Diffstat (limited to 'sbin/iked')
-rw-r--r--sbin/iked/ca.c4
-rw-r--r--sbin/iked/iked.811
-rw-r--r--sbin/iked/ikev2.c4
-rw-r--r--sbin/iked/ikev2.h138
4 files changed, 79 insertions, 78 deletions
diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c
index 1911f339a09..98b6b8a40f5 100644
--- a/sbin/iked/ca.c
+++ b/sbin/iked/ca.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ca.c,v 1.46 2017/10/30 09:53:27 patrick Exp $ */
+/* $OpenBSD: ca.c,v 1.47 2019/02/27 06:33:56 sthen Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -808,7 +808,7 @@ ca_subjectpubkey_digest(X509 *x509, uint8_t *md, unsigned int *size)
* Generate a SHA-1 digest of the Subject Public Key Info
* element in the X.509 certificate, an ASN.1 sequence
* that includes the public key type (eg. RSA) and the
- * public key value (see 3.7 of RFC4306).
+ * public key value (see 3.7 of RFC7296).
*/
if ((pkey = X509_get_pubkey(x509)) == NULL)
return (-1);
diff --git a/sbin/iked/iked.8 b/sbin/iked/iked.8
index c42e03d38e1..f715db47afd 100644
--- a/sbin/iked/iked.8
+++ b/sbin/iked/iked.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: iked.8,v 1.21 2018/07/03 13:37:11 stsp Exp $
+.\" $OpenBSD: iked.8,v 1.22 2019/02/27 06:33:56 sthen Exp $
.\"
.\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org>
.\"
@@ -14,7 +14,7 @@
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
-.Dd $Mdocdate: July 3 2018 $
+.Dd $Mdocdate: February 27 2019 $
.Dt IKED 8
.Os
.Sh NAME
@@ -31,7 +31,7 @@ is an Internet Key Exchange (IKEv2) daemon which performs mutual
authentication and which establishes and maintains IPsec flows and
security associations (SAs) between the two peers.
.Pp
-The IKEv2 protocol is defined in RFC 5996,
+The IKEv2 protocol is defined in RFC 7296,
which combines and updates the previous standards:
ISAKMP/Oakley (RFC 2408),
IKE (RFC 2409),
@@ -187,8 +187,9 @@ control socket.
.%A P. Hoffman
.%A Y. Nir
.%A P. Eronen
-.%D September 2010
-.%R RFC 5996
+.%A T. Kivinen
+.%D October 2014
+.%R RFC 7296
.%T Internet Key Exchange Protocol Version 2 (IKEv2)
.Re
.Sh HISTORY
diff --git a/sbin/iked/ikev2.c b/sbin/iked/ikev2.c
index dd6264dd272..c928267a682 100644
--- a/sbin/iked/ikev2.c
+++ b/sbin/iked/ikev2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.c,v 1.167 2019/02/26 18:05:22 patrick Exp $ */
+/* $OpenBSD: ikev2.c,v 1.168 2019/02/27 06:33:56 sthen Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -4585,7 +4585,7 @@ ikev2_sa_keys(struct iked *env, struct iked_sa *sa, struct ibuf *key)
* (Ni | Nr) is used as a PRF key, otherwise a "key" buffer
* is used and PRF is performed on the concatenation of DH
* exchange result and nonces (g^ir | Ni | Nr). See sections
- * 2.14 and 2.18 of RFC5996 for more information.
+ * 2.14 and 2.18 of RFC7296 for more information.
*/
/*
diff --git a/sbin/iked/ikev2.h b/sbin/iked/ikev2.h
index 48c6a6d4820..2b4bead5d42 100644
--- a/sbin/iked/ikev2.h
+++ b/sbin/iked/ikev2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ikev2.h,v 1.27 2017/12/03 21:02:44 patrick Exp $ */
+/* $OpenBSD: ikev2.h,v 1.28 2019/02/27 06:33:57 sthen Exp $ */
/*
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
@@ -184,7 +184,7 @@ extern struct iked_constmap ikev2_xformtype_map[];
extern struct iked_constmap ikev2_xformencr_map[];
-#define IKEV2_IPCOMP_OUI 1 /* RFC5996 */
+#define IKEV2_IPCOMP_OUI 1 /* UNSPECIFIED */
#define IKEV2_IPCOMP_DEFLATE 2 /* RFC2394 */
#define IKEV2_IPCOMP_LZS 3 /* RFC2395 */
#define IKEV2_IPCOMP_LZJH 4 /* RFC3051 */
@@ -283,38 +283,38 @@ struct ikev2_notify {
/* Followed by variable length notification data */
} __packed;
-#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD 1 /* RFC4306 */
-#define IKEV2_N_INVALID_IKE_SPI 4 /* RFC4306 */
-#define IKEV2_N_INVALID_MAJOR_VERSION 5 /* RFC4306 */
-#define IKEV2_N_INVALID_SYNTAX 7 /* RFC4306 */
-#define IKEV2_N_INVALID_MESSAGE_ID 9 /* RFC4306 */
-#define IKEV2_N_INVALID_SPI 11 /* RFC4306 */
-#define IKEV2_N_NO_PROPOSAL_CHOSEN 14 /* RFC4306 */
-#define IKEV2_N_INVALID_KE_PAYLOAD 17 /* RFC4306 */
-#define IKEV2_N_AUTHENTICATION_FAILED 24 /* RFC4306 */
-#define IKEV2_N_SINGLE_PAIR_REQUIRED 34 /* RFC4306 */
-#define IKEV2_N_NO_ADDITIONAL_SAS 35 /* RFC4306 */
-#define IKEV2_N_INTERNAL_ADDRESS_FAILURE 36 /* RFC4306 */
-#define IKEV2_N_FAILED_CP_REQUIRED 37 /* RFC4306 */
-#define IKEV2_N_TS_UNACCEPTABLE 38 /* RFC4306 */
-#define IKEV2_N_INVALID_SELECTORS 39 /* RFC4306 */
+#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD 1 /* RFC7296 */
+#define IKEV2_N_INVALID_IKE_SPI 4 /* RFC7296 */
+#define IKEV2_N_INVALID_MAJOR_VERSION 5 /* RFC7296 */
+#define IKEV2_N_INVALID_SYNTAX 7 /* RFC7296 */
+#define IKEV2_N_INVALID_MESSAGE_ID 9 /* RFC7296 */
+#define IKEV2_N_INVALID_SPI 11 /* RFC7296 */
+#define IKEV2_N_NO_PROPOSAL_CHOSEN 14 /* RFC7296 */
+#define IKEV2_N_INVALID_KE_PAYLOAD 17 /* RFC7296 */
+#define IKEV2_N_AUTHENTICATION_FAILED 24 /* RFC7296 */
+#define IKEV2_N_SINGLE_PAIR_REQUIRED 34 /* RFC7296 */
+#define IKEV2_N_NO_ADDITIONAL_SAS 35 /* RFC7296 */
+#define IKEV2_N_INTERNAL_ADDRESS_FAILURE 36 /* RFC7296 */
+#define IKEV2_N_FAILED_CP_REQUIRED 37 /* RFC7296 */
+#define IKEV2_N_TS_UNACCEPTABLE 38 /* RFC7296 */
+#define IKEV2_N_INVALID_SELECTORS 39 /* RFC7296 */
#define IKEV2_N_UNACCEPTABLE_ADDRESSES 40 /* RFC4555 */
#define IKEV2_N_UNEXPECTED_NAT_DETECTED 41 /* RFC4555 */
#define IKEV2_N_USE_ASSIGNED_HoA 42 /* RFC5026 */
-#define IKEV2_N_TEMPORARY_FAILURE 43 /* RFC5996 */
-#define IKEV2_N_CHILD_SA_NOT_FOUND 44 /* RFC5996 */
-#define IKEV2_N_INITIAL_CONTACT 16384 /* RFC4306 */
-#define IKEV2_N_SET_WINDOW_SIZE 16385 /* RFC4306 */
-#define IKEV2_N_ADDITIONAL_TS_POSSIBLE 16386 /* RFC4306 */
-#define IKEV2_N_IPCOMP_SUPPORTED 16387 /* RFC4306 */
-#define IKEV2_N_NAT_DETECTION_SOURCE_IP 16388 /* RFC4306 */
-#define IKEV2_N_NAT_DETECTION_DESTINATION_IP 16389 /* RFC4306 */
-#define IKEV2_N_COOKIE 16390 /* RFC4306 */
-#define IKEV2_N_USE_TRANSPORT_MODE 16391 /* RFC4306 */
-#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED 16392 /* RFC4306 */
-#define IKEV2_N_REKEY_SA 16393 /* RFC4306 */
-#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED 16394 /* RFC4306 */
-#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO 16395 /* RFC4306 */
+#define IKEV2_N_TEMPORARY_FAILURE 43 /* RFC7296 */
+#define IKEV2_N_CHILD_SA_NOT_FOUND 44 /* RFC7296 */
+#define IKEV2_N_INITIAL_CONTACT 16384 /* RFC7296 */
+#define IKEV2_N_SET_WINDOW_SIZE 16385 /* RFC7296 */
+#define IKEV2_N_ADDITIONAL_TS_POSSIBLE 16386 /* RFC7296 */
+#define IKEV2_N_IPCOMP_SUPPORTED 16387 /* RFC7296 */
+#define IKEV2_N_NAT_DETECTION_SOURCE_IP 16388 /* RFC7296 */
+#define IKEV2_N_NAT_DETECTION_DESTINATION_IP 16389 /* RFC7296 */
+#define IKEV2_N_COOKIE 16390 /* RFC7296 */
+#define IKEV2_N_USE_TRANSPORT_MODE 16391 /* RFC7296 */
+#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED 16392 /* RFC7296 */
+#define IKEV2_N_REKEY_SA 16393 /* RFC7296 */
+#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED 16394 /* RFC7296 */
+#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO 16395 /* RFC7296 */
#define IKEV2_N_MOBIKE_SUPPORTED 16396 /* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP4_ADDRESS 16397 /* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP6_ADDRESS 16398 /* RFC4555 */
@@ -334,8 +334,8 @@ struct ikev2_notify {
#define IKEV2_N_TICKET_NACK 16412 /* RFC5723 */
#define IKEV2_N_TICKET_OPAQUE 16413 /* RFC5723 */
#define IKEV2_N_LINK_ID 16414 /* RFC5739 */
-#define IKEV2_N_USE_WESP_MODE 16415 /* RFC-ietf-ipsecme-traffic-visibility-12.txt */
-#define IKEV2_N_ROHC_SUPPORTED 16416 /* RFC-ietf-rohc-ikev2-extensions-hcoipsec-12.txt */
+#define IKEV2_N_USE_WESP_MODE 16415 /* RFC5415 */
+#define IKEV2_N_ROHC_SUPPORTED 16416 /* RFC5857 */
#define IKEV2_N_EAP_ONLY_AUTHENTICATION 16417 /* RFC5998 */
#define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED 16418 /* RFC6023 */
#define IKEV2_N_QUICK_CRASH_DETECTION 16419 /* RFC6290 */
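Review bot: The new reference on the IKEV2_N_USE_WESP_MODE line looks mistyped: the Wrapped ESP notify (16415) was published as RFC 5840, whereas RFC 5415 is the CAPWAP specification; the neighbouring ROHC_SUPPORTED reference to RFC 5857 is correct. Suggest `#define IKEV2_N_USE_WESP_MODE 16415 /* RFC5840 */`, which is what the IANA IKEv2 notify registry lists for that value. Since these trailing comments are what a maintainer consults when mapping a received notify type back to its defining spec, a wrong RFC number is worth correcting in the same sweep.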
@@ -375,13 +375,13 @@ struct ikev2_id {
} __packed;
#define IKEV2_ID_NONE 0 /* No ID */
-#define IKEV2_ID_IPV4 1 /* RFC4306 (ID_IPV4_ADDR) */
-#define IKEV2_ID_FQDN 2 /* RFC4306 */
-#define IKEV2_ID_UFQDN 3 /* RFC4306 (ID_RFC822_ADDR) */
-#define IKEV2_ID_IPV6 5 /* RFC4306 (ID_IPV6_ADDR) */
-#define IKEV2_ID_ASN1_DN 9 /* RFC4306 */
-#define IKEV2_ID_ASN1_GN 10 /* RFC4306 */
-#define IKEV2_ID_KEY_ID 11 /* RFC4306 */
+#define IKEV2_ID_IPV4 1 /* RFC7296 (ID_IPV4_ADDR) */
+#define IKEV2_ID_FQDN 2 /* RFC7296 */
+#define IKEV2_ID_UFQDN 3 /* RFC7296 (ID_RFC822_ADDR) */
+#define IKEV2_ID_IPV6 5 /* RFC7296 (ID_IPV6_ADDR) */
+#define IKEV2_ID_ASN1_DN 9 /* RFC7296 */
+#define IKEV2_ID_ASN1_GN 10 /* RFC7296 */
+#define IKEV2_ID_KEY_ID 11 /* RFC7296 */
#define IKEV2_ID_FC_NAME 12 /* RFC4595 */
extern struct iked_constmap ikev2_id_map[];
@@ -396,18 +396,18 @@ struct ikev2_cert {
} __packed;
#define IKEV2_CERT_NONE 0 /* None */
-#define IKEV2_CERT_X509_PKCS7 1 /* RFC4306 */
-#define IKEV2_CERT_PGP 2 /* RFC4306 */
-#define IKEV2_CERT_DNS_SIGNED_KEY 3 /* RFC4306 */
-#define IKEV2_CERT_X509_CERT 4 /* RFC4306 */
-#define IKEV2_CERT_KERBEROS_TOKEN 6 /* RFC4306 */
-#define IKEV2_CERT_CRL 7 /* RFC4306 */
-#define IKEV2_CERT_ARL 8 /* RFC4306 */
-#define IKEV2_CERT_SPKI 9 /* RFC4306 */
-#define IKEV2_CERT_X509_ATTR 10 /* RFC4306 */
-#define IKEV2_CERT_RSA_KEY 11 /* RFC4306 */
-#define IKEV2_CERT_HASHURL_X509 12 /* RFC4306 */
-#define IKEV2_CERT_HASHURL_X509_BUNDLE 13 /* RFC4306 */
+#define IKEV2_CERT_X509_PKCS7 1 /* UNSPECIFIED */
+#define IKEV2_CERT_PGP 2 /* UNSPECIFIED */
+#define IKEV2_CERT_DNS_SIGNED_KEY 3 /* UNSPECIFIED */
+#define IKEV2_CERT_X509_CERT 4 /* RFC7296 */
+#define IKEV2_CERT_KERBEROS_TOKEN 6 /* UNSPECIFIED */
+#define IKEV2_CERT_CRL 7 /* RFC7296 */
+#define IKEV2_CERT_ARL 8 /* UNSPECIFIED */
+#define IKEV2_CERT_SPKI 9 /* UNSPECIFIED */
+#define IKEV2_CERT_X509_ATTR 10 /* UNSPECIFIED */
+#define IKEV2_CERT_RSA_KEY 11 /* RFC7296 */
+#define IKEV2_CERT_HASHURL_X509 12 /* RFC7296 */
+#define IKEV2_CERT_HASHURL_X509_BUNDLE 13 /* RFC7296 */
#define IKEV2_CERT_OCSP 14 /* RFC4806 */
/*
* As of November 2014, work was still in progress to add a more generic
@@ -436,8 +436,8 @@ struct ikev2_ts {
uint16_t ts_endport; /* End port */
} __packed;
-#define IKEV2_TS_IPV4_ADDR_RANGE 7 /* RFC4306 */
-#define IKEV2_TS_IPV6_ADDR_RANGE 8 /* RFC4306 */
+#define IKEV2_TS_IPV4_ADDR_RANGE 7 /* RFC7296 */
+#define IKEV2_TS_IPV6_ADDR_RANGE 8 /* RFC7296 */
#define IKEV2_TS_FC_ADDR_RANGE 9 /* RFC4595 */
extern struct iked_constmap ikev2_ts_map[];
@@ -453,9 +453,9 @@ struct ikev2_auth {
} __packed;
#define IKEV2_AUTH_NONE 0 /* None */
-#define IKEV2_AUTH_RSA_SIG 1 /* RFC4306 */
-#define IKEV2_AUTH_SHARED_KEY_MIC 2 /* RFC4306 */
-#define IKEV2_AUTH_DSS_SIG 3 /* RFC4306 */
+#define IKEV2_AUTH_RSA_SIG 1 /* RFC7296 */
+#define IKEV2_AUTH_SHARED_KEY_MIC 2 /* RFC7296 */
+#define IKEV2_AUTH_DSS_SIG 3 /* RFC7296 */
#define IKEV2_AUTH_ECDSA_256 9 /* RFC4754 */
#define IKEV2_AUTH_ECDSA_384 10 /* RFC4754 */
#define IKEV2_AUTH_ECDSA_521 11 /* RFC4754 */
@@ -504,20 +504,20 @@ struct ikev2_cfg {
/* Followed by variable-length data */
} __packed;
-#define IKEV2_CFG_INTERNAL_IP4_ADDRESS 1 /* RFC5996 */
-#define IKEV2_CFG_INTERNAL_IP4_NETMASK 2 /* RFC5996 */
-#define IKEV2_CFG_INTERNAL_IP4_DNS 3 /* RFC5996 */
-#define IKEV2_CFG_INTERNAL_IP4_NBNS 4 /* RFC5996 */
+#define IKEV2_CFG_INTERNAL_IP4_ADDRESS 1 /* RFC7296 */
+#define IKEV2_CFG_INTERNAL_IP4_NETMASK 2 /* RFC7296 */
+#define IKEV2_CFG_INTERNAL_IP4_DNS 3 /* RFC7296 */
+#define IKEV2_CFG_INTERNAL_IP4_NBNS 4 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY 5 /* RFC4306 */
-#define IKEV2_CFG_INTERNAL_IP4_DHCP 6 /* RFC5996 */
-#define IKEV2_CFG_APPLICATION_VERSION 7 /* RFC5996 */
-#define IKEV2_CFG_INTERNAL_IP6_ADDRESS 8 /* RFC5996 */
-#define IKEV2_CFG_INTERNAL_IP6_DNS 10 /* RFC5996 */
+#define IKEV2_CFG_INTERNAL_IP4_DHCP 6 /* RFC7296 */
+#define IKEV2_CFG_APPLICATION_VERSION 7 /* RFC7296 */
+#define IKEV2_CFG_INTERNAL_IP6_ADDRESS 8 /* RFC7296 */
+#define IKEV2_CFG_INTERNAL_IP6_DNS 10 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_NBNS 11 /* RFC4306 */
-#define IKEV2_CFG_INTERNAL_IP6_DHCP 12 /* RFC5996 */
-#define IKEV2_CFG_INTERNAL_IP4_SUBNET 13 /* RFC5996 */
-#define IKEV2_CFG_SUPPORTED_ATTRIBUTES 14 /* RFC5996 */
-#define IKEV2_CFG_INTERNAL_IP6_SUBNET 15 /* RFC5996 */
+#define IKEV2_CFG_INTERNAL_IP6_DHCP 12 /* RFC7296 */
+#define IKEV2_CFG_INTERNAL_IP4_SUBNET 13 /* RFC7296 */
+#define IKEV2_CFG_SUPPORTED_ATTRIBUTES 14 /* RFC7296 */
+#define IKEV2_CFG_INTERNAL_IP6_SUBNET 15 /* RFC7296 */
#define IKEV2_CFG_MIP6_HOME_PREFIX 16 /* RFC5026 */
#define IKEV2_CFG_INTERNAL_IP6_LINK 17 /* RFC5739 */
#define IKEV2_CFG_INTERNAL_IP6_PREFIX 18 /* RFC5739 */