ikev1: Determine transform ID before mapping integrity algorithm ID

Due to the lookup based on the mapped algorithm ID the resulting AH
proposals were invalid.

Fixes #2347.

Fixes: 8456d6f5a8e9 ("ikev1: Don't require AH mapping for integrity algorithm when generating proposal")

diff --git a/src/libcharon/encoding/payloads/proposal_substructure.c b/src/libcharon/encoding/payloads/proposal_substructure.c
index 55641e1..c3f0639 100644 (file)
--- a/src/libcharon/encoding/payloads/proposal_substructure.c
+++ b/src/libcharon/encoding/payloads/proposal_substructure.c
@@ -1360,10 +1360,10 @@ static void set_from_proposal_v1(private_proposal_substructure_t *this,
        enumerator = proposal->create_enumerator(proposal, INTEGRITY_ALGORITHM);
        if (enumerator->enumerate(enumerator, &alg, &key_size))
        {
+               transid = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
                alg = get_ikev1_auth_from_alg(alg);
                if (alg)
                {
-                       transid = get_ikev1_transid_from_alg(INTEGRITY_ALGORITHM, alg);
                        if (!transform && transid)
                        {
                                transform = transform_substructure_create_type(