Updated version 3.0.14+dfsg from 'upstream/3.0.14+dfsg'
with Debian dir 6051b95c17389fbed327933140a5cdcc92a1cabc
Michael Stapelberg
6 years ago
10 | 10 | # The default rule is "all". |
11 | 11 | # |
12 | 12 | all: |
13 | ||
14 | # | |
15 | # Catch people who try to use BSD make | |
16 | # | |
17 | ifeq "0" "1" | |
18 | .error GNU Make is required to build FreeRADIUS | |
19 | endif | |
13 | 20 | |
14 | 21 | $(if $(wildcard Make.inc),,$(error Missing 'Make.inc' Run './configure [options]' and retry)) |
15 | 22 |
8664 | 8664 | |
8665 | 8665 | |
8666 | 8666 | for ac_header in \ |
8667 | openssl/asn1.h \ | |
8668 | openssl/conf.h \ | |
8667 | 8669 | openssl/crypto.h \ |
8668 | 8670 | openssl/err.h \ |
8669 | 8671 | openssl/evp.h \ |
8672 | openssl/hmac.h \ | |
8670 | 8673 | openssl/md5.h \ |
8671 | 8674 | openssl/md4.h \ |
8672 | 8675 | openssl/sha.h \ |
8778 | 8781 | conftest.$ac_objext conftest.beam conftest.$ac_ext |
8779 | 8782 | fi |
8780 | 8783 | |
8784 | for ac_func in \ | |
8785 | SSL_get_client_random \ | |
8786 | SSL_get_server_random \ | |
8787 | SSL_SESSION_get_master_key \ | |
8788 | HMAC_CTX_new \ | |
8789 | HMAC_CTX_free \ | |
8790 | ASN1_STRING_get0_data \ | |
8791 | CONF_modules_load_file \ | |
8792 | CRYPTO_set_id_callback \ | |
8793 | CRYPTO_set_locking_callback | |
8794 | ||
8795 | do : | |
8796 | as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` | |
8797 | ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" | |
8798 | if eval test \"x\$"$as_ac_var"\" = x"yes"; then : | |
8799 | cat >>confdefs.h <<_ACEOF | |
8800 | #define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 | |
8801 | _ACEOF | |
8802 | ||
8803 | fi | |
8804 | done | |
8805 | ||
8781 | 8806 | CPPFLAGS="$old_CPPFLAGS" |
8782 | 8807 | fi |
8783 | 8808 | |
8786 | 8811 | |
8787 | 8812 | |
8788 | 8813 | export OPENSSL_LIBS OPENSSL_LDFLAGS OPENSSL_CPPFLAGS |
8789 | for ac_func in SSL_get_client_random | |
8790 | do : | |
8791 | ac_fn_c_check_func "$LINENO" "SSL_get_client_random" "ac_cv_func_SSL_get_client_random" | |
8792 | if test "x$ac_cv_func_SSL_get_client_random" = xyes; then : | |
8793 | cat >>confdefs.h <<_ACEOF | |
8794 | #define HAVE_SSL_GET_CLIENT_RANDOM 1 | |
8795 | _ACEOF | |
8796 | SSL_get_server_random | |
8797 | fi | |
8798 | done | |
8799 | ||
8800 | 8814 | fi |
8801 | 8815 | |
8802 | 8816 | if test "x$PCAP_LIBS" = x; then |
1103 | 1103 | AC_DEFINE(HAVE_OPENSSL_SSL_H, 1, [Define to 1 if you have the <openssl/ssl.h> header file.]) |
1104 | 1104 | |
1105 | 1105 | AC_CHECK_HEADERS( \ |
1106 | openssl/asn1.h \ | |
1107 | openssl/conf.h \ | |
1106 | 1108 | openssl/crypto.h \ |
1107 | 1109 | openssl/err.h \ |
1108 | 1110 | openssl/evp.h \ |
1111 | openssl/hmac.h \ | |
1109 | 1112 | openssl/md5.h \ |
1110 | 1113 | openssl/md4.h \ |
1111 | 1114 | openssl/sha.h \ |
1173 | 1176 | AC_MSG_RESULT([cross-compiling (assuming yes)]) |
1174 | 1177 | ] |
1175 | 1178 | ) |
1179 | dnl # | |
1180 | dnl # Check if the new HMAC_CTX interface is defined | |
1181 | dnl # | |
1182 | AC_CHECK_FUNCS( \ | |
1183 | SSL_get_client_random \ | |
1184 | SSL_get_server_random \ | |
1185 | SSL_SESSION_get_master_key \ | |
1186 | HMAC_CTX_new \ | |
1187 | HMAC_CTX_free \ | |
1188 | ASN1_STRING_get0_data \ | |
1189 | CONF_modules_load_file \ | |
1190 | CRYPTO_set_id_callback \ | |
1191 | CRYPTO_set_locking_callback | |
1192 | ) | |
1176 | 1193 | CPPFLAGS="$old_CPPFLAGS" |
1177 | 1194 | fi |
1178 | 1195 | |
1181 | 1198 | AC_SUBST(OPENSSL_LDFLAGS) |
1182 | 1199 | AC_SUBST(OPENSSL_CPPFLAGS) |
1183 | 1200 | export OPENSSL_LIBS OPENSSL_LDFLAGS OPENSSL_CPPFLAGS |
1184 | AC_CHECK_FUNCS(SSL_get_client_random,SSL_get_server_random) | |
1185 | 1201 | fi |
1186 | 1202 | |
1187 | 1203 | dnl # |
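Review bot: The `dnl` comment above the new `AC_CHECK_FUNCS` list (new lines 1179-1192) names only the HMAC_CTX interface, but the list also probes the SSL random and master-key accessors, `ASN1_STRING_get0_data`, `CONF_modules_load_file` and the two `CRYPTO_set_*_callback` threading hooks. Each `HAVE_*` result presumably selects between an OpenSSL accessor and an older fallback in the TLS code, so a probe that fails for the wrong reason would quietly select the fallback. `AC_CHECK_FUNCS` is a link test, and while the hunk shows `CPPFLAGS` still pointing at OpenSSL here, it does not show whether `LIBS` contains `$OPENSSL_LIBS` at this point, which is worth confirming. I would reword the comment to something like `dnl # Probe OpenSSL API differences (1.0.x / 1.1.x / LibreSSL); these are link tests and need OPENSSL_LIBS in LIBS`. The enclosing `if` block starts outside the hunk.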
0 | FreeRADIUS 3.0.14 Mon 06 Mar 2017 13:00:00 EDT urgency=medium | |
1 | Feature improvements | |
2 | * Enforce TLS client certificate expiration on | |
3 | session resumption, and Session-Timeout. | |
4 | See CVE-2017-9148. | |
5 | * Updated dictionary.cisco.vpn3000, dictionary.patton | |
6 | * Added dictionary.dellemc | |
7 | * Lowered the log output for failed PEAP sessions. | |
8 | * ALlow utc in rlm_date. Patch from | |
9 | Peter Lambrechtsen. | |
10 | * The internal OpenSSL session cache has been | |
11 | disabled. Please see mods-available/eap | |
12 | * Update detail reader documentation. | |
13 | Patch from Matthew Newton. Fixes #1973. | |
14 | * Make outgoing RadSec connections non-blocking. | |
15 | * Add SQL backing to Moonshot-*-TargetedId | |
16 | generation. Patch from Stefan Paetow. | |
17 | ||
18 | Bug fixes | |
19 | * radtest uses Cleartext-Password for EAP, not | |
20 | User-Password. | |
21 | * Update documentation for mods-enabled/ linking. | |
22 | * Enhanced checks for moonshot salt. Fixes #1933. | |
23 | * Allow session resumption for RadSec connections. | |
24 | Fixes #1936. | |
25 | * Update "huntgroups" file to note that port ranges | |
26 | are not supported. | |
27 | * Fix OpenSSL permissions issues on default key files. | |
28 | Fixes #1941. | |
29 | * Certificates are not required when PSK is used. | |
30 | * Allow SubjectAltName as first extension in cert. | |
31 | Fixes #1946. | |
32 | * Fixed talloc issue with TLS session resumption. | |
33 | Fixes #1980. | |
34 | * "&Attr-26 := 0x01" now produces useful error messages. | |
35 | * Handle connection error in rlm_ldap_cacheable_groupobj. | |
36 | Fixes #1951. | |
37 | * Fix endian issues in DHCP. | |
38 | * Multiple minor fixes for Coverity complaints. | |
39 | * Handle unexpected regex. Fixes #1959. | |
40 | * Fix minor issues in dictionaries. | |
41 | * Fix typos and grammar. Patches from Alan Buxey. | |
42 | * Fix erroneous VP creation in rlm_preproces. | |
43 | * Fix MIB. Patch from Jeff Gehlbach. | |
44 | * Trust router updates from Alejandro Perez. | |
45 | * Allow build with LibreSSL. Fixes #1989 | |
46 | * Use correct packet for channel bindings. Fixes #1990. | |
47 | * Many fixes found by PVS-Studio. Thanks to PVS-Studio | |
48 | for giving us a test license. Please see the git commit | |
49 | history for more information. | |
50 | * Fix incorrect length check in EAP-PWD. This may | |
51 | be exploitable. | |
52 | ||
53 | FreeRADIUS 3.0.13 Mon 06 Mar 2017 13:00:00 EDT urgency=medium | |
54 | Feature improvements | |
55 | * Add dictionary.rfc7930. Note that we do not implement | |
56 | the RFC. | |
57 | * Added 'cipher_server_preference' to mods-available/eap | |
58 | Patch from #1797. | |
59 | * OpenSSL 1.1.0 compatibility fixes. | |
60 | * rlm_perl: radiusd::xlat to evaluate xlat string | |
61 | within perl script | |
62 | * Allow authentication retry in winbind. Patch from | |
63 | Herwin Weststrate. See raddb/mods-available/mschap. | |
64 | * Added "recv-coa" method to rlm_rest. It behaves the | |
65 | same as "authorize". | |
66 | * Document Trust Router tr_port option. Patch from | |
67 | Stefan Paetow. | |
68 | * Update elasticsearch/logstash examples so that they work | |
69 | with elastic stack v5. Patch from Matthew Newton. | |
70 | * Print information about packets, replies, and contents | |
71 | in the detail file reader. | |
72 | * Update abfab-tr policy. Pull request #1893 | |
73 | from Stefan Paetow. | |
74 | * Reject packets which contain User-Password and | |
75 | EAP-Message. | |
76 | * Add example for filtering Access-Challenge. | |
77 | See sites-enabled/default. | |
78 | * Pull symlink fixes from v4.0.x. Fixes #1859. | |
79 | * Add systemd reload. Not everything is reloaded, but | |
80 | some is. Fixes #1662. | |
81 | * Better documentation for listen "ipaddr". Fixes #1921 | |
82 | * Add dictionary.cnergee, updated dictionary.nomadix. | |
83 | * radclient no longer needs -x to print statistics with -s. | |
84 | ||
85 | Bug fixes | |
86 | * Minor typos. Fixes #1763 | |
87 | * Fix typo in RPM build. Closes #1767. | |
88 | * rlm_mschap check for password expiry only | |
89 | if password was correct. Fixes #1762. | |
90 | * Update debian build. | |
91 | * update rlm_counter "man" page. Fixes #1775. | |
92 | * Remove erroneous assert. Fixes #1778. | |
93 | * fix mschap password change test. Fixes #1792. | |
94 | * Cleanup config file on data remove. Fixes #1795. | |
95 | * passwd module returns "notfound" if not found. | |
96 | * Check for old OpenSSL, and don't build rlm_eap_fast | |
97 | if it necessary. Fixes #1803 | |
98 | * Cleanup memory better after ldap version query. | |
99 | Patch from Aleksey Katargin. | |
100 | * Rename lt_* functions to avoid linker issues with | |
101 | libtool. Fixes #1277 | |
102 | * Many miscellaneous fixes and typos. | |
103 | * Allow long strings in %{%{foo} bar:-%{baz} blah". | |
104 | Fixes #1866 | |
105 | * Fix filtering operators, along with more documentation and | |
106 | more tests for them. | |
107 | * Fix OpenSSL fixes. Fixes #1876. | |
108 | * Finish SQL select queries even when SELECT returns no rows. | |
109 | Fixes #1879. | |
110 | * Set Module-Failure-Message for more EAP errors. | |
111 | * Correct typo in dictionary.rfc5580. Fixes #1882 | |
112 | * Remove obselete systemd syslog.target. | |
113 | * Client-Port-Balance load-balancing now uses client port. | |
114 | * Radrelay examples fixed from Alex Clouter. | |
115 | * Update systemd target. Pull request #1896. | |
116 | * Trim starting whitespace in xlat strings. | |
117 | * Get MySQL result lengths using normal API. | |
118 | * suid down after fchown(). Fixes #1914. | |
119 | * Fix cases of comparing pointer to NUL character. Fixes #1915. | |
120 | * OpenSSL v1.1 fixes. Pull request #1921. | |
121 | * Better Handle v4/v6 host names. Pull request #1919. | |
122 | * Remove "Auth-Type = System" from docs and examples. | |
123 | * Don't crash on malformed %{home_server}. Fixes #1922 | |
124 | * fix erroneous use of talloc destructor in rlm_eap | |
125 | * Issue trigger modules.sql.fail. Fixes #1923 | |
126 | * Document python_path gotcha's. Fixes #1845 | |
127 | * dlopen() the specific version of Python. Fixes #1592 | |
128 | ||
0 | 129 | FreeRADIUS 3.0.12 Thur 29 Sep 2016 13:00:00 EDT urgency=medium |
1 | 130 | Feature improvements |
2 | 131 | * Add support for =~ and !~ in update sections. |
23 | 152 | * Minor abfab and moonshot additions. |
24 | 153 | * Pass CFLAGS through from environment in RPM builds. |
25 | 154 | Allows more custom builds. |
26 | * Build with Heimdal in addtion to libkrb5. | |
155 | * Build with Heimdal in addition to libkrb5. | |
27 | 156 | |
28 | 157 | Bug fixes |
29 | 158 | * Use correct typedef for older versions of sqlite. |
30 | 159 | * Update mssql schema to add priority |
31 | * don't complain on /dev/urandom in ldap | |
32 | * fix == operator in update sections | |
160 | * Don't complain on /dev/urandom in ldap | |
161 | * Fix == operator in update sections | |
33 | 162 | * Don't create DHCP strings with many trailing zeros. |
34 | 163 | Patch from Nicolas C. Fixes #1526. |
35 | 164 | * Allow MS-CHAP change passwords instead of complaining |
4 | 4 | easiest way to query the logs, find out when a client connected or disconnected, |
5 | 5 | or view the top ten clients logging into the system over the last six hours? |
6 | 6 | |
7 | The logstash/elasticsearch/kibana stack is designed and built to do just that. | |
8 | elasticsearch is a search engine; logstash is commonly used to feed data in, | |
9 | and kibana the web interface to query the logs in near real time. | |
7 | The elastic stack is designed and built to do just that. elasticsearch is a | |
8 | search engine; logstash is commonly used to feed data in, and kibana the web | |
9 | interface to query the logs in near real time. | |
10 | 10 | |
11 | Installing the ELK stack is beyond the scope of this document, but can be done | |
11 | Installing the elastic stack is beyond the scope of this document, but can be done | |
12 | 12 | in a short amount of time by any competent sysadmin. Then comes getting the |
13 | 13 | logs in. |
14 | 14 | |
41 | 41 | tab-delimited key-value pairs out. Some additional data is then extracted |
42 | 42 | from certain key attributes. |
43 | 43 | |
44 | The file will need to be edited at least to set the input method: for | |
45 | experimentation the given input (stdin) may be used. If logstash is running on | |
46 | the RADIUS server then 'file' input may be appropriate, otherwise a different | |
47 | input such as log-courier or logstash-forwarder may be better to get the data | |
48 | over the network to the logstash server. | |
44 | The logstash config will need to be edited at least to set the input method: | |
45 | for experimentation the given input (file) may be used. If logstash is running | |
46 | on the RADIUS server itself then this example input may be appropriate, | |
47 | otherwise a different input such as log-courier or filebeat may be better to | |
48 | get the data over the network to logstash. | |
49 | 49 | |
50 | 50 | It would be best to use an input method that can join the multiple lines of |
51 | 51 | the detail file together and feed them to logstash as a single entry, rather |
52 | than using the logstash multiline filter. | |
52 | than using the logstash multiline codec. | |
53 | 53 | |
54 | 54 | log-courier.conf |
55 | 55 | |
57 | 57 | |
58 | 58 | kibana4-dashboard.json |
59 | 59 | |
60 | Basic RADIUS dashboard for Kibana4. | |
60 | Basic RADIUS dashboard for Kibana 4 and Kibana 5. | |
61 | 61 | |
62 | 62 | To import the dashboard first create a new index called "radius-*" in |
63 | 63 | Settings/Indices. Then go to Kibana's Settings page, "Objects" and "Import". |
64 | 64 | Once imported open the "RADIUS detail" dashboard. |
65 | ||
66 | kibana3-dashboard.json | |
67 | ||
68 | Basic RADIUS dashboard for Kibana3. To import the dashboard go to Load, | |
69 | Advanced and "Choose File". | |
70 | 65 | |
71 | 66 | |
72 | 67 | Example usage |
73 | 68 | ------------- |
74 | 69 | |
75 | 70 | Install mapping (only needs to be done once): |
76 | $ ./radius-mapping.sh | |
77 | 71 | |
78 | Feed a detail file in: | |
79 | $ /path/to/logstash -f logstash-radius.conf < acct-detail | |
72 | $ ./radius-mapping.sh | |
73 | ||
74 | Edit logstash-radius.conf to point to the correct file, then feed a detail file | |
75 | in: | |
76 | ||
77 | # /usr/share/logstash/bin/logstash --path.settings=/etc/logstash -f logstash-radius.conf | |
80 | 78 | |
81 | 79 | |
82 | 80 | See also |
88 | 86 | following software versions (note that elasticsearch 2.x may not yet |
89 | 87 | work with this config). |
90 | 88 | |
91 | elasticsearch 1.7.4 | |
92 | logstash 1.4.5 | |
93 | kibana 4.1.2 | |
94 | kibana 3.1.0 | |
89 | elasticsearch 5.1.2 | |
90 | logstash 5.1.2 | |
91 | kibana 5.1.2 | |
92 | kibana 4.1.11 | |
95 | 93 | |
96 | 94 | Matthew Newton |
97 | January 2016 | |
95 | January 2017 | |
98 | 96 |
0 | { | |
1 | "title": "RADIUS detail", | |
2 | "services": { | |
3 | "query": { | |
4 | "list": { | |
5 | "0": { | |
6 | "query": "*", | |
7 | "alias": "", | |
8 | "color": "#584477", | |
9 | "id": 0, | |
10 | "pin": false, | |
11 | "type": "lucene", | |
12 | "enable": true | |
13 | }, | |
14 | "1": { | |
15 | "id": 1, | |
16 | "type": "lucene", | |
17 | "query": "Acct-Status-Type:Start", | |
18 | "alias": "Accounting Start", | |
19 | "color": "#629E51", | |
20 | "pin": false, | |
21 | "enable": true | |
22 | }, | |
23 | "2": { | |
24 | "id": 2, | |
25 | "color": "#6ED0E0", | |
26 | "alias": "", | |
27 | "pin": false, | |
28 | "type": "lucene", | |
29 | "enable": true, | |
30 | "query": "Acct-Status-Type:Interim-Update" | |
31 | }, | |
32 | "3": { | |
33 | "id": 3, | |
34 | "color": "#BF1B00", | |
35 | "alias": "", | |
36 | "pin": false, | |
37 | "type": "lucene", | |
38 | "enable": true, | |
39 | "query": "Acct-Status-Type:Stop" | |
40 | } | |
41 | }, | |
42 | "ids": [ | |
43 | 0, | |
44 | 1, | |
45 | 2, | |
46 | 3 | |
47 | ] | |
48 | }, | |
49 | "filter": { | |
50 | "list": { | |
51 | "0": { | |
52 | "type": "time", | |
53 | "field": "@timestamp", | |
54 | "from": "now-7d", | |
55 | "to": "now", | |
56 | "mandate": "must", | |
57 | "active": true, | |
58 | "alias": "", | |
59 | "id": 0 | |
60 | } | |
61 | }, | |
62 | "ids": [ | |
63 | 0 | |
64 | ] | |
65 | } | |
66 | }, | |
67 | "rows": [ | |
68 | { | |
69 | "title": "Time series", | |
70 | "height": "200px", | |
71 | "editable": true, | |
72 | "collapse": false, | |
73 | "collapsable": true, | |
74 | "panels": [ | |
75 | { | |
76 | "span": 9, | |
77 | "editable": true, | |
78 | "type": "histogram", | |
79 | "loadingEditor": false, | |
80 | "mode": "count", | |
81 | "time_field": "@timestamp", | |
82 | "value_field": null, | |
83 | "x-axis": true, | |
84 | "y-axis": true, | |
85 | "scale": 1, | |
86 | "y_format": "none", | |
87 | "grid": { | |
88 | "max": null, | |
89 | "min": 0 | |
90 | }, | |
91 | "queries": { | |
92 | "mode": "selected", | |
93 | "ids": [ | |
94 | 1, | |
95 | 2, | |
96 | 3 | |
97 | ] | |
98 | }, | |
99 | "annotate": { | |
100 | "enable": false, | |
101 | "query": "*", | |
102 | "size": 20, | |
103 | "field": "_type", | |
104 | "sort": [ | |
105 | "_score", | |
106 | "desc" | |
107 | ] | |
108 | }, | |
109 | "auto_int": true, | |
110 | "resolution": 100, | |
111 | "interval": "1h", | |
112 | "intervals": [ | |
113 | "auto", | |
114 | "1s", | |
115 | "1m", | |
116 | "5m", | |
117 | "10m", | |
118 | "30m", | |
119 | "1h", | |
120 | "3h", | |
121 | "12h", | |
122 | "1d", | |
123 | "1w", | |
124 | "1y" | |
125 | ], | |
126 | "lines": false, | |
127 | "fill": 0, | |
128 | "linewidth": 3, | |
129 | "points": false, | |
130 | "pointradius": 5, | |
131 | "bars": true, | |
132 | "stack": true, | |
133 | "spyable": true, | |
134 | "zoomlinks": true, | |
135 | "options": true, | |
136 | "legend": true, | |
137 | "show_query": true, | |
138 | "interactive": true, | |
139 | "legend_counts": true, | |
140 | "timezone": "browser", | |
141 | "percentage": false, | |
142 | "zerofill": true, | |
143 | "derivative": false, | |
144 | "tooltip": { | |
145 | "value_type": "cumulative", | |
146 | "query_as_alias": true | |
147 | }, | |
148 | "title": "RADIUS Accounting data" | |
149 | }, | |
150 | { | |
151 | "error": false, | |
152 | "span": 3, | |
153 | "editable": true, | |
154 | "type": "terms", | |
155 | "loadingEditor": false, | |
156 | "field": "NAS-Identifier", | |
157 | "exclude": [], | |
158 | "missing": false, | |
159 | "other": false, | |
160 | "size": 20, | |
161 | "order": "count", | |
162 | "style": { | |
163 | "font-size": "10pt" | |
164 | }, | |
165 | "donut": false, | |
166 | "tilt": false, | |
167 | "labels": true, | |
168 | "arrangement": "horizontal", | |
169 | "chart": "pie", | |
170 | "counter_pos": "above", | |
171 | "spyable": true, | |
172 | "queries": { | |
173 | "mode": "selected", | |
174 | "ids": [ | |
175 | 1 | |
176 | ] | |
177 | }, | |
178 | "tmode": "terms", | |
179 | "tstat": "total", | |
180 | "valuefield": "", | |
181 | "title": "Sessions by NAS" | |
182 | } | |
183 | ], | |
184 | "notice": false | |
185 | }, | |
186 | { | |
187 | "title": "Graphs", | |
188 | "height": "200px", | |
189 | "editable": true, | |
190 | "collapse": false, | |
191 | "collapsable": true, | |
192 | "panels": [ | |
193 | { | |
194 | "error": false, | |
195 | "span": 3, | |
196 | "editable": true, | |
197 | "type": "terms", | |
198 | "loadingEditor": false, | |
199 | "field": "Calling-Station-Id", | |
200 | "exclude": [], | |
201 | "missing": false, | |
202 | "other": false, | |
203 | "size": 10, | |
204 | "order": "count", | |
205 | "style": { | |
206 | "font-size": "10pt" | |
207 | }, | |
208 | "donut": false, | |
209 | "tilt": false, | |
210 | "labels": true, | |
211 | "arrangement": "horizontal", | |
212 | "chart": "table", | |
213 | "counter_pos": "above", | |
214 | "spyable": true, | |
215 | "queries": { | |
216 | "mode": "selected", | |
217 | "ids": [ | |
218 | 1 | |
219 | ] | |
220 | }, | |
221 | "tmode": "terms", | |
222 | "tstat": "total", | |
223 | "valuefield": "", | |
224 | "title": "Top Calling-Station-Id" | |
225 | }, | |
226 | { | |
227 | "error": false, | |
228 | "span": 3, | |
229 | "editable": true, | |
230 | "type": "terms", | |
231 | "loadingEditor": false, | |
232 | "field": "Called-Station-Id", | |
233 | "exclude": [], | |
234 | "missing": false, | |
235 | "other": false, | |
236 | "size": 10, | |
237 | "order": "count", | |
238 | "style": { | |
239 | "font-size": "10pt" | |
240 | }, | |
241 | "donut": false, | |
242 | "tilt": false, | |
243 | "labels": true, | |
244 | "arrangement": "horizontal", | |
245 | "chart": "table", | |
246 | "counter_pos": "above", | |
247 | "spyable": true, | |
248 | "queries": { | |
249 | "mode": "selected", | |
250 | "ids": [ | |
251 | 1 | |
252 | ] | |
253 | }, | |
254 | "tmode": "terms", | |
255 | "tstat": "total", | |
256 | "valuefield": "", | |
257 | "title": "TopN Called-Station-Id" | |
258 | }, | |
259 | { | |
260 | "error": false, | |
261 | "span": 3, | |
262 | "editable": true, | |
263 | "type": "terms", | |
264 | "loadingEditor": false, | |
265 | "field": "User-Name", | |
266 | "exclude": [], | |
267 | "missing": false, | |
268 | "other": false, | |
269 | "size": 10, | |
270 | "order": "max", | |
271 | "style": { | |
272 | "font-size": "10pt" | |
273 | }, | |
274 | "donut": false, | |
275 | "tilt": false, | |
276 | "labels": true, | |
277 | "arrangement": "horizontal", | |
278 | "chart": "table", | |
279 | "counter_pos": "above", | |
280 | "spyable": true, | |
281 | "queries": { | |
282 | "mode": "all", | |
283 | "ids": [ | |
284 | 0, | |
285 | 1, | |
286 | 2, | |
287 | 3 | |
288 | ] | |
289 | }, | |
290 | "tmode": "terms_stats", | |
291 | "tstat": "max", | |
292 | "valuefield": "Acct-Output-Octets_long", | |
293 | "title": "TopN data Output" | |
294 | }, | |
295 | { | |
296 | "error": false, | |
297 | "span": 3, | |
298 | "editable": true, | |
299 | "type": "terms", | |
300 | "loadingEditor": false, | |
301 | "field": "User-Name", | |
302 | "exclude": [], | |
303 | "missing": false, | |
304 | "other": false, | |
305 | "size": 10, | |
306 | "order": "max", | |
307 | "style": { | |
308 | "font-size": "10pt" | |
309 | }, | |
310 | "donut": false, | |
311 | "tilt": false, | |
312 | "labels": true, | |
313 | "arrangement": "horizontal", | |
314 | "chart": "table", | |
315 | "counter_pos": "above", | |
316 | "spyable": true, | |
317 | "queries": { | |
318 | "mode": "all", | |
319 | "ids": [ | |
320 | 0, | |
321 | 1, | |
322 | 2, | |
323 | 3 | |
324 | ] | |
325 | }, | |
326 | "tmode": "terms_stats", | |
327 | "tstat": "max", | |
328 | "valuefield": "Acct-Input-Octets_long", | |
329 | "title": "TopN Data Input" | |
330 | } | |
331 | ], | |
332 | "notice": false | |
333 | }, | |
334 | { | |
335 | "title": "Table", | |
336 | "height": "150px", | |
337 | "editable": true, | |
338 | "collapse": false, | |
339 | "collapsable": true, | |
340 | "panels": [ | |
341 | { | |
342 | "error": false, | |
343 | "span": 12, | |
344 | "editable": true, | |
345 | "type": "table", | |
346 | "loadingEditor": false, | |
347 | "size": 100, | |
348 | "pages": 5, | |
349 | "offset": 0, | |
350 | "sort": [ | |
351 | "@timestamp", | |
352 | "asc" | |
353 | ], | |
354 | "overflow": "min-height", | |
355 | "fields": [ | |
356 | "timestamp", | |
357 | "User-Name", | |
358 | "Calling-Station-Id", | |
359 | "Called-Station-Id", | |
360 | "Framed-IP-Address", | |
361 | "NAS-Identifier" | |
362 | ], | |
363 | "highlight": [], | |
364 | "sortable": true, | |
365 | "header": true, | |
366 | "paging": true, | |
367 | "field_list": false, | |
368 | "all_fields": false, | |
369 | "trimFactor": 500, | |
370 | "localTime": false, | |
371 | "timeField": "@timestamp", | |
372 | "spyable": true, | |
373 | "queries": { | |
374 | "mode": "all", | |
375 | "ids": [ | |
376 | 0, | |
377 | 1, | |
378 | 2, | |
379 | 3 | |
380 | ] | |
381 | }, | |
382 | "style": { | |
383 | "font-size": "9pt" | |
384 | }, | |
385 | "normTimes": true, | |
386 | "title": "RADIUS data" | |
387 | } | |
388 | ], | |
389 | "notice": false | |
390 | } | |
391 | ], | |
392 | "editable": true, | |
393 | "failover": false, | |
394 | "index": { | |
395 | "interval": "day", | |
396 | "pattern": "[radius-]YYYY.MM.DD", | |
397 | "default": "[radius-]YYYY.MM.DD", | |
398 | "warm_fields": false | |
399 | }, | |
400 | "style": "dark", | |
401 | "panel_hints": true, | |
402 | "pulldowns": [ | |
403 | { | |
404 | "type": "query", | |
405 | "collapse": true, | |
406 | "notice": false, | |
407 | "enable": true, | |
408 | "query": "*", | |
409 | "pinned": true, | |
410 | "history": [ | |
411 | "Acct-Status-Type:Stop", | |
412 | "Acct-Status-Type:Interim-Update", | |
413 | "Acct-Status-Type:Start", | |
414 | "*" | |
415 | ], | |
416 | "remember": 10 | |
417 | }, | |
418 | { | |
419 | "type": "filtering", | |
420 | "collapse": true, | |
421 | "notice": true, | |
422 | "enable": true | |
423 | } | |
424 | ], | |
425 | "nav": [ | |
426 | { | |
427 | "type": "timepicker", | |
428 | "collapse": false, | |
429 | "notice": false, | |
430 | "enable": true, | |
431 | "status": "Stable", | |
432 | "time_options": [ | |
433 | "5m", | |
434 | "15m", | |
435 | "1h", | |
436 | "6h", | |
437 | "12h", | |
438 | "24h", | |
439 | "2d", | |
440 | "7d", | |
441 | "30d" | |
442 | ], | |
443 | "refresh_intervals": [ | |
444 | "5s", | |
445 | "10s", | |
446 | "30s", | |
447 | "1m", | |
448 | "5m", | |
449 | "15m", | |
450 | "30m", | |
451 | "1h", | |
452 | "2h", | |
453 | "1d" | |
454 | ], | |
455 | "timefield": "@timestamp", | |
456 | "now": true, | |
457 | "filter_id": 0 | |
458 | } | |
459 | ], | |
460 | "loader": { | |
461 | "save_gist": false, | |
462 | "save_elasticsearch": true, | |
463 | "save_local": true, | |
464 | "save_default": true, | |
465 | "save_temp": true, | |
466 | "save_temp_ttl_enable": true, | |
467 | "save_temp_ttl": "30d", | |
468 | "load_gist": false, | |
469 | "load_elasticsearch": true, | |
470 | "load_elasticsearch_size": 20, | |
471 | "load_local": false, | |
472 | "hide": false | |
473 | }, | |
474 | "refresh": false | |
475 | } |
0 | 0 | [ |
1 | { | |
2 | "_id": "RADIUS-data", | |
3 | "_type": "search", | |
4 | "_source": { | |
5 | "title": "RADIUS data", | |
6 | "description": "", | |
7 | "hits": 0, | |
8 | "columns": [ | |
9 | "User-Name", | |
10 | "Calling-Station-Id", | |
11 | "Called-Station-Id", | |
12 | "Framed-IP-Address", | |
13 | "NAS-Identifier" | |
14 | ], | |
15 | "sort": [ | |
16 | "@timestamp", | |
17 | "desc" | |
18 | ], | |
19 | "version": 1, | |
20 | "kibanaSavedObjectMeta": { | |
21 | "searchSourceJSON": "{\"index\":\"radius-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" | |
22 | } | |
23 | } | |
24 | }, | |
1 | 25 | { |
2 | 26 | "_id": "RADIUS-detail", |
3 | 27 | "_type": "dashboard", |
36 | 60 | "version": 1, |
37 | 61 | "kibanaSavedObjectMeta": { |
38 | 62 | "searchSourceJSON": "{\"index\":\"radius-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[{\"meta\":{\"negate\":false,\"index\":\"radius-*\",\"key\":\"Acct-Status-Type\",\"value\":\"Start\",\"disabled\":false},\"query\":{\"match\":{\"Acct-Status-Type\":{\"query\":\"Start\",\"type\":\"phrase\"}}}}]}" |
39 | } | |
40 | } | |
41 | }, | |
42 | { | |
43 | "_id": "RADIUS-data", | |
44 | "_type": "search", | |
45 | "_source": { | |
46 | "title": "RADIUS data", | |
47 | "description": "", | |
48 | "hits": 0, | |
49 | "columns": [ | |
50 | "User-Name", | |
51 | "Calling-Station-Id", | |
52 | "Called-Station-Id", | |
53 | "Framed-IP-Address", | |
54 | "NAS-Identifier" | |
55 | ], | |
56 | "sort": [ | |
57 | "@timestamp", | |
58 | "desc" | |
59 | ], | |
60 | "version": 1, | |
61 | "kibanaSavedObjectMeta": { | |
62 | "searchSourceJSON": "{\"index\":\"radius-*\",\"query\":{\"query_string\":{\"analyze_wildcard\":true,\"query\":\"*\"}},\"highlight\":{\"pre_tags\":[\"@kibana-highlighted-field@\"],\"post_tags\":[\"@/kibana-highlighted-field@\"],\"fields\":{\"*\":{}},\"fragment_size\":2147483647},\"filter\":[]}" | |
63 | 63 | } |
64 | 64 | } |
65 | 65 | }, |
0 | 0 | # Example log-courier configuration file for RADIUS detail files. |
1 | # | |
2 | # This has been tested with log-courier version 2.0.4 | |
1 | 3 | # |
2 | 4 | { |
3 | 5 | "general": { |
4 | 6 | "persist directory": "/var/lib/log-courier", |
5 | 7 | "log syslog": true, |
6 | "log stdout": false, | |
7 | "admin listen address": "unix:/var/run/log-courier/admin.socket" | |
8 | "log stdout": false | |
8 | 9 | }, |
9 | 10 | |
10 | 11 | "network": { |
11 | 12 | "transport": "tcp", |
12 | "reconnect": 10, | |
13 | 13 | |
14 | 14 | # Servers to connect to. |
15 | 15 | # |
43 | 43 | # logstash configuration. Logstash can then also be run |
44 | 44 | # with multiple workers (using -w). |
45 | 45 | # |
46 | "codec": { | |
47 | "name": "multiline", | |
48 | "pattern": "^[A-Z\t]", | |
49 | "negate": false, | |
50 | "what": "next" | |
51 | } | |
46 | "codecs": [ | |
47 | { | |
48 | "name": "multiline", | |
49 | "patterns": [ "^[A-Z\t]" ], | |
50 | "what": "next" | |
51 | } | |
52 | ] | |
52 | 53 | } |
53 | 54 | ] |
54 | 55 | } |
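Review bot: The `network` block kept by this update (new line 12) still ships records with `"transport": "tcp"`, which is unencrypted, and the refreshed example does not mention this. Detail records carry fields such as User-Name, Calling-Station-Id and Framed-IP-Address, so the example deserves a comment next to the transport line for setups where log-courier and logstash run on different hosts, for instance `# Use "tls" (with certificates configured on both ends) when shipping over an untrusted network.` The commented `courier` input in the logstash example also uses `transport => "tcp"` and would need the matching change.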
0 | 0 | # logstash configuration to process RADIUS detail files |
1 | 1 | # |
2 | 2 | # Matthew Newton |
3 | # January 2016 | |
3 | # January 2017 | |
4 | # | |
5 | # This config has been tested with logstash version 5.1.2. | |
4 | 6 | # |
5 | 7 | # RADIUS "detail" files are textual representations of the RADIUS |
6 | 8 | # packets, and are written to disk by e.g. FreeRADIUS. They look |
21 | 23 | |
22 | 24 | |
23 | 25 | |
24 | # Example input - read data from a file. This can be useful for | |
25 | # testing, but usually not so much for live service. For example, | |
26 | # to read in a detail file with this input you could use: | |
27 | # | |
28 | # /opt/logstash/bin/logstash -v -f logstash-radius.conf < detailfile | |
26 | # Example input - read data from a file. For example, to read in a | |
27 | # detail file with this input you could use: | |
28 | # | |
29 | # # /usr/share/logstash/bin/logstash --path.settings=/etc/logstash -f logstash-radius.conf | |
30 | # | |
29 | 31 | |
30 | 32 | input { |
31 | stdin { | |
33 | file { | |
34 | path => "/path/to/radius/detail/file" | |
35 | ||
36 | # Note when testing that logstash will remember where | |
37 | # it got to and continue from there. | |
38 | start_position => "beginning" | |
39 | ||
40 | # Set the type, for below. | |
32 | 41 | type => radiusdetail |
42 | ||
43 | # It is preferable to use a log feeder that can join | |
44 | # multiple lines together, rather than using multiline | |
45 | # here. For an example, see the log-courier | |
46 | # configuration in this directory. | |
47 | ||
48 | # If you didn't read the above, go back and read it again. | |
49 | ||
50 | # If that is not possible you may be able to use the | |
51 | # following section. Note that if you are using the | |
52 | # "stdin" input, the file is chunked into 16k blobs, | |
53 | # so every 16k a detail record is likely to be chopped | |
54 | # in half. If you are using the "file" input (as in this | |
55 | # example), the blank links between records are not | |
56 | # passed through so the regex here has to be aware of | |
57 | # that. Basically, do multiline as early as possible | |
58 | # in your log feeder client not here and you'll avoid | |
59 | # most issues that are likely to come up. | |
60 | ||
61 | codec => multiline { | |
62 | pattern => "^\t" | |
63 | negate => false | |
64 | what => "previous" | |
65 | } | |
66 | ||
67 | # If you really want to use the "stdin" input, this | |
68 | # will work better, but be aware of the comments | |
69 | # above. | |
70 | ||
71 | #codec => multiline { | |
72 | # pattern => "^[A-Z\t]" | |
73 | # negate => false | |
74 | # what => "next" | |
75 | #} | |
33 | 76 | } |
34 | 77 | } |
35 | 78 | |
36 | 79 | # Moving into production will likely need something more reliable. |
37 | 80 | # There are many input methods, an example here using log-courier |
38 | 81 | # (which supports client-site multiline processing and does not |
39 | # lose log events if logstash is restarted). | |
82 | # lose log events if logstash is restarted). You could also | |
83 | # investigate e.g. filebeat from Elastic. | |
40 | 84 | |
41 | 85 | # input { |
42 | 86 | # courier { |
43 | 87 | # port => 5140 |
44 | 88 | # transport => "tcp" |
89 | # | |
90 | # # Don't set the type here, as it's set in the | |
91 | # # log-courier config instead. | |
92 | # #type => radiusdetail | |
45 | 93 | # } |
46 | 94 | # } |
47 | 95 | |
54 | 102 | filter { |
55 | 103 | |
56 | 104 | if [type] == "radiusdetail" { |
57 | ||
58 | # If you are using a log feeder that can join | |
59 | # multiple lines together then that is preferrable | |
60 | # to using multiline here, because this can not be | |
61 | # used with threaded logstash (i.e. -w<n> at | |
62 | # startup). | |
63 | ||
64 | # In that case you should comment out the following | |
65 | # section. For example, see the log-courier | |
66 | # configuration configuration in this directory. | |
67 | ||
68 | multiline { | |
69 | pattern => "^[A-Z\t]" | |
70 | negate => false | |
71 | what => "next" | |
72 | } | |
73 | 105 | |
74 | 106 | # Pull off the timestamp at the start of the |
75 | 107 | # detail record. Note there may be additional data |
90 | 122 | # Split the attributes and values into fields. |
91 | 123 | # This is the bulk of processing that adds all of |
92 | 124 | # the RADIUS attributes as elasticsearch fields. |
125 | ||
126 | # Note issue https://github.com/logstash-plugins/logstash-filter-kv/issues/10 | |
127 | # currently means that all spaces will be stripped | |
128 | # from all fields. If this is a problem, adjust the | |
129 | # trim setting. | |
93 | 130 | |
94 | 131 | kv { |
95 | 132 | field_split => "\n" |
162 | 199 | # possible to make sure all MAC addresses look the |
163 | 200 | # same, which has obvious benefits. |
164 | 201 | # |
165 | # https://github.com/mcnewton/elk/blob/master/logstash-filters/sanitize_mac.rb | |
202 | # https://github.com/mcnewton/logstash-filter-sanitize_mac | |
166 | 203 | |
167 | 204 | # sanitize_mac { |
168 | 205 | # match => { |
169 | 206 | # "Called-Station-Id_mac" => "Called-Station-Id_mac" |
170 | 207 | # "Calling-Station-Id_mac" => "Calling-Station-Id_mac" |
171 | 208 | # } |
172 | # separator => ":" | |
209 | # separator => "-" | |
173 | 210 | # fixcase => "lower" |
174 | 211 | # } |
175 | 212 | |
181 | 218 | |
182 | 219 | if ([Acct-Input-Octets]) { |
183 | 220 | ruby { |
184 | code => "event['Acct-Input-Octets_long'] = | |
185 | event['Acct-Input-Octets'].to_i + ( event['Acct-Input-Gigawords'] ? (event['Acct-Input-Gigawords'].to_i * (2**32)) : 0)" | |
221 | code => "event.set('Acct-Input-Octets_long', event.get('Acct-Input-Octets').to_i + | |
222 | (event.get('Acct-Input-Gigawords') ? (event.get('Acct-Input-Gigawords').to_i * (2**32)) : 0))" | |
186 | 223 | } |
187 | 224 | } |
188 | 225 | |
189 | 226 | if ([Acct-Output-Octets]) { |
190 | 227 | ruby { |
191 | code => "event['Acct-Output-Octets_long'] = | |
192 | event['Acct-Output-Octets'].to_i + ( event['Acct-Output-Gigawords'] ? (event['Acct-Output-Gigawords'].to_i * (2**32)) : 0)" | |
228 | code => "event.set('Acct-Output-Octets_long', event.get('Acct-Output-Octets').to_i + | |
229 | (event.get('Acct-Output-Gigawords') ? (event.get('Acct-Output-Gigawords').to_i * (2**32)) : 0))" | |
193 | 230 | } |
194 | 231 | } |
195 | 232 | |
198 | 235 | |
199 | 236 | |
200 | 237 | |
201 | # Output data to the local elasticsearch cluster (called | |
202 | # "elasticsearch") using type "detail" in index "radius-DATE". | |
238 | # Output data to the local elasticsearch cluster | |
239 | # using type "detail" in index "radius-DATE". | |
203 | 240 | |
204 | 241 | output { |
205 | 242 | if [type] == "radiusdetail" { |
206 | 243 | elasticsearch { |
207 | host => localhost | |
208 | protocol => http | |
209 | cluster => elasticsearch | |
210 | index_type => "detail" | |
244 | document_type => "detail" | |
211 | 245 | index => "radius-%{+YYYY.MM.dd}" |
212 | 246 | flush_size => 1000 |
213 | 247 | } |
0 | 0 | #! /bin/sh |
1 | 1 | |
2 | # Create a template mapping for RADIUS data | |
2 | # Create an elasticsearch template mapping for RADIUS data | |
3 | 3 | # Matthew Newton |
4 | 4 | # April 2015 |
5 | 5 | |
6 | 6 | # This should be run on an elasticsearch node. Alternatively, |
7 | 7 | # adjust the curl URI below. |
8 | ||
9 | # This version has been tested on elasticsearch 5.1.2 | |
8 | 10 | |
9 | 11 | # The template will be called "radius", and will apply to all |
10 | 12 | # indices prefixed with "radius-" that contain data type "detail". |
14 | 16 | # |
15 | 17 | # Acct-Input- or Acct-Output- attributes are numbers; |
16 | 18 | # Acct-Session-Time is a number; |
17 | # Everything else is a string. | |
19 | # Everything else is a keyword, which is a non-analysed string. | |
18 | 20 | |
19 | 21 | # Additionally, the supplied logstash config will try and extract |
20 | 22 | # MAC addresses, IP addresses and ports from the data. These are |
40 | 42 | "detail":{ |
41 | 43 | |
42 | 44 | "properties": { |
43 | "@timestamp": { "format": "dateOptionalTime", "type": "date" }, | |
44 | "@version": { "type" : "string" }, | |
45 | "message": { "type" : "string" }, | |
46 | "Acct-Session-Time": { "type" : "long", "doc_values": true }, | |
47 | "offset": { "type" : "long", "doc_values": true } | |
45 | "@timestamp": { "format" : "date_optional_time", "type" : "date" }, | |
46 | "@version": { "type" : "keyword" }, | |
47 | "message": { "type" : "text" }, | |
48 | "Acct-Session-Time": { "type" : "long" }, | |
49 | "offset": { "type" : "long" } | |
48 | 50 | }, |
49 | 51 | |
50 | 52 | "dynamic_templates": [ |
53 | 55 | "match_pattern": "regex", |
54 | 56 | "match": "^Acct-(Input|Output)-.*$", |
55 | 57 | "mapping": { |
56 | "type": "long", | |
57 | "doc_values": true | |
58 | "type": "long" | |
58 | 59 | } |
59 | 60 | } |
60 | 61 | }, |
62 | 63 | { "ipv4_address": { |
63 | 64 | "path_match": "*_ip", |
64 | 65 | "mapping": { |
65 | "type": "ip", | |
66 | "doc_values": true | |
66 | "type": "ip" | |
67 | 67 | } |
68 | 68 | } |
69 | 69 | }, |
71 | 71 | { "network_port": { |
72 | 72 | "path_match": "*_port", |
73 | 73 | "mapping": { |
74 | "type": "integer", | |
75 | "doc_values": true | |
74 | "type": "integer" | |
76 | 75 | } |
77 | 76 | } |
78 | 77 | }, |
80 | 79 | { "long_number": { |
81 | 80 | "path_match": "*_long", |
82 | 81 | "mapping": { |
83 | "type": "integer", | |
84 | "doc_values": true | |
82 | "type": "long" | |
85 | 83 | } |
86 | 84 | } |
87 | 85 | }, |
89 | 87 | { "no_analyze_strings": { |
90 | 88 | "match": "*", |
91 | 89 | "mapping": { |
92 | "type": "string", | |
93 | "index": "not_analyzed", | |
94 | "doc_values": true | |
90 | "type": "keyword" | |
95 | 91 | } |
96 | 92 | } |
97 | 93 | } |
14 | 14 | .RB [ \--reset |
15 | 15 | .IR number] |
16 | 16 | .RB [ \--help ] |
17 | .RB [ \-- | |
18 | .IR(hours|minutes|seconds) ] | |
17 | .RB [ \-\-hours | \-\-minutes | \-\-seconds ] | |
19 | 18 | |
20 | 19 | .SH DESCRIPTION |
21 | 20 | \fBrad_counter\fP is a tool that can query and maintain FreeRADIUS rlm_counter DB files. |
0 | .TH RADCLIENT 1 "28 March 2014" "" "FreeRADIUS Daemon" | |
0 | .TH RADCLIENT 1 "28 February 2017" "" "FreeRADIUS Daemon" | |
1 | 1 | .SH NAME |
2 | 2 | radclient - send packets to a RADIUS server, show reply |
3 | 3 | .SH SYNOPSIS |
124 | 124 | service is not found in \fI/etc/services\fP, 1813 and 1812 are used |
125 | 125 | respectively. |
126 | 126 | |
127 | If a host name is specified, then radclient will do a DNS lookup, and | |
128 | use the A record to find the IP address of the RADIUS server. If | |
129 | there is no A record, then radclient will look for an AAAA record. If | |
130 | there is no AAAA record, an error will be produced. | |
131 | ||
132 | IPv6 addresses may be specified by surrounding it in square brackets. | |
133 | For example, [2002:c000:0201:0:0:0:0:0], or with a port, | |
134 | [2002:c000:0201:0:0:0:0:0]:18120. | |
135 | ||
127 | 136 | The RADIUS attributes read by \fIradclient\fP can contain the special |
128 | 137 | attribute \fBPacket-Dst-IP-Address\fP. If this attribute exists, then |
129 | 138 | that IP address is where the packet is sent, and the \fBserver\fP |
18 | 18 | The module also provides FreeRADIUS an interface into a radwtmp file |
19 | 19 | (used by "radlast") when added to the accounting section. |
20 | 20 | .PP |
21 | The \fIrlm_unix\fP module does provides the functionality for | |
22 | "Auth-Type = System". The module should be listed in the | |
21 | The \fIrlm_unix\fP module should be listed in the | |
23 | 22 | "authenticate" section. Please see the default \fIradiusd.conf\fP |
24 | 23 | shipped with the server for an example of the correct usage of this |
25 | 24 | module. |
9 | 9 | .RE |
10 | 10 | .sp |
11 | 11 | .. |
12 | .TH unlang 5 "05 February 2016" "" "FreeRADIUS Processing un-language" | |
12 | .TH unlang 5 "02 January 2016" "" "FreeRADIUS Processing un-language" | |
13 | 13 | .SH NAME |
14 | 14 | unlang \- FreeRADIUS Processing un\-language |
15 | 15 | .SH DESCRIPTION |
289 | 289 | |
290 | 290 | Load-balance sections can contain only a list of modules, and cannot |
291 | 291 | contain keywords that perform conditional operations (if, else, etc) |
292 | or update an attribute list. | |
292 | or update an attribute list. Please see raddb/radiusd.conf | |
293 | "instantiate" section for more configuration examples. | |
293 | 294 | |
294 | 295 | .DS |
295 | 296 | redundant-load-balance { |
759 | 760 | |
760 | 761 | Note that this operator is very different than the '=' operator listed |
761 | 762 | above! |
763 | .IP != | |
764 | Keep all attributes with matching name, and value not equal to the | |
765 | given one. | |
766 | .IP < | |
767 | Keep all attributes having values less than the value | |
768 | given here. Any larger value is replaced by the value given here. If | |
769 | no attribute exists, it is added with the value given here, as with | |
770 | "+=". | |
762 | 771 | .IP <= |
763 | 772 | Keep all attributes having values less than, or equal to, the value |
764 | 773 | given here. Any larger value is replaced by the value given here. If |
765 | 774 | no attribute exists, it is added with the value given here, as with |
766 | 775 | "+=". |
767 | ||
768 | This operator is valid only for attributes of integer type. | |
776 | .IP > | |
777 | Keep all attributes having values greater than the value | |
778 | given here. Any smaller value is replaced by the value given here. If | |
779 | no attribute exists, it is added with the value given here, as with | |
780 | "+=". | |
769 | 781 | .IP >= |
770 | 782 | Keep all attributes having values greater than, or equal to, the value |
771 | given here. Any larger value is replaced by the value given here. If | |
783 | given here. Any smaller value is replaced by the value given here. If | |
772 | 784 | no attribute exists, it is added with the value given here, as with |
773 | 785 | "+=". |
774 | ||
775 | This operator is valid only for attributes of integer type. | |
776 | 786 | .IP !* |
777 | 787 | Delete all occurances of the named attribute, no matter what the |
778 | 788 | value. |
168 | 168 | .RE |
169 | 169 | |
170 | 170 | .DS |
171 | DEFAULT Auth-Type = System | |
172 | .br | |
173 | Fall-Through = Yes | |
174 | ||
175 | .DE | |
176 | .RS | |
177 | For all users reaching this entry, perform authentication against the | |
178 | system, unless Auth-Type has already been set. Also, process any | |
179 | following entries which may match. | |
180 | .RE | |
181 | ||
182 | .DS | |
183 | 171 | DEFAULT Service-Type == Framed-User, Framed-Protocol == PPP |
184 | 172 | .br |
185 | 173 | Service-Type = Framed-User, |
6 | 6 | .IR condition ] |
7 | 7 | .RB [ \-d |
8 | 8 | .IR config_directory ] |
9 | .RB [ \-n | |
10 | .IR name ] | |
9 | 11 | .RB [ \-i |
10 | 12 | .IR ipv4-address ] |
11 | 13 | .RB [ \-I |
70 | 72 | .IP "\-d \fIconfig directory\fP" |
71 | 73 | The radius configuration directory, usually /etc/raddb. See the |
72 | 74 | \fIradmin\fP manual page for more description of this option. |
75 | .IP "\-n \fImname\fP" | |
76 | Read \fIraddb/name.conf\fP instead of \fIraddb/radiusd.conf\fP. | |
73 | 77 | .IP \-I\ \fIipv6-address\fP |
74 | 78 | Show debug output for the client having the given IPv6 address. This |
75 | 79 | option is equivalent to using: |
4 | 4 | OBJECT-IDENTITY |
5 | 5 | FROM SNMPv2-SMI |
6 | 6 | freeRadiusMgmt |
7 | FROM FREERADIUS-SMI; | |
7 | FROM FREERADIUS-SMI | |
8 | SnmpAdminString | |
9 | FROM SNMP-FRAMEWORK-MIB; | |
8 | 10 | |
9 | 11 | freeradiusObjects MODULE-IDENTITY |
10 | 12 | LAST-UPDATED "200712170000Z" |
24 | 26 | "Generic objects used by notification MIBs" |
25 | 27 | ::= { freeRadiusMgmt 1 } |
26 | 28 | |
27 | radiusObject OBJECT-IDENTITY | |
29 | radiusObject OBJECT-TYPE | |
30 | SYNTAX SnmpAdminString | |
31 | MAX-ACCESS accessible-for-notify | |
28 | 32 | STATUS current |
29 | 33 | DESCRIPTION |
30 | 34 | "A generic object" |
75 | 75 | |
76 | 76 | Modules can be enabled by creating a soft link. For module ``foo``, do:: |
77 | 77 | |
78 | $ cd raddb | |
79 | $ ln -s mods-available/foo mods-enabled/foo | |
78 | $ cd raddb/mods-enabled | |
79 | $ ln -s ../mods-available/foo | |
80 | 80 | |
81 | 81 | To create "local" versions of the modules, we suggest copying the file |
82 | 82 | instead. This leaves the original file (with documentation) in the |
17 | 17 | LOCAL_CERT_FILES := Makefile README xpextensions \ |
18 | 18 | ca.cnf server.cnf client.cnf bootstrap |
19 | 19 | |
20 | # | |
21 | # We don't create the installed certs if we're building a package, | |
22 | # OR if OpenSSL is not available. | |
23 | # | |
24 | ifeq "$(PACKAGE)" "" | |
25 | ifneq "$(OPENSSL_LIBS)" "" | |
20 | 26 | LOCAL_CERT_PRODUCTS := $(addprefix $(R)$(raddbdir)/certs/,ca.key ca.pem \ |
21 | 27 | client.key client.pem server.key server.pem) |
28 | endif | |
29 | endif | |
22 | 30 | |
23 | 31 | LEGACY_LINKS := $(addprefix $(R)$(raddbdir)/,users huntgroups hints) |
24 | 32 | |
111 | 119 | @[ -e $@ ] || echo LN-S $(patsubst $(R)$(raddbdir)/%,raddb/%,$@) |
112 | 120 | @[ -e $@ ] || ln -s $(patsubst $(R)$(raddbdir)/%,./%,$<) $@ |
113 | 121 | |
114 | ifeq ("$(PACKAGE)","") | |
122 | ifneq "$(LOCAL_CERT_PRODUCTS)" "" | |
115 | 123 | $(LOCAL_CERT_PRODUCTS): |
116 | 124 | @echo BOOTSTRAP raddb/certs/ |
117 | 125 | @$(MAKE) -C $(R)$(raddbdir)/certs/ |
9 | 9 | ###################################################################### |
10 | 10 | |
11 | 11 | DH_KEY_SIZE = 2048 |
12 | OPENSSL = openssl | |
12 | 13 | |
13 | 14 | # |
14 | 15 | # Set the passwords |
48 | 49 | # |
49 | 50 | ###################################################################### |
50 | 51 | dh: |
51 | openssl gendh -out dh -2 $(DH_KEY_SIZE) | |
52 | $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE) | |
52 | 53 | |
53 | 54 | ###################################################################### |
54 | 55 | # |
58 | 59 | ca.key ca.pem: ca.cnf |
59 | 60 | @[ -f index.txt ] || $(MAKE) index.txt |
60 | 61 | @[ -f serial ] || $(MAKE) serial |
61 | openssl req -new -x509 -keyout ca.key -out ca.pem \ | |
62 | $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \ | |
62 | 63 | -days $(CA_DEFAULT_DAYS) -config ./ca.cnf |
64 | chmod g+r ca.key | |
63 | 65 | |
64 | 66 | ca.der: ca.pem |
65 | openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der | |
67 | $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der | |
66 | 68 | |
67 | 69 | ###################################################################### |
68 | 70 | # |
70 | 72 | # |
71 | 73 | ###################################################################### |
72 | 74 | server.csr server.key: server.cnf |
73 | openssl req -new -out server.csr -keyout server.key -config ./server.cnf | |
75 | $(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf | |
76 | chmod g+r server.key | |
74 | 77 | |
75 | 78 | server.crt: server.csr ca.key ca.pem |
76 | openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf | |
79 | $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf | |
77 | 80 | |
78 | 81 | server.p12: server.crt |
79 | openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) | |
82 | $(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) | |
83 | chmod g+r server.p12 | |
80 | 84 | |
81 | 85 | server.pem: server.p12 |
82 | openssl pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) | |
86 | $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER) | |
87 | chmod g+r server.pem | |
83 | 88 | |
84 | 89 | .PHONY: server.vrfy |
85 | 90 | server.vrfy: ca.pem |
86 | @openssl verify -CAfile ca.pem server.pem | |
91 | @$(OPENSSL) verify -CAfile ca.pem server.pem | |
87 | 92 | |
88 | 93 | ###################################################################### |
89 | 94 | # |
92 | 97 | # |
93 | 98 | ###################################################################### |
94 | 99 | client.csr client.key: client.cnf |
95 | openssl req -new -out client.csr -keyout client.key -config ./client.cnf | |
100 | $(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf | |
101 | chmod g+r client.key | |
96 | 102 | |
97 | 103 | client.crt: client.csr ca.pem ca.key |
98 | openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf | |
104 | $(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf | |
99 | 105 | |
100 | 106 | client.p12: client.crt |
101 | openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) | |
107 | $(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) | |
108 | chmod g+r client.p12 | |
102 | 109 | |
103 | 110 | client.pem: client.p12 |
104 | openssl pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) | |
111 | $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT) | |
112 | chmod g+r client.pem | |
105 | 113 | cp client.pem $(USER_NAME).pem |
106 | 114 | |
107 | 115 | .PHONY: client.vrfy |
108 | 116 | client.vrfy: ca.pem client.pem |
109 | 117 | c_rehash . |
110 | openssl verify -CApath . client.pem | |
118 | $(OPENSSL) verify -CApath . client.pem | |
111 | 119 | |
112 | 120 | ###################################################################### |
113 | 121 | # |
121 | 129 | @echo '01' > serial |
122 | 130 | |
123 | 131 | print: |
124 | openssl x509 -text -in server.crt | |
132 | $(OPENSSL) x509 -text -in server.crt | |
125 | 133 | |
126 | 134 | printca: |
127 | openssl x509 -text -in ca.pem | |
135 | $(OPENSSL) x509 -text -in ca.pem | |
128 | 136 | |
129 | 137 | clean: |
130 | 138 | @rm -f *~ *old client.csr client.key client.crt client.p12 client.pem |
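Review bot: The added `chmod g+r` lines widen access to every private key this Makefile generates, including `ca.key`, which in the rules shown here is only used by the `openssl ca` signing steps and so does not appear to need to be readable by the server's group at all. `g+r` is also relative: it leaves whatever "other" bits the umask allowed and does not set the owning group, so the result depends on who runs `make`. I would drop the `chmod` on `ca.key` and use an absolute mode on the rest, e.g. `chmod 640 server.key` (likewise for `server.p12`, `server.pem` and the `client.*` files). The same rules still pass `$(PASSWORD_CA)`, `$(PASSWORD_SERVER)` and `$(PASSWORD_CLIENT)` on the command line, where they are visible in the process list while `openssl` runs; a comment saying these are test-only passwords would help.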
0 | 0 | Modules in Version 3 |
1 | 1 | ==================== |
2 | 2 | |
3 | As of Version 3, all of the modules have been places in the | |
3 | As of Version 3, all of the modules have been placed in the | |
4 | 4 | "mods-available/" directory. This practice follows that used by other |
5 | 5 | servers such as Nginx, Apache, etc. The "modules" directory should |
6 | 6 | not be used. |
57 | 57 | Ignoring module (see raddb/mods-available/README.rst) |
58 | 58 | |
59 | 59 | Then you are in the right place. Most of the time this message can be |
60 | ignored. The message can be fixed by find the references to "-module" | |
60 | ignored. The message can be fixed by finding the references to "-module" | |
61 | 61 | in the virtual server, and deleting them. |
62 | 62 | |
63 | 63 | Another way to fix it is to configure the module, as described above. |
61 | 61 | # |
62 | 62 | # This value should be between 10 and 86400. |
63 | 63 | ttl = 10 |
64 | ||
65 | # You can flush the cache via | |
66 | # | |
67 | # radmin -e "set module config cache epoch 123456789" | |
68 | # | |
69 | # Where last value is a 32-bit Unix timestamp. Cache entries older | |
70 | # than this are expired, as new entries added. | |
71 | # | |
72 | # You should never set the "epoch" configuration item in this file. | |
73 | 64 | |
74 | 65 | # If yes the following attributes will be added to the request: |
75 | 66 | # * &request:Cache-Entry-Hits - The number of times this entry |
10 | 10 | # |
11 | 11 | date { |
12 | 12 | format = "%b %e %Y %H:%M:%S %Z" |
13 | ||
14 | # Use UTC instead of local time. | |
15 | # | |
16 | # default = no | |
17 | # utc = yes | |
13 | 18 | } |
324 | 324 | # |
325 | 325 | cipher_list = "DEFAULT" |
326 | 326 | |
327 | # If enabled, OpenSSL will use server cipher list | |
328 | # (possibly defined by cipher_list option above) | |
329 | # for choosing right cipher suite rather than | |
330 | # using client-specified list which is OpenSSl default | |
331 | # behavior. Having it set to yes is a current best practice | |
332 | # for TLS | |
333 | cipher_server_preference = no | |
334 | ||
327 | 335 | # Work-arounds for OpenSSL nonsense |
328 | 336 | # OpenSSL 1.0.1f and 1.0.1g do not calculate |
329 | 337 | # the EAP keys correctly. The fix is to upgrade |
373 | 381 | # Enable it. The default is "no". Deleting the entire "cache" |
374 | 382 | # subsection also disables caching. |
375 | 383 | # |
384 | # As of version 3.0.14, the session cache requires the use | |
385 | # of the "name" and "persist_dir" configuration items, below. | |
386 | # | |
387 | # The internal OpenSSL session cache has been permanently | |
388 | # disabled. | |
389 | # | |
376 | 390 | # You can disallow resumption for a particular user by adding the |
377 | 391 | # following attribute to the control item list: |
378 | 392 | # |
381 | 395 | # If "enable = no" below, you CANNOT enable resumption for just one |
382 | 396 | # user by setting the above attribute to "yes". |
383 | 397 | # |
384 | enable = yes | |
398 | enable = no | |
385 | 399 | |
386 | 400 | # |
387 | 401 | # Lifetime of the cached entries, in hours. The sessions will be |
388 | 402 | # deleted/invalidated after this time. |
389 | 403 | # |
390 | 404 | lifetime = 24 # hours |
391 | ||
392 | # | |
393 | # The maximum number of entries in the | |
394 | # cache. Set to "0" for "infinite". | |
395 | # | |
396 | # This could be set to the number of users | |
397 | # who are logged in... which can be a LOT. | |
398 | # | |
399 | max_entries = 255 | |
400 | 405 | |
401 | 406 | # |
402 | 407 | # Internal "name" of the session cache. Used to |
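Review bot: The new `cipher_server_preference = no` ships the opposite of what its own comment calls current best practice, and with `cipher_list = "DEFAULT"` a few lines above, the client's ordering then decides which suite is negotiated. If `no` is kept for compatibility (the reason is not stated in this hunk), the comment should say so, for example `# Shipped as "no" for compatibility; set to "yes" so the order in cipher_list is enforced.`; otherwise the default should be `yes`. The comment also spells the library as `OpenSSl`.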
0 | # -*- text -*- | |
1 | # | |
2 | # $Id$ | |
3 | ||
4 | # | |
5 | # Write Moonshot-*-TargetedId (MSTID) to the database. | |
6 | # | |
7 | # Schema raddb/sql/moonshot-targeted-ids/<DB>/schema.sql | |
8 | # Queries raddb/sql/moonshot-targeted-ids/<DB>/queries.conf | |
9 | # | |
10 | sql moonshot_tid_sql { | |
11 | ||
12 | # The dialect of SQL you want to use, this should usually match | |
13 | # the driver below. | |
14 | # | |
15 | # If you're using rlm_sql_null, then it should be the type of | |
16 | # database the logged queries are going to be executed against. | |
17 | dialect = "sqlite" | |
18 | ||
19 | # The sub-module to use to execute queries. This should match | |
20 | # the database you're attempting to connect to. | |
21 | # | |
22 | # There are MSTID queries available for: | |
23 | # * rlm_sql_mysql | |
24 | # * rlm_sql_postgresql | |
25 | # * rlm_sql_sqlite | |
26 | # * rlm_sql_null (log queries to disk) | |
27 | # | |
28 | driver = "rlm_sql_${dialect}" | |
29 | ||
30 | sqlite { | |
31 | filename = ${radacctdir}/moonshot-targeted-ids.sqlite | |
32 | bootstrap = ${modconfdir}/${..:name}/moonshot-targeted-ids/sqlite/schema.sql | |
33 | } | |
34 | ||
35 | # Write MSTID queries to a logfile. Useful for debugging. | |
36 | # logfile = ${logdir}/moonshot-targeted-id-log.sql | |
37 | ||
38 | pool { | |
39 | start = 5 | |
40 | min = 4 | |
41 | max = 10 | |
42 | spare = 3 | |
43 | uses = 0 | |
44 | lifetime = 0 | |
45 | idle_timeout = 60 | |
46 | } | |
47 | ||
48 | # If you adjust the table name here, you must also modify the table name in | |
49 | # the moonshot_get_targeted_id.post-auth policy in policy.d/moonshot-targeted-ids | |
50 | # and the schema.sql files in the mods-config/sql/moonshot-targeted-ids tree. | |
51 | # | |
52 | moonshot_tid_table = "moonshot_targeted_ids" | |
53 | sql_user_name = "%{User-Name}" | |
54 | ||
55 | $INCLUDE ${modconfdir}/${.:name}/moonshot-targeted-ids/${dialect}/queries.conf | |
56 | } |
76 | 76 | # |
77 | 77 | # winbind_username = "%{mschap:User-Name}" |
78 | 78 | # winbind_domain = "%{mschap:NT-Domain}" |
79 | ||
80 | # When using single sign-on with a winbind connection and the | |
81 | # client uses a different casing for the username than the | |
82 | # casing is according to the backend, reauth may fail because | |
83 | # of some Windows internals. This switch tries to find the | |
84 | # user in the correct casing in the backend, and retry | |
85 | # authentication with that username. | |
86 | # | |
87 | # winbind_retry_with_normalised_username = no | |
79 | 88 | |
80 | 89 | # |
81 | 90 | # Information for the winbind connection pool. The configuration |
8 | 8 | # It works in conjunction with otpd, which implements token |
9 | 9 | # management and OTP verification functions; and lsmd or gsmd, |
10 | 10 | # which implements synchronous state management functions. |
11 | # otpd, lsmd and gsmd are available from TRI-D Systems: | |
12 | # <http://www.tri-dsystems.com/> | |
13 | 11 | |
14 | 12 | # You must list this module in BOTH the authorize and authenticate |
15 | 13 | # sections in order to use it. |
6 | 6 | # a function defined, it will return NOOP. |
7 | 7 | # |
8 | 8 | python { |
9 | # Path to the python modules | |
10 | # | |
11 | # Note that due to limitations on Python, this configuration | |
12 | # item is GLOBAL TO THE SERVER. That is, you cannot have two | |
13 | # instances of the python module, each with a different path. | |
14 | # | |
15 | # python_path="/path/to/python/files:/another_path/to/python_files/" | |
16 | ||
9 | 17 | module = example |
10 | 18 | |
11 | 19 | mod_instantiate = ${.module} |
32 | 32 | # for a trust-router. For all other realms, |
33 | 33 | # they are ignored. |
34 | 34 | # trust_router = "localhost" |
35 | # tr_port = 12309 | |
35 | 36 | # rp_realm = "painless-security.com" |
36 | 37 | # default_community = "apc.moonshot.ja.net" |
37 | 38 | } |
59 | 59 | NAS-IP-Address =* ANY, |
60 | 60 | NAS-Identifier =* ANY, |
61 | 61 | Operator-Name =* ANY, |
62 | Calling-Station-Id =* ANY, | |
63 | Chargeable-User-Identity =* ANY, | |
62 | 64 | Proxy-State =* ANY |
8 | 8 | # Realm, the Huntgroup-Name or any combinaison of the attribute/value |
9 | 9 | # pairs contained in an accounting packet. |
10 | 10 | # |
11 | #DEFAULT Realm == "foo.net", Acct-Type := sql_log.foo | |
11 | # You will need to add an "Acct-Type foo {...}" subsection to the | |
12 | # main "accounting" section in order for these sample configurations | |
13 | # to work. | |
12 | 14 | # |
13 | #DEFAULT Huntgroup-Name == "wifi", Acct-Type := sql_log.wifi | |
15 | #DEFAULT Realm == "foo.net", Acct-Type := foo | |
14 | 16 | # |
15 | #DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := sql_log.other | |
17 | #DEFAULT Huntgroup-Name == "wifi", Acct-Type := wifi | |
16 | 18 | # |
17 | #DEFAULT Acct-Status-Type == Start, Acct-Type := sql_log.start | |
19 | #DEFAULT Client-IP-Address == 10.0.0.1, Acct-Type := other | |
20 | # | |
21 | #DEFAULT Acct-Status-Type == Start, Acct-Type := start | |
18 | 22 | |
19 | 23 | # Replace the User-Name with the Stripped-User-Name, if it exists. |
20 | 24 | # |
125 | 125 | return RLM_MODULE_REJECT; |
126 | 126 | } else { |
127 | 127 | # Accept user and set some attribute |
128 | $RAD_REPLY{'h323-credit-amount'} = "100"; | |
128 | if (&radiusd::xlat("%{client:group}") eq 'UltraAllInclusive') { | |
129 | # User called from NAS with unlim plan set, set higher limits | |
130 | $RAD_REPLY{'h323-credit-amount'} = "1000000"; | |
131 | } else { | |
132 | $RAD_REPLY{'h323-credit-amount'} = "100"; | |
133 | } | |
129 | 134 | return RLM_MODULE_OK; |
130 | 135 | } |
131 | 136 | } |
0 | 0 | # |
1 | 1 | # huntgroups This file defines the `huntgroups' that you have. A |
2 | 2 | # huntgroup is defined by specifying the IP address of |
3 | # the NAS and possibly a port range. Port can be identified | |
4 | # as just one port, or a range (from-to), and multiple ports | |
5 | # or ranges of ports must be separated by a comma. For | |
6 | # example: 1,2,3-8 | |
3 | # the NAS and possibly a port. | |
7 | 4 | # |
8 | 5 | # Matching is done while RADIUS scans the user file; if it |
9 | # includes the selection criterium "Huntgroup-Name == XXX" | |
6 | # includes the selection criteria "Huntgroup-Name == XXX" | |
10 | 7 | # the huntgroup is looked up in this file to see if it |
11 | 8 | # matches. There can be multiple definitions of the same |
12 | 9 | # huntgroup; the first one that matches will be used. |
31 | 28 | #delft NAS-IP-Address == 198.51.100.5 |
32 | 29 | |
33 | 30 | # |
34 | # Ports 0-7 on the first terminal server in Alphen are connected to | |
31 | # Port 0 on the first terminal server in Alphen are connected to | |
35 | 32 | # a huntgroup that is for business users only. Note that only one |
36 | 33 | # of the username or groupname has to match to get access (OR/OR). |
37 | 34 | # |
38 | 35 | # Note that this huntgroup is a subset of the "alphen" huntgroup. |
39 | 36 | # |
40 | #business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0-7 | |
41 | # User-Name = rogerl, | |
42 | # User-Name = henks, | |
43 | # Group = business, | |
44 | # Group = staff | |
37 | #business NAS-IP-Address == 198.51.100.5, NAS-Port-Id == 0 | |
38 | # User-Name == rogerl, | |
39 | # User-Name == henks, | |
40 | # Group == business, | |
41 | # Group == staff | |
45 | 42 |
0 | # -*- text -*- | |
1 | # | |
2 | # moonshot-targeted-ids/mysql/queries.conf -- Queries to update a MySQL Moonshot-Targeted-Ids table. | |
3 | # | |
4 | # $Id$ | |
5 | ||
6 | post-auth { | |
7 | # Query to store the Moonshot-*-TargetedId | |
8 | query = "\ | |
9 | INSERT IGNORE INTO ${..moonshot_tid_table} \ | |
10 | (gss_acceptor, namespace, username, targeted_id) \ | |
11 | VALUES \ | |
12 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ | |
13 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" | |
14 | } |
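Review bot: The stored username is taken from `%{tolower:%{User-Name}}` directly, so the `sql_user_name = "%{User-Name}"` setting in the `moonshot_tid_sql` module has no effect on what these queries write; the PostgreSQL and sqlite `queries.conf` files do the same. An operator who changes `sql_user_name` (for example to use a stripped name) would get rows keyed on a different value than they expect. Either use `%{SQL-User-Name}` here, or add a comment such as `# NOTE: the key is the lower-cased User-Name; sql_user_name is not used by this query.` The `IGNORE` keyword also means a failed or duplicate insert produces no error, which deserves a one-line comment saying this is intended.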
0 | CREATE TABLE `moonshot_targeted_ids` ( | |
1 | `gss_acceptor` varchar(254) NOT NULL default '', | |
2 | `namespace` varchar(36) NOT NULL default '', | |
3 | `username` varchar(64) NOT NULL default '', | |
4 | `targeted_id` varchar(128) NOT NULL default '', | |
5 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, | |
6 | PRIMARY KEY (`username`,`gss_acceptor`,`namespace`) | |
7 | ) ENGINE=InnoDB DEFAULT CHARSET=utf8; |
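Review bot: `username` is `varchar(64)` and part of the primary key, but a RADIUS User-Name can be far longer than 64 octets. Because the MySQL query uses `INSERT IGNORE`, an over-long value is truncated with a warning rather than rejected, so two distinct long identities that share their first 64 characters would map to the same key and the second insert would be silently dropped. Whether that lets one user be handed another's targeted ID depends on the lookup policy, which is not part of this file. I would widen the column to match the attribute limit, e.g. `username varchar(253) NOT NULL default ''`, keeping the primary key within the index length limit of the chosen charset. The sqlite and PostgreSQL schemas declare the same width.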
0 | # -*- text -*- | |
1 | # | |
2 | # moonshot-targeted-ids/postgresql/queries.conf -- Queries to update a PostgreSQL Moonshot-*-Targeted-Ids table. | |
3 | # | |
4 | # $Id$ | |
5 | ||
6 | post-auth { | |
7 | # Query to store the Moonshot-*-TargetedId | |
8 | query = "\ | |
9 | INSERT INTO ${..moonshot_tid_table} \ | |
10 | (gss_acceptor, namespace, username, targeted_id) \ | |
11 | VALUES \ | |
12 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ | |
13 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" | |
14 | } |
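Review bot: The PostgreSQL post-auth query is a plain `INSERT INTO`, while the MySQL variant of the same query uses `INSERT IGNORE`, so a second insert for the same (username, gss_acceptor, namespace) primary key raises an error here instead of being skipped; the sqlite queries.conf further down has the same gap. That can happen when two authentications for one user race, or when the store line in the policy is enabled without the retrieval line. A failed SQL call in post-auth presumably turns into a reject, which is worth confirming. I would end this statement with `ON CONFLICT DO NOTHING` (PostgreSQL 9.5 or later) and write the sqlite one as `INSERT OR IGNORE INTO ${..moonshot_tid_table}`.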
0 | CREATE TABLE moonshot_targeted_ids ( | |
1 | gss_acceptor varchar(254) NOT NULL DEFAULT '', | |
2 | namespace varchar(36) NOT NULL DEFAULT '', | |
3 | username varchar(64) NOT NULL DEFAULT '', | |
4 | targeted_id varchar(128) NOT NULL DEFAULT '', | |
5 | creationdate TIMESTAMP with time zone NOT NULL default 'now()', | |
6 | PRIMARY KEY (username, gss_acceptor, namespace) | |
7 | ); |
0 | # -*- text -*- | |
1 | # | |
2 | # moonshot-targeted-ids/sqlite/queries.conf -- Queries to update a sqlite Moonshot-*-Targeted-Ids table. | |
3 | # | |
4 | # $Id$ | |
5 | ||
6 | post-auth { | |
7 | # Query to store the Moonshot-*-TargetedId | |
8 | query = "\ | |
9 | INSERT INTO ${..moonshot_tid_table} \ | |
10 | (gss_acceptor, namespace, username, targeted_id) \ | |
11 | VALUES \ | |
12 | ('%{control:Moonshot-MSTID-GSS-Acceptor}', '%{control:Moonshot-MSTID-Namespace}', \ | |
13 | '%{tolower:%{User-Name}}', '%{control:Moonshot-MSTID-TargetedId}')" | |
14 | } |
0 | CREATE TABLE `moonshot_targeted_ids` ( | |
1 | `gss_acceptor` varchar(254) NOT NULL default '', | |
2 | `namespace` varchar(36) NOT NULL default '', | |
3 | `username` varchar(64) NOT NULL default '', | |
4 | `targeted_id` varchar(128) NOT NULL default '', | |
5 | `creationdate` timestamp NOT NULL default CURRENT_TIMESTAMP, | |
6 | PRIMARY KEY (`username`,`gss_acceptor`,`namespace`) | |
7 | ); |
23 | 23 | } |
24 | 24 | |
25 | 25 | abfab_client_check { |
26 | # check that the acceptor host name is correct | |
27 | if ("%{client:gss_acceptor_host_name}" && &gss-acceptor-host-name) { | |
28 | if ("%{client:gss_acceptor_host_name}" != "%{gss-acceptor-host-name}") { | |
29 | update reply { | |
30 | Reply-Message = "GSS-Acceptor-Host-Name incorrect" | |
31 | } | |
32 | reject | |
26 | # check that GSS-Acceptor-Host-Name is correct | |
27 | if ("%{client:gss_acceptor_host_name}") { | |
28 | if (&request:GSS-Acceptor-Host-Name) { | |
29 | if (&request:GSS-Acceptor-Host-Name != "%{client:gss_acceptor_host_name}") { | |
30 | update reply { | |
31 | Reply-Message = "GSS-Acceptor-Host-Name incorrect" | |
32 | } | |
33 | reject | |
34 | } | |
35 | } | |
36 | else { | |
37 | # set GSS-Acceptor-Host-Name if it is not set by the mechanism | |
38 | # but it is defined in the client configuration | |
39 | update request { | |
40 | GSS-Acceptor-Host-Name = "%{client:gss_acceptor_host_name}" | |
41 | } | |
33 | 42 | } |
34 | 43 | } |
35 | 44 | |
36 | # set trust-router-coi attribute from the client configuration | |
45 | # set Trust-Router-COI attribute from the client configuration | |
37 | 46 | if ("%{client:trust_router_coi}") { |
38 | 47 | update request { |
39 | 48 | Trust-Router-COI := "%{client:trust_router_coi}" |
40 | 49 | } |
41 | 50 | } |
42 | 51 | |
43 | # set gss-acceptor-realm-name attribute from the client configuration | |
52 | # set GSS-Acceptor-Realm-Name attribute from the client configuration | |
44 | 53 | if ("%{client:gss_acceptor_realm_name}") { |
45 | 54 | update request { |
46 | 55 | GSS-Acceptor-Realm-Name := "%{client:gss_acceptor_realm_name}" |
47 | 56 | } |
48 | 57 | } |
58 | ||
59 | # set GSS-Acceptor-Service-Name attribute from the client configuration | |
60 | if ("%{client:gss_acceptor_service_name}") { | |
61 | update request { | |
62 | GSS-Acceptor-Service-Name = "%{client:gss_acceptor_service_name}" | |
63 | } | |
64 | } | |
65 | ||
49 | 66 | } |
50 | 67 | |
51 | 68 | # A policy which is used to validate channel-bindings. |
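Review bot: GSS-Acceptor-Service-Name is set with `=` in the last block of abfab_client_check, so a value already present in the request is kept and never compared with the client's `gss_acceptor_service_name`. The realm name and COI just above are forced with `:=`, and the host name is rejected on mismatch, so the service name is the only acceptor attribute a NAS-supplied value can override unchecked. If the client configuration is meant to be authoritative, use `GSS-Acceptor-Service-Name := "%{client:gss_acceptor_service_name}"`. If a value supplied by the mechanism is meant to win, say so in a comment, for example `# keep a service name set by the mechanism; only fill it in when absent`.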
32 | 32 | # wireless environment). |
33 | 33 | # |
34 | 34 | update request { |
35 | Tmp-String-9 := "${policy.class_value_prefix}" | |
35 | &Tmp-String-9 := "${policy.class_value_prefix}" | |
36 | 36 | } |
37 | 37 | |
38 | 38 | if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) && \ |
7 | 7 | # Moonshot-Host-TargetedId (138) |
8 | 8 | # Moonshot-Realm-TargetedId (139) |
9 | 9 | # Moonshot-TR-COI-TargetedId (140) |
10 | # Moonshot-MSTID-GSS-Acceptor (141) | |
11 | # Moonshot-MSTID-Namespace (142) | |
12 | # Moonshot-MSTID-TargetedId (143) | |
10 | 13 | # |
11 | 14 | # These attributes should also be listed in the attr_filter policies |
12 | 15 | # post-proxy and pre-proxy when you use attribute filtering: |
21 | 24 | # dictionary attacks, therefore should be chosen as a "random" |
22 | 25 | # string and kept secret. |
23 | 26 | # |
24 | targeted_id_salt = "changeme" | |
27 | # If you use special characters %, { and }, escape them with a \ first | |
28 | # | |
29 | targeted_id_salt = 'changeme' | |
30 | ||
25 | 31 | # |
26 | 32 | # Moonshot namespaces |
27 | 33 | # These namespaces are used for UUID generation. |
28 | 34 | # They should not be changed by implementors |
29 | 35 | # |
30 | moonshot_host_namespace = "a574a04e-b7ff-4850-aa24-a8599c7de1c6" | |
31 | moonshot_realm_namespace = "dea5f26d-a013-4444-977d-d09fc990d2e6" | |
32 | moonshot_coi_namespace = "145d7e7e-7d54-43ee-bbcb-3c6ad9428247" | |
33 | ||
34 | # This policy generates a host-specific targeted ID | |
36 | moonshot_host_namespace = 'a574a04e-b7ff-4850-aa24-a8599c7de1c6' | |
37 | moonshot_realm_namespace = 'dea5f26d-a013-4444-977d-d09fc990d2e6' | |
38 | moonshot_coi_namespace = '145d7e7e-7d54-43ee-bbcb-3c6ad9428247' | |
39 | ||
40 | ||
41 | # This policy generates a host-specific TargetedId | |
35 | 42 | # |
36 | 43 | moonshot_host_tid.post-auth { |
37 | # generate a UUID for Moonshot-Host-TargetedId | |
38 | # targeted id = (uuid -v 5 [namespace] [username][salt][RP host name])@[IdP realm name] | |
44 | # retrieve or generate a UUID for Moonshot-Host-TargetedId | |
39 | 45 | if (&outer.request:GSS-Acceptor-Host-Name) { |
40 | if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_host_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}}" =~ /^([^ ]+)([ ]*)$/) { | |
46 | # prep some variables (used regardless of SQL backing or not!) | |
47 | update control { | |
48 | Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Host-Name}}" | |
49 | Moonshot-MSTID-Namespace := "${policy.moonshot_host_namespace}" | |
50 | } | |
51 | ||
52 | # if you want to use SQL-based backing, remove the comment from | |
53 | # this line. You also have to configure and enable the | |
54 | # moonshot-targeted-ids sql module in mods-enabled. | |
55 | # | |
56 | # moonshot_get_targeted_id | |
57 | ||
58 | # generate a UUID for Moonshot-Host-TargetedId | |
59 | if (!&control:Moonshot-MSTID-TargetedId) { | |
60 | # generate the TID | |
61 | moonshot_make_targeted_id | |
62 | ||
63 | # if you want to store your TargetedId in SQL-based backing, | |
64 | # remove the comment from this line. You also have to configure | |
65 | # and enable the moonshot-targeted-ids sql module in mods-enabled. | |
66 | # | |
67 | # moonshot_tid_sql | |
68 | } | |
69 | ||
70 | # set the actual TargetedId in the session-state list | |
71 | if (&control:Moonshot-MSTID-TargetedId) { | |
41 | 72 | update outer.session-state { |
42 | Moonshot-Host-TargetedId := "%{1}@%{tolower:%{request:Realm}}" | |
43 | } | |
44 | } | |
45 | } | |
46 | } | |
47 | # This policy generates a realm-specific targeted ID | |
73 | Moonshot-Host-TargetedId := &control:Moonshot-MSTID-TargetedId | |
74 | } | |
75 | update control { | |
76 | Moonshot-MSTID-TargetedId !* ANY | |
77 | } | |
78 | } | |
79 | } | |
80 | } | |
81 | ||
82 | # This policy generates a realm-specific TargetedId | |
48 | 83 | # |
49 | 84 | moonshot_realm_tid.post-auth { |
50 | # generate a UUID for Moonshot-Realm-TargetedId | |
51 | # targeted id = (uuid -v 5 [namespace] [username][salt][RP realm name])@[IdP realm name] | |
85 | # retrieve or generate a UUID for Moonshot-Realm-TargetedId | |
52 | 86 | if (&outer.request:GSS-Acceptor-Realm-Name) { |
53 | if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_realm_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}}" =~ /^([^ ]+)([ ]*)$/) { | |
87 | # prep some variables (used regardless of SQL backing or not!) | |
88 | update control { | |
89 | Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:GSS-Acceptor-Realm-Name}}" | |
90 | Moonshot-MSTID-Namespace := "${policy.moonshot_realm_namespace}" | |
91 | } | |
92 | ||
93 | # if you want to use SQL-based backing, remove the comment from | |
94 | # this line. You also have to configure and enable the | |
95 | # moonshot-targeted-ids sql module in mods-enabled. | |
96 | # | |
97 | # moonshot_get_targeted_id | |
98 | ||
99 | # generate a UUID for Moonshot-Realm-TargetedId | |
100 | if (!&control:Moonshot-MSTID-TargetedId) { | |
101 | # generate the TID | |
102 | moonshot_make_targeted_id | |
103 | ||
104 | # if you want to store your TargetedId in SQL-based backing, | |
105 | # remove the comment from this line. You also have to configure | |
106 | # and enable the moonshot-targeted-ids sql module in mods-enabled. | |
107 | # | |
108 | # moonshot_tid_sql | |
109 | } | |
110 | ||
111 | # set the actual TargetedId in the session-state list | |
112 | if (&control:Moonshot-MSTID-TargetedId) { | |
54 | 113 | update outer.session-state { |
55 | Moonshot-Realm-TargetedId := "%{1}@%{tolower:%{request:Realm}}" | |
56 | } | |
57 | } | |
58 | } | |
59 | } | |
114 | Moonshot-Realm-TargetedId := &control:Moonshot-MSTID-TargetedId | |
115 | } | |
116 | update control { | |
117 | Moonshot-MSTID-TargetedId !* ANY | |
118 | } | |
119 | } | |
120 | } | |
121 | } | |
122 | ||
60 | 123 | # This policy generates a COI-specific targeted ID |
61 | 124 | # |
62 | 125 | moonshot_coi_tid.post-auth { |
63 | # generate a UUID for Moonshot-TR-COI-TargetedId | |
64 | # targeted id = (uuid -v 5 [namespace] [username][salt][RP COI name])@[IdP realm name] | |
126 | # retrieve or generate a UUID for Moonshot-TR-COI-TargetedId | |
65 | 127 | if (&outer.request:Trust-Router-COI) { |
66 | if ("%{echo:/usr/bin/uuid -v 5 ${policy.moonshot_coi_namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{tolower:%{outer.request:Trust-Router-COI}}}" =~ /^([^ ]+)([ ]*)$/) { | |
128 | # prep some variables (used regardless of SQL backing or not!) | |
129 | update control { | |
130 | Moonshot-MSTID-GSS-Acceptor := "%{tolower:%{outer.request:Trust-Router-COI}}" | |
131 | Moonshot-MSTID-Namespace := "${policy.moonshot_coi_namespace}" | |
132 | } | |
133 | ||
134 | # if you want to use SQL-based backing, remove the comment from | |
135 | # this line. You also have to configure and enable the | |
136 | # moonshot-targeted-ids sql module in mods-enabled. | |
137 | # | |
138 | # moonshot_get_targeted_id | |
139 | ||
140 | # generate a UUID for Moonshot-TR-COI-TargetedId | |
141 | if (!&control:Moonshot-MSTID-TargetedId) { | |
142 | # generate the TID | |
143 | moonshot_make_targeted_id | |
144 | ||
145 | # if you want to store your TargetedId in SQL-based backing, | |
146 | # remove the comment from this line. You also have to configure | |
147 | # and enable the moonshot-targeted-ids sql module in mods-enabled. | |
148 | # | |
149 | # moonshot_tid_sql | |
150 | } | |
151 | ||
152 | # set the actual TargetedId in the session-state list | |
153 | if (&control:Moonshot-MSTID-TargetedId) { | |
67 | 154 | update outer.session-state { |
68 | Moonshot-TR-COI-TargetedId := "%{1}@%{tolower:%{request:Realm}}" | |
69 | } | |
70 | } | |
71 | } | |
72 | } | |
155 | Moonshot-TR-COI-TargetedId := &control:Moonshot-MSTID-TargetedId | |
156 | } | |
157 | update control { | |
158 | Moonshot-MSTID-TargetedId !* ANY | |
159 | } | |
160 | } | |
161 | } | |
162 | } | |
163 | ||
164 | # This is the generic generation policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables | |
165 | # | |
166 | moonshot_make_targeted_id.post-auth { | |
167 | # uses variables set in the control list | |
168 | # | |
169 | if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) { | |
170 | # targeted id = (uuid -v 5 [namespace] [username][salt][GSS acceptor value])@[IdP realm name] | |
171 | # | |
172 | if ("%{echo:/usr/bin/uuid -v 5 %{control:Moonshot-MSTID-Namespace} %{tolower:%{User-Name}}${policy.targeted_id_salt}%{control:Moonshot-MSTID-GSS-Acceptor}}" =~ /^([^ ]+)([ ]*)$/) { | |
173 | update control { | |
174 | Moonshot-MSTID-TargetedId := "%{1}@%{tolower:%{request:Realm}}" | |
175 | } | |
176 | if (&control:Moonshot-MSTID-TargetedId =~ /([\%\{\}]+)/) { | |
177 | update control { | |
178 | Moonshot-MSTID-TargetedId !* ANY | |
179 | } | |
180 | update outer.session-state { | |
181 | Module-Failure-Message = 'Invalid TargetedId generated, check your targeted_id_salt!' | |
182 | } | |
183 | reject | |
184 | } | |
185 | } | |
186 | else { | |
187 | # we simply return the 'echo' error message as the Module-Failure-Message, usually a lack of 'uuid' | |
188 | reject | |
189 | } | |
190 | } | |
191 | else { | |
192 | # Our variables were not set, so we'll throw an error because there's no point in continuing! | |
193 | update outer.session-state { | |
194 | Module-Failure-Message = 'Required variables for moonshot_make_targeted_id not set!' | |
195 | } | |
196 | reject | |
197 | } | |
198 | } | |
199 | ||
200 | # This is the generic retrieval policy. It requires moonshot_host_tid, moonshot_realm_tid, or moonshot_coi_tid to set variables | |
201 | # | |
202 | moonshot_get_targeted_id.post-auth { | |
203 | # uses variables set in the control list | |
204 | # | |
205 | if (&control:Moonshot-MSTID-Namespace && &control:Moonshot-MSTID-GSS-Acceptor) { | |
206 | # retrieve the TargetedId | |
207 | # | |
208 | update control { | |
209 | Moonshot-MSTID-TargetedId := "%{moonshot_tid_sql:\ | |
210 | SELECT targeted_id FROM moonshot_targeted_ids \ | |
211 | WHERE gss_acceptor = '%{control:Moonshot-MSTID-GSS-Acceptor}' \ | |
212 | AND namespace = '%{control:Moonshot-MSTID-Namespace}' \ | |
213 | AND username = '%{tolower:%{User-Name}}'}" | |
214 | } | |
215 | ||
216 | # if the value is empty, there's no point in setting it and delete it from the control list! | |
217 | if (&control:Moonshot-MSTID-TargetedId == '') { | |
218 | update control { | |
219 | Moonshot-MSTID-TargetedId !* ANY | |
220 | } | |
221 | } | |
222 | } | |
223 | else { | |
224 | # Our variables were not set, so we'll throw an error because there's no point in continuing! | |
225 | update outer.session-state { | |
226 | Module-Failure-Message = 'Required variables for moonshot_get_targeted_id not set!' | |
227 | } | |
228 | reject | |
229 | } | |
230 | } |
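Review bot: The policy file still ships `targeted_id_salt = 'changeme'`, and nothing in moonshot_make_targeted_id refuses to run with that placeholder. The check added after the uuid call only catches unescaped `%`, `{` and `}` characters. The comment above the setting says the salt protects against dictionary attacks, and the namespaces are fixed and public, so IDs generated with the shipped value can be recomputed by anyone who guesses a username. I would make the requirement explicit next to the setting, e.g. `# You MUST replace 'changeme' with a random secret before enabling any moonshot_*_tid policy`. I would also have moonshot_make_targeted_id reject with a Module-Failure-Message while the salt still equals the placeholder, in the same way it rejects an invalid generated TargetedId.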
72 | 72 | |
73 | 73 | # reject_delay && status_server don't apply when we are |
74 | 74 | # only reading accounting packets from the detail file |
75 | ||
76 | @openssl_version_check_config@ | |
75 | 77 | } |
76 | 78 | |
77 | 79 | # |
78 | 80 | # If you need more modules, add them here. |
79 | 81 | # |
80 | 82 | modules { |
81 | $INCLUDE ${confdir}/modules/always | |
83 | $INCLUDE ${confdir}/mods-enabled/always | |
82 | 84 | } |
83 | 85 | |
84 | 86 | # |
134 | 136 | acct_pool = radrelay |
135 | 137 | } |
136 | 138 | |
137 | # | |
138 | # Read the detail file. | |
139 | # | |
140 | listen { | |
141 | type = detail | |
139 | server radrelay { | |
140 | # | |
141 | # Read the detail file. | |
142 | # | |
143 | listen { | |
144 | type = detail | |
145 | ||
146 | # | |
147 | # The filename here should be the same as the one used by the | |
148 | # main radiusd program. It writes the file using the "detail" | |
149 | # module (see raddb/modules/detail). | |
150 | # | |
151 | filename = ${radacctdir}/detail | |
152 | load_factor = 90 | |
153 | } | |
142 | 154 | |
143 | 155 | # |
144 | # The filename here should be the same as the one used by the | |
145 | # main radiusd program. It writes the file using the "detail" | |
146 | # module (see raddb/modules/detail). | |
156 | # See also raddb/sites-available/copy-acct-to-home-server | |
157 | # for additional description. | |
147 | 158 | # |
148 | filename = ${radacctdir}/detail | |
149 | load_factor = 90 | |
150 | } | |
151 | ||
152 | # | |
153 | # See also raddb/sites-available/copy-acct-to-home-server | |
154 | # for additional description. | |
155 | # | |
156 | preacct { | |
157 | # | |
158 | # Proxy the packet using the given realm. | |
159 | # Note that we do not use the realm for anything else such | |
160 | # as prefix/suffix stripping or comparisons. | |
161 | # | |
162 | update control { | |
163 | Proxy-To-Realm := "radrelay" | |
159 | preacct { | |
160 | # | |
161 | # Proxy the packet using the given realm. | |
162 | # Note that we do not use the realm for anything else such | |
163 | # as prefix/suffix stripping or comparisons. | |
164 | # | |
165 | update control { | |
166 | Proxy-To-Realm := "radrelay" | |
167 | } | |
164 | 168 | } |
165 | 169 | } |
23 | 23 | cache { |
24 | 24 | enable = no |
25 | 25 | lifetime = 24 # hours |
26 | max_entries = 255 | |
26 | name = "abfab-tls" | |
27 | # persist_dir = ${logdir}/abfab-tls | |
27 | 28 | } |
28 | 29 | |
29 | 30 | require_client_cert = yes |
78 | 78 | # |
79 | 79 | # See "Authentication Logging Queries" in sql.conf |
80 | 80 | -sql |
81 | ||
82 | # | |
83 | # Instead of sending the query to the SQL server, | |
84 | # write it into a log file. | |
85 | # | |
86 | # sql_log | |
87 | 81 | |
88 | 82 | # |
89 | 83 | # Un-comment the following if you want to modify the user's object |
42 | 42 | # The location where the detail file is located. |
43 | 43 | # This should be on local disk, and NOT on an NFS |
44 | 44 | # mounted location! |
45 | # | |
46 | # On most systems, this should support file globbing | |
47 | # e.g. "${radacctdir}/detail-*:*" | |
48 | # This lets you write many smaller detail files as in | |
49 | # the example in radiusd.conf: ".../detail-%Y%m%d:%H" | |
50 | # Writing many small files is often better than writing | |
51 | # one large file. File globbing also means that with | |
52 | # a common naming scheme for detail files, then you can | |
53 | # have many detail file writers, and only one reader. | |
54 | # | |
45 | 55 | filename = "${radacctdir}/detail-*" |
46 | 56 | |
47 | 57 | # |
77 | 87 | # wake up, and poll for it every N seconds. |
78 | 88 | # |
79 | 89 | # Useful range of values: 1 to 60 |
90 | # | |
80 | 91 | poll_interval = 1 |
81 | 92 | |
82 | 93 | # |
86 | 97 | # home server responds. |
87 | 98 | # |
88 | 99 | # Useful range of values: 5 to 30 |
100 | # | |
89 | 101 | retry_interval = 30 |
90 | 102 | |
91 | 103 | # |
97 | 109 | # have already been processed. The default is "no". |
98 | 110 | # |
99 | 111 | # track = yes |
112 | ||
113 | # | |
114 | # In some circumstances it may be desirable for the | |
115 | # server to start up, process a detail file, and | |
116 | # immediately quit. To do this enable the "one_shot" | |
117 | # option below. | |
118 | # | |
119 | # Do not enable this for normal server operation. The | |
120 | # default is "no". | |
121 | # | |
122 | # one_shot = no | |
100 | 123 | } |
101 | 124 | |
102 | 125 | # |
27 | 27 | server copy-acct-to-home-server { |
28 | 28 | listen { |
29 | 29 | type = detail |
30 | ||
31 | # | |
32 | # See sites-available/buffered-sql for more details on | |
33 | # all the options available for the detail reader. | |
34 | # | |
30 | 35 | |
31 | 36 | ###################################################### |
32 | 37 | # |
62 | 67 | # one large file. File globbing also means that with |
63 | 68 | # a common naming scheme for detail files, then you can |
64 | 69 | # have many detail file writers, and only one reader. |
70 | # | |
65 | 71 | filename = ${radacctdir}/detail |
66 | 72 | |
67 | 73 | # |
118 | 118 | # See "Accounting queries" in sql.conf |
119 | 119 | # sql |
120 | 120 | |
121 | # | |
122 | # Instead of sending the query to the SQL server, | |
123 | # write it into a log file. | |
124 | # | |
125 | # sql_log | |
126 | ||
127 | 121 | # Cisco VoIP specific bulk accounting |
128 | 122 | # pgsql-voip |
129 | 123 |
84 | 84 | # proxy listeners are automatically created. |
85 | 85 | |
86 | 86 | # ipaddr/ipv4addr/ipv6addr - IP address on which to listen. |
87 | # Out of several options the first one will be used. | |
88 | # | |
89 | # Allowed values are: | |
90 | # IPv4 address (e.g. 1.2.3.4, for ipv4addr/ipaddr) | |
91 | # IPv6 address (e.g. 2001:db8::1, for ipv6addr/ipaddr) | |
92 | # hostname (radius.example.com, | |
93 | # A record for ipv4addr, | |
94 | # AAAA record for ipv6addr, | |
95 | # A or AAAA record for ipaddr) | |
96 | # wildcard (*) | |
87 | # If multiple ones are listed, only the first one will | |
88 | # be used, and the others will be ignored. | |
89 | # | |
90 | # The configuration options accept the following syntax: | |
91 | # | |
92 | # ipv4addr - IPv4 address (e.g.192.0.2.3) | |
93 | # - wildcard (i.e. *) | |
94 | # - hostname (radius.example.com) | |
95 | # Only the A record for the host name is used. | |
96 | # If there is no A record, an error is returned, | |
97 | # and the server fails to start. | |
98 | # | |
99 | # ipv6addr - IPv6 address (e.g. 2001:db8::1) | |
100 | # - wildcard (i.e. *) | |
101 | # - hostname (radius.example.com) | |
102 | # Only the AAAA record for the host name is used. | |
103 | # If there is no AAAA record, an error is returned, | |
104 | # and the server fails to start. | |
105 | # | |
106 | # ipaddr - IPv4 address as above | |
107 | # - IPv6 address as above | |
108 | # - wildcard (i.e. *), which means IPv4 wildcard. | |
109 | # - hostname | |
110 | # If there is only one A or AAAA record returned | |
111 | # for the host name, it is used. | |
112 | # If multiple A or AAAA records are returned | |
113 | # for the host name, only the first one is used. | |
114 | # If both A and AAAA records are returned | |
115 | # for the host name, only the A record is used. | |
97 | 116 | # |
98 | 117 | # ipv4addr = * |
99 | 118 | # ipv6addr = * |
346 | 365 | # It also sets the EAP-Type attribute in the request |
347 | 366 | # attribute list to the EAP type from the packet. |
348 | 367 | # |
349 | # The EAP module returns "ok" if it is not yet ready to | |
350 | # authenticate the user. The configuration below checks for | |
351 | # that code, and stops processing the "authorize" section if | |
352 | # so. | |
368 | # The EAP module returns "ok" or "updated" if it is not yet ready | |
369 | # to authenticate the user. The configuration below checks for | |
370 | # "ok", and stops processing the "authorize" section if so. | |
353 | 371 | # |
354 | 372 | # Any LDAP and/or SQL servers will not be queried for the |
355 | 373 | # initial set of packets that go back and forth to set up |
356 | 374 | # TTLS or PEAP. |
357 | 375 | # |
376 | # The "updated" check is commented out for compatibility with | |
377 | # previous versions of this configuration, but you may wish to | |
378 | # uncomment it as well; this will further reduce the number of | |
379 | # LDAP and/or SQL queries for TTLS or PEAP. | |
380 | # | |
358 | 381 | eap { |
359 | 382 | ok = return |
383 | # updated = return | |
360 | 384 | } |
361 | 385 | |
362 | 386 | # |
552 | 576 | # |
553 | 577 | |
554 | 578 | # update request { |
555 | # FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" | |
579 | # &FreeRADIUS-Acct-Session-Start-Time = "%{expr: %l - %{%{Acct-Session-Time}:-0} - %{%{Acct-Delay-Time}:-0}}" | |
556 | 580 | # } |
557 | 581 | |
558 | 582 | |
628 | 652 | # ok |
629 | 653 | # } |
630 | 654 | |
631 | # | |
632 | # Instead of sending the query to the SQL server, | |
633 | # write it into a log file. | |
634 | # | |
635 | # sql_log | |
636 | ||
637 | 655 | # Cisco VoIP specific bulk accounting |
638 | 656 | # pgsql-voip |
639 | 657 | |
711 | 729 | # |
712 | 730 | # See "Authentication Logging Queries" in mods-available/sql |
713 | 731 | -sql |
714 | ||
715 | # | |
716 | # Instead of sending the query to the SQL server, | |
717 | # write it into a log file. | |
718 | # | |
719 | # sql_log | |
720 | 732 | |
721 | 733 | # |
722 | 734 | # Un-comment the following if you want to modify the user's object |
826 | 838 | # Remove reply message if the response contains an EAP-Message |
827 | 839 | remove_reply_message_if_eap |
828 | 840 | } |
841 | ||
842 | # | |
843 | # Filter access challenges. | |
844 | # | |
845 | Post-Auth-Type Challenge { | |
846 | # remove_reply_message_if_eap | |
847 | # attr_filter.access_challenge.post-auth | |
848 | } | |
849 | ||
829 | 850 | } |
830 | 851 | |
831 | 852 | # |
301 | 301 | -sql |
302 | 302 | |
303 | 303 | # |
304 | # Instead of sending the query to the SQL server, | |
305 | # write it into a log file. | |
306 | # | |
307 | # sql_log | |
308 | ||
309 | # | |
310 | 304 | # Un-comment the following if you have set |
311 | 305 | # 'edir_account_policy_check = yes' in the ldap module sub-section of |
312 | 306 | # the 'modules' section. |
316 | 310 | |
317 | 311 | # |
318 | 312 | # Un-comment the following if you want to generate Moonshot (ABFAB) TargetedIds |
319 | # IMPORTANT: This requires the UUID package to be installed! | |
313 | # | |
314 | # IMPORTANT: This requires the UUID package to be installed, and a targeted_id_salt | |
315 | # to be configured. | |
316 | # | |
317 | # This functionality also supports SQL backing. To use this functionality, enable | |
318 | # and configure the moonshot-targeted-ids SQL module in the mods-enabled directory. | |
319 | # Then remove the comments from the appropriate lines in each of the below | |
320 | # policies in the policy.d/moonshot-targeted-ids file. | |
320 | 321 | # |
321 | 322 | # moonshot_host_tid |
322 | 323 | # moonshot_realm_tid |
323 | 324 | # moonshot_coi_tid |
324 | 325 | |
325 | 326 | # |
326 | # Instead of "use_tunneled_reply", uncomment the | |
327 | # next two "update" blocks. | |
328 | # | |
329 | # update { | |
330 | # &outer.session-state: += &reply: | |
331 | # } | |
332 | ||
333 | # | |
334 | # These attributes are for the inner session only. | |
335 | # They MUST NOT be sent in the outer reply. | |
336 | # | |
337 | # If you uncomment the previous block and leave | |
338 | # this one commented out, WiFi WILL NOT WORK, | |
339 | # because the client will get two MS-MPPE-keys | |
340 | # | |
341 | # update outer.session-state { | |
342 | # MS-MPPE-Encryption-Policy !* ANY | |
343 | # MS-MPPE-Encryption-Types !* ANY | |
344 | # MS-MPPE-Send-Key !* ANY | |
345 | # MS-MPPE-Recv-Key !* ANY | |
346 | # Message-Authenticator !* ANY | |
347 | # EAP-Message !* ANY | |
348 | # Proxy-State !* ANY | |
349 | # } | |
327 | # Instead of "use_tunneled_reply", change this "if (0)" to an | |
328 | # "if (1)". | |
329 | # | |
330 | if (0) { | |
331 | # | |
332 | # These attributes are for the inner-tunnel only, | |
333 | # and MUST NOT be copied to the outer reply. | |
334 | # | |
335 | update reply { | |
336 | User-Name !* ANY | |
337 | Message-Authenticator !* ANY | |
338 | EAP-Message !* ANY | |
339 | Proxy-State !* ANY | |
340 | MS-MPPE-Encryption-Types !* ANY | |
341 | MS-MPPE-Encryption-Policy !* ANY | |
342 | MS-MPPE-Send-Key !* ANY | |
343 | MS-MPPE-Recv-Key !* ANY | |
344 | } | |
345 | ||
346 | # | |
347 | # Copy the inner reply attributes to the outer | |
348 | # session-state list. The post-auth policy will take | |
349 | # care of copying the outer session-state list to the | |
350 | # outer reply. | |
351 | # | |
352 | update { | |
353 | &outer.session-state: += &reply: | |
354 | } | |
355 | } | |
350 | 356 | |
351 | 357 | # |
352 | 358 | # Access-Reject packets are sent through the REJECT sub-section of the |
198 | 198 | # in "man 1 ciphers". |
199 | 199 | cipher_list = "DEFAULT" |
200 | 200 | |
201 | # If enabled, OpenSSL will use server cipher list | |
202 | # (possibly defined by cipher_list option above) | |
203 | # for choosing right cipher suite rather than | |
204 | # using client-specified list which is OpenSSl default | |
205 | # behavior. Having it set to yes is a current best practice | |
206 | # for TLS | |
207 | cipher_server_preference = no | |
208 | ||
201 | 209 | # |
202 | 210 | # Session resumption / fast reauthentication |
203 | 211 | # cache. |
230 | 238 | # Deleting the entire "cache" subsection |
231 | 239 | # Also disables caching. |
232 | 240 | # |
241 | # | |
242 | # As of version 3.0.14, the session cache requires the use | |
243 | # of the "name" and "persist_dir" configuration items, below. | |
244 | # | |
245 | # The internal OpenSSL session cache has been permanently | |
246 | # disabled. | |
247 | # | |
233 | 248 | # You can disallow resumption for a |
234 | 249 | # particular user by adding the following |
235 | 250 | # attribute to the control item list: |
248 | 263 | # time. |
249 | 264 | # |
250 | 265 | lifetime = 24 # hours |
251 | ||
252 | # | |
253 | # The maximum number of entries in the | |
254 | # cache. Set to "0" for "infinite". | |
255 | # | |
256 | # This could be set to the number of users | |
257 | # who are logged in... which can be a LOT. | |
258 | # | |
259 | max_entries = 255 | |
260 | 266 | |
261 | 267 | # |
262 | 268 | # Internal "name" of the session cache. |
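Review bot: The new `cipher_server_preference` option is added with the value `no`, although its own comment calls `yes` the current best practice for TLS, so a default install lets the client's ordering pick the suite from whatever `cipher_list = "DEFAULT"` allows. If `no` is kept only for backward compatibility, which seems likely, the comment should say so, e.g. `# Defaults to "no" for compatibility with existing deployments; set to "yes" unless old supplicants break`. Otherwise ship `cipher_server_preference = yes`.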
24 | 24 | } |
25 | 25 | |
26 | 26 | # |
27 | # Session database modules | |
28 | # | |
29 | /var/log/radius/radutmp /var/log/radius/radwtmp { | |
30 | nocreate | |
31 | } | |
32 | ||
33 | # | |
34 | 27 | # SQL log files |
35 | 28 | # |
36 | 29 | /var/log/radius/sqllog.sql { |
25 | 25 | |
26 | 26 | Summary: High-performance and highly configurable free RADIUS server |
27 | 27 | Name: freeradius |
28 | Version: 3.0.12 | |
28 | Version: 3.0.14 | |
29 | 29 | Release: 2%{?dist} |
30 | 30 | License: GPLv2+ and LGPLv2+ |
31 | 31 | Group: System Environment/Daemons |
664 | 664 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/mysql/* |
665 | 665 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/ndb |
666 | 666 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/ndb/* |
667 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/moonshot-targeted-ids/mysql | |
668 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/moonshot-targeted-ids/mysql/* | |
667 | 669 | # postgres |
668 | 670 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/postgresql |
669 | 671 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/postgresql/* |
673 | 675 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/postgresql/* |
674 | 676 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/postgresql |
675 | 677 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/postgresql/* |
678 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/moonshot-targeted-ids/postgresql | |
679 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/moonshot-targeted-ids/postgresql/* | |
676 | 680 | # sqlite |
677 | 681 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/counter/sqlite |
678 | 682 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/counter/sqlite/* |
685 | 689 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/ippool/sqlite/* |
686 | 690 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/main/sqlite |
687 | 691 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/main/sqlite/* |
692 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/sql/moonshot-targeted-ids/sqlite | |
693 | %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-config/sql/moonshot-targeted-ids/sqlite/* | |
688 | 694 | # ruby |
689 | 695 | %if %{?_with_rlm_ruby:1}%{!?_with_rlm_ruby:0} |
690 | 696 | %dir %attr(750,root,radiusd) /etc/raddb/mods-config/ruby |
713 | 719 | # man-pages |
714 | 720 | %doc %{_mandir}/man1/dhcpclient.1.gz |
715 | 721 | %doc %{_mandir}/man1/radclient.1.gz |
716 | %doc %{_mandir}/man1/radcounter.1.gz | |
722 | %doc %{_mandir}/man1/rad_counter.1.gz | |
717 | 723 | %doc %{_mandir}/man1/radeapclient.1.gz |
718 | 724 | %doc %{_mandir}/man1/radlast.1.gz |
719 | 725 | %doc %{_mandir}/man1/radtest.1.gz |
0 | 0 | [Unit] |
1 | 1 | Description=FreeRADIUS multi-protocol policy server |
2 | After=syslog.target network.target | |
2 | After=network.target | |
3 | 3 | Documentation=man:radiusd(8) man:radiusd.conf(5) http://wiki.freeradius.org/ http://networkradius.com/doc/ |
4 | 4 | |
5 | 5 | [Service] |
10 | 10 | ExecStart=/usr/sbin/radiusd $FREERADIUS_OPTIONS -m |
11 | 11 | Restart=on-failure |
12 | 12 | RestartSec=5 |
13 | ExecReload=/usr/sbin/radiusd $FREERADIUS_OPTIONS -Cxm -lstdout | |
14 | ExecReload=/bin/kill -HUP $MAINPID | |
13 | 15 | |
14 | 16 | [Install] |
15 | 17 | WantedBy=multi-user.target |
28 | 28 | } |
29 | 29 | |
30 | 30 | # |
31 | # Session database modules | |
32 | # | |
33 | /var/log/radius/radutmp /var/log/radius/radwtmp { | |
34 | nocreate | |
35 | } | |
36 | ||
37 | # | |
38 | 31 | # SQL log files |
39 | 32 | # |
40 | 33 | /var/log/radius/sqllog.sql { |
28 | 28 | # |
29 | 29 | |
30 | 30 | usage() { |
31 | printf "Usage: %s: [-c condition] [-d directory] [-D dictdir] [-i client-ip-address] [-I client-ipv6-address] [-f socket_file] [-t timeout] [-u user]\n" $(basename $0) >&2 | |
31 | printf "Usage: %s: [-c condition] [-d directory] [-n name] [-D dictdir] [-i client-ip-address] [-I client-ipv6-address] [-f socket_file] [-t timeout] [-u user]\n" $(basename $0) >&2 | |
32 | 32 | exit 2 |
33 | 33 | } |
34 | 34 | |
35 | 35 | extra= |
36 | 36 | condition=1 |
37 | 37 | timeout=60 |
38 | while getopts 'd:D:c:i:I:f:t:u:' OPTION | |
38 | while getopts 'd:n:D:c:i:I:f:t:u:' OPTION | |
39 | 39 | do |
40 | 40 | case $OPTION in |
41 | 41 | c) condition="$OPTARG" |
42 | 42 | ;; |
43 | 43 | d) extra="$extra -d $OPTARG" |
44 | ;; | |
45 | n) extra="$extra -n $OPTARG" | |
44 | 46 | ;; |
45 | 47 | D) extra="$extra -D $OPTARG" |
46 | 48 | ;; |
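Review bot: The new `n)` branch appends `$OPTARG` to `extra` with no validation, as the `d)` and `D)` branches already do, so a name containing whitespace or glob characters turns into additional arguments wherever `$extra` is later expanded unquoted. How `extra` is consumed is outside this section, so the impact is inferred. Restricting the value before use would close that off, for example `n) case "$OPTARG" in *[!A-Za-z0-9._-]*) usage ;; esac; extra="$extra -n $OPTARG"`. The usage line has the same quoting gap in `$(basename $0)`, and `"$(basename "$0")"` handles paths with spaces.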
113 | 113 | $INCLUDE dictionary.rfc7155 |
114 | 114 | $INCLUDE dictionary.rfc7268 |
115 | 115 | $INCLUDE dictionary.rfc7499 |
116 | $INCLUDE dictionary.rfc7930 | |
116 | 117 | |
117 | 118 | # |
118 | 119 | # Mostly values which have been allocated by IANA under |
169 | 170 | $INCLUDE dictionary.cisco.bbsm |
170 | 171 | $INCLUDE dictionary.citrix |
171 | 172 | $INCLUDE dictionary.clavister |
173 | $INCLUDE dictionary.cnergee | |
172 | 174 | $INCLUDE dictionary.colubris |
173 | 175 | $INCLUDE dictionary.compatible |
174 | 176 | $INCLUDE dictionary.cosine |
175 | 177 | $INCLUDE dictionary.dante |
178 | $INCLUDE dictionary.dellemc | |
176 | 179 | $INCLUDE dictionary.dlink |
177 | 180 | $INCLUDE dictionary.digium |
178 | 181 | $INCLUDE dictionary.dragonwave |
215 | 218 | $INCLUDE dictionary.meraki |
216 | 219 | $INCLUDE dictionary.merit |
217 | 220 | $INCLUDE dictionary.meru |
221 | $INCLUDE dictionary.microsemi | |
218 | 222 | $INCLUDE dictionary.microsoft |
219 | 223 | $INCLUDE dictionary.mikrotik |
220 | 224 | $INCLUDE dictionary.motorola |
54 | 54 | ATTRIBUTE 3GPP-Allocate-IP-Type 27 byte |
55 | 55 | |
56 | 56 | VALUE 3GPP-RAT-Type UTRAN 1 |
57 | VALUE 3GPP-RAT-TYPE GERAN 2 | |
58 | VALUE 3GPP-RAT-TYPE WLAN 3 | |
59 | VALUE 3GPP-RAT-TYPE GAN 4 | |
60 | VALUE 3GPP-RAT-TYPE HSPA-Evolution 5 | |
61 | VALUE 3GPP-RAT-TYPE EUTRAN 6 | |
62 | VALUE 3GPP-RAT-TYPE Virtual 7 | |
57 | VALUE 3GPP-RAT-Type GERAN 2 | |
58 | VALUE 3GPP-RAT-Type WLAN 3 | |
59 | VALUE 3GPP-RAT-Type GAN 4 | |
60 | VALUE 3GPP-RAT-Type HSPA-Evolution 5 | |
61 | VALUE 3GPP-RAT-Type EUTRAN 6 | |
62 | VALUE 3GPP-RAT-Type Virtual 7 | |
63 | 63 | VALUE 3GPP-RAT-Type IEEE-802.16e 101 |
64 | 64 | VALUE 3GPP-RAT-Type 3GPP2-eHRPD 102 |
65 | 65 | VALUE 3GPP-RAT-Type 3GPP2-HRPD 103 |
0 | 0 | # -*- text -*- |
1 | # Copyright (C) 2015 The FreeRADIUS Server project and contributors | |
1 | # Copyright (C) 2017 The FreeRADIUS Server project and contributors | |
2 | 2 | # |
3 | 3 | # Cisco VPN 3000 Concentrator Dictionary |
4 | 4 | # |
83 | 83 | ATTRIBUTE CVPN3000-LEAP-Bypass 75 integer |
84 | 84 | ATTRIBUTE CVPN3000-WebVPN-Exchange-NETBIOS-name 78 string |
85 | 85 | ATTRIBUTE CVPN3000-Port-Forwarding-Name 79 string |
86 | ATTRIBUTE CVPN3000-IE-Proxy-Server 80 string | |
87 | ATTRIBUTE CVPN3000-IE-Proxy-Server-Policy 81 integer | |
88 | ATTRIBUTE CVPN3000-IE-Proxy-Exception-List 82 string | |
89 | ATTRIBUTE CVPN3000-IE-Proxy-Bypass-Local 83 integer | |
90 | ATTRIBUTE CVPN3000-IKE-Keepalive-Retry-Interval 84 integer | |
91 | ATTRIBUTE CVPN3000-Tunnel-Group-Lock 85 string | |
92 | ATTRIBUTE Cisco-VPN3000-Access-List-Inbound 86 string | |
93 | ATTRIBUTE Cisco-VPN3000-Access-List-Outbound 87 string | |
94 | ATTRIBUTE Cisco-VPN3000-Perfect-Forward-Secrecy-Enable 88 integer | |
95 | ATTRIBUTE Cisco-VPN3000-NAC-Enable 89 integer | |
96 | ATTRIBUTE Cisco-VPN3000-NAC-Status-Query-Timer 90 integer | |
97 | ATTRIBUTE Cisco-VPN3000-NAC-Revalidation-Timer 91 integer | |
98 | ATTRIBUTE Cisco-VPN3000-NAC-Default-ACL 92 integer | |
99 | ATTRIBUTE Cisco-VPN3000-WebVPN-URL-Entry-Enable 93 integer | |
100 | ATTRIBUTE Cisco-VPN3000-WebVPN-File-Access-Enable 94 integer | |
101 | ATTRIBUTE Cisco-VPN3000-WebVPN-File-Server-Entry-Enable 95 integer | |
102 | ATTRIBUTE Cisco-VPN3000-WebVPN-File-Server-Browsing-Enable 96 integer | |
103 | ATTRIBUTE Cisco-VPN3000-WebVPN-Port-Forwarding-Enable 97 integer | |
104 | ATTRIBUTE Cisco-VPN3000-WebVPN-Outlook-Exchange-Proxy-Enable 98 integer | |
105 | ATTRIBUTE Cisco-VPN3000-WebVPN-Outlook-Exchange-Proxy-Enable 99 integer | |
106 | ATTRIBUTE Cisco-VPN3000-WebVPN-Auto-Applet-Download-Enable 100 integer | |
107 | ATTRIBUTE Cisco-VPN3000-WebVPN-Citrix-MetaFrame-Enable 101 integer | |
108 | ATTRIBUTE Cisco-VPN3000-WebVPN-Apply-ACL 102 integer | |
109 | ATTRIBUTE Cisco-VPN3000-WebVPN-SSL-VPN-Client-Enable 103 integer | |
110 | ATTRIBUTE Cisco-VPN3000-WebVPN-SSL-VPN-Client-Required 104 integer | |
111 | ATTRIBUTE Cisco-VPN3000-WebVPN-SSL-VPN-Client-Keep-Installation 105 integer | |
112 | ||
86 | 113 | ATTRIBUTE CVPN3000-Partition-Primary-DHCP 128 ipaddr |
87 | 114 | ATTRIBUTE CVPN3000-Partition-Secondary-DHCP 129 ipaddr |
88 | 115 | ATTRIBUTE CVPN3000-Partition-Premise-Router 131 ipaddr |
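Review bot: `Cisco-VPN3000-WebVPN-Outlook-Exchange-Proxy-Enable` is defined twice in the added block, as attribute 98 and again as 99, so one name maps to two numbers and attribute 99 has no name of its own. One of the two lines is presumably a copy-paste slip, and the correct name for 99 should be taken from the vendor's attribute list. The added entries from 86 onward also use a `Cisco-VPN3000-` prefix while the surrounding attributes use `CVPN3000-`. Unless the longer prefix is deliberate, keeping `CVPN3000-` would make policy that references these names harder to get wrong.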
0 | # -*- text -*- | |
1 | # Copyright (C) 2017 The Cnergee Access Server project | |
2 | # | |
3 | # dictionary.cnergee | |
4 | # | |
5 | ||
6 | VENDOR Cnergee 49426 | |
7 | ||
8 | BEGIN-VENDOR Cnergee | |
9 | ||
10 | ATTRIBUTE BELRAS-Up-Speed-Limit 1 integer | |
11 | ATTRIBUTE BELRAS-Down-Speed-Limit 2 integer | |
12 | ATTRIBUTE BELRAS-Qos-Speed 3 integer | |
13 | ATTRIBUTE BELRAS-User 4 string | |
14 | ATTRIBUTE BELRAS-DHCP-Router-IP-Address 5 ipaddr | |
15 | ATTRIBUTE BELRAS-DHCP-Mask 6 integer | |
16 | ATTRIBUTE BELRAS-Redirect 7 integer | |
17 | ATTRIBUTE BELRAS-redirect-Pool 8 integer | |
18 | ATTRIBUTE BELRAS-DHCP-Option82 9 octets | |
19 | ATTRIBUTE BELRAS-Session-Octets-Limit 10 integer | |
20 | ATTRIBUTE BELRAS-Octets-Direction 11 integer | |
21 | ATTRIBUTE BELRAS-AKAMAI-Speed 12 integer | |
22 | ATTRIBUTE BELRAS-CACHE-Speed 13 integer | |
23 | ATTRIBUTE BELRAS-CacheFly-Speed 14 integer | |
24 | ATTRIBUTE BELRAS-GGC-Speed 15 integer | |
25 | ATTRIBUTE BELRAS-GOOGLE-Speed 16 integer | |
26 | ATTRIBUTE BELRAS-Incapsula-Speed 17 integer | |
27 | ATTRIBUTE BELRAS-LIMELIGHT-Speed 18 integer | |
28 | ATTRIBUTE BELRAS-OTHERS-Speed 19 integer | |
29 | ATTRIBUTE BELRAS-REDIFF-Speed 20 integer | |
30 | ATTRIBUTE BELRAS-TORRENT-Speed 21 integer | |
31 | ATTRIBUTE BELRAS-BELCACHE-Speed 22 integer | |
32 | ATTRIBUTE BELRAS-DHCP-Lease-Time 23 integer | |
33 | ||
34 | VALUE BELRAS-redirect-Pool Deleted 1 | |
35 | VALUE BELRAS-redirect-Pool Disabled 2 | |
36 | VALUE BELRAS-redirect-Pool Disputes 3 | |
37 | VALUE BELRAS-redirect-Pool Expired 4 | |
38 | VALUE BELRAS-redirect-Pool Unknown 5 | |
39 | VALUE BELRAS-redirect-Pool Exhausted 6 | |
40 | VALUE BELRAS-redirect-Pool WrongMAC 7 | |
41 | VALUE BELRAS-redirect-Pool VLANmismatch 8 | |
42 | ||
43 | END-VENDOR Cnergee | |
44 |
0 | # -*- text -*- | |
1 | # Copyright (C) 2017 The FreeRADIUS Server project and contributors | |
2 | # | |
3 | # Dell Inc. | |
4 | # | |
5 | # DellEMC-AVpair Attribute-Value Pair. | |
6 | # DellEMC-Group-Name The Linux primary group name associated with the user. | |
7 | # This must be an existing group in /etc/groups. | |
8 | ||
9 | VENDOR DellEMC 674 | |
10 | ||
11 | BEGIN-VENDOR DellEMC | |
12 | ||
13 | ATTRIBUTE DellEMC-AVpair 1 string | |
14 | ATTRIBUTE DellEMC-Group-Name 2 string | |
15 | ||
16 | END-VENDOR DellEMC | |
17 |
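Review bot: The header comment for `DellEMC-Group-Name` says the group must exist in `/etc/groups`, but the Linux group database is `/etc/group`, so the line should read `# This must be an existing group in /etc/group.` Since the comment describes the value as the user's primary Linux group, it presumably decides the privileges the user gets on the device. A line such as `# Returned in Access-Accept; controls the user's group on the device.` would make that explicit for whoever writes reply policy.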
331 | 331 | ATTRIBUTE DHCP-Ethernet-Interface 130 octets |
332 | 332 | ATTRIBUTE DHCP-Vendor-Discrimination-Str 130 octets |
333 | 333 | ATTRIBUTE DHCP-Remote-Stats-Svr-IP-Address 131 octets |
334 | ATTRIBUTE DHCP-IEEE-802.1P-VLAN-ID 132 octets | |
335 | ATTRIBUTE DHCP-IEEE-802.1Q-L2-Priority 133 octets | |
334 | ATTRIBUTE DHCP-IEEE-802.1Q-VLAN-ID 132 octets | |
335 | ATTRIBUTE DHCP-IEEE-802.1P-L2-Priority 133 octets | |
336 | 336 | ATTRIBUTE DHCP-Diffserv-Code-Point 134 octets |
337 | 337 | ATTRIBUTE DHCP-HTTP-Proxy 135 octets |
338 | 338 |
58 | 58 | ATTRIBUTE ERX-Secondary-Dns 5 ipaddr |
59 | 59 | ATTRIBUTE ERX-Primary-Wins 6 ipaddr |
60 | 60 | ATTRIBUTE ERX-Secondary-Wins 7 ipaddr |
61 | ATTRIBUTE ERX-Tunnel-Virtual-Router 8 string | |
62 | ATTRIBUTE ERX-Tunnel-Password 9 string | |
61 | ATTRIBUTE ERX-Tunnel-Virtual-Router 8 string has_tag | |
62 | ATTRIBUTE ERX-Tunnel-Password 9 string has_tag | |
63 | 63 | ATTRIBUTE ERX-Ingress-Policy-Name 10 string |
64 | 64 | ATTRIBUTE ERX-Egress-Policy-Name 11 string |
65 | 65 | ATTRIBUTE ERX-Ingress-Statistics 12 integer |
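Review bot: `ERX-Tunnel-Password` gains `has_tag` but remains a plain `string` with no `encrypt` flag, so nothing in this dictionary entry asks the server to obfuscate the value on the wire. If the device expects the same salt encryption as the standard Tunnel-Password attribute, the flags would be `has_tag,encrypt=2`. If the vendor format really is clear text, a comment such as `# sent unencrypted per vendor format` would record that. The vendor specification is not on the page, so this needs confirming against it.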
544 | 544 | VALUE TLS-OCSP-Cert-Valid yes 1 |
545 | 545 | VALUE TLS-OCSP-Cert-Valid no 0 |
546 | 546 | |
547 | ATTRIBUTE TLS-Cache-Filename 1946 string | |
548 | ||
547 | 549 | # |
548 | 550 | # Range: 1940-2099 |
549 | 551 | # Free |
740 | 742 | VALUE EAP-Type Notification 2 |
741 | 743 | VALUE EAP-Type NAK 3 |
742 | 744 | VALUE EAP-Type MD5-Challenge 4 |
745 | VALUE EAP-Type EAP-MD5 4 | |
743 | 746 | VALUE EAP-Type MD5 4 |
744 | 747 | VALUE EAP-Type One-Time-Password 5 |
745 | 748 | VALUE EAP-Type OTP 5 |
746 | 749 | VALUE EAP-Type Generic-Token-Card 6 |
750 | VALUE EAP-Type EAP-GTC 6 | |
747 | 751 | VALUE EAP-Type GTC 6 |
748 | 752 | VALUE EAP-Type RSA-Public-Key 9 |
749 | 753 | VALUE EAP-Type DSS-Unilateral 10 |
750 | 754 | VALUE EAP-Type KEA 11 |
751 | 755 | VALUE EAP-Type KEA-Validate 12 |
756 | VALUE EAP-Type EAP-TLS 13 | |
752 | 757 | VALUE EAP-Type TLS 13 |
753 | 758 | VALUE EAP-Type Defender-Token 14 |
754 | 759 | VALUE EAP-Type RSA-SecurID-EAP 15 |
756 | 761 | VALUE EAP-Type Cisco-LEAP 17 |
757 | 762 | VALUE EAP-Type LEAP 17 |
758 | 763 | VALUE EAP-Type Nokia-IP-Smart-Card 18 |
764 | VALUE EAP-Type EAP-SIM 18 | |
759 | 765 | VALUE EAP-Type SIM 18 |
760 | 766 | VALUE EAP-Type SRP-SHA1 19 |
761 | 767 | # 20 is unassigned |
768 | VALUE EAP-Type EAP-TTLS 21 | |
762 | 769 | VALUE EAP-Type TTLS 21 |
763 | 770 | VALUE EAP-Type Remote-Access-Service 22 |
771 | VALUE EAP-Type EAP-AKA 23 | |
764 | 772 | VALUE EAP-Type AKA 23 |
765 | 773 | VALUE EAP-Type 3Com-Wireless 24 |
766 | 774 | VALUE EAP-Type PEAP 25 |
782 | 790 | VALUE EAP-Type DeviceConnect-EAP 40 |
783 | 791 | VALUE EAP-Type SPEKE 41 |
784 | 792 | VALUE EAP-Type MOBAC 42 |
793 | VALUE EAP-Type EAP-FAST 43 | |
785 | 794 | VALUE EAP-Type FAST 43 |
786 | 795 | VALUE EAP-Type Zonelabs 44 |
787 | 796 | VALUE EAP-Type Link 45 |
788 | 797 | VALUE EAP-Type PAX 46 |
789 | 798 | VALUE EAP-Type PSK 47 |
790 | 799 | VALUE EAP-Type SAKE 48 |
800 | VALUE EAP-Type EAP-IKEv2 49 | |
791 | 801 | VALUE EAP-Type IKEv2 49 |
792 | 802 | VALUE EAP-Type AKA2 50 |
793 | 803 | VALUE EAP-Type GPSK 51 |
797 | 807 | # |
798 | 808 | # And this is what most people mean by MS-CHAPv2 |
799 | 809 | # |
810 | VALUE EAP-Type EAP-MSCHAPv2 26 | |
800 | 811 | VALUE EAP-Type MSCHAPv2 26 |
801 | 812 | |
802 | 813 | # |
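Review bot: `TLS-Cache-Filename` is allocated number 1946, yet the comment immediately below it still reads `# Range: 1940-2099` followed by `# Free`, which now describes a range containing an assigned attribute. The lower bound should move past the last allocation, e.g. `# Range: 1947-2099`. That assumes 1946 is the highest number in use, because the earlier allocations are outside the visible lines of this section.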
0 | # -*- text -*- | |
1 | # | |
2 | # dictionary.microsemi | |
3 | # | |
4 | # As posted to the list by Simon Butcher <simon.butcher@microsemi.com> | |
5 | # | |
6 | # Version: $Id$ | |
7 | # | |
8 | ||
9 | VENDOR Microsemi 40676 | |
10 | ||
11 | BEGIN-VENDOR Microsemi | |
12 | ||
13 | ATTRIBUTE Microsemi-User-Full-Name 1 string | |
14 | ATTRIBUTE Microsemi-User-Name 2 string | |
15 | ATTRIBUTE Microsemi-User-Initials 3 string | |
16 | ATTRIBUTE Microsemi-User-Email 4 string | |
17 | ATTRIBUTE Microsemi-User-Group 5 string | |
18 | ATTRIBUTE Microsemi-Fallback-User-Group 6 string | |
19 | ATTRIBUTE Microsemi-Network-Element-Group 7 string | |
20 | ||
21 | END-VENDOR Microsemi |
19 | 19 | ATTRIBUTE Nomadix-Net-VLAN 11 integer |
20 | 20 | ATTRIBUTE Nomadix-Config-URL 12 string |
21 | 21 | ATTRIBUTE Nomadix-Goodbye-URL 13 string |
22 | ATTRIBUTE Nomadix-Qos-Policy 14 string | |
23 | ATTRIBUTE Nomadix-SMTP-Redirect 17 integer | |
24 | ATTRIBUTE Nomadix-Centralized-Mgmt 18 string | |
22 | 25 | ATTRIBUTE Nomadix-Group-Policy-Id 19 integer |
23 | 26 | ATTRIBUTE Nomadix-Group-Bw-Max-Up 20 integer |
24 | 27 | ATTRIBUTE Nomadix-Group-Bw-Max-Down 21 integer |
13 | 13 | |
14 | 14 | BEGIN-VENDOR Patton |
15 | 15 | |
16 | ATTRIBUTE Patton-Protocol 16 string | |
16 | 17 | ATTRIBUTE Patton-Setup-Time 32 string |
17 | 18 | ATTRIBUTE Patton-Connect-Time 33 string |
18 | 19 | ATTRIBUTE Patton-Disconnect-Time 34 string |
23 | 24 | ATTRIBUTE Patton-Called-Numbering-Plan 50 string |
24 | 25 | ATTRIBUTE Patton-Called-Type-Of-Number 51 string |
25 | 26 | ATTRIBUTE Patton-Called-Name 52 string |
27 | ATTRIBUTE Patton-Called-Station-Id 53 string | |
26 | 28 | ATTRIBUTE Patton-Called-Rx-Octets 64 integer |
27 | 29 | ATTRIBUTE Patton-Called-Tx-Octets 65 integer |
28 | 30 | ATTRIBUTE Patton-Called-Rx-Packets 66 integer |
32 | 34 | ATTRIBUTE Patton-Called-Rx-Jitter 70 integer |
33 | 35 | ATTRIBUTE Patton-Called-Tx-Jitter 71 integer |
34 | 36 | ATTRIBUTE Patton-Called-Codec 72 string |
37 | ATTRIBUTE Patton-Called-Remote-Ip 73 integer | |
38 | ATTRIBUTE Patton-Called-Remote-Udp-Port 74 integer | |
39 | ATTRIBUTE Patton-Called-Local-Udp-Port 75 integer | |
40 | ATTRIBUTE Patton-Called-Qos 76 integer | |
35 | 41 | ATTRIBUTE Patton-Called-MOS 77 integer |
36 | 42 | ATTRIBUTE Patton-Called-Round-Trip-Time 78 integer |
37 | 43 | ATTRIBUTE Patton-Calling-Unique-Id 80 string |
41 | 47 | ATTRIBUTE Patton-Calling-Presentation-Indicator 88 string |
42 | 48 | ATTRIBUTE Patton-Calling-Screening-Indicator 89 string |
43 | 49 | ATTRIBUTE Patton-Calling-Name 84 string |
50 | ATTRIBUTE Patton-Calling-Station-Id 85 string | |
44 | 51 | ATTRIBUTE Patton-Calling-Rx-Octets 96 integer |
45 | 52 | ATTRIBUTE Patton-Calling-Tx-Octets 97 integer |
46 | 53 | ATTRIBUTE Patton-Calling-Rx-Packets 98 integer |
50 | 57 | ATTRIBUTE Patton-Calling-Rx-Jitter 102 integer |
51 | 58 | ATTRIBUTE Patton-Calling-Tx-Jitter 103 integer |
52 | 59 | ATTRIBUTE Patton-Calling-Codec 104 string |
60 | ATTRIBUTE Patton-Calling-Remote-Ip 105 integer | |
61 | ATTRIBUTE Patton-Calling-Remote-Udp-Port 106 integer | |
62 | ATTRIBUTE Patton-Calling-Local-Udp-Port 107 integer | |
63 | ATTRIBUTE Patton-Calling-Qos 108 integer | |
53 | 64 | ATTRIBUTE Patton-Calling-MOS 109 integer |
54 | 65 | ATTRIBUTE Patton-Calling-Round-Trip-Time 110 integer |
55 | 66 |
27 | 27 | # Really a bit-packed field |
28 | 28 | # |
29 | 29 | ATTRIBUTE Location-Capable 131 integer |
30 | VALUE Location-Capable Civix-Location 1 | |
30 | VALUE Location-Capable Civic-Location 1 | |
31 | 31 | VALUE Location-Capable Geo-Location 2 |
32 | 32 | VALUE Location-Capable Users-Location 4 |
33 | 33 | VALUE Location-Capable NAS-Location 8 |
34 | 34 | |
35 | 35 | ATTRIBUTE Requested-Location-Info 132 integer |
36 | VALUE Requested-Location-Info Civix-Location 1 | |
36 | VALUE Requested-Location-Info Civic-Location 1 | |
37 | 37 | VALUE Requested-Location-Info Geo-Location 2 |
38 | 38 | VALUE Requested-Location-Info Users-Location 4 |
39 | 39 | VALUE Requested-Location-Info NAS-Location 8 |
0 | # -*- text -*- | |
1 | # Copyright (C) 2015 The FreeRADIUS Server project and contributors | |
2 | # | |
3 | # Attributes and values defined in RFC 7930 | |
4 | # http://www.ietf.org/rfc/rfc7930.txt | |
5 | # | |
6 | ||
7 | ATTRIBUTE Response-Length 241.3 integer | |
8 | ATTRIBUTE Original-Packet-Code 241.4 integer |
20 | 20 | ATTRIBUTE Moonshot-Host-TargetedId 138 string |
21 | 21 | ATTRIBUTE Moonshot-Realm-TargetedId 139 string |
22 | 22 | ATTRIBUTE Moonshot-TR-COI-TargetedId 140 string |
23 | ATTRIBUTE Moonshot-MSTID-GSS-Acceptor 141 string | |
24 | ATTRIBUTE Moonshot-MSTID-Namespace 142 string | |
25 | ATTRIBUTE Moonshot-MSTID-TargetedId 143 string | |
23 | 26 | |
24 | 27 | END-VENDOR UKERNA |
44 | 44 | ATTRIBUTE ZTE-TCP-Limit-Mode 96 integer |
45 | 45 | ATTRIBUTE ZTE-IGMP-Service-Profile-Num 97 integer |
46 | 46 | ATTRIBUTE ZTE-PPP-Sservice-Type 101 integer |
47 | ATTRIBUTE ZTE-SW-Privilege 104 integer | |
47 | 48 | ATTRIBUTE ZTE-Access-Domain 151 string |
48 | 49 | ATTRIBUTE ZTE-VPN-ID 190 string |
49 | 50 |
13 | 13 | |
14 | 14 | # Headers from v3.1.x |
15 | 15 | freeradius.snmp.h |
16 | util | |
16 | 17 | |
17 | 18 | # Build scripts |
18 | 19 | build-radpaths-h |
31 | 31 | /* Define to 1 if you have the <arpa/inet.h> header file. */ |
32 | 32 | #undef HAVE_ARPA_INET_H |
33 | 33 | |
34 | /* Define to 1 if you have the `ASN1_STRING_get0_data' function. */ | |
35 | #undef HAVE_ASN1_STRING_GET0_DATA | |
36 | ||
34 | 37 | /* Define if your compiler supports the __bounded__ attribute (usually OpenBSD |
35 | 38 | gcc). */ |
36 | 39 | #undef HAVE_ATTRIBUTE_BOUNDED |
62 | 65 | /* Define to 1 if you have the `collectdclient' library (-lcollectdclient). */ |
63 | 66 | #undef HAVE_COLLECTDC_H |
64 | 67 | |
68 | /* Define to 1 if you have the `CONF_modules_load_file' function. */ | |
69 | #undef HAVE_CONF_MODULES_LOAD_FILE | |
70 | ||
65 | 71 | /* Do we have the crypt function */ |
66 | 72 | #undef HAVE_CRYPT |
73 | ||
74 | /* Define to 1 if you have the `CRYPTO_set_id_callback' function. */ | |
75 | #undef HAVE_CRYPTO_SET_ID_CALLBACK | |
76 | ||
77 | /* Define to 1 if you have the `CRYPTO_set_locking_callback' function. */ | |
78 | #undef HAVE_CRYPTO_SET_LOCKING_CALLBACK | |
67 | 79 | |
68 | 80 | /* Define to 1 if you have the <crypt.h> header file. */ |
69 | 81 | #undef HAVE_CRYPT_H |
151 | 163 | /* Define to 1 if you have the <history.h> header file. */ |
152 | 164 | #undef HAVE_HISTORY_H |
153 | 165 | |
166 | /* Define to 1 if you have the `HMAC_CTX_free' function. */ | |
167 | #undef HAVE_HMAC_CTX_FREE | |
168 | ||
169 | /* Define to 1 if you have the `HMAC_CTX_new' function. */ | |
170 | #undef HAVE_HMAC_CTX_NEW | |
171 | ||
154 | 172 | /* Define if the function (or macro) htonll exists. */ |
155 | 173 | #undef HAVE_HTONLL |
156 | 174 | |
247 | 265 | /* Define to 1 if you have the `openat' function. */ |
248 | 266 | #undef HAVE_OPENAT |
249 | 267 | |
268 | /* Define to 1 if you have the <openssl/asn1.h> header file. */ | |
269 | #undef HAVE_OPENSSL_ASN1_H | |
270 | ||
271 | /* Define to 1 if you have the <openssl/conf.h> header file. */ | |
272 | #undef HAVE_OPENSSL_CONF_H | |
273 | ||
250 | 274 | /* Define to 1 if you have the <openssl/crypto.h> header file. */ |
251 | 275 | #undef HAVE_OPENSSL_CRYPTO_H |
252 | 276 | |
259 | 283 | /* Define to 1 if you have the <openssl/evp.h> header file. */ |
260 | 284 | #undef HAVE_OPENSSL_EVP_H |
261 | 285 | |
286 | /* Define to 1 if you have the <openssl/hmac.h> header file. */ | |
287 | #undef HAVE_OPENSSL_HMAC_H | |
288 | ||
262 | 289 | /* Define to 1 if you have the <openssl/md4.h> header file. */ |
263 | 290 | #undef HAVE_OPENSSL_MD4_H |
264 | 291 | |
372 | 399 | |
373 | 400 | /* Define to 1 if you have the `SSL_get_client_random' function. */ |
374 | 401 | #undef HAVE_SSL_GET_CLIENT_RANDOM |
402 | ||
403 | /* Define to 1 if you have the `SSL_get_server_random' function. */ | |
404 | #undef HAVE_SSL_GET_SERVER_RANDOM | |
405 | ||
406 | /* Define to 1 if you have the `SSL_SESSION_get_master_key' function. */ | |
407 | #undef HAVE_SSL_SESSION_GET_MASTER_KEY | |
375 | 408 | |
376 | 409 | /* Define to 1 if you have the <stdbool.h> header file. */ |
377 | 410 | #undef HAVE_STDBOOL_H |
417 | 417 | DECODE_FAIL_ATTRIBUTE_UNDERFLOW, |
418 | 418 | DECODE_FAIL_TOO_MANY_ATTRIBUTES, |
419 | 419 | DECODE_FAIL_MA_MISSING, |
420 | DECODE_FAIL_TOO_MANY_AUTH, | |
420 | 421 | DECODE_FAIL_MAX |
421 | 422 | } decode_fail_t; |
422 | 423 |
80 | 80 | # else |
81 | 81 | # include <time.h> |
82 | 82 | # endif |
83 | #endif | |
84 | ||
85 | #ifdef HAVE_OPENSSL_SSL_H | |
86 | # include <openssl/ssl.h> | |
87 | #endif | |
88 | ||
89 | #ifdef HAVE_OPENSSL_HMAC_H | |
90 | # include <openssl/hmac.h> | |
91 | #endif | |
92 | ||
93 | #ifdef HAVE_OPENSSL_ASN1_H | |
94 | # include <openssl/asn1.h> | |
95 | #endif | |
96 | ||
97 | #ifdef HAVE_OPENSSL_CONF_H | |
98 | # include <openssl/conf.h> | |
83 | 99 | #endif |
84 | 100 | |
85 | 101 | /* |
435 | 451 | typedef void(*sig_t)(int); |
436 | 452 | #endif |
437 | 453 | |
454 | #ifdef HAVE_OPENSSL_HMAC_H | |
455 | # ifndef HAVE_HMAC_CTX_NEW | |
456 | HMAC_CTX *HMAC_CTX_new(void); | |
457 | # endif | |
458 | # ifndef HAVE_HMAC_CTX_FREE | |
459 | void HMAC_CTX_free(HMAC_CTX *ctx); | |
460 | # endif | |
461 | #endif | |
462 | ||
463 | #ifdef HAVE_OPENSSL_ASN1_H | |
464 | # ifndef HAVE_ASN1_STRING_GET0_DATA | |
465 | static inline const unsigned char *ASN1_STRING_get0_data(const ASN1_STRING *x) | |
466 | { | |
467 | /* | |
468 | * Trick the compiler into not issuing the warning on qualifier stripping. | |
469 | * We know that ASN1_STRING_data doesn't change x, and we're casting | |
470 | * the return value back to const immediately, so it's OK. | |
471 | */ | |
472 | union { | |
473 | const ASN1_STRING *c; | |
474 | ASN1_STRING *nc; | |
475 | } const_strip = {.c = x}; | |
476 | return ASN1_STRING_data(const_strip.nc); | |
477 | } | |
478 | # endif | |
479 | #endif | |
480 | ||
481 | #ifdef HAVE_OPENSSL_CONF_H | |
482 | # ifndef HAVE_CONF_MODULES_LOAD_FILE | |
483 | static inline int CONF_modules_load_file(const char *filename, | |
484 | const char *appname, | |
485 | unsigned long flags) | |
486 | { | |
487 | (void)filename; | |
488 | (void)flags; | |
489 | return OPENSSL_config(appname); | |
490 | } | |
491 | # endif | |
492 | #endif | |
493 | ||
438 | 494 | #ifdef __cplusplus |
439 | 495 | } |
496 | #endif | |
497 | ||
498 | #ifdef HAVE_OPENSSL_SSL_H | |
499 | # ifndef HAVE_SSL_GET_CLIENT_RANDOM | |
500 | size_t SSL_get_client_random(const SSL *s, unsigned char *out, size_t outlen); | |
501 | # endif | |
502 | # ifndef HAVE_SSL_GET_SERVER_RANDOM | |
503 | size_t SSL_get_server_random(const SSL *s, unsigned char *out, size_t outlen); | |
504 | # endif | |
505 | # ifndef HAVE_SSL_SESSION_GET_MASTER_KEY | |
506 | size_t SSL_SESSION_get_master_key(const SSL_SESSION *s, | |
507 | unsigned char *out, size_t outlen); | |
508 | # endif | |
440 | 509 | #endif |
441 | 510 | |
442 | 511 | /* |
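Review bot: The `CONF_modules_load_file` fallback ends in `return OPENSSL_config(appname);`, but in the OpenSSL 1.0.x headers I know `OPENSSL_config` is declared `void`, so this `int` function would return a void expression and fail to compile on exactly the builds that need the shim. It also discards `filename` and `flags`, so a caller asking for a specific configuration file silently gets the library default and no load error can reach the caller. A body of `(void)filename; (void)flags; OPENSSL_config(appname); return 1;` compiles, and a comment should state that the file name is ignored and success is always reported. Separately, the `SSL_get_client_random`, `SSL_get_server_random` and `SSL_SESSION_get_master_key` prototypes are declared after the closing brace of the `extern "C"` block, so C++ consumers would see them with C++ linkage.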
17 | 17 | extern "C" { |
18 | 18 | #endif |
19 | 19 | |
20 | typedef void *lt_dlhandle; | |
20 | typedef void *fr_dlhandle; | |
21 | 21 | |
22 | lt_dlhandle lt_dlopenext(char const *name); | |
23 | void *lt_dlsym(lt_dlhandle handle, char const *symbol); | |
24 | int lt_dlclose(lt_dlhandle handle); | |
25 | char const *lt_dlerror(void); | |
22 | fr_dlhandle fr_dlopenext(char const *name); | |
23 | void *fr_dlsym(fr_dlhandle handle, char const *symbol); | |
24 | int fr_dlclose(fr_dlhandle handle); | |
25 | char const *fr_dlerror(void); | |
26 | 26 | |
27 | 27 | /* |
28 | 28 | * Keep track of which modules we've loaded. |
30 | 30 | typedef struct module_entry_t { |
31 | 31 | char name[MAX_STRING_LEN]; |
32 | 32 | module_t const *module; |
33 | lt_dlhandle handle; | |
33 | fr_dlhandle handle; | |
34 | 34 | } module_entry_t; |
35 | 35 | |
36 | 36 | typedef struct fr_module_hup_t fr_module_hup_t; |
136 | 136 | unsigned int (*record_minus)(record_t *buf, void *ptr, unsigned int size); |
137 | 137 | |
138 | 138 | bool invalid_hb_used; //!< Whether heartbleed attack was detected. |
139 | bool connected; //!< whether the outgoing socket is connected | |
139 | 140 | |
140 | 141 | /* |
141 | 142 | * Framed-MTU attribute in RADIUS, if present, can also be used to set this |
307 | 308 | tls_session_t *tls_new_client_session(TALLOC_CTX *ctx, fr_tls_server_conf_t *conf, int fd); |
308 | 309 | fr_tls_server_conf_t *tls_server_conf_parse(CONF_SECTION *cs); |
309 | 310 | fr_tls_server_conf_t *tls_client_conf_parse(CONF_SECTION *cs); |
311 | fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx); | |
310 | 312 | SSL_CTX *tls_init_ctx(fr_tls_server_conf_t *conf, int client); |
311 | 313 | int tls_handshake_recv(REQUEST *, tls_session_t *ssn); |
312 | 314 | int tls_handshake_send(REQUEST *, tls_session_t *ssn); |
363 | 365 | bool allow_expired_crl; |
364 | 366 | char const *check_cert_cn; |
365 | 367 | char const *cipher_list; |
368 | bool cipher_server_preference; | |
366 | 369 | char const *check_cert_issuer; |
367 | 370 | |
368 | 371 | bool session_cache_enable; |
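Review bot: The new `cipher_server_preference` field and the `tls_server_conf_alloc()` prototype are added without documentation, while other members in this header such as `invalid_hb_used` and `connected` carry `//!<` comments. A one-line comment would make the security effect of the option clear, for instance `bool cipher_server_preference; //!< Prefer the server's cipher order over the client's.` The code that reads the field is outside this section, so the wording should be checked against it. For `tls_server_conf_alloc()`, a short note on which talloc context owns the returned structure would help callers.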
103 | 103 | void fr_cbuff_rp_insert(fr_cbuff_t *cbuff, void *obj) |
104 | 104 | { |
105 | 105 | #ifdef HAVE_PTHREAD_H |
106 | if (cbuff->lock) PTHREAD_MUTEX_LOCK(cbuff); | |
106 | PTHREAD_MUTEX_LOCK(cbuff); | |
107 | 107 | #endif |
108 | 108 | |
109 | 109 | if (cbuff->elem[cbuff->in]) { |
120 | 120 | } |
121 | 121 | |
122 | 122 | #ifdef HAVE_PTHREAD_H |
123 | if (cbuff->lock) PTHREAD_MUTEX_UNLOCK(cbuff); | |
123 | PTHREAD_MUTEX_UNLOCK(cbuff); | |
124 | 124 | #endif |
125 | 125 | } |
126 | 126 | |
135 | 135 | void *obj = NULL; |
136 | 136 | |
137 | 137 | #ifdef HAVE_PTHREAD_H |
138 | if (cbuff->lock) PTHREAD_MUTEX_LOCK(cbuff); | |
138 | PTHREAD_MUTEX_LOCK(cbuff); | |
139 | 139 | #endif |
140 | 140 | |
141 | 141 | /* Buffer is empty */ |
146 | 146 | |
147 | 147 | done: |
148 | 148 | #ifdef HAVE_PTHREAD_H |
149 | if (cbuff->lock) PTHREAD_MUTEX_UNLOCK(cbuff); | |
149 | PTHREAD_MUTEX_UNLOCK(cbuff); | |
150 | 150 | #endif |
151 | 151 | return obj; |
152 | 152 | } |
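Review bot: `fr_cbuff_rp_insert()` and the function in the following hunks now call `PTHREAD_MUTEX_LOCK(cbuff)` and `PTHREAD_MUTEX_UNLOCK(cbuff)` unconditionally, where the old code tested `cbuff->lock` first. The macro definitions are outside the visible hunks, so whether they perform that test themselves cannot be confirmed here. If they do not, a buffer created without locking would operate on an uninitialised mutex. A comment at the macro or the first call site, e.g. `/* PTHREAD_MUTEX_LOCK is a no-op when cbuff->lock is false */`, would record the invariant these four call sites rely on.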
401 | 401 | |
402 | 402 | #else /* HAVE_KQUEUE */ |
403 | 403 | |
404 | /* | |
405 | * select() has limits. | |
406 | */ | |
407 | if (fd > FD_SETSIZE) { | |
408 | fprintf(stderr, "FD is larger than FD_SETSIZE"); | |
409 | return 0; | |
410 | } | |
411 | ||
404 | 412 | for (i = 0; i <= el->max_readers; i++) { |
405 | 413 | /* |
406 | 414 | * Be fail-safe on multiple inserts. |
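Review bot: The new guard `if (fd > FD_SETSIZE)` lets `fd == FD_SETSIZE` through, but an `fd_set` only has room for descriptors 0 to `FD_SETSIZE - 1`, so that value would land one past the end of the set in a later `FD_SET()`. Unless negative descriptors are rejected earlier in the function, which is outside the hunk, the condition should be `if ((fd < 0) || (fd >= FD_SETSIZE)) {`. The message is also written with `fprintf(stderr, ...)` and no trailing newline. Other code on this page reports errors through `fr_strerror_printf()`, which leaves the destination to the caller.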
301 | 301 | } |
302 | 302 | |
303 | 303 | |
304 | /** Parse an IPv4 address or IPv4 prefix in presentation format (and others) | |
304 | /** | |
305 | * Parse an IPv4 address, IPv4 prefix in presentation format (and others), or | |
306 | * a hostname. | |
305 | 307 | * |
306 | 308 | * @param out Where to write the ip address value. |
307 | * @param value to parse, may be dotted quad [+ prefix], or integer, or octal number, or '*' (INADDR_ANY). | |
309 | * @param value to parse, may be dotted quad [+ prefix], or integer, or octal number, or '*' (INADDR_ANY), or a hostname. | |
308 | 310 | * @param inlen Length of value, if value is \0 terminated inlen may be -1. |
309 | 311 | * @param resolve If true and value doesn't look like an IP address, try and resolve value as a hostname. |
310 | 312 | * @param fallback to IPv6 resolution if no A records can be found. |
316 | 318 | unsigned int mask; |
317 | 319 | char *eptr; |
318 | 320 | |
319 | /* Dotted quad + / + [0-9]{1,2} */ | |
320 | char buffer[INET_ADDRSTRLEN + 3]; | |
321 | /* Dotted quad + / + [0-9]{1,2} or a hostname (RFC1035 2.3.4 Size limits) */ | |
322 | char buffer[256]; | |
321 | 323 | |
322 | 324 | /* |
323 | 325 | * Copy to intermediary buffer if we were given a length |
399 | 401 | return 0; |
400 | 402 | } |
401 | 403 | |
402 | /** Parse an IPv6 address or IPv6 prefix in presentation format (and others) | |
404 | /** | |
405 | * Parse an IPv6 address or IPv6 prefix in presentation format (and others), | |
406 | * or a hostname. | |
403 | 407 | * |
404 | 408 | * @param out Where to write the ip address value. |
405 | 409 | * @param value to parse. |
414 | 418 | unsigned int prefix; |
415 | 419 | char *eptr; |
416 | 420 | |
417 | /* IPv6 + / + [0-9]{1,3} */ | |
418 | char buffer[INET6_ADDRSTRLEN + 4]; | |
421 | /* IPv6 + / + [0-9]{1,3} or a hostname (RFC1035 2.3.4 Size limits) */ | |
422 | char buffer[256]; | |
419 | 423 | |
420 | 424 | /* |
421 | 425 | * Copy to intermediary buffer if we were given a length |
621 | 625 | * input length indicates there are more than 5 chars |
622 | 626 | * after the ':' then there's an issue. |
623 | 627 | */ |
624 | if (inlen > ((q + sizeof(buffer)) - value)) { | |
628 | if (len > (size_t) ((q + sizeof(buffer)) - value)) { | |
625 | 629 | error: |
626 | 630 | fr_strerror_printf("IP string contains trailing garbage after port delimiter"); |
627 | 631 | return -1; |
1866 | 1870 | */ |
1867 | 1871 | int fr_get_time(char const *date_str, time_t *date) |
1868 | 1872 | { |
1869 | int i; | |
1873 | int i, j; | |
1870 | 1874 | time_t t; |
1871 | 1875 | struct tm *tm, s_tm; |
1872 | 1876 | char buf[64]; |
1923 | 1927 | f[0] = f[i]; |
1924 | 1928 | f[i] = p; |
1925 | 1929 | |
1926 | for (i = 0; i < 12; i++) { | |
1927 | if (strncasecmp(months[i], f[0], 3) == 0) { | |
1928 | tm->tm_mon = i; | |
1930 | for (j = 0; j < 12; j++) { | |
1931 | if (strncasecmp(months[j], f[0], 3) == 0) { | |
1932 | tm->tm_mon = j; | |
1929 | 1933 | break; |
1930 | 1934 | } |
1931 | 1935 | } |
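Review bot: Both address-parsing buffers are now sized with the bare literal `char buffer[256]`, and the length check that guards the copy into them lies outside the visible hunks. It is worth confirming that the check compares `inlen` against `sizeof(buffer)` and not a separately written constant, so the buffer size and its bound cannot drift apart. A single named constant shared by the IPv4 and IPv6 parsers would document the limit in one place. A comment such as `/* 255-octet name (RFC 1035 2.3.4) + NUL */` would explain why the value is 256 and not 255.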
314 | 314 | } |
315 | 315 | #endif |
316 | 316 | |
317 | #ifdef HAVE_OPENSSL_HMAC_H | |
318 | # ifndef HAVE_HMAC_CTX_NEW | |
319 | HMAC_CTX *HMAC_CTX_new(void) | |
320 | { | |
321 | HMAC_CTX *ctx; | |
322 | ctx = OPENSSL_malloc(sizeof(*ctx)); | |
323 | if (!ctx) return NULL; | |
324 | ||
325 | memset(ctx, 0, sizeof(*ctx)); | |
326 | HMAC_CTX_init(ctx); | |
327 | return ctx; | |
328 | } | |
329 | # endif | |
330 | # ifndef HAVE_HMAC_CTX_FREE | |
331 | void HMAC_CTX_free(HMAC_CTX *ctx) | |
332 | { | |
333 | if (ctx == NULL) { | |
334 | return; | |
335 | } | |
336 | HMAC_CTX_cleanup(ctx); | |
337 | OPENSSL_free(ctx); | |
338 | } | |
339 | # endif | |
340 | #endif | |
341 | ||
342 | #ifdef HAVE_OPENSSL_SSL_H | |
343 | # ifndef HAVE_SSL_GET_CLIENT_RANDOM | |
344 | size_t SSL_get_client_random(const SSL *s, unsigned char *out, size_t outlen) | |
345 | { | |
346 | if (!outlen) return sizeof(s->s3->client_random); | |
347 | ||
348 | if (outlen > sizeof(s->s3->client_random)) outlen = sizeof(s->s3->client_random); | |
349 | ||
350 | memcpy(out, s->s3->client_random, outlen); | |
351 | return outlen; | |
352 | } | |
353 | # endif | |
354 | # ifndef HAVE_SSL_GET_SERVER_RANDOM | |
355 | size_t SSL_get_server_random(const SSL *s, unsigned char *out, size_t outlen) | |
356 | { | |
357 | if (!outlen) return sizeof(s->s3->server_random); | |
358 | ||
359 | if (outlen > sizeof(s->s3->server_random)) outlen = sizeof(s->s3->server_random); | |
360 | ||
361 | memcpy(out, s->s3->server_random, outlen); | |
362 | return outlen; | |
363 | } | |
364 | # endif | |
365 | # ifndef HAVE_SSL_SESSION_GET_MASTER_KEY | |
366 | size_t SSL_SESSION_get_master_key(const SSL_SESSION *s, | |
367 | unsigned char *out, size_t outlen) | |
368 | { | |
369 | if (!outlen) return s->master_key_length; | |
370 | ||
371 | if (outlen > (size_t)s->master_key_length) outlen = (size_t)s->master_key_length; | |
372 | ||
373 | memcpy(out, s->master_key, outlen); | |
374 | return outlen; | |
375 | } | |
376 | # endif | |
377 | #endif | |
378 | ||
317 | 379 | /** Call talloc strdup, setting the type on the new chunk correctly |
318 | 380 | * |
319 | 381 | * For some bizarre reason the talloc string functions don't set the |
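Review bot: The block of OpenSSL fallbacks is added without any comment saying which library builds it targets or what the functions hand back. `SSL_SESSION_get_master_key()` in particular copies TLS master-secret bytes into the caller's buffer, so a header comment such as `/* Fallbacks for OpenSSL builds without the 1.1.0 accessor functions; callers own the output buffers and should clear them after use */` would help. The `if (!outlen) return s->master_key_length;` line returns the field through a `size_t` return type without the `(size_t)` cast used in the next statement. Writing it as `if (!outlen) return (size_t)s->master_key_length;` would make the conversion explicit. In `HMAC_CTX_new()` the `memset()` immediately before `HMAC_CTX_init()` looks redundant.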
568 | 568 | break; |
569 | 569 | |
570 | 570 | case '\n': |
571 | *out++ = 'b'; | |
571 | *out++ = 'n'; | |
572 | 572 | freespace--; |
573 | 573 | break; |
574 | 574 | |
582 | 582 | freespace--; |
583 | 583 | break; |
584 | 584 | default: |
585 | len = snprintf(out, freespace, "u%04X", *q); | |
585 | len = snprintf(out, freespace, "u%04X", (uint8_t) *q); | |
586 | 586 | if (is_truncated(len, freespace)) return (outlen - freespace) + len; |
587 | 587 | out += len; |
588 | 588 | freespace -= len; |
1605 | 1605 | /* |
1606 | 1606 | * Message-Authenticator is hard-coded. |
1607 | 1607 | */ |
1608 | if (!vp->da->vendor && (vp->da->attr == PW_MESSAGE_AUTHENTICATOR)) { | |
1608 | if (vp->da->attr == PW_MESSAGE_AUTHENTICATOR) { | |
1609 | 1609 | if (room < 18) return -1; |
1610 | 1610 | |
1611 | 1611 | ptr[0] = PW_MESSAGE_AUTHENTICATOR; |
2343 | 2343 | bool seen_ma = false; |
2344 | 2344 | uint32_t num_attributes; |
2345 | 2345 | decode_fail_t failure = DECODE_FAIL_NONE; |
2346 | bool eap = false; | |
2347 | bool non_eap = false; | |
2346 | 2348 | |
2347 | 2349 | /* |
2348 | 2350 | * Check for packets smaller than the packet header. |
2548 | 2550 | */ |
2549 | 2551 | case PW_EAP_MESSAGE: |
2550 | 2552 | require_ma = true; |
2553 | eap = true; | |
2554 | break; | |
2555 | ||
2556 | case PW_USER_PASSWORD: | |
2557 | case PW_CHAP_PASSWORD: | |
2558 | case PW_ARAP_PASSWORD: | |
2559 | non_eap = true; | |
2551 | 2560 | break; |
2552 | 2561 | |
2553 | 2562 | case PW_MESSAGE_AUTHENTICATOR: |
2622 | 2631 | &packet->src_ipaddr.ipaddr, |
2623 | 2632 | host_ipaddr, sizeof(host_ipaddr))); |
2624 | 2633 | failure = DECODE_FAIL_MA_MISSING; |
2634 | goto finish; | |
2635 | } | |
2636 | ||
2637 | if (eap && non_eap) { | |
2638 | FR_DEBUG_STRERROR_PRINTF("Bad packet from host %s: Packet contains EAP-Message and non-EAP authentication attribute", | |
2639 | inet_ntop(packet->src_ipaddr.af, | |
2640 | &packet->src_ipaddr.ipaddr, | |
2641 | host_ipaddr, sizeof(host_ipaddr))); | |
2642 | failure = DECODE_FAIL_TOO_MANY_AUTH; | |
2625 | 2643 | goto finish; |
2626 | 2644 | } |
2627 | 2645 |
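Review bot: The new `eap && non_eap` check (new lines 2637-2644) only rejects EAP-Message combined with a password attribute. User-Password, CHAP-Password and ARAP-Password all set the same `non_eap` flag, so a packet carrying two different password attributes still passes. If that is intended, say so on the `case PW_USER_PASSWORD:` group, e.g. `/* only the EAP / non-EAP mix is rejected here */`; if not, the three cases need separate flags or a counter. Separately, the first hunk drops the `!vp->da->vendor` test before the hard-coded Message-Authenticator encoding, which is only safe if the enclosing function (outside the hunk) never receives vendor attributes.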
634 | 634 | return -1; |
635 | 635 | } |
636 | 636 | |
637 | bin = fr_hex2bin((uint8_t *) &dst->filter, ret, src + 2, len); | |
637 | bin = fr_hex2bin((uint8_t *) &dst->filter, ret, src + 2, len - 2); | |
638 | 638 | if (bin < ret) { |
639 | 639 | memset(((uint8_t *) &dst->filter) + bin, 0, ret - bin); |
640 | 640 | } |
1529 | 1529 | p[1] = 'x'; |
1530 | 1530 | |
1531 | 1531 | fr_bin2hex(p + 2, data->octets, inlen); |
1532 | p[2 + (inlen * 2)] = '\0'; | |
1532 | 1533 | break; |
1533 | 1534 | |
1534 | 1535 | case PW_TYPE_DATE: |
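Review bot: `len - 2` in the `fr_hex2bin` call at new line 637 wraps to a very large value if `len` is unsigned and smaller than 2. The check that establishes the `0x` prefix is outside this hunk, so please confirm it also guarantees `len >= 2`, or make it explicit with `if (len < 2) return -1;` before the call. In the second hunk the added `p[2 + (inlen * 2)] = '\0';` relies on the buffer behind `p` holding at least `2 * inlen + 3` bytes. The allocation is not visible here, so a one-line comment stating that size next to the write would help the next reader.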
196 | 196 | * Warn if more than one Auth-Type was found, because only the last |
197 | 197 | * one found will actually be used. |
198 | 198 | */ |
199 | if ((auth_type_count > 1) && (rad_debug_lvl)) { | |
199 | if ((auth_type_count > 1) && (rad_debug_lvl) && request->username) { | |
200 | 200 | RERROR("Warning: Found %d auth-types on request for user '%s'", |
201 | 201 | auth_type_count, request->username->vp_strvalue); |
202 | 202 | } |
331 | 331 | if (request->reply->code != PW_CODE_ACCESS_REJECT) { |
332 | 332 | RDEBUG("Using Post-Auth-Type Reject"); |
333 | 333 | |
334 | request->reply->code = PW_CODE_ACCESS_REJECT; | |
334 | 335 | process_post_auth(PW_POST_AUTH_TYPE_REJECT, request); |
335 | 336 | } |
336 | 337 |
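Review bot: Adding `&& request->username` to the condition at new line 199 avoids the NULL dereference, but it also suppresses the multiple-Auth-Type warning for every request that has no User-Name. An operator would still want to see that case. Keeping the original condition and guarding only the argument preserves the message: `auth_type_count, request->username ? request->username->vp_strvalue : "(no User-Name)");`. The surrounding function is not fully visible in the hunk.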
344 | 344 | */ |
345 | 345 | static int fr_server_domain_socket_perm(char const *path, uid_t uid, gid_t gid) |
346 | 346 | { |
347 | int dir_fd = -1, path_fd = -1, sock_fd = -1, parent_fd = -1; | |
347 | int dir_fd = -1, sock_fd = -1, parent_fd = -1; | |
348 | 348 | char const *name; |
349 | 349 | char *buff = NULL, *dir = NULL, *p; |
350 | 350 | |
391 | 391 | fr_strerror_printf("Failed determining parent directory"); |
392 | 392 | error: |
393 | 393 | talloc_free(dir); |
394 | close(dir_fd); | |
395 | close(path_fd); | |
394 | if (sock_fd >= 0) close(sock_fd); | |
395 | if (dir_fd >= 0) close(dir_fd); | |
396 | if (parent_fd >= 0) close(parent_fd); | |
396 | 397 | return -1; |
397 | 398 | } |
398 | 399 | |
458 | 459 | if (ret < 0) { |
459 | 460 | fr_strerror_printf("Failed changing ownership of control socket directory: %s", |
460 | 461 | fr_syserror(errno)); |
461 | return -1; | |
462 | goto error; | |
462 | 463 | } |
463 | 464 | /* |
464 | 465 | * Control socket dir already exists, but we still need to |
526 | 527 | if (client_fd >= 0) { |
527 | 528 | fr_strerror_printf("Control socket '%s' is already in use", path); |
528 | 529 | close(client_fd); |
529 | return -1; | |
530 | goto error; | |
530 | 531 | } |
531 | 532 | } |
532 | 533 | |
675 | 676 | if (uid != (uid_t)-1) rad_seuid(euid); |
676 | 677 | if (gid != (gid_t)-1) rad_segid(egid); |
677 | 678 | |
678 | close(dir_fd); | |
679 | close(path_fd); | |
679 | if (dir_fd >= 0) close(dir_fd); | |
680 | if (parent_fd >= 0) close(parent_fd); | |
680 | 681 | |
681 | 682 | return sock_fd; |
682 | 683 | } |
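Review bot: The `error:` label that the new `goto error` statements at new lines 462 and 530 jump to frees `dir` and closes the descriptors, but it does not restore the effective uid and gid the way the success path does (`rad_seuid(euid)` / `rad_segid(egid)` at new lines 676-677). The hunks do not show where the function switches identity, so please confirm that neither jump can happen after that switch. If one can, the label should restore first, with `if (uid != (uid_t)-1) rad_seuid(euid);` and `if (gid != (gid_t)-1) rad_segid(egid);`. Otherwise a failed socket setup would leave the process running with the socket owner's effective IDs.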
1392 | 1392 | CONF_PAIR *cp = NULL; |
1393 | 1393 | fr_ipaddr_t *ipaddr; |
1394 | 1394 | char buffer[8192]; |
1395 | CONF_ITEM *c_item = &cs->item; | |
1395 | CONF_ITEM *c_item; | |
1396 | 1396 | |
1397 | 1397 | if (!cs) return -1; |
1398 | ||
1399 | c_item = &cs->item; | |
1398 | 1400 | |
1399 | 1401 | deprecated = (type & PW_TYPE_DEPRECATED); |
1400 | 1402 | required = (type & PW_TYPE_REQUIRED); |
1473 | 1475 | |
1474 | 1476 | if (!value) { |
1475 | 1477 | if (required) { |
1476 | is_required: | |
1477 | 1478 | cf_log_err(c_item, "Configuration item \"%s\" must have a value", name); |
1478 | 1479 | |
1479 | 1480 | return -1; |
1619 | 1620 | } |
1620 | 1621 | } |
1621 | 1622 | |
1622 | if (required && !value) goto is_required; | |
1623 | 1623 | if (cant_be_empty && (value[0] == '\0')) goto cant_be_empty; |
1624 | 1624 | |
1625 | 1625 | if (attribute) { |
3623 | 3623 | { |
3624 | 3624 | CONF_DATA mycd; |
3625 | 3625 | CONF_DATA *cd; |
3626 | CONF_ITEM *ci, *it; | |
3626 | 3627 | void *data; |
3627 | 3628 | |
3628 | 3629 | if (!cs || !name) return NULL; |
3636 | 3637 | cd = rbtree_finddata(cs->data_tree, &mycd); |
3637 | 3638 | if (!cd) return NULL; |
3638 | 3639 | |
3640 | ci = cf_data_to_item(cd); | |
3641 | if (cs->children == ci) { | |
3642 | cs->children = ci->next; | |
3643 | if (cs->tail == ci) cs->tail = NULL; | |
3644 | } else { | |
3645 | for (it = cs->children; it; it = it->next) { | |
3646 | if (it->next == ci) { | |
3647 | it->next = ci->next; | |
3648 | if (cs->tail == ci) cs->tail = it; | |
3649 | break; | |
3650 | } | |
3651 | } | |
3652 | } | |
3653 | ||
3639 | 3654 | talloc_set_destructor(cd, NULL); /* Disarm the destructor */ |
3640 | 3655 | rbtree_deletebydata(cs->data_tree, &mycd); |
3641 | 3656 |
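Review bot: The unlink block added before `talloc_set_destructor` (new lines 3640-3652) has no comment saying why the item must leave `cs->children` before the tree entry is deleted, and it silently does nothing when `ci` is not found in the list. I would add `/* Unlink the item from the section's child list so the list never points at removed data */` above it. The end of the function is outside the hunk, so I cannot see whether `cd` is freed afterwards. If it is, this unlink is what prevents a dangling list entry and the comment should say so.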
642 | 642 | * have fewer than "min". When that happens, open more |
643 | 643 | * connections to enforce "min". |
644 | 644 | */ |
645 | if ((pool->num + pool->pending) <= pool->min) { | |
645 | if ((pool->num + pool->pending) < pool->min) { | |
646 | 646 | spawn = pool->min - (pool->num + pool->pending); |
647 | 647 | extra = 0; |
648 | ||
649 | INFO("Need %i more connections to reach min connections (%i)", spawn, pool->min); | |
648 | 650 | |
649 | 651 | /* |
650 | 652 | * If we're about to create more than "max", |
665 | 667 | * AND we don't have enough idle connections. |
666 | 668 | * Open some more. |
667 | 669 | */ |
668 | } else if (idle <= pool->spare) { | |
670 | } else if (idle < pool->spare) { | |
669 | 671 | /* |
670 | 672 | * Not enough spare connections. Spawn a few. |
671 | 673 | * But cap the pool size at "max" |
676 | 678 | if ((pool->num + pool->pending + spawn) > pool->max) { |
677 | 679 | spawn = pool->max - (pool->num + pool->pending); |
678 | 680 | } |
681 | ||
682 | INFO("Need %i more connections to reach %i spares", spawn, pool->spare); | |
679 | 683 | |
680 | 684 | /* |
681 | 685 | * min < num < max |
711 | 715 | * a connection. Avoids spurious log messages. |
712 | 716 | */ |
713 | 717 | if (spawn) { |
714 | INFO("%s: Need %i more connections to reach %i spares", | |
715 | pool->log_prefix, spawn, pool->spare); | |
716 | 718 | pthread_mutex_unlock(&pool->mutex); |
717 | 719 | fr_connection_spawn(pool, now, false); /* ignore return code */ |
718 | 720 | pthread_mutex_lock(&pool->mutex); |
820 | 822 | */ |
821 | 823 | if (!spawn) return NULL; |
822 | 824 | |
823 | /* | |
824 | * We don't have a connection. Try to open a new one. | |
825 | */ | |
826 | rad_assert(pool->active == pool->num); | |
827 | ||
828 | 825 | if (pool->num == pool->max) { |
829 | 826 | bool complain = false; |
830 | 827 | |
837 | 834 | } |
838 | 835 | |
839 | 836 | pthread_mutex_unlock(&pool->mutex); |
840 | ||
837 | ||
841 | 838 | if (!RATE_LIMIT_ENABLED || complain) { |
842 | 839 | ERROR("%s: No connections available and at max connection limit", pool->log_prefix); |
843 | 840 | } |
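Review bot: Both new `INFO` calls (new lines 649 and 682) drop the `pool->log_prefix` argument that the removed message and the `ERROR` at new line 839 carry, so with several pools configured the line no longer says which pool is short of connections. `INFO("%s: Need %i more connections to reach min connections (%i)", pool->log_prefix, spawn, pool->min);` keeps it. The first call also logs `spawn` before the cap to `max` that the following comment introduces, so the number printed can be larger than the number of connections opened. The second call logs after its cap. The function body continues outside these hunks.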
84 | 84 | } else { |
85 | 85 | int rtt; |
86 | 86 | struct timeval now; |
87 | ||
88 | RDEBUG("detail (%s): Done %s packet.", data->name, fr_packet_codes[request->packet->code]); | |
89 | ||
87 | 90 | /* |
88 | 91 | * We call gettimeofday a lot. But it should be OK, |
89 | 92 | * because there's nothing else to do. |
332 | 335 | vp_cursor_t cursor; |
333 | 336 | |
334 | 337 | DEBUG2("detail (%s): Read packet from %s", data->name, data->filename_work); |
335 | ||
336 | 338 | for (vp = fr_cursor_init(&cursor, &packet->vps); |
337 | 339 | vp; |
338 | 340 | vp = fr_cursor_next(&cursor)) { |
382 | 384 | rcode = read(data->master_pipe[0], &packet, sizeof(packet)); |
383 | 385 | if (rcode <= 0) return rcode; |
384 | 386 | |
387 | rad_assert(packet != NULL); | |
388 | ||
385 | 389 | if (DEBUG_ENABLED2) { |
386 | 390 | VALUE_PAIR *vp; |
387 | 391 | vp_cursor_t cursor; |
393 | 397 | debug_pair(vp); |
394 | 398 | } |
395 | 399 | } |
396 | rad_assert(packet != NULL); | |
397 | 400 | |
398 | 401 | switch (packet->code) { |
399 | 402 | case PW_CODE_ACCOUNTING_REQUEST: |
430 | 433 | |
431 | 434 | static RADIUS_PACKET *detail_poll(rad_listen_t *listener) |
432 | 435 | { |
436 | int y; | |
433 | 437 | char key[256], op[8], value[1024]; |
434 | 438 | vp_cursor_t cursor; |
435 | 439 | VALUE_PAIR *vp; |
550 | 554 | /* |
551 | 555 | * Else go read something. |
552 | 556 | */ |
553 | break; | |
557 | if (!fgets(buffer, sizeof(buffer), data->fp)) { | |
558 | DEBUG("detail (%s): Failed reading header from file - %s", | |
559 | data->name, data->filename_work); | |
560 | goto cleanup; | |
561 | } | |
562 | ||
563 | /* | |
564 | * Badly formatted file: delete it. | |
565 | */ | |
566 | if (!strchr(buffer, '\n')) { | |
567 | DEBUG("detail (%s): Invalid line without trailing LF - %s", data->name, buffer); | |
568 | goto cleanup; | |
569 | } | |
570 | ||
571 | if (!sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y)) { | |
572 | DEBUG("detail (%s): Failed reading detail file header in line - %s", data->name, buffer); | |
573 | goto cleanup; | |
574 | } | |
575 | ||
576 | data->state = STATE_READING; | |
577 | /* FALL-THROUGH */ | |
578 | ||
554 | 579 | |
555 | 580 | /* |
556 | 581 | * Read more value-pair's, unless we're |
558 | 583 | * we have. |
559 | 584 | */ |
560 | 585 | case STATE_READING: |
561 | if (data->fp && !feof(data->fp)) break; | |
562 | data->state = STATE_QUEUED; | |
563 | ||
564 | /* FALL-THROUGH */ | |
586 | rad_assert(data->fp != NULL); | |
587 | ||
588 | fr_cursor_init(&cursor, &data->vps); | |
589 | ||
590 | /* | |
591 | * Read a header, OR a value-pair. | |
592 | */ | |
593 | while (fgets(buffer, sizeof(buffer), data->fp)) { | |
594 | data->last_offset = data->offset; | |
595 | data->offset = ftell(data->fp); /* for statistics */ | |
596 | ||
597 | /* | |
598 | * Badly formatted file: delete it. | |
599 | */ | |
600 | if (!strchr(buffer, '\n')) { | |
601 | WARN("detail (%s): Skipping line without trailing LF - %s", data->name, buffer); | |
602 | fr_pair_list_free(&data->vps); | |
603 | goto cleanup; | |
604 | } | |
605 | ||
606 | /* | |
607 | * We're reading VP's, and got a blank line. | |
608 | * That indicates the end of an entry. Queue the | |
609 | * packet. | |
610 | */ | |
611 | if (buffer[0] == '\n') { | |
612 | data->state = STATE_QUEUED; | |
613 | data->tries = 0; | |
614 | data->packets++; | |
615 | goto alloc_packet; | |
616 | } | |
617 | ||
618 | /* | |
619 | * We have a full "attribute = value" line. | |
620 | * If it doesn't look reasonable, skip it. | |
621 | * | |
622 | * FIXME: print an error for badly formatted attributes? | |
623 | */ | |
624 | if (sscanf(buffer, "%255s %7s %1023s", key, op, value) != 3) { | |
625 | DEBUG("detail (%s): Skipping badly formatted line - %s", data->name, buffer); | |
626 | continue; | |
627 | } | |
628 | ||
629 | /* | |
630 | * Should be =, :=, +=, ... | |
631 | */ | |
632 | if (!strchr(op, '=')) { | |
633 | DEBUG("detail (%s): Skipping line without operator - %s", data->name, buffer); | |
634 | continue; | |
635 | } | |
636 | ||
637 | /* | |
638 | * Skip non-protocol attributes. | |
639 | */ | |
640 | if (!strcasecmp(key, "Request-Authenticator")) continue; | |
641 | ||
642 | /* | |
643 | * Set the original client IP address, based on | |
644 | * what's in the detail file. | |
645 | * | |
646 | * Hmm... we don't set the server IP address. | |
647 | * or port. Oh well. | |
648 | */ | |
649 | if (!strcasecmp(key, "Client-IP-Address")) { | |
650 | data->client_ip.af = AF_INET; | |
651 | if (ip_hton(&data->client_ip, AF_INET, value, false) < 0) { | |
652 | DEBUG("detail (%s): Failed parsing Client-IP-Address", data->name); | |
653 | fr_pair_list_free(&data->vps); | |
654 | goto cleanup; | |
655 | } | |
656 | continue; | |
657 | } | |
658 | ||
659 | /* | |
660 | * The original time at which we received the | |
661 | * packet. We need this to properly calculate | |
662 | * Acct-Delay-Time. | |
663 | */ | |
664 | if (!strcasecmp(key, "Timestamp")) { | |
665 | data->timestamp = atoi(value); | |
666 | data->timestamp_offset = data->last_offset; | |
667 | ||
668 | vp = fr_pair_afrom_num(data, PW_PACKET_ORIGINAL_TIMESTAMP, 0); | |
669 | if (vp) { | |
670 | vp->vp_date = (uint32_t) data->timestamp; | |
671 | vp->type = VT_DATA; | |
672 | fr_cursor_insert(&cursor, vp); | |
673 | } | |
674 | continue; | |
675 | } | |
676 | ||
677 | if (!strcasecmp(key, "Donestamp")) { | |
678 | data->timestamp = atoi(value); | |
679 | data->done_entry = true; | |
680 | continue; | |
681 | } | |
682 | ||
683 | DEBUG3("detail (%s): Trying to read VP from line - %s", data->name, buffer); | |
684 | ||
685 | /* | |
686 | * Read one VP. | |
687 | * | |
688 | * FIXME: do we want to check for non-protocol | |
689 | * attributes like radsqlrelay does? | |
690 | */ | |
691 | vp = NULL; | |
692 | if ((fr_pair_list_afrom_str(data, buffer, &vp) > 0) && | |
693 | (vp != NULL)) { | |
694 | fr_cursor_merge(&cursor, vp); | |
695 | } else { | |
696 | DEBUG("detail (%s): Failed reading VP from line - %s", data->name, buffer); | |
697 | goto cleanup; | |
698 | } | |
699 | } | |
700 | ||
701 | /* | |
702 | * The writer doesn't check that the | |
703 | * record was completely written. If the | |
704 | * disk is full, this can result in a | |
705 | * truncated record which has no trailing | |
706 | * blank line. When that happens, it's a | |
707 | * bad record, and we ignore it. | |
708 | */ | |
709 | if (feof(data->fp)) { | |
710 | DEBUG("detail (%s): Truncated record: treating it as EOF for detail file %s", | |
711 | data->name, data->filename_work); | |
712 | fr_pair_list_free(&data->vps); | |
713 | goto cleanup; | |
714 | } | |
715 | ||
716 | /* | |
717 | * Some kind of non-eof error. | |
718 | * | |
719 | * FIXME: Leave the file in-place, and warn the | |
720 | * administrator? | |
721 | */ | |
722 | DEBUG("detail (%s): Unknown error, deleting detail file %s", | |
723 | data->name, data->filename_work); | |
724 | goto cleanup; | |
565 | 725 | |
566 | 726 | case STATE_QUEUED: |
567 | 727 | goto alloc_packet; |
597 | 757 | rad_assert(data->fp != NULL); |
598 | 758 | |
599 | 759 | if (fseek(data->fp, data->timestamp_offset, SEEK_SET) < 0) { |
600 | WARN("detail (%s): Failed seeking to timestamp offset: %s", | |
760 | DEBUG("detail (%s): Failed seeking to timestamp offset: %s", | |
601 | 761 | data->name, fr_syserror(errno)); |
602 | 762 | } else if (fwrite("\tDone", 1, 5, data->fp) < 5) { |
603 | WARN("detail (%s): Failed marking request as done: %s", | |
763 | DEBUG("detail (%s): Failed marking request as done: %s", | |
604 | 764 | data->name, fr_syserror(errno)); |
605 | 765 | } else if (fflush(data->fp) != 0) { |
606 | WARN("detail (%s): Failed flushing marked detail file to disk: %s", | |
766 | DEBUG("detail (%s): Failed flushing marked detail file to disk: %s", | |
607 | 767 | data->name, fr_syserror(errno)); |
608 | 768 | } |
609 | 769 | |
610 | 770 | if (fseek(data->fp, data->offset, SEEK_SET) < 0) { |
611 | WARN("detail (%s): Failed seeking to next detail request: %s", | |
771 | DEBUG("detail (%s): Failed seeking to next detail request: %s", | |
612 | 772 | data->name, fr_syserror(errno)); |
613 | 773 | } |
614 | 774 | } |
617 | 777 | data->state = STATE_HEADER; |
618 | 778 | goto do_header; |
619 | 779 | } |
620 | ||
621 | fr_cursor_init(&cursor, &data->vps); | |
622 | ||
623 | /* | |
624 | * Read a header, OR a value-pair. | |
625 | */ | |
626 | while (fgets(buffer, sizeof(buffer), data->fp)) { | |
627 | data->last_offset = data->offset; | |
628 | data->offset = ftell(data->fp); /* for statistics */ | |
629 | ||
630 | /* | |
631 | * Badly formatted file: delete it. | |
632 | * | |
633 | * FIXME: Maybe flag an error? | |
634 | */ | |
635 | if (!strchr(buffer, '\n')) { | |
636 | fr_pair_list_free(&data->vps); | |
637 | goto cleanup; | |
638 | } | |
639 | ||
640 | /* | |
641 | * We're reading VP's, and got a blank line. | |
642 | * Queue the packet. | |
643 | */ | |
644 | if ((data->state == STATE_READING) && | |
645 | (buffer[0] == '\n')) { | |
646 | data->state = STATE_QUEUED; | |
647 | break; | |
648 | } | |
649 | ||
650 | /* | |
651 | * Look for date/time header, and read VP's if | |
652 | * found. If not, keep reading lines until we | |
653 | * find one. | |
654 | */ | |
655 | if (data->state == STATE_HEADER) { | |
656 | int y; | |
657 | ||
658 | if (sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y)) { | |
659 | data->state = STATE_READING; | |
660 | } | |
661 | continue; | |
662 | } | |
663 | ||
664 | /* | |
665 | * We have a full "attribute = value" line. | |
666 | * If it doesn't look reasonable, skip it. | |
667 | * | |
668 | * FIXME: print an error for badly formatted attributes? | |
669 | */ | |
670 | if (sscanf(buffer, "%255s %7s %1023s", key, op, value) != 3) { | |
671 | WARN("detail (%s): Skipping badly formatted line %s", data->name, buffer); | |
672 | continue; | |
673 | } | |
674 | ||
675 | /* | |
676 | * Should be =, :=, +=, ... | |
677 | */ | |
678 | if (!strchr(op, '=')) continue; | |
679 | ||
680 | /* | |
681 | * Skip non-protocol attributes. | |
682 | */ | |
683 | if (!strcasecmp(key, "Request-Authenticator")) continue; | |
684 | ||
685 | /* | |
686 | * Set the original client IP address, based on | |
687 | * what's in the detail file. | |
688 | * | |
689 | * Hmm... we don't set the server IP address. | |
690 | * or port. Oh well. | |
691 | */ | |
692 | if (!strcasecmp(key, "Client-IP-Address")) { | |
693 | data->client_ip.af = AF_INET; | |
694 | if (ip_hton(&data->client_ip, AF_INET, value, false) < 0) { | |
695 | ERROR("detail (%s): Failed parsing Client-IP-Address", data->name); | |
696 | ||
697 | fr_pair_list_free(&data->vps); | |
698 | goto cleanup; | |
699 | } | |
700 | continue; | |
701 | } | |
702 | ||
703 | /* | |
704 | * The original time at which we received the | |
705 | * packet. We need this to properly calculate | |
706 | * Acct-Delay-Time. | |
707 | */ | |
708 | if (!strcasecmp(key, "Timestamp")) { | |
709 | data->timestamp = atoi(value); | |
710 | data->timestamp_offset = data->last_offset; | |
711 | ||
712 | vp = fr_pair_afrom_num(data, PW_PACKET_ORIGINAL_TIMESTAMP, 0); | |
713 | if (vp) { | |
714 | vp->vp_date = (uint32_t) data->timestamp; | |
715 | vp->type = VT_DATA; | |
716 | fr_cursor_insert(&cursor, vp); | |
717 | } | |
718 | continue; | |
719 | } | |
720 | ||
721 | if (!strcasecmp(key, "Donestamp")) { | |
722 | data->timestamp = atoi(value); | |
723 | data->done_entry = true; | |
724 | continue; | |
725 | } | |
726 | ||
727 | /* | |
728 | * Read one VP. | |
729 | * | |
730 | * FIXME: do we want to check for non-protocol | |
731 | * attributes like radsqlrelay does? | |
732 | */ | |
733 | vp = NULL; | |
734 | if ((fr_pair_list_afrom_str(data, buffer, &vp) > 0) && | |
735 | (vp != NULL)) { | |
736 | fr_cursor_merge(&cursor, vp); | |
737 | } | |
738 | } | |
739 | ||
740 | /* | |
741 | * Some kind of error. | |
742 | * | |
743 | * FIXME: Leave the file in-place, and warn the | |
744 | * administrator? | |
745 | */ | |
746 | if (ferror(data->fp)) goto cleanup; | |
747 | ||
748 | data->tries = 0; | |
749 | data->packets++; | |
750 | 780 | |
751 | 781 | /* |
752 | 782 | * Process the packet. |
762 | 792 | data->tries++; |
763 | 793 | |
764 | 794 | /* |
765 | * The writer doesn't check that the record was | |
766 | * completely written. If the disk is full, this can | |
767 | * result in a truncated record. When that happens, | |
768 | * treat it as EOF. | |
769 | */ | |
770 | if (data->state != STATE_QUEUED) { | |
771 | ERROR("detail (%s): Truncated record: treating it as EOF for detail file %s", | |
772 | data->name, data->filename_work); | |
773 | fr_pair_list_free(&data->vps); | |
774 | goto cleanup; | |
775 | } | |
776 | ||
777 | /* | |
778 | 795 | * We're done reading the file, but we didn't read |
779 | 796 | * anything. Clean up, and don't return anything. |
780 | 797 | */ |
781 | 798 | if (!data->vps) { |
799 | WARN("detail (%s): Read empty packet from file %s", | |
800 | data->name, data->filename_work); | |
782 | 801 | data->state = STATE_HEADER; |
783 | if (!data->fp || feof(data->fp)) goto cleanup; | |
784 | 802 | return NULL; |
785 | 803 | } |
786 | 804 | |
1023 | 1041 | /* |
1024 | 1042 | * Overloaded to return "should we fix delay times" |
1025 | 1043 | */ |
1026 | int detail_decode(UNUSED rad_listen_t *this, UNUSED REQUEST *request) | |
1044 | int detail_decode(rad_listen_t *this, REQUEST *request) | |
1027 | 1045 | { |
1028 | 1046 | #ifdef WITH_DETAIL_THREAD |
1047 | listen_detail_t *data = this->data; | |
1048 | ||
1049 | RDEBUG("Received %s from detail file %s", | |
1050 | fr_packet_codes[request->packet->code], data->filename_work); | |
1051 | ||
1052 | rdebug_pair_list(L_DBG_LVL_1, request, request->packet->vps, "\t"); | |
1053 | ||
1029 | 1054 | return 0; |
1030 | 1055 | #else |
1031 | 1056 | listen_detail_t *data = this->data; |
1057 | ||
1058 | RDEBUG("Received %s from detail file %s", | |
1059 | fr_packet_codes[request->packet->code], data->filename_work); | |
1060 | ||
1061 | rdebug_pair_list(L_DBG_LVL_1, request, request->packet->vps, "\t"); | |
1032 | 1062 | |
1033 | 1063 | return data->signal; |
1034 | 1064 | #endif |
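Review bot: The header check `if (!sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y))` at new line 571 accepts a line on which `sscanf` returns `EOF`, because `EOF` is non-zero. A line that ends before the first conversion, such as a blank line, is then taken as a valid header and the state moves to `STATE_READING`. Comparing against the expected count closes that gap: `if (sscanf(buffer, "%*s %*s %*d %*d:%*d:%*d %d", &y) != 1) {`. In the same loop `atoi(value)` for `Timestamp` and `Donestamp` (new lines 665 and 678) reports no error for non-numeric text, so `strtol` with an end-pointer check would be the stricter choice for a file the reader otherwise treats as possibly malformed. `detail_poll` starts and ends outside these hunks.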
98 | 98 | * The VPT *doesn't* have a "bare word" type, |
99 | 99 | * which arguably it should. |
100 | 100 | */ |
101 | rcode = (vpt->name != '\0'); | |
101 | rcode = (*vpt->name != '\0'); | |
102 | 102 | break; |
103 | 103 | |
104 | 104 | case TMPL_TYPE_ATTR: |
163 | 163 | regmatch_t rxmatch[REQUEST_MAX_REGEX + 1]; /* +1 for %{0} (whole match) capture group */ |
164 | 164 | size_t nmatch = sizeof(rxmatch) / sizeof(regmatch_t); |
165 | 165 | |
166 | rad_assert(lhs_type == PW_TYPE_STRING); | |
167 | rad_assert(lhs != NULL); | |
166 | if (!lhs || (lhs_type != PW_TYPE_STRING)) return -1; | |
168 | 167 | |
169 | 168 | EVAL_DEBUG("CMP WITH REGEX %s %s", |
170 | 169 | map->rhs->tmpl_iflag ? "CASE INSENSITIVE" : "CASE SENSITIVE", |
362 | 361 | case '[': /* we don't list close braces */ |
363 | 362 | case '{': |
364 | 363 | case '(': |
365 | if (outlen < 3) goto done; | |
366 | ||
367 | 364 | *(p++) = '\\'; |
368 | 365 | outlen--; |
369 | 366 | /* FALL-THROUGH */ |
375 | 372 | } |
376 | 373 | } |
377 | 374 | |
378 | done: | |
379 | 375 | *(p++) = '\0'; |
380 | 376 | return p - out; |
381 | 377 | } |
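Review bot: The third hunk removes `if (outlen < 3) goto done;`, which was the only visible room check before the escape branch writes a backslash, then the character, and finally the terminating NUL at the end of the function. The loop condition is outside the hunk, so the writes are only safe if that condition already guarantees three free bytes on every iteration. Please confirm, and state the invariant where the check used to be, e.g. `/* loop condition guarantees room for the backslash, the character and the NUL */`. If the loop does not guarantee it, the check has to stay.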
85 | 85 | VALUE_PAIR *input_pairs, bool shell_escape) |
86 | 86 | { |
87 | 87 | #ifndef __MINGW32__ |
88 | char *p; | |
89 | 88 | VALUE_PAIR *vp; |
90 | 89 | int n; |
91 | 90 | int to_child[2] = {-1, -1}; |
168 | 167 | */ |
169 | 168 | snprintf(buffer, sizeof(buffer), "%s=", vp->da->name); |
170 | 169 | if (shell_escape) { |
170 | char *p; | |
171 | ||
171 | 172 | for (p = buffer; *p != '='; p++) { |
172 | 173 | if (*p == '-') { |
173 | 174 | *p = '_'; |
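Review bot: The loop that now declares `p` locally, `for (p = buffer; *p != '='; p++)`, stops only at `=`. If `snprintf(buffer, sizeof(buffer), "%s=", vp->da->name)` at new line 169 ever truncates, the `=` is missing and the scan runs past the terminator. The size of `buffer` is declared outside the hunk, so this may be unreachable with the current attribute-name limits, but `for (p = buffer; *p && (*p != '='); p++)` costs nothing. The function continues outside the hunk.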
293 | 293 | * Try to lock it. If we can't lock it, it's because |
294 | 294 | * some reader has re-named the file to "foo.work" and |
295 | 295 | * locked it. So, we close the current file, re-open it, |
296 | * and try again/ | |
296 | * and try again. | |
297 | 297 | */ |
298 | 298 | if (ef->locking) { |
299 | 299 | for (tries = 0; tries < MAX_TRY_LOCK; tries++) { |
1324 | 1324 | fr_strerror()); |
1325 | 1325 | return -1; |
1326 | 1326 | } |
1327 | ||
1328 | if (request->reply->data_len > (MAX_PACKET_LEN - 100)) { | |
1329 | RWARN("Packet is large, and possibly truncated - %zd vs max %d", | |
1330 | request->reply->data_len, MAX_PACKET_LEN); | |
1331 | } | |
1332 | ||
1333 | 1327 | return 0; |
1334 | 1328 | } |
1335 | 1329 | |
1368 | 1362 | RERROR("Failed sending reply: %s", |
1369 | 1363 | fr_strerror()); |
1370 | 1364 | return -1; |
1371 | } | |
1372 | ||
1373 | if (request->reply->data_len > (MAX_PACKET_LEN - 100)) { | |
1374 | RWARN("Packet is large, and possibly truncated - %zd vs max %d", | |
1375 | request->reply->data_len, MAX_PACKET_LEN); | |
1376 | 1365 | } |
1377 | 1366 | |
1378 | 1367 | return 0; |
1395 | 1384 | RERROR("Failed sending proxied request: %s", |
1396 | 1385 | fr_strerror()); |
1397 | 1386 | return -1; |
1398 | } | |
1399 | ||
1400 | if (request->proxy->data_len > (MAX_PACKET_LEN - 100)) { | |
1401 | RWARN("Packet is large, and possibly truncated - %zd vs max %d", | |
1402 | request->proxy->data_len, MAX_PACKET_LEN); | |
1403 | 1387 | } |
1404 | 1388 | |
1405 | 1389 | return 0; |
2114 | 2098 | } |
2115 | 2099 | |
2116 | 2100 | if (request->reply->data_len > (MAX_PACKET_LEN - 100)) { |
2117 | RWARN("Packet is large, and possibly truncated - %zd vs max %d", | |
2101 | RWDEBUG("Packet is large, and possibly truncated - %zd vs max %d", | |
2118 | 2102 | request->reply->data_len, MAX_PACKET_LEN); |
2119 | 2103 | } |
2120 | 2104 | |
2173 | 2157 | } |
2174 | 2158 | |
2175 | 2159 | if (request->proxy->data_len > (MAX_PACKET_LEN - 100)) { |
2176 | RWARN("Packet is large, and possibly truncated - %zd vs max %d", | |
2160 | RWDEBUG("Packet is large, and possibly truncated - %zd vs max %d", | |
2177 | 2161 | request->proxy->data_len, MAX_PACKET_LEN); |
2178 | 2162 | } |
2179 | 2163 | |
2638 | 2622 | #ifdef WITH_TCP |
2639 | 2623 | if (sock->proto == IPPROTO_TCP) { |
2640 | 2624 | /* |
2641 | * If there are hard-coded worker threads, OR | |
2642 | * it's a TLS connection, it's blocking. | |
2625 | * Woker threads are blocking. | |
2643 | 2626 | * |
2644 | 2627 | * Otherwise, they're non-blocking. |
2645 | 2628 | */ |
2646 | if (!this->workers | |
2647 | #ifdef WITH_PROXY | |
2648 | #ifdef WITH_TLS | |
2649 | && (this->type == RAD_LISTEN_PROXY) && !this->tls | |
2650 | #endif | |
2651 | #endif | |
2652 | ) { | |
2629 | if (!this->workers) { | |
2653 | 2630 | if (fr_nonblock(this->fd) < 0) { |
2654 | 2631 | close(this->fd); |
2655 | 2632 | ERROR("Failed setting non-blocking on socket: %s", |
2935 | 2912 | { NULL, 0 }, |
2936 | 2913 | }; |
2937 | 2914 | |
2938 | static int _free_proto_handle(lt_dlhandle *handle) | |
2915 | static int _free_proto_handle(fr_dlhandle *handle) | |
2939 | 2916 | { |
2940 | 2917 | dlclose(*handle); |
2941 | 2918 | return 0; |
2948 | 2925 | rad_listen_t *this; |
2949 | 2926 | CONF_PAIR *cp; |
2950 | 2927 | char const *value; |
2951 | lt_dlhandle handle; | |
2928 | fr_dlhandle handle; | |
2952 | 2929 | CONF_SECTION *server_cs; |
2953 | 2930 | char buffer[32]; |
2954 | 2931 | |
2967 | 2944 | } |
2968 | 2945 | |
2969 | 2946 | snprintf(buffer, sizeof(buffer), "proto_%s", value); |
2970 | handle = lt_dlopenext(buffer); | |
2947 | handle = fr_dlopenext(buffer); | |
2971 | 2948 | if (handle) { |
2972 | 2949 | fr_protocol_t *proto; |
2973 | lt_dlhandle *marker; | |
2950 | fr_dlhandle *marker; | |
2974 | 2951 | |
2975 | 2952 | proto = dlsym(handle, buffer); |
2976 | 2953 | if (!proto) { |
2989 | 2966 | /* |
2990 | 2967 | * Ensure handle gets closed if config section gets freed |
2991 | 2968 | */ |
2992 | marker = talloc(cs, lt_dlhandle); | |
2969 | marker = talloc(cs, fr_dlhandle); | |
2993 | 2970 | *marker = handle; |
2994 | 2971 | talloc_set_destructor(marker, _free_proto_handle); |
2995 | 2972 |
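Review bot: The simplified condition `if (!this->workers)` at new line 2629 now also sets non-blocking mode on TLS sockets and on non-proxy listeners, which the removed `(this->type == RAD_LISTEN_PROXY) && !this->tls` clause excluded. That is only correct if the TLS read and write paths, which are not part of this section, handle a would-block result by retrying rather than treating it as a failed connection. The rewritten comment should say why TLS no longer needs a blocking socket, and it has a typo, `Woker` for `Worker`. In the last hunks `_free_proto_handle` still calls `dlclose(*handle)` directly although the handle type is now `fr_dlhandle`.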
642 | 642 | } |
643 | 643 | |
644 | 644 | /* |
645 | * Once we're done with all of the privileged work, | |
646 | * permanently change the UID. | |
647 | */ | |
648 | if (do_suid) { | |
649 | rad_suid_set_down_uid(server_uid); | |
650 | rad_suid_down(); | |
651 | } | |
652 | ||
653 | /* | |
654 | 645 | * If we don't already have a log file open, open one |
655 | 646 | * now. We may not have been logging anything yet. The |
656 | 647 | * server normally starts up fairly quietly. |
681 | 672 | main_config.name, main_config.log_file, fr_syserror(errno)); |
682 | 673 | return 0; |
683 | 674 | } |
675 | } | |
676 | ||
677 | /* | |
678 | * Once we're done with all of the privileged work, | |
679 | * permanently change the UID. | |
680 | */ | |
681 | if (do_suid) { | |
682 | rad_suid_set_down_uid(server_uid); | |
683 | rad_suid_down(); | |
684 | 684 | } |
685 | 685 | |
686 | 686 | /* |
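Review bot: Moving the `do_suid` block below the log-file code (new lines 677-684) means the log file is now opened, and possibly created, with the starting identity rather than `server_uid`. The open call is in lines the hunk does not show, so two things need confirming. First, a file created there must end up owned or writable by `server_uid`, otherwise a later reopen after the drop fails. Second, the directory holding `main_config.log_file` must not be writable by `server_uid`, since the path is now resolved with full privileges. If the ordering is deliberate, the comment above the block should record it, e.g. `/* must stay after the log file is opened */`.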
1367 | 1367 | for (b = fr_cursor_first(&src_list); |
1368 | 1368 | b; |
1369 | 1369 | b = fr_cursor_next(&src_list)) { |
1370 | found = false; | |
1371 | ||
1370 | 1372 | for (a = fr_cursor_current(&dst_list); |
1371 | 1373 | a; |
1372 | 1374 | a = fr_cursor_next(&dst_list)) { |
1376 | 1378 | if (cmp > 0) break; |
1377 | 1379 | else if (cmp < 0) continue; |
1378 | 1380 | |
1381 | /* | |
1382 | * The LHS exists. We need to | |
1383 | * limit it's value based on the | |
1384 | * operator, and on the value of | |
1385 | * the RHS. | |
1386 | */ | |
1379 | 1387 | cmp = (value_data_cmp_op(map->op, a->da->type, &a->data, a->vp_length, b->da->type, &b->data, b->vp_length) == 0); |
1380 | if (cmp != 0) { | |
1388 | if (cmp == 1) switch (map->op) { | |
1389 | ||
1390 | /* | |
1391 | * Keep only matching attributes. | |
1392 | */ | |
1393 | default: | |
1394 | case T_OP_REG_NE: | |
1395 | case T_OP_NE: | |
1396 | case T_OP_REG_EQ: | |
1397 | case T_OP_CMP_EQ: | |
1381 | 1398 | a = fr_cursor_remove(&dst_list); |
1382 | 1399 | talloc_free(a); |
1400 | break; | |
1401 | ||
1402 | /* | |
1403 | * Keep matching | |
1404 | * attribute, and enforce | |
1405 | * matching values. | |
1406 | */ | |
1407 | case T_OP_GE: | |
1408 | case T_OP_GT: | |
1409 | case T_OP_LE: | |
1410 | case T_OP_LT: | |
1411 | DEBUG_OVERWRITE(a, b); | |
1412 | (void) value_data_copy(a, &a->data, a->da->type, | |
1413 | &b->data, b->vp_length); | |
1414 | found = true; | |
1415 | break; | |
1383 | 1416 | } |
1384 | 1417 | } |
1385 | if (!a) break; /* end of the list */ | |
1418 | ||
1419 | /* | |
1420 | * End of the dst list. | |
1421 | */ | |
1422 | if (!a) { | |
1423 | if (found) break; | |
1424 | ||
1425 | switch (map->op) { | |
1426 | default: | |
1427 | break; | |
1428 | ||
1429 | /* | |
1430 | * It wasn't found. Insert it with the given value. | |
1431 | */ | |
1432 | case T_OP_GE: | |
1433 | case T_OP_GT: | |
1434 | case T_OP_LE: | |
1435 | case T_OP_LT: | |
1436 | (void) fr_cursor_insert(&dst_list, fr_pair_copy(parent, b)); | |
1437 | break; | |
1438 | } | |
1439 | break; | |
1440 | } | |
1386 | 1441 | } |
1387 | 1442 | fr_pair_list_free(&head); |
1388 | 1443 | } |
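Review bot: In the `T_OP_GE`/`T_OP_GT`/`T_OP_LE`/`T_OP_LT` branch (new lines 1407-1415) the result of `value_data_copy()` is discarded with `(void)`, `found` is set regardless, and `a->vp_length` is never updated although `b->vp_length` is what was copied. For fixed-size types that is harmless, but for a variable-length type a failed copy or one of a different length would leave `a` with data and length that disagree. Checking the return value and assigning the length on success avoids that; I am assuming the function returns the copied length or a negative value, since its definition is not on this page. `fr_pair_copy(parent, b)` at new line 1436 is likewise passed to `fr_cursor_insert` without a NULL check.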
1663 | 1663 | |
1664 | 1664 | if (!map_cast_from_hex(map, T_BARE_WORD, vpt->name)) { |
1665 | 1665 | map->rhs = vpt; |
1666 | cf_log_err(map->ci, "%s", fr_strerror()); | |
1666 | cf_log_err(map->ci, "Cannot parse RHS hex as the data type of the attribute %s", map->lhs->tmpl_da->name); | |
1667 | 1667 | return -1; |
1668 | 1668 | } |
1669 | 1669 | talloc_free(vpt); |
1683 | 1683 | da = dict_attrbytype(map->lhs->tmpl_da->attr, map->lhs->tmpl_da->vendor, |
1684 | 1684 | map->rhs->tmpl_data_type); |
1685 | 1685 | if (!da) { |
1686 | fr_strerror_printf("Cannot find %s variant of attribute \"%s\"", | |
1687 | fr_int2str(dict_attr_types, map->rhs->tmpl_data_type, | |
1688 | "<INVALID>"), map->lhs->tmpl_da->name); | |
1686 | cf_log_err(map->ci, "Cannot find %s variant of attribute \"%s\"", | |
1687 | fr_int2str(dict_attr_types, map->rhs->tmpl_data_type, | |
1688 | "<INVALID>"), map->lhs->tmpl_da->name); | |
1689 | 1689 | return -1; |
1690 | 1690 | } |
1691 | 1691 | map->lhs->tmpl_da = da; |
2094 | 2094 | memcpy(csingle->actions, defaultactions[component][GROUPTYPE_SIMPLE], |
2095 | 2095 | sizeof(csingle->actions)); |
2096 | 2096 | |
2097 | mx->xlat_name = strdup(fmt); | |
2097 | mx->xlat_name = talloc_strdup(mx, fmt); | |
2098 | if (!mx->xlat_name) { | |
2099 | talloc_free(mx); | |
2100 | return NULL; | |
2101 | } | |
2102 | ||
2098 | 2103 | if (fmt[0] != '%') { |
2099 | 2104 | char *p; |
2100 | 2105 | mx->exec = true; |
3323 | 3328 | |
3324 | 3329 | if (!map_cast_from_hex(map, T_BARE_WORD, vpt->name)) { |
3325 | 3330 | map->rhs = vpt; |
3326 | cf_log_err(map->ci, "%s", fr_strerror()); | |
3331 | cf_log_err(map->ci, "Cannot parse RHS hex as the data type of the attribute %s", map->lhs->tmpl_da->name); | |
3327 | 3332 | return -1; |
3328 | 3333 | } |
3329 | 3334 | talloc_free(vpt); |
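Review bot: The replacement message at new lines 1666 and 3331 drops `fr_strerror()`, so the log now says that the hex value was rejected but not why. If `map_cast_from_hex()` still records a reason on failure, keep it next to the attribute name, e.g. `cf_log_err(map->ci, "Cannot parse RHS hex as the data type of the attribute %s: %s", map->lhs->tmpl_da->name, fr_strerror());`. Both enclosing functions start and end outside the hunks, so the check that makes `map->lhs->tmpl_da` valid on this error path has to be confirmed there.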
154 | 154 | return 0; |
155 | 155 | } |
156 | 156 | |
157 | lt_dlhandle lt_dlopenext(char const *name) | |
157 | fr_dlhandle fr_dlopenext(char const *name) | |
158 | 158 | { |
159 | 159 | int flags = RTLD_NOW; |
160 | 160 | void *handle; |
272 | 272 | return handle; |
273 | 273 | } |
274 | 274 | |
275 | void *lt_dlsym(lt_dlhandle handle, char const *symbol) | |
275 | void *fr_dlsym(fr_dlhandle handle, char const *symbol) | |
276 | 276 | { |
277 | 277 | return dlsym(handle, symbol); |
278 | 278 | } |
279 | 279 | |
280 | int lt_dlclose(lt_dlhandle handle) | |
280 | int fr_dlclose(fr_dlhandle handle) | |
281 | 281 | { |
282 | 282 | if (!handle) return 0; |
283 | 283 | |
284 | 284 | return dlclose(handle); |
285 | 285 | } |
286 | 286 | |
287 | char const *lt_dlerror(void) | |
287 | char const *fr_dlerror(void) | |
288 | 288 | { |
289 | 289 | return dlerror(); |
290 | 290 | } |
515 | 515 | /* |
516 | 516 | * Keep the handle around so we can dlclose() it. |
517 | 517 | */ |
518 | handle = lt_dlopenext(module_name); | |
518 | handle = fr_dlopenext(module_name); | |
519 | 519 | if (!handle) { |
520 | 520 | cf_log_err_cs(cs, "Failed to link to module '%s': %s", module_name, fr_strerror()); |
521 | 521 | return NULL; |
577 | 577 | */ |
578 | 578 | if (node->entry->module->inst_size) { |
579 | 579 | *handle = talloc_zero_array(node, uint8_t, node->entry->module->inst_size); |
580 | rad_assert(handle); | |
580 | rad_assert(*handle); | |
581 | 581 | |
582 | 582 | talloc_set_name(*handle, "rlm_%s_t", |
583 | 583 | node->entry->module->name ? node->entry->module->name : "config"); |
1247 | 1247 | |
1248 | 1248 | static int load_byserver(CONF_SECTION *cs) |
1249 | 1249 | { |
1250 | rlm_components_t comp, found; | |
1250 | rlm_components_t comp; | |
1251 | bool found; | |
1251 | 1252 | char const *name = cf_section_name2(cs); |
1252 | 1253 | rbtree_t *components; |
1253 | 1254 | virtual_server_t *server = NULL; |
1285 | 1286 | * Loop over all of the known components, finding their |
1286 | 1287 | * configuration section, and loading it. |
1287 | 1288 | */ |
1288 | found = 0; | |
1289 | found = false; | |
1289 | 1290 | for (comp = 0; comp < MOD_COUNT; ++comp) { |
1290 | 1291 | CONF_SECTION *subcs; |
1291 | 1292 | |
1345 | 1346 | |
1346 | 1347 | server->subcs[comp] = subcs; |
1347 | 1348 | |
1348 | found = 1; | |
1349 | found = true; | |
1349 | 1350 | } /* loop over components */ |
1350 | 1351 | |
1351 | 1352 | /* |
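Review bot: At new line 580 the result of `talloc_zero_array()` is checked only by `rad_assert(*handle)`, so a build with assertions compiled out would pass a NULL `*handle` straight to `talloc_set_name()` after a failed allocation. The commit corrects the operand of the assertion but still leaves out-of-memory unhandled; an explicit check such as `if (!*handle) return NULL;` would handle it, with the return value adjusted to whatever the enclosing function uses for failure. That function's signature and the rest of its body are outside the hunk.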
77 | 77 | |
78 | 78 | char *expr = NULL, *value = NULL; |
79 | 79 | char const *expr_p, *value_p; |
80 | ||
81 | if (!vp) return -2; | |
80 | 82 | |
81 | 83 | if (check->da->type == PW_TYPE_STRING) { |
82 | 84 | expr_p = check->vp_strvalue; |
414 | 414 | if (!packet) return; |
415 | 415 | if (!RDEBUG_ENABLED) return; |
416 | 416 | |
417 | #ifdef WITH_DETAIL | |
418 | /* | |
419 | * Don't print IP addresses for detail files. | |
420 | */ | |
421 | if (request->listener && | |
422 | (request->listener->type == RAD_LISTEN_DETAIL)) return; | |
423 | ||
424 | #endif | |
417 | 425 | /* |
418 | 426 | * Client-specific debugging re-prints the input |
419 | 427 | * packet into the client log. |
476 | 484 | { |
477 | 485 | VERIFY_REQUEST(request); |
478 | 486 | |
487 | rad_assert(request->home_server != NULL); | |
488 | ||
479 | 489 | if (request->client) { |
480 | 490 | /* |
481 | 491 | * The client hasn't set the response window. Return |
491 | 501 | } |
492 | 502 | } |
493 | 503 | |
494 | rad_assert(request->home_server != NULL); | |
495 | 504 | return &request->home_server->response_window; |
496 | 505 | } |
497 | 506 | |
2113 | 2122 | } |
2114 | 2123 | |
2115 | 2124 | #ifdef WITH_TCP |
2116 | rad_assert(request->proxy_listener != NULL); | |
2117 | request->proxy_listener->count--; | |
2125 | if (request->proxy_listener) { | |
2126 | request->proxy_listener->count--; | |
2127 | } | |
2118 | 2128 | #endif |
2119 | 2129 | request->proxy_listener = NULL; |
2120 | 2130 | |
2560 | 2570 | |
2561 | 2571 | #ifdef WITH_ACCOUNTING |
2562 | 2572 | case PW_CODE_ACCOUNTING_REQUEST: |
2563 | proxy_acct_stats.last_packet = packet->timestamp.tv_sec; | |
2564 | ||
2565 | 2573 | request->proxy_listener->stats.total_responses++; |
2566 | 2574 | proxy_acct_stats.last_packet = packet->timestamp.tv_sec; |
2567 | 2575 | break; |
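Review bot: The last hunk still dereferences `request->proxy_listener` unconditionally at new line 2573 (`request->proxy_listener->stats.total_responses++`), while the hunk at new line 2125 replaces an assertion with `if (request->proxy_listener)` because the pointer can evidently be NULL on that path. The two sites belong to different functions whose bodies lie outside the hunks, so the reply path may be safe by construction. If it is not, the same guard applies here: `if (request->proxy_listener) request->proxy_listener->stats.total_responses++;`. If it is, a short comment on that line saying why the listener cannot be NULL once a proxy reply has been matched would stop the two sites from looking inconsistent.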
976 | 976 | return -1; |
977 | 977 | } |
978 | 978 | |
979 | fr_packet_header_print(fr_log_fp, request->packet, false); | |
980 | if (fr_debug_lvl > 0) vp_printlist(fr_log_fp, request->packet->vps); | |
979 | if (fr_log_fp) { | |
980 | fr_packet_header_print(fr_log_fp, request->packet, false); | |
981 | if (fr_debug_lvl > 0) vp_printlist(fr_log_fp, request->packet->vps); | |
982 | } | |
981 | 983 | |
982 | 984 | return 0; |
983 | 985 | } |
1086 | 1088 | goto packet_done; |
1087 | 1089 | } |
1088 | 1090 | |
1089 | fr_packet_header_print(fr_log_fp, request->reply, true); | |
1090 | if (fr_debug_lvl > 0) vp_printlist(fr_log_fp, request->reply->vps); | |
1091 | if (fr_log_fp) { | |
1092 | fr_packet_header_print(fr_log_fp, request->reply, true); | |
1093 | if (fr_debug_lvl > 0) vp_printlist(fr_log_fp, request->reply->vps); | |
1094 | } | |
1091 | 1095 | |
1092 | 1096 | /* |
1093 | 1097 | * Increment counters... |
1620 | 1624 | dict_free(); |
1621 | 1625 | |
1622 | 1626 | if (do_summary) { |
1623 | DEBUG("Packet summary:\n" | |
1624 | "\tAccepted : %" PRIu64 "\n" | |
1625 | "\tRejected : %" PRIu64 "\n" | |
1626 | "\tLost : %" PRIu64 "\n" | |
1627 | "\tPassed filter : %" PRIu64 "\n" | |
1628 | "\tFailed filter : %" PRIu64, | |
1629 | stats.accepted, | |
1630 | stats.rejected, | |
1631 | stats.lost, | |
1632 | stats.passed, | |
1633 | stats.failed | |
1627 | printf("Packet summary:\n" | |
1628 | "\tAccepted : %" PRIu64 "\n" | |
1629 | "\tRejected : %" PRIu64 "\n" | |
1630 | "\tLost : %" PRIu64 "\n" | |
1631 | "\tPassed filter : %" PRIu64 "\n" | |
1632 | "\tFailed filter : %" PRIu64 "\n", | |
1633 | stats.accepted, | |
1634 | stats.rejected, | |
1635 | stats.lost, | |
1636 | stats.passed, | |
1637 | stats.failed | |
1634 | 1638 | ); |
1635 | 1639 | } |
1636 | 1640 |
39 | 39 | |
40 | 40 | #ifdef HAVE_LIBREADLINE |
41 | 41 | |
42 | # include <stdio.h> | |
42 | 43 | #if defined(HAVE_READLINE_READLINE_H) |
43 | 44 | # include <readline/readline.h> |
44 | 45 | # define USE_READLINE (1) |
602 | 603 | |
603 | 604 | if (!quiet) { |
604 | 605 | printf("%s - FreeRADIUS Server administration tool.\n", radmin_version); |
605 | printf("Copyright (C) 2008-2016 The FreeRADIUS server project and contributors.\n"); | |
606 | printf("Copyright (C) 2008-2017 The FreeRADIUS server project and contributors.\n"); | |
606 | 607 | printf("There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A\n"); |
607 | 608 | printf("PARTICULAR PURPOSE.\n"); |
608 | 609 | printf("You may redistribute copies of FreeRADIUS under the terms of the\n"); |
80 | 80 | PASSWORD="MS-CHAP-Password" |
81 | 81 | ;; |
82 | 82 | eap-md5) |
83 | PASSWORD="User-Password" | |
83 | PASSWORD="Cleartext-Password" | |
84 | 84 | if [ ! -x "$radeapclient" ] |
85 | 85 | then |
86 | 86 | echo "radtest: No 'radeapclient' program was found. Cannot perform EAP-MD5." >&1 |
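Review bot: The diagnostic on the last line of this hunk ends in `>&1`, which redirects stdout to itself, so the "No 'radeapclient' program was found" message goes to stdout and not stderr. `>&2` is almost certainly what was intended: `echo "radtest: No 'radeapclient' program was found. Cannot perform EAP-MD5." >&2`. The line is unchanged context in this commit, and the `if` block it belongs to continues outside the hunk.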
191 | 191 | } |
192 | 192 | |
193 | 193 | |
194 | static size_t CC_HINT(nonnull) xlat_cs(CONF_SECTION *cs, char const *fmt, char *out, size_t outlen) | |
194 | static size_t xlat_cs(CONF_SECTION *cs, char const *fmt, char *out, size_t outlen) | |
195 | 195 | { |
196 | 196 | char const *value = NULL; |
197 | ||
198 | if (!fmt) { | |
199 | DEBUG("No configuration item requested. Ignoring."); | |
200 | ||
201 | *out = '\0'; | |
202 | return 0; | |
203 | } | |
197 | 204 | |
198 | 205 | /* |
199 | 206 | * Instance name |
223 | 230 | /* |
224 | 231 | * Xlat for %{home_server:foo} |
225 | 232 | */ |
226 | static ssize_t CC_HINT(nonnull) xlat_home_server(UNUSED void *instance, REQUEST *request, | |
227 | char const *fmt, char *out, size_t outlen) | |
233 | static ssize_t xlat_home_server(UNUSED void *instance, REQUEST *request, | |
234 | char const *fmt, char *out, size_t outlen) | |
228 | 235 | { |
229 | 236 | if (!request->home_server) { |
230 | 237 | RWDEBUG("No home_server associated with this request"); |
238 | ||
239 | *out = '\0'; | |
240 | return 0; | |
241 | } | |
242 | ||
243 | if (!fmt) { | |
244 | RWDEBUG("No configuration item requested. Ignoring."); | |
231 | 245 | |
232 | 246 | *out = '\0'; |
233 | 247 | return 0; |
265 | 279 | /* |
266 | 280 | * Xlat for %{home_server_pool:foo} |
267 | 281 | */ |
268 | static ssize_t CC_HINT(nonnull) xlat_server_pool(UNUSED void *instance, REQUEST *request, | |
269 | char const *fmt, char *out, size_t outlen) | |
282 | static ssize_t xlat_server_pool(UNUSED void *instance, REQUEST *request, | |
283 | char const *fmt, char *out, size_t outlen) | |
270 | 284 | { |
271 | 285 | if (!request->home_pool) { |
272 | 286 | RWDEBUG("No home_pool associated with this request"); |
287 | ||
288 | *out = '\0'; | |
289 | return 0; | |
290 | } | |
291 | ||
292 | if (!fmt) { | |
293 | RWDEBUG("No configuration item requested. Ignoring."); | |
273 | 294 | |
274 | 295 | *out = '\0'; |
275 | 296 | return 0; |
1134 | 1155 | } |
1135 | 1156 | |
1136 | 1157 | this->next = NULL; |
1137 | this->when = now + 60; | |
1158 | this->when = now + 300; | |
1138 | 1159 | this->pool = pool; |
1139 | 1160 | pthread_mutex_unlock(&pool_free_mutex); |
1140 | 1161 | } |
2442 | 2463 | hash = 0; |
2443 | 2464 | break; |
2444 | 2465 | } |
2445 | fr_hash_update(&request->packet->src_port, | |
2446 | sizeof(request->packet->src_port), hash); | |
2466 | hash = fr_hash_update(&request->packet->src_port, | |
2467 | sizeof(request->packet->src_port), hash); | |
2447 | 2468 | start = hash % pool->num_home_servers; |
2448 | 2469 | break; |
2449 | 2470 |
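Review bot: Removing `CC_HINT(nonnull)` from `xlat_cs`, `xlat_home_server` and `xlat_server_pool` (new lines 194, 233 and 282) to permit a NULL `fmt` also removes the hint for `request` and `out`, which the new early-return paths still dereference without a check (`request->home_server`, `*out = '\0'`). Limiting the attribute to the arguments that must stay non-NULL keeps that compile-time coverage while leaving the `if (!fmt)` test meaningful, e.g. `CC_HINT(nonnull(1,3))` on `xlat_cs` and `CC_HINT(nonnull(2,4))` on the two request-based functions. The early returns also write `*out` without consulting `outlen`, which is safe only if callers never pass a zero-length buffer; that cannot be seen from these hunks.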
478 | 478 | |
479 | 479 | PTHREAD_MUTEX_UNLOCK(&state->mutex); |
480 | 480 | |
481 | rad_assert(request->state == NULL); | |
482 | 481 | VERIFY_REQUEST(request); |
483 | 482 | return true; |
484 | 483 | } |
221 | 221 | |
222 | 222 | static pthread_mutex_t *ssl_mutexes = NULL; |
223 | 223 | |
224 | #ifdef HAVE_CRYPTO_SET_ID_CALLBACK | |
224 | 225 | static unsigned long ssl_id_function(void) |
225 | 226 | { |
226 | 227 | unsigned long ret; |
234 | 235 | |
235 | 236 | return ret; |
236 | 237 | } |
237 | ||
238 | #endif | |
239 | ||
240 | #ifdef HAVE_CRYPTO_SET_LOCKING_CALLBACK | |
238 | 241 | static void ssl_locking_function(int mode, int n, UNUSED char const *file, UNUSED int line) |
239 | 242 | { |
240 | 243 | if (mode & CRYPTO_LOCK) { |
243 | 246 | pthread_mutex_unlock(&(ssl_mutexes[n])); |
244 | 247 | } |
245 | 248 | } |
249 | #endif | |
246 | 250 | |
247 | 251 | static int setup_ssl_mutexes(void) |
248 | 252 | { |
258 | 262 | pthread_mutex_init(&(ssl_mutexes[i]), NULL); |
259 | 263 | } |
260 | 264 | |
265 | #ifdef HAVE_CRYPTO_SET_ID_CALLBACK | |
261 | 266 | CRYPTO_set_id_callback(ssl_id_function); |
267 | #endif | |
268 | #ifdef HAVE_CRYPTO_SET_LOCKING_CALLBACK | |
262 | 269 | CRYPTO_set_locking_callback(ssl_locking_function); |
270 | #endif | |
263 | 271 | |
264 | 272 | return 1; |
265 | 273 | } |
717 | 725 | * must remove the thread's error queue before |
718 | 726 | * exiting to prevent memory leaks. |
719 | 727 | */ |
728 | #if OPENSSL_VERSION_NUMBER < 0x10000000L | |
720 | 729 | ERR_remove_state(0); |
730 | #elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | |
731 | ERR_remove_thread_state(NULL); | |
732 | #endif | |
721 | 733 | #endif |
722 | 734 | |
723 | 735 | pthread_mutex_lock(&thread_pool.queue_mutex); |
1100 | 1112 | * We're no longer threaded. Remove the mutexes and free |
1101 | 1113 | * the memory. |
1102 | 1114 | */ |
1115 | #ifdef HAVE_CRYPTO_SET_ID_CALLBACK | |
1103 | 1116 | CRYPTO_set_id_callback(NULL); |
1117 | #endif | |
1118 | #ifdef HAVE_CRYPTO_SET_LOCKING_CALLBACK | |
1104 | 1119 | CRYPTO_set_locking_callback(NULL); |
1120 | #endif | |
1105 | 1121 | |
1106 | 1122 | free(ssl_mutexes); |
1107 | 1123 | #endif |
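Review bot: `setup_ssl_mutexes()` still runs its `pthread_mutex_init(&(ssl_mutexes[i]), NULL)` loop (new line 262) when neither `HAVE_CRYPTO_SET_ID_CALLBACK` nor `HAVE_CRYPTO_SET_LOCKING_CALLBACK` is defined, so on such builds the array is initialised and later passed to `free(ssl_mutexes)` without anything ever locking it. Only the two callback registrations are guarded; the allocation itself is outside the hunk, so this is inferred from the visible loop and the cleanup at new line 1122. Either put the whole mutex setup and teardown under `#ifdef HAVE_CRYPTO_SET_LOCKING_CALLBACK`, or add a comment such as `/* No locking callback in this OpenSSL: the library locks internally and ssl_mutexes is unused. */` at the top of the function.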
504 | 504 | talloc_set_destructor(ssn, _tls_session_free); |
505 | 505 | |
506 | 506 | ssn->ctx = conf->ctx; |
507 | ssn->mtu = conf->fragment_size; | |
507 | 508 | |
508 | 509 | SSL_CTX_set_mode(ssn->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY); |
509 | 510 | |
536 | 537 | SSL_set_ex_data(ssn->ssl, FR_TLS_EX_INDEX_SSN, (void *)ssn); |
537 | 538 | SSL_set_fd(ssn->ssl, fd); |
538 | 539 | ret = SSL_connect(ssn->ssl); |
540 | ||
541 | if (ret < 0) { | |
542 | switch (SSL_get_error(ssn->ssl, ret)) { | |
543 | default: | |
544 | break; | |
545 | ||
546 | ||
547 | ||
548 | case SSL_ERROR_WANT_READ: | |
549 | case SSL_ERROR_WANT_WRITE: | |
550 | ssn->connected = false; | |
551 | return ssn; | |
552 | } | |
553 | } | |
554 | ||
539 | 555 | if (ret <= 0) { |
540 | 556 | tls_error_io_log(NULL, ssn, ret, "Failed in " STRINGIFY(__FUNCTION__) " (SSL_connect)"); |
541 | 557 | talloc_free(ssn); |
543 | 559 | return NULL; |
544 | 560 | } |
545 | 561 | |
546 | ssn->mtu = conf->fragment_size; | |
547 | ||
562 | ssn->connected = true; | |
548 | 563 | return ssn; |
549 | 564 | } |
550 | 565 | |
822 | 837 | |
823 | 838 | static void session_close(tls_session_t *ssn) |
824 | 839 | { |
825 | SSL_set_quiet_shutdown(ssn->ssl, 1); | |
826 | SSL_shutdown(ssn->ssl); | |
827 | ||
828 | 840 | if (ssn->ssl) { |
841 | SSL_set_quiet_shutdown(ssn->ssl, 1); | |
842 | SSL_shutdown(ssn->ssl); | |
843 | ||
829 | 844 | SSL_free(ssn->ssl); |
830 | 845 | ssn->ssl = NULL; |
831 | 846 | } |
1188 | 1203 | { "allow_expired_crl", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, allow_expired_crl), NULL }, |
1189 | 1204 | { "check_cert_cn", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_cn), NULL }, |
1190 | 1205 | { "cipher_list", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, cipher_list), NULL }, |
1206 | { "cipher_server_preference", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, cipher_server_preference), NULL }, | |
1191 | 1207 | { "check_cert_issuer", FR_CONF_OFFSET(PW_TYPE_STRING, fr_tls_server_conf_t, check_cert_issuer), NULL }, |
1192 | 1208 | { "require_client_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, fr_tls_server_conf_t, require_client_cert), NULL }, |
1193 | 1209 | |
1358 | 1374 | blob_len = i2d_SSL_SESSION(sess, NULL); |
1359 | 1375 | if (blob_len < 1) { |
1360 | 1376 | /* something went wrong */ |
1361 | RWDEBUG("Session serialisation failed, couldn't determine required buffer length"); | |
1377 | if (request) RWDEBUG("Session serialisation failed, couldn't determine required buffer length"); | |
1362 | 1378 | return 0; |
1363 | 1379 | } |
1364 | ||
1365 | 1380 | |
1366 | 1381 | /* Do not convert to TALLOC - Thread safety */ |
1367 | 1382 | /* alloc and convert to ASN.1 */ |
1374 | 1389 | p = sess_blob; |
1375 | 1390 | rv = i2d_SSL_SESSION(sess, &p); |
1376 | 1391 | if (rv != blob_len) { |
1377 | RWDEBUG("Session serialisation failed"); | |
1392 | if (request) RWDEBUG("Session serialisation failed"); | |
1378 | 1393 | goto error; |
1379 | 1394 | } |
1380 | 1395 | |
1381 | 1396 | /* open output file */ |
1382 | 1397 | snprintf(filename, sizeof(filename), "%s%c%s.asn1", |
1383 | 1398 | conf->session_cache_path, FR_DIR_SEP, buffer); |
1384 | fd = open(filename, O_RDWR|O_CREAT|O_EXCL, 0600); | |
1399 | fd = open(filename, O_RDWR|O_CREAT|O_EXCL, S_IWUSR); | |
1385 | 1400 | if (fd < 0) { |
1386 | RERROR("Session serialisation failed, failed opening session file %s: %s", | |
1387 | filename, fr_syserror(errno)); | |
1401 | if (request) RERROR("Session serialisation failed, failed opening session file %s: %s", | |
1402 | filename, fr_syserror(errno)); | |
1388 | 1403 | goto error; |
1404 | } | |
1405 | ||
1406 | /* | |
1407 | * Set the filename to be temporarily write-only. | |
1408 | */ | |
1409 | if (request) { | |
1410 | VALUE_PAIR *vp; | |
1411 | ||
1412 | vp = fr_pair_afrom_num(request->state_ctx, PW_TLS_CACHE_FILENAME, 0); | |
1413 | if (vp) { | |
1414 | fr_pair_value_strcpy(vp, filename); | |
1415 | fr_pair_add(&request->state, vp); | |
1416 | } | |
1389 | 1417 | } |
1390 | 1418 | |
1391 | 1419 | todo = blob_len; |
1393 | 1421 | while (todo > 0) { |
1394 | 1422 | rv = write(fd, p, todo); |
1395 | 1423 | if (rv < 1) { |
1396 | RWDEBUG("Failed writing session: %s", fr_syserror(errno)); | |
1424 | if (request) RWDEBUG("Failed writing session: %s", fr_syserror(errno)); | |
1397 | 1425 | close(fd); |
1398 | 1426 | goto error; |
1399 | 1427 | } |
1401 | 1429 | todo -= rv; |
1402 | 1430 | } |
1403 | 1431 | close(fd); |
1404 | RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len); | |
1432 | if (request) RWDEBUG("Wrote session %s to %s (%d bytes)", buffer, filename, blob_len); | |
1405 | 1433 | } |
1406 | 1434 | |
1407 | 1435 | error: |
1410 | 1438 | return 0; |
1411 | 1439 | } |
1412 | 1440 | |
1441 | /** Convert OpenSSL's ASN1_TIME to an epoch time | |
1442 | * | |
1443 | * @param[out] out Where to write the time_t. | |
1444 | * @param[in] asn1 The ASN1_TIME to convert. | |
1445 | * @return | |
1446 | * - 0 success. | |
1447 | * - -1 on failure. | |
1448 | */ | |
1449 | static int ocsp_asn1time_to_epoch(time_t *out, char const *asn1) | |
1450 | { | |
1451 | struct tm t; | |
1452 | char const *p = asn1, *end = p + strlen(p); | |
1453 | ||
1454 | memset(&t, 0, sizeof(t)); | |
1455 | ||
1456 | if ((end - p) <= 12) { | |
1457 | if ((end - p) < 2) { | |
1458 | fr_strerror_printf("ASN1 date string too short, expected 2 additional bytes, got %zu bytes", | |
1459 | end - p); | |
1460 | return -1; | |
1461 | } | |
1462 | ||
1463 | t.tm_year = (*(p++) - '0') * 10; | |
1464 | t.tm_year += (*(p++) - '0'); | |
1465 | if (t.tm_year < 70) t.tm_year += 100; | |
1466 | } else { | |
1467 | t.tm_year = (*(p++) - '0') * 1000; | |
1468 | t.tm_year += (*(p++) - '0') * 100; | |
1469 | t.tm_year += (*(p++) - '0') * 10; | |
1470 | t.tm_year += (*(p++) - '0'); | |
1471 | t.tm_year -= 1900; | |
1472 | } | |
1473 | ||
1474 | if ((end - p) < 10) { | |
1475 | fr_strerror_printf("ASN1 string too short, expected 10 additional bytes, got %zu bytes", | |
1476 | end - p); | |
1477 | return -1; | |
1478 | } | |
1479 | ||
1480 | t.tm_mon = (*(p++) - '0') * 10; | |
1481 | t.tm_mon += (*(p++) - '0') - 1; // -1 since January is 0 not 1. | |
1482 | t.tm_mday = (*(p++) - '0') * 10; | |
1483 | t.tm_mday += (*(p++) - '0'); | |
1484 | t.tm_hour = (*(p++) - '0') * 10; | |
1485 | t.tm_hour += (*(p++) - '0'); | |
1486 | t.tm_min = (*(p++) - '0') * 10; | |
1487 | t.tm_min += (*(p++) - '0'); | |
1488 | t.tm_sec = (*(p++) - '0') * 10; | |
1489 | t.tm_sec += (*(p++) - '0'); | |
1490 | ||
1491 | /* Apparently OpenSSL converts all timestamps to UTC? Maybe? */ | |
1492 | *out = timegm(&t); | |
1493 | return 0; | |
1494 | } | |
1495 | ||
1496 | #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | |
1413 | 1497 | static SSL_SESSION *cbtls_get_session(SSL *ssl, unsigned char *data, int len, int *copy) |
1498 | #else | |
1499 | static SSL_SESSION *cbtls_get_session(SSL *ssl, const unsigned char *data, int len, int *copy) | |
1500 | #endif | |
1414 | 1501 | { |
1415 | 1502 | size_t size; |
1416 | 1503 | char buffer[2 * MAX_SESSION_SIZE + 1]; |
1452 | 1539 | |
1453 | 1540 | struct stat st; |
1454 | 1541 | VALUE_PAIR *vps = NULL; |
1455 | ||
1456 | /* read in the cached VPs from the .vps file */ | |
1457 | snprintf(filename, sizeof(filename), "%s%c%s.vps", | |
1458 | conf->session_cache_path, FR_DIR_SEP, buffer); | |
1459 | rv = pairlist_read(talloc_ctx, filename, &pairlist, 1); | |
1460 | if (rv < 0) { | |
1461 | /* not safe to un-persist a session w/o VPs */ | |
1462 | RWDEBUG("Failed loading persisted VPs for session %s", buffer); | |
1463 | goto err; | |
1464 | } | |
1542 | VALUE_PAIR *vp; | |
1465 | 1543 | |
1466 | 1544 | /* load the actual SSL session */ |
1467 | 1545 | snprintf(filename, sizeof(filename), "%s%c%s.asn1", conf->session_cache_path, FR_DIR_SEP, buffer); |
1468 | 1546 | fd = open(filename, O_RDONLY); |
1469 | 1547 | if (fd < 0) { |
1470 | 1548 | RWDEBUG("No persisted session file %s: %s", filename, fr_syserror(errno)); |
1471 | goto err; | |
1549 | goto error; | |
1472 | 1550 | } |
1473 | 1551 | |
1474 | 1552 | rv = fstat(fd, &st); |
1475 | 1553 | if (rv < 0) { |
1476 | 1554 | RWDEBUG("Failed stating persisted session file %s: %s", filename, fr_syserror(errno)); |
1477 | 1555 | close(fd); |
1478 | goto err; | |
1556 | goto error; | |
1479 | 1557 | } |
1480 | 1558 | |
1481 | 1559 | sess_data = talloc_array(NULL, unsigned char, st.st_size); |
1482 | 1560 | if (!sess_data) { |
1483 | 1561 | RWDEBUG("Failed allocating buffer for persisted session (%d bytes)", (int) st.st_size); |
1484 | 1562 | close(fd); |
1485 | goto err; | |
1563 | goto error; | |
1486 | 1564 | } |
1487 | 1565 | |
1488 | 1566 | q = sess_data; |
1492 | 1570 | if (rv < 1) { |
1493 | 1571 | RWDEBUG("Failed reading persisted session: %s", fr_syserror(errno)); |
1494 | 1572 | close(fd); |
1495 | goto err; | |
1573 | goto error; | |
1496 | 1574 | } |
1497 | 1575 | todo -= rv; |
1498 | 1576 | q += rv; |
1515 | 1593 | sess = d2i_SSL_SESSION(NULL, o, st.st_size); |
1516 | 1594 | if (!sess) { |
1517 | 1595 | RWDEBUG("Failed loading persisted session: %s", ERR_error_string(ERR_get_error(), NULL)); |
1518 | goto err; | |
1596 | goto error; | |
1597 | } | |
1598 | ||
1599 | /* read in the cached VPs from the .vps file */ | |
1600 | snprintf(filename, sizeof(filename), "%s%c%s.vps", | |
1601 | conf->session_cache_path, FR_DIR_SEP, buffer); | |
1602 | rv = pairlist_read(talloc_ctx, filename, &pairlist, 1); | |
1603 | if (rv < 0) { | |
1604 | /* not safe to un-persist a session w/o VPs */ | |
1605 | RWDEBUG("Failed loading persisted VPs for session %s", buffer); | |
1606 | SSL_SESSION_free(sess); | |
1607 | goto error; | |
1608 | } | |
1609 | ||
1610 | /* | |
1611 | * Enforce client certificate expiration. | |
1612 | */ | |
1613 | vp = fr_pair_find_by_num(pairlist->reply, PW_TLS_CLIENT_CERT_EXPIRATION, 0, TAG_ANY); | |
1614 | if (vp) { | |
1615 | time_t expires; | |
1616 | ||
1617 | if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) { | |
1618 | RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s", buffer); | |
1619 | SSL_SESSION_free(sess); | |
1620 | goto error; | |
1621 | } | |
1622 | ||
1623 | if (expires <= request->timestamp) { | |
1624 | RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer); | |
1625 | SSL_SESSION_free(sess); | |
1626 | goto error; | |
1627 | } | |
1628 | ||
1629 | /* | |
1630 | * Account for Session-Timeout, if it's available. | |
1631 | */ | |
1632 | vp = fr_pair_find_by_num(request->reply->vps, PW_SESSION_TIMEOUT, 0, TAG_ANY); | |
1633 | if (vp) { | |
1634 | if ((request->timestamp + vp->vp_integer) > expires) { | |
1635 | vp->vp_integer = expires - request->timestamp; | |
1636 | RWDEBUG2("Updating Session-Timeout to %u, due to impending certificate expiration", | |
1637 | vp->vp_integer); | |
1638 | } | |
1639 | } | |
1519 | 1640 | } |
1520 | 1641 | |
1521 | 1642 | /* move the cached VPs into the session */ |
1525 | 1646 | RWDEBUG("Successfully restored session %s", buffer); |
1526 | 1647 | rdebug_pair_list(L_DBG_LVL_2, request, vps, "reply:"); |
1527 | 1648 | } |
1528 | err: | |
1649 | error: | |
1529 | 1650 | if (sess_data) talloc_free(sess_data); |
1530 | 1651 | if (pairlist) pairlist_free(&pairlist); |
1531 | 1652 | |
1909 | 2030 | char cn_str[1024]; |
1910 | 2031 | char buf[64]; |
1911 | 2032 | X509 *client_cert; |
1912 | X509_CINF *client_inf; | |
2033 | #if OPENSSL_VERSION_NUMBER >= 0x10100000L | |
2034 | const STACK_OF(X509_EXTENSION) *ext_list; | |
2035 | #else | |
1913 | 2036 | STACK_OF(X509_EXTENSION) *ext_list; |
2037 | #endif | |
1914 | 2038 | SSL *ssl; |
1915 | 2039 | int err, depth, lookup, loc; |
1916 | 2040 | fr_tls_server_conf_t *conf; |
2015 | 2139 | rdebug_pair(L_DBG_LVL_2, request, vp, NULL); |
2016 | 2140 | } |
2017 | 2141 | |
2018 | X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, | |
2142 | X509_NAME_oneline(X509_get_issuer_name(client_cert), issuer, | |
2019 | 2143 | sizeof(issuer)); |
2020 | 2144 | issuer[sizeof(issuer) - 1] = '\0'; |
2021 | 2145 | if (certs && identity && (lookup <= 1) && issuer[0]) { |
2037 | 2161 | /* |
2038 | 2162 | * Get the RFC822 Subject Alternative Name |
2039 | 2163 | */ |
2040 | loc = X509_get_ext_by_NID(client_cert, NID_subject_alt_name, 0); | |
2164 | loc = X509_get_ext_by_NID(client_cert, NID_subject_alt_name, -1); | |
2041 | 2165 | if (certs && (lookup <= 1) && (loc >= 0)) { |
2042 | 2166 | X509_EXTENSION *ext = NULL; |
2043 | 2167 | GENERAL_NAMES *names = NULL; |
2052 | 2176 | #ifdef GEN_EMAIL |
2053 | 2177 | case GEN_EMAIL: |
2054 | 2178 | vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SAN_EMAIL][lookup], |
2055 | (char *) ASN1_STRING_data(name->d.rfc822Name), T_OP_SET); | |
2179 | (char const *) ASN1_STRING_get0_data(name->d.rfc822Name), T_OP_SET); | |
2056 | 2180 | rdebug_pair(L_DBG_LVL_2, request, vp, NULL); |
2057 | 2181 | break; |
2058 | 2182 | #endif /* GEN_EMAIL */ |
2059 | 2183 | #ifdef GEN_DNS |
2060 | 2184 | case GEN_DNS: |
2061 | 2185 | vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SAN_DNS][lookup], |
2062 | (char *) ASN1_STRING_data(name->d.dNSName), T_OP_SET); | |
2186 | (char const *) ASN1_STRING_get0_data(name->d.dNSName), T_OP_SET); | |
2063 | 2187 | rdebug_pair(L_DBG_LVL_2, request, vp, NULL); |
2064 | 2188 | break; |
2065 | 2189 | #endif /* GEN_DNS */ |
2070 | 2194 | /* we've got a UPN - Must be ASN1-encoded UTF8 string */ |
2071 | 2195 | if (name->d.otherName->value->type == V_ASN1_UTF8STRING) { |
2072 | 2196 | vp = fr_pair_make(talloc_ctx, certs, cert_attr_names[FR_TLS_SAN_UPN][lookup], |
2073 | (char *) ASN1_STRING_data(name->d.otherName->value->value.utf8string), T_OP_SET); | |
2197 | (char const *) ASN1_STRING_get0_data(name->d.otherName->value->value.utf8string), T_OP_SET); | |
2074 | 2198 | rdebug_pair(L_DBG_LVL_2, request, vp, NULL); |
2075 | 2199 | break; |
2076 | 2200 | } else { |
2108 | 2232 | } |
2109 | 2233 | |
2110 | 2234 | if (lookup == 0) { |
2235 | #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) | |
2236 | ext_list = X509_get0_extensions(client_cert); | |
2237 | #else | |
2238 | X509_CINF *client_inf; | |
2111 | 2239 | client_inf = client_cert->cert_info; |
2112 | 2240 | ext_list = client_inf->extensions; |
2241 | #endif | |
2113 | 2242 | } else { |
2114 | 2243 | ext_list = NULL; |
2115 | 2244 | } |
2169 | 2298 | |
2170 | 2299 | REXDENT(); |
2171 | 2300 | |
2172 | switch (ctx->error) { | |
2301 | switch (X509_STORE_CTX_get_error(ctx)) { | |
2173 | 2302 | case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: |
2174 | 2303 | RERROR("issuer=%s", issuer); |
2175 | 2304 | break; |
2312 | 2441 | true, true, EXEC_TIMEOUT) != 0) { |
2313 | 2442 | AUTH(LOG_PREFIX ": Certificate CN (%s) fails external verification!", common_name); |
2314 | 2443 | my_ok = 0; |
2315 | } else { | |
2444 | ||
2445 | } else if (request) { | |
2316 | 2446 | RDEBUG("Client certificate CN %s passed external validation", common_name); |
2317 | 2447 | } |
2318 | 2448 | |
2417 | 2547 | * is using the session |
2418 | 2548 | */ |
2419 | 2549 | static void sess_free_vps(UNUSED void *parent, void *data_ptr, |
2420 | UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx, | |
2421 | UNUSED long argl, UNUSED void *argp) | |
2422 | { | |
2423 | VALUE_PAIR *vp = data_ptr; | |
2424 | if (!vp) return; | |
2425 | ||
2426 | DEBUG2(LOG_PREFIX ": Freeing cached session VPs"); | |
2427 | ||
2428 | fr_pair_list_free(&vp); | |
2550 | UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx, | |
2551 | UNUSED long argl, UNUSED void *argp) | |
2552 | { | |
2553 | VALUE_PAIR *vp = data_ptr; | |
2554 | if (!vp) return; | |
2555 | ||
2556 | DEBUG2(LOG_PREFIX ": Freeing cached session VPs"); | |
2557 | ||
2558 | fr_pair_list_free(&vp); | |
2429 | 2559 | } |
2430 | 2560 | |
2431 | 2561 | static void sess_free_certs(UNUSED void *parent, void *data_ptr, |
2432 | UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx, | |
2433 | UNUSED long argl, UNUSED void *argp) | |
2434 | { | |
2435 | VALUE_PAIR **certs = data_ptr; | |
2436 | if (!certs) return; | |
2437 | ||
2438 | DEBUG2(LOG_PREFIX ": Freeing cached session Certificates"); | |
2439 | ||
2440 | fr_pair_list_free(certs); | |
2562 | UNUSED CRYPTO_EX_DATA *ad, UNUSED int idx, | |
2563 | UNUSED long argl, UNUSED void *argp) | |
2564 | { | |
2565 | VALUE_PAIR **certs = data_ptr; | |
2566 | if (!certs) return; | |
2567 | ||
2568 | DEBUG2(LOG_PREFIX ": Freeing cached session Certificates"); | |
2569 | ||
2570 | fr_pair_list_free(certs); | |
2441 | 2571 | } |
2442 | 2572 | |
2443 | 2573 | /** Add all the default ciphers and message digests reate our context. |
2450 | 2580 | SSL_load_error_strings(); /* readable error messages (examples show call before library_init) */ |
2451 | 2581 | SSL_library_init(); /* initialize library */ |
2452 | 2582 | OpenSSL_add_all_algorithms(); /* required for SHA2 in OpenSSL < 0.9.8o and 1.0.0.a */ |
2453 | OPENSSL_config(NULL); | |
2583 | CONF_modules_load_file(NULL, NULL, 0); | |
2454 | 2584 | |
2455 | 2585 | /* |
2456 | 2586 | * Initialize the index for the certificates. |
2512 | 2642 | */ |
2513 | 2643 | void tls_global_cleanup(void) |
2514 | 2644 | { |
2645 | #if OPENSSL_VERSION_NUMBER < 0x10000000L | |
2515 | 2646 | ERR_remove_state(0); |
2647 | #elif OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | |
2648 | ERR_remove_thread_state(NULL); | |
2649 | #endif | |
2516 | 2650 | ENGINE_cleanup(); |
2517 | 2651 | CONF_modules_unload(1); |
2518 | 2652 | ERR_free_strings(); |
2804 | 2938 | */ |
2805 | 2939 | ctx_options |= SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; |
2806 | 2940 | |
2941 | if (conf->cipher_server_preference) { | |
2942 | /* | |
2943 | * SSL_OP_CIPHER_SERVER_PREFERENCE to follow best practice | |
2944 | * of nowday's TLS: do not allow poorly-selected ciphers from | |
2945 | * client to take preference | |
2946 | */ | |
2947 | ctx_options |= SSL_OP_CIPHER_SERVER_PREFERENCE; | |
2948 | } | |
2949 | ||
2807 | 2950 | SSL_CTX_set_options(ctx, ctx_options); |
2808 | 2951 | |
2809 | 2952 | /* |
2928 | 3071 | } |
2929 | 3072 | |
2930 | 3073 | /* |
2931 | * Cache it, and DON'T auto-clear it. | |
3074 | * Cache it, DON'T auto-clear it, and disable the internal OpenSSL session cache. | |
2932 | 3075 | */ |
2933 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR); | |
3076 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER | SSL_SESS_CACHE_NO_AUTO_CLEAR | SSL_SESS_CACHE_NO_INTERNAL); | |
2934 | 3077 | |
2935 | 3078 | SSL_CTX_set_session_id_context(ctx, |
2936 | 3079 | (unsigned char *) conf->session_context_id, |
2976 | 3119 | return 0; |
2977 | 3120 | } |
2978 | 3121 | |
2979 | static fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx) | |
3122 | fr_tls_server_conf_t *tls_server_conf_alloc(TALLOC_CTX *ctx) | |
2980 | 3123 | { |
2981 | 3124 | fr_tls_server_conf_t *conf; |
2982 | 3125 | |
3018 | 3161 | */ |
3019 | 3162 | if (conf->fragment_size < 100) conf->fragment_size = 100; |
3020 | 3163 | |
3021 | if (!conf->private_key_file) { | |
3022 | ERROR(LOG_PREFIX ": TLS Server requires a private key file"); | |
3023 | goto error; | |
3024 | } | |
3025 | ||
3026 | if (!conf->certificate_file) { | |
3027 | ERROR(LOG_PREFIX ": TLS Server requires a certificate file"); | |
3028 | goto error; | |
3164 | /* | |
3165 | * Only check for certificate things if we don't have a | |
3166 | * PSK query. | |
3167 | */ | |
3168 | if (conf->psk_identity) { | |
3169 | if (conf->private_key_file) { | |
3170 | WARN(LOG_PREFIX ": Ignoring private key file due to psk_identity being used"); | |
3171 | } | |
3172 | ||
3173 | if (conf->certificate_file) { | |
3174 | WARN(LOG_PREFIX ": Ignoring certificate file due to psk_identity being used"); | |
3175 | } | |
3176 | ||
3177 | } else { | |
3178 | if (!conf->private_key_file) { | |
3179 | ERROR(LOG_PREFIX ": TLS Server requires a private key file"); | |
3180 | goto error; | |
3181 | } | |
3182 | ||
3183 | if (!conf->certificate_file) { | |
3184 | ERROR(LOG_PREFIX ": TLS Server requires a certificate file"); | |
3185 | goto error; | |
3186 | } | |
3029 | 3187 | } |
3030 | 3188 | |
3031 | 3189 | /* |
3129 | 3287 | |
3130 | 3288 | return conf; |
3131 | 3289 | } |
3290 | ||
3132 | 3291 | |
3133 | 3292 | int tls_success(tls_session_t *ssn, REQUEST *request) |
3134 | 3293 | { |
3207 | 3366 | * Save the certs in the packet, so that we can see them. |
3208 | 3367 | */ |
3209 | 3368 | fr_pair_add(&request->packet->vps, fr_pair_list_copy(request->packet, *certs)); |
3369 | ||
3370 | vp = fr_pair_find_by_num(request->packet->vps, PW_TLS_CLIENT_CERT_EXPIRATION, 0, TAG_ANY); | |
3371 | if (vp) { | |
3372 | time_t expires; | |
3373 | ||
3374 | if (ocsp_asn1time_to_epoch(&expires, vp->vp_strvalue) < 0) { | |
3375 | RDEBUG2("Failed getting certificate expiration, removing cache entry for session %s", buffer); | |
3376 | SSL_CTX_remove_session(ssn->ctx, ssn->ssl_session); | |
3377 | return -1; | |
3378 | } | |
3379 | ||
3380 | if (expires <= request->timestamp) { | |
3381 | RDEBUG2("Certificate has expired, removing cache entry for session %s", buffer); | |
3382 | SSL_CTX_remove_session(ssn->ctx, ssn->ssl_session); | |
3383 | return -1; | |
3384 | } | |
3385 | ||
3386 | /* | |
3387 | * Account for Session-Timeout, if it's available. | |
3388 | */ | |
3389 | vp = fr_pair_find_by_num(request->reply->vps, PW_SESSION_TIMEOUT, 0, TAG_ANY); | |
3390 | if (vp) { | |
3391 | if ((request->timestamp + vp->vp_integer) > expires) { | |
3392 | vp->vp_integer = expires - request->timestamp; | |
3393 | RWDEBUG2("Updating Session-Timeout to %u, due to impending certificate expiration", | |
3394 | vp->vp_integer); | |
3395 | } | |
3396 | } | |
3397 | } | |
3210 | 3398 | } |
3211 | 3399 | |
3212 | 3400 | if (vps) { |
156 | 156 | rad_assert(sock->packet != NULL); |
157 | 157 | request->packet = talloc_steal(request, sock->packet); |
158 | 158 | |
159 | request->component = "<core>"; | |
160 | 159 | request->component = "<tls-connect>"; |
161 | 160 | |
162 | 161 | request->reply = rad_alloc(request, false); |
174 | 173 | |
175 | 174 | SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_REQUEST, (void *)request); |
176 | 175 | SSL_set_ex_data(sock->ssn->ssl, fr_tls_ex_index_certs, (void *) &sock->certs); |
177 | SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, sock->parent); | |
176 | SSL_set_ex_data(sock->ssn->ssl, FR_TLS_EX_INDEX_TALLOC, NULL); | |
178 | 177 | |
179 | 178 | doing_init = true; |
180 | 179 | } |
479 | 478 | return 0; |
480 | 479 | } |
481 | 480 | |
481 | static int try_connect(tls_session_t *ssn) | |
482 | { | |
483 | int ret; | |
484 | ret = SSL_connect(ssn->ssl); | |
485 | if (ret < 0) { | |
486 | switch (SSL_get_error(ssn->ssl, ret)) { | |
487 | default: | |
488 | break; | |
489 | ||
490 | ||
491 | ||
492 | case SSL_ERROR_WANT_READ: | |
493 | case SSL_ERROR_WANT_WRITE: | |
494 | ssn->connected = false; | |
495 | return 0; | |
496 | } | |
497 | } | |
498 | ||
499 | if (ret <= 0) { | |
500 | tls_error_io_log(NULL, ssn, ret, "Failed in " STRINGIFY(__FUNCTION__) " (SSL_connect)"); | |
501 | talloc_free(ssn); | |
502 | ||
503 | return -1; | |
504 | } | |
505 | ||
506 | return 1; | |
507 | } | |
508 | ||
482 | 509 | |
483 | 510 | #ifdef WITH_PROXY |
484 | 511 | /* |
500 | 527 | uint8_t *data; |
501 | 528 | listen_socket_t *sock = listener->data; |
502 | 529 | |
530 | if (!sock->ssn->connected) { | |
531 | rcode = try_connect(sock->ssn); | |
532 | if (rcode == 0) return 0; | |
533 | ||
534 | if (rcode < 0) { | |
535 | SSL_shutdown(sock->ssn->ssl); | |
536 | return -1; | |
537 | } | |
538 | ||
539 | sock->ssn->connected = true; | |
540 | } | |
541 | ||
503 | 542 | /* |
504 | 543 | * Get the maximum size of data to receive. |
505 | 544 | */ |
693 | 732 | request); |
694 | 733 | } |
695 | 734 | |
735 | if (!sock->ssn->connected) { | |
736 | PTHREAD_MUTEX_LOCK(&sock->mutex); | |
737 | rcode = try_connect(sock->ssn); | |
738 | PTHREAD_MUTEX_UNLOCK(&sock->mutex); | |
739 | if (rcode == 0) return 0; | |
740 | ||
741 | if (rcode < 0) { | |
742 | SSL_shutdown(sock->ssn->ssl); | |
743 | return -1; | |
744 | } | |
745 | ||
746 | sock->ssn->connected = true; | |
747 | } | |
748 | ||
696 | 749 | DEBUG3("Proxy is writing %u bytes to SSL", |
697 | 750 | (unsigned int) request->proxy->data_len); |
698 | 751 | PTHREAD_MUTEX_LOCK(&sock->mutex); |
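Review bot: `try_connect()` frees the session with `talloc_free(ssn)` before returning -1, and both callers then run `SSL_shutdown(sock->ssn->ssl)` on that same pointer when `rcode < 0`, so a failed handshake ends in a use-after-free. Drop the `talloc_free(ssn);` from `try_connect()` and leave the free to the listener teardown (not visible here), or set `sock->ssn = NULL` in the callers and skip the shutdown. The read-path caller invokes `try_connect()` without `sock->mutex` while the write-path caller takes it, so if the two paths run on different threads they can drive the same `SSL` object concurrently. `STRINGIFY(__FUNCTION__)` will most likely log the literal text `__FUNCTION__`, because it is not a preprocessor macro. Both callers' enclosing functions start and end outside the lines shown.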
576 | 576 | DEBUG2(" "); |
577 | 577 | } |
578 | 578 | INFO("FreeRADIUS Version " RADIUSD_VERSION_STRING); |
579 | INFO("Copyright (C) 1999-2016 The FreeRADIUS server project and contributors"); | |
579 | INFO("Copyright (C) 1999-2017 The FreeRADIUS server project and contributors"); | |
580 | 580 | INFO("There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A"); |
581 | 581 | INFO("PARTICULAR PURPOSE"); |
582 | 582 | INFO("You may redistribute copies of FreeRADIUS under the terms of the"); |
1622 | 1622 | #endif |
1623 | 1623 | |
1624 | 1624 | case XLAT_ALTERNATE: |
1625 | DEBUG("%.*sif {", lvl, xlat_tabs); | |
1625 | DEBUG("%.*sXLAT-IF {", lvl, xlat_tabs); | |
1626 | 1626 | xlat_tokenize_debug(node->child, lvl + 1); |
1627 | 1627 | DEBUG("%.*s}", lvl, xlat_tabs); |
1628 | DEBUG("%.*selse {", lvl, xlat_tabs); | |
1628 | DEBUG("%.*sXLAT-ELSE {", lvl, xlat_tabs); | |
1629 | 1629 | xlat_tokenize_debug(node->alternate, lvl + 1); |
1630 | 1630 | DEBUG("%.*s}", lvl, xlat_tabs); |
1631 | 1631 | break; |
1786 | 1786 | * much faster. |
1787 | 1787 | */ |
1788 | 1788 | tokens = talloc_typed_strdup(request, fmt); |
1789 | if (!tokens) return -1; | |
1789 | if (!tokens) { | |
1790 | error = "Out of memory"; | |
1791 | return -1; | |
1792 | } | |
1790 | 1793 | |
1791 | 1794 | slen = xlat_tokenize_literal(request, tokens, head, false, &error); |
1792 | 1795 | |
1805 | 1808 | */ |
1806 | 1809 | if (slen < 0) { |
1807 | 1810 | talloc_free(tokens); |
1808 | rad_assert(error != NULL); | |
1811 | ||
1812 | if (!error) error = "Unknown error"; | |
1809 | 1813 | |
1810 | 1814 | REMARKER(fmt, -slen, error); |
1811 | 1815 | return slen; |
2116 | 2120 | * Don't escape this. |
2117 | 2121 | */ |
2118 | 2122 | case XLAT_LITERAL: |
2119 | XLAT_DEBUG("xlat_aprint LITERAL"); | |
2123 | XLAT_DEBUG("%.*sxlat_aprint LITERAL", lvl, xlat_spaces); | |
2120 | 2124 | return talloc_typed_strdup(ctx, node->fmt); |
2121 | 2125 | |
2122 | 2126 | /* |
2128 | 2132 | size_t freespace = 256; |
2129 | 2133 | struct tm ts; |
2130 | 2134 | time_t when; |
2131 | ||
2132 | XLAT_DEBUG("xlat_aprint PERCENT"); | |
2135 | int usec; | |
2136 | ||
2137 | XLAT_DEBUG("%.*sxlat_aprint PERCENT", lvl, xlat_spaces); | |
2133 | 2138 | |
2134 | 2139 | str = talloc_array(ctx, char, freespace); /* @todo do better allocation */ |
2135 | 2140 | p = node->fmt; |
2136 | 2141 | |
2137 | 2142 | when = request->timestamp; |
2143 | usec = 0; | |
2138 | 2144 | if (request->packet) { |
2139 | 2145 | when = request->packet->timestamp.tv_sec; |
2146 | usec = request->packet->timestamp.tv_usec; | |
2140 | 2147 | } |
2141 | 2148 | |
2142 | 2149 | switch (*p) { |
2198 | 2205 | |
2199 | 2206 | case 'T': /* request timestamp */ |
2200 | 2207 | if (!localtime_r(&when, &ts)) goto error; |
2201 | strftime(str, freespace, "%Y-%m-%d-%H.%M.%S.000000", &ts); | |
2208 | nl = str + strftime(str, freespace, "%Y-%m-%d-%H.%M.%S", &ts); | |
2209 | rad_assert(((str + freespace) - nl) >= 8); | |
2210 | snprintf(nl, (str + freespace) - nl, ".%06d", usec); | |
2202 | 2211 | break; |
2203 | 2212 | |
2204 | 2213 | case 'Y': /* request year */ |
2224 | 2233 | break; |
2225 | 2234 | |
2226 | 2235 | case XLAT_ATTRIBUTE: |
2227 | XLAT_DEBUG("xlat_aprint ATTRIBUTE"); | |
2236 | XLAT_DEBUG("%.*sxlat_aprint ATTRIBUTE", lvl, xlat_spaces); | |
2228 | 2237 | |
2229 | 2238 | /* |
2230 | 2239 | * Some attributes are virtual <sigh> |
2231 | 2240 | */ |
2232 | 2241 | str = xlat_getvp(ctx, request, &node->attr, escape ? false : true, true); |
2233 | 2242 | if (str) { |
2234 | XLAT_DEBUG("EXPAND attr %s", node->attr.tmpl_da->name); | |
2235 | XLAT_DEBUG(" ---> %s", str); | |
2243 | XLAT_DEBUG("%.*sEXPAND attr %s", lvl, xlat_spaces, node->attr.tmpl_da->name); | |
2244 | XLAT_DEBUG("%.*s ---> %s", lvl ,xlat_spaces, str); | |
2236 | 2245 | } |
2237 | 2246 | break; |
2238 | 2247 | |
2326 | 2335 | |
2327 | 2336 | #ifdef HAVE_REGEX |
2328 | 2337 | case XLAT_REGEX: |
2329 | XLAT_DEBUG("xlat_aprint REGEX"); | |
2338 | XLAT_DEBUG("%.*sxlat_aprint REGEX", lvl, xlat_spaces); | |
2330 | 2339 | if (regex_request_to_sub(ctx, &str, request, node->attr.tmpl_num) < 0) return NULL; |
2331 | 2340 | |
2332 | 2341 | break; |
2333 | 2342 | #endif |
2334 | 2343 | |
2335 | 2344 | case XLAT_ALTERNATE: |
2336 | XLAT_DEBUG("xlat_aprint ALTERNATE"); | |
2345 | XLAT_DEBUG("%.*sxlat_aprint ALTERNATE", lvl, xlat_spaces); | |
2337 | 2346 | rad_assert(node->child != NULL); |
2338 | 2347 | rad_assert(node->alternate != NULL); |
2339 | 2348 | |
2340 | str = xlat_aprint(ctx, request, node->child, escape, escape_ctx, lvl); | |
2341 | if (str) { | |
2342 | XLAT_DEBUG("ALTERNATE got string: %s", str); | |
2343 | break; | |
2344 | } | |
2345 | ||
2346 | XLAT_DEBUG("ALTERNATE going to alternate"); | |
2347 | str = xlat_aprint(ctx, request, node->alternate, escape, escape_ctx, lvl); | |
2349 | /* | |
2350 | * If there are no "next" nodes, call ourselves | |
2351 | * recursively, which is fast. | |
2352 | * | |
2353 | * If there are "next" nodes, call xlat_process() | |
2354 | * which does a ton more work. | |
2355 | */ | |
2356 | if (!node->next) { | |
2357 | str = xlat_aprint(ctx, request, node->child, escape, escape_ctx, lvl); | |
2358 | if (str) { | |
2359 | XLAT_DEBUG("%.*sALTERNATE got first string: %s", lvl, xlat_spaces, str); | |
2360 | } else { | |
2361 | str = xlat_aprint(ctx, request, node->alternate, escape, escape_ctx, lvl); | |
2362 | XLAT_DEBUG("%.*sALTERNATE got alternate string %s", lvl, xlat_spaces, str); | |
2363 | } | |
2364 | } else { | |
2365 | ||
2366 | if (xlat_process(&str, request, node->child, escape, escape_ctx) > 0) { | |
2367 | XLAT_DEBUG("%.*sALTERNATE got first string: %s", lvl, xlat_spaces, str); | |
2368 | } else { | |
2369 | (void) xlat_process(&str, request, node->alternate, escape, escape_ctx); | |
2370 | XLAT_DEBUG("%.*sALTERNATE got alternate string %s", lvl, xlat_spaces, str); | |
2371 | } | |
2372 | } | |
2348 | 2373 | break; |
2349 | ||
2350 | 2374 | } |
2351 | 2375 | |
2352 | 2376 | /* |
2612 | 2636 | |
2613 | 2637 | ssize_t radius_axlat(char **out, REQUEST *request, char const *fmt, xlat_escape_t escape, void *ctx) |
2614 | 2638 | { |
2639 | *out = NULL; | |
2615 | 2640 | return xlat_expand(out, 0, request, fmt, escape, ctx); |
2616 | 2641 | } |
2617 | 2642 | |
2618 | 2643 | ssize_t radius_axlat_struct(char **out, REQUEST *request, xlat_exp_t const *xlat, xlat_escape_t escape, void *ctx) |
2619 | 2644 | { |
2645 | *out = NULL; | |
2620 | 2646 | return xlat_expand_struct(out, 0, request, xlat, escape, ctx); |
2621 | 2647 | } |
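Review bot: In the `XLAT_ALTERNATE` case both `ALTERNATE got alternate string %s` debug lines pass `str` to `%s` even when the alternate expansion produced nothing, and `xlat_aprint()` can return NULL, as the `if (str)` test on the first call shows. Passing NULL to a printf-style `%s` is undefined behaviour, so print `str ? str : "<null>"` in those two calls. In the `node->next` branch the second call is `(void) xlat_process(...)`, so a failed alternate cannot be told apart from an empty one. Whether `str` is left NULL in that case is not visible here. The enclosing function starts and ends outside the lines shown.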
0 | ||
0 | 1 | /* |
1 | 2 | * dhcp.c Functions to send/receive dhcp packets. |
2 | 3 | * |
1154 | 1155 | * DHCP-Message-Type is first, for simplicity. |
1155 | 1156 | */ |
1156 | 1157 | if ((my_a->da->attr == PW_DHCP_MESSAGE_TYPE) && (my_b->da->attr != PW_DHCP_MESSAGE_TYPE)) return -1; |
1158 | if ((my_a->da->attr != PW_DHCP_MESSAGE_TYPE) && (my_b->da->attr == PW_DHCP_MESSAGE_TYPE)) return +1; | |
1157 | 1159 | |
1158 | 1160 | /* |
1159 | 1161 | * Relay-Agent is last |
1160 | 1162 | */ |
1161 | if ((my_a->da->attr == PW_DHCP_OPTION_82) && (my_b->da->attr != PW_DHCP_OPTION_82)) return 1; | |
1163 | if ((my_a->da->attr == PW_DHCP_OPTION_82) && (my_b->da->attr != PW_DHCP_OPTION_82)) return +1; | |
1164 | if ((my_a->da->attr != PW_DHCP_OPTION_82) && (my_b->da->attr == PW_DHCP_OPTION_82)) return -1; | |
1162 | 1165 | |
1163 | 1166 | if (my_a->da->attr < my_b->da->attr) return -1; |
1164 | 1167 | if (my_a->da->attr > my_b->da->attr) return 1; |
104 | 104 | } |
105 | 105 | vp = fr_pair_find_by_num(request->packet->vps, 259, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Hop-Count */ |
106 | 106 | rad_assert(vp != NULL); |
107 | if (vp->vp_integer > maxhops) { | |
107 | if (vp->vp_byte > maxhops) { | |
108 | 108 | DEBUG("DHCP: Number of hops is greater than %d: not relaying\n", maxhops); |
109 | 109 | return 1; |
110 | 110 | } else { |
111 | /* Increment hop count */ | |
112 | vp->vp_integer++; | |
111 | /* Increment hop count */ | |
112 | vp->vp_byte++; | |
113 | 113 | } |
114 | 114 | |
115 | 115 | sock = request->listener->data; |
300 | 300 | |
301 | 301 | vp = fr_pair_find_by_num(request->packet->vps, 53, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Message-Type */ |
302 | 302 | if (vp) { |
303 | DICT_VALUE *dv = dict_valbyattr(53, DHCP_MAGIC_VENDOR, vp->vp_integer); | |
303 | DICT_VALUE *dv = dict_valbyattr(53, DHCP_MAGIC_VENDOR, vp->vp_byte); | |
304 | 304 | DEBUG("Trying sub-section dhcp %s {...}", |
305 | 305 | dv ? dv->name : "<unknown>"); |
306 | rcode = process_post_auth(vp->vp_integer, request); | |
306 | rcode = process_post_auth(vp->vp_byte, request); | |
307 | 307 | } else { |
308 | 308 | DEBUG("DHCP: Failed to find DHCP-Message-Type in packet!"); |
309 | 309 | rcode = RLM_MODULE_FAIL; |
311 | 311 | |
312 | 312 | vp = fr_pair_find_by_num(request->reply->vps, 53, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Message-Type */ |
313 | 313 | if (vp) { |
314 | request->reply->code = vp->vp_integer; | |
314 | request->reply->code = vp->vp_byte; | |
315 | 315 | if ((request->reply->code != 0) && |
316 | 316 | (request->reply->code < PW_DHCP_OFFSET)) { |
317 | 317 | request->reply->code += PW_DHCP_OFFSET; |
365 | 365 | } |
366 | 366 | |
367 | 367 | /* BOOTREPLY received on port 67 (i.e. from a server) */ |
368 | if (vp->vp_integer == 2) { | |
368 | if (vp->vp_byte == 2) { | |
369 | 369 | return dhcprelay_process_server_reply(request); |
370 | 370 | } |
371 | 371 | |
375 | 375 | } |
376 | 376 | |
377 | 377 | /* else it's a packet from a client, without relaying */ |
378 | rad_assert(vp->vp_integer == 1); /* BOOTREQUEST */ | |
378 | rad_assert(vp->vp_byte == 1); /* BOOTREQUEST */ | |
379 | 379 | |
380 | 380 | sock = request->listener->data; |
381 | 381 | |
413 | 413 | |
414 | 414 | vp = fr_pair_find_by_num(request->reply->vps, 256, DHCP_MAGIC_VENDOR, TAG_ANY); /* DHCP-Opcode */ |
415 | 415 | rad_assert(vp != NULL); |
416 | vp->vp_integer = 2; /* BOOTREPLY */ | |
416 | vp->vp_byte = 2; /* BOOTREPLY */ | |
417 | 417 | |
418 | 418 | /* |
419 | 419 | * Allow NAKs to be delayed for a short period of time. |
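Review bot: `rad_assert(vp->vp_byte == 1); /* BOOTREQUEST */` asserts on what appears to be the opcode taken from the received packet, so a value other than 1 or 2 would abort a build with assertions enabled and be handled as a client request in a build without them. Lines 372–375 are not shown, so an earlier check may already exist. If it does not, replace the assertion with an explicit `if (vp->vp_byte != 1)` branch that logs and drops the packet through this function's existing error return. The same applies to the `rad_assert(vp != NULL)` lines that precede a dereference, if those attributes can be absent.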
711 | 711 | /* |
712 | 712 | * Load the appropriate driver for our database |
713 | 713 | */ |
714 | inst->handle = lt_dlopenext(inst->driver_name); | |
714 | inst->handle = fr_dlopenext(inst->driver_name); | |
715 | 715 | if (!inst->handle) { |
716 | 716 | cf_log_err_cs(conf, "Could not link driver %s: %s", inst->driver_name, dlerror()); |
717 | 717 | cf_log_err_cs(conf, "Make sure it (and all its dependent libraries!) are in the search path" |
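Review bot: The failure message after `fr_dlopenext(inst->driver_name)` still reports `dlerror()`, while the same call in the EAP method loader later in this commit (`method->handle = fr_dlopenext(mod_name);`) reports `fr_strerror()`. The wrapper's body is not shown, so it is unclear which of the two holds the error text after a failed load; the other one will print an empty or stale message. Confirm where `fr_dlopenext()` leaves its error and use the same reporter at both call sites.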
31 | 31 | typedef struct rlm_date_t { |
32 | 32 | char const *xlat_name; |
33 | 33 | char const *fmt; |
34 | bool utc; | |
34 | 35 | } rlm_date_t; |
35 | 36 | |
36 | 37 | static const CONF_PARSER module_config[] = { |
37 | 38 | { "format", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_date_t, fmt), "%b %e %Y %H:%M:%S %Z" }, |
39 | { "utc", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_date_t, utc), "no" }, | |
38 | 40 | CONF_PARSER_TERMINATOR |
39 | 41 | }; |
40 | 42 | |
45 | 47 | time_t date = 0; |
46 | 48 | struct tm tminfo; |
47 | 49 | VALUE_PAIR *vp; |
50 | ||
51 | memset(&tminfo, 0, sizeof(tminfo)); | |
48 | 52 | |
49 | 53 | if ((radius_get_vp(&vp, request, fmt) < 0) || !vp) { |
50 | 54 | *out = '\0'; |
66 | 70 | date = (time_t) vp->vp_integer; |
67 | 71 | |
68 | 72 | encode: |
69 | if (localtime_r(&date, &tminfo) == NULL) { | |
70 | REDEBUG("Failed converting time string to localtime"); | |
71 | goto error; | |
73 | if (!inst->utc) { | |
74 | if (localtime_r(&date, &tminfo) == NULL) { | |
75 | REDEBUG("Failed converting time string to localtime"); | |
76 | goto error; | |
77 | } | |
78 | } else { | |
79 | if (gmtime_r(&date, &tminfo) == NULL) { | |
80 | REDEBUG("Failed converting time string to gmtime"); | |
81 | goto error; | |
82 | } | |
72 | 83 | } |
73 | 84 | return strftime(out, outlen, inst->fmt, &tminfo); |
74 | 85 |
223 | 223 | VALUE_PAIR *vp; |
224 | 224 | char timestamp[256]; |
225 | 225 | |
226 | if (!packet->vps) { | |
227 | RWDEBUG("Skipping empty packet"); | |
228 | return 0; | |
229 | } | |
230 | ||
226 | 231 | if (radius_xlat(timestamp, sizeof(timestamp), request, inst->header, NULL, NULL) < 0) { |
227 | 232 | return -1; |
228 | 233 | } |
420 | 425 | * Flush everything |
421 | 426 | */ |
422 | 427 | fclose(outfp); |
423 | exfile_unlock(inst->ef, outfd); /* do NOT close outfp */ | |
428 | exfile_unlock(inst->ef, outfd); /* do NOT close outfd */ | |
424 | 429 | |
425 | 430 | /* |
426 | 431 | * And everything is fine. |
124 | 124 | /* |
125 | 125 | * Link the loaded EAP-Type |
126 | 126 | */ |
127 | method->handle = lt_dlopenext(mod_name); | |
127 | method->handle = fr_dlopenext(mod_name); | |
128 | 128 | if (!method->handle) { |
129 | 129 | ERROR("rlm_eap (%s): Failed to link %s: %s", inst->xlat_name, mod_name, fr_strerror()); |
130 | 130 |
206 | 206 | fake->server = "channel_bindings"; |
207 | 207 | fake->packet->code = PW_CODE_ACCESS_REQUEST; |
208 | 208 | |
209 | rcode = rad_virtual_server(fake); | |
210 | ||
211 | switch (rcode) { | |
209 | switch (rad_virtual_server(fake)) { | |
212 | 210 | /* If rad_authenticate succeeded, build a reply */ |
213 | 211 | case RLM_MODULE_OK: |
214 | 212 | case RLM_MODULE_HANDLED: |
279 | 277 | return packet; |
280 | 278 | } |
281 | 279 | |
282 | VALUE_PAIR *eap_chbind_packet2vp(REQUEST *request, chbind_packet_t *packet) | |
280 | VALUE_PAIR *eap_chbind_packet2vp(RADIUS_PACKET *packet, chbind_packet_t *chbind) | |
283 | 281 | { |
284 | 282 | VALUE_PAIR *vp; |
285 | 283 | |
286 | if (!packet) return NULL; /* don't produce garbage */ | |
287 | ||
288 | vp = fr_pair_afrom_num(request->packet, PW_UKERNA_CHBIND, VENDORPEC_UKERNA); | |
284 | if (!chbind) return NULL; /* don't produce garbage */ | |
285 | ||
286 | vp = fr_pair_afrom_num(packet, VENDORPEC_UKERNA, PW_UKERNA_CHBIND); | |
289 | 287 | if (!vp) return NULL; |
290 | fr_pair_value_memcpy(vp, (uint8_t *) packet, talloc_array_length((uint8_t *)packet)); | |
288 | fr_pair_value_memcpy(vp, (uint8_t *) chbind, talloc_array_length((uint8_t *)chbind)); | |
291 | 289 | |
292 | 290 | return vp; |
293 | 291 | } |
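Review bot: The new call `fr_pair_afrom_num(packet, VENDORPEC_UKERNA, PW_UKERNA_CHBIND)` passes the vendor before the attribute, the reverse of the line it replaces and of the attribute-then-vendor order used by the `fr_pair_find_by_num()` calls elsewhere in this commit. If `fr_pair_afrom_num()` takes `(ctx, attr, vendor)`, as the removed line suggests, this looks up the wrong dictionary entry. The channel-binding pair is then either not created or created with the wrong attribute. It should read `vp = fr_pair_afrom_num(packet, PW_UKERNA_CHBIND, VENDORPEC_UKERNA);`.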
57 | 57 | /* Channel binding function prototypes */ |
58 | 58 | PW_CODE chbind_process(REQUEST *request, CHBIND_REQ *chbind_req); |
59 | 59 | |
60 | VALUE_PAIR *eap_chbind_packet2vp(REQUEST *request, chbind_packet_t *packet); | |
60 | VALUE_PAIR *eap_chbind_packet2vp(RADIUS_PACKET *packet, chbind_packet_t *chbind); | |
61 | 61 | chbind_packet_t *eap_chbind_vp2packet(TALLOC_CTX *ctx, VALUE_PAIR *vps); |
62 | 62 | |
63 | 63 | #endif /*_EAP_CHBIND_H*/ |
324 | 324 | if (prev_eap_ds && prev_eap_ds->response) |
325 | 325 | eaptls_prev = (eaptls_packet_t *)prev_eap_ds->response->type.data; |
326 | 326 | |
327 | /* | |
328 | * First output the flags (for debugging) | |
329 | */ | |
330 | RDEBUG3("Peer sent flags %c%c%c", | |
331 | TLS_START(eaptls_packet->flags) ? 'S' : '-', | |
332 | TLS_MORE_FRAGMENTS(eaptls_packet->flags) ? 'M' : '-', | |
333 | TLS_LENGTH_INCLUDED(eaptls_packet->flags) ? 'L' : '-'); | |
327 | if (eaptls_packet) { | |
328 | /* | |
329 | * First output the flags (for debugging) | |
330 | */ | |
331 | RDEBUG3("Peer sent flags %c%c%c", | |
332 | TLS_START(eaptls_packet->flags) ? 'S' : '-', | |
333 | TLS_MORE_FRAGMENTS(eaptls_packet->flags) ? 'M' : '-', | |
334 | TLS_LENGTH_INCLUDED(eaptls_packet->flags) ? 'L' : '-'); | |
335 | } | |
334 | 336 | |
335 | 337 | /* |
336 | 338 | * check for ACK |
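Review bot: The added `if (eaptls_packet)` guard protects only the `RDEBUG3` flag dump, which implies the pointer can be NULL at this point. The rest of the function lies outside the lines shown; if it reads `eaptls_packet->flags` or other fields after the "check for ACK" comment, it needs the same guard. Otherwise return an error as soon as the pointer is found to be NULL. If the pointer can never be NULL here, a comment such as `/* eaptls_packet is never NULL here; guard quiets static analysis */` would say so.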
61 | 61 | int eaptls_request(EAP_DS *eap_ds, tls_session_t *ssn) CC_HINT(nonnull); |
62 | 62 | |
63 | 63 | |
64 | /* MPPE key generation */ | |
65 | 64 | void T_PRF(unsigned char const *secret, unsigned int secret_len, char const *prf_label, unsigned char const *seed, unsigned int seed_len, unsigned char *out, unsigned int out_len) CC_HINT(nonnull(1,3,6)); |
66 | 65 | void eaptls_gen_mppe_keys(REQUEST *request, SSL *s, char const *prf_label); |
67 | 66 | void eapttls_gen_challenge(SSL *s, uint8_t *buffer, size_t size); |
36 | 36 | unsigned char const *seed, unsigned int seed_len, |
37 | 37 | unsigned char *out, unsigned int out_len) |
38 | 38 | { |
39 | HMAC_CTX ctx_a, ctx_out; | |
39 | HMAC_CTX *ctx_a, *ctx_out; | |
40 | 40 | unsigned char a[HMAC_MAX_MD_CBLOCK]; |
41 | 41 | unsigned int size; |
42 | 42 | |
43 | HMAC_CTX_init(&ctx_a); | |
44 | HMAC_CTX_init(&ctx_out); | |
43 | ctx_a = HMAC_CTX_new(); | |
44 | ctx_out = HMAC_CTX_new(); | |
45 | 45 | #ifdef EVP_MD_CTX_FLAG_NON_FIPS_ALLOW |
46 | HMAC_CTX_set_flags(&ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
47 | HMAC_CTX_set_flags(&ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
46 | HMAC_CTX_set_flags(ctx_a, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
47 | HMAC_CTX_set_flags(ctx_out, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); | |
48 | 48 | #endif |
49 | HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL); | |
50 | HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL); | |
51 | ||
52 | size = HMAC_size(&ctx_out); | |
49 | HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL); | |
50 | HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL); | |
51 | ||
52 | size = HMAC_size(ctx_out); | |
53 | 53 | |
54 | 54 | /* Calculate A(1) */ |
55 | HMAC_Update(&ctx_a, seed, seed_len); | |
56 | HMAC_Final(&ctx_a, a, NULL); | |
55 | HMAC_Update(ctx_a, seed, seed_len); | |
56 | HMAC_Final(ctx_a, a, NULL); | |
57 | 57 | |
58 | 58 | while (1) { |
59 | 59 | /* Calculate next part of output */ |
60 | HMAC_Update(&ctx_out, a, size); | |
61 | HMAC_Update(&ctx_out, seed, seed_len); | |
60 | HMAC_Update(ctx_out, a, size); | |
61 | HMAC_Update(ctx_out, seed, seed_len); | |
62 | 62 | |
63 | 63 | /* Check if last part */ |
64 | 64 | if (out_len < size) { |
65 | HMAC_Final(&ctx_out, a, NULL); | |
65 | HMAC_Final(ctx_out, a, NULL); | |
66 | 66 | memcpy(out, a, out_len); |
67 | 67 | break; |
68 | 68 | } |
69 | 69 | |
70 | 70 | /* Place digest in output buffer */ |
71 | HMAC_Final(&ctx_out, out, NULL); | |
72 | HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL); | |
71 | HMAC_Final(ctx_out, out, NULL); | |
72 | HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL); | |
73 | 73 | out += size; |
74 | 74 | out_len -= size; |
75 | 75 | |
76 | 76 | /* Calculate next A(i) */ |
77 | HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL); | |
78 | HMAC_Update(&ctx_a, a, size); | |
79 | HMAC_Final(&ctx_a, a, NULL); | |
80 | } | |
81 | ||
82 | HMAC_CTX_cleanup(&ctx_a); | |
83 | HMAC_CTX_cleanup(&ctx_out); | |
77 | HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL); | |
78 | HMAC_Update(ctx_a, a, size); | |
79 | HMAC_Final(ctx_a, a, NULL); | |
80 | } | |
81 | ||
82 | HMAC_CTX_free(ctx_a); | |
83 | HMAC_CTX_free(ctx_out); | |
84 | 84 | memset(a, 0, sizeof(a)); |
85 | 85 | } |
86 | 86 | |
242 | 242 | |
243 | 243 | p[0] = header & 0xff; |
244 | 244 | |
245 | #ifdef HAVE_SSL_GET_CLIENT_RANDOM | |
246 | 245 | SSL_get_client_random(s, p + 1, SSL3_RANDOM_SIZE); |
247 | 246 | SSL_get_server_random(s, p + 1 + SSL3_RANDOM_SIZE, SSL3_RANDOM_SIZE); |
248 | #else | |
249 | memcpy(p + 1, s->s3->client_random, SSL3_RANDOM_SIZE); | |
250 | memcpy(p + 1 + SSL3_RANDOM_SIZE, | |
251 | s->s3->server_random, SSL3_RANDOM_SIZE); | |
252 | #endif | |
247 | ||
253 | 248 | vp->vp_octets = p; |
254 | 249 | fr_pair_add(&packet->vps, vp); |
255 | 250 | } |
259 | 254 | */ |
260 | 255 | void eap_fast_tls_gen_challenge(SSL *s, uint8_t *buffer, uint8_t *scratch, size_t size, char const *prf_label) |
261 | 256 | { |
257 | uint8_t *p; | |
258 | size_t len, master_key_len; | |
262 | 259 | uint8_t seed[128 + 2*SSL3_RANDOM_SIZE]; |
263 | uint8_t *p = seed; | |
264 | size_t len; | |
260 | uint8_t master_key[SSL_MAX_MASTER_KEY_LENGTH]; | |
265 | 261 | |
266 | 262 | len = strlen(prf_label); |
267 | 263 | if (len > 128) len = 128; |
268 | 264 | |
265 | p = seed; | |
269 | 266 | memcpy(p, prf_label, len); |
270 | 267 | p += len; |
271 | memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); | |
268 | SSL_get_server_random(s, p, SSL3_RANDOM_SIZE); | |
272 | 269 | p += SSL3_RANDOM_SIZE; |
273 | memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); | |
270 | SSL_get_client_random(s, p, SSL3_RANDOM_SIZE); | |
274 | 271 | p += SSL3_RANDOM_SIZE; |
275 | 272 | |
276 | PRF(s->session->master_key, s->session->master_key_length, | |
277 | seed, p - seed, buffer, scratch, size); | |
278 | } | |
279 | ||
280 | ||
273 | master_key_len = SSL_SESSION_get_master_key(SSL_get_session(s), master_key, sizeof(master_key)); | |
274 | PRF(master_key, master_key_len, seed, p - seed, buffer, scratch, size); | |
275 | } | |
276 | ||
277 |
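Review bot: `eap_fast_tls_gen_challenge()` now copies the TLS master secret into the stack array `master_key` and returns without wiping it, whereas the old code only passed a pointer into the session. Add `OPENSSL_cleanse(master_key, sizeof(master_key));` after the `PRF()` call so the secret does not stay in the dead stack frame. In the HMAC helper at the top of this section, `HMAC_CTX_new()` can return NULL and both results are passed to `HMAC_Init_ex()` unchecked. Its closing `memset(a, 0, sizeof(a))` may also be optimised away, so `OPENSSL_cleanse(a, sizeof(a))` is the safer call there. The helper's signature starts outside the lines shown.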
88 | 88 | |
89 | 89 | handler->opaque = NULL; |
90 | 90 | handler->free_opaque = NULL; |
91 | ||
92 | if (handler->certs) fr_pair_list_free(&handler->certs); | |
93 | 91 | |
94 | 92 | /* |
95 | 93 | * Give helpful debug messages if: |
110 | 108 | WARN("!! Please read http://wiki.freeradius.org/guide/Certificate_Compatibility !!"); |
111 | 109 | WARN("!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"); |
112 | 110 | } |
113 | ||
114 | talloc_free(handler); | |
115 | 111 | |
116 | 112 | return 0; |
117 | 113 | } |
435 | 431 | * Might not have been there. |
436 | 432 | */ |
437 | 433 | if (!handler) { |
438 | ERROR("rlm_eap (%s): No EAP session matching state " | |
434 | RERROR("rlm_eap (%s): No EAP session matching state " | |
439 | 435 | "0x%02x%02x%02x%02x%02x%02x%02x%02x", |
440 | 436 | inst->xlat_name, |
441 | 437 | state->vp_octets[0], state->vp_octets[1], |
446 | 442 | } |
447 | 443 | |
448 | 444 | if (handler->trips >= 50) { |
449 | ERROR("rlm_eap (%s): Aborting! More than 50 roundtrips " | |
445 | RERROR("rlm_eap (%s): Aborting! More than 50 roundtrips " | |
450 | 446 | "made in session with state " |
451 | 447 | "0x%02x%02x%02x%02x%02x%02x%02x%02x", |
452 | 448 | inst->xlat_name, |
467 | 467 | /* |
468 | 468 | * Keep a copy of the the password attribute. |
469 | 469 | */ |
470 | case PW_CLEARTEXT_PASSWORD: | |
470 | 471 | case PW_USER_PASSWORD: |
471 | 472 | case PW_CHAP_PASSWORD: |
472 | 473 | case PW_MS_CHAP_PASSWORD: |
29 | 29 | |
30 | 30 | #include "rlm_eap.h" |
31 | 31 | |
32 | #include <sys/stat.h> | |
33 | ||
32 | 34 | static const CONF_PARSER module_config[] = { |
33 | 35 | { "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_t, default_method_name), "md5" }, |
34 | 36 | { "timer_expire", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_eap_t, timer_limit), "60" }, |
405 | 407 | } |
406 | 408 | |
407 | 409 | } else { |
410 | /* | |
411 | * Enable the cached entry on success. | |
412 | */ | |
413 | if (handler->eap_ds->request->code == PW_EAP_SUCCESS) { | |
414 | VALUE_PAIR *vp; | |
415 | ||
416 | vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY); | |
417 | if (vp) (void) chmod(vp->vp_strvalue, S_IRUSR | S_IWUSR); | |
418 | } | |
419 | ||
420 | /* | |
421 | * Disable the cached entry on failure. | |
422 | */ | |
423 | if (handler->eap_ds->request->code == PW_EAP_FAILURE) { | |
424 | VALUE_PAIR *vp; | |
425 | ||
426 | vp = fr_pair_find_by_num(request->state, PW_TLS_CACHE_FILENAME, 0, TAG_ANY); | |
427 | if (vp) (void) unlink(vp->vp_strvalue); | |
428 | } | |
429 | ||
408 | 430 | RDEBUG2("Freeing handler"); |
409 | 431 | /* handler is not required any more, free it now */ |
410 | 432 | talloc_free(handler); |
430 | 452 | |
431 | 453 | /* |
432 | 454 | * Cisco AP1230 has a bug and needs a zero |
433 | * terminated string in Access-Accept. | |
455 | * terminated string in Access-Accept. This | |
456 | * means it requires 2 trailing zeros. One to | |
457 | * send in the RADIUS packet, and the other to | |
458 | * convince the rest of the server that | |
459 | * vp->vp_strvalue is still a NUL-terminated C | |
460 | * string. | |
434 | 461 | */ |
435 | 462 | if (inst->mod_accounting_username_bug) { |
436 | 463 | char const *old = vp->vp_strvalue; |
437 | char *new = talloc_zero_array(vp, char, vp->vp_length + 1); | |
464 | char *new; | |
465 | ||
466 | vp->vp_length++; /* account for an additional zero */ | |
467 | ||
468 | new = talloc_array(vp, char, vp->vp_length + 1); | |
438 | 469 | |
439 | 470 | memcpy(new, old, vp->vp_length); |
471 | new[vp->length] = '\0'; | |
472 | new[vp->length + 1] = '\0'; | |
440 | 473 | vp->vp_strvalue = new; |
441 | vp->vp_length++; | |
442 | 474 | |
443 | 475 | rad_const_free(old); |
476 | VERIFY_VP(vp); | |
444 | 477 | } |
445 | 478 | } |
446 | 479 |
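Review bot: In the Cisco username workaround, `new` is allocated with `vp->vp_length + 1` elements after the increment, yet the code writes `new[vp->length + 1] = '\0';`. Assuming `vp->length` names the same field as `vp->vp_length`, that index is one past the end of the allocation, a one-byte heap overflow on every Access-Accept that takes this path. The `memcpy(new, old, vp->vp_length)` also reads one byte more than the original value length. Copy the old length and terminate inside the buffer: `memcpy(new, old, vp->vp_length - 1); new[vp->vp_length - 1] = '\0'; new[vp->vp_length] = '\0';`. Separately, the new `chmod()` and `unlink()` calls on the `PW_TLS_CACHE_FILENAME` value discard their return codes, so a failure to disable a cache entry after `PW_EAP_FAILURE` is silent; log it.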
35 | 35 | typedef struct eap_module { |
36 | 36 | char const *name; |
37 | 37 | rlm_eap_module_t *type; |
38 | lt_dlhandle handle; | |
38 | fr_dlhandle handle; | |
39 | 39 | CONF_SECTION *cs; |
40 | 40 | void *instance; |
41 | 41 | } eap_module_t; |
0 | TARGETNAME := rlm_eap_fast | |
1 | ||
2 | ifneq "$(OPENSSL_LIBS)" "" | |
3 | TARGET := $(TARGETNAME).a | |
4 | endif | |
5 | ||
6 | SOURCES := $(TARGETNAME).c eap_fast.c eap_fast_crypto.c | |
7 | ||
8 | SRC_INCDIRS := ${top_srcdir}/src/modules/rlm_eap/ ${top_srcdir}/src/modules/rlm_eap/libeap/ | |
9 | TGT_PREREQS := libfreeradius-eap.a |
0 | TARGETNAME := @targetname@ | |
1 | ||
2 | ifneq "$(OPENSSL_LIBS)" "" | |
3 | TARGET := $(TARGETNAME).a | |
4 | endif | |
5 | ||
6 | SOURCES := $(TARGETNAME).c eap_fast.c eap_fast_crypto.c | |
7 | ||
8 | SRC_INCDIRS := ${top_srcdir}/src/modules/rlm_eap/ ${top_srcdir}/src/modules/rlm_eap/libeap/ | |
9 | TGT_PREREQS := libfreeradius-eap.a |
0 | #! /bin/sh | |
1 | # From configure.ac Revision. | |
2 | # Guess values for system-dependent variables and create Makefiles. | |
3 | # Generated by GNU Autoconf 2.69. | |
4 | # | |
5 | # | |
6 | # Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. | |
7 | # | |
8 | # | |
9 | # This configure script is free software; the Free Software Foundation | |
10 | # gives unlimited permission to copy, distribute and modify it. | |
11 | ## -------------------- ## | |
12 | ## M4sh Initialization. ## | |
13 | ## -------------------- ## | |
14 | ||
15 | # Be more Bourne compatible | |
16 | DUALCASE=1; export DUALCASE # for MKS sh | |
17 | if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : | |
18 | emulate sh | |
19 | NULLCMD=: | |
20 | # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which | |
21 | # is contrary to our usage. Disable this feature. | |
22 | alias -g '${1+"$@"}'='"$@"' | |
23 | setopt NO_GLOB_SUBST | |
24 | else | |
25 | case `(set -o) 2>/dev/null` in #( | |
26 | *posix*) : | |
27 | set -o posix ;; #( | |
28 | *) : | |
29 | ;; | |
30 | esac | |
31 | fi | |
32 | ||
33 | ||
34 | as_nl=' | |
35 | ' | |
36 | export as_nl | |
37 | # Printing a long string crashes Solaris 7 /usr/bin/printf. | |
38 | as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' | |
39 | as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo | |
40 | as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo | |
41 | # Prefer a ksh shell builtin over an external printf program on Solaris, | |
42 | # but without wasting forks for bash or zsh. | |
43 | if test -z "$BASH_VERSION$ZSH_VERSION" \ | |
44 | && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then | |
45 | as_echo='print -r --' | |
46 | as_echo_n='print -rn --' | |
47 | elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then | |
48 | as_echo='printf %s\n' | |
49 | as_echo_n='printf %s' | |
50 | else | |
51 | if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then | |
52 | as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' | |
53 | as_echo_n='/usr/ucb/echo -n' | |
54 | else | |
55 | as_echo_body='eval expr "X$1" : "X\\(.*\\)"' | |
56 | as_echo_n_body='eval | |
57 | arg=$1; | |
58 | case $arg in #( | |
59 | *"$as_nl"*) | |
60 | expr "X$arg" : "X\\(.*\\)$as_nl"; | |
61 | arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; | |
62 | esac; | |
63 | expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" | |
64 | ' | |
65 | export as_echo_n_body | |
66 | as_echo_n='sh -c $as_echo_n_body as_echo' | |
67 | fi | |
68 | export as_echo_body | |
69 | as_echo='sh -c $as_echo_body as_echo' | |
70 | fi | |
71 | ||
72 | # The user is always right. | |
73 | if test "${PATH_SEPARATOR+set}" != set; then | |
74 | PATH_SEPARATOR=: | |
75 | (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { | |
76 | (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || | |
77 | PATH_SEPARATOR=';' | |
78 | } | |
79 | fi | |
80 | ||
81 | ||
82 | # IFS | |
83 | # We need space, tab and new line, in precisely that order. Quoting is | |
84 | # there to prevent editors from complaining about space-tab. | |
85 | # (If _AS_PATH_WALK were called with IFS unset, it would disable word | |
86 | # splitting by setting IFS to empty value.) | |
87 | IFS=" "" $as_nl" | |
88 | ||
89 | # Find who we are. Look in the path if we contain no directory separator. | |
90 | as_myself= | |
91 | case $0 in #(( | |
92 | *[\\/]* ) as_myself=$0 ;; | |
93 | *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
94 | for as_dir in $PATH | |
95 | do | |
96 | IFS=$as_save_IFS | |
97 | test -z "$as_dir" && as_dir=. | |
98 | test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break | |
99 | done | |
100 | IFS=$as_save_IFS | |
101 | ||
102 | ;; | |
103 | esac | |
104 | # We did not find ourselves, most probably we were run as `sh COMMAND' | |
105 | # in which case we are not to be found in the path. | |
106 | if test "x$as_myself" = x; then | |
107 | as_myself=$0 | |
108 | fi | |
109 | if test ! -f "$as_myself"; then | |
110 | $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 | |
111 | exit 1 | |
112 | fi | |
113 | ||
114 | # Unset variables that we do not need and which cause bugs (e.g. in | |
115 | # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" | |
116 | # suppresses any "Segmentation fault" message there. '((' could | |
117 | # trigger a bug in pdksh 5.2.14. | |
118 | for as_var in BASH_ENV ENV MAIL MAILPATH | |
119 | do eval test x\${$as_var+set} = xset \ | |
120 | && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : | |
121 | done | |
122 | PS1='$ ' | |
123 | PS2='> ' | |
124 | PS4='+ ' | |
125 | ||
126 | # NLS nuisances. | |
127 | LC_ALL=C | |
128 | export LC_ALL | |
129 | LANGUAGE=C | |
130 | export LANGUAGE | |
131 | ||
132 | # CDPATH. | |
133 | (unset CDPATH) >/dev/null 2>&1 && unset CDPATH | |
134 | ||
135 | # Use a proper internal environment variable to ensure we don't fall | |
136 | # into an infinite loop, continuously re-executing ourselves. | |
137 | if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then | |
138 | _as_can_reexec=no; export _as_can_reexec; | |
139 | # We cannot yet assume a decent shell, so we have to provide a | |
140 | # neutralization value for shells without unset; and this also | |
141 | # works around shells that cannot unset nonexistent variables. | |
142 | # Preserve -v and -x to the replacement shell. | |
143 | BASH_ENV=/dev/null | |
144 | ENV=/dev/null | |
145 | (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV | |
146 | case $- in # (((( | |
147 | *v*x* | *x*v* ) as_opts=-vx ;; | |
148 | *v* ) as_opts=-v ;; | |
149 | *x* ) as_opts=-x ;; | |
150 | * ) as_opts= ;; | |
151 | esac | |
152 | exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} | |
153 | # Admittedly, this is quite paranoid, since all the known shells bail | |
154 | # out after a failed `exec'. | |
155 | $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 | |
156 | as_fn_exit 255 | |
157 | fi | |
158 | # We don't want this to propagate to other subprocesses. | |
159 | { _as_can_reexec=; unset _as_can_reexec;} | |
160 | if test "x$CONFIG_SHELL" = x; then | |
161 | as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : | |
162 | emulate sh | |
163 | NULLCMD=: | |
164 | # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which | |
165 | # is contrary to our usage. Disable this feature. | |
166 | alias -g '\${1+\"\$@\"}'='\"\$@\"' | |
167 | setopt NO_GLOB_SUBST | |
168 | else | |
169 | case \`(set -o) 2>/dev/null\` in #( | |
170 | *posix*) : | |
171 | set -o posix ;; #( | |
172 | *) : | |
173 | ;; | |
174 | esac | |
175 | fi | |
176 | " | |
177 | as_required="as_fn_return () { (exit \$1); } | |
178 | as_fn_success () { as_fn_return 0; } | |
179 | as_fn_failure () { as_fn_return 1; } | |
180 | as_fn_ret_success () { return 0; } | |
181 | as_fn_ret_failure () { return 1; } | |
182 | ||
183 | exitcode=0 | |
184 | as_fn_success || { exitcode=1; echo as_fn_success failed.; } | |
185 | as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } | |
186 | as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } | |
187 | as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } | |
188 | if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : | |
189 | ||
190 | else | |
191 | exitcode=1; echo positional parameters were not saved. | |
192 | fi | |
193 | test x\$exitcode = x0 || exit 1 | |
194 | test -x / || exit 1" | |
195 | as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO | |
196 | as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO | |
197 | eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && | |
198 | test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 | |
199 | test \$(( 1 + 1 )) = 2 || exit 1" | |
200 | if (eval "$as_required") 2>/dev/null; then : | |
201 | as_have_required=yes | |
202 | else | |
203 | as_have_required=no | |
204 | fi | |
205 | if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : | |
206 | ||
207 | else | |
208 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
209 | as_found=false | |
210 | for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH | |
211 | do | |
212 | IFS=$as_save_IFS | |
213 | test -z "$as_dir" && as_dir=. | |
214 | as_found=: | |
215 | case $as_dir in #( | |
216 | /*) | |
217 | for as_base in sh bash ksh sh5; do | |
218 | # Try only shells that exist, to save several forks. | |
219 | as_shell=$as_dir/$as_base | |
220 | if { test -f "$as_shell" || test -f "$as_shell.exe"; } && | |
221 | { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : | |
222 | CONFIG_SHELL=$as_shell as_have_required=yes | |
223 | if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : | |
224 | break 2 | |
225 | fi | |
226 | fi | |
227 | done;; | |
228 | esac | |
229 | as_found=false | |
230 | done | |
231 | $as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && | |
232 | { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : | |
233 | CONFIG_SHELL=$SHELL as_have_required=yes | |
234 | fi; } | |
235 | IFS=$as_save_IFS | |
236 | ||
237 | ||
238 | if test "x$CONFIG_SHELL" != x; then : | |
239 | export CONFIG_SHELL | |
240 | # We cannot yet assume a decent shell, so we have to provide a | |
241 | # neutralization value for shells without unset; and this also | |
242 | # works around shells that cannot unset nonexistent variables. | |
243 | # Preserve -v and -x to the replacement shell. | |
244 | BASH_ENV=/dev/null | |
245 | ENV=/dev/null | |
246 | (unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV | |
247 | case $- in # (((( | |
248 | *v*x* | *x*v* ) as_opts=-vx ;; | |
249 | *v* ) as_opts=-v ;; | |
250 | *x* ) as_opts=-x ;; | |
251 | * ) as_opts= ;; | |
252 | esac | |
253 | exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} | |
254 | # Admittedly, this is quite paranoid, since all the known shells bail | |
255 | # out after a failed `exec'. | |
256 | $as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 | |
257 | exit 255 | |
258 | fi | |
259 | ||
260 | if test x$as_have_required = xno; then : | |
261 | $as_echo "$0: This script requires a shell more modern than all" | |
262 | $as_echo "$0: the shells that I found on your system." | |
263 | if test x${ZSH_VERSION+set} = xset ; then | |
264 | $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" | |
265 | $as_echo "$0: be upgraded to zsh 4.3.4 or later." | |
266 | else | |
267 | $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, | |
268 | $0: including any error possibly output before this | |
269 | $0: message. Then install a modern shell, or manually run | |
270 | $0: the script under such a shell if you do have one." | |
271 | fi | |
272 | exit 1 | |
273 | fi | |
274 | fi | |
275 | fi | |
276 | SHELL=${CONFIG_SHELL-/bin/sh} | |
277 | export SHELL | |
278 | # Unset more variables known to interfere with behavior of common tools. | |
279 | CLICOLOR_FORCE= GREP_OPTIONS= | |
280 | unset CLICOLOR_FORCE GREP_OPTIONS | |
281 | ||
282 | ## --------------------- ## | |
283 | ## M4sh Shell Functions. ## | |
284 | ## --------------------- ## | |
285 | # as_fn_unset VAR | |
286 | # --------------- | |
287 | # Portably unset VAR. | |
288 | as_fn_unset () | |
289 | { | |
290 | { eval $1=; unset $1;} | |
291 | } | |
292 | as_unset=as_fn_unset | |
293 | ||
294 | # as_fn_set_status STATUS | |
295 | # ----------------------- | |
296 | # Set $? to STATUS, without forking. | |
297 | as_fn_set_status () | |
298 | { | |
299 | return $1 | |
300 | } # as_fn_set_status | |
301 | ||
302 | # as_fn_exit STATUS | |
303 | # ----------------- | |
304 | # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. | |
305 | as_fn_exit () | |
306 | { | |
307 | set +e | |
308 | as_fn_set_status $1 | |
309 | exit $1 | |
310 | } # as_fn_exit | |
311 | ||
312 | # as_fn_mkdir_p | |
313 | # ------------- | |
314 | # Create "$as_dir" as a directory, including parents if necessary. | |
315 | as_fn_mkdir_p () | |
316 | { | |
317 | ||
318 | case $as_dir in #( | |
319 | -*) as_dir=./$as_dir;; | |
320 | esac | |
321 | test -d "$as_dir" || eval $as_mkdir_p || { | |
322 | as_dirs= | |
323 | while :; do | |
324 | case $as_dir in #( | |
325 | *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( | |
326 | *) as_qdir=$as_dir;; | |
327 | esac | |
328 | as_dirs="'$as_qdir' $as_dirs" | |
329 | as_dir=`$as_dirname -- "$as_dir" || | |
330 | $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ | |
331 | X"$as_dir" : 'X\(//\)[^/]' \| \ | |
332 | X"$as_dir" : 'X\(//\)$' \| \ | |
333 | X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || | |
334 | $as_echo X"$as_dir" | | |
335 | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ | |
336 | s//\1/ | |
337 | q | |
338 | } | |
339 | /^X\(\/\/\)[^/].*/{ | |
340 | s//\1/ | |
341 | q | |
342 | } | |
343 | /^X\(\/\/\)$/{ | |
344 | s//\1/ | |
345 | q | |
346 | } | |
347 | /^X\(\/\).*/{ | |
348 | s//\1/ | |
349 | q | |
350 | } | |
351 | s/.*/./; q'` | |
352 | test -d "$as_dir" && break | |
353 | done | |
354 | test -z "$as_dirs" || eval "mkdir $as_dirs" | |
355 | } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" | |
356 | ||
357 | ||
358 | } # as_fn_mkdir_p | |
359 | ||
360 | # as_fn_executable_p FILE | |
361 | # ----------------------- | |
362 | # Test if FILE is an executable regular file. | |
363 | as_fn_executable_p () | |
364 | { | |
365 | test -f "$1" && test -x "$1" | |
366 | } # as_fn_executable_p | |
367 | # as_fn_append VAR VALUE | |
368 | # ---------------------- | |
369 | # Append the text in VALUE to the end of the definition contained in VAR. Take | |
370 | # advantage of any shell optimizations that allow amortized linear growth over | |
371 | # repeated appends, instead of the typical quadratic growth present in naive | |
372 | # implementations. | |
373 | if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : | |
374 | eval 'as_fn_append () | |
375 | { | |
376 | eval $1+=\$2 | |
377 | }' | |
378 | else | |
379 | as_fn_append () | |
380 | { | |
381 | eval $1=\$$1\$2 | |
382 | } | |
383 | fi # as_fn_append | |
384 | ||
385 | # as_fn_arith ARG... | |
386 | # ------------------ | |
387 | # Perform arithmetic evaluation on the ARGs, and store the result in the | |
388 | # global $as_val. Take advantage of shells that can avoid forks. The arguments | |
389 | # must be portable across $(()) and expr. | |
390 | if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : | |
391 | eval 'as_fn_arith () | |
392 | { | |
393 | as_val=$(( $* )) | |
394 | }' | |
395 | else | |
396 | as_fn_arith () | |
397 | { | |
398 | as_val=`expr "$@" || test $? -eq 1` | |
399 | } | |
400 | fi # as_fn_arith | |
401 | ||
402 | ||
403 | # as_fn_error STATUS ERROR [LINENO LOG_FD] | |
404 | # ---------------------------------------- | |
405 | # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are | |
406 | # provided, also output the error to LOG_FD, referencing LINENO. Then exit the | |
407 | # script with STATUS, using 1 if that was 0. | |
408 | as_fn_error () | |
409 | { | |
410 | as_status=$1; test $as_status -eq 0 && as_status=1 | |
411 | if test "$4"; then | |
412 | as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | |
413 | $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 | |
414 | fi | |
415 | $as_echo "$as_me: error: $2" >&2 | |
416 | as_fn_exit $as_status | |
417 | } # as_fn_error | |
418 | ||
419 | if expr a : '\(a\)' >/dev/null 2>&1 && | |
420 | test "X`expr 00001 : '.*\(...\)'`" = X001; then | |
421 | as_expr=expr | |
422 | else | |
423 | as_expr=false | |
424 | fi | |
425 | ||
426 | if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then | |
427 | as_basename=basename | |
428 | else | |
429 | as_basename=false | |
430 | fi | |
431 | ||
432 | if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then | |
433 | as_dirname=dirname | |
434 | else | |
435 | as_dirname=false | |
436 | fi | |
437 | ||
438 | as_me=`$as_basename -- "$0" || | |
439 | $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ | |
440 | X"$0" : 'X\(//\)$' \| \ | |
441 | X"$0" : 'X\(/\)' \| . 2>/dev/null || | |
442 | $as_echo X/"$0" | | |
443 | sed '/^.*\/\([^/][^/]*\)\/*$/{ | |
444 | s//\1/ | |
445 | q | |
446 | } | |
447 | /^X\/\(\/\/\)$/{ | |
448 | s//\1/ | |
449 | q | |
450 | } | |
451 | /^X\/\(\/\).*/{ | |
452 | s//\1/ | |
453 | q | |
454 | } | |
455 | s/.*/./; q'` | |
456 | ||
457 | # Avoid depending upon Character Ranges. | |
458 | as_cr_letters='abcdefghijklmnopqrstuvwxyz' | |
459 | as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' | |
460 | as_cr_Letters=$as_cr_letters$as_cr_LETTERS | |
461 | as_cr_digits='0123456789' | |
462 | as_cr_alnum=$as_cr_Letters$as_cr_digits | |
463 | ||
464 | ||
465 | as_lineno_1=$LINENO as_lineno_1a=$LINENO | |
466 | as_lineno_2=$LINENO as_lineno_2a=$LINENO | |
467 | eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && | |
468 | test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { | |
469 | # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) | |
470 | sed -n ' | |
471 | p | |
472 | /[$]LINENO/= | |
473 | ' <$as_myself | | |
474 | sed ' | |
475 | s/[$]LINENO.*/&-/ | |
476 | t lineno | |
477 | b | |
478 | :lineno | |
479 | N | |
480 | :loop | |
481 | s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ | |
482 | t loop | |
483 | s/-\n.*// | |
484 | ' >$as_me.lineno && | |
485 | chmod +x "$as_me.lineno" || | |
486 | { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } | |
487 | ||
488 | # If we had to re-execute with $CONFIG_SHELL, we're ensured to have | |
489 | # already done that, so ensure we don't try to do so again and fall | |
490 | # in an infinite loop. This has already happened in practice. | |
491 | _as_can_reexec=no; export _as_can_reexec | |
492 | # Don't try to exec as it changes $[0], causing all sort of problems | |
493 | # (the dirname of $[0] is not the place where we might find the | |
494 | # original and so on. Autoconf is especially sensitive to this). | |
495 | . "./$as_me.lineno" | |
496 | # Exit status is that of the last command. | |
497 | exit | |
498 | } | |
499 | ||
500 | ECHO_C= ECHO_N= ECHO_T= | |
501 | case `echo -n x` in #((((( | |
502 | -n*) | |
503 | case `echo 'xy\c'` in | |
504 | *c*) ECHO_T=' ';; # ECHO_T is single tab character. | |
505 | xy) ECHO_C='\c';; | |
506 | *) echo `echo ksh88 bug on AIX 6.1` > /dev/null | |
507 | ECHO_T=' ';; | |
508 | esac;; | |
509 | *) | |
510 | ECHO_N='-n';; | |
511 | esac | |
512 | ||
513 | rm -f conf$$ conf$$.exe conf$$.file | |
514 | if test -d conf$$.dir; then | |
515 | rm -f conf$$.dir/conf$$.file | |
516 | else | |
517 | rm -f conf$$.dir | |
518 | mkdir conf$$.dir 2>/dev/null | |
519 | fi | |
520 | if (echo >conf$$.file) 2>/dev/null; then | |
521 | if ln -s conf$$.file conf$$ 2>/dev/null; then | |
522 | as_ln_s='ln -s' | |
523 | # ... but there are two gotchas: | |
524 | # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. | |
525 | # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. | |
526 | # In both cases, we have to default to `cp -pR'. | |
527 | ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || | |
528 | as_ln_s='cp -pR' | |
529 | elif ln conf$$.file conf$$ 2>/dev/null; then | |
530 | as_ln_s=ln | |
531 | else | |
532 | as_ln_s='cp -pR' | |
533 | fi | |
534 | else | |
535 | as_ln_s='cp -pR' | |
536 | fi | |
537 | rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file | |
538 | rmdir conf$$.dir 2>/dev/null | |
539 | ||
540 | if mkdir -p . 2>/dev/null; then | |
541 | as_mkdir_p='mkdir -p "$as_dir"' | |
542 | else | |
543 | test -d ./-p && rmdir ./-p | |
544 | as_mkdir_p=false | |
545 | fi | |
546 | ||
547 | as_test_x='test -x' | |
548 | as_executable_p=as_fn_executable_p | |
549 | ||
550 | # Sed expression to map a string onto a valid CPP name. | |
551 | as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" | |
552 | ||
553 | # Sed expression to map a string onto a valid variable name. | |
554 | as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" | |
555 | ||
556 | ||
557 | test -n "$DJDIR" || exec 7<&0 </dev/null | |
558 | exec 6>&1 | |
559 | ||
560 | # Name of the host. | |
561 | # hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, | |
562 | # so uname gets run too. | |
563 | ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` | |
564 | ||
565 | # | |
566 | # Initializations. | |
567 | # | |
568 | ac_default_prefix=/usr/local | |
569 | ac_clean_files= | |
570 | ac_config_libobj_dir=. | |
571 | LIBOBJS= | |
572 | cross_compiling=no | |
573 | subdirs= | |
574 | MFLAGS= | |
575 | MAKEFLAGS= | |
576 | ||
577 | # Identity of this package. | |
578 | PACKAGE_NAME= | |
579 | PACKAGE_TARNAME= | |
580 | PACKAGE_VERSION= | |
581 | PACKAGE_STRING= | |
582 | PACKAGE_BUGREPORT= | |
583 | PACKAGE_URL= | |
584 | ||
585 | ac_unique_file="rlm_eap_fast.c" | |
586 | ac_subst_vars='LTLIBOBJS | |
587 | LIBOBJS | |
588 | targetname | |
589 | mod_cflags | |
590 | mod_ldflags | |
591 | EGREP | |
592 | GREP | |
593 | CPP | |
594 | OBJEXT | |
595 | EXEEXT | |
596 | ac_ct_CC | |
597 | CPPFLAGS | |
598 | LDFLAGS | |
599 | CFLAGS | |
600 | CC | |
601 | target_alias | |
602 | host_alias | |
603 | build_alias | |
604 | LIBS | |
605 | ECHO_T | |
606 | ECHO_N | |
607 | ECHO_C | |
608 | DEFS | |
609 | mandir | |
610 | localedir | |
611 | libdir | |
612 | psdir | |
613 | pdfdir | |
614 | dvidir | |
615 | htmldir | |
616 | infodir | |
617 | docdir | |
618 | oldincludedir | |
619 | includedir | |
620 | localstatedir | |
621 | sharedstatedir | |
622 | sysconfdir | |
623 | datadir | |
624 | datarootdir | |
625 | libexecdir | |
626 | sbindir | |
627 | bindir | |
628 | program_transform_name | |
629 | prefix | |
630 | exec_prefix | |
631 | PACKAGE_URL | |
632 | PACKAGE_BUGREPORT | |
633 | PACKAGE_STRING | |
634 | PACKAGE_VERSION | |
635 | PACKAGE_TARNAME | |
636 | PACKAGE_NAME | |
637 | PATH_SEPARATOR | |
638 | SHELL' | |
639 | ac_subst_files='' | |
640 | ac_user_opts=' | |
641 | enable_option_checking | |
642 | with_openssl_lib_dir | |
643 | with_openssl_include_dir | |
644 | ' | |
645 | ac_precious_vars='build_alias | |
646 | host_alias | |
647 | target_alias | |
648 | CC | |
649 | CFLAGS | |
650 | LDFLAGS | |
651 | LIBS | |
652 | CPPFLAGS | |
653 | CPP' | |
654 | ||
655 | ||
656 | # Initialize some variables set by options. | |
657 | ac_init_help= | |
658 | ac_init_version=false | |
659 | ac_unrecognized_opts= | |
660 | ac_unrecognized_sep= | |
661 | # The variables have the same names as the options, with | |
662 | # dashes changed to underlines. | |
663 | cache_file=/dev/null | |
664 | exec_prefix=NONE | |
665 | no_create= | |
666 | no_recursion= | |
667 | prefix=NONE | |
668 | program_prefix=NONE | |
669 | program_suffix=NONE | |
670 | program_transform_name=s,x,x, | |
671 | silent= | |
672 | site= | |
673 | srcdir= | |
674 | verbose= | |
675 | x_includes=NONE | |
676 | x_libraries=NONE | |
677 | ||
678 | # Installation directory options. | |
679 | # These are left unexpanded so users can "make install exec_prefix=/foo" | |
680 | # and all the variables that are supposed to be based on exec_prefix | |
681 | # by default will actually change. | |
682 | # Use braces instead of parens because sh, perl, etc. also accept them. | |
683 | # (The list follows the same order as the GNU Coding Standards.) | |
684 | bindir='${exec_prefix}/bin' | |
685 | sbindir='${exec_prefix}/sbin' | |
686 | libexecdir='${exec_prefix}/libexec' | |
687 | datarootdir='${prefix}/share' | |
688 | datadir='${datarootdir}' | |
689 | sysconfdir='${prefix}/etc' | |
690 | sharedstatedir='${prefix}/com' | |
691 | localstatedir='${prefix}/var' | |
692 | includedir='${prefix}/include' | |
693 | oldincludedir='/usr/include' | |
694 | docdir='${datarootdir}/doc/${PACKAGE}' | |
695 | infodir='${datarootdir}/info' | |
696 | htmldir='${docdir}' | |
697 | dvidir='${docdir}' | |
698 | pdfdir='${docdir}' | |
699 | psdir='${docdir}' | |
700 | libdir='${exec_prefix}/lib' | |
701 | localedir='${datarootdir}/locale' | |
702 | mandir='${datarootdir}/man' | |
703 | ||
704 | ac_prev= | |
705 | ac_dashdash= | |
706 | for ac_option | |
707 | do | |
708 | # If the previous option needs an argument, assign it. | |
709 | if test -n "$ac_prev"; then | |
710 | eval $ac_prev=\$ac_option | |
711 | ac_prev= | |
712 | continue | |
713 | fi | |
714 | ||
715 | case $ac_option in | |
716 | *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; | |
717 | *=) ac_optarg= ;; | |
718 | *) ac_optarg=yes ;; | |
719 | esac | |
720 | ||
721 | # Accept the important Cygnus configure options, so we can diagnose typos. | |
722 | ||
723 | case $ac_dashdash$ac_option in | |
724 | --) | |
725 | ac_dashdash=yes ;; | |
726 | ||
727 | -bindir | --bindir | --bindi | --bind | --bin | --bi) | |
728 | ac_prev=bindir ;; | |
729 | -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) | |
730 | bindir=$ac_optarg ;; | |
731 | ||
732 | -build | --build | --buil | --bui | --bu) | |
733 | ac_prev=build_alias ;; | |
734 | -build=* | --build=* | --buil=* | --bui=* | --bu=*) | |
735 | build_alias=$ac_optarg ;; | |
736 | ||
737 | -cache-file | --cache-file | --cache-fil | --cache-fi \ | |
738 | | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) | |
739 | ac_prev=cache_file ;; | |
740 | -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ | |
741 | | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) | |
742 | cache_file=$ac_optarg ;; | |
743 | ||
744 | --config-cache | -C) | |
745 | cache_file=config.cache ;; | |
746 | ||
747 | -datadir | --datadir | --datadi | --datad) | |
748 | ac_prev=datadir ;; | |
749 | -datadir=* | --datadir=* | --datadi=* | --datad=*) | |
750 | datadir=$ac_optarg ;; | |
751 | ||
752 | -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ | |
753 | | --dataroo | --dataro | --datar) | |
754 | ac_prev=datarootdir ;; | |
755 | -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ | |
756 | | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) | |
757 | datarootdir=$ac_optarg ;; | |
758 | ||
759 | -disable-* | --disable-*) | |
760 | ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` | |
761 | # Reject names that are not valid shell variable names. | |
762 | expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && | |
763 | as_fn_error $? "invalid feature name: $ac_useropt" | |
764 | ac_useropt_orig=$ac_useropt | |
765 | ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` | |
766 | case $ac_user_opts in | |
767 | *" | |
768 | "enable_$ac_useropt" | |
769 | "*) ;; | |
770 | *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" | |
771 | ac_unrecognized_sep=', ';; | |
772 | esac | |
773 | eval enable_$ac_useropt=no ;; | |
774 | ||
775 | -docdir | --docdir | --docdi | --doc | --do) | |
776 | ac_prev=docdir ;; | |
777 | -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) | |
778 | docdir=$ac_optarg ;; | |
779 | ||
780 | -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) | |
781 | ac_prev=dvidir ;; | |
782 | -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) | |
783 | dvidir=$ac_optarg ;; | |
784 | ||
785 | -enable-* | --enable-*) | |
786 | ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` | |
787 | # Reject names that are not valid shell variable names. | |
788 | expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && | |
789 | as_fn_error $? "invalid feature name: $ac_useropt" | |
790 | ac_useropt_orig=$ac_useropt | |
791 | ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` | |
792 | case $ac_user_opts in | |
793 | *" | |
794 | "enable_$ac_useropt" | |
795 | "*) ;; | |
796 | *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" | |
797 | ac_unrecognized_sep=', ';; | |
798 | esac | |
799 | eval enable_$ac_useropt=\$ac_optarg ;; | |
800 | ||
801 | -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ | |
802 | | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ | |
803 | | --exec | --exe | --ex) | |
804 | ac_prev=exec_prefix ;; | |
805 | -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ | |
806 | | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ | |
807 | | --exec=* | --exe=* | --ex=*) | |
808 | exec_prefix=$ac_optarg ;; | |
809 | ||
810 | -gas | --gas | --ga | --g) | |
811 | # Obsolete; use --with-gas. | |
812 | with_gas=yes ;; | |
813 | ||
814 | -help | --help | --hel | --he | -h) | |
815 | ac_init_help=long ;; | |
816 | -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) | |
817 | ac_init_help=recursive ;; | |
818 | -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) | |
819 | ac_init_help=short ;; | |
820 | ||
821 | -host | --host | --hos | --ho) | |
822 | ac_prev=host_alias ;; | |
823 | -host=* | --host=* | --hos=* | --ho=*) | |
824 | host_alias=$ac_optarg ;; | |
825 | ||
826 | -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) | |
827 | ac_prev=htmldir ;; | |
828 | -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ | |
829 | | --ht=*) | |
830 | htmldir=$ac_optarg ;; | |
831 | ||
832 | -includedir | --includedir | --includedi | --included | --include \ | |
833 | | --includ | --inclu | --incl | --inc) | |
834 | ac_prev=includedir ;; | |
835 | -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ | |
836 | | --includ=* | --inclu=* | --incl=* | --inc=*) | |
837 | includedir=$ac_optarg ;; | |
838 | ||
839 | -infodir | --infodir | --infodi | --infod | --info | --inf) | |
840 | ac_prev=infodir ;; | |
841 | -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) | |
842 | infodir=$ac_optarg ;; | |
843 | ||
844 | -libdir | --libdir | --libdi | --libd) | |
845 | ac_prev=libdir ;; | |
846 | -libdir=* | --libdir=* | --libdi=* | --libd=*) | |
847 | libdir=$ac_optarg ;; | |
848 | ||
849 | -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ | |
850 | | --libexe | --libex | --libe) | |
851 | ac_prev=libexecdir ;; | |
852 | -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ | |
853 | | --libexe=* | --libex=* | --libe=*) | |
854 | libexecdir=$ac_optarg ;; | |
855 | ||
856 | -localedir | --localedir | --localedi | --localed | --locale) | |
857 | ac_prev=localedir ;; | |
858 | -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) | |
859 | localedir=$ac_optarg ;; | |
860 | ||
861 | -localstatedir | --localstatedir | --localstatedi | --localstated \ | |
862 | | --localstate | --localstat | --localsta | --localst | --locals) | |
863 | ac_prev=localstatedir ;; | |
864 | -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ | |
865 | | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) | |
866 | localstatedir=$ac_optarg ;; | |
867 | ||
868 | -mandir | --mandir | --mandi | --mand | --man | --ma | --m) | |
869 | ac_prev=mandir ;; | |
870 | -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) | |
871 | mandir=$ac_optarg ;; | |
872 | ||
873 | -nfp | --nfp | --nf) | |
874 | # Obsolete; use --without-fp. | |
875 | with_fp=no ;; | |
876 | ||
877 | -no-create | --no-create | --no-creat | --no-crea | --no-cre \ | |
878 | | --no-cr | --no-c | -n) | |
879 | no_create=yes ;; | |
880 | ||
881 | -no-recursion | --no-recursion | --no-recursio | --no-recursi \ | |
882 | | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) | |
883 | no_recursion=yes ;; | |
884 | ||
885 | -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ | |
886 | | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ | |
887 | | --oldin | --oldi | --old | --ol | --o) | |
888 | ac_prev=oldincludedir ;; | |
889 | -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ | |
890 | | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ | |
891 | | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) | |
892 | oldincludedir=$ac_optarg ;; | |
893 | ||
894 | -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) | |
895 | ac_prev=prefix ;; | |
896 | -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) | |
897 | prefix=$ac_optarg ;; | |
898 | ||
899 | -program-prefix | --program-prefix | --program-prefi | --program-pref \ | |
900 | | --program-pre | --program-pr | --program-p) | |
901 | ac_prev=program_prefix ;; | |
902 | -program-prefix=* | --program-prefix=* | --program-prefi=* \ | |
903 | | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) | |
904 | program_prefix=$ac_optarg ;; | |
905 | ||
906 | -program-suffix | --program-suffix | --program-suffi | --program-suff \ | |
907 | | --program-suf | --program-su | --program-s) | |
908 | ac_prev=program_suffix ;; | |
909 | -program-suffix=* | --program-suffix=* | --program-suffi=* \ | |
910 | | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) | |
911 | program_suffix=$ac_optarg ;; | |
912 | ||
913 | -program-transform-name | --program-transform-name \ | |
914 | | --program-transform-nam | --program-transform-na \ | |
915 | | --program-transform-n | --program-transform- \ | |
916 | | --program-transform | --program-transfor \ | |
917 | | --program-transfo | --program-transf \ | |
918 | | --program-trans | --program-tran \ | |
919 | | --progr-tra | --program-tr | --program-t) | |
920 | ac_prev=program_transform_name ;; | |
921 | -program-transform-name=* | --program-transform-name=* \ | |
922 | | --program-transform-nam=* | --program-transform-na=* \ | |
923 | | --program-transform-n=* | --program-transform-=* \ | |
924 | | --program-transform=* | --program-transfor=* \ | |
925 | | --program-transfo=* | --program-transf=* \ | |
926 | | --program-trans=* | --program-tran=* \ | |
927 | | --progr-tra=* | --program-tr=* | --program-t=*) | |
928 | program_transform_name=$ac_optarg ;; | |
929 | ||
930 | -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) | |
931 | ac_prev=pdfdir ;; | |
932 | -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) | |
933 | pdfdir=$ac_optarg ;; | |
934 | ||
935 | -psdir | --psdir | --psdi | --psd | --ps) | |
936 | ac_prev=psdir ;; | |
937 | -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) | |
938 | psdir=$ac_optarg ;; | |
939 | ||
940 | -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | |
941 | | -silent | --silent | --silen | --sile | --sil) | |
942 | silent=yes ;; | |
943 | ||
944 | -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) | |
945 | ac_prev=sbindir ;; | |
946 | -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ | |
947 | | --sbi=* | --sb=*) | |
948 | sbindir=$ac_optarg ;; | |
949 | ||
950 | -sharedstatedir | --sharedstatedir | --sharedstatedi \ | |
951 | | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ | |
952 | | --sharedst | --shareds | --shared | --share | --shar \ | |
953 | | --sha | --sh) | |
954 | ac_prev=sharedstatedir ;; | |
955 | -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ | |
956 | | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ | |
957 | | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ | |
958 | | --sha=* | --sh=*) | |
959 | sharedstatedir=$ac_optarg ;; | |
960 | ||
961 | -site | --site | --sit) | |
962 | ac_prev=site ;; | |
963 | -site=* | --site=* | --sit=*) | |
964 | site=$ac_optarg ;; | |
965 | ||
966 | -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) | |
967 | ac_prev=srcdir ;; | |
968 | -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) | |
969 | srcdir=$ac_optarg ;; | |
970 | ||
971 | -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ | |
972 | | --syscon | --sysco | --sysc | --sys | --sy) | |
973 | ac_prev=sysconfdir ;; | |
974 | -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ | |
975 | | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) | |
976 | sysconfdir=$ac_optarg ;; | |
977 | ||
978 | -target | --target | --targe | --targ | --tar | --ta | --t) | |
979 | ac_prev=target_alias ;; | |
980 | -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) | |
981 | target_alias=$ac_optarg ;; | |
982 | ||
983 | -v | -verbose | --verbose | --verbos | --verbo | --verb) | |
984 | verbose=yes ;; | |
985 | ||
986 | -version | --version | --versio | --versi | --vers | -V) | |
987 | ac_init_version=: ;; | |
988 | ||
989 | -with-* | --with-*) | |
990 | ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` | |
991 | # Reject names that are not valid shell variable names. | |
992 | expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && | |
993 | as_fn_error $? "invalid package name: $ac_useropt" | |
994 | ac_useropt_orig=$ac_useropt | |
995 | ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` | |
996 | case $ac_user_opts in | |
997 | *" | |
998 | "with_$ac_useropt" | |
999 | "*) ;; | |
1000 | *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" | |
1001 | ac_unrecognized_sep=', ';; | |
1002 | esac | |
1003 | eval with_$ac_useropt=\$ac_optarg ;; | |
1004 | ||
1005 | -without-* | --without-*) | |
1006 | ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` | |
1007 | # Reject names that are not valid shell variable names. | |
1008 | expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && | |
1009 | as_fn_error $? "invalid package name: $ac_useropt" | |
1010 | ac_useropt_orig=$ac_useropt | |
1011 | ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` | |
1012 | case $ac_user_opts in | |
1013 | *" | |
1014 | "with_$ac_useropt" | |
1015 | "*) ;; | |
1016 | *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" | |
1017 | ac_unrecognized_sep=', ';; | |
1018 | esac | |
1019 | eval with_$ac_useropt=no ;; | |
1020 | ||
1021 | --x) | |
1022 | # Obsolete; use --with-x. | |
1023 | with_x=yes ;; | |
1024 | ||
1025 | -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ | |
1026 | | --x-incl | --x-inc | --x-in | --x-i) | |
1027 | ac_prev=x_includes ;; | |
1028 | -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ | |
1029 | | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) | |
1030 | x_includes=$ac_optarg ;; | |
1031 | ||
1032 | -x-libraries | --x-libraries | --x-librarie | --x-librari \ | |
1033 | | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) | |
1034 | ac_prev=x_libraries ;; | |
1035 | -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ | |
1036 | | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) | |
1037 | x_libraries=$ac_optarg ;; | |
1038 | ||
1039 | -*) as_fn_error $? "unrecognized option: \`$ac_option' | |
1040 | Try \`$0 --help' for more information" | |
1041 | ;; | |
1042 | ||
1043 | *=*) | |
1044 | ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` | |
1045 | # Reject names that are not valid shell variable names. | |
1046 | case $ac_envvar in #( | |
1047 | '' | [0-9]* | *[!_$as_cr_alnum]* ) | |
1048 | as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; | |
1049 | esac | |
1050 | eval $ac_envvar=\$ac_optarg | |
1051 | export $ac_envvar ;; | |
1052 | ||
1053 | *) | |
1054 | # FIXME: should be removed in autoconf 3.0. | |
1055 | $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 | |
1056 | expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && | |
1057 | $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 | |
1058 | : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" | |
1059 | ;; | |
1060 | ||
1061 | esac | |
1062 | done | |
1063 | ||
1064 | if test -n "$ac_prev"; then | |
1065 | ac_option=--`echo $ac_prev | sed 's/_/-/g'` | |
1066 | as_fn_error $? "missing argument to $ac_option" | |
1067 | fi | |
1068 | ||
1069 | if test -n "$ac_unrecognized_opts"; then | |
1070 | case $enable_option_checking in | |
1071 | no) ;; | |
1072 | fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; | |
1073 | *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; | |
1074 | esac | |
1075 | fi | |
1076 | ||
1077 | # Check all directory arguments for consistency. | |
1078 | for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ | |
1079 | datadir sysconfdir sharedstatedir localstatedir includedir \ | |
1080 | oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ | |
1081 | libdir localedir mandir | |
1082 | do | |
1083 | eval ac_val=\$$ac_var | |
1084 | # Remove trailing slashes. | |
1085 | case $ac_val in | |
1086 | */ ) | |
1087 | ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` | |
1088 | eval $ac_var=\$ac_val;; | |
1089 | esac | |
1090 | # Be sure to have absolute directory names. | |
1091 | case $ac_val in | |
1092 | [\\/$]* | ?:[\\/]* ) continue;; | |
1093 | NONE | '' ) case $ac_var in *prefix ) continue;; esac;; | |
1094 | esac | |
1095 | as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" | |
1096 | done | |
1097 | ||
1098 | # There might be people who depend on the old broken behavior: `$host' | |
1099 | # used to hold the argument of --host etc. | |
1100 | # FIXME: To remove some day. | |
1101 | build=$build_alias | |
1102 | host=$host_alias | |
1103 | target=$target_alias | |
1104 | ||
1105 | # FIXME: To remove some day. | |
1106 | if test "x$host_alias" != x; then | |
1107 | if test "x$build_alias" = x; then | |
1108 | cross_compiling=maybe | |
1109 | elif test "x$build_alias" != "x$host_alias"; then | |
1110 | cross_compiling=yes | |
1111 | fi | |
1112 | fi | |
1113 | ||
1114 | ac_tool_prefix= | |
1115 | test -n "$host_alias" && ac_tool_prefix=$host_alias- | |
1116 | ||
1117 | test "$silent" = yes && exec 6>/dev/null | |
1118 | ||
1119 | ||
1120 | ac_pwd=`pwd` && test -n "$ac_pwd" && | |
1121 | ac_ls_di=`ls -di .` && | |
1122 | ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || | |
1123 | as_fn_error $? "working directory cannot be determined" | |
1124 | test "X$ac_ls_di" = "X$ac_pwd_ls_di" || | |
1125 | as_fn_error $? "pwd does not report name of working directory" | |
1126 | ||
1127 | ||
1128 | # Find the source files, if location was not specified. | |
1129 | if test -z "$srcdir"; then | |
1130 | ac_srcdir_defaulted=yes | |
1131 | # Try the directory containing this script, then the parent directory. | |
1132 | ac_confdir=`$as_dirname -- "$as_myself" || | |
1133 | $as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ | |
1134 | X"$as_myself" : 'X\(//\)[^/]' \| \ | |
1135 | X"$as_myself" : 'X\(//\)$' \| \ | |
1136 | X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || | |
1137 | $as_echo X"$as_myself" | | |
1138 | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ | |
1139 | s//\1/ | |
1140 | q | |
1141 | } | |
1142 | /^X\(\/\/\)[^/].*/{ | |
1143 | s//\1/ | |
1144 | q | |
1145 | } | |
1146 | /^X\(\/\/\)$/{ | |
1147 | s//\1/ | |
1148 | q | |
1149 | } | |
1150 | /^X\(\/\).*/{ | |
1151 | s//\1/ | |
1152 | q | |
1153 | } | |
1154 | s/.*/./; q'` | |
1155 | srcdir=$ac_confdir | |
1156 | if test ! -r "$srcdir/$ac_unique_file"; then | |
1157 | srcdir=.. | |
1158 | fi | |
1159 | else | |
1160 | ac_srcdir_defaulted=no | |
1161 | fi | |
1162 | if test ! -r "$srcdir/$ac_unique_file"; then | |
1163 | test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." | |
1164 | as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" | |
1165 | fi | |
1166 | ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" | |
1167 | ac_abs_confdir=`( | |
1168 | cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" | |
1169 | pwd)` | |
1170 | # When building in place, set srcdir=. | |
1171 | if test "$ac_abs_confdir" = "$ac_pwd"; then | |
1172 | srcdir=. | |
1173 | fi | |
1174 | # Remove unnecessary trailing slashes from srcdir. | |
1175 | # Double slashes in file names in object file debugging info | |
1176 | # mess up M-x gdb in Emacs. | |
1177 | case $srcdir in | |
1178 | */) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; | |
1179 | esac | |
1180 | for ac_var in $ac_precious_vars; do | |
1181 | eval ac_env_${ac_var}_set=\${${ac_var}+set} | |
1182 | eval ac_env_${ac_var}_value=\$${ac_var} | |
1183 | eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} | |
1184 | eval ac_cv_env_${ac_var}_value=\$${ac_var} | |
1185 | done | |
1186 | ||
1187 | # | |
1188 | # Report the --help message. | |
1189 | # | |
1190 | if test "$ac_init_help" = "long"; then | |
1191 | # Omit some internal or obsolete options to make the list less imposing. | |
1192 | # This message is too long to be a string in the A/UX 3.1 sh. | |
1193 | cat <<_ACEOF | |
1194 | \`configure' configures this package to adapt to many kinds of systems. | |
1195 | ||
1196 | Usage: $0 [OPTION]... [VAR=VALUE]... | |
1197 | ||
1198 | To assign environment variables (e.g., CC, CFLAGS...), specify them as | |
1199 | VAR=VALUE. See below for descriptions of some of the useful variables. | |
1200 | ||
1201 | Defaults for the options are specified in brackets. | |
1202 | ||
1203 | Configuration: | |
1204 | -h, --help display this help and exit | |
1205 | --help=short display options specific to this package | |
1206 | --help=recursive display the short help of all the included packages | |
1207 | -V, --version display version information and exit | |
1208 | -q, --quiet, --silent do not print \`checking ...' messages | |
1209 | --cache-file=FILE cache test results in FILE [disabled] | |
1210 | -C, --config-cache alias for \`--cache-file=config.cache' | |
1211 | -n, --no-create do not create output files | |
1212 | --srcdir=DIR find the sources in DIR [configure dir or \`..'] | |
1213 | ||
1214 | Installation directories: | |
1215 | --prefix=PREFIX install architecture-independent files in PREFIX | |
1216 | [$ac_default_prefix] | |
1217 | --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX | |
1218 | [PREFIX] | |
1219 | ||
1220 | By default, \`make install' will install all the files in | |
1221 | \`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify | |
1222 | an installation prefix other than \`$ac_default_prefix' using \`--prefix', | |
1223 | for instance \`--prefix=\$HOME'. | |
1224 | ||
1225 | For better control, use the options below. | |
1226 | ||
1227 | Fine tuning of the installation directories: | |
1228 | --bindir=DIR user executables [EPREFIX/bin] | |
1229 | --sbindir=DIR system admin executables [EPREFIX/sbin] | |
1230 | --libexecdir=DIR program executables [EPREFIX/libexec] | |
1231 | --sysconfdir=DIR read-only single-machine data [PREFIX/etc] | |
1232 | --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] | |
1233 | --localstatedir=DIR modifiable single-machine data [PREFIX/var] | |
1234 | --libdir=DIR object code libraries [EPREFIX/lib] | |
1235 | --includedir=DIR C header files [PREFIX/include] | |
1236 | --oldincludedir=DIR C header files for non-gcc [/usr/include] | |
1237 | --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] | |
1238 | --datadir=DIR read-only architecture-independent data [DATAROOTDIR] | |
1239 | --infodir=DIR info documentation [DATAROOTDIR/info] | |
1240 | --localedir=DIR locale-dependent data [DATAROOTDIR/locale] | |
1241 | --mandir=DIR man documentation [DATAROOTDIR/man] | |
1242 | --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] | |
1243 | --htmldir=DIR html documentation [DOCDIR] | |
1244 | --dvidir=DIR dvi documentation [DOCDIR] | |
1245 | --pdfdir=DIR pdf documentation [DOCDIR] | |
1246 | --psdir=DIR ps documentation [DOCDIR] | |
1247 | _ACEOF | |
1248 | ||
1249 | cat <<\_ACEOF | |
1250 | _ACEOF | |
1251 | fi | |
1252 | ||
1253 | if test -n "$ac_init_help"; then | |
1254 | ||
1255 | cat <<\_ACEOF | |
1256 | ||
1257 | Optional Packages: | |
1258 | --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] | |
1259 | --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) | |
1260 | --with-openssl-lib-dir=DIR directory for LDAP library files | |
1261 | --with-openssl-include-dir=DIR directory for LDAP include files | |
1262 | ||
1263 | Some influential environment variables: | |
1264 | CC C compiler command | |
1265 | CFLAGS C compiler flags | |
1266 | LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a | |
1267 | nonstandard directory <lib dir> | |
1268 | LIBS libraries to pass to the linker, e.g. -l<library> | |
1269 | CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if | |
1270 | you have headers in a nonstandard directory <include dir> | |
1271 | CPP C preprocessor | |
1272 | ||
1273 | Use these variables to override the choices made by `configure' or to help | |
1274 | it to find libraries and programs with nonstandard names/locations. | |
1275 | ||
1276 | Report bugs to the package provider. | |
1277 | _ACEOF | |
1278 | ac_status=$? | |
1279 | fi | |
1280 | ||
1281 | if test "$ac_init_help" = "recursive"; then | |
1282 | # If there are subdirs, report their specific --help. | |
1283 | for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue | |
1284 | test -d "$ac_dir" || | |
1285 | { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || | |
1286 | continue | |
1287 | ac_builddir=. | |
1288 | ||
1289 | case "$ac_dir" in | |
1290 | .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; | |
1291 | *) | |
1292 | ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` | |
1293 | # A ".." for each directory in $ac_dir_suffix. | |
1294 | ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` | |
1295 | case $ac_top_builddir_sub in | |
1296 | "") ac_top_builddir_sub=. ac_top_build_prefix= ;; | |
1297 | *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; | |
1298 | esac ;; | |
1299 | esac | |
1300 | ac_abs_top_builddir=$ac_pwd | |
1301 | ac_abs_builddir=$ac_pwd$ac_dir_suffix | |
1302 | # for backward compatibility: | |
1303 | ac_top_builddir=$ac_top_build_prefix | |
1304 | ||
1305 | case $srcdir in | |
1306 | .) # We are building in place. | |
1307 | ac_srcdir=. | |
1308 | ac_top_srcdir=$ac_top_builddir_sub | |
1309 | ac_abs_top_srcdir=$ac_pwd ;; | |
1310 | [\\/]* | ?:[\\/]* ) # Absolute name. | |
1311 | ac_srcdir=$srcdir$ac_dir_suffix; | |
1312 | ac_top_srcdir=$srcdir | |
1313 | ac_abs_top_srcdir=$srcdir ;; | |
1314 | *) # Relative name. | |
1315 | ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix | |
1316 | ac_top_srcdir=$ac_top_build_prefix$srcdir | |
1317 | ac_abs_top_srcdir=$ac_pwd/$srcdir ;; | |
1318 | esac | |
1319 | ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix | |
1320 | ||
1321 | cd "$ac_dir" || { ac_status=$?; continue; } | |
1322 | # Check for guested configure. | |
1323 | if test -f "$ac_srcdir/configure.gnu"; then | |
1324 | echo && | |
1325 | $SHELL "$ac_srcdir/configure.gnu" --help=recursive | |
1326 | elif test -f "$ac_srcdir/configure"; then | |
1327 | echo && | |
1328 | $SHELL "$ac_srcdir/configure" --help=recursive | |
1329 | else | |
1330 | $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 | |
1331 | fi || ac_status=$? | |
1332 | cd "$ac_pwd" || { ac_status=$?; break; } | |
1333 | done | |
1334 | fi | |
1335 | ||
1336 | test -n "$ac_init_help" && exit $ac_status | |
1337 | if $ac_init_version; then | |
1338 | cat <<\_ACEOF | |
1339 | configure | |
1340 | generated by GNU Autoconf 2.69 | |
1341 | ||
1342 | Copyright (C) 2012 Free Software Foundation, Inc. | |
1343 | This configure script is free software; the Free Software Foundation | |
1344 | gives unlimited permission to copy, distribute and modify it. | |
1345 | _ACEOF | |
1346 | exit | |
1347 | fi | |
1348 | ||
1349 | ## ------------------------ ## | |
1350 | ## Autoconf initialization. ## | |
1351 | ## ------------------------ ## | |
1352 | ||
1353 | # ac_fn_c_try_compile LINENO | |
1354 | # -------------------------- | |
1355 | # Try to compile conftest.$ac_ext, and return whether this succeeded. | |
1356 | ac_fn_c_try_compile () | |
1357 | { | |
1358 | as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | |
1359 | rm -f conftest.$ac_objext | |
1360 | if { { ac_try="$ac_compile" | |
1361 | case "(($ac_try" in | |
1362 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
1363 | *) ac_try_echo=$ac_try;; | |
1364 | esac | |
1365 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
1366 | $as_echo "$ac_try_echo"; } >&5 | |
1367 | (eval "$ac_compile") 2>conftest.err | |
1368 | ac_status=$? | |
1369 | if test -s conftest.err; then | |
1370 | grep -v '^ *+' conftest.err >conftest.er1 | |
1371 | cat conftest.er1 >&5 | |
1372 | mv -f conftest.er1 conftest.err | |
1373 | fi | |
1374 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
1375 | test $ac_status = 0; } && { | |
1376 | test -z "$ac_c_werror_flag" || | |
1377 | test ! -s conftest.err | |
1378 | } && test -s conftest.$ac_objext; then : | |
1379 | ac_retval=0 | |
1380 | else | |
1381 | $as_echo "$as_me: failed program was:" >&5 | |
1382 | sed 's/^/| /' conftest.$ac_ext >&5 | |
1383 | ||
1384 | ac_retval=1 | |
1385 | fi | |
1386 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | |
1387 | as_fn_set_status $ac_retval | |
1388 | ||
1389 | } # ac_fn_c_try_compile | |
1390 | ||
1391 | # ac_fn_c_try_link LINENO | |
1392 | # ----------------------- | |
1393 | # Try to link conftest.$ac_ext, and return whether this succeeded. | |
1394 | ac_fn_c_try_link () | |
1395 | { | |
1396 | as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | |
1397 | rm -f conftest.$ac_objext conftest$ac_exeext | |
1398 | if { { ac_try="$ac_link" | |
1399 | case "(($ac_try" in | |
1400 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
1401 | *) ac_try_echo=$ac_try;; | |
1402 | esac | |
1403 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
1404 | $as_echo "$ac_try_echo"; } >&5 | |
1405 | (eval "$ac_link") 2>conftest.err | |
1406 | ac_status=$? | |
1407 | if test -s conftest.err; then | |
1408 | grep -v '^ *+' conftest.err >conftest.er1 | |
1409 | cat conftest.er1 >&5 | |
1410 | mv -f conftest.er1 conftest.err | |
1411 | fi | |
1412 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
1413 | test $ac_status = 0; } && { | |
1414 | test -z "$ac_c_werror_flag" || | |
1415 | test ! -s conftest.err | |
1416 | } && test -s conftest$ac_exeext && { | |
1417 | test "$cross_compiling" = yes || | |
1418 | test -x conftest$ac_exeext | |
1419 | }; then : | |
1420 | ac_retval=0 | |
1421 | else | |
1422 | $as_echo "$as_me: failed program was:" >&5 | |
1423 | sed 's/^/| /' conftest.$ac_ext >&5 | |
1424 | ||
1425 | ac_retval=1 | |
1426 | fi | |
1427 | # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information | |
1428 | # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would | |
1429 | # interfere with the next link command; also delete a directory that is | |
1430 | # left behind by Apple's compiler. We do this before executing the actions. | |
1431 | rm -rf conftest.dSYM conftest_ipa8_conftest.oo | |
1432 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | |
1433 | as_fn_set_status $ac_retval | |
1434 | ||
1435 | } # ac_fn_c_try_link | |
1436 | ||
1437 | # ac_fn_c_try_cpp LINENO | |
1438 | # ---------------------- | |
1439 | # Try to preprocess conftest.$ac_ext, and return whether this succeeded. | |
1440 | ac_fn_c_try_cpp () | |
1441 | { | |
1442 | as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | |
1443 | if { { ac_try="$ac_cpp conftest.$ac_ext" | |
1444 | case "(($ac_try" in | |
1445 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
1446 | *) ac_try_echo=$ac_try;; | |
1447 | esac | |
1448 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
1449 | $as_echo "$ac_try_echo"; } >&5 | |
1450 | (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err | |
1451 | ac_status=$? | |
1452 | if test -s conftest.err; then | |
1453 | grep -v '^ *+' conftest.err >conftest.er1 | |
1454 | cat conftest.er1 >&5 | |
1455 | mv -f conftest.er1 conftest.err | |
1456 | fi | |
1457 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
1458 | test $ac_status = 0; } > conftest.i && { | |
1459 | test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || | |
1460 | test ! -s conftest.err | |
1461 | }; then : | |
1462 | ac_retval=0 | |
1463 | else | |
1464 | $as_echo "$as_me: failed program was:" >&5 | |
1465 | sed 's/^/| /' conftest.$ac_ext >&5 | |
1466 | ||
1467 | ac_retval=1 | |
1468 | fi | |
1469 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | |
1470 | as_fn_set_status $ac_retval | |
1471 | ||
1472 | } # ac_fn_c_try_cpp | |
1473 | cat >config.log <<_ACEOF | |
1474 | This file contains any messages produced by compilers while | |
1475 | running configure, to aid debugging if configure makes a mistake. | |
1476 | ||
1477 | It was created by $as_me, which was | |
1478 | generated by GNU Autoconf 2.69. Invocation command line was | |
1479 | ||
1480 | $ $0 $@ | |
1481 | ||
1482 | _ACEOF | |
1483 | exec 5>>config.log | |
1484 | { | |
1485 | cat <<_ASUNAME | |
1486 | ## --------- ## | |
1487 | ## Platform. ## | |
1488 | ## --------- ## | |
1489 | ||
1490 | hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` | |
1491 | uname -m = `(uname -m) 2>/dev/null || echo unknown` | |
1492 | uname -r = `(uname -r) 2>/dev/null || echo unknown` | |
1493 | uname -s = `(uname -s) 2>/dev/null || echo unknown` | |
1494 | uname -v = `(uname -v) 2>/dev/null || echo unknown` | |
1495 | ||
1496 | /usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` | |
1497 | /bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` | |
1498 | ||
1499 | /bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` | |
1500 | /usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` | |
1501 | /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` | |
1502 | /usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` | |
1503 | /bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` | |
1504 | /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` | |
1505 | /bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` | |
1506 | ||
1507 | _ASUNAME | |
1508 | ||
1509 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
1510 | for as_dir in $PATH | |
1511 | do | |
1512 | IFS=$as_save_IFS | |
1513 | test -z "$as_dir" && as_dir=. | |
1514 | $as_echo "PATH: $as_dir" | |
1515 | done | |
1516 | IFS=$as_save_IFS | |
1517 | ||
1518 | } >&5 | |
1519 | ||
1520 | cat >&5 <<_ACEOF | |
1521 | ||
1522 | ||
1523 | ## ----------- ## | |
1524 | ## Core tests. ## | |
1525 | ## ----------- ## | |
1526 | ||
1527 | _ACEOF | |
1528 | ||
1529 | ||
1530 | # Keep a trace of the command line. | |
1531 | # Strip out --no-create and --no-recursion so they do not pile up. | |
1532 | # Strip out --silent because we don't want to record it for future runs. | |
1533 | # Also quote any args containing shell meta-characters. | |
1534 | # Make two passes to allow for proper duplicate-argument suppression. | |
1535 | ac_configure_args= | |
1536 | ac_configure_args0= | |
1537 | ac_configure_args1= | |
1538 | ac_must_keep_next=false | |
1539 | for ac_pass in 1 2 | |
1540 | do | |
1541 | for ac_arg | |
1542 | do | |
1543 | case $ac_arg in | |
1544 | -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; | |
1545 | -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | |
1546 | | -silent | --silent | --silen | --sile | --sil) | |
1547 | continue ;; | |
1548 | *\'*) | |
1549 | ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; | |
1550 | esac | |
1551 | case $ac_pass in | |
1552 | 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; | |
1553 | 2) | |
1554 | as_fn_append ac_configure_args1 " '$ac_arg'" | |
1555 | if test $ac_must_keep_next = true; then | |
1556 | ac_must_keep_next=false # Got value, back to normal. | |
1557 | else | |
1558 | case $ac_arg in | |
1559 | *=* | --config-cache | -C | -disable-* | --disable-* \ | |
1560 | | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ | |
1561 | | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ | |
1562 | | -with-* | --with-* | -without-* | --without-* | --x) | |
1563 | case "$ac_configure_args0 " in | |
1564 | "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; | |
1565 | esac | |
1566 | ;; | |
1567 | -* ) ac_must_keep_next=true ;; | |
1568 | esac | |
1569 | fi | |
1570 | as_fn_append ac_configure_args " '$ac_arg'" | |
1571 | ;; | |
1572 | esac | |
1573 | done | |
1574 | done | |
1575 | { ac_configure_args0=; unset ac_configure_args0;} | |
1576 | { ac_configure_args1=; unset ac_configure_args1;} | |
1577 | ||
1578 | # When interrupted or exit'd, cleanup temporary files, and complete | |
1579 | # config.log. We remove comments because anyway the quotes in there | |
1580 | # would cause problems or look ugly. | |
1581 | # WARNING: Use '\'' to represent an apostrophe within the trap. | |
1582 | # WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. | |
1583 | trap 'exit_status=$? | |
1584 | # Save into config.log some information that might help in debugging. | |
1585 | { | |
1586 | echo | |
1587 | ||
1588 | $as_echo "## ---------------- ## | |
1589 | ## Cache variables. ## | |
1590 | ## ---------------- ##" | |
1591 | echo | |
1592 | # The following way of writing the cache mishandles newlines in values, | |
1593 | ( | |
1594 | for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do | |
1595 | eval ac_val=\$$ac_var | |
1596 | case $ac_val in #( | |
1597 | *${as_nl}*) | |
1598 | case $ac_var in #( | |
1599 | *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 | |
1600 | $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; | |
1601 | esac | |
1602 | case $ac_var in #( | |
1603 | _ | IFS | as_nl) ;; #( | |
1604 | BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( | |
1605 | *) { eval $ac_var=; unset $ac_var;} ;; | |
1606 | esac ;; | |
1607 | esac | |
1608 | done | |
1609 | (set) 2>&1 | | |
1610 | case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( | |
1611 | *${as_nl}ac_space=\ *) | |
1612 | sed -n \ | |
1613 | "s/'\''/'\''\\\\'\'''\''/g; | |
1614 | s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" | |
1615 | ;; #( | |
1616 | *) | |
1617 | sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" | |
1618 | ;; | |
1619 | esac | | |
1620 | sort | |
1621 | ) | |
1622 | echo | |
1623 | ||
1624 | $as_echo "## ----------------- ## | |
1625 | ## Output variables. ## | |
1626 | ## ----------------- ##" | |
1627 | echo | |
1628 | for ac_var in $ac_subst_vars | |
1629 | do | |
1630 | eval ac_val=\$$ac_var | |
1631 | case $ac_val in | |
1632 | *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; | |
1633 | esac | |
1634 | $as_echo "$ac_var='\''$ac_val'\''" | |
1635 | done | sort | |
1636 | echo | |
1637 | ||
1638 | if test -n "$ac_subst_files"; then | |
1639 | $as_echo "## ------------------- ## | |
1640 | ## File substitutions. ## | |
1641 | ## ------------------- ##" | |
1642 | echo | |
1643 | for ac_var in $ac_subst_files | |
1644 | do | |
1645 | eval ac_val=\$$ac_var | |
1646 | case $ac_val in | |
1647 | *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; | |
1648 | esac | |
1649 | $as_echo "$ac_var='\''$ac_val'\''" | |
1650 | done | sort | |
1651 | echo | |
1652 | fi | |
1653 | ||
1654 | if test -s confdefs.h; then | |
1655 | $as_echo "## ----------- ## | |
1656 | ## confdefs.h. ## | |
1657 | ## ----------- ##" | |
1658 | echo | |
1659 | cat confdefs.h | |
1660 | echo | |
1661 | fi | |
1662 | test "$ac_signal" != 0 && | |
1663 | $as_echo "$as_me: caught signal $ac_signal" | |
1664 | $as_echo "$as_me: exit $exit_status" | |
1665 | } >&5 | |
1666 | rm -f core *.core core.conftest.* && | |
1667 | rm -f -r conftest* confdefs* conf$$* $ac_clean_files && | |
1668 | exit $exit_status | |
1669 | ' 0 | |
1670 | for ac_signal in 1 2 13 15; do | |
1671 | trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal | |
1672 | done | |
1673 | ac_signal=0 | |
1674 | ||
1675 | # confdefs.h avoids OS command line length limits that DEFS can exceed. | |
1676 | rm -f -r conftest* confdefs.h | |
1677 | ||
1678 | $as_echo "/* confdefs.h */" > confdefs.h | |
1679 | ||
1680 | # Predefined preprocessor variables. | |
1681 | ||
1682 | cat >>confdefs.h <<_ACEOF | |
1683 | #define PACKAGE_NAME "$PACKAGE_NAME" | |
1684 | _ACEOF | |
1685 | ||
1686 | cat >>confdefs.h <<_ACEOF | |
1687 | #define PACKAGE_TARNAME "$PACKAGE_TARNAME" | |
1688 | _ACEOF | |
1689 | ||
1690 | cat >>confdefs.h <<_ACEOF | |
1691 | #define PACKAGE_VERSION "$PACKAGE_VERSION" | |
1692 | _ACEOF | |
1693 | ||
1694 | cat >>confdefs.h <<_ACEOF | |
1695 | #define PACKAGE_STRING "$PACKAGE_STRING" | |
1696 | _ACEOF | |
1697 | ||
1698 | cat >>confdefs.h <<_ACEOF | |
1699 | #define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" | |
1700 | _ACEOF | |
1701 | ||
1702 | cat >>confdefs.h <<_ACEOF | |
1703 | #define PACKAGE_URL "$PACKAGE_URL" | |
1704 | _ACEOF | |
1705 | ||
1706 | ||
1707 | # Let the site file select an alternate cache file if it wants to. | |
1708 | # Prefer an explicitly selected file to automatically selected ones. | |
1709 | ac_site_file1=NONE | |
1710 | ac_site_file2=NONE | |
1711 | if test -n "$CONFIG_SITE"; then | |
1712 | # We do not want a PATH search for config.site. | |
1713 | case $CONFIG_SITE in #(( | |
1714 | -*) ac_site_file1=./$CONFIG_SITE;; | |
1715 | */*) ac_site_file1=$CONFIG_SITE;; | |
1716 | *) ac_site_file1=./$CONFIG_SITE;; | |
1717 | esac | |
1718 | elif test "x$prefix" != xNONE; then | |
1719 | ac_site_file1=$prefix/share/config.site | |
1720 | ac_site_file2=$prefix/etc/config.site | |
1721 | else | |
1722 | ac_site_file1=$ac_default_prefix/share/config.site | |
1723 | ac_site_file2=$ac_default_prefix/etc/config.site | |
1724 | fi | |
1725 | for ac_site_file in "$ac_site_file1" "$ac_site_file2" | |
1726 | do | |
1727 | test "x$ac_site_file" = xNONE && continue | |
1728 | if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then | |
1729 | { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 | |
1730 | $as_echo "$as_me: loading site script $ac_site_file" >&6;} | |
1731 | sed 's/^/| /' "$ac_site_file" >&5 | |
1732 | . "$ac_site_file" \ | |
1733 | || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | |
1734 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | |
1735 | as_fn_error $? "failed to load site script $ac_site_file | |
1736 | See \`config.log' for more details" "$LINENO" 5; } | |
1737 | fi | |
1738 | done | |
1739 | ||
1740 | if test -r "$cache_file"; then | |
1741 | # Some versions of bash will fail to source /dev/null (special files | |
1742 | # actually), so we avoid doing that. DJGPP emulates it as a regular file. | |
1743 | if test /dev/null != "$cache_file" && test -f "$cache_file"; then | |
1744 | { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 | |
1745 | $as_echo "$as_me: loading cache $cache_file" >&6;} | |
1746 | case $cache_file in | |
1747 | [\\/]* | ?:[\\/]* ) . "$cache_file";; | |
1748 | *) . "./$cache_file";; | |
1749 | esac | |
1750 | fi | |
1751 | else | |
1752 | { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 | |
1753 | $as_echo "$as_me: creating cache $cache_file" >&6;} | |
1754 | >$cache_file | |
1755 | fi | |
1756 | ||
1757 | # Check that the precious variables saved in the cache have kept the same | |
1758 | # value. | |
1759 | ac_cache_corrupted=false | |
1760 | for ac_var in $ac_precious_vars; do | |
1761 | eval ac_old_set=\$ac_cv_env_${ac_var}_set | |
1762 | eval ac_new_set=\$ac_env_${ac_var}_set | |
1763 | eval ac_old_val=\$ac_cv_env_${ac_var}_value | |
1764 | eval ac_new_val=\$ac_env_${ac_var}_value | |
1765 | case $ac_old_set,$ac_new_set in | |
1766 | set,) | |
1767 | { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 | |
1768 | $as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} | |
1769 | ac_cache_corrupted=: ;; | |
1770 | ,set) | |
1771 | { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 | |
1772 | $as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} | |
1773 | ac_cache_corrupted=: ;; | |
1774 | ,);; | |
1775 | *) | |
1776 | if test "x$ac_old_val" != "x$ac_new_val"; then | |
1777 | # differences in whitespace do not lead to failure. | |
1778 | ac_old_val_w=`echo x $ac_old_val` | |
1779 | ac_new_val_w=`echo x $ac_new_val` | |
1780 | if test "$ac_old_val_w" != "$ac_new_val_w"; then | |
1781 | { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 | |
1782 | $as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} | |
1783 | ac_cache_corrupted=: | |
1784 | else | |
1785 | { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 | |
1786 | $as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} | |
1787 | eval $ac_var=\$ac_old_val | |
1788 | fi | |
1789 | { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 | |
1790 | $as_echo "$as_me: former value: \`$ac_old_val'" >&2;} | |
1791 | { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 | |
1792 | $as_echo "$as_me: current value: \`$ac_new_val'" >&2;} | |
1793 | fi;; | |
1794 | esac | |
1795 | # Pass precious variables to config.status. | |
1796 | if test "$ac_new_set" = set; then | |
1797 | case $ac_new_val in | |
1798 | *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; | |
1799 | *) ac_arg=$ac_var=$ac_new_val ;; | |
1800 | esac | |
1801 | case " $ac_configure_args " in | |
1802 | *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. | |
1803 | *) as_fn_append ac_configure_args " '$ac_arg'" ;; | |
1804 | esac | |
1805 | fi | |
1806 | done | |
1807 | if $ac_cache_corrupted; then | |
1808 | { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | |
1809 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | |
1810 | { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 | |
1811 | $as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} | |
1812 | as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 | |
1813 | fi | |
1814 | ## -------------------- ## | |
1815 | ## Main body of script. ## | |
1816 | ## -------------------- ## | |
1817 | ||
1818 | ac_ext=c | |
1819 | ac_cpp='$CPP $CPPFLAGS' | |
1820 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | |
1821 | ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' | |
1822 | ac_compiler_gnu=$ac_cv_c_compiler_gnu | |
1823 | ||
1824 | ||
1825 | ||
1826 | ||
1827 | ||
1828 | mod_ldflags= | |
1829 | mod_cflags= | |
1830 | ||
1831 | if test x$with_rlm_eap_fast != xno; then | |
1832 | ||
1833 | openssl_lib_dir= | |
1834 | ||
1835 | # Check whether --with-openssl-lib-dir was given. | |
1836 | if test "${with_openssl_lib_dir+set}" = set; then : | |
1837 | withval=$with_openssl_lib_dir; case "$withval" in | |
1838 | no) | |
1839 | as_fn_error $? "Need openssl-lib-dir" "$LINENO" 5 | |
1840 | ;; | |
1841 | yes) | |
1842 | ;; | |
1843 | *) | |
1844 | openssl_lib_dir="$withval" | |
1845 | ;; | |
1846 | esac | |
1847 | ||
1848 | fi | |
1849 | ||
1850 | ||
1851 | openssl_include_dir= | |
1852 | ||
1853 | # Check whether --with-openssl-include-dir was given. | |
1854 | if test "${with_openssl_include_dir+set}" = set; then : | |
1855 | withval=$with_openssl_include_dir; case "$withval" in | |
1856 | no) | |
1857 | as_fn_error $? "Need openssl-include-dir" "$LINENO" 5 | |
1858 | ;; | |
1859 | yes) | |
1860 | ;; | |
1861 | *) | |
1862 | openssl_include_dir="$withval" | |
1863 | ;; | |
1864 | esac | |
1865 | ||
1866 | fi | |
1867 | ||
1868 | ||
1869 | ||
1870 | smart_try_dir=$openssl_include_dir | |
1871 | ac_ext=c | |
1872 | ac_cpp='$CPP $CPPFLAGS' | |
1873 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | |
1874 | ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' | |
1875 | ac_compiler_gnu=$ac_cv_c_compiler_gnu | |
1876 | if test -n "$ac_tool_prefix"; then | |
1877 | # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. | |
1878 | set dummy ${ac_tool_prefix}gcc; ac_word=$2 | |
1879 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | |
1880 | $as_echo_n "checking for $ac_word... " >&6; } | |
1881 | if ${ac_cv_prog_CC+:} false; then : | |
1882 | $as_echo_n "(cached) " >&6 | |
1883 | else | |
1884 | if test -n "$CC"; then | |
1885 | ac_cv_prog_CC="$CC" # Let the user override the test. | |
1886 | else | |
1887 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
1888 | for as_dir in $PATH | |
1889 | do | |
1890 | IFS=$as_save_IFS | |
1891 | test -z "$as_dir" && as_dir=. | |
1892 | for ac_exec_ext in '' $ac_executable_extensions; do | |
1893 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | |
1894 | ac_cv_prog_CC="${ac_tool_prefix}gcc" | |
1895 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | |
1896 | break 2 | |
1897 | fi | |
1898 | done | |
1899 | done | |
1900 | IFS=$as_save_IFS | |
1901 | ||
1902 | fi | |
1903 | fi | |
1904 | CC=$ac_cv_prog_CC | |
1905 | if test -n "$CC"; then | |
1906 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 | |
1907 | $as_echo "$CC" >&6; } | |
1908 | else | |
1909 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
1910 | $as_echo "no" >&6; } | |
1911 | fi | |
1912 | ||
1913 | ||
1914 | fi | |
1915 | if test -z "$ac_cv_prog_CC"; then | |
1916 | ac_ct_CC=$CC | |
1917 | # Extract the first word of "gcc", so it can be a program name with args. | |
1918 | set dummy gcc; ac_word=$2 | |
1919 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | |
1920 | $as_echo_n "checking for $ac_word... " >&6; } | |
1921 | if ${ac_cv_prog_ac_ct_CC+:} false; then : | |
1922 | $as_echo_n "(cached) " >&6 | |
1923 | else | |
1924 | if test -n "$ac_ct_CC"; then | |
1925 | ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. | |
1926 | else | |
1927 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
1928 | for as_dir in $PATH | |
1929 | do | |
1930 | IFS=$as_save_IFS | |
1931 | test -z "$as_dir" && as_dir=. | |
1932 | for ac_exec_ext in '' $ac_executable_extensions; do | |
1933 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | |
1934 | ac_cv_prog_ac_ct_CC="gcc" | |
1935 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | |
1936 | break 2 | |
1937 | fi | |
1938 | done | |
1939 | done | |
1940 | IFS=$as_save_IFS | |
1941 | ||
1942 | fi | |
1943 | fi | |
1944 | ac_ct_CC=$ac_cv_prog_ac_ct_CC | |
1945 | if test -n "$ac_ct_CC"; then | |
1946 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 | |
1947 | $as_echo "$ac_ct_CC" >&6; } | |
1948 | else | |
1949 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
1950 | $as_echo "no" >&6; } | |
1951 | fi | |
1952 | ||
1953 | if test "x$ac_ct_CC" = x; then | |
1954 | CC="" | |
1955 | else | |
1956 | case $cross_compiling:$ac_tool_warned in | |
1957 | yes:) | |
1958 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 | |
1959 | $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} | |
1960 | ac_tool_warned=yes ;; | |
1961 | esac | |
1962 | CC=$ac_ct_CC | |
1963 | fi | |
1964 | else | |
1965 | CC="$ac_cv_prog_CC" | |
1966 | fi | |
1967 | ||
1968 | if test -z "$CC"; then | |
1969 | if test -n "$ac_tool_prefix"; then | |
1970 | # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. | |
1971 | set dummy ${ac_tool_prefix}cc; ac_word=$2 | |
1972 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | |
1973 | $as_echo_n "checking for $ac_word... " >&6; } | |
1974 | if ${ac_cv_prog_CC+:} false; then : | |
1975 | $as_echo_n "(cached) " >&6 | |
1976 | else | |
1977 | if test -n "$CC"; then | |
1978 | ac_cv_prog_CC="$CC" # Let the user override the test. | |
1979 | else | |
1980 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
1981 | for as_dir in $PATH | |
1982 | do | |
1983 | IFS=$as_save_IFS | |
1984 | test -z "$as_dir" && as_dir=. | |
1985 | for ac_exec_ext in '' $ac_executable_extensions; do | |
1986 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | |
1987 | ac_cv_prog_CC="${ac_tool_prefix}cc" | |
1988 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | |
1989 | break 2 | |
1990 | fi | |
1991 | done | |
1992 | done | |
1993 | IFS=$as_save_IFS | |
1994 | ||
1995 | fi | |
1996 | fi | |
1997 | CC=$ac_cv_prog_CC | |
1998 | if test -n "$CC"; then | |
1999 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 | |
2000 | $as_echo "$CC" >&6; } | |
2001 | else | |
2002 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2003 | $as_echo "no" >&6; } | |
2004 | fi | |
2005 | ||
2006 | ||
2007 | fi | |
2008 | fi | |
2009 | if test -z "$CC"; then | |
2010 | # Extract the first word of "cc", so it can be a program name with args. | |
2011 | set dummy cc; ac_word=$2 | |
2012 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | |
2013 | $as_echo_n "checking for $ac_word... " >&6; } | |
2014 | if ${ac_cv_prog_CC+:} false; then : | |
2015 | $as_echo_n "(cached) " >&6 | |
2016 | else | |
2017 | if test -n "$CC"; then | |
2018 | ac_cv_prog_CC="$CC" # Let the user override the test. | |
2019 | else | |
2020 | ac_prog_rejected=no | |
2021 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
2022 | for as_dir in $PATH | |
2023 | do | |
2024 | IFS=$as_save_IFS | |
2025 | test -z "$as_dir" && as_dir=. | |
2026 | for ac_exec_ext in '' $ac_executable_extensions; do | |
2027 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | |
2028 | if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then | |
2029 | ac_prog_rejected=yes | |
2030 | continue | |
2031 | fi | |
2032 | ac_cv_prog_CC="cc" | |
2033 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | |
2034 | break 2 | |
2035 | fi | |
2036 | done | |
2037 | done | |
2038 | IFS=$as_save_IFS | |
2039 | ||
2040 | if test $ac_prog_rejected = yes; then | |
2041 | # We found a bogon in the path, so make sure we never use it. | |
2042 | set dummy $ac_cv_prog_CC | |
2043 | shift | |
2044 | if test $# != 0; then | |
2045 | # We chose a different compiler from the bogus one. | |
2046 | # However, it has the same basename, so the bogon will be chosen | |
2047 | # first if we set CC to just the basename; use the full file name. | |
2048 | shift | |
2049 | ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" | |
2050 | fi | |
2051 | fi | |
2052 | fi | |
2053 | fi | |
2054 | CC=$ac_cv_prog_CC | |
2055 | if test -n "$CC"; then | |
2056 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 | |
2057 | $as_echo "$CC" >&6; } | |
2058 | else | |
2059 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2060 | $as_echo "no" >&6; } | |
2061 | fi | |
2062 | ||
2063 | ||
2064 | fi | |
2065 | if test -z "$CC"; then | |
2066 | if test -n "$ac_tool_prefix"; then | |
2067 | for ac_prog in cl.exe | |
2068 | do | |
2069 | # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. | |
2070 | set dummy $ac_tool_prefix$ac_prog; ac_word=$2 | |
2071 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | |
2072 | $as_echo_n "checking for $ac_word... " >&6; } | |
2073 | if ${ac_cv_prog_CC+:} false; then : | |
2074 | $as_echo_n "(cached) " >&6 | |
2075 | else | |
2076 | if test -n "$CC"; then | |
2077 | ac_cv_prog_CC="$CC" # Let the user override the test. | |
2078 | else | |
2079 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
2080 | for as_dir in $PATH | |
2081 | do | |
2082 | IFS=$as_save_IFS | |
2083 | test -z "$as_dir" && as_dir=. | |
2084 | for ac_exec_ext in '' $ac_executable_extensions; do | |
2085 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | |
2086 | ac_cv_prog_CC="$ac_tool_prefix$ac_prog" | |
2087 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | |
2088 | break 2 | |
2089 | fi | |
2090 | done | |
2091 | done | |
2092 | IFS=$as_save_IFS | |
2093 | ||
2094 | fi | |
2095 | fi | |
2096 | CC=$ac_cv_prog_CC | |
2097 | if test -n "$CC"; then | |
2098 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 | |
2099 | $as_echo "$CC" >&6; } | |
2100 | else | |
2101 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2102 | $as_echo "no" >&6; } | |
2103 | fi | |
2104 | ||
2105 | ||
2106 | test -n "$CC" && break | |
2107 | done | |
2108 | fi | |
2109 | if test -z "$CC"; then | |
2110 | ac_ct_CC=$CC | |
2111 | for ac_prog in cl.exe | |
2112 | do | |
2113 | # Extract the first word of "$ac_prog", so it can be a program name with args. | |
2114 | set dummy $ac_prog; ac_word=$2 | |
2115 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 | |
2116 | $as_echo_n "checking for $ac_word... " >&6; } | |
2117 | if ${ac_cv_prog_ac_ct_CC+:} false; then : | |
2118 | $as_echo_n "(cached) " >&6 | |
2119 | else | |
2120 | if test -n "$ac_ct_CC"; then | |
2121 | ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. | |
2122 | else | |
2123 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
2124 | for as_dir in $PATH | |
2125 | do | |
2126 | IFS=$as_save_IFS | |
2127 | test -z "$as_dir" && as_dir=. | |
2128 | for ac_exec_ext in '' $ac_executable_extensions; do | |
2129 | if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then | |
2130 | ac_cv_prog_ac_ct_CC="$ac_prog" | |
2131 | $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 | |
2132 | break 2 | |
2133 | fi | |
2134 | done | |
2135 | done | |
2136 | IFS=$as_save_IFS | |
2137 | ||
2138 | fi | |
2139 | fi | |
2140 | ac_ct_CC=$ac_cv_prog_ac_ct_CC | |
2141 | if test -n "$ac_ct_CC"; then | |
2142 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 | |
2143 | $as_echo "$ac_ct_CC" >&6; } | |
2144 | else | |
2145 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2146 | $as_echo "no" >&6; } | |
2147 | fi | |
2148 | ||
2149 | ||
2150 | test -n "$ac_ct_CC" && break | |
2151 | done | |
2152 | ||
2153 | if test "x$ac_ct_CC" = x; then | |
2154 | CC="" | |
2155 | else | |
2156 | case $cross_compiling:$ac_tool_warned in | |
2157 | yes:) | |
2158 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 | |
2159 | $as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} | |
2160 | ac_tool_warned=yes ;; | |
2161 | esac | |
2162 | CC=$ac_ct_CC | |
2163 | fi | |
2164 | fi | |
2165 | ||
2166 | fi | |
2167 | ||
2168 | ||
2169 | test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | |
2170 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | |
2171 | as_fn_error $? "no acceptable C compiler found in \$PATH | |
2172 | See \`config.log' for more details" "$LINENO" 5; } | |
2173 | ||
2174 | # Provide some information about the compiler. | |
2175 | $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 | |
2176 | set X $ac_compile | |
2177 | ac_compiler=$2 | |
2178 | for ac_option in --version -v -V -qversion; do | |
2179 | { { ac_try="$ac_compiler $ac_option >&5" | |
2180 | case "(($ac_try" in | |
2181 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
2182 | *) ac_try_echo=$ac_try;; | |
2183 | esac | |
2184 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
2185 | $as_echo "$ac_try_echo"; } >&5 | |
2186 | (eval "$ac_compiler $ac_option >&5") 2>conftest.err | |
2187 | ac_status=$? | |
2188 | if test -s conftest.err; then | |
2189 | sed '10a\ | |
2190 | ... rest of stderr output deleted ... | |
2191 | 10q' conftest.err >conftest.er1 | |
2192 | cat conftest.er1 >&5 | |
2193 | fi | |
2194 | rm -f conftest.er1 conftest.err | |
2195 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
2196 | test $ac_status = 0; } | |
2197 | done | |
2198 | ||
2199 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2200 | /* end confdefs.h. */ | |
2201 | ||
2202 | int | |
2203 | main () | |
2204 | { | |
2205 | ||
2206 | ; | |
2207 | return 0; | |
2208 | } | |
2209 | _ACEOF | |
2210 | ac_clean_files_save=$ac_clean_files | |
2211 | ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" | |
2212 | # Try to create an executable without -o first, disregard a.out. | |
2213 | # It will help us diagnose broken compilers, and finding out an intuition | |
2214 | # of exeext. | |
2215 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 | |
2216 | $as_echo_n "checking whether the C compiler works... " >&6; } | |
2217 | ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` | |
2218 | ||
2219 | # The possible output files: | |
2220 | ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" | |
2221 | ||
2222 | ac_rmfiles= | |
2223 | for ac_file in $ac_files | |
2224 | do | |
2225 | case $ac_file in | |
2226 | *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; | |
2227 | * ) ac_rmfiles="$ac_rmfiles $ac_file";; | |
2228 | esac | |
2229 | done | |
2230 | rm -f $ac_rmfiles | |
2231 | ||
2232 | if { { ac_try="$ac_link_default" | |
2233 | case "(($ac_try" in | |
2234 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
2235 | *) ac_try_echo=$ac_try;; | |
2236 | esac | |
2237 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
2238 | $as_echo "$ac_try_echo"; } >&5 | |
2239 | (eval "$ac_link_default") 2>&5 | |
2240 | ac_status=$? | |
2241 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
2242 | test $ac_status = 0; }; then : | |
2243 | # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. | |
2244 | # So ignore a value of `no', otherwise this would lead to `EXEEXT = no' | |
2245 | # in a Makefile. We should not override ac_cv_exeext if it was cached, | |
2246 | # so that the user can short-circuit this test for compilers unknown to | |
2247 | # Autoconf. | |
2248 | for ac_file in $ac_files '' | |
2249 | do | |
2250 | test -f "$ac_file" || continue | |
2251 | case $ac_file in | |
2252 | *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) | |
2253 | ;; | |
2254 | [ab].out ) | |
2255 | # We found the default executable, but exeext='' is most | |
2256 | # certainly right. | |
2257 | break;; | |
2258 | *.* ) | |
2259 | if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; | |
2260 | then :; else | |
2261 | ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` | |
2262 | fi | |
2263 | # We set ac_cv_exeext here because the later test for it is not | |
2264 | # safe: cross compilers may not add the suffix if given an `-o' | |
2265 | # argument, so we may need to know it at that point already. | |
2266 | # Even if this section looks crufty: it has the advantage of | |
2267 | # actually working. | |
2268 | break;; | |
2269 | * ) | |
2270 | break;; | |
2271 | esac | |
2272 | done | |
2273 | test "$ac_cv_exeext" = no && ac_cv_exeext= | |
2274 | ||
2275 | else | |
2276 | ac_file='' | |
2277 | fi | |
2278 | if test -z "$ac_file"; then : | |
2279 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2280 | $as_echo "no" >&6; } | |
2281 | $as_echo "$as_me: failed program was:" >&5 | |
2282 | sed 's/^/| /' conftest.$ac_ext >&5 | |
2283 | ||
2284 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | |
2285 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | |
2286 | as_fn_error 77 "C compiler cannot create executables | |
2287 | See \`config.log' for more details" "$LINENO" 5; } | |
2288 | else | |
2289 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
2290 | $as_echo "yes" >&6; } | |
2291 | fi | |
2292 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 | |
2293 | $as_echo_n "checking for C compiler default output file name... " >&6; } | |
2294 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 | |
2295 | $as_echo "$ac_file" >&6; } | |
2296 | ac_exeext=$ac_cv_exeext | |
2297 | ||
2298 | rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out | |
2299 | ac_clean_files=$ac_clean_files_save | |
2300 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 | |
2301 | $as_echo_n "checking for suffix of executables... " >&6; } | |
2302 | if { { ac_try="$ac_link" | |
2303 | case "(($ac_try" in | |
2304 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
2305 | *) ac_try_echo=$ac_try;; | |
2306 | esac | |
2307 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
2308 | $as_echo "$ac_try_echo"; } >&5 | |
2309 | (eval "$ac_link") 2>&5 | |
2310 | ac_status=$? | |
2311 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
2312 | test $ac_status = 0; }; then : | |
2313 | # If both `conftest.exe' and `conftest' are `present' (well, observable) | |
2314 | # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will | |
2315 | # work properly (i.e., refer to `conftest.exe'), while it won't with | |
2316 | # `rm'. | |
2317 | for ac_file in conftest.exe conftest conftest.*; do | |
2318 | test -f "$ac_file" || continue | |
2319 | case $ac_file in | |
2320 | *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; | |
2321 | *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` | |
2322 | break;; | |
2323 | * ) break;; | |
2324 | esac | |
2325 | done | |
2326 | else | |
2327 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | |
2328 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | |
2329 | as_fn_error $? "cannot compute suffix of executables: cannot compile and link | |
2330 | See \`config.log' for more details" "$LINENO" 5; } | |
2331 | fi | |
2332 | rm -f conftest conftest$ac_cv_exeext | |
2333 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 | |
2334 | $as_echo "$ac_cv_exeext" >&6; } | |
2335 | ||
2336 | rm -f conftest.$ac_ext | |
2337 | EXEEXT=$ac_cv_exeext | |
2338 | ac_exeext=$EXEEXT | |
2339 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2340 | /* end confdefs.h. */ | |
2341 | #include <stdio.h> | |
2342 | int | |
2343 | main () | |
2344 | { | |
2345 | FILE *f = fopen ("conftest.out", "w"); | |
2346 | return ferror (f) || fclose (f) != 0; | |
2347 | ||
2348 | ; | |
2349 | return 0; | |
2350 | } | |
2351 | _ACEOF | |
2352 | ac_clean_files="$ac_clean_files conftest.out" | |
2353 | # Check that the compiler produces executables we can run. If not, either | |
2354 | # the compiler is broken, or we cross compile. | |
2355 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 | |
2356 | $as_echo_n "checking whether we are cross compiling... " >&6; } | |
2357 | if test "$cross_compiling" != yes; then | |
2358 | { { ac_try="$ac_link" | |
2359 | case "(($ac_try" in | |
2360 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
2361 | *) ac_try_echo=$ac_try;; | |
2362 | esac | |
2363 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
2364 | $as_echo "$ac_try_echo"; } >&5 | |
2365 | (eval "$ac_link") 2>&5 | |
2366 | ac_status=$? | |
2367 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
2368 | test $ac_status = 0; } | |
2369 | if { ac_try='./conftest$ac_cv_exeext' | |
2370 | { { case "(($ac_try" in | |
2371 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
2372 | *) ac_try_echo=$ac_try;; | |
2373 | esac | |
2374 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
2375 | $as_echo "$ac_try_echo"; } >&5 | |
2376 | (eval "$ac_try") 2>&5 | |
2377 | ac_status=$? | |
2378 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
2379 | test $ac_status = 0; }; }; then | |
2380 | cross_compiling=no | |
2381 | else | |
2382 | if test "$cross_compiling" = maybe; then | |
2383 | cross_compiling=yes | |
2384 | else | |
2385 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | |
2386 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | |
2387 | as_fn_error $? "cannot run C compiled programs. | |
2388 | If you meant to cross compile, use \`--host'. | |
2389 | See \`config.log' for more details" "$LINENO" 5; } | |
2390 | fi | |
2391 | fi | |
2392 | fi | |
2393 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 | |
2394 | $as_echo "$cross_compiling" >&6; } | |
2395 | ||
2396 | rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out | |
2397 | ac_clean_files=$ac_clean_files_save | |
2398 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 | |
2399 | $as_echo_n "checking for suffix of object files... " >&6; } | |
2400 | if ${ac_cv_objext+:} false; then : | |
2401 | $as_echo_n "(cached) " >&6 | |
2402 | else | |
2403 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2404 | /* end confdefs.h. */ | |
2405 | ||
2406 | int | |
2407 | main () | |
2408 | { | |
2409 | ||
2410 | ; | |
2411 | return 0; | |
2412 | } | |
2413 | _ACEOF | |
2414 | rm -f conftest.o conftest.obj | |
2415 | if { { ac_try="$ac_compile" | |
2416 | case "(($ac_try" in | |
2417 | *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; | |
2418 | *) ac_try_echo=$ac_try;; | |
2419 | esac | |
2420 | eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" | |
2421 | $as_echo "$ac_try_echo"; } >&5 | |
2422 | (eval "$ac_compile") 2>&5 | |
2423 | ac_status=$? | |
2424 | $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 | |
2425 | test $ac_status = 0; }; then : | |
2426 | for ac_file in conftest.o conftest.obj conftest.*; do | |
2427 | test -f "$ac_file" || continue; | |
2428 | case $ac_file in | |
2429 | *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; | |
2430 | *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` | |
2431 | break;; | |
2432 | esac | |
2433 | done | |
2434 | else | |
2435 | $as_echo "$as_me: failed program was:" >&5 | |
2436 | sed 's/^/| /' conftest.$ac_ext >&5 | |
2437 | ||
2438 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | |
2439 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | |
2440 | as_fn_error $? "cannot compute suffix of object files: cannot compile | |
2441 | See \`config.log' for more details" "$LINENO" 5; } | |
2442 | fi | |
2443 | rm -f conftest.$ac_cv_objext conftest.$ac_ext | |
2444 | fi | |
2445 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 | |
2446 | $as_echo "$ac_cv_objext" >&6; } | |
2447 | OBJEXT=$ac_cv_objext | |
2448 | ac_objext=$OBJEXT | |
2449 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 | |
2450 | $as_echo_n "checking whether we are using the GNU C compiler... " >&6; } | |
2451 | if ${ac_cv_c_compiler_gnu+:} false; then : | |
2452 | $as_echo_n "(cached) " >&6 | |
2453 | else | |
2454 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2455 | /* end confdefs.h. */ | |
2456 | ||
2457 | int | |
2458 | main () | |
2459 | { | |
2460 | #ifndef __GNUC__ | |
2461 | choke me | |
2462 | #endif | |
2463 | ||
2464 | ; | |
2465 | return 0; | |
2466 | } | |
2467 | _ACEOF | |
2468 | if ac_fn_c_try_compile "$LINENO"; then : | |
2469 | ac_compiler_gnu=yes | |
2470 | else | |
2471 | ac_compiler_gnu=no | |
2472 | fi | |
2473 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2474 | ac_cv_c_compiler_gnu=$ac_compiler_gnu | |
2475 | ||
2476 | fi | |
2477 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 | |
2478 | $as_echo "$ac_cv_c_compiler_gnu" >&6; } | |
2479 | if test $ac_compiler_gnu = yes; then | |
2480 | GCC=yes | |
2481 | else | |
2482 | GCC= | |
2483 | fi | |
2484 | ac_test_CFLAGS=${CFLAGS+set} | |
2485 | ac_save_CFLAGS=$CFLAGS | |
2486 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 | |
2487 | $as_echo_n "checking whether $CC accepts -g... " >&6; } | |
2488 | if ${ac_cv_prog_cc_g+:} false; then : | |
2489 | $as_echo_n "(cached) " >&6 | |
2490 | else | |
2491 | ac_save_c_werror_flag=$ac_c_werror_flag | |
2492 | ac_c_werror_flag=yes | |
2493 | ac_cv_prog_cc_g=no | |
2494 | CFLAGS="-g" | |
2495 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2496 | /* end confdefs.h. */ | |
2497 | ||
2498 | int | |
2499 | main () | |
2500 | { | |
2501 | ||
2502 | ; | |
2503 | return 0; | |
2504 | } | |
2505 | _ACEOF | |
2506 | if ac_fn_c_try_compile "$LINENO"; then : | |
2507 | ac_cv_prog_cc_g=yes | |
2508 | else | |
2509 | CFLAGS="" | |
2510 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2511 | /* end confdefs.h. */ | |
2512 | ||
2513 | int | |
2514 | main () | |
2515 | { | |
2516 | ||
2517 | ; | |
2518 | return 0; | |
2519 | } | |
2520 | _ACEOF | |
2521 | if ac_fn_c_try_compile "$LINENO"; then : | |
2522 | ||
2523 | else | |
2524 | ac_c_werror_flag=$ac_save_c_werror_flag | |
2525 | CFLAGS="-g" | |
2526 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2527 | /* end confdefs.h. */ | |
2528 | ||
2529 | int | |
2530 | main () | |
2531 | { | |
2532 | ||
2533 | ; | |
2534 | return 0; | |
2535 | } | |
2536 | _ACEOF | |
2537 | if ac_fn_c_try_compile "$LINENO"; then : | |
2538 | ac_cv_prog_cc_g=yes | |
2539 | fi | |
2540 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2541 | fi | |
2542 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2543 | fi | |
2544 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2545 | ac_c_werror_flag=$ac_save_c_werror_flag | |
2546 | fi | |
2547 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 | |
2548 | $as_echo "$ac_cv_prog_cc_g" >&6; } | |
2549 | if test "$ac_test_CFLAGS" = set; then | |
2550 | CFLAGS=$ac_save_CFLAGS | |
2551 | elif test $ac_cv_prog_cc_g = yes; then | |
2552 | if test "$GCC" = yes; then | |
2553 | CFLAGS="-g -O2" | |
2554 | else | |
2555 | CFLAGS="-g" | |
2556 | fi | |
2557 | else | |
2558 | if test "$GCC" = yes; then | |
2559 | CFLAGS="-O2" | |
2560 | else | |
2561 | CFLAGS= | |
2562 | fi | |
2563 | fi | |
2564 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 | |
2565 | $as_echo_n "checking for $CC option to accept ISO C89... " >&6; } | |
2566 | if ${ac_cv_prog_cc_c89+:} false; then : | |
2567 | $as_echo_n "(cached) " >&6 | |
2568 | else | |
2569 | ac_cv_prog_cc_c89=no | |
2570 | ac_save_CC=$CC | |
2571 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2572 | /* end confdefs.h. */ | |
2573 | #include <stdarg.h> | |
2574 | #include <stdio.h> | |
2575 | struct stat; | |
2576 | /* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ | |
2577 | struct buf { int x; }; | |
2578 | FILE * (*rcsopen) (struct buf *, struct stat *, int); | |
2579 | static char *e (p, i) | |
2580 | char **p; | |
2581 | int i; | |
2582 | { | |
2583 | return p[i]; | |
2584 | } | |
2585 | static char *f (char * (*g) (char **, int), char **p, ...) | |
2586 | { | |
2587 | char *s; | |
2588 | va_list v; | |
2589 | va_start (v,p); | |
2590 | s = g (p, va_arg (v,int)); | |
2591 | va_end (v); | |
2592 | return s; | |
2593 | } | |
2594 | ||
2595 | /* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has | |
2596 | function prototypes and stuff, but not '\xHH' hex character constants. | |
2597 | These don't provoke an error unfortunately, instead are silently treated | |
2598 | as 'x'. The following induces an error, until -std is added to get | |
2599 | proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an | |
2600 | array size at least. It's necessary to write '\x00'==0 to get something | |
2601 | that's true only with -std. */ | |
2602 | int osf4_cc_array ['\x00' == 0 ? 1 : -1]; | |
2603 | ||
2604 | /* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters | |
2605 | inside strings and character constants. */ | |
2606 | #define FOO(x) 'x' | |
2607 | int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; | |
2608 | ||
2609 | int test (int i, double x); | |
2610 | struct s1 {int (*f) (int a);}; | |
2611 | struct s2 {int (*f) (double a);}; | |
2612 | int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); | |
2613 | int argc; | |
2614 | char **argv; | |
2615 | int | |
2616 | main () | |
2617 | { | |
2618 | return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; | |
2619 | ; | |
2620 | return 0; | |
2621 | } | |
2622 | _ACEOF | |
2623 | for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ | |
2624 | -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" | |
2625 | do | |
2626 | CC="$ac_save_CC $ac_arg" | |
2627 | if ac_fn_c_try_compile "$LINENO"; then : | |
2628 | ac_cv_prog_cc_c89=$ac_arg | |
2629 | fi | |
2630 | rm -f core conftest.err conftest.$ac_objext | |
2631 | test "x$ac_cv_prog_cc_c89" != "xno" && break | |
2632 | done | |
2633 | rm -f conftest.$ac_ext | |
2634 | CC=$ac_save_CC | |
2635 | ||
2636 | fi | |
2637 | # AC_CACHE_VAL | |
2638 | case "x$ac_cv_prog_cc_c89" in | |
2639 | x) | |
2640 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 | |
2641 | $as_echo "none needed" >&6; } ;; | |
2642 | xno) | |
2643 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 | |
2644 | $as_echo "unsupported" >&6; } ;; | |
2645 | *) | |
2646 | CC="$CC $ac_cv_prog_cc_c89" | |
2647 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 | |
2648 | $as_echo "$ac_cv_prog_cc_c89" >&6; } ;; | |
2649 | esac | |
2650 | if test "x$ac_cv_prog_cc_c89" != xno; then : | |
2651 | ||
2652 | fi | |
2653 | ||
2654 | ac_ext=c | |
2655 | ac_cpp='$CPP $CPPFLAGS' | |
2656 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | |
2657 | ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' | |
2658 | ac_compiler_gnu=$ac_cv_c_compiler_gnu | |
2659 | ||
2660 | ||
2661 | ||
2662 | ||
2663 | ac_safe=`echo "openssl/ec.h" | sed 'y%./+-%__pm%'` | |
2664 | old_CPPFLAGS="$CPPFLAGS" | |
2665 | smart_include= | |
2666 | smart_include_dir="/usr/local/include /opt/include" | |
2667 | ||
2668 | _smart_try_dir= | |
2669 | _smart_include_dir= | |
2670 | ||
2671 | for _prefix in $smart_prefix ""; do | |
2672 | for _dir in $smart_try_dir; do | |
2673 | _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" | |
2674 | done | |
2675 | ||
2676 | for _dir in $smart_include_dir; do | |
2677 | _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" | |
2678 | done | |
2679 | done | |
2680 | ||
2681 | if test "x$_smart_try_dir" != "x"; then | |
2682 | for try in $_smart_try_dir; do | |
2683 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ec.h in $try" >&5 | |
2684 | $as_echo_n "checking for openssl/ec.h in $try... " >&6; } | |
2685 | CPPFLAGS="-isystem $try $old_CPPFLAGS" | |
2686 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2687 | /* end confdefs.h. */ | |
2688 | ||
2689 | #include <openssl/ec.h> | |
2690 | int | |
2691 | main () | |
2692 | { | |
2693 | int a = 1; | |
2694 | ; | |
2695 | return 0; | |
2696 | } | |
2697 | _ACEOF | |
2698 | if ac_fn_c_try_compile "$LINENO"; then : | |
2699 | ||
2700 | smart_include="-isystem $try" | |
2701 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
2702 | $as_echo "yes" >&6; } | |
2703 | break | |
2704 | ||
2705 | else | |
2706 | ||
2707 | smart_include= | |
2708 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2709 | $as_echo "no" >&6; } | |
2710 | ||
2711 | fi | |
2712 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2713 | done | |
2714 | CPPFLAGS="$old_CPPFLAGS" | |
2715 | fi | |
2716 | ||
2717 | if test "x$smart_include" = "x"; then | |
2718 | for _prefix in $smart_prefix; do | |
2719 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/openssl/ec.h" >&5 | |
2720 | $as_echo_n "checking for ${_prefix}/openssl/ec.h... " >&6; } | |
2721 | ||
2722 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2723 | /* end confdefs.h. */ | |
2724 | ||
2725 | #include <openssl/ec.h> | |
2726 | int | |
2727 | main () | |
2728 | { | |
2729 | int a = 1; | |
2730 | ; | |
2731 | return 0; | |
2732 | } | |
2733 | _ACEOF | |
2734 | if ac_fn_c_try_compile "$LINENO"; then : | |
2735 | ||
2736 | smart_include="-isystem ${_prefix}/" | |
2737 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
2738 | $as_echo "yes" >&6; } | |
2739 | break | |
2740 | ||
2741 | else | |
2742 | ||
2743 | smart_include= | |
2744 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2745 | $as_echo "no" >&6; } | |
2746 | ||
2747 | fi | |
2748 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2749 | done | |
2750 | fi | |
2751 | ||
2752 | if test "x$smart_include" = "x"; then | |
2753 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ec.h" >&5 | |
2754 | $as_echo_n "checking for openssl/ec.h... " >&6; } | |
2755 | ||
2756 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2757 | /* end confdefs.h. */ | |
2758 | ||
2759 | #include <openssl/ec.h> | |
2760 | int | |
2761 | main () | |
2762 | { | |
2763 | int a = 1; | |
2764 | ; | |
2765 | return 0; | |
2766 | } | |
2767 | _ACEOF | |
2768 | if ac_fn_c_try_compile "$LINENO"; then : | |
2769 | ||
2770 | smart_include=" " | |
2771 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
2772 | $as_echo "yes" >&6; } | |
2773 | break | |
2774 | ||
2775 | else | |
2776 | ||
2777 | smart_include= | |
2778 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2779 | $as_echo "no" >&6; } | |
2780 | ||
2781 | fi | |
2782 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2783 | fi | |
2784 | ||
2785 | if test "x$smart_include" = "x"; then | |
2786 | ||
2787 | for prefix in $smart_prefix; do | |
2788 | ||
2789 | ||
2790 | if test "x$LOCATE" != "x"; then | |
2791 | DIRS= | |
2792 | file="${_prefix}/${1}" | |
2793 | ||
2794 | for x in `${LOCATE} $file 2>/dev/null`; do | |
2795 | base=`echo $x | sed "s%/${file}%%"` | |
2796 | if test "x$x" = "x$base"; then | |
2797 | continue; | |
2798 | fi | |
2799 | ||
2800 | dir=`${DIRNAME} $x 2>/dev/null` | |
2801 | exclude=`echo ${dir} | ${GREP} /home` | |
2802 | if test "x$exclude" != "x"; then | |
2803 | continue | |
2804 | fi | |
2805 | ||
2806 | already=`echo \$_smart_include_dir ${DIRS} | ${GREP} ${dir}` | |
2807 | if test "x$already" = "x"; then | |
2808 | DIRS="$DIRS $dir" | |
2809 | fi | |
2810 | done | |
2811 | fi | |
2812 | ||
2813 | eval "_smart_include_dir=\"\$_smart_include_dir $DIRS\"" | |
2814 | ||
2815 | done | |
2816 | ||
2817 | ||
2818 | if test "x$LOCATE" != "x"; then | |
2819 | DIRS= | |
2820 | file=openssl/ec.h | |
2821 | ||
2822 | for x in `${LOCATE} $file 2>/dev/null`; do | |
2823 | base=`echo $x | sed "s%/${file}%%"` | |
2824 | if test "x$x" = "x$base"; then | |
2825 | continue; | |
2826 | fi | |
2827 | ||
2828 | dir=`${DIRNAME} $x 2>/dev/null` | |
2829 | exclude=`echo ${dir} | ${GREP} /home` | |
2830 | if test "x$exclude" != "x"; then | |
2831 | continue | |
2832 | fi | |
2833 | ||
2834 | already=`echo \$_smart_include_dir ${DIRS} | ${GREP} ${dir}` | |
2835 | if test "x$already" = "x"; then | |
2836 | DIRS="$DIRS $dir" | |
2837 | fi | |
2838 | done | |
2839 | fi | |
2840 | ||
2841 | eval "_smart_include_dir=\"\$_smart_include_dir $DIRS\"" | |
2842 | ||
2843 | ||
2844 | for try in $_smart_include_dir; do | |
2845 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ec.h in $try" >&5 | |
2846 | $as_echo_n "checking for openssl/ec.h in $try... " >&6; } | |
2847 | CPPFLAGS="-isystem $try $old_CPPFLAGS" | |
2848 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2849 | /* end confdefs.h. */ | |
2850 | ||
2851 | #include <openssl/ec.h> | |
2852 | int | |
2853 | main () | |
2854 | { | |
2855 | int a = 1; | |
2856 | ; | |
2857 | return 0; | |
2858 | } | |
2859 | _ACEOF | |
2860 | if ac_fn_c_try_compile "$LINENO"; then : | |
2861 | ||
2862 | smart_include="-isystem $try" | |
2863 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
2864 | $as_echo "yes" >&6; } | |
2865 | break | |
2866 | ||
2867 | else | |
2868 | ||
2869 | smart_include= | |
2870 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2871 | $as_echo "no" >&6; } | |
2872 | ||
2873 | fi | |
2874 | rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext | |
2875 | done | |
2876 | CPPFLAGS="$old_CPPFLAGS" | |
2877 | fi | |
2878 | ||
2879 | if test "x$smart_include" != "x"; then | |
2880 | eval "ac_cv_header_$ac_safe=yes" | |
2881 | CPPFLAGS="$smart_include $old_CPPFLAGS" | |
2882 | SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" | |
2883 | fi | |
2884 | ||
2885 | smart_prefix= | |
2886 | ||
2887 | if test "$ac_cv_header_openssl_ec_h" != "yes"; then | |
2888 | fail="$fail openssl/ec.h" | |
2889 | fi | |
2890 | ||
2891 | smart_try_dir=$openssl_lib_dir | |
2892 | ||
2893 | ||
2894 | sm_lib_safe=`echo "crypto" | sed 'y%./+-%__p_%'` | |
2895 | sm_func_safe=`echo "EVP_CIPHER_CTX_new" | sed 'y%./+-%__p_%'` | |
2896 | ||
2897 | old_LIBS="$LIBS" | |
2898 | old_CPPFLAGS="$CPPFLAGS" | |
2899 | smart_lib= | |
2900 | smart_ldflags= | |
2901 | smart_lib_dir= | |
2902 | ||
2903 | if test "x$smart_try_dir" != "x"; then | |
2904 | for try in $smart_try_dir; do | |
2905 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto in $try" >&5 | |
2906 | $as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto in $try... " >&6; } | |
2907 | LIBS="-lcrypto $old_LIBS" | |
2908 | CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" | |
2909 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2910 | /* end confdefs.h. */ | |
2911 | extern char EVP_CIPHER_CTX_new(); | |
2912 | int | |
2913 | main () | |
2914 | { | |
2915 | EVP_CIPHER_CTX_new() | |
2916 | ; | |
2917 | return 0; | |
2918 | } | |
2919 | _ACEOF | |
2920 | if ac_fn_c_try_link "$LINENO"; then : | |
2921 | ||
2922 | smart_lib="-lcrypto" | |
2923 | smart_ldflags="-L$try -Wl,-rpath,$try" | |
2924 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
2925 | $as_echo "yes" >&6; } | |
2926 | break | |
2927 | ||
2928 | else | |
2929 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2930 | $as_echo "no" >&6; } | |
2931 | fi | |
2932 | rm -f core conftest.err conftest.$ac_objext \ | |
2933 | conftest$ac_exeext conftest.$ac_ext | |
2934 | done | |
2935 | LIBS="$old_LIBS" | |
2936 | CPPFLAGS="$old_CPPFLAGS" | |
2937 | fi | |
2938 | ||
2939 | if test "x$smart_lib" = "x"; then | |
2940 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto" >&5 | |
2941 | $as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto... " >&6; } | |
2942 | LIBS="-lcrypto $old_LIBS" | |
2943 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
2944 | /* end confdefs.h. */ | |
2945 | extern char EVP_CIPHER_CTX_new(); | |
2946 | int | |
2947 | main () | |
2948 | { | |
2949 | EVP_CIPHER_CTX_new() | |
2950 | ; | |
2951 | return 0; | |
2952 | } | |
2953 | _ACEOF | |
2954 | if ac_fn_c_try_link "$LINENO"; then : | |
2955 | ||
2956 | smart_lib="-lcrypto" | |
2957 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
2958 | $as_echo "yes" >&6; } | |
2959 | ||
2960 | else | |
2961 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
2962 | $as_echo "no" >&6; } | |
2963 | fi | |
2964 | rm -f core conftest.err conftest.$ac_objext \ | |
2965 | conftest$ac_exeext conftest.$ac_ext | |
2966 | LIBS="$old_LIBS" | |
2967 | fi | |
2968 | ||
2969 | if test "x$smart_lib" = "x"; then | |
2970 | ||
2971 | ||
2972 | if test "x$LOCATE" != "x"; then | |
2973 | DIRS= | |
2974 | file=libcrypto${libltdl_cv_shlibext} | |
2975 | ||
2976 | for x in `${LOCATE} $file 2>/dev/null`; do | |
2977 | base=`echo $x | sed "s%/${file}%%"` | |
2978 | if test "x$x" = "x$base"; then | |
2979 | continue; | |
2980 | fi | |
2981 | ||
2982 | dir=`${DIRNAME} $x 2>/dev/null` | |
2983 | exclude=`echo ${dir} | ${GREP} /home` | |
2984 | if test "x$exclude" != "x"; then | |
2985 | continue | |
2986 | fi | |
2987 | ||
2988 | already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` | |
2989 | if test "x$already" = "x"; then | |
2990 | DIRS="$DIRS $dir" | |
2991 | fi | |
2992 | done | |
2993 | fi | |
2994 | ||
2995 | eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" | |
2996 | ||
2997 | ||
2998 | ||
2999 | if test "x$LOCATE" != "x"; then | |
3000 | DIRS= | |
3001 | file=libcrypto.a | |
3002 | ||
3003 | for x in `${LOCATE} $file 2>/dev/null`; do | |
3004 | base=`echo $x | sed "s%/${file}%%"` | |
3005 | if test "x$x" = "x$base"; then | |
3006 | continue; | |
3007 | fi | |
3008 | ||
3009 | dir=`${DIRNAME} $x 2>/dev/null` | |
3010 | exclude=`echo ${dir} | ${GREP} /home` | |
3011 | if test "x$exclude" != "x"; then | |
3012 | continue | |
3013 | fi | |
3014 | ||
3015 | already=`echo \$smart_lib_dir ${DIRS} | ${GREP} ${dir}` | |
3016 | if test "x$already" = "x"; then | |
3017 | DIRS="$DIRS $dir" | |
3018 | fi | |
3019 | done | |
3020 | fi | |
3021 | ||
3022 | eval "smart_lib_dir=\"\$smart_lib_dir $DIRS\"" | |
3023 | ||
3024 | ||
3025 | for try in $smart_lib_dir /usr/local/lib /opt/lib; do | |
3026 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto in $try" >&5 | |
3027 | $as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto in $try... " >&6; } | |
3028 | LIBS="-lcrypto $old_LIBS" | |
3029 | CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" | |
3030 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
3031 | /* end confdefs.h. */ | |
3032 | extern char EVP_CIPHER_CTX_new(); | |
3033 | int | |
3034 | main () | |
3035 | { | |
3036 | EVP_CIPHER_CTX_new() | |
3037 | ; | |
3038 | return 0; | |
3039 | } | |
3040 | _ACEOF | |
3041 | if ac_fn_c_try_link "$LINENO"; then : | |
3042 | ||
3043 | smart_lib="-lcrypto" | |
3044 | smart_ldflags="-L$try -Wl,-rpath,$try" | |
3045 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
3046 | $as_echo "yes" >&6; } | |
3047 | break | |
3048 | ||
3049 | else | |
3050 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
3051 | $as_echo "no" >&6; } | |
3052 | fi | |
3053 | rm -f core conftest.err conftest.$ac_objext \ | |
3054 | conftest$ac_exeext conftest.$ac_ext | |
3055 | done | |
3056 | LIBS="$old_LIBS" | |
3057 | CPPFLAGS="$old_CPPFLAGS" | |
3058 | fi | |
3059 | ||
3060 | if test "x$smart_lib" != "x"; then | |
3061 | eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes" | |
3062 | LIBS="$smart_ldflags $smart_lib $old_LIBS" | |
3063 | SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" | |
3064 | fi | |
3065 | ||
3066 | if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" != "xyes"; then | |
3067 | fail="libssl" | |
3068 | fi | |
3069 | ||
3070 | ac_ext=c | |
3071 | ac_cpp='$CPP $CPPFLAGS' | |
3072 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | |
3073 | ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' | |
3074 | ac_compiler_gnu=$ac_cv_c_compiler_gnu | |
3075 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 | |
3076 | $as_echo_n "checking how to run the C preprocessor... " >&6; } | |
3077 | # On Suns, sometimes $CPP names a directory. | |
3078 | if test -n "$CPP" && test -d "$CPP"; then | |
3079 | CPP= | |
3080 | fi | |
3081 | if test -z "$CPP"; then | |
3082 | if ${ac_cv_prog_CPP+:} false; then : | |
3083 | $as_echo_n "(cached) " >&6 | |
3084 | else | |
3085 | # Double quotes because CPP needs to be expanded | |
3086 | for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" | |
3087 | do | |
3088 | ac_preproc_ok=false | |
3089 | for ac_c_preproc_warn_flag in '' yes | |
3090 | do | |
3091 | # Use a header file that comes with gcc, so configuring glibc | |
3092 | # with a fresh cross-compiler works. | |
3093 | # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since | |
3094 | # <limits.h> exists even on freestanding compilers. | |
3095 | # On the NeXT, cc -E runs the code through the compiler's parser, | |
3096 | # not just through cpp. "Syntax error" is here to catch this case. | |
3097 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
3098 | /* end confdefs.h. */ | |
3099 | #ifdef __STDC__ | |
3100 | # include <limits.h> | |
3101 | #else | |
3102 | # include <assert.h> | |
3103 | #endif | |
3104 | Syntax error | |
3105 | _ACEOF | |
3106 | if ac_fn_c_try_cpp "$LINENO"; then : | |
3107 | ||
3108 | else | |
3109 | # Broken: fails on valid input. | |
3110 | continue | |
3111 | fi | |
3112 | rm -f conftest.err conftest.i conftest.$ac_ext | |
3113 | ||
3114 | # OK, works on sane cases. Now check whether nonexistent headers | |
3115 | # can be detected and how. | |
3116 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
3117 | /* end confdefs.h. */ | |
3118 | #include <ac_nonexistent.h> | |
3119 | _ACEOF | |
3120 | if ac_fn_c_try_cpp "$LINENO"; then : | |
3121 | # Broken: success on invalid input. | |
3122 | continue | |
3123 | else | |
3124 | # Passes both tests. | |
3125 | ac_preproc_ok=: | |
3126 | break | |
3127 | fi | |
3128 | rm -f conftest.err conftest.i conftest.$ac_ext | |
3129 | ||
3130 | done | |
3131 | # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. | |
3132 | rm -f conftest.i conftest.err conftest.$ac_ext | |
3133 | if $ac_preproc_ok; then : | |
3134 | break | |
3135 | fi | |
3136 | ||
3137 | done | |
3138 | ac_cv_prog_CPP=$CPP | |
3139 | ||
3140 | fi | |
3141 | CPP=$ac_cv_prog_CPP | |
3142 | else | |
3143 | ac_cv_prog_CPP=$CPP | |
3144 | fi | |
3145 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 | |
3146 | $as_echo "$CPP" >&6; } | |
3147 | ac_preproc_ok=false | |
3148 | for ac_c_preproc_warn_flag in '' yes | |
3149 | do | |
3150 | # Use a header file that comes with gcc, so configuring glibc | |
3151 | # with a fresh cross-compiler works. | |
3152 | # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since | |
3153 | # <limits.h> exists even on freestanding compilers. | |
3154 | # On the NeXT, cc -E runs the code through the compiler's parser, | |
3155 | # not just through cpp. "Syntax error" is here to catch this case. | |
3156 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
3157 | /* end confdefs.h. */ | |
3158 | #ifdef __STDC__ | |
3159 | # include <limits.h> | |
3160 | #else | |
3161 | # include <assert.h> | |
3162 | #endif | |
3163 | Syntax error | |
3164 | _ACEOF | |
3165 | if ac_fn_c_try_cpp "$LINENO"; then : | |
3166 | ||
3167 | else | |
3168 | # Broken: fails on valid input. | |
3169 | continue | |
3170 | fi | |
3171 | rm -f conftest.err conftest.i conftest.$ac_ext | |
3172 | ||
3173 | # OK, works on sane cases. Now check whether nonexistent headers | |
3174 | # can be detected and how. | |
3175 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
3176 | /* end confdefs.h. */ | |
3177 | #include <ac_nonexistent.h> | |
3178 | _ACEOF | |
3179 | if ac_fn_c_try_cpp "$LINENO"; then : | |
3180 | # Broken: success on invalid input. | |
3181 | continue | |
3182 | else | |
3183 | # Passes both tests. | |
3184 | ac_preproc_ok=: | |
3185 | break | |
3186 | fi | |
3187 | rm -f conftest.err conftest.i conftest.$ac_ext | |
3188 | ||
3189 | done | |
3190 | # Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. | |
3191 | rm -f conftest.i conftest.err conftest.$ac_ext | |
3192 | if $ac_preproc_ok; then : | |
3193 | ||
3194 | else | |
3195 | { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 | |
3196 | $as_echo "$as_me: error: in \`$ac_pwd':" >&2;} | |
3197 | as_fn_error $? "C preprocessor \"$CPP\" fails sanity check | |
3198 | See \`config.log' for more details" "$LINENO" 5; } | |
3199 | fi | |
3200 | ||
3201 | ac_ext=c | |
3202 | ac_cpp='$CPP $CPPFLAGS' | |
3203 | ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' | |
3204 | ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' | |
3205 | ac_compiler_gnu=$ac_cv_c_compiler_gnu | |
3206 | ||
3207 | ||
3208 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 | |
3209 | $as_echo_n "checking for grep that handles long lines and -e... " >&6; } | |
3210 | if ${ac_cv_path_GREP+:} false; then : | |
3211 | $as_echo_n "(cached) " >&6 | |
3212 | else | |
3213 | if test -z "$GREP"; then | |
3214 | ac_path_GREP_found=false | |
3215 | # Loop through the user's path and test for each of PROGNAME-LIST | |
3216 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
3217 | for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin | |
3218 | do | |
3219 | IFS=$as_save_IFS | |
3220 | test -z "$as_dir" && as_dir=. | |
3221 | for ac_prog in grep ggrep; do | |
3222 | for ac_exec_ext in '' $ac_executable_extensions; do | |
3223 | ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" | |
3224 | as_fn_executable_p "$ac_path_GREP" || continue | |
3225 | # Check for GNU ac_path_GREP and select it if it is found. | |
3226 | # Check for GNU $ac_path_GREP | |
3227 | case `"$ac_path_GREP" --version 2>&1` in | |
3228 | *GNU*) | |
3229 | ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; | |
3230 | *) | |
3231 | ac_count=0 | |
3232 | $as_echo_n 0123456789 >"conftest.in" | |
3233 | while : | |
3234 | do | |
3235 | cat "conftest.in" "conftest.in" >"conftest.tmp" | |
3236 | mv "conftest.tmp" "conftest.in" | |
3237 | cp "conftest.in" "conftest.nl" | |
3238 | $as_echo 'GREP' >> "conftest.nl" | |
3239 | "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break | |
3240 | diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break | |
3241 | as_fn_arith $ac_count + 1 && ac_count=$as_val | |
3242 | if test $ac_count -gt ${ac_path_GREP_max-0}; then | |
3243 | # Best one so far, save it but keep looking for a better one | |
3244 | ac_cv_path_GREP="$ac_path_GREP" | |
3245 | ac_path_GREP_max=$ac_count | |
3246 | fi | |
3247 | # 10*(2^10) chars as input seems more than enough | |
3248 | test $ac_count -gt 10 && break | |
3249 | done | |
3250 | rm -f conftest.in conftest.tmp conftest.nl conftest.out;; | |
3251 | esac | |
3252 | ||
3253 | $ac_path_GREP_found && break 3 | |
3254 | done | |
3255 | done | |
3256 | done | |
3257 | IFS=$as_save_IFS | |
3258 | if test -z "$ac_cv_path_GREP"; then | |
3259 | as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 | |
3260 | fi | |
3261 | else | |
3262 | ac_cv_path_GREP=$GREP | |
3263 | fi | |
3264 | ||
3265 | fi | |
3266 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 | |
3267 | $as_echo "$ac_cv_path_GREP" >&6; } | |
3268 | GREP="$ac_cv_path_GREP" | |
3269 | ||
3270 | ||
3271 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 | |
3272 | $as_echo_n "checking for egrep... " >&6; } | |
3273 | if ${ac_cv_path_EGREP+:} false; then : | |
3274 | $as_echo_n "(cached) " >&6 | |
3275 | else | |
3276 | if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 | |
3277 | then ac_cv_path_EGREP="$GREP -E" | |
3278 | else | |
3279 | if test -z "$EGREP"; then | |
3280 | ac_path_EGREP_found=false | |
3281 | # Loop through the user's path and test for each of PROGNAME-LIST | |
3282 | as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
3283 | for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin | |
3284 | do | |
3285 | IFS=$as_save_IFS | |
3286 | test -z "$as_dir" && as_dir=. | |
3287 | for ac_prog in egrep; do | |
3288 | for ac_exec_ext in '' $ac_executable_extensions; do | |
3289 | ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" | |
3290 | as_fn_executable_p "$ac_path_EGREP" || continue | |
3291 | # Check for GNU ac_path_EGREP and select it if it is found. | |
3292 | # Check for GNU $ac_path_EGREP | |
3293 | case `"$ac_path_EGREP" --version 2>&1` in | |
3294 | *GNU*) | |
3295 | ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; | |
3296 | *) | |
3297 | ac_count=0 | |
3298 | $as_echo_n 0123456789 >"conftest.in" | |
3299 | while : | |
3300 | do | |
3301 | cat "conftest.in" "conftest.in" >"conftest.tmp" | |
3302 | mv "conftest.tmp" "conftest.in" | |
3303 | cp "conftest.in" "conftest.nl" | |
3304 | $as_echo 'EGREP' >> "conftest.nl" | |
3305 | "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break | |
3306 | diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break | |
3307 | as_fn_arith $ac_count + 1 && ac_count=$as_val | |
3308 | if test $ac_count -gt ${ac_path_EGREP_max-0}; then | |
3309 | # Best one so far, save it but keep looking for a better one | |
3310 | ac_cv_path_EGREP="$ac_path_EGREP" | |
3311 | ac_path_EGREP_max=$ac_count | |
3312 | fi | |
3313 | # 10*(2^10) chars as input seems more than enough | |
3314 | test $ac_count -gt 10 && break | |
3315 | done | |
3316 | rm -f conftest.in conftest.tmp conftest.nl conftest.out;; | |
3317 | esac | |
3318 | ||
3319 | $ac_path_EGREP_found && break 3 | |
3320 | done | |
3321 | done | |
3322 | done | |
3323 | IFS=$as_save_IFS | |
3324 | if test -z "$ac_cv_path_EGREP"; then | |
3325 | as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 | |
3326 | fi | |
3327 | else | |
3328 | ac_cv_path_EGREP=$EGREP | |
3329 | fi | |
3330 | ||
3331 | fi | |
3332 | fi | |
3333 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 | |
3334 | $as_echo "$ac_cv_path_EGREP" >&6; } | |
3335 | EGREP="$ac_cv_path_EGREP" | |
3336 | ||
3337 | ||
3338 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
3339 | /* end confdefs.h. */ | |
3340 | #include <openssl/crypto.h> | |
3341 | #if (OPENSSL_VERSION_NUMBER >= 0x01000100fL) | |
3342 | yes | |
3343 | #endif | |
3344 | ||
3345 | _ACEOF | |
3346 | if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | | |
3347 | $EGREP "yes" >/dev/null 2>&1; then : | |
3348 | ||
3349 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL version >= 1.0.1a" >&5 | |
3350 | $as_echo_n "checking for OpenSSL version >= 1.0.1a... " >&6; } | |
3351 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 | |
3352 | $as_echo "yes" >&6; } | |
3353 | ||
3354 | else | |
3355 | ||
3356 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL version >= 1.0.1a" >&5 | |
3357 | $as_echo_n "checking for OpenSSL version >= 1.0.1a... " >&6; } | |
3358 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 | |
3359 | $as_echo "no" >&6; } | |
3360 | fail="openssl>1.0.1" | |
3361 | ||
3362 | ||
3363 | fi | |
3364 | rm -f conftest* | |
3365 | ||
3366 | ||
3367 | targetname=rlm_eap_fast | |
3368 | else | |
3369 | targetname= | |
3370 | echo \*\*\* module rlm_eap_fast is disabled. | |
3371 | fi | |
3372 | ||
3373 | if test x"$fail" != x""; then | |
3374 | if test x"${enable_strict_dependencies}" = x"yes"; then | |
3375 | as_fn_error $? "set --without-rlm_eap_fast to disable it explicitly." "$LINENO" 5 | |
3376 | else | |
3377 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_fast." >&5 | |
3378 | $as_echo "$as_me: WARNING: silently not building rlm_eap_fast." >&2;} | |
3379 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_fast requires: $fail." >&5 | |
3380 | $as_echo "$as_me: WARNING: FAILURE: rlm_eap_fast requires: $fail." >&2;} | |
3381 | targetname="" | |
3382 | fi | |
3383 | fi | |
3384 | ||
3385 | ||
3386 | ||
3387 | ||
3388 | ||
3389 | unset ac_cv_env_LIBS_set | |
3390 | unset ac_cv_env_LIBS_value | |
3391 | ||
3392 | ac_config_files="$ac_config_files all.mk" | |
3393 | ||
3394 | cat >confcache <<\_ACEOF | |
3395 | # This file is a shell script that caches the results of configure | |
3396 | # tests run on this system so they can be shared between configure | |
3397 | # scripts and configure runs, see configure's option --config-cache. | |
3398 | # It is not useful on other systems. If it contains results you don't | |
3399 | # want to keep, you may remove or edit it. | |
3400 | # | |
3401 | # config.status only pays attention to the cache file if you give it | |
3402 | # the --recheck option to rerun configure. | |
3403 | # | |
3404 | # `ac_cv_env_foo' variables (set or unset) will be overridden when | |
3405 | # loading this file, other *unset* `ac_cv_foo' will be assigned the | |
3406 | # following values. | |
3407 | ||
3408 | _ACEOF | |
3409 | ||
3410 | # The following way of writing the cache mishandles newlines in values, | |
3411 | # but we know of no workaround that is simple, portable, and efficient. | |
3412 | # So, we kill variables containing newlines. | |
3413 | # Ultrix sh set writes to stderr and can't be redirected directly, | |
3414 | # and sets the high bit in the cache file unless we assign to the vars. | |
3415 | ( | |
3416 | for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do | |
3417 | eval ac_val=\$$ac_var | |
3418 | case $ac_val in #( | |
3419 | *${as_nl}*) | |
3420 | case $ac_var in #( | |
3421 | *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 | |
3422 | $as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; | |
3423 | esac | |
3424 | case $ac_var in #( | |
3425 | _ | IFS | as_nl) ;; #( | |
3426 | BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( | |
3427 | *) { eval $ac_var=; unset $ac_var;} ;; | |
3428 | esac ;; | |
3429 | esac | |
3430 | done | |
3431 | ||
3432 | (set) 2>&1 | | |
3433 | case $as_nl`(ac_space=' '; set) 2>&1` in #( | |
3434 | *${as_nl}ac_space=\ *) | |
3435 | # `set' does not quote correctly, so add quotes: double-quote | |
3436 | # substitution turns \\\\ into \\, and sed turns \\ into \. | |
3437 | sed -n \ | |
3438 | "s/'/'\\\\''/g; | |
3439 | s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" | |
3440 | ;; #( | |
3441 | *) | |
3442 | # `set' quotes correctly as required by POSIX, so do not add quotes. | |
3443 | sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" | |
3444 | ;; | |
3445 | esac | | |
3446 | sort | |
3447 | ) | | |
3448 | sed ' | |
3449 | /^ac_cv_env_/b end | |
3450 | t clear | |
3451 | :clear | |
3452 | s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ | |
3453 | t end | |
3454 | s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ | |
3455 | :end' >>confcache | |
3456 | if diff "$cache_file" confcache >/dev/null 2>&1; then :; else | |
3457 | if test -w "$cache_file"; then | |
3458 | if test "x$cache_file" != "x/dev/null"; then | |
3459 | { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 | |
3460 | $as_echo "$as_me: updating cache $cache_file" >&6;} | |
3461 | if test ! -f "$cache_file" || test -h "$cache_file"; then | |
3462 | cat confcache >"$cache_file" | |
3463 | else | |
3464 | case $cache_file in #( | |
3465 | */* | ?:*) | |
3466 | mv -f confcache "$cache_file"$$ && | |
3467 | mv -f "$cache_file"$$ "$cache_file" ;; #( | |
3468 | *) | |
3469 | mv -f confcache "$cache_file" ;; | |
3470 | esac | |
3471 | fi | |
3472 | fi | |
3473 | else | |
3474 | { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 | |
3475 | $as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} | |
3476 | fi | |
3477 | fi | |
3478 | rm -f confcache | |
3479 | ||
3480 | test "x$prefix" = xNONE && prefix=$ac_default_prefix | |
3481 | # Let make expand exec_prefix. | |
3482 | test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' | |
3483 | ||
3484 | # Transform confdefs.h into DEFS. | |
3485 | # Protect against shell expansion while executing Makefile rules. | |
3486 | # Protect against Makefile macro expansion. | |
3487 | # | |
3488 | # If the first sed substitution is executed (which looks for macros that | |
3489 | # take arguments), then branch to the quote section. Otherwise, | |
3490 | # look for a macro that doesn't take arguments. | |
3491 | ac_script=' | |
3492 | :mline | |
3493 | /\\$/{ | |
3494 | N | |
3495 | s,\\\n,, | |
3496 | b mline | |
3497 | } | |
3498 | t clear | |
3499 | :clear | |
3500 | s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g | |
3501 | t quote | |
3502 | s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g | |
3503 | t quote | |
3504 | b any | |
3505 | :quote | |
3506 | s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g | |
3507 | s/\[/\\&/g | |
3508 | s/\]/\\&/g | |
3509 | s/\$/$$/g | |
3510 | H | |
3511 | :any | |
3512 | ${ | |
3513 | g | |
3514 | s/^\n// | |
3515 | s/\n/ /g | |
3516 | p | |
3517 | } | |
3518 | ' | |
3519 | DEFS=`sed -n "$ac_script" confdefs.h` | |
3520 | ||
3521 | ||
3522 | ac_libobjs= | |
3523 | ac_ltlibobjs= | |
3524 | U= | |
3525 | for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue | |
3526 | # 1. Remove the extension, and $U if already installed. | |
3527 | ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' | |
3528 | ac_i=`$as_echo "$ac_i" | sed "$ac_script"` | |
3529 | # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR | |
3530 | # will be set to the directory where LIBOBJS objects are built. | |
3531 | as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" | |
3532 | as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' | |
3533 | done | |
3534 | LIBOBJS=$ac_libobjs | |
3535 | ||
3536 | LTLIBOBJS=$ac_ltlibobjs | |
3537 | ||
3538 | ||
3539 | ||
3540 | : "${CONFIG_STATUS=./config.status}" | |
3541 | ac_write_fail=0 | |
3542 | ac_clean_files_save=$ac_clean_files | |
3543 | ac_clean_files="$ac_clean_files $CONFIG_STATUS" | |
3544 | { $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 | |
3545 | $as_echo "$as_me: creating $CONFIG_STATUS" >&6;} | |
3546 | as_write_fail=0 | |
3547 | cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 | |
3548 | #! $SHELL | |
3549 | # Generated by $as_me. | |
3550 | # Run this file to recreate the current configuration. | |
3551 | # Compiler output produced by configure, useful for debugging | |
3552 | # configure, is in config.log if it exists. | |
3553 | ||
3554 | debug=false | |
3555 | ac_cs_recheck=false | |
3556 | ac_cs_silent=false | |
3557 | ||
3558 | SHELL=\${CONFIG_SHELL-$SHELL} | |
3559 | export SHELL | |
3560 | _ASEOF | |
3561 | cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 | |
3562 | ## -------------------- ## | |
3563 | ## M4sh Initialization. ## | |
3564 | ## -------------------- ## | |
3565 | ||
3566 | # Be more Bourne compatible | |
3567 | DUALCASE=1; export DUALCASE # for MKS sh | |
3568 | if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : | |
3569 | emulate sh | |
3570 | NULLCMD=: | |
3571 | # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which | |
3572 | # is contrary to our usage. Disable this feature. | |
3573 | alias -g '${1+"$@"}'='"$@"' | |
3574 | setopt NO_GLOB_SUBST | |
3575 | else | |
3576 | case `(set -o) 2>/dev/null` in #( | |
3577 | *posix*) : | |
3578 | set -o posix ;; #( | |
3579 | *) : | |
3580 | ;; | |
3581 | esac | |
3582 | fi | |
3583 | ||
3584 | ||
3585 | as_nl=' | |
3586 | ' | |
3587 | export as_nl | |
3588 | # Printing a long string crashes Solaris 7 /usr/bin/printf. | |
3589 | as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' | |
3590 | as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo | |
3591 | as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo | |
3592 | # Prefer a ksh shell builtin over an external printf program on Solaris, | |
3593 | # but without wasting forks for bash or zsh. | |
3594 | if test -z "$BASH_VERSION$ZSH_VERSION" \ | |
3595 | && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then | |
3596 | as_echo='print -r --' | |
3597 | as_echo_n='print -rn --' | |
3598 | elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then | |
3599 | as_echo='printf %s\n' | |
3600 | as_echo_n='printf %s' | |
3601 | else | |
3602 | if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then | |
3603 | as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' | |
3604 | as_echo_n='/usr/ucb/echo -n' | |
3605 | else | |
3606 | as_echo_body='eval expr "X$1" : "X\\(.*\\)"' | |
3607 | as_echo_n_body='eval | |
3608 | arg=$1; | |
3609 | case $arg in #( | |
3610 | *"$as_nl"*) | |
3611 | expr "X$arg" : "X\\(.*\\)$as_nl"; | |
3612 | arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; | |
3613 | esac; | |
3614 | expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" | |
3615 | ' | |
3616 | export as_echo_n_body | |
3617 | as_echo_n='sh -c $as_echo_n_body as_echo' | |
3618 | fi | |
3619 | export as_echo_body | |
3620 | as_echo='sh -c $as_echo_body as_echo' | |
3621 | fi | |
3622 | ||
3623 | # The user is always right. | |
3624 | if test "${PATH_SEPARATOR+set}" != set; then | |
3625 | PATH_SEPARATOR=: | |
3626 | (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { | |
3627 | (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || | |
3628 | PATH_SEPARATOR=';' | |
3629 | } | |
3630 | fi | |
3631 | ||
3632 | ||
3633 | # IFS | |
3634 | # We need space, tab and new line, in precisely that order. Quoting is | |
3635 | # there to prevent editors from complaining about space-tab. | |
3636 | # (If _AS_PATH_WALK were called with IFS unset, it would disable word | |
3637 | # splitting by setting IFS to empty value.) | |
3638 | IFS=" "" $as_nl" | |
3639 | ||
3640 | # Find who we are. Look in the path if we contain no directory separator. | |
3641 | as_myself= | |
3642 | case $0 in #(( | |
3643 | *[\\/]* ) as_myself=$0 ;; | |
3644 | *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR | |
3645 | for as_dir in $PATH | |
3646 | do | |
3647 | IFS=$as_save_IFS | |
3648 | test -z "$as_dir" && as_dir=. | |
3649 | test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break | |
3650 | done | |
3651 | IFS=$as_save_IFS | |
3652 | ||
3653 | ;; | |
3654 | esac | |
3655 | # We did not find ourselves, most probably we were run as `sh COMMAND' | |
3656 | # in which case we are not to be found in the path. | |
3657 | if test "x$as_myself" = x; then | |
3658 | as_myself=$0 | |
3659 | fi | |
3660 | if test ! -f "$as_myself"; then | |
3661 | $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 | |
3662 | exit 1 | |
3663 | fi | |
3664 | ||
3665 | # Unset variables that we do not need and which cause bugs (e.g. in | |
3666 | # pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" | |
3667 | # suppresses any "Segmentation fault" message there. '((' could | |
3668 | # trigger a bug in pdksh 5.2.14. | |
3669 | for as_var in BASH_ENV ENV MAIL MAILPATH | |
3670 | do eval test x\${$as_var+set} = xset \ | |
3671 | && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : | |
3672 | done | |
3673 | PS1='$ ' | |
3674 | PS2='> ' | |
3675 | PS4='+ ' | |
3676 | ||
3677 | # NLS nuisances. | |
3678 | LC_ALL=C | |
3679 | export LC_ALL | |
3680 | LANGUAGE=C | |
3681 | export LANGUAGE | |
3682 | ||
3683 | # CDPATH. | |
3684 | (unset CDPATH) >/dev/null 2>&1 && unset CDPATH | |
3685 | ||
3686 | ||
3687 | # as_fn_error STATUS ERROR [LINENO LOG_FD] | |
3688 | # ---------------------------------------- | |
3689 | # Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are | |
3690 | # provided, also output the error to LOG_FD, referencing LINENO. Then exit the | |
3691 | # script with STATUS, using 1 if that was 0. | |
3692 | as_fn_error () | |
3693 | { | |
3694 | as_status=$1; test $as_status -eq 0 && as_status=1 | |
3695 | if test "$4"; then | |
3696 | as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | |
3697 | $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 | |
3698 | fi | |
3699 | $as_echo "$as_me: error: $2" >&2 | |
3700 | as_fn_exit $as_status | |
3701 | } # as_fn_error | |
3702 | ||
3703 | ||
3704 | # as_fn_set_status STATUS | |
3705 | # ----------------------- | |
3706 | # Set $? to STATUS, without forking. | |
3707 | as_fn_set_status () | |
3708 | { | |
3709 | return $1 | |
3710 | } # as_fn_set_status | |
3711 | ||
3712 | # as_fn_exit STATUS | |
3713 | # ----------------- | |
3714 | # Exit the shell with STATUS, even in a "trap 0" or "set -e" context. | |
3715 | as_fn_exit () | |
3716 | { | |
3717 | set +e | |
3718 | as_fn_set_status $1 | |
3719 | exit $1 | |
3720 | } # as_fn_exit | |
3721 | ||
3722 | # as_fn_unset VAR | |
3723 | # --------------- | |
3724 | # Portably unset VAR. | |
3725 | as_fn_unset () | |
3726 | { | |
3727 | { eval $1=; unset $1;} | |
3728 | } | |
3729 | as_unset=as_fn_unset | |
3730 | # as_fn_append VAR VALUE | |
3731 | # ---------------------- | |
3732 | # Append the text in VALUE to the end of the definition contained in VAR. Take | |
3733 | # advantage of any shell optimizations that allow amortized linear growth over | |
3734 | # repeated appends, instead of the typical quadratic growth present in naive | |
3735 | # implementations. | |
3736 | if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : | |
3737 | eval 'as_fn_append () | |
3738 | { | |
3739 | eval $1+=\$2 | |
3740 | }' | |
3741 | else | |
3742 | as_fn_append () | |
3743 | { | |
3744 | eval $1=\$$1\$2 | |
3745 | } | |
3746 | fi # as_fn_append | |
3747 | ||
3748 | # as_fn_arith ARG... | |
3749 | # ------------------ | |
3750 | # Perform arithmetic evaluation on the ARGs, and store the result in the | |
3751 | # global $as_val. Take advantage of shells that can avoid forks. The arguments | |
3752 | # must be portable across $(()) and expr. | |
3753 | if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : | |
3754 | eval 'as_fn_arith () | |
3755 | { | |
3756 | as_val=$(( $* )) | |
3757 | }' | |
3758 | else | |
3759 | as_fn_arith () | |
3760 | { | |
3761 | as_val=`expr "$@" || test $? -eq 1` | |
3762 | } | |
3763 | fi # as_fn_arith | |
3764 | ||
3765 | ||
3766 | if expr a : '\(a\)' >/dev/null 2>&1 && | |
3767 | test "X`expr 00001 : '.*\(...\)'`" = X001; then | |
3768 | as_expr=expr | |
3769 | else | |
3770 | as_expr=false | |
3771 | fi | |
3772 | ||
3773 | if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then | |
3774 | as_basename=basename | |
3775 | else | |
3776 | as_basename=false | |
3777 | fi | |
3778 | ||
3779 | if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then | |
3780 | as_dirname=dirname | |
3781 | else | |
3782 | as_dirname=false | |
3783 | fi | |
3784 | ||
3785 | as_me=`$as_basename -- "$0" || | |
3786 | $as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ | |
3787 | X"$0" : 'X\(//\)$' \| \ | |
3788 | X"$0" : 'X\(/\)' \| . 2>/dev/null || | |
3789 | $as_echo X/"$0" | | |
3790 | sed '/^.*\/\([^/][^/]*\)\/*$/{ | |
3791 | s//\1/ | |
3792 | q | |
3793 | } | |
3794 | /^X\/\(\/\/\)$/{ | |
3795 | s//\1/ | |
3796 | q | |
3797 | } | |
3798 | /^X\/\(\/\).*/{ | |
3799 | s//\1/ | |
3800 | q | |
3801 | } | |
3802 | s/.*/./; q'` | |
3803 | ||
3804 | # Avoid depending upon Character Ranges. | |
3805 | as_cr_letters='abcdefghijklmnopqrstuvwxyz' | |
3806 | as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' | |
3807 | as_cr_Letters=$as_cr_letters$as_cr_LETTERS | |
3808 | as_cr_digits='0123456789' | |
3809 | as_cr_alnum=$as_cr_Letters$as_cr_digits | |
3810 | ||
3811 | ECHO_C= ECHO_N= ECHO_T= | |
3812 | case `echo -n x` in #((((( | |
3813 | -n*) | |
3814 | case `echo 'xy\c'` in | |
3815 | *c*) ECHO_T=' ';; # ECHO_T is single tab character. | |
3816 | xy) ECHO_C='\c';; | |
3817 | *) echo `echo ksh88 bug on AIX 6.1` > /dev/null | |
3818 | ECHO_T=' ';; | |
3819 | esac;; | |
3820 | *) | |
3821 | ECHO_N='-n';; | |
3822 | esac | |
3823 | ||
3824 | rm -f conf$$ conf$$.exe conf$$.file | |
3825 | if test -d conf$$.dir; then | |
3826 | rm -f conf$$.dir/conf$$.file | |
3827 | else | |
3828 | rm -f conf$$.dir | |
3829 | mkdir conf$$.dir 2>/dev/null | |
3830 | fi | |
3831 | if (echo >conf$$.file) 2>/dev/null; then | |
3832 | if ln -s conf$$.file conf$$ 2>/dev/null; then | |
3833 | as_ln_s='ln -s' | |
3834 | # ... but there are two gotchas: | |
3835 | # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. | |
3836 | # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. | |
3837 | # In both cases, we have to default to `cp -pR'. | |
3838 | ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || | |
3839 | as_ln_s='cp -pR' | |
3840 | elif ln conf$$.file conf$$ 2>/dev/null; then | |
3841 | as_ln_s=ln | |
3842 | else | |
3843 | as_ln_s='cp -pR' | |
3844 | fi | |
3845 | else | |
3846 | as_ln_s='cp -pR' | |
3847 | fi | |
3848 | rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file | |
3849 | rmdir conf$$.dir 2>/dev/null | |
3850 | ||
3851 | ||
3852 | # as_fn_mkdir_p | |
3853 | # ------------- | |
3854 | # Create "$as_dir" as a directory, including parents if necessary. | |
3855 | as_fn_mkdir_p () | |
3856 | { | |
3857 | ||
3858 | case $as_dir in #( | |
3859 | -*) as_dir=./$as_dir;; | |
3860 | esac | |
3861 | test -d "$as_dir" || eval $as_mkdir_p || { | |
3862 | as_dirs= | |
3863 | while :; do | |
3864 | case $as_dir in #( | |
3865 | *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( | |
3866 | *) as_qdir=$as_dir;; | |
3867 | esac | |
3868 | as_dirs="'$as_qdir' $as_dirs" | |
3869 | as_dir=`$as_dirname -- "$as_dir" || | |
3870 | $as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ | |
3871 | X"$as_dir" : 'X\(//\)[^/]' \| \ | |
3872 | X"$as_dir" : 'X\(//\)$' \| \ | |
3873 | X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || | |
3874 | $as_echo X"$as_dir" | | |
3875 | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ | |
3876 | s//\1/ | |
3877 | q | |
3878 | } | |
3879 | /^X\(\/\/\)[^/].*/{ | |
3880 | s//\1/ | |
3881 | q | |
3882 | } | |
3883 | /^X\(\/\/\)$/{ | |
3884 | s//\1/ | |
3885 | q | |
3886 | } | |
3887 | /^X\(\/\).*/{ | |
3888 | s//\1/ | |
3889 | q | |
3890 | } | |
3891 | s/.*/./; q'` | |
3892 | test -d "$as_dir" && break | |
3893 | done | |
3894 | test -z "$as_dirs" || eval "mkdir $as_dirs" | |
3895 | } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" | |
3896 | ||
3897 | ||
3898 | } # as_fn_mkdir_p | |
3899 | if mkdir -p . 2>/dev/null; then | |
3900 | as_mkdir_p='mkdir -p "$as_dir"' | |
3901 | else | |
3902 | test -d ./-p && rmdir ./-p | |
3903 | as_mkdir_p=false | |
3904 | fi | |
3905 | ||
3906 | ||
3907 | # as_fn_executable_p FILE | |
3908 | # ----------------------- | |
3909 | # Test if FILE is an executable regular file. | |
3910 | as_fn_executable_p () | |
3911 | { | |
3912 | test -f "$1" && test -x "$1" | |
3913 | } # as_fn_executable_p | |
3914 | as_test_x='test -x' | |
3915 | as_executable_p=as_fn_executable_p | |
3916 | ||
3917 | # Sed expression to map a string onto a valid CPP name. | |
3918 | as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" | |
3919 | ||
3920 | # Sed expression to map a string onto a valid variable name. | |
3921 | as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" | |
3922 | ||
3923 | ||
3924 | exec 6>&1 | |
3925 | ## ----------------------------------- ## | |
3926 | ## Main body of $CONFIG_STATUS script. ## | |
3927 | ## ----------------------------------- ## | |
3928 | _ASEOF | |
3929 | test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 | |
3930 | ||
3931 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
3932 | # Save the log message, to keep $0 and so on meaningful, and to | |
3933 | # report actual input values of CONFIG_FILES etc. instead of their | |
3934 | # values after options handling. | |
3935 | ac_log=" | |
3936 | This file was extended by $as_me, which was | |
3937 | generated by GNU Autoconf 2.69. Invocation command line was | |
3938 | ||
3939 | CONFIG_FILES = $CONFIG_FILES | |
3940 | CONFIG_HEADERS = $CONFIG_HEADERS | |
3941 | CONFIG_LINKS = $CONFIG_LINKS | |
3942 | CONFIG_COMMANDS = $CONFIG_COMMANDS | |
3943 | $ $0 $@ | |
3944 | ||
3945 | on `(hostname || uname -n) 2>/dev/null | sed 1q` | |
3946 | " | |
3947 | ||
3948 | _ACEOF | |
3949 | ||
3950 | case $ac_config_files in *" | |
3951 | "*) set x $ac_config_files; shift; ac_config_files=$*;; | |
3952 | esac | |
3953 | ||
3954 | ||
3955 | ||
3956 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
3957 | # Files that config.status was made for. | |
3958 | config_files="$ac_config_files" | |
3959 | ||
3960 | _ACEOF | |
3961 | ||
3962 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
3963 | ac_cs_usage="\ | |
3964 | \`$as_me' instantiates files and other configuration actions | |
3965 | from templates according to the current configuration. Unless the files | |
3966 | and actions are specified as TAGs, all are instantiated by default. | |
3967 | ||
3968 | Usage: $0 [OPTION]... [TAG]... | |
3969 | ||
3970 | -h, --help print this help, then exit | |
3971 | -V, --version print version number and configuration settings, then exit | |
3972 | --config print configuration, then exit | |
3973 | -q, --quiet, --silent | |
3974 | do not print progress messages | |
3975 | -d, --debug don't remove temporary files | |
3976 | --recheck update $as_me by reconfiguring in the same conditions | |
3977 | --file=FILE[:TEMPLATE] | |
3978 | instantiate the configuration file FILE | |
3979 | ||
3980 | Configuration files: | |
3981 | $config_files | |
3982 | ||
3983 | Report bugs to the package provider." | |
3984 | ||
3985 | _ACEOF | |
3986 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
3987 | ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" | |
3988 | ac_cs_version="\\ | |
3989 | config.status | |
3990 | configured by $0, generated by GNU Autoconf 2.69, | |
3991 | with options \\"\$ac_cs_config\\" | |
3992 | ||
3993 | Copyright (C) 2012 Free Software Foundation, Inc. | |
3994 | This config.status script is free software; the Free Software Foundation | |
3995 | gives unlimited permission to copy, distribute and modify it." | |
3996 | ||
3997 | ac_pwd='$ac_pwd' | |
3998 | srcdir='$srcdir' | |
3999 | test -n "\$AWK" || AWK=awk | |
4000 | _ACEOF | |
4001 | ||
4002 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
4003 | # The default lists apply if the user does not specify any file. | |
4004 | ac_need_defaults=: | |
4005 | while test $# != 0 | |
4006 | do | |
4007 | case $1 in | |
4008 | --*=?*) | |
4009 | ac_option=`expr "X$1" : 'X\([^=]*\)='` | |
4010 | ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` | |
4011 | ac_shift=: | |
4012 | ;; | |
4013 | --*=) | |
4014 | ac_option=`expr "X$1" : 'X\([^=]*\)='` | |
4015 | ac_optarg= | |
4016 | ac_shift=: | |
4017 | ;; | |
4018 | *) | |
4019 | ac_option=$1 | |
4020 | ac_optarg=$2 | |
4021 | ac_shift=shift | |
4022 | ;; | |
4023 | esac | |
4024 | ||
4025 | case $ac_option in | |
4026 | # Handling of the options. | |
4027 | -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) | |
4028 | ac_cs_recheck=: ;; | |
4029 | --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) | |
4030 | $as_echo "$ac_cs_version"; exit ;; | |
4031 | --config | --confi | --conf | --con | --co | --c ) | |
4032 | $as_echo "$ac_cs_config"; exit ;; | |
4033 | --debug | --debu | --deb | --de | --d | -d ) | |
4034 | debug=: ;; | |
4035 | --file | --fil | --fi | --f ) | |
4036 | $ac_shift | |
4037 | case $ac_optarg in | |
4038 | *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; | |
4039 | '') as_fn_error $? "missing file argument" ;; | |
4040 | esac | |
4041 | as_fn_append CONFIG_FILES " '$ac_optarg'" | |
4042 | ac_need_defaults=false;; | |
4043 | --he | --h | --help | --hel | -h ) | |
4044 | $as_echo "$ac_cs_usage"; exit ;; | |
4045 | -q | -quiet | --quiet | --quie | --qui | --qu | --q \ | |
4046 | | -silent | --silent | --silen | --sile | --sil | --si | --s) | |
4047 | ac_cs_silent=: ;; | |
4048 | ||
4049 | # This is an error. | |
4050 | -*) as_fn_error $? "unrecognized option: \`$1' | |
4051 | Try \`$0 --help' for more information." ;; | |
4052 | ||
4053 | *) as_fn_append ac_config_targets " $1" | |
4054 | ac_need_defaults=false ;; | |
4055 | ||
4056 | esac | |
4057 | shift | |
4058 | done | |
4059 | ||
4060 | ac_configure_extra_args= | |
4061 | ||
4062 | if $ac_cs_silent; then | |
4063 | exec 6>/dev/null | |
4064 | ac_configure_extra_args="$ac_configure_extra_args --silent" | |
4065 | fi | |
4066 | ||
4067 | _ACEOF | |
4068 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
4069 | if \$ac_cs_recheck; then | |
4070 | set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion | |
4071 | shift | |
4072 | \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 | |
4073 | CONFIG_SHELL='$SHELL' | |
4074 | export CONFIG_SHELL | |
4075 | exec "\$@" | |
4076 | fi | |
4077 | ||
4078 | _ACEOF | |
4079 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
4080 | exec 5>>config.log | |
4081 | { | |
4082 | echo | |
4083 | sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX | |
4084 | ## Running $as_me. ## | |
4085 | _ASBOX | |
4086 | $as_echo "$ac_log" | |
4087 | } >&5 | |
4088 | ||
4089 | _ACEOF | |
4090 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
4091 | _ACEOF | |
4092 | ||
4093 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
4094 | ||
4095 | # Handling of arguments. | |
4096 | for ac_config_target in $ac_config_targets | |
4097 | do | |
4098 | case $ac_config_target in | |
4099 | "all.mk") CONFIG_FILES="$CONFIG_FILES all.mk" ;; | |
4100 | ||
4101 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; | |
4102 | esac | |
4103 | done | |
4104 | ||
4105 | ||
4106 | # If the user did not use the arguments to specify the items to instantiate, | |
4107 | # then the envvar interface is used. Set only those that are not. | |
4108 | # We use the long form for the default assignment because of an extremely | |
4109 | # bizarre bug on SunOS 4.1.3. | |
4110 | if $ac_need_defaults; then | |
4111 | test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files | |
4112 | fi | |
4113 | ||
4114 | # Have a temporary directory for convenience. Make it in the build tree | |
4115 | # simply because there is no reason against having it here, and in addition, | |
4116 | # creating and moving files from /tmp can sometimes cause problems. | |
4117 | # Hook for its removal unless debugging. | |
4118 | # Note that there is a small window in which the directory will not be cleaned: | |
4119 | # after its creation but before its name has been assigned to `$tmp'. | |
4120 | $debug || | |
4121 | { | |
4122 | tmp= ac_tmp= | |
4123 | trap 'exit_status=$? | |
4124 | : "${ac_tmp:=$tmp}" | |
4125 | { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status | |
4126 | ' 0 | |
4127 | trap 'as_fn_exit 1' 1 2 13 15 | |
4128 | } | |
4129 | # Create a (secure) tmp directory for tmp files. | |
4130 | ||
4131 | { | |
4132 | tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && | |
4133 | test -d "$tmp" | |
4134 | } || | |
4135 | { | |
4136 | tmp=./conf$$-$RANDOM | |
4137 | (umask 077 && mkdir "$tmp") | |
4138 | } || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 | |
4139 | ac_tmp=$tmp | |
4140 | ||
4141 | # Set up the scripts for CONFIG_FILES section. | |
4142 | # No need to generate them if there are no CONFIG_FILES. | |
4143 | # This happens for instance with `./config.status config.h'. | |
4144 | if test -n "$CONFIG_FILES"; then | |
4145 | ||
4146 | ||
4147 | ac_cr=`echo X | tr X '\015'` | |
4148 | # On cygwin, bash can eat \r inside `` if the user requested igncr. | |
4149 | # But we know of no other shell where ac_cr would be empty at this | |
4150 | # point, so we can use a bashism as a fallback. | |
4151 | if test "x$ac_cr" = x; then | |
4152 | eval ac_cr=\$\'\\r\' | |
4153 | fi | |
4154 | ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null` | |
4155 | if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then | |
4156 | ac_cs_awk_cr='\\r' | |
4157 | else | |
4158 | ac_cs_awk_cr=$ac_cr | |
4159 | fi | |
4160 | ||
4161 | echo 'BEGIN {' >"$ac_tmp/subs1.awk" && | |
4162 | _ACEOF | |
4163 | ||
4164 | ||
4165 | { | |
4166 | echo "cat >conf$$subs.awk <<_ACEOF" && | |
4167 | echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && | |
4168 | echo "_ACEOF" | |
4169 | } >conf$$subs.sh || | |
4170 | as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 | |
4171 | ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` | |
4172 | ac_delim='%!_!# ' | |
4173 | for ac_last_try in false false false false false :; do | |
4174 | . ./conf$$subs.sh || | |
4175 | as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 | |
4176 | ||
4177 | ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` | |
4178 | if test $ac_delim_n = $ac_delim_num; then | |
4179 | break | |
4180 | elif $ac_last_try; then | |
4181 | as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 | |
4182 | else | |
4183 | ac_delim="$ac_delim!$ac_delim _$ac_delim!! " | |
4184 | fi | |
4185 | done | |
4186 | rm -f conf$$subs.sh | |
4187 | ||
4188 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
4189 | cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && | |
4190 | _ACEOF | |
4191 | sed -n ' | |
4192 | h | |
4193 | s/^/S["/; s/!.*/"]=/ | |
4194 | p | |
4195 | g | |
4196 | s/^[^!]*!// | |
4197 | :repl | |
4198 | t repl | |
4199 | s/'"$ac_delim"'$// | |
4200 | t delim | |
4201 | :nl | |
4202 | h | |
4203 | s/\(.\{148\}\)..*/\1/ | |
4204 | t more1 | |
4205 | s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ | |
4206 | p | |
4207 | n | |
4208 | b repl | |
4209 | :more1 | |
4210 | s/["\\]/\\&/g; s/^/"/; s/$/"\\/ | |
4211 | p | |
4212 | g | |
4213 | s/.\{148\}// | |
4214 | t nl | |
4215 | :delim | |
4216 | h | |
4217 | s/\(.\{148\}\)..*/\1/ | |
4218 | t more2 | |
4219 | s/["\\]/\\&/g; s/^/"/; s/$/"/ | |
4220 | p | |
4221 | b | |
4222 | :more2 | |
4223 | s/["\\]/\\&/g; s/^/"/; s/$/"\\/ | |
4224 | p | |
4225 | g | |
4226 | s/.\{148\}// | |
4227 | t delim | |
4228 | ' <conf$$subs.awk | sed ' | |
4229 | /^[^""]/{ | |
4230 | N | |
4231 | s/\n// | |
4232 | } | |
4233 | ' >>$CONFIG_STATUS || ac_write_fail=1 | |
4234 | rm -f conf$$subs.awk | |
4235 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
4236 | _ACAWK | |
4237 | cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && | |
4238 | for (key in S) S_is_set[key] = 1 | |
4239 | FS = "" | |
4240 | ||
4241 | } | |
4242 | { | |
4243 | line = $ 0 | |
4244 | nfields = split(line, field, "@") | |
4245 | substed = 0 | |
4246 | len = length(field[1]) | |
4247 | for (i = 2; i < nfields; i++) { | |
4248 | key = field[i] | |
4249 | keylen = length(key) | |
4250 | if (S_is_set[key]) { | |
4251 | value = S[key] | |
4252 | line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) | |
4253 | len += length(value) + length(field[++i]) | |
4254 | substed = 1 | |
4255 | } else | |
4256 | len += 1 + keylen | |
4257 | } | |
4258 | ||
4259 | print line | |
4260 | } | |
4261 | ||
4262 | _ACAWK | |
4263 | _ACEOF | |
4264 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
4265 | if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then | |
4266 | sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" | |
4267 | else | |
4268 | cat | |
4269 | fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ | |
4270 | || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 | |
4271 | _ACEOF | |
4272 | ||
4273 | # VPATH may cause trouble with some makes, so we remove sole $(srcdir), | |
4274 | # ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and | |
4275 | # trailing colons and then remove the whole line if VPATH becomes empty | |
4276 | # (actually we leave an empty line to preserve line numbers). | |
4277 | if test "x$srcdir" = x.; then | |
4278 | ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ | |
4279 | h | |
4280 | s/// | |
4281 | s/^/:/ | |
4282 | s/[ ]*$/:/ | |
4283 | s/:\$(srcdir):/:/g | |
4284 | s/:\${srcdir}:/:/g | |
4285 | s/:@srcdir@:/:/g | |
4286 | s/^:*// | |
4287 | s/:*$// | |
4288 | x | |
4289 | s/\(=[ ]*\).*/\1/ | |
4290 | G | |
4291 | s/\n// | |
4292 | s/^[^=]*=[ ]*$// | |
4293 | }' | |
4294 | fi | |
4295 | ||
4296 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
4297 | fi # test -n "$CONFIG_FILES" | |
4298 | ||
4299 | ||
4300 | eval set X " :F $CONFIG_FILES " | |
4301 | shift | |
4302 | for ac_tag | |
4303 | do | |
4304 | case $ac_tag in | |
4305 | :[FHLC]) ac_mode=$ac_tag; continue;; | |
4306 | esac | |
4307 | case $ac_mode$ac_tag in | |
4308 | :[FHL]*:*);; | |
4309 | :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; | |
4310 | :[FH]-) ac_tag=-:-;; | |
4311 | :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; | |
4312 | esac | |
4313 | ac_save_IFS=$IFS | |
4314 | IFS=: | |
4315 | set x $ac_tag | |
4316 | IFS=$ac_save_IFS | |
4317 | shift | |
4318 | ac_file=$1 | |
4319 | shift | |
4320 | ||
4321 | case $ac_mode in | |
4322 | :L) ac_source=$1;; | |
4323 | :[FH]) | |
4324 | ac_file_inputs= | |
4325 | for ac_f | |
4326 | do | |
4327 | case $ac_f in | |
4328 | -) ac_f="$ac_tmp/stdin";; | |
4329 | *) # Look for the file first in the build tree, then in the source tree | |
4330 | # (if the path is not absolute). The absolute path cannot be DOS-style, | |
4331 | # because $ac_f cannot contain `:'. | |
4332 | test -f "$ac_f" || | |
4333 | case $ac_f in | |
4334 | [\\/$]*) false;; | |
4335 | *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; | |
4336 | esac || | |
4337 | as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; | |
4338 | esac | |
4339 | case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac | |
4340 | as_fn_append ac_file_inputs " '$ac_f'" | |
4341 | done | |
4342 | ||
4343 | # Let's still pretend it is `configure' which instantiates (i.e., don't | |
4344 | # use $as_me), people would be surprised to read: | |
4345 | # /* config.h. Generated by config.status. */ | |
4346 | configure_input='Generated from '` | |
4347 | $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' | |
4348 | `' by configure.' | |
4349 | if test x"$ac_file" != x-; then | |
4350 | configure_input="$ac_file. $configure_input" | |
4351 | { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 | |
4352 | $as_echo "$as_me: creating $ac_file" >&6;} | |
4353 | fi | |
4354 | # Neutralize special characters interpreted by sed in replacement strings. | |
4355 | case $configure_input in #( | |
4356 | *\&* | *\|* | *\\* ) | |
4357 | ac_sed_conf_input=`$as_echo "$configure_input" | | |
4358 | sed 's/[\\\\&|]/\\\\&/g'`;; #( | |
4359 | *) ac_sed_conf_input=$configure_input;; | |
4360 | esac | |
4361 | ||
4362 | case $ac_tag in | |
4363 | *:-:* | *:-) cat >"$ac_tmp/stdin" \ | |
4364 | || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; | |
4365 | esac | |
4366 | ;; | |
4367 | esac | |
4368 | ||
4369 | ac_dir=`$as_dirname -- "$ac_file" || | |
4370 | $as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ | |
4371 | X"$ac_file" : 'X\(//\)[^/]' \| \ | |
4372 | X"$ac_file" : 'X\(//\)$' \| \ | |
4373 | X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || | |
4374 | $as_echo X"$ac_file" | | |
4375 | sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ | |
4376 | s//\1/ | |
4377 | q | |
4378 | } | |
4379 | /^X\(\/\/\)[^/].*/{ | |
4380 | s//\1/ | |
4381 | q | |
4382 | } | |
4383 | /^X\(\/\/\)$/{ | |
4384 | s//\1/ | |
4385 | q | |
4386 | } | |
4387 | /^X\(\/\).*/{ | |
4388 | s//\1/ | |
4389 | q | |
4390 | } | |
4391 | s/.*/./; q'` | |
4392 | as_dir="$ac_dir"; as_fn_mkdir_p | |
4393 | ac_builddir=. | |
4394 | ||
4395 | case "$ac_dir" in | |
4396 | .) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; | |
4397 | *) | |
4398 | ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` | |
4399 | # A ".." for each directory in $ac_dir_suffix. | |
4400 | ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` | |
4401 | case $ac_top_builddir_sub in | |
4402 | "") ac_top_builddir_sub=. ac_top_build_prefix= ;; | |
4403 | *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; | |
4404 | esac ;; | |
4405 | esac | |
4406 | ac_abs_top_builddir=$ac_pwd | |
4407 | ac_abs_builddir=$ac_pwd$ac_dir_suffix | |
4408 | # for backward compatibility: | |
4409 | ac_top_builddir=$ac_top_build_prefix | |
4410 | ||
4411 | case $srcdir in | |
4412 | .) # We are building in place. | |
4413 | ac_srcdir=. | |
4414 | ac_top_srcdir=$ac_top_builddir_sub | |
4415 | ac_abs_top_srcdir=$ac_pwd ;; | |
4416 | [\\/]* | ?:[\\/]* ) # Absolute name. | |
4417 | ac_srcdir=$srcdir$ac_dir_suffix; | |
4418 | ac_top_srcdir=$srcdir | |
4419 | ac_abs_top_srcdir=$srcdir ;; | |
4420 | *) # Relative name. | |
4421 | ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix | |
4422 | ac_top_srcdir=$ac_top_build_prefix$srcdir | |
4423 | ac_abs_top_srcdir=$ac_pwd/$srcdir ;; | |
4424 | esac | |
4425 | ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix | |
4426 | ||
4427 | ||
4428 | case $ac_mode in | |
4429 | :F) | |
4430 | # | |
4431 | # CONFIG_FILE | |
4432 | # | |
4433 | ||
4434 | _ACEOF | |
4435 | ||
4436 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
4437 | # If the template does not know about datarootdir, expand it. | |
4438 | # FIXME: This hack should be removed a few years after 2.60. | |
4439 | ac_datarootdir_hack=; ac_datarootdir_seen= | |
4440 | ac_sed_dataroot=' | |
4441 | /datarootdir/ { | |
4442 | p | |
4443 | q | |
4444 | } | |
4445 | /@datadir@/p | |
4446 | /@docdir@/p | |
4447 | /@infodir@/p | |
4448 | /@localedir@/p | |
4449 | /@mandir@/p' | |
4450 | case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in | |
4451 | *datarootdir*) ac_datarootdir_seen=yes;; | |
4452 | *@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) | |
4453 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 | |
4454 | $as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} | |
4455 | _ACEOF | |
4456 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
4457 | ac_datarootdir_hack=' | |
4458 | s&@datadir@&$datadir&g | |
4459 | s&@docdir@&$docdir&g | |
4460 | s&@infodir@&$infodir&g | |
4461 | s&@localedir@&$localedir&g | |
4462 | s&@mandir@&$mandir&g | |
4463 | s&\\\${datarootdir}&$datarootdir&g' ;; | |
4464 | esac | |
4465 | _ACEOF | |
4466 | ||
4467 | # Neutralize VPATH when `$srcdir' = `.'. | |
4468 | # Shell code in configure.ac might set extrasub. | |
4469 | # FIXME: do we really want to maintain this feature? | |
4470 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
4471 | ac_sed_extra="$ac_vpsub | |
4472 | $extrasub | |
4473 | _ACEOF | |
4474 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
4475 | :t | |
4476 | /@[a-zA-Z_][a-zA-Z_0-9]*@/!b | |
4477 | s|@configure_input@|$ac_sed_conf_input|;t t | |
4478 | s&@top_builddir@&$ac_top_builddir_sub&;t t | |
4479 | s&@top_build_prefix@&$ac_top_build_prefix&;t t | |
4480 | s&@srcdir@&$ac_srcdir&;t t | |
4481 | s&@abs_srcdir@&$ac_abs_srcdir&;t t | |
4482 | s&@top_srcdir@&$ac_top_srcdir&;t t | |
4483 | s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t | |
4484 | s&@builddir@&$ac_builddir&;t t | |
4485 | s&@abs_builddir@&$ac_abs_builddir&;t t | |
4486 | s&@abs_top_builddir@&$ac_abs_top_builddir&;t t | |
4487 | $ac_datarootdir_hack | |
4488 | " | |
4489 | eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ | |
4490 | >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 | |
4491 | ||
4492 | test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && | |
4493 | { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && | |
4494 | { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ | |
4495 | "$ac_tmp/out"`; test -z "$ac_out"; } && | |
4496 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' | |
4497 | which seems to be undefined. Please make sure it is defined" >&5 | |
4498 | $as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' | |
4499 | which seems to be undefined. Please make sure it is defined" >&2;} | |
4500 | ||
4501 | rm -f "$ac_tmp/stdin" | |
4502 | case $ac_file in | |
4503 | -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; | |
4504 | *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; | |
4505 | esac \ | |
4506 | || as_fn_error $? "could not create $ac_file" "$LINENO" 5 | |
4507 | ;; | |
4508 | ||
4509 | ||
4510 | ||
4511 | esac | |
4512 | ||
4513 | done # for ac_tag | |
4514 | ||
4515 | ||
4516 | as_fn_exit 0 | |
4517 | _ACEOF | |
4518 | ac_clean_files=$ac_clean_files_save | |
4519 | ||
4520 | test $ac_write_fail = 0 || | |
4521 | as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 | |
4522 | ||
4523 | ||
4524 | # configure is writing to config.log, and then calls config.status. | |
4525 | # config.status does its own redirection, appending to config.log. | |
4526 | # Unfortunately, on DOS this fails, as config.log is still kept open | |
4527 | # by configure, so config.status won't be able to write to it; its | |
4528 | # output is simply discarded. So we exec the FD to /dev/null, | |
4529 | # effectively closing config.log, so it can be properly (re)opened and | |
4530 | # appended to by config.status. When coming back to configure, we | |
4531 | # need to make the FD available again. | |
4532 | if test "$no_create" != yes; then | |
4533 | ac_cs_success=: | |
4534 | ac_config_status_args= | |
4535 | test "$silent" = yes && | |
4536 | ac_config_status_args="$ac_config_status_args --quiet" | |
4537 | exec 5>/dev/null | |
4538 | $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false | |
4539 | exec 5>>config.log | |
4540 | # Use ||, not &&, to avoid exiting from the if with $? = 1, which | |
4541 | # would make configure fail if this is the last instruction. | |
4542 | $ac_cs_success || as_fn_exit 1 | |
4543 | fi | |
4544 | if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then | |
4545 | { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 | |
4546 | $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} | |
4547 | fi | |
4548 | ||
4549 |
0 | # | |
1 | # Autoconf input file. | |
2 | # | |
3 | # Version: $Id$ | |
4 | # | |
5 | ||
6 | AC_PREREQ([2.53]) | |
7 | AC_INIT(rlm_eap_fast.c) | |
8 | AC_REVISION($Revision$) | |
9 | AC_DEFUN(modname,[rlm_eap_fast]) | |
10 | ||
11 | mod_ldflags= | |
12 | mod_cflags= | |
13 | ||
14 | if test x$with_[]modname != xno; then | |
15 | ||
16 | dnl ############################################################ | |
17 | dnl # Check for command line options | |
18 | dnl ############################################################ | |
19 | dnl extra argument: --with-openssl-lib-dir | |
20 | openssl_lib_dir= | |
21 | AC_ARG_WITH(openssl-lib-dir, | |
22 | [ --with-openssl-lib-dir=DIR directory for LDAP library files []], | |
23 | [ case "$withval" in | |
24 | no) | |
25 | AC_MSG_ERROR(Need openssl-lib-dir) | |
26 | ;; | |
27 | yes) | |
28 | ;; | |
29 | *) | |
30 | openssl_lib_dir="$withval" | |
31 | ;; | |
32 | esac ] | |
33 | ) | |
34 | ||
35 | dnl extra argument: --with-openssl-include-dir | |
36 | openssl_include_dir= | |
37 | AC_ARG_WITH(openssl-include-dir, | |
38 | [ --with-openssl-include-dir=DIR directory for LDAP include files []], | |
39 | [ case "$withval" in | |
40 | no) | |
41 | AC_MSG_ERROR(Need openssl-include-dir) | |
42 | ;; | |
43 | yes) | |
44 | ;; | |
45 | *) | |
46 | openssl_include_dir="$withval" | |
47 | ;; | |
48 | esac ] | |
49 | ) | |
50 | ||
51 | dnl ############################################################ | |
52 | dnl # Check for header files | |
53 | dnl ############################################################ | |
54 | ||
55 | smart_try_dir=$openssl_include_dir | |
56 | FR_SMART_CHECK_INCLUDE(openssl/ec.h) | |
57 | if test "$ac_cv_header_openssl_ec_h" != "yes"; then | |
58 | fail="$fail openssl/ec.h" | |
59 | fi | |
60 | ||
61 | smart_try_dir=$openssl_lib_dir | |
62 | FR_SMART_CHECK_LIB(crypto, EVP_CIPHER_CTX_new) | |
63 | if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" != "xyes"; then | |
64 | fail="libssl" | |
65 | fi | |
66 | ||
67 | AC_EGREP_CPP(yes, | |
68 | [#include <openssl/crypto.h> | |
69 | #if (OPENSSL_VERSION_NUMBER >= 0x01000100fL) | |
70 | yes | |
71 | #endif | |
72 | ], | |
73 | [ | |
74 | AC_MSG_CHECKING([for OpenSSL version >= 1.0.1a]) | |
75 | AC_MSG_RESULT(yes) | |
76 | ], | |
77 | [ | |
78 | AC_MSG_CHECKING([for OpenSSL version >= 1.0.1a]) | |
79 | AC_MSG_RESULT(no) | |
80 | fail="openssl>1.0.1" | |
81 | ] | |
82 | ) | |
83 | ||
84 | targetname=modname | |
85 | else | |
86 | targetname= | |
87 | echo \*\*\* module modname is disabled. | |
88 | fi | |
89 | ||
90 | if test x"$fail" != x""; then | |
91 | if test x"${enable_strict_dependencies}" = x"yes"; then | |
92 | AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.]) | |
93 | else | |
94 | AC_MSG_WARN([silently not building ]modname[.]) | |
95 | AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]) | |
96 | targetname="" | |
97 | fi | |
98 | fi | |
99 | ||
100 | AC_SUBST(mod_ldflags) | |
101 | AC_SUBST(mod_cflags) | |
102 | AC_SUBST(targetname) | |
103 | AC_OUTPUT(all.mk) |
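Review bot: The failure list is overwritten rather than extended in the library and version checks: `fail="libssl"` (line 64) and `fail="openssl>1.0.1"` (line 80) discard the `openssl/ec.h` entry that line 58 appended, so the final warning names only the last missing dependency. Appending keeps every cause visible, e.g. `fail="$fail libcrypto"` and `fail="$fail openssl>=1.0.1"`; the first also names the library that was actually probed (`-lcrypto`). Separately, both `--with-openssl-*-dir` help strings still say "LDAP". The version test `0x01000100fL` also looks like the 1.0.1 release value rather than the "1.0.1a" printed by `AC_MSG_CHECKING`, so either the constant or the message should be adjusted.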
950 | 950 | if (t->stage == AUTHENTICATION) { /* FIXME do this only for MSCHAPv2 */ |
951 | 951 | VALUE_PAIR *tvp; |
952 | 952 | |
953 | RWDEBUG2("AUTHENTICATION"); | |
954 | vp = fr_pair_make(fake, &fake->config, "EAP-Type", "0", T_OP_EQ); | |
955 | vp->vp_integer = t->default_method; | |
956 | RWDEBUG2("AUTHENTICATION"); | |
953 | RDEBUG2("AUTHENTICATION"); | |
954 | vp = fr_pair_make(fake, &fake->config, "EAP-Type", "0", T_OP_EQ); | |
955 | vp->vp_integer = t->default_method; | |
957 | 956 | |
958 | 957 | /* |
959 | 958 | * RFC 5422 section 3.2.3 - Authenticating Using EAP-FAST-MSCHAPv2 |
1235 | 1234 | |
1236 | 1235 | eap_fast_append_result(tls_session, code); |
1237 | 1236 | |
1238 | if (code == PW_CODE_ACCESS_REJECT) | |
1239 | break; | |
1240 | ||
1241 | 1237 | if (t->pac.send) { |
1242 | 1238 | RDEBUG("Peer requires new PAC"); |
1243 | 1239 | eap_fast_send_pac_tunnel(request, tls_session); |
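Review bot: With the `if (code == PW_CODE_ACCESS_REJECT) break;` guard removed after `eap_fast_append_result()`, the `if (t->pac.send)` branch below is now reachable for a rejected inner authentication, and it calls `eap_fast_send_pac_tunnel()`. Whether `t->pac.send` can still be set on that path is not visible here, because the surrounding function starts and ends outside the hunk. Issuing a PAC to a peer whose authentication just failed would hand out a credential usable in later sessions. Keeping the PAC conditional on success would be the conservative form: `if (t->pac.send && (code != PW_CODE_ACCESS_REJECT)) {`. If the rejected path is meant to continue, a comment at this point saying why would help the next reader.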
184 | 184 | } |
185 | 185 | |
186 | 186 | // hostap:src/crypto/tls_openssl.c:tls_sess_sec_cb() |
187 | #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) | |
187 | 188 | static int _session_secret(SSL *s, void *secret, int *secret_len, |
188 | 189 | UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers, |
189 | 190 | UNUSED SSL_CIPHER **cipher, void *arg) |
191 | #else | |
192 | static int _session_secret(SSL *s, void *secret, int *secret_len, | |
193 | UNUSED STACK_OF(SSL_CIPHER) *peer_ciphers, | |
194 | UNUSED const SSL_CIPHER **cipher, void *arg) | |
195 | #endif | |
190 | 196 | { |
191 | 197 | // FIXME enforce non-anon cipher |
192 | 198 | |
205 | 211 | #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) |
206 | 212 | eap_fast_session_ticket(tls_session, s->s3->client_random, s->s3->server_random, secret, secret_len); |
207 | 213 | #else |
208 | uint8_t const client_random[SSL3_RANDOM_SIZE]; | |
209 | uint8_t const server_random[SSL3_RANDOM_SIZE]; | |
214 | uint8_t client_random[SSL3_RANDOM_SIZE]; | |
215 | uint8_t server_random[SSL3_RANDOM_SIZE]; | |
210 | 216 | |
211 | 217 | SSL_get_client_random(s, client_random, sizeof(client_random)); |
212 | 218 | SSL_get_server_random(s, server_random, sizeof(server_random)); |
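Review bot: The duplicated `_session_secret` prototype has no comment saying what differs between the two branches, and the only difference is `const` on the `cipher` parameter. A one-line comment above the `#if` would make that obvious, for example `/* OpenSSL 1.1.0 made the cipher argument of the session secret callback const */`. In the `#else` branch further down, the return values of `SSL_get_client_random()` and `SSL_get_server_random()` are ignored. That is probably harmless with buffers of `SSL3_RANDOM_SIZE`, but a comment or a check would make it explicit. The function body continues outside the hunks.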
206 | 206 | * Verify the tunneled EAP message. |
207 | 207 | */ |
208 | 208 | static int eapmessage_verify(REQUEST *request, |
209 | uint8_t const *data, unsigned int data_len) | |
209 | uint8_t const *data, unsigned int data_len, int peap_version) | |
210 | 210 | { |
211 | 211 | eap_packet_raw_t const *eap_packet = (eap_packet_raw_t const *) data; |
212 | 212 | eap_type_t eap_method; |
213 | ||
214 | /* | |
215 | * Hack for now. | |
216 | */ | |
217 | if (peap_version == 1) return 1; | |
213 | 218 | |
214 | 219 | /* |
215 | 220 | * No data, OR only 1 byte of EAP type. |
240 | 245 | RDEBUG2("Received EAP-TLV response"); |
241 | 246 | return 1; |
242 | 247 | } |
243 | RDEBUG2("Got something weird"); | |
248 | RDEBUG2("Received unexpected EAP-Response, rejecting the session."); | |
244 | 249 | break; |
245 | 250 | |
246 | 251 | |
263 | 268 | */ |
264 | 269 | static VALUE_PAIR *eap2vp(UNUSED REQUEST *request, RADIUS_PACKET *packet, |
265 | 270 | EAP_DS *eap_ds, |
266 | uint8_t const *data, size_t data_len) | |
271 | uint8_t const *data, size_t data_len, int peap_version) | |
267 | 272 | { |
268 | 273 | size_t total; |
269 | 274 | uint8_t *p; |
280 | 285 | total = data_len; |
281 | 286 | if (total > 249) total = 249; |
282 | 287 | |
283 | /* | |
284 | * Hand-build an EAP packet from the crap in PEAP version 0. | |
285 | */ | |
286 | vp->vp_length = EAP_HEADER_LEN + total; | |
287 | vp->vp_octets = p = talloc_array(vp, uint8_t, vp->vp_length); | |
288 | ||
289 | p[0] = PW_EAP_RESPONSE; | |
290 | p[1] = eap_ds->response->id; | |
291 | p[2] = (data_len + EAP_HEADER_LEN) >> 8; | |
292 | p[3] = (data_len + EAP_HEADER_LEN) & 0xff; | |
293 | ||
294 | memcpy(p + EAP_HEADER_LEN, data, total); | |
288 | if (peap_version == 0) { | |
289 | /* | |
290 | * Hand-build an EAP packet from the crap in PEAP version 0. | |
291 | */ | |
292 | vp->vp_length = EAP_HEADER_LEN + total; | |
293 | vp->vp_octets = p = talloc_array(vp, uint8_t, vp->vp_length); | |
294 | ||
295 | p[0] = PW_EAP_RESPONSE; | |
296 | p[1] = eap_ds->response->id; | |
297 | p[2] = (data_len + EAP_HEADER_LEN) >> 8; | |
298 | p[3] = (data_len + EAP_HEADER_LEN) & 0xff; | |
299 | ||
300 | memcpy(p + EAP_HEADER_LEN, data, total); | |
301 | ||
302 | } else { /* peapv1 */ | |
303 | vp->vp_length = total; | |
304 | vp->vp_octets = p = talloc_array(vp, uint8_t, vp->vp_length); | |
305 | memcpy(p, data, total); | |
306 | } | |
295 | 307 | |
296 | 308 | fr_cursor_init(&cursor, &head); |
297 | 309 | fr_cursor_insert(&cursor, vp); |
322 | 334 | rad_assert(vp != NULL); |
323 | 335 | VALUE_PAIR *this; |
324 | 336 | vp_cursor_t cursor; |
337 | size_t header = EAP_HEADER_LEN; | |
338 | ||
339 | if (tls_session->peap_flag > 0) header = 0; | |
325 | 340 | |
326 | 341 | /* |
327 | 342 | * Skip the id, code, and length. Just write the EAP |
329 | 344 | */ |
330 | 345 | #ifndef NDEBUG |
331 | 346 | if ((rad_debug_lvl > 2) && fr_log_fp) { |
332 | size_t i, total, start = EAP_HEADER_LEN; | |
347 | size_t i, total, start = header; | |
333 | 348 | total = 0; |
334 | 349 | |
335 | 350 | for (this = fr_cursor_init(&cursor, &vp); this; this = fr_cursor_next(&cursor)) { |
359 | 374 | * Send the EAP data in the first attribute, WITHOUT the |
360 | 375 | * header. |
361 | 376 | */ |
362 | (tls_session->record_plus)(&tls_session->clean_in, vp->vp_octets + EAP_HEADER_LEN, vp->vp_length - EAP_HEADER_LEN); | |
377 | (tls_session->record_plus)(&tls_session->clean_in, vp->vp_octets + header, vp->vp_length - header); | |
363 | 378 | |
364 | 379 | /* |
365 | 380 | * Send the rest of the EAP data, but skipping the first VP. |
729 | 744 | rlm_rcode_t rcode = RLM_MODULE_REJECT; |
730 | 745 | uint8_t const *data; |
731 | 746 | unsigned int data_len; |
747 | size_t header = 0; | |
732 | 748 | |
733 | 749 | REQUEST *request = handler->request; |
734 | 750 | EAP_DS *eap_ds = handler->eap_ds; |
744 | 760 | RDEBUG2("PEAP state %s", peap_state(t)); |
745 | 761 | |
746 | 762 | if ((t->status != PEAP_STATUS_TUNNEL_ESTABLISHED) && |
747 | !eapmessage_verify(request, data, data_len)) { | |
763 | !eapmessage_verify(request, data, data_len, tls_session->peap_flag)) { | |
748 | 764 | REDEBUG("Tunneled data is invalid"); |
749 | 765 | if (rad_debug_lvl > 2) print_tunneled_data(data, data_len); |
750 | 766 | return RLM_MODULE_REJECT; |
751 | 767 | } |
768 | ||
769 | if (tls_session->peap_flag > 0) header = EAP_HEADER_LEN; | |
752 | 770 | |
753 | 771 | switch (t->status) { |
754 | 772 | case PEAP_STATUS_TUNNEL_ESTABLISHED: |
777 | 795 | |
778 | 796 | case PEAP_STATUS_INNER_IDENTITY_REQ_SENT: |
779 | 797 | /* we're expecting an identity response */ |
780 | if (data[0] != PW_EAP_IDENTITY) { | |
798 | if (data[header] != PW_EAP_IDENTITY) { | |
781 | 799 | REDEBUG("Expected EAP-Identity, got something else"); |
782 | 800 | return RLM_MODULE_REJECT; |
783 | 801 | } |
788 | 806 | t->username = fr_pair_make(t, NULL, "User-Name", NULL, T_OP_EQ); |
789 | 807 | rad_assert(t->username != NULL); |
790 | 808 | |
791 | fr_pair_value_bstrncpy(t->username, data + 1, data_len - 1); | |
809 | fr_pair_value_bstrncpy(t->username, data + header + 1, data_len - header - 1); | |
792 | 810 | |
793 | 811 | RDEBUG("Got inner identity '%s'", t->username->vp_strvalue); |
794 | 812 | if (t->soh) { |
803 | 821 | case PEAP_STATUS_WAIT_FOR_SOH_RESPONSE: |
804 | 822 | fake = request_alloc_fake(request); |
805 | 823 | rad_assert(!fake->packet->vps); |
806 | eapsoh_verify(fake, fake->packet, data, data_len); | |
824 | eapsoh_verify(fake, fake->packet, data + header, data_len - header); | |
807 | 825 | setup_fake_request(request, fake, t); |
808 | 826 | |
809 | 827 | if (t->soh_virtual_server) { |
841 | 859 | * If we authenticated the user, then it's OK. |
842 | 860 | */ |
843 | 861 | case PEAP_STATUS_SENT_TLV_SUCCESS: |
844 | if (eappeap_check_tlv(request, data, data_len)) { | |
862 | if (eappeap_check_tlv(request, data + header, data_len - header)) { | |
845 | 863 | RDEBUG2("Success"); |
846 | 864 | return RLM_MODULE_OK; |
847 | 865 | } |
875 | 893 | */ |
876 | 894 | case PEAP_STATUS_SENT_TLV_FAILURE: |
877 | 895 | RINDENT(); |
878 | RIDEBUG("The users session was previously rejected: returning reject (again.)"); | |
896 | REDEBUG("The users session was previously rejected: returning reject (again.)"); | |
879 | 897 | RIDEBUG("This means you need to read the PREVIOUS messages in the debug output"); |
880 | 898 | RIDEBUG("to find out the reason why the user was rejected"); |
881 | 899 | RIDEBUG("Look for \"reject\" or \"fail\". Those earlier messages will tell you"); |
936 | 954 | |
937 | 955 | case PEAP_STATUS_PHASE2: |
938 | 956 | fake->packet->vps = eap2vp(request, fake->packet, |
939 | eap_ds, data, data_len); | |
957 | eap_ds, data, data_len, tls_session->peap_flag); | |
940 | 958 | if (!fake->packet->vps) { |
941 | 959 | talloc_free(fake); |
942 | 960 | RDEBUG2("Unable to convert tunneled EAP packet to internal server data structures"); |
961 | 979 | * so we add one here, by pulling it out of the |
962 | 980 | * EAP-Identity packet. |
963 | 981 | */ |
964 | if ((data[0] == PW_EAP_IDENTITY) && (data_len > 1)) { | |
982 | if ((data[header] == PW_EAP_IDENTITY) && (data_len > (1 + header))) { | |
965 | 983 | t->username = fr_pair_make(t, NULL, "User-Name", NULL, T_OP_EQ); |
966 | 984 | rad_assert(t->username != NULL); |
967 | 985 | |
968 | fr_pair_value_bstrncpy(t->username, data + 1, data_len - 1); | |
986 | fr_pair_value_bstrncpy(t->username, data + header + 1, data_len - header - 1); | |
969 | 987 | |
970 | 988 | RDEBUG2("Got tunneled identity of %s", t->username->vp_strvalue); |
971 | 989 |
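Review bot: Nothing in the visible lines checks `data_len` against `header` before `data[header]` is read or `data_len - header - 1` is passed as a length, and for PEAPv1 `eapmessage_verify()` now returns 1 ("Hack for now") before its own length checks run. With `header = EAP_HEADER_LEN`, a tunneled payload no longer than the header makes `data_len - header - 1` wrap, since `data_len` is `unsigned int` and `header` is `size_t`. This affects the `fr_pair_value_bstrncpy()` call in the identity case and the `data_len - header` arguments to `eapsoh_verify()` and `eappeap_check_tlv()`; the phase-2 identity test also reads `data[header]` before it compares lengths. Each case that indexes `data` should begin with a guard such as `if (data_len <= header) { REDEBUG("Tunneled data is too short"); return RLM_MODULE_REJECT; }`, and the PEAPv1 early return should be replaced by real validation of the inner EAP header. The functions involved start and end outside the hunks, so an earlier length check may exist that is not shown.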
259 | 259 | */ |
260 | 260 | if (!tls_session->opaque) { |
261 | 261 | peap = tls_session->opaque = peap_alloc(tls_session, inst); |
262 | } | |
263 | ||
264 | /* | |
265 | * Negotiate PEAP versions down. | |
266 | */ | |
267 | if ((handler->eap_ds->response->type.data[0] & 0x03) < tls_session->peap_flag) { | |
268 | tls_session->peap_flag = handler->eap_ds->response->type.data[0] & 0x03; | |
262 | 269 | } |
263 | 270 | |
264 | 271 | status = eaptls_process(handler); |
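Review bot: The added negotiation reads `handler->eap_ds->response->type.data[0]` without any visible check that the type data holds at least one byte, and it lowers `tls_session->peap_flag` from bits the peer supplies. If no earlier code guarantees the byte is present, guard the read, e.g. `if ((handler->eap_ds->response->type.length > 0) && ...`. The version bits appear to come from the outer EAP packet and the comparison runs before `eaptls_process()` on each pass, so the version can be lowered by whoever controls that packet. Logging the change (`RDEBUG2("Peer requested PEAP version %d", ...)`) and allowing a configured minimum version would make a forced downgrade visible and preventable. The enclosing function starts and ends outside the hunk.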
2916 | 2916 | |
2917 | 2917 | |
2918 | 2918 | sm_lib_safe=`echo "crypto" | sed 'y%./+-%__p_%'` |
2919 | sm_func_safe=`echo "EVP_cleanup" | sed 'y%./+-%__p_%'` | |
2919 | sm_func_safe=`echo "EVP_CIPHER_CTX_new" | sed 'y%./+-%__p_%'` | |
2920 | 2920 | |
2921 | 2921 | old_LIBS="$LIBS" |
2922 | 2922 | old_CPPFLAGS="$CPPFLAGS" |
2926 | 2926 | |
2927 | 2927 | if test "x$smart_try_dir" != "x"; then |
2928 | 2928 | for try in $smart_try_dir; do |
2929 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_cleanup in -lcrypto in $try" >&5 | |
2930 | $as_echo_n "checking for EVP_cleanup in -lcrypto in $try... " >&6; } | |
2929 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto in $try" >&5 | |
2930 | $as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto in $try... " >&6; } | |
2931 | 2931 | LIBS="-lcrypto $old_LIBS" |
2932 | 2932 | CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" |
2933 | 2933 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
2934 | 2934 | /* end confdefs.h. */ |
2935 | extern char EVP_cleanup(); | |
2935 | extern char EVP_CIPHER_CTX_new(); | |
2936 | 2936 | int |
2937 | 2937 | main () |
2938 | 2938 | { |
2939 | EVP_cleanup() | |
2939 | EVP_CIPHER_CTX_new() | |
2940 | 2940 | ; |
2941 | 2941 | return 0; |
2942 | 2942 | } |
2961 | 2961 | fi |
2962 | 2962 | |
2963 | 2963 | if test "x$smart_lib" = "x"; then |
2964 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_cleanup in -lcrypto" >&5 | |
2965 | $as_echo_n "checking for EVP_cleanup in -lcrypto... " >&6; } | |
2964 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto" >&5 | |
2965 | $as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto... " >&6; } | |
2966 | 2966 | LIBS="-lcrypto $old_LIBS" |
2967 | 2967 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
2968 | 2968 | /* end confdefs.h. */ |
2969 | extern char EVP_cleanup(); | |
2969 | extern char EVP_CIPHER_CTX_new(); | |
2970 | 2970 | int |
2971 | 2971 | main () |
2972 | 2972 | { |
2973 | EVP_cleanup() | |
2973 | EVP_CIPHER_CTX_new() | |
2974 | 2974 | ; |
2975 | 2975 | return 0; |
2976 | 2976 | } |
3047 | 3047 | |
3048 | 3048 | |
3049 | 3049 | for try in $smart_lib_dir /usr/local/lib /opt/lib; do |
3050 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_cleanup in -lcrypto in $try" >&5 | |
3051 | $as_echo_n "checking for EVP_cleanup in -lcrypto in $try... " >&6; } | |
3050 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto in $try" >&5 | |
3051 | $as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto in $try... " >&6; } | |
3052 | 3052 | LIBS="-lcrypto $old_LIBS" |
3053 | 3053 | CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" |
3054 | 3054 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext |
3055 | 3055 | /* end confdefs.h. */ |
3056 | extern char EVP_cleanup(); | |
3056 | extern char EVP_CIPHER_CTX_new(); | |
3057 | 3057 | int |
3058 | 3058 | main () |
3059 | 3059 | { |
3060 | EVP_cleanup() | |
3060 | EVP_CIPHER_CTX_new() | |
3061 | 3061 | ; |
3062 | 3062 | return 0; |
3063 | 3063 | } |
3087 | 3087 | SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" |
3088 | 3088 | fi |
3089 | 3089 | |
3090 | if test "x$ac_cv_lib_crypto_EVP_cleanup" != "xyes"; then | |
3090 | if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" != "xyes"; then | |
3091 | 3091 | fail="libssl" |
3092 | 3092 | else |
3093 | 3093 | for ac_func in EVP_sha256 |
59 | 59 | fi |
60 | 60 | |
61 | 61 | smart_try_dir=$openssl_lib_dir |
62 | FR_SMART_CHECK_LIB(crypto, EVP_cleanup) | |
63 | if test "x$ac_cv_lib_crypto_EVP_cleanup" != "xyes"; then | |
62 | FR_SMART_CHECK_LIB(crypto, EVP_CIPHER_CTX_new) | |
63 | if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" != "xyes"; then | |
64 | 64 | fail="libssl" |
65 | 65 | else |
66 | 66 | AC_CHECK_FUNCS(EVP_sha256) |
44 | 44 | uint8_t allzero[SHA256_DIGEST_LENGTH]; |
45 | 45 | |
46 | 46 | memset(allzero, 0, SHA256_DIGEST_LENGTH); |
47 | HMAC_Init(ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256()); | |
47 | ||
48 | HMAC_Init_ex(ctx, allzero, SHA256_DIGEST_LENGTH, EVP_sha256(), NULL); | |
48 | 49 | } |
49 | 50 | |
50 | 51 | static void H_Update(HMAC_CTX *ctx, uint8_t const *data, int len) |
57 | 58 | unsigned int mdlen = SHA256_DIGEST_LENGTH; |
58 | 59 | |
59 | 60 | HMAC_Final(ctx, digest, &mdlen); |
60 | HMAC_CTX_cleanup(ctx); | |
61 | 61 | } |
62 | 62 | |
63 | 63 | /* a counter-based KDF based on NIST SP800-108 */ |
64 | static void eap_pwd_kdf(uint8_t *key, int keylen, char const *label, int labellen, uint8_t *result, int resultbitlen) | |
65 | { | |
66 | HMAC_CTX hctx; | |
64 | static int eap_pwd_kdf(uint8_t *key, int keylen, char const *label, int labellen, uint8_t *result, int resultbitlen) | |
65 | { | |
66 | HMAC_CTX *hctx = NULL; | |
67 | 67 | uint8_t digest[SHA256_DIGEST_LENGTH]; |
68 | 68 | uint16_t i, ctr, L; |
69 | 69 | int resultbytelen, len = 0; |
70 | 70 | unsigned int mdlen = SHA256_DIGEST_LENGTH; |
71 | 71 | uint8_t mask = 0xff; |
72 | 72 | |
73 | hctx = HMAC_CTX_new(); | |
74 | if (hctx == NULL) { | |
75 | DEBUG("failed allocating HMAC context"); | |
76 | return -1; | |
77 | } | |
73 | 78 | resultbytelen = (resultbitlen + 7)/8; |
74 | 79 | ctr = 0; |
75 | 80 | L = htons(resultbitlen); |
76 | 81 | while (len < resultbytelen) { |
77 | 82 | ctr++; i = htons(ctr); |
78 | HMAC_Init(&hctx, key, keylen, EVP_sha256()); | |
83 | HMAC_Init_ex(hctx, key, keylen, EVP_sha256(), NULL); | |
79 | 84 | if (ctr > 1) { |
80 | HMAC_Update(&hctx, digest, mdlen); | |
81 | } | |
82 | HMAC_Update(&hctx, (uint8_t *) &i, sizeof(uint16_t)); | |
83 | HMAC_Update(&hctx, (uint8_t const *)label, labellen); | |
84 | HMAC_Update(&hctx, (uint8_t *) &L, sizeof(uint16_t)); | |
85 | HMAC_Final(&hctx, digest, &mdlen); | |
85 | HMAC_Update(hctx, digest, mdlen); | |
86 | } | |
87 | HMAC_Update(hctx, (uint8_t *) &i, sizeof(uint16_t)); | |
88 | HMAC_Update(hctx, (uint8_t const *)label, labellen); | |
89 | HMAC_Update(hctx, (uint8_t *) &L, sizeof(uint16_t)); | |
90 | HMAC_Final(hctx, digest, &mdlen); | |
86 | 91 | if ((len + (int) mdlen) > resultbytelen) { |
87 | 92 | memcpy(result + len, digest, resultbytelen - len); |
88 | 93 | } else { |
89 | 94 | memcpy(result + len, digest, mdlen); |
90 | 95 | } |
91 | 96 | len += mdlen; |
92 | HMAC_CTX_cleanup(&hctx); | |
93 | } | |
97 | } | |
98 | HMAC_CTX_free(hctx); | |
94 | 99 | |
95 | 100 | /* since we're expanding to a bit length, mask off the excess */ |
96 | 101 | if (resultbitlen % 8) { |
97 | 102 | mask <<= (8 - (resultbitlen % 8)); |
98 | 103 | result[resultbytelen - 1] &= mask; |
99 | 104 | } |
105 | ||
106 | return 0; | |
100 | 107 | } |
101 | 108 | |
102 | 109 | int compute_password_element (pwd_session_t *session, uint16_t grp_num, |
106 | 113 | uint32_t *token) |
107 | 114 | { |
108 | 115 | BIGNUM *x_candidate = NULL, *rnd = NULL, *cofactor = NULL; |
109 | HMAC_CTX ctx; | |
116 | HMAC_CTX *ctx = NULL; | |
110 | 117 | uint8_t pwe_digest[SHA256_DIGEST_LENGTH], *prfbuf = NULL, ctr; |
111 | 118 | int nid, is_odd, primebitlen, primebytelen, ret = 0; |
119 | ||
120 | ctx = HMAC_CTX_new(); | |
121 | if (ctx == NULL) { | |
122 | DEBUG("failed allocating HMAC context"); | |
123 | goto fail; | |
124 | } | |
112 | 125 | |
113 | 126 | switch (grp_num) { /* from IANA registry for IKE D-H groups */ |
114 | 127 | case 19: |
189 | 202 | * pwd-seed = H(token | peer-id | server-id | password | |
190 | 203 | * counter) |
191 | 204 | */ |
192 | H_Init(&ctx); | |
193 | H_Update(&ctx, (uint8_t *)token, sizeof(*token)); | |
194 | H_Update(&ctx, (uint8_t const *)id_peer, id_peer_len); | |
195 | H_Update(&ctx, (uint8_t const *)id_server, id_server_len); | |
196 | H_Update(&ctx, (uint8_t const *)password, password_len); | |
197 | H_Update(&ctx, (uint8_t *)&ctr, sizeof(ctr)); | |
198 | H_Final(&ctx, pwe_digest); | |
205 | H_Init(ctx); | |
206 | H_Update(ctx, (uint8_t *)token, sizeof(*token)); | |
207 | H_Update(ctx, (uint8_t const *)id_peer, id_peer_len); | |
208 | H_Update(ctx, (uint8_t const *)id_server, id_server_len); | |
209 | H_Update(ctx, (uint8_t const *)password, password_len); | |
210 | H_Update(ctx, (uint8_t *)&ctr, sizeof(ctr)); | |
211 | H_Final(ctx, pwe_digest); | |
199 | 212 | |
200 | 213 | BN_bin2bn(pwe_digest, SHA256_DIGEST_LENGTH, rnd); |
201 | eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking", | |
202 | strlen("EAP-pwd Hunting And Pecking"), prfbuf, primebitlen); | |
214 | if (eap_pwd_kdf(pwe_digest, SHA256_DIGEST_LENGTH, "EAP-pwd Hunting And Pecking", | |
215 | strlen("EAP-pwd Hunting And Pecking"), prfbuf, primebitlen) != 0) { | |
216 | DEBUG("key derivation function failed"); | |
217 | goto fail; | |
218 | } | |
203 | 219 | |
204 | 220 | BN_bin2bn(prfbuf, primebytelen, x_candidate); |
205 | 221 | /* |
265 | 281 | BN_clear_free(x_candidate); |
266 | 282 | BN_clear_free(rnd); |
267 | 283 | talloc_free(prfbuf); |
284 | HMAC_CTX_free(ctx); | |
268 | 285 | |
269 | 286 | return ret; |
270 | 287 | } |
419 | 436 | int compute_server_confirm (pwd_session_t *session, uint8_t *out, BN_CTX *bnctx) |
420 | 437 | { |
421 | 438 | BIGNUM *x = NULL, *y = NULL; |
422 | HMAC_CTX ctx; | |
439 | HMAC_CTX *ctx = NULL; | |
423 | 440 | uint8_t *cruft = NULL; |
424 | 441 | int offset, req = -1; |
442 | ||
443 | ctx = HMAC_CTX_new(); | |
444 | if (ctx == NULL) { | |
445 | DEBUG2("pwd: unable to allocate HMAC context!"); | |
446 | goto finish; | |
447 | } | |
425 | 448 | |
426 | 449 | /* |
427 | 450 | * Each component of the cruft will be at most as big as the prime |
436 | 459 | * commit is H(k | server_element | server_scalar | peer_element | |
437 | 460 | * peer_scalar | ciphersuite) |
438 | 461 | */ |
439 | H_Init(&ctx); | |
462 | H_Init(ctx); | |
440 | 463 | |
441 | 464 | /* |
442 | 465 | * Zero the memory each time because this is mod prime math and some |
446 | 469 | */ |
447 | 470 | offset = BN_num_bytes(session->prime) - BN_num_bytes(session->k); |
448 | 471 | BN_bn2bin(session->k, cruft + offset); |
449 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
472 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
450 | 473 | |
451 | 474 | /* |
452 | 475 | * next is server element: x, y |
458 | 481 | memset(cruft, 0, BN_num_bytes(session->prime)); |
459 | 482 | offset = BN_num_bytes(session->prime) - BN_num_bytes(x); |
460 | 483 | BN_bn2bin(x, cruft + offset); |
461 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
484 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
462 | 485 | |
463 | 486 | memset(cruft, 0, BN_num_bytes(session->prime)); |
464 | 487 | offset = BN_num_bytes(session->prime) - BN_num_bytes(y); |
465 | 488 | BN_bn2bin(y, cruft + offset); |
466 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
489 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
467 | 490 | |
468 | 491 | /* |
469 | 492 | * and server scalar |
471 | 494 | memset(cruft, 0, BN_num_bytes(session->prime)); |
472 | 495 | offset = BN_num_bytes(session->order) - BN_num_bytes(session->my_scalar); |
473 | 496 | BN_bn2bin(session->my_scalar, cruft + offset); |
474 | H_Update(&ctx, cruft, BN_num_bytes(session->order)); | |
497 | H_Update(ctx, cruft, BN_num_bytes(session->order)); | |
475 | 498 | |
476 | 499 | /* |
477 | 500 | * next is peer element: x, y |
484 | 507 | memset(cruft, 0, BN_num_bytes(session->prime)); |
485 | 508 | offset = BN_num_bytes(session->prime) - BN_num_bytes(x); |
486 | 509 | BN_bn2bin(x, cruft + offset); |
487 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
510 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
488 | 511 | |
489 | 512 | memset(cruft, 0, BN_num_bytes(session->prime)); |
490 | 513 | offset = BN_num_bytes(session->prime) - BN_num_bytes(y); |
491 | 514 | BN_bn2bin(y, cruft + offset); |
492 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
515 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
493 | 516 | |
494 | 517 | /* |
495 | 518 | * and peer scalar |
497 | 520 | memset(cruft, 0, BN_num_bytes(session->prime)); |
498 | 521 | offset = BN_num_bytes(session->order) - BN_num_bytes(session->peer_scalar); |
499 | 522 | BN_bn2bin(session->peer_scalar, cruft + offset); |
500 | H_Update(&ctx, cruft, BN_num_bytes(session->order)); | |
523 | H_Update(ctx, cruft, BN_num_bytes(session->order)); | |
501 | 524 | |
502 | 525 | /* |
503 | 526 | * finally, ciphersuite |
504 | 527 | */ |
505 | H_Update(&ctx, (uint8_t *)&session->ciphersuite, sizeof(session->ciphersuite)); | |
506 | ||
507 | H_Final(&ctx, out); | |
528 | H_Update(ctx, (uint8_t *)&session->ciphersuite, sizeof(session->ciphersuite)); | |
529 | ||
530 | H_Final(ctx, out); | |
508 | 531 | |
509 | 532 | req = 0; |
510 | 533 | finish: |
511 | 534 | talloc_free(cruft); |
512 | 535 | BN_free(x); |
513 | 536 | BN_free(y); |
537 | HMAC_CTX_free(ctx); | |
514 | 538 | |
515 | 539 | return req; |
516 | 540 | } |
518 | 542 | int compute_peer_confirm (pwd_session_t *session, uint8_t *out, BN_CTX *bnctx) |
519 | 543 | { |
520 | 544 | BIGNUM *x = NULL, *y = NULL; |
521 | HMAC_CTX ctx; | |
545 | HMAC_CTX *ctx = NULL; | |
522 | 546 | uint8_t *cruft = NULL; |
523 | 547 | int offset, req = -1; |
548 | ||
549 | ctx = HMAC_CTX_new(); | |
550 | if (ctx == NULL) { | |
551 | DEBUG2("pwd: unable to allocate HMAC context!"); | |
552 | goto finish; | |
553 | } | |
524 | 554 | |
525 | 555 | /* |
526 | 556 | * Each component of the cruft will be at most as big as the prime |
535 | 565 | * commit is H(k | server_element | server_scalar | peer_element | |
536 | 566 | * peer_scalar | ciphersuite) |
537 | 567 | */ |
538 | H_Init(&ctx); | |
568 | H_Init(ctx); | |
539 | 569 | |
540 | 570 | /* |
541 | 571 | * Zero the memory each time because this is mod prime math and some |
545 | 575 | */ |
546 | 576 | offset = BN_num_bytes(session->prime) - BN_num_bytes(session->k); |
547 | 577 | BN_bn2bin(session->k, cruft + offset); |
548 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
578 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
549 | 579 | |
550 | 580 | /* |
551 | 581 | * then peer element: x, y |
558 | 588 | memset(cruft, 0, BN_num_bytes(session->prime)); |
559 | 589 | offset = BN_num_bytes(session->prime) - BN_num_bytes(x); |
560 | 590 | BN_bn2bin(x, cruft + offset); |
561 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
591 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
562 | 592 | |
563 | 593 | memset(cruft, 0, BN_num_bytes(session->prime)); |
564 | 594 | offset = BN_num_bytes(session->prime) - BN_num_bytes(y); |
565 | 595 | BN_bn2bin(y, cruft + offset); |
566 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
596 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
567 | 597 | |
568 | 598 | /* |
569 | 599 | * and peer scalar |
571 | 601 | memset(cruft, 0, BN_num_bytes(session->prime)); |
572 | 602 | offset = BN_num_bytes(session->order) - BN_num_bytes(session->peer_scalar); |
573 | 603 | BN_bn2bin(session->peer_scalar, cruft + offset); |
574 | H_Update(&ctx, cruft, BN_num_bytes(session->order)); | |
604 | H_Update(ctx, cruft, BN_num_bytes(session->order)); | |
575 | 605 | |
576 | 606 | /* |
577 | 607 | * then server element: x, y |
583 | 613 | memset(cruft, 0, BN_num_bytes(session->prime)); |
584 | 614 | offset = BN_num_bytes(session->prime) - BN_num_bytes(x); |
585 | 615 | BN_bn2bin(x, cruft + offset); |
586 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
616 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
587 | 617 | |
588 | 618 | memset(cruft, 0, BN_num_bytes(session->prime)); |
589 | 619 | offset = BN_num_bytes(session->prime) - BN_num_bytes(y); |
590 | 620 | BN_bn2bin(y, cruft + offset); |
591 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
621 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
592 | 622 | |
593 | 623 | /* |
594 | 624 | * and server scalar |
596 | 626 | memset(cruft, 0, BN_num_bytes(session->prime)); |
597 | 627 | offset = BN_num_bytes(session->order) - BN_num_bytes(session->my_scalar); |
598 | 628 | BN_bn2bin(session->my_scalar, cruft + offset); |
599 | H_Update(&ctx, cruft, BN_num_bytes(session->order)); | |
629 | H_Update(ctx, cruft, BN_num_bytes(session->order)); | |
600 | 630 | |
601 | 631 | /* |
602 | 632 | * finally, ciphersuite |
603 | 633 | */ |
604 | H_Update(&ctx, (uint8_t *)&session->ciphersuite, sizeof(session->ciphersuite)); | |
605 | ||
606 | H_Final(&ctx, out); | |
634 | H_Update(ctx, (uint8_t *)&session->ciphersuite, sizeof(session->ciphersuite)); | |
635 | ||
636 | H_Final(ctx, out); | |
607 | 637 | |
608 | 638 | req = 0; |
609 | 639 | finish: |
610 | 640 | talloc_free(cruft); |
611 | 641 | BN_free(x); |
612 | 642 | BN_free(y); |
643 | HMAC_CTX_free(ctx); | |
613 | 644 | |
614 | 645 | return req; |
615 | 646 | } |
616 | 647 | |
617 | 648 | int compute_keys (pwd_session_t *session, uint8_t *peer_confirm, uint8_t *msk, uint8_t *emsk) |
618 | 649 | { |
619 | HMAC_CTX ctx; | |
620 | uint8_t mk[SHA256_DIGEST_LENGTH], *cruft; | |
650 | HMAC_CTX *ctx = NULL; | |
651 | uint8_t mk[SHA256_DIGEST_LENGTH], *cruft = NULL; | |
621 | 652 | uint8_t session_id[SHA256_DIGEST_LENGTH + 1]; |
622 | 653 | uint8_t msk_emsk[128]; /* 64 each */ |
623 | int offset; | |
654 | int offset, ret = -1; | |
655 | ||
656 | ctx = HMAC_CTX_new(); | |
657 | if (ctx == NULL) { | |
658 | DEBUG2("pwd: unable to allocate HMAC context!"); | |
659 | goto finish; | |
660 | } | |
624 | 661 | |
625 | 662 | if ((cruft = talloc_array(session, uint8_t, BN_num_bytes(session->prime))) == NULL) { |
626 | 663 | DEBUG2("pwd: unable to allocate space to compute keys"); |
627 | return -1; | |
664 | goto finish; | |
628 | 665 | } |
629 | 666 | |
630 | 667 | /* |
632 | 669 | * scal_s) |
633 | 670 | */ |
634 | 671 | session_id[0] = PW_EAP_PWD; |
635 | H_Init(&ctx); | |
636 | H_Update(&ctx, (uint8_t *)&session->ciphersuite, sizeof(session->ciphersuite)); | |
672 | H_Init(ctx); | |
673 | H_Update(ctx, (uint8_t *)&session->ciphersuite, sizeof(session->ciphersuite)); | |
637 | 674 | offset = BN_num_bytes(session->order) - BN_num_bytes(session->peer_scalar); |
638 | 675 | memset(cruft, 0, BN_num_bytes(session->prime)); |
639 | 676 | BN_bn2bin(session->peer_scalar, cruft + offset); |
640 | H_Update(&ctx, cruft, BN_num_bytes(session->order)); | |
677 | H_Update(ctx, cruft, BN_num_bytes(session->order)); | |
641 | 678 | offset = BN_num_bytes(session->order) - BN_num_bytes(session->my_scalar); |
642 | 679 | memset(cruft, 0, BN_num_bytes(session->prime)); |
643 | 680 | BN_bn2bin(session->my_scalar, cruft + offset); |
644 | H_Update(&ctx, cruft, BN_num_bytes(session->order)); | |
645 | H_Final(&ctx, (uint8_t *)&session_id[1]); | |
681 | H_Update(ctx, cruft, BN_num_bytes(session->order)); | |
682 | H_Final(ctx, (uint8_t *)&session_id[1]); | |
646 | 683 | |
647 | 684 | /* then compute MK = H(k | commit-peer | commit-server) */ |
648 | H_Init(&ctx); | |
685 | H_Init(ctx); | |
649 | 686 | |
650 | 687 | memset(cruft, 0, BN_num_bytes(session->prime)); |
651 | 688 | offset = BN_num_bytes(session->prime) - BN_num_bytes(session->k); |
652 | 689 | BN_bn2bin(session->k, cruft + offset); |
653 | H_Update(&ctx, cruft, BN_num_bytes(session->prime)); | |
654 | ||
655 | H_Update(&ctx, peer_confirm, SHA256_DIGEST_LENGTH); | |
656 | ||
657 | H_Update(&ctx, session->my_confirm, SHA256_DIGEST_LENGTH); | |
658 | ||
659 | H_Final(&ctx, mk); | |
690 | H_Update(ctx, cruft, BN_num_bytes(session->prime)); | |
691 | ||
692 | H_Update(ctx, peer_confirm, SHA256_DIGEST_LENGTH); | |
693 | ||
694 | H_Update(ctx, session->my_confirm, SHA256_DIGEST_LENGTH); | |
695 | ||
696 | H_Final(ctx, mk); | |
660 | 697 | |
661 | 698 | /* stretch the mk with the session-id to get MSK | EMSK */ |
662 | eap_pwd_kdf(mk, SHA256_DIGEST_LENGTH, (char const *)session_id, | |
663 | SHA256_DIGEST_LENGTH + 1, msk_emsk, 1024); /* it's bits, ((64 + 64) * 8) */ | |
699 | if (eap_pwd_kdf(mk, SHA256_DIGEST_LENGTH, (char const *)session_id, | |
700 | SHA256_DIGEST_LENGTH + 1, msk_emsk, | |
701 | /* it's bits, ((64 + 64) * 8) */ | |
702 | 1024) != 0) { | |
703 | DEBUG("key derivation function failed"); | |
704 | goto finish; | |
705 | } | |
664 | 706 | |
665 | 707 | memcpy(msk, msk_emsk, 64); |
666 | 708 | memcpy(emsk, msk_emsk + 64, 64); |
667 | 709 | |
710 | ret = 0; | |
711 | finish: | |
668 | 712 | talloc_free(cruft); |
669 | return 0; | |
670 | } | |
671 | ||
672 | ||
673 | ||
674 | ||
713 | HMAC_CTX_free(ctx); | |
714 | return ret; | |
715 | } | |
716 | ||
717 | ||
718 | ||
719 |
385 | 385 | } |
386 | 386 | |
387 | 387 | packet = (pwd_id_packet_t *) in; |
388 | if (in_len < sizeof(packet)) { | |
389 | RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(packet)); | |
388 | if (in_len < sizeof(*packet)) { | |
389 | RDEBUG("Packet is too small (%zd < %zd).", in_len, sizeof(*packet)); | |
390 | 390 | return 0; |
391 | 391 | } |
392 | 392 |
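Review bot: The `%zd` conversions in the corrected `RDEBUG` line expect a signed size, but `sizeof(*packet)` is a `size_t`, so the specifier should be `%zu`. The same applies to `in_len` if it is declared `size_t`, which is not visible here: `RDEBUG("Packet is too small (%zu < %zu).", in_len, sizeof(*packet));`. The cast to `pwd_id_packet_t *` happens before the length check, which is harmless only while no field of `packet` is read before the check passes. The function starts and continues outside this hunk, so that ordering is worth confirming there.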
1182 | 1182 | if (req->response) { |
1183 | 1183 | RDEBUG("sending chbind response"); |
1184 | 1184 | fr_pair_add(&fake->reply->vps, |
1185 | eap_chbind_packet2vp(fake, req->response)); | |
1185 | eap_chbind_packet2vp(fake->reply, req->response)); | |
1186 | 1186 | } else { |
1187 | 1187 | RDEBUG("no chbind response"); |
1188 | 1188 | } |
216 | 216 | /* |
217 | 217 | * Will do the xlat for us |
218 | 218 | */ |
219 | return radius_compare_vps(request, check, NULL); | |
219 | return radius_compare_vps(request, check, req); | |
220 | 220 | } |
221 | 221 | |
222 | 222 | static int generic_attrs[] = { |
460 | 460 | |
461 | 461 | case LDAP_PROC_NO_RESULT: |
462 | 462 | RDEBUG2("No cacheable group memberships found in group objects"); |
463 | goto finish; | |
463 | 464 | |
464 | 465 | default: |
466 | rcode = RLM_MODULE_FAIL; | |
465 | 467 | goto finish; |
466 | 468 | } |
467 | 469 |
1173 | 1173 | ldap_memfree(dn); |
1174 | 1174 | } |
1175 | 1175 | REXDENT(); |
1176 | *rcode = RLM_MODULE_FAIL; | |
1176 | *rcode = RLM_MODULE_INVALID; | |
1177 | 1177 | goto finish; |
1178 | 1178 | } |
1179 | 1179 | } |
669 | 669 | |
670 | 670 | ldap_errno = ldap_get_option(NULL, LDAP_OPT_API_INFO, &info); |
671 | 671 | if (ldap_errno == LDAP_OPT_SUCCESS) { |
672 | int i; | |
673 | ||
672 | 674 | /* |
673 | 675 | * Don't generate warnings if the compile type vendor name |
674 | 676 | * is found within the link time vendor name. |
690 | 692 | INFO("rlm_ldap: libldap vendor: %s, version: %i", info.ldapai_vendor_name, |
691 | 693 | info.ldapai_vendor_version); |
692 | 694 | |
695 | if (info.ldapai_extensions != NULL ) { | |
696 | for ( i = 0; info.ldapai_extensions[i] != NULL; i++) { | |
697 | ldap_memfree(info.ldapai_extensions[i]); | |
698 | } | |
699 | ldap_memfree(info.ldapai_extensions); | |
700 | } | |
693 | 701 | ldap_memfree(info.ldapai_vendor_name); |
694 | ldap_memfree(info.ldapai_extensions); | |
695 | 702 | } else { |
696 | 703 | DEBUG("rlm_ldap: Falling back to build time libldap version info. Query for LDAP_OPT_API_INFO " |
697 | 704 | "returned: %i", ldap_errno); |
838 | 845 | /* |
839 | 846 | * Now iterate over all the 'server' config items |
840 | 847 | */ |
848 | if (!inst->server) inst->server = talloc_strdup(inst, ""); | |
841 | 849 | for (cp = cf_pair_find(conf, "server"); |
842 | 850 | cp; |
843 | 851 | cp = cf_pair_find_next(conf, cp, "server")) { |
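Review bot: The added `if (!inst->server) inst->server = talloc_strdup(inst, "");` does not check the allocation, so on failure `inst->server` is still NULL when the `server` loop below it runs. The loop body is outside the hunk, but if it appends to `inst->server` the failure would surface there as a NULL dereference rather than as a reported error. A check directly after the strdup, such as `if (!inst->server) { ERROR("rlm_ldap: out of memory"); /* error return used by this function */ }`, would keep the failure explicit.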
168 | 168 | if (((request && RDEBUG_ENABLED3) || DEBUG_ENABLED3) && result) { |
169 | 169 | struct berval *srv_cred; |
170 | 170 | |
171 | if (ldap_parse_sasl_bind_result(conn->handle, result, &srv_cred, 0) == 0) { | |
171 | if ((ldap_parse_sasl_bind_result(conn->handle, result, &srv_cred, 0) == LDAP_SUCCESS) && | |
172 | (srv_cred != NULL)) { | |
172 | 173 | char *escaped; |
173 | 174 | |
174 | 175 | escaped = fr_aprints(request, srv_cred->bv_val, srv_cred->bv_len, '\0'); |
34 | 34 | |
35 | 35 | #define NT_LENGTH 24 |
36 | 36 | |
37 | /** Use Winbind to normalise a username | |
38 | * | |
39 | * @param[in] tctx The talloc context where the result is parented from | |
40 | * @param[in] ctx The winbind context | |
41 | * @param[in] dom_name The domain of the user | |
42 | * @param[in] name The username (without the domain) to be normalised | |
43 | * @return The username with the casing according to the Winbind remote server, | |
44 | * or NULL if the username could not be found. | |
45 | */ | |
46 | static char *wbclient_normalise_username(TALLOC_CTX *tctx, struct wbcContext *ctx, char const *dom_name, char const *name) | |
47 | { | |
48 | struct wbcDomainSid sid; | |
49 | enum wbcSidType name_type; | |
50 | wbcErr err; | |
51 | char *res_domain = NULL; | |
52 | char *res_name = NULL; | |
53 | char *res = NULL; | |
54 | ||
55 | /* Step 1: Convert a name to a sid */ | |
56 | err = wbcCtxLookupName(ctx, dom_name, name, &sid, &name_type); | |
57 | if (!WBC_ERROR_IS_OK(err)) | |
58 | return NULL; | |
59 | ||
60 | /* Step 2: Convert the sid back to a name */ | |
61 | err = wbcCtxLookupSid(ctx, &sid, &res_domain, &res_name, &name_type); | |
62 | if (!WBC_ERROR_IS_OK(err)) | |
63 | return NULL; | |
64 | ||
65 | MEM(res = talloc_strdup(tctx, res_name)); | |
66 | ||
67 | wbcFreeMemory(res_domain); | |
68 | wbcFreeMemory(res_name); | |
69 | ||
70 | return res; | |
71 | } | |
72 | ||
37 | 73 | /* |
38 | 74 | * Check NTLM authentication direct to winbind via |
39 | 75 | * Samba's libwbclient library |
48 | 84 | uint8_t nthashhash[NT_DIGEST_LENGTH]) |
49 | 85 | { |
50 | 86 | int rcode = -1; |
51 | struct wbcContext *wb_ctx; | |
87 | struct wbcContext *wb_ctx = NULL; | |
52 | 88 | struct wbcAuthUserParams authparams; |
53 | 89 | wbcErr err; |
54 | 90 | int len; |
123 | 159 | |
124 | 160 | err = wbcCtxAuthenticateUserEx(wb_ctx, &authparams, &info, &error); |
125 | 161 | |
162 | if (err == WBC_ERR_AUTH_ERROR && inst->wb_retry_with_normalised_username) { | |
163 | VALUE_PAIR *vp_response, *vp_challenge; | |
164 | char *normalised_username = wbclient_normalise_username(request, wb_ctx, authparams.domain_name, authparams.account_name); | |
165 | if (normalised_username) { | |
166 | RDEBUG2("Starting retry, normalised username %s to %s", authparams.account_name, normalised_username); | |
167 | if (strcmp(authparams.account_name, normalised_username) != 0) { | |
168 | authparams.account_name = normalised_username; | |
169 | ||
170 | /* Set PW_MS_CHAP_USER_NAME */ | |
171 | if (!fr_pair_make(request->packet, &request->packet->vps, "MS-CHAP-User-Name", normalised_username, T_OP_SET)) { | |
172 | RERROR("Failed creating MS-CHAP-User-Name"); | |
173 | goto normalised_username_retry_failure; | |
174 | } | |
175 | ||
176 | RDEBUG2("retrying authentication request user='%s' domain='%s'", authparams.account_name, | |
177 | authparams.domain_name); | |
178 | ||
179 | /* Recalculate hash */ | |
180 | if (!(vp_challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY))) { | |
181 | RERROR("Unable to get MS-CHAP-Challenge"); | |
182 | goto normalised_username_retry_failure; | |
183 | } | |
184 | if (!(vp_response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY))) { | |
185 | RERROR("Unable to get MS-CHAP2-Response"); | |
186 | goto normalised_username_retry_failure; | |
187 | } | |
188 | mschap_challenge_hash(vp_response->vp_octets + 2, | |
189 | vp_challenge->vp_octets, | |
190 | normalised_username, | |
191 | authparams.password.response.challenge); | |
192 | ||
193 | err = wbcCtxAuthenticateUserEx(wb_ctx, &authparams, &info, &error); | |
194 | } | |
195 | normalised_username_retry_failure: | |
196 | talloc_free(normalised_username); | |
197 | } | |
198 | } | |
199 | ||
126 | 200 | fr_connection_release(inst->wb_pool, wb_ctx); |
127 | ||
128 | 201 | |
129 | 202 | /* |
130 | 203 | * Try and give some useful feedback on what happened. There are only |
154 | 227 | /* |
155 | 228 | * The password needs to be changed, so set rcode appropriately. |
156 | 229 | */ |
157 | if (error->nt_status & NT_STATUS_PASSWORD_EXPIRED || | |
158 | error->nt_status & NT_STATUS_PASSWORD_MUST_CHANGE) { | |
230 | if (error->nt_status == NT_STATUS_PASSWORD_EXPIRED || | |
231 | error->nt_status == NT_STATUS_PASSWORD_MUST_CHANGE) { | |
159 | 232 | rcode = -648; |
160 | 233 | } |
161 | 234 |
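Review bot: In the retry block, `authparams.account_name = normalised_username;` is followed by `talloc_free(normalised_username);` at the `normalised_username_retry_failure` label, so `authparams.account_name` points at freed memory for the rest of the function. Nothing visible reads it afterwards, but the code after `fr_connection_release()` is only partly shown. Saving the original pointer and restoring it before the free, or deferring the free to the end of the function, removes the hazard. The retry also passes `vp_response->vp_octets + 2` and `vp_challenge->vp_octets` to `mschap_challenge_hash()` without a length check in this block. Presumably the caller has validated both attributes, and a `vp_length` check or a comment naming where that happens would make the dependency explicit.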
435 | 435 | char const *p; |
436 | 436 | |
437 | 437 | p = fmt + 8; /* 7 is the length of 'NT-Hash' */ |
438 | if ((p == '\0') || (outlen <= 32)) | |
438 | if ((*p == '\0') || (outlen <= 32)) | |
439 | 439 | return 0; |
440 | 440 | |
441 | 441 | while (isspace(*p)) p++; |
458 | 458 | char const *p; |
459 | 459 | |
460 | 460 | p = fmt + 8; /* 7 is the length of 'LM-Hash' */ |
461 | if ((p == '\0') || (outlen <= 32)) | |
461 | if ((*p == '\0') || (outlen <= 32)) | |
462 | 462 | return 0; |
463 | 463 | |
464 | 464 | while (isspace(*p)) p++; |
559 | 559 | { "retry_msg", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_mschap_t, retry_msg), NULL }, |
560 | 560 | { "winbind_username", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_mschap_t, wb_username), NULL }, |
561 | 561 | { "winbind_domain", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_mschap_t, wb_domain), NULL }, |
562 | { "winbind_retry_with_normalised_username", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, wb_retry_with_normalised_username), "no" }, | |
562 | 563 | #ifdef __APPLE__ |
563 | 564 | { "use_open_directory", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, open_directory), "yes" }, |
564 | 565 | #endif |
1212 | 1213 | return -1; |
1213 | 1214 | } |
1214 | 1215 | break; |
1215 | } | |
1216 | } | |
1216 | 1217 | |
1217 | 1218 | #ifdef WITH_AUTH_WINBIND |
1218 | 1219 | /* |
1404 | 1405 | char *p; |
1405 | 1406 | |
1406 | 1407 | if ((mschap_result == -648) || |
1407 | (smb_ctrl && ((smb_ctrl->vp_integer & ACB_PW_EXPIRED) != 0))) { | |
1408 | ((mschap_result == 0) && | |
1409 | (smb_ctrl && ((smb_ctrl->vp_integer & ACB_PW_EXPIRED) != 0)))) { | |
1408 | 1410 | REDEBUG("Password has expired. User should retry authentication"); |
1409 | 1411 | error = 648; |
1410 | 1412 | |
1468 | 1470 | break; |
1469 | 1471 | |
1470 | 1472 | default: |
1471 | rad_assert(0); | |
1473 | return RLM_MODULE_FAIL; | |
1472 | 1474 | } |
1473 | 1475 | mschap_add_reply(request, ident, "MS-CHAP-Error", buffer, strlen(buffer)); |
1474 | 1476 | |
1969 | 1971 | mschap_result, mschap_version, smb_ctrl); |
1970 | 1972 | if (rcode != RLM_MODULE_OK) return rcode; |
1971 | 1973 | |
1974 | #ifdef WITH_AUTH_WINBIND | |
1975 | if (inst->wb_retry_with_normalised_username) { | |
1976 | if ((response_name = fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_USER_NAME, 0, TAG_ANY))) { | |
1977 | if (strcmp(username_string, response_name->vp_strvalue)) { | |
1978 | RDEBUG2("Changing username %s to %s", username_string, response_name->vp_strvalue); | |
1979 | username_string = response_name->vp_strvalue; | |
1980 | } | |
1981 | } | |
1982 | } | |
1983 | #endif | |
1984 | ||
1972 | 1985 | mschap_auth_response(username_string, /* without the domain */ |
1973 | 1986 | nthashhash, /* nt-hash-hash */ |
1974 | 1987 | response->vp_octets + 26, /* peer response */ |
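Review bot: Now that the test is `*p == '\0'`, the offset in `p = fmt + 8;` matters: the comment gives the prefix length as 7, so when `fmt` is exactly `NT-Hash` (or `LM-Hash` in the second hunk) `fmt + 8` is one byte past the terminator and `*p` reads outside the string. How `fmt` was matched is outside these hunks, so this only bites if a bare 7-character prefix can reach this branch. Testing the separator first closes it without changing the other cases: `if ((fmt[7] == '\0') || (*p == '\0') || (outlen <= 32))`. The following `isspace(*p)` also receives a plain `char`; `isspace((uint8_t) *p)` avoids undefined behaviour for bytes above 0x7f.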
38 | 38 | vp_tmpl_t *wb_username; |
39 | 39 | vp_tmpl_t *wb_domain; |
40 | 40 | fr_connection_pool_t *wb_pool; |
41 | bool wb_retry_with_normalised_username; | |
41 | 42 | #ifdef __APPLE__ |
42 | 43 | bool open_directory; |
43 | 44 | #endif |
109 | 109 | size_t clen, |
110 | 110 | int32_t flags, int32_t when, uint8_t const key[16]) |
111 | 111 | { |
112 | HMAC_CTX hmac_ctx; | |
112 | HMAC_CTX *hmac_ctx; | |
113 | 113 | uint8_t hmac[MD5_DIGEST_LENGTH]; |
114 | 114 | char *p; |
115 | 115 | |
119 | 119 | * having to collect the data to be signed into one |
120 | 120 | * contiguous piece. |
121 | 121 | */ |
122 | HMAC_Init(&hmac_ctx, key, sizeof(key[0]) * 16, EVP_md5()); | |
123 | HMAC_Update(&hmac_ctx, (uint8_t const *) challenge, clen); | |
124 | HMAC_Update(&hmac_ctx, (uint8_t *) &flags, 4); | |
125 | HMAC_Update(&hmac_ctx, (uint8_t *) &when, 4); | |
126 | HMAC_Final(&hmac_ctx, hmac, NULL); | |
127 | HMAC_cleanup(&hmac_ctx); | |
122 | hmac_ctx = HMAC_CTX_new(); | |
123 | HMAC_Init_ex(hmac_ctx, key, sizeof(key[0]) * 16, EVP_md5(), NULL); | |
124 | HMAC_Update(hmac_ctx, (uint8_t const *) challenge, clen); | |
125 | HMAC_Update(hmac_ctx, (uint8_t *) &flags, 4); | |
126 | HMAC_Update(hmac_ctx, (uint8_t *) &when, 4); | |
127 | HMAC_Final(hmac_ctx, hmac, NULL); | |
128 | HMAC_CTX_free(hmac_ctx); | |
128 | 129 | |
129 | 130 | /* |
130 | 131 | * Generate the state. |
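Review bot: `hmac_ctx = HMAC_CTX_new();` is used without a NULL check, so an allocation failure is passed straight into `HMAC_Init_ex()`; the EAP-pwd functions changed in this same commit do test the result and bail out. The return values of `HMAC_Init_ex()`, `HMAC_Update()` and `HMAC_Final()` are ignored as well, so a failed computation would leave `hmac` uninitialised and it would still be encoded into the state that follows. A guard of the form `if (hmac_ctx == NULL)` with this function's error return, plus a check on `HMAC_Final()`, would cover both. The function signature and its return convention start outside the hunk.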
133 | 133 | int i; |
134 | 134 | |
135 | 135 | if (!ht) return; |
136 | for (i = 0; i < ht->tablesize; i++) | |
137 | if (ht->table[i]) | |
138 | destroy_password(ht->table[i]); | |
139 | 136 | if (ht->table) { |
137 | for (i = 0; i < ht->tablesize; i++) { | |
138 | if (ht->table[i]) | |
139 | destroy_password(ht->table[i]); | |
140 | } | |
140 | 141 | free(ht->table); |
141 | 142 | ht->table = NULL; |
142 | 143 | } |
541 | 542 | VALUE_PAIR *key, *i; |
542 | 543 | struct mypasswd * pw, *last_found; |
543 | 544 | vp_cursor_t cursor; |
545 | int found = 0; | |
544 | 546 | |
545 | 547 | key = fr_pair_find_by_da(request->packet->vps, inst->keyattr, TAG_ANY); |
546 | 548 | if (!key) { |
563 | 565 | addresult(request->packet, inst, request, &request->packet->vps, pw, 2, "request_items"); |
564 | 566 | } while ((pw = get_next(buffer, inst->ht, &last_found))); |
565 | 567 | |
568 | found++; | |
569 | ||
566 | 570 | if (!inst->allow_multiple) { |
567 | 571 | break; |
568 | 572 | } |
569 | 573 | } |
574 | ||
575 | if (!found) return RLM_MODULE_NOTFOUND; | |
570 | 576 | |
571 | 577 | return RLM_MODULE_OK; |
572 | 578 |
296 | 296 | XSRETURN_NO; |
297 | 297 | } |
298 | 298 | |
299 | /* | |
300 | * This is a wraper for radius_axlat | |
301 | * Now users are able to get data that is accessible only via xlat | |
302 | * e.g. %{client:...} | |
303 | * Call syntax is radiusd::xlat(string), string will be handled the | |
304 | * same way it is described in EXPANSIONS section of man unlang | |
305 | */ | |
306 | static XS(XS_radiusd_xlat) | |
307 | { | |
308 | dXSARGS; | |
309 | char *in_str; | |
310 | char *expanded; | |
311 | ssize_t slen; | |
312 | SV *rad_requestp_sv; | |
313 | REQUEST *request; | |
314 | ||
315 | if (items != 1) croak("Usage: radiusd::xlat(string)"); | |
316 | ||
317 | rad_requestp_sv = get_sv("RAD___REQUESTP", 0); | |
318 | if (rad_requestp_sv == NULL) croak("Can not evalue xlat, RAD___REQUESTP is not set!"); | |
319 | ||
320 | request = INT2PTR(REQUEST *, SvIV(rad_requestp_sv)); | |
321 | ||
322 | in_str = (char *) SvPV(ST(0), PL_na); | |
323 | expanded = NULL; | |
324 | slen = radius_axlat(&expanded, request, in_str, NULL, NULL); | |
325 | ||
326 | if (slen < 0) { | |
327 | REDEBUG("Error parsing xlat '%s'", in_str); | |
328 | XSRETURN_UNDEF; | |
329 | } | |
330 | ||
331 | ||
332 | XST_mPV(0, expanded); | |
333 | talloc_free(expanded); | |
334 | XSRETURN(1); | |
335 | } | |
336 | ||
299 | 337 | static void xs_init(pTHX) |
300 | 338 | { |
301 | 339 | char const *file = __FILE__; |
304 | 342 | newXS("DynaLoader::boot_DynaLoader", boot_DynaLoader, file); |
305 | 343 | |
306 | 344 | newXS("radiusd::radlog",XS_radiusd_radlog, "rlm_perl"); |
345 | newXS("radiusd::xlat",XS_radiusd_xlat, "rlm_perl"); | |
307 | 346 | } |
308 | 347 | |
309 | 348 | /* |
699 | 738 | VALUE_PAIR *vp; |
700 | 739 | STRLEN len; |
701 | 740 | |
702 | VERIFY_LIST(*vps); | |
703 | ||
704 | 741 | if (!SvOK(sv)) { |
705 | fail: | |
706 | REDEBUG("Failed to create pair &%s:%s %s $%s{'%s'} -> '%s'", list_name, key, | |
742 | REDEBUG("Internal failure creating pair &%s:%s %s $%s{'%s'} -> '%s'", list_name, key, | |
707 | 743 | fr_int2str(fr_tokens, op, "<INVALID>"), hash_name, key, (val ? val : "undef")); |
708 | 744 | return; |
709 | 745 | } |
746 | ||
710 | 747 | val = SvPV(sv, len); |
711 | 748 | vp = fr_pair_make(ctx, vps, key, NULL, op); |
712 | if (!vp) goto fail; | |
749 | if (!vp) { | |
750 | fail: | |
751 | REDEBUG("Failed to create pair - %s", fr_strerror()); | |
752 | REDEBUG(" &%s:%s %s $%s{'%s'} -> '%s'", list_name, key, | |
753 | fr_int2str(fr_tokens, op, "<INVALID>"), hash_name, key, (val ? val : "undef")); | |
754 | return; | |
755 | } | |
713 | 756 | |
714 | 757 | switch (vp->da->type) { |
715 | 758 | case PW_TYPE_STRING: |
751 | 794 | pairadd_sv(ctx, request, vps, key, res_sv, T_OP_EQ, hash_name, list_name); |
752 | 795 | } |
753 | 796 | } |
797 | ||
798 | if (*vps) VERIFY_LIST(*vps); | |
754 | 799 | } |
755 | 800 | |
756 | 801 | /* |
775 | 820 | HV *rad_request_proxy_hv; |
776 | 821 | HV *rad_request_proxy_reply_hv; |
777 | 822 | #endif |
823 | SV *rad_requestp_sv; | |
778 | 824 | |
779 | 825 | /* |
780 | 826 | * Radius has told us to call this function, but none |
809 | 855 | rad_config_hv = get_hv("RAD_CONFIG", 1); |
810 | 856 | rad_request_hv = get_hv("RAD_REQUEST", 1); |
811 | 857 | rad_state_hv = get_hv("RAD_STATE", 1); |
858 | rad_requestp_sv = get_sv("RAD___REQUESTP", 1); | |
812 | 859 | |
813 | 860 | perl_store_vps(request->packet, request, &request->packet->vps, rad_request_hv, "RAD_REQUEST", "request"); |
814 | 861 | perl_store_vps(request->reply, request, &request->reply->vps, rad_reply_hv, "RAD_REPLY", "reply"); |
834 | 881 | hv_undef(rad_request_proxy_reply_hv); |
835 | 882 | } |
836 | 883 | #endif |
884 | ||
885 | /* | |
886 | * Store pointer to request structure globally so xlat works | |
887 | * We mark it read-only for interpreter so end users will not be | |
888 | * in posession to change it and crash radiusd with bogus pointer | |
889 | */ | |
890 | SvREADONLY_off(rad_requestp_sv); | |
891 | sv_setiv(rad_requestp_sv, PTR2IV(request)); | |
892 | SvREADONLY_on(rad_requestp_sv); | |
837 | 893 | |
838 | 894 | PUSHMARK(SP); |
839 | 895 | /* |
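Review bot: `XS_radiusd_xlat` trusts whatever integer is stored in `RAD___REQUESTP`: it only checks that the scalar exists, then casts `SvIV()` to `REQUEST *` and passes it to `radius_axlat()`. The hunk that stores the pointer does not show it being cleared once the Perl function returns. A call to `radiusd::xlat` outside a request, or after the request has ended, would therefore use a NULL or stale pointer, and the read-only flag on the scalar guards against accidents rather than forming a boundary. Adding `if (!request) croak("radiusd::xlat called outside of a request");` after the `INT2PTR` line, and resetting the scalar to 0 after the call into Perl (that code is outside the hunk), would narrow this. Separately, in `pairadd_sv` the `!SvOK(sv)` branch formats `val` before `val = SvPV(sv, len)` has run, so it relies on `val` being initialised at its declaration, which is not visible here.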
0 | /* config.h.in. Generated from configure.ac by autoheader. */ | |
1 | ||
2 | /* Define to 1 if you have the `dl_iterate_phdr' function. */ | |
3 | #undef HAVE_DL_ITERATE_PHDR | |
4 | ||
5 | /* Define to the address where bug reports for this package should be sent. */ | |
6 | #undef PACKAGE_BUGREPORT | |
7 | ||
8 | /* Define to the full name of this package. */ | |
9 | #undef PACKAGE_NAME | |
10 | ||
11 | /* Define to the full name and version of this package. */ | |
12 | #undef PACKAGE_STRING | |
13 | ||
14 | /* Define to the one symbol short name of this package. */ | |
15 | #undef PACKAGE_TARNAME | |
16 | ||
17 | /* Define to the home page for this package. */ | |
18 | #undef PACKAGE_URL | |
19 | ||
20 | /* Define to the version of this package. */ | |
21 | #undef PACKAGE_VERSION |
1470 | 1470 | as_fn_set_status $ac_retval |
1471 | 1471 | |
1472 | 1472 | } # ac_fn_c_try_link |
1473 | ||
1474 | # ac_fn_c_check_func LINENO FUNC VAR | |
1475 | # ---------------------------------- | |
1476 | # Tests whether FUNC exists, setting the cache variable VAR accordingly | |
1477 | ac_fn_c_check_func () | |
1478 | { | |
1479 | as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack | |
1480 | { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 | |
1481 | $as_echo_n "checking for $2... " >&6; } | |
1482 | if eval \${$3+:} false; then : | |
1483 | $as_echo_n "(cached) " >&6 | |
1484 | else | |
1485 | cat confdefs.h - <<_ACEOF >conftest.$ac_ext | |
1486 | /* end confdefs.h. */ | |
1487 | /* Define $2 to an innocuous variant, in case <limits.h> declares $2. | |
1488 | For example, HP-UX 11i <limits.h> declares gettimeofday. */ | |
1489 | #define $2 innocuous_$2 | |
1490 | ||
1491 | /* System header to define __stub macros and hopefully few prototypes, | |
1492 | which can conflict with char $2 (); below. | |
1493 | Prefer <limits.h> to <assert.h> if __STDC__ is defined, since | |
1494 | <limits.h> exists even on freestanding compilers. */ | |
1495 | ||
1496 | #ifdef __STDC__ | |
1497 | # include <limits.h> | |
1498 | #else | |
1499 | # include <assert.h> | |
1500 | #endif | |
1501 | ||
1502 | #undef $2 | |
1503 | ||
1504 | /* Override any GCC internal prototype to avoid an error. | |
1505 | Use char because int might match the return type of a GCC | |
1506 | builtin and then its argument prototype would still apply. */ | |
1507 | #ifdef __cplusplus | |
1508 | extern "C" | |
1509 | #endif | |
1510 | char $2 (); | |
1511 | /* The GNU C library defines this for functions which it implements | |
1512 | to always fail with ENOSYS. Some functions are actually named | |
1513 | something starting with __ and the normal name is an alias. */ | |
1514 | #if defined __stub_$2 || defined __stub___$2 | |
1515 | choke me | |
1516 | #endif | |
1517 | ||
1518 | int | |
1519 | main () | |
1520 | { | |
1521 | return $2 (); | |
1522 | ; | |
1523 | return 0; | |
1524 | } | |
1525 | _ACEOF | |
1526 | if ac_fn_c_try_link "$LINENO"; then : | |
1527 | eval "$3=yes" | |
1528 | else | |
1529 | eval "$3=no" | |
1530 | fi | |
1531 | rm -f core conftest.err conftest.$ac_objext \ | |
1532 | conftest$ac_exeext conftest.$ac_ext | |
1533 | fi | |
1534 | eval ac_res=\$$3 | |
1535 | { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 | |
1536 | $as_echo "$ac_res" >&6; } | |
1537 | eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno | |
1538 | ||
1539 | } # ac_fn_c_check_func | |
1473 | 1540 | cat >config.log <<_ACEOF |
1474 | 1541 | This file contains any messages produced by compilers while |
1475 | 1542 | running configure, to aid debugging if configure makes a mistake. |
3499 | 3566 | fi |
3500 | 3567 | fi |
3501 | 3568 | fi |
3569 | ||
3570 | for ac_func in dl_iterate_phdr | |
3571 | do : | |
3572 | ac_fn_c_check_func "$LINENO" "dl_iterate_phdr" "ac_cv_func_dl_iterate_phdr" | |
3573 | if test "x$ac_cv_func_dl_iterate_phdr" = xyes; then : | |
3574 | cat >>confdefs.h <<_ACEOF | |
3575 | #define HAVE_DL_ITERATE_PHDR 1 | |
3576 | _ACEOF | |
3577 | ||
3578 | fi | |
3579 | done | |
3580 | ||
3502 | 3581 | else |
3503 | 3582 | targetname= |
3504 | 3583 | echo \*\*\* module rlm_python is disabled. |
3515 | 3594 | targetname="" |
3516 | 3595 | fi |
3517 | 3596 | fi |
3597 | ||
3598 | ac_config_headers="$ac_config_headers config.h" | |
3518 | 3599 | |
3519 | 3600 | |
3520 | 3601 | |
3615 | 3696 | # Let make expand exec_prefix. |
3616 | 3697 | test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' |
3617 | 3698 | |
3618 | # Transform confdefs.h into DEFS. | |
3619 | # Protect against shell expansion while executing Makefile rules. | |
3620 | # Protect against Makefile macro expansion. | |
3621 | # | |
3622 | # If the first sed substitution is executed (which looks for macros that | |
3623 | # take arguments), then branch to the quote section. Otherwise, | |
3624 | # look for a macro that doesn't take arguments. | |
3625 | ac_script=' | |
3626 | :mline | |
3627 | /\\$/{ | |
3628 | N | |
3629 | s,\\\n,, | |
3630 | b mline | |
3631 | } | |
3632 | t clear | |
3633 | :clear | |
3634 | s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g | |
3635 | t quote | |
3636 | s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g | |
3637 | t quote | |
3638 | b any | |
3639 | :quote | |
3640 | s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g | |
3641 | s/\[/\\&/g | |
3642 | s/\]/\\&/g | |
3643 | s/\$/$$/g | |
3644 | H | |
3645 | :any | |
3646 | ${ | |
3647 | g | |
3648 | s/^\n// | |
3649 | s/\n/ /g | |
3650 | p | |
3651 | } | |
3652 | ' | |
3653 | DEFS=`sed -n "$ac_script" confdefs.h` | |
3654 | ||
3699 | DEFS=-DHAVE_CONFIG_H | |
3655 | 3700 | |
3656 | 3701 | ac_libobjs= |
3657 | 3702 | ac_ltlibobjs= |
4085 | 4130 | "*) set x $ac_config_files; shift; ac_config_files=$*;; |
4086 | 4131 | esac |
4087 | 4132 | |
4133 | case $ac_config_headers in *" | |
4134 | "*) set x $ac_config_headers; shift; ac_config_headers=$*;; | |
4135 | esac | |
4088 | 4136 | |
4089 | 4137 | |
4090 | 4138 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 |
4091 | 4139 | # Files that config.status was made for. |
4092 | 4140 | config_files="$ac_config_files" |
4141 | config_headers="$ac_config_headers" | |
4093 | 4142 | |
4094 | 4143 | _ACEOF |
4095 | 4144 | |
4110 | 4159 | --recheck update $as_me by reconfiguring in the same conditions |
4111 | 4160 | --file=FILE[:TEMPLATE] |
4112 | 4161 | instantiate the configuration file FILE |
4162 | --header=FILE[:TEMPLATE] | |
4163 | instantiate the configuration header FILE | |
4113 | 4164 | |
4114 | 4165 | Configuration files: |
4115 | 4166 | $config_files |
4167 | ||
4168 | Configuration headers: | |
4169 | $config_headers | |
4116 | 4170 | |
4117 | 4171 | Report bugs to the package provider." |
4118 | 4172 | |
4174 | 4228 | esac |
4175 | 4229 | as_fn_append CONFIG_FILES " '$ac_optarg'" |
4176 | 4230 | ac_need_defaults=false;; |
4177 | --he | --h | --help | --hel | -h ) | |
4231 | --header | --heade | --head | --hea ) | |
4232 | $ac_shift | |
4233 | case $ac_optarg in | |
4234 | *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; | |
4235 | esac | |
4236 | as_fn_append CONFIG_HEADERS " '$ac_optarg'" | |
4237 | ac_need_defaults=false;; | |
4238 | --he | --h) | |
4239 | # Conflict between --help and --header | |
4240 | as_fn_error $? "ambiguous option: \`$1' | |
4241 | Try \`$0 --help' for more information.";; | |
4242 | --help | --hel | -h ) | |
4178 | 4243 | $as_echo "$ac_cs_usage"; exit ;; |
4179 | 4244 | -q | -quiet | --quiet | --quie | --qui | --qu | --q \ |
4180 | 4245 | | -silent | --silent | --silen | --sile | --sil | --si | --s) |
4230 | 4295 | for ac_config_target in $ac_config_targets |
4231 | 4296 | do |
4232 | 4297 | case $ac_config_target in |
4298 | "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; | |
4233 | 4299 | "all.mk") CONFIG_FILES="$CONFIG_FILES all.mk" ;; |
4234 | 4300 | |
4235 | 4301 | *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; |
4243 | 4309 | # bizarre bug on SunOS 4.1.3. |
4244 | 4310 | if $ac_need_defaults; then |
4245 | 4311 | test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files |
4312 | test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers | |
4246 | 4313 | fi |
4247 | 4314 | |
4248 | 4315 | # Have a temporary directory for convenience. Make it in the build tree |
4430 | 4497 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 |
4431 | 4498 | fi # test -n "$CONFIG_FILES" |
4432 | 4499 | |
4433 | ||
4434 | eval set X " :F $CONFIG_FILES " | |
4500 | # Set up the scripts for CONFIG_HEADERS section. | |
4501 | # No need to generate them if there are no CONFIG_HEADERS. | |
4502 | # This happens for instance with `./config.status Makefile'. | |
4503 | if test -n "$CONFIG_HEADERS"; then | |
4504 | cat >"$ac_tmp/defines.awk" <<\_ACAWK || | |
4505 | BEGIN { | |
4506 | _ACEOF | |
4507 | ||
4508 | # Transform confdefs.h into an awk script `defines.awk', embedded as | |
4509 | # here-document in config.status, that substitutes the proper values into | |
4510 | # config.h.in to produce config.h. | |
4511 | ||
4512 | # Create a delimiter string that does not exist in confdefs.h, to ease | |
4513 | # handling of long lines. | |
4514 | ac_delim='%!_!# ' | |
4515 | for ac_last_try in false false :; do | |
4516 | ac_tt=`sed -n "/$ac_delim/p" confdefs.h` | |
4517 | if test -z "$ac_tt"; then | |
4518 | break | |
4519 | elif $ac_last_try; then | |
4520 | as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 | |
4521 | else | |
4522 | ac_delim="$ac_delim!$ac_delim _$ac_delim!! " | |
4523 | fi | |
4524 | done | |
4525 | ||
4526 | # For the awk script, D is an array of macro values keyed by name, | |
4527 | # likewise P contains macro parameters if any. Preserve backslash | |
4528 | # newline sequences. | |
4529 | ||
4530 | ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* | |
4531 | sed -n ' | |
4532 | s/.\{148\}/&'"$ac_delim"'/g | |
4533 | t rset | |
4534 | :rset | |
4535 | s/^[ ]*#[ ]*define[ ][ ]*/ / | |
4536 | t def | |
4537 | d | |
4538 | :def | |
4539 | s/\\$// | |
4540 | t bsnl | |
4541 | s/["\\]/\\&/g | |
4542 | s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ | |
4543 | D["\1"]=" \3"/p | |
4544 | s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p | |
4545 | d | |
4546 | :bsnl | |
4547 | s/["\\]/\\&/g | |
4548 | s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ | |
4549 | D["\1"]=" \3\\\\\\n"\\/p | |
4550 | t cont | |
4551 | s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p | |
4552 | t cont | |
4553 | d | |
4554 | :cont | |
4555 | n | |
4556 | s/.\{148\}/&'"$ac_delim"'/g | |
4557 | t clear | |
4558 | :clear | |
4559 | s/\\$// | |
4560 | t bsnlc | |
4561 | s/["\\]/\\&/g; s/^/"/; s/$/"/p | |
4562 | d | |
4563 | :bsnlc | |
4564 | s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p | |
4565 | b cont | |
4566 | ' <confdefs.h | sed ' | |
4567 | s/'"$ac_delim"'/"\\\ | |
4568 | "/g' >>$CONFIG_STATUS || ac_write_fail=1 | |
4569 | ||
4570 | cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 | |
4571 | for (key in D) D_is_set[key] = 1 | |
4572 | FS = "" | |
4573 | } | |
4574 | /^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { | |
4575 | line = \$ 0 | |
4576 | split(line, arg, " ") | |
4577 | if (arg[1] == "#") { | |
4578 | defundef = arg[2] | |
4579 | mac1 = arg[3] | |
4580 | } else { | |
4581 | defundef = substr(arg[1], 2) | |
4582 | mac1 = arg[2] | |
4583 | } | |
4584 | split(mac1, mac2, "(") #) | |
4585 | macro = mac2[1] | |
4586 | prefix = substr(line, 1, index(line, defundef) - 1) | |
4587 | if (D_is_set[macro]) { | |
4588 | # Preserve the white space surrounding the "#". | |
4589 | print prefix "define", macro P[macro] D[macro] | |
4590 | next | |
4591 | } else { | |
4592 | # Replace #undef with comments. This is necessary, for example, | |
4593 | # in the case of _POSIX_SOURCE, which is predefined and required | |
4594 | # on some systems where configure will not decide to define it. | |
4595 | if (defundef == "undef") { | |
4596 | print "/*", prefix defundef, macro, "*/" | |
4597 | next | |
4598 | } | |
4599 | } | |
4600 | } | |
4601 | { print } | |
4602 | _ACAWK | |
4603 | _ACEOF | |
4604 | cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 | |
4605 | as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 | |
4606 | fi # test -n "$CONFIG_HEADERS" | |
4607 | ||
4608 | ||
4609 | eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS " | |
4435 | 4610 | shift |
4436 | 4611 | for ac_tag |
4437 | 4612 | do |
4639 | 4814 | esac \ |
4640 | 4815 | || as_fn_error $? "could not create $ac_file" "$LINENO" 5 |
4641 | 4816 | ;; |
4642 | ||
4817 | :H) | |
4818 | # | |
4819 | # CONFIG_HEADER | |
4820 | # | |
4821 | if test x"$ac_file" != x-; then | |
4822 | { | |
4823 | $as_echo "/* $configure_input */" \ | |
4824 | && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" | |
4825 | } >"$ac_tmp/config.h" \ | |
4826 | || as_fn_error $? "could not create $ac_file" "$LINENO" 5 | |
4827 | if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then | |
4828 | { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 | |
4829 | $as_echo "$as_me: $ac_file is unchanged" >&6;} | |
4830 | else | |
4831 | rm -f "$ac_file" | |
4832 | mv "$ac_tmp/config.h" "$ac_file" \ | |
4833 | || as_fn_error $? "could not create $ac_file" "$LINENO" 5 | |
4834 | fi | |
4835 | else | |
4836 | $as_echo "/* $configure_input */" \ | |
4837 | && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ | |
4838 | || as_fn_error $? "could not create -" "$LINENO" 5 | |
4839 | fi | |
4840 | ;; | |
4643 | 4841 | |
4644 | 4842 | |
4645 | 4843 | esac |
125 | 125 | fi |
126 | 126 | fi |
127 | 127 | fi |
128 | ||
129 | AC_CHECK_FUNCS([dl_iterate_phdr]) | |
128 | 130 | else |
129 | 131 | targetname= |
130 | 132 | echo \*\*\* module modname is disabled. |
140 | 142 | fi |
141 | 143 | fi |
142 | 144 | |
145 | AC_CONFIG_HEADER(config.h) | |
143 | 146 | AC_SUBST(mod_ldflags) |
144 | 147 | AC_SUBST(mod_cflags) |
145 | 148 | AC_SUBST(targetname) |
28 | 28 | |
29 | 29 | #define LOG_PREFIX "rlm_python - " |
30 | 30 | |
31 | #include "config.h" | |
31 | 32 | #include <freeradius-devel/radiusd.h> |
32 | 33 | #include <freeradius-devel/modules.h> |
33 | 34 | #include <freeradius-devel/rad_assert.h> |
34 | 35 | |
35 | 36 | #include <Python.h> |
36 | 37 | #include <dlfcn.h> |
38 | #ifdef HAVE_DL_ITERATE_PHDR | |
39 | #include <link.h> | |
40 | #endif | |
41 | ||
42 | #define LIBPYTHON_LINKER_NAME \ | |
43 | "libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) ".so" | |
37 | 44 | |
38 | 45 | static uint32_t python_instances = 0; |
39 | 46 | static void *python_dlhandle; |
767 | 774 | DEBUG("%*s}", indent_section, " "); |
768 | 775 | } |
769 | 776 | |
777 | #ifdef HAVE_DL_ITERATE_PHDR | |
778 | static int dlopen_libpython_cb(struct dl_phdr_info *info, | |
779 | UNUSED size_t size, void *data) | |
780 | { | |
781 | const char *pattern = "/" LIBPYTHON_LINKER_NAME; | |
782 | char **ppath = (char **)data; | |
783 | ||
784 | if (strstr(info->dlpi_name, pattern) != NULL) { | |
785 | if (*ppath != NULL) { | |
786 | talloc_free(*ppath); | |
787 | *ppath = NULL; | |
788 | return EEXIST; | |
789 | } else { | |
790 | *ppath = talloc_strdup(NULL, info->dlpi_name); | |
791 | if (*ppath == NULL) { | |
792 | return errno; | |
793 | } | |
794 | } | |
795 | } | |
796 | return 0; | |
797 | } | |
798 | ||
799 | /* Dlopen the already linked libpython */ | |
800 | static void *dlopen_libpython(int flags) | |
801 | { | |
802 | char *path = NULL; | |
803 | int rc; | |
804 | void *handle; | |
805 | ||
806 | /* Find the linked libpython path */ | |
807 | rc = dl_iterate_phdr(dlopen_libpython_cb, &path); | |
808 | if (rc != 0) { | |
809 | WARN("Failed searching for libpython " | |
810 | "among linked libraries: %s", strerror(rc)); | |
811 | return NULL; | |
812 | } else if (path == NULL) { | |
813 | WARN("Libpython is not found among linked libraries"); | |
814 | return NULL; | |
815 | } | |
816 | ||
817 | /* Dlopen the found library */ | |
818 | handle = dlopen(path, flags); | |
819 | if (handle == NULL) { | |
820 | WARN("Failed loading %s: %s", path, dlerror()); | |
821 | } | |
822 | talloc_free(path); | |
823 | return handle; | |
824 | } | |
825 | #else /* ! HAVE_DL_ITERATE_PHDR */ | |
826 | /* Dlopen libpython by its linker name (bare soname) */ | |
827 | static void *dlopen_libpython(int flags) | |
828 | { | |
829 | const char *name = LIBPYTHON_LINKER_NAME; | |
830 | void *handle; | |
831 | handle = dlopen(name, flags); | |
832 | if (handle == NULL) { | |
833 | WARN("Failed loading %s: %s", name, dlerror()); | |
834 | } | |
835 | return handle; | |
836 | } | |
837 | #endif /* ! HAVE_DL_ITERATE_PHDR */ | |
838 | ||
770 | 839 | /** Initialises a separate python interpreter for this module instance |
771 | 840 | * |
772 | 841 | */ |
780 | 849 | if (python_instances == 0) { |
781 | 850 | INFO("Python version: %s", Py_GetVersion()); |
782 | 851 | |
783 | python_dlhandle = dlopen("libpython" STRINGIFY(PY_MAJOR_VERSION) "." STRINGIFY(PY_MINOR_VERSION) ".so", | |
784 | RTLD_NOW | RTLD_GLOBAL); | |
785 | if (!python_dlhandle) WARN("Failed loading libpython symbols into global symbol table: %s", dlerror()); | |
852 | python_dlhandle = dlopen_libpython(RTLD_NOW | RTLD_GLOBAL); | |
853 | if (!python_dlhandle) WARN("Failed loading libpython symbols into global symbol table"); | |
786 | 854 | |
787 | 855 | #if PY_VERSION_HEX > 0x03050000 |
788 | 856 | { |
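Review bot: In `dlopen_libpython_cb` the allocation-failure path `return errno;` relies on `talloc_strdup()` having set errno; if it is 0 there, the callback returns 0, `dl_iterate_phdr()` keeps iterating, and `dlopen_libpython()` logs "not found among linked libraries" instead of the real cause. Returning a fixed code, `return ENOMEM;`, keeps the failure visible. The `#else` branch still resolves the bare linker name through the dynamic loader's search path, so it may pick a different libpython than the one the module was linked against; a comment on that branch saying so would help whoever builds without `dl_iterate_phdr`. In the last hunk the caller now logs a second, less specific warning after `dlopen_libpython()` has already logged the reason, so one of the two `WARN` calls could go.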
69 | 69 | char *hexbuf = NULL; |
70 | 70 | DH *aaa_server_dh; |
71 | 71 | |
72 | tls = talloc_zero( hs, fr_tls_server_conf_t); | |
72 | tls = tls_server_conf_alloc(hs); | |
73 | 73 | if (!tls) return NULL; |
74 | 74 | |
75 | 75 | aaa_server_dh = tid_srvr_get_dh(server); |
180 | 180 | hs->secret = talloc_strdup(hs, "radsec"); |
181 | 181 | hs->response_window.tv_sec = 30; |
182 | 182 | hs->last_packet_recv = time(NULL); |
183 | ||
183 | /* | |
184 | * We want sockets using these servers to close as soon as possible, | |
185 | * to make sure that whenever a pool is replaced, sockets using old ones | |
186 | * will not last long (hopefully less than 300s). | |
187 | */ | |
188 | hs->limit.idle_timeout = 5; | |
184 | 189 | hs->tls = construct_tls(inst, hs, blk); |
185 | 190 | if (!hs->tls) goto error; |
186 | 191 | |
320 | 325 | } |
321 | 326 | |
322 | 327 | /* |
323 | * This server has received a packet in the last | |
324 | * 5 minutes. It doesn't need an update. | |
325 | */ | |
326 | if ((now - server->last_packet_recv) < 300) { | |
327 | return false; | |
328 | } | |
329 | ||
330 | /* | |
331 | 328 | * If we've opened in the last 10 minutes, then |
332 | 329 | * open rather than update. |
333 | 330 | */ |
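Review bot: The comment added above `hs->limit.idle_timeout = 5;` promises sockets that last "hopefully less than 300s", but the value assigned is a bare 5 with no unit, and nothing in the hunk says where the 300s bound comes from now that the 5-minute check in the last hunk is removed. I would state the unit and the source of the bound in the comment and give the 5 a named constant. The enclosing functions start and end outside these hunks, so the interaction with the remaining "opened in the last 10 minutes" logic cannot be checked from here.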
160 | 160 | rlm_rest_section_t checksimul; //!< Configuration specific to simultaneous session |
161 | 161 | //!< checking. |
162 | 162 | rlm_rest_section_t post_auth; //!< Configuration specific to Post-auth |
163 | #ifdef WITH_COA | |
164 | rlm_rest_section_t recv_coa; //!< Configuration specific to recv-coa | |
165 | #endif | |
163 | 166 | } rlm_rest_t; |
164 | 167 | |
165 | 168 | /* |
173 | 173 | break; |
174 | 174 | |
175 | 175 | case '\n': |
176 | *out++ = 'b'; | |
176 | *out++ = 'n'; | |
177 | 177 | freespace--; |
178 | 178 | break; |
179 | 179 | |
188 | 188 | break; |
189 | 189 | |
190 | 190 | default: |
191 | len = snprintf(out, freespace, "u%04X", *p); | |
191 | len = snprintf(out, freespace, "u%04X", (uint8_t) *p); | |
192 | 192 | if (is_truncated(len, freespace)) return (outlen - freespace) + len; |
193 | 193 | out += len; |
194 | 194 | freespace -= len; |
651 | 651 | return rcode; |
652 | 652 | } |
653 | 653 | |
654 | #ifdef WITH_COA | |
655 | /* | |
656 | * Create the set of attribute-value pairs to check and reply | |
657 | * with for this user from the database. | |
658 | */ | |
659 | static rlm_rcode_t CC_HINT(nonnull) mod_recv_coa(void *instance, REQUEST *request) | |
660 | { | |
661 | rlm_rest_t *inst = instance; | |
662 | rlm_rest_section_t *section = &inst->recv_coa; | |
663 | ||
664 | void *handle; | |
665 | int hcode; | |
666 | int rcode = RLM_MODULE_OK; | |
667 | int ret; | |
668 | ||
669 | if (!section->name) return RLM_MODULE_NOOP; | |
670 | ||
671 | handle = fr_connection_get(inst->pool); | |
672 | if (!handle) return RLM_MODULE_FAIL; | |
673 | ||
674 | ret = rlm_rest_perform(instance, section, handle, request, NULL, NULL); | |
675 | if (ret < 0) { | |
676 | rcode = RLM_MODULE_FAIL; | |
677 | goto finish; | |
678 | } | |
679 | ||
680 | hcode = rest_get_handle_code(handle); | |
681 | switch (hcode) { | |
682 | case 404: | |
683 | case 410: | |
684 | rcode = RLM_MODULE_NOTFOUND; | |
685 | break; | |
686 | ||
687 | case 403: | |
688 | rcode = RLM_MODULE_USERLOCK; | |
689 | break; | |
690 | ||
691 | case 401: | |
692 | /* | |
693 | * Attempt to parse content if there was any. | |
694 | */ | |
695 | ret = rest_response_decode(inst, section, request, handle); | |
696 | if (ret < 0) { | |
697 | rcode = RLM_MODULE_FAIL; | |
698 | break; | |
699 | } | |
700 | ||
701 | rcode = RLM_MODULE_REJECT; | |
702 | break; | |
703 | ||
704 | case 204: | |
705 | rcode = RLM_MODULE_OK; | |
706 | break; | |
707 | ||
708 | default: | |
709 | /* | |
710 | * Attempt to parse content if there was any. | |
711 | */ | |
712 | if ((hcode >= 200) && (hcode < 300)) { | |
713 | ret = rest_response_decode(inst, section, request, handle); | |
714 | if (ret < 0) rcode = RLM_MODULE_FAIL; | |
715 | else if (ret == 0) rcode = RLM_MODULE_OK; | |
716 | else rcode = RLM_MODULE_UPDATED; | |
717 | break; | |
718 | } else if (hcode < 500) { | |
719 | rcode = RLM_MODULE_INVALID; | |
720 | } else { | |
721 | rcode = RLM_MODULE_FAIL; | |
722 | } | |
723 | } | |
724 | ||
725 | finish: | |
726 | switch (rcode) { | |
727 | case RLM_MODULE_INVALID: | |
728 | case RLM_MODULE_FAIL: | |
729 | case RLM_MODULE_USERLOCK: | |
730 | rest_response_error(request, handle); | |
731 | break; | |
732 | ||
733 | default: | |
734 | break; | |
735 | } | |
736 | ||
737 | rlm_rest_cleanup(instance, section, handle); | |
738 | ||
739 | fr_connection_release(inst->pool, handle); | |
740 | ||
741 | return rcode; | |
742 | } | |
743 | #endif | |
744 | ||
654 | 745 | static int parse_sub_section(CONF_SECTION *parent, rlm_rest_section_t *config, rlm_components_t comp) |
655 | 746 | { |
656 | 747 | CONF_SECTION *cs; |
822 | 913 | (parse_sub_section(conf, &inst->authorize, MOD_AUTHORIZE) < 0) || |
823 | 914 | (parse_sub_section(conf, &inst->authenticate, MOD_AUTHENTICATE) < 0) || |
824 | 915 | (parse_sub_section(conf, &inst->accounting, MOD_ACCOUNTING) < 0) || |
916 | ||
917 | #ifdef WITH_COA | |
918 | (parse_sub_section(conf, &inst->recv_coa, MOD_RECV_COA) < 0) || | |
919 | #endif | |
825 | 920 | |
826 | 921 | /* @todo add behaviour for checksimul */ |
827 | 922 | /* (parse_sub_section(conf, &inst->checksimul, MOD_SESSION) < 0) || */ |
884 | 979 | [MOD_AUTHENTICATE] = mod_authenticate, |
885 | 980 | [MOD_AUTHORIZE] = mod_authorize, |
886 | 981 | [MOD_ACCOUNTING] = mod_accounting, |
887 | [MOD_POST_AUTH] = mod_post_auth | |
982 | [MOD_POST_AUTH] = mod_post_auth, | |
983 | #ifdef WITH_COA | |
984 | [MOD_RECV_COA] = mod_recv_coa | |
985 | #endif | |
888 | 986 | }, |
889 | 987 | }; |
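Review bot: The header comment on `mod_recv_coa` ("Create the set of attribute-value pairs to check and reply with for this user from the database") does not describe what the function does and looks copied from another handler. Something like `/* Send the request to the REST endpoint configured for recv-coa and map the HTTP status code to a module return code. */` matches the body. The comment should also say that a 401 or 2xx response body is handed to `rest_response_decode()`, since that is presumably where data from the REST server enters the request. `rcode` is declared `int` although the function returns `rlm_rcode_t`; declaring it `rlm_rcode_t rcode = RLM_MODULE_OK;` would let the compiler check the `switch (rcode)` at `finish:`.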
188 | 188 | memset(retval, 0, c*sizeof(char*)+1); |
189 | 189 | |
190 | 190 | /* advance cursor */ |
191 | if(SQLFetch(conn->stmt) == SQL_NO_DATA_FOUND) { | |
191 | if (SQLFetch(conn->stmt) == SQL_NO_DATA_FOUND) { | |
192 | 192 | handle->row = NULL; |
193 | goto error; | |
194 | } | |
195 | ||
196 | for(i = 0; i < c; i++) { | |
193 | for (i = 0; i < c; i++) free(retval[i]); | |
194 | free(retval); | |
195 | return RLM_SQL_NO_MORE_ROWS; | |
196 | } | |
197 | ||
198 | for (i = 0; i < c; i++) { | |
197 | 199 | /* get column length */ |
198 | 200 | SQLColAttribute(conn->stmt, i+1, SQL_DESC_DISPLAY_SIZE, NULL, 0, NULL, &len); |
199 | 201 | |
208 | 210 | |
209 | 211 | handle->row = retval; |
210 | 212 | return RLM_SQL_OK; |
211 | ||
212 | error: | |
213 | for(i = 0; i < c; i++) { | |
214 | free(retval[i]); | |
215 | } | |
216 | free(retval); | |
217 | ||
218 | return RLM_SQL_ERROR; | |
219 | 213 | } |
220 | 214 | |
221 | 215 | static sql_rcode_t sql_free_result(rlm_sql_handle_t *handle, UNUSED rlm_sql_config_t *config) |
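Review bot: `SQLFetch()` is compared only against `SQL_NO_DATA_FOUND`, so any other non-success return (such as `SQL_ERROR`) falls through to the column loop as if a row had been fetched. With the `error:` label removed, the visible part of the function has no failure path left. I would store the return code and, when `rc != SQL_SUCCESS && rc != SQL_SUCCESS_WITH_INFO`, free `retval` the same way the no-data branch does and return `RLM_SQL_ERROR`. The context line `memset(retval, 0, c*sizeof(char*)+1)` also clears one byte more than `c` pointers; whether the allocation covers that byte cannot be seen here, because the function starts outside the hunk.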
215 | 215 | if (conn->statement_type != isc_info_sql_stmt_exec_procedure) { |
216 | 216 | res = fb_fetch(conn); |
217 | 217 | if (res == 100) { |
218 | return 0; | |
218 | return RLM_SQL_NO_MORE_ROWS; | |
219 | 219 | } |
220 | 220 | |
221 | 221 | if (res) { |
224 | 224 | return RLM_SQL_ERROR; |
225 | 225 | } |
226 | 226 | } else { |
227 | conn->statement_type=0; | |
227 | conn->statement_type = 0; | |
228 | 228 | } |
229 | 229 | |
230 | 230 | fb_store_row(conn); |
584 | 584 | return RLM_SQL_RECONNECT; |
585 | 585 | |
586 | 586 | case CS_END_DATA: |
587 | return RLM_SQL_OK; | |
587 | return RLM_SQL_NO_MORE_ROWS; | |
588 | 588 | |
589 | 589 | case CS_SUCCEED: |
590 | 590 | handle->row = conn->results; |
239 | 239 | |
240 | 240 | handle->row = NULL; |
241 | 241 | |
242 | if((rc = SQLFetch(conn->stmt)) == SQL_NO_DATA_FOUND) { | |
243 | return 0; | |
244 | } | |
242 | rc = SQLFetch(conn->stmt); | |
243 | if (rc == SQL_NO_DATA_FOUND) return RLM_SQL_NO_MORE_ROWS; | |
244 | ||
245 | 245 | /* XXX Check rc for database down, if so, return RLM_SQL_RECONNECT */ |
246 | 246 | |
247 | 247 | handle->row = conn->row; |
258 | 258 | conn->row = NULL; |
259 | 259 | |
260 | 260 | SQLFreeStmt(conn->stmt, SQL_DROP); |
261 | conn->stmt = NULL; | |
261 | 262 | |
262 | 263 | return 0; |
263 | 264 | } |
65 | 65 | MYSQL db; |
66 | 66 | MYSQL *sock; |
67 | 67 | MYSQL_RES *result; |
68 | rlm_sql_row_t row; | |
69 | 68 | } rlm_sql_mysql_conn_t; |
70 | 69 | |
71 | 70 | typedef struct rlm_sql_mysql_config { |
368 | 367 | } |
369 | 368 | |
370 | 369 | retry_store_result: |
371 | if (!(conn->result = mysql_store_result(conn->sock))) { | |
370 | conn->result = mysql_store_result(conn->sock); | |
371 | if (!conn->result) { | |
372 | 372 | rcode = sql_check_error(conn->sock, 0); |
373 | 373 | if (rcode != RLM_SQL_OK) return rcode; |
374 | 374 | #if (MYSQL_VERSION_ID >= 40100) |
377 | 377 | /* there are more results */ |
378 | 378 | goto retry_store_result; |
379 | 379 | } else if (ret > 0) return sql_check_error(NULL, ret); |
380 | /* ret == -1 signals no more results */ | |
380 | 381 | #endif |
381 | 382 | } |
382 | 383 | return RLM_SQL_OK; |
465 | 466 | |
466 | 467 | static sql_rcode_t sql_fetch_row(rlm_sql_handle_t *handle, rlm_sql_config_t *config) |
467 | 468 | { |
468 | rlm_sql_mysql_conn_t *conn = handle->conn; | |
469 | sql_rcode_t rcode; | |
470 | int ret; | |
469 | rlm_sql_mysql_conn_t *conn = handle->conn; | |
470 | sql_rcode_t rcode; | |
471 | MYSQL_ROW row; | |
472 | int ret; | |
473 | unsigned int num_fields, i; | |
474 | unsigned long *field_lens; | |
471 | 475 | |
472 | 476 | /* |
473 | 477 | * Check pointer before de-referencing it. |
476 | 480 | return RLM_SQL_RECONNECT; |
477 | 481 | } |
478 | 482 | |
483 | TALLOC_FREE(handle->row); /* Clear previous row set */ | |
484 | ||
479 | 485 | retry_fetch_row: |
480 | handle->row = mysql_fetch_row(conn->result); | |
481 | if (!handle->row) { | |
486 | row = mysql_fetch_row(conn->result); | |
487 | if (!row) { | |
482 | 488 | rcode = sql_check_error(conn->sock, 0); |
483 | 489 | if (rcode != RLM_SQL_OK) return rcode; |
484 | 490 | |
492 | 498 | goto retry_fetch_row; |
493 | 499 | } |
494 | 500 | } else if (ret > 0) return sql_check_error(NULL, ret); |
495 | #endif | |
496 | } | |
501 | /* If ret is -1 then there are no more rows */ | |
502 | #endif | |
503 | return RLM_SQL_NO_MORE_ROWS; | |
504 | } | |
505 | ||
506 | num_fields = mysql_num_fields(conn->result); | |
507 | if (!num_fields) return RLM_SQL_NO_MORE_ROWS; | |
508 | ||
509 | field_lens = mysql_fetch_lengths(conn->result); | |
510 | ||
511 | MEM(handle->row = talloc_zero_array(handle, char *, num_fields + 1)); | |
512 | for (i = 0; i < num_fields; i++) { | |
513 | MEM(handle->row[i] = talloc_bstrndup(handle->row, row[i], field_lens[i])); | |
514 | } | |
515 | ||
497 | 516 | return RLM_SQL_OK; |
498 | 517 | } |
499 | 518 | |
505 | 524 | mysql_free_result(conn->result); |
506 | 525 | conn->result = NULL; |
507 | 526 | } |
527 | TALLOC_FREE(handle->row); | |
508 | 528 | |
509 | 529 | return RLM_SQL_OK; |
510 | 530 | } |
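Review bot: In the new copy loop of `sql_fetch_row`, `row[i]` is passed to `talloc_bstrndup()` unconditionally, but `mysql_fetch_row()` represents SQL NULL columns as NULL pointers. A NULL column therefore either reaches the copy helper as a NULL source or comes back as an empty string instead of NULL, depending on how `talloc_bstrndup()` (not shown here) handles it. Since `talloc_zero_array()` already leaves the slot NULL, `if (!row[i]) continue;` at the top of the loop keeps the earlier semantics for callers that test `row[n] != NULL`. `mysql_fetch_lengths()` can also return NULL on error and `field_lens` is indexed without a check; `if (!field_lens) return RLM_SQL_ERROR;` before the loop would cover that. Parts of the function are elided between the hunks.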
63 | 63 | { |
64 | 64 | handle->row = NULL; |
65 | 65 | |
66 | return 0; | |
66 | return RLM_SQL_NO_MORE_ROWS; | |
67 | 67 | } |
68 | 68 | |
69 | 69 | static sql_rcode_t sql_free_result(UNUSED rlm_sql_handle_t * handle, UNUSED rlm_sql_config_t *config) |
446 | 446 | if (status == OCI_NO_DATA) { |
447 | 447 | handle->row = 0; |
448 | 448 | |
449 | return RLM_SQL_OK; | |
449 | return RLM_SQL_NO_MORE_ROWS; | |
450 | 450 | } |
451 | 451 | |
452 | 452 | if (status == OCI_ERROR) { |
413 | 413 | |
414 | 414 | handle->row = NULL; |
415 | 415 | |
416 | if (conn->cur_row >= PQntuples(conn->result)) | |
417 | return 0; | |
416 | if (conn->cur_row >= PQntuples(conn->result)) return RLM_SQL_NO_MORE_ROWS; | |
418 | 417 | |
419 | 418 | free_result_row(conn); |
420 | 419 | |
430 | 429 | } |
431 | 430 | conn->cur_row++; |
432 | 431 | handle->row = conn->row; |
433 | } | |
434 | ||
435 | return 0; | |
432 | } else { | |
433 | return RLM_SQL_NO_MORE_ROWS; | |
434 | } | |
435 | ||
436 | return RLM_SQL_OK; | |
436 | 437 | } |
437 | 438 | |
438 | 439 | static int sql_num_fields(rlm_sql_handle_t * handle, UNUSED rlm_sql_config_t *config) |
677 | 677 | /* |
678 | 678 | * No more rows to process (were done) |
679 | 679 | */ |
680 | if (status == SQLITE_DONE) { | |
681 | return 1; | |
682 | } | |
680 | if (status == SQLITE_DONE) return RLM_SQL_NO_MORE_ROWS; | |
683 | 681 | |
684 | 682 | /* |
685 | 683 | * We only need to do this once per result set, because |
731 | 729 | } |
732 | 730 | } |
733 | 731 | |
734 | return 0; | |
732 | return RLM_SQL_OK; | |
735 | 733 | } |
736 | 734 | |
737 | 735 | static sql_rcode_t sql_free_result(rlm_sql_handle_t *handle, UNUSED rlm_sql_config_t *config) |
753 | 751 | * It's just the last error that occurred processing the |
754 | 752 | * statement. |
755 | 753 | */ |
756 | return 0; | |
754 | return RLM_SQL_OK; | |
757 | 755 | } |
758 | 756 | |
759 | 757 | /** Retrieves any errors associated with the connection handle |
794 | 792 | { |
795 | 793 | rlm_sql_sqlite_conn_t *conn = handle->conn; |
796 | 794 | |
797 | if (conn->db) { | |
798 | return sqlite3_changes(conn->db); | |
799 | } | |
795 | if (conn->db) return sqlite3_changes(conn->db); | |
800 | 796 | |
801 | 797 | return -1; |
802 | 798 | } |
227 | 227 | handle->row = NULL; |
228 | 228 | |
229 | 229 | err_handle = SQLFetch(conn->stmt); |
230 | if(err_handle == SQL_NO_DATA_FOUND) { | |
231 | return 0; | |
232 | } | |
230 | if (err_handle == SQL_NO_DATA_FOUND) return RLM_SQL_NO_MORE_ROWS; | |
233 | 231 | |
234 | 232 | if ((state = sql_check_error(err_handle, handle, config))) return state; |
235 | 233 | |
236 | 234 | handle->row = conn->row; |
237 | return 0; | |
235 | return RLM_SQL_OK; | |
238 | 236 | } |
239 | 237 | |
240 | 238 | static sql_rcode_t sql_finish_select_query(rlm_sql_handle_t * handle, rlm_sql_config_t *config) |
153 | 153 | sql_rcode_t rcode; |
154 | 154 | ssize_t ret = 0; |
155 | 155 | size_t len = 0; |
156 | char const *p; | |
156 | 157 | |
157 | 158 | /* |
158 | 159 | * Add SQL-User-Name attribute just in case it is needed |
167 | 168 | rlm_sql_query_log(inst, request, NULL, query); |
168 | 169 | |
169 | 170 | /* |
171 | * Trim whitespace for the prefix check | |
172 | */ | |
173 | for (p = query; is_whitespace(p); p++); | |
174 | ||
175 | /* | |
170 | 176 | * If the query starts with any of the following prefixes, |
171 | 177 | * then return the number of rows affected |
172 | 178 | */ |
173 | if ((strncasecmp(query, "insert", 6) == 0) || | |
174 | (strncasecmp(query, "update", 6) == 0) || | |
175 | (strncasecmp(query, "delete", 6) == 0)) { | |
179 | if ((strncasecmp(p, "insert", 6) == 0) || | |
180 | (strncasecmp(p, "update", 6) == 0) || | |
181 | (strncasecmp(p, "delete", 6) == 0)) { | |
176 | 182 | int numaffected; |
177 | 183 | char buffer[21]; /* 64bit max is 20 decimal chars + null byte */ |
178 | 184 | |
188 | 194 | numaffected = (inst->module->sql_affected_rows)(handle, inst->config); |
189 | 195 | if (numaffected < 1) { |
190 | 196 | RDEBUG("SQL query affected no rows"); |
197 | (inst->module->sql_finish_query)(handle, inst->config); | |
191 | 198 | |
192 | 199 | goto finish; |
193 | 200 | } |
224 | 231 | if (rcode != RLM_SQL_OK) goto query_error; |
225 | 232 | |
226 | 233 | rcode = rlm_sql_fetch_row(inst, request, &handle); |
227 | if (rcode) goto query_error; | |
234 | if (rcode < 0) { | |
235 | (inst->module->sql_finish_select_query)(handle, inst->config); | |
236 | goto query_error; | |
237 | } | |
228 | 238 | |
229 | 239 | row = handle->row; |
230 | 240 | if (!row) { |
281 | 291 | |
282 | 292 | if (rlm_sql_select_query(inst, NULL, &handle, inst->config->client_query) != RLM_SQL_OK) return -1; |
283 | 293 | |
284 | while ((rlm_sql_fetch_row(inst, NULL, &handle) == 0) && (row = handle->row)) { | |
294 | while ((rlm_sql_fetch_row(inst, NULL, &handle) == RLM_SQL_OK) && (row = handle->row)) { | |
295 | int num_rows; | |
285 | 296 | char *server = NULL; |
297 | ||
286 | 298 | i++; |
299 | ||
300 | num_rows = (inst->module->sql_num_fields)(handle, inst->config); | |
301 | if (num_rows < 5) { | |
302 | WARN("SELECT returned too few rows. Please do not edit 'client_query'"); | |
303 | continue; | |
304 | } | |
287 | 305 | |
288 | 306 | /* |
289 | 307 | * The return data for each row MUST be in the following order: |
312 | 330 | continue; |
313 | 331 | } |
314 | 332 | |
315 | if (((inst->module->sql_num_fields)(handle, inst->config) > 5) && (row[5] != NULL) && *row[5]) { | |
333 | if ((num_rows > 5) && (row[5] != NULL) && *row[5]) { | |
316 | 334 | server = row[5]; |
317 | 335 | } |
318 | 336 | |
497 | 515 | |
498 | 516 | fr_pair_value_strsteal(vp, expanded); |
499 | 517 | RDEBUG2("SQL-User-Name set to '%s'", vp->vp_strvalue); |
500 | vp->op = T_OP_SET; | |
518 | vp->op = T_OP_SET; | |
501 | 519 | |
502 | 520 | /* |
503 | 521 | * Delete any existing SQL-User-Name, and replace it with ours. |
534 | 552 | talloc_free(expanded); |
535 | 553 | if (ret != RLM_SQL_OK) return -1; |
536 | 554 | |
537 | while (rlm_sql_fetch_row(inst, request, handle) == 0) { | |
555 | while (rlm_sql_fetch_row(inst, request, handle) == RLM_SQL_OK) { | |
538 | 556 | row = (*handle)->row; |
539 | 557 | if (!row) |
540 | 558 | break; |
567 | 585 | |
568 | 586 | /* |
569 | 587 | * sql groupcmp function. That way we can do group comparisons (in the users file for example) |
570 | * with the group memberships reciding in sql | |
588 | * with the group memberships residing in sql | |
571 | 589 | * The group membership query should only return one element which is the username. The returned |
572 | 590 | * username will then be checked with the passed check string. |
573 | 591 | */ |
842 | 860 | * |
843 | 861 | * We need this to check if the sql_fields callback is provided. |
844 | 862 | */ |
845 | inst->handle = lt_dlopenext(inst->config->sql_driver_name); | |
863 | inst->handle = fr_dlopenext(inst->config->sql_driver_name); | |
846 | 864 | if (!inst->handle) { |
847 | 865 | ERROR("Could not link driver %s: %s", inst->config->sql_driver_name, fr_strerror()); |
848 | 866 | ERROR("Make sure it (and all its dependent libraries!) are in the search path of your system's ld"); |
897 | 915 | xlat_register(inst->name, sql_xlat, sql_escape_func, inst); |
898 | 916 | |
899 | 917 | return 0; |
918 | } | |
919 | ||
920 | ||
921 | static void *mod_conn_create(TALLOC_CTX *ctx, void *instance) | |
922 | { | |
923 | int rcode; | |
924 | rlm_sql_t *inst = instance; | |
925 | rlm_sql_handle_t *handle; | |
926 | ||
927 | /* | |
928 | * Connections cannot be alloced from the inst or | |
929 | * pool contexts due to threading issues. | |
930 | */ | |
931 | handle = talloc_zero(ctx, rlm_sql_handle_t); | |
932 | if (!handle) return NULL; | |
933 | ||
934 | handle->log_ctx = talloc_pool(handle, 2048); | |
935 | if (!handle->log_ctx) { | |
936 | talloc_free(handle); | |
937 | return NULL; | |
938 | } | |
939 | ||
940 | /* | |
941 | * Handle requires a pointer to the SQL inst so the | |
942 | * destructor has access to the module configuration. | |
943 | */ | |
944 | handle->inst = inst; | |
945 | ||
946 | rcode = (inst->module->sql_socket_init)(handle, inst->config); | |
947 | if (rcode != 0) { | |
948 | fail: | |
949 | exec_trigger(NULL, inst->cs, "modules.sql.fail", true); | |
950 | ||
951 | /* | |
952 | * Destroy any half opened connections. | |
953 | */ | |
954 | talloc_free(handle); | |
955 | return NULL; | |
956 | } | |
957 | ||
958 | if (inst->config->connect_query) { | |
959 | if (rlm_sql_select_query(inst, NULL, &handle, inst->config->connect_query) != RLM_SQL_OK) goto fail; | |
960 | (inst->module->sql_finish_select_query)(handle, inst->config); | |
961 | } | |
962 | ||
963 | return handle; | |
900 | 964 | } |
901 | 965 | |
902 | 966 | |
1169 | 1233 | } |
1170 | 1234 | |
1171 | 1235 | /* |
1172 | * Neither group checks or profiles will work without | |
1236 | * Neither group checks nor profiles will work without | |
1173 | 1237 | * a group membership query. |
1174 | 1238 | */ |
1175 | 1239 | if (!inst->config->groupmemb_query) goto release; |
1262 | 1326 | } |
1263 | 1327 | |
1264 | 1328 | /* |
1265 | * At this point the key (user) hasn't be found in the check table, the reply table | |
1329 | * At this point the key (user) hasn't been found in the check table, the reply table | |
1266 | 1330 | * or the group mapping table, and there was no matching profile. |
1267 | 1331 | */ |
1268 | 1332 | release: |
1398 | 1462 | case RLM_SQL_ERROR: |
1399 | 1463 | /* |
1400 | 1464 | * If we get RLM_SQL_RECONNECT it means all connections in the pool |
1401 | * were exhausted, and we couldn't create a new connection, | |
1465 | * were exhausted and we couldn't create a new connection, | |
1402 | 1466 | * so we do not need to call fr_connection_release. |
1403 | 1467 | */ |
1404 | 1468 | case RLM_SQL_RECONNECT: |
1430 | 1494 | (inst->module->sql_finish_query)(handle, inst->config); |
1431 | 1495 | RDEBUG("%i record(s) updated", numaffected); |
1432 | 1496 | |
1433 | if (numaffected > 0) break; /* A query succeeded, were done! */ | |
1497 | if (numaffected > 0) break; /* A query succeeded, we're done! */ | |
1434 | 1498 | next: |
1435 | 1499 | /* |
1436 | 1500 | * We assume all entries with the same name form a redundant |
1589 | 1653 | call_num = vp->vp_strvalue; |
1590 | 1654 | } |
1591 | 1655 | |
1592 | while (rlm_sql_fetch_row(inst, request, &handle) == 0) { | |
1656 | while (rlm_sql_fetch_row(inst, request, &handle) == RLM_SQL_OK) { | |
1657 | int num_rows; | |
1658 | ||
1593 | 1659 | row = handle->row; |
1594 | 1660 | if (!row) { |
1595 | 1661 | break; |
1662 | } | |
1663 | ||
1664 | num_rows = (inst->module->sql_num_fields)(handle, inst->config); | |
1665 | if (num_rows < 8) { | |
1666 | RDEBUG("Too few rows returned. Please do not edit 'simul_verify_query'"); | |
1667 | rcode = RLM_MODULE_FAIL; | |
1668 | ||
1669 | goto finish; | |
1596 | 1670 | } |
1597 | 1671 | |
1598 | 1672 | if (!row[2]){ |
1635 | 1709 | else if (strcmp(row[7], "SLIP") == 0) |
1636 | 1710 | proto = 'S'; |
1637 | 1711 | } |
1638 | if (row[8]) | |
1712 | if ((num_rows > 8) && row[8]) | |
1639 | 1713 | sess_time = atoi(row[8]); |
1640 | 1714 | session_zap(request, nas_addr, nas_port, |
1641 | 1715 | row[2], row[1], framed_addr, |
41 | 41 | |
42 | 42 | /* SQL Errors */ |
43 | 43 | typedef enum { |
44 | RLM_SQL_QUERY_INVALID = -3, //!< Query syntax error | |
45 | RLM_SQL_ERROR = -2, //!< General connection/server error | |
46 | RLM_SQL_OK = 0, //!< Success | |
47 | RLM_SQL_RECONNECT = 1, //!< Stale connection, should reconnect | |
48 | RLM_SQL_ALT_QUERY = 2 //!< Key constraint violation | |
44 | RLM_SQL_QUERY_INVALID = -3, //!< Query syntax error. | |
45 | RLM_SQL_ERROR = -2, //!< General connection/server error. | |
46 | RLM_SQL_OK = 0, //!< Success. | |
47 | RLM_SQL_RECONNECT = 1, //!< Stale connection, should reconnect. | |
48 | RLM_SQL_ALT_QUERY, //!< Key constraint violation, use an alternative query. | |
49 | RLM_SQL_NO_MORE_ROWS, //!< No more rows available | |
49 | 50 | } sql_rcode_t; |
50 | 51 | |
51 | 52 | typedef enum { |
52 | FALL_THROUGH_DEFAULT = 0, | |
53 | FALL_THROUGH_NO = 0, | |
53 | 54 | FALL_THROUGH_YES, |
54 | FALL_THROUGH_NO | |
55 | FALL_THROUGH_DEFAULT, | |
55 | 56 | } sql_fall_through_t; |
56 | 57 | |
57 | 58 | |
240 | 241 | struct sql_grouplist *next; |
241 | 242 | } rlm_sql_grouplist_t; |
242 | 243 | |
243 | void *mod_conn_create(TALLOC_CTX *ctx, void *instance); | |
244 | 244 | int sql_fr_pair_list_afrom_str(TALLOC_CTX *ctx, REQUEST *request, VALUE_PAIR **first_pair, rlm_sql_row_t row); |
245 | 245 | int sql_read_realms(rlm_sql_handle_t *handle); |
246 | 246 | int sql_getvpdata(TALLOC_CTX *ctx, rlm_sql_t *inst, REQUEST *request, rlm_sql_handle_t **handle, VALUE_PAIR **pair, char const *query); |
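Review bot: The reordering of `sql_fall_through_t` changes what a zero value means: `FALL_THROUGH_NO` is now 0 and `FALL_THROUGH_DEFAULT` moves to the end, yet the enum has no comments, unlike `sql_rcode_t` directly above it. Any zero-initialised variable of this type, or any numeric comparison against it, now resolves to a different member than before. Whether a caller relies on the old numbering cannot be seen from this section. I would document the intent on the members, e.g. `FALL_THROUGH_NO = 0, //!< Fall-through disabled (value of zero-initialised storage).`, and add a line on `FALL_THROUGH_DEFAULT` saying when it is produced.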
48 | 48 | { "server error", RLM_SQL_ERROR }, |
49 | 49 | { "query invalid", RLM_SQL_QUERY_INVALID }, |
50 | 50 | { "no connection", RLM_SQL_RECONNECT }, |
51 | { "no more rows", RLM_SQL_NO_MORE_ROWS }, | |
51 | 52 | { NULL, 0 } |
52 | 53 | }; |
53 | 54 | |
54 | ||
55 | void *mod_conn_create(TALLOC_CTX *ctx, void *instance) | |
56 | { | |
57 | int rcode; | |
58 | rlm_sql_t *inst = instance; | |
59 | rlm_sql_handle_t *handle; | |
60 | ||
61 | /* | |
62 | * Connections cannot be alloced from the inst or | |
63 | * pool contexts due to threading issues. | |
64 | */ | |
65 | handle = talloc_zero(ctx, rlm_sql_handle_t); | |
66 | if (!handle) return NULL; | |
67 | ||
68 | handle->log_ctx = talloc_pool(handle, 2048); | |
69 | if (!handle->log_ctx) { | |
70 | talloc_free(handle); | |
71 | return NULL; | |
72 | } | |
73 | ||
74 | /* | |
75 | * Handle requires a pointer to the SQL inst so the | |
76 | * destructor has access to the module configuration. | |
77 | */ | |
78 | handle->inst = inst; | |
79 | ||
80 | rcode = (inst->module->sql_socket_init)(handle, inst->config); | |
81 | if (rcode != 0) { | |
82 | fail: | |
83 | /* | |
84 | * Destroy any half opened connections. | |
85 | */ | |
86 | talloc_free(handle); | |
87 | return NULL; | |
88 | } | |
89 | ||
90 | if (inst->config->connect_query) { | |
91 | if (rlm_sql_select_query(inst, NULL, &handle, inst->config->connect_query) != RLM_SQL_OK) goto fail; | |
92 | (inst->module->sql_finish_select_query)(handle, inst->config); | |
93 | } | |
94 | ||
95 | return handle; | |
96 | } | |
97 | 55 | |
98 | 56 | /************************************************************************* |
99 | 57 | * |
488 | 446 | rcode = rlm_sql_select_query(inst, request, handle, query); |
489 | 447 | if (rcode != RLM_SQL_OK) return -1; /* error handled by rlm_sql_select_query */ |
490 | 448 | |
491 | while (rlm_sql_fetch_row(inst, request, handle) == 0) { | |
449 | while (rlm_sql_fetch_row(inst, request, handle) == RLM_SQL_OK) { | |
492 | 450 | row = (*handle)->row; |
493 | 451 | if (!row) break; |
494 | 452 | if (sql_fr_pair_list_afrom_str(ctx, request, pair, row) != 0) { |
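Review bot: The fetch loop at new line 449 ends on any return other than `RLM_SQL_OK`, so a mid-result `RLM_SQL_ERROR` or `RLM_SQL_RECONNECT` is treated the same as running out of rows. The code after the loop is outside this hunk; if it returns the pairs collected so far, a caller could act on a partial attribute list after a failed fetch. With `RLM_SQL_NO_MORE_ROWS` now available the two cases can be told apart: keep the result with `while ((rcode = rlm_sql_fetch_row(inst, request, handle)) == RLM_SQL_OK) {`, and after the loop treat anything other than `RLM_SQL_OK` or `RLM_SQL_NO_MORE_ROWS` as a failure. The other fetch loops changed by this commit follow the same pattern and deserve the same check.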
102 | 102 | CONF_PARSER_TERMINATOR |
103 | 103 | }; |
104 | 104 | |
105 | static int find_next_reset(rlm_sqlcounter_t *inst, time_t timeval) | |
105 | static int find_next_reset(rlm_sqlcounter_t *inst, REQUEST *request, time_t timeval) | |
106 | 106 | { |
107 | 107 | int ret = 0; |
108 | 108 | size_t len; |
110 | 110 | char last = '\0'; |
111 | 111 | struct tm *tm, s_tm; |
112 | 112 | char sCurrentTime[40], sNextTime[40]; |
113 | ||
114 | tm = localtime_r(&timeval, &s_tm); | |
115 | tm->tm_sec = tm->tm_min = 0; | |
116 | ||
117 | rad_assert(inst->reset != NULL); | |
118 | ||
119 | /* | |
120 | * Reset every N hours, days, weeks, months. | |
121 | */ | |
122 | if (isdigit((int) inst->reset[0])){ | |
123 | len = strlen(inst->reset); | |
124 | if (len == 0) return -1; | |
125 | ||
126 | last = inst->reset[len - 1]; | |
127 | if (!isalpha((int) last)) { | |
128 | last = 'd'; | |
129 | } | |
130 | ||
131 | num = atoi(inst->reset); | |
132 | DEBUG("rlm_sqlcounter: num=%d, last=%c",num,last); | |
133 | } | |
134 | ||
135 | if (strcmp(inst->reset, "hourly") == 0 || last == 'h') { | |
136 | /* | |
137 | * Round up to the next nearest hour. | |
138 | */ | |
139 | tm->tm_hour += num; | |
140 | inst->reset_time = mktime(tm); | |
141 | ||
142 | } else if (strcmp(inst->reset, "daily") == 0 || last == 'd') { | |
143 | /* | |
144 | * Round up to the next nearest day. | |
145 | */ | |
146 | tm->tm_hour = 0; | |
147 | tm->tm_mday += num; | |
148 | inst->reset_time = mktime(tm); | |
149 | ||
150 | } else if (strcmp(inst->reset, "weekly") == 0 || last == 'w') { | |
151 | /* | |
152 | * Round up to the next nearest week. | |
153 | */ | |
154 | tm->tm_hour = 0; | |
155 | tm->tm_mday += (7 - tm->tm_wday) +(7*(num-1)); | |
156 | inst->reset_time = mktime(tm); | |
157 | ||
158 | } else if (strcmp(inst->reset, "monthly") == 0 || last == 'm') { | |
159 | tm->tm_hour = 0; | |
160 | tm->tm_mday = 1; | |
161 | tm->tm_mon += num; | |
162 | inst->reset_time = mktime(tm); | |
163 | ||
164 | } else if (strcmp(inst->reset, "never") == 0) { | |
165 | inst->reset_time = 0; | |
166 | ||
167 | } else { | |
168 | return -1; | |
169 | } | |
170 | ||
171 | if (!request || (rad_debug_lvl < 2)) return ret; | |
172 | ||
173 | len = strftime(sCurrentTime, sizeof(sCurrentTime), "%Y-%m-%d %H:%M:%S", tm); | |
174 | if (len == 0) *sCurrentTime = '\0'; | |
175 | ||
176 | len = strftime(sNextTime, sizeof(sNextTime),"%Y-%m-%d %H:%M:%S",tm); | |
177 | if (len == 0) *sNextTime = '\0'; | |
178 | RDEBUG2("rlm_sqlcounter: Current Time: %" PRId64 " [%s], Next reset %" PRId64 " [%s]", | |
179 | (int64_t) timeval, sCurrentTime, (int64_t) inst->reset_time, sNextTime); | |
180 | ||
181 | return ret; | |
182 | } | |
183 | ||
184 | ||
185 | /* I don't believe that this routine handles Daylight Saving Time adjustments | |
186 | properly. Any suggestions? | |
187 | */ | |
188 | ||
189 | static int find_prev_reset(rlm_sqlcounter_t *inst, time_t timeval) | |
190 | { | |
191 | int ret = 0; | |
192 | size_t len; | |
193 | unsigned int num = 1; | |
194 | char last = '\0'; | |
195 | struct tm *tm, s_tm; | |
196 | char sCurrentTime[40], sPrevTime[40]; | |
113 | 197 | |
114 | 198 | tm = localtime_r(&timeval, &s_tm); |
115 | 199 | len = strftime(sCurrentTime, sizeof(sCurrentTime), "%Y-%m-%d %H:%M:%S", tm); |
130 | 214 | } |
131 | 215 | if (strcmp(inst->reset, "hourly") == 0 || last == 'h') { |
132 | 216 | /* |
133 | * Round up to the next nearest hour. | |
134 | */ | |
135 | tm->tm_hour += num; | |
136 | inst->reset_time = mktime(tm); | |
137 | } else if (strcmp(inst->reset, "daily") == 0 || last == 'd') { | |
138 | /* | |
139 | * Round up to the next nearest day. | |
140 | */ | |
141 | tm->tm_hour = 0; | |
142 | tm->tm_mday += num; | |
143 | inst->reset_time = mktime(tm); | |
144 | } else if (strcmp(inst->reset, "weekly") == 0 || last == 'w') { | |
145 | /* | |
146 | * Round up to the next nearest week. | |
147 | */ | |
148 | tm->tm_hour = 0; | |
149 | tm->tm_mday += (7 - tm->tm_wday) +(7*(num-1)); | |
150 | inst->reset_time = mktime(tm); | |
151 | } else if (strcmp(inst->reset, "monthly") == 0 || last == 'm') { | |
152 | tm->tm_hour = 0; | |
153 | tm->tm_mday = 1; | |
154 | tm->tm_mon += num; | |
155 | inst->reset_time = mktime(tm); | |
156 | } else if (strcmp(inst->reset, "never") == 0) { | |
157 | inst->reset_time = 0; | |
158 | } else { | |
159 | return -1; | |
160 | } | |
161 | ||
162 | len = strftime(sNextTime, sizeof(sNextTime),"%Y-%m-%d %H:%M:%S",tm); | |
163 | if (len == 0) *sNextTime = '\0'; | |
164 | DEBUG2("rlm_sqlcounter: Current Time: %" PRId64 " [%s], Next reset %" PRId64 " [%s]", | |
165 | (int64_t) timeval, sCurrentTime, (int64_t) inst->reset_time, sNextTime); | |
166 | ||
167 | return ret; | |
168 | } | |
169 | ||
170 | ||
171 | /* I don't believe that this routine handles Daylight Saving Time adjustments | |
172 | properly. Any suggestions? | |
173 | */ | |
174 | ||
175 | static int find_prev_reset(rlm_sqlcounter_t *inst, time_t timeval) | |
176 | { | |
177 | int ret = 0; | |
178 | size_t len; | |
179 | unsigned int num = 1; | |
180 | char last = '\0'; | |
181 | struct tm *tm, s_tm; | |
182 | char sCurrentTime[40], sPrevTime[40]; | |
183 | ||
184 | tm = localtime_r(&timeval, &s_tm); | |
185 | len = strftime(sCurrentTime, sizeof(sCurrentTime), "%Y-%m-%d %H:%M:%S", tm); | |
186 | if (len == 0) *sCurrentTime = '\0'; | |
187 | tm->tm_sec = tm->tm_min = 0; | |
188 | ||
189 | rad_assert(inst->reset != NULL); | |
190 | ||
191 | if (isdigit((int) inst->reset[0])){ | |
192 | len = strlen(inst->reset); | |
193 | if (len == 0) | |
194 | return -1; | |
195 | last = inst->reset[len - 1]; | |
196 | if (!isalpha((int) last)) | |
197 | last = 'd'; | |
198 | num = atoi(inst->reset); | |
199 | DEBUG("rlm_sqlcounter: num=%d, last=%c",num,last); | |
200 | } | |
201 | if (strcmp(inst->reset, "hourly") == 0 || last == 'h') { | |
202 | /* | |
203 | 217 | * Round down to the prev nearest hour. |
204 | 218 | */ |
205 | 219 | tm->tm_hour -= num - 1; |
206 | 220 | inst->last_reset = mktime(tm); |
221 | ||
207 | 222 | } else if (strcmp(inst->reset, "daily") == 0 || last == 'd') { |
208 | 223 | /* |
209 | 224 | * Round down to the prev nearest day. |
211 | 226 | tm->tm_hour = 0; |
212 | 227 | tm->tm_mday -= num - 1; |
213 | 228 | inst->last_reset = mktime(tm); |
229 | ||
214 | 230 | } else if (strcmp(inst->reset, "weekly") == 0 || last == 'w') { |
215 | 231 | /* |
216 | 232 | * Round down to the prev nearest week. |
218 | 234 | tm->tm_hour = 0; |
219 | 235 | tm->tm_mday -= tm->tm_wday +(7*(num-1)); |
220 | 236 | inst->last_reset = mktime(tm); |
237 | ||
221 | 238 | } else if (strcmp(inst->reset, "monthly") == 0 || last == 'm') { |
222 | 239 | tm->tm_hour = 0; |
223 | 240 | tm->tm_mday = 1; |
224 | 241 | tm->tm_mon -= num - 1; |
225 | 242 | inst->last_reset = mktime(tm); |
243 | ||
226 | 244 | } else if (strcmp(inst->reset, "never") == 0) { |
227 | 245 | inst->reset_time = 0; |
246 | ||
228 | 247 | } else { |
229 | 248 | return -1; |
230 | 249 | } |
462 | 481 | now = time(NULL); |
463 | 482 | inst->reset_time = 0; |
464 | 483 | |
465 | if (find_next_reset(inst, now) == -1) { | |
484 | if (find_next_reset(inst, NULL, now) < 0) { | |
466 | 485 | cf_log_err_cs(conf, "Invalid reset '%s'", inst->reset); |
467 | 486 | return -1; |
468 | 487 | } |
510 | 529 | * Re-set the next time and prev_time for this counters range |
511 | 530 | */ |
512 | 531 | inst->last_reset = inst->reset_time; |
513 | find_next_reset(inst,request->timestamp); | |
532 | find_next_reset(inst, request, request->timestamp); | |
514 | 533 | } |
515 | 534 | |
516 | 535 | /* |
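Review bot: In the new `find_next_reset`, `sCurrentTime` is formatted from `tm` only after the reset branches have advanced it and `mktime` has normalised it, so the `RDEBUG2` line prints the next-reset time in both brackets. The previous code formatted the current time before touching `tm`, as `find_prev_reset` still does. To keep the early return that skips the formatting work, format `sNextTime` first, then re-run `tm = localtime_r(&timeval, &s_tm);` before the `strftime` into `sCurrentTime`. Separately, the result of `localtime_r` is dereferenced at `tm->tm_sec = tm->tm_min = 0;` without a NULL check.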
26 | 26 | #include <freeradius-devel/radiusd.h> |
27 | 27 | #include <freeradius-devel/modules.h> |
28 | 28 | |
29 | /* | |
30 | * FIXME: Add check for this header to configure.ac | |
31 | */ | |
29 | #ifdef HAVE_OPENSSL_HMAC_H | |
32 | 30 | #include <openssl/hmac.h> |
31 | #endif | |
33 | 32 | |
34 | 33 | /* |
35 | 34 | * FIXME: Fix the build system to create definitions from names. |
121 | 120 | rlm_wimax_t *inst = instance; |
122 | 121 | VALUE_PAIR *msk, *emsk, *vp; |
123 | 122 | VALUE_PAIR *mn_nai, *ip, *fa_rk; |
124 | HMAC_CTX hmac; | |
123 | HMAC_CTX *hmac; | |
125 | 124 | unsigned int rk1_len, rk2_len, rk_len; |
126 | 125 | uint32_t mip_spi; |
127 | 126 | uint8_t usage_data[24]; |
160 | 159 | /* |
161 | 160 | * MIP-RK-1 = HMAC-SSHA256(EMSK, usage-data | 0x01) |
162 | 161 | */ |
163 | HMAC_CTX_init(&hmac); | |
164 | HMAC_Init_ex(&hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL); | |
165 | ||
166 | HMAC_Update(&hmac, &usage_data[0], sizeof(usage_data)); | |
167 | HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); | |
162 | hmac = HMAC_CTX_new(); | |
163 | HMAC_Init_ex(hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL); | |
164 | ||
165 | HMAC_Update(hmac, &usage_data[0], sizeof(usage_data)); | |
166 | HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); | |
168 | 167 | |
169 | 168 | /* |
170 | 169 | * MIP-RK-2 = HMAC-SSHA256(EMSK, MIP-RK-1 | usage-data | 0x01) |
171 | 170 | */ |
172 | HMAC_Init_ex(&hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL); | |
173 | ||
174 | HMAC_Update(&hmac, (uint8_t const *) &mip_rk_1, rk1_len); | |
175 | HMAC_Update(&hmac, &usage_data[0], sizeof(usage_data)); | |
176 | HMAC_Final(&hmac, &mip_rk_2[0], &rk2_len); | |
171 | HMAC_Init_ex(hmac, emsk->vp_octets, emsk->vp_length, EVP_sha256(), NULL); | |
172 | ||
173 | HMAC_Update(hmac, (uint8_t const *) &mip_rk_1, rk1_len); | |
174 | HMAC_Update(hmac, &usage_data[0], sizeof(usage_data)); | |
175 | HMAC_Final(hmac, &mip_rk_2[0], &rk2_len); | |
177 | 176 | |
178 | 177 | memcpy(mip_rk, mip_rk_1, rk1_len); |
179 | 178 | memcpy(mip_rk + rk1_len, mip_rk_2, rk2_len); |
182 | 181 | /* |
183 | 182 | * MIP-SPI = HMAC-SSHA256(MIP-RK, "SPI CMIP PMIP"); |
184 | 183 | */ |
185 | HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha256(), NULL); | |
186 | ||
187 | HMAC_Update(&hmac, (uint8_t const *) "SPI CMIP PMIP", 12); | |
188 | HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); | |
184 | HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha256(), NULL); | |
185 | ||
186 | HMAC_Update(hmac, (uint8_t const *) "SPI CMIP PMIP", 12); | |
187 | HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); | |
189 | 188 | |
190 | 189 | /* |
191 | 190 | * Take the 4 most significant octets. |
245 | 244 | * MN-HA-PMIP4 = |
246 | 245 | * H(MIP-RK, "PMIP4 MN HA" | HA-IPv4 | MN-NAI); |
247 | 246 | */ |
248 | HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL); | |
249 | ||
250 | HMAC_Update(&hmac, (uint8_t const *) "PMIP4 MN HA", 11); | |
251 | HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipaddr, 4); | |
252 | HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); | |
253 | HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); | |
247 | HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL); | |
248 | ||
249 | HMAC_Update(hmac, (uint8_t const *) "PMIP4 MN HA", 11); | |
250 | HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipaddr, 4); | |
251 | HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); | |
252 | HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); | |
254 | 253 | |
255 | 254 | /* |
256 | 255 | * Put MN-HA-PMIP4 into WiMAX-MN-hHA-MIP4-Key |
295 | 294 | * MN-HA-CMIP4 = |
296 | 295 | * H(MIP-RK, "CMIP4 MN HA" | HA-IPv4 | MN-NAI); |
297 | 296 | */ |
298 | HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL); | |
299 | ||
300 | HMAC_Update(&hmac, (uint8_t const *) "CMIP4 MN HA", 11); | |
301 | HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipaddr, 4); | |
302 | HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); | |
303 | HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); | |
297 | HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL); | |
298 | ||
299 | HMAC_Update(hmac, (uint8_t const *) "CMIP4 MN HA", 11); | |
300 | HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipaddr, 4); | |
301 | HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); | |
302 | HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); | |
304 | 303 | |
305 | 304 | /* |
306 | 305 | * Put MN-HA-CMIP4 into WiMAX-MN-hHA-MIP4-Key |
345 | 344 | * MN-HA-CMIP6 = |
346 | 345 | * H(MIP-RK, "CMIP6 MN HA" | HA-IPv6 | MN-NAI); |
347 | 346 | */ |
348 | HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL); | |
349 | ||
350 | HMAC_Update(&hmac, (uint8_t const *) "CMIP6 MN HA", 11); | |
351 | HMAC_Update(&hmac, (uint8_t const *) &ip->vp_ipv6addr, 16); | |
352 | HMAC_Update(&hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); | |
353 | HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); | |
347 | HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL); | |
348 | ||
349 | HMAC_Update(hmac, (uint8_t const *) "CMIP6 MN HA", 11); | |
350 | HMAC_Update(hmac, (uint8_t const *) &ip->vp_ipv6addr, 16); | |
351 | HMAC_Update(hmac, (uint8_t const *) &mn_nai->vp_strvalue, mn_nai->vp_length); | |
352 | HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); | |
354 | 353 | |
355 | 354 | /* |
356 | 355 | * Put MN-HA-CMIP6 into WiMAX-MN-hHA-MIP6-Key |
392 | 391 | */ |
393 | 392 | fa_rk = fr_pair_find_by_num(request->reply->vps, 14, VENDORPEC_WIMAX, TAG_ANY); |
394 | 393 | if (fa_rk && (fa_rk->vp_length <= 1)) { |
395 | HMAC_Init_ex(&hmac, mip_rk, rk_len, EVP_sha1(), NULL); | |
396 | ||
397 | HMAC_Update(&hmac, (uint8_t const *) "FA-RK", 5); | |
398 | ||
399 | HMAC_Final(&hmac, &mip_rk_1[0], &rk1_len); | |
394 | HMAC_Init_ex(hmac, mip_rk, rk_len, EVP_sha1(), NULL); | |
395 | ||
396 | HMAC_Update(hmac, (uint8_t const *) "FA-RK", 5); | |
397 | ||
398 | HMAC_Final(hmac, &mip_rk_1[0], &rk1_len); | |
400 | 399 | |
401 | 400 | fr_pair_value_memcpy(fa_rk, &mip_rk_1[0], rk1_len); |
402 | 401 | } |
450 | 449 | /* |
451 | 450 | * Wipe the context of all sensitive information. |
452 | 451 | */ |
453 | HMAC_CTX_cleanup(&hmac); | |
452 | HMAC_CTX_free(hmac); | |
454 | 453 | |
455 | 454 | return RLM_MODULE_UPDATED; |
456 | 455 | } |
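Review bot: The result of `HMAC_CTX_new()` at new line 162 is passed straight to `HMAC_Init_ex(hmac, ...)` without a NULL check, so an allocation failure would likely crash the server during key derivation, which the old stack-allocated context could not do. Add `if (!hmac) return RLM_MODULE_FAIL;` right after the allocation; the return code is a suggestion, so use whatever this function reports for internal errors. Because the context is now heap-allocated, any return between the allocation and the final `HMAC_CTX_free(hmac)` leaks it; the function starts outside the visible hunks and those paths are not shown, so they need checking. The `HMAC_Init_ex`/`HMAC_Update`/`HMAC_Final` return values are also ignored, so a failed step would leave `mip_rk_1` and `rk1_len` holding earlier or indeterminate data that is then copied into reply attributes.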
0 | # | |
1 | # User-Name is "bob", and a switch statement | |
2 | # with no "default" should not crash the server. | |
3 | # | |
4 | switch &User-Name { | |
5 | case "doug" { | |
6 | update reply { | |
7 | Filter-Id := "doug" | |
8 | } | |
9 | } | |
10 | } | |
11 | ||
12 | if (&reply:Filter-Id) { | |
13 | update reply { | |
14 | Filter-Id := "fail 1" | |
15 | } | |
16 | } | |
17 | else { | |
18 | update reply { | |
19 | Filter-Id := "filter" | |
20 | } | |
21 | }⏎ |
0 | 0 | # |
1 | 1 | # PRE: update |
2 | # | |
3 | ||
4 | # | |
5 | # Set it. | |
2 | 6 | # |
3 | 7 | update request { |
4 | 8 | NAS-Port := 1000 |
5 | 9 | } |
6 | 10 | |
7 | 11 | # |
8 | # Filtering | |
12 | # Enforce it. | |
9 | 13 | # |
10 | 14 | update request { |
11 | 15 | NAS-Port == 1000 |
17 | 21 | } |
18 | 22 | } |
19 | 23 | |
24 | # | |
25 | # Enforce to new lower value. | |
26 | # | |
20 | 27 | update request { |
21 | 28 | NAS-Port <= 500 |
22 | 29 | } |
23 | 30 | |
24 | 31 | if (NAS-Port != 500) { |
25 | 32 | update reply { |
26 | Filter-Id += "fail 2" | |
33 | Filter-Id += "fail 2 - expected 500, got %{NAS-Port}" | |
27 | 34 | } |
28 | 35 | } |
29 | 36 | |
37 | # | |
38 | # Enforce to new higher value | |
39 | # | |
30 | 40 | update request { |
31 | 41 | NAS-Port >= 2000 |
32 | 42 | } |
33 | 43 | |
34 | 44 | if (NAS-Port != 2000) { |
35 | 45 | update reply { |
36 | Filter-Id += "fail 3" | |
46 | Filter-Id += "fail 3 - expected 2000, got %{NAS-Port}" | |
47 | } | |
48 | } | |
49 | ||
50 | # | |
51 | # Enforce value which previously didn't exist. | |
52 | # | |
53 | update request { | |
54 | Idle-Timeout >= 14400 | |
55 | } | |
56 | ||
57 | if (&request:Idle-Timeout != 14400) { | |
58 | update reply { | |
59 | Filter-Id += "fail Idle-Timeout >= 14400" | |
37 | 60 | } |
38 | 61 | } |
39 | 62 |