iked(8): update RFC references

2019-02-27 Thread Tobias Heider
Hi,

I went through the code and man pages and updated obsolete RFC
references according to the IANA IKEv2 parameters registry [iana].

The remaining mentions of RFC4306 refer to values that are now deprecated and
listed as RESERVED in the current registry; should they be removed from ikev2.h?

Tobias

[iana] 
https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-10

Index: ca.c
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ca.c,v
retrieving revision 1.46
diff -u -p -u -r1.46 ca.c
--- ca.c30 Oct 2017 09:53:27 -  1.46
+++ ca.c27 Feb 2019 10:58:22 -
@@ -808,7 +808,7 @@ ca_subjectpubkey_digest(X509 *x509, uint
 * Generate a SHA-1 digest of the Subject Public Key Info
 * element in the X.509 certificate, an ASN.1 sequence
 * that includes the public key type (eg. RSA) and the
-* public key value (see 3.7 of RFC4306).
+* public key value (see 3.7 of RFC7296).
 */
if ((pkey = X509_get_pubkey(x509)) == NULL)
return (-1);
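Review bot: The updated comment still leaves a reader of ca_subjectpubkey_digest to wonder why SHA-1 is used in a certificate-handling path, which is exactly the kind of thing a later audit flags as weak crypto. RFC 7296 section 3.7 fixes SHA-1 as the hash of the Subject Public Key Info for the Certification Authority field of the CERTREQ payload, so the algorithm is protocol-mandated and not a local choice; I would state that next to the reference, e.g. `* SHA-1 is mandated by RFC 7296 section 3.7 for the CERTREQ` followed by `* Certification Authority hashes and cannot be swapped here.` Presumably this digest is what is sent in and matched against CERTREQ payloads, but the callers are outside the hunk and worth confirming. The body of ca_subjectpubkey_digest starts before and continues after this hunk.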
Index: iked.8
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.8,v
retrieving revision 1.21
diff -u -p -u -r1.21 iked.8
--- iked.8  3 Jul 2018 13:37:11 -   1.21
+++ iked.8  27 Feb 2019 10:27:19 -
@@ -31,7 +31,7 @@ is an Internet Key Exchange (IKEv2) daem
 authentication and which establishes and maintains IPsec flows and
 security associations (SAs) between the two peers.
 .Pp
-The IKEv2 protocol is defined in RFC 5996,
+The IKEv2 protocol is defined in RFC 7296,
 which combines and updates the previous standards:
 ISAKMP/Oakley (RFC 2408),
 IKE (RFC 2409),
@@ -187,8 +187,9 @@ control socket.
 .%A P. Hoffman
 .%A Y. Nir
 .%A P. Eronen
-.%D September 2010
-.%R RFC 5996
+.%A T. Kivinen
+.%D October 2014
+.%R RFC 7296
 .%T Internet Key Exchange Protocol Version 2 (IKEv2)
 .Re
 .Sh HISTORY
Index: ikev2.c
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v
retrieving revision 1.167
diff -u -p -u -r1.167 ikev2.c
--- ikev2.c 26 Feb 2019 18:05:22 -  1.167
+++ ikev2.c 27 Feb 2019 10:32:36 -
@@ -4585,7 +4585,7 @@ ikev2_sa_keys(struct iked *env, struct i
 *  (Ni | Nr) is used as a PRF key, otherwise a "key" buffer
 *  is used and PRF is performed on the concatenation of DH
 *  exchange result and nonces (g^ir | Ni | Nr).  See sections
-*  2.14 and 2.18 of RFC5996 for more information.
+*  2.14 and 2.18 of RFC7296 for more information.
 */
 
/*
Index: ikev2.h
===
RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.h,v
retrieving revision 1.27
diff -u -p -u -r1.27 ikev2.h
--- ikev2.h 3 Dec 2017 21:02:44 -   1.27
+++ ikev2.h 27 Feb 2019 11:56:13 -
@@ -184,7 +184,7 @@ extern struct iked_constmap ikev2_xformt
 
 extern struct iked_constmap ikev2_xformencr_map[];
 
-#define IKEV2_IPCOMP_OUI   1   /* RFC5996 */
+#define IKEV2_IPCOMP_OUI   1   /* UNSPECIFIED */
 #define IKEV2_IPCOMP_DEFLATE   2   /* RFC2394 */
 #define IKEV2_IPCOMP_LZS   3   /* RFC2395 */
 #define IKEV2_IPCOMP_LZJH  4   /* RFC3051 */
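Review bot: `/* UNSPECIFIED */` on the IKEV2_IPCOMP_OUI line reads as a statement about the constant rather than as the IANA Reference column entry that the neighbouring `/* RFC2394 */`-style comments reproduce, so a reader may take it to mean the value 1 itself is unassigned. If I read the registry cited in the mail correctly, 1 is assigned to IPCOMP_OUI and merely has no defining RFC. I would make that explicit, e.g. `#define IKEV2_IPCOMP_OUI 1 /* no RFC; IANA reference: UNSPECIFIED */`, or add a one-line comment above the table saying the trailing comments are the IANA reference entries. The define table continues outside the hunk.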
@@ -283,38 +283,38 @@ struct ikev2_notify {
/* Followed by variable length notification data */
 } __packed;
 
-#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD   1   /* RFC4306 */
-#define IKEV2_N_INVALID_IKE_SPI4   /* RFC4306 */
-#define IKEV2_N_INVALID_MAJOR_VERSION  5   /* RFC4306 */
-#define IKEV2_N_INVALID_SYNTAX 7   /* RFC4306 */
-#define IKEV2_N_INVALID_MESSAGE_ID 9   /* RFC4306 */
-#define IKEV2_N_INVALID_SPI11  /* RFC4306 */
-#define IKEV2_N_NO_PROPOSAL_CHOSEN 14  /* RFC4306 */
-#define IKEV2_N_INVALID_KE_PAYLOAD 17  /* RFC4306 */
-#define IKEV2_N_AUTHENTICATION_FAILED  24  /* RFC4306 */
-#define IKEV2_N_SINGLE_PAIR_REQUIRED   34  /* RFC4306 */
-#define IKEV2_N_NO_ADDITIONAL_SAS  35  /* RFC4306 */
-#define IKEV2_N_INTERNAL_ADDRESS_FAILURE   36  /* RFC4306 */
-#define IKEV2_N_FAILED_CP_REQUIRED 37  /* RFC4306 */
-#define IKEV2_N_TS_UNACCEPTABLE38  /* RFC4306 */
-#define IKEV2_N_INVALID_SELECTORS  39  /* RFC4306 */
+#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD   1   /* RFC7296 */
+#define IKEV2_N_INVALID_IKE_SPI4   /* RFC7296 */
+#define IKEV2_N_INVALID_MAJOR_VERSION  5   /* RFC7296 */
+#define IKEV2_N_INVALID_SYNTAX 7   /* RFC7296 */
+#define IKEV2_N_INVALID_MESSAGE_ID 9   /* RFC7296 */
+#define IKEV2_N_INVALID_SPI11  /* RFC7296 */
+#define IKEV

Re: iked(8): update RFC references

2019-02-27 Thread Claudio Jeker
On Wed, Feb 27, 2019 at 01:08:44PM +0100, Tobias Heider wrote:
> Hi,
> 
> i went through the code and man pages and updated obsolete RFC
> references according to [iana].
> 
> The remaining mentions of RFC4306 are deprecated and listed as RESERVED
> in the current registry, should they be removed from ikev2.h?
> 
> Tobias
> 
> [iana] 
> https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml#ikev2-parameters-10

The only issue I see with this is if RFC7296 includes requirements that
RFC 5996 doesn't have and iked has not implemented them.
Looking at RFC7296 section 1.8, this is not the case, so OK claudio@
 
> Index: ca.c
> ===
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ca.c,v
> retrieving revision 1.46
> diff -u -p -u -r1.46 ca.c
> --- ca.c  30 Oct 2017 09:53:27 -  1.46
> +++ ca.c  27 Feb 2019 10:58:22 -
> @@ -808,7 +808,7 @@ ca_subjectpubkey_digest(X509 *x509, uint
>* Generate a SHA-1 digest of the Subject Public Key Info
>* element in the X.509 certificate, an ASN.1 sequence
>* that includes the public key type (eg. RSA) and the
> -  * public key value (see 3.7 of RFC4306).
> +  * public key value (see 3.7 of RFC7296).
>*/
>   if ((pkey = X509_get_pubkey(x509)) == NULL)
>   return (-1);
> Index: iked.8
> ===
> RCS file: /mount/openbsd/cvs/src/sbin/iked/iked.8,v
> retrieving revision 1.21
> diff -u -p -u -r1.21 iked.8
> --- iked.83 Jul 2018 13:37:11 -   1.21
> +++ iked.827 Feb 2019 10:27:19 -
> @@ -31,7 +31,7 @@ is an Internet Key Exchange (IKEv2) daem
>  authentication and which establishes and maintains IPsec flows and
>  security associations (SAs) between the two peers.
>  .Pp
> -The IKEv2 protocol is defined in RFC 5996,
> +The IKEv2 protocol is defined in RFC 7296,
>  which combines and updates the previous standards:
>  ISAKMP/Oakley (RFC 2408),
>  IKE (RFC 2409),
> @@ -187,8 +187,9 @@ control socket.
>  .%A P. Hoffman
>  .%A Y. Nir
>  .%A P. Eronen
> -.%D September 2010
> -.%R RFC 5996
> +.%A T. Kivinen
> +.%D October 2014
> +.%R RFC 7296
>  .%T Internet Key Exchange Protocol Version 2 (IKEv2)
>  .Re
>  .Sh HISTORY
> Index: ikev2.c
> ===
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.c,v
> retrieving revision 1.167
> diff -u -p -u -r1.167 ikev2.c
> --- ikev2.c   26 Feb 2019 18:05:22 -  1.167
> +++ ikev2.c   27 Feb 2019 10:32:36 -
> @@ -4585,7 +4585,7 @@ ikev2_sa_keys(struct iked *env, struct i
>*  (Ni | Nr) is used as a PRF key, otherwise a "key" buffer
>*  is used and PRF is performed on the concatenation of DH
>*  exchange result and nonces (g^ir | Ni | Nr).  See sections
> -  *  2.14 and 2.18 of RFC5996 for more information.
> +  *  2.14 and 2.18 of RFC7296 for more information.
>*/
>  
>   /*
> Index: ikev2.h
> ===
> RCS file: /mount/openbsd/cvs/src/sbin/iked/ikev2.h,v
> retrieving revision 1.27
> diff -u -p -u -r1.27 ikev2.h
> --- ikev2.h   3 Dec 2017 21:02:44 -   1.27
> +++ ikev2.h   27 Feb 2019 11:56:13 -
> @@ -184,7 +184,7 @@ extern struct iked_constmap ikev2_xformt
>  
>  extern struct iked_constmap ikev2_xformencr_map[];
>  
> -#define IKEV2_IPCOMP_OUI 1   /* RFC5996 */
> +#define IKEV2_IPCOMP_OUI 1   /* UNSPECIFIED */
>  #define IKEV2_IPCOMP_DEFLATE 2   /* RFC2394 */
>  #define IKEV2_IPCOMP_LZS 3   /* RFC2395 */
>  #define IKEV2_IPCOMP_LZJH4   /* RFC3051 */
> @@ -283,38 +283,38 @@ struct ikev2_notify {
>   /* Followed by variable length notification data */
>  } __packed;
>  
> -#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD 1   /* RFC4306 */
> -#define IKEV2_N_INVALID_IKE_SPI  4   /* RFC4306 */
> -#define IKEV2_N_INVALID_MAJOR_VERSION5   /* RFC4306 */
> -#define IKEV2_N_INVALID_SYNTAX   7   /* RFC4306 */
> -#define IKEV2_N_INVALID_MESSAGE_ID   9   /* RFC4306 */
> -#define IKEV2_N_INVALID_SPI  11  /* RFC4306 */
> -#define IKEV2_N_NO_PROPOSAL_CHOSEN   14  /* RFC4306 */
> -#define IKEV2_N_INVALID_KE_PAYLOAD   17  /* RFC4306 */
> -#define IKEV2_N_AUTHENTICATION_FAILED24  /* RFC4306 */
> -#define IKEV2_N_SINGLE_PAIR_REQUIRED 34  /* RFC4306 */
> -#define IKEV2_N_NO_ADDITIONAL_SAS35  /* RFC4306 */
> -#define IKEV2_N_INTERNAL_ADDRESS_FAILURE 36  /* RFC4306 */
> -#define IKEV2_N_FAILED_CP_REQUIRED   37  /* RFC4306 */
> -#define IKEV2_N_TS_UNACCEPTABLE  38  /* RFC4306 */
> -#define IKEV2_N_INVALID_SELECTORS39  /* RFC4306 */
> +#define IKEV2_N_UNSUPPORTED_C