author | 1999-10-01 01:08:28 +0000 | |
---|---|---|
committer | 1999-10-01 01:08:28 +0000 | |
commit | 9186b70c618b4775fe2a79b1fada2ad20abcaf4e (patch) | |
tree | 70dca6164d7b91778a9b9993c1fb66d527166d99 /lib/libkeynote | |
parent | Sync w/NetBSD. Add support for ES18[67][89] - Nonaka Kimihiro + muting control fix (diff) | |
Update for version 2.0
Diffstat (limited to 'lib/libkeynote')
34 files changed, 4155 insertions, 694 deletions
diff --git a/lib/libkeynote/Makefile b/lib/libkeynote/Makefile
deleted file mode 100644
index 4388cf0478b..00000000000
--- a/lib/libkeynote/Makefile
+++ /dev/null
@@ -1,31 +0,0 @@
-# $OpenBSD: Makefile,v 1.5 1999/08/13 22:34:26 angelos Exp $
-
-LIB= keynote
-MAN= keynote.3 keynote.4
-
-CFLAGS+= -Wall -DCRYPTO -I/usr/include/ssl -I. -I${.CURDIR}
-LEXFLAGS = -Cr -Pkn -s -i
-YACCFLAGS = -d -p kn -b k
-
-HDRS= keynote.h
-SRCS= k.tab.c lex.kn.c environment.c parse_assertion.c signature.c aux.c \
- base64.c
-
-CLEANFILES+= k.tab.c lex.kn.c k.tab.h
-
-k.tab.c: keynote.y keynote.h signature.h
- $(YACC.y) $(YACCFLAGS) ${.CURDIR}/keynote.y
-
-lex.kn.c: keynote.l keynote.y keynote.h assertion.h signature.h
- $(LEX.l) $(LEXFLAGS) ${.CURDIR}/keynote.l
-
-includes:
- @cd ${.CURDIR}; for i in $(HDRS); do \
- j="cmp -s $$i ${DESTDIR}/usr/include/$$i || \
- ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
- $$i ${DESTDIR}/usr/include"; \
- echo $$j; \
- eval "$$j"; \
- done
-
-.include <bsd.lib.mk>
diff --git a/lib/libkeynote/Makefile.bsd-wrapper b/lib/libkeynote/Makefile.bsd-wrapper
new file mode 100644
index 00000000000..38127555405
--- /dev/null
+++ b/lib/libkeynote/Makefile.bsd-wrapper
@@ -0,0 +1,63 @@
+# $OpenBSD: Makefile.bsd-wrapper,v 1.1 1999/10/01 01:08:28 angelos Exp $
+
+HDRS= keynote.h
+MAN= keynote.1 keynote.3 keynote.4
+
+all: config.status
+ @cd ${.CURDIR} && ${MAKE} all
+
+.FORCE: .IGNORE
+
+.include <bsd.own.mk>
+
+.ifdef GLOBAL_AUTOCONF_CACHE
+CF= --cache-file=${GLOBAL_AUTOCONF_CACHE}
+.else
+CF=
+.endif
+
+config: .FORCE
+.ifndef GLOBAL_AUTOCONF_CACHE
+ -rm -f config.cache
+.endif
+ PATH="/bin:/usr/bin:/sbin:/usr/sbin" \
+ /bin/sh ${.CURDIR}/configure ${CF}
+
+config.status: Makefile.in configure
+ PATH="/bin:/usr/bin:/sbin:/usr/sbin" \
+ /bin/sh ${.CURDIR}/configure ${CF} && touch config.status
+
+includes:
+ @cd ${.CURDIR}; for i in $(HDRS); do \
+ j="cmp -s $$i ${DESTDIR}/usr/include/$$i || \
+ ${INSTALL} ${INSTALL_COPY} -o ${BINOWN} -g ${BINGRP} -m 444 \
+ $$i ${DESTDIR}/usr/include"; \
+ echo $$j; \
+ eval "$$j"; \
+ done
+
+clean:
+ -rm -f keynote.cat3 keynote.cat4 keynote.cat1
+ @if [ -f Makefile ]; then ${MAKE} clean; fi
+
+cleandir:
+ -rm -f keynote.cat3 keynote.cat4 keynote.cat1
+ @if [ -f Makefile ]; then ${MAKE} cleanall; fi
+
+install-keynote:
+ install -c -s -o root -g bin -m 555 keynote /usr/bin
+ install -c -o root -g bin -m 444 keynote.cat1 /usr/share/man/cat1/keynote.0
+
+install:
+ install -c -o root -g bin -m 600 libkeynote.a /usr/lib
+ ranlib -t /usr/lib/libkeynote.a
+ chmod 444 /usr/lib/libkeynote.a
+ install -c -o root -g bin -m 444 keynote.cat3 /usr/share/man/cat3/keynote.0
+ install -c -o root -g bin -m 444 keynote.cat4 /usr/share/man/cat4/keynote.0
+
+depend:
+ # Nothing here so far...
+
+.include <bsd.obj.mk>
+.include <bsd.subdir.mk>
+.include <bsd.man.mk>
diff --git a/lib/libkeynote/Makefile.distribution b/lib/libkeynote/Makefile.distribution
deleted file mode 100644
index cd88c9bc98c..00000000000
--- a/lib/libkeynote/Makefile.distribution
+++ /dev/null
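Review bot: The `install` and `install-keynote` targets write straight to `/usr/lib`, `/usr/bin` and `/usr/share/man`, while the `includes` target in the same file prefixes `${DESTDIR}`; a staged build or a build run as root therefore installs onto the build host instead of the staging tree. Both targets also have no prerequisites, so `make install` on a fresh tree fails on the missing `libkeynote.a` rather than building it. Prefix every destination with `${DESTDIR}` as below, and consider `${BINOWN}`/`${BINGRP}` instead of the literal `root`/`bin` for consistency with `includes`.
```make
install-keynote:
	install -c -s -o root -g bin -m 555 keynote ${DESTDIR}/usr/bin
	install -c -o root -g bin -m 444 keynote.cat1 ${DESTDIR}/usr/share/man/cat1/keynote.0

install:
	install -c -o root -g bin -m 600 libkeynote.a ${DESTDIR}/usr/lib
	ranlib -t ${DESTDIR}/usr/lib/libkeynote.a
	chmod 444 ${DESTDIR}/usr/lib/libkeynote.a
	install -c -o root -g bin -m 444 keynote.cat3 ${DESTDIR}/usr/share/man/cat3/keynote.0
	install -c -o root -g bin -m 444 keynote.cat4 ${DESTDIR}/usr/share/man/cat4/keynote.0
```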
@@ -1,159 +0,0 @@
-# $OpenBSD: Makefile.distribution,v 1.8 1999/08/13 22:25:54 angelos Exp $
-#
-# The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu)
-#
-# This code was written by Angelos D. Keromytis in Philadelphia, PA, USA,
-# in April-May 1998
-#
-# Copyright (C) 1998, 1999 by Angelos D. Keromytis.
-#
-# Permission to use, copy, and modify this software without fee
-# is hereby granted, provided that this entire notice is included in
-# all copies of any software which is or includes a copy or
-# modification of this software.
-#
-# THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
-# IMPLIED WARRANTY. IN PARTICULAR, THE AUTHORS MAKES NO
-# REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
-# MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
-# PURPOSE.
-
-VERSION = 2-beta4
-DISTFILE = keynote-${VERSION}.tar.gz
-KNSUBDIR = KeyNote-${VERSION}
-
-RANLIB = ranlib
-MKDIR = mkdir
-YACC = yacc
-#YACC = bison
-TRUE = true
-LEX = flex
-TAR = tar
-CC = gcc
-RM = rm
-AR = ar
-NROFF = nroff
-
-TARFLAGS = -cvzf ${DISTFILE}
-YACCFLAGS2 = -d -p kv -b z
-YACCFLAGS = -d -p kn -b k
-LEXFLAGS2 = -Pkv -s -i
-LEXFLAGS = -Cr -Pkn -s -i
-CFLAGS = -O2 -Wall # -g
-RMFLAGS2 = -rf
-RMFLAGS = -f
-NROFFFLAGS = -mandoc
-
-# SSLeay/OpenSSL pointers
-SSLINC = -I/usr/local/include -I/usr/local/include/ssl \
- -I/usr/local/include/openssl -I/usr/include/ssl \
- -I/usr/include/openssl \
- -I/usr/local/ssl/include -I/usr/local/ssl/include/ssl \
- -I/usr/local/openssl/include -I/usr/local/openssl/include/openssl \
- -I/usr/local/openssl/include/ssl -I/usr/local/ssl/include/openssl
-SSLLIB = -L/usr/lib -L/usr/local/lib -L/usr/local/ssl/lib \
- -L/usr/local/ssl/lib -L/usr/local/openssl/lib \
- -L/usr/local/openssl/ -lcrypto
-
-# No-crypto compile/link flags and definitions
-NOCRYPTODEFS = #-DPGPLIB -DNO_SNPRINTF -DNEED_GETOPT -DPILOT
-NOCRYPTOINC = -I.
-NOCRYPTOLIBS = -L. -lkeynote -lm
-
-# Final compile/link flags and definitions
-DEFS = -DCRYPTO ${NOCRYPTODEFS}
-INC = $(SSLINC) ${NOCRYPTOINC}
-LIBS = ${NOCRYPTOLIBS} ${SSLLIB}
-
-TARGET = libkeynote.a
-TARGET2 = keynote
-
-#GETOPT = getopt.o
-OBJS = k.tab.o lex.kn.o environment.o parse_assertion.o \
- signature.o aux.o base64.o $(GETOPT)
-OBJS2 = z.tab.o lex.kv.o keynote-verify.o keynote-sign.o keynote-sigver.o \
- keynote-keygen.o keynote-main.o
-
-crypto: all
-
-nocrypto:
- ${MAKE} LIBS="${NOCRYPTOLIBS}" INC="${NOCRYPTOINC}" \
- DEFS="${NOCRYPTODEFS}"
-
-all: $(TARGET) $(TARGET2)
-
-library: $(TARGET)
-
-$(TARGET): $(OBJS)
- $(AR) -cvr $(TARGET) $(OBJS)
- $(RANLIB) $(TARGET)
-
-$(TARGET2): $(TARGET) $(OBJS2)
- $(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS)
-
-k.tab.c: keynote.y keynote.h assertion.h
- $(YACC) $(YACCFLAGS) keynote.y
-
-z.tab.c: keynote-ver.y keynote.h header.h
- $(YACC) $(YACCFLAGS2) keynote-ver.y
-
-lex.kn.c: keynote.l k.tab.h keynote.h assertion.h
- $(LEX) $(LEXFLAGS) keynote.l
-
-lex.kv.c: keynote-ver.l z.tab.h keynote.h header.h
- $(LEX) $(LEXFLAGS2) keynote-ver.l
-
-.c.o:
- $(CC) $(CFLAGS) $(DEFS) $(INC) -c $<
-
-aux.c: keynote.h assertion.h signature.h
-parse_assertion.c: keynote.h assertion.h signature.h
-environment.c: keynote.h assertion.h
-keynote-verify.c: keynote.h header.h
-signature.c: keynote.h assertion.h signature.h
-keynote-keygen.c: keynote.h assertion.h signature.h header.h
-keynote-sign.c: keynote.h header.h
-keynote-sigver.c: keynote.h header.h
-keynote-main.c: header.h
-base64.c: keynote.h
-
-clean:
- $(RM) $(RMFLAGS) $(OBJS) $(OBJS2) a.out *.core *~ */*~
-
-cleandir: cleanall
-
-cleanall: clean
- $(RM) $(RMFLAGS) *.o k.tab.c lex.kn.c k.tab.h z.tab.c z.tab.h
- $(RM) $(RMFLAGS) lex.kv.c y.output z.output ${DISTFILE}
- $(RM) $(RMFLAGS) $(TARGET) $(TARGET2) man/*.0
-
-test: all
- ./$(TARGET2) verify -e testsuite/test-env \
- -r false,maybe,probably,true \
- -k testsuite/auth1 -k testsuite/auth2 -k testsuite/auth3 \
- -k testsuite/auth4 \
- -l testsuite/test-assertion1 -l testsuite/test-assertion2 \
- -l testsuite/test-assertion3 -l testsuite/test-assertion4 \
- -l testsuite/test-assertion5 -l testsuite/test-assertion6 \
- -l testsuite/test-assertion7 || ${TRUE}
-
-manpages: mankeynote mansystem manutility
-
-mankeynote:
- ${NROFF} ${NROFFFLAGS} man/keynote.3 > man/keynote-library.0
-
-mansystem:
- ${NROFF} ${NROFFFLAGS} man/keynote.4 > man/keynote-system.0
-
-manutility:
- ${NROFF} ${NROFFFLAGS} man/keynote.1 > man/keynote-utility.0
-
-distribution: test cleanall manpages
- ${MKDIR} ${KNSUBDIR}
- $(TAR) cf - . | (cd ${KNSUBDIR}; ${TAR} xf -)
- ${RM} ${RMFLAGS2} ${KNSUBDIR}/CVS ${KNSUBDIR}/testsuite/CVS \
- ${KNSUBDIR}/Misc/CVS ${KNSUBDIR}/${KNSUBDIR} \
- ${KNSUBDIR}/.cvsignore ${KNSUBDIR}/man/CVS \
- ${KNSUBDIR}/man/.cvsignore ${KNSUBDIR}/doc/CVS
- $(TAR) $(TARFLAGS) ${KNSUBDIR}
- ${RM} ${RMFLAGS2} ${KNSUBDIR}
diff --git a/lib/libkeynote/Makefile.in b/lib/libkeynote/Makefile.in
new file mode 100644
index 00000000000..866bf6b543c
--- /dev/null
+++ b/lib/libkeynote/Makefile.in
@@ -0,0 +1,186 @@
+# $OpenBSD: Makefile.in,v 1.1 1999/10/01 01:08:29 angelos Exp $
+#
+# The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu)
+#
+# This code was written by Angelos D. Keromytis in Philadelphia, PA, USA,
+# in April-May 1998
+#
+# Copyright (C) 1998, 1999 by Angelos D. Keromytis.
+#
+# Permission to use, copy, and modify this software without fee
+# is hereby granted, provided that this entire notice is included in
+# all copies of any software which is or includes a copy or
+# modification of this software.
+#
+# THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR
+# IMPLIED WARRANTY. IN PARTICULAR, THE AUTHORS MAKES NO
+# REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE
+# MERCHANTABILITY OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR
+# PURPOSE.
+
+VERSION = 2.0
+DISTFILE = keynote-${VERSION}.tar.gz
+KNSUBDIR = KeyNote-${VERSION}
+
+srcdir = @srcdir@
+
+LEX = @LEX@
+CC = @CC@
+RANLIB = @RANLIB@
+YACC = @YACC@
+SSLEAY = @SSLEAY@
+RM = @RM@
+AR = @AR@
+NROFF = @NROFF@
+TAR = @TAR@
+TRUE = @TRUE@
+MKDIR = @MKDIR@
+SED = @SED@
+ECHO = @ECHO@
+TR = @TR@
+
+TARFLAGS = -cvzf ${DISTFILE}
+YACCFLAGS2 = -d -p kv -b z
+YACCFLAGS = -d -p kn -b k
+LEXFLAGS2 = -Pkv -s -i
+LEXFLAGS = -Cr -Pkn -s -i
+CFLAGS = -O2 -Wall # -g
+RMFLAGS2 = -rf
+RMFLAGS = -f
+NROFFFLAGS = -mandoc
+
+SSLCONF = ${srcdir}/testsuite/openssl.cnf
+SSLCERT = ${srcdir}/testsuite/test.cert.pem
+SSLKEY = ${srcdir}/testsuite/test.key.pem
+SIGN_ASSERT = ${srcdir}/testsuite/test-assertion1-signed
+
+# No-crypto compile/link flags and definitions
+NOCRYPTODEFS = @DEFS@
+
+# Final compile/link flags and definitions
+DEFS = -DCRYPTO ${NOCRYPTODEFS}
+INC = -I.
+LIBS = -L. -lkeynote @LIBS@
+
+TARGET = libkeynote.a
+TARGET2 = keynote
+
+OBJS = k.tab.o lex.kn.o environment.o parse_assertion.o \
+ signature.o aux.o base64.o
+OBJS2 = z.tab.o lex.kv.o keynote-verify.o keynote-sign.o \
+ keynote-sigver.o keynote-keygen.o keynote-main.o @LIBOBJS@
+
+crypto: all
+
+nocrypto:
+ ${MAKE} DEFS="${NOCRYPTODEFS}"
+
+all: $(TARGET) $(TARGET2)
+
+library: $(TARGET)
+
+$(TARGET): $(OBJS)
+ $(AR) -cvr $(TARGET) $(OBJS)
+ $(RANLIB) $(TARGET)
+
+$(TARGET2): $(TARGET) $(OBJS2)
+ $(CC) $(CFLAGS) -o $(TARGET2) $(OBJS2) $(LIBS)
+
+k.tab.c: keynote.y keynote.h assertion.h config.h
+ $(YACC) $(YACCFLAGS) ${srcdir}/keynote.y
+
+z.tab.c: keynote-ver.y keynote.h header.h config.h
+ $(YACC) $(YACCFLAGS2) ${srcdir}/keynote-ver.y
+
+lex.kn.c: keynote.l k.tab.h keynote.h assertion.h config.h
+ $(LEX) $(LEXFLAGS) ${srcdir}/keynote.l
+
+lex.kv.c: keynote-ver.l z.tab.h keynote.h header.h config.h
+ $(LEX) $(LEXFLAGS2) ${srcdir}/keynote-ver.l
+
+.c.o:
+ $(CC) $(CFLAGS) $(DEFS) $(INC) -c $<
+
+aux.o: ${srcdir}/aux.c
+parse_assertion.o: ${srcdir}/parse_assertion.c
+environment.o: ${srcdir}/environment.c
+keynote-verify.o: ${srcdir}/keynote-verify.c
+signature.o: ${srcdir}/signature.c
+keynote-keygen.o: ${srcdir}/keynote-keygen.c
+keynote-sign.o: ${srcdir}/keynote-sign.c
+keynote-sigver.o: ${srcdir}/keynote-sigver.c
+keynote-main.o: ${srcdir}/keynote-main.c
+base64.o: ${srcdir}/base64.c
+getopt.o: ${srcdir}/getopt.c
+
+aux.c: keynote.h assertion.h signature.h config.h
+parse_assertion.c: keynote.h assertion.h signature.h config.h
+environment.c: keynote.h assertion.h config.h
+keynote-verify.c: keynote.h header.h config.h
+signature.c: keynote.h assertion.h signature.h config.h
+keynote-keygen.c: keynote.h assertion.h signature.h header.h config.h
+keynote-sign.c: keynote.h header.h config.h
+keynote-sigver.c: keynote.h header.h config.h
+keynote-main.c: header.h config.h
+base64.c: keynote.h config.h
+
+clean:
+ $(RM) $(RMFLAGS) $(OBJS) $(OBJS2) a.out *.core *~ */*~
+ $(RM) $(RMFLAGS) $(SSLCERT) $(SSLCERT).1 $(SSLCERT).2
+ $(RM) $(RMFLAGS) $(SSLKEY) $(SIGN_ASSERT)
+
+cleandir: cleanall
+
+cleanall: clean
+ $(RM) $(RMFLAGS) *.o k.tab.c lex.kn.c k.tab.h z.tab.c z.tab.h
+ $(RM) $(RMFLAGS) lex.kv.c y.output z.output ${DISTFILE}
+ $(RM) $(RMFLAGS) $(TARGET) $(TARGET2) man/*.0 config.cache
+ $(RM) $(RMFLAGS) config.log config.status config.h Makefile
+
+$(SSLCERT) $(SSLKEY):
+ $(SSLEAY) req -config $(SSLCONF) \
+ -new -x509 -nodes -out $(SSLCERT) \
+ -keyout $(SSLKEY)
+
+test-sig: all $(SSLCERT) $(SSLKEY)
+ $(SED) -e 's/--.*//' < $(SSLCERT) > $(SSLCERT).1
+ $(ECHO) -n 'authorizer: "x509-base64:' > $(SSLCERT).2
+ $(TR) -d '\n' < $(SSLCERT).1 >> $(SSLCERT).2
+ $(ECHO) '"' >> $(SSLCERT).2
+ $(SED) -e "/@@AUTH@@/r $(SSLCERT).2" -e "s/@@AUTH@@//" < $(SIGN_ASSERT).in > $(SIGN_ASSERT)
+ ./$(TARGET2) sign -v "sig-x509-sha1-base64:" $(SIGN_ASSERT) $(SSLKEY) | tee -a $(SIGN_ASSERT)
+ ./$(TARGET2) sigver $(SIGN_ASSERT)
+
+test: all
+ ./$(TARGET2) verify -e ${srcdir}/testsuite/test-env \
+ -r false,maybe,probably,true \
+ -k ${srcdir}/testsuite/auth1 -k ${srcdir}/testsuite/auth2 \
+ -k ${srcdir}/testsuite/auth3 -k ${srcdir}/testsuite/auth4 \
+ -l ${srcdir}/testsuite/test-assertion1 \
+ -l ${srcdir}/testsuite/test-assertion2 \
+ -l ${srcdir}/testsuite/test-assertion3 \
+ -l ${srcdir}/testsuite/test-assertion4 \
+ -l ${srcdir}/testsuite/test-assertion5 \
+ -l ${srcdir}/testsuite/test-assertion6 \
+ -l ${srcdir}/testsuite/test-assertion7 || ${TRUE}
+
+manpages: mankeynote mansystem manutility
+
+mankeynote:
+ ${NROFF} ${NROFFFLAGS} man/keynote.3 > man/keynote-library.0
+
+mansystem:
+ ${NROFF} ${NROFFFLAGS} man/keynote.4 > man/keynote-system.0
+
+manutility:
+ ${NROFF} ${NROFFFLAGS} man/keynote.1 > man/keynote-utility.0
+
+distribution: test cleanall manpages
+ ${MKDIR} ${KNSUBDIR}
+ $(TAR) cf - . | (cd ${KNSUBDIR}; ${TAR} xf -)
+ ${RM} ${RMFLAGS2} ${KNSUBDIR}/CVS ${KNSUBDIR}/testsuite/CVS \
+ ${KNSUBDIR}/Misc/CVS ${KNSUBDIR}/${KNSUBDIR} \
+ ${KNSUBDIR}/.cvsignore ${KNSUBDIR}/man/CVS \
+ ${KNSUBDIR}/man/.cvsignore ${KNSUBDIR}/doc/CVS
+ $(TAR) $(TARFLAGS) ${KNSUBDIR}
+ ${RM} ${RMFLAGS2} ${KNSUBDIR} man/*.0
diff --git a/lib/libkeynote/README b/lib/libkeynote/README
index 0b769a8fa50..5e07b69dac7 100644
--- a/lib/libkeynote/README
+++ b/lib/libkeynote/README
@@ -1,15 +1,18 @@
-# $OpenBSD: README,v 1.3 1999/05/27 01:09:43 angelos Exp $
+# $OpenBSD: README,v 1.4 1999/10/01 01:08:29 angelos Exp $
-This is release 2-beta2 of the KeyNote trust management library reference
-implementation.
+This is release 2.0 of the KeyNote trust management library reference
+implementation (in case you are wondering, there was never an official 1.0
+release).
-For details on the KeyNote spec, read the file keynote-spec, included in
-this distribution (in the doc/ directory).
+For details on the KeyNote spec, read RFC 2704, included in this distribution
+(in the doc/ directory).
-To build the distribution, just type "make" or "make crypt". To test the
-distribution, type "make test". The query should evaluate to "true" (look
-at the last few lines of output). To build without crypto support, use
-"make nocrypto".
+To build the distribution, just type "./configure" and then "make" or
+"make crypt". To test the distribution, type "make test". The query should
+evaluate to "true" (look at the last line of output). To build without
+crypto support, use "make nocrypto" instead (you still need to run
+"configure"). If you have built crypto support, "make test-sig" will run
+some more tests on the cryptographic algorithms.
 Compile tips:
 - You need the SSLeay/OpenSSL library if you compile with crypto
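Review bot: The `test` target ends its verify invocation with `|| ${TRUE}`, so the target exits 0 whether the query evaluates to true, to false, or keynote fails to run at all, and because `distribution:` lists `test` as a prerequisite a release tarball can be cut from a broken build. Drop the `|| ${TRUE}` from the last line, `-l ${srcdir}/testsuite/test-assertion7`, and if keynote's exit status does not encode the verdict (not visible here) compare its output against an expected-output file in testsuite/ instead of asking the user to read the last line. `test-sig` has the same weakness one step earlier: the exit status of `./$(TARGET2) sign ... | tee -a $(SIGN_ASSERT)` is tee's, so a failed signing is only caught if the following `sigver` rejects the unsigned file. Also, `$(SSLCERT) $(SSLKEY):` defines two independent rules sharing one recipe, so when only one of the two files is missing the other is regenerated underneath it, and under a parallel make both copies of the recipe may run at once.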
@@ -20,36 +23,6 @@ Compile tips: OpenSSL can be found at: http://www.openssl.com/ - Edit this distribution's Makefile, changing the variables SSLINC and - SSLLIB to reflect the location of the include files and libraries - respectively for SSLeay/OpenSSL. - -- Similarly, if you compile with -DPGPLIB you will need PGPlib-1.1 - from ftp://dslab1.cs.uit.no/pub/PGPlib-1.1.tar.gz - ** Notice: there is no support for PGPLIB yet ** - - Make sure PGPINC and PGPLIB (in Makefile) point at the right - locations for the include files and the library respectively. - -- You may need to add support for initialization of the random - generator routines. There is currently support for most BSDs and - Linux. Look in keynote-keygen.c and environment.c for calls to - RAND_seed(). Bear in mind that you need high-quality - (cryptographic-grade) randomness. - -- If your system does not have snprintf(), uncomment the -DNO_SNPRINTF - in the Makefile (NOCRYPTODEFS variable). - -- If your system does not have getopt(), move the files getopt.c and - getopt.h from Misc/ and uncomment the GETOPT line in the Makefile, and - enable the -DNEED_GETOPT flag in NOCRYPTODEFS (you do not need to - for Windows). - -- For Windows, you should be able to compile using Visual C++ without - too much trouble (thanks to Dave Clark for testing release 0.1). You - can get a copy of a regular expression library from the KeyNote web - page (see below). - The Makefile creates the libkeynote.a library and the keynote program. *** Notice that the 4 programs of previous releases have been folded into one diff --git a/lib/libkeynote/TODO b/lib/libkeynote/TODO index 4868357fa2b..803fe44395f 100644 --- a/lib/libkeynote/TODO +++ b/lib/libkeynote/TODO 
@@ -1,15 +1,10 @@ -# $OpenBSD: TODO,v 1.4 1999/06/21 19:58:21 angelos Exp $ +# $OpenBSD: TODO,v 1.5 1999/10/01 01:08:29 angelos Exp $ -Short term TODOs: +TODOs: + - Write key/signature algorithm drafts - More interesting/comprehensive testsuite - - Add the proper RFC reference to the manpages and README - - Write key/signature algorithm draft(s) - - autoconf - - Document X509 support - - Callbacks should get a pointer to the assertion - -Long term TODOs: - - Some sort of tcl/tk GUI - - PalmPilot support + - Make X509 support be non-RSA specific + - Recursive parser - PGPlib support - ElGamal support + - Some sort of tcl/tk GUI diff --git a/lib/libkeynote/aux.c b/lib/libkeynote/aux.c index 425a07451a1..fe9906bb4bd 100644 --- a/lib/libkeynote/aux.c +++ b/lib/libkeynote/aux.c @@ -1,4 +1,4 @@ -/* $OpenBSD: aux.c,v 1.3 1999/05/31 20:09:58 angelos Exp $ */ +/* $OpenBSD: aux.c,v 1.4 1999/10/01 01:08:29 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -19,15 +19,22 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> #include <stdlib.h> #include <stdio.h> #include <ctype.h> + +#if STDC_HEADERS #include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_LIMITS_H #include <limits.h> -#ifndef PILOT -#include <time.h> -#endif /* PILOT */ +#endif /* HAVE_LIMITS_H */ #include "keynote.h" #include "assertion.h" @@ -116,7 +123,11 @@ keynote_in_action_authorizers(void *key, int algorithm) for (kl = keynote_current_session->ks_action_authorizers; kl != (struct keylist *) NULL; kl = kl->key_next) - if (kl->key_alg == alg) + if ((kl->key_alg == alg) || + ((kl->key_alg == KEYNOTE_ALGORITHM_RSA) && + (alg = KEYNOTE_ALGORITHM_X509)) || + ((kl->key_alg == KEYNOTE_ALGORITHM_X509) && + (alg = KEYNOTE_ALGORITHM_RSA))) if (kn_keycompare(kl->key_key, s, alg) == RESULT_TRUE) return RESULT_TRUE; 
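Review bot: In keynote_in_action_authorizers the two new algorithm-equivalence clauses use assignment, `(alg = KEYNOTE_ALGORITHM_X509)` and `(alg = KEYNOTE_ALGORITHM_RSA)`, where the parallel change to keynote_find_assertion in the next hunk correctly uses `==`. Assuming those constants are non-zero, any RSA or X509 entry in the action-authorizer list satisfies its clause regardless of the caller's algorithm, and `alg` is overwritten for the following kn_keycompare() call and for every later iteration of the loop, so keys can be compared under the wrong algorithm. Change the two lines to `(alg == KEYNOTE_ALGORITHM_X509)` and `(alg == KEYNOTE_ALGORITHM_RSA)`. The rest of the function lies outside the hunk.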
@@ -299,7 +310,11 @@ keynote_find_assertion(void *authorizer, int num, int algorithm) as != (struct assertion *) NULL; as = as->as_next) if ((as->as_authorizer != (void *) NULL) && - (as->as_signeralgorithm == algorithm)) + ((as->as_signeralgorithm == algorithm) || + ((as->as_signeralgorithm == KEYNOTE_ALGORITHM_RSA) && + (algorithm == KEYNOTE_ALGORITHM_X509)) || + ((as->as_signeralgorithm == KEYNOTE_ALGORITHM_X509) && + (algorithm == KEYNOTE_ALGORITHM_RSA)))) if (kn_keycompare(authorizer, as->as_authorizer, algorithm) == RESULT_TRUE) if (num-- == 0) diff --git a/lib/libkeynote/base64.c b/lib/libkeynote/base64.c index 284d48ec37f..7bc0c961f46 100644 --- a/lib/libkeynote/base64.c +++ b/lib/libkeynote/base64.c @@ -1,4 +1,4 @@ -/* $OpenBSD: base64.c,v 1.2 1999/05/31 20:09:58 angelos Exp $ */ +/* $OpenBSD: base64.c,v 1.3 1999/10/01 01:08:29 angelos Exp $ */ /* * Copyright (c) 1996 by Internet Software Consortium. * 
@@ -41,15 +41,58 @@ * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> -#include <ctype.h> -#include <stdio.h> #include <stdlib.h> +#include <stdio.h> +#include <ctype.h> + +#if STDC_HEADERS #include <string.h> +#if !defined(HAVE_STRCHR) +#define strchr index +#endif /* !HAVE_STRCHR */ +#endif /* STDC_HEADERS */ #include "keynote.h" -#define Assert(Cond) if (!(Cond)) return -1; +#if defined(HAVE___B64_NTOP) +int __b64_ntop __P((u_char const *, size_t, char *, size_t)); +int __b64_pton __P((char const *, u_char *, size_t)); + +int +kn_encode_base64(src, srclength, target, targsize) +unsigned char const *src; +unsigned int srclength; +char *target; +unsigned int targsize; +{ + int i; + + i = __b64_ntop(src, srclength, target, targsize); + if (i == -1) + keynote_errno = ERROR_SYNTAX; + return i; +} + +int +kn_decode_base64(src, target, targsize) +char const *src; +unsigned char *target; +unsigned int targsize; +{ + int i; + + i = __b64_pton(src, target, targsize); + if (i == -1) + keynote_errno = ERROR_SYNTAX; + return i; +} +#else /* HAVE___B64_NTOP */ +#define Assert(Cond) if (!(Cond)) { keynote_errno = ERROR_SYNTAX; return -1; } static const char Base64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; @@ -346,3 +389,4 @@ unsigned int targsize; return (tarindex); } +#endif /* HAVE___B64_NTOP */ diff --git a/lib/libkeynote/config.hin b/lib/libkeynote/config.hin new file mode 100644 index 00000000000..37472739f3b --- /dev/null +++ b/lib/libkeynote/config.hin 
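Review bot: The fallback `Assert` macro on the new side expands to a bare `if (!(Cond)) { ... }` block, so `Assert(x);` at a call site leaves a stray `;` after the closing brace and any `if (...) Assert(x); else ...` form becomes a syntax error; wrap it as `#define Assert(Cond) do { if (!(Cond)) { keynote_errno = ERROR_SYNTAX; return -1; } } while (0)`. The two `HAVE___B64_NTOP` wrappers map every -1 from `__b64_ntop`/`__b64_pton` to ERROR_SYNTAX; for the encoder a -1 is presumably a too-small `targsize` rather than malformed input (the libc contract is not visible here), so a caller that undersizes its buffer gets a misleading error code. The functions that use `Assert` lie outside this hunk.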
@@ -0,0 +1,93 @@ +/* $OpenBSD: config.hin,v 1.1 1999/10/01 01:08:29 angelos Exp $ */ + +/* config.hin. Generated automatically from configure.in by autoheader. */ + +/* Define to empty if the keyword does not work. */ +#undef const + +/* Define if you have the ANSI C header files. */ +#undef STDC_HEADERS + +/* Define if you can safely include both <sys/time.h> and <time.h>. */ +#undef TIME_WITH_SYS_TIME + +/* Define if you have the _close function. */ +#undef HAVE__CLOSE + +/* Define if you have the _open function. */ +#undef HAVE__OPEN + +/* Define if you have the _read function. */ +#undef HAVE__READ + +/* Define if you have the b64_ntop function. */ +#undef HAVE___B64_NTOP + +/* Define if you have the close function. */ +#undef HAVE_CLOSE + +/* Define if you have the getopt function. */ +#undef HAVE_GETOPT + +/* Define if you have the memcpy function. */ +#undef HAVE_MEMCPY + +/* Define if you have the open function. */ +#undef HAVE_OPEN + +/* Define if you have the read function. */ +#undef HAVE_READ + +/* Define if you have the regcomp function. */ +#undef HAVE_REGCOMP + +/* Define if you have the snprintf function. */ +#undef HAVE_SNPRINTF + +/* Define if you have the strcasecmp function. */ +#undef HAVE_STRCASECMP + +/* Define if you have the strchr function. */ +#undef HAVE_STRCHR + +/* Define if you have the stricmp function. */ +#undef HAVE_STRICMP + +/* Define if you have the strncasecmp function. */ +#undef HAVE_STRNCASECMP + +/* Define if you have the strnicmp function. */ +#undef HAVE_STRNICMP + +/* Define if you have the <fcntl.h> header file. */ +#undef HAVE_FCNTL_H + +/* Define if you have the <io.h> header file. */ +#undef HAVE_IO_H + +/* Define if you have the <limits.h> header file. */ +#undef HAVE_LIMITS_H + +/* Define if you have the <memory.h> header file. */ +#undef HAVE_MEMORY_H + +/* Define if you have the <openssl/crypto.h> header file. */ +#undef HAVE_OPENSSL_CRYPTO_H + +/* Define if you have the <regex.h> header file. 
*/ +#undef HAVE_REGEX_H + +/* Define if you have the <ssl/crypto.h> header file. */ +#undef HAVE_SSL_CRYPTO_H + +/* Define if you have the <sys/time.h> header file. */ +#undef HAVE_SYS_TIME_H + +/* Define if you have the <unistd.h> header file. */ +#undef HAVE_UNISTD_H + +/* Define if you have the crypto library (-lcrypto). */ +#undef HAVE_LIBCRYPTO + +/* Define if you have /dev/urandom file. */ +#undef HAVE__DEV_URANDOM diff --git a/lib/libkeynote/configure b/lib/libkeynote/configure new file mode 100644 index 00000000000..77bbf748624 --- /dev/null +++ b/lib/libkeynote/configure 
@@ -0,0 +1,2454 @@ +#! /bin/sh +# $OpenBSD: configure,v 1.1 1999/10/01 01:08:29 angelos Exp $ + +# Guess values for system-dependent variables and create Makefiles. +# Generated automatically using autoconf version 2.13 +# Copyright (C) 1992, 93, 94, 95, 96 Free Software Foundation, Inc. +# +# This configure script is free software; the Free Software Foundation +# gives unlimited permission to copy, distribute and modify it. + +# Defaults: +ac_help= +ac_default_prefix=/usr/local +# Any additions from configure.in: + +# Initialize some variables set by options. +# The variables have the same names as the options, with +# dashes changed to underlines. +build=NONE +cache_file=./config.cache +exec_prefix=NONE +host=NONE +no_create= +nonopt=NONE +no_recursion= +prefix=NONE +program_prefix=NONE +program_suffix=NONE +program_transform_name=s,x,x, +silent= +site= +srcdir= +target=NONE +verbose= +x_includes=NONE +x_libraries=NONE +bindir='${exec_prefix}/bin' +sbindir='${exec_prefix}/sbin' +libexecdir='${exec_prefix}/libexec' +datadir='${prefix}/share' +sysconfdir='${prefix}/etc' +sharedstatedir='${prefix}/com' +localstatedir='${prefix}/var' +libdir='${exec_prefix}/lib' +includedir='${prefix}/include' +oldincludedir='/usr/include' +infodir='${prefix}/info' +mandir='${prefix}/man' + +# Initialize some other variables. +subdirs= +MFLAGS= MAKEFLAGS= +SHELL=${CONFIG_SHELL-/bin/sh} +# Maximum number of lines to put in a shell here document. +ac_max_here_lines=12 + +ac_prev= +for ac_option +do + + # If the previous option needs an argument, assign it. + if test -n "$ac_prev"; then + eval "$ac_prev=\$ac_option" + ac_prev= + continue + fi + + case "$ac_option" in + -*=*) ac_optarg=`echo "$ac_option" | sed 's/[-_a-zA-Z0-9]*=//'` ;; + *) ac_optarg= ;; + esac + + # Accept the important Cygnus configure options, so we can diagnose typos. 
+ + case "$ac_option" in + + -bindir | --bindir | --bindi | --bind | --bin | --bi) + ac_prev=bindir ;; + -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) + bindir="$ac_optarg" ;; + + -build | --build | --buil | --bui | --bu) + ac_prev=build ;; + -build=* | --build=* | --buil=* | --bui=* | --bu=*) + build="$ac_optarg" ;; + + -cache-file | --cache-file | --cache-fil | --cache-fi \ + | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) + ac_prev=cache_file ;; + -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ + | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) + cache_file="$ac_optarg" ;; + + -datadir | --datadir | --datadi | --datad | --data | --dat | --da) + ac_prev=datadir ;; + -datadir=* | --datadir=* | --datadi=* | --datad=* | --data=* | --dat=* \ + | --da=*) + datadir="$ac_optarg" ;; + + -disable-* | --disable-*) + ac_feature=`echo $ac_option|sed -e 's/-*disable-//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_feature| sed 's/[-a-zA-Z0-9_]//g'`"; then + { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } + fi + ac_feature=`echo $ac_feature| sed 's/-/_/g'` + eval "enable_${ac_feature}=no" ;; + + -enable-* | --enable-*) + ac_feature=`echo $ac_option|sed -e 's/-*enable-//' -e 's/=.*//'` + # Reject names that are not valid shell variable names. 
+ if test -n "`echo $ac_feature| sed 's/[-_a-zA-Z0-9]//g'`"; then + { echo "configure: error: $ac_feature: invalid feature name" 1>&2; exit 1; } + fi + ac_feature=`echo $ac_feature| sed 's/-/_/g'` + case "$ac_option" in + *=*) ;; + *) ac_optarg=yes ;; + esac + eval "enable_${ac_feature}='$ac_optarg'" ;; + + -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ + | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ + | --exec | --exe | --ex) + ac_prev=exec_prefix ;; + -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ + | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ + | --exec=* | --exe=* | --ex=*) + exec_prefix="$ac_optarg" ;; + + -gas | --gas | --ga | --g) + # Obsolete; use --with-gas. + with_gas=yes ;; + + -help | --help | --hel | --he) + # Omit some internal or obsolete options to make the list less imposing. + # This message is too long to be a string in the A/UX 3.1 sh. + cat << EOF +Usage: configure [options] [host] +Options: [defaults in brackets after descriptions] +Configuration: + --cache-file=FILE cache test results in FILE + --help print this message + --no-create do not create output files + --quiet, --silent do not print \`checking...' 
messages + --version print the version of autoconf that created configure +Directory and file names: + --prefix=PREFIX install architecture-independent files in PREFIX + [$ac_default_prefix] + --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX + [same as prefix] + --bindir=DIR user executables in DIR [EPREFIX/bin] + --sbindir=DIR system admin executables in DIR [EPREFIX/sbin] + --libexecdir=DIR program executables in DIR [EPREFIX/libexec] + --datadir=DIR read-only architecture-independent data in DIR + [PREFIX/share] + --sysconfdir=DIR read-only single-machine data in DIR [PREFIX/etc] + --sharedstatedir=DIR modifiable architecture-independent data in DIR + [PREFIX/com] + --localstatedir=DIR modifiable single-machine data in DIR [PREFIX/var] + --libdir=DIR object code libraries in DIR [EPREFIX/lib] + --includedir=DIR C header files in DIR [PREFIX/include] + --oldincludedir=DIR C header files for non-gcc in DIR [/usr/include] + --infodir=DIR info documentation in DIR [PREFIX/info] + --mandir=DIR man documentation in DIR [PREFIX/man] + --srcdir=DIR find the sources in DIR [configure dir or ..] 
+ --program-prefix=PREFIX prepend PREFIX to installed program names + --program-suffix=SUFFIX append SUFFIX to installed program names + --program-transform-name=PROGRAM + run sed PROGRAM on installed program names +EOF + cat << EOF +Host type: + --build=BUILD configure for building on BUILD [BUILD=HOST] + --host=HOST configure for HOST [guessed] + --target=TARGET configure for TARGET [TARGET=HOST] +Features and packages: + --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) + --enable-FEATURE[=ARG] include FEATURE [ARG=yes] + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] + --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) + --x-includes=DIR X include files are in DIR + --x-libraries=DIR X library files are in DIR +EOF + if test -n "$ac_help"; then + echo "--enable and --with options recognized:$ac_help" + fi + exit 0 ;; + + -host | --host | --hos | --ho) + ac_prev=host ;; + -host=* | --host=* | --hos=* | --ho=*) + host="$ac_optarg" ;; + + -includedir | --includedir | --includedi | --included | --include \ + | --includ | --inclu | --incl | --inc) + ac_prev=includedir ;; + -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ + | --includ=* | --inclu=* | --incl=* | --inc=*) + includedir="$ac_optarg" ;; + + -infodir | --infodir | --infodi | --infod | --info | --inf) + ac_prev=infodir ;; + -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) + infodir="$ac_optarg" ;; + + -libdir | --libdir | --libdi | --libd) + ac_prev=libdir ;; + -libdir=* | --libdir=* | --libdi=* | --libd=*) + libdir="$ac_optarg" ;; + + -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ + | --libexe | --libex | --libe) + ac_prev=libexecdir ;; + -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ + | --libexe=* | --libex=* | --libe=*) + libexecdir="$ac_optarg" ;; + + -localstatedir | --localstatedir | --localstatedi | --localstated \ + | --localstate | --localstat | --localsta | 
--localst \ + | --locals | --local | --loca | --loc | --lo) + ac_prev=localstatedir ;; + -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ + | --localstate=* | --localstat=* | --localsta=* | --localst=* \ + | --locals=* | --local=* | --loca=* | --loc=* | --lo=*) + localstatedir="$ac_optarg" ;; + + -mandir | --mandir | --mandi | --mand | --man | --ma | --m) + ac_prev=mandir ;; + -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) + mandir="$ac_optarg" ;; + + -nfp | --nfp | --nf) + # Obsolete; use --without-fp. + with_fp=no ;; + + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c) + no_create=yes ;; + + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) + no_recursion=yes ;; + + -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ + | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ + | --oldin | --oldi | --old | --ol | --o) + ac_prev=oldincludedir ;; + -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ + | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ + | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) + oldincludedir="$ac_optarg" ;; + + -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) + ac_prev=prefix ;; + -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) + prefix="$ac_optarg" ;; + + -program-prefix | --program-prefix | --program-prefi | --program-pref \ + | --program-pre | --program-pr | --program-p) + ac_prev=program_prefix ;; + -program-prefix=* | --program-prefix=* | --program-prefi=* \ + | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) + program_prefix="$ac_optarg" ;; + + -program-suffix | --program-suffix | --program-suffi | --program-suff \ + | --program-suf | --program-su | --program-s) + ac_prev=program_suffix ;; + -program-suffix=* | 
--program-suffix=* | --program-suffi=* \ + | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) + program_suffix="$ac_optarg" ;; + + -program-transform-name | --program-transform-name \ + | --program-transform-nam | --program-transform-na \ + | --program-transform-n | --program-transform- \ + | --program-transform | --program-transfor \ + | --program-transfo | --program-transf \ + | --program-trans | --program-tran \ + | --progr-tra | --program-tr | --program-t) + ac_prev=program_transform_name ;; + -program-transform-name=* | --program-transform-name=* \ + | --program-transform-nam=* | --program-transform-na=* \ + | --program-transform-n=* | --program-transform-=* \ + | --program-transform=* | --program-transfor=* \ + | --program-transfo=* | --program-transf=* \ + | --program-trans=* | --program-tran=* \ + | --progr-tra=* | --program-tr=* | --program-t=*) + program_transform_name="$ac_optarg" ;; + + -q | -quiet | --quiet | --quie | --qui | --qu | --q \ + | -silent | --silent | --silen | --sile | --sil) + silent=yes ;; + + -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) + ac_prev=sbindir ;; + -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ + | --sbi=* | --sb=*) + sbindir="$ac_optarg" ;; + + -sharedstatedir | --sharedstatedir | --sharedstatedi \ + | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ + | --sharedst | --shareds | --shared | --share | --shar \ + | --sha | --sh) + ac_prev=sharedstatedir ;; + -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ + | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ + | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ + | --sha=* | --sh=*) + sharedstatedir="$ac_optarg" ;; + + -site | --site | --sit) + ac_prev=site ;; + -site=* | --site=* | --sit=*) + site="$ac_optarg" ;; + + -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) + ac_prev=srcdir ;; + -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) + 
srcdir="$ac_optarg" ;; + + -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ + | --syscon | --sysco | --sysc | --sys | --sy) + ac_prev=sysconfdir ;; + -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ + | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) + sysconfdir="$ac_optarg" ;; + + -target | --target | --targe | --targ | --tar | --ta | --t) + ac_prev=target ;; + -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) + target="$ac_optarg" ;; + + -v | -verbose | --verbose | --verbos | --verbo | --verb) + verbose=yes ;; + + -version | --version | --versio | --versi | --vers) + echo "configure generated by autoconf version 2.13" + exit 0 ;; + + -with-* | --with-*) + ac_package=`echo $ac_option|sed -e 's/-*with-//' -e 's/=.*//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_package| sed 's/[-_a-zA-Z0-9]//g'`"; then + { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } + fi + ac_package=`echo $ac_package| sed 's/-/_/g'` + case "$ac_option" in + *=*) ;; + *) ac_optarg=yes ;; + esac + eval "with_${ac_package}='$ac_optarg'" ;; + + -without-* | --without-*) + ac_package=`echo $ac_option|sed -e 's/-*without-//'` + # Reject names that are not valid shell variable names. + if test -n "`echo $ac_package| sed 's/[-a-zA-Z0-9_]//g'`"; then + { echo "configure: error: $ac_package: invalid package name" 1>&2; exit 1; } + fi + ac_package=`echo $ac_package| sed 's/-/_/g'` + eval "with_${ac_package}=no" ;; + + --x) + # Obsolete; use --with-x. 
+ with_x=yes ;; + + -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ + | --x-incl | --x-inc | --x-in | --x-i) + ac_prev=x_includes ;; + -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ + | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) + x_includes="$ac_optarg" ;; + + -x-libraries | --x-libraries | --x-librarie | --x-librari \ + | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) + ac_prev=x_libraries ;; + -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ + | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) + x_libraries="$ac_optarg" ;; + + -*) { echo "configure: error: $ac_option: invalid option; use --help to show usage" 1>&2; exit 1; } + ;; + + *) + if test -n "`echo $ac_option| sed 's/[-a-z0-9.]//g'`"; then + echo "configure: warning: $ac_option: invalid host type" 1>&2 + fi + if test "x$nonopt" != xNONE; then + { echo "configure: error: can only configure for one host and one target at a time" 1>&2; exit 1; } + fi + nonopt="$ac_option" + ;; + + esac +done + +if test -n "$ac_prev"; then + { echo "configure: error: missing argument to --`echo $ac_prev | sed 's/_/-/g'`" 1>&2; exit 1; } +fi + +trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 + +# File descriptor usage: +# 0 standard input +# 1 file creation +# 2 errors and warnings +# 3 some systems may open it to /dev/tty +# 4 used on the Kubota Titan +# 6 checking for... messages and results +# 5 compiler messages saved in config.log +if test "$silent" = yes; then + exec 6>/dev/null +else + exec 6>&1 +fi +exec 5>./config.log + +echo "\ +This file contains any messages produced by compilers while +running configure, to aid debugging if configure makes a mistake. +" 1>&5 + +# Strip out --no-create and --no-recursion so they do not pile up. +# Also quote any args containing shell metacharacters. 
+ac_configure_args= +for ac_arg +do + case "$ac_arg" in + -no-create | --no-create | --no-creat | --no-crea | --no-cre \ + | --no-cr | --no-c) ;; + -no-recursion | --no-recursion | --no-recursio | --no-recursi \ + | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) ;; + *" "*|*" "*|*[\[\]\~\#\$\^\&\*\(\)\{\}\\\|\;\<\>\?]*) + ac_configure_args="$ac_configure_args '$ac_arg'" ;; + *) ac_configure_args="$ac_configure_args $ac_arg" ;; + esac +done + +# NLS nuisances. +# Only set these to C if already set. These must not be set unconditionally +# because not all systems understand e.g. LANG=C (notably SCO). +# Fixing LC_MESSAGES prevents Solaris sh from translating var values in `set'! +# Non-C LC_CTYPE values break the ctype check. +if test "${LANG+set}" = set; then LANG=C; export LANG; fi +if test "${LC_ALL+set}" = set; then LC_ALL=C; export LC_ALL; fi +if test "${LC_MESSAGES+set}" = set; then LC_MESSAGES=C; export LC_MESSAGES; fi +if test "${LC_CTYPE+set}" = set; then LC_CTYPE=C; export LC_CTYPE; fi + +# confdefs.h avoids OS command line length limits that DEFS can exceed. +rm -rf conftest* confdefs.h +# AIX cpp loses on an empty file, so make sure it contains at least a newline. +echo > confdefs.h + +# A filename unique to this package, relative to the directory that +# configure is in, which we can look for to find out if srcdir is correct. +ac_unique_file=assertion.h + +# Find the source files, if location was not specified. +if test -z "$srcdir"; then + ac_srcdir_defaulted=yes + # Try the directory containing this script, then its parent. + ac_prog=$0 + ac_confdir=`echo $ac_prog|sed 's%/[^/][^/]*$%%'` + test "x$ac_confdir" = "x$ac_prog" && ac_confdir=. + srcdir=$ac_confdir + if test ! -r $srcdir/$ac_unique_file; then + srcdir=.. + fi +else + ac_srcdir_defaulted=no +fi +if test ! -r $srcdir/$ac_unique_file; then + if test "$ac_srcdir_defaulted" = yes; then + { echo "configure: error: can not find sources in $ac_confdir or .." 
1>&2; exit 1; } + else + { echo "configure: error: can not find sources in $srcdir" 1>&2; exit 1; } + fi +fi +srcdir=`echo "${srcdir}" | sed 's%\([^/]\)/*$%\1%'` + +# Prefer explicitly selected file to automatically selected ones. +if test -z "$CONFIG_SITE"; then + if test "x$prefix" != xNONE; then + CONFIG_SITE="$prefix/share/config.site $prefix/etc/config.site" + else + CONFIG_SITE="$ac_default_prefix/share/config.site $ac_default_prefix/etc/config.site" + fi +fi +for ac_site_file in $CONFIG_SITE; do + if test -r "$ac_site_file"; then + echo "loading site script $ac_site_file" + . "$ac_site_file" + fi +done + +if test -r "$cache_file"; then + echo "loading cache $cache_file" + . $cache_file +else + echo "creating cache $cache_file" + > $cache_file +fi + +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +ac_exeext= +ac_objext=o +if (echo "testing\c"; echo 1,2,3) | grep c >/dev/null; then + # Stardent Vistra SVR4 grep lacks -e, says ghazi@caip.rutgers.edu. + if (echo -n testing; echo 1,2,3) | sed s/-n/xn/ | grep xn >/dev/null; then + ac_n= ac_c=' +' ac_t=' ' + else + ac_n=-n ac_c= ac_t= + fi +else + ac_n= ac_c='\c' ac_t= +fi + + + + + +# Extract the first word of "flex", so it can be a program name with args. +set dummy flex; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:531: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_LEX'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$LEX"; then + ac_cv_prog_LEX="$LEX" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. 
+ if test -f $ac_dir/$ac_word; then + ac_cv_prog_LEX="flex" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_LEX" && ac_cv_prog_LEX="lex" +fi +fi +LEX="$ac_cv_prog_LEX" +if test -n "$LEX"; then + echo "$ac_t""$LEX" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test -z "$LEXLIB" +then + case "$LEX" in + flex*) ac_lib=fl ;; + *) ac_lib=l ;; + esac + echo $ac_n "checking for yywrap in -l$ac_lib""... $ac_c" 1>&6 +echo "configure:565: checking for yywrap in -l$ac_lib" >&5 +ac_lib_var=`echo $ac_lib'_'yywrap | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-l$ac_lib $LIBS" +cat > conftest.$ac_ext <<EOF +#line 573 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char yywrap(); + +int main() { +yywrap() +; return 0; } +EOF +if { (eval echo configure:584: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + LEXLIB="-l$ac_lib" +else + echo "$ac_t""no" 1>&6 +fi + +fi + +# Extract the first word of "gcc", so it can be a program name with args. +set dummy gcc; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:609: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. 
+else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="gcc" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +if test -z "$CC"; then + # Extract the first word of "cc", so it can be a program name with args. +set dummy cc; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:639: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_prog_rejected=no + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + if test "$ac_dir/$ac_word" = "/usr/ucb/cc"; then + ac_prog_rejected=yes + continue + fi + ac_cv_prog_CC="cc" + break + fi + done + IFS="$ac_save_ifs" +if test $ac_prog_rejected = yes; then + # We found a bogon in the path, so make sure we never use it. + set dummy $ac_cv_prog_CC + shift + if test $# -gt 0; then + # We chose a different compiler from the bogus one. + # However, it has the same basename, so the bogon will be chosen + # first if we set CC to just the basename; use the full file name. + shift + set dummy "$ac_dir/$ac_word" "$@" + shift + ac_cv_prog_CC="$@" + fi +fi +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + + if test -z "$CC"; then + case "`uname -s`" in + *win32* | *WIN32*) + # Extract the first word of "cl", so it can be a program name with args. +set dummy cl; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:690: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_CC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$CC"; then + ac_cv_prog_CC="$CC" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_CC="cl" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +CC="$ac_cv_prog_CC" +if test -n "$CC"; then + echo "$ac_t""$CC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + ;; + esac + fi + test -z "$CC" && { echo "configure: error: no acceptable cc found in \$PATH" 1>&2; exit 1; } +fi + +echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works""... $ac_c" 1>&6 +echo "configure:722: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) works" >&5 + +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. +ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +cat > conftest.$ac_ext << EOF + +#line 733 "configure" +#include "confdefs.h" + +main(){return(0);} +EOF +if { (eval echo configure:738: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + ac_cv_prog_cc_works=yes + # If we can't run a trivial program, we are probably using a cross compiler. + if (./conftest; exit) 2>/dev/null; then + ac_cv_prog_cc_cross=no + else + ac_cv_prog_cc_cross=yes + fi +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + ac_cv_prog_cc_works=no +fi +rm -fr conftest* +ac_ext=c +# CFLAGS is not in ac_cpp because -g, -O, etc. are not valid cpp options. 
+ac_cpp='$CPP $CPPFLAGS' +ac_compile='${CC-cc} -c $CFLAGS $CPPFLAGS conftest.$ac_ext 1>&5' +ac_link='${CC-cc} -o conftest${ac_exeext} $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS 1>&5' +cross_compiling=$ac_cv_prog_cc_cross + +echo "$ac_t""$ac_cv_prog_cc_works" 1>&6 +if test $ac_cv_prog_cc_works = no; then + { echo "configure: error: installation or configuration problem: C compiler cannot create executables." 1>&2; exit 1; } +fi +echo $ac_n "checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler""... $ac_c" 1>&6 +echo "configure:764: checking whether the C compiler ($CC $CFLAGS $LDFLAGS) is a cross-compiler" >&5 +echo "$ac_t""$ac_cv_prog_cc_cross" 1>&6 +cross_compiling=$ac_cv_prog_cc_cross + +echo $ac_n "checking whether we are using GNU C""... $ac_c" 1>&6 +echo "configure:769: checking whether we are using GNU C" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_gcc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.c <<EOF +#ifdef __GNUC__ + yes; +#endif +EOF +if { ac_try='${CC-cc} -E conftest.c'; { (eval echo configure:778: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; }; } | egrep yes >/dev/null 2>&1; then + ac_cv_prog_gcc=yes +else + ac_cv_prog_gcc=no +fi +fi + +echo "$ac_t""$ac_cv_prog_gcc" 1>&6 + +if test $ac_cv_prog_gcc = yes; then + GCC=yes +else + GCC= +fi + +ac_test_CFLAGS="${CFLAGS+set}" +ac_save_CFLAGS="$CFLAGS" +CFLAGS= +echo $ac_n "checking whether ${CC-cc} accepts -g""... 
$ac_c" 1>&6 +echo "configure:797: checking whether ${CC-cc} accepts -g" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_cc_g'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + echo 'void f(){}' > conftest.c +if test -z "`${CC-cc} -g -c conftest.c 2>&1`"; then + ac_cv_prog_cc_g=yes +else + ac_cv_prog_cc_g=no +fi +rm -f conftest* + +fi + +echo "$ac_t""$ac_cv_prog_cc_g" 1>&6 +if test "$ac_test_CFLAGS" = set; then + CFLAGS="$ac_save_CFLAGS" +elif test $ac_cv_prog_cc_g = yes; then + if test "$GCC" = yes; then + CFLAGS="-g -O2" + else + CFLAGS="-g" + fi +else + if test "$GCC" = yes; then + CFLAGS="-O2" + else + CFLAGS= + fi +fi + +# Extract the first word of "ranlib", so it can be a program name with args. +set dummy ranlib; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:831: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_RANLIB'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$RANLIB"; then + ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. +else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_RANLIB="ranlib" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_prog_RANLIB" && ac_cv_prog_RANLIB=":" +fi +fi +RANLIB="$ac_cv_prog_RANLIB" +if test -n "$RANLIB"; then + echo "$ac_t""$RANLIB" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +for ac_prog in 'bison -y' byacc +do +# Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:863: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_prog_YACC'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test -n "$YACC"; then + ac_cv_prog_YACC="$YACC" # Let the user override the test. 
+else + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_prog_YACC="$ac_prog" + break + fi + done + IFS="$ac_save_ifs" +fi +fi +YACC="$ac_cv_prog_YACC" +if test -n "$YACC"; then + echo "$ac_t""$YACC" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +test -n "$YACC" && break +done +test -n "$YACC" || YACC="yacc" + +for ac_prog in openssl ssleay +do +# Extract the first word of "$ac_prog", so it can be a program name with args. +set dummy $ac_prog; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:898: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_SSLEAY'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$SSLEAY" in + /*) + ac_cv_path_SSLEAY="$SSLEAY" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_SSLEAY="$SSLEAY" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="\ + $PATH:/usr/local/bin:/usr/local/ssl/sbin:/usr/local/ssl/bin:/usr/ssl/bin:/usr/ssl/sbin:/usr/sbin:/usr/openssl/bin:/usr/openssl/bin:/usr/local/openssl/bin:/usr/local/openssl/sbin" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_SSLEAY="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + ;; +esac +fi +SSLEAY="$ac_cv_path_SSLEAY" +if test -n "$SSLEAY"; then + echo "$ac_t""$SSLEAY" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +test -n "$SSLEAY" && break +done +test -n "$SSLEAY" || SSLEAY="/usr/local/bin/ssleay" + +# Extract the first word of "rm", so it can be a program name with args. +set dummy rm; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:938: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_RM'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$RM" in + /*) + ac_cv_path_RM="$RM" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_RM="$RM" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_RM="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_RM" && ac_cv_path_RM="/bin/rm" + ;; +esac +fi +RM="$ac_cv_path_RM" +if test -n "$RM"; then + echo "$ac_t""$RM" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "ar", so it can be a program name with args. +set dummy ar; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:974: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_AR'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$AR" in + /*) + ac_cv_path_AR="$AR" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_AR="$AR" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_AR="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_AR" && ac_cv_path_AR="/usr/bin/ar" + ;; +esac +fi +AR="$ac_cv_path_AR" +if test -n "$AR"; then + echo "$ac_t""$AR" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "nroff", so it can be a program name with args. +set dummy nroff; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:1010: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_NROFF'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$NROFF" in + /*) + ac_cv_path_NROFF="$NROFF" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_NROFF="$NROFF" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_NROFF="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_NROFF" && ac_cv_path_NROFF="/usr/bin/nroff" + ;; +esac +fi +NROFF="$ac_cv_path_NROFF" +if test -n "$NROFF"; then + echo "$ac_t""$NROFF" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "tar", so it can be a program name with args. +set dummy tar; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:1046: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_TAR'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$TAR" in + /*) + ac_cv_path_TAR="$TAR" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_TAR="$TAR" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_TAR="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_TAR" && ac_cv_path_TAR="/bin/tar" + ;; +esac +fi +TAR="$ac_cv_path_TAR" +if test -n "$TAR"; then + echo "$ac_t""$TAR" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "true", so it can be a program name with args. +set dummy true; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:1082: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_TRUE'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$TRUE" in + /*) + ac_cv_path_TRUE="$TRUE" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_TRUE="$TRUE" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_TRUE="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_TRUE" && ac_cv_path_TRUE="/usr/bin/true" + ;; +esac +fi +TRUE="$ac_cv_path_TRUE" +if test -n "$TRUE"; then + echo "$ac_t""$TRUE" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "mkdir", so it can be a program name with args. +set dummy mkdir; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:1118: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_MKDIR'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$MKDIR" in + /*) + ac_cv_path_MKDIR="$MKDIR" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_MKDIR="$MKDIR" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_MKDIR="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_MKDIR" && ac_cv_path_MKDIR="/bin/mkdir" + ;; +esac +fi +MKDIR="$ac_cv_path_MKDIR" +if test -n "$MKDIR"; then + echo "$ac_t""$MKDIR" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "tr", so it can be a program name with args. +set dummy tr; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:1154: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_TR'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$TR" in + /*) + ac_cv_path_TR="$TR" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_TR="$TR" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_TR="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_TR" && ac_cv_path_TR="/usr/bin/tr" + ;; +esac +fi +TR="$ac_cv_path_TR" +if test -n "$TR"; then + echo "$ac_t""$TR" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "echo", so it can be a program name with args. +set dummy echo; ac_word=$2 +echo $ac_n "checking for $ac_word""... $ac_c" 1>&6 +echo "configure:1190: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_ECHO'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$ECHO" in + /*) + ac_cv_path_ECHO="$ECHO" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_ECHO="$ECHO" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_ECHO="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_ECHO" && ac_cv_path_ECHO="/bin/echo" + ;; +esac +fi +ECHO="$ac_cv_path_ECHO" +if test -n "$ECHO"; then + echo "$ac_t""$ECHO" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + +# Extract the first word of "sed", so it can be a program name with args. +set dummy sed; ac_word=$2 +echo $ac_n "checking for $ac_word""... 
$ac_c" 1>&6 +echo "configure:1226: checking for $ac_word" >&5 +if eval "test \"`echo '$''{'ac_cv_path_SED'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + case "$SED" in + /*) + ac_cv_path_SED="$SED" # Let the user override the test with a path. + ;; + ?:/*) + ac_cv_path_SED="$SED" # Let the user override the test with a dos path. + ;; + *) + IFS="${IFS= }"; ac_save_ifs="$IFS"; IFS=":" + ac_dummy="$PATH" + for ac_dir in $ac_dummy; do + test -z "$ac_dir" && ac_dir=. + if test -f $ac_dir/$ac_word; then + ac_cv_path_SED="$ac_dir/$ac_word" + break + fi + done + IFS="$ac_save_ifs" + test -z "$ac_cv_path_SED" && ac_cv_path_SED="/usr/bin/sed" + ;; +esac +fi +SED="$ac_cv_path_SED" +if test -n "$SED"; then + echo "$ac_t""$SED" 1>&6 +else + echo "$ac_t""no" 1>&6 +fi + + +echo $ac_n "checking for floor in -lm""... $ac_c" 1>&6 +echo "configure:1261: checking for floor in -lm" >&5 +ac_lib_var=`echo m'_'floor | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lm $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1269 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char floor(); + +int main() { +floor() +; return 0; } +EOF +if { (eval echo configure:1280: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo m | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <<EOF +#define $ac_tr_lib 1 +EOF + + LIBS="-lm $LIBS" + +else + echo "$ac_t""no" 1>&6 +fi + +echo $ac_n "checking for RSA_ref_private_decrypt in -lRSAglue""... $ac_c" 1>&6 +echo "configure:1308: checking for RSA_ref_private_decrypt in -lRSAglue" >&5 +ac_lib_var=`echo RSAglue'_'RSA_ref_private_decrypt | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lRSAglue $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1316 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char RSA_ref_private_decrypt(); + +int main() { +RSA_ref_private_decrypt() +; return 0; } +EOF +if { (eval echo configure:1327: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo RSAglue | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <<EOF +#define $ac_tr_lib 1 +EOF + + LIBS="-lRSAglue $LIBS" + +else + echo "$ac_t""no" 1>&6 +fi + +echo $ac_n "checking for RSAPrivateDecrypt in -lrsaref""... $ac_c" 1>&6 +echo "configure:1355: checking for RSAPrivateDecrypt in -lrsaref" >&5 +ac_lib_var=`echo rsaref'_'RSAPrivateDecrypt | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lrsaref $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1363 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char RSAPrivateDecrypt(); + +int main() { +RSAPrivateDecrypt() +; return 0; } +EOF +if { (eval echo configure:1374: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo rsaref | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <<EOF +#define $ac_tr_lib 1 +EOF + + LIBS="-lrsaref $LIBS" + +else + echo "$ac_t""no" 1>&6 +fi + +echo $ac_n "checking for i2a_ASN1_STRING in -lcrypto""... $ac_c" 1>&6 +echo "configure:1402: checking for i2a_ASN1_STRING in -lcrypto" >&5 +ac_lib_var=`echo crypto'_'i2a_ASN1_STRING | sed 'y%./+-%__p_%'` +if eval "test \"`echo '$''{'ac_cv_lib_$ac_lib_var'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + ac_save_LIBS="$LIBS" +LIBS="-lcrypto $LIBS" +cat > conftest.$ac_ext <<EOF +#line 1410 "configure" +#include "confdefs.h" +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char i2a_ASN1_STRING(); + +int main() { +i2a_ASN1_STRING() +; return 0; } +EOF +if { (eval echo configure:1421: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_lib_$ac_lib_var=no" +fi +rm -f conftest* +LIBS="$ac_save_LIBS" + +fi +if eval "test \"`echo '$ac_cv_lib_'$ac_lib_var`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_lib=HAVE_LIB`echo crypto | sed -e 's/[^a-zA-Z0-9_]/_/g' \ + -e 'y/abcdefghijklmnopqrstuvwxyz/ABCDEFGHIJKLMNOPQRSTUVWXYZ/'` + cat >> confdefs.h <<EOF +#define $ac_tr_lib 1 +EOF + + LIBS="-lcrypto $LIBS" + +else + echo "$ac_t""no" 1>&6 +fi + + +echo $ac_n "checking how to run the C preprocessor""... $ac_c" 1>&6 +echo "configure:1450: checking how to run the C preprocessor" >&5 +# On Suns, sometimes $CPP names a directory. +if test -n "$CPP" && test -d "$CPP"; then + CPP= +fi +if test -z "$CPP"; then +if eval "test \"`echo '$''{'ac_cv_prog_CPP'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + # This must be in double quotes, not single quotes, because CPP may get + # substituted into the Makefile and "${CC-cc}" will confuse make. + CPP="${CC-cc} -E" + # On the NeXT, cc -E runs the code through the compiler's parser, + # not just through cpp. 
+ cat > conftest.$ac_ext <<EOF +#line 1465 "configure" +#include "confdefs.h" +#include <assert.h> +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1471: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP="${CC-cc} -E -traditional-cpp" + cat > conftest.$ac_ext <<EOF +#line 1482 "configure" +#include "confdefs.h" +#include <assert.h> +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1488: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP="${CC-cc} -nologo -E" + cat > conftest.$ac_ext <<EOF +#line 1499 "configure" +#include "confdefs.h" +#include <assert.h> +Syntax Error +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1505: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + : +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + CPP=/lib/cpp +fi +rm -f conftest* +fi +rm -f conftest* +fi +rm -f conftest* + ac_cv_prog_CPP="$CPP" +fi + CPP="$ac_cv_prog_CPP" +else + ac_cv_prog_CPP="$CPP" +fi +echo "$ac_t""$CPP" 1>&6 + +echo $ac_n "checking for ANSI C header files""... 
$ac_c" 1>&6 +echo "configure:1530: checking for ANSI C header files" >&5 +if eval "test \"`echo '$''{'ac_cv_header_stdc'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1535 "configure" +#include "confdefs.h" +#include <stdlib.h> +#include <stdarg.h> +#include <string.h> +#include <float.h> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1543: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + ac_cv_header_stdc=yes +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_header_stdc=no +fi +rm -f conftest* + +if test $ac_cv_header_stdc = yes; then + # SunOS 4.x string.h does not declare mem*, contrary to ANSI. +cat > conftest.$ac_ext <<EOF +#line 1560 "configure" +#include "confdefs.h" +#include <string.h> +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "memchr" >/dev/null 2>&1; then + : +else + rm -rf conftest* + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. +cat > conftest.$ac_ext <<EOF +#line 1578 "configure" +#include "confdefs.h" +#include <stdlib.h> +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "free" >/dev/null 2>&1; then + : +else + rm -rf conftest* + ac_cv_header_stdc=no +fi +rm -f conftest* + +fi + +if test $ac_cv_header_stdc = yes; then + # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. +if test "$cross_compiling" = yes; then + : +else + cat > conftest.$ac_ext <<EOF +#line 1599 "configure" +#include "confdefs.h" +#include <ctype.h> +#define ISLOWER(c) ('a' <= (c) && (c) <= 'z') +#define TOUPPER(c) (ISLOWER(c) ? 
'A' + ((c) - 'a') : (c)) +#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) +int main () { int i; for (i = 0; i < 256; i++) +if (XOR (islower (i), ISLOWER (i)) || toupper (i) != TOUPPER (i)) exit(2); +exit (0); } + +EOF +if { (eval echo configure:1610: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext} && (./conftest; exit) 2>/dev/null +then + : +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -fr conftest* + ac_cv_header_stdc=no +fi +rm -fr conftest* +fi + +fi +fi + +echo "$ac_t""$ac_cv_header_stdc" 1>&6 +if test $ac_cv_header_stdc = yes; then + cat >> confdefs.h <<\EOF +#define STDC_HEADERS 1 +EOF + +fi + +echo $ac_n "checking whether time.h and sys/time.h may both be included""... $ac_c" 1>&6 +echo "configure:1634: checking whether time.h and sys/time.h may both be included" >&5 +if eval "test \"`echo '$''{'ac_cv_header_time'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1639 "configure" +#include "confdefs.h" +#include <sys/types.h> +#include <sys/time.h> +#include <time.h> +int main() { +struct tm *tp; +; return 0; } +EOF +if { (eval echo configure:1648: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_header_time=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_header_time=no +fi +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_header_time" 1>&6 +if test $ac_cv_header_time = yes; then + cat >> confdefs.h <<\EOF +#define TIME_WITH_SYS_TIME 1 +EOF + +fi + +for ac_hdr in fcntl.h limits.h unistd.h regex.h sys/time.h io.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +echo "configure:1672: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1677 "configure" +#include "confdefs.h" +#include <$ac_hdr> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1682: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + +for ac_hdr in ssl/crypto.h openssl/crypto.h memory.h +do +ac_safe=`echo "$ac_hdr" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_hdr""... 
$ac_c" 1>&6 +echo "configure:1712: checking for $ac_hdr" >&5 +if eval "test \"`echo '$''{'ac_cv_header_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1717 "configure" +#include "confdefs.h" +#include <$ac_hdr> +EOF +ac_try="$ac_cpp conftest.$ac_ext >/dev/null 2>conftest.out" +{ (eval echo configure:1722: \"$ac_try\") 1>&5; (eval $ac_try) 2>&5; } +ac_err=`grep -v '^ *+' conftest.out | grep -v "^conftest.${ac_ext}\$"` +if test -z "$ac_err"; then + rm -rf conftest* + eval "ac_cv_header_$ac_safe=yes" +else + echo "$ac_err" >&5 + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_header_$ac_safe=no" +fi +rm -f conftest* +fi +if eval "test \"`echo '$ac_cv_header_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_hdr=HAVE_`echo $ac_hdr | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_hdr 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + + +for ac_file in /dev/urandom +do + +ac_safe=`echo "$ac_file" | sed 'y%./+-%__p_%'` +echo $ac_n "checking for $ac_file""... $ac_c" 1>&6 +echo "configure:1754: checking for $ac_file" >&5 +if eval "test \"`echo '$''{'ac_cv_file_$ac_safe'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + if test "$cross_compiling" = yes; then + { echo "configure: error: Cannot check for file existence when cross compiling" 1>&2; exit 1; } +else + if test -r $ac_file; then + eval "ac_cv_file_$ac_safe=yes" + else + eval "ac_cv_file_$ac_safe=no" + fi +fi +fi +if eval "test \"`echo '$ac_cv_file_'$ac_safe`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_file=HAVE_`echo $ac_file | sed 'y%abcdefghijklmnopqrstuvwxyz./-%ABCDEFGHIJKLMNOPQRSTUVWXYZ___%'` + cat >> confdefs.h <<EOF +#define $ac_tr_file 1 +EOF + +else + echo "$ac_t""no" 1>&6 + +fi +done + + +echo $ac_n "checking for working const""... 
$ac_c" 1>&6 +echo "configure:1783: checking for working const" >&5 +if eval "test \"`echo '$''{'ac_cv_c_const'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1788 "configure" +#include "confdefs.h" + +int main() { + +/* Ultrix mips cc rejects this. */ +typedef int charset[2]; const charset x; +/* SunOS 4.1.1 cc rejects this. */ +char const *const *ccp; +char **p; +/* NEC SVR4.0.2 mips cc rejects this. */ +struct point {int x, y;}; +static struct point const zero = {0,0}; +/* AIX XL C 1.02.0.0 rejects this. + It does not let you subtract one const X* pointer from another in an arm + of an if-expression whose if-part is not a constant expression */ +const char *g = "string"; +ccp = &g + (g ? g-g : 0); +/* HPUX 7.0 cc rejects these. */ +++ccp; +p = (char**) ccp; +ccp = (char const *const *) p; +{ /* SCO 3.2v4 cc rejects this. */ + char *t; + char const *s = 0 ? (char *) 0 : (char const *) 0; + + *t++ = 0; +} +{ /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ + int x[] = {25, 17}; + const int *foo = &x[0]; + ++foo; +} +{ /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ + typedef const int *iptr; + iptr p = 0; + ++p; +} +{ /* AIX XL C 1.02.0.0 rejects this saying + "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ + struct s { int j; const int *ap[3]; }; + struct s *b; b->j = 5; +} +{ /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ + const int foo = 10; +} + +; return 0; } +EOF +if { (eval echo configure:1837: \"$ac_compile\") 1>&5; (eval $ac_compile) 2>&5; }; then + rm -rf conftest* + ac_cv_c_const=yes +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + ac_cv_c_const=no +fi +rm -f conftest* +fi + +echo "$ac_t""$ac_cv_c_const" 1>&6 +if test $ac_cv_c_const = no; then + cat >> confdefs.h <<\EOF +#define const +EOF + +fi + +echo $ac_n "checking for u_int""... 
$ac_c" 1>&6 +echo "configure:1858: checking for u_int" >&5 +if eval "test \"`echo '$''{'ac_cv_type_u_int'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1863 "configure" +#include "confdefs.h" +#include <sys/types.h> +#if STDC_HEADERS +#include <stdlib.h> +#include <stddef.h> +#endif +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "(^|[^a-zA-Z_0-9])u_int[^a-zA-Z_0-9]" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_u_int=yes +else + rm -rf conftest* + ac_cv_type_u_int=no +fi +rm -f conftest* + +fi +echo "$ac_t""$ac_cv_type_u_int" 1>&6 +if test $ac_cv_type_u_int = no; then + cat >> confdefs.h <<\EOF +#define u_int unsigned int +EOF + +fi + +echo $ac_n "checking for u_char""... $ac_c" 1>&6 +echo "configure:1891: checking for u_char" >&5 +if eval "test \"`echo '$''{'ac_cv_type_u_char'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1896 "configure" +#include "confdefs.h" +#include <sys/types.h> +#if STDC_HEADERS +#include <stdlib.h> +#include <stddef.h> +#endif +EOF +if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | + egrep "(^|[^a-zA-Z_0-9])u_char[^a-zA-Z_0-9]" >/dev/null 2>&1; then + rm -rf conftest* + ac_cv_type_u_char=yes +else + rm -rf conftest* + ac_cv_type_u_char=no +fi +rm -f conftest* + +fi +echo "$ac_t""$ac_cv_type_u_char" 1>&6 +if test $ac_cv_type_u_char = no; then + cat >> confdefs.h <<\EOF +#define u_char unsigned char +EOF + +fi + + +for ac_func in regcomp open close read _open _close _read strchr memcpy +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:1927: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1932 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. 
*/ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:1955: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <<EOF +#define $ac_tr_func 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + +for ac_func in strcasecmp strncasecmp stricmp strnicmp snprintf __b64_ntop +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:1982: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 1987 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. 
*/ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. */ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:2010: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <<EOF +#define $ac_tr_func 1 +EOF + +else + echo "$ac_t""no" 1>&6 +fi +done + +for ac_func in getopt +do +echo $ac_n "checking for $ac_func""... $ac_c" 1>&6 +echo "configure:2037: checking for $ac_func" >&5 +if eval "test \"`echo '$''{'ac_cv_func_$ac_func'+set}'`\" = set"; then + echo $ac_n "(cached) $ac_c" 1>&6 +else + cat > conftest.$ac_ext <<EOF +#line 2042 "configure" +#include "confdefs.h" +/* System header to define __stub macros and hopefully few prototypes, + which can conflict with char $ac_func(); below. */ +#include <assert.h> +/* Override any gcc2 internal prototype to avoid an error. */ +/* We use char because int might match the return type of a gcc2 + builtin and then its argument prototype would still apply. */ +char $ac_func(); + +int main() { + +/* The GNU C library defines this for functions which it implements + to always fail with ENOSYS. Some functions are actually named + something starting with __ and the normal name is an alias. 
*/ +#if defined (__stub_$ac_func) || defined (__stub___$ac_func) +choke me +#else +$ac_func(); +#endif + +; return 0; } +EOF +if { (eval echo configure:2065: \"$ac_link\") 1>&5; (eval $ac_link) 2>&5; } && test -s conftest${ac_exeext}; then + rm -rf conftest* + eval "ac_cv_func_$ac_func=yes" +else + echo "configure: failed program was:" >&5 + cat conftest.$ac_ext >&5 + rm -rf conftest* + eval "ac_cv_func_$ac_func=no" +fi +rm -f conftest* +fi + +if eval "test \"`echo '$ac_cv_func_'$ac_func`\" = yes"; then + echo "$ac_t""yes" 1>&6 + ac_tr_func=HAVE_`echo $ac_func | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'` + cat >> confdefs.h <<EOF +#define $ac_tr_func 1 +EOF + +else + echo "$ac_t""no" 1>&6 +LIBOBJS="$LIBOBJS ${ac_func}.${ac_objext}" +fi +done + + + +trap '' 1 2 15 +cat > confcache <<\EOF +# This file is a shell script that caches the results of configure +# tests run on this system so they can be shared between configure +# scripts and configure runs. It is not useful on other systems. +# If it contains results you don't want to keep, you may remove or edit it. +# +# By default, configure uses ./config.cache as the cache file, +# creating it if it does not exist already. You can give configure +# the --cache-file=FILE option to use a different cache file; that is +# what configure does when it calls configure scripts in +# subdirectories, so they share the cache. +# Giving --cache-file=/dev/null disables caching, for debugging configure. +# config.status only pays attention to the cache file if you give it the +# --recheck option to rerun configure. +# +EOF +# The following way of writing the cache mishandles newlines in values, +# but we know of no workaround that is simple, portable, and efficient. +# So, don't put newlines in cache variables' values. +# Ultrix sh set writes to stderr and can't be redirected directly, +# and sets the high bit in the cache file unless we assign to the vars. 
+(set) 2>&1 | + case `(ac_space=' '; set | grep ac_space) 2>&1` in + *ac_space=\ *) + # `set' does not quote correctly, so add quotes (double-quote substitution + # turns \\\\ into \\, and sed turns \\ into \). + sed -n \ + -e "s/'/'\\\\''/g" \ + -e "s/^\\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\\)=\\(.*\\)/\\1=\${\\1='\\2'}/p" + ;; + *) + # `set' quotes correctly as required by POSIX, so do not add quotes. + sed -n -e 's/^\([a-zA-Z0-9_]*_cv_[a-zA-Z0-9_]*\)=\(.*\)/\1=${\1=\2}/p' + ;; + esac >> confcache +if cmp -s $cache_file confcache; then + : +else + if test -w $cache_file; then + echo "updating cache $cache_file" + cat confcache > $cache_file + else + echo "not updating unwritable cache $cache_file" + fi +fi +rm -f confcache + +trap 'rm -fr conftest* confdefs* core core.* *.core $ac_clean_files; exit 1' 1 2 15 + +test "x$prefix" = xNONE && prefix=$ac_default_prefix +# Let make expand exec_prefix. +test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' + +# Any assignment to VPATH causes Sun make to only execute +# the first set of double-colon rules, so remove it if not needed. +# If there is a colon in the path, we need to keep it. +if test "x$srcdir" = x.; then + ac_vpsub='/^[ ]*VPATH[ ]*=[^:]*$/d' +fi + +trap 'rm -f $CONFIG_STATUS conftest*; exit 1' 1 2 15 + +DEFS=-DHAVE_CONFIG_H + +# Without the "./", some shells look in PATH for config.status. +: ${CONFIG_STATUS=./config.status} + +echo creating $CONFIG_STATUS +rm -f $CONFIG_STATUS +cat > $CONFIG_STATUS <<EOF +#! /bin/sh +# Generated automatically by configure. +# Run this file to recreate the current configuration. +# This directory was configured as follows, +# on host `(hostname || uname -n) 2>/dev/null | sed 1q`: +# +# $0 $ac_configure_args +# +# Compiler output produced by configure, useful for debugging +# configure, is in ./config.log if it exists. 
+ +ac_cs_usage="Usage: $CONFIG_STATUS [--recheck] [--version] [--help]" +for ac_option +do + case "\$ac_option" in + -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) + echo "running \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion" + exec \${CONFIG_SHELL-/bin/sh} $0 $ac_configure_args --no-create --no-recursion ;; + -version | --version | --versio | --versi | --vers | --ver | --ve | --v) + echo "$CONFIG_STATUS generated by autoconf version 2.13" + exit 0 ;; + -help | --help | --hel | --he | --h) + echo "\$ac_cs_usage"; exit 0 ;; + *) echo "\$ac_cs_usage"; exit 1 ;; + esac +done + +ac_given_srcdir=$srcdir + +trap 'rm -fr `echo "Makefile config.h:config.hin" | sed "s/:[^ ]*//g"` conftest*; exit 1' 1 2 15 +EOF +cat >> $CONFIG_STATUS <<EOF + +# Protect against being on the right side of a sed subst in config.status. +sed 's/%@/@@/; s/@%/@@/; s/%g\$/@g/; /@g\$/s/[\\\\&%]/\\\\&/g; + s/@@/%@/; s/@@/@%/; s/@g\$/%g/' > conftest.subs <<\\CEOF +$ac_vpsub +$extrasub +s%@SHELL@%$SHELL%g +s%@CFLAGS@%$CFLAGS%g +s%@CPPFLAGS@%$CPPFLAGS%g +s%@CXXFLAGS@%$CXXFLAGS%g +s%@FFLAGS@%$FFLAGS%g +s%@DEFS@%$DEFS%g +s%@LDFLAGS@%$LDFLAGS%g +s%@LIBS@%$LIBS%g +s%@exec_prefix@%$exec_prefix%g +s%@prefix@%$prefix%g +s%@program_transform_name@%$program_transform_name%g +s%@bindir@%$bindir%g +s%@sbindir@%$sbindir%g +s%@libexecdir@%$libexecdir%g +s%@datadir@%$datadir%g +s%@sysconfdir@%$sysconfdir%g +s%@sharedstatedir@%$sharedstatedir%g +s%@localstatedir@%$localstatedir%g +s%@libdir@%$libdir%g +s%@includedir@%$includedir%g +s%@oldincludedir@%$oldincludedir%g +s%@infodir@%$infodir%g +s%@mandir@%$mandir%g +s%@LEX@%$LEX%g +s%@LEXLIB@%$LEXLIB%g +s%@CC@%$CC%g +s%@RANLIB@%$RANLIB%g +s%@YACC@%$YACC%g +s%@SSLEAY@%$SSLEAY%g +s%@RM@%$RM%g +s%@AR@%$AR%g +s%@NROFF@%$NROFF%g +s%@TAR@%$TAR%g +s%@TRUE@%$TRUE%g +s%@MKDIR@%$MKDIR%g +s%@TR@%$TR%g +s%@ECHO@%$ECHO%g +s%@SED@%$SED%g +s%@CPP@%$CPP%g +s%@LIBOBJS@%$LIBOBJS%g + +CEOF +EOF + +cat >> $CONFIG_STATUS <<\EOF + +# Split 
the substitutions into bite-sized pieces for seds with +# small command number limits, like on Digital OSF/1 and HP-UX. +ac_max_sed_cmds=90 # Maximum number of lines to put in a sed script. +ac_file=1 # Number of current file. +ac_beg=1 # First line for current file. +ac_end=$ac_max_sed_cmds # Line after last line for current file. +ac_more_lines=: +ac_sed_cmds="" +while $ac_more_lines; do + if test $ac_beg -gt 1; then + sed "1,${ac_beg}d; ${ac_end}q" conftest.subs > conftest.s$ac_file + else + sed "${ac_end}q" conftest.subs > conftest.s$ac_file + fi + if test ! -s conftest.s$ac_file; then + ac_more_lines=false + rm -f conftest.s$ac_file + else + if test -z "$ac_sed_cmds"; then + ac_sed_cmds="sed -f conftest.s$ac_file" + else + ac_sed_cmds="$ac_sed_cmds | sed -f conftest.s$ac_file" + fi + ac_file=`expr $ac_file + 1` + ac_beg=$ac_end + ac_end=`expr $ac_end + $ac_max_sed_cmds` + fi +done +if test -z "$ac_sed_cmds"; then + ac_sed_cmds=cat +fi +EOF + +cat >> $CONFIG_STATUS <<EOF + +CONFIG_FILES=\${CONFIG_FILES-"Makefile"} +EOF +cat >> $CONFIG_STATUS <<\EOF +for ac_file in .. $CONFIG_FILES; do if test "x$ac_file" != x..; then + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". + case "$ac_file" in + *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` + ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + *) ac_file_in="${ac_file}.in" ;; + esac + + # Adjust a relative srcdir, top_srcdir, and INSTALL for subdirectories. + + # Remove last slash and all that follows it. Not all systems have dirname. + ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` + if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then + # The file is in a subdirectory. + test ! -d "$ac_dir" && mkdir "$ac_dir" + ac_dir_suffix="/`echo $ac_dir|sed 's%^\./%%'`" + # A "../" for each directory in $ac_dir_suffix. + ac_dots=`echo $ac_dir_suffix|sed 's%/[^/]*%../%g'` + else + ac_dir_suffix= ac_dots= + fi + + case "$ac_given_srcdir" in + .) srcdir=. + if test -z "$ac_dots"; then top_srcdir=. 
+ else top_srcdir=`echo $ac_dots|sed 's%/$%%'`; fi ;; + /*) srcdir="$ac_given_srcdir$ac_dir_suffix"; top_srcdir="$ac_given_srcdir" ;; + *) # Relative path. + srcdir="$ac_dots$ac_given_srcdir$ac_dir_suffix" + top_srcdir="$ac_dots$ac_given_srcdir" ;; + esac + + + echo creating "$ac_file" + rm -f "$ac_file" + configure_input="Generated automatically from `echo $ac_file_in|sed 's%.*/%%'` by configure." + case "$ac_file" in + *Makefile*) ac_comsub="1i\\ +# $configure_input" ;; + *) ac_comsub= ;; + esac + + ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` + sed -e "$ac_comsub +s%@configure_input@%$configure_input%g +s%@srcdir@%$srcdir%g +s%@top_srcdir@%$top_srcdir%g +" $ac_file_inputs | (eval "$ac_sed_cmds") > $ac_file +fi; done +rm -f conftest.s* + +# These sed commands are passed to sed as "A NAME B NAME C VALUE D", where +# NAME is the cpp macro being defined and VALUE is the value it is being given. +# +# ac_d sets the value in "#define NAME VALUE" lines. +ac_dA='s%^\([ ]*\)#\([ ]*define[ ][ ]*\)' +ac_dB='\([ ][ ]*\)[^ ]*%\1#\2' +ac_dC='\3' +ac_dD='%g' +# ac_u turns "#undef NAME" with trailing blanks into "#define NAME VALUE". +ac_uA='s%^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' +ac_uB='\([ ]\)%\1#\2define\3' +ac_uC=' ' +ac_uD='\4%g' +# ac_e turns "#undef NAME" without trailing blanks into "#define NAME VALUE". +ac_eA='s%^\([ ]*\)#\([ ]*\)undef\([ ][ ]*\)' +ac_eB='$%\1#\2define\3' +ac_eC=' ' +ac_eD='%g' + +if test "${CONFIG_HEADERS+set}" != set; then +EOF +cat >> $CONFIG_STATUS <<EOF + CONFIG_HEADERS="config.h:config.hin" +EOF +cat >> $CONFIG_STATUS <<\EOF +fi +for ac_file in .. $CONFIG_HEADERS; do if test "x$ac_file" != x..; then + # Support "outfile[:infile[:infile...]]", defaulting infile="outfile.in". 
+ case "$ac_file" in + *:*) ac_file_in=`echo "$ac_file"|sed 's%[^:]*:%%'` + ac_file=`echo "$ac_file"|sed 's%:.*%%'` ;; + *) ac_file_in="${ac_file}.in" ;; + esac + + echo creating $ac_file + + rm -f conftest.frag conftest.in conftest.out + ac_file_inputs=`echo $ac_file_in|sed -e "s%^%$ac_given_srcdir/%" -e "s%:% $ac_given_srcdir/%g"` + cat $ac_file_inputs > conftest.in + +EOF + +# Transform confdefs.h into a sed script conftest.vals that substitutes +# the proper values into config.h.in to produce config.h. And first: +# Protect against being on the right side of a sed subst in config.status. +# Protect against being in an unquoted here document in config.status. +rm -f conftest.vals +cat > conftest.hdr <<\EOF +s/[\\&%]/\\&/g +s%[\\$`]%\\&%g +s%#define \([A-Za-z_][A-Za-z0-9_]*\) *\(.*\)%${ac_dA}\1${ac_dB}\1${ac_dC}\2${ac_dD}%gp +s%ac_d%ac_u%gp +s%ac_u%ac_e%gp +EOF +sed -n -f conftest.hdr confdefs.h > conftest.vals +rm -f conftest.hdr + +# This sed command replaces #undef with comments. This is necessary, for +# example, in the case of _POSIX_SOURCE, which is predefined and required +# on some systems where configure will not decide to define it. +cat >> conftest.vals <<\EOF +s%^[ ]*#[ ]*undef[ ][ ]*[a-zA-Z_][a-zA-Z_0-9]*%/* & */% +EOF + +# Break up conftest.vals because some shells have a limit on +# the size of here documents, and old seds have small limits too. + +rm -f conftest.tail +while : +do + ac_lines=`grep -c . conftest.vals` + # grep -c gives empty output for an empty file on some AIX systems. + if test -z "$ac_lines" || test "$ac_lines" -eq 0; then break; fi + # Write a limited-size here document to conftest.frag. 
+ echo ' cat > conftest.frag <<CEOF' >> $CONFIG_STATUS + sed ${ac_max_here_lines}q conftest.vals >> $CONFIG_STATUS + echo 'CEOF + sed -f conftest.frag conftest.in > conftest.out + rm -f conftest.in + mv conftest.out conftest.in +' >> $CONFIG_STATUS + sed 1,${ac_max_here_lines}d conftest.vals > conftest.tail + rm -f conftest.vals + mv conftest.tail conftest.vals +done +rm -f conftest.vals + +cat >> $CONFIG_STATUS <<\EOF + rm -f conftest.frag conftest.h + echo "/* $ac_file. Generated automatically by configure. */" > conftest.h + cat conftest.in >> conftest.h + rm -f conftest.in + if cmp -s $ac_file conftest.h 2>/dev/null; then + echo "$ac_file is unchanged" + rm -f conftest.h + else + # Remove last slash and all that follows it. Not all systems have dirname. + ac_dir=`echo $ac_file|sed 's%/[^/][^/]*$%%'` + if test "$ac_dir" != "$ac_file" && test "$ac_dir" != .; then + # The file is in a subdirectory. + test ! -d "$ac_dir" && mkdir "$ac_dir" + fi + rm -f $ac_file + mv conftest.h $ac_file + fi +fi; done + +EOF +cat >> $CONFIG_STATUS <<EOF + +EOF +cat >> $CONFIG_STATUS <<\EOF + +exit 0 +EOF +chmod +x $CONFIG_STATUS +rm -fr confdefs* $ac_clean_files +test "$no_create" = yes || ${CONFIG_SHELL-/bin/sh} $CONFIG_STATUS || exit 1 + diff --git a/lib/libkeynote/configure.in b/lib/libkeynote/configure.in new file mode 100644 index 00000000000..4e1c0d222c3 --- /dev/null +++ b/lib/libkeynote/configure.in 
@@ -0,0 +1,50 @@
+dnl $OpenBSD: configure.in,v 1.1 1999/10/01 01:08:29 angelos Exp $
+dnl Process this file with autoconf to produce a configure script.
+AC_INIT(assertion.h)
+
+dnl Defs file
+AC_CONFIG_HEADER(config.h:config.hin)
+
+dnl Checks for programs.
+AC_PROG_LEX
+AC_PROG_CC
+AC_PROG_RANLIB
+AC_PROG_YACC
+AC_PATH_PROGS(SSLEAY, openssl ssleay, /usr/local/bin/ssleay, \
+ $PATH:/usr/local/bin:/usr/local/ssl/sbin:/usr/local/ssl/bin:/usr/ssl/bin:/usr/ssl/sbin:/usr/sbin:/usr/openssl/bin:/usr/openssl/bin:/usr/local/openssl/bin:/usr/local/openssl/sbin)
+AC_PATH_PROG(RM, rm, /bin/rm)
+AC_PATH_PROG(AR, ar, /usr/bin/ar)
+AC_PATH_PROG(NROFF, nroff, /usr/bin/nroff)
+AC_PATH_PROG(TAR, tar, /bin/tar)
+AC_PATH_PROG(TRUE, true, /usr/bin/true)
+AC_PATH_PROG(MKDIR, mkdir, /bin/mkdir)
+AC_PATH_PROG(TR, tr, /usr/bin/tr)
+AC_PATH_PROG(ECHO, echo, /bin/echo)
+AC_PATH_PROG(SED, sed, /usr/bin/sed)
+
+dnl Checks for libraries.
+AC_CHECK_LIB(m, floor)
+AC_CHECK_LIB(RSAglue, RSA_ref_private_decrypt)
+AC_CHECK_LIB(rsaref, RSAPrivateDecrypt)
+AC_CHECK_LIB(crypto, i2a_ASN1_STRING)
+
+dnl Checks for header files.
+AC_HEADER_STDC
+AC_HEADER_TIME
+AC_CHECK_HEADERS(fcntl.h limits.h unistd.h regex.h sys/time.h io.h)
+AC_CHECK_HEADERS(ssl/crypto.h openssl/crypto.h memory.h)
+
+dnl Checks for other files
+AC_CHECK_FILES(/dev/urandom)
+
+dnl Checks for typedefs, structures, and compiler characteristics.
+AC_C_CONST
+AC_CHECK_TYPE(u_int, unsigned int)
+AC_CHECK_TYPE(u_char, unsigned char)
+
+dnl Checks for library functions.
+AC_CHECK_FUNCS(regcomp open close read _open _close _read strchr memcpy)
+AC_CHECK_FUNCS(strcasecmp strncasecmp stricmp strnicmp snprintf __b64_ntop)
+AC_REPLACE_FUNCS(getopt)
+
+AC_OUTPUT(Makefile)
diff --git a/lib/libkeynote/doc/keynote-spec b/lib/libkeynote/doc/rfc2704.txt
index 8298e2ebe90..d41cd3ae165 100644
--- a/lib/libkeynote/doc/keynote-spec
+++ b/lib/libkeynote/doc/rfc2704.txt
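Review bot: `AC_CHECK_FILES(/dev/urandom)` probes the build host, and the HAVE_ macro it defines is baked into config.h, so any code that selects its random source on that macro commits to the build machine's device layout rather than that of the machine the library runs on; the consuming code is not in this hunk, so I would confirm that it opens the device at runtime and fails closed (returns an error) rather than silently falling back to a weaker source when the device is missing. A comment on that line such as `dnl build-host probe only; runtime code must still open() the device and handle its absence` would make the limitation explicit. On the library checks, `AC_CHECK_LIB(RSAglue, ...)`, `AC_CHECK_LIB(rsaref, ...)` and `AC_CHECK_LIB(crypto, ...)` each append to LIBS whenever the symbol links, independently of whether the later `AC_CHECK_HEADERS(ssl/crypto.h openssl/crypto.h memory.h)` line found a matching header, so a host with the library but neither header may end up with the link line set and the header feature macros unset. Minor: the search list in `AC_PATH_PROGS(SSLEAY, ...)` names `/usr/openssl/bin` twice.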
@@ -1,53 +1,40 @@ -Network Working Group Matt Blaze -INTERNET DRAFT Joan Feigenbaum -Expires in six months John Ioannidis - AT&T Labs - Research - Angelos D. Keromytis - U. of Pennsylvania - March 1999 - The KeyNote Trust-Management System - Version 2 - <draft-blaze-ietf-trustmgt-keynote-01.txt> -Status of this Memo - This document is an Internet-Draft and is in full conformance with - all provisions of Section 10 of RFC2026. - Please direct comments to one of the authors (for the authors contact - information, see the end of this document), and/or to the - trustmgt@east.isi.edu mailing list. - Internet Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working Groups. Note that - other groups may also distribute working documents as Internet - Drafts. - Internet-Drafts draft documents are valid for a maximum of six months - and may be updated, replaced, or obsoleted by other documents at any - time. It is inappropriate to use Internet-Drafts as reference - material or to cite them other than as "work in progress". +Network Working Group M. Blaze +Request for Comments: 2704 J. Feigenbaum +Category: Informational J. Ioannidis + AT&T Labs - Research + A. Keromytis + U. of Pennsylvania + September 1999 + + + The KeyNote Trust-Management System Version 2 - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt +Status of this Memo - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. + This memo provides information for the Internet community. It does + not specify an Internet standard of any kind. Distribution of this + memo is unlimited. - Distribution of this memo is unlimited. +Copyright Notice + + Copyright (C) The Internet Society (1999). All Rights Reserved. Abstract This memo describes version 2 of the KeyNote trust-management system. 
- It specifies the syntax and semantics of KeyNote `assertions,' + It specifies the syntax and semantics of KeyNote `assertions', describes `action attribute' processing, and outlines the application architecture into which a KeyNote implementation can be fit. The KeyNote architecture and language are useful as building blocks for the trust management aspects of a variety of Internet protocols and services. - 1. Introduction Trust management, introduced in the PolicyMaker system [BFL96], is a 
@@ -61,23 +48,35 @@ Abstract keys to names, credentials can bind keys directly to the authorization to perform specific tasks. + + + + + + + +Blaze, et al. Informational [Page 1] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + A trust-management system has five basic components: - * A language for describing `actions,' which are operations with - security consequences that are to be controlled by the system. + * A language for describing `actions', which are operations with + security consequences that are to be controlled by the system. - * A mechanism for identifying `principals,' which are entities that - can be authorized to perform actions. + * A mechanism for identifying `principals', which are entities that + can be authorized to perform actions. - * A language for specifying application `policies,' which govern the - actions that principals are authorized to perform. + * A language for specifying application `policies', which govern the + actions that principals are authorized to perform. - * A language for specifying `credentials,' which allow principals - to delegate authorization to other principals. + * A language for specifying `credentials', which allow principals to + delegate authorization to other principals. - * A `compliance checker,' which provides a service to applications - for determining how an action requested by principals should be - handled, given a policy and a set of credentials. + * A `compliance checker', which provides a service to applications + for determining how an action requested by principals should be + handled, given a policy and a set of credentials. The trust-management approach has a number of advantages over other mechanisms for specifying and controlling authorization, especially 
@@ -85,9 +84,9 @@ Abstract decentralized. Trust management unifies the notions of security policy, credentials, - access control, and authorization. An application that uses a trust- - management system can simply ask the compliance checker whether a - requested action should be allowed. Furthermore, policies and + access control, and authorization. An application that uses a + trust-management system can simply ask the compliance checker whether + a requested action should be allowed. Furthermore, policies and credentials are written in standard languages that are shared by all trust-managed applications; the security configuration mechanism for one application carries exactly the same syntactic and semantic 
@@ -103,38 +102,46 @@ Abstract distributed system security, see [Bla99]. KeyNote is a simple and flexible trust-management system designed to - work well for a variety of large- and small- scale Internet-based + work well for a variety of large- and small-scale Internet-based applications. It provides a single, unified language for both local policies and credentials. KeyNote policies and credentials, called - `assertions,' contain predicates that describe the trusted actions + `assertions', contain predicates that describe the trusted actions permitted by the holders of specific public keys. KeyNote assertions are essentially small, highly-structured programs. A signed + + + +Blaze, et al. Informational [Page 2] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + assertion, which can be sent over an untrusted network, is also - called a `credential assertion.' Credential assertions, which also + called a `credential assertion'. Credential assertions, which also serve the role of certificates, have the same syntax as policy assertions but are also signed by the principal delegating the trust. In KeyNote: - * Actions are specified as a collection of name-value pairs. + * Actions are specified as a collection of name-value pairs. - * Principal names can be any convenient string and can directly - represent cryptographic public keys. + * Principal names can be any convenient string and can directly + represent cryptographic public keys. - * The same language is used for both policies and credentials. + * The same language is used for both policies and credentials. - * The policy and credential language is concise, highly expressive, - human readable and writable, and compatible with a variety of - storage and transmission media, including electronic mail. + * The policy and credential language is concise, highly expressive, + human readable and writable, and compatible with a variety of + storage and transmission media, including electronic mail. 
- * The compliance checker returns an application-configured `policy - compliance value' that describes how a request should be handled - by the application. Policy compliance values are always - positively derived from policy and credentials, facilitating - analysis of KeyNote-based systems. + * The compliance checker returns an application-configured `policy + compliance value' that describes how a request should be handled + by the application. Policy compliance values are always + positively derived from policy and credentials, facilitating + analysis of KeyNote-based systems. - * Compliance checking is efficient enough for high-performance and - real-time applications. + * Compliance checking is efficient enough for high-performance and + real-time applications. This document describes the KeyNote policy and credential assertion language, the structure of KeyNote action descriptions, and the 
@@ -149,32 +156,39 @@ Abstract different interfaces to KeyNote compliance checkers; this document does not aim to specify a complete compliance checker API. - 2. KeyNote Concepts In KeyNote, the authority to perform trusted actions is associated - with one or more `principals.' A principal may be a physical entity, + with one or more `principals'. A principal may be a physical entity, a process in an operating system, a public key, or any other convenient abstraction. KeyNote principals are identified by a - string called a `Principal Identifier.' In some cases, a Principal + string called a `Principal Identifier'. In some cases, a Principal Identifier will contain a cryptographic key interpreted by the + + + +Blaze, et al. Informational [Page 3] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + KeyNote system (e.g., for credential signature verification). In other cases, Principal Identifiers may have a structure that is opaque to KeyNote. Principals perform two functions of concern to KeyNote: They request - `actions' and they issue `assertions.' Actions are any trusted + `actions' and they issue `assertions'. Actions are any trusted operations that an application places under KeyNote control. Assertions delegate the authorization to perform actions to other principals. Actions are described to the KeyNote compliance checker in terms of a - collection of name-value pairs called an `action attribute set.' The + collection of name-value pairs called an `action attribute set'. The action attribute set is created by the invoking application. Its structure and format are described in detail in Section 3 of this document. - KeyNote provides advice to applications on the interpretation of + KeyNote provides advice to applications about the interpretation of policy with regard to specific requested actions. Applications invoke the KeyNote compliance checker by issuing a `query' containing a proposed action attribute set and identifying the principal(s) 
@@ -203,6 +217,17 @@ Abstract of trust in KeyNote. "POLICY" is therefore considered to be authorized to perform any action. + + + + + + +Blaze, et al. Informational [Page 4] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + Assertions issued by the "POLICY" principal are called `policy assertions' and are used to delegate authority to otherwise untrusted principals. The KeyNote security policy of an application consists @@ -211,7 +236,7 @@ Abstract When a principal is identified by a public key, it can digitally sign assertions and distribute them over untrusted networks for use by other KeyNote compliance checkers. These signed assertions are also - called `credentials,' and serve a role similar to that of traditional + called `credentials', and serve a role similar to that of traditional public key certificates. Policies and credentials share the same syntax and are evaluated according to the same semantics. A principal can therefore convert its policy assertions into 
@@ -221,20 +246,20 @@ Abstract policies and credentials that are amenable to transmission and storage over a variety of media. Its assertion syntax is inspired by the format of RFC822-style message headers [Cro82]. A KeyNote - assertion contains a sequence of sections, called `fields,' each of - which specifying one aspect of the assertion's semantics. Fields + assertion contains a sequence of sections, called `fields', each of + which specifies one aspect of the assertion's semantics. Fields start with an identifier at the beginning of a line and continue until the next field is encountered. For example: - KeyNote-Version: 2 - Comment: A simple, if contrived, email certificate for user mab - Local-Constants: ATT_CA_key = "RSA:acdfa1df1011bbac" - mab_key = "DSA:deadbeefcafe001a" - Authorizer: ATT_CA_key - Licensees: mab_key - Conditions: ((app_domain == "email") # valid for email only - && (address == "mab@research.att.com")); - Signature: "RSA-SHA1:f00f2244" + KeyNote-Version: 2 + Comment: A simple, if contrived, email certificate for user mab + Local-Constants: ATT_CA_key = "RSA:acdfa1df1011bbac" + mab_key = "DSA:deadbeefcafe001a" + Authorizer: ATT_CA_key + Licensees: mab_key + Conditions: ((app_domain == "email") # valid for email only + && (address == "mab@research.att.com")); + Signature: "RSA-SHA1:f00f2244" The meanings of the various sections are described in Sections 4 and 5 of this document. 
@@ -251,16 +276,25 @@ Abstract positively derived from assertions made by trusted principals. Removing an assertion never results in increasing the compliance value returned by KeyNote for a given query. The monotonicity + + + +Blaze, et al. Informational [Page 5] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + property can simplify the design and analysis of complex network- based security protocols; network failures that prevent the transmission of credentials can never result in spurious - authorization of dangerous actions. - + authorization of dangerous actions. A detailed discussion of + monotonicity and safety in trust management can be found in [BFL96] + and [BFS98]. 3. Action Attributes Trusted actions to be evaluated by KeyNote are described by a - collection of name-value pairs called the `action attribute set.' + collection of name-value pairs called the `action attribute set'. Action attributes are the mechanism by which applications communicate requests to KeyNote and are the primary objects on which KeyNote assertions operate. An action attribute set is passed to the KeyNote @@ -275,7 +309,7 @@ Abstract Action attribute names and values are represented by arbitrary-length strings. KeyNote guarantees support of attribute names and values up to 2048 characters long. The handling of longer attribute names or - values is not specified and is KeyNote- implementation-dependent. + values is not specified and is KeyNote-implementation-dependent. Applications and assertions should therefore avoid depending on the the use of attributes with names or values longer than 2048 characters. The length of an attribute value is represented by an 
@@ -299,6 +333,13 @@ Abstract character and can be followed by any number of alphanumerics and underscores. Attribute names are case-sensitive. + + +Blaze, et al. Informational [Page 6] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + The exact mechanism for passing the action attribute set to the compliance checker is determined by the KeyNote implementation. Depending on specific requirements, an implementation may provide a @@ -343,6 +384,18 @@ Abstract policies and credentials that are to inter-operate in a specific KeyNote query evaluation. + + + + + + + +Blaze, et al. Informational [Page 7] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + By convention, the name of the application domain over which action attributes should be interpreted is given in the attribute named "app_domain". The IANA (or some other suitable authority) will @@ -373,7 +426,6 @@ Abstract attributes. (Indeed, we recognize that the reality of email security is considerably more complex than this example might suggest.) - 4. KeyNote Assertion Syntax In the following sections, the notation [X]* means zero or more @@ -381,7 +433,7 @@ Abstract more repetitions of X. The notation <X>* means zero or more repetitions of non-terminal <X>. The notation <X>+ means one or more repetitions of X, whereas <X>? means zero or one repetitions of X. - Nonterminal grammar symbols are enclosed in angled brackets. Quoted + Nonterminal grammar symbols are enclosed in angle brackets. Quoted strings in grammar productions represent terminals. 4.1 Basic Structure 
@@ -392,7 +444,15 @@ Abstract All KeyNote assertions are encoded in ASCII. - KeyNote assertions are divided into sections, called `fields,' that + + + +Blaze, et al. Informational [Page 8] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + + KeyNote assertions are divided into sections, called `fields', that serve various semantic functions. Each field starts with an identifying label at the beginning of a line, followed by the ":" character and the field's contents. There can be at most one field @@ -430,7 +490,7 @@ Abstract 4.2 Comments - <Comment>:: "#" {ASCII characters} ; + <Comment>:: "#" {ASCII characters} ; The octothorp character ("#", ASCII 35 decimal) can be used to introduce comments. Outside of quoted strings (see Section 4.3), all @@ -438,6 +498,16 @@ Abstract are ignored. However, commented text is included in the computation of assertion signatures (see Section 4.6.7). + + + + + +Blaze, et al. Informational [Page 9] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 4.3 Strings A `string' is a lexical object containing a sequence of characters. @@ -447,7 +517,7 @@ Abstract 4.3.1 String Literals - <StringLiteral>:: "\"" {see description below} "\"" ; + <StringLiteral>:: "\"" {see description below} "\"" ; A string literal directly represents the value of a string. String literals must be quoted by preceding and following them with the @@ -480,10 +550,20 @@ Abstract "\"). The following four strings are equivalent: "this string contains a newline\n followed by one space." - "this string contains a newline\n \ followed by one space." + + + + + + +Blaze, et al. Informational [Page 10] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + "this str\ ing contains a \ newline\n followed by one space." 
@@ -532,6 +612,14 @@ Abstract dereferenced as a string and the value zero when dereferenced as an integer or float. + + + +Blaze, et al. Informational [Page 11] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + Attribute names may be given literally or calculated from string expressions and may be recursively dereferenced. In the simplest case, an attribute is dereferenced simply by using its name outside @@ -543,11 +631,11 @@ Abstract attribute "xyz" contains the string "qua", the following string comparisons are all true: - foo == "bar" - $("foo") == "bar" - $foo == "xyz" - $(foo) == "xyz" - $$foo == "qua" + foo == "bar" + $("foo") == "bar" + $foo == "xyz" + $(foo) == "xyz" + $$foo == "qua" If <StrEx> evaluates to an invalid or uninitialized attribute name, its value is considered to be the empty string (or zero if used as a @@ -560,7 +648,7 @@ Abstract 4.5 Principal Identifiers Principals are represented as ASCII strings called `Principal - Identifiers.' Principal Identifiers may be arbitrary labels whose + Identifiers'. Principal Identifiers may be arbitrary labels whose structure is not interpreted by the KeyNote system or they may encode cryptographic keys that are used by KeyNote for credential signature verification. 
@@ -568,20 +656,30 @@ Abstract <PrincipalIdentifier>:: <OpaqueID> | <KeyID> ; -4.5.1 Opaque Principal Identifiers + 4.5.1 Opaque Principal Identifiers Principal Identifiers that are used by KeyNote only as labels are - said to be `opaque.' Opaque identifiers are encoded in assertions as + said to be `opaque'. Opaque identifiers are encoded in assertions as strings (see Section 4.3): <OpaqueID>:: <StrEx> ; Opaque identifier strings should not contain the ":" character. + + + + + +Blaze, et al. Informational [Page 12] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 4.5.2 Cryptographic Principal Identifiers Principal Identifiers that are used by KeyNote as keys, e.g., to - verify credential signatures, are said to be `cryptographic.' + verify credential signatures, are said to be `cryptographic'. Cryptographic identifiers are also lexically encoded as strings: <KeyID>:: <StrEx> ; @@ -626,6 +724,14 @@ Abstract <VersionString>:: <StringLiteral> | <IntegerLiteral> ; + + + +Blaze, et al. Informational [Page 13] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + where <VersionString> is an ASCII-encoded string. Assertions in production versions of KeyNote use decimal digits in the version representing the version number of the KeyNote language under which @@ -672,6 +778,16 @@ Abstract The Principal Identifier may be given directly or by reference to the attribute namespace (as defined in Section 4.4). + + + + + +Blaze, et al. Informational [Page 14] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 4.6.4 The Licensees Field The Licensees field identifies the principals authorized by the 
@@ -709,83 +825,98 @@ Abstract operate on the action attribute set. The Conditions field is of the form: - <ConditionsField>:: "Conditions:" <ConditionsProgram> ; - - <ConditionsProgram>:: /* Can be empty */ - | <Clause> ";" <ConditionsProgram> ; - - <Clause>:: <Test> "->" "{" <ConditionsProgram> "}" - | <Test> "->" <Value> - | <Test> ; - - <Value>:: <StrEx> ; - - <Test>:: <RelExpr> ; - - <RelExpr>:: "(" <RelExpr> ")" /* Parentheses */ - | <RelExpr> "&&" <RelExpr> /* Logical AND */ - | <RelExpr> "||" <RelExpr> /* Logical OR */ - | "!" <RelExpr> /* Logical NOT */ - | <IntRelExpr> - | <FloatRelExpr> - | <StringRelExpr> - | "true" /* case insensitive */ - | "false" ; /* case insensitive */ - - <IntRelExpr>:: <IntEx> "==" <IntEx> - | <IntEx> "!=" <IntEx> - | <IntEx> "<" <IntEx> - | <IntEx> ">" <IntEx> - | <IntEx> "<=" <IntEx> - | <IntEx> ">=" <IntEx> ; - - <FloatRelExpr>:: <FloatEx> "<" <FloatEx> - | <FloatEx> ">" <FloatEx> - | <FloatEx> "<=" <FloatEx> - | <FloatEx> ">=" <FloatEx> ; - - <StringRelExpr>:: <StrEx> "==" <StrEx> /* String equality */ - | <StrEx> "!=" <StrEx> /* String inequality */ - | <StrEx> "<" <StrEx> /* Alphanum. comparisons */ - | <StrEx> ">" <StrEx> - | <StrEx> "<=" <StrEx> - | <StrEx> ">=" <StrEx> - | <StrEx> "~=" <RegExpr> ; /* Reg. expr. 
matching */ - - <IntEx>:: <IntEx> "+" <IntEx> /* Integer */ - | <IntEx> "-" <IntEx> - | <IntEx> "*" <IntEx> - | <IntEx> "/" <IntEx> - | <IntEx> "%" <IntEx> - | <IntEx> "^" <IntEx> /* Exponentiation */ - | "-" <IntEx> - | "(" <IntEx> ")" - | <IntegerLiteral> - | "@" <StrEx> ; - - <FloatEx>:: <FloatEx> "+" <FloatEx> /* Floating point */ - | <FloatEx> "-" <FloatEx> - | <FloatEx> "*" <FloatEx> - | <FloatEx> "/" <FloatEx> - | <FloatEx> "^" <FloatEx> /* Exponentiation */ - | "-" <FloatEx> - | "(" <FloatEx> ")" - | <FloatLiteral> - | "&" <StrEx> ; - - <IntegerLiteral>:: {Decimal number of at least one digit} ; - <FloatLiteral>:: <IntegerLiteral>"."<IntegerLiteral> ; - - <StringLiteral> is a quoted string as defined in Section 4.3 - <AttributeID> is defined in Section 3. + <ConditionsField>:: "Conditions:" <ConditionsProgram> ; - The operation precedence classes are (from highest to lowest): + <ConditionsProgram>:: /* Can be empty */ + | <Clause> ";" <ConditionsProgram> ; + + <Clause>:: <Test> "->" "{" <ConditionsProgram> "}" + | <Test> "->" <Value> + | <Test> ; + + <Value>:: <StrEx> ; + + + + +Blaze, et al. Informational [Page 15] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + + <Test>:: <RelExpr> ; + + <RelExpr>:: "(" <RelExpr> ")" /* Parentheses */ + | <RelExpr> "&&" <RelExpr> /* Logical AND */ + | <RelExpr> "||" <RelExpr> /* Logical OR */ + | "!" 
<RelExpr> /* Logical NOT */ + | <IntRelExpr> + | <FloatRelExpr> + | <StringRelExpr> + | "true" /* case insensitive */ + | "false" ; /* case insensitive */ + + <IntRelExpr>:: <IntEx> "==" <IntEx> + | <IntEx> "!=" <IntEx> + | <IntEx> "<" <IntEx> + | <IntEx> ">" <IntEx> + | <IntEx> "<=" <IntEx> + | <IntEx> ">=" <IntEx> ; + + <FloatRelExpr>:: <FloatEx> "<" <FloatEx> + | <FloatEx> ">" <FloatEx> + | <FloatEx> "<=" <FloatEx> + | <FloatEx> ">=" <FloatEx> ; - { (, ) } - {unary -, @, &, $} - {^} - {*, /, %} - {+, -, .} + <StringRelExpr>:: <StrEx> "==" <StrEx> /* String equality */ + | <StrEx> "!=" <StrEx> /* String inequality */ + | <StrEx> "<" <StrEx> /* Alphanum. comparisons */ + | <StrEx> ">" <StrEx> + | <StrEx> "<=" <StrEx> + | <StrEx> ">=" <StrEx> + | <StrEx> "~=" <RegExpr> ; /* Reg. expr. matching */ + + <IntEx>:: <IntEx> "+" <IntEx> /* Integer */ + | <IntEx> "-" <IntEx> + | <IntEx> "*" <IntEx> + | <IntEx> "/" <IntEx> + | <IntEx> "%" <IntEx> + | <IntEx> "^" <IntEx> /* Exponentiation */ + | "-" <IntEx> + | "(" <IntEx> ")" + | <IntegerLiteral> + | "@" <StrEx> ; + + <FloatEx>:: <FloatEx> "+" <FloatEx> /* Floating point */ + | <FloatEx> "-" <FloatEx> + | <FloatEx> "*" <FloatEx> + | <FloatEx> "/" <FloatEx> + | <FloatEx> "^" <FloatEx> /* Exponentiation */ + + + +Blaze, et al. Informational [Page 16] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + + | "-" <FloatEx> + | "(" <FloatEx> ")" + | <FloatLiteral> + | "&" <StrEx> ; + + <IntegerLiteral>:: {Decimal number of at least one digit} ; + <FloatLiteral>:: <IntegerLiteral>"."<IntegerLiteral> ; + + <StringLiteral> is a quoted string as defined in Section 4.3 + <AttributeID> is defined in Section 3. + + The operation precedence classes are (from highest to lowest): + { (, ) } + {unary -, @, &, $} + {^} + {*, /, %} + {+, -, .} Operators in the same precedence class are evaluated left-to-right. 
@@ -812,6 +943,19 @@ Abstract properly converted (e.g., it contains invalid characters or is empty) its value is considered to be zero. + + + + + + + + +Blaze, et al. Informational [Page 17] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 4.6.6 The Comment Field The Comment field allows assertions to be annotated with information @@ -822,12 +966,12 @@ Abstract No interpretation of the contents of this field is performed by KeyNote. Note that this is one of two mechanisms for including comments in KeyNote assertions; comments can also be inserted - anywhere in an assertion's body by preceeding them with the "#" + anywhere in an assertion's body by preceding them with the "#" character (except inside string literals). 4.6.7 The Signature Field - The Signature field identifies a signed assertions and gives the + The Signature field identifies a signed assertion and gives the encoded digital signature of the principal identified in the Authorizer field. The Signature field is of the form: 
@@ -848,18 +992,26 @@ Abstract be the same. If the signature field is included, the principal named in the - Authorizer field must be a Cryptographic Principal Indentifier, the + Authorizer field must be a Cryptographic Principal Identifier, the algorithm must be known to the KeyNote implementation, and the signature must be correct for the assertion body and authorizer key. The signature is computed over the assertion text, beginning with the first field (including the field identifier string), up to (but not - including) the Signature field identifier. The newline preceeding - the signature field identifier is the last character included in + including) the Signature field identifier. The newline preceding the + signature field identifier is the last character included in signature calculation. The signature is always the last field in a KeyNote assertion. Text following this field is not considered part of the assertion. + + + +Blaze, et al. Informational [Page 18] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + The algorithms for computing and verifying signatures must be configured into each KeyNote implementation and are defined and documented separately. @@ -868,7 +1020,6 @@ Abstract fictitious and generally much shorter than would be required for security in practice. - 5. Query Evaluation Semantics The KeyNote compliance checker finds and returns the Policy 
@@ -878,15 +1029,15 @@ Abstract A KeyNote query has four parameters: - * The identifier of the principal(s) requesting the action. + * The identifier of the principal(s) requesting the action. - * The action attribute set describing the action. + * The action attribute set describing the action. - * The set of compliance values of interest to the application, - ordered from _MIN_TRUST to _MAX_TRUST + * The set of compliance values of interest to the application, + ordered from _MIN_TRUST to _MAX_TRUST - * The policy and credential assertions that should be included - in the evaluation. + * The policy and credential assertions that should be included in + the evaluation. The mechanism for passing these parameters to the KeyNote evaluator is application dependent. In particular, an evaluator might provide @@ -903,10 +1054,20 @@ Abstract `requester' of the action. Actions may be requested by several principals, each considered to have individually requested it. This allows policies that require multiple authorizations, e.g., `two - person control.' The set of authorizing principals is made available + person control'. The set of authorizing principals is made available in the special attribute "_ACTION_AUTHORIZERS"; if several principals are authorizers, their identifiers are separated with commas. + + + + + +Blaze, et al. Informational [Page 19] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 5.1.2 Ordered Compliance Value Set The set of compliance values of interest to an application (and their 
@@ -916,7 +1077,7 @@ Abstract sets {FALSE, TRUE} or {REJECT, APPROVE}. Other applications may require a range of possible values, e.g., {No_Access, Limited_Access, Full_Access}. Note that applications should include in this set only - compliance values names that are actually returned by the assertions. + compliance value names that are actually returned by the assertions. The lowest-order and highest-order compliance value strings given in the query are available in the special attributes named "_MIN_TRUST" @@ -952,14 +1113,25 @@ Abstract Value of the principal named "POLICY". This value is defined as follows: + + + + + + +Blaze, et al. Informational [Page 20] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 5.3.1 Principal Compliance Value The Compliance Value of a principal <X> is the highest order (maximum) of: - - the Direct Authorization Value of principal <X>; and + - the Direct Authorization Value of principal <X>; and - - the Assertion Compliance Values of all assertions identifying + - the Assertion Compliance Values of all assertions identifying <X> in the Authorizer field. 5.3.2 Direct Authorization Value 
@@ -976,23 +1148,23 @@ Abstract 5.3.4 Conditions Compliance Value - The Conditions Compliance Value of an assertion is the highest- order + The Conditions Compliance Value of an assertion is the highest-order (maximum) value among all successful clauses listed in the conditions section. If no clause's test succeeds or the Conditions field is empty, an - assertion's conditions compliance value is considered to be the + assertion's Conditions Compliance Value is considered to be the _MIN_TRUST value, as defined Section 5.1. If an assertion's Conditions field is missing entirely, its - conditions compliance value is considered to be the _MAX_TRUST value, + Conditions Compliance Value is considered to be the _MAX_TRUST value, as defined in Section 5.1. The set of successful test clause values is calculated as follows: Recall from the grammar of section 4.6.5 that each clause in the conditions section has two logical parts: a `test' and an optional - `value,' which, if present, is separated from the test with the "->" + `value', which, if present, is separated from the test with the "->" token. The test subclause is a predicate that either succeeds (evaluates to logical `true') or fails (evaluates to logical `false'). The value subclause is a string expression that evaluates @@ -1000,6 +1172,14 @@ Abstract query. If the value subclause is missing, it is considered to be _MAX_TRUST. That is, the clause + + + +Blaze, et al. Informational [Page 21] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + foo=="bar"; is equivalent to 
@@ -1022,12 +1202,12 @@ Abstract would contain the values "guest_access" (by clause (3)) and "full_access" (by clause (4)). If the ordered set of compliance values given in the query (in ascending order) is {"no_access", - "guest_access", "user_access", "full_access"}, the conditions - compliance value of the assertion would be "full_access" (because + "guest_access", "user_access", "full_access"}, the Conditions + Compliance Value of the assertion would be "full_access" (because "full_access" has a higher-order value than "guest_access"). If the "user_id" attribute had the value "19283" and the "user_name" attribute had the value "nobody", no clause would succeed and the - conditions compliance value would be "no_access", which is the + Conditions Compliance Value would be "no_access", which is the lowest-order possible value (_MIN_TRUST). If a clause lists an explicit value, its value string must be named @@ -1048,6 +1228,14 @@ Abstract (a=="b") && (d=="e") -> "value2"; (a=="b") -> "value3"; + + + +Blaze, et al. Informational [Page 22] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + String comparisons are case-sensitive. A regular expression comparison ("~=") is considered true if the @@ -1055,9 +1243,9 @@ Abstract expression. If the POSIX regular expression group matching scheme is used, the number of groups matched is placed in the temporary meta- attribute "_0" (dereferenced as _0), and each match is placed in - sequence in the temporary attributes (_1, _2, ..., _N). These match - attributes values are valid only within subsequent references made - within the same clause. Regular expression evaluation is case- + sequence in the temporary attributes (_1, _2, ..., _N). These + match-attributes' values are valid only within subsequent references + made within the same clause. Regular expression evaluation is case- sensitive. A runtime error occurring in the evaluation of a test, such as 
@@ -1095,19 +1283,28 @@ Abstract The licensees expression (as defined in Section 4.6.4) is evaluated as follows: - * A "(...)" expression has the value of the enclosed subexpression. - * A "&&" expression has the lower-order (minimum) of its two - subexpression values. - * A "||" expression has the higher-order (maximum) of its two - subexpression values. - * A "<K>-of(<List>)" expression has the K-th highest order - compliance value listed in <list>. Values that appear multiple - times are counted with multiplicity. For example, if K = 3 and - the orders of the listed compliance values are (0, 1, 2, 2, 3), - the value of the expression is the compliance value of order 2. + +Blaze, et al. Informational [Page 23] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + + * A "(...)" expression has the value of the enclosed subexpression. + + * A "&&" expression has the lower-order (minimum) of its two + subexpression values. + + * A "||" expression has the higher-order (maximum) of its two + subexpression values. + + * A "<K>-of(<List>)" expression has the K-th highest order + compliance value listed in <list>. Values that appear multiple + times are counted with multiplicity. For example, if K = 3 and + the orders of the listed compliance values are (0, 1, 2, 2, 3), + the value of the expression is the compliance value of order 2. For example, consider the following Licensees field: 
@@ -1134,15 +1331,23 @@ Abstract Implementations that permit signed credentials to be verified by the KeyNote compliance checker generally provide two `channels' through - which applications can make assertions available. Unsigned, locally- - trusted assertions are provided over a `trusted' interface, while - signed credentials are provided over an `untrusted' interface. The - KeyNote compliance checker verifies correct signatures for all + which applications can make assertions available. Unsigned, + locally-trusted assertions are provided over a `trusted' interface, + while signed credentials are provided over an `untrusted' interface. + The KeyNote compliance checker verifies correct signatures for all assertions submitted over the untrusted interface. The integrity of KeyNote evaluation requires that only assertions trusted as reflecting local policy are submitted to KeyNote via the trusted interface. + + + +Blaze, et al. Informational [Page 24] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + Note that applications that use KeyNote exclusively as a local policy specification mechanism need use only trusted assertions. Other applications might need only a small number of infrequently changed @@ -1174,7 +1379,6 @@ Abstract them to the invoking application if requested. Such mechanisms are outside the scope of this document. - 6. Examples In this section, we give examples of KeyNote assertions that might be @@ -1188,6 +1392,18 @@ Abstract these examples do not represent the result of any real signature calculation. + + + + + + + +Blaze, et al. Informational [Page 25] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 1. TRADITIONAL CA / EMAIL A. A policy unconditionally authorizing RSA key abc123 for all 
@@ -1230,6 +1446,20 @@ Abstract (address == "mab@keynote.research.att.com")); Signature: "DSA-SHA1:ab23487" + + + + + + + + + +Blaze, et al. Informational [Page 26] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + D. Another certificate credential for a specific user, also issued by the `Alice' authority. This example allows three different keys to sign as jf@keynote.research.att.com (each @@ -1276,6 +1506,16 @@ Abstract address = "mab@keynote.research.att.com" name = "J. Feigenbaum" + + + + + +Blaze, et al. Informational [Page 27] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 2. WORKFLOW/ELECTRONIC COMMERCE E. A policy that delegates authority for the "SPEND" application @@ -1323,6 +1563,15 @@ Abstract Conditions: (app_domain=="SPEND") && (@(dollars) < 1000); + + + + +Blaze, et al. Informational [Page 28] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + H. A credential from dab212 with a similar policy, but only one signer is required if @(dollars) < 500. A log entry is made if the amount is at least 100. @@ -1369,6 +1618,16 @@ Abstract app_domain = "SPEND" dollars = "150" + + + + + +Blaze, et al. Informational [Page 29] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + However, the following return "Reject" (_MIN_TRUST): _ACTION_AUTHORIZERS = "DSA:def975" @@ -1379,7 +1638,6 @@ Abstract app_domain = "SPEND" dollars = "5500" - 7. Trust-Management Architecture KeyNote provides a simple mechanism for describing security policy 
@@ -1400,23 +1658,31 @@ Abstract KeyNote output as a policy enforcement mechanism depends on a number of factors: - * The action attributes and the assignment of their values must - reflect accurately the security requirements of the application. - Identifying the attributes to include in the action attribute set - is perhaps the most important task in integrating KeyNote into - new applications. + * The action attributes and the assignment of their values must + reflect accurately the security requirements of the application. + Identifying the attributes to include in the action attribute set + is perhaps the most important task in integrating KeyNote into new + applications. + + * The policy of the application must be correct and well-formed. In + particular, trust must be deferred only to principals that should, + in fact, be trusted by the application. - * The policy of the application must be correct and well-formed. - In particular, trust must be deferred only to principals that - should, in fact, be trusted by the application. + * The application itself must be trustworthy. KeyNote does not + directly enforce policy; it only provides advice to the + applications that call it. In other words, KeyNote assumes that + the application itself is trusted and that the policy assertions + it specifies are correct. Nothing prevents an application from + submitting misleading or incorrect assertions to KeyNote or from + ignoring KeyNote altogether. + + + + +Blaze, et al. Informational [Page 30] + +RFC 2704 The KeyNote Trust-Management System September 1999 - * The application itself must be trustworthy. KeyNote does not - directly enforce policy; it only provides advice to the - applications that call it. In other words, KeyNote assumes that - the application itself is trusted and that the policy assertions - it specifies are correct. Nothing prevents an application from - submitting misleading or incorrect assertions to KeyNote or from - ignoring KeyNote altogether. 
It is also up to the application (or some service outside KeyNote) to select the appropriate credentials and policy assertions with which @@ -1452,34 +1718,41 @@ Abstract communicating their queries via some interprocess communication mechanism. - 8. Security Considerations Trust management is itself a security service. Bugs in or incorrect use of a KeyNote compliance checker implementation could have security implications for any applications in which it is used. - 9. IANA Considerations This document contains three identifiers to be maintained by the IANA. This section explains the criteria to be used by the IANA to assign additional identifiers in each of these lists. + + + + + +Blaze, et al. Informational [Page 31] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + 9.1 app_domain Identifiers - The only requirement on IANA on allocation of these identifiers is + The only thing required of IANA on allocation of these identifiers is that they be unique strings. These strings are case-sensitive for - KeyNote purposes, however it is strongly recommended that IANA - assigns different capitalizations of the same string only to the same + KeyNote purposes, however it is strongly recommended that IANA assign + different capitalizations of the same string only to the same organization. - 9.2 Public Key Format Identifiers These strings uniquely identify a public key algorithm as used in the KeyNote system for representing keys. Requests for assignment of new - identifiers must be accompanied by an RFC-style document which + identifiers must be accompanied by an RFC-style document that describes the details of this encoding. Example strings are "rsa- hex:" and "dsa-base64:". These strings are case-insensitive. 
@@ -1488,18 +1761,46 @@ Abstract These strings uniquely identify a public key algorithm as used in the KeyNote system for representing public key signatures. Requests for assignment of new identifiers must be accompanied by an RFC-style - document which describes the details of this encoding. Example - strings are "sig-rsa-md5-hex:" and "sig-dsa-sha1-base64:". Note that - all such strings must begin with the prefix "sig-". These strings - are case-insensitive. + document that describes the details of this encoding. Example strings + are "sig-rsa-md5-hex:" and "sig-dsa-sha1-base64:". Note that all + such strings must begin with the prefix "sig-". These strings are + case-insensitive. + + + + + + + + + + + + + + + + + + + + + + + + + + +Blaze, et al. Informational [Page 32] + +RFC 2704 The KeyNote Trust-Management System September 1999 A. Acknowledgments We thank Lorrie Faith Cranor (AT&T Labs - Research) and Jonathan M. Smith (University of Pennsylvania) for their suggestions and comments - on earlier versions of this. - + on earlier versions of this document. B. Full BNF (alphabetical order) @@ -1544,6 +1845,13 @@ B. Full BNF (alphabetical order) | <FloatEx> "<=" <FloatEx> | <FloatEx> ">=" <FloatEx> ; + + +Blaze, et al. Informational [Page 33] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + <FloatLiteral>:: <IntegerLiteral>"."<IntegerLiteral> ; <IDString>:: <ALGORITHM>":"<ENCODEDBITS> ; @@ -1593,6 +1901,13 @@ B. Full BNF (alphabetical order) <SignatureField>:: "Signature:" <Signature> ; + + +Blaze, et al. Informational [Page 34] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + <StrEx>:: <StrEx> "." <StrEx> | <StringLiteral> | "(" <StrEx> ")" | <DerefAttribute> | "$" <StrEx> ; 
@@ -1611,19 +1926,18 @@ B. Full BNF (alphabetical order) <VersionString>:: <StringLiteral> | <IntegerLiteral> ; - References [BFL96] M. Blaze, J. Feigenbaum, J. Lacy. Decentralized Trust Management. Proceedings of the 17th IEEE Symp. on Security - and Privacy. pp 164-173. IEEE Computer Society, - 1996. Available at + and Privacy. pp 164-173. IEEE Computer Society, 1996. + Available at <ftp://ftp.research.att.com/dist/mab/policymaker.ps> [BFS98] M. Blaze, J. Feigenbaum, M. Strauss. Compliance-Checking in - the PolicyMaker Trust-Management System. Proc. 2nd - Financial Crypto Conference. Anguila 1998. LNCS #1465, pp - 251-265, Springer-Verlag, 1998. Available at + the PolicyMaker Trust-Management System. Proc. 2nd Financial + Crypto Conference. Anguilla 1998. LNCS #1465, pp 251-265, + Springer-Verlag, 1998. Available at <ftp://ftp.research.att.com/dist/mab/pmcomply.ps> [Bla99] M. Blaze, J. Feigenbaum, J. Ioannidis, A. Keromytis. The @@ -1633,8 +1947,8 @@ References Springer-Verlag, 1999. Available at <ftp://ftp.research.att.com/dist/mab/trustmgt.ps>. - [Cro82] D. H. Crocker. Standard for the Format of ARPA Internet - Text Messages. RFC 822. August 1982. + [Cro82] Crocker, D., "Standard for the Format of ARPA Internet Text + Messages", STD 11, RFC 822, August 1982. [DSA94] Digital Signature Standard. FIPS-186. National Institute of Standards, U.S. Department of Commerce. May 1994. 
@@ -1642,35 +1956,68 @@ References [PKCS1] PKCS #1: RSA Encryption Standard, Version 1.5. RSA Laboratories. November 1993. + + + +Blaze, et al. Informational [Page 35] + +RFC 2704 The KeyNote Trust-Management System September 1999 + + [RSA78] R. L. Rivest, A. Shamir, L. M. Adleman. A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. - Communications of the ACM, v21n2. pp 120-126. February - 1978. + Communications of the ACM, v21n2. pp 120-126. February 1978. +Authors' Addresses -Contacts - - Comments about this document should be discussed on the - trustmgt@east.isi.edu mailing list. The archive for that list can be - found at http://www.cairn.net/trustmgt/. + Comments about this document should be discussed on the keynote-users + mailing list hosted at nsa.research.att.com. To subscribe, send an + email message containing the single line + subscribe keynote-users + in the message body to <majordomo@nsa.research.att.com>. Questions about this document can also be directed to the authors as a group at the keynote@research.att.com alias, or to the individual authors at: - Matt Blaze Joan Feigenbaum John Ioannidis - mab@research.att.com jf@research.att.com ji@research.att.com + Matt Blaze + AT&T Labs - Research + 180 Park Avenue + Florham Park, New Jersey 07932-0971 + + EMail: mab@research.att.com + + + Joan Feigenbaum + AT&T Labs - Research + 180 Park Avenue + Florham Park, New Jersey 07932-0971 + + EMail: jf@research.att.com + + + John Ioannidis + AT&T Labs - Research + 180 Park Avenue + Florham Park, New Jersey 07932-0971 + + EMail: ji@research.att.com + + + Angelos D. Keromytis + Distributed Systems Lab + CIS Department, University of Pennsylvania + 200 S. 33rd Street + Philadelphia, Pennsylvania 19104-6389 + + EMail: angelos@dsl.cis.upenn.edu - AT&T Labs - Research - 180 Park Avenue - Florham Park, New Jersey 07932-0000 - Angelos D. Keromytis - Distributed Systems Lab - CIS Department, University of Pennsylvania - 200 S. 
33rd Street - Philadelphia, Pennsylvania 19104-6389 - Email: angelos@dsl.cis.upenn.edu + + +Blaze, et al. Informational [Page 36] + +RFC 2704 The KeyNote Trust-Management System September 1999 Full Copyright Statement @@ -1701,7 +2048,10 @@ Full Copyright Statement HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. +Acknowledgement + Funding for the RFC Editor function is currently provided by the + Internet Society. @@ -1721,20 +2071,5 @@ Full Copyright Statement - - - - - - - - - - - - - - - - - +Blaze, et al. Informational [Page 37] + diff --git a/lib/libkeynote/environment.c b/lib/libkeynote/environment.c index 232f98aaaf9..fd38332ef7d 100644 --- a/lib/libkeynote/environment.c +++ b/lib/libkeynote/environment.c @@ -1,4 +1,4 @@ -/* $OpenBSD: environment.c,v 1.2 1999/05/31 20:09:58 angelos Exp $ */ +/* $OpenBSD: environment.c,v 1.3 1999/10/01 01:08:29 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -19,16 +19,35 @@ * PURPOSE. */ -#include <stdio.h> +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#include <sys/types.h> #include <stdlib.h> -#include <string.h> +#include <stdio.h> #include <ctype.h> + +#if STDC_HEADERS +#include <string.h> +#if !defined(HAVE_MEMCPY) +#define memcpy(d, s, n) bcopy ((s), (d), (n)) +#endif /* !HAVE_MEMCPY */ +#endif /* STDC_HEADERS */ + +#if HAVE_MEMORY_H +#include <memory.h> +#endif /* HAVE_MEMORY_H */ + +#if HAVE_FCNTL_H #include <fcntl.h> -#ifdef WIN32 +#endif /* HAVE_FCNTL_H */ + +#if HAVE_IO_H #include <io.h> -#else +#elif HAVE_UNISTD_H #include <unistd.h> -#endif +#endif /* HAVE_IO_H */ #include "keynote.h" #include "assertion.h" @@ -351,7 +370,6 @@ static int keynote_init_environment(void) { #ifdef CRYPTO -#if defined(KEYNOTERNDFILENAME) int cnt = KEYNOTE_RAND_INIT_LEN, i; do 
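Review bot: The `#define memcpy(d, s, n) bcopy ((s), (d), (n))` fallback in environment.c is placed inside the `#if STDC_HEADERS` branch, i.e. it is only defined when `<string.h>` is included and a real memcpy is almost certainly present, and it is missing in the non-STDC case where the bcopy substitute would actually be needed; the usual autoconf idiom puts the `#ifndef HAVE_MEMCPY` fallback in the `#else` branch of the STDC_HEADERS test. The same inversion appears in keynote-verify.c (`@@ -19,23 +19,40 @@`) and in getopt.c with `#define strchr index`. Since kn_read_asserts and keynote_verify now call memcpy unconditionally, a build without STDC_HEADERS gets neither a declaration nor the substitute.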
@@ -364,10 +382,8 @@ keynote_init_environment(void) cnt -= i; } while (cnt > 0); -#else /* KEYNOTERNDFILENAME */ -#error "You need to seed the RNG." -#endif /* KEYNOTERNDFILENAME */ #endif /* CRYPTO */ + memset(keynote_current_session->ks_env_table, 0, HASHTABLESIZE * sizeof(struct environment *)); memset(keynote_current_session->ks_assertion_table, 0, @@ -465,6 +481,35 @@ kn_init(void) } /* + * Cleanup the action environment. + */ +int +kn_cleanup_action_environment(int sessid) +{ + struct keynote_session *ks; + + keynote_errno = 0; + if ((keynote_current_session == (struct keynote_session *) NULL) || + (keynote_current_session->ks_id != sessid)) + { + keynote_current_session = keynote_find_session(sessid); + if (keynote_current_session == (struct keynote_session *) NULL) + { + keynote_errno = ERROR_NOTFOUND; + return -1; + } + } + + ks = keynote_current_session; + + /* Cleanup environment */ + keynote_env_cleanup(ks->ks_env_table, HASHTABLESIZE); + keynote_env_cleanup(&(ks->ks_env_regex), 1); + + return 0; +} + +/* * Close a session. */ int @@ -488,7 +533,7 @@ kn_close(int sessid) ks = keynote_current_session; - /* Cleanup environment */ + /* Cleanup environment -- no point using kn_cleanup_action_environment() */ keynote_env_cleanup(ks->ks_env_table, HASHTABLESIZE); keynote_env_cleanup(&(ks->ks_env_regex), 1); @@ -824,7 +869,7 @@ kn_read_asserts(char *buffer, int bufferlen, int *numassertions) } /* Copy string */ - bcopy(ptr, buf[*numassertions], (buffer + i) - ptr); + memcpy(buf[*numassertions], ptr, (buffer + i) - ptr); (*numassertions)++; } 
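Review bot: Dropping the `#else … #error "You need to seed the RNG."` branch removes the only build-time check that a random-source path was configured for the CRYPTO build; the same guard is removed from keynote-keygen.c in the `@@ -214,9 +215,6 @@` hunk. Without it, a config.h that leaves KEYNOTERNDFILENAME undefined fails only with an undeclared-identifier error at the first use of the macro, and a wrong path is noticed only at run time. Keep the check once, next to the config.h include, e.g. `#if defined(CRYPTO) && !defined(KEYNOTERNDFILENAME)` / `#error "KEYNOTERNDFILENAME must be defined to seed the RNG"` / `#endif`. keynote_init_environment's body starts outside the hunk.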
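Review bot: The header comment on kn_cleanup_action_environment, `Cleanup the action environment.`, does not say what a caller keeps and what it loses; as this is the new public entry point for resetting a session between queries, it should state that it frees the action attributes in ks_env_table and the regex environment ks_env_regex of the named session, leaves the session itself and (as far as the visible code shows) its assertions intact, and returns -1 with keynote_errno set to ERROR_NOTFOUND when no session has that id. It is also the only one of the three new functions in this commit that resets `keynote_errno = 0` on entry, which is worth keeping consistent with kn_get_authorizer and kn_get_licensees.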
@@ -885,3 +930,79 @@ kn_read_asserts(char *buffer, int bufferlen, int *numassertions) return buf; } + +/* + * Return the authorizer key for a given assertion. + */ +void * +kn_get_authorizer(int sessid, int assertid, int *algorithm) +{ + struct assertion *as; + int i; + + if ((keynote_current_session == (struct keynote_session *) NULL) || + (keynote_current_session->ks_id != sessid)) + { + keynote_current_session = keynote_find_session(sessid); + if (keynote_current_session == (struct keynote_session *) NULL) + { + keynote_errno = ERROR_NOTFOUND; + return (void *) NULL; + } + } + + /* Traverse the hash table looking for assertid */ + for (i = 0; i < HASHTABLESIZE; i++) + for (as = keynote_current_session->ks_assertion_table[i]; + as != (struct assertion *) NULL; + as = as->as_next) + if (as->as_id == assertid) + break; + + if (as == (struct assertion *) NULL) + { + keynote_errno = ERROR_NOTFOUND; + return (void *) NULL; + } + + *algorithm = as->as_signeralgorithm; + return as->as_authorizer; +} + +/* + * Return the licensees for a given assertion. + */ +struct keynote_keylist * +kn_get_licensees(int sessid, int assertid) +{ + struct assertion *as; + int i; + + if ((keynote_current_session == (struct keynote_session *) NULL) || + (keynote_current_session->ks_id != sessid)) + { + keynote_current_session = keynote_find_session(sessid); + if (keynote_current_session == (struct keynote_session *) NULL) + { + keynote_errno = ERROR_NOTFOUND; + return (struct keynote_keylist *) NULL; + } + } + + /* Traverse the hash table looking for assertid */ + for (i = 0; i < HASHTABLESIZE; i++) + for (as = keynote_current_session->ks_assertion_table[i]; + as != (struct assertion *) NULL; + as = as->as_next) + if (as->as_id == assertid) + break; + + if (as == (struct assertion *) NULL) + { + keynote_errno = ERROR_NOTFOUND; + return (struct keynote_keylist *) NULL; + } + + return (struct keynote_keylist *) as->as_keylist; +} + 
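Review bot: In kn_get_authorizer the `break` after `if (as->as_id == assertid)` only leaves the inner `for`; the outer loop then moves to the next bucket and reassigns `as`, so unless the match happens to be in the last bucket `as` is NULL when the loops finish and the function reports ERROR_NOTFOUND for an assertion that does exist. kn_get_licensees contains the identical loop. Replace the `break` with `goto found;` and put a `found:` label immediately before the `if (as == (struct assertion *) NULL)` test in both functions. Neither function resets `keynote_errno = 0` on entry as kn_cleanup_action_environment does, so a successful lookup can leave a stale error code behind, and `*algorithm` is written without checking the pointer.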
diff --git a/lib/libkeynote/Misc/getopt.c b/lib/libkeynote/getopt.c index f77359cf40a..a281cbab406 100644 --- a/lib/libkeynote/Misc/getopt.c +++ b/lib/libkeynote/getopt.c @@ -1,9 +1,18 @@ -/* $OpenBSD: getopt.c,v 1.1.1.1 1999/05/23 22:11:07 angelos Exp $ */ +/* $OpenBSD: getopt.c,v 1.1 1999/10/01 01:08:29 angelos Exp $ */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ #include <stdio.h> -#include <string.h> #include <ctype.h> +#if STDC_HEADERS +#include <string.h> +#if !defined(HAVE_STRCHR) +#define strchr index +#endif /* !HAVE_STRCHR */ +#endif /* STDC_HEADERS */ + /*** getopt * * This function is the public domain version of getopt, the command diff --git a/lib/libkeynote/Misc/getopt.h b/lib/libkeynote/getopt.h index 74218bdb6f7..e9e0dd521ba 100644 --- a/lib/libkeynote/Misc/getopt.h +++ b/lib/libkeynote/getopt.h @@ -1,5 +1,4 @@ -/* $OpenBSD: getopt.h,v 1.1.1.1 1999/05/23 22:11:07 angelos Exp $ */ - +/* $OpenBSD: getopt.h,v 1.1 1999/10/01 01:08:30 angelos Exp $ */ extern int opterr; /* flag:error message on unrecognzed options */ extern int optind; /* last touched cmdline argument */ extern char *optarg; /* argument to optopt */ diff --git a/lib/libkeynote/header.h b/lib/libkeynote/header.h index 29752468e4d..8a82f93d3f6 100644 --- a/lib/libkeynote/header.h +++ b/lib/libkeynote/header.h @@ -1,4 +1,4 @@ -/* $OpenBSD: header.h,v 1.1 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: header.h,v 1.2 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * 
@@ -23,8 +23,8 @@ #define _HEADER_H_ /* Functions */ -extern int keynote_sign(int, char **), keynote_sigver(int, char **); -extern int keynote_verify(int, char **), keynote_keygen(int, char **); +extern void keynote_sign(int, char **), keynote_sigver(int, char **); +extern void keynote_verify(int, char **), keynote_keygen(int, char **); extern void print_key(FILE *, char *, char *, int, int); extern void mystrncpy(char *, char *, int); extern void print_space(FILE *, int); diff --git a/lib/libkeynote/keynote-keygen.c b/lib/libkeynote/keynote-keygen.c index 06cca5c14ee..85c79fd0475 100644 --- a/lib/libkeynote/keynote-keygen.c +++ b/lib/libkeynote/keynote-keygen.c @@ -1,4 +1,4 @@ -/* $OpenBSD: keynote-keygen.c,v 1.3 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: keynote-keygen.c,v 1.4 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -19,19 +19,29 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> #include <sys/stat.h> #include <stdlib.h> -#include <string.h> #include <stdio.h> +#include <ctype.h> + +#if STDC_HEADERS +#include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_FCNTL_H #include <fcntl.h> +#endif /* HAVE_FCNTL_H */ -#ifdef WIN32 -#include <ctype.h> +#if HAVE_IO_H #include <io.h> -#else /* WIN32 */ +#elif HAVE_UNISTD_H #include <unistd.h> -#endif /* WIN32 */ +#endif /* HAVE_IO_H */ #include "keynote.h" #include "assertion.h" @@ -90,11 +100,7 @@ print_key(FILE *fp, char *algname, char *key, int start, int length) fprintf(fp, "\"\n"); } -#ifdef WIN32 void -#else /* WIN32 */ -int -#endif /* WIN32 */ keynote_keygen(int argc, char *argv[]) { int begin = KEY_PRINT_OFFSET, prlen = KEY_PRINT_LENGTH; @@ -106,9 +112,7 @@ keynote_keygen(int argc, char *argv[]) DSA *dsa; RSA *rsa; FILE *fp; -#if defined(KEYNOTERNDFILENAME) int fd, cnt = RND_BYTES; -#endif /* KEYNOTERNDFILENAME */ #endif /* CRYPTO || PGPLIB */ char *algname; 
@@ -172,10 +176,7 @@ keynote_keygen(int argc, char *argv[]) fprintf(stderr, "Invalid specified keysize %d\n", len); exit(-1); } -#endif /* CRYPTO || PGPLIB */ -#if defined(CRYPTO) -#if defined(KEYNOTERNDFILENAME) fd = open(KEYNOTERNDFILENAME, O_RDONLY, 0); if (fd < 0) { @@ -214,9 +215,6 @@ keynote_keygen(int argc, char *argv[]) cnt -= fd; } while (cnt > 0); -#else /* KEYNOTERNDFILENAME */ -#error "No RNG available!" -#endif /* KEYNOTERNDFILENAME */ if ((alg == KEYNOTE_ALGORITHM_DSA) && (ienc == INTERNAL_ENC_ASN1) && diff --git a/lib/libkeynote/keynote-main.c b/lib/libkeynote/keynote-main.c index bc91a3c8ac7..c18ae6965b8 100644 --- a/lib/libkeynote/keynote-main.c +++ b/lib/libkeynote/keynote-main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: keynote-main.c,v 1.5 1999/05/31 20:15:25 angelos Exp $ */ +/* $OpenBSD: keynote-main.c,v 1.6 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -19,16 +19,24 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> #include <sys/stat.h> #include <stdlib.h> -#include <string.h> #include <stdio.h> -#include <fcntl.h> #include <ctype.h> +#if STDC_HEADERS +#include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_FCNTL_H +#include <fcntl.h> +#endif /* HAVE_FCNTL_H */ #ifdef WIN32 -#include <ctype.h> #include <io.h> #else #include <unistd.h> @@ -48,11 +56,7 @@ mainusage() "e.g., keynote sign\n"); } -#ifdef WIN32 -void -#else int -#endif main(int argc, char *argv[]) { if (argc < 2) diff --git a/lib/libkeynote/keynote-sign.c b/lib/libkeynote/keynote-sign.c index 37fb931a4ec..a8329444c29 100644 --- a/lib/libkeynote/keynote-sign.c +++ b/lib/libkeynote/keynote-sign.c @@ -1,4 +1,4 @@ -/* $OpenBSD: keynote-sign.c,v 1.5 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: keynote-sign.c,v 1.6 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * 
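Review bot: Removing the `#endif /* CRYPTO || PGPLIB */` and `#if defined(CRYPTO)` lines moves the `open(KEYNOTERNDFILENAME, O_RDONLY, 0)` seeding block under the enclosing conditional, which judging by the removed `#endif` comment is CRYPTO || PGPLIB, so a PGPLIB-only build would now compile the random-file read and whatever seeding call follows it (not visible here). If that is intended it matches the `int fd, cnt = RND_BYTES;` declaration earlier in the function, but a one-line comment at the top of the block naming the configurations that need the seed would make it explicit, e.g. `/* Seed the RNG from KEYNOTERNDFILENAME; required for CRYPTO and PGPLIB builds. */`. keynote_keygen's body starts and ends outside the hunk.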
@@ -19,20 +19,29 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> #include <sys/stat.h> #include <stdlib.h> -#include <string.h> #include <stdio.h> -#include <fcntl.h> #include <ctype.h> -#ifdef WIN32 -#include <ctype.h> +#if STDC_HEADERS +#include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_FCNTL_H +#include <fcntl.h> +#endif /* HAVE_FCNTL_H */ + +#if HAVE_IO_H #include <io.h> -#else /* WIN32 */ +#elif HAVE_UNISTD_H #include <unistd.h> -#endif /* WIN32 */ +#endif /* HAVE_IO_H */ #include "keynote.h" #include "header.h" @@ -45,11 +54,7 @@ signusage(void) "<PrivateKeyFile>\n"); } -#ifdef WIN32 void -#else /* WIN32 */ -int -#endif /* WIN32 */ keynote_sign(int argc, char *argv[]) { int begin = SIG_PRINT_OFFSET, prlen = SIG_PRINT_LENGTH; diff --git a/lib/libkeynote/keynote-sigver.c b/lib/libkeynote/keynote-sigver.c index 11cc0c3e169..be103781ae8 100644 --- a/lib/libkeynote/keynote-sigver.c +++ b/lib/libkeynote/keynote-sigver.c @@ -1,4 +1,4 @@ -/* $OpenBSD: keynote-sigver.c,v 1.3 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: keynote-sigver.c,v 1.4 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -19,20 +19,29 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> #include <sys/stat.h> #include <stdlib.h> -#include <string.h> #include <stdio.h> -#include <fcntl.h> #include <ctype.h> -#ifdef WIN32 -#include <ctype.h> +#if STDC_HEADERS +#include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_FCNTL_H +#include <fcntl.h> +#endif /* HAVE_FCNTL_H */ + +#if HAVE_IO_H #include <io.h> -#else /* WIN32 */ +#elif HAVE_UNISTD_H #include <unistd.h> -#endif /* WIN32 */ +#endif /* HAVE_IO_H */ #include "keynote.h" #include "header.h" 
@@ -44,11 +53,7 @@ sigverusage(void) fprintf(stderr, "\t<AssertionFile>\n"); } -#ifdef WIN32 void -#else /* WIN32 */ -int -#endif /* WIN32 */ keynote_sigver(int argc, char *argv[]) { struct stat sb; diff --git a/lib/libkeynote/keynote-ver.l b/lib/libkeynote/keynote-ver.l index d50101f1e3d..d4724356abe 100644 --- a/lib/libkeynote/keynote-ver.l +++ b/lib/libkeynote/keynote-ver.l @@ -1,5 +1,5 @@ %{ -/* $OpenBSD: keynote-ver.l,v 1.2 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: keynote-ver.l,v 1.3 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -20,11 +20,31 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> -#include <unistd.h> #include <ctype.h> -#include <time.h> + +#if STDC_HEADERS #include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_UNISTD_H +#include <unistd.h> +#endif /* HAVE_UNISTD_H */ + +#if TIME_WITH_SYS_TIME +#include <sys/time.h> +#include <time.h> +#else +#if HAVE_SYS_TIME_H +#include <sys/time.h> +#else +#include <time.h> +#endif +#endif #include "z.tab.h" #include "keynote.h" diff --git a/lib/libkeynote/keynote-ver.y b/lib/libkeynote/keynote-ver.y index 8da630254ad..c8cbc19ee56 100644 --- a/lib/libkeynote/keynote-ver.y +++ b/lib/libkeynote/keynote-ver.y @@ -1,4 +1,4 @@ -/* $OpenBSD: keynote-ver.y,v 1.2 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: keynote-ver.y,v 1.3 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -28,10 +28,17 @@ %nonassoc EQ %start program %{ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> +#include <stdlib.h> #include <stdio.h> + +#if STDC_HEADERS #include <string.h> -#include <stdlib.h> +#endif /* STDC_HEADERS */ #include "keynote.h" #include "header.h" diff --git a/lib/libkeynote/keynote-verify.c b/lib/libkeynote/keynote-verify.c index 64dd8b4419a..87fe4f51a40 100644 
--- a/lib/libkeynote/keynote-verify.c +++ b/lib/libkeynote/keynote-verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: keynote-verify.c,v 1.3 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: keynote-verify.c,v 1.4 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -19,23 +19,40 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> #include <sys/stat.h> #include <stdlib.h> -#include <string.h> #include <stdio.h> -#include <fcntl.h> #include <ctype.h> -#ifdef WIN32 +#if STDC_HEADERS +#include <string.h> +#if !defined(HAVE_MEMCPY) +#define memcpy(d, s, n) bcopy ((s), (d), (n)) +#endif /* !HAVE_MEMCPY */ +#endif /* STDC_HEADERS */ + +#if HAVE_MEMORY_H +#include <memory.h> +#endif /* HAVE_MEMORY_H */ + +#if HAVE_FCNTL_H +#include <fcntl.h> +#endif /* HAVE_FCNTL_H */ + +#if !defined(HAVE_GETOPT) +#include <getopt.h> +#endif /* HAVE_GETOPT */ + +#if HAVE_IO_H #include <io.h> -#include "getopt.h" -#else /* WIN32 */ +#elif HAVE_UNISTD_H #include <unistd.h> -#ifdef NEED_GETOPT -#include "getopt.h" -#endif /* NEED_GETOPT */ -#endif /* WIN32 */ +#endif /* HAVE_IO_H */ #include "keynote.h" #include "header.h" @@ -54,11 +71,7 @@ verifyusage(void) fprintf(stderr, "\t<filename>: Non-local assertion\n"); } -#ifdef WIN32 void -#else /* WIN32 */ -int -#endif /* WIN32 */ keynote_verify(int argc, char *argv[]) { #ifdef LoopTesting @@ -206,7 +219,7 @@ keynote_verify(int argc, char *argv[]) exit(-1); } - bcopy(retv, foov, numretv * sizeof(char **)); + memcpy(foov, retv, numretv * sizeof(char **)); free(retv); retv = foov; } @@ -221,7 +234,7 @@ keynote_verify(int argc, char *argv[]) } /* Copy */ - bcopy(optarg, retv[numret], ptr - optarg); + memcpy(retv[numret], optarg, ptr - optarg); optarg = ptr + 1; } diff --git a/lib/libkeynote/keynote.1 b/lib/libkeynote/keynote.1 index b28fa0f882f..6efa366bc81 100644 --- a/lib/libkeynote/keynote.1 +++ b/lib/libkeynote/keynote.1 
@@ -1,4 +1,4 @@ -.\" $OpenBSD: keynote.1,v 1.9 1999/09/23 04:12:01 alex Exp $ +.\" $OpenBSD: keynote.1,v 1.10 1999/10/01 01:08:30 angelos Exp $ .\" .\" The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) .\" @@ -6,7 +6,7 @@ .\" in April-May 1998 .\" .\" Copyright (C) 1998, 1999 by Angelos D. Keromytis. -.\" +.\" .\" Permission to use, copy, and modify this software without fee .\" is hereby granted, provided that this entire notice is included in .\" all copies of any software which is or includes a copy or @@ -55,6 +55,11 @@ operations .Op Fl k Ar file .Op Fl l Ar file .Op Ar file ... +.Sh DESCRIPTION +For more details on +.Nm KeyNote , +see RFC 2704. +.Pp .Sh KEY GENERATION "keynote keygen" creates a public/private key of size .Fa KeySize , @@ -69,6 +74,8 @@ identifiers are: .It ``dsa-base64:'' .It ``rsa-hex:'' .It ``rsa-base64:'' +.It ``x509-hex:'' +.It ``x509-base64:'' .El .Pp Notice that the trailing colon is required. The resulting public key is @@ -95,6 +102,7 @@ for the first line and has to be longer (by at least 2) than also accounts for the line-continuation character (backslash) at the end of each line, and the doublequotes at the beginning and end of the key encoding. Default values are 12 and 50 respectively. +.Pp .Sh ASSERTION SIGNING "keynote sign" reads the assertion contained in .Fa AssertionFile @@ -116,6 +124,8 @@ identifiers are: .It ``sig-rsa-sha1-base64:'' .It ``sig-rsa-md5-hex:'' .It ``sig-rsa-md5-base64:'' +.It ``sig-x509-sha1-hex:'' +.It ``sig-x509-sha1-base64:'' .El .Pp Notice that the trailing colon is required. @@ -149,10 +159,12 @@ flag is provided, "keynote sign" will also verify the newly-created signature using the .Fa Authorizer field key. +.Pp .Sh SIGNATURE VERIFICATION "keynote sigver" reads the assertion contained in .Fa AssertionFile and verifies the public-key signature on it. +.Pp .Sh QUERY TOOL For each operand that names a .A file , 
@@ -190,7 +202,7 @@ and can contain underscores. .Fa value is a quoted string, and can contain any character, and escape (backslash) processing is performed, as specified in the KeyNote -draft. +RFC. .Pp The remaining options are: .Bl -tag -width indent @@ -213,14 +225,15 @@ flags should be given per invocation. If no flags are given, "keynote verify" prints the usage message and exits with error code \-1. .Pp "keynote verify" exits with code \-1 if there was an error, and 0 on success. +.Pp .Sh SEE ALSO .Xr keynote 3 , .Xr keynote 4 .Bl -tag -width "AAAAAAA" -.It ``The KeyNote Trust-Management System'' +.It ``The KeyNote Trust-Management System, Version 2'' M. Blaze, J. Feigenbaum, A. D. Keromytis, -Internet Drafts, draft-ietf-trustmgt-keynote-00.txt -.It ``Decentralized Trust Management'' +Internet Drafts, RFC 2704. +.It ``Decentralized Trust Management'' M. Blaze, J. Feigenbaum, J. Lacy, 1996 IEEE Conference on Privacy and Security .It ``Compliance-Checking in the PolicyMaker Trust Management System'' diff --git a/lib/libkeynote/keynote.3 b/lib/libkeynote/keynote.3 index 7e192c9a7e7..fe776a0b887 100644 --- a/lib/libkeynote/keynote.3 +++ b/lib/libkeynote/keynote.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: keynote.3,v 1.9 1999/07/09 13:35:29 aaron Exp $ +.\" $OpenBSD: keynote.3,v 1.10 1999/10/01 01:08:30 angelos Exp $ .\" .\" The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) .\" @@ -6,7 +6,7 @@ .\" in April-May 1998 .\" .\" Copyright (C) 1998, 1999 by Angelos D. Keromytis. -.\" +.\" .\" Permission to use, copy, and modify this software without fee .\" is hereby granted, provided that this entire notice is included in .\" all copies of any software which is or includes a copy or @@ -51,6 +51,14 @@ struct keynote_binary int bn_len; char *bn_key; }; + +struct keynote_keylist +{ + int key_alg; + void *key_key; + char *key_stringkey; + struct keynote_keylist *key_next; +}; .Ed .Ft int .Fd keynote_errno; 
@@ -73,6 +81,8 @@ struct keynote_binary .Ft int .Fn kn_get_failed "int sessid" "int type" "int seq" .Ft int +.Fn kn_cleanup_action_environment "int sessid" +.Ft int .Fn kn_close "int sessid" .Ft int .Fn kn_query "struct environment *env" "char **returnvalues, int numvalues" "char **trusted, int *trustedlen, int numtrusted" "char **untrusted, int *untrustedlen, int numuntrusted" "char **authorizers, int numauthauthorizers" @@ -80,6 +90,10 @@ struct keynote_binary .Fn kn_read_asserts "char *array" "int arraylen" "int *numassertions" .Ft int .Fn kn_keycompare "void *key1" "void *key2" "int algorithm" +.Ft void * +.Fn kn_get_authorizer "int sessid" "int assertid" "int *algorithm" +.Ft struct keynote_keylist * +.Fn kn_get_licensees "int sessid" "int assertid" .Ft int .Fn kn_encode_base64 "unsigned char const *src" "unsigned int srclen" "char *dst" "unsigned int dstlen" .Ft int @@ -98,10 +112,14 @@ struct keynote_binary .Fn kn_verify_assertion "char *assertion" "int len" .Fd Link options: -lkeynote -lm -lcrypto .Sh DESCRIPTION +For more details on +.Nm KeyNote , +see RFC 2704. +.Pp .Va keynote_errno contains an error code if some library call failed. Failed calls return \-1 (if their return value is integer), or -.Dv NULL +.Dv NULL (if their return value is a pointer) and set .Va keynote_errno . The defined error codes are: @@ -151,7 +169,7 @@ session, and performs any necessary initializations. On success, this function returns the new session ID, which is used by all subsequent calls with a .Fa sessid -argument. +argument. On failure, it returns \-1 and sets .Va keynote_errno to @@ -402,6 +420,11 @@ given criteria is found, it returns \-1 and set to .Er ERROR_NOTFOUND . .Pp +.Fn kn_cleanup_action_environment +removes all action attributes from the action environment of session +.Fa sessid . +It returns 0 on success. +.Pp .Fn kn_close closes session .Fa sessid 
@@ -444,6 +467,40 @@ and .Fa algorithm ) and returns 1 if equal and 0 otherwise. .Pp +.Fn kn_get_authorizer +returns the authorizer key (in binary format) for assertion +.Fa assertid +in session +.Fa sessid . +It also sets the +.Fa algorithm +argument to the algorithm of the authorizer key. +On failure, +.Fn kn_get_authorizer +returns +.Fv NULL , +and sets +.Va keynote_errno +to +.Er ERROR_NOTFOUND . +.Pp +.Fn kn_get_licensees +returns the licensee key(s) for assertion +.Fa assertid +in session +.Fa sessid . +The keys are returned in a linked list of +.Fa struct keynote_keylist +structures. +On failure, +.Fn kn_get_licensees +returns +.Fv NULL . +and sets +.Va keynote_errno +to +.Er ERROR_NOTFOUND . +.Pp .Fn kn_query takes as arguments a list of action attributes in .Fa env , @@ -660,7 +717,7 @@ this is an SSLeay/OpenSSL-defined .Fa DSA * for DSA keys, .Fa RSA * -for RSA keys, and a +for RSA and X509-based keys, and a .Fa keynote_binary * for BINARY keys. .Fa keytype @@ -696,7 +753,11 @@ for RSA keys, .Dv SIG_DSA_SHA1_HEX and .Dv SIG_DSA_SHA1_BASE64 -for DSA keys. No other cryptographic signatures are currently +for DSA keys, +.Dv SIG_X509_SHA1_HEX , +and +.Dv SIG_X509_SHA1_BASE64 +for X509-based keys. No other cryptographic signatures are currently supported by this implementation. If .Fa vflag is set to 1, then the generated signature will also be verified. On @@ -739,6 +800,7 @@ if necessary memory could not be allocated, or .Er ERROR_SYNTAX if the assertion contained a syntactic error, or the cryptographic algorithm was not supported. +.Pp .Sh FILES .Fd keynote.h .Fd libkeynote.a 
@@ -746,10 +808,10 @@ algorithm was not supported. .Xr keynote 1 , .Xr keynote 4 .Bl -tag -width "AAAAAAA" -.It ``The KeyNote Trust-Management System'' +.It ``The KeyNote Trust-Management System, Version 2'' M. Blaze, J. Feigenbaum, A. D. Keromytis, -Internet Drafts, draft-ietf-trustmgt-keynote-00.txt -.It ``Decentralized Trust Management'' +Internet Drafts, RFC 2704. +.It ``Decentralized Trust Management'' M. Blaze, J. Feigenbaum, J. Lacy, 1996 IEEE Conference on Privacy and Security .It ``Compliance-Checking in the PolicyMaker Trust Management System'' diff --git a/lib/libkeynote/keynote.4 b/lib/libkeynote/keynote.4 index 92d4fefc8ac..dca070f350a 100644 --- a/lib/libkeynote/keynote.4 +++ b/lib/libkeynote/keynote.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: keynote.4,v 1.9 1999/07/09 13:35:29 aaron Exp $ +.\" $OpenBSD: keynote.4,v 1.10 1999/10/01 01:08:30 angelos Exp $ .\" .\" The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) .\" @@ -6,7 +6,7 @@ .\" in April-May 1998 .\" .\" Copyright (C) 1998, 1999 by Angelos D. Keromytis. -.\" +.\" .\" Permission to use, copy, and modify this software without fee .\" is hereby granted, provided that this entire notice is included in .\" all copies of any software which is or includes a copy or @@ -31,6 +31,10 @@ .Fd #include <keynote.h> .Fd Link options: -lkeynote -lm -lcrypto .Sh DESCRIPTION +For more details on +.Nm KeyNote , +see RFC 2704. +.Pp Details on the API and command-line tool are given in the man pages listed at the end of this manual. .Pp @@ -226,6 +230,7 @@ simplify the design and analysis of complex network-based security protocols; network failures that prevent the transmission of credentials can never result in spurious authorization of dangerous actions. +.Pp .Sh FILES .Fd keynote.h .Fd libkeynote.a 
@@ -233,10 +238,10 @@ actions. .Xr keynote 1 , .Xr keynote 3 .Bl -tag -width "AAAAAAA" -.It ``The KeyNote Trust-Management System'' +.It ``The KeyNote Trust-Management System, Version 2'' M. Blaze, J. Feigenbaum, A. D. Keromytis, -Internet Drafts, draft-ietf-trustmgt-keynote-00.txt -.It ``Decentralized Trust Management'' +Internet Drafts, RFC 2704. +.It ``Decentralized Trust Management'' M. Blaze, J. Feigenbaum, J. Lacy, 1996 IEEE Conference on Privacy and Security .It ``Compliance-Checking in the PolicyMaker Trust Management System'' diff --git a/lib/libkeynote/keynote.h b/lib/libkeynote/keynote.h index a90fdeed518..024d51afeaf 100644 --- a/lib/libkeynote/keynote.h +++ b/lib/libkeynote/keynote.h @@ -1,4 +1,4 @@ -/* $OpenBSD: keynote.h,v 1.6 1999/08/16 02:33:37 angelos Exp $ */ +/* $OpenBSD: keynote.h,v 1.7 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * 
@@ -22,33 +22,64 @@ #ifndef __KEYNOTE_H__ #define __KEYNOTE_H__ +#if HAVE_REGEX_H +#include <sys/types.h> #include <regex.h> - -#ifdef CRYPTO -#include "crypto.h" -#include "dsa.h" -#include "rsa.h" -#include "sha.h" -#include "md5.h" -#include "err.h" -#include "rand.h" -#include "x509.h" -#include "pem.h" +#endif /* HAVE_REGEX_H */ + +#if defined(CRYPTO) +#if HAVE_SSL_CRYPTO_H +#include <ssl/crypto.h> +#include <ssl/dsa.h> +#include <ssl/rsa.h> +#include <ssl/sha.h> +#include <ssl/md5.h> +#include <ssl/err.h> +#include <ssl/rand.h> +#include <ssl/x509.h> +#include <ssl/pem.h> +#elif HAVE_OPENSSL_CRYPTO_H +#include <openssl/crypto.h> +#include <openssl/dsa.h> +#include <openssl/rsa.h> +#include <openssl/sha.h> +#include <openssl/md5.h> +#include <openssl/err.h> +#include <openssl/rand.h> +#include <openssl/x509.h> +#include <openssl/pem.h> +#else /* HAVE_SSL_CRYPTO_H */ +#error "SSLeay or OpenSSL not detected!" +#endif /* HAVE_SSL_CRYPTO_H */ #endif /* CRYPTO */ -#ifdef WIN32 -#define u_int unsigned int -#define u_char unsigned char +#if !defined(HAVE_STRCASECMP) && defined(HAVE_STRICMP) #define strcasecmp stricmp +#endif /* !HAVE_STRCASECMP && HAVE_STRICMP */ + +#if !defined(HAVE_STRNCASECMP) && defined(HAVE_STRNICMP) #define strncasecmp strnicmp +#endif /* !HAVE_STRNCASECMP && HAVE_STRNICMP */ + +#if !defined(HAVE_OPEN) && defined(HAVE__OPEN) #define open _open +#endif /* !HAVE_OPEN && HAVE__OPEN */ + +#if !defined(HAVE_READ) && defined(HAVE__READ) #define read _read +#endif /* !HAVE_READ && HAVE__OPEN */ + +#if !defined(HAVE_CLOSE) && defined(HAVE__CLOSE) #define close _close -#endif +#endif /* !HAVE_CLOSE && HAVE__CLOSE */ -#if defined(__OpenBSD__) || defined(linux) || defined(__FreeBSD__) || defined(__NetBSD__) +#if defined(CRYPTO) +#if HAVE__DEV_URANDOM #define KEYNOTERNDFILENAME "/dev/urandom" -#endif /* __OpenBSD__ || linux || __FreeBSD__ || __NetBSD__ */ +#else /* HAVE__DEV_URANDOM */ +#error "You need a random device!" 
+#endif /* HAVE__DEV_URANDOM */ +#endif /* CRYPTO */ struct environment { @@ -71,6 +102,14 @@ struct keynote_binary char *bn_key; }; +struct keynote_keylist +{ + int key_alg; + void *key_key; + char *key_stringkey; + struct keynote_keylist *key_next; +}; + #define SIG_DSA_SHA1_HEX "sig-dsa-sha1-hex:" #define SIG_DSA_SHA1_HEX_LEN strlen(SIG_DSA_SHA1_HEX) #define SIG_DSA_SHA1_BASE64 "sig-dsa-sha1-base64:" @@ -169,6 +208,7 @@ int kn_add_authorizer(int, char *); int kn_remove_authorizer(int, char *); int kn_do_query(int, char **, int); int kn_get_failed(int, int, int); +int kn_cleanup_action_environment(int); int kn_close(int); /* Simple API */ @@ -178,6 +218,8 @@ int kn_query(struct environment *, char **, int, char **, int *, int, /* Aux. routines */ char **kn_read_asserts(char *, int, int *); int kn_keycompare(void *, void *, int); +void *kn_get_authorizer(int, int, int *); +struct keynote_keylist *kn_get_licensees(int, int); /* ASCII-encoding API */ int kn_encode_base64(unsigned char const *, unsigned int, char *, diff --git a/lib/libkeynote/keynote.l b/lib/libkeynote/keynote.l index b4972435ca1..8dae7164fc6 100644 --- a/lib/libkeynote/keynote.l +++ b/lib/libkeynote/keynote.l @@ -1,5 +1,5 @@ %{ -/* $OpenBSD: keynote.l,v 1.2 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: keynote.l,v 1.3 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -20,13 +20,31 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> -#include <unistd.h> #include <ctype.h> -#ifndef PILOT -#include <time.h> -#endif /* PILOT */ + +#if STDC_HEADERS #include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_UNISTD_H +#include <unistd.h> +#endif /* HAVE_UNISTD_H */ + +#if TIME_WITH_SYS_TIME +#include <sys/time.h> +#include <time.h> +#else +#if HAVE_SYS_TIME_H +#include <sys/time.h> +#else +#include <time.h> +#endif +#endif #include "k.tab.h" #include "keynote.h" 
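Review bot: The closing comment on the `read` substitution is wrong: `#endif /* !HAVE_READ && HAVE__OPEN */` closes `#if !defined(HAVE_READ) && defined(HAVE__READ)` and should read `#endif /* !HAVE_READ && HAVE__READ */`. The new `HAVE__DEV_URANDOM` block pins the random source for CRYPTO builds at configure time and aborts with `#error` otherwise, which is the right default for a library that produces signatures; a one-line comment above `KEYNOTERNDFILENAME` such as `/* chosen by configure; no in-library fallback to a weaker source is intended */` would keep a later maintainer from "fixing" the #error with a silent default.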
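Review bot: The new prototypes `void *kn_get_authorizer(int, int, int *)` and `struct keynote_keylist *kn_get_licensees(int, int)` return pointers that are either library-owned or freshly allocated — this hunk does not show which — and nothing in the header says so, so a caller cannot tell whether to free the result or how long it stays valid (for instance across `kn_close`). A comment next to each declaration, for example `/* Returned pointer is owned by the session; do not free, invalid after kn_close() */` or the allocating equivalent, whichever the implementation does, would settle it; the keynote.3 text added in this commit is silent on the same question.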
@@ -491,7 +509,7 @@ keynote_evaluate_assertion(struct assertion *as) keynote_env_cleanup(&keynote_temp_list, 1); keynote_lex_zap(); - kn_delete_buffer(keynote_bs); /* Free the space */ + kn_delete_buffer(keynote_bs); keynote_used_variable = 0; keynote_returnvalue = 0; @@ -536,7 +554,7 @@ keynote_parse_keypred(struct assertion *as, int record) if (keynote_errno == 0) keynote_errno = ERROR_SYNTAX; - kn_delete_buffer(keypred_state); /* Free memory */ + kn_delete_buffer(keypred_state); keynote_lex_zap(); keynote_cleanup_kth(); @@ -613,7 +631,7 @@ keynote_evaluate_authorizer(struct assertion *as, int flag) if ((err != 0) && (keynote_errno == 0)) keynote_errno = ERROR_SYNTAX; - kn_delete_buffer(authorizer_state); /* Free memory */ + kn_delete_buffer(authorizer_state); keynote_lex_zap(); keynote_justrecord = 0; diff --git a/lib/libkeynote/keynote.y b/lib/libkeynote/keynote.y index 64c1e6443f4..0ff077d993b 100644 --- a/lib/libkeynote/keynote.y +++ b/lib/libkeynote/keynote.y @@ -1,4 +1,4 @@ -/* $OpenBSD: keynote.y,v 1.2 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: keynote.y,v 1.3 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -43,13 +43,19 @@ %nonassoc UNARYMINUS DEREF OPENNUM OPENFLT %start grammarswitch %{ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> +#include <stdlib.h> #include <stdio.h> +#include <ctype.h> #include <math.h> + +#if STDC_HEADERS #include <string.h> -#include <stdlib.h> -#include <ctype.h> -#include <regex.h> +#endif /* STDC_HEADERS */ #include "keynote.h" #include "assertion.h" @@ -502,8 +508,12 @@ stringexp: str EQ str { memset(pmatch, 0, sizeof(pmatch)); memset(grp, 0, sizeof(grp)); +#if HAVE_REGCOMP if (regcomp(&preg, $3, REG_EXTENDED)) { +#else /* HAVE_REGCOMP */ +#error "This system does not have regcomp()." +#endif /* HAVE_REGCOMP */ free($1); free($3); keynote_exceptionflag = 1; 
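Review bot: The `#error "This system does not have regcomp()."` is placed between `#if HAVE_REGCOMP` and the body of an `if` statement, so in the negative case the preprocessor aborts in the middle of a grammar action and a reader has to reconstruct the condition from context. A single `#if !HAVE_REGCOMP` / `#error "This system does not have regcomp()."` / `#endif` in the `%{ … %}` prologue, next to the other feature checks this commit adds there, gives the same guarantee and leaves the `regcomp` call unconditional. The enclosing action continues outside the hunk.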
@@ -518,11 +528,11 @@ stringexp: str EQ str { $$ = (i == 0 ? 1 : 0); if (i == 0) { -#ifdef NO_SNPRINTF +#if !defined(HAVE_SNPRINTF) sprintf(grp, "%d", preg.re_nsub); -#else /* NO_SNPRINTF */ +#else /* !HAVE_SNPRINTF */ snprintf(grp, 3, "%d", preg.re_nsub); -#endif /* NO_SNPRINTF */ +#endif /* !HAVE_SNPRINTF */ if (keynote_env_add("_0", grp, &keynote_temp_list, 1, 0) != RESULT_TRUE) { @@ -546,11 +556,11 @@ stringexp: str EQ str { strncpy(gr, $1 + pmatch[i].rm_so, pmatch[i].rm_eo - pmatch[i].rm_so); gr[pmatch[i].rm_eo - pmatch[i].rm_so] = '\0'; -#ifdef NO_SNPRINTF +#if !defined(HAVE_SNPRINTF) sprintf(grp, "_%d", i); -#else /* NO_SNPRINTF */ +#else /* !HAVE_SNPRINTF */ snprintf(grp, 3, "_%d", i); -#endif /* NO_SNPRINTF */ +#endif /* !HAVE_SNPRINTF */ if (keynote_env_add(grp, gr, &keynote_temp_list, 1, 0) == -1) { diff --git a/lib/libkeynote/parse_assertion.c b/lib/libkeynote/parse_assertion.c index 1d39e34ecc9..370c2356035 100644 --- a/lib/libkeynote/parse_assertion.c +++ b/lib/libkeynote/parse_assertion.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parse_assertion.c,v 1.2 1999/05/31 20:09:59 angelos Exp $ */ +/* $OpenBSD: parse_assertion.c,v 1.3 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -19,12 +19,22 @@ * PURPOSE. */ +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + #include <sys/types.h> #include <stdlib.h> #include <stdio.h> #include <ctype.h> + +#if STDC_HEADERS #include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_LIMITS_H #include <limits.h> +#endif /* HAVE_LIMITS_H */ #include "keynote.h" #include "assertion.h" diff --git a/lib/libkeynote/signature.c b/lib/libkeynote/signature.c index 39fb4b54ac4..adc43aae591 100644 --- a/lib/libkeynote/signature.c +++ b/lib/libkeynote/signature.c 
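Review bot: The `#if !defined(HAVE_SNPRINTF)` branch selected here (and in the second hunk at -546) falls back to an unbounded `sprintf(grp, "%d", preg.re_nsub)`, while the snprintf branch passes a literal `3` that silently truncates at two digits; `grp` is declared outside these hunks, but the earlier `memset(grp, 0, sizeof(grp))` shows it is a fixed array, so `snprintf(grp, sizeof(grp), "%d", preg.re_nsub)` followed by a check that the result fit would make both branches honest. As written, a pattern with 100 or more groups yields a truncated `_0` value, or a truncated `_%d` attribute name in the second hunk, with no error reported.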
@@ -1,4 +1,4 @@ -/* $OpenBSD: signature.c,v 1.6 1999/08/16 02:33:37 angelos Exp $ */ +/* $OpenBSD: signature.c,v 1.7 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * @@ -24,10 +24,21 @@ * 3 May 1999 */ -#include <stdio.h> +#if HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#include <sys/types.h> #include <stdlib.h> -#include <limits.h> +#include <stdio.h> + +#if STDC_HEADERS #include <string.h> +#endif /* STDC_HEADERS */ + +#if HAVE_LIMITS_H +#include <limits.h> +#endif /* HAVE_LIMITS_H */ #include "keynote.h" #include "assertion.h" @@ -172,8 +183,6 @@ keynote_free_key(void *key, int type) free(key); } -#if defined(CRYPTO) || defined(PGPLIB) - /* * Map a signature to an algorithm. Return algorithm number (defined in * keynote.h), or KEYNOTE_ALGORITHM_NONE if unknown. @@ -286,7 +295,6 @@ keynote_get_sig_algorithm(char *sig, int *hash, int *enc, int *internal) *internal = INTERNAL_ENC_NONE; return KEYNOTE_ALGORITHM_NONE; } -#endif /* CRYPTO || PGPLIB */ /* * Map a key to an algorithm. Return algorithm number (defined in @@ -681,6 +689,19 @@ kn_keycompare(void *key1, void *key2, int algorithm) return RESULT_FALSE; #endif /* CRYPTO */ + case KEYNOTE_ALGORITHM_X509: +#ifdef CRYPTO + p3 = (RSA *) key1; + p4 = (RSA *) key2; + if (!BN_cmp(p3->n, p4->n) && + !BN_cmp(p3->e, p4->e)) + return RESULT_TRUE; + else + return RESULT_FALSE; +#else /* CRYPTO */ + return RESULT_FALSE; +#endif /* CRYPTO */ + case KEYNOTE_ALGORITHM_RSA: #ifdef CRYPTO p3 = (RSA *) key1; @@ -691,7 +712,7 @@ kn_keycompare(void *key1, void *key2, int algorithm) else return RESULT_FALSE; #else /* CRYPTO */ - return RETURN_FALSE; + return RESULT_FALSE; #endif /* CRYPTO */ case KEYNOTE_ALGORITHM_ELGAMAL: 
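Review bot: The new `KEYNOTE_ALGORITHM_X509` case in `kn_keycompare` is a verbatim copy of the RSA case below it: both cast to `RSA *` and compare only `n` and `e`, so an X509 key is equal to any RSA key with the same modulus and exponent and nothing from the certificate (subject, issuer, validity) takes part in the comparison. If that is the intended policy, `case KEYNOTE_ALGORITHM_X509: /* compared as its RSA public key; certificate fields are ignored */` placed directly above `case KEYNOTE_ALGORITHM_RSA:` both states it and removes the duplicated block, and the RSA case's `#ifdef CRYPTO` / `#else` structure already covers the non-CRYPTO build. kn_keycompare begins and ends outside this hunk.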
@@ -746,7 +767,11 @@ keynote_sigverify_assertion(struct assertion *as) return SIGRESULT_FALSE; /* Check for matching algorithms */ - if (alg != as->as_signeralgorithm) + if ((alg != as->as_signeralgorithm) && + !((alg == KEYNOTE_ALGORITHM_RSA) && + (as->as_signeralgorithm == KEYNOTE_ALGORITHM_X509)) && + !((alg == KEYNOTE_ALGORITHM_X509) && + (as->as_signeralgorithm == KEYNOTE_ALGORITHM_RSA))) return SIGRESULT_FALSE; sig = index(as->as_signature, ':'); /* Move forward to the Encoding. We @@ -918,7 +943,16 @@ keynote_sign_assertion(struct assertion *as, char *sigalg, void *key, alg = keynote_get_sig_algorithm(sigalg, &hashtype, &encoding, &internalenc); - if ((alg != as->as_signeralgorithm) || (alg != keyalg)) + if (((alg != as->as_signeralgorithm) && + !((alg == KEYNOTE_ALGORITHM_RSA) && + (as->as_signeralgorithm == KEYNOTE_ALGORITHM_X509)) && + !((alg == KEYNOTE_ALGORITHM_X509) && + (as->as_signeralgorithm == KEYNOTE_ALGORITHM_RSA))) || + ((alg != keyalg) && + !((alg == KEYNOTE_ALGORITHM_RSA) && + (keyalg == KEYNOTE_ALGORITHM_X509)) && + !((alg == KEYNOTE_ALGORITHM_X509) && + (keyalg == KEYNOTE_ALGORITHM_RSA)))) { keynote_errno = ERROR_SYNTAX; return (char *) NULL; @@ -1027,12 +1061,11 @@ keynote_sign_assertion(struct assertion *as, char *sigalg, void *key, } /* RSA-specific */ -#if SSLEAY_VERSION_NUMBER >= 0x00904 +#if SSLEAY_VERSION_NUMBER >= 0x00904100L rsa = (RSA *) PEM_read_bio_RSAPrivateKey(biokey, NULL, NULL, NULL); #else /* SSLEAY_VERSION_NUMBER */ rsa = (RSA *) PEM_read_bio_RSAPrivateKey(biokey, NULL, NULL); #endif /* SSLEAY_VERSION_NUMBER */ - if (rsa == (RSA *) NULL) { BIO_free(biokey); diff --git a/lib/libkeynote/signature.h b/lib/libkeynote/signature.h index 665b9038448..edbe5edfa52 100644 --- a/lib/libkeynote/signature.h +++ b/lib/libkeynote/signature.h 
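Review bot: The RSA/X509 equivalence is spelled out three times as a five-line boolean, once in `keynote_sigverify_assertion` and twice in `keynote_sign_assertion`, and the shape of the expression hides what is being checked; a small static helper makes the intent readable and keeps the call sites from drifting apart. The helper is also the natural place to record that an X509 authorizer is treated as the RSA key it carries, so a plain RSA signature verifies against it and the certificate imposes no further constraint at this point — as far as these hunks show, no certificate checking happens here. Both functions start and end outside the hunks.
```c
/*
 * X509 keys are handled as the RSA public key they carry, so an RSA
 * signature algorithm may be paired with an X509 key and vice versa.
 * No certificate fields are examined here.
 */
static int
keynote_sigalg_matches_key(int alg, int keyalg)
{
    if (alg == keyalg)
        return 1;
    return ((alg == KEYNOTE_ALGORITHM_RSA) &&
            (keyalg == KEYNOTE_ALGORITHM_X509)) ||
           ((alg == KEYNOTE_ALGORITHM_X509) &&
            (keyalg == KEYNOTE_ALGORITHM_RSA));
}

/* … unchanged: keynote_sigverify_assertion up to the algorithm check … */
    if (!keynote_sigalg_matches_key(alg, as->as_signeralgorithm))
        return SIGRESULT_FALSE;

/* … unchanged: keynote_sign_assertion up to the algorithm check … */
    if (!keynote_sigalg_matches_key(alg, as->as_signeralgorithm) ||
        !keynote_sigalg_matches_key(alg, keyalg))
    {
        keynote_errno = ERROR_SYNTAX;
        return (char *) NULL;
    }
```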
@@ -1,4 +1,4 @@ -/* $OpenBSD: signature.h,v 1.3 1999/05/31 20:10:00 angelos Exp $ */ +/* $OpenBSD: signature.h,v 1.4 1999/10/01 01:08:30 angelos Exp $ */ /* * The author of this code is Angelos D. Keromytis (angelos@dsl.cis.upenn.edu) * diff --git a/lib/libkeynote/testsuite/openssl.cnf b/lib/libkeynote/testsuite/openssl.cnf new file mode 100644 index 00000000000..854571ecd55 --- /dev/null +++ b/lib/libkeynote/testsuite/openssl.cnf @@ -0,0 +1,24 @@ +# +# SSLeay example configuration file. +# + +RANDFILE = $ENV::HOME/.rnd + +[ req ] +default_bits = 1024 +default_keyfile = privkey.pem +distinguished_name = req_distinguished_name + +[ req_distinguished_name ] +countryName = Country Name (2 letter code) +countryName_value = GB + +organizationName = Organization Name (eg, company; recommended) +organizationName_value = BenCo + +commonName = server name (eg. ssl.domain.tld; required!!!) +commonName_value = BenCo CA + +emailAddress = Email Address +emailAddress_value = ben@algroup.co.uk + diff --git a/lib/libkeynote/testsuite/test-assertion1-signed.in b/lib/libkeynote/testsuite/test-assertion1-signed.in new file mode 100644 index 00000000000..b3eb754b0b1 --- /dev/null +++ b/lib/libkeynote/testsuite/test-assertion1-signed.in 
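Review bot: `RANDFILE = $ENV::HOME/.rnd` makes this test-suite configuration read and rewrite the seed file in the invoking user's home directory, so a test run has a side effect outside the tree and behaves differently for a user without a writable $HOME; point it at a file under the test directory (for example `RANDFILE = ./.rnd`) or drop the line. `default_keyfile = privkey.pem` likewise lands a private key in whatever directory the test is run from rather than a test-specific path. A short header comment naming the test that drives this file and what it is expected to produce would replace the inherited "SSLeay example configuration file" banner, which no longer describes its purpose.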
@@ -0,0 +1,45 @@ +keynote-version: 2 # some comment +comment: The weird looking string test in the conditions field is for + verifying correctness of string grammar +# comment inside comment field, no problem +#authorizer: $$$$foo # Don't try this at home@@AUTH@@ +licensees: (MYKEY) && ((("Key3") || "Key4") && (MYKEY)) || TWOKEY +local-constants: MYKEY = "Key3" +# we can put a comment here + TWOKEY = "dsa-hex:3081de02402ae5e2d8c12fbaec4934dd5a98cbe39159\ + f1b8d02143a5e3d07c96c0acedef73d508a54286bb19b53cd2b7\ + bd0beca47b12ec75ddd7a7aeece8b724fbf940ca220241008cfe\ + 2799793dc5eef44cc78228d2a42e76246326e6f442d7c14eb705\ + 3e48d49a001350177e7d320d762d87f10ecbeceffb12b359e4c0\ + f827e05b34ef336823710215008773db9f8a9d42e7ad53c023d1\ + 61dda43ae081a9024069f506a956d69c8a0a2ab6d6a888f57dd0\ + 6593f537135b6d3c2bc928634f7e5e03b12c9fbac7ce4a6ce708\ + b63bdcda576e5eeecfb68930a5c3ca8df71d84fd0e" +conditions: app_domain == "testing" -> +# gratuitous comment + { + 1 / 0 == 1 -> "true"; # runtime exception + true -> "false"; + request == "whatever" -> "false"; + TWOKEY == "dsa-hex:3081de02402ae5e2d8c12fbaec4934dd5a98cbe39159\ + f1b8d02143a5e3d07c96c0acedef73d508a54286bb19b53cd2b7\ + bd0beca47b12ec75ddd7a7aeece8b724fbf940ca220241008cfe\ + 2799793dc5eef44cc78228d2a42e76246326e6f442d7c14eb705\ + 3e48d49a001350177e7d320d762d87f10ecbeceffb12b359e4c0\ + f827e05b34ef336823710215008773db9f8a9d42e7ad53c023d1\ + 61dda43ae081a9024069f506a956d69c8a0a2ab6d6a888f57dd0\ + 6593f537135b6d3c2bc928634f7e5e03b12c9fbac7ce4a6ce708\ + b63bdcda576e5eeecfb68930a5c3ca8df71d84fd0e" && + @(foo) == @foo && + "this string contains a newline\n\ + \ followed by one space." == + "this\ string\ contains\ a\ newline\n\ foll\ + owed\ by\ one\ space\." && + "this string contains a newline\n\ \ + followed by one space." == + "this string contains a newline\012\040followed by one space." && + request == "test" -> "true"; # this is another comment + request == "whatever3" -> "true"; + request == "test" -> "fa" . 
"lse"; + }; +signature: |