aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMartin Willi <martin@revosec.ch>2012-01-20 16:03:18 +0100
committerMartin Willi <martin@revosec.ch>2012-03-20 17:31:38 +0100
commitc8d46f295948d01aef96fba5413206d2ae0a16f9 (patch)
tree141a299e6562be986659871a500b1d0bc255ac61
parentc791def8c13ccb587ec9e37570f9a957af6a515e (diff)
downloadstrongswan-c8d46f295948d01aef96fba5413206d2ae0a16f9.tar.bz2
strongswan-c8d46f295948d01aef96fba5413206d2ae0a16f9.tar.xz
Dropped support of deprecated authby=eap and eap= options
-rw-r--r--man/ipsec.conf.5.in37
-rw-r--r--src/starter/args.c1
-rw-r--r--src/starter/confread.c34
-rw-r--r--src/starter/confread.h2
-rw-r--r--src/starter/keywords.h1
-rw-r--r--src/starter/keywords.txt1
-rw-r--r--src/stroke/stroke.c1
-rw-r--r--src/stroke/stroke_msg.h4
8 files changed, 5 insertions, 76 deletions
diff --git a/man/ipsec.conf.5.in b/man/ipsec.conf.5.in
index e2835bde3..2f914b0c8 100644
--- a/man/ipsec.conf.5.in
+++ b/man/ipsec.conf.5.in
@@ -247,7 +247,7 @@ acceptable values are
.br
The IKEv2 daemon currently supports ESP only.
.TP
-.BR authby " = " pubkey " | rsasig | ecdsasig | psk | eap | never | xauth..."
+.BR authby " = " pubkey " | rsasig | ecdsasig | psk | never | xauthpsk | xauthrsasig"
how the two security gateways should authenticate each other;
acceptable values are
.B psk
@@ -269,12 +269,7 @@ IKEv1 additionally supports the values
and
.B xauthrsasig
that will enable eXtended AUTHentication (XAUTH) in addition to IKEv1 main mode
-based on shared secrets or digital RSA signatures, respectively.
-IKEv2 additionally supports the value
-.BR eap ,
-which indicates an initiator to request EAP authentication. The EAP method
-to use is selected by the server (see
-.BR eap ).
+based on shared secrets or digital RSA signatures, respectively.
This parameter is deprecated for IKEv2 connections, as two peers do not need
to agree on an authentication method. Use the
.B leftauth
@@ -377,31 +372,6 @@ might trigger a closeaction when not desired.
defines the timeout interval, after which a CHILD_SA is closed if it did
not send or receive any traffic. Currently supported in IKEv2 connections only.
.TP
-.BR eap " = md5 | mschapv2 | radius | ... | <type> | <type>-<vendor>
-defines the EAP type to propose as server if the client requests EAP
-authentication. Currently supported values are
-.B aka
-for EAP-AKA,
-.B gtc
-for EAP-GTC,
-.B md5
-for EAP-MD5,
-.B mschapv2
-for EAP-MS-CHAPv2,
-.B radius
-for the EAP-RADIUS proxy and
-.B sim
-for EAP-SIM. Additionally, IANA assigned EAP method numbers are accepted, or a
-definition in the form
-.B eap=type-vendor
-(e.g. eap=7-12345) can be used to specify vendor specific EAP types.
-This parameter is deprecated in the favour of
-.B leftauth.
-
-To forward EAP authentication to a RADIUS server using the EAP-RADIUS plugin,
-set
-.BR eap=radius .
-.TP
.BR eap_identity " = <id>"
defines the identity the client uses to reply to a EAP Identity request.
If defined on the EAP server, the defined identity will be used as peer
@@ -598,12 +568,13 @@ For
.B eap,
an optional EAP method can be appended. Currently defined methods are
.BR eap-aka ,
+.BR eap-sim ,
.BR eap-gtc ,
.BR eap-md5 ,
.BR eap-tls ,
.B eap-mschapv2
and
-.BR eap-sim .
+.BR eap-radius .
Alternatively, IANA assigned EAP method numbers are accepted. Vendor specific
EAP methods are defined in the form
.B eap-type-vendor
diff --git a/src/starter/args.c b/src/starter/args.c
index 88133dd53..0699eb058 100644
--- a/src/starter/args.c
+++ b/src/starter/args.c
@@ -207,7 +207,6 @@ static const token_info_t token_info[] =
{ ARG_ENUM, offsetof(starter_conn_t, aggressive), LST_bool },
{ ARG_MISC, 0, NULL /* KW_AUTH */ },
{ ARG_MISC, 0, NULL /* KW_AUTHBY */ },
- { ARG_MISC, 0, NULL /* KW_EAP */ },
{ ARG_STR, offsetof(starter_conn_t, eap_identity), NULL },
{ ARG_STR, offsetof(starter_conn_t, aaa_identity), NULL },
{ ARG_MISC, 0, NULL /* KW_MOBIKE */ },
diff --git a/src/starter/confread.c b/src/starter/confread.c
index 1da4eb025..ce69fd724 100644
--- a/src/starter/confread.c
+++ b/src/starter/confread.c
@@ -22,8 +22,6 @@
#include <freeswan.h>
-#include <eap/eap.h>
-
#include "../pluto/constants.h"
#include "../pluto/defs.h"
#include "../pluto/log.h"
@@ -668,7 +666,7 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
{
conn->policy |= POLICY_XAUTH_RSASIG | POLICY_ENCRYPT;
}
- else if (streq(value, "xauthpsk") || streq(value, "eap"))
+ else if (streq(value, "xauthpsk"))
{
conn->policy |= POLICY_XAUTH_PSK | POLICY_ENCRYPT;
}
@@ -687,36 +685,6 @@ static void load_conn(starter_conn_t *conn, kw_list_t *kw, starter_config_t *cfg
}
}
break;
- case KW_EAP:
- {
- char *sep;
-
- /* check for vendor-type format */
- sep = strchr(kw->value, '-');
- if (sep)
- {
- *(sep++) = '\0';
- conn->eap_type = atoi(kw->value);
- conn->eap_vendor = atoi(sep);
- if (conn->eap_type == 0 || conn->eap_vendor == 0)
- {
- plog("# invalid EAP type: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- break;
- }
- conn->eap_type = eap_type_from_string(kw->value);
- if (conn->eap_type == 0)
- {
- conn->eap_type = atoi(kw->value);
- if (conn->eap_type == 0)
- {
- plog("# unknown EAP type: %s=%s", kw->entry->name, kw->value);
- cfg->err++;
- }
- }
- break;
- }
case KW_MARK:
if (!handle_mark(kw->value, &conn->mark_in))
{
diff --git a/src/starter/confread.h b/src/starter/confread.h
index 25f37e633..19c404e2e 100644
--- a/src/starter/confread.h
+++ b/src/starter/confread.h
@@ -110,8 +110,6 @@ struct starter_conn {
starter_state_t state;
keyexchange_t keyexchange;
- u_int32_t eap_type;
- u_int32_t eap_vendor;
char *eap_identity;
char *aaa_identity;
char *xauth_identity;
diff --git a/src/starter/keywords.h b/src/starter/keywords.h
index 71e31e9f5..3374fa8c7 100644
--- a/src/starter/keywords.h
+++ b/src/starter/keywords.h
@@ -70,7 +70,6 @@ typedef enum {
KW_AGGRESSIVE,
KW_AUTH,
KW_AUTHBY,
- KW_EAP,
KW_EAP_IDENTITY,
KW_AAA_IDENTITY,
KW_MOBIKE,
diff --git a/src/starter/keywords.txt b/src/starter/keywords.txt
index bd1f9304c..d31fd2461 100644
--- a/src/starter/keywords.txt
+++ b/src/starter/keywords.txt
@@ -47,7 +47,6 @@ nat_traversal, KW_NAT_TRAVERSAL
keep_alive, KW_KEEP_ALIVE
force_keepalive, KW_FORCE_KEEPALIVE
virtual_private, KW_VIRTUAL_PRIVATE
-eap, KW_EAP
eap_identity, KW_EAP_IDENTITY
aaa_identity, KW_AAA_IDENTITY
mobike, KW_MOBIKE
diff --git a/src/stroke/stroke.c b/src/stroke/stroke.c
index 697115a84..e70245362 100644
--- a/src/stroke/stroke.c
+++ b/src/stroke/stroke.c
@@ -139,7 +139,6 @@ static int add_connection(char *name,
msg.add_conn.name = push_string(&msg, name);
msg.add_conn.version = 2;
- msg.add_conn.auth_method = 2;
msg.add_conn.mode = 1;
msg.add_conn.mobike = 1;
msg.add_conn.dpd.action = 1;
diff --git a/src/stroke/stroke_msg.h b/src/stroke/stroke_msg.h
index 825228e9d..be12cabbe 100644
--- a/src/stroke/stroke_msg.h
+++ b/src/stroke/stroke_msg.h
@@ -240,10 +240,6 @@ struct stroke_msg_t {
struct {
char *name;
int version;
- /* next three are deprecated, use stroke_end_t.auth instead */
- int auth_method;
- u_int32_t eap_type;
- u_int32_t eap_vendor;
char *eap_identity;
char *aaa_identity;
char *xauth_identity;