IKEv1 support of ESP SHA2_HMAC with correct truncation
authorAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 8 Dec 2009 23:24:22 +0000 (00:24 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Tue, 8 Dec 2009 23:24:42 +0000 (00:24 +0100)
src/libfreeswan/pfkeyv2.h
src/pluto/alg_info.c
src/pluto/constants.c
src/pluto/constants.h
src/pluto/crypto.c
src/pluto/kernel.c
src/pluto/kernel_alg.c
src/pluto/kernel_netlink.c
src/pluto/packet.c
src/pluto/spdb.c

index 8a30d1e..685db12 100644 (file)
@@ -318,7 +318,8 @@ struct sadb_protocol {
 #define SADB_X_AALG_RIPEMD160HMAC      8
 #define SADB_X_AALG_AES_XCBC_MAC       9
 #define SADB_X_AALG_NULL                       251     /* kame */
-#define SADB_AALG_MAX                          251
+#define SADB_X_AALG_SHA2_256_96HMAC    252
+#define SADB_AALG_MAX                          252
 
 /* Encryption algorithms */
 #define SADB_EALG_NONE                         0
index a9a6dd5..ce7d1c7 100644 (file)
@@ -60,6 +60,7 @@ int alg_info_esp_aa2sadb(int auth)
                case AUTH_ALGORITHM_HMAC_SHA2_384:
                case AUTH_ALGORITHM_HMAC_SHA2_512:
                case AUTH_ALGORITHM_HMAC_RIPEMD:
+               case AUTH_ALGORITHM_AES_XCBC_MAC:
                        sadb_aalg = auth;
                        break;
                default:
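Review bot: The new private value `AUTH_ALGORITHM_HMAC_SHA2_256_96` (252) is not listed in this switch, and `SADB_X_AALG_SHA2_256_96HMAC` is likewise missing from the `alg_info_esp_sadb2aa` hunk that follows, so both fall through to `default:`. The default branches lie outside the hunks, so whether 252 passes through unchanged cannot be confirmed from here. Since the two constants are equal, adding `case AUTH_ALGORITHM_HMAC_SHA2_256_96:` next to the new `case AUTH_ALGORITHM_AES_XCBC_MAC:`, and `case SADB_X_AALG_SHA2_256_96HMAC:` in the reverse switch, would make the mapping explicit rather than dependent on the fallback.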
@@ -78,11 +79,11 @@ int alg_info_esp_sadb2aa(int sadb_aalg)
                case SADB_AALG_SHA1HMAC:
                        auth = sadb_aalg - 1;
                        break;
-               /* since they are the same ...  :)  */
-               case AUTH_ALGORITHM_HMAC_SHA2_256:
-               case AUTH_ALGORITHM_HMAC_SHA2_384:
-               case AUTH_ALGORITHM_HMAC_SHA2_512:
-               case AUTH_ALGORITHM_HMAC_RIPEMD:
+               case SADB_X_AALG_SHA2_256HMAC:
+               case SADB_X_AALG_SHA2_384HMAC:
+               case SADB_X_AALG_SHA2_512HMAC:
+               case SADB_X_AALG_RIPEMD160HMAC:
+               case SADB_X_AALG_AES_XCBC_MAC:
                        auth = sadb_aalg;
                        break;
                default:
@@ -133,7 +134,7 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
 
        DBG(DBG_CRYPT,
                DBG_log("esp alg added: %s_%d/%s, cnt=%d",
-                               enum_show(&esp_transformid_names, ealg_id), ek_bits,
+                               enum_show(&esp_transform_names, ealg_id), ek_bits,
                                enum_show(&auth_alg_names, aalg_id),
                                alg_info->alg_info_cnt)
        )
@@ -546,7 +547,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
                        ALG_INFO_ESP_FOREACH(alg_info_esp, esp_info, cnt)
                        {
                                np = snprintf(ptr, buflen, "%s",
-                                               enum_show(&esp_transformid_names, esp_info->esp_ealg_id));
+                                               enum_show(&esp_transform_names, esp_info->esp_ealg_id));
                                ptr += np;
                                buflen -= np;
                                if (esp_info->esp_ealg_keylen)
index 4721d6a..2d4784b 100644 (file)
@@ -352,11 +352,21 @@ static const char *const ah_transform_name[] = {
        "HMAC_SHA2_512",
        "HMAC_RIPEMD",
        "AES_XCBC_96",
-       "SIG_RSA"
+       "SIG_RSA",
+       "AES_128_GMAC",
+       "AES_192_GMAC",
+       "AES_256_GMAC"
+};
+
+static const char *const ah_transform_name_high[] = {
+       "HMAC_SHA2_256_96"
 };
 
-enum_names ah_transformid_names =
-       { AH_MD5, AH_RSA, ah_transform_name, NULL };
+enum_names ah_transform_names_high =
+       { AH_SHA2_256_96, AH_SHA2_256_96, ah_transform_name_high, NULL };
+
+enum_names ah_transform_names =
+       { AH_MD5, AH_AES_256_GMAC, ah_transform_name, &ah_transform_names_high };
 
 /* IPsec ESP transform values */
 
@@ -390,11 +400,11 @@ static const char *const esp_transform_name_high[] = {
        "TWOFISH_CBC"
 };
 
-enum_names esp_transformid_names_high =
+enum_names esp_transform_names_high =
        { ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
 
-enum_names esp_transformid_names =
-       { ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transformid_names_high };
+enum_names esp_transform_names =
+       { ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transform_names_high };
 
 /* IPCOMP transform values */
 
index 5745036..8c574eb 100644 (file)
@@ -137,19 +137,23 @@ extern const char sparse_end[];
  * and in http://www.iana.org/assignments/isakmp-registry
  */
 enum ipsec_authentication_algo {
-  AH_NONE         = 0,
-  AH_MD5          = 2,
-  AH_SHA          = 3,
-  AH_DES          = 4,
-  AH_SHA2_256     = 5,
-  AH_SHA2_384     = 6,
-  AH_SHA2_512     = 7,
-  AH_RIPEMD       = 8,
-  AH_AES_XCBC_MAC = 9,
-  AH_RSA          = 10
+       AH_NONE         = 0,
+       AH_MD5          = 2,
+       AH_SHA          = 3,
+       AH_DES          = 4,
+       AH_SHA2_256     = 5,
+       AH_SHA2_384     = 6,
+       AH_SHA2_512     = 7,
+       AH_RIPEMD       = 8,
+       AH_AES_XCBC_MAC = 9,
+       AH_RSA          = 10,
+       AH_AES_128_GMAC = 11,
+       AH_AES_192_GMAC = 12,
+       AH_AES_256_GMAC = 13,
+       AH_SHA2_256_96  = 252  
 };
 
-extern enum_names ah_transformid_names;
+extern enum_names ah_transform_names;
 
 /* IPsec ESP transform values
  * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
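Review bot: `AH_SHA2_256_96 = 252` carries no comment, while the comment heading this enum points readers to the IANA isakmp-registry for these values. 252 looks like a private-use number rather than a registry assignment (it matches the `AUTH_ALGORITHM_HMAC_SHA2_256_96` and `SADB_X_AALG_SHA2_256_96HMAC` values added elsewhere in this commit), and that matters for interoperability because a peer is not obliged to interpret the ID the same way. Suggest `AH_SHA2_256_96  = 252  /* private use, not IANA-assigned - TODO confirm */`. The added line also ends in trailing whitespace.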
@@ -157,45 +161,45 @@ extern enum_names ah_transformid_names;
  */
 
 enum ipsec_cipher_algo {
-  ESP_NONE          = 0,
-  ESP_DES_IV64      = 1,
-  ESP_DES           = 2,
-  ESP_3DES          = 3,
-  ESP_RC5           = 4,
-  ESP_IDEA          = 5,
-  ESP_CAST          = 6,
-  ESP_BLOWFISH      = 7,
-  ESP_3IDEA         = 8,
-  ESP_DES_IV32      = 9,
-  ESP_RC4           = 10,
-  ESP_NULL          = 11,
-  ESP_AES           = 12,
-  ESP_AES_CTR       = 13,
-  ESP_AES_CCM_8     = 14,
-  ESP_AES_CCM_12    = 15,
-  ESP_AES_CCM_16    = 16,
-  ESP_UNASSIGNED_17 = 17,
-  ESP_AES_GCM_8     = 18,
-  ESP_AES_GCM_12    = 19,
-  ESP_AES_GCM_16    = 20,
-  ESP_SEED_CBC      = 21,
-  ESP_CAMELLIA      = 22,
-  ESP_SERPENT       = 252,
-  ESP_TWOFISH       = 253
+       ESP_NONE          = 0,
+       ESP_DES_IV64      = 1,
+       ESP_DES           = 2,
+       ESP_3DES          = 3,
+       ESP_RC5           = 4,
+       ESP_IDEA          = 5,
+       ESP_CAST          = 6,
+       ESP_BLOWFISH      = 7,
+       ESP_3IDEA         = 8,
+       ESP_DES_IV32      = 9,
+       ESP_RC4           = 10,
+       ESP_NULL          = 11,
+       ESP_AES           = 12,
+       ESP_AES_CTR       = 13,
+       ESP_AES_CCM_8     = 14,
+       ESP_AES_CCM_12    = 15,
+       ESP_AES_CCM_16    = 16,
+       ESP_UNASSIGNED_17 = 17,
+       ESP_AES_GCM_8     = 18,
+       ESP_AES_GCM_12    = 19,
+       ESP_AES_GCM_16    = 20,
+       ESP_SEED_CBC      = 21,
+       ESP_CAMELLIA      = 22,
+       ESP_SERPENT       = 252,
+       ESP_TWOFISH       = 253
 };
 
-extern enum_names esp_transformid_names;
+extern enum_names esp_transform_names;
 
 /* IPCOMP transform values
  * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
  */
 
 enum ipsec_comp_algo {
-  IPSCOMP_NONE   = 0,
-  IPCOMP_OUI     = 1,
-  IPCOMP_DEFLATE = 2,
-  IPCOMP_LZS     = 3,
-  IPCOMP_LZJH    = 4
+       IPSCOMP_NONE   = 0,
+       IPCOMP_OUI     = 1,
+       IPCOMP_DEFLATE = 2,
+       IPCOMP_LZS     = 3,
+       IPCOMP_LZJH    = 4
 };
 
 extern enum_names ipcomp_transformid_names;
@@ -204,18 +208,18 @@ extern enum_names ipcomp_transformid_names;
  * RFC 2408 ISAKMP, chapter 3.9
  */
 enum ipsec_cert_type {
-  CERT_NONE=                0,
-  CERT_PKCS7_WRAPPED_X509=  1,
-  CERT_PGP=                 2,
-  CERT_DNS_SIGNED_KEY=      3,
-  CERT_X509_SIGNATURE=      4,
-  CERT_X509_KEY_EXCHANGE=   5,
-  CERT_KERBEROS_TOKENS=     6,
-  CERT_CRL=                 7,
-  CERT_ARL=                 8,
-  CERT_SPKI=                9,
-  CERT_X509_ATTRIBUTE=      10,
-  CERT_RAW_RSA_KEY=         11
+       CERT_NONE=                0,
+       CERT_PKCS7_WRAPPED_X509=  1,
+       CERT_PGP=                 2,
+       CERT_DNS_SIGNED_KEY=      3,
+       CERT_X509_SIGNATURE=      4,
+       CERT_X509_KEY_EXCHANGE=   5,
+       CERT_KERBEROS_TOKENS=     6,
+       CERT_CRL=                 7,
+       CERT_ARL=                 8,
+       CERT_SPKI=                9,
+       CERT_X509_ATTRIBUTE=      10,
+       CERT_RAW_RSA_KEY=         11
 };
 
 /* RFC 2560 OCSP - certificate status */
@@ -852,18 +856,22 @@ extern enum_names enc_mode_names;
 
 extern enum_names auth_alg_names, extended_auth_alg_names;
 
-#define AUTH_ALGORITHM_NONE             0  /* our private designation */
-#define AUTH_ALGORITHM_HMAC_MD5         1
-#define AUTH_ALGORITHM_HMAC_SHA1        2
-#define AUTH_ALGORITHM_DES_MAC          3
-#define AUTH_ALGORITHM_KPDK             4
-#define AUTH_ALGORITHM_HMAC_SHA2_256    5
-#define AUTH_ALGORITHM_HMAC_SHA2_384    6
-#define AUTH_ALGORITHM_HMAC_SHA2_512    7
-#define AUTH_ALGORITHM_HMAC_RIPEMD      8
-#define AUTH_ALGORITHM_AES_XCBC_MAC     9
-#define AUTH_ALGORITHM_SIG_RSA          10
-#define AUTH_ALGORITHM_NULL             251
+#define AUTH_ALGORITHM_NONE                0  /* our private designation */
+#define AUTH_ALGORITHM_HMAC_MD5            1
+#define AUTH_ALGORITHM_HMAC_SHA1           2
+#define AUTH_ALGORITHM_DES_MAC             3
+#define AUTH_ALGORITHM_KPDK                4
+#define AUTH_ALGORITHM_HMAC_SHA2_256       5
+#define AUTH_ALGORITHM_HMAC_SHA2_384       6
+#define AUTH_ALGORITHM_HMAC_SHA2_512       7
+#define AUTH_ALGORITHM_HMAC_RIPEMD         8
+#define AUTH_ALGORITHM_AES_XCBC_MAC        9
+#define AUTH_ALGORITHM_SIG_RSA            10
+#define AUTH_ALGORITHM_AES_128_GMAC       11
+#define AUTH_ALGORITHM_AES_192_GMAC       12
+#define AUTH_ALGORITHM_AES_256_GMAC       13
+#define AUTH_ALGORITHM_NULL              251
+#define AUTH_ALGORITHM_HMAC_SHA2_256_96  252
 
 /* Oakley Lifetime Type attribute
  * draft-ietf-ipsec-ike-01.txt appendix A
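Review bot: The four values added here (`AUTH_ALGORITHM_AES_128_GMAC` to `AUTH_ALGORITHM_AES_256_GMAC` and `AUTH_ALGORITHM_HMAC_SHA2_256_96`) get no matching entries in `auth_alg_names` / `extended_auth_alg_names`; the constants.c hunks on this page extend only the AH and ESP transform tables. The definitions of those name tables are not shown, but if they still stop at the previous last values, `enum_name(&auth_alg_names, ...)` would presumably yield no name for the new algorithms. Callers such as the `loglog` in `setup_half_ipsec_sa` pass that result straight to `%s`, under a comment that assumes the name will be found. Extending the name tables in the same commit, or switching those log calls to `enum_show`, would close the gap.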
index 85568f6..327e1ce 100644 (file)
@@ -581,12 +581,20 @@ int esp_from_integrity_algorithm(integrity_algorithm_t alg)
                        return AUTH_ALGORITHM_HMAC_SHA1;
                case AUTH_AES_XCBC_96:
                        return AUTH_ALGORITHM_AES_XCBC_MAC;
+               case AUTH_HMAC_SHA2_256_96:
+                       return AUTH_ALGORITHM_HMAC_SHA2_256_96;
                case AUTH_HMAC_SHA2_256_128:
                        return AUTH_ALGORITHM_HMAC_SHA2_256;
                case AUTH_HMAC_SHA2_384_192:
                        return AUTH_ALGORITHM_HMAC_SHA2_384;
                case AUTH_HMAC_SHA2_512_256:
                        return AUTH_ALGORITHM_HMAC_SHA2_512;
+               case AUTH_AES_128_GMAC:
+                       return AUTH_ALGORITHM_AES_128_GMAC;
+               case AUTH_AES_192_GMAC:
+                       return AUTH_ALGORITHM_AES_192_GMAC;
+               case AUTH_AES_256_GMAC:
+                       return AUTH_ALGORITHM_AES_256_GMAC;
                default:
                        return 0;
        }
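Review bot: The `default:` branch returns 0, which is also `AUTH_ALGORITHM_NONE`, so even with the new cases an integrity algorithm that has no case here is indistinguishable from "no authentication" for the caller. How callers treat 0 is not visible in this hunk. A comment on the default such as `/* 0 == AUTH_ALGORITHM_NONE: caller must treat this as unsupported, not as ESP without integrity */` would make the contract explicit. The function starts outside the hunk.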
index 97e8a2e..fe4655d 100644 (file)
@@ -1939,7 +1939,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                                 * assuming the name will be found.
                                 */
                                loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
-                                       , enum_name(&esp_transformid_names, st->st_esp.attrs.transid)
+                                       , enum_name(&esp_transform_names, st->st_esp.attrs.transid)
                                        , enum_name(&auth_alg_names, st->st_esp.attrs.auth));
                                goto fail;
                        }
@@ -1958,7 +1958,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
                        if (key_len > ei->enckeylen)
                        {
                                loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
-                                       enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
+                                       enum_name(&esp_transform_names, st->st_esp.attrs.transid),
                                        (int)key_len, (int)ei->enckeylen);
                                goto fail;
                        }
index 450c507..6734833 100644 (file)
@@ -237,14 +237,14 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
                                        {
                                                loglog(RC_LOG_SERIOUS
                                                        , "You should NOT use insecure ESP algorithms [%s (%d)]!"
-                                                       , enum_name(&esp_transformid_names, ealg), key_len);
+                                                       , enum_name(&esp_transform_names, ealg), key_len);
                                        }
                                        return TRUE;
                                }
                        }
                }
                plog("IPSec Transform [%s (%d), %s] refused due to %s",
-                               enum_name(&esp_transformid_names, ealg), key_len,
+                               enum_name(&esp_transform_names, ealg), key_len,
                                enum_name(&auth_alg_names, aalg),
                                ealg_insecure ? "insecure key_len and enc. alg. not listed in \"esp\" string" : "strict flag");
                return FALSE;
@@ -461,7 +461,7 @@ void kernel_alg_list(void)
                if (ESP_EALG_PRESENT(sadb_id))
                {
                        n = snprintf(pos, len, " %s",
-                                                enum_name(&esp_transformid_names, sadb_id));
+                                                enum_name(&esp_transform_names, sadb_id));
                        pos += n;
                        len -= n;
                        if (len <= 0)
@@ -502,7 +502,7 @@ void kernel_alg_show_connection(connection_t *c, const char *instance)
                const char *aalg_name, *pfsgroup_name;
 
                aalg_name = (c->policy & POLICY_AUTHENTICATE) ?
-                                       enum_show(&ah_transformid_names, st->st_ah.attrs.transid):
+                                       enum_show(&ah_transform_names, st->st_ah.attrs.transid):
                                        enum_show(&auth_alg_names, st->st_esp.attrs.auth);
 
                pfsgroup_name = (c->policy & POLICY_PFS) ?
@@ -516,7 +516,7 @@ void kernel_alg_show_connection(connection_t *c, const char *instance)
                        whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s_%u/%s/%s",
                                c->name, instance,
                                (st->st_ah.present) ? "/AH" : "",
-                               enum_show(&esp_transformid_names, st->st_esp.attrs.transid),
+                               enum_show(&esp_transform_names, st->st_esp.attrs.transid),
                                st->st_esp.attrs.key_len, aalg_name, pfsgroup_name);
                }
                else
@@ -524,7 +524,7 @@ void kernel_alg_show_connection(connection_t *c, const char *instance)
                        whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s/%s/%s",
                                c->name, instance,
                                (st->st_ah.present) ? "/AH" : "",
-                               enum_show(&esp_transformid_names, st->st_esp.attrs.transid),
+                               enum_show(&esp_transform_names, st->st_esp.attrs.transid),
                                aalg_name, pfsgroup_name);
                }
        }
index f7de01d..0b4f4dd 100644 (file)
@@ -85,15 +85,15 @@ static sparse_names xfrm_type_names = {
 
 /* Authentication algorithms */
 static sparse_names aalg_list = {
-       { SADB_X_AALG_NULL,          "digest_null" },
-       { SADB_AALG_MD5HMAC,         "md5" },
-       { SADB_AALG_SHA1HMAC,        "sha1" },
-       { SADB_X_AALG_SHA2_256HMAC,  "sha256" },
-       { SADB_X_AALG_SHA2_384HMAC,  "sha384" },
-       { SADB_X_AALG_SHA2_512HMAC,  "sha512" },
-       { SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
-       { SADB_X_AALG_AES_XCBC_MAC,  "xcbc(aes)"},
-       { SADB_X_AALG_NULL,          "null" },
+       { SADB_X_AALG_NULL,            "digest_null" },
+       { SADB_AALG_MD5HMAC,           "md5" },
+       { SADB_AALG_SHA1HMAC,          "sha1" },
+       { SADB_X_AALG_SHA2_256_96HMAC, "sha256" },
+       { SADB_X_AALG_SHA2_256HMAC,    "hmac(sha256)" },
+       { SADB_X_AALG_SHA2_384HMAC,    "hmac(sha384)" },
+       { SADB_X_AALG_SHA2_512HMAC,    "hmac(sha512)" },
+       { SADB_X_AALG_RIPEMD160HMAC,   "ripemd160" },
+       { SADB_X_AALG_AES_XCBC_MAC,    "xcbc(aes)"},
        { 0, sparse_end }
 };
 
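Review bot: After this change the kernel name `"sha256"` stands for `SADB_X_AALG_SHA2_256_96HMAC` and `"hmac(sha256)"` for `SADB_X_AALG_SHA2_256HMAC`, but nothing in the table explains why two spellings of the same hash are needed. The reason only surfaces in the comment inside `netlink_add_sa`, which says the kernel truncates SHA256 to 96 bits by default. A comment above the two entries, e.g. `/* "sha256": kernel default 96-bit ICV; "hmac(sha256)": 128-bit ICV requested via XFRMA_ALG_AUTH_TRUNC */`, would keep a later edit from swapping or merging them. The second `SADB_X_AALG_NULL` entry (`"null"`) is dropped without replacement, which deserves a mention if it was intentional.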
@@ -629,7 +629,6 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 
        if (sa->authalg)
        {
-               struct xfrm_algo algo;
                const char *name;
 
                name = sparse_name(aalg_list, sa->authalg);
@@ -645,16 +644,37 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
                                        sa->authkeylen * BITS_PER_BYTE)
                        )
 
-               strcpy(algo.alg_name, name);
-               algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+               if (sa->authalg == SADB_X_AALG_SHA2_256HMAC)
+               {
+                       struct xfrm_algo_auth algo;
 
-               attr->rta_type = XFRMA_ALG_AUTH;
-               attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+                       /* the kernel uses SHA256 with 96 bit truncation by default,
+                        * use specified truncation size supported by newer kernels */
+                       strcpy(algo.alg_name, name);
+                       algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+                       algo.alg_trunc_len = 128;
 
-               memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-               memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
-                       , sa->authkeylen);
+                       attr->rta_type = XFRMA_ALG_AUTH_TRUNC;
+                       attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
 
+                       memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+                       memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
+                               , sa->authkeylen);
+               }
+               else
+               {
+                       struct xfrm_algo algo;
+
+                       strcpy(algo.alg_name, name);
+                       algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+
+                       attr->rta_type = XFRMA_ALG_AUTH;
+                       attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+
+                       memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+                       memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
+                               , sa->authkeylen);
+               }
                req.n.nlmsg_len += attr->rta_len;
                attr = (struct rtattr *)((char *)attr + attr->rta_len);
        }
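Review bot: The `XFRMA_ALG_AUTH_TRUNC` branch has no fallback or error path for kernels that do not know that attribute, although its own comment says only newer kernels support the explicit truncation size. What such a kernel does with the attribute is not visible here; if it is ignored rather than rejected, the ESP SA could end up installed without the negotiated integrity algorithm. That is worth confirming and documenting, e.g. `/* requires kernel support for XFRMA_ALG_AUTH_TRUNC; TODO confirm older kernels reject the SA instead of dropping the attribute */`. Separately, both branches `strcpy` into an uninitialised stack `algo` and then `memcpy` the whole struct into the netlink message, so the bytes of `alg_name` after the terminator are indeterminate; `memset(&algo, 0, sizeof(algo));` before each `strcpy` would fix that. `netlink_add_sa` starts and ends outside the hunk.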
@@ -687,7 +707,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
                        }
                        DBG(DBG_CRYPT,
                                DBG_log("configured esp encryption algorithm %s with key size %d",
-                                               enum_show(&esp_transformid_names, sa->encalg),
+                                               enum_show(&esp_transform_names, sa->encalg),
                                                sa->enckeylen * BITS_PER_BYTE)
                        )
                        attr->rta_type = XFRMA_ALG_AEAD;
@@ -717,7 +737,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
                        }
                        DBG(DBG_CRYPT,
                                DBG_log("configured esp encryption algorithm %s with key size %d",
-                                               enum_show(&esp_transformid_names, sa->encalg),
+                                               enum_show(&esp_transform_names, sa->encalg),
                                                sa->enckeylen * BITS_PER_BYTE)
                        )
                        attr->rta_type = XFRMA_ALG_CRYPT;
index b82fe20..35fc4af 100644 (file)
@@ -227,7 +227,7 @@ static field_desc isat_fields_ah[] = {
        { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
        { ft_len, 16/BITS_PER_BYTE, "length", NULL },
        { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-       { ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transformid_names },
+       { ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transform_names },
        { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
        { ft_end, 0, NULL, NULL }
 };
@@ -242,7 +242,7 @@ static field_desc isat_fields_esp[] = {
        { ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
        { ft_len, 16/BITS_PER_BYTE, "length", NULL },
        { ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-       { ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transformid_names },
+       { ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transform_names },
        { ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
        { ft_end, 0, NULL, NULL }
 };
index 5c2aab8..cdf2cb2 100644 (file)
@@ -2008,7 +2008,7 @@ parse_ipsec_sa_body(
                                {
                                        loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
                                                , enum_name(&auth_alg_names, ah_attrs.auth)
-                                               , enum_show(&ah_transformid_names, ah_attrs.transid));
+                                               , enum_show(&ah_transform_names, ah_attrs.transid));
                                        return ISAKMP_BAD_PROPOSAL_SYNTAX;
                                }
                                if (!ok_auth)
@@ -2017,7 +2017,7 @@ parse_ipsec_sa_body(
                                                , DBG_log("%s attribute unsupported"
                                                        " in %s Transform from %s"
                                                        , enum_name(&auth_alg_names, ah_attrs.auth)
-                                                       , enum_show(&ah_transformid_names, ah_attrs.transid)
+                                                       , enum_show(&ah_transform_names, ah_attrs.transid)
                                                        , ip_str(&c->spd.that.host_addr)));
                                        continue;   /* try another */
                                }
@@ -2085,7 +2085,7 @@ parse_ipsec_sa_body(
                                        default:
                                                DBG(DBG_CONTROL | DBG_CRYPT
                                                        , DBG_log("unsupported ESP Transform %s from %s"
-                                                               , enum_show(&esp_transformid_names, esp_attrs.transid)
+                                                               , enum_show(&esp_transform_names, esp_attrs.transid)
                                                                , ip_str(&c->spd.that.host_addr)));
                                                continue;   /* try another */
                                        }