Dropped support of deprecated authby=eap and eap= options
authorMartin Willi <martin@revosec.ch>
Fri, 20 Jan 2012 15:03:18 +0000 (16:03 +0100)
committerMartin Willi <martin@revosec.ch>
Tue, 20 Mar 2012 16:31:38 +0000 (17:31 +0100)
man/ipsec.conf.5.in
src/starter/args.c
src/starter/confread.c
src/starter/confread.h
src/starter/keywords.h
src/starter/keywords.txt
src/stroke/stroke.c
src/stroke/stroke_msg.h

index e2835bd..2f914b0 100644 (file)
@@ -247,7 +247,7 @@ acceptable values are
 .br
 The IKEv2 daemon currently supports ESP only.
 .TP
-.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | never | xauthpsk | xauthrsasig"
 how the two security gateways should authenticate each other;
 acceptable values are
 .B psk
@@ -269,12 +269,7 @@ IKEv1 additionally supports the values
 and
 .B xauthrsasig
 that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets  or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
+based on shared secrets or digital RSA signatures, respectively.
 This parameter is deprecated for IKEv2 connections, as two peers do not need
 to agree on an authentication method. Use the
 .B leftauth
@@ -377,31 +372,6 @@ might trigger a closeaction when not desired.
 defines the timeout interval, after which a CHILD_SA is closed if it did
 not send or receive any traffic. Currently supported in IKEv2 connections only.
 .TP
-.BR eap " = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor>
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B radius
-for the EAP-RADIUS proxy and
-.B sim
-for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
-.TP
 .BR eap_identity " = <id>"
 defines the identity the client uses to reply to a EAP Identity request.
 If defined on the EAP server, the defined identity will be used as peer
@@ -598,12 +568,13 @@ For
 .B eap,
 an optional EAP method can be appended. Currently defined methods are
 .BR eap-aka ,
+.BR eap-sim ,
 .BR eap-gtc ,
 .BR eap-md5 ,
 .BR eap-tls ,
 .B eap-mschapv2
 and
-.BR eap-sim .
+.BR eap-radius .
 Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
 EAP methods are defined in the form
 .B eap-type-vendor
index 88133dd..0699eb0 100644 (file)
@@ -207,7 +207,6 @@ static const token_info_t token_info[] =
        { ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool                     },
        { ARG_MISC, 0, NULL  /* KW_AUTH */                                             },
        { ARG_MISC, 0, NULL  /* KW_AUTHBY */                                           },
-       { ARG_MISC, 0, NULL  /* KW_EAP */                                              },
        { ARG_STR,  offsetof(starter_conn_t, eap_identity), NULL                       },
        { ARG_STR,  offsetof(starter_conn_t, aaa_identity), NULL                       },
        { ARG_MISC, 0, NULL  /* KW_MOBIKE */                                           },
index 1da4eb0..ce69fd7 100644 (file)
@@ -22,8 +22,6 @@
 
 #include <freeswan.h>
 
-#include <eap/eap.h>
-
 #include "../pluto/constants.h"
 #include "../pluto/defs.h"
 #include "../pluto/log.h"
@@ -668,7 +666,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
                                        {
                                                conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
                                        }
-                                       else if (streq(value, "xauthpsk") || streq(value, "eap"))
+                                       else if (streq(value, "xauthpsk"))
                                        {
                                                conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
                                        }
@@ -687,36 +685,6 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
                                }
                        }
                        break;
-               case KW_EAP:
-               {
-                       char *sep;
-
-                       /* check for vendor-type format */
-                       sep = strchr(kw->value, '-');
-                       if (sep)
-                       {
-                               *(sep++) = '\0';
-                               conn->eap_type = atoi(kw->value);
-                               conn->eap_vendor = atoi(sep);
-                               if (conn->eap_type == 0 || conn->eap_vendor == 0)
-                               {
-                                       plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value);
-                                       cfg->err++;
-                               }
-                               break;
-                       }
-                       conn->eap_type = eap_type_from_string(kw->value);
-                       if (conn->eap_type == 0)
-                       {
-                               conn->eap_type = atoi(kw->value);
-                               if (conn->eap_type == 0)
-                               {
-                                       plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
-                                       cfg->err++;
-                               }
-                       }
-                       break;
-               }
                case KW_MARK:
                        if (!handle_mark(kw->value, &conn->mark_in))
                        {
index 25f37e6..19c404e 100644 (file)
@@ -110,8 +110,6 @@ struct starter_conn {
                starter_state_t state;
 
                keyexchange_t   keyexchange;
-               u_int32_t       eap_type;
-               u_int32_t       eap_vendor;
                char            *eap_identity;
                char            *aaa_identity;
                char            *xauth_identity;
index 71e31e9..3374fa8 100644 (file)
@@ -70,7 +70,6 @@ typedef enum {
        KW_AGGRESSIVE,
        KW_AUTH,
        KW_AUTHBY,
-       KW_EAP,
        KW_EAP_IDENTITY,
        KW_AAA_IDENTITY,
        KW_MOBIKE,
index bd1f930..d31fd24 100644 (file)
@@ -47,7 +47,6 @@ nat_traversal,     KW_NAT_TRAVERSAL
 keep_alive,        KW_KEEP_ALIVE
 force_keepalive,   KW_FORCE_KEEPALIVE
 virtual_private,   KW_VIRTUAL_PRIVATE
-eap,               KW_EAP
 eap_identity,      KW_EAP_IDENTITY
 aaa_identity,      KW_AAA_IDENTITY
 mobike,                   KW_MOBIKE
index 697115a..e702453 100644 (file)
@@ -139,7 +139,6 @@ static int add_connection(char *name,
 
        msg.add_conn.name = push_string(&msg, name);
        msg.add_conn.version = 2;
-       msg.add_conn.auth_method = 2;
        msg.add_conn.mode = 1;
        msg.add_conn.mobike = 1;
        msg.add_conn.dpd.action = 1;
index 825228e..be12cab 100644 (file)
@@ -240,10 +240,6 @@ struct stroke_msg_t {
                struct {
                        char *name;
                        int version;
-                       /* next three are deprecated, use stroke_end_t.auth instead */
-                       int auth_method;
-                       u_int32_t eap_type;
-                       u_int32_t eap_vendor;
                        char *eap_identity;
                        char *aaa_identity;
                        char *xauth_identity;