From patchwork Fri Oct 24 09:05:33 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Chen, Libo (CN)"
X-Patchwork-Id: 72958
From: libo.chen.cn@windriver.com
To: openembedded-devel@lists.openembedded.org
Subject: [meta-networking][PATCH] freeradius: Remove files which have license issues
Date: Fri, 24 Oct 2025 17:05:33 +0800
Message-Id: <20251024090533.2412673-1-libo.chen.cn@windriver.com>
X-Mailer: git-send-email 2.34.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-devel/message/120947

From: Libo Chen

remove the following files which have the following license:

Copyright (C) 2023 Network RADIUS SARL (legal@networkradius.com)

This software may not be redistributed in any form without the prior
written consent of Network RADIUS.

src/modules/rlm_dpsk/rlm_dpsk.c
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.h
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c
src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.h
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.c

Signed-off-by: Libo Chen
---
 ...move-files-which-have-license-issues.patch | 8491 +++++++++++++++++
 .../freeradius/freeradius_3.2.7.bb | 4 +
 2 files changed, 8495 insertions(+)
 create mode 100644 meta-networking/recipes-connectivity/freeradius/files/0019-freeradius-Remove-files-which-have-license-issues.patch

diff --git a/meta-networking/recipes-connectivity/freeradius/files/0019-freeradius-Remove-files-which-have-license-issues.patch b/meta-networking/recipes-connectivity/freeradius/files/0019-freeradius-Remove-files-which-have-license-issues.patch
new file mode 100644
index 0000000000..50fa25e406
--- /dev/null
+++ b/meta-networking/recipes-connectivity/freeradius/files/0019-freeradius-Remove-files-which-have-license-issues.patch
@@ -0,0 +1,8491 @@ +From c8c36d7bd8aad1dae6a1e6eb8dd8429b837ea035 Mon Sep 17 00:00:00 2001 +From: Libo Chen +Date: Fri, 24 Oct 2025 12:12:10 +0800 +Subject: [PATCH] freeradius: Remove files which have license issues + +remove the following files which have the following license: + +Copyright (C) 2023 Network RADIUS SARL (legal@networkradius.com) + +This software may not be redistributed in any form without the prior +written consent of Network RADIUS. + +src/modules/rlm_dpsk/rlm_dpsk.c +src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.h +src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c +src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c +src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.h +src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.c + +Upstream-Status: Pending + +Signed-off-by: Libo Chen +--- + src/modules/rlm_dpsk/all.mk | 10 - + src/modules/rlm_dpsk/rlm_dpsk.c | 955 ---- + .../rlm_eap/types/rlm_eap_teap/.gitignore | 1 - + .../rlm_eap/types/rlm_eap_teap/all.mk.in | 12 - + .../rlm_eap/types/rlm_eap_teap/configure | 4512 ----------------- + .../rlm_eap/types/rlm_eap_teap/configure.ac | 86 - + .../rlm_eap/types/rlm_eap_teap/eap_teap.c | 1817 ------- + .../rlm_eap/types/rlm_eap_teap/eap_teap.h | 176 - + .../types/rlm_eap_teap/eap_teap_crypto.c | 198 - + .../types/rlm_eap_teap/eap_teap_crypto.h | 39 - + .../rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c | 569 --- + 11 files changed, 8375 deletions(-) + delete mode 100644 src/modules/rlm_dpsk/all.mk + delete mode 100644 src/modules/rlm_dpsk/rlm_dpsk.c + delete mode 100644 src/modules/rlm_eap/types/rlm_eap_teap/.gitignore + delete mode 100644 src/modules/rlm_eap/types/rlm_eap_teap/all.mk.in + delete mode 100755 src/modules/rlm_eap/types/rlm_eap_teap/configure + delete mode 100644 src/modules/rlm_eap/types/rlm_eap_teap/configure.ac + delete mode 100644 src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c + delete mode 100644 src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.h + delete mode 100644 
src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.c + delete mode 100644 src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.h + delete mode 100644 src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c + +diff --git a/src/modules/rlm_dpsk/all.mk b/src/modules/rlm_dpsk/all.mk +deleted file mode 100644 +index 8da247565b..0000000000 +--- a/src/modules/rlm_dpsk/all.mk ++++ /dev/null +@@ -1,10 +0,0 @@ +-TARGETNAME := rlm_dpsk +- +-ifneq "$(OPENSSL_LIBS)" "" +-TARGET := $(TARGETNAME).a +-endif +- +-SOURCES := $(TARGETNAME).c +- +-SRC_CFLAGS := +-TGT_LDLIBS := +diff --git a/src/modules/rlm_dpsk/rlm_dpsk.c b/src/modules/rlm_dpsk/rlm_dpsk.c +deleted file mode 100644 +index 35773056b3..0000000000 +--- a/src/modules/rlm_dpsk/rlm_dpsk.c ++++ /dev/null +@@ -1,955 +0,0 @@ +-/* +- * Copyright (C) 2023 Network RADIUS SARL (legal@networkradius.com) +- * +- * This software may not be redistributed in any form without the prior +- * written consent of Network RADIUS. +- * +- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. 
+- */ +- +-/** +- * $Id$ +- * @file rlm_dpsk.c +- * @brief Dynamic PSK for WiFi +- * +- * @copyright 2023 Network RADIUS SAS (legal@networkradius.com) +- */ +-RCSID("$Id$") +- +-#include +-#include +-#include +-#include +- +-#include +-#include +-#include +- +-#include +- +-#define PW_FREERADIUS_8021X_ANONCE (1) +-#define PW_FREERADIUS_8021X_EAPOL_KEY_MSG (2) +- +-#define VENDORPEC_FREERADIUS_EVS5 ((((uint32_t) 245) << 24) | VENDORPEC_FREERADIUS) +- +-#define VENDORPEC_RUCKUS (25053) +-#define PW_RUCKUS_BSSID (14) +-#define PW_RUCKUS_DPSK_PARAMS (152) +- +-//#define PW_RUCKUS_DPSK_CIPHER (PW_RUCKUS_DPSK_PARAMS | (2 << 8)) +-#define PW_RUCKUS_DPSK_ANONCE (PW_RUCKUS_DPSK_PARAMS | (3 << 8)) +-#define PW_RUCKUS_DPSK_EAPOL_KEY_FRAME (PW_RUCKUS_DPSK_PARAMS | (4 << 8)) +- +- +-/* +- Header: 02030075 +- +- descriptor 02 +- information 010a +- length 0010 +- replay counter 000000000000001 +- snonce c3bb319516614aacfb44e933bf1671131fb1856e5b2721952d414ce3f5aa312b +- IV 0000000000000000000000000000000 +- rsc 0000000000000000 +- reserved 0000000000000000 +- mic 35cddcedad0dfb6a12a2eca55c17c323 +- data length 0016 +- data 30140100000fac040100000fac040100000fac028c00 +- +- 30 +- 14 length of data +- 01 ... +-*/ +- +-typedef struct eapol_key_frame_t { +- uint8_t descriptor; // message number 2 +- uint16_t information; // +- uint16_t length; // always 0010, for 16 octers +- uint8_t replay_counter[8]; // usually "1" +- uint8_t nonce[32]; // random token +- uint8_t iv[16]; // zeroes +- uint8_t rsc[8]; // zeros +- uint8_t reserved[8]; // zeroes +- uint8_t mic[16]; // calculated data +- uint16_t data_len; // various other things we don't need. 
+-// uint8_t data[]; +-} CC_HINT(__packed__) eapol_key_frame_t; +- +-typedef struct eapol_attr_t { +- uint8_t header[4]; // 02030075 +- eapol_key_frame_t frame; +-} CC_HINT(__packed__) eapol_attr_t; +- +-#ifdef HAVE_PTHREAD_H +-#define PTHREAD_MUTEX_LOCK pthread_mutex_lock +-#define PTHREAD_MUTEX_UNLOCK pthread_mutex_unlock +-#else +-#define PTHREAD_MUTEX_LOCK(_x) +-#define PTHREAD_MUTEX_UNLOCK(_x) +-#endif +- +-typedef struct rlm_dpsk_s rlm_dpsk_t; +- +-typedef struct { +- uint8_t mac[6]; +- uint8_t pmk[32]; +- +- uint8_t *ssid; +- size_t ssid_len; +- +- char *identity; +- size_t identity_len; +- +- uint8_t *psk; +- size_t psk_len; +- time_t expires; +- +- fr_dlist_t dlist; +- rlm_dpsk_t *inst; +-} rlm_dpsk_cache_t; +- +-struct rlm_dpsk_s { +- char const *xlat_name; +- bool ruckus; +- bool dynamic; +- +- rbtree_t *cache; +- +- uint32_t cache_size; +- uint32_t cache_lifetime; +- +- char const *filename; +- +-#ifdef HAVE_PTHREAD_H +- pthread_mutex_t mutex; +-#endif +- fr_dlist_t head; +- +- DICT_ATTR const *ssid; +- DICT_ATTR const *anonce; +- DICT_ATTR const *frame; +-}; +- +-static const CONF_PARSER module_config[] = { +- { "ruckus", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_dpsk_t, ruckus), "no" }, +- +- { "cache_size", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_dpsk_t, cache_size), "0" }, +- { "cache_lifetime", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_dpsk_t, cache_lifetime), "0" }, +- +- { "filename", FR_CONF_OFFSET(PW_TYPE_FILE_INPUT, rlm_dpsk_t, filename), NULL }, +- +- CONF_PARSER_TERMINATOR +-}; +- +- +-static inline CC_HINT(nonnull) rlm_dpsk_cache_t *fr_dlist_head(fr_dlist_t const *head) +-{ +- if (head->prev == head) return NULL; +- +- return (rlm_dpsk_cache_t *) (((uintptr_t) head->next) - offsetof(rlm_dpsk_cache_t, dlist)); +-} +- +-static void rdebug_hex(REQUEST *request, char const *prefix, uint8_t const *data, int len) +-{ +- int i; +- char buffer[2048]; /* large enough for largest len */ +- +- /* +- * Leave a trailing space, we don't really care about that. 
+- */ +- for (i = 0; i < len; i++) { +- snprintf(buffer + i * 2, sizeof(buffer) - i * 2, "%02x", data[i]); +- } +- +- RDEBUG("%s %s", prefix, buffer); +-} +-#define RDEBUG_HEX if (rad_debug_lvl >= 3) rdebug_hex +- +-#if 0 +-/* +- * Find the Ruckus attributes, and convert to FreeRADIUS ones. +- * +- * Also check the WPA2 cipher. We need AES + HMAC-SHA1. +- */ +-static bool normalize(rlm_dpsk_t *inst, REQUEST *request) +-{ +- VALUE_PAIR *bssid, *cipher, *anonce, *key_msg, *vp; +- +- if (!inst->ruckus) return false; +- +- bssid = fr_pair_find_by_num(request->packet->vps, PW_RUCKUS_BSSID, VENDORPEC_RUCKUS, TAG_ANY); +- if (!bssid) return false; +- +- cipher = fr_pair_find_by_num(request->packet->vps, PW_RUCKUS_DPSK_CIPHER, VENDORPEC_RUCKUS, TAG_ANY); +- if (!cipher) return false; +- +- if (cipher->vp_byte != 4) { +- RDEBUG("Found Ruckus-DPSK-Cipher != 4, which means that we cannot do DPSK"); +- return false; +- } +- +- anonce = fr_pair_find_by_num(request->packet->vps, PW_RUCKUS_DPSK_ANONCE, VENDORPEC_RUCKUS, TAG_ANY); +- if (!anonce) return false; +- +- key_msg = fr_pair_find_by_num(request->packet->vps, PW_RUCKUS_DPSK_EAPOL_KEY_FRAME, VENDORPEC_RUCKUS, TAG_ANY); +- if (!key_msg) return false; +- +- MEM(vp = fr_pair_afrom_da(request->packet, anonce->da)); +- fr_pair_value_memcpy(vp, anonce->vp_octets, anonce->vp_length); +- fr_pair_add(&request->packet->vps, vp); +- +- MEM(vp = fr_pair_afrom_da(request->packet, key_msg->da)); +- fr_pair_value_memcpy(vp, key_msg->vp_octets, key_msg->vp_length); +- fr_pair_add(&request->packet->vps, vp); +- +- return false; +-} +-#endif +- +-/* +- * mod_authorize() - authorize user if we can authenticate +- * it later. 
Add Auth-Type attribute if present in module +- * configuration (usually Auth-Type must be "DPSK") +- */ +-static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void * instance, REQUEST *request) +-{ +- rlm_dpsk_t *inst = instance; +- +- if (!fr_pair_find_by_da(request->packet->vps, inst->anonce, TAG_ANY) && +- !fr_pair_find_by_da(request->packet->vps, inst->frame, TAG_ANY)) { +- return RLM_MODULE_NOOP; +- } +- +- if (fr_pair_find_by_num(request->config, PW_AUTH_TYPE, 0, TAG_ANY)) { +- RWDEBUG2("Auth-Type already set. Not setting to %s", inst->xlat_name); +- return RLM_MODULE_NOOP; +- } +- +- RDEBUG2("Found %s. Setting 'Auth-Type = %s'", inst->frame->name, inst->xlat_name); +- +- /* +- * Set Auth-Type to MS-CHAP. The authentication code +- * will take care of turning cleartext passwords into +- * NT/LM passwords. +- */ +- if (!pair_make_config("Auth-Type", inst->xlat_name, T_OP_EQ)) { +- return RLM_MODULE_FAIL; +- } +- +- return RLM_MODULE_OK; +-} +- +-static rlm_dpsk_cache_t *dpsk_cache_find(REQUEST *request, rlm_dpsk_t const *inst, uint8_t *buffer, size_t buflen, VALUE_PAIR *ssid, uint8_t const *mac) +-{ +- rlm_dpsk_cache_t *entry, my_entry; +- +- memcpy(my_entry.mac, mac, sizeof(my_entry.mac)); +- memcpy(&my_entry.ssid, &ssid->vp_octets, sizeof(my_entry.ssid)); /* const issues */ +- my_entry.ssid_len = ssid->vp_length; +- +- entry = rbtree_finddata(inst->cache, &my_entry); +- if (entry) { +- if (entry->expires > request->timestamp) { +- RDEBUG3("Cache entry found"); +- memcpy(buffer, entry->pmk, buflen); +- return entry; +- } +- +- RDEBUG3("Cache entry has expired"); +- rbtree_deletebydata(inst->cache, entry); +- } +- +- return NULL; +-} +- +- +-static int generate_pmk(REQUEST *request, rlm_dpsk_t const *inst, uint8_t *buffer, size_t buflen, VALUE_PAIR *ssid, uint8_t const *mac, char const *psk, size_t psk_len) +-{ +- VALUE_PAIR *vp; +- +- fr_assert(buflen == 32); +- +- if (!ssid) { +- ssid = fr_pair_find_by_da(request->packet->vps, inst->ssid, TAG_ANY); +- if 
(!ssid) { +- RDEBUG("No %s in the request", inst->ssid->name); +- return 0; +- } +- } +- +- /* +- * No provided PSK. Try to look it up in the cache. If +- * it isn't there, find it in the config items. +- */ +- if (!psk) { +- if (inst->cache && mac) { +- rlm_dpsk_cache_t *entry; +- +- entry = dpsk_cache_find(request, inst, buffer, buflen, ssid, mac); +- if (entry) { +- memcpy(buffer, entry->pmk, buflen); +- return 1; +- } +- RDEBUG3("Cache entry not found"); +- } /* else no caching */ +- +- vp = fr_pair_find_by_num(request->config, PW_PRE_SHARED_KEY, 0, TAG_ANY); +- if (!vp) { +- RDEBUG("No &config:Pre-Shared-Key"); +- return 0; +- } +- +- psk = vp->vp_strvalue; +- psk_len = vp->vp_length; +- } +- +- if (PKCS5_PBKDF2_HMAC_SHA1((const char *) psk, psk_len, (const unsigned char *) ssid->vp_strvalue, ssid->vp_length, 4096, buflen, buffer) == 0) { +- RDEBUG("Failed calling OpenSSL to calculate the PMK"); +- return 0; +- } +- +- return 1; +-} +- +-/* +- * Verify the DPSK information. +- */ +-static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request) +-{ +- rlm_dpsk_t *inst = instance; +- VALUE_PAIR *anonce, *key_msg, *ssid, *vp; +- rlm_dpsk_cache_t *entry; +- int lineno = 0; +- size_t len, psk_len; +- unsigned int digest_len, mic_len; +- eapol_attr_t const *eapol; +- eapol_attr_t *zeroed; +- FILE *fp = NULL; +- char const *psk_identity = NULL, *psk; +- uint8_t *p; +- uint8_t const *snonce, *ap_mac; +- uint8_t const *min_mac, *max_mac; +- uint8_t const *min_nonce, *max_nonce; +- uint8_t pmk[32]; +- uint8_t s_mac[6], message[sizeof("Pairwise key expansion") + 6 + 6 + 32 + 32 + 1], frame[128]; +- uint8_t digest[EVP_MAX_MD_SIZE], mic[EVP_MAX_MD_SIZE]; +- char token_identity[256]; +- +- /* +- * Search for the information in a bunch of attributes. 
+- */ +- anonce = fr_pair_find_by_da(request->packet->vps, inst->anonce, TAG_ANY); +- if (!anonce) { +- RDEBUG("No FreeRADIUS-802.1X-Anonce in the request"); +- return RLM_MODULE_NOOP; +- } +- +- if (anonce->vp_length != 32) { +- RDEBUG("%s has incorrect length (%zu, not 32)", inst->anonce->name, anonce->vp_length); +- return RLM_MODULE_NOOP; +- } +- +- key_msg = fr_pair_find_by_da(request->packet->vps, inst->frame, TAG_ANY); +- if (!key_msg) { +- RDEBUG("No %s in the request", inst->frame->name); +- return RLM_MODULE_NOOP; +- } +- +- if (key_msg->vp_length < sizeof(*eapol)) { +- RDEBUG("%s has incorrect length (%zu < %zu)", inst->frame->name, key_msg->vp_length, sizeof(*eapol)); +- return RLM_MODULE_NOOP; +- } +- +- if (key_msg->vp_length > sizeof(frame)) { +- RDEBUG("%s has incorrect length (%zu > %zu)", inst->frame->name, key_msg->vp_length, sizeof(frame)); +- return RLM_MODULE_NOOP; +- } +- +- ssid = fr_pair_find_by_da(request->packet->vps, inst->ssid, TAG_ANY); +- if (!ssid) { +- RDEBUG("No %s in the request", inst->ssid->name); +- return 0; +- } +- +- /* +- * Get supplicant MAC address. +- */ +- vp = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY); +- if (!vp) { +- RDEBUG("No &User-Name"); +- return RLM_MODULE_NOOP; +- } +- +- len = fr_hex2bin(s_mac, sizeof(s_mac), vp->vp_strvalue, vp->vp_length); +- if (len != 6) { +- RDEBUG("&User-Name is not a recognizable hex MAC address"); +- return RLM_MODULE_NOOP; +- } +- +- /* +- * In case we're not reading from a file. +- */ +- vp = fr_pair_find_by_num(request->config, PW_PSK_IDENTITY, 0, TAG_ANY); +- if (vp) psk_identity = vp->vp_strvalue; +- +- vp = fr_pair_find_by_num(request->config, PW_PRE_SHARED_KEY, 0, TAG_ANY); +- if (vp) { +- psk = vp->vp_strvalue; +- psk_len = vp->vp_length; +- } else { +- psk = NULL; +- psk_len = 0; +- } +- +- /* +- * Get the AP MAC address. 
+- */ +- vp = fr_pair_find_by_num(request->packet->vps, PW_CALLED_STATION_MAC, 0, TAG_ANY); +- if (!vp) { +- RDEBUG("No &Called-Station-MAC"); +- return RLM_MODULE_NOOP; +- } +- +- if (vp->length != 6) { +- RDEBUG("&Called-Station-MAC is not a recognizable MAC address"); +- return RLM_MODULE_NOOP; +- } +- +- ap_mac = vp->vp_octets; +- +- /* +- * Sort the MACs +- */ +- if (memcmp(s_mac, ap_mac, 6) <= 0) { +- min_mac = s_mac; +- max_mac = ap_mac; +- } else { +- min_mac = ap_mac; +- max_mac = s_mac; +- } +- +- eapol = (eapol_attr_t const *) key_msg->vp_octets; +- +- /* +- * Get supplicant nonce and AP nonce. +- * +- * Then sort the nonces. +- */ +- snonce = key_msg->vp_octets + 17; +- if (memcmp(snonce, anonce->vp_octets, 32) <= 0) { +- min_nonce = snonce; +- max_nonce = anonce->vp_octets; +- } else { +- min_nonce = anonce->vp_octets; +- max_nonce = snonce; +- } +- +- /* +- * Create the base message which we will hash. +- */ +- memcpy(message, "Pairwise key expansion", sizeof("Pairwise key expansion")); /* including trailing NUL */ +- p = &message[sizeof("Pairwise key expansion")]; +- +- memcpy(p, min_mac, 6); +- memcpy(p + 6, max_mac, 6); +- p += 12; +- +- memcpy(p, min_nonce, 32); +- memcpy(p + 32, max_nonce, 32); +- p += 64; +- *p = '\0'; +- fr_assert(sizeof(message) == (p + 1 - message)); +- +- if (inst->filename && !psk) { +- FR_TOKEN token; +- char const *q, *filename; +- char token_psk[256]; +- char token_mac[256]; +- char buffer[1024]; +- char filename_buffer[1024]; +- +- /* +- * If there's a cached entry, we don't read the file. 
+- */ +- entry = dpsk_cache_find(request, inst, pmk, sizeof(pmk), ssid, s_mac); +- if (entry) { +- psk_identity = entry->identity; +- goto make_digest; +- } +- +- if (!inst->dynamic) { +- filename = inst->filename; +- } else { +- if (radius_xlat(filename_buffer, sizeof(filename_buffer), +- request, inst->filename, NULL, NULL) < 0) { +- return RLM_MODULE_FAIL; +- } +- +- filename = filename_buffer; +- } +- +- RDEBUG3("Looking for PSK in file %s", filename); +- +- fp = fopen(filename, "r"); +- if (!fp) { +- REDEBUG("Failed opening %s - %s", filename, fr_syserror(errno)); +- return RLM_MODULE_FAIL; +- } +- +-get_next_psk: +- q = fgets(buffer, sizeof(buffer), fp); +- if (!q) { +- RDEBUG("Failed to find matching key in %s", filename); +- fail: +- fclose(fp); +- return RLM_MODULE_FAIL; +- } +- +- /* +- * Split the line on commas, paying attention to double quotes. +- */ +- token = getstring(&q, token_identity, sizeof(token_identity), true); +- if (token == T_INVALID) { +- RDEBUG("%s[%d] Failed parsing identity", filename, lineno); +- goto fail; +- } +- +- if (*q != ',') { +- RDEBUG("%s[%d] Failed to find ',' after identity", filename, lineno); +- goto fail; +- } +- q++; +- +- token = getstring(&q, token_psk, sizeof(token_psk), true); +- if (token == T_INVALID) { +- RDEBUG("%s[%d] Failed parsing PSK", filename, lineno); +- goto fail; +- } +- +- if (*q == ',') { +- q++; +- +- token = getstring(&q, token_mac, sizeof(token_mac), true); +- if (token == T_INVALID) { +- RDEBUG("%s[%d] Failed parsing MAC", filename, lineno); +- goto fail; +- } +- +- /* +- * See if the MAC matches. If not, skip +- * this entry. That's a basic negative cache. 
+- */ +- if ((strlen(token_mac) != 12) || +- (fr_hex2bin((uint8_t *) token_mac, 6, token_mac, 12) != 12)) { +- RDEBUG("%s[%d] Failed parsing MAC", filename, lineno); +- goto fail; +- } +- +- if (memcmp(s_mac, token_mac, 6) != 0) { +- psk_identity = NULL; +- goto get_next_psk; +- } +- +- /* +- * Close the file so that we don't check any other entries. +- */ +- MEM(vp = fr_pair_afrom_num(request, PW_PRE_SHARED_KEY, 0)); +- fr_pair_value_bstrncpy(vp, token_psk, strlen(token_psk)); +- +- fr_pair_add(&request->config, vp); +- fclose(fp); +- fp = NULL; +- +- RDEBUG3("Found matching MAC"); +- } +- +- /* +- * Generate the PMK using the SSID, this MAC, and the PSK we just read. +- */ +- RDEBUG3("%s[%d] Trying PSK %s", filename, lineno, token_psk); +- if (generate_pmk(request, inst, pmk, sizeof(pmk), ssid, s_mac, token_psk, strlen(token_psk)) == 0) { +- RDEBUG("No &config:Pairwise-Master-Key or &config:Pre-Shared-Key found"); +- return RLM_MODULE_NOOP; +- } +- +- /* +- * Remember which identity we had +- */ +- psk_identity = token_identity; +- goto make_digest; +- } +- +- /* +- * Use the PMK if it already exists. Otherwise calculate it from the PSK. +- */ +- vp = fr_pair_find_by_num(request->config, PW_PAIRWISE_MASTER_KEY, 0, TAG_ANY); +- if (!vp) { +- if (generate_pmk(request, inst, pmk, sizeof(pmk), ssid, s_mac, psk, psk_len) == 0) { +- RDEBUG("No &config:Pairwise-Master-Key or &config:Pre-Shared-Key found"); +- fr_assert(!fp); +- return RLM_MODULE_NOOP; +- } +- +- } else if (vp->vp_length != sizeof(pmk)) { +- RDEBUG("Pairwise-Master-Key has incorrect length (%zu != %zu)", vp->vp_length, sizeof(pmk)); +- fr_assert(!fp); +- return RLM_MODULE_NOOP; +- +- } else { +- memcpy(pmk, vp->vp_octets, sizeof(pmk)); +- } +- +- /* +- * HMAC = HMAC_SHA1(pmk, message); +- * +- * We need the first 16 octets of this. 
+- */ +-make_digest: +- digest_len = sizeof(digest); +- HMAC(EVP_sha1(), pmk, sizeof(pmk), message, sizeof(message), digest, &digest_len); +- +- RDEBUG_HEX(request, "message:", message, sizeof(message)); +- RDEBUG_HEX(request, "pmk :", pmk, sizeof(pmk)); +- RDEBUG_HEX(request, "kck :", digest, 16); +- +- /* +- * Create the frame with the middle field zero, and hash it with the KCK digest we calculated from the key expansion. +- */ +- memcpy(frame, key_msg->vp_octets, key_msg->vp_length); +- zeroed = (eapol_attr_t *) &frame[0]; +- memset(&zeroed->frame.mic[0], 0, 16); +- +- RDEBUG_HEX(request, "zeroed:", frame, key_msg->vp_length); +- +- mic_len = sizeof(mic); +- HMAC(EVP_sha1(), digest, 16, frame, key_msg->vp_length, mic, &mic_len); +- +- /* +- * Do the MICs match? +- */ +- if (memcmp(&eapol->frame.mic[0], mic, 16) != 0) { +- if (fp) { +- psk_identity = NULL; +- goto get_next_psk; +- } +- +- RDEBUG_HEX(request, "calculated mic:", mic, 16); +- RDEBUG_HEX(request, "packet mic :", &eapol->frame.mic[0], 16); +- return RLM_MODULE_FAIL; +- } +- +- /* +- * It matches. Close the input file if necessary. +- */ +- if (fp) fclose(fp); +- +- /* +- * Extend the lifetime of the cache entry, or add the +- * cache entry if necessary. +- */ +- if (inst->cache) { +- rlm_dpsk_cache_t my_entry; +- +- /* +- * Find the entry (again), and update the expiry time. +- * +- * Create the entry if neessary. +- */ +- memcpy(my_entry.mac, s_mac, sizeof(my_entry.mac)); +- +- vp = fr_pair_find_by_da(request->packet->vps, inst->ssid, TAG_ANY); +- if (!vp) goto save_psk; /* should never really happen, but just to be safe */ +- +- memcpy(&my_entry.ssid, &vp->vp_octets, sizeof(my_entry.ssid)); /* const issues */ +- my_entry.ssid_len = vp->vp_length; +- +- entry = rbtree_finddata(inst->cache, &my_entry); +- if (!entry) { +- /* +- * Too many entries in the cache. Delete the oldest one. 
+- */ +- if (rbtree_num_elements(inst->cache) > inst->cache_size) { +- PTHREAD_MUTEX_LOCK(&inst->mutex); +- entry = fr_dlist_head(&inst->head); +- PTHREAD_MUTEX_UNLOCK(&inst->mutex); +- +- rbtree_deletebydata(inst->cache, entry); +- } +- +- MEM(entry = talloc_zero(NULL, rlm_dpsk_cache_t)); +- +- memcpy(entry->mac, s_mac, sizeof(entry->mac)); +- memcpy(entry->pmk, pmk, sizeof(entry->pmk)); +- +- fr_dlist_entry_init(&entry->dlist); +- entry->inst = inst; +- +- /* +- * Save the variable-length SSID. +- */ +- MEM(entry->ssid = talloc_memdup(entry, vp->vp_octets, vp->vp_length)); +- entry->ssid_len = vp->vp_length; +- +- /* +- * Save the PSK. If we just have the +- * PMK, then we can still cache that. +- */ +- vp = fr_pair_find_by_num(request->config, PW_PRE_SHARED_KEY, 0, TAG_ANY); +- if (vp) { +- MEM(entry->psk = talloc_memdup(entry, vp->vp_octets, vp->vp_length)); +- entry->psk_len = vp->vp_length; +- } +- +- /* +- * Save the identity. +- */ +- if (psk_identity) { +- MEM(entry->identity = talloc_memdup(entry, psk_identity, strlen(psk_identity))); +- entry->identity_len = strlen(psk_identity); +- } +- +- /* +- * Cache it. +- */ +- if (!rbtree_insert(inst->cache, entry)) { +- talloc_free(entry); +- goto save_found_psk; +- } +- RDEBUG3("Cache entry saved"); +- } +- entry->expires = request->timestamp + inst->cache_lifetime; +- +- PTHREAD_MUTEX_LOCK(&inst->mutex); +- fr_dlist_entry_unlink(&entry->dlist); +- fr_dlist_insert_tail(&inst->head, &entry->dlist); +- PTHREAD_MUTEX_UNLOCK(&inst->mutex); +- +- /* +- * Add the PSK to the reply items, if it was cached. 
+- */ +- if (entry->psk) { +- MEM(vp = fr_pair_afrom_num(request->reply, PW_PRE_SHARED_KEY, 0)); +- fr_pair_value_bstrncpy(vp, entry->psk, entry->psk_len); +- +- fr_pair_add(&request->reply->vps, vp); +- } +- +- goto save_psk_identity; +- } +- +- /* +- * Save a copy of the found PSK in the reply; +- */ +-save_psk: +- vp = fr_pair_find_by_num(request->config, PW_PRE_SHARED_KEY, 0, TAG_ANY); +- +-save_found_psk: +- if (!vp) return RLM_MODULE_OK; +- +- fr_pair_add(&request->reply->vps, fr_pair_copy(request->reply, vp)); +- +-save_psk_identity: +- /* +- * Save which identity matched. +- */ +- if (psk_identity) { +- MEM(vp = fr_pair_afrom_num(request->reply, PW_PSK_IDENTITY, 0)); +- fr_pair_value_bstrncpy(vp, psk_identity, strlen(psk_identity)); +- +- fr_pair_add(&request->reply->vps, vp); +- } +- +- return RLM_MODULE_OK; +-} +- +-/* +- * Generate the PMK from SSID and Pre-Shared-Key +- */ +-static ssize_t dpsk_xlat(void *instance, REQUEST *request, +- char const *fmt, char *out, size_t outlen) +-{ +- rlm_dpsk_t *inst = instance; +- char const *p, *ssid, *psk; +- size_t ssid_len, psk_len; +- uint8_t buffer[32]; +- +- /* +- * Prefer xlat arguments. But if they don't exist, use the attributes. 
+- */ +- p = fmt; +- while (isspace((uint8_t) *p)) p++; +- +- if (!*p) { +- if (generate_pmk(request, inst, buffer, sizeof(buffer), NULL, NULL, NULL, 0) == 0) { +- RDEBUG("No &request:Called-Station-SSID or &config:Pre-Shared-Key found"); +- return 0; +- } +- } else { +- ssid = p; +- +- while (*p && !isspace((uint8_t) *p)) p++; +- +- ssid_len = p - ssid; +- +- if (!*p) { +- REDEBUG("Found SSID, but no PSK"); +- return 0; +- } +- +- psk = p; +- +- while (*p && !isspace((uint8_t) *p)) p++; +- +- psk_len = p - psk; +- +- if (PKCS5_PBKDF2_HMAC_SHA1(psk, psk_len, (const unsigned char *) ssid, ssid_len, 4096, sizeof(buffer), buffer) == 0) { +- RDEBUG("Failed calling OpenSSL to calculate the PMK"); +- return 0; +- } +- } +- +- if (outlen < sizeof(buffer) * 2 + 1) { +- REDEBUG("Output buffer is too small for PMK"); +- return 0; +- } +- +- return fr_bin2hex(out, buffer, 32); +-} +- +-static int mod_bootstrap(CONF_SECTION *conf, void *instance) +-{ +- char const *name; +- rlm_dpsk_t *inst = instance; +- +- /* +- * Create the dynamic translation. +- */ +- name = cf_section_name2(conf); +- if (!name) name = cf_section_name1(conf); +- inst->xlat_name = name; +- xlat_register(inst->xlat_name, dpsk_xlat, NULL, inst); +- +- if (inst->ruckus) { +- inst->ssid = dict_attrbyvalue(PW_RUCKUS_BSSID, VENDORPEC_RUCKUS); +- inst->anonce = dict_attrbyvalue(PW_RUCKUS_DPSK_ANONCE, VENDORPEC_RUCKUS); +- inst->frame = dict_attrbyvalue(PW_RUCKUS_DPSK_EAPOL_KEY_FRAME, VENDORPEC_RUCKUS); +- } else { +- inst->ssid = dict_attrbyvalue(PW_CALLED_STATION_SSID, 0); +- inst->anonce = dict_attrbyvalue(PW_FREERADIUS_8021X_ANONCE, VENDORPEC_FREERADIUS_EVS5); +- inst->frame = dict_attrbyvalue(PW_FREERADIUS_8021X_EAPOL_KEY_MSG, VENDORPEC_FREERADIUS_EVS5); +- } +- +- if (!inst->ssid || !inst->anonce || !inst->frame) { +- cf_log_err_cs(conf, "Failed to find attributes in the dictionary. 
Please do not edit the default dictionaries!"); +- return -1; +- } +- +- inst->dynamic = inst->filename && (strchr(inst->filename, '%') != NULL); +- +- return 0; +-} +- +-static int cmp_cache_entry(void const *one, void const *two) +-{ +- rlm_dpsk_cache_t const *a = (rlm_dpsk_cache_t const *) one; +- rlm_dpsk_cache_t const *b = (rlm_dpsk_cache_t const *) two; +- int rcode; +- +- rcode = memcmp(a->mac, b->mac, sizeof(a->mac)); +- if (rcode != 0) return rcode; +- +- if (a->ssid_len < b->ssid_len) return -1; +- if (a->ssid_len > b->ssid_len) return +1; +- +- return memcmp(a->ssid, b->ssid, a->ssid_len); +-} +- +-static void free_cache_entry(void *data) +-{ +- rlm_dpsk_cache_t *entry = (rlm_dpsk_cache_t *) data; +- +- PTHREAD_MUTEX_LOCK(&entry->inst->mutex); +- fr_dlist_entry_unlink(&entry->dlist); +- PTHREAD_MUTEX_UNLOCK(&entry->inst->mutex); +- +- talloc_free(entry); +-} +- +-static int mod_instantiate(CONF_SECTION *conf, void *instance) +-{ +- rlm_dpsk_t *inst = instance; +- +- if (!inst->cache_size) return 0; +- +- FR_INTEGER_BOUND_CHECK("cache_size", inst->cache_size, <=, ((uint32_t) 1) << 16); +- +- if (!inst->cache_size) return 0; +- +- FR_INTEGER_BOUND_CHECK("cache_lifetime", inst->cache_lifetime, <=, (7 * 86400)); +- FR_INTEGER_BOUND_CHECK("cache_lifetime", inst->cache_lifetime, >=, 3600); +- +- inst->cache = rbtree_create(inst, cmp_cache_entry, free_cache_entry, RBTREE_FLAG_LOCK); +- if (!inst->cache) { +- cf_log_err_cs(conf, "Failed creating internal cache"); +- return -1; +- } +- +- fr_dlist_entry_init(&inst->head); +-#ifdef HAVE_PTHREAD_H +- if (pthread_mutex_init(&inst->mutex, NULL) < 0) { +- cf_log_err_cs(conf, "Failed creating mutex"); +- return -1; +- } +-#endif +- +- return 0; +-} +- +-#ifdef HAVE_PTHREAD_H +-static int mod_detach(void *instance) +-{ +- rlm_dpsk_t *inst = instance; +- +- if (!inst->cache_size) return 0; +- +- pthread_mutex_destroy(&inst->mutex); +- return 0; +-} +-#endif +- +-/* +- * The module name should be the only globally 
exported symbol. +- * That is, everything else should be 'static'. +- * +- * If the module needs to temporarily modify it's instantiation +- * data, the type should be changed to RLM_TYPE_THREAD_UNSAFE. +- * The server will then take care of ensuring that the module +- * is single-threaded. +- */ +-extern module_t rlm_dpsk; +-module_t rlm_dpsk = { +- .magic = RLM_MODULE_INIT, +- .name = "dpsk", +- .type = RLM_TYPE_THREAD_SAFE, +- .inst_size = sizeof(rlm_dpsk_t), +- .config = module_config, +- .bootstrap = mod_bootstrap, +- .instantiate = mod_instantiate, +-#ifdef HAVE_PTHREAD_H +- .detach = mod_detach, +-#endif +- .methods = { +- [MOD_AUTHORIZE] = mod_authorize, +- [MOD_AUTHENTICATE] = mod_authenticate, +- }, +-}; +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/.gitignore b/src/modules/rlm_eap/types/rlm_eap_teap/.gitignore +deleted file mode 100644 +index 01a5daa3cc..0000000000 +--- a/src/modules/rlm_eap/types/rlm_eap_teap/.gitignore ++++ /dev/null +@@ -1 +0,0 @@ +-all.mk +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/all.mk.in b/src/modules/rlm_eap/types/rlm_eap_teap/all.mk.in +deleted file mode 100644 +index dfdcd71fd3..0000000000 +--- a/src/modules/rlm_eap/types/rlm_eap_teap/all.mk.in ++++ /dev/null +@@ -1,12 +0,0 @@ +-TARGETNAME := @targetname@ +- +-ifneq "$(OPENSSL_LIBS)" "" +-ifneq "$(TARGETNAME)" "" +-TARGET := $(TARGETNAME).a +-endif +-endif +- +-SOURCES := $(TARGETNAME).c eap_teap.c eap_teap_crypto.c +- +-SRC_INCDIRS := ../../ ../../libeap/ +-TGT_PREREQS := libfreeradius-eap.a +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/configure b/src/modules/rlm_eap/types/rlm_eap_teap/configure +deleted file mode 100755 +index e37094d80c..0000000000 +--- a/src/modules/rlm_eap/types/rlm_eap_teap/configure ++++ /dev/null +@@ -1,4512 +0,0 @@ +-#! /bin/sh +-# From configure.ac Revision. +-# Guess values for system-dependent variables and create Makefiles. +-# Generated by GNU Autoconf 2.69. 
+-# +-# +-# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. +-# +-# +-# This configure script is free software; the Free Software Foundation +-# gives unlimited permission to copy, distribute and modify it. +-## -------------------- ## +-## M4sh Initialization. ## +-## -------------------- ## +- +-# Be more Bourne compatible +-DUALCASE=1; export DUALCASE # for MKS sh +-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : +- emulate sh +- NULLCMD=: +- # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which +- # is contrary to our usage. Disable this feature. +- alias -g '${1+"$@"}'='"$@"' +- setopt NO_GLOB_SUBST +-else +- case `(set -o) 2>/dev/null` in #( +- *posix*) : +- set -o posix ;; #( +- *) : +- ;; +-esac +-fi +- +- +-as_nl=' +-' +-export as_nl +-# Printing a long string crashes Solaris 7 /usr/bin/printf. +-as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +-as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +-as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +-# Prefer a ksh shell builtin over an external printf program on Solaris, +-# but without wasting forks for bash or zsh. 
+-if test -z "$BASH_VERSION$ZSH_VERSION" \ +- && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then +- as_echo='print -r --' +- as_echo_n='print -rn --' +-elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then +- as_echo='printf %s\n' +- as_echo_n='printf %s' +-else +- if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then +- as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' +- as_echo_n='/usr/ucb/echo -n' +- else +- as_echo_body='eval expr "X$1" : "X\\(.*\\)"' +- as_echo_n_body='eval +- arg=$1; +- case $arg in #( +- *"$as_nl"*) +- expr "X$arg" : "X\\(.*\\)$as_nl"; +- arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; +- esac; +- expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" +- ' +- export as_echo_n_body +- as_echo_n='sh -c $as_echo_n_body as_echo' +- fi +- export as_echo_body +- as_echo='sh -c $as_echo_body as_echo' +-fi +- +-# The user is always right. +-if test "${PATH_SEPARATOR+set}" != set; then +- PATH_SEPARATOR=: +- (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { +- (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || +- PATH_SEPARATOR=';' +- } +-fi +- +- +-# IFS +-# We need space, tab and new line, in precisely that order. Quoting is +-# there to prevent editors from complaining about space-tab. +-# (If _AS_PATH_WALK were called with IFS unset, it would disable word +-# splitting by setting IFS to empty value.) +-IFS=" "" $as_nl" +- +-# Find who we are. Look in the path if we contain no directory separator. +-as_myself= +-case $0 in #(( +- *[\\/]* ) as_myself=$0 ;; +- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +- done +-IFS=$as_save_IFS +- +- ;; +-esac +-# We did not find ourselves, most probably we were run as `sh COMMAND' +-# in which case we are not to be found in the path. +-if test "x$as_myself" = x; then +- as_myself=$0 +-fi +-if test ! 
-f "$as_myself"; then +- $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 +- exit 1 +-fi +- +-# Unset variables that we do not need and which cause bugs (e.g. in +-# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +-# suppresses any "Segmentation fault" message there. '((' could +-# trigger a bug in pdksh 5.2.14. +-for as_var in BASH_ENV ENV MAIL MAILPATH +-do eval test x\${$as_var+set} = xset \ +- && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +-done +-PS1='$ ' +-PS2='> ' +-PS4='+ ' +- +-# NLS nuisances. +-LC_ALL=C +-export LC_ALL +-LANGUAGE=C +-export LANGUAGE +- +-# CDPATH. +-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH +- +-# Use a proper internal environment variable to ensure we don't fall +- # into an infinite loop, continuously re-executing ourselves. +- if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then +- _as_can_reexec=no; export _as_can_reexec; +- # We cannot yet assume a decent shell, so we have to provide a +-# neutralization value for shells without unset; and this also +-# works around shells that cannot unset nonexistent variables. +-# Preserve -v and -x to the replacement shell. +-BASH_ENV=/dev/null +-ENV=/dev/null +-(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +-case $- in # (((( +- *v*x* | *x*v* ) as_opts=-vx ;; +- *v* ) as_opts=-v ;; +- *x* ) as_opts=-x ;; +- * ) as_opts= ;; +-esac +-exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +-# Admittedly, this is quite paranoid, since all the known shells bail +-# out after a failed `exec'. +-$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +-as_fn_exit 255 +- fi +- # We don't want this to propagate to other subprocesses. 
+- { _as_can_reexec=; unset _as_can_reexec;} +-if test "x$CONFIG_SHELL" = x; then +- as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : +- emulate sh +- NULLCMD=: +- # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which +- # is contrary to our usage. Disable this feature. +- alias -g '\${1+\"\$@\"}'='\"\$@\"' +- setopt NO_GLOB_SUBST +-else +- case \`(set -o) 2>/dev/null\` in #( +- *posix*) : +- set -o posix ;; #( +- *) : +- ;; +-esac +-fi +-" +- as_required="as_fn_return () { (exit \$1); } +-as_fn_success () { as_fn_return 0; } +-as_fn_failure () { as_fn_return 1; } +-as_fn_ret_success () { return 0; } +-as_fn_ret_failure () { return 1; } +- +-exitcode=0 +-as_fn_success || { exitcode=1; echo as_fn_success failed.; } +-as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } +-as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } +-as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } +-if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : +- +-else +- exitcode=1; echo positional parameters were not saved. +-fi +-test x\$exitcode = x0 || exit 1 +-test -x / || exit 1" +- as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO +- as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO +- eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && +- test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 +-test \$(( 1 + 1 )) = 2 || exit 1" +- if (eval "$as_required") 2>/dev/null; then : +- as_have_required=yes +-else +- as_have_required=no +-fi +- if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : +- +-else +- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-as_found=false +-for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. 
+- as_found=: +- case $as_dir in #( +- /*) +- for as_base in sh bash ksh sh5; do +- # Try only shells that exist, to save several forks. +- as_shell=$as_dir/$as_base +- if { test -f "$as_shell" || test -f "$as_shell.exe"; } && +- { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : +- CONFIG_SHELL=$as_shell as_have_required=yes +- if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : +- break 2 +-fi +-fi +- done;; +- esac +- as_found=false +-done +-$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && +- { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : +- CONFIG_SHELL=$SHELL as_have_required=yes +-fi; } +-IFS=$as_save_IFS +- +- +- if test "x$CONFIG_SHELL" != x; then : +- export CONFIG_SHELL +- # We cannot yet assume a decent shell, so we have to provide a +-# neutralization value for shells without unset; and this also +-# works around shells that cannot unset nonexistent variables. +-# Preserve -v and -x to the replacement shell. +-BASH_ENV=/dev/null +-ENV=/dev/null +-(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +-case $- in # (((( +- *v*x* | *x*v* ) as_opts=-vx ;; +- *v* ) as_opts=-v ;; +- *x* ) as_opts=-x ;; +- * ) as_opts= ;; +-esac +-exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +-# Admittedly, this is quite paranoid, since all the known shells bail +-# out after a failed `exec'. +-$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +-exit 255 +-fi +- +- if test x$as_have_required = xno; then : +- $as_echo "$0: This script requires a shell more modern than all" +- $as_echo "$0: the shells that I found on your system." +- if test x${ZSH_VERSION+set} = xset ; then +- $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" +- $as_echo "$0: be upgraded to zsh 4.3.4 or later." 
+- else +- $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, +-$0: including any error possibly output before this +-$0: message. Then install a modern shell, or manually run +-$0: the script under such a shell if you do have one." +- fi +- exit 1 +-fi +-fi +-fi +-SHELL=${CONFIG_SHELL-/bin/sh} +-export SHELL +-# Unset more variables known to interfere with behavior of common tools. +-CLICOLOR_FORCE= GREP_OPTIONS= +-unset CLICOLOR_FORCE GREP_OPTIONS +- +-## --------------------- ## +-## M4sh Shell Functions. ## +-## --------------------- ## +-# as_fn_unset VAR +-# --------------- +-# Portably unset VAR. +-as_fn_unset () +-{ +- { eval $1=; unset $1;} +-} +-as_unset=as_fn_unset +- +-# as_fn_set_status STATUS +-# ----------------------- +-# Set $? to STATUS, without forking. +-as_fn_set_status () +-{ +- return $1 +-} # as_fn_set_status +- +-# as_fn_exit STATUS +-# ----------------- +-# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +-as_fn_exit () +-{ +- set +e +- as_fn_set_status $1 +- exit $1 +-} # as_fn_exit +- +-# as_fn_mkdir_p +-# ------------- +-# Create "$as_dir" as a directory, including parents if necessary. +-as_fn_mkdir_p () +-{ +- +- case $as_dir in #( +- -*) as_dir=./$as_dir;; +- esac +- test -d "$as_dir" || eval $as_mkdir_p || { +- as_dirs= +- while :; do +- case $as_dir in #( +- *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( +- *) as_qdir=$as_dir;; +- esac +- as_dirs="'$as_qdir' $as_dirs" +- as_dir=`$as_dirname -- "$as_dir" || +-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ +- X"$as_dir" : 'X\(//\)[^/]' \| \ +- X"$as_dir" : 'X\(//\)$' \| \ +- X"$as_dir" : 'X\(/\)' \| . 
2>/dev/null || +-$as_echo X"$as_dir" | +- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)[^/].*/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)$/{ +- s//\1/ +- q +- } +- /^X\(\/\).*/{ +- s//\1/ +- q +- } +- s/.*/./; q'` +- test -d "$as_dir" && break +- done +- test -z "$as_dirs" || eval "mkdir $as_dirs" +- } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" +- +- +-} # as_fn_mkdir_p +- +-# as_fn_executable_p FILE +-# ----------------------- +-# Test if FILE is an executable regular file. +-as_fn_executable_p () +-{ +- test -f "$1" && test -x "$1" +-} # as_fn_executable_p +-# as_fn_append VAR VALUE +-# ---------------------- +-# Append the text in VALUE to the end of the definition contained in VAR. Take +-# advantage of any shell optimizations that allow amortized linear growth over +-# repeated appends, instead of the typical quadratic growth present in naive +-# implementations. +-if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : +- eval 'as_fn_append () +- { +- eval $1+=\$2 +- }' +-else +- as_fn_append () +- { +- eval $1=\$$1\$2 +- } +-fi # as_fn_append +- +-# as_fn_arith ARG... +-# ------------------ +-# Perform arithmetic evaluation on the ARGs, and store the result in the +-# global $as_val. Take advantage of shells that can avoid forks. The arguments +-# must be portable across $(()) and expr. +-if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : +- eval 'as_fn_arith () +- { +- as_val=$(( $* )) +- }' +-else +- as_fn_arith () +- { +- as_val=`expr "$@" || test $? -eq 1` +- } +-fi # as_fn_arith +- +- +-# as_fn_error STATUS ERROR [LINENO LOG_FD] +-# ---------------------------------------- +-# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +-# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +-# script with STATUS, using 1 if that was 0. 
+-as_fn_error () +-{ +- as_status=$1; test $as_status -eq 0 && as_status=1 +- if test "$4"; then +- as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack +- $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 +- fi +- $as_echo "$as_me: error: $2" >&2 +- as_fn_exit $as_status +-} # as_fn_error +- +-if expr a : '\(a\)' >/dev/null 2>&1 && +- test "X`expr 00001 : '.*\(...\)'`" = X001; then +- as_expr=expr +-else +- as_expr=false +-fi +- +-if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then +- as_basename=basename +-else +- as_basename=false +-fi +- +-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then +- as_dirname=dirname +-else +- as_dirname=false +-fi +- +-as_me=`$as_basename -- "$0" || +-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ +- X"$0" : 'X\(//\)$' \| \ +- X"$0" : 'X\(/\)' \| . 2>/dev/null || +-$as_echo X/"$0" | +- sed '/^.*\/\([^/][^/]*\)\/*$/{ +- s//\1/ +- q +- } +- /^X\/\(\/\/\)$/{ +- s//\1/ +- q +- } +- /^X\/\(\/\).*/{ +- s//\1/ +- q +- } +- s/.*/./; q'` +- +-# Avoid depending upon Character Ranges. +-as_cr_letters='abcdefghijklmnopqrstuvwxyz' +-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +-as_cr_Letters=$as_cr_letters$as_cr_LETTERS +-as_cr_digits='0123456789' +-as_cr_alnum=$as_cr_Letters$as_cr_digits +- +- +- as_lineno_1=$LINENO as_lineno_1a=$LINENO +- as_lineno_2=$LINENO as_lineno_2a=$LINENO +- eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && +- test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { +- # Blame Lee E. McMahon (1931-1989) for sed's syntax. 
:-) +- sed -n ' +- p +- /[$]LINENO/= +- ' <$as_myself | +- sed ' +- s/[$]LINENO.*/&-/ +- t lineno +- b +- :lineno +- N +- :loop +- s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ +- t loop +- s/-\n.*// +- ' >$as_me.lineno && +- chmod +x "$as_me.lineno" || +- { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } +- +- # If we had to re-execute with $CONFIG_SHELL, we're ensured to have +- # already done that, so ensure we don't try to do so again and fall +- # in an infinite loop. This has already happened in practice. +- _as_can_reexec=no; export _as_can_reexec +- # Don't try to exec as it changes $[0], causing all sort of problems +- # (the dirname of $[0] is not the place where we might find the +- # original and so on. Autoconf is especially sensitive to this). +- . "./$as_me.lineno" +- # Exit status is that of the last command. +- exit +-} +- +-ECHO_C= ECHO_N= ECHO_T= +-case `echo -n x` in #((((( +--n*) +- case `echo 'xy\c'` in +- *c*) ECHO_T=' ';; # ECHO_T is single tab character. +- xy) ECHO_C='\c';; +- *) echo `echo ksh88 bug on AIX 6.1` > /dev/null +- ECHO_T=' ';; +- esac;; +-*) +- ECHO_N='-n';; +-esac +- +-rm -f conf$$ conf$$.exe conf$$.file +-if test -d conf$$.dir; then +- rm -f conf$$.dir/conf$$.file +-else +- rm -f conf$$.dir +- mkdir conf$$.dir 2>/dev/null +-fi +-if (echo >conf$$.file) 2>/dev/null; then +- if ln -s conf$$.file conf$$ 2>/dev/null; then +- as_ln_s='ln -s' +- # ... but there are two gotchas: +- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. +- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. +- # In both cases, we have to default to `cp -pR'. +- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! 
-f conf$$.exe || +- as_ln_s='cp -pR' +- elif ln conf$$.file conf$$ 2>/dev/null; then +- as_ln_s=ln +- else +- as_ln_s='cp -pR' +- fi +-else +- as_ln_s='cp -pR' +-fi +-rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +-rmdir conf$$.dir 2>/dev/null +- +-if mkdir -p . 2>/dev/null; then +- as_mkdir_p='mkdir -p "$as_dir"' +-else +- test -d ./-p && rmdir ./-p +- as_mkdir_p=false +-fi +- +-as_test_x='test -x' +-as_executable_p=as_fn_executable_p +- +-# Sed expression to map a string onto a valid CPP name. +-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +- +-# Sed expression to map a string onto a valid variable name. +-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" +- +- +-test -n "$DJDIR" || exec 7<&0 &1 +- +-# Name of the host. +-# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, +-# so uname gets run too. +-ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` +- +-# +-# Initializations. +-# +-ac_default_prefix=/usr/local +-ac_clean_files= +-ac_config_libobj_dir=. +-LIBOBJS= +-cross_compiling=no +-subdirs= +-MFLAGS= +-MAKEFLAGS= +- +-# Identity of this package. 
+-PACKAGE_NAME= +-PACKAGE_TARNAME= +-PACKAGE_VERSION= +-PACKAGE_STRING= +-PACKAGE_BUGREPORT= +-PACKAGE_URL= +- +-ac_unique_file="rlm_eap_teap.c" +-ac_subst_vars='LTLIBOBJS +-LIBOBJS +-mod_cflags +-mod_ldflags +-targetname +-EGREP +-GREP +-CPP +-OBJEXT +-EXEEXT +-ac_ct_CC +-CPPFLAGS +-LDFLAGS +-CFLAGS +-CC +-target_alias +-host_alias +-build_alias +-LIBS +-ECHO_T +-ECHO_N +-ECHO_C +-DEFS +-mandir +-localedir +-libdir +-psdir +-pdfdir +-dvidir +-htmldir +-infodir +-docdir +-oldincludedir +-includedir +-runstatedir +-localstatedir +-sharedstatedir +-sysconfdir +-datadir +-datarootdir +-libexecdir +-sbindir +-bindir +-program_transform_name +-prefix +-exec_prefix +-PACKAGE_URL +-PACKAGE_BUGREPORT +-PACKAGE_STRING +-PACKAGE_VERSION +-PACKAGE_TARNAME +-PACKAGE_NAME +-PATH_SEPARATOR +-SHELL' +-ac_subst_files='' +-ac_user_opts=' +-enable_option_checking +-with_rlm_eap_teap +-with_openssl_lib_dir +-with_openssl_include_dir +-' +- ac_precious_vars='build_alias +-host_alias +-target_alias +-CC +-CFLAGS +-LDFLAGS +-LIBS +-CPPFLAGS +-CPP' +- +- +-# Initialize some variables set by options. +-ac_init_help= +-ac_init_version=false +-ac_unrecognized_opts= +-ac_unrecognized_sep= +-# The variables have the same names as the options, with +-# dashes changed to underlines. +-cache_file=/dev/null +-exec_prefix=NONE +-no_create= +-no_recursion= +-prefix=NONE +-program_prefix=NONE +-program_suffix=NONE +-program_transform_name=s,x,x, +-silent= +-site= +-srcdir= +-verbose= +-x_includes=NONE +-x_libraries=NONE +- +-# Installation directory options. +-# These are left unexpanded so users can "make install exec_prefix=/foo" +-# and all the variables that are supposed to be based on exec_prefix +-# by default will actually change. +-# Use braces instead of parens because sh, perl, etc. also accept them. +-# (The list follows the same order as the GNU Coding Standards.) 
+-bindir='${exec_prefix}/bin' +-sbindir='${exec_prefix}/sbin' +-libexecdir='${exec_prefix}/libexec' +-datarootdir='${prefix}/share' +-datadir='${datarootdir}' +-sysconfdir='${prefix}/etc' +-sharedstatedir='${prefix}/com' +-localstatedir='${prefix}/var' +-runstatedir='${localstatedir}/run' +-includedir='${prefix}/include' +-oldincludedir='/usr/include' +-docdir='${datarootdir}/doc/${PACKAGE}' +-infodir='${datarootdir}/info' +-htmldir='${docdir}' +-dvidir='${docdir}' +-pdfdir='${docdir}' +-psdir='${docdir}' +-libdir='${exec_prefix}/lib' +-localedir='${datarootdir}/locale' +-mandir='${datarootdir}/man' +- +-ac_prev= +-ac_dashdash= +-for ac_option +-do +- # If the previous option needs an argument, assign it. +- if test -n "$ac_prev"; then +- eval $ac_prev=\$ac_option +- ac_prev= +- continue +- fi +- +- case $ac_option in +- *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; +- *=) ac_optarg= ;; +- *) ac_optarg=yes ;; +- esac +- +- # Accept the important Cygnus configure options, so we can diagnose typos. 
+- +- case $ac_dashdash$ac_option in +- --) +- ac_dashdash=yes ;; +- +- -bindir | --bindir | --bindi | --bind | --bin | --bi) +- ac_prev=bindir ;; +- -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) +- bindir=$ac_optarg ;; +- +- -build | --build | --buil | --bui | --bu) +- ac_prev=build_alias ;; +- -build=* | --build=* | --buil=* | --bui=* | --bu=*) +- build_alias=$ac_optarg ;; +- +- -cache-file | --cache-file | --cache-fil | --cache-fi \ +- | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) +- ac_prev=cache_file ;; +- -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ +- | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) +- cache_file=$ac_optarg ;; +- +- --config-cache | -C) +- cache_file=config.cache ;; +- +- -datadir | --datadir | --datadi | --datad) +- ac_prev=datadir ;; +- -datadir=* | --datadir=* | --datadi=* | --datad=*) +- datadir=$ac_optarg ;; +- +- -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ +- | --dataroo | --dataro | --datar) +- ac_prev=datarootdir ;; +- -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ +- | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) +- datarootdir=$ac_optarg ;; +- +- -disable-* | --disable-*) +- ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` +- # Reject names that are not valid shell variable names. +- expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && +- as_fn_error $? 
"invalid feature name: $ac_useropt" +- ac_useropt_orig=$ac_useropt +- ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` +- case $ac_user_opts in +- *" +-"enable_$ac_useropt" +-"*) ;; +- *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" +- ac_unrecognized_sep=', ';; +- esac +- eval enable_$ac_useropt=no ;; +- +- -docdir | --docdir | --docdi | --doc | --do) +- ac_prev=docdir ;; +- -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) +- docdir=$ac_optarg ;; +- +- -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) +- ac_prev=dvidir ;; +- -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) +- dvidir=$ac_optarg ;; +- +- -enable-* | --enable-*) +- ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` +- # Reject names that are not valid shell variable names. +- expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && +- as_fn_error $? "invalid feature name: $ac_useropt" +- ac_useropt_orig=$ac_useropt +- ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` +- case $ac_user_opts in +- *" +-"enable_$ac_useropt" +-"*) ;; +- *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" +- ac_unrecognized_sep=', ';; +- esac +- eval enable_$ac_useropt=\$ac_optarg ;; +- +- -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ +- | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ +- | --exec | --exe | --ex) +- ac_prev=exec_prefix ;; +- -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ +- | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ +- | --exec=* | --exe=* | --ex=*) +- exec_prefix=$ac_optarg ;; +- +- -gas | --gas | --ga | --g) +- # Obsolete; use --with-gas. 
+- with_gas=yes ;; +- +- -help | --help | --hel | --he | -h) +- ac_init_help=long ;; +- -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) +- ac_init_help=recursive ;; +- -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) +- ac_init_help=short ;; +- +- -host | --host | --hos | --ho) +- ac_prev=host_alias ;; +- -host=* | --host=* | --hos=* | --ho=*) +- host_alias=$ac_optarg ;; +- +- -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) +- ac_prev=htmldir ;; +- -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ +- | --ht=*) +- htmldir=$ac_optarg ;; +- +- -includedir | --includedir | --includedi | --included | --include \ +- | --includ | --inclu | --incl | --inc) +- ac_prev=includedir ;; +- -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ +- | --includ=* | --inclu=* | --incl=* | --inc=*) +- includedir=$ac_optarg ;; +- +- -infodir | --infodir | --infodi | --infod | --info | --inf) +- ac_prev=infodir ;; +- -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) +- infodir=$ac_optarg ;; +- +- -libdir | --libdir | --libdi | --libd) +- ac_prev=libdir ;; +- -libdir=* | --libdir=* | --libdi=* | --libd=*) +- libdir=$ac_optarg ;; +- +- -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ +- | --libexe | --libex | --libe) +- ac_prev=libexecdir ;; +- -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ +- | --libexe=* | --libex=* | --libe=*) +- libexecdir=$ac_optarg ;; +- +- -localedir | --localedir | --localedi | --localed | --locale) +- ac_prev=localedir ;; +- -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) +- localedir=$ac_optarg ;; +- +- -localstatedir | --localstatedir | --localstatedi | --localstated \ +- | --localstate | --localstat | --localsta | --localst | --locals) +- ac_prev=localstatedir ;; +- -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ +- | --localstate=* | --localstat=* | --localsta=* | 
--localst=* | --locals=*) +- localstatedir=$ac_optarg ;; +- +- -mandir | --mandir | --mandi | --mand | --man | --ma | --m) +- ac_prev=mandir ;; +- -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) +- mandir=$ac_optarg ;; +- +- -nfp | --nfp | --nf) +- # Obsolete; use --without-fp. +- with_fp=no ;; +- +- -no-create | --no-create | --no-creat | --no-crea | --no-cre \ +- | --no-cr | --no-c | -n) +- no_create=yes ;; +- +- -no-recursion | --no-recursion | --no-recursio | --no-recursi \ +- | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) +- no_recursion=yes ;; +- +- -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ +- | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ +- | --oldin | --oldi | --old | --ol | --o) +- ac_prev=oldincludedir ;; +- -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ +- | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ +- | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) +- oldincludedir=$ac_optarg ;; +- +- -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) +- ac_prev=prefix ;; +- -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) +- prefix=$ac_optarg ;; +- +- -program-prefix | --program-prefix | --program-prefi | --program-pref \ +- | --program-pre | --program-pr | --program-p) +- ac_prev=program_prefix ;; +- -program-prefix=* | --program-prefix=* | --program-prefi=* \ +- | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) +- program_prefix=$ac_optarg ;; +- +- -program-suffix | --program-suffix | --program-suffi | --program-suff \ +- | --program-suf | --program-su | --program-s) +- ac_prev=program_suffix ;; +- -program-suffix=* | --program-suffix=* | --program-suffi=* \ +- | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) +- program_suffix=$ac_optarg ;; +- +- -program-transform-name | --program-transform-name \ +- | --program-transform-nam | 
--program-transform-na \ +- | --program-transform-n | --program-transform- \ +- | --program-transform | --program-transfor \ +- | --program-transfo | --program-transf \ +- | --program-trans | --program-tran \ +- | --progr-tra | --program-tr | --program-t) +- ac_prev=program_transform_name ;; +- -program-transform-name=* | --program-transform-name=* \ +- | --program-transform-nam=* | --program-transform-na=* \ +- | --program-transform-n=* | --program-transform-=* \ +- | --program-transform=* | --program-transfor=* \ +- | --program-transfo=* | --program-transf=* \ +- | --program-trans=* | --program-tran=* \ +- | --progr-tra=* | --program-tr=* | --program-t=*) +- program_transform_name=$ac_optarg ;; +- +- -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) +- ac_prev=pdfdir ;; +- -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) +- pdfdir=$ac_optarg ;; +- +- -psdir | --psdir | --psdi | --psd | --ps) +- ac_prev=psdir ;; +- -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) +- psdir=$ac_optarg ;; +- +- -q | -quiet | --quiet | --quie | --qui | --qu | --q \ +- | -silent | --silent | --silen | --sile | --sil) +- silent=yes ;; +- +- -runstatedir | --runstatedir | --runstatedi | --runstated \ +- | --runstate | --runstat | --runsta | --runst | --runs \ +- | --run | --ru | --r) +- ac_prev=runstatedir ;; +- -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ +- | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ +- | --run=* | --ru=* | --r=*) +- runstatedir=$ac_optarg ;; +- +- -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) +- ac_prev=sbindir ;; +- -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ +- | --sbi=* | --sb=*) +- sbindir=$ac_optarg ;; +- +- -sharedstatedir | --sharedstatedir | --sharedstatedi \ +- | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ +- | --sharedst | --shareds | --shared | --share | --shar \ +- | --sha | --sh) +- ac_prev=sharedstatedir ;; +- -sharedstatedir=* 
| --sharedstatedir=* | --sharedstatedi=* \ +- | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ +- | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ +- | --sha=* | --sh=*) +- sharedstatedir=$ac_optarg ;; +- +- -site | --site | --sit) +- ac_prev=site ;; +- -site=* | --site=* | --sit=*) +- site=$ac_optarg ;; +- +- -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) +- ac_prev=srcdir ;; +- -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) +- srcdir=$ac_optarg ;; +- +- -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ +- | --syscon | --sysco | --sysc | --sys | --sy) +- ac_prev=sysconfdir ;; +- -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ +- | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) +- sysconfdir=$ac_optarg ;; +- +- -target | --target | --targe | --targ | --tar | --ta | --t) +- ac_prev=target_alias ;; +- -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) +- target_alias=$ac_optarg ;; +- +- -v | -verbose | --verbose | --verbos | --verbo | --verb) +- verbose=yes ;; +- +- -version | --version | --versio | --versi | --vers | -V) +- ac_init_version=: ;; +- +- -with-* | --with-*) +- ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` +- # Reject names that are not valid shell variable names. +- expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && +- as_fn_error $? "invalid package name: $ac_useropt" +- ac_useropt_orig=$ac_useropt +- ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` +- case $ac_user_opts in +- *" +-"with_$ac_useropt" +-"*) ;; +- *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" +- ac_unrecognized_sep=', ';; +- esac +- eval with_$ac_useropt=\$ac_optarg ;; +- +- -without-* | --without-*) +- ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` +- # Reject names that are not valid shell variable names. 
+- expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && +- as_fn_error $? "invalid package name: $ac_useropt" +- ac_useropt_orig=$ac_useropt +- ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` +- case $ac_user_opts in +- *" +-"with_$ac_useropt" +-"*) ;; +- *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" +- ac_unrecognized_sep=', ';; +- esac +- eval with_$ac_useropt=no ;; +- +- --x) +- # Obsolete; use --with-x. +- with_x=yes ;; +- +- -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ +- | --x-incl | --x-inc | --x-in | --x-i) +- ac_prev=x_includes ;; +- -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ +- | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) +- x_includes=$ac_optarg ;; +- +- -x-libraries | --x-libraries | --x-librarie | --x-librari \ +- | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) +- ac_prev=x_libraries ;; +- -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ +- | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) +- x_libraries=$ac_optarg ;; +- +- -*) as_fn_error $? "unrecognized option: \`$ac_option' +-Try \`$0 --help' for more information" +- ;; +- +- *=*) +- ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` +- # Reject names that are not valid shell variable names. +- case $ac_envvar in #( +- '' | [0-9]* | *[!_$as_cr_alnum]* ) +- as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; +- esac +- eval $ac_envvar=\$ac_optarg +- export $ac_envvar ;; +- +- *) +- # FIXME: should be removed in autoconf 3.0. 
+- $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 +- expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && +- $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 +- : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" +- ;; +- +- esac +-done +- +-if test -n "$ac_prev"; then +- ac_option=--`echo $ac_prev | sed 's/_/-/g'` +- as_fn_error $? "missing argument to $ac_option" +-fi +- +-if test -n "$ac_unrecognized_opts"; then +- case $enable_option_checking in +- no) ;; +- fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; +- *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; +- esac +-fi +- +-# Check all directory arguments for consistency. +-for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ +- datadir sysconfdir sharedstatedir localstatedir includedir \ +- oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ +- libdir localedir mandir runstatedir +-do +- eval ac_val=\$$ac_var +- # Remove trailing slashes. +- case $ac_val in +- */ ) +- ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` +- eval $ac_var=\$ac_val;; +- esac +- # Be sure to have absolute directory names. +- case $ac_val in +- [\\/$]* | ?:[\\/]* ) continue;; +- NONE | '' ) case $ac_var in *prefix ) continue;; esac;; +- esac +- as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" +-done +- +-# There might be people who depend on the old broken behavior: `$host' +-# used to hold the argument of --host etc. +-# FIXME: To remove some day. +-build=$build_alias +-host=$host_alias +-target=$target_alias +- +-# FIXME: To remove some day. 
+-if test "x$host_alias" != x; then +- if test "x$build_alias" = x; then +- cross_compiling=maybe +- elif test "x$build_alias" != "x$host_alias"; then +- cross_compiling=yes +- fi +-fi +- +-ac_tool_prefix= +-test -n "$host_alias" && ac_tool_prefix=$host_alias- +- +-test "$silent" = yes && exec 6>/dev/null +- +- +-ac_pwd=`pwd` && test -n "$ac_pwd" && +-ac_ls_di=`ls -di .` && +-ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || +- as_fn_error $? "working directory cannot be determined" +-test "X$ac_ls_di" = "X$ac_pwd_ls_di" || +- as_fn_error $? "pwd does not report name of working directory" +- +- +-# Find the source files, if location was not specified. +-if test -z "$srcdir"; then +- ac_srcdir_defaulted=yes +- # Try the directory containing this script, then the parent directory. +- ac_confdir=`$as_dirname -- "$as_myself" || +-$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ +- X"$as_myself" : 'X\(//\)[^/]' \| \ +- X"$as_myself" : 'X\(//\)$' \| \ +- X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || +-$as_echo X"$as_myself" | +- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)[^/].*/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)$/{ +- s//\1/ +- q +- } +- /^X\(\/\).*/{ +- s//\1/ +- q +- } +- s/.*/./; q'` +- srcdir=$ac_confdir +- if test ! -r "$srcdir/$ac_unique_file"; then +- srcdir=.. +- fi +-else +- ac_srcdir_defaulted=no +-fi +-if test ! -r "$srcdir/$ac_unique_file"; then +- test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." +- as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" +-fi +-ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" +-ac_abs_confdir=`( +- cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" +- pwd)` +-# When building in place, set srcdir=. +-if test "$ac_abs_confdir" = "$ac_pwd"; then +- srcdir=. +-fi +-# Remove unnecessary trailing slashes from srcdir. +-# Double slashes in file names in object file debugging info +-# mess up M-x gdb in Emacs. 
+-case $srcdir in +-*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; +-esac +-for ac_var in $ac_precious_vars; do +- eval ac_env_${ac_var}_set=\${${ac_var}+set} +- eval ac_env_${ac_var}_value=\$${ac_var} +- eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} +- eval ac_cv_env_${ac_var}_value=\$${ac_var} +-done +- +-# +-# Report the --help message. +-# +-if test "$ac_init_help" = "long"; then +- # Omit some internal or obsolete options to make the list less imposing. +- # This message is too long to be a string in the A/UX 3.1 sh. +- cat <<_ACEOF +-\`configure' configures this package to adapt to many kinds of systems. +- +-Usage: $0 [OPTION]... [VAR=VALUE]... +- +-To assign environment variables (e.g., CC, CFLAGS...), specify them as +-VAR=VALUE. See below for descriptions of some of the useful variables. +- +-Defaults for the options are specified in brackets. +- +-Configuration: +- -h, --help display this help and exit +- --help=short display options specific to this package +- --help=recursive display the short help of all the included packages +- -V, --version display version information and exit +- -q, --quiet, --silent do not print \`checking ...' messages +- --cache-file=FILE cache test results in FILE [disabled] +- -C, --config-cache alias for \`--cache-file=config.cache' +- -n, --no-create do not create output files +- --srcdir=DIR find the sources in DIR [configure dir or \`..'] +- +-Installation directories: +- --prefix=PREFIX install architecture-independent files in PREFIX +- [$ac_default_prefix] +- --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX +- [PREFIX] +- +-By default, \`make install' will install all the files in +-\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify +-an installation prefix other than \`$ac_default_prefix' using \`--prefix', +-for instance \`--prefix=\$HOME'. +- +-For better control, use the options below. 
+- +-Fine tuning of the installation directories: +- --bindir=DIR user executables [EPREFIX/bin] +- --sbindir=DIR system admin executables [EPREFIX/sbin] +- --libexecdir=DIR program executables [EPREFIX/libexec] +- --sysconfdir=DIR read-only single-machine data [PREFIX/etc] +- --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] +- --localstatedir=DIR modifiable single-machine data [PREFIX/var] +- --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] +- --libdir=DIR object code libraries [EPREFIX/lib] +- --includedir=DIR C header files [PREFIX/include] +- --oldincludedir=DIR C header files for non-gcc [/usr/include] +- --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] +- --datadir=DIR read-only architecture-independent data [DATAROOTDIR] +- --infodir=DIR info documentation [DATAROOTDIR/info] +- --localedir=DIR locale-dependent data [DATAROOTDIR/locale] +- --mandir=DIR man documentation [DATAROOTDIR/man] +- --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] +- --htmldir=DIR html documentation [DOCDIR] +- --dvidir=DIR dvi documentation [DOCDIR] +- --pdfdir=DIR pdf documentation [DOCDIR] +- --psdir=DIR ps documentation [DOCDIR] +-_ACEOF +- +- cat <<\_ACEOF +-_ACEOF +-fi +- +-if test -n "$ac_init_help"; then +- +- cat <<\_ACEOF +- +-Optional Packages: +- --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +- --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) +- --without-rlm_eap_teap build without rlm_eap_teap +- --with-openssl-lib-dir=DIR +- directory for LDAP library files +- -with-openssl-include-dir=DIR +- directory for LDAP include files +- +-Some influential environment variables: +- CC C compiler command +- CFLAGS C compiler flags +- LDFLAGS linker flags, e.g. -L if you have libraries in a +- nonstandard directory +- LIBS libraries to pass to the linker, e.g. -l +- CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. 
-I if +- you have headers in a nonstandard directory +- CPP C preprocessor +- +-Use these variables to override the choices made by `configure' or to help +-it to find libraries and programs with nonstandard names/locations. +- +-Report bugs to the package provider. +-_ACEOF +-ac_status=$? +-fi +- +-if test "$ac_init_help" = "recursive"; then +- # If there are subdirs, report their specific --help. +- for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue +- test -d "$ac_dir" || +- { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || +- continue +- ac_builddir=. +- +-case "$ac_dir" in +-.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +-*) +- ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` +- # A ".." for each directory in $ac_dir_suffix. +- ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` +- case $ac_top_builddir_sub in +- "") ac_top_builddir_sub=. ac_top_build_prefix= ;; +- *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; +- esac ;; +-esac +-ac_abs_top_builddir=$ac_pwd +-ac_abs_builddir=$ac_pwd$ac_dir_suffix +-# for backward compatibility: +-ac_top_builddir=$ac_top_build_prefix +- +-case $srcdir in +- .) # We are building in place. +- ac_srcdir=. +- ac_top_srcdir=$ac_top_builddir_sub +- ac_abs_top_srcdir=$ac_pwd ;; +- [\\/]* | ?:[\\/]* ) # Absolute name. +- ac_srcdir=$srcdir$ac_dir_suffix; +- ac_top_srcdir=$srcdir +- ac_abs_top_srcdir=$srcdir ;; +- *) # Relative name. +- ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix +- ac_top_srcdir=$ac_top_build_prefix$srcdir +- ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +-esac +-ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix +- +- cd "$ac_dir" || { ac_status=$?; continue; } +- # Check for guested configure. 
+- if test -f "$ac_srcdir/configure.gnu"; then +- echo && +- $SHELL "$ac_srcdir/configure.gnu" --help=recursive +- elif test -f "$ac_srcdir/configure"; then +- echo && +- $SHELL "$ac_srcdir/configure" --help=recursive +- else +- $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 +- fi || ac_status=$? +- cd "$ac_pwd" || { ac_status=$?; break; } +- done +-fi +- +-test -n "$ac_init_help" && exit $ac_status +-if $ac_init_version; then +- cat <<\_ACEOF +-configure +-generated by GNU Autoconf 2.69 +- +-Copyright (C) 2012 Free Software Foundation, Inc. +-This configure script is free software; the Free Software Foundation +-gives unlimited permission to copy, distribute and modify it. +-_ACEOF +- exit +-fi +- +-## ------------------------ ## +-## Autoconf initialization. ## +-## ------------------------ ## +- +-echo +-echo Running tests for rlm_eap_teap +-echo +- +- +-# ac_fn_c_try_compile LINENO +-# -------------------------- +-# Try to compile conftest.$ac_ext, and return whether this succeeded. +-ac_fn_c_try_compile () +-{ +- as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack +- rm -f conftest.$ac_objext +- if { { ac_try="$ac_compile" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_compile") 2>conftest.err +- ac_status=$? +- if test -s conftest.err; then +- grep -v '^ *+' conftest.err >conftest.er1 +- cat conftest.er1 >&5 +- mv -f conftest.er1 conftest.err +- fi +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; } && { +- test -z "$ac_c_werror_flag" || +- test ! 
-s conftest.err +- } && test -s conftest.$ac_objext; then : +- ac_retval=0 +-else +- $as_echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +- ac_retval=1 +-fi +- eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno +- as_fn_set_status $ac_retval +- +-} # ac_fn_c_try_compile +- +-# ac_fn_c_try_link LINENO +-# ----------------------- +-# Try to link conftest.$ac_ext, and return whether this succeeded. +-ac_fn_c_try_link () +-{ +- as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack +- rm -f conftest.$ac_objext conftest$ac_exeext +- if { { ac_try="$ac_link" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_link") 2>conftest.err +- ac_status=$? +- if test -s conftest.err; then +- grep -v '^ *+' conftest.err >conftest.er1 +- cat conftest.er1 >&5 +- mv -f conftest.er1 conftest.err +- fi +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; } && { +- test -z "$ac_c_werror_flag" || +- test ! -s conftest.err +- } && test -s conftest$ac_exeext && { +- test "$cross_compiling" = yes || +- test -x conftest$ac_exeext +- }; then : +- ac_retval=0 +-else +- $as_echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +- ac_retval=1 +-fi +- # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information +- # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would +- # interfere with the next link command; also delete a directory that is +- # left behind by Apple's compiler. We do this before executing the actions. 
+- rm -rf conftest.dSYM conftest_ipa8_conftest.oo +- eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno +- as_fn_set_status $ac_retval +- +-} # ac_fn_c_try_link +- +-# ac_fn_c_try_cpp LINENO +-# ---------------------- +-# Try to preprocess conftest.$ac_ext, and return whether this succeeded. +-ac_fn_c_try_cpp () +-{ +- as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack +- if { { ac_try="$ac_cpp conftest.$ac_ext" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err +- ac_status=$? +- if test -s conftest.err; then +- grep -v '^ *+' conftest.err >conftest.er1 +- cat conftest.er1 >&5 +- mv -f conftest.er1 conftest.err +- fi +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; } > conftest.i && { +- test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || +- test ! -s conftest.err +- }; then : +- ac_retval=0 +-else +- $as_echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +- ac_retval=1 +-fi +- eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno +- as_fn_set_status $ac_retval +- +-} # ac_fn_c_try_cpp +-cat >config.log <<_ACEOF +-This file contains any messages produced by compilers while +-running configure, to aid debugging if configure makes a mistake. +- +-It was created by $as_me, which was +-generated by GNU Autoconf 2.69. Invocation command line was +- +- $ $0 $@ +- +-_ACEOF +-exec 5>>config.log +-{ +-cat <<_ASUNAME +-## --------- ## +-## Platform. 
## +-## --------- ## +- +-hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` +-uname -m = `(uname -m) 2>/dev/null || echo unknown` +-uname -r = `(uname -r) 2>/dev/null || echo unknown` +-uname -s = `(uname -s) 2>/dev/null || echo unknown` +-uname -v = `(uname -v) 2>/dev/null || echo unknown` +- +-/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` +-/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` +- +-/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` +-/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` +-/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` +-/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` +-/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` +-/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` +-/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` +- +-_ASUNAME +- +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- $as_echo "PATH: $as_dir" +- done +-IFS=$as_save_IFS +- +-} >&5 +- +-cat >&5 <<_ACEOF +- +- +-## ----------- ## +-## Core tests. ## +-## ----------- ## +- +-_ACEOF +- +- +-# Keep a trace of the command line. +-# Strip out --no-create and --no-recursion so they do not pile up. +-# Strip out --silent because we don't want to record it for future runs. +-# Also quote any args containing shell meta-characters. +-# Make two passes to allow for proper duplicate-argument suppression. 
+-ac_configure_args= +-ac_configure_args0= +-ac_configure_args1= +-ac_must_keep_next=false +-for ac_pass in 1 2 +-do +- for ac_arg +- do +- case $ac_arg in +- -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; +- -q | -quiet | --quiet | --quie | --qui | --qu | --q \ +- | -silent | --silent | --silen | --sile | --sil) +- continue ;; +- *\'*) +- ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; +- esac +- case $ac_pass in +- 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; +- 2) +- as_fn_append ac_configure_args1 " '$ac_arg'" +- if test $ac_must_keep_next = true; then +- ac_must_keep_next=false # Got value, back to normal. +- else +- case $ac_arg in +- *=* | --config-cache | -C | -disable-* | --disable-* \ +- | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ +- | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ +- | -with-* | --with-* | -without-* | --without-* | --x) +- case "$ac_configure_args0 " in +- "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; +- esac +- ;; +- -* ) ac_must_keep_next=true ;; +- esac +- fi +- as_fn_append ac_configure_args " '$ac_arg'" +- ;; +- esac +- done +-done +-{ ac_configure_args0=; unset ac_configure_args0;} +-{ ac_configure_args1=; unset ac_configure_args1;} +- +-# When interrupted or exit'd, cleanup temporary files, and complete +-# config.log. We remove comments because anyway the quotes in there +-# would cause problems or look ugly. +-# WARNING: Use '\'' to represent an apostrophe within the trap. +-# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. +-trap 'exit_status=$? +- # Save into config.log some information that might help in debugging. +- { +- echo +- +- $as_echo "## ---------------- ## +-## Cache variables. 
## +-## ---------------- ##" +- echo +- # The following way of writing the cache mishandles newlines in values, +-( +- for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do +- eval ac_val=\$$ac_var +- case $ac_val in #( +- *${as_nl}*) +- case $ac_var in #( +- *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +-$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; +- esac +- case $ac_var in #( +- _ | IFS | as_nl) ;; #( +- BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( +- *) { eval $ac_var=; unset $ac_var;} ;; +- esac ;; +- esac +- done +- (set) 2>&1 | +- case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( +- *${as_nl}ac_space=\ *) +- sed -n \ +- "s/'\''/'\''\\\\'\'''\''/g; +- s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" +- ;; #( +- *) +- sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" +- ;; +- esac | +- sort +-) +- echo +- +- $as_echo "## ----------------- ## +-## Output variables. ## +-## ----------------- ##" +- echo +- for ac_var in $ac_subst_vars +- do +- eval ac_val=\$$ac_var +- case $ac_val in +- *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; +- esac +- $as_echo "$ac_var='\''$ac_val'\''" +- done | sort +- echo +- +- if test -n "$ac_subst_files"; then +- $as_echo "## ------------------- ## +-## File substitutions. ## +-## ------------------- ##" +- echo +- for ac_var in $ac_subst_files +- do +- eval ac_val=\$$ac_var +- case $ac_val in +- *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; +- esac +- $as_echo "$ac_var='\''$ac_val'\''" +- done | sort +- echo +- fi +- +- if test -s confdefs.h; then +- $as_echo "## ----------- ## +-## confdefs.h. 
## +-## ----------- ##" +- echo +- cat confdefs.h +- echo +- fi +- test "$ac_signal" != 0 && +- $as_echo "$as_me: caught signal $ac_signal" +- $as_echo "$as_me: exit $exit_status" +- } >&5 +- rm -f core *.core core.conftest.* && +- rm -f -r conftest* confdefs* conf$$* $ac_clean_files && +- exit $exit_status +-' 0 +-for ac_signal in 1 2 13 15; do +- trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal +-done +-ac_signal=0 +- +-# confdefs.h avoids OS command line length limits that DEFS can exceed. +-rm -f -r conftest* confdefs.h +- +-$as_echo "/* confdefs.h */" > confdefs.h +- +-# Predefined preprocessor variables. +- +-cat >>confdefs.h <<_ACEOF +-#define PACKAGE_NAME "$PACKAGE_NAME" +-_ACEOF +- +-cat >>confdefs.h <<_ACEOF +-#define PACKAGE_TARNAME "$PACKAGE_TARNAME" +-_ACEOF +- +-cat >>confdefs.h <<_ACEOF +-#define PACKAGE_VERSION "$PACKAGE_VERSION" +-_ACEOF +- +-cat >>confdefs.h <<_ACEOF +-#define PACKAGE_STRING "$PACKAGE_STRING" +-_ACEOF +- +-cat >>confdefs.h <<_ACEOF +-#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" +-_ACEOF +- +-cat >>confdefs.h <<_ACEOF +-#define PACKAGE_URL "$PACKAGE_URL" +-_ACEOF +- +- +-# Let the site file select an alternate cache file if it wants to. +-# Prefer an explicitly selected file to automatically selected ones. +-ac_site_file1=NONE +-ac_site_file2=NONE +-if test -n "$CONFIG_SITE"; then +- # We do not want a PATH search for config.site. 
+- case $CONFIG_SITE in #(( +- -*) ac_site_file1=./$CONFIG_SITE;; +- */*) ac_site_file1=$CONFIG_SITE;; +- *) ac_site_file1=./$CONFIG_SITE;; +- esac +-elif test "x$prefix" != xNONE; then +- ac_site_file1=$prefix/share/config.site +- ac_site_file2=$prefix/etc/config.site +-else +- ac_site_file1=$ac_default_prefix/share/config.site +- ac_site_file2=$ac_default_prefix/etc/config.site +-fi +-for ac_site_file in "$ac_site_file1" "$ac_site_file2" +-do +- test "x$ac_site_file" = xNONE && continue +- if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 +-$as_echo "$as_me: loading site script $ac_site_file" >&6;} +- sed 's/^/| /' "$ac_site_file" >&5 +- . "$ac_site_file" \ +- || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "failed to load site script $ac_site_file +-See \`config.log' for more details" "$LINENO" 5; } +- fi +-done +- +-if test -r "$cache_file"; then +- # Some versions of bash will fail to source /dev/null (special files +- # actually), so we avoid doing that. DJGPP emulates it as a regular file. +- if test /dev/null != "$cache_file" && test -f "$cache_file"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 +-$as_echo "$as_me: loading cache $cache_file" >&6;} +- case $cache_file in +- [\\/]* | ?:[\\/]* ) . "$cache_file";; +- *) . "./$cache_file";; +- esac +- fi +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 +-$as_echo "$as_me: creating cache $cache_file" >&6;} +- >$cache_file +-fi +- +-# Check that the precious variables saved in the cache have kept the same +-# value. 
+-ac_cache_corrupted=false +-for ac_var in $ac_precious_vars; do +- eval ac_old_set=\$ac_cv_env_${ac_var}_set +- eval ac_new_set=\$ac_env_${ac_var}_set +- eval ac_old_val=\$ac_cv_env_${ac_var}_value +- eval ac_new_val=\$ac_env_${ac_var}_value +- case $ac_old_set,$ac_new_set in +- set,) +- { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +-$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} +- ac_cache_corrupted=: ;; +- ,set) +- { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 +-$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} +- ac_cache_corrupted=: ;; +- ,);; +- *) +- if test "x$ac_old_val" != "x$ac_new_val"; then +- # differences in whitespace do not lead to failure. +- ac_old_val_w=`echo x $ac_old_val` +- ac_new_val_w=`echo x $ac_new_val` +- if test "$ac_old_val_w" != "$ac_new_val_w"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 +-$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} +- ac_cache_corrupted=: +- else +- { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 +-$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} +- eval $ac_var=\$ac_old_val +- fi +- { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 +-$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} +- { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 +-$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} +- fi;; +- esac +- # Pass precious variables to config.status. 
+- if test "$ac_new_set" = set; then +- case $ac_new_val in +- *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; +- *) ac_arg=$ac_var=$ac_new_val ;; +- esac +- case " $ac_configure_args " in +- *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. +- *) as_fn_append ac_configure_args " '$ac_arg'" ;; +- esac +- fi +-done +-if $ac_cache_corrupted; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +- { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 +-$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} +- as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 +-fi +-## -------------------- ## +-## Main body of script. ## +-## -------------------- ## +- +-ac_ext=c +-ac_cpp='$CPP $CPPFLAGS' +-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +-ac_compiler_gnu=$ac_cv_c_compiler_gnu +- +- +- +- +- +- +- +- +- +-# Check whether --with-rlm_eap_teap was given. +-if test "${with_rlm_eap_teap+set}" = set; then : +- withval=$with_rlm_eap_teap; +-fi +- +- +- +-mod_ldflags= +-mod_cflags= +- +- +-fail= +-fr_status= +-fr_features= +-: > "config.report" +-: > "config.report.tmp" +- +- +- +-if test x"$with_rlm_eap_teap" != xno; then +- +- +-openssl_lib_dir= +- +-# Check whether --with-openssl-lib-dir was given. +-if test "${with_openssl_lib_dir+set}" = set; then : +- withval=$with_openssl_lib_dir; case "$withval" in +- no) +- as_fn_error $? "Need openssl-lib-dir" "$LINENO" 5 +- ;; +- yes) +- ;; +- *) +- openssl_lib_dir="$withval" +- ;; +- esac +-fi +- +- +-openssl_include_dir= +- +-# Check whether --with-openssl-include-dir was given. 
+-if test "${with_openssl_include_dir+set}" = set; then : +- withval=$with_openssl_include_dir; case "$withval" in +- no) +- as_fn_error $? "Need openssl-include-dir" "$LINENO" 5 +- ;; +- yes) +- ;; +- *) +- openssl_include_dir="$withval" +- ;; +- esac +-fi +- +- +- +-smart_try_dir=$openssl_include_dir +-ac_ext=c +-ac_cpp='$CPP $CPPFLAGS' +-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +-ac_compiler_gnu=$ac_cv_c_compiler_gnu +-if test -n "$ac_tool_prefix"; then +- # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. +-set dummy ${ac_tool_prefix}gcc; ac_word=$2 +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +-$as_echo_n "checking for $ac_word... " >&6; } +-if ${ac_cv_prog_CC+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if test -n "$CC"; then +- ac_cv_prog_CC="$CC" # Let the user override the test. +-else +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- for ac_exec_ext in '' $ac_executable_extensions; do +- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then +- ac_cv_prog_CC="${ac_tool_prefix}gcc" +- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 +- break 2 +- fi +-done +- done +-IFS=$as_save_IFS +- +-fi +-fi +-CC=$ac_cv_prog_CC +-if test -n "$CC"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +-$as_echo "$CC" >&6; } +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +- +- +-fi +-if test -z "$ac_cv_prog_CC"; then +- ac_ct_CC=$CC +- # Extract the first word of "gcc", so it can be a program name with args. +-set dummy gcc; ac_word=$2 +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +-$as_echo_n "checking for $ac_word... 
" >&6; } +-if ${ac_cv_prog_ac_ct_CC+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if test -n "$ac_ct_CC"; then +- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +-else +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- for ac_exec_ext in '' $ac_executable_extensions; do +- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then +- ac_cv_prog_ac_ct_CC="gcc" +- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 +- break 2 +- fi +-done +- done +-IFS=$as_save_IFS +- +-fi +-fi +-ac_ct_CC=$ac_cv_prog_ac_ct_CC +-if test -n "$ac_ct_CC"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +-$as_echo "$ac_ct_CC" >&6; } +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +- +- if test "x$ac_ct_CC" = x; then +- CC="" +- else +- case $cross_compiling:$ac_tool_warned in +-yes:) +-{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +-$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +-ac_tool_warned=yes ;; +-esac +- CC=$ac_ct_CC +- fi +-else +- CC="$ac_cv_prog_CC" +-fi +- +-if test -z "$CC"; then +- if test -n "$ac_tool_prefix"; then +- # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. +-set dummy ${ac_tool_prefix}cc; ac_word=$2 +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +-$as_echo_n "checking for $ac_word... " >&6; } +-if ${ac_cv_prog_CC+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if test -n "$CC"; then +- ac_cv_prog_CC="$CC" # Let the user override the test. +-else +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. 
+- for ac_exec_ext in '' $ac_executable_extensions; do +- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then +- ac_cv_prog_CC="${ac_tool_prefix}cc" +- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 +- break 2 +- fi +-done +- done +-IFS=$as_save_IFS +- +-fi +-fi +-CC=$ac_cv_prog_CC +-if test -n "$CC"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +-$as_echo "$CC" >&6; } +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +- +- +- fi +-fi +-if test -z "$CC"; then +- # Extract the first word of "cc", so it can be a program name with args. +-set dummy cc; ac_word=$2 +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +-$as_echo_n "checking for $ac_word... " >&6; } +-if ${ac_cv_prog_CC+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if test -n "$CC"; then +- ac_cv_prog_CC="$CC" # Let the user override the test. +-else +- ac_prog_rejected=no +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- for ac_exec_ext in '' $ac_executable_extensions; do +- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then +- if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then +- ac_prog_rejected=yes +- continue +- fi +- ac_cv_prog_CC="cc" +- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 +- break 2 +- fi +-done +- done +-IFS=$as_save_IFS +- +-if test $ac_prog_rejected = yes; then +- # We found a bogon in the path, so make sure we never use it. +- set dummy $ac_cv_prog_CC +- shift +- if test $# != 0; then +- # We chose a different compiler from the bogus one. +- # However, it has the same basename, so the bogon will be chosen +- # first if we set CC to just the basename; use the full file name. 
+- shift +- ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" +- fi +-fi +-fi +-fi +-CC=$ac_cv_prog_CC +-if test -n "$CC"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +-$as_echo "$CC" >&6; } +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +- +- +-fi +-if test -z "$CC"; then +- if test -n "$ac_tool_prefix"; then +- for ac_prog in cl.exe +- do +- # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +-set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +-$as_echo_n "checking for $ac_word... " >&6; } +-if ${ac_cv_prog_CC+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if test -n "$CC"; then +- ac_cv_prog_CC="$CC" # Let the user override the test. +-else +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- for ac_exec_ext in '' $ac_executable_extensions; do +- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then +- ac_cv_prog_CC="$ac_tool_prefix$ac_prog" +- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 +- break 2 +- fi +-done +- done +-IFS=$as_save_IFS +- +-fi +-fi +-CC=$ac_cv_prog_CC +-if test -n "$CC"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +-$as_echo "$CC" >&6; } +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +- +- +- test -n "$CC" && break +- done +-fi +-if test -z "$CC"; then +- ac_ct_CC=$CC +- for ac_prog in cl.exe +-do +- # Extract the first word of "$ac_prog", so it can be a program name with args. +-set dummy $ac_prog; ac_word=$2 +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +-$as_echo_n "checking for $ac_word... 
" >&6; } +-if ${ac_cv_prog_ac_ct_CC+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if test -n "$ac_ct_CC"; then +- ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +-else +-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- for ac_exec_ext in '' $ac_executable_extensions; do +- if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then +- ac_cv_prog_ac_ct_CC="$ac_prog" +- $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 +- break 2 +- fi +-done +- done +-IFS=$as_save_IFS +- +-fi +-fi +-ac_ct_CC=$ac_cv_prog_ac_ct_CC +-if test -n "$ac_ct_CC"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +-$as_echo "$ac_ct_CC" >&6; } +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +- +- +- test -n "$ac_ct_CC" && break +-done +- +- if test "x$ac_ct_CC" = x; then +- CC="" +- else +- case $cross_compiling:$ac_tool_warned in +-yes:) +-{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +-$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +-ac_tool_warned=yes ;; +-esac +- CC=$ac_ct_CC +- fi +-fi +- +-fi +- +- +-test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "no acceptable C compiler found in \$PATH +-See \`config.log' for more details" "$LINENO" 5; } +- +-# Provide some information about the compiler. 
+-$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 +-set X $ac_compile +-ac_compiler=$2 +-for ac_option in --version -v -V -qversion; do +- { { ac_try="$ac_compiler $ac_option >&5" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_compiler $ac_option >&5") 2>conftest.err +- ac_status=$? +- if test -s conftest.err; then +- sed '10a\ +-... rest of stderr output deleted ... +- 10q' conftest.err >conftest.er1 +- cat conftest.er1 >&5 +- fi +- rm -f conftest.er1 conftest.err +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; } +-done +- +-cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-int +-main () +-{ +- +- ; +- return 0; +-} +-_ACEOF +-ac_clean_files_save=$ac_clean_files +-ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" +-# Try to create an executable without -o first, disregard a.out. +-# It will help us diagnose broken compilers, and finding out an intuition +-# of exeext. +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 +-$as_echo_n "checking whether the C compiler works... 
" >&6; } +-ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` +- +-# The possible output files: +-ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" +- +-ac_rmfiles= +-for ac_file in $ac_files +-do +- case $ac_file in +- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; +- * ) ac_rmfiles="$ac_rmfiles $ac_file";; +- esac +-done +-rm -f $ac_rmfiles +- +-if { { ac_try="$ac_link_default" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_link_default") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; }; then : +- # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. +-# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' +-# in a Makefile. We should not override ac_cv_exeext if it was cached, +-# so that the user can short-circuit this test for compilers unknown to +-# Autoconf. +-for ac_file in $ac_files '' +-do +- test -f "$ac_file" || continue +- case $ac_file in +- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) +- ;; +- [ab].out ) +- # We found the default executable, but exeext='' is most +- # certainly right. +- break;; +- *.* ) +- if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; +- then :; else +- ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` +- fi +- # We set ac_cv_exeext here because the later test for it is not +- # safe: cross compilers may not add the suffix if given an `-o' +- # argument, so we may need to know it at that point already. +- # Even if this section looks crufty: it has the advantage of +- # actually working. 
+- break;; +- * ) +- break;; +- esac +-done +-test "$ac_cv_exeext" = no && ac_cv_exeext= +- +-else +- ac_file='' +-fi +-if test -z "$ac_file"; then : +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-$as_echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +-{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error 77 "C compiler cannot create executables +-See \`config.log' for more details" "$LINENO" 5; } +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 +-$as_echo_n "checking for C compiler default output file name... " >&6; } +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 +-$as_echo "$ac_file" >&6; } +-ac_exeext=$ac_cv_exeext +- +-rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out +-ac_clean_files=$ac_clean_files_save +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 +-$as_echo_n "checking for suffix of executables... " >&6; } +-if { { ac_try="$ac_link" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_link") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; }; then : +- # If both `conftest.exe' and `conftest' are `present' (well, observable) +-# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will +-# work properly (i.e., refer to `conftest.exe'), while it won't with +-# `rm'. 
+-for ac_file in conftest.exe conftest conftest.*; do +- test -f "$ac_file" || continue +- case $ac_file in +- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; +- *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` +- break;; +- * ) break;; +- esac +-done +-else +- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "cannot compute suffix of executables: cannot compile and link +-See \`config.log' for more details" "$LINENO" 5; } +-fi +-rm -f conftest conftest$ac_cv_exeext +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 +-$as_echo "$ac_cv_exeext" >&6; } +- +-rm -f conftest.$ac_ext +-EXEEXT=$ac_cv_exeext +-ac_exeext=$EXEEXT +-cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-#include +-int +-main () +-{ +-FILE *f = fopen ("conftest.out", "w"); +- return ferror (f) || fclose (f) != 0; +- +- ; +- return 0; +-} +-_ACEOF +-ac_clean_files="$ac_clean_files conftest.out" +-# Check that the compiler produces executables we can run. If not, either +-# the compiler is broken, or we cross compile. +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 +-$as_echo_n "checking whether we are cross compiling... " >&6; } +-if test "$cross_compiling" != yes; then +- { { ac_try="$ac_link" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_link") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 +- test $ac_status = 0; } +- if { ac_try='./conftest$ac_cv_exeext' +- { { case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_try") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +- test $ac_status = 0; }; }; then +- cross_compiling=no +- else +- if test "$cross_compiling" = maybe; then +- cross_compiling=yes +- else +- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "cannot run C compiled programs. +-If you meant to cross compile, use \`--host'. +-See \`config.log' for more details" "$LINENO" 5; } +- fi +- fi +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 +-$as_echo "$cross_compiling" >&6; } +- +-rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out +-ac_clean_files=$ac_clean_files_save +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 +-$as_echo_n "checking for suffix of object files... " >&6; } +-if ${ac_cv_objext+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-int +-main () +-{ +- +- ; +- return 0; +-} +-_ACEOF +-rm -f conftest.o conftest.obj +-if { { ac_try="$ac_compile" +-case "(($ac_try" in +- *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +- *) ac_try_echo=$ac_try;; +-esac +-eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +-$as_echo "$ac_try_echo"; } >&5 +- (eval "$ac_compile") 2>&5 +- ac_status=$? +- $as_echo "$as_me:${as_lineno-$LINENO}: \$? 
= $ac_status" >&5 +- test $ac_status = 0; }; then : +- for ac_file in conftest.o conftest.obj conftest.*; do +- test -f "$ac_file" || continue; +- case $ac_file in +- *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; +- *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` +- break;; +- esac +-done +-else +- $as_echo "$as_me: failed program was:" >&5 +-sed 's/^/| /' conftest.$ac_ext >&5 +- +-{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "cannot compute suffix of object files: cannot compile +-See \`config.log' for more details" "$LINENO" 5; } +-fi +-rm -f conftest.$ac_cv_objext conftest.$ac_ext +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 +-$as_echo "$ac_cv_objext" >&6; } +-OBJEXT=$ac_cv_objext +-ac_objext=$OBJEXT +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 +-$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } +-if ${ac_cv_c_compiler_gnu+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-int +-main () +-{ +-#ifndef __GNUC__ +- choke me +-#endif +- +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- ac_compiler_gnu=yes +-else +- ac_compiler_gnu=no +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +-ac_cv_c_compiler_gnu=$ac_compiler_gnu +- +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 +-$as_echo "$ac_cv_c_compiler_gnu" >&6; } +-if test $ac_compiler_gnu = yes; then +- GCC=yes +-else +- GCC= +-fi +-ac_test_CFLAGS=${CFLAGS+set} +-ac_save_CFLAGS=$CFLAGS +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 +-$as_echo_n "checking whether $CC accepts -g... 
" >&6; } +-if ${ac_cv_prog_cc_g+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- ac_save_c_werror_flag=$ac_c_werror_flag +- ac_c_werror_flag=yes +- ac_cv_prog_cc_g=no +- CFLAGS="-g" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-int +-main () +-{ +- +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- ac_cv_prog_cc_g=yes +-else +- CFLAGS="" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-int +-main () +-{ +- +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +-else +- ac_c_werror_flag=$ac_save_c_werror_flag +- CFLAGS="-g" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +-int +-main () +-{ +- +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- ac_cv_prog_cc_g=yes +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- ac_c_werror_flag=$ac_save_c_werror_flag +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 +-$as_echo "$ac_cv_prog_cc_g" >&6; } +-if test "$ac_test_CFLAGS" = set; then +- CFLAGS=$ac_save_CFLAGS +-elif test $ac_cv_prog_cc_g = yes; then +- if test "$GCC" = yes; then +- CFLAGS="-g -O2" +- else +- CFLAGS="-g" +- fi +-else +- if test "$GCC" = yes; then +- CFLAGS="-O2" +- else +- CFLAGS= +- fi +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 +-$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } +-if ${ac_cv_prog_cc_c89+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- ac_cv_prog_cc_c89=no +-ac_save_CC=$CC +-cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-#include +-#include +-struct stat; +-/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. 
*/ +-struct buf { int x; }; +-FILE * (*rcsopen) (struct buf *, struct stat *, int); +-static char *e (p, i) +- char **p; +- int i; +-{ +- return p[i]; +-} +-static char *f (char * (*g) (char **, int), char **p, ...) +-{ +- char *s; +- va_list v; +- va_start (v,p); +- s = g (p, va_arg (v,int)); +- va_end (v); +- return s; +-} +- +-/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has +- function prototypes and stuff, but not '\xHH' hex character constants. +- These don't provoke an error unfortunately, instead are silently treated +- as 'x'. The following induces an error, until -std is added to get +- proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an +- array size at least. It's necessary to write '\x00'==0 to get something +- that's true only with -std. */ +-int osf4_cc_array ['\x00' == 0 ? 1 : -1]; +- +-/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters +- inside strings and character constants. */ +-#define FOO(x) 'x' +-int xlc6_cc_array[FOO(a) == 'x' ? 
1 : -1]; +- +-int test (int i, double x); +-struct s1 {int (*f) (int a);}; +-struct s2 {int (*f) (double a);}; +-int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); +-int argc; +-char **argv; +-int +-main () +-{ +-return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; +- ; +- return 0; +-} +-_ACEOF +-for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ +- -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" +-do +- CC="$ac_save_CC $ac_arg" +- if ac_fn_c_try_compile "$LINENO"; then : +- ac_cv_prog_cc_c89=$ac_arg +-fi +-rm -f core conftest.err conftest.$ac_objext +- test "x$ac_cv_prog_cc_c89" != "xno" && break +-done +-rm -f conftest.$ac_ext +-CC=$ac_save_CC +- +-fi +-# AC_CACHE_VAL +-case "x$ac_cv_prog_cc_c89" in +- x) +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 +-$as_echo "none needed" >&6; } ;; +- xno) +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 +-$as_echo "unsupported" >&6; } ;; +- *) +- CC="$CC $ac_cv_prog_cc_c89" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 +-$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; +-esac +-if test "x$ac_cv_prog_cc_c89" != xno; then : +- +-fi +- +-ac_ext=c +-ac_cpp='$CPP $CPPFLAGS' +-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +-ac_compiler_gnu=$ac_cv_c_compiler_gnu +- +- +- +- +-ac_safe=`echo "openssl/ec.h" | sed 'y%./+-%__pm%'` +-old_CPPFLAGS="$CPPFLAGS" +-smart_include= +-smart_include_dir="/usr/local/include /opt/include" +- +-_smart_try_dir= +-_smart_include_dir= +- +-for _prefix in $smart_prefix ""; do +- for _dir in $smart_try_dir; do +- _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" +- done +- +- for _dir in $smart_include_dir; do +- _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" +- done +-done +- +-if test "x$_smart_try_dir" != "x"; then +- for try in $_smart_try_dir; do +- { $as_echo 
"$as_me:${as_lineno-$LINENO}: checking for openssl/ec.h in $try" >&5 +-$as_echo_n "checking for openssl/ec.h in $try... " >&6; } +- CPPFLAGS="-isystem $try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem $try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break +- +-else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- done +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_include" = "x"; then +- for _prefix in $smart_prefix; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/openssl/ec.h" >&5 +-$as_echo_n "checking for ${_prefix}/openssl/ec.h... " >&6; } +- +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem ${_prefix}/" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break +- +-else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- done +-fi +- +-if test "x$smart_include" = "x"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ec.h" >&5 +-$as_echo_n "checking for openssl/ec.h... " >&6; } +- +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. 
*/ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include=" " +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break +- +-else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +-fi +- +-if test "x$smart_include" = "x"; then +- +- for try in $_smart_include_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for openssl/ec.h in $try" >&5 +-$as_echo_n "checking for openssl/ec.h in $try... " >&6; } +- CPPFLAGS="-isystem $try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +- +- #include +-int +-main () +-{ +-int a = 1; +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_compile "$LINENO"; then : +- +- smart_include="-isystem $try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break +- +-else +- +- smart_include= +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fi +-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +- done +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_include" != "x"; then +- eval "ac_cv_header_$ac_safe=yes" +- CPPFLAGS="$smart_include $old_CPPFLAGS" +- SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" +-fi +- +-smart_prefix= +- +-if test "$ac_cv_header_openssl_ec_h" != "yes"; then +- +-fail="$fail openssl/ec.h" +- +-fi +- +-smart_try_dir=$openssl_lib_dir +- +- +-sm_lib_safe=`echo "crypto" | sed 'y%./+-%__p_%'` +-sm_func_safe=`echo "EVP_CIPHER_CTX_new" | sed 'y%./+-%__p_%'` +- +-old_LIBS="$LIBS" +-old_CPPFLAGS="$CPPFLAGS" +-smart_lib= +-smart_ldflags= +-smart_lib_dir= +- +-if test "x$smart_try_dir" != "x"; then +- for try in $smart_try_dir; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto in $try" >&5 +-$as_echo_n "checking 
for EVP_CIPHER_CTX_new in -lcrypto in $try... " >&6; } +- LIBS="-lcrypto $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char EVP_CIPHER_CTX_new(); +-int +-main () +-{ +-EVP_CIPHER_CTX_new() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lcrypto" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break +- +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_lib" = "x"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto" >&5 +-$as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto... " >&6; } +- LIBS="-lcrypto $old_LIBS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-extern char EVP_CIPHER_CTX_new(); +-int +-main () +-{ +-EVP_CIPHER_CTX_new() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lcrypto" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- LIBS="$old_LIBS" +-fi +- +-if test "x$smart_lib" = "x"; then +- for try in /usr/local/lib /opt/lib; do +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for EVP_CIPHER_CTX_new in -lcrypto in $try" >&5 +-$as_echo_n "checking for EVP_CIPHER_CTX_new in -lcrypto in $try... " >&6; } +- LIBS="-lcrypto $old_LIBS" +- CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. 
*/ +-extern char EVP_CIPHER_CTX_new(); +-int +-main () +-{ +-EVP_CIPHER_CTX_new() +- ; +- return 0; +-} +-_ACEOF +-if ac_fn_c_try_link "$LINENO"; then : +- +- smart_lib="-lcrypto" +- smart_ldflags="-L$try -Wl,-rpath,$try" +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- break +- +-else +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +-fi +-rm -f core conftest.err conftest.$ac_objext \ +- conftest$ac_exeext conftest.$ac_ext +- done +- LIBS="$old_LIBS" +- CPPFLAGS="$old_CPPFLAGS" +-fi +- +-if test "x$smart_lib" != "x"; then +- eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes" +- LIBS="$smart_ldflags $smart_lib $old_LIBS" +- SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" +-fi +- +-if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" != "xyes"; then +- +-fail="$fail libssl" +- +-fi +- +-ac_ext=c +-ac_cpp='$CPP $CPPFLAGS' +-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +-ac_compiler_gnu=$ac_cv_c_compiler_gnu +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 +-$as_echo_n "checking how to run the C preprocessor... " >&6; } +-# On Suns, sometimes $CPP names a directory. +-if test -n "$CPP" && test -d "$CPP"; then +- CPP= +-fi +-if test -z "$CPP"; then +- if ${ac_cv_prog_CPP+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- # Double quotes because CPP needs to be expanded +- for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" +- do +- ac_preproc_ok=false +-for ac_c_preproc_warn_flag in '' yes +-do +- # Use a header file that comes with gcc, so configuring glibc +- # with a fresh cross-compiler works. +- # Prefer to if __STDC__ is defined, since +- # exists even on freestanding compilers. +- # On the NeXT, cc -E runs the code through the compiler's parser, +- # not just through cpp. "Syntax error" is here to catch this case. 
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-#ifdef __STDC__ +-# include +-#else +-# include +-#endif +- Syntax error +-_ACEOF +-if ac_fn_c_try_cpp "$LINENO"; then : +- +-else +- # Broken: fails on valid input. +-continue +-fi +-rm -f conftest.err conftest.i conftest.$ac_ext +- +- # OK, works on sane cases. Now check whether nonexistent headers +- # can be detected and how. +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-#include +-_ACEOF +-if ac_fn_c_try_cpp "$LINENO"; then : +- # Broken: success on invalid input. +-continue +-else +- # Passes both tests. +-ac_preproc_ok=: +-break +-fi +-rm -f conftest.err conftest.i conftest.$ac_ext +- +-done +-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +-rm -f conftest.i conftest.err conftest.$ac_ext +-if $ac_preproc_ok; then : +- break +-fi +- +- done +- ac_cv_prog_CPP=$CPP +- +-fi +- CPP=$ac_cv_prog_CPP +-else +- ac_cv_prog_CPP=$CPP +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 +-$as_echo "$CPP" >&6; } +-ac_preproc_ok=false +-for ac_c_preproc_warn_flag in '' yes +-do +- # Use a header file that comes with gcc, so configuring glibc +- # with a fresh cross-compiler works. +- # Prefer to if __STDC__ is defined, since +- # exists even on freestanding compilers. +- # On the NeXT, cc -E runs the code through the compiler's parser, +- # not just through cpp. "Syntax error" is here to catch this case. +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-#ifdef __STDC__ +-# include +-#else +-# include +-#endif +- Syntax error +-_ACEOF +-if ac_fn_c_try_cpp "$LINENO"; then : +- +-else +- # Broken: fails on valid input. +-continue +-fi +-rm -f conftest.err conftest.i conftest.$ac_ext +- +- # OK, works on sane cases. Now check whether nonexistent headers +- # can be detected and how. +- cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. 
*/ +-#include +-_ACEOF +-if ac_fn_c_try_cpp "$LINENO"; then : +- # Broken: success on invalid input. +-continue +-else +- # Passes both tests. +-ac_preproc_ok=: +-break +-fi +-rm -f conftest.err conftest.i conftest.$ac_ext +- +-done +-# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +-rm -f conftest.i conftest.err conftest.$ac_ext +-if $ac_preproc_ok; then : +- +-else +- { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +-$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +-as_fn_error $? "C preprocessor \"$CPP\" fails sanity check +-See \`config.log' for more details" "$LINENO" 5; } +-fi +- +-ac_ext=c +-ac_cpp='$CPP $CPPFLAGS' +-ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +-ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +-ac_compiler_gnu=$ac_cv_c_compiler_gnu +- +- +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 +-$as_echo_n "checking for grep that handles long lines and -e... " >&6; } +-if ${ac_cv_path_GREP+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if test -z "$GREP"; then +- ac_path_GREP_found=false +- # Loop through the user's path and test for each of PROGNAME-LIST +- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- for ac_prog in grep ggrep; do +- for ac_exec_ext in '' $ac_executable_extensions; do +- ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" +- as_fn_executable_p "$ac_path_GREP" || continue +-# Check for GNU ac_path_GREP and select it if it is found. 
+- # Check for GNU $ac_path_GREP +-case `"$ac_path_GREP" --version 2>&1` in +-*GNU*) +- ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; +-*) +- ac_count=0 +- $as_echo_n 0123456789 >"conftest.in" +- while : +- do +- cat "conftest.in" "conftest.in" >"conftest.tmp" +- mv "conftest.tmp" "conftest.in" +- cp "conftest.in" "conftest.nl" +- $as_echo 'GREP' >> "conftest.nl" +- "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break +- diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break +- as_fn_arith $ac_count + 1 && ac_count=$as_val +- if test $ac_count -gt ${ac_path_GREP_max-0}; then +- # Best one so far, save it but keep looking for a better one +- ac_cv_path_GREP="$ac_path_GREP" +- ac_path_GREP_max=$ac_count +- fi +- # 10*(2^10) chars as input seems more than enough +- test $ac_count -gt 10 && break +- done +- rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +-esac +- +- $ac_path_GREP_found && break 3 +- done +- done +- done +-IFS=$as_save_IFS +- if test -z "$ac_cv_path_GREP"; then +- as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 +- fi +-else +- ac_cv_path_GREP=$GREP +-fi +- +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 +-$as_echo "$ac_cv_path_GREP" >&6; } +- GREP="$ac_cv_path_GREP" +- +- +-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 +-$as_echo_n "checking for egrep... " >&6; } +-if ${ac_cv_path_EGREP+:} false; then : +- $as_echo_n "(cached) " >&6 +-else +- if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 +- then ac_cv_path_EGREP="$GREP -E" +- else +- if test -z "$EGREP"; then +- ac_path_EGREP_found=false +- # Loop through the user's path and test for each of PROGNAME-LIST +- as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. 
+- for ac_prog in egrep; do +- for ac_exec_ext in '' $ac_executable_extensions; do +- ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" +- as_fn_executable_p "$ac_path_EGREP" || continue +-# Check for GNU ac_path_EGREP and select it if it is found. +- # Check for GNU $ac_path_EGREP +-case `"$ac_path_EGREP" --version 2>&1` in +-*GNU*) +- ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; +-*) +- ac_count=0 +- $as_echo_n 0123456789 >"conftest.in" +- while : +- do +- cat "conftest.in" "conftest.in" >"conftest.tmp" +- mv "conftest.tmp" "conftest.in" +- cp "conftest.in" "conftest.nl" +- $as_echo 'EGREP' >> "conftest.nl" +- "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break +- diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break +- as_fn_arith $ac_count + 1 && ac_count=$as_val +- if test $ac_count -gt ${ac_path_EGREP_max-0}; then +- # Best one so far, save it but keep looking for a better one +- ac_cv_path_EGREP="$ac_path_EGREP" +- ac_path_EGREP_max=$ac_count +- fi +- # 10*(2^10) chars as input seems more than enough +- test $ac_count -gt 10 && break +- done +- rm -f conftest.in conftest.tmp conftest.nl conftest.out;; +-esac +- +- $ac_path_EGREP_found && break 3 +- done +- done +- done +-IFS=$as_save_IFS +- if test -z "$ac_cv_path_EGREP"; then +- as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 +- fi +-else +- ac_cv_path_EGREP=$EGREP +-fi +- +- fi +-fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 +-$as_echo "$ac_cv_path_EGREP" >&6; } +- EGREP="$ac_cv_path_EGREP" +- +- +-cat confdefs.h - <<_ACEOF >conftest.$ac_ext +-/* end confdefs.h. */ +-#include +- #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +- yes +- #endif +- +-_ACEOF +-if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | +- $EGREP "yes" >/dev/null 2>&1; then : +- +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL version >= 1.1.1" >&5 +-$as_echo_n "checking for OpenSSL version >= 1.1.1... 
" >&6; } +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +-$as_echo "yes" >&6; } +- +-else +- +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL version >= 1.1.1" >&5 +-$as_echo_n "checking for OpenSSL version >= 1.1.1... " >&6; } +- { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +-$as_echo "no" >&6; } +- +-fail="$fail OpenSSL>=1.1.1" +- +- +- +-fi +-rm -f conftest* +- +- +- +- targetname=rlm_eap_teap +-else +- targetname= +- echo \*\*\* module rlm_eap_teap is disabled. +- +- +-fr_status="disabled" +- +-fi +- +-if test x"$fail" != x""; then +- targetname="" +- +- +- if test x"${enable_strict_dependencies}" = x"yes"; then +- as_fn_error $? "set --without-rlm_eap_teap to disable it explicitly." "$LINENO" 5 +- else +- +- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_eap_teap." >&5 +-$as_echo "$as_me: WARNING: silently not building rlm_eap_teap." >&2;} +- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_eap_teap requires: $fail." >&5 +-$as_echo "$as_me: WARNING: FAILURE: rlm_eap_teap requires: $fail." >&2;}; +- fail="$(echo $fail)" +- +- +-fr_status="skipping (requires $fail)" +- +- fr_features= +- +- fi +- +-else +- +- +-fr_status="OK" +- +-fi +- +-if test x"$fr_features" = x""; then +- $as_echo "$fr_status" > "config.report" +-else +- $as_echo_n "$fr_status ... " > "config.report" +- cat "config.report.tmp" >> "config.report" +-fi +- +-rm "config.report.tmp" +- +- +- +- +- +- +- +-ac_config_files="$ac_config_files all.mk" +- +-cat >confcache <<\_ACEOF +-# This file is a shell script that caches the results of configure +-# tests run on this system so they can be shared between configure +-# scripts and configure runs, see configure's option --config-cache. +-# It is not useful on other systems. If it contains results you don't +-# want to keep, you may remove or edit it. 
+-# +-# config.status only pays attention to the cache file if you give it +-# the --recheck option to rerun configure. +-# +-# `ac_cv_env_foo' variables (set or unset) will be overridden when +-# loading this file, other *unset* `ac_cv_foo' will be assigned the +-# following values. +- +-_ACEOF +- +-# The following way of writing the cache mishandles newlines in values, +-# but we know of no workaround that is simple, portable, and efficient. +-# So, we kill variables containing newlines. +-# Ultrix sh set writes to stderr and can't be redirected directly, +-# and sets the high bit in the cache file unless we assign to the vars. +-( +- for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do +- eval ac_val=\$$ac_var +- case $ac_val in #( +- *${as_nl}*) +- case $ac_var in #( +- *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +-$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; +- esac +- case $ac_var in #( +- _ | IFS | as_nl) ;; #( +- BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( +- *) { eval $ac_var=; unset $ac_var;} ;; +- esac ;; +- esac +- done +- +- (set) 2>&1 | +- case $as_nl`(ac_space=' '; set) 2>&1` in #( +- *${as_nl}ac_space=\ *) +- # `set' does not quote correctly, so add quotes: double-quote +- # substitution turns \\\\ into \\, and sed turns \\ into \. +- sed -n \ +- "s/'/'\\\\''/g; +- s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" +- ;; #( +- *) +- # `set' quotes correctly as required by POSIX, so do not add quotes. 
+- sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" +- ;; +- esac | +- sort +-) | +- sed ' +- /^ac_cv_env_/b end +- t clear +- :clear +- s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ +- t end +- s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ +- :end' >>confcache +-if diff "$cache_file" confcache >/dev/null 2>&1; then :; else +- if test -w "$cache_file"; then +- if test "x$cache_file" != "x/dev/null"; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 +-$as_echo "$as_me: updating cache $cache_file" >&6;} +- if test ! -f "$cache_file" || test -h "$cache_file"; then +- cat confcache >"$cache_file" +- else +- case $cache_file in #( +- */* | ?:*) +- mv -f confcache "$cache_file"$$ && +- mv -f "$cache_file"$$ "$cache_file" ;; #( +- *) +- mv -f confcache "$cache_file" ;; +- esac +- fi +- fi +- else +- { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 +-$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} +- fi +-fi +-rm -f confcache +- +-test "x$prefix" = xNONE && prefix=$ac_default_prefix +-# Let make expand exec_prefix. +-test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' +- +-# Transform confdefs.h into DEFS. +-# Protect against shell expansion while executing Makefile rules. +-# Protect against Makefile macro expansion. +-# +-# If the first sed substitution is executed (which looks for macros that +-# take arguments), then branch to the quote section. Otherwise, +-# look for a macro that doesn't take arguments. 
+-ac_script=' +-:mline +-/\\$/{ +- N +- s,\\\n,, +- b mline +-} +-t clear +-:clear +-s/^[ ]*#[ ]*define[ ][ ]*\([^ (][^ (]*([^)]*)\)[ ]*\(.*\)/-D\1=\2/g +-t quote +-s/^[ ]*#[ ]*define[ ][ ]*\([^ ][^ ]*\)[ ]*\(.*\)/-D\1=\2/g +-t quote +-b any +-:quote +-s/[ `~#$^&*(){}\\|;'\''"<>?]/\\&/g +-s/\[/\\&/g +-s/\]/\\&/g +-s/\$/$$/g +-H +-:any +-${ +- g +- s/^\n// +- s/\n/ /g +- p +-} +-' +-DEFS=`sed -n "$ac_script" confdefs.h` +- +- +-ac_libobjs= +-ac_ltlibobjs= +-U= +-for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue +- # 1. Remove the extension, and $U if already installed. +- ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' +- ac_i=`$as_echo "$ac_i" | sed "$ac_script"` +- # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR +- # will be set to the directory where LIBOBJS objects are built. +- as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" +- as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' +-done +-LIBOBJS=$ac_libobjs +- +-LTLIBOBJS=$ac_ltlibobjs +- +- +- +-: "${CONFIG_STATUS=./config.status}" +-ac_write_fail=0 +-ac_clean_files_save=$ac_clean_files +-ac_clean_files="$ac_clean_files $CONFIG_STATUS" +-{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 +-$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} +-as_write_fail=0 +-cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 +-#! $SHELL +-# Generated by $as_me. +-# Run this file to recreate the current configuration. +-# Compiler output produced by configure, useful for debugging +-# configure, is in config.log if it exists. +- +-debug=false +-ac_cs_recheck=false +-ac_cs_silent=false +- +-SHELL=\${CONFIG_SHELL-$SHELL} +-export SHELL +-_ASEOF +-cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 +-## -------------------- ## +-## M4sh Initialization. 
## +-## -------------------- ## +- +-# Be more Bourne compatible +-DUALCASE=1; export DUALCASE # for MKS sh +-if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : +- emulate sh +- NULLCMD=: +- # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which +- # is contrary to our usage. Disable this feature. +- alias -g '${1+"$@"}'='"$@"' +- setopt NO_GLOB_SUBST +-else +- case `(set -o) 2>/dev/null` in #( +- *posix*) : +- set -o posix ;; #( +- *) : +- ;; +-esac +-fi +- +- +-as_nl=' +-' +-export as_nl +-# Printing a long string crashes Solaris 7 /usr/bin/printf. +-as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +-as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +-as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +-# Prefer a ksh shell builtin over an external printf program on Solaris, +-# but without wasting forks for bash or zsh. +-if test -z "$BASH_VERSION$ZSH_VERSION" \ +- && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then +- as_echo='print -r --' +- as_echo_n='print -rn --' +-elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then +- as_echo='printf %s\n' +- as_echo_n='printf %s' +-else +- if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then +- as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' +- as_echo_n='/usr/ucb/echo -n' +- else +- as_echo_body='eval expr "X$1" : "X\\(.*\\)"' +- as_echo_n_body='eval +- arg=$1; +- case $arg in #( +- *"$as_nl"*) +- expr "X$arg" : "X\\(.*\\)$as_nl"; +- arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; +- esac; +- expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" +- ' +- export as_echo_n_body +- as_echo_n='sh -c $as_echo_n_body as_echo' +- fi +- export as_echo_body +- as_echo='sh -c $as_echo_body as_echo' +-fi +- +-# The user is always right. 
+-if test "${PATH_SEPARATOR+set}" != set; then +- PATH_SEPARATOR=: +- (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { +- (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || +- PATH_SEPARATOR=';' +- } +-fi +- +- +-# IFS +-# We need space, tab and new line, in precisely that order. Quoting is +-# there to prevent editors from complaining about space-tab. +-# (If _AS_PATH_WALK were called with IFS unset, it would disable word +-# splitting by setting IFS to empty value.) +-IFS=" "" $as_nl" +- +-# Find who we are. Look in the path if we contain no directory separator. +-as_myself= +-case $0 in #(( +- *[\\/]* ) as_myself=$0 ;; +- *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +-for as_dir in $PATH +-do +- IFS=$as_save_IFS +- test -z "$as_dir" && as_dir=. +- test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break +- done +-IFS=$as_save_IFS +- +- ;; +-esac +-# We did not find ourselves, most probably we were run as `sh COMMAND' +-# in which case we are not to be found in the path. +-if test "x$as_myself" = x; then +- as_myself=$0 +-fi +-if test ! -f "$as_myself"; then +- $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 +- exit 1 +-fi +- +-# Unset variables that we do not need and which cause bugs (e.g. in +-# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +-# suppresses any "Segmentation fault" message there. '((' could +-# trigger a bug in pdksh 5.2.14. +-for as_var in BASH_ENV ENV MAIL MAILPATH +-do eval test x\${$as_var+set} = xset \ +- && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +-done +-PS1='$ ' +-PS2='> ' +-PS4='+ ' +- +-# NLS nuisances. +-LC_ALL=C +-export LC_ALL +-LANGUAGE=C +-export LANGUAGE +- +-# CDPATH. +-(unset CDPATH) >/dev/null 2>&1 && unset CDPATH +- +- +-# as_fn_error STATUS ERROR [LINENO LOG_FD] +-# ---------------------------------------- +-# Output "`basename $0`: error: ERROR" to stderr. 
If LINENO and LOG_FD are +-# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +-# script with STATUS, using 1 if that was 0. +-as_fn_error () +-{ +- as_status=$1; test $as_status -eq 0 && as_status=1 +- if test "$4"; then +- as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack +- $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 +- fi +- $as_echo "$as_me: error: $2" >&2 +- as_fn_exit $as_status +-} # as_fn_error +- +- +-# as_fn_set_status STATUS +-# ----------------------- +-# Set $? to STATUS, without forking. +-as_fn_set_status () +-{ +- return $1 +-} # as_fn_set_status +- +-# as_fn_exit STATUS +-# ----------------- +-# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +-as_fn_exit () +-{ +- set +e +- as_fn_set_status $1 +- exit $1 +-} # as_fn_exit +- +-# as_fn_unset VAR +-# --------------- +-# Portably unset VAR. +-as_fn_unset () +-{ +- { eval $1=; unset $1;} +-} +-as_unset=as_fn_unset +-# as_fn_append VAR VALUE +-# ---------------------- +-# Append the text in VALUE to the end of the definition contained in VAR. Take +-# advantage of any shell optimizations that allow amortized linear growth over +-# repeated appends, instead of the typical quadratic growth present in naive +-# implementations. +-if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : +- eval 'as_fn_append () +- { +- eval $1+=\$2 +- }' +-else +- as_fn_append () +- { +- eval $1=\$$1\$2 +- } +-fi # as_fn_append +- +-# as_fn_arith ARG... +-# ------------------ +-# Perform arithmetic evaluation on the ARGs, and store the result in the +-# global $as_val. Take advantage of shells that can avoid forks. The arguments +-# must be portable across $(()) and expr. +-if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : +- eval 'as_fn_arith () +- { +- as_val=$(( $* )) +- }' +-else +- as_fn_arith () +- { +- as_val=`expr "$@" || test $? 
-eq 1` +- } +-fi # as_fn_arith +- +- +-if expr a : '\(a\)' >/dev/null 2>&1 && +- test "X`expr 00001 : '.*\(...\)'`" = X001; then +- as_expr=expr +-else +- as_expr=false +-fi +- +-if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then +- as_basename=basename +-else +- as_basename=false +-fi +- +-if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then +- as_dirname=dirname +-else +- as_dirname=false +-fi +- +-as_me=`$as_basename -- "$0" || +-$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ +- X"$0" : 'X\(//\)$' \| \ +- X"$0" : 'X\(/\)' \| . 2>/dev/null || +-$as_echo X/"$0" | +- sed '/^.*\/\([^/][^/]*\)\/*$/{ +- s//\1/ +- q +- } +- /^X\/\(\/\/\)$/{ +- s//\1/ +- q +- } +- /^X\/\(\/\).*/{ +- s//\1/ +- q +- } +- s/.*/./; q'` +- +-# Avoid depending upon Character Ranges. +-as_cr_letters='abcdefghijklmnopqrstuvwxyz' +-as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +-as_cr_Letters=$as_cr_letters$as_cr_LETTERS +-as_cr_digits='0123456789' +-as_cr_alnum=$as_cr_Letters$as_cr_digits +- +-ECHO_C= ECHO_N= ECHO_T= +-case `echo -n x` in #((((( +--n*) +- case `echo 'xy\c'` in +- *c*) ECHO_T=' ';; # ECHO_T is single tab character. +- xy) ECHO_C='\c';; +- *) echo `echo ksh88 bug on AIX 6.1` > /dev/null +- ECHO_T=' ';; +- esac;; +-*) +- ECHO_N='-n';; +-esac +- +-rm -f conf$$ conf$$.exe conf$$.file +-if test -d conf$$.dir; then +- rm -f conf$$.dir/conf$$.file +-else +- rm -f conf$$.dir +- mkdir conf$$.dir 2>/dev/null +-fi +-if (echo >conf$$.file) 2>/dev/null; then +- if ln -s conf$$.file conf$$ 2>/dev/null; then +- as_ln_s='ln -s' +- # ... but there are two gotchas: +- # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. +- # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. +- # In both cases, we have to default to `cp -pR'. +- ln -s conf$$.file conf$$.dir 2>/dev/null && test ! 
-f conf$$.exe || +- as_ln_s='cp -pR' +- elif ln conf$$.file conf$$ 2>/dev/null; then +- as_ln_s=ln +- else +- as_ln_s='cp -pR' +- fi +-else +- as_ln_s='cp -pR' +-fi +-rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +-rmdir conf$$.dir 2>/dev/null +- +- +-# as_fn_mkdir_p +-# ------------- +-# Create "$as_dir" as a directory, including parents if necessary. +-as_fn_mkdir_p () +-{ +- +- case $as_dir in #( +- -*) as_dir=./$as_dir;; +- esac +- test -d "$as_dir" || eval $as_mkdir_p || { +- as_dirs= +- while :; do +- case $as_dir in #( +- *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( +- *) as_qdir=$as_dir;; +- esac +- as_dirs="'$as_qdir' $as_dirs" +- as_dir=`$as_dirname -- "$as_dir" || +-$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ +- X"$as_dir" : 'X\(//\)[^/]' \| \ +- X"$as_dir" : 'X\(//\)$' \| \ +- X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +-$as_echo X"$as_dir" | +- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)[^/].*/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)$/{ +- s//\1/ +- q +- } +- /^X\(\/\).*/{ +- s//\1/ +- q +- } +- s/.*/./; q'` +- test -d "$as_dir" && break +- done +- test -z "$as_dirs" || eval "mkdir $as_dirs" +- } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" +- +- +-} # as_fn_mkdir_p +-if mkdir -p . 2>/dev/null; then +- as_mkdir_p='mkdir -p "$as_dir"' +-else +- test -d ./-p && rmdir ./-p +- as_mkdir_p=false +-fi +- +- +-# as_fn_executable_p FILE +-# ----------------------- +-# Test if FILE is an executable regular file. +-as_fn_executable_p () +-{ +- test -f "$1" && test -x "$1" +-} # as_fn_executable_p +-as_test_x='test -x' +-as_executable_p=as_fn_executable_p +- +-# Sed expression to map a string onto a valid CPP name. +-as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" +- +-# Sed expression to map a string onto a valid variable name. 
+-as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" +- +- +-exec 6>&1 +-## ----------------------------------- ## +-## Main body of $CONFIG_STATUS script. ## +-## ----------------------------------- ## +-_ASEOF +-test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 +- +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +-# Save the log message, to keep $0 and so on meaningful, and to +-# report actual input values of CONFIG_FILES etc. instead of their +-# values after options handling. +-ac_log=" +-This file was extended by $as_me, which was +-generated by GNU Autoconf 2.69. Invocation command line was +- +- CONFIG_FILES = $CONFIG_FILES +- CONFIG_HEADERS = $CONFIG_HEADERS +- CONFIG_LINKS = $CONFIG_LINKS +- CONFIG_COMMANDS = $CONFIG_COMMANDS +- $ $0 $@ +- +-on `(hostname || uname -n) 2>/dev/null | sed 1q` +-" +- +-_ACEOF +- +-case $ac_config_files in *" +-"*) set x $ac_config_files; shift; ac_config_files=$*;; +-esac +- +- +- +-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +-# Files that config.status was made for. +-config_files="$ac_config_files" +- +-_ACEOF +- +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +-ac_cs_usage="\ +-\`$as_me' instantiates files and other configuration actions +-from templates according to the current configuration. Unless the files +-and actions are specified as TAGs, all are instantiated by default. +- +-Usage: $0 [OPTION]... [TAG]... +- +- -h, --help print this help, then exit +- -V, --version print version number and configuration settings, then exit +- --config print configuration, then exit +- -q, --quiet, --silent +- do not print progress messages +- -d, --debug don't remove temporary files +- --recheck update $as_me by reconfiguring in the same conditions +- --file=FILE[:TEMPLATE] +- instantiate the configuration file FILE +- +-Configuration files: +-$config_files +- +-Report bugs to the package provider." 
+- +-_ACEOF +-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +-ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" +-ac_cs_version="\\ +-config.status +-configured by $0, generated by GNU Autoconf 2.69, +- with options \\"\$ac_cs_config\\" +- +-Copyright (C) 2012 Free Software Foundation, Inc. +-This config.status script is free software; the Free Software Foundation +-gives unlimited permission to copy, distribute and modify it." +- +-ac_pwd='$ac_pwd' +-srcdir='$srcdir' +-test -n "\$AWK" || AWK=awk +-_ACEOF +- +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +-# The default lists apply if the user does not specify any file. +-ac_need_defaults=: +-while test $# != 0 +-do +- case $1 in +- --*=?*) +- ac_option=`expr "X$1" : 'X\([^=]*\)='` +- ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` +- ac_shift=: +- ;; +- --*=) +- ac_option=`expr "X$1" : 'X\([^=]*\)='` +- ac_optarg= +- ac_shift=: +- ;; +- *) +- ac_option=$1 +- ac_optarg=$2 +- ac_shift=shift +- ;; +- esac +- +- case $ac_option in +- # Handling of the options. +- -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) +- ac_cs_recheck=: ;; +- --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) +- $as_echo "$ac_cs_version"; exit ;; +- --config | --confi | --conf | --con | --co | --c ) +- $as_echo "$ac_cs_config"; exit ;; +- --debug | --debu | --deb | --de | --d | -d ) +- debug=: ;; +- --file | --fil | --fi | --f ) +- $ac_shift +- case $ac_optarg in +- *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; +- '') as_fn_error $? "missing file argument" ;; +- esac +- as_fn_append CONFIG_FILES " '$ac_optarg'" +- ac_need_defaults=false;; +- --he | --h | --help | --hel | -h ) +- $as_echo "$ac_cs_usage"; exit ;; +- -q | -quiet | --quiet | --quie | --qui | --qu | --q \ +- | -silent | --silent | --silen | --sile | --sil | --si | --s) +- ac_cs_silent=: ;; +- +- # This is an error. +- -*) as_fn_error $? 
"unrecognized option: \`$1' +-Try \`$0 --help' for more information." ;; +- +- *) as_fn_append ac_config_targets " $1" +- ac_need_defaults=false ;; +- +- esac +- shift +-done +- +-ac_configure_extra_args= +- +-if $ac_cs_silent; then +- exec 6>/dev/null +- ac_configure_extra_args="$ac_configure_extra_args --silent" +-fi +- +-_ACEOF +-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +-if \$ac_cs_recheck; then +- set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion +- shift +- \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 +- CONFIG_SHELL='$SHELL' +- export CONFIG_SHELL +- exec "\$@" +-fi +- +-_ACEOF +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +-exec 5>>config.log +-{ +- echo +- sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +-## Running $as_me. ## +-_ASBOX +- $as_echo "$ac_log" +-} >&5 +- +-_ACEOF +-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +-_ACEOF +- +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +- +-# Handling of arguments. +-for ac_config_target in $ac_config_targets +-do +- case $ac_config_target in +- "all.mk") CONFIG_FILES="$CONFIG_FILES all.mk" ;; +- +- *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; +- esac +-done +- +- +-# If the user did not use the arguments to specify the items to instantiate, +-# then the envvar interface is used. Set only those that are not. +-# We use the long form for the default assignment because of an extremely +-# bizarre bug on SunOS 4.1.3. +-if $ac_need_defaults; then +- test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files +-fi +- +-# Have a temporary directory for convenience. Make it in the build tree +-# simply because there is no reason against having it here, and in addition, +-# creating and moving files from /tmp can sometimes cause problems. +-# Hook for its removal unless debugging. 
+-# Note that there is a small window in which the directory will not be cleaned: +-# after its creation but before its name has been assigned to `$tmp'. +-$debug || +-{ +- tmp= ac_tmp= +- trap 'exit_status=$? +- : "${ac_tmp:=$tmp}" +- { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status +-' 0 +- trap 'as_fn_exit 1' 1 2 13 15 +-} +-# Create a (secure) tmp directory for tmp files. +- +-{ +- tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && +- test -d "$tmp" +-} || +-{ +- tmp=./conf$$-$RANDOM +- (umask 077 && mkdir "$tmp") +-} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 +-ac_tmp=$tmp +- +-# Set up the scripts for CONFIG_FILES section. +-# No need to generate them if there are no CONFIG_FILES. +-# This happens for instance with `./config.status config.h'. +-if test -n "$CONFIG_FILES"; then +- +- +-ac_cr=`echo X | tr X '\015'` +-# On cygwin, bash can eat \r inside `` if the user requested igncr. +-# But we know of no other shell where ac_cr would be empty at this +-# point, so we can use a bashism as a fallback. +-if test "x$ac_cr" = x; then +- eval ac_cr=\$\'\\r\' +-fi +-ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` +-if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then +- ac_cs_awk_cr='\\r' +-else +- ac_cs_awk_cr=$ac_cr +-fi +- +-echo 'BEGIN {' >"$ac_tmp/subs1.awk" && +-_ACEOF +- +- +-{ +- echo "cat >conf$$subs.awk <<_ACEOF" && +- echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && +- echo "_ACEOF" +-} >conf$$subs.sh || +- as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 +-ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` +-ac_delim='%!_!# ' +-for ac_last_try in false false false false false :; do +- . ./conf$$subs.sh || +- as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 +- +- ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` +- if test $ac_delim_n = $ac_delim_num; then +- break +- elif $ac_last_try; then +- as_fn_error $? 
"could not make $CONFIG_STATUS" "$LINENO" 5 +- else +- ac_delim="$ac_delim!$ac_delim _$ac_delim!! " +- fi +-done +-rm -f conf$$subs.sh +- +-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +-cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && +-_ACEOF +-sed -n ' +-h +-s/^/S["/; s/!.*/"]=/ +-p +-g +-s/^[^!]*!// +-:repl +-t repl +-s/'"$ac_delim"'$// +-t delim +-:nl +-h +-s/\(.\{148\}\)..*/\1/ +-t more1 +-s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ +-p +-n +-b repl +-:more1 +-s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +-p +-g +-s/.\{148\}// +-t nl +-:delim +-h +-s/\(.\{148\}\)..*/\1/ +-t more2 +-s/["\\]/\\&/g; s/^/"/; s/$/"/ +-p +-b +-:more2 +-s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +-p +-g +-s/.\{148\}// +-t delim +-' >$CONFIG_STATUS || ac_write_fail=1 +-rm -f conf$$subs.awk +-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +-_ACAWK +-cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && +- for (key in S) S_is_set[key] = 1 +- FS = "" +- +-} +-{ +- line = $ 0 +- nfields = split(line, field, "@") +- substed = 0 +- len = length(field[1]) +- for (i = 2; i < nfields; i++) { +- key = field[i] +- keylen = length(key) +- if (S_is_set[key]) { +- value = S[key] +- line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) +- len += length(value) + length(field[++i]) +- substed = 1 +- } else +- len += 1 + keylen +- } +- +- print line +-} +- +-_ACAWK +-_ACEOF +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +-if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then +- sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" +-else +- cat +-fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ +- || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 +-_ACEOF +- +-# VPATH may cause trouble with some makes, so we remove sole $(srcdir), +-# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and +-# trailing colons and then remove the whole line if VPATH becomes empty +-# (actually we leave an empty line to preserve line numbers). 
+-if test "x$srcdir" = x.; then +- ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ +-h +-s/// +-s/^/:/ +-s/[ ]*$/:/ +-s/:\$(srcdir):/:/g +-s/:\${srcdir}:/:/g +-s/:@srcdir@:/:/g +-s/^:*// +-s/:*$// +-x +-s/\(=[ ]*\).*/\1/ +-G +-s/\n// +-s/^[^=]*=[ ]*$// +-}' +-fi +- +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +-fi # test -n "$CONFIG_FILES" +- +- +-eval set X " :F $CONFIG_FILES " +-shift +-for ac_tag +-do +- case $ac_tag in +- :[FHLC]) ac_mode=$ac_tag; continue;; +- esac +- case $ac_mode$ac_tag in +- :[FHL]*:*);; +- :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; +- :[FH]-) ac_tag=-:-;; +- :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; +- esac +- ac_save_IFS=$IFS +- IFS=: +- set x $ac_tag +- IFS=$ac_save_IFS +- shift +- ac_file=$1 +- shift +- +- case $ac_mode in +- :L) ac_source=$1;; +- :[FH]) +- ac_file_inputs= +- for ac_f +- do +- case $ac_f in +- -) ac_f="$ac_tmp/stdin";; +- *) # Look for the file first in the build tree, then in the source tree +- # (if the path is not absolute). The absolute path cannot be DOS-style, +- # because $ac_f cannot contain `:'. +- test -f "$ac_f" || +- case $ac_f in +- [\\/$]*) false;; +- *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; +- esac || +- as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; +- esac +- case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac +- as_fn_append ac_file_inputs " '$ac_f'" +- done +- +- # Let's still pretend it is `configure' which instantiates (i.e., don't +- # use $as_me), people would be surprised to read: +- # /* config.h. Generated by config.status. */ +- configure_input='Generated from '` +- $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' +- `' by configure.' +- if test x"$ac_file" != x-; then +- configure_input="$ac_file. $configure_input" +- { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 +-$as_echo "$as_me: creating $ac_file" >&6;} +- fi +- # Neutralize special characters interpreted by sed in replacement strings. 
+- case $configure_input in #( +- *\&* | *\|* | *\\* ) +- ac_sed_conf_input=`$as_echo "$configure_input" | +- sed 's/[\\\\&|]/\\\\&/g'`;; #( +- *) ac_sed_conf_input=$configure_input;; +- esac +- +- case $ac_tag in +- *:-:* | *:-) cat >"$ac_tmp/stdin" \ +- || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; +- esac +- ;; +- esac +- +- ac_dir=`$as_dirname -- "$ac_file" || +-$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ +- X"$ac_file" : 'X\(//\)[^/]' \| \ +- X"$ac_file" : 'X\(//\)$' \| \ +- X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || +-$as_echo X"$ac_file" | +- sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)[^/].*/{ +- s//\1/ +- q +- } +- /^X\(\/\/\)$/{ +- s//\1/ +- q +- } +- /^X\(\/\).*/{ +- s//\1/ +- q +- } +- s/.*/./; q'` +- as_dir="$ac_dir"; as_fn_mkdir_p +- ac_builddir=. +- +-case "$ac_dir" in +-.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +-*) +- ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` +- # A ".." for each directory in $ac_dir_suffix. +- ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` +- case $ac_top_builddir_sub in +- "") ac_top_builddir_sub=. ac_top_build_prefix= ;; +- *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; +- esac ;; +-esac +-ac_abs_top_builddir=$ac_pwd +-ac_abs_builddir=$ac_pwd$ac_dir_suffix +-# for backward compatibility: +-ac_top_builddir=$ac_top_build_prefix +- +-case $srcdir in +- .) # We are building in place. +- ac_srcdir=. +- ac_top_srcdir=$ac_top_builddir_sub +- ac_abs_top_srcdir=$ac_pwd ;; +- [\\/]* | ?:[\\/]* ) # Absolute name. +- ac_srcdir=$srcdir$ac_dir_suffix; +- ac_top_srcdir=$srcdir +- ac_abs_top_srcdir=$srcdir ;; +- *) # Relative name. 
+- ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix +- ac_top_srcdir=$ac_top_build_prefix$srcdir +- ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +-esac +-ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix +- +- +- case $ac_mode in +- :F) +- # +- # CONFIG_FILE +- # +- +-_ACEOF +- +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +-# If the template does not know about datarootdir, expand it. +-# FIXME: This hack should be removed a few years after 2.60. +-ac_datarootdir_hack=; ac_datarootdir_seen= +-ac_sed_dataroot=' +-/datarootdir/ { +- p +- q +-} +-/@datadir@/p +-/@docdir@/p +-/@infodir@/p +-/@localedir@/p +-/@mandir@/p' +-case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in +-*datarootdir*) ac_datarootdir_seen=yes;; +-*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) +- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +-$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} +-_ACEOF +-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +- ac_datarootdir_hack=' +- s&@datadir@&$datadir&g +- s&@docdir@&$docdir&g +- s&@infodir@&$infodir&g +- s&@localedir@&$localedir&g +- s&@mandir@&$mandir&g +- s&\\\${datarootdir}&$datarootdir&g' ;; +-esac +-_ACEOF +- +-# Neutralize VPATH when `$srcdir' = `.'. +-# Shell code in configure.ac might set extrasub. +-# FIXME: do we really want to maintain this feature? 
+-cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +-ac_sed_extra="$ac_vpsub +-$extrasub +-_ACEOF +-cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +-:t +-/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +-s|@configure_input@|$ac_sed_conf_input|;t t +-s&@top_builddir@&$ac_top_builddir_sub&;t t +-s&@top_build_prefix@&$ac_top_build_prefix&;t t +-s&@srcdir@&$ac_srcdir&;t t +-s&@abs_srcdir@&$ac_abs_srcdir&;t t +-s&@top_srcdir@&$ac_top_srcdir&;t t +-s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +-s&@builddir@&$ac_builddir&;t t +-s&@abs_builddir@&$ac_abs_builddir&;t t +-s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +-$ac_datarootdir_hack +-" +-eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ +- >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 +- +-test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && +- { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && +- { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ +- "$ac_tmp/out"`; test -z "$ac_out"; } && +- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' +-which seems to be undefined. Please make sure it is defined" >&5 +-$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +-which seems to be undefined. Please make sure it is defined" >&2;} +- +- rm -f "$ac_tmp/stdin" +- case $ac_file in +- -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; +- *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; +- esac \ +- || as_fn_error $? "could not create $ac_file" "$LINENO" 5 +- ;; +- +- +- +- esac +- +-done # for ac_tag +- +- +-as_fn_exit 0 +-_ACEOF +-ac_clean_files=$ac_clean_files_save +- +-test $ac_write_fail = 0 || +- as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 +- +- +-# configure is writing to config.log, and then calls config.status. +-# config.status does its own redirection, appending to config.log. 
+-# Unfortunately, on DOS this fails, as config.log is still kept open +-# by configure, so config.status won't be able to write to it; its +-# output is simply discarded. So we exec the FD to /dev/null, +-# effectively closing config.log, so it can be properly (re)opened and +-# appended to by config.status. When coming back to configure, we +-# need to make the FD available again. +-if test "$no_create" != yes; then +- ac_cs_success=: +- ac_config_status_args= +- test "$silent" = yes && +- ac_config_status_args="$ac_config_status_args --quiet" +- exec 5>/dev/null +- $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false +- exec 5>>config.log +- # Use ||, not &&, to avoid exiting from the if with $? = 1, which +- # would make configure fail if this is the last instruction. +- $ac_cs_success || as_fn_exit 1 +-fi +-if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then +- { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 +-$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} +-fi +- +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/configure.ac b/src/modules/rlm_eap/types/rlm_eap_teap/configure.ac +deleted file mode 100644 +index 6247f4c8aa..0000000000 +--- a/src/modules/rlm_eap/types/rlm_eap_teap/configure.ac ++++ /dev/null +@@ -1,86 +0,0 @@ +-AC_PREREQ([2.69]) +-AC_INIT +-AC_CONFIG_SRCDIR([rlm_eap_teap.c]) +-AC_REVISION($Revision$) +-FR_INIT_MODULE([rlm_eap_teap]) +- +-mod_ldflags= +-mod_cflags= +- +-FR_MODULE_START_TESTS +- +-dnl ############################################################ +-dnl # Check for command line options +-dnl ############################################################ +-dnl extra argument: --with-openssl-lib-dir +-openssl_lib_dir= +-AC_ARG_WITH(openssl-lib-dir, +- [AS_HELP_STRING([--with-openssl-lib-dir=DIR], +- [directory for LDAP library files])], +- [case "$withval" in +- no) +- AC_MSG_ERROR(Need openssl-lib-dir) +- ;; 
+- yes) +- ;; +- *) +- openssl_lib_dir="$withval" +- ;; +- esac]) +- +-dnl extra argument: --with-openssl-include-dir +-openssl_include_dir= +-AC_ARG_WITH(openssl-include-dir, +- [AS_HELP_STRING([-with-openssl-include-dir=DIR], +- [directory for LDAP include files])], +- [case "$withval" in +- no) +- AC_MSG_ERROR(Need openssl-include-dir) +- ;; +- yes) +- ;; +- *) +- openssl_include_dir="$withval" +- ;; +- esac]) +- +-dnl ############################################################ +-dnl # Check for header files +-dnl ############################################################ +- +-smart_try_dir=$openssl_include_dir +-FR_SMART_CHECK_INCLUDE(openssl/ec.h) +-if test "$ac_cv_header_openssl_ec_h" != "yes"; then +- FR_MODULE_FAIL([openssl/ec.h]) +-fi +- +-smart_try_dir=$openssl_lib_dir +-FR_SMART_CHECK_LIB(crypto, EVP_CIPHER_CTX_new) +-if test "x$ac_cv_lib_crypto_EVP_CIPHER_CTX_new" != "xyes"; then +- FR_MODULE_FAIL([libssl]) +-fi +- +-AC_EGREP_CPP(yes, +- [#include +- #if (OPENSSL_VERSION_NUMBER >= 0x10101000L) +- yes +- #endif +- ], +- [ +- AC_MSG_CHECKING([for OpenSSL version >= 1.1.1]) +- AC_MSG_RESULT(yes) +- ], +- [ +- AC_MSG_CHECKING([for OpenSSL version >= 1.1.1]) +- AC_MSG_RESULT(no) +- FR_MODULE_FAIL([OpenSSL>=1.1.1]) +- ] +-) +- +-FR_MODULE_END_TESTS +- +-AC_SUBST(mod_ldflags) +-AC_SUBST(mod_cflags) +- +-AC_CONFIG_FILES([all.mk]) +-AC_OUTPUT +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c +deleted file mode 100644 +index 8e372c69f3..0000000000 +--- a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.c ++++ /dev/null +@@ -1,1817 +0,0 @@ +-/* +- * eap_teap.c contains the interfaces that are called from the main handler +- * +- * Version: $Id$ +- * +- * Copyright (C) 2022 Network RADIUS SARL +- * +- * This software may not be redistributed in any form without the prior +- * written consent of Network RADIUS. 
+- * +- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. +- */ +- +-RCSID("$Id$") +- +-#include "eap_teap.h" +-#include "eap_teap_crypto.h" +-#include +-#include +-#include +- +-#define EAPTLS_MPPE_KEY_LEN 32 +- +-#define RDEBUGHEX(_label, _data, _length) \ +-if (fr_debug_lvl > 2) {\ +- char __buf[8192];\ +- for (size_t i = 0; (i < (size_t) _length) && (3*i < sizeof(__buf)); i++) {\ +- sprintf(&__buf[3*i], " %02x", (uint8_t)(_data)[i]);\ +- }\ +- RDEBUG2("%s - hexdump(len=%zu):%s", _label, (size_t)_length, __buf);\ +-} while (0) +- +-#define RANDFILL(x) do { rad_assert(sizeof(x) % sizeof(uint32_t) == 0); for (size_t i = 0; i < sizeof(x); i += sizeof(uint32_t)) *((uint32_t *)&x[i]) = fr_rand(); } while(0) +-#define ARRAY_SIZE(x) (sizeof(x)/sizeof((x)[0])) +-#define MIN(a,b) (((a)>(b)) ? 
(b) : (a)) +- +-struct crypto_binding_buffer { +- uint16_t tlv_type; +- uint16_t length; +- eap_tlv_crypto_binding_tlv_t binding; +- uint8_t eap_type; +- uint8_t outer_tlvs[1]; +-} CC_HINT(__packed__); +-#define CRYPTO_BINDING_BUFFER_INIT(_cbb) \ +-do {\ +- _cbb->tlv_type = htons(EAP_TEAP_TLV_MANDATORY | EAP_TEAP_TLV_CRYPTO_BINDING);\ +- _cbb->length = htons(sizeof(struct eap_tlv_crypto_binding_tlv_t));\ +- _cbb->eap_type = PW_EAP_TEAP;\ +-} while (0) +- +-static struct teap_imck_t imck_zeros = { }; +- +-/** +- * RFC 7170 EAP-TEAP Authentication Phase 1: Key Derivations +- */ +-static void eap_teap_init_keys(REQUEST *request, tls_session_t *tls_session) +-{ +- teap_tunnel_t *t = tls_session->opaque; +- +- const EVP_MD *md = SSL_CIPHER_get_handshake_digest(SSL_get_current_cipher(tls_session->ssl)); +- const int md_type = EVP_MD_type(md); +- +- RDEBUG3("Phase 2: Using MAC %s (%d)", OBJ_nid2sn(md_type), md_type); +- +- RDEBUG3("Phase 2: Deriving keys"); +- +- rad_assert(t->received_version > -1); +- rad_assert(t->imckc == 0); +- +- /* S-IMCK[0] = session_key_seed (RFC7170, Section 5.1) */ +- eaptls_gen_keys_only(request, tls_session->ssl, "EXPORTER: teap session key seed", NULL, 0, t->imck_msk.simck, sizeof(t->imck_msk.simck)); +- memcpy(t->imck_emsk.simck, t->imck_msk.simck, sizeof(t->imck_msk.simck)); +- RDEBUGHEX("Phase 2: S-IMCK[0]", t->imck_msk.simck, sizeof(t->imck_msk.simck)); +-} +- +-/** +- * RFC 7170 EAP-TEAP Intermediate Compound Key Derivations - Section 5.2 +- */ +-/** +- * RFC 7170 - Intermediate Compound Key Derivations +- */ +-static void eap_teap_derive_imck(REQUEST *request, tls_session_t *tls_session, +- uint8_t *msk, size_t msklen, +- uint8_t *emsk, size_t emsklen) +-{ +- teap_tunnel_t *t = tls_session->opaque; +- +- t->imckc++; +- RDEBUG2("Phase 2: Calculating ICMK for round (j = %d)", t->imckc); +- +- uint8_t imsk_msk[EAP_TEAP_IMSK_LEN] = {0}; +- uint8_t imsk_emsk[EAP_TEAP_IMSK_LEN + 32]; // +32 for EMSK overflow +- struct teap_imck_t imck_msk, 
imck_emsk; +- +- uint8_t imck_label[27] = "Inner Methods Compound Keys"; // width trims trailing \0 +- struct iovec imck_seed[2] = { +- { (void *)imck_label, sizeof(imck_label) }, +- { NULL, EAP_TEAP_IMSK_LEN } +- }; +- +- if (msklen) { +- memcpy(imsk_msk, msk, MIN(msklen, EAP_TEAP_IMSK_LEN)); +- RDEBUGHEX("Phase 2: IMSK from MSK", imsk_msk, EAP_TEAP_IMSK_LEN); +- } else { +- RDEBUGHEX("Phase 2: IMSK Zero", imsk_msk, EAP_TEAP_IMSK_LEN); +- } +- imck_seed[1].iov_base = imsk_msk; +- TLS_PRF(tls_session->ssl, +- t->imck_msk.simck, sizeof(t->imck_msk.simck), +- imck_seed, ARRAY_SIZE(imck_seed), +- (uint8_t *)&imck_msk, sizeof(imck_msk)); +- +- /* IMCK[j] 60 octets => S-IMCK[j] first 40 octets, CMK[j] last 20 octets */ +- RDEBUGHEX("Phase 2: MSK S-IMCK[j]", imck_msk.simck, sizeof(imck_msk.simck)); +- RDEBUGHEX("Phase 2: MSK CMK[j]", imck_msk.cmk, sizeof(imck_msk.cmk)); +- +- if (emsklen) { +- uint8_t emsk_label[20] = "TEAPbindkey@ietf.org"; +- uint8_t null[1] = {0}; +- uint8_t length[2] = {0,64}; /* length of 64 bytes in two bytes in network order */ +- struct iovec emsk_seed[] = { +- { (void *)emsk_label, sizeof(emsk_label) }, +- { (void *)null, sizeof(null) }, +- { (void *)length, sizeof(length) } +- }; +- +- /* +- * IMSK[j] = First 32 octets of TLS-PRF( +- * EMSK[j], +- * "TEAPbindkey@ietf.org", +- * 0x00 | 0x00 | 0x40) +- */ +- TLS_PRF(tls_session->ssl, +- emsk, emsklen, +- emsk_seed, ARRAY_SIZE(emsk_seed), +- imsk_emsk, sizeof(imsk_emsk)); +- +- RDEBUGHEX("Phase 2: IMSK from EMSK", imsk_emsk, EAP_TEAP_IMSK_LEN); +- +- /* +- * IMCK[j] = the first 60 octets of TLS-PRF(S-IMCK[j-1], +- * "Inner Methods Compound Keys", +- * IMSK[j]) +- */ +- imck_seed[1].iov_base = imsk_emsk; +- TLS_PRF(tls_session->ssl, +- t->imck_emsk.simck, sizeof(t->imck_emsk.simck), +- imck_seed, ARRAY_SIZE(imck_seed), +- (uint8_t *)&imck_emsk, sizeof(imck_emsk)); +- +- /* IMCK[j] 60 octets => S-IMCK[j] first 40 octets, CMK[j] last 20 octets */ +- RDEBUGHEX("Phase 2: EMSK S-IMCK[j]", 
imck_emsk.simck, sizeof(imck_emsk.simck)); +- RDEBUGHEX("Phase 2: EMSK CMK[j]", imck_emsk.cmk, sizeof(imck_emsk.cmk)); +- +- memcpy(&t->imck_emsk, &imck_emsk, sizeof(imck_emsk)); +- } +- +- memcpy(&t->imck_msk, &imck_msk, sizeof(imck_msk)); +-} +- +-static void eap_teap_tlv_append(tls_session_t *tls_session, int tlv, bool mandatory, int length, const void *data) +-{ +- uint16_t hdr[2]; +- +- hdr[0] = htons(tlv | (mandatory ? EAP_TEAP_TLV_MANDATORY : 0)); +- hdr[1] = htons(length); +- +- tls_session->record_plus(&tls_session->clean_in, &hdr, 4); +- tls_session->record_plus(&tls_session->clean_in, data, length); +-} +- +-static void eap_teap_send_error(tls_session_t *tls_session, int error) +-{ +- uint32_t value; +- value = htonl(error); +- +- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_ERROR, true, sizeof(value), &value); +-} +- +-static void eap_teap_append_identity_type(tls_session_t *tls_session, int value) +-{ +- uint16_t identity; +- identity = htons(value); +- teap_tunnel_t *t = (teap_tunnel_t *) tls_session->opaque; +- +- fr_assert(value != 0); +- fr_assert(value <= 2); +- +- /* +- * If we send this, it's required. +- */ +- t->auths[value].required = true; +- t->auths[value].sent = true; +- +- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_IDENTITY_TYPE, false, sizeof(identity), &identity); +-} +- +-static void eap_teap_append_result(REQUEST *request, tls_session_t *tls_session, PW_CODE code) +-{ +- teap_tunnel_t *t = (teap_tunnel_t *) tls_session->opaque; +- +- int type = (t->result_final) +- ? EAP_TEAP_TLV_RESULT +- : EAP_TEAP_TLV_INTERMED_RESULT; +- +- char const *name = (t->result_final) ? "Result" : "Intermediate-Result"; +- +- uint16_t state = (code == PW_CODE_ACCESS_REJECT) +- ? EAP_TEAP_TLV_RESULT_FAILURE +- : EAP_TEAP_TLV_RESULT_SUCCESS; +- state = htons(state); +- +- char const *state_name = (code == PW_CODE_ACCESS_REJECT) ? 
"Failure" : "Success"; +- +- RDEBUG("Phase 2: %s = %s", name, state_name); +- +- eap_teap_tlv_append(tls_session, type, true, sizeof(state), &state); +-} +- +-static void eap_teap_append_eap_identity_request(REQUEST *request, tls_session_t *tls_session, eap_handler_t *eap_session) +-{ +- eap_packet_raw_t eap_packet; +- +- RDEBUG("Phase 2: Sending EAP-Identity"); +- +- eap_packet.code = PW_EAP_REQUEST; +- eap_packet.id = eap_session->eap_ds->response->id + 1; +- eap_packet.length[0] = 0; +- eap_packet.length[1] = EAP_HEADER_LEN + 1; +- eap_packet.data[0] = PW_EAP_IDENTITY; +- +- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, sizeof(eap_packet), &eap_packet); +-} +- +-/* +- * RFC7170 and the consequences of EID5768, EID5770 and EID5775 makes the path forward unclear, +- * so just do what hostapd does...which the IETF probably agree with anyway: +- * https://mailarchive.ietf.org/arch/msg/emu/mXzpSGEn86Zx_fa4f1uULYMhMoM/ +- */ +-static void eap_teap_append_crypto_binding(REQUEST *request, tls_session_t *tls_session, +- uint8_t *msk, size_t msklen, +- uint8_t *emsk, size_t emsklen) +-{ +- teap_tunnel_t *t = tls_session->opaque; +- uint8_t mac_msk[EVP_MAX_MD_SIZE], mac_emsk[EVP_MAX_MD_SIZE]; +- unsigned int maclen = EVP_MAX_MD_SIZE; +- uint8_t *buf; +- size_t olen, buflen; +- struct crypto_binding_buffer *cbb; +- uint8_t *outer_tlvs; +- +- RDEBUG("Phase 2: Sending Cryptobinding"); +- +- eap_teap_derive_imck(request, tls_session, msk, msklen, emsk, emsklen); +- +- t->imck_emsk_available = emsklen > 0; +- +- olen = tls_session->outer_tlvs_octets_server ? talloc_array_length(tls_session->outer_tlvs_octets_server) : 0; +- olen += tls_session->outer_tlvs_octets_peer ? 
talloc_array_length(tls_session->outer_tlvs_octets_peer) : 0; +- +- buflen = sizeof(struct crypto_binding_buffer) - 1/*outer_tlvs*/ + olen; +- +- buf = talloc_zero_array(request, uint8_t, buflen); +- rad_assert(buf != NULL); +- +- cbb = (struct crypto_binding_buffer *)buf; +- +- CRYPTO_BINDING_BUFFER_INIT(cbb); +- cbb->binding.version = EAP_TEAP_VERSION; +- cbb->binding.received_version = t->received_version; +- +- cbb->binding.subtype = ((emsklen ? EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_BOTH : EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_MSK) << 4) | EAP_TEAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST; +- +- rad_assert(sizeof(cbb->binding.nonce) % sizeof(uint32_t) == 0); +- RANDFILL(cbb->binding.nonce); +- cbb->binding.nonce[sizeof(cbb->binding.nonce) - 1] &= ~0x01; /* RFC 7170, Section 4.2.13 */ +- +- outer_tlvs = &cbb->outer_tlvs[0]; +- +- if (tls_session->outer_tlvs_octets_server) { +- size_t len = talloc_array_length(tls_session->outer_tlvs_octets_server); +- +- memcpy(outer_tlvs, tls_session->outer_tlvs_octets_server, len); +- outer_tlvs += len; +- } +- +- if (tls_session->outer_tlvs_octets_peer) { +- size_t len = talloc_array_length(tls_session->outer_tlvs_octets_peer); +- +- memcpy(outer_tlvs, tls_session->outer_tlvs_octets_peer, len); +- } +- +- RDEBUGHEX("Phase 2: BUFFER for Compound MAC calculation", buf, buflen); +- +- const EVP_MD *md = SSL_CIPHER_get_handshake_digest(SSL_get_current_cipher(tls_session->ssl)); +- HMAC(md, &t->imck_msk.cmk, EAP_TEAP_CMK_LEN, buf, buflen, mac_msk, &maclen); +- if (t->imck_emsk_available) { +- HMAC(md, &t->imck_emsk.cmk, EAP_TEAP_CMK_LEN, buf, buflen, mac_emsk, &maclen); +- } +- memcpy(cbb->binding.msk_compound_mac, &mac_msk, sizeof(cbb->binding.msk_compound_mac)); +- if (t->imck_emsk_available) { +- memcpy(cbb->binding.emsk_compound_mac, &mac_emsk, sizeof(cbb->binding.emsk_compound_mac)); +- } +- +- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_CRYPTO_BINDING, true, sizeof(cbb->binding), (uint8_t *)&cbb->binding); +-} +- +-static int 
eap_teap_verify(REQUEST *request, tls_session_t *tls_session, uint8_t const *data, unsigned int data_len) +-{ +- uint16_t attr; +- uint16_t length; +- unsigned int remaining = data_len; +- int total = 0; +- int num[EAP_TEAP_TLV_MAX] = {0}; +- teap_tunnel_t *t = (teap_tunnel_t *) tls_session->opaque; +- uint32_t present = 0; +- uint32_t error = 0; +- uint16_t status = 0; +- +- rad_assert(sizeof(present) * 8 > EAP_TEAP_TLV_MAX); +- +- while (remaining > 0) { +- if (remaining < 4) { +- REDEBUG("Phase 2: Data is too small (%u) to contain a TLV header", remaining); +- return 0; +- } +- +- memcpy(&attr, data, sizeof(attr)); +- attr = ntohs(attr) & EAP_TEAP_TLV_TYPE; +- +- switch (attr) { +- case EAP_TEAP_TLV_RESULT: +- case EAP_TEAP_TLV_NAK: +- case EAP_TEAP_TLV_ERROR: +- case EAP_TEAP_TLV_VENDOR_SPECIFIC: +- case EAP_TEAP_TLV_EAP_PAYLOAD: +- case EAP_TEAP_TLV_INTERMED_RESULT: +- case EAP_TEAP_TLV_CRYPTO_BINDING: +- case EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP: +- num[attr]++; +- present |= 1 << attr; +- +- if (num[EAP_TEAP_TLV_EAP_PAYLOAD] > 1) { +- REDEBUG("Phase 2: Too many EAP-Payload TLVs"); +-unexpected: +- for (int i = 0; i < EAP_TEAP_TLV_MAX; i++) { +- DICT_ATTR const *da; +- +- if (!(present & (1 << i))) continue; +- +- da = dict_attrbyvalue((i << 8) | PW_FREERADIUS_EAP_TEAP_TLV, VENDORPEC_FREERADIUS); +- if (da) { +- RDEBUG("Phase 2: - attribute %s is present", da->name); +- } else { +- RDEBUG("Phase 2: - attribute %d is present", i); +- } +- } +- eap_teap_send_error(tls_session, EAP_TEAP_ERR_UNEXPECTED_TLV); +- return 0; +- } +- +- if (num[EAP_TEAP_TLV_INTERMED_RESULT] > 1) { +- REDEBUG("Phase 2: Too many Intermediate-Result TLVs"); +- goto unexpected; +- } +- break; +- default: +- if ((data[0] & 0x80) != 0) { +- REDEBUG("Phase 2: Unknown mandatory TLV %02x", attr); +- goto unexpected; +- } +- +- num[0]++; +- } +- +- total++; +- +- memcpy(&length, data + 2, sizeof(length)); +- length = ntohs(length); +- +- data += 4; +- remaining -= 4; +- +- if (length > 
remaining) { +- REDEBUG2("Phase 2: TLV %u is longer than room remaining in the packet (%u > %u).", attr, +- length, remaining); +- return 0; +- } +- +- /* +- * If the rest of the TLVs are larger than +- * this attribute, continue. +- * +- * Otherwise, if the attribute over-flows the end +- * of the TLCs, die. +- */ +- if (remaining < length) { +- REDEBUG2("Phase 2: TLV overflows packet."); +- return 0; +- } +- +- if (attr == EAP_TEAP_TLV_ERROR) { +- if (length != 4) goto fail_length; +- error = (data[0] << 24) | (data[1] << 16) | (data[2] << 8) | data[3]; +- } +- +- /* +- * If there's an error, we bail out of the +- * authentication process before allocating +- * memory. +- */ +- if ((attr == EAP_TEAP_TLV_INTERMED_RESULT) || (attr == EAP_TEAP_TLV_RESULT)) { +- if (length != 2) { +- fail_length: +- REDEBUG("Phase 2: TLV %u is too short. Expected 2, got %d.", attr, length); +- return 0; +- } +- +- status = (data[0] << 8) | data[1]; +- if (status == 0) goto unknown_value; +- } +- +- /* +- * 1 octet length + User-Name +- * 1 octet length + User-Password +- */ +- if (attr == EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP) { +- uint8_t const *p = data; +- uint16_t vlen = length; +- +- if (vlen <= 2) { +- REDEBUG("Phase 2: Basic-Password-Auth-Resp TLV is too short. Expected >2, got %d.", vlen); +- return 0; +- } +- +- /* +- * Can't be zero. We must have MORE than "1 octet length + User-Name" +- */ +- if (!p[0] || ((p[0] + 1) >= vlen)) { +- REDEBUG("Phase 2: Basic-Password-Auth-Resp TLV is invalid. User-Name field has bad lenth %u", p[0]); +- return 0; +- } +- +- vlen -= p[0] + 1; +- if (!vlen) { +- REDEBUG("Phase 2: Basic-Password-Auth-Resp TLV is invalid. Password field is missing"); +- return 0; +- } +- +- p += p[0] + 1; +- if (!p[0] || (p[0] >= vlen)) { +- REDEBUG("Phase 2: Basic-Password-Auth-Resp TLV is invalid. 
Password field has bad lenth %u", p[0]); +- return 0; +- } +- } +- +- if (attr == EAP_TEAP_TLV_IDENTITY_TYPE) { +- if (length != 2) goto fail_length; +- +- if ((data[0] != 0) || (data[1] == 0) || (data[1] > 2)) { +- REDEBUG("Phase 2: Identity-Type TLV contains invalid value %02x%02x", +- data[0], data[1]); +- return 0; +- } +- } +- +- /* +- * Check the size of Crypto-Binding TLV, and the TEAP version. +- */ +- if (attr == EAP_TEAP_TLV_CRYPTO_BINDING) { +- if (length != sizeof(eap_tlv_crypto_binding_tlv_t)) { +- REDEBUG("Phase 2: Crypto-Binding TLV has incorrect length %u", length); +- return 0; +- } +- +- if (data[1] != EAP_TEAP_VERSION) { +- REDEBUG("Phase 2: Crypto-Binding TLV has incorrect version %u", data[1]); +- return 0; +- } +- } +- +- /* +- * remaining > length, continue. +- */ +- remaining -= length; +- data += length; +- } +- +- /* +- * Check status if we have it. +- */ +- if (status) { +- if (status == EAP_TEAP_TLV_RESULT_FAILURE) { +- if (!error) { +- REDEBUG("Phase 2: Received Result from peer which indicates failure with error %u. Rejecting request.", error); +- } else { +- REDEBUG("Phase 2: Received Result from peer which indicates failure. Rejecting request."); +- } +- return 0; +- } +- +- if (status != EAP_TEAP_TLV_RESULT_SUCCESS) { +- unknown_value: +- REDEBUG("Phase 2: Received Result from peer with unknown value %u. Rejecting request.", status); +- goto unexpected; +- } +- } +- +- /* +- * Check if the peer mixed & matched TLVs. +- */ +- if ((num[EAP_TEAP_TLV_NAK] > 0) && (num[EAP_TEAP_TLV_NAK] != total)) { +- REDEBUG("Phase 2: NAK TLV was sent along with non-NAK TLVs. Rejecting request."); +- goto unexpected; +- } +- +- /* +- * RFC7170 EID5844 says we can have Intermediate-Result and Result TLVs all in one +- */ +- +- /* +- * Check mandatory or not mandatory TLVs. 
+- */ +- switch (t->stage) { +- case TLS_SESSION_HANDSHAKE: +- if (present) { +- REDEBUG("Phase 2: Unexpected TLVs in TLS Session Handshake stage"); +- goto unexpected; +- } +- break; +- case AUTHENTICATION: +- if (present & ~((1 << EAP_TEAP_TLV_EAP_PAYLOAD) | (1 << EAP_TEAP_TLV_CRYPTO_BINDING) | (1 << EAP_TEAP_TLV_INTERMED_RESULT) | (1 << EAP_TEAP_TLV_RESULT) | (1 << EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP))) { +- REDEBUG("Phase 2: Unexpected TLVs in authentication stage"); +- goto unexpected; +- } +- +- /* +- * A password request must yield a password response. +- */ +- if (t->sent_basic_password && ((present & (1 << EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP)) == 0)) { +- REDEBUG("Phase 2: Sent Basic-Password-Auth-Req but reply does not contain Basic-Password-Auth-Resp"); +- goto unexpected; +- } +- +- /* +- * If we have Identity-Type, the packet must also +- * contain either EAP-Payload or +- * Basic-Password-Auth-Resp. +- */ +- if (((present & (1 << EAP_TEAP_TLV_IDENTITY_TYPE)) != 0) && +- ((present & (1 << EAP_TEAP_TLV_EAP_PAYLOAD)) == 0) && +- ((present & (1 << EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP)) == 0)) { +- REDEBUG("Phase 2: Received Identity-Type without EAP-Payload or Basic-Password-Auth-Resp"); +- goto unexpected; +- } +- +- break; +- case PROVISIONING: +- if (present & ~(1 << EAP_TEAP_TLV_RESULT)) { +- REDEBUG("Phase 2: Unexpected TLVs in provisioning stage"); +- goto unexpected; +- } +- break; +- case COMPLETE: +- if (present) { +- REDEBUG("Phase 2: Unexpected TLVs in complete stage"); +- goto unexpected; +- } +- break; +- default: +- REDEBUG("Phase 2: Internal error, invalid stage %d", t->stage); +- return 0; +- } +- +- /* +- * We got this far. It looks OK. 
+- */ +- return 1; +-} +- +-static ssize_t eap_teap_decode_vp(TALLOC_CTX *request, DICT_ATTR const *parent, +- uint8_t const *data, size_t const attr_len, VALUE_PAIR **out) +-{ +- int8_t tag = TAG_NONE; +- VALUE_PAIR *vp; +- uint8_t const *p = data; +- +- /* +- * FIXME: Attrlen can be larger than 253 for extended attrs! +- */ +- if (!parent || !out ) { +- RERROR("eap_teap_decode_vp: Invalid arguments"); +- return -1; +- } +- +- /* +- * Silently ignore zero-length attributes. +- */ +- if (attr_len == 0) return 0; +- +- /* +- * And now that we've verified the basic type +- * information, decode the actual p. +- */ +- vp = fr_pair_afrom_da(request, parent); +- if (!vp) return -1; +- +- vp->vp_length = attr_len; +- vp->tag = tag; +- +- switch (parent->type) { +- case PW_TYPE_STRING: +- fr_pair_value_bstrncpy(vp, p, attr_len); +- break; +- +- case PW_TYPE_OCTETS: +- fr_pair_value_memcpy(vp, p, attr_len); +- break; +- +- case PW_TYPE_ABINARY: +- if (vp->vp_length > sizeof(vp->vp_filter)) { +- vp->vp_length = sizeof(vp->vp_filter); +- } +- memcpy(vp->vp_filter, p, vp->vp_length); +- break; +- +- case PW_TYPE_BYTE: +- vp->vp_byte = p[0]; +- break; +- +- case PW_TYPE_SHORT: +- vp->vp_short = (p[0] << 8) | p[1]; +- break; +- +- case PW_TYPE_INTEGER: +- case PW_TYPE_SIGNED: /* overloaded with vp_integer */ +- memcpy(&vp->vp_integer, p, 4); +- vp->vp_integer = ntohl(vp->vp_integer); +- break; +- +- case PW_TYPE_INTEGER64: +- memcpy(&vp->vp_integer64, p, 8); +- vp->vp_integer64 = ntohll(vp->vp_integer64); +- break; +- +- case PW_TYPE_DATE: +- memcpy(&vp->vp_date, p, 4); +- vp->vp_date = ntohl(vp->vp_date); +- break; +- +- case PW_TYPE_ETHERNET: +- memcpy(vp->vp_ether, p, 6); +- break; +- +- case PW_TYPE_IPV4_ADDR: +- memcpy(&vp->vp_ipaddr, p, 4); +- break; +- +- case PW_TYPE_IFID: +- memcpy(vp->vp_ifid, p, 8); +- break; +- +- case PW_TYPE_IPV6_ADDR: +- memcpy(&vp->vp_ipv6addr, p, 16); +- break; +- +- case PW_TYPE_IPV6_PREFIX: +- /* +- * FIXME: double-check that +- * 
(vp->vp_octets[1] >> 3) matches vp->vp_length + 2 +- */ +- memcpy(vp->vp_ipv6prefix, p, vp->vp_length); +- if (vp->vp_length < 18) { +- memset(((uint8_t *)vp->vp_ipv6prefix) + vp->vp_length, 0, +- 18 - vp->vp_length); +- } +- break; +- +- case PW_TYPE_IPV4_PREFIX: +- /* FIXME: do the same double-check as for IPv6Prefix */ +- memcpy(vp->vp_ipv4prefix, p, vp->vp_length); +- +- /* +- * /32 means "keep all bits". Otherwise, mask +- * them out. +- */ +- if ((p[1] & 0x3f) > 32) { +- uint32_t addr, mask; +- +- memcpy(&addr, vp->vp_octets + 2, sizeof(addr)); +- mask = 1; +- mask <<= (32 - (p[1] & 0x3f)); +- mask--; +- mask = ~mask; +- mask = htonl(mask); +- addr &= mask; +- memcpy(vp->vp_ipv4prefix + 2, &addr, sizeof(addr)); +- } +- break; +- +- default: +- RERROR("eap_teap_decode_vp: type %d Internal sanity check %d ", parent->type, __LINE__); +- fr_pair_list_free(&vp); +- return -1; +- } +- +- vp->type = VT_DATA; +- *out = vp; +- return attr_len; +-} +- +- +-VALUE_PAIR *eap_teap_teap2vp(REQUEST *request, SSL *ssl, uint8_t const *data, size_t data_len, +- DICT_ATTR const *teap_da, vp_cursor_t *out) +-{ +- uint16_t attr; +- uint16_t length; +- size_t data_left = data_len; +- VALUE_PAIR *first = NULL; +- VALUE_PAIR *vp = NULL; +- DICT_ATTR const *da; +- +- if (!teap_da) +- teap_da = dict_attrbyvalue(PW_FREERADIUS_EAP_TEAP_TLV, VENDORPEC_FREERADIUS); +- rad_assert(teap_da != NULL); +- +- if (!out) { +- out = talloc(request, vp_cursor_t); +- rad_assert(out != NULL); +- fr_cursor_init(out, &first); +- } +- +- /* +- * Decode the TLVs +- */ +- while (data_left > 0) { +- ssize_t decoded; +- +- /* FIXME do something with mandatory */ +- +- memcpy(&attr, data, sizeof(attr)); +- attr = ntohs(attr) & EAP_TEAP_TLV_TYPE; +- +- memcpy(&length, data + 2, sizeof(length)); +- length = ntohs(length); +- +- data += 4; +- data_left -= 4; +- +- /* +- * Look up the TLV. +- * +- * For now, if it doesn't exist, ignore it. 
+- */ +- da = dict_attrbyparent(teap_da, attr, teap_da->vendor); +- if (!da) { +- RDEBUG3("Phase 2: Skipping unknown attribute %u", attr); +- goto next_attr; +- } +- if (da->type == PW_TYPE_TLV) { +- eap_teap_teap2vp(request, ssl, data, length, da, out); +- goto next_attr; +- } +- decoded = eap_teap_decode_vp(request, da, data, length, &vp); +- if (decoded < 0) { +- REDEBUG3("Phase 2: Failed decoding %s: %s", da->name, fr_strerror()); +- goto next_attr; +- } +- +- fr_cursor_merge(out, vp); +- +- next_attr: +- while (fr_cursor_next(out)) { +- /* nothing */ +- } +- +- data += length; +- data_left -= length; +- } +- +- /* +- * We got this far. It looks OK. +- */ +- return first; +-} +- +- +-static void eapteap_copy_request_to_tunnel(REQUEST *request, REQUEST *fake) { +- VALUE_PAIR *copy, *vp; +- vp_cursor_t cursor; +- +- for (vp = fr_cursor_init(&cursor, &request->packet->vps); +- vp; +- vp = fr_cursor_next(&cursor)) { +- /* +- * The attribute is a server-side thingy, +- * don't copy it. +- */ +- if ((vp->da->attr > 255) && (((vp->da->attr >> 16) & 0xffff) == 0)) { +- continue; +- } +- +- /* +- * The outside attribute is already in the +- * tunnel, don't copy it. +- * +- * This works for BOTH attributes which +- * are originally in the tunneled request, +- * AND attributes which are copied there +- * from below. +- */ +- if (fr_pair_find_by_da(fake->packet->vps, vp->da, TAG_ANY)) continue; +- +- /* +- * Some attributes are handled specially. +- */ +- if (!vp->da->vendor) switch (vp->da->attr) { +- /* +- * NEVER copy Message-Authenticator, +- * EAP-Message, or State. They're +- * only for outside of the tunnel. +- */ +- case PW_USER_NAME: +- case PW_USER_PASSWORD: +- case PW_CHAP_PASSWORD: +- case PW_CHAP_CHALLENGE: +- case PW_PROXY_STATE: +- case PW_MESSAGE_AUTHENTICATOR: +- case PW_EAP_MESSAGE: +- case PW_STATE: +- continue; +- +- /* +- * By default, copy it over. +- */ +- default: +- break; +- } +- +- /* +- * Don't copy from the head, we've already +- * checked it. 
+- */ +- copy = fr_pair_list_copy_by_num(fake->packet, vp, vp->da->attr, vp->da->vendor, TAG_ANY); +- fr_pair_add(&fake->packet->vps, copy); +- } +-} +- +-static const char *stage_name[] = { +- "TLS session handshake", +- "Authentication", +- "Provisioning", +- "Complete" +-}; +- +-/* +- * Use a reply packet to determine what to do. +- */ +-static rlm_rcode_t CC_HINT(nonnull) process_reply(eap_handler_t *eap_session, +- tls_session_t *tls_session, +- REQUEST *request, RADIUS_PACKET *reply) +-{ +- rlm_rcode_t rcode = RLM_MODULE_REJECT; +- VALUE_PAIR *vp; +- vp_cursor_t cursor; +- uint8_t msk[2 * CHAP_VALUE_LENGTH] = {0}, emsk[2 * EAPTLS_MPPE_KEY_LEN] = {0}; +- size_t msklen = 0, emsklen = 0; +- bool doing_eap; +- +- teap_tunnel_t *t = tls_session->opaque; +- +- rad_assert(eap_session->request == request); +- +- RDEBUG("Phase 2: Stage %s", stage_name[t->stage]); +- +- /* +- * If the response packet was Access-Accept, then +- * we're OK. If not, die horribly. +- * +- * FIXME: EAP-Messages can only start with 'identity', +- * NOT 'eap start', so we should check for that.... 
+- */ +- switch (reply->code) { +- case PW_CODE_ACCESS_ACCEPT: +- RDEBUG("Phase 2: Got tunneled Access-Accept"); +- +- for (vp = fr_cursor_init(&cursor, &reply->vps); vp; vp = fr_cursor_next(&cursor)) { +- if (vp->da->attr == PW_EAP_EMSK) { +- // FIXME check if we should be generating an emsk from MPPE keys below +- emsklen = MIN(vp->vp_length, sizeof(emsk)); +- memcpy(emsk, vp->vp_octets, emsklen); +- break; +- } +- +- if (vp->da->vendor != VENDORPEC_MICROSOFT) continue; +- +- /* like for EAP-FAST, the keying material is used reversed */ +- switch (vp->da->attr) { +- case PW_MSCHAP_MPPE_SEND_KEY: +- if (vp->vp_length == EAPTLS_MPPE_KEY_LEN) { +- /* do not set emsklen here so not to blat EAP-EMSK */ +- // emsklen = sizeof(emsk); +- memcpy(emsk, vp->vp_octets, EAPTLS_MPPE_KEY_LEN); +- } else if (vp->vp_length == CHAP_VALUE_LENGTH) { +- msklen = sizeof(msk); +- memcpy(msk, vp->vp_octets, CHAP_VALUE_LENGTH); +- } else { +- wrong_length: +- REDEBUG("Phase 2: Found %s with incorrect length. Expected %u or %u, got %zu", +- vp->da->name, CHAP_VALUE_LENGTH, EAPTLS_MPPE_KEY_LEN, vp->vp_length); +- return RLM_MODULE_INVALID; +- } +- +- RDEBUGHEX("Phase 2: MSCHAP-MPPE-SEND-KEY [low MSK]", vp->vp_octets, vp->length); +- break; +- +- case PW_MSCHAP_MPPE_RECV_KEY: +- /* only do this if there is no EAP-EMSK */ +- if (vp->vp_length == EAPTLS_MPPE_KEY_LEN && emsklen == 0) { +- msklen = sizeof(msk); +- memcpy(msk, vp->vp_octets, EAPTLS_MPPE_KEY_LEN); +- emsklen = sizeof(emsk); +- memcpy(&emsk[EAPTLS_MPPE_KEY_LEN], vp->vp_octets, EAPTLS_MPPE_KEY_LEN); +- } else if (vp->vp_length == CHAP_VALUE_LENGTH) { +- msklen = sizeof(msk); +- memcpy(&msk[CHAP_VALUE_LENGTH], vp->vp_octets, CHAP_VALUE_LENGTH); +- } else { +- goto wrong_length; +- } +- +- RDEBUGHEX("Phase 2: MSCHAP-MPPE-RECV-KEY [high MSK]", vp->vp_octets, vp->vp_length); +- break; +- +- case PW_MSCHAP2_SUCCESS: +- RDEBUG("Phase 2: Got %s, tunneling it to the client in a challenge", vp->da->name); +- if (t->use_tunneled_reply) { +- 
t->authenticated = true; +- /* +- * Clean up the tunneled reply. +- */ +- fr_pair_delete_by_num(&reply->vps, PW_PROXY_STATE, 0, TAG_ANY); +- fr_pair_delete_by_num(&reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY); +- fr_pair_delete_by_num(&reply->vps, PW_MESSAGE_AUTHENTICATOR, 0, TAG_ANY); +- +- /* +- * Delete MPPE keys & encryption policy. We don't +- * want these here. +- */ +- fr_pair_delete_by_num(&reply->vps, 7, VENDORPEC_MICROSOFT, TAG_ANY); +- fr_pair_delete_by_num(&reply->vps, 8, VENDORPEC_MICROSOFT, TAG_ANY); +- fr_pair_delete_by_num(&reply->vps, 16, VENDORPEC_MICROSOFT, TAG_ANY); +- fr_pair_delete_by_num(&reply->vps, 17, VENDORPEC_MICROSOFT, TAG_ANY); +- +- fr_pair_list_free(&t->accept_vps); /* for proxying MS-CHAP2 */ +- fr_pair_list_mcopy_by_num(t, &t->accept_vps, &reply->vps, 0, 0, TAG_ANY); +- rad_assert(!reply->vps); +- } +- break; +- +- default: +- break; +- } +- } +- +- if (t->use_tunneled_reply) { +- /* +- * Clean up the tunneled reply. +- */ +- fr_pair_delete_by_num(&reply->vps, PW_EAP_EMSK, 0, TAG_ANY); +- fr_pair_delete_by_num(&reply->vps, PW_EAP_SESSION_ID, 0, TAG_ANY); +- } +- +- eap_teap_append_result(request, tls_session, reply->code); +- eap_teap_append_crypto_binding(request, tls_session, msk, msklen, emsk, emsklen); +- +- vp = fr_pair_find_by_num(request->state, PW_EAP_TEAP_TLV_IDENTITY_TYPE, VENDORPEC_FREERADIUS, TAG_ANY); +- if (vp) { +- RDEBUG("Phase 2: Continuing with Identity-Type = %s", +- (vp->vp_short == 1) ? 
"User" : "Machine"); +- +- /* RFC3748, Section 2.1 - does not explictly tell us to but we need to eat the EAP-Success */ +- fr_pair_delete_by_num(&reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY); +- +- /* new identity */ +- talloc_free(t->username); +- t->username = NULL; +- +- if (t->num_identities == 2) { +- RDEBUG("Phase 2: Configured to send too many identities, failing the session"); +- goto fail; +- } +- +- t->identity_types[t->num_identities++] = vp->vp_short; +- +- /* RFC7170, Appendix C.6 */ +- eap_teap_append_identity_type(tls_session, vp->vp_short); +- +- if (t->default_method || t->eap_method[vp->vp_short]) { +- eap_teap_append_eap_identity_request(request, tls_session, eap_session); +- } +- +- if (!t->auto_chain) goto challenge; +- +- if (!(t->default_method || t->eap_method[vp->vp_short])) { +- RDEBUG("Phase 2: No %s EAP methods configured - assuming password", +- (vp->vp_short == 1) ? "User" : "Machine"); +- +- vp = fr_pair_afrom_num(reply, PW_EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, VENDORPEC_FREERADIUS); +- if (vp) { +- fr_pair_add(&reply->vps, vp); +- } else { +- RERROR("Failed adding attribute &reply:FreeRADIUS-EAP-TEAP-Basic-Password-Auth-Req"); +- goto fail; +- } +- } +- +- /* +- * Delete the &session-state:FreeRADIUS-EAP-TEAP-TLV-Identity-Type +- * which we found. +- * +- * If there are more than one, then the +- * next round will pick up the next one. +- */ +- RDEBUG("Phase 2: Deleting &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += %s", +- (vp->vp_short == 1) ? "User" : "Machine"); +- fr_pair_delete(&request->state, vp); +- +- /* +- * Always challenge, as we're sending EAP-Identity. 
+- */ +- goto challenge; +- } +- +- if (t->auths[1].required && !t->auths[1].received) { +- REDEBUG("Phase 2: We required Identity-Type = User, but we did not see it - rejecting the session"); +- goto fail; +- } +- +- if (t->auths[2].required && !t->auths[2].received) { +- REDEBUG("Phase 2: We required Identity-Type = Machine, but we did not see it - rejecting the session"); +- goto fail; +- } +- +- RDEBUG("Phase 2: All inner authentications have succeeded"); +- +- t->result_final = true; +- t->sent_basic_password = false; +- eap_teap_append_result(request, tls_session, reply->code); +- +- tls_session->authentication_success = true; +- rcode = RLM_MODULE_OK; +- +- break; +- +- case PW_CODE_ACCESS_REJECT: +- RDEBUG("Phase 2: Got tunneled Access-Reject"); +- +- fail: +- eap_teap_append_result(request, tls_session, PW_CODE_ACCESS_REJECT); +- rcode = RLM_MODULE_REJECT; +- break; +- +- /* +- * Handle Access-Challenge, but only if we +- * send tunneled reply data. This is because +- * an Access-Challenge means that we MUST tunnel +- * a Reply-Message to the client. +- */ +- case PW_CODE_ACCESS_CHALLENGE: +- RDEBUG("Phase 2: Got tunneled Access-Challenge"); +-challenge: +- /* +- * Keep the State attribute, if necessary. +- * +- * Get rid of the old State, too. +- */ +- fr_pair_list_free(&t->state); +- fr_pair_list_mcopy_by_num(t, &t->state, &reply->vps, PW_STATE, 0, TAG_ANY); +- +- t->sent_basic_password = false; +- doing_eap = false; +- +- /* +- * Copy the EAP-Message back to the tunnel. Note +- * that there can only be one EAP-Message +- * attribute. The RADIUS encoder takes care of +- * splitting it into multiple chunks in a RADIUS +- * packet. +- * +- * For TEAP, we can only send one EAP-Payload TLV +- * in a packet. 
+- */ +- vp = fr_pair_find_by_num(reply->vps, PW_EAP_MESSAGE, 0, TAG_ANY); +- if (vp) { +- doing_eap = true; +- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_EAP_PAYLOAD, true, vp->vp_length, vp->vp_octets); +- } +- +- /* +- * When chaining, we 'goto challenge' and can use +- * that to now signal back to unlang that a +- * method has completed and we can now move to +- * the next +- */ +- rcode = reply->code == PW_CODE_ACCESS_CHALLENGE ? RLM_MODULE_HANDLED : RLM_MODULE_OK; +- +- if (!doing_eap) { +- vp = fr_pair_find_by_num(reply->vps, PW_EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, VENDORPEC_FREERADIUS, TAG_ANY); +- if (!vp) { +- RWDEBUG("Phase 2: Not configured to use EAP or passwords. Authentication will likely fail."); +- break; +- } +- +- t->sent_basic_password = true; +- +- RDEBUG("Phase 2: Sending Basic-Password-Auth-Req"); +- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, vp->vp_length, vp->vp_strvalue); +- } +- +- break; +- +- default: +- RDEBUG("Phase 2: Unknown RADIUS packet type %d: rejecting tunneled user", reply->code); +- rcode = RLM_MODULE_INVALID; +- break; +- } +- +- +- return rcode; +-} +- +-static PW_CODE eap_teap_phase2(REQUEST *request, eap_handler_t *eap_session, +- tls_session_t *tls_session, REQUEST *fake) +-{ +- PW_CODE code = PW_CODE_ACCESS_REJECT; +- rlm_rcode_t rcode; +- VALUE_PAIR *vp; +- teap_tunnel_t *t; +- int eap_method = 0; +- +- RDEBUG3("Phase 2: Processing received EAP Payload"); +- +- t = (teap_tunnel_t *) tls_session->opaque; +- +- RDEBUG("Phase 2: Got tunneled request"); +- rdebug_pair_list(L_DBG_LVL_1, request, fake->packet->vps, NULL); +- +- /* +- * Tell the request that it's a fake one. +- */ +- fr_pair_make(fake->packet, &fake->packet->vps, "Freeradius-Proxied-To", "127.0.0.1", T_OP_EQ); +- +- /* +- * No User-Name in the stored data, look for +- * an EAP-Identity, and pull it out of there. 
+- */ +- if (!t->username) { +- vp = fr_pair_find_by_num(fake->packet->vps, PW_EAP_MESSAGE, 0, TAG_ANY); +- if (vp && +- (vp->vp_length >= EAP_HEADER_LEN + 2) && +- (vp->vp_strvalue[0] == PW_EAP_RESPONSE) && +- (vp->vp_strvalue[EAP_HEADER_LEN] == PW_EAP_IDENTITY) && +- (vp->vp_strvalue[EAP_HEADER_LEN + 1] != 0)) { +- /* +- * Create & remember a User-Name +- */ +- t->username = fr_pair_make(t, NULL, "User-Name", NULL, T_OP_EQ); +- rad_assert(t->username != NULL); +- +- fr_pair_value_bstrncpy(t->username, vp->vp_octets + 5, vp->vp_length - 5); +- +- RDEBUG("Phase 2: Got tunneled identity of %s", t->username->vp_strvalue); +- +- } else if (!fake->username) { +- /* +- * Don't reject the request outright, +- * as it's permitted to do EAP without +- * user-name. +- */ +- RWDEBUG2("Phase 2: No EAP-Identity found to start EAP conversation"); +- } +- } /* else there WAS a t->username */ +- +- if (t->username && !fake->username) { +- vp = fr_pair_list_copy(fake->packet, t->username); +- fr_pair_add(&fake->packet->vps, vp); +- fake->username = vp; +- } +- +- /* +- * Add the State attribute, too, if it exists. +- */ +- if (t->state) { +- vp = fr_pair_list_copy(fake->packet, t->state); +- if (vp) fr_pair_add(&fake->packet->vps, vp); +- } +- +- if (t->stage == AUTHENTICATION) { +- VALUE_PAIR *tvp; +- +- eap_method = t->default_method; +- +- RDEBUG2("Phase 2: Authentication"); +- +- /* +- * See which method we're doing. If we're told to do a particular kind of identity +- * check, AND there's not any EAP-Type already set, THEN do it. +- */ +- vp = fr_pair_find_by_num(fake->packet->vps, PW_EAP_TEAP_TLV_IDENTITY_TYPE, VENDORPEC_FREERADIUS, TAG_ANY); +- if (vp) { +- VALUE_PAIR *teap_type; +- +- t->auths[vp->vp_short].received++; +- +- /* +- * User auth. Prefer: +- * * values set by the admin for this session. +- * * otherwise configured in the TEAP module +- * * otherwise default_eap_type +- * * otherwise ??? 
+- */ +- if (vp->vp_short == 1) { +- teap_type = fr_pair_find_by_num(request->state, PW_TEAP_TYPE_USER, 0, TAG_ANY); +- if (teap_type) { +- eap_method = teap_type->vp_integer; +- +- RDEBUG("Phase 2: Setting User EAP-Type = %s from &config:TEAP-Type-User", +- eap_type2name(eap_method)); +- +- } else if (t->eap_method[vp->vp_short]) { +- eap_method = t->eap_method[vp->vp_short]; +- +- RDEBUG("Phase 2: Setting User EAP-Type = %s from TEAP configuration user_eap_type", +- eap_type2name(eap_method)); +- +- } else if (eap_method) { +- RDEBUG("Phase 2: Setting User EAP-Type = %s from TEAP configuration default_eap_type", +- eap_type2name(eap_method)); +- +- } else if (fake->password) { +- RDEBUG("Phase 2: User is not doing EAP, but instead is doing User-Password authentication"); +- +- } else { +- RWDEBUG("Phase 2: Not setting User EAP-Type"); +- } +- } +- +- if (vp->vp_short == 2) { +- teap_type = fr_pair_find_by_num(request->state, PW_TEAP_TYPE_MACHINE, 0, TAG_ANY); +- if (teap_type) { +- eap_method = teap_type->vp_integer; +- +- RDEBUG("Phase 2: Setting Machine EAP-Type = %s from &config:TEAP-Type-Machine", +- eap_type2name(eap_method)); +- +- } else if (t->eap_method[vp->vp_short]) { +- eap_method = t->eap_method[vp->vp_short]; +- +- RDEBUG("Phase 2: Setting Machine EAP-Type = %s from TEAP configuration machine_eap_type", +- eap_type2name(eap_method)); +- +- } else if (eap_method) { +- RDEBUG("Phase 2: Using Machine EAP-Type = %s from TEAP configuration default_eap_type", +- eap_type2name(eap_method)); +- +- } else if (fake->password) { +- RDEBUG("Phase 2: Machine is not doing EAP, but instead is doing User-Password authentication"); +- +- } else { +- RWDEBUG("Phase 2: Not setting Machine EAP-Type"); +- } +- } +- } +- +- if (eap_method) { +- /* +- * RFC 7170 - Authenticating Using EAP-TEAP-MSCHAPv2 +- */ +- if (eap_method == PW_EAP_MSCHAPV2 && t->mode == EAP_TEAP_PROVISIONING_ANON) { +- tvp = fr_pair_afrom_num(fake, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT); +- 
//fr_pair_value_memcpy(tvp, t->keyblock->server_challenge, CHAP_VALUE_LENGTH); +- fr_pair_add(&fake->config, tvp); +- +- tvp = fr_pair_afrom_num(fake, PW_MS_CHAP_PEER_CHALLENGE, 0); +- //fr_pair_value_memcpy(tvp, t->keyblock->client_challenge, CHAP_VALUE_LENGTH); +- fr_pair_add(&fake->config, tvp); +- } +- +- /* +- * Set the configuration to force a particular EAP-Type. +- */ +- RDEBUG("Phase 2: Forcing inner TEAP authentication to &control:EAP-Type = %s", eap_type2name(eap_method)); +- vp = fr_pair_afrom_num(fake, PW_EAP_TYPE, 0); +- if (vp) { +- fr_pair_add(&fake->config, vp); +- vp->vp_integer = eap_method; +- } +- +- } else if (!fake->password) { +- RWDEBUG("Phase 2: No explicit EAP-Type set."); +- } else { +- /* else it's User-Password authentication */ +- } +- } +- +- if (t->copy_request_to_tunnel) { +- eapteap_copy_request_to_tunnel(request, fake); +- } +- +- if ((vp = fr_pair_find_by_num(request->config, PW_VIRTUAL_SERVER, 0, TAG_ANY)) != NULL) { +- fake->server = vp->vp_strvalue; +- +- } else if (t->virtual_server) { +- fake->server = t->virtual_server; +- +- } /* else fake->server == request->server */ +- +- /* +- * Call authentication recursively, which will +- * do PAP, CHAP, MS-CHAP, etc. +- */ +- rad_virtual_server(fake); +- +- /* +- * Decide what to do with the reply. 
+- */ +- switch (fake->reply->code) { +- case 0: +- vp = fr_pair_find_by_num(fake->config, PW_RESPONSE_PACKET_TYPE, 0, TAG_ANY); +- if (vp && (vp->vp_integer == PW_CODE_ACCESS_CHALLENGE)) { +- fake->reply->code = PW_CODE_ACCESS_CHALLENGE; +- goto do_reply; +- } +- +- RDEBUG("Phase 2: No tunneled reply was found, rejecting the user."); +- code = PW_CODE_ACCESS_REJECT; +- break; +- +- default: +- do_reply: +- /* +- * Returns RLM_MODULE_FOO, and we want to return PW_FOO +- */ +- rcode = process_reply(eap_session, tls_session, request, fake->reply); +- switch (rcode) { +- case RLM_MODULE_REJECT: +- code = PW_CODE_ACCESS_REJECT; +- break; +- +- case RLM_MODULE_HANDLED: +- code = PW_CODE_ACCESS_CHALLENGE; +- break; +- +- case RLM_MODULE_OK: +- code = PW_CODE_ACCESS_ACCEPT; +- break; +- +- default: +- code = PW_CODE_ACCESS_REJECT; +- break; +- } +- break; +- } +- +- return code; +-} +- +-static PW_CODE eap_teap_crypto_binding(REQUEST *request, UNUSED eap_handler_t *eap_session, +- tls_session_t *tls_session, eap_tlv_crypto_binding_tlv_t const *binding) +-{ +- teap_tunnel_t *t = tls_session->opaque; +- uint8_t *buf; +- size_t olen, buflen; +- struct crypto_binding_buffer *cbb; +- uint8_t mac[EVP_MAX_MD_SIZE]; +- unsigned int maclen = sizeof(mac); +- unsigned int flags; +- struct teap_imck_t *imck = NULL; +- uint8_t *outer_tlvs; +- +- /* +- * @todo - put crypto binding calculations into a common function, +- */ +- olen = tls_session->outer_tlvs_octets_server ? talloc_array_length(tls_session->outer_tlvs_octets_server) : 0; +- olen += tls_session->outer_tlvs_octets_peer ? talloc_array_length(tls_session->outer_tlvs_octets_peer) : 0; +- +- buflen = sizeof(struct crypto_binding_buffer) - 1/*outer_tlvs*/ + olen; +- +- buf = talloc_zero_array(request, uint8_t, buflen); +- rad_assert(buf != NULL); +- +- cbb = (struct crypto_binding_buffer *)buf; +- +- /* +- * binding->version is what they are using. +- * binding->received_version is what they got from us. 
+- */ +- if (binding->version != t->received_version || binding->received_version != EAP_TEAP_VERSION) { +- RDEBUG2("Phase 2: Crypto-Binding TLV version mis-match (possible downgrade attack!)"); +- RDEBUG2("Phase 2: Expected client to send %d, got %d. We sent %d, they echoed back %d", +- t->received_version, binding->version, +- EAP_TEAP_VERSION, binding->received_version); +- return PW_CODE_ACCESS_REJECT; +- } +- if ((binding->subtype & 0xf) != EAP_TEAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE) { +- RDEBUG2("Phase 2: Crypto-Binding TLV contains unexpected response"); +- return PW_CODE_ACCESS_REJECT; +- } +- flags = binding->subtype >> 4; +- +- CRYPTO_BINDING_BUFFER_INIT(cbb); +- memcpy(&cbb->binding, binding, sizeof(cbb->binding) - sizeof(cbb->binding.emsk_compound_mac) - sizeof(cbb->binding.msk_compound_mac)); +- +- outer_tlvs = &cbb->outer_tlvs[0]; +- +- if (tls_session->outer_tlvs_octets_server) { +- size_t len = talloc_array_length(tls_session->outer_tlvs_octets_server); +- +- memcpy(outer_tlvs, tls_session->outer_tlvs_octets_server, len); +- outer_tlvs += len; +- } +- +- if (tls_session->outer_tlvs_octets_peer) { +- size_t len = talloc_array_length(tls_session->outer_tlvs_octets_peer); +- +- memcpy(outer_tlvs, tls_session->outer_tlvs_octets_peer, len); +- } +- +- RDEBUGHEX("Phase 2: BUFFER for Compound MAC calculation", buf, buflen); +- +- /* +- * we carry forward the S-IMCK[j] based on what we verified for session key generation +- * +- * https://mailarchive.ietf.org/arch/msg/emu/mXzpSGEn86Zx_fa4f1uULYMhMoM/ +- * https://github.com/emu-wg/teap-errata/pull/13 +- */ +- const EVP_MD *md = SSL_CIPHER_get_handshake_digest(SSL_get_current_cipher(tls_session->ssl)); +- +- /* +- * We verify cryptobinding MSK and EMSK, but we prefer +- * EMSK for the later IMCK deriviation. 
+- */ +- if ((flags & EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_MSK) != 0) { +- HMAC(md, &t->imck_msk.cmk, sizeof(t->imck_msk.cmk), buf, buflen, mac, &maclen); +- if (memcmp(binding->msk_compound_mac, mac, sizeof(binding->msk_compound_mac))) { +- RDEBUG2("Phase 2: Crypto-Binding TLV (MSK) mis-match"); +- return PW_CODE_ACCESS_REJECT; +- } +- imck = &t->imck_msk; +- } +- +- if (((flags & EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_EMSK) != 0) && t->imck_emsk_available) { +- HMAC(md, &t->imck_emsk.cmk, sizeof(t->imck_emsk.cmk), buf, buflen, mac, &maclen); +- if (memcmp(binding->emsk_compound_mac, mac, sizeof(binding->emsk_compound_mac))) { +- RDEBUG2("Phase 2: Crypto-Binding TLV (EMSK) mis-match"); +- return PW_CODE_ACCESS_REJECT; +- } +- +- RDEBUG3("Phase 2: Using all EMSK for ICMK"); +- imck = &t->imck_emsk; +- +- } else if (imck) { +- RDEBUG3("Phase 2: Using all MSK for ICMK"); +- +- } else { +- RDEBUG3("Phase 2: Using all zeroes for ICMK"); +- imck = &imck_zeros; +- } +- +- /* IMCK[j] 60 octets => S-IMCK[j] first 40 octets, CMK[j] last 20 octets */ +- RDEBUGHEX("Phase 2: S-IMCK[j]", imck->simck, sizeof(imck->simck)); +- +- uint8_t mk_msk_label[31] = "Session Key Generating Function"; +- +- struct iovec mk_msk_seed[1] = { +- { (void *)mk_msk_label, sizeof(mk_msk_label) } +- }; +- TLS_PRF(tls_session->ssl, +- imck->simck, sizeof(imck->simck), +- mk_msk_seed, ARRAY_SIZE(mk_msk_seed), +- (uint8_t *)&t->msk, sizeof(t->msk)); +- RDEBUGHEX("Phase 2: Derived key (MSK)", t->msk, sizeof(t->msk)); +- +- uint8_t mk_emsk_label[40] = "Extended Session Key Generating Function"; +- struct iovec mk_emsk_seed[1] = { +- { (void *)mk_emsk_label, sizeof(mk_emsk_label) } +- }; +- TLS_PRF(tls_session->ssl, +- imck->simck, sizeof(imck->simck), +- mk_emsk_seed, ARRAY_SIZE(mk_emsk_seed), +- (uint8_t *)&t->emsk, sizeof(t->emsk)); +- RDEBUGHEX("Phase 2: Derived key (EMSK)", t->emsk, sizeof(t->emsk)); +- +- return PW_CODE_ACCESS_ACCEPT; +-} +- +- +-static PW_CODE eap_teap_process_tlvs(REQUEST 
*request, eap_handler_t *eap_session, +- tls_session_t *tls_session, VALUE_PAIR *teap_vps) +-{ +- teap_tunnel_t *t = (teap_tunnel_t *) tls_session->opaque; +- VALUE_PAIR *vp, *copy; +- vp_cursor_t cursor; +- PW_CODE code = PW_CODE_ACCESS_ACCEPT; +- uint8_t const *p; +- bool gotintermedresult = false, gotresult = false, gotcryptobinding = false; +- REQUEST *fake; +- +- /* +- * Allocate a fake REQUEST structure. +- */ +- fake = request_alloc_fake(request); +- rad_assert(!fake->packet->vps); +- +- fake->eap_inner_tunnel = true; +- +- for (vp = fr_cursor_init(&cursor, &teap_vps); vp; vp = fr_cursor_next(&cursor)) { +- char *value; +- DICT_ATTR const *parent_da = NULL; +- VALUE_PAIR *vp_config; +- +- parent_da = dict_parent(vp->da->attr, vp->da->vendor); +- if (parent_da == NULL || vp->da->vendor != VENDORPEC_FREERADIUS || +- ((vp->da->attr & 0xff) != PW_FREERADIUS_EAP_TEAP_TLV)) { +- continue; +- } +- +- switch (parent_da->attr) { +- case PW_FREERADIUS_EAP_TEAP_TLV: +- switch (vp->da->attr >> 8) { +- case EAP_TEAP_TLV_IDENTITY_TYPE: +- vp_config = fr_pair_find_by_num(request->state, PW_EAP_TEAP_TLV_IDENTITY_TYPE, VENDORPEC_FREERADIUS, TAG_ANY); +- if (vp_config && (vp_config->vp_short != vp->vp_short)) { +- RWDEBUG("We requested &session-state:FreeRADIUS-EAP-TEAP-TLV-Identity-Type = %s", +- (vp_config->vp_short == 1) ? "User" : "Machine"); +- RWDEBUG("But the supplicant returned FreeRADIUS-EAP-TEAP-TLV-Identity-Type = %u", +- vp->vp_short); +- RWDEBUG("Authentication will likely fail."); +- } +- +- fr_pair_add(&fake->packet->vps, fr_pair_copy(fake->packet, vp)); +- break; +- +- /* +- * Copy EAP-Payload to EAP-Message +- */ +- case EAP_TEAP_TLV_EAP_PAYLOAD: +- copy = fr_pair_afrom_num(fake->packet, PW_EAP_MESSAGE, 0); +- fr_pair_value_memcpy(copy, vp->vp_octets, vp->vp_length); +- fr_pair_add(&fake->packet->vps, copy); +- break; +- +- /* +- * We copy the full attribute, even if the administrator +- * isn't ever going to use it. 
The existence of the attribute +- * is a signal that we have a password response, and not an EAP-Message. +- */ +- case EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP: +- fr_pair_add(&fake->packet->vps, fr_pair_copy(fake->packet, vp)); +- +- p = vp->vp_octets; +- +- copy = fr_pair_afrom_num(fake->packet, PW_USER_NAME, 0); +- fr_pair_value_bstrncpy(copy, p + 1, p[0]); +- fr_pair_add(&fake->packet->vps, copy); +- fake->username = copy; +- +- p += p[0] + 1; +- +- copy = fr_pair_afrom_num(fake->packet, PW_USER_PASSWORD, 0); +- fr_pair_value_bstrncpy(copy, p + 1, p[0]); +- fr_pair_add(&fake->packet->vps, copy); +- fake->password = copy; +- break; +- +- /* +- * The rest of the TEAP +- * attributes are signalling, and +- * aren't needed by the inner-tunnel virtual server. +- */ +- case EAP_TEAP_TLV_RESULT: +- gotresult = true; +- if (vp->vp_short != EAP_TEAP_TLV_RESULT_SUCCESS) { +- REDEBUG("Phase 2: Peer sent Result = Failure - rejecting the session"); +- code = PW_CODE_ACCESS_REJECT; +- } +- break; +- +- case EAP_TEAP_TLV_INTERMED_RESULT: +- gotintermedresult = true; +- if (vp->vp_short != EAP_TEAP_TLV_RESULT_SUCCESS) { +- REDEBUG("Phase 2: Peer sent Intermediate-Result = Failure - rejecting the session"); +- code = PW_CODE_ACCESS_REJECT; +- } +- break; +- +- case EAP_TEAP_TLV_CRYPTO_BINDING: +- gotcryptobinding = true; +- +- code = eap_teap_crypto_binding(request, eap_session, tls_session, +- (eap_tlv_crypto_binding_tlv_t const *)vp->vp_octets); +- break; +- +- default: +- value = vp_aprints_value(request->packet, vp, '"'); +- RDEBUG2("Ignoring unknown attribute %s", value); +- talloc_free(value); +- } +- break; +- +- default: +- value = vp_aprints(request->packet, vp, '"'); +- RDEBUG2("Ignoring TEAP TLV %s", value); +- talloc_free(value); +- } +- +- if (code == PW_CODE_ACCESS_REJECT) { +- talloc_free(fake); +- return PW_CODE_ACCESS_REJECT; +- } +- } +- +- /* +- * Move to the provisioning stage only if we have a final result. 
+- */ +- if ((t->stage == AUTHENTICATION) && t->result_final) { +- if (gotcryptobinding && gotintermedresult) t->stage = PROVISIONING; +- /* rollback if we have an EAP sequence (chaining) */ +- if (t->stage == PROVISIONING && !gotresult && vp) t->stage = AUTHENTICATION; +- } +- +- if (t->stage == PROVISIONING) { +- if (gotcryptobinding && gotresult) t->stage = COMPLETE; +- } +- +- if (t->stage == COMPLETE) { +- if (!gotcryptobinding) { +- RWDEBUG("Phase 2: Peer did not send Crypto-Binding - rejecting"); +- talloc_free(fake); +- return PW_CODE_ACCESS_REJECT; +- } +- +- if (!gotresult) { +- RWDEBUG("Phase 2: Peer did not send Result - rejecting"); +- talloc_free(fake); +- return PW_CODE_ACCESS_REJECT; +- } +- +- } else { +- code = eap_teap_phase2(request, eap_session, tls_session, fake); +- } +- +- talloc_free(fake); +- return code; +-} +- +- +-static void print_tunneled_data(uint8_t const *data, size_t data_len) +-{ +- size_t i; +- +- DEBUG2(" TEAP tunnel data total %zu", data_len); +- +- if ((rad_debug_lvl > 2) && fr_log_fp) { +- for (i = 0; i < data_len; i++) { +- if ((i & 0x0f) == 0) fprintf(fr_log_fp, " TEAP tunnel data in %02x: ", (int) i); +- +- fprintf(fr_log_fp, "%02x ", data[i]); +- +- if ((i & 0x0f) == 0x0f) fprintf(fr_log_fp, "\n"); +- } +- if ((data_len & 0x0f) != 0) fprintf(fr_log_fp, "\n"); +- } +-} +- +- +-/* +- * Process the inner tunnel data +- */ +-PW_CODE eap_teap_process(eap_handler_t *eap_session, tls_session_t *tls_session) +-{ +- PW_CODE code; +- VALUE_PAIR *teap_vps, *vp; +- uint8_t const *data; +- size_t data_len; +- teap_tunnel_t *t; +- REQUEST *request = eap_session->request; +- +- /* +- * Just look at the buffer directly, without doing +- * record_to_buff. 
+- */ +- data_len = tls_session->clean_out.used; +- tls_session->clean_out.used = 0; +- data = tls_session->clean_out.data; +- +- t = (teap_tunnel_t *) tls_session->opaque; +- +- if (rad_debug_lvl > 2) print_tunneled_data(data, data_len); +- +- /* +- * See if the tunneled data is well formed. +- */ +- if (!eap_teap_verify(request, tls_session, data, data_len)) return PW_CODE_ACCESS_REJECT; +- +- if (t->stage == TLS_SESSION_HANDSHAKE) { +- rad_assert(t->mode == EAP_TEAP_UNKNOWN); +- +- char buf[256]; +- if (strstr(SSL_CIPHER_description(SSL_get_current_cipher(tls_session->ssl), +- buf, sizeof(buf)), "Au=None")) { +- /* FIXME enforce MSCHAPv2 - RFC 7170 */ +- RDEBUG2("Phase 2: Using anonymous provisioning"); +- t->mode = EAP_TEAP_PROVISIONING_ANON; +- } else { +- if (SSL_session_reused(tls_session->ssl)) { +- RDEBUG("Phase 2: Outer session was resumed"); +- t->mode = EAP_TEAP_NORMAL_AUTH; +- } else { +- RDEBUG2("Phase 2: Using authenticated provisioning"); +- t->mode = EAP_TEAP_PROVISIONING_AUTH; +- } +- } +- +- eap_teap_init_keys(request, tls_session); +- +- +- /* RFC7170, Appendix C.6 */ +- vp = fr_pair_find_by_num(request->state, PW_EAP_TEAP_TLV_IDENTITY_TYPE, VENDORPEC_FREERADIUS, TAG_ANY); +- if (vp) { +- RDEBUG("Phase 2: Sending Identity-Type = %s", (vp->vp_short == 1) ? "User" : "Machine"); +- eap_teap_append_identity_type(tls_session, vp->vp_short); +- +- if (t->num_identities == 2) { +- RDEBUG("Phase 2: Configured to send too many identities, failing the session"); +- goto fail; +- } +- +- t->identity_types[t->num_identities++] = vp->vp_short; +- +- RDEBUG("Phase 2: Deleting &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += %s", +- (vp->vp_short == 1) ? "User" : "Machine"); +- fr_pair_delete(&request->state, vp); +- } +- +- /* +- * We always start off with an EAP-Identity-Request. 
+- */ +- if (t->default_method || (vp && t->eap_method[vp->vp_short])) { +- eap_teap_append_eap_identity_request(request, tls_session, eap_session); +- } else { +- RDEBUG("Phase 2: No %s EAP method configured - sending Basic-Password-Auth-Req = \"\"", +- !vp ? "" : (vp->vp_short == 1) ? "User" : "Machine"); +- eap_teap_tlv_append(tls_session, EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, true, 0, ""); +- } +- +- t->stage = AUTHENTICATION; +- +- tls_handshake_send(request, tls_session); +- +- return PW_CODE_ACCESS_CHALLENGE; +- } +- +- teap_vps = eap_teap_teap2vp(request, tls_session->ssl, data, data_len, NULL, NULL); +- +- RDEBUG("Phase 2: Got Tunneled TEAP TLVs"); +- rdebug_pair_list(L_DBG_LVL_1, request, teap_vps, NULL); +- +- code = eap_teap_process_tlvs(request, eap_session, tls_session, teap_vps); +- +- fr_pair_list_free(&teap_vps); +- +- if (code == PW_CODE_ACCESS_REJECT) return PW_CODE_ACCESS_REJECT; +- +- switch (t->stage) { +- case AUTHENTICATION: +- code = PW_CODE_ACCESS_CHALLENGE; +- break; +- +- case PROVISIONING: +- if (!t->result_final) { +- t->result_final = true; +- eap_teap_append_result(request, tls_session, code); +- } +- /* FALL-THROUGH */ +- +- case COMPLETE: +- /* +- * TEAP wants to use it's own MSK, so boo to eap_tls_gen_mppe_keys() +- */ +- eap_add_reply(request, "MS-MPPE-Recv-Key", t->msk, EAPTLS_MPPE_KEY_LEN); +- eap_add_reply(request, "MS-MPPE-Send-Key", &t->msk[EAPTLS_MPPE_KEY_LEN], EAPTLS_MPPE_KEY_LEN); +- eap_add_reply(request, "EAP-MSK", t->msk, sizeof(t->msk)); +- eap_add_reply(request, "EAP-EMSK", t->emsk, sizeof(t->emsk)); +- +- break; +- +- default: +- RERROR("Internal sanity check failed in EAP-TEAP at %d", t->stage); +- fail: +- code = PW_CODE_ACCESS_REJECT; +- } +- +- tls_handshake_send(request, tls_session); +- +- return code; +-} +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.h b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.h +deleted file mode 100644 +index 59f7835a26..0000000000 +--- 
a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap.h ++++ /dev/null +@@ -1,176 +0,0 @@ +-/* +- * eap_teap.h +- * +- * Version: $Id$ +- * +- * Copyright (C) 2022 Network RADIUS SARL +- * +- * This software may not be redistributed in any form without the prior +- * written consent of Network RADIUS. +- * +- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. 
+- */ +-#ifndef _EAP_TEAP_H +-#define _EAP_TEAP_H +- +-RCSIDH(eap_teap_h, "$Id$") +- +-#include "eap_tls.h" +- +-#define EAP_TEAP_VERSION 1 +- +-#define EAP_TEAP_MSK_LEN 64 +-#define EAP_TEAP_EMSK_LEN 64 +-#define EAP_TEAP_IMSK_LEN 32 +-#define EAP_TEAP_SKS_LEN 40 +-#define EAP_TEAP_SIMCK_LEN 40 +-#define EAP_TEAP_CMK_LEN 20 +- +-#define EAP_TEAP_TLV_MANDATORY 0x8000 +-#define EAP_TEAP_TLV_TYPE 0x3fff +- +-#define EAP_TEAP_ERR_TUNNEL_COMPROMISED 2001 +-#define EAP_TEAP_ERR_UNEXPECTED_TLV 2002 +- +-/* intermediate result values also match */ +-#define EAP_TEAP_TLV_RESULT_SUCCESS 1 +-#define EAP_TEAP_TLV_RESULT_FAILURE 2 +- +-#define EAP_TEAP_IDENTITY_TYPE_USER 1 +-#define EAP_TEAP_IDENTITY_TYPE_MACHINE 2 +- +-#define PW_EAP_TEAP_TLV_IDENTITY_TYPE (PW_FREERADIUS_EAP_TEAP_TLV | (EAP_TEAP_TLV_IDENTITY_TYPE << 8)) +-#define PW_EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ (PW_FREERADIUS_EAP_TEAP_TLV | (EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ << 8)) +-#define PW_EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP (PW_FREERADIUS_EAP_TEAP_TLV | (EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP << 8)) +- +-typedef enum eap_teap_stage_t { +- TLS_SESSION_HANDSHAKE = 0, +- AUTHENTICATION, +- PROVISIONING, +- COMPLETE +-} eap_teap_stage_t; +- +-typedef enum eap_teap_auth_type { +- EAP_TEAP_UNKNOWN = 0, +- EAP_TEAP_PROVISIONING_ANON, +- EAP_TEAP_PROVISIONING_AUTH, +- EAP_TEAP_NORMAL_AUTH +-} eap_teap_auth_type_t; +- +-/* RFC 7170, Section 4.2.13 - Crypto-Binding TLV */ +-typedef struct eap_tlv_crypto_binding_tlv_t { +- uint8_t reserved; +- uint8_t version; +- uint8_t received_version; +- uint8_t subtype; /* Flags[4b] and Sub-Type[4b] */ +- uint8_t nonce[32]; +- uint8_t emsk_compound_mac[20]; +- uint8_t msk_compound_mac[20]; +-} CC_HINT(__packed__) eap_tlv_crypto_binding_tlv_t; +- +-typedef enum eap_teap_tlv_type_t { +- EAP_TEAP_TLV_RESERVED_0 = 0, // 0 +- EAP_TEAP_TLV_AUTHORITY, // 1 +- EAP_TEAP_TLV_IDENTITY_TYPE, // 2 +- EAP_TEAP_TLV_RESULT, // 3 +- EAP_TEAP_TLV_NAK, // 4 +- EAP_TEAP_TLV_ERROR, // 5 +- 
EAP_TEAP_TLV_CHANNEL_BINDING, // 6 +- EAP_TEAP_TLV_VENDOR_SPECIFIC, // 7 +- EAP_TEAP_TLV_REQUEST_ACTION, // 8 +- EAP_TEAP_TLV_EAP_PAYLOAD, // 9 +- EAP_TEAP_TLV_INTERMED_RESULT, // 10 +- EAP_TEAP_TLV_PAC, // 11 +- EAP_TEAP_TLV_CRYPTO_BINDING, // 12 +- EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_REQ, // 13 +- EAP_TEAP_TLV_BASIC_PASSWORD_AUTH_RESP, // 14 +- EAP_TEAP_TLV_PKCS7, // 15 +- EAP_TEAP_TLV_PKCS10, // 16 +- EAP_TEAP_TLV_TRUSTED_ROOT, // 17 +- EAP_TEAP_TLV_MAX +-} eap_teap_tlv_type_t; +- +-typedef enum eap_teap_tlv_crypto_binding_tlv_flags_t { +- EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_EMSK = 1, // 1 +- EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_MSK, // 2 +- EAP_TEAP_TLV_CRYPTO_BINDING_FLAGS_CMAC_BOTH // 3 +-} eap_teap_tlv_crypto_binding_tlv_flags_t; +- +-typedef enum eap_teap_tlv_crypto_binding_tlv_subtype_t { +- EAP_TEAP_TLV_CRYPTO_BINDING_SUBTYPE_REQUEST = 0, // 0 +- EAP_TEAP_TLV_CRYPTO_BINDING_SUBTYPE_RESPONSE // 1 +-} eap_teap_tlv_crypto_binding_tlv_subtype_t; +- +-typedef struct teap_imck_t { +- uint8_t simck[EAP_TEAP_SIMCK_LEN]; +- uint8_t cmk[EAP_TEAP_CMK_LEN]; +-} CC_HINT(__packed__) teap_imck_t; +- +-typedef struct { +- bool required; +- bool sent; +- uint8_t received; +-} teap_auth_t; +- +-typedef struct teap_tunnel_t { +- VALUE_PAIR *username; +- VALUE_PAIR *state; +- VALUE_PAIR *accept_vps; +- bool copy_request_to_tunnel; +- bool use_tunneled_reply; +- +- bool authenticated; +- int received_version; +- +- int mode; +- eap_teap_stage_t stage; +- +- int num_identities; +- uint16_t identity_types[2]; +- +- teap_auth_t auths[3]; /* so we can index by Identity-Type */ +- +- int imckc; +- bool imck_emsk_available; +- struct teap_imck_t imck_msk; +- struct teap_imck_t imck_emsk; +- +- uint8_t msk[EAP_TEAP_MSK_LEN]; +- uint8_t emsk[EAP_TEAP_EMSK_LEN]; +- +- int default_method; +- int eap_method[3]; +- +- bool result_final; +- bool auto_chain; //!< do we automatically chain identities +- bool sent_basic_password; +- +-#ifdef WITH_PROXY +- bool 
proxy_tunneled_request_as_eap; //!< Proxy tunneled session as EAP, or as de-capsulated +- //!< protocol. +-#endif +- char const *virtual_server; +-} teap_tunnel_t; +- +-/* +- * Process the TEAP portion of an EAP-TEAP request. +- */ +-PW_CODE eap_teap_process(eap_handler_t *handler, tls_session_t *tls_session) CC_HINT(nonnull); +- +-/* +- * A bunch of EAP-TEAP helper functions. +- */ +-VALUE_PAIR *eap_teap_teap2vp(REQUEST *request, UNUSED SSL *ssl, uint8_t const *data, +- size_t data_len, DICT_ATTR const *teap_da, vp_cursor_t *out); +- +-#endif /* _EAP_TEAP_H */ +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.c b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.c +deleted file mode 100644 +index 17f49f9dfc..0000000000 +--- a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.c ++++ /dev/null +@@ -1,198 +0,0 @@ +-/* +- * teap-crypto.c Cryptographic functions for EAP-TEAP. +- * +- * Version: $Id$ +- * +- * Copyright (C) 2022 Network RADIUS SARL +- * +- * This software may not be redistributed in any form without the prior +- * written consent of Network RADIUS. +- * +- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. 
+- */ +- +-RCSID("$Id$") +-USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ +- +-#include +-#include +- +-#include +-#include +-#include +- +-#include "eap_teap_crypto.h" +- +-# define DEBUG if (fr_debug_lvl && fr_log_fp) fr_printf_log +- +-static void debug_errors(void) +-{ +- unsigned long errCode; +- +- while((errCode = ERR_get_error())) { +- char *err = ERR_error_string(errCode, NULL); +- DEBUG("EAP-TEAP error in OpenSSL - %s", err); +- } +-} +- +-// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Encryption_using_GCM_mode +-int eap_teap_encrypt(uint8_t const *plaintext, size_t plaintext_len, +- uint8_t const *aad, size_t aad_len, +- uint8_t const *key, uint8_t *iv, unsigned char *ciphertext, +- uint8_t *tag) +-{ +- EVP_CIPHER_CTX *ctx; +- +- int len; +- +- int ciphertext_len; +- +- +- /* Create and initialise the context */ +- if (!(ctx = EVP_CIPHER_CTX_new())) { +- debug_errors(); +- return -1; +- }; +- +- /* Initialise the encryption operation. */ +- if (1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL)) { +- debug_errors(); +- return -1; +- }; +- +- /* Set IV length if default 12 bytes (96 bits) is not appropriate */ +- if (1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 16, NULL)) { +- debug_errors(); +- return -1; +- }; +- +- /* Initialise key and IV */ +- if (1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv)) { +- debug_errors(); +- return -1; +- }; +- +- /* Provide any AAD data. This can be called zero or more times as +- * required +- */ +- if (1 != EVP_EncryptUpdate(ctx, NULL, &len, aad, aad_len)) { +- debug_errors(); +- return -1; +- }; +- +- /* Provide the message to be encrypted, and obtain the encrypted output. +- * EVP_EncryptUpdate can be called multiple times if necessary +- */ +- if (1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len)) { +- debug_errors(); +- return -1; +- }; +- ciphertext_len = len; +- +- /* Finalise the encryption. 
Normally ciphertext bytes may be written at +- * this stage, but this does not occur in GCM mode +- */ +- if (1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) { +- debug_errors(); +- return -1; +- }; +- ciphertext_len += len; +- +- /* Get the tag */ +- if (1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag)) { +- debug_errors(); +- return -1; +- }; +- +- /* Clean up */ +- EVP_CIPHER_CTX_free(ctx); +- +- return ciphertext_len; +-} +- +-int eap_teap_decrypt(uint8_t const *ciphertext, size_t ciphertext_len, +- uint8_t const *aad, size_t aad_len, +- uint8_t const *tag, uint8_t const *key, uint8_t const *iv, uint8_t *plaintext) +-{ +- EVP_CIPHER_CTX *ctx; +- int len; +- int plaintext_len; +- int ret; +- +- /* Create and initialise the context */ +- if (!(ctx = EVP_CIPHER_CTX_new())) { +- debug_errors(); +- return -1; +- }; +- +- /* Initialise the decryption operation. */ +- if (!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL)) { +- debug_errors(); +- return -1; +- }; +- +- /* Set IV length. Not necessary if this is 12 bytes (96 bits) */ +- if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 16, NULL)) { +- debug_errors(); +- return -1; +- }; +- +- /* Initialise key and IV */ +- if (!EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv)) { +- debug_errors(); +- return -1; +- }; +- +- /* Provide any AAD data. This can be called zero or more times as +- * required +- */ +- if (!EVP_DecryptUpdate(ctx, NULL, &len, aad, aad_len)) { +- debug_errors(); +- return -1; +- }; +- +- /* Provide the message to be decrypted, and obtain the plaintext output. +- * EVP_DecryptUpdate can be called multiple times if necessary +- */ +- if (!EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len)) { +- debug_errors(); +- return -1; +- }; +- plaintext_len = len; +- +- { +- unsigned char *tmp; +- +- memcpy(&tmp, &tag, sizeof(tmp)); +- +- /* Set expected tag value. 
Works in OpenSSL 1.0.1d and later */ +- if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tmp)) { +- debug_errors(); +- return -1; +- }; +- } +- +- /* Finalise the decryption. A positive return value indicates success, +- * anything else is a failure - the plaintext is not trustworthy. +- */ +- ret = EVP_DecryptFinal_ex(ctx, plaintext + len, &len); +- +- /* Clean up */ +- EVP_CIPHER_CTX_free(ctx); +- +- if (ret < 0) return -1; +- +- /* Success */ +- plaintext_len += len; +- return plaintext_len; +-} +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.h b/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.h +deleted file mode 100644 +index b02f2b9083..0000000000 +--- a/src/modules/rlm_eap/types/rlm_eap_teap/eap_teap_crypto.h ++++ /dev/null +@@ -1,39 +0,0 @@ +-/* +- * eap_teap_crypto.h +- * +- * Version: $Id$ +- * +- * Copyright (C) 2022 Network RADIUS SARL +- * +- * This software may not be redistributed in any form without the prior +- * written consent of Network RADIUS. +- * +- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. 
+- */ +- +-#ifndef _EAP_TEAP_CRYPTO_H +-#define _EAP_TEAP_CRYPTO_H +- +-RCSIDH(eap_teap_crypto_h, "$Id$") +- +- +-int eap_teap_encrypt(uint8_t const *plaintext, size_t plaintext_len, +- uint8_t const *aad, size_t aad_len, +- uint8_t const *key, uint8_t *iv, unsigned char *ciphertext, +- uint8_t *tag); +- +-int eap_teap_decrypt(uint8_t const *ciphertext, size_t ciphertext_len, +- uint8_t const *aad, size_t aad_len, +- uint8_t const *tag, uint8_t const *key, uint8_t const *iv, uint8_t *plaintext); +- +-#endif /* _EAP_TEAP_CRYPTO_H */ +diff --git a/src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c b/src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c +deleted file mode 100644 +index f2e2cc3d40..0000000000 +--- a/src/modules/rlm_eap/types/rlm_eap_teap/rlm_eap_teap.c ++++ /dev/null +@@ -1,569 +0,0 @@ +-/* +- * rlm_eap_teap.c contains the interfaces that are called from eap +- * +- * Version: $Id$ +- * +- * Copyright (C) 2022 Network RADIUS SARL +- * +- * This software may not be redistributed in any form without the prior +- * written consent of Network RADIUS. +- * +- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +- * SUCH DAMAGE. 
+- */ +- +-RCSID("$Id$") +-USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ +- +-#include "eap_teap.h" +- +-typedef struct rlm_eap_teap_t { +- /* +- * TLS configuration +- */ +- char const *tls_conf_name; +- fr_tls_server_conf_t *tls_conf; +- +- /* +- * Default tunneled EAP type +- */ +- char const *default_method_name; +- int default_method; +- +- /* +- * User tunneled EAP type +- */ +- char const *user_method_name; +- +- /* +- * Machine tunneled EAP type +- */ +- char const *machine_method_name; +- +- int eap_method[3]; +- +- +- /* +- * Use the reply attributes from the tunneled session in +- * the non-tunneled reply to the client. +- */ +- bool use_tunneled_reply; +- +- /* +- * Use SOME of the request attributes from outside of the +- * tunneled session in the tunneled request +- */ +- bool copy_request_to_tunnel; +- +- /* +- * Do we do require a client cert? +- */ +- bool req_client_cert; +- +- char const *authority_identity; +- +- uint16_t identity_type[2]; +- +- char const *identity_type_name; +- +- /* +- * Virtual server for inner tunnel session. 
+- */ +- char const *virtual_server; +-} rlm_eap_teap_t; +- +- +-static CONF_PARSER module_config[] = { +- { "tls", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_teap_t, tls_conf_name), NULL }, +- { "default_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_teap_t, default_method_name), .dflt = "" }, +- { "copy_request_to_tunnel", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_teap_t, copy_request_to_tunnel), "no" }, +- { "use_tunneled_reply", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_teap_t, use_tunneled_reply), "no" }, +- { "require_client_cert", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_eap_teap_t, req_client_cert), "no" }, +- { "authority_identity", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_REQUIRED, rlm_eap_teap_t, authority_identity), NULL }, +- { "virtual_server", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_teap_t, virtual_server), NULL }, +- { "identity_types", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_teap_t, identity_type_name), NULL }, +- +- { "user_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_teap_t, user_method_name), .dflt = "" }, +- { "machine_eap_type", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_eap_teap_t, machine_method_name), .dflt = "" }, +- CONF_PARSER_TERMINATOR +-}; +- +-static const bool allowed[PW_EAP_MAX_TYPES] = { +- [PW_EAP_SIM] = true, +- [PW_EAP_TLS] = true, +- [PW_EAP_MSCHAPV2] = true, +- [PW_EAP_PWD] = true, +-}; +- +-/* +- * Attach the module. +- */ +-static int mod_instantiate(CONF_SECTION *cs, void **instance) +-{ +- rlm_eap_teap_t *inst; +- +- *instance = inst = talloc_zero(cs, rlm_eap_teap_t); +- if (!inst) return -1; +- +- /* +- * Parse the configuration attributes. +- */ +- if (cf_section_parse(cs, inst, module_config) < 0) { +- return -1; +- } +- +- if (!inst->virtual_server) { +- ERROR("rlm_eap_teap: A 'virtual_server' MUST be defined for security"); +- return -1; +- } +- +- /* +- * Convert the name to an integer, to make it easier to +- * handle. 
+- */ +- if (inst->default_method_name && *inst->default_method_name) { +- inst->default_method = eap_name2type(inst->default_method_name); +- if (inst->default_method < 0) { +- ERROR("rlm_eap_teap: Unknown EAP type %s", +- inst->default_method_name); +- return -1; +- } +- } +- +- /* +- * @todo - allow a special value like 'basic-password', which +- * means that we propose the Basic-Password-Auth-Req TLV during Phase 2. +- * +- * @todo - and then also track the username across +- * multiple rounds, including some kind of State which +- * can be used to signal where we are in the negotiation +- * process. +- */ +- if (inst->user_method_name && *inst->user_method_name) { +- int method = eap_name2type(inst->user_method_name); +- +- if (method < 0) { +- ERROR("rlm_eap_teap: Unknown User EAP type %s", +- inst->user_method_name); +- return -1; +- } +- +- if (!allowed[method]) { +- ERROR("rlm_eap_teap: Invalid User EAP type %s", +- inst->user_method_name); +- return -1; +- } +- +- inst->eap_method[EAP_TEAP_IDENTITY_TYPE_USER] = method; +- } +- +- if (inst->machine_method_name && *inst->machine_method_name) { +- int method; +- +- method = eap_name2type(inst->machine_method_name); +- if (method < 0) { +- ERROR("rlm_eap_teap: Unknown Machine EAP type %s", +- inst->machine_method_name); +- return -1; +- } +- +- if (!allowed[method]) { +- ERROR("rlm_eap_teap: Invalid Machine EAP type %s", +- inst->machine_method_name); +- return -1; +- } +- +- inst->eap_method[EAP_TEAP_IDENTITY_TYPE_MACHINE] = method; +- } +- +- /* +- * Read tls configuration, either from group given by 'tls' +- * option, or from the eap-tls configuration. 
+- */ +- inst->tls_conf = eaptls_conf_parse(cs, "tls"); +- +- if (!inst->tls_conf) { +- ERROR("rlm_eap_teap: Failed initializing SSL context"); +- return -1; +- } +- +- /* +- * Parse default identities +- */ +- if (inst->identity_type_name) { +- char const *p; +- int i; +- +- p = inst->identity_type_name; +- i = 0; +- +- while (*p) { +- while (isspace((uint8_t) *p)) p++; +- +- if (strncasecmp(p, "user", 4) == 0) { +- inst->identity_type[i] = 1; +- p += 4; +- +- } else if (strncasecmp(p, "machine", 7) == 0) { +- inst->identity_type[i] = 2; +- p += 7; +- +- } else { +- invalid_identity: +- cf_log_err_cs(cs, "Invalid value in identity_types = '%s' at %s", +- inst->identity_type_name, p); +- return -1; +- } +- +- i++; +- +- while (isspace((uint8_t) *p)) p++; +- +- /* +- * We only support two things. +- */ +- if ((i == 2) && *p) goto invalid_identity; +- +- if (!*p) break; +- +- if (*p != ',') goto invalid_identity; +- +- p++; +- } +- } +- +- return 0; +-} +- +-/* +- * Allocate the TEAP per-session data +- */ +-static teap_tunnel_t *teap_alloc(TALLOC_CTX *ctx, rlm_eap_teap_t *inst) +-{ +- teap_tunnel_t *t; +- +- t = talloc_zero(ctx, teap_tunnel_t); +- +- t->received_version = -1; +- t->default_method = inst->default_method; +- memcpy(&t->eap_method, &inst->eap_method, sizeof(t->eap_method)); +- t->copy_request_to_tunnel = inst->copy_request_to_tunnel; +- t->use_tunneled_reply = inst->use_tunneled_reply; +- t->virtual_server = inst->virtual_server; +- return t; +-} +- +- +-/* +- * Send an initial eap-tls request to the peer, using the libeap functions. 
+- */ +-static int mod_session_init(void *type_arg, eap_handler_t *handler) +-{ +- int status; +- tls_session_t *ssn; +- rlm_eap_teap_t *inst; +- VALUE_PAIR *vp; +- bool client_cert; +- REQUEST *request = handler->request; +- +- inst = type_arg; +- +- handler->tls = true; +- +- if (request->parent) { +- RWDEBUG("----------------------------------------------------------------------"); +- RWDEBUG("You have configured TEAP to run inside of TEAP. THIS WILL NOT WORK."); +- RWDEBUG("Supported inner methods for TEAP are EAP-TLS, EAP-MSCHAPv2, and PAP."); +- RWDEBUG("Other methods may work, but are not actively supported."); +- RWDEBUG("----------------------------------------------------------------------"); +- } +- +- /* +- * Check if we need a client certificate. +- */ +- +- /* +- * EAP-TLS-Require-Client-Cert attribute will override +- * the require_client_cert configuration option. +- */ +- vp = fr_pair_find_by_num(handler->request->config, PW_EAP_TLS_REQUIRE_CLIENT_CERT, 0, TAG_ANY); +- if (vp) { +- client_cert = vp->vp_integer ? true : false; +- } else { +- client_cert = inst->req_client_cert; +- } +- +- /* +- * Disallow TLS 1.3 for now. +- */ +- ssn = eaptls_session(handler, inst->tls_conf, client_cert, false); +- if (!ssn) { +- return 0; +- } +- +- handler->opaque = ((void *)ssn); +- +- /* +- * As TEAP is a unique special snowflake and wants to use its +- * own rolling MSK for MPPE we we set the label to NULL so in that +- * eaptls_gen_mppe_keys() is NOT called in eaptls_success. +- */ +- ssn->label = NULL; +- +- /* +- * Really just protocol version. +- */ +- ssn->peap_flag = EAP_TEAP_VERSION; +- +- /* +- * hostapd's wpa_supplicant gets upset if we include all the +- * S+L+O flags but is happy with S+O (TLS payload is zero bytes +- * for S anyway) - FIXME not true for early-data TLSv1.3! 
+- */ +- ssn->length_flag = false; +- +- vp = fr_pair_make(ssn, NULL, "FreeRADIUS-EAP-TEAP-Authority-ID", inst->authority_identity, T_OP_EQ); +- fr_pair_add(&ssn->outer_tlvs_server, vp); +- +- /* +- * Be nice about identity types. +- */ +- vp = fr_pair_find_by_num(request->state, PW_EAP_TEAP_TLV_IDENTITY_TYPE, VENDORPEC_FREERADIUS, TAG_ANY); +- if (vp) { +- RDEBUG("Found &session-state:FreeRADIUS-EAP-TEAP-Identity-Type, not setting from configuration"); +- +- } else if (!inst->identity_type[0]) { +- RWDEBUG("No &session-state:FreeRADIUS-EAP-TEAP-Identity-Type was found."); +- RWDEBUG("No 'identity_types' was set in the configuration. TEAP will likely not work."); +- +- } else { +- teap_tunnel_t *t; +- +- fr_assert(ssn->opaque == NULL); +- +- ssn->opaque = teap_alloc(ssn, inst); +- t = (teap_tunnel_t *) ssn->opaque; +- +- /* +- * We automatically add &session-state:FreeRADIUS-EAP-TEAP-Identity-Type +- * to control the flow. +- */ +- t->auto_chain = true; +- +- vp = fr_pair_make(request->state_ctx, &request->state, "FreeRADIUS-EAP-TEAP-Identity-Type", NULL, T_OP_SET); +- if (vp) { +- vp->vp_short = inst->identity_type[0]; +- RDEBUG("Setting &session-state:FreeRADIUS-EAP-TEAP-Identity-Type = %s", +- (vp->vp_short == 1) ? "User" : "Machine"); +- +- t->auths[vp->vp_short].required = true; +- } +- +- if (inst->identity_type[1]) { +- vp = fr_pair_make(request->state_ctx, &request->state, "FreeRADIUS-EAP-TEAP-Identity-Type", NULL, T_OP_ADD); +- if (vp) { +- vp->vp_short = inst->identity_type[1]; +- RDEBUG("Followed by &session-state:FreeRADIUS-EAP-TEAP-Identity-Type += %s", +- (vp->vp_short == 1) ? "User" : "Machine"); +- +- t->auths[vp->vp_short].required = true; +- } +- } +- } +- +- /* +- * TLS session initialization is over. Now handle TLS +- * related handshaking or application data. 
+- */ +- status = eaptls_request(handler->eap_ds, ssn, true); +- if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) { +- REDEBUG("[eaptls start] = %s", fr_int2str(fr_tls_status_table, status, "")); +- } else { +- RDEBUG3("[eaptls start] = %s", fr_int2str(fr_tls_status_table, status, "")); +- } +- if (status == 0) return 0; +- +- /* +- * The next stage to process the packet. +- */ +- handler->stage = PROCESS; +- +- return 1; +-} +- +- +-/* +- * Do authentication, by letting EAP-TLS do most of the work. +- */ +-static int mod_process(void *arg, eap_handler_t *handler) +-{ +- int rcode; +- int ret = 0; +- fr_tls_status_t status; +- rlm_eap_teap_t *inst = (rlm_eap_teap_t *) arg; +- tls_session_t *tls_session = (tls_session_t *) handler->opaque; +- teap_tunnel_t *t = (teap_tunnel_t *) tls_session->opaque; +- REQUEST *request = handler->request; +- +- RDEBUG2("Authenticate"); +- +- /* +- * Process TLS layer until done. +- */ +- status = eaptls_process(handler); +- if ((status == FR_TLS_INVALID) || (status == FR_TLS_FAIL)) { +- REDEBUG("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "")); +- } else { +- RDEBUG3("[eaptls process] = %s", fr_int2str(fr_tls_status_table, status, "")); +- } +- +- /* +- * Make request available to any SSL callbacks +- */ +- SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_REQUEST, request); +- switch (status) { +- /* +- * EAP-TLS handshake was successful, tell the +- * client to keep talking. +- * +- * If this was EAP-TLS, we would just return +- * an EAP-TLS-Success packet here. 
+- */ +- case FR_TLS_SUCCESS: +- if (SSL_session_reused(tls_session->ssl)) { +- RDEBUG("Skipping Phase2 due to session resumption"); +- goto do_keys; +- } +- +- if (t && t->authenticated) { +- if (t->accept_vps) { +- RDEBUG2("Using saved attributes from the original Access-Accept"); +- rdebug_pair_list(L_DBG_LVL_2, request, t->accept_vps, NULL); +- fr_pair_list_mcopy_by_num(handler->request->reply, +- &handler->request->reply->vps, +- &t->accept_vps, 0, 0, TAG_ANY); +- } else if (t->use_tunneled_reply) { +- RDEBUG2("No saved attributes in the original Access-Accept"); +- } +- +- do_keys: +- /* +- * Success: Automatically return MPPE keys. +- */ +- ret = eaptls_success(handler, 0); +- goto done; +- } +- goto phase2; +- +- /* +- * The TLS code is still working on the TLS +- * exchange, and it's a valid TLS request. +- * do nothing. +- */ +- case FR_TLS_HANDLED: +- ret = 1; +- goto done; +- +- /* +- * Handshake is done, proceed with decoding tunneled +- * data. +- */ +- case FR_TLS_OK: +- break; +- +- /* +- * Anything else: fail. +- */ +- default: +- ret = 0; +- goto done; +- } +- +-phase2: +- /* +- * Session is established, proceed with decoding +- * tunneled data. +- */ +- RDEBUG2("Session established. Proceeding to decode tunneled attributes"); +- +- /* +- * We may need TEAP data associated with the session, so +- * allocate it here, if it wasn't already alloacted. +- */ +- if (!tls_session->opaque) { +- tls_session->opaque = teap_alloc(tls_session, inst); +- t = (teap_tunnel_t *) tls_session->opaque; +- } +- +- if (t->received_version < 0) { +- t->received_version = handler->eap_ds->response->type.data[0] & 0x07; +- +- /* +- * We only support TEAPv1. +- */ +- if (t->received_version != EAP_TEAP_VERSION) { +- RDEBUG("Invalid TEAP version received. Expected 1, got %u", t->received_version); +- goto fail; +- } +- } +- +- /* +- * Process the TEAP portion of the request. 
+- */ +- rcode = eap_teap_process(handler, tls_session); +- switch (rcode) { +- case PW_CODE_ACCESS_REJECT: +- fail: +- eaptls_fail(handler, 0); +- ret = 0; +- goto done; +- +- /* +- * Access-Challenge, continue tunneled conversation. +- */ +- case PW_CODE_ACCESS_CHALLENGE: +- eaptls_request(handler->eap_ds, tls_session, false); +- ret = 1; +- goto done; +- +- /* +- * Success: Automatically return MPPE keys. +- */ +- case PW_CODE_ACCESS_ACCEPT: +- goto do_keys; +- +- default: +- break; +- } +- +- /* +- * Something we don't understand: Reject it. +- */ +- eaptls_fail(handler, 0); +- +-done: +- SSL_set_ex_data(tls_session->ssl, FR_TLS_EX_INDEX_REQUEST, NULL); +- +- return ret; +-} +- +-/* +- * The module name should be the only globally exported symbol. +- * That is, everything else should be 'static'. +- */ +-extern rlm_eap_module_t rlm_eap_teap; +-rlm_eap_module_t rlm_eap_teap = { +- .name = "eap_teap", +- .instantiate = mod_instantiate, /* Create new submodule instance */ +- .session_init = mod_session_init, /* Initialise a new EAP session */ +- .process = mod_process /* Process next round of EAP method */ +-}; +-- +2.34.1 + diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.7.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.7.bb index ef98d7285d..d3c34e1d93 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.7.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.2.7.bb @@ -13,6 +13,8 @@ LICENSE = "GPL-2.0-only & LGPL-2.0-or-later" LIC_FILES_CHKSUM = "file://LICENSE;md5=eb723b61539feef013de476e68b5c50a" DEPENDS = "openssl-native openssl libidn libtool libpcap libtalloc" +PATCHTOOL = "git" + SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.2.x;lfs=0;;protocol=https \ file://freeradius \ file://volatiles.58_radiusd \ 
@@ -36,6 +38,7 @@ SRC_URI = "git://github.com/FreeRADIUS/freeradius-server.git;branch=v3.2.x;lfs=0 file://0016-version.c-don-t-print-build-flags.patch \ file://0017-Add-acinclude.m4-to-include-required-macros.patch \ file://0018-Fix-Service-start-error.patch \ + file://0019-freeradius-Remove-files-which-have-license-issues.patch \ " raddbdir = "${sysconfdir}/${MLPREFIX}raddb" @@ -81,6 +84,7 @@ EXTRA_OECONF = " --enable-strict-dependencies \ --without-rlm_securid \ --without-rlm_unbound \ --without-rlm_python \ + --without-rlm_eap_teap \ ac_cv_path_PERL=${bindir}/perl \ ax_cv_cc_builtin_choose_expr=no \ ax_cv_cc_builtin_types_compatible_p=no \
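Review bot: in the removed eap_teap_crypto.c, eap_teap_decrypt() ends with `if (ret < 0) return -1;` after EVP_DecryptFinal_ex(), which does not match the comment directly above it ("A positive return value indicates success, anything else is a failure"). EVP_DecryptFinal_ex() reports a failed GCM tag check by returning 0, so a zero result falls through to the success path and the unauthenticated plaintext length is returned. Both eap_teap_encrypt() and eap_teap_decrypt() also return -1 from every error branch without calling EVP_CIPHER_CTX_free(ctx). Deleting the file makes this moot for this recipe, but anyone restoring the module downstream should change the test to `if (ret <= 0) return -1;` and free the context on the error paths.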
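Review bot: `PATCHTOOL = "git"` in the first freeradius_3.2.7.bb hunk is added with no comment saying why the default patch tool is not sufficient. Add a one-line comment above it naming the reason (presumably that 0019 deletes whole files and needs git to apply cleanly), so the setting is not removed later as unexplained. The unchanged SRC_URI context line in the same hunk has a doubled separator in `lfs=0;;protocol=https`; that predates this patch and can be tidied separately.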
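Review bot: listing `file://0019-freeradius-Remove-files-which-have-license-issues.patch` in SRC_URI removes the restricted files only when patches are applied to the unpacked tree, while the `git://github.com/FreeRADIUS/freeradius-server.git` fetch in the same SRC_URI still brings them into the download directory and into any source mirror or unpatched source archive produced from it. If the aim is that files under the "may not be redistributed" header are never shipped, note this limit next to the patch entry or in the commit message. In the last hunk, `--without-rlm_eap_teap` also drops EAP-TEAP support for every user of the recipe, so a short comment beside that option tying it to the license removal would help whoever later wonders why TEAP is disabled.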