/home/build/libreswan/programs/pluto/ikev2

Bug Summary

File:	programs/pluto/ikev2_ts.c
Warning:	line 970, column 32 Access to field 'kind' results in a dereference of a null pointer (loaded from variable 'c')
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ikev2_ts.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -mrelocation-model pic -pic-level 2 -pic-is-pie -mthread-model posix -mdisable-fp-elim -relaxed-aliasing -fmath-errno -masm-verbose -mconstructor-aliases -munwind-tables -fuse-init-array -target-cpu x86-64 -dwarf-column-info -debugger-tuning=gdb -resource-dir /usr/lib64/clang/8.0.0 -D TimeZoneOffset=timezone -D linux -D PIE -D NSS_IPSEC_PROFILE -D XFRM_SUPPORT -D USE_XFRM_INTERFACE -D USE_DNSSEC -D DEFAULT_DNSSEC_ROOTKEY_FILE="/var/lib/unbound/root.key" -D HAVE_LABELED_IPSEC -D HAVE_SECCOMP -D LIBCURL -D USE_LINUX_AUDIT -D USE_SYSTEMD_WATCHDOG -D HAVE_NM -D XAUTH_HAVE_PAM -D USE_3DES -D USE_AES -D USE_CAMELLIA -D USE_CHACHA -D USE_DH31 -D USE_MD5 -D USE_SHA1 -D USE_SHA2 -D USE_PRF_AES_XCBC -D DEFAULT_RUNDIR="/run/pluto" -D IPSEC_CONF="/etc/ipsec.conf" -D IPSEC_CONFDDIR="/etc/ipsec.d" -D IPSEC_NSSDIR="/etc/ipsec.d" -D IPSEC_CONFDIR="/etc" -D IPSEC_EXECDIR="/usr/local/libexec/ipsec" -D IPSEC_SBINDIR="/usr/local/sbin" -D IPSEC_VARDIR="/var" -D POLICYGROUPSDIR="/etc/ipsec.d/policies" -D IPSEC_SECRETS_FILE="/etc/ipsec.secrets" -D FORCE_PR_ASSERT -D USE_FORK=1 -D USE_VFORK=0 -D USE_DAEMON=0 -D USE_PTHREAD_SETSCHEDPRIO=1 -D GCC_LINT -D HAVE_LIBCAP_NG -I . -I ../../OBJ.linux.x86_64/programs/pluto -I ../../include -I /usr/include/nss3 -I /usr/include/nspr4 -I /home/build/libreswan/programs/pluto/linux-copy -D HERE_BASENAME="ikev2_ts.c" -internal-isystem /usr/local/include -internal-isystem /usr/lib64/clang/8.0.0/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -Wno-missing-field-initializers -std=gnu99 -fdebug-compilation-dir /home/build/libreswan/programs/pluto -ferror-limit 19 -fmessage-length 0 -stack-protector 3 -fobjc-runtime=gcc -fdiagnostics-show-option -analyzer-output=html -o /tmp/scan-build-2020-09-09-193337-25440-1 -x c /home/build/libreswan/programs/pluto/ikev2_ts.c -faddrsig
1/* IKEv2 Traffic Selectors, for libreswan
*
* Copyright (C) 2007-2008 Michael Richardson <mcr@xelerance.com>
* Copyright (C) 2009-2010 Paul Wouters <paul@xelerance.com>
* Copyright (C) 2010 Tuomo Soini <tis@foobar.fi>
* Copyright (C) 2011-2012 Avesh Agarwal <avagarwa@redhat.com>
* Copyright (C) 2012-2018 Paul Wouters <pwouters@redhat.com>
* Copyright (C) 2012,2016-2017 Antony Antony <appu@phenome.org>
* Copyright (C) 2013 D. Hugh Redelmeier <hugh@mimosa.com>
* Copyright (C) 2014-2015, 2018 Andrew cagney <cagney@gnu.org>
* Copyright (C) 2017 Antony Antony <antony@phenome.org>
* Copyright (C) 2019 Andrew Cagney <cagney@gnu.org>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.  See <https://www.gnu.org/licenses/gpl2.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
* for more details.
*
*/

26#include "defs.h"

28#include "log.h"
29#include "ikev2_ts.h"
30#include "connections.h"	/* for struct end */
31#include "demux.h"
32#include "virtual.h"
33#include "hostpair.h"
34#include "ip_info.h"
35#include "ip_selector.h"

37/*
* While the RFC seems to suggest that the traffic selectors come in
* pairs, strongswan, at least, doesn't.
*/
41struct traffic_selectors {
unsigned nr;
/* ??? is 16 an undocumented limit - IKEv2 has no limit */
struct traffic_selector ts[16];
45};

47struct ends {
const struct end *i;
const struct end *r;
50};

52enum fit {
END_EQUALS_TS = 1,
END_NARROWER_THAN_TS,
END_WIDER_THAN_TS,
56};


59static bool_Bool ts_in_tslist(struct traffic_selectors *haystack,
	struct traffic_selector *needle)
61{
for (unsigned int i = 0; i < haystack->nr; i++) {
struct traffic_selector hay = haystack->ts[i];

if (needle->ts_type == hay.ts_type &&
	needle->ipprotoid == hay.ipprotoid &&
	needle->startport == hay.startport &&
	needle->endport == hay.endport &&
	sameaddr(&needle->net.start, &hay.net.start) &&
	sameaddr(&needle->net.end, &hay.net.end))
                      {
		return TRUE1;
                      }
}
return FALSE0;
76}

78static const char *fit_string(enum fit fit)
79{
switch (fit) {
case END_EQUALS_TS: return "==";
case END_NARROWER_THAN_TS: return "<=";
case END_WIDER_THAN_TS: return ">=";
default: bad_case(fit)libreswan_bad_case("fit", (fit), (where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 84});
}
86}

88void ikev2_print_ts(const struct traffic_selector *ts)
89{
if (DBGP(DBG_BASE)(cur_debugging & (((lset_t)1 << (DBG_BASE_IX))))) {
DBG_log("printing contents struct traffic_selector");
DBG_log("  ts_type: %s", enum_name(&ikev2_ts_type_names, ts->ts_type));
DBG_log("  ipprotoid: %d", ts->ipprotoid);
DBG_log("  port range: %d-%d", ts->startport, ts->endport);
range_buf b;
DBG_log("  ip range: %s", str_range(&ts->net, &b));
}
98}

100/* rewrite me with address_as_{chunk,shunk}()? */
101struct traffic_selector ikev2_end_to_ts(const struct end *e)
102{
struct traffic_selector ts;

zero(&ts)memset((&ts), '\0', sizeof(*(&ts)));	/* OK: no pointer fields */

switch (subnet_type(&e->client)->af) {
case AF_INET2:
ts.ts_type = IKEv2_TS_IPV4_ADDR_RANGE;
break;
case AF_INET610:
ts.ts_type = IKEv2_TS_IPV6_ADDR_RANGE;
break;
}

/* subnet => range */
ts.net = range_from_subnet(&e->client);
/* Setting ts_type IKEv2_TS_FC_ADDR_RANGE (RFC-4595) not yet supported */

ts.ipprotoid = e->protocol;

/*
* if port is %any or 0 we mean all ports (or all iccmp/icmpv6)
* See RFC-5996 Section 3.13.1 handling for ICMP(1) and ICMPv6(58)
*   we only support providing Type, not Code, eg protoport=1/1
*/
if (e->port == 0 || e->has_port_wildcard) {
ts.startport = 0;
ts.endport = 65535;
} else {
ts.startport = e->port;
ts.endport = e->port;
}

return ts;
136}

138static stf_status ikev2_emit_ts(pb_stream *outpbs,
		const struct_desc *ts_desc,
		const struct traffic_selector *ts)
141{
pb_stream ts_pbs;

{
struct ikev2_ts its = {
	.isat_critical = ISAKMP_PAYLOAD_NONCRITICAL0x00,
	.isat_num = 1,
};

if (!out_struct(&its, ts_desc, outpbs, &ts_pbs))
	return STF_INTERNAL_ERROR;
}

pb_stream ts_pbs2;

{
struct ikev2_ts1 its1 = {
	.isat1_ipprotoid = ts->ipprotoid,   /* protocol as per local policy */
	.isat1_startport = ts->startport,   /* ports as per local policy */
	.isat1_endport = ts->endport,
};
switch (ts->ts_type) {
case IKEv2_TS_IPV4_ADDR_RANGE:
	its1.isat1_type = IKEv2_TS_IPV4_ADDR_RANGE;
	break;
case IKEv2_TS_IPV6_ADDR_RANGE:
	its1.isat1_type = IKEv2_TS_IPV6_ADDR_RANGE;
	break;
case IKEv2_TS_FC_ADDR_RANGE:
	DBG_log("IKEv2 Traffic Selector IKEv2_TS_FC_ADDR_RANGE not yet supported");
	return STF_INTERNAL_ERROR;

default:
	DBG_log("IKEv2 Traffic Selector type '%d' not supported",
		ts->ts_type);
	return STF_INTERNAL_ERROR;	/* ??? should be bad_case()? */
}

if (!out_struct(&its1, &ikev2_ts1_desc, &ts_pbs, &ts_pbs2))
	return STF_INTERNAL_ERROR;
}

/* now do IP addresses */
switch (ts->ts_type) {
case IKEv2_TS_IPV4_ADDR_RANGE:
case IKEv2_TS_IPV6_ADDR_RANGE:
{
diag_t d;
d = pbs_out_address(&ts_pbs2, &ts->net.start, "IP start");
if (d != NULL((void*)0)) {
	log_diag(RC_LOG_SERIOUS, outpbs->out_logger, &d, "%s", "");
	return STF_INTERNAL_ERROR;
}
d = pbs_out_address(&ts_pbs2, &ts->net.end, "IP end");
if (d != NULL((void*)0)) {
	log_diag(RC_LOG_SERIOUS, outpbs->out_logger, &d, "%s", "");
	return STF_INTERNAL_ERROR;
}
break;
}
case IKEv2_TS_FC_ADDR_RANGE:
DBG_log("Traffic Selector IKEv2_TS_FC_ADDR_RANGE not supported");
return STF_FAIL;

default:
DBG_log("Failed to create unknown IKEv2 Traffic Selector payload '%d'",
	ts->ts_type);
return STF_FAIL;
}

close_output_pbs(&ts_pbs2);
close_output_pbs(&ts_pbs);

return STF_OK;
215}

217static struct traffic_selector impair_ts_to_subnet(const struct traffic_selector *ts)
218{
struct traffic_selector ts_ret = *ts;

ts_ret.net.end = ts_ret.net.start;
ts_ret.net.is_subnet = true1;

return ts_ret;
225}


228static struct traffic_selector impair_ts_to_supernet(const struct traffic_selector *ts)
229{
struct traffic_selector ts_ret = *ts;

if (ts_ret.ts_type == IKEv2_TS_IPV4_ADDR_RANGE)
ts_ret.net = range_from_subnet(&ipv4_info.all_addresses);
else if (ts_ret.ts_type == IKEv2_TS_IPV6_ADDR_RANGE)
ts_ret.net = range_from_subnet(&ipv6_info.all_addresses);

ts_ret.net.is_subnet = true1;

return ts_ret;
240}

242stf_status v2_emit_ts_payloads(const struct child_sa *child,
	       pb_stream *outpbs,
	       const struct connection *c0)
245{
const struct traffic_selector *ts_i, *ts_r;
struct traffic_selector ts_i_impaired, ts_r_impaired;


switch (child->sa.st_sa_role) {
case SA_INITIATOR:
ts_i = &child->sa.st_ts_this;
ts_r = &child->sa.st_ts_that;
if (child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I0 &&
		impair.rekey_initiate_supernet) {
	ts_i_impaired =  impair_ts_to_supernet(ts_i);
	ts_i = ts_r =  &ts_i_impaired; /* supernet TSi = TSr = 0/0 */
	range_buf tsi_buf;
                      range_buf tsr_buf;
	dbg("rekey-initiate-supernet TSi and TSr set to %s %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-supernet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } }
			str_range(&ts_i->net, &tsi_buf),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-supernet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } }
			str_range(&ts_r->net, &tsr_buf)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-supernet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } };

} else if (child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I0 &&
		impair.rekey_initiate_subnet) {
	ts_i_impaired =  impair_ts_to_subnet(ts_i);
	ts_r_impaired =  impair_ts_to_subnet(ts_r);
	ts_i = &ts_i_impaired;
	ts_r = &ts_r_impaired;
	range_buf tsi_buf;
	range_buf tsr_buf;
	dbg("rekey-initiate-subnet TSi and TSr set to %s %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-subnet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } }
			str_range(&ts_i->net, &tsi_buf),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-subnet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } }
			str_range(&ts_r->net, &tsr_buf)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-subnet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } };

}

break;
case SA_RESPONDER:
ts_i = &child->sa.st_ts_that;
ts_r = &child->sa.st_ts_this;
if (child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0 &&
		impair.rekey_respond_subnet) {
	ts_i_impaired =  impair_ts_to_subnet(ts_i);
	ts_r_impaired =  impair_ts_to_subnet(ts_r);

	ts_i = &ts_i_impaired;
	ts_r = &ts_r_impaired;
	range_buf tsi_buf;
	range_buf tsr_buf;
	dbg("rekey-respond-subnet TSi and TSr set to %s %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-subnet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } }
			str_range(&ts_i->net, &tsi_buf),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-subnet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } }
			str_range(&ts_r->net, &tsr_buf)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-subnet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } };
}
if (child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0 &&
		impair.rekey_respond_supernet) {
	ts_i_impaired =  impair_ts_to_supernet(ts_i);
	ts_i = ts_r =  &ts_i_impaired; /* supernet TSi = TSr = 0/0 */
	range_buf tsi_buf;
                      range_buf tsr_buf;
	dbg("rekey-respond-supernet TSi and TSr set to %s %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-supernet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } }
			str_range(&ts_i->net, &tsi_buf),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-supernet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } }
			str_range(&ts_r->net, &tsr_buf)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-supernet TSi and TSr set to %s %s"
, str_range(&ts_i->net, &tsi_buf), str_range(&
ts_r->net, &tsr_buf)); } };
}
break;
default:
bad_case(child->sa.st_sa_role)libreswan_bad_case("child->sa.st_sa_role", (child->sa.st_sa_role
), (where_t) { .func = __func__, .basename = "ikev2_ts.c" , .
line = 307});
}

/*
* XXX: this looks wrong
*
* - instead of emitting two traffic selector payloads (TSi
*   TSr) each containing all the corresponding traffic
*   selectors, it is emitting a sequence of traffic selector
*   payloads each containing just one traffic selector
*
* - should multiple initiator (responder) traffic selector
*   payloads be emitted then they will all contain the same
*   value - the loop control variable SR is never referenced
*
* - should multiple traffic selector payload be emitted then
*   the next payload type for all but the last v2TSr payload
*   will be wrong - it is always set to the type of the
*   payload after these
*/

for (const struct spd_route *sr = &c0->spd; sr != NULL((void*)0);
    sr = sr->spd_next) {
stf_status ret = ikev2_emit_ts(outpbs, &ikev2_ts_i_desc, ts_i);

if (ret != STF_OK)
	return ret;
ret = ikev2_emit_ts(outpbs, &ikev2_ts_r_desc, ts_r);
if (ret != STF_OK)
	return ret;
}

return STF_OK;
340}

342/* return success */
343static bool_Bool v2_parse_ts(struct payload_digest *const ts_pd,
	struct traffic_selectors *tss,
	const char *which)
346{
dbg("%s: parsing %u traffic selectors",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("%s: parsing %u traffic selectors", which, ts_pd
->payload.v2ts.isat_num); } }
   which, ts_pd->payload.v2ts.isat_num){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("%s: parsing %u traffic selectors", which, ts_pd
->payload.v2ts.isat_num); } };

if (ts_pd->payload.v2ts.isat_num == 0) {
libreswan_log("%s payload contains no entries when at least one is expected",loglog(RC_LOG, "%s payload contains no entries when at least one is expected"
, which)
	      which)loglog(RC_LOG, "%s payload contains no entries when at least one is expected"
, which);
return false0;
}

if (ts_pd->payload.v2ts.isat_num >= elemsof(tss->ts)(sizeof(tss->ts) / sizeof(*(tss->ts)))) {
libreswan_log("%s contains %d entries which exceeds hardwired max of %zu",loglog(RC_LOG, "%s contains %d entries which exceeds hardwired max of %zu"
, which, ts_pd->payload.v2ts.isat_num, (sizeof(tss->ts)
 / sizeof(*(tss->ts))))
	      which, ts_pd->payload.v2ts.isat_num, elemsof(tss->ts))loglog(RC_LOG, "%s contains %d entries which exceeds hardwired max of %zu"
, which, ts_pd->payload.v2ts.isat_num, (sizeof(tss->ts)
 / sizeof(*(tss->ts))));
return false0;	/* won't fit in array */
}

for (tss->nr = 0; tss->nr < ts_pd->payload.v2ts.isat_num; tss->nr++) {
struct traffic_selector *ts = &tss->ts[tss->nr];

pb_stream addr;
struct ikev2_ts1 ts1;
if (!in_struct(&ts1, &ikev2_ts1_desc, &ts_pd->pbs, &addr))
	return false0;

const struct ip_info *ipv;
switch (ts1.isat1_type) {
case IKEv2_TS_IPV4_ADDR_RANGE:
	ts->ts_type = IKEv2_TS_IPV4_ADDR_RANGE;
	ipv = &ipv4_info;
	break;
case IKEv2_TS_IPV6_ADDR_RANGE:
	ts->ts_type = IKEv2_TS_IPV6_ADDR_RANGE;
	ipv = &ipv6_info;
	break;
default:
	return false0;
}

if (!pbs_in_address(&ts->net.start, ipv, &addr, "TS low")) {
	return false0;
}
if (!pbs_in_address(&ts->net.end, ipv, &addr, "TS high")) {
	return false0;
}
/* XXX: does this matter? */
if (pbs_left(&addr)((size_t)((&addr)->roof - (&addr)->cur)) != 0)
	return false0;

ts->ipprotoid = ts1.isat1_ipprotoid;

ts->startport = ts1.isat1_startport;
ts->endport = ts1.isat1_endport;
if (ts->startport > ts->endport) {
	libreswan_log("%s traffic selector %d has an invalid port range",loglog(RC_LOG, "%s traffic selector %d has an invalid port range"
, which, tss->nr)
		      which, tss->nr)loglog(RC_LOG, "%s traffic selector %d has an invalid port range"
, which, tss->nr);
	return false0;
}
}

dbg("%s: parsed %d traffic selectors", which, tss->nr){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("%s: parsed %d traffic selectors", which, tss->
nr); } };
return true1;
407}

409static bool_Bool v2_parse_tss(const struct msg_digest *md,
	 struct traffic_selectors *tsi,
	 struct traffic_selectors *tsr)
412{
if (!v2_parse_ts(md->chain[ISAKMP_NEXT_v2TSi], tsi, "TSi")) {
return false0;
}

if (!v2_parse_ts(md->chain[ISAKMP_NEXT_v2TSr], tsr, "TSr")) {
return false0;
}

return true1;
422}

424#define MATCH_PREFIX"        " "        "

426/*
* Check if our policy's protocol (proto) matches the Traffic Selector
* protocol (ts_proto).
*/

431static int narrow_protocol(const struct end *end,
	   const struct traffic_selectors *tss,
	   enum fit fit,
	   const char *which, unsigned index)
435{
const struct traffic_selector *ts = &tss->ts[index];
int protocol = -1;

switch (fit) {
case END_EQUALS_TS:
if (end->protocol == ts->ipprotoid) {
	protocol = end->protocol;
}
break;
case END_NARROWER_THAN_TS:
if (ts->ipprotoid == 0 /* wild-card */ ||
    ts->ipprotoid == end->protocol) {
	protocol = end->protocol;
}
break;
case END_WIDER_THAN_TS:
if (end->protocol == 0 /* wild-card */ ||
    end->protocol == ts->ipprotoid) {
	protocol = ts->ipprotoid;
}
break;
default:
bad_case(fit)libreswan_bad_case("fit", (fit), (where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 458});
}
dbg(MATCH_PREFIX "narrow protocol end=%s%d %s %s[%u]=%s%d: %d",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), which, index, ts->ipprotoid == 0 ? "*" : "", ts->
ipprotoid, protocol); } }
   end->protocol == 0 ? "*" : "", end->protocol,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), which, index, ts->ipprotoid == 0 ? "*" : "", ts->
ipprotoid, protocol); } }
   fit_string(fit),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), which, index, ts->ipprotoid == 0 ? "*" : "", ts->
ipprotoid, protocol); } }
   which, index, ts->ipprotoid == 0 ? "*" : "", ts->ipprotoid,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), which, index, ts->ipprotoid == 0 ? "*" : "", ts->
ipprotoid, protocol); } }
   protocol){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), which, index, ts->ipprotoid == 0 ? "*" : "", ts->
ipprotoid, protocol); } };
return protocol;
466}

468static int score_narrow_protocol(const struct end *end,
		 const struct traffic_selectors *tss,
		 enum fit fit,
		 const char *which, unsigned index)
472{
int f;	/* strength of match */

int protocol = narrow_protocol(end, tss, fit, which, index);
if (protocol == 0) {
f = 255;	/* ??? odd value */
} else if (protocol > 0) {
f = 1;
} else {
f = 0;
}
LSWDBGP(DBG_BASE, buf)for (_Bool lswlog_p = (cur_debugging & (((lset_t)1 <<
 (DBG_BASE_IX)))); lswlog_p; lswlog_p = 0) for (char lswbuf[(
(size_t)1024)], *lswbuf_ = lswbuf; lswbuf_ != ((void*)0); lswbuf_
 = ((void*)0)) for (struct jambuf jambuf = array_as_jambuf((lswbuf
), sizeof(lswbuf)), *buf = &jambuf; buf != ((void*)0); buf
 = ((void*)0)) for (; buf != ((void*)0); jambuf_to_debug_stream
(buf), buf = ((void*)0)) {
const struct traffic_selector *ts = &tss->ts[index];
jam(buf, MATCH_PREFIX"        " "match end->protocol=%s%d %s %s[%u].ipprotoid=%s%d: ",
	end->protocol == 0 ? "*" : "", end->protocol,
	fit_string(fit),
	which, index, ts->ipprotoid == 0 ? "*" : "", ts->ipprotoid);
if (f > 0) {
	jam(buf, "YES fitness %d", f);
} else {
	jam(buf, "NO");
}
}
return f;
496}

498/*
* Narrow the END/TS ports according to FIT.
*
* Returns 0 (all ports), a specific port number, or -1 (no luck).
*
* Since 'struct end' only describes all-ports or a single port; only
* narrow to that.
*/

507static int narrow_port(const struct end *end,
       const struct traffic_selectors *tss,
       enum fit fit,
       const char *which, unsigned index)
511{
passert(index < tss->nr){ _Bool assertion__ = index < tss->nr; if (!assertion__
) { lsw_passert_fail((where_t) { .func = __func__, .basename =
 "ikev2_ts.c" , .line = 512}, "%s", "index < tss->nr");
 } };
const struct traffic_selector *ts = &tss->ts[index];

int end_low = end->port;
int end_high = end->port == 0 ? 65535 : end->port;
int port = -1;

switch (fit) {
case END_EQUALS_TS:
if (end_low == ts->startport && ts->endport == end_high) {
	/* end=ts=0-65535 || end=ts=N-N */
	port = end_low;
}
break;
case END_NARROWER_THAN_TS:
if (ts->startport <= end_low && end_high <= ts->endport) {
	/* end=ts=0-65535 || ts=N<=end<=M */
	port = end_low;
}
break;
case END_WIDER_THAN_TS:
if (end_low < ts->startport && ts->endport < end_high &&
    ts->startport == ts->endport) {
	/*ts=0<N-N<65535*/
	port = ts->startport;
} else if (end_low == ts->startport && ts->endport == end_high) {
	/* end=ts=0-65535 || end=ts=N-N */
	port = ts->startport;
}
break;
default:
bad_case(fit)libreswan_bad_case("fit", (fit), (where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 543});
}
dbg(MATCH_PREFIX "narrow port end=%u..%u %s %s[%u]=%u..%u: %d",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), which, index, ts->startport
, ts->endport, port); } }
   end_low, end_high,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), which, index, ts->startport
, ts->endport, port); } }
   fit_string(fit),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), which, index, ts->startport
, ts->endport, port); } }
   which, index, ts->startport, ts->endport,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), which, index, ts->startport
, ts->endport, port); } }
   port){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), which, index, ts->startport
, ts->endport, port); } };
return port;
551}

553/*
* Assign a score to the narrowed port, rationale for score lost in
* time?
*/

558static int score_narrow_port(const struct end *end,
	     const struct traffic_selectors *tss,
	     enum fit fit,
	     const char *which, unsigned index)
562{
int f;	/* strength of match */

int port = narrow_port(end, tss, fit, which, index);
if (port > 0) {
f = 1;
} else if (port == 0) {
f = 65536; /* from 1 + 65535-0 */
} else {
f = 0;
}
if (f > 0) {
dbg(MATCH_PREFIX "  %s[%u] port match: YES fitness %d",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "  %s[%u] port match: YES fitness %d"
, which, index, f); } }
    which, index, f){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "  %s[%u] port match: YES fitness %d"
, which, index, f); } };
} else {
dbg(MATCH_PREFIX "  %s[%u] port match: NO",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "  %s[%u] port match: NO", which, index
); } }
    which, index){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "  %s[%u] port match: NO", which, index
); } };
}
return f;
581}

583/*
* Does TS fit inside of END?
*
* Given other code flips the comparison depending initiator or
* responder, is this right?
*
* NOTE: Our parser/config only allows 1 CIDR, however IKEv2 ranges
*       can be non-CIDR for now we really support/limit ourselves to
*       a single CIDR
*
* XXX: what exactly is CIDR?
*/

596static int score_address_range(const struct end *end,
	       const struct traffic_selectors *tss,
	       enum fit fit,
	       const char *which, unsigned index)
600{
const struct traffic_selector *ts = &tss->ts[index];
/*
* Pre-compute possible fit --- sum of bits gives how good a
* fit this is.
*/
int ts_range = iprange_bits(ts->net.start, ts->net.end);
int maskbits = end->client.maskbits;
int fitbits = maskbits + ts_range;

int f = 0;

/*
* NOTE: Our parser/config only allows 1 CIDR, however IKEv2
*       ranges can be non-CIDR for now we really
*       support/limit ourselves to a single CIDR
*
* XXX: so what is CIDR?
*/
ip_range range = range_from_subnet(&end->client);
passert(addrcmp(&range.start, &range.end) <= 0){ _Bool assertion__ = addrcmp(&range.start, &range.end
) <= 0; if (!assertion__) { lsw_passert_fail((where_t) { .
func = __func__, .basename = "ikev2_ts.c" , .line = 620}, "%s"
, "addrcmp(&range.start, &range.end) <= 0"); } };
passert(addrcmp(&ts->net.start, &ts->net.end) <= 0){ _Bool assertion__ = addrcmp(&ts->net.start, &ts->
net.end) <= 0; if (!assertion__) { lsw_passert_fail((where_t
) { .func = __func__, .basename = "ikev2_ts.c" , .line = 621}
, "%s", "addrcmp(&ts->net.start, &ts->net.end) <= 0"
); } };
switch (fit) {
case END_EQUALS_TS:
if (addrcmp(&range.start, &ts->net.start) == 0 &&
    addrcmp(&range.end, &ts->net.end) == 0) {
	f = fitbits;
}
break;
case END_NARROWER_THAN_TS:
if (addrcmp(&range.start, &ts->net.start) >= 0 &&
    addrcmp(&range.end, &ts->net.end) <= 0) {
	f = fitbits;
}
break;
case END_WIDER_THAN_TS:
if (addrcmp(&range.start, &ts->net.start) <= 0 &&
    addrcmp(&range.end, &ts->net.end) >= 0) {
	f = fitbits;
}
break;
default:
bad_case(fit)libreswan_bad_case("fit", (fit), (where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 642});
}

/*
* comparing for ports for finding better local policy
*
* XXX: why do this?
*/
/* ??? arbitrary modification to objective function */
if (end->port != 0 &&
   ts->startport == end->port &&
   ts->endport == end->port)
f = f << 1;

LSWDBGP(DBG_BASE, buf)for (_Bool lswlog_p = (cur_debugging & (((lset_t)1 <<
 (DBG_BASE_IX)))); lswlog_p; lswlog_p = 0) for (char lswbuf[(
(size_t)1024)], *lswbuf_ = lswbuf; lswbuf_ != ((void*)0); lswbuf_
 = ((void*)0)) for (struct jambuf jambuf = array_as_jambuf((lswbuf
), sizeof(lswbuf)), *buf = &jambuf; buf != ((void*)0); buf
 = ((void*)0)) for (; buf != ((void*)0); jambuf_to_debug_stream
(buf), buf = ((void*)0)) {
   jam(buf, MATCH_PREFIX"        " "match address end->client=");
   jam_subnet(buf, &end->client);
   jam(buf, " %s %s[%u]net=", fit_string(fit), which, index);
   jam_range(buf, &ts->net);
   jam(buf, ": ");
   if (f > 0) {
    jam(buf, "YES fitness %d", f);
   } else {
    jam(buf, "NO");
   }
}
return f;
669}

671struct score {
bool_Bool ok;
int address;
int port;
int protocol;
676};

678static struct score score_end(const struct end *end,
	      const struct traffic_selectors *tss,
	      enum fit fit,
	      const char *what, unsigned index)
682{
const struct traffic_selector *ts = &tss->ts[index];
range_buf ts_net;
dbg("    %s[%u] .net=%s .iporotoid=%d .{start,end}port=%d..%d",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    %s[%u] .net=%s .iporotoid=%d .{start,end}port=%d..%d"
, what, index, str_range(&ts->net, &ts_net), ts->
ipprotoid, ts->startport, ts->endport); } }
   what, index,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    %s[%u] .net=%s .iporotoid=%d .{start,end}port=%d..%d"
, what, index, str_range(&ts->net, &ts_net), ts->
ipprotoid, ts->startport, ts->endport); } }
   str_range(&ts->net, &ts_net),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    %s[%u] .net=%s .iporotoid=%d .{start,end}port=%d..%d"
, what, index, str_range(&ts->net, &ts_net), ts->
ipprotoid, ts->startport, ts->endport); } }
   ts->ipprotoid,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    %s[%u] .net=%s .iporotoid=%d .{start,end}port=%d..%d"
, what, index, str_range(&ts->net, &ts_net), ts->
ipprotoid, ts->startport, ts->endport); } }
   ts->startport,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    %s[%u] .net=%s .iporotoid=%d .{start,end}port=%d..%d"
, what, index, str_range(&ts->net, &ts_net), ts->
ipprotoid, ts->startport, ts->endport); } }
   ts->endport){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    %s[%u] .net=%s .iporotoid=%d .{start,end}port=%d..%d"
, what, index, str_range(&ts->net, &ts_net), ts->
ipprotoid, ts->startport, ts->endport); } };

struct score score = { .ok = false0, };
score.address = score_address_range(end, tss, fit, what, index);
if (score.address <= 0) {
return score;
}
score.port = score_narrow_port(end, tss, fit, what, index);
if (score.port <= 0) {
return score;
}
score.protocol = score_narrow_protocol(end, tss, fit, what, index);
if (score.protocol <= 0) {
return score;
}
score.ok = true1;
return score;
707}

709struct best_score {
bool_Bool ok;
int address;
int port;
int protocol;
const struct traffic_selector *tsi;
const struct traffic_selector *tsr;
716};
717#define  NO_SCORE{ .ok = 0, .address = -1, .port = -1, .protocol = -1, } { .ok = false0, .address = -1, .port = -1, .protocol = -1, }

719static bool_Bool score_gt(const struct best_score *score, const struct best_score *best)
720{
return (score->address > best->address ||
(score->address == best->address &&
 score->port > best->port) ||
(score->address == best->address &&
 score->port == best->port &&
 score->protocol > best->protocol));
727}

729static struct best_score score_ends(enum fit fit,
		    const struct connection *d,
		    const struct ends *ends,
		    const struct traffic_selectors *tsi,
		    const struct traffic_selectors *tsr)
734{
if (DBGP(DBG_BASE)(cur_debugging & (((lset_t)1 << (DBG_BASE_IX))))) {
selector_buf ei3;
selector_buf er3;
connection_buf cib;
DBG_log("evaluating our conn="PRI_CONNECTION"\"%s\"%s"" I=%s:%d/%d R=%s:%d/%d%s to their:",
	pri_connection(d, &cib)(d)->name, str_connection_instance(d, &cib),
	str_selector(&ends->i->client, &ei3), ends->i->protocol, ends->i->port,
	str_selector(&ends->r->client, &er3), ends->r->protocol, ends->r->port,
	is_virtual_connection(d) ? " (virt)" : "");
}

struct best_score best_score = NO_SCORE{ .ok = 0, .address = -1, .port = -1, .protocol = -1, };

/* compare tsi/r array to this/that, evaluating how well it fits */
for (unsigned tsi_n = 0; tsi_n < tsi->nr; tsi_n++) {
const struct traffic_selector *tni = &tsi->ts[tsi_n];

/* choice hardwired! */
struct score score_i = score_end(ends->i, tsi, fit, "TSi", tsi_n);
if (!score_i.ok) {
	continue;
}

for (unsigned tsr_n = 0; tsr_n < tsr->nr; tsr_n++) {
	const struct traffic_selector *tnr = &tsr->ts[tsr_n];

	struct score score_r = score_end(ends->r, tsr, fit, "TSr", tsr_n);
	if (!score_r.ok) {
		continue;
	}

	struct best_score score = {
		.ok = true1,
		/* ??? this objective function is odd and arbitrary */
		.address = (score_i.address << 8) + score_r.address,
		/* ??? arbitrary objective function */
		.port = score_i.port + score_r.port,
		/* ??? arbitrary objective function */
		.protocol = score_i.protocol + score_r.protocol,
		/* which one */
		.tsi = tni, .tsr = tnr,
	};

	/* score >= best_score? */
	if (score_gt(&score, &best_score)) {
		best_score = score;
		dbg("best fit so far: TSi[%d] TSr[%d]",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("best fit so far: TSi[%d] TSr[%d]", tsi_n, tsr_n
); } }
		    tsi_n, tsr_n){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("best fit so far: TSi[%d] TSr[%d]", tsi_n, tsr_n
); } };
	}
}
}

return best_score;
788}

790/*
* find the best connection and, if it is AUTH exchange, create the
* child state
*
* XXX: creating child as a side effect is pretty messed up.
*/
796bool_Bool v2_process_ts_request(struct child_sa *child,
	   const struct msg_digest *md)
798{
passert(v2_msg_role(md) == MESSAGE_REQUEST){ _Bool assertion__ = v2_msg_role(md) == MESSAGE_REQUEST; if (
!assertion__) { lsw_passert_fail((where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 799}, "%s", "v2_msg_role(md) == MESSAGE_REQUEST"
); } };
1
Assuming the condition is true→
2
←
Taking false branch→
passert(child->sa.st_sa_role == SA_RESPONDER){ _Bool assertion__ = child->sa.st_sa_role == SA_RESPONDER
; if (!assertion__) { lsw_passert_fail((where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 800}, "%s", "child->sa.st_sa_role == SA_RESPONDER"
); } };
3
←
Assuming the condition is true→
4
←
Taking false branch→

/*
* XXX: md->st here is parent????  Lets find out.
*/
if (md->st == &child->sa) {
5
←
Taking true branch→
dbg("Child SA TS Request has child->sa == md->st; so using child connection"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("Child SA TS Request has child->sa == md->st; so using child connection"
); } };
6
←
Assuming the condition is false→
7
←
Taking false branch→
} else if (md->st == &ike_sa(&child->sa, HERE(where_t) { .func = __func__, .basename = "ikev2_ts.c" , .line
 = 807})->sa) {
dbg("Child SA TS Request has ike->sa == md->st; so using parent connection"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("Child SA TS Request has ike->sa == md->st; so using parent connection"
); } };
} else {
dbg("Child SA TS Request has an unknown md->st; so using unknown connection"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("Child SA TS Request has an unknown md->st; so using unknown connection"
); } };
}
struct connection *c = md->st->st_connection;
8
←
'c' initialized here→

struct traffic_selectors tsi = { .nr = 0, };
struct traffic_selectors tsr = { .nr = 0, };
if (!v2_parse_tss(md, &tsi, &tsr)) {
9
←
Taking false branch→
return false0;
}

/* best so far; start with state's connection */
struct best_score best_score = NO_SCORE{ .ok = 0, .address = -1, .port = -1, .protocol = -1, };
const struct spd_route *best_spd_route = NULL((void*)0);
struct connection *best_connection = c;

/* find best spd in c */

dbg("looking for best SPD in current connection"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("looking for best SPD in current connection");
 } };
10
←
Assuming the condition is false→
11
←
Taking false branch→
for (const struct spd_route *sra = &c->spd; sra != NULL((void*)0); sra = sra->spd_next) {
12
←
Assuming 'sra' is equal to NULL→
13
←
Loop condition is false. Execution continues on line 865→

/* responder */
const struct ends ends = {
	.i = &sra->that,
	.r = &sra->this,
};
enum fit responder_fit =
	(c->policy & POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))
	? END_NARROWER_THAN_TS
	: END_EQUALS_TS;

struct best_score score = score_ends(responder_fit, c, &ends, &tsi, &tsr);
if (!score.ok) {
	continue;
}
if (score_gt(&score, &best_score)) {
	dbg("    found better spd route for TSi[%td],TSr[%td]",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    found better spd route for TSi[%td],TSr[%td]"
, score.tsi - tsi.ts, score.tsr - tsr.ts); } }
	    score.tsi - tsi.ts, score.tsr - tsr.ts){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    found better spd route for TSi[%td],TSr[%td]"
, score.tsi - tsi.ts, score.tsr - tsr.ts); } };
	best_score = score;
	best_spd_route = sra;
	passert(best_connection == c){ _Bool assertion__ = best_connection == c; if (!assertion__)
 { lsw_passert_fail((where_t) { .func = __func__, .basename =
 "ikev2_ts.c" , .line = 849}, "%s", "best_connection == c"); }
 };
}
}

/*
* ??? the use of hp looks nonsensical.
* Either the first non-empty host_pair should be used
* (like the current code) and the following should
* be broken into two loops: first find the non-empty
* host_pair list, second look through the host_pair list.
* OR
* what's really meant is look at the host_pair for
* each sra, something that matches the current
* nested loop structure but not what it actually does.
*/

dbg("looking for better host pair"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("looking for better host pair"); } };
14
←
Taking false branch→
const struct host_pair *hp = NULL((void*)0);
for (const struct spd_route *sra = &c->spd;
15
←
Loop condition is false. Execution continues on line 949→
    hp == NULL((void*)0) && sra != NULL((void*)0); sra = sra->spd_next) {
hp = find_host_pair(&sra->this.host_addr,
		    &sra->that.host_addr);

if (DBGP(DBG_BASE)(cur_debugging & (((lset_t)1 << (DBG_BASE_IX))))) {
	selector_buf s2;
	selector_buf d2;
	DBG_log("  checking hostpair %s -> %s is %s",
		str_selector(&sra->this.client, &s2),
		str_selector(&sra->that.client, &d2),
		hp == NULL((void*)0) ? "not found" : "found");
}

if (hp == NULL((void*)0))
	continue;

for (struct connection *d = hp->connections;
     d != NULL((void*)0); d = d->hp_next) {
	/* groups are templates instantiated as GROUPINSTANCE */
	if (d->policy & POLICY_GROUP((lset_t)1 << (POLICY_GROUP_IX))) {
		continue;
	}
	dbg("  investigating connection \"%s\" as a better match", d->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  investigating connection \"%s\" as a better match"
, d->name); } };

	/*
	 * ??? same_id && match_id seems redundant.
	 * if d->spd.this.id.kind == ID_NONE, both TRUE
	 * else if c->spd.this.id.kind == ID_NONE,
	 *     same_id treats it as a wildcard and match_id
	 *     does not.  Odd.
	 * else if kinds differ, match_id FALSE
	 * else if kind ID_DER_ASN1_DN, wildcards are forbidden by same_id
	 * else match_id just calls same_id.
	 * So: if wildcards are desired, just use match_id.
	 * If they are not, just use same_id
	 */
	int wildcards;	/* value ignored */
	int pathlen;	/* value ignored */
	if (!(same_id(&c->spd.this.id,
		      &d->spd.this.id) &&
	      match_id(&c->spd.that.id,
		       &d->spd.that.id, &wildcards) &&
	      trusted_ca_nss(c->spd.that.ca,
			 d->spd.that.ca, &pathlen))) {
		dbg("    connection \"%s\" does not match IDs or CA of current connection \"%s\"",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    connection \"%s\" does not match IDs or CA of current connection \"%s\""
, d->name, c->name); } }
		    d->name, c->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    connection \"%s\" does not match IDs or CA of current connection \"%s\""
, d->name, c->name); } };
		continue;
	}

	const struct spd_route *sr;

	for (sr = &d->spd; sr != NULL((void*)0); sr = sr->spd_next) {

		/* responder */
		const struct ends ends = {
			.i = &sr->that,
			.r = &sr->this,
		};
		/* responder -- note D! */
		enum fit responder_fit =
			(d->policy & POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))
			? END_NARROWER_THAN_TS
			: END_EQUALS_TS;

		struct best_score score = score_ends(responder_fit, d/*note D*/,
						     &ends, &tsi, &tsr);
		if (!score.ok) {
			continue;
		}
		if (score_gt(&score, &best_score)) {
			dbg("    protocol fitness found better match d %s, TSi[%td],TSr[%td]",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    protocol fitness found better match d %s, TSi[%td],TSr[%td]"
, d->name, score.tsi - tsi.ts, score.tsr - tsr.ts); } }
			    d->name,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    protocol fitness found better match d %s, TSi[%td],TSr[%td]"
, d->name, score.tsi - tsi.ts, score.tsr - tsr.ts); } }
			    score.tsi - tsi.ts, score.tsr - tsr.ts){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    protocol fitness found better match d %s, TSi[%td],TSr[%td]"
, d->name, score.tsi - tsi.ts, score.tsr - tsr.ts); } };
			best_connection = d;
			best_score = score;
			best_spd_route = sr;
		}
	}
}
}

if (best_connection == c) {
16
←
Taking true branch→
dbg("  did not find a better connection using host pair"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  did not find a better connection using host pair"
); } };
17
←
Taking false branch→
}

953#define CONNECTION_POLICIES(((lset_t)1 << (POLICY_NEGO_PASS_IX)) | ((lset_t)1 <<
 (POLICY_DONT_REKEY_IX)) | ((lset_t)1 << (POLICY_REAUTH_IX
)) | ((lset_t)1 << (POLICY_OPPORTUNISTIC_IX)) | ((lset_t
)1 << (POLICY_GROUP_IX)) | ((lset_t)1 << (POLICY_GROUTED_IX
)) | ((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) | ((lset_t
)1 << (POLICY_UP_IX)) | ((lset_t)1 << (POLICY_XAUTH_IX
)) | ((lset_t)1 << (POLICY_MODECFG_PULL_IX)) | ((lset_t
)1 << (POLICY_AGGRESSIVE_IX)) | ((lset_t)1 << (POLICY_OVERLAPIP_IX
)) | ((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX))) (POLICY_NEGO_PASS((lset_t)1 << (POLICY_NEGO_PASS_IX)) |				\
	     POLICY_DONT_REKEY((lset_t)1 << (POLICY_DONT_REKEY_IX)) |			\
	     POLICY_REAUTH((lset_t)1 << (POLICY_REAUTH_IX)) |				\
	     POLICY_OPPORTUNISTIC((lset_t)1 << (POLICY_OPPORTUNISTIC_IX)) |			\
	     POLICY_GROUP((lset_t)1 << (POLICY_GROUP_IX)) |				\
	     POLICY_GROUTED((lset_t)1 << (POLICY_GROUTED_IX)) |				\
	     POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) |			\
	     POLICY_UP((lset_t)1 << (POLICY_UP_IX)) |				\
	     POLICY_XAUTH((lset_t)1 << (POLICY_XAUTH_IX)) |				\
	     POLICY_MODECFG_PULL((lset_t)1 << (POLICY_MODECFG_PULL_IX)) |			\
	     POLICY_AGGRESSIVE((lset_t)1 << (POLICY_AGGRESSIVE_IX)) |			\
	     POLICY_OVERLAPIP((lset_t)1 << (POLICY_OVERLAPIP_IX)) |				\
	     POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))

/*
* Try instantiating something better.
*/
if (best_spd_route == NULL((void*)0) && c->kind != CK_INSTANCE) {
18
←
Access to field 'kind' results in a dereference of a null pointer (loaded from variable 'c')
/*
 * Don't try to look for something else to
 * 'instantiate' when the current connection is
 * permanent.
 *
 * XXX: Is this missing an opportunity?  Could there
 * be a better connection to instantiate when the
 * current one is permanent?
 *
 * XXX: 'instantiate', not really?  The code below
 * blats the current instance with new values -
 * something that should not be done to a permanent
 * connection.
 */
pexpect(c->kind == CK_PERMANENT)({ _Bool assertion__ = c->kind == CK_PERMANENT; if (!assertion__
) { log_pexpect((where_t) { .func = __func__, .basename = "ikev2_ts.c"
 , .line = 985}, "%s", "c->kind == CK_PERMANENT"); } assertion__
; });
dbg("no best spd route; but the current %s connection \"%s\" is not a CK_INSTANCE",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("no best spd route; but the current %s connection \"%s\" is not a CK_INSTANCE"
, enum_name(&connection_kind_names, c->kind), c->name
); } }
    enum_name(&connection_kind_names, c->kind), c->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("no best spd route; but the current %s connection \"%s\" is not a CK_INSTANCE"
, enum_name(&connection_kind_names, c->kind), c->name
); } };
} else if (best_spd_route == NULL((void*)0) &&
   ((c->policy & POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX))) ||
    c->policy & POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))) {
/*
 * Is there something better than the current
 * connection?
 *
 * Rather than overwrite the current INSTANCE; would
 * it be better to instantiate a new instance, and
 * then replace it?  Would also address the above.
 */
pexpect(c->kind == CK_INSTANCE)({ _Bool assertion__ = c->kind == CK_INSTANCE; if (!assertion__
) { log_pexpect((where_t) { .func = __func__, .basename = "ikev2_ts.c"
 , .line = 999}, "%s", "c->kind == CK_INSTANCE"); } assertion__
; });
/* since an SPD_ROUTE wasn't found */
passert(best_connection == c){ _Bool assertion__ = best_connection == c; if (!assertion__)
 { lsw_passert_fail((where_t) { .func = __func__, .basename =
 "ikev2_ts.c" , .line = 1001}, "%s", "best_connection == c");
 } };
dbg("no best spd route; looking for a better template connection to instantiate"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("no best spd route; looking for a better template connection to instantiate"
); } };

dbg("FOR_EACH_CONNECTION_... in %s", __func__){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("FOR_EACH_CONNECTION_... in %s", __func__); } };
for (struct connection *t = connections; t != NULL((void*)0); t = t->ac_next) {
	/* require a template */
	if (t->kind != CK_TEMPLATE) {
		continue;
	}
	LSWDBGP(DBG_BASE, buf)for (_Bool lswlog_p = (cur_debugging & (((lset_t)1 <<
 (DBG_BASE_IX)))); lswlog_p; lswlog_p = 0) for (char lswbuf[(
(size_t)1024)], *lswbuf_ = lswbuf; lswbuf_ != ((void*)0); lswbuf_
 = ((void*)0)) for (struct jambuf jambuf = array_as_jambuf((lswbuf
), sizeof(lswbuf)), *buf = &jambuf; buf != ((void*)0); buf
 = ((void*)0)) for (; buf != ((void*)0); jambuf_to_debug_stream
(buf), buf = ((void*)0)) {
		jam(buf, "  investigating template \"%s\";",
			t->name);
		if (t->foodgroup != NULL((void*)0)) {
			jam(buf, " food-group=\"%s\"", t->foodgroup);
		}
		jam(buf, " policy=%s", prettypolicy(t->policy & CONNECTION_POLICIES(((lset_t)1 << (POLICY_NEGO_PASS_IX)) | ((lset_t)1 <<
 (POLICY_DONT_REKEY_IX)) | ((lset_t)1 << (POLICY_REAUTH_IX
)) | ((lset_t)1 << (POLICY_OPPORTUNISTIC_IX)) | ((lset_t
)1 << (POLICY_GROUP_IX)) | ((lset_t)1 << (POLICY_GROUTED_IX
)) | ((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) | ((lset_t
)1 << (POLICY_UP_IX)) | ((lset_t)1 << (POLICY_XAUTH_IX
)) | ((lset_t)1 << (POLICY_MODECFG_PULL_IX)) | ((lset_t
)1 << (POLICY_AGGRESSIVE_IX)) | ((lset_t)1 << (POLICY_OVERLAPIP_IX
)) | ((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))));
	}

	/*
	 * Is it worth looking at the template.
	 *
	 * XXX: treat the combination the same as
	 * group instance, like the old code did; is
	 * this valid?
	 */
	switch (c->policy & (POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) |
			     POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))) {
	case POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)):
	case POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) | POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)): /* XXX: true */
		/* XXX: why does this matter; does it imply t->foodgroup != NULL? */
		if (!LIN(POLICY_GROUPINSTANCE, t->policy)(((((lset_t)1 << (POLICY_GROUPINSTANCE_IX))) & (t->
policy)) == (((lset_t)1 << (POLICY_GROUPINSTANCE_IX))))) {
			dbg("    skipping; not a group instance"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; not a group instance"); } };
			continue;
		}
		/* when OE, don't change food groups? */
		if (!streq(c->foodgroup, t->foodgroup)(strcmp((c->foodgroup), (t->foodgroup)) == 0)) {
			dbg("    skipping; wrong foodgroup name"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; wrong foodgroup name"); } };
			continue;
		}
		/* ??? why require current connection->name and t->name to be different */
		/* XXX: don't re-instantiate the same connection template???? */
		if (streq(c->name, t->name)(strcmp((c->name), (t->name)) == 0)) {
			dbg("    skipping; name same as current connection"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; name same as current connection"
); } };
			continue;
		}
		break;
	case POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)):
		if (!LIN(POLICY_IKEV2_ALLOW_NARROWING, t->policy)(((((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX))) &
 (t->policy)) == (((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX
))))) {
			dbg("    skipping; cannot narrow"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; cannot narrow"); } };
			continue;
		}
		break;
	default:
		bad_case(c->policy)libreswan_bad_case("c->policy", (c->policy), (where_t) {
 .func = __func__, .basename = "ikev2_ts.c" , .line = 1054}); /* not quite true */
	}

	/* require initiator's subnet <= T; why? */
	if (!subnetinsubnet(&c->spd.that.client, &t->spd.that.client)) {
		dbg("    skipping; current connection's initiator subnet is not <= template"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; current connection's initiator subnet is not <= template"
); } };
		continue;
	}
	/* require responder address match; why? */
	if (!sameaddr(&c->spd.this.client.addr, &t->spd.this.client.addr)) {
		dbg("    skipping; responder addresses don't match"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; responder addresses don't match"
); } };
		continue;
	}

	/* require a valid narrowed port? */
	enum fit fit;
	switch (c->policy & (POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) |
			     POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))) {
	case POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)):
	case POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) | POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)): /* XXX: true */
		/* exact match; XXX: 'cos that is what old code did */
		fit = END_EQUALS_TS;
		break;
	case POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)):
		/* narrow END's port to TS port */
		fit = END_WIDER_THAN_TS;
		break;
	default:
		bad_case(c->policy)libreswan_bad_case("c->policy", (c->policy), (where_t) {
 .func = __func__, .basename = "ikev2_ts.c" , .line = 1082});
	}

	passert(tsi.nr >= 1){ _Bool assertion__ = tsi.nr >= 1; if (!assertion__) { lsw_passert_fail
((where_t) { .func = __func__, .basename = "ikev2_ts.c" , .line
 = 1085}, "%s", "tsi.nr >= 1"); } };
	int tsi_port = narrow_port(&t->spd.that, &tsi,
				   fit, "TSi", 0);
	if (tsi_port < 0) {
		dbg("    skipping; TSi port too wide"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; TSi port too wide"); } };
		continue;
	}
	int tsi_protocol = narrow_protocol(&t->spd.that, &tsi,
					   fit, "TSi", 0);
	if (tsi_protocol < 0) {
		dbg("    skipping; TSi protocol too wide"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; TSi protocol too wide"); } };
		continue;
	}

	passert(tsr.nr >= 1){ _Bool assertion__ = tsr.nr >= 1; if (!assertion__) { lsw_passert_fail
((where_t) { .func = __func__, .basename = "ikev2_ts.c" , .line
 = 1099}, "%s", "tsr.nr >= 1"); } };
	int tsr_port = narrow_port(&t->spd.this, &tsr,
				   fit, "TRi", 0);
	if (tsr_port < 0) {
		dbg("    skipping; TSr port too wide"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; TSr port too wide"); } };
		continue;
	}
	int tsr_protocol = narrow_protocol(&t->spd.this, &tsr,
					   fit, "TSr", 0);
	if (tsr_protocol < 0) {
		dbg("    skipping; TSr protocol too wide"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; TSr protocol too wide"); } };
		continue;
	}

	passert(best_connection == c){ _Bool assertion__ = best_connection == c; if (!assertion__)
 { lsw_passert_fail((where_t) { .func = __func__, .basename =
 "ikev2_ts.c" , .line = 1113}, "%s", "best_connection == c");
 } }; /* aka st->st_connection, no leak */

	bool_Bool shared = v2_child_connection_probably_shared(child);
	if (shared) {
		/* instantiate it, filling in peer's ID */
		best_connection = instantiate(t, &c->spd.that.host_addr,
					      NULL((void*)0));
	}

	/* "this" == responder; see function name */
	best_connection->spd.this.port = tsr_port;
	best_connection->spd.that.port = tsi_port;
	best_connection->spd.this.protocol = tsr_protocol;
	best_connection->spd.that.protocol = tsi_protocol;
	best_spd_route = &best_connection->spd;

	if (shared) {
		char old[CONN_INST_BUF(2 + 10 + 1 + sizeof(subnet_buf) + 7 + sizeof(address_reversed_buf
) + 3 + sizeof(subnet_buf) + 1 + 1)];
		char new[CONN_INST_BUF(2 + 10 + 1 + sizeof(subnet_buf) + 7 + sizeof(address_reversed_buf
) + 3 + sizeof(subnet_buf) + 1 + 1)];
		dbg("switching from \"%s\"%s to \"%s\"%s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("switching from \"%s\"%s to \"%s\"%s", c->name
, fmt_conn_instance(c, old), best_connection->name, fmt_conn_instance
(best_connection, new)); } }
		    c->name, fmt_conn_instance(c, old),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("switching from \"%s\"%s to \"%s\"%s", c->name
, fmt_conn_instance(c, old), best_connection->name, fmt_conn_instance
(best_connection, new)); } }
		    best_connection->name, fmt_conn_instance(best_connection, new)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("switching from \"%s\"%s to \"%s\"%s", c->name
, fmt_conn_instance(c, old), best_connection->name, fmt_conn_instance
(best_connection, new)); } };
	} else {
		char cib[CONN_INST_BUF(2 + 10 + 1 + sizeof(subnet_buf) + 7 + sizeof(address_reversed_buf
) + 3 + sizeof(subnet_buf) + 1 + 1)];
		dbg("  overwrote connection with instance %s%s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  overwrote connection with instance %s%s", best_connection
->name, fmt_conn_instance(best_connection, cib)); } }
		    best_connection->name, fmt_conn_instance(best_connection, cib)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  overwrote connection with instance %s%s", best_connection
->name, fmt_conn_instance(best_connection, cib)); } };
	}
	break;
}
}

if (best_spd_route == NULL((void*)0)) {
dbg("giving up"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("giving up"); } };
return false0;
}

/*
* this both replaces the child's connection, and flips any
* underlying current-connection
*
* XXX: but this is responder code, there probably isn't a
* current-connection - it would have gone straight to current
* state.
*
* XXX: ah, but the state code does: set-state; set-connection
* (yes order is wrong).  Why does it bother?
*
* update_state_connection(), if the connection changes,
* de-references the old connection; which is what really
* matters
*/
update_state_connection(&child->sa, best_connection);

child->sa.st_ts_this = ikev2_end_to_ts(&best_spd_route->this);
child->sa.st_ts_that = ikev2_end_to_ts(&best_spd_route->that);

ikev2_print_ts(&child->sa.st_ts_this);
ikev2_print_ts(&child->sa.st_ts_that);

return true1;
1173}

1175/* check TS payloads, response */
1176bool_Bool v2_process_ts_response(struct child_sa *child,
	    struct msg_digest *md)
1178{
passert(child->sa.st_sa_role == SA_INITIATOR){ _Bool assertion__ = child->sa.st_sa_role == SA_INITIATOR
; if (!assertion__) { lsw_passert_fail((where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 1179}, "%s", "child->sa.st_sa_role == SA_INITIATOR"
); } };
passert(v2_msg_role(md) == MESSAGE_RESPONSE){ _Bool assertion__ = v2_msg_role(md) == MESSAGE_RESPONSE; if
 (!assertion__) { lsw_passert_fail((where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 1180}, "%s", "v2_msg_role(md) == MESSAGE_RESPONSE"
); } };

struct connection *c = child->sa.st_connection;

struct traffic_selectors tsi = { .nr = 0, };
struct traffic_selectors tsr = { .nr = 0, };
if (!v2_parse_tss(md, &tsi, &tsr)) {
return false0;
}

/* initiator */
const struct spd_route *sra = &c->spd;
const struct ends e = {
.i = &sra->this,
.r = &sra->that,
};
enum fit initiator_widening =
(c->policy & POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))
? END_WIDER_THAN_TS
: END_EQUALS_TS;

struct best_score best = score_ends(initiator_widening, c, &e, &tsi, &tsr);

if (!best.ok) {
dbg("reject responder TSi/TSr Traffic Selector"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("reject responder TSi/TSr Traffic Selector"); }
 };
/* prevents parent from going to I3 */
return false0;
}

dbg("found an acceptable TSi/TSr Traffic Selector"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("found an acceptable TSi/TSr Traffic Selector"
); } };
struct state *st = &child->sa;
memcpy(&st->st_ts_this, best.tsi,
      sizeof(struct traffic_selector));
memcpy(&st->st_ts_that, best.tsr,
      sizeof(struct traffic_selector));
ikev2_print_ts(&st->st_ts_this);
ikev2_print_ts(&st->st_ts_that);

ip_subnet tmp_subnet_i;
ip_subnet tmp_subnet_r;
rangetosubnet(&st->st_ts_this.net.start,
      &st->st_ts_this.net.end, &tmp_subnet_i);
rangetosubnet(&st->st_ts_that.net.start,
      &st->st_ts_that.net.end, &tmp_subnet_r);

c->spd.this.client = tmp_subnet_i;
c->spd.this.port = st->st_ts_this.startport;
c->spd.this.protocol = st->st_ts_this.ipprotoid;
setportof(htons(c->spd.this.port),{ *(&c->spd.this.client.addr) = set_endpoint_hport((&
c->spd.this.client.addr), ntohs(htons(c->spd.this.port)
)); }
  &c->spd.this.client.addr){ *(&c->spd.this.client.addr) = set_endpoint_hport((&
c->spd.this.client.addr), ntohs(htons(c->spd.this.port)
)); };

c->spd.this.has_client =
!(subnetishost(&c->spd.this.client) &&
  addrinsubnet(&c->spd.this.host_addr,
	       &c->spd.this.client));

c->spd.that.client = tmp_subnet_r;
c->spd.that.port = st->st_ts_that.startport;
c->spd.that.protocol = st->st_ts_that.ipprotoid;
setportof(htons(c->spd.that.port),{ *(&c->spd.that.client.addr) = set_endpoint_hport((&
c->spd.that.client.addr), ntohs(htons(c->spd.that.port)
)); }
  &c->spd.that.client.addr){ *(&c->spd.that.client.addr) = set_endpoint_hport((&
c->spd.that.client.addr), ntohs(htons(c->spd.that.port)
)); };

c->spd.that.has_client =
!(subnetishost(&c->spd.that.client) &&
  addrinsubnet(&c->spd.that.host_addr,
	       &c->spd.that.client));

return true1;
1248}

1250/*
* RFC 7296 https://tools.ietf.org/html/rfc7296#section-2.8
* "when rekeying, the new Child SA SHOULD NOT have different Traffic
*  Selectors and algorithms than the old one."
*
* We already matched the right connection by the SPI of v2N_REKEY_SA
*/
1257bool_Bool child_rekey_ts_verify(struct child_sa *child, struct msg_digest *md)
1258{
if (!pexpect(child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0 ||({ _Bool assertion__ = child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0
 || child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I1
; if (!assertion__) { log_pexpect((where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 1260}, "%s", "child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0 || child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I1"
); } assertion__; })
     child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I1)({ _Bool assertion__ = child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0
 || child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I1
; if (!assertion__) { log_pexpect((where_t) { .func = __func__
, .basename = "ikev2_ts.c" , .line = 1260}, "%s", "child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0 || child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I1"
); } assertion__; })) {
return false0;
}

struct traffic_selectors their_tsis = { .nr = 0, };
struct traffic_selectors their_tsrs = { .nr = 0, };
enum message_role md_role = v2_msg_role(md);

if (!v2_parse_tss(md, &their_tsis, &their_tsrs)) {
log_state(RC_LOG_SERIOUS, &child->sa, "received malformed TSi/TSr payload(s)");
return false0;
}

struct traffic_selector ts_this = ikev2_end_to_ts(&child->sa.st_connection->spd.this);
struct traffic_selector ts_that = ikev2_end_to_ts(&child->sa.st_connection->spd.that);

if (!ts_in_tslist(&their_tsis, (md_role == MESSAGE_REQUEST) ? &ts_that : &ts_this)) {
log_state(RC_LOG_SERIOUS, &child->sa,
	  "received TSi payload does not contain existing IPsec SA traffic Selectors");
return false0;
}

if (!ts_in_tslist(&their_tsrs, (md_role == MESSAGE_REQUEST) ? &ts_this : &ts_that)) {
log_state(RC_LOG_SERIOUS, &child->sa, "received TSr payload(s) does not contain existing IPsec SA Traffic Selectors");
return false0;
}
return true1;
1287}