| -rw-r--r-- | ChangeLog | 190 | ||||
| -rw-r--r-- | LICENSE | 1 | ||||
| -rw-r--r-- | Makefile.am | 79 | ||||
| -rw-r--r-- | Makefile.in | 1109 | ||||
| -rw-r--r-- | README | 2 | ||||
| -rwxr-xr-x | configure | 247 | ||||
| -rw-r--r-- | configure.ac | 31 | ||||
| -rw-r--r-- | debug.c | 1 | ||||
| -rw-r--r-- | dtls.c | 1 | ||||
| -rw-r--r-- | fticks.c | 256 | ||||
| -rw-r--r-- | fticks.h | 16 | ||||
| -rw-r--r-- | main.c | 7 | ||||
| -rw-r--r-- | radsecproxy.c | 107 | ||||
| -rw-r--r-- | radsecproxy.conf-example | 34 | ||||
| -rw-r--r-- | radsecproxy.conf.5.xml | 1234 | ||||
| -rw-r--r-- | radsecproxy.h | 26 | ||||
| -rw-r--r-- | tcp.c | 3 | ||||
| -rw-r--r-- | tests/Makefile.am | 7 | ||||
| -rw-r--r-- | tests/t_fticks.c | 46 | ||||
| -rw-r--r-- | tls.c | 3 | ||||
| -rw-r--r-- | tlscommon.c | 2 | ||||
| -rw-r--r-- | tlv11.c | 1 | ||||
| -rwxr-xr-x[-rw-r--r--] | tools/naptr-eduroam.sh | 77 | ||||
| -rw-r--r-- | udp.c | 3 | 
24 files changed, 1613 insertions, 1870 deletions
@@ -1,67 +1,36 @@ -2007-09-21 1.0 -2007-10-16 1.0p1 -	Fixed crash when servers were configured after first realm block -2007-12-24 1.1-alpha -	Pretend option for validating configuration -	Include option for including additional config files -	Allows clients configured by IP prefix, dynamic clients -	Server failover support -	Rewriting of username attribute -	Source address and port can be specified for requests -2008-05-14 1.1-beta -	No longer looks for radsecproxy.conf in current directory -	Rewrite block that allows removal of specified attributes -	certificateNameCheck option for disabling CN/SubjectAltName check -	matchCertificateAttribute now also supports CN matching -	Forwarding of accounting messages, accountingServer option for realms -	Supports multiple client blocks for same source address with different -	  certificate checks -	Removed weekday from log timestamps -2008-07-24 1.1 -	Logging stationid attribute -	Added LoopPrevention option -	Failover also without status-server -	Options for RetryCount and RetryInterval -	Working accounting and AccountingResponse option -	CRL checking and option for enabling it -2008-10-07 1.2 -	listenTCP and sourceTCP options renamed to listenTLS and sourceTLS -	  Old options deprecated but available for backwards compatiblity -	Logging reply-message attribute from Reject messages -	  Contribution from Arne Schwabe -	Rewrite blocks have new options addAttribute and modifyAttribute -	rewriteIn (replacing rewrite) and rewriteOut in client and server -	  blocks for specifying rewrite on input/output. rewrite deprecated -	  but available as an alias for rewriteIn for backwards compatibility. -	rewritein rewriteout rewrite -	regular expressions in realms etc can now be more advanced, including -	  use of "or". -        cacheExpiry option in tls blocks for specifying expiry time for the -	  cache of CA certificates and CRLs. This is particularly useful for -	  regularly updating CRLs. 
-	Some logging has been made more informative -2008-12-04 1.3-alpha -	Support for TCP and DTLS transports (type tcp, type dtls) -	Listen... options can be specified multiple times -	Dynamic server discovery -	DuplicateInterval option in client block for specifying for how -	  long a request/reply shall be stored for duplicate detection -	Support for RADIUS TTL (hopcount) attribute. Decrements value of -	  the TTL attribute if present, discards message if becomes 0. -	  If addTTL option is used, the TTL attribute is added with the -	    specified value if the forwarded message does not have one. -        PolicyOID option can be used to require certain CA policies. -2009-02-18 1.3-beta -	Client and Server blocks may contain multiple host options. -	Configure (Makefile) options for specifying which transports -	  should be supported in a build. -2009-03-12 1.3 -	Fixed some very minor bugs -	Changed log levels for some messages, made loglevel 2 default -2009-07-22 1.3.1 -	Fixed header files for FreeBSD -	Fix for multiple UDP servers on same IP address, solves accounting -	problems. +2011-09-28 1.5-dev +	New features: +	- Support for F-Ticks logging. +	- New binary radsecproxy-hash. + +	Incompatible changes: +	- catgconf renamed to radsecproxy-conf. + +	Bug fixes: +	- All compiler warnings removed.  Building with -Werror. + +2011-07-22 1.4.3 +	Notes: +	- The default secret for TLS and DTLS will change in a future +	release.  Please make sure to specify a secret in both client and +	server blocks to avoid surprises. + +	Bug fixes: +	- Debug printout issue. + +2010-11-23 1.4.2 +	Bug fixes: +	- Don't disable OpenSSL session caching for 0.9.8p and newer in +	  the 0.9.x track. +	- Detect OpenSSL version at runtime rather than at compile time. + +2010-11-17 1.4.1 +	Bug fixes: +	- OpenSSL session caching is disabled when built against OpenSSL +	  older than 1.0.0b to mitigate possible effects of +	  http://openssl.org/news/secadv_20101116.txt (RADSECPROXY-14). 
+	- Crash bug when reading improper config file fixed. +  2010-06-12 1.4  	Incompatible changes:  	- Log level 4 used to be DBG_DBG but is now DBG_NOTICE.  In order 
@@ -81,21 +50,78 @@  	- Build on Solaris when compiling with gcc.  	- A bug in pwdencrypt() with passwords of a length greater than  	16 octets. -2010-11-17 1.4.1 -	Bug fixes: -	- OpenSSL session caching is disabled when built against OpenSSL -	  older than 1.0.0b to mitigate possible effects of -	  http://openssl.org/news/secadv_20101116.txt (RADSECPROXY-14). -	- Crash bug when reading improper config file fixed. -2010-11-23 1.4.2 -	Bug fixes: -	- Don't disable OpenSSL session caching for 0.9.8p and newer in -	  the 0.9.x track. -	- Detect OpenSSL version at runtime rather than at compile time. -2011-07-22 1.4.3 -	Notes: -	- The default secret for TLS and DTLS will change in a future -	  relase.  Plaese make sure to specify a secret in both client and -	  server blocks to avoid surprises. -	Bug fixes: -	- Debug printout issue. + +2009-07-22 1.3.1 +	Fixed header files for FreeBSD +	Fix for multiple UDP servers on same IP address, solves accounting +	problems. + +2009-03-12 1.3 +	Fixed some very minor bugs +	Changed log levels for some messages, made loglevel 2 default + +2009-02-18 1.3-beta +	Client and Server blocks may contain multiple host options. +	Configure (Makefile) options for specifying which transports +	should be supported in a build. + +2008-12-04 1.3-alpha +	Support for TCP and DTLS transports (type tcp, type dtls) +	Listen... options can be specified multiple times +	Dynamic server discovery +	DuplicateInterval option in client block for specifying for how +	  long a request/reply shall be stored for duplicate detection +	Support for RADIUS TTL (hopcount) attribute. Decrements value of +	  the TTL attribute if present, discards message if becomes 0. +	  If addTTL option is used, the TTL attribute is added with the +	    specified value if the forwarded message does not have one. +        PolicyOID option can be used to require certain CA policies. 
+ +2008-10-07 1.2 +	listenTCP and sourceTCP options renamed to listenTLS and sourceTLS +	  Old options deprecated but available for backwards compatiblity +	Logging reply-message attribute from Reject messages +	  Contribution from Arne Schwabe +	Rewrite blocks have new options addAttribute and modifyAttribute +	rewriteIn (replacing rewrite) and rewriteOut in client and server +	  blocks for specifying rewrite on input/output. rewrite deprecated +	  but available as an alias for rewriteIn for backwards compatibility. +	rewritein rewriteout rewrite +	regular expressions in realms etc can now be more advanced, including +	  use of "or". +        cacheExpiry option in tls blocks for specifying expiry time for the +	  cache of CA certificates and CRLs. This is particularly useful for +	  regularly updating CRLs. +	Some logging has been made more informative + +2008-07-24 1.1 +	Logging stationid attribute +	Added LoopPrevention option +	Failover also without status-server +	Options for RetryCount and RetryInterval +	Working accounting and AccountingResponse option +	CRL checking and option for enabling it + +2008-05-14 1.1-beta +	No longer looks for radsecproxy.conf in current directory +	Rewrite block that allows removal of specified attributes +	certificateNameCheck option for disabling CN/SubjectAltName check +	matchCertificateAttribute now also supports CN matching +	Forwarding of accounting messages, accountingServer option for realms +	Supports multiple client blocks for same source address with different +	  certificate checks +	Removed weekday from log timestamps + +2007-12-24 1.1-alpha +	Pretend option for validating configuration +	Include option for including additional config files +	Allows clients configured by IP prefix, dynamic clients +	Server failover support +	Rewriting of username attribute +	Source address and port can be specified for requests + +2007-10-16 1.0p1 +	Fixed crash when servers were configured after first realm block + +2007-09-21 1.0 + 
@@ -8,6 +8,7 @@ Alternatively the radsecproxy source code is subject to the terms of the  below BSD style license.  * Copyright (c) 2006-2010, UNINETT AS +* Copyright (c) 2010,2011, NORDUnet A/S  * All rights reserved.  *  * Redistribution and use in source and binary forms, with or without diff --git a/Makefile.am b/Makefile.am index cd40c2a..2067c5d 100644 --- a/Makefile.am +++ b/Makefile.am 
@@ -1,51 +1,52 @@  AUTOMAKE_OPTIONS = foreign +SUBDIRS = tests +  sbin_PROGRAMS = radsecproxy -bin_PROGRAMS  = catgconf +bin_PROGRAMS = radsecproxy-conf +noinst_LIBRARIES = librsp.a + +radsecproxy_SOURCES = main.c -radsecproxy_SOURCES = radsecproxy.c \ -                      tlscommon.c \ -                      gconfig.c \ -                      util.c \ -                      debug.c \ -                      list.c \ -                      hash.c \ -                      tlv11.c \ -                      hostport.c \ -                      radmsg.c \ -                      udp.c \ -                      tcp.c \ -                      tls.c \ -                      dtls.c \ -                      radsecproxy.h \ -                      tlscommon.h \ -                      gconfig.h \ -                      debug.h \ -                      util.h \ -                      list.h \ -                      hash.h \ -                      tlv11.h \ -                      hostport.h \ -                      radmsg.h \ -                      udp.h \ -                      tcp.h \ -                      tls.h \ -                      dtls.h +librsp_a_SOURCES = \ +	debug.c debug.h \ +	dtls.c dtls.h \ +	gconfig.c gconfig.h \ +	hash.c hash.h \ +	hostport.c hostport.h \ +	list.c list.h \ +	radmsg.c radmsg.h \ +	radsecproxy.c radsecproxy.h \ +	tcp.c tcp.h \ +	tls.c tls.h \ +	tlscommon.c tlscommon.h \ +	tlv11.c tlv11.h \ +	udp.c udp.h \ +	util.c util.h + +if WANT_FTICKS +librsp_a_SOURCES += fticks.c fticks.h +endif -catgconf_SOURCES    = debug.c \ -                      util.c \ -                      gconfig.c \ -                      catgconf.c +radsecproxy_conf_SOURCES = \ +	catgconf.c \ +	debug.c debug.h \ +	gconfig.c gconfig.h \ +	util.c util.h -radsecproxy_CFLAGS  = -g -Wall -fno-strict-aliasing @SSL_CFLAGS@ @TARGET_CFLAGS@ -radsecproxy_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@ -radsecproxy_LDADD   = @SSL_LIBS@ +librsp_a_CFLAGS = \ +	-g -Wall -Werror -fno-strict-aliasing 
@SSL_CFLAGS@ @TARGET_CFLAGS@ +librsp_a_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@ +radsecproxy_CFLAGS = $(librsp_a_CFLAGS) +radsecproxy_LDFLAGS = $(librsp_a_LDFLAGS) +radsecproxy_LDADD = librsp.a @SSL_LIBS@ -catgconf_CFLAGS     = -g -Wall -fno-strict-aliasing @TARGET_CFLAGS@ -catgconf_LDFLAGS    = @TARGET_LDFLAGS@ +catgconf_CFLAGS = -g -Wall -fno-strict-aliasing @TARGET_CFLAGS@ +catgconf_LDFLAGS = @TARGET_LDFLAGS@  dist_man_MANS = radsecproxy.1 $(GENMANPAGES) -EXTRA_DIST = LICENSE THANKS radsecproxy.conf-example radsecproxy.conf.5.xml \ +EXTRA_DIST = \ +	LICENSE THANKS radsecproxy.conf-example radsecproxy.conf.5.xml \  	tools/naptr-eduroam.sh tools/radsec-dynsrv.sh tools/README  if HAVE_DOCBOOK2X_MAN diff --git a/Makefile.in b/Makefile.in deleted file mode 100644 index f8d3058..0000000 --- a/Makefile.in +++ /dev/null 
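Review bot: The `catgconf_CFLAGS` and `catgconf_LDFLAGS` assignments near the end of this hunk still use the old program name, so after the rename to `bin_PROGRAMS = radsecproxy-conf` they no longer attach to any target. As written, radsecproxy-conf would be compiled without `-Wall -fno-strict-aliasing` and without `@TARGET_CFLAGS@`/`@TARGET_LDFLAGS@`, which presumably carry the platform-specific flags chosen by configure. Rename them to match the canonicalised name already used for `radsecproxy_conf_SOURCES`: `radsecproxy_conf_CFLAGS = -g -Wall -fno-strict-aliasing @TARGET_CFLAGS@` and `radsecproxy_conf_LDFLAGS = @TARGET_LDFLAGS@`. Separately, the `-Werror` added to `librsp_a_CFLAGS` also applies to release tarballs, so a warning introduced by a newer compiler will break downstream builds; consider enabling it only through a configure option meant for developers.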
@@ -1,1109 +0,0 @@ -# Makefile.in generated by automake 1.11.1 from Makefile.am. -# @configure_input@ - -# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008, 2009  Free Software Foundation, -# Inc. -# This Makefile.in is free software; the Free Software Foundation -# gives unlimited permission to copy and/or distribute it, -# with or without modifications, as long as this notice is preserved. - -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY, to the extent permitted by law; without -# even the implied warranty of MERCHANTABILITY or FITNESS FOR A -# PARTICULAR PURPOSE. - -@SET_MAKE@ - -VPATH = @srcdir@ -pkgdatadir = $(datadir)/@PACKAGE@ -pkgincludedir = $(includedir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ -pkglibexecdir = $(libexecdir)/@PACKAGE@ -am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd -install_sh_DATA = $(install_sh) -c -m 644 -install_sh_PROGRAM = $(install_sh) -c -install_sh_SCRIPT = $(install_sh) -c -INSTALL_HEADER = $(INSTALL_DATA) -transform = $(program_transform_name) -NORMAL_INSTALL = : -PRE_INSTALL = : -POST_INSTALL = : -NORMAL_UNINSTALL = : -PRE_UNINSTALL = : -POST_UNINSTALL = : -build_triplet = @build@ -host_triplet = @host@ -target_triplet = @target@ -sbin_PROGRAMS = radsecproxy$(EXEEXT) -bin_PROGRAMS = catgconf$(EXEEXT) -subdir = . 
-DIST_COMMON = README $(am__configure_deps) $(dist_man_MANS) \ -	$(srcdir)/Makefile.am $(srcdir)/Makefile.in \ -	$(top_srcdir)/configure AUTHORS COPYING ChangeLog INSTALL NEWS \ -	THANKS compile config.guess config.sub depcomp install-sh \ -	missing -ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 -am__aclocal_m4_deps = $(top_srcdir)/acinclude.m4 \ -	$(top_srcdir)/configure.ac -am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ -	$(ACLOCAL_M4) -am__CONFIG_DISTCLEAN_FILES = config.status config.cache config.log \ - configure.lineno config.status.lineno -mkinstalldirs = $(install_sh) -d -CONFIG_CLEAN_FILES = -CONFIG_CLEAN_VPATH_FILES = -am__installdirs = "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" \ -	"$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)" -PROGRAMS = $(bin_PROGRAMS) $(sbin_PROGRAMS) -am_catgconf_OBJECTS = catgconf-debug.$(OBJEXT) catgconf-util.$(OBJEXT) \ -	catgconf-gconfig.$(OBJEXT) catgconf-catgconf.$(OBJEXT) -catgconf_OBJECTS = $(am_catgconf_OBJECTS) -catgconf_LDADD = $(LDADD) -catgconf_LINK = $(CCLD) $(catgconf_CFLAGS) $(CFLAGS) \ -	$(catgconf_LDFLAGS) $(LDFLAGS) -o $@ -am_radsecproxy_OBJECTS = radsecproxy-radsecproxy.$(OBJEXT) \ -	radsecproxy-tlscommon.$(OBJEXT) radsecproxy-gconfig.$(OBJEXT) \ -	radsecproxy-util.$(OBJEXT) radsecproxy-debug.$(OBJEXT) \ -	radsecproxy-list.$(OBJEXT) radsecproxy-hash.$(OBJEXT) \ -	radsecproxy-tlv11.$(OBJEXT) radsecproxy-hostport.$(OBJEXT) \ -	radsecproxy-radmsg.$(OBJEXT) radsecproxy-udp.$(OBJEXT) \ -	radsecproxy-tcp.$(OBJEXT) radsecproxy-tls.$(OBJEXT) \ -	radsecproxy-dtls.$(OBJEXT) -radsecproxy_OBJECTS = $(am_radsecproxy_OBJECTS) -radsecproxy_DEPENDENCIES = -radsecproxy_LINK = $(CCLD) $(radsecproxy_CFLAGS) $(CFLAGS) \ -	$(radsecproxy_LDFLAGS) $(LDFLAGS) -o $@ -DEFAULT_INCLUDES = -I.@am__isrc@ -depcomp = $(SHELL) $(top_srcdir)/depcomp -am__depfiles_maybe = depfiles -am__mv = mv -f -COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ -	$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -CCLD = $(CC) -LINK = 
$(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) $(LDFLAGS) -o $@ -SOURCES = $(catgconf_SOURCES) $(radsecproxy_SOURCES) -DIST_SOURCES = $(catgconf_SOURCES) $(radsecproxy_SOURCES) -am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; -am__vpath_adj = case $$p in \ -    $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ -    *) f=$$p;; \ -  esac; -am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; -am__install_max = 40 -am__nobase_strip_setup = \ -  srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` -am__nobase_strip = \ -  for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" -am__nobase_list = $(am__nobase_strip_setup); \ -  for p in $$list; do echo "$$p $$p"; done | \ -  sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ -  $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ -    if (++n[$$2] == $(am__install_max)) \ -      { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ -    END { for (dir in files) print dir, files[dir] }' -am__base_list = \ -  sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ -  sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' -man1dir = $(mandir)/man1 -man5dir = $(mandir)/man5 -NROFF = nroff -MANS = $(dist_man_MANS) -ETAGS = etags -CTAGS = ctags -DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) -distdir = $(PACKAGE)-$(VERSION) -top_distdir = $(distdir) -am__remove_distdir = \ -  { test ! -d "$(distdir)" \ -    || { find "$(distdir)" -type d ! -perm -200 -exec chmod u+w {} ';' \ -         && rm -fr "$(distdir)"; }; } -DIST_ARCHIVES = $(distdir).tar.gz -GZIP_ENV = --best -distuninstallcheck_listfiles = find . -type f -print -distcleancheck_listfiles = find . 
-type f -print -ACLOCAL = @ACLOCAL@ -AMTAR = @AMTAR@ -AUTOCONF = @AUTOCONF@ -AUTOHEADER = @AUTOHEADER@ -AUTOMAKE = @AUTOMAKE@ -AWK = @AWK@ -CC = @CC@ -CCDEPMODE = @CCDEPMODE@ -CFLAGS = @CFLAGS@ -CPPFLAGS = @CPPFLAGS@ -CYGPATH_W = @CYGPATH_W@ -DEFS = @DEFS@ -DEPDIR = @DEPDIR@ -DOCBOOK2X_MAN = @DOCBOOK2X_MAN@ -ECHO_C = @ECHO_C@ -ECHO_N = @ECHO_N@ -ECHO_T = @ECHO_T@ -EXEEXT = @EXEEXT@ -INSTALL = @INSTALL@ -INSTALL_DATA = @INSTALL_DATA@ -INSTALL_PROGRAM = @INSTALL_PROGRAM@ -INSTALL_SCRIPT = @INSTALL_SCRIPT@ -INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ -LDFLAGS = @LDFLAGS@ -LIBOBJS = @LIBOBJS@ -LIBS = @LIBS@ -LTLIBOBJS = @LTLIBOBJS@ -MAKEINFO = @MAKEINFO@ -MKDIR_P = @MKDIR_P@ -OBJEXT = @OBJEXT@ -PACKAGE = @PACKAGE@ -PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ -PACKAGE_NAME = @PACKAGE_NAME@ -PACKAGE_STRING = @PACKAGE_STRING@ -PACKAGE_TARNAME = @PACKAGE_TARNAME@ -PACKAGE_URL = @PACKAGE_URL@ -PACKAGE_VERSION = @PACKAGE_VERSION@ -PATH_SEPARATOR = @PATH_SEPARATOR@ -SET_MAKE = @SET_MAKE@ -SHELL = @SHELL@ -SSL_CFLAGS = @SSL_CFLAGS@ -SSL_LDFLAGS = @SSL_LDFLAGS@ -SSL_LIBS = @SSL_LIBS@ -STRIP = @STRIP@ -TARGET_CFLAGS = @TARGET_CFLAGS@ -TARGET_LDFLAGS = @TARGET_LDFLAGS@ -VERSION = @VERSION@ -abs_builddir = @abs_builddir@ -abs_srcdir = @abs_srcdir@ -abs_top_builddir = @abs_top_builddir@ -abs_top_srcdir = @abs_top_srcdir@ -ac_ct_CC = @ac_ct_CC@ -am__include = @am__include@ -am__leading_dot = @am__leading_dot@ -am__quote = @am__quote@ -am__tar = @am__tar@ -am__untar = @am__untar@ -bindir = @bindir@ -build = @build@ -build_alias = @build_alias@ -build_cpu = @build_cpu@ -build_os = @build_os@ -build_vendor = @build_vendor@ -builddir = @builddir@ -datadir = @datadir@ -datarootdir = @datarootdir@ -docdir = @docdir@ -dvidir = @dvidir@ -exec_prefix = @exec_prefix@ -host = @host@ -host_alias = @host_alias@ -host_cpu = @host_cpu@ -host_os = @host_os@ -host_vendor = @host_vendor@ -htmldir = @htmldir@ -includedir = @includedir@ -infodir = @infodir@ -install_sh = @install_sh@ -libdir = @libdir@ 
-libexecdir = @libexecdir@ -localedir = @localedir@ -localstatedir = @localstatedir@ -mandir = @mandir@ -mkdir_p = @mkdir_p@ -oldincludedir = @oldincludedir@ -pdfdir = @pdfdir@ -prefix = @prefix@ -program_transform_name = @program_transform_name@ -psdir = @psdir@ -sbindir = @sbindir@ -sharedstatedir = @sharedstatedir@ -srcdir = @srcdir@ -sysconfdir = @sysconfdir@ -target = @target@ -target_alias = @target_alias@ -target_cpu = @target_cpu@ -target_os = @target_os@ -target_vendor = @target_vendor@ -top_build_prefix = @top_build_prefix@ -top_builddir = @top_builddir@ -top_srcdir = @top_srcdir@ -AUTOMAKE_OPTIONS = foreign -radsecproxy_SOURCES = radsecproxy.c \ -                      tlscommon.c \ -                      gconfig.c \ -                      util.c \ -                      debug.c \ -                      list.c \ -                      hash.c \ -                      tlv11.c \ -                      hostport.c \ -                      radmsg.c \ -                      udp.c \ -                      tcp.c \ -                      tls.c \ -                      dtls.c \ -                      radsecproxy.h \ -                      tlscommon.h \ -                      gconfig.h \ -                      debug.h \ -                      util.h \ -                      list.h \ -                      hash.h \ -                      tlv11.h \ -                      hostport.h \ -                      radmsg.h \ -                      udp.h \ -                      tcp.h \ -                      tls.h \ -                      dtls.h - -catgconf_SOURCES = debug.c \ -                      util.c \ -                      gconfig.c \ -                      catgconf.c - -radsecproxy_CFLAGS = -g -Wall -fno-strict-aliasing @SSL_CFLAGS@ @TARGET_CFLAGS@ -radsecproxy_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@ -radsecproxy_LDADD = @SSL_LIBS@ -catgconf_CFLAGS = -g -Wall -fno-strict-aliasing @TARGET_CFLAGS@ -catgconf_LDFLAGS = @TARGET_LDFLAGS@ -dist_man_MANS = radsecproxy.1 
$(GENMANPAGES) -EXTRA_DIST = LICENSE THANKS radsecproxy.conf-example radsecproxy.conf.5.xml \ -	tools/naptr-eduroam.sh tools/radsec-dynsrv.sh tools/README - -@HAVE_DOCBOOK2X_MAN_TRUE@GENMANPAGES = radsecproxy.conf.5 -all: all-am - -.SUFFIXES: -.SUFFIXES: .c .o .obj -am--refresh: -	@: -$(srcdir)/Makefile.in:  $(srcdir)/Makefile.am  $(am__configure_deps) -	@for dep in $?; do \ -	  case '$(am__configure_deps)' in \ -	    *$$dep*) \ -	      echo ' cd $(srcdir) && $(AUTOMAKE) --foreign'; \ -	      $(am__cd) $(srcdir) && $(AUTOMAKE) --foreign \ -		&& exit 0; \ -	      exit 1;; \ -	  esac; \ -	done; \ -	echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign Makefile'; \ -	$(am__cd) $(top_srcdir) && \ -	  $(AUTOMAKE) --foreign Makefile -.PRECIOUS: Makefile -Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status -	@case '$?' in \ -	  *config.status*) \ -	    echo ' $(SHELL) ./config.status'; \ -	    $(SHELL) ./config.status;; \ -	  *) \ -	    echo ' cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe)'; \ -	    cd $(top_builddir) && $(SHELL) ./config.status $@ $(am__depfiles_maybe);; \ -	esac; - -$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) -	$(SHELL) ./config.status --recheck - -$(top_srcdir)/configure:  $(am__configure_deps) -	$(am__cd) $(srcdir) && $(AUTOCONF) -$(ACLOCAL_M4):  $(am__aclocal_m4_deps) -	$(am__cd) $(srcdir) && $(ACLOCAL) $(ACLOCAL_AMFLAGS) -$(am__aclocal_m4_deps): -install-binPROGRAMS: $(bin_PROGRAMS) -	@$(NORMAL_INSTALL) -	test -z "$(bindir)" || $(MKDIR_P) "$(DESTDIR)$(bindir)" -	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ -	for p in $$list; do echo "$$p $$p"; done | \ -	sed 's/$(EXEEXT)$$//' | \ -	while read p p1; do if test -f $$p; \ -	  then echo "$$p"; echo "$$p"; else :; fi; \ -	done | \ -	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ -	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ -	sed 'N;N;N;s,\n, ,g' | \ -	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ -	  
{ d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ -	    if ($$2 == $$4) files[d] = files[d] " " $$1; \ -	    else { print "f", $$3 "/" $$4, $$1; } } \ -	  END { for (d in files) print "f", d, files[d] }' | \ -	while read type dir files; do \ -	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ -	    test -z "$$files" || { \ -	      echo " $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files '$(DESTDIR)$(bindir)$$dir'"; \ -	      $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(bindir)$$dir" || exit $$?; \ -	    } \ -	; done - -uninstall-binPROGRAMS: -	@$(NORMAL_UNINSTALL) -	@list='$(bin_PROGRAMS)'; test -n "$(bindir)" || list=; \ -	files=`for p in $$list; do echo "$$p"; done | \ -	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -	      -e 's/$$/$(EXEEXT)/' `; \ -	test -n "$$list" || exit 0; \ -	echo " ( cd '$(DESTDIR)$(bindir)' && rm -f" $$files ")"; \ -	cd "$(DESTDIR)$(bindir)" && rm -f $$files - -clean-binPROGRAMS: -	-test -z "$(bin_PROGRAMS)" || rm -f $(bin_PROGRAMS) -install-sbinPROGRAMS: $(sbin_PROGRAMS) -	@$(NORMAL_INSTALL) -	test -z "$(sbindir)" || $(MKDIR_P) "$(DESTDIR)$(sbindir)" -	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ -	for p in $$list; do echo "$$p $$p"; done | \ -	sed 's/$(EXEEXT)$$//' | \ -	while read p p1; do if test -f $$p; \ -	  then echo "$$p"; echo "$$p"; else :; fi; \ -	done | \ -	sed -e 'p;s,.*/,,;n;h' -e 's|.*|.|' \ -	    -e 'p;x;s,.*/,,;s/$(EXEEXT)$$//;$(transform);s/$$/$(EXEEXT)/' | \ -	sed 'N;N;N;s,\n, ,g' | \ -	$(AWK) 'BEGIN { files["."] = ""; dirs["."] = 1 } \ -	  { d=$$3; if (dirs[d] != 1) { print "d", d; dirs[d] = 1 } \ -	    if ($$2 == $$4) files[d] = files[d] " " $$1; \ -	    else { print "f", $$3 "/" $$4, $$1; } } \ -	  END { for (d in files) print "f", d, files[d] }' | \ -	while read type dir files; do \ -	    if test "$$dir" = .; then dir=; else dir=/$$dir; fi; \ -	    test -z "$$files" || { \ -	      echo " $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files 
'$(DESTDIR)$(sbindir)$$dir'"; \ -	      $(INSTALL_PROGRAM_ENV) $(INSTALL_PROGRAM) $$files "$(DESTDIR)$(sbindir)$$dir" || exit $$?; \ -	    } \ -	; done - -uninstall-sbinPROGRAMS: -	@$(NORMAL_UNINSTALL) -	@list='$(sbin_PROGRAMS)'; test -n "$(sbindir)" || list=; \ -	files=`for p in $$list; do echo "$$p"; done | \ -	  sed -e 'h;s,^.*/,,;s/$(EXEEXT)$$//;$(transform)' \ -	      -e 's/$$/$(EXEEXT)/' `; \ -	test -n "$$list" || exit 0; \ -	echo " ( cd '$(DESTDIR)$(sbindir)' && rm -f" $$files ")"; \ -	cd "$(DESTDIR)$(sbindir)" && rm -f $$files - -clean-sbinPROGRAMS: -	-test -z "$(sbin_PROGRAMS)" || rm -f $(sbin_PROGRAMS) -catgconf$(EXEEXT): $(catgconf_OBJECTS) $(catgconf_DEPENDENCIES)  -	@rm -f catgconf$(EXEEXT) -	$(catgconf_LINK) $(catgconf_OBJECTS) $(catgconf_LDADD) $(LIBS) -radsecproxy$(EXEEXT): $(radsecproxy_OBJECTS) $(radsecproxy_DEPENDENCIES)  -	@rm -f radsecproxy$(EXEEXT) -	$(radsecproxy_LINK) $(radsecproxy_OBJECTS) $(radsecproxy_LDADD) $(LIBS) - -mostlyclean-compile: -	-rm -f *.$(OBJEXT) - -distclean-compile: -	-rm -f *.tab.c - -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/catgconf-catgconf.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/catgconf-debug.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/catgconf-gconfig.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/catgconf-util.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-debug.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-dtls.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-gconfig.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-hash.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-hostport.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-list.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-radmsg.Po@am__quote@ -@AMDEP_TRUE@@am__include@ 
@am__quote@./$(DEPDIR)/radsecproxy-radsecproxy.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-tcp.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-tls.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-tlscommon.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-tlv11.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-udp.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/radsecproxy-util.Po@am__quote@ - -.c.o: -@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(COMPILE) -c $< - -.c.obj: -@am__fastdepCC_TRUE@	$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(COMPILE) -c `$(CYGPATH_W) '$<'` - -catgconf-debug.o: debug.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -MT catgconf-debug.o -MD -MP -MF $(DEPDIR)/catgconf-debug.Tpo -c -o catgconf-debug.o `test -f 'debug.c' || echo '$(srcdir)/'`debug.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/catgconf-debug.Tpo $(DEPDIR)/catgconf-debug.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='debug.c' object='catgconf-debug.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) 
$(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -c -o catgconf-debug.o `test -f 'debug.c' || echo '$(srcdir)/'`debug.c - -catgconf-debug.obj: debug.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -MT catgconf-debug.obj -MD -MP -MF $(DEPDIR)/catgconf-debug.Tpo -c -o catgconf-debug.obj `if test -f 'debug.c'; then $(CYGPATH_W) 'debug.c'; else $(CYGPATH_W) '$(srcdir)/debug.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/catgconf-debug.Tpo $(DEPDIR)/catgconf-debug.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='debug.c' object='catgconf-debug.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -c -o catgconf-debug.obj `if test -f 'debug.c'; then $(CYGPATH_W) 'debug.c'; else $(CYGPATH_W) '$(srcdir)/debug.c'; fi` - -catgconf-util.o: util.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -MT catgconf-util.o -MD -MP -MF $(DEPDIR)/catgconf-util.Tpo -c -o catgconf-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/catgconf-util.Tpo $(DEPDIR)/catgconf-util.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='util.c' object='catgconf-util.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -c -o catgconf-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c - -catgconf-util.obj: util.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -MT catgconf-util.obj -MD -MP -MF $(DEPDIR)/catgconf-util.Tpo -c -o catgconf-util.obj `if test -f 
'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/catgconf-util.Tpo $(DEPDIR)/catgconf-util.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='util.c' object='catgconf-util.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -c -o catgconf-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` - -catgconf-gconfig.o: gconfig.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -MT catgconf-gconfig.o -MD -MP -MF $(DEPDIR)/catgconf-gconfig.Tpo -c -o catgconf-gconfig.o `test -f 'gconfig.c' || echo '$(srcdir)/'`gconfig.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/catgconf-gconfig.Tpo $(DEPDIR)/catgconf-gconfig.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='gconfig.c' object='catgconf-gconfig.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -c -o catgconf-gconfig.o `test -f 'gconfig.c' || echo '$(srcdir)/'`gconfig.c - -catgconf-gconfig.obj: gconfig.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -MT catgconf-gconfig.obj -MD -MP -MF $(DEPDIR)/catgconf-gconfig.Tpo -c -o catgconf-gconfig.obj `if test -f 'gconfig.c'; then $(CYGPATH_W) 'gconfig.c'; else $(CYGPATH_W) '$(srcdir)/gconfig.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/catgconf-gconfig.Tpo $(DEPDIR)/catgconf-gconfig.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='gconfig.c' object='catgconf-gconfig.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	
DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -c -o catgconf-gconfig.obj `if test -f 'gconfig.c'; then $(CYGPATH_W) 'gconfig.c'; else $(CYGPATH_W) '$(srcdir)/gconfig.c'; fi` - -catgconf-catgconf.o: catgconf.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -MT catgconf-catgconf.o -MD -MP -MF $(DEPDIR)/catgconf-catgconf.Tpo -c -o catgconf-catgconf.o `test -f 'catgconf.c' || echo '$(srcdir)/'`catgconf.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/catgconf-catgconf.Tpo $(DEPDIR)/catgconf-catgconf.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='catgconf.c' object='catgconf-catgconf.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -c -o catgconf-catgconf.o `test -f 'catgconf.c' || echo '$(srcdir)/'`catgconf.c - -catgconf-catgconf.obj: catgconf.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -MT catgconf-catgconf.obj -MD -MP -MF $(DEPDIR)/catgconf-catgconf.Tpo -c -o catgconf-catgconf.obj `if test -f 'catgconf.c'; then $(CYGPATH_W) 'catgconf.c'; else $(CYGPATH_W) '$(srcdir)/catgconf.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/catgconf-catgconf.Tpo $(DEPDIR)/catgconf-catgconf.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='catgconf.c' object='catgconf-catgconf.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(catgconf_CFLAGS) $(CFLAGS) -c -o catgconf-catgconf.obj `if test -f 'catgconf.c'; then $(CYGPATH_W) 'catgconf.c'; 
else $(CYGPATH_W) '$(srcdir)/catgconf.c'; fi` - -radsecproxy-radsecproxy.o: radsecproxy.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-radsecproxy.o -MD -MP -MF $(DEPDIR)/radsecproxy-radsecproxy.Tpo -c -o radsecproxy-radsecproxy.o `test -f 'radsecproxy.c' || echo '$(srcdir)/'`radsecproxy.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-radsecproxy.Tpo $(DEPDIR)/radsecproxy-radsecproxy.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='radsecproxy.c' object='radsecproxy-radsecproxy.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-radsecproxy.o `test -f 'radsecproxy.c' || echo '$(srcdir)/'`radsecproxy.c - -radsecproxy-radsecproxy.obj: radsecproxy.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-radsecproxy.obj -MD -MP -MF $(DEPDIR)/radsecproxy-radsecproxy.Tpo -c -o radsecproxy-radsecproxy.obj `if test -f 'radsecproxy.c'; then $(CYGPATH_W) 'radsecproxy.c'; else $(CYGPATH_W) '$(srcdir)/radsecproxy.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-radsecproxy.Tpo $(DEPDIR)/radsecproxy-radsecproxy.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='radsecproxy.c' object='radsecproxy-radsecproxy.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-radsecproxy.obj `if test -f 'radsecproxy.c'; then $(CYGPATH_W) 'radsecproxy.c'; else $(CYGPATH_W) '$(srcdir)/radsecproxy.c'; fi` - -radsecproxy-tlscommon.o: tlscommon.c -@am__fastdepCC_TRUE@	$(CC) 
$(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-tlscommon.o -MD -MP -MF $(DEPDIR)/radsecproxy-tlscommon.Tpo -c -o radsecproxy-tlscommon.o `test -f 'tlscommon.c' || echo '$(srcdir)/'`tlscommon.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-tlscommon.Tpo $(DEPDIR)/radsecproxy-tlscommon.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tlscommon.c' object='radsecproxy-tlscommon.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-tlscommon.o `test -f 'tlscommon.c' || echo '$(srcdir)/'`tlscommon.c - -radsecproxy-tlscommon.obj: tlscommon.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-tlscommon.obj -MD -MP -MF $(DEPDIR)/radsecproxy-tlscommon.Tpo -c -o radsecproxy-tlscommon.obj `if test -f 'tlscommon.c'; then $(CYGPATH_W) 'tlscommon.c'; else $(CYGPATH_W) '$(srcdir)/tlscommon.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-tlscommon.Tpo $(DEPDIR)/radsecproxy-tlscommon.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tlscommon.c' object='radsecproxy-tlscommon.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-tlscommon.obj `if test -f 'tlscommon.c'; then $(CYGPATH_W) 'tlscommon.c'; else $(CYGPATH_W) '$(srcdir)/tlscommon.c'; fi` - -radsecproxy-gconfig.o: gconfig.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-gconfig.o -MD -MP -MF $(DEPDIR)/radsecproxy-gconfig.Tpo -c -o 
radsecproxy-gconfig.o `test -f 'gconfig.c' || echo '$(srcdir)/'`gconfig.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-gconfig.Tpo $(DEPDIR)/radsecproxy-gconfig.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='gconfig.c' object='radsecproxy-gconfig.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-gconfig.o `test -f 'gconfig.c' || echo '$(srcdir)/'`gconfig.c - -radsecproxy-gconfig.obj: gconfig.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-gconfig.obj -MD -MP -MF $(DEPDIR)/radsecproxy-gconfig.Tpo -c -o radsecproxy-gconfig.obj `if test -f 'gconfig.c'; then $(CYGPATH_W) 'gconfig.c'; else $(CYGPATH_W) '$(srcdir)/gconfig.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-gconfig.Tpo $(DEPDIR)/radsecproxy-gconfig.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='gconfig.c' object='radsecproxy-gconfig.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-gconfig.obj `if test -f 'gconfig.c'; then $(CYGPATH_W) 'gconfig.c'; else $(CYGPATH_W) '$(srcdir)/gconfig.c'; fi` - -radsecproxy-util.o: util.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-util.o -MD -MP -MF $(DEPDIR)/radsecproxy-util.Tpo -c -o radsecproxy-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-util.Tpo $(DEPDIR)/radsecproxy-util.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='util.c' object='radsecproxy-util.o' libtool=no 
@AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-util.o `test -f 'util.c' || echo '$(srcdir)/'`util.c - -radsecproxy-util.obj: util.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-util.obj -MD -MP -MF $(DEPDIR)/radsecproxy-util.Tpo -c -o radsecproxy-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-util.Tpo $(DEPDIR)/radsecproxy-util.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='util.c' object='radsecproxy-util.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-util.obj `if test -f 'util.c'; then $(CYGPATH_W) 'util.c'; else $(CYGPATH_W) '$(srcdir)/util.c'; fi` - -radsecproxy-debug.o: debug.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-debug.o -MD -MP -MF $(DEPDIR)/radsecproxy-debug.Tpo -c -o radsecproxy-debug.o `test -f 'debug.c' || echo '$(srcdir)/'`debug.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-debug.Tpo $(DEPDIR)/radsecproxy-debug.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='debug.c' object='radsecproxy-debug.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-debug.o `test -f 'debug.c' || echo '$(srcdir)/'`debug.c - 
-radsecproxy-debug.obj: debug.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-debug.obj -MD -MP -MF $(DEPDIR)/radsecproxy-debug.Tpo -c -o radsecproxy-debug.obj `if test -f 'debug.c'; then $(CYGPATH_W) 'debug.c'; else $(CYGPATH_W) '$(srcdir)/debug.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-debug.Tpo $(DEPDIR)/radsecproxy-debug.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='debug.c' object='radsecproxy-debug.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-debug.obj `if test -f 'debug.c'; then $(CYGPATH_W) 'debug.c'; else $(CYGPATH_W) '$(srcdir)/debug.c'; fi` - -radsecproxy-list.o: list.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-list.o -MD -MP -MF $(DEPDIR)/radsecproxy-list.Tpo -c -o radsecproxy-list.o `test -f 'list.c' || echo '$(srcdir)/'`list.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-list.Tpo $(DEPDIR)/radsecproxy-list.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='list.c' object='radsecproxy-list.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-list.o `test -f 'list.c' || echo '$(srcdir)/'`list.c - -radsecproxy-list.obj: list.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-list.obj -MD -MP -MF $(DEPDIR)/radsecproxy-list.Tpo -c -o radsecproxy-list.obj `if test -f 'list.c'; then $(CYGPATH_W) 'list.c'; else 
$(CYGPATH_W) '$(srcdir)/list.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-list.Tpo $(DEPDIR)/radsecproxy-list.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='list.c' object='radsecproxy-list.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-list.obj `if test -f 'list.c'; then $(CYGPATH_W) 'list.c'; else $(CYGPATH_W) '$(srcdir)/list.c'; fi` - -radsecproxy-hash.o: hash.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-hash.o -MD -MP -MF $(DEPDIR)/radsecproxy-hash.Tpo -c -o radsecproxy-hash.o `test -f 'hash.c' || echo '$(srcdir)/'`hash.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-hash.Tpo $(DEPDIR)/radsecproxy-hash.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hash.c' object='radsecproxy-hash.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-hash.o `test -f 'hash.c' || echo '$(srcdir)/'`hash.c - -radsecproxy-hash.obj: hash.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-hash.obj -MD -MP -MF $(DEPDIR)/radsecproxy-hash.Tpo -c -o radsecproxy-hash.obj `if test -f 'hash.c'; then $(CYGPATH_W) 'hash.c'; else $(CYGPATH_W) '$(srcdir)/hash.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-hash.Tpo $(DEPDIR)/radsecproxy-hash.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hash.c' object='radsecproxy-hash.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) 
@AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-hash.obj `if test -f 'hash.c'; then $(CYGPATH_W) 'hash.c'; else $(CYGPATH_W) '$(srcdir)/hash.c'; fi` - -radsecproxy-tlv11.o: tlv11.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-tlv11.o -MD -MP -MF $(DEPDIR)/radsecproxy-tlv11.Tpo -c -o radsecproxy-tlv11.o `test -f 'tlv11.c' || echo '$(srcdir)/'`tlv11.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-tlv11.Tpo $(DEPDIR)/radsecproxy-tlv11.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tlv11.c' object='radsecproxy-tlv11.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-tlv11.o `test -f 'tlv11.c' || echo '$(srcdir)/'`tlv11.c - -radsecproxy-tlv11.obj: tlv11.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-tlv11.obj -MD -MP -MF $(DEPDIR)/radsecproxy-tlv11.Tpo -c -o radsecproxy-tlv11.obj `if test -f 'tlv11.c'; then $(CYGPATH_W) 'tlv11.c'; else $(CYGPATH_W) '$(srcdir)/tlv11.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-tlv11.Tpo $(DEPDIR)/radsecproxy-tlv11.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tlv11.c' object='radsecproxy-tlv11.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-tlv11.obj `if test -f 'tlv11.c'; then $(CYGPATH_W) 'tlv11.c'; else $(CYGPATH_W) '$(srcdir)/tlv11.c'; fi` - -radsecproxy-hostport.o: 
hostport.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-hostport.o -MD -MP -MF $(DEPDIR)/radsecproxy-hostport.Tpo -c -o radsecproxy-hostport.o `test -f 'hostport.c' || echo '$(srcdir)/'`hostport.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-hostport.Tpo $(DEPDIR)/radsecproxy-hostport.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hostport.c' object='radsecproxy-hostport.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-hostport.o `test -f 'hostport.c' || echo '$(srcdir)/'`hostport.c - -radsecproxy-hostport.obj: hostport.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-hostport.obj -MD -MP -MF $(DEPDIR)/radsecproxy-hostport.Tpo -c -o radsecproxy-hostport.obj `if test -f 'hostport.c'; then $(CYGPATH_W) 'hostport.c'; else $(CYGPATH_W) '$(srcdir)/hostport.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-hostport.Tpo $(DEPDIR)/radsecproxy-hostport.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='hostport.c' object='radsecproxy-hostport.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-hostport.obj `if test -f 'hostport.c'; then $(CYGPATH_W) 'hostport.c'; else $(CYGPATH_W) '$(srcdir)/hostport.c'; fi` - -radsecproxy-radmsg.o: radmsg.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-radmsg.o -MD -MP -MF $(DEPDIR)/radsecproxy-radmsg.Tpo 
-c -o radsecproxy-radmsg.o `test -f 'radmsg.c' || echo '$(srcdir)/'`radmsg.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-radmsg.Tpo $(DEPDIR)/radsecproxy-radmsg.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='radmsg.c' object='radsecproxy-radmsg.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-radmsg.o `test -f 'radmsg.c' || echo '$(srcdir)/'`radmsg.c - -radsecproxy-radmsg.obj: radmsg.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-radmsg.obj -MD -MP -MF $(DEPDIR)/radsecproxy-radmsg.Tpo -c -o radsecproxy-radmsg.obj `if test -f 'radmsg.c'; then $(CYGPATH_W) 'radmsg.c'; else $(CYGPATH_W) '$(srcdir)/radmsg.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-radmsg.Tpo $(DEPDIR)/radsecproxy-radmsg.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='radmsg.c' object='radsecproxy-radmsg.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-radmsg.obj `if test -f 'radmsg.c'; then $(CYGPATH_W) 'radmsg.c'; else $(CYGPATH_W) '$(srcdir)/radmsg.c'; fi` - -radsecproxy-udp.o: udp.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-udp.o -MD -MP -MF $(DEPDIR)/radsecproxy-udp.Tpo -c -o radsecproxy-udp.o `test -f 'udp.c' || echo '$(srcdir)/'`udp.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-udp.Tpo $(DEPDIR)/radsecproxy-udp.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='udp.c' object='radsecproxy-udp.o' libtool=no @AMDEPBACKSLASH@ 
-@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-udp.o `test -f 'udp.c' || echo '$(srcdir)/'`udp.c - -radsecproxy-udp.obj: udp.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-udp.obj -MD -MP -MF $(DEPDIR)/radsecproxy-udp.Tpo -c -o radsecproxy-udp.obj `if test -f 'udp.c'; then $(CYGPATH_W) 'udp.c'; else $(CYGPATH_W) '$(srcdir)/udp.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-udp.Tpo $(DEPDIR)/radsecproxy-udp.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='udp.c' object='radsecproxy-udp.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-udp.obj `if test -f 'udp.c'; then $(CYGPATH_W) 'udp.c'; else $(CYGPATH_W) '$(srcdir)/udp.c'; fi` - -radsecproxy-tcp.o: tcp.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-tcp.o -MD -MP -MF $(DEPDIR)/radsecproxy-tcp.Tpo -c -o radsecproxy-tcp.o `test -f 'tcp.c' || echo '$(srcdir)/'`tcp.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-tcp.Tpo $(DEPDIR)/radsecproxy-tcp.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcp.c' object='radsecproxy-tcp.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-tcp.o `test -f 'tcp.c' || echo '$(srcdir)/'`tcp.c - -radsecproxy-tcp.obj: tcp.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-tcp.obj -MD -MP -MF $(DEPDIR)/radsecproxy-tcp.Tpo -c -o radsecproxy-tcp.obj `if test -f 'tcp.c'; then $(CYGPATH_W) 'tcp.c'; else $(CYGPATH_W) '$(srcdir)/tcp.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-tcp.Tpo $(DEPDIR)/radsecproxy-tcp.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tcp.c' object='radsecproxy-tcp.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-tcp.obj `if test -f 'tcp.c'; then $(CYGPATH_W) 'tcp.c'; else $(CYGPATH_W) '$(srcdir)/tcp.c'; fi` - -radsecproxy-tls.o: tls.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-tls.o -MD -MP -MF $(DEPDIR)/radsecproxy-tls.Tpo -c -o radsecproxy-tls.o `test -f 'tls.c' || echo '$(srcdir)/'`tls.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-tls.Tpo $(DEPDIR)/radsecproxy-tls.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tls.c' object='radsecproxy-tls.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-tls.o `test -f 'tls.c' || echo '$(srcdir)/'`tls.c - -radsecproxy-tls.obj: tls.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-tls.obj -MD -MP -MF $(DEPDIR)/radsecproxy-tls.Tpo -c -o radsecproxy-tls.obj `if test -f 'tls.c'; then $(CYGPATH_W) 'tls.c'; else $(CYGPATH_W) '$(srcdir)/tls.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-tls.Tpo 
$(DEPDIR)/radsecproxy-tls.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='tls.c' object='radsecproxy-tls.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-tls.obj `if test -f 'tls.c'; then $(CYGPATH_W) 'tls.c'; else $(CYGPATH_W) '$(srcdir)/tls.c'; fi` - -radsecproxy-dtls.o: dtls.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-dtls.o -MD -MP -MF $(DEPDIR)/radsecproxy-dtls.Tpo -c -o radsecproxy-dtls.o `test -f 'dtls.c' || echo '$(srcdir)/'`dtls.c -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-dtls.Tpo $(DEPDIR)/radsecproxy-dtls.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='dtls.c' object='radsecproxy-dtls.o' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-dtls.o `test -f 'dtls.c' || echo '$(srcdir)/'`dtls.c - -radsecproxy-dtls.obj: dtls.c -@am__fastdepCC_TRUE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) $(radsecproxy_CFLAGS) $(CFLAGS) -MT radsecproxy-dtls.obj -MD -MP -MF $(DEPDIR)/radsecproxy-dtls.Tpo -c -o radsecproxy-dtls.obj `if test -f 'dtls.c'; then $(CYGPATH_W) 'dtls.c'; else $(CYGPATH_W) '$(srcdir)/dtls.c'; fi` -@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/radsecproxy-dtls.Tpo $(DEPDIR)/radsecproxy-dtls.Po -@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='dtls.c' object='radsecproxy-dtls.obj' libtool=no @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@	$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) 
$(radsecproxy_CFLAGS) $(CFLAGS) -c -o radsecproxy-dtls.obj `if test -f 'dtls.c'; then $(CYGPATH_W) 'dtls.c'; else $(CYGPATH_W) '$(srcdir)/dtls.c'; fi` -install-man1: $(dist_man_MANS) -	@$(NORMAL_INSTALL) -	test -z "$(man1dir)" || $(MKDIR_P) "$(DESTDIR)$(man1dir)" -	@list=''; test -n "$(man1dir)" || exit 0; \ -	{ for i in $$list; do echo "$$i"; done; \ -	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ -	  sed -n '/\.1[a-z]*$$/p'; \ -	} | while read p; do \ -	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ -	  echo "$$d$$p"; echo "$$p"; \ -	done | \ -	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ -	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ -	sed 'N;N;s,\n, ,g' | { \ -	list=; while read file base inst; do \ -	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \ -	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man1dir)/$$inst'"; \ -	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man1dir)/$$inst" || exit $$?; \ -	  fi; \ -	done; \ -	for i in $$list; do echo "$$i"; done | $(am__base_list) | \ -	while read files; do \ -	  test -z "$$files" || { \ -	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man1dir)'"; \ -	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man1dir)" || exit $$?; }; \ -	done; } - -uninstall-man1: -	@$(NORMAL_UNINSTALL) -	@list=''; test -n "$(man1dir)" || exit 0; \ -	files=`{ for i in $$list; do echo "$$i"; done; \ -	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ -	  sed -n '/\.1[a-z]*$$/p'; \ -	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^1][0-9a-z]*$$,1,;x' \ -	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ -	test -z "$$files" || { \ -	  echo " ( cd '$(DESTDIR)$(man1dir)' && rm -f" $$files ")"; \ -	  cd "$(DESTDIR)$(man1dir)" && rm -f $$files; } -install-man5: $(dist_man_MANS) -	@$(NORMAL_INSTALL) -	test -z "$(man5dir)" || $(MKDIR_P) "$(DESTDIR)$(man5dir)" -	@list=''; test -n "$(man5dir)" || exit 0; \ -	{ for i in $$list; do echo "$$i"; done; \ -	l2='$(dist_man_MANS)'; for i in $$l2; do echo 
"$$i"; done | \ -	  sed -n '/\.5[a-z]*$$/p'; \ -	} | while read p; do \ -	  if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ -	  echo "$$d$$p"; echo "$$p"; \ -	done | \ -	sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ -	sed 'N;N;s,\n, ,g' | { \ -	list=; while read file base inst; do \ -	  if test "$$base" = "$$inst"; then list="$$list $$file"; else \ -	    echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man5dir)/$$inst'"; \ -	    $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man5dir)/$$inst" || exit $$?; \ -	  fi; \ -	done; \ -	for i in $$list; do echo "$$i"; done | $(am__base_list) | \ -	while read files; do \ -	  test -z "$$files" || { \ -	    echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man5dir)'"; \ -	    $(INSTALL_DATA) $$files "$(DESTDIR)$(man5dir)" || exit $$?; }; \ -	done; } - -uninstall-man5: -	@$(NORMAL_UNINSTALL) -	@list=''; test -n "$(man5dir)" || exit 0; \ -	files=`{ for i in $$list; do echo "$$i"; done; \ -	l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ -	  sed -n '/\.5[a-z]*$$/p'; \ -	} | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^5][0-9a-z]*$$,5,;x' \ -	      -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ -	test -z "$$files" || { \ -	  echo " ( cd '$(DESTDIR)$(man5dir)' && rm -f" $$files ")"; \ -	  cd "$(DESTDIR)$(man5dir)" && rm -f $$files; } - -ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) -	list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ -	unique=`for i in $$list; do \ -	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ -	  done | \ -	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ -	      END { if (nonempty) { for (i in files) print i; }; }'`; \ -	mkid -fID $$unique -tags: TAGS - -TAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \ -		$(TAGS_FILES) $(LISP) -	set x; \ -	here=`pwd`; \ -	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \ -	unique=`for i in $$list; do \ -	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ -	  done | \ -	  
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \ -	      END { if (nonempty) { for (i in files) print i; }; }'`; \ -	shift; \ -	if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ -	  test -n "$$unique" || unique=$$empty_fix; \ -	  if test $$# -gt 0; then \ -	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ -	      "$$@" $$unique; \ -	  else \ -	    $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ -	      $$unique; \ -	  fi; \ -	fi -ctags: CTAGS -CTAGS:  $(HEADERS) $(SOURCES)  $(TAGS_DEPENDENCIES) \ -		$(TAGS_FILES) $(LISP) -	list='$(SOURCES) $(HEADERS)  $(LISP) $(TAGS_FILES)'; \ -	unique=`for i in $$list; do \ -	    if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ -	  done | \ -	  $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ -	      END { if (nonempty) { for (i in files) print i; }; }'`; \ -	test -z "$(CTAGS_ARGS)$$unique" \ -	  || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ -	     $$unique - -GTAGS: -	here=`$(am__cd) $(top_builddir) && pwd` \ -	  && $(am__cd) $(top_srcdir) \ -	  && gtags -i $(GTAGS_ARGS) "$$here" - -distclean-tags: -	-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags - -distdir: $(DISTFILES) -	@list='$(MANS)'; if test -n "$$list"; then \ -	  list=`for p in $$list; do \ -	    if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ -	    if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ -	  if test -n "$$list" && \ -	    grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ -	    echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ -	    grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/         /' >&2; \ -	    echo "       to fix them, install help2man, remove and regenerate the man pages;" >&2; \ -	    echo "       typically \`make maintainer-clean' will remove them" >&2; \ -	    exit 1; \ -	  else :; fi; \ -	else :; fi -	$(am__remove_distdir) -	test -d "$(distdir)" || mkdir "$(distdir)" -	@srcdirstrip=`echo "$(srcdir)" 
| sed 's/[].[^$$\\*]/\\\\&/g'`; \ -	topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ -	list='$(DISTFILES)'; \ -	  dist_files=`for file in $$list; do echo $$file; done | \ -	  sed -e "s|^$$srcdirstrip/||;t" \ -	      -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ -	case $$dist_files in \ -	  */*) $(MKDIR_P) `echo "$$dist_files" | \ -			   sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ -			   sort -u` ;; \ -	esac; \ -	for file in $$dist_files; do \ -	  if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ -	  if test -d $$d/$$file; then \ -	    dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ -	    if test -d "$(distdir)/$$file"; then \ -	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ -	    fi; \ -	    if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ -	      cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ -	      find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ -	    fi; \ -	    cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ -	  else \ -	    test -f "$(distdir)/$$file" \ -	    || cp -p $$d/$$file "$(distdir)/$$file" \ -	    || exit 1; \ -	  fi; \ -	done -	-test -n "$(am__skip_mode_fix)" \ -	|| find "$(distdir)" -type d ! -perm -755 \ -		-exec chmod u+rwx,go+rx {} \; -o \ -	  ! -type d ! -perm -444 -links 1 -exec chmod a+r {} \; -o \ -	  ! -type d ! -perm -400 -exec chmod a+r {} \; -o \ -	  ! -type d ! 
-perm -444 -exec $(install_sh) -c -m a+r {} {} \; \ -	|| chmod -R a+r "$(distdir)" -dist-gzip: distdir -	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz -	$(am__remove_distdir) - -dist-bzip2: distdir -	tardir=$(distdir) && $(am__tar) | bzip2 -9 -c >$(distdir).tar.bz2 -	$(am__remove_distdir) - -dist-lzma: distdir -	tardir=$(distdir) && $(am__tar) | lzma -9 -c >$(distdir).tar.lzma -	$(am__remove_distdir) - -dist-xz: distdir -	tardir=$(distdir) && $(am__tar) | xz -c >$(distdir).tar.xz -	$(am__remove_distdir) - -dist-tarZ: distdir -	tardir=$(distdir) && $(am__tar) | compress -c >$(distdir).tar.Z -	$(am__remove_distdir) - -dist-shar: distdir -	shar $(distdir) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).shar.gz -	$(am__remove_distdir) - -dist-zip: distdir -	-rm -f $(distdir).zip -	zip -rq $(distdir).zip $(distdir) -	$(am__remove_distdir) - -dist dist-all: distdir -	tardir=$(distdir) && $(am__tar) | GZIP=$(GZIP_ENV) gzip -c >$(distdir).tar.gz -	$(am__remove_distdir) - -# This target untars the dist file and tries a VPATH configuration.  Then -# it guarantees that the distribution is self-contained by making another -# tarfile. 
-distcheck: dist -	case '$(DIST_ARCHIVES)' in \ -	*.tar.gz*) \ -	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).tar.gz | $(am__untar) ;;\ -	*.tar.bz2*) \ -	  bzip2 -dc $(distdir).tar.bz2 | $(am__untar) ;;\ -	*.tar.lzma*) \ -	  lzma -dc $(distdir).tar.lzma | $(am__untar) ;;\ -	*.tar.xz*) \ -	  xz -dc $(distdir).tar.xz | $(am__untar) ;;\ -	*.tar.Z*) \ -	  uncompress -c $(distdir).tar.Z | $(am__untar) ;;\ -	*.shar.gz*) \ -	  GZIP=$(GZIP_ENV) gzip -dc $(distdir).shar.gz | unshar ;;\ -	*.zip*) \ -	  unzip $(distdir).zip ;;\ -	esac -	chmod -R a-w $(distdir); chmod a+w $(distdir) -	mkdir $(distdir)/_build -	mkdir $(distdir)/_inst -	chmod a-w $(distdir) -	test -d $(distdir)/_build || exit 0; \ -	dc_install_base=`$(am__cd) $(distdir)/_inst && pwd | sed -e 's,^[^:\\/]:[\\/],/,'` \ -	  && dc_destdir="$${TMPDIR-/tmp}/am-dc-$$$$/" \ -	  && am__cwd=`pwd` \ -	  && $(am__cd) $(distdir)/_build \ -	  && ../configure --srcdir=.. --prefix="$$dc_install_base" \ -	    $(DISTCHECK_CONFIGURE_FLAGS) \ -	  && $(MAKE) $(AM_MAKEFLAGS) \ -	  && $(MAKE) $(AM_MAKEFLAGS) dvi \ -	  && $(MAKE) $(AM_MAKEFLAGS) check \ -	  && $(MAKE) $(AM_MAKEFLAGS) install \ -	  && $(MAKE) $(AM_MAKEFLAGS) installcheck \ -	  && $(MAKE) $(AM_MAKEFLAGS) uninstall \ -	  && $(MAKE) $(AM_MAKEFLAGS) distuninstallcheck_dir="$$dc_install_base" \ -	        distuninstallcheck \ -	  && chmod -R a-w "$$dc_install_base" \ -	  && ({ \ -	       (cd ../.. 
&& umask 077 && mkdir "$$dc_destdir") \ -	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" install \ -	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" uninstall \ -	       && $(MAKE) $(AM_MAKEFLAGS) DESTDIR="$$dc_destdir" \ -	            distuninstallcheck_dir="$$dc_destdir" distuninstallcheck; \ -	      } || { rm -rf "$$dc_destdir"; exit 1; }) \ -	  && rm -rf "$$dc_destdir" \ -	  && $(MAKE) $(AM_MAKEFLAGS) dist \ -	  && rm -rf $(DIST_ARCHIVES) \ -	  && $(MAKE) $(AM_MAKEFLAGS) distcleancheck \ -	  && cd "$$am__cwd" \ -	  || exit 1 -	$(am__remove_distdir) -	@(echo "$(distdir) archives ready for distribution: "; \ -	  list='$(DIST_ARCHIVES)'; for i in $$list; do echo $$i; done) | \ -	  sed -e 1h -e 1s/./=/g -e 1p -e 1x -e '$$p' -e '$$x' -distuninstallcheck: -	@$(am__cd) '$(distuninstallcheck_dir)' \ -	&& test `$(distuninstallcheck_listfiles) | wc -l` -le 1 \ -	   || { echo "ERROR: files left after uninstall:" ; \ -	        if test -n "$(DESTDIR)"; then \ -	          echo "  (check DESTDIR support)"; \ -	        fi ; \ -	        $(distuninstallcheck_listfiles) ; \ -	        exit 1; } >&2 -distcleancheck: distclean -	@if test '$(srcdir)' = . 
; then \ -	  echo "ERROR: distcleancheck can only run from a VPATH build" ; \ -	  exit 1 ; \ -	fi -	@test `$(distcleancheck_listfiles) | wc -l` -eq 0 \ -	  || { echo "ERROR: files left in build directory after distclean:" ; \ -	       $(distcleancheck_listfiles) ; \ -	       exit 1; } >&2 -check-am: all-am -check: check-am -all-am: Makefile $(PROGRAMS) $(MANS) -installdirs: -	for dir in "$(DESTDIR)$(bindir)" "$(DESTDIR)$(sbindir)" "$(DESTDIR)$(man1dir)" "$(DESTDIR)$(man5dir)"; do \ -	  test -z "$$dir" || $(MKDIR_P) "$$dir"; \ -	done -install: install-am -install-exec: install-exec-am -install-data: install-data-am -uninstall: uninstall-am - -install-am: all-am -	@$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am - -installcheck: installcheck-am -install-strip: -	$(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ -	  install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ -	  `test -z '$(STRIP)' || \ -	    echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install -mostlyclean-generic: - -clean-generic: - -distclean-generic: -	-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) -	-test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) - -maintainer-clean-generic: -	@echo "This command is intended for maintainers to use" -	@echo "it deletes files that may require special tools to rebuild." 
-clean: clean-am - -clean-am: clean-binPROGRAMS clean-generic clean-local \ -	clean-sbinPROGRAMS mostlyclean-am - -distclean: distclean-am -	-rm -f $(am__CONFIG_DISTCLEAN_FILES) -	-rm -rf ./$(DEPDIR) -	-rm -f Makefile -distclean-am: clean-am distclean-compile distclean-generic \ -	distclean-tags - -dvi: dvi-am - -dvi-am: - -html-am: - -info: info-am - -info-am: - -install-data-am: install-man - -install-dvi: install-dvi-am - -install-dvi-am: - -install-exec-am: install-binPROGRAMS install-sbinPROGRAMS - -install-html: install-html-am - -install-html-am: - -install-info: install-info-am - -install-info-am: - -install-man: install-man1 install-man5 - -install-pdf: install-pdf-am - -install-pdf-am: - -install-ps: install-ps-am - -install-ps-am: - -installcheck-am: - -maintainer-clean: maintainer-clean-am -	-rm -f $(am__CONFIG_DISTCLEAN_FILES) -	-rm -rf $(top_srcdir)/autom4te.cache -	-rm -rf ./$(DEPDIR) -	-rm -f Makefile -maintainer-clean-am: distclean-am maintainer-clean-generic - -mostlyclean: mostlyclean-am - -mostlyclean-am: mostlyclean-compile mostlyclean-generic - -pdf: pdf-am - -pdf-am: - -ps: ps-am - -ps-am: - -uninstall-am: uninstall-binPROGRAMS uninstall-man \ -	uninstall-sbinPROGRAMS - -uninstall-man: uninstall-man1 uninstall-man5 - -.MAKE: install-am install-strip - -.PHONY: CTAGS GTAGS all all-am am--refresh check check-am clean \ -	clean-binPROGRAMS clean-generic clean-local clean-sbinPROGRAMS \ -	ctags dist dist-all dist-bzip2 dist-gzip dist-lzma dist-shar \ -	dist-tarZ dist-xz dist-zip distcheck distclean \ -	distclean-compile distclean-generic distclean-tags \ -	distcleancheck distdir distuninstallcheck dvi dvi-am html \ -	html-am info info-am install install-am install-binPROGRAMS \ -	install-data install-data-am install-dvi install-dvi-am \ -	install-exec install-exec-am install-html install-html-am \ -	install-info install-info-am install-man install-man1 \ -	install-man5 install-pdf install-pdf-am install-ps \ -	install-ps-am install-sbinPROGRAMS 
install-strip installcheck \ -	installcheck-am installdirs maintainer-clean \ -	maintainer-clean-generic mostlyclean mostlyclean-compile \ -	mostlyclean-generic pdf pdf-am ps ps-am tags uninstall \ -	uninstall-am uninstall-binPROGRAMS uninstall-man \ -	uninstall-man1 uninstall-man5 uninstall-sbinPROGRAMS - - -radsecproxy.conf.5: $(srcdir)/radsecproxy.conf.5.xml -	docbook2x-man $< - -# Build HTML version of radsecproxy.conf.5.  NOTE: Only tested with -# 'openjade' package installed on Ubuntu 9.10. -html: $(srcdir)/radsecproxy.conf.5.xml -	-openjade -E2000 -t sgml-raw -d /usr/share/sgml/docbook/stylesheet/dsssl/modular/html/docbook.dsl -o radsecproxy.conf.html $< - -clean-local: -	-rm radsecproxy.conf.5 - -# Tell versions [3.59,3.63) of GNU make to not export all variables. -# Otherwise a system limit (for SysV at least) may be exceeded. -.NOEXPORT: @@ -1,4 +1,4 @@ -This is radsecproxy 1.4.3 from 22 July 2011. +This is unreleased radsecproxy 1.5-dev.  radsecproxy is a generic RADIUS proxy that supports both UDP and TLS  (RadSec) RADIUS transports.  There is also experimental support for @@ -1,6 +1,6 @@  #! /bin/sh  # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.67 for radsecproxy 1.4.3. +# Generated by GNU Autoconf 2.67 for radsecproxy 1.5-dev.  #  # Report bugs to <radsecproxy@uninett.no>.  # @@ -551,8 +551,8 @@ MAKEFLAGS=  # Identity of this package.  PACKAGE_NAME='radsecproxy'  PACKAGE_TARNAME='radsecproxy' -PACKAGE_VERSION='1.4.3' -PACKAGE_STRING='radsecproxy 1.4.3' +PACKAGE_VERSION='1.5-dev' +PACKAGE_STRING='radsecproxy 1.5-dev'  PACKAGE_BUGREPORT='radsecproxy@uninett.no'  PACKAGE_URL='' @@ -568,6 +568,9 @@ TARGET_CFLAGS  HAVE_DOCBOOK2X_MAN_FALSE  HAVE_DOCBOOK2X_MAN_TRUE  DOCBOOK2X_MAN +WANT_FTICKS_FALSE +WANT_FTICKS_TRUE +RANLIB  am__fastdepCC_FALSE  am__fastdepCC_TRUE  CCDEPMODE @@ -665,6 +668,7 @@ enable_udp  enable_tcp  enable_tls  enable_dtls +enable_fticks  with_ssl  '        ac_precious_vars='build_alias 
@@ -1218,7 +1222,7 @@ if test "$ac_init_help" = "long"; then    # Omit some internal or obsolete options to make the list less imposing.    # This message is too long to be a string in the A/UX 3.1 sh.    cat <<_ACEOF -\`configure' configures radsecproxy 1.4.3 to adapt to many kinds of systems. +\`configure' configures radsecproxy 1.5-dev to adapt to many kinds of systems.  Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1289,7 +1293,7 @@ fi  if test -n "$ac_init_help"; then    case $ac_init_help in -     short | recursive ) echo "Configuration of radsecproxy 1.4.3:";; +     short | recursive ) echo "Configuration of radsecproxy 1.5-dev:";;     esac    cat <<\_ACEOF @@ -1303,6 +1307,7 @@ Optional Features:    --enable-tcp whether to enable TCP transport: yes/no; default yes    --enable-tls whether to enable TLS (RadSec) transport: yes/no; default yes    --enable-dtls whether to enable DTLS transport: yes/no; default yes +  --enable-fticks         build with F-Ticks support [default=no]  Optional Packages:    --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes] @@ -1386,7 +1391,7 @@ fi  test -n "$ac_init_help" && exit $ac_status  if $ac_init_version; then    cat <<\_ACEOF -radsecproxy configure 1.4.3 +radsecproxy configure 1.5-dev  generated by GNU Autoconf 2.67  Copyright (C) 2010 Free Software Foundation, Inc. 
@@ -1437,11 +1442,57 @@ fi    as_fn_set_status $ac_retval  } # ac_fn_c_try_compile + +# ac_fn_c_try_link LINENO +# ----------------------- +# Try to link conftest.$ac_ext, and return whether this succeeded. +ac_fn_c_try_link () +{ +  as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack +  rm -f conftest.$ac_objext conftest$ac_exeext +  if { { ac_try="$ac_link" +case "(($ac_try" in +  *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; +  *) ac_try_echo=$ac_try;; +esac +eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" +$as_echo "$ac_try_echo"; } >&5 +  (eval "$ac_link") 2>conftest.err +  ac_status=$? +  if test -s conftest.err; then +    grep -v '^ *+' conftest.err >conftest.er1 +    cat conftest.er1 >&5 +    mv -f conftest.er1 conftest.err +  fi +  $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 +  test $ac_status = 0; } && { +	 test -z "$ac_c_werror_flag" || +	 test ! -s conftest.err +       } && test -s conftest$ac_exeext && { +	 test "$cross_compiling" = yes || +	 $as_test_x conftest$ac_exeext +       }; then : +  ac_retval=0 +else +  $as_echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + +	ac_retval=1 +fi +  # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information +  # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would +  # interfere with the next link command; also delete a directory that is +  # left behind by Apple's compiler.  We do this before executing the actions. +  rm -rf conftest.dSYM conftest_ipa8_conftest.oo +  eval $as_lineno_stack; test "x$as_lineno_stack" = x && { as_lineno=; unset as_lineno;} +  as_fn_set_status $ac_retval + +} # ac_fn_c_try_link  cat >config.log <<_ACEOF  This file contains any messages produced by compilers while  running configure, to aid debugging if configure makes a mistake. -It was created by radsecproxy $as_me 1.4.3, which was +It was created by radsecproxy $as_me 1.5-dev, which was  generated by GNU Autoconf 2.67.  
Invocation command line was    $ $0 $@ @@ -2366,7 +2417,7 @@ fi  # Define the identity of the package.   PACKAGE='radsecproxy' - VERSION='1.4.3' + VERSION='1.5-dev'  cat >>confdefs.h <<_ACEOF 
@@ -3511,6 +3562,98 @@ if test "$am_t" != yes; then  fi +if test -n "$ac_tool_prefix"; then +  # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. +set dummy ${ac_tool_prefix}ranlib; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_RANLIB+set}" = set; then : +  $as_echo_n "(cached) " >&6 +else +  if test -n "$RANLIB"; then +  ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do +  IFS=$as_save_IFS +  test -z "$as_dir" && as_dir=. +    for ac_exec_ext in '' $ac_executable_extensions; do +  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then +    ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" +    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 +    break 2 +  fi +done +  done +IFS=$as_save_IFS + +fi +fi +RANLIB=$ac_cv_prog_RANLIB +if test -n "$RANLIB"; then +  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 +$as_echo "$RANLIB" >&6; } +else +  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + +fi +if test -z "$ac_cv_prog_RANLIB"; then +  ac_ct_RANLIB=$RANLIB +  # Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then : +  $as_echo_n "(cached) " >&6 +else +  if test -n "$ac_ct_RANLIB"; then +  ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do +  IFS=$as_save_IFS +  test -z "$as_dir" && as_dir=. 
+    for ac_exec_ext in '' $ac_executable_extensions; do +  if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then +    ac_cv_prog_ac_ct_RANLIB="ranlib" +    $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 +    break 2 +  fi +done +  done +IFS=$as_save_IFS + +fi +fi +ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB +if test -n "$ac_ct_RANLIB"; then +  { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 +$as_echo "$ac_ct_RANLIB" >&6; } +else +  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + +  if test "x$ac_ct_RANLIB" = x; then +    RANLIB=":" +  else +    case $cross_compiling:$ac_tool_warned in +yes:) +{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 +$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} +ac_tool_warned=yes ;; +esac +    RANLIB=$ac_ct_RANLIB +  fi +else +  RANLIB="$ac_cv_prog_RANLIB" +fi +  udp=yes  # Check whether --enable-udp was given.  if test "${enable_udp+set}" = set; then : 
@@ -3563,6 +3706,83 @@ if test "${enable_dtls+set}" = set; then :  fi +# Check whether --enable-fticks was given. +if test "${enable_fticks+set}" = set; then : +  enableval=$enable_fticks; case $enableval in +yes|no) ;; +*) as_fn_error $? "bad value $enableval for --enable-fticks, need yes or no" "$LINENO" 5  ;; +esac +else +  enable_fticks=no +fi + + +if test "$enable_fticks" = "yes"; then + +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for nettle_sha256_init in -lnettle" >&5 +$as_echo_n "checking for nettle_sha256_init in -lnettle... " >&6; } +if test "${ac_cv_lib_nettle_nettle_sha256_init+set}" = set; then : +  $as_echo_n "(cached) " >&6 +else +  ac_check_lib_save_LIBS=$LIBS +LIBS="-lnettle  $LIBS" +cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h.  */ + +/* Override any GCC internal prototype to avoid an error. +   Use char because int might match the return type of a GCC +   builtin and then its argument prototype would still apply.  */ +#ifdef __cplusplus +extern "C" +#endif +char nettle_sha256_init (); +int +main () +{ +return nettle_sha256_init (); +  ; +  return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : +  ac_cv_lib_nettle_nettle_sha256_init=yes +else +  ac_cv_lib_nettle_nettle_sha256_init=no +fi +rm -f core conftest.err conftest.$ac_objext \ +    conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nettle_nettle_sha256_init" >&5 +$as_echo "$ac_cv_lib_nettle_nettle_sha256_init" >&6; } +if test "x$ac_cv_lib_nettle_nettle_sha256_init" = x""yes; then : +  cat >>confdefs.h <<_ACEOF +#define HAVE_LIBNETTLE 1 +_ACEOF + +  LIBS="-lnettle $LIBS" + +else +  { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: required library nettle not found, fticks support disabled" >&5 +$as_echo "$as_me: WARNING: required library nettle not found, fticks support disabled" >&2;} +     enable_fticks=no +fi + +fi + +if test "$enable_fticks" = "yes"; then +$as_echo "#define 
WANT_FTICKS 1" >>confdefs.h + +fi + if test "$enable_fticks" = "yes"; then +  WANT_FTICKS_TRUE= +  WANT_FTICKS_FALSE='#' +else +  WANT_FTICKS_TRUE='#' +  WANT_FTICKS_FALSE= +fi + +  case "${target_os}" in    solaris*) @@ -3696,7 +3916,7 @@ _ACEOF  fi -ac_config_files="$ac_config_files Makefile" +ac_config_files="$ac_config_files Makefile tests/Makefile"  cat >confcache <<\_ACEOF  # This file is a shell script that caches the results of configure @@ -3848,6 +4068,10 @@ if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then    as_fn_error $? "conditional \"am__fastdepCC\" was never defined.  Usually this means the macro was only invoked conditionally." "$LINENO" 5  fi +if test -z "${WANT_FTICKS_TRUE}" && test -z "${WANT_FTICKS_FALSE}"; then +  as_fn_error $? "conditional \"WANT_FTICKS\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi  if test -z "${HAVE_DOCBOOK2X_MAN_TRUE}" && test -z "${HAVE_DOCBOOK2X_MAN_FALSE}"; then    as_fn_error $? "conditional \"HAVE_DOCBOOK2X_MAN\" was never defined.  Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -4260,7 +4484,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1  # report actual input values of CONFIG_FILES etc. instead of their  # values after options handling.  ac_log=" -This file was extended by radsecproxy $as_me 1.4.3, which was +This file was extended by radsecproxy $as_me 1.5-dev, which was  generated by GNU Autoconf 2.67.  Invocation command line was    CONFIG_FILES    = $CONFIG_FILES @@ -4317,7 +4541,7 @@ _ACEOF  cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1  ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"  ac_cs_version="\\ -radsecproxy config.status 1.4.3 +radsecproxy config.status 1.5-dev  configured by $0, generated by GNU Autoconf 2.67,    with options \\"\$ac_cs_config\\" 
@@ -4437,6 +4661,7 @@ do    case $ac_config_target in      "depfiles") CONFIG_COMMANDS="$CONFIG_COMMANDS depfiles" ;;      "Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;; +    "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile" ;;    *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5 ;;    esac diff --git a/configure.ac b/configure.ac index 11bad1d..570c5dd 100644 --- a/configure.ac +++ b/configure.ac @@ -1,8 +1,13 @@ +<<<<<<< HEAD +AC_INIT(radsecproxy, 1.5-dev, radsecproxy@uninett.no) +=======  AC_INIT(radsecproxy, 1.4.3, radsecproxy@uninett.no) +>>>>>>> master  AC_CANONICAL_TARGET  AM_INIT_AUTOMAKE  AC_PROG_CC  AM_PROG_CC_C_O +AC_PROG_RANLIB  udp=yes  AC_ARG_ENABLE(udp,    [  --enable-udp whether to enable UDP transport: yes/no; default yes ], @@ -46,7 +51,26 @@ AC_ARG_ENABLE(dtls,        exit -1      fi    ]) -  + +AC_ARG_ENABLE(fticks, +AC_HELP_STRING([--enable-fticks],[build with F-Ticks support [default=no]]), +[case $enableval in +yes|no) ;; +*) AC_MSG_ERROR([bad value $enableval for --enable-fticks, need yes or no]) ;; +esac], +[enable_fticks=no]) + +if test "$enable_fticks" = "yes"; then +AC_CHECK_LIB([nettle], [nettle_sha256_init],, +    [AC_MSG_WARN([required library nettle not found, fticks support disabled]) +     enable_fticks=no]) +fi + +if test "$enable_fticks" = "yes"; then +AC_DEFINE([WANT_FTICKS], [1]) +fi +AM_CONDITIONAL(WANT_FTICKS, test "$enable_fticks" = "yes") +  dnl Check if we're on Solaris and set CFLAGS accordingly  AC_CANONICAL_SYSTEM  case "${target_os}" in @@ -88,4 +112,7 @@ AM_CONDITIONAL(HAVE_DOCBOOK2X_MAN, test "$DOCBOOK2X_MAN" = "yes")  AC_SUBST(TARGET_CFLAGS)  AC_SUBST(TARGET_LDFLAGS)  AX_CHECK_SSL -AC_OUTPUT(Makefile) +AC_OUTPUT([ +	Makefile +	tests/Makefile +]) 
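Review bot: Unresolved merge-conflict markers are committed in the first configure.ac hunk: the new side adds `<<<<<<< HEAD`, `=======` and `>>>>>>> master` around two `AC_INIT` lines, so the file now carries both the 1.5-dev and the 1.4.3 initialisation. The generated configure in this same commit reports 1.5-dev, so the intended resolution is presumably to keep only `AC_INIT(radsecproxy, 1.5-dev, radsecproxy@uninett.no)` and drop the three marker lines and the 1.4.3 line. As committed, the checked-in configure no longer corresponds to its source, and regenerating it from this file is unlikely to give a clean result.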
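Review bot: An explicit `--enable-fticks=yes` is silently downgraded when libnettle is missing: the failure branch of `AC_CHECK_LIB` only calls `AC_MSG_WARN` and sets `enable_fticks=no`, so the build succeeds without the feature that was requested. Since the default is already `no`, a request that cannot be met is better treated as fatal, for example `[AC_MSG_ERROR([--enable-fticks requires libnettle (nettle_sha256_init not found)])]` in place of the warn-and-disable pair. `AC_DEFINE([WANT_FTICKS], [1])` also has no description argument, which autoheader would need if a config header is ever introduced.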
@@ -1,5 +1,6 @@  /*   * Copyright (C) 2007 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2010 NORDUnet A/S   *   * Permission to use, copy, modify, and distribute this software for any   * purpose with or without fee is hereby granted, provided that the above @@ -26,7 +26,6 @@  #include <pthread.h>  #include <openssl/ssl.h>  #include <openssl/err.h> -#include "list.h"  #include "hash.h"  #include "radsecproxy.h" diff --git a/fticks.c b/fticks.c new file mode 100644 index 0000000..c4acac2 --- /dev/null +++ b/fticks.c 
@@ -0,0 +1,256 @@ +/* Copyright (C) 2011 NORDUnet A/S + * See LICENSE for information about licensing. + */ + +#include <stdio.h>		/* For sprintf().  */ +#include <string.h> +#include <ctype.h> +#include <errno.h> +#include <nettle/sha.h> +#include <nettle/hmac.h> + +#include <regex.h> +#include <pthread.h> +#include <sys/time.h> +#include "radsecproxy.h" +#include "debug.h" + +#include "fticks.h" + +static void +_format_hash(const uint8_t *hash, size_t out_len, uint8_t *out) +{ +    int ir, iw; + +    for (ir = 0, iw = 0; iw <= out_len - 3; ir++, iw += 2) +	sprintf((char *) out + iw, "%02x", hash[ir % SHA256_DIGEST_SIZE]); +} + +static void +_hash(const uint8_t *in, +      const uint8_t *key, +      size_t out_len, +      uint8_t *out) +{ +    if (key == NULL) { +	struct sha256_ctx ctx; +	uint8_t hash[SHA256_DIGEST_SIZE]; + +	sha256_init(&ctx); +	sha256_update(&ctx, strlen((char *) in), in); +	sha256_digest(&ctx, sizeof(hash), hash); +	_format_hash(hash, out_len, out); +    } +    else { +	struct hmac_sha256_ctx ctx; +	uint8_t hash[SHA256_DIGEST_SIZE]; + +	hmac_sha256_set_key(&ctx, strlen((char *) key), key); +	hmac_sha256_update(&ctx, strlen((char *) in), in); +	hmac_sha256_digest(&ctx, sizeof(hash), hash); +	_format_hash(hash, out_len, out); +    } +} + +int +fticks_configure(struct options *options, +		 uint8_t **reportingp, +		 uint8_t **macp, +		 uint8_t **keyp) +{ +    int r = 0; +    const char *reporting = (const char *) *reportingp; +    const char *mac = (const char *) *macp; + +    if (reporting == NULL) +	goto out; +    if (strcasecmp(reporting, "None") == 0) +	options->fticks_reporting = RSP_FTICKS_REPORTING_NONE; +    else if (strcasecmp(reporting, "Basic") == 0) +	options->fticks_reporting = RSP_FTICKS_REPORTING_BASIC; +    else if (strcasecmp(reporting, "Full") == 0) +	options->fticks_reporting = RSP_FTICKS_REPORTING_FULL; +    else { +	debugx(1, DBG_ERR, "config error: invalid FTicksReporting value: %s", +	       reporting); +	r = 1; +	goto out; + 
   } + +    if (mac == NULL) +	goto out; +    if (strcasecmp(mac, "Static") == 0) +	options->fticks_mac = RSP_FTICKS_MAC_STATIC; +    else if (strcasecmp(mac, "Original") == 0) +	options->fticks_mac = RSP_FTICKS_MAC_ORIGINAL; +    else if (strcasecmp(mac, "VendorHashed") == 0) +	options->fticks_mac = RSP_FTICKS_MAC_VENDOR_HASHED; +    else if (strcasecmp(mac, "VendorKeyHashed") == 0) +	options->fticks_mac = RSP_FTICKS_MAC_VENDOR_KEY_HASHED; +    else if (strcasecmp(mac, "FullyHashed") == 0) +	options->fticks_mac = RSP_FTICKS_MAC_FULLY_HASHED; +    else if (strcasecmp(mac, "FullyKeyHashed") == 0) +	options->fticks_mac = RSP_FTICKS_MAC_FULLY_KEY_HASHED; +    else { +	debugx(1, DBG_ERR, "config error: invalid FTicksMAC value: %s", mac); +	r = 1; +	goto out; +    } + +    if (*keyp == NULL +	&& (options->fticks_mac == RSP_FTICKS_MAC_VENDOR_KEY_HASHED +	    || options->fticks_mac == RSP_FTICKS_MAC_FULLY_KEY_HASHED)) { +	debugx(1, DBG_ERR, +	       "config error: FTicksMAC %s requires an FTicksKey", mac); +	options->fticks_mac = RSP_FTICKS_MAC_STATIC; +	r = 1; +	goto out; +    } + +    if (*keyp != NULL) +	options->fticks_key = *keyp; + +out: +    if (*reportingp != NULL) { +	free(*reportingp); +	*reportingp = NULL; +    } +    if (*macp != NULL) { +	free(*macp); +	*macp = NULL; +    } +    return r; +} + +/** Hash the Ethernet MAC address in \a IN, keying a HMAC with \a KEY +    unless \a KEY is NULL.  If \a KEY is null \a IN is hashed with an +    ordinary cryptographic hash function such as SHA-2. + +    \a IN and \a KEY are NULL terminated strings. + +    \a IN is supposed to be an Ethernet MAC address and is sanitised +    by lowercasing it, removing all but [0-9a-f] and truncating it at +    the first ';' found.  The truncation is done because RADIUS +    supposedly has a praxis of tacking on SSID to the MAC address in +    Calling-Station-Id. + +    \return 0 on success, -ENOMEM on out of memory. 
+*/ +int +fticks_hashmac(const uint8_t *in, +	       const uint8_t *key, +	       size_t out_len, +	       uint8_t *out) +{ +    uint8_t *in_copy = NULL; +    uint8_t *p = NULL; +    int i; + +    in_copy = calloc(1, strlen((const char *) in) + 1); +    if (in_copy == NULL) +	return -ENOMEM; + +    /* Sanitise and lowercase 'in' into 'in_copy'.  */ +    for (i = 0, p = in_copy; in[i] != '\0'; i++) { +	if (in[i] == ';') { +	    *p++ = '\0'; +	    break; +	} +	if (in[i] >= '0' && in[i] <= '9') { +	    *p++ = in[i]; +	} +	else if (tolower(in[i]) >= 'a' && tolower(in[i]) <= 'f') { +	    *p++ = tolower(in[i]); +	} +    } + +    _hash(in_copy, key, out_len, out); +    free(in_copy); +    return 0; +} + +void +fticks_log(const struct options *options, +	   const struct client *client, +	   const struct radmsg *msg, +	   const struct rqout *rqout) +{ +    uint8_t *username = NULL; +    uint8_t *realm = NULL; +    uint8_t visinst[8+40+1+1]; /* Room for 40 octets of VISINST.  */ +    uint8_t *macin = NULL; +    uint8_t macout[2*32+1]; /* Room for ASCII representation of SHA256.  
*/ + +    username = radattr2ascii(radmsg_gettype(rqout->rq->msg, +					    RAD_Attr_User_Name)); +    if (username != NULL) { +	realm = (uint8_t *) strrchr((char *) username, '@'); +	if (realm != NULL) +	    realm++; +    } +    if (realm == NULL) +	realm = (uint8_t *) ""; + +    memset(visinst, 0, sizeof(visinst)); +    if (options->fticks_reporting == RSP_FTICKS_REPORTING_FULL) { +	snprintf((char *) visinst, sizeof(visinst), "VISINST=%s#", +		 client->conf->name); +    } + +    memset(macout, 0, sizeof(macout)); +    if (options->fticks_mac == RSP_FTICKS_MAC_STATIC) { +	strncpy((char *) macout, "undisclosed", sizeof(macout) - 1); +    } +    else { +	macin = radattr2ascii(radmsg_gettype(rqout->rq->msg, +					     RAD_Attr_Calling_Station_Id)); +	if (macin) { +	    switch (options->fticks_mac) +	    { +	    case RSP_FTICKS_MAC_ORIGINAL: +		memcpy(macout, macin, sizeof(macout)); +		break; +	    case RSP_FTICKS_MAC_VENDOR_HASHED: +		memcpy(macout, macin, 9); +		fticks_hashmac(macin, NULL, sizeof(macout) - 9, macout + 9); +		break; +	    case RSP_FTICKS_MAC_VENDOR_KEY_HASHED: +		memcpy(macout, macin, 9); +		/* We are hashing the first nine octets too for easier +		 * correlation between vendor-key-hashed and +		 * fully-key-hashed log records.  This opens up for a +		 * known plaintext attack on the key but the +		 * consequences of that is considered outweighed by +		 * the convenience gained.  
*/ +		fticks_hashmac(macin, options->fticks_key, +			       sizeof(macout) - 9, macout + 9); +		break; +	    case RSP_FTICKS_MAC_FULLY_HASHED: +		fticks_hashmac(macin, NULL, sizeof(macout), macout); +		break; +	    case RSP_FTICKS_MAC_FULLY_KEY_HASHED: +		fticks_hashmac(macin, options->fticks_key, sizeof(macout), +			       macout); +		break; +	    default: +		debugx(2, DBG_ERR, "invalid fticks mac configuration: %d", +		       options->fticks_mac); +	    } +	} +    } +    debug(0xff, +	  "F-TICKS/eduroam/1.0#REALM=%s#VISCOUNTRY=%s#%sCSI=%s#RESULT=%s#", +	  realm, +	  client->conf->fticks_viscountry, +	  visinst, +	  macout, +	  msg->code == RAD_Access_Accept ? "OK" : "FAIL"); +    if (macin != NULL) +	free(macin); +    if (username != NULL) +	free(username); +} + +/* Local Variables: */ +/* c-file-style: "stroustrup" */ +/* End: */ diff --git a/fticks.h b/fticks.h new file mode 100644 index 0000000..eb880c0 --- /dev/null +++ b/fticks.h @@ -0,0 +1,16 @@ +/* Copyright (C) 2011 NORDUnet A/S + * See LICENSE for information about licensing. + */ + +int fticks_configure(struct options *options, +		     uint8_t **reportingp, +		     uint8_t **macp, +		     uint8_t **keyp); +int fticks_hashmac(const uint8_t *in, +		   const uint8_t *key, +		   size_t out_len, +		   uint8_t *out); +void fticks_log(const struct options *options, +		const struct client *client, +		const struct radmsg *msg, +		const struct rqout *rqout); @@ -0,0 +1,7 @@ +int radsecproxy_main(int argc, char **argv); + +int main(int argc, char **argv) +{ +  return radsecproxy_main(argc, argv); +} + diff --git a/radsecproxy.c b/radsecproxy.c index 130d6f0..6554e8d 100644 --- a/radsecproxy.c +++ b/radsecproxy.c @@ -1,5 +1,6 @@  /*   * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2010, 2011 NORDUnet A/S   *   * Permission to use, copy, modify, and distribute this software for any   * purpose with or without fee is hereby granted, provided that the above 
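Review bot: In `fticks_log` the copies from `macin` are sized by the destination rather than by the attribute: `memcpy(macout, macin, sizeof(macout))` in the `RSP_FTICKS_MAC_ORIGINAL` case reads 65 bytes from a heap string that is normally much shorter, and when Calling-Station-Id is 65 bytes or longer it leaves `macout` without a terminator for the `%s` in the `debug()` call. The two `memcpy(macout, macin, 9)` calls in the vendor-hashed cases over-read in the same way when the value is shorter than nine bytes. Calling-Station-Id comes from the RADIUS peer, so the lengths should be taken from `strlen(macin)` and clamped to the buffer as sketched below (assuming `radattr2ascii` returns a NUL-terminated string, as the `strrchr` on `username` suggests). Separately, `_format_hash` evaluates `out_len - 3` on a `size_t`, which wraps for `out_len < 3`; no caller in this file passes such a value, but an explicit guard would make that a checked precondition.

```c
	if (macin) {
	    /* Length of the attribute as received; never copy more than this. */
	    size_t maclen = strlen((const char *) macin);
	    /* A value shorter than nine bytes keeps whatever prefix it has. */
	    size_t prefix = maclen < 9 ? maclen : 9;

	    switch (options->fticks_mac)
	    {
	    case RSP_FTICKS_MAC_ORIGINAL:
		/* macout is zeroed above, so copying at most size - 1
		 * bytes keeps it terminated. */
		if (maclen > sizeof(macout) - 1)
		    maclen = sizeof(macout) - 1;
		memcpy(macout, macin, maclen);
		break;
	    case RSP_FTICKS_MAC_VENDOR_HASHED:
		memcpy(macout, macin, prefix);
		fticks_hashmac(macin, NULL, sizeof(macout) - prefix,
			       macout + prefix);
		break;
	    case RSP_FTICKS_MAC_VENDOR_KEY_HASHED:
		memcpy(macout, macin, prefix);
		/* … unchanged: comment on hashing the vendor prefix … */
		fticks_hashmac(macin, options->fticks_key,
			       sizeof(macout) - prefix, macout + prefix);
		break;
	    /* … unchanged: fully-hashed cases and default … */
```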
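Review bot: fticks.h is not self-contained: it has no include guard and uses `uint8_t`, `size_t` and four struct types without including or forward-declaring anything, so it compiles cleanly only when radsecproxy.h is included first, as fticks.c does. I would wrap the declarations in `#ifndef FTICKS_H` / `#define FTICKS_H` / `#endif` and state the dependency on radsecproxy.h in a comment at the top. The header is also the natural place to document for callers that the unkeyed modes run plain SHA-256 over a sanitised 48-bit address (see `_hash` with a NULL key), which gives little protection against enumeration compared with the keyed modes.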
@@ -68,7 +69,6 @@
 #include <openssl/err.h>
 #include <openssl/md5.h>
 #include "debug.h"
-#include "list.h"
 #include "hash.h"
 #include "util.h"
 #include "hostport.h"
@@ -77,6 +77,9 @@
 #include "tcp.h"
 #include "tls.h"
 #include "dtls.h"
+#if defined(WANT_FTICKS)
+#include "fticks.h"
+#endif
 static struct options options;
 static struct list *clconfs, *srvconfs;
@@ -1664,6 +1667,12 @@ void replyh(struct server *server, unsigned char *buf) {
 	}
     }
+#if defined(WANT_FTICKS)
+    if (msg->code == RAD_Access_Accept || msg->code == RAD_Access_Reject)
+	if (options.fticks_reporting && from->conf->fticks_viscountry != NULL)
+	    fticks_log(&options, from, msg, rqout);
+#endif
+
     msg->id = (char)rqout->rq->rqid;
     memcpy(msg->auth, rqout->rq->rqauth, 16);
@@ -2254,10 +2263,8 @@ int dynamicconfig(struct server *server) {
     close(fd[1]);
     pushgconffile(&cf, fdopen(fd[0], "r"), conf->dynamiclookupcommand);
-    ok = getgenericconfig(&cf, NULL,
-			  "Server", CONF_CBK, confserver_cb, (void *)conf,
-			  NULL
-	);
+    ok = getgenericconfig(&cf, NULL, "Server", CONF_CBK, confserver_cb,
+			  (void *) conf, NULL);
     freegconf(&cf);
     if (waitpid(pid, &status, 0) < 0) {
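Review bot: The new `fticks_log(&options, from, msg, rqout)` call in replyh passes the original request's User-Name and Calling-Station-Id, both supplied by the remote peer, to code that copies without a length check: the fticks.c section earlier on this page does `memcpy(macout, macin, sizeof(macout))` and `memcpy(macout, macin, 9)` without comparing against the length of the string radattr2ascii returned. A Calling-Station-Id shorter than the copy size would be read past its end, and one at least `sizeof(macout)` long would leave `macout` without a terminating NUL before it is printed with `%s`. Bounding the copy, e.g. `strncpy((char *) macout, (char *) macin, sizeof(macout) - 1);`, and skipping the vendor-prefix modes when `strlen((char *) macin) < 9` would close both. The realm is also written into the `#`-delimited record unescaped, so a User-Name containing `#` can alter the fields a log parser sees. Those fixes belong in fticks_log, whose hunk starts outside this view, and replyh's body also continues outside the hunk.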
@@ -2659,22 +2666,26 @@ int confclient_cb(struct gconffile **cf, void *arg, char *block, char *opt, char
     memset(conf, 0, sizeof(struct clsrvconf));
     conf->certnamecheck = 1;
-    if (!getgenericconfig(cf, block,
-			  "type", CONF_STR, &conftype,
-			  "host", CONF_MSTR, &conf->hostsrc,
-			  "secret", CONF_STR, &conf->secret,
+    if (!getgenericconfig(
+	    cf, block,
+	    "type", CONF_STR, &conftype,
+	    "host", CONF_MSTR, &conf->hostsrc,
+	    "secret", CONF_STR, &conf->secret,
 #if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
-			  "tls", CONF_STR, &conf->tls,
-			  "matchcertificateattribute", CONF_STR, &conf->matchcertattr,
-			  "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
+	    "tls", CONF_STR, &conf->tls,
+	    "matchcertificateattribute", CONF_STR, &conf->matchcertattr,
+	    "CertificateNameCheck", CONF_BLN, &conf->certnamecheck,
 #endif
-			  "DuplicateInterval", CONF_LINT, &dupinterval,
-			  "addTTL", CONF_LINT, &addttl,
-			  "rewrite", CONF_STR, &rewriteinalias,
-			  "rewriteIn", CONF_STR, &conf->confrewritein,
-			  "rewriteOut", CONF_STR, &conf->confrewriteout,
-			  "rewriteattribute", CONF_STR, &conf->confrewriteusername,
-			  NULL
+	    "DuplicateInterval", CONF_LINT, &dupinterval,
+	    "addTTL", CONF_LINT, &addttl,
+	    "rewrite", CONF_STR, &rewriteinalias,
+	    "rewriteIn", CONF_STR, &conf->confrewritein,
+	    "rewriteOut", CONF_STR, &conf->confrewriteout,
+	    "rewriteattribute", CONF_STR, &conf->confrewriteusername,
+#if defined(WANT_FTICKS)
+	    "fticksVISCOUNTRY", CONF_STR, &conf->fticks_viscountry,
+#endif
+	    NULL
 	    ))
 	debugx(1, DBG_ERR, "configuration error");
@@ -3006,6 +3017,11 @@ void getmainconfig(const char *configfile) {
     struct gconffile *cfs;
     char **listenargs[RAD_PROTOCOUNT];
     char *sourcearg[RAD_PROTOCOUNT];
+#if defined(WANT_FTICKS)
+    uint8_t *fticks_reporting_str = NULL;
+    uint8_t *fticks_mac_str = NULL;
+    uint8_t *fticks_key_str = NULL;
+#endif
     int i;
     cfs = openconfigfile(configfile);
@@ -3029,36 +3045,42 @@ void getmainconfig(const char *configfile) {
     if (!rewriteconfs)
 	debugx(1, DBG_ERR, "malloc failed");
-    if (!getgenericconfig(&cfs, NULL,
+    if (!getgenericconfig(
+	    &cfs, NULL,
 #ifdef RADPROT_UDP
-			  "ListenUDP", CONF_MSTR, &listenargs[RAD_UDP],
-			  "SourceUDP", CONF_STR, &sourcearg[RAD_UDP],
+	    "ListenUDP", CONF_MSTR, &listenargs[RAD_UDP],
+	    "SourceUDP", CONF_STR, &sourcearg[RAD_UDP],
 #endif
 #ifdef RADPROT_TCP
-			  "ListenTCP", CONF_MSTR, &listenargs[RAD_TCP],
-			  "SourceTCP", CONF_STR, &sourcearg[RAD_TCP],
+	    "ListenTCP", CONF_MSTR, &listenargs[RAD_TCP],
+	    "SourceTCP", CONF_STR, &sourcearg[RAD_TCP],
 #endif
 #ifdef RADPROT_TLS
-			  "ListenTLS", CONF_MSTR, &listenargs[RAD_TLS],
-			  "SourceTLS", CONF_STR, &sourcearg[RAD_TLS],
+	    "ListenTLS", CONF_MSTR, &listenargs[RAD_TLS],
+	    "SourceTLS", CONF_STR, &sourcearg[RAD_TLS],
 #endif
 #ifdef RADPROT_DTLS
-			  "ListenDTLS", CONF_MSTR, &listenargs[RAD_DTLS],
-			  "SourceDTLS", CONF_STR, &sourcearg[RAD_DTLS],
+	    "ListenDTLS", CONF_MSTR, &listenargs[RAD_DTLS],
+	    "SourceDTLS", CONF_STR, &sourcearg[RAD_DTLS],
 #endif
-			  "TTLAttribute", CONF_STR, &options.ttlattr,
-			  "addTTL", CONF_LINT, &addttl,
-			  "LogLevel", CONF_LINT, &loglevel,
-			  "LogDestination", CONF_STR, &options.logdestination,
-			  "LoopPrevention", CONF_BLN, &options.loopprevention,
-			  "Client", CONF_CBK, confclient_cb, NULL,
-			  "Server", CONF_CBK, confserver_cb, NULL,
-			  "Realm", CONF_CBK, confrealm_cb, NULL,
+	    "TTLAttribute", CONF_STR, &options.ttlattr,
+	    "addTTL", CONF_LINT, &addttl,
+	    "LogLevel", CONF_LINT, &loglevel,
+	    "LogDestination", CONF_STR, &options.logdestination,
+	    "LoopPrevention", CONF_BLN, &options.loopprevention,
+	    "Client", CONF_CBK, confclient_cb, NULL,
+	    "Server", CONF_CBK, confserver_cb, NULL,
+	    "Realm", CONF_CBK, confrealm_cb, NULL,
 #if defined(RADPROT_TLS) || defined(RADPROT_DTLS)
-			  "TLS", CONF_CBK, conftls_cb, NULL,
+	    "TLS", CONF_CBK, conftls_cb, NULL,
 #endif
-			  "Rewrite", CONF_CBK, confrewrite_cb, NULL,
-			  NULL
+	    "Rewrite", CONF_CBK, confrewrite_cb, NULL,
+#if defined(WANT_FTICKS)
+	    "FTicksReporting", CONF_STR, &fticks_reporting_str,
+	    "FTicksMAC", CONF_STR, &fticks_mac_str,
+	    "FTicksKey", CONF_STR, &fticks_key_str,
+#endif
+	    NULL
 	    ))
 	debugx(1, DBG_ERR, "configuration error");
@@ -3075,6 +3097,11 @@ void getmainconfig(const char *configfile) {
     if (!setttlattr(&options, DEFAULT_TTL_ATTR))
     	debugx(1, DBG_ERR, "Failed to set TTLAttribute, exiting");
+#if defined(WANT_FTICKS)
+    fticks_configure(&options, &fticks_reporting_str, &fticks_mac_str,
+		     &fticks_key_str);
+#endif
+
     for (i = 0; i < RAD_PROTOCOUNT; i++)
 	if (listenargs[i] || sourcearg[i])
 	    setprotoopts(i, listenargs[i], sourcearg[i]);
@@ -3180,7 +3207,7 @@ int createpidfile(const char *pidfile) {
     return f && !fclose(f) && r >= 0;
 }
-int main(int argc, char **argv) {
+int radsecproxy_main(int argc, char **argv) {
     pthread_t sigth;
     sigset_t sigset;
     struct list_node *entry;
diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 6d24ba8..909356c 100644
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -6,9 +6,9 @@
 # You can optionally specify addresses and ports to listen on
 # Multiple statements can be used for multiple ports/addresses
 #ListenUDP		*:1814
-#listenUDP		localhost
+#ListenUDP		localhost
 #ListenTCP		[2001:700:1:7:215:f2ff:fe35:307d]:1812
-#listenTLS		10.10.10.10:2084
+#ListenTLS		10.10.10.10:2084
 #ListenTLS		[2001:700:1:7:215:f2ff:fe35:307d]:2084
 #ListenDTLS		[2001:700:1:7:215:f2ff:fe35:307d]:2084
@@ -17,6 +17,7 @@
 #SourceTCP		*:33000
 #SourceTLS		*:33001
 #SourceDTLS		*:33001
+
 # Optional log level. 3 is default, 1 is less, 5 is more
 #LogLevel		3
 # Optional LogDestination, else stderr used for logging
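Review bot: The result of the `fticks_configure(&options, &fticks_reporting_str, &fticks_mac_str, &fticks_key_str);` call added to getmainconfig in the `@@ -3075,6 +3097,11 @@` hunk is discarded, although fticks.h declares the function as returning `int` and the `setttlattr` call just above it reports failure through `debugx(1, DBG_ERR, "Failed to set TTLAttribute, exiting")`. Unless fticks_configure exits by itself on a bad value (its body is not visible here), a mistyped FTicksMAC or a KeyHashed mode given without FTicksKey could leave the proxy running with a logging mode the operator did not ask for. That matters because the mode decides whether Calling-Station-Id is logged in clear. Checking the result, e.g. `if (fticks_configure(...) != 0) debugx(1, DBG_ERR, "F-Ticks configuration error, exiting");` with the comparison adjusted to the function's actual success value, keeps such a failure visible at start-up. getmainconfig starts and ends outside the hunk.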
@@ -28,12 +29,39 @@
 #LogDestination         x-syslog:///
 #LogDestination         x-syslog:///log_local2
+# For generating log entries conforming to the F-Ticks system, specify
+# FTicksReporting with one of the following values.
+#   None  -- Do not log in F-Ticks format.  This is the default.
+#   Basic -- Do log in F-Ticks format but do not log VISINST.
+#   Full  -- Do log in F-Ticks format and do log VISINST.
+# Please note that in order to get F-Ticks logging for a given client,
+# its matching client configuration block has to contain the
+# fticksVISCOUNTRY option.
+
+# You can optionally specify FTicksMAC in order to determine if and
+# how Calling-Station-Id is logged.
+#   Static          -- Use a static string as a placeholder for
+#                      Calling-Station-Id.  This is the default.
+#   Original        -- Log Calling-Station-Id as-is.
+#   VendorHashed    -- Keep first three segments as-is, hash the rest.
+#   VendorKeyHashed -- Like VendorHashed but salt with F-Ticks-Key.
+#   FullyHashed     -- Hash the entire string.
+#   FullyKeyHashed  -- Like FullyHashed but salt with F-Ticks-Key.
+
+# In order to use FTicksMAC with one of VendorKeyHashed or
+# FullyKeyHashed, specify a key with FTicksKey.
+# FTicksKey <key>
+
+# Default F-Ticks configuration:
+#FTicksReporting None
+#FTicksMAC Static
+
 # There is an option for doing some simple loop prevention.  Note that
 # the LoopPrevention directive can be used in server blocks too,
 # overriding what's set here in the basic settings.
 #LoopPrevention		on
 # Add TTL attribute with value 20 if not present (prevents endless loops)
-#addTTL 20
+#AddTTL 20
 # If we have TLS clients or servers we must define at least one tls block.
 # You can name them whatever you like and then reference them by name when
diff --git a/radsecproxy.conf.5.xml b/radsecproxy.conf.5.xml
index 8dfcd58..bfc701e 100644
--- a/radsecproxy.conf.5.xml
+++ b/radsecproxy.conf.5.xml
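Review bot: The FTicksMAC comment block added to radsecproxy.conf-example lists `VendorHashed` and `FullyHashed` next to the keyed modes without saying that they are unkeyed. A MAC address has a small value space (24 bits after the vendor prefix in the VendorHashed case), so an unkeyed digest of it can be mapped back by recomputation and gives little privacy. A line such as `#   Note: only the KeyHashed modes resist recomputation; keep FTicksKey secret and this file readable only by the proxy user.` would tell operators which modes actually pseudonymise. The block also says the keyed modes "salt with F-Ticks-Key", while the man page in this commit calls the result an HMAC and the option is spelled `FTicksKey`; one term and one spelling would avoid confusion.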
@@ -2,246 +2,321 @@  "http://www.oasis-open.org/docbook/xml/4.1.2/docbookx.dtd">  <refentry>    <refentryinfo> -    <date>2009-03-12</date> +    <date>2011-04-04</date>    </refentryinfo>    <refmeta>      <refentrytitle>        <application>radsecproxy.conf</application>      </refentrytitle>      <manvolnum>5</manvolnum> -    <refmiscinfo>radsecproxy devel 2009-03-12</refmiscinfo> +    <refmiscinfo>radsecproxy 1.5-dev</refmiscinfo>    </refmeta>    <refnamediv>      <refname>        <application>radsecproxy.conf</application>      </refname> -    <refpurpose> -Radsec proxy configuration file -    </refpurpose> +    <refpurpose>Radsec proxy configuration file</refpurpose>    </refnamediv>    <refsect1>      <title>Description</title>      <para> -When the proxy server starts, it will first check the command line arguments, -and then read the configuration file. Normally radsecproxy will read the -configuration file <filename>/etc/radsecproxy.conf</filename>. The command -line <option>-c</option> option can be used to instead read an alternate -file (see +      When the proxy server starts, it will first check the command +      line arguments, and then read the configuration file. Normally +      radsecproxy will read the configuration file +      <filename>/etc/radsecproxy.conf</filename>. The command line +      <option>-c</option> option can be used to instead read an +      alternate file (see        <citerefentry> -        <refentrytitle>radsecproxy</refentrytitle> -        <manvolnum>1</manvolnum> +        <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>        </citerefentry> -for details). +      for details).      </para>      <para> -    If the configuration file can not be found, the proxy will exit with an -    error message. Note that there is also an include facility so that any -    configuration file may include other configuration files. The proxy will -    also exit on configuration errors. 
+    If the configuration file can not be found, the proxy will exit +    with an error message. Note that there is also an include facility +    so that any configuration file may include other configuration +    files. The proxy will also exit on configuration errors.      </para>    </refsect1>    <refsect1>      <title>Configuration Syntax</title>      <para> -When the configuration file is processed, whitespace (spaces and tabs) are -generally ignored. For each line, leading and trailing whitespace are ignored. -A line is ignored if it is empty, only consists of whitespace, or if the first  -non-whitespace character is a <literal>#</literal>. The configuration is -generally case insensitive, but in some cases the option values (see below) -are not. -    </para> -    <para> -There are two types of configuration structures than can be used. The first -and simplest are lines on the format <emphasis>option value</emphasis>. That -is, an option name, see below for a list of valid options, followed by -whitespace (at least one space or tab character), followed by a value. Note -that if the value contains whitespace, then it must be quoted using -<literal>""</literal> or <literal>''</literal>. Any whitespace -in front of the option or after the value will be ignored. -    </para> -    <para> -The other type of structure is a block. A block spans at least two lines, and -has the format: -      <blockquote> -<literallayout> +      When the configuration file is processed, whitespace (spaces and +      tabs) are generally ignored. For each line, leading and trailing +      whitespace are ignored.  A line is ignored if it is empty, only +      consists of whitespace, or if the first non-whitespace character +      is a <literal>#</literal>. The configuration is generally case +      insensitive, but in some cases the option values (see below) are +      not. +    </para> +    <para> +      There are two types of configuration structures than can be +      used. 
The first and simplest are lines on the format +      <emphasis>option value</emphasis>. That is, an option name, see +      below for a list of valid options, followed by whitespace (at +      least one space or tab character), followed by a value. Note +      that if the value contains whitespace, then it must be quoted +      using <literal>""</literal> or <literal>''</literal>. Any +      whitespace in front of the option or after the value will be +      ignored. +    </para> +    <para> +      The other type of structure is a block. A block spans at least +      two lines, and has the format: +      <blockquote><literallayout>  blocktype name {      option value      option value      ...  } -</literallayout> -      </blockquote> -That is, some blocktype, see below for a list of the different block types, and -then enclosed in braces you have zero or more lines that each have the -previously described <emphasis>option value</emphasis> format. Different block -types have different rules for which options can be specified, they are listed -below. The rules regarding white space, comments and quotes are as above. Hence -you may do things like: -      <blockquote> -        <para> -<literallayout> +      </literallayout></blockquote> +      That is, some blocktype, see below for a list of the different +      block types, and then enclosed in braces you have zero or more +      lines that each have the previously described <emphasis>option +      value</emphasis> format. Different block types have different +      rules for which options can be specified, they are listed +      below. The rules regarding white space, comments and quotes are +      as above. Hence you may do things like: +      <blockquote><literallayout>  blocktype name {  #    option value      option "value with space"      ...  
} -</literallayout> -        </para> -      </blockquote> +      </literallayout></blockquote>      </para>      <para> -Option value characters can also be written in hex. This is done by writing the -character <literal>%</literal> followed by two hexadecimal digits. If a -<literal>%</literal> is used without two following hexadecimal digits, the -<literal>%</literal> and the following characters are used as written. If you -want to write a <literal>%</literal> and not use this decoding, you may of -course write <literal>%</literal> in hex; i.e., <literal>%25</literal>. +      Option value characters can also be written in hex. This is done +      by writing the character <literal>%</literal> followed by two +      hexadecimal digits. If a <literal>%</literal> is used without +      two following hexadecimal digits, the <literal>%</literal> and +      the following characters are used as written. If you want to +      write a <literal>%</literal> and not use this decoding, you may +      of course write <literal>%</literal> in hex; i.e., +      <literal>%25</literal>.      </para>      <para> -There is one special option that can be used both as a basic option and inside -all blocks. That is the option <literal>include</literal> where the value -specifies files to be included. The value can be a single file, or it can use -normal shell globbing to specify multiple files, e.g.: +      There is one special option that can be used both as a basic +      option and inside all blocks. That is the option +      <literal>Include</literal> where the value specifies files to be +      included. The value can be a single file, or it can use normal +      shell globbing to specify multiple files, e.g.:        <blockquote>          <para> -include /etc/radsecproxy.conf.d/*.conf +	  include /etc/radsecproxy.conf.d/*.conf          </para>        </blockquote> -The files are sorted alphabetically. 
Included files are read in the order they -are specified, when reaching the end of a file, the next file is read. When -reaching the end of the last included file, the proxy returns to read the next -line following the <literal>include</literal> option. Included files may again -include other files. +      The files are sorted alphabetically. Included files are read in +      the order they are specified, when reaching the end of a file, +      the next file is read. When reaching the end of the last +      included file, the proxy returns to read the next line following +      the <literal>Include</literal> option. Included files may again +      include other files.      </para>    </refsect1>    <refsect1>      <title>Basic Options</title>      <para> -The following basic options may be specified in the configuration file. Note -that blocktypes and options inside blocks are discussed later. Note that none -of these options are required, and indeed in many cases they are not needed. -Note that you should specify each at most once. The behaviour with multiple -occurences is undefined. +      The following basic options may be specified in the +      configuration file. Note that blocktypes and options inside +      blocks are discussed later. Note that none of these options are +      required, and indeed in many cases they are not needed.  Note +      that you should specify each at most once. The behaviour with +      multiple occurences is undefined.      </para>      <variablelist>        <varlistentry> -        <term><literal>logLevel</literal></term> +        <term><literal>LogLevel</literal></term>          <listitem>  	  <para> -This option specifies the debug level. It must be set to 1, 2, 3, 4 or 5, where -1 logs only serious errors, and 5 logs everything. The default is 2 which logs -errors, warnings and a few informational messages. Note that the command line -option <option>-d</option> overrides this. +	    This option specifies the debug level. 
It must be set to +	    1, 2, 3, 4 or 5, where 1 logs only serious errors, and 5 +	    logs everything. The default is 2 which logs errors, +	    warnings and a few informational messages. Note that the +	    command line option <option>-d</option> overrides this.  	  </para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>logDestination</literal></term> +        <term><literal>LogDestination</literal></term>          <listitem>  	  <para> -This specifies where the log messages should go. By default the messages go to -syslog with facility <literal>LOG_DAEMON</literal>. Using this option you can -specify another syslog facility, or you may specify that logging should be to -a particular file, not using syslog. The value must be either a file or -syslog URL. The file URL is the standard one, specifying a local file that -should be used. For syslog, you must use the syntax: -<literal>x-syslog:///FACILITY</literal> where <literal>FACILITY</literal> must -be one of <literal>LOG_DAEMON</literal>, <literal>LOG_MAIL</literal>, -<literal>LOG_USER</literal>, <literal>LOG_LOCAL0</literal>, -<literal>LOG_LOCAL1</literal>, <literal>LOG_LOCAL2</literal>, -<literal>LOG_LOCAL3</literal>, <literal>LOG_LOCAL4</literal>, -<literal>LOG_LOCAL5</literal>, <literal>LOG_LOCAL6</literal> or -<literal>LOG_LOCAL7</literal>. You may omit the facility from the URL to -specify logging to the default facility, but this is not very useful since -this is the default log destination. Note that this option is ignored if -<option>-f</option> is specified on the command line. +	    This specifies where the log messages should go. By +	    default the messages go to syslog with facility +	    <literal>LOG_DAEMON</literal>. Using this option you can +	    specify another syslog facility, or you may specify that +	    logging should be to a particular file, not using +	    syslog. The value must be either a file or syslog URL. 
The +	    file URL is the standard one, specifying a local file that +	    should be used. For syslog, you must use the syntax: +	    <literal>x-syslog:///FACILITY</literal> where +	    <literal>FACILITY</literal> must be one of +	    <literal>LOG_DAEMON</literal>, +	    <literal>LOG_MAIL</literal>, <literal>LOG_USER</literal>, +	    <literal>LOG_LOCAL0</literal>, +	    <literal>LOG_LOCAL1</literal>, +	    <literal>LOG_LOCAL2</literal>, +	    <literal>LOG_LOCAL3</literal>, +	    <literal>LOG_LOCAL4</literal>, +	    <literal>LOG_LOCAL5</literal>, +	    <literal>LOG_LOCAL6</literal> or +	    <literal>LOG_LOCAL7</literal>. You may omit the facility +	    from the URL to specify logging to the default facility, +	    but this is not very useful since this is the default log +	    destination. Note that this option is ignored if +	    <option>-f</option> is specified on the command line.  	  </para>          </listitem>        </varlistentry> + +      <varlistentry> +        <term><literal>FTicksReporting</literal></term> +        <listitem> +	  <para> +	    The FTicksReporting option is used to enable F-Ticks +	    logging and can be set to <literal>None</literal>, +	    <literal>Basic</literal> or <literal>Full</literal>.  Its +	    default value is <literal>None</literal>. + +	    See <literal>radsecproxy.conf-example</literal> for +	    details.  Note that radsecproxy has to be configured with +	    support for F-Ticks (<literal>--enable-fticks</literal>) +	    for this option to have any effect. +	  </para> +	</listitem> +      </varlistentry> + +      <varlistentry> +        <term><literal>FTicksMAC</literal></term> +        <listitem> +	  <para> +	    The FTicksMAC option can be used to control if and how +	    Calling-Station-Id is being logged.  
It can be set to one +	    of <literal>Static</literal>, <literal>Original</literal>, +	    <literal>VendorHashed</literal>, +	    <literal>VendorKeyHashed</literal>, +	    <literal>FullyHashed</literal> or +	    <literal>FullyKeyHashed</literal>. + +	    Its default value is <static>Static</static>. + +	    See <literal>radsecproxy.conf-example</literal> for +	    details.  Note that radsecproxy has to be configured with +	    support for F-Ticks (<literal>--enable-fticks</literal>) +	    for this option to have any effect. +	  </para> +	</listitem> +      </varlistentry> +        <varlistentry> -        <term><literal>listenUDP</literal></term> +        <term><literal>FTicksKey</literal></term>          <listitem>  	  <para> -Normally the proxy will listen to the standard RADIUS UDP port -<literal>1812</literal> if configured to handle UDP clients. On most systems it -will do this for all of the system's IP addresses (both IPv4 and IPv6). On some -systems however, it may respond to only IPv4 or only IPv6. To specify an -alternate port you may use a value on the form <literal>*:port</literal> where -port is any valid port number. If you also want to specify a specific address -you can do e.g. <literal>192.168.1.1:1812</literal> or -<literal>[2001:db8::1]:1812</literal>. The port may be omitted if you want the -default one (like in these examples). These examples are equivalent to -<literal>192.168.1.1</literal> and <literal>2001:db8::1</literal>. Note that -you must use brackets around the IPv6 address. -This option may be specified multiple times to listen to multiple addresses -and/or ports. +	    The FTicksKey option is used to specify the key to use +	    when producing HMAC's as an effect of specifying +	    VendorKeyHashed or FullyKeyHashed for the FTicksMAC +	    option. + +	    Note that radsecproxy has to be configured with support +	    for F-Ticks (<literal>--enable-fticks</literal>) for this +	    option to have any effect. 
+	  </para> +	</listitem> +      </varlistentry> + +      <varlistentry> +        <term><literal>ListenUDP</literal></term> +        <listitem> +	  <para> +	    Normally the proxy will listen to the standard RADIUS UDP +	    port <literal>1812</literal> if configured to handle UDP +	    clients. On most systems it will do this for all of the +	    system's IP addresses (both IPv4 and IPv6). On some +	    systems however, it may respond to only IPv4 or only +	    IPv6. To specify an alternate port you may use a value on +	    the form <literal>*:port</literal> where port is any valid +	    port number. If you also want to specify a specific +	    address you can do +	    e.g. <literal>192.168.1.1:1812</literal> or +	    <literal>[2001:db8::1]:1812</literal>. The port may be +	    omitted if you want the default one (like in these +	    examples). These examples are equivalent to +	    <literal>192.168.1.1</literal> and +	    <literal>2001:db8::1</literal>. Note that you must use +	    brackets around the IPv6 address.  This option may be +	    specified multiple times to listen to multiple addresses +	    and/or ports.  	  </para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>listenTCP</literal></term> +        <term><literal>ListenTCP</literal></term>          <listitem>  	  <para> -This option is similar to the <literal>listenUDP</literal> option, except -that it is used for receiving connections from TCP clients. The default port -number is <literal>1812</literal>. +	    This option is similar to the <literal>ListenUDP</literal> +	    option, except that it is used for receiving connections +	    from TCP clients. The default port number is +	    <literal>1812</literal>.  	  
</para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>listenTLS</literal></term> +        <term><literal>ListenTLS</literal></term>          <listitem>  	  <para> -This is similar to the <literal>listenUDP</literal> option, except that it is -used for receiving connections from TLS clients. The default port number is -<literal>2083</literal>. Note that this option was previously called -<literal>listenTCP</literal>. +	    This is similar to the <literal>ListenUDP</literal> +	    option, except that it is used for receiving connections +	    from TLS clients. The default port number is +	    <literal>2083</literal>. Note that this option was +	    previously called <literal>ListenTCP</literal>.  	  </para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>listenDTLS</literal></term> +        <term><literal>ListenDTLS</literal></term>          <listitem>  	  <para> -This is similar to the <literal>listenUDP</literal> option, except that it is -used for receiving connections from DTLS clients. The default port number is  -<literal>2083</literal>. +	    This is similar to the <literal>ListenUDP</literal> +	    option, except that it is used for receiving connections +	    from DTLS clients. The default port number is +	    <literal>2083</literal>.  	  </para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>sourceUDP</literal></term> +        <term><literal>SourceUDP</literal></term>          <listitem>  	  <para> -This can be used to specify source address and/or source port that the proxy -will use for sending UDP client messages (e.g. Access Request). +	    This can be used to specify source address and/or source +	    port that the proxy will use for sending UDP client +	    messages (e.g. Access Request).  	  
</para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>sourceTCP</literal></term> +        <term><literal>SourceTCP</literal></term>          <listitem>  	  <para> -This can be used to specify source address and/or source port that the proxy -will use for TCP connections. +	    This can be used to specify source address and/or source +	    port that the proxy will use for TCP connections.  	  </para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>sourceTLS</literal></term> +        <term><literal>SourceTLS</literal></term>          <listitem>  	  <para> -This can be used to specify source address and/or source port that the proxy -will use for TLS connections. +	    This can be used to specify source address and/or source +	    port that the proxy will use for TLS connections.  	  </para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>sourceDTLS</literal></term> +        <term><literal>SourceDTLS</literal></term>          <listitem>  	  <para> -This can be used to specify source address and/or source port that the proxy -will use for DTLS connections. +	    This can be used to specify source address and/or source +	    port that the proxy will use for DTLS connections.  	  </para>          </listitem>        </varlistentry> 
@@ -249,48 +324,55 @@ will use for DTLS connections.          <term><literal>TTLAttribute</literal></term>          <listitem>  	  <para> -This can be used to change the default TTL attribute. Only change this if -you know what you are doing. The syntax is either a numerical value -denoting the TTL attribute, or two numerical values separated by column -specifying a vendor attribute, i.e. <literal>vendorid:attribute</literal>. +	    This can be used to change the default TTL attribute. Only +	    change this if you know what you are doing. The syntax is +	    either a numerical value denoting the TTL attribute, or +	    two numerical values separated by column specifying a +	    vendor attribute, +	    i.e. <literal>vendorid:attribute</literal>.  	  </para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>addTTL</literal></term> +        <term><literal>AddTTL</literal></term>          <listitem>  	  <para> -If a TTL attribute is present, the proxy will decrement the value and -discard the message if zero. Normally the proxy does nothing if no TTL -attribute is present. If you use the addTTL option with a value 1-255, -the proxy will when forwarding a message with no TTL attribute, add one -with the specified value. Note that this option can also be specified -for a client/server. It will then override this setting when forwarding -a message to that client/server. +	    If a TTL attribute is present, the proxy will decrement +	    the value and discard the message if zero. Normally the +	    proxy does nothing if no TTL attribute is present. If you +	    use the AddTTL option with a value 1-255, the proxy will +	    when forwarding a message with no TTL attribute, add one +	    with the specified value. Note that this option can also +	    be specified for a client/server. It will then override +	    this setting when forwarding a message to that +	    client/server.  	  
</para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>loopPrevention</literal></term> +        <term><literal>LoopPrevention</literal></term>          <listitem>  	  <para> -This can be set to <literal>on</literal> or <literal>off</literal> with -<literal>off</literal> being the default. When this is enabled, a request -will never be sent to a server named the same as the client it was received -from. I.e., the names of the client block and the server block are compared. -Note that this only gives limited protection against loops. -It can be used as a basic option and inside server blocks where it overrides -the basic setting. +	    This can be set to <literal>on</literal> or +	    <literal>off</literal> with <literal>off</literal> being +	    the default. When this is enabled, a request will never be +	    sent to a server named the same as the client it was +	    received from. I.e., the names of the client block and the +	    server block are compared.  Note that this only gives +	    limited protection against loops.  It can be used as a +	    basic option and inside server blocks where it overrides +	    the basic setting.  	  </para>          </listitem>        </varlistentry>        <varlistentry> -        <term><literal>include</literal></term> +        <term><literal>Include</literal></term>          <listitem>  	  <para> -This is not a normal configuration option; it can be specified multiple times. -It can both be used as a basic option and inside blocks. For the full -description, see the configuration syntax section above. +	    This is not a normal configuration option; it can be +	    specified multiple times.  It can both be used as a basic +	    option and inside blocks. For the full description, see +	    the configuration syntax section above.  	  </para>          </listitem>        </varlistentry> 
@@ -299,140 +381,163 @@ description, see the configuration syntax section above.
   <refsect1>
     <title>Blocks</title>
     <para>
-There are five types of blocks, they are <literal>client</literal>,
-<literal>server</literal>, <literal>realm</literal>, <literal>tls</literal>
-and <literal>rewrite</literal>. At least one instance of each of
-<literal>client</literal> and <literal>realm</literal> is required. This is
-necessary for the proxy to do anything useful, and it will exit if not. The
-<literal>tls</literal> block is required if at least one TLS/DTLS client or
-server is configured. Note that there can be multiple blocks for each type.
-For each type, the block names should be unique. The behaviour with multiple
-occurences of the same name for the same block type is undefined. Also note
-that some block option values may reference a block by name, in which case
-the block name must be previously defined. Hence the order of the blocks may
-be significant.
+      There are five types of blocks, they are
+      <literal>client</literal>, <literal>server</literal>,
+      <literal>realm</literal>, <literal>tls</literal> and
+      <literal>rewrite</literal>. At least one instance of each of
+      <literal>client</literal> and <literal>realm</literal> is
+      required. This is necessary for the proxy to do anything useful,
+      and it will exit if not. The <literal>tls</literal> block is
+      required if at least one TLS/DTLS client or server is
+      configured. Note that there can be multiple blocks for each
+      type.  For each type, the block names should be unique. The
+      behaviour with multiple occurences of the same name for the same
+      block type is undefined. Also note that some block option values
+      may reference a block by name, in which case the block name must
+      be previously defined. Hence the order of the blocks may be
+      significant.
     </para>
   </refsect1>
   <refsect1>
     <title>Client Block</title>
     <para>
-The client block is used to configure a client. That is, tell the proxy about a
-client, and what parameters should be used for that client. The name of the
-client block must (with one exception, see below) be either the IP address
-(IPv4 or IPv6) of the client, an IP prefix (IPv4 or IPv6) on the form
-IpAddress/PrefixLength, or a domain name (FQDN). Note that literal IPv6
-addresses must be enclosed in brackets.
-    </para>
-    <para>
-If a domain name is specified, then this will be resolved immediately to all
-the addresses associated with the name, and the proxy will not care about any
-possible DNS changes that might occur later. Hence there is no dependency on
-DNS after startup.
-    </para>
-    <para>
-When some client later sends a request to the proxy, the proxy will look at the
-IP address the request comes from, and then go through all the addresses of
-each of the configured clients (in the order they are defined), to determine
-which (if any) of the clients this is.
-    </para>
-    <para>
-In the case of TLS/DTLS, the name of the client must match the FQDN or IP
-address in the client certificate. Note that this is not required when the
-client name is an IP prefix.
-    </para>
-    <para>
-Alternatively one may use the <literal>host</literal> option inside a client
-block. In that case, the value of the <literal>host</literal> option is used as
-above, while the name of the block is only used as a descriptive name for the
-administrator. The host option may be used multiple times, and can be a mix of
-addresses, FQDNs and prefixes.
-    </para>
-    <para>
-The allowed options in a client block are <literal>host</literal>,
-<literal>type</literal>, <literal>secret</literal>, <literal>tls</literal>,
-<literal>certificateNameCheck</literal>,
-<literal>matchCertificateAttribute</literal>,
-<literal>duplicateInterval</literal>, <literal>addTTL</literal>,
-<literal>rewrite</literal>, <literal>rewriteIn</literal>,
-<literal>rewriteOut</literal> and <literal>rewriteAttribute</literal>.
-We already discussed the
-<literal>host</literal> option. The value of <literal>type</literal> must be
-one of <literal>udp</literal>, <literal>tcp</literal>, <literal>tls</literal>
-or <literal>dtls</literal>. The value of <literal>secret</literal> is the
-shared RADIUS key used with this client. If the secret contains whitespace,
-the value must be quoted.  A secret must be supplied for UDP/TCP.  If
-no secret is supplied for TLS/DTLS, a default value of "mysecret" is 
-being used.  This value will change in a future release to match the 
-upcoming standard.
-    </para>
-    <para>
-For a TLS/DTLS client you may also specify the <literal>tls</literal> option.
-The option value must be the name of a previously defined TLS block. If this
-option is not specified, the TLS block with the name
-<literal>defaultClient</literal> will be used if defined. If not defined, it
-will try to use the TLS block named <literal>default</literal>. If the
-specified TLS block name does not exist, or the option is not specified and
-none of the defaults exist, the proxy will exit with an error.
-    </para>
-    <para>
-For a TLS/DTLS client, the option <literal>certificateNameCheck</literal>
-can be set
-to <literal>off</literal>, to disable the default behaviour of matching CN or
-SubjectAltName against the specified hostname or IP address.
-    </para>
-    <para>
-Additional validation of certificate attributes can be done by use of the
-<literal>matchCertificateAttribute</literal> option. Currently one can only do
-some matching of CN and SubjectAltName. For regexp matching on CN, one can use
-the value <literal>CN:/regexp/</literal>. For SubjectAltName one can only do
-regexp matching of the URI, this is specified as
-<literal>SubjectAltName:URI:/regexp/</literal>. Note that currently this option
-can only be specified once in a client block.
-    </para>
-    <para>
-The <literal>duplicateInterval</literal> option can be used to specify for how
-many seconds duplicate checking should be done. If a proxy receives a new
-request within a few seconds of a previous one, it may be treated the same if
-from the same client, with the same authenticator etc. The proxy will then
-ignore the new request (if it is still processing the previous one), or
-returned a copy of the previous reply.
-    </para>
-    <para>
-The <literal>addTTL</literal> option is similar to the
-<literal>addTTL</literal> option used in the basic config. See that for
-details. Any value configured here overrides the basic one when sending
-messages to this client.
-    </para>
-    <para>
-The <literal>rewrite</literal> option is deprecated. Use
-<literal>rewriteIn</literal> instead.
-    </para>
-    <para>
-The <literal>rewriteIn</literal> option can be used to refer to a rewrite block
-that specifies certain rewrite operations that should be performed on incoming
-messages from the client. The rewriting is done before other processing.
-For details, see the rewrite block text below. Similarly to
-<literal>tls</literal> discussed above, if this option is not used, there is a
-fallback to using the <literal>rewrite</literal> block named
-<literal>defaultClient</literal> if it exists; and if not, a fallback to a
-block named <literal>default</literal>.
-    </para>
-    <para>
-The <literal>rewriteOut</literal> option is used in the same way as
-<literal>rewriteIn</literal>, except that it specifies rewrite operations that
-should be performed on outgoing messages to the client. The rewriting is done
-after other processing. Also, there is no rewrite fallback if this option is
-not used.
+      The client block is used to configure a client. That is, tell
+      the proxy about a client, and what parameters should be used for
+      that client. The name of the client block must (with one
+      exception, see below) be either the IP address (IPv4 or IPv6) of
+      the client, an IP prefix (IPv4 or IPv6) on the form
+      IpAddress/PrefixLength, or a domain name (FQDN). Note that
+      literal IPv6 addresses must be enclosed in brackets.
     </para>
     <para>
-The <literal>rewriteAttribute</literal> option currently makes it possible to
-specify that the User-Name attribute in a client request shall be rewritten in
-the request sent by the proxy. The User-Name attribute is written back to the
-original value if a matching response is later sent back to the client. The
-value must be on the form User-Name:/regexpmatch/replacement/. Example usage:
+      If a domain name is specified, then this will be resolved
+      immediately to all the addresses associated with the name, and
+      the proxy will not care about any possible DNS changes that
+      might occur later. Hence there is no dependency on DNS after
+      startup.
+    </para>
+    <para>
+      When some client later sends a request to the proxy, the proxy
+      will look at the IP address the request comes from, and then go
+      through all the addresses of each of the configured clients (in
+      the order they are defined), to determine which (if any) of the
+      clients this is.
+    </para>
+    <para>
+      In the case of TLS/DTLS, the name of the client must match the
+      FQDN or IP address in the client certificate. Note that this is
+      not required when the client name is an IP prefix.
+    </para>
+    <para>
+      Alternatively one may use the <literal>host</literal> option
+      inside a client block. In that case, the value of the
+      <literal>host</literal> option is used as above, while the name
+      of the block is only used as a descriptive name for the
+      administrator. The host option may be used multiple times, and
+      can be a mix of addresses, FQDNs and prefixes.
+    </para>
+    <para>
+      The allowed options in a client block are
+      <literal>host</literal>, <literal>type</literal>,
+      <literal>secret</literal>, <literal>tls</literal>,
+      <literal>certificateNameCheck</literal>,
+      <literal>matchCertificateAttribute</literal>,
+      <literal>duplicateInterval</literal>, <literal>AddTTL</literal>,
+      <literal>fticksVISCOUNTRY</literal>, <literal>rewrite</literal>,
+      <literal>rewriteIn</literal>, <literal>rewriteOut</literal>, and
+      <literal>rewriteAttribute</literal>.
+
+      We already discussed the <literal>host</literal> option. The
+      value of <literal>type</literal> must be one of
+      <literal>udp</literal>, <literal>tcp</literal>,
+      <literal>tls</literal> or <literal>dtls</literal>. The value of
+      <literal>secret</literal> is the shared RADIUS key used with
+      this client. If the secret contains whitespace, the value must
+      be quoted. This option is optional for TLS/DTLS.
+    </para>
+    <para>
+      For a TLS/DTLS client you may also specify the
+      <literal>tls</literal> option.  The option value must be the
+      name of a previously defined TLS block. If this option is not
+      specified, the TLS block with the name
+      <literal>defaultClient</literal> will be used if defined. If not
+      defined, it will try to use the TLS block named
+      <literal>default</literal>. If the specified TLS block name does
+      not exist, or the option is not specified and none of the
+      defaults exist, the proxy will exit with an error.
+    </para>
+    <para>
+      For a TLS/DTLS client, the option
+      <literal>certificateNameCheck</literal> can be set to
+      <literal>off</literal>, to disable the default behaviour of
+      matching CN or SubjectAltName against the specified hostname or
+      IP address.
+    </para>
+    <para>
+      Additional validation of certificate attributes can be done by
+      use of the <literal>matchCertificateAttribute</literal>
+      option. Currently one can only do some matching of CN and
+      SubjectAltName. For regexp matching on CN, one can use the value
+      <literal>CN:/regexp/</literal>. For SubjectAltName one can only
+      do regexp matching of the URI, this is specified as
+      <literal>SubjectAltName:URI:/regexp/</literal>. Note that
+      currently this option can only be specified once in a client
+      block.
+    </para>
+    <para>
+      The <literal>duplicateInterval</literal> option can be used to
+      specify for how many seconds duplicate checking should be
+      done. If a proxy receives a new request within a few seconds of
+      a previous one, it may be treated the same if from the same
+      client, with the same authenticator etc. The proxy will then
+      ignore the new request (if it is still processing the previous
+      one), or returned a copy of the previous reply.
+    </para>
+    <para>
+      The <literal>AddTTL</literal> option is similar to the
+      <literal>AddTTL</literal> option used in the basic config. See
+      that for details. Any value configured here overrides the basic
+      one when sending messages to this client.
+    </para>
+    <para>
+      The <literal>fticksVISCOUNTRY</literal> option configures
+      clients eligible to F-Ticks logging as defined by the
+      <literal>FTicksReporting</literal> basic option.
+    </para>
+    <para>
+      The <literal>rewrite</literal> option is deprecated. Use
+      <literal>rewriteIn</literal> instead.
+    </para>
+    <para>
+      The <literal>rewriteIn</literal> option can be used to refer to
+      a rewrite block that specifies certain rewrite operations that
+      should be performed on incoming messages from the client. The
+      rewriting is done before other processing.  For details, see the
+      rewrite block text below. Similarly to <literal>tls</literal>
+      discussed above, if this option is not used, there is a fallback
+      to using the <literal>rewrite</literal> block named
+      <literal>defaultClient</literal> if it exists; and if not, a
+      fallback to a block named <literal>default</literal>.
+    </para>
+    <para>
+      The <literal>rewriteOut</literal> option is used in the same way
+      as <literal>rewriteIn</literal>, except that it specifies
+      rewrite operations that should be performed on outgoing messages
+      to the client. The rewriting is done after other
+      processing. Also, there is no rewrite fallback if this option is
+      not used.
+    </para>
+    <para>
+      The <literal>rewriteAttribute</literal> option currently makes
+      it possible to specify that the User-Name attribute in a client
+      request shall be rewritten in the request sent by the proxy. The
+      User-Name attribute is written back to the original value if a
+      matching response is later sent back to the client. The value
+      must be on the form User-Name:/regexpmatch/replacement/. Example
+      usage:
       <blockquote>
         <para>
-rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
+	  rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
         </para>
       </blockquote>
     </para>
@@ -440,295 +545,351 @@ rewriteAttribute User-Name:/^(.*)@local$/\1@example.com/
   <refsect1>
     <title>Server Block</title>
     <para>
-The server block is used to configure a server. That is, tell the proxy about a
-server, and what parameters should be used when communicating with that server.
-The name of the server block must (with one exception, see below) be either the
-IP address (IPv4 or IPv6) of the server, or a domain name (FQDN). If a domain
-name is specified, then this will be resolved immediately to all the addresses
-associated with the name, and the proxy will not care about any possible DNS
-changes that might occur later. Hence there is no dependency on DNS after
-startup. If the domain name resolves to multiple addresses, then for UDP/DTLS
-the first address is used. For TCP/TLS, the proxy will loop through the
-addresses until it can connect to one of them. In the case of TLS/DTLS, the
-name of the server must match the FQDN or IP address in the server certificate.
-    </para>
-    <para>
-Alternatively one may use the <literal>host</literal> option inside a server
-block. In that case, the value of the <literal>host</literal> option is used as
-above, while the name of the block is only used as a descriptive name for the
-administrator. Note that multiple host options may be used. This will then be
-treated as multiple names/addresses for the same server. When initiating a TCP/TLS
-connection, all addresses of all names may be attempted, but there is no failover
-between the different host values. For failover one must use separate server
-blocks.
-    </para>
-    <para>
-Note that the name of the block, or values of host options may include a
-port number (separated with a column). This port number will then override the
-default port or a port option in the server block. Also note that literal IPv6
-addresses must be enclosed in brackets.
-    </para>
-    <para>
-The allowed options in a server block are <literal>host</literal>,
-<literal>port</literal>, <literal>type</literal>, <literal>secret</literal>,
-<literal>tls</literal>, <literal>certificateNameCheck</literal>,
-<literal>matchCertificateAttribute</literal>, <literal>addTTL</literal>,
-<literal>rewrite</literal>,
-<literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
-<literal>statusServer</literal>, <literal>retryCount</literal>,
-<literal>retryInterval</literal>, <literal>dynamicLookupCommand</literal>
-and <literal>loopPrevention</literal>.
-    </para>
-    <para>
-We already discussed the <literal>host</literal> option. The
-<literal>port</literal> option allows you to specify which port number the
-server uses. The usage of <literal>type</literal>, <literal>secret</literal>,
-<literal>tls</literal>, <literal>certificateNameCheck</literal>,
-<literal>matchCertificateAttribute</literal>, <literal>addTTL</literal>,
-<literal>rewrite</literal>,
-<literal>rewriteIn</literal> and <literal>rewriteOut</literal> are just as
-specified for the <literal>client block</literal> above, except that
-<literal>defaultServer</literal> (and not <literal>defaultClient</literal>)
-is the fallback for the <literal>tls</literal>, <literal>rewrite</literal>
-and <literal>rewriteIn</literal> options.
-    </para>
-    <para>
-<literal>statusServer</literal> can be specified to enable the use of
-status-server messages for this server. The value must be either
-<literal>on</literal> or <literal>off</literal>. The default when not
-specified, is <literal>off</literal>. If statusserver is enabled, the proxy
-will during idle periods send regular status-server messages to the server
-to verify that it is alive. This should only be enabled if the server
-supports it.
-    </para>
-    <para>
-The options <literal>retryCount</literal> and
-<literal>retryInterval</literal> can be used to specify how many times the
-proxy should retry sending a request and how long it should wait between each
-retry. The defaults are 2 retries and an interval of 5s.
-    </para>
-    <para>
-The option <literal>dynamicLookupCommand</literal> can be used to specify a
-command that should be executed to dynamically configure and use a server.
-The use of this feature will be documented separately/later.
-    </para>
-    <para>
-Using the <literal>loopPrevention</literal> option here overrides any
-basic setting of this option.  See section <literal>BASIC
-OPTIONS</literal> for details on this option.
+      The server block is used to configure a server. That is, tell
+      the proxy about a server, and what parameters should be used
+      when communicating with that server.  The name of the server
+      block must (with one exception, see below) be either the IP
+      address (IPv4 or IPv6) of the server, or a domain name
+      (FQDN). If a domain name is specified, then this will be
+      resolved immediately to all the addresses associated with the
+      name, and the proxy will not care about any possible DNS changes
+      that might occur later. Hence there is no dependency on DNS
+      after startup. If the domain name resolves to multiple
+      addresses, then for UDP/DTLS the first address is used. For
+      TCP/TLS, the proxy will loop through the addresses until it can
+      connect to one of them. In the case of TLS/DTLS, the name of the
+      server must match the FQDN or IP address in the server
+      certificate.
+    </para>
+    <para>
+      Alternatively one may use the <literal>host</literal> option
+      inside a server block. In that case, the value of the
+      <literal>host</literal> option is used as above, while the name
+      of the block is only used as a descriptive name for the
+      administrator. Note that multiple host options may be used. This
+      will then be treated as multiple names/addresses for the same
+      server. When initiating a TCP/TLS connection, all addresses of
+      all names may be attempted, but there is no failover between the
+      different host values. For failover one must use separate server
+      blocks.
+    </para>
+    <para>
+      Note that the name of the block, or values of host options may
+      include a port number (separated with a column). This port
+      number will then override the default port or a port option in
+      the server block. Also note that literal IPv6 addresses must be
+      enclosed in brackets.
+    </para>
+    <para>
+      The allowed options in a server block are
+      <literal>host</literal>, <literal>port</literal>,
+      <literal>type</literal>, <literal>secret</literal>,
+      <literal>tls</literal>, <literal>certificateNameCheck</literal>,
+      <literal>matchCertificateAttribute</literal>,
+      <literal>AddTTL</literal>, <literal>rewrite</literal>,
+      <literal>rewriteIn</literal>, <literal>rewriteOut</literal>,
+      <literal>statusServer</literal>, <literal>retryCount</literal>,
+      <literal>retryInterval</literal>,
+      <literal>dynamicLookupCommand</literal> and
+      <literal>LoopPrevention</literal>.
+    </para>
+    <para>
+      We already discussed the <literal>host</literal> option. The
+      <literal>port</literal> option allows you to specify which port
+      number the server uses. The usage of <literal>type</literal>,
+      <literal>secret</literal>, <literal>tls</literal>,
+      <literal>certificateNameCheck</literal>,
+      <literal>matchCertificateAttribute</literal>,
+      <literal>AddTTL</literal>, <literal>rewrite</literal>,
+      <literal>rewriteIn</literal> and <literal>rewriteOut</literal>
+      are just as specified for the <literal>client block</literal>
+      above, except that <literal>defaultServer</literal> (and not
+      <literal>defaultClient</literal>) is the fallback for the
+      <literal>tls</literal>, <literal>rewrite</literal> and
+      <literal>rewriteIn</literal> options.
+    </para>
+    <para>
+      <literal>statusServer</literal> can be specified to enable the
+      use of status-server messages for this server. The value must be
+      either <literal>on</literal> or <literal>off</literal>. The
+      default when not specified, is <literal>off</literal>. If
+      statusserver is enabled, the proxy will during idle periods send
+      regular status-server messages to the server to verify that it
+      is alive. This should only be enabled if the server supports it.
+    </para>
+    <para>
+      The options <literal>retryCount</literal> and
+      <literal>retryInterval</literal> can be used to specify how many
+      times the proxy should retry sending a request and how long it
+      should wait between each retry. The defaults are 2 retries and
+      an interval of 5s.
+    </para>
+    <para>
+      The option <literal>dynamicLookupCommand</literal> can be used
+      to specify a command that should be executed to dynamically
+      configure and use a server.  The use of this feature will be
+      documented separately/later.
+    </para>
+    <para>
+      Using the <literal>LoopPrevention</literal> option here
+      overrides any basic setting of this option.  See section
+      <literal>BASIC OPTIONS</literal> for details on this option.
     </para>
   </refsect1>
   <refsect1>
     <title>Realm Block</title>
     <para>
-When the proxy receives an Access-Request it needs to figure out to which
-server it should be forwarded. This is done by looking at the Username attribute
-in the request, and matching that against the names of the defined realm blocks.
-The proxy will match against the blocks in the order they are specified, using
-the first match if any. If no realm matches, the proxy will simply ignore the
-request. Each realm block specifies what the server should do when a match is
-found. A realm block may contain none, one or multiple <literal>server</literal>
-options, and similarly <literal>accountingServer</literal> options. There are
-also <literal>replyMessage</literal> and <literal>accountingResponse</literal>
-options. We will discuss these later.
+      When the proxy receives an Access-Request it needs to figure out
+      to which server it should be forwarded. This is done by looking
+      at the Username attribute in the request, and matching that
+      against the names of the defined realm blocks.  The proxy will
+      match against the blocks in the order they are specified, using
+      the first match if any. If no realm matches, the proxy will
+      simply ignore the request. Each realm block specifies what the
+      server should do when a match is found. A realm block may
+      contain none, one or multiple <literal>server</literal> options,
+      and similarly <literal>accountingServer</literal> options. There
+      are also <literal>replyMessage</literal> and
+      <literal>accountingResponse</literal> options. We will discuss
+      these later.
     </para>
     <refsect2>
       <title>Realm block names and matching</title>
       <para>
-In the general case the proxy will look for a <literal>@</literal> in the
-username attribute, and try to do an exact case insensitive match between what
-comes after the <literal>@</literal> and the name of the realm block. So if you
-get a request with the attribute value <literal>anonymous@example.com</literal>,
-the proxy will go through the realm names in the order they are specified,
-looking for a realm block named <literal>example.com</literal>.
+	In the general case the proxy will look for a
+	<literal>@</literal> in the username attribute, and try to do
+	an exact case insensitive match between what comes after the
+	<literal>@</literal> and the name of the realm block. So if
+	you get a request with the attribute value
+	<literal>anonymous@example.com</literal>, the proxy will go
+	through the realm names in the order they are specified,
+	looking for a realm block named
+	<literal>example.com</literal>.
       </para>
       <para>
-There are two exceptions to this, one is the realm name <literal>*</literal>
-which means match everything. Hence if you have a realm block named
-<literal>*</literal>, then it will always match. This should then be the last
-realm block defined, since any blocks after this would never be checked. This
-is useful for having a default.
+	There are two exceptions to this, one is the realm name
+	<literal>*</literal> which means match everything. Hence if
+	you have a realm block named <literal>*</literal>, then it
+	will always match. This should then be the last realm block
+	defined, since any blocks after this would never be
+	checked. This is useful for having a default.
       </para>
       <para>
-The other exception is regular expression matching. If the realm name starts
-with a <literal>/</literal>, the name is treated as an regular expression. A
-case insensitive regexp match will then be done using this regexp on the value
-of the entire Username attribute. Optionally you may also have a trailing
-<literal>/</literal> after the regexp. So as an example, if you want to use
-regexp matching the domain <literal>example.com</literal> you could have a
-realm block named <literal>/@example\\.com$</literal>. Optinally this can also
-be written <literal>/@example\\.com$/</literal>. If you want to match all
-domains under the <literal>.com</literal> top domain, you could do
-<literal>/@.*\\.com$</literal>. Note that since the matching is done on the
-entire attribute value, you can also use rules like
-<literal>/^[a-k].*@example\\.com$/</literal> to get some of the users in this
-domain to use one server, while other users could be matched by another realm
-block and use another server.
+	The other exception is regular expression matching. If the
+	realm name starts with a <literal>/</literal>, the name is
+	treated as an regular expression. A case insensitive regexp
+	match will then be done using this regexp on the value of the
+	entire Username attribute. Optionally you may also have a
+	trailing <literal>/</literal> after the regexp. So as an
+	example, if you want to use regexp matching the domain
+	<literal>example.com</literal> you could have a realm block
+	named <literal>/@example\\.com$</literal>. Optinally this can
+	also be written <literal>/@example\\.com$/</literal>. If you
+	want to match all domains under the <literal>.com</literal>
+	top domain, you could do <literal>/@.*\\.com$</literal>. Note
+	that since the matching is done on the entire attribute value,
+	you can also use rules like
+	<literal>/^[a-k].*@example\\.com$/</literal> to get some of
+	the users in this domain to use one server, while other users
+	could be matched by another realm block and use another
+	server.
     </para>
     </refsect2>
     <refsect2>
       <title>Realm block options</title>
       <para>
-A realm block may contain none, one or multiple <literal>server</literal>
-options. If defined, the values of the <literal>server</literal> options must
-be the names of previously defined server blocks. Normally requests will be
-forwarded to the first server option defined. If there are multiple server
-options, the proxy will do fail-over and use the second server if the first
-is down. If the two first are down, it will try the third etc. If say the
-first server comes back up, it will go back to using that one. Currently
-detection of servers being up or down is based on the use of StatusServer (if
-enabled), and that TCP/TLS/DTLS connections are up.
+	A realm block may contain none, one or multiple
+	<literal>server</literal> options. If defined, the values of
+	the <literal>server</literal> options must be the names of
+	previously defined server blocks. Normally requests will be
+	forwarded to the first server option defined. If there are
+	multiple server options, the proxy will do fail-over and use
+	the second server if the first is down. If the two first are
+	down, it will try the third etc. If say the first server comes
+	back up, it will go back to using that one. Currently
+	detection of servers being up or down is based on the use of
+	StatusServer (if enabled), and that TCP/TLS/DTLS connections
+	are up.
       </para>
       <para>
-A realm block may also contain none, one or multiple
-<literal>accountingServer</literal> options. This is used exactly like the
-<literal>server</literal> option, except that it is used for specifying where
-to send matching accounting requests. The values must be the names of
-previously defined server blocks. When multiple accounting servers are
-defined, there is a failover mechanism similar to the one for the
-<literal>server</literal> option.
+	A realm block may also contain none, one or multiple
+	<literal>accountingServer</literal> options. This is used
+	exactly like the <literal>server</literal> option, except that
+	it is used for specifying where to send matching accounting
+	requests. The values must be the names of previously defined
+	server blocks. When multiple accounting servers are defined,
+	there is a failover mechanism similar to the one for the
+	<literal>server</literal> option.
       </para>
       <para>
-If there is no <literal>server</literal> option, the proxy will if
-<literal>replyMessage</literal> is specified, reply back to the client with
-an Access Reject message. The message contains a replyMessage attribute with
-the value as specified by the <literal>replyMessage</literal> option. Note
-that this is different from having no match since then the request is simply
-ignored. You may wonder why this is useful. One example is if you handle say
-all domains under say <literal>.bv</literal>. Then you may have several realm
-blocks matching the domains that exists, while for other domains under
-<literal>.bv</literal> you want to send a reject. At the same time you might
-want to send all other requests to some default server. After the realms for
-the subdomains, you would then have two realm definitions. One with the name
-<literal>/@.*\\.bv$</literal> with no servers, followed by one with the name
-<literal>*</literal> with the default server defined. This may also be useful
-for blocking particular usernames.
+	If there is no <literal>server</literal> option, the proxy
+	will if <literal>replyMessage</literal> is specified, reply
+	back to the client with an Access Reject message. The message
+	contains a replyMessage attribute with the value as specified
+	by the <literal>replyMessage</literal> option. Note that this
+	is different from having no match since then the request is
+	simply ignored. You may wonder why this is useful. One example
+	is if you handle say all domains under say
+	<literal>.bv</literal>. Then you may have several realm blocks
+	matching the domains that exists, while for other domains
+	under <literal>.bv</literal> you want to send a reject. At the
+	same time you might want to send all other requests to some
+	default server. After the realms for the subdomains, you would
+	then have two realm definitions. One with the name
+	<literal>/@.*\\.bv$</literal> with no servers, followed by one
+	with the name <literal>*</literal> with the default server
+	defined. This may also be useful for blocking particular
+	usernames.
       </para>
       <para>
-If there is no <literal>accountingServer</literal> option, the proxy will
-normally do nothing, ignoring accounting requests. There is however an option
-called <literal>accountingResponse</literal>. If this is set to
-<literal>on</literal>, the proxy will log some of the accounting information
-and send an Accounting-Response back. This is useful if you do not care much
-about accounting, but want to stop clients from retransmitting accounting
-requests. By default this option is set to <literal>off</literal>.
+	If there is no <literal>accountingServer</literal> option, the
+	proxy will normally do nothing, ignoring accounting
+	requests. There is however an option called
+	<literal>accountingResponse</literal>. If this is set to
+	<literal>on</literal>, the proxy will log some of the
+	accounting information and send an Accounting-Response
+	back. This is useful if you do not care much about accounting,
+	but want to stop clients from retransmitting accounting
+	requests. By default this option is set to
+	<literal>off</literal>.
       </para>
     </refsect2>
   </refsect1>
   <refsect1>
     <title>TLS Block</title>
     <para>
-The TLS block specifies TLS configuration options and you need at least one
-of these if you have clients or servers using TLS/DTLS. As discussed in the
-client and server block descriptions, a client or server block may reference
-a particular TLS block by name. There are also however the special TLS block
-names <literal>default</literal>, <literal>defaultClient</literal> and
-<literal>defaultServer</literal> which are used as defaults if the client or
-server block does not reference a TLS block. Also note that a TLS block must
-be defined before the client or server block that would use it. If you want
-the same TLS configuration for all TLS/DTLS clients and servers, you need
-just a single tls block named <literal>default</literal>, and the client and
-servers need not refer to it. If you want all TLS/DTLS clients to use one
-config, and all TLS/DTLS servers to use another, then you would be fine only
-defining two TLS blocks named <literal>defaultClient</literal> and
-<literal>defaultServer</literal>. If you want different clients (or different
-servers) to have different TLS parameters, then you may need to create other
-TLS blocks with other names, and reference those from the client or server
-definitions. Note that you could also have say a client block refer to a
-default, even <literal>defaultServer</literal> if you really want to.
-    </para>
-    <para>
-The available TLS block options are <literal>CACertificateFile</literal>,
-<literal>CACertificatePath</literal>, <literal>certificateFile</literal>,
-<literal>certificateKeyFile</literal>,
-<literal>certificateKeyPassword</literal>, <literal>cacheExpiry</literal>,
-<literal>CRLCheck</literal> and <literal>policyOID</literal>.
-When doing RADIUS over TLS/DTLS, both the
-client and the server present certificates, and they are both verified by
-the peer. Hence you must always specify <literal>certificateFile</literal>
-and <literal>certificateKeyFile</literal> options, as well as
-<literal>certificateKeyPassword</literal> if a password is needed to decrypt
-the private key. Note that <literal>CACertificateFile</literal> may be a
-certificate chain. In order to verify certificates, or send a chain of
-certificates to a peer, you also always need to specify
-<literal>CACertificateFile</literal> or <literal>CACertificatePath</literal>.
-Note that you may specify both, in which case the certificates in
-<literal>CACertificateFile</literal> are checked first. By default CRLs are
-not checked. 
This can be changed by setting <literal>CRLCheck</literal> to -<literal>on</literal>. One can require peer certificates to adhere to certain -policies by specifying one or multiple policyOIDs using one or multiple -<literal>policyOID</literal> options. -    </para> -    <para> -CA certificates and CRLs are normally cached permanently. That is, once a CA -or CRL has been read, the proxy will never attempt to re-read it. CRLs may -change relatively often and the proxy should ideally always use the latest -CRLs. Rather than restarting the proxy, there is an option -<literal>cacheExpiry</literal> that specifies how many seconds the CA and -CRL information should be cached. Reasonable values might be say 3600 -(1 hour) or 86400 (24 hours), depending on how frequently CRLs are updated -and how critical it is to be up to date. This option may be set to zero to -disable caching. +      The TLS block specifies TLS configuration options and you need +      at least one of these if you have clients or servers using +      TLS/DTLS. As discussed in the client and server block +      descriptions, a client or server block may reference a +      particular TLS block by name. There are also however the special +      TLS block names <literal>default</literal>, +      <literal>defaultClient</literal> and +      <literal>defaultServer</literal> which are used as defaults if +      the client or server block does not reference a TLS block. Also +      note that a TLS block must be defined before the client or +      server block that would use it. If you want the same TLS +      configuration for all TLS/DTLS clients and servers, you need +      just a single tls block named <literal>default</literal>, and +      the client and servers need not refer to it. 
If you want all +      TLS/DTLS clients to use one config, and all TLS/DTLS servers to +      use another, then you would be fine only defining two TLS blocks +      named <literal>defaultClient</literal> and +      <literal>defaultServer</literal>. If you want different clients +      (or different servers) to have different TLS parameters, then +      you may need to create other TLS blocks with other names, and +      reference those from the client or server definitions. Note that +      you could also have say a client block refer to a default, even +      <literal>defaultServer</literal> if you really want to. +    </para> +    <para> +      The available TLS block options are +      <literal>CACertificateFile</literal>, +      <literal>CACertificatePath</literal>, +      <literal>certificateFile</literal>, +      <literal>certificateKeyFile</literal>, +      <literal>certificateKeyPassword</literal>, +      <literal>cacheExpiry</literal>, <literal>CRLCheck</literal> and +      <literal>policyOID</literal>.  When doing RADIUS over TLS/DTLS, +      both the client and the server present certificates, and they +      are both verified by the peer. Hence you must always specify +      <literal>certificateFile</literal> and +      <literal>certificateKeyFile</literal> options, as well as +      <literal>certificateKeyPassword</literal> if a password is +      needed to decrypt the private key. Note that +      <literal>CACertificateFile</literal> may be a certificate +      chain. In order to verify certificates, or send a chain of +      certificates to a peer, you also always need to specify +      <literal>CACertificateFile</literal> or +      <literal>CACertificatePath</literal>.  Note that you may specify +      both, in which case the certificates in +      <literal>CACertificateFile</literal> are checked first. By +      default CRLs are not checked. This can be changed by setting +      <literal>CRLCheck</literal> to <literal>on</literal>. 
One can +      require peer certificates to adhere to certain policies by +      specifying one or multiple policyOIDs using one or multiple +      <literal>policyOID</literal> options. +    </para> +    <para> +      CA certificates and CRLs are normally cached permanently. That +      is, once a CA or CRL has been read, the proxy will never attempt +      to re-read it. CRLs may change relatively often and the proxy +      should ideally always use the latest CRLs. Rather than +      restarting the proxy, there is an option +      <literal>cacheExpiry</literal> that specifies how many seconds +      the CA and CRL information should be cached. Reasonable values +      might be say 3600 (1 hour) or 86400 (24 hours), depending on how +      frequently CRLs are updated and how critical it is to be up to +      date. This option may be set to zero to disable caching.      </para>    </refsect1>    <refsect1>      <title>Rewrite Block</title>      <para> -The rewrite block specifies rules that may rewrite RADIUS messages. It can be -used to add, remove and modify specific attributes from messages received -from and sent to clients and servers. As discussed in the client and server -block descriptions, a client or server block may reference a particular -rewrite block by name. There are however also the special rewrite block names -<literal>default</literal>, <literal>defaultClient</literal> and -<literal>defaultServer</literal> which are used as defaults if the client or -server block does not reference a block. Also note that a rewrite block must -be defined before the client or server block that would use it. If you want -the same rewrite rules for input from all clients and servers, you need just -a single rewrite block named <literal>default</literal>, and the client and -servers need not refer to it. 
If you want all clients to use one config, and -all servers to use another, then you would be fine only defining two rewrite -blocks named <literal>defaultClient</literal> and -<literal>defaultServer</literal>. Note that these defaults are only used for -rewrite on input. No rewriting is done on output unless explicitly specifed -using the <literal>rewriteOut</literal> option. -    </para> -    <para> -The available rewrite block options -are <literal>addAttribute</literal>, <literal>addVendorAttribute</literal>, -<literal>removeAttribute</literal>, <literal>removeVendorAttribute</literal> -and <literal>modifyAttribute</literal>. They can all be specified none, one -or multiple times. -    </para> -    <para> -<literal>addAttribute</literal> is used to add attributes to a -message. The option value must be on the -form <literal>attribute:value</literal> where attribute is a numerical -value specifying the attribute.  Simliarly, -the <literal>addVendorAttribute</literal> is used to specify a vendor -attribute to be added.  The option value must be on the -form <literal>vendor:subattribute:value</literal>, where vendor and -subattribute are numerical values. -    </para> -    <para> -The <literal>removeAttribute</literal> option is used to specify an -attribute that  should be removed from received messages. The option value -must be a numerical value specifying which attribute is to be removed. -Similarly, <literal>removeVendorAttribute</literal> is used to specify a -vendor attribute that is to be removed. The value can be a numerical value -for removing all attributes from a given vendor, or on the form -<literal>vendor:subattribute</literal>, where vendor and subattribute are -numerical values, for removing a specific subattribute for a specific -vendor. -    </para> -    <para> -<literal>modifyAttribute</literal> is used to specify modification of -attributes. 
The value must be on the form -<literal>attribute:/regexpmatch/replacement/</literal> where attribute is -a numerical attribute type, regexpmatch is regexp matching rule and -replacement specifies how to replace the matching regexp. Example usage: +      The rewrite block specifies rules that may rewrite RADIUS +      messages. It can be used to add, remove and modify specific +      attributes from messages received from and sent to clients and +      servers. As discussed in the client and server block +      descriptions, a client or server block may reference a +      particular rewrite block by name. There are however also the +      special rewrite block names <literal>default</literal>, +      <literal>defaultClient</literal> and +      <literal>defaultServer</literal> which are used as defaults if +      the client or server block does not reference a block. Also note +      that a rewrite block must be defined before the client or server +      block that would use it. If you want the same rewrite rules for +      input from all clients and servers, you need just a single +      rewrite block named <literal>default</literal>, and the client +      and servers need not refer to it. If you want all clients to use +      one config, and all servers to use another, then you would be +      fine only defining two rewrite blocks named +      <literal>defaultClient</literal> and +      <literal>defaultServer</literal>. Note that these defaults are +      only used for rewrite on input. No rewriting is done on output +      unless explicitly specifed using the +      <literal>rewriteOut</literal> option. +    </para> +    <para> +      The available rewrite block options are +      <literal>addAttribute</literal>, +      <literal>addVendorAttribute</literal>, +      <literal>removeAttribute</literal>, +      <literal>removeVendorAttribute</literal> and +      <literal>modifyAttribute</literal>. They can all be specified +      none, one or multiple times. 
+    </para> +    <para> +      <literal>addAttribute</literal> is used to add attributes to a +      message. The option value must be on the form +      <literal>attribute:value</literal> where attribute is a +      numerical value specifying the attribute.  Simliarly, the +      <literal>addVendorAttribute</literal> is used to specify a +      vendor attribute to be added.  The option value must be on the +      form <literal>vendor:subattribute:value</literal>, where vendor +      and subattribute are numerical values. +    </para> +    <para> +      The <literal>removeAttribute</literal> option is used to specify +      an attribute that should be removed from received messages. The +      option value must be a numerical value specifying which +      attribute is to be removed.  Similarly, +      <literal>removeVendorAttribute</literal> is used to specify a +      vendor attribute that is to be removed. The value can be a +      numerical value for removing all attributes from a given vendor, +      or on the form <literal>vendor:subattribute</literal>, where +      vendor and subattribute are numerical values, for removing a +      specific subattribute for a specific vendor. +    </para> +    <para> +      <literal>modifyAttribute</literal> is used to specify +      modification of attributes. The value must be on the form +      <literal>attribute:/regexpmatch/replacement/</literal> where +      attribute is a numerical attribute type, regexpmatch is regexp +      matching rule and replacement specifies how to replace the +      matching regexp. Example usage:        <blockquote>          <para> -modifyAttribute 1:/^(.*)@local$/\1@example.com/ +	  modifyAttribute 1:/^(.*)@local$/\1@example.com/          </para>        </blockquote>      </para> 
@@ -737,8 +898,7 @@ modifyAttribute 1:/^(.*)@local$/\1@example.com/      <title>See Also</title>      <para>        <citerefentry> -        <refentrytitle>radsecproxy</refentrytitle> -        <manvolnum>1</manvolnum> +        <refentrytitle>radsecproxy</refentrytitle><manvolnum>1</manvolnum>        </citerefentry>,        <ulink url="http://tools.ietf.org/html/draft-ietf-radext-radsec">          <citetitle>RadSec internet draft</citetitle> diff --git a/radsecproxy.h b/radsecproxy.h index 7528f7f..03ae54c 100644 --- a/radsecproxy.h +++ b/radsecproxy.h @@ -1,11 +1,17 @@  /*   * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2010 NORDUnet A/S   *   * Permission to use, copy, modify, and distribute this software for any   * purpose with or without fee is hereby granted, provided that the above   * copyright notice and this permission notice appear in all copies.   */ +#include <sys/time.h> +#include <stdint.h> +#include <pthread.h> +#include <regex.h> +#include "list.h"  #include "tlv11.h"  #include "radmsg.h"  #include "gconfig.h" @@ -32,6 +38,21 @@  #define RAD_DTLS 3  #define RAD_PROTOCOUNT 4 +enum rsp_fticks_reporting_type { +    RSP_FTICKS_REPORTING_NONE = 0, /* Default.  */ +    RSP_FTICKS_REPORTING_BASIC, +    RSP_FTICKS_REPORTING_FULL +}; + +enum rsp_fticks_mac_type { +    RSP_FTICKS_MAC_STATIC = 0,	/* Default.  */ +    RSP_FTICKS_MAC_ORIGINAL, +    RSP_FTICKS_MAC_VENDOR_HASHED, +    RSP_FTICKS_MAC_VENDOR_KEY_HASHED, +    RSP_FTICKS_MAC_FULLY_HASHED, +    RSP_FTICKS_MAC_FULLY_KEY_HASHED +}; +  struct options {      char *logdestination;      char *ttlattr; @@ -39,6 +60,9 @@ struct options {      uint8_t addttl;      uint8_t loglevel;      uint8_t loopprevention; +    enum rsp_fticks_reporting_type fticks_reporting; +    enum rsp_fticks_mac_type fticks_mac; +    uint8_t *fticks_key;  };  struct commonprotoopts { 
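Review bot: `uint8_t *fticks_key;` is added to `struct options` with no length field and no comment on its format or lifetime, so a reader cannot tell how far a consumer may read or who frees it. tests/t_fticks.c in this commit passes the key to fticks_hashmac as a C string and passes NULL for the unkeyed case, which suggests a NUL-terminated passphrase. If that is the contract, state it at the declaration, for example `uint8_t *fticks_key; /* NUL-terminated HMAC key from config, or NULL for unkeyed hashing */`, after confirming it against fticks.c and the config parser, neither of which is visible in this hunk. `struct options` begins and ends outside the hunk.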
@@ -105,6 +129,7 @@ struct clsrvconf {      struct tls *tlsconf;      struct list *clients;      struct server *servers; +    char *fticks_viscountry;  };  #include "tlscommon.h" @@ -210,6 +235,7 @@ void freerq(struct request *rq);  int radsrv(struct request *rq);  void replyh(struct server *server, unsigned char *buf);  struct addrinfo *resolve_hostport_addrinfo(uint8_t type, char *hostport); +uint8_t *radattr2ascii(struct tlv *attr);  /* Local Variables: */  /* c-file-style: "stroustrup" */ @@ -24,9 +24,8 @@  #include <arpa/inet.h>  #include <regex.h>  #include <pthread.h> -#include "list.h" -#include "hostport.h"  #include "radsecproxy.h" +#include "hostport.h"  #ifdef RADPROT_TCP  #include "debug.h" diff --git a/tests/Makefile.am b/tests/Makefile.am new file mode 100644 index 0000000..9c0ce94 --- /dev/null +++ b/tests/Makefile.am @@ -0,0 +1,7 @@ +check_PROGRAMS = t_fticks + +AM_CFLAGS = -g -Wall -Werror @TARGET_CFLAGS@ +AM_LDFLAGS = @SSL_LDFLAGS@ @TARGET_LDFLAGS@ +LDADD = $(top_builddir)/librsp.a @SSL_LIBS@ + +TESTS = $(check_PROGRAMS) diff --git a/tests/t_fticks.c b/tests/t_fticks.c new file mode 100644 index 0000000..a0e44c3 --- /dev/null +++ b/tests/t_fticks.c 
@@ -0,0 +1,46 @@ +#include <stdio.h> +#include <errno.h> +#include "../radsecproxy.h" +#include "../fticks.h" + +static int +_check_hash(const char *mac, const char *key, const char *hash, const char*hmac) +{ +  int rv = 0; +  uint8_t buf[128]; + +  if (fticks_hashmac((const uint8_t *) mac, NULL, sizeof(buf), buf) != 0) +    return -ENOMEM; +  if (strcmp(hash, (const char *) buf) != 0) +    rv = !!fprintf(stderr, "%s: bad hash: %s\n", mac, buf); +  if (fticks_hashmac((const uint8_t *) mac, (const uint8_t *) key, +		     sizeof(buf), buf) != 0) +    return -ENOMEM; +  if (strcmp(hmac, (const char *) buf) != 0) +    rv = !!fprintf(stderr, "%s: bad hash (key=\"%s\"): %s\n", mac, key, buf); + +  return rv; +} + +#define MAC1 "00:23:14:0a:f7:24" +#define MAC1_UC "00:23:14:0A:F7:24" +#define MAC1_APPENDED "00:23:14:0a:f7:24;cruft" +#define MAC1_WEIRD "00:23:-[?xyzzy!]-14:0a:f7:24" +#define KEY1 "magic passphrase" +#define HASH1 "29c0ee9d9c41771795a11ff75fefe9f5ccaab523ad31fc4fd8e776c707ad158129c0ee9d9c41771795a11ff75fefe9f5ccaab523ad31fc4fd8e776c707ad15" +#define HMAC1 "57c8cd8031142c51ac9747370f48a5aa731006729d0cdf589ba101864f35f39057c8cd8031142c51ac9747370f48a5aa731006729d0cdf589ba101864f35f3" + +int +main (int argc, char *argv[]) +{ +  if (_check_hash(MAC1, KEY1, HASH1, HMAC1) != 0) +    return 1; +  if (_check_hash(MAC1_UC, KEY1, HASH1, HMAC1) != 0) +    return 1; +  if (_check_hash(MAC1_APPENDED, KEY1, HASH1, HMAC1) != 0) +    return 1; +  if (_check_hash(MAC1_WEIRD, KEY1, HASH1, HMAC1) != 0) +    return 1; + +  return 0; +} @@ -26,9 +26,8 @@  #include <pthread.h>  #include <openssl/ssl.h>  #include <openssl/err.h> -#include "list.h" -#include "hostport.h"  #include "radsecproxy.h" +#include "hostport.h"  #ifdef RADPROT_TLS  #include "debug.h" diff --git a/tlscommon.c b/tlscommon.c index 8a8c2b7..eb2af8c 100644 --- a/tlscommon.c +++ b/tlscommon.c 
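Review bot: `HASH1` and `HMAC1` are each a 64-hex-digit value followed by its own first 62 digits, so `_check_hash` pins output that wraps around to fill the 128-byte `buf` rather than a single digest. If fticks_hashmac is meant to return one digest (fticks.c is not visible here), the test now locks in that wraparound, and the expectation changes whenever `sizeof(buf)` does. Comparing only the digest, `strncmp(hash, (const char *) buf, 64)`, or a comment on the constants saying the repetition is intended would make this explicit. The file also calls `strcmp` without `#include <string.h>` while tests/Makefile.am builds with `-Wall -Werror`, so the build relies on some other header pulling the declaration in.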
@@ -1,5 +1,6 @@  /*   * Copyright (C) 2006-2009 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2010 NORDUnet A/S   *   * Permission to use, copy, modify, and distribute this software for any   * purpose with or without fee is hereby granted, provided that the above @@ -32,7 +33,6 @@  #include <openssl/md5.h>  #include <openssl/x509v3.h>  #include "debug.h" -#include "list.h"  #include "hash.h"  #include "util.h"  #include "hostport.h" @@ -1,5 +1,6 @@  /*   * Copyright (C) 2008 Stig Venaas <venaas@uninett.no> + * Copyright (C) 2010 NORDUnet A/S   *   * Permission to use, copy, modify, and distribute this software for any   * purpose with or without fee is hereby granted, provided that the above diff --git a/tools/naptr-eduroam.sh b/tools/naptr-eduroam.sh index 9bc6c45..be722c9 100644..100755 --- a/tools/naptr-eduroam.sh +++ b/tools/naptr-eduroam.sh @@ -1,15 +1,15 @@ -#! /bin/bash +#! /bin/sh  # Example script!  # This script looks up radsec srv records in DNS for the one  # realm given as argument, and creates a server template based  # on that. It currently ignores weight markers, but does sort  # servers on priority marker, lowest number first. -# For host command this is coloumn 5, for dig it is coloumn 1. +# For host command this is column 5, for dig it is column 1.  usage() { -   echo "Usage: ${0} <realm>" -   exit 1 +    /bin/echo "Usage: ${0} <realm>" +    exit 1  }  test -n "${1}" || usage 
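Review bot: The only check on the realm argument is `test -n "${1}" || usage`, yet the next hunk of this file hands `${REALM}` unquoted to `dig`/`host` and prints it into the generated `server` block. If the realm can come from a RADIUS user name (how the script is invoked is not shown here), it should be limited to hostname characters before anything else runs, e.g. `case "${1}" in -*|*[!A-Za-z0-9.-]*) usage ;; esac` directly after the `test -n` line. The usage text would also be better on stderr: `/bin/echo "Usage: ${0} <realm>" >&2`.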
@@ -19,54 +19,55 @@ DIGCMD=$(command -v dig)  HOSTCMD=$(command -v host)  dig_it_srv() { -   ${DIGCMD} +short srv $SRV_HOST | sort -k1 | -   while read line ; do -      set $line ; PORT=$3 ; HOST=$4 -      echo -e "\thost ${HOST%.}:${PORT}" -   done +    ${DIGCMD} +short srv $SRV_HOST | sort -k1 | +    while read line; do +	set $line ; PORT=$3 ; HOST=$4 +	/bin/echo -e "\thost ${HOST%.}:${PORT}" +    done  }  dig_it_naptr() { -   ${DIGCMD} +short naptr ${REALM} | grep x-eduroam:radius.tls | sort -k1 | -   while read line ; do -      set $line ; TYPE=$3 ; HOST=$6 -      if [ "$TYPE" == "\"s\"" ]; then {  -	SRV_HOST=${HOST%.} -	dig_it_srv; }; fi -   done +    ${DIGCMD} +short naptr ${REALM} | grep x-eduroam:radius.tls | sort -k1 | +    while read line; do +	set $line ; TYPE=$3 ; HOST=$6 +	if [ "$TYPE" = "\"s\"" ]; then +	    SRV_HOST=${HOST%.} +	    dig_it_srv +	fi +    done  }  host_it_srv() { -   ${HOSTCMD} -t srv $SRV_HOST | sort -k5 |  -   while read line ; do -      set $line ; PORT=$7 ; HOST=$8  -      echo -e "\thost ${HOST%.}:${PORT}" -   done +    ${HOSTCMD} -t srv $SRV_HOST | sort -k5 |  +    while read line; do +	set $line ; PORT=$7 ; HOST=$8  +	/bin/echo -e "\thost ${HOST%.}:${PORT}" +    done  }  host_it_naptr() { -   ${HOSTCMD} -t naptr ${REALM} | grep x-eduroam:radius.tls | sort -k5 |  -   while read line ; do -      set $line ; TYPE=$7 ; HOST=${10} -      if [ "$TYPE" == "\"s\"" ]; then { -        SRV_HOST=${HOST%.} -        host_it_srv; }; fi - -   done +    ${HOSTCMD} -t naptr ${REALM} | grep x-eduroam:radius.tls | sort -k5 |  +    while read line; do +	set $line ; TYPE=$7 ; HOST=${10} +	if [ "$TYPE" = "\"s\"" ]; then +	    SRV_HOST=${HOST%.} +	    host_it_srv +	fi +    done  } -if test -x "${DIGCMD}" ; then -   SERVERS=$(dig_it_naptr) -elif test -x "${HOSTCMD}" ; then -   SERVERS=$(host_it_naptr) +if [ -x "${DIGCMD}" ]; then +    SERVERS=$(dig_it_naptr) +elif [ -x "${HOSTCMD}" ]; then +    SERVERS=$(host_it_naptr)  else -   echo "${0} requires 
either \"dig\" or \"host\" command." -   exit 1 +    /bin/echo "${0} requires either \"dig\" or \"host\" command." +    exit 1  fi -if test -n "${SERVERS}" ; then -        echo -e "server dynamic_radsec.${REALM} {\n${SERVERS}\n\ttype TLS\n}" -        exit 0 +if [ -n "${SERVERS}" ]; then +    /bin/echo -e "server dynamic_radsec.${REALM} {\n${SERVERS}\n\ttype TLS\n}" +    exit 0  fi  exit 0 @@ -24,9 +24,8 @@  #include <arpa/inet.h>  #include <regex.h>  #include <pthread.h> -#include "list.h" -#include "hostport.h"  #include "radsecproxy.h" +#include "hostport.h"  #ifdef RADPROT_UDP  #include "debug.h" | 
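Review bot: DNS answers are treated as trusted text in all four lookup functions: `set $line` word-splits and glob-expands each record, `read` without `-r` consumes backslashes, and the host and port fields go straight into `/bin/echo -e`, which interprets escape sequences, before being emitted as radsecproxy configuration. A record whose fields contain `*` or backslash sequences can therefore change what ends up in the `server` block, so each function should read fields with `read -r`, skip targets and ports that are not plain hostname characters or digits, and print with `printf` (which also removes the dependency on a `/bin/echo` that understands `-e`). `sort -k1` and `sort -k5` compare as text, so priority 10 sorts before 5; a numeric, bounded key fixes that. The fence shows `dig_it_srv` only; the other three functions and the final `echo -e` of `${SERVERS}` need the same treatment.

```shell
dig_it_srv() {
    ${DIGCMD} +short srv "$SRV_HOST" | sort -n -k1,1 |
    while read -r PRIO WEIGHT PORT HOST; do
        HOST=${HOST%.}
        # Skip records whose target or port is not plain hostname/digit text.
        case "${HOST}" in ''|*[!A-Za-z0-9.-]*) continue ;; esac
        case "${PORT}" in ''|*[!0-9]*) continue ;; esac
        printf '\thost %s:%s\n' "${HOST}" "${PORT}"
    done
}
# … unchanged in structure: dig_it_naptr, host_it_srv, host_it_naptr, dig/host selection …
```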
