summaryrefslogtreecommitdiffstats
path: root/src/modules/rlm_mschap
diff options
context:
space:
mode:
Diffstat (limited to 'src/modules/rlm_mschap')
-rw-r--r--src/modules/rlm_mschap/.gitignore3
-rw-r--r--src/modules/rlm_mschap/README.md10
-rw-r--r--src/modules/rlm_mschap/all.mk5
-rw-r--r--src/modules/rlm_mschap/auth_wbclient.c270
-rw-r--r--src/modules/rlm_mschap/auth_wbclient.h19
-rw-r--r--src/modules/rlm_mschap/config.h.in7
-rwxr-xr-xsrc/modules/rlm_mschap/configure4931
-rw-r--r--src/modules/rlm_mschap/configure.ac128
-rw-r--r--src/modules/rlm_mschap/mschap.c147
-rw-r--r--src/modules/rlm_mschap/mschap.h25
-rw-r--r--src/modules/rlm_mschap/opendir.c418
-rw-r--r--src/modules/rlm_mschap/rlm_mschap.c2150
-rw-r--r--src/modules/rlm_mschap/rlm_mschap.h55
-rw-r--r--src/modules/rlm_mschap/rlm_mschap.mk.in10
-rw-r--r--src/modules/rlm_mschap/smbdes.c349
-rw-r--r--src/modules/rlm_mschap/smbdes.h13
-rw-r--r--src/modules/rlm_mschap/smbencrypt.c147
-rw-r--r--src/modules/rlm_mschap/smbencrypt.mk8
18 files changed, 8695 insertions, 0 deletions
diff --git a/src/modules/rlm_mschap/.gitignore b/src/modules/rlm_mschap/.gitignore
new file mode 100644
index 0000000..0dd46d5
--- /dev/null
+++ b/src/modules/rlm_mschap/.gitignore
@@ -0,0 +1,3 @@
+config.h
+rlm_mschap.mk
+smbencrypt
diff --git a/src/modules/rlm_mschap/README.md b/src/modules/rlm_mschap/README.md
new file mode 100644
index 0000000..a05ab8d
--- /dev/null
+++ b/src/modules/rlm_mschap/README.md
@@ -0,0 +1,10 @@
+# rlm_mschap
+## Metadata
+<dl>
+ <dt>category</dt><dd>authentication</dd>
+</dl>
+
+## Summary
+
+Supports MS-CHAP and MS-CHAPv2 authentication. It also enforces
+the SMB-Account-Ctrl attribute.
diff --git a/src/modules/rlm_mschap/all.mk b/src/modules/rlm_mschap/all.mk
new file mode 100644
index 0000000..533d19a
--- /dev/null
+++ b/src/modules/rlm_mschap/all.mk
@@ -0,0 +1,5 @@
+SUBMAKEFILES := rlm_mschap.mk smbencrypt.mk
+
+src/modules/rlm_mschap/rlm_mschap.mk: src/modules/rlm_mschap/rlm_mschap.mk.in src/modules/rlm_mschap/configure
+ @echo CONFIGURE $(dir $<)
+ @cd $(dir $<) && ./configure $(CONFIGURE_ARGS) && touch $(notdir $@)
diff --git a/src/modules/rlm_mschap/auth_wbclient.c b/src/modules/rlm_mschap/auth_wbclient.c
new file mode 100644
index 0000000..8b4a3ee
--- /dev/null
+++ b/src/modules/rlm_mschap/auth_wbclient.c
@@ -0,0 +1,270 @@
+/*
+ * This program is is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/**
+ * $Id$
+ * @file auth_wbclient.c
+ * @brief NTLM authentication against the wbclient library
+ *
+ * @copyright 2015 Matthew Newton
+ */
+
+RCSID("$Id$")
+
+#include <freeradius-devel/radiusd.h>
+#include <freeradius-devel/rad_assert.h>
+
+#include <core/ntstatus.h>
+
+#include "rlm_mschap.h"
+#include "mschap.h"
+#include "auth_wbclient.h"
+
+#define NT_LENGTH 24
+
+/** Use Winbind to normalise a username
+ *
+ * @param[in] tctx The talloc context where the result is parented from
+ * @param[in] ctx The winbind context
+ * @param[in] dom_name The domain of the user
+ * @param[in] name The username (without the domain) to be normalised
+ * @return The username with the casing according to the Winbind remote server,
+ * or NULL if the username could not be found.
+ */
+static char *wbclient_normalise_username(TALLOC_CTX *tctx, struct wbcContext *ctx, char const *dom_name, char const *name)
+{
+ struct wbcDomainSid sid;
+ enum wbcSidType name_type;
+ wbcErr err;
+ char *res_domain = NULL;
+ char *res_name = NULL;
+ char *res = NULL;
+
+ /* Step 1: Convert a name to a sid */
+ err = wbcCtxLookupName(ctx, dom_name, name, &sid, &name_type);
+ if (!WBC_ERROR_IS_OK(err))
+ return NULL;
+
+ /* Step 2: Convert the sid back to a name */
+ err = wbcCtxLookupSid(ctx, &sid, &res_domain, &res_name, &name_type);
+ if (!WBC_ERROR_IS_OK(err))
+ return NULL;
+
+ MEM(res = talloc_strdup(tctx, res_name));
+
+ wbcFreeMemory(res_domain);
+ wbcFreeMemory(res_name);
+
+ return res;
+}
+
+/*
+ * Check NTLM authentication direct to winbind via
+ * Samba's libwbclient library
+ *
+ * Returns:
+ * 0 success
+ * -1 auth failure
+ * -2 failed connecting to AD
+ * -648 password expired
+ */
+int do_auth_wbclient(rlm_mschap_t *inst, REQUEST *request,
+ uint8_t const *challenge, uint8_t const *response,
+ uint8_t nthashhash[NT_DIGEST_LENGTH])
+{
+ int rcode = -1;
+ struct wbcContext *wb_ctx = NULL;
+ struct wbcAuthUserParams authparams;
+ wbcErr err;
+ int len;
+ struct wbcAuthUserInfo *info = NULL;
+ struct wbcAuthErrorInfo *error = NULL;
+ char user_name_buf[500];
+ char domain_name_buf[500];
+ uint8_t resp[NT_LENGTH];
+
+ /*
+ * Clear the auth parameters - this is important, as
+ * there are options that will cause wbcAuthenticateUserEx
+ * to bomb out if not zero.
+ */
+ memset(&authparams, 0, sizeof(authparams));
+
+ /*
+ * wb_username must be set for this function to be called
+ */
+ rad_assert(inst->wb_username);
+
+ /*
+ * Get the username and domain from the configuration
+ */
+ len = tmpl_expand(&authparams.account_name, user_name_buf, sizeof(user_name_buf),
+ request, inst->wb_username, NULL, NULL);
+ if (len < 0) {
+ REDEBUG2("Unable to expand winbind_username");
+ goto done;
+ }
+
+ if (inst->wb_domain) {
+ len = tmpl_expand(&authparams.domain_name, domain_name_buf, sizeof(domain_name_buf),
+ request, inst->wb_domain, NULL, NULL);
+ if (len < 0) {
+ REDEBUG2("Unable to expand winbind_domain");
+ goto done;
+ }
+ } else {
+ RWDEBUG2("No domain specified; authentication may fail because of this");
+ }
+
+
+ /*
+ * Build the wbcAuthUserParams structure with what we know
+ */
+ authparams.level = WBC_AUTH_USER_LEVEL_RESPONSE;
+ authparams.password.response.nt_length = NT_LENGTH;
+
+ memcpy(resp, response, NT_LENGTH);
+ authparams.password.response.nt_data = resp;
+
+ memcpy(authparams.password.response.challenge, challenge,
+ sizeof(authparams.password.response.challenge));
+
+ authparams.parameter_control |= WBC_MSV1_0_ALLOW_MSVCHAPV2 |
+ WBC_MSV1_0_ALLOW_WORKSTATION_TRUST_ACCOUNT |
+ WBC_MSV1_0_ALLOW_SERVER_TRUST_ACCOUNT;
+
+
+ /*
+ * Send auth request across to winbind
+ */
+ wb_ctx = fr_connection_get(inst->wb_pool);
+ if (wb_ctx == NULL) {
+ RERROR("Unable to get winbind connection from pool");
+ goto done;
+ }
+
+ RDEBUG2("sending authentication request user='%s' domain='%s'", authparams.account_name,
+ authparams.domain_name);
+
+ err = wbcCtxAuthenticateUserEx(wb_ctx, &authparams, &info, &error);
+
+ if (err == WBC_ERR_AUTH_ERROR && inst->wb_retry_with_normalised_username) {
+ VALUE_PAIR *vp_response, *vp_challenge;
+ char *normalised_username = wbclient_normalise_username(request, wb_ctx, authparams.domain_name, authparams.account_name);
+ if (normalised_username) {
+ RDEBUG2("Starting retry, normalised username %s to %s", authparams.account_name, normalised_username);
+ if (strcmp(authparams.account_name, normalised_username) != 0) {
+ authparams.account_name = normalised_username;
+
+ /* Set PW_MS_CHAP_USER_NAME */
+ if (!fr_pair_make(request->packet, &request->packet->vps, "MS-CHAP-User-Name", normalised_username, T_OP_SET)) {
+ RERROR("Failed creating MS-CHAP-User-Name");
+ goto normalised_username_retry_failure;
+ }
+
+ RDEBUG2("retrying authentication request user='%s' domain='%s'", authparams.account_name,
+ authparams.domain_name);
+
+ /* Recalculate hash */
+ if (!(vp_challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY))) {
+ RERROR("Unable to get MS-CHAP-Challenge");
+ goto normalised_username_retry_failure;
+ }
+ if (!(vp_response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY))) {
+ RERROR("Unable to get MS-CHAP2-Response");
+ goto normalised_username_retry_failure;
+ }
+ mschap_challenge_hash(vp_response->vp_octets + 2,
+ vp_challenge->vp_octets,
+ normalised_username,
+ authparams.password.response.challenge);
+
+ err = wbcCtxAuthenticateUserEx(wb_ctx, &authparams, &info, &error);
+ }
+normalised_username_retry_failure:
+ talloc_free(normalised_username);
+ }
+ }
+
+ fr_connection_release(inst->wb_pool, wb_ctx);
+
+ /*
+ * Try and give some useful feedback on what happened. There are only
+ * a few errors that can actually be returned from wbcCtxAuthenticateUserEx.
+ */
+ switch (err) {
+ case WBC_ERR_SUCCESS:
+ rcode = 0;
+ RDEBUG2("Authenticated successfully");
+ /* Grab the nthashhash from the result */
+ memcpy(nthashhash, info->user_session_key, NT_DIGEST_LENGTH);
+ break;
+ case WBC_ERR_WINBIND_NOT_AVAILABLE:
+ rcode = -2;
+ RERROR("Unable to contact winbind!");
+ RDEBUG2("Check that winbind is running and that FreeRADIUS has");
+ RDEBUG2("permission to connect to the winbind privileged socket.");
+ break;
+ case WBC_ERR_DOMAIN_NOT_FOUND:
+ REDEBUG2("Domain not found");
+ break;
+ case WBC_ERR_AUTH_ERROR:
+ if (!error) {
+ REDEBUG2("Authentication failed");
+ break;
+ }
+
+ /*
+ * The password needs to be changed, so set rcode appropriately.
+ */
+ if (error->nt_status == NT_STATUS_PASSWORD_EXPIRED ||
+ error->nt_status == NT_STATUS_PASSWORD_MUST_CHANGE) {
+ rcode = -648;
+ }
+
+ /*
+ * Return the NT_STATUS human readable error string, if there is one.
+ */
+ if (error->display_string) {
+ REDEBUG2("%s [0x%X]", error->display_string, error->nt_status);
+ } else {
+ REDEBUG2("Authentication failed [0x%X]", error->nt_status);
+ }
+ break;
+ default:
+ /*
+ * Only errors left are
+ * WBC_ERR_INVALID_PARAM
+ * WBC_ERR_NO_MEMORY
+ * neither of which are particularly likely.
+ */
+ rcode = -2;
+ if (error && error->display_string) {
+ REDEBUG2("libwbclient error: wbcErr %d (%s)", err, error->display_string);
+ } else {
+ REDEBUG2("libwbclient error: wbcErr %d", err);
+ }
+ break;
+ }
+
+
+done:
+ if (info) wbcFreeMemory(info);
+ if (error) wbcFreeMemory(error);
+
+ return rcode;
+}
+
diff --git a/src/modules/rlm_mschap/auth_wbclient.h b/src/modules/rlm_mschap/auth_wbclient.h
new file mode 100644
index 0000000..e54591c
--- /dev/null
+++ b/src/modules/rlm_mschap/auth_wbclient.h
@@ -0,0 +1,19 @@
+/* Copyright 2015 The FreeRADIUS server project */
+
+#ifndef _AUTH_WBCLIENT_H
+#define _AUTH_WBCLIENT_H
+
+RCSIDH(auth_wbclient_h, "$Id$")
+
+#include <wbclient.h>
+
+/* Samba does not export this constant yet */
+#ifndef WBC_MSV1_0_ALLOW_MSVCHAPV2
+#define WBC_MSV1_0_ALLOW_MSVCHAPV2 0x00010000
+#endif
+
+int do_auth_wbclient(rlm_mschap_t *inst, REQUEST *request,
+ uint8_t const *challenge, uint8_t const *response,
+ uint8_t nthashhash[NT_DIGEST_LENGTH]);
+
+#endif /*_AUTH_WBCLIENT_H*/
diff --git a/src/modules/rlm_mschap/config.h.in b/src/modules/rlm_mschap/config.h.in
new file mode 100644
index 0000000..ccd7fc8
--- /dev/null
+++ b/src/modules/rlm_mschap/config.h.in
@@ -0,0 +1,7 @@
+/* config.h.in. Generated from configure.ac by autoheader. */
+
+/* Build with Apple Open Directory support */
+#undef HAVE_MEMBERSHIP_H
+
+/* Build with direct winbind auth support */
+#undef WITH_AUTH_WINBIND
diff --git a/src/modules/rlm_mschap/configure b/src/modules/rlm_mschap/configure
new file mode 100755
index 0000000..fe001f1
--- /dev/null
+++ b/src/modules/rlm_mschap/configure
@@ -0,0 +1,4931 @@
+#! /bin/sh
+# From configure.ac Revision.
+# Guess values for system-dependent variables and create Makefiles.
+# Generated by GNU Autoconf 2.69.
+#
+#
+# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc.
+#
+#
+# This configure script is free software; the Free Software Foundation
+# gives unlimited permission to copy, distribute and modify it.
+## -------------------- ##
+## M4sh Initialization. ##
+## -------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+ emulate sh
+ NULLCMD=:
+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in #(
+ *posix*) :
+ set -o posix ;; #(
+ *) :
+ ;;
+esac
+fi
+
+
+as_nl='
+'
+export as_nl
+# Printing a long string crashes Solaris 7 /usr/bin/printf.
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
+# Prefer a ksh shell builtin over an external printf program on Solaris,
+# but without wasting forks for bash or zsh.
+if test -z "$BASH_VERSION$ZSH_VERSION" \
+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
+ as_echo='print -r --'
+ as_echo_n='print -rn --'
+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+ as_echo='printf %s\n'
+ as_echo_n='printf %s'
+else
+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
+ as_echo_n='/usr/ucb/echo -n'
+ else
+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
+ as_echo_n_body='eval
+ arg=$1;
+ case $arg in #(
+ *"$as_nl"*)
+ expr "X$arg" : "X\\(.*\\)$as_nl";
+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
+ esac;
+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
+ '
+ export as_echo_n_body
+ as_echo_n='sh -c $as_echo_n_body as_echo'
+ fi
+ export as_echo_body
+ as_echo='sh -c $as_echo_body as_echo'
+fi
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ PATH_SEPARATOR=:
+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+ PATH_SEPARATOR=';'
+ }
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+IFS=" "" $as_nl"
+
+# Find who we are. Look in the path if we contain no directory separator.
+as_myself=
+case $0 in #((
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+ as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+ exit 1
+fi
+
+# Unset variables that we do not need and which cause bugs (e.g. in
+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
+# suppresses any "Segmentation fault" message there. '((' could
+# trigger a bug in pdksh 5.2.14.
+for as_var in BASH_ENV ENV MAIL MAILPATH
+do eval test x\${$as_var+set} = xset \
+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+LC_ALL=C
+export LC_ALL
+LANGUAGE=C
+export LANGUAGE
+
+# CDPATH.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+# Use a proper internal environment variable to ensure we don't fall
+ # into an infinite loop, continuously re-executing ourselves.
+ if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then
+ _as_can_reexec=no; export _as_can_reexec;
+ # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+ *v*x* | *x*v* ) as_opts=-vx ;;
+ *v* ) as_opts=-v ;;
+ *x* ) as_opts=-x ;;
+ * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+as_fn_exit 255
+ fi
+ # We don't want this to propagate to other subprocesses.
+ { _as_can_reexec=; unset _as_can_reexec;}
+if test "x$CONFIG_SHELL" = x; then
+ as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then :
+ emulate sh
+ NULLCMD=:
+ # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '\${1+\"\$@\"}'='\"\$@\"'
+ setopt NO_GLOB_SUBST
+else
+ case \`(set -o) 2>/dev/null\` in #(
+ *posix*) :
+ set -o posix ;; #(
+ *) :
+ ;;
+esac
+fi
+"
+ as_required="as_fn_return () { (exit \$1); }
+as_fn_success () { as_fn_return 0; }
+as_fn_failure () { as_fn_return 1; }
+as_fn_ret_success () { return 0; }
+as_fn_ret_failure () { return 1; }
+
+exitcode=0
+as_fn_success || { exitcode=1; echo as_fn_success failed.; }
+as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; }
+as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; }
+as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; }
+if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then :
+
+else
+ exitcode=1; echo positional parameters were not saved.
+fi
+test x\$exitcode = x0 || exit 1
+test -x / || exit 1"
+ as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO
+ as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO
+ eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" &&
+ test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1"
+ if (eval "$as_required") 2>/dev/null; then :
+ as_have_required=yes
+else
+ as_have_required=no
+fi
+ if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then :
+
+else
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+as_found=false
+for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ as_found=:
+ case $as_dir in #(
+ /*)
+ for as_base in sh bash ksh sh5; do
+ # Try only shells that exist, to save several forks.
+ as_shell=$as_dir/$as_base
+ if { test -f "$as_shell" || test -f "$as_shell.exe"; } &&
+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then :
+ CONFIG_SHELL=$as_shell as_have_required=yes
+ if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then :
+ break 2
+fi
+fi
+ done;;
+ esac
+ as_found=false
+done
+$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } &&
+ { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then :
+ CONFIG_SHELL=$SHELL as_have_required=yes
+fi; }
+IFS=$as_save_IFS
+
+
+ if test "x$CONFIG_SHELL" != x; then :
+ export CONFIG_SHELL
+ # We cannot yet assume a decent shell, so we have to provide a
+# neutralization value for shells without unset; and this also
+# works around shells that cannot unset nonexistent variables.
+# Preserve -v and -x to the replacement shell.
+BASH_ENV=/dev/null
+ENV=/dev/null
+(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV
+case $- in # ((((
+ *v*x* | *x*v* ) as_opts=-vx ;;
+ *v* ) as_opts=-v ;;
+ *x* ) as_opts=-x ;;
+ * ) as_opts= ;;
+esac
+exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"}
+# Admittedly, this is quite paranoid, since all the known shells bail
+# out after a failed `exec'.
+$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2
+exit 255
+fi
+
+ if test x$as_have_required = xno; then :
+ $as_echo "$0: This script requires a shell more modern than all"
+ $as_echo "$0: the shells that I found on your system."
+ if test x${ZSH_VERSION+set} = xset ; then
+ $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should"
+ $as_echo "$0: be upgraded to zsh 4.3.4 or later."
+ else
+ $as_echo "$0: Please tell bug-autoconf@gnu.org about your system,
+$0: including any error possibly output before this
+$0: message. Then install a modern shell, or manually run
+$0: the script under such a shell if you do have one."
+ fi
+ exit 1
+fi
+fi
+fi
+SHELL=${CONFIG_SHELL-/bin/sh}
+export SHELL
+# Unset more variables known to interfere with behavior of common tools.
+CLICOLOR_FORCE= GREP_OPTIONS=
+unset CLICOLOR_FORCE GREP_OPTIONS
+
+## --------------------- ##
+## M4sh Shell Functions. ##
+## --------------------- ##
+# as_fn_unset VAR
+# ---------------
+# Portably unset VAR.
+as_fn_unset ()
+{
+ { eval $1=; unset $1;}
+}
+as_unset=as_fn_unset
+
+# as_fn_set_status STATUS
+# -----------------------
+# Set $? to STATUS, without forking.
+as_fn_set_status ()
+{
+ return $1
+} # as_fn_set_status
+
+# as_fn_exit STATUS
+# -----------------
+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
+as_fn_exit ()
+{
+ set +e
+ as_fn_set_status $1
+ exit $1
+} # as_fn_exit
+
+# as_fn_mkdir_p
+# -------------
+# Create "$as_dir" as a directory, including parents if necessary.
+as_fn_mkdir_p ()
+{
+
+ case $as_dir in #(
+ -*) as_dir=./$as_dir;;
+ esac
+ test -d "$as_dir" || eval $as_mkdir_p || {
+ as_dirs=
+ while :; do
+ case $as_dir in #(
+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
+ *) as_qdir=$as_dir;;
+ esac
+ as_dirs="'$as_qdir' $as_dirs"
+ as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_dir" : 'X\(//\)[^/]' \| \
+ X"$as_dir" : 'X\(//\)$' \| \
+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_dir" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ test -d "$as_dir" && break
+ done
+ test -z "$as_dirs" || eval "mkdir $as_dirs"
+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
+
+
+} # as_fn_mkdir_p
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+ test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+# as_fn_append VAR VALUE
+# ----------------------
+# Append the text in VALUE to the end of the definition contained in VAR. Take
+# advantage of any shell optimizations that allow amortized linear growth over
+# repeated appends, instead of the typical quadratic growth present in naive
+# implementations.
+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
+ eval 'as_fn_append ()
+ {
+ eval $1+=\$2
+ }'
+else
+ as_fn_append ()
+ {
+ eval $1=\$$1\$2
+ }
+fi # as_fn_append
+
+# as_fn_arith ARG...
+# ------------------
+# Perform arithmetic evaluation on the ARGs, and store the result in the
+# global $as_val. Take advantage of shells that can avoid forks. The arguments
+# must be portable across $(()) and expr.
+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
+ eval 'as_fn_arith ()
+ {
+ as_val=$(( $* ))
+ }'
+else
+ as_fn_arith ()
+ {
+ as_val=`expr "$@" || test $? -eq 1`
+ }
+fi # as_fn_arith
+
+
+# as_fn_error STATUS ERROR [LINENO LOG_FD]
+# ----------------------------------------
+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
+# script with STATUS, using 1 if that was 0.
+as_fn_error ()
+{
+ as_status=$1; test $as_status -eq 0 && as_status=1
+ if test "$4"; then
+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
+ fi
+ $as_echo "$as_me: error: $2" >&2
+ as_fn_exit $as_status
+} # as_fn_error
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+ as_basename=basename
+else
+ as_basename=false
+fi
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+ as_dirname=dirname
+else
+ as_dirname=false
+fi
+
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+
+ as_lineno_1=$LINENO as_lineno_1a=$LINENO
+ as_lineno_2=$LINENO as_lineno_2a=$LINENO
+ eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" &&
+ test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || {
+ # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-)
+ sed -n '
+ p
+ /[$]LINENO/=
+ ' <$as_myself |
+ sed '
+ s/[$]LINENO.*/&-/
+ t lineno
+ b
+ :lineno
+ N
+ :loop
+ s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/
+ t loop
+ s/-\n.*//
+ ' >$as_me.lineno &&
+ chmod +x "$as_me.lineno" ||
+ { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; }
+
+ # If we had to re-execute with $CONFIG_SHELL, we're ensured to have
+ # already done that, so ensure we don't try to do so again and fall
+ # in an infinite loop. This has already happened in practice.
+ _as_can_reexec=no; export _as_can_reexec
+ # Don't try to exec as it changes $[0], causing all sort of problems
+ # (the dirname of $[0] is not the place where we might find the
+ # original and so on. Autoconf is especially sensitive to this).
+ . "./$as_me.lineno"
+ # Exit status is that of the last command.
+ exit
+}
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in #(((((
+-n*)
+ case `echo 'xy\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+ xy) ECHO_C='\c';;
+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null
+ ECHO_T=' ';;
+ esac;;
+*)
+ ECHO_N='-n';;
+esac
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+else
+ rm -f conf$$.dir
+ mkdir conf$$.dir 2>/dev/null
+fi
+if (echo >conf$$.file) 2>/dev/null; then
+ if ln -s conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s='ln -s'
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+ # In both cases, we have to default to `cp -pR'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+ as_ln_s='cp -pR'
+ elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+ else
+ as_ln_s='cp -pR'
+ fi
+else
+ as_ln_s='cp -pR'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+if mkdir -p . 2>/dev/null; then
+ as_mkdir_p='mkdir -p "$as_dir"'
+else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+fi
+
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+test -n "$DJDIR" || exec 7<&0 </dev/null
+exec 6>&1
+
+# Name of the host.
+# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status,
+# so uname gets run too.
+ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q`
+
+#
+# Initializations.
+#
+ac_default_prefix=/usr/local
+ac_clean_files=
+ac_config_libobj_dir=.
+LIBOBJS=
+cross_compiling=no
+subdirs=
+MFLAGS=
+MAKEFLAGS=
+
+# Identity of this package.
+PACKAGE_NAME=
+PACKAGE_TARNAME=
+PACKAGE_VERSION=
+PACKAGE_STRING=
+PACKAGE_BUGREPORT=
+PACKAGE_URL=
+
+ac_unique_file="rlm_mschap.c"
+ac_subst_vars='LTLIBOBJS
+LIBOBJS
+mod_cflags
+mod_ldflags
+mschap_sources
+targetname
+CPP
+OBJEXT
+EXEEXT
+ac_ct_CC
+CPPFLAGS
+LDFLAGS
+CFLAGS
+CC
+target_alias
+host_alias
+build_alias
+LIBS
+ECHO_T
+ECHO_N
+ECHO_C
+DEFS
+mandir
+localedir
+libdir
+psdir
+pdfdir
+dvidir
+htmldir
+infodir
+docdir
+oldincludedir
+includedir
+runstatedir
+localstatedir
+sharedstatedir
+sysconfdir
+datadir
+datarootdir
+libexecdir
+sbindir
+bindir
+program_transform_name
+prefix
+exec_prefix
+PACKAGE_URL
+PACKAGE_BUGREPORT
+PACKAGE_STRING
+PACKAGE_VERSION
+PACKAGE_TARNAME
+PACKAGE_NAME
+PATH_SEPARATOR
+SHELL'
+ac_subst_files=''
+ac_user_opts='
+enable_option_checking
+with_rlm_mschap
+with_winbind_include_dir
+with_winbind_lib_dir
+with_winbind_dir
+'
+ ac_precious_vars='build_alias
+host_alias
+target_alias
+CC
+CFLAGS
+LDFLAGS
+LIBS
+CPPFLAGS
+CPP'
+
+
+# Initialize some variables set by options.
+ac_init_help=
+ac_init_version=false
+ac_unrecognized_opts=
+ac_unrecognized_sep=
+# The variables have the same names as the options, with
+# dashes changed to underlines.
+cache_file=/dev/null
+exec_prefix=NONE
+no_create=
+no_recursion=
+prefix=NONE
+program_prefix=NONE
+program_suffix=NONE
+program_transform_name=s,x,x,
+silent=
+site=
+srcdir=
+verbose=
+x_includes=NONE
+x_libraries=NONE
+
+# Installation directory options.
+# These are left unexpanded so users can "make install exec_prefix=/foo"
+# and all the variables that are supposed to be based on exec_prefix
+# by default will actually change.
+# Use braces instead of parens because sh, perl, etc. also accept them.
+# (The list follows the same order as the GNU Coding Standards.)
+bindir='${exec_prefix}/bin'
+sbindir='${exec_prefix}/sbin'
+libexecdir='${exec_prefix}/libexec'
+datarootdir='${prefix}/share'
+datadir='${datarootdir}'
+sysconfdir='${prefix}/etc'
+sharedstatedir='${prefix}/com'
+localstatedir='${prefix}/var'
+runstatedir='${localstatedir}/run'
+includedir='${prefix}/include'
+oldincludedir='/usr/include'
+docdir='${datarootdir}/doc/${PACKAGE}'
+infodir='${datarootdir}/info'
+htmldir='${docdir}'
+dvidir='${docdir}'
+pdfdir='${docdir}'
+psdir='${docdir}'
+libdir='${exec_prefix}/lib'
+localedir='${datarootdir}/locale'
+mandir='${datarootdir}/man'
+
+ac_prev=
+ac_dashdash=
+for ac_option
+do
+ # If the previous option needs an argument, assign it.
+ if test -n "$ac_prev"; then
+ eval $ac_prev=\$ac_option
+ ac_prev=
+ continue
+ fi
+
+ case $ac_option in
+ *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;;
+ *=) ac_optarg= ;;
+ *) ac_optarg=yes ;;
+ esac
+
+ # Accept the important Cygnus configure options, so we can diagnose typos.
+
+ case $ac_dashdash$ac_option in
+ --)
+ ac_dashdash=yes ;;
+
+ -bindir | --bindir | --bindi | --bind | --bin | --bi)
+ ac_prev=bindir ;;
+ -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*)
+ bindir=$ac_optarg ;;
+
+ -build | --build | --buil | --bui | --bu)
+ ac_prev=build_alias ;;
+ -build=* | --build=* | --buil=* | --bui=* | --bu=*)
+ build_alias=$ac_optarg ;;
+
+ -cache-file | --cache-file | --cache-fil | --cache-fi \
+ | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c)
+ ac_prev=cache_file ;;
+ -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \
+ | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*)
+ cache_file=$ac_optarg ;;
+
+ --config-cache | -C)
+ cache_file=config.cache ;;
+
+ -datadir | --datadir | --datadi | --datad)
+ ac_prev=datadir ;;
+ -datadir=* | --datadir=* | --datadi=* | --datad=*)
+ datadir=$ac_optarg ;;
+
+ -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \
+ | --dataroo | --dataro | --datar)
+ ac_prev=datarootdir ;;
+ -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \
+ | --dataroot=* | --dataroo=* | --dataro=* | --datar=*)
+ datarootdir=$ac_optarg ;;
+
+ -disable-* | --disable-*)
+ ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+ as_fn_error $? "invalid feature name: $ac_useropt"
+ ac_useropt_orig=$ac_useropt
+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+ case $ac_user_opts in
+ *"
+"enable_$ac_useropt"
+"*) ;;
+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig"
+ ac_unrecognized_sep=', ';;
+ esac
+ eval enable_$ac_useropt=no ;;
+
+ -docdir | --docdir | --docdi | --doc | --do)
+ ac_prev=docdir ;;
+ -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*)
+ docdir=$ac_optarg ;;
+
+ -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv)
+ ac_prev=dvidir ;;
+ -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*)
+ dvidir=$ac_optarg ;;
+
+ -enable-* | --enable-*)
+ ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+ as_fn_error $? "invalid feature name: $ac_useropt"
+ ac_useropt_orig=$ac_useropt
+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+ case $ac_user_opts in
+ *"
+"enable_$ac_useropt"
+"*) ;;
+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig"
+ ac_unrecognized_sep=', ';;
+ esac
+ eval enable_$ac_useropt=\$ac_optarg ;;
+
+ -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \
+ | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \
+ | --exec | --exe | --ex)
+ ac_prev=exec_prefix ;;
+ -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \
+ | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \
+ | --exec=* | --exe=* | --ex=*)
+ exec_prefix=$ac_optarg ;;
+
+ -gas | --gas | --ga | --g)
+ # Obsolete; use --with-gas.
+ with_gas=yes ;;
+
+ -help | --help | --hel | --he | -h)
+ ac_init_help=long ;;
+ -help=r* | --help=r* | --hel=r* | --he=r* | -hr*)
+ ac_init_help=recursive ;;
+ -help=s* | --help=s* | --hel=s* | --he=s* | -hs*)
+ ac_init_help=short ;;
+
+ -host | --host | --hos | --ho)
+ ac_prev=host_alias ;;
+ -host=* | --host=* | --hos=* | --ho=*)
+ host_alias=$ac_optarg ;;
+
+ -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht)
+ ac_prev=htmldir ;;
+ -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \
+ | --ht=*)
+ htmldir=$ac_optarg ;;
+
+ -includedir | --includedir | --includedi | --included | --include \
+ | --includ | --inclu | --incl | --inc)
+ ac_prev=includedir ;;
+ -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \
+ | --includ=* | --inclu=* | --incl=* | --inc=*)
+ includedir=$ac_optarg ;;
+
+ -infodir | --infodir | --infodi | --infod | --info | --inf)
+ ac_prev=infodir ;;
+ -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*)
+ infodir=$ac_optarg ;;
+
+ -libdir | --libdir | --libdi | --libd)
+ ac_prev=libdir ;;
+ -libdir=* | --libdir=* | --libdi=* | --libd=*)
+ libdir=$ac_optarg ;;
+
+ -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \
+ | --libexe | --libex | --libe)
+ ac_prev=libexecdir ;;
+ -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \
+ | --libexe=* | --libex=* | --libe=*)
+ libexecdir=$ac_optarg ;;
+
+ -localedir | --localedir | --localedi | --localed | --locale)
+ ac_prev=localedir ;;
+ -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*)
+ localedir=$ac_optarg ;;
+
+ -localstatedir | --localstatedir | --localstatedi | --localstated \
+ | --localstate | --localstat | --localsta | --localst | --locals)
+ ac_prev=localstatedir ;;
+ -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \
+ | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*)
+ localstatedir=$ac_optarg ;;
+
+ -mandir | --mandir | --mandi | --mand | --man | --ma | --m)
+ ac_prev=mandir ;;
+ -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*)
+ mandir=$ac_optarg ;;
+
+ -nfp | --nfp | --nf)
+ # Obsolete; use --without-fp.
+ with_fp=no ;;
+
+ -no-create | --no-create | --no-creat | --no-crea | --no-cre \
+ | --no-cr | --no-c | -n)
+ no_create=yes ;;
+
+ -no-recursion | --no-recursion | --no-recursio | --no-recursi \
+ | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r)
+ no_recursion=yes ;;
+
+ -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \
+ | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \
+ | --oldin | --oldi | --old | --ol | --o)
+ ac_prev=oldincludedir ;;
+ -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \
+ | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \
+ | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*)
+ oldincludedir=$ac_optarg ;;
+
+ -prefix | --prefix | --prefi | --pref | --pre | --pr | --p)
+ ac_prev=prefix ;;
+ -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*)
+ prefix=$ac_optarg ;;
+
+ -program-prefix | --program-prefix | --program-prefi | --program-pref \
+ | --program-pre | --program-pr | --program-p)
+ ac_prev=program_prefix ;;
+ -program-prefix=* | --program-prefix=* | --program-prefi=* \
+ | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*)
+ program_prefix=$ac_optarg ;;
+
+ -program-suffix | --program-suffix | --program-suffi | --program-suff \
+ | --program-suf | --program-su | --program-s)
+ ac_prev=program_suffix ;;
+ -program-suffix=* | --program-suffix=* | --program-suffi=* \
+ | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*)
+ program_suffix=$ac_optarg ;;
+
+ -program-transform-name | --program-transform-name \
+ | --program-transform-nam | --program-transform-na \
+ | --program-transform-n | --program-transform- \
+ | --program-transform | --program-transfor \
+ | --program-transfo | --program-transf \
+ | --program-trans | --program-tran \
+ | --progr-tra | --program-tr | --program-t)
+ ac_prev=program_transform_name ;;
+ -program-transform-name=* | --program-transform-name=* \
+ | --program-transform-nam=* | --program-transform-na=* \
+ | --program-transform-n=* | --program-transform-=* \
+ | --program-transform=* | --program-transfor=* \
+ | --program-transfo=* | --program-transf=* \
+ | --program-trans=* | --program-tran=* \
+ | --progr-tra=* | --program-tr=* | --program-t=*)
+ program_transform_name=$ac_optarg ;;
+
+ -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd)
+ ac_prev=pdfdir ;;
+ -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*)
+ pdfdir=$ac_optarg ;;
+
+ -psdir | --psdir | --psdi | --psd | --ps)
+ ac_prev=psdir ;;
+ -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*)
+ psdir=$ac_optarg ;;
+
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil)
+ silent=yes ;;
+
+ -runstatedir | --runstatedir | --runstatedi | --runstated \
+ | --runstate | --runstat | --runsta | --runst | --runs \
+ | --run | --ru | --r)
+ ac_prev=runstatedir ;;
+ -runstatedir=* | --runstatedir=* | --runstatedi=* | --runstated=* \
+ | --runstate=* | --runstat=* | --runsta=* | --runst=* | --runs=* \
+ | --run=* | --ru=* | --r=*)
+ runstatedir=$ac_optarg ;;
+
+ -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb)
+ ac_prev=sbindir ;;
+ -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \
+ | --sbi=* | --sb=*)
+ sbindir=$ac_optarg ;;
+
+ -sharedstatedir | --sharedstatedir | --sharedstatedi \
+ | --sharedstated | --sharedstate | --sharedstat | --sharedsta \
+ | --sharedst | --shareds | --shared | --share | --shar \
+ | --sha | --sh)
+ ac_prev=sharedstatedir ;;
+ -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \
+ | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \
+ | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \
+ | --sha=* | --sh=*)
+ sharedstatedir=$ac_optarg ;;
+
+ -site | --site | --sit)
+ ac_prev=site ;;
+ -site=* | --site=* | --sit=*)
+ site=$ac_optarg ;;
+
+ -srcdir | --srcdir | --srcdi | --srcd | --src | --sr)
+ ac_prev=srcdir ;;
+ -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*)
+ srcdir=$ac_optarg ;;
+
+ -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \
+ | --syscon | --sysco | --sysc | --sys | --sy)
+ ac_prev=sysconfdir ;;
+ -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \
+ | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*)
+ sysconfdir=$ac_optarg ;;
+
+ -target | --target | --targe | --targ | --tar | --ta | --t)
+ ac_prev=target_alias ;;
+ -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*)
+ target_alias=$ac_optarg ;;
+
+ -v | -verbose | --verbose | --verbos | --verbo | --verb)
+ verbose=yes ;;
+
+ -version | --version | --versio | --versi | --vers | -V)
+ ac_init_version=: ;;
+
+ -with-* | --with-*)
+ ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+ as_fn_error $? "invalid package name: $ac_useropt"
+ ac_useropt_orig=$ac_useropt
+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+ case $ac_user_opts in
+ *"
+"with_$ac_useropt"
+"*) ;;
+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig"
+ ac_unrecognized_sep=', ';;
+ esac
+ eval with_$ac_useropt=\$ac_optarg ;;
+
+ -without-* | --without-*)
+ ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'`
+ # Reject names that are not valid shell variable names.
+ expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null &&
+ as_fn_error $? "invalid package name: $ac_useropt"
+ ac_useropt_orig=$ac_useropt
+ ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'`
+ case $ac_user_opts in
+ *"
+"with_$ac_useropt"
+"*) ;;
+ *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig"
+ ac_unrecognized_sep=', ';;
+ esac
+ eval with_$ac_useropt=no ;;
+
+ --x)
+ # Obsolete; use --with-x.
+ with_x=yes ;;
+
+ -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \
+ | --x-incl | --x-inc | --x-in | --x-i)
+ ac_prev=x_includes ;;
+ -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \
+ | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*)
+ x_includes=$ac_optarg ;;
+
+ -x-libraries | --x-libraries | --x-librarie | --x-librari \
+ | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l)
+ ac_prev=x_libraries ;;
+ -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \
+ | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*)
+ x_libraries=$ac_optarg ;;
+
+ -*) as_fn_error $? "unrecognized option: \`$ac_option'
+Try \`$0 --help' for more information"
+ ;;
+
+ *=*)
+ ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='`
+ # Reject names that are not valid shell variable names.
+ case $ac_envvar in #(
+ '' | [0-9]* | *[!_$as_cr_alnum]* )
+ as_fn_error $? "invalid variable name: \`$ac_envvar'" ;;
+ esac
+ eval $ac_envvar=\$ac_optarg
+ export $ac_envvar ;;
+
+ *)
+ # FIXME: should be removed in autoconf 3.0.
+ $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2
+ expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null &&
+ $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2
+ : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}"
+ ;;
+
+ esac
+done
+
+if test -n "$ac_prev"; then
+ ac_option=--`echo $ac_prev | sed 's/_/-/g'`
+ as_fn_error $? "missing argument to $ac_option"
+fi
+
+if test -n "$ac_unrecognized_opts"; then
+ case $enable_option_checking in
+ no) ;;
+ fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;;
+ *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;;
+ esac
+fi
+
+# Check all directory arguments for consistency.
+for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \
+ datadir sysconfdir sharedstatedir localstatedir includedir \
+ oldincludedir docdir infodir htmldir dvidir pdfdir psdir \
+ libdir localedir mandir runstatedir
+do
+ eval ac_val=\$$ac_var
+ # Remove trailing slashes.
+ case $ac_val in
+ */ )
+ ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'`
+ eval $ac_var=\$ac_val;;
+ esac
+ # Be sure to have absolute directory names.
+ case $ac_val in
+ [\\/$]* | ?:[\\/]* ) continue;;
+ NONE | '' ) case $ac_var in *prefix ) continue;; esac;;
+ esac
+ as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val"
+done
+
+# There might be people who depend on the old broken behavior: `$host'
+# used to hold the argument of --host etc.
+# FIXME: To remove some day.
+build=$build_alias
+host=$host_alias
+target=$target_alias
+
+# FIXME: To remove some day.
+if test "x$host_alias" != x; then
+ if test "x$build_alias" = x; then
+ cross_compiling=maybe
+ elif test "x$build_alias" != "x$host_alias"; then
+ cross_compiling=yes
+ fi
+fi
+
+ac_tool_prefix=
+test -n "$host_alias" && ac_tool_prefix=$host_alias-
+
+test "$silent" = yes && exec 6>/dev/null
+
+
+ac_pwd=`pwd` && test -n "$ac_pwd" &&
+ac_ls_di=`ls -di .` &&
+ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` ||
+ as_fn_error $? "working directory cannot be determined"
+test "X$ac_ls_di" = "X$ac_pwd_ls_di" ||
+ as_fn_error $? "pwd does not report name of working directory"
+
+
+# Find the source files, if location was not specified.
+if test -z "$srcdir"; then
+ ac_srcdir_defaulted=yes
+ # Try the directory containing this script, then the parent directory.
+ ac_confdir=`$as_dirname -- "$as_myself" ||
+$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_myself" : 'X\(//\)[^/]' \| \
+ X"$as_myself" : 'X\(//\)$' \| \
+ X"$as_myself" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_myself" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ srcdir=$ac_confdir
+ if test ! -r "$srcdir/$ac_unique_file"; then
+ srcdir=..
+ fi
+else
+ ac_srcdir_defaulted=no
+fi
+if test ! -r "$srcdir/$ac_unique_file"; then
+ test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .."
+ as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir"
+fi
+ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work"
+ac_abs_confdir=`(
+ cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg"
+ pwd)`
+# When building in place, set srcdir=.
+if test "$ac_abs_confdir" = "$ac_pwd"; then
+ srcdir=.
+fi
+# Remove unnecessary trailing slashes from srcdir.
+# Double slashes in file names in object file debugging info
+# mess up M-x gdb in Emacs.
+case $srcdir in
+*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;;
+esac
+for ac_var in $ac_precious_vars; do
+ eval ac_env_${ac_var}_set=\${${ac_var}+set}
+ eval ac_env_${ac_var}_value=\$${ac_var}
+ eval ac_cv_env_${ac_var}_set=\${${ac_var}+set}
+ eval ac_cv_env_${ac_var}_value=\$${ac_var}
+done
+
+#
+# Report the --help message.
+#
+if test "$ac_init_help" = "long"; then
+ # Omit some internal or obsolete options to make the list less imposing.
+ # This message is too long to be a string in the A/UX 3.1 sh.
+ cat <<_ACEOF
+\`configure' configures this package to adapt to many kinds of systems.
+
+Usage: $0 [OPTION]... [VAR=VALUE]...
+
+To assign environment variables (e.g., CC, CFLAGS...), specify them as
+VAR=VALUE. See below for descriptions of some of the useful variables.
+
+Defaults for the options are specified in brackets.
+
+Configuration:
+ -h, --help display this help and exit
+ --help=short display options specific to this package
+ --help=recursive display the short help of all the included packages
+ -V, --version display version information and exit
+ -q, --quiet, --silent do not print \`checking ...' messages
+ --cache-file=FILE cache test results in FILE [disabled]
+ -C, --config-cache alias for \`--cache-file=config.cache'
+ -n, --no-create do not create output files
+ --srcdir=DIR find the sources in DIR [configure dir or \`..']
+
+Installation directories:
+ --prefix=PREFIX install architecture-independent files in PREFIX
+ [$ac_default_prefix]
+ --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
+ [PREFIX]
+
+By default, \`make install' will install all the files in
+\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify
+an installation prefix other than \`$ac_default_prefix' using \`--prefix',
+for instance \`--prefix=\$HOME'.
+
+For better control, use the options below.
+
+Fine tuning of the installation directories:
+ --bindir=DIR user executables [EPREFIX/bin]
+ --sbindir=DIR system admin executables [EPREFIX/sbin]
+ --libexecdir=DIR program executables [EPREFIX/libexec]
+ --sysconfdir=DIR read-only single-machine data [PREFIX/etc]
+ --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
+ --localstatedir=DIR modifiable single-machine data [PREFIX/var]
+ --runstatedir=DIR modifiable per-process data [LOCALSTATEDIR/run]
+ --libdir=DIR object code libraries [EPREFIX/lib]
+ --includedir=DIR C header files [PREFIX/include]
+ --oldincludedir=DIR C header files for non-gcc [/usr/include]
+ --datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
+ --datadir=DIR read-only architecture-independent data [DATAROOTDIR]
+ --infodir=DIR info documentation [DATAROOTDIR/info]
+ --localedir=DIR locale-dependent data [DATAROOTDIR/locale]
+ --mandir=DIR man documentation [DATAROOTDIR/man]
+ --docdir=DIR documentation root [DATAROOTDIR/doc/PACKAGE]
+ --htmldir=DIR html documentation [DOCDIR]
+ --dvidir=DIR dvi documentation [DOCDIR]
+ --pdfdir=DIR pdf documentation [DOCDIR]
+ --psdir=DIR ps documentation [DOCDIR]
+_ACEOF
+
+ cat <<\_ACEOF
+_ACEOF
+fi
+
+if test -n "$ac_init_help"; then
+
+ cat <<\_ACEOF
+
+Optional Packages:
+ --with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
+ --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
+ --without-rlm_mschap build without MS-CHAP and MS-CHAPv2 authentication
+ --with-winbind-include-dir=DIR
+ Directory where the winbind includes may be found
+ --with-winbind-lib-dir=DIR
+ Directory where the winbind libraries may be found
+ --with-winbind-dir=DIR Base directory where winbind is installed
+
+Some influential environment variables:
+ CC C compiler command
+ CFLAGS C compiler flags
+ LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
+ nonstandard directory <lib dir>
+ LIBS libraries to pass to the linker, e.g. -l<library>
+ CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
+ you have headers in a nonstandard directory <include dir>
+ CPP C preprocessor
+
+Use these variables to override the choices made by `configure' or to help
+it to find libraries and programs with nonstandard names/locations.
+
+Report bugs to the package provider.
+_ACEOF
+ac_status=$?
+fi
+
+if test "$ac_init_help" = "recursive"; then
+ # If there are subdirs, report their specific --help.
+ for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue
+ test -d "$ac_dir" ||
+ { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } ||
+ continue
+ ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+ # A ".." for each directory in $ac_dir_suffix.
+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+ esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+ .) # We are building in place.
+ ac_srcdir=.
+ ac_top_srcdir=$ac_top_builddir_sub
+ ac_abs_top_srcdir=$ac_pwd ;;
+ [\\/]* | ?:[\\/]* ) # Absolute name.
+ ac_srcdir=$srcdir$ac_dir_suffix;
+ ac_top_srcdir=$srcdir
+ ac_abs_top_srcdir=$srcdir ;;
+ *) # Relative name.
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_build_prefix$srcdir
+ ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+ cd "$ac_dir" || { ac_status=$?; continue; }
+ # Check for guested configure.
+ if test -f "$ac_srcdir/configure.gnu"; then
+ echo &&
+ $SHELL "$ac_srcdir/configure.gnu" --help=recursive
+ elif test -f "$ac_srcdir/configure"; then
+ echo &&
+ $SHELL "$ac_srcdir/configure" --help=recursive
+ else
+ $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2
+ fi || ac_status=$?
+ cd "$ac_pwd" || { ac_status=$?; break; }
+ done
+fi
+
+test -n "$ac_init_help" && exit $ac_status
+if $ac_init_version; then
+ cat <<\_ACEOF
+configure
+generated by GNU Autoconf 2.69
+
+Copyright (C) 2012 Free Software Foundation, Inc.
+This configure script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it.
+_ACEOF
+ exit
+fi
+
+## ------------------------ ##
+## Autoconf initialization. ##
+## ------------------------ ##
+
+echo
+echo Running tests for rlm_mschap
+echo
+
+
+# ac_fn_c_try_compile LINENO
+# --------------------------
+# Try to compile conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_compile ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ rm -f conftest.$ac_objext
+ if { { ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_compile") 2>conftest.err
+ ac_status=$?
+ if test -s conftest.err; then
+ grep -v '^ *+' conftest.err >conftest.er1
+ cat conftest.er1 >&5
+ mv -f conftest.er1 conftest.err
+ fi
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest.$ac_objext; then :
+ ac_retval=0
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_retval=1
+fi
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+ as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_compile
+
+# ac_fn_c_try_cpp LINENO
+# ----------------------
+# Try to preprocess conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_cpp ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ if { { ac_try="$ac_cpp conftest.$ac_ext"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err
+ ac_status=$?
+ if test -s conftest.err; then
+ grep -v '^ *+' conftest.err >conftest.er1
+ cat conftest.er1 >&5
+ mv -f conftest.er1 conftest.err
+ fi
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; } > conftest.i && {
+ test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ }; then :
+ ac_retval=0
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_retval=1
+fi
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+ as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_cpp
+
+# ac_fn_c_try_link LINENO
+# -----------------------
+# Try to link conftest.$ac_ext, and return whether this succeeded.
+ac_fn_c_try_link ()
+{
+ as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ rm -f conftest.$ac_objext conftest$ac_exeext
+ if { { ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_link") 2>conftest.err
+ ac_status=$?
+ if test -s conftest.err; then
+ grep -v '^ *+' conftest.err >conftest.er1
+ cat conftest.er1 >&5
+ mv -f conftest.er1 conftest.err
+ fi
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; } && {
+ test -z "$ac_c_werror_flag" ||
+ test ! -s conftest.err
+ } && test -s conftest$ac_exeext && {
+ test "$cross_compiling" = yes ||
+ test -x conftest$ac_exeext
+ }; then :
+ ac_retval=0
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+ ac_retval=1
+fi
+ # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information
+ # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would
+ # interfere with the next link command; also delete a directory that is
+ # left behind by Apple's compiler. We do this before executing the actions.
+ rm -rf conftest.dSYM conftest_ipa8_conftest.oo
+ eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno
+ as_fn_set_status $ac_retval
+
+} # ac_fn_c_try_link
+cat >config.log <<_ACEOF
+This file contains any messages produced by compilers while
+running configure, to aid debugging if configure makes a mistake.
+
+It was created by $as_me, which was
+generated by GNU Autoconf 2.69. Invocation command line was
+
+ $ $0 $@
+
+_ACEOF
+exec 5>>config.log
+{
+cat <<_ASUNAME
+## --------- ##
+## Platform. ##
+## --------- ##
+
+hostname = `(hostname || uname -n) 2>/dev/null | sed 1q`
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown`
+
+/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown`
+/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown`
+/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown`
+/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown`
+
+_ASUNAME
+
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ $as_echo "PATH: $as_dir"
+ done
+IFS=$as_save_IFS
+
+} >&5
+
+cat >&5 <<_ACEOF
+
+
+## ----------- ##
+## Core tests. ##
+## ----------- ##
+
+_ACEOF
+
+
+# Keep a trace of the command line.
+# Strip out --no-create and --no-recursion so they do not pile up.
+# Strip out --silent because we don't want to record it for future runs.
+# Also quote any args containing shell meta-characters.
+# Make two passes to allow for proper duplicate-argument suppression.
+ac_configure_args=
+ac_configure_args0=
+ac_configure_args1=
+ac_must_keep_next=false
+for ac_pass in 1 2
+do
+ for ac_arg
+ do
+ case $ac_arg in
+ -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil)
+ continue ;;
+ *\'*)
+ ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;;
+ esac
+ case $ac_pass in
+ 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;;
+ 2)
+ as_fn_append ac_configure_args1 " '$ac_arg'"
+ if test $ac_must_keep_next = true; then
+ ac_must_keep_next=false # Got value, back to normal.
+ else
+ case $ac_arg in
+ *=* | --config-cache | -C | -disable-* | --disable-* \
+ | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \
+ | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \
+ | -with-* | --with-* | -without-* | --without-* | --x)
+ case "$ac_configure_args0 " in
+ "$ac_configure_args1"*" '$ac_arg' "* ) continue ;;
+ esac
+ ;;
+ -* ) ac_must_keep_next=true ;;
+ esac
+ fi
+ as_fn_append ac_configure_args " '$ac_arg'"
+ ;;
+ esac
+ done
+done
+{ ac_configure_args0=; unset ac_configure_args0;}
+{ ac_configure_args1=; unset ac_configure_args1;}
+
+# When interrupted or exit'd, cleanup temporary files, and complete
+# config.log. We remove comments because anyway the quotes in there
+# would cause problems or look ugly.
+# WARNING: Use '\'' to represent an apostrophe within the trap.
+# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug.
+trap 'exit_status=$?
+ # Save into config.log some information that might help in debugging.
+ {
+ echo
+
+ $as_echo "## ---------------- ##
+## Cache variables. ##
+## ---------------- ##"
+ echo
+ # The following way of writing the cache mishandles newlines in values,
+(
+ for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do
+ eval ac_val=\$$ac_var
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
+ *) { eval $ac_var=; unset $ac_var;} ;;
+ esac ;;
+ esac
+ done
+ (set) 2>&1 |
+ case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
+ sed -n \
+ "s/'\''/'\''\\\\'\'''\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p"
+ ;; #(
+ *)
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+ ;;
+ esac |
+ sort
+)
+ echo
+
+ $as_echo "## ----------------- ##
+## Output variables. ##
+## ----------------- ##"
+ echo
+ for ac_var in $ac_subst_vars
+ do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+ $as_echo "$ac_var='\''$ac_val'\''"
+ done | sort
+ echo
+
+ if test -n "$ac_subst_files"; then
+ $as_echo "## ------------------- ##
+## File substitutions. ##
+## ------------------- ##"
+ echo
+ for ac_var in $ac_subst_files
+ do
+ eval ac_val=\$$ac_var
+ case $ac_val in
+ *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;;
+ esac
+ $as_echo "$ac_var='\''$ac_val'\''"
+ done | sort
+ echo
+ fi
+
+ if test -s confdefs.h; then
+ $as_echo "## ----------- ##
+## confdefs.h. ##
+## ----------- ##"
+ echo
+ cat confdefs.h
+ echo
+ fi
+ test "$ac_signal" != 0 &&
+ $as_echo "$as_me: caught signal $ac_signal"
+ $as_echo "$as_me: exit $exit_status"
+ } >&5
+ rm -f core *.core core.conftest.* &&
+ rm -f -r conftest* confdefs* conf$$* $ac_clean_files &&
+ exit $exit_status
+' 0
+for ac_signal in 1 2 13 15; do
+ trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal
+done
+ac_signal=0
+
+# confdefs.h avoids OS command line length limits that DEFS can exceed.
+rm -f -r conftest* confdefs.h
+
+$as_echo "/* confdefs.h */" > confdefs.h
+
+# Predefined preprocessor variables.
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_NAME "$PACKAGE_NAME"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_TARNAME "$PACKAGE_TARNAME"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_VERSION "$PACKAGE_VERSION"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_STRING "$PACKAGE_STRING"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT"
+_ACEOF
+
+cat >>confdefs.h <<_ACEOF
+#define PACKAGE_URL "$PACKAGE_URL"
+_ACEOF
+
+
+# Let the site file select an alternate cache file if it wants to.
+# Prefer an explicitly selected file to automatically selected ones.
+ac_site_file1=NONE
+ac_site_file2=NONE
+if test -n "$CONFIG_SITE"; then
+ # We do not want a PATH search for config.site.
+ case $CONFIG_SITE in #((
+ -*) ac_site_file1=./$CONFIG_SITE;;
+ */*) ac_site_file1=$CONFIG_SITE;;
+ *) ac_site_file1=./$CONFIG_SITE;;
+ esac
+elif test "x$prefix" != xNONE; then
+ ac_site_file1=$prefix/share/config.site
+ ac_site_file2=$prefix/etc/config.site
+else
+ ac_site_file1=$ac_default_prefix/share/config.site
+ ac_site_file2=$ac_default_prefix/etc/config.site
+fi
+for ac_site_file in "$ac_site_file1" "$ac_site_file2"
+do
+ test "x$ac_site_file" = xNONE && continue
+ if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5
+$as_echo "$as_me: loading site script $ac_site_file" >&6;}
+ sed 's/^/| /' "$ac_site_file" >&5
+ . "$ac_site_file" \
+ || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "failed to load site script $ac_site_file
+See \`config.log' for more details" "$LINENO" 5; }
+ fi
+done
+
+if test -r "$cache_file"; then
+ # Some versions of bash will fail to source /dev/null (special files
+ # actually), so we avoid doing that. DJGPP emulates it as a regular file.
+ if test /dev/null != "$cache_file" && test -f "$cache_file"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5
+$as_echo "$as_me: loading cache $cache_file" >&6;}
+ case $cache_file in
+ [\\/]* | ?:[\\/]* ) . "$cache_file";;
+ *) . "./$cache_file";;
+ esac
+ fi
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5
+$as_echo "$as_me: creating cache $cache_file" >&6;}
+ >$cache_file
+fi
+
+# Check that the precious variables saved in the cache have kept the same
+# value.
+ac_cache_corrupted=false
+for ac_var in $ac_precious_vars; do
+ eval ac_old_set=\$ac_cv_env_${ac_var}_set
+ eval ac_new_set=\$ac_env_${ac_var}_set
+ eval ac_old_val=\$ac_cv_env_${ac_var}_value
+ eval ac_new_val=\$ac_env_${ac_var}_value
+ case $ac_old_set,$ac_new_set in
+ set,)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5
+$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,set)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5
+$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;}
+ ac_cache_corrupted=: ;;
+ ,);;
+ *)
+ if test "x$ac_old_val" != "x$ac_new_val"; then
+ # differences in whitespace do not lead to failure.
+ ac_old_val_w=`echo x $ac_old_val`
+ ac_new_val_w=`echo x $ac_new_val`
+ if test "$ac_old_val_w" != "$ac_new_val_w"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5
+$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;}
+ ac_cache_corrupted=:
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5
+$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;}
+ eval $ac_var=\$ac_old_val
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5
+$as_echo "$as_me: former value: \`$ac_old_val'" >&2;}
+ { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5
+$as_echo "$as_me: current value: \`$ac_new_val'" >&2;}
+ fi;;
+ esac
+ # Pass precious variables to config.status.
+ if test "$ac_new_set" = set; then
+ case $ac_new_val in
+ *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;;
+ *) ac_arg=$ac_var=$ac_new_val ;;
+ esac
+ case " $ac_configure_args " in
+ *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy.
+ *) as_fn_append ac_configure_args " '$ac_arg'" ;;
+ esac
+ fi
+done
+if $ac_cache_corrupted; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+ { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5
+$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;}
+ as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5
+fi
+## -------------------- ##
+## Main body of script. ##
+## -------------------- ##
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+
+
+
+
+
+
+# Check whether --with-rlm_mschap was given.
+if test "${with_rlm_mschap+set}" = set; then :
+ withval=$with_rlm_mschap;
+fi
+
+
+
+
+fail=
+fr_status=
+fr_features=
+: > "config.report"
+: > "config.report.tmp"
+
+
+
+if test x"$with_rlm_mschap" != xno; then
+
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}gcc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="${ac_tool_prefix}gcc"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$ac_cv_prog_CC"; then
+ ac_ct_CC=$CC
+ # Extract the first word of "gcc", so it can be a program name with args.
+set dummy gcc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_CC="gcc"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+else
+ CC="$ac_cv_prog_CC"
+fi
+
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args.
+set dummy ${ac_tool_prefix}cc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="${ac_tool_prefix}cc"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ fi
+fi
+if test -z "$CC"; then
+ # Extract the first word of "cc", so it can be a program name with args.
+set dummy cc; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+ ac_prog_rejected=no
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then
+ ac_prog_rejected=yes
+ continue
+ fi
+ ac_cv_prog_CC="cc"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+if test $ac_prog_rejected = yes; then
+ # We found a bogon in the path, so make sure we never use it.
+ set dummy $ac_cv_prog_CC
+ shift
+ if test $# != 0; then
+ # We chose a different compiler from the bogus one.
+ # However, it has the same basename, so the bogon will be chosen
+ # first if we set CC to just the basename; use the full file name.
+ shift
+ ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@"
+ fi
+fi
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+fi
+if test -z "$CC"; then
+ if test -n "$ac_tool_prefix"; then
+ for ac_prog in cl.exe
+ do
+ # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args.
+set dummy $ac_tool_prefix$ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_CC+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$CC"; then
+ ac_cv_prog_CC="$CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_CC="$ac_tool_prefix$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+CC=$ac_cv_prog_CC
+if test -n "$CC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5
+$as_echo "$CC" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$CC" && break
+ done
+fi
+if test -z "$CC"; then
+ ac_ct_CC=$CC
+ for ac_prog in cl.exe
+do
+ # Extract the first word of "$ac_prog", so it can be a program name with args.
+set dummy $ac_prog; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_prog_ac_ct_CC+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ if test -n "$ac_ct_CC"; then
+ ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test.
+else
+as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then
+ ac_cv_prog_ac_ct_CC="$ac_prog"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
+done
+ done
+IFS=$as_save_IFS
+
+fi
+fi
+ac_ct_CC=$ac_cv_prog_ac_ct_CC
+if test -n "$ac_ct_CC"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5
+$as_echo "$ac_ct_CC" >&6; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+
+
+ test -n "$ac_ct_CC" && break
+done
+
+ if test "x$ac_ct_CC" = x; then
+ CC=""
+ else
+ case $cross_compiling:$ac_tool_warned in
+yes:)
+{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5
+$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;}
+ac_tool_warned=yes ;;
+esac
+ CC=$ac_ct_CC
+ fi
+fi
+
+fi
+
+
+test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "no acceptable C compiler found in \$PATH
+See \`config.log' for more details" "$LINENO" 5; }
+
+# Provide some information about the compiler.
+$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5
+set X $ac_compile
+ac_compiler=$2
+for ac_option in --version -v -V -qversion; do
+ { { ac_try="$ac_compiler $ac_option >&5"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_compiler $ac_option >&5") 2>conftest.err
+ ac_status=$?
+ if test -s conftest.err; then
+ sed '10a\
+... rest of stderr output deleted ...
+ 10q' conftest.err >conftest.er1
+ cat conftest.er1 >&5
+ fi
+ rm -f conftest.er1 conftest.err
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+done
+
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out"
+# Try to create an executable without -o first, disregard a.out.
+# It will help us diagnose broken compilers, and finding out an intuition
+# of exeext.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5
+$as_echo_n "checking whether the C compiler works... " >&6; }
+ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'`
+
+# The possible output files:
+ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*"
+
+ac_rmfiles=
+for ac_file in $ac_files
+do
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+ * ) ac_rmfiles="$ac_rmfiles $ac_file";;
+ esac
+done
+rm -f $ac_rmfiles
+
+if { { ac_try="$ac_link_default"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_link_default") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then :
+ # Autoconf-2.13 could set the ac_cv_exeext variable to `no'.
+# So ignore a value of `no', otherwise this would lead to `EXEEXT = no'
+# in a Makefile. We should not override ac_cv_exeext if it was cached,
+# so that the user can short-circuit this test for compilers unknown to
+# Autoconf.
+for ac_file in $ac_files ''
+do
+ test -f "$ac_file" || continue
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj )
+ ;;
+ [ab].out )
+ # We found the default executable, but exeext='' is most
+ # certainly right.
+ break;;
+ *.* )
+ if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no;
+ then :; else
+ ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ fi
+ # We set ac_cv_exeext here because the later test for it is not
+ # safe: cross compilers may not add the suffix if given an `-o'
+ # argument, so we may need to know it at that point already.
+ # Even if this section looks crufty: it has the advantage of
+ # actually working.
+ break;;
+ * )
+ break;;
+ esac
+done
+test "$ac_cv_exeext" = no && ac_cv_exeext=
+
+else
+ ac_file=''
+fi
+if test -z "$ac_file"; then :
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+$as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error 77 "C compiler cannot create executables
+See \`config.log' for more details" "$LINENO" 5; }
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5
+$as_echo_n "checking for C compiler default output file name... " >&6; }
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5
+$as_echo "$ac_file" >&6; }
+ac_exeext=$ac_cv_exeext
+
+rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out
+ac_clean_files=$ac_clean_files_save
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5
+$as_echo_n "checking for suffix of executables... " >&6; }
+if { { ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_link") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then :
+ # If both `conftest.exe' and `conftest' are `present' (well, observable)
+# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will
+# work properly (i.e., refer to `conftest.exe'), while it won't with
+# `rm'.
+for ac_file in conftest.exe conftest conftest.*; do
+ test -f "$ac_file" || continue
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;;
+ *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'`
+ break;;
+ * ) break;;
+ esac
+done
+else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot compute suffix of executables: cannot compile and link
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f conftest conftest$ac_cv_exeext
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5
+$as_echo "$ac_cv_exeext" >&6; }
+
+rm -f conftest.$ac_ext
+EXEEXT=$ac_cv_exeext
+ac_exeext=$EXEEXT
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdio.h>
+int
+main ()
+{
+FILE *f = fopen ("conftest.out", "w");
+ return ferror (f) || fclose (f) != 0;
+
+ ;
+ return 0;
+}
+_ACEOF
+ac_clean_files="$ac_clean_files conftest.out"
+# Check that the compiler produces executables we can run. If not, either
+# the compiler is broken, or we cross compile.
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5
+$as_echo_n "checking whether we are cross compiling... " >&6; }
+if test "$cross_compiling" != yes; then
+ { { ac_try="$ac_link"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_link") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }
+ if { ac_try='./conftest$ac_cv_exeext'
+ { { case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_try") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; }; then
+ cross_compiling=no
+ else
+ if test "$cross_compiling" = maybe; then
+ cross_compiling=yes
+ else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot run C compiled programs.
+If you meant to cross compile, use \`--host'.
+See \`config.log' for more details" "$LINENO" 5; }
+ fi
+ fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5
+$as_echo "$cross_compiling" >&6; }
+
+rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out
+ac_clean_files=$ac_clean_files_save
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5
+$as_echo_n "checking for suffix of object files... " >&6; }
+if ${ac_cv_objext+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+rm -f conftest.o conftest.obj
+if { { ac_try="$ac_compile"
+case "(($ac_try" in
+ *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;;
+ *) ac_try_echo=$ac_try;;
+esac
+eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\""
+$as_echo "$ac_try_echo"; } >&5
+ (eval "$ac_compile") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then :
+ for ac_file in conftest.o conftest.obj conftest.*; do
+ test -f "$ac_file" || continue;
+ case $ac_file in
+ *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;;
+ *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'`
+ break;;
+ esac
+done
+else
+ $as_echo "$as_me: failed program was:" >&5
+sed 's/^/| /' conftest.$ac_ext >&5
+
+{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "cannot compute suffix of object files: cannot compile
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+rm -f conftest.$ac_cv_objext conftest.$ac_ext
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5
+$as_echo "$ac_cv_objext" >&6; }
+OBJEXT=$ac_cv_objext
+ac_objext=$OBJEXT
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5
+$as_echo_n "checking whether we are using the GNU C compiler... " >&6; }
+if ${ac_cv_c_compiler_gnu+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+#ifndef __GNUC__
+ choke me
+#endif
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_compiler_gnu=yes
+else
+ ac_compiler_gnu=no
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ac_cv_c_compiler_gnu=$ac_compiler_gnu
+
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5
+$as_echo "$ac_cv_c_compiler_gnu" >&6; }
+if test $ac_compiler_gnu = yes; then
+ GCC=yes
+else
+ GCC=
+fi
+ac_test_CFLAGS=${CFLAGS+set}
+ac_save_CFLAGS=$CFLAGS
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5
+$as_echo_n "checking whether $CC accepts -g... " >&6; }
+if ${ac_cv_prog_cc_g+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_save_c_werror_flag=$ac_c_werror_flag
+ ac_c_werror_flag=yes
+ ac_cv_prog_cc_g=no
+ CFLAGS="-g"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_prog_cc_g=yes
+else
+ CFLAGS=""
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+else
+ ac_c_werror_flag=$ac_save_c_werror_flag
+ CFLAGS="-g"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+int
+main ()
+{
+
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_prog_cc_g=yes
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ ac_c_werror_flag=$ac_save_c_werror_flag
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5
+$as_echo "$ac_cv_prog_cc_g" >&6; }
+if test "$ac_test_CFLAGS" = set; then
+ CFLAGS=$ac_save_CFLAGS
+elif test $ac_cv_prog_cc_g = yes; then
+ if test "$GCC" = yes; then
+ CFLAGS="-g -O2"
+ else
+ CFLAGS="-g"
+ fi
+else
+ if test "$GCC" = yes; then
+ CFLAGS="-O2"
+ else
+ CFLAGS=
+ fi
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5
+$as_echo_n "checking for $CC option to accept ISO C89... " >&6; }
+if ${ac_cv_prog_cc_c89+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ ac_cv_prog_cc_c89=no
+ac_save_CC=$CC
+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdarg.h>
+#include <stdio.h>
+struct stat;
+/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */
+struct buf { int x; };
+FILE * (*rcsopen) (struct buf *, struct stat *, int);
+static char *e (p, i)
+ char **p;
+ int i;
+{
+ return p[i];
+}
+static char *f (char * (*g) (char **, int), char **p, ...)
+{
+ char *s;
+ va_list v;
+ va_start (v,p);
+ s = g (p, va_arg (v,int));
+ va_end (v);
+ return s;
+}
+
+/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has
+ function prototypes and stuff, but not '\xHH' hex character constants.
+ These don't provoke an error unfortunately, instead are silently treated
+ as 'x'. The following induces an error, until -std is added to get
+ proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an
+ array size at least. It's necessary to write '\x00'==0 to get something
+ that's true only with -std. */
+int osf4_cc_array ['\x00' == 0 ? 1 : -1];
+
+/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters
+ inside strings and character constants. */
+#define FOO(x) 'x'
+int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1];
+
+int test (int i, double x);
+struct s1 {int (*f) (int a);};
+struct s2 {int (*f) (double a);};
+int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int);
+int argc;
+char **argv;
+int
+main ()
+{
+return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1];
+ ;
+ return 0;
+}
+_ACEOF
+for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \
+ -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__"
+do
+ CC="$ac_save_CC $ac_arg"
+ if ac_fn_c_try_compile "$LINENO"; then :
+ ac_cv_prog_cc_c89=$ac_arg
+fi
+rm -f core conftest.err conftest.$ac_objext
+ test "x$ac_cv_prog_cc_c89" != "xno" && break
+done
+rm -f conftest.$ac_ext
+CC=$ac_save_CC
+
+fi
+# AC_CACHE_VAL
+case "x$ac_cv_prog_cc_c89" in
+ x)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5
+$as_echo "none needed" >&6; } ;;
+ xno)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5
+$as_echo "unsupported" >&6; } ;;
+ *)
+ CC="$CC $ac_cv_prog_cc_c89"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5
+$as_echo "$ac_cv_prog_cc_c89" >&6; } ;;
+esac
+if test "x$ac_cv_prog_cc_c89" != xno; then :
+
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5
+$as_echo_n "checking how to run the C preprocessor... " >&6; }
+# On Suns, sometimes $CPP names a directory.
+if test -n "$CPP" && test -d "$CPP"; then
+ CPP=
+fi
+if test -z "$CPP"; then
+ if ${ac_cv_prog_CPP+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ # Double quotes because CPP needs to be expanded
+ for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp"
+ do
+ ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+
+else
+ # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether nonexistent headers
+ # can be detected and how.
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+ # Broken: success on invalid input.
+continue
+else
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.i conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then :
+ break
+fi
+
+ done
+ ac_cv_prog_CPP=$CPP
+
+fi
+ CPP=$ac_cv_prog_CPP
+else
+ ac_cv_prog_CPP=$CPP
+fi
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5
+$as_echo "$CPP" >&6; }
+ac_preproc_ok=false
+for ac_c_preproc_warn_flag in '' yes
+do
+ # Use a header file that comes with gcc, so configuring glibc
+ # with a fresh cross-compiler works.
+ # Prefer <limits.h> to <assert.h> if __STDC__ is defined, since
+ # <limits.h> exists even on freestanding compilers.
+ # On the NeXT, cc -E runs the code through the compiler's parser,
+ # not just through cpp. "Syntax error" is here to catch this case.
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#ifdef __STDC__
+# include <limits.h>
+#else
+# include <assert.h>
+#endif
+ Syntax error
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+
+else
+ # Broken: fails on valid input.
+continue
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+ # OK, works on sane cases. Now check whether nonexistent headers
+ # can be detected and how.
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <ac_nonexistent.h>
+_ACEOF
+if ac_fn_c_try_cpp "$LINENO"; then :
+ # Broken: success on invalid input.
+continue
+else
+ # Passes both tests.
+ac_preproc_ok=:
+break
+fi
+rm -f conftest.err conftest.i conftest.$ac_ext
+
+done
+# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped.
+rm -f conftest.i conftest.err conftest.$ac_ext
+if $ac_preproc_ok; then :
+
+else
+ { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5
+$as_echo "$as_me: error: in \`$ac_pwd':" >&2;}
+as_fn_error $? "C preprocessor \"$CPP\" fails sanity check
+See \`config.log' for more details" "$LINENO" 5; }
+fi
+
+ac_ext=c
+ac_cpp='$CPP $CPPFLAGS'
+ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5'
+ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5'
+ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+
+
+winbind_include_dir=
+
+# Check whether --with-winbind-include-dir was given.
+if test "${with_winbind_include_dir+set}" = set; then :
+ withval=$with_winbind_include_dir; case "$withval" in
+ no)
+ as_fn_error $? "Need winbind-include-dir" "$LINENO" 5
+ ;;
+ yes)
+ ;;
+ *)
+ winbind_include_dir="$withval"
+ ;;
+ esac
+fi
+
+
+winbind_lib_dir=
+
+# Check whether --with-winbind-lib-dir was given.
+if test "${with_winbind_lib_dir+set}" = set; then :
+ withval=$with_winbind_lib_dir; case "$withval" in
+ no)
+ as_fn_error $? "Need winbind-lib-dir" "$LINENO" 5
+ ;;
+ yes)
+ ;;
+ *)
+ winbind_lib_dir="$withval"
+ ;;
+ esac
+fi
+
+
+
+# Check whether --with-winbind-dir was given.
+if test "${with_winbind_dir+set}" = set; then :
+ withval=$with_winbind_dir; case "$withval" in
+ no)
+ as_fn_error $? "Need winbind-dir" "$LINENO" 5
+ ;;
+ yes)
+ ;;
+ *)
+ winbind_lib_dir="$withval/lib"
+ winbind_include_dir="$withval/include"
+ ;;
+ esac
+fi
+
+
+
+
+mschap_sources=
+
+
+
+ac_safe=`echo "membership.h" | sed 'y%./+-%__pm%'`
+old_CPPFLAGS="$CPPFLAGS"
+smart_include=
+smart_include_dir="/usr/local/include /opt/include"
+
+_smart_try_dir=
+_smart_include_dir=
+
+for _prefix in $smart_prefix ""; do
+ for _dir in $smart_try_dir; do
+ _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}"
+ done
+
+ for _dir in $smart_include_dir; do
+ _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}"
+ done
+done
+
+if test "x$_smart_try_dir" != "x"; then
+ for try in $_smart_try_dir; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for membership.h in $try" >&5
+$as_echo_n "checking for membership.h in $try... " >&6; }
+ CPPFLAGS="-isystem $try $old_CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <membership.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem $try"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+ CPPFLAGS="$old_CPPFLAGS"
+fi
+
+if test "x$smart_include" = "x"; then
+ for _prefix in $smart_prefix; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/membership.h" >&5
+$as_echo_n "checking for ${_prefix}/membership.h... " >&6; }
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <membership.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem ${_prefix}/"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+fi
+
+if test "x$smart_include" = "x"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for membership.h" >&5
+$as_echo_n "checking for membership.h... " >&6; }
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <membership.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include=" "
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+if test "x$smart_include" = "x"; then
+
+ for try in $_smart_include_dir; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for membership.h in $try" >&5
+$as_echo_n "checking for membership.h in $try... " >&6; }
+ CPPFLAGS="-isystem $try $old_CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+
+ #include <membership.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem $try"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+ CPPFLAGS="$old_CPPFLAGS"
+fi
+
+if test "x$smart_include" != "x"; then
+ eval "ac_cv_header_$ac_safe=yes"
+ CPPFLAGS="$smart_include $old_CPPFLAGS"
+ SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS"
+fi
+
+smart_prefix=
+
+if test "x$ac_cv_header_membership_h" = "xyes"; then
+
+$as_echo "#define HAVE_MEMBERSHIP_H 1" >>confdefs.h
+
+ mschap_sources="$mschap_sources opendir.c"
+ mod_ldflags="-F /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks -framework DirectoryService"
+
+if echo "$fr_features" | grep -q "+opendirectory+"; then :
+else :
+ fr_report_prefix=""
+ if test x"$fr_features" != x""; then
+ fr_report_prefix=" "
+ fi
+ $as_echo "$fr_report_prefix""with opendirectory support" >> config.report.tmp
+ fr_features="$fr_features +opendirectory+"
+fi
+
+else
+
+if echo "$fr_features" | grep -q "+opendirectory+"; then :
+else :
+ fr_report_prefix=""
+ if test x"$fr_features" != x""; then
+ fr_report_prefix=" "
+ fi
+ $as_echo "$fr_report_prefix""without opendirectory support" >> config.report.tmp
+ fr_features="$fr_features +opendirectory+"
+fi
+
+fi
+
+smart_try_dir="$winbind_include_dir /usr/include/samba-4.0"
+
+
+ac_safe=`echo "wbclient.h" | sed 'y%./+-%__pm%'`
+old_CPPFLAGS="$CPPFLAGS"
+smart_include=
+smart_include_dir="/usr/local/include /opt/include"
+
+_smart_try_dir=
+_smart_include_dir=
+
+for _prefix in $smart_prefix ""; do
+ for _dir in $smart_try_dir; do
+ _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}"
+ done
+
+ for _dir in $smart_include_dir; do
+ _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}"
+ done
+done
+
+if test "x$_smart_try_dir" != "x"; then
+ for try in $_smart_try_dir; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbclient.h in $try" >&5
+$as_echo_n "checking for wbclient.h in $try... " >&6; }
+ CPPFLAGS="-isystem $try $old_CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdint.h>
+ #include <stdbool.h>
+ #include <wbclient.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem $try"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+ CPPFLAGS="$old_CPPFLAGS"
+fi
+
+if test "x$smart_include" = "x"; then
+ for _prefix in $smart_prefix; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/wbclient.h" >&5
+$as_echo_n "checking for ${_prefix}/wbclient.h... " >&6; }
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdint.h>
+ #include <stdbool.h>
+ #include <wbclient.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem ${_prefix}/"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+fi
+
+if test "x$smart_include" = "x"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbclient.h" >&5
+$as_echo_n "checking for wbclient.h... " >&6; }
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdint.h>
+ #include <stdbool.h>
+ #include <wbclient.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include=" "
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+if test "x$smart_include" = "x"; then
+
+ for try in $_smart_include_dir; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbclient.h in $try" >&5
+$as_echo_n "checking for wbclient.h in $try... " >&6; }
+ CPPFLAGS="-isystem $try $old_CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdint.h>
+ #include <stdbool.h>
+ #include <wbclient.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem $try"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+ CPPFLAGS="$old_CPPFLAGS"
+fi
+
+if test "x$smart_include" != "x"; then
+ eval "ac_cv_header_$ac_safe=yes"
+ CPPFLAGS="$smart_include $old_CPPFLAGS"
+ SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS"
+fi
+
+smart_prefix=
+
+if test "x$ac_cv_header_wbclient_h" != "xyes"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: wbclient.h not found. Use --with-winbind-include-dir=<path>." >&5
+$as_echo "$as_me: WARNING: wbclient.h not found. Use --with-winbind-include-dir=<path>." >&2;}
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient" >&5
+$as_echo "$as_me: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient" >&2;}
+
+if echo "$fr_features" | grep -q "+wbclient+"; then :
+else :
+ fr_report_prefix=""
+ if test x"$fr_features" != x""; then
+ fr_report_prefix=" "
+ fi
+ $as_echo "$fr_report_prefix""without direct winbind support" >> config.report.tmp
+ fr_features="$fr_features +wbclient+"
+fi
+
+fi
+
+
+
+ac_safe=`echo "core/ntstatus.h" | sed 'y%./+-%__pm%'`
+old_CPPFLAGS="$CPPFLAGS"
+smart_include=
+smart_include_dir="/usr/local/include /opt/include"
+
+_smart_try_dir=
+_smart_include_dir=
+
+for _prefix in $smart_prefix ""; do
+ for _dir in $smart_try_dir; do
+ _smart_try_dir="${_smart_try_dir} ${_dir}/${_prefix}"
+ done
+
+ for _dir in $smart_include_dir; do
+ _smart_include_dir="${_smart_include_dir} ${_dir}/${_prefix}"
+ done
+done
+
+if test "x$_smart_try_dir" != "x"; then
+ for try in $_smart_try_dir; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for core/ntstatus.h in $try" >&5
+$as_echo_n "checking for core/ntstatus.h in $try... " >&6; }
+ CPPFLAGS="-isystem $try $old_CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdint.h>
+ #include <stdbool.h>
+ #include <core/ntstatus.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem $try"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+ CPPFLAGS="$old_CPPFLAGS"
+fi
+
+if test "x$smart_include" = "x"; then
+ for _prefix in $smart_prefix; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ${_prefix}/core/ntstatus.h" >&5
+$as_echo_n "checking for ${_prefix}/core/ntstatus.h... " >&6; }
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdint.h>
+ #include <stdbool.h>
+ #include <core/ntstatus.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem ${_prefix}/"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+fi
+
+if test "x$smart_include" = "x"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for core/ntstatus.h" >&5
+$as_echo_n "checking for core/ntstatus.h... " >&6; }
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdint.h>
+ #include <stdbool.h>
+ #include <core/ntstatus.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include=" "
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+fi
+
+if test "x$smart_include" = "x"; then
+
+ for try in $_smart_include_dir; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for core/ntstatus.h in $try" >&5
+$as_echo_n "checking for core/ntstatus.h in $try... " >&6; }
+ CPPFLAGS="-isystem $try $old_CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+#include <stdint.h>
+ #include <stdbool.h>
+ #include <core/ntstatus.h>
+int
+main ()
+{
+int a = 1;
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"; then :
+
+ smart_include="-isystem $try"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+
+ smart_include=
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+ done
+ CPPFLAGS="$old_CPPFLAGS"
+fi
+
+if test "x$smart_include" != "x"; then
+ eval "ac_cv_header_$ac_safe=yes"
+ CPPFLAGS="$smart_include $old_CPPFLAGS"
+ SMART_CPPFLAGS="$smart_include $SMART_CPPFLAGS"
+fi
+
+smart_prefix=
+
+if test "x$ac_cv_header_core_ntstatus_h" != "xyes"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: core/ntstatus.h not found. Use --with-winbind-include-dir=<path>." >&5
+$as_echo "$as_me: WARNING: core/ntstatus.h not found. Use --with-winbind-include-dir=<path>." >&2;}
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient" >&5
+$as_echo "$as_me: WARNING: silently building without support for direct authentication via winbind. requires: libwbclient" >&2;}
+
+if echo "$fr_features" | grep -q "+wbclient+"; then :
+else :
+ fr_report_prefix=""
+ if test x"$fr_features" != x""; then
+ fr_report_prefix=" "
+ fi
+ $as_echo "$fr_report_prefix""without direct winbind support" >> config.report.tmp
+ fr_features="$fr_features +wbclient+"
+fi
+
+fi
+
+
+if test "x$ac_cv_header_wbclient_h" = "xyes" && \
+ test "x$ac_cv_header_core_ntstatus_h" = "xyes"; then
+
+ smart_try_dir="$winbind_lib_dir"
+
+
+sm_lib_safe=`echo "wbclient" | sed 'y%./+-%__p_%'`
+sm_func_safe=`echo "wbcCtxAuthenticateUserEx" | sed 'y%./+-%__p_%'`
+
+old_LIBS="$LIBS"
+old_CPPFLAGS="$CPPFLAGS"
+smart_lib=
+smart_ldflags=
+smart_lib_dir=
+
+if test "x$smart_try_dir" != "x"; then
+ for try in $smart_try_dir; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbcCtxAuthenticateUserEx in -lwbclient in $try" >&5
+$as_echo_n "checking for wbcCtxAuthenticateUserEx in -lwbclient in $try... " >&6; }
+ LIBS="-lwbclient $old_LIBS"
+ CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+extern char wbcCtxAuthenticateUserEx();
+int
+main ()
+{
+wbcCtxAuthenticateUserEx()
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+ smart_lib="-lwbclient"
+ smart_ldflags="-L$try -Wl,-rpath,$try"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ done
+ LIBS="$old_LIBS"
+ CPPFLAGS="$old_CPPFLAGS"
+fi
+
+if test "x$smart_lib" = "x"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbcCtxAuthenticateUserEx in -lwbclient" >&5
+$as_echo_n "checking for wbcCtxAuthenticateUserEx in -lwbclient... " >&6; }
+ LIBS="-lwbclient $old_LIBS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+extern char wbcCtxAuthenticateUserEx();
+int
+main ()
+{
+wbcCtxAuthenticateUserEx()
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+ smart_lib="-lwbclient"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ LIBS="$old_LIBS"
+fi
+
+if test "x$smart_lib" = "x"; then
+ for try in /usr/local/lib /opt/lib; do
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for wbcCtxAuthenticateUserEx in -lwbclient in $try" >&5
+$as_echo_n "checking for wbcCtxAuthenticateUserEx in -lwbclient in $try... " >&6; }
+ LIBS="-lwbclient $old_LIBS"
+ CPPFLAGS="-L$try -Wl,-rpath,$try $old_CPPFLAGS"
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h. */
+extern char wbcCtxAuthenticateUserEx();
+int
+main ()
+{
+wbcCtxAuthenticateUserEx()
+ ;
+ return 0;
+}
+_ACEOF
+if ac_fn_c_try_link "$LINENO"; then :
+
+ smart_lib="-lwbclient"
+ smart_ldflags="-L$try -Wl,-rpath,$try"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+$as_echo "yes" >&6; }
+ break
+
+else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
+fi
+rm -f core conftest.err conftest.$ac_objext \
+ conftest$ac_exeext conftest.$ac_ext
+ done
+ LIBS="$old_LIBS"
+ CPPFLAGS="$old_CPPFLAGS"
+fi
+
+if test "x$smart_lib" != "x"; then
+ eval "ac_cv_lib_${sm_lib_safe}_${sm_func_safe}=yes"
+ LIBS="$smart_ldflags $smart_lib $old_LIBS"
+ SMART_LIBS="$smart_ldflags $smart_lib $SMART_LIBS"
+fi
+
+ if test "x$ac_cv_lib_wbclient_wbcCtxAuthenticateUserEx" != "xyes"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: winbind libraries not found. Use --with-winbind-lib-dir=<path>." >&5
+$as_echo "$as_me: WARNING: winbind libraries not found. Use --with-winbind-lib-dir=<path>." >&2;}
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Samba must be version 4.2.1 or higher to use this feature." >&5
+$as_echo "$as_me: WARNING: Samba must be version 4.2.1 or higher to use this feature." >&2;}
+
+if echo "$fr_features" | grep -q "+wbclient+"; then :
+else :
+ fr_report_prefix=""
+ if test x"$fr_features" != x""; then
+ fr_report_prefix=" "
+ fi
+ $as_echo "$fr_report_prefix""without direct winbind support" >> config.report.tmp
+ fr_features="$fr_features +wbclient+"
+fi
+
+ else
+ mschap_sources="$mschap_sources auth_wbclient.c"
+
+$as_echo "#define WITH_AUTH_WINBIND 1" >>confdefs.h
+
+
+if echo "$fr_features" | grep -q "+wbclient+"; then :
+else :
+ fr_report_prefix=""
+ if test x"$fr_features" != x""; then
+ fr_report_prefix=" "
+ fi
+ $as_echo "$fr_report_prefix""with direct winbind support" >> config.report.tmp
+ fr_features="$fr_features +wbclient+"
+fi
+
+ fi
+fi
+
+
+ targetname=rlm_mschap
+else
+ targetname=
+ echo \*\*\* module rlm_mschap is disabled.
+
+
+fr_status="disabled"
+
+fi
+
+if test x"$fail" != x""; then
+ targetname=""
+
+
+ if test x"${enable_strict_dependencies}" = x"yes"; then
+ as_fn_error $? "set --without-rlm_mschap to disable it explicitly." "$LINENO" 5
+ else
+
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: silently not building rlm_mschap." >&5
+$as_echo "$as_me: WARNING: silently not building rlm_mschap." >&2;}
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: FAILURE: rlm_mschap requires: $fail." >&5
+$as_echo "$as_me: WARNING: FAILURE: rlm_mschap requires: $fail." >&2;};
+ fail="$(echo $fail)"
+
+
+fr_status="skipping (requires $fail)"
+
+ fr_features=
+
+ fi
+
+else
+
+
+fr_status="OK"
+
+fi
+
+if test x"$fr_features" = x""; then
+ $as_echo "$fr_status" > "config.report"
+else
+ $as_echo_n "$fr_status ... " > "config.report"
+ cat "config.report.tmp" >> "config.report"
+fi
+
+rm "config.report.tmp"
+
+
+
+
+mod_ldflags="$mod_ldflags $SMART_LIBS"
+mod_cflags="$SMART_CPPFLAGS"
+
+
+
+
+
+ac_config_headers="$ac_config_headers config.h"
+
+ac_config_files="$ac_config_files rlm_mschap.mk"
+
+cat >confcache <<\_ACEOF
+# This file is a shell script that caches the results of configure
+# tests run on this system so they can be shared between configure
+# scripts and configure runs, see configure's option --config-cache.
+# It is not useful on other systems. If it contains results you don't
+# want to keep, you may remove or edit it.
+#
+# config.status only pays attention to the cache file if you give it
+# the --recheck option to rerun configure.
+#
+# `ac_cv_env_foo' variables (set or unset) will be overridden when
+# loading this file, other *unset* `ac_cv_foo' will be assigned the
+# following values.
+
+_ACEOF
+
+# The following way of writing the cache mishandles newlines in values,
+# but we know of no workaround that is simple, portable, and efficient.
+# So, we kill variables containing newlines.
+# Ultrix sh set writes to stderr and can't be redirected directly,
+# and sets the high bit in the cache file unless we assign to the vars.
+(
+ for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do
+ eval ac_val=\$$ac_var
+ case $ac_val in #(
+ *${as_nl}*)
+ case $ac_var in #(
+ *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5
+$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;;
+ esac
+ case $ac_var in #(
+ _ | IFS | as_nl) ;; #(
+ BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #(
+ *) { eval $ac_var=; unset $ac_var;} ;;
+ esac ;;
+ esac
+ done
+
+ (set) 2>&1 |
+ case $as_nl`(ac_space=' '; set) 2>&1` in #(
+ *${as_nl}ac_space=\ *)
+ # `set' does not quote correctly, so add quotes: double-quote
+ # substitution turns \\\\ into \\, and sed turns \\ into \.
+ sed -n \
+ "s/'/'\\\\''/g;
+ s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p"
+ ;; #(
+ *)
+ # `set' quotes correctly as required by POSIX, so do not add quotes.
+ sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p"
+ ;;
+ esac |
+ sort
+) |
+ sed '
+ /^ac_cv_env_/b end
+ t clear
+ :clear
+ s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/
+ t end
+ s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/
+ :end' >>confcache
+if diff "$cache_file" confcache >/dev/null 2>&1; then :; else
+ if test -w "$cache_file"; then
+ if test "x$cache_file" != "x/dev/null"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5
+$as_echo "$as_me: updating cache $cache_file" >&6;}
+ if test ! -f "$cache_file" || test -h "$cache_file"; then
+ cat confcache >"$cache_file"
+ else
+ case $cache_file in #(
+ */* | ?:*)
+ mv -f confcache "$cache_file"$$ &&
+ mv -f "$cache_file"$$ "$cache_file" ;; #(
+ *)
+ mv -f confcache "$cache_file" ;;
+ esac
+ fi
+ fi
+ else
+ { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5
+$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;}
+ fi
+fi
+rm -f confcache
+
+test "x$prefix" = xNONE && prefix=$ac_default_prefix
+# Let make expand exec_prefix.
+test "x$exec_prefix" = xNONE && exec_prefix='${prefix}'
+
+DEFS=-DHAVE_CONFIG_H
+
+ac_libobjs=
+ac_ltlibobjs=
+U=
+for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue
+ # 1. Remove the extension, and $U if already installed.
+ ac_script='s/\$U\././;s/\.o$//;s/\.obj$//'
+ ac_i=`$as_echo "$ac_i" | sed "$ac_script"`
+ # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR
+ # will be set to the directory where LIBOBJS objects are built.
+ as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext"
+ as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo'
+done
+LIBOBJS=$ac_libobjs
+
+LTLIBOBJS=$ac_ltlibobjs
+
+
+
+: "${CONFIG_STATUS=./config.status}"
+ac_write_fail=0
+ac_clean_files_save=$ac_clean_files
+ac_clean_files="$ac_clean_files $CONFIG_STATUS"
+{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5
+$as_echo "$as_me: creating $CONFIG_STATUS" >&6;}
+as_write_fail=0
+cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1
+#! $SHELL
+# Generated by $as_me.
+# Run this file to recreate the current configuration.
+# Compiler output produced by configure, useful for debugging
+# configure, is in config.log if it exists.
+
+debug=false
+ac_cs_recheck=false
+ac_cs_silent=false
+
+SHELL=\${CONFIG_SHELL-$SHELL}
+export SHELL
+_ASEOF
+cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1
+## -------------------- ##
+## M4sh Initialization. ##
+## -------------------- ##
+
+# Be more Bourne compatible
+DUALCASE=1; export DUALCASE # for MKS sh
+if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then :
+ emulate sh
+ NULLCMD=:
+ # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which
+ # is contrary to our usage. Disable this feature.
+ alias -g '${1+"$@"}'='"$@"'
+ setopt NO_GLOB_SUBST
+else
+ case `(set -o) 2>/dev/null` in #(
+ *posix*) :
+ set -o posix ;; #(
+ *) :
+ ;;
+esac
+fi
+
+
+as_nl='
+'
+export as_nl
+# Printing a long string crashes Solaris 7 /usr/bin/printf.
+as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\'
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo
+as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo
+# Prefer a ksh shell builtin over an external printf program on Solaris,
+# but without wasting forks for bash or zsh.
+if test -z "$BASH_VERSION$ZSH_VERSION" \
+ && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then
+ as_echo='print -r --'
+ as_echo_n='print -rn --'
+elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then
+ as_echo='printf %s\n'
+ as_echo_n='printf %s'
+else
+ if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then
+ as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"'
+ as_echo_n='/usr/ucb/echo -n'
+ else
+ as_echo_body='eval expr "X$1" : "X\\(.*\\)"'
+ as_echo_n_body='eval
+ arg=$1;
+ case $arg in #(
+ *"$as_nl"*)
+ expr "X$arg" : "X\\(.*\\)$as_nl";
+ arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;;
+ esac;
+ expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl"
+ '
+ export as_echo_n_body
+ as_echo_n='sh -c $as_echo_n_body as_echo'
+ fi
+ export as_echo_body
+ as_echo='sh -c $as_echo_body as_echo'
+fi
+
+# The user is always right.
+if test "${PATH_SEPARATOR+set}" != set; then
+ PATH_SEPARATOR=:
+ (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && {
+ (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 ||
+ PATH_SEPARATOR=';'
+ }
+fi
+
+
+# IFS
+# We need space, tab and new line, in precisely that order. Quoting is
+# there to prevent editors from complaining about space-tab.
+# (If _AS_PATH_WALK were called with IFS unset, it would disable word
+# splitting by setting IFS to empty value.)
+IFS=" "" $as_nl"
+
+# Find who we are. Look in the path if we contain no directory separator.
+as_myself=
+case $0 in #((
+ *[\\/]* ) as_myself=$0 ;;
+ *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break
+ done
+IFS=$as_save_IFS
+
+ ;;
+esac
+# We did not find ourselves, most probably we were run as `sh COMMAND'
+# in which case we are not to be found in the path.
+if test "x$as_myself" = x; then
+ as_myself=$0
+fi
+if test ! -f "$as_myself"; then
+ $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2
+ exit 1
+fi
+
+# Unset variables that we do not need and which cause bugs (e.g. in
+# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1"
+# suppresses any "Segmentation fault" message there. '((' could
+# trigger a bug in pdksh 5.2.14.
+for as_var in BASH_ENV ENV MAIL MAILPATH
+do eval test x\${$as_var+set} = xset \
+ && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || :
+done
+PS1='$ '
+PS2='> '
+PS4='+ '
+
+# NLS nuisances.
+LC_ALL=C
+export LC_ALL
+LANGUAGE=C
+export LANGUAGE
+
+# CDPATH.
+(unset CDPATH) >/dev/null 2>&1 && unset CDPATH
+
+
+# as_fn_error STATUS ERROR [LINENO LOG_FD]
+# ----------------------------------------
+# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are
+# provided, also output the error to LOG_FD, referencing LINENO. Then exit the
+# script with STATUS, using 1 if that was 0.
+as_fn_error ()
+{
+ as_status=$1; test $as_status -eq 0 && as_status=1
+ if test "$4"; then
+ as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack
+ $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4
+ fi
+ $as_echo "$as_me: error: $2" >&2
+ as_fn_exit $as_status
+} # as_fn_error
+
+
+# as_fn_set_status STATUS
+# -----------------------
+# Set $? to STATUS, without forking.
+as_fn_set_status ()
+{
+ return $1
+} # as_fn_set_status
+
+# as_fn_exit STATUS
+# -----------------
+# Exit the shell with STATUS, even in a "trap 0" or "set -e" context.
+as_fn_exit ()
+{
+ set +e
+ as_fn_set_status $1
+ exit $1
+} # as_fn_exit
+
+# as_fn_unset VAR
+# ---------------
+# Portably unset VAR.
+as_fn_unset ()
+{
+ { eval $1=; unset $1;}
+}
+as_unset=as_fn_unset
+# as_fn_append VAR VALUE
+# ----------------------
+# Append the text in VALUE to the end of the definition contained in VAR. Take
+# advantage of any shell optimizations that allow amortized linear growth over
+# repeated appends, instead of the typical quadratic growth present in naive
+# implementations.
+if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then :
+ eval 'as_fn_append ()
+ {
+ eval $1+=\$2
+ }'
+else
+ as_fn_append ()
+ {
+ eval $1=\$$1\$2
+ }
+fi # as_fn_append
+
+# as_fn_arith ARG...
+# ------------------
+# Perform arithmetic evaluation on the ARGs, and store the result in the
+# global $as_val. Take advantage of shells that can avoid forks. The arguments
+# must be portable across $(()) and expr.
+if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then :
+ eval 'as_fn_arith ()
+ {
+ as_val=$(( $* ))
+ }'
+else
+ as_fn_arith ()
+ {
+ as_val=`expr "$@" || test $? -eq 1`
+ }
+fi # as_fn_arith
+
+
+if expr a : '\(a\)' >/dev/null 2>&1 &&
+ test "X`expr 00001 : '.*\(...\)'`" = X001; then
+ as_expr=expr
+else
+ as_expr=false
+fi
+
+if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then
+ as_basename=basename
+else
+ as_basename=false
+fi
+
+if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then
+ as_dirname=dirname
+else
+ as_dirname=false
+fi
+
+as_me=`$as_basename -- "$0" ||
+$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \
+ X"$0" : 'X\(//\)$' \| \
+ X"$0" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X/"$0" |
+ sed '/^.*\/\([^/][^/]*\)\/*$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\/\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+
+# Avoid depending upon Character Ranges.
+as_cr_letters='abcdefghijklmnopqrstuvwxyz'
+as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
+as_cr_Letters=$as_cr_letters$as_cr_LETTERS
+as_cr_digits='0123456789'
+as_cr_alnum=$as_cr_Letters$as_cr_digits
+
+ECHO_C= ECHO_N= ECHO_T=
+case `echo -n x` in #(((((
+-n*)
+ case `echo 'xy\c'` in
+ *c*) ECHO_T=' ';; # ECHO_T is single tab character.
+ xy) ECHO_C='\c';;
+ *) echo `echo ksh88 bug on AIX 6.1` > /dev/null
+ ECHO_T=' ';;
+ esac;;
+*)
+ ECHO_N='-n';;
+esac
+
+rm -f conf$$ conf$$.exe conf$$.file
+if test -d conf$$.dir; then
+ rm -f conf$$.dir/conf$$.file
+else
+ rm -f conf$$.dir
+ mkdir conf$$.dir 2>/dev/null
+fi
+if (echo >conf$$.file) 2>/dev/null; then
+ if ln -s conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s='ln -s'
+ # ... but there are two gotchas:
+ # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail.
+ # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable.
+ # In both cases, we have to default to `cp -pR'.
+ ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe ||
+ as_ln_s='cp -pR'
+ elif ln conf$$.file conf$$ 2>/dev/null; then
+ as_ln_s=ln
+ else
+ as_ln_s='cp -pR'
+ fi
+else
+ as_ln_s='cp -pR'
+fi
+rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file
+rmdir conf$$.dir 2>/dev/null
+
+
+# as_fn_mkdir_p
+# -------------
+# Create "$as_dir" as a directory, including parents if necessary.
+as_fn_mkdir_p ()
+{
+
+ case $as_dir in #(
+ -*) as_dir=./$as_dir;;
+ esac
+ test -d "$as_dir" || eval $as_mkdir_p || {
+ as_dirs=
+ while :; do
+ case $as_dir in #(
+ *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'(
+ *) as_qdir=$as_dir;;
+ esac
+ as_dirs="'$as_qdir' $as_dirs"
+ as_dir=`$as_dirname -- "$as_dir" ||
+$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$as_dir" : 'X\(//\)[^/]' \| \
+ X"$as_dir" : 'X\(//\)$' \| \
+ X"$as_dir" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$as_dir" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ test -d "$as_dir" && break
+ done
+ test -z "$as_dirs" || eval "mkdir $as_dirs"
+ } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir"
+
+
+} # as_fn_mkdir_p
+if mkdir -p . 2>/dev/null; then
+ as_mkdir_p='mkdir -p "$as_dir"'
+else
+ test -d ./-p && rmdir ./-p
+ as_mkdir_p=false
+fi
+
+
+# as_fn_executable_p FILE
+# -----------------------
+# Test if FILE is an executable regular file.
+as_fn_executable_p ()
+{
+ test -f "$1" && test -x "$1"
+} # as_fn_executable_p
+as_test_x='test -x'
+as_executable_p=as_fn_executable_p
+
+# Sed expression to map a string onto a valid CPP name.
+as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'"
+
+# Sed expression to map a string onto a valid variable name.
+as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'"
+
+
+exec 6>&1
+## ----------------------------------- ##
+## Main body of $CONFIG_STATUS script. ##
+## ----------------------------------- ##
+_ASEOF
+test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# Save the log message, to keep $0 and so on meaningful, and to
+# report actual input values of CONFIG_FILES etc. instead of their
+# values after options handling.
+ac_log="
+This file was extended by $as_me, which was
+generated by GNU Autoconf 2.69. Invocation command line was
+
+ CONFIG_FILES = $CONFIG_FILES
+ CONFIG_HEADERS = $CONFIG_HEADERS
+ CONFIG_LINKS = $CONFIG_LINKS
+ CONFIG_COMMANDS = $CONFIG_COMMANDS
+ $ $0 $@
+
+on `(hostname || uname -n) 2>/dev/null | sed 1q`
+"
+
+_ACEOF
+
+case $ac_config_files in *"
+"*) set x $ac_config_files; shift; ac_config_files=$*;;
+esac
+
+case $ac_config_headers in *"
+"*) set x $ac_config_headers; shift; ac_config_headers=$*;;
+esac
+
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+# Files that config.status was made for.
+config_files="$ac_config_files"
+config_headers="$ac_config_headers"
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ac_cs_usage="\
+\`$as_me' instantiates files and other configuration actions
+from templates according to the current configuration. Unless the files
+and actions are specified as TAGs, all are instantiated by default.
+
+Usage: $0 [OPTION]... [TAG]...
+
+ -h, --help print this help, then exit
+ -V, --version print version number and configuration settings, then exit
+ --config print configuration, then exit
+ -q, --quiet, --silent
+ do not print progress messages
+ -d, --debug don't remove temporary files
+ --recheck update $as_me by reconfiguring in the same conditions
+ --file=FILE[:TEMPLATE]
+ instantiate the configuration file FILE
+ --header=FILE[:TEMPLATE]
+ instantiate the configuration header FILE
+
+Configuration files:
+$config_files
+
+Configuration headers:
+$config_headers
+
+Report bugs to the package provider."
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
+ac_cs_version="\\
+config.status
+configured by $0, generated by GNU Autoconf 2.69,
+ with options \\"\$ac_cs_config\\"
+
+Copyright (C) 2012 Free Software Foundation, Inc.
+This config.status script is free software; the Free Software Foundation
+gives unlimited permission to copy, distribute and modify it."
+
+ac_pwd='$ac_pwd'
+srcdir='$srcdir'
+test -n "\$AWK" || AWK=awk
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# The default lists apply if the user does not specify any file.
+ac_need_defaults=:
+while test $# != 0
+do
+ case $1 in
+ --*=?*)
+ ac_option=`expr "X$1" : 'X\([^=]*\)='`
+ ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'`
+ ac_shift=:
+ ;;
+ --*=)
+ ac_option=`expr "X$1" : 'X\([^=]*\)='`
+ ac_optarg=
+ ac_shift=:
+ ;;
+ *)
+ ac_option=$1
+ ac_optarg=$2
+ ac_shift=shift
+ ;;
+ esac
+
+ case $ac_option in
+ # Handling of the options.
+ -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r)
+ ac_cs_recheck=: ;;
+ --version | --versio | --versi | --vers | --ver | --ve | --v | -V )
+ $as_echo "$ac_cs_version"; exit ;;
+ --config | --confi | --conf | --con | --co | --c )
+ $as_echo "$ac_cs_config"; exit ;;
+ --debug | --debu | --deb | --de | --d | -d )
+ debug=: ;;
+ --file | --fil | --fi | --f )
+ $ac_shift
+ case $ac_optarg in
+ *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+ '') as_fn_error $? "missing file argument" ;;
+ esac
+ as_fn_append CONFIG_FILES " '$ac_optarg'"
+ ac_need_defaults=false;;
+ --header | --heade | --head | --hea )
+ $ac_shift
+ case $ac_optarg in
+ *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;;
+ esac
+ as_fn_append CONFIG_HEADERS " '$ac_optarg'"
+ ac_need_defaults=false;;
+ --he | --h)
+ # Conflict between --help and --header
+ as_fn_error $? "ambiguous option: \`$1'
+Try \`$0 --help' for more information.";;
+ --help | --hel | -h )
+ $as_echo "$ac_cs_usage"; exit ;;
+ -q | -quiet | --quiet | --quie | --qui | --qu | --q \
+ | -silent | --silent | --silen | --sile | --sil | --si | --s)
+ ac_cs_silent=: ;;
+
+ # This is an error.
+ -*) as_fn_error $? "unrecognized option: \`$1'
+Try \`$0 --help' for more information." ;;
+
+ *) as_fn_append ac_config_targets " $1"
+ ac_need_defaults=false ;;
+
+ esac
+ shift
+done
+
+ac_configure_extra_args=
+
+if $ac_cs_silent; then
+ exec 6>/dev/null
+ ac_configure_extra_args="$ac_configure_extra_args --silent"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+if \$ac_cs_recheck; then
+ set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion
+ shift
+ \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6
+ CONFIG_SHELL='$SHELL'
+ export CONFIG_SHELL
+ exec "\$@"
+fi
+
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+exec 5>>config.log
+{
+ echo
+ sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX
+## Running $as_me. ##
+_ASBOX
+ $as_echo "$ac_log"
+} >&5
+
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+
+# Handling of arguments.
+for ac_config_target in $ac_config_targets
+do
+ case $ac_config_target in
+ "config.h") CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;;
+ "rlm_mschap.mk") CONFIG_FILES="$CONFIG_FILES rlm_mschap.mk" ;;
+
+ *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;;
+ esac
+done
+
+
+# If the user did not use the arguments to specify the items to instantiate,
+# then the envvar interface is used. Set only those that are not.
+# We use the long form for the default assignment because of an extremely
+# bizarre bug on SunOS 4.1.3.
+if $ac_need_defaults; then
+ test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files
+ test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers
+fi
+
+# Have a temporary directory for convenience. Make it in the build tree
+# simply because there is no reason against having it here, and in addition,
+# creating and moving files from /tmp can sometimes cause problems.
+# Hook for its removal unless debugging.
+# Note that there is a small window in which the directory will not be cleaned:
+# after its creation but before its name has been assigned to `$tmp'.
+$debug ||
+{
+ tmp= ac_tmp=
+ trap 'exit_status=$?
+ : "${ac_tmp:=$tmp}"
+ { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status
+' 0
+ trap 'as_fn_exit 1' 1 2 13 15
+}
+# Create a (secure) tmp directory for tmp files.
+
+{
+ tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` &&
+ test -d "$tmp"
+} ||
+{
+ tmp=./conf$$-$RANDOM
+ (umask 077 && mkdir "$tmp")
+} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5
+ac_tmp=$tmp
+
+# Set up the scripts for CONFIG_FILES section.
+# No need to generate them if there are no CONFIG_FILES.
+# This happens for instance with `./config.status config.h'.
+if test -n "$CONFIG_FILES"; then
+
+
+ac_cr=`echo X | tr X '\015'`
+# On cygwin, bash can eat \r inside `` if the user requested igncr.
+# But we know of no other shell where ac_cr would be empty at this
+# point, so we can use a bashism as a fallback.
+if test "x$ac_cr" = x; then
+ eval ac_cr=\$\'\\r\'
+fi
+ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' </dev/null 2>/dev/null`
+if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then
+ ac_cs_awk_cr='\\r'
+else
+ ac_cs_awk_cr=$ac_cr
+fi
+
+echo 'BEGIN {' >"$ac_tmp/subs1.awk" &&
+_ACEOF
+
+
+{
+ echo "cat >conf$$subs.awk <<_ACEOF" &&
+ echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' &&
+ echo "_ACEOF"
+} >conf$$subs.sh ||
+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'`
+ac_delim='%!_!# '
+for ac_last_try in false false false false false :; do
+ . ./conf$$subs.sh ||
+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+
+ ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X`
+ if test $ac_delim_n = $ac_delim_num; then
+ break
+ elif $ac_last_try; then
+ as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5
+ else
+ ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+ fi
+done
+rm -f conf$$subs.sh
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&
+_ACEOF
+sed -n '
+h
+s/^/S["/; s/!.*/"]=/
+p
+g
+s/^[^!]*!//
+:repl
+t repl
+s/'"$ac_delim"'$//
+t delim
+:nl
+h
+s/\(.\{148\}\)..*/\1/
+t more1
+s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/
+p
+n
+b repl
+:more1
+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
+p
+g
+s/.\{148\}//
+t nl
+:delim
+h
+s/\(.\{148\}\)..*/\1/
+t more2
+s/["\\]/\\&/g; s/^/"/; s/$/"/
+p
+b
+:more2
+s/["\\]/\\&/g; s/^/"/; s/$/"\\/
+p
+g
+s/.\{148\}//
+t delim
+' <conf$$subs.awk | sed '
+/^[^""]/{
+ N
+ s/\n//
+}
+' >>$CONFIG_STATUS || ac_write_fail=1
+rm -f conf$$subs.awk
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+_ACAWK
+cat >>"\$ac_tmp/subs1.awk" <<_ACAWK &&
+ for (key in S) S_is_set[key] = 1
+ FS = ""
+
+}
+{
+ line = $ 0
+ nfields = split(line, field, "@")
+ substed = 0
+ len = length(field[1])
+ for (i = 2; i < nfields; i++) {
+ key = field[i]
+ keylen = length(key)
+ if (S_is_set[key]) {
+ value = S[key]
+ line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3)
+ len += length(value) + length(field[++i])
+ substed = 1
+ } else
+ len += 1 + keylen
+ }
+
+ print line
+}
+
+_ACAWK
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then
+ sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g"
+else
+ cat
+fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \
+ || as_fn_error $? "could not setup config files machinery" "$LINENO" 5
+_ACEOF
+
+# VPATH may cause trouble with some makes, so we remove sole $(srcdir),
+# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and
+# trailing colons and then remove the whole line if VPATH becomes empty
+# (actually we leave an empty line to preserve line numbers).
+if test "x$srcdir" = x.; then
+ ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{
+h
+s///
+s/^/:/
+s/[ ]*$/:/
+s/:\$(srcdir):/:/g
+s/:\${srcdir}:/:/g
+s/:@srcdir@:/:/g
+s/^:*//
+s/:*$//
+x
+s/\(=[ ]*\).*/\1/
+G
+s/\n//
+s/^[^=]*=[ ]*$//
+}'
+fi
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+fi # test -n "$CONFIG_FILES"
+
+# Set up the scripts for CONFIG_HEADERS section.
+# No need to generate them if there are no CONFIG_HEADERS.
+# This happens for instance with `./config.status Makefile'.
+if test -n "$CONFIG_HEADERS"; then
+cat >"$ac_tmp/defines.awk" <<\_ACAWK ||
+BEGIN {
+_ACEOF
+
+# Transform confdefs.h into an awk script `defines.awk', embedded as
+# here-document in config.status, that substitutes the proper values into
+# config.h.in to produce config.h.
+
+# Create a delimiter string that does not exist in confdefs.h, to ease
+# handling of long lines.
+ac_delim='%!_!# '
+for ac_last_try in false false :; do
+ ac_tt=`sed -n "/$ac_delim/p" confdefs.h`
+ if test -z "$ac_tt"; then
+ break
+ elif $ac_last_try; then
+ as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5
+ else
+ ac_delim="$ac_delim!$ac_delim _$ac_delim!! "
+ fi
+done
+
+# For the awk script, D is an array of macro values keyed by name,
+# likewise P contains macro parameters if any. Preserve backslash
+# newline sequences.
+
+ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]*
+sed -n '
+s/.\{148\}/&'"$ac_delim"'/g
+t rset
+:rset
+s/^[ ]*#[ ]*define[ ][ ]*/ /
+t def
+d
+:def
+s/\\$//
+t bsnl
+s/["\\]/\\&/g
+s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\
+D["\1"]=" \3"/p
+s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p
+d
+:bsnl
+s/["\\]/\\&/g
+s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\
+D["\1"]=" \3\\\\\\n"\\/p
+t cont
+s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p
+t cont
+d
+:cont
+n
+s/.\{148\}/&'"$ac_delim"'/g
+t clear
+:clear
+s/\\$//
+t bsnlc
+s/["\\]/\\&/g; s/^/"/; s/$/"/p
+d
+:bsnlc
+s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p
+b cont
+' <confdefs.h | sed '
+s/'"$ac_delim"'/"\\\
+"/g' >>$CONFIG_STATUS || ac_write_fail=1
+
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ for (key in D) D_is_set[key] = 1
+ FS = ""
+}
+/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ {
+ line = \$ 0
+ split(line, arg, " ")
+ if (arg[1] == "#") {
+ defundef = arg[2]
+ mac1 = arg[3]
+ } else {
+ defundef = substr(arg[1], 2)
+ mac1 = arg[2]
+ }
+ split(mac1, mac2, "(") #)
+ macro = mac2[1]
+ prefix = substr(line, 1, index(line, defundef) - 1)
+ if (D_is_set[macro]) {
+ # Preserve the white space surrounding the "#".
+ print prefix "define", macro P[macro] D[macro]
+ next
+ } else {
+ # Replace #undef with comments. This is necessary, for example,
+ # in the case of _POSIX_SOURCE, which is predefined and required
+ # on some systems where configure will not decide to define it.
+ if (defundef == "undef") {
+ print "/*", prefix defundef, macro, "*/"
+ next
+ }
+ }
+}
+{ print }
+_ACAWK
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+ as_fn_error $? "could not setup config headers machinery" "$LINENO" 5
+fi # test -n "$CONFIG_HEADERS"
+
+
+eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS "
+shift
+for ac_tag
+do
+ case $ac_tag in
+ :[FHLC]) ac_mode=$ac_tag; continue;;
+ esac
+ case $ac_mode$ac_tag in
+ :[FHL]*:*);;
+ :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;;
+ :[FH]-) ac_tag=-:-;;
+ :[FH]*) ac_tag=$ac_tag:$ac_tag.in;;
+ esac
+ ac_save_IFS=$IFS
+ IFS=:
+ set x $ac_tag
+ IFS=$ac_save_IFS
+ shift
+ ac_file=$1
+ shift
+
+ case $ac_mode in
+ :L) ac_source=$1;;
+ :[FH])
+ ac_file_inputs=
+ for ac_f
+ do
+ case $ac_f in
+ -) ac_f="$ac_tmp/stdin";;
+ *) # Look for the file first in the build tree, then in the source tree
+ # (if the path is not absolute). The absolute path cannot be DOS-style,
+ # because $ac_f cannot contain `:'.
+ test -f "$ac_f" ||
+ case $ac_f in
+ [\\/$]*) false;;
+ *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";;
+ esac ||
+ as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;;
+ esac
+ case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac
+ as_fn_append ac_file_inputs " '$ac_f'"
+ done
+
+ # Let's still pretend it is `configure' which instantiates (i.e., don't
+ # use $as_me), people would be surprised to read:
+ # /* config.h. Generated by config.status. */
+ configure_input='Generated from '`
+ $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g'
+ `' by configure.'
+ if test x"$ac_file" != x-; then
+ configure_input="$ac_file. $configure_input"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5
+$as_echo "$as_me: creating $ac_file" >&6;}
+ fi
+ # Neutralize special characters interpreted by sed in replacement strings.
+ case $configure_input in #(
+ *\&* | *\|* | *\\* )
+ ac_sed_conf_input=`$as_echo "$configure_input" |
+ sed 's/[\\\\&|]/\\\\&/g'`;; #(
+ *) ac_sed_conf_input=$configure_input;;
+ esac
+
+ case $ac_tag in
+ *:-:* | *:-) cat >"$ac_tmp/stdin" \
+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;;
+ esac
+ ;;
+ esac
+
+ ac_dir=`$as_dirname -- "$ac_file" ||
+$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \
+ X"$ac_file" : 'X\(//\)[^/]' \| \
+ X"$ac_file" : 'X\(//\)$' \| \
+ X"$ac_file" : 'X\(/\)' \| . 2>/dev/null ||
+$as_echo X"$ac_file" |
+ sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)[^/].*/{
+ s//\1/
+ q
+ }
+ /^X\(\/\/\)$/{
+ s//\1/
+ q
+ }
+ /^X\(\/\).*/{
+ s//\1/
+ q
+ }
+ s/.*/./; q'`
+ as_dir="$ac_dir"; as_fn_mkdir_p
+ ac_builddir=.
+
+case "$ac_dir" in
+.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;;
+*)
+ ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'`
+ # A ".." for each directory in $ac_dir_suffix.
+ ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'`
+ case $ac_top_builddir_sub in
+ "") ac_top_builddir_sub=. ac_top_build_prefix= ;;
+ *) ac_top_build_prefix=$ac_top_builddir_sub/ ;;
+ esac ;;
+esac
+ac_abs_top_builddir=$ac_pwd
+ac_abs_builddir=$ac_pwd$ac_dir_suffix
+# for backward compatibility:
+ac_top_builddir=$ac_top_build_prefix
+
+case $srcdir in
+ .) # We are building in place.
+ ac_srcdir=.
+ ac_top_srcdir=$ac_top_builddir_sub
+ ac_abs_top_srcdir=$ac_pwd ;;
+ [\\/]* | ?:[\\/]* ) # Absolute name.
+ ac_srcdir=$srcdir$ac_dir_suffix;
+ ac_top_srcdir=$srcdir
+ ac_abs_top_srcdir=$srcdir ;;
+ *) # Relative name.
+ ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix
+ ac_top_srcdir=$ac_top_build_prefix$srcdir
+ ac_abs_top_srcdir=$ac_pwd/$srcdir ;;
+esac
+ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix
+
+
+ case $ac_mode in
+ :F)
+ #
+ # CONFIG_FILE
+ #
+
+_ACEOF
+
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+# If the template does not know about datarootdir, expand it.
+# FIXME: This hack should be removed a few years after 2.60.
+ac_datarootdir_hack=; ac_datarootdir_seen=
+ac_sed_dataroot='
+/datarootdir/ {
+ p
+ q
+}
+/@datadir@/p
+/@docdir@/p
+/@infodir@/p
+/@localedir@/p
+/@mandir@/p'
+case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in
+*datarootdir*) ac_datarootdir_seen=yes;;
+*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*)
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5
+$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;}
+_ACEOF
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ ac_datarootdir_hack='
+ s&@datadir@&$datadir&g
+ s&@docdir@&$docdir&g
+ s&@infodir@&$infodir&g
+ s&@localedir@&$localedir&g
+ s&@mandir@&$mandir&g
+ s&\\\${datarootdir}&$datarootdir&g' ;;
+esac
+_ACEOF
+
+# Neutralize VPATH when `$srcdir' = `.'.
+# Shell code in configure.ac might set extrasub.
+# FIXME: do we really want to maintain this feature?
+cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
+ac_sed_extra="$ac_vpsub
+$extrasub
+_ACEOF
+cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1
+:t
+/@[a-zA-Z_][a-zA-Z_0-9]*@/!b
+s|@configure_input@|$ac_sed_conf_input|;t t
+s&@top_builddir@&$ac_top_builddir_sub&;t t
+s&@top_build_prefix@&$ac_top_build_prefix&;t t
+s&@srcdir@&$ac_srcdir&;t t
+s&@abs_srcdir@&$ac_abs_srcdir&;t t
+s&@top_srcdir@&$ac_top_srcdir&;t t
+s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t
+s&@builddir@&$ac_builddir&;t t
+s&@abs_builddir@&$ac_abs_builddir&;t t
+s&@abs_top_builddir@&$ac_abs_top_builddir&;t t
+$ac_datarootdir_hack
+"
+eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | $AWK -f "$ac_tmp/subs.awk" \
+ >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+
+test -z "$ac_datarootdir_hack$ac_datarootdir_seen" &&
+ { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } &&
+ { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \
+ "$ac_tmp/out"`; test -z "$ac_out"; } &&
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined. Please make sure it is defined" >&5
+$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir'
+which seems to be undefined. Please make sure it is defined" >&2;}
+
+ rm -f "$ac_tmp/stdin"
+ case $ac_file in
+ -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";;
+ *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";;
+ esac \
+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+ ;;
+ :H)
+ #
+ # CONFIG_HEADER
+ #
+ if test x"$ac_file" != x-; then
+ {
+ $as_echo "/* $configure_input */" \
+ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs"
+ } >"$ac_tmp/config.h" \
+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+ if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5
+$as_echo "$as_me: $ac_file is unchanged" >&6;}
+ else
+ rm -f "$ac_file"
+ mv "$ac_tmp/config.h" "$ac_file" \
+ || as_fn_error $? "could not create $ac_file" "$LINENO" 5
+ fi
+ else
+ $as_echo "/* $configure_input */" \
+ && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \
+ || as_fn_error $? "could not create -" "$LINENO" 5
+ fi
+ ;;
+
+
+ esac
+
+done # for ac_tag
+
+
+as_fn_exit 0
+_ACEOF
+ac_clean_files=$ac_clean_files_save
+
+test $ac_write_fail = 0 ||
+ as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5
+
+
+# configure is writing to config.log, and then calls config.status.
+# config.status does its own redirection, appending to config.log.
+# Unfortunately, on DOS this fails, as config.log is still kept open
+# by configure, so config.status won't be able to write to it; its
+# output is simply discarded. So we exec the FD to /dev/null,
+# effectively closing config.log, so it can be properly (re)opened and
+# appended to by config.status. When coming back to configure, we
+# need to make the FD available again.
+if test "$no_create" != yes; then
+ ac_cs_success=:
+ ac_config_status_args=
+ test "$silent" = yes &&
+ ac_config_status_args="$ac_config_status_args --quiet"
+ exec 5>/dev/null
+ $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false
+ exec 5>>config.log
+ # Use ||, not &&, to avoid exiting from the if with $? = 1, which
+ # would make configure fail if this is the last instruction.
+ $ac_cs_success || as_fn_exit 1
+fi
+if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5
+$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;}
+fi
+
diff --git a/src/modules/rlm_mschap/configure.ac b/src/modules/rlm_mschap/configure.ac
new file mode 100644
index 0000000..953336f
--- /dev/null
+++ b/src/modules/rlm_mschap/configure.ac
@@ -0,0 +1,128 @@
+AC_PREREQ([2.69])
+AC_INIT
+AC_CONFIG_SRCDIR([rlm_mschap.c])
+AC_REVISION($Revision$)
+FR_INIT_MODULE([rlm_mschap], [MS-CHAP and MS-CHAPv2 authentication])
+
+FR_MODULE_START_TESTS
+
+AC_PROG_CC
+AC_PROG_CPP
+
+dnl ############################################################
+dnl # Check for command line options
+dnl ############################################################
+
+dnl extra argument: --with-winbind-include-dir=DIR
+winbind_include_dir=
+AC_ARG_WITH(winbind-include-dir,
+ [AS_HELP_STRING([--with-winbind-include-dir=DIR],
+ [Directory where the winbind includes may be found])],
+ [case "$withval" in
+ no)
+ AC_MSG_ERROR(Need winbind-include-dir)
+ ;;
+ yes)
+ ;;
+ *)
+ winbind_include_dir="$withval"
+ ;;
+ esac])
+
+dnl extra argument: --with-winbind-lib-dir=DIR
+winbind_lib_dir=
+AC_ARG_WITH(winbind-lib-dir,
+ [AS_HELP_STRING([--with-winbind-lib-dir=DIR],
+ [Directory where the winbind libraries may be found])],
+ [case "$withval" in
+ no)
+ AC_MSG_ERROR(Need winbind-lib-dir)
+ ;;
+ yes)
+ ;;
+ *)
+ winbind_lib_dir="$withval"
+ ;;
+ esac])
+
+dnl extra argument: --with-winbind-dir=DIR
+AC_ARG_WITH(winbind-dir,
+ [AS_HELP_STRING([--with-winbind-dir=DIR],
+ [Base directory where winbind is installed])],
+ [case "$withval" in
+ no)
+ AC_MSG_ERROR(Need winbind-dir)
+ ;;
+ yes)
+ ;;
+ *)
+ winbind_lib_dir="$withval/lib"
+ winbind_include_dir="$withval/include"
+ ;;
+ esac])
+
+
+dnl ############################################################
+dnl # Check for header files
+dnl ############################################################
+
+mschap_sources=
+FR_SMART_CHECK_INCLUDE(membership.h)
+if test "x$ac_cv_header_membership_h" = "xyes"; then
+ AC_DEFINE([HAVE_MEMBERSHIP_H],[1],[Build with Apple Open Directory support])
+ mschap_sources="$mschap_sources opendir.c"
+ mod_ldflags="-F /Library/Developer/CommandLineTools/SDKs/MacOSX.sdk/System/Library/Frameworks -framework DirectoryService"
+ FR_MODULE_FEATURE([opendirectory], [with opendirectory support])
+else
+ FR_MODULE_FEATURE([opendirectory], [without opendirectory support])
+fi
+
+smart_try_dir="$winbind_include_dir /usr/include/samba-4.0"
+FR_SMART_CHECK_INCLUDE(wbclient.h, [#include <stdint.h>
+ #include <stdbool.h>])
+if test "x$ac_cv_header_wbclient_h" != "xyes"; then
+ AC_MSG_WARN([wbclient.h not found. Use --with-winbind-include-dir=<path>.])
+ AC_MSG_WARN([silently building without support for direct authentication via winbind. requires: libwbclient])
+ FR_MODULE_FEATURE([wbclient], [without direct winbind support])
+fi
+
+FR_SMART_CHECK_INCLUDE(core/ntstatus.h, [#include <stdint.h>
+ #include <stdbool.h>])
+if test "x$ac_cv_header_core_ntstatus_h" != "xyes"; then
+ AC_MSG_WARN([core/ntstatus.h not found. Use --with-winbind-include-dir=<path>.])
+ AC_MSG_WARN([silently building without support for direct authentication via winbind. requires: libwbclient])
+ FR_MODULE_FEATURE([wbclient], [without direct winbind support])
+fi
+
+dnl ############################################################
+dnl # Check for libraries
+dnl ############################################################
+
+if test "x$ac_cv_header_wbclient_h" = "xyes" && \
+ test "x$ac_cv_header_core_ntstatus_h" = "xyes"; then
+
+ smart_try_dir="$winbind_lib_dir"
+ FR_SMART_CHECK_LIB(wbclient, wbcCtxAuthenticateUserEx)
+ if test "x$ac_cv_lib_wbclient_wbcCtxAuthenticateUserEx" != "xyes"; then
+ AC_MSG_WARN([winbind libraries not found. Use --with-winbind-lib-dir=<path>.])
+ AC_MSG_WARN([Samba must be version 4.2.1 or higher to use this feature.])
+ FR_MODULE_FEATURE([wbclient], [without direct winbind support])
+ else
+ mschap_sources="$mschap_sources auth_wbclient.c"
+ AC_DEFINE([WITH_AUTH_WINBIND],[1],[Build with direct winbind auth support])
+ FR_MODULE_FEATURE([wbclient], [with direct winbind support])
+ fi
+fi
+
+FR_MODULE_END_TESTS
+
+mod_ldflags="$mod_ldflags $SMART_LIBS"
+mod_cflags="$SMART_CPPFLAGS"
+
+AC_SUBST(mschap_sources)
+AC_SUBST(mod_ldflags)
+AC_SUBST(mod_cflags)
+
+AC_CONFIG_HEADER([config.h])
+AC_CONFIG_FILES([rlm_mschap.mk])
+AC_OUTPUT
diff --git a/src/modules/rlm_mschap/mschap.c b/src/modules/rlm_mschap/mschap.c
new file mode 100644
index 0000000..4e088ed
--- /dev/null
+++ b/src/modules/rlm_mschap/mschap.c
@@ -0,0 +1,147 @@
+/*
+ * mschap.c
+ *
+ * Version: $Id$
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Copyright 2000,2001,2006,2010 The FreeRADIUS server project
+ */
+
+
+/*
+ * This implements MS-CHAP, as described in RFC 2548
+ *
+ * http://www.freeradius.org/rfc/rfc2548.txt
+ *
+ */
+
+RCSID("$Id$")
+
+#include <freeradius-devel/radiusd.h>
+#include <freeradius-devel/modules.h>
+#include <freeradius-devel/rad_assert.h>
+#include <freeradius-devel/md5.h>
+#include <freeradius-devel/sha1.h>
+
+#include <ctype.h>
+
+#include "smbdes.h"
+#include "mschap.h"
+
+/** Converts Unicode password to 16-byte NT hash with MD4
+ *
+ * @param[out] out Pointer to 16 byte output buffer.
+ * @param[in] password to encode.
+ * @return 0 on success else -1 on failure.
+ */
+int mschap_ntpwdhash(uint8_t *out, char const *password)
+{
+ ssize_t len;
+ uint8_t ucs2_password[512];
+
+ len = fr_utf8_to_ucs2(ucs2_password, sizeof(ucs2_password), password, strlen(password));
+ if (len < 0) {
+ *out = '\0';
+ return -1;
+ }
+ fr_md4_calc(out, (uint8_t *) ucs2_password, len);
+
+ return 0;
+}
+
+/*
+ * challenge_hash() is used by mschap2() and auth_response()
+ * implements RFC2759 ChallengeHash()
+ * generates 64 bit challenge
+ */
+void mschap_challenge_hash(uint8_t const *peer_challenge,
+ uint8_t const *auth_challenge,
+ char const *user_name, uint8_t *challenge )
+{
+ fr_sha1_ctx Context;
+ uint8_t hash[20];
+
+ fr_sha1_init(&Context);
+ fr_sha1_update(&Context, peer_challenge, 16);
+ fr_sha1_update(&Context, auth_challenge, 16);
+ fr_sha1_update(&Context, (uint8_t const *) user_name,
+ strlen(user_name));
+ fr_sha1_final(hash, &Context);
+ memcpy(challenge, hash, 8);
+}
+
+/*
+ * auth_response() generates MS-CHAP v2 SUCCESS response
+ * according to RFC 2759 GenerateAuthenticatorResponse()
+ * returns 42-octet response string
+ */
+void mschap_auth_response(char const *username,
+ uint8_t const *nt_hash_hash,
+ uint8_t const *ntresponse,
+ uint8_t const *peer_challenge, uint8_t const *auth_challenge,
+ char *response)
+{
+ fr_sha1_ctx Context;
+ static const uint8_t magic1[39] =
+ {0x4D, 0x61, 0x67, 0x69, 0x63, 0x20, 0x73, 0x65, 0x72, 0x76,
+ 0x65, 0x72, 0x20, 0x74, 0x6F, 0x20, 0x63, 0x6C, 0x69, 0x65,
+ 0x6E, 0x74, 0x20, 0x73, 0x69, 0x67, 0x6E, 0x69, 0x6E, 0x67,
+ 0x20, 0x63, 0x6F, 0x6E, 0x73, 0x74, 0x61, 0x6E, 0x74};
+
+ static const uint8_t magic2[41] =
+ {0x50, 0x61, 0x64, 0x20, 0x74, 0x6F, 0x20, 0x6D, 0x61, 0x6B,
+ 0x65, 0x20, 0x69, 0x74, 0x20, 0x64, 0x6F, 0x20, 0x6D, 0x6F,
+ 0x72, 0x65, 0x20, 0x74, 0x68, 0x61, 0x6E, 0x20, 0x6F, 0x6E,
+ 0x65, 0x20, 0x69, 0x74, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6F,
+ 0x6E};
+
+ static char const hex[] = "0123456789ABCDEF";
+
+ size_t i;
+ uint8_t challenge[8];
+ uint8_t digest[20];
+
+ fr_sha1_init(&Context);
+ fr_sha1_update(&Context, nt_hash_hash, 16);
+ fr_sha1_update(&Context, ntresponse, 24);
+ fr_sha1_update(&Context, magic1, 39);
+ fr_sha1_final(digest, &Context);
+ mschap_challenge_hash(peer_challenge, auth_challenge, username, challenge);
+ fr_sha1_init(&Context);
+ fr_sha1_update(&Context, digest, 20);
+ fr_sha1_update(&Context, challenge, 8);
+ fr_sha1_update(&Context, magic2, 41);
+ fr_sha1_final(digest, &Context);
+
+ /*
+ * Encode the value of 'Digest' as "S=" followed by
+ * 40 ASCII hexadecimal digits and return it in
+ * AuthenticatorResponse.
+ * For example,
+ * "S=0123456789ABCDEF0123456789ABCDEF01234567"
+ */
+ response[0] = 'S';
+ response[1] = '=';
+
+ /*
+ * The hexadecimal digits [A-F] MUST be uppercase.
+ */
+ for (i = 0; i < sizeof(digest); i++) {
+ response[2 + (i * 2)] = hex[(digest[i] >> 4) & 0x0f];
+ response[3 + (i * 2)] = hex[digest[i] & 0x0f];
+ }
+}
+
diff --git a/src/modules/rlm_mschap/mschap.h b/src/modules/rlm_mschap/mschap.h
new file mode 100644
index 0000000..6fcc485
--- /dev/null
+++ b/src/modules/rlm_mschap/mschap.h
@@ -0,0 +1,25 @@
+/* Copyright 2006 The FreeRADIUS server project */
+
+#ifndef _MSCHAP_H
+#define _MSCHAP_H
+
+RCSIDH(mschap_h, "$Id$")
+
+#define NT_DIGEST_LENGTH 16
+#define LM_DIGEST_LENGTH 16
+
+int mschap_ntpwdhash(uint8_t *out, char const *password);
+void mschap_challenge_hash(uint8_t const *peer_challenge,
+ uint8_t const *auth_challenge,
+ char const *user_name, uint8_t *challenge );
+
+void mschap_auth_response(char const *username,
+ uint8_t const *nt_hash_hash,
+ uint8_t const *ntresponse,
+ uint8_t const *peer_challenge, uint8_t const *auth_challenge,
+ char *response);
+void mschap_add_reply(REQUEST *request, unsigned char ident,
+ char const *name, char const *value, size_t len);
+
+
+#endif /*_MSCHAP_H*/
diff --git a/src/modules/rlm_mschap/opendir.c b/src/modules/rlm_mschap/opendir.c
new file mode 100644
index 0000000..b3fd9ff
--- /dev/null
+++ b/src/modules/rlm_mschap/opendir.c
@@ -0,0 +1,418 @@
+#ifdef __APPLE__
+/*
+ * Open Directory support from Apple Inc.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 only, as published by
+ * the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License version 2
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ *
+ * Copyright 2007 Apple Inc.
+ */
+
+RCSID("$Id$")
+USES_APPLE_DEPRECATED_API
+
+#include <freeradius-devel/radiusd.h>
+#include <freeradius-devel/modules.h>
+#include <freeradius-devel/rad_assert.h>
+#include <freeradius-devel/md5.h>
+
+#include <ctype.h>
+
+#include "smbdes.h"
+
+#include <DirectoryService/DirectoryService.h>
+
+#define kActiveDirLoc "/Active Directory/"
+
+/*
+ * In rlm_mschap.c
+ */
+void mschap_add_reply(REQUEST *request, unsigned char ident,
+ char const *name, char const *value, size_t len);
+
+/*
+ * Only used by rlm_mschap.c
+ */
+rlm_rcode_t od_mschap_auth(REQUEST *request, VALUE_PAIR *challenge, VALUE_PAIR * usernamepair);
+
+
+static rlm_rcode_t getUserNodeRef(REQUEST *request, char* inUserName, char **outUserName,
+ tDirNodeReference* userNodeRef, tDirReference dsRef)
+{
+ tDataBuffer *tDataBuff = NULL;
+ tDirNodeReference nodeRef = 0;
+ long status = eDSNoErr;
+ char const *what = NULL;
+ char *status_name = NULL;
+ tContextData context = 0;
+ uint32_t nodeCount = 0;
+ uint32_t attrIndex = 0;
+ tDataList *nodeName = NULL;
+ tAttributeEntryPtr pAttrEntry = NULL;
+ tDataList *pRecName = NULL;
+ tDataList *pRecType = NULL;
+ tDataList *pAttrType = NULL;
+ uint32_t recCount = 0;
+ tRecordEntry *pRecEntry = NULL;
+ tAttributeListRef attrListRef = 0;
+ char *pUserLocation = NULL;
+ tAttributeValueListRef valueRef = 0;
+ tDataList *pUserNode = NULL;
+ rlm_rcode_t result = RLM_MODULE_FAIL;
+
+ if (!inUserName) {
+ ERROR("rlm_mschap: getUserNodeRef(): no username");
+ return RLM_MODULE_FAIL;
+ }
+
+ tDataBuff = dsDataBufferAllocate(dsRef, 4096);
+ if (!tDataBuff) {
+ RERROR("Failed allocating buffer");
+ return RLM_MODULE_FAIL;
+ }
+
+ do {
+ /* find on search node */
+ status = dsFindDirNodes(dsRef, tDataBuff, NULL,
+ eDSAuthenticationSearchNodeName,
+ &nodeCount, &context);
+#define OPEN_DIR_ERROR(_x) do if (status != eDSNoErr) { \
+ what = _x; \
+ goto error; \
+ } while (0)
+
+ OPEN_DIR_ERROR("Failed to find directory");
+
+ if (nodeCount < 1) {
+ what = "No directories found.";
+ goto error;
+ }
+
+ status = dsGetDirNodeName(dsRef, tDataBuff, 1, &nodeName);
+ OPEN_DIR_ERROR("Failed getting directory name");
+
+ status = dsOpenDirNode(dsRef, nodeName, &nodeRef);
+ dsDataListDeallocate(dsRef, nodeName);
+ free(nodeName);
+ nodeName = NULL;
+
+ OPEN_DIR_ERROR("Failed opening directory");
+
+ pRecName = dsBuildListFromStrings(dsRef, inUserName, NULL);
+ pRecType = dsBuildListFromStrings(dsRef, kDSStdRecordTypeUsers,
+ NULL);
+ pAttrType = dsBuildListFromStrings(dsRef,
+ kDSNAttrMetaNodeLocation,
+ kDSNAttrRecordName, NULL);
+
+ recCount = 1;
+ status = dsGetRecordList(nodeRef, tDataBuff, pRecName,
+ eDSExact, pRecType, pAttrType, 0,
+ &recCount, &context);
+ OPEN_DIR_ERROR("Failed getting record list");
+
+ if (recCount == 0) {
+ what = "No user records returned";
+ goto error;
+ }
+
+ status = dsGetRecordEntry(nodeRef, tDataBuff, 1,
+ &attrListRef, &pRecEntry);
+ OPEN_DIR_ERROR("Failed getting record entry");
+
+ for (attrIndex = 1; (attrIndex <= pRecEntry->fRecordAttributeCount) && (status == eDSNoErr); attrIndex++) {
+ status = dsGetAttributeEntry(nodeRef, tDataBuff, attrListRef, attrIndex, &valueRef, &pAttrEntry);
+ if (status == eDSNoErr && pAttrEntry != NULL) {
+ tAttributeValueEntry *pValueEntry = NULL;
+
+ if (strcmp(pAttrEntry->fAttributeSignature.fBufferData, kDSNAttrMetaNodeLocation) == 0) {
+ status = dsGetAttributeValue(nodeRef, tDataBuff, 1, valueRef, &pValueEntry);
+ if (status == eDSNoErr && pValueEntry != NULL) {
+ pUserLocation = talloc_zero_array(request, char, pValueEntry->fAttributeValueData.fBufferLength + 1);
+ memcpy(pUserLocation, pValueEntry->fAttributeValueData.fBufferData, pValueEntry->fAttributeValueData.fBufferLength);
+ }
+ } else if (strcmp(pAttrEntry->fAttributeSignature.fBufferData, kDSNAttrRecordName) == 0) {
+ status = dsGetAttributeValue(nodeRef, tDataBuff, 1, valueRef, &pValueEntry);
+ if (status == eDSNoErr && pValueEntry != NULL) {
+ *outUserName = talloc_zero_array(request, char, pValueEntry->fAttributeValueData.fBufferLength + 1);
+ memcpy(*outUserName, pValueEntry->fAttributeValueData.fBufferData, pValueEntry->fAttributeValueData.fBufferLength);
+ }
+ }
+
+ if (pValueEntry) {
+ dsDeallocAttributeValueEntry(dsRef, pValueEntry);
+ pValueEntry = NULL;
+ }
+
+ dsDeallocAttributeEntry(dsRef, pAttrEntry);
+ pAttrEntry = NULL;
+ dsCloseAttributeValueList(valueRef);
+ valueRef = 0;
+ }
+ }
+
+ if (!pUserLocation) {
+ DEBUG2("[mschap] OpenDirectory has no user location");
+ result = RLM_MODULE_NOOP;
+ break;
+ }
+
+ /* OpenDirectory doesn't support mschapv2 authentication against
+ * Active Directory. AD users need to be authenticated using the
+ * normal freeradius AD path (i.e. ntlm_auth).
+ */
+ if (strncmp(pUserLocation, kActiveDirLoc, strlen(kActiveDirLoc)) == 0) {
+ DEBUG2("[mschap] OpenDirectory authentication returning noop. OD doesn't support MSCHAPv2 for ActiveDirectory users");
+ result = RLM_MODULE_NOOP;
+ break;
+ }
+
+ pUserNode = dsBuildFromPath(dsRef, pUserLocation, "/");
+ if (!pUserNode) {
+ RERROR("Failed building user from path");
+ result = RLM_MODULE_FAIL;
+ break;
+ }
+
+ status = dsOpenDirNode(dsRef, pUserNode, userNodeRef);
+ dsDataListDeallocate(dsRef, pUserNode);
+ free(pUserNode);
+
+ if (status != eDSNoErr) {
+ error:
+ status_name = dsCopyDirStatusName(status);
+ RERROR("%s: status = %s", what, status_name);
+ free(status_name);
+ result = RLM_MODULE_FAIL;
+ break;
+ }
+
+ result = RLM_MODULE_OK;
+ }
+ while (0);
+
+ if (pRecEntry != NULL)
+ dsDeallocRecordEntry(dsRef, pRecEntry);
+
+ if (tDataBuff != NULL)
+ dsDataBufferDeAllocate(dsRef, tDataBuff);
+
+ if (pUserLocation != NULL)
+ talloc_free(pUserLocation);
+
+ if (pRecName != NULL) {
+ dsDataListDeallocate(dsRef, pRecName);
+ free(pRecName);
+ }
+ if (pRecType != NULL) {
+ dsDataListDeallocate(dsRef, pRecType);
+ free(pRecType);
+ }
+ if (pAttrType != NULL) {
+ dsDataListDeallocate(dsRef, pAttrType);
+ free(pAttrType);
+ }
+ if (nodeRef != 0)
+ dsCloseDirNode(nodeRef);
+
+ return result;
+}
+
+rlm_rcode_t od_mschap_auth(REQUEST *request, VALUE_PAIR *challenge, VALUE_PAIR * usernamepair)
+{
+ rlm_rcode_t rcode = RLM_MODULE_OK;
+ tDirStatus status = eDSNoErr;
+ tDirReference dsRef = 0;
+ tDirNodeReference userNodeRef = 0;
+ tDataBuffer *tDataBuff = NULL;
+ tDataBuffer *pStepBuff = NULL;
+ tDataNode *pAuthType = NULL;
+ uint32_t uiCurr = 0;
+ uint32_t uiLen = 0;
+ char *username_string = NULL;
+ char *shortUserName = NULL;
+ VALUE_PAIR *response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY);
+#ifndef NDEBUG
+ unsigned int t;
+#endif
+
+ username_string = talloc_array(request, char, usernamepair->vp_length + 1);
+ if (!username_string)
+ return RLM_MODULE_FAIL;
+
+ strlcpy(username_string, usernamepair->vp_strvalue, usernamepair->vp_length + 1);
+
+ status = dsOpenDirService(&dsRef);
+ if (status != eDSNoErr) {
+ talloc_free(username_string);
+ RERROR("Failed opening directory service");
+ return RLM_MODULE_FAIL;
+ }
+
+ rcode = getUserNodeRef(request, username_string, &shortUserName, &userNodeRef, dsRef);
+ if (rcode != RLM_MODULE_OK) {
+ if (rcode != RLM_MODULE_NOOP) {
+ RDEBUG2("od_mschap_auth: getUserNodeRef() failed");
+ }
+ if (username_string != NULL)
+ talloc_free(username_string);
+ if (dsRef != 0)
+ dsCloseDirService(dsRef);
+ return rcode;
+ }
+
+ /* We got a node; fill the stepBuffer
+ kDSStdAuthMSCHAP2
+ MS-CHAPv2 authentication method. The Open Directory plug-in generates the reply data for the client.
+ The input buffer format consists of
+ a four byte length specifying the length of the user name that follows, the user name,
+ a four byte value specifying the length of the server challenge that follows, the server challenge,
+ a four byte value specifying the length of the peer challenge that follows, the peer challenge,
+ a four byte value specifying the length of the client's digest that follows, and the client's digest.
+ The output buffer consists of a four byte value specifying the length of the return digest for the client's challenge.
+ r = FillAuthBuff(pAuthBuff, 5,
+ strlen(inName), inName, // Directory Services long or short name
+ strlen(schal), schal, // server challenge
+ strlen(peerchal), peerchal, // client challenge
+ strlen(p24), p24, // P24 NT-Response
+ 4, "User"); // must match the username that was used for the hash
+
+ inName = username_string
+ schal = challenge->vp_strvalue
+ peerchal = response->vp_strvalue + 2 (16 octets)
+ p24 = response->vp_strvalue + 26 (24 octets)
+ */
+
+ pStepBuff = dsDataBufferAllocate(dsRef, 4096);
+ tDataBuff = dsDataBufferAllocate(dsRef, 4096);
+ pAuthType = dsDataNodeAllocateString(dsRef, kDSStdAuthMSCHAP2);
+ uiCurr = 0;
+
+ /* User name length + username */
+ uiLen = (uint32_t)(shortUserName ? strlen(shortUserName) : 0);
+
+ RDEBUG2("OD username_string = %s, OD shortUserName=%s (length = %d)\n",
+ username_string, shortUserName, uiLen);
+
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen));
+ uiCurr += sizeof(uiLen);
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), shortUserName, uiLen);
+ uiCurr += uiLen;
+#ifndef NDEBUG
+ RINDENT();
+ RDEBUG2("Stepbuf server challenge : ");
+ for (t = 0; t < challenge->vp_length; t++) {
+ fprintf(stderr, "%02x", (unsigned int) challenge->vp_strvalue[t]);
+ }
+ fprintf(stderr, "\n");
+#endif
+
+ /* server challenge (ie. my (freeRADIUS) challenge) */
+ uiLen = 16;
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen));
+ uiCurr += sizeof(uiLen);
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), &(challenge->vp_strvalue[0]),
+ uiLen);
+ uiCurr += uiLen;
+
+#ifndef NDEBUG
+ RDEBUG2("Stepbuf peer challenge : ");
+ for (t = 2; t < 18; t++) {
+ fprintf(stderr, "%02x", (unsigned int) response->vp_strvalue[t]);
+ }
+ fprintf(stderr, "\n");
+#endif
+
+ /* peer challenge (ie. the client-generated response) */
+ uiLen = 16;
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen));
+ uiCurr += sizeof(uiLen);
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), &(response->vp_strvalue[2]),
+ uiLen);
+ uiCurr += uiLen;
+
+#ifndef NDEBUG
+ RDEBUG2("Stepbuf p24 : ");
+ REXDENT();
+ for (t = 26; t < 50; t++) {
+ fprintf(stderr, "%02x", (unsigned int) response->vp_strvalue[t]);
+ }
+ fprintf(stderr, "\n");
+#endif
+
+ /* p24 (ie. second part of client-generated response) */
+ uiLen = 24; /* strlen(&(response->vp_strvalue[26])); may contain NULL byte in the middle. */
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen));
+ uiCurr += sizeof(uiLen);
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), &(response->vp_strvalue[26]),
+ uiLen);
+ uiCurr += uiLen;
+
+ /* Client generated use name (short name?) */
+ uiLen = (uint32_t)strlen(username_string);
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), &uiLen, sizeof(uiLen));
+ uiCurr += sizeof(uiLen);
+ memcpy(&(tDataBuff->fBufferData[uiCurr]), username_string, uiLen);
+ uiCurr += uiLen;
+
+ tDataBuff->fBufferLength = uiCurr;
+
+ status = dsDoDirNodeAuth(userNodeRef, pAuthType, 1, tDataBuff,
+ pStepBuff, NULL);
+ if (status == eDSNoErr) {
+ if (pStepBuff->fBufferLength > 4) {
+ uint32_t len;
+
+ memcpy(&len, pStepBuff->fBufferData, sizeof(len));
+ if (len == 40) {
+ char mschap_reply[42] = { '\0' };
+ mschap_reply[0] = 'S';
+ mschap_reply[1] = '=';
+ memcpy(&(mschap_reply[2]), &(pStepBuff->fBufferData[4]), len);
+ mschap_add_reply(request,
+ *response->vp_strvalue,
+ "MS-CHAP2-Success",
+ mschap_reply, len+2);
+ RDEBUG2("dsDoDirNodeAuth returns stepbuff: %s (len=%u)\n", mschap_reply, (unsigned int) len);
+ }
+ }
+ }
+
+ /* clean up */
+ if (username_string != NULL)
+ talloc_free(username_string);
+ if (shortUserName != NULL)
+ talloc_free(shortUserName);
+
+ if (tDataBuff != NULL)
+ dsDataBufferDeAllocate(dsRef, tDataBuff);
+ if (pStepBuff != NULL)
+ dsDataBufferDeAllocate(dsRef, pStepBuff);
+ if (pAuthType != NULL)
+ dsDataNodeDeAllocate(dsRef, pAuthType);
+ if (userNodeRef != 0)
+ dsCloseDirNode(userNodeRef);
+ if (dsRef != 0)
+ dsCloseDirService(dsRef);
+
+ if (status != eDSNoErr) {
+ char *status_name = dsCopyDirStatusName(status);
+ RERROR("rlm_mschap: authentication failed - status = %s", status_name);
+ free(status_name);
+ return RLM_MODULE_REJECT;
+ }
+
+ return RLM_MODULE_OK;
+}
+
+#endif /* __APPLE__ */
diff --git a/src/modules/rlm_mschap/rlm_mschap.c b/src/modules/rlm_mschap/rlm_mschap.c
new file mode 100644
index 0000000..00ab90d
--- /dev/null
+++ b/src/modules/rlm_mschap/rlm_mschap.c
@@ -0,0 +1,2150 @@
+/*
+ * This program is is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or (at
+ * your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+/**
+ * $Id$
+ * @file rlm_mschap.c
+ * @brief Implemented mschap authentication.
+ *
+ * @copyright 2000,2001,2006 The FreeRADIUS server project
+ */
+
+/* MPPE support from Takahiro Wagatsuma <waga@sic.shibaura-it.ac.jp> */
+RCSID("$Id$")
+
+#include <freeradius-devel/radiusd.h>
+#include <freeradius-devel/modules.h>
+#include <freeradius-devel/rad_assert.h>
+#include <freeradius-devel/md5.h>
+#include <freeradius-devel/sha1.h>
+
+#include <ctype.h>
+
+#include "rlm_mschap.h"
+#include "mschap.h"
+#include "smbdes.h"
+
+#ifdef WITH_AUTH_WINBIND
+#include "auth_wbclient.h"
+#endif
+
+#ifdef HAVE_OPENSSL_CRYPTO_H
+USES_APPLE_DEPRECATED_API /* OpenSSL API has been deprecated by Apple */
+# include <openssl/rc4.h>
+#endif
+
+#ifdef __APPLE__
+int od_mschap_auth(REQUEST *request, VALUE_PAIR *challenge, VALUE_PAIR * usernamepair);
+#endif
+
+/* Allowable account control bits */
+#define ACB_DISABLED 0x00010000 //!< User account disabled.
+#define ACB_HOMDIRREQ 0x00020000 //!< Home directory required.
+#define ACB_PWNOTREQ 0x00040000 //!< User password not required.
+#define ACB_TEMPDUP 0x00080000 //!< Temporary duplicate account.
+#define ACB_NORMAL 0x00100000 //!< Normal user account.
+#define ACB_MNS 0x00200000 //!< MNS logon user account.
+#define ACB_DOMTRUST 0x00400000 //!< Interdomain trust account.
+#define ACB_WSTRUST 0x00800000 //!< Workstation trust account.
+#define ACB_SVRTRUST 0x01000000 //!< Server trust account.
+#define ACB_PWNOEXP 0x02000000 //!< User password does not expire.
+#define ACB_AUTOLOCK 0x04000000 //!< Account auto locked.
+#define ACB_PW_EXPIRED 0x00020000 //!< Password Expired.
+
+static int pdb_decode_acct_ctrl(char const *p)
+{
+ int acct_ctrl = 0;
+ int done = 0;
+
+ /*
+ * Check if the account type bits have been encoded after the
+ * NT password (in the form [NDHTUWSLXI]).
+ */
+
+ if (*p != '[') return 0;
+
+ for (p++; *p && !done; p++) {
+ switch (*p) {
+ case 'N': /* 'N'o password. */
+ acct_ctrl |= ACB_PWNOTREQ;
+ break;
+
+ case 'D': /* 'D'isabled. */
+ acct_ctrl |= ACB_DISABLED ;
+ break;
+
+ case 'H': /* 'H'omedir required. */
+ acct_ctrl |= ACB_HOMDIRREQ;
+ break;
+
+ case 'T': /* 'T'emp account. */
+ acct_ctrl |= ACB_TEMPDUP;
+ break;
+
+ case 'U': /* 'U'ser account (normal). */
+ acct_ctrl |= ACB_NORMAL;
+ break;
+
+ case 'M': /* 'M'NS logon user account. What is this? */
+ acct_ctrl |= ACB_MNS;
+ break;
+
+ case 'W': /* 'W'orkstation account. */
+ acct_ctrl |= ACB_WSTRUST;
+ break;
+
+ case 'S': /* 'S'erver account. */
+ acct_ctrl |= ACB_SVRTRUST;
+ break;
+
+ case 'L': /* 'L'ocked account. */
+ acct_ctrl |= ACB_AUTOLOCK;
+ break;
+
+ case 'X': /* No 'X'piry on password */
+ acct_ctrl |= ACB_PWNOEXP;
+ break;
+
+ case 'I': /* 'I'nterdomain trust account. */
+ acct_ctrl |= ACB_DOMTRUST;
+ break;
+
+ case 'e': /* 'e'xpired, the password has */
+ acct_ctrl |= ACB_PW_EXPIRED;
+ break;
+
+ case ' ': /* ignore spaces */
+ break;
+
+ case ':':
+ case '\n':
+ case '\0':
+ case ']':
+ default:
+ done = 1;
+ break;
+ }
+ }
+
+ return acct_ctrl;
+}
+
+
+/*
+ * Does dynamic translation of strings.
+ *
+ * Pulls NT-Response, LM-Response, or Challenge from MSCHAP
+ * attributes.
+ */
+static ssize_t mschap_xlat(void *instance, REQUEST *request,
+ char const *fmt, char *out, size_t outlen)
+{
+ size_t i, data_len;
+ uint8_t const *data = NULL;
+ uint8_t buffer[32];
+ VALUE_PAIR *user_name;
+ VALUE_PAIR *chap_challenge, *response;
+ rlm_mschap_t *inst = instance;
+
+ response = NULL;
+
+ /*
+ * Challenge means MS-CHAPv1 challenge, or
+ * hash of MS-CHAPv2 challenge, and peer challenge.
+ */
+ if (strncasecmp(fmt, "Challenge", 9) == 0) {
+ chap_challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY);
+ if (!chap_challenge) {
+ REDEBUG("No MS-CHAP-Challenge in the request");
+ return -1;
+ }
+
+ /*
+ * MS-CHAP-Challenges are 8 octets,
+ * for MS-CHAPv1
+ */
+ if (chap_challenge->vp_length == 8) {
+ RDEBUG2("mschap1: %02x", chap_challenge->vp_octets[0]);
+ data = chap_challenge->vp_octets;
+ data_len = 8;
+
+ /*
+ * MS-CHAP-Challenges are 16 octets,
+ * for MS-CHAPv2.
+ */
+ } else if (chap_challenge->vp_length == 16) {
+ VALUE_PAIR *name_attr, *response_name;
+ char const *username_string;
+
+ response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY);
+ if (!response) {
+ REDEBUG("MS-CHAP2-Response is required to calculate MS-CHAPv1 challenge");
+ return -1;
+ }
+
+ /*
+ * FIXME: Much of this is copied from
+ * below. We should put it into a
+ * separate function.
+ */
+
+ /*
+ * Responses are 50 octets.
+ */
+ if (response->vp_length < 50) {
+ REDEBUG("MS-CHAP-Response has the wrong format");
+ return -1;
+ }
+
+ user_name = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
+ if (!user_name) {
+ REDEBUG("User-Name is required to calculate MS-CHAPv1 Challenge");
+ return -1;
+ }
+
+ /*
+ * Check for MS-CHAP-User-Name and if found, use it
+ * to construct the MSCHAPv1 challenge. This is
+ * set by rlm_eap_mschap to the MS-CHAP Response
+ * packet Name field.
+ *
+ * We prefer this to the User-Name in the
+ * packet.
+ */
+ response_name = fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_USER_NAME, 0, TAG_ANY);
+ if (response_name) {
+ name_attr = response_name;
+ } else {
+ name_attr = user_name;
+ }
+
+ /*
+ * with_ntdomain_hack moved here, too.
+ */
+ if ((username_string = strchr(name_attr->vp_strvalue, '\\')) != NULL) {
+ if (inst->with_ntdomain_hack) {
+ username_string++;
+ } else {
+ RWDEBUG2("NT Domain delimiter found, should we have enabled with_ntdomain_hack?");
+ username_string = name_attr->vp_strvalue;
+ }
+ } else {
+ username_string = name_attr->vp_strvalue;
+ }
+
+ if (response_name &&
+ ((user_name->vp_length != response_name->vp_length) ||
+ (strncasecmp(user_name->vp_strvalue, response_name->vp_strvalue,
+ user_name->vp_length) != 0))) {
+ RWDEBUG2("User-Name (%s) is not the same as MS-CHAP Name (%s) from EAP-MSCHAPv2",
+ user_name->vp_strvalue, response_name->vp_strvalue);
+ }
+
+ /*
+ * Get the MS-CHAPv1 challenge
+ * from the MS-CHAPv2 peer challenge,
+ * our challenge, and the user name.
+ */
+ RDEBUG2("Creating challenge hash with username: %s", username_string);
+ mschap_challenge_hash(response->vp_octets + 2,
+ chap_challenge->vp_octets,
+ username_string, buffer);
+ data = buffer;
+ data_len = 8;
+ } else {
+ REDEBUG("Invalid MS-CHAP challenge length");
+ return -1;
+ }
+
+ /*
+ * Get the MS-CHAPv1 response, or the MS-CHAPv2
+ * response.
+ */
+ } else if (strncasecmp(fmt, "NT-Response", 11) == 0) {
+ response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY);
+ if (!response) response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY);
+ if (!response) {
+ REDEBUG("No MS-CHAP-Response or MS-CHAP2-Response was found in the request");
+ return -1;
+ }
+
+ /*
+ * For MS-CHAPv1, the NT-Response exists only
+ * if the second octet says so.
+ */
+ if ((response->da->vendor == VENDORPEC_MICROSOFT) &&
+ (response->da->attr == PW_MSCHAP_RESPONSE) &&
+ ((response->vp_octets[1] & 0x01) == 0)) {
+ REDEBUG("No NT-Response in MS-CHAP-Response");
+ return -1;
+ }
+
+ /*
+ * MS-CHAP-Response and MS-CHAP2-Response have
+ * the NT-Response at the same offset, and are
+ * the same length.
+ */
+ data = response->vp_octets + 26;
+ data_len = 24;
+
+ /*
+ * LM-Response is deprecated, and exists only
+ * in MS-CHAPv1, and not often there.
+ */
+ } else if (strncasecmp(fmt, "LM-Response", 11) == 0) {
+ response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY);
+ if (!response) {
+ REDEBUG("No MS-CHAP-Response was found in the request");
+ return -1;
+ }
+
+ /*
+ * For MS-CHAPv1, the LM-Response exists only
+ * if the second octet says so.
+ */
+ if ((response->vp_octets[1] & 0x01) != 0) {
+ REDEBUG("No LM-Response in MS-CHAP-Response");
+ return -1;
+ }
+ data = response->vp_octets + 2;
+ data_len = 24;
+
+ /*
+ * Pull the domain name out of the User-Name, if it exists.
+ *
+ * This is the full domain name, not just the name after host/
+ */
+ } else if (strncasecmp(fmt, "Domain-Name", 11) == 0) {
+ char *p;
+
+ user_name = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
+ if (!user_name) {
+ REDEBUG("No User-Name was found in the request");
+ return -1;
+ }
+
+ /*
+ * First check to see if this is a host/ style User-Name
+ * (a la Kerberos host principal)
+ */
+ if (strncmp(user_name->vp_strvalue, "host/", 5) == 0) {
+ /*
+ * If we're getting a User-Name formatted in this way,
+ * it's likely due to PEAP. The Windows Domain will be
+ * the first domain component following the hostname,
+ * or the machine name itself if only a hostname is supplied
+ */
+ p = strchr(user_name->vp_strvalue, '.');
+ if (!p) {
+ RDEBUG2("setting NT-Domain to same as machine name");
+ strlcpy(out, user_name->vp_strvalue + 5, outlen);
+ } else {
+ p++; /* skip the period */
+ strlcpy(out, p, outlen);
+ }
+ } else {
+ p = strchr(user_name->vp_strvalue, '\\');
+ if (!p) {
+ REDEBUG("No NT-Domain was found in the User-Name");
+ return -1;
+ }
+
+ /*
+ * Hack. This is simpler than the alternatives.
+ */
+ *p = '\0';
+ strlcpy(out, user_name->vp_strvalue, outlen);
+ *p = '\\';
+ }
+
+ return strlen(out);
+
+ /*
+ * Pull the NT-Domain out of the User-Name, if it exists.
+ */
+ } else if (strncasecmp(fmt, "NT-Domain", 9) == 0) {
+ char *p, *q;
+
+ user_name = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
+ if (!user_name) {
+ REDEBUG("No User-Name was found in the request");
+ return -1;
+ }
+
+ /*
+ * First check to see if this is a host/ style User-Name
+ * (a la Kerberos host principal)
+ */
+ if (strncmp(user_name->vp_strvalue, "host/", 5) == 0) {
+ /*
+ * If we're getting a User-Name formatted in this way,
+ * it's likely due to PEAP. The Windows Domain will be
+ * the first domain component following the hostname,
+ * or the machine name itself if only a hostname is supplied
+ */
+ p = strchr(user_name->vp_strvalue, '.');
+ if (!p) {
+ RDEBUG2("setting NT-Domain to same as machine name");
+ strlcpy(out, user_name->vp_strvalue + 5, outlen);
+ } else {
+ p++; /* skip the period */
+ q = strchr(p, '.');
+ /*
+ * use the same hack as below
+ * only if another period was found
+ */
+ if (q) *q = '\0';
+ strlcpy(out, p, outlen);
+ if (q) *q = '.';
+ }
+ } else {
+ p = strchr(user_name->vp_strvalue, '\\');
+ if (!p) {
+ REDEBUG("No NT-Domain was found in the User-Name");
+ return -1;
+ }
+
+ /*
+ * Hack. This is simpler than the alternatives.
+ */
+ *p = '\0';
+ strlcpy(out, user_name->vp_strvalue, outlen);
+ *p = '\\';
+ }
+
+ return strlen(out);
+
+ /*
+ * Pull the User-Name out of the User-Name...
+ */
+ } else if (strncasecmp(fmt, "User-Name", 9) == 0) {
+ char const *p, *q;
+
+ user_name = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
+ if (!user_name) {
+ REDEBUG("No User-Name was found in the request");
+ return -1;
+ }
+
+ /*
+ * First check to see if this is a host/ style User-Name
+ * (a la Kerberos host principal)
+ */
+ if (strncmp(user_name->vp_strvalue, "host/", 5) == 0) {
+ p = user_name->vp_strvalue + 5;
+ /*
+ * If we're getting a User-Name formatted in this way,
+ * it's likely due to PEAP. When authenticating this against
+ * a Domain, Windows will expect the User-Name to be in the
+ * format of hostname$, the SAM version of the name, so we
+ * have to convert it to that here. We do so by stripping
+ * off the first 5 characters (host/), and copying everything
+ * from that point to the first period into a string and appending
+ * a $ to the end.
+ */
+ q = strchr(p, '.');
+
+ /*
+ * use the same hack as above
+ * only if a period was found
+ */
+ if (q) {
+ snprintf(out, outlen, "%.*s$",
+ (int) (q - p), p);
+ } else {
+ snprintf(out, outlen, "%s$", p);
+ }
+ } else {
+ p = strchr(user_name->vp_strvalue, '\\');
+ if (p) {
+ p++; /* skip the backslash */
+ } else {
+ p = user_name->vp_strvalue; /* use the whole User-Name */
+ }
+ strlcpy(out, p, outlen);
+ }
+
+ return strlen(out);
+
+ /*
+ * Return the NT-Hash of the passed string
+ */
+ } else if (strncasecmp(fmt, "NT-Hash ", 8) == 0) {
+ char const *p;
+
+ p = fmt + 8; /* 7 is the length of 'NT-Hash' */
+ if ((*p == '\0') || (outlen <= 32))
+ return 0;
+
+ while (isspace((uint8_t) *p)) p++;
+
+ if (mschap_ntpwdhash(buffer, p) < 0) {
+ REDEBUG("Failed generating NT-Password");
+ *buffer = '\0';
+ return -1;
+ }
+
+ fr_bin2hex(out, buffer, NT_DIGEST_LENGTH);
+ out[32] = '\0';
+ RDEBUG("NT-Hash of \"known-good\" password: %s", out);
+ return 32;
+
+ /*
+ * Return the LM-Hash of the passed string
+ */
+ } else if (strncasecmp(fmt, "LM-Hash ", 8) == 0) {
+ char const *p;
+
+ p = fmt + 8; /* 7 is the length of 'LM-Hash' */
+ if ((*p == '\0') || (outlen <= 32))
+ return 0;
+
+ while (isspace((uint8_t) *p)) p++;
+
+ smbdes_lmpwdhash(p, buffer);
+ fr_bin2hex(out, buffer, LM_DIGEST_LENGTH);
+ out[32] = '\0';
+ RDEBUG("LM-Hash of %s = %s", p, out);
+ return 32;
+ } else {
+ REDEBUG("Unknown expansion string '%s'", fmt);
+ return -1;
+ }
+
+ if (outlen == 0) return 0; /* nowhere to go, don't do anything */
+
+ /*
+ * Didn't set anything: this is bad.
+ */
+ if (!data) {
+ RWDEBUG2("Failed to do anything intelligent");
+ return 0;
+ }
+
+ /*
+ * Check the output length.
+ */
+ if (outlen < ((data_len * 2) + 1)) {
+ data_len = (outlen - 1) / 2;
+ }
+
+ /*
+ *
+ */
+ for (i = 0; i < data_len; i++) {
+ sprintf(out + (2 * i), "%02x", data[i]);
+ }
+ out[data_len * 2] = '\0';
+
+ return data_len * 2;
+}
+
+
+#ifdef WITH_AUTH_WINBIND
+/*
+ * Free connection pool winbind context
+ */
+static int _mod_conn_free(struct wbcContext **wb_ctx)
+{
+ wbcCtxFree(*wb_ctx);
+
+ return 0;
+}
+
+/*
+ * Create connection pool winbind context
+ */
+static void *mod_conn_create(TALLOC_CTX *ctx, UNUSED void *instance)
+{
+ struct wbcContext **wb_ctx;
+
+ wb_ctx = talloc_zero(ctx, struct wbcContext *);
+ *wb_ctx = wbcCtxCreate();
+
+ if (*wb_ctx == NULL) {
+ ERROR("failed to create winbind context");
+ talloc_free(wb_ctx);
+ return NULL;
+ }
+
+ talloc_set_destructor(wb_ctx, _mod_conn_free);
+
+ return *wb_ctx;
+}
+#endif
+
+
+static const CONF_PARSER passchange_config[] = {
+ { "ntlm_auth", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, ntlm_cpw), NULL },
+ { "ntlm_auth_username", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, ntlm_cpw_username), NULL },
+ { "ntlm_auth_domain", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, ntlm_cpw_domain), NULL },
+ { "local_cpw", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, local_cpw), NULL },
+ CONF_PARSER_TERMINATOR
+};
+
+static const CONF_PARSER module_config[] = {
+ /*
+ * Cache the password by default.
+ */
+ { "use_mppe", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, use_mppe), "yes" },
+ { "require_encryption", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, require_encryption), "no" },
+ { "require_strong", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, require_strong), "no" },
+ { "with_ntdomain_hack", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, with_ntdomain_hack), "yes" },
+ { "ntlm_auth", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_XLAT, rlm_mschap_t, ntlm_auth), NULL },
+ { "ntlm_auth_timeout", FR_CONF_OFFSET(PW_TYPE_INTEGER, rlm_mschap_t, ntlm_auth_timeout), NULL },
+ { "passchange", FR_CONF_POINTER(PW_TYPE_SUBSECTION, NULL), (void const *) passchange_config },
+ { "allow_retry", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, allow_retry), "yes" },
+ { "retry_msg", FR_CONF_OFFSET(PW_TYPE_STRING, rlm_mschap_t, retry_msg), NULL },
+ { "winbind_username", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_mschap_t, wb_username), NULL },
+ { "winbind_domain", FR_CONF_OFFSET(PW_TYPE_STRING | PW_TYPE_TMPL, rlm_mschap_t, wb_domain), NULL },
+ { "winbind_retry_with_normalised_username", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, wb_retry_with_normalised_username), "no" },
+#ifdef __APPLE__
+ { "use_open_directory", FR_CONF_OFFSET(PW_TYPE_BOOLEAN, rlm_mschap_t, open_directory), "yes" },
+#endif
+ CONF_PARSER_TERMINATOR
+};
+
+
+static int mod_bootstrap(CONF_SECTION *conf, void *instance)
+{
+ char const *name;
+ rlm_mschap_t *inst = instance;
+
+ /*
+ * Create the dynamic translation.
+ */
+ name = cf_section_name2(conf);
+ if (!name) name = cf_section_name1(conf);
+ inst->xlat_name = name;
+ xlat_register(inst->xlat_name, mschap_xlat, NULL, inst);
+
+ return 0;
+}
+
+/*
+ * Create instance for our module. Allocate space for
+ * instance structure and read configuration parameters
+ */
+static int mod_instantiate(CONF_SECTION *conf, void *instance)
+{
+ rlm_mschap_t *inst = instance;
+
+ /*
+ * For backwards compatibility
+ */
+ if (!dict_valbyname(PW_AUTH_TYPE, 0, inst->xlat_name)) {
+ inst->auth_type = "MS-CHAP";
+ } else {
+ inst->auth_type = inst->xlat_name;
+ }
+
+ /*
+ * Set auth method
+ */
+ inst->method = AUTH_INTERNAL;
+
+ if (inst->wb_username) {
+#ifdef WITH_AUTH_WINBIND
+ inst->method = AUTH_WBCLIENT;
+
+ inst->wb_pool = fr_connection_pool_module_init(conf, inst, mod_conn_create, NULL, NULL);
+ if (!inst->wb_pool) {
+ cf_log_err_cs(conf, "Unable to initialise winbind connection pool");
+ return -1;
+ }
+#else
+ cf_log_err_cs(conf, "'winbind' is not enabled in this build.");
+ return -1;
+#endif
+ }
+
+ /* preserve existing behaviour: this option overrides all */
+ if (inst->ntlm_auth) {
+ inst->method = AUTH_NTLMAUTH_EXEC;
+ }
+
+ switch (inst->method) {
+ case AUTH_INTERNAL:
+ DEBUG("rlm_mschap (%s): using internal authentication", inst->xlat_name);
+ break;
+ case AUTH_NTLMAUTH_EXEC:
+ DEBUG("rlm_mschap (%s): authenticating by calling 'ntlm_auth'", inst->xlat_name);
+ break;
+#ifdef WITH_AUTH_WINBIND
+ case AUTH_WBCLIENT:
+ DEBUG("rlm_mschap (%s): authenticating directly to winbind", inst->xlat_name);
+ break;
+#endif
+ }
+
+ /*
+ * Check ntlm_auth_timeout is sane
+ */
+ if (!inst->ntlm_auth_timeout) {
+ inst->ntlm_auth_timeout = EXEC_TIMEOUT;
+ }
+ if (inst->ntlm_auth_timeout < 1) {
+ cf_log_err_cs(conf, "ntml_auth_timeout '%d' is too small (minimum: 1)",
+ inst->ntlm_auth_timeout);
+ return -1;
+ }
+ if (inst->ntlm_auth_timeout > 10) {
+ cf_log_err_cs(conf, "ntlm_auth_timeout '%d' is too large (maximum: 10)",
+ inst->ntlm_auth_timeout);
+ return -1;
+ }
+
+ return 0;
+}
+
+/*
+ * Tidy up instance
+ */
+static int mod_detach(UNUSED void *instance)
+{
+#ifdef WITH_AUTH_WINBIND
+ rlm_mschap_t *inst = instance;
+
+ fr_connection_pool_free(inst->wb_pool);
+#endif
+
+ return 0;
+}
+
+/*
+ * add_reply() adds either MS-CHAP2-Success or MS-CHAP-Error
+ * attribute to reply packet
+ */
+void mschap_add_reply(REQUEST *request, unsigned char ident,
+ char const *name, char const *value, size_t len)
+{
+ VALUE_PAIR *vp;
+
+ vp = pair_make_reply(name, NULL, T_OP_EQ);
+ if (!vp) {
+ REDEBUG("Failed to create attribute %s: %s", name, fr_strerror());
+ return;
+ }
+
+ /* Account for the ident byte */
+ vp->vp_length = len + 1;
+ if (vp->da->type == PW_TYPE_STRING) {
+ char *p;
+
+ vp->vp_strvalue = p = talloc_array(vp, char, vp->vp_length + 1);
+ p[vp->vp_length] = '\0'; /* Always \0 terminate */
+ p[0] = ident;
+ memcpy(p + 1, value, len);
+ } else {
+ uint8_t *p;
+
+ vp->vp_octets = p = talloc_array(vp, uint8_t, vp->vp_length);
+ p[0] = ident;
+ memcpy(p + 1, value, len);
+ }
+}
+
+/*
+ * Add MPPE attributes to the reply.
+ */
+static void mppe_add_reply(REQUEST *request, char const* name, uint8_t const * value, size_t len)
+{
+ VALUE_PAIR *vp;
+
+ vp = pair_make_reply(name, NULL, T_OP_EQ);
+ if (!vp) {
+ REDEBUG("mppe_add_reply failed to create attribute %s: %s", name, fr_strerror());
+ return;
+ }
+
+ fr_pair_value_memcpy(vp, value, len);
+}
+
+static int write_all(int fd, char const *buf, int len) {
+ int rv,done=0;
+
+ while (done < len) {
+ rv = write(fd, buf+done, len-done);
+ if (rv <= 0)
+ break;
+ done += rv;
+ }
+ return done;
+}
+
+/*
+ * Perform an MS-CHAP2 password change
+ */
+
+static int CC_HINT(nonnull (1, 2, 4, 5)) do_mschap_cpw(rlm_mschap_t *inst,
+ REQUEST *request,
+#ifdef HAVE_OPENSSL_CRYPTO_H
+ VALUE_PAIR *nt_password,
+#else
+ UNUSED VALUE_PAIR *nt_password,
+#endif
+ uint8_t *new_nt_password,
+ uint8_t *old_nt_hash,
+ MSCHAP_AUTH_METHOD method)
+{
+ if (inst->ntlm_cpw && method != AUTH_INTERNAL) {
+ /*
+ * we're going to run ntlm_auth in helper-mode
+ * we're expecting to use the ntlm-change-password-1 protocol
+ * which needs the following on stdin:
+ *
+ * username: %{mschap:User-Name}
+ * nt-domain: %{mschap:NT-Domain}
+ * new-nt-password-blob: bin2hex(new_nt_password) - 1032 bytes encoded
+ * old-nt-hash-blob: bin2hex(old_nt_hash) - 32 bytes encoded
+ * new-lm-password-blob: 00000...0000 - 1032 bytes null
+ * old-lm-hash-blob: 000....000 - 32 bytes null
+ * .\n
+ *
+ * ...and it should then print out
+ *
+ * Password-Change: Yes
+ *
+ * or
+ *
+ * Password-Change: No
+ * Password-Change-Error: blah
+ */
+
+ int to_child=-1;
+ int from_child=-1;
+ pid_t pid, child_pid;
+ int status, len;
+ char buf[2048];
+ char *pmsg;
+ char const *emsg;
+
+ RDEBUG("Doing MS-CHAPv2 password change via ntlm_auth helper");
+
+ /*
+ * Start up ntlm_auth with a pipe on stdin and stdout
+ */
+
+ pid = radius_start_program(inst->ntlm_cpw, request, true, &to_child, &from_child, NULL, false);
+ if (pid < 0) {
+ REDEBUG("could not exec ntlm_auth cpw command");
+ return -1;
+ }
+
+ /*
+ * write the stuff to the client
+ */
+
+ if (inst->ntlm_cpw_username) {
+ len = radius_xlat(buf, sizeof(buf) - 2, request, inst->ntlm_cpw_username, NULL, NULL);
+ if (len < 0) {
+ goto ntlm_auth_err;
+ }
+
+ buf[len++] = '\n';
+ buf[len] = '\0';
+
+ if (write_all(to_child, buf, len) != len) {
+ REDEBUG("Failed to write username to child");
+ goto ntlm_auth_err;
+ }
+ } else {
+ RWDEBUG2("No ntlm_auth username set, passchange will definitely fail!");
+ }
+
+ if (inst->ntlm_cpw_domain) {
+ len = radius_xlat(buf, sizeof(buf) - 2, request, inst->ntlm_cpw_domain, NULL, NULL);
+ if (len < 0) {
+ goto ntlm_auth_err;
+ }
+
+ buf[len++] = '\n';
+ buf[len] = '\0';
+
+ if (write_all(to_child, buf, len) != len) {
+ REDEBUG("Failed to write domain to child");
+ goto ntlm_auth_err;
+ }
+ } else {
+ RWDEBUG2("No ntlm_auth domain set, username must be full-username to work");
+ }
+
+ /* now the password blobs */
+ len = sprintf(buf, "new-nt-password-blob: ");
+ fr_bin2hex(buf+len, new_nt_password, 516);
+ buf[len+1032] = '\n';
+ buf[len+1033] = '\0';
+ len = strlen(buf);
+ if (write_all(to_child, buf, len) != len) {
+ RDEBUG2("failed to write new password blob to child");
+ goto ntlm_auth_err;
+ }
+
+ len = sprintf(buf, "old-nt-hash-blob: ");
+ fr_bin2hex(buf+len, old_nt_hash, NT_DIGEST_LENGTH);
+ buf[len+32] = '\n';
+ buf[len+33] = '\0';
+ len = strlen(buf);
+ if (write_all(to_child, buf, len) != len) {
+ REDEBUG("Failed to write old hash blob to child");
+ goto ntlm_auth_err;
+ }
+
+ /*
+ * In current samba versions, failure to supply empty LM password/hash
+ * blobs causes the change to fail.
+ */
+ len = sprintf(buf, "new-lm-password-blob: %01032i\n", 0);
+ if (write_all(to_child, buf, len) != len) {
+ REDEBUG("Failed to write dummy LM password to child");
+ goto ntlm_auth_err;
+ }
+ len = sprintf(buf, "old-lm-hash-blob: %032i\n", 0);
+ if (write_all(to_child, buf, len) != len) {
+ REDEBUG("Failed to write dummy LM hash to child");
+ goto ntlm_auth_err;
+ }
+ if (write_all(to_child, ".\n", 2) != 2) {
+ REDEBUG("Failed to send finish to child");
+ goto ntlm_auth_err;
+ }
+ close(to_child);
+ to_child = -1;
+
+ /*
+ * Read from the child
+ */
+ len = radius_readfrom_program(from_child, pid, 10, buf, sizeof(buf));
+ if (len < 0) {
+ /* radius_readfrom_program will have closed from_child for us */
+ REDEBUG("Failure reading from child");
+ return -1;
+ }
+ close(from_child);
+ from_child = -1;
+
+ buf[len] = 0;
+ RDEBUG2("ntlm_auth said: %s", buf);
+
+ child_pid = rad_waitpid(pid, &status);
+ if (child_pid == 0) {
+ REDEBUG("Timeout waiting for child");
+ return -1;
+ }
+ if (child_pid != pid) {
+ REDEBUG("Abnormal exit status: %s", fr_syserror(errno));
+ return -1;
+ }
+
+ if (strstr(buf, "Password-Change: Yes")) {
+ RDEBUG2("ntlm_auth password change succeeded");
+ return 0;
+ }
+
+ pmsg = strstr(buf, "Password-Change-Error: ");
+ if (pmsg) {
+ emsg = strsep(&pmsg, "\n");
+ } else {
+ emsg = "could not find error";
+ }
+ REDEBUG("ntlm auth password change failed: %s", emsg);
+
+ntlm_auth_err:
+ /* safe because these either need closing or are == -1 */
+ close(to_child);
+ close(from_child);
+
+ return -1;
+
+ } else if (inst->local_cpw) {
+#ifdef HAVE_OPENSSL_CRYPTO_H
+ /*
+ * Decrypt the new password blob, add it as a temporary request
+ * variable, xlat the local_cpw string, then remove it
+ *
+ * this allows is to write e..g
+ *
+ * %{sql:insert into ...}
+ *
+ * ...or...
+ *
+ * %{exec:/path/to %{mschap:User-Name} %{MS-CHAP-New-Password}}"
+ *
+ */
+ VALUE_PAIR *new_pass, *new_hash;
+ uint8_t *p, *q;
+ char *x;
+ size_t i;
+ size_t passlen;
+ ssize_t result_len;
+ char result[253];
+ uint8_t nt_pass_decrypted[516], old_nt_hash_expected[NT_DIGEST_LENGTH];
+
+ if (!nt_password) {
+ RDEBUG("Local MS-CHAPv2 password change requires NT-Password attribute");
+ return -1;
+ } else {
+ RDEBUG("Doing MS-CHAPv2 password change locally");
+ }
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ {
+ EVP_CIPHER_CTX *ctx;
+ int ntlen = sizeof(nt_pass_decrypted);
+
+ ctx = EVP_CIPHER_CTX_new();
+ if (!ctx) {
+ REDEBUG("Failed getting RC4 from OpenSSL");
+ error:
+ if (ctx) EVP_CIPHER_CTX_free(ctx);
+ return -1;
+ }
+
+ if (!EVP_CIPHER_CTX_set_key_length(ctx, nt_password->vp_length)) {
+ REDEBUG("Failed setting key length");
+ goto error;
+ }
+
+ if (!EVP_EncryptInit_ex(ctx, EVP_rc4(), NULL, nt_password->vp_octets, NULL)) {
+ REDEBUG("Failed setting key value");
+ goto error;;
+ }
+
+ if (!EVP_EncryptUpdate(ctx, nt_pass_decrypted, &ntlen, new_nt_password, ntlen)) {
+ REDEBUG("Failed getting output");
+ goto error;
+ }
+
+ EVP_CIPHER_CTX_free(ctx);
+ }
+#else
+ {
+ RC4_KEY key;
+
+ /*
+ * Decrypt the blob
+ */
+ RC4_set_key(&key, nt_password->vp_length, nt_password->vp_octets);
+ RC4(&key, 516, new_nt_password, nt_pass_decrypted);
+ }
+#endif
+
+ /*
+ * pwblock is
+ * 512-N bytes random pad
+ * N bytes password as utf-16-le
+ * 4 bytes - N as big-endian int
+ */
+ passlen = nt_pass_decrypted[512];
+ passlen += nt_pass_decrypted[513] << 8;
+ if ((nt_pass_decrypted[514] != 0) ||
+ (nt_pass_decrypted[515] != 0)) {
+ REDEBUG("Decrypted new password blob claims length > 65536, "
+ "probably an invalid NT-Password");
+ return -1;
+ }
+
+ /*
+ * Sanity check - passlen positive and <= 512 if not, crypto has probably gone wrong
+ */
+ if (passlen > 512) {
+ REDEBUG("Decrypted new password blob claims length %zu > 512, "
+ "probably an invalid NT-Password", passlen);
+ return -1;
+ }
+
+ p = nt_pass_decrypted + 512 - passlen;
+
+ /*
+ * The new NT hash - this should be preferred over the
+ * cleartext password as it avoids unicode hassles.
+ */
+ new_hash = pair_make_request("MS-CHAP-New-NT-Password", NULL, T_OP_EQ);
+ new_hash->vp_length = NT_DIGEST_LENGTH;
+ new_hash->vp_octets = q = talloc_array(new_hash, uint8_t, new_hash->vp_length);
+ fr_md4_calc(q, p, passlen);
+
+ /*
+ * Check that nt_password encrypted with new_hash
+ * matches the old_hash value from the client.
+ */
+ smbhash(old_nt_hash_expected, nt_password->vp_octets, q);
+ smbhash(old_nt_hash_expected+8, nt_password->vp_octets+8, q + 7);
+ if (memcmp(old_nt_hash_expected, old_nt_hash, NT_DIGEST_LENGTH)!=0) {
+ REDEBUG("Old NT hash value from client does not match our value");
+ return -1;
+ }
+
+ /*
+ * The new cleartext password, which is utf-16 do some unpleasant vileness
+ * to turn it into utf8 without pulling in libraries like iconv.
+ *
+ * First pass: get the length of the converted string.
+ */
+ new_pass = pair_make_request("MS-CHAP-New-Cleartext-Password", NULL, T_OP_EQ);
+ new_pass->vp_length = 0;
+
+ i = 0;
+ while (i < passlen) {
+ int c;
+
+ c = p[i++];
+ c += p[i++] << 8;
+
+ /*
+ * Gah. nasty. maybe we should just pull in iconv?
+ */
+ if (c < 0x7f) {
+ new_pass->vp_length++;
+ } else if (c < 0x7ff) {
+ new_pass->vp_length += 2;
+ } else {
+ new_pass->vp_length += 3;
+ }
+ }
+
+ new_pass->vp_strvalue = x = talloc_array(new_pass, char, new_pass->vp_length + 1);
+
+ /*
+ * Second pass: convert the characters from UTF-16 to UTF-8.
+ */
+ i = 0;
+ while (i < passlen) {
+ int c;
+
+ c = p[i++];
+ c += p[i++] << 8;
+
+ /*
+ * Gah. nasty. maybe we should just pull in iconv?
+ */
+ if (c < 0x7f) {
+ *x++ = c;
+
+ } else if (c < 0x7ff) {
+ *x++ = 0xc0 + (c >> 6);
+ *x++ = 0x80 + (c & 0x3f);
+
+ } else {
+ *x++ = 0xe0 + (c >> 12);
+ *x++ = 0x80 + ((c>>6) & 0x3f);
+ *x++ = 0x80 + (c & 0x3f);
+ }
+ }
+
+ *x = '\0';
+
+ /* Perform the xlat */
+ result_len = radius_xlat(result, sizeof(result), request, inst->local_cpw, NULL, NULL);
+ if (result_len < 0){
+ return -1;
+ } else if (result_len == 0) {
+ REDEBUG("Local MS-CHAPv2 password change - xlat didn't give any result, assuming failure");
+ return -1;
+ }
+
+ RDEBUG("MS-CHAPv2 password change succeeded: %s", result);
+
+ /*
+ * Update the NT-Password attribute with the new hash this lets us
+ * fall through to the authentication code using the new hash,
+ * not the old one.
+ */
+ fr_pair_value_memcpy(nt_password, new_hash->vp_octets, new_hash->vp_length);
+
+ /*
+ * Rock on! password change succeeded.
+ */
+ return 0;
+#else
+ REDEBUG("Local MS-CHAPv2 password changes require OpenSSL support");
+ return -1;
+#endif
+ } else {
+ REDEBUG("MS-CHAPv2 password change not configured");
+ }
+
+ return -1;
+}
+
+/*
+ * Do the MS-CHAP stuff.
+ *
+ * This function is here so that all of the MS-CHAP related
+ * authentication is in one place, and we can perhaps later replace
+ * it with code to call winbindd, or something similar.
+ */
+static int CC_HINT(nonnull (1, 2, 4, 5 ,6)) do_mschap(rlm_mschap_t *inst, REQUEST *request, VALUE_PAIR *password,
+ uint8_t const *challenge, uint8_t const *response,
+ uint8_t nthashhash[NT_DIGEST_LENGTH], MSCHAP_AUTH_METHOD method)
+{
+ uint8_t calculated[24];
+
+ memset(nthashhash, 0, NT_DIGEST_LENGTH);
+
+ switch (method) {
+ /*
+ * Do normal authentication.
+ */
+ case AUTH_INTERNAL:
+ /*
+ * No password: can't do authentication.
+ */
+ if (!password) {
+ REDEBUG("FAILED: No NT-Password. Cannot perform authentication");
+ return -1;
+ }
+
+ smbdes_mschap(password->vp_octets, challenge, calculated);
+ if (rad_digest_cmp(response, calculated, 24) != 0) {
+ return -1;
+ }
+
+ /*
+ * If the password exists, and is an NT-Password,
+ * then calculate the hash of the NT hash. Doing this
+ * here minimizes work for later.
+ */
+ if (!password->da->vendor &&
+ (password->da->attr == PW_NT_PASSWORD)) {
+ fr_md4_calc(nthashhash, password->vp_octets, MD4_DIGEST_LENGTH);
+ }
+ break;
+
+ /*
+ * Run ntlm_auth
+ */
+ case AUTH_NTLMAUTH_EXEC: {
+ int result;
+ char buffer[256];
+ size_t len;
+
+ /*
+ * Run the program, and expect that we get 16
+ */
+ result = radius_exec_program(request, buffer, sizeof(buffer), NULL, request, inst->ntlm_auth, NULL,
+ true, true, inst->ntlm_auth_timeout);
+ if (result != 0) {
+ char *p;
+
+ /*
+ * Do checks for numbers, which are
+ * language neutral. They're also
+ * faster.
+ */
+ p = strcasestr(buffer, "0xC0000");
+ if (p) {
+ int rcode = 0;
+
+ p += 7;
+ if (strcmp(p, "224") == 0) {
+ rcode = -648;
+
+ } else if (strcmp(p, "234") == 0) {
+ rcode = -647;
+
+ } else if (strcmp(p, "072") == 0) {
+ rcode = -691;
+
+ } else if (strcasecmp(p, "05E") == 0) {
+ rcode = -2;
+ }
+
+ if (rcode != 0) {
+ REDEBUG2("%s", buffer);
+ return rcode;
+ }
+
+ /*
+ * Else fall through to more ridiculous checks.
+ */
+ }
+
+ /*
+ * Look for variants of expire password.
+ */
+ if (strcasestr(buffer, "0xC0000224") ||
+ strcasestr(buffer, "Password expired") ||
+ strcasestr(buffer, "Password has expired") ||
+ strcasestr(buffer, "Password must be changed") ||
+ strcasestr(buffer, "Must change password")) {
+ return -648;
+ }
+
+ if (strcasestr(buffer, "0xC0000234") ||
+ strcasestr(buffer, "Account locked out")) {
+ REDEBUG2("%s", buffer);
+ return -647;
+ }
+
+ if (strcasestr(buffer, "0xC0000072") ||
+ strcasestr(buffer, "Account disabled")) {
+ REDEBUG2("%s", buffer);
+ return -691;
+ }
+
+ if (strcasestr(buffer, "0xC000005E") ||
+ strcasestr(buffer, "No logon servers")) {
+ REDEBUG2("%s", buffer);
+ return -2;
+ }
+
+ if (strcasestr(buffer, "could not obtain winbind separator") ||
+ strcasestr(buffer, "Reading winbind reply failed")) {
+ REDEBUG2("%s", buffer);
+ return -2;
+ }
+
+ RDEBUG2("External script failed");
+ p = strchr(buffer, '\n');
+ if (p) *p = '\0';
+
+ REDEBUG("External script says: %s", buffer);
+ return -1;
+ }
+
+ /*
+ * Parse the answer as an nthashhash.
+ *
+ * ntlm_auth currently returns:
+ * NT_KEY: 000102030405060708090a0b0c0d0e0f
+ */
+ if (memcmp(buffer, "NT_KEY: ", 8) != 0) {
+ REDEBUG("Invalid output from ntlm_auth: expecting 'NT_KEY: ' prefix");
+ return -1;
+ }
+
+ /*
+ * Check the length. It should be at least 32, with an LF at the end.
+ */
+ len = strlen(buffer + 8);
+ if (len < 32) {
+ REDEBUG2("Invalid output from ntlm_auth: NT_KEY too short, expected 32 bytes got %zu bytes",
+ len);
+
+ return -1;
+ }
+
+ /*
+ * Update the NT hash hash, from the NT key.
+ */
+ if (fr_hex2bin(nthashhash, NT_DIGEST_LENGTH, buffer + 8, len) != NT_DIGEST_LENGTH) {
+ REDEBUG("Invalid output from ntlm_auth: NT_KEY has non-hex values");
+ return -1;
+ }
+ break;
+ }
+
+#ifdef WITH_AUTH_WINBIND
+ /*
+ * Process auth via the wbclient library
+ */
+ case AUTH_WBCLIENT:
+ return do_auth_wbclient(inst, request, challenge, response, nthashhash);
+#endif
+
+ /* We should never reach this line */
+ default:
+ RERROR("Internal error: Unknown mschap auth method (%d)", method);
+ return -1;
+ }
+
+ return 0;
+}
+
+
+/*
+ * Data for the hashes.
+ */
+static const uint8_t SHSpad1[40] =
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+
+static const uint8_t SHSpad2[40] =
+ { 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+ 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+ 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2,
+ 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2, 0xf2 };
+
+static const uint8_t magic1[27] =
+ { 0x54, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74,
+ 0x68, 0x65, 0x20, 0x4d, 0x50, 0x50, 0x45, 0x20, 0x4d,
+ 0x61, 0x73, 0x74, 0x65, 0x72, 0x20, 0x4b, 0x65, 0x79 };
+
+static const uint8_t magic2[84] =
+ { 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+ 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+ 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+ 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20, 0x6b, 0x65, 0x79,
+ 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
+ 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73, 0x69, 0x64, 0x65,
+ 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+ 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+ 0x6b, 0x65, 0x79, 0x2e };
+
+static const uint8_t magic3[84] =
+ { 0x4f, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x69,
+ 0x65, 0x6e, 0x74, 0x20, 0x73, 0x69, 0x64, 0x65, 0x2c, 0x20,
+ 0x74, 0x68, 0x69, 0x73, 0x20, 0x69, 0x73, 0x20, 0x74, 0x68,
+ 0x65, 0x20, 0x72, 0x65, 0x63, 0x65, 0x69, 0x76, 0x65, 0x20,
+ 0x6b, 0x65, 0x79, 0x3b, 0x20, 0x6f, 0x6e, 0x20, 0x74, 0x68,
+ 0x65, 0x20, 0x73, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x73,
+ 0x69, 0x64, 0x65, 0x2c, 0x20, 0x69, 0x74, 0x20, 0x69, 0x73,
+ 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, 0x65, 0x6e, 0x64, 0x20,
+ 0x6b, 0x65, 0x79, 0x2e };
+
+
+static void mppe_GetMasterKey(uint8_t const *nt_hashhash,uint8_t const *nt_response,
+ uint8_t *masterkey)
+{
+ uint8_t digest[20];
+ fr_sha1_ctx Context;
+
+ fr_sha1_init(&Context);
+ fr_sha1_update(&Context,nt_hashhash,NT_DIGEST_LENGTH);
+ fr_sha1_update(&Context,nt_response,24);
+ fr_sha1_update(&Context,magic1,27);
+ fr_sha1_final(digest,&Context);
+
+ memcpy(masterkey,digest,16);
+}
+
+
+static void mppe_GetAsymmetricStartKey(uint8_t *masterkey,uint8_t *sesskey,
+ int keylen,int issend)
+{
+ uint8_t digest[20];
+ const uint8_t *s;
+ fr_sha1_ctx Context;
+
+ memset(digest,0,20);
+
+ if(issend) {
+ s = magic3;
+ } else {
+ s = magic2;
+ }
+
+ fr_sha1_init(&Context);
+ fr_sha1_update(&Context,masterkey,16);
+ fr_sha1_update(&Context,SHSpad1,40);
+ fr_sha1_update(&Context,s,84);
+ fr_sha1_update(&Context,SHSpad2,40);
+ fr_sha1_final(digest,&Context);
+
+ memcpy(sesskey,digest,keylen);
+}
+
+
+static void mppe_chap2_get_keys128(uint8_t const *nt_hashhash,uint8_t const *nt_response,
+ uint8_t *sendkey,uint8_t *recvkey)
+{
+ uint8_t masterkey[16];
+
+ mppe_GetMasterKey(nt_hashhash,nt_response,masterkey);
+
+ mppe_GetAsymmetricStartKey(masterkey,sendkey,16,1);
+ mppe_GetAsymmetricStartKey(masterkey,recvkey,16,0);
+}
+
+/*
+ * Generate MPPE keys.
+ */
+static void mppe_chap2_gen_keys128(uint8_t const *nt_hashhash,uint8_t const *response,
+ uint8_t *sendkey,uint8_t *recvkey)
+{
+ uint8_t enckey1[16];
+ uint8_t enckey2[16];
+
+ mppe_chap2_get_keys128(nt_hashhash,response,enckey1,enckey2);
+
+ /*
+ * dictionary.microsoft defines these attributes as
+ * 'encrypt=2'. The functions in src/lib/radius.c will
+ * take care of encrypting/decrypting them as appropriate,
+ * so that we don't have to.
+ */
+ memcpy (sendkey, enckey1, 16);
+ memcpy (recvkey, enckey2, 16);
+}
+
+
+/*
+ * mod_authorize() - authorize user if we can authenticate
+ * it later. Add Auth-Type attribute if present in module
+ * configuration (usually Auth-Type must be "MS-CHAP")
+ */
+static rlm_rcode_t CC_HINT(nonnull) mod_authorize(void * instance, REQUEST *request)
+{
+ rlm_mschap_t *inst = instance;
+ VALUE_PAIR *challenge = NULL;
+
+ challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY);
+ if (!challenge) {
+ return RLM_MODULE_NOOP;
+ }
+
+ if (!fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY) &&
+ !fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY) &&
+ !fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_CPW, VENDORPEC_MICROSOFT, TAG_ANY)) {
+ RDEBUG2("Found MS-CHAP-Challenge, but no MS-CHAP response or change-password");
+ return RLM_MODULE_NOOP;
+ }
+
+ if (fr_pair_find_by_num(request->config, PW_AUTH_TYPE, 0, TAG_ANY)) {
+ RWDEBUG2("Auth-Type already set. Not setting to MS-CHAP");
+ return RLM_MODULE_NOOP;
+ }
+
+ RDEBUG2("Found MS-CHAP attributes. Setting 'Auth-Type = %s'", inst->xlat_name);
+
+ /*
+ * Set Auth-Type to MS-CHAP. The authentication code
+ * will take care of turning cleartext passwords into
+ * NT/LM passwords.
+ */
+ if (!pair_make_config("Auth-Type", inst->auth_type, T_OP_EQ)) {
+ return RLM_MODULE_FAIL;
+ }
+
+ return RLM_MODULE_OK;
+}
+
+static rlm_rcode_t mschap_error(rlm_mschap_t *inst, REQUEST *request, unsigned char ident,
+ int mschap_result, int mschap_version, VALUE_PAIR *smb_ctrl)
+{
+ rlm_rcode_t rcode = RLM_MODULE_OK;
+ int error = 0;
+ int retry = 0;
+ char const *message = NULL;
+
+ int i;
+ char new_challenge[33], buffer[128];
+ char *p;
+
+ if ((mschap_result == -648) ||
+ ((mschap_result == 0) &&
+ (smb_ctrl && ((smb_ctrl->vp_integer & ACB_PW_EXPIRED) != 0)))) {
+ REDEBUG("Password has expired. User should retry authentication");
+ error = 648;
+
+ /*
+ * A password change is NOT a retry! We MUST have retry=0 here.
+ */
+ retry = 0;
+ message = "Password expired";
+ rcode = RLM_MODULE_REJECT;
+
+ /*
+ * Account is disabled.
+ *
+ * They're found, but they don't exist, so we
+ * return 'not found'.
+ */
+ } else if ((mschap_result == -691) ||
+ (smb_ctrl && (((smb_ctrl->vp_integer & ACB_DISABLED) != 0) ||
+ ((smb_ctrl->vp_integer & (ACB_NORMAL|ACB_WSTRUST)) == 0)))) {
+ REDEBUG("SMB-Account-Ctrl (or ntlm_auth) "
+ "says that the account is disabled, "
+ "or is not a normal or workstation trust account");
+ error = 691;
+ retry = 0;
+ message = "Account disabled";
+ rcode = RLM_MODULE_NOTFOUND;
+
+ /*
+ * User is locked out.
+ */
+ } else if ((mschap_result == -647) ||
+ (smb_ctrl && ((smb_ctrl->vp_integer & ACB_AUTOLOCK) != 0))) {
+ REDEBUG("SMB-Account-Ctrl (or ntlm_auth) "
+ "says that the account is locked out");
+ error = 647;
+ retry = 0;
+ message = "Account locked out";
+ rcode = RLM_MODULE_USERLOCK;
+ } else if (mschap_result == -2) {
+ RDEBUG("Authentication failed");
+ error = 691;
+ retry = inst->allow_retry;
+ message = "Authentication failed";
+ rcode = RLM_MODULE_FAIL;
+
+ } else if (mschap_result < 0) {
+ REDEBUG("MS-CHAP2-Response is incorrect");
+ error = 691;
+ retry = inst->allow_retry;
+ message = "Authentication rejected";
+ rcode = RLM_MODULE_REJECT;
+ }
+
+ if (rcode == RLM_MODULE_OK) return RLM_MODULE_OK;
+
+ switch (mschap_version) {
+ case 1:
+ for (p = new_challenge, i = 0; i < 2; i++) p += snprintf(p, 9, "%08x", fr_rand());
+ snprintf(buffer, sizeof(buffer), "E=%i R=%i C=%s V=2",
+ error, retry, new_challenge);
+ break;
+
+ case 2:
+ for (p = new_challenge, i = 0; i < 4; i++) p += snprintf(p, 9, "%08x", fr_rand());
+ snprintf(buffer, sizeof(buffer), "E=%i R=%i C=%s V=3 M=%s",
+ error, retry, new_challenge, message);
+ break;
+
+ default:
+ return RLM_MODULE_FAIL;
+ }
+ mschap_add_reply(request, ident, "MS-CHAP-Error", buffer, strlen(buffer));
+
+ return rcode;
+}
+
+/*
+ * mod_authenticate() - authenticate user based on given
+ * attributes and configuration.
+ * We will try to find out password in configuration
+ * or in configured passwd file.
+ * If one is found we will check paraneters given by NAS.
+ *
+ * If PW_SMB_ACCOUNT_CTRL is not set to ACB_PWNOTREQ we must have
+ * one of:
+ * PAP: PW_USER_PASSWORD or
+ * MS-CHAP: PW_MSCHAP_CHALLENGE and PW_MSCHAP_RESPONSE or
+ * MS-CHAP2: PW_MSCHAP_CHALLENGE and PW_MSCHAP2_RESPONSE
+ * In case of password mismatch or locked account we MAY return
+ * PW_MSCHAP_ERROR for MS-CHAP or MS-CHAP v2
+ * If MS-CHAP2 succeeds we MUST return
+ * PW_MSCHAP2_SUCCESS
+ */
+static rlm_rcode_t CC_HINT(nonnull) mod_authenticate(void *instance, REQUEST *request)
+{
+ rlm_mschap_t *inst = instance;
+ VALUE_PAIR *challenge = NULL;
+ VALUE_PAIR *response = NULL;
+ VALUE_PAIR *cpw = NULL;
+ VALUE_PAIR *password = NULL;
+ VALUE_PAIR *nt_password, *smb_ctrl;
+ VALUE_PAIR *username;
+ uint8_t nthashhash[NT_DIGEST_LENGTH];
+ char msch2resp[42];
+ char const *username_string;
+ int mschap_version = 0;
+ int mschap_result;
+ MSCHAP_AUTH_METHOD auth_method;
+
+ /*
+ * If we have ntlm_auth configured, use it unless told
+ * otherwise
+ */
+ auth_method = inst->method;
+
+ /*
+ * If we have an ntlm_auth configuration, then we may
+ * want to suppress it.
+ */
+ if (auth_method != AUTH_INTERNAL) {
+ VALUE_PAIR *vp = fr_pair_find_by_num(request->config, PW_MS_CHAP_USE_NTLM_AUTH, 0, TAG_ANY);
+ if (vp && vp->vp_integer == 0) auth_method = AUTH_INTERNAL;
+ }
+
+ /*
+ * Find the SMB-Account-Ctrl attribute, or the
+ * SMB-Account-Ctrl-Text attribute.
+ */
+ smb_ctrl = fr_pair_find_by_num(request->config, PW_SMB_ACCOUNT_CTRL, 0, TAG_ANY);
+ if (!smb_ctrl) {
+ password = fr_pair_find_by_num(request->config, PW_SMB_ACCOUNT_CTRL_TEXT, 0, TAG_ANY);
+ if (password) {
+ smb_ctrl = pair_make_config("SMB-Account-CTRL", "0", T_OP_SET);
+ if (smb_ctrl) {
+ smb_ctrl->vp_integer = pdb_decode_acct_ctrl(password->vp_strvalue);
+ }
+ }
+ }
+
+ /*
+ * We're configured to do MS-CHAP authentication.
+ * and account control information exists. Enforce it.
+ */
+ if (smb_ctrl) {
+ /*
+ * Password is not required.
+ */
+ if ((smb_ctrl->vp_integer & ACB_PWNOTREQ) != 0) {
+ RDEBUG2("SMB-Account-Ctrl says no password is required");
+ return RLM_MODULE_OK;
+ }
+ }
+
+ /*
+ * Decide how to get the passwords.
+ */
+ password = fr_pair_find_by_num(request->config, PW_CLEARTEXT_PASSWORD, 0, TAG_ANY);
+
+ /*
+ * We need an NT-Password.
+ */
+ nt_password = fr_pair_find_by_num(request->config, PW_NT_PASSWORD, 0, TAG_ANY);
+ if (nt_password) {
+ VERIFY_VP(nt_password);
+
+ switch (nt_password->vp_length) {
+ case NT_DIGEST_LENGTH:
+ RDEBUG2("Found NT-Password");
+ break;
+
+ /* 0x */
+ case 34:
+ case 32:
+ RWDEBUG("NT-Password has not been normalized by the 'pap' module (likely still in hex format). "
+ "Authentication may fail");
+ nt_password = NULL;
+ break;
+
+ default:
+ RWDEBUG("NT-Password found but incorrect length, expected " STRINGIFY(NT_DIGEST_LENGTH)
+ " bytes got %zu bytes. Authentication may fail", nt_password->vp_length);
+ nt_password = NULL;
+ break;
+ }
+ }
+
+ /*
+ * ... or a Cleartext-Password, which we now transform into an NT-Password
+ */
+ if (!nt_password) {
+ uint8_t *p;
+
+ if (password) {
+ RDEBUG2("Found Cleartext-Password, hashing to create NT-Password");
+ nt_password = pair_make_config("NT-Password", NULL, T_OP_EQ);
+ if (!nt_password) {
+ RERROR("No memory");
+ return RLM_MODULE_FAIL;
+ }
+ nt_password->vp_length = NT_DIGEST_LENGTH;
+ nt_password->vp_octets = p = talloc_array(nt_password, uint8_t, nt_password->vp_length);
+
+ if (mschap_ntpwdhash(p, password->vp_strvalue) < 0) {
+ RERROR("Failed generating NT-Password");
+ return RLM_MODULE_FAIL;
+ }
+ } else if (auth_method == AUTH_INTERNAL) {
+ RWDEBUG2("No Cleartext-Password configured. Cannot create NT-Password");
+ }
+ }
+
+ cpw = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_CPW, VENDORPEC_MICROSOFT, TAG_ANY);
+ if (cpw) {
+ /*
+ * mschap2 password change request
+ * we cheat - first decode and execute the passchange
+ * we then extract the response, add it into the request
+ * then jump into mschap2 auth with the chal/resp
+ */
+ uint8_t new_nt_encrypted[516], old_nt_encrypted[NT_DIGEST_LENGTH];
+ VALUE_PAIR *nt_enc=NULL;
+ int seq, new_nt_enc_len;
+ uint8_t *p;
+
+ RDEBUG("MS-CHAPv2 password change request received");
+
+ if (cpw->vp_length != 68) {
+ REDEBUG("MS-CHAP2-CPW has the wrong format: length %zu != 68", cpw->vp_length);
+ return RLM_MODULE_INVALID;
+ }
+
+ if (cpw->vp_octets[0] != 7) {
+ REDEBUG("MS-CHAP2-CPW has the wrong format: code %d != 7", cpw->vp_octets[0]);
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * look for the new (encrypted) password
+ * bah stupid composite attributes
+ * we're expecting 3 attributes with the leading bytes
+ * 06:<mschapid>:00:01:<1st chunk>
+ * 06:<mschapid>:00:02:<2nd chunk>
+ * 06:<mschapid>:00:03:<3rd chunk>
+ */
+ new_nt_enc_len = 0;
+ for (seq = 1; seq < 4; seq++) {
+ vp_cursor_t cursor;
+ int found = 0;
+
+ for (nt_enc = fr_cursor_init(&cursor, &request->packet->vps);
+ nt_enc;
+ nt_enc = fr_cursor_next(&cursor)) {
+ if (nt_enc->da->vendor != VENDORPEC_MICROSOFT)
+ continue;
+
+ if (nt_enc->da->attr != PW_MSCHAP_NT_ENC_PW)
+ continue;
+
+ if (nt_enc->vp_length < 4) {
+ REDEBUG("MS-CHAP-NT-Enc-PW with invalid format");
+ return RLM_MODULE_INVALID;
+ }
+
+ if (nt_enc->vp_octets[0] != 6) {
+ REDEBUG("MS-CHAP-NT-Enc-PW with invalid format");
+ return RLM_MODULE_INVALID;
+ }
+
+ if ((nt_enc->vp_octets[2] == 0) && (nt_enc->vp_octets[3] == seq)) {
+ found = 1;
+ break;
+ }
+ }
+
+ if (!found) {
+ REDEBUG("Could not find MS-CHAP-NT-Enc-PW w/ sequence number %d", seq);
+ return RLM_MODULE_INVALID;
+ }
+
+ if ((new_nt_enc_len + nt_enc->vp_length - 4) > sizeof(new_nt_encrypted)) {
+ REDEBUG("Unpacked MS-CHAP-NT-Enc-PW length > 516");
+ return RLM_MODULE_INVALID;
+ }
+
+ memcpy(new_nt_encrypted + new_nt_enc_len, nt_enc->vp_octets + 4, nt_enc->vp_length - 4);
+ new_nt_enc_len += nt_enc->vp_length - 4;
+ }
+
+ if (new_nt_enc_len != 516) {
+ REDEBUG("Unpacked MS-CHAP-NT-Enc-PW length != 516");
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * RFC 2548 is confusing here
+ * it claims:
+ *
+ * 1 byte code
+ * 1 byte ident
+ * 16 octets - old hash encrypted with new hash
+ * 24 octets - peer challenge
+ * this is actually:
+ * 16 octets - peer challenge
+ * 8 octets - reserved
+ * 24 octets - nt response
+ * 2 octets - flags (ignored)
+ */
+
+ memcpy(old_nt_encrypted, cpw->vp_octets + 2, sizeof(old_nt_encrypted));
+
+ RDEBUG2("Password change payload valid");
+
+ /* perform the actual password change */
+ if (do_mschap_cpw(inst, request, nt_password, new_nt_encrypted, old_nt_encrypted, auth_method) < 0) {
+ char buffer[128];
+
+ REDEBUG("Password change failed");
+
+ snprintf(buffer, sizeof(buffer), "E=709 R=0 M=Password change failed");
+ mschap_add_reply(request, cpw->vp_octets[1], "MS-CHAP-Error", buffer, strlen(buffer));
+
+ return RLM_MODULE_REJECT;
+ }
+ RDEBUG("Password change successful");
+
+ /*
+ * Clear any expiry bit so the user can now login;
+ * obviously the password change action will need
+ * to have cleared this bit in the config/SQL/wherever
+ */
+ if (smb_ctrl && smb_ctrl->vp_integer & ACB_PW_EXPIRED) {
+ RDEBUG("Clearing expiry bit in SMB-Acct-Ctrl to allow authentication");
+ smb_ctrl->vp_integer &= ~ACB_PW_EXPIRED;
+ }
+
+ /*
+ * Extract the challenge & response from the end of the password
+ * change, add them into the request and then continue with
+ * the authentication
+ */
+ response = radius_pair_create(request->packet, &request->packet->vps,
+ PW_MSCHAP2_RESPONSE,
+ VENDORPEC_MICROSOFT);
+ response->vp_length = 50;
+ response->vp_octets = p = talloc_array(response, uint8_t, response->vp_length);
+
+ /* ident & flags */
+ p[0] = cpw->vp_octets[1];
+ p[1] = 0;
+ /* peer challenge and client NT response */
+ memcpy(p + 2, cpw->vp_octets + 18, 48);
+ }
+
+ challenge = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_CHALLENGE, VENDORPEC_MICROSOFT, TAG_ANY);
+ if (!challenge) {
+ REDEBUG("You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!");
+ return RLM_MODULE_REJECT;
+ }
+
+ /*
+ * We also require an MS-CHAP-Response.
+ */
+ response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP_RESPONSE, VENDORPEC_MICROSOFT, TAG_ANY);
+
+ /*
+ * MS-CHAP-Response, means MS-CHAPv1
+ */
+ if (response) {
+ int offset;
+ rlm_rcode_t rcode;
+ mschap_version = 1;
+
+ /*
+ * MS-CHAPv1 challenges are 8 octets.
+ */
+ if (challenge->vp_length < 8) {
+ REDEBUG("MS-CHAP-Challenge has the wrong format");
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * Responses are 50 octets.
+ */
+ if (response->vp_length < 50) {
+ REDEBUG("MS-CHAP-Response has the wrong format");
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * We are doing MS-CHAP. Calculate the MS-CHAP
+ * response
+ */
+ if (response->vp_octets[1] & 0x01) {
+ RDEBUG2("Client is using MS-CHAPv1 with NT-Password");
+ password = nt_password;
+ offset = 26;
+ } else {
+ REDEBUG2("Client is using MS-CHAPv1 with unsupported method LM-Password");
+ return RLM_MODULE_FAIL;
+ }
+
+ /*
+ * Do the MS-CHAP authentication.
+ */
+ mschap_result = do_mschap(inst, request, password, challenge->vp_octets,
+ response->vp_octets + offset, nthashhash, auth_method);
+ /*
+ * Check for errors, and add MSCHAP-Error if necessary.
+ */
+ rcode = mschap_error(inst, request, *response->vp_octets,
+ mschap_result, mschap_version, smb_ctrl);
+ if (rcode != RLM_MODULE_OK) return rcode;
+ } else if ((response = fr_pair_find_by_num(request->packet->vps, PW_MSCHAP2_RESPONSE,
+ VENDORPEC_MICROSOFT, TAG_ANY)) != NULL) {
+ uint8_t mschapv1_challenge[16];
+ VALUE_PAIR *name_attr, *response_name, *peer_challenge_attr;
+ rlm_rcode_t rcode;
+ uint8_t const *peer_challenge;
+
+ mschap_version = 2;
+
+ /*
+ * MS-CHAPv2 challenges are 16 octets.
+ */
+ if (challenge->vp_length < 16) {
+ REDEBUG("MS-CHAP-Challenge has the wrong format");
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * Responses are 50 octets.
+ */
+ if (response->vp_length < 50) {
+ REDEBUG("MS-CHAP-Response has the wrong format");
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * We also require a User-Name
+ */
+ username = fr_pair_find_by_num(request->packet->vps, PW_USER_NAME, 0, TAG_ANY);
+ if (!username) {
+ REDEBUG("We require a User-Name for MS-CHAPv2");
+ return RLM_MODULE_INVALID;
+ }
+
+ /*
+ * Check for MS-CHAP-User-Name and if found, use it
+ * to construct the MSCHAPv1 challenge. This is
+ * set by rlm_eap_mschap to the MS-CHAP Response
+ * packet Name field.
+ *
+ * We prefer this to the User-Name in the
+ * packet.
+ */
+ response_name = fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_USER_NAME, 0, TAG_ANY);
+ if (response_name) {
+ name_attr = response_name;
+ } else {
+ name_attr = username;
+ }
+
+ /*
+ * with_ntdomain_hack moved here, too.
+ */
+ if ((username_string = strchr(name_attr->vp_strvalue, '\\')) != NULL) {
+ if (inst->with_ntdomain_hack) {
+ username_string++;
+ } else {
+ RWDEBUG2("NT Domain delimiter found, should with_ntdomain_hack of been enabled?");
+ username_string = name_attr->vp_strvalue;
+ }
+ } else {
+ username_string = name_attr->vp_strvalue;
+ }
+
+ if (response_name && ((username->vp_length != response_name->vp_length) ||
+ (strncasecmp(username->vp_strvalue, response_name->vp_strvalue, username->vp_length) != 0))) {
+ RWDEBUG("User-Name (%s) is not the same as MS-CHAP Name (%s) from EAP-MSCHAPv2",
+ username->vp_strvalue, response_name->vp_strvalue);
+ }
+
+#ifdef __APPLE__
+ /*
+ * No "known good" NT-Password attribute. Try to do
+ * OpenDirectory authentication.
+ *
+ * If OD determines the user is an OD user it will return noop, which
+ * indicates the auth process should continue directly to OD.
+ * Otherwise OD will determine auth success/fail.
+ */
+ if (!nt_password && inst->open_directory) {
+ RDEBUG2("No NT-Password configured. Trying OpenDirectory Authentication");
+ int odStatus = od_mschap_auth(request, challenge, username);
+ if (odStatus != RLM_MODULE_NOOP) {
+ return odStatus;
+ }
+ }
+#endif
+ peer_challenge = response->vp_octets + 2;
+
+ peer_challenge_attr = fr_pair_find_by_num(request->config, PW_MS_CHAP_PEER_CHALLENGE, 0, TAG_ANY);
+ if (peer_challenge_attr) {
+ RDEBUG2("Overriding peer challenge");
+ peer_challenge = peer_challenge_attr->vp_octets;
+ }
+
+ /*
+ * The old "mschapv2" function has been moved to
+ * here.
+ *
+ * MS-CHAPv2 takes some additional data to create an
+ * MS-CHAPv1 challenge, and then does MS-CHAPv1.
+ */
+ RDEBUG2("Creating challenge hash with username: %s", username_string);
+ mschap_challenge_hash(peer_challenge, /* peer challenge */
+ challenge->vp_octets, /* our challenge */
+ username_string, /* user name */
+ mschapv1_challenge); /* resulting challenge */
+
+ RDEBUG2("Client is using MS-CHAPv2");
+ mschap_result = do_mschap(inst, request, nt_password, mschapv1_challenge,
+ response->vp_octets + 26, nthashhash, auth_method);
+ rcode = mschap_error(inst, request, *response->vp_octets,
+ mschap_result, mschap_version, smb_ctrl);
+ if (rcode != RLM_MODULE_OK) return rcode;
+
+#ifdef WITH_AUTH_WINBIND
+ if (inst->wb_retry_with_normalised_username) {
+ if ((response_name = fr_pair_find_by_num(request->packet->vps, PW_MS_CHAP_USER_NAME, 0, TAG_ANY))) {
+ if (strcmp(username_string, response_name->vp_strvalue)) {
+ RDEBUG2("Changing username %s to %s", username_string, response_name->vp_strvalue);
+ username_string = response_name->vp_strvalue;
+ }
+ }
+ }
+#endif
+
+ mschap_auth_response(username_string, /* without the domain */
+ nthashhash, /* nt-hash-hash */
+ response->vp_octets + 26, /* peer response */
+ peer_challenge, /* peer challenge */
+ challenge->vp_octets, /* our challenge */
+ msch2resp); /* calculated MPPE key */
+ mschap_add_reply(request, *response->vp_octets, "MS-CHAP2-Success", msch2resp, 42);
+
+ } else { /* Neither CHAPv1 or CHAPv2 response: die */
+ REDEBUG("You set 'Auth-Type = MS-CHAP' for a request that does not contain any MS-CHAP attributes!");
+ return RLM_MODULE_INVALID;
+ }
+
+ /* now create MPPE attributes */
+ if (inst->use_mppe) {
+ uint8_t mppe_sendkey[34];
+ uint8_t mppe_recvkey[34];
+
+ if (mschap_version == 1) {
+ RDEBUG2("adding MS-CHAPv1 MPPE keys");
+ memset(mppe_sendkey, 0, 32);
+
+ /*
+ * According to RFC 2548 we
+ * should send NT hash. But in
+ * practice it doesn't work.
+ * Instead, we should send nthashhash
+ *
+ * This is an error in RFC 2548.
+ */
+ /*
+ * do_mschap cares to zero nthashhash if NT hash
+ * is not available.
+ */
+ memcpy(mppe_sendkey + 8, nthashhash, NT_DIGEST_LENGTH);
+ mppe_add_reply(request, "MS-CHAP-MPPE-Keys", mppe_sendkey, 24);
+
+ } else if (mschap_version == 2) {
+ RDEBUG2("Adding MS-CHAPv2 MPPE keys");
+ mppe_chap2_gen_keys128(nthashhash, response->vp_octets + 26, mppe_sendkey, mppe_recvkey);
+
+ mppe_add_reply(request, "MS-MPPE-Recv-Key", mppe_recvkey, 16);
+ mppe_add_reply(request, "MS-MPPE-Send-Key", mppe_sendkey, 16);
+
+ }
+ pair_make_reply("MS-MPPE-Encryption-Policy",
+ (inst->require_encryption) ? "0x00000002":"0x00000001", T_OP_EQ);
+ pair_make_reply("MS-MPPE-Encryption-Types",
+ (inst->require_strong) ? "0x00000004":"0x00000006", T_OP_EQ);
+ } /* else we weren't asked to use MPPE */
+
+ return RLM_MODULE_OK;
+#undef inst
+}
+
+extern module_t rlm_mschap;
+module_t rlm_mschap = {
+ .magic = RLM_MODULE_INIT,
+ .name = "mschap",
+ .type = 0,
+ .inst_size = sizeof(rlm_mschap_t),
+ .config = module_config,
+ .bootstrap = mod_bootstrap,
+ .instantiate = mod_instantiate,
+ .detach = mod_detach,
+ .methods = {
+ [MOD_AUTHENTICATE] = mod_authenticate,
+ [MOD_AUTHORIZE] = mod_authorize
+ },
+};
diff --git a/src/modules/rlm_mschap/rlm_mschap.h b/src/modules/rlm_mschap/rlm_mschap.h
new file mode 100644
index 0000000..7309919
--- /dev/null
+++ b/src/modules/rlm_mschap/rlm_mschap.h
@@ -0,0 +1,55 @@
+/* Copyright 2006-2015 The FreeRADIUS server project */
+
+#ifndef _RLM_MSCHAP_H
+#define _RLM_MSCHAP_H
+
+RCSIDH(rlm_mschap_h, "$Id$")
+
+#include "config.h"
+
+#ifdef HAVE_WDOCUMENTATION
+DIAG_OFF(documentation)
+#endif
+#ifdef WITH_AUTH_WINBIND
+# include <wbclient.h>
+#endif
+#ifdef HAVE_WDOCUMENTATION
+DIAG_ON(documentation)
+#endif
+
+/* Method of authentication we are going to use */
+typedef enum {
+ AUTH_INTERNAL = 0,
+ AUTH_NTLMAUTH_EXEC = 1
+#ifdef WITH_AUTH_WINBIND
+ ,AUTH_WBCLIENT = 2
+#endif
+} MSCHAP_AUTH_METHOD;
+
+typedef struct rlm_mschap_t {
+ bool use_mppe;
+ bool require_encryption;
+ bool require_strong;
+ bool with_ntdomain_hack; /* this should be in another module */
+ char const *xlat_name;
+ char const *ntlm_auth;
+ uint32_t ntlm_auth_timeout;
+ char const *ntlm_cpw;
+ char const *ntlm_cpw_username;
+ char const *ntlm_cpw_domain;
+ char const *local_cpw;
+ char const *auth_type;
+ bool allow_retry;
+ char const *retry_msg;
+ MSCHAP_AUTH_METHOD method;
+ vp_tmpl_t *wb_username;
+ vp_tmpl_t *wb_domain;
+ fr_connection_pool_t *wb_pool;
+ bool wb_retry_with_normalised_username;
+#ifdef __APPLE__
+ bool open_directory;
+#endif
+} rlm_mschap_t;
+
+#endif
+
diff --git a/src/modules/rlm_mschap/rlm_mschap.mk.in b/src/modules/rlm_mschap/rlm_mschap.mk.in
new file mode 100644
index 0000000..0d046df
--- /dev/null
+++ b/src/modules/rlm_mschap/rlm_mschap.mk.in
@@ -0,0 +1,10 @@
+TARGETNAME := @targetname@
+
+ifneq "$(TARGETNAME)" ""
+TARGET := $(TARGETNAME).a
+endif
+
+SOURCES := $(TARGETNAME).c smbdes.c mschap.c @mschap_sources@
+
+SRC_CFLAGS := @mod_cflags@
+TGT_LDLIBS := @mod_ldflags@
diff --git a/src/modules/rlm_mschap/smbdes.c b/src/modules/rlm_mschap/smbdes.c
new file mode 100644
index 0000000..d80de34
--- /dev/null
+++ b/src/modules/rlm_mschap/smbdes.c
@@ -0,0 +1,349 @@
+/*
+ Unix SMB/CIFS implementation.
+
+ a partial implementation of DES designed for use in the
+ SMB authentication protocol
+
+ Copyright (C) Andrew Tridgell 1998
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+
+ Copyright 2006 The FreeRADIUS server project
+*/
+
+
+/* NOTES:
+
+ This code makes no attempt to be fast! In fact, it is a very
+ slow implementation
+
+ This code is NOT a complete DES implementation. It implements only
+ the minimum necessary for SMB authentication, as used by all SMB
+ products (including every copy of Microsoft Windows95 ever sold)
+
+ In particular, it can only do a unchained forward DES pass. This
+ means it is not possible to use this code for encryption/decryption
+ of data, instead it is only useful as a "hash" algorithm.
+
+ There is no entry point into this code that allows normal DES operation.
+
+ I believe this means that this code does not come under ITAR
+ regulations but this is NOT a legal opinion. If you are concerned
+ about the applicability of ITAR regulations to this code then you
+ should confirm it for yourself (and maybe let me know if you come
+ up with a different answer to the one above)
+*/
+
+RCSID("$Id$")
+
+#include <freeradius-devel/libradius.h>
+#include <ctype.h>
+#include "smbdes.h"
+
+
+#define uchar unsigned char
+
+static const uchar perm1[56] = {57, 49, 41, 33, 25, 17, 9,
+ 1, 58, 50, 42, 34, 26, 18,
+ 10, 2, 59, 51, 43, 35, 27,
+ 19, 11, 3, 60, 52, 44, 36,
+ 63, 55, 47, 39, 31, 23, 15,
+ 7, 62, 54, 46, 38, 30, 22,
+ 14, 6, 61, 53, 45, 37, 29,
+ 21, 13, 5, 28, 20, 12, 4};
+
+static const uchar perm2[48] = {14, 17, 11, 24, 1, 5,
+ 3, 28, 15, 6, 21, 10,
+ 23, 19, 12, 4, 26, 8,
+ 16, 7, 27, 20, 13, 2,
+ 41, 52, 31, 37, 47, 55,
+ 30, 40, 51, 45, 33, 48,
+ 44, 49, 39, 56, 34, 53,
+ 46, 42, 50, 36, 29, 32};
+
+static const uchar perm3[64] = {58, 50, 42, 34, 26, 18, 10, 2,
+ 60, 52, 44, 36, 28, 20, 12, 4,
+ 62, 54, 46, 38, 30, 22, 14, 6,
+ 64, 56, 48, 40, 32, 24, 16, 8,
+ 57, 49, 41, 33, 25, 17, 9, 1,
+ 59, 51, 43, 35, 27, 19, 11, 3,
+ 61, 53, 45, 37, 29, 21, 13, 5,
+ 63, 55, 47, 39, 31, 23, 15, 7};
+
+static const uchar perm4[48] = { 32, 1, 2, 3, 4, 5,
+ 4, 5, 6, 7, 8, 9,
+ 8, 9, 10, 11, 12, 13,
+ 12, 13, 14, 15, 16, 17,
+ 16, 17, 18, 19, 20, 21,
+ 20, 21, 22, 23, 24, 25,
+ 24, 25, 26, 27, 28, 29,
+ 28, 29, 30, 31, 32, 1};
+
+static const uchar perm5[32] = { 16, 7, 20, 21,
+ 29, 12, 28, 17,
+ 1, 15, 23, 26,
+ 5, 18, 31, 10,
+ 2, 8, 24, 14,
+ 32, 27, 3, 9,
+ 19, 13, 30, 6,
+ 22, 11, 4, 25};
+
+
+static const uchar perm6[64] ={ 40, 8, 48, 16, 56, 24, 64, 32,
+ 39, 7, 47, 15, 55, 23, 63, 31,
+ 38, 6, 46, 14, 54, 22, 62, 30,
+ 37, 5, 45, 13, 53, 21, 61, 29,
+ 36, 4, 44, 12, 52, 20, 60, 28,
+ 35, 3, 43, 11, 51, 19, 59, 27,
+ 34, 2, 42, 10, 50, 18, 58, 26,
+ 33, 1, 41, 9, 49, 17, 57, 25};
+
+
+static const uchar sc[16] = {1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1};
+
+static const uchar sbox[8][4][16] = {
+ {{14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
+ {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
+ {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
+ {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}},
+
+ {{15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10},
+ {3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5},
+ {0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15},
+ {13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9}},
+
+ {{10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8},
+ {13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1},
+ {13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7},
+ {1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12}},
+
+ {{7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15},
+ {13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9},
+ {10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4},
+ {3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14}},
+
+ {{2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9},
+ {14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6},
+ {4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14},
+ {11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3}},
+
+ {{12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11},
+ {10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8},
+ {9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6},
+ {4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13}},
+
+ {{4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1},
+ {13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6},
+ {1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2},
+ {6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12}},
+
+ {{13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7},
+ {1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2},
+ {7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8},
+ {2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11}}};
+
+static void permute(char *out, char const *in, uchar const *p, int n)
+{
+ int i;
+ for (i=0;i<n;i++)
+ out[i] = in[p[i]-1];
+}
+
+static void lshift(char *d, int count, int n)
+{
+ char out[64];
+ int i;
+ for (i=0;i<n;i++)
+ out[i] = d[(i+count)%n];
+ for (i=0;i<n;i++)
+ d[i] = out[i];
+}
+
+static void concat(char *out, char *in1, char *in2, int l1, int l2)
+{
+ while (l1--)
+ *out++ = *in1++;
+ while (l2--)
+ *out++ = *in2++;
+}
+
+static void xor(char *out, char *in1, char *in2, int n)
+{
+ int i;
+ for (i=0;i<n;i++)
+ out[i] = in1[i] ^ in2[i];
+}
+
+static void dohash(char *out, char *in, char *key)
+{
+ int i, j, k;
+ char pk1[56];
+ char c[28];
+ char d[28];
+ char cd[56];
+ char ki[16][48];
+ char pd1[64];
+ char l[32], r[32];
+ char rl[64];
+
+ permute(pk1, key, perm1, 56);
+
+ for (i=0;i<28;i++)
+ c[i] = pk1[i];
+ for (i=0;i<28;i++)
+ d[i] = pk1[i+28];
+
+ for (i=0;i<16;i++) {
+ lshift(c, sc[i], 28);
+ lshift(d, sc[i], 28);
+
+ concat(cd, c, d, 28, 28);
+ permute(ki[i], cd, perm2, 48);
+ }
+
+ permute(pd1, in, perm3, 64);
+
+ for (j=0;j<32;j++) {
+ l[j] = pd1[j];
+ r[j] = pd1[j+32];
+ }
+
+ for (i=0;i<16;i++) {
+ char er[48];
+ char erk[48];
+ char b[8][6];
+ char cb[32];
+ char pcb[32];
+ char r2[32];
+
+ permute(er, r, perm4, 48);
+
+ xor(erk, er, ki[i], 48);
+
+ for (j=0;j<8;j++)
+ for (k=0;k<6;k++)
+ b[j][k] = erk[j*6 + k];
+
+ for (j=0;j<8;j++) {
+ int m, n;
+ m = (b[j][0]<<1) | b[j][5];
+
+ n = (b[j][1]<<3) | (b[j][2]<<2) | (b[j][3]<<1) | b[j][4];
+
+ for (k=0;k<4;k++)
+ b[j][k] = (sbox[j][m][n] & (1<<(3-k)))?1:0;
+ }
+
+ for (j=0;j<8;j++)
+ for (k=0;k<4;k++)
+ cb[j*4+k] = b[j][k];
+ permute(pcb, cb, perm5, 32);
+
+ xor(r2, l, pcb, 32);
+
+ for (j=0;j<32;j++)
+ l[j] = r[j];
+
+ for (j=0;j<32;j++)
+ r[j] = r2[j];
+ }
+
+ concat(rl, r, l, 32, 32);
+
+ permute(out, rl, perm6, 64);
+}
+
+static void str_to_key(unsigned char *str,unsigned char *key)
+{
+ int i;
+
+ key[0] = str[0]>>1;
+ key[1] = ((str[0]&0x01)<<6) | (str[1]>>2);
+ key[2] = ((str[1]&0x03)<<5) | (str[2]>>3);
+ key[3] = ((str[2]&0x07)<<4) | (str[3]>>4);
+ key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5);
+ key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6);
+ key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7);
+ key[7] = str[6]&0x7F;
+ for (i=0;i<8;i++) {
+ key[i] = (key[i]<<1);
+ }
+}
+
+
+void smbhash(unsigned char *out, unsigned char const *in, unsigned char *key)
+{
+ int i;
+ char outb[64];
+ char inb[64];
+ char keyb[64];
+ unsigned char key2[8];
+
+ str_to_key(key, key2);
+
+ for (i=0;i<64;i++) {
+ inb[i] = (in[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
+ keyb[i] = (key2[i/8] & (1<<(7-(i%8)))) ? 1 : 0;
+ outb[i] = 0;
+ }
+
+ dohash(outb, inb, keyb);
+
+ for (i=0;i<8;i++) {
+ out[i] = 0;
+ }
+
+ for (i=0;i<64;i++) {
+ if (outb[i])
+ out[i/8] |= (1<<(7-(i%8)));
+ }
+}
+
+/*
+ * Converts the password to uppercase, and creates the LM
+ * password hash.
+ */
+void smbdes_lmpwdhash(char const *password, uint8_t *lmhash)
+{
+ int i;
+ uint8_t p14[14];
+ static uint8_t sp8[8] = {0x4b, 0x47, 0x53, 0x21, 0x40, 0x23, 0x24, 0x25};
+
+ memset(p14, 0, sizeof(p14));
+ for (i = 0; i < 14 && password[i]; i++) {
+ p14[i] = toupper((uint8_t) password[i]);
+ }
+
+ smbhash(lmhash, sp8, p14);
+ smbhash(lmhash+8, sp8, p14+7);
+}
+
+/*
+ * Take the NT or LM password, and return the MSCHAP response
+ *
+ * The win_password MUST be exactly 16 bytes long.
+ */
+void smbdes_mschap(uint8_t const win_password[16],
+ uint8_t const *challenge, uint8_t *response)
+{
+ uint8_t p21[21];
+
+ memset(p21, 0, sizeof(p21));
+ memcpy(p21, win_password, 16);
+
+ smbhash(response, challenge, p21);
+ smbhash(response+8, challenge, p21+7);
+ smbhash(response+16, challenge, p21+14);
+}
diff --git a/src/modules/rlm_mschap/smbdes.h b/src/modules/rlm_mschap/smbdes.h
new file mode 100644
index 0000000..aa06d76
--- /dev/null
+++ b/src/modules/rlm_mschap/smbdes.h
@@ -0,0 +1,13 @@
+/* Copyright 2006 The FreeRADIUS server project */
+
+#ifndef _SMBDES_H
+#define _SMBDES_H
+
+RCSIDH(smbdes_h, "$Id$")
+
+void smbhash(unsigned char *out, unsigned char const *in, unsigned char *key);
+void smbdes_lmpwdhash(char const *password, uint8_t *lmhash);
+void smbdes_mschap(uint8_t const win_password[16],
+ uint8_t const *challenge, uint8_t *response);
+
+#endif /*_SMBDES_H*/
diff --git a/src/modules/rlm_mschap/smbencrypt.c b/src/modules/rlm_mschap/smbencrypt.c
new file mode 100644
index 0000000..9a8a5ab
--- /dev/null
+++ b/src/modules/rlm_mschap/smbencrypt.c
@@ -0,0 +1,147 @@
+/*
+ * smbencrypt.c Produces LM-Password and NT-Password from
+ * cleartext password
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA
+ *
+ * Copyright 2002 3APA3A for FreeRADIUS project
+ Copyright 2006 The FreeRADIUS server project
+ */
+
+RCSID("$Id$")
+
+#include <freeradius-devel/libradius.h>
+
+#ifdef HAVE_OPENSSL_SSL_H
+#include <openssl/ssl.h>
+#include <freeradius-devel/openssl3.h>
+#endif
+
+#include <freeradius-devel/md4.h>
+#include <freeradius-devel/md5.h>
+#include <freeradius-devel/sha1.h>
+#include <ctype.h>
+
+
+#include "smbdes.h"
+
+static char const hex[] = "0123456789ABCDEF";
+
+#if defined(OPENSSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x30000000L
+# include <openssl/provider.h>
+
+static OSSL_PROVIDER *openssl_default_provider = NULL;
+static OSSL_PROVIDER *openssl_legacy_provider = NULL;
+
+#define ERROR(_x) fprintf(stderr, _x)
+
+static int openssl3_init(void)
+{
+ /*
+ * Load the default provider for most algorithms
+ */
+ openssl_default_provider = OSSL_PROVIDER_load(NULL, "default");
+ if (!openssl_default_provider) {
+ ERROR("(TLS) Failed loading default provider");
+ return -1;
+ }
+
+ /*
+ * Needed for MD4
+ *
+ * https://www.openssl.org/docs/man3.0/man7/migration_guide.html#Legacy-Algorithms
+ */
+ openssl_legacy_provider = OSSL_PROVIDER_load(NULL, "legacy");
+ if (!openssl_legacy_provider) {
+ ERROR("(TLS) Failed loading legacy provider");
+ return -1;
+ }
+
+ return 0;
+}
+
+static void openssl3_free(void)
+{
+ if (openssl_default_provider && !OSSL_PROVIDER_unload(openssl_default_provider)) {
+ ERROR("Failed unloading default provider");
+ }
+ openssl_default_provider = NULL;
+
+ if (openssl_legacy_provider && !OSSL_PROVIDER_unload(openssl_legacy_provider)) {
+ ERROR("Failed unloading legacy provider");
+ }
+ openssl_legacy_provider = NULL;
+}
+#else
+#define openssl3_init()
+#define openssl3_free()
+#endif
+
+
+
+/*
+ * FIXME: use functions in freeradius
+ */
+static void tohex (unsigned char const *src, size_t len, char *dst)
+{
+ size_t i;
+ for (i=0; i<len; i++) {
+ dst[(i*2)] = hex[(src[i] >> 4)];
+ dst[(i*2) + 1] = hex[(src[i]&0x0F)];
+ }
+ dst[(i*2)] = 0;
+}
+
+static void ntpwdhash(uint8_t *out, char const *password)
+{
+ ssize_t len;
+ uint8_t ucs2_password[512];
+
+ len = fr_utf8_to_ucs2(ucs2_password, sizeof(ucs2_password), password, strlen(password));
+ if (len < 0) {
+ *out = '\0';
+ return;
+ }
+ fr_md4_calc(out, (uint8_t *) ucs2_password, len);
+}
+
+int main (int argc, char *argv[])
+{
+ int i, l;
+ char password[1024];
+ uint8_t hash[16];
+ char ntpass[33];
+ char lmpass[33];
+
+ openssl3_init();
+
+ fprintf(stderr, "LM Hash \tNT Hash\n");
+ fprintf(stderr, "--------------------------------\t--------------------------------\n");
+ fflush(stderr);
+ for (i = 1; i < argc; i++ ) {
+ strlcpy(password, argv[i], sizeof(password));
+ l = strlen(password);
+ if (l && password[l-1] == '\n') password [l-1] = 0;
+ smbdes_lmpwdhash(password, hash);
+ tohex (hash, 16, lmpass);
+ ntpwdhash (hash, password);
+ tohex (hash, 16, ntpass);
+ printf("%s\t%s\n", lmpass, ntpass);
+ }
+
+ openssl3_free();
+
+ return 0;
+}
diff --git a/src/modules/rlm_mschap/smbencrypt.mk b/src/modules/rlm_mschap/smbencrypt.mk
new file mode 100644
index 0000000..70e8b7b
--- /dev/null
+++ b/src/modules/rlm_mschap/smbencrypt.mk
@@ -0,0 +1,8 @@
+TARGET := smbencrypt
+SOURCES := smbencrypt.c smbdes.c
+
+TGT_PREREQS := libfreeradius-radius.a
+
+SRC_CFLAGS :=
+TGT_LDLIBS := $(LIBS)
+
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-05 20:43:40 +0000