diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 09:49:46 +0000 |
commit | 50b37d4a27d3295a29afca2286f1a5a086142cec (patch) | |
tree | 9212f763934ee090ef72d823f559f52ce387f268 /src/modules/rlm_mschap | |
parent | Initial commit. (diff) | |
download | freeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.tar.xz freeradius-50b37d4a27d3295a29afca2286f1a5a086142cec.zip |
Adding upstream version 3.2.1+dfsg.upstream/3.2.1+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/modules/rlm_mschap')
-rw-r--r-- | src/modules/rlm_mschap/.gitignore | 3 | ||||
-rw-r--r-- | src/modules/rlm_mschap/all.mk | 5 | ||||
-rw-r--r-- | src/modules/rlm_mschap/auth_wbclient.c | 270 | ||||
-rw-r--r-- | src/modules/rlm_mschap/auth_wbclient.h | 19 | ||||
-rw-r--r-- | src/modules/rlm_mschap/config.h.in | 7 | ||||
-rwxr-xr-x | src/modules/rlm_mschap/configure | 4815 | ||||
-rw-r--r-- | src/modules/rlm_mschap/configure.ac | 133 | ||||
-rw-r--r-- | src/modules/rlm_mschap/mschap.c | 147 | ||||
-rw-r--r-- | src/modules/rlm_mschap/mschap.h | 25 | ||||
-rw-r--r-- | src/modules/rlm_mschap/opendir.c | 418 | ||||
-rw-r--r-- | src/modules/rlm_mschap/rlm_mschap.c | 2150 | ||||
-rw-r--r-- | src/modules/rlm_mschap/rlm_mschap.h | 55 | ||||
-rw-r--r-- | src/modules/rlm_mschap/rlm_mschap.mk.in | 10 | ||||
-rw-r--r-- | src/modules/rlm_mschap/smbdes.c | 349 | ||||
-rw-r--r-- | src/modules/rlm_mschap/smbdes.h | 13 | ||||
-rw-r--r-- | src/modules/rlm_mschap/smbencrypt.c | 147 | ||||
-rw-r--r-- | src/modules/rlm_mschap/smbencrypt.mk | 8 |
17 files changed, 8574 insertions, 0 deletions
diff --git a/src/modules/rlm_mschap/.gitignore b/src/modules/rlm_mschap/.gitignore new file mode 100644 index 0000000..0dd46d5 --- /dev/null +++ b/src/modules/rlm_mschap/.gitignore @@ -0,0 +1,3 @@ +config.h +rlm_mschap.mk +smbencrypt diff --git a/src/modules/rlm_mschap/all.mk b/src/modules/rlm_mschap/all.mk new file mode 100644 index 0000000..533d19a --- /dev/null +++ b/src/modules/rlm_mschap/all.mk @@ -0,0 +1,5 @@ +SUBMAKEFILES := rlm_mschap.mk smbencrypt.mk + +src/modules/rlm_mschap/rlm_mschap.mk: src/modules/rlm_mschap/rlm_mschap.mk.in src/modules/rlm_mschap/configure + @echo CONFIGURE $(dir $<) + @cd $(dir $<) && ./configure $(CONFIGURE_ARGS) && touch $(notdir $@) diff --git a/src/modules/rlm_mschap/auth_wbclient.c b/src/modules/rlm_mschap/auth_wbclient.c new file mode 100644 index 0000000..8b4a3ee --- /dev/null +++ b/src/modules/rlm_mschap/auth_wbclient.c @@ -0,0 +1,270 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * @file auth_wbclient.c + * @brief NTLM authentication against the wbclient library + * + * @copyright 2015 Matthew Newton + */ + +RCSID("$Id$") + +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/rad_assert.h> + +#include <core/ntstatus.h> + +#include "rlm_mschap.h" +#include "mschap.h" +#include "auth_wbclient.h" + +#define NT_LENGTH 24 + +/** Use Winbind to normalise a username + * + * @param[in] tctx The talloc context where the result is parented from + * @param[in] ctx The winbind context + * @param[in] dom_name The domain of the user + * @param[in] name The username (without the domain) to be normalised + * @return The username with the casing according to the Winbind remote server, + * or NULL if the username could not be found. + */ +static char *wbclient_normalise_username(TALLOC_CTX *tctx, struct wbcContext *ctx, char const *dom_name, char const *name) +{ + struct wbcDomainSid sid; + enum wbcSidType name_type; + wbcErr err; + char *res_domain = NULL; + char *res_name = NULL; + char *res = NULL; + + /* Step 1: Convert a name to a sid */ + err = wbcCtxLookupName(ctx, dom_name, name, &sid, &name_type); + if (!WBC_ERROR_IS_OK(err)) + return NULL; + + /* Step 2: Convert the sid back to a name */ + err = wbcCtxLookupSid(ctx, &sid, &res_domain, &res_name, &name_type); + if (!WBC_ERROR_IS_OK(err)) + return NULL; + + MEM(res = talloc_strdup(tctx, res_name)); + + wbcFreeMemory(res_domain); + wbcFreeMemory(res_name); + + return res; +} + +/* + * Check NTLM authentication direct to winbind via + * Samba's libwbclient library + * + * Returns: + * 0 success + * -1 auth failure + * -2 failed connecting to AD + * -648 password expired + */ +int do_auth_wbclient(rlm_mschap_t *inst, REQUEST *request, + uint8_t const *challenge, uint8_t const *response, + uint8_t nthashhash[NT_DIGEST_LENGTH]) +{ + int rcode = -1; + struct wbcContext *wb_ctx = NULL; + struct wbcAuthUserParams authparams; + wbcErr err; + int len; + struct wbcAuthUserInfo *info = NULL; + struct wbcAuthErrorInfo *error = NULL; + char user_name_buf[500]; + char domain_name_buf[500]; + uint8_t resp[NT_LENGTH]; + + /* + * Clear the auth parameters - this is important, as + * there are options that will cause wbcAuthenticateUserEx + * to bomb out if not zero. + */ + memset(&authparams, 0, sizeof(authparams)); + + /* + * wb_username must be set for this function to be called + */ + rad_assert(inst->wb_username); + + /* + * Get the username and domain from the configuration + */ + len = tmpl_expand(&authparams.account_name, user_name_buf, sizeof(user_name_buf), + request, inst->wb_username, NULL, NULL); + if (len < 0) { + REDEBUG2("Unable to expand winbind_username"); + goto done; + } + + if (inst->wb_domain) { + len = tmpl_expand(&authparams.domain_name, domain_name_buf, sizeof(domain_name_buf), + request, inst->wb_domain, NULL, NULL); + if (len < 0) { + REDEBUG2("Unable to expand winbind_domain"); + goto done; + } + } else { + RWDEBUG2("No domain specified; authentication may fail because of this"); + } + + + /* + * Build the wbcAuthUserParams structure with what we know + */ + authparams.level = WBC_AUTH_USER_LEVEL_RESPONSE; + authparams.password.response.nt_length = NT_LENGTH; + + memcpy(resp, response, NT_LENGTH); + authparams.password.response.nt_data = resp; + + memcpy(authparams.password.response.challenge, challenge, + sizeof(authparams.password.response.challenge)); + + authparams.parameter_control |= WBC_MSV1_0_ALLOW_MSVCHAPV2 | + WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT | + WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT; + + + /* + * Send auth request across to winbind + */ + wb_ctx = fr_connection_get(inst->wb_pool); + if (wb_ctx == NULL) { + RERROR("Unable to get winbind connection from pool"); + goto done; + } + + RDEBUG2("sending authentication request user='%s' domain='%s'", authparams.account_name, + authparams.domain_name); + + err = wbcCtxAuthenticateUserEx(wb_ctx, &authparams, &info, &error); + + if (err == WBC_ERR_AUTH_ERROR && inst->wb_retry_with_normalised_username) { + VALUE_PAIR *vp_response, *vp_challenge; + char *normalised_username = wbclient_normalise_username(request, wb_ctx, authparams.domain_name, authparams.account_name); + if (normalised_username) { + RDEBUG2("Starting retry, normalised username %s to %s", authparams.account_name, normalised_username); + if (strcmp(authparams.account_name, normalised_username) != 0) { + authparams.account_name = normalised_username; + + /* Set PW_MS_CHAP_USER_NAME */ + if (!fr_pair_make(request->packet, &request->packet->vps, "MS-CHAP-User-Name", normalised_username, T_OP_SET)) { + RERROR("Failed creating MS-CHAP-User-Name"); + goto normalised_username_retry_failure; + } + + RDEBUG2("retrying authentication request user='%s' domain='%s'", authparams.account_name, + authparams.domain_name); + + /* Recalculate hash */ + if (!(vp_challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY))) { + RERROR("Unable to get MS-CHAP-Challenge"); + goto normalised_username_retry_failure; + } + if (!(vp_response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY))) { + RERROR("Unable to get MS-CHAP2-Response"); + goto normalised_username_retry_failure; + } + mschap_challenge_hash(vp_response->vp_octets + 2, + vp_challenge->vp_octets, + normalised_username, + authparams.password.response.challenge); + + err = wbcCtxAuthenticateUserEx(wb_ctx, &authparams, &info, &error); + } +normalised_username_retry_failure: + talloc_free(normalised_username); + } + } + + fr_connection_release(inst->wb_pool, wb_ctx); + + /* + * Try and give some useful feedback on what happened. There are only + * a few errors that can actually be returned from wbcCtxAuthenticateUserEx. + */ + switch (err) { + case WBC_ERR_SUCCESS: + rcode = 0; + RDEBUG2("Authenticated successfully"); + /* Grab the nthashhash from the result */ + memcpy(nthashhash, info->user_session_key, NT_DIGEST_LENGTH); + break; + case WBC_ERR_WINBIND_NOT_AVAILABLE: + rcode = -2; + RERROR("Unable to contact winbind!"); + RDEBUG2("Check that winbind is running and that FreeRADIUS has"); + RDEBUG2("permission to connect to the winbind privileged socket."); + break; + case WBC_ERR_DOMAIN_NOT_FOUND: + REDEBUG2("Domain not found"); + break; + case WBC_ERR_AUTH_ERROR: + if (!error) { + REDEBUG2("Authentication failed"); + break; + } + + /* + * The password needs to be changed, so set rcode appropriately. + */ + if (error->nt_status == NT_STATUS_PASSWORD_EXPIRED || + error->nt_status == NT_STATUS_PASSWORD_MUST_CHANGE) { + rcode = -648; + } + + /* + * Return the NT_STATUS human readable error string, if there is one. + */ + if (error->display_string) { + REDEBUG2("%s [0x%X]", error->display_string, error->nt_status); + } else { + REDEBUG2("Authentication failed [0x%X]", error->nt_status); + } + break; + default: + /* + * Only errors left are + * WBC_ERR_INVALID_PARAM + * WBC_ERR_NO_MEMORY + * neither of which are particularly likely. + */ + rcode = -2; + if (error && error->display_string) { + REDEBUG2("libwbclient error: wbcErr %d (%s)", err, error->display_string); + } else { + REDEBUG2("libwbclient error: wbcErr %d", err); + } + break; + } + + +done: + if (info) wbcFreeMemory(info); + if (error) wbcFreeMemory(error); + + return rcode; +} + diff --git a/src/modules/rlm_mschap/auth_wbclient.h b/src/modules/rlm_mschap/auth_wbclient.h new file mode 100644 index 0000000..e54591c --- /dev/null +++ b/src/modules/rlm_mschap/auth_wbclient.h @@ -0,0 +1,19 @@ +/* Copyright 2015 The FreeRADIUS server project */ + +#ifndef _AUTH_WBCLIENT_H +#define _AUTH_WBCLIENT_H + +RCSIDH(auth_wbclient_h, "$Id$") + +#include <wbclient.h> + +/* Samba does not export this constant yet */ +#ifndef WBC_MSV1_0_ALLOW_MSVCHAPV2 +#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000 +#endif + +int do_auth_wbclient(rlm_mschap_t *inst, REQUEST *request, + uint8_t const *challenge, uint8_t const *response, + uint8_t nthashhash[NT_DIGEST_LENGTH]); + +#endif /*_AUTH_WBCLIENT_H*/ diff --git a/src/modules/rlm_mschap/config.h.in b/src/modules/rlm_mschap/config.h.in new file mode 100644 index 0000000..ccd7fc8 --- /dev/null +++ b/src/modules/rlm_mschap/config.h.in @@ -0,0 +1,7 @@ +/* config.h.in. Generated from configure.ac by autoheader. */ + +/* Build with Apple Open Directory support */ +#undef HAVE_MEMBERSHIP_H + +/* Build with direct winbind auth support */ +#undef WITH_AUTH_WINBIND diff --git a/src/modules/rlm_mschap/configure b/src/modules/rlm_mschap/configure new file mode 100755 index 0000000..46350d9 --- /dev/null +++ b/src/modules/rlm_mschap/configure @@ -0,0 +1,4815 @@ +#! /bin/sh +# From configure.ac Revision. +# Guess values for system-dependent variables and create Makefiles. +# Generated by GNU Autoconf 2.69. +# +# +# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. +# +# +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi + + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +as_myself= +case $0 in #(( + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + exit 1 +fi + +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + +# Use a proper internal environment variable to ensure we don't fall + # into an infinite loop, continuously re-executing ourselves. + if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then + _as_can_reexec=no; export _as_can_reexec; + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +as_fn_exit 255 + fi + # We don't want this to propagate to other subprocesses. + { _as_can_reexec=; unset _as_can_reexec;} +if test "x$CONFIG_SHELL" = x; then + as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which + # is contrary to our usage. Disable this feature. + alias -g '\${1+\"\$@\"}'='\"\$@\"' + setopt NO_GLOB_SUBST +else + case \`(set -o) 2>/dev/null\` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi +" + as_required="as_fn_return () { (exit \$1); } +as_fn_success () { as_fn_return 0; } +as_fn_failure () { as_fn_return 1; } +as_fn_ret_success () { return 0; } +as_fn_ret_failure () { return 1; } + +exitcode=0 +as_fn_success || { exitcode=1; echo as_fn_success failed.; } +as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } +as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } +as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } +if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : + +else + exitcode=1; echo positional parameters were not saved. +fi +test x\$exitcode = x0 || exit 1 +test -x / || exit 1" + as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO + as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO + eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && + test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1" + if (eval "$as_required") 2>/dev/null; then : + as_have_required=yes +else + as_have_required=no +fi + if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : + +else + as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +as_found=false +for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + as_found=: + case $as_dir in #( + /*) + for as_base in sh bash ksh sh5; do + # Try only shells that exist, to save several forks. + as_shell=$as_dir/$as_base + if { test -f "$as_shell" || test -f "$as_shell.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : + CONFIG_SHELL=$as_shell as_have_required=yes + if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : + break 2 +fi +fi + done;; + esac + as_found=false +done +$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && + { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : + CONFIG_SHELL=$SHELL as_have_required=yes +fi; } +IFS=$as_save_IFS + + + if test "x$CONFIG_SHELL" != x; then : + export CONFIG_SHELL + # We cannot yet assume a decent shell, so we have to provide a +# neutralization value for shells without unset; and this also +# works around shells that cannot unset nonexistent variables. +# Preserve -v and -x to the replacement shell. +BASH_ENV=/dev/null +ENV=/dev/null +(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV +case $- in # (((( + *v*x* | *x*v* ) as_opts=-vx ;; + *v* ) as_opts=-v ;; + *x* ) as_opts=-x ;; + * ) as_opts= ;; +esac +exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} +# Admittedly, this is quite paranoid, since all the known shells bail +# out after a failed `exec'. +$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 +exit 255 +fi + + if test x$as_have_required = xno; then : + $as_echo "$0: This script requires a shell more modern than all" + $as_echo "$0: the shells that I found on your system." + if test x${ZSH_VERSION+set} = xset ; then + $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" + $as_echo "$0: be upgraded to zsh 4.3.4 or later." + else + $as_echo "$0: Please tell bug-autoconf@gnu.org about your system, +$0: including any error possibly output before this +$0: message. Then install a modern shell, or manually run +$0: the script under such a shell if you do have one." + fi + exit 1 +fi +fi +fi +SHELL=${CONFIG_SHELL-/bin/sh} +export SHELL +# Unset more variables known to interfere with behavior of common tools. +CLICOLOR_FORCE= GREP_OPTIONS= +unset CLICOLOR_FORCE GREP_OPTIONS + +## --------------------- ## +## M4sh Shell Functions. ## +## --------------------- ## +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" + + +} # as_fn_mkdir_p + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith + + +# as_fn_error STATUS ERROR [LINENO LOG_FD] +# ---------------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +# script with STATUS, using 1 if that was 0. +as_fn_error () +{ + as_status=$1; test $as_status -eq 0 && as_status=1 + if test "$4"; then + as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 + fi + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status +} # as_fn_error + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + + + as_lineno_1=$LINENO as_lineno_1a=$LINENO + as_lineno_2=$LINENO as_lineno_2a=$LINENO + eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && + test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { + # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) + sed -n ' + p + /[$]LINENO/= + ' <$as_myself | + sed ' + s/[$]LINENO.*/&-/ + t lineno + b + :lineno + N + :loop + s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ + t loop + s/-\n.*// + ' >$as_me.lineno && + chmod +x "$as_me.lineno" || + { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } + + # If we had to re-execute with $CONFIG_SHELL, we're ensured to have + # already done that, so ensure we don't try to do so again and fall + # in an infinite loop. This has already happened in practice. + _as_can_reexec=no; export _as_can_reexec + # Don't try to exec as it changes $[0], causing all sort of problems + # (the dirname of $[0] is not the place where we might find the + # original and so on. Autoconf is especially sensitive to this). + . "./$as_me.lineno" + # Exit status is that of the last command. + exit +} + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in #((((( +-n*) + case `echo 'xy\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; + esac;; +*) + ECHO_N='-n';; +esac + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -pR' + fi +else + as_ln_s='cp -pR' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + +if mkdir -p . 2>/dev/null; then + as_mkdir_p='mkdir -p "$as_dir"' +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + +as_test_x='test -x' +as_executable_p=as_fn_executable_p + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +test -n "$DJDIR" || exec 7<&0 </dev/null +exec 6>&1 + +# Name of the host. +# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, +# so uname gets run too. +ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` + +# +# Initializations. +# +ac_default_prefix=/usr/local +ac_clean_files= +ac_config_libobj_dir=. +LIBOBJS= +cross_compiling=no +subdirs= +MFLAGS= +MAKEFLAGS= + +# Identity of this package. +PACKAGE_NAME= +PACKAGE_TARNAME= +PACKAGE_VERSION= +PACKAGE_STRING= +PACKAGE_BUGREPORT= +PACKAGE_URL= + +ac_unique_file="rlm_mschap.c" +ac_subst_vars='LTLIBOBJS +LIBOBJS +targetname +mod_cflags +mod_ldflags +mschap_sources +CPP +OBJEXT +EXEEXT +ac_ct_CC +CPPFLAGS +LDFLAGS +CFLAGS +CC +target_alias +host_alias +build_alias +LIBS +ECHO_T +ECHO_N +ECHO_C +DEFS +mandir +localedir +libdir +psdir +pdfdir +dvidir +htmldir +infodir +docdir +oldincludedir +includedir +runstatedir +localstatedir +sharedstatedir +sysconfdir +datadir +datarootdir +libexecdir +sbindir +bindir +program_transform_name +prefix +exec_prefix +PACKAGE_URL +PACKAGE_BUGREPORT +PACKAGE_STRING +PACKAGE_VERSION +PACKAGE_TARNAME +PACKAGE_NAME +PATH_SEPARATOR +SHELL' +ac_subst_files='' +ac_user_opts=' +enable_option_checking +with_rlm_mschap +with_winbind_include_dir +with_winbind_lib_dir +with_winbind_dir +' + ac_precious_vars='build_alias +host_alias +target_alias +CC +CFLAGS +LDFLAGS +LIBS +CPPFLAGS +CPP' + + +# Initialize some variables set by options. +ac_init_help= +ac_init_version=false +ac_unrecognized_opts= +ac_unrecognized_sep= +# The variables have the same names as the options, with +# dashes changed to underlines. +cache_file=/dev/null +exec_prefix=NONE +no_create= +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +verbose= +x_includes=NONE +x_libraries=NONE + +# Installation directory options. +# These are left unexpanded so users can "make install exec_prefix=/foo" +# and all the variables that are supposed to be based on exec_prefix +# by default will actually change. +# Use braces instead of parens because sh, perl, etc. also accept them. +# (The list follows the same order as the GNU Coding Standards.) +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datarootdir='${prefix}/share' +datadir='${datarootdir}' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +runstatedir='${localstatedir}/run' +includedir='${prefix}/include' +oldincludedir='/usr/include' +docdir='${datarootdir}/doc/${PACKAGE}' +infodir='${datarootdir}/info' +htmldir='${docdir}' +dvidir='${docdir}' +pdfdir='${docdir}' +psdir='${docdir}' +libdir='${exec_prefix}/lib' +localedir='${datarootdir}/locale' +mandir='${datarootdir}/man' + +ac_prev= +ac_dashdash= +for ac_option +do + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval $ac_prev=\$ac_option + ac_prev= + continue + fi + + case $ac_option in + *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; + *=) ac_optarg= ;; + *) ac_optarg=yes ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. + + case $ac_dashdash$ac_option in + --) + ac_dashdash=yes ;; + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir=$ac_optarg ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build_alias ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build_alias=$ac_optarg ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file=$ac_optarg ;; + + --config-cache | -C) + cache_file=config.cache ;; + + -datadir | --datadir | --datadi | --datad) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=*) + datadir=$ac_optarg ;; + + -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ + | --dataroo | --dataro | --datar) + ac_prev=datarootdir ;; + -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ + | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) + datarootdir=$ac_optarg ;; + + -disable-* | --disable-*) + ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid feature name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=no ;; + + -docdir | --docdir | --docdi | --doc | --do) + ac_prev=docdir ;; + -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) + docdir=$ac_optarg ;; + + -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) + ac_prev=dvidir ;; + -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) + dvidir=$ac_optarg ;; + + -enable-* | --enable-*) + ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid feature name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"enable_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval enable_$ac_useropt=\$ac_optarg ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix=$ac_optarg ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. + with_gas=yes ;; + + -help | --help | --hel | --he | -h) + ac_init_help=long ;; + -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) + ac_init_help=recursive ;; + -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) + ac_init_help=short ;; + + -host | --host | --hos | --ho) + ac_prev=host_alias ;; + -host=* | --host=* | --hos=* | --ho=*) + host_alias=$ac_optarg ;; + + -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) + ac_prev=htmldir ;; + -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ + | --ht=*) + htmldir=$ac_optarg ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir=$ac_optarg ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir=$ac_optarg ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir=$ac_optarg ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir=$ac_optarg ;; + + -localedir | --localedir | --localedi | --localed | --locale) + ac_prev=localedir ;; + -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) + localedir=$ac_optarg ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | --localst | --locals) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) + localstatedir=$ac_optarg ;; + + -mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir=$ac_optarg ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c | -n) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir=$ac_optarg ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix=$ac_optarg ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix=$ac_optarg ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | --program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix=$ac_optarg ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | --program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name=$ac_optarg ;; + + -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) + ac_prev=pdfdir ;; + -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) + pdfdir=$ac_optarg ;; + + -psdir | --psdir | --psdi | --psd | --ps) + ac_prev=psdir ;; + -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) + psdir=$ac_optarg ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -runstatedir | --runstatedir | --runstatedi | --runstated \ + | --runstate | --runstat | --runsta | --runst | --runs \ + | --run | --ru | --r) + ac_prev=runstatedir ;; + -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \ + | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \ + | --run=* | --ru=* | --r=*) + runstatedir=$ac_optarg ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir=$ac_optarg ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir=$ac_optarg ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site=$ac_optarg ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + srcdir=$ac_optarg ;; + + -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir=$ac_optarg ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target_alias ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target_alias=$ac_optarg ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers | -V) + ac_init_version=: ;; + + -with-* | --with-*) + ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid package name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=\$ac_optarg ;; + + -without-* | --without-*) + ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` + # Reject names that are not valid shell variable names. + expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && + as_fn_error $? "invalid package name: $ac_useropt" + ac_useropt_orig=$ac_useropt + ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` + case $ac_user_opts in + *" +"with_$ac_useropt" +"*) ;; + *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" + ac_unrecognized_sep=', ';; + esac + eval with_$ac_useropt=no ;; + + --x) + # Obsolete; use --with-x. + with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes=$ac_optarg ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries=$ac_optarg ;; + + -*) as_fn_error $? "unrecognized option: \`$ac_option' +Try \`$0 --help' for more information" + ;; + + *=*) + ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` + # Reject names that are not valid shell variable names. + case $ac_envvar in #( + '' | [0-9]* | *[!_$as_cr_alnum]* ) + as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; + esac + eval $ac_envvar=\$ac_optarg + export $ac_envvar ;; + + *) + # FIXME: should be removed in autoconf 3.0. + $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 + expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && + $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 + : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" + ;; + + esac +done + +if test -n "$ac_prev"; then + ac_option=--`echo $ac_prev | sed 's/_/-/g'` + as_fn_error $? "missing argument to $ac_option" +fi + +if test -n "$ac_unrecognized_opts"; then + case $enable_option_checking in + no) ;; + fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; + *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; + esac +fi + +# Check all directory arguments for consistency. +for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ + datadir sysconfdir sharedstatedir localstatedir includedir \ + oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ + libdir localedir mandir runstatedir +do + eval ac_val=\$$ac_var + # Remove trailing slashes. + case $ac_val in + */ ) + ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` + eval $ac_var=\$ac_val;; + esac + # Be sure to have absolute directory names. + case $ac_val in + [\\/$]* | ?:[\\/]* ) continue;; + NONE | '' ) case $ac_var in *prefix ) continue;; esac;; + esac + as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" +done + +# There might be people who depend on the old broken behavior: `$host' +# used to hold the argument of --host etc. +# FIXME: To remove some day. +build=$build_alias +host=$host_alias +target=$target_alias + +# FIXME: To remove some day. +if test "x$host_alias" != x; then + if test "x$build_alias" = x; then + cross_compiling=maybe + elif test "x$build_alias" != "x$host_alias"; then + cross_compiling=yes + fi +fi + +ac_tool_prefix= +test -n "$host_alias" && ac_tool_prefix=$host_alias- + +test "$silent" = yes && exec 6>/dev/null + + +ac_pwd=`pwd` && test -n "$ac_pwd" && +ac_ls_di=`ls -di .` && +ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || + as_fn_error $? "working directory cannot be determined" +test "X$ac_ls_di" = "X$ac_pwd_ls_di" || + as_fn_error $? "pwd does not report name of working directory" + + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then the parent directory. + ac_confdir=`$as_dirname -- "$as_myself" || +$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_myself" : 'X\(//\)[^/]' \| \ + X"$as_myself" : 'X\(//\)$' \| \ + X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_myself" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + srcdir=$ac_confdir + if test ! -r "$srcdir/$ac_unique_file"; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r "$srcdir/$ac_unique_file"; then + test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." + as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" +fi +ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" +ac_abs_confdir=`( + cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" + pwd)` +# When building in place, set srcdir=. +if test "$ac_abs_confdir" = "$ac_pwd"; then + srcdir=. +fi +# Remove unnecessary trailing slashes from srcdir. +# Double slashes in file names in object file debugging info +# mess up M-x gdb in Emacs. +case $srcdir in +*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; +esac +for ac_var in $ac_precious_vars; do + eval ac_env_${ac_var}_set=\${${ac_var}+set} + eval ac_env_${ac_var}_value=\$${ac_var} + eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} + eval ac_cv_env_${ac_var}_value=\$${ac_var} +done + +# +# Report the --help message. +# +if test "$ac_init_help" = "long"; then + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat <<_ACEOF +\`configure' configures this package to adapt to many kinds of systems. + +Usage: $0 [OPTION]... [VAR=VALUE]... + +To assign environment variables (e.g., CC, CFLAGS...), specify them as +VAR=VALUE. See below for descriptions of some of the useful variables. + +Defaults for the options are specified in brackets. + +Configuration: + -h, --help display this help and exit + --help=short display options specific to this package + --help=recursive display the short help of all the included packages + -V, --version display version information and exit + -q, --quiet, --silent do not print \`checking ...' messages + --cache-file=FILE cache test results in FILE [disabled] + -C, --config-cache alias for \`--cache-file=config.cache' + -n, --no-create do not create output files + --srcdir=DIR find the sources in DIR [configure dir or \`..'] + +Installation directories: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [PREFIX] + +By default, \`make install' will install all the files in +\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify +an installation prefix other than \`$ac_default_prefix' using \`--prefix', +for instance \`--prefix=\$HOME'. + +For better control, use the options below. + +Fine tuning of the installation directories: + --bindir=DIR user executables [EPREFIX/bin] + --sbindir=DIR system admin executables [EPREFIX/sbin] + --libexecdir=DIR program executables [EPREFIX/libexec] + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] + --localstatedir=DIR modifiable single-machine data [PREFIX/var] + --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run] + --libdir=DIR object code libraries [EPREFIX/lib] + --includedir=DIR C header files [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc [/usr/include] + --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] + --datadir=DIR read-only architecture-independent data [DATAROOTDIR] + --infodir=DIR info documentation [DATAROOTDIR/info] + --localedir=DIR locale-dependent data [DATAROOTDIR/locale] + --mandir=DIR man documentation [DATAROOTDIR/man] + --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE] + --htmldir=DIR html documentation [DOCDIR] + --dvidir=DIR dvi documentation [DOCDIR] + --pdfdir=DIR pdf documentation [DOCDIR] + --psdir=DIR ps documentation [DOCDIR] +_ACEOF + + cat <<\_ACEOF +_ACEOF +fi + +if test -n "$ac_init_help"; then + + cat <<\_ACEOF + +Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --without-rlm_mschap build without MS-CHAP support + --with-winbind-include-dir=DIR + Directory where the winbind includes may be found + --with-winbind-lib-dir=DIR + Directory where the winbind libraries may be found + --with-winbind-dir=DIR Base directory where winbind is installed + +Some influential environment variables: + CC C compiler command + CFLAGS C compiler flags + LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a + nonstandard directory <lib dir> + LIBS libraries to pass to the linker, e.g. -l<library> + CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if + you have headers in a nonstandard directory <include dir> + CPP C preprocessor + +Use these variables to override the choices made by `configure' or to help +it to find libraries and programs with nonstandard names/locations. + +Report bugs to the package provider. +_ACEOF +ac_status=$? +fi + +if test "$ac_init_help" = "recursive"; then + # If there are subdirs, report their specific --help. + for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue + test -d "$ac_dir" || + { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || + continue + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + cd "$ac_dir" || { ac_status=$?; continue; } + # Check for guested configure. + if test -f "$ac_srcdir/configure.gnu"; then + echo && + $SHELL "$ac_srcdir/configure.gnu" --help=recursive + elif test -f "$ac_srcdir/configure"; then + echo && + $SHELL "$ac_srcdir/configure" --help=recursive + else + $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 + fi || ac_status=$? + cd "$ac_pwd" || { ac_status=$?; break; } + done +fi + +test -n "$ac_init_help" && exit $ac_status +if $ac_init_version; then + cat <<\_ACEOF +configure +generated by GNU Autoconf 2.69 + +Copyright (C) 2012 Free Software Foundation, Inc. +This configure script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it. +_ACEOF + exit +fi + +## ------------------------ ## +## Autoconf initialization. ## +## ------------------------ ## + +# ac_fn_c_try_compile LINENO +# -------------------------- +# Try to compile conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_compile () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext + if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest.$ac_objext; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_compile + +# ac_fn_c_try_cpp LINENO +# ---------------------- +# Try to preprocess conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_cpp () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + if { { ac_try="$ac_cpp conftest.$ac_ext" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } > conftest.i && { + test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || + test ! -s conftest.err + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_cpp + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ + as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + rm -f conftest.$ac_objext conftest$ac_exeext + if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + grep -v '^ *+' conftest.err >conftest.er1 + cat conftest.er1 >&5 + mv -f conftest.er1 conftest.err + fi + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } && { + test -z "$ac_c_werror_flag" || + test ! -s conftest.err + } && test -s conftest$ac_exeext && { + test "$cross_compiling" = yes || + test -x conftest$ac_exeext + }; then : + ac_retval=0 +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_retval=1 +fi + # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information + # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would + # interfere with the next link command; also delete a directory that is + # left behind by Apple's compiler. We do this before executing the actions. + rm -rf conftest.dSYM conftest_ipa8_conftest.oo + eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno + as_fn_set_status $ac_retval + +} # ac_fn_c_try_link +cat >config.log <<_ACEOF +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. + +It was created by $as_me, which was +generated by GNU Autoconf 2.69. Invocation command line was + + $ $0 $@ + +_ACEOF +exec 5>>config.log +{ +cat <<_ASUNAME +## --------- ## +## Platform. ## +## --------- ## + +hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` +uname -m = `(uname -m) 2>/dev/null || echo unknown` +uname -r = `(uname -r) 2>/dev/null || echo unknown` +uname -s = `(uname -s) 2>/dev/null || echo unknown` +uname -v = `(uname -v) 2>/dev/null || echo unknown` + +/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` +/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` + +/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` +/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` +/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` +/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` +/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` +/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` +/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` + +_ASUNAME + +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + $as_echo "PATH: $as_dir" + done +IFS=$as_save_IFS + +} >&5 + +cat >&5 <<_ACEOF + + +## ----------- ## +## Core tests. ## +## ----------- ## + +_ACEOF + + +# Keep a trace of the command line. +# Strip out --no-create and --no-recursion so they do not pile up. +# Strip out --silent because we don't want to record it for future runs. +# Also quote any args containing shell meta-characters. +# Make two passes to allow for proper duplicate-argument suppression. +ac_configure_args= +ac_configure_args0= +ac_configure_args1= +ac_must_keep_next=false +for ac_pass in 1 2 +do + for ac_arg + do + case $ac_arg in + -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + continue ;; + *\'*) + ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + case $ac_pass in + 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; + 2) + as_fn_append ac_configure_args1 " '$ac_arg'" + if test $ac_must_keep_next = true; then + ac_must_keep_next=false # Got value, back to normal. + else + case $ac_arg in + *=* | --config-cache | -C | -disable-* | --disable-* \ + | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ + | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ + | -with-* | --with-* | -without-* | --without-* | --x) + case "$ac_configure_args0 " in + "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; + esac + ;; + -* ) ac_must_keep_next=true ;; + esac + fi + as_fn_append ac_configure_args " '$ac_arg'" + ;; + esac + done +done +{ ac_configure_args0=; unset ac_configure_args0;} +{ ac_configure_args1=; unset ac_configure_args1;} + +# When interrupted or exit'd, cleanup temporary files, and complete +# config.log. We remove comments because anyway the quotes in there +# would cause problems or look ugly. +# WARNING: Use '\'' to represent an apostrophe within the trap. +# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. +trap 'exit_status=$? + # Save into config.log some information that might help in debugging. + { + echo + + $as_echo "## ---------------- ## +## Cache variables. ## +## ---------------- ##" + echo + # The following way of writing the cache mishandles newlines in values, +( + for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) { eval $ac_var=; unset $ac_var;} ;; + esac ;; + esac + done + (set) 2>&1 | + case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + sed -n \ + "s/'\''/'\''\\\\'\'''\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" + ;; #( + *) + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) + echo + + $as_echo "## ----------------- ## +## Output variables. ## +## ----------------- ##" + echo + for ac_var in $ac_subst_vars + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + + if test -n "$ac_subst_files"; then + $as_echo "## ------------------- ## +## File substitutions. ## +## ------------------- ##" + echo + for ac_var in $ac_subst_files + do + eval ac_val=\$$ac_var + case $ac_val in + *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; + esac + $as_echo "$ac_var='\''$ac_val'\''" + done | sort + echo + fi + + if test -s confdefs.h; then + $as_echo "## ----------- ## +## confdefs.h. ## +## ----------- ##" + echo + cat confdefs.h + echo + fi + test "$ac_signal" != 0 && + $as_echo "$as_me: caught signal $ac_signal" + $as_echo "$as_me: exit $exit_status" + } >&5 + rm -f core *.core core.conftest.* && + rm -f -r conftest* confdefs* conf$$* $ac_clean_files && + exit $exit_status +' 0 +for ac_signal in 1 2 13 15; do + trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal +done +ac_signal=0 + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -f -r conftest* confdefs.h + +$as_echo "/* confdefs.h */" > confdefs.h + +# Predefined preprocessor variables. + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_NAME "$PACKAGE_NAME" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_TARNAME "$PACKAGE_TARNAME" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_VERSION "$PACKAGE_VERSION" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_STRING "$PACKAGE_STRING" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" +_ACEOF + +cat >>confdefs.h <<_ACEOF +#define PACKAGE_URL "$PACKAGE_URL" +_ACEOF + + +# Let the site file select an alternate cache file if it wants to. +# Prefer an explicitly selected file to automatically selected ones. +ac_site_file1=NONE +ac_site_file2=NONE +if test -n "$CONFIG_SITE"; then + # We do not want a PATH search for config.site. + case $CONFIG_SITE in #(( + -*) ac_site_file1=./$CONFIG_SITE;; + */*) ac_site_file1=$CONFIG_SITE;; + *) ac_site_file1=./$CONFIG_SITE;; + esac +elif test "x$prefix" != xNONE; then + ac_site_file1=$prefix/share/config.site + ac_site_file2=$prefix/etc/config.site +else + ac_site_file1=$ac_default_prefix/share/config.site + ac_site_file2=$ac_default_prefix/etc/config.site +fi +for ac_site_file in "$ac_site_file1" "$ac_site_file2" +do + test "x$ac_site_file" = xNONE && continue + if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 +$as_echo "$as_me: loading site script $ac_site_file" >&6;} + sed 's/^/| /' "$ac_site_file" >&5 + . "$ac_site_file" \ + || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "failed to load site script $ac_site_file +See \`config.log' for more details" "$LINENO" 5; } + fi +done + +if test -r "$cache_file"; then + # Some versions of bash will fail to source /dev/null (special files + # actually), so we avoid doing that. DJGPP emulates it as a regular file. + if test /dev/null != "$cache_file" && test -f "$cache_file"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 +$as_echo "$as_me: loading cache $cache_file" >&6;} + case $cache_file in + [\\/]* | ?:[\\/]* ) . "$cache_file";; + *) . "./$cache_file";; + esac + fi +else + { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 +$as_echo "$as_me: creating cache $cache_file" >&6;} + >$cache_file +fi + +# Check that the precious variables saved in the cache have kept the same +# value. +ac_cache_corrupted=false +for ac_var in $ac_precious_vars; do + eval ac_old_set=\$ac_cv_env_${ac_var}_set + eval ac_new_set=\$ac_env_${ac_var}_set + eval ac_old_val=\$ac_cv_env_${ac_var}_value + eval ac_new_val=\$ac_env_${ac_var}_value + case $ac_old_set,$ac_new_set in + set,) + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,set) + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 +$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} + ac_cache_corrupted=: ;; + ,);; + *) + if test "x$ac_old_val" != "x$ac_new_val"; then + # differences in whitespace do not lead to failure. + ac_old_val_w=`echo x $ac_old_val` + ac_new_val_w=`echo x $ac_new_val` + if test "$ac_old_val_w" != "$ac_new_val_w"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 +$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} + ac_cache_corrupted=: + else + { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 +$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} + eval $ac_var=\$ac_old_val + fi + { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 +$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 +$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} + fi;; + esac + # Pass precious variables to config.status. + if test "$ac_new_set" = set; then + case $ac_new_val in + *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; + *) ac_arg=$ac_var=$ac_new_val ;; + esac + case " $ac_configure_args " in + *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. + *) as_fn_append ac_configure_args " '$ac_arg'" ;; + esac + fi +done +if $ac_cache_corrupted; then + { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 +$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} + as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 +fi +## -------------------- ## +## Main body of script. ## +## -------------------- ## + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + + + + + +# Check whether --with-rlm_mschap was given. +if test "${with_rlm_mschap+set}" = set; then : + withval=$with_rlm_mschap; +fi + + + +if test x$with_rlm_mschap != xno; then + + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. +set dummy ${ac_tool_prefix}gcc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_CC"; then + ac_ct_CC=$CC + # Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="gcc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +else + CC="$ac_cv_prog_CC" +fi + +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. +set dummy ${ac_tool_prefix}cc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="${ac_tool_prefix}cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + fi +fi +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + ac_prog_rejected=no +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# != 0; then + # We chose a different compiler from the bogus one. + # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. + shift + ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" + fi +fi +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$CC"; then + if test -n "$ac_tool_prefix"; then + for ac_prog in cl.exe + do + # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. +set dummy $ac_tool_prefix$ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_CC="$ac_tool_prefix$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +CC=$ac_cv_prog_CC +if test -n "$CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 +$as_echo "$CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$CC" && break + done +fi +if test -z "$CC"; then + ac_ct_CC=$CC + for ac_prog in cl.exe +do + # Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_ac_ct_CC+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$ac_ct_CC"; then + ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_ac_ct_CC="$ac_prog" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +ac_ct_CC=$ac_cv_prog_ac_ct_CC +if test -n "$ac_ct_CC"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 +$as_echo "$ac_ct_CC" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + test -n "$ac_ct_CC" && break +done + + if test "x$ac_ct_CC" = x; then + CC="" + else + case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac + CC=$ac_ct_CC + fi +fi + +fi + + +test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "no acceptable C compiler found in \$PATH +See \`config.log' for more details" "$LINENO" 5; } + +# Provide some information about the compiler. +$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 +set X $ac_compile +ac_compiler=$2 +for ac_option in --version -v -V -qversion; do + { { ac_try="$ac_compiler $ac_option >&5" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compiler $ac_option >&5") 2>conftest.err + ac_status=$? + if test -s conftest.err; then + sed '10a\ +... rest of stderr output deleted ... + 10q' conftest.err >conftest.er1 + cat conftest.er1 >&5 + fi + rm -f conftest.er1 conftest.err + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } +done + +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" +# Try to create an executable without -o first, disregard a.out. +# It will help us diagnose broken compilers, and finding out an intuition +# of exeext. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 +$as_echo_n "checking whether the C compiler works... " >&6; } +ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` + +# The possible output files: +ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" + +ac_rmfiles= +for ac_file in $ac_files +do + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + * ) ac_rmfiles="$ac_rmfiles $ac_file";; + esac +done +rm -f $ac_rmfiles + +if { { ac_try="$ac_link_default" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link_default") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. +# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' +# in a Makefile. We should not override ac_cv_exeext if it was cached, +# so that the user can short-circuit this test for compilers unknown to +# Autoconf. +for ac_file in $ac_files '' +do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) + ;; + [ab].out ) + # We found the default executable, but exeext='' is most + # certainly right. + break;; + *.* ) + if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; + then :; else + ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + fi + # We set ac_cv_exeext here because the later test for it is not + # safe: cross compilers may not add the suffix if given an `-o' + # argument, so we may need to know it at that point already. + # Even if this section looks crufty: it has the advantage of + # actually working. + break;; + * ) + break;; + esac +done +test "$ac_cv_exeext" = no && ac_cv_exeext= + +else + ac_file='' +fi +if test -z "$ac_file"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +$as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error 77 "C compiler cannot create executables +See \`config.log' for more details" "$LINENO" 5; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 +$as_echo_n "checking for C compiler default output file name... " >&6; } +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 +$as_echo "$ac_file" >&6; } +ac_exeext=$ac_cv_exeext + +rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 +$as_echo_n "checking for suffix of executables... " >&6; } +if { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + # If both `conftest.exe' and `conftest' are `present' (well, observable) +# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will +# work properly (i.e., refer to `conftest.exe'), while it won't with +# `rm'. +for ac_file in conftest.exe conftest conftest.*; do + test -f "$ac_file" || continue + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; + *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` + break;; + * ) break;; + esac +done +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot compute suffix of executables: cannot compile and link +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f conftest conftest$ac_cv_exeext +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 +$as_echo "$ac_cv_exeext" >&6; } + +rm -f conftest.$ac_ext +EXEEXT=$ac_cv_exeext +ac_exeext=$EXEEXT +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdio.h> +int +main () +{ +FILE *f = fopen ("conftest.out", "w"); + return ferror (f) || fclose (f) != 0; + + ; + return 0; +} +_ACEOF +ac_clean_files="$ac_clean_files conftest.out" +# Check that the compiler produces executables we can run. If not, either +# the compiler is broken, or we cross compile. +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 +$as_echo_n "checking whether we are cross compiling... " >&6; } +if test "$cross_compiling" != yes; then + { { ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_link") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; } + if { ac_try='./conftest$ac_cv_exeext' + { { case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_try") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; }; then + cross_compiling=no + else + if test "$cross_compiling" = maybe; then + cross_compiling=yes + else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot run C compiled programs. +If you meant to cross compile, use \`--host'. +See \`config.log' for more details" "$LINENO" 5; } + fi + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 +$as_echo "$cross_compiling" >&6; } + +rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out +ac_clean_files=$ac_clean_files_save +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 +$as_echo_n "checking for suffix of object files... " >&6; } +if ${ac_cv_objext+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +rm -f conftest.o conftest.obj +if { { ac_try="$ac_compile" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 + (eval "$ac_compile") 2>&5 + ac_status=$? + $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 + test $ac_status = 0; }; then : + for ac_file in conftest.o conftest.obj conftest.*; do + test -f "$ac_file" || continue; + case $ac_file in + *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; + *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` + break;; + esac +done +else + $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "cannot compute suffix of object files: cannot compile +See \`config.log' for more details" "$LINENO" 5; } +fi +rm -f conftest.$ac_cv_objext conftest.$ac_ext +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 +$as_echo "$ac_cv_objext" >&6; } +OBJEXT=$ac_cv_objext +ac_objext=$OBJEXT +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 +$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } +if ${ac_cv_c_compiler_gnu+:} false; then : + $as_echo_n "(cached) " >&6 +else + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ +#ifndef __GNUC__ + choke me +#endif + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_compiler_gnu=yes +else + ac_compiler_gnu=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +ac_cv_c_compiler_gnu=$ac_compiler_gnu + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 +$as_echo "$ac_cv_c_compiler_gnu" >&6; } +if test $ac_compiler_gnu = yes; then + GCC=yes +else + GCC= +fi +ac_test_CFLAGS=${CFLAGS+set} +ac_save_CFLAGS=$CFLAGS +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 +$as_echo_n "checking whether $CC accepts -g... " >&6; } +if ${ac_cv_prog_cc_g+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_save_c_werror_flag=$ac_c_werror_flag + ac_c_werror_flag=yes + ac_cv_prog_cc_g=no + CFLAGS="-g" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_g=yes +else + CFLAGS="" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + ac_c_werror_flag=$ac_save_c_werror_flag + CFLAGS="-g" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_g=yes +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + ac_c_werror_flag=$ac_save_c_werror_flag +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 +$as_echo "$ac_cv_prog_cc_g" >&6; } +if test "$ac_test_CFLAGS" = set; then + CFLAGS=$ac_save_CFLAGS +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 +$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } +if ${ac_cv_prog_cc_c89+:} false; then : + $as_echo_n "(cached) " >&6 +else + ac_cv_prog_cc_c89=no +ac_save_CC=$CC +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdarg.h> +#include <stdio.h> +struct stat; +/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ +struct buf { int x; }; +FILE * (*rcsopen) (struct buf *, struct stat *, int); +static char *e (p, i) + char **p; + int i; +{ + return p[i]; +} +static char *f (char * (*g) (char **, int), char **p, ...) +{ + char *s; + va_list v; + va_start (v,p); + s = g (p, va_arg (v,int)); + va_end (v); + return s; +} + +/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has + function prototypes and stuff, but not '\xHH' hex character constants. + These don't provoke an error unfortunately, instead are silently treated + as 'x'. The following induces an error, until -std is added to get + proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an + array size at least. It's necessary to write '\x00'==0 to get something + that's true only with -std. */ +int osf4_cc_array ['\x00' == 0 ? 1 : -1]; + +/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters + inside strings and character constants. */ +#define FOO(x) 'x' +int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; + +int test (int i, double x); +struct s1 {int (*f) (int a);}; +struct s2 {int (*f) (double a);}; +int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); +int argc; +char **argv; +int +main () +{ +return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; + ; + return 0; +} +_ACEOF +for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ + -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" +do + CC="$ac_save_CC $ac_arg" + if ac_fn_c_try_compile "$LINENO"; then : + ac_cv_prog_cc_c89=$ac_arg +fi +rm -f core conftest.err conftest.$ac_objext + test "x$ac_cv_prog_cc_c89" != "xno" && break +done +rm -f conftest.$ac_ext +CC=$ac_save_CC + +fi +# AC_CACHE_VAL +case "x$ac_cv_prog_cc_c89" in + x) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 +$as_echo "none needed" >&6; } ;; + xno) + { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 +$as_echo "unsupported" >&6; } ;; + *) + CC="$CC $ac_cv_prog_cc_c89" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 +$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; +esac +if test "x$ac_cv_prog_cc_c89" != xno; then : + +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 +$as_echo_n "checking how to run the C preprocessor... " >&6; } +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then + if ${ac_cv_prog_CPP+:} false; then : + $as_echo_n "(cached) " >&6 +else + # Double quotes because CPP needs to be expanded + for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" + do + ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since + # <limits.h> exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include <limits.h> +#else +# include <assert.h> +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. +continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <ac_nonexistent.h> +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break +fi +rm -f conftest.err conftest.i conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + break +fi + + done + ac_cv_prog_CPP=$CPP + +fi + CPP=$ac_cv_prog_CPP +else + ac_cv_prog_CPP=$CPP +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 +$as_echo "$CPP" >&6; } +ac_preproc_ok=false +for ac_c_preproc_warn_flag in '' yes +do + # Use a header file that comes with gcc, so configuring glibc + # with a fresh cross-compiler works. + # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since + # <limits.h> exists even on freestanding compilers. + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. "Syntax error" is here to catch this case. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#ifdef __STDC__ +# include <limits.h> +#else +# include <assert.h> +#endif + Syntax error +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + +else + # Broken: fails on valid input. +continue +fi +rm -f conftest.err conftest.i conftest.$ac_ext + + # OK, works on sane cases. Now check whether nonexistent headers + # can be detected and how. + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <ac_nonexistent.h> +_ACEOF +if ac_fn_c_try_cpp "$LINENO"; then : + # Broken: success on invalid input. +continue +else + # Passes both tests. +ac_preproc_ok=: +break +fi +rm -f conftest.err conftest.i conftest.$ac_ext + +done +# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. +rm -f conftest.i conftest.err conftest.$ac_ext +if $ac_preproc_ok; then : + +else + { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 +$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} +as_fn_error $? "C preprocessor \"$CPP\" fails sanity check +See \`config.log' for more details" "$LINENO" 5; } +fi + +ac_ext=c +ac_cpp='$CPP $CPPFLAGS' +ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' +ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' +ac_compiler_gnu=$ac_cv_c_compiler_gnu + + + + winbind_include_dir= + +# Check whether --with-winbind-include-dir was given. +if test "${with_winbind_include_dir+set}" = set; then : + withval=$with_winbind_include_dir; case "$withval" in + no) + as_fn_error $? "Need winbind-include-dir" "$LINENO" 5 + ;; + yes) + ;; + *) + winbind_include_dir="$withval" + ;; + esac +fi + + + winbind_lib_dir= + +# Check whether --with-winbind-lib-dir was given. +if test "${with_winbind_lib_dir+set}" = set; then : + withval=$with_winbind_lib_dir; case "$withval" in + no) + as_fn_error $? "Need winbind-lib-dir" "$LINENO" 5 + ;; + yes) + ;; + *) + winbind_lib_dir="$withval" + ;; + esac +fi + + + +# Check whether --with-winbind-dir was given. +if test "${with_winbind_dir+set}" = set; then : + withval=$with_winbind_dir; case "$withval" in + no) + as_fn_error $? "Need winbind-dir" "$LINENO" 5 + ;; + yes) + ;; + *) + winbind_lib_dir="$withval/lib" + winbind_include_dir="$withval/include" + ;; + esac +fi + + + + + mschap_sources= + + + +ac_safe=`echo "membership.h" | sed 'y%./+-%__pm%'` +old_CPPFLAGS="$CPPFLAGS" +smart_include= +smart_include_dir="/usr/local/include /opt/include" + +_smart_try_dir= +_smart_include_dir= + +for _prefix in $smart_prefix ""; do + for _dir in $smart_try_dir; do + _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" + done + + for _dir in $smart_include_dir; do + _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" + done +done + +if test "x$_smart_try_dir" != "x"; then + for try in $_smart_try_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for membership.h in $try" >&5 +$as_echo_n "checking for membership.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <membership.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" = "x"; then + for _prefix in $smart_prefix; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/membership.h" >&5 +$as_echo_n "checking for ${_prefix}/membership.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <membership.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem ${_prefix}/" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +fi + +if test "x$smart_include" = "x"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for membership.h" >&5 +$as_echo_n "checking for membership.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <membership.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include=" " + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if test "x$smart_include" = "x"; then + + for try in $_smart_include_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for membership.h in $try" >&5 +$as_echo_n "checking for membership.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + + #include <membership.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" != "x"; then + eval "ac_cv_header_$ac_safe=yes" + CPPFLAGS="$smart_include $old_CPPFLAGS" + SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" +fi + +smart_prefix= + + if test "x$ac_cv_header_membership_h" = "xyes"; then + +$as_echo "#define HAVE_MEMBERSHIP_H 1" >>confdefs.h + + mschap_sources="$mschap_sources opendir.c" + mod_ldflags="-F /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks -framework DirectoryService" + fi + + smart_try_dir="$winbind_include_dir /usr/include/samba-4.0" + + +ac_safe=`echo "wbclient.h" | sed 'y%./+-%__pm%'` +old_CPPFLAGS="$CPPFLAGS" +smart_include= +smart_include_dir="/usr/local/include /opt/include" + +_smart_try_dir= +_smart_include_dir= + +for _prefix in $smart_prefix ""; do + for _dir in $smart_try_dir; do + _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" + done + + for _dir in $smart_include_dir; do + _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" + done +done + +if test "x$_smart_try_dir" != "x"; then + for try in $_smart_try_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbclient.h in $try" >&5 +$as_echo_n "checking for wbclient.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdint.h> + #include <stdbool.h> + #include <wbclient.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" = "x"; then + for _prefix in $smart_prefix; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/wbclient.h" >&5 +$as_echo_n "checking for ${_prefix}/wbclient.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdint.h> + #include <stdbool.h> + #include <wbclient.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem ${_prefix}/" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +fi + +if test "x$smart_include" = "x"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbclient.h" >&5 +$as_echo_n "checking for wbclient.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdint.h> + #include <stdbool.h> + #include <wbclient.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include=" " + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if test "x$smart_include" = "x"; then + + for try in $_smart_include_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbclient.h in $try" >&5 +$as_echo_n "checking for wbclient.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdint.h> + #include <stdbool.h> + #include <wbclient.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" != "x"; then + eval "ac_cv_header_$ac_safe=yes" + CPPFLAGS="$smart_include $old_CPPFLAGS" + SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" +fi + +smart_prefix= + + if test "x$ac_cv_header_wbclient_h" != "xyes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: wbclient.h not found. Use --with-winbind-include-dir=<path>." >&5 +$as_echo "$as_me: WARNING: wbclient.h not found. Use --with-winbind-include-dir=<path>." >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient" >&5 +$as_echo "$as_me: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient" >&2;} + fi + + + +ac_safe=`echo "core/ntstatus.h" | sed 'y%./+-%__pm%'` +old_CPPFLAGS="$CPPFLAGS" +smart_include= +smart_include_dir="/usr/local/include /opt/include" + +_smart_try_dir= +_smart_include_dir= + +for _prefix in $smart_prefix ""; do + for _dir in $smart_try_dir; do + _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}" + done + + for _dir in $smart_include_dir; do + _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}" + done +done + +if test "x$_smart_try_dir" != "x"; then + for try in $_smart_try_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for core/ntstatus.h in $try" >&5 +$as_echo_n "checking for core/ntstatus.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdint.h> + #include <stdbool.h> + #include <core/ntstatus.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" = "x"; then + for _prefix in $smart_prefix; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/core/ntstatus.h" >&5 +$as_echo_n "checking for ${_prefix}/core/ntstatus.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdint.h> + #include <stdbool.h> + #include <core/ntstatus.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem ${_prefix}/" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done +fi + +if test "x$smart_include" = "x"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for core/ntstatus.h" >&5 +$as_echo_n "checking for core/ntstatus.h... " >&6; } + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdint.h> + #include <stdbool.h> + #include <core/ntstatus.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include=" " + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext +fi + +if test "x$smart_include" = "x"; then + + for try in $_smart_include_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for core/ntstatus.h in $try" >&5 +$as_echo_n "checking for core/ntstatus.h in $try... " >&6; } + CPPFLAGS="-isystem $try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include <stdint.h> + #include <stdbool.h> + #include <core/ntstatus.h> +int +main () +{ +int a = 1; + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + + smart_include="-isystem $try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + + smart_include= + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + done + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_include" != "x"; then + eval "ac_cv_header_$ac_safe=yes" + CPPFLAGS="$smart_include $old_CPPFLAGS" + SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS" +fi + +smart_prefix= + + if test "x$ac_cv_header_core_ntstatus_h" != "xyes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: core/ntstatus.h not found. Use --with-winbind-include-dir=<path>." >&5 +$as_echo "$as_me: WARNING: core/ntstatus.h not found. Use --with-winbind-include-dir=<path>." >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient" >&5 +$as_echo "$as_me: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient" >&2;} + fi + + + if test "x$ac_cv_header_wbclient_h" = "xyes" && \ + test "x$ac_cv_header_core_ntstatus_h" = "xyes"; then + + smart_try_dir="$winbind_lib_dir" + + +sm_lib_safe=`echo "wbclient" | sed 'y%./+-%__p_%'` +sm_func_safe=`echo "wbcCtxAuthenticateUserEx" | sed 'y%./+-%__p_%'` + +old_LIBS="$LIBS" +old_CPPFLAGS="$CPPFLAGS" +smart_lib= +smart_ldflags= +smart_lib_dir= + +if test "x$smart_try_dir" != "x"; then + for try in $smart_try_dir; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbcCtxAuthenticateUserEx in -lwbclient in $try" >&5 +$as_echo_n "checking for wbcCtxAuthenticateUserEx in -lwbclient in $try... " >&6; } + LIBS="-lwbclient $old_LIBS" + CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +extern char wbcCtxAuthenticateUserEx(); +int +main () +{ +wbcCtxAuthenticateUserEx() + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + smart_lib="-lwbclient" + smart_ldflags="-L$try -Wl,-rpath,$try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + done + LIBS="$old_LIBS" + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_lib" = "x"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbcCtxAuthenticateUserEx in -lwbclient" >&5 +$as_echo_n "checking for wbcCtxAuthenticateUserEx in -lwbclient... " >&6; } + LIBS="-lwbclient $old_LIBS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +extern char wbcCtxAuthenticateUserEx(); +int +main () +{ +wbcCtxAuthenticateUserEx() + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + smart_lib="-lwbclient" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS="$old_LIBS" +fi + +if test "x$smart_lib" = "x"; then + for try in /usr/local/lib /opt/lib; do + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbcCtxAuthenticateUserEx in -lwbclient in $try" >&5 +$as_echo_n "checking for wbcCtxAuthenticateUserEx in -lwbclient in $try... " >&6; } + LIBS="-lwbclient $old_LIBS" + CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +extern char wbcCtxAuthenticateUserEx(); +int +main () +{ +wbcCtxAuthenticateUserEx() + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + + smart_lib="-lwbclient" + smart_ldflags="-L$try -Wl,-rpath,$try" + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + break + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + done + LIBS="$old_LIBS" + CPPFLAGS="$old_CPPFLAGS" +fi + +if test "x$smart_lib" != "x"; then + eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes" + LIBS="$smart_ldflags $smart_lib $old_LIBS" + SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS" +fi + + if test "x$ac_cv_lib_wbclient_wbcCtxAuthenticateUserEx" != "xyes"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: winbind libraries not found. Use --with-winbind-lib-dir=<path>." >&5 +$as_echo "$as_me: WARNING: winbind libraries not found. Use --with-winbind-lib-dir=<path>." >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Samba must be version 4.2.1 or higher to use this feature." >&5 +$as_echo "$as_me: WARNING: Samba must be version 4.2.1 or higher to use this feature." >&2;} + else + mschap_sources="$mschap_sources auth_wbclient.c" + +$as_echo "#define WITH_AUTH_WINBIND 1" >>confdefs.h + + fi + fi + + targetname=rlm_mschap +else + targetname= + echo \*\*\* module rlm_mschap is disabled. +fi + +if test x"$fail" != x""; then + if test x"${enable_strict_dependencies}" = x"yes"; then + as_fn_error $? "set --without-rlm_mschap to disable it explicitly." "$LINENO" 5 + else + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_mschap." >&5 +$as_echo "$as_me: WARNING: silently not building rlm_mschap." >&2;} + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_mschap requires: $fail." >&5 +$as_echo "$as_me: WARNING: FAILURE: rlm_mschap requires: $fail." >&2;}; + targetname="" + fi +fi + +mod_ldflags="$mod_ldflags $SMART_LIBS" +mod_cflags="$SMART_CPPFLAGS" + + + + + +ac_config_headers="$ac_config_headers config.h" + +ac_config_files="$ac_config_files rlm_mschap.mk" + +cat >confcache <<\_ACEOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs, see configure's option --config-cache. +# It is not useful on other systems. If it contains results you don't +# want to keep, you may remove or edit it. +# +# config.status only pays attention to the cache file if you give it +# the --recheck option to rerun configure. +# +# `ac_cv_env_foo' variables (set or unset) will be overridden when +# loading this file, other *unset* `ac_cv_foo' will be assigned the +# following values. + +_ACEOF + +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, we kill variables containing newlines. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. +( + for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do + eval ac_val=\$$ac_var + case $ac_val in #( + *${as_nl}*) + case $ac_var in #( + *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 +$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; + esac + case $ac_var in #( + _ | IFS | as_nl) ;; #( + BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( + *) { eval $ac_var=; unset $ac_var;} ;; + esac ;; + esac + done + + (set) 2>&1 | + case $as_nl`(ac_space=' '; set) 2>&1` in #( + *${as_nl}ac_space=\ *) + # `set' does not quote correctly, so add quotes: double-quote + # substitution turns \\\\ into \\, and sed turns \\ into \. + sed -n \ + "s/'/'\\\\''/g; + s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" + ;; #( + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" + ;; + esac | + sort +) | + sed ' + /^ac_cv_env_/b end + t clear + :clear + s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ + t end + s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ + :end' >>confcache +if diff "$cache_file" confcache >/dev/null 2>&1; then :; else + if test -w "$cache_file"; then + if test "x$cache_file" != "x/dev/null"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 +$as_echo "$as_me: updating cache $cache_file" >&6;} + if test ! -f "$cache_file" || test -h "$cache_file"; then + cat confcache >"$cache_file" + else + case $cache_file in #( + */* | ?:*) + mv -f confcache "$cache_file"$$ && + mv -f "$cache_file"$$ "$cache_file" ;; #( + *) + mv -f confcache "$cache_file" ;; + esac + fi + fi + else + { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 +$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} + fi +fi +rm -f confcache + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +DEFS=-DHAVE_CONFIG_H + +ac_libobjs= +ac_ltlibobjs= +U= +for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue + # 1. Remove the extension, and $U if already installed. + ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' + ac_i=`$as_echo "$ac_i" | sed "$ac_script"` + # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR + # will be set to the directory where LIBOBJS objects are built. + as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" + as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' +done +LIBOBJS=$ac_libobjs + +LTLIBOBJS=$ac_ltlibobjs + + + +: "${CONFIG_STATUS=./config.status}" +ac_write_fail=0 +ac_clean_files_save=$ac_clean_files +ac_clean_files="$ac_clean_files $CONFIG_STATUS" +{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 +$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} +as_write_fail=0 +cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 +#! $SHELL +# Generated by $as_me. +# Run this file to recreate the current configuration. +# Compiler output produced by configure, useful for debugging +# configure, is in config.log if it exists. + +debug=false +ac_cs_recheck=false +ac_cs_silent=false + +SHELL=\${CONFIG_SHELL-$SHELL} +export SHELL +_ASEOF +cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 +## -------------------- ## +## M4sh Initialization. ## +## -------------------- ## + +# Be more Bourne compatible +DUALCASE=1; export DUALCASE # for MKS sh +if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : + emulate sh + NULLCMD=: + # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which + # is contrary to our usage. Disable this feature. + alias -g '${1+"$@"}'='"$@"' + setopt NO_GLOB_SUBST +else + case `(set -o) 2>/dev/null` in #( + *posix*) : + set -o posix ;; #( + *) : + ;; +esac +fi + + +as_nl=' +' +export as_nl +# Printing a long string crashes Solaris 7 /usr/bin/printf. +as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo +as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo +# Prefer a ksh shell builtin over an external printf program on Solaris, +# but without wasting forks for bash or zsh. +if test -z "$BASH_VERSION$ZSH_VERSION" \ + && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='print -r --' + as_echo_n='print -rn --' +elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then + as_echo='printf %s\n' + as_echo_n='printf %s' +else + if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then + as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' + as_echo_n='/usr/ucb/echo -n' + else + as_echo_body='eval expr "X$1" : "X\\(.*\\)"' + as_echo_n_body='eval + arg=$1; + case $arg in #( + *"$as_nl"*) + expr "X$arg" : "X\\(.*\\)$as_nl"; + arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; + esac; + expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" + ' + export as_echo_n_body + as_echo_n='sh -c $as_echo_n_body as_echo' + fi + export as_echo_body + as_echo='sh -c $as_echo_body as_echo' +fi + +# The user is always right. +if test "${PATH_SEPARATOR+set}" != set; then + PATH_SEPARATOR=: + (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { + (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || + PATH_SEPARATOR=';' + } +fi + + +# IFS +# We need space, tab and new line, in precisely that order. Quoting is +# there to prevent editors from complaining about space-tab. +# (If _AS_PATH_WALK were called with IFS unset, it would disable word +# splitting by setting IFS to empty value.) +IFS=" "" $as_nl" + +# Find who we are. Look in the path if we contain no directory separator. +as_myself= +case $0 in #(( + *[\\/]* ) as_myself=$0 ;; + *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break + done +IFS=$as_save_IFS + + ;; +esac +# We did not find ourselves, most probably we were run as `sh COMMAND' +# in which case we are not to be found in the path. +if test "x$as_myself" = x; then + as_myself=$0 +fi +if test ! -f "$as_myself"; then + $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 + exit 1 +fi + +# Unset variables that we do not need and which cause bugs (e.g. in +# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" +# suppresses any "Segmentation fault" message there. '((' could +# trigger a bug in pdksh 5.2.14. +for as_var in BASH_ENV ENV MAIL MAILPATH +do eval test x\${$as_var+set} = xset \ + && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : +done +PS1='$ ' +PS2='> ' +PS4='+ ' + +# NLS nuisances. +LC_ALL=C +export LC_ALL +LANGUAGE=C +export LANGUAGE + +# CDPATH. +(unset CDPATH) >/dev/null 2>&1 && unset CDPATH + + +# as_fn_error STATUS ERROR [LINENO LOG_FD] +# ---------------------------------------- +# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are +# provided, also output the error to LOG_FD, referencing LINENO. Then exit the +# script with STATUS, using 1 if that was 0. +as_fn_error () +{ + as_status=$1; test $as_status -eq 0 && as_status=1 + if test "$4"; then + as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack + $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 + fi + $as_echo "$as_me: error: $2" >&2 + as_fn_exit $as_status +} # as_fn_error + + +# as_fn_set_status STATUS +# ----------------------- +# Set $? to STATUS, without forking. +as_fn_set_status () +{ + return $1 +} # as_fn_set_status + +# as_fn_exit STATUS +# ----------------- +# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. +as_fn_exit () +{ + set +e + as_fn_set_status $1 + exit $1 +} # as_fn_exit + +# as_fn_unset VAR +# --------------- +# Portably unset VAR. +as_fn_unset () +{ + { eval $1=; unset $1;} +} +as_unset=as_fn_unset +# as_fn_append VAR VALUE +# ---------------------- +# Append the text in VALUE to the end of the definition contained in VAR. Take +# advantage of any shell optimizations that allow amortized linear growth over +# repeated appends, instead of the typical quadratic growth present in naive +# implementations. +if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : + eval 'as_fn_append () + { + eval $1+=\$2 + }' +else + as_fn_append () + { + eval $1=\$$1\$2 + } +fi # as_fn_append + +# as_fn_arith ARG... +# ------------------ +# Perform arithmetic evaluation on the ARGs, and store the result in the +# global $as_val. Take advantage of shells that can avoid forks. The arguments +# must be portable across $(()) and expr. +if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : + eval 'as_fn_arith () + { + as_val=$(( $* )) + }' +else + as_fn_arith () + { + as_val=`expr "$@" || test $? -eq 1` + } +fi # as_fn_arith + + +if expr a : '\(a\)' >/dev/null 2>&1 && + test "X`expr 00001 : '.*\(...\)'`" = X001; then + as_expr=expr +else + as_expr=false +fi + +if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then + as_basename=basename +else + as_basename=false +fi + +if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then + as_dirname=dirname +else + as_dirname=false +fi + +as_me=`$as_basename -- "$0" || +$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ + X"$0" : 'X\(//\)$' \| \ + X"$0" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X/"$0" | + sed '/^.*\/\([^/][^/]*\)\/*$/{ + s//\1/ + q + } + /^X\/\(\/\/\)$/{ + s//\1/ + q + } + /^X\/\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + +# Avoid depending upon Character Ranges. +as_cr_letters='abcdefghijklmnopqrstuvwxyz' +as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' +as_cr_Letters=$as_cr_letters$as_cr_LETTERS +as_cr_digits='0123456789' +as_cr_alnum=$as_cr_Letters$as_cr_digits + +ECHO_C= ECHO_N= ECHO_T= +case `echo -n x` in #((((( +-n*) + case `echo 'xy\c'` in + *c*) ECHO_T=' ';; # ECHO_T is single tab character. + xy) ECHO_C='\c';; + *) echo `echo ksh88 bug on AIX 6.1` > /dev/null + ECHO_T=' ';; + esac;; +*) + ECHO_N='-n';; +esac + +rm -f conf$$ conf$$.exe conf$$.file +if test -d conf$$.dir; then + rm -f conf$$.dir/conf$$.file +else + rm -f conf$$.dir + mkdir conf$$.dir 2>/dev/null +fi +if (echo >conf$$.file) 2>/dev/null; then + if ln -s conf$$.file conf$$ 2>/dev/null; then + as_ln_s='ln -s' + # ... but there are two gotchas: + # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. + # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. + # In both cases, we have to default to `cp -pR'. + ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || + as_ln_s='cp -pR' + elif ln conf$$.file conf$$ 2>/dev/null; then + as_ln_s=ln + else + as_ln_s='cp -pR' + fi +else + as_ln_s='cp -pR' +fi +rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file +rmdir conf$$.dir 2>/dev/null + + +# as_fn_mkdir_p +# ------------- +# Create "$as_dir" as a directory, including parents if necessary. +as_fn_mkdir_p () +{ + + case $as_dir in #( + -*) as_dir=./$as_dir;; + esac + test -d "$as_dir" || eval $as_mkdir_p || { + as_dirs= + while :; do + case $as_dir in #( + *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( + *) as_qdir=$as_dir;; + esac + as_dirs="'$as_qdir' $as_dirs" + as_dir=`$as_dirname -- "$as_dir" || +$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$as_dir" : 'X\(//\)[^/]' \| \ + X"$as_dir" : 'X\(//\)$' \| \ + X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$as_dir" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + test -d "$as_dir" && break + done + test -z "$as_dirs" || eval "mkdir $as_dirs" + } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" + + +} # as_fn_mkdir_p +if mkdir -p . 2>/dev/null; then + as_mkdir_p='mkdir -p "$as_dir"' +else + test -d ./-p && rmdir ./-p + as_mkdir_p=false +fi + + +# as_fn_executable_p FILE +# ----------------------- +# Test if FILE is an executable regular file. +as_fn_executable_p () +{ + test -f "$1" && test -x "$1" +} # as_fn_executable_p +as_test_x='test -x' +as_executable_p=as_fn_executable_p + +# Sed expression to map a string onto a valid CPP name. +as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" + +# Sed expression to map a string onto a valid variable name. +as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" + + +exec 6>&1 +## ----------------------------------- ## +## Main body of $CONFIG_STATUS script. ## +## ----------------------------------- ## +_ASEOF +test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# Save the log message, to keep $0 and so on meaningful, and to +# report actual input values of CONFIG_FILES etc. instead of their +# values after options handling. +ac_log=" +This file was extended by $as_me, which was +generated by GNU Autoconf 2.69. Invocation command line was + + CONFIG_FILES = $CONFIG_FILES + CONFIG_HEADERS = $CONFIG_HEADERS + CONFIG_LINKS = $CONFIG_LINKS + CONFIG_COMMANDS = $CONFIG_COMMANDS + $ $0 $@ + +on `(hostname || uname -n) 2>/dev/null | sed 1q` +" + +_ACEOF + +case $ac_config_files in *" +"*) set x $ac_config_files; shift; ac_config_files=$*;; +esac + +case $ac_config_headers in *" +"*) set x $ac_config_headers; shift; ac_config_headers=$*;; +esac + + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +# Files that config.status was made for. +config_files="$ac_config_files" +config_headers="$ac_config_headers" + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +ac_cs_usage="\ +\`$as_me' instantiates files and other configuration actions +from templates according to the current configuration. Unless the files +and actions are specified as TAGs, all are instantiated by default. + +Usage: $0 [OPTION]... [TAG]... + + -h, --help print this help, then exit + -V, --version print version number and configuration settings, then exit + --config print configuration, then exit + -q, --quiet, --silent + do not print progress messages + -d, --debug don't remove temporary files + --recheck update $as_me by reconfiguring in the same conditions + --file=FILE[:TEMPLATE] + instantiate the configuration file FILE + --header=FILE[:TEMPLATE] + instantiate the configuration header FILE + +Configuration files: +$config_files + +Configuration headers: +$config_headers + +Report bugs to the package provider." + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" +ac_cs_version="\\ +config.status +configured by $0, generated by GNU Autoconf 2.69, + with options \\"\$ac_cs_config\\" + +Copyright (C) 2012 Free Software Foundation, Inc. +This config.status script is free software; the Free Software Foundation +gives unlimited permission to copy, distribute and modify it." + +ac_pwd='$ac_pwd' +srcdir='$srcdir' +test -n "\$AWK" || AWK=awk +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# The default lists apply if the user does not specify any file. +ac_need_defaults=: +while test $# != 0 +do + case $1 in + --*=?*) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` + ac_shift=: + ;; + --*=) + ac_option=`expr "X$1" : 'X\([^=]*\)='` + ac_optarg= + ac_shift=: + ;; + *) + ac_option=$1 + ac_optarg=$2 + ac_shift=shift + ;; + esac + + case $ac_option in + # Handling of the options. + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + ac_cs_recheck=: ;; + --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) + $as_echo "$ac_cs_version"; exit ;; + --config | --confi | --conf | --con | --co | --c ) + $as_echo "$ac_cs_config"; exit ;; + --debug | --debu | --deb | --de | --d | -d ) + debug=: ;; + --file | --fil | --fi | --f ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + '') as_fn_error $? "missing file argument" ;; + esac + as_fn_append CONFIG_FILES " '$ac_optarg'" + ac_need_defaults=false;; + --header | --heade | --head | --hea ) + $ac_shift + case $ac_optarg in + *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; + esac + as_fn_append CONFIG_HEADERS " '$ac_optarg'" + ac_need_defaults=false;; + --he | --h) + # Conflict between --help and --header + as_fn_error $? "ambiguous option: \`$1' +Try \`$0 --help' for more information.";; + --help | --hel | -h ) + $as_echo "$ac_cs_usage"; exit ;; + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil | --si | --s) + ac_cs_silent=: ;; + + # This is an error. + -*) as_fn_error $? "unrecognized option: \`$1' +Try \`$0 --help' for more information." ;; + + *) as_fn_append ac_config_targets " $1" + ac_need_defaults=false ;; + + esac + shift +done + +ac_configure_extra_args= + +if $ac_cs_silent; then + exec 6>/dev/null + ac_configure_extra_args="$ac_configure_extra_args --silent" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +if \$ac_cs_recheck; then + set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion + shift + \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 + CONFIG_SHELL='$SHELL' + export CONFIG_SHELL + exec "\$@" +fi + +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +exec 5>>config.log +{ + echo + sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX +## Running $as_me. ## +_ASBOX + $as_echo "$ac_log" +} >&5 + +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + +# Handling of arguments. +for ac_config_target in $ac_config_targets +do + case $ac_config_target in + "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; + "rlm_mschap.mk") CONFIG_FILES="$CONFIG_FILES rlm_mschap.mk" ;; + + *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; + esac +done + + +# If the user did not use the arguments to specify the items to instantiate, +# then the envvar interface is used. Set only those that are not. +# We use the long form for the default assignment because of an extremely +# bizarre bug on SunOS 4.1.3. +if $ac_need_defaults; then + test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files + test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers +fi + +# Have a temporary directory for convenience. Make it in the build tree +# simply because there is no reason against having it here, and in addition, +# creating and moving files from /tmp can sometimes cause problems. +# Hook for its removal unless debugging. +# Note that there is a small window in which the directory will not be cleaned: +# after its creation but before its name has been assigned to `$tmp'. +$debug || +{ + tmp= ac_tmp= + trap 'exit_status=$? + : "${ac_tmp:=$tmp}" + { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status +' 0 + trap 'as_fn_exit 1' 1 2 13 15 +} +# Create a (secure) tmp directory for tmp files. + +{ + tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && + test -d "$tmp" +} || +{ + tmp=./conf$$-$RANDOM + (umask 077 && mkdir "$tmp") +} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 +ac_tmp=$tmp + +# Set up the scripts for CONFIG_FILES section. +# No need to generate them if there are no CONFIG_FILES. +# This happens for instance with `./config.status config.h'. +if test -n "$CONFIG_FILES"; then + + +ac_cr=`echo X | tr X '\015'` +# On cygwin, bash can eat \r inside `` if the user requested igncr. +# But we know of no other shell where ac_cr would be empty at this +# point, so we can use a bashism as a fallback. +if test "x$ac_cr" = x; then + eval ac_cr=\$\'\\r\' +fi +ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null` +if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then + ac_cs_awk_cr='\\r' +else + ac_cs_awk_cr=$ac_cr +fi + +echo 'BEGIN {' >"$ac_tmp/subs1.awk" && +_ACEOF + + +{ + echo "cat >conf$$subs.awk <<_ACEOF" && + echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && + echo "_ACEOF" +} >conf$$subs.sh || + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 +ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` +ac_delim='%!_!# ' +for ac_last_try in false false false false false :; do + . ./conf$$subs.sh || + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + + ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` + if test $ac_delim_n = $ac_delim_num; then + break + elif $ac_last_try; then + as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done +rm -f conf$$subs.sh + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && +_ACEOF +sed -n ' +h +s/^/S["/; s/!.*/"]=/ +p +g +s/^[^!]*!// +:repl +t repl +s/'"$ac_delim"'$// +t delim +:nl +h +s/\(.\{148\}\)..*/\1/ +t more1 +s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ +p +n +b repl +:more1 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t nl +:delim +h +s/\(.\{148\}\)..*/\1/ +t more2 +s/["\\]/\\&/g; s/^/"/; s/$/"/ +p +b +:more2 +s/["\\]/\\&/g; s/^/"/; s/$/"\\/ +p +g +s/.\{148\}// +t delim +' <conf$$subs.awk | sed ' +/^[^""]/{ + N + s/\n// +} +' >>$CONFIG_STATUS || ac_write_fail=1 +rm -f conf$$subs.awk +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +_ACAWK +cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && + for (key in S) S_is_set[key] = 1 + FS = "" + +} +{ + line = $ 0 + nfields = split(line, field, "@") + substed = 0 + len = length(field[1]) + for (i = 2; i < nfields; i++) { + key = field[i] + keylen = length(key) + if (S_is_set[key]) { + value = S[key] + line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) + len += length(value) + length(field[++i]) + substed = 1 + } else + len += 1 + keylen + } + + print line +} + +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then + sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" +else + cat +fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ + || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 +_ACEOF + +# VPATH may cause trouble with some makes, so we remove sole $(srcdir), +# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and +# trailing colons and then remove the whole line if VPATH becomes empty +# (actually we leave an empty line to preserve line numbers). +if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ +h +s/// +s/^/:/ +s/[ ]*$/:/ +s/:\$(srcdir):/:/g +s/:\${srcdir}:/:/g +s/:@srcdir@:/:/g +s/^:*// +s/:*$// +x +s/\(=[ ]*\).*/\1/ +G +s/\n// +s/^[^=]*=[ ]*$// +}' +fi + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +fi # test -n "$CONFIG_FILES" + +# Set up the scripts for CONFIG_HEADERS section. +# No need to generate them if there are no CONFIG_HEADERS. +# This happens for instance with `./config.status Makefile'. +if test -n "$CONFIG_HEADERS"; then +cat >"$ac_tmp/defines.awk" <<\_ACAWK || +BEGIN { +_ACEOF + +# Transform confdefs.h into an awk script `defines.awk', embedded as +# here-document in config.status, that substitutes the proper values into +# config.h.in to produce config.h. + +# Create a delimiter string that does not exist in confdefs.h, to ease +# handling of long lines. +ac_delim='%!_!# ' +for ac_last_try in false false :; do + ac_tt=`sed -n "/$ac_delim/p" confdefs.h` + if test -z "$ac_tt"; then + break + elif $ac_last_try; then + as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 + else + ac_delim="$ac_delim!$ac_delim _$ac_delim!! " + fi +done + +# For the awk script, D is an array of macro values keyed by name, +# likewise P contains macro parameters if any. Preserve backslash +# newline sequences. + +ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* +sed -n ' +s/.\{148\}/&'"$ac_delim"'/g +t rset +:rset +s/^[ ]*#[ ]*define[ ][ ]*/ / +t def +d +:def +s/\\$// +t bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3"/p +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p +d +:bsnl +s/["\\]/\\&/g +s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ +D["\1"]=" \3\\\\\\n"\\/p +t cont +s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p +t cont +d +:cont +n +s/.\{148\}/&'"$ac_delim"'/g +t clear +:clear +s/\\$// +t bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/"/p +d +:bsnlc +s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p +b cont +' <confdefs.h | sed ' +s/'"$ac_delim"'/"\\\ +"/g' >>$CONFIG_STATUS || ac_write_fail=1 + +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + for (key in D) D_is_set[key] = 1 + FS = "" +} +/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { + line = \$ 0 + split(line, arg, " ") + if (arg[1] == "#") { + defundef = arg[2] + mac1 = arg[3] + } else { + defundef = substr(arg[1], 2) + mac1 = arg[2] + } + split(mac1, mac2, "(") #) + macro = mac2[1] + prefix = substr(line, 1, index(line, defundef) - 1) + if (D_is_set[macro]) { + # Preserve the white space surrounding the "#". + print prefix "define", macro P[macro] D[macro] + next + } else { + # Replace #undef with comments. This is necessary, for example, + # in the case of _POSIX_SOURCE, which is predefined and required + # on some systems where configure will not decide to define it. + if (defundef == "undef") { + print "/*", prefix defundef, macro, "*/" + next + } + } +} +{ print } +_ACAWK +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 + as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 +fi # test -n "$CONFIG_HEADERS" + + +eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS " +shift +for ac_tag +do + case $ac_tag in + :[FHLC]) ac_mode=$ac_tag; continue;; + esac + case $ac_mode$ac_tag in + :[FHL]*:*);; + :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; + :[FH]-) ac_tag=-:-;; + :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; + esac + ac_save_IFS=$IFS + IFS=: + set x $ac_tag + IFS=$ac_save_IFS + shift + ac_file=$1 + shift + + case $ac_mode in + :L) ac_source=$1;; + :[FH]) + ac_file_inputs= + for ac_f + do + case $ac_f in + -) ac_f="$ac_tmp/stdin";; + *) # Look for the file first in the build tree, then in the source tree + # (if the path is not absolute). The absolute path cannot be DOS-style, + # because $ac_f cannot contain `:'. + test -f "$ac_f" || + case $ac_f in + [\\/$]*) false;; + *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; + esac || + as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; + esac + case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac + as_fn_append ac_file_inputs " '$ac_f'" + done + + # Let's still pretend it is `configure' which instantiates (i.e., don't + # use $as_me), people would be surprised to read: + # /* config.h. Generated by config.status. */ + configure_input='Generated from '` + $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' + `' by configure.' + if test x"$ac_file" != x-; then + configure_input="$ac_file. $configure_input" + { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 +$as_echo "$as_me: creating $ac_file" >&6;} + fi + # Neutralize special characters interpreted by sed in replacement strings. + case $configure_input in #( + *\&* | *\|* | *\\* ) + ac_sed_conf_input=`$as_echo "$configure_input" | + sed 's/[\\\\&|]/\\\\&/g'`;; #( + *) ac_sed_conf_input=$configure_input;; + esac + + case $ac_tag in + *:-:* | *:-) cat >"$ac_tmp/stdin" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; + esac + ;; + esac + + ac_dir=`$as_dirname -- "$ac_file" || +$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ + X"$ac_file" : 'X\(//\)[^/]' \| \ + X"$ac_file" : 'X\(//\)$' \| \ + X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || +$as_echo X"$ac_file" | + sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ + s//\1/ + q + } + /^X\(\/\/\)[^/].*/{ + s//\1/ + q + } + /^X\(\/\/\)$/{ + s//\1/ + q + } + /^X\(\/\).*/{ + s//\1/ + q + } + s/.*/./; q'` + as_dir="$ac_dir"; as_fn_mkdir_p + ac_builddir=. + +case "$ac_dir" in +.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; +*) + ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` + # A ".." for each directory in $ac_dir_suffix. + ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` + case $ac_top_builddir_sub in + "") ac_top_builddir_sub=. ac_top_build_prefix= ;; + *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; + esac ;; +esac +ac_abs_top_builddir=$ac_pwd +ac_abs_builddir=$ac_pwd$ac_dir_suffix +# for backward compatibility: +ac_top_builddir=$ac_top_build_prefix + +case $srcdir in + .) # We are building in place. + ac_srcdir=. + ac_top_srcdir=$ac_top_builddir_sub + ac_abs_top_srcdir=$ac_pwd ;; + [\\/]* | ?:[\\/]* ) # Absolute name. + ac_srcdir=$srcdir$ac_dir_suffix; + ac_top_srcdir=$srcdir + ac_abs_top_srcdir=$srcdir ;; + *) # Relative name. + ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix + ac_top_srcdir=$ac_top_build_prefix$srcdir + ac_abs_top_srcdir=$ac_pwd/$srcdir ;; +esac +ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix + + + case $ac_mode in + :F) + # + # CONFIG_FILE + # + +_ACEOF + +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +# If the template does not know about datarootdir, expand it. +# FIXME: This hack should be removed a few years after 2.60. +ac_datarootdir_hack=; ac_datarootdir_seen= +ac_sed_dataroot=' +/datarootdir/ { + p + q +} +/@datadir@/p +/@docdir@/p +/@infodir@/p +/@localedir@/p +/@mandir@/p' +case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in +*datarootdir*) ac_datarootdir_seen=yes;; +*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 +$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} +_ACEOF +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 + ac_datarootdir_hack=' + s&@datadir@&$datadir&g + s&@docdir@&$docdir&g + s&@infodir@&$infodir&g + s&@localedir@&$localedir&g + s&@mandir@&$mandir&g + s&\\\${datarootdir}&$datarootdir&g' ;; +esac +_ACEOF + +# Neutralize VPATH when `$srcdir' = `.'. +# Shell code in configure.ac might set extrasub. +# FIXME: do we really want to maintain this feature? +cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 +ac_sed_extra="$ac_vpsub +$extrasub +_ACEOF +cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 +:t +/@[a-zA-Z_][a-zA-Z_0-9]*@/!b +s|@configure_input@|$ac_sed_conf_input|;t t +s&@top_builddir@&$ac_top_builddir_sub&;t t +s&@top_build_prefix@&$ac_top_build_prefix&;t t +s&@srcdir@&$ac_srcdir&;t t +s&@abs_srcdir@&$ac_abs_srcdir&;t t +s&@top_srcdir@&$ac_top_srcdir&;t t +s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t +s&@builddir@&$ac_builddir&;t t +s&@abs_builddir@&$ac_abs_builddir&;t t +s&@abs_top_builddir@&$ac_abs_top_builddir&;t t +$ac_datarootdir_hack +" +eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \ + >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + +test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && + { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && + { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ + "$ac_tmp/out"`; test -z "$ac_out"; } && + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined" >&5 +$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' +which seems to be undefined. Please make sure it is defined" >&2;} + + rm -f "$ac_tmp/stdin" + case $ac_file in + -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; + *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; + esac \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + ;; + :H) + # + # CONFIG_HEADER + # + if test x"$ac_file" != x-; then + { + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" + } >"$ac_tmp/config.h" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then + { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 +$as_echo "$as_me: $ac_file is unchanged" >&6;} + else + rm -f "$ac_file" + mv "$ac_tmp/config.h" "$ac_file" \ + || as_fn_error $? "could not create $ac_file" "$LINENO" 5 + fi + else + $as_echo "/* $configure_input */" \ + && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ + || as_fn_error $? "could not create -" "$LINENO" 5 + fi + ;; + + + esac + +done # for ac_tag + + +as_fn_exit 0 +_ACEOF +ac_clean_files=$ac_clean_files_save + +test $ac_write_fail = 0 || + as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 + + +# configure is writing to config.log, and then calls config.status. +# config.status does its own redirection, appending to config.log. +# Unfortunately, on DOS this fails, as config.log is still kept open +# by configure, so config.status won't be able to write to it; its +# output is simply discarded. So we exec the FD to /dev/null, +# effectively closing config.log, so it can be properly (re)opened and +# appended to by config.status. When coming back to configure, we +# need to make the FD available again. +if test "$no_create" != yes; then + ac_cs_success=: + ac_config_status_args= + test "$silent" = yes && + ac_config_status_args="$ac_config_status_args --quiet" + exec 5>/dev/null + $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false + exec 5>>config.log + # Use ||, not &&, to avoid exiting from the if with $? = 1, which + # would make configure fail if this is the last instruction. + $ac_cs_success || as_fn_exit 1 +fi +if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then + { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 +$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} +fi + + diff --git a/src/modules/rlm_mschap/configure.ac b/src/modules/rlm_mschap/configure.ac new file mode 100644 index 0000000..2c0cfb5 --- /dev/null +++ b/src/modules/rlm_mschap/configure.ac @@ -0,0 +1,133 @@ +AC_INIT(rlm_mschap.c) +AC_REVISION($Revision$) +FR_INIT_MODULE([rlm_mschap], [MS-CHAP support]) + +if test x$with_[]modname != xno; then + + AC_PROG_CC + AC_PROG_CPP + + dnl ############################################################ + dnl # Check for command line options + dnl ############################################################ + + dnl extra argument: --with-winbind-include-dir=DIR + winbind_include_dir= + AC_ARG_WITH(winbind-include-dir, + [AS_HELP_STRING([--with-winbind-include-dir=DIR], + [Directory where the winbind includes may be found])], + [case "$withval" in + no) + AC_MSG_ERROR(Need winbind-include-dir) + ;; + yes) + ;; + *) + winbind_include_dir="$withval" + ;; + esac]) + + dnl extra argument: --with-winbind-lib-dir=DIR + winbind_lib_dir= + AC_ARG_WITH(winbind-lib-dir, + [AS_HELP_STRING([--with-winbind-lib-dir=DIR], + [Directory where the winbind libraries may be found])], + [case "$withval" in + no) + AC_MSG_ERROR(Need winbind-lib-dir) + ;; + yes) + ;; + *) + winbind_lib_dir="$withval" + ;; + esac]) + + dnl extra argument: --with-winbind-dir=DIR + AC_ARG_WITH(winbind-dir, + [AS_HELP_STRING([--with-winbind-dir=DIR], + [Base directory where winbind is installed])], + [case "$withval" in + no) + AC_MSG_ERROR(Need winbind-dir) + ;; + yes) + ;; + *) + winbind_lib_dir="$withval/lib" + winbind_include_dir="$withval/include" + ;; + esac]) + + + dnl ############################################################ + dnl # Check for header files + dnl ############################################################ + + mschap_sources= + FR_SMART_CHECK_INCLUDE(membership.h) + if test "x$ac_cv_header_membership_h" = "xyes"; then + AC_DEFINE([HAVE_MEMBERSHIP_H],[1],[Build with Apple Open Directory support]) + mschap_sources="$mschap_sources opendir.c" + mod_ldflags="-F /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks -framework DirectoryService" + fi + + smart_try_dir="$winbind_include_dir /usr/include/samba-4.0" + FR_SMART_CHECK_INCLUDE(wbclient.h, [#include <stdint.h> + #include <stdbool.h>]) + if test "x$ac_cv_header_wbclient_h" != "xyes"; then + AC_MSG_WARN([wbclient.h not found. Use --with-winbind-include-dir=<path>.]) + AC_MSG_WARN([silently building without support for direct authentication via winbind. requires: libwbclient]) + fi + + FR_SMART_CHECK_INCLUDE(core/ntstatus.h, [#include <stdint.h> + #include <stdbool.h>]) + if test "x$ac_cv_header_core_ntstatus_h" != "xyes"; then + AC_MSG_WARN([core/ntstatus.h not found. Use --with-winbind-include-dir=<path>.]) + AC_MSG_WARN([silently building without support for direct authentication via winbind. requires: libwbclient]) + fi + + dnl ############################################################ + dnl # Check for libraries + dnl ############################################################ + + if test "x$ac_cv_header_wbclient_h" = "xyes" && \ + test "x$ac_cv_header_core_ntstatus_h" = "xyes"; then + + smart_try_dir="$winbind_lib_dir" + FR_SMART_CHECK_LIB(wbclient, wbcCtxAuthenticateUserEx) + if test "x$ac_cv_lib_wbclient_wbcCtxAuthenticateUserEx" != "xyes"; then + AC_MSG_WARN([winbind libraries not found. Use --with-winbind-lib-dir=<path>.]) + AC_MSG_WARN([Samba must be version 4.2.1 or higher to use this feature.]) + else + mschap_sources="$mschap_sources auth_wbclient.c" + AC_DEFINE([WITH_AUTH_WINBIND],[1],[Build with direct winbind auth support]) + fi + fi + + targetname=modname +else + targetname= + echo \*\*\* module modname is disabled. +fi + +if test x"$fail" != x""; then + if test x"${enable_strict_dependencies}" = x"yes"; then + AC_MSG_ERROR([set --without-]modname[ to disable it explicitly.]) + else + AC_MSG_WARN([silently not building ]modname[.]) + AC_MSG_WARN([FAILURE: ]modname[ requires: $fail.]); + targetname="" + fi +fi + +mod_ldflags="$mod_ldflags $SMART_LIBS" +mod_cflags="$SMART_CPPFLAGS" +AC_SUBST(mschap_sources) +AC_SUBST(mod_ldflags) +AC_SUBST(mod_cflags) +AC_SUBST(targetname) + +AC_CONFIG_HEADER(config.h) +AC_OUTPUT(rlm_mschap.mk) + diff --git a/src/modules/rlm_mschap/mschap.c b/src/modules/rlm_mschap/mschap.c new file mode 100644 index 0000000..4e088ed --- /dev/null +++ b/src/modules/rlm_mschap/mschap.c @@ -0,0 +1,147 @@ +/* + * mschap.c + * + * Version: $Id$ + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + * + * Copyright 2000,2001,2006,2010 The FreeRADIUS server project + */ + + +/* + * This implements MS-CHAP, as described in RFC 2548 + * + * http://www.freeradius.org/rfc/rfc2548.txt + * + */ + +RCSID("$Id$") + +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/modules.h> +#include <freeradius-devel/rad_assert.h> +#include <freeradius-devel/md5.h> +#include <freeradius-devel/sha1.h> + +#include <ctype.h> + +#include "smbdes.h" +#include "mschap.h" + +/** Converts Unicode password to 16-byte NT hash with MD4 + * + * @param[out] out Pointer to 16 byte output buffer. + * @param[in] password to encode. + * @return 0 on success else -1 on failure. + */ +int mschap_ntpwdhash(uint8_t *out, char const *password) +{ + ssize_t len; + uint8_t ucs2_password[512]; + + len = fr_utf8_to_ucs2(ucs2_password, sizeof(ucs2_password), password, strlen(password)); + if (len < 0) { + *out = '\0'; + return -1; + } + fr_md4_calc(out, (uint8_t *) ucs2_password, len); + + return 0; +} + +/* + * challenge_hash() is used by mschap2() and auth_response() + * implements RFC2759 ChallengeHash() + * generates 64 bit challenge + */ +void mschap_challenge_hash(uint8_t const *peer_challenge, + uint8_t const *auth_challenge, + char const *user_name, uint8_t *challenge ) +{ + fr_sha1_ctx Context; + uint8_t hash[20]; + + fr_sha1_init(&Context); + fr_sha1_update(&Context, peer_challenge, 16); + fr_sha1_update(&Context, auth_challenge, 16); + fr_sha1_update(&Context, (uint8_t const *) user_name, + strlen(user_name)); + fr_sha1_final(hash, &Context); + memcpy(challenge, hash, 8); +} + +/* + * auth_response() generates MS-CHAP v2 SUCCESS response + * according to RFC 2759 GenerateAuthenticatorResponse() + * returns 42-octet response string + */ +void mschap_auth_response(char const *username, + uint8_t const *nt_hash_hash, + uint8_t const *ntresponse, + uint8_t const *peer_challenge, uint8_t const *auth_challenge, + char *response) +{ + fr_sha1_ctx Context; + static const uint8_t magic1[39] = + {0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76, + 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65, + 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67, + 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74}; + + static const uint8_t magic2[41] = + {0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B, + 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F, + 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E, + 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F, + 0x6E}; + + static char const hex[] = "0123456789ABCDEF"; + + size_t i; + uint8_t challenge[8]; + uint8_t digest[20]; + + fr_sha1_init(&Context); + fr_sha1_update(&Context, nt_hash_hash, 16); + fr_sha1_update(&Context, ntresponse, 24); + fr_sha1_update(&Context, magic1, 39); + fr_sha1_final(digest, &Context); + mschap_challenge_hash(peer_challenge, auth_challenge, username, challenge); + fr_sha1_init(&Context); + fr_sha1_update(&Context, digest, 20); + fr_sha1_update(&Context, challenge, 8); + fr_sha1_update(&Context, magic2, 41); + fr_sha1_final(digest, &Context); + + /* + * Encode the value of 'Digest' as "S=" followed by + * 40 ASCII hexadecimal digits and return it in + * AuthenticatorResponse. + * For example, + * "S=0123456789ABCDEF0123456789ABCDEF01234567" + */ + response[0] = 'S'; + response[1] = '='; + + /* + * The hexadecimal digits [A-F] MUST be uppercase. + */ + for (i = 0; i < sizeof(digest); i++) { + response[2 + (i * 2)] = hex[(digest[i] >> 4) & 0x0f]; + response[3 + (i * 2)] = hex[digest[i] & 0x0f]; + } +} + diff --git a/src/modules/rlm_mschap/mschap.h b/src/modules/rlm_mschap/mschap.h new file mode 100644 index 0000000..6fcc485 --- /dev/null +++ b/src/modules/rlm_mschap/mschap.h @@ -0,0 +1,25 @@ +/* Copyright 2006 The FreeRADIUS server project */ + +#ifndef _MSCHAP_H +#define _MSCHAP_H + +RCSIDH(mschap_h, "$Id$") + +#define NT_DIGEST_LENGTH 16 +#define LM_DIGEST_LENGTH 16 + +int mschap_ntpwdhash(uint8_t *out, char const *password); +void mschap_challenge_hash(uint8_t const *peer_challenge, + uint8_t const *auth_challenge, + char const *user_name, uint8_t *challenge ); + +void mschap_auth_response(char const *username, + uint8_t const *nt_hash_hash, + uint8_t const *ntresponse, + uint8_t const *peer_challenge, uint8_t const *auth_challenge, + char *response); +void mschap_add_reply(REQUEST *request, unsigned char ident, + char const *name, char const *value, size_t len); + + +#endif /*_MSCHAP_H*/ diff --git a/src/modules/rlm_mschap/opendir.c b/src/modules/rlm_mschap/opendir.c new file mode 100644 index 0000000..b3fd9ff --- /dev/null +++ b/src/modules/rlm_mschap/opendir.c @@ -0,0 +1,418 @@ +#ifdef __APPLE__ +/* + * Open Directory support from Apple Inc. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 only, as published by + * the Free Software Foundation. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License version 2 + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + * + * Copyright 2007 Apple Inc. + */ + +RCSID("$Id$") +USES_APPLE_DEPRECATED_API + +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/modules.h> +#include <freeradius-devel/rad_assert.h> +#include <freeradius-devel/md5.h> + +#include <ctype.h> + +#include "smbdes.h" + +#include <DirectoryService/DirectoryService.h> + +#define kActiveDirLoc "/Active Directory/" + +/* + * In rlm_mschap.c + */ +void mschap_add_reply(REQUEST *request, unsigned char ident, + char const *name, char const *value, size_t len); + +/* + * Only used by rlm_mschap.c + */ +rlm_rcode_t od_mschap_auth(REQUEST *request, VALUE_PAIR *challenge, VALUE_PAIR * usernamepair); + + +static rlm_rcode_t getUserNodeRef(REQUEST *request, char* inUserName, char **outUserName, + tDirNodeReference* userNodeRef, tDirReference dsRef) +{ + tDataBuffer *tDataBuff = NULL; + tDirNodeReference nodeRef = 0; + long status = eDSNoErr; + char const *what = NULL; + char *status_name = NULL; + tContextData context = 0; + uint32_t nodeCount = 0; + uint32_t attrIndex = 0; + tDataList *nodeName = NULL; + tAttributeEntryPtr pAttrEntry = NULL; + tDataList *pRecName = NULL; + tDataList *pRecType = NULL; + tDataList *pAttrType = NULL; + uint32_t recCount = 0; + tRecordEntry *pRecEntry = NULL; + tAttributeListRef attrListRef = 0; + char *pUserLocation = NULL; + tAttributeValueListRef valueRef = 0; + tDataList *pUserNode = NULL; + rlm_rcode_t result = RLM_MODULE_FAIL; + + if (!inUserName) { + ERROR("rlm_mschap: getUserNodeRef(): no username"); + return RLM_MODULE_FAIL; + } + + tDataBuff = dsDataBufferAllocate(dsRef, 4096); + if (!tDataBuff) { + RERROR("Failed allocating buffer"); + return RLM_MODULE_FAIL; + } + + do { + /* find on search node */ + status = dsFindDirNodes(dsRef, tDataBuff, NULL, + eDSAuthenticationSearchNodeName, + &nodeCount, &context); +#define OPEN_DIR_ERROR(_x) do if (status != eDSNoErr) { \ + what = _x; \ + goto error; \ + } while (0) + + OPEN_DIR_ERROR("Failed to find directory"); + + if (nodeCount < 1) { + what = "No directories found."; + goto error; + } + + status = dsGetDirNodeName(dsRef, tDataBuff, 1, &nodeName); + OPEN_DIR_ERROR("Failed getting directory name"); + + status = dsOpenDirNode(dsRef, nodeName, &nodeRef); + dsDataListDeallocate(dsRef, nodeName); + free(nodeName); + nodeName = NULL; + + OPEN_DIR_ERROR("Failed opening directory"); + + pRecName = dsBuildListFromStrings(dsRef, inUserName, NULL); + pRecType = dsBuildListFromStrings(dsRef, kDSStdRecordTypeUsers, + NULL); + pAttrType = dsBuildListFromStrings(dsRef, + kDSNAttrMetaNodeLocation, + kDSNAttrRecordName, NULL); + + recCount = 1; + status = dsGetRecordList(nodeRef, tDataBuff, pRecName, + eDSExact, pRecType, pAttrType, 0, + &recCount, &context); + OPEN_DIR_ERROR("Failed getting record list"); + + if (recCount == 0) { + what = "No user records returned"; + goto error; + } + + status = dsGetRecordEntry(nodeRef, tDataBuff, 1, + &attrListRef, &pRecEntry); + OPEN_DIR_ERROR("Failed getting record entry"); + + for (attrIndex = 1; (attrIndex <= pRecEntry->fRecordAttributeCount) && (status == eDSNoErr); attrIndex++) { + status = dsGetAttributeEntry(nodeRef, tDataBuff, attrListRef, attrIndex, &valueRef, &pAttrEntry); + if (status == eDSNoErr && pAttrEntry != NULL) { + tAttributeValueEntry *pValueEntry = NULL; + + if (strcmp(pAttrEntry->fAttributeSignature.fBufferData, kDSNAttrMetaNodeLocation) == 0) { + status = dsGetAttributeValue(nodeRef, tDataBuff, 1, valueRef, &pValueEntry); + if (status == eDSNoErr && pValueEntry != NULL) { + pUserLocation = talloc_zero_array(request, char, pValueEntry->fAttributeValueData.fBufferLength + 1); + memcpy(pUserLocation, pValueEntry->fAttributeValueData.fBufferData, pValueEntry->fAttributeValueData.fBufferLength); + } + } else if (strcmp(pAttrEntry->fAttributeSignature.fBufferData, kDSNAttrRecordName) == 0) { + status = dsGetAttributeValue(nodeRef, tDataBuff, 1, valueRef, &pValueEntry); + if (status == eDSNoErr && pValueEntry != NULL) { + *outUserName = talloc_zero_array(request, char, pValueEntry->fAttributeValueData.fBufferLength + 1); + memcpy(*outUserName, pValueEntry->fAttributeValueData.fBufferData, pValueEntry->fAttributeValueData.fBufferLength); + } + } + + if (pValueEntry) { + dsDeallocAttributeValueEntry(dsRef, pValueEntry); + pValueEntry = NULL; + } + + dsDeallocAttributeEntry(dsRef, pAttrEntry); + pAttrEntry = NULL; + dsCloseAttributeValueList(valueRef); + valueRef = 0; + } + } + + if (!pUserLocation) { + DEBUG2("[mschap] OpenDirectory has no user location"); + result = RLM_MODULE_NOOP; + break; + } + + /* OpenDirectory doesn't support mschapv2 authentication against + * Active Directory. AD users need to be authenticated using the + * normal freeradius AD path (i.e. ntlm_auth). + */ + if (strncmp(pUserLocation, kActiveDirLoc, strlen(kActiveDirLoc)) == 0) { + DEBUG2("[mschap] OpenDirectory authentication returning noop. OD doesn't support MSCHAPv2 for ActiveDirectory users"); + result = RLM_MODULE_NOOP; + break; + } + + pUserNode = dsBuildFromPath(dsRef, pUserLocation, "/"); + if (!pUserNode) { + RERROR("Failed building user from path"); + result = RLM_MODULE_FAIL; + break; + } + + status = dsOpenDirNode(dsRef, pUserNode, userNodeRef); + dsDataListDeallocate(dsRef, pUserNode); + free(pUserNode); + + if (status != eDSNoErr) { + error: + status_name = dsCopyDirStatusName(status); + RERROR("%s: status = %s", what, status_name); + free(status_name); + result = RLM_MODULE_FAIL; + break; + } + + result = RLM_MODULE_OK; + } + while (0); + + if (pRecEntry != NULL) + dsDeallocRecordEntry(dsRef, pRecEntry); + + if (tDataBuff != NULL) + dsDataBufferDeAllocate(dsRef, tDataBuff); + + if (pUserLocation != NULL) + talloc_free(pUserLocation); + + if (pRecName != NULL) { + dsDataListDeallocate(dsRef, pRecName); + free(pRecName); + } + if (pRecType != NULL) { + dsDataListDeallocate(dsRef, pRecType); + free(pRecType); + } + if (pAttrType != NULL) { + dsDataListDeallocate(dsRef, pAttrType); + free(pAttrType); + } + if (nodeRef != 0) + dsCloseDirNode(nodeRef); + + return result; +} + +rlm_rcode_t od_mschap_auth(REQUEST *request, VALUE_PAIR *challenge, VALUE_PAIR * usernamepair) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + tDirStatus status = eDSNoErr; + tDirReference dsRef = 0; + tDirNodeReference userNodeRef = 0; + tDataBuffer *tDataBuff = NULL; + tDataBuffer *pStepBuff = NULL; + tDataNode *pAuthType = NULL; + uint32_t uiCurr = 0; + uint32_t uiLen = 0; + char *username_string = NULL; + char *shortUserName = NULL; + VALUE_PAIR *response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY); +#ifndef NDEBUG + unsigned int t; +#endif + + username_string = talloc_array(request, char, usernamepair->vp_length + 1); + if (!username_string) + return RLM_MODULE_FAIL; + + strlcpy(username_string, usernamepair->vp_strvalue, usernamepair->vp_length + 1); + + status = dsOpenDirService(&dsRef); + if (status != eDSNoErr) { + talloc_free(username_string); + RERROR("Failed opening directory service"); + return RLM_MODULE_FAIL; + } + + rcode = getUserNodeRef(request, username_string, &shortUserName, &userNodeRef, dsRef); + if (rcode != RLM_MODULE_OK) { + if (rcode != RLM_MODULE_NOOP) { + RDEBUG2("od_mschap_auth: getUserNodeRef() failed"); + } + if (username_string != NULL) + talloc_free(username_string); + if (dsRef != 0) + dsCloseDirService(dsRef); + return rcode; + } + + /* We got a node; fill the stepBuffer + kDSStdAuthMSCHAP2 + MS-CHAPv2 authentication method. The Open Directory plug-in generates the reply data for the client. + The input buffer format consists of + a four byte length specifying the length of the user name that follows, the user name, + a four byte value specifying the length of the server challenge that follows, the server challenge, + a four byte value specifying the length of the peer challenge that follows, the peer challenge, + a four byte value specifying the length of the client's digest that follows, and the client's digest. + The output buffer consists of a four byte value specifying the length of the return digest for the client's challenge. + r = FillAuthBuff(pAuthBuff, 5, + strlen(inName), inName, // Directory Services long or short name + strlen(schal), schal, // server challenge + strlen(peerchal), peerchal, // client challenge + strlen(p24), p24, // P24 NT-Response + 4, "User"); // must match the username that was used for the hash + + inName = username_string + schal = challenge->vp_strvalue + peerchal = response->vp_strvalue + 2 (16 octets) + p24 = response->vp_strvalue + 26 (24 octets) + */ + + pStepBuff = dsDataBufferAllocate(dsRef, 4096); + tDataBuff = dsDataBufferAllocate(dsRef, 4096); + pAuthType = dsDataNodeAllocateString(dsRef, kDSStdAuthMSCHAP2); + uiCurr = 0; + + /* User name length + username */ + uiLen = (uint32_t)(shortUserName ? strlen(shortUserName) : 0); + + RDEBUG2("OD username_string = %s, OD shortUserName=%s (length = %d)\n", + username_string, shortUserName, uiLen); + + memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen)); + uiCurr += sizeof(uiLen); + memcpy(&(tDataBuff->fBufferData[uiCurr]), shortUserName, uiLen); + uiCurr += uiLen; +#ifndef NDEBUG + RINDENT(); + RDEBUG2("Stepbuf server challenge : "); + for (t = 0; t < challenge->vp_length; t++) { + fprintf(stderr, "%02x", (unsigned int) challenge->vp_strvalue[t]); + } + fprintf(stderr, "\n"); +#endif + + /* server challenge (ie. my (freeRADIUS) challenge) */ + uiLen = 16; + memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen)); + uiCurr += sizeof(uiLen); + memcpy(&(tDataBuff->fBufferData[uiCurr]), &(challenge->vp_strvalue[0]), + uiLen); + uiCurr += uiLen; + +#ifndef NDEBUG + RDEBUG2("Stepbuf peer challenge : "); + for (t = 2; t < 18; t++) { + fprintf(stderr, "%02x", (unsigned int) response->vp_strvalue[t]); + } + fprintf(stderr, "\n"); +#endif + + /* peer challenge (ie. the client-generated response) */ + uiLen = 16; + memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen)); + uiCurr += sizeof(uiLen); + memcpy(&(tDataBuff->fBufferData[uiCurr]), &(response->vp_strvalue[2]), + uiLen); + uiCurr += uiLen; + +#ifndef NDEBUG + RDEBUG2("Stepbuf p24 : "); + REXDENT(); + for (t = 26; t < 50; t++) { + fprintf(stderr, "%02x", (unsigned int) response->vp_strvalue[t]); + } + fprintf(stderr, "\n"); +#endif + + /* p24 (ie. second part of client-generated response) */ + uiLen = 24; /* strlen(&(response->vp_strvalue[26])); may contain NULL byte in the middle. */ + memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen)); + uiCurr += sizeof(uiLen); + memcpy(&(tDataBuff->fBufferData[uiCurr]), &(response->vp_strvalue[26]), + uiLen); + uiCurr += uiLen; + + /* Client generated use name (short name?) */ + uiLen = (uint32_t)strlen(username_string); + memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen)); + uiCurr += sizeof(uiLen); + memcpy(&(tDataBuff->fBufferData[uiCurr]), username_string, uiLen); + uiCurr += uiLen; + + tDataBuff->fBufferLength = uiCurr; + + status = dsDoDirNodeAuth(userNodeRef, pAuthType, 1, tDataBuff, + pStepBuff, NULL); + if (status == eDSNoErr) { + if (pStepBuff->fBufferLength > 4) { + uint32_t len; + + memcpy(&len, pStepBuff->fBufferData, sizeof(len)); + if (len == 40) { + char mschap_reply[42] = { '\0' }; + mschap_reply[0] = 'S'; + mschap_reply[1] = '='; + memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len); + mschap_add_reply(request, + *response->vp_strvalue, + "MS-CHAP2-Success", + mschap_reply, len+2); + RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%u)\n", mschap_reply, (unsigned int) len); + } + } + } + + /* clean up */ + if (username_string != NULL) + talloc_free(username_string); + if (shortUserName != NULL) + talloc_free(shortUserName); + + if (tDataBuff != NULL) + dsDataBufferDeAllocate(dsRef, tDataBuff); + if (pStepBuff != NULL) + dsDataBufferDeAllocate(dsRef, pStepBuff); + if (pAuthType != NULL) + dsDataNodeDeAllocate(dsRef, pAuthType); + if (userNodeRef != 0) + dsCloseDirNode(userNodeRef); + if (dsRef != 0) + dsCloseDirService(dsRef); + + if (status != eDSNoErr) { + char *status_name = dsCopyDirStatusName(status); + RERROR("rlm_mschap: authentication failed - status = %s", status_name); + free(status_name); + return RLM_MODULE_REJECT; + } + + return RLM_MODULE_OK; +} + +#endif /* __APPLE__ */ diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c new file mode 100644 index 0000000..25bcd9c --- /dev/null +++ b/src/modules/rlm_mschap/rlm_mschap.c @@ -0,0 +1,2150 @@ +/* + * This program is is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or (at + * your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/** + * $Id$ + * @file rlm_mschap.c + * @brief Implemented mschap authentication. + * + * @copyright 2000,2001,2006 The FreeRADIUS server project + */ + +/* MPPE support from Takahiro Wagatsuma <waga@sic.shibaura-it.ac.jp> */ +RCSID("$Id$") + +#include <freeradius-devel/radiusd.h> +#include <freeradius-devel/modules.h> +#include <freeradius-devel/rad_assert.h> +#include <freeradius-devel/md5.h> +#include <freeradius-devel/sha1.h> + +#include <ctype.h> + +#include "rlm_mschap.h" +#include "mschap.h" +#include "smbdes.h" + +#ifdef WITH_AUTH_WINBIND +#include "auth_wbclient.h" +#endif + +#ifdef HAVE_OPENSSL_CRYPTO_H +USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */ +# include <openssl/rc4.h> +#endif + +#ifdef __APPLE__ +int od_mschap_auth(REQUEST *request, VALUE_PAIR *challenge, VALUE_PAIR * usernamepair); +#endif + +/* Allowable account control bits */ +#define ACB_DISABLED 0x00010000 //!< User account disabled. +#define ACB_HOMDIRREQ 0x00020000 //!< Home directory required. +#define ACB_PWNOTREQ 0x00040000 //!< User password not required. +#define ACB_TEMPDUP 0x00080000 //!< Temporary duplicate account. +#define ACB_NORMAL 0x00100000 //!< Normal user account. +#define ACB_MNS 0x00200000 //!< MNS logon user account. +#define ACB_DOMTRUST 0x00400000 //!< Interdomain trust account. +#define ACB_WSTRUST 0x00800000 //!< Workstation trust account. +#define ACB_SVRTRUST 0x01000000 //!< Server trust account. +#define ACB_PWNOEXP 0x02000000 //!< User password does not expire. +#define ACB_AUTOLOCK 0x04000000 //!< Account auto locked. +#define ACB_PW_EXPIRED 0x00020000 //!< Password Expired. + +static int pdb_decode_acct_ctrl(char const *p) +{ + int acct_ctrl = 0; + int done = 0; + + /* + * Check if the account type bits have been encoded after the + * NT password (in the form [NDHTUWSLXI]). + */ + + if (*p != '[') return 0; + + for (p++; *p && !done; p++) { + switch (*p) { + case 'N': /* 'N'o password. */ + acct_ctrl |= ACB_PWNOTREQ; + break; + + case 'D': /* 'D'isabled. */ + acct_ctrl |= ACB_DISABLED ; + break; + + case 'H': /* 'H'omedir required. */ + acct_ctrl |= ACB_HOMDIRREQ; + break; + + case 'T': /* 'T'emp account. */ + acct_ctrl |= ACB_TEMPDUP; + break; + + case 'U': /* 'U'ser account (normal). */ + acct_ctrl |= ACB_NORMAL; + break; + + case 'M': /* 'M'NS logon user account. What is this? */ + acct_ctrl |= ACB_MNS; + break; + + case 'W': /* 'W'orkstation account. */ + acct_ctrl |= ACB_WSTRUST; + break; + + case 'S': /* 'S'erver account. */ + acct_ctrl |= ACB_SVRTRUST; + break; + + case 'L': /* 'L'ocked account. */ + acct_ctrl |= ACB_AUTOLOCK; + break; + + case 'X': /* No 'X'piry on password */ + acct_ctrl |= ACB_PWNOEXP; + break; + + case 'I': /* 'I'nterdomain trust account. */ + acct_ctrl |= ACB_DOMTRUST; + break; + + case 'e': /* 'e'xpired, the password has */ + acct_ctrl |= ACB_PW_EXPIRED; + break; + + case ' ': /* ignore spaces */ + break; + + case ':': + case '\n': + case '\0': + case ']': + default: + done = 1; + break; + } + } + + return acct_ctrl; +} + + +/* + * Does dynamic translation of strings. + * + * Pulls NT-Response, LM-Response, or Challenge from MSCHAP + * attributes. + */ +static ssize_t mschap_xlat(void *instance, REQUEST *request, + char const *fmt, char *out, size_t outlen) +{ + size_t i, data_len; + uint8_t const *data = NULL; + uint8_t buffer[32]; + VALUE_PAIR *user_name; + VALUE_PAIR *chap_challenge, *response; + rlm_mschap_t *inst = instance; + + response = NULL; + + /* + * Challenge means MS-CHAPv1 challenge, or + * hash of MS-CHAPv2 challenge, and peer challenge. + */ + if (strncasecmp(fmt, "Challenge", 9) == 0) { + chap_challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY); + if (!chap_challenge) { + REDEBUG("No MS-CHAP-Challenge in the request"); + return -1; + } + + /* + * MS-CHAP-Challenges are 8 octets, + * for MS-CHAPv1 + */ + if (chap_challenge->vp_length == 8) { + RDEBUG2("mschap1: %02x", chap_challenge->vp_octets[0]); + data = chap_challenge->vp_octets; + data_len = 8; + + /* + * MS-CHAP-Challenges are 16 octets, + * for MS-CHAPv2. + */ + } else if (chap_challenge->vp_length == 16) { + VALUE_PAIR *name_attr, *response_name; + char const *username_string; + + response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY); + if (!response) { + REDEBUG("MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge"); + return -1; + } + + /* + * FIXME: Much of this is copied from + * below. We should put it into a + * separate function. + */ + + /* + * Responses are 50 octets. + */ + if (response->vp_length < 50) { + REDEBUG("MS-CHAP-Response has the wrong format"); + return -1; + } + + user_name = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY); + if (!user_name) { + REDEBUG("User-Name is required to calculate MS-CHAPv1 Challenge"); + return -1; + } + + /* + * Check for MS-CHAP-User-Name and if found, use it + * to construct the MSCHAPv1 challenge. This is + * set by rlm_eap_mschap to the MS-CHAP Response + * packet Name field. + * + * We prefer this to the User-Name in the + * packet. + */ + response_name = fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_USER_NAME, 0, TAG_ANY); + if (response_name) { + name_attr = response_name; + } else { + name_attr = user_name; + } + + /* + * with_ntdomain_hack moved here, too. + */ + if ((username_string = strchr(name_attr->vp_strvalue, '\\')) != NULL) { + if (inst->with_ntdomain_hack) { + username_string++; + } else { + RWDEBUG2("NT Domain delimiter found, should we have enabled with_ntdomain_hack?"); + username_string = name_attr->vp_strvalue; + } + } else { + username_string = name_attr->vp_strvalue; + } + + if (response_name && + ((user_name->vp_length != response_name->vp_length) || + (strncasecmp(user_name->vp_strvalue, response_name->vp_strvalue, + user_name->vp_length) != 0))) { + RWDEBUG2("User-Name (%s) is not the same as MS-CHAP Name (%s) from EAP-MSCHAPv2", + user_name->vp_strvalue, response_name->vp_strvalue); + } + + /* + * Get the MS-CHAPv1 challenge + * from the MS-CHAPv2 peer challenge, + * our challenge, and the user name. + */ + RDEBUG2("Creating challenge hash with username: %s", username_string); + mschap_challenge_hash(response->vp_octets + 2, + chap_challenge->vp_octets, + username_string, buffer); + data = buffer; + data_len = 8; + } else { + REDEBUG("Invalid MS-CHAP challenge length"); + return -1; + } + + /* + * Get the MS-CHAPv1 response, or the MS-CHAPv2 + * response. + */ + } else if (strncasecmp(fmt, "NT-Response", 11) == 0) { + response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY); + if (!response) response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY); + if (!response) { + REDEBUG("No MS-CHAP-Response or MS-CHAP2-Response was found in the request"); + return -1; + } + + /* + * For MS-CHAPv1, the NT-Response exists only + * if the second octet says so. + */ + if ((response->da->vendor == VENDORPEC_MICROSOFT) && + (response->da->attr == PW_MSCHAP_RESPONSE) && + ((response->vp_octets[1] & 0x01) == 0)) { + REDEBUG("No NT-Response in MS-CHAP-Response"); + return -1; + } + + /* + * MS-CHAP-Response and MS-CHAP2-Response have + * the NT-Response at the same offset, and are + * the same length. + */ + data = response->vp_octets + 26; + data_len = 24; + + /* + * LM-Response is deprecated, and exists only + * in MS-CHAPv1, and not often there. + */ + } else if (strncasecmp(fmt, "LM-Response", 11) == 0) { + response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY); + if (!response) { + REDEBUG("No MS-CHAP-Response was found in the request"); + return -1; + } + + /* + * For MS-CHAPv1, the LM-Response exists only + * if the second octet says so. + */ + if ((response->vp_octets[1] & 0x01) != 0) { + REDEBUG("No LM-Response in MS-CHAP-Response"); + return -1; + } + data = response->vp_octets + 2; + data_len = 24; + + /* + * Pull the domain name out of the User-Name, if it exists. + * + * This is the full domain name, not just the name after host/ + */ + } else if (strncasecmp(fmt, "Domain-Name", 11) == 0) { + char *p; + + user_name = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY); + if (!user_name) { + REDEBUG("No User-Name was found in the request"); + return -1; + } + + /* + * First check to see if this is a host/ style User-Name + * (a la Kerberos host principal) + */ + if (strncmp(user_name->vp_strvalue, "host/", 5) == 0) { + /* + * If we're getting a User-Name formatted in this way, + * it's likely due to PEAP. The Windows Domain will be + * the first domain component following the hostname, + * or the machine name itself if only a hostname is supplied + */ + p = strchr(user_name->vp_strvalue, '.'); + if (!p) { + RDEBUG2("setting NT-Domain to same as machine name"); + strlcpy(out, user_name->vp_strvalue + 5, outlen); + } else { + p++; /* skip the period */ + strlcpy(out, p, outlen); + } + } else { + p = strchr(user_name->vp_strvalue, '\\'); + if (!p) { + REDEBUG("No NT-Domain was found in the User-Name"); + return -1; + } + + /* + * Hack. This is simpler than the alternatives. + */ + *p = '\0'; + strlcpy(out, user_name->vp_strvalue, outlen); + *p = '\\'; + } + + return strlen(out); + + /* + * Pull the NT-Domain out of the User-Name, if it exists. + */ + } else if (strncasecmp(fmt, "NT-Domain", 9) == 0) { + char *p, *q; + + user_name = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY); + if (!user_name) { + REDEBUG("No User-Name was found in the request"); + return -1; + } + + /* + * First check to see if this is a host/ style User-Name + * (a la Kerberos host principal) + */ + if (strncmp(user_name->vp_strvalue, "host/", 5) == 0) { + /* + * If we're getting a User-Name formatted in this way, + * it's likely due to PEAP. The Windows Domain will be + * the first domain component following the hostname, + * or the machine name itself if only a hostname is supplied + */ + p = strchr(user_name->vp_strvalue, '.'); + if (!p) { + RDEBUG2("setting NT-Domain to same as machine name"); + strlcpy(out, user_name->vp_strvalue + 5, outlen); + } else { + p++; /* skip the period */ + q = strchr(p, '.'); + /* + * use the same hack as below + * only if another period was found + */ + if (q) *q = '\0'; + strlcpy(out, p, outlen); + if (q) *q = '.'; + } + } else { + p = strchr(user_name->vp_strvalue, '\\'); + if (!p) { + REDEBUG("No NT-Domain was found in the User-Name"); + return -1; + } + + /* + * Hack. This is simpler than the alternatives. + */ + *p = '\0'; + strlcpy(out, user_name->vp_strvalue, outlen); + *p = '\\'; + } + + return strlen(out); + + /* + * Pull the User-Name out of the User-Name... + */ + } else if (strncasecmp(fmt, "User-Name", 9) == 0) { + char const *p, *q; + + user_name = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY); + if (!user_name) { + REDEBUG("No User-Name was found in the request"); + return -1; + } + + /* + * First check to see if this is a host/ style User-Name + * (a la Kerberos host principal) + */ + if (strncmp(user_name->vp_strvalue, "host/", 5) == 0) { + p = user_name->vp_strvalue + 5; + /* + * If we're getting a User-Name formatted in this way, + * it's likely due to PEAP. When authenticating this against + * a Domain, Windows will expect the User-Name to be in the + * format of hostname$, the SAM version of the name, so we + * have to convert it to that here. We do so by stripping + * off the first 5 characters (host/), and copying everything + * from that point to the first period into a string and appending + * a $ to the end. + */ + q = strchr(p, '.'); + + /* + * use the same hack as above + * only if a period was found + */ + if (q) { + snprintf(out, outlen, "%.*s$", + (int) (q - p), p); + } else { + snprintf(out, outlen, "%s$", p); + } + } else { + p = strchr(user_name->vp_strvalue, '\\'); + if (p) { + p++; /* skip the backslash */ + } else { + p = user_name->vp_strvalue; /* use the whole User-Name */ + } + strlcpy(out, p, outlen); + } + + return strlen(out); + + /* + * Return the NT-Hash of the passed string + */ + } else if (strncasecmp(fmt, "NT-Hash ", 8) == 0) { + char const *p; + + p = fmt + 8; /* 7 is the length of 'NT-Hash' */ + if ((*p == '\0') || (outlen <= 32)) + return 0; + + while (isspace(*p)) p++; + + if (mschap_ntpwdhash(buffer, p) < 0) { + REDEBUG("Failed generating NT-Password"); + *buffer = '\0'; + return -1; + } + + fr_bin2hex(out, buffer, NT_DIGEST_LENGTH); + out[32] = '\0'; + RDEBUG("NT-Hash of \"known-good\" password: %s", out); + return 32; + + /* + * Return the LM-Hash of the passed string + */ + } else if (strncasecmp(fmt, "LM-Hash ", 8) == 0) { + char const *p; + + p = fmt + 8; /* 7 is the length of 'LM-Hash' */ + if ((*p == '\0') || (outlen <= 32)) + return 0; + + while (isspace(*p)) p++; + + smbdes_lmpwdhash(p, buffer); + fr_bin2hex(out, buffer, LM_DIGEST_LENGTH); + out[32] = '\0'; + RDEBUG("LM-Hash of %s = %s", p, out); + return 32; + } else { + REDEBUG("Unknown expansion string '%s'", fmt); + return -1; + } + + if (outlen == 0) return 0; /* nowhere to go, don't do anything */ + + /* + * Didn't set anything: this is bad. + */ + if (!data) { + RWDEBUG2("Failed to do anything intelligent"); + return 0; + } + + /* + * Check the output length. + */ + if (outlen < ((data_len * 2) + 1)) { + data_len = (outlen - 1) / 2; + } + + /* + * + */ + for (i = 0; i < data_len; i++) { + sprintf(out + (2 * i), "%02x", data[i]); + } + out[data_len * 2] = '\0'; + + return data_len * 2; +} + + +#ifdef WITH_AUTH_WINBIND +/* + * Free connection pool winbind context + */ +static int _mod_conn_free(struct wbcContext **wb_ctx) +{ + wbcCtxFree(*wb_ctx); + + return 0; +} + +/* + * Create connection pool winbind context + */ +static void *mod_conn_create(TALLOC_CTX *ctx, UNUSED void *instance) +{ + struct wbcContext **wb_ctx; + + wb_ctx = talloc_zero(ctx, struct wbcContext *); + *wb_ctx = wbcCtxCreate(); + + if (*wb_ctx == NULL) { + ERROR("failed to create winbind context"); + talloc_free(wb_ctx); + return NULL; + } + + talloc_set_destructor(wb_ctx, _mod_conn_free); + + return *wb_ctx; +} +#endif + + +static const CONF_PARSER passchange_config[] = { + { "ntlm_auth", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, ntlm_cpw), NULL }, + { "ntlm_auth_username", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, ntlm_cpw_username), NULL }, + { "ntlm_auth_domain", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, ntlm_cpw_domain), NULL }, + { "local_cpw", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, local_cpw), NULL }, + CONF_PARSER_TERMINATOR +}; + +static const CONF_PARSER module_config[] = { + /* + * Cache the password by default. + */ + { "use_mppe", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, use_mppe), "yes" }, + { "require_encryption", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, require_encryption), "no" }, + { "require_strong", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, require_strong), "no" }, + { "with_ntdomain_hack", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, with_ntdomain_hack), "yes" }, + { "ntlm_auth", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, ntlm_auth), NULL }, + { "ntlm_auth_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_mschap_t, ntlm_auth_timeout), NULL }, + { "passchange", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) passchange_config }, + { "allow_retry", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, allow_retry), "yes" }, + { "retry_msg", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_mschap_t, retry_msg), NULL }, + { "winbind_username", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_mschap_t, wb_username), NULL }, + { "winbind_domain", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_mschap_t, wb_domain), NULL }, + { "winbind_retry_with_normalised_username", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, wb_retry_with_normalised_username), "no" }, +#ifdef __APPLE__ + { "use_open_directory", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, open_directory), "yes" }, +#endif + CONF_PARSER_TERMINATOR +}; + + +static int mod_bootstrap(CONF_SECTION *conf, void *instance) +{ + char const *name; + rlm_mschap_t *inst = instance; + + /* + * Create the dynamic translation. + */ + name = cf_section_name2(conf); + if (!name) name = cf_section_name1(conf); + inst->xlat_name = name; + xlat_register(inst->xlat_name, mschap_xlat, NULL, inst); + + return 0; +} + +/* + * Create instance for our module. Allocate space for + * instance structure and read configuration parameters + */ +static int mod_instantiate(CONF_SECTION *conf, void *instance) +{ + rlm_mschap_t *inst = instance; + + /* + * For backwards compatibility + */ + if (!dict_valbyname(PW_AUTH_TYPE, 0, inst->xlat_name)) { + inst->auth_type = "MS-CHAP"; + } else { + inst->auth_type = inst->xlat_name; + } + + /* + * Set auth method + */ + inst->method = AUTH_INTERNAL; + + if (inst->wb_username) { +#ifdef WITH_AUTH_WINBIND + inst->method = AUTH_WBCLIENT; + + inst->wb_pool = fr_connection_pool_module_init(conf, inst, mod_conn_create, NULL, NULL); + if (!inst->wb_pool) { + cf_log_err_cs(conf, "Unable to initialise winbind connection pool"); + return -1; + } +#else + cf_log_err_cs(conf, "'winbind' is not enabled in this build."); + return -1; +#endif + } + + /* preserve existing behaviour: this option overrides all */ + if (inst->ntlm_auth) { + inst->method = AUTH_NTLMAUTH_EXEC; + } + + switch (inst->method) { + case AUTH_INTERNAL: + DEBUG("rlm_mschap (%s): using internal authentication", inst->xlat_name); + break; + case AUTH_NTLMAUTH_EXEC: + DEBUG("rlm_mschap (%s): authenticating by calling 'ntlm_auth'", inst->xlat_name); + break; +#ifdef WITH_AUTH_WINBIND + case AUTH_WBCLIENT: + DEBUG("rlm_mschap (%s): authenticating directly to winbind", inst->xlat_name); + break; +#endif + } + + /* + * Check ntlm_auth_timeout is sane + */ + if (!inst->ntlm_auth_timeout) { + inst->ntlm_auth_timeout = EXEC_TIMEOUT; + } + if (inst->ntlm_auth_timeout < 1) { + cf_log_err_cs(conf, "ntml_auth_timeout '%d' is too small (minimum: 1)", + inst->ntlm_auth_timeout); + return -1; + } + if (inst->ntlm_auth_timeout > 10) { + cf_log_err_cs(conf, "ntlm_auth_timeout '%d' is too large (maximum: 10)", + inst->ntlm_auth_timeout); + return -1; + } + + return 0; +} + +/* + * Tidy up instance + */ +static int mod_detach(UNUSED void *instance) +{ +#ifdef WITH_AUTH_WINBIND + rlm_mschap_t *inst = instance; + + fr_connection_pool_free(inst->wb_pool); +#endif + + return 0; +} + +/* + * add_reply() adds either MS-CHAP2-Success or MS-CHAP-Error + * attribute to reply packet + */ +void mschap_add_reply(REQUEST *request, unsigned char ident, + char const *name, char const *value, size_t len) +{ + VALUE_PAIR *vp; + + vp = pair_make_reply(name, NULL, T_OP_EQ); + if (!vp) { + REDEBUG("Failed to create attribute %s: %s", name, fr_strerror()); + return; + } + + /* Account for the ident byte */ + vp->vp_length = len + 1; + if (vp->da->type == PW_TYPE_STRING) { + char *p; + + vp->vp_strvalue = p = talloc_array(vp, char, vp->vp_length + 1); + p[vp->vp_length] = '\0'; /* Always \0 terminate */ + p[0] = ident; + memcpy(p + 1, value, len); + } else { + uint8_t *p; + + vp->vp_octets = p = talloc_array(vp, uint8_t, vp->vp_length); + p[0] = ident; + memcpy(p + 1, value, len); + } +} + +/* + * Add MPPE attributes to the reply. + */ +static void mppe_add_reply(REQUEST *request, char const* name, uint8_t const * value, size_t len) +{ + VALUE_PAIR *vp; + + vp = pair_make_reply(name, NULL, T_OP_EQ); + if (!vp) { + REDEBUG("mppe_add_reply failed to create attribute %s: %s", name, fr_strerror()); + return; + } + + fr_pair_value_memcpy(vp, value, len); +} + +static int write_all(int fd, char const *buf, int len) { + int rv,done=0; + + while (done < len) { + rv = write(fd, buf+done, len-done); + if (rv <= 0) + break; + done += rv; + } + return done; +} + +/* + * Perform an MS-CHAP2 password change + */ + +static int CC_HINT(nonnull (1, 2, 4, 5)) do_mschap_cpw(rlm_mschap_t *inst, + REQUEST *request, +#ifdef HAVE_OPENSSL_CRYPTO_H + VALUE_PAIR *nt_password, +#else + UNUSED VALUE_PAIR *nt_password, +#endif + uint8_t *new_nt_password, + uint8_t *old_nt_hash, + MSCHAP_AUTH_METHOD method) +{ + if (inst->ntlm_cpw && method != AUTH_INTERNAL) { + /* + * we're going to run ntlm_auth in helper-mode + * we're expecting to use the ntlm-change-password-1 protocol + * which needs the following on stdin: + * + * username: %{mschap:User-Name} + * nt-domain: %{mschap:NT-Domain} + * new-nt-password-blob: bin2hex(new_nt_password) - 1032 bytes encoded + * old-nt-hash-blob: bin2hex(old_nt_hash) - 32 bytes encoded + * new-lm-password-blob: 00000...0000 - 1032 bytes null + * old-lm-hash-blob: 000....000 - 32 bytes null + * .\n + * + * ...and it should then print out + * + * Password-Change: Yes + * + * or + * + * Password-Change: No + * Password-Change-Error: blah + */ + + int to_child=-1; + int from_child=-1; + pid_t pid, child_pid; + int status, len; + char buf[2048]; + char *pmsg; + char const *emsg; + + RDEBUG("Doing MS-CHAPv2 password change via ntlm_auth helper"); + + /* + * Start up ntlm_auth with a pipe on stdin and stdout + */ + + pid = radius_start_program(inst->ntlm_cpw, request, true, &to_child, &from_child, NULL, false); + if (pid < 0) { + REDEBUG("could not exec ntlm_auth cpw command"); + return -1; + } + + /* + * write the stuff to the client + */ + + if (inst->ntlm_cpw_username) { + len = radius_xlat(buf, sizeof(buf) - 2, request, inst->ntlm_cpw_username, NULL, NULL); + if (len < 0) { + goto ntlm_auth_err; + } + + buf[len++] = '\n'; + buf[len] = '\0'; + + if (write_all(to_child, buf, len) != len) { + REDEBUG("Failed to write username to child"); + goto ntlm_auth_err; + } + } else { + RWDEBUG2("No ntlm_auth username set, passchange will definitely fail!"); + } + + if (inst->ntlm_cpw_domain) { + len = radius_xlat(buf, sizeof(buf) - 2, request, inst->ntlm_cpw_domain, NULL, NULL); + if (len < 0) { + goto ntlm_auth_err; + } + + buf[len++] = '\n'; + buf[len] = '\0'; + + if (write_all(to_child, buf, len) != len) { + REDEBUG("Failed to write domain to child"); + goto ntlm_auth_err; + } + } else { + RWDEBUG2("No ntlm_auth domain set, username must be full-username to work"); + } + + /* now the password blobs */ + len = sprintf(buf, "new-nt-password-blob: "); + fr_bin2hex(buf+len, new_nt_password, 516); + buf[len+1032] = '\n'; + buf[len+1033] = '\0'; + len = strlen(buf); + if (write_all(to_child, buf, len) != len) { + RDEBUG2("failed to write new password blob to child"); + goto ntlm_auth_err; + } + + len = sprintf(buf, "old-nt-hash-blob: "); + fr_bin2hex(buf+len, old_nt_hash, NT_DIGEST_LENGTH); + buf[len+32] = '\n'; + buf[len+33] = '\0'; + len = strlen(buf); + if (write_all(to_child, buf, len) != len) { + REDEBUG("Failed to write old hash blob to child"); + goto ntlm_auth_err; + } + + /* + * In current samba versions, failure to supply empty LM password/hash + * blobs causes the change to fail. + */ + len = sprintf(buf, "new-lm-password-blob: %01032i\n", 0); + if (write_all(to_child, buf, len) != len) { + REDEBUG("Failed to write dummy LM password to child"); + goto ntlm_auth_err; + } + len = sprintf(buf, "old-lm-hash-blob: %032i\n", 0); + if (write_all(to_child, buf, len) != len) { + REDEBUG("Failed to write dummy LM hash to child"); + goto ntlm_auth_err; + } + if (write_all(to_child, ".\n", 2) != 2) { + REDEBUG("Failed to send finish to child"); + goto ntlm_auth_err; + } + close(to_child); + to_child = -1; + + /* + * Read from the child + */ + len = radius_readfrom_program(from_child, pid, 10, buf, sizeof(buf)); + if (len < 0) { + /* radius_readfrom_program will have closed from_child for us */ + REDEBUG("Failure reading from child"); + return -1; + } + close(from_child); + from_child = -1; + + buf[len] = 0; + RDEBUG2("ntlm_auth said: %s", buf); + + child_pid = rad_waitpid(pid, &status); + if (child_pid == 0) { + REDEBUG("Timeout waiting for child"); + return -1; + } + if (child_pid != pid) { + REDEBUG("Abnormal exit status: %s", fr_syserror(errno)); + return -1; + } + + if (strstr(buf, "Password-Change: Yes")) { + RDEBUG2("ntlm_auth password change succeeded"); + return 0; + } + + pmsg = strstr(buf, "Password-Change-Error: "); + if (pmsg) { + emsg = strsep(&pmsg, "\n"); + } else { + emsg = "could not find error"; + } + REDEBUG("ntlm auth password change failed: %s", emsg); + +ntlm_auth_err: + /* safe because these either need closing or are == -1 */ + close(to_child); + close(from_child); + + return -1; + + } else if (inst->local_cpw) { +#ifdef HAVE_OPENSSL_CRYPTO_H + /* + * Decrypt the new password blob, add it as a temporary request + * variable, xlat the local_cpw string, then remove it + * + * this allows is to write e..g + * + * %{sql:insert into ...} + * + * ...or... + * + * %{exec:/path/to %{mschap:User-Name} %{MS-CHAP-New-Password}}" + * + */ + VALUE_PAIR *new_pass, *new_hash; + uint8_t *p, *q; + char *x; + size_t i; + size_t passlen; + ssize_t result_len; + char result[253]; + uint8_t nt_pass_decrypted[516], old_nt_hash_expected[NT_DIGEST_LENGTH]; + + if (!nt_password) { + RDEBUG("Local MS-CHAPv2 password change requires NT-Password attribute"); + return -1; + } else { + RDEBUG("Doing MS-CHAPv2 password change locally"); + } + +#if OPENSSL_VERSION_NUMBER >= 0x30000000L + { + EVP_CIPHER_CTX *ctx; + int ntlen = sizeof(nt_pass_decrypted); + + ctx = EVP_CIPHER_CTX_new(); + if (!ctx) { + REDEBUG("Failed getting RC4 from OpenSSL"); + error: + if (ctx) EVP_CIPHER_CTX_free(ctx); + return -1; + } + + if (!EVP_CIPHER_CTX_set_key_length(ctx, nt_password->vp_length)) { + REDEBUG("Failed setting key length"); + goto error; + } + + if (!EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, nt_password->vp_octets, NULL)) { + REDEBUG("Failed setting key value"); + goto error;; + } + + if (!EVP_EncryptUpdate(ctx, nt_pass_decrypted, &ntlen, new_nt_password, ntlen)) { + REDEBUG("Failed getting output"); + goto error; + } + + EVP_CIPHER_CTX_free(ctx); + } +#else + { + RC4_KEY key; + + /* + * Decrypt the blob + */ + RC4_set_key(&key, nt_password->vp_length, nt_password->vp_octets); + RC4(&key, 516, new_nt_password, nt_pass_decrypted); + } +#endif + + /* + * pwblock is + * 512-N bytes random pad + * N bytes password as utf-16-le + * 4 bytes - N as big-endian int + */ + passlen = nt_pass_decrypted[512]; + passlen += nt_pass_decrypted[513] << 8; + if ((nt_pass_decrypted[514] != 0) || + (nt_pass_decrypted[515] != 0)) { + REDEBUG("Decrypted new password blob claims length > 65536, " + "probably an invalid NT-Password"); + return -1; + } + + /* + * Sanity check - passlen positive and <= 512 if not, crypto has probably gone wrong + */ + if (passlen > 512) { + REDEBUG("Decrypted new password blob claims length %zu > 512, " + "probably an invalid NT-Password", passlen); + return -1; + } + + p = nt_pass_decrypted + 512 - passlen; + + /* + * The new NT hash - this should be preferred over the + * cleartext password as it avoids unicode hassles. + */ + new_hash = pair_make_request("MS-CHAP-New-NT-Password", NULL, T_OP_EQ); + new_hash->vp_length = NT_DIGEST_LENGTH; + new_hash->vp_octets = q = talloc_array(new_hash, uint8_t, new_hash->vp_length); + fr_md4_calc(q, p, passlen); + + /* + * Check that nt_password encrypted with new_hash + * matches the old_hash value from the client. + */ + smbhash(old_nt_hash_expected, nt_password->vp_octets, q); + smbhash(old_nt_hash_expected+8, nt_password->vp_octets+8, q + 7); + if (memcmp(old_nt_hash_expected, old_nt_hash, NT_DIGEST_LENGTH)!=0) { + REDEBUG("Old NT hash value from client does not match our value"); + return -1; + } + + /* + * The new cleartext password, which is utf-16 do some unpleasant vileness + * to turn it into utf8 without pulling in libraries like iconv. + * + * First pass: get the length of the converted string. + */ + new_pass = pair_make_request("MS-CHAP-New-Cleartext-Password", NULL, T_OP_EQ); + new_pass->vp_length = 0; + + i = 0; + while (i < passlen) { + int c; + + c = p[i++]; + c += p[i++] << 8; + + /* + * Gah. nasty. maybe we should just pull in iconv? + */ + if (c < 0x7f) { + new_pass->vp_length++; + } else if (c < 0x7ff) { + new_pass->vp_length += 2; + } else { + new_pass->vp_length += 3; + } + } + + new_pass->vp_strvalue = x = talloc_array(new_pass, char, new_pass->vp_length + 1); + + /* + * Second pass: convert the characters from UTF-16 to UTF-8. + */ + i = 0; + while (i < passlen) { + int c; + + c = p[i++]; + c += p[i++] << 8; + + /* + * Gah. nasty. maybe we should just pull in iconv? + */ + if (c < 0x7f) { + *x++ = c; + + } else if (c < 0x7ff) { + *x++ = 0xc0 + (c >> 6); + *x++ = 0x80 + (c & 0x3f); + + } else { + *x++ = 0xe0 + (c >> 12); + *x++ = 0x80 + ((c>>6) & 0x3f); + *x++ = 0x80 + (c & 0x3f); + } + } + + *x = '\0'; + + /* Perform the xlat */ + result_len = radius_xlat(result, sizeof(result), request, inst->local_cpw, NULL, NULL); + if (result_len < 0){ + return -1; + } else if (result_len == 0) { + REDEBUG("Local MS-CHAPv2 password change - xlat didn't give any result, assuming failure"); + return -1; + } + + RDEBUG("MS-CHAPv2 password change succeeded: %s", result); + + /* + * Update the NT-Password attribute with the new hash this lets us + * fall through to the authentication code using the new hash, + * not the old one. + */ + fr_pair_value_memcpy(nt_password, new_hash->vp_octets, new_hash->vp_length); + + /* + * Rock on! password change succeeded. + */ + return 0; +#else + REDEBUG("Local MS-CHAPv2 password changes require OpenSSL support"); + return -1; +#endif + } else { + REDEBUG("MS-CHAPv2 password change not configured"); + } + + return -1; +} + +/* + * Do the MS-CHAP stuff. + * + * This function is here so that all of the MS-CHAP related + * authentication is in one place, and we can perhaps later replace + * it with code to call winbindd, or something similar. + */ +static int CC_HINT(nonnull (1, 2, 4, 5 ,6)) do_mschap(rlm_mschap_t *inst, REQUEST *request, VALUE_PAIR *password, + uint8_t const *challenge, uint8_t const *response, + uint8_t nthashhash[NT_DIGEST_LENGTH], MSCHAP_AUTH_METHOD method) +{ + uint8_t calculated[24]; + + memset(nthashhash, 0, NT_DIGEST_LENGTH); + + switch (method) { + /* + * Do normal authentication. + */ + case AUTH_INTERNAL: + /* + * No password: can't do authentication. + */ + if (!password) { + REDEBUG("FAILED: No NT-Password. Cannot perform authentication"); + return -1; + } + + smbdes_mschap(password->vp_octets, challenge, calculated); + if (rad_digest_cmp(response, calculated, 24) != 0) { + return -1; + } + + /* + * If the password exists, and is an NT-Password, + * then calculate the hash of the NT hash. Doing this + * here minimizes work for later. + */ + if (!password->da->vendor && + (password->da->attr == PW_NT_PASSWORD)) { + fr_md4_calc(nthashhash, password->vp_octets, MD4_DIGEST_LENGTH); + } + break; + + /* + * Run ntlm_auth + */ + case AUTH_NTLMAUTH_EXEC: { + int result; + char buffer[256]; + size_t len; + + /* + * Run the program, and expect that we get 16 + */ + result = radius_exec_program(request, buffer, sizeof(buffer), NULL, request, inst->ntlm_auth, NULL, + true, true, inst->ntlm_auth_timeout); + if (result != 0) { + char *p; + + /* + * Do checks for numbers, which are + * language neutral. They're also + * faster. + */ + p = strcasestr(buffer, "0xC0000"); + if (p) { + int rcode = 0; + + p += 7; + if (strcmp(p, "224") == 0) { + rcode = -648; + + } else if (strcmp(p, "234") == 0) { + rcode = -647; + + } else if (strcmp(p, "072") == 0) { + rcode = -691; + + } else if (strcasecmp(p, "05E") == 0) { + rcode = -2; + } + + if (rcode != 0) { + REDEBUG2("%s", buffer); + return rcode; + } + + /* + * Else fall through to more ridiculous checks. + */ + } + + /* + * Look for variants of expire password. + */ + if (strcasestr(buffer, "0xC0000224") || + strcasestr(buffer, "Password expired") || + strcasestr(buffer, "Password has expired") || + strcasestr(buffer, "Password must be changed") || + strcasestr(buffer, "Must change password")) { + return -648; + } + + if (strcasestr(buffer, "0xC0000234") || + strcasestr(buffer, "Account locked out")) { + REDEBUG2("%s", buffer); + return -647; + } + + if (strcasestr(buffer, "0xC0000072") || + strcasestr(buffer, "Account disabled")) { + REDEBUG2("%s", buffer); + return -691; + } + + if (strcasestr(buffer, "0xC000005E") || + strcasestr(buffer, "No logon servers")) { + REDEBUG2("%s", buffer); + return -2; + } + + if (strcasestr(buffer, "could not obtain winbind separator") || + strcasestr(buffer, "Reading winbind reply failed")) { + REDEBUG2("%s", buffer); + return -2; + } + + RDEBUG2("External script failed"); + p = strchr(buffer, '\n'); + if (p) *p = '\0'; + + REDEBUG("External script says: %s", buffer); + return -1; + } + + /* + * Parse the answer as an nthashhash. + * + * ntlm_auth currently returns: + * NT_KEY: 000102030405060708090a0b0c0d0e0f + */ + if (memcmp(buffer, "NT_KEY: ", 8) != 0) { + REDEBUG("Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix"); + return -1; + } + + /* + * Check the length. It should be at least 32, with an LF at the end. + */ + len = strlen(buffer + 8); + if (len < 32) { + REDEBUG2("Invalid output from ntlm_auth: NT_KEY too short, expected 32 bytes got %zu bytes", + len); + + return -1; + } + + /* + * Update the NT hash hash, from the NT key. + */ + if (fr_hex2bin(nthashhash, NT_DIGEST_LENGTH, buffer + 8, len) != NT_DIGEST_LENGTH) { + REDEBUG("Invalid output from ntlm_auth: NT_KEY has non-hex values"); + return -1; + } + break; + } + +#ifdef WITH_AUTH_WINBIND + /* + * Process auth via the wbclient library + */ + case AUTH_WBCLIENT: + return do_auth_wbclient(inst, request, challenge, response, nthashhash); +#endif + + /* We should never reach this line */ + default: + RERROR("Internal error: Unknown mschap auth method (%d)", method); + return -1; + } + + return 0; +} + + +/* + * Data for the hashes. + */ +static const uint8_t SHSpad1[40] = + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; + +static const uint8_t SHSpad2[40] = + { 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, + 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2 }; + +static const uint8_t magic1[27] = + { 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, + 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d, + 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79 }; + +static const uint8_t magic2[84] = + { 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69, + 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79, + 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, + 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65, + 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20, + 0x6b, 0x65, 0x79, 0x2e }; + +static const uint8_t magic3[84] = + { 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69, + 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20, + 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20, + 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, + 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, + 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, + 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, + 0x6b, 0x65, 0x79, 0x2e }; + + +static void mppe_GetMasterKey(uint8_t const *nt_hashhash,uint8_t const *nt_response, + uint8_t *masterkey) +{ + uint8_t digest[20]; + fr_sha1_ctx Context; + + fr_sha1_init(&Context); + fr_sha1_update(&Context,nt_hashhash,NT_DIGEST_LENGTH); + fr_sha1_update(&Context,nt_response,24); + fr_sha1_update(&Context,magic1,27); + fr_sha1_final(digest,&Context); + + memcpy(masterkey,digest,16); +} + + +static void mppe_GetAsymmetricStartKey(uint8_t *masterkey,uint8_t *sesskey, + int keylen,int issend) +{ + uint8_t digest[20]; + const uint8_t *s; + fr_sha1_ctx Context; + + memset(digest,0,20); + + if(issend) { + s = magic3; + } else { + s = magic2; + } + + fr_sha1_init(&Context); + fr_sha1_update(&Context,masterkey,16); + fr_sha1_update(&Context,SHSpad1,40); + fr_sha1_update(&Context,s,84); + fr_sha1_update(&Context,SHSpad2,40); + fr_sha1_final(digest,&Context); + + memcpy(sesskey,digest,keylen); +} + + +static void mppe_chap2_get_keys128(uint8_t const *nt_hashhash,uint8_t const *nt_response, + uint8_t *sendkey,uint8_t *recvkey) +{ + uint8_t masterkey[16]; + + mppe_GetMasterKey(nt_hashhash,nt_response,masterkey); + + mppe_GetAsymmetricStartKey(masterkey,sendkey,16,1); + mppe_GetAsymmetricStartKey(masterkey,recvkey,16,0); +} + +/* + * Generate MPPE keys. + */ +static void mppe_chap2_gen_keys128(uint8_t const *nt_hashhash,uint8_t const *response, + uint8_t *sendkey,uint8_t *recvkey) +{ + uint8_t enckey1[16]; + uint8_t enckey2[16]; + + mppe_chap2_get_keys128(nt_hashhash,response,enckey1,enckey2); + + /* + * dictionary.microsoft defines these attributes as + * 'encrypt=2'. The functions in src/lib/radius.c will + * take care of encrypting/decrypting them as appropriate, + * so that we don't have to. + */ + memcpy (sendkey, enckey1, 16); + memcpy (recvkey, enckey2, 16); +} + + +/* + * mod_authorize() - authorize user if we can authenticate + * it later. Add Auth-Type attribute if present in module + * configuration (usually Auth-Type must be "MS-CHAP") + */ +static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void * instance, REQUEST *request) +{ + rlm_mschap_t *inst = instance; + VALUE_PAIR *challenge = NULL; + + challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY); + if (!challenge) { + return RLM_MODULE_NOOP; + } + + if (!fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY) && + !fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY) && + !fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_CPW, VENDORPEC_MICROSOFT, TAG_ANY)) { + RDEBUG2("Found MS-CHAP-Challenge, but no MS-CHAP response or change-password"); + return RLM_MODULE_NOOP; + } + + if (fr_pair_find_by_num(request->config, PW_AUTH_TYPE, 0, TAG_ANY)) { + RWDEBUG2("Auth-Type already set. Not setting to MS-CHAP"); + return RLM_MODULE_NOOP; + } + + RDEBUG2("Found MS-CHAP attributes. Setting 'Auth-Type = %s'", inst->xlat_name); + + /* + * Set Auth-Type to MS-CHAP. The authentication code + * will take care of turning cleartext passwords into + * NT/LM passwords. + */ + if (!pair_make_config("Auth-Type", inst->auth_type, T_OP_EQ)) { + return RLM_MODULE_FAIL; + } + + return RLM_MODULE_OK; +} + +static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned char ident, + int mschap_result, int mschap_version, VALUE_PAIR *smb_ctrl) +{ + rlm_rcode_t rcode = RLM_MODULE_OK; + int error = 0; + int retry = 0; + char const *message = NULL; + + int i; + char new_challenge[33], buffer[128]; + char *p; + + if ((mschap_result == -648) || + ((mschap_result == 0) && + (smb_ctrl && ((smb_ctrl->vp_integer & ACB_PW_EXPIRED) != 0)))) { + REDEBUG("Password has expired. User should retry authentication"); + error = 648; + + /* + * A password change is NOT a retry! We MUST have retry=0 here. + */ + retry = 0; + message = "Password expired"; + rcode = RLM_MODULE_REJECT; + + /* + * Account is disabled. + * + * They're found, but they don't exist, so we + * return 'not found'. + */ + } else if ((mschap_result == -691) || + (smb_ctrl && (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) || + ((smb_ctrl->vp_integer & (ACB_NORMAL|ACB_WSTRUST)) == 0)))) { + REDEBUG("SMB-Account-Ctrl (or ntlm_auth) " + "says that the account is disabled, " + "or is not a normal or workstation trust account"); + error = 691; + retry = 0; + message = "Account disabled"; + rcode = RLM_MODULE_NOTFOUND; + + /* + * User is locked out. + */ + } else if ((mschap_result == -647) || + (smb_ctrl && ((smb_ctrl->vp_integer & ACB_AUTOLOCK) != 0))) { + REDEBUG("SMB-Account-Ctrl (or ntlm_auth) " + "says that the account is locked out"); + error = 647; + retry = 0; + message = "Account locked out"; + rcode = RLM_MODULE_USERLOCK; + } else if (mschap_result == -2) { + RDEBUG("Authentication failed"); + error = 691; + retry = inst->allow_retry; + message = "Authentication failed"; + rcode = RLM_MODULE_FAIL; + + } else if (mschap_result < 0) { + REDEBUG("MS-CHAP2-Response is incorrect"); + error = 691; + retry = inst->allow_retry; + message = "Authentication rejected"; + rcode = RLM_MODULE_REJECT; + } + + if (rcode == RLM_MODULE_OK) return RLM_MODULE_OK; + + switch (mschap_version) { + case 1: + for (p = new_challenge, i = 0; i < 2; i++) p += snprintf(p, 9, "%08x", fr_rand()); + snprintf(buffer, sizeof(buffer), "E=%i R=%i C=%s V=2", + error, retry, new_challenge); + break; + + case 2: + for (p = new_challenge, i = 0; i < 4; i++) p += snprintf(p, 9, "%08x", fr_rand()); + snprintf(buffer, sizeof(buffer), "E=%i R=%i C=%s V=3 M=%s", + error, retry, new_challenge, message); + break; + + default: + return RLM_MODULE_FAIL; + } + mschap_add_reply(request, ident, "MS-CHAP-Error", buffer, strlen(buffer)); + + return rcode; +} + +/* + * mod_authenticate() - authenticate user based on given + * attributes and configuration. + * We will try to find out password in configuration + * or in configured passwd file. + * If one is found we will check paraneters given by NAS. + * + * If PW_SMB_ACCOUNT_CTRL is not set to ACB_PWNOTREQ we must have + * one of: + * PAP: PW_USER_PASSWORD or + * MS-CHAP: PW_MSCHAP_CHALLENGE and PW_MSCHAP_RESPONSE or + * MS-CHAP2: PW_MSCHAP_CHALLENGE and PW_MSCHAP2_RESPONSE + * In case of password mismatch or locked account we MAY return + * PW_MSCHAP_ERROR for MS-CHAP or MS-CHAP v2 + * If MS-CHAP2 succeeds we MUST return + * PW_MSCHAP2_SUCCESS + */ +static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request) +{ + rlm_mschap_t *inst = instance; + VALUE_PAIR *challenge = NULL; + VALUE_PAIR *response = NULL; + VALUE_PAIR *cpw = NULL; + VALUE_PAIR *password = NULL; + VALUE_PAIR *nt_password, *smb_ctrl; + VALUE_PAIR *username; + uint8_t nthashhash[NT_DIGEST_LENGTH]; + char msch2resp[42]; + char const *username_string; + int mschap_version = 0; + int mschap_result; + MSCHAP_AUTH_METHOD auth_method; + + /* + * If we have ntlm_auth configured, use it unless told + * otherwise + */ + auth_method = inst->method; + + /* + * If we have an ntlm_auth configuration, then we may + * want to suppress it. + */ + if (auth_method != AUTH_INTERNAL) { + VALUE_PAIR *vp = fr_pair_find_by_num(request->config, PW_MS_CHAP_USE_NTLM_AUTH, 0, TAG_ANY); + if (vp && vp->vp_integer == 0) auth_method = AUTH_INTERNAL; + } + + /* + * Find the SMB-Account-Ctrl attribute, or the + * SMB-Account-Ctrl-Text attribute. + */ + smb_ctrl = fr_pair_find_by_num(request->config, PW_SMB_ACCOUNT_CTRL, 0, TAG_ANY); + if (!smb_ctrl) { + password = fr_pair_find_by_num(request->config, PW_SMB_ACCOUNT_CTRL_TEXT, 0, TAG_ANY); + if (password) { + smb_ctrl = pair_make_config("SMB-Account-CTRL", "0", T_OP_SET); + if (smb_ctrl) { + smb_ctrl->vp_integer = pdb_decode_acct_ctrl(password->vp_strvalue); + } + } + } + + /* + * We're configured to do MS-CHAP authentication. + * and account control information exists. Enforce it. + */ + if (smb_ctrl) { + /* + * Password is not required. + */ + if ((smb_ctrl->vp_integer & ACB_PWNOTREQ) != 0) { + RDEBUG2("SMB-Account-Ctrl says no password is required"); + return RLM_MODULE_OK; + } + } + + /* + * Decide how to get the passwords. + */ + password = fr_pair_find_by_num(request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY); + + /* + * We need an NT-Password. + */ + nt_password = fr_pair_find_by_num(request->config, PW_NT_PASSWORD, 0, TAG_ANY); + if (nt_password) { + VERIFY_VP(nt_password); + + switch (nt_password->vp_length) { + case NT_DIGEST_LENGTH: + RDEBUG2("Found NT-Password"); + break; + + /* 0x */ + case 34: + case 32: + RWDEBUG("NT-Password has not been normalized by the 'pap' module (likely still in hex format). " + "Authentication may fail"); + nt_password = NULL; + break; + + default: + RWDEBUG("NT-Password found but incorrect length, expected " STRINGIFY(NT_DIGEST_LENGTH) + " bytes got %zu bytes. Authentication may fail", nt_password->vp_length); + nt_password = NULL; + break; + } + } + + /* + * ... or a Cleartext-Password, which we now transform into an NT-Password + */ + if (!nt_password) { + uint8_t *p; + + if (password) { + RDEBUG2("Found Cleartext-Password, hashing to create NT-Password"); + nt_password = pair_make_config("NT-Password", NULL, T_OP_EQ); + if (!nt_password) { + RERROR("No memory"); + return RLM_MODULE_FAIL; + } + nt_password->vp_length = NT_DIGEST_LENGTH; + nt_password->vp_octets = p = talloc_array(nt_password, uint8_t, nt_password->vp_length); + + if (mschap_ntpwdhash(p, password->vp_strvalue) < 0) { + RERROR("Failed generating NT-Password"); + return RLM_MODULE_FAIL; + } + } else if (auth_method == AUTH_INTERNAL) { + RWDEBUG2("No Cleartext-Password configured. Cannot create NT-Password"); + } + } + + cpw = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_CPW, VENDORPEC_MICROSOFT, TAG_ANY); + if (cpw) { + /* + * mschap2 password change request + * we cheat - first decode and execute the passchange + * we then extract the response, add it into the request + * then jump into mschap2 auth with the chal/resp + */ + uint8_t new_nt_encrypted[516], old_nt_encrypted[NT_DIGEST_LENGTH]; + VALUE_PAIR *nt_enc=NULL; + int seq, new_nt_enc_len; + uint8_t *p; + + RDEBUG("MS-CHAPv2 password change request received"); + + if (cpw->vp_length != 68) { + REDEBUG("MS-CHAP2-CPW has the wrong format: length %zu != 68", cpw->vp_length); + return RLM_MODULE_INVALID; + } + + if (cpw->vp_octets[0] != 7) { + REDEBUG("MS-CHAP2-CPW has the wrong format: code %d != 7", cpw->vp_octets[0]); + return RLM_MODULE_INVALID; + } + + /* + * look for the new (encrypted) password + * bah stupid composite attributes + * we're expecting 3 attributes with the leading bytes + * 06:<mschapid>:00:01:<1st chunk> + * 06:<mschapid>:00:02:<2nd chunk> + * 06:<mschapid>:00:03:<3rd chunk> + */ + new_nt_enc_len = 0; + for (seq = 1; seq < 4; seq++) { + vp_cursor_t cursor; + int found = 0; + + for (nt_enc = fr_cursor_init(&cursor, &request->packet->vps); + nt_enc; + nt_enc = fr_cursor_next(&cursor)) { + if (nt_enc->da->vendor != VENDORPEC_MICROSOFT) + continue; + + if (nt_enc->da->attr != PW_MSCHAP_NT_ENC_PW) + continue; + + if (nt_enc->vp_length < 4) { + REDEBUG("MS-CHAP-NT-Enc-PW with invalid format"); + return RLM_MODULE_INVALID; + } + + if (nt_enc->vp_octets[0] != 6) { + REDEBUG("MS-CHAP-NT-Enc-PW with invalid format"); + return RLM_MODULE_INVALID; + } + + if ((nt_enc->vp_octets[2] == 0) && (nt_enc->vp_octets[3] == seq)) { + found = 1; + break; + } + } + + if (!found) { + REDEBUG("Could not find MS-CHAP-NT-Enc-PW w/ sequence number %d", seq); + return RLM_MODULE_INVALID; + } + + if ((new_nt_enc_len + nt_enc->vp_length - 4) > sizeof(new_nt_encrypted)) { + REDEBUG("Unpacked MS-CHAP-NT-Enc-PW length > 516"); + return RLM_MODULE_INVALID; + } + + memcpy(new_nt_encrypted + new_nt_enc_len, nt_enc->vp_octets + 4, nt_enc->vp_length - 4); + new_nt_enc_len += nt_enc->vp_length - 4; + } + + if (new_nt_enc_len != 516) { + REDEBUG("Unpacked MS-CHAP-NT-Enc-PW length != 516"); + return RLM_MODULE_INVALID; + } + + /* + * RFC 2548 is confusing here + * it claims: + * + * 1 byte code + * 1 byte ident + * 16 octets - old hash encrypted with new hash + * 24 octets - peer challenge + * this is actually: + * 16 octets - peer challenge + * 8 octets - reserved + * 24 octets - nt response + * 2 octets - flags (ignored) + */ + + memcpy(old_nt_encrypted, cpw->vp_octets + 2, sizeof(old_nt_encrypted)); + + RDEBUG2("Password change payload valid"); + + /* perform the actual password change */ + if (do_mschap_cpw(inst, request, nt_password, new_nt_encrypted, old_nt_encrypted, auth_method) < 0) { + char buffer[128]; + + REDEBUG("Password change failed"); + + snprintf(buffer, sizeof(buffer), "E=709 R=0 M=Password change failed"); + mschap_add_reply(request, cpw->vp_octets[1], "MS-CHAP-Error", buffer, strlen(buffer)); + + return RLM_MODULE_REJECT; + } + RDEBUG("Password change successful"); + + /* + * Clear any expiry bit so the user can now login; + * obviously the password change action will need + * to have cleared this bit in the config/SQL/wherever + */ + if (smb_ctrl && smb_ctrl->vp_integer & ACB_PW_EXPIRED) { + RDEBUG("Clearing expiry bit in SMB-Acct-Ctrl to allow authentication"); + smb_ctrl->vp_integer &= ~ACB_PW_EXPIRED; + } + + /* + * Extract the challenge & response from the end of the password + * change, add them into the request and then continue with + * the authentication + */ + response = radius_pair_create(request->packet, &request->packet->vps, + PW_MSCHAP2_RESPONSE, + VENDORPEC_MICROSOFT); + response->vp_length = 50; + response->vp_octets = p = talloc_array(response, uint8_t, response->vp_length); + + /* ident & flags */ + p[0] = cpw->vp_octets[1]; + p[1] = 0; + /* peer challenge and client NT response */ + memcpy(p + 2, cpw->vp_octets + 18, 48); + } + + challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY); + if (!challenge) { + REDEBUG("You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!"); + return RLM_MODULE_REJECT; + } + + /* + * We also require an MS-CHAP-Response. + */ + response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY); + + /* + * MS-CHAP-Response, means MS-CHAPv1 + */ + if (response) { + int offset; + rlm_rcode_t rcode; + mschap_version = 1; + + /* + * MS-CHAPv1 challenges are 8 octets. + */ + if (challenge->vp_length < 8) { + REDEBUG("MS-CHAP-Challenge has the wrong format"); + return RLM_MODULE_INVALID; + } + + /* + * Responses are 50 octets. + */ + if (response->vp_length < 50) { + REDEBUG("MS-CHAP-Response has the wrong format"); + return RLM_MODULE_INVALID; + } + + /* + * We are doing MS-CHAP. Calculate the MS-CHAP + * response + */ + if (response->vp_octets[1] & 0x01) { + RDEBUG2("Client is using MS-CHAPv1 with NT-Password"); + password = nt_password; + offset = 26; + } else { + REDEBUG2("Client is using MS-CHAPv1 with unsupported method LM-Password"); + return RLM_MODULE_FAIL; + } + + /* + * Do the MS-CHAP authentication. + */ + mschap_result = do_mschap(inst, request, password, challenge->vp_octets, + response->vp_octets + offset, nthashhash, auth_method); + /* + * Check for errors, and add MSCHAP-Error if necessary. + */ + rcode = mschap_error(inst, request, *response->vp_octets, + mschap_result, mschap_version, smb_ctrl); + if (rcode != RLM_MODULE_OK) return rcode; + } else if ((response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, + VENDORPEC_MICROSOFT, TAG_ANY)) != NULL) { + uint8_t mschapv1_challenge[16]; + VALUE_PAIR *name_attr, *response_name, *peer_challenge_attr; + rlm_rcode_t rcode; + uint8_t const *peer_challenge; + + mschap_version = 2; + + /* + * MS-CHAPv2 challenges are 16 octets. + */ + if (challenge->vp_length < 16) { + REDEBUG("MS-CHAP-Challenge has the wrong format"); + return RLM_MODULE_INVALID; + } + + /* + * Responses are 50 octets. + */ + if (response->vp_length < 50) { + REDEBUG("MS-CHAP-Response has the wrong format"); + return RLM_MODULE_INVALID; + } + + /* + * We also require a User-Name + */ + username = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY); + if (!username) { + REDEBUG("We require a User-Name for MS-CHAPv2"); + return RLM_MODULE_INVALID; + } + + /* + * Check for MS-CHAP-User-Name and if found, use it + * to construct the MSCHAPv1 challenge. This is + * set by rlm_eap_mschap to the MS-CHAP Response + * packet Name field. + * + * We prefer this to the User-Name in the + * packet. + */ + response_name = fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_USER_NAME, 0, TAG_ANY); + if (response_name) { + name_attr = response_name; + } else { + name_attr = username; + } + + /* + * with_ntdomain_hack moved here, too. + */ + if ((username_string = strchr(name_attr->vp_strvalue, '\\')) != NULL) { + if (inst->with_ntdomain_hack) { + username_string++; + } else { + RWDEBUG2("NT Domain delimiter found, should with_ntdomain_hack of been enabled?"); + username_string = name_attr->vp_strvalue; + } + } else { + username_string = name_attr->vp_strvalue; + } + + if (response_name && ((username->vp_length != response_name->vp_length) || + (strncasecmp(username->vp_strvalue, response_name->vp_strvalue, username->vp_length) != 0))) { + RWDEBUG("User-Name (%s) is not the same as MS-CHAP Name (%s) from EAP-MSCHAPv2", + username->vp_strvalue, response_name->vp_strvalue); + } + +#ifdef __APPLE__ + /* + * No "known good" NT-Password attribute. Try to do + * OpenDirectory authentication. + * + * If OD determines the user is an OD user it will return noop, which + * indicates the auth process should continue directly to OD. + * Otherwise OD will determine auth success/fail. + */ + if (!nt_password && inst->open_directory) { + RDEBUG2("No NT-Password configured. Trying OpenDirectory Authentication"); + int odStatus = od_mschap_auth(request, challenge, username); + if (odStatus != RLM_MODULE_NOOP) { + return odStatus; + } + } +#endif + peer_challenge = response->vp_octets + 2; + + peer_challenge_attr = fr_pair_find_by_num(request->config, PW_MS_CHAP_PEER_CHALLENGE, 0, TAG_ANY); + if (peer_challenge_attr) { + RDEBUG2("Overriding peer challenge"); + peer_challenge = peer_challenge_attr->vp_octets; + } + + /* + * The old "mschapv2" function has been moved to + * here. + * + * MS-CHAPv2 takes some additional data to create an + * MS-CHAPv1 challenge, and then does MS-CHAPv1. + */ + RDEBUG2("Creating challenge hash with username: %s", username_string); + mschap_challenge_hash(peer_challenge, /* peer challenge */ + challenge->vp_octets, /* our challenge */ + username_string, /* user name */ + mschapv1_challenge); /* resulting challenge */ + + RDEBUG2("Client is using MS-CHAPv2"); + mschap_result = do_mschap(inst, request, nt_password, mschapv1_challenge, + response->vp_octets + 26, nthashhash, auth_method); + rcode = mschap_error(inst, request, *response->vp_octets, + mschap_result, mschap_version, smb_ctrl); + if (rcode != RLM_MODULE_OK) return rcode; + +#ifdef WITH_AUTH_WINBIND + if (inst->wb_retry_with_normalised_username) { + if ((response_name = fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_USER_NAME, 0, TAG_ANY))) { + if (strcmp(username_string, response_name->vp_strvalue)) { + RDEBUG2("Changing username %s to %s", username_string, response_name->vp_strvalue); + username_string = response_name->vp_strvalue; + } + } + } +#endif + + mschap_auth_response(username_string, /* without the domain */ + nthashhash, /* nt-hash-hash */ + response->vp_octets + 26, /* peer response */ + peer_challenge, /* peer challenge */ + challenge->vp_octets, /* our challenge */ + msch2resp); /* calculated MPPE key */ + mschap_add_reply(request, *response->vp_octets, "MS-CHAP2-Success", msch2resp, 42); + + } else { /* Neither CHAPv1 or CHAPv2 response: die */ + REDEBUG("You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!"); + return RLM_MODULE_INVALID; + } + + /* now create MPPE attributes */ + if (inst->use_mppe) { + uint8_t mppe_sendkey[34]; + uint8_t mppe_recvkey[34]; + + if (mschap_version == 1) { + RDEBUG2("adding MS-CHAPv1 MPPE keys"); + memset(mppe_sendkey, 0, 32); + + /* + * According to RFC 2548 we + * should send NT hash. But in + * practice it doesn't work. + * Instead, we should send nthashhash + * + * This is an error in RFC 2548. + */ + /* + * do_mschap cares to zero nthashhash if NT hash + * is not available. + */ + memcpy(mppe_sendkey + 8, nthashhash, NT_DIGEST_LENGTH); + mppe_add_reply(request, "MS-CHAP-MPPE-Keys", mppe_sendkey, 24); + + } else if (mschap_version == 2) { + RDEBUG2("Adding MS-CHAPv2 MPPE keys"); + mppe_chap2_gen_keys128(nthashhash, response->vp_octets + 26, mppe_sendkey, mppe_recvkey); + + mppe_add_reply(request, "MS-MPPE-Recv-Key", mppe_recvkey, 16); + mppe_add_reply(request, "MS-MPPE-Send-Key", mppe_sendkey, 16); + + } + pair_make_reply("MS-MPPE-Encryption-Policy", + (inst->require_encryption) ? "0x00000002":"0x00000001", T_OP_EQ); + pair_make_reply("MS-MPPE-Encryption-Types", + (inst->require_strong) ? "0x00000004":"0x00000006", T_OP_EQ); + } /* else we weren't asked to use MPPE */ + + return RLM_MODULE_OK; +#undef inst +} + +extern module_t rlm_mschap; +module_t rlm_mschap = { + .magic = RLM_MODULE_INIT, + .name = "mschap", + .type = 0, + .inst_size = sizeof(rlm_mschap_t), + .config = module_config, + .bootstrap = mod_bootstrap, + .instantiate = mod_instantiate, + .detach = mod_detach, + .methods = { + [MOD_AUTHENTICATE] = mod_authenticate, + [MOD_AUTHORIZE] = mod_authorize + }, +}; diff --git a/src/modules/rlm_mschap/rlm_mschap.h b/src/modules/rlm_mschap/rlm_mschap.h new file mode 100644 index 0000000..7309919 --- /dev/null +++ b/src/modules/rlm_mschap/rlm_mschap.h @@ -0,0 +1,55 @@ +/* Copyright 2006-2015 The FreeRADIUS server project */ + +#ifndef _RLM_MSCHAP_H +#define _RLM_MSCHAP_H + +RCSIDH(rlm_mschap_h, "$Id$") + +#include "config.h" + +#ifdef HAVE_WDOCUMENTATION +DIAG_OFF(documentation) +#endif +#ifdef WITH_AUTH_WINBIND +# include <wbclient.h> +#endif +#ifdef HAVE_WDOCUMENTATION +DIAG_ON(documentation) +#endif + +/* Method of authentication we are going to use */ +typedef enum { + AUTH_INTERNAL = 0, + AUTH_NTLMAUTH_EXEC = 1 +#ifdef WITH_AUTH_WINBIND + ,AUTH_WBCLIENT = 2 +#endif +} MSCHAP_AUTH_METHOD; + +typedef struct rlm_mschap_t { + bool use_mppe; + bool require_encryption; + bool require_strong; + bool with_ntdomain_hack; /* this should be in another module */ + char const *xlat_name; + char const *ntlm_auth; + uint32_t ntlm_auth_timeout; + char const *ntlm_cpw; + char const *ntlm_cpw_username; + char const *ntlm_cpw_domain; + char const *local_cpw; + char const *auth_type; + bool allow_retry; + char const *retry_msg; + MSCHAP_AUTH_METHOD method; + vp_tmpl_t *wb_username; + vp_tmpl_t *wb_domain; + fr_connection_pool_t *wb_pool; + bool wb_retry_with_normalised_username; +#ifdef __APPLE__ + bool open_directory; +#endif +} rlm_mschap_t; + +#endif + diff --git a/src/modules/rlm_mschap/rlm_mschap.mk.in b/src/modules/rlm_mschap/rlm_mschap.mk.in new file mode 100644 index 0000000..0d046df --- /dev/null +++ b/src/modules/rlm_mschap/rlm_mschap.mk.in @@ -0,0 +1,10 @@ +TARGETNAME := @targetname@ + +ifneq "$(TARGETNAME)" "" +TARGET := $(TARGETNAME).a +endif + +SOURCES := $(TARGETNAME).c smbdes.c mschap.c @mschap_sources@ + +SRC_CFLAGS := @mod_cflags@ +TGT_LDLIBS := @mod_ldflags@ diff --git a/src/modules/rlm_mschap/smbdes.c b/src/modules/rlm_mschap/smbdes.c new file mode 100644 index 0000000..12e75a0 --- /dev/null +++ b/src/modules/rlm_mschap/smbdes.c @@ -0,0 +1,349 @@ +/* + Unix SMB/CIFS implementation. + + a partial implementation of DES designed for use in the + SMB authentication protocol + + Copyright (C) Andrew Tridgell 1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + + Copyright 2006 The FreeRADIUS server project +*/ + + +/* NOTES: + + This code makes no attempt to be fast! In fact, it is a very + slow implementation + + This code is NOT a complete DES implementation. It implements only + the minimum necessary for SMB authentication, as used by all SMB + products (including every copy of Microsoft Windows95 ever sold) + + In particular, it can only do a unchained forward DES pass. This + means it is not possible to use this code for encryption/decryption + of data, instead it is only useful as a "hash" algorithm. + + There is no entry point into this code that allows normal DES operation. + + I believe this means that this code does not come under ITAR + regulations but this is NOT a legal opinion. If you are concerned + about the applicability of ITAR regulations to this code then you + should confirm it for yourself (and maybe let me know if you come + up with a different answer to the one above) +*/ + +RCSID("$Id$") + +#include <freeradius-devel/libradius.h> +#include <ctype.h> +#include "smbdes.h" + + +#define uchar unsigned char + +static const uchar perm1[56] = {57, 49, 41, 33, 25, 17, 9, + 1, 58, 50, 42, 34, 26, 18, + 10, 2, 59, 51, 43, 35, 27, + 19, 11, 3, 60, 52, 44, 36, + 63, 55, 47, 39, 31, 23, 15, + 7, 62, 54, 46, 38, 30, 22, + 14, 6, 61, 53, 45, 37, 29, + 21, 13, 5, 28, 20, 12, 4}; + +static const uchar perm2[48] = {14, 17, 11, 24, 1, 5, + 3, 28, 15, 6, 21, 10, + 23, 19, 12, 4, 26, 8, + 16, 7, 27, 20, 13, 2, + 41, 52, 31, 37, 47, 55, + 30, 40, 51, 45, 33, 48, + 44, 49, 39, 56, 34, 53, + 46, 42, 50, 36, 29, 32}; + +static const uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2, + 60, 52, 44, 36, 28, 20, 12, 4, + 62, 54, 46, 38, 30, 22, 14, 6, + 64, 56, 48, 40, 32, 24, 16, 8, + 57, 49, 41, 33, 25, 17, 9, 1, + 59, 51, 43, 35, 27, 19, 11, 3, + 61, 53, 45, 37, 29, 21, 13, 5, + 63, 55, 47, 39, 31, 23, 15, 7}; + +static const uchar perm4[48] = { 32, 1, 2, 3, 4, 5, + 4, 5, 6, 7, 8, 9, + 8, 9, 10, 11, 12, 13, + 12, 13, 14, 15, 16, 17, + 16, 17, 18, 19, 20, 21, + 20, 21, 22, 23, 24, 25, + 24, 25, 26, 27, 28, 29, + 28, 29, 30, 31, 32, 1}; + +static const uchar perm5[32] = { 16, 7, 20, 21, + 29, 12, 28, 17, + 1, 15, 23, 26, + 5, 18, 31, 10, + 2, 8, 24, 14, + 32, 27, 3, 9, + 19, 13, 30, 6, + 22, 11, 4, 25}; + + +static const uchar perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32, + 39, 7, 47, 15, 55, 23, 63, 31, + 38, 6, 46, 14, 54, 22, 62, 30, + 37, 5, 45, 13, 53, 21, 61, 29, + 36, 4, 44, 12, 52, 20, 60, 28, + 35, 3, 43, 11, 51, 19, 59, 27, + 34, 2, 42, 10, 50, 18, 58, 26, + 33, 1, 41, 9, 49, 17, 57, 25}; + + +static const uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1}; + +static const uchar sbox[8][4][16] = { + {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7}, + {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8}, + {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0}, + {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}}, + + {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10}, + {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5}, + {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15}, + {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}}, + + {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8}, + {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1}, + {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7}, + {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}}, + + {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15}, + {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9}, + {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4}, + {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}}, + + {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9}, + {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6}, + {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14}, + {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}}, + + {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11}, + {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8}, + {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6}, + {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}}, + + {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1}, + {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6}, + {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2}, + {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}}, + + {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7}, + {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2}, + {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8}, + {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}}; + +static void permute(char *out, char const *in, uchar const *p, int n) +{ + int i; + for (i=0;i<n;i++) + out[i] = in[p[i]-1]; +} + +static void lshift(char *d, int count, int n) +{ + char out[64]; + int i; + for (i=0;i<n;i++) + out[i] = d[(i+count)%n]; + for (i=0;i<n;i++) + d[i] = out[i]; +} + +static void concat(char *out, char *in1, char *in2, int l1, int l2) +{ + while (l1--) + *out++ = *in1++; + while (l2--) + *out++ = *in2++; +} + +static void xor(char *out, char *in1, char *in2, int n) +{ + int i; + for (i=0;i<n;i++) + out[i] = in1[i] ^ in2[i]; +} + +static void dohash(char *out, char *in, char *key) +{ + int i, j, k; + char pk1[56]; + char c[28]; + char d[28]; + char cd[56]; + char ki[16][48]; + char pd1[64]; + char l[32], r[32]; + char rl[64]; + + permute(pk1, key, perm1, 56); + + for (i=0;i<28;i++) + c[i] = pk1[i]; + for (i=0;i<28;i++) + d[i] = pk1[i+28]; + + for (i=0;i<16;i++) { + lshift(c, sc[i], 28); + lshift(d, sc[i], 28); + + concat(cd, c, d, 28, 28); + permute(ki[i], cd, perm2, 48); + } + + permute(pd1, in, perm3, 64); + + for (j=0;j<32;j++) { + l[j] = pd1[j]; + r[j] = pd1[j+32]; + } + + for (i=0;i<16;i++) { + char er[48]; + char erk[48]; + char b[8][6]; + char cb[32]; + char pcb[32]; + char r2[32]; + + permute(er, r, perm4, 48); + + xor(erk, er, ki[i], 48); + + for (j=0;j<8;j++) + for (k=0;k<6;k++) + b[j][k] = erk[j*6 + k]; + + for (j=0;j<8;j++) { + int m, n; + m = (b[j][0]<<1) | b[j][5]; + + n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4]; + + for (k=0;k<4;k++) + b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0; + } + + for (j=0;j<8;j++) + for (k=0;k<4;k++) + cb[j*4+k] = b[j][k]; + permute(pcb, cb, perm5, 32); + + xor(r2, l, pcb, 32); + + for (j=0;j<32;j++) + l[j] = r[j]; + + for (j=0;j<32;j++) + r[j] = r2[j]; + } + + concat(rl, r, l, 32, 32); + + permute(out, rl, perm6, 64); +} + +static void str_to_key(unsigned char *str,unsigned char *key) +{ + int i; + + key[0] = str[0]>>1; + key[1] = ((str[0]&0x01)<<6) | (str[1]>>2); + key[2] = ((str[1]&0x03)<<5) | (str[2]>>3); + key[3] = ((str[2]&0x07)<<4) | (str[3]>>4); + key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5); + key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6); + key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7); + key[7] = str[6]&0x7F; + for (i=0;i<8;i++) { + key[i] = (key[i]<<1); + } +} + + +void smbhash(unsigned char *out, unsigned char const *in, unsigned char *key) +{ + int i; + char outb[64]; + char inb[64]; + char keyb[64]; + unsigned char key2[8]; + + str_to_key(key, key2); + + for (i=0;i<64;i++) { + inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0; + keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0; + outb[i] = 0; + } + + dohash(outb, inb, keyb); + + for (i=0;i<8;i++) { + out[i] = 0; + } + + for (i=0;i<64;i++) { + if (outb[i]) + out[i/8] |= (1<<(7-(i%8))); + } +} + +/* + * Converts the password to uppercase, and creates the LM + * password hash. + */ +void smbdes_lmpwdhash(char const *password, uint8_t *lmhash) +{ + int i; + uint8_t p14[14]; + static uint8_t sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25}; + + memset(p14, 0, sizeof(p14)); + for (i = 0; i < 14 && password[i]; i++) { + p14[i] = toupper((int) password[i]); + } + + smbhash(lmhash, sp8, p14); + smbhash(lmhash+8, sp8, p14+7); +} + +/* + * Take the NT or LM password, and return the MSCHAP response + * + * The win_password MUST be exactly 16 bytes long. + */ +void smbdes_mschap(uint8_t const win_password[16], + uint8_t const *challenge, uint8_t *response) +{ + uint8_t p21[21]; + + memset(p21, 0, sizeof(p21)); + memcpy(p21, win_password, 16); + + smbhash(response, challenge, p21); + smbhash(response+8, challenge, p21+7); + smbhash(response+16, challenge, p21+14); +} diff --git a/src/modules/rlm_mschap/smbdes.h b/src/modules/rlm_mschap/smbdes.h new file mode 100644 index 0000000..aa06d76 --- /dev/null +++ b/src/modules/rlm_mschap/smbdes.h @@ -0,0 +1,13 @@ +/* Copyright 2006 The FreeRADIUS server project */ + +#ifndef _SMBDES_H +#define _SMBDES_H + +RCSIDH(smbdes_h, "$Id$") + +void smbhash(unsigned char *out, unsigned char const *in, unsigned char *key); +void smbdes_lmpwdhash(char const *password, uint8_t *lmhash); +void smbdes_mschap(uint8_t const win_password[16], + uint8_t const *challenge, uint8_t *response); + +#endif /*_SMBDES_H*/ diff --git a/src/modules/rlm_mschap/smbencrypt.c b/src/modules/rlm_mschap/smbencrypt.c new file mode 100644 index 0000000..9a8a5ab --- /dev/null +++ b/src/modules/rlm_mschap/smbencrypt.c @@ -0,0 +1,147 @@ +/* + * smbencrypt.c Produces LM-Password and NT-Password from + * cleartext password + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA + * + * Copyright 2002 3APA3A for FreeRADIUS project + Copyright 2006 The FreeRADIUS server project + */ + +RCSID("$Id$") + +#include <freeradius-devel/libradius.h> + +#ifdef HAVE_OPENSSL_SSL_H +#include <openssl/ssl.h> +#include <freeradius-devel/openssl3.h> +#endif + +#include <freeradius-devel/md4.h> +#include <freeradius-devel/md5.h> +#include <freeradius-devel/sha1.h> +#include <ctype.h> + + +#include "smbdes.h" + +static char const hex[] = "0123456789ABCDEF"; + +#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L +# include <openssl/provider.h> + +static OSSL_PROVIDER *openssl_default_provider = NULL; +static OSSL_PROVIDER *openssl_legacy_provider = NULL; + +#define ERROR(_x) fprintf(stderr, _x) + +static int openssl3_init(void) +{ + /* + * Load the default provider for most algorithms + */ + openssl_default_provider = OSSL_PROVIDER_load(NULL, "default"); + if (!openssl_default_provider) { + ERROR("(TLS) Failed loading default provider"); + return -1; + } + + /* + * Needed for MD4 + * + * https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms + */ + openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy"); + if (!openssl_legacy_provider) { + ERROR("(TLS) Failed loading legacy provider"); + return -1; + } + + return 0; +} + +static void openssl3_free(void) +{ + if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) { + ERROR("Failed unloading default provider"); + } + openssl_default_provider = NULL; + + if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) { + ERROR("Failed unloading legacy provider"); + } + openssl_legacy_provider = NULL; +} +#else +#define openssl3_init() +#define openssl3_free() +#endif + + + +/* + * FIXME: use functions in freeradius + */ +static void tohex (unsigned char const *src, size_t len, char *dst) +{ + size_t i; + for (i=0; i<len; i++) { + dst[(i*2)] = hex[(src[i] >> 4)]; + dst[(i*2) + 1] = hex[(src[i]&0x0F)]; + } + dst[(i*2)] = 0; +} + +static void ntpwdhash(uint8_t *out, char const *password) +{ + ssize_t len; + uint8_t ucs2_password[512]; + + len = fr_utf8_to_ucs2(ucs2_password, sizeof(ucs2_password), password, strlen(password)); + if (len < 0) { + *out = '\0'; + return; + } + fr_md4_calc(out, (uint8_t *) ucs2_password, len); +} + +int main (int argc, char *argv[]) +{ + int i, l; + char password[1024]; + uint8_t hash[16]; + char ntpass[33]; + char lmpass[33]; + + openssl3_init(); + + fprintf(stderr, "LM Hash \tNT Hash\n"); + fprintf(stderr, "--------------------------------\t--------------------------------\n"); + fflush(stderr); + for (i = 1; i < argc; i++ ) { + strlcpy(password, argv[i], sizeof(password)); + l = strlen(password); + if (l && password[l-1] == '\n') password [l-1] = 0; + smbdes_lmpwdhash(password, hash); + tohex (hash, 16, lmpass); + ntpwdhash (hash, password); + tohex (hash, 16, ntpass); + printf("%s\t%s\n", lmpass, ntpass); + } + + openssl3_free(); + + return 0; +} diff --git a/src/modules/rlm_mschap/smbencrypt.mk b/src/modules/rlm_mschap/smbencrypt.mk new file mode 100644 index 0000000..70e8b7b --- /dev/null +++ b/src/modules/rlm_mschap/smbencrypt.mk @@ -0,0 +1,8 @@ +TARGET := smbencrypt +SOURCES := smbencrypt.c smbdes.c + +TGT_PREREQS := libfreeradius-radius.a + +SRC_CFLAGS := +TGT_LDLIBS := $(LIBS) + |