Remove the obsoleted global identity configuration option.
parent
bd378f6dda
commit
535280aca9
|
@ -6,6 +6,9 @@
|
|||
local address detection, make some functions static that are
|
||||
not needed global, rework how fd_set is construction for the
|
||||
main loop select()
|
||||
* src/racoon/{cfparse.y|cftoken.l|localconf.h|localconf.c|
|
||||
ipsec_doi.c|racoon.conf.5}: remove the obsoleted global identity
|
||||
configuration option
|
||||
|
||||
2008-12-18 Timo Teras <timo.teras@iki.fi>
|
||||
From Arnaud Ebalard <arno@natisbad.org>:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: cfparse.y,v 1.33 2008/12/23 14:03:12 tteras Exp $ */
|
||||
/* $NetBSD: cfparse.y,v 1.34 2008/12/23 14:04:42 tteras Exp $ */
|
||||
|
||||
/* Id: cfparse.y,v 1.66 2006/08/22 18:17:17 manubsd Exp */
|
||||
|
||||
|
@ -186,8 +186,6 @@ static int fix_lifebyte __P((u_long));
|
|||
%token INCLUDE
|
||||
/* PFKEY_BUFFER */
|
||||
%token PFKEY_BUFFER
|
||||
/* self information */
|
||||
%token IDENTIFIER VENDORID
|
||||
/* logging */
|
||||
%token LOGGING LOGLEV
|
||||
/* padding */
|
||||
|
@ -271,7 +269,6 @@ statement
|
|||
| include_statement
|
||||
| pfkey_statement
|
||||
| gssenc_statement
|
||||
| identifier_statement
|
||||
| logging_statement
|
||||
| padding_statement
|
||||
| listen_statement
|
||||
|
@ -379,30 +376,6 @@ gssenc_statement
|
|||
}
|
||||
;
|
||||
|
||||
/* self information */
|
||||
identifier_statement
|
||||
: IDENTIFIER identifier_stmt
|
||||
;
|
||||
identifier_stmt
|
||||
: VENDORID
|
||||
{
|
||||
/*XXX to be deleted */
|
||||
}
|
||||
QUOTEDSTRING EOS
|
||||
| IDENTIFIERTYPE QUOTEDSTRING
|
||||
{
|
||||
/*XXX to be deleted */
|
||||
$2->l--; /* nuke '\0' */
|
||||
lcconf->ident[$1] = $2;
|
||||
if (lcconf->ident[$1] == NULL) {
|
||||
yyerror("failed to set my ident: %s",
|
||||
strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
EOS
|
||||
;
|
||||
|
||||
/* logging */
|
||||
logging_statement
|
||||
: LOGGING log_level EOS
|
||||
|
@ -1558,16 +1531,6 @@ sainfo_spec
|
|||
cur_algclass = $1;
|
||||
}
|
||||
algorithms EOS
|
||||
| IDENTIFIER IDENTIFIERTYPE
|
||||
{
|
||||
yyerror("it's deprecated to specify a identifier in phase 2");
|
||||
}
|
||||
EOS
|
||||
| MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING
|
||||
{
|
||||
yyerror("it's deprecated to specify a identifier in phase 2");
|
||||
}
|
||||
EOS
|
||||
;
|
||||
|
||||
algorithms
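Review bot: Dropping both sainfo_spec alternatives in the last hunk (`IDENTIFIER IDENTIFIERTYPE` and `MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING`) replaces a targeted `yyerror("it's deprecated to specify a identifier in phase 2")` with whatever the generated parser prints for an unexpected token, so an operator who still has `my_identifier` inside an existing sainfo block now gets a bare syntax error pointing at the wrong place. The cftoken.l context in this same commit still shows `<S_SAINFS>my_identifier` returning MY_IDENTIFIER, so that token can still reach this rule. A deliberate rejection costs one arm and keeps the message useful: `| MY_IDENTIFIER IDENTIFIERTYPE QUOTEDSTRING { yyerror("my_identifier is not valid in a sainfo block; set it in the remote directive"); return -1; } EOS`. The sainfo_spec rule starts before this hunk.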
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: cftoken.l,v 1.17 2008/11/27 10:53:48 tteras Exp $ */
|
||||
/* $NetBSD: cftoken.l,v 1.18 2008/12/23 14:04:42 tteras Exp $ */
|
||||
|
||||
/* Id: cftoken.l,v 1.53 2006/08/22 18:17:17 manubsd Exp */
|
||||
|
||||
|
@ -132,7 +132,7 @@ addrstring [a-fA-F0-9:]([a-fA-F0-9:\.]*|[a-fA-F0-9:\.]*%[a-zA-Z0-9]*)
|
|||
decstring {digit}+
|
||||
hexstring 0x{hexdigit}+
|
||||
|
||||
%s S_INI S_PRIV S_PTH S_INF S_LOG S_PAD S_LST S_RTRY S_CFG S_LDAP
|
||||
%s S_INI S_PRIV S_PTH S_LOG S_PAD S_LST S_RTRY S_CFG S_LDAP
|
||||
%s S_ALGST S_ALGCL
|
||||
%s S_SAINF S_SAINFS
|
||||
%s S_RMT S_RMTS S_RMTP
|
||||
|
@ -177,10 +177,6 @@ hexstring 0x{hexdigit}+
|
|||
/* pfkey_buffer */
|
||||
<S_INI>pfkey_buffer { YYDB; return(PFKEY_BUFFER); }
|
||||
|
||||
/* self information */
|
||||
<S_INI>identifier { BEGIN S_INF; YYDB; yywarn("it is obsoleted. use \"my_identifier\" in each remote directives."); return(IDENTIFIER); }
|
||||
<S_INF>{semi} { BEGIN S_INI; return(EOS); }
|
||||
|
||||
/* special */
|
||||
<S_INI>complex_bundle { YYDB; return(COMPLEX_BUNDLE); }
|
||||
|
||||
|
@ -300,7 +296,6 @@ hexstring 0x{hexdigit}+
|
|||
<S_SAINFS>{ecl} { BEGIN S_INI; return(EOC); }
|
||||
<S_SAINFS>pfs_group { YYD; return(PFS_GROUP); }
|
||||
<S_SAINFS>remoteid { YYD; return(REMOTEID); }
|
||||
<S_SAINFS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
|
||||
<S_SAINFS>my_identifier { YYD; return(MY_IDENTIFIER); }
|
||||
<S_SAINFS>lifetime { YYD; return(LIFETIME); }
|
||||
<S_SAINFS>time { YYD; return(LIFETYPE_TIME); }
|
||||
|
@ -328,7 +323,6 @@ hexstring 0x{hexdigit}+
|
|||
<S_RMTS>identity_only { YYD; yylval.num = IPSECDOI_SIT_IDENTITY_ONLY; return(SITUATIONTYPE); }
|
||||
<S_RMTS>secrecy { YYD; yylval.num = IPSECDOI_SIT_SECRECY; return(SITUATIONTYPE); }
|
||||
<S_RMTS>integrity { YYD; yylval.num = IPSECDOI_SIT_INTEGRITY; return(SITUATIONTYPE); }
|
||||
<S_RMTS>identifier { YYD; yywarn("it is obsoleted. use \"my_identifier\"."); return(IDENTIFIER); }
|
||||
<S_RMTS>my_identifier { YYD; return(MY_IDENTIFIER); }
|
||||
<S_RMTS>xauth_login { YYD; return(XAUTH_LOGIN); /* formerly identifier type login */ }
|
||||
<S_RMTS>peers_identifier { YYD; return(PEERS_IDENTIFIER); }
|
||||
|
@ -557,7 +551,6 @@ xauth_rsa_client {
|
|||
|
||||
|
||||
/* identifier type */
|
||||
vendor_id { YYD; yywarn("it is obsoleted."); return(VENDORID); }
|
||||
user_fqdn { YYD; yylval.num = IDTYPE_USERFQDN; return(IDENTIFIERTYPE); }
|
||||
fqdn { YYD; yylval.num = IDTYPE_FQDN; return(IDENTIFIERTYPE); }
|
||||
keyid { YYD; yylval.num = IDTYPE_KEYID; return(IDENTIFIERTYPE); }
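Review bot: With the `<S_INI>identifier` rule gone from the S_INI block (second hunk), a racoon.conf that still carries the old global `identifier` statement no longer receives the explicit "it is obsoleted. use my_identifier in each remote directives." message; what it gets instead depends on the scanner's catch-all rule, which is outside this hunk, and the `<S_SAINFS>identifier` and `<S_RMTS>identifier` rules that the later one-line hunks appear to remove share the same fate. Because every keyword in this file is matched by an explicit rule, a removed keyword that falls through to the generic path is indistinguishable from a typo, and for an IKE daemon a refused start with a clear migration message is the safer outcome. Consider keeping a tombstone rule in S_INI, e.g. `<S_INI>identifier { YYDB; yyerror("the global \"identifier\" statement has been removed; use \"my_identifier\" in each remote directive"); }`, provided a yyerror() raised from a scanner action makes the overall parse fail, which this hunk does not show.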
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: ipsec_doi.c,v 1.38 2008/12/05 06:02:20 tteras Exp $ */
|
||||
/* $NetBSD: ipsec_doi.c,v 1.39 2008/12/23 14:04:42 tteras Exp $ */
|
||||
|
||||
/* Id: ipsec_doi.c,v 1.55 2006/08/17 09:20:41 vanhu Exp */
|
||||
|
||||
|
@ -158,8 +158,6 @@ static int setph1attr __P((struct isakmpsa *, caddr_t));
|
|||
static vchar_t *setph2proposal0 __P((const struct ph2handle *,
|
||||
const struct saprop *, const struct saproto *));
|
||||
|
||||
static vchar_t *getidval __P((int, vchar_t *));
|
||||
|
||||
#ifdef HAVE_GSSAPI
|
||||
static struct isakmpsa *fixup_initiator_sa __P((struct isakmpsa *,
|
||||
struct isakmpsa *));
|
||||
|
@ -3762,7 +3760,6 @@ ipsecdoi_checkid1(iph1)
|
|||
|
||||
/* compare with the ID if specified. */
|
||||
if (genlist_next(iph1->rmconf->idvl_p, 0)) {
|
||||
vchar_t *ident0 = NULL;
|
||||
vchar_t ident;
|
||||
struct idspec *id;
|
||||
struct genlist_entry *gpb;
|
||||
|
@ -3775,19 +3772,15 @@ ipsecdoi_checkid1(iph1)
|
|||
goto matched;
|
||||
|
||||
/* compare defined ID with the ID sent by peer. */
|
||||
if (ident0 != NULL)
|
||||
vfree(ident0);
|
||||
ident0 = getidval(id->idtype, id->id);
|
||||
|
||||
switch (id->idtype) {
|
||||
case IDTYPE_ASN1DN:
|
||||
ident.v = iph1->id_p->v + sizeof(*id_b);
|
||||
ident.l = iph1->id_p->l - sizeof(*id_b);
|
||||
if (eay_cmp_asn1dn(ident0, &ident) == 0)
|
||||
if (eay_cmp_asn1dn(id->id, &ident) == 0)
|
||||
goto matched;
|
||||
break;
|
||||
case IDTYPE_ADDRESS:
|
||||
sa = (struct sockaddr *)ident0->v;
|
||||
sa = (struct sockaddr *)id->id->v;
|
||||
sa2 = (caddr_t)(id_b + 1);
|
||||
switch (sa->sa_family) {
|
||||
case AF_INET:
|
||||
|
@ -3811,23 +3804,17 @@ ipsecdoi_checkid1(iph1)
|
|||
}
|
||||
break;
|
||||
default:
|
||||
if (memcmp(ident0->v, id_b + 1, ident0->l) == 0)
|
||||
if (memcmp(id->id->v, id_b + 1, id->id->l) == 0)
|
||||
goto matched;
|
||||
break;
|
||||
}
|
||||
}
|
||||
if (ident0 != NULL) {
|
||||
vfree(ident0);
|
||||
ident0 = NULL;
|
||||
}
|
||||
plog(LLV_WARNING, LOCATION, NULL, "No ID match.\n");
|
||||
if (iph1->rmconf->verify_identifier)
|
||||
return ISAKMP_NTYPE_INVALID_ID_INFORMATION;
|
||||
matched: /* ID value match */
|
||||
if (ident0 != NULL)
|
||||
vfree(ident0);
|
||||
}
|
||||
|
||||
matched: /* ID value match */
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -3853,15 +3840,15 @@ ipsecdoi_setid1(iph1)
|
|||
switch (iph1->rmconf->idvtype) {
|
||||
case IDTYPE_FQDN:
|
||||
id_b.type = IPSECDOI_ID_FQDN;
|
||||
ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
|
||||
ident = vdup(iph1->rmconf->idv);
|
||||
break;
|
||||
case IDTYPE_USERFQDN:
|
||||
id_b.type = IPSECDOI_ID_USER_FQDN;
|
||||
ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
|
||||
ident = vdup(iph1->rmconf->idv);
|
||||
break;
|
||||
case IDTYPE_KEYID:
|
||||
id_b.type = IPSECDOI_ID_KEY_ID;
|
||||
ident = getidval(iph1->rmconf->idvtype, iph1->rmconf->idv);
|
||||
ident = vdup(iph1->rmconf->idv);
|
||||
break;
|
||||
case IDTYPE_ASN1DN:
|
||||
id_b.type = IPSECDOI_ID_DER_ASN1_DN;
|
||||
|
@ -3955,21 +3942,6 @@ err:
|
|||
return -1;
|
||||
}
|
||||
|
||||
static vchar_t *
|
||||
getidval(type, val)
|
||||
int type;
|
||||
vchar_t *val;
|
||||
{
|
||||
vchar_t *new = NULL;
|
||||
|
||||
if (val)
|
||||
new = vdup(val);
|
||||
else if (lcconf->ident[type])
|
||||
new = vdup(lcconf->ident[type]);
|
||||
|
||||
return new;
|
||||
}
|
||||
|
||||
/* it's only called by cfparse.y. */
|
||||
int
|
||||
set_identifier(vpp, type, value)
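Review bot: In the ipsecdoi_checkid1 hunk the default arm now reads `if (memcmp(id->id->v, id_b + 1, id->id->l) == 0)` and compares exactly the configured length, never the peer's: a peer ID payload shorter than the configured value makes memcmp read past the end of the received payload, and a longer one whose prefix equals the configured value is accepted, so `verify_identifier` is a prefix check rather than an equality check for every identifier type that is neither ASN1DN nor ADDRESS. The removed getidval() path had the same shape, but this line is what ships now, and the peer length is already computed two arms above as `iph1->id_p->l - sizeof(*id_b)`; require equality first: `if (iph1->id_p->l - sizeof(*id_b) == id->id->l && memcmp(id->id->v, id_b + 1, id->id->l) == 0)`. Separately, the deleted getidval() tolerated a NULL id->id by falling back to lcconf->ident, a fallback this commit removes; whether the parser can still produce an idspec with a type but no value is not visible here, but if it can, the new `id->id->v` dereferences in the IDTYPE_ADDRESS and default arms are a NULL dereference reachable from any peer's ID payload, and `if (id->id == NULL) continue;` at the top of the loop is cheap insurance. ipsecdoi_checkid1 starts and ends outside the visible hunks.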
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: localconf.c,v 1.6 2008/12/23 14:03:12 tteras Exp $ */
|
||||
/* $NetBSD: localconf.c,v 1.7 2008/12/23 14:04:42 tteras Exp $ */
|
||||
|
||||
/* $KAME: localconf.c,v 1.33 2001/08/09 07:32:19 sakane Exp $ */
|
||||
|
||||
|
@ -93,11 +93,6 @@ flushlcconf()
|
|||
lcconf->pathinfo[i] = NULL;
|
||||
}
|
||||
}
|
||||
for (i = 0; i < LC_IDENTTYPE_MAX; i++) {
|
||||
if (lcconf->ident[i])
|
||||
vfree(lcconf->ident[i]);
|
||||
lcconf->ident[i] = NULL;
|
||||
}
|
||||
}
|
||||
|
||||
static void
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: localconf.h,v 1.6 2008/12/23 14:03:12 tteras Exp $ */
|
||||
/* $NetBSD: localconf.h,v 1.7 2008/12/23 14:04:42 tteras Exp $ */
|
||||
|
||||
/* Id: localconf.h,v 1.13 2005/11/06 18:13:18 monas Exp */
|
||||
|
||||
|
@ -61,8 +61,6 @@
|
|||
|
||||
#define LC_DEFAULT_SECRETSIZE 16 /* 128 bits */
|
||||
|
||||
#define LC_IDENTTYPE_MAX 5 /* XXX */
|
||||
|
||||
#define LC_GSSENC_UTF16LE 0 /* GSS ID in UTF-16LE */
|
||||
#define LC_GSSENC_LATIN1 1 /* GSS ID in ISO-Latin-1 */
|
||||
#define LC_GSSENC_MAX 2
|
||||
|
@ -82,7 +80,6 @@ struct localconf {
|
|||
int rtsock; /* routing socket */
|
||||
|
||||
char *pathinfo[LC_PATHTYPE_MAX];
|
||||
vchar_t *ident[LC_IDENTTYPE_MAX]; /* base of Identifier payload. */
|
||||
|
||||
int pad_random;
|
||||
int pad_randomlen;
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
.\" $NetBSD: racoon.conf.5,v 1.48 2008/11/28 22:37:44 wiz Exp $
|
||||
.\" $NetBSD: racoon.conf.5,v 1.49 2008/12/23 14:04:42 tteras Exp $
|
||||
.\"
|
||||
.\" Id: racoon.conf.5,v 1.54 2006/08/22 18:17:17 manubsd Exp
|
||||
.\"
|
||||
|
@ -237,12 +237,6 @@ Default is
|
|||
Specifies other configuration files to be included.
|
||||
.El
|
||||
.\"
|
||||
.Ss Identifier Specification
|
||||
is obsolete.
|
||||
It must be defined at each
|
||||
.Ic remote
|
||||
directive.
|
||||
.\"
|
||||
.Ss Timer Specification
|
||||
.Bl -tag -width Ds -compact
|
||||
.It Ic timer { Ar statements Ic }
|
||||
|
@ -427,11 +421,6 @@ You can omit this statement.
|
|||
Means to use SIT_IDENTITY_ONLY as specified in RFC 2407.
|
||||
You can omit this statement.
|
||||
.\"
|
||||
.It Ic identifier Ar idtype ;
|
||||
This statement is obsolete.
|
||||
Instead, use
|
||||
.Ic my_identifier .
|
||||
.\"
|
||||
.It Xo
|
||||
.Ic my_identifier Bq Ar qualifier
|
||||
.Ar idtype ... ;
|
||||
|
@ -1033,11 +1022,6 @@ Sainfos will only be used if their remoteid matches the ph1id of the
|
|||
remote section used for phase 1.
|
||||
Defaults to 0, which is also the default for ph1id.
|
||||
.\"
|
||||
.It Ic my_identifier Ar idtype ... ;
|
||||
is obsolete.
|
||||
It does not make sense to specify an identifier in the phase 2.
|
||||
.El
|
||||
.\"
|
||||
.Pp
|
||||
.Xr racoon 8
|
||||
does not have a list of security protocols to be negotiated.
|
||||
|
|