IKEv1 support of ESP SHA2_HMAC with correct truncation

10 files changed, 160 insertions, 112 deletions

diff --git a/src/libfreeswan/pfkeyv2.h b/src/libfreeswan/pfkeyv2.h
index 8a30d1edb..685db1273 100644
--- a/src/libfreeswan/pfkeyv2.h
+++ b/src/libfreeswan/pfkeyv2.h
@@ -318,7 +318,8 @@ struct sadb_protocol {
 #define SADB_X_AALG_RIPEMD160HMAC	8
 #define SADB_X_AALG_AES_XCBC_MAC	9
 #define SADB_X_AALG_NULL			251	/* kame */
-#define SADB_AALG_MAX				251
+#define SADB_X_AALG_SHA2_256_96HMAC	252
+#define SADB_AALG_MAX				252
 
 /* Encryption algorithms */
 #define SADB_EALG_NONE				0
diff --git a/src/pluto/alg_info.c b/src/pluto/alg_info.c
index a9a6dd5f0..ce7d1c7f1 100644
--- a/src/pluto/alg_info.c
+++ b/src/pluto/alg_info.c
@@ -60,6 +60,7 @@ int alg_info_esp_aa2sadb(int auth)
 		case AUTH_ALGORITHM_HMAC_SHA2_384:
 		case AUTH_ALGORITHM_HMAC_SHA2_512:
 		case AUTH_ALGORITHM_HMAC_RIPEMD:
+		case AUTH_ALGORITHM_AES_XCBC_MAC:
 			sadb_aalg = auth;
 			break;
 		default:
@@ -78,11 +79,11 @@ int alg_info_esp_sadb2aa(int sadb_aalg)
 		case SADB_AALG_SHA1HMAC:
 			auth = sadb_aalg - 1;
 			break;
-		/* since they are the same ...  :)  */
-		case AUTH_ALGORITHM_HMAC_SHA2_256:
-		case AUTH_ALGORITHM_HMAC_SHA2_384:
-		case AUTH_ALGORITHM_HMAC_SHA2_512:
-		case AUTH_ALGORITHM_HMAC_RIPEMD:
+		case SADB_X_AALG_SHA2_256HMAC:
+		case SADB_X_AALG_SHA2_384HMAC:
+		case SADB_X_AALG_SHA2_512HMAC:
+		case SADB_X_AALG_RIPEMD160HMAC:
+		case SADB_X_AALG_AES_XCBC_MAC:
 			auth = sadb_aalg;
 			break;
 		default:
@@ -133,7 +134,7 @@ static void __alg_info_esp_add(struct alg_info_esp *alg_info, int ealg_id,
 
 	DBG(DBG_CRYPT,
 		DBG_log("esp alg added: %s_%d/%s, cnt=%d",
-				enum_show(&esp_transformid_names, ealg_id), ek_bits,
+				enum_show(&esp_transform_names, ealg_id), ek_bits,
 				enum_show(&auth_alg_names, aalg_id),
 				alg_info->alg_info_cnt)
 	)
@@ -546,7 +547,7 @@ alg_info_snprint(char *buf, int buflen, struct alg_info *alg_info)
 			ALG_INFO_ESP_FOREACH(alg_info_esp, esp_info, cnt)
 			{
 				np = snprintf(ptr, buflen, "%s",
-						enum_show(&esp_transformid_names, esp_info->esp_ealg_id));
+						enum_show(&esp_transform_names, esp_info->esp_ealg_id));
 				ptr += np;
 				buflen -= np;
 				if (esp_info->esp_ealg_keylen)
diff --git a/src/pluto/constants.c b/src/pluto/constants.c
index 4721d6ae0..2d4784b83 100644
--- a/src/pluto/constants.c
+++ b/src/pluto/constants.c
@@ -352,11 +352,21 @@ static const char *const ah_transform_name[] = {
 	"HMAC_SHA2_512",
 	"HMAC_RIPEMD",
 	"AES_XCBC_96",
-	"SIG_RSA"
+	"SIG_RSA",
+	"AES_128_GMAC",
+	"AES_192_GMAC",
+	"AES_256_GMAC"
+};
+
+static const char *const ah_transform_name_high[] = {
+	"HMAC_SHA2_256_96"
 };
 
-enum_names ah_transformid_names =
-	{ AH_MD5, AH_RSA, ah_transform_name, NULL };
+enum_names ah_transform_names_high =
+	{ AH_SHA2_256_96, AH_SHA2_256_96, ah_transform_name_high, NULL };
+
+enum_names ah_transform_names =
+	{ AH_MD5, AH_AES_256_GMAC, ah_transform_name, &ah_transform_names_high };
 
 /* IPsec ESP transform values */
 
@@ -390,11 +400,11 @@ static const char *const esp_transform_name_high[] = {
 	"TWOFISH_CBC"
 };
 
-enum_names esp_transformid_names_high =
+enum_names esp_transform_names_high =
 	{ ESP_SERPENT, ESP_TWOFISH, esp_transform_name_high, NULL };
 
-enum_names esp_transformid_names =
-	{ ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transformid_names_high };
+enum_names esp_transform_names =
+	{ ESP_DES_IV64, ESP_CAMELLIA, esp_transform_name, &esp_transform_names_high };
 
 /* IPCOMP transform values */
 
diff --git a/src/pluto/constants.h b/src/pluto/constants.h
index 57450368e..8c574ebc5 100644
--- a/src/pluto/constants.h
+++ b/src/pluto/constants.h
@@ -137,19 +137,23 @@ extern const char sparse_end[];
  * and in http://www.iana.org/assignments/isakmp-registry
  */
 enum ipsec_authentication_algo {
-  AH_NONE         = 0,
-  AH_MD5          = 2,
-  AH_SHA          = 3,
-  AH_DES          = 4,
-  AH_SHA2_256     = 5,
-  AH_SHA2_384     = 6,
-  AH_SHA2_512     = 7,
-  AH_RIPEMD       = 8,
-  AH_AES_XCBC_MAC = 9,
-  AH_RSA          = 10
+	AH_NONE         = 0,
+	AH_MD5          = 2,
+	AH_SHA          = 3,
+	AH_DES          = 4,
+	AH_SHA2_256     = 5,
+	AH_SHA2_384     = 6,
+	AH_SHA2_512     = 7,
+	AH_RIPEMD       = 8,
+	AH_AES_XCBC_MAC = 9,
+	AH_RSA          = 10,
+	AH_AES_128_GMAC = 11,
+	AH_AES_192_GMAC = 12,
+	AH_AES_256_GMAC = 13,
+	AH_SHA2_256_96  = 252  
 };
 
-extern enum_names ah_transformid_names;
+extern enum_names ah_transform_names;
 
 /* IPsec ESP transform values
  * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
@@ -157,45 +161,45 @@ extern enum_names ah_transformid_names;
  */
 
 enum ipsec_cipher_algo {
-  ESP_NONE          = 0,
-  ESP_DES_IV64      = 1,
-  ESP_DES           = 2,
-  ESP_3DES          = 3,
-  ESP_RC5           = 4,
-  ESP_IDEA          = 5,
-  ESP_CAST          = 6,
-  ESP_BLOWFISH      = 7,
-  ESP_3IDEA         = 8,
-  ESP_DES_IV32      = 9,
-  ESP_RC4           = 10,
-  ESP_NULL          = 11,
-  ESP_AES           = 12,
-  ESP_AES_CTR       = 13,
-  ESP_AES_CCM_8     = 14,
-  ESP_AES_CCM_12    = 15,
-  ESP_AES_CCM_16    = 16,
-  ESP_UNASSIGNED_17 = 17,
-  ESP_AES_GCM_8     = 18,
-  ESP_AES_GCM_12    = 19,
-  ESP_AES_GCM_16    = 20,
-  ESP_SEED_CBC      = 21,
-  ESP_CAMELLIA      = 22,
-  ESP_SERPENT       = 252,
-  ESP_TWOFISH       = 253
+	ESP_NONE          = 0,
+	ESP_DES_IV64      = 1,
+	ESP_DES           = 2,
+	ESP_3DES          = 3,
+	ESP_RC5           = 4,
+	ESP_IDEA          = 5,
+	ESP_CAST          = 6,
+	ESP_BLOWFISH      = 7,
+	ESP_3IDEA         = 8,
+	ESP_DES_IV32      = 9,
+	ESP_RC4           = 10,
+	ESP_NULL          = 11,
+	ESP_AES           = 12,
+	ESP_AES_CTR       = 13,
+	ESP_AES_CCM_8     = 14,
+	ESP_AES_CCM_12    = 15,
+	ESP_AES_CCM_16    = 16,
+	ESP_UNASSIGNED_17 = 17,
+	ESP_AES_GCM_8     = 18,
+	ESP_AES_GCM_12    = 19,
+	ESP_AES_GCM_16    = 20,
+	ESP_SEED_CBC      = 21,
+	ESP_CAMELLIA      = 22,
+	ESP_SERPENT       = 252,
+	ESP_TWOFISH       = 253
 };
 
-extern enum_names esp_transformid_names;
+extern enum_names esp_transform_names;
 
 /* IPCOMP transform values
  * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
  */
 
 enum ipsec_comp_algo {
-  IPSCOMP_NONE   = 0,
-  IPCOMP_OUI     = 1,
-  IPCOMP_DEFLATE = 2,
-  IPCOMP_LZS     = 3,
-  IPCOMP_LZJH    = 4
+	IPSCOMP_NONE   = 0,
+	IPCOMP_OUI     = 1,
+	IPCOMP_DEFLATE = 2,
+	IPCOMP_LZS     = 3,
+	IPCOMP_LZJH    = 4
 };
 
 extern enum_names ipcomp_transformid_names;
@@ -204,18 +208,18 @@ extern enum_names ipcomp_transformid_names;
  * RFC 2408 ISAKMP, chapter 3.9
  */
 enum ipsec_cert_type {
-  CERT_NONE=                0,
-  CERT_PKCS7_WRAPPED_X509=  1,
-  CERT_PGP=                 2,
-  CERT_DNS_SIGNED_KEY=      3,
-  CERT_X509_SIGNATURE=      4,
-  CERT_X509_KEY_EXCHANGE=   5,
-  CERT_KERBEROS_TOKENS=     6,
-  CERT_CRL=                 7,
-  CERT_ARL=                 8,
-  CERT_SPKI=                9,
-  CERT_X509_ATTRIBUTE=      10,
-  CERT_RAW_RSA_KEY=         11
+	CERT_NONE=                0,
+	CERT_PKCS7_WRAPPED_X509=  1,
+	CERT_PGP=                 2,
+	CERT_DNS_SIGNED_KEY=      3,
+	CERT_X509_SIGNATURE=      4,
+	CERT_X509_KEY_EXCHANGE=   5,
+	CERT_KERBEROS_TOKENS=     6,
+	CERT_CRL=                 7,
+	CERT_ARL=                 8,
+	CERT_SPKI=                9,
+	CERT_X509_ATTRIBUTE=      10,
+	CERT_RAW_RSA_KEY=         11
 };
 
 /* RFC 2560 OCSP - certificate status */
@@ -852,18 +856,22 @@ extern enum_names enc_mode_names;
 
 extern enum_names auth_alg_names, extended_auth_alg_names;
 
-#define AUTH_ALGORITHM_NONE             0  /* our private designation */
-#define AUTH_ALGORITHM_HMAC_MD5         1
-#define AUTH_ALGORITHM_HMAC_SHA1        2
-#define AUTH_ALGORITHM_DES_MAC          3
-#define AUTH_ALGORITHM_KPDK             4
-#define AUTH_ALGORITHM_HMAC_SHA2_256    5
-#define AUTH_ALGORITHM_HMAC_SHA2_384    6
-#define AUTH_ALGORITHM_HMAC_SHA2_512    7
-#define AUTH_ALGORITHM_HMAC_RIPEMD      8
-#define AUTH_ALGORITHM_AES_XCBC_MAC     9
-#define AUTH_ALGORITHM_SIG_RSA          10
-#define AUTH_ALGORITHM_NULL             251
+#define AUTH_ALGORITHM_NONE                0  /* our private designation */
+#define AUTH_ALGORITHM_HMAC_MD5            1
+#define AUTH_ALGORITHM_HMAC_SHA1           2
+#define AUTH_ALGORITHM_DES_MAC             3
+#define AUTH_ALGORITHM_KPDK                4
+#define AUTH_ALGORITHM_HMAC_SHA2_256       5
+#define AUTH_ALGORITHM_HMAC_SHA2_384       6
+#define AUTH_ALGORITHM_HMAC_SHA2_512       7
+#define AUTH_ALGORITHM_HMAC_RIPEMD         8
+#define AUTH_ALGORITHM_AES_XCBC_MAC        9
+#define AUTH_ALGORITHM_SIG_RSA            10
+#define AUTH_ALGORITHM_AES_128_GMAC       11
+#define AUTH_ALGORITHM_AES_192_GMAC       12
+#define AUTH_ALGORITHM_AES_256_GMAC       13
+#define AUTH_ALGORITHM_NULL              251
+#define AUTH_ALGORITHM_HMAC_SHA2_256_96  252
 
 /* Oakley Lifetime Type attribute
  * draft-ietf-ipsec-ike-01.txt appendix A
diff --git a/src/pluto/crypto.c b/src/pluto/crypto.c
index 85568f67f..327e1ceea 100644
--- a/src/pluto/crypto.c
+++ b/src/pluto/crypto.c
@@ -581,12 +581,20 @@ int esp_from_integrity_algorithm(integrity_algorithm_t alg)
 			return AUTH_ALGORITHM_HMAC_SHA1;
 		case AUTH_AES_XCBC_96:
 			return AUTH_ALGORITHM_AES_XCBC_MAC;
+		case AUTH_HMAC_SHA2_256_96:
+			return AUTH_ALGORITHM_HMAC_SHA2_256_96;
 		case AUTH_HMAC_SHA2_256_128:
 			return AUTH_ALGORITHM_HMAC_SHA2_256;
 		case AUTH_HMAC_SHA2_384_192:
 			return AUTH_ALGORITHM_HMAC_SHA2_384;
 		case AUTH_HMAC_SHA2_512_256:
 			return AUTH_ALGORITHM_HMAC_SHA2_512;
+		case AUTH_AES_128_GMAC:
+			return AUTH_ALGORITHM_AES_128_GMAC;
+		case AUTH_AES_192_GMAC:
+			return AUTH_ALGORITHM_AES_192_GMAC;
+		case AUTH_AES_256_GMAC:
+			return AUTH_ALGORITHM_AES_256_GMAC;
 		default:
 			return 0;
 	}
diff --git a/src/pluto/kernel.c b/src/pluto/kernel.c
index 97e8a2eea..fe4655d3f 100644
--- a/src/pluto/kernel.c
+++ b/src/pluto/kernel.c
@@ -1939,7 +1939,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 				 * assuming the name will be found.
 				 */
 				loglog(RC_LOG_SERIOUS, "ESP transform %s / auth %s not implemented yet"
-					, enum_name(&esp_transformid_names, st->st_esp.attrs.transid)
+					, enum_name(&esp_transform_names, st->st_esp.attrs.transid)
 					, enum_name(&auth_alg_names, st->st_esp.attrs.auth));
 				goto fail;
 			}
@@ -1958,7 +1958,7 @@ static bool setup_half_ipsec_sa(struct state *st, bool inbound)
 			if (key_len > ei->enckeylen)
 			{
 				loglog(RC_LOG_SERIOUS, "ESP transform %s passed key_len=%d > %d",
-					enum_name(&esp_transformid_names, st->st_esp.attrs.transid),
+					enum_name(&esp_transform_names, st->st_esp.attrs.transid),
 					(int)key_len, (int)ei->enckeylen);
 				goto fail;
 			}
diff --git a/src/pluto/kernel_alg.c b/src/pluto/kernel_alg.c
index 450c507d0..6734833ba 100644
--- a/src/pluto/kernel_alg.c
+++ b/src/pluto/kernel_alg.c
@@ -237,14 +237,14 @@ bool kernel_alg_esp_ok_final(u_int ealg, u_int key_len, u_int aalg,
 					{
 						loglog(RC_LOG_SERIOUS
 							, "You should NOT use insecure ESP algorithms [%s (%d)]!"
-							, enum_name(&esp_transformid_names, ealg), key_len);
+							, enum_name(&esp_transform_names, ealg), key_len);
 					}
 					return TRUE;
 				}
 			}
 		}
 		plog("IPSec Transform [%s (%d), %s] refused due to %s",
-				enum_name(&esp_transformid_names, ealg), key_len,
+				enum_name(&esp_transform_names, ealg), key_len,
 				enum_name(&auth_alg_names, aalg),
 				ealg_insecure ? "insecure key_len and enc. alg. not listed in \"esp\" string" : "strict flag");
 		return FALSE;
@@ -461,7 +461,7 @@ void kernel_alg_list(void)
 		if (ESP_EALG_PRESENT(sadb_id))
 		{
 			n = snprintf(pos, len, " %s",
-						 enum_name(&esp_transformid_names, sadb_id));
+						 enum_name(&esp_transform_names, sadb_id));
 			pos += n;
 			len -= n;
 			if (len <= 0)
@@ -502,7 +502,7 @@ void kernel_alg_show_connection(connection_t *c, const char *instance)
 		const char *aalg_name, *pfsgroup_name;
 
 		aalg_name = (c->policy & POLICY_AUTHENTICATE) ?
-					enum_show(&ah_transformid_names, st->st_ah.attrs.transid):
+					enum_show(&ah_transform_names, st->st_ah.attrs.transid):
 					enum_show(&auth_alg_names, st->st_esp.attrs.auth);
 
 		pfsgroup_name = (c->policy & POLICY_PFS) ?
@@ -516,7 +516,7 @@ void kernel_alg_show_connection(connection_t *c, const char *instance)
 			whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s_%u/%s/%s",
 				c->name, instance,
 				(st->st_ah.present) ? "/AH" : "",
-				enum_show(&esp_transformid_names, st->st_esp.attrs.transid),
+				enum_show(&esp_transform_names, st->st_esp.attrs.transid),
 				st->st_esp.attrs.key_len, aalg_name, pfsgroup_name);
 		}
 		else
@@ -524,7 +524,7 @@ void kernel_alg_show_connection(connection_t *c, const char *instance)
 			whack_log(RC_COMMENT, "\"%s\"%s:   ESP%s proposal: %s/%s/%s",
 				c->name, instance,
 				(st->st_ah.present) ? "/AH" : "",
-				enum_show(&esp_transformid_names, st->st_esp.attrs.transid),
+				enum_show(&esp_transform_names, st->st_esp.attrs.transid),
 				aalg_name, pfsgroup_name);
 		}
 	}
diff --git a/src/pluto/kernel_netlink.c b/src/pluto/kernel_netlink.c
index f7de01d94..0b4f4dd32 100644
--- a/src/pluto/kernel_netlink.c
+++ b/src/pluto/kernel_netlink.c
@@ -85,15 +85,15 @@ static sparse_names xfrm_type_names = {
 
 /* Authentication algorithms */
 static sparse_names aalg_list = {
-	{ SADB_X_AALG_NULL,          "digest_null" },
-	{ SADB_AALG_MD5HMAC,         "md5" },
-	{ SADB_AALG_SHA1HMAC,        "sha1" },
-	{ SADB_X_AALG_SHA2_256HMAC,  "sha256" },
-	{ SADB_X_AALG_SHA2_384HMAC,  "sha384" },
-	{ SADB_X_AALG_SHA2_512HMAC,  "sha512" },
-	{ SADB_X_AALG_RIPEMD160HMAC, "ripemd160" },
-	{ SADB_X_AALG_AES_XCBC_MAC,  "xcbc(aes)"},
-	{ SADB_X_AALG_NULL,          "null" },
+	{ SADB_X_AALG_NULL,            "digest_null" },
+	{ SADB_AALG_MD5HMAC,           "md5" },
+	{ SADB_AALG_SHA1HMAC,          "sha1" },
+	{ SADB_X_AALG_SHA2_256_96HMAC, "sha256" },
+	{ SADB_X_AALG_SHA2_256HMAC,    "hmac(sha256)" },
+	{ SADB_X_AALG_SHA2_384HMAC,    "hmac(sha384)" },
+	{ SADB_X_AALG_SHA2_512HMAC,    "hmac(sha512)" },
+	{ SADB_X_AALG_RIPEMD160HMAC,   "ripemd160" },
+	{ SADB_X_AALG_AES_XCBC_MAC,    "xcbc(aes)"},
 	{ 0, sparse_end }
 };
 
@@ -629,7 +629,6 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 
 	if (sa->authalg)
 	{
-		struct xfrm_algo algo;
 		const char *name;
 
 		name = sparse_name(aalg_list, sa->authalg);
@@ -645,16 +644,37 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 					sa->authkeylen * BITS_PER_BYTE)
 			)
 
-		strcpy(algo.alg_name, name);
-		algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+		if (sa->authalg == SADB_X_AALG_SHA2_256HMAC)
+		{
+			struct xfrm_algo_auth algo;
 
-		attr->rta_type = XFRMA_ALG_AUTH;
-		attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+			/* the kernel uses SHA256 with 96 bit truncation by default,
+			 * use specified truncation size supported by newer kernels */
+			strcpy(algo.alg_name, name);
+			algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+			algo.alg_trunc_len = 128;
 
-		memcpy(RTA_DATA(attr), &algo, sizeof(algo));
-		memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
-			, sa->authkeylen);
+			attr->rta_type = XFRMA_ALG_AUTH_TRUNC;
+			attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
 
+			memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+			memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
+				, sa->authkeylen);
+		}
+		else
+		{
+			struct xfrm_algo algo;
+
+			strcpy(algo.alg_name, name);
+			algo.alg_key_len = sa->authkeylen * BITS_PER_BYTE;
+
+			attr->rta_type = XFRMA_ALG_AUTH;
+			attr->rta_len = RTA_LENGTH(sizeof(algo) + sa->authkeylen);
+
+			memcpy(RTA_DATA(attr), &algo, sizeof(algo));
+			memcpy((char *)RTA_DATA(attr) + sizeof(algo), sa->authkey
+				, sa->authkeylen);
+		}
 		req.n.nlmsg_len += attr->rta_len;
 		attr = (struct rtattr *)((char *)attr + attr->rta_len);
 	}
@@ -687,7 +707,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 			}
 			DBG(DBG_CRYPT,
 				DBG_log("configured esp encryption algorithm %s with key size %d",
-						enum_show(&esp_transformid_names, sa->encalg),
+						enum_show(&esp_transform_names, sa->encalg),
 						sa->enckeylen * BITS_PER_BYTE)
 			)
 			attr->rta_type = XFRMA_ALG_AEAD;
@@ -717,7 +737,7 @@ static bool netlink_add_sa(const struct kernel_sa *sa, bool replace)
 			}
 			DBG(DBG_CRYPT,
 				DBG_log("configured esp encryption algorithm %s with key size %d",
-						enum_show(&esp_transformid_names, sa->encalg),
+						enum_show(&esp_transform_names, sa->encalg),
 						sa->enckeylen * BITS_PER_BYTE)
 			)
 			attr->rta_type = XFRMA_ALG_CRYPT;
diff --git a/src/pluto/packet.c b/src/pluto/packet.c
index b82fe20e3..35fc4afcc 100644
--- a/src/pluto/packet.c
+++ b/src/pluto/packet.c
@@ -227,7 +227,7 @@ static field_desc isat_fields_ah[] = {
 	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
 	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
 	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transformid_names },
+	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &ah_transform_names },
 	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
 	{ ft_end, 0, NULL, NULL }
 };
@@ -242,7 +242,7 @@ static field_desc isat_fields_esp[] = {
 	{ ft_mbz, 8/BITS_PER_BYTE, NULL, NULL },
 	{ ft_len, 16/BITS_PER_BYTE, "length", NULL },
 	{ ft_nat, 8/BITS_PER_BYTE, "transform number", NULL },
-	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transformid_names },
+	{ ft_enum, 8/BITS_PER_BYTE, "transform ID", &esp_transform_names },
 	{ ft_mbz, 16/BITS_PER_BYTE, NULL, NULL },
 	{ ft_end, 0, NULL, NULL }
 };
diff --git a/src/pluto/spdb.c b/src/pluto/spdb.c
index 5c2aab827..cdf2cb21b 100644
--- a/src/pluto/spdb.c
+++ b/src/pluto/spdb.c
@@ -2008,7 +2008,7 @@ parse_ipsec_sa_body(
 				{
 					loglog(RC_LOG_SERIOUS, "%s attribute inappropriate in %s Transform"
 						, enum_name(&auth_alg_names, ah_attrs.auth)
-						, enum_show(&ah_transformid_names, ah_attrs.transid));
+						, enum_show(&ah_transform_names, ah_attrs.transid));
 					return ISAKMP_BAD_PROPOSAL_SYNTAX;
 				}
 				if (!ok_auth)
@@ -2017,7 +2017,7 @@ parse_ipsec_sa_body(
 						, DBG_log("%s attribute unsupported"
 							" in %s Transform from %s"
 							, enum_name(&auth_alg_names, ah_attrs.auth)
-							, enum_show(&ah_transformid_names, ah_attrs.transid)
+							, enum_show(&ah_transform_names, ah_attrs.transid)
 							, ip_str(&c->spd.that.host_addr)));
 					continue;   /* try another */
 				}
@@ -2085,7 +2085,7 @@ parse_ipsec_sa_body(
 					default:
 						DBG(DBG_CONTROL | DBG_CRYPT
 							, DBG_log("unsupported ESP Transform %s from %s"
-								, enum_show(&esp_transformid_names, esp_attrs.transid)
+								, enum_show(&esp_transform_names, esp_attrs.transid)
 								, ip_str(&c->spd.that.host_addr)));
 						continue;   /* try another */
 					}