author | Martin Willi <martin@revosec.ch> | 2012-01-20 16:03:18 +0100 |
---|---|---|
committer | Martin Willi <martin@revosec.ch> | 2012-03-20 17:31:38 +0100 |
commit | c8d46f295948d01aef96fba5413206d2ae0a16f9 (patch) | |
tree | 141a299e6562be986659871a500b1d0bc255ac61 | |
parent | c791def8c13ccb587ec9e37570f9a957af6a515e (diff) | |
download | strongswan-c8d46f295948d01aef96fba5413206d2ae0a16f9.tar.bz2 strongswan-c8d46f295948d01aef96fba5413206d2ae0a16f9.tar.xz |
Dropped support of deprecated authby=eap and eap= options
-rw-r--r-- | man/ipsec.conf.5.in | 37 | ||||
-rw-r--r-- | src/starter/args.c | 1 | ||||
-rw-r--r-- | src/starter/confread.c | 34 | ||||
-rw-r--r-- | src/starter/confread.h | 2 | ||||
-rw-r--r-- | src/starter/keywords.h | 1 | ||||
-rw-r--r-- | src/starter/keywords.txt | 1 | ||||
-rw-r--r-- | src/stroke/stroke.c | 1 | ||||
-rw-r--r-- | src/stroke/stroke_msg.h | 4 |
8 files changed, 5 insertions, 76 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in index e2835bde3..2f914b0c8 100644 --- a/man/ipsec.conf.5.in +++ b/man/ipsec.conf.5.in @@ -247,7 +247,7 @@ acceptable values are .br The IKEv2 daemon currently supports ESP only. .TP -.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..." +.BR authby " = " pubkey " | rsasig | ecdsasig | psk | never | xauthpsk | xauthrsasig" how the two security gateways should authenticate each other; acceptable values are .B psk @@ -269,12 +269,7 @@ IKEv1 additionally supports the values and .B xauthrsasig that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode -based on shared secrets or digital RSA signatures, respectively. -IKEv2 additionally supports the value -.BR eap , -which indicates an initiator to request EAP authentication. The EAP method -to use is selected by the server (see -.BR eap ). +based on shared secrets or digital RSA signatures, respectively. This parameter is deprecated for IKEv2 connections, as two peers do not need to agree on an authentication method. Use the .B leftauth 
@@ -377,31 +372,6 @@ might trigger a closeaction when not desired. defines the timeout interval, after which a CHILD_SA is closed if it did not send or receive any traffic. Currently supported in IKEv2 connections only. .TP -.BR eap " = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor> -defines the EAP type to propose as server if the client requests EAP -authentication. Currently supported values are -.B aka -for EAP-AKA, -.B gtc -for EAP-GTC, -.B md5 -for EAP-MD5, -.B mschapv2 -for EAP-MS-CHAPv2, -.B radius -for the EAP-RADIUS proxy and -.B sim -for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a -definition in the form -.B eap=type-vendor -(e.g. eap=7-12345) can be used to specify vendor specific EAP types. -This parameter is deprecated in the favour of -.B leftauth. - -To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin, -set -.BR eap=radius . -.TP .BR eap_identity " = <id>" defines the identity the client uses to reply to a EAP Identity request. If defined on the EAP server, the defined identity will be used as peer @@ -598,12 +568,13 @@ For .B eap, an optional EAP method can be appended. Currently defined methods are .BR eap-aka , +.BR eap-sim , .BR eap-gtc , .BR eap-md5 , .BR eap-tls , .B eap-mschapv2 and -.BR eap-sim . +.BR eap-radius . Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific EAP methods are defined in the form .B eap-type-vendor diff --git a/src/starter/args.c b/src/starter/args.c index 88133dd53..0699eb058 100644 --- a/src/starter/args.c +++ b/src/starter/args.c @@ -207,7 +207,6 @@ static const token_info_t token_info[] = { ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool }, { ARG_MISC, 0, NULL /* KW_AUTH */ }, { ARG_MISC, 0, NULL /* KW_AUTHBY */ }, - { ARG_MISC, 0, NULL /* KW_EAP */ }, { ARG_STR, offsetof(starter_conn_t, eap_identity), NULL }, { ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL }, { ARG_MISC, 0, NULL /* KW_MOBIKE */ }, 
diff --git a/src/starter/confread.c b/src/starter/confread.c index 1da4eb025..ce69fd724 100644 --- a/src/starter/confread.c +++ b/src/starter/confread.c @@ -22,8 +22,6 @@ #include <freeswan.h> -#include <eap/eap.h> - #include "../pluto/constants.h" #include "../pluto/defs.h" #include "../pluto/log.h" @@ -668,7 +666,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg { conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT; } - else if (streq(value, "xauthpsk") || streq(value, "eap")) + else if (streq(value, "xauthpsk")) { conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT; } @@ -687,36 +685,6 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg } } break; - case KW_EAP: - { - char *sep; - - /* check for vendor-type format */ - sep = strchr(kw->value, '-'); - if (sep) - { - *(sep++) = '\0'; - conn->eap_type = atoi(kw->value); - conn->eap_vendor = atoi(sep); - if (conn->eap_type == 0 || conn->eap_vendor == 0) - { - plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value); - cfg->err++; - } - break; - } - conn->eap_type = eap_type_from_string(kw->value); - if (conn->eap_type == 0) - { - conn->eap_type = atoi(kw->value); - if (conn->eap_type == 0) - { - plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value); - cfg->err++; - } - } - break; - } case KW_MARK: if (!handle_mark(kw->value, &conn->mark_in)) { diff --git a/src/starter/confread.h b/src/starter/confread.h index 25f37e633..19c404e2e 100644 --- a/src/starter/confread.h +++ b/src/starter/confread.h @@ -110,8 +110,6 @@ struct starter_conn { starter_state_t state; keyexchange_t keyexchange; - u_int32_t eap_type; - u_int32_t eap_vendor; char *eap_identity; char *aaa_identity; char *xauth_identity; diff --git a/src/starter/keywords.h b/src/starter/keywords.h index 71e31e9f5..3374fa8c7 100644 --- a/src/starter/keywords.h +++ b/src/starter/keywords.h 
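Review bot: In the `authby` handling of load_conn() (hunk at -668), an existing `authby=eap` line no longer matches the `xauthpsk` branch, and the rest of the `else if` chain lies outside the hunk, so it is not visible whether the value is now rejected or leaves `conn->policy` without any authentication bit set. A configuration written for the old syntax should fail closed with a message that names the replacement, for example a dedicated branch `else if (streq(value, "eap")) { plog("# authby=eap is no longer supported, use leftauth/rightauth"); cfg->err++; }`. The same upgrade concern applies to the `eap=` keyword dropped from keywords.txt and to the `KW_EAP` case removed later in this file. Please confirm that the parser reports the now-unknown keyword as an error, because silently ignoring it would presumably change which EAP method a server proposes.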
@@ -70,7 +70,6 @@ typedef enum { KW_AGGRESSIVE, KW_AUTH, KW_AUTHBY, - KW_EAP, KW_EAP_IDENTITY, KW_AAA_IDENTITY, KW_MOBIKE, diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt index bd1f9304c..d31fd2461 100644 --- a/src/starter/keywords.txt +++ b/src/starter/keywords.txt @@ -47,7 +47,6 @@ nat_traversal, KW_NAT_TRAVERSAL keep_alive, KW_KEEP_ALIVE force_keepalive, KW_FORCE_KEEPALIVE virtual_private, KW_VIRTUAL_PRIVATE -eap, KW_EAP eap_identity, KW_EAP_IDENTITY aaa_identity, KW_AAA_IDENTITY mobike, KW_MOBIKE diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c index 697115a84..e70245362 100644 --- a/src/stroke/stroke.c +++ b/src/stroke/stroke.c @@ -139,7 +139,6 @@ static int add_connection(char *name, msg.add_conn.name = push_string(&msg, name); msg.add_conn.version = 2; - msg.add_conn.auth_method = 2; msg.add_conn.mode = 1; msg.add_conn.mobike = 1; msg.add_conn.dpd.action = 1; diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h index 825228e9d..be12cabbe 100644 --- a/src/stroke/stroke_msg.h +++ b/src/stroke/stroke_msg.h @@ -240,10 +240,6 @@ struct stroke_msg_t { struct { char *name; int version; - /* next three are deprecated, use stroke_end_t.auth instead */ - int auth_method; - u_int32_t eap_type; - u_int32_t eap_vendor; char *eap_identity; char *aaa_identity; char *xauth_identity; |