Remove the obsoleted global identity configuration option.

crypto/dist/ipsec-tools/ChangeLog

@@ -6,6 +6,9 @@
 	  local address detection, make some functions static that are
 	  not needed global, rework how fd_set is construction for the
 	  main loop select()
+	* src/racoon/{cfparse.y|cftoken.l|localconf.h|localconf.c|
+	  ipsec_doi.c|racoon.conf.5}: remove the obsoleted global identity
+	  configuration option
 
 2008-12-18  Timo Teras  <timo.teras@iki.fi>
 	From Arnaud Ebalard <arno@natisbad.org>:

crypto/dist/ipsec-tools/src/racoon/cfparse.y

@@ -1,4 +1,4 @@
-/*	$NetBSD: cfparse.y,v 1.33 2008/12/23 14:03:12 tteras Exp $	*/
+/*	$NetBSD: cfparse.y,v 1.34 2008/12/23 14:04:42 tteras Exp $	*/
 
 /* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
 
@@ -186,8 +186,6 @@ static int fix_lifebyte __P((u_long));
 %token INCLUDE
 	/* PFKEY_BUFFER */
 %token PFKEY_BUFFER
-	/* self information */
-%token IDENTIFIER VENDORID
 	/* logging */
 %token LOGGING LOGLEV
 	/* padding */
@@ -271,7 +269,6 @@ statement
 	|	include_statement
 	|	pfkey_statement
 	|	gssenc_statement
-	|	identifier_statement
 	|	logging_statement
 	|	padding_statement
 	|	listen_statement
@@ -379,30 +376,6 @@ gssenc_statement
 		}
 	;
 
-	/* self information */
-identifier_statement
-	:	IDENTIFIER identifier_stmt
-	;
-identifier_stmt
-	:	VENDORID
-		{
-			/*XXX to be deleted */
-		}
-		QUOTEDSTRING EOS
-	|	IDENTIFIERTYPE QUOTEDSTRING
-		{
-			/*XXX to be deleted */
-			$2->l--;	/* nuke '\0' */
-			lcconf->ident[$1] = $2;
-			if (lcconf->ident[$1] == NULL) {
-				yyerror("failed to set my ident: %s",
-					strerror(errno));
-				return -1;
-			}
-		}
-		EOS
-	;
-
 	/* logging */
 logging_statement
 	:	LOGGING log_level EOS
@@ -1558,16 +1531,6 @@ sainfo_spec
 			cur_algclass = $1;
 		}
 		algorithms EOS
-	|	IDENTIFIER IDENTIFIERTYPE
-		{
-			yyerror("it's deprecated to specify a identifier in phase 2");
-		}
-		EOS
-	|	MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
-		{
-			yyerror("it's deprecated to specify a identifier in phase 2");
-		}
-		EOS
 	;
 
 algorithms

crypto/dist/ipsec-tools/src/racoon/cftoken.l

@@ -1,4 +1,4 @@
-/*	$NetBSD: cftoken.l,v 1.17 2008/11/27 10:53:48 tteras Exp $	*/
+/*	$NetBSD: cftoken.l,v 1.18 2008/12/23 14:04:42 tteras Exp $	*/
 
 /* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
 
@@ -132,7 +132,7 @@ addrstring	[a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
 decstring	{digit}+
 hexstring	0x{hexdigit}+
 
-%s S_INI S_PRIV S_PTH S_INF S_LOG S_PAD S_LST S_RTRY S_CFG S_LDAP
+%s S_INI S_PRIV S_PTH S_LOG S_PAD S_LST S_RTRY S_CFG S_LDAP
 %s S_ALGST S_ALGCL
 %s S_SAINF S_SAINFS
 %s S_RMT S_RMTS S_RMTP
@@ -177,10 +177,6 @@ hexstring	0x{hexdigit}+
     /* pfkey_buffer */
 <S_INI>pfkey_buffer { YYDB; return(PFKEY_BUFFER); }
 
-	/* self information */
-<S_INI>identifier	{ BEGIN S_INF; YYDB; yywarn("it is obsoleted.  use \"my_identifier\" in each remote directives."); return(IDENTIFIER); }
-<S_INF>{semi}		{ BEGIN S_INI; return(EOS); }
-
 	/* special */
 <S_INI>complex_bundle	{ YYDB; return(COMPLEX_BUNDLE); }
 
@@ -300,7 +296,6 @@ hexstring	0x{hexdigit}+
 <S_SAINFS>{ecl}		{ BEGIN S_INI; return(EOC); }
 <S_SAINFS>pfs_group	{ YYD; return(PFS_GROUP); }
 <S_SAINFS>remoteid	{ YYD; return(REMOTEID); }
-<S_SAINFS>identifier	{ YYD; yywarn("it is obsoleted.  use \"my_identifier\"."); return(IDENTIFIER); }
 <S_SAINFS>my_identifier	{ YYD; return(MY_IDENTIFIER); }
 <S_SAINFS>lifetime	{ YYD; return(LIFETIME); }
 <S_SAINFS>time		{ YYD; return(LIFETYPE_TIME); }
@@ -328,7 +323,6 @@ hexstring	0x{hexdigit}+
 <S_RMTS>identity_only	{ YYD; yylval.num = IPSECDOI_SIT_IDENTITY_ONLY; return(SITUATIONTYPE); }
 <S_RMTS>secrecy		{ YYD; yylval.num = IPSECDOI_SIT_SECRECY; return(SITUATIONTYPE); }
 <S_RMTS>integrity	{ YYD; yylval.num = IPSECDOI_SIT_INTEGRITY; return(SITUATIONTYPE); }
-<S_RMTS>identifier	{ YYD; yywarn("it is obsoleted.  use \"my_identifier\"."); return(IDENTIFIER); }
 <S_RMTS>my_identifier	{ YYD; return(MY_IDENTIFIER); }
 <S_RMTS>xauth_login	{ YYD; return(XAUTH_LOGIN); /* formerly identifier type login */ }
 <S_RMTS>peers_identifier	{ YYD; return(PEERS_IDENTIFIER); }
@@ -557,7 +551,6 @@ xauth_rsa_client {
 
 
 	/* identifier type */
-vendor_id	{ YYD; yywarn("it is obsoleted."); return(VENDORID); }
 user_fqdn	{ YYD; yylval.num = IDTYPE_USERFQDN; return(IDENTIFIERTYPE); }
 fqdn		{ YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); }
 keyid		{ YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); }

crypto/dist/ipsec-tools/src/racoon/ipsec_doi.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: ipsec_doi.c,v 1.38 2008/12/05 06:02:20 tteras Exp $	*/
+/*	$NetBSD: ipsec_doi.c,v 1.39 2008/12/23 14:04:42 tteras Exp $	*/
 
 /* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
 
@@ -158,8 +158,6 @@ static int setph1attr __P((struct isakmpsa *, caddr_t));
 static vchar_t *setph2proposal0 __P((const struct ph2handle *,
 	const struct saprop *, const struct saproto *));
 
-static vchar_t *getidval __P((int, vchar_t *));
-
 #ifdef HAVE_GSSAPI
 static struct isakmpsa *fixup_initiator_sa __P((struct isakmpsa *,
 	struct isakmpsa *));
@@ -3762,7 +3760,6 @@ ipsecdoi_checkid1(iph1)
 
 	/* compare with the ID if specified. */
 	if (genlist_next(iph1->rmconf->idvl_p, 0)) {
-		vchar_t *ident0 = NULL;
 		vchar_t ident;
 		struct idspec *id;
 		struct genlist_entry *gpb;
@@ -3775,19 +3772,15 @@ ipsecdoi_checkid1(iph1)
 				goto matched;
 
 			/* compare defined ID with the ID sent by peer. */
-			if (ident0 != NULL)
-				vfree(ident0);
-			ident0 = getidval(id->idtype, id->id);
-
 			switch (id->idtype) {
 			case IDTYPE_ASN1DN:
 				ident.v = iph1->id_p->v + sizeof(*id_b);
 				ident.l = iph1->id_p->l - sizeof(*id_b);
-				if (eay_cmp_asn1dn(ident0, &ident) == 0)
+				if (eay_cmp_asn1dn(id->id, &ident) == 0)
 					goto matched;
 				break;
 			case IDTYPE_ADDRESS:
-				sa = (struct sockaddr *)ident0->v;
+				sa = (struct sockaddr *)id->id->v;
 				sa2 = (caddr_t)(id_b + 1);
 				switch (sa->sa_family) {
 				case AF_INET:
@@ -3811,23 +3804,17 @@ ipsecdoi_checkid1(iph1)
 				}
 				break;
 			default:
-				if (memcmp(ident0->v, id_b + 1, ident0->l) == 0)
+				if (memcmp(id->id->v, id_b + 1, id->id->l) == 0)
 					goto matched;
 				break;
 			}
 		}
-		if (ident0 != NULL) {
-			vfree(ident0);
-			ident0 = NULL;
-		}
 		plog(LLV_WARNING, LOCATION, NULL, "No ID match.\n");
 		if (iph1->rmconf->verify_identifier)
 			return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
-matched: /* ID value match */
-		if (ident0 != NULL)
-			vfree(ident0);
 	}
 
+matched: /* ID value match */
 	return 0;
 }
 
@@ -3853,15 +3840,15 @@ ipsecdoi_setid1(iph1)
 	switch (iph1->rmconf->idvtype) {
 	case IDTYPE_FQDN:
 		id_b.type = IPSECDOI_ID_FQDN;
-		ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
+		ident = vdup(iph1->rmconf->idv);
 		break;
 	case IDTYPE_USERFQDN:
 		id_b.type = IPSECDOI_ID_USER_FQDN;
-		ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
+		ident = vdup(iph1->rmconf->idv);
 		break;
 	case IDTYPE_KEYID:
 		id_b.type = IPSECDOI_ID_KEY_ID;
-		ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
+		ident = vdup(iph1->rmconf->idv);
 		break;
 	case IDTYPE_ASN1DN:
 		id_b.type = IPSECDOI_ID_DER_ASN1_DN;
@@ -3955,21 +3942,6 @@ err:
 	return -1;
 }
 
-static vchar_t *
-getidval(type, val)
-	int type;
-	vchar_t *val;
-{
-	vchar_t *new = NULL;
-
-	if (val)
-		new = vdup(val);
-	else if (lcconf->ident[type])
-		new = vdup(lcconf->ident[type]);
-
-	return new;
-}
-
 /* it's only called by cfparse.y. */
 int
 set_identifier(vpp, type, value)

crypto/dist/ipsec-tools/src/racoon/localconf.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: localconf.c,v 1.6 2008/12/23 14:03:12 tteras Exp $	*/
+/*	$NetBSD: localconf.c,v 1.7 2008/12/23 14:04:42 tteras Exp $	*/
 
 /*	$KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $	*/
 
@@ -93,11 +93,6 @@ flushlcconf()
 			lcconf->pathinfo[i] = NULL;
 		}
 	}
-	for (i = 0; i < LC_IDENTTYPE_MAX; i++) {
-		if (lcconf->ident[i])
-			vfree(lcconf->ident[i]);
-		lcconf->ident[i] = NULL;
-	}
 }
 
 static void

crypto/dist/ipsec-tools/src/racoon/localconf.h

@@ -1,4 +1,4 @@
-/*	$NetBSD: localconf.h,v 1.6 2008/12/23 14:03:12 tteras Exp $	*/
+/*	$NetBSD: localconf.h,v 1.7 2008/12/23 14:04:42 tteras Exp $	*/
 
 /* Id: localconf.h,v 1.13 2005/11/06 18:13:18 monas Exp */
 
@@ -61,8 +61,6 @@
 
 #define LC_DEFAULT_SECRETSIZE	16	/* 128 bits */
 
-#define LC_IDENTTYPE_MAX	5	/* XXX */
-
 #define	LC_GSSENC_UTF16LE	0	/* GSS ID in UTF-16LE */
 #define	LC_GSSENC_LATIN1	1	/* GSS ID in ISO-Latin-1 */
 #define	LC_GSSENC_MAX		2
@@ -82,7 +80,6 @@ struct localconf {
 	int rtsock;			/* routing socket */
 
 	char *pathinfo[LC_PATHTYPE_MAX];
-	vchar_t *ident[LC_IDENTTYPE_MAX]; /* base of Identifier payload. */
 
 	int pad_random;
 	int pad_randomlen;

crypto/dist/ipsec-tools/src/racoon/racoon.conf.5

@@ -1,4 +1,4 @@
-.\"	$NetBSD: racoon.conf.5,v 1.48 2008/11/28 22:37:44 wiz Exp $
+.\"	$NetBSD: racoon.conf.5,v 1.49 2008/12/23 14:04:42 tteras Exp $
 .\"
 .\"	Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
 .\"
@@ -237,12 +237,6 @@ Default is
 Specifies other configuration files to be included.
 .El
 .\"
-.Ss Identifier Specification
-is obsolete.
-It must be defined at each
-.Ic remote
-directive.
-.\"
 .Ss Timer Specification
 .Bl -tag -width Ds -compact
 .It Ic timer { Ar statements Ic }
@@ -427,11 +421,6 @@ You can omit this statement.
 Means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
 You can omit this statement.
 .\"
-.It Ic identifier Ar idtype ;
-This statement is obsolete.
-Instead, use
-.Ic my_identifier .
-.\"
 .It Xo
 .Ic my_identifier Bq Ar qualifier
 .Ar idtype ... ;
@@ -1033,11 +1022,6 @@ Sainfos will only be used if their remoteid matches the ph1id of the
 remote section used for phase 1.
 Defaults to 0, which is also the default for ph1id.
 .\"
-.It Ic my_identifier Ar idtype ... ;
-is obsolete.
-It does not make sense to specify an identifier in the phase 2.
-.El
-.\"
 .Pp
 .Xr racoon 8
 does not have a list of security protocols to be negotiated.