diff -ruN openssh-3.8p1/auth2-pubkey.c openssh-3.8p1+x509h/auth2-pubkey.c --- openssh-3.8p1/auth2-pubkey.c 2004-01-21 02:02:50.000000000 +0200 +++ openssh-3.8p1+x509h/auth2-pubkey.c 2004-04-05 09:06:01.000000000 +0300 @@ -1,5 +1,7 @@ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. + * X509 certificates support, + * Copyright (c) 2003 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: auth2-pubkey.c,v 1.6 2004/01/19 21:25:15 markus Exp $"); +RCSID("$OpenBSD$"); #include "ssh2.h" #include "xmalloc.h" @@ -40,6 +42,7 @@ #include "auth-options.h" #include "canohost.h" #include "monitor_wrap.h" +#include "ssh-x509.h" /* import */ extern ServerOptions options; @@ -238,9 +241,21 @@ found_key = 1; debug("matching key found: file %s, line %lu", file, linenum); - fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX); + /* Variable key always contain public key or + * certificate. In case of X.509 certificate + * x509 attribute of Key structure "found" + * can contain only "Distinguished Name" ! + */ + fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX); verbose("Found matching %s key: %s", key_type(found), fp); + if ((key->type == KEY_X509_RSA) || + (key->type == KEY_X509_DSA)) { + if (ssh_x509cert_check(key->x509) != 1) { + found_key = 0; + verbose("x509 certificate check reject matching key"); + } + } xfree(fp); break; } diff -ruN openssh-3.8p1/authfd.c openssh-3.8p1+x509h/authfd.c --- openssh-3.8p1/authfd.c 2003-11-21 14:56:47.000000000 +0200 +++ openssh-3.8p1+x509h/authfd.c 2004-02-25 09:06:01.000000000 +0200 
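Review bot: In the `@@ -238,9 +241,21 @@` hunk, `verbose("Found matching %s key: %s", ...)` runs before `ssh_x509cert_check(key->x509)`, so a certificate that fails validation is first logged as a match, and the rejection is logged only at verbose level without the fingerprint. `fp` is still live at that point, so the reject line can carry it at the normal log level: `logit("x509 certificate check rejected matching key %s", fp);`. The new comment says `found` may hold only a Distinguished Name, which suggests the line match can be by DN alone and that `ssh_x509cert_check()` is the only trust decision on this path. A comment stating that any result other than 1 must reject would help, since this patch also adds an `SSH_X509STORE_DISABLED` build option whose effect on this call is not visible here. The enclosing function starts and ends outside the hunk.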
@@ -12,6 +12,8 @@ * * SSH2 implementation, * Copyright (c) 2000 Markus Friedl. All rights reserved. + * X509 certificate support, + * Copyright (c) 2002 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfd.c,v 1.63 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD$"); #include @@ -475,6 +477,7 @@ buffer_put_cstring(b, key_ssh_name(key)); switch (key->type) { case KEY_RSA: + case KEY_X509_RSA: buffer_put_bignum2(b, key->rsa->n); buffer_put_bignum2(b, key->rsa->e); buffer_put_bignum2(b, key->rsa->d); @@ -483,6 +486,7 @@ buffer_put_bignum2(b, key->rsa->q); break; case KEY_DSA: + case KEY_X509_DSA: buffer_put_bignum2(b, key->dsa->p); buffer_put_bignum2(b, key->dsa->q); buffer_put_bignum2(b, key->dsa->g); @@ -490,6 +494,21 @@ buffer_put_bignum2(b, key->dsa->priv_key); break; } + if ((key->type == KEY_X509_RSA) || (key->type == KEY_X509_DSA)) { + int len; + void* str; + unsigned char *p; + + len = i2d_X509(key->x509, NULL); + str = xmalloc(len); + if (str == NULL) + { error("ssh_encode_identity_ssh2: out of memory"); return; } + + p = str; + i2d_X509(key->x509, &p); + buffer_put_string(b, str, len); + xfree(str); + } buffer_put_cstring(b, comment); } @@ -517,6 +536,8 @@ break; case KEY_RSA: case KEY_DSA: + case KEY_X509_RSA: + case KEY_X509_DSA: type = constrained ? SSH2_AGENTC_ADD_ID_CONSTRAINED : SSH2_AGENTC_ADD_IDENTITY; 
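Review bot: In the `@@ -490,6 +494,21 @@` hunk the result of `i2d_X509(key->x509, NULL)` goes straight into `xmalloc(len)`, but `i2d_X509` returns a negative value on failure and a negative `int` turns into a huge allocation request, so check it first: `if (len <= 0) { error("ssh_encode_identity_ssh2: cannot encode certificate"); return; }`. The `str == NULL` test looks like dead code, because OpenSSH's `xmalloc` normally terminates on failure instead of returning NULL; its definition is not shown here, so confirm. The second `i2d_X509(key->x509, &p)` call is also unchecked, and its result should be compared with `len` before `buffer_put_string`. Any early return here happens after the private key components were appended to `b`, leaving the caller a partly built message and no status. The function's start is outside the hunk, so whether it can report failure is not visible.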
@@ -571,7 +592,7 @@ buffer_put_int(&msg, BN_num_bits(key->rsa->n)); buffer_put_bignum(&msg, key->rsa->e); buffer_put_bignum(&msg, key->rsa->n); - } else if (key->type == KEY_DSA || key->type == KEY_RSA) { + } else if (key->type == KEY_DSA || key->type == KEY_RSA || key->type == KEY_X509_DSA || key->type == KEY_X509_RSA ) { key_to_blob(key, &blob, &blen); buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY); buffer_put_string(&msg, blob, blen); diff -ruN openssh-3.8p1/authfile.c openssh-3.8p1+x509h/authfile.c --- openssh-3.8p1/authfile.c 2003-09-22 14:01:27.000000000 +0300 +++ openssh-3.8p1+x509h/authfile.c 2004-02-25 09:06:01.000000000 +0200 @@ -13,6 +13,8 @@ * * * Copyright (c) 2000 Markus Friedl. All rights reserved. + * X509 certificate support, + * Copyright (c) 2002 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -36,7 +38,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: authfile.c,v 1.55 2003/09/18 07:56:05 markus Exp $"); +RCSID("$OpenBSD$"); #include #include @@ -51,6 +53,7 @@ #include "log.h" #include "authfile.h" #include "rsa.h" +#include "ssh-x509.h" /* Version identification string for SSH v1 identity files. */ static const char authfile_id_string[] = @@ -196,6 +199,10 @@ success = PEM_write_RSAPrivateKey(fp, key->rsa, cipher, passphrase, len, NULL, NULL); break; + case KEY_X509_RSA: + case KEY_X509_DSA: + success = x509key_save_pem(fp, key, cipher, passphrase, len); + break; } fclose(fp); return success; @@ -212,6 +219,8 @@ break; case KEY_DSA: case KEY_RSA: + case KEY_X509_RSA: + case KEY_X509_DSA: return key_save_private_pem(key, filename, passphrase, comment); break; @@ -448,6 +457,7 @@ Key *prv = NULL; char *name = ""; + debug("read PEM private key begin"); fp = fdopen(fd, "r"); if (fp == NULL) { error("fdopen failed: %s", strerror(errno)); 
@@ -485,6 +495,8 @@ error("PEM_read_PrivateKey: mismatch or " "unknown EVP_PKEY save_type %d", pk->save_type); } + if (prv) + x509key_load_cert(prv, fp); fclose(fp); if (pk != NULL) EVP_PKEY_free(pk); @@ -631,6 +643,7 @@ char file[MAXPATHLEN]; /* try rsa1 private key */ + debug3("key_load_public(%.200s,...)", filename); pub = key_load_public_type(KEY_RSA1, filename, commentp); if (pub != NULL) return pub; diff -ruN openssh-3.8p1/compat.c openssh-3.8p1+x509h/compat.c --- openssh-3.8p1/compat.c 2003-11-03 11:09:03.000000000 +0200 +++ openssh-3.8p1+x509h/compat.c 2004-02-25 09:06:01.000000000 +0200 @@ -1,5 +1,7 @@ /* * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl. All rights reserved. + * X509 certificate support, + * Copyright (c) 2003 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -23,7 +25,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: compat.c,v 1.70 2003/11/02 11:01:03 markus Exp $"); +RCSID("$OpenBSD$"); #include "buffer.h" #include "packet.h" @@ -36,6 +38,8 @@ int compat20 = 0; int datafellows = 0; +int x509rsasigtype = SSH_X509RSA_MD5; + void enable_compat20(void) { @@ -223,3 +227,19 @@ return(fix_ciphers); } + +int +ssh_x509rsasig(int _x509rsasigtype) { + switch(_x509rsasigtype) { + case SSH_X509RSA_MD5 : + case SSH_X509RSA_SHA1: + x509rsasigtype = _x509rsasigtype; + break; + default : + x509rsasigtype = SSH_X509RSA_MD5; + logit("invalid x509rsa sigtype=%d, switched to default=%d", _x509rsasigtype, x509rsasigtype); + break; + } + debug3("x509rsa sigtype=%d", x509rsasigtype); + return (x509rsasigtype); +} diff -ruN openssh-3.8p1/compat.h openssh-3.8p1+x509h/compat.h --- openssh-3.8p1/compat.h 2003-11-03 11:09:03.000000000 +0200 +++ openssh-3.8p1+x509h/compat.h 2004-02-25 09:06:00.000000000 +0200 
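Review bot: In the `@@ -485,6 +495,8 @@` hunk the result of `x509key_load_cert(prv, fp)` is discarded, so the caller cannot tell a malformed certificate block apart from a plain key or a good certificate. If the helper returns a status (its prototype is in `ssh-x509.h`, not shown), test it and log the failure, for example `if (prv != NULL && !x509key_load_cert(prv, fp)) debug("read PEM private key: no usable X.509 certificate");`, assuming non-zero means success. A comment should also say whether the helper checks that the certificate's public key matches `prv`, because the agent and save paths in this patch use `key->x509` once the key has an X.509 type. The function body starts and ends outside the hunk.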
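Review bot: In the new `ssh_x509rsasig()` in compat.c, the `default:` branch overwrites `x509rsasigtype` with `SSH_X509RSA_MD5`, so an unrecognised value silently replaces a previously selected SHA-1 setting with the MD5 one, and the only trace is a `logit` line. Leaving the current value untouched on bad input is safer: drop the assignment and log `logit("invalid x509rsa sigtype=%d, keeping %d", _x509rsasigtype, x509rsasigtype);`. MD5 is also the initial value in `int x509rsasigtype = SSH_X509RSA_MD5;`; if interoperability requires that default, a comment saying so would stop it being read as an oversight. The parameter name `_x509rsasigtype` begins with an underscore, which C code usually avoids; `sigtype` would read more clearly.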
@@ -1,7 +1,9 @@ -/* $OpenBSD: compat.h,v 1.37 2003/11/02 11:01:03 markus Exp $ */ +/* $OpenBSD$ */ /* * Copyright (c) 1999, 2000, 2001 Markus Friedl. All rights reserved. + * X509 certificate support, + * Copyright (c) 2003 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -65,4 +67,12 @@ extern int compat13; extern int compat20; extern int datafellows; + + +#define SSH_X509RSA_MD5 0 +#define SSH_X509RSA_SHA1 1 +int ssh_x509rsasig(int _x509rsasigtype); + +extern int x509rsasigtype; + #endif diff -ruN openssh-3.8p1/config.h.in openssh-3.8p1+x509h/config.h.in --- openssh-3.8p1/config.h.in 2004-02-24 08:22:45.000000000 +0200 +++ openssh-3.8p1+x509h/config.h.in 2004-04-05 09:06:01.000000000 +0300 @@ -687,6 +687,9 @@ /* Define if you have the `nsleep' function. */ #undef HAVE_NSLEEP +/* Define if you have the `OCSP_sendreq_bio' function. */ +#undef HAVE_OCSP_SENDREQ_BIO + /* Define if you have the `ogetaddrinfo' function. */ #undef HAVE_OGETADDRINFO @@ -1017,6 +1020,19 @@ /* The size of a `short int', as computed by sizeof. */ #undef SIZEOF_SHORT_INT +/* Specify location of ssh CA root */ +#undef SSHCADIR + +/* Define if you don't want to validate X.509 certificates with OCSP */ +#undef SSH_OCSP_ENABLED + +/* Define if your openssl library don't support Email in X.509 'Distinguished + Name' */ +#undef SSH_OPENSSL_DN_WITHOUT_EMAIL + +/* Define if you don't want to verify certificates */ +#undef SSH_X509STORE_DISABLED + /* Define if you have the ANSI C header files. */ #undef STDC_HEADERS diff -ruN openssh-3.8p1/configure openssh-3.8p1+x509h/configure --- openssh-3.8p1/configure 2004-02-24 08:22:59.000000000 +0200 +++ openssh-3.8p1+x509h/configure 2004-04-05 09:06:02.000000000 +0300 
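Review bot: The compat.h hunk `@@ -65,4 +67,12 @@` exports `extern int x509rsasigtype;` next to the setter `ssh_x509rsasig()`, so any file can assign the variable directly and bypass the range check the setter does in compat.c. If other files only need to read the value, say so at the declaration with `/* set only through ssh_x509rsasig(); treat as read-only elsewhere */`, or keep the variable private to compat.c and expose an accessor. The two `SSH_X509RSA_*` constants also have no comment; a line such as `/* signature type used for X.509 RSA keys, see ssh_x509rsasig() */` would document them (presumably they select the digest; confirm against ssh-x509.c, which is not shown).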
@@ -670,6 +670,8 @@ --disable-largefile omit support for large files --disable-strip Disable calling strip(1) on install --disable-etc-default-login Disable using PATH from /etc/default/login no + --disable-x509store Disable X.509 store + --enable-ocsp Enable OCSP validation --disable-lastlog disable use of lastlog even if detected no --disable-utmp disable use of utmp even if detected no --disable-utmpx disable use of utmpx even if detected no @@ -714,6 +716,7 @@ --with-superuser-path= Specify different path for super-user --with-4in6 Check for and convert IPv4 in IPv6 mapped addresses --with-bsd-auth Enable BSD auth support + --with-sshca-dir=PATH Specify location of ssh CA root --with-pid-dir=PATH Specify location of ssh.pid file --with-lastlog=FILE|DIR specify lastlog location common locations @@ -909,7 +912,7 @@ fi for ac_site_file in $CONFIG_SITE; do if test -r "$ac_site_file"; then - { echo "$as_me:912: loading site script $ac_site_file" >&5 + { echo "$as_me:915: loading site script $ac_site_file" >&5 echo "$as_me: loading site script $ac_site_file" >&6;} cat "$ac_site_file" >&5 . "$ac_site_file" @@ -920,7 +923,7 @@ # Some versions of bash will fail to source /dev/null (special # files actually), so we avoid doing that. if test -f "$cache_file"; then - { echo "$as_me:923: loading cache $cache_file" >&5 + { echo "$as_me:926: loading cache $cache_file" >&5 echo "$as_me: loading cache $cache_file" >&6;} case $cache_file in [\\/]* | ?:[\\/]* ) . $cache_file;; @@ -928,7 +931,7 @@ esac fi else - { echo "$as_me:931: creating cache $cache_file" >&5 + { echo "$as_me:934: creating cache $cache_file" >&5 echo "$as_me: creating cache $cache_file" >&6;} >$cache_file fi 
@@ -944,21 +947,21 @@ eval ac_new_val="\$ac_env_${ac_var}_value" case $ac_old_set,$ac_new_set in set,) - { echo "$as_me:947: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 + { echo "$as_me:950: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} ac_cache_corrupted=: ;; ,set) - { echo "$as_me:951: error: \`$ac_var' was not set in the previous run" >&5 + { echo "$as_me:954: error: \`$ac_var' was not set in the previous run" >&5 echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} ac_cache_corrupted=: ;; ,);; *) if test "x$ac_old_val" != "x$ac_new_val"; then - { echo "$as_me:957: error: \`$ac_var' has changed since the previous run:" >&5 + { echo "$as_me:960: error: \`$ac_var' has changed since the previous run:" >&5 echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} - { echo "$as_me:959: former value: $ac_old_val" >&5 + { echo "$as_me:962: former value: $ac_old_val" >&5 echo "$as_me: former value: $ac_old_val" >&2;} - { echo "$as_me:961: current value: $ac_new_val" >&5 + { echo "$as_me:964: current value: $ac_new_val" >&5 echo "$as_me: current value: $ac_new_val" >&2;} ac_cache_corrupted=: fi;; @@ -977,9 +980,9 @@ fi done if $ac_cache_corrupted; then - { echo "$as_me:980: error: changes in the environment can compromise the build" >&5 + { echo "$as_me:983: error: changes in the environment can compromise the build" >&5 echo "$as_me: error: changes in the environment can compromise the build" >&2;} - { { echo "$as_me:982: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 + { { echo "$as_me:985: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&5 echo "$as_me: error: run \`make distclean' and/or \`rm $cache_file' and start over" >&2;} { (exit 1); exit 1; }; } fi 
@@ -999,10 +1002,10 @@ echo "#! $SHELL" >conftest.sh echo "exit 0" >>conftest.sh chmod +x conftest.sh -if { (echo "$as_me:1002: PATH=\".;.\"; conftest.sh") >&5 +if { (echo "$as_me:1005: PATH=\".;.\"; conftest.sh") >&5 (PATH=".;."; conftest.sh) 2>&5 ac_status=$? - echo "$as_me:1005: \$? = $ac_status" >&5 + echo "$as_me:1008: \$? = $ac_status" >&5 (exit $ac_status); }; then ac_path_separator=';' else @@ -1021,7 +1024,7 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. set dummy ${ac_tool_prefix}gcc; ac_word=$2 -echo "$as_me:1024: checking for $ac_word" >&5 +echo "$as_me:1027: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1036,7 +1039,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_CC="${ac_tool_prefix}gcc" -echo "$as_me:1039: found $ac_dir/$ac_word" >&5 +echo "$as_me:1042: found $ac_dir/$ac_word" >&5 break done @@ -1044,10 +1047,10 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$as_me:1047: result: $CC" >&5 + echo "$as_me:1050: result: $CC" >&5 echo "${ECHO_T}$CC" >&6 else - echo "$as_me:1050: result: no" >&5 + echo "$as_me:1053: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -1056,7 +1059,7 @@ ac_ct_CC=$CC # Extract the first word of "gcc", so it can be a program name with args. set dummy gcc; ac_word=$2 -echo "$as_me:1059: checking for $ac_word" >&5 +echo "$as_me:1062: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1071,7 +1074,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_ac_ct_CC="gcc" -echo "$as_me:1074: found $ac_dir/$ac_word" >&5 +echo "$as_me:1077: found $ac_dir/$ac_word" >&5 break done 
@@ -1079,10 +1082,10 @@ fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - echo "$as_me:1082: result: $ac_ct_CC" >&5 + echo "$as_me:1085: result: $ac_ct_CC" >&5 echo "${ECHO_T}$ac_ct_CC" >&6 else - echo "$as_me:1085: result: no" >&5 + echo "$as_me:1088: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -1095,7 +1098,7 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. set dummy ${ac_tool_prefix}cc; ac_word=$2 -echo "$as_me:1098: checking for $ac_word" >&5 +echo "$as_me:1101: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1110,7 +1113,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_CC="${ac_tool_prefix}cc" -echo "$as_me:1113: found $ac_dir/$ac_word" >&5 +echo "$as_me:1116: found $ac_dir/$ac_word" >&5 break done @@ -1118,10 +1121,10 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$as_me:1121: result: $CC" >&5 + echo "$as_me:1124: result: $CC" >&5 echo "${ECHO_T}$CC" >&6 else - echo "$as_me:1124: result: no" >&5 + echo "$as_me:1127: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -1130,7 +1133,7 @@ ac_ct_CC=$CC # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 -echo "$as_me:1133: checking for $ac_word" >&5 +echo "$as_me:1136: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1145,7 +1148,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_ac_ct_CC="cc" -echo "$as_me:1148: found $ac_dir/$ac_word" >&5 +echo "$as_me:1151: found $ac_dir/$ac_word" >&5 break done 
@@ -1153,10 +1156,10 @@ fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - echo "$as_me:1156: result: $ac_ct_CC" >&5 + echo "$as_me:1159: result: $ac_ct_CC" >&5 echo "${ECHO_T}$ac_ct_CC" >&6 else - echo "$as_me:1159: result: no" >&5 + echo "$as_me:1162: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -1169,7 +1172,7 @@ if test -z "$CC"; then # Extract the first word of "cc", so it can be a program name with args. set dummy cc; ac_word=$2 -echo "$as_me:1172: checking for $ac_word" >&5 +echo "$as_me:1175: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1189,7 +1192,7 @@ continue fi ac_cv_prog_CC="cc" -echo "$as_me:1192: found $ac_dir/$ac_word" >&5 +echo "$as_me:1195: found $ac_dir/$ac_word" >&5 break done @@ -1211,10 +1214,10 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$as_me:1214: result: $CC" >&5 + echo "$as_me:1217: result: $CC" >&5 echo "${ECHO_T}$CC" >&6 else - echo "$as_me:1217: result: no" >&5 + echo "$as_me:1220: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -1225,7 +1228,7 @@ do # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -echo "$as_me:1228: checking for $ac_word" >&5 +echo "$as_me:1231: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1240,7 +1243,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_CC="$ac_tool_prefix$ac_prog" -echo "$as_me:1243: found $ac_dir/$ac_word" >&5 +echo "$as_me:1246: found $ac_dir/$ac_word" >&5 break done 
@@ -1248,10 +1251,10 @@ fi CC=$ac_cv_prog_CC if test -n "$CC"; then - echo "$as_me:1251: result: $CC" >&5 + echo "$as_me:1254: result: $CC" >&5 echo "${ECHO_T}$CC" >&6 else - echo "$as_me:1254: result: no" >&5 + echo "$as_me:1257: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -1264,7 +1267,7 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -echo "$as_me:1267: checking for $ac_word" >&5 +echo "$as_me:1270: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_ac_ct_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1279,7 +1282,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_ac_ct_CC="$ac_prog" -echo "$as_me:1282: found $ac_dir/$ac_word" >&5 +echo "$as_me:1285: found $ac_dir/$ac_word" >&5 break done @@ -1287,10 +1290,10 @@ fi ac_ct_CC=$ac_cv_prog_ac_ct_CC if test -n "$ac_ct_CC"; then - echo "$as_me:1290: result: $ac_ct_CC" >&5 + echo "$as_me:1293: result: $ac_ct_CC" >&5 echo "${ECHO_T}$ac_ct_CC" >&6 else - echo "$as_me:1293: result: no" >&5 + echo "$as_me:1296: result: no" >&5 echo "${ECHO_T}no" >&6 fi 
@@ -1302,32 +1305,32 @@ fi -test -z "$CC" && { { echo "$as_me:1305: error: no acceptable cc found in \$PATH" >&5 +test -z "$CC" && { { echo "$as_me:1308: error: no acceptable cc found in \$PATH" >&5 echo "$as_me: error: no acceptable cc found in \$PATH" >&2;} { (exit 1); exit 1; }; } # Provide some information about the compiler. -echo "$as_me:1310:" \ +echo "$as_me:1313:" \ "checking for C compiler version" >&5 ac_compiler=`set X $ac_compile; echo $2` -{ (eval echo "$as_me:1313: \"$ac_compiler --version &5\"") >&5 +{ (eval echo "$as_me:1316: \"$ac_compiler --version &5\"") >&5 (eval $ac_compiler --version &5) 2>&5 ac_status=$? - echo "$as_me:1316: \$? = $ac_status" >&5 + echo "$as_me:1319: \$? = $ac_status" >&5 (exit $ac_status); } -{ (eval echo "$as_me:1318: \"$ac_compiler -v &5\"") >&5 +{ (eval echo "$as_me:1321: \"$ac_compiler -v &5\"") >&5 (eval $ac_compiler -v &5) 2>&5 ac_status=$? - echo "$as_me:1321: \$? = $ac_status" >&5 + echo "$as_me:1324: \$? = $ac_status" >&5 (exit $ac_status); } -{ (eval echo "$as_me:1323: \"$ac_compiler -V &5\"") >&5 +{ (eval echo "$as_me:1326: \"$ac_compiler -V &5\"") >&5 (eval $ac_compiler -V &5) 2>&5 ac_status=$? - echo "$as_me:1326: \$? = $ac_status" >&5 + echo "$as_me:1329: \$? = $ac_status" >&5 (exit $ac_status); } cat >conftest.$ac_ext <<_ACEOF -#line 1330 "configure" +#line 1333 "configure" #include "confdefs.h" int 
@@ -1343,13 +1346,13 @@ # Try to create an executable without -o first, disregard a.out. # It will help us diagnose broken compilers, and finding out an intuition # of exeext. -echo "$as_me:1346: checking for C compiler default output" >&5 +echo "$as_me:1349: checking for C compiler default output" >&5 echo $ECHO_N "checking for C compiler default output... $ECHO_C" >&6 ac_link_default=`echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` -if { (eval echo "$as_me:1349: \"$ac_link_default\"") >&5 +if { (eval echo "$as_me:1352: \"$ac_link_default\"") >&5 (eval $ac_link_default) 2>&5 ac_status=$? - echo "$as_me:1352: \$? = $ac_status" >&5 + echo "$as_me:1355: \$? = $ac_status" >&5 (exit $ac_status); }; then # Find the output, starting from the most likely. This scheme is # not robust to junk in `.', hence go to wildcards (a.*) only as a last 
@@ -1372,34 +1375,34 @@ else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 -{ { echo "$as_me:1375: error: C compiler cannot create executables" >&5 +{ { echo "$as_me:1378: error: C compiler cannot create executables" >&5 echo "$as_me: error: C compiler cannot create executables" >&2;} { (exit 77); exit 77; }; } fi ac_exeext=$ac_cv_exeext -echo "$as_me:1381: result: $ac_file" >&5 +echo "$as_me:1384: result: $ac_file" >&5 echo "${ECHO_T}$ac_file" >&6 # Check the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. -echo "$as_me:1386: checking whether the C compiler works" >&5 +echo "$as_me:1389: checking whether the C compiler works" >&5 echo $ECHO_N "checking whether the C compiler works... $ECHO_C" >&6 # FIXME: These cross compiler hacks should be removed for Autoconf 3.0 # If not cross compiling, check that we can run a simple program. if test "$cross_compiling" != yes; then if { ac_try='./$ac_file' - { (eval echo "$as_me:1392: \"$ac_try\"") >&5 + { (eval echo "$as_me:1395: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1395: \$? = $ac_status" >&5 + echo "$as_me:1398: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cross_compiling=no else if test "$cross_compiling" = maybe; then cross_compiling=yes else - { { echo "$as_me:1402: error: cannot run C compiled programs. + { { echo "$as_me:1405: error: cannot run C compiled programs. If you meant to cross compile, use \`--host'." >&5 echo "$as_me: error: cannot run C compiled programs. If you meant to cross compile, use \`--host'." >&2;} 
@@ -1407,24 +1410,24 @@ fi fi fi -echo "$as_me:1410: result: yes" >&5 +echo "$as_me:1413: result: yes" >&5 echo "${ECHO_T}yes" >&6 rm -f a.out a.exe conftest$ac_cv_exeext ac_clean_files=$ac_clean_files_save # Check the compiler produces executables we can run. If not, either # the compiler is broken, or we cross compile. -echo "$as_me:1417: checking whether we are cross compiling" >&5 +echo "$as_me:1420: checking whether we are cross compiling" >&5 echo $ECHO_N "checking whether we are cross compiling... $ECHO_C" >&6 -echo "$as_me:1419: result: $cross_compiling" >&5 +echo "$as_me:1422: result: $cross_compiling" >&5 echo "${ECHO_T}$cross_compiling" >&6 -echo "$as_me:1422: checking for executable suffix" >&5 +echo "$as_me:1425: checking for executable suffix" >&5 echo $ECHO_N "checking for executable suffix... $ECHO_C" >&6 -if { (eval echo "$as_me:1424: \"$ac_link\"") >&5 +if { (eval echo "$as_me:1427: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:1427: \$? = $ac_status" >&5 + echo "$as_me:1430: \$? = $ac_status" >&5 (exit $ac_status); }; then # If both `conftest.exe' and `conftest' are `present' (well, observable) # catch `conftest.exe'. For instance with Cygwin, `ls conftest' will 
@@ -1440,25 +1443,25 @@ esac done else - { { echo "$as_me:1443: error: cannot compute EXEEXT: cannot compile and link" >&5 + { { echo "$as_me:1446: error: cannot compute EXEEXT: cannot compile and link" >&5 echo "$as_me: error: cannot compute EXEEXT: cannot compile and link" >&2;} { (exit 1); exit 1; }; } fi rm -f conftest$ac_cv_exeext -echo "$as_me:1449: result: $ac_cv_exeext" >&5 +echo "$as_me:1452: result: $ac_cv_exeext" >&5 echo "${ECHO_T}$ac_cv_exeext" >&6 rm -f conftest.$ac_ext EXEEXT=$ac_cv_exeext ac_exeext=$EXEEXT -echo "$as_me:1455: checking for object suffix" >&5 +echo "$as_me:1458: checking for object suffix" >&5 echo $ECHO_N "checking for object suffix... $ECHO_C" >&6 if test "${ac_cv_objext+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 1461 "configure" +#line 1464 "configure" #include "confdefs.h" int @@ -1470,10 +1473,10 @@ } _ACEOF rm -f conftest.o conftest.obj -if { (eval echo "$as_me:1473: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:1476: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:1476: \$? = $ac_status" >&5 + echo "$as_me:1479: \$? = $ac_status" >&5 (exit $ac_status); }; then for ac_file in `(ls conftest.o conftest.obj; ls conftest.*) 2>/dev/null`; do case $ac_file in 
@@ -1485,24 +1488,24 @@ else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 -{ { echo "$as_me:1488: error: cannot compute OBJEXT: cannot compile" >&5 +{ { echo "$as_me:1491: error: cannot compute OBJEXT: cannot compile" >&5 echo "$as_me: error: cannot compute OBJEXT: cannot compile" >&2;} { (exit 1); exit 1; }; } fi rm -f conftest.$ac_cv_objext conftest.$ac_ext fi -echo "$as_me:1495: result: $ac_cv_objext" >&5 +echo "$as_me:1498: result: $ac_cv_objext" >&5 echo "${ECHO_T}$ac_cv_objext" >&6 OBJEXT=$ac_cv_objext ac_objext=$OBJEXT -echo "$as_me:1499: checking whether we are using the GNU C compiler" >&5 +echo "$as_me:1502: checking whether we are using the GNU C compiler" >&5 echo $ECHO_N "checking whether we are using the GNU C compiler... $ECHO_C" >&6 if test "${ac_cv_c_compiler_gnu+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 1505 "configure" +#line 1508 "configure" #include "confdefs.h" int @@ -1517,16 +1520,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:1520: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:1523: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:1523: \$? = $ac_status" >&5 + echo "$as_me:1526: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:1526: \"$ac_try\"") >&5 + { (eval echo "$as_me:1529: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1529: \$? = $ac_status" >&5 + echo "$as_me:1532: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_compiler_gnu=yes else 
@@ -1538,19 +1541,19 @@ ac_cv_c_compiler_gnu=$ac_compiler_gnu fi -echo "$as_me:1541: result: $ac_cv_c_compiler_gnu" >&5 +echo "$as_me:1544: result: $ac_cv_c_compiler_gnu" >&5 echo "${ECHO_T}$ac_cv_c_compiler_gnu" >&6 GCC=`test $ac_compiler_gnu = yes && echo yes` ac_test_CFLAGS=${CFLAGS+set} ac_save_CFLAGS=$CFLAGS CFLAGS="-g" -echo "$as_me:1547: checking whether $CC accepts -g" >&5 +echo "$as_me:1550: checking whether $CC accepts -g" >&5 echo $ECHO_N "checking whether $CC accepts -g... $ECHO_C" >&6 if test "${ac_cv_prog_cc_g+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 1553 "configure" +#line 1556 "configure" #include "confdefs.h" int @@ -1562,16 +1565,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:1565: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:1568: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:1568: \$? = $ac_status" >&5 + echo "$as_me:1571: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:1571: \"$ac_try\"") >&5 + { (eval echo "$as_me:1574: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1574: \$? = $ac_status" >&5 + echo "$as_me:1577: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_prog_cc_g=yes else @@ -1581,7 +1584,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:1584: result: $ac_cv_prog_cc_g" >&5 +echo "$as_me:1587: result: $ac_cv_prog_cc_g" >&5 echo "${ECHO_T}$ac_cv_prog_cc_g" >&6 if test "$ac_test_CFLAGS" = set; then CFLAGS=$ac_save_CFLAGS 
@@ -1608,16 +1611,16 @@ #endif _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:1611: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:1614: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:1614: \$? = $ac_status" >&5 + echo "$as_me:1617: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:1617: \"$ac_try\"") >&5 + { (eval echo "$as_me:1620: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1620: \$? = $ac_status" >&5 + echo "$as_me:1623: \$? = $ac_status" >&5 (exit $ac_status); }; }; then for ac_declaration in \ ''\ @@ -1629,7 +1632,7 @@ 'void exit (int);' do cat >conftest.$ac_ext <<_ACEOF -#line 1632 "configure" +#line 1635 "configure" #include "confdefs.h" #include $ac_declaration @@ -1642,16 +1645,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:1645: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:1648: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:1648: \$? = $ac_status" >&5 + echo "$as_me:1651: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:1651: \"$ac_try\"") >&5 + { (eval echo "$as_me:1654: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1654: \$? = $ac_status" >&5 + echo "$as_me:1657: \$? = $ac_status" >&5 (exit $ac_status); }; }; then : else @@ -1661,7 +1664,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext cat >conftest.$ac_ext <<_ACEOF -#line 1664 "configure" +#line 1667 "configure" #include "confdefs.h" $ac_declaration int 
@@ -1673,16 +1676,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:1676: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:1679: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:1679: \$? = $ac_status" >&5 + echo "$as_me:1682: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:1682: \"$ac_try\"") >&5 + { (eval echo "$as_me:1685: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1685: \$? = $ac_status" >&5 + echo "$as_me:1688: \$? = $ac_status" >&5 (exit $ac_status); }; }; then break else @@ -1726,7 +1729,7 @@ fi done if test -z "$ac_aux_dir"; then - { { echo "$as_me:1729: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5 + { { echo "$as_me:1732: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&5 echo "$as_me: error: cannot find install-sh or install.sh in $srcdir $srcdir/.. $srcdir/../.." >&2;} { (exit 1); exit 1; }; } fi @@ -1736,11 +1739,11 @@ # Make sure we can run config.sub. $ac_config_sub sun4 >/dev/null 2>&1 || - { { echo "$as_me:1739: error: cannot run $ac_config_sub" >&5 + { { echo "$as_me:1742: error: cannot run $ac_config_sub" >&5 echo "$as_me: error: cannot run $ac_config_sub" >&2;} { (exit 1); exit 1; }; } -echo "$as_me:1743: checking build system type" >&5 +echo "$as_me:1746: checking build system type" >&5 echo $ECHO_N "checking build system type... $ECHO_C" >&6 if test "${ac_cv_build+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -1749,23 +1752,23 @@ test -z "$ac_cv_build_alias" && ac_cv_build_alias=`$ac_config_guess` test -z "$ac_cv_build_alias" && - { { echo "$as_me:1752: error: cannot guess build type; you must specify one" >&5 + { { echo "$as_me:1755: error: cannot guess build type; you must specify one" >&5 echo "$as_me: error: cannot guess build type; you must specify one" >&2;} { (exit 1); exit 1; }; } ac_cv_build=`$ac_config_sub $ac_cv_build_alias` || - { { echo "$as_me:1756: error: $ac_config_sub $ac_cv_build_alias failed." >&5 + { { echo "$as_me:1759: error: $ac_config_sub $ac_cv_build_alias failed." >&5 echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed." >&2;} { (exit 1); exit 1; }; } fi -echo "$as_me:1761: result: $ac_cv_build" >&5 +echo "$as_me:1764: result: $ac_cv_build" >&5 echo "${ECHO_T}$ac_cv_build" >&6 build=$ac_cv_build build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` -echo "$as_me:1768: checking host system type" >&5 +echo "$as_me:1771: checking host system type" >&5 echo $ECHO_N "checking host system type... $ECHO_C" >&6 if test "${ac_cv_host+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -1774,19 +1777,19 @@ test -z "$ac_cv_host_alias" && ac_cv_host_alias=$ac_cv_build_alias ac_cv_host=`$ac_config_sub $ac_cv_host_alias` || - { { echo "$as_me:1777: error: $ac_config_sub $ac_cv_host_alias failed" >&5 + { { echo "$as_me:1780: error: $ac_config_sub $ac_cv_host_alias failed" >&5 echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;} { (exit 1); exit 1; }; } fi -echo "$as_me:1782: result: $ac_cv_host" >&5 +echo "$as_me:1785: result: $ac_cv_host" >&5 echo "${ECHO_T}$ac_cv_host" >&6 host=$ac_cv_host host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` -echo "$as_me:1789: checking whether byte ordering is bigendian" >&5 +echo "$as_me:1792: checking whether byte ordering is bigendian" >&5 echo $ECHO_N "checking whether byte ordering is bigendian... $ECHO_C" >&6 if test "${ac_cv_c_bigendian+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1794,7 +1797,7 @@ ac_cv_c_bigendian=unknown # See if sys/param.h defines the BYTE_ORDER macro. cat >conftest.$ac_ext <<_ACEOF -#line 1797 "configure" +#line 1800 "configure" #include "confdefs.h" #include #include 
@@ -1811,20 +1814,20 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:1814: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:1817: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:1817: \$? = $ac_status" >&5 + echo "$as_me:1820: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:1820: \"$ac_try\"") >&5 + { (eval echo "$as_me:1823: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1823: \$? = $ac_status" >&5 + echo "$as_me:1826: \$? = $ac_status" >&5 (exit $ac_status); }; }; then # It does; now see whether it defined to BIG_ENDIAN or not. cat >conftest.$ac_ext <<_ACEOF -#line 1827 "configure" +#line 1830 "configure" #include "confdefs.h" #include #include @@ -1841,16 +1844,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:1844: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:1847: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:1847: \$? = $ac_status" >&5 + echo "$as_me:1850: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:1850: \"$ac_try\"") >&5 + { (eval echo "$as_me:1853: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1853: \$? = $ac_status" >&5 + echo "$as_me:1856: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_c_bigendian=yes else @@ -1866,12 +1869,12 @@ rm -f conftest.$ac_objext conftest.$ac_ext if test $ac_cv_c_bigendian = unknown; then if test "$cross_compiling" = yes; then - { { echo "$as_me:1869: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:1872: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 1874 "configure" +#line 1877 "configure" #include "confdefs.h" int main () 
@@ -1887,15 +1890,15 @@ } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:1890: \"$ac_link\"") >&5 +if { (eval echo "$as_me:1893: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:1893: \$? = $ac_status" >&5 + echo "$as_me:1896: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:1895: \"$ac_try\"") >&5 + { (eval echo "$as_me:1898: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:1898: \$? = $ac_status" >&5 + echo "$as_me:1901: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_c_bigendian=no else @@ -1908,7 +1911,7 @@ fi fi fi -echo "$as_me:1911: result: $ac_cv_c_bigendian" >&5 +echo "$as_me:1914: result: $ac_cv_c_bigendian" >&5 echo "${ECHO_T}$ac_cv_c_bigendian" >&6 if test $ac_cv_c_bigendian = yes; then @@ -1923,7 +1926,7 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -echo "$as_me:1926: checking for $ac_word" >&5 +echo "$as_me:1929: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_AWK+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -1938,7 +1941,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_AWK="$ac_prog" -echo "$as_me:1941: found $ac_dir/$ac_word" >&5 +echo "$as_me:1944: found $ac_dir/$ac_word" >&5 break done @@ -1946,10 +1949,10 @@ fi AWK=$ac_cv_prog_AWK if test -n "$AWK"; then - echo "$as_me:1949: result: $AWK" >&5 + echo "$as_me:1952: result: $AWK" >&5 echo "${ECHO_T}$AWK" >&6 else - echo "$as_me:1952: result: no" >&5 + echo "$as_me:1955: result: no" >&5 echo "${ECHO_T}no" >&6 fi 
@@ -1961,7 +1964,7 @@ ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' ac_compiler_gnu=$ac_cv_c_compiler_gnu -echo "$as_me:1964: checking how to run the C preprocessor" >&5 +echo "$as_me:1967: checking how to run the C preprocessor" >&5 echo $ECHO_N "checking how to run the C preprocessor... $ECHO_C" >&6 # On Suns, sometimes $CPP names a directory. if test -n "$CPP" && test -d "$CPP"; then @@ -1982,18 +1985,18 @@ # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat >conftest.$ac_ext <<_ACEOF -#line 1985 "configure" +#line 1988 "configure" #include "confdefs.h" #include Syntax error _ACEOF -if { (eval echo "$as_me:1990: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:1993: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:1996: \$? = $ac_status" >&5 + echo "$as_me:1999: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -2016,17 +2019,17 @@ # OK, works on sane cases. Now check whether non-existent headers # can be detected and how. cat >conftest.$ac_ext <<_ACEOF -#line 2019 "configure" +#line 2022 "configure" #include "confdefs.h" #include _ACEOF -if { (eval echo "$as_me:2023: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:2026: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:2029: \$? = $ac_status" >&5 + echo "$as_me:2032: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag 
@@ -2063,7 +2066,7 @@ else ac_cv_prog_CPP=$CPP fi -echo "$as_me:2066: result: $CPP" >&5 +echo "$as_me:2069: result: $CPP" >&5 echo "${ECHO_T}$CPP" >&6 ac_preproc_ok=false for ac_c_preproc_warn_flag in '' yes @@ -2073,18 +2076,18 @@ # On the NeXT, cc -E runs the code through the compiler's parser, # not just through cpp. "Syntax error" is here to catch this case. cat >conftest.$ac_ext <<_ACEOF -#line 2076 "configure" +#line 2079 "configure" #include "confdefs.h" #include Syntax error _ACEOF -if { (eval echo "$as_me:2081: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:2084: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:2087: \$? = $ac_status" >&5 + echo "$as_me:2090: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -2107,17 +2110,17 @@ # OK, works on sane cases. Now check whether non-existent headers # can be detected and how. cat >conftest.$ac_ext <<_ACEOF -#line 2110 "configure" +#line 2113 "configure" #include "confdefs.h" #include _ACEOF -if { (eval echo "$as_me:2114: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:2117: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:2120: \$? = $ac_status" >&5 + echo "$as_me:2123: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -2145,7 +2148,7 @@ if $ac_preproc_ok; then : else - { { echo "$as_me:2148: error: C preprocessor \"$CPP\" fails sanity check" >&5 + { { echo "$as_me:2151: error: C preprocessor \"$CPP\" fails sanity check" >&5 echo "$as_me: error: C preprocessor \"$CPP\" fails sanity check" >&2;} { (exit 1); exit 1; }; } fi 
@@ -2159,7 +2162,7 @@ if test -n "$ac_tool_prefix"; then # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -echo "$as_me:2162: checking for $ac_word" >&5 +echo "$as_me:2165: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_RANLIB+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2174,7 +2177,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" -echo "$as_me:2177: found $ac_dir/$ac_word" >&5 +echo "$as_me:2180: found $ac_dir/$ac_word" >&5 break done @@ -2182,10 +2185,10 @@ fi RANLIB=$ac_cv_prog_RANLIB if test -n "$RANLIB"; then - echo "$as_me:2185: result: $RANLIB" >&5 + echo "$as_me:2188: result: $RANLIB" >&5 echo "${ECHO_T}$RANLIB" >&6 else - echo "$as_me:2188: result: no" >&5 + echo "$as_me:2191: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -2194,7 +2197,7 @@ ac_ct_RANLIB=$RANLIB # Extract the first word of "ranlib", so it can be a program name with args. set dummy ranlib; ac_word=$2 -echo "$as_me:2197: checking for $ac_word" >&5 +echo "$as_me:2200: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_prog_ac_ct_RANLIB+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2209,7 +2212,7 @@ test -z "$ac_dir" && ac_dir=. $as_executable_p "$ac_dir/$ac_word" || continue ac_cv_prog_ac_ct_RANLIB="ranlib" -echo "$as_me:2212: found $ac_dir/$ac_word" >&5 +echo "$as_me:2215: found $ac_dir/$ac_word" >&5 break done @@ -2218,10 +2221,10 @@ fi ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB if test -n "$ac_ct_RANLIB"; then - echo "$as_me:2221: result: $ac_ct_RANLIB" >&5 + echo "$as_me:2224: result: $ac_ct_RANLIB" >&5 echo "${ECHO_T}$ac_ct_RANLIB" >&6 else - echo "$as_me:2224: result: no" >&5 + echo "$as_me:2227: result: no" >&5 echo "${ECHO_T}no" >&6 fi 
@@ -2242,7 +2245,7 @@ # AFS /usr/afsws/bin/install, which mishandles nonexistent args # SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" # ./install, which can be erroneously created by make from ./install.sh. -echo "$as_me:2245: checking for a BSD compatible install" >&5 +echo "$as_me:2248: checking for a BSD compatible install" >&5 echo $ECHO_N "checking for a BSD compatible install... $ECHO_C" >&6 if test -z "$INSTALL"; then if test "${ac_cv_path_install+set}" = set; then @@ -2291,7 +2294,7 @@ INSTALL=$ac_install_sh fi fi -echo "$as_me:2294: result: $INSTALL" >&5 +echo "$as_me:2297: result: $INSTALL" >&5 echo "${ECHO_T}$INSTALL" >&6 # Use test -z because SunOS4 sh mishandles braces in ${var-val}. @@ -2304,7 +2307,7 @@ # Extract the first word of "ar", so it can be a program name with args. set dummy ar; ac_word=$2 -echo "$as_me:2307: checking for $ac_word" >&5 +echo "$as_me:2310: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_AR+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2321,7 +2324,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_AR="$ac_dir/$ac_word" - echo "$as_me:2324: found $ac_dir/$ac_word" >&5 + echo "$as_me:2327: found $ac_dir/$ac_word" >&5 break fi done @@ -2332,10 +2335,10 @@ AR=$ac_cv_path_AR if test -n "$AR"; then - echo "$as_me:2335: result: $AR" >&5 + echo "$as_me:2338: result: $AR" >&5 echo "${ECHO_T}$AR" >&6 else - echo "$as_me:2338: result: no" >&5 + echo "$as_me:2341: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -2343,7 +2346,7 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -echo "$as_me:2346: checking for $ac_word" >&5 +echo "$as_me:2349: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PERL+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -2360,7 +2363,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PERL="$ac_dir/$ac_word" - echo "$as_me:2363: found $ac_dir/$ac_word" >&5 + echo "$as_me:2366: found $ac_dir/$ac_word" >&5 break fi done @@ -2371,10 +2374,10 @@ PERL=$ac_cv_path_PERL if test -n "$PERL"; then - echo "$as_me:2374: result: $PERL" >&5 + echo "$as_me:2377: result: $PERL" >&5 echo "${ECHO_T}$PERL" >&6 else - echo "$as_me:2377: result: no" >&5 + echo "$as_me:2380: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -2383,7 +2386,7 @@ # Extract the first word of "sed", so it can be a program name with args. set dummy sed; ac_word=$2 -echo "$as_me:2386: checking for $ac_word" >&5 +echo "$as_me:2389: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_SED+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2400,7 +2403,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_SED="$ac_dir/$ac_word" - echo "$as_me:2403: found $ac_dir/$ac_word" >&5 + echo "$as_me:2406: found $ac_dir/$ac_word" >&5 break fi done @@ -2411,16 +2414,16 @@ SED=$ac_cv_path_SED if test -n "$SED"; then - echo "$as_me:2414: result: $SED" >&5 + echo "$as_me:2417: result: $SED" >&5 echo "${ECHO_T}$SED" >&6 else - echo "$as_me:2417: result: no" >&5 + echo "$as_me:2420: result: no" >&5 echo "${ECHO_T}no" >&6 fi # Extract the first word of "ent", so it can be a program name with args. set dummy ent; ac_word=$2 -echo "$as_me:2423: checking for $ac_word" >&5 +echo "$as_me:2426: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_ENT+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2437,7 +2440,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_ENT="$ac_dir/$ac_word" - echo "$as_me:2440: found $ac_dir/$ac_word" >&5 + echo "$as_me:2443: found $ac_dir/$ac_word" >&5 break fi done 
@@ -2448,16 +2451,16 @@ ENT=$ac_cv_path_ENT if test -n "$ENT"; then - echo "$as_me:2451: result: $ENT" >&5 + echo "$as_me:2454: result: $ENT" >&5 echo "${ECHO_T}$ENT" >&6 else - echo "$as_me:2454: result: no" >&5 + echo "$as_me:2457: result: no" >&5 echo "${ECHO_T}no" >&6 fi # Extract the first word of "bash", so it can be a program name with args. set dummy bash; ac_word=$2 -echo "$as_me:2460: checking for $ac_word" >&5 +echo "$as_me:2463: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_TEST_MINUS_S_SH+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2474,7 +2477,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word" - echo "$as_me:2477: found $ac_dir/$ac_word" >&5 + echo "$as_me:2480: found $ac_dir/$ac_word" >&5 break fi done @@ -2485,16 +2488,16 @@ TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH if test -n "$TEST_MINUS_S_SH"; then - echo "$as_me:2488: result: $TEST_MINUS_S_SH" >&5 + echo "$as_me:2491: result: $TEST_MINUS_S_SH" >&5 echo "${ECHO_T}$TEST_MINUS_S_SH" >&6 else - echo "$as_me:2491: result: no" >&5 + echo "$as_me:2494: result: no" >&5 echo "${ECHO_T}no" >&6 fi # Extract the first word of "ksh", so it can be a program name with args. set dummy ksh; ac_word=$2 -echo "$as_me:2497: checking for $ac_word" >&5 +echo "$as_me:2500: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_TEST_MINUS_S_SH+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2511,7 +2514,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word" - echo "$as_me:2514: found $ac_dir/$ac_word" >&5 + echo "$as_me:2517: found $ac_dir/$ac_word" >&5 break fi done 
@@ -2522,16 +2525,16 @@ TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH if test -n "$TEST_MINUS_S_SH"; then - echo "$as_me:2525: result: $TEST_MINUS_S_SH" >&5 + echo "$as_me:2528: result: $TEST_MINUS_S_SH" >&5 echo "${ECHO_T}$TEST_MINUS_S_SH" >&6 else - echo "$as_me:2528: result: no" >&5 + echo "$as_me:2531: result: no" >&5 echo "${ECHO_T}no" >&6 fi # Extract the first word of "sh", so it can be a program name with args. set dummy sh; ac_word=$2 -echo "$as_me:2534: checking for $ac_word" >&5 +echo "$as_me:2537: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_TEST_MINUS_S_SH+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2548,7 +2551,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_TEST_MINUS_S_SH="$ac_dir/$ac_word" - echo "$as_me:2551: found $ac_dir/$ac_word" >&5 + echo "$as_me:2554: found $ac_dir/$ac_word" >&5 break fi done @@ -2559,16 +2562,16 @@ TEST_MINUS_S_SH=$ac_cv_path_TEST_MINUS_S_SH if test -n "$TEST_MINUS_S_SH"; then - echo "$as_me:2562: result: $TEST_MINUS_S_SH" >&5 + echo "$as_me:2565: result: $TEST_MINUS_S_SH" >&5 echo "${ECHO_T}$TEST_MINUS_S_SH" >&6 else - echo "$as_me:2565: result: no" >&5 + echo "$as_me:2568: result: no" >&5 echo "${ECHO_T}no" >&6 fi # Extract the first word of "sh", so it can be a program name with args. set dummy sh; ac_word=$2 -echo "$as_me:2571: checking for $ac_word" >&5 +echo "$as_me:2574: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_SH+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2585,7 +2588,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_SH="$ac_dir/$ac_word" - echo "$as_me:2588: found $ac_dir/$ac_word" >&5 + echo "$as_me:2591: found $ac_dir/$ac_word" >&5 break fi done 
@@ -2596,10 +2599,10 @@ SH=$ac_cv_path_SH if test -n "$SH"; then - echo "$as_me:2599: result: $SH" >&5 + echo "$as_me:2602: result: $SH" >&5 echo "${ECHO_T}$SH" >&6 else - echo "$as_me:2602: result: no" >&5 + echo "$as_me:2605: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -2611,7 +2614,7 @@ fi; if test "$enable_largefile" != no; then - echo "$as_me:2614: checking for special C compiler options needed for large files" >&5 + echo "$as_me:2617: checking for special C compiler options needed for large files" >&5 echo $ECHO_N "checking for special C compiler options needed for large files... $ECHO_C" >&6 if test "${ac_cv_sys_largefile_CC+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2623,7 +2626,7 @@ # IRIX 6.2 and later do not support large files by default, # so use the C compiler's -n32 option if that helps. cat >conftest.$ac_ext <<_ACEOF -#line 2626 "configure" +#line 2629 "configure" #include "confdefs.h" #include /* Check that off_t can represent 2**63 - 1 correctly. @@ -2643,16 +2646,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:2646: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:2649: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:2649: \$? = $ac_status" >&5 + echo "$as_me:2652: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2652: \"$ac_try\"") >&5 + { (eval echo "$as_me:2655: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:2655: \$? = $ac_status" >&5 + echo "$as_me:2658: \$? = $ac_status" >&5 (exit $ac_status); }; }; then break else 
@@ -2662,16 +2665,16 @@ rm -f conftest.$ac_objext CC="$CC -n32" rm -f conftest.$ac_objext -if { (eval echo "$as_me:2665: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:2668: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:2668: \$? = $ac_status" >&5 + echo "$as_me:2671: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2671: \"$ac_try\"") >&5 + { (eval echo "$as_me:2674: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:2674: \$? = $ac_status" >&5 + echo "$as_me:2677: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_sys_largefile_CC=' -n32'; break else @@ -2685,13 +2688,13 @@ rm -f conftest.$ac_ext fi fi -echo "$as_me:2688: result: $ac_cv_sys_largefile_CC" >&5 +echo "$as_me:2691: result: $ac_cv_sys_largefile_CC" >&5 echo "${ECHO_T}$ac_cv_sys_largefile_CC" >&6 if test "$ac_cv_sys_largefile_CC" != no; then CC=$CC$ac_cv_sys_largefile_CC fi - echo "$as_me:2694: checking for _FILE_OFFSET_BITS value needed for large files" >&5 + echo "$as_me:2697: checking for _FILE_OFFSET_BITS value needed for large files" >&5 echo $ECHO_N "checking for _FILE_OFFSET_BITS value needed for large files... $ECHO_C" >&6 if test "${ac_cv_sys_file_offset_bits+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2699,7 +2702,7 @@ while :; do ac_cv_sys_file_offset_bits=no cat >conftest.$ac_ext <<_ACEOF -#line 2702 "configure" +#line 2705 "configure" #include "confdefs.h" #include /* Check that off_t can represent 2**63 - 1 correctly. 
@@ -2719,16 +2722,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:2722: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:2725: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:2725: \$? = $ac_status" >&5 + echo "$as_me:2728: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2728: \"$ac_try\"") >&5 + { (eval echo "$as_me:2731: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:2731: \$? = $ac_status" >&5 + echo "$as_me:2734: \$? = $ac_status" >&5 (exit $ac_status); }; }; then break else @@ -2737,7 +2740,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext cat >conftest.$ac_ext <<_ACEOF -#line 2740 "configure" +#line 2743 "configure" #include "confdefs.h" #define _FILE_OFFSET_BITS 64 #include @@ -2758,16 +2761,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:2761: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:2764: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:2764: \$? = $ac_status" >&5 + echo "$as_me:2767: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2767: \"$ac_try\"") >&5 + { (eval echo "$as_me:2770: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:2770: \$? = $ac_status" >&5 + echo "$as_me:2773: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_sys_file_offset_bits=64; break else @@ -2778,7 +2781,7 @@ break done fi -echo "$as_me:2781: result: $ac_cv_sys_file_offset_bits" >&5 +echo "$as_me:2784: result: $ac_cv_sys_file_offset_bits" >&5 echo "${ECHO_T}$ac_cv_sys_file_offset_bits" >&6 if test "$ac_cv_sys_file_offset_bits" != no; then 
@@ -2788,7 +2791,7 @@ fi rm -f conftest* - echo "$as_me:2791: checking for _LARGE_FILES value needed for large files" >&5 + echo "$as_me:2794: checking for _LARGE_FILES value needed for large files" >&5 echo $ECHO_N "checking for _LARGE_FILES value needed for large files... $ECHO_C" >&6 if test "${ac_cv_sys_large_files+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2796,7 +2799,7 @@ while :; do ac_cv_sys_large_files=no cat >conftest.$ac_ext <<_ACEOF -#line 2799 "configure" +#line 2802 "configure" #include "confdefs.h" #include /* Check that off_t can represent 2**63 - 1 correctly. @@ -2816,16 +2819,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:2819: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:2822: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:2822: \$? = $ac_status" >&5 + echo "$as_me:2825: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2825: \"$ac_try\"") >&5 + { (eval echo "$as_me:2828: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:2828: \$? = $ac_status" >&5 + echo "$as_me:2831: \$? = $ac_status" >&5 (exit $ac_status); }; }; then break else @@ -2834,7 +2837,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext cat >conftest.$ac_ext <<_ACEOF -#line 2837 "configure" +#line 2840 "configure" #include "confdefs.h" #define _LARGE_FILES 1 #include 
@@ -2855,16 +2858,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:2858: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:2861: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:2861: \$? = $ac_status" >&5 + echo "$as_me:2864: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:2864: \"$ac_try\"") >&5 + { (eval echo "$as_me:2867: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:2867: \$? = $ac_status" >&5 + echo "$as_me:2870: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_sys_large_files=1; break else @@ -2875,7 +2878,7 @@ break done fi -echo "$as_me:2878: result: $ac_cv_sys_large_files" >&5 +echo "$as_me:2881: result: $ac_cv_sys_large_files" >&5 echo "${ECHO_T}$ac_cv_sys_large_files" >&6 if test "$ac_cv_sys_large_files" != no; then @@ -2888,7 +2891,7 @@ fi if test -z "$AR" ; then - { { echo "$as_me:2891: error: *** 'ar' missing, please install or fix your \$PATH ***" >&5 + { { echo "$as_me:2894: error: *** 'ar' missing, please install or fix your \$PATH ***" >&5 echo "$as_me: error: *** 'ar' missing, please install or fix your \$PATH ***" >&2;} { (exit 1); exit 1; }; } fi @@ -2903,7 +2906,7 @@ # Search for login # Extract the first word of "login", so it can be a program name with args. set dummy login; ac_word=$2 -echo "$as_me:2906: checking for $ac_word" >&5 +echo "$as_me:2909: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_LOGIN_PROGRAM_FALLBACK+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2920,7 +2923,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_LOGIN_PROGRAM_FALLBACK="$ac_dir/$ac_word" - echo "$as_me:2923: found $ac_dir/$ac_word" >&5 + echo "$as_me:2926: found $ac_dir/$ac_word" >&5 break fi done 
@@ -2931,10 +2934,10 @@ LOGIN_PROGRAM_FALLBACK=$ac_cv_path_LOGIN_PROGRAM_FALLBACK if test -n "$LOGIN_PROGRAM_FALLBACK"; then - echo "$as_me:2934: result: $LOGIN_PROGRAM_FALLBACK" >&5 + echo "$as_me:2937: result: $LOGIN_PROGRAM_FALLBACK" >&5 echo "${ECHO_T}$LOGIN_PROGRAM_FALLBACK" >&6 else - echo "$as_me:2937: result: no" >&5 + echo "$as_me:2940: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -2948,7 +2951,7 @@ # Extract the first word of "passwd", so it can be a program name with args. set dummy passwd; ac_word=$2 -echo "$as_me:2951: checking for $ac_word" >&5 +echo "$as_me:2954: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PATH_PASSWD_PROG+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -2965,7 +2968,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PATH_PASSWD_PROG="$ac_dir/$ac_word" - echo "$as_me:2968: found $ac_dir/$ac_word" >&5 + echo "$as_me:2971: found $ac_dir/$ac_word" >&5 break fi done @@ -2976,10 +2979,10 @@ PATH_PASSWD_PROG=$ac_cv_path_PATH_PASSWD_PROG if test -n "$PATH_PASSWD_PROG"; then - echo "$as_me:2979: result: $PATH_PASSWD_PROG" >&5 + echo "$as_me:2982: result: $PATH_PASSWD_PROG" >&5 echo "${ECHO_T}$PATH_PASSWD_PROG" >&6 else - echo "$as_me:2982: result: no" >&5 + echo "$as_me:2985: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -2994,7 +2997,7 @@ LD=$CC fi -echo "$as_me:2997: checking for $CC option to accept ANSI C" >&5 +echo "$as_me:3000: checking for $CC option to accept ANSI C" >&5 echo $ECHO_N "checking for $CC option to accept ANSI C... $ECHO_C" >&6 if test "${ac_cv_prog_cc_stdc+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -3002,7 +3005,7 @@ ac_cv_prog_cc_stdc=no ac_save_CC=$CC cat >conftest.$ac_ext <<_ACEOF -#line 3005 "configure" +#line 3008 "configure" #include "confdefs.h" #include #include 
@@ -3051,16 +3054,16 @@ do CC="$ac_save_CC $ac_arg" rm -f conftest.$ac_objext -if { (eval echo "$as_me:3054: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:3057: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:3057: \$? = $ac_status" >&5 + echo "$as_me:3060: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:3060: \"$ac_try\"") >&5 + { (eval echo "$as_me:3063: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3063: \$? = $ac_status" >&5 + echo "$as_me:3066: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_prog_cc_stdc=$ac_arg break @@ -3077,15 +3080,15 @@ case "x$ac_cv_prog_cc_stdc" in x|xno) - echo "$as_me:3080: result: none needed" >&5 + echo "$as_me:3083: result: none needed" >&5 echo "${ECHO_T}none needed" >&6 ;; *) - echo "$as_me:3083: result: $ac_cv_prog_cc_stdc" >&5 + echo "$as_me:3086: result: $ac_cv_prog_cc_stdc" >&5 echo "${ECHO_T}$ac_cv_prog_cc_stdc" >&6 CC="$CC $ac_cv_prog_cc_stdc" ;; esac -echo "$as_me:3088: checking for inline" >&5 +echo "$as_me:3091: checking for inline" >&5 echo $ECHO_N "checking for inline... $ECHO_C" >&6 if test "${ac_cv_c_inline+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -3093,7 +3096,7 @@ ac_cv_c_inline=no for ac_kw in inline __inline__ __inline; do cat >conftest.$ac_ext <<_ACEOF -#line 3096 "configure" +#line 3099 "configure" #include "confdefs.h" #ifndef __cplusplus static $ac_kw int static_foo () {return 0; } 
@@ -3102,16 +3105,16 @@ _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:3105: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:3108: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:3108: \$? = $ac_status" >&5 + echo "$as_me:3111: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:3111: \"$ac_try\"") >&5 + { (eval echo "$as_me:3114: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3114: \$? = $ac_status" >&5 + echo "$as_me:3117: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_c_inline=$ac_kw; break else @@ -3122,7 +3125,7 @@ done fi -echo "$as_me:3125: result: $ac_cv_c_inline" >&5 +echo "$as_me:3128: result: $ac_cv_c_inline" >&5 echo "${ECHO_T}$ac_cv_c_inline" >&6 case $ac_cv_c_inline in inline | yes) ;; @@ -3157,7 +3160,7 @@ # Check for some target-specific stuff case "$host" in *-*-aix*) - echo "$as_me:3160: checking how to specify blibpath for linker ($LD)" >&5 + echo "$as_me:3163: checking how to specify blibpath for linker ($LD)" >&5 echo $ECHO_N "checking how to specify blibpath for linker ($LD)... $ECHO_C" >&6 if (test -z "$blibpath"); then blibpath="/usr/lib:/lib" @@ -3167,7 +3170,7 @@ if (test -z "$blibflags"); then LDFLAGS="$saved_LDFLAGS $tryflags$blibpath" cat >conftest.$ac_ext <<_ACEOF -#line 3170 "configure" +#line 3173 "configure" #include "confdefs.h" int 
@@ -3179,16 +3182,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3182: \"$ac_link\"") >&5 +if { (eval echo "$as_me:3185: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:3185: \$? = $ac_status" >&5 + echo "$as_me:3188: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3188: \"$ac_try\"") >&5 + { (eval echo "$as_me:3191: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3191: \$? = $ac_status" >&5 + echo "$as_me:3194: \$? = $ac_status" >&5 (exit $ac_status); }; }; then blibflags=$tryflags else @@ -3199,23 +3202,23 @@ fi done if (test -z "$blibflags"); then - echo "$as_me:3202: result: not found" >&5 + echo "$as_me:3205: result: not found" >&5 echo "${ECHO_T}not found" >&6 - { { echo "$as_me:3204: error: *** must be able to specify blibpath on AIX - check config.log" >&5 + { { echo "$as_me:3207: error: *** must be able to specify blibpath on AIX - check config.log" >&5 echo "$as_me: error: *** must be able to specify blibpath on AIX - check config.log" >&2;} { (exit 1); exit 1; }; } else - echo "$as_me:3208: result: $blibflags" >&5 + echo "$as_me:3211: result: $blibflags" >&5 echo "${ECHO_T}$blibflags" >&6 fi LDFLAGS="$saved_LDFLAGS" - echo "$as_me:3212: checking for authenticate" >&5 + echo "$as_me:3215: checking for authenticate" >&5 echo $ECHO_N "checking for authenticate... $ECHO_C" >&6 if test "${ac_cv_func_authenticate+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 3218 "configure" +#line 3221 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char authenticate (); below. */ 
@@ -3246,16 +3249,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3249: \"$ac_link\"") >&5 +if { (eval echo "$as_me:3252: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:3252: \$? = $ac_status" >&5 + echo "$as_me:3255: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3255: \"$ac_try\"") >&5 + { (eval echo "$as_me:3258: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3258: \$? = $ac_status" >&5 + echo "$as_me:3261: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_authenticate=yes else @@ -3265,7 +3268,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:3268: result: $ac_cv_func_authenticate" >&5 +echo "$as_me:3271: result: $ac_cv_func_authenticate" >&5 echo "${ECHO_T}$ac_cv_func_authenticate" >&6 if test $ac_cv_func_authenticate = yes; then cat >>confdefs.h <<\EOF @@ -3273,7 +3276,7 @@ EOF else - echo "$as_me:3276: checking for authenticate in -ls" >&5 + echo "$as_me:3279: checking for authenticate in -ls" >&5 echo $ECHO_N "checking for authenticate in -ls... $ECHO_C" >&6 if test "${ac_cv_lib_s_authenticate+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -3281,7 +3284,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-ls $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 3284 "configure" +#line 3287 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -3300,16 +3303,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3303: \"$ac_link\"") >&5 +if { (eval echo "$as_me:3306: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:3306: \$? = $ac_status" >&5 + echo "$as_me:3309: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3309: \"$ac_try\"") >&5 + { (eval echo "$as_me:3312: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3312: \$? = $ac_status" >&5 + echo "$as_me:3315: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_s_authenticate=yes else @@ -3320,7 +3323,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:3323: result: $ac_cv_lib_s_authenticate" >&5 +echo "$as_me:3326: result: $ac_cv_lib_s_authenticate" >&5 echo "${ECHO_T}$ac_cv_lib_s_authenticate" >&6 if test $ac_cv_lib_s_authenticate = yes; then cat >>confdefs.h <<\EOF @@ -3333,13 +3336,13 @@ fi - echo "$as_me:3336: checking whether loginfailed is declared" >&5 + echo "$as_me:3339: checking whether loginfailed is declared" >&5 echo $ECHO_N "checking whether loginfailed is declared... $ECHO_C" >&6 if test "${ac_cv_have_decl_loginfailed+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 3342 "configure" +#line 3345 "configure" #include "confdefs.h" #include 
@@ -3355,16 +3358,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:3358: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:3361: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:3361: \$? = $ac_status" >&5 + echo "$as_me:3364: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:3364: \"$ac_try\"") >&5 + { (eval echo "$as_me:3367: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3367: \$? = $ac_status" >&5 + echo "$as_me:3370: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_decl_loginfailed=yes else @@ -3374,13 +3377,13 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:3377: result: $ac_cv_have_decl_loginfailed" >&5 +echo "$as_me:3380: result: $ac_cv_have_decl_loginfailed" >&5 echo "${ECHO_T}$ac_cv_have_decl_loginfailed" >&6 if test $ac_cv_have_decl_loginfailed = yes; then - echo "$as_me:3380: checking if loginfailed takes 4 arguments" >&5 + echo "$as_me:3383: checking if loginfailed takes 4 arguments" >&5 echo $ECHO_N "checking if loginfailed takes 4 arguments... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 3383 "configure" +#line 3386 "configure" #include "confdefs.h" #include int @@ -3392,18 +3395,18 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:3395: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:3398: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:3398: \$? = $ac_status" >&5 + echo "$as_me:3401: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:3401: \"$ac_try\"") >&5 + { (eval echo "$as_me:3404: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3404: \$? = $ac_status" >&5 + echo "$as_me:3407: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:3406: result: yes" >&5 + echo "$as_me:3409: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define AIX_LOGINFAILED_4ARG 1 
@@ -3412,7 +3415,7 @@ else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 -echo "$as_me:3415: result: no" >&5 +echo "$as_me:3418: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -3422,13 +3425,13 @@ for ac_func in setauthdb do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:3425: checking for $ac_func" >&5 +echo "$as_me:3428: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 3431 "configure" +#line 3434 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ @@ -3459,16 +3462,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3462: \"$ac_link\"") >&5 +if { (eval echo "$as_me:3465: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:3465: \$? = $ac_status" >&5 + echo "$as_me:3468: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3468: \"$ac_try\"") >&5 + { (eval echo "$as_me:3471: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3471: \$? = $ac_status" >&5 + echo "$as_me:3474: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else 
@@ -3478,7 +3481,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:3481: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:3484: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 + echo "$as_me:3582: checking if we have working getaddrinfo" >&5 echo $ECHO_N "checking if we have working getaddrinfo... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - echo "$as_me:3582: result: assume it is working" >&5 + echo "$as_me:3585: result: assume it is working" >&5 echo "${ECHO_T}assume it is working" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 3586 "configure" +#line 3589 "configure" #include "confdefs.h" #include main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16)) @@ -3593,23 +3596,23 @@ } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:3596: \"$ac_link\"") >&5 +if { (eval echo "$as_me:3599: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:3599: \$? = $ac_status" >&5 + echo "$as_me:3602: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:3601: \"$ac_try\"") >&5 + { (eval echo "$as_me:3604: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3604: \$? = $ac_status" >&5 + echo "$as_me:3607: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:3606: result: working" >&5 + echo "$as_me:3609: result: working" >&5 echo "${ECHO_T}working" >&6 else echo "$as_me: program exited with status $ac_status" >&5 echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 -echo "$as_me:3612: result: buggy" >&5 +echo "$as_me:3615: result: buggy" >&5 echo "${ECHO_T}buggy" >&6 cat >>confdefs.h <<\EOF #define BROKEN_GETADDRINFO 1 
@@ -3667,7 +3670,7 @@ LIBS="$LIBS -lsec -lsecpw" -echo "$as_me:3670: checking for t_error in -lxnet" >&5 +echo "$as_me:3673: checking for t_error in -lxnet" >&5 echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6 if test "${ac_cv_lib_xnet_t_error+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -3675,7 +3678,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lxnet $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 3678 "configure" +#line 3681 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -3694,16 +3697,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3697: \"$ac_link\"") >&5 +if { (eval echo "$as_me:3700: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:3700: \$? = $ac_status" >&5 + echo "$as_me:3703: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3703: \"$ac_try\"") >&5 + { (eval echo "$as_me:3706: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3706: \$? = $ac_status" >&5 + echo "$as_me:3709: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_xnet_t_error=yes else @@ -3714,7 +3717,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:3717: result: $ac_cv_lib_xnet_t_error" >&5 +echo "$as_me:3720: result: $ac_cv_lib_xnet_t_error" >&5 echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6 if test $ac_cv_lib_xnet_t_error = yes; then cat >>confdefs.h <&5 + { { echo "$as_me:3730: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;} { (exit 1); exit 1; }; } fi 
@@ -3759,7 +3762,7 @@ LIBS="$LIBS -lsec" -echo "$as_me:3762: checking for t_error in -lxnet" >&5 +echo "$as_me:3765: checking for t_error in -lxnet" >&5 echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6 if test "${ac_cv_lib_xnet_t_error+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -3767,7 +3770,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lxnet $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 3770 "configure" +#line 3773 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -3786,16 +3789,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3789: \"$ac_link\"") >&5 +if { (eval echo "$as_me:3792: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:3792: \$? = $ac_status" >&5 + echo "$as_me:3795: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3795: \"$ac_try\"") >&5 + { (eval echo "$as_me:3798: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3798: \$? = $ac_status" >&5 + echo "$as_me:3801: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_xnet_t_error=yes else @@ -3806,7 +3809,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:3809: result: $ac_cv_lib_xnet_t_error" >&5 +echo "$as_me:3812: result: $ac_cv_lib_xnet_t_error" >&5 echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6 if test $ac_cv_lib_xnet_t_error = yes; then cat >>confdefs.h <&5 + { { echo "$as_me:3822: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;} { (exit 1); exit 1; }; } fi 
@@ -3862,7 +3865,7 @@ esac LIBS="$LIBS -lsec" -echo "$as_me:3865: checking for t_error in -lxnet" >&5 +echo "$as_me:3868: checking for t_error in -lxnet" >&5 echo $ECHO_N "checking for t_error in -lxnet... $ECHO_C" >&6 if test "${ac_cv_lib_xnet_t_error+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -3870,7 +3873,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lxnet $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 3873 "configure" +#line 3876 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -3889,16 +3892,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:3892: \"$ac_link\"") >&5 +if { (eval echo "$as_me:3895: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:3895: \$? = $ac_status" >&5 + echo "$as_me:3898: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:3898: \"$ac_try\"") >&5 + { (eval echo "$as_me:3901: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:3901: \$? = $ac_status" >&5 + echo "$as_me:3904: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_xnet_t_error=yes else @@ -3909,7 +3912,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:3912: result: $ac_cv_lib_xnet_t_error" >&5 +echo "$as_me:3915: result: $ac_cv_lib_xnet_t_error" >&5 echo "${ECHO_T}$ac_cv_lib_xnet_t_error" >&6 if test $ac_cv_lib_xnet_t_error = yes; then cat >>confdefs.h <&5 + { { echo "$as_me:3925: error: *** -lxnet needed on HP-UX - check config.log ***" >&5 echo "$as_me: error: *** -lxnet needed on HP-UX - check config.log ***" >&2;} { (exit 1); exit 1; }; } fi 
@@ -3966,13 +3969,13 @@ #define WITH_IRIX_AUDIT 1 EOF - echo "$as_me:3969: checking for jlimit_startjob" >&5 + echo "$as_me:3972: checking for jlimit_startjob" >&5 echo $ECHO_N "checking for jlimit_startjob... $ECHO_C" >&6 if test "${ac_cv_func_jlimit_startjob+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 3975 "configure" +#line 3978 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char jlimit_startjob (); below. */ @@ -4003,16 +4006,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:4006: \"$ac_link\"") >&5 +if { (eval echo "$as_me:4009: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:4009: \$? = $ac_status" >&5 + echo "$as_me:4012: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:4012: \"$ac_try\"") >&5 + { (eval echo "$as_me:4015: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:4015: \$? = $ac_status" >&5 + echo "$as_me:4018: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_jlimit_startjob=yes else @@ -4022,7 +4025,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:4025: result: $ac_cv_func_jlimit_startjob" >&5 +echo "$as_me:4028: result: $ac_cv_func_jlimit_startjob" >&5 echo "${ECHO_T}$ac_cv_func_jlimit_startjob" >&6 if test $ac_cv_func_jlimit_startjob = yes; then cat >>confdefs.h <<\EOF @@ -4068,10 +4071,18 @@ #define PAM_TTY_KLUDGE 1 EOF - cat >>confdefs.h <<\EOF + case "$host" in + *-slackware-*) + cat >>confdefs.h <<\EOF +#define LOCKED_PASSWD_PREFIX "!" +EOF +;; + *) + cat >>confdefs.h <<\EOF #define LOCKED_PASSWD_PREFIX "!!" EOF - +;; + esac cat >>confdefs.h <<\EOF #define SPT_TYPE SPT_REUSEARGV EOF 
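Review bot: In the last hunk on this line, the default `*)` branch of the added `case "$host"` still defines `LOCKED_PASSWD_PREFIX` as `"!!"`, so only hosts whose triplet matches `*-slackware-*` treat a single `!` as the lock marker. On other systems where `passwd -l` or `usermod -L` locks an account by prepending one `!`, the lock would presumably go undetected if this macro is compared as a prefix of the stored hash (its use is not visible here), and such an account could still pass public-key or X.509 authentication. Using `#define LOCKED_PASSWD_PREFIX "!"` in the default branch as well would cover both cases, since it also matches `!!`. Because `configure` is generated, the same `case` needs to be in `configure.ac`, which is not visible here, or the next regeneration drops it; the enclosing host `case` branch starts outside the hunk.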
@@ -4167,11 +4178,11 @@ external_path_file=/etc/default/login # hardwire lastlog location (can't detect it on some versions) conf_lastlog_location="/var/adm/lastlog" - echo "$as_me:4170: checking for obsolete utmp and wtmp in solaris2.x" >&5 + echo "$as_me:4181: checking for obsolete utmp and wtmp in solaris2.x" >&5 echo $ECHO_N "checking for obsolete utmp and wtmp in solaris2.x... $ECHO_C" >&6 sol2ver=`echo "$host"| sed -e 's/.*[0-9]\.//'` if test "$sol2ver" -ge 8; then - echo "$as_me:4174: result: yes" >&5 + echo "$as_me:4185: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define DISABLE_UTMP 1 @@ -4182,7 +4193,7 @@ EOF else - echo "$as_me:4185: result: no" >&5 + echo "$as_me:4196: result: no" >&5 echo "${ECHO_T}no" >&6 fi ;; @@ -4192,13 +4203,13 @@ for ac_func in getpwanam do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:4195: checking for $ac_func" >&5 +echo "$as_me:4206: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 4201 "configure" +#line 4212 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ @@ -4229,16 +4240,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:4232: \"$ac_link\"") >&5 +if { (eval echo "$as_me:4243: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:4235: \$? = $ac_status" >&5 + echo "$as_me:4246: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:4238: \"$ac_try\"") >&5 + { (eval echo "$as_me:4249: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:4241: \$? = $ac_status" >&5 + echo "$as_me:4252: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else 
@@ -4248,7 +4259,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:4251: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:4262: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:4310: checking for dlsym in -ldl" >&5 echo $ECHO_N "checking for dlsym in -ldl... $ECHO_C" >&6 if test "${ac_cv_lib_dl_dlsym+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -4304,7 +4315,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 4307 "configure" +#line 4318 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -4323,16 +4334,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:4326: \"$ac_link\"") >&5 +if { (eval echo "$as_me:4337: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:4329: \$? = $ac_status" >&5 + echo "$as_me:4340: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:4332: \"$ac_try\"") >&5 + { (eval echo "$as_me:4343: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:4335: \$? = $ac_status" >&5 + echo "$as_me:4346: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_dl_dlsym=yes else 
@@ -4343,7 +4354,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:4346: result: $ac_cv_lib_dl_dlsym" >&5 +echo "$as_me:4357: result: $ac_cv_lib_dl_dlsym" >&5 echo "${ECHO_T}$ac_cv_lib_dl_dlsym" >&6 if test $ac_cv_lib_dl_dlsym = yes; then cat >>confdefs.h <&5 +echo "$as_me:4468: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 4463 "configure" +#line 4474 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ @@ -4491,16 +4502,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:4494: \"$ac_link\"") >&5 +if { (eval echo "$as_me:4505: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:4497: \$? = $ac_status" >&5 + echo "$as_me:4508: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:4500: \"$ac_try\"") >&5 + { (eval echo "$as_me:4511: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:4503: \$? = $ac_status" >&5 + echo "$as_me:4514: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else 
@@ -4510,7 +4521,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:4513: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:4524: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:4578: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 4573 "configure" +#line 4584 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ @@ -4601,16 +4612,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:4604: \"$ac_link\"") >&5 +if { (eval echo "$as_me:4615: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:4607: \$? = $ac_status" >&5 + echo "$as_me:4618: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:4610: \"$ac_try\"") >&5 + { (eval echo "$as_me:4621: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:4613: \$? = $ac_status" >&5 + echo "$as_me:4624: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -4620,7 +4631,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:4623: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:4634: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 + echo "$as_me:4734: checking for Digital Unix SIA" >&5 echo $ECHO_N "checking for Digital Unix SIA... $ECHO_C" >&6 no_osfsia="" 
@@ -4729,7 +4740,7 @@ withval="$with_osfsia" if test "x$withval" = "xno" ; then - echo "$as_me:4732: result: disabled" >&5 + echo "$as_me:4743: result: disabled" >&5 echo "${ECHO_T}disabled" >&6 no_osfsia=1 fi @@ -4737,7 +4748,7 @@ fi; if test -z "$no_osfsia" ; then if test -f /etc/sia/matrix.conf; then - echo "$as_me:4740: result: yes" >&5 + echo "$as_me:4751: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define HAVE_OSF_SIA 1 @@ -4753,7 +4764,7 @@ LIBS="$LIBS -lsecurity -ldb -lm -laud" else - echo "$as_me:4756: result: no" >&5 + echo "$as_me:4767: result: no" >&5 echo "${ECHO_T}no" >&6 cat >>confdefs.h <<\EOF #define LOCKED_PASSWD_SUBSTR "Nologin" @@ -4845,15 +4856,15 @@ fi; -echo "$as_me:4848: checking compiler and flags for sanity" >&5 +echo "$as_me:4859: checking compiler and flags for sanity" >&5 echo $ECHO_N "checking compiler and flags for sanity... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:4851: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:4862: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 4856 "configure" +#line 4867 "configure" #include "confdefs.h" #include 
@@ -4861,26 +4872,26 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:4864: \"$ac_link\"") >&5 +if { (eval echo "$as_me:4875: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:4867: \$? = $ac_status" >&5 + echo "$as_me:4878: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:4869: \"$ac_try\"") >&5 + { (eval echo "$as_me:4880: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:4872: \$? = $ac_status" >&5 + echo "$as_me:4883: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:4874: result: yes" >&5 + echo "$as_me:4885: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: program exited with status $ac_status" >&5 echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:4881: result: no" >&5 + echo "$as_me:4892: result: no" >&5 echo "${ECHO_T}no" >&6 - { { echo "$as_me:4883: error: *** compiler cannot create working executables, check config.log ***" >&5 + { { echo "$as_me:4894: error: *** compiler cannot create working executables, check config.log ***" >&5 echo "$as_me: error: *** compiler cannot create working executables, check config.log ***" >&2;} { (exit 1); exit 1; }; } 
@@ -4902,23 +4913,23 @@ util.h utime.h utmp.h utmpx.h vis.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:4905: checking for $ac_header" >&5 +echo "$as_me:4916: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 4911 "configure" +#line 4922 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:4915: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:4926: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:4921: \$? = $ac_status" >&5 + echo "$as_me:4932: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -4937,7 +4948,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:4940: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:4951: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:4962: checking for yp_match" >&5 echo $ECHO_N "checking for yp_match... $ECHO_C" >&6 if test "${ac_cv_func_yp_match+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 4957 "configure" +#line 4968 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char yp_match (); below. */ 
@@ -4985,16 +4996,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:4988: \"$ac_link\"") >&5 +if { (eval echo "$as_me:4999: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:4991: \$? = $ac_status" >&5 + echo "$as_me:5002: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:4994: \"$ac_try\"") >&5 + { (eval echo "$as_me:5005: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:4997: \$? = $ac_status" >&5 + echo "$as_me:5008: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_yp_match=yes else @@ -5004,13 +5015,13 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:5007: result: $ac_cv_func_yp_match" >&5 +echo "$as_me:5018: result: $ac_cv_func_yp_match" >&5 echo "${ECHO_T}$ac_cv_func_yp_match" >&6 if test $ac_cv_func_yp_match = yes; then : else -echo "$as_me:5013: checking for yp_match in -lnsl" >&5 +echo "$as_me:5024: checking for yp_match in -lnsl" >&5 echo $ECHO_N "checking for yp_match in -lnsl... $ECHO_C" >&6 if test "${ac_cv_lib_nsl_yp_match+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5018,7 +5029,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lnsl $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 5021 "configure" +#line 5032 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -5037,16 +5048,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5040: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5051: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5043: \$? = $ac_status" >&5 + echo "$as_me:5054: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5046: \"$ac_try\"") >&5 + { (eval echo "$as_me:5057: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5049: \$? = $ac_status" >&5 + echo "$as_me:5060: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_nsl_yp_match=yes else @@ -5057,7 +5068,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:5060: result: $ac_cv_lib_nsl_yp_match" >&5 +echo "$as_me:5071: result: $ac_cv_lib_nsl_yp_match" >&5 echo "${ECHO_T}$ac_cv_lib_nsl_yp_match" >&6 if test $ac_cv_lib_nsl_yp_match = yes; then cat >>confdefs.h <&5 +echo "$as_me:5084: checking for setsockopt" >&5 echo $ECHO_N "checking for setsockopt... $ECHO_C" >&6 if test "${ac_cv_func_setsockopt+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 5079 "configure" +#line 5090 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char setsockopt (); below. */ 
@@ -5107,16 +5118,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5110: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5121: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5113: \$? = $ac_status" >&5 + echo "$as_me:5124: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5116: \"$ac_try\"") >&5 + { (eval echo "$as_me:5127: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5119: \$? = $ac_status" >&5 + echo "$as_me:5130: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_setsockopt=yes else @@ -5126,13 +5137,13 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:5129: result: $ac_cv_func_setsockopt" >&5 +echo "$as_me:5140: result: $ac_cv_func_setsockopt" >&5 echo "${ECHO_T}$ac_cv_func_setsockopt" >&6 if test $ac_cv_func_setsockopt = yes; then : else -echo "$as_me:5135: checking for setsockopt in -lsocket" >&5 +echo "$as_me:5146: checking for setsockopt in -lsocket" >&5 echo $ECHO_N "checking for setsockopt in -lsocket... $ECHO_C" >&6 if test "${ac_cv_lib_socket_setsockopt+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5140,7 +5151,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lsocket $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 5143 "configure" +#line 5154 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -5159,16 +5170,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5162: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5173: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5165: \$? = $ac_status" >&5 + echo "$as_me:5176: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5168: \"$ac_try\"") >&5 + { (eval echo "$as_me:5179: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5171: \$? = $ac_status" >&5 + echo "$as_me:5182: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_socket_setsockopt=yes else @@ -5179,7 +5190,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:5182: result: $ac_cv_lib_socket_setsockopt" >&5 +echo "$as_me:5193: result: $ac_cv_lib_socket_setsockopt" >&5 echo "${ECHO_T}$ac_cv_lib_socket_setsockopt" >&6 if test $ac_cv_lib_socket_setsockopt = yes; then cat >>confdefs.h <&5 + echo "$as_me:5208: checking for innetgr in -lrpc" >&5 echo $ECHO_N "checking for innetgr in -lrpc... $ECHO_C" >&6 if test "${ac_cv_lib_rpc_innetgr+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5202,7 +5213,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lrpc -lyp -lrpc $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 5205 "configure" +#line 5216 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -5221,16 +5232,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5224: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5235: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5227: \$? = $ac_status" >&5 + echo "$as_me:5238: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5230: \"$ac_try\"") >&5 + { (eval echo "$as_me:5241: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5233: \$? = $ac_status" >&5 + echo "$as_me:5244: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_rpc_innetgr=yes else @@ -5241,7 +5252,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:5244: result: $ac_cv_lib_rpc_innetgr" >&5 +echo "$as_me:5255: result: $ac_cv_lib_rpc_innetgr" >&5 echo "${ECHO_T}$ac_cv_lib_rpc_innetgr" >&6 if test $ac_cv_lib_rpc_innetgr = yes; then LIBS="-lrpc -lyp -lrpc $LIBS" @@ -5253,13 +5264,13 @@ for ac_func in dirname do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:5256: checking for $ac_func" >&5 +echo "$as_me:5267: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 5262 "configure" +#line 5273 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -5290,16 +5301,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5293: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5304: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5296: \$? = $ac_status" >&5 + echo "$as_me:5307: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5299: \"$ac_try\"") >&5 + { (eval echo "$as_me:5310: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5302: \$? = $ac_status" >&5 + echo "$as_me:5313: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -5309,7 +5320,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:5312: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:5323: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:5333: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 5328 "configure" +#line 5339 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:5332: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:5343: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:5338: \$? = $ac_status" >&5 + echo "$as_me:5349: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag 
@@ -5354,7 +5365,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:5357: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:5368: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 + echo "$as_me:5380: checking for dirname in -lgen" >&5 echo $ECHO_N "checking for dirname in -lgen... $ECHO_C" >&6 if test "${ac_cv_lib_gen_dirname+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5374,7 +5385,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lgen $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 5377 "configure" +#line 5388 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -5393,16 +5404,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5396: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5407: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5399: \$? = $ac_status" >&5 + echo "$as_me:5410: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5402: \"$ac_try\"") >&5 + { (eval echo "$as_me:5413: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5405: \$? = $ac_status" >&5 + echo "$as_me:5416: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_gen_dirname=yes else @@ -5413,11 +5424,11 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:5416: result: $ac_cv_lib_gen_dirname" >&5 +echo "$as_me:5427: result: $ac_cv_lib_gen_dirname" >&5 echo "${ECHO_T}$ac_cv_lib_gen_dirname" >&6 if test $ac_cv_lib_gen_dirname = yes; then - echo "$as_me:5420: checking for broken dirname" >&5 + echo "$as_me:5431: checking for broken dirname" >&5 echo $ECHO_N "checking for broken dirname... $ECHO_C" >&6 if test "${ac_cv_have_broken_dirname+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -5426,12 +5437,12 @@ save_LIBS="$LIBS" LIBS="$LIBS -lgen" if test "$cross_compiling" = yes; then - { { echo "$as_me:5429: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:5440: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 5434 "configure" +#line 5445 "configure" #include "confdefs.h" #include @@ -5451,15 +5462,15 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:5454: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5465: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5457: \$? = $ac_status" >&5 + echo "$as_me:5468: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:5459: \"$ac_try\"") >&5 + { (eval echo "$as_me:5470: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5462: \$? = $ac_status" >&5 + echo "$as_me:5473: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_broken_dirname="no" else @@ -5474,7 +5485,7 @@ LIBS="$save_LIBS" fi -echo "$as_me:5477: result: $ac_cv_have_broken_dirname" >&5 +echo "$as_me:5488: result: $ac_cv_have_broken_dirname" >&5 echo "${ECHO_T}$ac_cv_have_broken_dirname" >&6 if test "x$ac_cv_have_broken_dirname" = "xno" ; then LIBS="$LIBS -lgen" 
@@ -5485,23 +5496,23 @@ for ac_header in libgen.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:5488: checking for $ac_header" >&5 +echo "$as_me:5499: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 5494 "configure" +#line 5505 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:5498: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:5509: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:5504: \$? = $ac_status" >&5 + echo "$as_me:5515: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -5520,7 +5531,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:5523: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:5534: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:5551: checking for getspnam" >&5 echo $ECHO_N "checking for getspnam... $ECHO_C" >&6 if test "${ac_cv_func_getspnam+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 5546 "configure" +#line 5557 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char getspnam (); below. */ 
@@ -5574,16 +5585,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5577: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5588: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5580: \$? = $ac_status" >&5 + echo "$as_me:5591: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5583: \"$ac_try\"") >&5 + { (eval echo "$as_me:5594: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5586: \$? = $ac_status" >&5 + echo "$as_me:5597: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_getspnam=yes else @@ -5593,12 +5604,12 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:5596: result: $ac_cv_func_getspnam" >&5 +echo "$as_me:5607: result: $ac_cv_func_getspnam" >&5 echo "${ECHO_T}$ac_cv_func_getspnam" >&6 if test $ac_cv_func_getspnam = yes; then : else - echo "$as_me:5601: checking for getspnam in -lgen" >&5 + echo "$as_me:5612: checking for getspnam in -lgen" >&5 echo $ECHO_N "checking for getspnam in -lgen... $ECHO_C" >&6 if test "${ac_cv_lib_gen_getspnam+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5606,7 +5617,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lgen $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 5609 "configure" +#line 5620 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -5625,16 +5636,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5628: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5639: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5631: \$? = $ac_status" >&5 + echo "$as_me:5642: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5634: \"$ac_try\"") >&5 + { (eval echo "$as_me:5645: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5637: \$? = $ac_status" >&5 + echo "$as_me:5648: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_gen_getspnam=yes else @@ -5645,7 +5656,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:5648: result: $ac_cv_lib_gen_getspnam" >&5 +echo "$as_me:5659: result: $ac_cv_lib_gen_getspnam" >&5 echo "${ECHO_T}$ac_cv_lib_gen_getspnam" >&6 if test $ac_cv_lib_gen_getspnam = yes; then LIBS="$LIBS -lgen" @@ -5653,7 +5664,7 @@ fi -echo "$as_me:5656: checking for library containing basename" >&5 +echo "$as_me:5667: checking for library containing basename" >&5 echo $ECHO_N "checking for library containing basename... $ECHO_C" >&6 if test "${ac_cv_search_basename+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5661,7 +5672,7 @@ ac_func_search_save_LIBS=$LIBS ac_cv_search_basename=no cat >conftest.$ac_ext <<_ACEOF -#line 5664 "configure" +#line 5675 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -5680,16 +5691,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5683: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5694: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5686: \$? = $ac_status" >&5 + echo "$as_me:5697: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5689: \"$ac_try\"") >&5 + { (eval echo "$as_me:5700: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5692: \$? = $ac_status" >&5 + echo "$as_me:5703: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_basename="none required" else @@ -5701,7 +5712,7 @@ for ac_lib in gen; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 5704 "configure" +#line 5715 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -5720,16 +5731,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5723: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5734: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5726: \$? = $ac_status" >&5 + echo "$as_me:5737: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5729: \"$ac_try\"") >&5 + { (eval echo "$as_me:5740: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5732: \$? = $ac_status" >&5 + echo "$as_me:5743: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_basename="-l$ac_lib" break @@ -5742,7 +5753,7 @@ fi LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:5745: result: $ac_cv_search_basename" >&5 +echo "$as_me:5756: result: $ac_cv_search_basename" >&5 echo "${ECHO_T}$ac_cv_search_basename" >&6 if test "$ac_cv_search_basename" != no; then test "$ac_cv_search_basename" = "none required" || LIBS="$ac_cv_search_basename $LIBS" 
@@ -5757,7 +5768,7 @@ withval="$with_zlib" if test "x$withval" = "xno" ; then - { { echo "$as_me:5760: error: *** zlib is required ***" >&5 + { { echo "$as_me:5771: error: *** zlib is required ***" >&5 echo "$as_me: error: *** zlib is required ***" >&2;} { (exit 1); exit 1; }; } fi @@ -5782,7 +5793,7 @@ fi; -echo "$as_me:5785: checking for deflate in -lz" >&5 +echo "$as_me:5796: checking for deflate in -lz" >&5 echo $ECHO_N "checking for deflate in -lz... $ECHO_C" >&6 if test "${ac_cv_lib_z_deflate+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -5790,7 +5801,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lz $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 5793 "configure" +#line 5804 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -5809,16 +5820,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5812: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5823: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5815: \$? = $ac_status" >&5 + echo "$as_me:5826: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5818: \"$ac_try\"") >&5 + { (eval echo "$as_me:5829: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5821: \$? = $ac_status" >&5 + echo "$as_me:5832: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_z_deflate=yes else @@ -5829,7 +5840,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:5832: result: $ac_cv_lib_z_deflate" >&5 +echo "$as_me:5843: result: $ac_cv_lib_z_deflate" >&5 echo "${ECHO_T}$ac_cv_lib_z_deflate" >&6 if test $ac_cv_lib_z_deflate = yes; then cat >>confdefs.h <conftest.$ac_ext <<_ACEOF -#line 5854 "configure" +#line 5865 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -5870,16 +5881,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:5873: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5884: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5876: \$? = $ac_status" >&5 + echo "$as_me:5887: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:5879: \"$ac_try\"") >&5 + { (eval echo "$as_me:5890: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5882: \$? = $ac_status" >&5 + echo "$as_me:5893: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF #define HAVE_LIBZ 1 @@ -5889,7 +5900,7 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - { { echo "$as_me:5892: error: *** zlib missing - please install first or check config.log ***" >&5 + { { echo "$as_me:5903: error: *** zlib missing - please install first or check config.log ***" >&5 echo "$as_me: error: *** zlib missing - please install first or check config.log ***" >&2;} { (exit 1); exit 1; }; } @@ -5898,23 +5909,23 @@ fi -echo "$as_me:5901: checking for zlib.h" >&5 +echo "$as_me:5912: checking for zlib.h" >&5 echo $ECHO_N "checking for zlib.h... $ECHO_C" >&6 if test "${ac_cv_header_zlib_h+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 5907 "configure" +#line 5918 "configure" #include "confdefs.h" #include _ACEOF -if { (eval echo "$as_me:5911: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:5922: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:5917: \$? = $ac_status" >&5 + echo "$as_me:5928: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag 
@@ -5933,12 +5944,12 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:5936: result: $ac_cv_header_zlib_h" >&5 +echo "$as_me:5947: result: $ac_cv_header_zlib_h" >&5 echo "${ECHO_T}$ac_cv_header_zlib_h" >&6 if test $ac_cv_header_zlib_h = yes; then : else - { { echo "$as_me:5941: error: *** zlib.h missing - please install first or check config.log ***" >&5 + { { echo "$as_me:5952: error: *** zlib.h missing - please install first or check config.log ***" >&5 echo "$as_me: error: *** zlib.h missing - please install first or check config.log ***" >&2;} { (exit 1); exit 1; }; } fi @@ -5952,15 +5963,15 @@ fi; -echo "$as_me:5955: checking for zlib 1.1.4 or greater" >&5 +echo "$as_me:5966: checking for zlib 1.1.4 or greater" >&5 echo $ECHO_N "checking for zlib 1.1.4 or greater... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:5958: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:5969: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 5963 "configure" +#line 5974 "configure" #include "confdefs.h" #include 
@@ -5977,26 +5988,26 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:5980: \"$ac_link\"") >&5 +if { (eval echo "$as_me:5991: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:5983: \$? = $ac_status" >&5 + echo "$as_me:5994: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:5985: \"$ac_try\"") >&5 + { (eval echo "$as_me:5996: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:5988: \$? = $ac_status" >&5 + echo "$as_me:5999: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:5990: result: yes" >&5 + echo "$as_me:6001: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: program exited with status $ac_status" >&5 echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:5996: result: no" >&5 + echo "$as_me:6007: result: no" >&5 echo "${ECHO_T}no" >&6 if test -z "$zlib_check_nonfatal" ; then - { { echo "$as_me:5999: error: *** zlib too old - check config.log *** + { { echo "$as_me:6010: error: *** zlib too old - check config.log *** Your reported zlib version has known security problems. It's possible your vendor has fixed these problems without changing the version number. If you are sure this is the case, you can disable the check by running @@ -6010,7 +6021,7 @@ If you are in doubt, upgrade zlib to version 1.1.4 or greater." >&2;} { (exit 1); exit 1; }; } else - { echo "$as_me:6013: WARNING: zlib version may have security problems" >&5 + { echo "$as_me:6024: WARNING: zlib version may have security problems" >&5 echo "$as_me: WARNING: zlib version may have security problems" >&2;} fi 
@@ -6018,13 +6029,13 @@ rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:6021: checking for strcasecmp" >&5 +echo "$as_me:6032: checking for strcasecmp" >&5 echo $ECHO_N "checking for strcasecmp... $ECHO_C" >&6 if test "${ac_cv_func_strcasecmp+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 6027 "configure" +#line 6038 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char strcasecmp (); below. */ @@ -6055,16 +6066,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6058: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6069: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6061: \$? = $ac_status" >&5 + echo "$as_me:6072: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6064: \"$ac_try\"") >&5 + { (eval echo "$as_me:6075: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6067: \$? = $ac_status" >&5 + echo "$as_me:6078: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_strcasecmp=yes else @@ -6074,12 +6085,12 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:6077: result: $ac_cv_func_strcasecmp" >&5 +echo "$as_me:6088: result: $ac_cv_func_strcasecmp" >&5 echo "${ECHO_T}$ac_cv_func_strcasecmp" >&6 if test $ac_cv_func_strcasecmp = yes; then : else - echo "$as_me:6082: checking for strcasecmp in -lresolv" >&5 + echo "$as_me:6093: checking for strcasecmp in -lresolv" >&5 echo $ECHO_N "checking for strcasecmp in -lresolv... $ECHO_C" >&6 if test "${ac_cv_lib_resolv_strcasecmp+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -6087,7 +6098,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lresolv $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 6090 "configure" +#line 6101 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -6106,16 +6117,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6109: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6120: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6112: \$? = $ac_status" >&5 + echo "$as_me:6123: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6115: \"$ac_try\"") >&5 + { (eval echo "$as_me:6126: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6118: \$? = $ac_status" >&5 + echo "$as_me:6129: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_resolv_strcasecmp=yes else @@ -6126,7 +6137,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:6129: result: $ac_cv_lib_resolv_strcasecmp" >&5 +echo "$as_me:6140: result: $ac_cv_lib_resolv_strcasecmp" >&5 echo "${ECHO_T}$ac_cv_lib_resolv_strcasecmp" >&6 if test $ac_cv_lib_resolv_strcasecmp = yes; then LIBS="$LIBS -lresolv" @@ -6134,13 +6145,13 @@ fi -echo "$as_me:6137: checking for utimes" >&5 +echo "$as_me:6148: checking for utimes" >&5 echo $ECHO_N "checking for utimes... $ECHO_C" >&6 if test "${ac_cv_func_utimes+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 6143 "configure" +#line 6154 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char utimes (); below. */ 
@@ -6171,16 +6182,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6174: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6185: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6177: \$? = $ac_status" >&5 + echo "$as_me:6188: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6180: \"$ac_try\"") >&5 + { (eval echo "$as_me:6191: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6183: \$? = $ac_status" >&5 + echo "$as_me:6194: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_utimes=yes else @@ -6190,12 +6201,12 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:6193: result: $ac_cv_func_utimes" >&5 +echo "$as_me:6204: result: $ac_cv_func_utimes" >&5 echo "${ECHO_T}$ac_cv_func_utimes" >&6 if test $ac_cv_func_utimes = yes; then : else - echo "$as_me:6198: checking for utimes in -lc89" >&5 + echo "$as_me:6209: checking for utimes in -lc89" >&5 echo $ECHO_N "checking for utimes in -lc89... $ECHO_C" >&6 if test "${ac_cv_lib_c89_utimes+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -6203,7 +6214,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lc89 $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 6206 "configure" +#line 6217 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -6222,16 +6233,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6225: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6236: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6228: \$? = $ac_status" >&5 + echo "$as_me:6239: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6231: \"$ac_try\"") >&5 + { (eval echo "$as_me:6242: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6234: \$? = $ac_status" >&5 + echo "$as_me:6245: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_c89_utimes=yes else @@ -6242,7 +6253,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:6245: result: $ac_cv_lib_c89_utimes" >&5 +echo "$as_me:6256: result: $ac_cv_lib_c89_utimes" >&5 echo "${ECHO_T}$ac_cv_lib_c89_utimes" >&6 if test $ac_cv_lib_c89_utimes = yes; then cat >>confdefs.h <<\EOF @@ -6257,23 +6268,23 @@ for ac_header in libutil.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:6260: checking for $ac_header" >&5 +echo "$as_me:6271: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 6266 "configure" +#line 6277 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:6270: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:6281: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:6276: \$? = $ac_status" >&5 + echo "$as_me:6287: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag 
@@ -6292,7 +6303,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:6295: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:6306: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:6316: checking for library containing login" >&5 echo $ECHO_N "checking for library containing login... $ECHO_C" >&6 if test "${ac_cv_search_login+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -6310,7 +6321,7 @@ ac_func_search_save_LIBS=$LIBS ac_cv_search_login=no cat >conftest.$ac_ext <<_ACEOF -#line 6313 "configure" +#line 6324 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -6329,16 +6340,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6332: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6343: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6335: \$? = $ac_status" >&5 + echo "$as_me:6346: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6338: \"$ac_try\"") >&5 + { (eval echo "$as_me:6349: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6341: \$? = $ac_status" >&5 + echo "$as_me:6352: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_login="none required" else @@ -6350,7 +6361,7 @@ for ac_lib in util bsd; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 6353 "configure" +#line 6364 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -6369,16 +6380,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6372: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6383: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6375: \$? = $ac_status" >&5 + echo "$as_me:6386: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6378: \"$ac_try\"") >&5 + { (eval echo "$as_me:6389: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6381: \$? = $ac_status" >&5 + echo "$as_me:6392: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_login="-l$ac_lib" break @@ -6391,7 +6402,7 @@ fi LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:6394: result: $ac_cv_search_login" >&5 +echo "$as_me:6405: result: $ac_cv_search_login" >&5 echo "${ECHO_T}$ac_cv_search_login" >&6 if test "$ac_cv_search_login" != no; then test "$ac_cv_search_login" = "none required" || LIBS="$ac_cv_search_login $LIBS" @@ -6404,13 +6415,13 @@ for ac_func in logout updwtmp logwtmp do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:6407: checking for $ac_func" >&5 +echo "$as_me:6418: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 6413 "configure" +#line 6424 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -6441,16 +6452,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6444: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6455: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6447: \$? = $ac_status" >&5 + echo "$as_me:6458: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6450: \"$ac_try\"") >&5 + { (eval echo "$as_me:6461: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6453: \$? = $ac_status" >&5 + echo "$as_me:6464: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -6460,7 +6471,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:6463: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:6474: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:6487: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 6482 "configure" +#line 6493 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -6510,16 +6521,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6513: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6524: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6516: \$? = $ac_status" >&5 + echo "$as_me:6527: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6519: \"$ac_try\"") >&5 + { (eval echo "$as_me:6530: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6522: \$? = $ac_status" >&5 + echo "$as_me:6533: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -6529,7 +6540,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:6532: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:6543: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:6552: checking for strftime in -lintl" >&5 echo $ECHO_N "checking for strftime in -lintl... $ECHO_C" >&6 if test "${ac_cv_lib_intl_strftime+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -6546,7 +6557,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lintl $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 6549 "configure" +#line 6560 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -6565,16 +6576,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6568: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6579: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6571: \$? = $ac_status" >&5 + echo "$as_me:6582: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6574: \"$ac_try\"") >&5 + { (eval echo "$as_me:6585: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6577: \$? = $ac_status" >&5 + echo "$as_me:6588: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_intl_strftime=yes else @@ -6585,7 +6596,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:6588: result: $ac_cv_lib_intl_strftime" >&5 +echo "$as_me:6599: result: $ac_cv_lib_intl_strftime" >&5 echo "${ECHO_T}$ac_cv_lib_intl_strftime" >&6 if test $ac_cv_lib_intl_strftime = yes; then cat >>confdefs.h <<\EOF @@ -6599,10 +6610,10 @@ done # Check for ALTDIRFUNC glob() extension -echo "$as_me:6602: checking for GLOB_ALTDIRFUNC support" >&5 +echo "$as_me:6613: checking for GLOB_ALTDIRFUNC support" >&5 echo $ECHO_N "checking for GLOB_ALTDIRFUNC support... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 6605 "configure" +#line 6616 "configure" #include "confdefs.h" #include @@ -6618,22 +6629,22 @@ #define GLOB_HAS_ALTDIRFUNC 1 EOF - echo "$as_me:6621: result: yes" >&5 + echo "$as_me:6632: result: yes" >&5 echo "${ECHO_T}yes" >&6 else - echo "$as_me:6626: result: no" >&5 + echo "$as_me:6637: result: no" >&5 echo "${ECHO_T}no" >&6 fi rm -f conftest* # Check for g.gl_matchc glob() extension -echo "$as_me:6633: checking for gl_matchc field in glob_t" >&5 +echo "$as_me:6644: checking for gl_matchc field in glob_t" >&5 echo $ECHO_N "checking for gl_matchc field in glob_t... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 6636 "configure" +#line 6647 "configure" #include "confdefs.h" #include 
@@ -6647,26 +6658,26 @@ #define GLOB_HAS_GL_MATCHC 1 EOF - echo "$as_me:6650: result: yes" >&5 + echo "$as_me:6661: result: yes" >&5 echo "${ECHO_T}yes" >&6 else - echo "$as_me:6655: result: no" >&5 + echo "$as_me:6666: result: no" >&5 echo "${ECHO_T}no" >&6 fi rm -f conftest* -echo "$as_me:6661: checking whether struct dirent allocates space for d_name" >&5 +echo "$as_me:6672: checking whether struct dirent allocates space for d_name" >&5 echo $ECHO_N "checking whether struct dirent allocates space for d_name... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:6664: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:6675: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 6669 "configure" +#line 6680 "configure" #include "confdefs.h" #include @@ -6675,24 +6686,24 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:6678: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6689: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6681: \$? = $ac_status" >&5 + echo "$as_me:6692: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:6683: \"$ac_try\"") >&5 + { (eval echo "$as_me:6694: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6686: \$? = $ac_status" >&5 + echo "$as_me:6697: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:6688: result: yes" >&5 + echo "$as_me:6699: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: program exited with status $ac_status" >&5 echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:6695: result: no" >&5 + echo "$as_me:6706: result: no" >&5 echo "${ECHO_T}no" >&6 cat >>confdefs.h <<\EOF #define BROKEN_ONE_BYTE_DIRENT_D_NAME 1 
@@ -6723,15 +6734,15 @@ LIBS="-lskey $LIBS" SKEY_MSG="yes" - echo "$as_me:6726: checking for s/key support" >&5 + echo "$as_me:6737: checking for s/key support" >&5 echo $ECHO_N "checking for s/key support... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:6729: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:6740: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 6734 "configure" +#line 6745 "configure" #include "confdefs.h" #include @@ -6740,26 +6751,26 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:6743: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6754: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6746: \$? = $ac_status" >&5 + echo "$as_me:6757: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:6748: \"$ac_try\"") >&5 + { (eval echo "$as_me:6759: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6751: \$? = $ac_status" >&5 + echo "$as_me:6762: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:6753: result: yes" >&5 + echo "$as_me:6764: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: program exited with status $ac_status" >&5 echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:6760: result: no" >&5 + echo "$as_me:6771: result: no" >&5 echo "${ECHO_T}no" >&6 - { { echo "$as_me:6762: error: ** Incomplete or missing s/key libraries." >&5 + { { echo "$as_me:6773: error: ** Incomplete or missing s/key libraries." >&5 echo "$as_me: error: ** Incomplete or missing s/key libraries." >&2;} { (exit 1); exit 1; }; } 
@@ -6803,10 +6814,10 @@ fi LIBWRAP="-lwrap" LIBS="$LIBWRAP $LIBS" - echo "$as_me:6806: checking for libwrap" >&5 + echo "$as_me:6817: checking for libwrap" >&5 echo $ECHO_N "checking for libwrap... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 6809 "configure" +#line 6820 "configure" #include "confdefs.h" #include @@ -6821,19 +6832,19 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6824: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6835: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6827: \$? = $ac_status" >&5 + echo "$as_me:6838: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6830: \"$ac_try\"") >&5 + { (eval echo "$as_me:6841: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6833: \$? = $ac_status" >&5 + echo "$as_me:6844: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:6836: result: yes" >&5 + echo "$as_me:6847: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define LIBWRAP 1 @@ -6845,7 +6856,7 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - { { echo "$as_me:6848: error: *** libwrap missing" >&5 + { { echo "$as_me:6859: error: *** libwrap missing" >&5 echo "$as_me: error: *** libwrap missing" >&2;} { (exit 1); exit 1; }; } @@ -6872,13 +6883,13 @@ do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:6875: checking for $ac_func" >&5 +echo "$as_me:6886: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 6881 "configure" +#line 6892 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -6909,16 +6920,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6912: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6923: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6915: \$? = $ac_status" >&5 + echo "$as_me:6926: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6918: \"$ac_try\"") >&5 + { (eval echo "$as_me:6929: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6921: \$? = $ac_status" >&5 + echo "$as_me:6932: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -6928,7 +6939,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:6931: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:6942: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:6957: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 6952 "configure" +#line 6963 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -6980,16 +6991,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:6983: \"$ac_link\"") >&5 +if { (eval echo "$as_me:6994: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:6986: \$? = $ac_status" >&5 + echo "$as_me:6997: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:6989: \"$ac_try\"") >&5 + { (eval echo "$as_me:7000: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:6992: \$? = $ac_status" >&5 + echo "$as_me:7003: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -6999,7 +7010,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:7002: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:7013: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <conftest.$ac_ext <<_ACEOF -#line 7014 "configure" +#line 7025 "configure" #include "confdefs.h" #include @@ -7031,16 +7042,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:7034: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:7045: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:7037: \$? = $ac_status" >&5 + echo "$as_me:7048: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:7040: \"$ac_try\"") >&5 + { (eval echo "$as_me:7051: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7043: \$? = $ac_status" >&5 + echo "$as_me:7054: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF 
@@ -7055,7 +7066,7 @@ fi done -echo "$as_me:7058: checking for library containing nanosleep" >&5 +echo "$as_me:7069: checking for library containing nanosleep" >&5 echo $ECHO_N "checking for library containing nanosleep... $ECHO_C" >&6 if test "${ac_cv_search_nanosleep+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -7063,7 +7074,7 @@ ac_func_search_save_LIBS=$LIBS ac_cv_search_nanosleep=no cat >conftest.$ac_ext <<_ACEOF -#line 7066 "configure" +#line 7077 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -7082,16 +7093,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7085: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7096: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7088: \$? = $ac_status" >&5 + echo "$as_me:7099: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7091: \"$ac_try\"") >&5 + { (eval echo "$as_me:7102: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7094: \$? = $ac_status" >&5 + echo "$as_me:7105: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_nanosleep="none required" else @@ -7103,7 +7114,7 @@ for ac_lib in rt posix4; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 7106 "configure" +#line 7117 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -7122,16 +7133,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7125: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7136: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7128: \$? = $ac_status" >&5 + echo "$as_me:7139: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7131: \"$ac_try\"") >&5 + { (eval echo "$as_me:7142: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7134: \$? = $ac_status" >&5 + echo "$as_me:7145: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_nanosleep="-l$ac_lib" break @@ -7144,7 +7155,7 @@ fi LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:7147: result: $ac_cv_search_nanosleep" >&5 +echo "$as_me:7158: result: $ac_cv_search_nanosleep" >&5 echo "${ECHO_T}$ac_cv_search_nanosleep" >&6 if test "$ac_cv_search_nanosleep" != no; then test "$ac_cv_search_nanosleep" = "none required" || LIBS="$ac_cv_search_nanosleep $LIBS" @@ -7154,13 +7165,13 @@ fi -echo "$as_me:7157: checking for ANSI C header files" >&5 +echo "$as_me:7168: checking for ANSI C header files" >&5 echo $ECHO_N "checking for ANSI C header files... $ECHO_C" >&6 if test "${ac_cv_header_stdc+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7163 "configure" +#line 7174 "configure" #include "confdefs.h" #include #include @@ -7168,13 +7179,13 @@ #include _ACEOF -if { (eval echo "$as_me:7171: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:7182: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:7177: \$? = $ac_status" >&5 + echo "$as_me:7188: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag 
@@ -7196,7 +7207,7 @@ if test $ac_cv_header_stdc = yes; then # SunOS 4.x string.h does not declare mem*, contrary to ANSI. cat >conftest.$ac_ext <<_ACEOF -#line 7199 "configure" +#line 7210 "configure" #include "confdefs.h" #include @@ -7214,7 +7225,7 @@ if test $ac_cv_header_stdc = yes; then # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. cat >conftest.$ac_ext <<_ACEOF -#line 7217 "configure" +#line 7228 "configure" #include "confdefs.h" #include @@ -7235,7 +7246,7 @@ : else cat >conftest.$ac_ext <<_ACEOF -#line 7238 "configure" +#line 7249 "configure" #include "confdefs.h" #include #if ((' ' & 0x0FF) == 0x020) @@ -7261,15 +7272,15 @@ } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:7264: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7275: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7267: \$? = $ac_status" >&5 + echo "$as_me:7278: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:7269: \"$ac_try\"") >&5 + { (eval echo "$as_me:7280: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7272: \$? = $ac_status" >&5 + echo "$as_me:7283: \$? = $ac_status" >&5 (exit $ac_status); }; }; then : else @@ -7282,7 +7293,7 @@ fi fi fi -echo "$as_me:7285: result: $ac_cv_header_stdc" >&5 +echo "$as_me:7296: result: $ac_cv_header_stdc" >&5 echo "${ECHO_T}$ac_cv_header_stdc" >&6 if test $ac_cv_header_stdc = yes; then 
@@ -7298,28 +7309,28 @@ inttypes.h stdint.h unistd.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:7301: checking for $ac_header" >&5 +echo "$as_me:7312: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7307 "configure" +#line 7318 "configure" #include "confdefs.h" $ac_includes_default #include <$ac_header> _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:7313: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:7324: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:7316: \$? = $ac_status" >&5 + echo "$as_me:7327: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:7319: \"$ac_try\"") >&5 + { (eval echo "$as_me:7330: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7322: \$? = $ac_status" >&5 + echo "$as_me:7333: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_Header=yes" else @@ -7329,7 +7340,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:7332: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:7343: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:7353: checking whether strsep is declared" >&5 echo $ECHO_N "checking whether strsep is declared... $ECHO_C" >&6 if test "${ac_cv_have_decl_strsep+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7348 "configure" +#line 7359 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -7360,16 +7371,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:7363: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:7374: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:7366: \$? = $ac_status" >&5 + echo "$as_me:7377: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:7369: \"$ac_try\"") >&5 + { (eval echo "$as_me:7380: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7372: \$? = $ac_status" >&5 + echo "$as_me:7383: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_decl_strsep=yes else @@ -7379,20 +7390,20 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:7382: result: $ac_cv_have_decl_strsep" >&5 +echo "$as_me:7393: result: $ac_cv_have_decl_strsep" >&5 echo "${ECHO_T}$ac_cv_have_decl_strsep" >&6 if test $ac_cv_have_decl_strsep = yes; then for ac_func in strsep do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:7389: checking for $ac_func" >&5 +echo "$as_me:7400: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7395 "configure" +#line 7406 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -7423,16 +7434,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7426: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7437: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7429: \$? = $ac_status" >&5 + echo "$as_me:7440: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7432: \"$ac_try\"") >&5 + { (eval echo "$as_me:7443: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7435: \$? = $ac_status" >&5 + echo "$as_me:7446: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -7442,7 +7453,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:7445: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:7456: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:7468: checking whether getrusage is declared" >&5 echo $ECHO_N "checking whether getrusage is declared... $ECHO_C" >&6 if test "${ac_cv_have_decl_getrusage+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7463 "configure" +#line 7474 "configure" #include "confdefs.h" $ac_includes_default int @@ -7475,16 +7486,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:7478: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:7489: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:7481: \$? = $ac_status" >&5 + echo "$as_me:7492: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:7484: \"$ac_try\"") >&5 + { (eval echo "$as_me:7495: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7487: \$? = $ac_status" >&5 + echo "$as_me:7498: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_decl_getrusage=yes else 
@@ -7494,20 +7505,20 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:7497: result: $ac_cv_have_decl_getrusage" >&5 +echo "$as_me:7508: result: $ac_cv_have_decl_getrusage" >&5 echo "${ECHO_T}$ac_cv_have_decl_getrusage" >&6 if test $ac_cv_have_decl_getrusage = yes; then for ac_func in getrusage do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:7504: checking for $ac_func" >&5 +echo "$as_me:7515: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7510 "configure" +#line 7521 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ @@ -7538,16 +7549,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7541: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7552: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7544: \$? = $ac_status" >&5 + echo "$as_me:7555: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7547: \"$ac_try\"") >&5 + { (eval echo "$as_me:7558: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7550: \$? = $ac_status" >&5 + echo "$as_me:7561: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else 
@@ -7557,7 +7568,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:7560: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:7571: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:7583: checking whether tcsendbreak is declared" >&5 echo $ECHO_N "checking whether tcsendbreak is declared... $ECHO_C" >&6 if test "${ac_cv_have_decl_tcsendbreak+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7578 "configure" +#line 7589 "configure" #include "confdefs.h" #include @@ -7591,16 +7602,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:7594: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:7605: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:7597: \$? = $ac_status" >&5 + echo "$as_me:7608: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:7600: \"$ac_try\"") >&5 + { (eval echo "$as_me:7611: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7603: \$? = $ac_status" >&5 + echo "$as_me:7614: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_decl_tcsendbreak=yes else @@ -7610,7 +7621,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:7613: result: $ac_cv_have_decl_tcsendbreak" >&5 +echo "$as_me:7624: result: $ac_cv_have_decl_tcsendbreak" >&5 echo "${ECHO_T}$ac_cv_have_decl_tcsendbreak" >&6 if test $ac_cv_have_decl_tcsendbreak = yes; then cat >>confdefs.h <<\EOF 
@@ -7622,13 +7633,13 @@ for ac_func in tcsendbreak do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:7625: checking for $ac_func" >&5 +echo "$as_me:7636: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7631 "configure" +#line 7642 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ @@ -7659,16 +7670,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7662: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7673: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7665: \$? = $ac_status" >&5 + echo "$as_me:7676: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7668: \"$ac_try\"") >&5 + { (eval echo "$as_me:7679: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7671: \$? = $ac_status" >&5 + echo "$as_me:7682: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -7678,7 +7689,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:7681: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:7692: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:7707: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7702 "configure" +#line 7713 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -7730,16 +7741,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7733: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7744: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7736: \$? = $ac_status" >&5 + echo "$as_me:7747: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7739: \"$ac_try\"") >&5 + { (eval echo "$as_me:7750: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7742: \$? = $ac_status" >&5 + echo "$as_me:7753: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -7749,22 +7760,22 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:7752: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:7763: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 + echo "$as_me:7770: checking if setresuid seems to work" >&5 echo $ECHO_N "checking if setresuid seems to work... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:7762: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:7773: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 7767 "configure" +#line 7778 "configure" #include "confdefs.h" #include 
@@ -7773,17 +7784,17 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:7776: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7787: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7779: \$? = $ac_status" >&5 + echo "$as_me:7790: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:7781: \"$ac_try\"") >&5 + { (eval echo "$as_me:7792: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7784: \$? = $ac_status" >&5 + echo "$as_me:7795: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:7786: result: yes" >&5 + echo "$as_me:7797: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: program exited with status $ac_status" >&5 @@ -7793,7 +7804,7 @@ #define BROKEN_SETRESUID 1 EOF - echo "$as_me:7796: result: not implemented" >&5 + echo "$as_me:7807: result: not implemented" >&5 echo "${ECHO_T}not implemented" >&6 fi @@ -7806,13 +7817,13 @@ for ac_func in setresgid do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:7809: checking for $ac_func" >&5 +echo "$as_me:7820: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7815 "configure" +#line 7826 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -7843,16 +7854,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7846: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7857: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7849: \$? = $ac_status" >&5 + echo "$as_me:7860: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7852: \"$ac_try\"") >&5 + { (eval echo "$as_me:7863: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7855: \$? = $ac_status" >&5 + echo "$as_me:7866: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -7862,22 +7873,22 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:7865: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:7876: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 + echo "$as_me:7883: checking if setresgid seems to work" >&5 echo $ECHO_N "checking if setresgid seems to work... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:7875: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:7886: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 7880 "configure" +#line 7891 "configure" #include "confdefs.h" #include 
@@ -7886,17 +7897,17 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:7889: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7900: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7892: \$? = $ac_status" >&5 + echo "$as_me:7903: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:7894: \"$ac_try\"") >&5 + { (eval echo "$as_me:7905: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7897: \$? = $ac_status" >&5 + echo "$as_me:7908: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:7899: result: yes" >&5 + echo "$as_me:7910: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: program exited with status $ac_status" >&5 @@ -7906,7 +7917,7 @@ #define BROKEN_SETRESGID 1 EOF - echo "$as_me:7909: result: not implemented" >&5 + echo "$as_me:7920: result: not implemented" >&5 echo "${ECHO_T}not implemented" >&6 fi @@ -7919,13 +7930,13 @@ for ac_func in gettimeofday time do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:7922: checking for $ac_func" >&5 +echo "$as_me:7933: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7928 "configure" +#line 7939 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -7956,16 +7967,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:7959: \"$ac_link\"") >&5 +if { (eval echo "$as_me:7970: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:7962: \$? = $ac_status" >&5 + echo "$as_me:7973: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:7965: \"$ac_try\"") >&5 + { (eval echo "$as_me:7976: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:7968: \$? = $ac_status" >&5 + echo "$as_me:7979: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -7975,7 +7986,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:7978: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:7989: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:8002: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 7997 "configure" +#line 8008 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -8025,16 +8036,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8028: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8039: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8031: \$? = $ac_status" >&5 + echo "$as_me:8042: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8034: \"$ac_try\"") >&5 + { (eval echo "$as_me:8045: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8037: \$? = $ac_status" >&5 + echo "$as_me:8048: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -8044,7 +8055,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:8047: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:8058: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:8071: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 8066 "configure" +#line 8077 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -8094,16 +8105,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8097: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8108: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8100: \$? = $ac_status" >&5 + echo "$as_me:8111: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8103: \"$ac_try\"") >&5 + { (eval echo "$as_me:8114: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8106: \$? = $ac_status" >&5 + echo "$as_me:8117: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -8113,7 +8124,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:8116: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:8127: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:8140: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 8135 "configure" +#line 8146 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -8163,16 +8174,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8166: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8177: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8169: \$? = $ac_status" >&5 + echo "$as_me:8180: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8172: \"$ac_try\"") >&5 + { (eval echo "$as_me:8183: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8175: \$? = $ac_status" >&5 + echo "$as_me:8186: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -8182,7 +8193,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:8185: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:8196: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:8209: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 8204 "configure" +#line 8215 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -8232,16 +8243,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8235: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8246: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8238: \$? = $ac_status" >&5 + echo "$as_me:8249: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8241: \"$ac_try\"") >&5 + { (eval echo "$as_me:8252: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8244: \$? = $ac_status" >&5 + echo "$as_me:8255: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -8251,7 +8262,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:8254: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:8265: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:8275: checking for daemon" >&5 echo $ECHO_N "checking for daemon... $ECHO_C" >&6 if test "${ac_cv_func_daemon+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 8270 "configure" +#line 8281 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char daemon (); below. */ 
@@ -8298,16 +8309,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8301: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8312: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8304: \$? = $ac_status" >&5 + echo "$as_me:8315: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8307: \"$ac_try\"") >&5 + { (eval echo "$as_me:8318: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8310: \$? = $ac_status" >&5 + echo "$as_me:8321: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_daemon=yes else @@ -8317,7 +8328,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:8320: result: $ac_cv_func_daemon" >&5 +echo "$as_me:8331: result: $ac_cv_func_daemon" >&5 echo "${ECHO_T}$ac_cv_func_daemon" >&6 if test $ac_cv_func_daemon = yes; then cat >>confdefs.h <<\EOF @@ -8325,7 +8336,7 @@ EOF else - echo "$as_me:8328: checking for daemon in -lbsd" >&5 + echo "$as_me:8339: checking for daemon in -lbsd" >&5 echo $ECHO_N "checking for daemon in -lbsd... $ECHO_C" >&6 if test "${ac_cv_lib_bsd_daemon+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -8333,7 +8344,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lbsd $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 8336 "configure" +#line 8347 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -8352,16 +8363,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8355: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8366: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8358: \$? = $ac_status" >&5 + echo "$as_me:8369: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8361: \"$ac_try\"") >&5 + { (eval echo "$as_me:8372: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8364: \$? = $ac_status" >&5 + echo "$as_me:8375: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_bsd_daemon=yes else @@ -8372,7 +8383,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:8375: result: $ac_cv_lib_bsd_daemon" >&5 +echo "$as_me:8386: result: $ac_cv_lib_bsd_daemon" >&5 echo "${ECHO_T}$ac_cv_lib_bsd_daemon" >&6 if test $ac_cv_lib_bsd_daemon = yes; then LIBS="$LIBS -lbsd"; cat >>confdefs.h <<\EOF @@ -8383,13 +8394,13 @@ fi -echo "$as_me:8386: checking for getpagesize" >&5 +echo "$as_me:8397: checking for getpagesize" >&5 echo $ECHO_N "checking for getpagesize... $ECHO_C" >&6 if test "${ac_cv_func_getpagesize+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 8392 "configure" +#line 8403 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char getpagesize (); below. */ 
@@ -8420,16 +8431,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8423: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8434: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8426: \$? = $ac_status" >&5 + echo "$as_me:8437: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8429: \"$ac_try\"") >&5 + { (eval echo "$as_me:8440: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8432: \$? = $ac_status" >&5 + echo "$as_me:8443: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_getpagesize=yes else @@ -8439,7 +8450,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:8442: result: $ac_cv_func_getpagesize" >&5 +echo "$as_me:8453: result: $ac_cv_func_getpagesize" >&5 echo "${ECHO_T}$ac_cv_func_getpagesize" >&6 if test $ac_cv_func_getpagesize = yes; then cat >>confdefs.h <<\EOF @@ -8447,7 +8458,7 @@ EOF else - echo "$as_me:8450: checking for getpagesize in -lucb" >&5 + echo "$as_me:8461: checking for getpagesize in -lucb" >&5 echo $ECHO_N "checking for getpagesize in -lucb... $ECHO_C" >&6 if test "${ac_cv_lib_ucb_getpagesize+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -8455,7 +8466,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lucb $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 8458 "configure" +#line 8469 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -8474,16 +8485,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8477: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8488: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8480: \$? = $ac_status" >&5 + echo "$as_me:8491: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8483: \"$ac_try\"") >&5 + { (eval echo "$as_me:8494: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8486: \$? = $ac_status" >&5 + echo "$as_me:8497: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_ucb_getpagesize=yes else @@ -8494,7 +8505,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:8497: result: $ac_cv_lib_ucb_getpagesize" >&5 +echo "$as_me:8508: result: $ac_cv_lib_ucb_getpagesize" >&5 echo "${ECHO_T}$ac_cv_lib_ucb_getpagesize" >&6 if test $ac_cv_lib_ucb_getpagesize = yes; then LIBS="$LIBS -lucb"; cat >>confdefs.h <<\EOF @@ -8507,15 +8518,15 @@ # Check for broken snprintf if test "x$ac_cv_func_snprintf" = "xyes" ; then - echo "$as_me:8510: checking whether snprintf correctly terminates long strings" >&5 + echo "$as_me:8521: checking whether snprintf correctly terminates long strings" >&5 echo $ECHO_N "checking whether snprintf correctly terminates long strings... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:8513: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:8524: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 8518 "configure" +#line 8529 "configure" #include "confdefs.h" #include 
@@ -8523,30 +8534,30 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:8526: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8537: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8529: \$? = $ac_status" >&5 + echo "$as_me:8540: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:8531: \"$ac_try\"") >&5 + { (eval echo "$as_me:8542: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8534: \$? = $ac_status" >&5 + echo "$as_me:8545: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:8536: result: yes" >&5 + echo "$as_me:8547: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: program exited with status $ac_status" >&5 echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:8543: result: no" >&5 + echo "$as_me:8554: result: no" >&5 echo "${ECHO_T}no" >&6 cat >>confdefs.h <<\EOF #define BROKEN_SNPRINTF 1 EOF - { echo "$as_me:8549: WARNING: ****** Your snprintf() function is broken, complain to your vendor" >&5 + { echo "$as_me:8560: WARNING: ****** Your snprintf() function is broken, complain to your vendor" >&5 echo "$as_me: WARNING: ****** Your snprintf() function is broken, complain to your vendor" >&2;} fi @@ -8555,11 +8566,11 @@ fi if test "x$ac_cv_func_mkdtemp" = "xyes" ; then -echo "$as_me:8558: checking for (overly) strict mkstemp" >&5 +echo "$as_me:8569: checking for (overly) strict mkstemp" >&5 echo $ECHO_N "checking for (overly) strict mkstemp... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - echo "$as_me:8562: result: yes" >&5 + echo "$as_me:8573: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define HAVE_STRICT_MKSTEMP 1 @@ -8567,7 +8578,7 @@ else cat >conftest.$ac_ext <<_ACEOF -#line 8570 "configure" +#line 8581 "configure" #include "confdefs.h" #include 
@@ -8579,18 +8590,18 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:8582: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8593: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8585: \$? = $ac_status" >&5 + echo "$as_me:8596: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:8587: \"$ac_try\"") >&5 + { (eval echo "$as_me:8598: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8590: \$? = $ac_status" >&5 + echo "$as_me:8601: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:8593: result: no" >&5 + echo "$as_me:8604: result: no" >&5 echo "${ECHO_T}no" >&6 else @@ -8598,7 +8609,7 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:8601: result: yes" >&5 + echo "$as_me:8612: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define HAVE_STRICT_MKSTEMP 1 @@ -8610,15 +8621,15 @@ fi if test ! -z "$check_for_openpty_ctty_bug"; then - echo "$as_me:8613: checking if openpty correctly handles controlling tty" >&5 + echo "$as_me:8624: checking if openpty correctly handles controlling tty" >&5 echo $ECHO_N "checking if openpty correctly handles controlling tty... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:8616: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:8627: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 8621 "configure" +#line 8632 "configure" #include "confdefs.h" #include 
@@ -8655,18 +8666,18 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:8658: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8669: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8661: \$? = $ac_status" >&5 + echo "$as_me:8672: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:8663: \"$ac_try\"") >&5 + { (eval echo "$as_me:8674: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8666: \$? = $ac_status" >&5 + echo "$as_me:8677: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:8669: result: yes" >&5 + echo "$as_me:8680: result: yes" >&5 echo "${ECHO_T}yes" >&6 else @@ -8674,7 +8685,7 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:8677: result: no" >&5 + echo "$as_me:8688: result: no" >&5 echo "${ECHO_T}no" >&6 cat >>confdefs.h <<\EOF #define SSHD_ACQUIRES_CTTY 1 @@ -8685,14 +8696,14 @@ fi fi -echo "$as_me:8688: checking whether getpgrp takes no argument" >&5 +echo "$as_me:8699: checking whether getpgrp takes no argument" >&5 echo $ECHO_N "checking whether getpgrp takes no argument... $ECHO_C" >&6 if test "${ac_cv_func_getpgrp_void+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else # Use it with a single arg. cat >conftest.$ac_ext <<_ACEOF -#line 8695 "configure" +#line 8706 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -8704,16 +8715,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:8707: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:8718: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:8710: \$? = $ac_status" >&5 + echo "$as_me:8721: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:8713: \"$ac_try\"") >&5 + { (eval echo "$as_me:8724: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8716: \$? = $ac_status" >&5 + echo "$as_me:8727: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_func_getpgrp_1=yes else @@ -8724,7 +8735,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext # Use it with no arg. cat >conftest.$ac_ext <<_ACEOF -#line 8727 "configure" +#line 8738 "configure" #include "confdefs.h" $ac_includes_default int @@ -8736,16 +8747,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:8739: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:8750: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:8742: \$? = $ac_status" >&5 + echo "$as_me:8753: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:8745: \"$ac_try\"") >&5 + { (eval echo "$as_me:8756: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8748: \$? = $ac_status" >&5 + echo "$as_me:8759: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_func_getpgrp_0=yes else @@ -8759,12 +8770,12 @@ yes:no) ac_cv_func_getpgrp_void=yes;; no:yes) ac_cv_func_getpgrp_void=false;; *) if test "$cross_compiling" = yes; then - { { echo "$as_me:8762: error: cannot check getpgrp if cross compiling" >&5 + { { echo "$as_me:8773: error: cannot check getpgrp if cross compiling" >&5 echo "$as_me: error: cannot check getpgrp if cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 8767 "configure" +#line 8778 "configure" #include "confdefs.h" $ac_includes_default 
@@ -8818,15 +8829,15 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:8821: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8832: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8824: \$? = $ac_status" >&5 + echo "$as_me:8835: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:8826: \"$ac_try\"") >&5 + { (eval echo "$as_me:8837: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8829: \$? = $ac_status" >&5 + echo "$as_me:8840: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_func_getpgrp_void=yes else @@ -8840,7 +8851,7 @@ esac # $ac_func_getpgrp_0:$ac_func_getpgrp_1 fi -echo "$as_me:8843: result: $ac_cv_func_getpgrp_void" >&5 +echo "$as_me:8854: result: $ac_cv_func_getpgrp_void" >&5 echo "${ECHO_T}$ac_cv_func_getpgrp_void" >&6 if test $ac_cv_func_getpgrp_void = yes; then @@ -8860,12 +8871,12 @@ if test "x$withval" != "xno" ; then if test "x$ac_cv_header_security_pam_appl_h" != "xyes" && \ test "x$ac_cv_header_pam_pam_appl_h" != "xyes" ; then - { { echo "$as_me:8863: error: PAM headers not found" >&5 + { { echo "$as_me:8874: error: PAM headers not found" >&5 echo "$as_me: error: PAM headers not found" >&2;} { (exit 1); exit 1; }; } fi -echo "$as_me:8868: checking for dlopen in -ldl" >&5 +echo "$as_me:8879: checking for dlopen in -ldl" >&5 echo $ECHO_N "checking for dlopen in -ldl... $ECHO_C" >&6 if test "${ac_cv_lib_dl_dlopen+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -8873,7 +8884,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-ldl $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 8876 "configure" +#line 8887 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -8892,16 +8903,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8895: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8906: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8898: \$? = $ac_status" >&5 + echo "$as_me:8909: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8901: \"$ac_try\"") >&5 + { (eval echo "$as_me:8912: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8904: \$? = $ac_status" >&5 + echo "$as_me:8915: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_dl_dlopen=yes else @@ -8912,7 +8923,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:8915: result: $ac_cv_lib_dl_dlopen" >&5 +echo "$as_me:8926: result: $ac_cv_lib_dl_dlopen" >&5 echo "${ECHO_T}$ac_cv_lib_dl_dlopen" >&6 if test $ac_cv_lib_dl_dlopen = yes; then cat >>confdefs.h <&5 +echo "$as_me:8937: checking for pam_set_item in -lpam" >&5 echo $ECHO_N "checking for pam_set_item in -lpam... $ECHO_C" >&6 if test "${ac_cv_lib_pam_pam_set_item+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -8931,7 +8942,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lpam $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 8934 "configure" +#line 8945 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -8950,16 +8961,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:8953: \"$ac_link\"") >&5 +if { (eval echo "$as_me:8964: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:8956: \$? = $ac_status" >&5 + echo "$as_me:8967: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:8959: \"$ac_try\"") >&5 + { (eval echo "$as_me:8970: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:8962: \$? = $ac_status" >&5 + echo "$as_me:8973: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_pam_pam_set_item=yes else @@ -8970,7 +8981,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:8973: result: $ac_cv_lib_pam_pam_set_item" >&5 +echo "$as_me:8984: result: $ac_cv_lib_pam_pam_set_item" >&5 echo "${ECHO_T}$ac_cv_lib_pam_pam_set_item" >&6 if test $ac_cv_lib_pam_pam_set_item = yes; then cat >>confdefs.h <&5 + { { echo "$as_me:8994: error: *** libpam missing" >&5 echo "$as_me: error: *** libpam missing" >&2;} { (exit 1); exit 1; }; } fi @@ -8988,13 +8999,13 @@ for ac_func in pam_getenvlist do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:8991: checking for $ac_func" >&5 +echo "$as_me:9002: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 8997 "configure" +#line 9008 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -9025,16 +9036,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9028: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9039: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9031: \$? = $ac_status" >&5 + echo "$as_me:9042: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9034: \"$ac_try\"") >&5 + { (eval echo "$as_me:9045: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9037: \$? = $ac_status" >&5 + echo "$as_me:9048: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -9044,7 +9055,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:9047: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:9058: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:9071: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 9066 "configure" +#line 9077 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ 
@@ -9094,16 +9105,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9097: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9108: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9100: \$? = $ac_status" >&5 + echo "$as_me:9111: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9103: \"$ac_try\"") >&5 + { (eval echo "$as_me:9114: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9106: \$? = $ac_status" >&5 + echo "$as_me:9117: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -9113,7 +9124,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:9116: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:9127: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 + echo "$as_me:9156: checking whether pam_strerror takes only one argument" >&5 echo $ECHO_N "checking whether pam_strerror takes only one argument... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 9148 "configure" +#line 9159 "configure" #include "confdefs.h" #include @@ -9164,18 +9175,18 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:9167: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:9178: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:9170: \$? = $ac_status" >&5 + echo "$as_me:9181: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:9173: \"$ac_try\"") >&5 + { (eval echo "$as_me:9184: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9176: \$? = $ac_status" >&5 + echo "$as_me:9187: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:9178: result: no" >&5 + echo "$as_me:9189: result: no" >&5 echo "${ECHO_T}no" >&6 else echo "$as_me: failed program was:" >&5 
@@ -9185,7 +9196,7 @@ #define HAVE_OLD_PAM 1 EOF - echo "$as_me:9188: result: yes" >&5 + echo "$as_me:9199: result: yes" >&5 echo "${ECHO_T}yes" >&6 PAM_MSG="yes (old library)" @@ -9225,7 +9236,7 @@ fi; LIBS="-lcrypto $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 9228 "configure" +#line 9239 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -9244,16 +9255,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9247: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9258: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9250: \$? = $ac_status" >&5 + echo "$as_me:9261: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9253: \"$ac_try\"") >&5 + { (eval echo "$as_me:9264: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9256: \$? = $ac_status" >&5 + echo "$as_me:9267: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF #define HAVE_OPENSSL 1 @@ -9270,7 +9281,7 @@ fi CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" cat >conftest.$ac_ext <<_ACEOF -#line 9273 "configure" +#line 9284 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -9289,16 +9300,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9292: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9303: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9295: \$? = $ac_status" >&5 + echo "$as_me:9306: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9298: \"$ac_try\"") >&5 + { (eval echo "$as_me:9309: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9301: \$? = $ac_status" >&5 + echo "$as_me:9312: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF #define HAVE_OPENSSL 1 
@@ -9308,7 +9319,7 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - { { echo "$as_me:9311: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***" >&5 + { { echo "$as_me:9322: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***" >&5 echo "$as_me: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***" >&2;} { (exit 1); exit 1; }; } @@ -9319,15 +9330,15 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext # Determine OpenSSL header version -echo "$as_me:9322: checking OpenSSL header version" >&5 +echo "$as_me:9333: checking OpenSSL header version" >&5 echo $ECHO_N "checking OpenSSL header version... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:9325: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:9336: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 9330 "configure" +#line 9341 "configure" #include "confdefs.h" #include @@ -9350,19 +9361,19 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:9353: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9364: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9356: \$? = $ac_status" >&5 + echo "$as_me:9367: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:9358: \"$ac_try\"") >&5 + { (eval echo "$as_me:9369: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9361: \$? = $ac_status" >&5 + echo "$as_me:9372: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ssl_header_ver=`cat conftest.sslincver` - echo "$as_me:9365: result: $ssl_header_ver" >&5 + echo "$as_me:9376: result: $ssl_header_ver" >&5 echo "${ECHO_T}$ssl_header_ver" >&6 else 
@@ -9370,9 +9381,9 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:9373: result: not found" >&5 + echo "$as_me:9384: result: not found" >&5 echo "${ECHO_T}not found" >&6 - { { echo "$as_me:9375: error: OpenSSL version header not found." >&5 + { { echo "$as_me:9386: error: OpenSSL version header not found." >&5 echo "$as_me: error: OpenSSL version header not found." >&2;} { (exit 1); exit 1; }; } @@ -9381,15 +9392,15 @@ fi # Determine OpenSSL library version -echo "$as_me:9384: checking OpenSSL library version" >&5 +echo "$as_me:9395: checking OpenSSL library version" >&5 echo $ECHO_N "checking OpenSSL library version... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:9387: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:9398: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 9392 "configure" +#line 9403 "configure" #include "confdefs.h" #include @@ -9413,19 +9424,19 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:9416: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9427: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9419: \$? = $ac_status" >&5 + echo "$as_me:9430: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:9421: \"$ac_try\"") >&5 + { (eval echo "$as_me:9432: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9424: \$? = $ac_status" >&5 + echo "$as_me:9435: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ssl_library_ver=`cat conftest.ssllibver` - echo "$as_me:9428: result: $ssl_library_ver" >&5 + echo "$as_me:9439: result: $ssl_library_ver" >&5 echo "${ECHO_T}$ssl_library_ver" >&6 else 
@@ -9433,9 +9444,9 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:9436: result: not found" >&5 + echo "$as_me:9447: result: not found" >&5 echo "${ECHO_T}not found" >&6 - { { echo "$as_me:9438: error: OpenSSL library not found." >&5 + { { echo "$as_me:9449: error: OpenSSL library not found." >&5 echo "$as_me: error: OpenSSL library not found." >&2;} { (exit 1); exit 1; }; } @@ -9444,15 +9455,15 @@ fi # Sanity check OpenSSL headers -echo "$as_me:9447: checking whether OpenSSL's headers match the library" >&5 +echo "$as_me:9458: checking whether OpenSSL's headers match the library" >&5 echo $ECHO_N "checking whether OpenSSL's headers match the library... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:9450: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:9461: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 9455 "configure" +#line 9466 "configure" #include "confdefs.h" #include @@ -9461,18 +9472,18 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:9464: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9475: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9467: \$? = $ac_status" >&5 + echo "$as_me:9478: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:9469: \"$ac_try\"") >&5 + { (eval echo "$as_me:9480: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9472: \$? = $ac_status" >&5 + echo "$as_me:9483: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:9475: result: yes" >&5 + echo "$as_me:9486: result: yes" >&5 echo "${ECHO_T}yes" >&6 else 
@@ -9480,9 +9491,9 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:9483: result: no" >&5 + echo "$as_me:9494: result: no" >&5 echo "${ECHO_T}no" >&6 - { { echo "$as_me:9485: error: Your OpenSSL headers do not match your library. + { { echo "$as_me:9496: error: Your OpenSSL headers do not match your library. Check config.log for details. Also see contrib/findssl.sh for help identifying header/library mismatches." >&5 echo "$as_me: error: Your OpenSSL headers do not match your library. @@ -9498,7 +9509,7 @@ # because the system crypt() is more featureful. if test "x$check_for_libcrypt_before" = "x1"; then -echo "$as_me:9501: checking for crypt in -lcrypt" >&5 +echo "$as_me:9512: checking for crypt in -lcrypt" >&5 echo $ECHO_N "checking for crypt in -lcrypt... $ECHO_C" >&6 if test "${ac_cv_lib_crypt_crypt+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -9506,7 +9517,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lcrypt $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 9509 "configure" +#line 9520 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -9525,16 +9536,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9528: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9539: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9531: \$? = $ac_status" >&5 + echo "$as_me:9542: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9534: \"$ac_try\"") >&5 + { (eval echo "$as_me:9545: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9537: \$? = $ac_status" >&5 + echo "$as_me:9548: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_crypt_crypt=yes else 
@@ -9545,7 +9556,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:9548: result: $ac_cv_lib_crypt_crypt" >&5 +echo "$as_me:9559: result: $ac_cv_lib_crypt_crypt" >&5 echo "${ECHO_T}$ac_cv_lib_crypt_crypt" >&6 if test $ac_cv_lib_crypt_crypt = yes; then cat >>confdefs.h <&5 + echo "$as_me:9575: checking for crypt in -lcrypt" >&5 echo $ECHO_N "checking for crypt in -lcrypt... $ECHO_C" >&6 if test "${ac_cv_lib_crypt_crypt+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -9569,7 +9580,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lcrypt $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 9572 "configure" +#line 9583 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -9588,16 +9599,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:9591: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9602: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9594: \$? = $ac_status" >&5 + echo "$as_me:9605: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:9597: \"$ac_try\"") >&5 + { (eval echo "$as_me:9608: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9600: \$? = $ac_status" >&5 + echo "$as_me:9611: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_crypt_crypt=yes else @@ -9608,7 +9619,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:9611: result: $ac_cv_lib_crypt_crypt" >&5 +echo "$as_me:9622: result: $ac_cv_lib_crypt_crypt" >&5 echo "${ECHO_T}$ac_cv_lib_crypt_crypt" >&6 if test $ac_cv_lib_crypt_crypt = yes; then LIBS="$LIBS -lcrypt" 
@@ -9619,15 +9630,15 @@ ### Configure cryptographic random number support # Check wheter OpenSSL seeds itself -echo "$as_me:9622: checking whether OpenSSL's PRNG is internally seeded" >&5 +echo "$as_me:9633: checking whether OpenSSL's PRNG is internally seeded" >&5 echo $ECHO_N "checking whether OpenSSL's PRNG is internally seeded... $ECHO_C" >&6 if test "$cross_compiling" = yes; then - { { echo "$as_me:9625: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:9636: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 9630 "configure" +#line 9641 "configure" #include "confdefs.h" #include @@ -9636,19 +9647,19 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:9639: \"$ac_link\"") >&5 +if { (eval echo "$as_me:9650: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:9642: \$? = $ac_status" >&5 + echo "$as_me:9653: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:9644: \"$ac_try\"") >&5 + { (eval echo "$as_me:9655: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:9647: \$? = $ac_status" >&5 + echo "$as_me:9658: \$? = $ac_status" >&5 (exit $ac_status); }; }; then OPENSSL_SEEDS_ITSELF=yes - echo "$as_me:9651: result: yes" >&5 + echo "$as_me:9662: result: yes" >&5 echo "${ECHO_T}yes" >&6 else @@ -9656,7 +9667,7 @@ echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:9659: result: no" >&5 + echo "$as_me:9670: result: no" >&5 echo "${ECHO_T}no" >&6 # Default to use of the rand helper if OpenSSL doesn't # seed itself 
@@ -9676,7 +9687,7 @@ # Force use of OpenSSL's internal RNG, even if # the previous test showed it to be unseeded. if test -z "$OPENSSL_SEEDS_ITSELF" ; then - { echo "$as_me:9679: WARNING: *** Forcing use of OpenSSL's non-self-seeding PRNG" >&5 + { echo "$as_me:9690: WARNING: *** Forcing use of OpenSSL's non-self-seeding PRNG" >&5 echo "$as_me: WARNING: *** Forcing use of OpenSSL's non-self-seeding PRNG" >&2;} OPENSSL_SEEDS_ITSELF=yes USE_RAND_HELPER="" @@ -9717,7 +9728,7 @@ [0-9]*) ;; *) - { { echo "$as_me:9720: error: You must specify a numeric port number for --with-prngd-port" >&5 + { { echo "$as_me:9731: error: You must specify a numeric port number for --with-prngd-port" >&5 echo "$as_me: error: You must specify a numeric port number for --with-prngd-port" >&2;} { (exit 1); exit 1; }; } ;; @@ -9748,7 +9759,7 @@ /*) ;; *) - { { echo "$as_me:9751: error: You must specify an absolute path to the entropy socket" >&5 + { { echo "$as_me:9762: error: You must specify an absolute path to the entropy socket" >&5 echo "$as_me: error: You must specify an absolute path to the entropy socket" >&2;} { (exit 1); exit 1; }; } ;; @@ -9756,12 +9767,12 @@ if test ! -z "$withval" ; then if test ! -z "$PRNGD_PORT" ; then - { { echo "$as_me:9759: error: You may not specify both a PRNGD/EGD port and socket" >&5 + { { echo "$as_me:9770: error: You may not specify both a PRNGD/EGD port and socket" >&5 echo "$as_me: error: You may not specify both a PRNGD/EGD port and socket" >&2;} { (exit 1); exit 1; }; } fi if test ! -r "$withval" ; then - { echo "$as_me:9764: WARNING: Entropy socket is not readable" >&5 + { echo "$as_me:9775: WARNING: Entropy socket is not readable" >&5 echo "$as_me: WARNING: Entropy socket is not readable" >&2;} fi PRNGD_SOCKET="$withval" 
@@ -9775,7 +9786,7 @@ # Check for existing socket only if we don't have a random device already if test "$USE_RAND_HELPER" = yes ; then - echo "$as_me:9778: checking for PRNGD/EGD socket" >&5 + echo "$as_me:9789: checking for PRNGD/EGD socket" >&5 echo $ECHO_N "checking for PRNGD/EGD socket... $ECHO_C" >&6 # Insert other locations here for sock in /var/run/egd-pool /dev/egd-pool /etc/entropy; do @@ -9789,10 +9800,10 @@ fi done if test ! -z "$PRNGD_SOCKET" ; then - echo "$as_me:9792: result: $PRNGD_SOCKET" >&5 + echo "$as_me:9803: result: $PRNGD_SOCKET" >&5 echo "${ECHO_T}$PRNGD_SOCKET" >&6 else - echo "$as_me:9795: result: not found" >&5 + echo "$as_me:9806: result: not found" >&5 echo "${ECHO_T}not found" >&6 fi fi @@ -9848,7 +9859,7 @@ # Extract the first word of "ls", so it can be a program name with args. set dummy ls; ac_word=$2 -echo "$as_me:9851: checking for $ac_word" >&5 +echo "$as_me:9862: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_LS+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -9865,7 +9876,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_LS="$ac_dir/$ac_word" - echo "$as_me:9868: found $ac_dir/$ac_word" >&5 + echo "$as_me:9879: found $ac_dir/$ac_word" >&5 break fi done @@ -9876,10 +9887,10 @@ PROG_LS=$ac_cv_path_PROG_LS if test -n "$PROG_LS"; then - echo "$as_me:9879: result: $PROG_LS" >&5 + echo "$as_me:9890: result: $PROG_LS" >&5 echo "${ECHO_T}$PROG_LS" >&6 else - echo "$as_me:9882: result: no" >&5 + echo "$as_me:9893: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -9889,7 +9900,7 @@ # Extract the first word of "netstat", so it can be a program name with args. set dummy netstat; ac_word=$2 -echo "$as_me:9892: checking for $ac_word" >&5 +echo "$as_me:9903: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_NETSTAT+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -9906,7 +9917,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_NETSTAT="$ac_dir/$ac_word" - echo "$as_me:9909: found $ac_dir/$ac_word" >&5 + echo "$as_me:9920: found $ac_dir/$ac_word" >&5 break fi done @@ -9917,10 +9928,10 @@ PROG_NETSTAT=$ac_cv_path_PROG_NETSTAT if test -n "$PROG_NETSTAT"; then - echo "$as_me:9920: result: $PROG_NETSTAT" >&5 + echo "$as_me:9931: result: $PROG_NETSTAT" >&5 echo "${ECHO_T}$PROG_NETSTAT" >&6 else - echo "$as_me:9923: result: no" >&5 + echo "$as_me:9934: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -9930,7 +9941,7 @@ # Extract the first word of "arp", so it can be a program name with args. set dummy arp; ac_word=$2 -echo "$as_me:9933: checking for $ac_word" >&5 +echo "$as_me:9944: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_ARP+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -9947,7 +9958,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_ARP="$ac_dir/$ac_word" - echo "$as_me:9950: found $ac_dir/$ac_word" >&5 + echo "$as_me:9961: found $ac_dir/$ac_word" >&5 break fi done @@ -9958,10 +9969,10 @@ PROG_ARP=$ac_cv_path_PROG_ARP if test -n "$PROG_ARP"; then - echo "$as_me:9961: result: $PROG_ARP" >&5 + echo "$as_me:9972: result: $PROG_ARP" >&5 echo "${ECHO_T}$PROG_ARP" >&6 else - echo "$as_me:9964: result: no" >&5 + echo "$as_me:9975: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -9971,7 +9982,7 @@ # Extract the first word of "ifconfig", so it can be a program name with args. set dummy ifconfig; ac_word=$2 -echo "$as_me:9974: checking for $ac_word" >&5 +echo "$as_me:9985: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_IFCONFIG+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -9988,7 +9999,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_IFCONFIG="$ac_dir/$ac_word" - echo "$as_me:9991: found $ac_dir/$ac_word" >&5 + echo "$as_me:10002: found $ac_dir/$ac_word" >&5 break fi done @@ -9999,10 +10010,10 @@ PROG_IFCONFIG=$ac_cv_path_PROG_IFCONFIG if test -n "$PROG_IFCONFIG"; then - echo "$as_me:10002: result: $PROG_IFCONFIG" >&5 + echo "$as_me:10013: result: $PROG_IFCONFIG" >&5 echo "${ECHO_T}$PROG_IFCONFIG" >&6 else - echo "$as_me:10005: result: no" >&5 + echo "$as_me:10016: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10012,7 +10023,7 @@ # Extract the first word of "jstat", so it can be a program name with args. set dummy jstat; ac_word=$2 -echo "$as_me:10015: checking for $ac_word" >&5 +echo "$as_me:10026: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_JSTAT+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -10029,7 +10040,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_JSTAT="$ac_dir/$ac_word" - echo "$as_me:10032: found $ac_dir/$ac_word" >&5 + echo "$as_me:10043: found $ac_dir/$ac_word" >&5 break fi done @@ -10040,10 +10051,10 @@ PROG_JSTAT=$ac_cv_path_PROG_JSTAT if test -n "$PROG_JSTAT"; then - echo "$as_me:10043: result: $PROG_JSTAT" >&5 + echo "$as_me:10054: result: $PROG_JSTAT" >&5 echo "${ECHO_T}$PROG_JSTAT" >&6 else - echo "$as_me:10046: result: no" >&5 + echo "$as_me:10057: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10053,7 +10064,7 @@ # Extract the first word of "ps", so it can be a program name with args. set dummy ps; ac_word=$2 -echo "$as_me:10056: checking for $ac_word" >&5 +echo "$as_me:10067: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_PS+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -10070,7 +10081,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_PS="$ac_dir/$ac_word" - echo "$as_me:10073: found $ac_dir/$ac_word" >&5 + echo "$as_me:10084: found $ac_dir/$ac_word" >&5 break fi done @@ -10081,10 +10092,10 @@ PROG_PS=$ac_cv_path_PROG_PS if test -n "$PROG_PS"; then - echo "$as_me:10084: result: $PROG_PS" >&5 + echo "$as_me:10095: result: $PROG_PS" >&5 echo "${ECHO_T}$PROG_PS" >&6 else - echo "$as_me:10087: result: no" >&5 + echo "$as_me:10098: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10094,7 +10105,7 @@ # Extract the first word of "sar", so it can be a program name with args. set dummy sar; ac_word=$2 -echo "$as_me:10097: checking for $ac_word" >&5 +echo "$as_me:10108: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_SAR+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -10111,7 +10122,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_SAR="$ac_dir/$ac_word" - echo "$as_me:10114: found $ac_dir/$ac_word" >&5 + echo "$as_me:10125: found $ac_dir/$ac_word" >&5 break fi done @@ -10122,10 +10133,10 @@ PROG_SAR=$ac_cv_path_PROG_SAR if test -n "$PROG_SAR"; then - echo "$as_me:10125: result: $PROG_SAR" >&5 + echo "$as_me:10136: result: $PROG_SAR" >&5 echo "${ECHO_T}$PROG_SAR" >&6 else - echo "$as_me:10128: result: no" >&5 + echo "$as_me:10139: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10135,7 +10146,7 @@ # Extract the first word of "w", so it can be a program name with args. set dummy w; ac_word=$2 -echo "$as_me:10138: checking for $ac_word" >&5 +echo "$as_me:10149: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_W+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -10152,7 +10163,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_W="$ac_dir/$ac_word" - echo "$as_me:10155: found $ac_dir/$ac_word" >&5 + echo "$as_me:10166: found $ac_dir/$ac_word" >&5 break fi done @@ -10163,10 +10174,10 @@ PROG_W=$ac_cv_path_PROG_W if test -n "$PROG_W"; then - echo "$as_me:10166: result: $PROG_W" >&5 + echo "$as_me:10177: result: $PROG_W" >&5 echo "${ECHO_T}$PROG_W" >&6 else - echo "$as_me:10169: result: no" >&5 + echo "$as_me:10180: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10176,7 +10187,7 @@ # Extract the first word of "who", so it can be a program name with args. set dummy who; ac_word=$2 -echo "$as_me:10179: checking for $ac_word" >&5 +echo "$as_me:10190: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_WHO+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -10193,7 +10204,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_WHO="$ac_dir/$ac_word" - echo "$as_me:10196: found $ac_dir/$ac_word" >&5 + echo "$as_me:10207: found $ac_dir/$ac_word" >&5 break fi done @@ -10204,10 +10215,10 @@ PROG_WHO=$ac_cv_path_PROG_WHO if test -n "$PROG_WHO"; then - echo "$as_me:10207: result: $PROG_WHO" >&5 + echo "$as_me:10218: result: $PROG_WHO" >&5 echo "${ECHO_T}$PROG_WHO" >&6 else - echo "$as_me:10210: result: no" >&5 + echo "$as_me:10221: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10217,7 +10228,7 @@ # Extract the first word of "last", so it can be a program name with args. set dummy last; ac_word=$2 -echo "$as_me:10220: checking for $ac_word" >&5 +echo "$as_me:10231: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_LAST+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -10234,7 +10245,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_LAST="$ac_dir/$ac_word" - echo "$as_me:10237: found $ac_dir/$ac_word" >&5 + echo "$as_me:10248: found $ac_dir/$ac_word" >&5 break fi done @@ -10245,10 +10256,10 @@ PROG_LAST=$ac_cv_path_PROG_LAST if test -n "$PROG_LAST"; then - echo "$as_me:10248: result: $PROG_LAST" >&5 + echo "$as_me:10259: result: $PROG_LAST" >&5 echo "${ECHO_T}$PROG_LAST" >&6 else - echo "$as_me:10251: result: no" >&5 + echo "$as_me:10262: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10258,7 +10269,7 @@ # Extract the first word of "lastlog", so it can be a program name with args. set dummy lastlog; ac_word=$2 -echo "$as_me:10261: checking for $ac_word" >&5 +echo "$as_me:10272: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_LASTLOG+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -10275,7 +10286,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_LASTLOG="$ac_dir/$ac_word" - echo "$as_me:10278: found $ac_dir/$ac_word" >&5 + echo "$as_me:10289: found $ac_dir/$ac_word" >&5 break fi done @@ -10286,10 +10297,10 @@ PROG_LASTLOG=$ac_cv_path_PROG_LASTLOG if test -n "$PROG_LASTLOG"; then - echo "$as_me:10289: result: $PROG_LASTLOG" >&5 + echo "$as_me:10300: result: $PROG_LASTLOG" >&5 echo "${ECHO_T}$PROG_LASTLOG" >&6 else - echo "$as_me:10292: result: no" >&5 + echo "$as_me:10303: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10299,7 +10310,7 @@ # Extract the first word of "df", so it can be a program name with args. set dummy df; ac_word=$2 -echo "$as_me:10302: checking for $ac_word" >&5 +echo "$as_me:10313: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_DF+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -10316,7 +10327,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_DF="$ac_dir/$ac_word" - echo "$as_me:10319: found $ac_dir/$ac_word" >&5 + echo "$as_me:10330: found $ac_dir/$ac_word" >&5 break fi done @@ -10327,10 +10338,10 @@ PROG_DF=$ac_cv_path_PROG_DF if test -n "$PROG_DF"; then - echo "$as_me:10330: result: $PROG_DF" >&5 + echo "$as_me:10341: result: $PROG_DF" >&5 echo "${ECHO_T}$PROG_DF" >&6 else - echo "$as_me:10333: result: no" >&5 + echo "$as_me:10344: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10340,7 +10351,7 @@ # Extract the first word of "vmstat", so it can be a program name with args. set dummy vmstat; ac_word=$2 -echo "$as_me:10343: checking for $ac_word" >&5 +echo "$as_me:10354: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_VMSTAT+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -10357,7 +10368,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_VMSTAT="$ac_dir/$ac_word" - echo "$as_me:10360: found $ac_dir/$ac_word" >&5 + echo "$as_me:10371: found $ac_dir/$ac_word" >&5 break fi done @@ -10368,10 +10379,10 @@ PROG_VMSTAT=$ac_cv_path_PROG_VMSTAT if test -n "$PROG_VMSTAT"; then - echo "$as_me:10371: result: $PROG_VMSTAT" >&5 + echo "$as_me:10382: result: $PROG_VMSTAT" >&5 echo "${ECHO_T}$PROG_VMSTAT" >&6 else - echo "$as_me:10374: result: no" >&5 + echo "$as_me:10385: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10381,7 +10392,7 @@ # Extract the first word of "uptime", so it can be a program name with args. set dummy uptime; ac_word=$2 -echo "$as_me:10384: checking for $ac_word" >&5 +echo "$as_me:10395: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_UPTIME+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -10398,7 +10409,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_UPTIME="$ac_dir/$ac_word" - echo "$as_me:10401: found $ac_dir/$ac_word" >&5 + echo "$as_me:10412: found $ac_dir/$ac_word" >&5 break fi done @@ -10409,10 +10420,10 @@ PROG_UPTIME=$ac_cv_path_PROG_UPTIME if test -n "$PROG_UPTIME"; then - echo "$as_me:10412: result: $PROG_UPTIME" >&5 + echo "$as_me:10423: result: $PROG_UPTIME" >&5 echo "${ECHO_T}$PROG_UPTIME" >&6 else - echo "$as_me:10415: result: no" >&5 + echo "$as_me:10426: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10422,7 +10433,7 @@ # Extract the first word of "ipcs", so it can be a program name with args. set dummy ipcs; ac_word=$2 -echo "$as_me:10425: checking for $ac_word" >&5 +echo "$as_me:10436: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_IPCS+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -10439,7 +10450,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_IPCS="$ac_dir/$ac_word" - echo "$as_me:10442: found $ac_dir/$ac_word" >&5 + echo "$as_me:10453: found $ac_dir/$ac_word" >&5 break fi done @@ -10450,10 +10461,10 @@ PROG_IPCS=$ac_cv_path_PROG_IPCS if test -n "$PROG_IPCS"; then - echo "$as_me:10453: result: $PROG_IPCS" >&5 + echo "$as_me:10464: result: $PROG_IPCS" >&5 echo "${ECHO_T}$PROG_IPCS" >&6 else - echo "$as_me:10456: result: no" >&5 + echo "$as_me:10467: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10463,7 +10474,7 @@ # Extract the first word of "tail", so it can be a program name with args. set dummy tail; ac_word=$2 -echo "$as_me:10466: checking for $ac_word" >&5 +echo "$as_me:10477: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_PROG_TAIL+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -10480,7 +10491,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_PROG_TAIL="$ac_dir/$ac_word" - echo "$as_me:10483: found $ac_dir/$ac_word" >&5 + echo "$as_me:10494: found $ac_dir/$ac_word" >&5 break fi done @@ -10491,10 +10502,10 @@ PROG_TAIL=$ac_cv_path_PROG_TAIL if test -n "$PROG_TAIL"; then - echo "$as_me:10494: result: $PROG_TAIL" >&5 + echo "$as_me:10505: result: $PROG_TAIL" >&5 echo "${ECHO_T}$PROG_TAIL" >&6 else - echo "$as_me:10497: result: no" >&5 + echo "$as_me:10508: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -10525,13 +10536,13 @@ fi # Checks for data types -echo "$as_me:10528: checking for char" >&5 +echo "$as_me:10539: checking for char" >&5 echo $ECHO_N "checking for char... $ECHO_C" >&6 if test "${ac_cv_type_char+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 10534 "configure" +#line 10545 "configure" #include "confdefs.h" $ac_includes_default int @@ -10546,16 +10557,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10549: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10560: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10552: \$? = $ac_status" >&5 + echo "$as_me:10563: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10555: \"$ac_try\"") >&5 + { (eval echo "$as_me:10566: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10558: \$? = $ac_status" >&5 + echo "$as_me:10569: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_type_char=yes else 
@@ -10565,10 +10576,10 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:10568: result: $ac_cv_type_char" >&5 +echo "$as_me:10579: result: $ac_cv_type_char" >&5 echo "${ECHO_T}$ac_cv_type_char" >&6 -echo "$as_me:10571: checking size of char" >&5 +echo "$as_me:10582: checking size of char" >&5 echo $ECHO_N "checking size of char... $ECHO_C" >&6 if test "${ac_cv_sizeof_char+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -10577,7 +10588,7 @@ if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat >conftest.$ac_ext <<_ACEOF -#line 10580 "configure" +#line 10591 "configure" #include "confdefs.h" $ac_includes_default int @@ -10589,21 +10600,21 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10592: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10603: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10595: \$? = $ac_status" >&5 + echo "$as_me:10606: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10598: \"$ac_try\"") >&5 + { (eval echo "$as_me:10609: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10601: \$? = $ac_status" >&5 + echo "$as_me:10612: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=0 ac_mid=0 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 10606 "configure" +#line 10617 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -10615,16 +10626,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10618: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10629: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10621: \$? = $ac_status" >&5 + echo "$as_me:10632: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10624: \"$ac_try\"") >&5 + { (eval echo "$as_me:10635: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10627: \$? = $ac_status" >&5 + echo "$as_me:10638: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid; break else @@ -10640,7 +10651,7 @@ ac_hi=-1 ac_mid=-1 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 10643 "configure" +#line 10654 "configure" #include "confdefs.h" $ac_includes_default int @@ -10652,16 +10663,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10655: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10666: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10658: \$? = $ac_status" >&5 + echo "$as_me:10669: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10661: \"$ac_try\"") >&5 + { (eval echo "$as_me:10672: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10664: \$? = $ac_status" >&5 + echo "$as_me:10675: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=$ac_mid; break else @@ -10677,7 +10688,7 @@ while test "x$ac_lo" != "x$ac_hi"; do ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` cat >conftest.$ac_ext <<_ACEOF -#line 10680 "configure" +#line 10691 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -10689,16 +10700,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10692: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10703: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10695: \$? = $ac_status" >&5 + echo "$as_me:10706: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10698: \"$ac_try\"") >&5 + { (eval echo "$as_me:10709: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10701: \$? = $ac_status" >&5 + echo "$as_me:10712: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid else @@ -10711,12 +10722,12 @@ ac_cv_sizeof_char=$ac_lo else if test "$cross_compiling" = yes; then - { { echo "$as_me:10714: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:10725: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 10719 "configure" +#line 10730 "configure" #include "confdefs.h" $ac_includes_default int @@ -10732,15 +10743,15 @@ } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:10735: \"$ac_link\"") >&5 +if { (eval echo "$as_me:10746: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:10738: \$? = $ac_status" >&5 + echo "$as_me:10749: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:10740: \"$ac_try\"") >&5 + { (eval echo "$as_me:10751: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10743: \$? = $ac_status" >&5 + echo "$as_me:10754: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_sizeof_char=`cat conftest.val` else 
@@ -10756,19 +10767,19 @@ ac_cv_sizeof_char=0 fi fi -echo "$as_me:10759: result: $ac_cv_sizeof_char" >&5 +echo "$as_me:10770: result: $ac_cv_sizeof_char" >&5 echo "${ECHO_T}$ac_cv_sizeof_char" >&6 cat >>confdefs.h <&5 +echo "$as_me:10776: checking for short int" >&5 echo $ECHO_N "checking for short int... $ECHO_C" >&6 if test "${ac_cv_type_short_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 10771 "configure" +#line 10782 "configure" #include "confdefs.h" $ac_includes_default int @@ -10783,16 +10794,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10786: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10797: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10789: \$? = $ac_status" >&5 + echo "$as_me:10800: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10792: \"$ac_try\"") >&5 + { (eval echo "$as_me:10803: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10795: \$? = $ac_status" >&5 + echo "$as_me:10806: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_type_short_int=yes else @@ -10802,10 +10813,10 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:10805: result: $ac_cv_type_short_int" >&5 +echo "$as_me:10816: result: $ac_cv_type_short_int" >&5 echo "${ECHO_T}$ac_cv_type_short_int" >&6 -echo "$as_me:10808: checking size of short int" >&5 +echo "$as_me:10819: checking size of short int" >&5 echo $ECHO_N "checking size of short int... $ECHO_C" >&6 if test "${ac_cv_sizeof_short_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -10814,7 +10825,7 @@ if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat >conftest.$ac_ext <<_ACEOF -#line 10817 "configure" +#line 10828 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -10826,21 +10837,21 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10829: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10840: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10832: \$? = $ac_status" >&5 + echo "$as_me:10843: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10835: \"$ac_try\"") >&5 + { (eval echo "$as_me:10846: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10838: \$? = $ac_status" >&5 + echo "$as_me:10849: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=0 ac_mid=0 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 10843 "configure" +#line 10854 "configure" #include "confdefs.h" $ac_includes_default int @@ -10852,16 +10863,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10855: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10866: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10858: \$? = $ac_status" >&5 + echo "$as_me:10869: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10861: \"$ac_try\"") >&5 + { (eval echo "$as_me:10872: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10864: \$? = $ac_status" >&5 + echo "$as_me:10875: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid; break else @@ -10877,7 +10888,7 @@ ac_hi=-1 ac_mid=-1 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 10880 "configure" +#line 10891 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -10889,16 +10900,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10892: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10903: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10895: \$? = $ac_status" >&5 + echo "$as_me:10906: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10898: \"$ac_try\"") >&5 + { (eval echo "$as_me:10909: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10901: \$? = $ac_status" >&5 + echo "$as_me:10912: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=$ac_mid; break else @@ -10914,7 +10925,7 @@ while test "x$ac_lo" != "x$ac_hi"; do ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` cat >conftest.$ac_ext <<_ACEOF -#line 10917 "configure" +#line 10928 "configure" #include "confdefs.h" $ac_includes_default int @@ -10926,16 +10937,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:10929: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:10940: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:10932: \$? = $ac_status" >&5 + echo "$as_me:10943: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:10935: \"$ac_try\"") >&5 + { (eval echo "$as_me:10946: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10938: \$? = $ac_status" >&5 + echo "$as_me:10949: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid else @@ -10948,12 +10959,12 @@ ac_cv_sizeof_short_int=$ac_lo else if test "$cross_compiling" = yes; then - { { echo "$as_me:10951: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:10962: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 10956 "configure" +#line 10967 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -10969,15 +10980,15 @@ } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:10972: \"$ac_link\"") >&5 +if { (eval echo "$as_me:10983: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:10975: \$? = $ac_status" >&5 + echo "$as_me:10986: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:10977: \"$ac_try\"") >&5 + { (eval echo "$as_me:10988: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:10980: \$? = $ac_status" >&5 + echo "$as_me:10991: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_sizeof_short_int=`cat conftest.val` else @@ -10993,19 +11004,19 @@ ac_cv_sizeof_short_int=0 fi fi -echo "$as_me:10996: result: $ac_cv_sizeof_short_int" >&5 +echo "$as_me:11007: result: $ac_cv_sizeof_short_int" >&5 echo "${ECHO_T}$ac_cv_sizeof_short_int" >&6 cat >>confdefs.h <&5 +echo "$as_me:11013: checking for int" >&5 echo $ECHO_N "checking for int... $ECHO_C" >&6 if test "${ac_cv_type_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 11008 "configure" +#line 11019 "configure" #include "confdefs.h" $ac_includes_default int @@ -11020,16 +11031,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11023: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11034: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11026: \$? = $ac_status" >&5 + echo "$as_me:11037: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11029: \"$ac_try\"") >&5 + { (eval echo "$as_me:11040: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11032: \$? = $ac_status" >&5 + echo "$as_me:11043: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_type_int=yes else 
@@ -11039,10 +11050,10 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:11042: result: $ac_cv_type_int" >&5 +echo "$as_me:11053: result: $ac_cv_type_int" >&5 echo "${ECHO_T}$ac_cv_type_int" >&6 -echo "$as_me:11045: checking size of int" >&5 +echo "$as_me:11056: checking size of int" >&5 echo $ECHO_N "checking size of int... $ECHO_C" >&6 if test "${ac_cv_sizeof_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -11051,7 +11062,7 @@ if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat >conftest.$ac_ext <<_ACEOF -#line 11054 "configure" +#line 11065 "configure" #include "confdefs.h" $ac_includes_default int @@ -11063,21 +11074,21 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11066: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11077: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11069: \$? = $ac_status" >&5 + echo "$as_me:11080: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11072: \"$ac_try\"") >&5 + { (eval echo "$as_me:11083: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11075: \$? = $ac_status" >&5 + echo "$as_me:11086: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=0 ac_mid=0 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 11080 "configure" +#line 11091 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -11089,16 +11100,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11092: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11103: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11095: \$? = $ac_status" >&5 + echo "$as_me:11106: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11098: \"$ac_try\"") >&5 + { (eval echo "$as_me:11109: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11101: \$? = $ac_status" >&5 + echo "$as_me:11112: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid; break else @@ -11114,7 +11125,7 @@ ac_hi=-1 ac_mid=-1 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 11117 "configure" +#line 11128 "configure" #include "confdefs.h" $ac_includes_default int @@ -11126,16 +11137,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11129: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11140: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11132: \$? = $ac_status" >&5 + echo "$as_me:11143: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11135: \"$ac_try\"") >&5 + { (eval echo "$as_me:11146: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11138: \$? = $ac_status" >&5 + echo "$as_me:11149: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=$ac_mid; break else @@ -11151,7 +11162,7 @@ while test "x$ac_lo" != "x$ac_hi"; do ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` cat >conftest.$ac_ext <<_ACEOF -#line 11154 "configure" +#line 11165 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -11163,16 +11174,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11166: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11177: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11169: \$? = $ac_status" >&5 + echo "$as_me:11180: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11172: \"$ac_try\"") >&5 + { (eval echo "$as_me:11183: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11175: \$? = $ac_status" >&5 + echo "$as_me:11186: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid else @@ -11185,12 +11196,12 @@ ac_cv_sizeof_int=$ac_lo else if test "$cross_compiling" = yes; then - { { echo "$as_me:11188: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:11199: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 11193 "configure" +#line 11204 "configure" #include "confdefs.h" $ac_includes_default int @@ -11206,15 +11217,15 @@ } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:11209: \"$ac_link\"") >&5 +if { (eval echo "$as_me:11220: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:11212: \$? = $ac_status" >&5 + echo "$as_me:11223: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:11214: \"$ac_try\"") >&5 + { (eval echo "$as_me:11225: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11217: \$? = $ac_status" >&5 + echo "$as_me:11228: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_sizeof_int=`cat conftest.val` else 
@@ -11230,19 +11241,19 @@ ac_cv_sizeof_int=0 fi fi -echo "$as_me:11233: result: $ac_cv_sizeof_int" >&5 +echo "$as_me:11244: result: $ac_cv_sizeof_int" >&5 echo "${ECHO_T}$ac_cv_sizeof_int" >&6 cat >>confdefs.h <&5 +echo "$as_me:11250: checking for long int" >&5 echo $ECHO_N "checking for long int... $ECHO_C" >&6 if test "${ac_cv_type_long_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 11245 "configure" +#line 11256 "configure" #include "confdefs.h" $ac_includes_default int @@ -11257,16 +11268,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11260: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11271: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11263: \$? = $ac_status" >&5 + echo "$as_me:11274: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11266: \"$ac_try\"") >&5 + { (eval echo "$as_me:11277: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11269: \$? = $ac_status" >&5 + echo "$as_me:11280: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_type_long_int=yes else @@ -11276,10 +11287,10 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:11279: result: $ac_cv_type_long_int" >&5 +echo "$as_me:11290: result: $ac_cv_type_long_int" >&5 echo "${ECHO_T}$ac_cv_type_long_int" >&6 -echo "$as_me:11282: checking size of long int" >&5 +echo "$as_me:11293: checking size of long int" >&5 echo $ECHO_N "checking size of long int... $ECHO_C" >&6 if test "${ac_cv_sizeof_long_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -11288,7 +11299,7 @@ if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat >conftest.$ac_ext <<_ACEOF -#line 11291 "configure" +#line 11302 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -11300,21 +11311,21 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11303: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11314: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11306: \$? = $ac_status" >&5 + echo "$as_me:11317: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11309: \"$ac_try\"") >&5 + { (eval echo "$as_me:11320: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11312: \$? = $ac_status" >&5 + echo "$as_me:11323: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=0 ac_mid=0 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 11317 "configure" +#line 11328 "configure" #include "confdefs.h" $ac_includes_default int @@ -11326,16 +11337,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11329: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11340: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11332: \$? = $ac_status" >&5 + echo "$as_me:11343: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11335: \"$ac_try\"") >&5 + { (eval echo "$as_me:11346: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11338: \$? = $ac_status" >&5 + echo "$as_me:11349: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid; break else @@ -11351,7 +11362,7 @@ ac_hi=-1 ac_mid=-1 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 11354 "configure" +#line 11365 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -11363,16 +11374,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11366: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11377: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11369: \$? = $ac_status" >&5 + echo "$as_me:11380: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11372: \"$ac_try\"") >&5 + { (eval echo "$as_me:11383: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11375: \$? = $ac_status" >&5 + echo "$as_me:11386: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=$ac_mid; break else @@ -11388,7 +11399,7 @@ while test "x$ac_lo" != "x$ac_hi"; do ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` cat >conftest.$ac_ext <<_ACEOF -#line 11391 "configure" +#line 11402 "configure" #include "confdefs.h" $ac_includes_default int @@ -11400,16 +11411,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11403: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11414: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11406: \$? = $ac_status" >&5 + echo "$as_me:11417: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11409: \"$ac_try\"") >&5 + { (eval echo "$as_me:11420: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11412: \$? = $ac_status" >&5 + echo "$as_me:11423: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid else @@ -11422,12 +11433,12 @@ ac_cv_sizeof_long_int=$ac_lo else if test "$cross_compiling" = yes; then - { { echo "$as_me:11425: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:11436: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 11430 "configure" +#line 11441 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -11443,15 +11454,15 @@ } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:11446: \"$ac_link\"") >&5 +if { (eval echo "$as_me:11457: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:11449: \$? = $ac_status" >&5 + echo "$as_me:11460: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:11451: \"$ac_try\"") >&5 + { (eval echo "$as_me:11462: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11454: \$? = $ac_status" >&5 + echo "$as_me:11465: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_sizeof_long_int=`cat conftest.val` else @@ -11467,19 +11478,19 @@ ac_cv_sizeof_long_int=0 fi fi -echo "$as_me:11470: result: $ac_cv_sizeof_long_int" >&5 +echo "$as_me:11481: result: $ac_cv_sizeof_long_int" >&5 echo "${ECHO_T}$ac_cv_sizeof_long_int" >&6 cat >>confdefs.h <&5 +echo "$as_me:11487: checking for long long int" >&5 echo $ECHO_N "checking for long long int... $ECHO_C" >&6 if test "${ac_cv_type_long_long_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 11482 "configure" +#line 11493 "configure" #include "confdefs.h" $ac_includes_default int @@ -11494,16 +11505,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11497: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11508: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11500: \$? = $ac_status" >&5 + echo "$as_me:11511: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11503: \"$ac_try\"") >&5 + { (eval echo "$as_me:11514: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11506: \$? = $ac_status" >&5 + echo "$as_me:11517: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_type_long_long_int=yes else 
@@ -11513,10 +11524,10 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:11516: result: $ac_cv_type_long_long_int" >&5 +echo "$as_me:11527: result: $ac_cv_type_long_long_int" >&5 echo "${ECHO_T}$ac_cv_type_long_long_int" >&6 -echo "$as_me:11519: checking size of long long int" >&5 +echo "$as_me:11530: checking size of long long int" >&5 echo $ECHO_N "checking size of long long int... $ECHO_C" >&6 if test "${ac_cv_sizeof_long_long_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -11525,7 +11536,7 @@ if test "$cross_compiling" = yes; then # Depending upon the size, compute the lo and hi bounds. cat >conftest.$ac_ext <<_ACEOF -#line 11528 "configure" +#line 11539 "configure" #include "confdefs.h" $ac_includes_default int @@ -11537,21 +11548,21 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11540: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11551: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11543: \$? = $ac_status" >&5 + echo "$as_me:11554: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11546: \"$ac_try\"") >&5 + { (eval echo "$as_me:11557: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11549: \$? = $ac_status" >&5 + echo "$as_me:11560: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=0 ac_mid=0 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 11554 "configure" +#line 11565 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -11563,16 +11574,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11566: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11577: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11569: \$? = $ac_status" >&5 + echo "$as_me:11580: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11572: \"$ac_try\"") >&5 + { (eval echo "$as_me:11583: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11575: \$? = $ac_status" >&5 + echo "$as_me:11586: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid; break else @@ -11588,7 +11599,7 @@ ac_hi=-1 ac_mid=-1 while :; do cat >conftest.$ac_ext <<_ACEOF -#line 11591 "configure" +#line 11602 "configure" #include "confdefs.h" $ac_includes_default int @@ -11600,16 +11611,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11603: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11614: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11606: \$? = $ac_status" >&5 + echo "$as_me:11617: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11609: \"$ac_try\"") >&5 + { (eval echo "$as_me:11620: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11612: \$? = $ac_status" >&5 + echo "$as_me:11623: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_lo=$ac_mid; break else @@ -11625,7 +11636,7 @@ while test "x$ac_lo" != "x$ac_hi"; do ac_mid=`expr '(' $ac_hi - $ac_lo ')' / 2 + $ac_lo` cat >conftest.$ac_ext <<_ACEOF -#line 11628 "configure" +#line 11639 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -11637,16 +11648,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11640: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11651: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11643: \$? = $ac_status" >&5 + echo "$as_me:11654: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11646: \"$ac_try\"") >&5 + { (eval echo "$as_me:11657: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11649: \$? = $ac_status" >&5 + echo "$as_me:11660: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_hi=$ac_mid else @@ -11659,12 +11670,12 @@ ac_cv_sizeof_long_long_int=$ac_lo else if test "$cross_compiling" = yes; then - { { echo "$as_me:11662: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:11673: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 11667 "configure" +#line 11678 "configure" #include "confdefs.h" $ac_includes_default int @@ -11680,15 +11691,15 @@ } _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:11683: \"$ac_link\"") >&5 +if { (eval echo "$as_me:11694: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:11686: \$? = $ac_status" >&5 + echo "$as_me:11697: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:11688: \"$ac_try\"") >&5 + { (eval echo "$as_me:11699: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11691: \$? = $ac_status" >&5 + echo "$as_me:11702: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_sizeof_long_long_int=`cat conftest.val` else 
@@ -11704,7 +11715,7 @@ ac_cv_sizeof_long_long_int=0 fi fi -echo "$as_me:11707: result: $ac_cv_sizeof_long_long_int" >&5 +echo "$as_me:11718: result: $ac_cv_sizeof_long_long_int" >&5 echo "${ECHO_T}$ac_cv_sizeof_long_long_int" >&6 cat >>confdefs.h <&5 +echo "$as_me:11730: checking for u_int type" >&5 echo $ECHO_N "checking for u_int type... $ECHO_C" >&6 if test "${ac_cv_have_u_int+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 11726 "configure" +#line 11737 "configure" #include "confdefs.h" #include int @@ -11735,16 +11746,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11738: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11749: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11741: \$? = $ac_status" >&5 + echo "$as_me:11752: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11744: \"$ac_try\"") >&5 + { (eval echo "$as_me:11755: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11747: \$? = $ac_status" >&5 + echo "$as_me:11758: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_u_int="yes" else @@ -11756,7 +11767,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:11759: result: $ac_cv_have_u_int" >&5 +echo "$as_me:11770: result: $ac_cv_have_u_int" >&5 echo "${ECHO_T}$ac_cv_have_u_int" >&6 if test "x$ac_cv_have_u_int" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -11766,14 +11777,14 @@ have_u_int=1 fi -echo "$as_me:11769: checking for intXX_t types" >&5 +echo "$as_me:11780: checking for intXX_t types" >&5 echo $ECHO_N "checking for intXX_t types... $ECHO_C" >&6 if test "${ac_cv_have_intxx_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 11776 "configure" +#line 11787 "configure" #include "confdefs.h" #include int 
@@ -11785,16 +11796,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11788: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11799: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11791: \$? = $ac_status" >&5 + echo "$as_me:11802: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11794: \"$ac_try\"") >&5 + { (eval echo "$as_me:11805: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11797: \$? = $ac_status" >&5 + echo "$as_me:11808: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_intxx_t="yes" else @@ -11806,7 +11817,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:11809: result: $ac_cv_have_intxx_t" >&5 +echo "$as_me:11820: result: $ac_cv_have_intxx_t" >&5 echo "${ECHO_T}$ac_cv_have_intxx_t" >&6 if test "x$ac_cv_have_intxx_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -11819,10 +11830,10 @@ if (test -z "$have_intxx_t" && \ test "x$ac_cv_header_stdint_h" = "xyes") then - echo "$as_me:11822: checking for intXX_t types in stdint.h" >&5 + echo "$as_me:11833: checking for intXX_t types in stdint.h" >&5 echo $ECHO_N "checking for intXX_t types in stdint.h... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 11825 "configure" +#line 11836 "configure" #include "confdefs.h" #include int 
@@ -11834,43 +11845,43 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11837: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11848: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11840: \$? = $ac_status" >&5 + echo "$as_me:11851: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11843: \"$ac_try\"") >&5 + { (eval echo "$as_me:11854: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11846: \$? = $ac_status" >&5 + echo "$as_me:11857: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF #define HAVE_INTXX_T 1 EOF - echo "$as_me:11853: result: yes" >&5 + echo "$as_me:11864: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:11859: result: no" >&5 + echo "$as_me:11870: result: no" >&5 echo "${ECHO_T}no" >&6 fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:11866: checking for int64_t type" >&5 +echo "$as_me:11877: checking for int64_t type" >&5 echo $ECHO_N "checking for int64_t type... $ECHO_C" >&6 if test "${ac_cv_have_int64_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 11873 "configure" +#line 11884 "configure" #include "confdefs.h" #include @@ -11891,16 +11902,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11894: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11905: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11897: \$? = $ac_status" >&5 + echo "$as_me:11908: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11900: \"$ac_try\"") >&5 + { (eval echo "$as_me:11911: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11903: \$? = $ac_status" >&5 + echo "$as_me:11914: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_int64_t="yes" else 
@@ -11912,7 +11923,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:11915: result: $ac_cv_have_int64_t" >&5 +echo "$as_me:11926: result: $ac_cv_have_int64_t" >&5 echo "${ECHO_T}$ac_cv_have_int64_t" >&6 if test "x$ac_cv_have_int64_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -11921,14 +11932,14 @@ fi -echo "$as_me:11924: checking for u_intXX_t types" >&5 +echo "$as_me:11935: checking for u_intXX_t types" >&5 echo $ECHO_N "checking for u_intXX_t types... $ECHO_C" >&6 if test "${ac_cv_have_u_intxx_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 11931 "configure" +#line 11942 "configure" #include "confdefs.h" #include int @@ -11940,16 +11951,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11943: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:11954: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11946: \$? = $ac_status" >&5 + echo "$as_me:11957: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11949: \"$ac_try\"") >&5 + { (eval echo "$as_me:11960: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11952: \$? = $ac_status" >&5 + echo "$as_me:11963: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_u_intxx_t="yes" else @@ -11961,7 +11972,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:11964: result: $ac_cv_have_u_intxx_t" >&5 +echo "$as_me:11975: result: $ac_cv_have_u_intxx_t" >&5 echo "${ECHO_T}$ac_cv_have_u_intxx_t" >&6 if test "x$ac_cv_have_u_intxx_t" = "xyes" ; then cat >>confdefs.h <<\EOF 
@@ -11972,10 +11983,10 @@ fi if test -z "$have_u_intxx_t" ; then - echo "$as_me:11975: checking for u_intXX_t types in sys/socket.h" >&5 + echo "$as_me:11986: checking for u_intXX_t types in sys/socket.h" >&5 echo $ECHO_N "checking for u_intXX_t types in sys/socket.h... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 11978 "configure" +#line 11989 "configure" #include "confdefs.h" #include int @@ -11987,43 +11998,43 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:11990: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12001: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:11993: \$? = $ac_status" >&5 + echo "$as_me:12004: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:11996: \"$ac_try\"") >&5 + { (eval echo "$as_me:12007: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:11999: \$? = $ac_status" >&5 + echo "$as_me:12010: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF #define HAVE_U_INTXX_T 1 EOF - echo "$as_me:12006: result: yes" >&5 + echo "$as_me:12017: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:12012: result: no" >&5 + echo "$as_me:12023: result: no" >&5 echo "${ECHO_T}no" >&6 fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12019: checking for u_int64_t types" >&5 +echo "$as_me:12030: checking for u_int64_t types" >&5 echo $ECHO_N "checking for u_int64_t types... $ECHO_C" >&6 if test "${ac_cv_have_u_int64_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12026 "configure" +#line 12037 "configure" #include "confdefs.h" #include int 
@@ -12035,16 +12046,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12038: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12049: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12041: \$? = $ac_status" >&5 + echo "$as_me:12052: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12044: \"$ac_try\"") >&5 + { (eval echo "$as_me:12055: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12047: \$? = $ac_status" >&5 + echo "$as_me:12058: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_u_int64_t="yes" else @@ -12056,7 +12067,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12059: result: $ac_cv_have_u_int64_t" >&5 +echo "$as_me:12070: result: $ac_cv_have_u_int64_t" >&5 echo "${ECHO_T}$ac_cv_have_u_int64_t" >&6 if test "x$ac_cv_have_u_int64_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12067,10 +12078,10 @@ fi if test -z "$have_u_int64_t" ; then - echo "$as_me:12070: checking for u_int64_t type in sys/bitypes.h" >&5 + echo "$as_me:12081: checking for u_int64_t type in sys/bitypes.h" >&5 echo $ECHO_N "checking for u_int64_t type in sys/bitypes.h... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 12073 "configure" +#line 12084 "configure" #include "confdefs.h" #include int 
@@ -12082,29 +12093,29 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12085: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12096: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12088: \$? = $ac_status" >&5 + echo "$as_me:12099: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12091: \"$ac_try\"") >&5 + { (eval echo "$as_me:12102: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12094: \$? = $ac_status" >&5 + echo "$as_me:12105: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF #define HAVE_U_INT64_T 1 EOF - echo "$as_me:12101: result: yes" >&5 + echo "$as_me:12112: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:12107: result: no" >&5 + echo "$as_me:12118: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -12112,14 +12123,14 @@ fi if test -z "$have_u_intxx_t" ; then - echo "$as_me:12115: checking for uintXX_t types" >&5 + echo "$as_me:12126: checking for uintXX_t types" >&5 echo $ECHO_N "checking for uintXX_t types... $ECHO_C" >&6 if test "${ac_cv_have_uintxx_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12122 "configure" +#line 12133 "configure" #include "confdefs.h" #include @@ -12133,16 +12144,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12136: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12147: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12139: \$? = $ac_status" >&5 + echo "$as_me:12150: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12142: \"$ac_try\"") >&5 + { (eval echo "$as_me:12153: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12145: \$? = $ac_status" >&5 + echo "$as_me:12156: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_uintxx_t="yes" else 
@@ -12154,7 +12165,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12157: result: $ac_cv_have_uintxx_t" >&5 +echo "$as_me:12168: result: $ac_cv_have_uintxx_t" >&5 echo "${ECHO_T}$ac_cv_have_uintxx_t" >&6 if test "x$ac_cv_have_uintxx_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12165,10 +12176,10 @@ fi if test -z "$have_uintxx_t" ; then - echo "$as_me:12168: checking for uintXX_t types in stdint.h" >&5 + echo "$as_me:12179: checking for uintXX_t types in stdint.h" >&5 echo $ECHO_N "checking for uintXX_t types in stdint.h... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 12171 "configure" +#line 12182 "configure" #include "confdefs.h" #include int @@ -12180,29 +12191,29 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12183: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12194: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12186: \$? = $ac_status" >&5 + echo "$as_me:12197: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12189: \"$ac_try\"") >&5 + { (eval echo "$as_me:12200: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12192: \$? = $ac_status" >&5 + echo "$as_me:12203: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF #define HAVE_UINTXX_T 1 EOF - echo "$as_me:12199: result: yes" >&5 + echo "$as_me:12210: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:12205: result: no" >&5 + echo "$as_me:12216: result: no" >&5 echo "${ECHO_T}no" >&6 fi 
@@ -12212,10 +12223,10 @@ if (test -z "$have_u_intxx_t" || test -z "$have_intxx_t" && \ test "x$ac_cv_header_sys_bitypes_h" = "xyes") then - echo "$as_me:12215: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 + echo "$as_me:12226: checking for intXX_t and u_intXX_t types in sys/bitypes.h" >&5 echo $ECHO_N "checking for intXX_t and u_intXX_t types in sys/bitypes.h... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 12218 "configure" +#line 12229 "configure" #include "confdefs.h" #include @@ -12233,16 +12244,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12236: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12247: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12239: \$? = $ac_status" >&5 + echo "$as_me:12250: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12242: \"$ac_try\"") >&5 + { (eval echo "$as_me:12253: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12245: \$? = $ac_status" >&5 + echo "$as_me:12256: \$? = $ac_status" >&5 (exit $ac_status); }; }; then cat >>confdefs.h <<\EOF @@ -12253,27 +12264,27 @@ #define HAVE_INTXX_T 1 EOF - echo "$as_me:12256: result: yes" >&5 + echo "$as_me:12267: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 -echo "$as_me:12262: result: no" >&5 +echo "$as_me:12273: result: no" >&5 echo "${ECHO_T}no" >&6 fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12269: checking for u_char" >&5 +echo "$as_me:12280: checking for u_char" >&5 echo $ECHO_N "checking for u_char... $ECHO_C" >&6 if test "${ac_cv_have_u_char+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12276 "configure" +#line 12287 "configure" #include "confdefs.h" #include 
@@ -12287,16 +12298,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12290: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12301: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12293: \$? = $ac_status" >&5 + echo "$as_me:12304: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12296: \"$ac_try\"") >&5 + { (eval echo "$as_me:12307: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12299: \$? = $ac_status" >&5 + echo "$as_me:12310: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_u_char="yes" else @@ -12308,7 +12319,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12311: result: $ac_cv_have_u_char" >&5 +echo "$as_me:12322: result: $ac_cv_have_u_char" >&5 echo "${ECHO_T}$ac_cv_have_u_char" >&6 if test "x$ac_cv_have_u_char" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12317,13 +12328,13 @@ fi - echo "$as_me:12320: checking for socklen_t" >&5 + echo "$as_me:12331: checking for socklen_t" >&5 echo $ECHO_N "checking for socklen_t... $ECHO_C" >&6 if test "${ac_cv_type_socklen_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12326 "configure" +#line 12337 "configure" #include "confdefs.h" #include #include @@ -12340,16 +12351,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12343: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12354: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12346: \$? = $ac_status" >&5 + echo "$as_me:12357: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12349: \"$ac_try\"") >&5 + { (eval echo "$as_me:12360: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12352: \$? = $ac_status" >&5 + echo "$as_me:12363: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_type_socklen_t=yes else 
@@ -12359,13 +12370,13 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12362: result: $ac_cv_type_socklen_t" >&5 +echo "$as_me:12373: result: $ac_cv_type_socklen_t" >&5 echo "${ECHO_T}$ac_cv_type_socklen_t" >&6 if test $ac_cv_type_socklen_t = yes; then : else - echo "$as_me:12368: checking for socklen_t equivalent" >&5 + echo "$as_me:12379: checking for socklen_t equivalent" >&5 echo $ECHO_N "checking for socklen_t equivalent... $ECHO_C" >&6 if test "${curl_cv_socklen_t_equiv+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -12377,7 +12388,7 @@ for arg2 in "struct sockaddr" void; do for t in int size_t unsigned long "unsigned long"; do cat >conftest.$ac_ext <<_ACEOF -#line 12380 "configure" +#line 12391 "configure" #include "confdefs.h" #include @@ -12397,16 +12408,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12400: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12411: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12403: \$? = $ac_status" >&5 + echo "$as_me:12414: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12406: \"$ac_try\"") >&5 + { (eval echo "$as_me:12417: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12409: \$? = $ac_status" >&5 + echo "$as_me:12420: \$? = $ac_status" >&5 (exit $ac_status); }; }; then curl_cv_socklen_t_equiv="$t" 
@@ -12421,14 +12432,14 @@ done if test "x$curl_cv_socklen_t_equiv" = x; then - { { echo "$as_me:12424: error: Cannot find a type to use in place of socklen_t" >&5 + { { echo "$as_me:12435: error: Cannot find a type to use in place of socklen_t" >&5 echo "$as_me: error: Cannot find a type to use in place of socklen_t" >&2;} { (exit 1); exit 1; }; } fi fi - echo "$as_me:12431: result: $curl_cv_socklen_t_equiv" >&5 + echo "$as_me:12442: result: $curl_cv_socklen_t_equiv" >&5 echo "${ECHO_T}$curl_cv_socklen_t_equiv" >&6 cat >>confdefs.h <&5 +echo "$as_me:12451: checking for sig_atomic_t" >&5 echo $ECHO_N "checking for sig_atomic_t... $ECHO_C" >&6 if test "${ac_cv_type_sig_atomic_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12446 "configure" +#line 12457 "configure" #include "confdefs.h" #include @@ -12459,16 +12470,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12462: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12473: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12465: \$? = $ac_status" >&5 + echo "$as_me:12476: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12468: \"$ac_try\"") >&5 + { (eval echo "$as_me:12479: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12471: \$? = $ac_status" >&5 + echo "$as_me:12482: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_type_sig_atomic_t=yes else @@ -12478,7 +12489,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12481: result: $ac_cv_type_sig_atomic_t" >&5 +echo "$as_me:12492: result: $ac_cv_type_sig_atomic_t" >&5 echo "${ECHO_T}$ac_cv_type_sig_atomic_t" >&6 if test $ac_cv_type_sig_atomic_t = yes; then 
@@ -12488,14 +12499,14 @@ fi -echo "$as_me:12491: checking for size_t" >&5 +echo "$as_me:12502: checking for size_t" >&5 echo $ECHO_N "checking for size_t... $ECHO_C" >&6 if test "${ac_cv_have_size_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12498 "configure" +#line 12509 "configure" #include "confdefs.h" #include @@ -12509,16 +12520,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12512: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12523: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12515: \$? = $ac_status" >&5 + echo "$as_me:12526: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12518: \"$ac_try\"") >&5 + { (eval echo "$as_me:12529: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12521: \$? = $ac_status" >&5 + echo "$as_me:12532: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_size_t="yes" else @@ -12530,7 +12541,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12533: result: $ac_cv_have_size_t" >&5 +echo "$as_me:12544: result: $ac_cv_have_size_t" >&5 echo "${ECHO_T}$ac_cv_have_size_t" >&6 if test "x$ac_cv_have_size_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12539,14 +12550,14 @@ fi -echo "$as_me:12542: checking for ssize_t" >&5 +echo "$as_me:12553: checking for ssize_t" >&5 echo $ECHO_N "checking for ssize_t... $ECHO_C" >&6 if test "${ac_cv_have_ssize_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12549 "configure" +#line 12560 "configure" #include "confdefs.h" #include 
@@ -12560,16 +12571,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12563: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12574: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12566: \$? = $ac_status" >&5 + echo "$as_me:12577: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12569: \"$ac_try\"") >&5 + { (eval echo "$as_me:12580: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12572: \$? = $ac_status" >&5 + echo "$as_me:12583: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_ssize_t="yes" else @@ -12581,7 +12592,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12584: result: $ac_cv_have_ssize_t" >&5 +echo "$as_me:12595: result: $ac_cv_have_ssize_t" >&5 echo "${ECHO_T}$ac_cv_have_ssize_t" >&6 if test "x$ac_cv_have_ssize_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12590,14 +12601,14 @@ fi -echo "$as_me:12593: checking for clock_t" >&5 +echo "$as_me:12604: checking for clock_t" >&5 echo $ECHO_N "checking for clock_t... $ECHO_C" >&6 if test "${ac_cv_have_clock_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12600 "configure" +#line 12611 "configure" #include "confdefs.h" #include @@ -12611,16 +12622,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12614: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12625: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12617: \$? = $ac_status" >&5 + echo "$as_me:12628: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12620: \"$ac_try\"") >&5 + { (eval echo "$as_me:12631: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12623: \$? = $ac_status" >&5 + echo "$as_me:12634: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_clock_t="yes" else 
@@ -12632,7 +12643,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12635: result: $ac_cv_have_clock_t" >&5 +echo "$as_me:12646: result: $ac_cv_have_clock_t" >&5 echo "${ECHO_T}$ac_cv_have_clock_t" >&6 if test "x$ac_cv_have_clock_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12641,14 +12652,14 @@ fi -echo "$as_me:12644: checking for sa_family_t" >&5 +echo "$as_me:12655: checking for sa_family_t" >&5 echo $ECHO_N "checking for sa_family_t... $ECHO_C" >&6 if test "${ac_cv_have_sa_family_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12651 "configure" +#line 12662 "configure" #include "confdefs.h" #include @@ -12663,23 +12674,23 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12666: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12677: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12669: \$? = $ac_status" >&5 + echo "$as_me:12680: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12672: \"$ac_try\"") >&5 + { (eval echo "$as_me:12683: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12675: \$? = $ac_status" >&5 + echo "$as_me:12686: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_sa_family_t="yes" else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 cat >conftest.$ac_ext <<_ACEOF -#line 12682 "configure" +#line 12693 "configure" #include "confdefs.h" #include 
@@ -12695,16 +12706,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12698: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12709: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12701: \$? = $ac_status" >&5 + echo "$as_me:12712: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12704: \"$ac_try\"") >&5 + { (eval echo "$as_me:12715: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12707: \$? = $ac_status" >&5 + echo "$as_me:12718: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_sa_family_t="yes" else @@ -12719,7 +12730,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12722: result: $ac_cv_have_sa_family_t" >&5 +echo "$as_me:12733: result: $ac_cv_have_sa_family_t" >&5 echo "${ECHO_T}$ac_cv_have_sa_family_t" >&6 if test "x$ac_cv_have_sa_family_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12728,14 +12739,14 @@ fi -echo "$as_me:12731: checking for pid_t" >&5 +echo "$as_me:12742: checking for pid_t" >&5 echo $ECHO_N "checking for pid_t... $ECHO_C" >&6 if test "${ac_cv_have_pid_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12738 "configure" +#line 12749 "configure" #include "confdefs.h" #include @@ -12749,16 +12760,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12752: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12763: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12755: \$? = $ac_status" >&5 + echo "$as_me:12766: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12758: \"$ac_try\"") >&5 + { (eval echo "$as_me:12769: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12761: \$? = $ac_status" >&5 + echo "$as_me:12772: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_pid_t="yes" else 
@@ -12770,7 +12781,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12773: result: $ac_cv_have_pid_t" >&5 +echo "$as_me:12784: result: $ac_cv_have_pid_t" >&5 echo "${ECHO_T}$ac_cv_have_pid_t" >&6 if test "x$ac_cv_have_pid_t" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12779,14 +12790,14 @@ fi -echo "$as_me:12782: checking for mode_t" >&5 +echo "$as_me:12793: checking for mode_t" >&5 echo $ECHO_N "checking for mode_t... $ECHO_C" >&6 if test "${ac_cv_have_mode_t+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12789 "configure" +#line 12800 "configure" #include "confdefs.h" #include @@ -12800,16 +12811,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12803: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12814: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12806: \$? = $ac_status" >&5 + echo "$as_me:12817: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12809: \"$ac_try\"") >&5 + { (eval echo "$as_me:12820: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12812: \$? = $ac_status" >&5 + echo "$as_me:12823: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_mode_t="yes" else @@ -12821,7 +12832,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12824: result: $ac_cv_have_mode_t" >&5 +echo "$as_me:12835: result: $ac_cv_have_mode_t" >&5 echo "${ECHO_T}$ac_cv_have_mode_t" >&6 if test "x$ac_cv_have_mode_t" = "xyes" ; then cat >>confdefs.h <<\EOF 
@@ -12830,14 +12841,14 @@ fi -echo "$as_me:12833: checking for struct sockaddr_storage" >&5 +echo "$as_me:12844: checking for struct sockaddr_storage" >&5 echo $ECHO_N "checking for struct sockaddr_storage... $ECHO_C" >&6 if test "${ac_cv_have_struct_sockaddr_storage+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12840 "configure" +#line 12851 "configure" #include "confdefs.h" #include @@ -12852,16 +12863,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12855: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12866: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12858: \$? = $ac_status" >&5 + echo "$as_me:12869: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12861: \"$ac_try\"") >&5 + { (eval echo "$as_me:12872: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12864: \$? = $ac_status" >&5 + echo "$as_me:12875: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_struct_sockaddr_storage="yes" else @@ -12873,7 +12884,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12876: result: $ac_cv_have_struct_sockaddr_storage" >&5 +echo "$as_me:12887: result: $ac_cv_have_struct_sockaddr_storage" >&5 echo "${ECHO_T}$ac_cv_have_struct_sockaddr_storage" >&6 if test "x$ac_cv_have_struct_sockaddr_storage" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12882,14 +12893,14 @@ fi -echo "$as_me:12885: checking for struct sockaddr_in6" >&5 +echo "$as_me:12896: checking for struct sockaddr_in6" >&5 echo $ECHO_N "checking for struct sockaddr_in6... $ECHO_C" >&6 if test "${ac_cv_have_struct_sockaddr_in6+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12892 "configure" +#line 12903 "configure" #include "confdefs.h" #include 
@@ -12904,16 +12915,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12907: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12918: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12910: \$? = $ac_status" >&5 + echo "$as_me:12921: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12913: \"$ac_try\"") >&5 + { (eval echo "$as_me:12924: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12916: \$? = $ac_status" >&5 + echo "$as_me:12927: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_struct_sockaddr_in6="yes" else @@ -12925,7 +12936,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12928: result: $ac_cv_have_struct_sockaddr_in6" >&5 +echo "$as_me:12939: result: $ac_cv_have_struct_sockaddr_in6" >&5 echo "${ECHO_T}$ac_cv_have_struct_sockaddr_in6" >&6 if test "x$ac_cv_have_struct_sockaddr_in6" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12934,14 +12945,14 @@ fi -echo "$as_me:12937: checking for struct in6_addr" >&5 +echo "$as_me:12948: checking for struct in6_addr" >&5 echo $ECHO_N "checking for struct in6_addr... $ECHO_C" >&6 if test "${ac_cv_have_struct_in6_addr+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12944 "configure" +#line 12955 "configure" #include "confdefs.h" #include 
@@ -12956,16 +12967,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:12959: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:12970: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:12962: \$? = $ac_status" >&5 + echo "$as_me:12973: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:12965: \"$ac_try\"") >&5 + { (eval echo "$as_me:12976: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:12968: \$? = $ac_status" >&5 + echo "$as_me:12979: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_struct_in6_addr="yes" else @@ -12977,7 +12988,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:12980: result: $ac_cv_have_struct_in6_addr" >&5 +echo "$as_me:12991: result: $ac_cv_have_struct_in6_addr" >&5 echo "${ECHO_T}$ac_cv_have_struct_in6_addr" >&6 if test "x$ac_cv_have_struct_in6_addr" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -12986,14 +12997,14 @@ fi -echo "$as_me:12989: checking for struct addrinfo" >&5 +echo "$as_me:13000: checking for struct addrinfo" >&5 echo $ECHO_N "checking for struct addrinfo... $ECHO_C" >&6 if test "${ac_cv_have_struct_addrinfo+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 12996 "configure" +#line 13007 "configure" #include "confdefs.h" #include 
@@ -13009,16 +13020,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:13012: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:13023: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:13015: \$? = $ac_status" >&5 + echo "$as_me:13026: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13018: \"$ac_try\"") >&5 + { (eval echo "$as_me:13029: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:13021: \$? = $ac_status" >&5 + echo "$as_me:13032: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_struct_addrinfo="yes" else @@ -13030,7 +13041,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:13033: result: $ac_cv_have_struct_addrinfo" >&5 +echo "$as_me:13044: result: $ac_cv_have_struct_addrinfo" >&5 echo "${ECHO_T}$ac_cv_have_struct_addrinfo" >&6 if test "x$ac_cv_have_struct_addrinfo" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -13039,14 +13050,14 @@ fi -echo "$as_me:13042: checking for struct timeval" >&5 +echo "$as_me:13053: checking for struct timeval" >&5 echo $ECHO_N "checking for struct timeval... $ECHO_C" >&6 if test "${ac_cv_have_struct_timeval+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13049 "configure" +#line 13060 "configure" #include "confdefs.h" #include int 
@@ -13058,16 +13069,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:13061: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:13072: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:13064: \$? = $ac_status" >&5 + echo "$as_me:13075: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13067: \"$ac_try\"") >&5 + { (eval echo "$as_me:13078: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:13070: \$? = $ac_status" >&5 + echo "$as_me:13081: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_struct_timeval="yes" else @@ -13079,7 +13090,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:13082: result: $ac_cv_have_struct_timeval" >&5 +echo "$as_me:13093: result: $ac_cv_have_struct_timeval" >&5 echo "${ECHO_T}$ac_cv_have_struct_timeval" >&6 if test "x$ac_cv_have_struct_timeval" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -13089,13 +13100,13 @@ have_struct_timeval=1 fi -echo "$as_me:13092: checking for struct timespec" >&5 +echo "$as_me:13103: checking for struct timespec" >&5 echo $ECHO_N "checking for struct timespec... $ECHO_C" >&6 if test "${ac_cv_type_struct_timespec+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13098 "configure" +#line 13109 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -13110,16 +13121,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:13113: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:13124: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:13116: \$? = $ac_status" >&5 + echo "$as_me:13127: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13119: \"$ac_try\"") >&5 + { (eval echo "$as_me:13130: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:13122: \$? = $ac_status" >&5 + echo "$as_me:13133: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_type_struct_timespec=yes else @@ -13129,7 +13140,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:13132: result: $ac_cv_type_struct_timespec" >&5 +echo "$as_me:13143: result: $ac_cv_type_struct_timespec" >&5 echo "${ECHO_T}$ac_cv_type_struct_timespec" >&6 if test $ac_cv_type_struct_timespec = yes; then @@ -13149,12 +13160,12 @@ exit 1; else if test "$cross_compiling" = yes; then - { { echo "$as_me:13152: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:13163: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 13157 "configure" +#line 13168 "configure" #include "confdefs.h" #include @@ -13182,15 +13193,15 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:13185: \"$ac_link\"") >&5 +if { (eval echo "$as_me:13196: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:13188: \$? = $ac_status" >&5 + echo "$as_me:13199: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:13190: \"$ac_try\"") >&5 + { (eval echo "$as_me:13201: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:13193: \$? = $ac_status" >&5 + echo "$as_me:13204: \$? = $ac_status" >&5 (exit $ac_status); }; }; then true else 
@@ -13209,14 +13220,14 @@ # look for field 'ut_host' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host - echo "$as_me:13212: checking for ut_host field in utmp.h" >&5 + echo "$as_me:13223: checking for ut_host field in utmp.h" >&5 echo $ECHO_N "checking for ut_host field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13219 "configure" +#line 13230 "configure" #include "confdefs.h" #include @@ -13233,7 +13244,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13236: result: $ossh_result" >&5 + echo "$as_me:13247: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13242,21 +13253,21 @@ fi else - echo "$as_me:13245: result: no" >&5 + echo "$as_me:13256: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_host' in header 'utmpx.h' ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_host - echo "$as_me:13252: checking for ut_host field in utmpx.h" >&5 + echo "$as_me:13263: checking for ut_host field in utmpx.h" >&5 echo $ECHO_N "checking for ut_host field in utmpx.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13259 "configure" +#line 13270 "configure" #include "confdefs.h" #include @@ -13273,7 +13284,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13276: result: $ossh_result" >&5 + echo "$as_me:13287: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF 
@@ -13282,21 +13293,21 @@ fi else - echo "$as_me:13285: result: no" >&5 + echo "$as_me:13296: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'syslen' in header 'utmpx.h' ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"syslen - echo "$as_me:13292: checking for syslen field in utmpx.h" >&5 + echo "$as_me:13303: checking for syslen field in utmpx.h" >&5 echo $ECHO_N "checking for syslen field in utmpx.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13299 "configure" +#line 13310 "configure" #include "confdefs.h" #include @@ -13313,7 +13324,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13316: result: $ossh_result" >&5 + echo "$as_me:13327: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13322,21 +13333,21 @@ fi else - echo "$as_me:13325: result: no" >&5 + echo "$as_me:13336: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_pid' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_pid - echo "$as_me:13332: checking for ut_pid field in utmp.h" >&5 + echo "$as_me:13343: checking for ut_pid field in utmp.h" >&5 echo $ECHO_N "checking for ut_pid field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13339 "configure" +#line 13350 "configure" #include "confdefs.h" #include @@ -13353,7 +13364,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13356: result: $ossh_result" >&5 + echo "$as_me:13367: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF 
@@ -13362,21 +13373,21 @@ fi else - echo "$as_me:13365: result: no" >&5 + echo "$as_me:13376: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_type' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type - echo "$as_me:13372: checking for ut_type field in utmp.h" >&5 + echo "$as_me:13383: checking for ut_type field in utmp.h" >&5 echo $ECHO_N "checking for ut_type field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13379 "configure" +#line 13390 "configure" #include "confdefs.h" #include @@ -13393,7 +13404,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13396: result: $ossh_result" >&5 + echo "$as_me:13407: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13402,21 +13413,21 @@ fi else - echo "$as_me:13405: result: no" >&5 + echo "$as_me:13416: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_type' in header 'utmpx.h' ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_type - echo "$as_me:13412: checking for ut_type field in utmpx.h" >&5 + echo "$as_me:13423: checking for ut_type field in utmpx.h" >&5 echo $ECHO_N "checking for ut_type field in utmpx.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13419 "configure" +#line 13430 "configure" #include "confdefs.h" #include @@ -13433,7 +13444,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13436: result: $ossh_result" >&5 + echo "$as_me:13447: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF 
@@ -13442,21 +13453,21 @@ fi else - echo "$as_me:13445: result: no" >&5 + echo "$as_me:13456: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_tv' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv - echo "$as_me:13452: checking for ut_tv field in utmp.h" >&5 + echo "$as_me:13463: checking for ut_tv field in utmp.h" >&5 echo $ECHO_N "checking for ut_tv field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13459 "configure" +#line 13470 "configure" #include "confdefs.h" #include @@ -13473,7 +13484,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13476: result: $ossh_result" >&5 + echo "$as_me:13487: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13482,21 +13493,21 @@ fi else - echo "$as_me:13485: result: no" >&5 + echo "$as_me:13496: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_id' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id - echo "$as_me:13492: checking for ut_id field in utmp.h" >&5 + echo "$as_me:13503: checking for ut_id field in utmp.h" >&5 echo $ECHO_N "checking for ut_id field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13499 "configure" +#line 13510 "configure" #include "confdefs.h" #include @@ -13513,7 +13524,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13516: result: $ossh_result" >&5 + echo "$as_me:13527: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF 
@@ -13522,21 +13533,21 @@ fi else - echo "$as_me:13525: result: no" >&5 + echo "$as_me:13536: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_id' in header 'utmpx.h' ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_id - echo "$as_me:13532: checking for ut_id field in utmpx.h" >&5 + echo "$as_me:13543: checking for ut_id field in utmpx.h" >&5 echo $ECHO_N "checking for ut_id field in utmpx.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13539 "configure" +#line 13550 "configure" #include "confdefs.h" #include @@ -13553,7 +13564,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13556: result: $ossh_result" >&5 + echo "$as_me:13567: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13562,21 +13573,21 @@ fi else - echo "$as_me:13565: result: no" >&5 + echo "$as_me:13576: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_addr' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr - echo "$as_me:13572: checking for ut_addr field in utmp.h" >&5 + echo "$as_me:13583: checking for ut_addr field in utmp.h" >&5 echo $ECHO_N "checking for ut_addr field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13579 "configure" +#line 13590 "configure" #include "confdefs.h" #include @@ -13593,7 +13604,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13596: result: $ossh_result" >&5 + echo "$as_me:13607: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF 
@@ -13602,21 +13613,21 @@ fi else - echo "$as_me:13605: result: no" >&5 + echo "$as_me:13616: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_addr' in header 'utmpx.h' ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr - echo "$as_me:13612: checking for ut_addr field in utmpx.h" >&5 + echo "$as_me:13623: checking for ut_addr field in utmpx.h" >&5 echo $ECHO_N "checking for ut_addr field in utmpx.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13619 "configure" +#line 13630 "configure" #include "confdefs.h" #include @@ -13633,7 +13644,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13636: result: $ossh_result" >&5 + echo "$as_me:13647: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13642,21 +13653,21 @@ fi else - echo "$as_me:13645: result: no" >&5 + echo "$as_me:13656: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_addr_v6' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 - echo "$as_me:13652: checking for ut_addr_v6 field in utmp.h" >&5 + echo "$as_me:13663: checking for ut_addr_v6 field in utmp.h" >&5 echo $ECHO_N "checking for ut_addr_v6 field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13659 "configure" +#line 13670 "configure" #include "confdefs.h" #include @@ -13673,7 +13684,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13676: result: $ossh_result" >&5 + echo "$as_me:13687: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF 
@@ -13682,21 +13693,21 @@ fi else - echo "$as_me:13685: result: no" >&5 + echo "$as_me:13696: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_addr_v6' in header 'utmpx.h' ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_addr_v6 - echo "$as_me:13692: checking for ut_addr_v6 field in utmpx.h" >&5 + echo "$as_me:13703: checking for ut_addr_v6 field in utmpx.h" >&5 echo $ECHO_N "checking for ut_addr_v6 field in utmpx.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13699 "configure" +#line 13710 "configure" #include "confdefs.h" #include @@ -13713,7 +13724,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13716: result: $ossh_result" >&5 + echo "$as_me:13727: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13722,21 +13733,21 @@ fi else - echo "$as_me:13725: result: no" >&5 + echo "$as_me:13736: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_exit' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_exit - echo "$as_me:13732: checking for ut_exit field in utmp.h" >&5 + echo "$as_me:13743: checking for ut_exit field in utmp.h" >&5 echo $ECHO_N "checking for ut_exit field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13739 "configure" +#line 13750 "configure" #include "confdefs.h" #include @@ -13753,7 +13764,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13756: result: $ossh_result" >&5 + echo "$as_me:13767: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF 
@@ -13762,21 +13773,21 @@ fi else - echo "$as_me:13765: result: no" >&5 + echo "$as_me:13776: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_time' in header 'utmp.h' ossh_safe=`echo "utmp.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time - echo "$as_me:13772: checking for ut_time field in utmp.h" >&5 + echo "$as_me:13783: checking for ut_time field in utmp.h" >&5 echo $ECHO_N "checking for ut_time field in utmp.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13779 "configure" +#line 13790 "configure" #include "confdefs.h" #include @@ -13793,7 +13804,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13796: result: $ossh_result" >&5 + echo "$as_me:13807: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13802,21 +13813,21 @@ fi else - echo "$as_me:13805: result: no" >&5 + echo "$as_me:13816: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_time' in header 'utmpx.h' ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_time - echo "$as_me:13812: checking for ut_time field in utmpx.h" >&5 + echo "$as_me:13823: checking for ut_time field in utmpx.h" >&5 echo $ECHO_N "checking for ut_time field in utmpx.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13819 "configure" +#line 13830 "configure" #include "confdefs.h" #include @@ -13833,7 +13844,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13836: result: $ossh_result" >&5 + echo "$as_me:13847: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF 
@@ -13842,21 +13853,21 @@ fi else - echo "$as_me:13845: result: no" >&5 + echo "$as_me:13856: result: no" >&5 echo "${ECHO_T}no" >&6 fi # look for field 'ut_tv' in header 'utmpx.h' ossh_safe=`echo "utmpx.h" | sed 'y%./+-%__p_%'` ossh_varname="ossh_cv_$ossh_safe""_has_"ut_tv - echo "$as_me:13852: checking for ut_tv field in utmpx.h" >&5 + echo "$as_me:13863: checking for ut_tv field in utmpx.h" >&5 echo $ECHO_N "checking for ut_tv field in utmpx.h... $ECHO_C" >&6 if eval "test \"\${$ossh_varname+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13859 "configure" +#line 13870 "configure" #include "confdefs.h" #include @@ -13873,7 +13884,7 @@ ossh_result=`eval 'echo $'"$ossh_varname"` if test -n "`echo $ossh_varname`"; then - echo "$as_me:13876: result: $ossh_result" >&5 + echo "$as_me:13887: result: $ossh_result" >&5 echo "${ECHO_T}$ossh_result" >&6 if test "x$ossh_result" = "xyes"; then cat >>confdefs.h <<\EOF @@ -13882,17 +13893,17 @@ fi else - echo "$as_me:13885: result: no" >&5 + echo "$as_me:13896: result: no" >&5 echo "${ECHO_T}no" >&6 fi -echo "$as_me:13889: checking for struct stat.st_blksize" >&5 +echo "$as_me:13900: checking for struct stat.st_blksize" >&5 echo $ECHO_N "checking for struct stat.st_blksize... $ECHO_C" >&6 if test "${ac_cv_member_struct_stat_st_blksize+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13895 "configure" +#line 13906 "configure" #include "confdefs.h" $ac_includes_default int 
@@ -13906,16 +13917,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:13909: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:13920: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:13912: \$? = $ac_status" >&5 + echo "$as_me:13923: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13915: \"$ac_try\"") >&5 + { (eval echo "$as_me:13926: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:13918: \$? = $ac_status" >&5 + echo "$as_me:13929: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_member_struct_stat_st_blksize=yes else @@ -13925,7 +13936,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:13928: result: $ac_cv_member_struct_stat_st_blksize" >&5 +echo "$as_me:13939: result: $ac_cv_member_struct_stat_st_blksize" >&5 echo "${ECHO_T}$ac_cv_member_struct_stat_st_blksize" >&6 if test $ac_cv_member_struct_stat_st_blksize = yes; then @@ -13935,14 +13946,14 @@ fi -echo "$as_me:13938: checking for ss_family field in struct sockaddr_storage" >&5 +echo "$as_me:13949: checking for ss_family field in struct sockaddr_storage" >&5 echo $ECHO_N "checking for ss_family field in struct sockaddr_storage... $ECHO_C" >&6 if test "${ac_cv_have_ss_family_in_struct_ss+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13945 "configure" +#line 13956 "configure" #include "confdefs.h" #include 
@@ -13957,16 +13968,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:13960: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:13971: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:13963: \$? = $ac_status" >&5 + echo "$as_me:13974: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:13966: \"$ac_try\"") >&5 + { (eval echo "$as_me:13977: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:13969: \$? = $ac_status" >&5 + echo "$as_me:13980: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_ss_family_in_struct_ss="yes" else @@ -13977,7 +13988,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:13980: result: $ac_cv_have_ss_family_in_struct_ss" >&5 +echo "$as_me:13991: result: $ac_cv_have_ss_family_in_struct_ss" >&5 echo "${ECHO_T}$ac_cv_have_ss_family_in_struct_ss" >&6 if test "x$ac_cv_have_ss_family_in_struct_ss" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -13986,14 +13997,14 @@ fi -echo "$as_me:13989: checking for __ss_family field in struct sockaddr_storage" >&5 +echo "$as_me:14000: checking for __ss_family field in struct sockaddr_storage" >&5 echo $ECHO_N "checking for __ss_family field in struct sockaddr_storage... $ECHO_C" >&6 if test "${ac_cv_have___ss_family_in_struct_ss+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 13996 "configure" +#line 14007 "configure" #include "confdefs.h" #include 
@@ -14008,16 +14019,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:14011: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:14022: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:14014: \$? = $ac_status" >&5 + echo "$as_me:14025: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:14017: \"$ac_try\"") >&5 + { (eval echo "$as_me:14028: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14020: \$? = $ac_status" >&5 + echo "$as_me:14031: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have___ss_family_in_struct_ss="yes" else @@ -14029,7 +14040,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:14032: result: $ac_cv_have___ss_family_in_struct_ss" >&5 +echo "$as_me:14043: result: $ac_cv_have___ss_family_in_struct_ss" >&5 echo "${ECHO_T}$ac_cv_have___ss_family_in_struct_ss" >&6 if test "x$ac_cv_have___ss_family_in_struct_ss" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14038,14 +14049,14 @@ fi -echo "$as_me:14041: checking for pw_class field in struct passwd" >&5 +echo "$as_me:14052: checking for pw_class field in struct passwd" >&5 echo $ECHO_N "checking for pw_class field in struct passwd... $ECHO_C" >&6 if test "${ac_cv_have_pw_class_in_struct_passwd+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14048 "configure" +#line 14059 "configure" #include "confdefs.h" #include 
@@ -14059,16 +14070,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:14062: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:14073: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:14065: \$? = $ac_status" >&5 + echo "$as_me:14076: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:14068: \"$ac_try\"") >&5 + { (eval echo "$as_me:14079: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14071: \$? = $ac_status" >&5 + echo "$as_me:14082: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_pw_class_in_struct_passwd="yes" else @@ -14080,7 +14091,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:14083: result: $ac_cv_have_pw_class_in_struct_passwd" >&5 +echo "$as_me:14094: result: $ac_cv_have_pw_class_in_struct_passwd" >&5 echo "${ECHO_T}$ac_cv_have_pw_class_in_struct_passwd" >&6 if test "x$ac_cv_have_pw_class_in_struct_passwd" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14089,14 +14100,14 @@ fi -echo "$as_me:14092: checking for pw_expire field in struct passwd" >&5 +echo "$as_me:14103: checking for pw_expire field in struct passwd" >&5 echo $ECHO_N "checking for pw_expire field in struct passwd... $ECHO_C" >&6 if test "${ac_cv_have_pw_expire_in_struct_passwd+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14099 "configure" +#line 14110 "configure" #include "confdefs.h" #include 
@@ -14110,16 +14121,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:14113: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:14124: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:14116: \$? = $ac_status" >&5 + echo "$as_me:14127: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:14119: \"$ac_try\"") >&5 + { (eval echo "$as_me:14130: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14122: \$? = $ac_status" >&5 + echo "$as_me:14133: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_pw_expire_in_struct_passwd="yes" else @@ -14131,7 +14142,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:14134: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5 +echo "$as_me:14145: result: $ac_cv_have_pw_expire_in_struct_passwd" >&5 echo "${ECHO_T}$ac_cv_have_pw_expire_in_struct_passwd" >&6 if test "x$ac_cv_have_pw_expire_in_struct_passwd" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14140,14 +14151,14 @@ fi -echo "$as_me:14143: checking for pw_change field in struct passwd" >&5 +echo "$as_me:14154: checking for pw_change field in struct passwd" >&5 echo $ECHO_N "checking for pw_change field in struct passwd... $ECHO_C" >&6 if test "${ac_cv_have_pw_change_in_struct_passwd+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14150 "configure" +#line 14161 "configure" #include "confdefs.h" #include 
@@ -14161,16 +14172,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:14164: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:14175: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:14167: \$? = $ac_status" >&5 + echo "$as_me:14178: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:14170: \"$ac_try\"") >&5 + { (eval echo "$as_me:14181: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14173: \$? = $ac_status" >&5 + echo "$as_me:14184: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_pw_change_in_struct_passwd="yes" else @@ -14182,7 +14193,7 @@ rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:14185: result: $ac_cv_have_pw_change_in_struct_passwd" >&5 +echo "$as_me:14196: result: $ac_cv_have_pw_change_in_struct_passwd" >&5 echo "${ECHO_T}$ac_cv_have_pw_change_in_struct_passwd" >&6 if test "x$ac_cv_have_pw_change_in_struct_passwd" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14191,19 +14202,19 @@ fi -echo "$as_me:14194: checking for msg_accrights field in struct msghdr" >&5 +echo "$as_me:14205: checking for msg_accrights field in struct msghdr" >&5 echo $ECHO_N "checking for msg_accrights field in struct msghdr... $ECHO_C" >&6 if test "${ac_cv_have_accrights_in_msghdr+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else if test "$cross_compiling" = yes; then - { { echo "$as_me:14201: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:14212: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 14206 "configure" +#line 14217 "configure" #include "confdefs.h" #include 
@@ -14220,15 +14231,15 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:14223: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14234: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14226: \$? = $ac_status" >&5 + echo "$as_me:14237: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:14228: \"$ac_try\"") >&5 + { (eval echo "$as_me:14239: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14231: \$? = $ac_status" >&5 + echo "$as_me:14242: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_accrights_in_msghdr="yes" else @@ -14242,7 +14253,7 @@ fi fi -echo "$as_me:14245: result: $ac_cv_have_accrights_in_msghdr" >&5 +echo "$as_me:14256: result: $ac_cv_have_accrights_in_msghdr" >&5 echo "${ECHO_T}$ac_cv_have_accrights_in_msghdr" >&6 if test "x$ac_cv_have_accrights_in_msghdr" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14251,19 +14262,19 @@ fi -echo "$as_me:14254: checking for msg_control field in struct msghdr" >&5 +echo "$as_me:14265: checking for msg_control field in struct msghdr" >&5 echo $ECHO_N "checking for msg_control field in struct msghdr... $ECHO_C" >&6 if test "${ac_cv_have_control_in_msghdr+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else if test "$cross_compiling" = yes; then - { { echo "$as_me:14261: error: cannot run test program while cross compiling" >&5 + { { echo "$as_me:14272: error: cannot run test program while cross compiling" >&5 echo "$as_me: error: cannot run test program while cross compiling" >&2;} { (exit 1); exit 1; }; } else cat >conftest.$ac_ext <<_ACEOF -#line 14266 "configure" +#line 14277 "configure" #include "confdefs.h" #include 
@@ -14280,15 +14291,15 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:14283: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14294: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14286: \$? = $ac_status" >&5 + echo "$as_me:14297: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:14288: \"$ac_try\"") >&5 + { (eval echo "$as_me:14299: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14291: \$? = $ac_status" >&5 + echo "$as_me:14302: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_control_in_msghdr="yes" else @@ -14302,7 +14313,7 @@ fi fi -echo "$as_me:14305: result: $ac_cv_have_control_in_msghdr" >&5 +echo "$as_me:14316: result: $ac_cv_have_control_in_msghdr" >&5 echo "${ECHO_T}$ac_cv_have_control_in_msghdr" >&6 if test "x$ac_cv_have_control_in_msghdr" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14311,14 +14322,14 @@ fi -echo "$as_me:14314: checking if libc defines __progname" >&5 +echo "$as_me:14325: checking if libc defines __progname" >&5 echo $ECHO_N "checking if libc defines __progname... $ECHO_C" >&6 if test "${ac_cv_libc_defines___progname+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14321 "configure" +#line 14332 "configure" #include "confdefs.h" int @@ -14330,16 +14341,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14333: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14344: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14336: \$? = $ac_status" >&5 + echo "$as_me:14347: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14339: \"$ac_try\"") >&5 + { (eval echo "$as_me:14350: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14342: \$? = $ac_status" >&5 + echo "$as_me:14353: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_libc_defines___progname="yes" else 
@@ -14351,7 +14362,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:14354: result: $ac_cv_libc_defines___progname" >&5 +echo "$as_me:14365: result: $ac_cv_libc_defines___progname" >&5 echo "${ECHO_T}$ac_cv_libc_defines___progname" >&6 if test "x$ac_cv_libc_defines___progname" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14360,14 +14371,14 @@ fi -echo "$as_me:14363: checking whether $CC implements __FUNCTION__" >&5 +echo "$as_me:14374: checking whether $CC implements __FUNCTION__" >&5 echo $ECHO_N "checking whether $CC implements __FUNCTION__... $ECHO_C" >&6 if test "${ac_cv_cc_implements___FUNCTION__+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14370 "configure" +#line 14381 "configure" #include "confdefs.h" #include @@ -14381,16 +14392,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14384: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14395: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14387: \$? = $ac_status" >&5 + echo "$as_me:14398: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14390: \"$ac_try\"") >&5 + { (eval echo "$as_me:14401: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14393: \$? = $ac_status" >&5 + echo "$as_me:14404: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_cc_implements___FUNCTION__="yes" else @@ -14402,7 +14413,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:14405: result: $ac_cv_cc_implements___FUNCTION__" >&5 +echo "$as_me:14416: result: $ac_cv_cc_implements___FUNCTION__" >&5 echo "${ECHO_T}$ac_cv_cc_implements___FUNCTION__" >&6 if test "x$ac_cv_cc_implements___FUNCTION__" = "xyes" ; then cat >>confdefs.h <<\EOF 
@@ -14411,14 +14422,14 @@ fi -echo "$as_me:14414: checking whether $CC implements __func__" >&5 +echo "$as_me:14425: checking whether $CC implements __func__" >&5 echo $ECHO_N "checking whether $CC implements __func__... $ECHO_C" >&6 if test "${ac_cv_cc_implements___func__+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14421 "configure" +#line 14432 "configure" #include "confdefs.h" #include @@ -14432,16 +14443,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14435: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14446: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14438: \$? = $ac_status" >&5 + echo "$as_me:14449: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14441: \"$ac_try\"") >&5 + { (eval echo "$as_me:14452: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14444: \$? = $ac_status" >&5 + echo "$as_me:14455: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_cc_implements___func__="yes" else @@ -14453,7 +14464,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:14456: result: $ac_cv_cc_implements___func__" >&5 +echo "$as_me:14467: result: $ac_cv_cc_implements___func__" >&5 echo "${ECHO_T}$ac_cv_cc_implements___func__" >&6 if test "x$ac_cv_cc_implements___func__" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14462,14 +14473,14 @@ fi -echo "$as_me:14465: checking whether getopt has optreset support" >&5 +echo "$as_me:14476: checking whether getopt has optreset support" >&5 echo $ECHO_N "checking whether getopt has optreset support... $ECHO_C" >&6 if test "${ac_cv_have_getopt_optreset+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14472 "configure" +#line 14483 "configure" #include "confdefs.h" #include 
@@ -14483,16 +14494,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14486: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14497: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14489: \$? = $ac_status" >&5 + echo "$as_me:14500: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14492: \"$ac_try\"") >&5 + { (eval echo "$as_me:14503: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14495: \$? = $ac_status" >&5 + echo "$as_me:14506: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_have_getopt_optreset="yes" else @@ -14504,7 +14515,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:14507: result: $ac_cv_have_getopt_optreset" >&5 +echo "$as_me:14518: result: $ac_cv_have_getopt_optreset" >&5 echo "${ECHO_T}$ac_cv_have_getopt_optreset" >&6 if test "x$ac_cv_have_getopt_optreset" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14513,14 +14524,14 @@ fi -echo "$as_me:14516: checking if libc defines sys_errlist" >&5 +echo "$as_me:14527: checking if libc defines sys_errlist" >&5 echo $ECHO_N "checking if libc defines sys_errlist... $ECHO_C" >&6 if test "${ac_cv_libc_defines_sys_errlist+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14523 "configure" +#line 14534 "configure" #include "confdefs.h" int 
@@ -14532,16 +14543,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14535: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14546: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14538: \$? = $ac_status" >&5 + echo "$as_me:14549: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14541: \"$ac_try\"") >&5 + { (eval echo "$as_me:14552: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14544: \$? = $ac_status" >&5 + echo "$as_me:14555: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_libc_defines_sys_errlist="yes" else @@ -14553,7 +14564,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:14556: result: $ac_cv_libc_defines_sys_errlist" >&5 +echo "$as_me:14567: result: $ac_cv_libc_defines_sys_errlist" >&5 echo "${ECHO_T}$ac_cv_libc_defines_sys_errlist" >&6 if test "x$ac_cv_libc_defines_sys_errlist" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14562,14 +14573,14 @@ fi -echo "$as_me:14565: checking if libc defines sys_nerr" >&5 +echo "$as_me:14576: checking if libc defines sys_nerr" >&5 echo $ECHO_N "checking if libc defines sys_nerr... $ECHO_C" >&6 if test "${ac_cv_libc_defines_sys_nerr+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14572 "configure" +#line 14583 "configure" #include "confdefs.h" int 
@@ -14581,16 +14592,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14584: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14595: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14587: \$? = $ac_status" >&5 + echo "$as_me:14598: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14590: \"$ac_try\"") >&5 + { (eval echo "$as_me:14601: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14593: \$? = $ac_status" >&5 + echo "$as_me:14604: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_libc_defines_sys_nerr="yes" else @@ -14602,7 +14613,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:14605: result: $ac_cv_libc_defines_sys_nerr" >&5 +echo "$as_me:14616: result: $ac_cv_libc_defines_sys_nerr" >&5 echo "${ECHO_T}$ac_cv_libc_defines_sys_nerr" >&6 if test "x$ac_cv_libc_defines_sys_nerr" = "xyes" ; then cat >>confdefs.h <<\EOF @@ -14633,23 +14644,23 @@ for ac_header in sectok.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:14636: checking for $ac_header" >&5 +echo "$as_me:14647: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 14642 "configure" +#line 14653 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:14646: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:14657: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:14652: \$? = $ac_status" >&5 + echo "$as_me:14663: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag 
@@ -14668,7 +14679,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:14671: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:14682: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 + { { echo "$as_me:14693: error: Can't find sectok.h" >&5 echo "$as_me: error: Can't find sectok.h" >&2;} { (exit 1); exit 1; }; } fi -echo "$as_me:14687: checking for sectok_open in -lsectok" >&5 +echo "$as_me:14698: checking for sectok_open in -lsectok" >&5 echo $ECHO_N "checking for sectok_open in -lsectok... $ECHO_C" >&6 if test "${ac_cv_lib_sectok_sectok_open+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -14692,7 +14703,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lsectok $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 14695 "configure" +#line 14706 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -14711,16 +14722,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14714: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14725: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14717: \$? = $ac_status" >&5 + echo "$as_me:14728: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14720: \"$ac_try\"") >&5 + { (eval echo "$as_me:14731: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14723: \$? = $ac_status" >&5 + echo "$as_me:14734: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_sectok_sectok_open=yes else 
@@ -14731,7 +14742,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:14734: result: $ac_cv_lib_sectok_sectok_open" >&5 +echo "$as_me:14745: result: $ac_cv_lib_sectok_sectok_open" >&5 echo "${ECHO_T}$ac_cv_lib_sectok_sectok_open" >&6 if test $ac_cv_lib_sectok_sectok_open = yes; then cat >>confdefs.h <&5 + { { echo "$as_me:14757: error: Can't find libsectok" >&5 echo "$as_me: error: Can't find libsectok" >&2;} { (exit 1); exit 1; }; } fi @@ -14773,7 +14784,7 @@ OPENSC_CONFIG=$opensc_config_prefix/bin/opensc-config # Extract the first word of "opensc-config", so it can be a program name with args. set dummy opensc-config; ac_word=$2 -echo "$as_me:14776: checking for $ac_word" >&5 +echo "$as_me:14787: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_OPENSC_CONFIG+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -14790,7 +14801,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_OPENSC_CONFIG="$ac_dir/$ac_word" - echo "$as_me:14793: found $ac_dir/$ac_word" >&5 + echo "$as_me:14804: found $ac_dir/$ac_word" >&5 break fi done @@ -14802,10 +14813,10 @@ OPENSC_CONFIG=$ac_cv_path_OPENSC_CONFIG if test -n "$OPENSC_CONFIG"; then - echo "$as_me:14805: result: $OPENSC_CONFIG" >&5 + echo "$as_me:14816: result: $OPENSC_CONFIG" >&5 echo "${ECHO_T}$OPENSC_CONFIG" >&6 else - echo "$as_me:14808: result: no" >&5 + echo "$as_me:14819: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -14827,7 +14838,7 @@ fi # Check libraries needed by DNS fingerprint support -echo "$as_me:14830: checking for library containing getrrsetbyname" >&5 +echo "$as_me:14841: checking for library containing getrrsetbyname" >&5 echo $ECHO_N "checking for library containing getrrsetbyname... $ECHO_C" >&6 if test "${ac_cv_search_getrrsetbyname+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 
@@ -14835,7 +14846,7 @@ ac_func_search_save_LIBS=$LIBS ac_cv_search_getrrsetbyname=no cat >conftest.$ac_ext <<_ACEOF -#line 14838 "configure" +#line 14849 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -14854,16 +14865,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14857: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14868: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14860: \$? = $ac_status" >&5 + echo "$as_me:14871: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14863: \"$ac_try\"") >&5 + { (eval echo "$as_me:14874: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14866: \$? = $ac_status" >&5 + echo "$as_me:14877: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_getrrsetbyname="none required" else @@ -14875,7 +14886,7 @@ for ac_lib in resolv; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 14878 "configure" +#line 14889 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -14894,16 +14905,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14897: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14908: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14900: \$? = $ac_status" >&5 + echo "$as_me:14911: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14903: \"$ac_try\"") >&5 + { (eval echo "$as_me:14914: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14906: \$? = $ac_status" >&5 + echo "$as_me:14917: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_getrrsetbyname="-l$ac_lib" break 
@@ -14916,7 +14927,7 @@ fi LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:14919: result: $ac_cv_search_getrrsetbyname" >&5 +echo "$as_me:14930: result: $ac_cv_search_getrrsetbyname" >&5 echo "${ECHO_T}$ac_cv_search_getrrsetbyname" >&6 if test "$ac_cv_search_getrrsetbyname" != no; then test "$ac_cv_search_getrrsetbyname" = "none required" || LIBS="$ac_cv_search_getrrsetbyname $LIBS" @@ -14927,7 +14938,7 @@ else # Needed by our getrrsetbyname() - echo "$as_me:14930: checking for library containing res_query" >&5 + echo "$as_me:14941: checking for library containing res_query" >&5 echo $ECHO_N "checking for library containing res_query... $ECHO_C" >&6 if test "${ac_cv_search_res_query+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -14935,7 +14946,7 @@ ac_func_search_save_LIBS=$LIBS ac_cv_search_res_query=no cat >conftest.$ac_ext <<_ACEOF -#line 14938 "configure" +#line 14949 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -14954,16 +14965,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14957: \"$ac_link\"") >&5 +if { (eval echo "$as_me:14968: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:14960: \$? = $ac_status" >&5 + echo "$as_me:14971: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:14963: \"$ac_try\"") >&5 + { (eval echo "$as_me:14974: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:14966: \$? = $ac_status" >&5 + echo "$as_me:14977: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_res_query="none required" else @@ -14975,7 +14986,7 @@ for ac_lib in resolv; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 14978 "configure" +#line 14989 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -14994,16 +15005,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:14997: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15008: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15000: \$? = $ac_status" >&5 + echo "$as_me:15011: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15003: \"$ac_try\"") >&5 + { (eval echo "$as_me:15014: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15006: \$? = $ac_status" >&5 + echo "$as_me:15017: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_res_query="-l$ac_lib" break @@ -15016,14 +15027,14 @@ fi LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:15019: result: $ac_cv_search_res_query" >&5 +echo "$as_me:15030: result: $ac_cv_search_res_query" >&5 echo "${ECHO_T}$ac_cv_search_res_query" >&6 if test "$ac_cv_search_res_query" != no; then test "$ac_cv_search_res_query" = "none required" || LIBS="$ac_cv_search_res_query $LIBS" fi - echo "$as_me:15026: checking for library containing dn_expand" >&5 + echo "$as_me:15037: checking for library containing dn_expand" >&5 echo $ECHO_N "checking for library containing dn_expand... $ECHO_C" >&6 if test "${ac_cv_search_dn_expand+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -15031,7 +15042,7 @@ ac_func_search_save_LIBS=$LIBS ac_cv_search_dn_expand=no cat >conftest.$ac_ext <<_ACEOF -#line 15034 "configure" +#line 15045 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -15050,16 +15061,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15053: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15064: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15056: \$? = $ac_status" >&5 + echo "$as_me:15067: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15059: \"$ac_try\"") >&5 + { (eval echo "$as_me:15070: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15062: \$? = $ac_status" >&5 + echo "$as_me:15073: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_dn_expand="none required" else @@ -15071,7 +15082,7 @@ for ac_lib in resolv; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 15074 "configure" +#line 15085 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -15090,16 +15101,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15093: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15104: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15096: \$? = $ac_status" >&5 + echo "$as_me:15107: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15099: \"$ac_try\"") >&5 + { (eval echo "$as_me:15110: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15102: \$? = $ac_status" >&5 + echo "$as_me:15113: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_dn_expand="-l$ac_lib" break @@ -15112,7 +15123,7 @@ fi LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:15115: result: $ac_cv_search_dn_expand" >&5 +echo "$as_me:15126: result: $ac_cv_search_dn_expand" >&5 echo "${ECHO_T}$ac_cv_search_dn_expand" >&6 if test "$ac_cv_search_dn_expand" != no; then test "$ac_cv_search_dn_expand" = "none required" || LIBS="$ac_cv_search_dn_expand $LIBS" 
@@ -15122,13 +15133,13 @@ for ac_func in _getshort _getlong do as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` -echo "$as_me:15125: checking for $ac_func" >&5 +echo "$as_me:15136: checking for $ac_func" >&5 echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 if eval "test \"\${$as_ac_var+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 15131 "configure" +#line 15142 "configure" #include "confdefs.h" /* System header to define __stub macros and hopefully few prototypes, which can conflict with char $ac_func (); below. */ @@ -15159,16 +15170,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15162: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15173: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15165: \$? = $ac_status" >&5 + echo "$as_me:15176: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15168: \"$ac_try\"") >&5 + { (eval echo "$as_me:15179: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15171: \$? = $ac_status" >&5 + echo "$as_me:15182: \$? = $ac_status" >&5 (exit $ac_status); }; }; then eval "$as_ac_var=yes" else @@ -15178,7 +15189,7 @@ fi rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext fi -echo "$as_me:15181: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "$as_me:15192: result: `eval echo '${'$as_ac_var'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 if test `eval echo '${'$as_ac_var'}'` = yes; then cat >>confdefs.h <&5 + echo "$as_me:15202: checking for HEADER.ad" >&5 echo $ECHO_N "checking for HEADER.ad... $ECHO_C" >&6 if test "${ac_cv_member_HEADER_ad+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 15197 "configure" +#line 15208 "configure" #include "confdefs.h" #include 
@@ -15209,16 +15220,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:15212: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:15223: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:15215: \$? = $ac_status" >&5 + echo "$as_me:15226: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:15218: \"$ac_try\"") >&5 + { (eval echo "$as_me:15229: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15221: \$? = $ac_status" >&5 + echo "$as_me:15232: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_member_HEADER_ad=yes else @@ -15228,7 +15239,7 @@ fi rm -f conftest.$ac_objext conftest.$ac_ext fi -echo "$as_me:15231: result: $ac_cv_member_HEADER_ad" >&5 +echo "$as_me:15242: result: $ac_cv_member_HEADER_ad" >&5 echo "${ECHO_T}$ac_cv_member_HEADER_ad" >&6 if test $ac_cv_member_HEADER_ad = yes; then cat >>confdefs.h <<\EOF @@ -15258,17 +15269,17 @@ KRB5_MSG="yes" - echo "$as_me:15261: checking for krb5-config" >&5 + echo "$as_me:15272: checking for krb5-config" >&5 echo $ECHO_N "checking for krb5-config... $ECHO_C" >&6 if test -x $KRB5ROOT/bin/krb5-config ; then KRB5CONF=$KRB5ROOT/bin/krb5-config - echo "$as_me:15265: result: $KRB5CONF" >&5 + echo "$as_me:15276: result: $KRB5CONF" >&5 echo "${ECHO_T}$KRB5CONF" >&6 - echo "$as_me:15268: checking for gssapi support" >&5 + echo "$as_me:15279: checking for gssapi support" >&5 echo $ECHO_N "checking for gssapi support... $ECHO_C" >&6 if $KRB5CONF | grep gssapi >/dev/null ; then - echo "$as_me:15271: result: yes" >&5 + echo "$as_me:15282: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define GSSAPI 1 
@@ -15276,17 +15287,17 @@ k5confopts=gssapi else - echo "$as_me:15279: result: no" >&5 + echo "$as_me:15290: result: no" >&5 echo "${ECHO_T}no" >&6 k5confopts="" fi K5CFLAGS="`$KRB5CONF --cflags $k5confopts`" K5LIBS="`$KRB5CONF --libs $k5confopts`" CPPFLAGS="$CPPFLAGS $K5CFLAGS" - echo "$as_me:15286: checking whether we are using Heimdal" >&5 + echo "$as_me:15297: checking whether we are using Heimdal" >&5 echo $ECHO_N "checking whether we are using Heimdal... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 15289 "configure" +#line 15300 "configure" #include "confdefs.h" #include int @@ -15298,18 +15309,18 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:15301: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:15312: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:15304: \$? = $ac_status" >&5 + echo "$as_me:15315: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:15307: \"$ac_try\"") >&5 + { (eval echo "$as_me:15318: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15310: \$? = $ac_status" >&5 + echo "$as_me:15321: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:15312: result: yes" >&5 + echo "$as_me:15323: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define HEIMDAL 1 
@@ -15318,20 +15329,20 @@ else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 -echo "$as_me:15321: result: no" >&5 +echo "$as_me:15332: result: no" >&5 echo "${ECHO_T}no" >&6 fi rm -f conftest.$ac_objext conftest.$ac_ext else - echo "$as_me:15327: result: no" >&5 + echo "$as_me:15338: result: no" >&5 echo "${ECHO_T}no" >&6 CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include" LDFLAGS="$LDFLAGS -L${KRB5ROOT}/lib" - echo "$as_me:15331: checking whether we are using Heimdal" >&5 + echo "$as_me:15342: checking whether we are using Heimdal" >&5 echo $ECHO_N "checking whether we are using Heimdal... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 15334 "configure" +#line 15345 "configure" #include "confdefs.h" #include int @@ -15343,18 +15354,18 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:15346: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:15357: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:15349: \$? = $ac_status" >&5 + echo "$as_me:15360: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:15352: \"$ac_try\"") >&5 + { (eval echo "$as_me:15363: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15355: \$? = $ac_status" >&5 + echo "$as_me:15366: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:15357: result: yes" >&5 + echo "$as_me:15368: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define HEIMDAL 1 
@@ -15365,13 +15376,13 @@ else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:15368: result: no" >&5 + echo "$as_me:15379: result: no" >&5 echo "${ECHO_T}no" >&6 K5LIBS="-lkrb5 -lk5crypto -lcom_err" fi rm -f conftest.$ac_objext conftest.$ac_ext - echo "$as_me:15374: checking for library containing dn_expand" >&5 + echo "$as_me:15385: checking for library containing dn_expand" >&5 echo $ECHO_N "checking for library containing dn_expand... $ECHO_C" >&6 if test "${ac_cv_search_dn_expand+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -15379,7 +15390,7 @@ ac_func_search_save_LIBS=$LIBS ac_cv_search_dn_expand=no cat >conftest.$ac_ext <<_ACEOF -#line 15382 "configure" +#line 15393 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -15398,16 +15409,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15401: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15412: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15404: \$? = $ac_status" >&5 + echo "$as_me:15415: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15407: \"$ac_try\"") >&5 + { (eval echo "$as_me:15418: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15410: \$? = $ac_status" >&5 + echo "$as_me:15421: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_dn_expand="none required" else @@ -15419,7 +15430,7 @@ for ac_lib in resolv; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 15422 "configure" +#line 15433 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -15438,16 +15449,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15441: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15452: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15444: \$? = $ac_status" >&5 + echo "$as_me:15455: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15447: \"$ac_try\"") >&5 + { (eval echo "$as_me:15458: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15450: \$? = $ac_status" >&5 + echo "$as_me:15461: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_dn_expand="-l$ac_lib" break @@ -15460,14 +15471,14 @@ fi LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:15463: result: $ac_cv_search_dn_expand" >&5 +echo "$as_me:15474: result: $ac_cv_search_dn_expand" >&5 echo "${ECHO_T}$ac_cv_search_dn_expand" >&6 if test "$ac_cv_search_dn_expand" != no; then test "$ac_cv_search_dn_expand" = "none required" || LIBS="$ac_cv_search_dn_expand $LIBS" fi - echo "$as_me:15470: checking for gss_init_sec_context in -lgssapi" >&5 + echo "$as_me:15481: checking for gss_init_sec_context in -lgssapi" >&5 echo $ECHO_N "checking for gss_init_sec_context in -lgssapi... $ECHO_C" >&6 if test "${ac_cv_lib_gssapi_gss_init_sec_context+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -15475,7 +15486,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lgssapi $K5LIBS $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 15478 "configure" +#line 15489 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -15494,16 +15505,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15497: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15508: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15500: \$? = $ac_status" >&5 + echo "$as_me:15511: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15503: \"$ac_try\"") >&5 + { (eval echo "$as_me:15514: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15506: \$? = $ac_status" >&5 + echo "$as_me:15517: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_gssapi_gss_init_sec_context=yes else @@ -15514,7 +15525,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:15517: result: $ac_cv_lib_gssapi_gss_init_sec_context" >&5 +echo "$as_me:15528: result: $ac_cv_lib_gssapi_gss_init_sec_context" >&5 echo "${ECHO_T}$ac_cv_lib_gssapi_gss_init_sec_context" >&6 if test $ac_cv_lib_gssapi_gss_init_sec_context = yes; then cat >>confdefs.h <<\EOF @@ -15523,7 +15534,7 @@ K5LIBS="-lgssapi $K5LIBS" else - echo "$as_me:15526: checking for gss_init_sec_context in -lgssapi_krb5" >&5 + echo "$as_me:15537: checking for gss_init_sec_context in -lgssapi_krb5" >&5 echo $ECHO_N "checking for gss_init_sec_context in -lgssapi_krb5... $ECHO_C" >&6 if test "${ac_cv_lib_gssapi_krb5_gss_init_sec_context+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -15531,7 +15542,7 @@ ac_check_lib_save_LIBS=$LIBS LIBS="-lgssapi_krb5 $K5LIBS $LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 15534 "configure" +#line 15545 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -15550,16 +15561,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15553: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15564: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15556: \$? = $ac_status" >&5 + echo "$as_me:15567: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15559: \"$ac_try\"") >&5 + { (eval echo "$as_me:15570: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15562: \$? = $ac_status" >&5 + echo "$as_me:15573: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_lib_gssapi_krb5_gss_init_sec_context=yes else @@ -15570,7 +15581,7 @@ rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext LIBS=$ac_check_lib_save_LIBS fi -echo "$as_me:15573: result: $ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&5 +echo "$as_me:15584: result: $ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&5 echo "${ECHO_T}$ac_cv_lib_gssapi_krb5_gss_init_sec_context" >&6 if test $ac_cv_lib_gssapi_krb5_gss_init_sec_context = yes; then cat >>confdefs.h <<\EOF 
@@ -15579,29 +15590,29 @@ K5LIBS="-lgssapi_krb5 $K5LIBS" else - { echo "$as_me:15582: WARNING: Cannot find any suitable gss-api library - build may fail" >&5 + { echo "$as_me:15593: WARNING: Cannot find any suitable gss-api library - build may fail" >&5 echo "$as_me: WARNING: Cannot find any suitable gss-api library - build may fail" >&2;} fi fi - echo "$as_me:15588: checking for gssapi.h" >&5 + echo "$as_me:15599: checking for gssapi.h" >&5 echo $ECHO_N "checking for gssapi.h... $ECHO_C" >&6 if test "${ac_cv_header_gssapi_h+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 15594 "configure" +#line 15605 "configure" #include "confdefs.h" #include _ACEOF -if { (eval echo "$as_me:15598: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:15609: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:15604: \$? = $ac_status" >&5 + echo "$as_me:15615: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -15620,7 +15631,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:15623: result: $ac_cv_header_gssapi_h" >&5 +echo "$as_me:15634: result: $ac_cv_header_gssapi_h" >&5 echo "${ECHO_T}$ac_cv_header_gssapi_h" >&6 if test $ac_cv_header_gssapi_h = yes; then : 
@@ -15631,23 +15642,23 @@ for ac_header in gssapi.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:15634: checking for $ac_header" >&5 +echo "$as_me:15645: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 15640 "configure" +#line 15651 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:15644: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:15655: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:15650: \$? = $ac_status" >&5 + echo "$as_me:15661: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -15666,7 +15677,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:15669: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:15680: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 + { echo "$as_me:15688: WARNING: Cannot find any suitable gss-api header - build may fail" >&5 echo "$as_me: WARNING: Cannot find any suitable gss-api header - build may fail" >&2;} fi 
@@ -15684,23 +15695,23 @@ oldCPP="$CPPFLAGS" CPPFLAGS="$CPPFLAGS -I${KRB5ROOT}/include/gssapi" - echo "$as_me:15687: checking for gssapi_krb5.h" >&5 + echo "$as_me:15698: checking for gssapi_krb5.h" >&5 echo $ECHO_N "checking for gssapi_krb5.h... $ECHO_C" >&6 if test "${ac_cv_header_gssapi_krb5_h+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 15693 "configure" +#line 15704 "configure" #include "confdefs.h" #include _ACEOF -if { (eval echo "$as_me:15697: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:15708: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:15703: \$? = $ac_status" >&5 + echo "$as_me:15714: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -15719,7 +15730,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:15722: result: $ac_cv_header_gssapi_krb5_h" >&5 +echo "$as_me:15733: result: $ac_cv_header_gssapi_krb5_h" >&5 echo "${ECHO_T}$ac_cv_header_gssapi_krb5_h" >&6 if test $ac_cv_header_gssapi_krb5_h = yes; then : 
@@ -15739,23 +15750,23 @@ for ac_header in gssapi.h gssapi/gssapi.h do as_ac_Header=`echo "ac_cv_header_$ac_header" | $as_tr_sh` -echo "$as_me:15742: checking for $ac_header" >&5 +echo "$as_me:15753: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 15748 "configure" +#line 15759 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:15752: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:15763: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:15758: \$? = $ac_status" >&5 + echo "$as_me:15769: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag 
@@ -15774,7 +15785,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:15777: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:15788: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:15801: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 15796 "configure" +#line 15807 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:15800: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:15811: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:15806: \$? = $ac_status" >&5 + echo "$as_me:15817: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag 
@@ -15822,7 +15833,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:15825: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:15836: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 +echo "$as_me:15849: checking for $ac_header" >&5 echo $ECHO_N "checking for $ac_header... $ECHO_C" >&6 if eval "test \"\${$as_ac_Header+set}\" = set"; then echo $ECHO_N "(cached) $ECHO_C" >&6 else cat >conftest.$ac_ext <<_ACEOF -#line 15844 "configure" +#line 15855 "configure" #include "confdefs.h" #include <$ac_header> _ACEOF -if { (eval echo "$as_me:15848: \"$ac_cpp conftest.$ac_ext\"") >&5 +if { (eval echo "$as_me:15859: \"$ac_cpp conftest.$ac_ext\"") >&5 (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 ac_status=$? egrep -v '^ *\+' conftest.er1 >conftest.err rm -f conftest.er1 cat conftest.err >&5 - echo "$as_me:15854: \$? = $ac_status" >&5 + echo "$as_me:15865: \$? = $ac_status" >&5 (exit $ac_status); } >/dev/null; then if test -s conftest.err; then ac_cpp_err=$ac_c_preproc_warn_flag @@ -15870,7 +15881,7 @@ fi rm -f conftest.err conftest.$ac_ext fi -echo "$as_me:15873: result: `eval echo '${'$as_ac_Header'}'`" >&5 +echo "$as_me:15884: result: `eval echo '${'$as_ac_Header'}'`" >&5 echo "${ECHO_T}`eval echo '${'$as_ac_Header'}'`" >&6 if test `eval echo '${'$as_ac_Header'}'` = yes; then cat >>confdefs.h <&5 + echo "$as_me:15895: checking for library containing k_hasafs" >&5 echo $ECHO_N "checking for library containing k_hasafs... $ECHO_C" >&6 if test "${ac_cv_search_k_hasafs+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -15889,7 +15900,7 @@ ac_func_search_save_LIBS=$LIBS ac_cv_search_k_hasafs=no cat >conftest.$ac_ext <<_ACEOF -#line 15892 "configure" +#line 15903 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ 
@@ -15908,16 +15919,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15911: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15922: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15914: \$? = $ac_status" >&5 + echo "$as_me:15925: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15917: \"$ac_try\"") >&5 + { (eval echo "$as_me:15928: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15920: \$? = $ac_status" >&5 + echo "$as_me:15931: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_k_hasafs="none required" else @@ -15929,7 +15940,7 @@ for ac_lib in kafs; do LIBS="-l$ac_lib $ac_func_search_save_LIBS" cat >conftest.$ac_ext <<_ACEOF -#line 15932 "configure" +#line 15943 "configure" #include "confdefs.h" /* Override any gcc2 internal prototype to avoid an error. */ @@ -15948,16 +15959,16 @@ } _ACEOF rm -f conftest.$ac_objext conftest$ac_exeext -if { (eval echo "$as_me:15951: \"$ac_link\"") >&5 +if { (eval echo "$as_me:15962: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:15954: \$? = $ac_status" >&5 + echo "$as_me:15965: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest$ac_exeext' - { (eval echo "$as_me:15957: \"$ac_try\"") >&5 + { (eval echo "$as_me:15968: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:15960: \$? = $ac_status" >&5 + echo "$as_me:15971: \$? = $ac_status" >&5 (exit $ac_status); }; }; then ac_cv_search_k_hasafs="-l$ac_lib" break @@ -15970,7 +15981,7 @@ fi LIBS=$ac_func_search_save_LIBS fi -echo "$as_me:15973: result: $ac_cv_search_k_hasafs" >&5 +echo "$as_me:15984: result: $ac_cv_search_k_hasafs" >&5 echo "${ECHO_T}$ac_cv_search_k_hasafs" >&6 if test "$ac_cv_search_k_hasafs" != no; then test "$ac_cv_search_k_hasafs" = "none required" || LIBS="$ac_cv_search_k_hasafs $LIBS" 
@@ -16013,7 +16024,7 @@ TestPath="${TestPath}${PATH_SEPARATOR}/usr/openwin/bin" # Extract the first word of "xauth", so it can be a program name with args. set dummy xauth; ac_word=$2 -echo "$as_me:16016: checking for $ac_word" >&5 +echo "$as_me:16027: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_xauth_path+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -16030,7 +16041,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_xauth_path="$ac_dir/$ac_word" - echo "$as_me:16033: found $ac_dir/$ac_word" >&5 + echo "$as_me:16044: found $ac_dir/$ac_word" >&5 break fi done @@ -16041,10 +16052,10 @@ xauth_path=$ac_cv_path_xauth_path if test -n "$xauth_path"; then - echo "$as_me:16044: result: $xauth_path" >&5 + echo "$as_me:16055: result: $xauth_path" >&5 echo "${ECHO_T}$xauth_path" >&6 else - echo "$as_me:16047: result: no" >&5 + echo "$as_me:16058: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -16088,13 +16099,13 @@ if test -z "$no_dev_ptmx" ; then if test "x$disable_ptmx_check" != "xyes" ; then - echo "$as_me:16091: checking for \"/dev/ptmx\"" >&5 + echo "$as_me:16102: checking for \"/dev/ptmx\"" >&5 echo $ECHO_N "checking for \"/dev/ptmx\"... $ECHO_C" >&6 if test "${ac_cv_file___dev_ptmx_+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else test "$cross_compiling" = yes && - { { echo "$as_me:16097: error: cannot check for file existence when cross compiling" >&5 + { { echo "$as_me:16108: error: cannot check for file existence when cross compiling" >&5 echo "$as_me: error: cannot check for file existence when cross compiling" >&2;} { (exit 1); exit 1; }; } if test -r ""/dev/ptmx""; then @@ -16103,7 +16114,7 @@ ac_cv_file___dev_ptmx_=no fi fi -echo "$as_me:16106: result: $ac_cv_file___dev_ptmx_" >&5 +echo "$as_me:16117: result: $ac_cv_file___dev_ptmx_" >&5 echo "${ECHO_T}$ac_cv_file___dev_ptmx_" >&6 if test $ac_cv_file___dev_ptmx_ = yes; then 
@@ -16117,13 +16128,13 @@ fi fi -echo "$as_me:16120: checking for \"/dev/ptc\"" >&5 +echo "$as_me:16131: checking for \"/dev/ptc\"" >&5 echo $ECHO_N "checking for \"/dev/ptc\"... $ECHO_C" >&6 if test "${ac_cv_file___dev_ptc_+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else test "$cross_compiling" = yes && - { { echo "$as_me:16126: error: cannot check for file existence when cross compiling" >&5 + { { echo "$as_me:16137: error: cannot check for file existence when cross compiling" >&5 echo "$as_me: error: cannot check for file existence when cross compiling" >&2;} { (exit 1); exit 1; }; } if test -r ""/dev/ptc""; then @@ -16132,7 +16143,7 @@ ac_cv_file___dev_ptc_=no fi fi -echo "$as_me:16135: result: $ac_cv_file___dev_ptc_" >&5 +echo "$as_me:16146: result: $ac_cv_file___dev_ptc_" >&5 echo "${ECHO_T}$ac_cv_file___dev_ptc_" >&6 if test $ac_cv_file___dev_ptc_ = yes; then @@ -16155,7 +16166,7 @@ MANTYPE=$withval ;; *) - { { echo "$as_me:16158: error: invalid man type: $withval" >&5 + { { echo "$as_me:16169: error: invalid man type: $withval" >&5 echo "$as_me: error: invalid man type: $withval" >&2;} { (exit 1); exit 1; }; } ;; @@ -16168,7 +16179,7 @@ do # Extract the first word of "$ac_prog", so it can be a program name with args. set dummy $ac_prog; ac_word=$2 -echo "$as_me:16171: checking for $ac_word" >&5 +echo "$as_me:16182: checking for $ac_word" >&5 echo $ECHO_N "checking for $ac_word... $ECHO_C" >&6 if test "${ac_cv_path_NROFF+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 @@ -16185,7 +16196,7 @@ test -z "$ac_dir" && ac_dir=. if $as_executable_p "$ac_dir/$ac_word"; then ac_cv_path_NROFF="$ac_dir/$ac_word" - echo "$as_me:16188: found $ac_dir/$ac_word" >&5 + echo "$as_me:16199: found $ac_dir/$ac_word" >&5 break fi done 
@@ -16196,10 +16207,10 @@ NROFF=$ac_cv_path_NROFF if test -n "$NROFF"; then - echo "$as_me:16199: result: $NROFF" >&5 + echo "$as_me:16210: result: $NROFF" >&5 echo "${ECHO_T}$NROFF" >&6 else - echo "$as_me:16202: result: no" >&5 + echo "$as_me:16213: result: no" >&5 echo "${ECHO_T}no" >&6 fi @@ -16256,10 +16267,10 @@ fi; if test -z "$disable_shadow" ; then - echo "$as_me:16259: checking if the systems has expire shadow information" >&5 + echo "$as_me:16270: checking if the systems has expire shadow information" >&5 echo $ECHO_N "checking if the systems has expire shadow information... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 16262 "configure" +#line 16273 "configure" #include "confdefs.h" #include @@ -16275,16 +16286,16 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:16278: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:16289: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:16281: \$? = $ac_status" >&5 + echo "$as_me:16292: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:16284: \"$ac_try\"") >&5 + { (eval echo "$as_me:16295: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:16287: \$? = $ac_status" >&5 + echo "$as_me:16298: \$? = $ac_status" >&5 (exit $ac_status); }; }; then sp_expire_available=yes else @@ -16295,14 +16306,14 @@ rm -f conftest.$ac_objext conftest.$ac_ext if test "x$sp_expire_available" = "xyes" ; then - echo "$as_me:16298: result: yes" >&5 + echo "$as_me:16309: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define HAS_SHADOW_EXPIRE 1 EOF else - echo "$as_me:16305: result: no" >&5 + echo "$as_me:16316: result: no" >&5 echo "${ECHO_T}no" >&6 fi fi 
@@ -16339,13 +16350,13 @@ else -echo "$as_me:16342: checking for \"/etc/default/login\"" >&5 +echo "$as_me:16353: checking for \"/etc/default/login\"" >&5 echo $ECHO_N "checking for \"/etc/default/login\"... $ECHO_C" >&6 if test "${ac_cv_file___etc_default_login_+set}" = set; then echo $ECHO_N "(cached) $ECHO_C" >&6 else test "$cross_compiling" = yes && - { { echo "$as_me:16348: error: cannot check for file existence when cross compiling" >&5 + { { echo "$as_me:16359: error: cannot check for file existence when cross compiling" >&5 echo "$as_me: error: cannot check for file existence when cross compiling" >&2;} { (exit 1); exit 1; }; } if test -r ""/etc/default/login""; then @@ -16354,7 +16365,7 @@ ac_cv_file___etc_default_login_=no fi fi -echo "$as_me:16357: result: $ac_cv_file___etc_default_login_" >&5 +echo "$as_me:16368: result: $ac_cv_file___etc_default_login_" >&5 echo "${ECHO_T}$ac_cv_file___etc_default_login_" >&6 if test $ac_cv_file___etc_default_login_ = yes; then external_path_file=/etc/default/login @@ -16382,7 +16393,7 @@ withval="$with_default_path" if test "x$external_path_file" = "x/etc/login.conf" ; then - { echo "$as_me:16385: WARNING: + { echo "$as_me:16396: WARNING: --with-default-path=PATH has no effect on this system. Edit /etc/login.conf instead." >&5 echo "$as_me: WARNING: @@ -16390,7 +16401,7 @@ Edit /etc/login.conf instead." >&2;} elif test "x$withval" != "xno" ; then if test ! -z "$external_path_file" ; then - { echo "$as_me:16393: WARNING: + { echo "$as_me:16404: WARNING: --with-default-path=PATH will only be used if PATH is not defined in $external_path_file ." >&5 echo "$as_me: WARNING: 
@@ -16403,11 +16414,11 @@ else if test "x$external_path_file" = "x/etc/login.conf" ; then - { echo "$as_me:16406: WARNING: Make sure the path to scp is in /etc/login.conf" >&5 + { echo "$as_me:16417: WARNING: Make sure the path to scp is in /etc/login.conf" >&5 echo "$as_me: WARNING: Make sure the path to scp is in /etc/login.conf" >&2;} else if test ! -z "$external_path_file" ; then - { echo "$as_me:16410: WARNING: + { echo "$as_me:16421: WARNING: If PATH is defined in $external_path_file, ensure the path to scp is included, otherwise scp will not work." >&5 echo "$as_me: WARNING: @@ -16419,7 +16430,7 @@ else cat >conftest.$ac_ext <<_ACEOF -#line 16422 "configure" +#line 16433 "configure" #include "confdefs.h" /* find out what STDPATH is */ @@ -16456,15 +16467,15 @@ _ACEOF rm -f conftest$ac_exeext -if { (eval echo "$as_me:16459: \"$ac_link\"") >&5 +if { (eval echo "$as_me:16470: \"$ac_link\"") >&5 (eval $ac_link) 2>&5 ac_status=$? - echo "$as_me:16462: \$? = $ac_status" >&5 + echo "$as_me:16473: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='./conftest$ac_exeext' - { (eval echo "$as_me:16464: \"$ac_try\"") >&5 + { (eval echo "$as_me:16475: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:16467: \$? = $ac_status" >&5 + echo "$as_me:16478: \$? = $ac_status" >&5 (exit $ac_status); }; }; then user_path=`cat conftest.stdpath` else @@ -16488,7 +16499,7 @@ echo $user_path | grep "^$t_bindir" > /dev/null 2>&1 if test $? -ne 0 ; then user_path=$user_path:$t_bindir - echo "$as_me:16491: result: Adding $t_bindir to USER_PATH so scp will work" >&5 + echo "$as_me:16502: result: Adding $t_bindir to USER_PATH so scp will work" >&5 echo "${ECHO_T}Adding $t_bindir to USER_PATH so scp will work" >&6 fi fi 
@@ -16518,7 +16529,7 @@ fi; -echo "$as_me:16521: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 +echo "$as_me:16532: checking if we need to convert IPv4 in IPv6-mapped addresses" >&5 echo $ECHO_N "checking if we need to convert IPv4 in IPv6-mapped addresses... $ECHO_C" >&6 IPV4_IN6_HACK_MSG="no" @@ -16527,7 +16538,7 @@ withval="$with_4in6" if test "x$withval" != "xno" ; then - echo "$as_me:16530: result: yes" >&5 + echo "$as_me:16541: result: yes" >&5 echo "${ECHO_T}yes" >&6 cat >>confdefs.h <<\EOF #define IPV4_IN_IPV6 1 @@ -16535,14 +16546,14 @@ IPV4_IN6_HACK_MSG="yes" else - echo "$as_me:16538: result: no" >&5 + echo "$as_me:16549: result: no" >&5 echo "${ECHO_T}no" >&6 fi else if test "x$inet6_default_4in6" = "xyes"; then - echo "$as_me:16545: result: yes (default)" >&5 + echo "$as_me:16556: result: yes (default)" >&5 echo "${ECHO_T}yes (default)" >&6 cat >>confdefs.h <<\EOF #define IPV4_IN_IPV6 1 @@ -16550,7 +16561,7 @@ IPV4_IN6_HACK_MSG="yes" else - echo "$as_me:16553: result: no (default)" >&5 + echo "$as_me:16564: result: no (default)" >&5 echo "${ECHO_T}no (default)" >&6 fi 
@@ -16573,6 +16584,263 @@ fi; +# Where to place ssh CA root +sshcadir='${sysconfdir}/ca' +sshcadir=`eval echo ${sshcadir}` +sshcadir=`eval echo ${sshcadir}` +case $sshcadir in + NONE/*) sshcadir=`echo $sshcadir | sed "s~NONE~$ac_default_prefix~"` ;; +esac + +# Check whether --with-sshca-dir or --without-sshca-dir was given. +if test "${with_sshca_dir+set}" = set; then + withval="$with_sshca_dir" + + if test "x$withval" != "xno" ; then + sshcadir=$withval + fi + +fi; + +cat >>confdefs.h <>confdefs.h <&5 +echo "$as_me: error: cannot enable OCSP when x509store is disabled" >&2;} + { (exit 1); exit 1; }; } + fi + fi + +fi; +if test "x$ssh_ocsp" = "xyes"; then + +for ac_func in OCSP_sendreq_bio +do +as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh` +echo "$as_me:16648: checking for $ac_func" >&5 +echo $ECHO_N "checking for $ac_func... $ECHO_C" >&6 +if eval "test \"\${$as_ac_var+set}\" = set"; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line 16654 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func (); below. */ +#include +/* Override any gcc2 internal prototype to avoid an error. */ +#ifdef __cplusplus +extern "C" +#endif +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func (); +char (*f) (); + +int +main () +{ +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +f = $ac_func; +#endif + + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (eval echo "$as_me:16685: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:16688: \$? 
= $ac_status" >&5 + (exit $ac_status); } && + { ac_try='test -s conftest$ac_exeext' + { (eval echo "$as_me:16691: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:16694: \$? = $ac_status" >&5 + (exit $ac_status); }; }; then + eval "$as_ac_var=yes" +else + echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 +eval "$as_ac_var=no" +fi +rm -f conftest.$ac_objext conftest$ac_exeext conftest.$ac_ext +fi +echo "$as_me:16704: result: `eval echo '${'$as_ac_var'}'`" >&5 +echo "${ECHO_T}`eval echo '${'$as_ac_var'}'`" >&6 +if test `eval echo '${'$as_ac_var'}'` = yes; then + cat >>confdefs.h <&5 +echo $ECHO_N "checking for openssl/ocsp.h... $ECHO_C" >&6 +if test "${ac_cv_header_openssl_ocsp_h+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + cat >conftest.$ac_ext <<_ACEOF +#line 16717 "configure" +#include "confdefs.h" +#include +_ACEOF +if { (eval echo "$as_me:16721: \"$ac_cpp conftest.$ac_ext\"") >&5 + (eval $ac_cpp conftest.$ac_ext) 2>conftest.er1 + ac_status=$? + egrep -v '^ *\+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:16727: \$? 
= $ac_status" >&5 + (exit $ac_status); } >/dev/null; then + if test -s conftest.err; then + ac_cpp_err=$ac_c_preproc_warn_flag + else + ac_cpp_err= + fi +else + ac_cpp_err=yes +fi +if test -z "$ac_cpp_err"; then + ac_cv_header_openssl_ocsp_h=yes +else + echo "$as_me: failed program was:" >&5 + cat conftest.$ac_ext >&5 + ac_cv_header_openssl_ocsp_h=no +fi +rm -f conftest.err conftest.$ac_ext +fi +echo "$as_me:16746: result: $ac_cv_header_openssl_ocsp_h" >&5 +echo "${ECHO_T}$ac_cv_header_openssl_ocsp_h" >&6 +if test $ac_cv_header_openssl_ocsp_h = yes; then + : +else + + ssh_ocsp="no" + { { echo "$as_me:16753: error: OCSP header not found" >&5 +echo "$as_me: error: OCSP header not found" >&2;} + { (exit 1); exit 1; }; } + +fi + +else + + ssh_ocsp="no" + { echo "$as_me:16762: WARNING: Cannot find OCSP functions - OCSP is disabled" >&5 +echo "$as_me: WARNING: Cannot find OCSP functions - OCSP is disabled" >&2;} + +fi +done + +fi +if test "x$ssh_ocsp" = "xyes"; then + +cat >>confdefs.h <&5 +echo $ECHO_N "checking for Email in X.509 'Distinguished Name'... $ECHO_C" >&6 + if test "$cross_compiling" = yes; then + { { echo "$as_me:16788: error: cannot run test program while cross compiling" >&5 +echo "$as_me: error: cannot run test program while cross compiling" >&2;} + { (exit 1); exit 1; }; } +else + cat >conftest.$ac_ext <<_ACEOF +#line 16793 "configure" +#include "confdefs.h" + +#include + +int main(void) { + int nid; + nid = OBJ_txt2nid("Email"); + if (nid == NID_undef) + exit (1); + exit (0); + return (0); +} + +_ACEOF +rm -f conftest$ac_exeext +if { (eval echo "$as_me:16809: \"$ac_link\"") >&5 + (eval $ac_link) 2>&5 + ac_status=$? + echo "$as_me:16812: \$? = $ac_status" >&5 + (exit $ac_status); } && { ac_try='./conftest$ac_exeext' + { (eval echo "$as_me:16814: \"$ac_try\"") >&5 + (eval $ac_try) 2>&5 + ac_status=$? + echo "$as_me:16817: \$? 
= $ac_status" >&5 + (exit $ac_status); }; }; then + + echo "$as_me:16820: result: yes" >&5 +echo "${ECHO_T}yes" >&6 + +else + echo "$as_me: program exited with status $ac_status" >&5 +echo "$as_me: failed program was:" >&5 +cat conftest.$ac_ext >&5 + + echo "$as_me:16828: result: no" >&5 +echo "${ECHO_T}no" >&6 + ssh_x509dn_email="no" + +fi +rm -f core core.* *.core conftest$ac_exeext conftest.$ac_objext conftest.$ac_ext +fi +fi +if test "x$ssh_x509dn_email" = "xno"; then + +cat >>confdefs.h <&5 + { echo "$as_me:16861: WARNING: ** no $piddir directory on this system **" >&5 echo "$as_me: WARNING: ** no $piddir directory on this system **" >&2;} fi fi @@ -16713,10 +16981,10 @@ fi; -echo "$as_me:16716: checking if your system defines LASTLOG_FILE" >&5 +echo "$as_me:16984: checking if your system defines LASTLOG_FILE" >&5 echo $ECHO_N "checking if your system defines LASTLOG_FILE... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 16719 "configure" +#line 16987 "configure" #include "confdefs.h" #include 
@@ -16740,29 +17008,29 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:16743: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:17011: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:16746: \$? = $ac_status" >&5 + echo "$as_me:17014: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:16749: \"$ac_try\"") >&5 + { (eval echo "$as_me:17017: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:16752: \$? = $ac_status" >&5 + echo "$as_me:17020: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:16754: result: yes" >&5 + echo "$as_me:17022: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:16760: result: no" >&5 + echo "$as_me:17028: result: no" >&5 echo "${ECHO_T}no" >&6 - echo "$as_me:16762: checking if your system defines _PATH_LASTLOG" >&5 + echo "$as_me:17030: checking if your system defines _PATH_LASTLOG" >&5 echo $ECHO_N "checking if your system defines _PATH_LASTLOG... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 16765 "configure" +#line 17033 "configure" #include "confdefs.h" #include 
@@ -16783,24 +17051,24 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:16786: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:17054: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:16789: \$? = $ac_status" >&5 + echo "$as_me:17057: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:16792: \"$ac_try\"") >&5 + { (eval echo "$as_me:17060: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:16795: \$? = $ac_status" >&5 + echo "$as_me:17063: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:16797: result: yes" >&5 + echo "$as_me:17065: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:16803: result: no" >&5 + echo "$as_me:17071: result: no" >&5 echo "${ECHO_T}no" >&6 system_lastlog_path=no @@ -16818,7 +17086,7 @@ fi done if test -z "$conf_lastlog_location"; then - { echo "$as_me:16821: WARNING: ** Cannot find lastlog **" >&5 + { echo "$as_me:17089: WARNING: ** Cannot find lastlog **" >&5 echo "$as_me: WARNING: ** Cannot find lastlog **" >&2;} fi fi @@ -16831,10 +17099,10 @@ fi -echo "$as_me:16834: checking if your system defines UTMP_FILE" >&5 +echo "$as_me:17102: checking if your system defines UTMP_FILE" >&5 echo $ECHO_N "checking if your system defines UTMP_FILE... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 16837 "configure" +#line 17105 "configure" #include "confdefs.h" #include 
@@ -16852,23 +17120,23 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:16855: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:17123: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:16858: \$? = $ac_status" >&5 + echo "$as_me:17126: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:16861: \"$ac_try\"") >&5 + { (eval echo "$as_me:17129: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:16864: \$? = $ac_status" >&5 + echo "$as_me:17132: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:16866: result: yes" >&5 + echo "$as_me:17134: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:16871: result: no" >&5 + echo "$as_me:17139: result: no" >&5 echo "${ECHO_T}no" >&6 system_utmp_path=no @@ -16896,10 +17164,10 @@ fi -echo "$as_me:16899: checking if your system defines WTMP_FILE" >&5 +echo "$as_me:17167: checking if your system defines WTMP_FILE" >&5 echo $ECHO_N "checking if your system defines WTMP_FILE... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 16902 "configure" +#line 17170 "configure" #include "confdefs.h" #include 
@@ -16917,23 +17185,23 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:16920: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:17188: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:16923: \$? = $ac_status" >&5 + echo "$as_me:17191: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:16926: \"$ac_try\"") >&5 + { (eval echo "$as_me:17194: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:16929: \$? = $ac_status" >&5 + echo "$as_me:17197: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:16931: result: yes" >&5 + echo "$as_me:17199: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:16936: result: no" >&5 + echo "$as_me:17204: result: no" >&5 echo "${ECHO_T}no" >&6 system_wtmp_path=no @@ -16961,10 +17229,10 @@ fi -echo "$as_me:16964: checking if your system defines UTMPX_FILE" >&5 +echo "$as_me:17232: checking if your system defines UTMPX_FILE" >&5 echo $ECHO_N "checking if your system defines UTMPX_FILE... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 16967 "configure" +#line 17235 "configure" #include "confdefs.h" #include 
@@ -16985,23 +17253,23 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:16988: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:17256: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:16991: \$? = $ac_status" >&5 + echo "$as_me:17259: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:16994: \"$ac_try\"") >&5 + { (eval echo "$as_me:17262: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:16997: \$? = $ac_status" >&5 + echo "$as_me:17265: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:16999: result: yes" >&5 + echo "$as_me:17267: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:17004: result: no" >&5 + echo "$as_me:17272: result: no" >&5 echo "${ECHO_T}no" >&6 system_utmpx_path=no @@ -17021,10 +17289,10 @@ fi -echo "$as_me:17024: checking if your system defines WTMPX_FILE" >&5 +echo "$as_me:17292: checking if your system defines WTMPX_FILE" >&5 echo $ECHO_N "checking if your system defines WTMPX_FILE... $ECHO_C" >&6 cat >conftest.$ac_ext <<_ACEOF -#line 17027 "configure" +#line 17295 "configure" #include "confdefs.h" #include 
@@ -17045,23 +17313,23 @@ } _ACEOF rm -f conftest.$ac_objext -if { (eval echo "$as_me:17048: \"$ac_compile\"") >&5 +if { (eval echo "$as_me:17316: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? - echo "$as_me:17051: \$? = $ac_status" >&5 + echo "$as_me:17319: \$? = $ac_status" >&5 (exit $ac_status); } && { ac_try='test -s conftest.$ac_objext' - { (eval echo "$as_me:17054: \"$ac_try\"") >&5 + { (eval echo "$as_me:17322: \"$ac_try\"") >&5 (eval $ac_try) 2>&5 ac_status=$? - echo "$as_me:17057: \$? = $ac_status" >&5 + echo "$as_me:17325: \$? = $ac_status" >&5 (exit $ac_status); }; }; then - echo "$as_me:17059: result: yes" >&5 + echo "$as_me:17327: result: yes" >&5 echo "${ECHO_T}yes" >&6 else echo "$as_me: failed program was:" >&5 cat conftest.$ac_ext >&5 - echo "$as_me:17064: result: no" >&5 + echo "$as_me:17332: result: no" >&5 echo "${ECHO_T}no" >&6 system_wtmpx_path=no @@ -17083,7 +17351,7 @@ if test ! -z "$blibpath" ; then LDFLAGS="$LDFLAGS $blibflags$blibpath" - { echo "$as_me:17086: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&5 + { echo "$as_me:17354: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&5 echo "$as_me: WARNING: Please check and edit blibpath in LDFLAGS in Makefile" >&2;} fi @@ -17094,7 +17362,7 @@ LIBS=`echo $LIBS | sed 's/-ldl //'` fi -ac_config_files="$ac_config_files Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds" +ac_config_files="$ac_config_files Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds tests/CA/Makefile" cat >confcache <<\_ACEOF # This file is a shell script that caches the results of configure @@ -17175,7 +17443,7 @@ : ${CONFIG_STATUS=./config.status} ac_clean_files_save=$ac_clean_files ac_clean_files="$ac_clean_files $CONFIG_STATUS" -{ echo "$as_me:17178: creating $CONFIG_STATUS" >&5 +{ echo "$as_me:17446: creating $CONFIG_STATUS" >&5 echo "$as_me: creating $CONFIG_STATUS" >&6;} cat >$CONFIG_STATUS <<_ACEOF #! $SHELL 
@@ -17348,7 +17616,7 @@ echo "$ac_cs_version"; exit 0 ;; --he | --h) # Conflict between --help and --header - { { echo "$as_me:17351: error: ambiguous option: $1 + { { echo "$as_me:17619: error: ambiguous option: $1 Try \`$0 --help' for more information." >&5 echo "$as_me: error: ambiguous option: $1 Try \`$0 --help' for more information." >&2;} @@ -17367,7 +17635,7 @@ ac_need_defaults=false;; # This is an error. - -*) { { echo "$as_me:17370: error: unrecognized option: $1 + -*) { { echo "$as_me:17638: error: unrecognized option: $1 Try \`$0 --help' for more information." >&5 echo "$as_me: error: unrecognized option: $1 Try \`$0 --help' for more information." >&2;} @@ -17406,8 +17674,9 @@ "openbsd-compat/Makefile" ) CONFIG_FILES="$CONFIG_FILES openbsd-compat/Makefile" ;; "scard/Makefile" ) CONFIG_FILES="$CONFIG_FILES scard/Makefile" ;; "ssh_prng_cmds" ) CONFIG_FILES="$CONFIG_FILES ssh_prng_cmds" ;; + "tests/CA/Makefile" ) CONFIG_FILES="$CONFIG_FILES tests/CA/Makefile" ;; "config.h" ) CONFIG_HEADERS="$CONFIG_HEADERS config.h" ;; - *) { { echo "$as_me:17410: error: invalid argument: $ac_config_target" >&5 + *) { { echo "$as_me:17679: error: invalid argument: $ac_config_target" >&5 echo "$as_me: error: invalid argument: $ac_config_target" >&2;} { (exit 1); exit 1; }; };; esac @@ -17549,6 +17818,9 @@ s,@MANTYPE@,$MANTYPE,;t t s,@mansubdir@,$mansubdir,;t t s,@user_path@,$user_path,;t t +s,@sshcadir@,$sshcadir,;t t +s,@OCSP_ON@,$OCSP_ON,;t t +s,@OCSP_OFF@,$OCSP_OFF,;t t s,@piddir@,$piddir,;t t CEOF @@ -17664,7 +17936,7 @@ esac if test x"$ac_file" != x-; then - { echo "$as_me:17667: creating $ac_file" >&5 + { echo "$as_me:17939: creating $ac_file" >&5 echo "$as_me: creating $ac_file" >&6;} rm -f "$ac_file" fi 
@@ -17682,7 +17954,7 @@ -) echo $tmp/stdin ;; [\\/$]*) # Absolute (can't be DOS-style, as IFS=:) - test -f "$f" || { { echo "$as_me:17685: error: cannot find input file: $f" >&5 + test -f "$f" || { { echo "$as_me:17957: error: cannot find input file: $f" >&5 echo "$as_me: error: cannot find input file: $f" >&2;} { (exit 1); exit 1; }; } echo $f;; @@ -17695,7 +17967,7 @@ echo $srcdir/$f else # /dev/null tree - { { echo "$as_me:17698: error: cannot find input file: $f" >&5 + { { echo "$as_me:17970: error: cannot find input file: $f" >&5 echo "$as_me: error: cannot find input file: $f" >&2;} { (exit 1); exit 1; }; } fi;; @@ -17756,7 +18028,7 @@ * ) ac_file_in=$ac_file.in ;; esac - test x"$ac_file" != x- && { echo "$as_me:17759: creating $ac_file" >&5 + test x"$ac_file" != x- && { echo "$as_me:18031: creating $ac_file" >&5 echo "$as_me: creating $ac_file" >&6;} # First look for the input files in the build tree, otherwise in the @@ -17767,7 +18039,7 @@ -) echo $tmp/stdin ;; [\\/$]*) # Absolute (can't be DOS-style, as IFS=:) - test -f "$f" || { { echo "$as_me:17770: error: cannot find input file: $f" >&5 + test -f "$f" || { { echo "$as_me:18042: error: cannot find input file: $f" >&5 echo "$as_me: error: cannot find input file: $f" >&2;} { (exit 1); exit 1; }; } echo $f;; @@ -17780,7 +18052,7 @@ echo $srcdir/$f else # /dev/null tree - { { echo "$as_me:17783: error: cannot find input file: $f" >&5 + { { echo "$as_me:18055: error: cannot find input file: $f" >&5 echo "$as_me: error: cannot find input file: $f" >&2;} { (exit 1); exit 1; }; } fi;; @@ -17897,7 +18169,7 @@ rm -f $tmp/in if test x"$ac_file" != x-; then if cmp -s $ac_file $tmp/config.h 2>/dev/null; then - { echo "$as_me:17900: $ac_file is unchanged" >&5 + { echo "$as_me:18172: $ac_file is unchanged" >&5 echo "$as_me: $ac_file is unchanged" >&6;} else ac_dir=`$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ 
@@ -17983,6 +18255,7 @@ echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" +echo " CA root: $sshcadir" echo " Askpass program: $E" echo " Manual pages: $F" echo " PID file: $G" @@ -18007,6 +18280,8 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " X.509 store support: $ssh_x509store" +echo " OCSP support: $ssh_ocsp" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" diff -ruN openssh-3.8p1/configure.ac openssh-3.8p1+x509h/configure.ac --- openssh-3.8p1/configure.ac 2004-02-24 07:47:04.000000000 +0200 +++ openssh-3.8p1+x509h/configure.ac 2004-04-05 09:06:00.000000000 +0300 @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.202 2004/02/24 05:47:04 tim Exp $ +# $Id$ AC_INIT AC_CONFIG_SRCDIR([ssh.c]) @@ -230,7 +230,12 @@ check_for_openpty_ctty_bug=1 AC_DEFINE(DONT_TRY_OTHER_AF) AC_DEFINE(PAM_TTY_KLUDGE) - AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!") + case "$host" in + *-slackware-*) + AC_DEFINE(LOCKED_PASSWD_PREFIX, "!");; + *) + AC_DEFINE(LOCKED_PASSWD_PREFIX, "!!");; + esac AC_DEFINE(SPT_TYPE,SPT_REUSEARGV) inet6_default_4in6=yes case `uname -r` in 
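Review bot: The new `case "$host"` around `LOCKED_PASSWD_PREFIX` has no comment saying why Slackware gets `"!"` while every other Linux host keeps `"!!"`, and the match depends on the vendor field of the host triplet. When configure runs with an explicit `--host`/`--build`, or the detected triplet does not contain `slackware`, the build falls back to `"!!"`. If the prefix is compared against the stored password field to detect locked accounts, as the macro name suggests, an account locked with a single `!` would then not be recognised as locked. A comment above the case such as `# Slackware marks locked accounts with a single "!"; other Linux hosts use "!!"` would record that dependency for whoever packages this. The enclosing host-type `case` starts and ends outside the hunk.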
@@ -2479,6 +2484,117 @@ ] ) +# Where to place ssh CA root +sshcadir='${sysconfdir}/ca' +sshcadir=`eval echo ${sshcadir}` +sshcadir=`eval echo ${sshcadir}` +case $sshcadir in + NONE/*) sshcadir=`echo $sshcadir | sed "s~NONE~$ac_default_prefix~"` ;; +esac + +AC_ARG_WITH(sshca-dir, + [ --with-sshca-dir=PATH Specify location of ssh CA root], + [ + if test "x$withval" != "xno" ; then + sshcadir=$withval + fi + ] +) + +AC_DEFINE_UNQUOTED(SSHCADIR, "$sshcadir", [Specify location of ssh CA root]) +AC_SUBST(sshcadir) + + +ssh_x509store="yes" +AC_ARG_ENABLE(x509store, + [ --disable-x509store Disable X.509 store], + [ + if test "x$enableval" = "xno"; then + ssh_x509store="no" + fi + ] +) +if test "x$ssh_x509store" = "xno"; then + AC_DEFINE_UNQUOTED( + SSH_X509STORE_DISABLED, 1, + [Define if you don't want to verify certificates]) +fi + + +ssh_ocsp="no" +AC_ARG_ENABLE(ocsp, + [ --enable-ocsp Enable OCSP validation], + [ + if test "x$enableval" = "xyes"; then + if test "x$ssh_x509store" = "xyes"; then + ssh_ocsp="yes" + else + AC_MSG_ERROR([cannot enable OCSP when x509store is disabled]) + fi + fi + ] +) +if test "x$ssh_ocsp" = "xyes"; then + AC_CHECK_FUNCS(OCSP_sendreq_bio, + [ + AC_CHECK_HEADER(openssl/ocsp.h, + [], + [ + ssh_ocsp="no" + AC_MSG_ERROR([OCSP header not found]) + ]) + ], + [ + ssh_ocsp="no" + AC_MSG_WARN([Cannot find OCSP functions - OCSP is disabled]) + ]) +fi +if test "x$ssh_ocsp" = "xyes"; then + AC_DEFINE_UNQUOTED( + SSH_OCSP_ENABLED, 1, + [Define if you don't want to validate X.509 certificates with OCSP]) + OCSP_ON='' + OCSP_OFF='#' +else + OCSP_ON='#' + OCSP_OFF='' +fi +AC_SUBST(OCSP_ON) +AC_SUBST(OCSP_OFF) + + +ssh_x509dn_email="yes" +if test "x$ssh_x509store" = "xyes"; then + # Check for Email in X.509 'Distinguished Name' + AC_MSG_CHECKING([for Email in X.509 'Distinguished Name']) + AC_TRY_RUN( + [ +#include + +int main(void) { + int nid; + nid = OBJ_txt2nid("Email"); + if (nid == NID_undef) + exit (1); + exit (0); + return (0); +} + ], + [ + 
AC_MSG_RESULT(yes) + ], + [ + AC_MSG_RESULT(no) + ssh_x509dn_email="no" + ] +) +fi +if test "x$ssh_x509dn_email" = "xno"; then + AC_DEFINE_UNQUOTED( + SSH_OPENSSL_DN_WITHOUT_EMAIL, 1, + [Define if your openssl library don't support Email in X.509 'Distinguished Name']) +fi + # Where to place sshd.pid piddir=/var/run # make sure the directory exists @@ -2771,7 +2887,7 @@ fi AC_EXEEXT -AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds]) +AC_CONFIG_FILES([Makefile openbsd-compat/Makefile scard/Makefile ssh_prng_cmds tests/CA/Makefile]) AC_OUTPUT # Print summary of options @@ -2793,6 +2909,7 @@ echo " User binaries: $B" echo " System binaries: $C" echo " Configuration files: $D" +echo " CA root: $sshcadir" echo " Askpass program: $E" echo " Manual pages: $F" echo " PID file: $G" @@ -2817,6 +2934,8 @@ echo " S/KEY support: $SKEY_MSG" echo " TCP Wrappers support: $TCPW_MSG" echo " MD5 password support: $MD5_MSG" +echo " X.509 store support: $ssh_x509store" +echo " OCSP support: $ssh_ocsp" echo " IP address in \$DISPLAY hack: $DISPLAY_HACK_MSG" echo " Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG" echo " BSD Auth support: $BSD_AUTH_MSG" diff -ruN openssh-3.8p1/hostfile.c openssh-3.8p1+x509h/hostfile.c --- openssh-3.8p1/hostfile.c 2003-11-17 12:18:23.000000000 +0200 +++ openssh-3.8p1+x509h/hostfile.c 2004-02-25 09:06:01.000000000 +0200 @@ -13,6 +13,8 @@ * * Copyright (c) 1999, 2000 Markus Friedl. All rights reserved. * Copyright (c) 1999 Niels Provos. All rights reserved. + * X509 certificates support, + * Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
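Review bot: An explicit `--enable-ocsp` is downgraded when `OCSP_sendreq_bio` is missing: the not-found branch of `AC_CHECK_FUNCS` sets `ssh_ocsp="no"` and only calls `AC_MSG_WARN`, so the build completes without revocation checking although the operator asked for it, while the missing-header branch just above stops with `AC_MSG_ERROR`. Both branches should fail the same way, e.g. `AC_MSG_ERROR([OCSP requested but OCSP functions not found])`. The description passed to `AC_DEFINE_UNQUOTED(SSH_OCSP_ENABLED, 1, ...)` is also inverted: it reads "Define if you don't want to validate ..." although the macro is defined when OCSP is on, so it should read `[Define to validate X.509 certificates with OCSP]`. Since `--disable-x509store` by its own description turns certificate verification off, an `AC_MSG_WARN` where `SSH_X509STORE_DISABLED` is defined would make that consequence visible beyond the single summary line.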
@@ -36,13 +38,14 @@ */ #include "includes.h" -RCSID("$OpenBSD: hostfile.c,v 1.32 2003/11/10 16:23:41 jakob Exp $"); +RCSID("$OpenBSD$"); #include "packet.h" #include "match.h" #include "key.h" #include "hostfile.h" #include "log.h" +#include "ssh-x509.h" /* * Parses an RSA (number of bits, e, n) or DSA key from a string. Moves the @@ -221,7 +224,17 @@ if (!f) return 0; fprintf(f, "%s ", host); - if (key_write(key, f)) { +#ifndef SSH_X509STORE_DISABLED + if ((key->type == KEY_X509_RSA) || (key->type == KEY_X509_DSA)) { + /* key_write will print x509 certificate in blob format :-( */ + success = x509key_write_subject(key, f); + } else { +#endif /*ndef SSH_X509STORE_DISABLED*/ + success = key_write(key, f); +#ifndef SSH_X509STORE_DISABLED + } +#endif /*ndef SSH_X509STORE_DISABLED*/ + if (success) { success = 1; } else { error("add_host_to_hostfile: saving key in %s failed", filename); diff -ruN openssh-3.8p1/INSTALL openssh-3.8p1+x509h/INSTALL --- openssh-3.8p1/INSTALL 2003-11-21 14:48:55.000000000 +0200 +++ openssh-3.8p1+x509h/INSTALL 2004-02-25 09:06:00.000000000 +0200 @@ -56,6 +56,9 @@ installed. No other current S/Key library is currently known to be supported. +X.509 certificate support: +http://roumenpetrov.info/openssh + 2. Building / Installation -------------------------- 
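Review bot: For X.509 host keys the known-hosts entry written in the `@@ -221,7 +224,17 @@` hunk is whatever `x509key_write_subject` emits instead of the key blob, which, judging by the name and the comment, is the certificate subject only. If so, the accepted entry no longer pins the host to one specific key: any certificate with the same subject that validates against the configured CA store would presumably match later, so the trust decision moves from the known-hosts file to the CA set. That deserves a comment at the call, e.g. `/* X.509: only the subject is stored; matching relies on chain validation against the CA store */`. The `if (success) { success = 1; }` that follows is now a no-op and could be reduced to a test for failure. The enclosing function starts and ends outside the hunk.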
@@ -160,6 +163,15 @@ --with-sectok=DIR allows for OpenSC or sectok smartcard libraries to be used with OpenSSH. See 'README.smartcard' for more details. +--with-sshca-dir=PATH allows you to specify location of ssh CA root +used by ssh "x509 store" to verify certificates. + +--disable-x509store allows you to disable ssh "x509 store". In that +case ssh don't verify certificates. Format "Distinguished Name" for a +certificate in ssh files is disabled too. In that case ssh accept only +blob format of certificate in files (aka format of pub files). +See 'README.x509v3' for more details. + If you need to pass special options to the compiler or linker, you can specify these as environment variables before running ./configure. For example: @@ -200,4 +212,4 @@ http://www.openssh.com/ -$Id: INSTALL,v 1.63 2003/11/21 12:48:55 djm Exp $ +$Id$ diff -ruN openssh-3.8p1/key.c openssh-3.8p1+x509h/key.c --- openssh-3.8p1/key.c 2003-11-17 12:18:23.000000000 +0200 +++ openssh-3.8p1+x509h/key.c 2004-02-25 09:06:01.000000000 +0200 @@ -10,6 +10,8 @@ * * * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * X509 certificates support, + * Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -32,13 +34,14 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: key.c,v 1.55 2003/11/10 16:23:41 jakob Exp $"); +RCSID("$OpenBSD$"); #include #include "xmalloc.h" #include "key.h" #include "rsa.h" +#include "ssh-x509.h" #include "uuencode.h" #include "buffer.h" #include "bufaux.h" @@ -55,9 +58,11 @@ k->flags = 0; k->dsa = NULL; k->rsa = NULL; + k->x509 = NULL; switch (k->type) { case KEY_RSA1: case KEY_RSA: + case KEY_X509_RSA: if ((rsa = RSA_new()) == NULL) fatal("key_new: RSA_new failed"); if ((rsa->n = BN_new()) == NULL) 
@@ -65,8 +70,13 @@ if ((rsa->e = BN_new()) == NULL) fatal("key_new: BN_new failed"); k->rsa = rsa; + if (k->type == KEY_X509_RSA) { + if ((k->x509 = X509_new()) == NULL) + fatal("key_new: X509_new failed"); + } break; case KEY_DSA: + case KEY_X509_DSA: if ((dsa = DSA_new()) == NULL) fatal("key_new: DSA_new failed"); if ((dsa->p = BN_new()) == NULL) @@ -78,6 +88,10 @@ if ((dsa->pub_key = BN_new()) == NULL) fatal("key_new: BN_new failed"); k->dsa = dsa; + if (k->type == KEY_X509_DSA) { + if ((k->x509 = X509_new()) == NULL) + fatal("key_new: X509_new failed"); + } break; case KEY_UNSPEC: break; @@ -95,6 +109,7 @@ switch (k->type) { case KEY_RSA1: case KEY_RSA: + case KEY_X509_RSA: if ((k->rsa->d = BN_new()) == NULL) fatal("key_new_private: BN_new failed"); if ((k->rsa->iqmp = BN_new()) == NULL) @@ -107,10 +122,25 @@ fatal("key_new_private: BN_new failed"); if ((k->rsa->dmp1 = BN_new()) == NULL) fatal("key_new_private: BN_new failed"); + if (k->type == KEY_X509_RSA) { + debug3("key_new_private: X509(rsa) MORE ...?"); + /* + if ((k->x509 = X509_new()) == NULL) + fatal("key_new: X509_new failed"); + */ + } break; case KEY_DSA: + case KEY_X509_DSA: if ((k->dsa->priv_key = BN_new()) == NULL) fatal("key_new_private: BN_new failed"); + if (k->type == KEY_X509_DSA) { + debug3("key_new_private: X509(dsa) MORE ...?"); + /* + if ((k->x509 = X509_new()) == NULL) + fatal("key_new: X509_new failed"); + */ + } break; case KEY_UNSPEC: break; @@ -135,6 +165,21 @@ DSA_free(k->dsa); k->dsa = NULL; break; + case KEY_X509_RSA: + case KEY_X509_DSA: + if (k->dsa != NULL) { + DSA_free(k->dsa); + k->dsa = NULL; + } + if (k->rsa != NULL) { + RSA_free(k->rsa); + k->rsa = NULL; + } + if (k->x509 != NULL) { + X509_free(k->x509); + k->x509 = NULL; + } + break; case KEY_UNSPEC: break; default: 
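Review bot: In the `@@ -107,10 +122,25 @@` hunk both X.509 branches consist of a `debug3("key_new_private: X509(...) MORE ...?")` placeholder followed by a commented-out `X509_new()` block, so the code does nothing and does not tell the reader what state `k->x509` is meant to be in. Assuming this function builds on key_new as the `fatal("key_new: ...")` text in the dead block suggests, the certificate object is already allocated by the hunks above. I would delete the placeholder and the commented code and leave one line such as `/* k->x509 is allocated by key_new(); the private half adds nothing to it */`. The function body extends outside the hunk.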
@@ -152,17 +197,29 @@ switch (a->type) { case KEY_RSA1: case KEY_RSA: +#ifdef SSH_X509STORE_DISABLED + case KEY_X509_RSA: +#endif return a->rsa != NULL && b->rsa != NULL && BN_cmp(a->rsa->e, b->rsa->e) == 0 && BN_cmp(a->rsa->n, b->rsa->n) == 0; break; case KEY_DSA: +#ifdef SSH_X509STORE_DISABLED + case KEY_X509_DSA: +#endif return a->dsa != NULL && b->dsa != NULL && BN_cmp(a->dsa->p, b->dsa->p) == 0 && BN_cmp(a->dsa->q, b->dsa->q) == 0 && BN_cmp(a->dsa->g, b->dsa->g) == 0 && BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0; break; +#ifndef SSH_X509STORE_DISABLED + case KEY_X509_RSA: + case KEY_X509_DSA: + return ssh_x509_equal(a, b) == 0; + break; +#endif /*ndef SSH_X509STORE_DISABLED*/ default: fatal("key_equal: bad key type %d", a->type); break; @@ -205,6 +262,8 @@ break; case KEY_DSA: case KEY_RSA: + case KEY_X509_RSA: + case KEY_X509_DSA: key_to_blob(k, &blob, &len); break; case KEY_UNSPEC: @@ -410,6 +469,8 @@ case KEY_UNSPEC: case KEY_RSA: case KEY_DSA: + case KEY_X509_RSA: + case KEY_X509_DSA: space = strchr(cp, ' '); if (space == NULL) { debug3("key_read: missing whitespace"); @@ -434,6 +495,11 @@ debug3("key_read: type mismatch"); return -1; } +#ifndef SSH_X509STORE_DISABLED + k = x509key_from_subject(type, cp); + if(k != NULL) + goto noblob; +#endif /*ndef SSH_X509STORE_DISABLED*/ len = 2*strlen(cp); blob = xmalloc(len); n = uudecode(cp, blob, len); 
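Review bot: With the store enabled, the `KEY_X509_RSA`/`KEY_X509_DSA` case of key_equal returns `ssh_x509_equal(a, b) == 0` and no longer compares the RSA or DSA numbers, so what "equal" means for a certificate key depends entirely on that helper, which the hunk does not show. If it compares certificate names and not key material, every caller that treats key_equal as an authorization match is only as strong as the chain validation performed next to it. Please document the contract at the case label, for example `/* X.509: compares certificate identity via ssh_x509_equal (0 == equal); callers must still validate the chain */`. The mixed `#ifdef`/`#ifndef SSH_X509STORE_DISABLED` case labels are also easy to misread; a single `#ifdef ... #else ... #endif` around the X.509 cases would be clearer. The function begins and ends outside the hunk.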
@@ -453,7 +519,30 @@ key_free(k); return -1; } +noblob: /*XXXX*/ + if (ret->type == KEY_X509_RSA || + ret->type == KEY_X509_DSA ) { + if (ret->rsa != NULL) + RSA_free(ret->rsa); + ret->rsa = k->rsa; + k->rsa = NULL; + if (ret->dsa != NULL) + DSA_free(ret->dsa); + ret->dsa = k->dsa; + k->dsa = NULL; + if (ret->x509 != NULL) + X509_free(ret->x509); + ret->x509 = k->x509; + k->x509 = NULL; +#ifdef DEBUG_PK + if (ret->type == KEY_X509_RSA) + RSA_print_fp(stderr, ret->rsa, 8); + else + DSA_print_fp(stderr, ret->dsa, 8); +#endif + success = 1; + } else if (ret->type == KEY_RSA) { if (ret->rsa != NULL) RSA_free(ret->rsa); @@ -520,6 +609,8 @@ } xfree(blob); xfree(uu); + } else if ( (key->type == KEY_X509_RSA) || (key->type == KEY_X509_DSA) ) { + success = x509key_write(key, f); } return success; } @@ -537,6 +628,14 @@ case KEY_DSA: return "DSA"; break; + case KEY_X509_RSA: + if(k->rsa) return "RSA+cert"; + return "X509(rsa)"; + break; + case KEY_X509_DSA: + if(k->dsa) return "DSA+cert"; + return "X509(dsa)"; + break; } return "unknown"; } @@ -551,6 +650,12 @@ case KEY_DSA: return "ssh-dss"; break; + case KEY_X509_RSA: + return "x509v3-sign-rsa"; + break; + case KEY_X509_DSA: + return "x509v3-sign-dss"; + break; } return "ssh-unknown"; } @@ -566,6 +671,10 @@ case KEY_DSA: return BN_num_bits(k->dsa->p); break; + case KEY_X509_RSA: + case KEY_X509_DSA: + return ssh_x509_key_size(k); + break; } return 0; } @@ -640,6 +749,7 @@ int key_type_from_name(char *name) { + debug3("call key_type_from_name(%.200s) ...", name); if (strcmp(name, "rsa1") == 0) { return KEY_RSA1; } else if (strcmp(name, "rsa") == 0) { @@ -650,6 +760,10 @@ return KEY_RSA; } else if (strcmp(name, "ssh-dss") == 0) { return KEY_DSA; + } else if (strcmp(name, "x509v3-sign-rsa") == 0) { + return KEY_X509_RSA; + } else if (strcmp(name, "x509v3-sign-dss") == 0) { + return KEY_X509_DSA; } debug2("key_type_from_name: unknown key type '%s'", name); return KEY_UNSPEC; 
@@ -684,14 +798,19 @@ char *ktype; int rlen, type; Key *key = NULL; + debug3("key_from_blob(..., %d)", blen); #ifdef DEBUG_PK dump_base64(stderr, blob, blen); #endif + if ((key = x509key_from_blob(blob, blen)) != NULL) { + return key; + } buffer_init(&b); buffer_append(&b, blob, blen); ktype = buffer_get_string(&b, NULL); type = key_type_from_name(ktype); + debug3("key_from_blob(..., ...) ktype=%.30s", ktype); switch (type) { case KEY_RSA: @@ -751,6 +870,11 @@ buffer_put_bignum2(&b, key->rsa->e); buffer_put_bignum2(&b, key->rsa->n); break; + case KEY_X509_RSA: + case KEY_X509_DSA: + if (!x509key_to_blob(key, &b)) + return 0; + break; default: error("key_to_blob: unsupported key type %d", key->type); buffer_free(&b); @@ -781,6 +905,10 @@ case KEY_RSA: return ssh_rsa_sign(key, sigp, lenp, data, datalen); break; + case KEY_X509_RSA: + case KEY_X509_DSA: + return ssh_x509_sign(key, sigp, lenp, data, datalen); + break; default: error("key_sign: illegal key type %d", key->type); return -1; @@ -808,6 +936,10 @@ case KEY_RSA: return ssh_rsa_verify(key, signature, signaturelen, data, datalen); break; + case KEY_X509_RSA: + case KEY_X509_DSA: + return ssh_x509_verify(key, signature, signaturelen, data, datalen); + break; default: error("key_verify: illegal key type %d", key->type); return -1; @@ -830,6 +962,7 @@ switch (k->type) { case KEY_RSA1: case KEY_RSA: + case KEY_X509_RSA: if ((pk->rsa = RSA_new()) == NULL) fatal("key_demote: RSA_new failed"); if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL) @@ -838,6 +971,7 @@ fatal("key_demote: BN_dup failed"); break; case KEY_DSA: + case KEY_X509_DSA: if ((pk->dsa = DSA_new()) == NULL) fatal("key_demote: DSA_new failed"); if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL) 
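Review bot: Every blob passed to key_from_blob now goes to `x509key_from_blob(blob, blen)` before the key-type string is read, so peer-supplied data reaches the certificate decoding path even when it announces `ssh-rsa` or `ssh-dss`. It would be tighter to read `ktype` first and take the X.509 path only for `KEY_X509_RSA`/`KEY_X509_DSA`, which keeps that parser out of reach of plain-key traffic and avoids a failed parse for every ordinary key. If the early call is needed because X.509 blobs carry no type prefix in this encoding, a comment saying so belongs at the call. The function continues beyond the hunk.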
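Review bot: In the `@@ -751,6 +870,11 @@` hunk the new X.509 case returns 0 when `x509key_to_blob` fails without releasing `b`, whereas the `default:` branch directly below calls `buffer_free(&b)` before it returns. Assuming `b` is initialised earlier in the function (outside this hunk), the failure path leaks the buffer; it should be `if (!x509key_to_blob(key, &b)) { buffer_free(&b); return 0; }`. An `error()` line like the one in the default branch would also make the failure visible in logs.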
@@ -850,9 +984,19 @@ fatal("key_demote: BN_dup failed"); break; default: - fatal("key_free: bad key type %d", k->type); + fatal("key_demote: bad key type %d", k->type); break; } + switch (k->type) { + case KEY_X509_RSA: + case KEY_X509_DSA: + if(k->x509) { + if ((pk->x509 = X509_dup(k->x509)) == NULL) + fatal("key_demote: X509_dup failed"); + } else + fatal("key_demote: no X509 data"); + break; + } return (pk); } diff -ruN openssh-3.8p1/key.h openssh-3.8p1+x509h/key.h --- openssh-3.8p1/key.h 2003-11-17 12:18:23.000000000 +0200 +++ openssh-3.8p1+x509h/key.h 2004-02-25 09:06:00.000000000 +0200 @@ -1,7 +1,9 @@ -/* $OpenBSD: key.h,v 1.23 2003/11/10 16:23:41 jakob Exp $ */ +/* $OpenBSD$ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * X509 certificates support, + * Copyright (c) 2002 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -28,12 +30,15 @@ #include #include +#include typedef struct Key Key; enum types { KEY_RSA1, KEY_RSA, KEY_DSA, + KEY_X509_RSA, + KEY_X509_DSA, KEY_UNSPEC }; enum fp_type { @@ -53,6 +58,7 @@ int flags; RSA *rsa; DSA *dsa; + X509 *x509; }; Key *key_new(int); diff -ruN openssh-3.8p1/LICENCE openssh-3.8p1+x509h/LICENCE --- openssh-3.8p1/LICENCE 2004-02-10 04:01:14.000000000 +0200 +++ openssh-3.8p1+x509h/LICENCE 2004-03-09 09:06:00.000000000 +0200 @@ -181,6 +181,7 @@ Per Allansson Nils Nordman Simon Wilkinson + Roumen Petrov Portable OpenSSH additionally includes code from the following copyright holders, also under the 2-term BSD license: @@ -329,4 +330,4 @@ ------ -$OpenBSD: LICENCE,v 1.18 2003/11/21 11:57:02 djm Exp $ +$OpenBSD$ diff -ruN openssh-3.8p1/log.c openssh-3.8p1+x509h/log.c --- openssh-3.8p1/log.c 2004-02-18 13:59:43.000000000 +0200 +++ openssh-3.8p1+x509h/log.c 2004-02-25 09:06:01.000000000 +0200 
@@ -34,7 +34,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: log.c,v 1.29 2003/09/23 20:17:11 markus Exp $"); +RCSID("$OpenBSD$"); #include "log.h" #include "xmalloc.h" @@ -260,6 +260,11 @@ } } +LogLevel +get_log_level(void) { + return log_level; +} + #define MSGBUFSIZ 1024 void diff -ruN openssh-3.8p1/log.h openssh-3.8p1+x509h/log.h --- openssh-3.8p1/log.h 2003-10-02 09:12:37.000000000 +0300 +++ openssh-3.8p1+x509h/log.h 2004-02-25 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -/* $OpenBSD: log.h,v 1.10 2003/09/23 20:17:11 markus Exp $ */ +/* $OpenBSD$ */ /* * Author: Tatu Ylonen @@ -49,6 +49,7 @@ } LogLevel; void log_init(char *, LogLevel, SyslogFacility, int); +LogLevel get_log_level(void); SyslogFacility log_facility_number(char *); LogLevel log_level_number(char *); diff -ruN openssh-3.8p1/Makefile.in openssh-3.8p1+x509h/Makefile.in --- openssh-3.8p1/Makefile.in 2004-02-18 05:35:11.000000000 +0200 +++ openssh-3.8p1+x509h/Makefile.in 2004-04-05 09:06:01.000000000 +0300 @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.257 2004/02/18 03:35:11 djm Exp $ +# $Id$ # uncomment if you run a non bourne compatable shell. Ie. csh #SHELL = @SH@ @@ -14,6 +14,7 @@ mandir=@mandir@ mansubdir=@mansubdir@ sysconfdir=@sysconfdir@ +sshcadir=@sshcadir@ piddir=@piddir@ srcdir=@srcdir@ top_srcdir=@top_srcdir@ @@ -30,6 +31,7 @@ STRIP_OPT=@STRIP_OPT@ PATHS= -DSSHDIR=\"$(sysconfdir)\" \ + -DSSHCADIR=\"$(sshcadir)\" \ -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \ -D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \ -D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \ @@ -59,6 +61,8 @@ INSTALL_SSH_PRNG_CMDS=@INSTALL_SSH_PRNG_CMDS@ INSTALL_SSH_RAND_HELPER=@INSTALL_SSH_RAND_HELPER@ +X509_OBJS=ssh-x509.o x509store.o ssh-ocsp.o + TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-agent$(EXEEXT) scp$(EXEEXT) ssh-rand-helper${EXEEXT} sftp-server$(EXEEXT) sftp$(EXEEXT) LIBSSH_OBJS=acss.o authfd.o authfile.o bufaux.o buffer.o \ 
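Review bot: `SSHCADIR` now gets two definitions: the `PATHS` hunk passes `-DSSHCADIR=\"$(sshcadir)\"` on the compiler command line, and the configure change also emits it into config.h through `AC_DEFINE_UNQUOTED(SSHCADIR, "$sshcadir", ...)`. The two agree only while nobody overrides `sshcadir` or `sysconfdir` at make time; if they differ, the compiler sees a redefinition and the CA directory actually compiled in is not the one the Makefile installs into. The existing `SSHDIR` is defined through `PATHS` only, so I would drop the `AC_DEFINE_UNQUOTED` and keep `AC_SUBST(sshcadir)`, with a comment such as `# SSHCADIR is passed via PATHS, like SSHDIR`.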
@@ -70,7 +74,7 @@ atomicio.o key.o dispatch.o kex.o mac.o uuencode.o misc.o \ rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o kexgex.o \ kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \ - entropy.o scard-opensc.o gss-genr.o + entropy.o scard-opensc.o gss-genr.o $(X509_OBJS) SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ sshconnect.o sshconnect1.o sshconnect2.o @@ -104,6 +108,10 @@ -e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \ -e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \ -e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \ + -e 's|/etc/ssh/ca/ca-bundle.crt|$(sshcadir)/ca-bundle.crt|g' \ + -e 's|/etc/ssh/ca/crt|$(sshcadir)/crt|g' \ + -e 's|/etc/ssh/ca/ca-bundle.crl|$(sshcadir)/ca-bundle.crl|g' \ + -e 's|/etc/ssh/ca/crl|$(sshcadir)/crl|g' \ -e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \ -e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \ -e 's|/etc/sshrc|$(sysconfdir)/sshrc|g' \ @@ -244,6 +252,8 @@ $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5 $(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8 $(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(sshcadir) + $(srcdir)/mkinstalldirs $(DESTDIR)$(piddir) (umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH)) $(INSTALL) -m 0755 $(STRIP_OPT) ssh $(DESTDIR)$(bindir)/ssh $(INSTALL) -m 0755 $(STRIP_OPT) scp $(DESTDIR)$(bindir)/scp @@ -370,7 +380,14 @@ -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8 -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1 -tests: $(TARGETS) + +tests: check + +# Target check is more common for projects using autoXXXX tools + +check: check-regress check-certs + +check-regress: $(TARGETS) BUILDDIR=`pwd`; \ [ -d `pwd`/regress ] || mkdir -p `pwd`/regress; \ [ -f `pwd`/regress/Makefile ] || \ 
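Review bot: In the `@@ -244,6 +252,8 @@` hunk the CA root directory is created with a bare `$(srcdir)/mkinstalldirs $(DESTDIR)$(sshcadir)`, so its mode follows whatever umask the installing user has, while the privilege-separation directory right after it is wrapped in `(umask 022 ; ...)`. This directory holds the trust anchors and revocation lists used to verify certificates, so a group- or world-writable result would let a local user alter the CA set. I would create it the same way: `(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(sshcadir))`. The added `mkinstalldirs $(DESTDIR)$(piddir)` looks unrelated to X.509 support and would be easier to review as a separate change.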
@@ -401,9 +418,29 @@ TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \ TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \ EXEEXT="$(EXEEXT)" \ - $@ + tests + + +check-certs: $(TARGETS) + @if test ! -d "tests/CA"; then \ + mkdir -p "tests/CA" || exit 1; \ + fi + @BUILDDIR="`pwd`"; \ + ( cd "tests/CA" && \ + $(MAKE) \ + TEST_SSH_SSH="$${BUILDDIR}/ssh" \ + TEST_SSH_SSHD="$${BUILDDIR}/sshd" \ + TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent" \ + TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add" \ + TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen" \ + TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan" \ + TEST_SSH_SFTP="$${BUILDDIR}/sftp" \ + TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server" \ + $@ ) + regressclean: if [ -f regress/Makefile -a -r regress/Makefile ]; then \ (cd regress && $(MAKE) clean) \ fi + (cd tests/CA && $(MAKE) clean) diff -ruN openssh-3.8p1/myproposal.h openssh-3.8p1+x509h/myproposal.h --- openssh-3.8p1/myproposal.h 2003-05-18 13:54:00.000000000 +0300 +++ openssh-3.8p1+x509h/myproposal.h 2004-02-25 09:06:00.000000000 +0200 @@ -1,7 +1,9 @@ -/* $OpenBSD: myproposal.h,v 1.15 2003/05/17 04:27:52 markus Exp $ */ +/* $OpenBSD$ */ /* * Copyright (c) 2000 Markus Friedl. All rights reserved. + * X509 certificates support, + * Copyright (c) 2002 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions 
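Review bot: `(cd tests/CA && $(MAKE) clean)` in regressclean is unguarded, so the target fails when tests/CA or its Makefile does not exist, while the regress line just above it is protected by `if [ -f regress/Makefile -a -r regress/Makefile ]`. The same guard fits here: `if [ -f tests/CA/Makefile ]; then (cd tests/CA && $(MAKE) clean); fi`. In check-certs the trailing `$@` hands the sub-make the target name `check-certs`, so a comment such as `# tests/CA/Makefile must provide a check-certs target` would save the next reader a lookup.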
@@ -24,7 +26,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #define KEX_DEFAULT_KEX "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" -#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" +#define KEX_DEFAULT_PK_ALG "x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss" #define KEX_DEFAULT_ENCRYPT \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ diff -ruN openssh-3.8p1/pathnames.h openssh-3.8p1+x509h/pathnames.h --- openssh-3.8p1/pathnames.h 2004-02-06 07:38:16.000000000 +0200 +++ openssh-3.8p1+x509h/pathnames.h 2004-02-25 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -/* $OpenBSD: pathnames.h,v 1.14 2004/01/30 09:48:57 markus Exp $ */ +/* $OpenBSD$ */ /* * Author: Tatu Ylonen 
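Review bot: `KEX_DEFAULT_PK_ALG` now lists `x509v3-sign-rsa,x509v3-sign-dss` ahead of the plain key types unconditionally, which includes builds configured with `--disable-x509store`, where according to the configure help text certificates are not verified. In such a build the X.509 algorithms are still preferred although they add certificate handling without adding assurance. Consider keeping `"ssh-rsa,ssh-dss"` first under `#ifdef SSH_X509STORE_DISABLED`, and add a comment above the macro that explains the chosen order.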
@@ -10,6 +10,29 @@ * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". + * + * X509 certificates support, + * Copyright (c) 2002 Roumen Petrov. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #define ETCDIR "/etc" 
@@ -172,3 +195,20 @@ #ifndef ASKPASS_PROGRAM #define ASKPASS_PROGRAM "/usr/lib/ssh/ssh-askpass" #endif /* ASKPASS_PROGRAM */ + + +#ifndef SSHCADIR +#define SSHCADIR SSHDIR "/ca" +#endif + +/* x509 user store */ +#define _PATH_USERCA_CERTIFICATE_FILE "~/" _PATH_SSH_USER_DIR "/ca-bundle.crt" +#define _PATH_USERCA_CERTIFICATE_PATH "~/" _PATH_SSH_USER_DIR "/crt" +#define _PATH_USERCA_REVOCATION_FILE "~/" _PATH_SSH_USER_DIR "/ca-bundle.crl" +#define _PATH_USERCA_REVOCATION_PATH "~/" _PATH_SSH_USER_DIR "/crl" + +/* x509 global store */ +#define _PATH_CA_CERTIFICATE_FILE SSHCADIR "/ca-bundle.crt" +#define _PATH_CA_CERTIFICATE_PATH SSHCADIR "/crt" +#define _PATH_CA_REVOCATION_FILE SSHCADIR "/ca-bundle.crl" +#define _PATH_CA_REVOCATION_PATH SSHCADIR "/crl" diff -ruN openssh-3.8p1/readconf.c openssh-3.8p1+x509h/readconf.c --- openssh-3.8p1/readconf.c 2003-12-17 07:33:11.000000000 +0200 +++ openssh-3.8p1+x509h/readconf.c 2004-04-05 09:06:01.000000000 +0300 
@@ -9,10 +9,33 @@ * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". + * + * X509 certificate support, + * Copyright (c) 2002-2004 Roumen Petrov. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: readconf.c,v 1.127 2003/12/16 15:49:51 markus Exp $"); +RCSID("$OpenBSD$"); #include "ssh.h" #include "xmalloc.h" @@ -25,6 +48,7 @@ #include "misc.h" #include "kex.h" #include "mac.h" +#include "tildexpand.h" /* Format of the configuration file: 
@@ -106,6 +130,14 @@ oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout, oAddressFamily, oGssAuthentication, oGssDelegateCreds, oServerAliveInterval, oServerAliveCountMax, + oX509rsaSigType, + oAllowedServerCertPurpose, + oCACertificateFile, oCACertificatePath, + oCARevocationFile, oCARevocationPath, + oUserCACertificateFile, oUserCACertificatePath, + oUserCARevocationFile, oUserCARevocationPath, + oVAType, oVACertificateFile, + oVAOCSPResponderURL, oDeprecated, oUnsupported } OpCodes; @@ -192,6 +224,19 @@ { "addressfamily", oAddressFamily }, { "serveraliveinterval", oServerAliveInterval }, { "serveralivecountmax", oServerAliveCountMax }, + { "x509rsasigtype", oX509rsaSigType }, + { "allowedcertpurpose", oAllowedServerCertPurpose }, + { "cacertificatefile", oCACertificateFile }, + { "cacertificatepath", oCACertificatePath }, + { "carevocationfile", oCARevocationFile }, + { "carevocationpath", oCARevocationPath }, + { "usercacertificatefile", oUserCACertificateFile }, + { "usercacertificatepath", oUserCACertificatePath }, + { "usercarevocationfile", oUserCARevocationFile }, + { "usercarevocationpath", oUserCARevocationPath }, + { "vatype", oVAType }, + { "vacertificatefile", oVACertificateFile }, + { "vaocspresponderurl", oVAOCSPResponderURL }, { NULL, oBadOption } }; 
@@ -744,11 +789,123 @@ intptr = &options->server_alive_count_max; goto parse_int; + case oX509rsaSigType: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + + if (strcasecmp(arg, "md5") == 0) + options->x509rsasigtype = SSH_X509RSA_MD5; + else if (strcasecmp(arg, "sha1") == 0) + options->x509rsasigtype = SSH_X509RSA_SHA1; + + if (options->x509rsasigtype < 0) { + fatal("%s line %d: Unsupported argument for X509rsaSigType.", + filename, linenum); + } + break; + + case oAllowedServerCertPurpose: + arg = strdelim(&s); + if (arg && *arg) { + if (strcasecmp(arg, "skip") == 0) goto skip_purpose; + + { /* convert string to OpenSSL index */ + int purpose_index; + purpose_index = ssh_get_x509purpose_s (0, arg); + if (purpose_index < 0) + fatal("config error: unsupported purpose '%.30s' in file %s line %d.", arg, filename, linenum); + + options->allowedcertpurpose = purpose_index; + } + } else { +skip_purpose: + options->allowedcertpurpose = -2; + verbose("config warning: option is set to don`t check certificate purpose in file %s line %d.", filename, linenum); + } + break; + +#ifndef SSH_X509STORE_DISABLED + case oCACertificateFile: + case oCACertificatePath: + case oCARevocationFile: + case oCARevocationPath: + case oUserCACertificateFile: + case oUserCACertificatePath: + case oUserCARevocationFile: + case oUserCARevocationPath: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + switch (opcode) { + case oCACertificateFile: + options->ca.certificate_file = xstrdup(arg); break; + case oCACertificatePath: + options->ca.certificate_path = xstrdup(arg); break; + case oCARevocationFile: + options->ca.revocation_file = xstrdup(arg); break; + case oCARevocationPath: + options->ca.revocation_path = xstrdup(arg); break; + case oUserCACertificateFile: + options->userca.certificate_file = xstrdup(arg); break; + case oUserCACertificatePath: + 
options->userca.certificate_path = xstrdup(arg); break; + case oUserCARevocationFile: + options->userca.revocation_file = xstrdup(arg); break; + case oUserCARevocationPath: + options->userca.revocation_path = xstrdup(arg); break; + default: + break; + } + break; +#endif /*ndef SSH_X509STORE_DISABLED*/ + +#ifdef SSH_OCSP_ENABLED + case oVAType: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + options->va.type = ssh_get_vatype_s(arg); + if (options->va.type < 0) + fatal("config error: OCSP Responder type '%.30s' in file %s line %d.", arg, filename, linenum); + break; + + case oVACertificateFile: + case oVAOCSPResponderURL: + arg = strdelim(&s); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + switch (opcode) { + default: + break; + case oVACertificateFile: + options->va.certificate_file = xstrdup(arg); break; + case oVAOCSPResponderURL: + options->va.responder_url = xstrdup(arg); break; + } + break; +#endif /*def SSH_OCSP_ENABLED*/ + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); return 0; +#ifdef SSH_X509STORE_DISABLED + case oCACertificateFile: + case oCACertificatePath: + case oCARevocationFile: + case oCARevocationPath: + case oUserCACertificateFile: + case oUserCACertificatePath: + case oUserCARevocationFile: + case oUserCARevocationPath: +#endif /*def SSH_X509STORE_DISABLED*/ +#ifndef SSH_OCSP_ENABLED + case oVAType: + case oVACertificateFile: + case oVAOCSPResponderURL: +#endif /*ndef SSH_OCSP_ENABLED*/ case oUnsupported: error("%s line %d: Unsupported option \"%s\"", filename, linenum, keyword); 
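Review bot: `AllowedCertPurpose` fails open: in the `oAllowedServerCertPurpose` case a missing or empty argument falls into the `skip_purpose` branch and sets `allowedcertpurpose = -2`, which per the accompanying message turns the purpose check off, and this is reported only at `verbose` level. A truncated config line therefore silently weakens server-certificate validation; I would start the case with `if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum);`, as the other new options do, and leave the explicit word `skip` as the only way to disable the check. In `oX509rsaSigType` an unrecognised value is caught only while the field is still negative, so a bad value on a later line is ignored once a valid one was seen; a final `else fatal(...)` after the `sha1` test closes that gap. The hunk sits inside a larger switch whose function starts outside it.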
@@ -873,8 +1030,56 @@ options->verify_host_key_dns = -1; options->server_alive_interval = -1; options->server_alive_count_max = -1; + options->x509rsasigtype = -1; + options->allowedcertpurpose = -1; +#ifndef SSH_X509STORE_DISABLED + options->ca.certificate_file = NULL; + options->ca.certificate_path = NULL; + options->ca.revocation_file = NULL; + options->ca.revocation_path = NULL; + options->userca.certificate_file = NULL; + options->userca.certificate_path = NULL; + options->userca.revocation_file = NULL; + options->userca.revocation_path = NULL; +#endif /*ndef SSH_X509STORE_DISABLED*/ +#ifdef SSH_OCSP_ENABLED + options->va.type = -1; + options->va.certificate_file = NULL; + options->va.responder_url = NULL; +#endif /*def SSH_OCSP_ENABLED*/ } +#ifndef SSH_X509STORE_DISABLED +static int +ssh_x509store_init (Options *options) { + int x509_store_loaded = 0; + + if(ssh_x509store_addlocations(&options->userca)) { + x509_store_loaded = 1; + } + if(ssh_x509store_addlocations(&options->ca)) { + x509_store_loaded = 1; + } + + return x509_store_loaded; +} +#endif /*ndef SSH_X509STORE_DISABLED*/ + +#ifndef SSH_X509STORE_DISABLED +static void +tilde_expand_filename2(const char **_fn, const char* _default) { + extern uid_t original_real_uid; + + if (*_fn == NULL) { + *_fn = tilde_expand_filename(_default, original_real_uid); + } else { + const char *p = *_fn; + *_fn = tilde_expand_filename(p, original_real_uid); + xfree((void*)p); + } +} +#endif /*ndef SSH_X509STORE_DISABLED*/ + /* * Called after processing other sources of option data, this fills those * options for which no value has been specified with their default values. 
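Review bot: `tilde_expand_filename2` has no comment, and its ownership rules are not obvious: it replaces `*_fn` with a newly expanded string and frees the previous value through `xfree((void*)p)`, casting away `const`. That is safe only if every non-NULL value passed in was heap-allocated, which holds for the `xstrdup` assignments in the option parser but would break as soon as a string literal is stored in one of the `userca` fields. I would add `/* Expand ~ in *_fn, or in _default when *_fn is NULL. *_fn must be NULL or xmalloc'ed; the old value is freed. */` above it. `ssh_x509store_init` likewise needs a line saying what its 0/1 result means, since the only visible caller discards it.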
@@ -996,4 +1201,33 @@ /* options->hostname will be set in the main program if appropriate */ /* options->host_key_alias should not be set by default */ /* options->preferred_authentications will be set in ssh */ + + if (options->x509rsasigtype == -1) + options->x509rsasigtype = SSH_X509RSA_MD5; + options->x509rsasigtype = ssh_x509rsasig(options->x509rsasigtype); + if (options->allowedcertpurpose == -1) + options->allowedcertpurpose = ssh_get_default_x509purpose(0); + ssh_set_x509purpose(0, options->allowedcertpurpose); +#ifndef SSH_X509STORE_DISABLED + if (options->ca.certificate_file == NULL) + options->ca.certificate_file = _PATH_CA_CERTIFICATE_FILE; + if (options->ca.certificate_path == NULL) + options->ca.certificate_path = _PATH_CA_CERTIFICATE_PATH; + if (options->ca.revocation_file == NULL) + options->ca.revocation_file = _PATH_CA_REVOCATION_FILE; + if (options->ca.revocation_path == NULL) + options->ca.revocation_path = _PATH_CA_REVOCATION_PATH; + + tilde_expand_filename2(&options->userca.certificate_file, _PATH_USERCA_CERTIFICATE_FILE); + tilde_expand_filename2(&options->userca.certificate_path, _PATH_USERCA_CERTIFICATE_PATH); + tilde_expand_filename2(&options->userca.revocation_file , _PATH_USERCA_REVOCATION_FILE ); + tilde_expand_filename2(&options->userca.revocation_path , _PATH_USERCA_REVOCATION_PATH ); + + ssh_x509store_init(options); +#endif /*ndef SSH_X509STORE_DISABLED*/ +#ifdef SSH_OCSP_ENABLED + if (options->va.type == -1) + options->va.type = ssh_get_default_vatype(); + ssh_set_validator(&options->va); +#endif /*def SSH_OCSP_ENABLED*/ } diff -ruN openssh-3.8p1/readconf.h openssh-3.8p1+x509h/readconf.h --- openssh-3.8p1/readconf.h 2003-12-17 07:33:11.000000000 +0200 +++ openssh-3.8p1+x509h/readconf.h 2004-04-05 09:06:00.000000000 +0300 @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.h,v 1.59 2003/12/16 15:49:51 markus Exp $ */ +/* $OpenBSD$ */ /* * Author: Tatu Ylonen 
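Review bot: The default for `x509rsasigtype` is `SSH_X509RSA_MD5`, so unless the user sets `X509rsaSigType sha1`, RSA certificate signatures apparently use an MD5 digest. MD5 is not collision resistant; `options->x509rsasigtype = SSH_X509RSA_SHA1;` would make the stronger of the two supported digests the default and leave `md5` as an opt-in for peers that need it, though interoperability with existing deployments should be checked first. The return value of `ssh_x509store_init(options)` is also discarded, so a client that could load no CA location proceeds without a message; a `debug` line when it returns 0 would help diagnose later verification failures. This is the tail of a function that begins outside the hunk.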
@@ -11,12 +11,36 @@ * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". + * + * X509 certificate support, + * Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef READCONF_H #define READCONF_H #include "key.h" +#include "x509store.h" /* Data structure for representing a forwarding request. */ 
@@ -102,6 +126,21 @@ int no_host_authentication_for_localhost; int server_alive_interval; int server_alive_count_max; + + /* rumen-XXX: X509 RSA signature type: md5=0, sha1=1 */ + int x509rsasigtype; + /* allowed server certificate purpose */ + int allowedcertpurpose; +#ifndef SSH_X509STORE_DISABLED + /* sshd PKI(X509) global store */ + X509StoreOptions ca; + /* sshd PKI(X509) user store */ + X509StoreOptions userca; +#endif /*ndef SSH_X509STORE_DISABLED*/ +#ifdef SSH_OCSP_ENABLED + /* ssh X.509 extra validation */ + VAOptions va; +#endif /*def SSH_OCSP_ENABLED*/ } Options; diff -ruN openssh-3.8p1/README.x509v3 openssh-3.8p1+x509h/README.x509v3 --- openssh-3.8p1/README.x509v3 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/README.x509v3 2004-03-20 12:56:57.000000000 +0200 
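Review bot: The comments on the two store members say `sshd`, but this hunk extends the client's `Options` struct in readconf.h, so they look copied from the server header. I would change them to `/* ssh PKI(X509) global store */` and `/* ssh PKI(X509) user store */`. The comment on `allowedcertpurpose` could also record that -1 means "not set", since the defaults hunk for the client tests `options->allowedcertpurpose == -1`. The struct starts outside this hunk.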
@@ -0,0 +1,447 @@ + Roumen Petrov + Sofia, Bulgaria + Sat Mar 20 2004 + +How to use X.509 certificates with OpenSSH? + + +Identity or hostkey file for protocol version 2 can contain private key +plus X.509 certificate in PEM format. Note that protocol version 2 keys +are in PEM format. To use X.509 certificate as identity or hostkey user +should convert certificate in PEM format and append to file. After this +with "ssh-keygen -y ..." user must update "pub" file. +File (identity or hostkey) with X.509 certificate (RSA key): +-----BEGIN RSA PRIVATE KEY----- +..... +-----END RSA PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +..... +-----END CERTIFICATE----- +Note that to use X.509 certificates in OpenSSH files must contain +private key followed by certificate. + + +1.) server configuration: + +1.1.) .../sshd_config + +1.1.1.) AllowedCertPurpose sslclient + The intended use off the X.509 client certificate. + +1.1.2.) "X509 store". + Server use "X509 store" to verify and validate client keys. + +1.1.2.1.) CACertificateFile /etc/ssh/ca/ca-bundle.crt + This file contain multiple certificates of certificate signers in PEM +format concatenated together. You can get a copy from openssl, apache, +KDE, mutt, etc. packages. Original file might is exported from Netscape +certificate database and one download URL is: + http://www.modssl.org/contrib/ca-bundle.crt.tar.gz + +1.1.2.2.) CACertificatePath /etc/ssh/ca/crt + "Hash dir" with certificates of certificate signers. Each certificate +should be stored in separate file with name [HASH].[NUMBER], where +[HASH] is certificate hash value and [NUMBER] is an integer starting +from zero. Hash is result from command like this: +$ openssl x509 -in certificate_file_name -noout -hash + +1.1.2.3.) CARevocationFile /etc/ssh/ca/ca-bundle.crl + This file contain multiple "Certificate Revocation List" (CRL) of +certificate signers in PEM format concatenated together. + +1.1.2.4.) 
CARevocationPath /etc/ssh/ca/crl + "Hash dir" with "Certificate Revocation List" (CRL) of certificate +signers. Each CRL should be stored in separate file with name +[HASH].r[NUMBER], where [HASH] is CRL hash value and [NUMBER] is an +integer starting from zero. Hash is result from command like this: +$ openssl crl -in crl_file_name -noout -hash + +1.1.3.) HostKey files... + Host key for protocol version 2 can contain private key plus X.509 +certificate in PEM format. + +1.1.4.) X509rsaSigType=md5 + Specifies prefered signature digest type for "x509v3-sign-rsa" keys. +The possible values are "md5" and "sha1". When X.509 certificate +signature blob fail with specified value, server try other and print +log message like this: +... X509COMPAT: RSA succeed for sha1 digest ... +This options is intended to collect information about default +signature digest type in other SecSH implementations. +When you see this PLEASE send a EMAIL with "X509COMPAT" lines +from log files. + +1.1.5.) VAType none + Specifies whether `Online Certificate Status Protocol' (OCSP) is used + to validate client X.509 certificates. Specified value is used only + when OpenSSH is build with OCSP support. See sshd_config(5) man page + for allowed values and other VA* options. + +1.2.) user files on the server + Append in USER_HOME/.ssh/authorized_keys a record with following +format: +{|CertBlob} +where: +KEY_TYPE:=x509v3-sign-rsa|x509v3-sign-dss (case sensitive !) +WORDDN:={Distinguished Name| + Distinguished-Name| + Distinguished_Name| + DistinguishedName| + DN| + Subject} +WORDDNSUFF:='='|':'|'' +NOTES: +- WORDDN is case insensitive ! + +- is like output from command: +$ openssl x509 -noout -subject -in A_CERTIFICATE_FILE + +- can be in RFC2253 format like output from command: +$ openssl x509 -noout -subject -in A_CERTIFICATE_FILE -nameopt RFC2253 + +- Order of items in is not important and separator +can be symbol "/", "," or mixed. 
All following subjects are equal: +a)CN=dsa test certificate,OU=OpenSSH Testers,O=Test Team,ST=World,C=XX +b)/C=XX/ST=World/O=Test Team/OU=OpenSSH Testers/CN=dsa test certificate +c)/O=Test Team/OU=OpenSSH Testers/C=XX/ST=World/CN=dsa test certificate +d)O=Test Team,OU=OpenSSH Testers/C=XX,ST=World/CN=dsa test certificate + +- CertBlob is uuencoded sequence of bytes in only one line. + +Shell sample: +- "Distinguished Name" format: +$ ( printf 'x509v3-sign-rsa '; + openssl x509 -noout -subject \ + -in A_OPENSSH_IDENTITY_FILE \ + ) >> $HOME/.ssh/authorized_keys + +- "blob" format: +$ cat A_OPENSSH_IDENTITY_FILE.pub \ + >> $HOME/.ssh/authorized_keys + +NOTES: +- adjust user authorized_keys file ownership - user must have at least +read access. +- SecSH X.509 key type is "x509v3-sign-rsa" or "x509v3-sign-dss". +- When OpenSSH is build with "--disable-x509store" YOU CANNOT USE +"Distinguished Name" format. You shold use ONLY "blob" format. + + +2.) client settings: +2.1.) IdentityFile + Depends from client. To use X.509 certificate "OpenSSH id-file" must +contain both sections - private key and certificate in PEM format: +Note: Don't forget to update public key file with command: +$ ssh-keygen -y -f IDENTITY_FILE > IDENTITY_FILE.pub +Command ssh-add use public key file! + +2.2.) global ssh_config, $HOME/.ssh/config or command line + +2.2.1.) AllowedCertPurpose sslserver + The intended use of the X.509 server certificate. + +2.2.2.) "X509 store". + Client use "X509 store" to verify and validate server hostkey. + See p. 1.1.2.) and check the options: +- [User]CACertificatePath; +- [User]CACertificateFile; +- [User]CARevocationFile; +- [User]CARevocationPath. + +Note: When we use own CA we must import CA certificate[s] to +"X509 store". More info on: + http://roumenpetrov.info/domino_CA/#dca2bundle + +2.2.3.) X509rsaSigType=md5 + Temporary option. Specifies signature digest type for +'x509v3-sign-rsa' keys. The possible values are "md5" and "sha1". 
Use +this option only in session with other SecSH servers with X.509 +certificates as identity or host key. When ssh print message like this +... X509COMPAT: RSA succeed for sha1 digest ... +PLEASE send a EMAIL with this message. +When you cannot use X.509 certificate as identity in session with other +SecSH implementations try this option. Example: +$ ssh -o X509rsaSigType=sha1 .... non_openssh_host + +Note: ssh-agent use only md5 digest for X.509 certificates. + +2.2.4.) VAType none + Specifies whether `Online Certificate Status Protocol' (OCSP) is used + to validate server X.509 certificates. Specified value is used only + when OpenSSH is build with OCSP support. See ssh_config(5) man page + for allowed values and other VA* options. + + +3.) test X.509 certificates. + +3.1.) In openssh build dir run "make check" or "make test". + Both commands are equivalent and run regression tests. + If you lake to test only X.509 certificates you can run +$ make check-certs + + If certificate test scripts fail might you should setup test +configuration in the file OPENSSH_SOURCE_PATH/tests/CA/config or +use some environment variables. Used variables are described +later in the document. + + Output from "make check-certs" is in color and when is redirected to +file later we can see content best with command "less -r ...". + When script run a test command print star '*' followed by simple +information about command. When command succeed script print at right +"done" in GREEN(!) otherwise "failed" in RED(!). After failed command +script show on next lines in RED(!) response, skip execution of next +command/script, print message like this: +.... +Testing OpenSSH client with certificates finished. + status: failed +.... + Note that failed is in RED(!) and exit code is NONZERO(!). + Some command in a test script must fail. Part of "simple information" +about command expected to fail is in RED(!). 
When command fail script +print "done" (THIS IS CORRECT - COMMAND MUST FAIL) and on next lines +print in GREEN(!) response. Usually this occur when server reject logon. +WHEN ALL TESTS SUCCEED output is: +.... +Testing OpenSSH client with certificates finished. + status: done +.... + Note that "done" is in GREEN(!) and exit code is ZERO(!). + +3.1.1.) Description of variables in Makefile file: + - SHELL + Used shell to run tests. Supported shell are bash, ksh, zsh and ash. + Script might run without porblems on standard unix sh. + Example: + $ make check-certs SHELL=/bin/zsh + +3.1.2.) Description of variables in config file: + +3.1.2.1.) main variables: + - SUDO + (only in config) + on some system sshd must be started as root. + If necessary set variable to sudo and configure sudo'ers. + - TMPDIR + (environment or config) + directory for temporary files. If not set its value is selected + from /tmp, /var/tmp or /usr/tmp. + - SSH_X509TESTS + (environment or config) + list with test scripts. A test script is in file with following + name: test-.sh.inc. + +3.1.2.2.) openssl: + - OPENSSL + (environment or config) + path to openssl binary. The default is result from command: + `which openssl`. + - RSA_DIGEST_LIST + (environment or config) + list with RSA digests in support of openssl. The default value is + build at run time from following digest list "md5 sha1 md2 md4 + rmd160" and contain only supported from openssl. + +3.1.2.3.) server section: + Read sshd_config.5 manual page for valid values. + - SSHD_PORT + (environment or config) + specifies the port number that server listens on and client connect + to on localhost. The default is 20022. + - SSHD_LISTENADDRESS + (only in config) + Same as sshd option "ListenAddress" but without(!) port number. + The default is "127.0.0.1". + - SSHSERVER_USEPRIVILEGESEPARATION="yes": + (only in config) + sshd "UsePrivilegeSeparation" option. + if necessary set to "no", to disable privilege separation. 
+ - SSHSERVER_SYSLOGFACILITY=AUTH + (only in config) + sshd "SyslogFacility" option. + - SSHSERVER_LOGLEVEL=INFO + (only in config) + sshd 'LogLevel' option. + +3.1.2.4.) certificates: + - Variables related to test certificates and CA. + (only in config) + +3.1.2.5.) OCSP responder: + Used only when OpenSSH is build with OCSP support! + Variables related to OCSP tests. + - SSH_VA_BASEPORT + (environment or config) + test script run one or more OCSP responders at same once. First + responder listen on specified port, second on port plus one and + etc. The default is 20080. + - SSH_OPENSLL_OCSP_TMOUT=60 + (config) + Wait specified number of seconds sockets opened by OCSP responders + to close. After this test script continue with next step. + This is work around for missing SO_REUSEADDR socket option in + OpenSSL OCSP responder. + +3.1.3.) Sample commands to run tests: +$ OPENSSL=/usr/local/ssl/bin/openssl make check-certs +$ SSHD_PORT=1122 SSH_X509TESTS="agent blob_auth" make check-certs +$ RSA_DIGEST_LIST="md5 sha1" make check-certs +$ make check-certs SHELL=/bin/ksh + +When check fail see "Troubleshooting" later in document. + + +3.2.) Current test scripts uses only rsa as server hostkey. + To test sshd with X.509 certificate please find in file +openssh_tests.sh variable TEST_SSHD_HOSTKEY and change it. Sample: +TEST_SSH_HOSTKEY="${CWD}/testhostkey_rsa-rsa_md5" + + +3.3.) Test SecSH from "Microsoft Windows OS-es". + This is not part of document. +Tips: use created after "make check-certs" files: +- convert OPENSSH_BUILD_PATH/tests/CA/ca-test/crt/*crt.pem CA + certificates from PEM to DER format and import in + "Windows keystore"; +- import OPENSSH_BUILD_PATH/tests/CA/testid_*.p12 files in + "Windows keystore"; +- setup your client to use certificate[s](see SecSH client manuals). +DON'T FORGET TO REMOVE entries from "Windows keystore" after test! + + +3.4.) Go to OPENSSH_BUILD_PATH/tests/CA and run command "make clean" to +remove all client/server and CA files. 
+ + +3.5.) files in OPENSSH_SOURCE_PATH/tests/CA directory: +config: + Configuration file. + +shell.rc: + Shell settings. + +1-cre_cadb.sh: + Create "Test CA" directories and files. + +2-cre_cakeys.sh: + Create "Test CA" private keys and certificates. + +3-cre_certs.sh: + Create client/server certificates. + This command create files with mask + "PATH_TO_KEYFILEn-[.]" + , where is in format "rsa_" or "dsa". + DIGEST are form variable "RSA_DIGEST_LIST" specified in "config" + file. Files without extention are openssh identity or hostkey files. + File with .pub extention contain openssh public key (BLOB format). + File with .crt extention contain openssl "text output" for identity + files. Files with .p12 extention are for "Microsoft Windows keystore". +Note: .p12 = .pfx for Windows. +4-cre_crls.sh: + Revoke part of client certificates. + +verify.sh: + To check certificates against "Test CA". Note: check only + testid_*.crt and testhostkey_*.crt files in current directory. + +functions: + Common usefull functions. + +openssh_tests.sh: + Main test script - call other testscripts. + +test-blob_auth.sh.inc, +test-dn_auth_file.sh.inc, +test-dn_auth_path.sh.inc, +test-agent.sh.inc, +test-crl.sh.inc: + Test shell scripts. See DESCRIPTION in each file. + +Note that hostbased authentication we cannot test without to install. +Generated testhostkey_* certificates are with sslserver and sslclient +purposes and you can use them to test manually hostbased authentication. + + +4.) Troubleshooting +"make check-certs" fails on: + +4.1.) "generating a new ... private key for the TEST CA ..." +Usually this happen on system without /dev/{u}random. +In file [BUILDDIR]/tests/CA/openssh_ca-2.log we can see a message: +"... PRNG not seeded ...". +Read again WARNING.RNG from OpenSSH sourcedir and/or +http://www.openssl.org/support/faq.html + +4.1.1.) reconfigure your system and/or openssl +4.1.2.) or do next +4.1.2.1.) 
install OpenSSH :-( otherwise later "make check-certs" +(ssh-keygen) fail with message: +"couldn't exec '.../libexec/ssh-rand-helper': ..." +and second ./ssh-rand-helper fail with message: +"couldn't read entropy commands file ../ssh_prng_cmds: ..." +Tip: configure OpenSSH with prefix for example $HOME/test + +4.1.2.2.) run: +ssh-rand-helper +rm -f $HOME/.rnd +ln -s .ssh/prng_seed $HOME/.rnd + +4.1.2.3.) test openssl with command: +/usr/local/ssl/bin/openssl genrsa -des3 -passout pass:change_it +Tip: before to create every key with OpenSSL run ssh-rand-helper ! + +4.1.2.4.) run again "... make check-certs ..." + +4.2.) fail on first check: "* rsa_md5 valid blob failed" +- Usually SUDO command is not set. See p. 3.1.2.1. +- When you build with tcpwrappers your hosts.allow must permit +connections from localhost, otherwise you can see in failed message +text like this: "... connection closed by remote host ..." + +4.3.) fail on "starting OCSP responder(XXX) on YYY:NNNNN failed" +- Ensure sequence of about six free ports and use SSH_VA_BASEPORT + to specify first of them. +- Ensure enough timeout previous running OCSP responders to free + ports. Increase value of SSH_OPENSLL_OCSP_TMOUT in test config file. + + +5.) FAQ + +Q.) How to convert a certificate from DER to PEM format? +A.) Run command "openssl x509 ..." with command line options +-inform/-outform - you can select one of formats: DER, NET or PEM. +The default is PEM. + +Q.) How to convert pfx to p12 file? +A.) Just change file extension ;-). + +Q.) How to use my p12 file in OpenSSH as identity? +A.) Run commands: +$ openssl pkcs12 -in FILE.p12 -clcerts > id_x509 +$ ssh-keygen -f id_x509 -y > id_x509.pub + Don't forget to set properly permition on file id_x509, as +example "chmod 600 id_x509". + Note name of identity file can be one of defaults: + 'id_rsa' or 'id_dsa'. + Configure client. + +Q.) How to use p12 file in OpenSSH as hostkey? +A.) Note that host keys are password less! 
+ It is similar to client identity. + Remember umask settings. + Run as root commands: +# umask 0077 +# openssl pkcs12 -in FILE.p12 -clcerts > ssh_host_x509 + Note: you must enter export password! +# ssh-keygen -p -f ssh_host_x509 -N '' + Now hostkey file is password less ! +# ssh-keygen -f ssh_host_x509 -y > ssh_host_x509.pub + Restore umask settings. + Note name of hostkey file can be one of defaults: + 'ssh_host_dsa_key' or 'ssh_host_rsa_key'. + Configure server, test configuration with command +# sshd -t ..../sshd_config + and start/restart the server. Don't forget to inform users + that hostkey is changed! + + +Enjoy ;-) diff -ruN openssh-3.8p1/scp.0 openssh-3.8p1+x509h/scp.0 --- openssh-3.8p1/scp.0 2004-02-24 08:22:59.000000000 +0200 +++ openssh-3.8p1+x509h/scp.0 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -SCP(1) OpenBSD Reference Manual SCP(1) +SCP(1) System General Commands Manual SCP(1) NAME scp - secure copy (remote file copy program) @@ -28,8 +28,8 @@ -6 Forces scp to use IPv6 addresses only. - -B Selects batch mode (prevents asking for passwords or passphras- - es). + -B Selects batch mode (prevents asking for passwords or + passphrases). -C Compression enable. Passes the -C flag to ssh(1) to enable com- pression. 
@@ -54,50 +54,7 @@ Can be used to pass options to ssh in the format used in ssh_config(5). This is useful for specifying options for which there is no separate scp command-line flag. For full details of - the options listed below, and their possible values, see - ssh_config(5). - - AddressFamily - BatchMode - BindAddress - ChallengeResponseAuthentication - CheckHostIP - Cipher - Ciphers - Compression - CompressionLevel - ConnectionAttempts - ConnectionTimeout - GlobalKnownHostsFile - GSSAPIAuthentication - GSSAPIDelegateCredentials - Host - HostbasedAuthentication - HostKeyAlgorithms - HostKeyAlias - HostName - IdentityFile - LogLevel - MACs - NoHostAuthenticationForLocalhost - NumberOfPasswordPrompts - PasswordAuthentication - Port - PreferredAuthentications - Protocol - ProxyCommand - PubkeyAuthentication - RhostsRSAAuthentication - RSAAuthentication - ServerAliveInterval - ServerAliveCountMax - SmartcardDevice - StrictHostKeyChecking - TCPKeepAlive - UsePrivilegedPort - User - UserKnownHostsFile - VerifyHostKeyDNS + the options and their possible values, see ssh_config(5). -P port Specifies the port to connect to on the remote host. Note that @@ -135,4 +92,4 @@ Timo Rinne Tatu Ylonen -OpenBSD 3.4 September 25, 1999 3 +BSD September 25, 1999 BSD diff -ruN openssh-3.8p1/scp.1 openssh-3.8p1+x509h/scp.1 --- openssh-3.8p1/scp.1 2003-12-17 07:33:11.000000000 +0200 +++ openssh-3.8p1+x509h/scp.1 2004-03-09 09:06:00.000000000 +0200 @@ -9,7 +9,7 @@ .\" .\" Created: Sun May 7 00:14:37 1995 ylo .\" -.\" $OpenBSD: scp.1,v 1.32 2003/12/16 15:49:51 markus Exp $ +.\" $OpenBSD$ .\" .Dd September 25, 1999 .Dt SCP 1 
@@ -113,52 +113,8 @@ for which there is no separate .Nm scp command-line flag. -For full details of the options listed below, and their possible values, see +For full details of the options and their possible values, see .Xr ssh_config 5 . -.Pp -.Bl -tag -width Ds -offset indent -compact -.It AddressFamily -.It BatchMode -.It BindAddress -.It ChallengeResponseAuthentication -.It CheckHostIP -.It Cipher -.It Ciphers -.It Compression -.It CompressionLevel -.It ConnectionAttempts -.It ConnectionTimeout -.It GlobalKnownHostsFile -.It GSSAPIAuthentication -.It GSSAPIDelegateCredentials -.It Host -.It HostbasedAuthentication -.It HostKeyAlgorithms -.It HostKeyAlias -.It HostName -.It IdentityFile -.It LogLevel -.It MACs -.It NoHostAuthenticationForLocalhost -.It NumberOfPasswordPrompts -.It PasswordAuthentication -.It Port -.It PreferredAuthentications -.It Protocol -.It ProxyCommand -.It PubkeyAuthentication -.It RhostsRSAAuthentication -.It RSAAuthentication -.It ServerAliveInterval -.It ServerAliveCountMax -.It SmartcardDevice -.It StrictHostKeyChecking -.It TCPKeepAlive -.It UsePrivilegedPort -.It User -.It UserKnownHostsFile -.It VerifyHostKeyDNS -.El .It Fl P Ar port Specifies the port to connect to on the remote host. Note that this option is written with a capital diff -ruN openssh-3.8p1/servconf.c openssh-3.8p1+x509h/servconf.c --- openssh-3.8p1/servconf.c 2004-01-23 13:03:10.000000000 +0200 +++ openssh-3.8p1+x509h/servconf.c 2004-04-05 09:06:01.000000000 +0300 
@@ -7,10 +7,33 @@ * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". + * + * X509 certificate support, + * Copyright (c) 2002-2004 Roumen Petrov. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: servconf.c,v 1.130 2003/12/23 16:12:10 jakob Exp $"); +RCSID("$OpenBSD$"); #include "ssh.h" #include "log.h" 
@@ -101,6 +124,19 @@ options->client_alive_count_max = -1; options->authorized_keys_file = NULL; options->authorized_keys_file2 = NULL; + options->x509rsasigtype = -1; + options->allowedcertpurpose = -1; +#ifndef SSH_X509STORE_DISABLED + options->ca.certificate_file = NULL; + options->ca.certificate_path = NULL; + options->ca.revocation_file = NULL; + options->ca.revocation_path = NULL; +#endif /*ndef SSH_X509STORE_DISABLED*/ +#ifdef SSH_OCSP_ENABLED + options->va.type = -1; + options->va.certificate_file = NULL; + options->va.responder_url = NULL; +#endif /*def SSH_OCSP_ENABLED*/ /* Needs to be accessable in many places */ use_privsep = -1; @@ -228,6 +264,29 @@ if (options->authorized_keys_file == NULL) options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS; + if (options->x509rsasigtype == -1) + options->x509rsasigtype = SSH_X509RSA_MD5; + options->x509rsasigtype = ssh_x509rsasig(options->x509rsasigtype); + if (options->allowedcertpurpose == -1) + options->allowedcertpurpose = ssh_get_default_x509purpose(1); + ssh_set_x509purpose(1, options->allowedcertpurpose); +#ifndef SSH_X509STORE_DISABLED + if (options->ca.certificate_file == NULL) + options->ca.certificate_file = _PATH_CA_CERTIFICATE_FILE; + if (options->ca.certificate_path == NULL) + options->ca.certificate_path = _PATH_CA_CERTIFICATE_PATH; + if (options->ca.revocation_file == NULL) + options->ca.revocation_file = _PATH_CA_REVOCATION_FILE; + if (options->ca.revocation_path == NULL) + options->ca.revocation_path = _PATH_CA_REVOCATION_PATH; + ssh_x509store_addlocations(&options->ca); +#endif /*ndef SSH_X509STORE_DISABLED*/ +#ifdef SSH_OCSP_ENABLED + if (options->va.type == -1) + options->va.type = ssh_get_default_vatype(); + ssh_set_validator(&options->va); +#endif /*def SSH_OCSP_ENABLED*/ + /* Turn privilege separation on by default */ if (use_privsep == -1) use_privsep = 1; @@ -240,7 +299,6 @@ options->compression = 0; } #endif - } /* Keyword tokens. */ 
@@ -268,6 +326,12 @@ sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2, sGssAuthentication, sGssCleanupCreds, sUsePrivilegeSeparation, + sX509rsaSigType, + sAllowedClientCertPurpose, + sCACertificateFile, sCACertificatePath, + sCARevocationFile, sCARevocationPath, + sVAType, sVACertificateFile, + sVAOCSPResponderURL, sDeprecated, sUnsupported } ServerOpCodes; @@ -366,6 +430,15 @@ { "authorizedkeysfile", sAuthorizedKeysFile }, { "authorizedkeysfile2", sAuthorizedKeysFile2 }, { "useprivilegeseparation", sUsePrivilegeSeparation}, + { "x509rsasigtype", sX509rsaSigType }, + { "allowedcertpurpose", sAllowedClientCertPurpose }, + { "cacertificatefile", sCACertificateFile }, + { "cacertificatepath", sCACertificatePath }, + { "carevocationfile", sCARevocationFile }, + { "carevocationpath", sCARevocationPath }, + { "vatype", sVAType }, + { "vacertificatefile", sVACertificateFile }, + { "vaocspresponderurl", sVAOCSPResponderURL }, { NULL, sBadOption } }; 
@@ -892,6 +965,90 @@ intptr = &options->client_alive_count_max; goto parse_int; + case sX509rsaSigType: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + + if (strcasecmp(arg, "md5") == 0) + options->x509rsasigtype = SSH_X509RSA_MD5; + else if (strcasecmp(arg, "sha1") == 0) + options->x509rsasigtype = SSH_X509RSA_SHA1; + + if (options->x509rsasigtype < 0) { + fatal("config error: unsupported X509rsaSigType '%.30s' in file %s line %d.", arg, filename, linenum); + } + break; + + case sAllowedClientCertPurpose: + arg = strdelim(&cp); + if (arg && *arg) { + if (strcasecmp(arg, "skip") == 0) goto skip_purpose; + + { /* convert string to OpenSSL index */ + int purpose_index; + purpose_index = ssh_get_x509purpose_s (1, arg); + if (purpose_index < 0) + fatal("config error: unsupported purpose '%.30s' in file %s line %d.", arg, filename, linenum); + + options->allowedcertpurpose = purpose_index; + } + } else { +skip_purpose: + options->allowedcertpurpose = -2; + verbose("config warning: option is set to don't check certificate purpose in file %s line %d.", filename, linenum); + } + break; + +#ifndef SSH_X509STORE_DISABLED + case sCACertificateFile: + case sCACertificatePath: + case sCARevocationFile: + case sCARevocationPath: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + switch (opcode) { + case sCACertificateFile: + options->ca.certificate_file = xstrdup(arg); break; + case sCACertificatePath: + options->ca.certificate_path = xstrdup(arg); break; + case sCARevocationFile: + options->ca.revocation_file = xstrdup(arg); break; + case sCARevocationPath: + options->ca.revocation_path = xstrdup(arg); break; + default: + break; + } + break; +#endif /*ndef SSH_X509STORE_DISABLED*/ + +#ifdef SSH_OCSP_ENABLED + case sVAType: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + options->va.type 
= ssh_get_vatype_s(arg); + if (options->va.type < 0) + fatal("config error: OCSP Responder type '%.30s' in file %s line %d.", arg, filename, linenum); + break; + + case sVACertificateFile: + case sVAOCSPResponderURL: + arg = strdelim(&cp); + if (!arg || *arg == '\0') + fatal("%s line %d: Missing argument.", filename, linenum); + switch (opcode) { + default: + break; + case sVACertificateFile: + options->va.certificate_file = xstrdup(arg); break; + case sVAOCSPResponderURL: + options->va.responder_url = xstrdup(arg); break; + } + break; +#endif /*def SSH_OCSP_ENABLED*/ + case sDeprecated: logit("%s line %d: Deprecated option %s", filename, linenum, arg); @@ -899,6 +1056,17 @@ arg = strdelim(&cp); break; +#ifdef SSH_X509STORE_DISABLED + case sCACertificateFile: + case sCACertificatePath: + case sCARevocationFile: + case sCARevocationPath: +#endif /*def SSH_X509STORE_DISABLED*/ +#ifndef SSH_OCSP_ENABLED + case sVAType: + case sVACertificateFile: + case sVAOCSPResponderURL: +#endif /*ndef SSH_OCSP_ENABLED*/ case sUnsupported: logit("%s line %d: Unsupported option %s", filename, linenum, arg); diff -ruN openssh-3.8p1/servconf.h openssh-3.8p1+x509h/servconf.h --- openssh-3.8p1/servconf.h 2003-12-31 02:37:34.000000000 +0200 +++ openssh-3.8p1+x509h/servconf.h 2004-04-05 09:06:00.000000000 +0300 @@ -1,4 +1,4 @@ -/* $OpenBSD: servconf.h,v 1.67 2003/12/23 16:12:10 jakob Exp $ */ +/* $OpenBSD$ */ /* * Author: Tatu Ylonen 
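Review bot: In `case sAllowedClientCertPurpose:` a missing or empty argument takes the same branch as `skip` and sets `options->allowedcertpurpose = -2`, which the accompanying message describes as not checking the certificate purpose, and it is reported only through `verbose()`. Every other new option in this hunk treats a missing argument as fatal; this one should too, with `if (!arg || *arg == '\0') fatal("%s line %d: Missing argument.", filename, linenum);` placed before the `skip` comparison, and the skip message raised to `logit()`. Separately, `case sX509rsaSigType:` rejects an unknown value only while the field is still negative, so a misspelled value on a later line is silently ignored once an earlier line set it; a final `else fatal(...)` on the `strcasecmp` chain would close that. The enclosing function starts outside the hunk.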
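Review bot: When the build lacks the X.509 store or OCSP support, the `sCACertificate*`, `sCARevocation*` and `sVA*` cases fall through to `case sUnsupported:` and are only reported with `logit()`. An operator who sets `CARevocationFile` or `VAType` on such a build would presumably get a running server without the revocation or OCSP checking the configuration asks for. I would make these security-relevant keywords fatal in that configuration, for example `fatal("%s line %d: option %s requires X.509 store/OCSP support", filename, linenum, arg);`, instead of sharing the generic unsupported path. The rest of the `sUnsupported` case lies outside the hunk.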
@@ -11,11 +11,36 @@ * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". + * + * X509 certificate support, + * Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #ifndef SERVCONF_H #define SERVCONF_H +#include "x509store.h" + #define MAX_PORTS 256 /* Max # ports. */ #define MAX_ALLOW_USERS 256 /* Max # users on allow list. */ 
@@ -125,6 +150,19 @@ char *authorized_keys_file; /* File containing public keys */ char *authorized_keys_file2; int use_pam; /* Enable auth via PAM */ + + /* rumen-XXX: X509 RSA signature type: md5=0, sha1=1 */ + int x509rsasigtype; + /* allowed client certificate purpose */ + int allowedcertpurpose; +#ifndef SSH_X509STORE_DISABLED + /* sshd PKI(X509) global store */ + X509StoreOptions ca; +#endif /*ndef SSH_X509STORE_DISABLED*/ +#ifdef SSH_OCSP_ENABLED + /* ssh X.509 extra validation */ + VAOptions va; +#endif /*def SSH_OCSP_ENABLED*/ } ServerOptions; void initialize_server_options(ServerOptions *); diff -ruN openssh-3.8p1/sftp.0 openssh-3.8p1+x509h/sftp.0 --- openssh-3.8p1/sftp.0 2004-02-24 08:23:05.000000000 +0200 +++ openssh-3.8p1+x509h/sftp.0 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -SFTP(1) OpenBSD Reference Manual SFTP(1) +SFTP(1) System General Commands Manual SFTP(1) NAME sftp - secure file transfer program @@ -15,8 +15,8 @@ sftp is an interactive file transfer program, similar to ftp(1), which performs all operations over an encrypted ssh(1) transport. It may also use many features of ssh, such as public key authentication and compres- - sion. sftp connects and logs into the specified host, then enters an in- - teractive command mode. + sion. sftp connects and logs into the specified host, then enters an + interactive command mode. The second usage format will retrieve files automatically if a non-inter- active authentication method is used; otherwise it will do so after suc- 
@@ -38,8 +38,8 @@ higher memory consumption. The default is 32768 bytes. -b batchfile - Batch mode reads a series of commands from an input batchfile in- - stead of stdin. Since it lacks user interaction it should be + Batch mode reads a series of commands from an input batchfile + instead of stdin. Since it lacks user interaction it should be used in conjunction with non-interactive authentication. A batchfile of `-' may be used to indicate standard input. sftp will abort if any of the following commands fail: get, put, @@ -59,50 +59,7 @@ ssh_config(5). This is useful for specifying options for which there is no separate sftp command-line flag. For example, to specify an alternate port use: sftp -oPort=24. For full details - of the options listed below, and their possible values, see - ssh_config(5). - - AddressFamily - BatchMode - BindAddress - ChallengeResponseAuthentication - CheckHostIP - Cipher - Ciphers - Compression - CompressionLevel - ConnectionAttempts - ConnectionTimeout - GlobalKnownHostsFile - GSSAPIAuthentication - GSSAPIDelegateCredentials - Host - HostbasedAuthentication - HostKeyAlgorithms - HostKeyAlias - HostName - IdentityFile - LogLevel - MACs - NoHostAuthenticationForLocalhost - NumberOfPasswordPrompts - PasswordAuthentication - Port - PreferredAuthentications - Protocol - ProxyCommand - PubkeyAuthentication - RhostsRSAAuthentication - RSAAuthentication - ServerAliveInterval - ServerAliveCountMax - SmartcardDevice - StrictHostKeyChecking - TCPKeepAlive - UsePrivilegedPort - User - UserKnownHostsFile - VerifyHostKeyDNS + of the options and their possible values, see ssh_config(5). -P sftp_server_path Connect directly to a local sftp server (rather than via ssh(1)) 
@@ -127,8 +84,8 @@ INTERACTIVE COMMANDS Once in interactive mode, sftp understands a set of commands similar to - those of ftp(1). Commands are case insensitive and pathnames may be en- - closed in quotes if they contain spaces. + those of ftp(1). Commands are case insensitive and pathnames may be + enclosed in quotes if they contain spaces. bye Quit sftp. @@ -157,8 +114,8 @@ lcd path Change local directory to path. lls [ls-options [path]] - Display local directory listing of either path or current di- - rectory if path is not specified. + Display local directory listing of either path or current + directory if path is not specified. lmkdir path Create local directory specified by path. @@ -214,7 +171,7 @@ ftp(1), scp(1), ssh(1), ssh-add(1), ssh-keygen(1), ssh_config(5), sftp-server(8), sshd(8) - T. Ylonen, and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. -OpenBSD 3.4 February 4, 2001 4 +BSD February 4, 2001 BSD diff -ruN openssh-3.8p1/sftp.1 openssh-3.8p1+x509h/sftp.1 --- openssh-3.8p1/sftp.1 2004-01-21 02:00:05.000000000 +0200 +++ openssh-3.8p1+x509h/sftp.1 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sftp.1,v 1.51 2004/01/13 12:17:33 jmc Exp $ +.\" $OpenBSD$ .\" .\" Copyright (c) 2001 Damien Miller. All rights reserved. .\" 
@@ -139,52 +139,8 @@ command-line flag. For example, to specify an alternate port use: .Ic sftp -oPort=24 . -For full details of the options listed below, and their possible values, see +For full details of the options and their possible values, see .Xr ssh_config 5 . -.Pp -.Bl -tag -width Ds -offset indent -compact -.It AddressFamily -.It BatchMode -.It BindAddress -.It ChallengeResponseAuthentication -.It CheckHostIP -.It Cipher -.It Ciphers -.It Compression -.It CompressionLevel -.It ConnectionAttempts -.It ConnectionTimeout -.It GlobalKnownHostsFile -.It GSSAPIAuthentication -.It GSSAPIDelegateCredentials -.It Host -.It HostbasedAuthentication -.It HostKeyAlgorithms -.It HostKeyAlias -.It HostName -.It IdentityFile -.It LogLevel -.It MACs -.It NoHostAuthenticationForLocalhost -.It NumberOfPasswordPrompts -.It PasswordAuthentication -.It Port -.It PreferredAuthentications -.It Protocol -.It ProxyCommand -.It PubkeyAuthentication -.It RhostsRSAAuthentication -.It RSAAuthentication -.It ServerAliveInterval -.It ServerAliveCountMax -.It SmartcardDevice -.It StrictHostKeyChecking -.It TCPKeepAlive -.It UsePrivilegedPort -.It User -.It UserKnownHostsFile -.It VerifyHostKeyDNS -.El .It Fl P Ar sftp_server_path Connect directly to a local sftp server (rather than via diff -ruN openssh-3.8p1/sftp-server.0 openssh-3.8p1+x509h/sftp-server.0 --- openssh-3.8p1/sftp-server.0 2004-02-24 08:23:04.000000000 +0200 +++ openssh-3.8p1+x509h/sftp-server.0 2004-03-09 08:54:18.000000000 +0200 @@ -1,4 +1,4 @@ -SFTP-SERVER(8) OpenBSD System Manager's Manual SFTP-SERVER(8) +SFTP-SERVER(8) System Manager's Manual SFTP-SERVER(8) NAME sftp-server - SFTP server subsystem 
@@ -8,14 +8,14 @@ DESCRIPTION sftp-server is a program that speaks the server side of SFTP protocol to - stdout and expects client requests from stdin. sftp-server is not in- - tended to be called directly, but from sshd(8) using the Subsystem op- - tion. See sshd_config(5) for more information. + stdout and expects client requests from stdin. sftp-server is not + intended to be called directly, but from sshd(8) using the Subsystem + option. See sshd_config(5) for more information. SEE ALSO sftp(1), ssh(1), sshd_config(5), sshd(8) - T. Ylonen, and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- + T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh- filexfer-00.txt, January 2001, work in progress material. AUTHORS @@ -24,4 +24,4 @@ HISTORY sftp-server first appeared in OpenBSD 2.8 . -OpenBSD 3.4 August 30, 2000 1 +BSD August 30, 2000 BSD diff -ruN openssh-3.8p1/ssh.0 openssh-3.8p1+x509h/ssh.0 --- openssh-3.8p1/ssh.0 2004-02-24 08:23:03.000000000 +0200 +++ openssh-3.8p1+x509h/ssh.0 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -SSH(1) OpenBSD Reference Manual SSH(1) +SSH(1) System General Commands Manual SSH(1) NAME ssh - OpenSSH SSH client (remote login program) @@ -12,9 +12,9 @@ DESCRIPTION ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin - and rsh, and provide secure encrypted communications between two untrust- - ed hosts over an insecure network. X11 connections and arbitrary TCP/IP - ports can also be forwarded over the secure channel. + and rsh, and provide secure encrypted communications between two + untrusted hosts over an insecure network. X11 connections and arbitrary + TCP/IP ports can also be forwarded over the secure channel. ssh connects and logs into the specified hostname (with optional user name). The user must prove his/her identity to the remote machine using 
@@ -54,11 +54,11 @@ The file $HOME/.ssh/authorized_keys lists the public keys that are per- mitted for logging in. When the user logs in, the ssh program tells the - server which key pair it would like to use for authentication. The serv- - er checks if this key is permitted, and if so, sends the user (actually - the ssh program running on behalf of the user) a challenge, a random num- - ber, encrypted by the user's public key. The challenge can only be de- - crypted using the proper private key. The user's client then decrypts + server which key pair it would like to use for authentication. The + server checks if this key is permitted, and if so, sends the user (actu- + ally the ssh program running on behalf of the user) a challenge, a random + number, encrypted by the user's public key. The challenge can only be + decrypted using the proper private key. The user's client then decrypts the challenge using the private key, proving that he/she knows the pri- vate key but without disclosing it to the server. 
@@ -91,13 +91,16 @@ The public key method is similar to RSA authentication described in the previous section and allows the RSA or DSA algorithm to be used: The - client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, to - sign the session identifier and sends the result to the server. The - server checks whether the matching public key is listed in + client uses his private key, $HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa, + which can contain a X.509 certificate in addition to key to sign the ses- + sion identifier and sends the result to the server. The server checks + whether the matching public key or certificate is listed in $HOME/.ssh/authorized_keys and grants access if both the key is found and - the signature is correct. The session identifier is derived from a - shared Diffie-Hellman value and is only known to the client and the serv- - er. + the signature is correct. In case with X.509 certificate server perform + additional verification and validation of that certificate through + database with certificates and CRLs of certificate signers. The session + identifier is derived from a shared Diffie-Hellman value and is only + known to the client and the server. If public key authentication fails or is not available, a password can be sent encrypted to the remote host to prove the user's identity. @@ -111,8 +114,8 @@ ensuring the integrity of the connection. Login session and remote execution - When the user's identity has been accepted by the server, the server ei- - ther executes the given command, or logs into the machine and gives the + When the user's identity has been accepted by the server, the server + either executes the given command, or logs into the machine and gives the user a normal shell on the remote machine. All communication with the remote command or shell will be automatically encrypted. 
@@ -165,11 +168,11 @@ the -X and -x options described later) and the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 - programs started from the shell (or command) will go through the encrypt- - ed channel, and the connection to the real X server will be made from the - local machine. The user should not manually set DISPLAY. Forwarding of - X11 connections can be configured on the command line or in configuration - files. + programs started from the shell (or command) will go through the + encrypted channel, and the connection to the real X server will be made + from the local machine. The user should not manually set DISPLAY. For- + warding of X11 connections can be configured on the command line or in + configuration files. The DISPLAY value set by ssh will point to the server machine, but with a display number greater than zero. This is normal, and happens because 
@@ -285,26 +288,27 @@ default for the per-user configuration file is $HOME/.ssh/config. -f Requests ssh to go to background just before command execution. - This is useful if ssh is going to ask for passwords or passphras- - es, but the user wants it in the background. This implies -n. - The recommended way to start X11 programs at a remote site is - with something like ssh -f host xterm. + This is useful if ssh is going to ask for passwords or + passphrases, but the user wants it in the background. This + implies -n. The recommended way to start X11 programs at a + remote site is with something like ssh -f host xterm. -g Allows remote hosts to connect to local forwarded ports. -I smartcard_device - Specifies which smartcard device to use. The argument is the de- - vice ssh should use to communicate with a smartcard used for + Specifies which smartcard device to use. The argument is the + device ssh should use to communicate with a smartcard used for storing the user's private RSA key. -i identity_file Selects a file from which the identity (private key) for RSA or DSA authentication is read. The default is $HOME/.ssh/identity for protocol version 1, and $HOME/.ssh/id_rsa and - $HOME/.ssh/id_dsa for protocol version 2. Identity files may al- - so be specified on a per-host basis in the configuration file. - It is possible to have multiple -i options (and multiple identi- - ties specified in configuration files). + $HOME/.ssh/id_dsa for protocol version 2. For protocol version 2 + is possible identity to contain in addition a X.509 certificate. + Identity files may also be specified on a per-host basis in the + configuration file. It is possible to have multiple -i options + (and multiple identities specified in configuration files). -k Disables forwarding (delegation) of GSSAPI credentials to the server. 
@@ -334,70 +338,19 @@ -n Redirects stdin from /dev/null (actually, prevents reading from stdin). This must be used when ssh is run in the background. A - common trick is to use this to run X11 programs on a remote ma- - chine. For example, ssh -n shadows.cs.hut.fi emacs & will start - an emacs on shadows.cs.hut.fi, and the X11 connection will be au- - tomatically forwarded over an encrypted channel. The ssh program - will be put in the background. (This does not work if ssh needs - to ask for a password or passphrase; see also the -f option.) + common trick is to use this to run X11 programs on a remote + machine. For example, ssh -n shadows.cs.hut.fi emacs & will + start an emacs on shadows.cs.hut.fi, and the X11 connection will + be automatically forwarded over an encrypted channel. The ssh + program will be put in the background. (This does not work if + ssh needs to ask for a password or passphrase; see also the -f + option.) -o option Can be used to give options in the format used in the configura- tion file. This is useful for specifying options for which there - is no separate command-line flag. For full details of the op- - tions listed below, and their possible values, see ssh_config(5). 
- - AddressFamily - BatchMode - BindAddress - ChallengeResponseAuthentication - CheckHostIP - Cipher - Ciphers - ClearAllForwardings - Compression - CompressionLevel - ConnectionAttempts - ConnectionTimeout - DynamicForward - EscapeChar - ForwardAgent - ForwardX11 - ForwardX11Trusted - GatewayPorts - GlobalKnownHostsFile - GSSAPIAuthentication - GSSAPIDelegateCredentials - Host - HostbasedAuthentication - HostKeyAlgorithms - HostKeyAlias - HostName - IdentityFile - LocalForward - LogLevel - MACs - NoHostAuthenticationForLocalhost - NumberOfPasswordPrompts - PasswordAuthentication - Port - PreferredAuthentications - Protocol - ProxyCommand - PubkeyAuthentication - RemoteForward - RhostsRSAAuthentication - RSAAuthentication - ServerAliveInterval - ServerAliveCountMax - SmartcardDevice - StrictHostKeyChecking - TCPKeepAlive - UsePrivilegedPort - User - UserKnownHostsFile - VerifyHostKeyDNS - XAuthLocation + is no separate command-line flag. For full details of the + options and their possible values, see ssh_config(5). -p port Port to connect to on the remote host. This can be specified on @@ -419,9 +372,9 @@ syntax: port/host/hostport. -s May be used to request invocation of a subsystem on the remote - system. Subsystems are a feature of the SSH2 protocol which fa- - cilitate the use of SSH as a secure transport for other applica- - tions (eg. sftp(1)). The subsystem is specified as the remote + system. Subsystems are a feature of the SSH2 protocol which + facilitate the use of SSH as a secure transport for other appli- + cations (eg. sftp(1)). The subsystem is specified as the remote command. -T Disable pseudo-tty allocation. 
@@ -493,8 +446,8 @@ SSH_CONNECTION Identifies the client and server ends of the connection. The - variable contains four space-separated values: client ip-ad- - dress, client port number, server ip-address and server port + variable contains four space-separated values: client ip- + address, client port number, server ip-address and server port number. SSH_ORIGINAL_COMMAND 
@@ -519,29 +472,36 @@ FILES $HOME/.ssh/known_hosts - Records host keys for all hosts the user has logged into that are - not in /etc/ssh/ssh_known_hosts. See sshd(8). + Records host keys or certificates for all hosts the user has + logged into that are not in /etc/ssh/ssh_known_hosts. See + sshd(8). $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. - These files contain sensitive data and should be readable by the - user but not accessible by others (read/write/execute). Note - that ssh ignores a private key file if it is accessible by oth- - ers. It is possible to specify a passphrase when generating the - key; the passphrase will be used to encrypt the sensitive part of - this file using 3DES. + It is possible protocol version 2 identity to contain identity + plus X.509 certificate. These files contain sensitive data and + should be readable by the user but not accessible by others + (read/write/execute). Note that ssh ignores a private key file + if it is accessible by others. It is possible to specify a + passphrase when generating the key; the passphrase will be used + to encrypt the sensitive part of this file using 3DES. $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub Contains the public key for authentication (public part of the - identity file in human-readable form). The contents of the + identity file in human-readable form). Note that protocol ver- + sion 2 while a identity contain private key and X.509 certificate + this file must contain that certificate. The contents of the $HOME/.ssh/identity.pub file should be added to the file $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 1 RSA authentication. 
The con- tents of the $HOME/.ssh/id_dsa.pub and $HOME/.ssh/id_rsa.pub file should be added to $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 2 DSA/RSA - authentication. These files are not sensitive and can (but need + authentication. In case with X.509 certificates user can use + ``new style''. Instead to add content of file to authorized_keys + user can write certificate ``Distinguished Name''. See sshd(8) + manual page. These files are not sensitive and can (but need not) be readable by anyone. These files are never used automati- cally and are not necessary; they are only provided for the con- venience of the user. 
@@ -551,30 +511,32 @@ configuration options are described in ssh_config(5). $HOME/.ssh/authorized_keys - Lists the public keys (RSA/DSA) that can be used for logging in - as this user. The format of this file is described in the - sshd(8) manual page. In the simplest form the format is the same - as the .pub identity files. This file is not highly sensitive, - but the recommended permissions are read/write for the user, and - not accessible by others. + Lists the public keys (RSA/DSA) or certificates that can be used + for logging in as this user. The format of this file is + described in the sshd(8) manual page. In the simplest form the + format is the same as the .pub identity files. This file is not + highly sensitive, but the recommended permissions are read/write + for the user, and not accessible by others. /etc/ssh/ssh_known_hosts - Systemwide list of known host keys. This file should be prepared - by the system administrator to contain the public host keys of - all machines in the organization. This file should be world- - readable. This file contains public keys, one per line, in the - following format (fields separated by spaces): system name, pub- - lic key and optional comment field. When different names are - used for the same machine, all such names should be listed, sepa- - rated by commas. The format is described in the sshd(8) manual - page. + Systemwide list of known host keys or certificates. This file + should be prepared by the system administrator to contain the + public host keys or certificates of all machines in the organiza- + tion. This file should be world-readable. This file contains + public keys, one per line, in the following format (fields sepa- + rated by spaces): system name, public key and optional comment + field. When a X.509 certificate is used as host key instead of + public key line contain certificate (old style) or certificate + ``Distinguished Name''. 
When different names are used for the + same machine, all such names should be listed, separated by com- + mas. The format is described in the sshd(8) manual page. The canonical system name (as returned by name servers) is used by sshd(8) to verify the client host when logging in; other names are needed because ssh does not convert the user-supplied name to a canonical name before checking the key, because someone with - access to the name servers would then be able to fool host au- - thentication. + access to the name servers would then be able to fool host + authentication. /etc/ssh/ssh_config Systemwide configuration file. The file format and configuration 
@@ -584,12 +546,41 @@ /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys and are used for RhostsRSAAuthentication and HostbasedAuthentication. - If the protocol version 1 RhostsRSAAuthentication method is used, - ssh must be setuid root, since the host key is readable only by - root. For protocol version 2, ssh uses ssh-keysign(8) to access - the host keys for HostbasedAuthentication. This eliminates the - requirement that ssh be setuid root when that authentication - method is used. By default ssh is not setuid root. + It is possible files to contain private part plus X.509 certifi- + cate for protocol version 2 keys. If the protocol version 1 + RhostsRSAAuthentication method is used, ssh must be setuid root, + since the host key is readable only by root. For protocol ver- + sion 2, ssh uses ssh-keysign(8) to access the host keys for + HostbasedAuthentication. This eliminates the requirement that + ssh be setuid root when that authentication method is used. By + default ssh is not setuid root. When a certificate is used as + host key for hostbased authentication that certificate must have + client purpose too or server configuration must permit connection + without client purpose. For allowed client certificate purposes + see ssh_config(5). + + /etc/ssh/ca/ca-bundle.crt and /etc/ssh/ca/ca-bundle.crl + Part of systemwide ``X.509 store''. The first file contain mul- + tiple certificates and the second ``Certificate Revocation List'' + (CRLs) of certificate signers in PEM format concatenated + together. Used in verification and validation of server host + certificate. + + /etc/ssh/ca/crt and /etc/ssh/ca/crl + Part of systemwide ``X.509 store''. ``Hash dirs'' with certifi- + cates, the first file or CLRs, the second of certificate signers. 
+ Each certificate should be stored in separate file with name + [HASH].[NUMBER] or [HASH].r[NUMBER] for the CRL, where [HASH] is + certificate or CRL hash value and [NUMBER] is an integer starting + from zero. Used in verification and validation of server host + certificate. + + ~/.ssh/ca/ca-bundle.crt and ~/.ssh/ca/ca-bundle.crl + Part of user ``X.509 store''. Same as above systemwide files. + + ~/.ssh/ca/crt and ~/.ssh/ca/crl + Part of user ``X.509 store''. Same as above systemwide directo- + ries. $HOME/.rhosts This file is used in rhosts authentication to list the host/user @@ -604,8 +595,8 @@ for anyone else. The recommended permission for most machines is read/write for the user, and not accessible by others. - Note that by default sshd(8) will be installed so that it re- - quires successful RSA host authentication before permitting + Note that by default sshd(8) will be installed so that it + requires successful RSA host authentication before permitting rhosts authentication. If the server machine does not have the client's host key in /etc/ssh/ssh_known_hosts, it can be stored in $HOME/.ssh/known_hosts. The easiest way to do this is to con- @@ -622,8 +613,8 @@ canonical hosts names, one per line (the full format is described in the sshd(8) manual page). If the client host is found in this file, login is automatically permitted provided client and server - user names are the same. Additionally, successful RSA host au- - thentication is normally required. This file should only be + user names are the same. Additionally, successful RSA host + authentication is normally required. This file should only be writable by root. /etc/shosts.equiv 
@@ -661,8 +652,9 @@ AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and - created OpenSSH. Markus Friedl contributed the support for SSH protocol - versions 1.5 and 2.0. + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. Roumen Petrov contributed support for x509 cer- + tificates. -OpenBSD 3.4 September 25, 1999 11 +BSD September 25, 1999 BSD diff -ruN openssh-3.8p1/ssh.1 openssh-3.8p1+x509h/ssh.1 --- openssh-3.8p1/ssh.1 2003-12-17 07:33:11.000000000 +0200 +++ openssh-3.8p1+x509h/ssh.1 2004-03-09 09:06:00.000000000 +0200 @@ -13,6 +13,7 @@ .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 2002 Roumen Petrov. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -34,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.181 2003/12/16 15:49:51 markus Exp $ +.\" $OpenBSD$ .Dd September 25, 1999 .Dt SSH 1 .Os 
@@ -226,10 +227,15 @@ .Pa $HOME/.ssh/id_dsa or .Pa $HOME/.ssh/id_rsa , +which can contain a X.509 certificate in addition to key to sign the session identifier and sends the result to the server. -The server checks whether the matching public key is listed in +The server checks whether the matching public key or certificate +is listed in .Pa $HOME/.ssh/authorized_keys and grants access if both the key is found and the signature is correct. +In case with X.509 certificate server perform additional verification +and validation of that certificate through database with certificates +and CRLs of certificate signers. The session identifier is derived from a shared Diffie-Hellman value and is only known to the client and the server. .Pp @@ -532,6 +538,8 @@ and .Pa $HOME/.ssh/id_dsa for protocol version 2. +For protocol version 2 is possible identity to contain in addition +a X.509 certificate. Identity files may also be specified on a per-host basis in the configuration file. It is possible to have multiple 
@@ -603,62 +611,8 @@ Can be used to give options in the format used in the configuration file. This is useful for specifying options for which there is no separate command-line flag. -For full details of the options listed below, and their possible values, see +For full details of the options and their possible values, see .Xr ssh_config 5 . -.Pp -.Bl -tag -width Ds -offset indent -compact -.It AddressFamily -.It BatchMode -.It BindAddress -.It ChallengeResponseAuthentication -.It CheckHostIP -.It Cipher -.It Ciphers -.It ClearAllForwardings -.It Compression -.It CompressionLevel -.It ConnectionAttempts -.It ConnectionTimeout -.It DynamicForward -.It EscapeChar -.It ForwardAgent -.It ForwardX11 -.It ForwardX11Trusted -.It GatewayPorts -.It GlobalKnownHostsFile -.It GSSAPIAuthentication -.It GSSAPIDelegateCredentials -.It Host -.It HostbasedAuthentication -.It HostKeyAlgorithms -.It HostKeyAlias -.It HostName -.It IdentityFile -.It LocalForward -.It LogLevel -.It MACs -.It NoHostAuthenticationForLocalhost -.It NumberOfPasswordPrompts -.It PasswordAuthentication -.It Port -.It PreferredAuthentications -.It Protocol -.It ProxyCommand -.It PubkeyAuthentication -.It RemoteForward -.It RhostsRSAAuthentication -.It RSAAuthentication -.It ServerAliveInterval -.It ServerAliveCountMax -.It SmartcardDevice -.It StrictHostKeyChecking -.It TCPKeepAlive -.It UsePrivilegedPort -.It User -.It UserKnownHostsFile -.It VerifyHostKeyDNS -.It XAuthLocation -.El .It Fl p Ar port Port to connect to on the remote host. This can be specified on a 
@@ -841,14 +795,16 @@ .Sh FILES .Bl -tag -width Ds .It Pa $HOME/.ssh/known_hosts -Records host keys for all hosts the user has logged into that are not -in +Records host keys or certificates for all hosts the user has logged +into that are not in .Pa /etc/ssh/ssh_known_hosts . See .Xr sshd 8 . .It Pa $HOME/.ssh/identity, $HOME/.ssh/id_dsa, $HOME/.ssh/id_rsa Contains the authentication identity of the user. They are for protocol 1 RSA, protocol 2 DSA, and protocol 2 RSA, respectively. +It is possible protocol version 2 identity to contain identity plus +X.509 certificate. These files contain sensitive data and should be readable by the user but not accessible by others (read/write/execute). @@ -861,6 +817,8 @@ .It Pa $HOME/.ssh/identity.pub, $HOME/.ssh/id_dsa.pub, $HOME/.ssh/id_rsa.pub Contains the public key for authentication (public part of the identity file in human-readable form). +Note that protocol version 2 while a identity contain private key and +X.509 certificate this file must contain that certificate. The contents of the .Pa $HOME/.ssh/identity.pub file should be added to the file @@ -875,6 +833,14 @@ .Pa $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using protocol version 2 DSA/RSA authentication. +In case with X.509 certificates user can use +.Dq "new style" . +Instead to add content of file to authorized_keys user can write +certificate +.Dq "Distinguished Name" . +See +.Xr sshd 8 +manual page. These files are not sensitive and can (but need not) be readable by anyone. These files are @@ -885,7 +851,8 @@ The file format and configuration options are described in .Xr ssh_config 5 . .It Pa $HOME/.ssh/authorized_keys -Lists the public keys (RSA/DSA) that can be used for logging in as this user. +Lists the public keys (RSA/DSA) or certificates that can be used for +logging in as this user. The format of this file is described in the .Xr sshd 8 manual page. 
@@ -895,14 +862,17 @@ This file is not highly sensitive, but the recommended permissions are read/write for the user, and not accessible by others. .It Pa /etc/ssh/ssh_known_hosts -Systemwide list of known host keys. +Systemwide list of known host keys or certificates. This file should be prepared by the -system administrator to contain the public host keys of all machines in the -organization. +system administrator to contain the public host keys or certificates +of all machines in the organization. This file should be world-readable. This file contains public keys, one per line, in the following format (fields separated by spaces): system name, public key and optional comment field. +When a X.509 certificate is used as host key instead of public key line +contain certificate (old style) or certificate +.Dq "Distinguished Name" . When different names are used for the same machine, all such names should be listed, separated by commas. @@ -927,6 +897,8 @@ .Cm RhostsRSAAuthentication and .Cm HostbasedAuthentication . +It is possible files to contain private part plus X.509 certificate for +protocol version 2 keys. If the protocol version 1 .Cm RhostsRSAAuthentication method is used, 
@@ -944,6 +916,37 @@ By default .Nm is not setuid root. +When a certificate is used as host key for hostbased authentication +that certificate must have client purpose too or server configuration +must permit connection without client purpose. For allowed client +certificate purposes see +.Xr ssh_config 5 . +.It Pa "/etc/ssh/ca/ca-bundle.crt" and "/etc/ssh/ca/ca-bundle.crl" +Part of systemwide +.Dq "X.509 store" . +The first file contain multiple certificates and the second +.Dq "Certificate Revocation List" +(CRLs) of certificate signers in PEM format concatenated together. +Used in verification and validation of server host certificate. +.It Pa "/etc/ssh/ca/crt" and Pa "/etc/ssh/ca/crl" +Part of systemwide +.Dq "X.509 store" . +.Dq "Hash dirs" +with certificates, the first file or CLRs, the second of +certificate signers. +Each certificate should be stored in separate file with name +[HASH].[NUMBER] or [HASH].r[NUMBER] for the CRL, where [HASH] is +certificate or CRL hash value and [NUMBER] is an integer starting +from zero. +Used in verification and validation of server host certificate. +.It Pa "~/.ssh/ca/ca-bundle.crt" and "~/.ssh/ca/ca-bundle.crl" +Part of user +.Dq "X.509 store" . +Same as above systemwide files. +.It Pa "~/.ssh/ca/crt" and Pa "~/.ssh/ca/crl" +Part of user +.Dq "X.509 store" . +Same as above systemwide directories. .It Pa $HOME/.rhosts This file is used in .Em rhosts @@ -1066,3 +1069,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. +Roumen Petrov contributed support for x509 certificates. diff -ruN openssh-3.8p1/ssh-add.0 openssh-3.8p1+x509h/ssh-add.0 --- openssh-3.8p1/ssh-add.0 2004-02-24 08:23:00.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-add.0 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -SSH-ADD(1) OpenBSD Reference Manual SSH-ADD(1) +SSH-ADD(1) System General Commands Manual SSH-ADD(1) NAME ssh-add - adds RSA or DSA identities to the authentication agent 
@@ -10,7 +10,8 @@ DESCRIPTION ssh-add adds RSA or DSA identities to the authentication agent, - ssh-agent(1). When run without arguments, it adds the files + ssh-agent(1). It is possible identity to contain in addition correspond- + ing X.509 certificate. When run without arguments, it adds the files $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. Alterna- tive file names can be given on the command line. If any file requires a passphrase, ssh-add asks for the passphrase from the user. The @@ -25,8 +26,8 @@ -l Lists fingerprints of all identities currently represented by the agent. - -L Lists public key parameters of all identities currently repre- - sented by the agent. + -L Lists public key or certificate parameters of all identities cur- + rently represented by the agent. -d Instead of adding the identity, removes the identity from the agent. @@ -76,11 +77,13 @@ $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of - the user. + the user. It is possible to contain identity plus X.509 certifi- + cate. $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of - the user. + the user. It is possible to contain identity plus X.509 certifi- + cate. Identity files should not be readable by anyone but the user. Note that ssh-add ignores identity files if they are accessible by others. @@ -97,6 +100,7 @@ Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol - versions 1.5 and 2.0. + versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- + tificates. -OpenBSD 3.4 September 25, 1999 2 +BSD September 25, 1999 BSD diff -ruN openssh-3.8p1/ssh-add.1 openssh-3.8p1+x509h/ssh-add.1 --- openssh-3.8p1/ssh-add.1 2003-12-09 10:01:52.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-add.1 2004-03-09 09:06:00.000000000 +0200 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-add.1,v 1.40 2003/11/25 23:10:08 matthieu Exp $ +.\" $OpenBSD$ .\" .\" -*- nroff -*- .\" @@ -16,6 +16,7 @@ .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 2002 Roumen Petrov. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -56,6 +57,8 @@ .Nm adds RSA or DSA identities to the authentication agent, .Xr ssh-agent 1 . +It is possible identity to contain in addition +corresponding X.509 certificate. When run without arguments, it adds the files .Pa $HOME/.ssh/id_rsa , .Pa $HOME/.ssh/id_dsa @@ -80,7 +83,8 @@ .It Fl l Lists fingerprints of all identities currently represented by the agent. .It Fl L -Lists public key parameters of all identities currently represented by the agent. +Lists public key or certificate parameters of +all identities currently represented by the agent. .It Fl d Instead of adding the identity, removes the identity from the agent. .It Fl D @@ -145,8 +149,10 @@ Contains the protocol version 1 RSA authentication identity of the user. .It Pa $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. +It is possible to contain identity plus X.509 certificate. .It Pa $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. +It is possible to contain identity plus X.509 certificate. .El .Pp Identity files should not be readable by anyone but the user. 
@@ -172,3 +178,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. +Roumen Petrov contributed support for X.509 certificates. diff -ruN openssh-3.8p1/ssh-add.c openssh-3.8p1+x509h/ssh-add.c --- openssh-3.8p1/ssh-add.c 2003-11-21 14:48:56.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-add.c 2004-02-25 09:06:01.000000000 +0200 @@ -12,6 +12,8 @@ * * SSH2 implementation, * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * X509 certificates support, + * Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,7 +37,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: ssh-add.c,v 1.69 2003/11/21 11:57:03 djm Exp $"); +RCSID("$OpenBSD$"); #include @@ -49,6 +51,7 @@ #include "pathnames.h" #include "readpass.h" #include "misc.h" +#include "ssh-x509.h" #ifdef HAVE___PROGNAME extern char *__progname; @@ -235,9 +238,20 @@ key_size(key), fp, comment, key_type(key)); xfree(fp); } else { +#ifndef SSH_X509STORE_DISABLED + if ((key->type == KEY_X509_RSA) || (key->type == KEY_X509_DSA)) { + /* key_write will print x509 certificate in blob format :-( */ + if(!x509key_write_subject(key, stdout)) + fprintf(stderr, "x509key_write_subject failed"); + fprintf(stdout, "\n"); + } else { +#endif /*ndef SSH_X509STORE_DISABLED*/ if (!key_write(key, stdout)) fprintf(stderr, "key_write failed"); fprintf(stdout, " %s\n", comment); +#ifndef SSH_X509STORE_DISABLED + } +#endif /*ndef SSH_X509STORE_DISABLED*/ } key_free(key); xfree(comment); diff -ruN openssh-3.8p1/ssh-agent.0 openssh-3.8p1+x509h/ssh-agent.0 --- openssh-3.8p1/ssh-agent.0 2004-02-24 08:23:00.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-agent.0 2004-03-09 09:06:00.000000000 +0200 
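Review bot: The X.509 branch of the `ssh-add.c` hunk (`@@ -235,9 +238,20 @@`) ends the output line with `fprintf(stdout, "\n");`, so the identity's `comment` is printed for plain keys but dropped for certificates. If that is intentional it deserves a comment saying so; otherwise use `fprintf(stdout, " %s\n", comment);` as the `key_write` branch does. The failure message `"x509key_write_subject failed"` has no trailing newline, so on error it runs into whatever is written next (the existing `"key_write failed"` has the same flaw). The listing shows only the certificate subject, which presumably cannot tell apart two certificates issued with the same Distinguished Name, so the existing `:-(` comment should say why the subject is preferred over the blob. The enclosing function begins and ends outside the hunk.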
@@ -1,4 +1,4 @@ -SSH-AGENT(1) OpenBSD Reference Manual SSH-AGENT(1) +SSH-AGENT(1) System General Commands Manual SSH-AGENT(1) NAME ssh-agent - authentication agent @@ -9,7 +9,8 @@ DESCRIPTION ssh-agent is a program to hold private keys used for public key authenti- - cation (RSA, DSA). The idea is that ssh-agent is started in the begin- + cation (RSA, DSA). It is possible to contain in addition corresponding + X.509 certificate. The idea is that ssh-agent is started in the begin- ning of an X-session or a login session, and all other windows or pro- grams are started as clients to the ssh-agent program. Through use of environment variables the agent can be located and automatically used for @@ -18,8 +19,8 @@ The options are as follows: -a bind_address - Bind the agent to the unix-domain socket bind_address. The de- - fault is /tmp/ssh-XXXXXXXX/agent.. + Bind the agent to the unix-domain socket bind_address. The + default is /tmp/ssh-XXXXXXXXXX/agent.. -c Generate C-shell commands on stdout. This is the default if SHELL looks like it's a csh style of shell. @@ -34,8 +35,8 @@ Set a default value for the maximum lifetime of identities added to the agent. The lifetime may be specified in seconds or in a time format specified in sshd(8). A lifetime specified for an - identity with ssh-add(1) overrides this value. Without this op- - tion the default maximum lifetime is forever. + identity with ssh-add(1) overrides this value. Without this + option the default maximum lifetime is forever. -d Debug mode. When this option is specified ssh-agent will not fork. 
@@ -48,10 +49,10 @@ $HOME/.ssh/id_rsa, $HOME/.ssh/id_dsa and $HOME/.ssh/identity. If the identity has a passphrase, ssh-add(1) asks for the passphrase (using a small X11 application if running under X11, or from the terminal if run- - ning without X). It then sends the identity to the agent. Several iden- - tities can be stored in the agent; the agent can automatically use any of - these identities. ssh-add -l displays the identities currently held by - the agent. + ning without X). It then sends the identity to the agent. Identity can + contain in addition a X.509 certificate. Several identities can be + stored in the agent; the agent can automatically use any of these identi- + ties. ssh-add -l displays the identities currently held by the agent. The idea is that the agent is run in the user's local PC, laptop, or ter- minal. Authentication data need not be stored on any other machine, and @@ -67,15 +68,15 @@ looks at these variables and uses them to establish a connection to the agent. - The agent will never send a private key over its request channel. In- - stead, operations that require a private key will be performed by the + The agent will never send a private key over its request channel. + Instead, operations that require a private key will be performed by the agent, and the result will be returned to the requester. This way, pri- vate keys are not exposed to clients using the agent. A unix-domain socket is created and the name of this socket is stored in the SSH_AUTH_SOCK environment variable. The socket is made accessible - only to the current user. This method is easily abused by root or anoth- - er instance of the same user. + only to the current user. This method is easily abused by root or + another instance of the same user. The SSH_AGENT_PID environment variable holds the agent's process ID. 
@@ -89,13 +90,15 @@ $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of - the user. + the user. It is possible to contain identity plus x509 certifi- + cate. $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of - the user. + the user. It is possible to contain identity plus x509 certifi- + cate. - /tmp/ssh-XXXXXXXX/agent. + /tmp/ssh-XXXXXXXXXX/agent. Unix-domain sockets used to contain the connection to the authen- tication agent. These sockets should only be readable by the owner. The sockets should get automatically removed when the @@ -109,6 +112,7 @@ Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol - versions 1.5 and 2.0. + versions 1.5 and 2.0. Roumen Petrov contributed support for x509 cer- + tificates. -OpenBSD 3.4 September 25, 1999 2 +BSD September 25, 1999 BSD diff -ruN openssh-3.8p1/ssh-agent.1 openssh-3.8p1+x509h/ssh-agent.1 --- openssh-3.8p1/ssh-agent.1 2003-06-11 15:04:39.000000000 +0300 +++ openssh-3.8p1+x509h/ssh-agent.1 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-agent.1,v 1.39 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD$ .\" .\" Author: Tatu Ylonen .\" Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -13,6 +13,7 @@ .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 2002 Roumen Petrov. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions 
@@ -54,6 +55,7 @@ .Nm is a program to hold private keys used for public key authentication (RSA, DSA). +It is possible to contain in addition corresponding X.509 certificate. The idea is that .Nm is started in the beginning of an X-session or a login session, and @@ -70,7 +72,7 @@ Bind the agent to the unix-domain socket .Ar bind_address . The default is -.Pa /tmp/ssh-XXXXXXXX/agent. . +.Pa /tmp/ssh-XXXXXXXXXX/agent. . .It Fl c Generate C-shell commands on .Dv stdout . @@ -120,6 +122,7 @@ asks for the passphrase (using a small X11 application if running under X11, or from the terminal if running without X). It then sends the identity to the agent. +Identity can contain in addition a X.509 certificate. Several identities can be stored in the agent; the agent can automatically use any of these identities. .Ic ssh-add -l @@ -171,9 +174,11 @@ Contains the protocol version 1 RSA authentication identity of the user. .It Pa $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. +It is possible to contain identity plus x509 certificate. .It Pa $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. -.It Pa /tmp/ssh-XXXXXXXX/agent. +It is possible to contain identity plus x509 certificate. +.It Pa /tmp/ssh-XXXXXXXXXX/agent. Unix-domain sockets used to contain the connection to the authentication agent. These sockets should only be readable by the owner. @@ -193,3 +198,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. +Roumen Petrov contributed support for x509 certificates. diff -ruN openssh-3.8p1/ssh-agent.c openssh-3.8p1+x509h/ssh-agent.c --- openssh-3.8p1/ssh-agent.c 2003-12-09 10:15:11.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-agent.c 2004-02-25 09:06:01.000000000 +0200 
@@ -11,6 +11,8 @@ * called by a name other than "ssh" or "Secure Shell". * * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. + * X509 certificates support, + * Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -35,7 +37,7 @@ #include "includes.h" #include "openbsd-compat/sys-queue.h" -RCSID("$OpenBSD: ssh-agent.c,v 1.117 2003/12/02 17:01:15 markus Exp $"); +RCSID("$OpenBSD$"); #include #include @@ -50,6 +52,7 @@ #include "authfd.h" #include "compat.h" #include "log.h" +#include "ssh-x509.h" #include "readpass.h" #include "misc.h" @@ -458,6 +461,7 @@ xfree(type_name); switch (type) { case KEY_DSA: + case KEY_X509_DSA: k = key_new_private(type); buffer_get_bignum2(&e->request, k->dsa->p); buffer_get_bignum2(&e->request, k->dsa->q); @@ -466,6 +470,7 @@ buffer_get_bignum2(&e->request, k->dsa->priv_key); break; case KEY_RSA: + case KEY_X509_RSA: k = key_new_private(type); buffer_get_bignum2(&e->request, k->rsa->n); buffer_get_bignum2(&e->request, k->rsa->e); @@ -481,10 +486,29 @@ buffer_clear(&e->request); goto send; } + switch (type) { + case KEY_X509_RSA: + case KEY_X509_DSA: { + u_char *blob = NULL; + u_int blen = 0; + Key *key = NULL; + + blob = buffer_get_string(&e->request, &blen); + key = x509key_from_blob(blob, blen); + if(key == NULL) { + fatal("process_add_identity() x509key_from_blob fail"); + } + k->x509 = key->x509; + key->x509 = NULL; + key_free(key); + } + break; + } break; } /* enable blinding */ switch (k->type) { + case KEY_X509_RSA: case KEY_RSA: case KEY_RSA1: if (RSA_blinding_on(k->rsa, NULL) != 1) { diff -ruN openssh-3.8p1/ssh_config openssh-3.8p1+x509h/ssh_config --- openssh-3.8p1/ssh_config 2003-08-13 13:37:05.000000000 +0300 +++ openssh-3.8p1+x509h/ssh_config 2004-04-05 09:06:00.000000000 +0300 
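Review bot: In the `ssh-agent.c` hunk `@@ -481,10 +486,29 @@`, the buffer returned by `buffer_get_string(&e->request, &blen)` is never released, so each added X.509 identity leaks the encoded certificate; add `xfree(blob);` right after the `x509key_from_blob(blob, blen)` call. A certificate that fails to parse reaches `fatal(...)`, which ends the agent and discards every identity it holds. The unknown-key-type path just above only does `buffer_clear(&e->request); goto send;`, and taking that path after `key_free(k);` would reject the single request instead. Nothing visible in the hunk checks that the certificate's public key matches the private key parameters read just before, so a mismatched pair appears to be stored as-is; a comparison before `k->x509 = key->x509;` would catch that. `process_add_identity` starts and ends outside the hunk.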
@@ -1,4 +1,4 @@ -# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $ +# $OpenBSD$ # This is the ssh client system-wide configuration file. See # ssh_config(5) for more information. This file provides defaults for @@ -35,3 +35,14 @@ # Cipher 3des # Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc # EscapeChar ~ +# X509rsaSigType=md5 +# AllowedCertPurpose sslserver +# CACertificateFile /etc/ssh/ca/ca-bundle.crt +# CACertificatePath /etc/ssh/ca/crt +# CARevocationFile /etc/ssh/ca/ca-bundle.crl +# CARevocationPath /etc/ssh/ca/crl +# UserCACertificateFile ~/.ssh/ca-bundle.crt +# UserCACertificatePath ~/.ssh/crt +# UserCARevocationFile ~/.ssh/ca-bundle.crl +# UserCARevocationPath ~/.ssh/crl +# VAType none diff -ruN openssh-3.8p1/ssh_config.0 openssh-3.8p1+x509h/ssh_config.0 --- openssh-3.8p1/ssh_config.0 2004-02-24 08:23:07.000000000 +0200 +++ openssh-3.8p1+x509h/ssh_config.0 2004-04-05 09:06:00.000000000 +0300 @@ -1,4 +1,4 @@ -SSH_CONFIG(5) OpenBSD Programmer's Manual SSH_CONFIG(5) +SSH_CONFIG(5) System File Formats Manual SSH_CONFIG(5) NAME ssh_config - OpenSSH SSH client configuration files 
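Review bot: The commented user-store defaults added to the sample `ssh_config` (`~/.ssh/ca-bundle.crt`, `~/.ssh/crt`, `~/.ssh/ca-bundle.crl`, `~/.ssh/crl`) disagree with the FILES text of an earlier man-page hunk in this patch (`@@ -944,6 +916,37 @@`), which lists `~/.ssh/ca/ca-bundle.crt`, `~/.ssh/ca/crt` and the matching CRL paths under `~/.ssh/ca/`. The ssh_config.5 hunks agree with the sample, and which set the code actually reads is not visible here, so one of the two documents needs correcting. `# X509rsaSigType=md5` is written with `=` while the neighbouring sample lines use a space; `# X509rsaSigType md5` would match them. The sample also shows MD5 as the default signature digest and `VAType none` (no OCSP validation). If interoperability permits, a one-line comment pointing to `sha1` and to the revocation options would steer administrators towards the stronger settings.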
@@ -46,10 +46,19 @@ canonicalized host name before matching). AddressFamily - Specifies which address family to use when connecting. Valid ar- - guments are ``any'', ``inet'' (Use IPv4 only) or ``inet6'' (Use + Specifies which address family to use when connecting. Valid + arguments are ``any'', ``inet'' (Use IPv4 only) or ``inet6'' (Use IPv6 only.) + AllowedCertPurpose + The intended use for the X509 server certificate. Without this + option no chain verification will be done. Currently accepted + uses are case insensitive: + o `sslserver' , `SSL server' , `SSL_server' or `server' ; + o `any' , `Any Purpose' , `Any_Purpose' or `AnyPurpose' ; + o `skip' or `' (empty): do not check purpose. + The default is ``sslserver''. + BatchMode If set to ``yes'', passphrase/password querying will be disabled. This option is useful in scripts and other batch jobs where no 
@@ -61,6 +70,29 @@ interfaces or aliased addresses. Note that this option does not work if UsePrivilegedPort is set to ``yes''. + CACertificateFile + This file contain multiple certificates of certificate signers in + PEM format concatenated together. The default is + /etc/ssh/ca/ca-bundle.crt. + + CACertificatePath + ``Hash dir'' with certificates of certificate signers. Each cer- + tificate should be stored in separate file with name [HASH].[NUM- + BER], where [HASH] is certificate hash value and [NUMBER] is an + integer starting from zero. The default is /etc/ssh/ca/crt. + + CARevocationFile + This file contain multiple ``Certificate Revocation List'' (CRL) + of certificate signers in PEM format concatenated together. The + default is /etc/ssh/ca/ca-bundle.crl. + + CARevocationPath + ``Hash dir'' with ``Certificate Revocation List'' (CRL) of cer- + tificate signers. Each CRL should be stored in separate file with + name [HASH].r[NUMBER], where [HASH] is CRL hash value and [NUM- + BER] is an integer starting from zero. The default is + /etc/ssh/ca/crl. + ChallengeResponseAuthentication Specifies whether to use challenge response authentication. The argument to this keyword must be ``yes'' or ``no''. The default 
@@ -68,22 +100,22 @@ CheckHostIP If this flag is set to ``yes'', ssh will additionally check the - host IP address in the known_hosts file. This allows ssh to de- - tect if a host key changed due to DNS spoofing. If the option is - set to ``no'', the check will not be executed. The default is + host IP address in the known_hosts file. This allows ssh to + detect if a host key changed due to DNS spoofing. If the option + is set to ``no'', the check will not be executed. The default is ``yes''. Cipher Specifies the cipher to use for encrypting the session in proto- col version 1. Currently, ``blowfish'', ``3des'', and ``des'' - are supported. des is only supported in the ssh client for in- - teroperability with legacy protocol 1 implementations that do not - support the 3des cipher. Its use is strongly discouraged due to - cryptographic weaknesses. The default is ``3des''. + are supported. des is only supported in the ssh client for + interoperability with legacy protocol 1 implementations that do + not support the 3des cipher. Its use is strongly discouraged due + to cryptographic weaknesses. The default is ``3des''. Ciphers Specifies the ciphers allowed for protocol version 2 in order of - preference. Multiple ciphers must be comma-separated. The de- - fault is + preference. Multiple ciphers must be comma-separated. The + default is ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, aes192-cbc,aes256-cbc'' 
@@ -108,24 +140,24 @@ option applies to protocol version 1 only. ConnectionAttempts - Specifies the number of tries (one per second) to make before ex- - iting. The argument must be an integer. This may be useful in + Specifies the number of tries (one per second) to make before + exiting. The argument must be an integer. This may be useful in scripts if the connection sometimes fails. The default is 1. ConnectTimeout Specifies the timeout (in seconds) used when connecting to the ssh server, instead of using the default system TCP timeout. - This value is used only when the target is down or really un- - reachable, not when it refuses the connection. + This value is used only when the target is down or really + unreachable, not when it refuses the connection. DynamicForward Specifies that a TCP/IP port on the local machine be forwarded over the secure channel, and the application protocol is then used to determine where to connect to from the remote machine. The argument must be a port number. Currently the SOCKS4 and - SOCKS5 protocols are supported, and ssh will act as a SOCKS serv- - er. Multiple forwardings may be specified, and additional for- - wardings can be given on the command line. Only the superuser + SOCKS5 protocols are supported, and ssh will act as a SOCKS + server. Multiple forwardings may be specified, and additional + forwardings can be given on the command line. Only the superuser can forward privileged ports. EnableSSHKeysign @@ -157,9 +189,9 @@ the agent. ForwardX11 - Specifies whether X11 connections will be automatically redirect- - ed over the secure channel and DISPLAY set. The argument must be - ``yes'' or ``no''. The default is ``no''. + Specifies whether X11 connections will be automatically redi- + rected over the secure channel and DISPLAY set. The argument + must be ``yes'' or ``no''. The default is ``no''. X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the 
@@ -171,9 +203,9 @@ ForwardX11Trusted If the this option is set to ``yes'' then remote X11 clients will have full access to the original X11 display. If this option is - set to ``no'' then remote X11 clients will be considered untrust- - ed and prevented from stealing or tampering with data belonging - to trusted X11 clients. + set to ``no'' then remote X11 clients will be considered + untrusted and prevented from stealing or tampering with data + belonging to trusted X11 clients. The default is ``no''. @@ -185,9 +217,10 @@ forwarded ports. By default, ssh binds local port forwardings to the loopback address. This prevents other remote hosts from con- necting to forwarded ports. GatewayPorts can be used to specify - that ssh should bind local port forwardings to the wildcard ad- - dress, thus allowing remote hosts to connect to forwarded ports. - The argument must be ``yes'' or ``no''. The default is ``no''. + that ssh should bind local port forwardings to the wildcard + address, thus allowing remote hosts to connect to forwarded + ports. The argument must be ``yes'' or ``no''. The default is + ``no''. GlobalKnownHostsFile Specifies a file to use for the global host key database instead 
@@ -200,19 +233,19 @@ GSSAPIDelegateCredentials Forward (delegate) credentials to the server. The default is - ``no''. Note that this option applies to protocol version 2 on- - ly. + ``no''. Note that this option applies to protocol version 2 + only. HostbasedAuthentication Specifies whether to try rhosts based authentication with public key authentication. The argument must be ``yes'' or ``no''. The - default is ``no''. This option applies to protocol version 2 on- - ly and is similar to RhostsRSAAuthentication. + default is ``no''. This option applies to protocol version 2 + only and is similar to RhostsRSAAuthentication. HostKeyAlgorithms Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. The default for this - option is: ``ssh-rsa,ssh-dss''. + option is: ``x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss''. HostKeyAlias Specifies an alias that should be used instead of the real host 
@@ -231,12 +264,13 @@ Specifies a file from which the user's RSA or DSA authentication identity is read. The default is $HOME/.ssh/identity for proto- col version 1, and $HOME/.ssh/id_rsa and $HOME/.ssh/id_dsa for - protocol version 2. Additionally, any identities represented by - the authentication agent will be used for authentication. The - file name may use the tilde syntax to refer to a user's home di- - rectory. It is possible to have multiple identity files speci- - fied in configuration files; all these identities will be tried - in sequence. + protocol version 2. For version 2 is possible identity file to + contain key plus X.509 certificate. Additionally, any identities + represented by the authentication agent will be used for authen- + tication. The file name may use the tilde syntax to refer to a + user's home directory. It is possible to have multiple identity + files specified in configuration files; all these identities will + be tried in sequence. LocalForward Specifies that a TCP/IP port on the local machine be forwarded 
@@ -254,20 +288,20 @@ DEBUG and DEBUG1 are equivalent. DEBUG2 and DEBUG3 each specify higher levels of verbose output. - MACs Specifies the MAC (message authentication code) algorithms in or- - der of preference. The MAC algorithm is used in protocol version - 2 for data integrity protection. Multiple algorithms must be - comma-separated. The default is ``hmac-md5,hmac-sha1,hmac- - ripemd160,hmac-sha1-96,hmac-md5-96''. + MACs Specifies the MAC (message authentication code) algorithms in + order of preference. The MAC algorithm is used in protocol ver- + sion 2 for data integrity protection. Multiple algorithms must + be comma-separated. The default is + ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. NoHostAuthenticationForLocalhost This option can be used if the home directory is shared across - machines. In this case localhost will refer to a different ma- - chine on each of the machines and the user will get many warnings - about changed host keys. However, this option disables host au- - thentication for localhost. The argument to this keyword must be - ``yes'' or ``no''. The default is to check the host key for lo- - calhost. + machines. In this case localhost will refer to a different + machine on each of the machines and the user will get many warn- + ings about changed host keys. However, this option disables host + authentication for localhost. The argument to this keyword must + be ``yes'' or ``no''. The default is to check the host key for + localhost. NumberOfPasswordPrompts Specifies the number of password prompts before giving up. The 
@@ -282,11 +316,11 @@ is 22. PreferredAuthentications - Specifies the order in which the client should try protocol 2 au- - thentication methods. This allows a client to prefer one method - (e.g. keyboard-interactive) over another method (e.g. password) - The default for this option is: ``hostbased,publickey,keyboard- - interactive,password''. + Specifies the order in which the client should try protocol 2 + authentication methods. This allows a client to prefer one + method (e.g. keyboard-interactive) over another method (e.g. + password) The default for this option is: + ``hostbased,publickey,keyboard-interactive,password''. Protocol Specifies the protocol versions ssh should support in order of @@ -304,10 +338,10 @@ write to its standard output. It should eventually connect an sshd(8) server running on some machine, or execute sshd -i some- where. Host key management will be done using the HostName of - the host being connected (defaulting to the name typed by the us- - er). Setting the command to ``none'' disables this option en- - tirely. Note that CheckHostIP is not available for connects with - a proxy command. + the host being connected (defaulting to the name typed by the + user). Setting the command to ``none'' disables this option + entirely. Note that CheckHostIP is not available for connects + with a proxy command. PubkeyAuthentication Specifies whether to try public key authentication. The argument @@ -357,9 +391,9 @@ tion has become inactive. The default value is 3. If, for example, ServerAliveInterval - (above) is set to 15, and ServerAliveCountMax is left at the de- - fault, if the server becomes unresponsive ssh will disconnect af- - ter approximately 45 seconds. + (above) is set to 15, and ServerAliveCountMax is left at the + default, if the server becomes unresponsive ssh will disconnect + after approximately 45 seconds. SmartcardDevice Specifies which smartcard device to use. The argument to this 
@@ -410,10 +444,45 @@ trouble of having to remember to give the user name on the com- mand line. + UserCACertificateFile + User CACertificateFile , the default is ~/.ssh/ca-bundle.crt. + + UserCACertificatePath + User CACertificatePath , the default is ~/.ssh/crt. + + UserCARevocationFile + User CARevocationFile , the default is ~/.ssh/ca-bundle.crl. + + UserCARevocationPath + User CARevocationPath , the default is ~/.ssh/crl. + UserKnownHostsFile Specifies a file to use for the user host key database instead of $HOME/.ssh/known_hosts. + VACertificateFile + File with X.509 certificates in PEM format concatenated together. + In use when VAType is set to ``ocspspec''. The default value is + `' (empty). Certificates from that file explicitly trust `OCSP + Responder' public key. They are used as trusted certificates in + addition to certificates from CACertificateFile , + CACertificatePath , UserCACertificateFile and + UserCACertificatePath to verify responder certificate. + + VAType Specifies whether `Online Certificate Status Protocol' (OCSP) is + used to validate X.509 certificates. Accepted values are case + insensitive: + o `none' : do not use OCSP to validate certificates; + o `ocspcert' : validate only certificates that specify `OCSP + Service Locator' URL; + o `ocspspec' : use specified in the configuration `OCSP + Responder' to validate all certificates. + The default is ``none''. + + VAOCSPResponderURL + `Access Location' / `OCSP Service Locator' URL of the OCSP + provider. In use when VAType is set to ``ocspspec''. + VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. If this option is set to ``yes'', the client 
@@ -430,13 +499,20 @@ Specifies the full pathname of the xauth(1) program. The default is /usr/X11R6/bin/xauth. + X509rsaSigType + Temporary option. Specifies signature digest type for + `x509v3-sign-rsa' identities. The possible values are ``md5'' and + ``sha1''. Use this option only in session with other SecSH + servers with X.509 certificates as identity or host key. The + default is ``md5''. + FILES $HOME/.ssh/config This is the per-user configuration file. The format of this file is described above. This file is used by the ssh client. This file does not usually contain any sensitive information, but the - recommended permissions are read/write for the user, and not ac- - cessible by others. + recommended permissions are read/write for the user, and not + accessible by others. /etc/ssh/ssh_config Systemwide configuration file. This file provides defaults for @@ -452,6 +528,7 @@ Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol - versions 1.5 and 2.0. + versions 1.5 and 2.0. Roumen Petrov contributed support for X.509 cer- + tificates. -OpenBSD 3.4 September 25, 1999 7 +BSD September 25, 1999 BSD diff -ruN openssh-3.8p1/ssh_config.5 openssh-3.8p1+x509h/ssh_config.5 --- openssh-3.8p1/ssh_config.5 2003-12-17 07:33:11.000000000 +0200 +++ openssh-3.8p1+x509h/ssh_config.5 2004-04-05 09:06:00.000000000 +0300 @@ -13,6 +13,7 @@ .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 2002 Roumen Petrov. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions 
@@ -34,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh_config.5,v 1.28 2003/12/16 15:49:51 markus Exp $ +.\" $OpenBSD$ .Dd September 25, 1999 .Dt SSH_CONFIG 5 .Os @@ -123,6 +124,38 @@ (Use IPv4 only) or .Dq inet6 (Use IPv6 only.) +.It Cm AllowedCertPurpose +The intended use for the X509 server certificate. Without this option +no chain verification will be done. Currently accepted uses are case +insensitive: +.Bl -bullet -compact +.It +.Sq sslserver +, +.Sq SSL server +, +.Sq SSL_server +or +.Sq server +; +.It +.Sq any +, +.Sq Any Purpose +, +.Sq Any_Purpose +or +.Sq AnyPurpose +; +.It +.Sq skip +or +.Sq +.. +(empty): do not check purpose. +.El +The default is +.Dq sslserver . .It Cm BatchMode If set to .Dq yes , 
@@ -142,6 +175,35 @@ .Cm UsePrivilegedPort is set to .Dq yes . +.Pp +.It Cm CACertificateFile +This file contain multiple certificates of certificate signers in +PEM format concatenated together. The default is +.Pa /etc/ssh/ca/ca-bundle.crt . +.Pp +.It Cm CACertificatePath +.Dq "Hash dir" +with certificates of certificate signers. Each certificate should be +stored in separate file with name [HASH].[NUMBER], where [HASH] is +certificate hash value and [NUMBER] is an integer starting from zero. +The default is +.Pa /etc/ssh/ca/crt . +.Pp +.It Cm CARevocationFile +This file contain multiple +.Dq "Certificate Revocation List" +(CRL) of certificate signers in PEM format concatenated together. +The default is +.Pa /etc/ssh/ca/ca-bundle.crl . +.Pp +.It Cm CARevocationPath +.Dq "Hash dir" +with +.Dq "Certificate Revocation List" +(CRL) of certificate signers. Each CRL should be stored in separate +file with name [HASH].r[NUMBER], where [HASH] is CRL hash value and +[NUMBER] is an integer starting from zero. The default is +.Pa /etc/ssh/ca/crl . .It Cm ChallengeResponseAuthentication Specifies whether to use challenge response authentication. The argument to this keyword must be @@ -375,7 +437,7 @@ Specifies the protocol version 2 host key algorithms that the client wants to use in order of preference. The default for this option is: -.Dq ssh-rsa,ssh-dss . +.Dq x509v3-sign-rsa,x509v3-sign-dss,ssh-rsa,ssh-dss . .It Cm HostKeyAlias Specifies an alias that should be used instead of the real host name when looking up or saving the host key @@ -399,6 +461,7 @@ and .Pa $HOME/.ssh/id_dsa for protocol version 2. +For version 2 is possible identity file to contain key plus X.509 certificate. Additionally, any identities represented by the authentication agent will be used for authentication. The file name may use the tilde 
@@ -669,10 +732,86 @@ This can be useful when a different user name is used on different machines. This saves the trouble of having to remember to give the user name on the command line. +.Pp +.It Cm UserCACertificateFile +User +.Cm CACertificateFile +, the default is +.Pa ~/.ssh/ca-bundle.crt . +.Pp +.It Cm UserCACertificatePath +User +.Cm CACertificatePath +, the default is +.Pa ~/.ssh/crt . +.Pp +.It Cm UserCARevocationFile +User +.Cm CARevocationFile +, the default is +.Pa ~/.ssh/ca-bundle.crl . +.Pp +.It Cm UserCARevocationPath +User +.Cm CARevocationPath +, the default is +.Pa ~/.ssh/crl . .It Cm UserKnownHostsFile Specifies a file to use for the user host key database instead of .Pa $HOME/.ssh/known_hosts . +.It Cm VACertificateFile +File with X.509 certificates in PEM format concatenated together. +In use when +.Cm VAType +is set to +.Dq ocspspec . +The default value is +.Sq +.. +(empty). +Certificates from that file explicitly trust +.Sq "OCSP Responder" +public key. +They are used as trusted certificates in addition to certificates from +.Cm CACertificateFile +, +.Cm CACertificatePath +, +.Cm UserCACertificateFile +and +.Cm UserCACertificatePath +to verify responder certificate. +.It Cm VAType +Specifies whether +.Sq "Online Certificate Status Protocol" +(OCSP) is used to validate X.509 certificates. +Accepted values are case insensitive: +.Bl -bullet -compact +.It +.Sq none +: do not use OCSP to validate certificates; +.It +.Sq ocspcert +: validate only certificates that specify +.Sq "OCSP Service Locator" +URL; +.It +.Sq ocspspec +: use specified in the configuration +.Sq "OCSP Responder" +to validate all certificates. +.El +The default is +.Dq none . +.It Cm VAOCSPResponderURL +.Sq "Access Location" +/ +.Sq "OCSP Service Locator" +URL of the OCSP provider. In use when +.Cm VAType +is set to +.Dq ocspspec . .It Cm VerifyHostKeyDNS Specifies whether to verify the remote key using DNS and SSHFP resource records. 
@@ -702,6 +841,18 @@ program. The default is .Pa /usr/X11R6/bin/xauth . +.It Cm X509rsaSigType +Temporary option. +Specifies signature digest type for +.Sq x509v3-sign-rsa +identities. The possible values are +.Dq md5 +and +.Dq sha1 . +Use this option only in session with other SecSH servers +with X.509 certificates as identity or host key. +The default is +.Dq md5 . .El .Sh FILES .Bl -tag -width Ds @@ -732,3 +883,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. +Roumen Petrov contributed support for X.509 certificates. diff -ruN openssh-3.8p1/sshconnect.c openssh-3.8p1+x509h/sshconnect.c --- openssh-3.8p1/sshconnect.c 2004-01-27 12:21:27.000000000 +0200 +++ openssh-3.8p1+x509h/sshconnect.c 2004-02-25 09:06:01.000000000 +0200 @@ -10,10 +10,13 @@ * software must be clearly marked as such, and if the derived work is * incompatible with the protocol description in the RFC file, it must be * called by a name other than "ssh" or "Secure Shell". + * + * X509 certificates support, + * Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. */ #include "includes.h" -RCSID("$OpenBSD: sshconnect.c,v 1.156 2004/01/25 03:49:09 djm Exp $"); +RCSID("$OpenBSD$"); #include @@ -32,12 +35,24 @@ #include "atomicio.h" #include "misc.h" #include "readpass.h" +#include "ssh-x509.h" #include "dns.h" char *client_version_string = NULL; char *server_version_string = NULL; +/* rumen-XXX: X.509 RSASIG check */ +extern void (*plogx509rsasig)(const char *msg); +static void logx509rsasig(const char *msg) { + logit("%.400s: server=%.200s (client=%.200s)", + msg, + (server_version_string ? server_version_string : "undefined"), + (client_version_string ? client_version_string : "undefined") + ); +} +/* rumen-XXX^ */ + int matching_host_key_dns = 0; /* import */ 
@@ -528,6 +543,8 @@ chop(client_version_string); chop(server_version_string); debug("Local version string %.100s", client_version_string); + + plogx509rsasig = logx509rsasig; /* rumen-XXX: X.509 RSASIG check */ } /* defaults to 'no' */ @@ -575,6 +592,7 @@ char msg[1024]; int len, host_line, ip_line; const char *host_file = NULL, *ip_file = NULL; + char extramsg[1024], *subject = NULL; /* * Force accepting of the host key for loopback/localhost. The @@ -738,13 +756,27 @@ "No matching host key fingerprint" " found in DNS.\n"); } + if ((host_key->type == KEY_X509_RSA) || (host_key->type == KEY_X509_DSA)) { + subject = x509key_subject(host_key); + snprintf(extramsg, sizeof(extramsg), + "Distinguished name is %.*s.\n", + X509KEY_SUBJECT_MAXLEN, subject); + } else { + subject = NULL; + *extramsg = '\0'; + } snprintf(msg, sizeof(msg), "The authenticity of host '%.200s (%s)' can't be " "established%s\n" "%s key fingerprint is %s.\n%s" + "%s" "Are you sure you want to continue connecting " "(yes/no)? ", - host, ip, msg1, type, fp, msg2); + host, ip, msg1, type, fp, msg2, extramsg); + if(subject != NULL) { + xfree(subject); + subject = NULL; + } xfree(fp); if (!confirm(msg)) goto fail; @@ -1011,7 +1043,8 @@ static int show_other_keys(const char *host, Key *key) { - int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, -1}; + int type[] = { KEY_RSA1, KEY_RSA, KEY_DSA, KEY_X509_RSA, KEY_X509_DSA, -1}; + int i, found = 0; for (i = 0; type[i] != -1; i++) { 
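Review bot: `extramsg` is declared with the same 1024-byte size as `msg`, yet it is later formatted into `msg` together with the host, address, fingerprint and DNS text. A long certificate subject can therefore make `snprintf` truncate `msg` before the `Are you sure you want to continue connecting (yes/no)?` question. How long the subject can get depends on `X509KEY_SUBJECT_MAXLEN`, whose value is not visible here. Because the subject comes from the certificate the server presents, either size `msg` for the worst case or check the result, e.g. `if (n < 0 || (size_t)n >= sizeof(msg)) goto fail;` with `n` holding the `snprintf` return value. The enclosing function starts and ends outside this hunk.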
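Review bot: `subject` is passed to `%.*s` without a NULL check, while the `if(subject != NULL)` guard before `xfree` a few lines later shows that `x509key_subject()` is expected to be able to return NULL; formatting a NULL string is undefined behaviour. The X.509 branch should fall back to an empty `extramsg` in that case, e.g. `if (subject == NULL) *extramsg = '\0'; else snprintf(extramsg, sizeof(extramsg), ...);`. The `@@ -1056,6 +1089,12 @@` hunk has the same pattern in its `error()` call and additionally calls `xfree(subject)` unguarded. Since the distinguished name is taken from the peer's certificate and shown in the trust prompt, it is also worth confirming that `x509key_subject()` escapes control characters; that helper is not visible in this part of the diff.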
@@ -1056,6 +1089,12 @@ error("It is also possible that the %s host key has just been changed.", type); error("The fingerprint for the %s key sent by the remote host is\n%s.", type, fp); + if ((host_key->type == KEY_X509_RSA) || (host_key->type == KEY_X509_DSA)) { + char *subject = x509key_subject(host_key); + error("Distinguished name sent by remote host is\n%.*s.", + X509KEY_SUBJECT_MAXLEN, subject); + xfree(subject); + } error("Please contact your system administrator."); xfree(fp); diff -ruN openssh-3.8p1/sshd.0 openssh-3.8p1+x509h/sshd.0 --- openssh-3.8p1/sshd.0 2004-02-24 08:23:04.000000000 +0200 +++ openssh-3.8p1+x509h/sshd.0 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -SSHD(8) OpenBSD System Manager's Manual SSHD(8) +SSHD(8) System Manager's Manual SSHD(8) NAME sshd - OpenSSH SSH daemon @@ -14,8 +14,8 @@ intended to be as easy to install and use as possible. sshd is the daemon that listens for connections from clients. It is nor- - mally started at boot from /etc/rc. It forks a new daemon for each in- - coming connection. The forked daemons handle key exchange, encryption, + mally started at boot from /etc/rc. It forks a new daemon for each + incoming connection. The forked daemons handle key exchange, encryption, authentication, command execution, and data exchange. This implementa- tion of sshd supports both SSH protocol version 1 and 2 simultaneously. sshd works as follows: 
@@ -23,15 +23,15 @@ SSH protocol version 1 Each host has a host-specific RSA key (normally 1024 bits) used to iden- tify the host. Additionally, when the daemon starts, it generates a - server RSA key (normally 768 bits). This key is normally regenerated ev- - ery hour if it has been used, and is never stored on disk. + server RSA key (normally 768 bits). This key is normally regenerated + every hour if it has been used, and is never stored on disk. Whenever a client connects, the daemon responds with its public host and server keys. The client compares the RSA host key against its own database to verify that it has not changed. The client then generates a 256-bit random number. It encrypts this random number using both the - host key and the server key, and sends the encrypted number to the serv- - er. Both sides then use this random number as a session key which is + host key and the server key, and sends the encrypted number to the + server. Both sides then use this random number as a session key which is used to encrypt all further communications in the session. The rest of the session is encrypted using a conventional cipher, currently Blowfish or 3DES, with 3DES being used by default. The client selects the encryp- @@ -39,8 +39,8 @@ Next, the server and the client enter an authentication dialog. The client tries to authenticate itself using .rhosts authentication, .rhosts - authentication combined with RSA host authentication, RSA challenge-re- - sponse authentication, or password based authentication. + authentication combined with RSA host authentication, RSA challenge- + response authentication, or password based authentication. Regardless of the authentication type, the account is checked to ensure that it is accessible. An account is not accessible if it is locked, 
@@ -60,16 +60,17 @@ SSH protocol version 2 Version 2 works similarly: Each host has a host-specific key (RSA or DSA) - used to identify the host. However, when the daemon starts, it does not - generate a server key. Forward security is provided through a Diffie- - Hellman key agreement. This key agreement results in a shared session - key. + used to identify the host. It is possible host key to contain key plus + X.509 certificate. However, when the daemon starts, it does not generate + a server key. Forward security is provided through a Diffie-Hellman key + agreement. This key agreement results in a shared session key. The rest of the session is encrypted using a symmetric cipher, currently 128-bit AES, Blowfish, 3DES, CAST128, Arcfour, 192-bit AES, or 256-bit - AES. The client selects the encryption algorithm to use from those of- - fered by the server. Additionally, session integrity is provided through - a cryptographic message authentication code (hmac-sha1 or hmac-md5). + AES. The client selects the encryption algorithm to use from those + offered by the server. Additionally, session integrity is provided + through a cryptographic message authentication code (hmac-sha1 or hmac- + md5). Protocol version 2 provides a public key based user (PubkeyAuthentica- tion) or client host (HostbasedAuthentication) authentication method, @@ -116,8 +117,8 @@ -d Debug mode. The server sends verbose debug output to the system log, and does not put itself in the background. The server also will not fork and will only process one connection. This option - is only intended for debugging for the server. Multiple -d op- - tions increase the debugging level. Maximum is 3. + is only intended for debugging for the server. Multiple -d + options increase the debugging level. Maximum is 3. -e When this option is specified, sshd will send the output to the standard error instead of the system log. 
@@ -128,10 +129,10 @@ figuration file. -g login_grace_time - Gives the grace time for clients to authenticate themselves (de- - fault 120 seconds). If the client fails to authenticate the user - within this many seconds, the server disconnects and exits. A - value of zero indicates no limit. + Gives the grace time for clients to authenticate themselves + (default 120 seconds). If the client fails to authenticate the + user within this many seconds, the server disconnects and exits. + A value of zero indicates no limit. -h host_key_file Specifies a file from which a host key is read. This option must @@ -140,14 +141,16 @@ /etc/ssh/ssh_host_key for protocol version 1, and /etc/ssh/ssh_host_rsa_key and /etc/ssh/ssh_host_dsa_key for pro- tocol version 2. It is possible to have multiple host key files - for the different protocol versions and host key algorithms. + for the different protocol versions and host key algorithms. It + is possible host key for protocol version 2 to contain key plus + X.509 certificate. -i Specifies that sshd is being run from inetd(8). sshd is normally not run from inetd because it needs to generate the server key before it can respond to the client, and this may take tens of - seconds. Clients would have to wait too long if the key was re- - generated every time. However, with small key sizes (e.g., 512) - using sshd from inetd may be feasible. + seconds. Clients would have to wait too long if the key was + regenerated every time. However, with small key sizes (e.g., + 512) using sshd from inetd may be feasible. -k key_gen_time Specifies how often the ephemeral protocol version 1 server key 
@@ -155,14 +158,14 @@ tion for regenerating the key fairly often is that the key is not stored anywhere, and after about an hour it becomes impossible to recover the key for decrypting intercepted communications even if - the machine is cracked into or physically seized. A value of ze- - ro indicates that the key will never be regenerated. + the machine is cracked into or physically seized. A value of + zero indicates that the key will never be regenerated. -o option Can be used to give options in the format used in the configura- tion file. This is useful for specifying options for which there - is no separate command-line flag. For full details of the op- - tions, and their values, see sshd_config(5). + is no separate command-line flag. For full details of the + options, and their values, see sshd_config(5). -p port Specifies the port on which the server listens for connections @@ -170,8 +173,8 @@ fied in the configuration file are ignored when a command-line port is specified. - -q Quiet mode. Nothing is sent to the system log. Normally the be- - ginning, authentication, and termination of each connection is + -q Quiet mode. Nothing is sent to the system log. Normally the + beginning, authentication, and termination of each connection is logged. -t Test mode. Only check the validity of the configuration file and 
@@ -186,10 +189,10 @@ indicates that only dotted decimal addresses should be put into the utmp file. -u0 may also be used to prevent sshd from making DNS requests unless the authentication mechanism or configuration - requires it. Authentication mechanisms that may require DNS in- - clude RhostsRSAAuthentication, HostbasedAuthentication and using - a from="pattern-list" option in a key file. Configuration op- - tions that require DNS include using a USER@HOST pattern in + requires it. Authentication mechanisms that may require DNS + include RhostsRSAAuthentication, HostbasedAuthentication and + using a from="pattern-list" option in a key file. Configuration + options that require DNS include using a USER@HOST pattern in AllowUsers or DenyUsers. CONFIGURATION FILE @@ -220,8 +223,8 @@ 7. Changes to user's home directory. - 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc ex- - ists, runs it; otherwise runs xauth. The ``rc'' files are + 8. If $HOME/.ssh/rc exists, runs it; else if /etc/ssh/sshrc + exists, runs it; otherwise runs xauth. The ``rc'' files are given the X11 authentication protocol and cookie in standard input. @@ -231,7 +234,9 @@ $HOME/.ssh/authorized_keys is the default file that lists the public keys that are permitted for RSA authentication in protocol version 1 and for public key authentication (PubkeyAuthentication) in protocol version 2. - AuthorizedKeysFile may be used to specify an alternative file. + It is posible for protocol version 2 to contain X.509 certificates or + certificates ``Distinguished Name''. AuthorizedKeysFile may be used to + specify an alternative file. Each line of the file contains one key (empty lines and lines starting with a `#' are ignored as comments). Each RSA public key consists of the 
@@ -243,10 +248,19 @@ ulus and comment fields give the RSA key for protocol version 1; the com- ment field is not used for anything (but may be convenient for the user to identify the key). For protocol version 2 the keytype is ``ssh-dss'' - or ``ssh-rsa''. + or ``ssh-rsa''. In addition for protocol version 2 user can use X.509 + certificates. In that case keytype is ``x509v3-sign-rsa'' or + ``x509v3-sign-dss''. Instead of ``base64 encoded key'' line must contain + base64 encoded certicate (old style) or a keyword (new style), optional + followed by symbol `=' (equal) or `:' (colon), zero or more spaces and + certificate ``Distinguished Name'' (Subject). Keyword is case insensitive + and can be one of `Subject' , `Distinguished Name' , `Distinguished-Name' + , `Distinguished_Name' , `DistinguishedName' or `DN'. Separator of Sub- + ject items can be `/' (slash), `,' (comma) or mixed and order is not + important. - Note that lines in this file are usually several hundred bytes long (be- - cause of the size of the public key encoding). You don't want to type + Note that lines in this file are usually several hundred bytes long + (because of the size of the public key encoding). You don't want to type them in; instead, copy the identity.pub, id_dsa.pub or the id_rsa.pub file and edit it. 
@@ -267,25 +281,25 @@ key is not accepted. The purpose of this option is to optionally increase security: public key authentication by itself does not trust the network or name servers or anything (but the key); how- - ever, if somebody somehow steals the key, the key permits an in- - truder to log in from anywhere in the world. This additional op- - tion makes using a stolen key more difficult (name servers and/or - routers would have to be compromised in addition to just the - key). + ever, if somebody somehow steals the key, the key permits an + intruder to log in from anywhere in the world. This additional + option makes using a stolen key more difficult (name servers + and/or routers would have to be compromised in addition to just + the key). command="command" Specifies that the command is executed whenever this key is used for authentication. The command supplied by the user (if any) is ignored. The command is run on a pty if the client requests a pty; otherwise it is run without a tty. If an 8-bit clean chan- - nel is required, one must not request a pty or should specify no- - pty. A quote may be included in the command by quoting it with a - backslash. This option might be useful to restrict certain pub- - lic keys to perform just a specific operation. An example might - be a key that permits remote backups but nothing else. Note that - the client may specify TCP/IP and/or X11 forwarding unless they - are explicitly prohibited. Note that this option applies to - shell, command or subsystem execution. + nel is required, one must not request a pty or should specify + no-pty. A quote may be included in the command by quoting it + with a backslash. This option might be useful to restrict cer- + tain public keys to perform just a specific operation. An exam- + ple might be a key that permits remote backups but nothing else. + Note that the client may specify TCP/IP and/or X11 forwarding + unless they are explicitly prohibited. 
Note that this option + applies to shell, command or subsystem execution. environment="NAME=value" Specifies that the string is to be added to the environment when @@ -297,8 +311,8 @@ no-port-forwarding Forbids TCP/IP forwarding when this key is used for authentica- - tion. Any port forward requests by the client will return an er- - ror. This might be used, e.g., in connection with the command + tion. Any port forward requests by the client will return an + error. This might be used, e.g., in connection with the command option. no-X11-forwarding 
@@ -316,25 +330,28 @@ nect to the specified host and port. IPv6 addresses can be spec- ified with an alternative syntax: host/port. Multiple permitopen options may be applied separated by commas. No pattern matching - is performed on the specified hostnames, they must be literal do- - mains or addresses. + is performed on the specified hostnames, they must be literal + domains or addresses. Examples 1024 33 12121...312314325 ylo@foo.bar from="*.niksula.hut.fi,!pc.niksula.hut.fi" 1024 35 23...2334 ylo@niksula - command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 back- - up.hut.fi + command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 + backup.hut.fi permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 + x509v3-sign-dss subject= /C=XX/ST=World/O=OpenSSH Test Team... + SSH_KNOWN_HOSTS FILE FORMAT The /etc/ssh/ssh_known_hosts and $HOME/.ssh/known_hosts files contain - host public keys for all known hosts. The global file should be prepared - by the administrator (optional), and the per-user file is maintained au- - tomatically: whenever the user connects from an unknown host its key is - added to the per-user file. + host public keys, certificates (old style) or certificates + ``Distinguished Name'' for all known hosts. The global file should be + prepared by the administrator (optional), and the per-user file is main- + tained automatically: whenever the user connects from an unknown host its + key is added to the per-user file. Each line in these files contains the following fields: hostnames, bits, exponent, modulus, comment. The fields are separated by spaces. 
@@ -343,8 +360,8 @@ cards); each pattern in turn is matched against the canonical host name (when authenticating a client) or against the user-supplied name (when authenticating a server). A pattern may also be preceded by `!' to indi- - cate negation: if the host name matches a negated pattern, it is not ac- - cepted (by that line) even if it matched another pattern on the line. + cate negation: if the host name matches a negated pattern, it is not + accepted (by that line) even if it matched another pattern on the line. Bits, exponent, and modulus are taken directly from the RSA host key; they can be obtained, e.g., from /etc/ssh/ssh_host_key.pub. The optional @@ -369,6 +386,7 @@ closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= + x509host x509v3-sign-rsa Subject:/C=XX..... FILES /etc/ssh/sshd_config 
@@ -377,19 +395,22 @@ /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key - These three files contain the private parts of the host keys. - These files should only be owned by root, readable only by root, - and not accessible to others. Note that sshd does not start if - this file is group/world-accessible. + These three files contain the private parts of the host keys. It + is possible to contain private part plus X.509 certificate for + protocol version 2 keys. These files should only be owned by + root, readable only by root, and not accessible to others. Note + that sshd does not start if this file is group/world-accessible. /etc/ssh/ssh_host_key.pub, /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub These three files contain the public parts of the host keys. These files should be world-readable but writable only by root. - Their contents should match the respective private parts. These - files are not really used for anything; they are provided for the - convenience of the user so their contents can be copied to known - hosts files. These files are created using ssh-keygen(1). + Their contents should match the respective private parts. Note + that when corresponding host key contain a certificate in addi- + tion these file must contains that certificate. These files are + not really used for anything; they are provided for the conve- + nience of the user so their contents can be copied to known hosts + files. These files are created using ssh-keygen(1). /etc/moduli Contains Diffie-Hellman groups used for the "Diffie-Hellman Group 
@@ -409,25 +430,40 @@ able. $HOME/.ssh/authorized_keys - Lists the public keys (RSA or DSA) that can be used to log into - the user's account. This file must be readable by root (which - may on some machines imply it being world-readable if the user's - home directory resides on an NFS volume). It is recommended that - it not be accessible by others. The format of this file is de- - scribed above. Users will place the contents of their + Lists the public keys (RSA or DSA), certificates or certificates + ``Distinguished Names'' (recommendet) that can be used to log + into the user's account. This file must be readable by root + (which may on some machines imply it being world-readable if the + user's home directory resides on an NFS volume). It is recom- + mended that it not be accessible by others. The format of this + file is described above. Users will place the contents of their identity.pub, id_dsa.pub and/or id_rsa.pub files into this file, as described in ssh-keygen(1). /etc/ssh/ssh_known_hosts, $HOME/.ssh/known_hosts These files are consulted when using rhosts with RSA host authen- tication or protocol version 2 hostbased authentication to check - the public key of the host. The key must be listed in one of - these files to be accepted. The client uses the same files to - verify that it is connecting to the correct remote host. These - files should be writable only by root/the owner. + the public key or certificate of the host. The key must be + listed in one of these files to be accepted. The client uses the + same files to verify that it is connecting to the correct remote + host. These files should be writable only by root/the owner. /etc/ssh/ssh_known_hosts should be world-readable, and $HOME/.ssh/known_hosts can, but need not be, world-readable. 
+ /etc/ssh/ca/ca-bundle.crt and /etc/ssh/ca/ca-bundle.crl + The first file contain multiple certificates and the second + ``Certificate Revocation List'' (CRLs) of certificate signers in + PEM format concatenated together. Used to verify and validate + client certificate. + + /etc/ssh/ca/crt and /etc/ssh/ca/crl + ``Hash dirs'' with certificates, the first directory or CLRs, the + second of certificate signers. Each certificate should be stored + in separate file with name [HASH].[NUMBER] or [HASH].r[NUMBER] + for the CRL, where [HASH] is certificate or CRL hash value and + [NUMBER] is an integer starting from zero. Used to verify and + validate client certificate. + /etc/nologin If this file exists, sshd refuses to let anyone except root log in. The contents of the file are displayed to anyone trying to @@ -435,8 +471,8 @@ world-readable. /etc/hosts.allow, /etc/hosts.deny - Access controls that should be enforced by tcp-wrappers are de- - fined here. Further details are described in hosts_access(5). + Access controls that should be enforced by tcp-wrappers are + defined here. Further details are described in hosts_access(5). $HOME/.rhosts This file contains host-username pairs, separated by a space, one 
@@ -461,21 +497,22 @@ they have the same user name on both machines. The host name may also be followed by a user name; such users are permitted to log in as any user on this machine (except root). Additionally, the - syntax ``+@group'' can be used to specify netgroups. Negated en- - tries start with `-'. + syntax ``+@group'' can be used to specify netgroups. Negated + entries start with `-'. - If the client host/user is successfully matched in this file, lo- - gin is automatically permitted provided the client and server us- - er names are the same. Additionally, successful RSA host authen- - tication is normally required. This file must be writable only - by root; it is recommended that it be world-readable. + If the client host/user is successfully matched in this file, + login is automatically permitted provided the client and server + user names are the same. Additionally, successful RSA host + authentication is normally required. This file must be writable + only by root; it is recommended that it be world-readable. Warning: It is almost never a good idea to use user names in hosts.equiv. Beware that it really means that the named user(s) can log in as anybody, which includes bin, daemon, adm, and other - accounts that own critical binaries and directories. Using a us- - er name practically grants the user root access. The only valid - use for user names that I can think of is in negative entries. + accounts that own critical binaries and directories. Using a + user name practically grants the user root access. The only + valid use for user names that I can think of is in negative + entries. Note that this warning also applies to rsh/rlogin. 
@@ -493,18 +530,18 @@ is controlled via the PermitUserEnvironment option. $HOME/.ssh/rc - If this file exists, it is run with /bin/sh after reading the en- - vironment files but before starting the user's shell or command. - It must not produce any output on stdout; stderr must be used in- - stead. If X11 forwarding is in use, it will receive the "proto - cookie" pair in its standard input (and DISPLAY in its environ- - ment). The script must call xauth(1) because sshd will not run - xauth automatically to add X11 cookies. + If this file exists, it is run with /bin/sh after reading the + environment files but before starting the user's shell or com- + mand. It must not produce any output on stdout; stderr must be + used instead. If X11 forwarding is in use, it will receive the + "proto cookie" pair in its standard input (and DISPLAY in its + environment). The script must call xauth(1) because sshd will + not run xauth automatically to add X11 cookies. The primary purpose of this file is to run any initialization - routines which may be needed before the user's home directory be- - comes accessible; AFS is a particular example of such an environ- - ment. + routines which may be needed before the user's home directory + becomes accessible; AFS is a particular example of such an envi- + ronment. This file will probably contain some initialization code followed by something similar to: 
@@ -547,9 +584,10 @@ AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and - created OpenSSH. Markus Friedl contributed the support for SSH protocol + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support - for privilege separation. + for privilege separation. Roumen Petrov contributed support for X.509 + certificates. -OpenBSD 3.4 September 25, 1999 9 +BSD September 25, 1999 BSD diff -ruN openssh-3.8p1/sshd.8 openssh-3.8p1+x509h/sshd.8 --- openssh-3.8p1/sshd.8 2003-10-15 08:50:43.000000000 +0300 +++ openssh-3.8p1+x509h/sshd.8 2004-03-09 09:06:00.000000000 +0200 @@ -13,6 +13,7 @@ .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 2002 Roumen Petrov. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -34,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd.8,v 1.200 2003/10/08 08:27:36 jmc Exp $ +.\" $OpenBSD$ .Dd September 25, 1999 .Dt SSHD 8 .Os @@ -152,6 +153,7 @@ .Ss SSH protocol version 2 Version 2 works similarly: Each host has a host-specific key (RSA or DSA) used to identify the host. +It is possible host key to contain key plus X.509 certificate. However, when the daemon starts, it does not generate a server key. Forward security is provided through a Diffie-Hellman key agreement. This key agreement results in a shared session key. 
@@ -259,6 +261,8 @@ for protocol version 2. It is possible to have multiple host key files for the different protocol versions and host key algorithms. +It is possible host key for protocol version 2 to contain key plus X.509 +certificate. .It Fl i Specifies that .Nm @@ -402,6 +406,9 @@ permitted for RSA authentication in protocol version 1 and for public key authentication (PubkeyAuthentication) in protocol version 2. +It is posible for protocol version 2 to contain X.509 certificates +or certificates +.Dq "Distinguished Name" . .Cm AuthorizedKeysFile may be used to specify an alternative file. .Pp @@ -425,6 +432,37 @@ .Dq ssh-dss or .Dq ssh-rsa . +In addition for protocol version 2 user can use X.509 certificates. +In that case keytype is +.Dq x509v3-sign-rsa +or +.Dq x509v3-sign-dss . +Instead of +.Dq "base64 encoded key" +line must contain base64 encoded certicate (old style) or +a keyword (new style), optional followed by symbol +.Sq = +(equal) or +.Sq \&: +(colon), zero or more spaces and certificate +.Dq "Distinguished Name" +(Subject). Keyword is case insensitive and can be one of +.Sq Subject +, +.Sq "Distinguished Name" +, +.Sq Distinguished-Name +, +.Sq Distinguished_Name +, +.Sq DistinguishedName +or +.Sq DN . +Separator of Subject items can be +.Sq / +(slash), +.Sq \&, +(comma) or mixed and order is not important. .Pp Note that lines in this file are usually several hundred bytes long (because of the size of the public key encoding). 
@@ -529,12 +567,16 @@ command="dump /home",no-pty,no-port-forwarding 1024 33 23...2323 backup.hut.fi .Pp permitopen="10.2.1.55:80",permitopen="10.2.1.56:25" 1024 33 23...2323 +.Pp +x509v3-sign-dss subject= /C=XX/ST=World/O=OpenSSH Test Team... .Sh SSH_KNOWN_HOSTS FILE FORMAT The .Pa /etc/ssh/ssh_known_hosts and .Pa $HOME/.ssh/known_hosts -files contain host public keys for all known hosts. +files contain host public keys, certificates (old style) or certificates +.Dq "Distinguished Name" +for all known hosts. The global file should be prepared by the administrator (optional), and the per-user file is maintained automatically: whenever the user connects from an unknown host @@ -588,6 +630,7 @@ .Bd -literal closenet,...,130.233.208.41 1024 37 159...93 closenet.hut.fi cvs.openbsd.org,199.185.137.3 ssh-rsa AAAA1234.....= +x509host x509v3-sign-rsa Subject:/C=XX..... .Ed .Sh FILES .Bl -tag -width Ds @@ -598,6 +641,8 @@ .Xr sshd_config 5 . .It Pa /etc/ssh/ssh_host_key, /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key These three files contain the private parts of the host keys. +It is possible to contain private part plus X.509 certificate for +protocol version 2 keys. These files should only be owned by root, readable only by root, and not accessible to others. Note that @@ -608,6 +653,8 @@ These files should be world-readable but writable only by root. Their contents should match the respective private parts. +Note that when corresponding host key contain a certificate +in addition these file must contains that certificate. These files are not really used for anything; they are provided for the convenience of the user so their contents can be copied to known hosts files. 
@@ -632,7 +679,10 @@ started last). The content of this file is not sensitive; it can be world-readable. .It Pa $HOME/.ssh/authorized_keys -Lists the public keys (RSA or DSA) that can be used to log into the user's account. +Lists the public keys (RSA or DSA), certificates or certificates +.Dq "Distinguished Names" +(recommendet) +that can be used to log into the user's account. This file must be readable by root (which may on some machines imply it being world-readable if the user's home directory resides on an NFS volume). @@ -648,7 +698,7 @@ .It Pa "/etc/ssh/ssh_known_hosts", "$HOME/.ssh/known_hosts" These files are consulted when using rhosts with RSA host authentication or protocol version 2 hostbased authentication -to check the public key of the host. +to check the public key or certificate of the host. The key must be listed in one of these files to be accepted. The client uses the same files to verify that it is connecting to the correct remote host. @@ -657,6 +707,20 @@ should be world-readable, and .Pa $HOME/.ssh/known_hosts can, but need not be, world-readable. +.It Pa "/etc/ssh/ca/ca-bundle.crt" and "/etc/ssh/ca/ca-bundle.crl" +The first file contain multiple certificates and the second +.Dq "Certificate Revocation List" +(CRLs) of certificate signers in PEM format concatenated together. +Used to verify and validate client certificate. +.It Pa "/etc/ssh/ca/crt" and Pa "/etc/ssh/ca/crl" +.Dq "Hash dirs" +with certificates, the first directory or CLRs, the second of +certificate signers. +Each certificate should be stored in separate file with name +[HASH].[NUMBER] or [HASH].r[NUMBER] for the CRL, where [HASH] is +certificate or CRL hash value and [NUMBER] is an integer starting +from zero. +Used to verify and validate client certificate. .It Pa /etc/nologin If this file exists, .Nm 
@@ -836,3 +900,4 @@ protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. +Roumen Petrov contributed support for X.509 certificates. diff -ruN openssh-3.8p1/sshd.c openssh-3.8p1+x509h/sshd.c --- openssh-3.8p1/sshd.c 2004-02-24 00:20:29.000000000 +0200 +++ openssh-3.8p1+x509h/sshd.c 2004-02-25 09:06:01.000000000 +0200 @@ -20,6 +20,9 @@ * Copyright (c) 2000, 2001, 2002 Markus Friedl. All rights reserved. * Copyright (c) 2002 Niels Provos. All rights reserved. * + * X509 certificates support: + * Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -42,7 +45,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.286 2004/02/23 12:02:33 markus Exp $"); +RCSID("$OpenBSD$"); #include #include @@ -154,6 +157,17 @@ char *client_version_string = NULL; char *server_version_string = NULL; +/* rumen-XXX: X.509 RSASIG check */ +extern void (*plogx509rsasig)(const char *msg); +static void logx509rsasig(const char *msg) { + logit("%.400s: client=%.200s (server=%.200s)", + msg, + (client_version_string ? client_version_string : "undefined"), + (server_version_string ? server_version_string : "undefined") + ); +} +/* rumen-XXX^ */ + /* for rekeying XXX fixme */ Kex *xxx_kex; @@ -485,6 +499,8 @@ server_version_string, client_version_string); cleanup_exit(255); } + + plogx509rsasig = logx509rsasig; /* rumen-XXX: X.509 RSASIG check */ } /* Destroy the host and server keys. They will no longer be needed. */ @@ -685,6 +701,8 @@ switch (key->type) { case KEY_RSA: case KEY_DSA: + case KEY_X509_RSA: + case KEY_X509_DSA: if (buffer_len(&b) > 0) buffer_append(&b, ",", 1); p = key_ssh_name(key); 
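Review bot: In the sshd.c hunk at -154,6 +157,17 the hook pointer is declared with a local `extern void (*plogx509rsasig)(const char *msg);`, so the compiler cannot check it against the definition, which is not in this part of the patch. The declaration belongs in the header of the file that defines it, possibly the `ssh-x509.h` this patch already includes in auth2-pubkey.c. The hook is only installed by `plogx509rsasig = logx509rsasig;` in the -485,6 +499,8 hunk, at the end of a function whose start lies outside that hunk, so it is worth confirming that every call site tolerates a pointer that has not been set yet. `client_version_string` comes from the remote peer, so the `%.200s` bound in the format should be kept if the message is ever reworded. The `rumen-XXX` markers do not say what the hook is for; if it serves the signature digest fallback that the X509rsaSigType text describes, a comment such as `/* Log hook for the X.509 RSA signature check: reports the message with both version strings. */` would be clearer.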
@@ -989,6 +1007,8 @@ break; case KEY_RSA: case KEY_DSA: + case KEY_X509_RSA: + case KEY_X509_DSA: sensitive_data.have_ssh2_key = 1; break; } diff -ruN openssh-3.8p1/sshd_config openssh-3.8p1+x509h/sshd_config --- openssh-3.8p1/sshd_config 2003-12-31 02:38:32.000000000 +0200 +++ openssh-3.8p1+x509h/sshd_config 2004-04-05 09:06:00.000000000 +0300 @@ -1,4 +1,4 @@ -# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $ +# $OpenBSD$ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. 
@@ -21,6 +21,44 @@ #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_dsa_key +# Signarure for "x509v3-sign-rsa" keys: md5,sha1 +#X509rsaSigType=md5 + +# The intended use for the X509 client certificate. Without this option +# no chain verification will be done. Currently accepted uses are case +# insensitive: +# - "sslclient", "SSL client", "SSL_client" or "client" +# - "any", "Any Purpose", "Any_Purpose" or "AnyPurpose" +# - "skip" or ""(empty): don`t check purpose. +#AllowedCertPurpose sslclient + +# A file with multiple certificates of certificate signers +# in PEM format concatenated together. +#CACertificateFile /etc/ssh/ca/ca-bundle.crt + +# A directory with certificates of certificate signers. +# The certificates should have name of the form: [HASH].[NUMBER] +# or have symbolic links to them of this form. +#CACertificatePath /etc/ssh/ca/crt + +# A file with multiple CRL of certificate signers +# in PEM format concatenated together. +#CARevocationFile /etc/ssh/ca/ca-bundle.crl + +# A directory with CRL of certificate signers. +# The CRL should have name of the form: [HASH].r[NUMBER] +# or have symbolic links to them of this form. +#CARevocationPath /etc/ssh/ca/crl + +# SSH can use "Online Certificate Status Protocol"(OCSP) +# to validate certificate. Set VAType to +# - none : do not use OCSP to validate certificates; +# - ocspcert: validate only certificates that specify `OCSP +# Service Locator' URL; +# - ocspspec: use specified in the configuration 'OCSP Responder' +# to validate all certificates. +#VAType none + # Lifetime and size of ephemeral version 1 server key #KeyRegenerationInterval 1h #ServerKeyBits 768 diff -ruN openssh-3.8p1/sshd_config.0 openssh-3.8p1+x509h/sshd_config.0 --- openssh-3.8p1/sshd_config.0 2004-02-24 08:23:06.000000000 +0200 +++ openssh-3.8p1+x509h/sshd_config.0 2004-04-05 09:06:00.000000000 +0300 
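Review bot: The comment above `#AllowedCertPurpose sslclient` says "Without this option no chain verification will be done", while the sshd_config.5 text in this same patch gives `sslclient` as the default, so an administrator cannot tell whether leaving the line commented out turns chain verification off. Because that decides whether client certificates are validated at all, the comment should state the effective default and name the value that disables the check, for example `# Default: sslclient. "skip" or an empty value disables the purpose check.`, if that matches the code. The first added comment has a typo (`Signarure`), and `#X509rsaSigType=md5` uses `=` where the other sample lines in this hunk separate keyword and value with a space. The sample would also benefit from saying that `md5` appears to be kept only for interoperability with other implementations and that `sha1` is the stronger of the two digests offered.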
@@ -1,4 +1,4 @@ -SSHD_CONFIG(5) OpenBSD Programmer's Manual SSHD_CONFIG(5) +SSHD_CONFIG(5) System File Formats Manual SSHD_CONFIG(5) NAME sshd_config - OpenSSH SSH daemon configuration file @@ -15,6 +15,16 @@ The possible keywords and their meanings are as follows (note that key- words are case-insensitive and arguments are case-sensitive): + AllowedCertPurpose + The intended use for the X509 client certificate. Without this + option no chain verification will be done. Currently accepted + uses are case insensitive: + o `sslclient' , `SSL client' , `SSL_client' or `client' ; + o `any' , `Any Purpose' , `Any_Purpose' or `AnyPurpose' ; + o `skip' or `' (empty): do not check purpose. + + The default is ``sslclient''. + AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. If specified, login is allowed only for 
@@ -25,30 +35,30 @@ AllowTcpForwarding Specifies whether TCP forwarding is permitted. The default is - ``yes''. Note that disabling TCP forwarding does not improve se- - curity unless users are also denied shell access, as they can al- - ways install their own forwarders. + ``yes''. Note that disabling TCP forwarding does not improve + security unless users are also denied shell access, as they can + always install their own forwarders. AllowUsers This keyword can be followed by a list of user name patterns, - separated by spaces. If specified, login is allowed only for us- - er names that match one of the patterns. `*' and `?' can be used - as wildcards in the patterns. Only user names are valid; a nu- - merical user ID is not recognized. By default, login is allowed - for all users. If the pattern takes the form USER@HOST then USER - and HOST are separately checked, restricting logins to particular - users from particular hosts. + separated by spaces. If specified, login is allowed only for + user names that match one of the patterns. `*' and `?' can be + used as wildcards in the patterns. Only user names are valid; a + numerical user ID is not recognized. By default, login is + allowed for all users. If the pattern takes the form USER@HOST + then USER and HOST are separately checked, restricting logins to + particular users from particular hosts. AuthorizedKeysFile Specifies the file that contains the public keys that can be used for user authentication. AuthorizedKeysFile may contain tokens of the form %T which are substituted during connection set-up. The following tokens are defined: %% is replaced by a literal - '%', %h is replaced by the home directory of the user being au- - thenticated and %u is replaced by the username of that user. Af- - ter expansion, AuthorizedKeysFile is taken to be an absolute path - or one relative to the user's home directory. The default is - ``.ssh/authorized_keys''. 
+ '%', %h is replaced by the home directory of the user being + authenticated and %u is replaced by the username of that user. + After expansion, AuthorizedKeysFile is taken to be an absolute + path or one relative to the user's home directory. The default + is ``.ssh/authorized_keys''. Banner In some jurisdictions, sending a warning message before authenti- cation may be relevant for getting legal protection. The con- @@ -56,6 +66,29 @@ authentication is allowed. This option is only available for protocol version 2. By default, no banner is displayed. + CACertificateFile + This file contain multiple certificates of certificate signers in + PEM format concatenated together. The default is + /etc/ssh/ca/ca-bundle.crt. + + CACertificatePath + ``Hash dir'' with certificates of certificate signers. Each cer- + tificate should be stored in separate file with name [HASH].[NUM- + BER], where [HASH] is certificate hash value and [NUMBER] is an + integer starting from zero. The default is /etc/ssh/ca/crt. + + CARevocationFile + This file contain multiple ``Certificate Revocation List'' (CRL) + of certificate signers in PEM format concatenated together. The + default is /etc/ssh/ca/ca-bundle.crl. + + CARevocationPath + ``Hash dir'' with ``Certificate Revocation List'' (CRL) of cer- + tificate signers. Each CRL should be stored in separate file with + name [HASH].r[NUMBER], where [HASH] is CRL hash value and [NUM- + BER] is an integer starting from zero. The default is + /etc/ssh/ca/crl. + ChallengeResponseAuthentication Specifies whether challenge response authentication is allowed. All authentication styles from login.conf(5) are supported. The 
@@ -78,8 +111,8 @@ ClientAliveCountMax Sets the number of client alive messages (see above) which may be sent without sshd receiving any messages back from the client. - If this threshold is reached while client alive messages are be- - ing sent, sshd will disconnect the client, terminating the ses- + If this threshold is reached while client alive messages are + being sent, sshd will disconnect the client, terminating the ses- sion. It is important to note that the use of client alive mes- sages is very different from TCPKeepAlive (below). The client alive messages are sent through the encrypted channel and there- @@ -101,8 +134,8 @@ separated by spaces. Login is disallowed for users whose primary group or supplementary group list matches one of the patterns. `*' and `?' can be used as wildcards in the patterns. Only group - names are valid; a numerical group ID is not recognized. By de- - fault, login is allowed for all groups. + names are valid; a numerical group ID is not recognized. By + default, login is allowed for all groups. DenyUsers This keyword can be followed by a list of user name patterns, @@ -135,8 +168,8 @@ applies to protocol version 2 only. HostbasedAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication to- - gether with successful public key client host authentication is + Specifies whether rhosts or /etc/hosts.equiv authentication + together with successful public key client host authentication is allowed (hostbased authentication). This option is similar to RhostsRSAAuthentication and applies to protocol version 2 only. The default is ``no''. 
@@ -148,14 +181,15 @@ tocol version 2. Note that sshd will refuse to use a file if it is group/world-accessible. It is possible to have multiple host key files. ``rsa1'' keys are used for version 1 and ``dsa'' or - ``rsa'' are used for version 2 of the SSH protocol. + ``rsa'' are used for version 2 of the SSH protocol. It is possi- + ble host key to contain key plus X.509 certificate for version 2. IgnoreRhosts Specifies that .rhosts and .shosts files will not be used in RhostsRSAAuthentication or HostbasedAuthentication. - /etc/hosts.equiv and /etc/shosts.equiv are still used. The de- - fault is ``yes''. + /etc/hosts.equiv and /etc/shosts.equiv are still used. The + default is ``yes''. IgnoreUserKnownHosts Specifies whether sshd should ignore the user's @@ -215,15 +249,15 @@ MACs Specifies the available MAC (message authentication code) algo- rithms. The MAC algorithm is used in protocol version 2 for data - integrity protection. Multiple algorithms must be comma-separat- - ed. The default is ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac- - sha1-96,hmac-md5-96''. + integrity protection. Multiple algorithms must be comma-sepa- + rated. The default is + ``hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96''. MaxStartups Specifies the maximum number of concurrent unauthenticated con- nections to the sshd daemon. Additional connections will be - dropped until authentication succeeds or the LoginGraceTime ex- - pires for a connection. The default is 10. + dropped until authentication succeeds or the LoginGraceTime + expires for a connection. The default is 10. Alternatively, random early drop can be enabled by specifying the three colon separated values ``start:rate:full'' (e.g., 
@@ -234,8 +268,8 @@ unauthenticated connections reaches ``full'' (60). PasswordAuthentication - Specifies whether password authentication is allowed. The de- - fault is ``yes''. + Specifies whether password authentication is allowed. The + default is ``yes''. PermitEmptyPasswords When password authentication is allowed, it specifies whether the @@ -261,9 +295,9 @@ PermitUserEnvironment Specifies whether ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. The default is - ``no''. Enabling environment processing may enable users to by- - pass access restrictions in some configurations using mechanisms - such as LD_PRELOAD. + ``no''. Enabling environment processing may enable users to + bypass access restrictions in some configurations using mecha- + nisms such as LD_PRELOAD. PidFile Specifies the file that contains the process ID of the sshd dae- 
@@ -286,25 +320,25 @@ Specifies the protocol versions sshd supports. The possible val- ues are ``1'' and ``2''. Multiple versions must be comma-sepa- rated. The default is ``2,1''. Note that the order of the pro- - tocol list does not indicate preference, because the client se- - lects among multiple protocol versions offered by the server. + tocol list does not indicate preference, because the client + selects among multiple protocol versions offered by the server. Specifying ``2,1'' is identical to ``1,2''. PubkeyAuthentication - Specifies whether public key authentication is allowed. The de- - fault is ``yes''. Note that this option applies to protocol ver- - sion 2 only. + Specifies whether public key authentication is allowed. The + default is ``yes''. Note that this option applies to protocol + version 2 only. RhostsRSAAuthentication - Specifies whether rhosts or /etc/hosts.equiv authentication to- - gether with successful RSA host authentication is allowed. The - default is ``no''. This option applies to protocol version 1 on- - ly. + Specifies whether rhosts or /etc/hosts.equiv authentication + together with successful RSA host authentication is allowed. The + default is ``no''. This option applies to protocol version 1 + only. RSAAuthentication - Specifies whether pure RSA authentication is allowed. The de- - fault is ``yes''. This option applies to protocol version 1 on- - ly. + Specifies whether pure RSA authentication is allowed. The + default is ``yes''. This option applies to protocol version 1 + only. ServerKeyBits Defines the number of bits in the ephemeral protocol version 1 
@@ -319,17 +353,17 @@ Subsystem Configures an external subsystem (e.g., file transfer daemon). - Arguments should be a subsystem name and a command to execute up- - on subsystem request. The command sftp-server(8) implements the - ``sftp'' file transfer subsystem. By default no subsystems are - defined. Note that this option applies to protocol version 2 on- - ly. + Arguments should be a subsystem name and a command to execute + upon subsystem request. The command sftp-server(8) implements + the ``sftp'' file transfer subsystem. By default no subsystems + are defined. Note that this option applies to protocol version 2 + only. SyslogFacility Gives the facility code that is used when logging messages from - sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, LO- - CAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The de- - fault is AUTH. + sshd. The possible values are: DAEMON, USER, AUTH, LOCAL0, + LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The + default is AUTH. TCPKeepAlive Specifies whether the system should send TCP keepalive messages @@ -338,8 +372,8 @@ this means that connections will die if the route is down tem- porarily, and some people find it annoying. On the other hand, if TCP keepalives are not sent, sessions may hang indefinitely on - the server, leaving ``ghost'' users and consuming server re- - sources. + the server, leaving ``ghost'' users and consuming server + resources. The default is ``yes'' (to send TCP keepalive messages), and the server will notice if the network goes down or the client host 
@@ -355,8 +389,8 @@ UseLogin Specifies whether login(1) is used for interactive login ses- sions. The default is ``no''. Note that login(1) is never used - for remote command execution. Note also, that if this is en- - abled, X11Forwarding will be disabled because login(1) does not + for remote command execution. Note also, that if this is + enabled, X11Forwarding will be disabled because login(1) does not know how to handle xauth(1) cookies. If UsePrivilegeSeparation is specified, it will be disabled after authentication. 
@@ -366,14 +400,36 @@ to run sshd as a non-root user. The default is ``no''. UsePrivilegeSeparation - Specifies whether sshd separates privileges by creating an un- - privileged child process to deal with incoming network traffic. + Specifies whether sshd separates privileges by creating an + unprivileged child process to deal with incoming network traffic. After successful authentication, another process will be created that has the privilege of the authenticated user. The goal of privilege separation is to prevent privilege escalation by con- taining any corruption within the unprivileged processes. The default is ``yes''. + VACertificateFile + File with X.509 certificates in PEM format concatenated together. + In use when VAType is set to ``ocspspec''. The default value is + `' (empty). Certificates from that file explicitly trust `OCSP + Responder' public key. They are used as trusted certificates in + addition to certificates from CACertificateFile and + CACertificatePath to verify responder certificate. + + VAType Specifies whether `Online Certificate Status Protocol' (OCSP) is + used to validate X.509 certificates. Accepted values are case + insensitive: + o `none' : do not use OCSP to validate certificates; + o `ocspcert' : validate only certificates that specify `OCSP + Service Locator' URL; + o `ocspspec' : use specified in the configuration `OCSP + Responder' to validate all certificates. + The default is ``none''. + + VAOCSPResponderURL + `Access Location' / `OCSP Service Locator' URL of the OCSP + provider. In use when VAType is set to ``ocspspec''. + X11DisplayOffset Specifies the first display number available for sshd's X11 for- warding. This prevents sshd from interfering with real X11 
@@ -386,11 +442,11 @@ When X11 forwarding is enabled, there may be additional exposure to the server and to client displays if the sshd proxy display is configured to listen on the wildcard address (see X11UseLocalhost - below), however this is not the default. Additionally, the au- - thentication spoofing and authentication data verification and - substitution occur on the client side. The security risk of us- - ing X11 forwarding is that the client's X11 display server may be - exposed to attack when the ssh client requests forwarding (see + below), however this is not the default. Additionally, the + authentication spoofing and authentication data verification and + substitution occur on the client side. The security risk of + using X11 forwarding is that the client's X11 display server may + be exposed to attack when the ssh client requests forwarding (see the warnings for ForwardX11 in ssh_config(5)). A system adminis- trator may have a stance in which they want to protect clients that may expose themselves to attack by unwittingly requesting 
@@ -410,13 +466,25 @@ proxy display. However, some older X11 clients may not function with this configuration. X11UseLocalhost may be set to ``no'' to specify that the forwarding server should be bound to the wild- - card address. The argument must be ``yes'' or ``no''. The de- - fault is ``yes''. + card address. The argument must be ``yes'' or ``no''. The + default is ``yes''. XAuthLocation Specifies the full pathname of the xauth(1) program. The default is /usr/X11R6/bin/xauth. + X509rsaSigType + Temporary option. Specifies prefered signature digest type for + `x509v3-sign-rsa' keys. The possible values are ``md5'' and + ``sha1''. Server use this value to compute signature for host + X.509 RSA certificates. In new client connection with X.509 RSA + certificate as identity when signature blob fail with specified + value, server try to check signature with other possible value + and print log message containing text like this: `X509COMPAT: RSA + succeed for sha1 digest'. This options is intended to collect + information about default signature digest type in other SecSH + implementations. The default is ``md5''. + Time Formats sshd command-line arguments and configuration file options that specify time may be expressed using a sequence of the form: time[qualifier], @@ -454,6 +522,7 @@ de Raadt and Dug Song removed many bugs, re-added newer features and cre- ated OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support - for privilege separation. + for privilege separation. Roumen Petrov contributed support for X.509 + certificates. -OpenBSD 3.4 September 25, 1999 7 +BSD September 25, 1999 BSD diff -ruN openssh-3.8p1/sshd_config.5 openssh-3.8p1+x509h/sshd_config.5 --- openssh-3.8p1/sshd_config.5 2004-02-18 05:31:24.000000000 +0200 +++ openssh-3.8p1+x509h/sshd_config.5 2004-04-05 09:06:00.000000000 +0300 
@@ -13,6 +13,7 @@ .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 2002 Roumen Petrov. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -34,7 +35,7 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.28 2004/02/17 19:35:21 jmc Exp $ +.\" $OpenBSD$ .Dd September 25, 1999 .Dt SSHD_CONFIG 5 .Os @@ -61,6 +62,40 @@ keywords and their meanings are as follows (note that keywords are case-insensitive and arguments are case-sensitive): .Bl -tag -width Ds +.It Cm AllowedCertPurpose +The intended use for the X509 client certificate. Without this option +no chain verification will be done. Currently accepted uses are case +insensitive: +.Bl -bullet -compact +.It +.Sq sslclient +, +.Sq SSL client +, +.Sq SSL_client +or +.Sq client +; +.It +.Sq any +, +.Sq Any Purpose +, +.Sq Any_Purpose +or +.Sq AnyPurpose +; +.It +.Sq skip +or +.Sq +.. +(empty): do not check purpose. +.El +.Pp +The default is +.Dq sslclient . +.Pp .It Cm AllowGroups This keyword can be followed by a list of group name patterns, separated by spaces. 
@@ -121,6 +156,35 @@ This option is only available for protocol version 2. By default, no banner is displayed. .Pp +.It Cm CACertificateFile +This file contain multiple certificates of certificate signers in +PEM format concatenated together. The default is +.Pa /etc/ssh/ca/ca-bundle.crt . +.Pp +.It Cm CACertificatePath +.Dq "Hash dir" +with certificates of certificate signers. Each certificate should be +stored in separate file with name [HASH].[NUMBER], where [HASH] is +certificate hash value and [NUMBER] is an integer starting from zero. +The default is +.Pa /etc/ssh/ca/crt . +.Pp +.It Cm CARevocationFile +This file contain multiple +.Dq "Certificate Revocation List" +(CRL) of certificate signers in PEM format concatenated together. +The default is +.Pa /etc/ssh/ca/ca-bundle.crl . +.Pp +.It Cm CARevocationPath +.Dq "Hash dir" +with +.Dq "Certificate Revocation List" +(CRL) of certificate signers. Each CRL should be stored in separate +file with name [HASH].r[NUMBER], where [HASH] is CRL hash value and +[NUMBER] is an integer starting from zero. The default is +.Pa /etc/ssh/ca/crl . +.Pp .It Cm ChallengeResponseAuthentication Specifies whether challenge response authentication is allowed. All authentication styles from @@ -265,6 +329,8 @@ or .Dq rsa are used for version 2 of the SSH protocol. +It is possible host key to contain key plus X.509 certificate +for version 2. .It Cm IgnoreRhosts Specifies that .Pa .rhosts 
@@ -619,6 +685,54 @@ escalation by containing any corruption within the unprivileged processes. The default is .Dq yes . +.It Cm VACertificateFile +File with X.509 certificates in PEM format concatenated together. +In use when +.Cm VAType +is set to +.Dq ocspspec . +The default value is +.Sq +.. +(empty). +Certificates from that file explicitly trust +.Sq "OCSP Responder" +public key. +They are used as trusted certificates in addition to certificates from +.Cm CACertificateFile +and +.Cm CACertificatePath +to verify responder certificate. +.It Cm VAType +Specifies whether +.Sq "Online Certificate Status Protocol" +(OCSP) is used to validate X.509 certificates. +Accepted values are case insensitive: +.Bl -bullet -compact +.It +.Sq none +: do not use OCSP to validate certificates; +.It +.Sq ocspcert +: validate only certificates that specify +.Sq "OCSP Service Locator" +URL; +.It +.Sq ocspspec +: use specified in the configuration +.Sq "OCSP Responder" +to validate all certificates. +.El +The default is +.Dq none . +.It Cm VAOCSPResponderURL +.Sq "Access Location" +/ +.Sq "OCSP Service Locator" +URL of the OCSP provider. In use when +.Cm VAType +is set to +.Dq ocspspec . .It Cm X11DisplayOffset Specifies the first display number available for .Nm sshd Ns 's 
@@ -693,6 +807,26 @@ program. The default is .Pa /usr/X11R6/bin/xauth . +.It Cm X509rsaSigType +Temporary option. +Specifies prefered signature digest type for +.Sq x509v3-sign-rsa +keys. The possible values are +.Dq md5 +and +.Dq sha1 . +Server use this value to compute signature for +host X.509 RSA certificates. +In new client connection with X.509 RSA certificate as identity +when signature blob fail with specified value, +server try to check signature with other possible value and +print log message containing text like this: +.Sq X509COMPAT: RSA succeed for sha1 digest . +This options is intended to collect information +about default signature digest type +in other SecSH implementations. +The default is +.Dq md5 . .El .Ss Time Formats .Nm sshd @@ -756,3 +890,4 @@ protocol versions 1.5 and 2.0. Niels Provos and Markus Friedl contributed support for privilege separation. +Roumen Petrov contributed support for X.509 certificates. diff -ruN openssh-3.8p1/ssh-keygen.0 openssh-3.8p1+x509h/ssh-keygen.0 --- openssh-3.8p1/ssh-keygen.0 2004-02-24 08:23:01.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-keygen.0 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -SSH-KEYGEN(1) OpenBSD Reference Manual SSH-KEYGEN(1) +SSH-KEYGEN(1) System General Commands Manual SSH-KEYGEN(1) NAME ssh-keygen - authentication key generation, management and conversion @@ -17,8 +17,8 @@ ssh-keygen -U reader [-f input_keyfile] ssh-keygen -r hostname [-f input_keyfile] [-g] ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point] - ssh-keygen -T output_file -f input_file [-v] [-a num_trials] [-W - generator] + ssh-keygen -T output_file -f input_file [-v] [-a num_trials] + [-W generator] DESCRIPTION ssh-keygen generates, manages and converts authentication keys for 
@@ -39,14 +39,14 @@ name but ``.pub'' appended. The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. A - passphrase is similar to a password, except it can be a phrase with a se- - ries of words, punctuation, numbers, whitespace, or any string of charac- - ters you want. Good passphrases are 10-30 characters long, are not sim- - ple sentences or otherwise easily guessable (English prose has only 1-2 - bits of entropy per character, and provides very bad passphrases), and - contain a mix of upper and lowercase letters, numbers, and non-alphanu- - meric characters. The passphrase can be changed later by using the -p - option. + passphrase is similar to a password, except it can be a phrase with a + series of words, punctuation, numbers, whitespace, or any string of char- + acters you want. Good passphrases are 10-30 characters long, are not + simple sentences or otherwise easily guessable (English prose has only + 1-2 bits of entropy per character, and provides very bad passphrases), + and contain a mix of upper and lowercase letters, numbers, and non- + alphanumeric characters. The passphrase can be changed later by using + the -p option. There is no way to recover a lost passphrase. If the passphrase is lost or forgotten, a new key must be generated and copied to the corresponding @@ -96,6 +96,8 @@ -l Show fingerprint of specified public key file. Private RSA1 keys are also supported. For RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fingerprint. + When identity contain X.509 certificate its prints certificate + fingerprint. -p Requests changing the passphrase of a private key file instead of creating a new private key. The program will prompt for the file 
@@ -161,9 +163,9 @@ MODULI GENERATION ssh-keygen may be used to generate groups for the Diffie-Hellman Group Exchange (DH-GEX) protocol. Generating these groups is a two-step pro- - cess: first, candidate primes are generated using a fast, but memory in- - tensive process. These candidate primes are then tested for suitability - (a CPU-intensive process). + cess: first, candidate primes are generated using a fast, but memory + intensive process. These candidate primes are then tested for suitabil- + ity (a CPU-intensive process). Generation of primes is performed using the -G option. The desired length of the primes may be specified by the -b option. For example: @@ -194,8 +196,8 @@ FILES $HOME/.ssh/identity Contains the protocol version 1 RSA authentication identity of - the user. This file should not be readable by anyone but the us- - er. It is possible to specify a passphrase when generating the + the user. This file should not be readable by anyone but the + user. It is possible to specify a passphrase when generating the key; that passphrase will be used to encrypt the private part of this file using 3DES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private 
@@ -210,10 +212,11 @@ $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of - the user. This file should not be readable by anyone but the us- - er. It is possible to specify a passphrase when generating the - key; that passphrase will be used to encrypt the private part of - this file using 3DES. This file is not automatically accessed by + the user. It is possible to contain identity plus X.509 certifi- + cate. This file should not be readable by anyone but the user. + It is possible to specify a passphrase when generating the key; + that passphrase will be used to encrypt the private part of this + file using 3DES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. 
@@ -222,14 +225,21 @@ tion. The contents of this file should be added to $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to - keep the contents of this file secret. + keep the contents of this file secret. When file + $HOME/.ssh/id_dsa contain DSA identity plus X.509 certificate + this file must contain that certificate! Use ssh-keygen with + option -y to regenerate its content. Note in case with X.509 + certificate you can append content to $HOME/.ssh/authorized_keys + or to add certificate ``Distinguished Name'' / ``Subject'' in + corresponding format to ``authorized keys'' file. See sshd(8). $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of - the user. This file should not be readable by anyone but the us- - er. It is possible to specify a passphrase when generating the - key; that passphrase will be used to encrypt the private part of - this file using 3DES. This file is not automatically accessed by + the user. It is possible to contain identity plus X.509 certifi- + cate. This file should not be readable by anyone but the user. + It is possible to specify a passphrase when generating the key; + that passphrase will be used to encrypt the private part of this + file using 3DES. This file is not automatically accessed by ssh-keygen but it is offered as the default file for the private key. ssh(1) will read this file when a login attempt is made. 
@@ -238,7 +248,13 @@ tion. The contents of this file should be added to $HOME/.ssh/authorized_keys on all machines where the user wishes to log in using public key authentication. There is no need to - keep the contents of this file secret. + keep the contents of this file secret. When file + $HOME/.ssh/id_rsa contain RSA identity plus X.509 certificate + this file must contain that certificate! Use ssh-keygen with + option -y to regenerate its content. Note in case with X.509 + certificate you can append content to $HOME/.ssh/authorized_keys + or to add certificate ``Distinguished Name'' / ``Subject'' in + corresponding format to ``authorized keys'' file. See sshd(8). /etc/moduli Contains Diffie-Hellman groups used for DH-GEX. The file format @@ -247,14 +263,15 @@ SEE ALSO ssh(1), ssh-add(1), ssh-agent(1), moduli(5), sshd(8) - J. Galbraith, and R. Thayer, SECSH Public Key File Format, draft-ietf- + J. Galbraith and R. Thayer, SECSH Public Key File Format, draft-ietf- secsh-publickeyfile-01.txt, March 2001, work in progress material. AUTHORS OpenSSH is a derivative of the original and free ssh 1.2.12 release by Tatu Ylonen. Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo - de Raadt and Dug Song removed many bugs, re-added newer features and - created OpenSSH. Markus Friedl contributed the support for SSH protocol - versions 1.5 and 2.0. + de Raadt and Dug Song removed many bugs, re-added newer features and cre- + ated OpenSSH. Markus Friedl contributed the support for SSH protocol + versions 1.5 and 2.0. Roumen Petrov contributed support for x509 cer- + tificates. -OpenBSD 3.4 September 25, 1999 4 +BSD September 25, 1999 BSD diff -ruN openssh-3.8p1/ssh-keygen.1 openssh-3.8p1+x509h/ssh-keygen.1 --- openssh-3.8p1/ssh-keygen.1 2003-12-31 02:34:52.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-keygen.1 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keygen.1,v 1.61 2003/12/22 09:16:58 djm Exp $ +.\" $OpenBSD$ .\" .\" -*- nroff -*- .\" 
@@ -16,6 +16,7 @@ .\" Copyright (c) 1999,2000 Markus Friedl. All rights reserved. .\" Copyright (c) 1999 Aaron Campbell. All rights reserved. .\" Copyright (c) 1999 Theo de Raadt. All rights reserved. +.\" Copyright (c) 2002 Roumen Petrov. All rights reserved. .\" .\" Redistribution and use in source and binary forms, with or without .\" modification, are permitted provided that the following conditions @@ -210,6 +211,7 @@ For RSA and DSA keys .Nm tries to find the matching public key file and prints its fingerprint. +When identity contain X.509 certificate its prints certificate fingerprint. .It Fl p Requests changing the passphrase of a private key file instead of creating a new private key. @@ -355,6 +357,7 @@ There is no need to keep the contents of this file secret. .It Pa $HOME/.ssh/id_dsa Contains the protocol version 2 DSA authentication identity of the user. +It is possible to contain identity plus X.509 certificate. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be @@ -371,8 +374,25 @@ on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. +When file +.Pa $HOME/.ssh/id_dsa +contain DSA identity plus X.509 certificate this file must contain +that certificate! Use +.Nm +with option -y to regenerate its content. +Note in case with X.509 certificate you can append content to +.Pa $HOME/.ssh/authorized_keys +or to add certificate +.Dq Distinguished Name +/ +.Dq Subject +in corresponding format to +.Dq authorized keys +file. See +.Xr sshd 8 . .It Pa $HOME/.ssh/id_rsa Contains the protocol version 2 RSA authentication identity of the user. +It is possible to contain identity plus X.509 certificate. This file should not be readable by anyone but the user. It is possible to specify a passphrase when generating the key; that passphrase will be 
@@ -389,6 +409,22 @@ on all machines where the user wishes to log in using public key authentication. There is no need to keep the contents of this file secret. +When file +.Pa $HOME/.ssh/id_rsa +contain RSA identity plus X.509 certificate this file must contain +that certificate! Use +.Nm +with option -y to regenerate its content. +Note in case with X.509 certificate you can append content to +.Pa $HOME/.ssh/authorized_keys +or to add certificate +.Dq Distinguished Name +/ +.Dq Subject +in corresponding format to +.Dq authorized keys +file. See +.Xr sshd 8 . .It Pa /etc/moduli Contains Diffie-Hellman groups used for DH-GEX. The file format is described in @@ -417,3 +453,4 @@ created OpenSSH. Markus Friedl contributed the support for SSH protocol versions 1.5 and 2.0. +Roumen Petrov contributed support for x509 certificates. diff -ruN openssh-3.8p1/ssh-keyscan.0 openssh-3.8p1+x509h/ssh-keyscan.0 --- openssh-3.8p1/ssh-keyscan.0 2004-02-24 08:23:01.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-keyscan.0 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -SSH-KEYSCAN(1) OpenBSD Reference Manual SSH-KEYSCAN(1) +SSH-KEYSCAN(1) System General Commands Manual SSH-KEYSCAN(1) NAME ssh-keyscan - gather ssh public keys 
@@ -29,15 +29,16 @@ Set the timeout for connection attempts. If timeout seconds have elapsed since a connection was initiated to a host or since the last time anything was read from that host, then the connection - is closed and the host in question considered unavailable. De- - fault is 5 seconds. + is closed and the host in question considered unavailable. + Default is 5 seconds. -t type Specifies the type of the key to fetch from the scanned hosts. The possible values are ``rsa1'' for protocol version 1 and - ``rsa'' or ``dsa'' for protocol version 2. Multiple values may - be specified by separating them with commas. The default is - ``rsa1''. + ``rsa'' or ``ssh-rsa'' , ``dsa'' or ``ssh-dss'' , + ``x509v3-sign-rsa'' or ``x509v3-sign-dss'' for protocol version + 2. Multiple values may be specified by separating them with com- + mas. The default is ``rsa1''. -f filename Read hosts or addrlist namelist pairs from this file, one per @@ -54,9 +55,9 @@ SECURITY If a ssh_known_hosts file is constructed using ssh-keyscan without veri- fying the keys, users will be vulnerable to attacks. On the other hand, - if the security model allows such a risk, ssh-keyscan can help in the de- - tection of tampered keyfiles or man in the middle attacks which have be- - gun after the ssh_known_hosts file was created. + if the security model allows such a risk, ssh-keyscan can help in the + detection of tampered keyfiles or man in the middle attacks which have + begun after the ssh_known_hosts file was created. FILES Input format: @@ -73,6 +74,12 @@ Where keytype is either ``ssh-rsa'' or ``ssh-dss''. + Output format for rsa and dsa keys with X.509 certificates: + + host-or-namelist keytype distinguished-name + + Where keytype is either ``x509v3-sign-rsa'' or ``x509v3-sign-dss''. + /etc/ssh/ssh_known_hosts EXAMPLES 
@@ -83,7 +90,7 @@ Find all hosts from the file ssh_hosts which have new or different keys from those in the sorted file ssh_known_hosts: - $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \ + $ ssh-keyscan -t x509v3-sign-rsa,x509v3-sign-dss,rsa,dsa -f ssh_hosts | \ sort -u - ssh_known_hosts | diff ssh_known_hosts - SEE ALSO @@ -92,7 +99,7 @@ AUTHORS David Mazieres wrote the initial version, and Wayne Davison added support for protocol - version 2. + version 2. Roumen Petrov contributed support for X.509 certificates. BUGS It generates "Connection closed by remote host" messages on the consoles @@ -100,4 +107,4 @@ This is because it opens a connection to the ssh port, reads the public key, and drops the connection as soon as it gets the key. -OpenBSD 3.4 January 1, 1996 2 +BSD January 1, 1996 BSD diff -ruN openssh-3.8p1/ssh-keyscan.1 openssh-3.8p1+x509h/ssh-keyscan.1 --- openssh-3.8p1/ssh-keyscan.1 2003-06-11 15:04:39.000000000 +0300 +++ openssh-3.8p1+x509h/ssh-keyscan.1 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keyscan.1,v 1.17 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD$ .\" .\" Copyright 1995, 1996 by David Mazieres . .\" 
@@ -6,6 +6,29 @@ .\" permitted provided that due credit is given to the author and the .\" OpenBSD project by leaving this copyright notice intact. .\" +.\" X509 certificates support, +.\" Copyright (c) 2002-2003 Roumen Petrov. All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +.\" .Dd January 1, 1996 .Dt SSH-KEYSCAN 1 .Os @@ -63,7 +86,15 @@ for protocol version 1 and .Dq rsa or +.Dq ssh-rsa +, .Dq dsa +or +.Dq ssh-dss +, +.Dq x509v3-sign-rsa +or +.Dq x509v3-sign-dss for protocol version 2. Multiple values may be specified by separating them with commas. The default is 
@@ -126,6 +157,18 @@ or .Dq ssh-dss . .Pp +.Pa Output format for rsa and dsa keys with X.509 certificates: +.Bd -literal +host-or-namelist keytype distinguished-name +.Ed +.Pp +Where +.Pa keytype +is either +.Dq x509v3-sign-rsa +or +.Dq x509v3-sign-dss . +.Pp .Pa /etc/ssh/ssh_known_hosts .Sh EXAMPLES Print the @@ -141,7 +184,7 @@ which have new or different keys from those in the sorted file .Pa ssh_known_hosts : .Bd -literal -$ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e +$ ssh-keyscan -t x509v3-sign-rsa,x509v3-sign-dss,rsa,dsa -f ssh_hosts | \e sort -u - ssh_known_hosts | diff ssh_known_hosts - .Ed .Sh SEE ALSO @@ -152,6 +195,7 @@ wrote the initial version, and .An Wayne Davison Aq wayned@users.sourceforge.net added support for protocol version 2. +Roumen Petrov contributed support for X.509 certificates. .Sh BUGS It generates "Connection closed by remote host" messages on the consoles of all the machines it scans if the server is older than version 2.9. diff -ruN openssh-3.8p1/ssh-keyscan.c openssh-3.8p1+x509h/ssh-keyscan.c --- openssh-3.8p1/ssh-keyscan.c 2003-12-09 15:52:38.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-keyscan.c 2004-02-25 09:06:01.000000000 +0200 
@@ -4,10 +4,33 @@ * Modification and redistribution in source and binary forms is * permitted provided that due credit is given to the author and the * OpenBSD project by leaving this copyright notice intact. + * + * X509 certificates support, + * Copyright (c) 2002-2004 Roumen Petrov. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "includes.h" -RCSID("$OpenBSD: ssh-keyscan.c,v 1.46 2003/11/23 23:17:34 djm Exp $"); +RCSID("$OpenBSD$"); #include "openbsd-compat/sys-queue.h" @@ -18,6 +41,7 @@ #include "ssh.h" #include "ssh1.h" #include "key.h" +#include "ssh-x509.h" #include "kex.h" #include "compat.h" #include "myproposal.h" 
@@ -38,6 +62,8 @@ #define KT_RSA1 1 #define KT_DSA 2 #define KT_RSA 4 +#define KT_X509DSA 8 +#define KT_X509RSA 16 int get_keytypes = KT_RSA1; /* Get only RSA1 keys by default */ @@ -75,7 +101,8 @@ int c_plen; /* Packet length field for ssh packet */ int c_len; /* Total bytes which must be read. */ int c_off; /* Length of data read so far. */ - int c_keytype; /* Only one of KT_RSA1, KT_DSA, or KT_RSA */ + int c_keytype; /* Only one of KT_RSA1, KT_DSA, KT_RSA, + KT_X509DSA or KT_X509RSA */ char *c_namebase; /* Address to free for c_name and c_namelist */ char *c_name; /* Hostname of connection for errors */ char *c_namelist; /* Pointer to other possible addresses */ @@ -345,8 +372,19 @@ packet_set_connection(c->c_fd, c->c_fd); enable_compat20(); - myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = c->c_keytype == KT_DSA? - "ssh-dss": "ssh-rsa"; + { + Key k; + switch (c->c_keytype) { + case KT_DSA: k.type = KEY_DSA; break; + case KT_RSA: k.type = KEY_RSA; break; + case KT_X509DSA: k.type = KEY_X509_DSA; break; + case KT_X509RSA: k.type = KEY_X509_RSA; break; + default: + fprintf(stderr, "keygrab_ssh2:Invalid keytype!\n"); + exit(1); + } + myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = (char*)key_ssh_name(&k); + } c->c_kex = kex_setup(myproposal); c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client; c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client; @@ -373,7 +411,16 @@ return; fprintf(stdout, "%s ", c->c_output_name ? c->c_output_name : c->c_name); +#ifndef SSH_X509STORE_DISABLED + if ((key->type == KEY_X509_RSA) || (key->type == KEY_X509_DSA)) { + /* key_write will print x509 certificate in blob format :-( */ + x509key_write_subject(key, stdout); + } else { +#endif /*ndef SSH_X509STORE_DISABLED*/ key_write(key, stdout); +#ifndef SSH_X509STORE_DISABLED + } +#endif /*ndef SSH_X509STORE_DISABLED*/ fputs("\n", stdout); } 
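Review bot: In the block that replaces the `"ssh-dss"`/`"ssh-rsa"` ternary, `Key k` is an automatic variable and only `k.type` is assigned before `key_ssh_name(&k)` is called, so every other member is indeterminate. If the patched key_ssh_name reads anything besides the type (its body is not in this hunk), that is a read of uninitialised stack memory; add `memset(&k, 0, sizeof(k));` before the `switch`. The `(char*)` cast also drops the `const` of the returned name, which is safe only while nothing writes through `myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS]`. The enclosing function (keygrab_ssh2, judging by the error string) starts and ends outside the hunk.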
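Review bot: For X.509 host keys the new branch prints only the certificate subject through `x509key_write_subject(key, stdout)`, so a known_hosts line built from this output identifies the host by distinguished name and not by key material. That deserves a comment at the branch, for example `/* X.509: only the subject DN is emitted; trust then rests on CA chain validation, not on a pinned key */`. The subject text comes from the certificate the scanned server presented, and whether x509key_write_subject escapes newlines and control characters is not visible here; confirm that it does, since this output is meant to be merged into ssh_known_hosts. The function body starts outside the hunk.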
@@ -653,7 +700,7 @@ if (name == NULL) return; - for (j = KT_RSA1; j <= KT_RSA; j *= 2) { + for (j = KT_RSA1; j <= KT_X509RSA; j *= 2) { if (get_keytypes & j) { while (ncon >= MAXCON) conloop(); @@ -749,6 +796,12 @@ case KEY_RSA: get_keytypes |= KT_RSA; break; + case KEY_X509_DSA: + get_keytypes |= KT_X509DSA; + break; + case KEY_X509_RSA: + get_keytypes |= KT_X509RSA; + break; case KEY_UNSPEC: fatal("unknown key type %s", tname); } diff -ruN openssh-3.8p1/ssh-keysign.0 openssh-3.8p1+x509h/ssh-keysign.0 --- openssh-3.8p1/ssh-keysign.0 2004-02-24 08:23:05.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-keysign.0 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -SSH-KEYSIGN(8) OpenBSD System Manager's Manual SSH-KEYSIGN(8) +SSH-KEYSIGN(8) System Manager's Manual SSH-KEYSIGN(8) NAME ssh-keysign - ssh helper program for hostbased authentication @@ -28,7 +28,8 @@ generate the digital signature. They should be owned by root, readable only by root, and not accessible to others. Since they are readable only by root, ssh-keysign must be set-uid root if - hostbased authentication is used. + hostbased authentication is used. It is possible host key to + contain private parts plus X.509 certificate. SEE ALSO ssh(1), ssh-keygen(1), ssh_config(5), sshd(8) @@ -39,4 +40,4 @@ AUTHORS Markus Friedl -OpenBSD 3.4 May 24, 2002 1 +BSD May 24, 2002 BSD diff -ruN openssh-3.8p1/ssh-keysign.8 openssh-3.8p1+x509h/ssh-keysign.8 --- openssh-3.8p1/ssh-keysign.8 2003-06-11 15:04:39.000000000 +0300 +++ openssh-3.8p1+x509h/ssh-keysign.8 2004-03-09 09:06:00.000000000 +0200 @@ -1,4 +1,4 @@ -.\" $OpenBSD: ssh-keysign.8,v 1.7 2003/06/10 09:12:11 jmc Exp $ +.\" $OpenBSD$ .\" .\" Copyright (c) 2002 Markus Friedl. All rights reserved. .\" 
@@ -68,6 +68,7 @@
 Since they are readable only by root,
 .Nm
 must be set-uid root if hostbased authentication is used.
+It is possible host key to contain private parts plus X.509 certificate.
 .El
 .Sh SEE ALSO
 .Xr ssh 1 ,
diff -ruN openssh-3.8p1/ssh-ocsp.c openssh-3.8p1+x509h/ssh-ocsp.c
--- openssh-3.8p1/ssh-ocsp.c 1970-01-01 02:00:00.000000000 +0200
+++ openssh-3.8p1+x509h/ssh-ocsp.c 2004-03-21 11:37:25.000000000 +0200
@@ -0,0 +1,1020 @@ +/* + * Copyright (c) 2004 Roumen Petrov. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include "x509store.h" + +#ifdef SSH_OCSP_ENABLED +#if 0 +# define SSH_WITH_SSLOCSP +#endif + +#include "xmalloc.h" +#include "log.h" +#include +#include +#include +#ifdef SSH_WITH_SSLOCSP +# include +#endif + + +static VAOptions va = { SSHVA_NONE, NULL, NULL }; + +typedef struct va_type_map_s va_type_map; +struct va_type_map_s { + int id; + const char* code; +}; + +static va_type_map sshva_type_map[] = { + { SSHVA_NONE , "none" }, + { SSHVA_OCSP_CERT, "ocspcert" }, + { SSHVA_OCSP_SPEC, "ocspspec" }, +}; + + +int +ssh_get_default_vatype(void) { + return(SSHVA_NONE); +} + + +int +ssh_get_vatype_s(const char* type) { + int k, n; + + if (type == NULL) return(-1); + + n = sizeof(sshva_type_map) / sizeof(sshva_type_map[0]); + for (k = 0; k < n; k++) { + va_type_map *p = sshva_type_map + k; +logit("RUMEN: p->code=%s", p->code); + if (strcasecmp(type, p->code) == 0) return(p->id); + } + + return(-1); +} + + +static void +ssh_set_vatype(int type) { + switch (type) { + case SSHVA_NONE: + case SSHVA_OCSP_CERT: + case SSHVA_OCSP_SPEC: + va.type = type; + break; + default: + fatal("ssh_set_vatype: invalid type %d", type); + break; + } +} + + +void +ssh_set_validator(const VAOptions *_va) { + if (va.certificate_file != NULL) { + xfree((void*)va.certificate_file); + va.certificate_file = NULL; + } + if (va.responder_url != NULL) { + xfree((void*)va.responder_url); + va.responder_url = NULL; + } + if (_va == NULL) { + debug("ssh_set_validator: NULL options - set vatype to none"); + ssh_set_vatype(SSHVA_NONE); + return; + } + + ssh_set_vatype(_va->type); /*fatal on error*/ + if (_va->certificate_file != NULL) { + switch(va.type) { + case SSHVA_NONE: + case SSHVA_OCSP_CERT: + debug("ssh_set_validator: ingnore certificate file"); + break; + case SSHVA_OCSP_SPEC: + va.certificate_file = xstrdup(_va->certificate_file); /*fatal on error*/ + break; + } + } + switch(va.type) { + case SSHVA_NONE: + case SSHVA_OCSP_CERT: + debug("ssh_set_validator: ingnore responder url"); + break; 
+ case SSHVA_OCSP_SPEC: + if (_va->responder_url == NULL) { + fatal("ssh_set_validator: responder url is mandatory"); + } + va.responder_url = xstrdup(_va->responder_url); /*fatal on error*/ + break; + } +} + + +static char* +openssl_errormsg(char *buf, size_t len) { + ERR_error_string_n(ERR_get_error(), buf, len); + + /* clear rest of errors in OpenSSL "error buffer" */ + ERR_clear_error(); + return(buf); +} + + +static char* +ssh_ASN1_GENERALIZEDTIME_2_string(ASN1_GENERALIZEDTIME *asn1_time) { + BIO *bio; + int k; + char *p = NULL; + + if (asn1_time == NULL) { + error("ssh_ASN1_GENERALIZEDTIME_2_string: asn1_time is NULL"); + return(NULL); + } + + bio = BIO_new(BIO_s_mem()); + if (bio == NULL) { + error("ssh_ASN1_GENERALIZEDTIME_2_string: BIO_new fail"); + return(NULL); + } + + ASN1_GENERALIZEDTIME_print(bio, asn1_time); + BIO_flush(bio); + + k = BIO_pending(bio); + p = xmalloc(k + 1); /*fatal on error*/ + k = BIO_read(bio, p, k); + p[k] = '\0'; + BIO_free_all(bio); + return(p); +} + + +static STACK_OF(X509)* +ssh_load_x509certs(const char *certs_file, const char* certs_descrip) { + STACK_OF(X509) *ret_certs = NULL; + BIO *fbio = NULL; + + if (certs_file == NULL) { + error("ssh_load_x509certs: file is NULL"); + goto exit; + } + + ret_certs = sk_X509_new_null(); + if (ret_certs == NULL) { + error("ssh_load_x509certs: sk_X509_new_null fail"); + goto exit; + } + + fbio = BIO_new(BIO_s_file()); + if (fbio == NULL) { + error("ssh_load_x509certs: BIO_new fail"); + goto exit; + } + + if (BIO_read_filename(fbio, certs_file) <= 0) { + char ebuf[512]; + error("ssh_load_x509certs:" + " File description is '%.512s'." 
+ " BIO_read_filename(..., '%.512s')" + " fail with errormsg='%.512s'" + , certs_descrip + , certs_file + , openssl_errormsg(ebuf, sizeof(ebuf))); + goto exit; + } + + { + int k; + STACK_OF(X509_INFO) *data; + + data = PEM_X509_INFO_read_bio(fbio, NULL, NULL, NULL); + if (data == NULL) { + error("ssh_load_x509certs: no data."); + goto exit; + } + + for (k = 0; k < sk_X509_INFO_num(data); k++) { + X509_INFO *xi = sk_X509_INFO_value(data, k); + if (xi->x509) { + sk_X509_push(ret_certs, xi->x509); + xi->x509 = NULL; + } + } + sk_X509_INFO_pop_free(data, X509_INFO_free); + } + +exit: + if (fbio != NULL) BIO_free_all(fbio); + if (ret_certs != NULL) { + debug3("ssh_load_x509certs: return %d certs", (int)sk_X509_num(ret_certs)); + } else { + debug("ssh_load_x509certs: return NULL"); + } + return(ret_certs); +} + + +static int/*bool*/ +ssh_ocspreq_addcert( + X509 *cert, + X509_STORE* x509store, + OCSP_REQUEST *req, + STACK_OF(OCSP_CERTID) *ids, + STACK *subjs +) { + X509 *issuer = NULL; + OCSP_CERTID *id = NULL; + char subj[512]; + + if (cert == NULL) { + error("ssh_ocspreq_addcert: cert is NULL"); + return(0); + } + if (x509store == NULL) { + error("ssh_ocspreq_addcert: x509store is NULL"); + return(0); + } + if (req == NULL) { + error("ssh_ocspreq_addcert: req is NULL"); + return(0); + } + if (ids == NULL) { + error("ssh_ocspreq_addcert: ids is NULL"); + return(0); + } + if (subjs == NULL) { + error("ssh_ocspreq_addcert: subjs is NULL"); + return(0); + } + + { + X509_OBJECT xobj; + memset(&xobj, 0, sizeof(xobj)); + if (ssh_x509store_lookup(x509store, X509_LU_X509, X509_get_issuer_name(cert), &xobj) > 0) { + issuer = xobj.data.x509; + } + X509_OBJECT_free_contents(&xobj); + } + if (issuer == NULL) { + error("ssh_ocspreq_addcert: cannot found issuer certificate"); + return(0); + } + + id = OCSP_cert_to_id(NULL, cert, issuer); + if (id == NULL) { + error("ssh_ocspreq_addcert: OCSP_cert_to_id fail"); + return(0); + } + + if (!OCSP_request_add0_id(req, id)) { + 
error("ssh_ocspreq_addcert: OCSP_request_add0_id fail"); + return(0); + } + if (!sk_OCSP_CERTID_push(ids, id)) { + error("ssh_ocspreq_addcert: sk_OCSP_CERTID_push fail"); + return(0); + } + X509_NAME_oneline(X509_get_subject_name(cert), subj, sizeof(subj)); + if (!sk_push(subjs, subj)) { + error("ssh_ocspreq_addcert: sk_push(..., subj) fail"); + return(0); + } + + return(1); +} + + +struct ssh_ocsp_conn_s { + const char *url; + +#ifdef SSH_WITH_SSLOCSP + int use_ssl; +#endif + /*pointers inside data buffer*/ + /*const*/ char *host; + const char *port; + /*const*/ char *path; + + /*data buffer to hold all connection info*/ + char *data; +}; + +typedef struct ssh_ocsp_conn_s ssh_ocsp_conn; + + +static void +ssh_ocsp_conn_free(ssh_ocsp_conn **pconn) { + ssh_ocsp_conn *conn = *pconn; + + if (conn == NULL) return; + *pconn = NULL; + + if (conn->data != NULL) xfree(conn->data); + if (conn->url != NULL) xfree((void*)conn->url ); + xfree(conn); +} + + +static int/*bool*/ +ssh_ocsp_set_protocol(ssh_ocsp_conn *conn, const char *protocol) { + if (strcmp(protocol, "http") == 0) { +#ifdef SSH_WITH_SSLOCSP + conn->use_ssl = 0; +#endif + return(1); + } + +#ifdef SSH_WITH_SSLOCSP + if (strcmp(protocol, "https") == 0) { + conn->use_ssl = 1; + return(1); + } +#endif + +#ifdef SSH_WITH_SSLOCSP + conn->use_ssl = -1; +#endif + return(0); +} + + +static ssh_ocsp_conn* +ssh_ocsp_conn_new(const char *url) { + ssh_ocsp_conn *conn = NULL; + char *p = NULL; + char *q = NULL; + + if (url == NULL) { + error("ssh_ocsp_conn_new: url is NULL"); + return(NULL); + } + + conn = xmalloc(sizeof(*conn)); /*fatal on error*/ + memset(conn, 0, sizeof(*conn)); + + conn->url = xstrdup(url); /*fatal on error*/ + conn->data = xstrdup(url); /*fatal on error*/ + + /* chech for protocol */ + p = conn->data; + q = strchr(p, ':'); + if (q == NULL) goto error; + *q = '\x0'; + + if (!ssh_ocsp_set_protocol(conn, p)) { + error("ssh_ocsp_conn_new:" + " unsupported protocol '%.16s'" + , p); + goto error; + } + + p = q; 
+ if (*++p != '/') { /*this symbol is inside data */ + error("ssh_ocsp_conn_new: expected first slash," + " got char with code %d" + , (int)*p); + goto error; + } + if (*++p != '/') { /*this symbol is inside data */ + error("ssh_ocsp_conn_new: expected second slash," + " got char with code %d" + , (int)*p); + goto error; + } + + /* chech for host and port */ + if (*++p == '\x0') { + error("ssh_ocsp_conn_new: missing host in url '%.512s'", url); + goto error; + } + conn->host = p; + q = strchr(p, '/'); + if (q != NULL) { + *q = '\x0'; + /* q+1 might point to path */ + } + /*else q is NULL !!!*/ + + /* chech for port */ + p = strrchr(conn->host, ':'); + if (p != NULL) { + *p = '\x0'; + if (*++p != '\x0') conn->port = p; + } + if (conn->port == NULL) { +#ifdef SSH_WITH_SSLOCSP + conn->port = conn->use_ssl ? "443" : "80"; +#else + conn->port = "80"; +#endif + } + + /* chech for path */ + p = q; + if (p == NULL) goto exit; + if (*++p == '\x0') goto exit; + conn->path = p; + +exit: + return(conn); +error: + ssh_ocsp_conn_free(&conn); + goto exit; +} + + +static OCSP_RESPONSE* +ssh_ocsp_get_response(const ssh_ocsp_conn *conn, OCSP_REQUEST *req) { + OCSP_RESPONSE *resp = NULL; + BIO *bio_conn = NULL; +#ifdef SSH_WITH_SSLOCSP + SSL_CTX *ctx = NULL; +#endif + + if (conn == NULL) { + error("ssh_ocsp_get_response: conn is NULL"); + return(NULL); + } + if (req == NULL) { + error("ssh_ocsp_get_response: req is NULL"); + return(NULL); + } + +#ifndef OPENSSL_NO_SOCK + bio_conn = BIO_new_connect(conn->host); + if (bio_conn == NULL) { + char ebuf[512]; + error("ssh_ocsp_get_response:" + " BIO_new_connect fail with errormsg='%.512s'" + , openssl_errormsg(ebuf, sizeof(ebuf))); + goto exit; + } +#else + error("ssh_ocsp_get_response: sockets are not supported in OpenSSL"); + goto exit; +#endif + if (conn->port != NULL) { + BIO_set_conn_port(bio_conn, conn->port); + } + +#ifdef SSH_WITH_SSLOCSP + if (conn->use_ssl == 1) { + BIO *bio_sslconn; +#if !defined(OPENSSL_NO_SSL2) && 
!defined(OPENSSL_NO_SSL3)
+ ctx = SSL_CTX_new(SSLv23_client_method());
+#elif !defined(OPENSSL_NO_SSL3)
+ ctx = SSL_CTX_new(SSLv3_client_method());
+#elif !defined(OPENSSL_NO_SSL2)
+ ctx = SSL_CTX_new(SSLv2_client_method());
+#else
+ error("ssh_ocsp_get_response: SSL is disabled");
+ goto exit;
+#endif
+ SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
+ bio_sslconn = BIO_new_ssl(ctx, 1);
+ bio_conn = BIO_push(bio_sslconn, bio_conn);
+ }
+#endif /*def SSH_WITH_SSLOCSP*/
+
+ if (BIO_do_connect(bio_conn) <= 0) {
+ char ebuf[512];
+ error("ssh_ocsp_get_response:"
+ " BIO_do_connect fail with errormsg='%.512s'"
+ , openssl_errormsg(ebuf, sizeof(ebuf)));
+ goto exit;
+ }
+
+ resp = OCSP_sendreq_bio(bio_conn, conn->path, req);
+ if (resp == NULL) {
+ char ebuf[512];
+ error("ssh_ocsp_get_response:"
+ " OCSP_sendreq_bio fail with errormsg='%.512s'"
+ , openssl_errormsg(ebuf, sizeof(ebuf)));
+ }
+
+exit:
+ if (bio_conn != NULL) BIO_free_all(bio_conn);
+#ifdef SSH_WITH_SSLOCSP
+ if (ctx != NULL) SSL_CTX_free(ctx);
+#endif
+
+ return(resp);
+}
+
+
+static OCSP_BASICRESP*
+ssh_ocsp_get_basicresp(
+ OCSP_REQUEST *req,
+ OCSP_RESPONSE *resp,
+ STACK_OF(X509) *vacrts,
+ X509_STORE *x509store
+) {
+ OCSP_BASICRESP *br = NULL;
+ unsigned long basic_verify_flags = 0/*NO:OCSP_NOEXPLICIT*/;
+ int flag;
+
+ if (req == NULL) {
+ error("ssh_ocsp_get_basicresp: req is NULL");
+ return(NULL);
+ }
+ if (resp == NULL) {
+ error("ssh_ocsp_get_basicresp: resp is NULL");
+ return(NULL);
+ }
+ if (x509store == NULL) {
+ error("ssh_ocsp_get_basicresp: x509store is NULL");
+ return(NULL);
+ }
+
+ br = OCSP_response_get1_basic(resp);
+ if (br == NULL) {
+ char ebuf[512];
+ error("ssh_ocsp_get_basicresp: "
+ " OCSP_response_get1_basic fail with errormsg='%.512s'"
+ , openssl_errormsg(ebuf, sizeof(ebuf)));
+ return(NULL);
+ }
+
+ flag = OCSP_check_nonce(req, br);
+ if (flag <= 0) {
+ if (flag == -1) {
+ logit("ssh_ocsp_get_basicresp: WARNING - no nonce in response");
+ } else {
+ char ebuf[512];
+
error("ssh_ocsp_get_basicresp: "
+ " OCSP_check_nonce fail with errormsg='%.512s'"
+ , openssl_errormsg(ebuf, sizeof(ebuf)));
+ goto error;
+ }
+ }
+
+#ifdef SSHOCSPTEST
+{
+int k;
+logit("ssh_ocsp_get_basicresp: VA certs num=%d", sk_X509_num(vacrts));
+for (k = 0; k < sk_X509_num(vacrts); k++) {
+ char buf[512];
+ X509 *x = sk_X509_value(vacrts, k);
+ X509_NAME_oneline(X509_get_subject_name(x), buf, sizeof(buf));
+ logit("ssh_ocsp_get_basicresp: VA[%d] subject='%.512s'", k, buf);
+}
+}
+#endif /*def SSHOCSPTEST*/
+
+/*
+ * RFC2560:
+ * ...
+ * All definitive response messages SHALL be digitally signed. The key
+ * used to sign the response MUST belong to one of the following:
+ *
+ * -- the CA who issued the certificate in question
+ * -- a Trusted Responder whose public key is trusted by the requester
+ * -- a CA Designated Responder (Authorized Responder) who holds a
+ * specially marked certificate issued directly by the CA, indicating
+ * that the responder may issue OCSP responses for that CA
+ * ...
+ *
+ * TODO: to check OpenSLL implementation
+ */
+ if ((vacrts == NULL) || (sk_X509_num(vacrts) <= 0)) {
+ flag = -1;
+ } else {
+ /*
+ * With flag OCSP_TRUSTOTHER:
+ * - we never get error 'without missing ocspsigning
+ * usage' for VA certificate !!!
+ * Without flag OCSP_TRUSTOTHER:
+ * - we can get OCSP_basic_verify error "root ca not trusted"
+ */
+#if 0
+ flag = OCSP_basic_verify(br, vacrts, x509store, basic_verify_flags | OCSP_TRUSTOTHER);
+#else
+ flag = OCSP_basic_verify(br, vacrts, x509store, basic_verify_flags);
+#endif
+ }
+ if (flag < 0) {
+ flag = OCSP_basic_verify(br, NULL, x509store, basic_verify_flags);
+ }
+ if (flag <= 0) {
+ char ebuf[512];
+ error("ssh_ocsp_get_basicresp:"
+ " flag=%d"
+ " OCSP_basic_verify fail with errormsg='%.512s'"
+ , flag
+ , openssl_errormsg(ebuf, sizeof(ebuf)));
+ goto error;
+ }
+
+ debug3("ssh_ocsp_get_basicresp: OK");
+ return(br);
+
+error:
+ debug3("ssh_ocsp_get_basicresp: FAIL");
+ if (br != NULL) OCSP_BASICRESP_free(br);
+ return(NULL);
+}
+
+
+/*
+ * Method return:
+ * 1 - all cert.-s are good
+ * -1 - error or one cert. with status unknow
+ * 0 - otherwise, i.e. at least one cert. is revoked and rest are good
+ */
+static int
+ssh_ocsp_check_validity(
+ OCSP_REQUEST *req,
+ OCSP_BASICRESP *br,
+ STACK_OF(OCSP_CERTID) *ids,
+ STACK *subjs
+) {
+ int ret = 1;
+ /* Maximum leeway in validity period: default 5 minutes */
+ const long nsec = (5 * 60);
+ const long maxage = -1;
+
+ int k;
+ int status, reason;
+ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
+
+ if (req == NULL) {
+ error("ssh_ocsp_check_validity: req is NULL");
+ return(-1);
+ }
+ if (br == NULL) {
+ error("ssh_ocsp_check_validity: br is NULL");
+ return(-1);
+ }
+ if (sk_OCSP_CERTID_num(ids) <= 0) {
+ error("ssh_ocsp_check_validity:"
+ " number of ids is %d"
+ , k);
+ return(-1);
+ }
+ if (sk_OCSP_CERTID_num(subjs) <= 0) {
+ error("ssh_ocsp_check_validity:"
+ " number of subjs is %d"
+ , sk_OCSP_CERTID_num(subjs));
+ return(-1);
+ }
+ if (sk_OCSP_CERTID_num(ids) != sk_OCSP_CERTID_num(subjs)) {
+ error("ssh_ocsp_check_validity:"
+ " ids(%d) != subjs(%d)"
+ , sk_OCSP_CERTID_num(ids)
+ , sk_OCSP_CERTID_num(subjs));
+ return(-1);
+ }
+
+ for (k = 0; k < sk_OCSP_CERTID_num(ids); k++) {
+ OCSP_CERTID
*id = sk_OCSP_CERTID_value(ids, k);
+
+ if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) {
+ char *subject = sk_value(subjs, k);
+ debug3("ssh_ocsp_check_validity:"
+ " cert[%d]='%.512s'"
+ , k, subject);
+ }
+
+ if (!OCSP_resp_find_status(
+ br, id, &status, &reason,
+ &rev, &thisupd, &nextupd)
+ ) {
+ ret = -1;
+ error("ssh_ocsp_check_validity: cannot found status");
+ break;
+ }
+
+ if (!OCSP_check_validity(thisupd, nextupd, nsec, maxage)) {
+ char ebuf[512];
+ ret = -1;
+ logit("ssh_ocsp_check_validity: "
+ " WARNING-invalid status time."
+ " OCSP_check_validity fail with errormsg='%.512s'"
+ , openssl_errormsg(ebuf, sizeof(ebuf)));
+ break;
+ }
+ debug("ssh_ocsp_check_validity: status=%.32s", OCSP_cert_status_str(status));
+ if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) {
+ char *p = ssh_ASN1_GENERALIZEDTIME_2_string(thisupd);
+ debug3("ssh_ocsp_check_validity: This Update=%.128s", p);
+ xfree(p);
+ if (nextupd != NULL) {
+ p = ssh_ASN1_GENERALIZEDTIME_2_string(nextupd);
+ debug3("ssh_ocsp_check_validity: Next Update=%.128s", p);
+ xfree(p);
+ }
+ }
+
+ if (status == V_OCSP_CERTSTATUS_GOOD) continue;
+
+ if (status != V_OCSP_CERTSTATUS_REVOKED) {
+ ret = -1;
+ error("ssh_ocsp_check_validity: unknow certificate status");
+ break;
+ }
+
+ ret = 0;
+ if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) {
+ char *p = ssh_ASN1_GENERALIZEDTIME_2_string(rev);
+ debug3("ssh_ocsp_check_validity: Revocation Time=%.128s", p);
+ xfree(p);
+ if (reason != -1) {
+ debug3("ssh_ocsp_check_validity:"
+ " Revocation Reason='%.128s'"
+ , OCSP_crl_reason_str(reason));
+ }
+ }
+ break;
+ }
+ debug3("ssh_ocsp_check_validity: return %d", ret);
+ return(ret);
+}
+
+
+static int
+ssh_ocsp_validate(
+ X509 *cert,
+ X509_STORE *x509store,
+ const ssh_ocsp_conn *ocsp
+) {
+ int ret = -1;
+ int add_nonce = 0;
+
+ STACK_OF(X509) *vacrts = NULL;
+ OCSP_REQUEST *req = OCSP_REQUEST_new();
+ STACK_OF(OCSP_CERTID) *ids = sk_OCSP_CERTID_new_null();
+ STACK *subjs = sk_new_null();
+ OCSP_RESPONSE *resp = NULL;
+
OCSP_BASICRESP *br = NULL;
+
+ if ((va.type == SSHVA_OCSP_SPEC) &&
+ (va.certificate_file != NULL)) {
+ vacrts = ssh_load_x509certs(va.certificate_file, "'OCSP Responder' trusted certificates");
+ if (vacrts == NULL) goto exit;
+ debug("ssh_ocsp_validate: VA certs num=%d", sk_X509_num(vacrts));
+ }
+
+ if (!ssh_ocspreq_addcert(cert, x509store, req, ids, subjs)) {
+ goto exit;
+ }
+
+ if (req && add_nonce) {
+ OCSP_request_add1_nonce(req, NULL, -1);
+ }
+
+ resp = ssh_ocsp_get_response(ocsp, req);
+ if (resp == NULL) goto exit;
+
+ { /*check OCSP response status*/
+ int flag = OCSP_response_status(resp);
+ if (flag != OCSP_RESPONSE_STATUS_SUCCESSFUL) {
+ error("ssh_ocsp_validate:"
+ " responder error=%d(%.256s)"
+ , flag
+ , OCSP_response_status_str((long/*???*/)flag));
+ goto exit;
+ }
+ }
+
+ br = ssh_ocsp_get_basicresp(req, resp, vacrts, x509store);
+ if (br == NULL) goto exit;
+
+ ret = ssh_ocsp_check_validity(req, br, ids, subjs);
+
+exit:
+ if (br != NULL) OCSP_BASICRESP_free(br);
+ if (resp != NULL) OCSP_RESPONSE_free(resp);
+ if (subjs != NULL) sk_free(subjs);
+ if (ids != NULL) sk_OCSP_CERTID_free(ids);
+ if (req != NULL) OCSP_REQUEST_free(req);
+ if (vacrts != NULL) sk_X509_pop_free(vacrts, X509_free);
+
+ return(ret);
+}
+
+
+static AUTHORITY_INFO_ACCESS*
+ssh_aia_get(X509_EXTENSION *ext) {
+ X509V3_EXT_METHOD *method = NULL;
+ void *ext_str = NULL;
+ unsigned char *p;
+ int len;
+
+ if (ext == NULL) {
+ error("ssh_aia_get: ext is NULL");
+ return(NULL);
+ }
+
+ method = X509V3_EXT_get(ext);
+ if (method == NULL) {
+ debug("ssh_aia_get: cannot get method");
+ return(NULL);
+ }
+
+ p = ext->value->data;
+ len = ext->value->length;
+ if (method->it) {
+ ext_str = ASN1_item_d2i(NULL, &p, len, ASN1_ITEM_ptr(method->it));
+ } else {
+ ext_str = method->d2i(NULL, &p, len);
+ }
+ if (ext_str == NULL) {
+ debug("ssh_aia_get: null ext_str!");
+ return(NULL);
+ }
+
+ return((AUTHORITY_INFO_ACCESS*)ext_str);
+}
+
+
+static void
+ssh_aia_free(X509_EXTENSION *ext,
AUTHORITY_INFO_ACCESS* aia) {
+ X509V3_EXT_METHOD *method = NULL;
+
+ if (ext == NULL) {
+ error("ssh_aia_free: ext is NULL");
+ return;
+ }
+
+ method = X509V3_EXT_get(ext);
+ if (method == NULL) return;
+
+ if (method->it) {
+ ASN1_item_free((void*)aia, ASN1_ITEM_ptr(method->it));
+ } else {
+ method->ext_free(aia);
+ }
+}
+
+
+static int
+ssh_aiaocsp_validate(
+ X509 *cert,
+ X509_STORE *x509store,
+ AUTHORITY_INFO_ACCESS *aia,
+ int *has_ocsp_url
+) {
+ int ret = -1;
+ int k;
+ if (has_ocsp_url == NULL) {
+ fatal("ssh_aiaocsp_validate: has_ocsp_url is NULL");
+ return(-1); /*;-)*/
+ }
+
+ *has_ocsp_url = 0;
+ for (k = 0; k < sk_ACCESS_DESCRIPTION_num(aia); k++) {
+ ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(aia, k);
+ GENERAL_NAME *gn;
+ ASN1_IA5STRING *uri;
+ ssh_ocsp_conn *conn;
+
+ if (OBJ_obj2nid(ad->method) !=
+ NID_id_pkix_OCSP_serviceLocator) continue;
+
+ gn = ad->location;
+#if 0
+{
+BIO *bio = BIO_new_fp(stderr, BIO_NOCLOSE);
+if (bio != NULL) {
+ BIO_puts(bio, "gn->type:");
+ switch (gn->type) {
+ case GEN_OTHERNAME : BIO_puts(bio, "GEN_OTHERNAME"); break;
+ case GEN_EMAIL : BIO_puts(bio, "GEN_EMAIL" ); break;
+ case GEN_DNS : BIO_puts(bio, "GEN_DNS" ); break;
+ case GEN_X400 : BIO_puts(bio, "GEN_X400" ); break;
+ case GEN_DIRNAME : BIO_puts(bio, "GEN_DIRNAME" ); break;
+ case GEN_EDIPARTY : BIO_puts(bio, "GEN_EDIPARTY" ); break;
+ case GEN_URI : BIO_puts(bio, "GEN_URI" ); break;
+ case GEN_IPADD : BIO_puts(bio, "GEN_IPADD" ); break;
+ case GEN_RID : BIO_puts(bio, "GEN_RID" ); break;
+ default : BIO_puts(bio, "[unsupported]"); break;
+ }
+ BIO_puts(bio, "\n");
+ BIO_free(bio);
+}
+}
+#endif
+ if (gn->type != GEN_URI) continue;
+
+ uri = gn->d.uniformResourceIdentifier;
+ *has_ocsp_url = 1;
+
+ conn = ssh_ocsp_conn_new((const char*)uri->data);
+ if (conn == NULL) {
+ debug("ssh_aiaocsp_validate: cannot create ocsp connection");
+ continue;
+ }
+ ret = ssh_ocsp_validate(cert, x509store, conn);
+ ssh_ocsp_conn_free(&conn);
+
+ if (ret >= 0)
break;
+ }
+
+ return(*has_ocsp_url ? ret : 1);
+}
+
+
+static int
+ssh_x509_validate4cert(X509 *cert, X509_STORE *x509store) {
+ int found = 0;
+ int ret = -1;
+ int loc = -1;
+
+ if (cert == NULL) return(0);
+
+ for ( loc = X509_get_ext_by_NID(cert, NID_info_access, loc);
+ loc >= 0;
+ loc = X509_get_ext_by_NID(cert, NID_info_access, loc)
+ ) {
+ X509_EXTENSION *xe;
+
+ xe = X509_get_ext(cert, loc);
+ if (xe == NULL) {
+ debug("ssh_x509_validate4cert: cannot get x509 extension");
+ continue;
+ }
+
+ {/*validate from AIA*/
+ AUTHORITY_INFO_ACCESS *aia = ssh_aia_get(xe);
+ if (aia == NULL) continue;
+
+ ret = ssh_aiaocsp_validate(cert, x509store, aia, &found);
+
+ ssh_aia_free(xe, aia);
+ }
+
+ if (ret >= 0) break;
+ }
+
+ if (found) {
+ debug3("ssh_x509_validate4cert: validation result=%d", ret);
+ } else {
+ debug3("ssh_x509_validate4cert: no OCSP 'Service Locator' URL");
+ }
+ return(found ? ret : 1);
+}
+#endif /*def SSH_OCSP_ENABLED*/
+
+
+int
+ssh_x509_validate(X509 *cert, X509_STORE *x509store) {
+#ifndef SSH_OCSP_ENABLED
+ return(1);
+#else
+ int ret = -1;
+ ssh_ocsp_conn *conn = NULL;
+
+ if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) {
+ char buf[512];
+ X509_NAME_oneline( X509_get_subject_name(cert), buf, sizeof(buf));
+ debug3("ssh_x509_validate: for '%.512s'", buf);
+ }
+
+ switch (va.type) {
+ default:
+ /*when something is missing*/
+ fatal("ssh_x509_validate: invalid validator type %d", va.type);
+ break; /*;-)*/
+ case SSHVA_NONE:
+ ret = 1;
+ break;
+ case SSHVA_OCSP_CERT:
+ ret = ssh_x509_validate4cert(cert, x509store);
+ break;
+ case SSHVA_OCSP_SPEC:
+ conn = ssh_ocsp_conn_new(va.responder_url);
+ if (conn != NULL) {
+ ret = ssh_ocsp_validate(cert, x509store, conn);
+ ssh_ocsp_conn_free(&conn);
+ }
+ break;
+ }
+
+ return(ret);
+#endif /*def SSH_OCSP_ENABLED*/
+}
diff -ruN openssh-3.8p1/ssh-rand-helper.0 openssh-3.8p1+x509h/ssh-rand-helper.0
--- openssh-3.8p1/ssh-rand-helper.0 2004-02-24 08:23:05.000000000 +0200
+++ 
openssh-3.8p1+x509h/ssh-rand-helper.0 2004-03-09 08:54:18.000000000 +0200 @@ -1,4 +1,4 @@ -SSH-RAND-HELPER(8) OpenBSD System Manager's Manual SSH-RAND-HELPER(8) +SSH-RAND-HELPER(8) System Manager's Manual SSH-RAND-HELPER(8) NAME ssh-rand-helper - Random number gatherer for OpenSSH @@ -46,4 +46,4 @@ SEE ALSO ssh(1), ssh-add(1), ssh-keygen(1), sshd(8) -OpenBSD 3.4 April 14, 2002 1 +BSD April 14, 2002 BSD diff -ruN openssh-3.8p1/ssh-x509.c openssh-3.8p1+x509h/ssh-x509.c --- openssh-3.8p1/ssh-x509.c 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-x509.c 2004-02-22 18:34:20.000000000 +0200 
@@ -0,0 +1,984 @@
+/*
+ * Copyright (c) 2002-2004 Roumen Petrov. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include "ssh-x509.h"
+#include "log.h"
+#include
+#include "xmalloc.h"
+#include "uuencode.h"
+#include
+#include "bufaux.h"
+#include "x509store.h"
+#include "compat.h"
+
+static char*
+openssl_errormsg(char *buf, size_t len) {
+ ERR_error_string_n(ERR_get_error(), buf, len);
+
+ /* clear rest of errors in OpenSSL "error buffer" */
+ ERR_clear_error();
+ return(buf);
+}
+
+
+/* rumen-XXX: X.509 RSASIG check */
+void (*plogx509rsasig)(const char *msg) = NULL;
+
+#ifndef SSH_X509STORE_DISABLED
+static const char*
+x509key_find_subject(int _keytype, const char* s) {
+ static const char *keywords[] = {
+ "subject",
+ "distinguished name",
+ "distinguished-name",
+ "distinguished_name",
+ "distinguishedname",
+ "dn",
+ NULL
+ };
+ const char **q, *p;
+ size_t len;
+
+ if (_keytype != KEY_X509_RSA &&
+ _keytype != KEY_X509_DSA) {
+ debug3("x509key_find_subject: %d is not x509 key ", _keytype);
+ return(NULL);
+ }
+ for (q=keywords; *q; q++) {
+ len = strlen(*q);
+ if (strncasecmp(s, *q, len) != 0) continue;
+
+ for (p = s + len; *p && isspace((int)*p); p++)
+ {/*skip space*/}
+ if (!*p) {
+ error("x509key_find_subject: no data after keyword");
+ return(NULL);
+ }
+ if (*p == ':' || *p == '=') {
+ for (p++; *p && isspace((int)*p); p++)
+ {/*skip space*/}
+ if (!*p) {
+ error("x509key_find_subject: no data after separator");
+ return(NULL);
+ }
+ }
+ if (*p == '/' || *p == ',') {
+ /*skip leading [Relative]DistinguishedName elements separator*/
+ for (p++; *p && isspace((int)*p); p++)
+ {/*skip space*/}
+ if (!*p) {
+ error("x509key_find_subject: no data");
+ return(NULL);
+ }
+ }
+ return(p);
+ }
+ return(NULL);
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+#ifndef SSH_X509STORE_DISABLED
+static int
+x509key_str2X509NAME(const char* _str, X509_NAME *_name) {
+ int ret = 1;
+ char *p, *q, *token;
+ char ch;
+
+ p = (char*)_str;
+ while (*p) {
+ int nid;
+ for (; *p && isspace((int)*p); p++)
+ {/*skip space*/}
+ if (!*p) break;
+
+ /* get shortest token */
+ {
+
char *tokenA = strchr(p, ',');
+ char *tokenB = strchr(p, '/');
+
+ if (tokenA == NULL) {
+ token = tokenB;
+ } else if (tokenB == NULL) {
+ token = tokenA;
+ } else {
+ token = (tokenA < tokenB) ? tokenA : tokenB;
+ }
+ }
+ if (token) {
+ ch = *token;
+ *token = 0;
+ } else {
+ ch = 0;
+ token = p + strlen(p);
+ }
+ q = strchr(p, '=');
+ if (!q) {
+ error("x509key_str2X509NAME: cannot parse '%.200s' ...", p);
+ ret = 0;
+ break;
+ }
+ *q = 0;
+ nid = OBJ_txt2nid(p);
+#ifdef SSH_OPENSSL_DN_WITHOUT_EMAIL
+ if (nid == NID_undef) {
+ /* work around for OpenSSL 0.9.7+ */
+ if (strcasecmp(p, "Email") == 0) {
+ nid = OBJ_txt2nid("emailAddress");
+ }
+ }
+#endif /* def SSH_OPENSSL_DN_WITHOUT_EMAIL */
+ *q = '=';
+ if (nid == NID_undef) {
+ error("x509key_str2X509NAME: cannot get nid from string '%.200s'", p);
+ ret = 0;
+ } else {
+ p = q + 1;
+ if (!*p) {
+ error("x509key_str2X509NAME: no data");
+ ret = 0;
+ } else { /* add */
+ char save;
+ for (q = token - 1; (q >= p) && isspace((int)*q); q--)
+ {/*skip unexpected \n, etc.
from end*/}
+
+ save = *++q;
+ *q = 0;
+ ret = X509_NAME_add_entry_by_NID(_name, nid, MBSTRING_ASC, (u_char*)p, q - p, -1, 0);
+ if (ret <= 0) {
+ char ebuf[256];
+ error("x509key_str2X509NAME: X509_NAME_add_entry_by_NID"
+ " fail with errormsg='%.256s'"
+ " for nid=%d/%.32s"
+ " and data='%.128s'"
+ , openssl_errormsg(ebuf, sizeof(ebuf))
+ , nid, OBJ_nid2ln(nid)
+ , p);
+ }
+ *q = save;
+ }
+ }
+ *token = ch;
+ if (ret <= 0) {
+ break;
+ }
+ p = token;
+ if (*p) p++;
+ }
+ debug3("x509key_str2X509NAME: return %d", ret);
+ return(ret);
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+#ifndef SSH_X509STORE_DISABLED
+Key*
+x509key_from_subject(int _keytype, char* _cp) {
+ int ret = 1;
+ Key* key = NULL;
+ X509_NAME *subj;
+ const char *subject;
+
+ debug3("x509key_from_subject(%d, [%.200s]) called ", _keytype, _cp);
+ subject = x509key_find_subject(_keytype, _cp);
+ if (subject == NULL)
+ return(NULL);
+
+ debug3("x509key_from_subject: subject=[%.200s]", subject);
+ key = key_new(_keytype);
+ if (key == NULL) {
+ error("x509key_from_subject: out of memory");
+ return(NULL);
+ }
+
+ if (ret > 0) {
+ subj = X509_get_subject_name(key->x509);
+ if (subj == NULL) {
+ error("x509key_from_subject: new x509 key without subject");
+ ret = 0;
+ }
+ }
+
+ if (ret > 0) {
+ ret = x509key_str2X509NAME(subject, subj);
+ }
+
+ if (ret <= 0) {
+ if (key != NULL) {
+ key_free(key);
+ key = NULL;
+ }
+ }
+ debug3("x509key_from_subject: return %p", (void*)key);
+ return(key);
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+static Key*
+x509_to_key(X509 *x509) {
+ Key *key = NULL;
+ EVP_PKEY *env_pkey;
+
+ env_pkey = X509_get_pubkey(x509);
+ if (env_pkey == NULL) {
+ char ebuf[256];
+ error("x509_to_key: X509_get_pubkey fail %.256s",
+ openssl_errormsg(ebuf, sizeof(ebuf)));
+ return(NULL);
+ }
+ /*else*/
+ debug3("x509_to_key: X509_get_pubkey done!");
+
+ switch (env_pkey->type) {
+ case EVP_PKEY_RSA:
+ key = key_new(KEY_UNSPEC);
+ key->x509 = x509;
+ key->rsa =
EVP_PKEY_get1_RSA(env_pkey);
+ key->type = KEY_X509_RSA;
+#ifdef DEBUG_PK
+ RSA_print_fp(stderr, key->rsa, 8);
+#endif
+ break;
+
+ case EVP_PKEY_DSA:
+ key = key_new(KEY_UNSPEC);
+ key->x509 = x509;
+ key->dsa = EVP_PKEY_get1_DSA(env_pkey);
+ key->type = KEY_X509_DSA;
+#ifdef DEBUG_PK
+ DSA_print_fp(stderr, key->dsa, 8);
+#endif
+ break;
+
+ default:
+ fatal("ssh_x509_key_size: unknow env_pkey->type %d", env_pkey->type);
+ /*unreachable code*/
+ }
+
+ return(key);
+}
+
+
+Key*
+x509key_from_blob(const u_char *blob, int blen) {
+ Key* key = NULL;
+ BIO *mbio;
+
+ /* convert blob data to BIO certificate data */
+ mbio = BIO_new(BIO_s_mem());
+ if (mbio == NULL) return(NULL);
+ BIO_write(mbio, blob, blen);
+ BIO_flush(mbio);
+
+ debug3("x509key_from_blob:We have %d bytes available in BIO", BIO_pending(mbio));
+
+ { /* read X509 certificate from BIO data */
+ X509* x509 = NULL;
+ x509 = d2i_X509_bio(mbio, NULL);
+ if (x509 == NULL) {
+ /* We will print only debug info !!!
+ * This method is used in place where we can only check incomming data.
+ * If data contain x506 certificate blob we will return a key otherwise NULL.
+ */
+ char ebuf[256];
+ debug3("x509key_from_blob: read X509 from BIO fail %.256s",
+ openssl_errormsg(ebuf, sizeof(ebuf)));
+ } else {
+ key = x509_to_key(x509);
+ if (key == NULL)
+ X509_free(x509);
+ }
+ }
+
+ /* This call will walk the chain freeing all the BIOs */
+ BIO_free_all(mbio);
+ return(key);
+}
+
+
+static int
+x509key_check(const char* method, const Key *key) {
+ if (key == NULL)
+ { error("%.50s: no key", method); return(0); }
+
+ if (key->type != KEY_X509_RSA &&
+ key->type != KEY_X509_DSA )
+ { error("%.50s: cannot handle key type %d", method, key->type); return(0); }
+
+ if (key->x509 == NULL)
+ { error("%.50s: no X509 key", method); return(0); }
+
+ return(1);
+}
+
+
+int
+x509key_to_blob(const Key *key, Buffer *b) {
+ int len;
+ void *str;
+ u_char *p;
+
+ if (!x509key_check("x509key_to_blob", key)) return(0);
+
+ len = i2d_X509(key->x509, NULL);
+ str = xmalloc(len); /*fatal on error*/
+ p = str;
+ i2d_X509(key->x509, &p);
+ buffer_append(b, str, len);
+ xfree(str);
+ return(1);
+}
+
+
+char*
+x509key_subject(const Key *key) {
+ char *buf = NULL;
+
+ if (!x509key_check("x509key_subject", key)) return(buf);
+
+ buf = xmalloc(X509KEY_SUBJECT_MAXLEN); /*fatal on error*/
+ X509_NAME_oneline(X509_get_subject_name(key->x509), buf, X509KEY_SUBJECT_MAXLEN);
+ return(buf);
+}
+
+
+int
+x509key_write(const Key *key, FILE *f) {
+ int ret = 0;
+ Buffer b;
+ size_t n;
+
+ if (!x509key_check("x509key_write_blob", key)) return(ret);
+
+ buffer_init(&b);
+ ret = x509key_to_blob(key, &b);
+ if (ret) {
+ /* write ssh key name */
+ const char *ktype = key_ssh_name(key);
+ n = strlen(ktype);
+ ret = ( fwrite(ktype, 1, n, f) == n ) &&
+ ( fwrite(" ", 1, 1, f) == 1 );
+ }
+ if (ret) {
+ char uu[1<<12]; /* 4096 bytes */
+
+ n = uuencode(buffer_ptr(&b), buffer_len(&b), uu, sizeof(uu));
+ ret = n > 0;
+ if (ret) {
+ ret = (fwrite(uu, 1, n, f) == n);
+ }
+ }
+ buffer_free(&b);
+ return(ret);
+}
+
+
+#ifndef SSH_X509STORE_DISABLED
+int
+x509key_write_subject(const Key
*key, FILE *f) {
+ BIO *out;
+ char buf[X509KEY_SUBJECT_MAXLEN];
+
+ if (!x509key_check("x509key_write_subject", key)) return(0);
+
+ out = BIO_new_fp(f, BIO_NOCLOSE);
+ if (out == NULL) return(0);
+#ifdef VMS
+ {
+ BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+ out = BIO_push(tmpbio, out);
+ }
+#endif
+
+ BIO_puts(out, key_ssh_name(key));
+ BIO_puts(out, " Subject:");
+ X509_NAME_oneline(X509_get_subject_name(key->x509), buf, sizeof(buf));
+ BIO_puts(out, buf);
+
+ BIO_free_all(out);
+ return(1);
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+Key*
+x509key_load_cert(Key *key, FILE *fp) {
+ if (key == NULL) return(NULL);
+
+ if ( (key->type == KEY_RSA) ||
+ (key->type == KEY_DSA) ) {
+ key->x509 = PEM_read_X509(fp, NULL, NULL, NULL);
+ if (key->x509 == NULL) {
+ char ebuf[256];
+ debug3("x509key_load_cert: PEM_read_X509 fail %.256s",
+ openssl_errormsg(ebuf, sizeof(ebuf)));
+ }
+ else {
+ key->type = (key->type == KEY_RSA) ? KEY_X509_RSA : KEY_X509_DSA;
+ debug("read X509 certificate done: type %.40s",
+ key ?
key_type(key) : "");
+ }
+ }
+ return(key);
+}
+
+
+static int
+x509key_save_cert(FILE *fp, X509 *x509) {
+ int ret = 0;
+ BIO *out;
+ char buf[X509KEY_SUBJECT_MAXLEN];
+
+ out = BIO_new_fp(fp, BIO_NOCLOSE);
+ if (out == NULL) return(0);
+#ifdef VMS
+ {
+ BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+ out = BIO_push(tmpbio, out);
+ }
+#endif
+
+ BIO_puts(out, "issuer= ");
+ X509_NAME_oneline(X509_get_issuer_name(x509), buf, sizeof(buf));
+ BIO_puts(out, buf);
+ BIO_puts(out, "\n");
+
+ BIO_puts(out, "subject= ");
+ X509_NAME_oneline(X509_get_subject_name(x509), buf, sizeof(buf));
+ BIO_puts(out, buf);
+ BIO_puts(out, "\n");
+ {
+ const char *alstr = (const char*)X509_alias_get0(x509, NULL);
+ if (alstr == NULL) alstr = "";
+ BIO_puts(out, alstr);
+ BIO_puts(out, "\n");
+ }
+ ret = PEM_write_bio_X509(out, x509);
+ if (!ret) {
+ char ebuf[256];
+ error("x509key_save_cert: PEM_write_bio_X509 fail %.256s",
+ openssl_errormsg(ebuf, sizeof(ebuf)));
+ }
+
+ BIO_free_all(out);
+ return(ret);
+}
+
+
+int
+x509key_save_pem(
+ FILE *fp,
+ const Key *key,
+ const EVP_CIPHER *cipher,
+ u_char *passphrase,
+ int len
+) {
+ if (!x509key_check("x509key_save_pem", key)) return(0);
+
+ switch (key->type) {
+ case KEY_X509_DSA:
+ if (PEM_write_DSAPrivateKey(fp, key->dsa, cipher, passphrase, len, NULL, NULL))
+ return(x509key_save_cert(fp, key->x509));
+ break;
+ case KEY_X509_RSA:
+ if (PEM_write_RSAPrivateKey(fp, key->rsa, cipher, passphrase, len, NULL, NULL))
+ return(x509key_save_cert(fp, key->x509));
+ break;
+ }
+ return(0);
+}
+
+
+#ifndef SSH_X509STORE_DISABLED
+static int
+ssh_ASN1_OBJECT_cmp(const ASN1_OBJECT *a, const ASN1_OBJECT *b) {
+ int lmin = MIN(a->length, b->length);
+
+ int ret = memcmp(a->data, b->data, lmin);
+
+ return((ret == 0)
+ ?
(b->length - a->length)
+ : ret);
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+#ifndef SSH_X509STORE_DISABLED
+static int
+ssh_ASN1_STRING_casecmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ int la = M_ASN1_STRING_length(a);
+ int lb = M_ASN1_STRING_length(b);
+ const char *sa = (const char *)M_ASN1_STRING_data(a);
+ const char *sb = (const char *)M_ASN1_STRING_data(b);
+
+ return((strncasecmp(sa, sb, MIN(la, lb)) != 0) ? (lb - la) : 0);
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+#ifndef SSH_X509STORE_DISABLED
+/* from RFC2459
+ * (d) attribute values in PrintableString are compared after
+ * removing leading and trailing white space and converting internal
+ * substrings of one or more consecutive white space characters to a
+ * single space.
+ */
+static int
+ssh_ASN1_PRINTABLESTRING_casecmp(const ASN1_STRING *a, const ASN1_STRING *b)
+{
+ int la = M_ASN1_STRING_length(a);
+ u_char *pa = M_ASN1_STRING_data(a);
+ int lb = M_ASN1_STRING_length(b);
+ u_char *pb = M_ASN1_STRING_data(b);
+
+ /* skip leading spaces */
+ for (; la > 0 && isspace(*pa); la--, pa++);
+ for (; lb > 0 && isspace(*pb); lb--, pb++);
+
+ /* skip trailing spaces */
+ {
+ u_char *p;
+ for (p = pa + la - 1; la > 0 && isspace(*p); la--, p--);
+ for (p = pb + lb - 1; lb > 0 && isspace(*p); lb--, p--);
+ }
+
+ while (la > 0 && lb > 0)
+ {
+ int chA = tolower(*pa);
+ int chB = tolower(*pb);
+
+ if (chA != chB)
+ return(chB - chA);
+
+ pa++; pb++;
+ la--; lb--;
+ if (isspace(chA)) {
+ for (; la > 0 && isspace(*pa); la--, pa++);
+ for (; lb > 0 && isspace(*pb); lb--, pb++);
+ }
+ }
+ return(lb - la);
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+#ifndef SSH_X509STORE_DISABLED
+/*
+ * 1.)
+ * Since version 0.9.7.beta4 and 0.9.6h OpenSSL function X509_NAME_cmp
+ * is more restrictive but more correct (!).
+ * Problem is that some x509 implementation set X509_NAME entry
+ * incorrectly to "Printable String" :-[ .
+ * O.K.
when one entry is "Printable String" we will compare
+ * to corresponding entry as "Printable String".
+ * 2.)
+ * OpenSSL functions X509_NAME_cmp check nids order in X509_NAME.
+ * i.e. X509_NAME{"/C=XX/O=YY"} is not equal to X509_NAME{"/O=YY/C=XX"}
+ */
+static int
+ssh_X509_NAME_cmp(X509_NAME *_a, X509_NAME *_b) {
+ int k, n;
+ X509_NAME *b;
+
+
+ k = sk_X509_NAME_ENTRY_num(_a->entries);
+ n = sk_X509_NAME_ENTRY_num(_b->entries);
+
+ if (k != n)
+ return(n - k);
+
+ b = X509_NAME_dup(_b);
+ n = 0;
+ for (--k; k >= 0; k--) {
+ X509_NAME_ENTRY *neA;
+ ASN1_STRING *nvA;
+ int nid;
+ X509_NAME_ENTRY *neB;
+ ASN1_STRING *nvB;
+ int loc;
+
+ neA = sk_X509_NAME_ENTRY_value(_a->entries, k);
+ nvA = neA->value;
+ nid = OBJ_obj2nid(neA->object);
+ loc = X509_NAME_get_index_by_NID(b, nid, -1);
+ if (loc < 0) {
+ char buf1[X509KEY_SUBJECT_MAXLEN];
+ char buf2[X509KEY_SUBJECT_MAXLEN];
+
+ X509_NAME_oneline(_a, buf1, sizeof(buf1));
+ X509_NAME_oneline(_b, buf2, sizeof(buf2));
+ debug3("ssh_X509_NAME_cmp: insufficient entries with nid=%d(%.40s) in second name."
+ " na=%.*s, nb=%.*s",
+ nid, OBJ_nid2ln(nid),
+ (int) sizeof(buf1), buf1,
+ (int) sizeof(buf1), buf2);
+ n = -1;
+ break;
+ }
+trynextentry:
+ neB = sk_X509_NAME_ENTRY_value(b->entries, loc);
+ nvB = neB->value;
+#ifdef SSHX509TEST
+{
+ int la = M_ASN1_STRING_length(nvA);
+ u_char *pa = M_ASN1_STRING_data (nvA);
+ int lb = M_ASN1_STRING_length(nvB);
+ u_char *pb = M_ASN1_STRING_data (nvB);
+
+ logit("nvA='%*s', nvB='%*s'", la, pa, lb, pb);
+}
+#endif
+
+ if (nid == NID_pkcs9_emailAddress) {
+ int tag;
+
+ tag = M_ASN1_STRING_type(nvA);
+ if (tag != V_ASN1_IA5STRING) {
+ /* to be strict and return nonzero or ... ? XXX
+ n = -1;
+ break;
+ */
+ error("ssh_X509_NAME_cmp: incorrect type for emailAddress(a) %d(%.30s)", tag, ASN1_tag2str(tag));
+ }
+
+ tag = M_ASN1_STRING_type(nvB);
+ if (tag != V_ASN1_IA5STRING) {
+ /* to be strict and return nonzero or ... ?
XXX
+ n = 1;
+ break;
+ */
+ error("ssh_X509_NAME_cmp: incorrect type for emailAddress(b) %d(%.30s)", tag, ASN1_tag2str(tag));
+ }
+
+ n = ssh_ASN1_STRING_casecmp(nvA, nvB);
+ if (n == 0) goto entryisok;
+
+ goto getnextentry;
+ }
+ if ((M_ASN1_STRING_type(nvA) == V_ASN1_PRINTABLESTRING) ||
+ (M_ASN1_STRING_type(nvB) == V_ASN1_PRINTABLESTRING) ) {
+ int tag;
+
+ tag = M_ASN1_STRING_type(nvA);
+ if (tag != V_ASN1_PRINTABLESTRING)
+ debug("ssh_X509_NAME_cmp: X509_NAME_ENTRY(a)->type=%d(%.30s) is not PrintableString", tag, ASN1_tag2str(tag));
+
+ tag = M_ASN1_STRING_type(nvB);
+ if (tag != V_ASN1_PRINTABLESTRING)
+ debug("ssh_X509_NAME_cmp: X509_NAME_ENTRY(b)->type=%d(%.30s) is not PrintableString", tag, ASN1_tag2str(tag));
+
+ n = ssh_ASN1_PRINTABLESTRING_casecmp(nvA, nvB);
+ if (n == 0) goto entryisok;
+
+ goto getnextentry;
+ }
+
+ n = M_ASN1_STRING_length(nvA) - M_ASN1_STRING_length(nvB);
+ if (n != 0) goto getnextentry;
+
+ n = M_ASN1_STRING_length(nvA);
+ n = memcmp(nvA->data, nvB->data, n);
+ if (n != 0) goto getnextentry;
+
+ /* openssl check object too */
+ n = ssh_ASN1_OBJECT_cmp(neA->object, neB->object);
+ if (n != 0) goto getnextentry;
+
+entryisok:
+ {
+ X509_NAME_ENTRY *ne = X509_NAME_delete_entry(b, loc);
+ X509_NAME_ENTRY_free(ne);
+ }
+ continue;
+getnextentry:
+ loc = X509_NAME_get_index_by_NID(b, nid, loc);
+ if (loc < 0) {
+ break;
+ }
+ goto trynextentry;
+ }
+
+ X509_NAME_free(b);
+ return(n);
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+#ifndef SSH_X509STORE_DISABLED
+/*
+ * We can check only by Subject (Distinguished Name):
+ * - sshd receive from client only x509 certificate !!!
+ * - sshadd -d ... send only x509 certificate !!!
+ * - otherwise Key might contain private key
+ */
+int
+ssh_x509_equal(const Key *a, const Key *b) {
+ if (!x509key_check("ssh_x509_equal", a)) return(1);
+ if (!x509key_check("ssh_x509_equal", b)) return(-1);
+
+#if 1
+/*
+ * We must use own method to compare two X509_NAMEs instead of OpenSSL
+ * function[s]!
See notes before body of "ssh_X509_NAME_cmp()".
+ */
+ {
+ X509_NAME *nameA = X509_get_subject_name(a->x509);
+ X509_NAME *nameB = X509_get_subject_name(b->x509);
+ return(ssh_X509_NAME_cmp(nameA, nameB));
+ }
+#else
+ return(X509_subject_name_cmp(a->x509, b->x509));
+#endif
+}
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+int
+ssh_x509_sign(
+ const Key *key,
+ u_char **psignature, u_int *psignaturelen,
+ const u_char *data, u_int datalen
+) {
+ int ret = -1;
+ u_char sigret[256];
+ u_int siglen;
+
+ if (!x509key_check("ssh_x509_sign", key)) return(ret);
+ if ((key->rsa == NULL) && (key->dsa == NULL)) {
+ error("ssh_x509_sign: missing private key");
+ return(ret);
+ }
+
+ debug3("ssh_x509_sign: key_type=%.20s, key_ssh_name=%.40s", key_type(key), key_ssh_name(key));
+ ret = 1;
+ {
+ EVP_PKEY *privkey = EVP_PKEY_new();
+ if (privkey == NULL) {
+ error("ssh_x509_sign: out of memory");
+ ret = -1;
+ }
+ else {
+ ret = (key->rsa)
+ ? EVP_PKEY_set1_RSA(privkey, key->rsa)
+ : EVP_PKEY_set1_DSA(privkey, key->dsa);
+
+ if (ret <= 0) {
+ char ebuf[256];
+ error("ssh_x509_sign: EVP_PKEY_set1_XXX: failed %.256s",
+ openssl_errormsg(ebuf, sizeof(ebuf)));
+ }
+ }
+
+ if (ret > 0) {
+ EVP_MD_CTX ctx;
+ const EVP_MD *evp_md;
+ if (key->rsa) {
+ evp_md = (x509rsasigtype == SSH_X509RSA_SHA1) ? EVP_sha1() : EVP_md5();
+ } else {
+ evp_md = EVP_dss1();
+ }
+
+ debug3("ssh_x509_sign: evp_md { %d(%.30s), %d(%.30s), %d, ...
}", + evp_md->type, OBJ_nid2ln(evp_md->type), + evp_md->pkey_type, OBJ_nid2ln(evp_md->pkey_type), + evp_md->md_size); + + EVP_SignInit(&ctx, evp_md); + EVP_SignUpdate(&ctx, data, datalen); + + if (ret > 0) { + ret = EVP_SignFinal(&ctx, sigret, &siglen, privkey); + if (ret <= 0) { + char ebuf[256]; + error("ssh_x509_sign: digest failed: %.256s", + openssl_errormsg(ebuf, sizeof(ebuf))); + } + } + } + EVP_PKEY_free(privkey); + } + if (ret > 0) { + Buffer b; + + buffer_init(&b); + buffer_put_cstring(&b, key_ssh_name(key)); + buffer_put_string(&b, sigret, siglen); + + { + u_int len = buffer_len(&b); + if (psignaturelen != NULL) + *psignaturelen = len; + + if (psignature != NULL) { + *psignature = xmalloc(len); /*fatal on error*/ + memcpy(*psignature, buffer_ptr(&b), len); + } + } + buffer_free(&b); + } + ret = ret > 0 ? 0 : -1; + debug3("ssh_x509_sign: return %d", ret); + return(ret); +} + + +int +ssh_x509_verify( + const Key *key, + const u_char *signature, u_int signaturelen, + const u_char *data, u_int datalen +) { + int ret = -1; + u_char *sigblob = NULL; + uint len = 0; + + if (!x509key_check("ssh_x509_verify", key)) return(ret); + + { /* get signature data only */ + Buffer b; + buffer_init(&b); + buffer_append(&b, signature, signaturelen); + + { /* check signature key type */ + char *ktype = buffer_get_string(&b, NULL); + debug3("ssh_x509_verify: signature key type = %.40s", ktype); + ret = strcmp("x509v3-sign-rsa", ktype) == 0 || + strcmp("x509v3-sign-dss", ktype) == 0; + if (!ret) { + error("ssh_x509_verify: cannot handle signature key type %.40s", ktype); + } + xfree(ktype); + } + + if (ret > 0) { + sigblob = buffer_get_string(&b, &len); + } + + if (ret > 0) { + int rlen = buffer_len(&b); + if (rlen != 0) { + error("ssh_x509_verify: remaining bytes in signature %d", rlen); + ret = -1; + } + } + buffer_free(&b); + } + + if (ret > 0 ) { + EVP_PKEY* pubkey = X509_get_pubkey(key->x509); + if (pubkey == NULL) { + error("ssh_x509_verify: no 'X509 Public Key'"); + ret 
= -1; + } + + if (ret > 0) { + EVP_MD_CTX ctx; + const EVP_MD *evp_md; + if (key->rsa) { + evp_md = (x509rsasigtype == SSH_X509RSA_SHA1) ? EVP_sha1() : EVP_md5(); + } else { + evp_md = EVP_dss1(); + } + debug3("ssh_x509_verify: evp_md { %d(%.30s), %d(%.30s), %d, ... }", + evp_md->type, OBJ_nid2ln(evp_md->type), + evp_md->pkey_type, OBJ_nid2ln(evp_md->pkey_type), + evp_md->md_size); + + EVP_VerifyInit(&ctx, evp_md); + EVP_VerifyUpdate(&ctx, data, datalen); + ret = EVP_VerifyFinal(&ctx, sigblob, len, pubkey); + if ((ret <= 0) && key->rsa) { + /* rumen-XXX: X.509 RSASIG check */ + evp_md = (x509rsasigtype == SSH_X509RSA_SHA1) ? EVP_md5() : EVP_sha1(); + debug3("ssh_x509_verify: evp_md { %d(%.30s), %d(%.30s), %d, ... }", + evp_md->type, OBJ_nid2ln(evp_md->type), + evp_md->pkey_type, OBJ_nid2ln(evp_md->pkey_type), + evp_md->md_size); + + EVP_VerifyInit(&ctx, evp_md); + EVP_VerifyUpdate(&ctx, data, datalen); + ret = EVP_VerifyFinal(&ctx, sigblob, len, pubkey); + if (ret > 0) { + const char *pmsg; + if (x509rsasigtype == SSH_X509RSA_SHA1) + pmsg = "X509COMPAT: RSA succeed for md5 digest"; + else + pmsg = "X509COMPAT: RSA succeed for sha1 digest"; + if (plogx509rsasig) + plogx509rsasig(pmsg); + else + logit(pmsg); + } + } + if (ret <= 0) { + char ebuf[256]; + error("ssh_x509_verify: verify failed: %.256s", + openssl_errormsg(ebuf, sizeof(ebuf))); + ret = 0; + } + } + EVP_PKEY_free(pubkey); /* XXX ?*/ + } + if (sigblob) { + memset(sigblob, 's', len); + xfree(sigblob); + sigblob = NULL; + } + if (ret > 0) { + ret = ssh_x509cert_check(key->x509); + } + ret = ret > 0 ? 1 : (ret < 0 ? 
-1 : 0); + debug3("ssh_x509_verify: return %d", ret); + return(ret); +} + + +u_int +ssh_x509_key_size(const Key *key) { + EVP_PKEY *pkey; + int k = 0; + + if (!x509key_check("key_size", key)) goto done; + + pkey = X509_get_pubkey(key->x509); + if (pkey == NULL) goto done; + + switch(pkey->type) { + case EVP_PKEY_RSA: + /* BN_num_bits return int (!): XXX */ + k = BN_num_bits(pkey->pkey.rsa->n); + break; + case EVP_PKEY_DSA: + /*OpenSSH like this*/ + k = BN_num_bits(pkey->pkey.dsa->p); + break; + default: + fatal("ssh_x509_key_size: unknow pkey->type %d", pkey->type); + /*unreachable code*/ + } + EVP_PKEY_free(pkey); +done: + return((u_int) k); +} diff -ruN openssh-3.8p1/ssh-x509.h openssh-3.8p1+x509h/ssh-x509.h --- openssh-3.8p1/ssh-x509.h 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/ssh-x509.h 2004-02-22 18:24:36.000000000 +0200 
@@ -0,0 +1,71 @@
+#ifndef SSH_X509_H
+#define SSH_X509_H
+/*
+ * Copyright (c) 2002-2004 Roumen Petrov. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+#include "includes.h"
+#include "key.h"
+#include "buffer.h"
+
+
+#ifndef SSH_X509STORE_DISABLED
+/*
+ * Method return a key(x509) only with "Subject"("Distinguished Name") !
+ */
+Key* x509key_from_subject(int _keytype, char* _cp);
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+Key* x509key_from_blob(const u_char *blob, int blen);
+int x509key_to_blob(const Key *key, Buffer *b);
+
+#define X509KEY_SUBJECT_MAXLEN 512
+char* x509key_subject(const Key *key);
+
+/*
+ * Method write x509 certificate as blob.
+ */
+int x509key_write(const Key *key, FILE *f);
+#ifndef SSH_X509STORE_DISABLED
+/*
+ * Method write x509 certificate subject.
+ */
+int x509key_write_subject(const Key *key, FILE *f);
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+Key* x509key_load_cert(Key *key, FILE *fp);
+
+int x509key_save_pem(FILE *fp, const Key *key, const EVP_CIPHER *cipher, u_char *passphrase, int len);
+
+
+#ifndef SSH_X509STORE_DISABLED
+int ssh_x509_equal(const Key *a, const Key *b);
+#endif /*ndef SSH_X509STORE_DISABLED*/
+int ssh_x509_sign(const Key *key, u_char **psignature, u_int *psignaturelen, const u_char *data, u_int datalen);
+int ssh_x509_verify(const Key *key, const u_char *signature, u_int signaturelen, const u_char *data, u_int datalen);
+u_int ssh_x509_key_size(const Key *key);
+
+
+#endif /* SSH_X509_H */
diff -ruN openssh-3.8p1/tests/CA/1-cre_cadb.sh openssh-3.8p1+x509h/tests/CA/1-cre_cadb.sh
--- openssh-3.8p1/tests/CA/1-cre_cadb.sh 1970-01-01 02:00:00.000000000 +0200
+++ openssh-3.8p1+x509h/tests/CA/1-cre_cadb.sh 2004-03-20 12:50:15.000000000 +0200
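Review bot: The prototypes `ssh_x509_equal`, `ssh_x509_sign` and `ssh_x509_verify` at the end of this header say nothing about their return values, and the definitions in ssh-x509.c use three different conventions. `ssh_x509_sign` returns 0 on success and -1 on failure, `ssh_x509_verify` returns 1 for a valid signature, 0 for a failed one and -1 on error, and `ssh_x509_equal` passes on the result of `ssh_X509_NAME_cmp`, so 0 appears to mean that the subjects match. A caller that tests `ssh_x509_equal(a, b)` or `ssh_x509_sign(...)` as a boolean gets the opposite answer inside an authentication path. Each prototype should state its contract, for example `/* compare-style: 0 when the subjects match, non-zero otherwise */` above `ssh_x509_equal` and `/* 1 = signature valid, 0 = invalid, -1 = error */` above `ssh_x509_verify`.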
@@ -0,0 +1,328 @@ +#!/bin/sh +# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# DESCRIPTION: Create a new certificate authority config and database. +# + +CWD=`pwd` +SCRIPTDIR=`echo $0 | sed 's/1-cre_cadb.sh$//'` +. "${SCRIPTDIR}shell.rc" +. "${SCRIPTDIR}functions" +. 
"${SCRIPTDIR}config" + + +# === +# args: +# $1 - type +echo_CA_common_options () { +cat < "$1" +[ ca ] +default_ca = CA_OpenSSH_rsa_md5 + + +# For the CA policy +[ policy_match ] +countryName = match +stateOrProvinceName = match +organizationName = match +organizationalUnitName = optional +commonName = supplied +emailAddress = optional + + +[ req ] +default_bits = 1024 +distinguished_name = req_distinguished_name +attributes = req_attributes +#prompt = no + +# The extensions to add to a certificate request: +#???req_extensions = usr_cert + + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_default = $SSH_DN_C +countryName_min = 2 +countryName_max = 2 + +stateOrProvinceName = State or Province Name (full name) +stateOrProvinceName_default = $SSH_DN_ST + +localityName = Locality Name (eg, city) +localityName_default = $SSH_DN_L + +0.organizationName = Organization Name (eg, company) +0.organizationName_default = $SSH_DN_O + +0.organizationalUnitName = Organizational Unit1 Name (eg, section1 - optional) +0.organizationalUnitName_default = ${SSH_DN_OU}-1 + +1.organizationalUnitName = Organizational Unit2 Name (eg, section2 - optional) +1.organizationalUnitName_default = ${SSH_DN_OU}-2 + +2.organizationalUnitName = Organizational Unit3 Name (eg, section3 - optional) +2.organizationalUnitName_default = ${SSH_DN_OU}-3 + +commonName = Common Name (eg, YOUR name) +commonName_min = 2 +commonName_max = 64 + +emailAddress = Email Address (optional) +emailAddress_max = 40 +emailAddress_default = $SSH_DN_EM + + +[ req_attributes ] +challengePassword = A challenge password +challengePassword_min = 4 +challengePassword_max = 20 + + +[ ca_cert ] +# PKIX recommendation. + +# This is what PKIX recommends but some broken software chokes on critical +# extensions. +#basicConstraints = critical,CA:true +# So we do this instead. +# Since we generate OpenSSH test CA we comment next line. 
+#basicConstraints=CA:true + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated OpenSSH Test CA Certificate" + +# Key usage: this is typical for a CA certificate. However since it will +# prevent it being used as an test self-signed certificate it is best +# left out by default. +# Since we generate OpenSSH test CA we comment next line. +#keyUsage = cRLSign, keyCertSign + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +EOF + + +# X.509 extensions: SSH client certificates +cat << EOF >> "$1" + + +[ usr_cert ] +# These extensions are added when 'ca' signs a request. +basicConstraints=CA:FALSE +nsCertType = client, email + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated OpenSSH Test Client Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +EOF + +echo_CA_ocsp_options >> "$1" + + +# X.509 extensions: SSH server certificates +cat << EOF >> "$1" + + +[ srv_cert ] +# These extensions are added when 'ca' signs a request. +basicConstraints = CA:FALSE + +# To test OpenSSH hostbased authentication we need +# following certificate purposes: +nsCertType = server,client +# Normal for server certificate is: +#nsCertType = server +# but in last case me must disable check of certificate purposes +# in sshd_config otherwise hostbased fail. + +# This is typical in keyUsage for a client certificate. +# keyUsage = nonRepudiation, digitalSignature, keyEncipherment + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated OpenSSH Test Server Certificate" + +# PKIX recommendations harmless if included in all certificates. 
+subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +EOF + +echo_CA_ocsp_options >> "$1" + + +# X.509 extensions: OCSP Validator certificates +if test "x$SSH_OCSP" = "xyes"; then +cat << EOF >> "$1" + + +[ ocsp_cert ] +# These extensions are added when 'ca' signs a request. +basicConstraints = CA:FALSE + +# Normal for validator certificate is: +nsCertType = objsign + +# This is typical in keyUsage for a validator certificate. +keyUsage = nonRepudiation, digitalSignature + +# This should present for a validator certificate. +extendedKeyUsage = OCSPSigning + +# This will be displayed in Netscape's comment listbox. +nsComment = "OpenSSL Generated OpenSSH Test OCSP Responder Certificate" + +# PKIX recommendations harmless if included in all certificates. +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid,issuer:always +EOF +fi + + +for DIGEST in ${RSA_DIGEST_LIST}; do +( cat << EOF + + +[ CA_OpenSSH_rsa_${DIGEST} ] +EOF + echo_CA_common_options "rsa_${DIGEST}" + cat << EOF +# which md to use: +default_md = ${DIGEST} + +# The private key (!) +private_key = "${SSH_CAKEYDIR}/${CAKEY_PREFIX}-rsa.key" + +#The CA certificate (!) +certificate = "${SSH_CACERTDIR}/${CAKEY_PREFIX}-rsa_${DIGEST}.crt.pem" +EOF +) >> "$1" +done + +( cat << EOF + + +[ CA_OpenSSH_dsa ] +EOF + echo_CA_common_options "dsa" + cat << EOF +# which md to use: +default_md = sha1 + +# The private key (!) +private_key = "${SSH_CAKEYDIR}/${CAKEY_PREFIX}-dsa.key" + +#The CA certificate (!) +certificate = "${SSH_CACERTDIR}/${CAKEY_PREFIX}-dsa.crt.pem" +EOF +) >> "$1" +} + + +# === +cre_db () { +( + var="${SSH_CAROOT}" + + if test ! -d "$var"; then + mkdir -p "$var" || exit $? + else + count=`getNextDirName "${var}"` || exit $? + if test -d "${var}"; then + printf '%s' "saving old directoty as ${attn}${var}.${warn}${count}${norm} ... " + mv "${var}" "${var}.${count}"; show_status $? || exit $? + fi + fi + + mkdir -p "$var" && + mkdir "$var/crt" && + mkdir "$var/crl" || + exit $? 
+ + for type in ${SSH_SIGN_TYPES}; do + create_empty_file "$var/index-${type}.txt" || exit $? + done + + mkdir "$var/newcerts" && + echo '200402160906000001' > "$var/serial" +) +} + + +# === + +cre_config "${TMPDIR}/${CACONFIG}" && +cre_db && +update_file "${TMPDIR}/${CACONFIG}" "${SSH_CACFGFILE}"; retval=$? + +show_status $retval "${extd}Creating${norm} ${warn}TEST${norm} ${attn}Certificate Authority Database${norm}" diff -ruN openssh-3.8p1/tests/CA/2-cre_cakeys.sh openssh-3.8p1+x509h/tests/CA/2-cre_cakeys.sh --- openssh-3.8p1/tests/CA/2-cre_cakeys.sh 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/2-cre_cakeys.sh 2004-03-20 12:40:15.000000000 +0200 
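Review bot: In the `[ ca_cert ]` section both `basicConstraints=CA:true` and `keyUsage = cRLSign, keyCertSign` are commented out, so the test CA certificates produced from this config are not marked as CA certificates. A test suite built on them cannot show that certificate verification rejects an issuer lacking the CA constraint, and it would start failing if verification were later tightened to require it. Whether `ssh_x509cert_check` looks at these extensions is not visible in this diff. I would enable `basicConstraints = CA:true` for the CA profile, or extend the existing comment to say why an unconstrained CA is what the tests need, e.g. `# left unset on purpose: <reason>`.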
@@ -0,0 +1,251 @@ +#!/bin/sh +# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# DESCRIPTION: Create "Test Certificate Authority" private keys and certificates. +# + +CWD=`pwd` +SCRIPTDIR=`echo $0 | sed 's/2-cre_cakeys.sh$//'` +. "${SCRIPTDIR}shell.rc" +. "${SCRIPTDIR}functions" +. "${SCRIPTDIR}config" + + +OPENSSH_LOG="$CWD/openssh_ca-2.log" +create_empty_file .delmy && +update_file .delmy "$OPENSSH_LOG" > /dev/null || exit $? + + +# === +echo_SSH_CA_DN () { +cat </dev/null + +$OPENSSL genrsa ${RSA_OPT} \ + -passout pass:${KEY_PASS} \ + -out "${TMPDIR}/${CAKEY_PREFIX}-rsa.key" 1024 \ + 2>> "$OPENSSH_LOG" \ +; show_status $? "generating ${extd}TEST CA${norm} ${attn}rsa${norm} private key" \ +|| return $? 
+ +for DIGEST in ${RSA_DIGEST_LIST}; do + +rm -f "${TMPDIR}/${CAKEY_PREFIX}-rsa_${DIGEST}.crt" 2>/dev/null + +echo_SSH_CA_DN "rsa_${DIGEST}" | +$OPENSSL req \ + -new -x509 \ + -config "${SSH_CACFGFILE}" \ + -days $SSH_CACERTDAYS \ + -passin pass:${KEY_PASS} \ + -key "${TMPDIR}/${CAKEY_PREFIX}-rsa.key" \ + -${DIGEST} \ + -out "${TMPDIR}/${CAKEY_PREFIX}-rsa_${DIGEST}.crt" \ + -extensions ca_cert \ + 2>> "$OPENSSH_LOG" \ +; show_status $? "generating ${extd}TEST CA${norm} ${attn}rsa-${DIGEST}${norm} certificate" \ +|| return $? + +done + +return 0 +} + + +# === +gen_dsa () { +DSA_OPT="" +if [ -f /etc/random-seed ]; then + DSA_OPT="${DSA_OPT} -rand /etc/random-seed" +fi + +rm -f "${TMPDIR}/${CAKEY_PREFIX}-dsa.prm" 2>/dev/null +$OPENSSL dsaparam ${DSA_OPT} \ + -out "${TMPDIR}/${CAKEY_PREFIX}-dsa.prm" 1024\ + 2>> "$OPENSSH_LOG";\ +show_status $? "generating ${extd}DSA parameter file${norm}" \ +|| return $? + +rm -f "${TMPDIR}/${CAKEY_PREFIX}-dsa.key" 2>/dev/null +DSA_OPT="${DSA_OPT} -des3" +$OPENSSL gendsa ${DSA_OPT} \ + -passout pass:${KEY_PASS} \ + -out "${TMPDIR}/${CAKEY_PREFIX}-dsa.key" \ + "${TMPDIR}/${CAKEY_PREFIX}-dsa.prm" \ + 2>> "$OPENSSH_LOG" \ +; show_status $? "generating ${extd}TEST CA${norm} ${attn}dsa${norm} private key" \ +|| return $? + + +#request & ceritificate +rm -f "${TMPDIR}/${CAKEY_PREFIX}-dsa.crt" 2>/dev/null + +echo_SSH_CA_DN "dsa" | +$OPENSSL req \ + -new -x509 \ + -config "${SSH_CACFGFILE}" \ + -days $SSH_CACERTDAYS \ + -passin pass:${KEY_PASS} \ + -key "${TMPDIR}/${CAKEY_PREFIX}-dsa.key" \ + -out "${TMPDIR}/${CAKEY_PREFIX}-dsa.crt" \ + -extensions ca_cert \ + 2>> "$OPENSSH_LOG" \ +; show_status $? "generating ${extd}TEST CA${norm} ${attn}dsa-sha1${norm} certificate" \ +|| return $? + +return 0 +} + + +# === +crt2bundle () { +( + val="$1" + test -z "${val}" && { echo ${warn}missing DN${norm} >&2; return 1; } + + echo + echo ${val} + echo ${val} | sed -e 's/./=/g' + $OPENSSL x509 -inform PEM -in "${2}" -fingerprint -noout || exit $? 
+ echo PEM data: + $OPENSSL x509 -inform PEM -in "${2}" -trustout || exit $? + echo Certificate Ingredients: + $OPENSSL x509 -inform PEM -in "${2}" -text -noout || exit $? + + exit 0 +) +} + + +# === +install () { +( + for D in \ + "${SSH_CAROOT}" \ + "${SSH_CAKEYDIR}" \ + "${SSH_CACERTDIR}" \ + ; do + if test ! -d "$D"; then + mkdir -p "${D}" || exit $? + fi + done + chmod 700 "${SSH_CAKEYDIR}" || exit $? + + update_file "${TMPDIR}/${CAKEY_PREFIX}-dsa.prm" "${SSH_CAROOT}/${CAKEY_PREFIX}-dsa.prm" && + for type in rsa dsa; do + F="${CAKEY_PREFIX}-${type}.key" + update_file "${TMPDIR}/${F}" "${SSH_CAKEYDIR}/${F}" && + chmod 400 "${SSH_CAKEYDIR}/${F}" || exit $? + done + + for type in ${SSH_SIGN_TYPES}; do + F="${CAKEY_PREFIX}-${type}.crt" + update_file "${TMPDIR}/${F}" "${SSH_CACERTDIR}/${F}.pem" || exit $? + done + + create_empty_file "${TMPDIR}/${CACERTFILE}" && + for type in ${SSH_SIGN_TYPES}; do + F="${SSH_CACERTDIR}/${CAKEY_PREFIX}-${type}.crt.pem" + crt2bundle "${SSH_DN_O}-${type}" "${F}" >> "${TMPDIR}/${CACERTFILE}" || exit $? + done + + update_file "${TMPDIR}/${CACERTFILE}" "${SSH_CAROOT}/${CACERTFILE}" +) +} + + +# === +cre_hash_link () { +( +#option -noout problem: +#exit code from .../openssl ... -noout ... is sometime nonzero !!! +#might only by .../openssl x509 ... -noout ... exit code is zero +#sample: +#a) exit code is one - INCORRECT +# .../openssl crl -in a_crl_file -hash -noout +#b) exit code is zero - correct +# .../openssl crl -in a_crl_file -hash -out /dev/null +# +#work around might is to use -out /dev/null :-/ + HASH=`$OPENSSL x509 -in "$1" -noout -hash` || exit $? + NAME=`getNextFreeName ${HASH}.` || exit $? + + echo "creating link ${attn}${NAME}${norm} to ${attn}$1${norm}" + rm -f "${NAME}" && + ln -s "$1" "${NAME}" || exit $? + #link might never fail ;-( + test -h "${NAME}" +) +} + + +cre_hashs () { +#(!) openssl script "c_rehash" is missing in some installations :-( +# c_rehash "${SSH_CACERTDIR}" +( + cd "${SSH_CACERTDIR}" || exit $? 
+ + for F in [0-9a-f]*.[0-9]; do + # we must use test -L, but on ?-OSes ... :-( + if test -h "$F"; then + rm -f "$F" || exit $? + fi + done + + for type in ${SSH_SIGN_TYPES}; do + cre_hash_link "${CAKEY_PREFIX}-${type}.crt.pem" || exit $? + done + + exit 0 +) +} + + +# === + +gen_rsa && +gen_dsa && +install && +cre_hashs; retval=$? + +show_status $retval "${extd}Creating${norm} ${warn}TEST${norm} ${attn}Certificate Authority${norm}" +echo "${warn}password for all private keys is ${attn}${KEY_PASS}${norm}" +exit $retval diff -ruN openssh-3.8p1/tests/CA/3-cre_certs.sh openssh-3.8p1+x509h/tests/CA/3-cre_certs.sh --- openssh-3.8p1/tests/CA/3-cre_certs.sh 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/3-cre_certs.sh 2004-03-20 12:54:08.000000000 +0200 
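Review bot: `gen_rsa` and `gen_dsa` write the CA private keys to fixed names under `${TMPDIR}` (`${TMPDIR}/${CAKEY_PREFIX}-rsa.key` and `-dsa.key`) with the default umask, and `install` tightens permissions only after copying them into `${SSH_CAKEYDIR}`. tests/CA/config falls back to `/tmp`, `/var/tmp` or `/usr/tmp` when `TMPDIR` is unset, so on a shared host the key files sit at predictable paths in a world-writable directory, and the `rm -f` before each generation does not stop the name from being re-created by another user in between. I would add `umask 077` after the config is sourced and generate into a directory made for the run, for example `WORKDIR="${TMPDIR}/ssh-ca.$$"; mkdir -m 700 "$WORKDIR" || exit 1`, since `mkdir` fails when the name already exists. The same applies to `cre_OpenSSH_Crt` and `cre_P12_Crt` in 3-cre_certs.sh, where the key-plus-certificate file exists before its `chmod 600` and the PKCS #12 file gets no chmod at all.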
@@ -0,0 +1,273 @@ +#!/bin/sh +# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# DESCRIPTION: Create certificate(s). +# + +CWD=`pwd` +SCRIPTDIR=`echo $0 | sed 's/3-cre_certs.sh$//'` +. "${SCRIPTDIR}shell.rc" +. "${SCRIPTDIR}functions" +. "${SCRIPTDIR}config" + +usage () { + cat < + -f[ile] [ssh]key_file_name + -t[ype] certificate type: client, server, ocsp(if enabled) + -n[ame] "base" common name +EOF + exit 1 +} + +test "x$TEST_SSH_SSHKEYGEN" = "x" && { echo "Please define TEST_SSH_SSHKEYGEN"; exit 1; } +test -z "$1" && usage + +while ! test -z "$1"; do + case $1 in + -f|\ + -file) + shift + if test -z "$1"; then + usage + fi + if ! test -z "${SSH_BASE_KEY}"; then + usage + fi + SSH_BASE_KEY="$1" + shift + ;; + + -t|\ + -type) + shift + if test -z "$1"; then + usage + fi + if ! 
test -z "$SSH_CERT_TYPE"; then + usage + fi + SSH_CERT_TYPE="$1" + shift + case $SSH_CERT_TYPE in + client) + SSH_X509V3_EXTENSIONS="usr_cert" + ;; + server) + SSH_X509V3_EXTENSIONS="srv_cert" + ;; + ocsp) + if test "x$SSH_OCSP" = "xyes"; then + SSH_X509V3_EXTENSIONS="ocsp_cert" + else + echo "${warn}unsupported type${norm}" + usage + fi + ;; + *) + echo "${warn}wrong type${norm}" + usage + ;; + esac + ;; + + -n|\ + -name) + shift + if test -z "$1"; then + usage + fi + if ! test -z "${SSH_BASE_DN_CN}"; then + usage + fi + SSH_BASE_DN_CN="$1" + shift + ;; + + *) + usage + ;; + esac +done + +test -z "${SSH_BASE_KEY}" && usage +test ! -r "${SSH_BASE_KEY}" && { error_file_not_readable; exit 1; } +test -z "${SSH_BASE_DN_CN}" && usage +test -z "${SSH_CERT_TYPE}" && usage + + +OPENSSH_LOG="$CWD/openssh_ca-3.${SSH_BASE_KEY}.${SSH_X509V3_EXTENSIONS}.log" +create_empty_file .delmy && +update_file .delmy "$OPENSSH_LOG" > /dev/null || exit $? + + +# === +cre_csr () { + echo "=== create a new CSR ===" >> "$OPENSSH_LOG" + ( + if test "$SSH_X509V3_EXTENSIONS" != "usr_cert"; then + SSH_DN_EM="." + fi + + cat <> "$OPENSSH_LOG" \ + ; show_status $? "- ${extd}CSR${norm}" +} + + +# === +cre_crt () { + echo "=== create a new CRT ===" >> "$OPENSSH_LOG" + $OPENSSL ca \ + -config "${SSH_CACFGFILE}" \ + -batch \ + -in "${TMPDIR}/${SSH_X509V3_EXTENSIONS}-${type}${subtype}.csr" \ + -name "CA_OpenSSH_${type}" \ + -passin pass:$KEY_PASS \ + -out "${TMPDIR}/${SSH_X509V3_EXTENSIONS}-${type}${subtype}.crt" \ + -extensions ${SSH_X509V3_EXTENSIONS} \ + 2>> "$OPENSSH_LOG" \ + ; show_status $? "- ${extd}CRT${norm}" || + { retval=$? + printf '%s' "${warn}" + grep 'ERROR:' "$OPENSSH_LOG" + printf '%s' "${norm}" + return $retval + } + + sync + $OPENSSL verify \ + -CAfile "${SSH_CACERTDIR}/${CAKEY_PREFIX}-${type}.crt.pem" \ + "${TMPDIR}/${SSH_X509V3_EXTENSIONS}-${type}${subtype}.crt" && + rm -f "${TMPDIR}/${SSH_X509V3_EXTENSIONS}-${type}${subtype}.csr" || + return $? 
+ + printf '%s' '- ' && + update_file \ + "${TMPDIR}/${SSH_X509V3_EXTENSIONS}-${type}${subtype}.crt" \ + "${SSH_BASE_KEY}-${type}${subtype}.crt" +} + + +# === +cre_OpenSSH_Crt () { + printf '%s' "- ${extd}OpenSSH certificate${norm}" + ( cat "${SSH_BASE_KEY}" + $OPENSSL x509 -in "${SSH_BASE_KEY}-${type}${subtype}.crt" -subject -issuer -alias + ) > "${SSH_BASE_KEY}-${type}${subtype}" && + chmod 600 "${SSH_BASE_KEY}-${type}${subtype}" \ + ; show_status $? +} + + +cre_OpenSSH_PubKey () { + printf '%s' "- ${extd}OpenSSH public key${norm}" + "$TEST_SSH_SSHKEYGEN" -y -f "${SSH_BASE_KEY}-${type}${subtype}" \ + > "${SSH_BASE_KEY}-${type}${subtype}.pub" \ + ; show_status $? +} + + +cre_P12_Crt () { + printf '%s' "- ${extd}PKCS #12${norm} file" + $OPENSSL pkcs12 \ + -passin pass:"" \ + -passout pass:"" \ + -in "${SSH_BASE_KEY}-${type}${subtype}" \ + -out "${SSH_BASE_KEY}-${type}${subtype}".p12 \ + -export \ + ; show_status $? +} + + +revoke_crt () { + echo "=== revoke a CRT ===" >> "$OPENSSH_LOG" + printf '%s' "- ${extd}revoke${norm} certificate" + $OPENSSL ca \ + -config "${SSH_CACFGFILE}" \ + -name "CA_OpenSSH_${type}" \ + -passin pass:$KEY_PASS \ + -revoke "${SSH_BASE_KEY}-${type}${subtype}.crt" \ + 2>> "$OPENSSH_LOG" \ + ; show_status $? +} + + +# === +cre_all2 () { + echo + printf '%s\n' "creating ${extd}${SSH_X509V3_EXTENSIONS}${norm} for ${extd}${SSH_BASE_DN_CN}${norm}(${attn}${type}${norm}${warn}${subtype}${norm}) ..." + + cre_csr && + cre_crt || return $? + + test "$SSH_X509V3_EXTENSIONS" = "ocsp_cert" && return 0 + + cre_OpenSSH_Crt && + cre_OpenSSH_PubKey && + cre_P12_Crt +} + + +# === +cre_all () { +( + subtype="" + for type in ${SSH_SIGN_TYPES}; do + cre_all2 || exit $? + done + + test "$SSH_X509V3_EXTENSIONS" = "srv_cert" && exit 0 + + subtype="-revoked" + for type in ${SSH_SIGN_TYPES}; do + cre_all2 && + revoke_crt || exit $? + done + + exit 0 +) +} + +# === + +cre_all; retval=$? 
+ +echo +show_status $retval "${extd}Creating${norm} ${attn}${SSH_BASE_DN_CN}${norm} group of ${warn}test${norm} certificates" diff -ruN openssh-3.8p1/tests/CA/4-cre_crls.sh openssh-3.8p1+x509h/tests/CA/4-cre_crls.sh --- openssh-3.8p1/tests/CA/4-cre_crls.sh 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/4-cre_crls.sh 2004-02-16 21:02:12.000000000 +0200 
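Review bot: `OPENSSH_LOG` is built from the raw `-f` argument (`"$CWD/openssh_ca-3.${SSH_BASE_KEY}.${SSH_X509V3_EXTENSIONS}.log"`), so a key file given with a directory part yields a log path inside a directory that most likely does not exist. The `update_file .delmy "$OPENSSH_LOG"` step right after it would then presumably fail and the script exits before any certificate is created; `update_file` lives in `functions`, outside this hunk, so that part is inferred. Using only the file name avoids it: ``SSH_BASE_NAME=`basename "${SSH_BASE_KEY}"` `` followed by `OPENSSH_LOG="$CWD/openssh_ca-3.${SSH_BASE_NAME}.${SSH_X509V3_EXTENSIONS}.log"`.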
@@ -0,0 +1,113 @@ +#!/bin/sh +# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# DESCRIPTION: Create "Test Certificate Authority" CRLs. +# + +CWD=`pwd` +SCRIPTDIR=`echo $0 | sed 's/4-cre_crls.sh$//'` +. "${SCRIPTDIR}shell.rc" +. "${SCRIPTDIR}functions" +. "${SCRIPTDIR}config" + + +OPENSSH_LOG="$CWD/openssh_ca-4.log" +create_empty_file .delmy && +update_file .delmy "$OPENSSH_LOG" > /dev/null || exit $? + + +# === +cre_crlfile() { +( + type="$1" + + cd "${SSH_CACRLDIR}" || exit $? + + FILE="${CAKEY_PREFIX}-${type}.crl.pem" + + printf '%s' "- ${attn}${type}${norm} certificates" + ${OPENSSL} ca \ + -config "${SSH_CACFGFILE}" \ + -name "CA_OpenSSH_${type}" \ + -passin pass:${KEY_PASS} \ + -gencrl \ + -out "${FILE}" \ + 2>> "$OPENSSH_LOG" \ + ; show_status $? || exit $? + + HASH=`${OPENSSL} crl -out /dev/null -in "${FILE}" -hash 2>> "$OPENSSH_LOG"` || exit $? + + NAME=`getNextFreeName "${HASH}.r"` || exit $? 
+ + ln -s "${FILE}" "${NAME}" + #link might never fail :-( + test -h "${NAME}" +) +} + + +# === +cre_crlindir () { + echo "=== create a new CRL ===" >> "$OPENSSH_LOG" + rm -f "${SSH_CACRLDIR}"/* 2>/dev/null + + printf '%s\n' "creating ${extd}CA CRL file${norm} for ..." + for type in ${SSH_SIGN_TYPES}; do + cre_crlfile "${type}" || return $? + done + + return 0 +} + + +# === +cre_CAcrlfile () { +( + crlfile="${SSH_CAROOT}/${CACRLFILE}" + + create_empty_file "${crlfile}" && + for type in ${SSH_SIGN_TYPES}; do + ( ${OPENSSL} crl \ + -in "${SSH_CACRLDIR}/${CAKEY_PREFIX}-${type}.crl.pem" \ + -text \ + 2>> "$OPENSSH_LOG" + echo; echo + ) >> "${crlfile}" || exit $? + done + + exit 0 +) +} + + +# === +cre_all () { + cre_crlindir || return $? + + printf '%s' "creating ${extd}CA CRL ${attn}common${norm} ${extd}file${norm} ..." + cre_CAcrlfile; show_status $? +} + + +# === +cre_all; retval=$? + +show_status $retval "${extd}Creating${norm} ${warn}TEST${norm} ${attn}Certificate Authority${norm} CRL files" diff -ruN openssh-3.8p1/tests/CA/config openssh-3.8p1+x509h/tests/CA/config --- openssh-3.8p1/tests/CA/config 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/config 2004-03-20 12:02:17.000000000 +0200 
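Review bot: In `cre_CAcrlfile` the `|| exit $?` after the inner subshell never sees a failure of `${OPENSSL} crl`, because the subshell's exit status is that of the trailing `echo; echo`. A CRL that cannot be read is then silently left out of `${SSH_CAROOT}/${CACRLFILE}`, and the revocation tests run against an incomplete bundle while the script reports success. Chaining the separator onto the command keeps the status: `2>> "$OPENSSH_LOG" && { echo; echo; }`. Separately, `rm -f "${SSH_CACRLDIR}"/*` in `cre_crlindir` expands to `/*` if the variable is ever empty, so a `test -n "${SSH_CACRLDIR}" || return 1` before it is cheap insurance.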
@@ -0,0 +1,164 @@ +# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# DESCRIPTION: OpenSSH CA configuration. +# + + +# === main variables: +# on some system (with pam?, AIX?, when port is below 1024, etc.) we +# might use sudo command to start sshd when current user isn`t root or +# to run tests as root. +# Prefered user for tests is NOT root :-) ! +SUDO= +#SUDO=sudo + + +#Old BSD shells, including the Ultrix `sh', don't accept the colon +#for any shell substitution, and complain and die. +##TMPDIR="${TMPDIR:-/tmp}" + +if test -n "$TMPDIR"; then + if test ! -d "$TMPDIR"; then + echo "error: $TMPDIR is not directory" + exit 1 + fi + if test ! 
-w "$TMPDIR"; then + echo "error: $TMPDIR is not writable" + exit 1 + fi +else + for D in /tmp /var/tmp /usr/tmp; do + test -d $D || continue + test -w $D || continue + TMPDIR=$D + break + done + if test -z "$TMPDIR"; then + echo "error: cannot set TMPDIR" + exit 1 + fi +fi + + +if test -z "${SSH_X509TESTS}"; then +SSH_X509TESTS="\ + blob_auth + dn_auth_file + dn_auth_path + agent + crl + ocsp +" +fi + + +# === openssl: + +if test -z "${OPENSSL}"; then + OPENSSL=`which openssl 2>/dev/null` + if test -z "${OPENSSL}"; then + echo "error:cannot find openssl is your path !" >&2 + exit 1 + fi +fi + +printf 'OpenSSL executable version: ' +"${OPENSSL}" version || exit $? + +# These are the known patent issues with OpenSSL: +# name # expires +# mdc2: 4,908,861 13/03/2007 +# idea: 5,214,703 25/05/2010 +# rc5: 5,724,428 03/03/2015 + +if test -z "${RSA_DIGEST_LIST}"; then + for DIGEST in md5 sha1 md2 md4 rmd160; do + if "${OPENSSL}" dgst -${DIGEST} "${OPENSSL}" >/dev/null 2>&1; then + RSA_DIGEST_LIST="${RSA_DIGEST_LIST} ${DIGEST}" + fi + done +fi +if test -z "${RSA_DIGEST_LIST}"; then + echo "RSA_DIGEST_LIST is empty" >&2 + exit 1 +fi +echo "RSA digest list: ${RSA_DIGEST_LIST}" + + +SSH_SIGN_TYPES="" +for DIGEST in ${RSA_DIGEST_LIST}; do + SSH_SIGN_TYPES="${SSH_SIGN_TYPES} rsa_${DIGEST}" +done + SSH_SIGN_TYPES="${SSH_SIGN_TYPES} dsa" + + +# === server section: + +if test -z "${SSHD_PORT}"; then + SSHD_PORT=20022 +fi + +SSHD_LISTENADDRESS=127.0.0.1 +#SSHD_LISTENADDRESS=::1 + +#"yes" or "no" +SSHSERVER_USEPRIVILEGESEPARATION="yes" + +SSHSERVER_SYSLOGFACILITY=AUTH +SSHSERVER_LOGLEVEL=FATAL +#SSHSERVER_SYSLOGFACILITY=LOCAL3 +#SSHSERVER_LOGLEVEL=DEBUG3 + + +# === certificates: + +KEY_PASS="change_it" +CAKEY_PREFIX="catest" + +SSH_CAROOT="`pwd`/ca-test" +SSH_CAKEYDIR="${SSH_CAROOT}/keys" + +CACERTFILE="catest-bundle.crt" +CACRLFILE="catest-bundle.crl" + +SSH_CACERTDIR="${SSH_CAROOT}/crt" +SSH_CACRLDIR="${SSH_CAROOT}/crl" + +CACONFIG="catest.config" 
+SSH_CACFGFILE="${SSH_CAROOT}/${CACONFIG}" + +SSH_CACERTDAYS=60 + +SSH_DN_C="XX" +SSH_DN_ST="World" +SSH_DN_L="Somewhere" +SSH_DN_O="OpenSSH Test Team" +SSH_DN_OU="OpenSSH Testers" +SSH_DN_EM="email@not.set" + +# OpenSSL OCSP test responders listen on BASE, BASE+1, ... +if test -z "${SSH_VA_BASEPORT}"; then + SSH_VA_BASEPORT=20080 +fi + +# OpenSSL OCSP responder don't use SO_REUSEADDR :-(, so ocsp tests +# must wait socket to close. +SSH_OPENSLL_OCSP_TMOUT=60 diff -ruN openssh-3.8p1/tests/CA/functions openssh-3.8p1+x509h/tests/CA/functions --- openssh-3.8p1/tests/CA/functions 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/functions 2004-02-17 21:23:33.000000000 +0200 
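Review bot: `KEY_PASS="change_it"` is assigned unconditionally, unlike `SSHD_PORT`, `OPENSSL` and `SSH_VA_BASEPORT`, which keep a value supplied by the caller, so every generated test CA key is protected by the same published passphrase. I would wrap it as `if test -z "${KEY_PASS}"; then KEY_PASS="change_it"; fi` and add a comment above the certificates section such as `# Keys and certificates under ca-test/ are test fixtures; never reference them from a production sshd_config.` The name `SSH_OPENSLL_OCSP_TMOUT` also looks like a misspelling of OPENSSL; the scripts that read it are outside this hunk, so confirm they use the same spelling before renaming.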
@@ -0,0 +1,264 @@ +# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# DESCRIPTION: Usefull functions. 
+# + + +# === +# +# define colors and more for echo commands +# +# \033 ascii ESCape +# \033[G move to column (linux console, xterm, not vt100) +# \033[C move columns forward but only upto last column +# \033[D move columns backward but only upto first column +# \033[A move rows up +# \033[B move rows down +# \033[1m switch bold on +# \033[31m switch red on +# \033[32m switch green on +# \033[33m switch yellow on +# \033[m switch color/bold off +# \017 exit alternate mode (xterm, vt100, linux console) +# \033[10m exit alternate mode (linux console) +# \015 carriage return (without newline) +# + +if test -z "${LINES}" -o -z "${COLUMNS}" ; then + eval `stty size 2>/dev/null | (read L C; \ + if test x${L} = x; then L=24; fi; \ + if test x${C} = x; then C=80; fi; \ + echo LINES=${L} COLUMNS=${C} )` +fi +test ${LINES} -eq 0 && LINES=24 +test ${COLUMNS} -eq 0 && COLUMNS=80 +export LINES COLUMNS + +if test "${TERM}" != "dumb" ; then + esc=`printf '\033'` + extd="${esc}[1m" + warn="${esc}[1;31m" + done="${esc}[1;32m" + attn="${esc}[1;34m" + norm=`printf '%s\017' "${esc}[m"` + stat=`printf '\015%s' "${esc}[${COLUMNS}C${esc}[10D"` + + msg_done="${stat}${done}done${norm}" + msg_failed="${stat}${warn}failed${norm}" + +else + esc="" + extd="" + warn="" + done="" + attn="" + norm="" + stat="" + + msg_done="..done" + msg_failed="..failed" + +fi + + +# === +error_file_not_found () { + echo "${warn}file ${attn}${1}${warn} not found${norm}" + return 1 +} + + +# === +error_file_not_readable () { + echo "${warn}file ${attn}${1}${warn} not found or not readable${norm}" + return 1 +} + + +# === +error_dir_not_found () { + echo "${warn}directory ${attn}${1}${warn} not found${norm}" + return 1 +} + + +# === +printSeparator() { + echo "=======================================================================" +} + + +# === +show_status () { + if ! 
test -z "$2"; then + printf '%s' "$2" + fi + if test $1 -eq 0; then + echo "$msg_done" + else + echo "$msg_failed" + fi + return $1 +} + + +# === +getNextFreeName() { + var="$1" + limit="$2" + + if test -z "${limit}"; then + limit=10 + fi + + count=0 + while true; do + test ! -f "${var}${count}" && break + count=`expr ${count} + 1` + if test ${count} -ge ${limit}; then + echo "getNextFreeName: ${warn}limit reached${norm} for file ${attn}${var}${norm}" >&2 + + echo "" + return 33 + fi + done + + echo "${var}${count}" + return 0 +} + + +# === +getNextDirName() { + var="$1" + count=0 + while true; do + test ! -d "${var}.${count}" && break + count=`expr ${count} + 1` + done + if test ${count} -ge 10; then + echo "${warn}please remove ${attn}${var}${warn} backup directories !${norm}" >&2 + return 33 + fi + echo $count + return 0 +} + + +# === +create_empty_file () { + cat /dev/null > "$1" +} + + +# === +update_file () { + var_new="$1" + var_old="$2" + + if test ! -f "${var_old}"; then + printf '%s' "creating file ${attn}${var_old}${norm}" + mv "${var_new}" "${var_old}"; show_status $? + return $? + fi + test -r "${var_new}" || { error_file_not_readable "${var_new}"; return 1; } + + if diff "${var_old}" "${var_new}" >/dev/null 2>&1; then + echo "no changes in ${attn}${var_old}${norm}" + rm -f "${var_new}" + return 0 + fi + + backup=`getNextFreeName "${var_old}."` || return $? + printf '%s' "saving old file as ${attn}${backup}${norm}" + cp -p "${var_old}" "${backup}"; show_status $? || return $? + + printf '%s' "updating file ${attn}${var_old}${norm}" + if test ! -w "${var_old}"; then + chmod u+w "${var_old}" + not_writable="yes" + fi + cat "${var_new}" > "${var_old}"; show_status $? || return $? + if test "$not_writable" = "yes"; then + chmod u-w "${var_old}" + fi + rm -f "${var_new}" + return 0 +} + + +# === +getSSHkeyType () { + identity_file="$1" + if test ! -r "$identity_file"; then + error_file_not_readable "${identity_file}" >&2; return $? 
+ fi + + sshkeytype="unspec" + retval=0 + + sshkeytype=`"${TEST_SSH_SSHKEYGEN}" -f "${identity_file}" -y 2>/dev/null`; retval=$? + if test $retval -ne 0 ; then + echo "${warn}command${norm} ${TEST_SSH_SSHKEYGEN} ${warn}fail${norm}" >&2 + return $retval + fi + echo "${sshkeytype}" | cut -d ' ' -f 1 + return 0 +} + + +# === +getSubject () { + identity_file="$1" +#rest of arguments passed to openssl + + if test ! -r "$identity_file"; then + error_file_not_readable "${identity_file}" >&2 + return 1 + fi + shift + + retval=0 + +#bash bug or ?: when commands are on only one line retval is always zero :-/ !!! +#unix sh don't like local :-) +# local subject=`"${OPENSSL}" x509 -noout -subject -in "${identity_file}" $*`; retval=$? + subject=`"${OPENSSL}" x509 -noout -subject -in "${identity_file}" $* 2>/dev/null`; retval=$? + if test $retval -ne 0 ; then + echo "${warn}cannot get certificate subject${norm}" >&2 + return $retval + fi + echo "$subject" | cut -d ' ' -f 2- +} + + +#=== +creX509AuthorizedKeysFile () { + identity_file="$1" + + sshkeytype=`getSSHkeyType "${identity_file}"` || return $? + subject=`getSubject "${identity_file}"` || return $? + echo "${sshkeytype} subject ${subject}" > "${AUTHORIZEDKEYSFILE}" +} + + +# === +FUNCTIONS_INCLUDED="yes" diff -ruN openssh-3.8p1/tests/CA/Makefile.in openssh-3.8p1+x509h/tests/CA/Makefile.in --- openssh-3.8p1/tests/CA/Makefile.in 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/Makefile.in 2004-03-09 21:37:04.000000000 +0200 
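Review bot: update_file never resets `not_writable`, and because the variable is global to the shell, one call that had to `chmod u+w` a read-only target leaves it at "yes", so every later call ends with `chmod u-w` on a file that was writable before. Start the function with `not_writable="no"` next to the `var_new`/`var_old` assignments. In getSubject the extra openssl arguments are forwarded as unquoted `$*`; `"$@"` after the `shift` would keep arguments that contain spaces intact.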
@@ -0,0 +1,119 @@ +srcdir=@srcdir@ +@OCSP_ON@SSH_OCSP=yes +@OCSP_OFF@SSH_OCSP=no + + +all: + + +clean: + rm -f testhostkey_* + rm -f testid_* + rm -f testocsp_* + rm -fr ca-test/ + rm -f openssh_ca-?.log* + rm -f openssh_ca-3.*.log* + rm -f va-*.log + rm -f sshd_x509.log + +distclean: clean + rm -f Makefile + +# === + +check-certs: ca_files hostkeys identities ocsp_certs crl_files + @echo + $(SHELL) $(srcdir)/openssh_tests.sh + +# === +ca_files: ca-test/catest.config ca-test/catest-bundle.crt + +#user is responsible to recreate X.509 tests files !!! +#ca-test/catest.config: $(srcdir)/config +ca-test/catest.config: + @echo + SSH_OCSP=$(SSH_OCSP) \ + $(SHELL) $(srcdir)/1-cre_cadb.sh + +ca-test/catest-bundle.crt: ca-test/catest.config + @echo + $(SHELL) $(srcdir)/2-cre_cakeys.sh + + +# === +hostkeys: testhostkey_rsa testhostkey_rsa-rsa_md5 testhostkey_dsa testhostkey_dsa-rsa_md5 + +testhostkey_rsa: + @echo + @echo "generating RSA 'hostkey'" + $(TEST_SSH_SSHKEYGEN) -t rsa -b 1024 -f $@ -N "" + +testhostkey_rsa-rsa_md5: testhostkey_rsa ca-test/catest-bundle.crt + @echo + @echo "generating RSA server certificates, keys, etc." + $(SHELL) $(srcdir)/3-cre_certs.sh -f testhostkey_rsa -t server -n "localhost RSA" + +testhostkey_dsa: + @echo + @echo "generating DSA 'hostkey'" + $(TEST_SSH_SSHKEYGEN) -t dsa -b 1024 -f $@ -N "" + +testhostkey_dsa-rsa_md5: testhostkey_dsa ca-test/catest-bundle.crt + @echo + @echo "generating DSA server certificates, keys, etc." + $(SHELL) $(srcdir)/3-cre_certs.sh -f testhostkey_dsa -t server -n "localhost DSA" + + +# === +identities: testid_rsa testid_rsa-rsa_md5 testid_dsa testid_dsa-rsa_md5 + +testid_rsa: + @echo + @echo "generating RSA 'Identity'" + $(TEST_SSH_SSHKEYGEN) -t rsa -b 1024 -f $@ -N "" + +testid_rsa-rsa_md5: testid_rsa ca-test/catest-bundle.crt + @echo + @echo "generating RSA client certificates, keys, etc." 
+ $(SHELL) $(srcdir)/3-cre_certs.sh -f testid_rsa -t client -n "OpenSSH RSA test certificate" + +testid_dsa: + @echo + @echo "generating DSA 'Identity'" + $(TEST_SSH_SSHKEYGEN) -t dsa -b 1024 -f $@ -N "" + +testid_dsa-rsa_md5: testid_dsa ca-test/catest-bundle.crt + @echo + @echo "generating DSA client certificates, keys, etc." + $(SHELL) $(srcdir)/3-cre_certs.sh -f testid_dsa -t client -n "OpenSSH DSA test certificate" + + +# === +@OCSP_OFF@ocsp_certs: +@OCSP_ON@ocsp_certs: testocsp_rsa-rsa_md5.crt testocsp_dsa-rsa_md5.crt + +@OCSP_ON@testocsp_rsa-rsa_md5.crt: testocsp_rsa ca-test/catest-bundle.crt +@OCSP_ON@ @echo; echo "generating RSA ocsp responder certificates." +@OCSP_ON@ SSH_OCSP=$(SSH_OCSP) \ +@OCSP_ON@ $(SHELL) $(srcdir)/3-cre_certs.sh -f testocsp_rsa -t ocsp -n "validator RSA" + +@OCSP_ON@testocsp_rsa: +@OCSP_ON@ @echo; echo "generating RSA 'ocspkey'" +@OCSP_ON@ $(TEST_SSH_SSHKEYGEN) -t rsa -b 1024 -f $@ -N "" + +@OCSP_ON@testocsp_dsa-rsa_md5.crt: testocsp_dsa ca-test/catest-bundle.crt +@OCSP_ON@ @echo; echo "generating DSA ocsp responder certificates." +@OCSP_ON@ SSH_OCSP=$(SSH_OCSP) \ +@OCSP_ON@ $(SHELL) $(srcdir)/3-cre_certs.sh -f testocsp_dsa -t ocsp -n "validator DSA" + +@OCSP_ON@testocsp_dsa: +@OCSP_ON@ @echo; echo "generating DSA 'ocspkey'" +@OCSP_ON@ $(TEST_SSH_SSHKEYGEN) -t dsa -b 1024 -f $@ -N "" + + +# === +crl_files: ca-test/catest-bundle.crl + +ca-test/catest-bundle.crl: testid_rsa-rsa_md5 testid_dsa-rsa_md5 + @echo + $(SHELL) $(srcdir)/4-cre_crls.sh diff -ruN openssh-3.8p1/tests/CA/openssh_tests.sh openssh-3.8p1+x509h/tests/CA/openssh_tests.sh --- openssh-3.8p1/tests/CA/openssh_tests.sh 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/openssh_tests.sh 2004-03-20 11:42:40.000000000 +0200 
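Review bot: The key-generation recipes (testhostkey_rsa, testhostkey_dsa, testid_rsa, testid_dsa and the testocsp_* targets) start with `$(TEST_SSH_SSHKEYGEN)`, which this Makefile.in neither defines nor checks. If it is empty the expanded line begins with `-t rsa …`, and GNU make reads a leading `-` as the ignore-errors prefix, so as far as I can tell the failing command is ignored and the target is treated as built without a key being produced. A guard line at the top of each of these recipes, `@test -n "$(TEST_SSH_SSHKEYGEN)" || { echo "TEST_SSH_SSHKEYGEN is not set" >&2; exit 1; }`, makes the failure explicit.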
@@ -0,0 +1,351 @@ +#!/bin/sh +# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# DESCRIPTION: Test OpenSSH client and server with x509 certificates. +# + + +CWD=`pwd` +SCRIPTDIR=`echo $0 | sed 's/openssh_tests.sh//'` +. "${SCRIPTDIR}shell.rc" +. "${SCRIPTDIR}functions" +. 
"${SCRIPTDIR}config" + +test "x$TEST_SSH_SSH" = "x" && { echo "${warn}Please define ${attn}TEST_SSH_SSH${norm}" ; exit 1; } +test "x$TEST_SSH_SSHD" = "x" && { echo "${warn}Please define ${attn}TEST_SSH_SSHD${norm}" ; exit 1; } +test "x$TEST_SSH_SSHAGENT" = "x" && { echo "${warn}Please define ${attn}TEST_SSH_SSHAGENT${norm}" ; exit 1; } +test "x$TEST_SSH_SSHADD" = "x" && { echo "${warn}Please define ${attn}TEST_SSH_SSHADD${norm}" ; exit 1; } +#TEST_SSH_SSHKEYSCAN +#TEST_SSH_SFTP +#TEST_SSH_SFTPSERVER + + +SSHD_LOG="${CWD}/sshd_x509.log" +SSHD_PID="${CWD}/.sshd_x509.pid" +SSHD_CFG="${CWD}/sshd_config-certTests" +SSH_CFG="${CWD}/ssh_config-certTests" + +SSH_ERRLOG="${CWD}/.ssh_x509.err.log" +SSH_REPLY="${CWD}/.ssh_x509.reply" +SSH_EXTRA_OPTIONS="" + + +TEST_SSH_CLIENTKEYS="\ + testid_rsa + testid_dsa +" + +#OpenSSL OCSP limitation: only rsa keys +#TEST_OCSP_RESPKEYS="\ +# testocsp_rsa +# testocsp_dsa +#" +TEST_OCSP_RESPKEYS="testocsp_rsa" + +#TEST_SSHD_HOSTKEY="${CWD}/testhostkey_rsa-rsa_md5" +TEST_SSHD_HOSTKEY="${CWD}/testhostkey_rsa" + + +USERDIR="${HOME}/.ssh" +if test ! 
-d "${USERDIR}"; then + mkdir "${USERDIR}" || exit 1 + chmod 700 "${USERDIR}" || exit 1 +fi + +AUTHORIZEDKEYSFILE="${USERDIR}/authorized_keys-certTests" +USERKNOWNHOSTSFILE="${USERDIR}/known_hosts-certTests" + + +# === +# remove unsupported tests + +cat > "$SSHD_CFG" < "${SSHD_LOG}" 2>&1 +if grep 'Unsupported.*CACertificateFile' "${SSHD_LOG}" > /dev/null; then + SSH_X509STORE_DISABLED="yes" +else + SSH_X509STORE_DISABLED="no" +fi +if grep 'Unsupported.*VAType' "${SSHD_LOG}" > /dev/null; then + SSH_OCSP_ENABLED="no" +else + SSH_OCSP_ENABLED="yes" +fi + +echo SSH_X509STORE_DISABLED=${SSH_X509STORE_DISABLED} +if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + SSH_X509TESTS=`echo "${SSH_X509TESTS}" | \ + sed \ + -e 's|dn_auth_file||g' \ + -e 's|dn_auth_path||g' \ + -e 's|crl||g'` +fi +echo SSH_OCSP_ENABLED=${SSH_OCSP_ENABLED} +if test "x${SSH_OCSP_ENABLED}" = "xno"; then + SSH_X509TESTS=`echo "${SSH_X509TESTS}" | sed -e 's|ocsp||g'` +fi +echo SSH_X509TESTS=$SSH_X509TESTS + + +# === +runSSHdaemon() { + echo "=======================================================================" >> "${SSHD_LOG}" + + if test -f "${SSHD_PID}"; then + echo "${warn}sshd pid file exist!${norm}" >&2 + fi + + #NOTES: + #- without -d option sshd run in daemon mode and this command always return 0 !!! + #- bug or ?: with option -e no log to stderr in daemon mode + $SUDO "$TEST_SSH_SSHD" -f "${SSHD_CFG}" \ + -o PidFile="${SSHD_PID}" \ + -o SyslogFacility="${SSHSERVER_SYSLOGFACILITY}" \ + -o LogLevel="${SSHSERVER_LOGLEVEL}" \ + >> "${SSHD_LOG}" 2>&1 + + sleep 3 + if test ! -f "${SSHD_PID}"; then + printf "${warn}cannot start sshd:${norm} " >&2 + error_file_not_readable "${SSHD_PID}" + return 33 + fi +} + + +# === +killSSHdaemon() { +( + $SUDO kill `cat "${SSHD_PID}" 2>/dev/null` > /dev/null 2>&1 + K=0 + while test $K -le 9; do + if test ! 
-f "${SSHD_PID}"; then + break + fi + sleep 1 + K=`expr $K + 1` + done + rm -f "${SSHD_CFG}" + if test -f "${SSHD_PID}"; then + $SUDO kill -9 `cat "${SSHD_PID}" 2>/dev/null` > /dev/null 2>&1 + sleep 1 + $SUDO rm -f "${SSHD_PID}" > /dev/null 2>&1 + fi + exit 0 +) +} + + +# === +testEND() { + ( echo + echo "*=- The END -=*" + ) >> "${SSHD_LOG}" + + rm -f "${SSH_ERRLOG}" + rm -f "${SSH_REPLY}" + rm -f "${AUTHORIZEDKEYSFILE}" + rm -f "${USERKNOWNHOSTSFILE}" + rm -f "${SSH_CFG}" +} + +testBREAK() { + ( echo + echo "*=- BREAK -=*" + ) >> "${SSHD_LOG}" + killSSHdaemon +} + +trap testBREAK INT QUIT ABRT KILL TERM || exit 1 +trap testEND EXIT || exit 1 + + +# === +creTestSSHDcfgFile() { + cat > "${SSHD_CFG}" < "${SSH_CFG}" <> "${SSH_CFG}" < "${SSH_ERRLOG}" > "${SSH_REPLY}"; retval=$? + + if test "x$must_fail" = "x1"; then + if test $retval -ne 0; then + retval=0 + else + retval=1 + fi + fi + + show_status $retval + if test $retval -ne 0; then + printf '%s' "${warn}" + cat "${SSH_ERRLOG}"; printf '%s' "${norm}" + else + if test "x$must_fail" = "x1"; then + if ! fgrep 'Permission denied (publickey)' "${SSH_ERRLOG}" > /dev/null; then + retval=33 + printf '%s' "${warn}" + else + printf '%s' "${done}" + fi + cat "${SSH_ERRLOG}"; printf '%s' "${norm}" + else + if ! fgrep "$msg" "${SSH_REPLY}" > /dev/null; then + retval=33 + printf '%s' "${warn}" + cat "${SSH_REPLY}"; printf '%s' "${norm}" + fi + fi + fi + + exit $retval +) +} + + +# === +do_all () { + printf '%s' "" > "${AUTHORIZEDKEYSFILE}" + chmod 644 "${AUTHORIZEDKEYSFILE}" || return $? + + printf '%s' "" > "${SSHD_LOG}" + if test ! -f "${TEST_SSHD_HOSTKEY}"; then + "$TEST_SSH_SSHKEYGEN" -t rsa -f "${TEST_SSHD_HOSTKEY}" -N "" + fi + if test ! 
-f "${TEST_SSHD_HOSTKEY}.pub"; then + echo "${warn}Public host file ${attn}${TEST_SSHD_HOSTKEY}.pub${warn} not found !${norm}" + return 3 + fi + ( printf '%s' "${SSHD_LISTENADDRESS} " + cat "${TEST_SSHD_HOSTKEY}.pub" + ) > "${USERKNOWNHOSTSFILE}" + chmod 644 "${USERKNOWNHOSTSFILE}" || return $? + + # call the test scripts + for LTEST in ${SSH_X509TESTS}; do + ( + echo + echo "using: ${attn}${SCRIPTDIR}test-${LTEST}.sh.inc${norm}" + . ${SCRIPTDIR}test-${LTEST}.sh.inc && + do_test + ) || return $? + done + + printSeparator + return 0 +} + + +# === +echo +printSeparator +echo "${extd}Testing OpenSSH client and server with certificates:${norm}" +printSeparator + +do_all; retval=$? + +echo +printSeparator +echo "${extd}Testing OpenSSH client and server with certificates finished.${norm}" +show_status $retval " ${extd}status${norm}:" +printSeparator +echo + +exit $retval diff -ruN openssh-3.8p1/tests/CA/shell.rc openssh-3.8p1+x509h/tests/CA/shell.rc --- openssh-3.8p1/tests/CA/shell.rc 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/shell.rc 2004-02-14 22:16:21.000000000 +0200 
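Review bot: runSSHdaemon only warns when `${SSHD_PID}` already exists and then uses the presence of that same file as its proof that sshd started, so a stale pid file from an interrupted run makes a failed start look successful, and killSSHdaemon later sends `kill` and then `kill -9` (through `$SUDO` when it is set) to whatever process now owns that pid. I would make the existing check fatal by adding `return 33` after the warning, or remove the stale file before starting sshd. The trap list also names `KILL`, which cannot be caught, and `"$TEST_SSH_SSHKEYGEN"` is used in do_all without the `Please define` check applied to the other TEST_SSH_* variables. Several here-documents in this hunk are missing from the rendered page, so the generated sshd and ssh config bodies could not be reviewed.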
@@ -0,0 +1,55 @@
+# Copyright (c) 2003-2004 Roumen Petrov, Sofia, Bulgaria
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# DESCRIPTION: Shell settings.
+#
+
+
+# === zsh:
+if test -n "$ZSH_NAME"; then
+ unsetopt NOMATCH
+ # NOMATCH (+3)
+ # If a pattern for filename generation has no matches, print an
+ # error, instead of leaving it unchanged in the argument list. This
+ # also applies to file expansion of an initial `~' or `='.
+ # Check results from sample script:
+ # #!/bin/zsh
+ # for F in *notfound; do
+ # echo F=$F
+ # done
+
+ setopt SH_WORD_SPLIT
+ # SH_WORD_SPLIT (-y)
+ # Causes field splitting to be performed on unquoted parameter
+ # expansions. Note that this option has nothing to do with word
+ # splitting.
+ # Check results from sample script:
+ # #!/bin/zsh
+ # VAR="
+ # v1
+ # v2
+ # "
+ # for V in ${VAR}; do
+ # echo V=$V
+ # done
+fi
+
+
+# ===
diff -ruN openssh-3.8p1/tests/CA/test-agent.sh.inc openssh-3.8p1+x509h/tests/CA/test-agent.sh.inc
--- openssh-3.8p1/tests/CA/test-agent.sh.inc 1970-01-01 02:00:00.000000000 +0200
+++ openssh-3.8p1+x509h/tests/CA/test-agent.sh.inc 2004-03-09 08:52:32.000000000 +0200
@@ -0,0 +1,156 @@ +# +# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria +# All rights reserved. +# +# Redistribution and use of this script, with or without modification, is +# permitted provided that the following conditions are met: +# +# 1. Redistributions of this script must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED +# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO +# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; +# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, +# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR +# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF +# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +# DESCRIPTION: Test OpenSSH client authentication: +# - add a key to agent; +# - list agent keys; +# - try to connect with key from agent; +# - remove the key from agent. +# + + +# === +#env. vars: +# SSH_CLIENTKEY +# type +testAgent () { + identity_file="${SSH_CLIENTKEY}-${type}" + if test ! -r "${identity_file}"; then + error_file_not_readable "${identity_file}"; return $? + fi + + ( + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + cat "${identity_file}.pub" + else + sshkeytype=`getSSHkeyType "${identity_file}"` || exit $? + subject=`getSubject "${identity_file}"` || exit $? + + echo "${sshkeytype} Subject: ${subject}" + fi + ) > "${AUTHORIZEDKEYSFILE}" || return $? 
+ +( +killAgent () { + "${TEST_SSH_SSHAGENT}" -k > /dev/null + sleep 1 + exit $1 +} + +checkEmptyListResponse () { + case $1 in + 1) return 0;; + 0) killAgent 99;; + *) killAgent $1;; + esac + return 33 +} + +showAgentMsg() { + show_status $1 "$2" + if test $1 -ne 0; then + printf '%s' "${warn}" + cat "${SSH_ERRLOG}" + printf '%s' "${norm}" + if test $1 -ne 2; then + killAgent $1 + fi + exit $1 + fi + + if test "x$3" != "x"; then + printf '%s' "${done}" + cat "$3" + printf '%s' "${norm}" + fi + return 0 +} + + eval `"${TEST_SSH_SSHAGENT}"` > /dev/null + + "${TEST_SSH_SSHADD}" -L >/dev/null; checkEmptyListResponse $? + + "${TEST_SSH_SSHADD}" "${identity_file}" 2> "${SSH_ERRLOG}" > "${SSH_REPLY}"; \ + showAgentMsg $? " add identity ${extd}${SSH_CLIENTKEY}-${attn}${type}${norm} to agent ..." + + "${TEST_SSH_SSHADD}" -L 2> "${SSH_ERRLOG}" > "${SSH_REPLY}"; \ + retval=$? + if test $retval -ne 0; then + showAgentMsg ${retval} + else + printf " ${done}-${norm} " + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + printf '%s.......\n' "`cut -c -60 \"${SSH_REPLY}\"`" + else + cat "${SSH_REPLY}" + fi + fi + + runTest "${type}" \ + "use-only-key-from-agent" \ + "key from agent ..." || + killAgent $? + + "${TEST_SSH_SSHADD}" -d "${identity_file}".pub \ + 2> "${SSH_ERRLOG}" > "${SSH_REPLY}"; \ + showAgentMsg $? " remove identity ${extd}${SSH_CLIENTKEY}-${attn}${type}${norm} from agent ..." + + "${TEST_SSH_SSHADD}" -L > /dev/null; checkEmptyListResponse $? + + killAgent 0 +) +} + + +# === + +do_test () { + retval=0 + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + echo "* ${extd}with x509 identity from ${attn}agent${norm}:" + else + echo "* ${extd}against ${attn}CACertificateFile${norm} and x509 identity from ${attn}agent${norm}:" + fi + + creTestSSHDcfgFile + if test "x${SSH_X509STORE_DISABLED}" != "xyes"; then + cat >> "$SSHD_CFG" </dev/null > "${AUTHORIZEDKEYSFILE}" || return $? + runTest "${type}" "${identity_file}"\ + "${extd}valid${norm} blob" || return $? 
+ + blob=`cat "${AUTHORIZEDKEYSFILE}"` + echo $blob | cut -c 1-50 > "${AUTHORIZEDKEYSFILE}" + runTest "${type}" "${identity_file}"\ + "${warn}invalid${norm} blob" "Yes" || return $? +} + + +# === + +do_test () { + retval=0 + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + echo "* ${extd}with autorization by x509 ${attn}blob${norm}:" + else + echo "* ${extd}against ${attn}CACertificateFile${norm} and autorization by x509 ${attn}blob${norm}:" + fi + + creTestSSHDcfgFile + if test "x${SSH_X509STORE_DISABLED}" != "xyes"; then + cat >> "$SSHD_CFG" <> "$SSHD_CFG" <> "$SSHD_CFG" <> "$SSHD_CFG" < /dev/null + FILE="${SSH_CACRLDIR}/${CAKEY_PREFIX}-${crltype}.crl.pem" + HASH=`${OPENSSL} crl -out /dev/null -in "${FILE}" -hash`; retval=$? + if test ${retval} -eq 0; then + hashfile="${CRL_TEST_DIR}/${HASH}.r0" + ln -s "${FILE}" "${hashfile}" + #link might never fail :-( + test -h "${hashfile}"; retval=$? + fi + #printf "${norm}" + show_status ${retval} || return $? + + ( + for type in ${SSH_SIGN_TYPES}; do + for SSH_CLIENTKEY in ${TEST_SSH_CLIENTKEYS}; do + identity_file="${SSH_CLIENTKEY}-${type}-revoked" + + creX509AuthorizedKeysFile "${identity_file}" || exit $? + + if test "${type}" = "${crltype}"; then + runTest "${SSH_CLIENTKEY}-${warn}${type}-revoked${norm}" \ + "${identity_file}" "" "Yes" + else + runTest "${identity_file}" \ + "${identity_file}" "" "" + fi || exit $? + done + done + exit 0 + ); retval=$? + + if test ${retval} -eq 0; then + rm -f "${hashfile}"; retval=$? + else + rm -f "${hashfile}" + fi + return ${retval} +} + + +#=== +test_onlyonecrl () { + retval=0 + CRL_TEST_DIR="${SSH_CAROOT}/crl-test" + + printSeparator + echo "Check ${extd}revoked${norm} with only ${attn}one CRL${norm} file in ${attn}CARevocationPath${norm} ..." + + mkdir -p "${CRL_TEST_DIR}" || return $? + + creTestSSHDcfgFile + cat >> "$SSHD_CFG" < /dev/null + if test ${retval} -eq 0; then + rmdir "${CRL_TEST_DIR}"; retval=$? 
+ else + rmdir "${CRL_TEST_DIR}" + fi + return ${retval} +} + + +#=== + +do_test () { + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + echo "* ${extd}X.509 store${norm} is ${attn}disabled${norm}" + return 1 + fi + echo "* ${extd}against ${attn}CA CRL${norm} file and/or hash-dir:" + + test_nocrl && + test_crlfile && + test_crldir && + test_onlyonecrl +} diff -ruN openssh-3.8p1/tests/CA/test-dn_auth_file.sh.inc openssh-3.8p1+x509h/tests/CA/test-dn_auth_file.sh.inc --- openssh-3.8p1/tests/CA/test-dn_auth_file.sh.inc 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/test-dn_auth_file.sh.inc 2004-03-09 08:51:13.000000000 +0200 
@@ -0,0 +1,119 @@
+#
+# Copyright (c) 2002-2004 Roumen Petrov, Sofia, Bulgaria
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# DESCRIPTION: Test OpenSSH client authentication:
+# - "IdentityFile" contain private key and x509 certificate;
+# - "AuthorizedKeysFile" contain certificate "Distinguished Name"/
+# "Subject" in varios formats.
+#
+
+
+# ===
+#env. vars:
+# SSH_CLIENTKEY
+# type
+testDNautorizations1 () {
+ identity_file="${SSH_CLIENTKEY}-${type}"
+ if test ! -r "$identity_file"; then
+ error_file_not_readable "${identity_file}"; return $?
+ fi
+
+ sshkeytype=`getSSHkeyType "${identity_file}"` || return $?
+ subject=`getSubject "${identity_file}"` || return $?
+
+ for subtype in \
+ "Subject:" \
+ "SuBjecT=" \
+ "sUbjecT" \
+ "diStinguished name:" \
+ "distiNguished-nAme:" \
+ "distinguiShed_naMe:" \
+ "disTinguishednamE:" \
+ "dN:" \
+ ; do
+ echo "${sshkeytype} ${subtype} ${subject}" > "${AUTHORIZEDKEYSFILE}"
+ runTest "${type} ${subtype}" "${identity_file}" "" || return $?
+ done + + subtype="subject" + subject=`getSubject "${identity_file}" -nameopt RFC2253` || return $? + echo "${sshkeytype} ${subtype} ${subject}" > "${AUTHORIZEDKEYSFILE}" + runTest "${type} ${subtype} in ${attn}RFC2253${norm} format" "${identity_file}" "" || return $? + + echo "${sshkeytype} ${subtype} ${subject}" | sed -e 's/,/\//'> "${AUTHORIZEDKEYSFILE}" + runTest "${type} ${subtype} and mixed item-separator symbol" "${identity_file}" "" || return $? + + for subtype in \ + "Invalid" \ + "Subject-" \ + ; do + echo "${sshkeytype} ${subtype} ${subject}" > "${AUTHORIZEDKEYSFILE}" + runTest "${type} ${warn}${subtype}${norm}" "${identity_file}" \ + "autorization type" "Yes" || return $? + done + + subtype="Subject" + printf "${sshkeytype} ${subtype}," > "${AUTHORIZEDKEYSFILE}" + runTest "${type} ${warn}empty${norm} ${subtype}" "${identity_file}" \ + "" "Yes" || return $? + + subtype="Subject" + ( printf "${sshkeytype} ${subtype}" + echo "${subject}" | cut -c -40 + ) > "${AUTHORIZEDKEYSFILE}" + runTest "${type} ${warn}invalid${norm} ${subtype}" "${identity_file}" \ + "" "Yes" || return $? + + return 0 +} + + +# === + +do_test () { + if test "x${SSH_X509STORE_DISABLED}" = "xyes"; then + echo "* ${extd}X.509 store${norm} is ${attn}disabled${norm}" + return 1 + fi + echo "* ${extd}against ${attn}CACertificateFile${norm} and autorization by x509 ${attn}'Distinguished Name'${norm}:" + + creTestSSHDcfgFile + cat >> "$SSHD_CFG" <> "$SSHD_CFG" </dev/null + + for catype in ${SSH_SIGN_TYPES}; do + F="${SSH_CACERTDIR}/${CAKEY_PREFIX}-${catype}.crt.pem" + HASH=`$OPENSSL x509 -in "${F}" -noout -hash` + ( cd "${CRT_TEST_DIR}" || exit $? + ln -s "${F}" "$HASH.0" + #link might never fail :-( + test -h "$HASH.0" + ) && + do_test_catype; retval=$? + rm -f "${CRT_TEST_DIR}/$HASH.0" + if test $retval -ne 0; then + break + fi + done + + rmdir "${CRT_TEST_DIR}" + if test $retval -ne 0; then + exit $retval + fi + done + + exit 0 + ); retval=$? 
+ killSSHdaemon + return $retval +} diff -ruN openssh-3.8p1/tests/CA/test-ocsp.sh.inc openssh-3.8p1+x509h/tests/CA/test-ocsp.sh.inc --- openssh-3.8p1/tests/CA/test-ocsp.sh.inc 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/tests/CA/test-ocsp.sh.inc 2004-03-20 12:01:13.000000000 +0200 
@@ -0,0 +1,255 @@
+#
+# Copyright (c) 2004 Roumen Petrov, Sofia, Bulgaria
+# All rights reserved.
+#
+# Redistribution and use of this script, with or without modification, is
+# permitted provided that the following conditions are met:
+#
+# 1. Redistributions of this script must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO
+# EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+# DESCRIPTION: Test OpenSSH client authentication:
+# - "IdentityFile" contain private key and x509 certificate;
+# - "AuthorizedKeysFile" contain certificate Subject;
+# - validation against:
+# - OCSP provider from certificate
+# - specified in configuration OCSP provider
+# - TODO:specified OCSP provider with revoked provider certificate
+# Note:
+# Due OpenSSL limitation no one of tests start OCSP provider with dsa key.
+#
+
+
+# ===
+openssl_ocsp_tmout() {
+(
+ if test -z "${SSH_OPENSLL_OCSP_TMOUT}"; then
+ sleep 1
+ exit 0
+ fi
+
+ count=${SSH_OPENSLL_OCSP_TMOUT}
+ echo "OpenSSL OCSP responder socket timeout ${count}[sec.]" >&2
+ while test ${count} -gt 0; do
+ printf 'O'
+ sleep 1
+ count=`expr ${count} - 1`
+ done
+ printf 'X\n'
+)
+}
+
+
+# ===
+killResponders() {
+(
+ if test -z "${SSH_OPENSLL_OCSP_TMOUT}"; then
+ (
+ has=""
+ for pidfile in va-*.pid; do
+ if test -r "${pidfile}"; then
+ kill `cat "${pidfile}"` > /dev/null 2>&1
+ has="yes"
+ fi
+ done
+ if test -n "${has}"; then
+ openssl_ocsp_tmout
+ fi
+ )
+ fi
+ (
+ has=""
+ for pidfile in va-*.pid; do
+ if test -r "${pidfile}"; then
+ kill -9 `cat "${pidfile}"` > /dev/null 2>&1
+ rm -f "${pidfile}"
+ has="yes"
+ fi
+ done
+ if test -n "${has}"; then
+ openssl_ocsp_tmout
+ fi
+ )
+ :
+)
+}
+
+
+# ===
+OCSPtestBREAK() {
+ echo
+ killResponders
+ testBREAK
+}
+
+trap OCSPtestBREAK INT QUIT ABRT KILL TERM || exit 1
+
+
+# ===
+#args:
+# $1 - port
+#env. vars:
+# OCSP_RESPKEY
+# type
+runResponder() {
+(
+ port=$1
+
+ pidfile="va-${port}.pid"
+ test -r "${pidfile}" && exit 1
+
+ printf ' %s' "starting OCSP ${extd}responder${norm}(${attn}${type}${norm}) on ${attn}${SSHD_LISTENADDRESS}:${port}${norm}"
+ (
+ ${OPENSSL} ocsp \
+ -CA "${SSH_CACERTDIR}/${CAKEY_PREFIX}-${type}.crt.pem" \
+ -rsigner "${OCSP_RESPKEY}-${type}.crt" \
+ -rkey "${OCSP_RESPKEY}" \
+ -index "${SSH_CAROOT}/index-${type}.txt" \
+ -host ${SSHD_LISTENADDRESS} \
+ -port ${port} 2> va-${type}.log &
+ pid=$!
+ echo ${pid} > "${pidfile}"
+ wait ${pid}
+ rm -f "${pidfile}"
+ ) 2> /dev/null &
+
+ sleep 1
+ test -r "${pidfile}"; show_status $?
+)
+}
+
+
+# ===
+test_ocsp_cert () {
+(
+ printSeparator
+ echo "Begin test ${extd}against${norm} OCSP provider from ${attn}certificate${norm} ..."
+
+ retval=1
+ for OCSP_RESPKEY in ${TEST_OCSP_RESPKEYS}; do
+ printSeparator
+ echo " respoder key base ${attn}${OCSP_RESPKEY}${norm} ..."
+ + creTestSSHDcfgFile + cat >> "$SSHD_CFG" <> "$SSHD_CFG" <current_cert), buf, sizeof(buf)); + error("ssh_x509store_cb: subject='%.512s', error %d at %d depth lookup:%.200s", + buf, + ctx->error, + ctx->error_depth, + X509_verify_cert_error_string(ctx->error)); + +#if 0 + if (ctx->error == X509_V_ERR_CERT_HAS_EXPIRED) ok=1; + /* since we are just checking the certificates, it is + * ok if they are self signed. But we should still warn + * the user. + */ + if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; + /* Continue after extension errors too */ + if (ctx->error == X509_V_ERR_INVALID_CA) ok=1; + if (ctx->error == X509_V_ERR_PATH_LENGTH_EXCEEDED) ok=1; + if (ctx->error == X509_V_ERR_INVALID_PURPOSE) ok=1; + if (ctx->error == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) ok=1; +#endif + } +#ifdef SSH_CHECK_REVOKED + if (ok) { + ok = ssh_x509revoked_cb(ok, ctx); + } +#endif + return(ok); +} +#endif /*ndef SSH_X509STORE_DISABLED*/ + + +typedef struct { + const char **synonyms; +} CertPurposes; + + +static const char *__purpose_any[] = { + "any", "any purpose", "any_purpose", "anypurpose", NULL +}; + + +static const char *__purpose_sslclient[] = { + "sslclient", "ssl client", "ssl_client", "client", NULL +}; + + +static const char *__purpose_sslserver[] = { + "sslserver", "ssl server", "ssl_server", "server", NULL +}; + + +static CertPurposes +sslclient_purposes[] = { + { __purpose_sslclient }, + { __purpose_any }, + { NULL } +}; + + +static CertPurposes +sslserver_purposes [] = { + { __purpose_sslserver }, + { __purpose_any }, + { NULL } +}; + + +static const char* +get_cert_purpose(const char* _purpose_synonym, CertPurposes *_purposes) { + int i; + + for (i = 0; _purposes[i].synonyms; i++) { + const char *q = _purposes[i].synonyms[0]; + if (strcasecmp(_purpose_synonym, q) == 0 ) { + return(q); + } else { + const char **p; + for (p = (_purposes[i].synonyms) + 1; *p; p++) { + if (strcasecmp(_purpose_synonym, *p) == 0 ) { + return(q); + } + } + } + } + 
return(NULL); +} + + + +int +ssh_get_default_x509purpose(int _is_server) { + return(ssh_get_x509purpose_s(_is_server, + (_is_server ? __purpose_sslclient[0] : __purpose_sslserver[0]))); +} + + +int +ssh_get_x509purpose_s(int _is_server, const char* _purpose_synonym) { + const char * sslpurpose; + + sslpurpose = get_cert_purpose(_purpose_synonym, + (_is_server ? sslclient_purposes : sslserver_purposes)); + if (sslpurpose != NULL) { + int purpose_index = X509_PURPOSE_get_by_sname((char*)sslpurpose); + if (purpose_index < 0) + fatal( "ssh_get_x509purpose_s(%.10s): " + "X509_PURPOSE_get_by_sname fail for argument '%.30s(%.40s)'", + (_is_server ? "server" : "client"), + sslpurpose, _purpose_synonym); + return(purpose_index); + } + return(-1); +} + + +void +ssh_set_x509purpose(int _is_server, int _sshpurpose_index) { + sshpurpose.is_server = _is_server; + sshpurpose.index = _sshpurpose_index; +} + + +#ifndef SSH_X509STORE_DISABLED +static void +ssh_x509store_initcontext(void) { + if (x509store == NULL) { + x509store = X509_STORE_new(); + if (x509store == NULL) { + fatal("cannot create x509store context"); + } + X509_STORE_set_verify_cb_func(x509store, ssh_x509store_cb); + } +#ifdef SSH_CHECK_REVOKED + if (x509revoked == NULL) { + x509revoked = X509_STORE_new(); + if (x509revoked == NULL) { + fatal("cannot create x509revoced context"); + } + } +#endif +} + + +int +ssh_x509store_addlocations(const X509StoreOptions *_locations) { + int flag = 0, flag2 = 0; + + if (_locations == NULL) { + error("ssh_x509store_addlocations: _locations is NULL"); + return(0); + } + if ((_locations->certificate_path == NULL) && + (_locations->certificate_file == NULL)) { + error("ssh_x509store_addlocations: certificate path and file are NULLs"); + return(0); + } +#ifdef SSH_CHECK_REVOKED + if ((_locations->revocation_path == NULL) && + (_locations->revocation_file == NULL)) { + error("ssh_x509store_addlocations: revocation path and file are NULLs"); + return(0); + } +#endif + 
ssh_x509store_initcontext(); + /* + * Note: + * After X509_LOOKUP_{add_dir|load_file} calls we must call + * ERR_clear_error() otherwise when the first call to + * X509_LOOKUP_XXXX fail the second call fail too ! + */ + if (_locations->certificate_path != NULL) { + X509_LOOKUP *lookup = X509_STORE_add_lookup(x509store, X509_LOOKUP_hash_dir()); + if (lookup == NULL) { + fatal("ssh_x509store_addlocations:cannot add hash dir lookup !"); + return(0); /* ;-) */ + } + if (X509_LOOKUP_add_dir(lookup, _locations->certificate_path, X509_FILETYPE_PEM)) { + debug2("hash dir '%.400s' added to x509 store", _locations->certificate_path); + flag = 1; + } + ERR_clear_error(); + } + if (_locations->certificate_file != NULL) { + X509_LOOKUP *lookup = X509_STORE_add_lookup(x509store, X509_LOOKUP_file()); + if (lookup == NULL) { + fatal("ssh_x509store_addlocations:cannot add file lookup !"); + return(0); /* ;-) */ + } + if (X509_LOOKUP_load_file(lookup, _locations->certificate_file, X509_FILETYPE_PEM)) { + debug2("file '%.400s' added to x509 store", _locations->certificate_file); + flag = 1; + } + ERR_clear_error(); + } +#ifdef SSH_CHECK_REVOKED + if (_locations->revocation_path != NULL) { + X509_LOOKUP *lookup = X509_STORE_add_lookup(x509revoked, X509_LOOKUP_hash_dir()); + if (lookup == NULL) { + fatal("ssh_x509store_addlocations:cannot add hash dir revocation lookup !"); + return(0); /* ;-) */ + } + if (X509_LOOKUP_add_dir(lookup, _locations->revocation_path, X509_FILETYPE_PEM)) { + debug2("hash dir '%.400s' added to x509 revocation store", _locations->revocation_path); + flag2 = 1; + } + ERR_clear_error(); + } + if (_locations->revocation_file != NULL) { + X509_LOOKUP *lookup = X509_STORE_add_lookup(x509revoked, X509_LOOKUP_file()); + if (lookup == NULL) { + fatal("ssh_x509store_addlocations:cannot add file revocation lookup !"); + return(0); /* ;-) */ + } + if (X509_LOOKUP_load_file(lookup, _locations->revocation_file, X509_FILETYPE_PEM)) { + debug2("file '%.400s' added to x509 
revocation store", _locations->revocation_file); + flag2 = 1; + } + ERR_clear_error(); + } +#else + flag2 = 1; +#endif + return(flag && flag2); +} + + +static int +ssh_verify_cert(X509_STORE_CTX *_csc, X509 *_cert) { + X509_STORE_CTX_init(_csc, x509store, _cert, NULL); + + if (sshpurpose.index >= 0) { + int def_purpose = ( sshpurpose.is_server + ? X509_PURPOSE_SSL_CLIENT + : X509_PURPOSE_SSL_SERVER + ); + X509_PURPOSE *xptmp = X509_PURPOSE_get0(sshpurpose.index); + int purpose, flag; + if (xptmp == NULL) { + fatal("ssh_verify_cert: cannot get purpose from index"); + return(-1); /* ;-) */ + } + purpose = X509_PURPOSE_get_id(xptmp); + flag = X509_STORE_CTX_purpose_inherit(_csc, def_purpose, purpose, 0); + if (flag <= 0) { + /* + * By default openssl applications don't check return code from + * X509_STORE_CTX_set_purpose or X509_STORE_CTX_purpose_inherit. + * + * Both methods return 0 (zero) and don't change purpose in context when: + * -X509_STORE_CTX_set_purpose(...) + * purpose is X509_PURPOSE_ANY + * -X509_STORE_CTX_purpose_inherit(...) + * purpose is X509_PURPOSE_ANY and default purpose is zero (!) + * + * Take note when purpose is "any" check method in current + * OpenSSL code just return 1. This openssl behavior is same + * as ssh option "AllowedCertPurpose=skip". 
+ */ + int ecode; + char ebuf[256]; + + ecode = X509_STORE_CTX_get_error(_csc); + error("ssh_verify_cert: context purpose error, code=%d, msg='%.200s'" + , ecode + , X509_verify_cert_error_string(ecode)); + + ecode = ERR_get_error(); + ERR_error_string_n(ecode, ebuf, sizeof(ebuf)); + error("ssh_verify_cert: X509_STORE_CTX_purpose_inherit failed with '%.256s'" + , ebuf); + + /* clear rest of errors in OpenSSL "error buffer" */ + ERR_clear_error(); + return(-1); + } + } + + /* + if (issuer_checks) + X509_STORE_CTX_set_flags(_csc, X509_V_FLAG_CB_ISSUER_CHECK); + */ + + if (X509_verify_cert(_csc) == 0) { + int ecode = X509_STORE_CTX_get_error(_csc); + error("ssh_verify_cert: verify error, code=%d, msg='%.200s'" + , ecode + , X509_verify_cert_error_string(ecode)); + return(-1); + } + + return(1); +} +#endif /*ndef SSH_X509STORE_DISABLED*/ + + +int +ssh_x509cert_check(X509 *_cert) { + int ret = 1; +#ifndef SSH_X509STORE_DISABLED + X509_STORE_CTX *csc; +#else /*def SSH_X509STORE_DISABLED*/ + X509_PURPOSE *xptmp; +#endif /*def SSH_X509STORE_DISABLED*/ + +#ifndef SSH_X509STORE_DISABLED + if (x509store == NULL) { + error("ssh_x509cert_check: context is NULL"); + return(-1); + } + + if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) { + char buf[512]; + X509_NAME_oneline( X509_get_subject_name(_cert), buf, sizeof(buf)); + debug3("ssh_x509cert_check: for '%.512s'", buf); + } + + csc = X509_STORE_CTX_new(); + if (csc == NULL) { + int ecode = ERR_get_error(); + char ebuf[256]; + ERR_error_string_n(ecode, ebuf, sizeof(ebuf)); + error("ssh_x509cert_check:X509_STORE_CTX_new failed with '%.256s'", ebuf); + + /* clear rest of errors in OpenSSL "error buffer" */ + ERR_clear_error(); + return(-1); + } + + ret = ssh_verify_cert(csc, _cert); + X509_STORE_CTX_free(csc); + if (ret > 0) { +/* + * OpenSSH implementation first verify and validate certificate by + * "X.509 store" with certs and crls from file system. It is fast + * check. 
After this when certificate chain is correct and + * certificate is not revoked we send a status request to an OCSP + * responder if configured. + * + * RFC2560(OCSP): + * ... + * 2.7 CA Key Compromise + * If an OCSP responder knows that a particular CA's private key + * has been compromised, it MAY return the revoked state for all + * certificates issued by that CA. + * ... + * 5. Security Considerations + * For this service to be effective, certificate using systems must + * connect to the certificate status service provider. In the event + * such a connection cannot be obtained, certificate-using systems + * could implement CRL processing logic as a fall-back position. + * ... + * RFC2560(OCSP)^ + * + * About OpenSSH implementation: + * 1.) We preffer to delegate validation of issuer certificates to + * 'OCSP Provider'. It is easy and simple to configure an OCSP + * responder to return revoked state for all certificates issued + * by a CA. Usually 'OCSP Provider' admins shall be first informed + * for certificates with changed state. In each case this simplify + * 'OCSP client'. + * 2.) To conform to RFC2560 we should use OCSP to check status of + * all certificates in the chain. Since this is network request it + * is good to implement a cache and to save status with lifetime. + * Might is good to have an OCSP cache server ;-). + * + * To minimize network latency and keeping in mind 1.) we send + * 'OCSP request' only for the last certificate in the chain, i.e. + * sended client or server certificate. + * + * Therefore instead to send OCSP request in ssh_x509revoked_cb() + * we do this here. 
+ */ + ret = ssh_x509_validate(_cert, x509store); + } + +#else /*def SSH_X509STORE_DISABLED*/ + if (sshpurpose.index >=0) { + xptmp = X509_PURPOSE_get0(sshpurpose.index); + if (xptmp == NULL) { + fatal("ssh_x509cert_check: cannot get purpose from index"); + return(-1); /* ;-) */ + } + ret = X509_check_purpose(_cert, X509_PURPOSE_get_id(xptmp), 0); + if (ret < 0) { + logit("ssh_x509cert_check: X509_check_purpose return %d", ret); + ret = 0; + } + } +#endif /*def SSH_X509STORE_DISABLED*/ + debug3("ssh_x509cert_check: return %d", ret); + return(ret); +} + + +#ifndef SSH_X509STORE_DISABLED +#ifdef SSH_CHECK_REVOKED +static int +ssh_check_crl(X509_STORE_CTX *_ctx, X509_CRL *_crl) { + X509 *cert = NULL; + time_t *pcheck_time; + int k; + + if (_crl == NULL) { + return(1); + } + + cert = X509_STORE_CTX_get_current_cert(_ctx); + if (cert == NULL) { + error("ssh_check_crl: missing current certificate in x509store context"); + return(0); + } + + if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) { + BIO *bio; + char buf[512]; + char *p; + + bio = BIO_new(BIO_s_mem()); + if (bio == NULL) { + fatal("ssh_check_crl: out of memory"); + return(0); /* ;-) */ + } + + X509_NAME_oneline( X509_CRL_get_issuer(_crl), buf, sizeof(buf)); + + BIO_printf(bio, ", Last Update: "); + ASN1_UTCTIME_print(bio, X509_CRL_get_lastUpdate(_crl)); + + BIO_printf(bio, ", Next Update: "); + ASN1_UTCTIME_print(bio, X509_CRL_get_nextUpdate(_crl)); + + k = BIO_pending(bio); + p = xmalloc(k + 1); /*fatal on error*/ + k = BIO_read(bio, p, k); + p[k] = '\0'; + + debug3("ssh_check_crl: Issuer: %s%s", buf, p); + + xfree(p); + BIO_free(bio); + } + + { + EVP_PKEY *pkey = X509_get_pubkey(cert); + if (pkey == NULL) { + error("ssh_check_crl:unable to decode public key"); + X509_STORE_CTX_set_error(_ctx, X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY); + return(0); + } + + if (X509_CRL_verify(_crl, pkey) <= 0) { + error("ssh_check_crl:CRL has invalid signature"); + X509_STORE_CTX_set_error(_ctx, 
X509_V_ERR_CRL_SIGNATURE_FAILURE); + return(0); + } + EVP_PKEY_free(pkey); + } + + + if (_ctx->flags & X509_V_FLAG_USE_CHECK_TIME) + pcheck_time = &_ctx->check_time; + else + pcheck_time = NULL; + + k = X509_cmp_time(X509_CRL_get_lastUpdate(_crl), pcheck_time); + if (k == 0) { + X509_STORE_CTX_set_error(_ctx, X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD); + error("ssh_check_crl:CRL has invalid lastUpdate field"); + return(0); + } + if (k > 0) { + X509_STORE_CTX_set_error(_ctx, X509_V_ERR_CRL_NOT_YET_VALID); + error("ssh_check_crl:CRL is not yet valid"); + return(0); + } + + k = X509_cmp_time(X509_CRL_get_nextUpdate(_crl), pcheck_time); + if (k == 0) { + error("ssh_check_crl:CRL has invalid nextUpdate field"); + X509_STORE_CTX_set_error(_ctx, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD); + return(0); + } + if (k < 0) { + error("ssh_check_crl:CRL is expired"); + X509_STORE_CTX_set_error(_ctx, X509_V_ERR_CRL_HAS_EXPIRED); + return(0); + } + + return(1); +} + + +static int +ssh_check_crl_cert(X509_STORE_CTX *_ctx, X509_CRL *_crl, X509 *_cert) { + X509_REVOKED revoked; + int k; + char *p, buf1[512], buf2[512]; + + if (_crl == NULL) return(1); + revoked.serialNumber = X509_get_serialNumber(_cert); + k = sk_X509_REVOKED_find(_crl->crl->revoked, &revoked); + if (k < 0) return(1); + + X509_STORE_CTX_set_error(_ctx, X509_V_ERR_CERT_REVOKED); + /* yes, revoked. 
print log and ...*/ + p = ssh_ASN1_INTEGER_2_string(revoked.serialNumber); + X509_NAME_oneline(X509_get_subject_name(_cert), buf1, sizeof(buf1)); + X509_NAME_oneline(X509_CRL_get_issuer (_crl ), buf2, sizeof(buf2)); + + error("certificate '%.512s' with serial '%.40s' revoked from issuer '%.512s'", + buf1, p, buf2); + xfree(p); + + return(0); +} + + +static int +ssh_x509revoked_cb(int ok, X509_STORE_CTX *ctx) { + X509 *cert; + X509_OBJECT xobj; + + if (!ok) return(0); + if (x509revoked == NULL) + return(ok); /* XXX:hmm */ + + cert = X509_STORE_CTX_get_current_cert(ctx); + if (cert == NULL) { + error("ssh_x509revoked_cb: missing current certificate in x509store context"); + return(0); + } + + if (get_log_level() >= SYSLOG_LEVEL_DEBUG3) { + char buf[512]; + + X509_NAME_oneline(X509_get_issuer_name(cert), buf, sizeof(buf)); + debug3("ssh_x509revoked_cb:issuer =%.512s", buf); + + X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); + debug3("ssh_x509revoked_cb:subject=%.512s", buf); + } + + memset(&xobj, 0, sizeof(xobj)); + if (ssh_x509store_lookup( + x509revoked, X509_LU_CRL, + X509_get_subject_name(cert), + &xobj) > 0) { +/* + * In callback we cannot check CRL signature at this point when we use + * X509_get_issuer_name(), because we don't know issuer public key! + * Of course we can get the public key from X509_STORE defined by + * static variable "x509store". + * Of course we can check revocation outside callback, but we should + * try to find public key in X509_STORE[s]. + * + * At this point we can get easy public key of "current certificate"! + * + * Method: "look forward" + * At this call we check CLR (signature and other) issued with "current + * certificate" ("CertA"). If all is OK with "CertA" by next call of + * callback method "current certificate" is signed from "CertA" and the + * CRL issued from "CertA", if any is already verified - cool ;-). 
+ * + * Note that when a certificate is revoked all signed form that + * certificate are revoked automatically too. With method "look forward" + * we already know that all issuers of "current certificate" aren't + * revoked. + */ + ok = ssh_check_crl(ctx, xobj.data.crl); + } + X509_OBJECT_free_contents(&xobj); + if (!ok) return(0); + + memset(&xobj, 0, sizeof(xobj)); + if (ssh_x509store_lookup( + x509revoked, X509_LU_CRL, + X509_get_issuer_name(cert), + &xobj) > 0) { + ok = ssh_check_crl_cert(ctx, xobj.data.crl, cert); + } + X509_OBJECT_free_contents(&xobj); + /* clear rest of errors in OpenSSL "error buffer" */ + ERR_clear_error(); + + if (!ok) return(0); + + /**/ + return(ok); +} +#endif + +#endif /*ndef SSH_X509STORE_DISABLED*/ diff -ruN openssh-3.8p1/x509store.h openssh-3.8p1+x509h/x509store.h --- openssh-3.8p1/x509store.h 1970-01-01 02:00:00.000000000 +0200 +++ openssh-3.8p1+x509h/x509store.h 2004-03-21 11:09:12.000000000 +0200 
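Review bot: `ssh_check_crl` leaks the `EVP_PKEY` obtained from `X509_get_pubkey(cert)` when `X509_CRL_verify` fails, because that branch returns before the `EVP_PKEY_free(pkey);` that follows it; add `EVP_PKEY_free(pkey);` ahead of the `return(0);` in the signature-failure branch. In the same function's debug block, `p[k] = '\0'` uses `k` straight from `BIO_read`, so a failed read (negative return) would write before the buffer; guard it with `if (k < 0) k = 0;`. Separately, `ssh_x509revoked_cb` leaves `ok` unchanged when no CRL is found for the issuer and returns `ok` when `x509revoked` is NULL (the line marked `XXX:hmm`), so revocation is enforced only where a CRL is actually installed; a comment stating that this soft-fail is intended would help whoever deploys it. The opening of this file's hunk is not present on the page, so these points cover only the functions that are visible in full.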
@@ -0,0 +1,93 @@
+#ifndef X509STORE_H
+#define X509STORE_H
+/*
+ * Copyright (c) 2002-2004 Roumen Petrov. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+
+#include "includes.h"
+#include
+
+
+int ssh_x509cert_check(X509 *_cert);
+
+int ssh_get_default_x509purpose(int _is_server);
+/* return purpose index, not purpose id (!) */
+int ssh_get_x509purpose_s(int _is_server, const char* _purpose_synonym);
+void ssh_set_x509purpose(int _is_server, int _sshpurpose_index);
+
+
+#ifndef SSH_X509STORE_DISABLED
+
+int ssh_x509store_lookup(X509_STORE *store, int type, X509_NAME *name, X509_OBJECT *xobj);
+
+typedef struct {
+ /* ssh PKI(X509) store */
+ const char *certificate_file;
+ const char *certificate_path;
+ const char *revocation_file;
+ const char *revocation_path;
+} X509StoreOptions;
+
+int ssh_x509store_addlocations(const X509StoreOptions *_locations);
+
+int ssh_x509_validate(X509 *cert, X509_STORE *x509store);
+
+#endif /*ndef SSH_X509STORE_DISABLED*/
+
+
+#ifdef SSH_X509STORE_DISABLED
+#ifdef SSH_OCSP_ENABLED
+# include "cannot enable OCSP when x509store is disabled"
+#endif /*def SSH_OCSP_ENABLED*/
+#endif /*def SSH_X509STORE_DISABLED*/
+
+
+#ifdef SSH_OCSP_ENABLED
+
+enum va_type {
+ SSHVA_NONE,
+ SSHVA_OCSP_CERT,
+ SSHVA_OCSP_SPEC
+};
+
+
+typedef struct {
+ int type; /*allowed values from enum va_type*/
+
+ /* file with additional trusted certificates */
+ const char *certificate_file;
+
+ /* ssh OCSP Provider(Respoder) URL */
+ const char *responder_url;
+} VAOptions;
+
+int ssh_get_default_vatype(void);
+int ssh_get_vatype_s(const char* type);
+
+void ssh_set_validator(const VAOptions *_va); /*fatal on error*/
+
+#endif /*def SSH_OCSP_ENABLED*/
+
+
+#endif /* X509STORE_H */
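Review bot: The prototype `int ssh_x509cert_check(X509 *_cert);` states no return contract, yet the visible implementation in this patch returns 1 for an accepted certificate, 0 when the purpose check fails and -1 on context or verification errors, so a caller that tests the result as a boolean would treat -1 as acceptance. Put the contract on the declaration, for example `/* returns 1 if the certificate is accepted; 0 or a negative value means rejected - compare with 1, never use as a boolean */`. The guard `# include "cannot enable OCSP when x509store is disabled"` depends on a failed include to stop the build; `#error "cannot enable OCSP when x509store is disabled"` states the intent directly.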