things like: .RS .nf blocktype name { # option value option "value with space" ... 
} .fi .RE .PP Option value characters can also be written in hex. This is done by writing the character \*(T<%\*(T> followed by two hexadecimal digits. If a \*(T<%\*(T> is used without two following hexadecimal digits, the \*(T<%\*(T> and the following characters are used as written. If you want to write a \*(T<%\*(T> and not use this decoding, you may of course write \*(T<%\*(T> in hex; i.e., \*(T<%25\*(T>. .PP There is one special option that can be used both as a basic option and inside all blocks. That is the option \*(T where the value specifies files to be included. The value can be a single file, or it can use normal shell globbing to specify multiple files, e.g.: .RS include /usr/local/etc/radsecproxy.conf.d/*.conf .RE The files are sorted alphabetically. Included files are read in the order they are specified, when reaching the end of a file, the next file is read. When reaching the end of the last included file, the proxy returns to read the next line following the \*(T option. Included files may again include other files. .SH "BASIC OPTIONS" The following basic options may be specified in the configuration file. Note that blocktypes and options inside blocks are discussed later. Note that none of these options are required, and indeed in many cases they are not needed. Note that you should specify each at most once. The behaviour with multiple occurences is undefined. .TP \*(T The PidFile option specifies the name of a file to which the process id (PID) will be written. This is overridden by the \*(T<\fB\-i\fR\*(T> command line option. There is no default value for the PidFile option. .TP \*(T This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 logs everything. The default is 2 which logs errors, warnings and a few informational messages. Note that the command line option \*(T<\fB\-d\fR\*(T> overrides this. .TP \*(T This specifies where the log messages should go. 
By default the messages go to syslog with facility \*(T. Using this option you can specify another syslog facility, or you may specify that logging should be to a particular file, not using syslog. The value must be either a file or syslog URL. The file URL is the standard one, specifying a local file that should be used. For syslog, you must use the syntax: \*(T where \*(T must be one of \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T or \*(T. You may omit the facility from the URL to specify logging to the default facility, but this is not very useful since this is the default log destination. Note that this option is ignored if \*(T<\fB\-f\fR\*(T> is specified on the command line. .TP \*(T The FTicksReporting option is used to enable F-Ticks logging and can be set to \*(T, \*(T or \*(T. Its default value is \*(T. If FTicksReporting is set to anything other than \*(T, note that the default value for FTicksMAC is \*(T which needs FTicksKey to be set. See \*(T for details. Note that radsecproxy has to be configured with F-Ticks support (\*(T<\-\-enable\-fticks\*(T>) for this option to have any effect. .TP \*(T The FTicksMAC option can be used to control if and how Calling-Station-Id (the user's Ethernet MAC address) is being logged. It can be set to one of \*(T, \*(T, \*(T, \*(T, \*(T or \*(T. The default value for FTicksMAC is \*(T. This means that FTicksKey has to be set. Before choosing any of \*(T, \*(T or \*(T, consider the implications for user privacy when MAC addresses are collected. How will the logs be stored, transferred and accessed? See \*(T for details. Note that radsecproxy has to be configured with F-Ticks support (\*(T<\-\-enable\-fticks\*(T>) for this option to have any effect. .TP \*(T The FTicksKey option is used to specify the key to use when producing HMACs as an effect of specifying VendorKeyHashed or FullyKeyHashed for the FTicksMAC option. 
Note that radsecproxy has to be configured with F-Ticks support (\*(T<\-\-enable\-fticks\*(T>) for this option to have any effect. .TP \*(T The FTicksSyslogFacility option is used to specify a dedicated syslog facility for F-Ticks messages. This allows for easier filtering of F-Ticks messages. If no FTicksSyslogFacility option is given, F-Ticks messages are written to what the LogDestination option specifies. F-Ticks messages are always logged using the log level LOG_DEBUG. Note that specifying a file in FTicksSyslogFacility (using the file:/// prefix) is not supported. .TP \*(T Normally the proxy will listen to the standard RADIUS UDP port \*(T<1812\*(T> if configured to handle UDP clients. On most systems it will do this for all of the system's IP addresses (both IPv4 and IPv6). On some systems however, it may respond to only IPv4 or only IPv6. To specify an alternate port you may use a value on the form \*(T<*:port\*(T> where port is any valid port number. If you also want to specify a specific address you can do e.g. \*(T<192.168.1.1:1812\*(T> or \*(T<[2001:db8::1]:1812\*(T>. The port may be omitted if you want the default one (like in these examples). These examples are equivalent to \*(T<192.168.1.1\*(T> and \*(T<2001:db8::1\*(T>. Note that you must use brackets around the IPv6 address. This option may be specified multiple times to listen to multiple addresses and/or ports. .TP \*(T This option is similar to the \*(T option, except that it is used for receiving connections from TCP clients. The default port number is \*(T<1812\*(T>. .TP \*(T This is similar to the \*(T option, except that it is used for receiving connections from TLS clients. The default port number is \*(T<2083\*(T>. Note that this option was previously called \*(T. .TP \*(T This is similar to the \*(T option, except that it is used for receiving connections from DTLS clients. The default port number is \*(T<2083\*(T>. 
.TP \*(T This can be used to specify source address and/or source port that the proxy will use for sending UDP client messages (e.g. Access Request). .TP \*(T This can be used to specify source address and/or source port that the proxy will use for TCP connections. .TP \*(T This can be used to specify source address and/or source port that the proxy will use for TLS connections. .TP \*(T This can be used to specify source address and/or source port that the proxy will use for DTLS connections. .TP \*(T This can be used to change the default TTL attribute. Only change this if you know what you are doing. The syntax is either a numerical value denoting the TTL attribute, or two numerical values separated by a colon specifying a vendor attribute, i.e. \*(T. .TP \*(T If a TTL attribute is present, the proxy will decrement the value and discard the message if zero. Normally the proxy does nothing if no TTL attribute is present. If you use the AddTTL option with a value 1-255, the proxy will when forwarding a message with no TTL attribute, add one with the specified value. Note that this option can also be specified for a client/server. It will then override this setting when forwarding a message to that client/server. .TP \*(T This can be set to \*(T or \*(T with \*(T being the default. When this is enabled, a request will never be sent to a server named the same as the client it was received from. I.e., the names of the client block and the server block are compared. Note that this only gives limited protection against loops. It can be used as a basic option and inside server blocks where it overrides the basic setting. .TP \*(T These can be set to \*(T or \*(T with \*(T being the default. At most one of \*(T and \*(T can be enabled. Enabling \*(T or \*(T makes radsecproxy resolve DNS names to the corresponding address family only, and not the other. This is done for both clients and servers. Note that this can be overridden in \*(T and \*(T blocks, see below. 
.TP \*(T This is not a normal configuration option; it can be specified multiple times. It can both be used as a basic option and inside blocks. For the full description, see the configuration syntax section above. .SH BLOCKS There are five types of blocks, they are \*(T, \*(T, \*(T, \*(T and \*(T. At least one instance of each of \*(T and \*(T is required. This is necessary for the proxy to do anything useful, and it will exit if not. The \*(T block is required if at least one TLS/DTLS client or server is configured. Note that there can be multiple blocks for each type. For each type, the block names should be unique. The behaviour with multiple occurences of the same name for the same block type is undefined. Also note that some block option values may reference a block by name, in which case the block name must be previously defined. Hence the order of the blocks may be significant. .SH "CLIENT BLOCK" The client block is used to configure a client. That is, tell the proxy about a client, and what parameters should be used for that client. The name of the client block must (with one exception, see below) be either the IP address (IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form IpAddress/PrefixLength, or a domain name (FQDN). The way an FQDN is resolved into an IP address may be influenced by the use of the \*(T and \*(T options. Note that literal IPv6 addresses must be enclosed in brackets. .PP If a domain name is specified, then this will be resolved immediately to all the addresses associated with the name, and the proxy will not care about any possible DNS changes that might occur later. Hence there is no dependency on DNS after startup. .PP When some client later sends a request to the proxy, the proxy will look at the IP address the request comes from, and then go through all the addresses of each of the configured clients (in the order they are defined), to determine which (if any) of the clients this is. 
.PP In the case of TLS/DTLS, the name of the client must match the FQDN or IP address in the client certificate. Note that this is not required when the client name is an IP prefix. .PP Alternatively one may use the \*(T option inside a client block. In that case, the value of the \*(T option is used as above, while the name of the block is only used as a descriptive name for the administrator. The host option may be used multiple times, and can be a mix of addresses, FQDNs and prefixes. .PP The allowed options in a client block are \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, and \*(T. We already discussed the \*(T option. To specify how radsecproxy should resolve a \*(T given as a DNS name, the \*(T or the \*(T can be set to \*(T. At most one of these options can be enabled. Enabling \*(T or \*(T here overrides any basic settings set at the top level. The value of \*(T must be one of \*(T, \*(T, \*(T or \*(T. The value of \*(T is the shared RADIUS key used with this client. If the secret contains whitespace, the value must be quoted. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".) .PP For a TLS/DTLS client you may also specify the \*(T option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name \*(T will be used if defined. If not defined, it will try to use the TLS block named \*(T. If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. 
NOTE: All versions of radsecproxy up to and including 1.6 erroneously verify client certificate chains using the CA in the very first matching client block regardless of which block is used for the final decision. This was changed in version 1.6.1 so that a client block with a different \*(T option than the first matching client block is no longer considered for verification of clients. .PP For a TLS/DTLS client, the option \*(T can be set to \*(T, to disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address. .PP Additional validation of certificate attributes can be done by use of the \*(T option. Currently one can only do some matching of CN and SubjectAltName. For regexp matching on CN, one can use the value \*(T. For SubjectAltName one can only do regexp matching of the URI, this is specified as \*(T. Note that currently this option can only be specified once in a client block. .PP The \*(T option can be used to specify for how many seconds duplicate checking should be done. If a proxy receives a new request within a few seconds of a previous one, it may be treated the same if from the same client, with the same authenticator etc. The proxy will then ignore the new request (if it is still processing the previous one), or returned a copy of the previous reply. .PP The \*(T option is similar to the \*(T option used in the basic config. See that for details. Any value configured here overrides the basic one when sending messages to this client. .PP The \*(T option configures clients eligible to F-Ticks logging as defined by the \*(T basic option. .PP The \*(T option overwrites the default \*(T value taken from the client block name. .PP The \*(T option is deprecated. Use \*(T instead. .PP The \*(T option can be used to refer to a rewrite block that specifies certain rewrite operations that should be performed on incoming messages from the client. The rewriting is done before other processing. 
For details, see the rewrite block text below. Similarly to \*(T discussed above, if this option is not used, there is a fallback to using the \*(T block named \*(T if it exists; and if not, a fallback to a block named \*(T. .PP The \*(T option is used in the same way as \*(T, except that it specifies rewrite operations that should be performed on outgoing messages to the client. The rewriting is done after other processing. Also, there is no rewrite fallback if this option is not used. .PP The \*(T option currently makes it possible to specify that the User-Name attribute in a client request shall be rewritten in the request sent by the proxy. The User-Name attribute is written back to the original value if a matching response is later sent back to the client. The value must be on the form User-Name:/regexpmatch/replacement/. Example usage: .RS rewriteAttribute User-Name:/^(.*)@local$/\e1@example.com/ .RE .SH "SERVER BLOCK" The server block is used to configure a server. That is, tell the proxy about a server, and what parameters should be used when communicating with that server. The name of the server block must (with one exception, see below) be either the IP address (IPv4 or IPv6) of the server, or a domain name (FQDN). If a domain name is specified, then this will be resolved immediately to all the addresses associated with the name, and the proxy will not care about any possible DNS changes that might occur later. Hence there is no dependency on DNS after startup. If the domain name resolves to multiple addresses, then for UDP/DTLS the first address is used. For TCP/TLS, the proxy will loop through the addresses until it can connect to one of them. The way an FQDN is resolved into an IP address may be influenced by the use of the \*(T and \*(T options. In the case of TLS/DTLS, the name of the server must match the FQDN or IP address in the server certificate. .PP Alternatively one may use the \*(T option inside a server block. 
In that case, the value of the \*(T option is used as above, while the name of the block is only used as a descriptive name for the administrator. Note that multiple host options may be used. This will then be treated as multiple names/addresses for the same server. When initiating a TCP/TLS connection, all addresses of all names may be attempted, but there is no failover between the different host values. For failover one must use separate server blocks. .PP Note that the name of the block, or values of host options may include a port number (separated with a colon). This port number will then override the default port or a port option in the server block. Also note that literal IPv6 addresses must be enclosed in brackets. .PP The allowed options in a server block are \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T and \*(T and \*(T. .PP We already discussed the \*(T option. To specify how radsecproxy should resolve a \*(T given as a DNS name, the \*(T or the \*(T can be set to \*(T. At most one of these options can be enabled. Enabling \*(T or \*(T here overrides any basic settings set at the top level. The \*(T option allows you to specify which port number the server uses. The usage of \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T and \*(T are just as specified for the \*(T above, except that \*(T (and not \*(T) is the fallback for the \*(T, \*(T and \*(T options. .PP \*(T can be specified to enable the use of status-server messages for this server. The value must be either \*(T or \*(T. The default when not specified, is \*(T. If statusserver is enabled, the proxy will during idle periods send regular status-server messages to the server to verify that it is alive. This should only be enabled if the server supports it. .PP The options \*(T and \*(T can be used to specify how many times the proxy should retry sending a request and how long it should wait between each retry.
The defaults are 2 retries and an interval of 5s. .PP The option \*(T can be used to specify a command that should be executed to dynamically configure a server. The executable file should be given with full path and will be invoked with the name of the realm as its first and only argument. It should either print a valid \*(T option on stdout and exit with a code of 0 or print nothing and exit with a non-zero exit code. An example of a shell script resolving the DNS NAPTR records for the realm and then the SRV records for each NAPTR matching \&'x-eduroam:radius.tls' is provided in \*(T. This option was added in radsecproxy-1.3 but tends to crash radsecproxy versions earlier than 1.6. .PP Using the \*(T option here overrides any basic setting of this option. See section \*(T for details on this option. .SH "REALM BLOCK" When the proxy receives an Access-Request it needs to figure out to which server it should be forwarded. This is done by looking at the Username attribute in the request, and matching that against the names of the defined realm blocks. The proxy will match against the blocks in the order they are specified, using the first match if any. If no realm matches, the proxy will simply ignore the request. Each realm block specifies what the server should do when a match is found. A realm block may contain none, one or multiple \*(T options, and similarly \*(T options. There are also \*(T and \*(T options. We will discuss these later. .SS "REALM BLOCK NAMES AND MATCHING" In the general case the proxy will look for a \*(T<@\*(T> in the username attribute, and try to do an exact case insensitive match between what comes after the \*(T<@\*(T> and the name of the realm block. So if you get a request with the attribute value \*(T, the proxy will go through the realm names in the order they are specified, looking for a realm block named \*(T. .PP There are two exceptions to this, one is the realm name \*(T<*\*(T> which means match everything. 
Hence if you have a realm block named \*(T<*\*(T>, then it will always match. This should then be the last realm block defined, since any blocks after this would never be checked. This is useful for having a default. .PP The other exception is regular expression matching. If the realm name starts with a \*(T, the name is treated as a regular expression. A case insensitive regexp match will then be done using this regexp on the value of the entire Username attribute. Optionally you may also have a trailing \*(T after the regexp. So as an example, if you want to use regexp matching the domain \*(T you could have a realm block named \*(T. Optionally this can also be written \*(T. If you want to match all domains under the \*(T<.com\*(T> top domain, you could do \*(T. Note that since the matching is done on the entire attribute value, you can also use rules like \*(T to get some of the users in this domain to use one server, while other users could be matched by another realm block and use another server. .SS "REALM BLOCK OPTIONS" A realm block may contain none, one or multiple \*(T options. If defined, the values of the \*(T options must be the names of previously defined server blocks. Normally requests will be forwarded to the first server option defined. If there are multiple server options, the proxy will do fail-over and use the second server if the first is down. If the two first are down, it will try the third etc. If say the first server comes back up, it will go back to using that one. Currently detection of servers being up or down is based on the use of StatusServer (if enabled), and that TCP/TLS/DTLS connections are up. .PP A realm block may also contain none, one or multiple \*(T options. This is used exactly like the \*(T option, except that it is used for specifying where to send matching accounting requests. The values must be the names of previously defined server blocks.
When multiple accounting servers are defined, there is a failover mechanism similar to the one for the \*(T option. .PP If there is no \*(T option, the proxy will if \*(T is specified, reply back to the client with an Access Reject message. The message contains a replyMessage attribute with the value as specified by the \*(T option. Note that this is different from having no match since then the request is simply ignored. You may wonder why this is useful. One example is if you handle say all domains under say \*(T<\&.bv\*(T>. Then you may have several realm blocks matching the domains that exists, while for other domains under \*(T<.bv\*(T> you want to send a reject. At the same time you might want to send all other requests to some default server. After the realms for the subdomains, you would then have two realm definitions. One with the name \*(T with no servers, followed by one with the name \*(T<*\*(T> with the default server defined. This may also be useful for blocking particular usernames. .PP If there is no \*(T option, the proxy will normally do nothing, ignoring accounting requests. There is however an option called \*(T. If this is set to \*(T, the proxy will log some of the accounting information and send an Accounting-Response back. This is useful if you do not care much about accounting, but want to stop clients from retransmitting accounting requests. By default this option is set to \*(T. .SH "TLS BLOCK" The TLS block specifies TLS configuration options and you need at least one of these if you have clients or servers using TLS/DTLS. As discussed in the client and server block descriptions, a client or server block may reference a particular TLS block by name. There are also however the special TLS block names \*(T, \*(T and \*(T which are used as defaults if the client or server block does not reference a TLS block. Also note that a TLS block must be defined before the client or server block that would use it. 
If you want the same TLS configuration for all TLS/DTLS clients and servers, you need just a single tls block named \*(T, and the client and servers need not refer to it. If you want all TLS/DTLS clients to use one config, and all TLS/DTLS servers to use another, then you would be fine only defining two TLS blocks named \*(T and \*(T. If you want different clients (or different servers) to have different TLS parameters, then you may need to create other TLS blocks with other names, and reference those from the client or server definitions. Note that you could also have say a client block refer to a default, even \*(T if you really want to. .PP The available TLS block options are \*(T, \*(T, \*(T, \*(T, \*(T, \*(T, \*(T and \*(T. When doing RADIUS over TLS/DTLS, both the client and the server present certificates, and they are both verified by the peer. Hence you must always specify \*(T and \*(T options, as well as \*(T if a password is needed to decrypt the private key. Note that \*(T may be a certificate chain. In order to verify certificates, or send a chain of certificates to a peer, you also always need to specify \*(T or \*(T. Note that you may specify both, in which case the certificates in \*(T are checked first. By default CRLs are not checked. This can be changed by setting \*(T to \*(T. One can require peer certificates to adhere to certain policies by specifying one or multiple policyOIDs using one or multiple \*(T options. .PP CA certificates and CRLs are normally cached permanently. That is, once a CA or CRL has been read, the proxy will never attempt to re-read it. CRLs may change relatively often and the proxy should ideally always use the latest CRLs. Rather than restarting the proxy, there is an option \*(T that specifies how many seconds the CA and CRL information should be cached. Reasonable values might be say 3600 (1 hour) or 86400 (24 hours), depending on how frequently CRLs are updated and how critical it is to be up to date. 
This option may be set to zero to disable caching. .SH "REWRITE BLOCK" The rewrite block specifies rules that may rewrite RADIUS messages. It can be used to add, remove and modify specific attributes from messages received from and sent to clients and servers. As discussed in the client and server block descriptions, a client or server block may reference a particular rewrite block by name. There are however also the special rewrite block names \*(T, \*(T and \*(T which are used as defaults if the client or server block does not reference a block. Also note that a rewrite block must be defined before the client or server block that would use it. If you want the same rewrite rules for input from all clients and servers, you need just a single rewrite block named \*(T, and the client and servers need not refer to it. If you want all clients to use one config, and all servers to use another, then you would be fine only defining two rewrite blocks named \*(T and \*(T. Note that these defaults are only used for rewrite on input. No rewriting is done on output unless explicitly specified using the \*(T option. .PP The available rewrite block options are \*(T, \*(T, \*(T, \*(T and \*(T. They can all be specified none, one or multiple times. .PP \*(T is used to add attributes to a message. The option value must be on the form \*(T where attribute is a numerical value specifying the attribute. Simliarly, the \*(T is used to specify a vendor attribute to be added. The option value must be on the form \*(T, where vendor and subattribute are numerical values. .PP The \*(T option is used to specify an attribute that should be removed from received messages. The option value must be a numerical value specifying which attribute is to be removed. Similarly, \*(T is used to specify a vendor attribute that is to be removed. 
The value can be a numerical value for removing all attributes from a given vendor, or on the form \*(T, where vendor and subattribute are numerical values, for removing a specific subattribute for a specific vendor. .PP \*(T is used to specify modification of attributes. The value must be on the form \*(T where attribute is a numerical attribute type, regexpmatch is regexp matching rule and replacement specifies how to replace the matching regexp. Example usage: .RS modifyAttribute 1:/^(.*)@local$/\e1@example.com/ .RE .SH "SEE ALSO" \fBradsecproxy\fR(1), .URL http://tools.ietf.org/html/draft-ietf-radext-radsec " RadSec internet draft " radsecproxy-1.6.2/radmsg.h0000664000175100017510000000246512042223225012437 00000000000000/* * Copyright (C) 2006-2008 Stig Venaas * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ #define RAD_Access_Request 1 #define RAD_Access_Accept 2 #define RAD_Access_Reject 3 #define RAD_Accounting_Request 4 #define RAD_Accounting_Response 5 #define RAD_Access_Challenge 11 #define RAD_Status_Server 12 #define RAD_Status_Client 13 #define RAD_Attr_User_Name 1 #define RAD_Attr_User_Password 2 #define RAD_Attr_Reply_Message 18 #define RAD_Attr_Vendor_Specific 26 #define RAD_Attr_Calling_Station_Id 31 #define RAD_Attr_Tunnel_Password 69 #define RAD_Attr_Message_Authenticator 80 #define RAD_VS_ATTR_MS_MPPE_Send_Key 16 #define RAD_VS_ATTR_MS_MPPE_Recv_Key 17 struct radmsg { uint8_t code; uint8_t id; uint8_t auth[20]; struct list *attrs; }; void radmsg_free(struct radmsg *); struct radmsg *radmsg_init(uint8_t, uint8_t, uint8_t *); int radmsg_add(struct radmsg *, struct tlv *); struct tlv *radmsg_gettype(struct radmsg *, uint8_t); uint8_t *radmsg2buf(struct radmsg *msg, uint8_t *); struct radmsg *buf2radmsg(uint8_t *, uint8_t *, uint8_t *); /* Local Variables: */ /* c-file-style: 
"stroustrup" */ /* End: */ radsecproxy-1.6.2/radsecproxy.c0000664000175100017510000027555112042223225013530 00000000000000/* * Copyright (C) 2006-2009 Stig Venaas * Copyright (C) 2010,2011,2012 NORDUnet A/S * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. */ /* Code contributions from: * * Arne Schwabe * Maja Wolniewicz * Simon Leinen * Stefan Winter */ /* For UDP there is one server instance consisting of udpserverrd and udpserverth * rd is responsible for init and launching wr * For TLS there is a server instance that launches tlsserverrd for each TLS peer * each tlsserverrd launches tlsserverwr * For each UDP/TLS peer there is clientrd and clientwr, clientwr is responsible * for init and launching rd * * serverrd will receive a request, processes it and puts it in the requestq of * the appropriate clientwr * clientwr monitors its requestq and sends requests * clientrd looks for responses, processes them and puts them in the replyq of * the peer the request came from * serverwr monitors its reply and sends replies * * In addition to the main thread, we have: * If UDP peers are configured, there will be 2 + 2 * #peers UDP threads * If TLS peers are configured, there will initially be 2 * #peers TLS threads * For each TLS peer connecting to us there will be 2 more TLS threads * This is only for connected peers * Example: With 3 UDP peers and 30 TLS peers, there will be a max of * 1 + (2 + 2 * 3) + (2 * 30) + (2 * 30) = 129 threads */ /* Bugs: * May segfault when dtls connections go down? More testing needed * Remove expired stuff from clients request list? * Multiple outgoing connections if not enough IDs? (multiple servers per conf?) * Useful for TCP accounting? 
Now we require separate server config for alt port */ #include #include #include #include #include #include #include #ifdef SYS_SOLARIS9 #include #endif #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "debug.h" #include "hash.h" #include "util.h" #include "hostport.h" #include "radsecproxy.h" #include "udp.h" #include "tcp.h" #include "tls.h" #include "dtls.h" #if defined(WANT_FTICKS) #include "fticks.h" #endif static struct options options; static struct list *clconfs, *srvconfs; static struct list *realms; static struct hash *rewriteconfs; static pthread_mutex_t *ssl_locks = NULL; static long *ssl_lock_count; extern int optind; extern char *optarg; static const struct protodefs *protodefs[RAD_PROTOCOUNT]; /* minimum required declarations to avoid reordering code */ struct realm *adddynamicrealmserver(struct realm *realm, char *id); int dynamicconfig(struct server *server); int confserver_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val); void freerealm(struct realm *realm); void freeclsrvconf(struct clsrvconf *conf); void freerq(struct request *rq); void freerqoutdata(struct rqout *rqout); void rmclientrq(struct request *rq, uint8_t id); static const struct protodefs *(*protoinits[])(uint8_t) = { udpinit, tlsinit, tcpinit, dtlsinit }; uint8_t protoname2int(const char *name) { uint8_t i; for (i = 0; i < RAD_PROTOCOUNT; i++) if (protodefs[i] && protodefs[i]->name && !strcasecmp(protodefs[i]->name, name)) return i; return 255; } /* callbacks for making OpenSSL thread safe */ unsigned long ssl_thread_id() { return (unsigned long)pthread_self(); } void ssl_locking_callback(int mode, int type, const char *file, int line) { if (mode & CRYPTO_LOCK) { pthread_mutex_lock(&ssl_locks[type]); ssl_lock_count[type]++; } else pthread_mutex_unlock(&ssl_locks[type]); } /* returns 1 if the len first bits are equal, else 0 */ int prefixmatch(void *a1, void *a2, uint8_t len) { 
static uint8_t mask[] = { 0, 0x80, 0xc0, 0xe0, 0xf0, 0xf8, 0xfc, 0xfe }; uint8_t r, l = len / 8; if (l && memcmp(a1, a2, l)) return 0; r = len % 8; if (!r) return 1; return (((uint8_t *)a1)[l] & mask[r]) == (((uint8_t *)a2)[l] & mask[r]); } /* returns next config with matching address, or NULL */ struct clsrvconf *find_conf(uint8_t type, struct sockaddr *addr, struct list *confs, struct list_node **cur, uint8_t server_p) { struct list_node *entry; struct clsrvconf *conf; for (entry = (cur && *cur ? list_next(*cur) : list_first(confs)); entry; entry = list_next(entry)) { conf = (struct clsrvconf *)entry->data; if (conf->type == type && addressmatches(conf->hostports, addr, server_p)) { if (cur) *cur = entry; return conf; } } return NULL; } struct clsrvconf *find_clconf(uint8_t type, struct sockaddr *addr, struct list_node **cur) { return find_conf(type, addr, clconfs, cur, 0); } struct clsrvconf *find_srvconf(uint8_t type, struct sockaddr *addr, struct list_node **cur) { return find_conf(type, addr, srvconfs, cur, 1); } /* returns next config of given type, or NULL */ struct clsrvconf *find_clconf_type(uint8_t type, struct list_node **cur) { struct list_node *entry; struct clsrvconf *conf; for (entry = (cur && *cur ? 
list_next(*cur) : list_first(clconfs)); entry; entry = list_next(entry)) { conf = (struct clsrvconf *)entry->data; if (conf->type == type) { if (cur) *cur = entry; return conf; } } return NULL; } struct gqueue *newqueue() { struct gqueue *q; q = malloc(sizeof(struct gqueue)); if (!q) debugx(1, DBG_ERR, "malloc failed"); q->entries = list_create(); if (!q->entries) debugx(1, DBG_ERR, "malloc failed"); pthread_mutex_init(&q->mutex, NULL); pthread_cond_init(&q->cond, NULL); return q; } void removequeue(struct gqueue *q) { struct list_node *entry; if (!q) return; pthread_mutex_lock(&q->mutex); for (entry = list_first(q->entries); entry; entry = list_next(entry)) freerq((struct request *)entry); list_destroy(q->entries); pthread_cond_destroy(&q->cond); pthread_mutex_unlock(&q->mutex); pthread_mutex_destroy(&q->mutex); free(q); } void freebios(struct gqueue *q) { BIO *bio; pthread_mutex_lock(&q->mutex); while ((bio = (BIO *)list_shift(q->entries))) BIO_free(bio); pthread_mutex_unlock(&q->mutex); removequeue(q); } struct client *addclient(struct clsrvconf *conf, uint8_t lock) { struct client *new = malloc(sizeof(struct client)); if (!new) { debug(DBG_ERR, "malloc failed"); return NULL; } if (lock) pthread_mutex_lock(conf->lock); if (!conf->clients) { conf->clients = list_create(); if (!conf->clients) { if (lock) pthread_mutex_unlock(conf->lock); debug(DBG_ERR, "malloc failed"); return NULL; } } memset(new, 0, sizeof(struct client)); new->conf = conf; if (conf->pdef->addclient) conf->pdef->addclient(new); else new->replyq = newqueue(); list_push(conf->clients, new); if (lock) pthread_mutex_unlock(conf->lock); return new; } void removeclientrqs_sendrq_freeserver_lock(uint8_t wantlock) { static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER; if (wantlock) pthread_mutex_lock(&lock); else pthread_mutex_unlock(&lock); } void removeclientrqs(struct client *client) { struct request *rq; struct rqout *rqout; int i; removeclientrqs_sendrq_freeserver_lock(1); for (i = 0; i < 
MAX_REQUESTS; i++) { rq = client->rqs[i]; if (!rq) continue; if (rq->to) { rqout = rq->to->requests + rq->newid; pthread_mutex_lock(rqout->lock); if (rqout->rq == rq) /* still pointing to our request */ freerqoutdata(rqout); pthread_mutex_unlock(rqout->lock); } freerq(rq); } removeclientrqs_sendrq_freeserver_lock(0); } void removelockedclient(struct client *client) { struct clsrvconf *conf; conf = client->conf; if (conf->clients) { removeclientrqs(client); removequeue(client->replyq); list_removedata(conf->clients, client); free(client->addr); free(client); } } void removeclient(struct client *client) { struct clsrvconf *conf; if (!client) return; conf = client->conf; pthread_mutex_lock(conf->lock); removelockedclient(client); pthread_mutex_unlock(conf->lock); } void freeserver(struct server *server, uint8_t destroymutex) { struct rqout *rqout, *end; if (!server) return; removeclientrqs_sendrq_freeserver_lock(1); if (server->requests) { rqout = server->requests; for (end = rqout + MAX_REQUESTS; rqout < end; rqout++) { if (rqout->rq) rqout->rq->to = NULL; freerqoutdata(rqout); pthread_mutex_destroy(rqout->lock); free(rqout->lock); } free(server->requests); } if (server->rbios) freebios(server->rbios); free(server->dynamiclookuparg); if (server->ssl) { #if defined ENABLE_EXPERIMENTAL_DYNDISC if (server->sock >= 0) close(server->sock); #endif SSL_free(server->ssl); } if (destroymutex) { pthread_mutex_destroy(&server->lock); pthread_cond_destroy(&server->newrq_cond); pthread_mutex_destroy(&server->newrq_mutex); } removeclientrqs_sendrq_freeserver_lock(0); free(server); } int addserver(struct clsrvconf *conf) { int i; if (conf->servers) { debug(DBG_ERR, "addserver: currently works with just one server per conf"); return 0; } conf->servers = malloc(sizeof(struct server)); if (!conf->servers) { debug(DBG_ERR, "malloc failed"); return 0; } memset(conf->servers, 0, sizeof(struct server)); conf->servers->conf = conf; #ifdef RADPROT_DTLS if (conf->type == RAD_DTLS) 
conf->servers->rbios = newqueue(); #endif conf->pdef->setsrcres(); conf->servers->sock = -1; if (conf->pdef->addserverextra) conf->pdef->addserverextra(conf); conf->servers->requests = calloc(MAX_REQUESTS, sizeof(struct rqout)); if (!conf->servers->requests) { debug(DBG_ERR, "malloc failed"); goto errexit; } for (i = 0; i < MAX_REQUESTS; i++) { conf->servers->requests[i].lock = malloc(sizeof(pthread_mutex_t)); if (!conf->servers->requests[i].lock) { debug(DBG_ERR, "malloc failed"); goto errexit; } if (pthread_mutex_init(conf->servers->requests[i].lock, NULL)) { debugerrno(errno, DBG_ERR, "mutex init failed"); free(conf->servers->requests[i].lock); conf->servers->requests[i].lock = NULL; goto errexit; } } if (pthread_mutex_init(&conf->servers->lock, NULL)) { debugerrno(errno, DBG_ERR, "mutex init failed"); goto errexit; } conf->servers->newrq = 0; if (pthread_mutex_init(&conf->servers->newrq_mutex, NULL)) { debugerrno(errno, DBG_ERR, "mutex init failed"); pthread_mutex_destroy(&conf->servers->lock); goto errexit; } if (pthread_cond_init(&conf->servers->newrq_cond, NULL)) { debugerrno(errno, DBG_ERR, "mutex init failed"); pthread_mutex_destroy(&conf->servers->newrq_mutex); pthread_mutex_destroy(&conf->servers->lock); goto errexit; } return 1; errexit: freeserver(conf->servers, 0); conf->servers = NULL; return 0; } unsigned char *attrget(unsigned char *attrs, int length, uint8_t type) { while (length > 1) { if (ATTRTYPE(attrs) == type) return attrs; length -= ATTRLEN(attrs); attrs += ATTRLEN(attrs); } return NULL; } struct request *newrqref(struct request *rq) { if (rq) rq->refcount++; return rq; } void freerq(struct request *rq) { if (!rq) return; debug(DBG_DBG, "freerq: called with refcount %d", rq->refcount); if (--rq->refcount) return; if (rq->origusername) free(rq->origusername); if (rq->buf) free(rq->buf); if (rq->replybuf) free(rq->replybuf); if (rq->msg) radmsg_free(rq->msg); free(rq); } void freerqoutdata(struct rqout *rqout) { if (!rqout) return; if 
(rqout->rq) { if (rqout->rq->buf) { free(rqout->rq->buf); rqout->rq->buf = NULL; } freerq(rqout->rq); rqout->rq = NULL; } rqout->tries = 0; memset(&rqout->expiry, 0, sizeof(struct timeval)); } void sendrq(struct request *rq) { int i, start; struct server *to; removeclientrqs_sendrq_freeserver_lock(1); to = rq->to; if (!to) goto errexit; start = to->conf->statusserver ? 1 : 0; pthread_mutex_lock(&to->newrq_mutex); if (start && rq->msg->code == RAD_Status_Server) { pthread_mutex_lock(to->requests[0].lock); if (to->requests[0].rq) { pthread_mutex_unlock(to->requests[0].lock); debug(DBG_INFO, "sendrq: status server already in queue, dropping request"); goto errexit; } i = 0; } else { if (!to->nextid) to->nextid = start; /* might simplify if only try nextid, might be ok */ for (i = to->nextid; i < MAX_REQUESTS; i++) { if (!to->requests[i].rq) { pthread_mutex_lock(to->requests[i].lock); if (!to->requests[i].rq) break; pthread_mutex_unlock(to->requests[i].lock); } } if (i == MAX_REQUESTS) { for (i = start; i < to->nextid; i++) { if (!to->requests[i].rq) { pthread_mutex_lock(to->requests[i].lock); if (!to->requests[i].rq) break; pthread_mutex_unlock(to->requests[i].lock); } } if (i == to->nextid) { debug(DBG_INFO, "sendrq: no room in queue, dropping request"); goto errexit; } } } rq->newid = (uint8_t)i; rq->msg->id = (uint8_t)i; rq->buf = radmsg2buf(rq->msg, (uint8_t *)to->conf->secret); if (!rq->buf) { pthread_mutex_unlock(to->requests[i].lock); debug(DBG_ERR, "sendrq: radmsg2buf failed"); goto errexit; } debug(DBG_DBG, "sendrq: inserting packet with id %d in queue for %s", i, to->conf->name); to->requests[i].rq = rq; pthread_mutex_unlock(to->requests[i].lock); if (i >= start) /* i is not reserved for statusserver */ to->nextid = i + 1; if (!to->newrq) { to->newrq = 1; debug(DBG_DBG, "sendrq: signalling client writer"); pthread_cond_signal(&to->newrq_cond); } pthread_mutex_unlock(&to->newrq_mutex); removeclientrqs_sendrq_freeserver_lock(0); return; errexit: if (rq->from) 
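rmclientrq(rq, rq->msg->id);
    freerq(rq);
    /* errexit is also reached from the "rq->to is NULL" check at the top of
     * sendrq, before newrq_mutex has been locked; only unlock the mutex when
     * a destination server was actually resolved. */
    if (to)
        pthread_mutex_unlock(&to->newrq_mutex);
    removeclientrqs_sendrq_freeserver_lock(0);
}

/*
 * Queue rq as a reply for the client it was received from (rq->from).
 *
 * If no reply buffer exists yet, rq->msg is serialised with the client's
 * configured secret.  rq->msg is always released here.  On success the
 * request is appended to the client's reply queue and, if the queue was empty
 * before, the queue's condition variable is signalled.  On failure
 * (serialisation or list_push) the reference to rq is dropped with freerq().
 */
void sendreply(struct request *rq) {
    uint8_t first;
    struct client *to = rq->from;

    if (!rq->replybuf)
        rq->replybuf = radmsg2buf(rq->msg, (uint8_t *)to->conf->secret);
    radmsg_free(rq->msg);
    rq->msg = NULL;
    if (!rq->replybuf) {
        freerq(rq);
        debug(DBG_ERR, "sendreply: radmsg2buf failed");
        return;
    }

    pthread_mutex_lock(&to->replyq->mutex);
    /* Remember whether the queue was empty so the writer is only woken once. */
    first = list_first(to->replyq->entries) == NULL;

    if (!list_push(to->replyq->entries, rq)) {
        pthread_mutex_unlock(&to->replyq->mutex);
        freerq(rq);
        debug(DBG_ERR, "sendreply: malloc failed");
        return;
    }

    if (first) {
        debug(DBG_DBG, "signalling server writer");
        pthread_cond_signal(&to->replyq->cond);
    }
    pthread_mutex_unlock(&to->replyq->mutex);
}

/*
 * Hide or reveal a password value in place.
 *
 * The value is processed in 16-octet blocks: each block is XORed with
 * MD5(shared || prev), where prev is auth (16 octets) for the first block and
 * afterwards the ciphertext of the previous block (the output when
 * encrypt_flag is set, the input otherwise).
 *
 * in        buffer of len octets, overwritten with the result on success
 * len       must be a multiple of 16 in the range 16..128
 * shared    shared secret, sharedlen octets
 * auth      16 octets used to key the first block
 *
 * Returns 1 on success, 0 on an invalid length or a digest failure.
 */
int pwdcrypt(char encrypt_flag, uint8_t *in, uint8_t len, char *shared, uint8_t sharedlen, uint8_t *auth) {
    static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    static unsigned char first = 1;
    static EVP_MD_CTX mdctx;
    unsigned char hash[EVP_MAX_MD_SIZE], *input;
    unsigned int md_len;
    uint8_t i, offset = 0, out[128];

    /* The loop below only stops when offset, advancing in steps of 16, equals
     * len exactly.  A length of 0, one that is not a multiple of 16, or one
     * above 128 would therefore run past out[] (and past in[]), so such
     * lengths are rejected before any work is done. */
    if (len < 16 || len > sizeof(out) || len % 16)
        return 0;

    /* mdctx is a single static context; the mutex serialises its use. */
    pthread_mutex_lock(&lock);
    if (first) {
        EVP_MD_CTX_init(&mdctx);
        first = 0;
    }

    input = auth;
    for (;;) {
        if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
            !EVP_DigestUpdate(&mdctx, (uint8_t *)shared, sharedlen) ||
            !EVP_DigestUpdate(&mdctx, input, 16) ||
            !EVP_DigestFinal_ex(&mdctx, hash, &md_len) ||
            md_len != 16) {
            pthread_mutex_unlock(&lock);
            return 0;
        }
        for (i = 0; i < 16; i++)
            out[offset + i] = hash[i] ^ in[offset + i];
        /* The next block is chained on the ciphertext of this one. */
        if (encrypt_flag)
            input = out + offset;
        else
            input = in + offset;
        offset += 16;
        if (offset == len)
            break;
    }
    memcpy(in, out, len);
    pthread_mutex_unlock(&lock);
    return 1;
}

/*
 * Encrypt text (len octets) in place in 16-octet blocks, keyed with
 * MD5 over the shared secret, auth (16 octets) and salt (2 octets) for the
 * first block and over the shared secret and the previous ciphertext block
 * afterwards.  Returns 1 on success, 0 on failure.
 */
int msmppencrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) {
    static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    static unsigned char first = 1;
    static EVP_MD_CTX mdctx;
    unsigned char hash[EVP_MAX_MD_SIZE];
    unsigned int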
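md_len;
    uint8_t i, offset;

    /* Both loops below always touch a whole 16-octet block and offset is a
     * uint8_t.  A length that is not a multiple of 16 would modify up to 15
     * octets beyond text + len, and a length above 240 would wrap offset back
     * to 0 so the loop never terminates while the static mutex is held.
     * Reject such lengths before doing any work. */
    if (len < 16 || len % 16)
        return 0;

    /* mdctx is a single static context; the mutex serialises its use. */
    pthread_mutex_lock(&lock);
    if (first) {
        EVP_MD_CTX_init(&mdctx);
        first = 0;
    }

    /* The disabled dumps in this function print key material; they are for
     * local debugging only. */
#if 0
    printfchars(NULL, "msppencrypt auth in", "%02x ", auth, 16);
    printfchars(NULL, "msppencrypt salt in", "%02x ", salt, 2);
    printfchars(NULL, "msppencrypt in", "%02x ", text, len);
#endif

    /* First block: keyed with shared secret, authenticator and salt. */
    if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
        !EVP_DigestUpdate(&mdctx, shared, sharedlen) ||
        !EVP_DigestUpdate(&mdctx, auth, 16) ||
        !EVP_DigestUpdate(&mdctx, salt, 2) ||
        !EVP_DigestFinal_ex(&mdctx, hash, &md_len)) {
        pthread_mutex_unlock(&lock);
        return 0;
    }

#if 0
    printfchars(NULL, "msppencrypt hash", "%02x ", hash, 16);
#endif

    for (i = 0; i < 16; i++)
        text[i] ^= hash[i];

    /* Remaining blocks: keyed with shared secret and the previous ciphertext
     * block, which has already been written back into text. */
    for (offset = 16; offset < len; offset += 16) {
#if 0
        printf("text + offset - 16 c(%d): ", offset / 16);
        printfchars(NULL, NULL, "%02x ", text + offset - 16, 16);
#endif
        if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||
            !EVP_DigestUpdate(&mdctx, shared, sharedlen) ||
            !EVP_DigestUpdate(&mdctx, text + offset - 16, 16) ||
            !EVP_DigestFinal_ex(&mdctx, hash, &md_len) ||
            md_len != 16) {
            pthread_mutex_unlock(&lock);
            return 0;
        }
#if 0
        printfchars(NULL, "msppencrypt hash", "%02x ", hash, 16);
#endif
        for (i = 0; i < 16; i++)
            text[offset + i] ^= hash[i];
    }

#if 0
    printfchars(NULL, "msppencrypt out", "%02x ", text, len);
#endif

    pthread_mutex_unlock(&lock);
    return 1;
}

/*
 * Decrypt text (len octets) in place; the inverse of msmppencrypt.
 *
 * The plaintext is assembled in a local buffer and copied back over text at
 * the end, because each block is keyed with the previous ciphertext block.
 * len must be a non-zero multiple of 16.  Returns 1 on success, 0 on an
 * invalid length or a digest failure.
 */
int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen, uint8_t *auth, uint8_t *salt) {
    static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
    static unsigned char first = 1;
    static EVP_MD_CTX mdctx;
    unsigned char hash[EVP_MAX_MD_SIZE];
    unsigned int md_len;
    uint8_t i, offset;
    char plain[255];

    /* The block loop writes plain[offset .. offset + 15] and offset is a
     * uint8_t.  A length above 240 would write plain[255], one past the end
     * of the buffer, and then wrap offset to 0 so the loop never terminates;
     * a length below 16 would read text past len.  Only whole blocks that fit
     * are accepted. */
    if (len < 16 || len % 16)
        return 0;

    /* mdctx is a single static context; the mutex serialises its use. */
    pthread_mutex_lock(&lock);
    if (first) {
        EVP_MD_CTX_init(&mdctx);
        first = 0;
    }

    /* Disabled debug dump; prints key material when enabled. */
#if 0
    printfchars(NULL, "msppdecrypt auth in", "%02x ", auth, 16);
    printfchars(NULL, "msppdecrypt salt in", "%02x ", salt, 2);
    printfchars(NULL, "msppdecrypt in", "%02x ", text, len);
#endif

    if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) ||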
!EVP_DigestUpdate(&mdctx, shared, sharedlen) || !EVP_DigestUpdate(&mdctx, auth, 16) || !EVP_DigestUpdate(&mdctx, salt, 2) || !EVP_DigestFinal_ex(&mdctx, hash, &md_len)) { pthread_mutex_unlock(&lock); return 0; } #if 0 printfchars(NULL, "msppdecrypt hash", "%02x ", hash, 16); #endif for (i = 0; i < 16; i++) plain[i] = text[i] ^ hash[i]; for (offset = 16; offset < len; offset += 16) { #if 0 printf("text + offset - 16 c(%d): ", offset / 16); printfchars(NULL, NULL, "%02x ", text + offset - 16, 16); #endif if (!EVP_DigestInit_ex(&mdctx, EVP_md5(), NULL) || !EVP_DigestUpdate(&mdctx, shared, sharedlen) || !EVP_DigestUpdate(&mdctx, text + offset - 16, 16) || !EVP_DigestFinal_ex(&mdctx, hash, &md_len) || md_len != 16) { pthread_mutex_unlock(&lock); return 0; } #if 0 printfchars(NULL, "msppdecrypt hash", "%02x ", hash, 16); #endif for (i = 0; i < 16; i++) plain[offset + i] = text[offset + i] ^ hash[i]; } memcpy(text, plain, len); #if 0 printfchars(NULL, "msppdecrypt out", "%02x ", text, len); #endif pthread_mutex_unlock(&lock); return 1; } struct realm *newrealmref(struct realm *r) { if (r) r->refcount++; return r; } /* returns with lock on realm */ struct realm *id2realm(struct list *realmlist, char *id) { struct list_node *entry; struct realm *realm, *subrealm; /* need to do locking for subrealms and check subrealm timers */ for (entry = list_first(realmlist); entry; entry = list_next(entry)) { realm = (struct realm *)entry->data; if (!regexec(&realm->regex, id, 0, NULL, 0)) { pthread_mutex_lock(&realm->mutex); if (realm->subrealms) { subrealm = id2realm(realm->subrealms, id); if (subrealm) { pthread_mutex_unlock(&realm->mutex); return subrealm; } } return newrealmref(realm); } } return NULL; } int hasdynamicserver(struct list *srvconfs) { struct list_node *entry; for (entry = list_first(srvconfs); entry; entry = list_next(entry)) #if defined ENABLE_EXPERIMENTAL_DYNDISC if (((struct clsrvconf *)entry->data)->dynamiclookupcommand || ((struct clsrvconf 
*)entry->data)->servers->in_use) #else if (((struct clsrvconf *)entry->data)->dynamiclookupcommand) #endif return 1; return 0; } /* helper function, only used by removeserversubrealms() */ void _internal_removeserversubrealms(struct list *realmlist, struct clsrvconf *srv) { struct list_node *entry, *entry2; struct realm *realm; for (entry = list_first(realmlist); entry;) { realm = newrealmref((struct realm *)entry->data); pthread_mutex_lock(&realm->mutex); entry = list_next(entry); if (realm->srvconfs) { for (entry2 = list_first(realm->srvconfs); entry2; entry2 = list_next(entry2)) if (entry2->data == srv) freerealm(realm); list_removedata(realm->srvconfs, srv); } if (realm->accsrvconfs) { for (entry2 = list_first(realm->accsrvconfs); entry2; entry2 = list_next(entry2)) if (entry2->data == srv) freerealm(realm); list_removedata(realm->accsrvconfs, srv); } /* remove subrealm if no dynamic servers left */ if (!hasdynamicserver(realm->srvconfs) && !hasdynamicserver(realm->accsrvconfs)) { while (list_shift(realm->srvconfs)) freerealm(realm); list_destroy(realm->srvconfs); realm->srvconfs = NULL; while (list_shift(realm->accsrvconfs)) freerealm(realm); list_destroy(realm->accsrvconfs); realm->accsrvconfs = NULL; list_removedata(realmlist, realm); } pthread_mutex_unlock(&realm->mutex); freerealm(realm); } } void removeserversubrealms(struct list *realmlist, struct clsrvconf *srv) { struct list_node *entry; struct realm *realm; for (entry = list_first(realmlist); entry; entry = list_next(entry)) { realm = (struct realm *)entry->data; pthread_mutex_lock(&realm->mutex); if (realm->subrealms) { _internal_removeserversubrealms(realm->subrealms, srv); if (!list_first(realm->subrealms)) { list_destroy(realm->subrealms); realm->subrealms = NULL; } } pthread_mutex_unlock(&realm->mutex); } } int attrvalidate(unsigned char *attrs, int length) { while (length > 1) { if (ATTRLEN(attrs) < 2) { debug(DBG_INFO, "attrvalidate: invalid attribute length %d", ATTRLEN(attrs)); return 0; } 
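length -= ATTRLEN(attrs);
        /* (tail of attrvalidate(), whose head is on the preceding line;
         * unchanged) */
        if (length < 0) {
            debug(DBG_INFO, "attrvalidate: attribute length %d exceeds packet length", ATTRLEN(attrs));
            return 0;
        }
        attrs += ATTRLEN(attrs);
    }
    if (length)
        debug(DBG_INFO, "attrvalidate: malformed packet? remaining byte after last attribute");
    return 1;
}

/**
 * Re-encrypt a hidden password value in place: decrypt it with
 * OLDSECRET/OLDAUTH, then encrypt it with NEWSECRET/NEWAUTH.
 *
 * LEN must be a multiple of 16 between 16 and 128.  This check is what
 * keeps pwdcrypt()'s 128-byte scratch buffer and its "offset == len"
 * loop exit within bounds for values taken from the network.
 *
 * Returns 1 on success, 0 on an invalid length or a digest failure.
 */
int pwdrecrypt(uint8_t *pwd, uint8_t len, char *oldsecret, char *newsecret, uint8_t *oldauth, uint8_t *newauth) {
    if (len < 16 || len > 128 || len % 16) {
        debug(DBG_WARN, "pwdrecrypt: invalid password length");
        return 0;
    }

    if (!pwdcrypt(0, pwd, len, oldsecret, strlen(oldsecret), oldauth)) {
        debug(DBG_WARN, "pwdrecrypt: cannot decrypt password");
        return 0;
    }

    /* NOTE(review): a DEBUG build hands the decrypted password bytes to
     * printfchars() here.  Keep DEBUG out of production builds, or drop
     * this dump, so that user passwords never reach the debug output. */
#ifdef DEBUG
    printfchars(NULL, "pwdrecrypt: password", "%02x ", pwd, len);
#endif

    if (!pwdcrypt(1, pwd, len, newsecret, strlen(newsecret), newauth)) {
        debug(DBG_WARN, "pwdrecrypt: cannot encrypt password");
        return 0;
    }
    return 1;
}

/**
 * Re-encrypt an MS-MPPE key attribute value in place.
 *
 * MSMPP points at the attribute value: a 2-byte salt followed by the
 * encrypted key string.  The string is decrypted with
 * OLDSECRET/OLDAUTH and encrypted again with NEWSECRET/NEWAUTH, reusing
 * the salt from the value itself.
 *
 * The encrypted string must be a non-zero multiple of 16 bytes (RFC 2548
 * pads it that way).  msmppencrypt()/msmppdecrypt() walk it in whole
 * 16-byte steps with a uint8_t offset and a 255-byte scratch buffer, so a
 * ragged length from the peer would make them touch memory past the
 * value and, above 240 bytes, wrap the offset and loop without end while
 * holding their mutex.  Such values are rejected here.
 *
 * Returns 1 on success, 0 on an invalid length or a crypto failure.
 */
int msmpprecrypt(uint8_t *msmpp, uint8_t len, char *oldsecret, char *newsecret, uint8_t *oldauth, uint8_t *newauth) {
    if (len < 18 || (len - 2) % 16)
        return 0;
    if (!msmppdecrypt(msmpp + 2, len - 2, (uint8_t *)oldsecret, strlen(oldsecret), oldauth, msmpp)) {
        debug(DBG_WARN, "msmpprecrypt: failed to decrypt msppe key");
        return 0;
    }
    if (!msmppencrypt(msmpp + 2, len - 2, (uint8_t *)newsecret, strlen(newsecret), newauth, msmpp)) {
        debug(DBG_WARN, "msmpprecrypt: failed to encrypt msppe key");
        return 0;
    }
    return 1;
}

/**
 * Re-encrypt every sub-attribute of type TYPE found in the LENGTH bytes
 * at ATTRS, from OLDSECRET to NEWSECRET.  The authenticator used for
 * decryption is taken from rq->buf + 4 and the one for encryption from
 * rq->rqauth.  ATTRTXT is only used in the debug message.
 *
 * Returns 1 if all matching sub-attributes were converted (or none was
 * present), 0 as soon as one fails.
 */
int msmppe(unsigned char *attrs, int length, uint8_t type, char *attrtxt, struct request *rq, char *oldsecret, char *newsecret) {
    unsigned char *attr;

    for (attr = attrs; (attr = attrget(attr, length - (attr - attrs), type)); attr += ATTRLEN(attr)) {
        debug(DBG_DBG, "msmppe: Got %s", attrtxt);
        if (!msmpprecrypt(ATTRVAL(attr), ATTRVALLEN(attr), oldsecret, newsecret, rq->buf + 4, rq->rqauth))
            return 0;
    }
    return 1;
}

/* ATTRS is a list of (vendor, subattr) pairs terminated by a zero vendor.
 * Returns 1 if the pair (VENDOR, SUBATTR) is in the list, else 0; a NULL
 * list contains nothing. */
int findvendorsubattr(uint32_t *attrs, uint32_t vendor, uint32_t subattr) {
    if (!attrs)
        return 0;

    for (; attrs[0]; attrs += 2)
        if (attrs[0] == vendor && attrs[1] == subattr)
            return 1;
    return 0;
}

/* returns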
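1 if entire element is to be removed, else 0 */
/* REMOVEVENDORATTRS is a zero-terminated list of (vendor, subattr) pairs;
 * subattr 256 stands for "the whole vendor attribute".  Sub-attributes of
 * ATTR that are listed for its vendor are cut out of attr->v in place and
 * attr->l is reduced accordingly. */
int dovendorrewriterm(struct tlv *attr, uint32_t *removevendorattrs) {
    uint8_t alen, sublen;
    uint32_t vendor;
    uint8_t *subattrs;

    if (!removevendorattrs)
        return 0;

    /* A vendor-specific value starts with a 4-byte vendor id.  Without
     * this check a shorter value would be read past its end by the
     * memcpy() below and "attr->l - 4" would wrap in the uint8_t sublen. */
    if (attr->l < 4)
        return 0;

    memcpy(&vendor, attr->v, 4);
    vendor = ntohl(vendor);
    /* Skip ahead to the first list entry for this vendor. */
    while (*removevendorattrs && *removevendorattrs != vendor)
        removevendorattrs += 2;
    if (!*removevendorattrs)
        return 0;

    if (findvendorsubattr(removevendorattrs, vendor, 256))
        return 1; /* remove entire vendor attribute */

    sublen = attr->l - 4;
    subattrs = attr->v + 4;

    if (!attrvalidate(subattrs, sublen)) {
        debug(DBG_INFO, "dovendorrewrite: vendor attribute validation failed, no rewrite");
        return 0;
    }

    while (sublen > 1) {
        alen = ATTRLEN(subattrs);
        sublen -= alen;
        if (findvendorsubattr(removevendorattrs, vendor, ATTRTYPE(subattrs))) {
            /* Close the gap: move the remaining sub-attributes down. */
            memmove(subattrs, subattrs + alen, sublen);
            attr->l -= alen;
        } else
            subattrs += alen;
    }
    return 0;
}

/* Remove from MSG every attribute whose type occurs in the NUL-terminated
 * byte string RMATTRS, and every vendor-specific attribute (or listed
 * sub-attribute) selected by RMVATTRS via dovendorrewriterm().
 * NOTE(review): strchr() also matches the terminating NUL, so an
 * attribute of type 0 would count as listed whenever RMATTRS is set. */
void dorewriterm(struct radmsg *msg, uint8_t *rmattrs, uint32_t *rmvattrs) {
    struct list_node *n, *p;
    struct tlv *attr;

    p = NULL;
    n = list_first(msg->attrs);
    while (n) {
        attr = (struct tlv *)n->data;
        if ((rmattrs && strchr((char *)rmattrs, attr->t)) ||
            (rmvattrs && attr->t == RAD_Attr_Vendor_Specific && dovendorrewriterm(attr, rmvattrs))) {
            list_removedata(msg->attrs, attr);
            freetlv(attr);
            /* n is gone; continue after the last node that was kept. */
            n = p ? list_next(p) : list_first(msg->attrs);
        } else {
            p = n;
            n = list_next(n);
        }
    }
}

/* Append a copy of every attribute in ADDATTRS to MSG.  Returns 1 on
 * success, 0 as soon as a copy or an add fails (attributes added before
 * that point stay in MSG). */
int dorewriteadd(struct radmsg *msg, struct list *addattrs) {
    struct list_node *n;
    struct tlv *a;

    for (n = list_first(addattrs); n; n = list_next(n)) {
        a = copytlv((struct tlv *)n->data);
        if (!a)
            return 0;
        if (!radmsg_add(msg, a)) {
            freetlv(a);
            return 0;
        }
    }
    return 1;
}

/* Resize the value buffer of ATTR to NEWLEN bytes with realloc() and
 * update attr->l.  Returns 1 on success (or if the length is unchanged),
 * 0 if realloc() fails, in which case ATTR is left as it was. */
int resizeattr(struct tlv *attr, uint8_t newlen) {
    uint8_t *newv;

    if (newlen != attr->l) {
        newv = realloc(attr->v, newlen);
        if (!newv)
            return 0;
        attr->v = newv;
        attr->l = newlen;
    }
    return 1;
}

/**
 * Rewrite the value of ATTR according to MODATTR: if modattr->regex
 * matches the value, it is replaced by modattr->replacement with \1..\9
 * expanded to the corresponding matched groups.  A back-reference to a
 * group that did not take part in the match is left in the output as is.
 *
 * The work is done in two passes over the replacement string: the first
 * computes the resulting length (rejected above 253 bytes), the second
 * writes the result after ATTR has been resized.
 *
 * Returns 1 on success or when the regex does not match, 0 on allocation
 * failure or when the result would be too long.
 */
int dorewritemodattr(struct tlv *attr, struct modattr *modattr) {
    size_t nmatch = 10, reslen = 0, start = 0;
    regmatch_t pmatch[10], *pfield;
    int i;
    char *in, *out;

    /* NUL-terminated copy of the value for regexec(). */
    in = stringcopy((char *)attr->v, attr->l);
    if (!in)
        return 0;

    if (regexec(modattr->regex, in, nmatch, pmatch, 0)) {
        free(in);
        return 1;
    }

    out = modattr->replacement;

    /* Pass 1: length of the expanded replacement. */
    for (i = start; out[i]; i++) {
        if (out[i] == '\\' && out[i + 1] >= '1' && out[i + 1] <= '9') {
            pfield = &pmatch[out[i + 1] - '0'];
            if (pfield->rm_so >= 0) {
                reslen += i - start + pfield->rm_eo - pfield->rm_so;
                start = i + 2;
            }
            i++;
        }
    }
    reslen += i - start;
    if (reslen > 253) {
        /* reslen is a size_t; convert it for the %d conversion. */
        debug(DBG_INFO, "rewritten attribute length would be %d, max possible is 253, discarding message", (int)reslen);
        free(in);
        return 0;
    }

    if (!resizeattr(attr, reslen)) {
        free(in);
        return 0;
    }

    start = 0;
    reslen = 0;

    /* Pass 2: write literal stretches and matched groups into attr->v. */
    for (i = start; out[i]; i++) {
        if (out[i] == '\\' && out[i + 1] >= '1' && out[i + 1] <= '9') {
            pfield = &pmatch[out[i + 1] - '0'];
            if (pfield->rm_so >= 0) {
                memcpy(attr->v + reslen, out + start, i - start);
                reslen += i - start;
                memcpy(attr->v + reslen, in + pfield->rm_so, pfield->rm_eo - pfield->rm_so);
                reslen += pfield->rm_eo - pfield->rm_so;
                start = i + 2;
            }
            i++;
        }
    }

    memcpy(attr->v + reslen, out + start, i - start);
    /* The copy of the old value was leaked on this path before. */
    free(in);
    return 1;
}

/* Apply every entry of MODATTRS to each attribute of MSG that has the
 * entry's type.  Returns 0 as soon as one rewrite fails, else 1. */
int dorewritemod(struct radmsg *msg, struct list *modattrs) {
    struct list_node *n, *m;

    for (n = list_first(msg->attrs); n; n = list_next(n))
        for (m = list_first(modattrs); m; m = list_next(m))
            if (((struct tlv *)n->data)->t == ((struct modattr *)m->data)->t &&
                !dorewritemodattr((struct tlv *)n->data, (struct modattr *)m->data))
                return 0;
    return 1;
}

/* Apply REWRITE to MSG in the order remove, modify, add.  A NULL REWRITE
 * is a no-op.  Returns 1 on success, 0 if modifying or adding failed (the
 * add step is still attempted after a failed modify step). */
int dorewrite(struct radmsg *msg, struct rewrite *rewrite) {
    int rv = 1;                 /* Success.  */

    if (rewrite) {
        if (rewrite->removeattrs || rewrite->removevendorattrs)
            dorewriterm(msg, rewrite->removeattrs, rewrite->removevendorattrs);
        if (rewrite->modattrs)
            if (!dorewritemod(msg, rewrite->modattrs))
                rv = 0;
        if (rewrite->addattrs)
            if (!dorewriteadd(msg, rewrite->addattrs))
                rv = 0;
    }
    return rv;
}

/* Apply the client's rewriteusername rule to the User-Name attribute
 * ATTR.  If the value changed, the original string is stored in
 * rq->origusername (which then owns it); otherwise it is freed.
 * Returns 1 on success, 0 on failure. */
int rewriteusername(struct request *rq, struct tlv *attr) {
    char *orig = (char *)tlv2str(attr);

    /* tlv2str() can return NULL (findserver() checks for it); without a
     * copy of the original the strlen() below would dereference NULL. */
    if (!orig)
        return 0;
    if (!dorewritemodattr(attr, rq->from->conf->rewriteusername)) {
        free(orig);
        return 0;
    }
    if (strlen(orig) != attr->l || memcmp(orig, attr->v, attr->l))
        rq->origusername = (char *)orig;
    else
        free(orig);
    return 1;
}

/** Create vendor specific tlv with ATTR.  ATTR is consumed (freed) if
 * all is well with the new tlv, i.e. if the function returns
 * !NULL.
 *
 * The new value is the 4-byte vendor id followed by ATTR serialised by
 * tlv2buf().  Returns NULL, leaving ATTR untouched, if ATTR is NULL, too
 * long, or an allocation fails. */
static struct tlv *
makevendortlv(uint32_t vendor, struct tlv *attr)
{
    struct tlv *newtlv = NULL;
    uint8_t l, *v;

    if (!attr)
        return NULL;
    /* l is a uint8_t: for attr->l above 249 the sum below would wrap and
     * the buffer would be smaller than what gets written into it. */
    if (attr->l > 255 - 6)
        return NULL;
    l = attr->l + 6;
    v = malloc(l);
    if (v) {
        vendor = htonl(vendor & 0x00ffffff); /* MSB=0 according to RFC 2865. */
        memcpy(v, &vendor, 4);
        tlv2buf(v + 4, attr);
        v[5] += 2; /* Vendor length increased for type and length fields. */
        newtlv = maketlv(RAD_Attr_Vendor_Specific, l, v);
        if (newtlv == NULL)
            free(v);
        else
            freetlv(attr);
    }
    return newtlv;
}

/** Add vendor attribute with VENDOR + ATTR and push it on MSG.  ATTR
 * is consumed.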
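*/
/* Returns 1 on success and 0 on failure; in both cases ATTR must not be
 * used by the caller afterwards. */
int addvendorattr(struct radmsg *msg, uint32_t vendor, struct tlv *attr) {
    struct tlv *vattr;

    vattr = makevendortlv(vendor, attr);
    if (!vattr) {
        /* makevendortlv() only consumes attr on success. */
        freetlv(attr);
        return 0;
    }
    if (!radmsg_add(msg, vattr)) {
        freetlv(vattr);
        return 0;
    }
    return 1;
}

/* Add a 4-byte TTL attribute with value ADDTTL to MSG.  ATTRTYPE is a
 * pair: with attrtype[1] == 256 the attribute is a plain one of type
 * attrtype[0]; otherwise attrtype[0] is the vendor id and attrtype[1] the
 * vendor sub-attribute type.  Failures are ignored. */
void addttlattr(struct radmsg *msg, uint32_t *attrtype, uint8_t addttl) {
    uint8_t ttl[4];
    struct tlv *attr;

    /* Big-endian 32-bit value holding addttl. */
    memset(ttl, 0, 4);
    ttl[3] = addttl;

    if (attrtype[1] == 256) { /* not vendor */
        attr = maketlv(attrtype[0], 4, ttl);
        if (attr && !radmsg_add(msg, attr))
            freetlv(attr);
    } else {
        attr = maketlv(attrtype[1], 4, ttl);
        if (attr)
            addvendorattr(msg, attrtype[0], attr);
    }
}

/**
 * Decrement the L-byte big-endian counter at V by one, in place.
 *
 * Returns 1 if the counter is still non-zero afterwards, 0 if it reached
 * zero or already was zero (it is then left unchanged).
 *
 * An empty value (L == 0) is reported as exceeded.  Without that check
 * the code would start at v[-1]; for a vendor sub-attribute that is
 * presumably the sub-attribute's own length octet (assuming ATTRVAL()
 * points just past the header), which would then be decremented.
 */
int decttl(uint8_t l, uint8_t *v) {
    int i;

    if (l == 0)
        return 0;

    i = l - 1;
    if (v[i]) {
        /* No borrow needed: decrement the last byte ... */
        if (--v[i--])
            return 1;
        /* ... and if it became 0, see whether any higher byte is set. */
        while (i >= 0 && !v[i])
            i--;
        return i >= 0;
    }
    /* Last byte is 0: find the nearest non-zero byte to borrow from. */
    for (i--; i >= 0 && !v[i]; i--);
    if (i < 0)
        return 0;
    v[i]--;
    while (++i < l)
        v[i] = 255;
    return 1;
}

/* returns -1 if no ttl, 0 if exceeded, 1 if ok */
/* ATTRTYPE selects the TTL attribute the same way as in addttlattr().
 * The TTL found in MSG is decremented in place by decttl().  In the
 * vendor case, vendor-specific attributes that are too short, belong to
 * another vendor or fail attrvalidate() are skipped. */
int checkttl(struct radmsg *msg, uint32_t *attrtype) {
    uint8_t alen, *subattrs;
    struct tlv *attr;
    struct list_node *node;
    uint32_t vendor;
    int sublen;

    if (attrtype[1] == 256) { /* not vendor */
        attr = radmsg_gettype(msg, attrtype[0]);
        if (attr)
            return decttl(attr->l, attr->v);
    } else
        for (node = list_first(msg->attrs); node; node = list_next(node)) {
            attr = (struct tlv *)node->data;
            if (attr->t != RAD_Attr_Vendor_Specific || attr->l <= 4)
                continue;
            memcpy(&vendor, attr->v, 4);
            if (ntohl(vendor) != attrtype[0])
                continue;
            sublen = attr->l - 4;
            subattrs = attr->v + 4;
            if (!attrvalidate(subattrs, sublen))
                continue;
            while (sublen > 1) {
                if (ATTRTYPE(subattrs) == attrtype[1])
                    return decttl(ATTRVALLEN(subattrs), ATTRVAL(subattrs));
                alen = ATTRLEN(subattrs);
                sublen -= alen;
                subattrs += alen;
            }
        }
    return -1;
}

/* Name of a RADIUS message code for log output. */
const char *radmsgtype2string(uint8_t code) {
    static const char *rad_msg_names[] = {
        "", "Access-Request", "Access-Accept", "Access-Reject",
        "Accounting-Request", "Accounting-Response", "", "",
        "", "", "", "Access-Challenge",
        "Status-Server", "Status-Client"
    };
    return code < 14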
&& *rad_msg_names[code] ? rad_msg_names[code] : "Unknown"; } void char2hex(char *h, unsigned char c) { static const char hexdigits[] = { '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f' }; h[0] = hexdigits[c / 16]; h[1] = hexdigits[c % 16]; return; } uint8_t *radattr2ascii(struct tlv *attr) { int i, l; uint8_t *a, *d; if (!attr) return NULL; l = attr->l; for (i = 0; i < attr->l; i++) if (attr->v[i] < 32 || attr->v[i] > 126) l += 2; if (l == attr->l) return (uint8_t *)stringcopy((char *)attr->v, attr->l); a = malloc(l + 1); if (!a) return NULL; d = a; for (i = 0; i < attr->l; i++) if (attr->v[i] < 32 || attr->v[i] > 126) { *d++ = '%'; char2hex((char *)d, attr->v[i]); d += 2; } else *d++ = attr->v[i]; *d = '\0'; return a; } void acclog(struct radmsg *msg, struct client *from) { struct tlv *attr; uint8_t *username; attr = radmsg_gettype(msg, RAD_Attr_User_Name); if (!attr) { debug(DBG_INFO, "acclog: accounting-request from client %s (%s) without username attribute", from->conf->name, addr2string(from->addr)); return; } username = radattr2ascii(attr); if (username) { debug(DBG_INFO, "acclog: accounting-request from client %s (%s) with username: %s", from->conf->name, addr2string(from->addr), username); free(username); } } void respond(struct request *rq, uint8_t code, char *message) { struct radmsg *msg; struct tlv *attr; msg = radmsg_init(code, rq->msg->id, rq->msg->auth); if (!msg) { debug(DBG_ERR, "respond: malloc failed"); return; } if (message && *message) { attr = maketlv(RAD_Attr_Reply_Message, strlen(message), message); if (!attr || !radmsg_add(msg, attr)) { freetlv(attr); radmsg_free(msg); debug(DBG_ERR, "respond: malloc failed"); return; } } radmsg_free(rq->msg); rq->msg = msg; debug(DBG_DBG, "respond: sending %s to %s (%s)", radmsgtype2string(msg->code), rq->from->conf->name, addr2string(rq->from->addr)); sendreply(newrqref(rq)); } struct clsrvconf *choosesrvconf(struct list *srvconfs) { struct list_node *entry; struct clsrvconf 
*server, *best = NULL, *first = NULL; for (entry = list_first(srvconfs); entry; entry = list_next(entry)) { server = (struct clsrvconf *)entry->data; if (!server->servers) return server; if (server->servers->dynfailing) continue; if (!first) first = server; if (!server->servers->connectionok && !server->servers->dynstartup) continue; if (!server->servers->lostrqs) return server; if (!best) { best = server; continue; } if (server->servers->lostrqs < best->servers->lostrqs) best = server; } return best ? best : first; } /* returns with lock on realm, protects from server changes while in use by radsrv/sendrq */ struct server *findserver(struct realm **realm, struct tlv *username, uint8_t acc) { struct clsrvconf *srvconf; struct realm *subrealm; struct server *server = NULL; char *id = (char *)tlv2str(username); if (!id) return NULL; /* returns with lock on realm */ *realm = id2realm(realms, id); if (!*realm) goto exit; debug(DBG_DBG, "found matching realm: %s", (*realm)->name); srvconf = choosesrvconf(acc ? (*realm)->accsrvconfs : (*realm)->srvconfs); if (srvconf && !(*realm)->parent && !srvconf->servers && srvconf->dynamiclookupcommand) { subrealm = adddynamicrealmserver(*realm, id); if (subrealm) { pthread_mutex_lock(&subrealm->mutex); pthread_mutex_unlock(&(*realm)->mutex); freerealm(*realm); *realm = subrealm; debug(DBG_DBG, "added realm: %s", (*realm)->name); srvconf = choosesrvconf(acc ? 
(*realm)->accsrvconfs : (*realm)->srvconfs); debug(DBG_DBG, "found conf for new realm: %s", srvconf->name); } } if (srvconf) { debug(DBG_DBG, "found matching conf: %s", srvconf->name); server = srvconf->servers; } exit: free(id); return server; } struct request *newrequest() { struct request *rq; rq = malloc(sizeof(struct request)); if (!rq) { debug(DBG_ERR, "newrequest: malloc failed"); return NULL; } memset(rq, 0, sizeof(struct request)); rq->refcount = 1; gettimeofday(&rq->created, NULL); return rq; } int addclientrq(struct request *rq) { struct request *r; struct timeval now; r = rq->from->rqs[rq->rqid]; if (r) { if (rq->udpport == r->udpport && !memcmp(rq->rqauth, r->rqauth, 16)) { gettimeofday(&now, NULL); if (now.tv_sec - r->created.tv_sec < r->from->conf->dupinterval) { if (r->replybuf) { debug(DBG_INFO, "addclientrq: already sent reply to request with id %d from %s, resending", rq->rqid, addr2string(r->from->addr)); sendreply(newrqref(r)); } else debug(DBG_INFO, "addclientrq: already got request with id %d from %s, ignoring", rq->rqid, addr2string(r->from->addr)); return 0; } } freerq(r); } rq->from->rqs[rq->rqid] = newrqref(rq); return 1; } void rmclientrq(struct request *rq, uint8_t id) { struct request *r; r = rq->from->rqs[id]; if (r) { freerq(r); rq->from->rqs[id] = NULL; } } /* returns 0 if validation/authentication fails, else 1 */ int radsrv(struct request *rq) { struct radmsg *msg = NULL; struct tlv *attr; uint8_t *userascii = NULL; struct realm *realm = NULL; struct server *to = NULL; struct client *from = rq->from; int ttlres; msg = buf2radmsg(rq->buf, (uint8_t *)from->conf->secret, NULL); free(rq->buf); rq->buf = NULL; if (!msg) { debug(DBG_INFO, "radsrv: message validation failed, ignoring packet"); freerq(rq); return 0; } rq->msg = msg; rq->rqid = msg->id; memcpy(rq->rqauth, msg->auth, 16); debug(DBG_DBG, "radsrv: code %d, id %d", msg->code, msg->id); if (msg->code != RAD_Access_Request && msg->code != RAD_Status_Server && msg->code != 
RAD_Accounting_Request) { debug(DBG_INFO, "radsrv: server currently accepts only access-requests, accounting-requests and status-server, ignoring"); goto exit; } if (!addclientrq(rq)) goto exit; if (msg->code == RAD_Status_Server) { respond(rq, RAD_Access_Accept, NULL); goto exit; } /* below: code == RAD_Access_Request || code == RAD_Accounting_Request */ if (from->conf->rewritein && !dorewrite(msg, from->conf->rewritein)) goto rmclrqexit; ttlres = checkttl(msg, options.ttlattrtype); if (!ttlres) { debug(DBG_INFO, "radsrv: ignoring request from client %s (%s), ttl exceeded", from->conf->name, addr2string(from->addr)); goto exit; } attr = radmsg_gettype(msg, RAD_Attr_User_Name); if (!attr) { if (msg->code == RAD_Accounting_Request) { acclog(msg, from); respond(rq, RAD_Accounting_Response, NULL); } else debug(DBG_INFO, "radsrv: ignoring access request, no username attribute"); goto exit; } if (from->conf->rewriteusername && !rewriteusername(rq, attr)) { debug(DBG_WARN, "radsrv: username malloc failed, ignoring request"); goto rmclrqexit; } userascii = radattr2ascii(attr); if (!userascii) goto rmclrqexit; debug(DBG_DBG, "%s with username: %s", radmsgtype2string(msg->code), userascii); /* will return with lock on the realm */ to = findserver(&realm, attr, msg->code == RAD_Accounting_Request); if (!realm) { debug(DBG_INFO, "radsrv: ignoring request, don't know where to send it"); goto exit; } if (!to) { if (realm->message && msg->code == RAD_Access_Request) { debug(DBG_INFO, "radsrv: sending reject to %s (%s) for %s", from->conf->name, addr2string(from->addr), userascii); respond(rq, RAD_Access_Reject, realm->message); } else if (realm->accresp && msg->code == RAD_Accounting_Request) { acclog(msg, from); respond(rq, RAD_Accounting_Response, NULL); } goto exit; } if ((to->conf->loopprevention == 1 || (to->conf->loopprevention == UCHAR_MAX && options.loopprevention == 1)) && !strcmp(from->conf->name, to->conf->name)) { debug(DBG_INFO, "radsrv: Loop prevented, not 
forwarding request from client %s (%s) to server %s, discarding", from->conf->name, addr2string(from->addr), to->conf->name); goto exit; } if (msg->code == RAD_Accounting_Request) memset(msg->auth, 0, 16); else if (!RAND_bytes(msg->auth, 16)) { debug(DBG_WARN, "radsrv: failed to generate random auth"); goto rmclrqexit; } #ifdef DEBUG printfchars(NULL, "auth", "%02x ", auth, 16); #endif attr = radmsg_gettype(msg, RAD_Attr_User_Password); if (attr) { debug(DBG_DBG, "radsrv: found userpwdattr with value length %d", attr->l); if (!pwdrecrypt(attr->v, attr->l, from->conf->secret, to->conf->secret, rq->rqauth, msg->auth)) goto rmclrqexit; } attr = radmsg_gettype(msg, RAD_Attr_Tunnel_Password); if (attr) { debug(DBG_DBG, "radsrv: found tunnelpwdattr with value length %d", attr->l); if (!pwdrecrypt(attr->v, attr->l, from->conf->secret, to->conf->secret, rq->rqauth, msg->auth)) goto rmclrqexit; } if (to->conf->rewriteout && !dorewrite(msg, to->conf->rewriteout)) goto rmclrqexit; if (ttlres == -1 && (options.addttl || to->conf->addttl)) addttlattr(msg, options.ttlattrtype, to->conf->addttl ? 
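to->conf->addttl : options.addttl);
    /* (tail of radsrv(), which begins on an earlier line; unchanged) */

    free(userascii);
    rq->to = to;
    sendrq(rq);
    pthread_mutex_unlock(&realm->mutex);
    freerealm(realm);
    return 1;

rmclrqexit:
    rmclientrq(rq, msg->id);
exit:
    freerq(rq);
    free(userascii);
    if (realm) {
        pthread_mutex_unlock(&realm->mutex);
        freerealm(realm);
    }
    return 1;
}

/**
 * Handle a reply received from SERVER.  BUF is the raw packet; it is
 * always freed here.
 *
 * The reply is matched to the outstanding request slot selected by its
 * id octet (buf[1]) and validated by buf2radmsg() with the server's
 * secret and the authenticator of the request that was sent.  After the
 * server's inbound rewrite, the TTL check and the MS-MPPE key conversion
 * from the server's to the client's secret, the message gets the id and
 * authenticator of the client's original request, the client's outbound
 * rewrite is applied and the result is queued with sendreply().
 *
 * Any failure drops the reply; the slot lock is released on every path.
 */
void replyh(struct server *server, unsigned char *buf) {
    struct client *from;
    struct rqout *rqout;
    int sublen, ttlres;
    unsigned char *subattrs;
    uint8_t *username, *stationid, *replymsg;
    struct radmsg *msg = NULL;
    struct tlv *attr;
    struct list_node *node;

    server->connectionok = 1;
    server->lostrqs = 0;

    rqout = server->requests + buf[1];
    pthread_mutex_lock(rqout->lock);
    if (!rqout->tries) {
        free(buf);
        buf = NULL;
        debug(DBG_INFO, "replyh: no outstanding request with this id, ignoring reply");
        goto errunlock;
    }

    msg = buf2radmsg(buf, (uint8_t *)server->conf->secret, rqout->rq->msg->auth);
    free(buf);
    buf = NULL;
    if (!msg) {
        debug(DBG_INFO, "replyh: message validation failed, ignoring packet");
        goto errunlock;
    }
    if (msg->code != RAD_Access_Accept && msg->code != RAD_Access_Reject && msg->code != RAD_Access_Challenge
        && msg->code != RAD_Accounting_Response) {
        debug(DBG_INFO, "replyh: discarding message type %s, accepting only access accept, access reject, access challenge and accounting response messages", radmsgtype2string(msg->code));
        goto errunlock;
    }
    debug(DBG_DBG, "got %s message with id %d", radmsgtype2string(msg->code), msg->id);

    gettimeofday(&server->lastrcv, NULL);

    /* Replies to our own Status-Server probes are not forwarded. */
    if (rqout->rq->msg->code == RAD_Status_Server) {
        freerqoutdata(rqout);
        debug(DBG_DBG, "replyh: got status server response from %s", server->conf->name);
        goto errunlock;
    }

    gettimeofday(&server->lastreply, NULL);
    from = rqout->rq->from;

    /* Apply the rewrite configured for the server the reply came from.
     * The condition tested the server's rewritein while the call passed
     * the client's, so the server's rules were never applied to replies
     * (and a NULL client rewritein made this step a no-op). */
    if (server->conf->rewritein && !dorewrite(msg, server->conf->rewritein)) {
        debug(DBG_INFO, "replyh: rewritein failed");
        goto errunlock;
    }

    ttlres = checkttl(msg, options.ttlattrtype);
    if (!ttlres) {
        debug(DBG_INFO, "replyh: ignoring reply from server %s, ttl exceeded", server->conf->name);
        goto errunlock;
    }

    /* MS MPPE */
    /* Leaving this loop early (node != NULL) means a vendor attribute was
     * malformed or a key could not be converted. */
    for (node = list_first(msg->attrs); node; node = list_next(node)) {
        attr = (struct tlv *)node->data;
        if (attr->t != RAD_Attr_Vendor_Specific)
            continue;
        if (attr->l <= 4)
            break;
        if (attr->v[0] != 0 || attr->v[1] != 0 || attr->v[2] != 1 || attr->v[3] != 55)  /* 311 == MS */
            continue;

        sublen = attr->l - 4;
        subattrs = attr->v + 4;
        if (!attrvalidate(subattrs, sublen) ||
            !msmppe(subattrs, sublen, RAD_VS_ATTR_MS_MPPE_Send_Key, "MS MPPE Send Key",
                    rqout->rq, server->conf->secret, from->conf->secret) ||
            !msmppe(subattrs, sublen, RAD_VS_ATTR_MS_MPPE_Recv_Key, "MS MPPE Recv Key",
                    rqout->rq, server->conf->secret, from->conf->secret))
            break;
    }
    if (node) {
        debug(DBG_WARN, "replyh: MS attribute handling failed, ignoring reply");
        goto errunlock;
    }

    /* Log the outcome.  The attribute values go through radattr2ascii()
     * before they are written to the log. */
    if (msg->code == RAD_Access_Accept || msg->code == RAD_Access_Reject || msg->code == RAD_Accounting_Response) {
        username = radattr2ascii(radmsg_gettype(rqout->rq->msg, RAD_Attr_User_Name));
        if (username) {
            stationid = radattr2ascii(radmsg_gettype(rqout->rq->msg, RAD_Attr_Calling_Station_Id));
            replymsg = radattr2ascii(radmsg_gettype(msg, RAD_Attr_Reply_Message));
            if (stationid) {
                if (replymsg) {
                    debug(DBG_NOTICE,
                          "%s for user %s stationid %s from %s (%s) to %s (%s)",
                          radmsgtype2string(msg->code), username, stationid,
                          server->conf->name, replymsg, from->conf->name,
                          addr2string(from->addr));
                    free(replymsg);
                } else
                    debug(DBG_NOTICE,
                          "%s for user %s stationid %s from %s to %s (%s)",
                          radmsgtype2string(msg->code), username, stationid,
                          server->conf->name, from->conf->name,
                          addr2string(from->addr));
                free(stationid);
            } else {
                if (replymsg) {
                    debug(DBG_NOTICE, "%s for user %s from %s (%s) to %s (%s)",
                          radmsgtype2string(msg->code), username,
                          server->conf->name, replymsg, from->conf->name,
                          addr2string(from->addr));
                    free(replymsg);
                } else
                    debug(DBG_NOTICE, "%s for user %s from %s to %s (%s)",
                          radmsgtype2string(msg->code), username,
                          server->conf->name, from->conf->name,
                          addr2string(from->addr));
            }
            free(username);
        }
    }

#if defined(WANT_FTICKS)
    if (msg->code == RAD_Access_Accept || msg->code == RAD_Access_Reject)
        if (options.fticks_reporting && from->conf->fticks_viscountry != NULL)
            fticks_log(&options, from, msg, rqout);
#endif

    /* Restore the id and authenticator of the client's own request. */
    msg->id = (char)rqout->rq->rqid;
    memcpy(msg->auth, rqout->rq->rqauth, 16);

    /* NOTE(review): buf was freed and set to NULL above, so this DEBUG
     * dump reads from an invalid address; it needs another source. */
#ifdef DEBUG
    printfchars(NULL, "origauth/buf+4", "%02x ", buf + 4, 16);
#endif

    /* Give the client back the user name it sent, if it was rewritten. */
    if (rqout->rq->origusername && (attr = radmsg_gettype(msg, RAD_Attr_User_Name))) {
        if (!resizeattr(attr, strlen(rqout->rq->origusername))) {
            debug(DBG_WARN, "replyh: malloc failed, ignoring reply");
            goto errunlock;
        }
        memcpy(attr->v, rqout->rq->origusername, strlen(rqout->rq->origusername));
    }

    if (from->conf->rewriteout && !dorewrite(msg, from->conf->rewriteout)) {
        debug(DBG_WARN, "replyh: rewriteout failed");
        goto errunlock;
    }

    if (ttlres == -1 && (options.addttl || from->conf->addttl))
        addttlattr(msg, options.ttlattrtype, from->conf->addttl ? from->conf->addttl : options.addttl);

    debug(msg->code == RAD_Access_Accept || msg->code == RAD_Access_Reject || msg->code == RAD_Accounting_Response ? DBG_WARN : DBG_INFO,
          "replyh: passing %s to client %s (%s)", radmsgtype2string(msg->code), from->conf->name, addr2string(from->addr));

    radmsg_free(rqout->rq->msg);
    rqout->rq->msg = msg;
    sendreply(newrqref(rqout->rq));
    freerqoutdata(rqout);
    pthread_mutex_unlock(rqout->lock);
    return;

errunlock:
    radmsg_free(msg);
    pthread_mutex_unlock(rqout->lock);
    return;
}

/* Build a Status-Server request carrying a 16-byte Message-Authenticator
 * attribute created without initial data.  Returns the request, or NULL
 * if any allocation fails. */
struct request *createstatsrvrq() {
    struct request *rq;
    struct tlv *attr;

    rq = newrequest();
    if (!rq)
        return NULL;
    rq->msg = radmsg_init(RAD_Status_Server, 0, NULL);
    if (!rq->msg)
        goto exit;
    attr = maketlv(RAD_Attr_Message_Authenticator, 16, NULL);
    if (!attr)
        goto exit;
    if (!radmsg_add(rq->msg, attr)) {
        freetlv(attr);
        goto exit;
    }
    return rq;

exit:
    freerq(rq);
    return NULL;
}

/* code for removing state not finished */
void *clientwr(void *arg) {
    struct server *server = (struct server *)arg;
    struct rqout *rqout = NULL;
    pthread_t clientrdth;
    int i, dynconffail = 0;
    time_t secs;
    uint8_t rnd;
    struct timeval now, laststatsrv;
    struct timespec timeout;
    struct request *statsrvrq;
    struct clsrvconf *conf;

    conf = server->conf;

/* Seconds to sleep before giving up after a failed setup step. */
#define ZZZ 900

    if (server->dynamiclookuparg && !dynamicconfig(server)) {
        dynconffail = 1;
        server->dynstartup = 0;
        server->dynfailing = 1;
#if defined ENABLE_EXPERIMENTAL_DYNDISC
        pthread_mutex_unlock(&server->lock);
#endif
        debug(DBG_WARN, "%s: dynamicconfig(%s) failed, sleeping %ds",
              __func__, server->conf->name, ZZZ);
        sleep(ZZZ);
        goto errexit;
    }
#if defined ENABLE_EXPERIMENTAL_DYNDISC
    pthread_mutex_unlock(&server->lock);
#endif
    /* FIXME: Is resolving not always done by compileserverconfig(),
     * either as part of static configuration setup or by
     * dynamicconfig() above?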
*/ if (!resolvehostports(conf->hostports, conf->hostaf, conf->pdef->socktype)) { debug(DBG_WARN, "%s: resolve failed, sleeping %ds", __func__, ZZZ); sleep(ZZZ); goto errexit; } memset(&timeout, 0, sizeof(struct timespec)); if (conf->statusserver) { gettimeofday(&server->lastrcv, NULL); gettimeofday(&laststatsrv, NULL); } if (conf->pdef->connecter) { if (!conf->pdef->connecter(server, NULL, server->dynamiclookuparg ? 5 : 0, "clientwr")) { if (server->dynamiclookuparg) { server->dynstartup = 0; server->dynfailing = 1; debug(DBG_WARN, "%s: connect failed, sleeping %ds", __func__, ZZZ); sleep(ZZZ); } goto errexit; } server->connectionok = 1; #if defined ENABLE_EXPERIMENTAL_DYNDISC server->in_use = 1; #endif if (pthread_create(&clientrdth, NULL, conf->pdef->clientconnreader, (void *)server)) { debugerrno(errno, DBG_ERR, "clientwr: pthread_create failed"); goto errexit; } } else server->connectionok = 1; server->dynstartup = 0; for (;;) { pthread_mutex_lock(&server->newrq_mutex); if (!server->newrq) { gettimeofday(&now, NULL); /* random 0-7 seconds */ RAND_bytes(&rnd, 1); rnd /= 32; if (conf->statusserver) { secs = server->lastrcv.tv_sec > laststatsrv.tv_sec ? 
server->lastrcv.tv_sec : laststatsrv.tv_sec; if (now.tv_sec - secs > STATUS_SERVER_PERIOD) secs = now.tv_sec; if (!timeout.tv_sec || timeout.tv_sec > secs + STATUS_SERVER_PERIOD + rnd) timeout.tv_sec = secs + STATUS_SERVER_PERIOD + rnd; } else { if (!timeout.tv_sec || timeout.tv_sec > now.tv_sec + STATUS_SERVER_PERIOD + rnd) timeout.tv_sec = now.tv_sec + STATUS_SERVER_PERIOD + rnd; } #if 0 if (timeout.tv_sec > now.tv_sec) debug(DBG_DBG, "clientwr: waiting up to %ld secs for new request", timeout.tv_sec - now.tv_sec); #endif pthread_cond_timedwait(&server->newrq_cond, &server->newrq_mutex, &timeout); timeout.tv_sec = 0; } if (server->newrq) { debug(DBG_DBG, "clientwr: got new request"); server->newrq = 0; } #if 0 else debug(DBG_DBG, "clientwr: request timer expired, processing request queue"); #endif pthread_mutex_unlock(&server->newrq_mutex); for (i = 0; i < MAX_REQUESTS; i++) { if (server->clientrdgone) { pthread_join(clientrdth, NULL); goto errexit; } for (; i < MAX_REQUESTS; i++) { rqout = server->requests + i; if (rqout->rq) { pthread_mutex_lock(rqout->lock); if (rqout->rq) break; pthread_mutex_unlock(rqout->lock); } } if (i == MAX_REQUESTS) break; gettimeofday(&now, NULL); if (now.tv_sec < rqout->expiry.tv_sec) { if (!timeout.tv_sec || rqout->expiry.tv_sec < timeout.tv_sec) timeout.tv_sec = rqout->expiry.tv_sec; pthread_mutex_unlock(rqout->lock); continue; } if (rqout->tries == (*rqout->rq->buf == RAD_Status_Server ? 
1 : conf->retrycount + 1)) { debug(DBG_DBG, "clientwr: removing expired packet from queue"); if (conf->statusserver) { if (*rqout->rq->buf == RAD_Status_Server) { debug(DBG_WARN, "clientwr: no status server response, %s dead?", conf->name); if (server->lostrqs < 255) server->lostrqs++; } } else { debug(DBG_WARN, "clientwr: no server response, %s dead?", conf->name); if (server->lostrqs < 255) server->lostrqs++; } freerqoutdata(rqout); pthread_mutex_unlock(rqout->lock); continue; } rqout->expiry.tv_sec = now.tv_sec + conf->retryinterval; if (!timeout.tv_sec || rqout->expiry.tv_sec < timeout.tv_sec) timeout.tv_sec = rqout->expiry.tv_sec; rqout->tries++; conf->pdef->clientradput(server, rqout->rq->buf); pthread_mutex_unlock(rqout->lock); } if (conf->statusserver && server->connectionok) { secs = server->lastrcv.tv_sec > laststatsrv.tv_sec ? server->lastrcv.tv_sec : laststatsrv.tv_sec; gettimeofday(&now, NULL); if (now.tv_sec - secs > STATUS_SERVER_PERIOD) { laststatsrv = now; statsrvrq = createstatsrvrq(); if (statsrvrq) { statsrvrq->to = server; debug(DBG_DBG, "clientwr: sending status server to %s", conf->name); sendrq(statsrvrq); } } } } errexit: #if defined ENABLE_EXPERIMENTAL_DYNDISC server->in_use = 0; #endif conf->servers = NULL; if (server->dynamiclookuparg) { removeserversubrealms(realms, conf); if (dynconffail) free(conf); else freeclsrvconf(conf); } freeserver(server, 1); ERR_remove_state(0); return NULL; } void createlistener(uint8_t type, char *arg) { pthread_t th; struct addrinfo *res; int s = -1, on = 1, *sp = NULL; struct hostportres *hp = newhostport(arg, protodefs[type]->portdefault, 0); if (!hp || !resolvehostport(hp, AF_UNSPEC, protodefs[type]->socktype, 1)) debugx(1, DBG_ERR, "createlistener: failed to resolve %s", arg); for (res = hp->addrinfo; res; res = res->ai_next) { s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); if (s < 0) { debugerrno(errno, DBG_WARN, "createlistener: socket failed"); continue; } setsockopt(s, SOL_SOCKET, 
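SO_REUSEADDR, &on, sizeof(on));
        disable_DF_bit(s, res);

#ifdef IPV6_V6ONLY
        if (res->ai_family == AF_INET6)
            setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
#endif
        if (bind(s, res->ai_addr, res->ai_addrlen)) {
            debugerrno(errno, DBG_WARN, "createlistener: bind failed");
            close(s);
            s = -1;
            continue;
        }

        sp = malloc(sizeof(int));
        if (!sp)
            debugx(1, DBG_ERR, "malloc failed");
        *sp = s;
        if (pthread_create(&th, NULL, protodefs[type]->listener, (void *)sp))
            debugerrnox(errno, DBG_ERR, "pthread_create failed");
        pthread_detach(th);
    }
    if (!sp)
        debugx(1, DBG_ERR, "createlistener: socket/bind failed");

    debug(DBG_WARN, "createlistener: listening for %s on %s:%s", protodefs[type]->name, hp->host ? hp->host : "*", hp->port);
    freehostport(hp);
}

/* Start the listeners for transport TYPE: one createlistener() call per
 * entry returned by the transport's getlistenerargs() hook, or a single
 * call with a NULL argument when the hook returns no list. */
void createlisteners(uint8_t type) {
    int i;
    char **args;

    args = protodefs[type]->getlistenerargs();
    if (args)
        for (i = 0; args[i]; i++)
            createlistener(type, args[i]);
    else
        createlistener(type, NULL);
}

/* Initialise OpenSSL for threaded use: allocate one mutex and one counter
 * per CRYPTO lock, register the thread-id and locking callbacks, load the
 * error strings and the library, and make sure the PRNG reports itself as
 * seeded before returning. */
void sslinit() {
    int i;
    time_t t;
    pid_t pid;

    ssl_locks = calloc(CRYPTO_num_locks(), sizeof(pthread_mutex_t));
    ssl_lock_count = OPENSSL_malloc(CRYPTO_num_locks() * sizeof(long));
    /* Both arrays are indexed in the loop below; stop here instead of
     * dereferencing NULL.  debugx(1, ...) is the fatal-error path used
     * for allocation failures elsewhere in this file. */
    if (!ssl_locks || !ssl_lock_count)
        debugx(1, DBG_ERR, "malloc failed");
    for (i = 0; i < CRYPTO_num_locks(); i++) {
        ssl_lock_count[i] = 0;
        pthread_mutex_init(&ssl_locks[i], NULL);
    }
    CRYPTO_set_id_callback(ssl_thread_id);
    CRYPTO_set_locking_callback(ssl_locking_callback);

    SSL_load_error_strings();
    SSL_library_init();

    /* NOTE(review): this loop only runs when OpenSSL reports that its PRNG
     * has not been seeded, and it then feeds it the current time and the
     * process id.  Both values are predictable, so a PRNG that becomes
     * "seeded" this way should not be relied on for TLS key material;
     * failing start-up on such a platform would be the safer behaviour.
     * Left unchanged here because it alters start-up semantics. */
    while (!RAND_status()) {
        t = time(NULL);
        pid = getpid();
        RAND_seed((unsigned char *)&t, sizeof(time_t));
        RAND_seed((unsigned char *)&pid, sizeof(pid));
    }
}

/* Build the list of server configurations for a realm.
 *
 * VALUE is the realm name (used in log messages only) and NAMES a
 * NULL-terminated array of server names.  Each name is looked up
 * case-insensitively in the global srvconfs list.  Returns a new list
 * holding the matching configurations in the order given, or NULL when
 * NAMES is NULL or empty, when a name is not found, or on allocation
 * failure.  The list refers to the configurations in srvconfs; it does
 * not copy them. */
struct list *addsrvconfs(char *value, char **names) {
    struct list *conflist;
    int n;
    struct list_node *entry;
    struct clsrvconf *conf = NULL;

    if (!names || !*names)
        return NULL;

    conflist = list_create();
    if (!conflist) {
        debug(DBG_ERR, "malloc failed");
        return NULL;
    }

    for (n = 0; names[n]; n++) {
        for (entry = list_first(srvconfs); entry; entry = list_next(entry)) {
            conf = (struct clsrvconf *)entry->data;
            if (!strcasecmp(names[n], conf->name))
                break;
        }
        if (!entry) {
            debug(DBG_ERR, "addsrvconfs failed for realm %s, no server named %s", value, names[n]);
            list_destroy(conflist);
            return NULL;
        }
        if (!list_push(conflist, conf)) {
            debug(DBG_ERR, "malloc failed");
            list_destroy(conflist);
            return NULL;
        }
        debug(DBG_DBG, "addsrvconfs: added server %s for realm %s", conf->name, value);
    }
    return conflist;
}

/* Drop one reference to REALM and free it when the count reaches zero.
 * A NULL realm is ignored.  On the final release the name, message,
 * compiled regex, mutex and the three lists are released, and one
 * reference to the parent realm is dropped in turn. */
void freerealm(struct realm *realm) {
    if (!realm)
        return;
    debug(DBG_DBG, "freerealm: called with refcount %d", realm->refcount);
    if (--realm->refcount)
        return;

    free(realm->name);
    free(realm->message);
    regfree(&realm->regex);
    pthread_mutex_destroy(&realm->mutex);
    /* if refcount == 0, all subrealms gone */
    list_destroy(realm->subrealms);
    /* if refcount == 0, all srvconfs gone */
    list_destroy(realm->srvconfs);
    /* if refcount == 0, all accsrvconfs gone */
    list_destroy(realm->accsrvconfs);
    freerealm(realm->parent);
    free(realm);
}

/* Create a realm from VALUE and append it to REALMLIST.
 *
 * VALUE is either a regular expression written as /regex/ (the trailing
 * slash is optional and is removed in place), the single character "*"
 * (matches everything), or a plain realm name.  A plain name is turned
 * into the expression "@name$"; only '.' is escaped while doing so, any
 * other regex metacharacter in the name keeps its regex meaning.  The
 * expression is compiled case-insensitively.
 *
 * SERVERS and ACCSERVERS are NULL-terminated name arrays resolved with
 * addsrvconfs(); both arrays are released with freegconfmstr() before
 * returning, on success and on failure.  MESSAGE is stored in the realm
 * without copying and may be at most 253 bytes.
 *
 * Returns the result of newrealmref() on the new realm, after taking one
 * additional reference per server and accounting-server name; on failure
 * the realm passed to newrealmref() is NULL. */
struct realm *addrealm(struct list *realmlist, char *value, char **servers, char **accservers, char *message, uint8_t accresp) {
    int n;
    struct realm *realm;
    char *s, *regex = NULL;

    if (*value == '/') {
        /* regexp, remove optional trailing / if present */
        if (value[strlen(value) - 1] == '/')
            value[strlen(value) - 1] = '\0';
    } else {
        /* not a regexp, let us make it one */
        if (*value == '*' && !value[1])
            regex = stringcopy(".*", 0);
        else {
            /* Count the dots so the buffer has room for one backslash
             * each, plus '@', '$' and the terminator. */
            for (n = 0, s = value; *s;)
                if (*s++ == '.')
                    n++;
            regex = malloc(strlen(value) + n + 3);
            if (regex) {
                regex[0] = '@';
                for (n = 1, s = value; *s; s++) {
                    if (*s == '.')
                        regex[n++] = '\\';
                    regex[n++] = *s;
                }
                regex[n++] = '$';
                regex[n] = '\0';
            }
        }
        if (!regex) {
            debug(DBG_ERR, "malloc failed");
            realm = NULL;
            goto exit;
        }
        debug(DBG_DBG, "addrealm: constructed regexp %s from %s", regex, value);
    }

    realm = malloc(sizeof(struct realm));
    if (!realm) {
        debug(DBG_ERR, "malloc failed");
        goto exit;
    }
    memset(realm, 0, sizeof(struct realm));

    if (pthread_mutex_init(&realm->mutex, NULL)) {
        debugerrno(errno, DBG_ERR, "mutex init failed");
        free(realm);
        realm = NULL;
        goto exit;
    }

    realm->name = stringcopy(value, 0);
    if (!realm->name) {
        debug(DBG_ERR, "malloc failed");
        goto errexit;
    }
    if (message && strlen(message) > 253) {
        debug(DBG_ERR, "ReplyMessage can be at most 253 bytes");
        goto errexit;
    }
    realm->message = message;
    realm->accresp = accresp;

    if (regcomp(&realm->regex, regex ? regex : value + 1, REG_EXTENDED | REG_ICASE | REG_NOSUB)) {
        debug(DBG_ERR, "addrealm: failed to compile regular expression %s", regex ? regex : value + 1);
        goto errexit;
    }

    if (servers && *servers) {
        realm->srvconfs = addsrvconfs(value, servers);
        if (!realm->srvconfs)
            goto errexit;
    }

    if (accservers && *accservers) {
        realm->accsrvconfs = addsrvconfs(value, accservers);
        if (!realm->accsrvconfs)
            goto errexit;
    }

    if (!list_push(realmlist, realm)) {
        debug(DBG_ERR, "malloc failed");
        pthread_mutex_destroy(&realm->mutex);
        goto errexit;
    }

    debug(DBG_DBG, "addrealm: added realm %s", value);
    goto exit;

errexit:
    /* Empty the lists first so that the shared server configurations
     * are not touched when the lists are destroyed. */
    while (list_shift(realm->srvconfs));
    while (list_shift(realm->accsrvconfs));
    /* NOTE(review): realm->refcount is still 0 here (set by the memset
     * above and not changed since), so the pre-decrement in freerealm()
     * leaves it non-zero and freerealm() returns without releasing
     * anything -- looks like this path leaks the realm; confirm. */
    freerealm(realm);
    realm = NULL;
exit:
    free(regex);
    if (servers) {
        if (realm)
            for (n = 0; servers[n]; n++)
                newrealmref(realm);
        freegconfmstr(servers);
    }
    if (accservers) {
        if (realm)
            for (n = 0; accservers[n]; n++)
                newrealmref(realm);
        freegconfmstr(accservers);
    }
    return newrealmref(realm);
}

struct list *createsubrealmservers(struct realm *realm, struct list *srvconfs) {
    struct list_node *entry;
    struct clsrvconf *conf, *srvconf;
    struct list *subrealmservers = NULL;
    pthread_t clientth;

    if (list_first(srvconfs)) {
        subrealmservers = list_create();
        if (!subrealmservers)
            return NULL;
    }

    for (entry = list_first(srvconfs); entry; entry = list_next(entry)) {
        conf = (struct clsrvconf *)entry->data;
        if (!conf->servers && conf->dynamiclookupcommand) {
            srvconf = malloc(sizeof(struct clsrvconf));
            if (!srvconf) {
                debug(DBG_ERR, "malloc failed");
                continue;
            }
            debug(DBG_DBG, "%s: copying config %s", __func__, conf->name);
            *srvconf = *conf;
            /* Shallow copy -- sharing all the pointers.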
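addserver()
             * will take care of servers (which btw has to be NUL) but
             * the rest of them are shared with the config found in
             * the srvconfs list. */
            if (addserver(srvconf)) {
                srvconf->servers->dynamiclookuparg = stringcopy(realm->name, 0);
                srvconf->servers->dynstartup = 1;
                debug(DBG_DBG, "%s: new client writer for %s", __func__, srvconf->servers->conf->name);
#if defined ENABLE_EXPERIMENTAL_DYNDISC
                pthread_mutex_lock(&srvconf->servers->lock);
#endif
                if (pthread_create(&clientth, NULL, clientwr, (void *)(srvconf->servers))) {
#if defined ENABLE_EXPERIMENTAL_DYNDISC
                    pthread_mutex_unlock(&srvconf->servers->lock);
#endif
                    debugerrno(errno, DBG_ERR, "pthread_create failed");
                    freeserver(srvconf->servers, 1);
                    srvconf->servers = NULL;
#if defined ENABLE_EXPERIMENTAL_DYNDISC
                    conf = srvconf;
                    continue;
#endif
                } else
                    pthread_detach(clientth);

#if defined ENABLE_EXPERIMENTAL_DYNDISC
                /* If clientwr() could not find a NAPTR we have to
                 * wait for dynfailing=1 what is set in clientwr(). */
                pthread_mutex_lock(&srvconf->servers->lock);
                pthread_mutex_unlock(&srvconf->servers->lock);
#endif
            }
            conf = srvconf;
        }
        if (conf->servers) {
            if (list_push(subrealmservers, conf))
                newrealmref(realm);
            else
                debug(DBG_ERR, "malloc failed");
        }
    }
    return subrealmservers;
}

/* Create a sub-realm of REALM for the realm part of ID and start dynamic
 * server discovery for it.
 *
 * The realm part is the text after the last '@' in ID (presumably a user
 * name taken from a request -- confirm against the caller).  It must be
 * non-empty and consist only of alphanumerics, '.' and '-'; anything else
 * is rejected before the name is used to build a regex in addrealm() or
 * handed to the lookup command.  Returns the new realm or NULL. */
struct realm *adddynamicrealmserver(struct realm *realm, char *id) {
    struct realm *newrealm = NULL;
    char *realmname, *s;

    /* create dynamic for the realm (string after last @, exit if nothing after @ */
    realmname = strrchr(id, '@');
    if (!realmname)
        return NULL;
    realmname++;
    if (!*realmname)
        return NULL;
    /* isalnum() is only defined for unsigned char values and EOF; a plain
     * char above 0x7f can be negative, so convert before the call. */
    for (s = realmname; *s; s++)
        if (*s != '.' && *s != '-' && !isalnum((unsigned char)*s))
            return NULL;

    if (!realm->subrealms)
        realm->subrealms = list_create();
    if (!realm->subrealms)
        return NULL;

    newrealm = addrealm(realm->subrealms, realmname, NULL, NULL, stringcopy(realm->message, 0), realm->accresp);
    if (!newrealm) {
        /* NOTE(review): this discards the whole sub-realm list, which may
         * already hold realms added by earlier calls -- confirm intended. */
        list_destroy(realm->subrealms);
        realm->subrealms = NULL;
        return NULL;
    }

    newrealm->parent = newrealmref(realm);
    /* add server and accserver to newrealm */
    newrealm->srvconfs = createsubrealmservers(newrealm, realm->srvconfs);
    newrealm->accsrvconfs = createsubrealmservers(newrealm, realm->accsrvconfs);
    return newrealm;
}

/* Run conf->dynamiclookupcommand with server->dynamiclookuparg as its only
 * argument and parse what it prints on stdout as "Server" blocks, handing
 * each block to confserver_cb() with conf as the callback argument.
 * Returns 1 when the command exited with status 0 and parsing succeeded,
 * 0 otherwise.
 *
 * The command is started with execlp(), so the argument reaches it as one
 * argv element and no shell is involved in this call.  The argument is a
 * realm name (set in createsubrealmservers()); adddynamicrealmserver()
 * limits such names to alphanumerics, '.' and '-', which still permits a
 * leading '-', so the lookup command has to treat its argument as data and
 * not as an option.  Whatever the command prints is accepted as server
 * configuration, so the command and its own inputs are part of the trust
 * boundary. */
int dynamicconfig(struct server *server) {
    int ok, fd[2], status;
    pid_t pid;
    struct clsrvconf *conf = server->conf;
    struct gconffile *cf = NULL;
    FILE *cmdout;

    /* for now we only learn hostname/address */
    debug(DBG_DBG, "dynamicconfig: need dynamic server config for %s", server->dynamiclookuparg);

    /* pipe() returns -1 on failure, never a positive value. */
    if (pipe(fd) < 0) {
        debugerrno(errno, DBG_ERR, "dynamicconfig: pipe error");
        goto errexit;
    }
    pid = fork();
    if (pid < 0) {
        debugerrno(errno, DBG_ERR, "dynamicconfig: fork error");
        close(fd[0]);
        close(fd[1]);
        goto errexit;
    } else if (pid == 0) {
        /* child */
        /* NOTE(review): only the pipe ends are handled here; whether the
         * proxy's other descriptors are close-on-exec is not visible in
         * this function. */
        close(fd[0]);
        if (fd[1] != STDOUT_FILENO) {
            if (dup2(fd[1], STDOUT_FILENO) != STDOUT_FILENO)
                debugx(1, DBG_ERR, "dynamicconfig: dup2 error for command %s", conf->dynamiclookupcommand);
            close(fd[1]);
        }
        /* The sentinel of a variadic call must be a null pointer of
         * pointer type. */
        if (execlp(conf->dynamiclookupcommand, conf->dynamiclookupcommand, server->dynamiclookuparg, (char *)NULL) < 0)
            debugx(1, DBG_ERR, "dynamicconfig: exec error for command %s", conf->dynamiclookupcommand);
    }

    close(fd[1]);
    cmdout = fdopen(fd[0], "r");
    if (!cmdout) {
        debugerrno(errno, DBG_ERR, "dynamicconfig: fdopen error");
        close(fd[0]);
        /* Reap the child so it does not stay around as a zombie. */
        waitpid(pid, &status, 0);
        goto errexit;
    }
    pushgconffile(&cf, cmdout, conf->dynamiclookupcommand);
    ok = getgenericconfig(&cf, NULL, "Server", CONF_CBK, confserver_cb, (void *) conf, NULL);
    freegconf(&cf);

    if (waitpid(pid, &status, 0) < 0) {
        debugerrno(errno, DBG_ERR, "dynamicconfig: wait error");
        goto errexit;
    }

    if (status) {
        debug(DBG_INFO, "dynamicconfig: command exited with status %d", WEXITSTATUS(status));
        goto errexit;
    }

    if (ok)
        return 1;

errexit:
    debug(DBG_WARN, "dynamicconfig: failed to obtain dynamic server config");
    return 0;
}

/* Convert ATTRNAME to an attribute number.  Returns the number when it is
 * in the range 1-255 and 0 otherwise.  The conversion uses atoi(), so
 * text after the leading digits is ignored rather than rejected. */
/* should accept both names and numeric values, only numeric right now */
uint8_t attrname2val(char *attrname) {
    int val = 0;

    val = atoi(attrname);
    return val > 0 && val < 256 ? val : 0;
}

/* ATTRNAME is on the form vendor[:type]. *VENDOR is always set from the
   leading number. If only vendor is found, *TYPE is set to 256 and 1 is
   returned. Otherwise *TYPE is set from the number after the colon, and
   1 is returned if it is below 256 and 0 if it is not. Both numbers are
   converted with atoi(), so non-numeric text is not reported as an
   error. */
/* should accept both names and numeric values, only numeric right now */
int vattrname2val(char *attrname, uint32_t *vendor, uint32_t *type) {
    char *s;

    *vendor = atoi(attrname);
    s = strchr(attrname, ':');
    if (!s) {			/* Only vendor was found.  */
        *type = 256;
        return 1;
    }
    *type = atoi(s + 1);
    return *type < 256;
}

/** Extract attributes from string NAMEVAL, create a struct tlv and
 * return the tlv.  If VENDOR_FLAG, NAMEVAL is on the form
 * "vendor:name:value" and otherwise it's "name:value".  Return
 * NULL if fields are missing or if conversion fails.
 *
 * The attribute number must be 1-255 and the value at most 253 bytes.
 * The value is copied; with VENDOR_FLAG the tlv is wrapped by
 * makevendortlv() before it is returned.
 *
 * NOTE(review): the vendor number itself is not range-checked here, and
 * whether makevendortlv() copes with a 253-byte inner value is not
 * visible in this function -- confirm.
 *
 * FIXME: Should accept both names and numeric values, only numeric
 * right now */
struct tlv *extractattr(char *nameval, char vendor_flag) {
    int len, name = 0;
    int vendor = 0;	    /* Vendor 0 is reserved, see RFC 1700.  */
    char *s, *s2;
    struct tlv *a;

    s = strchr(nameval, ':');
    if (!s)
        return NULL;
    name = atoi(nameval);

    if (vendor_flag) {
        s2 = strchr(s + 1, ':');
        if (!s2)
            return NULL;
        vendor = name;
        name = atoi(s + 1);
        s = s2;
    }
    len = strlen(s + 1);
    if (len > 253)
        return NULL;

    if (name < 1 || name > 255)
        return NULL;
    a = malloc(sizeof(struct tlv));
    if (!a)
        return NULL;

    a->v = (uint8_t *)stringcopy(s + 1, 0);
    if (!a->v) {
        free(a);
        return NULL;
    }
    a->t = name;
    a->l = len;

    if (vendor_flag)
        a = makevendortlv(vendor, a);

    return a;
}

/* Parse a modify-attribute rule of the form "attr:/regex/replacement/"
 * (the final slash is optional; "User-Name" is accepted as a name for
 * attribute 1) and return it as a newly allocated struct modattr with
 * the regex compiled case-insensitively.  NAMEVAL is modified in place.
 * Returns NULL on a malformed rule, a regex that does not compile, or
 * allocation failure. */
/* should accept both names and numeric values, only numeric right now */
struct modattr *extractmodattr(char *nameval) {
    int name = 0;
    char *s, *t;
    size_t len;
    struct modattr *m;

    if (!strncasecmp(nameval, "User-Name:/", 11)) {
        s = nameval + 11;
        name = 1;
    } else {
        s = strchr(nameval, ':');
        name = atoi(nameval);
        if (!s || name < 1 || name > 255 || s[1] != '/')
            return NULL;
        s += 2;
    }
    /* regexp, remove optional trailing / if present */
    /* Guard the empty case: with nothing after the opening slash there
     * is no last character to look at. */
    len = strlen(s);
    if (len && s[len - 1] == '/')
        s[len - 1] = '\0';

    t = strchr(s, '/');
    if (!t)
        return NULL;
    *t = '\0';
    t++;

    m = malloc(sizeof(struct modattr));
    if (!m) {
        debug(DBG_ERR, "malloc failed");
        return NULL;
    }
    m->t = name;

    m->replacement = stringcopy(t, 0);
    if (!m->replacement) {
        free(m);
        debug(DBG_ERR, "malloc failed");
        return NULL;
    }

    m->regex = malloc(sizeof(regex_t));
    if (!m->regex) {
        free(m->replacement);
        free(m);
        debug(DBG_ERR, "malloc failed");
        return NULL;
    }

    if (regcomp(m->regex, s, REG_ICASE | REG_EXTENDED)) {
        free(m->regex);
        free(m->replacement);
        free(m);
        debug(DBG_ERR, "failed to compile regular expression %s", s);
        return NULL;
    }

    return m;
}

/* Look up a rewrite block by name in rewriteconfs: ALT1 first, then ALT2.
 * Either may be NULL.  Returns what hash_read() finds for the first name
 * that has an entry, or NULL when neither does. */
struct rewrite *getrewrite(char *alt1, char *alt2) {
    struct rewrite *r;

    if (alt1)
        if ((r = hash_read(rewriteconfs, alt1, strlen(alt1))))
            return r;
    if (alt2)
        if ((r = hash_read(rewriteconfs, alt2, strlen(alt2))))
            return r;
    return NULL;
}

void addrewrite(char *value, char **rmattrs, char **rmvattrs, char **addattrs, char **addvattrs, char **modattrs) {
    struct rewrite *rewrite = NULL;
    int i, n;
    uint8_t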
*rma = NULL; uint32_t *p, *rmva = NULL; struct list *adda = NULL, *moda = NULL; struct tlv *a; struct modattr *m; if (rmattrs) { for (n = 0; rmattrs[n]; n++); rma = calloc(n + 1, sizeof(uint8_t)); if (!rma) debugx(1, DBG_ERR, "malloc failed"); for (i = 0; i < n; i++) if (!(rma[i] = attrname2val(rmattrs[i]))) debugx(1, DBG_ERR, "addrewrite: removing invalid attribute %s", rmattrs[i]); freegconfmstr(rmattrs); rma[i] = 0; } if (rmvattrs) { for (n = 0; rmvattrs[n]; n++); rmva = calloc(2 * n + 1, sizeof(uint32_t)); if (!rmva) debugx(1, DBG_ERR, "malloc failed"); for (p = rmva, i = 0; i < n; i++, p += 2) if (!vattrname2val(rmvattrs[i], p, p + 1)) debugx(1, DBG_ERR, "addrewrite: removing invalid vendor attribute %s", rmvattrs[i]); freegconfmstr(rmvattrs); *p = 0; } if (addattrs) { adda = list_create(); if (!adda) debugx(1, DBG_ERR, "malloc failed"); for (i = 0; addattrs[i]; i++) { a = extractattr(addattrs[i], 0); if (!a) debugx(1, DBG_ERR, "addrewrite: adding invalid attribute %s", addattrs[i]); if (!list_push(adda, a)) debugx(1, DBG_ERR, "malloc failed"); } freegconfmstr(addattrs); } if (addvattrs) { if (!adda) adda = list_create(); if (!adda) debugx(1, DBG_ERR, "malloc failed"); for (i = 0; addvattrs[i]; i++) { a = extractattr(addvattrs[i], 1); if (!a) debugx(1, DBG_ERR, "addrewrite: adding invalid vendor attribute %s", addvattrs[i]); if (!list_push(adda, a)) debugx(1, DBG_ERR, "malloc failed"); } freegconfmstr(addvattrs); } if (modattrs) { moda = list_create(); if (!moda) debugx(1, DBG_ERR, "malloc failed"); for (i = 0; modattrs[i]; i++) { m = extractmodattr(modattrs[i]); if (!m) debugx(1, DBG_ERR, "addrewrite: modifying invalid attribute %s", modattrs[i]); if (!list_push(moda, m)) debugx(1, DBG_ERR, "malloc failed"); } freegconfmstr(modattrs); } if (rma || rmva || adda || moda) { rewrite = malloc(sizeof(struct rewrite)); if (!rewrite) debugx(1, DBG_ERR, "malloc failed"); rewrite->removeattrs = rma; rewrite->removevendorattrs = rmva; rewrite->addattrs = adda; 
rewrite->modattrs = moda;
    }

    if (!hash_insert(rewriteconfs, value, strlen(value), rewrite))
        debugx(1, DBG_ERR, "malloc failed");
    debug(DBG_DBG, "addrewrite: added rewrite block %s", value);
}

/* Parse the TTL attribute specification into opts->ttlattrtype.
 *
 * Uses opts->ttlattr when set and DEFAULTATTR otherwise.  The string is
 * parsed by vattrname2val() into ttlattrtype[0] (first number) and
 * ttlattrtype[1] (number after the colon, or 256 when there is none).
 * A specification without a colon is only accepted when its number is
 * below 256.  Returns 1 on success, 0 after logging an error. */
int setttlattr(struct options *opts, char *defaultattr) {
    char *ttlattr = opts->ttlattr ? opts->ttlattr : defaultattr;

    if (vattrname2val(ttlattr, opts->ttlattrtype, opts->ttlattrtype + 1) &&
        (opts->ttlattrtype[1] != 256 || opts->ttlattrtype[0] < 256))
        return 1;
    debug(DBG_ERR, "setttlattr: invalid TTLAttribute value %s", ttlattr);
    return 0;
}

/* Release a client/server configuration and the members it owns.
 * CONF and CONF->name must be non-NULL (asserted).  The TLS context and
 * the client and server lists are deliberately left alone.
 *
 * NOTE(review): conf->secret is the shared secret; it is handed back to
 * the allocator without being cleared first.
 *
 * NOTE(review): rewritein/rewriteout are assigned from getrewrite()
 * elsewhere in this file, which returns what hash_read() finds in
 * rewriteconfs.  If that is the stored object rather than a copy, the
 * free() calls below leave the table, and any other configuration using
 * the same rewrite block, with a dangling pointer -- confirm ownership. */
void freeclsrvconf(struct clsrvconf *conf) {
    assert(conf);
    assert(conf->name);
    debug(DBG_DBG, "%s: freeing %p (%s)", __func__, conf, conf->name);
    free(conf->name);
    if (conf->hostsrc)
        freegconfmstr(conf->hostsrc);
    free(conf->portsrc);
    free(conf->secret);
    free(conf->tls);
    free(conf->matchcertattr);
    if (conf->certcnregex)
        regfree(conf->certcnregex);
    if (conf->certuriregex)
        regfree(conf->certuriregex);
    free(conf->confrewritein);
    free(conf->confrewriteout);
    if (conf->rewriteusername) {
        if (conf->rewriteusername->regex)
            regfree(conf->rewriteusername->regex);
        free(conf->rewriteusername->replacement);
        free(conf->rewriteusername);
    }
    free(conf->dynamiclookupcommand);
    free(conf->rewritein);
    free(conf->rewriteout);
    if (conf->hostports)
        freehostports(conf->hostports);
    if (conf->lock) {
        pthread_mutex_destroy(conf->lock);
        free(conf->lock);
    }
    /* not touching ssl_ctx, clients and servers */
    free(conf);
}

/* Merge one string member from *SRC into *DST.
 *
 * When *SRC is set, *DST takes over that pointer and *SRC is cleared, so
 * ownership moves to the destination.  Otherwise, when *DST is set, it
 * is replaced by a private copy of itself; the old pointer is not freed
 * because it is assumed to be shared with another configuration (see
 * mergesrvconf()).  Returns 1 on success and 0 on allocation failure. */
int mergeconfstring(char **dst, char **src) {
    char *t;

    if (*src) {
        *dst = *src;
        *src = NULL;
        return 1;
    }
    if (*dst) {
        t = stringcopy(*dst, 0);
        if (!t) {
            debug(DBG_ERR, "malloc failed");
            return 0;
        }
        *dst = t;
    }
    return 1;
}

/* Deep-copy a NULL-terminated array of strings.  Returns NULL when IN is
 * NULL or when an allocation fails; on a failed element copy the
 * partially built array is released with freegconfmstr(). */
char **mstringcopy(char **in) {
    char **out;
    int n;

    if (!in)
        return NULL;

    for (n = 0; in[n]; n++);
    out = malloc((n + 1) * sizeof(char *));
    if (!out)
        return NULL;
    for (n = 0; in[n]; n++) {
        out[n] = stringcopy(in[n], 0);
        /* out[n] is NULL at this point, so the array is terminated
         * where the copy stopped. */
        if (!out[n]) {
            freegconfmstr(out);
            return NULL;
        }
    }
    out[n] = NULL;
    return out;
}

/* Same as mergeconfstring(), for a NULL-terminated string array: take
 * over *SRC when it is set, otherwise replace *DST by a deep copy of
 * itself.  Returns 1 on success and 0 on allocation failure. */
int mergeconfmstring(char ***dst, char ***src) {
    char **t;

    if (*src) {
        *dst = *src;
        *src = NULL;
        return 1;
    }
    if (*dst) {
        t = mstringcopy(*dst);
        if (!t) {
            debug(DBG_ERR, "malloc failed");
            return 0;
        }
        *dst = t;
    }
    return 1;
}

/* Merge the settings in SRC into DST.  Returns 1 on success, 0 when a
 * string could not be copied (DST may then be partly merged).
 *
 * assumes dst is a shallow copy: every string member either moves over
 * from SRC or is replaced by a private copy, so that afterwards DST no
 * longer shares string storage with the configuration it was copied
 * from.
 *
 * statusserver and certnamecheck are always taken from SRC.  In
 * confserver_cb() SRC starts out with DST's values for these two, so a
 * parsed block keeps them unless it sets the option itself; output of a
 * dynamic lookup command that sets CertificateNameCheck therefore
 * overrides the statically configured value.  retryinterval and
 * retrycount use 255 as "not set" and are only taken when set. */
int mergesrvconf(struct clsrvconf *dst, struct clsrvconf *src) {
    if (!mergeconfstring(&dst->name, &src->name) ||
        !mergeconfmstring(&dst->hostsrc, &src->hostsrc) ||
        !mergeconfstring(&dst->portsrc, &src->portsrc) ||
        !mergeconfstring(&dst->secret, &src->secret) ||
        !mergeconfstring(&dst->tls, &src->tls) ||
        !mergeconfstring(&dst->matchcertattr, &src->matchcertattr) ||
        !mergeconfstring(&dst->confrewritein, &src->confrewritein) ||
        !mergeconfstring(&dst->confrewriteout, &src->confrewriteout) ||
        !mergeconfstring(&dst->confrewriteusername, &src->confrewriteusername) ||
        !mergeconfstring(&dst->dynamiclookupcommand, &src->dynamiclookupcommand) ||
        !mergeconfstring(&dst->fticks_viscountry, &src->fticks_viscountry) ||
        !mergeconfstring(&dst->fticks_visinst, &src->fticks_visinst))
        return 0;
    if (src->pdef)
        dst->pdef = src->pdef;
    dst->statusserver = src->statusserver;
    dst->certnamecheck = src->certnamecheck;
    if (src->retryinterval != 255)
        dst->retryinterval = src->retryinterval;
    if (src->retrycount != 255)
        dst->retrycount = src->retrycount;
    return 1;
}

/** Set *AF according to IPV4ONLY and IPV6ONLY:
    - If both are set, the function fails.
    - If exactly one is set, *AF is set accordingly.
    - If none is set, *AF is not affected.
    Return 0 on success and !0 on failure.
    In the case of an error, *AF is not affected.
*/ int config_hostaf(const char *desc, int ipv4only, int ipv6only, int *af) { assert(af != NULL); if (ipv4only && ipv6only) { debug(DBG_ERR, "error in block %s, at most one of IPv4Only and " "IPv6Only can be enabled", desc); return -1; } if (ipv4only) *af = AF_INET; if (ipv6only) *af = AF_INET6; return 0; } int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) { struct clsrvconf *conf; char *conftype = NULL, *rewriteinalias = NULL; long int dupinterval = LONG_MIN, addttl = LONG_MIN; uint8_t ipv4only = 0, ipv6only = 0; debug(DBG_DBG, "confclient_cb called for %s", block); conf = malloc(sizeof(struct clsrvconf)); if (!conf) debugx(1, DBG_ERR, "malloc failed"); memset(conf, 0, sizeof(struct clsrvconf)); conf->certnamecheck = 1; if (!getgenericconfig( cf, block, "type", CONF_STR, &conftype, "host", CONF_MSTR, &conf->hostsrc, "IPv4Only", CONF_BLN, &ipv4only, "IPv6Only", CONF_BLN, &ipv6only, "secret", CONF_STR, &conf->secret, #if defined(RADPROT_TLS) || defined(RADPROT_DTLS) "tls", CONF_STR, &conf->tls, "matchcertificateattribute", CONF_STR, &conf->matchcertattr, "CertificateNameCheck", CONF_BLN, &conf->certnamecheck, #endif "DuplicateInterval", CONF_LINT, &dupinterval, "addTTL", CONF_LINT, &addttl, "rewrite", CONF_STR, &rewriteinalias, "rewriteIn", CONF_STR, &conf->confrewritein, "rewriteOut", CONF_STR, &conf->confrewriteout, "rewriteattribute", CONF_STR, &conf->confrewriteusername, #if defined(WANT_FTICKS) "fticksVISCOUNTRY", CONF_STR, &conf->fticks_viscountry, "fticksVISINST", CONF_STR, &conf->fticks_visinst, #endif NULL )) debugx(1, DBG_ERR, "configuration error"); conf->name = stringcopy(val, 0); if (conf->name && !conf->hostsrc) { conf->hostsrc = malloc(2 * sizeof(char *)); if (conf->hostsrc) { conf->hostsrc[0] = stringcopy(val, 0); conf->hostsrc[1] = NULL; } } if (!conf->name || !conf->hostsrc || !conf->hostsrc[0]) debugx(1, DBG_ERR, "malloc failed"); if (!conftype) debugx(1, DBG_ERR, "error in block %s, option type missing", 
block); conf->type = protoname2int(conftype); if (conf->type == 255) debugx(1, DBG_ERR, "error in block %s, unknown transport %s", block, conftype); free(conftype); conf->pdef = protodefs[conf->type]; #if defined(RADPROT_TLS) || defined(RADPROT_DTLS) if (conf->type == RAD_TLS || conf->type == RAD_DTLS) { conf->tlsconf = conf->tls ? tlsgettls(conf->tls, NULL) : tlsgettls("defaultClient", "default"); if (!conf->tlsconf) debugx(1, DBG_ERR, "error in block %s, no tls context defined", block); if (conf->matchcertattr && !addmatchcertattr(conf)) debugx(1, DBG_ERR, "error in block %s, invalid MatchCertificateAttributeValue", block); } #endif conf->hostaf = AF_UNSPEC; if (config_hostaf("top level", options.ipv4only, options.ipv6only, &conf->hostaf)) debugx(1, DBG_ERR, "config error: ^"); if (config_hostaf(block, ipv4only, ipv6only, &conf->hostaf)) debugx(1, DBG_ERR, "error in block %s: ^", block); if (dupinterval != LONG_MIN) { if (dupinterval < 0 || dupinterval > 255) debugx(1, DBG_ERR, "error in block %s, value of option DuplicateInterval is %d, must be 0-255", block, dupinterval); conf->dupinterval = (uint8_t)dupinterval; } else conf->dupinterval = conf->pdef->duplicateintervaldefault; if (addttl != LONG_MIN) { if (addttl < 1 || addttl > 255) debugx(1, DBG_ERR, "error in block %s, value of option addTTL is %d, must be 1-255", block, addttl); conf->addttl = (uint8_t)addttl; } if (!conf->confrewritein) conf->confrewritein = rewriteinalias; else free(rewriteinalias); conf->rewritein = conf->confrewritein ? 
getrewrite(conf->confrewritein, NULL) : getrewrite("defaultClient", "default"); if (conf->confrewriteout) conf->rewriteout = getrewrite(conf->confrewriteout, NULL); if (conf->confrewriteusername) { conf->rewriteusername = extractmodattr(conf->confrewriteusername); if (!conf->rewriteusername) debugx(1, DBG_ERR, "error in block %s, invalid RewriteAttributeValue", block); } if (!addhostport(&conf->hostports, conf->hostsrc, conf->pdef->portdefault, 1) || !resolvehostports(conf->hostports, conf->hostaf, conf->pdef->socktype)) debugx(1, DBG_ERR, "%s: resolve failed, exiting", __func__); if (!conf->secret) { if (!conf->pdef->secretdefault) debugx(1, DBG_ERR, "error in block %s, secret must be specified for transport type %s", block, conf->pdef->name); conf->secret = stringcopy(conf->pdef->secretdefault, 0); if (!conf->secret) debugx(1, DBG_ERR, "malloc failed"); } conf->lock = malloc(sizeof(pthread_mutex_t)); if (!conf->lock) debugx(1, DBG_ERR, "malloc failed"); pthread_mutex_init(conf->lock, NULL); if (!list_push(clconfs, conf)) debugx(1, DBG_ERR, "malloc failed"); return 1; } int compileserverconfig(struct clsrvconf *conf, const char *block) { #if defined(RADPROT_TLS) || defined(RADPROT_DTLS) if (conf->type == RAD_TLS || conf->type == RAD_DTLS) { conf->tlsconf = conf->tls ? tlsgettls(conf->tls, NULL) : tlsgettls("defaultServer", "default"); if (!conf->tlsconf) { debug(DBG_ERR, "error in block %s, no tls context defined", block); return 0; } if (conf->matchcertattr && !addmatchcertattr(conf)) { debug(DBG_ERR, "error in block %s, invalid MatchCertificateAttributeValue", block); return 0; } } #endif if (!conf->portsrc) { conf->portsrc = stringcopy(conf->pdef->portdefault, 0); if (!conf->portsrc) { debug(DBG_ERR, "malloc failed"); return 0; } } if (conf->retryinterval == 255) conf->retryinterval = conf->pdef->retryintervaldefault; if (conf->retrycount == 255) conf->retrycount = conf->pdef->retrycountdefault; conf->rewritein = conf->confrewritein ? 
getrewrite(conf->confrewritein, NULL) : getrewrite("defaultServer", "default"); if (conf->confrewriteout) conf->rewriteout = getrewrite(conf->confrewriteout, NULL); if (!addhostport(&conf->hostports, conf->hostsrc, conf->portsrc, 0)) { debug(DBG_ERR, "error in block %s, failed to parse %s", block, *conf->hostsrc); return 0; } if (!conf->dynamiclookupcommand && !resolvehostports(conf->hostports, conf->hostaf, conf->pdef->socktype)) { debug(DBG_ERR, "%s: resolve failed", __func__); return 0; } return 1; } int confserver_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) { struct clsrvconf *conf, *resconf; char *conftype = NULL, *rewriteinalias = NULL; long int retryinterval = LONG_MIN, retrycount = LONG_MIN, addttl = LONG_MIN; uint8_t ipv4only = 0, ipv6only = 0; debug(DBG_DBG, "confserver_cb called for %s", block); conf = malloc(sizeof(struct clsrvconf)); if (!conf) { debug(DBG_ERR, "malloc failed"); return 0; } memset(conf, 0, sizeof(struct clsrvconf)); conf->loopprevention = UCHAR_MAX; /* Uninitialized. 
*/ resconf = (struct clsrvconf *)arg; if (resconf) { conf->statusserver = resconf->statusserver; conf->certnamecheck = resconf->certnamecheck; } else conf->certnamecheck = 1; if (!getgenericconfig(cf, block, "type", CONF_STR, &conftype, "host", CONF_MSTR, &conf->hostsrc, "IPv4Only", CONF_BLN, &ipv4only, "IPv6Only", CONF_BLN, &ipv6only, "port", CONF_STR, &conf->portsrc, "secret", CONF_STR, &conf->secret, #if defined(RADPROT_TLS) || defined(RADPROT_DTLS) "tls", CONF_STR, &conf->tls, "MatchCertificateAttribute", CONF_STR, &conf->matchcertattr, "CertificateNameCheck", CONF_BLN, &conf->certnamecheck, #endif "addTTL", CONF_LINT, &addttl, "rewrite", CONF_STR, &rewriteinalias, "rewriteIn", CONF_STR, &conf->confrewritein, "rewriteOut", CONF_STR, &conf->confrewriteout, "StatusServer", CONF_BLN, &conf->statusserver, "RetryInterval", CONF_LINT, &retryinterval, "RetryCount", CONF_LINT, &retrycount, "DynamicLookupCommand", CONF_STR, &conf->dynamiclookupcommand, "LoopPrevention", CONF_BLN, &conf->loopprevention, NULL )) { debug(DBG_ERR, "configuration error"); goto errexit; } conf->name = stringcopy(val, 0); if (conf->name && !conf->hostsrc) { conf->hostsrc = malloc(2 * sizeof(char *)); if (conf->hostsrc) { conf->hostsrc[0] = stringcopy(val, 0); conf->hostsrc[1] = NULL; } } if (!conf->name || !conf->hostsrc || !conf->hostsrc[0]) { debug(DBG_ERR, "malloc failed"); goto errexit; } if (!conftype) { debug(DBG_ERR, "error in block %s, option type missing", block); goto errexit; } conf->type = protoname2int(conftype); if (conf->type == 255) { debug(DBG_ERR, "error in block %s, unknown transport %s", block, conftype); goto errexit; } free(conftype); conftype = NULL; conf->hostaf = AF_UNSPEC; if (config_hostaf("top level", options.ipv4only, options.ipv6only, &conf->hostaf)) debugx(1, DBG_ERR, "config error: ^"); if (config_hostaf(block, ipv4only, ipv6only, &conf->hostaf)) goto errexit; conf->pdef = protodefs[conf->type]; if (!conf->confrewritein) conf->confrewritein = rewriteinalias; 
else free(rewriteinalias); rewriteinalias = NULL; if (retryinterval != LONG_MIN) { if (retryinterval < 1 || retryinterval > conf->pdef->retryintervalmax) { debug(DBG_ERR, "error in block %s, value of option RetryInterval is %d, must be 1-%d", block, retryinterval, conf->pdef->retryintervalmax); goto errexit; } conf->retryinterval = (uint8_t)retryinterval; } else conf->retryinterval = 255; if (retrycount != LONG_MIN) { if (retrycount < 0 || retrycount > conf->pdef->retrycountmax) { debug(DBG_ERR, "error in block %s, value of option RetryCount is %d, must be 0-%d", block, retrycount, conf->pdef->retrycountmax); goto errexit; } conf->retrycount = (uint8_t)retrycount; } else conf->retrycount = 255; if (addttl != LONG_MIN) { if (addttl < 1 || addttl > 255) { debug(DBG_ERR, "error in block %s, value of option addTTL is %d, must be 1-255", block, addttl); goto errexit; } conf->addttl = (uint8_t)addttl; } if (resconf) { if (!mergesrvconf(resconf, conf)) goto errexit; free(conf); conf = resconf; if (conf->dynamiclookupcommand) { free(conf->dynamiclookupcommand); conf->dynamiclookupcommand = NULL; } } if (resconf || !conf->dynamiclookupcommand) { if (!compileserverconfig(conf, block)) return 0; /* Don't goto errexit and free resconf -- it's * not ours to free. 
*/ } if (!conf->secret) { if (!conf->pdef->secretdefault) { debug(DBG_ERR, "error in block %s, secret must be specified for transport type %s", block, conf->pdef->name); return 0; } conf->secret = stringcopy(conf->pdef->secretdefault, 0); if (!conf->secret) { debug(DBG_ERR, "malloc failed"); return 0; } } if (resconf) return 1; if (!list_push(srvconfs, conf)) { debug(DBG_ERR, "malloc failed"); goto errexit; } return 1; errexit: free(conftype); free(rewriteinalias); freeclsrvconf(conf); return 0; } int confrealm_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) { char **servers = NULL, **accservers = NULL, *msg = NULL; uint8_t accresp = 0; debug(DBG_DBG, "confrealm_cb called for %s", block); if (!getgenericconfig(cf, block, "server", CONF_MSTR, &servers, "accountingServer", CONF_MSTR, &accservers, "ReplyMessage", CONF_STR, &msg, "AccountingResponse", CONF_BLN, &accresp, NULL )) debugx(1, DBG_ERR, "configuration error"); addrealm(realms, val, servers, accservers, msg, accresp); return 1; } int confrewrite_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) { char **rmattrs = NULL, **rmvattrs = NULL; char **addattrs = NULL, **addvattrs = NULL; char **modattrs = NULL; debug(DBG_DBG, "confrewrite_cb called for %s", block); if (!getgenericconfig(cf, block, "removeAttribute", CONF_MSTR, &rmattrs, "removeVendorAttribute", CONF_MSTR, &rmvattrs, "addAttribute", CONF_MSTR, &addattrs, "addVendorAttribute", CONF_MSTR, &addvattrs, "modifyAttribute", CONF_MSTR, &modattrs, NULL )) debugx(1, DBG_ERR, "configuration error"); addrewrite(val, rmattrs, rmvattrs, addattrs, addvattrs, modattrs); return 1; } int setprotoopts(uint8_t type, char **listenargs, char *sourcearg) { struct commonprotoopts *protoopts; protoopts = malloc(sizeof(struct commonprotoopts)); if (!protoopts) return 0; memset(protoopts, 0, sizeof(struct commonprotoopts)); protoopts->listenargs = listenargs; protoopts->sourcearg = sourcearg; 
protodefs[type]->setprotoopts(protoopts); return 1; } void getmainconfig(const char *configfile) { long int addttl = LONG_MIN, loglevel = LONG_MIN; struct gconffile *cfs; char **listenargs[RAD_PROTOCOUNT]; char *sourcearg[RAD_PROTOCOUNT]; #if defined(WANT_FTICKS) uint8_t *fticks_reporting_str = NULL; uint8_t *fticks_mac_str = NULL; uint8_t *fticks_key_str = NULL; #endif int i; cfs = openconfigfile(configfile); memset(&options, 0, sizeof(options)); memset(&listenargs, 0, sizeof(listenargs)); memset(&sourcearg, 0, sizeof(sourcearg)); clconfs = list_create(); if (!clconfs) debugx(1, DBG_ERR, "malloc failed"); srvconfs = list_create(); if (!srvconfs) debugx(1, DBG_ERR, "malloc failed"); realms = list_create(); if (!realms) debugx(1, DBG_ERR, "malloc failed"); rewriteconfs = hash_create(); if (!rewriteconfs) debugx(1, DBG_ERR, "malloc failed"); if (!getgenericconfig( &cfs, NULL, #ifdef RADPROT_UDP "ListenUDP", CONF_MSTR, &listenargs[RAD_UDP], "SourceUDP", CONF_STR, &sourcearg[RAD_UDP], #endif #ifdef RADPROT_TCP "ListenTCP", CONF_MSTR, &listenargs[RAD_TCP], "SourceTCP", CONF_STR, &sourcearg[RAD_TCP], #endif #ifdef RADPROT_TLS "ListenTLS", CONF_MSTR, &listenargs[RAD_TLS], "SourceTLS", CONF_STR, &sourcearg[RAD_TLS], #endif #ifdef RADPROT_DTLS "ListenDTLS", CONF_MSTR, &listenargs[RAD_DTLS], "SourceDTLS", CONF_STR, &sourcearg[RAD_DTLS], #endif "PidFile", CONF_STR, &options.pidfile, "TTLAttribute", CONF_STR, &options.ttlattr, "addTTL", CONF_LINT, &addttl, "LogLevel", CONF_LINT, &loglevel, "LogDestination", CONF_STR, &options.logdestination, "LoopPrevention", CONF_BLN, &options.loopprevention, "Client", CONF_CBK, confclient_cb, NULL, "Server", CONF_CBK, confserver_cb, NULL, "Realm", CONF_CBK, confrealm_cb, NULL, #if defined(RADPROT_TLS) || defined(RADPROT_DTLS) "TLS", CONF_CBK, conftls_cb, NULL, #endif "Rewrite", CONF_CBK, confrewrite_cb, NULL, #if defined(WANT_FTICKS) "FTicksReporting", CONF_STR, &fticks_reporting_str, "FTicksMAC", CONF_STR, &fticks_mac_str, "FTicksKey", 
CONF_STR, &fticks_key_str,
            "FTicksSyslogFacility", CONF_STR, &options.ftickssyslogfacility,
#endif
            "IPv4Only", CONF_BLN, &options.ipv4only,
            "IPv6Only", CONF_BLN, &options.ipv6only,
            NULL
            ))
        debugx(1, DBG_ERR, "configuration error");

    /* LONG_MIN is treated as "option not given"; any other value is
     * range-checked before it is narrowed to uint8_t. debugx(1, ...) is
     * presumably fatal (log, then exit with status 1) -- confirm in debug.c.
     * NOTE(review): both values are compared with LONG_MIN, so they are
     * presumably long while the messages print them with %d -- confirm. */
    if (loglevel != LONG_MIN) {
        if (loglevel < 1 || loglevel > 5)
            debugx(1, DBG_ERR, "error in %s, value of option LogLevel is %d, must be 1, 2, 3, 4 or 5", configfile, loglevel);
        options.loglevel = (uint8_t)loglevel;
    }
    if (addttl != LONG_MIN) {
        if (addttl < 1 || addttl > 255)
            debugx(1, DBG_ERR, "error in %s, value of option addTTL is %d, must be 1-255", configfile, addttl);
        options.addttl = (uint8_t)addttl;
    }
    if (!setttlattr(&options, DEFAULT_TTL_ATTR))
        debugx(1, DBG_ERR, "Failed to set TTLAttribute, exiting");

#if defined(WANT_FTICKS)
    fticks_configure(&options, &fticks_reporting_str, &fticks_mac_str, &fticks_key_str);
#endif

    /* Hand per-protocol listen/source arguments to each transport that has any. */
    for (i = 0; i < RAD_PROTOCOUNT; i++)
        if (listenargs[i] || sourcearg[i])
            setprotoopts(i, listenargs[i], sourcearg[i]);
}

/*
 * Parse the command line.
 *
 * Options: -c configfile, -d debuglevel (a single digit 1-5), -f foreground,
 * -i pidfile, -p pretend, -v print version and built-in transports, then exit.
 * Results are stored through the pointer arguments; configfile and pidfile
 * point into argv (optarg), nothing is copied. Any unknown option or leftover
 * non-option argument ends in the usage message via debugx(1, ...).
 */
void getargs(int argc, char **argv, uint8_t *foreground,
             uint8_t *pretend, uint8_t *loglevel, char **configfile,
             char **pidfile) {
    int c;

    while ((c = getopt(argc, argv, "c:d:i:fpv")) != -1) {
        switch (c) {
        case 'c':
            *configfile = optarg;
            break;
        case 'd':
            /* exactly one character in '1'..'5' is accepted */
            if (strlen(optarg) != 1 || *optarg < '1' || *optarg > '5')
                debugx(1, DBG_ERR, "Debug level must be 1, 2, 3, 4 or 5, not %s", optarg);
            *loglevel = *optarg - '0';
            break;
        case 'f':
            *foreground = 1;
            break;
        case 'i':
            *pidfile = optarg;
            break;
        case 'p':
            *pretend = 1;
            break;
        case 'v':
            debug(DBG_ERR, "radsecproxy revision %s", PACKAGE_VERSION);
            debug(DBG_ERR, "This binary was built with support for the following transports:");
#ifdef RADPROT_UDP
            debug(DBG_ERR, " UDP");
#endif
#ifdef RADPROT_TCP
            debug(DBG_ERR, " TCP");
#endif
#ifdef RADPROT_TLS
            debug(DBG_ERR, " TLS");
#endif
#ifdef RADPROT_DTLS
            debug(DBG_ERR, " DTLS");
#endif
            exit(0);
        default:
            goto usage;
        }
    }
    /* no positional arguments are accepted */
    if (!(argc - optind))
        return;

usage:
    debugx(1, DBG_ERR, "Usage:\n%s [ -c configfile ] [ -d debuglevel ] [ -f ] [ -i pidfile ] [ -p ] [ -v ]", argv[0]);
}

#ifdef SYS_SOLARIS9
/*
 * Replacement daemon() for Solaris 9: fork, let the parent exit, start a new
 * session and reopen descriptors 0-2 on /dev/null. Both arguments are ignored
 * and the function always returns 1.
 * NOTE(review): a failed fork() returns -1, which is non-zero, so the only
 * process then exits with status 0 and the caller's "< 0" check never fires.
 */
int daemon(int a, int b) {
    int i;

    if (fork())
        exit(0);

    setsid();

    for (i = 0; i < 3; i++) {
        close(i);
        /* relies on open() handing back the descriptor that was just closed */
        open("/dev/null", O_RDWR);
    }
    return 1;
}
#endif

/*
 * Body of the dedicated signal thread: waits synchronously for SIGHUP and
 * SIGPIPE with sigwait(). SIGHUP reopens the log, SIGPIPE is only logged.
 * Never returns.
 */
void *sighandler(void *arg) {
    sigset_t sigset;
    int sig;

    for(;;) {
        sigemptyset(&sigset);
        sigaddset(&sigset, SIGHUP);
        sigaddset(&sigset, SIGPIPE);
        sigwait(&sigset, &sig);
        switch (sig) {
        case 0:
            /* completely ignoring this */
            break;
        case SIGHUP:
            debug(DBG_INFO, "sighandler: got SIGHUP");
            debug_reopen_log();
            break;
        case SIGPIPE:
            debug(DBG_WARN, "sighandler: got SIGPIPE, TLS write error?");
            break;
        default:
            debug(DBG_WARN, "sighandler: ignoring signal %d", sig);
        }
    }
}

/*
 * Write the current process id, followed by a newline, to pidfile.
 * Returns non-zero only if the file could be opened, written and closed.
 * NOTE(review): fopen(..., "w") follows symbolic links and truncates the
 * target; the pidfile directory should be writable only by the account that
 * starts the daemon.
 */
int createpidfile(const char *pidfile) {
    int r = 0;
    FILE *f = fopen(pidfile, "w");
    if (f)
        r = fprintf(f, "%ld\n", (long) getpid());
    return f && !fclose(f) && r >= 0;
}

/*
 * Program entry point proper: initialises logging and the transports, reads
 * the command line and the main configuration, optionally daemonises, writes
 * the pidfile, starts the signal thread, the per-server client writer threads
 * and the listeners.
 */
int radsecproxy_main(int argc, char **argv) {
    pthread_t sigth;
    sigset_t sigset;
    struct list_node *entry;
    uint8_t foreground = 0, pretend = 0, loglevel = 0;
    char *configfile = NULL, *pidfile = NULL;
    struct clsrvconf *srvconf;
    int i;

    debug_init("radsecproxy");
    debug_set_level(DEBUG_LEVEL);

    for (i = 0; i < RAD_PROTOCOUNT; i++)
        protodefs[i] = protoinits[i](i);

    /* needed even if no TLS/DTLS transport */
    sslinit();

    getargs(argc, argv, &foreground, &pretend, &loglevel, &configfile, &pidfile);
    if (loglevel)
        debug_set_level(loglevel);
    getmainconfig(configfile ? configfile : CONFIG_MAIN);
    /* a level given with -d overrides the LogLevel option from the config file */
    if (loglevel)
        options.loglevel = loglevel;
    else if (options.loglevel)
        debug_set_level(options.loglevel);
    if (!foreground) {
        debug_set_destination(options.logdestination ? options.logdestination : "x-syslog:///", LOG_TYPE_DEBUG);
#if defined(WANT_FTICKS)
        if (options.ftickssyslogfacility) {
            debug_set_destination(options.ftickssyslogfacility, LOG_TYPE_FTICKS);
            free(options.ftickssyslogfacility);
        }
#endif
    }
    free(options.logdestination);

    if (!list_first(clconfs))
        debugx(1, DBG_ERR, "No clients configured, nothing to do, exiting");
    if (!list_first(realms))
        debugx(1, DBG_ERR, "No realms configured, nothing to do, exiting");

    /* -p: configuration has been parsed, stop here with status 0 */
    if (pretend)
        debugx(0, DBG_ERR, "All OK so far; exiting since only pretending");

    if (!foreground && (daemon(0, 0) < 0))
        debugx(1, DBG_ERR, "daemon() failed: %s", strerror(errno));

    debug_timestamp_on();
    debug(DBG_INFO, "radsecproxy revision %s starting", PACKAGE_VERSION);
    /* a pidfile given with -i takes precedence over the configured one */
    if (!pidfile)
        pidfile = options.pidfile;
    if (pidfile && !createpidfile(pidfile))
        debugx(1, DBG_ERR, "failed to create pidfile %s: %s", pidfile, strerror(errno));

    /* SIGHUP and SIGPIPE are blocked here, before any other thread is
     * created, and are picked up with sigwait() in the sighandler thread. */
    sigemptyset(&sigset);
    /* exit on all but SIGHUP|SIGPIPE, ignore more? */
    sigaddset(&sigset, SIGHUP);
    sigaddset(&sigset, SIGPIPE);
    pthread_sigmask(SIG_BLOCK, &sigset, NULL);
    /* NOTE(review): unlike the pthread_create() calls below, this return
     * value is not checked. */
    pthread_create(&sigth, NULL, sighandler, NULL);

    /* one client writer thread per statically configured server;
     * servers with a dynamic lookup command are skipped here */
    for (entry = list_first(srvconfs); entry; entry = list_next(entry)) {
        srvconf = (struct clsrvconf *)entry->data;
        if (srvconf->dynamiclookupcommand)
            continue;
        if (!addserver(srvconf))
            debugx(1, DBG_ERR, "failed to add server");
        if (pthread_create(&srvconf->servers->clientth, NULL, clientwr,
                           (void *)(srvconf->servers)))
            debugx(1, DBG_ERR, "pthread_create failed");
    }

    for (i = 0; i < RAD_PROTOCOUNT; i++) {
        if (!protodefs[i])
            continue;
        if (protodefs[i]->initextra)
            protodefs[i]->initextra();
        /* listeners are only created for transports that have a client configured */
        if (find_clconf_type(i, NULL))
            createlisteners(i);
    }

    /* just hang around doing nothing, anything to do here?
*/ for (;;) sleep(1000); } /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/acinclude.m40000664000175100017510000000252512042223225013177 00000000000000dnl Based on the one from the Boinc project by Reinhard AC_DEFUN([AX_CHECK_SSL], [AC_MSG_CHECKING(for OpenSSL) SSL_DIR= found_ssl="no" AC_ARG_WITH(ssl, AC_HELP_STRING([--with-ssl], [Use SSL (in specified installation directory)]), [check_ssl_dir="$withval"], [check_ssl_dir=]) for dir in $check_ssl_dir /usr /usr/local/ssl /usr/lib/ssl /usr/ssl /usr/pkg /usr/local ; do ssldir="$dir" if test -f "$dir/include/openssl/ssl.h"; then found_ssl="yes"; SSL_DIR="${ssldir}" SSL_CFLAGS="-I$ssldir/include -I$ssldir/include/openssl"; break; fi if test -f "$dir/include/ssl.h"; then found_ssl="yes"; SSL_DIR="${ssldir}" SSL_CFLAGS="-I$ssldir/include/"; break fi done AC_MSG_RESULT($found_ssl) if test x_$found_ssl != x_yes; then AC_MSG_ERROR([ ---------------------------------------------------------------------- Cannot find SSL libraries. Please install OpenSSL or specify installation directory with --with-ssl=(dir). ---------------------------------------------------------------------- ]) else printf "OpenSSL found in $ssldir\n"; SSL_LIBS="-lssl -lcrypto"; SSL_LDFLAGS="-L$ssldir/lib"; AC_DEFINE_UNQUOTED([USE_OPENSSL],[1], ["Define to 1 if you want to use the OpenSSL crypto library"]) AC_SUBST(SSL_CFLAGS) AC_SUBST(SSL_LDFLAGS) AC_SUBST(SSL_LIBS) fi ])dnl radsecproxy-1.6.2/tlv11.c0000664000175100017510000000471012042223225012117 00000000000000/* * Copyright (C) 2008 Stig Venaas * Copyright (C) 2010 NORDUnet A/S * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above * copyright notice and this permission notice appear in all copies. 
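*/

/* NOTE(review): the <...> header names of the bare #include lines in this
 * listing were lost when the page was extracted; they are kept as found. */
#ifdef SYS_SOLARIS9
#include
#else
#include
#endif
#include "list.h"
#include "tlv11.h"
#include
#include
#include

/*
 * Allocate a TLV with type t and length l. When l is non-zero and v is
 * non-NULL, l octets are copied from v; otherwise the value pointer is NULL
 * (the length field is still stored as given).
 * Returns NULL if an allocation fails. The caller owns the result and
 * releases it with freetlv().
 */
struct tlv *maketlv(uint8_t t, uint8_t l, void *v) {
    struct tlv *tlv;

    tlv = malloc(sizeof(struct tlv));
    if (!tlv)
        return NULL;
    tlv->t = t;
    tlv->l = l;
    if (l && v) {
        tlv->v = malloc(l);
        if (!tlv->v) {
            free(tlv);
            return NULL;
        }
        memcpy(tlv->v, v, l);
    } else
        tlv->v = NULL;
    return tlv;
}

/* Deep copy of a TLV; NULL in gives NULL out, as does an allocation failure. */
struct tlv *copytlv(struct tlv *in) {
    return in ? maketlv(in->t, in->l, in->v) : NULL;
}

/* Release a TLV and its value buffer; NULL is accepted. */
void freetlv(struct tlv *tlv) {
    if (tlv) {
        free(tlv->v);
        free(tlv);
    }
}

/*
 * Compare two TLVs. Two NULL pointers are equal, one NULL is not.
 * Otherwise type, length and the value octets must all match.
 * maketlv() can produce a TLV with a non-zero length and a NULL value, so
 * the value pointers are checked before memcmp(): two NULL values are
 * equal, a NULL and a non-NULL value are not.
 */
int eqtlv(struct tlv *t1, struct tlv *t2) {
    if (!t1 || !t2)
        return t1 == t2;
    if (t1->t != t2->t || t1->l != t2->l)
        return 0;
    if (!t1->l)
        return 1;
    if (!t1->v || !t2->v)
        return t1->v == t2->v;
    return memcmp(t1->v, t2->v, t1->l) == 0;
}

/*
 * Deep copy of a list of TLVs. Returns NULL for a NULL list and on any
 * allocation failure; a partially built copy is released before returning.
 * A failed copytlv() is treated as an error instead of being pushed as a
 * NULL entry, and a copy that could not be pushed is freed.
 */
struct list *copytlvlist(struct list *tlvs) {
    struct list *out;
    struct list_node *node;
    struct tlv *src, *copy;

    if (!tlvs)
        return NULL;
    out = list_create();
    if (!out)
        return NULL;
    for (node = list_first(tlvs); node; node = list_next(node)) {
        src = (struct tlv *)node->data;
        copy = copytlv(src);
        if ((src && !copy) || !list_push(out, copy)) {
            freetlv(copy);
            freetlvlist(out);
            return NULL;
        }
    }
    return out;
}

/* Release every TLV in the list, then the list itself. */
void freetlvlist(struct list *tlvs) {
    struct tlv *tlv;
    while ((tlv = (struct tlv *)list_shift(tlvs)))
        freetlv(tlv);
    list_destroy(tlvs);
}

/*
 * Remove and free every TLV of type t from the list.
 * p tracks the last node that was kept, so iteration can resume after the
 * node that list_removedata() has just unlinked.
 */
void rmtlv(struct list *tlvs, uint8_t t) {
    struct list_node *n, *p;
    struct tlv *tlv;

    p = NULL;
    n = list_first(tlvs);
    while (n) {
        tlv = (struct tlv *)n->data;
        if (tlv->t == t) {
            list_removedata(tlvs, tlv);
            freetlv(tlv);
            n = p ? list_next(p) : list_first(tlvs);
        } else {
            p = n;
            n = list_next(n);
        }
    }
}

/*
 * Return the value of a TLV as a newly allocated, NUL-terminated buffer of
 * tlv->l + 1 octets, or NULL if the allocation fails. The caller frees it.
 * A TLV without a value buffer yields zero octets, matching tlv2buf().
 */
uint8_t *tlv2str(struct tlv *tlv) {
    uint8_t *s = malloc(tlv->l + 1);
    if (s) {
        if (tlv->v)
            memcpy(s, tlv->v, tlv->l);
        else
            memset(s, 0, tlv->l);
        s[tlv->l] = '\0';
    }
    return s;
}

/*
 * Serialise a TLV at p as type octet, length octet, then tlv->l value octets
 * (zeros when the TLV has no value buffer). Returns p advanced past the two
 * header octets only. The caller must provide at least 2 + tlv->l octets;
 * nothing here checks the destination size.
 */
uint8_t *tlv2buf(uint8_t *p, const struct tlv *tlv) {
    *p++ = tlv->t;
    *p++ = tlv->l;
    if (tlv->l) {
        if (tlv->v)
            memcpy(p, tlv->v, tlv->l);
        else
            memset(p, 0, tlv->l);
    }
    return p;
}

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/dtls.c0000664000175100017510000005003512042223225012117 00000000000000
/*
 * Copyright (C) 2008-2009 Stig Venaas
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 */

#include
#include
#include
#include
#include
#include
#include
#ifdef SYS_SOLARIS9
#include
#endif
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "hash.h"
#include "radsecproxy.h"

#ifdef RADPROT_DTLS
#include "debug.h"
#include "util.h"
#include "hostport.h"

static void setprotoopts(struct commonprotoopts *opts);
static char **getlistenerargs();
void *udpdtlsserverrd(void *arg);
int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text);
void *dtlsclientrd(void *arg);
int clientradputdtls(struct server *server, unsigned char *rad);
void addserverextradtls(struct clsrvconf *conf);
void dtlssetsrcres();
void initextradtls();

/* Transport description handed back by dtlsinit(). */
static const struct protodefs protodefs = {
    "dtls",
    "radsec", /* secretdefault */
    SOCK_DGRAM, /* socktype */
    "2083", /* portdefault */
    REQUEST_RETRY_COUNT, /* retrycountdefault */
    10, /* retrycountmax */
    REQUEST_RETRY_INTERVAL, /* retryintervaldefault */
    60, /* retryintervalmax */
    DUPLICATE_INTERVAL, /* duplicateintervaldefault */
    setprotoopts, /* setprotoopts */
    getlistenerargs, /* getlistenerargs */
    udpdtlsserverrd, /* listener */
    dtlsconnect, /* connecter */
    dtlsclientrd, /*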
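clientconnreader */
    clientradputdtls, /* clientradput */
    NULL, /* addclient */
    addserverextradtls, /* addserverextra */
    dtlssetsrcres, /* setsrcres */
    initextradtls /* initextra */
};

/* One shared outgoing UDP socket per address family, created on demand. */
static int client4_sock = -1;
static int client6_sock = -1;
static struct addrinfo *srcres = NULL;
static uint8_t handle;
static struct commonprotoopts *protoopts = NULL;

/* Register the protocol handle for this transport and return its definition. */
const struct protodefs *dtlsinit(uint8_t h) {
    handle = h;
    return &protodefs;
}

static void setprotoopts(struct commonprotoopts *opts) {
    protoopts = opts;
}

static char **getlistenerargs() {
    return protoopts ? protoopts->listenargs : NULL;
}

/* Per-peer entry in the listener's session cache, keyed by source address. */
struct sessioncacheentry {
    pthread_mutex_t mutex;
    struct gqueue *rbios;   /* queue of received datagrams, one BIO each */
    struct timeval expiry;  /* set when the session thread ends; 0 while it runs */
};

/* Arguments handed to a dtlsservernew() thread; the thread frees the struct. */
struct dtlsservernewparams {
    struct sessioncacheentry *sesscache;
    int sock;
    struct sockaddr_storage addr;
};

/* Resolve the configured source address once. */
void dtlssetsrcres() {
    if (!srcres)
        srcres = resolvepassiveaddrinfo(protoopts ? protoopts->sourcearg : NULL, AF_UNSPEC, NULL, protodefs.socktype);
}

/*
 * Read one datagram of up to cnt octets from socket s and append it to
 * queue q as a memory BIO, waking one waiter.
 * Returns 1 if a BIO was queued, 0 otherwise. When the receive buffer cannot
 * be allocated, one octet is read so that the datagram is still dropped from
 * the socket.
 *
 * The datagram is copied into a BIO_s_mem() BIO, which owns its storage.
 * A BIO created with BIO_new_mem_buf() only borrows the caller's buffer, so
 * the malloc'ed packet would never be released when the consumer calls
 * BIO_free() -- on a listener that is reachable before authentication, a
 * leak per datagram is a memory-exhaustion risk.
 */
int udp2bio(int s, struct gqueue *q, int cnt) {
    unsigned char *buf;
    BIO *rbio;

    if (cnt < 1)
        return 0;

    buf = malloc(cnt);
    if (!buf) {
        unsigned char err;
        debug(DBG_ERR, "udp2bio: malloc failed");
        recv(s, &err, 1, 0);
        return 0;
    }

    cnt = recv(s, buf, cnt, 0);
    if (cnt < 1) {
        debug(DBG_WARN, "udp2bio: recv failed");
        free(buf);
        return 0;
    }

    rbio = BIO_new(BIO_s_mem());
    if (!rbio || BIO_write(rbio, buf, cnt) != cnt) {
        debug(DBG_ERR, "udp2bio: BIO allocation failed");
        BIO_free(rbio);
        free(buf);
        return 0;
    }
    free(buf);
    BIO_set_mem_eof_return(rbio, -1);

    pthread_mutex_lock(&q->mutex);
    if (!list_push(q->entries, rbio)) {
        BIO_free(rbio);
        pthread_mutex_unlock(&q->mutex);
        return 0;
    }
    pthread_cond_signal(&q->cond);
    pthread_mutex_unlock(&q->mutex);
    return 1;
}

/*
 * Take the next queued datagram BIO from q. If the queue is empty, wait once
 * on the condition variable (for up to timeout seconds, or without limit when
 * timeout is 0) and try again. Returns NULL if nothing arrived.
 * The ssl argument is not used.
 */
BIO *getrbio(SSL *ssl, struct gqueue *q, int timeout) {
    BIO *rbio;
    struct timeval now;
    struct timespec to;

    pthread_mutex_lock(&q->mutex);
    if (!(rbio = (BIO *)list_shift(q->entries))) {
        if (timeout) {
            gettimeofday(&now, NULL);
            memset(&to, 0, sizeof(struct timespec));
            to.tv_sec = now.tv_sec + timeout;
            pthread_cond_timedwait(&q->cond, &q->mutex, &to);
        } else
            pthread_cond_wait(&q->cond, &q->mutex);
        rbio = (BIO *)list_shift(q->entries);
    }
    pthread_mutex_unlock(&q->mutex);
    return rbio;
}

/*
 * Read exactly num octets of application data from ssl into buf, feeding the
 * SSL object a fresh datagram BIO from q whenever it wants more input.
 * Returns num on success, 0 if no datagram arrived in time, -1 on
 * close_notify or any other SSL error. With num <= 0 the loop body never
 * runs and num is returned unchanged.
 */
int dtlsread(SSL *ssl, struct gqueue *q, unsigned char *buf, int num, int timeout) {
    int len, cnt;
    BIO *rbio;

    for (len = 0; len < num; len += cnt) {
        cnt = SSL_read(ssl, buf + len, num - len);
        if (cnt <= 0)
            switch (cnt = SSL_get_error(ssl, cnt)) {
            case SSL_ERROR_WANT_READ:
                rbio = getrbio(ssl, q, timeout);
                if (!rbio)
                    return 0;
                BIO_free(ssl->rbio);
                ssl->rbio = rbio;
                cnt = 0;
                continue;
            case SSL_ERROR_WANT_WRITE:
                cnt = 0;
                continue;
            case SSL_ERROR_ZERO_RETURN:
                /* remote end sent close_notify, send one back */
                SSL_shutdown(ssl);
                return -1;
            default:
                return -1;
            }
    }
    return num;
}

/*
 * Run a DTLS handshake on socket s with peer addr, taking incoming datagrams
 * from rbios. Accepts when acc == 1, otherwise connects.
 * Up to five handshake rounds are tried, each waiting at most five seconds
 * for input. Returns the established SSL object, or NULL on failure.
 */
/* accept if acc == 1, else connect */
SSL *dtlsacccon(uint8_t acc, SSL_CTX *ctx, int s, struct sockaddr *addr, struct gqueue *rbios) {
    SSL *ssl;
    int i, res;
    unsigned long error;
    BIO *mem0bio, *wbio;

    ssl = SSL_new(ctx);
    if (!ssl)
        return NULL;

    mem0bio = BIO_new(BIO_s_mem());
    wbio = BIO_new_dgram(s, BIO_NOCLOSE);
    if (!mem0bio || !wbio) {
        /* do not hand NULL BIOs to the SSL object */
        BIO_free(mem0bio);
        BIO_free(wbio);
        SSL_free(ssl);
        return NULL;
    }
    BIO_set_mem_eof_return(mem0bio, -1);
    i = BIO_dgram_set_peer(wbio, addr); /* i just to avoid warning */
    SSL_set_bio(ssl, mem0bio, wbio);

    for (i = 0; i < 5; i++) {
        res = acc ? SSL_accept(ssl) : SSL_connect(ssl);
        if (res > 0)
            return ssl;
        if (res == 0)
            break;
        if (SSL_get_error(ssl, res) == SSL_ERROR_WANT_READ) {
            BIO_free(ssl->rbio);
            ssl->rbio = getrbio(ssl, rbios, 5);
            if (!ssl->rbio)
                break;
        }
        while ((error = ERR_get_error()))
            debug(DBG_ERR, "dtls%st: DTLS: %s", acc ? "accep" : "connec", ERR_error_string(error, NULL));
    }

    SSL_free(ssl);
    return NULL;
}

/*
 * Read one RADIUS message from a DTLS session.
 * The first four octets are read to obtain the length via RADLEN(); messages
 * shorter than 20 octets are read, discarded and the next one is tried.
 * Returns a malloc'ed buffer holding the message (caller frees), or NULL on
 * timeout or a lost connection.
 *
 * The length field comes from the peer. A value below 4 is rejected before
 * the allocation, because the four header octets are copied into the new
 * buffer and would otherwise be written past its end.
 */
unsigned char *raddtlsget(SSL *ssl, struct gqueue *rbios, int timeout) {
    int cnt, len;
    unsigned char buf[4], *rad;

    for (;;) {
        cnt = dtlsread(ssl, rbios, buf, 4, timeout);
        if (cnt < 1) {
            debug(DBG_DBG, cnt ? "raddtlsget: connection lost" : "raddtlsget: timeout");
            return NULL;
        }

        len = RADLEN(buf);
        if (len < 4) {
            debug(DBG_WARN, "raddtlsget: packet smaller than minimum radius size");
            return NULL;
        }
        rad = malloc(len);
        if (!rad) {
            /* NOTE(review): the body of this message is not consumed before
             * the next header is read, so the stream may be out of step
             * after an allocation failure -- confirm the intended recovery. */
            debug(DBG_ERR, "raddtlsget: malloc failed");
            continue;
        }
        memcpy(rad, buf, 4);

        cnt = dtlsread(ssl, rbios, rad + 4, len - 4, timeout);
        if (cnt < 1) {
            debug(DBG_DBG, cnt ? "raddtlsget: connection lost" : "raddtlsget: timeout");
            free(rad);
            return NULL;
        }

        if (len >= 20)
            break;

        free(rad);
        debug(DBG_WARN, "raddtlsget: packet smaller than minimum radius size");
    }

    debug(DBG_DBG, "raddtlsget: got %d bytes", len);
    return rad;
}

/*
 * Writer thread for one DTLS client: sends queued replies until the reader
 * clears client->ssl and signals the reply queue.
 */
void *dtlsserverwr(void *arg) {
    int cnt;
    unsigned long error;
    struct client *client = (struct client *)arg;
    struct gqueue *replyq;
    struct request *reply;

    debug(DBG_DBG, "dtlsserverwr: starting for %s", addr2string(client->addr));
    replyq = client->replyq;
    for (;;) {
        pthread_mutex_lock(&replyq->mutex);
        while (!list_first(replyq->entries)) {
            if (client->ssl) {
                debug(DBG_DBG, "dtlsserverwr: waiting for signal");
                pthread_cond_wait(&replyq->cond, &replyq->mutex);
                debug(DBG_DBG, "dtlsserverwr: got signal");
            }
            if (!client->ssl) {
                /* ssl might have changed while waiting */
                pthread_mutex_unlock(&replyq->mutex);
                debug(DBG_DBG, "dtlsserverwr: exiting as requested");
                ERR_remove_state(0);
                pthread_exit(NULL);
            }
        }
        reply = (struct request *)list_shift(replyq->entries);
        pthread_mutex_unlock(&replyq->mutex);
        cnt = SSL_write(client->ssl, reply->replybuf, RADLEN(reply->replybuf));
        if (cnt > 0)
            debug(DBG_DBG, "dtlsserverwr: sent %d bytes, Radius packet of length %d to %s",
                  cnt, RADLEN(reply->replybuf), addr2string(client->addr));
        else
            while ((error = ERR_get_error()))
                debug(DBG_ERR, "dtlsserverwr: SSL: %s", ERR_error_string(error, NULL));
        freerq(reply);
    }
}

/*
 * Reader loop for one authenticated DTLS client. Starts the writer thread,
 * passes every received message to radsrv(), and stops when the session is
 * lost or radsrv() rejects a message. On exit the writer is told to stop and
 * joined.
 */
void dtlsserverrd(struct client *client) {
    struct request *rq;
    uint8_t *buf;
    pthread_t dtlsserverwrth;

    debug(DBG_DBG, "dtlsserverrd: starting for %s", addr2string(client->addr));

    if (pthread_create(&dtlsserverwrth, NULL, dtlsserverwr, (void *)client)) {
        debug(DBG_ERR, "dtlsserverrd: pthread_create failed");
        return;
    }

    for (;;) {
        buf = raddtlsget(client->ssl, client->rbios, IDLE_TIMEOUT);
        if (!buf) {
            debug(DBG_ERR, "dtlsserverrd: connection from %s lost", addr2string(client->addr));
            break;
        }
        debug(DBG_DBG, "dtlsserverrd: got Radius message from %s", addr2string(client->addr));
        rq = newrequest();
        if (!rq) {
            free(buf);
            continue;
        }
        rq->buf = buf;
        rq->from = client;
        if (!radsrv(rq)) {
            debug(DBG_ERR, "dtlsserverrd: message authentication/validation failed, closing connection from %s", addr2string(client->addr));
            break;
        }
    }

    /* stop writer by setting ssl to NULL and give signal in case waiting for data */
    client->ssl = NULL;

    pthread_mutex_lock(&client->replyq->mutex);
    pthread_cond_signal(&client->replyq->cond);
    pthread_mutex_unlock(&client->replyq->mutex);
    debug(DBG_DBG, "dtlsserverrd: waiting for writer to end");
    pthread_join(dtlsserverwrth, NULL);
    debug(DBG_DBG, "dtlsserverrd: reader for %s exiting", addr2string(client->addr));
}

/*
 * Thread started for each new DTLS source address. Performs the handshake
 * using the TLS context of the first client block matching the address,
 * validates the peer certificate, then looks for a client block that accepts
 * it and serves the session.
 *
 * The handshake is validated against one TLS configuration (accepted_tls).
 * A client block is only considered when it uses that same configuration,
 * so a certificate validated under one CA set is never matched against a
 * block that trusts a different one.
 *
 * On exit the cache entry's queue is released and its expiry is set: at once
 * after a served session, 60 seconds later after a rejected attempt.
 */
void *dtlsservernew(void *arg) {
    struct dtlsservernewparams *params = (struct dtlsservernewparams *)arg;
    struct client *client;
    struct clsrvconf *conf;
    struct list_node *cur = NULL;
    SSL *ssl = NULL;
    X509 *cert = NULL;
    SSL_CTX *ctx = NULL;
    uint8_t delay = 60;
    struct tls *accepted_tls = NULL;

    debug(DBG_DBG, "dtlsservernew: starting");
    conf = find_clconf(handle, (struct sockaddr *)&params->addr, NULL);
    if (conf) {
        ctx = tlsgetctx(handle, conf->tlsconf);
        if (!ctx)
            goto exit;
        ssl = dtlsacccon(1, ctx, params->sock, (struct sockaddr *)&params->addr, params->sesscache->rbios);
        if (!ssl)
            goto exit;
        cert = verifytlscert(ssl);
        if (!cert)
            goto exit;
        accepted_tls = conf->tlsconf;
    }

    while (conf) {
        if (accepted_tls == conf->tlsconf && verifyconfcert(cert, conf)) {
            X509_free(cert);
            client = addclient(conf, 1);
            if (client) {
                client->sock = params->sock;
                client->addr = addr_copy((struct sockaddr *)&params->addr);
                client->rbios = params->sesscache->rbios;
                client->ssl = ssl;
                dtlsserverrd(client);
                removeclient(client);
                delay = 0;
            } else {
                debug(DBG_WARN, "dtlsservernew: failed to create new client instance");
            }
            goto exit;
        }
        conf = find_clconf(handle, (struct sockaddr *)&params->addr, &cur);
    }
    debug(DBG_WARN, "dtlsservernew: ignoring request, no matching TLS client");

    if (cert)
        X509_free(cert);

exit:
    if (ssl) {
        SSL_shutdown(ssl);
        SSL_free(ssl);
    }
    pthread_mutex_lock(&params->sesscache->mutex);
    freebios(params->sesscache->rbios);
    params->sesscache->rbios = NULL;
    gettimeofday(&params->sesscache->expiry, NULL);
    params->sesscache->expiry.tv_sec += delay;
    pthread_mutex_unlock(&params->sesscache->mutex);
    free(params);
    ERR_remove_state(0);
    /* logged before pthread_exit(), which does not return */
    debug(DBG_DBG, "dtlsservernew: exiting");
    pthread_exit(NULL);
}

/*
 * Drop session cache entries whose expiry time has passed. Runs at most once
 * every 19 seconds (tracked through *last). Entries with expiry 0 belong to
 * a running session thread and are left alone.
 * NOTE(review): the entry is taken out of the hash and its mutex destroyed,
 * but the entry itself is not freed here -- confirm whether hash_extract()
 * releases it. Iteration also continues from he after it was extracted;
 * confirm that hash_next() tolerates that.
 */
void cacheexpire(struct hash *cache, struct timeval *last) {
    struct timeval now;
    struct hash_entry *he;
    struct sessioncacheentry *e;

    gettimeofday(&now, NULL);
    if (now.tv_sec - last->tv_sec < 19)
        return;

    for (he = hash_first(cache); he; he = hash_next(he)) {
        e = (struct sessioncacheentry *)he->data;
        pthread_mutex_lock(&e->mutex);
        if (!e->expiry.tv_sec || e->expiry.tv_sec > now.tv_sec) {
            pthread_mutex_unlock(&e->mutex);
            continue;
        }
        debug(DBG_DBG, "cacheexpire: freeing entry");
        hash_extract(cache, he->key, he->keylen);
        if (e->rbios) {
            freebios(e->rbios);
            e->rbios = NULL;
        }
        pthread_mutex_unlock(&e->mutex);
        pthread_mutex_destroy(&e->mutex);
    }
    last->tv_sec = now.tv_sec;
}

/*
 * Listener thread for the DTLS server socket (arg points to the socket).
 * Each datagram is peeked to learn its source and size. Datagrams from a
 * known source are queued for that session; a new source gets a cache entry
 * and its own dtlsservernew() thread. Never returns.
 *
 * Every path that gives up on a datagram also reads it from the socket,
 * otherwise the same datagram would be peeked again on the next round.
 * Session threads and cache entries are created for any source address
 * before the handshake; entries of rejected peers are kept for 60 seconds by
 * dtlsservernew(), which limits how often one address can trigger a new
 * thread.
 */
void *udpdtlsserverrd(void *arg) {
    int ndesc, cnt, s = *(int *)arg;
    unsigned char buf[4];
    struct sockaddr_storage from;
    socklen_t fromlen = sizeof(from);
    struct dtlsservernewparams *params;
    fd_set readfds;
    struct timeval timeout, lastexpiry;
    pthread_t dtlsserverth;
    struct hash *sessioncache;
    struct sessioncacheentry *cacheentry;

    sessioncache = hash_create();
    if (!sessioncache)
        debugx(1, DBG_ERR, "udpdtlsserverrd: malloc failed");
    gettimeofday(&lastexpiry, NULL);

    for (;;) {
        FD_ZERO(&readfds);
        FD_SET(s, &readfds);
        memset(&timeout, 0, sizeof(struct timeval));
        timeout.tv_sec = 60;
        ndesc = select(s + 1, &readfds, NULL, NULL, &timeout);
        if (ndesc < 1) {
            cacheexpire(sessioncache, &lastexpiry);
            continue;
        }
        /* value-result argument: must hold the buffer size on every call,
         * the address length is also the session cache key length */
        fromlen = sizeof(from);
        cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen);
        if (cnt == -1) {
            debug(DBG_WARN, "udpdtlsserverrd: recv failed");
            cacheexpire(sessioncache, &lastexpiry);
            continue;
        }
        cacheentry = hash_read(sessioncache, &from, fromlen);
        if (cacheentry) {
            debug(DBG_DBG, "udpdtlsserverrd: cache hit");
            pthread_mutex_lock(&cacheentry->mutex);
            if (cacheentry->rbios) {
                if (udp2bio(s, cacheentry->rbios, cnt))
                    debug(DBG_DBG, "udpdtlsserverrd: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from));
            } else
                /* session already ended: drop the datagram */
                recv(s, buf, 1, 0);
            pthread_mutex_unlock(&cacheentry->mutex);
            cacheexpire(sessioncache, &lastexpiry);
            continue;
        }

        /* from new source */
        debug(DBG_DBG, "udpdtlsserverrd: cache miss");
        params = malloc(sizeof(struct dtlsservernewparams));
        if (!params) {
            cacheexpire(sessioncache, &lastexpiry);
            recv(s, buf, 1, 0);
            continue;
        }
        memset(params, 0, sizeof(struct dtlsservernewparams));
        params->sesscache = malloc(sizeof(struct sessioncacheentry));
        if (!params->sesscache) {
            free(params);
            cacheexpire(sessioncache, &lastexpiry);
            recv(s, buf, 1, 0);
            continue;
        }
        memset(params->sesscache, 0, sizeof(struct sessioncacheentry));
        pthread_mutex_init(&params->sesscache->mutex, NULL);
        params->sesscache->rbios = newqueue();
        if (hash_insert(sessioncache, &from, fromlen, params->sesscache)) {
            params->sock = s;
            memcpy(&params->addr, &from, fromlen);

            if (udp2bio(s, params->sesscache->rbios, cnt)) {
                debug(DBG_DBG, "udpdtlsserverrd: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from));
                if (!pthread_create(&dtlsserverth, NULL, dtlsservernew, (void *)params)) {
                    pthread_detach(dtlsserverth);
                    cacheexpire(sessioncache, &lastexpiry);
                    continue;
                }
                debug(DBG_ERR, "udpdtlsserverrd: pthread_create failed");
            }
            hash_extract(sessioncache, &from, fromlen);
        } else
            /* the datagram was only peeked so far: drop it from the socket */
            recv(s, buf, 1, 0);
        freebios(params->sesscache->rbios);
        pthread_mutex_destroy(&params->sesscache->mutex);
        free(params->sesscache);
        free(params);
        cacheexpire(sessioncache, &lastexpiry);
    }
}

/*
 * (Re)establish the DTLS session to a server, retrying with a growing delay
 * until the handshake succeeds and the certificate matches the server
 * configuration. when, if given, is the lastconnecttry value the caller saw;
 * a different current value means another thread already reconnected.
 * Returns 1 when connected (or already reconnected), 0 when timeout seconds
 * have passed since the last attempt. server->lock is held throughout,
 * including while sleeping.
 */
int dtlsconnect(struct server *server, struct timeval *when, int timeout, char *text) {
    struct timeval now;
    time_t elapsed;
    X509 *cert;
    SSL_CTX *ctx = NULL;
    struct hostportres *hp;

    debug(DBG_DBG, "dtlsconnect: called from %s", text);
    pthread_mutex_lock(&server->lock);
    if (when && memcmp(&server->lastconnecttry, when, sizeof(struct timeval))) {
        /* already reconnected, nothing to do */
        debug(DBG_DBG, "dtlsconnect(%s): seems already reconnected", text);
        pthread_mutex_unlock(&server->lock);
        return 1;
    }

    hp = (struct hostportres *)list_first(server->conf->hostports)->data;
    for (;;) {
        gettimeofday(&now, NULL);
        elapsed = now.tv_sec - server->lastconnecttry.tv_sec;

        if (timeout && server->lastconnecttry.tv_sec && elapsed > timeout) {
            debug(DBG_DBG, "dtlsconnect: timeout");
            SSL_free(server->ssl);
            server->ssl = NULL;
            pthread_mutex_unlock(&server->lock);
            return 0;
        }

        if (server->connectionok) {
            server->connectionok = 0;
            sleep(2);
        } else if (elapsed < 1)
            sleep(2);
        else if (elapsed < 60) {
            debug(DBG_INFO, "dtlsconnect: sleeping %lds", elapsed);
            sleep(elapsed);
        } else if (elapsed < 100000) {
            debug(DBG_INFO, "dtlsconnect: sleeping %ds", 60);
            sleep(60);
        } else
            server->lastconnecttry.tv_sec = now.tv_sec;  /* no sleep at startup */
        debug(DBG_WARN, "dtlsconnect: trying to open DTLS connection to %s port %s", hp->host, hp->port);

        SSL_free(server->ssl);
        server->ssl = NULL;
        ctx = tlsgetctx(handle, server->conf->tlsconf);
        if (!ctx)
            continue;
        server->ssl = dtlsacccon(0, ctx, server->sock, hp->addrinfo->ai_addr, server->rbios);
        if (!server->ssl)
            continue;
        debug(DBG_DBG, "dtlsconnect: DTLS: ok");

        /* chain validation first, then the per-server name/attribute checks */
        cert = verifytlscert(server->ssl);
        if (!cert)
            continue;

        if (verifyconfcert(cert, server->conf))
            break;
        X509_free(cert);
    }
    X509_free(cert);
    debug(DBG_WARN, "dtlsconnect: DTLS connection to %s port %s up", hp->host, hp->port);
    server->connectionok = 1;
    gettimeofday(&server->lastconnecttry, NULL);
    pthread_mutex_unlock(&server->lock);
    return 1;
}

/*
 * Send one RADIUS message to a server over its DTLS session.
 * Returns 1 if it was written, 0 if the connection is down or the write
 * failed.
 */
int clientradputdtls(struct server *server, unsigned char *rad) {
    int cnt;
    size_t len;
    unsigned long error;
    struct clsrvconf *conf = server->conf;

    if (!server->connectionok)
        return 0;
    len = RADLEN(rad);
    if ((cnt = SSL_write(server->ssl, rad, len)) <= 0) {
        while ((error = ERR_get_error()))
            debug(DBG_ERR, "clientradputdtls: DTLS: %s", ERR_error_string(error, NULL));
        return 0;
    }
    /* len is a size_t; cast so the argument matches %d */
    debug(DBG_DBG, "clientradputdtls: Sent %d bytes, Radius packet of length %d to DTLS peer %s", cnt, (int)len, conf->name);
    return 1;
}

/* reads UDP containing DTLS and passes it on to dtlsclientrd */
void *udpdtlsclientrd(void *arg) {
    int cnt, s = *(int *)arg;
    unsigned char buf[4];
    struct sockaddr_storage from;
    socklen_t fromlen = sizeof(from);
    struct clsrvconf *conf;
    fd_set readfds;

    for (;;) {
        FD_ZERO(&readfds);
        FD_SET(s, &readfds);
        if (select(s + 1, &readfds, NULL, NULL, NULL) < 1)
            continue;
        /* value-result argument: must hold the buffer size on every call */
        fromlen = sizeof(from);
        cnt = recvfrom(s, buf, 4, MSG_PEEK | MSG_TRUNC, (struct sockaddr *)&from, &fromlen);
        if (cnt == -1) {
            debug(DBG_WARN, "udpdtlsclientrd: recv failed");
            continue;
        }

        /* datagrams from addresses that are not a configured server are dropped */
        conf = find_srvconf(handle, (struct sockaddr *)&from, NULL);
        if (!conf) {
            debug(DBG_WARN, "udpdtlsclientrd: got packet from wrong or unknown DTLS peer %s, ignoring", addr2string((struct sockaddr *)&from));
            recv(s, buf, 4, 0);
            continue;
        }
        if (udp2bio(s, conf->servers->rbios, cnt))
            debug(DBG_DBG, "radudpget: got DTLS in UDP from %s", addr2string((struct sockaddr *)&from));
    }
}

/*
 * Reader thread for one server: hands replies to replyh() and reconnects
 * when nothing could be read. The statements after the loop are not reached,
 * since the loop has no exit.
 */
void *dtlsclientrd(void *arg) {
    struct server *server = (struct server *)arg;
    unsigned char *buf;
    struct timeval lastconnecttry;
    int secs;

    for (;;) {
        /* yes, lastconnecttry is really necessary */
        lastconnecttry = server->lastconnecttry;
        for (secs = 0; !(buf = raddtlsget(server->ssl, server->rbios, 10)) && !server->lostrqs && secs < IDLE_TIMEOUT; secs += 10);
        if (!buf) {
            dtlsconnect(server, &lastconnecttry, 0, "dtlsclientrd");
            continue;
        }
        replyh(server, buf);
    }
    ERR_remove_state(0);
    server->clientrdgone = 1;
    return NULL;
}

/*
 * Give a server the shared client socket for its address family, creating
 * the socket on first use. Any failure is fatal through debugx(1, ...).
 */
void addserverextradtls(struct clsrvconf *conf) {
    switch (((struct hostportres *)list_first(conf->hostports)->data)->addrinfo->ai_family) {
    case AF_INET:
        if (client4_sock < 0) {
            client4_sock = bindtoaddr(srcres, AF_INET, 0, 1);
            if (client4_sock < 0)
                debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name);
        }
        conf->servers->sock = client4_sock;
        break;
    case AF_INET6:
        if (client6_sock < 0) {
            client6_sock = bindtoaddr(srcres, AF_INET6, 0, 1);
            if (client6_sock < 0)
                debugx(1, DBG_ERR, "addserver: failed to create client socket for server %s", conf->name);
        }
        conf->servers->sock = client6_sock;
        break;
    default:
        debugx(1, DBG_ERR, "addserver: unsupported address family");
    }
}

/*
 * Final transport setup: release the resolved source address and start one
 * datagram reader thread per client socket that was created.
 */
void initextradtls() {
    pthread_t cl4th, cl6th;

    if (srcres) {
        freeaddrinfo(srcres);
        srcres = NULL;
    }

    if (client4_sock >= 0)
        if (pthread_create(&cl4th, NULL, udpdtlsclientrd, (void *)&client4_sock))
            debugx(1, DBG_ERR, "pthread_create failed");
    if (client6_sock >= 0)
        if (pthread_create(&cl6th, NULL, udpdtlsclientrd, (void *)&client6_sock))
            debugx(1, DBG_ERR, "pthread_create failed");
}
#else
/* Built without DTLS support: the transport is reported as unavailable. */
const struct protodefs *dtlsinit(uint8_t h) {
    return NULL;
}
#endif

/* Local Variables: */
/* c-file-style: "stroustrup" */
/* End: */
radsecproxy-1.6.2/tlscommon.c0000664000175100017510000004176412042223225013175 00000000000000
/*
 * Copyright (C) 2006-2009 Stig Venaas
 * Copyright (C) 2010,2011 NORDUnet A/S
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.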
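*/

/* NOTE(review): the <...> header names of the bare #include lines in this
 * listing were lost when the page was extracted; they are kept as found. */
#if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
#include
#include
#include
#include
#include
#include
#include
#ifdef SYS_SOLARIS9
#include
#endif
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "debug.h"
#include "hash.h"
#include "util.h"
#include "hostport.h"
#include "radsecproxy.h"

static struct hash *tlsconfs = NULL;

/*
 * OpenSSL passphrase callback: copies the configured key passphrase
 * (userdata, a C string) into buf. Returns its length, or 0 when asked for
 * an encryption passphrase or when it does not fit in size octets.
 */
static int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata) {
    int pwdlen = strlen(userdata);
    if (rwflag != 0 || pwdlen > size) /* not for decryption or too large */
        return 0;
    memcpy(buf, userdata, pwdlen);
    return pwdlen;
}

/*
 * Certificate verification callback. Keeps OpenSSL's verdict, except that a
 * chain deeper than MAX_CERT_DEPTH is turned into a failure, and logs the
 * reason for every failure. Returns the (possibly overridden) ok value.
 */
static int verify_cb(int ok, X509_STORE_CTX *ctx) {
    char *buf = NULL;
    X509 *err_cert;
    int err, depth;

    err_cert = X509_STORE_CTX_get_current_cert(ctx);
    err = X509_STORE_CTX_get_error(ctx);
    depth = X509_STORE_CTX_get_error_depth(ctx);

    if (depth > MAX_CERT_DEPTH) {
        ok = 0;
        err = X509_V_ERR_CERT_CHAIN_TOO_LONG;
        X509_STORE_CTX_set_error(ctx, err);
    }

    if (!ok) {
        if (err_cert)
            buf = X509_NAME_oneline(X509_get_subject_name(err_cert), NULL, 0);
        debug(DBG_WARN, "verify error: num=%d:%s:depth=%d:%s", err, X509_verify_cert_error_string(err), depth, buf ? buf : "");
        free(buf);
        buf = NULL;

        switch (err) {
        case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
            if (err_cert) {
                buf = X509_NAME_oneline(X509_get_issuer_name(err_cert), NULL, 0);
                if (buf) {
                    debug(DBG_WARN, "\tIssuer=%s", buf);
                    free(buf);
                    buf = NULL;
                }
            }
            break;
        case X509_V_ERR_CERT_NOT_YET_VALID:
        case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
            debug(DBG_WARN, "\tCertificate not yet valid");
            break;
        case X509_V_ERR_CERT_HAS_EXPIRED:
            debug(DBG_WARN, "Certificate has expired");
            break;
        case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
            debug(DBG_WARN, "Certificate no longer valid (after notAfter)");
            break;
        case X509_V_ERR_NO_EXPLICIT_POLICY:
            debug(DBG_WARN, "No Explicit Certificate Policy");
            break;
        }
    }
#ifdef DEBUG
    printf("certificate verify returns %d\n", ok);
#endif
    return ok;
}

#ifdef DEBUG
/* Debug-only handshake tracing callback. */
static void ssl_info_callback(const SSL *ssl, int where, int ret) {
    const char *s;
    int w;

    w = where & ~SSL_ST_MASK;

    if (w & SSL_ST_CONNECT)
        s = "SSL_connect";
    else if (w & SSL_ST_ACCEPT)
        s = "SSL_accept";
    else
        s = "undefined";

    if (where & SSL_CB_LOOP)
        debug(DBG_DBG, "%s:%s\n", s, SSL_state_string_long(ssl));
    else if (where & SSL_CB_ALERT) {
        s = (where & SSL_CB_READ) ? "read" : "write";
        debug(DBG_DBG, "SSL3 alert %s:%s:%s\n", s, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
    }
    else if (where & SSL_CB_EXIT) {
        if (ret == 0)
            debug(DBG_DBG, "%s:failed in %s\n", s, SSL_state_string_long(ssl));
        else if (ret < 0)
            debug(DBG_DBG, "%s:error in %s\n", s, SSL_state_string_long(ssl));
    }
}
#endif

/*
 * Build verification parameters that require one of the given policy OIDs
 * (NULL-terminated array of strings) with explicit policy checking.
 * Returns NULL on allocation failure or if an OID cannot be parsed.
 */
static X509_VERIFY_PARAM *createverifyparams(char **poids) {
    X509_VERIFY_PARAM *pm;
    ASN1_OBJECT *pobject;
    int i;

    pm = X509_VERIFY_PARAM_new();
    if (!pm)
        return NULL;

    for (i = 0; poids[i]; i++) {
        pobject = OBJ_txt2obj(poids[i], 0);
        if (!pobject) {
            X509_VERIFY_PARAM_free(pm);
            return NULL;
        }
        X509_VERIFY_PARAM_add0_policy(pm, pobject);
    }

    X509_VERIFY_PARAM_set_flags(pm, X509_V_FLAG_POLICY_CHECK | X509_V_FLAG_EXPLICIT_POLICY);
    return pm;
}

/*
 * Load the CA file/directory of a TLS configuration into ctx, set the list
 * of CA names sent to clients, require a peer certificate, and apply the
 * optional CRL and policy settings. Returns 1 on success, 0 on failure.
 * Also used to refresh an existing context (see tlsgetctx()).
 */
static int tlsaddcacrl(SSL_CTX *ctx, struct tls *conf) {
    STACK_OF(X509_NAME) *calist;
    X509_STORE *x509_s;
    unsigned long error;

    if (!SSL_CTX_load_verify_locations(ctx, conf->cacertfile, conf->cacertpath)) {
        while ((error = ERR_get_error()))
            debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
        debug(DBG_ERR, "tlsaddcacrl: Error updating TLS context %s", conf->name);
        return 0;
    }

    calist = conf->cacertfile ? SSL_load_client_CA_file(conf->cacertfile) : NULL;
    if (!conf->cacertfile || calist) {
        if (conf->cacertpath) {
            if (!calist)
                calist = sk_X509_NAME_new_null();
            if (!SSL_add_dir_cert_subjects_to_stack(calist, conf->cacertpath)) {
                sk_X509_NAME_free(calist);
                calist = NULL;
            }
        }
    }
    if (!calist) {
        while ((error = ERR_get_error()))
            debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
        debug(DBG_ERR, "tlsaddcacrl: Error adding CA subjects in TLS context %s", conf->name);
        return 0;
    }
    ERR_clear_error(); /* add_dir_cert_subj returns errors on success */
    SSL_CTX_set_client_CA_list(ctx, calist);

    /* a handshake without a peer certificate fails, in both directions */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_cb);
    SSL_CTX_set_verify_depth(ctx, MAX_CERT_DEPTH + 1);

    if (conf->crlcheck || conf->vpm) {
        x509_s = SSL_CTX_get_cert_store(ctx);
        if (conf->crlcheck)
            X509_STORE_set_flags(x509_s, X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
        if (conf->vpm)
            X509_STORE_set1_param(x509_s, conf->vpm);
    }

    debug(DBG_DBG, "tlsaddcacrl: updated TLS context %s", conf->name);
    return 1;
}

/*
 * Create an SSL_CTX for the given transport (RAD_TLS or RAD_DTLS) from a TLS
 * configuration: certificate chain, private key, CA data, optional policy
 * OIDs. Returns NULL on any failure.
 * NOTE(review): TLSv1_method()/DTLSv1_method() fix the protocol at TLS 1.0 /
 * DTLS 1.0. Where the OpenSSL version in use offers a version-flexible
 * method with a minimum-version setting, that is the usual replacement --
 * confirm against the OpenSSL versions this release has to support.
 */
static SSL_CTX *tlscreatectx(uint8_t type, struct tls *conf) {
    SSL_CTX *ctx = NULL;
    unsigned long error;
    long sslversion = SSLeay();

    switch (type) {
#ifdef RADPROT_TLS
    case RAD_TLS:
        ctx = SSL_CTX_new(TLSv1_method());
#ifdef DEBUG
        SSL_CTX_set_info_callback(ctx, ssl_info_callback);
#endif
        break;
#endif
#ifdef RADPROT_DTLS
    case RAD_DTLS:
        ctx = SSL_CTX_new(DTLSv1_method());
#ifdef DEBUG
        SSL_CTX_set_info_callback(ctx, ssl_info_callback);
#endif
        SSL_CTX_set_read_ahead(ctx, 1);
        break;
#endif
    }
    if (!ctx) {
        debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
        return NULL;
    }

    /* the run-time library version decides, not the headers used at build time */
    if (sslversion < 0x00908100L ||
        (sslversion >= 0x10000000L && sslversion < 0x10000020L)) {
        debug(DBG_WARN, "%s: %s seems to be of a version with a "
              "certain security critical bug (fixed in OpenSSL 0.9.8p and "
              "1.0.0b). Disabling OpenSSL session caching for context %p.",
              __func__, SSLeay_version(SSLEAY_VERSION), ctx);
        SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
    }

    if (conf->certkeypwd) {
        SSL_CTX_set_default_passwd_cb_userdata(ctx, conf->certkeypwd);
        SSL_CTX_set_default_passwd_cb(ctx, pem_passwd_cb);
    }
    if (!SSL_CTX_use_certificate_chain_file(ctx, conf->certfile) ||
        !SSL_CTX_use_PrivateKey_file(ctx, conf->certkeyfile, SSL_FILETYPE_PEM) ||
        !SSL_CTX_check_private_key(ctx)) {
        while ((error = ERR_get_error()))
            debug(DBG_ERR, "SSL: %s", ERR_error_string(error, NULL));
        debug(DBG_ERR, "tlscreatectx: Error initialising SSL/TLS in TLS context %s", conf->name);
        SSL_CTX_free(ctx);
        return NULL;
    }

    if (conf->policyoids) {
        if (!conf->vpm) {
            conf->vpm = createverifyparams(conf->policyoids);
            if (!conf->vpm) {
                debug(DBG_ERR, "tlscreatectx: Failed to add policyOIDs in TLS context %s", conf->name);
                SSL_CTX_free(ctx);
                return NULL;
            }
        }
    }

    if (!tlsaddcacrl(ctx, conf)) {
        if (conf->vpm) {
            X509_VERIFY_PARAM_free(conf->vpm);
            conf->vpm = NULL;
        }
        SSL_CTX_free(ctx);
        return NULL;
    }

    debug(DBG_DBG, "tlscreatectx: created TLS context %s", conf->name);
    return ctx;
}

/* Look up a TLS configuration by name, trying alt1 first and then alt2. */
struct tls *tlsgettls(char *alt1, char *alt2) {
    struct tls *t;

    t = hash_read(tlsconfs, alt1, strlen(alt1));
    if (!t)
        t = hash_read(tlsconfs, alt2, strlen(alt2));
    return t;
}

/*
 * Return the SSL_CTX of a TLS configuration for the given transport,
 * creating it on first use. When the configuration has a cache expiry and
 * it has passed, the CA/CRL data of the existing context is reloaded.
 * Returns NULL for a NULL configuration, an unsupported transport, or when
 * the context could not be created.
 */
SSL_CTX *tlsgetctx(uint8_t type, struct tls *t) {
    struct timeval now;

    if (!t)
        return NULL;
    gettimeofday(&now, NULL);

    switch (type) {
#ifdef RADPROT_TLS
    case RAD_TLS:
        if (t->tlsexpiry && t->tlsctx) {
            if (t->tlsexpiry < now.tv_sec) {
                t->tlsexpiry = now.tv_sec + t->cacheexpiry;
                tlsaddcacrl(t->tlsctx, t);
            }
        }
        if (!t->tlsctx) {
            t->tlsctx = tlscreatectx(RAD_TLS, t);
            if (t->cacheexpiry)
                t->tlsexpiry = now.tv_sec + t->cacheexpiry;
        }
        return t->tlsctx;
#endif
#ifdef RADPROT_DTLS
    case RAD_DTLS:
        if (t->dtlsexpiry && t->dtlsctx) {
            if (t->dtlsexpiry < now.tv_sec) {
                t->dtlsexpiry = now.tv_sec + t->cacheexpiry;
                tlsaddcacrl(t->dtlsctx, t);
            }
        }
        if (!t->dtlsctx) {
            t->dtlsctx = tlscreatectx(RAD_DTLS, t);
            if (t->cacheexpiry)
                t->dtlsexpiry = now.tv_sec + t->cacheexpiry;
        }
        return t->dtlsctx;
#endif
    }
    return NULL;
}

/*
 * Check the chain validation result of a finished handshake and return the
 * peer certificate (caller releases it with X509_free()), or NULL if
 * validation failed or no certificate is available.
 */
X509 *verifytlscert(SSL *ssl) {
    X509 *cert;
    unsigned long error;

    if (SSL_get_verify_result(ssl) != X509_V_OK) {
        debug(DBG_ERR, "verifytlscert: basic validation failed");
        while ((error = ERR_get_error()))
            debug(DBG_ERR, "verifytlscert: TLS: %s", ERR_error_string(error, NULL));
        return NULL;
    }

    cert = SSL_get_peer_certificate(ssl);
    if (!cert)
        debug(DBG_ERR, "verifytlscert: failed to obtain certificate");
    return cert;
}

/*
 * Look for an iPAddress subjectAltName equal to addr.
 * family is AF_INET or AF_INET6; addr points to the binary address (only
 * the first four octets are used for AF_INET).
 * Returns 1 on a match, -1 if the certificate has iPAddress entries but
 * none matches, 0 if it has none.
 *
 * The comparison is made against the address octets that addr points to.
 * Comparing against &addr would compare the certificate value with the
 * bytes of the pointer variable itself, so a correct iPAddress entry would
 * not match.
 */
static int subjectaltnameaddr(X509 *cert, int family, struct in6_addr *addr) {
    int loc, i, l, n, r = 0;
    char *v;
    X509_EXTENSION *ex;
    STACK_OF(GENERAL_NAME) *alt;
    GENERAL_NAME *gn;

    debug(DBG_DBG, "subjectaltnameaddr");

    loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
    if (loc < 0)
        return r;

    ex = X509_get_ext(cert, loc);
    alt = X509V3_EXT_d2i(ex);
    if (!alt)
        return r;

    n = sk_GENERAL_NAME_num(alt);
    for (i = 0; i < n; i++) {
        gn = sk_GENERAL_NAME_value(alt, i);
        if (gn->type != GEN_IPADD)
            continue;
        r = -1;
        v = (char *)ASN1_STRING_data(gn->d.ia5);
        l = ASN1_STRING_length(gn->d.ia5);
        if (((family == AF_INET && l == sizeof(struct in_addr)) || (family == AF_INET6 && l == sizeof(struct in6_addr)))
            && !memcmp(v, addr, l)) {
            r = 1;
            break;
        }
    }
    GENERAL_NAMES_free(alt);
    return r;
}

/*
 * Look for a subjectAltName of the given type (e.g. GEN_DNS, GEN_URI) that
 * equals exact or, when exact is NULL, matches regex.
 * Returns 1 on a match, -1 if the certificate has entries of that type but
 * none matches, 0 if it has none.
 *
 * Two checks keep a certificate name from matching more than it should:
 * - an exact match requires equal length; comparing only the octets of the
 *   certificate name would accept a name that is merely a prefix of exact;
 * - names with an embedded NUL octet are skipped, because the regex path
 *   works on a C string and would only see the part before the NUL.
 */
static int subjectaltnameregexp(X509 *cert, int type, char *exact,  regex_t *regex) {
    int loc, i, l, n, r = 0;
    char *s, *v;
    X509_EXTENSION *ex;
    STACK_OF(GENERAL_NAME) *alt;
    GENERAL_NAME *gn;

    debug(DBG_DBG, "subjectaltnameregexp");

    loc = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1);
    if (loc < 0)
        return r;

    ex = X509_get_ext(cert, loc);
    alt = X509V3_EXT_d2i(ex);
    if (!alt)
        return r;

    n = sk_GENERAL_NAME_num(alt);
    for (i = 0; i < n; i++) {
        gn = sk_GENERAL_NAME_value(alt, i);
        if (gn->type != type)
            continue;
        r = -1;
        v = (char *)ASN1_STRING_data(gn->d.ia5);
        l = ASN1_STRING_length(gn->d.ia5);
        if (l <= 0)
            continue;
#ifdef DEBUG
        printfchars(NULL, gn->type == GEN_DNS ? "dns" : "uri", NULL, v, l);
#endif
        if (memchr(v, '\0', l)) {
            debug(DBG_WARN, "subjectaltnameregexp: ignoring name with embedded NUL");
            continue;
        }
        if (exact) {
            if ((size_t)l != strlen(exact) || memcmp(v, exact, l))
                continue;
        } else {
            s = stringcopy((char *)v, l);
            if (!s) {
                debug(DBG_ERR, "malloc failed");
                continue;
            }
            if (regexec(regex, s, 0, NULL, 0)) {
                free(s);
                continue;
            }
            free(s);
        }
        r = 1;
        break;
    }
    GENERAL_NAMES_free(alt);
    return r;
}

/*
 * Check the subject's commonName entries: returns 1 if one equals exact
 * (case-insensitive, same length) or, when exact is NULL, matches regex;
 * 0 otherwise. Entries with an embedded NUL octet are skipped on the regex
 * path, which works on a C string and would only see the part before it.
 */
static int cnregexp(X509 *cert, char *exact, regex_t *regex) {
    int loc, l;
    char *v, *s;
    X509_NAME *nm;
    X509_NAME_ENTRY *e;
    ASN1_STRING *t;

    nm = X509_get_subject_name(cert);
    loc = -1;
    for (;;) {
        loc = X509_NAME_get_index_by_NID(nm, NID_commonName, loc);
        if (loc == -1)
            break;
        e = X509_NAME_get_entry(nm, loc);
        t = X509_NAME_ENTRY_get_data(e);
        v = (char *) ASN1_STRING_data(t);
        l = ASN1_STRING_length(t);
        if (l < 0)
            continue;
        if (exact) {
            if (l == strlen(exact) && !strncasecmp(exact, v, l))
                return 1;
        } else {
            if (l > 0 && memchr(v, '\0', l)) {
                debug(DBG_WARN, "cnregexp: ignoring name with embedded NUL");
                continue;
            }
            s = stringcopy((char *)v, l);
            if (!s) {
                debug(DBG_ERR, "malloc failed");
                continue;
            }
            if (regexec(regex, s, 0, NULL, 0)) {
                free(s);
                continue;
            }
            free(s);
            return 1;
        }
    }
    return 0;
}

/* this is a bit sloppy, should not always accept match to any */
int certnamecheck(X509 *cert, struct list *hostports) {
    struct list_node *entry;
    struct hostportres *hp;
    int r;
    uint8_t type = 0; /* 0 for DNS, AF_INET for IPv4, AF_INET6 for IPv6 */
    struct in6_addr addr;

    for (entry = list_first(hostports); entry; entry = list_next(entry)) {
        hp = (struct hostportres *)entry->data;
        if (hp->prefixlen != 255) {
            /* we disable the check for prefixes */
            return 1;
        }
        if (inet_pton(AF_INET, hp->host, &addr))
            type = AF_INET;
        else if (inet_pton(AF_INET6, hp->host, &addr))
            type = AF_INET6;
        else
            type = 0;

        r = type ? subjectaltnameaddr(cert, type, &addr) : subjectaltnameregexp(cert, GEN_DNS, hp->host, NULL);
        if (r) {
            if (r > 0) {
                debug(DBG_DBG, "certnamecheck: Found subjectaltname matching %s %s", type ? "address" : "host", hp->host);
                return 1;
            }
            debug(DBG_WARN, "certnamecheck: No subjectaltname matching %s %s", type ?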
"address" : "host", hp->host); } else { if (cnregexp(cert, hp->host, NULL)) { debug(DBG_DBG, "certnamecheck: Found cn matching host %s", hp->host); return 1; } debug(DBG_WARN, "certnamecheck: cn not matching host %s", hp->host); } } return 0; } int verifyconfcert(X509 *cert, struct clsrvconf *conf) { if (conf->certnamecheck) { if (!certnamecheck(cert, conf->hostports)) { debug(DBG_WARN, "verifyconfcert: certificate name check failed"); return 0; } debug(DBG_WARN, "verifyconfcert: certificate name check ok"); } if (conf->certcnregex) { if (cnregexp(cert, NULL, conf->certcnregex) < 1) { debug(DBG_WARN, "verifyconfcert: CN not matching regex"); return 0; } debug(DBG_DBG, "verifyconfcert: CN matching regex"); } if (conf->certuriregex) { if (subjectaltnameregexp(cert, GEN_URI, NULL, conf->certuriregex) < 1) { debug(DBG_WARN, "verifyconfcert: subjectaltname URI not matching regex"); return 0; } debug(DBG_DBG, "verifyconfcert: subjectaltname URI matching regex"); } return 1; } int conftls_cb(struct gconffile **cf, void *arg, char *block, char *opt, char *val) { struct tls *conf; long int expiry = LONG_MIN; debug(DBG_DBG, "conftls_cb called for %s", block); conf = malloc(sizeof(struct tls)); if (!conf) { debug(DBG_ERR, "conftls_cb: malloc failed"); return 0; } memset(conf, 0, sizeof(struct tls)); if (!getgenericconfig(cf, block, "CACertificateFile", CONF_STR, &conf->cacertfile, "CACertificatePath", CONF_STR, &conf->cacertpath, "CertificateFile", CONF_STR, &conf->certfile, "CertificateKeyFile", CONF_STR, &conf->certkeyfile, "CertificateKeyPassword", CONF_STR, &conf->certkeypwd, "CacheExpiry", CONF_LINT, &expiry, "CRLCheck", CONF_BLN, &conf->crlcheck, "PolicyOID", CONF_MSTR, &conf->policyoids, NULL )) { debug(DBG_ERR, "conftls_cb: configuration error in block %s", val); goto errexit; } if (!conf->certfile || !conf->certkeyfile) { debug(DBG_ERR, "conftls_cb: TLSCertificateFile and TLSCertificateKeyFile must be specified in block %s", val); goto errexit; } if 
(!conf->cacertfile && !conf->cacertpath) { debug(DBG_ERR, "conftls_cb: CA Certificate file or path need to be specified in block %s", val); goto errexit; } if (expiry != LONG_MIN) { if (expiry < 0) { debug(DBG_ERR, "error in block %s, value of option CacheExpiry is %ld, may not be negative", val, expiry); goto errexit; } conf->cacheexpiry = expiry; } conf->name = stringcopy(val, 0); if (!conf->name) { debug(DBG_ERR, "conftls_cb: malloc failed"); goto errexit; } if (!tlsconfs) tlsconfs = hash_create(); if (!hash_insert(tlsconfs, val, strlen(val), conf)) { debug(DBG_ERR, "conftls_cb: malloc failed"); goto errexit; } if (!tlsgetctx(RAD_TLS, conf)) debug(DBG_ERR, "conftls_cb: error creating ctx for TLS block %s", val); debug(DBG_DBG, "conftls_cb: added TLS block %s", val); return 1; errexit: free(conf->cacertfile); free(conf->cacertpath); free(conf->certfile); free(conf->certkeyfile); free(conf->certkeypwd); freegconfmstr(conf->policyoids); free(conf); return 0; } int addmatchcertattr(struct clsrvconf *conf) { char *v; regex_t **r; if (!strncasecmp(conf->matchcertattr, "CN:/", 4)) { r = &conf->certcnregex; v = conf->matchcertattr + 4; } else if (!strncasecmp(conf->matchcertattr, "SubjectAltName:URI:/", 20)) { r = &conf->certuriregex; v = conf->matchcertattr + 20; } else return 0; if (!*v) return 0; /* regexp, remove optional trailing / if present */ if (v[strlen(v) - 1] == '/') v[strlen(v) - 1] = '\0'; if (!*v) return 0; *r = malloc(sizeof(regex_t)); if (!*r) { debug(DBG_ERR, "malloc failed"); return 0; } if (regcomp(*r, v, REG_EXTENDED | REG_ICASE | REG_NOSUB)) { free(*r); *r = NULL; debug(DBG_ERR, "failed to compile regular expression %s", v); return 0; } return 1; } #else /* Just to makes file non-empty, should rather avoid compiling this file when not needed */ static void tlsdummy() { } #endif /* Local Variables: */ /* c-file-style: "stroustrup" */ /* End: */ radsecproxy-1.6.2/radsecproxy.conf.5.xml0000664000175100017510000013122612042223225015163 00000000000000 
2012-10-25 radsecproxy.conf 5 radsecproxy 1.6.2 radsecproxy.conf Radsec proxy configuration file Description When the proxy server starts, it will first check the command line arguments, and then read the configuration file. Normally radsecproxy will read the configuration file /usr/local/etc/radsecproxy.conf. The command line option -c can be used to instead read an alternate file (see radsecproxy(1) for details). If the configuration file can not be found, the proxy will exit with an error message. Note that there is also an include facility so that any configuration file may include other configuration files. The proxy will also exit on configuration errors. Configuration Syntax When the configuration file is processed, whitespace (spaces and tabs) is generally ignored. For each line, leading and trailing whitespace is ignored. A line is ignored if it is empty, only consists of whitespace, or if the first non-whitespace character is a #. The configuration is generally case insensitive, but in some cases the option values (see below) are not. There are two types of configuration structures that can be used. The first and simplest are lines of the form option value. That is, an option name, see below for a list of valid options, followed by whitespace (at least one space or tab character), followed by a value. Note that if the value contains whitespace, then it must be quoted using "" or ''. Any whitespace in front of the option or after the value will be ignored. The other type of structure is a block. A block spans at least two lines, and has the format:
blocktype name { option value option value ... }
That is, some blocktype, see below for a list of the different block types, and then enclosed in braces you have zero or more lines that each have the previously described option value format. Different block types have different rules for which options can be specified, they are listed below. The rules regarding white space, comments and quotes are as above. Hence you may do things like:
blocktype name { # option value option "value with space" ... }
Option value characters can also be written in hex. This is done by writing the character % followed by two hexadecimal digits. If a % is used without two following hexadecimal digits, the % and the following characters are used as written. If you want to write a % and not use this decoding, you may of course write % in hex; i.e., %25. There is one special option that can be used both as a basic option and inside all blocks. That is the option Include where the value specifies files to be included. The value can be a single file, or it can use normal shell globbing to specify multiple files, e.g.:
include /usr/local/etc/radsecproxy.conf.d/*.conf
The files are sorted alphabetically. Included files are read in the order they are specified, when reaching the end of a file, the next file is read. When reaching the end of the last included file, the proxy returns to read the next line following the Include option. Included files may again include other files.
Basic Options The following basic options may be specified in the configuration file. Note that blocktypes and options inside blocks are discussed later. Note that none of these options are required, and indeed in many cases they are not needed. Note that you should specify each at most once. The behaviour with multiple occurences is undefined. PidFile The PidFile option specifies the name of a file to which the process id (PID) will be written. This is overridden by the command line option. There is no default value for the PidFile option. LogLevel This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 logs everything. The default is 2 which logs errors, warnings and a few informational messages. Note that the command line option overrides this. LogDestination This specifies where the log messages should go. By default the messages go to syslog with facility LOG_DAEMON. Using this option you can specify another syslog facility, or you may specify that logging should be to a particular file, not using syslog. The value must be either a file or syslog URL. The file URL is the standard one, specifying a local file that should be used. For syslog, you must use the syntax: x-syslog:///FACILITY where FACILITY must be one of LOG_DAEMON, LOG_MAIL, LOG_USER, LOG_LOCAL0, LOG_LOCAL1, LOG_LOCAL2, LOG_LOCAL3, LOG_LOCAL4, LOG_LOCAL5, LOG_LOCAL6 or LOG_LOCAL7. You may omit the facility from the URL to specify logging to the default facility, but this is not very useful since this is the default log destination. Note that this option is ignored if is specified on the command line. FTicksReporting The FTicksReporting option is used to enable F-Ticks logging and can be set to None, Basic or Full. Its default value is None. If FTicksReporting is set to anything other than None, note that the default value for FTicksMAC is VendorKeyHashed which needs FTicksKey to be set. See radsecproxy.conf-example for details. 
Note that radsecproxy has to be configured with F-Ticks support (--enable-fticks) for this option to have any effect. FTicksMAC The FTicksMAC option can be used to control whether and how Calling-Station-Id (the user's Ethernet MAC address) is logged. It can be set to one of Static, Original, VendorHashed, VendorKeyHashed, FullyHashed or FullyKeyHashed. The default value for FTicksMAC is VendorKeyHashed. This means that FTicksKey has to be set. Before choosing any of Original, FullyHashed or VendorHashed, consider the implications for user privacy when MAC addresses are collected. How will the logs be stored, transferred and accessed? See radsecproxy.conf-example for details. Note that radsecproxy has to be configured with F-Ticks support (--enable-fticks) for this option to have any effect. FTicksKey The FTicksKey option is used to specify the key to use when producing HMACs as an effect of specifying VendorKeyHashed or FullyKeyHashed for the FTicksMAC option. Note that radsecproxy has to be configured with F-Ticks support (--enable-fticks) for this option to have any effect. FTicksSyslogFacility The FTicksSyslogFacility option is used to specify a dedicated syslog facility for F-Ticks messages. This allows for easier filtering of F-Ticks messages. If no FTicksSyslogFacility option is given, F-Ticks messages are written to what the LogDestination option specifies. F-Ticks messages are always logged using the log level LOG_DEBUG. Note that specifying a file in FTicksSyslogFacility (using the file:/// prefix) is not supported. ListenUDP Normally the proxy will listen to the standard RADIUS UDP port 1812 if configured to handle UDP clients. On most systems it will do this for all of the system's IP addresses (both IPv4 and IPv6). On some systems however, it may respond to only IPv4 or only IPv6. To specify an alternate port you may use a value on the form *:port where port is any valid port number. If you also want to specify a specific address you can do e.g.
192.168.1.1:1812 or [2001:db8::1]:1812. The port may be omitted if you want the default one (like in these examples). These examples are equivalent to 192.168.1.1 and 2001:db8::1. Note that you must use brackets around the IPv6 address. This option may be specified multiple times to listen to multiple addresses and/or ports. ListenTCP This option is similar to the ListenUDP option, except that it is used for receiving connections from TCP clients. The default port number is 1812. ListenTLS This is similar to the ListenUDP option, except that it is used for receiving connections from TLS clients. The default port number is 2083. Note that this option was previously called ListenTCP. ListenDTLS This is similar to the ListenUDP option, except that it is used for receiving connections from DTLS clients. The default port number is 2083. SourceUDP This can be used to specify source address and/or source port that the proxy will use for sending UDP client messages (e.g. Access Request). SourceTCP This can be used to specify source address and/or source port that the proxy will use for TCP connections. SourceTLS This can be used to specify source address and/or source port that the proxy will use for TLS connections. SourceDTLS This can be used to specify source address and/or source port that the proxy will use for DTLS connections. TTLAttribute This can be used to change the default TTL attribute. Only change this if you know what you are doing. The syntax is either a numerical value denoting the TTL attribute, or two numerical values separated by column specifying a vendor attribute, i.e. vendorid:attribute. AddTTL If a TTL attribute is present, the proxy will decrement the value and discard the message if zero. Normally the proxy does nothing if no TTL attribute is present. If you use the AddTTL option with a value 1-255, the proxy will when forwarding a message with no TTL attribute, add one with the specified value. 
Note that this option can also be specified for a client/server. It will then override this setting when forwarding a message to that client/server. LoopPrevention This can be set to on or off with off being the default. When this is enabled, a request will never be sent to a server named the same as the client it was received from. I.e., the names of the client block and the server block are compared. Note that this only gives limited protection against loops. It can be used as a basic option and inside server blocks where it overrides the basic setting. IPv4Only and IPv6Only These can be set to on or off with off being the default. At most one of IPv4Only and IPv6Only can be enabled. Enabling IPv4Only or IPv6Only makes radsecproxy resolve DNS names to the corresponding address family only, and not the other. This is done for both clients and servers. Note that this can be overridden in client and server blocks, see below. Include This is not a normal configuration option; it can be specified multiple times. It can both be used as a basic option and inside blocks. For the full description, see the configuration syntax section above. Blocks There are five types of blocks, they are client, server, realm, tls and rewrite. At least one instance of each of client and realm is required. This is necessary for the proxy to do anything useful, and it will exit if not. The tls block is required if at least one TLS/DTLS client or server is configured. Note that there can be multiple blocks for each type. For each type, the block names should be unique. The behaviour with multiple occurences of the same name for the same block type is undefined. Also note that some block option values may reference a block by name, in which case the block name must be previously defined. Hence the order of the blocks may be significant. Client Block The client block is used to configure a client. That is, tell the proxy about a client, and what parameters should be used for that client. 
The name of the client block must (with one exception, see below) be either the IP address (IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form IpAddress/PrefixLength, or a domain name (FQDN). The way an FQDN is resolved into an IP address may be influenced by the use of the IPv4Only and IPv6Only options. Note that literal IPv6 addresses must be enclosed in brackets. If a domain name is specified, then this will be resolved immediately to all the addresses associated with the name, and the proxy will not care about any possible DNS changes that might occur later. Hence there is no dependency on DNS after startup. When some client later sends a request to the proxy, the proxy will look at the IP address the request comes from, and then go through all the addresses of each of the configured clients (in the order they are defined), to determine which (if any) of the clients this is. In the case of TLS/DTLS, the name of the client must match the FQDN or IP address in the client certificate. Note that this is not required when the client name is an IP prefix. Alternatively one may use the host option inside a client block. In that case, the value of the host option is used as above, while the name of the block is only used as a descriptive name for the administrator. The host option may be used multiple times, and can be a mix of addresses, FQDNs and prefixes. The allowed options in a client block are host, IPv4Only, IPv6Only, type, secret, tls, certificateNameCheck, matchCertificateAttribute, duplicateInterval, AddTTL, fticksVISCOUNTRY, fticksVISINST, rewrite, rewriteIn, rewriteOut, and rewriteAttribute. We already discussed the host option. To specify how radsecproxy should resolve a host given as a DNS name, the IPv4Only or the IPv6Only can be set to on. At most one of these options can be enabled. Enabling IPv4Only or IPv6Only here overrides any basic settings set at the top level. The value of type must be one of udp, tcp, tls or dtls. 
The value of secret is the shared RADIUS key used with this client. If the secret contains whitespace, the value must be quoted. This option is optional for TLS/DTLS and if omitted will default to "radsec". (Note that using a secret other than "radsec" for TLS is a violation of the standard (RFC 6614) and that the proposed standard for DTLS stipulates that the secret must be "radius/dtls".) For a TLS/DTLS client you may also specify the tls option. The option value must be the name of a previously defined TLS block. If this option is not specified, the TLS block with the name defaultClient will be used if defined. If not defined, it will try to use the TLS block named default. If the specified TLS block name does not exist, or the option is not specified and none of the defaults exist, the proxy will exit with an error. NOTE: All versions of radsecproxy up to and including 1.6 erroneously verify client certificate chains using the CA in the very first matching client block regardless of which block is used for the final decision. This was changed in version 1.6.1 so that a client block with a different tls option than the first matching client block is no longer considered for verification of clients. For a TLS/DTLS client, the option certificateNameCheck can be set to off, to disable the default behaviour of matching CN or SubjectAltName against the specified hostname or IP address. Additional validation of certificate attributes can be done by use of the matchCertificateAttribute option. Currently one can only do some matching of CN and SubjectAltName. For regexp matching on CN, one can use the value CN:/regexp/. For SubjectAltName one can only do regexp matching of the URI, this is specified as SubjectAltName:URI:/regexp/. Note that currently this option can only be specified once in a client block. The duplicateInterval option can be used to specify for how many seconds duplicate checking should be done. 
If a proxy receives a new request within a few seconds of a previous one, it may be treated the same if from the same client, with the same authenticator etc. The proxy will then ignore the new request (if it is still processing the previous one), or returned a copy of the previous reply. The AddTTL option is similar to the AddTTL option used in the basic config. See that for details. Any value configured here overrides the basic one when sending messages to this client. The fticksVISCOUNTRY option configures clients eligible to F-Ticks logging as defined by the FTicksReporting basic option. The fticksVISINST option overwrites the default VISINST value taken from the client block name. The rewrite option is deprecated. Use rewriteIn instead. The rewriteIn option can be used to refer to a rewrite block that specifies certain rewrite operations that should be performed on incoming messages from the client. The rewriting is done before other processing. For details, see the rewrite block text below. Similarly to tls discussed above, if this option is not used, there is a fallback to using the rewrite block named defaultClient if it exists; and if not, a fallback to a block named default. The rewriteOut option is used in the same way as rewriteIn, except that it specifies rewrite operations that should be performed on outgoing messages to the client. The rewriting is done after other processing. Also, there is no rewrite fallback if this option is not used. The rewriteAttribute option currently makes it possible to specify that the User-Name attribute in a client request shall be rewritten in the request sent by the proxy. The User-Name attribute is written back to the original value if a matching response is later sent back to the client. The value must be on the form User-Name:/regexpmatch/replacement/. Example usage:
rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
Server Block The server block is used to configure a server. That is, tell the proxy about a server, and what parameters should be used when communicating with that server. The name of the server block must (with one exception, see below) be either the IP address (IPv4 or IPv6) of the server, or a domain name (FQDN). If a domain name is specified, then this will be resolved immediately to all the addresses associated with the name, and the proxy will not care about any possible DNS changes that might occur later. Hence there is no dependency on DNS after startup. If the domain name resolves to multiple addresses, then for UDP/DTLS the first address is used. For TCP/TLS, the proxy will loop through the addresses until it can connect to one of them. The way an FQDN is resolved into an IP address may be influenced by the use of the IPv4Only and IPv6Only options. In the case of TLS/DTLS, the name of the server must match the FQDN or IP address in the server certificate. Alternatively one may use the host option inside a server block. In that case, the value of the host option is used as above, while the name of the block is only used as a descriptive name for the administrator. Note that multiple host options may be used. This will then be treated as multiple names/addresses for the same server. When initiating a TCP/TLS connection, all addresses of all names may be attempted, but there is no failover between the different host values. For failover one must use separate server blocks. Note that the name of the block, or values of host options may include a port number (separated with a column). This port number will then override the default port or a port option in the server block. Also note that literal IPv6 addresses must be enclosed in brackets. 
The allowed options in a server block are host, port, IPv4Only, IPv6Only, type, secret, tls, certificateNameCheck, matchCertificateAttribute, AddTTL, rewrite, rewriteIn, rewriteOut, statusServer, retryCount, dynamicLookupCommand and retryInterval and LoopPrevention. We already discussed the host option. To specify how radsecproxy should resolve a host given as a DNS name, the IPv4Only or the IPv6Only can be set to on. At most one of these options can be enabled. Enabling IPv4Only or IPv6Only here overrides any basic settings set at the top level. The port option allows you to specify which port number the server uses. The usage of type, secret, tls, certificateNameCheck, matchCertificateAttribute, AddTTL, rewrite, rewriteIn and rewriteOut are just as specified for the client block above, except that defaultServer (and not defaultClient) is the fallback for the tls, rewrite and rewriteIn options. statusServer can be specified to enable the use of status-server messages for this server. The value must be either on or off. The default when not specified, is off. If statusserver is enabled, the proxy will during idle periods send regular status-server messages to the server to verify that it is alive. This should only be enabled if the server supports it. The options retryCount and retryInterval can be used to specify how many times the proxy should retry sending a request and how long it should wait between each retry. The defaults are 2 retries and an interval of 5s. The option dynamicLookupCommand can be used to specify a command that should be executed to dynamically configure a server. The executable file should be given with full path and will be invoked with the name of the realm as its first and only argument. It should either print a valid server option on stdout and exit with a code of 0 or print nothing and exit with a non-zero exit code. 
An example of a shell script resolving the DNS NAPTR records for the realm and then the SRV records for each NAPTR matching 'x-eduroam:radius.tls' is provided in tools/naptr-eduroam.sh. This option was added in radsecproxy-1.3 but tends to crash radsecproxy versions earlier than 1.6. Using the LoopPrevention option here overrides any basic setting of this option. See section BASIC OPTIONS for details on this option. Realm Block When the proxy receives an Access-Request it needs to figure out to which server it should be forwarded. This is done by looking at the Username attribute in the request, and matching that against the names of the defined realm blocks. The proxy will match against the blocks in the order they are specified, using the first match if any. If no realm matches, the proxy will simply ignore the request. Each realm block specifies what the server should do when a match is found. A realm block may contain none, one or multiple server options, and similarly accountingServer options. There are also replyMessage and accountingResponse options. We will discuss these later. Realm block names and matching In the general case the proxy will look for a @ in the username attribute, and try to do an exact case insensitive match between what comes after the @ and the name of the realm block. So if you get a request with the attribute value anonymous@example.com, the proxy will go through the realm names in the order they are specified, looking for a realm block named example.com. There are two exceptions to this, one is the realm name * which means match everything. Hence if you have a realm block named *, then it will always match. This should then be the last realm block defined, since any blocks after this would never be checked. This is useful for having a default. The other exception is regular expression matching. If the realm name starts with a /, the name is treated as an regular expression. 
A case insensitive regexp match will then be done using this regexp on the value of the entire Username attribute. Optionally you may also have a trailing / after the regexp. So as an example, if you want to use regexp matching the domain example.com you could have a realm block named /@example\\.com$. Optionally this can also be written /@example\\.com$/. If you want to match all domains under the .com top domain, you could do /@.*\\.com$. Note that since the matching is done on the entire attribute value, you can also use rules like /^[a-k].*@example\\.com$/ to get some of the users in this domain to use one server, while other users could be matched by another realm block and use another server. Realm block options A realm block may contain none, one or multiple server options. If defined, the values of the server options must be the names of previously defined server blocks. Normally requests will be forwarded to the first server option defined. If there are multiple server options, the proxy will do fail-over and use the second server if the first is down. If the first two are down, it will try the third etc. If say the first server comes back up, it will go back to using that one. Currently detection of servers being up or down is based on the use of StatusServer (if enabled), and that TCP/TLS/DTLS connections are up. A realm block may also contain none, one or multiple accountingServer options. This is used exactly like the server option, except that it is used for specifying where to send matching accounting requests. The values must be the names of previously defined server blocks. When multiple accounting servers are defined, there is a failover mechanism similar to the one for the server option. If there is no server option, the proxy will, if replyMessage is specified, reply back to the client with an Access Reject message. The message contains a replyMessage attribute with the value as specified by the replyMessage option.
Note that this is different from having no match since then the request is simply ignored. You may wonder why this is useful. One example is if you handle say all domains under say .bv. Then you may have several realm blocks matching the domains that exist, while for other domains under .bv you want to send a reject. At the same time you might want to send all other requests to some default server. After the realms for the subdomains, you would then have two realm definitions. One with the name /@.*\\.bv$ with no servers, followed by one with the name * with the default server defined. This may also be useful for blocking particular usernames. If there is no accountingServer option, the proxy will normally do nothing, ignoring accounting requests. There is however an option called accountingResponse. If this is set to on, the proxy will log some of the accounting information and send an Accounting-Response back. This is useful if you do not care much about accounting, but want to stop clients from retransmitting accounting requests. By default this option is set to off. TLS Block The TLS block specifies TLS configuration options and you need at least one of these if you have clients or servers using TLS/DTLS. As discussed in the client and server block descriptions, a client or server block may reference a particular TLS block by name. There are also however the special TLS block names default, defaultClient and defaultServer which are used as defaults if the client or server block does not reference a TLS block. Also note that a TLS block must be defined before the client or server block that would use it. If you want the same TLS configuration for all TLS/DTLS clients and servers, you need just a single tls block named default, and the client and servers need not refer to it. If you want all TLS/DTLS clients to use one config, and all TLS/DTLS servers to use another, then you would be fine only defining two TLS blocks named defaultClient and defaultServer.
If you want different clients (or different servers) to have different TLS parameters, then you may need to create other TLS blocks with other names, and reference those from the client or server definitions. Note that you could also have say a client block refer to a default, even defaultServer if you really want to. The available TLS block options are CACertificateFile, CACertificatePath, certificateFile, certificateKeyFile, certificateKeyPassword, cacheExpiry, CRLCheck and policyOID. When doing RADIUS over TLS/DTLS, both the client and the server present certificates, and they are both verified by the peer. Hence you must always specify certificateFile and certificateKeyFile options, as well as certificateKeyPassword if a password is needed to decrypt the private key. Since that password is then stored in the configuration file, read access to the file should be restricted accordingly. Note that CACertificateFile may be a certificate chain. In order to verify certificates, or send a chain of certificates to a peer, you also always need to specify CACertificateFile or CACertificatePath. Note that you may specify both, in which case the certificates in CACertificateFile are checked first. By default CRLs are not checked, which means that a peer certificate that has been revoked is still accepted as long as it otherwise verifies. This can be changed by setting CRLCheck to on. One can require peer certificates to adhere to certain policies by specifying one or multiple policyOIDs using one or multiple policyOID options. CA certificates and CRLs are normally cached permanently. That is, once a CA or CRL has been read, the proxy will never attempt to re-read it. CRLs may change relatively often and the proxy should ideally always use the latest CRLs. Rather than restarting the proxy, there is an option cacheExpiry that specifies how many seconds the CA and CRL information should be cached. Reasonable values might be say 3600 (1 hour) or 86400 (24 hours), depending on how frequently CRLs are updated and how critical it is to be up to date. This option may be set to zero to disable caching. Rewrite Block The rewrite block specifies rules that may rewrite RADIUS messages.
It can be used to add, remove and modify specific attributes from messages received from and sent to clients and servers. As discussed in the client and server block descriptions, a client or server block may reference a particular rewrite block by name. There are however also the special rewrite block names default, defaultClient and defaultServer which are used as defaults if the client or server block does not reference a block. Also note that a rewrite block must be defined before the client or server block that would use it. If you want the same rewrite rules for input from all clients and servers, you need just a single rewrite block named default, and the client and servers need not refer to it. If you want all clients to use one config, and all servers to use another, then you would be fine only defining two rewrite blocks named defaultClient and defaultServer. Note that these defaults are only used for rewrite on input. No rewriting is done on output unless explicitly specified using the rewriteOut option. The available rewrite block options are addAttribute, addVendorAttribute, removeAttribute, removeVendorAttribute and modifyAttribute. They can all be specified none, one or multiple times. addAttribute is used to add attributes to a message. The option value must be of the form attribute:value where attribute is a numerical value specifying the attribute. Similarly, the addVendorAttribute is used to specify a vendor attribute to be added. The option value must be of the form vendor:subattribute:value, where vendor and subattribute are numerical values. The removeAttribute option is used to specify an attribute that should be removed from received messages. The option value must be a numerical value specifying which attribute is to be removed. Similarly, removeVendorAttribute is used to specify a vendor attribute that is to be removed.
The value can be a numerical value for removing all attributes from a given vendor, or of the form vendor:subattribute, where vendor and subattribute are numerical values, for removing a specific subattribute for a specific vendor. modifyAttribute is used to specify modification of attributes. The value must be of the form attribute:/regexpmatch/replacement/ where attribute is a numerical attribute type, regexpmatch is a regexp matching rule and replacement specifies how to replace the matching regexp. Example usage:
modifyAttribute 1:/^(.*)@local$/\1@example.com/
See Also radsecproxy(1), RadSec internet draft
radsecproxy-1.6.2/missing0000755000175100017510000002623312042223267012413 00000000000000
#! /bin/sh
# Common stub for a few missing GNU programs while installing.
#
# Invoked as `missing [--run] PROGRAM [ARGUMENT]...'.  With --run the
# program is tried first; if it is absent (or exits with status 63) the
# script falls back to touching or stubbing the files that PROGRAM would
# have produced, so that the build can continue.

scriptversion=2009-04-28.21; # UTC

# Copyright (C) 1996, 1997, 1999, 2000, 2002, 2003, 2004, 2005, 2006,
# 2008, 2009 Free Software Foundation, Inc.
# Originally by Fran,cois Pinard, 1996.

# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2, or (at your option)
# any later version.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# As a special exception to the GNU General Public License, if you
# distribute this file as part of a program that contains a
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.

# At least one argument (an option or the program name) is required.
if test $# -eq 0; then
  echo 1>&2 "Try \`$0 --help' for more information"
  exit 1
fi

# `run' is non-empty (":") unless --run was given; see the --run case below.
run=:
# sed programs that print the word following `--output ' / `--output=' or
# ` -o ' in a flattened argument string.
sed_output='s/.* --output[ =]\([^ ]*\).*/\1/p'
sed_minuso='s/.* -o \([^ ]*\).*/\1/p'

# In the cases where this matters, `missing' is being run in the
# srcdir already.
if test -f configure.ac; then
  configure_ac=configure.ac
else
  configure_ac=configure.in
fi

# Text spliced into the warnings below; replaced when the tool exists but
# reported a version mismatch.
msg="missing on your system"

case $1 in
--run)
  # Try to run requested program, and just exit if it succeeds.
  run=
  shift
  # The remaining arguments are executed as given ("$@" keeps each
  # argument intact).
  "$@" && exit 0
  # Exit code 63 means version mismatch.  This often happens
  # when the user tries to use an ancient version of a tool on
  # a file that requires a minimum version.  In this case we
  # should proceed as if the program had been absent, or
  # if --run hadn't been passed.
  if test $? = 63; then
    run=:
    msg="probably too old"
  fi
  ;;

  -h|--h|--he|--hel|--help)
    echo "\
$0 [OPTION]... PROGRAM [ARGUMENT]...

Handle \`PROGRAM [ARGUMENT]...' for when PROGRAM is missing, or return an
error status if there is no known handling for PROGRAM.

Options:
  -h, --help      display this help and exit
  -v, --version   output version information and exit
  --run           try to run the given command, and emulate it if it fails

Supported PROGRAM values:
  aclocal      touch file \`aclocal.m4'
  autoconf     touch file \`configure'
  autoheader   touch file \`config.h.in'
  autom4te     touch the output file, or create a stub one
  automake     touch all \`Makefile.in' files
  bison        create \`y.tab.[ch]', if possible, from existing .[ch]
  flex         create \`lex.yy.c', if possible, from existing .c
  help2man     touch the output file
  lex          create \`lex.yy.c', if possible, from existing .c
  makeinfo     touch the output file
  tar          try tar, gnutar, gtar, then tar without non-portable flags
  yacc         create \`y.tab.[ch]', if possible, from existing .[ch]

Version suffixes to PROGRAM as well as the prefixes \`gnu-', \`gnu', and
\`g' are ignored when checking the name.

Send bug reports to ."
    exit $?
    ;;

  -v|--v|--ve|--ver|--vers|--versi|--versio|--version)
    echo "missing $scriptversion (GNU Automake)"
    exit $?
    ;;

  -*)
    echo 1>&2 "$0: Unknown \`$1' option"
    echo 1>&2 "Try \`$0 --help' for more information"
    exit 1
    ;;

esac

# normalize program name to check for.
# (strips one leading `gnu-', `gnu' or `g'; `t' ends the sed script after
# the first substitution that succeeds)
program=`echo "$1" | sed '
  s/^gnu-//; t
  s/^gnu//; t
  s/^g//; t'`

# Now exit if we have it, but it failed.  Also exit now if we
# don't have it and --version was passed (most likely to detect
# the program).  This is about non-GNU programs, so use $1 not
# $program.
case $1 in
  lex*|yacc*)
    # Not GNU programs, they don't have --version.
    ;;

  tar*)
    if test -n "$run"; then
      echo 1>&2 "ERROR: \`tar' requires --run"
      exit 1
    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
      exit 1
    fi
    ;;

  *)
    # NOTE(review): $1 is expanded unquoted here, so a program name that
    # contains whitespace would be word-split before execution.
    if test -z "$run" && ($1 --version) > /dev/null 2>&1; then
      # We have it, but it failed.
      exit 1
    elif test "x$2" = "x--version" || test "x$2" = "x--help"; then
      # Could not run --version or --help.  This is probably someone
      # running `$TOOL --version' or `$TOOL --help' to check whether
      # $TOOL exists and not knowing $TOOL uses missing.
      exit 1
    fi
    ;;
esac

# If it does not exist, or fails to run (possibly an outdated version),
# try to emulate it.
case $program in
  aclocal*)
    echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
         you modified \`acinclude.m4' or \`${configure_ac}'. You might want
         to install the \`Automake' and \`Perl' packages. Grab them from
         any GNU archive site."
    touch aclocal.m4
    ;;

  autoconf*)
    echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
         you modified \`${configure_ac}'. You might want to install the
         \`Autoconf' and \`GNU m4' packages. Grab them from any GNU
         archive site."
    touch configure
    ;;

  autoheader*)
    echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
         you modified \`acconfig.h' or \`${configure_ac}'. You might want
         to install the \`Autoconf' and \`GNU m4' packages. Grab them
         from any GNU archive site."
    # Collect the header names listed in A[CM]_CONFIG_HEADER(...).
    # NOTE(review): the bracket expression below shows only a space on this
    # page; it may originally have held a space and a tab -- confirm against
    # the release tarball.
    files=`sed -n 's/^[ ]*A[CM]_CONFIG_HEADER(\([^)]*\)).*/\1/p' ${configure_ac}`
    test -z "$files" && files="config.h"
    touch_files=
    for f in $files; do
      case $f in
      # `output:input' form: touch the first input named after the colon.
      *:*) touch_files="$touch_files "`echo "$f" |
                                       sed -e 's/^[^:]*://' -e 's/:.*//'`;;
      # plain name: the template is NAME.in
      *) touch_files="$touch_files $f.in";;
      esac
    done
    touch $touch_files
    ;;

  automake*)
    echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
         you modified \`Makefile.am', \`acinclude.m4' or \`${configure_ac}'.
         You might want to install the \`Automake' and \`Perl' packages.
         Grab them from any GNU archive site."
    # Touch the Makefile.in next to every Makefile.am below the current
    # directory.
    find . -type f -name Makefile.am -print |
      sed 's/\.am$/.in/' |
      while read f; do touch "$f"; done
    ;;

  autom4te*)
    echo 1>&2 "\
WARNING: \`$1' is needed, but is $msg.
         You might have modified some files without having the
         proper tools for further handling them.
         You can get \`$1' as part of \`Autoconf' from any GNU
         archive site."

    # The output path comes from the --output / -o argument.
    # NOTE(review): $file is expanded unquoted in `touch', `exec >' and
    # `chmod' below, so a path containing whitespace or glob characters
    # would be split or expanded by the shell.
    file=`echo "$*" | sed -n "$sed_output"`
    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
    if test -f "$file"; then
      touch $file
    else
      # No existing output: write an executable stub script to $file
      # (stdout is redirected there when $file is non-empty) and report
      # failure.
      test -z "$file" || exec >$file
      echo "#! /bin/sh"
      echo "# Created by GNU Automake missing as a replacement of"
      echo "# $ $@"
      echo "exit 0"
      chmod +x $file
      exit 1
    fi
    ;;

  bison*|yacc*)
    echo 1>&2 "\
WARNING: \`$1' $msg. You should only need it if
         you modified a \`.y' file. You may need the \`Bison' package
         in order for those modifications to take effect. You can get
         \`Bison' from any GNU archive site."
    rm -f y.tab.c y.tab.h
    if test $# -ne 1; then
      # The eval only builds the reference ${N} from the argument count;
      # the argument's own text is assigned, not re-evaluated.
      eval LASTARG="\${$#}"
      case $LASTARG in
      *.y)
        # Reuse a pre-generated FILE.c / FILE.h next to FILE.y if present.
        SRCFILE=`echo "$LASTARG" | sed 's/y$/c/'`
        if test -f "$SRCFILE"; then
          cp "$SRCFILE" y.tab.c
        fi
        SRCFILE=`echo "$LASTARG" | sed 's/y$/h/'`
        if test -f "$SRCFILE"; then
          cp "$SRCFILE" y.tab.h
        fi
        ;;
      esac
    fi
    # Otherwise fall back to placeholder outputs.
    if test ! -f y.tab.h; then
      echo >y.tab.h
    fi
    if test ! -f y.tab.c; then
      echo 'main() { return 0; }' >y.tab.c
    fi
    ;;

  lex*|flex*)
    echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
         you modified a \`.l' file. You may need the \`Flex' package
         in order for those modifications to take effect. You can get
         \`Flex' from any GNU archive site."
    rm -f lex.yy.c
    if test $# -ne 1; then
      # As above: eval only resolves the index of the last argument.
      eval LASTARG="\${$#}"
      case $LASTARG in
      *.l)
        SRCFILE=`echo "$LASTARG" | sed 's/l$/c/'`
        if test -f "$SRCFILE"; then
          cp "$SRCFILE" lex.yy.c
        fi
        ;;
      esac
    fi
    if test ! -f lex.yy.c; then
      echo 'main() { return 0; }' >lex.yy.c
    fi
    ;;

  help2man*)
    echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
         you modified a dependency of a manual page. You may need the
         \`Help2man' package in order for those modifications to take
         effect. You can get \`Help2man' from any GNU archive site."

    # NOTE(review): same unquoted $file expansions as in the autom4te case.
    file=`echo "$*" | sed -n "$sed_output"`
    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
    if test -f "$file"; then
      touch $file
    else
      test -z "$file" || exec >$file
      echo ".ab help2man is required to generate this page"
      exit $?
    fi
    ;;

  makeinfo*)
    echo 1>&2 "\
WARNING: \`$1' is $msg. You should only need it if
         you modified a \`.texi' or \`.texinfo' file, or any other file
         indirectly affecting the aspect of the manual. The spurious
         call might also be the consequence of using a buggy \`make' (AIX,
         DU, IRIX). You might want to install the \`Texinfo' package or
         the \`GNU make' package. Grab either from any GNU archive site."
    # The file to touch is that specified with -o ...
    file=`echo "$*" | sed -n "$sed_output"`
    test -z "$file" && file=`echo "$*" | sed -n "$sed_minuso"`
    if test -z "$file"; then
      # ... or it is the one specified with @setfilename ...
      infile=`echo "$*" | sed 's/.* \([^ ]*\) *$/\1/'`
      file=`sed -n '
        /^@setfilename/{
          s/.* \([^ ]*\) *$/\1/
          p
          q
        }' $infile`
      # ... or it is derived from the source name (dir/f.texi becomes f.info)
      test -z "$file" && file=`echo "$infile" | sed 's,.*/,,;s,.[^.]*$,,'`.info
    fi
    # If the file does not exist, the user really needs makeinfo;
    # let's fail without touching anything.
    test -f $file || exit 1
    touch $file
    ;;

  tar*)
    shift

    # We have already tried tar in the generic part.
    # Look for gnutar/gtar before invocation to avoid ugly error
    # messages.
    if (gnutar --version > /dev/null 2>&1); then
      gnutar "$@" && exit 0
    fi
    if (gtar --version > /dev/null 2>&1); then
      gtar "$@" && exit 0
    fi
    # Retry plain tar with the `o' and then the `h' flag letter removed
    # from the first argument (the "non-portable flags" of the help text).
    firstarg="$1"
    if shift; then
      case $firstarg in
      *o*)
        firstarg=`echo "$firstarg" | sed s/o//`
        tar "$firstarg" "$@" && exit 0
        ;;
      esac
      case $firstarg in
      *h*)
        firstarg=`echo "$firstarg" | sed s/h//`
        tar "$firstarg" "$@" && exit 0
        ;;
      esac
    fi

    echo 1>&2 "\
WARNING: I can't seem to be able to run \`tar' with the given arguments.
         You may want to install GNU tar or Free paxutils, or check the
         command line arguments."
    exit 1
    ;;

  *)
    echo 1>&2 "\
WARNING: \`$1' is needed, and is $msg.
         You might have modified some files without having the
         proper tools for further handling them. Check the \`README' file,
         it often tells you about the needed prerequisites for installing
         this package. You may also peek at any GNU archive site, in case
         some other package would contain this missing \`$1' program."
    exit 1
    ;;
esac

exit 0

# Local variables:
# eval: (add-hook 'write-file-hooks 'time-stamp)
# time-stamp-start: "scriptversion="
# time-stamp-format: "%:y-%02m-%02d.%02H"
# time-stamp-time-zone: "UTC"
# time-stamp-end: "; # UTC"
# End: