/home/build/quick-libreswan-2/programs/pluto/ikev2

Bug Summary

File:	programs/pluto/ikev2_ts.c
Warning:	line 1222, column 8 Access to field 'ike_version' results in a dereference of a null pointer (loaded from variable 'c')
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple x86_64-redhat-linux-gnu -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ikev2_ts.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fmath-errno -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/build/quick-libreswan-2/programs/pluto -resource-dir /usr/lib64/clang/13.0.0 -D TimeZoneOffset=timezone -D PIE -D NSS_IPSEC_PROFILE -D XFRM_LIFETIME_DEFAULT=30 -D USE_IKEv1 -D XFRM_SUPPORT -D USE_XFRM_INTERFACE -D USE_DNSSEC -D DEFAULT_DNSSEC_ROOTKEY_FILE="/var/lib/unbound/root.key" -D HAVE_LABELED_IPSEC -D HAVE_SECCOMP -D LIBCURL -D USE_LINUX_AUDIT -D HAVE_NM -D USE_PAM_AUTH -D USE_3DES -D USE_AES -D USE_CAMELLIA -D USE_CHACHA -D USE_DH31 -D USE_MD5 -D USE_SHA1 -D USE_SHA2 -D USE_PRF_AES_XCBC -D USE_NSS_KDF -D DEFAULT_RUNDIR="/run/pluto" -D IPSEC_CONF="/etc/ipsec.conf" -D IPSEC_CONFDDIR="/etc/ipsec.d" -D IPSEC_NSSDIR="/var/lib/ipsec/nss" -D IPSEC_CONFDIR="/etc" -D IPSEC_EXECDIR="/usr/local/libexec/ipsec" -D IPSEC_SBINDIR="/usr/local/sbin" -D IPSEC_VARDIR="/var" -D POLICYGROUPSDIR="/etc/ipsec.d/policies" -D IPSEC_SECRETS_FILE="/etc/ipsec.secrets" -D FORCE_PR_ASSERT -D USE_FORK=1 -D USE_VFORK=0 -D USE_DAEMON=0 -D USE_PTHREAD_SETSCHEDPRIO=1 -D GCC_LINT -D HAVE_LIBCAP_NG -I . -I ../../OBJ.linux.x86_64/programs/pluto -I ../../include -I /usr/include/nss3 -I /usr/include/nspr4 -I /home/build/quick-libreswan-2/programs/pluto/linux-copy -D HERE_FILENAME="programs/pluto/ikev2_ts.c" -internal-isystem /usr/lib64/clang/13.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/bin/../lib/gcc/x86_64-redhat-linux/11/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -std=gnu99 -fdebug-compilation-dir=/home/build/quick-libreswan-2/programs/pluto -ferror-limit 19 -stack-protector 3 -fgnuc-version=4.2.1 -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-01-01-205714-1273399-1 -x c /home/build/quick-libreswan-2/programs/pluto/ikev2_ts.c
1/* IKEv2 Traffic Selectors, for libreswan
*
* Copyright (C) 2007-2008 Michael Richardson <mcr@xelerance.com>
* Copyright (C) 2009-2010 Paul Wouters <paul@xelerance.com>
* Copyright (C) 2010 Tuomo Soini <tis@foobar.fi>
* Copyright (C) 2011-2012 Avesh Agarwal <avagarwa@redhat.com>
* Copyright (C) 2012-2018 Paul Wouters <pwouters@redhat.com>
* Copyright (C) 2012,2016-2017 Antony Antony <appu@phenome.org>
* Copyright (C) 2013 D. Hugh Redelmeier <hugh@mimosa.com>
* Copyright (C) 2014-2015, 2018 Andrew cagney <cagney@gnu.org>
* Copyright (C) 2017 Antony Antony <antony@phenome.org>
* Copyright (C) 2019 Andrew Cagney <cagney@gnu.org>
* Copyright (C) 2021 Paul Wouters <paul.wouters@aiven.io>
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version.  See <https://www.gnu.org/licenses/gpl2.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
* for more details.
*
*/

27#include "defs.h"

29#include "log.h"
30#include "ikev2_ts.h"
31#include "connections.h"	/* for struct end */
32#include "demux.h"
33#include "virtual_ip.h"
34#include "host_pair.h"
35#include "ip_info.h"
36#include "ip_selector.h"
37#include "labeled_ipsec.h"
38#include "ip_range.h"
39#include "iface.h"
40#include "pending.h"		/* for connection_is_pending() */
41#include "state_db.h"		/* for FOR_EACH_STATE_NEW2OLD() */

43/*
* While the RFC seems to suggest that the traffic selectors come in
* pairs, strongswan, at least, doesn't.
*/

48struct traffic_selectors {
const char *name;
bool_Bool contains_sec_label;
unsigned nr;
/* ??? is 16 an undocumented limit - IKEv2 has no limit */
struct traffic_selector ts[16];
54};

56struct traffic_selector_payloads {
struct traffic_selectors i;
struct traffic_selectors r;
59};

61static const struct traffic_selector_payloads empty_traffic_selectors = {
.i = {
.name = "TSi",
},
.r = {
.name = "TSr",
},
68};

70struct ends {
const struct end *i;
const struct end *r;
73};

75enum fit {
END_EQUALS_TS = 1,
END_NARROWER_THAN_TS,
END_WIDER_THAN_TS,
79};


82static const char *fit_string(enum fit fit)
83{
switch (fit) {
case END_EQUALS_TS: return "==";
case END_NARROWER_THAN_TS: return "<=";
case END_WIDER_THAN_TS: return ">=";
default: bad_case(fit)libreswan_bad_case("fit", (fit), ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 88, }; &here; }));
}
90}

92void dbg_v2_ts(const struct traffic_selector *ts, const char *prefix, ...)
93{
if (DBGP(DBG_BASE)(cur_debugging & (((lset_t)1 << (DBG_BASE_IX))))) {
va_list ap;
va_start(ap, prefix)__builtin_va_start(ap, prefix);
DBG_va_list(prefix, ap);
va_end(ap)__builtin_va_end(ap);
DBG_log("  ts_type: %s", enum_name(&ikev2_ts_type_names, ts->ts_type));
DBG_log("  ipprotoid: %d", ts->ipprotoid);
DBG_log("  port range: %d-%d", ts->startport, ts->endport);
range_buf b;
DBG_log("  ip range: %s", str_range(&ts->net, &b));
DBG_log("  sec_label: "PRI_SHUNK"%.*s", pri_shunk(ts->sec_label)((int) (ts->sec_label).len), (const char *) ((ts->sec_label
).ptr));
}
106}

108static void traffic_selector_to_end(const struct traffic_selector *ts, struct end *end,
		    const char *story)
110{
dbg_v2_ts(ts, "%s() %s", __func__, story);
ip_subnet subnet;
happy(range_to_subnet(ts->net, &subnet)){ err_t ugh = range_to_subnet(ts->net, &subnet); if (ugh
 != ((void*)0)) { llog_passert(&failsafe_logger, ({ static
 const struct where here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 113, }; &here; }), "%s", ugh); } };
const ip_protocol *protocol = protocol_by_ipproto(ts->ipprotoid);
/* XXX: check port range valid */
ip_port port = ip_hport(ts->startport);
end->client = selector_from_subnet_protocol_port(subnet, protocol, port);
/* redundant */
end->port = ts->startport;
end->protocol = ts->ipprotoid;
end->has_client = !selector_eq_address(end->client, end->host_addr);
122}

124/* rewrite me with address_as_{chunk,shunk}()? */
125/* For now, note the struct traffic_selector can contain
* two selectors - an IPvX range and a sec_label
*/
128struct traffic_selector traffic_selector_from_end(const struct end *e, const char *what)
129{
struct traffic_selector ts = {
/*
 * Setting ts_type IKEv2_TS_FC_ADDR_RANGE (RFC-4595)
 * not yet supported.
 */
.ts_type = selector_type(&e->client)->ikev2_ts_addr_range_type,
/* subnet => range */
.net = selector_range(e->client),
.ipprotoid = e->protocol,
/*
 * Use the 'instance/narrowed' label from the ACQUIRE
 * and stored in the connection instance's sends, if
 * present.
 */
.sec_label = HUNK_AS_SHUNK(e->sec_label)({ typeof(e->sec_label) h_ = (e->sec_label); shunk2(h_.
ptr, h_.len); }),
};

/*
* if port is %any or 0 we mean all ports (or all
* iccmp/icmpv6).
*
* See RFC-5996 Section 3.13.1 handling for ICMP(1) and
* ICMPv6(58) we only support providing Type, not Code, eg
* protoport=1/1
*/
if (e->port == 0 || e->has_port_wildcard) {
ts.startport = 0;
ts.endport = 65535;
} else {
ts.startport = e->port;
ts.endport = e->port;
}

dbg_v2_ts(&ts, "%s TS", what);
return ts;
165}

167/*
* A struct end is converted to a struct traffic_selector.
*
* This (currently) can contain both an IP range AND a SEC_LABEL,
* which will get output here as two Traffic Selectors. The label is
* optional, the IP range is mandatory.
*/
174static stf_status emit_v2TS(struct pbs_outpacket_byte_stream *outpbs,
	    const struct_desc *ts_desc,
	    const struct traffic_selector *ts)
177{
struct pbs_outpacket_byte_stream ts_pbs;
bool_Bool with_label = (ts->sec_label.len > 0);

if (ts->ts_type != IKEv2_TS_IPV4_ADDR_RANGE &&
   ts->ts_type != IKEv2_TS_IPV6_ADDR_RANGE) {
return STF_INTERNAL_ERROR;
}

{
struct ikev2_ts its = {
	.isat_critical = ISAKMP_PAYLOAD_NONCRITICAL0x00,
	/*
	 * If there is a security label in the Traffic
	 * Selector, then we must send a TS_SECLABEL
	 * substructure as part of the Traffic
	 * Selector (TS) Payload.
	 *
	 * That means the TS Payload contains two TS
	 * substructures:
	 *  - One for the address/port range
	 *  - One for the TS_SECLABEL
	 */
	.isat_num = with_label ? 2 : 1,
};

if (!out_struct(&its, ts_desc, outpbs, &ts_pbs))
	return STF_INTERNAL_ERROR;
}

{
pb_stream ts_range_pbs;
struct ikev2_ts_header ts_header = {
	.isath_ipprotoid = ts->ipprotoid
};

switch (ts->ts_type) {
case IKEv2_TS_IPV4_ADDR_RANGE:
	ts_header.isath_type = IKEv2_TS_IPV4_ADDR_RANGE;
	break;
case IKEv2_TS_IPV6_ADDR_RANGE:
	ts_header.isath_type = IKEv2_TS_IPV6_ADDR_RANGE;
	break;
}

if (!out_struct(&ts_header, &ikev2_ts_header_desc, &ts_pbs, &ts_range_pbs))
	return STF_INTERNAL_ERROR;


struct ikev2_ts_portrange ts_ports = {
	.isatpr_startport = ts->startport,
	.isatpr_endport = ts->endport
};

if (!out_struct(&ts_ports, &ikev2_ts_portrange_desc, &ts_range_pbs, NULL((void*)0)))
	return STF_INTERNAL_ERROR;

diag_t d;
d = pbs_out_address(&ts_range_pbs, range_start(ts->net), "IP start");
if (d != NULL((void*)0)) {
	llog_diag(RC_LOG_SERIOUS, outpbs->outs_logger, &d, "%s", "");
	return STF_INTERNAL_ERROR;
}
d = pbs_out_address(&ts_range_pbs, range_end(ts->net), "IP end");
if (d != NULL((void*)0)) {
	llog_diag(RC_LOG_SERIOUS, outpbs->outs_logger, &d, "%s", "");
	return STF_INTERNAL_ERROR;
}
close_output_pbs(&ts_range_pbs);
}

/*
* Emit the security label, if known.
*/
if (with_label) {

struct ikev2_ts_header ts_header = {
	.isath_type = IKEv2_TS_SECLABEL,
	.isath_ipprotoid = 0 /* really RESERVED, not iprotoid */
};
/* Output the header of the TS_SECLABEL substructure payload. */
struct pbs_outpacket_byte_stream ts_label_pbs;
if (!out_struct(&ts_header, &ikev2_ts_header_desc, &ts_pbs, &ts_label_pbs)) {
	return STF_INTERNAL_ERROR;
}

/*
 * Output the security label value of the TS_SECLABEL
 * substructure payload.
 *
 * If we got ACQUIRE, or received a subset TS_LABEL,
 * use that one - it is subset of connection policy
 * one
 */

dbg("emitting sec_label="PRI_SHUNK, pri_shunk(ts->sec_label)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("emitting sec_label=""%.*s", ((int) (ts->sec_label
).len), (const char *) ((ts->sec_label).ptr)); } };

diag_t d = pbs_out_hunk(&ts_label_pbs, ts->sec_label, "output Security label")({ typeof(ts->sec_label) hunk_ = ts->sec_label; struct packet_byte_stream
 *outs_ = &ts_label_pbs; pbs_out_raw(outs_, hunk_.ptr, hunk_
.len, ("output Security label")); });
if (d != NULL((void*)0)) {
	llog_diag(RC_LOG_SERIOUS, outpbs->outs_logger, &d, "%s", "");
	return STF_INTERNAL_ERROR;
}

close_output_pbs(&ts_label_pbs);
}

close_output_pbs(&ts_pbs);
return STF_OK;
285}

287static struct traffic_selector impair_ts_to_subnet(const struct traffic_selector ts)
288{
struct traffic_selector ts_ret = ts;

ts_ret.net.end = ts_ret.net.start;
ts_ret.net.is_subnet = true1;

return ts_ret;
295}


298static struct traffic_selector impair_ts_to_supernet(const struct traffic_selector ts)
299{
struct traffic_selector ts_ret = ts;

if (ts_ret.ts_type == IKEv2_TS_IPV4_ADDR_RANGE)
ts_ret.net = range_from_subnet(ipv4_info.subnet.all);
else if (ts_ret.ts_type == IKEv2_TS_IPV6_ADDR_RANGE)
ts_ret.net = range_from_subnet(ipv6_info.subnet.all);

ts_ret.net.is_subnet = true1;

ts_ret.sec_label = ts.sec_label;

return ts_ret;
312}

314stf_status emit_v2TS_payloads(struct pbs_outpacket_byte_stream *outpbs, const struct child_sa *child)
315{
stf_status ret;
struct traffic_selector ts_i, ts_r;

switch (child->sa.st_sa_role) {
case SA_INITIATOR:
ts_i = traffic_selector_from_end(&child->sa.st_connection->spd.this, "this TSi");
ts_r = traffic_selector_from_end(&child->sa.st_connection->spd.that, "that TSr");
if (child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I0 &&
    impair.rekey_initiate_supernet) {
	ts_i = ts_r = impair_ts_to_supernet(ts_i);
	range_buf tsi_buf;
	range_buf tsr_buf;
	dbg("rekey-initiate-supernet TSi and TSr set to %s %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-supernet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } }
			str_range(&ts_i.net, &tsi_buf),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-supernet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } }
			str_range(&ts_r.net, &tsr_buf)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-supernet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } };

} else if (child->sa.st_state->kind == STATE_V2_REKEY_CHILD_I0 &&
	   impair.rekey_initiate_subnet) {
	ts_i = impair_ts_to_subnet(ts_i);
	ts_r = impair_ts_to_subnet(ts_r);
	range_buf tsi_buf;
	range_buf tsr_buf;
	dbg("rekey-initiate-subnet TSi and TSr set to %s %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-subnet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } }
			str_range(&ts_i.net, &tsi_buf),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-subnet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } }
			str_range(&ts_r.net, &tsr_buf)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-initiate-subnet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } };

}

break;
case SA_RESPONDER:
ts_i = traffic_selector_from_end(&child->sa.st_connection->spd.that, "that TSi");
ts_r = traffic_selector_from_end(&child->sa.st_connection->spd.this, "this TSr");
if (child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0 &&
    impair.rekey_respond_subnet) {
	ts_i = impair_ts_to_subnet(ts_i);
	ts_r = impair_ts_to_subnet(ts_r);
	range_buf tsi_buf;
	range_buf tsr_buf;
	dbg("rekey-respond-subnet TSi and TSr set to %s %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-subnet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } }
			str_range(&ts_i.net, &tsi_buf),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-subnet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } }
			str_range(&ts_r.net, &tsr_buf)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-subnet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } };
}
if (child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0 &&
		impair.rekey_respond_supernet) {
	ts_i = ts_r = impair_ts_to_supernet(ts_i);
	range_buf tsi_buf;
	range_buf tsr_buf;
	dbg("rekey-respond-supernet TSi and TSr set to %s %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-supernet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } }
			str_range(&ts_i.net, &tsi_buf),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-supernet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } }
			str_range(&ts_r.net, &tsr_buf)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("rekey-respond-supernet TSi and TSr set to %s %s"
, str_range(&ts_i.net, &tsi_buf), str_range(&ts_r
.net, &tsr_buf)); } };
}
break;
default:
bad_case(child->sa.st_sa_role)libreswan_bad_case("child->sa.st_sa_role", (child->sa.st_sa_role
), ({ static const struct where here = { .func = __func__, .file
 = "programs/pluto/ikev2_ts.c", .line = 369, }; &here; })
);
}

ret = emit_v2TS(outpbs, &ikev2_ts_i_desc, &ts_i);
if (ret != STF_OK)
return ret;

ret = emit_v2TS(outpbs, &ikev2_ts_r_desc, &ts_r);
if (ret != STF_OK)
return ret;

return STF_OK;
381}

383/* return success */
384static bool_Bool v2_parse_tss(struct payload_digest *const ts_pd,
	 struct traffic_selectors *tss,
	 struct logger *logger)
387{
dbg("%s: parsing %u traffic selectors",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("%s: parsing %u traffic selectors", tss->name
, ts_pd->payload.v2ts.isat_num); } }
   tss->name, ts_pd->payload.v2ts.isat_num){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("%s: parsing %u traffic selectors", tss->name
, ts_pd->payload.v2ts.isat_num); } };

if (ts_pd->payload.v2ts.isat_num == 0) {
llog(RC_LOG, logger,
     "%s payload contains no entries when at least one is expected",
     tss->name);
return false0;
}

if (ts_pd->payload.v2ts.isat_num >= elemsof(tss->ts)(sizeof(tss->ts) / sizeof(*(tss->ts)))) {
llog(RC_LOG, logger,
     "%s contains %d entries which exceeds hardwired max of %zu",
     tss->name, ts_pd->payload.v2ts.isat_num, elemsof(tss->ts)(sizeof(tss->ts) / sizeof(*(tss->ts))));
return false0;	/* won't fit in array */
}

for (tss->nr = 0; tss->nr < ts_pd->payload.v2ts.isat_num; ) {
diag_t d;
struct traffic_selector *ts = &tss->ts[tss->nr];

*ts = (struct traffic_selector){0};

struct ikev2_ts_header ts_h;
struct pbs_inpacket_byte_stream ts_body_pbs;

d = pbs_in_struct(&ts_pd->pbs, &ikev2_ts_header_desc,
	  &ts_h, sizeof(ts_h), &ts_body_pbs);

switch (ts_h.isath_type) {
case IKEv2_TS_IPV4_ADDR_RANGE:
case IKEv2_TS_IPV6_ADDR_RANGE:
{
	ts->ipprotoid = ts_h.isath_ipprotoid;

	/* read and fill in port range */
	struct ikev2_ts_portrange pr;

	d = pbs_in_struct(&ts_body_pbs, &ikev2_ts_portrange_desc,
		  &pr, sizeof(pr), NULL((void*)0));
	if (d != NULL((void*)0)) {
		llog_diag(RC_LOG, logger, &d, "%s", "");
		return false0;
	}

	ts->startport = pr.isatpr_startport;
	ts->endport = pr.isatpr_endport;

	if (ts->startport > ts->endport) {
		llog(RC_LOG, logger,
		     "%s traffic selector %d has an invalid port range - ignored",
		     tss->name, tss->nr);
		continue;
	}

	/* read and fill in IP address range */
	const struct ip_info *ipv;
	switch (ts_h.isath_type) {
	case IKEv2_TS_IPV4_ADDR_RANGE:
		ipv = &ipv4_info;
		break;
	case IKEv2_TS_IPV6_ADDR_RANGE:
		ipv = &ipv6_info;
		break;
	default:
		bad_case(ts_h.isath_type)libreswan_bad_case("ts_h.isath_type", (ts_h.isath_type), ({ static
 const struct where here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 453, }; &here; })); /* make compiler happy */
	}

	ip_address start;
	d = pbs_in_address(&ts_body_pbs, &start, ipv, "TS IP start");
	if (d != NULL((void*)0)) {
		llog_diag(RC_LOG, logger, &d, "%s", "");
		return false0;
	}

	ip_address end;
	d = pbs_in_address(&ts_body_pbs, &end, ipv, "TS IP end");
	if (d != NULL((void*)0)) {
		llog_diag(RC_LOG, logger, &d, "%s", "");
		return false0;
	}

	/* XXX: does this matter? */
	if (pbs_left(&ts_body_pbs)((size_t)((&ts_body_pbs)->roof - (&ts_body_pbs)->
cur)) != 0)
		return false0;

	err_t err = addresses_to_nonzero_range(start, end, &ts->net);

	/* pluto doesn't yet do full ranges; check for subnet */
	ip_subnet ignore;
	err = err == NULL((void*)0) ? range_to_subnet(ts->net, &ignore) : err;

	if (err != NULL((void*)0)) {
		address_buf sb, eb;
		llog(RC_LOG, logger, "Traffic Selector range %s-%s invalid: %s",
		     str_address_sensitive(&start, &sb),
		     str_address_sensitive(&end, &eb),
		     err);
		return false0;
	}

	ts->ts_type = ts_h.isath_type;
	break;
}

case IKEv2_TS_SECLABEL:
{
	if (ts_h.isath_ipprotoid != 0) {
		llog(RC_LOG, logger, "Traffic Selector of type Security Label should not have non-zero IP protocol '%u' - ignored",
			ts_h.isath_ipprotoid);
	}

	shunk_t sec_label = pbs_in_left_as_shunk(&ts_body_pbs);
	err_t ugh = vet_seclabel(sec_label);
	if (ugh != NULL((void*)0)) {
		llog(RC_LOG, logger, "Traffic Selector %s", ugh);
		/* ??? should we just ignore?  If so, use continue */
		return false0;
	}

	ts->sec_label = sec_label;
	ts->ts_type = ts_h.isath_type;
	tss->contains_sec_label = true1;
	break;
}

case IKEv2_TS_FC_ADDR_RANGE:
	llog(RC_LOG, logger, "Encountered Traffic Selector Type FC_ADDR_RANGE not supported");
	return false0;

default:
	llog(RC_LOG, logger, "Encountered Traffic Selector of unknown Type");
	return false0;
}
tss->nr++;
}

dbg("%s: parsed %d traffic selectors", tss->name, tss->nr){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("%s: parsed %d traffic selectors", tss->name
, tss->nr); } };
return true1;
527}

529static bool_Bool v2_parse_tsp(const struct msg_digest *md,
	 struct traffic_selector_payloads *tsp,
	 struct logger *logger)
532{
if (!v2_parse_tss(md->chain[ISAKMP_NEXT_v2TSi], &tsp->i, logger)) {
6
←
Assuming the condition is false→
7
←
Taking false branch→
return false0;
}

if (!v2_parse_tss(md->chain[ISAKMP_NEXT_v2TSr], &tsp->r, logger)) {
8
←
Assuming the condition is false→
9
←
Taking false branch→
return false0;
}

return true1;
10
←
Returning the value 1, which participates in a condition later→
542}

544#define MATCH_PREFIX"        " "        "

546/*
* Check if our policy's protocol (proto) matches the Traffic Selector
* protocol (ts_proto).
*/

551static int narrow_protocol(const struct end *end,
	   const struct traffic_selectors *tss,
	   enum fit fit, unsigned index)
554{
const struct traffic_selector *ts = &tss->ts[index];
int protocol = -1;

switch (fit) {
case END_EQUALS_TS:
if (end->protocol == ts->ipprotoid) {
	protocol = end->protocol;
}
break;
case END_NARROWER_THAN_TS:
if (ts->ipprotoid == 0 /* wild-card */ ||
    ts->ipprotoid == end->protocol) {
	protocol = end->protocol;
}
break;
case END_WIDER_THAN_TS:
if (end->protocol == 0 /* wild-card */ ||
    end->protocol == ts->ipprotoid) {
	protocol = ts->ipprotoid;
}
break;
default:
bad_case(fit)libreswan_bad_case("fit", (fit), ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 577, }; &here; }));
}
dbg(MATCH_PREFIX "narrow protocol end=%s%d %s %s[%u]=%s%d: %d",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), tss->name, index, ts->ipprotoid == 0 ? "*" : "",
 ts->ipprotoid, protocol); } }
   end->protocol == 0 ? "*" : "", end->protocol,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), tss->name, index, ts->ipprotoid == 0 ? "*" : "",
 ts->ipprotoid, protocol); } }
   fit_string(fit),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), tss->name, index, ts->ipprotoid == 0 ? "*" : "",
 ts->ipprotoid, protocol); } }
   tss->name, index, ts->ipprotoid == 0 ? "*" : "", ts->ipprotoid,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), tss->name, index, ts->ipprotoid == 0 ? "*" : "",
 ts->ipprotoid, protocol); } }
   protocol){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow protocol end=%s%d %s %s[%u]=%s%d: %d"
, end->protocol == 0 ? "*" : "", end->protocol, fit_string
(fit), tss->name, index, ts->ipprotoid == 0 ? "*" : "",
 ts->ipprotoid, protocol); } };
return protocol;
585}

587static int score_narrow_protocol(const struct end *end,
		 const struct traffic_selectors *tss,
		 enum fit fit, unsigned index)
590{
int f;	/* strength of match */

int protocol = narrow_protocol(end, tss, fit, index);
if (protocol == 0) {
f = 255;	/* ??? odd value */
} else if (protocol > 0) {
f = 1;
} else {
f = 0;
}
LSWDBGP(DBG_BASE, buf)for (_Bool lswlog_p = (cur_debugging & (((lset_t)1 <<
 (DBG_BASE_IX)))); lswlog_p; lswlog_p = 0) for (char lswbuf[(
(size_t)1024)], *lswbuf_ = lswbuf; lswbuf_ != ((void*)0); lswbuf_
 = ((void*)0)) for (struct jambuf jambuf = array_as_jambuf((lswbuf
), sizeof(lswbuf)), *buf = &jambuf; buf != ((void*)0); buf
 = ((void*)0)) for (; buf != ((void*)0); jambuf_to_logger(buf
, &failsafe_logger, DEBUG_STREAM), buf = ((void*)0)) {
const struct traffic_selector *ts = &tss->ts[index];
jam(buf, MATCH_PREFIX"        " "match end->protocol=%s%d %s %s[%u].ipprotoid=%s%d: ",
	end->protocol == 0 ? "*" : "", end->protocol,
	fit_string(fit),
	tss->name, index, ts->ipprotoid == 0 ? "*" : "", ts->ipprotoid);
if (f > 0) {
	jam(buf, "YES fitness %d", f);
} else {
	jam(buf, "NO");
}
}
return f;
614}

616/*
* Narrow the END/TS ports according to FIT.
*
* Returns 0 (all ports), a specific port number, or -1 (no luck).
*
* Since 'struct end' only describes all-ports or a single port; only
* narrow to that.
*/

625static int narrow_port(const struct end *end,
       const struct traffic_selectors *tss,
       enum fit fit, unsigned index)
628{
passert(index < tss->nr)({ _Bool assertion__ = index < tss->nr; if (!assertion__
) { where_t here = ({ static const struct where here = { .func
 = __func__, .file = "programs/pluto/ikev2_ts.c", .line = 629
, }; &here; }); const struct logger *logger_ = &failsafe_logger
; llog_passert(logger_, here, "%s", "index < tss->nr");
 } (void) 1; });
const struct traffic_selector *ts = &tss->ts[index];

int end_low = end->port;
int end_high = end->port == 0 ? 65535 : end->port;
int port = -1;

switch (fit) {
case END_EQUALS_TS:
if (end_low == ts->startport && ts->endport == end_high) {
	/* end=ts=0-65535 || end=ts=N-N */
	port = end_low;
}
break;
case END_NARROWER_THAN_TS:
if (ts->startport <= end_low && end_high <= ts->endport) {
	/* end=ts=0-65535 || ts=N<=end<=M */
	port = end_low;
}
break;
case END_WIDER_THAN_TS:
if (end_low < ts->startport && ts->endport < end_high &&
    ts->startport == ts->endport) {
	/*ts=0<N-N<65535*/
	port = ts->startport;
} else if (end_low == ts->startport && ts->endport == end_high) {
	/* end=ts=0-65535 || end=ts=N-N */
	port = ts->startport;
}
break;
default:
bad_case(fit)libreswan_bad_case("fit", (fit), ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 660, }; &here; }));
}
dbg(MATCH_PREFIX "narrow port end=%u..%u %s %s[%u]=%u..%u: %d",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), tss->name, index, ts
->startport, ts->endport, port); } }
   end_low, end_high,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), tss->name, index, ts
->startport, ts->endport, port); } }
   fit_string(fit),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), tss->name, index, ts
->startport, ts->endport, port); } }
   tss->name, index, ts->startport, ts->endport,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), tss->name, index, ts
->startport, ts->endport, port); } }
   port){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "narrow port end=%u..%u %s %s[%u]=%u..%u: %d"
, end_low, end_high, fit_string(fit), tss->name, index, ts
->startport, ts->endport, port); } };
return port;
668}

670/*
* Assign a score to the narrowed port, rationale for score lost in
* time?
*/

675static int score_narrow_port(const struct end *end,
	     const struct traffic_selectors *tss,
	     enum fit fit, unsigned index)
678{
int f;	/* strength of match */

int port = narrow_port(end, tss, fit, index);
if (port > 0) {
f = 1;
} else if (port == 0) {
f = 65536; /* from 1 + 65535-0 */
} else {
f = 0;
}
if (f > 0) {
dbg(MATCH_PREFIX "  %s[%u] port match: YES fitness %d",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "  %s[%u] port match: YES fitness %d"
, tss->name, index, f); } }
    tss->name, index, f){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "  %s[%u] port match: YES fitness %d"
, tss->name, index, f); } };
} else {
dbg(MATCH_PREFIX "  %s[%u] port match: NO",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "  %s[%u] port match: NO", tss->
name, index); } }
    tss->name, index){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("        " "  %s[%u] port match: NO", tss->
name, index); } };
}
return f;
697}


700/*
* Does TS fit inside of END?
*
* Given other code flips the comparison depending initiator or
* responder, is this right?
*
* NOTE: Our parser/config only allows 1 CIDR, however IKEv2 ranges
*       can be non-CIDR for now we really support/limit ourselves to
*       a single CIDR
*/

711static int score_address_range(const struct end *end,
	       const struct traffic_selectors *tss,
	       enum fit fit, unsigned index)
714{
const struct traffic_selector *ts = &tss->ts[index];
/*
* Pre-compute possible fit --- sum of bits gives how good a
* fit this is.
*/
int ts_range = range_host_bits(ts->net);
int maskbits = end->client.maskbits;
int fitbits = maskbits + ts_range;

int f = 0;

/*
* NOTE: Our parser/config only allows 1 CIDR, however IKEv2
*       ranges can be non-CIDR for now we really
*       support/limit ourselves to a single CIDR
*
* XXX: so what is CIDR?
*/
ip_range range = selector_range(end->client);
switch (fit) {
case END_EQUALS_TS:
if (range_eq_range(range, ts->net)) {
	f = fitbits;
}
break;
case END_NARROWER_THAN_TS:
if (range_in_range(range, ts->net)) {
	f = fitbits;
}
break;
case END_WIDER_THAN_TS:
if (range_in_range(ts->net, range)) {
	f = fitbits;
}
break;
default:
bad_case(fit)libreswan_bad_case("fit", (fit), ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 751, }; &here; }));
}

/*
* comparing for ports for finding better local policy
*
* XXX: why do this?
*/
/* ??? arbitrary modification to objective function */
if (end->port != 0 &&
   ts->startport == end->port &&
   ts->endport == end->port)
f = f << 1;

LSWDBGP(DBG_BASE, buf)for (_Bool lswlog_p = (cur_debugging & (((lset_t)1 <<
 (DBG_BASE_IX)))); lswlog_p; lswlog_p = 0) for (char lswbuf[(
(size_t)1024)], *lswbuf_ = lswbuf; lswbuf_ != ((void*)0); lswbuf_
 = ((void*)0)) for (struct jambuf jambuf = array_as_jambuf((lswbuf
), sizeof(lswbuf)), *buf = &jambuf; buf != ((void*)0); buf
 = ((void*)0)) for (; buf != ((void*)0); jambuf_to_logger(buf
, &failsafe_logger, DEBUG_STREAM), buf = ((void*)0)) {
   jam(buf, MATCH_PREFIX"        " "match address end->client=");
   jam_selector(buf, &end->client);
   jam(buf, " %s %s[%u]net=", fit_string(fit), tss->name, index);
   jam_range(buf, &ts->net);
   jam(buf, ": ");
   if (f > 0) {
jam(buf, "YES fitness %d", f);
   } else {
jam(buf, "NO");
   }
}
return f;
778}

780struct score {
bool_Bool ok;
int address;
int port;
int protocol;
785};

787static struct score score_end(const struct end *end,
	      const struct traffic_selectors *tss,
	      enum fit fit, unsigned index)
790{
const struct traffic_selector *ts = &tss->ts[index];

LSWDBGP(DBG_BASE, buf)for (_Bool lswlog_p = (cur_debugging & (((lset_t)1 <<
 (DBG_BASE_IX)))); lswlog_p; lswlog_p = 0) for (char lswbuf[(
(size_t)1024)], *lswbuf_ = lswbuf; lswbuf_ != ((void*)0); lswbuf_
 = ((void*)0)) for (struct jambuf jambuf = array_as_jambuf((lswbuf
), sizeof(lswbuf)), *buf = &jambuf; buf != ((void*)0); buf
 = ((void*)0)) for (; buf != ((void*)0); jambuf_to_logger(buf
, &failsafe_logger, DEBUG_STREAM), buf = ((void*)0)) {
jam(buf, "    %s[%u]", tss->name, index);
if (ts->sec_label.len > 0) {
	jam(buf, " sec_label=");
	jam_sanitized_hunk(buf, ts->sec_label)({ typeof(ts->sec_label) hunk_ = (ts->sec_label); jam_sanitized_bytes
(buf, hunk_.ptr, hunk_.len); });
} else {
	range_buf ts_net;
	jam(buf, " net=%s iporotoid=%d {start,end}port=%d..%d",
	    str_range(&ts->net, &ts_net),
	    ts->ipprotoid,
	    ts->startport,
	    ts->endport);
}
}

struct score score = {
.ok = false0,
};

switch(ts->ts_type) {
case IKEv2_TS_IPV4_ADDR_RANGE:
case IKEv2_TS_IPV6_ADDR_RANGE:
score.address = score_address_range(end, tss, fit, index);
if (score.address <= 0) {
	return score;
}
score.port = score_narrow_port(end, tss, fit, index);
if (score.port <= 0) {
	return score;
}
score.protocol = score_narrow_protocol(end, tss, fit, index);
if (score.protocol <= 0) {
	return score;
}
score.ok = true1;
return score;
case IKEv2_TS_SECLABEL:
default:
return score;
}
833}

835struct best_score {
bool_Bool ok;
int address;
int port;
int protocol;
const struct traffic_selector *tsi;
const struct traffic_selector *tsr;
842};
843#define  NO_SCORE{ .ok = 0, .address = -1, .port = -1, .protocol = -1, } { .ok = false0, .address = -1, .port = -1, .protocol = -1, }

845static bool_Bool score_gt(const struct best_score *score, const struct best_score *best)
846{
return (score->address > best->address ||
(score->address == best->address &&
 score->port > best->port) ||
(score->address == best->address &&
 score->port == best->port &&
 score->protocol > best->protocol));
853}

855/*
* Return true for sec_label expected and good XOR not expected and
* not present.
*
* Return false when required sec_label is missing or bad; or
* sec_label encountered when it wasn't expected.
*
* The code calls sec_label_within_range() to check that the "source
* context has the access permission for the specified class on the
* "target context" (see selinux_check_access()):
*
* - for the initiator searching for a matching template connection to
*   instantiate, the "source context" is the sec_label from acquire,
*   and the "target context" is the sec_label in the template
*   connection.
*
* - for the responder searching for a template connection to match
*   the on-wire TS, the "source context" is the sec_label included in
*   the traffic selector, and the "target context" is (again) the
*   sec_label in the template connection.
*
* However, when the initiator gets back the responder's accepted TS
* containing a sec_label, the initiator only checks it is identical
* to what was sent out in the initiator's TS:
*
* - the RFC makes vague references to narrowing; but what that means
*   for sec_labels isn't clear
*
* - one interpretation, that the responder's "source context" has
*   "access permission" for the initiator's "source context" seems to
*   always fail when enforcing is enabled (suspect
*   selinux_check_access() requires a "ptarget context").
*/

889static bool_Bool check_tss_sec_label(const struct traffic_selectors *tss,
		chunk_t config_sec_label,
		shunk_t *selected_sec_label,
		struct logger *logger)
893{
passert(tss->contains_sec_label)({ _Bool assertion__ = tss->contains_sec_label; if (!assertion__
) { where_t here = ({ static const struct where here = { .func
 = __func__, .file = "programs/pluto/ikev2_ts.c", .line = 894
, }; &here; }); const struct logger *logger_ = &failsafe_logger
; llog_passert(logger_, here, "%s", "tss->contains_sec_label"
); } (void) 1; });

*selected_sec_label = null_shunk;
for (unsigned i = 0; i < tss->nr; i++) {
const struct traffic_selector *ts = &tss->ts[i];
if (ts->ts_type != IKEv2_TS_SECLABEL) {
	continue;
}

passert(vet_seclabel(ts->sec_label) == NULL)({ _Bool assertion__ = vet_seclabel(ts->sec_label) == ((void
*)0); if (!assertion__) { where_t here = ({ static const struct
 where here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 903, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_passert(logger_, here, "%s", "vet_seclabel(ts->sec_label) == ((void*)0)"
); } (void) 1; });

if (!sec_label_within_range(ts->sec_label, config_sec_label, logger)) {
	dbg("ikev2ts: %s sec_label="PRI_SHUNK" is not within range connection sec_label="PRI_SHUNK,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("ikev2ts: %s sec_label=""%.*s"" is not within range connection sec_label="
"%.*s", tss->name, ((int) (ts->sec_label).len), (const char
 *) ((ts->sec_label).ptr), ((int) (config_sec_label).len),
 (const char *) ((config_sec_label).ptr)); } }
	    tss->name, pri_shunk(ts->sec_label), pri_shunk(config_sec_label)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("ikev2ts: %s sec_label=""%.*s"" is not within range connection sec_label="
"%.*s", tss->name, ((int) (ts->sec_label).len), (const char
 *) ((ts->sec_label).ptr), ((int) (config_sec_label).len),
 (const char *) ((config_sec_label).ptr)); } };
	continue;
}

dbg("ikev2ts: received %s label within range of our security label",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("ikev2ts: received %s label within range of our security label"
, tss->name); } }
    tss->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("ikev2ts: received %s label within range of our security label"
, tss->name); } };

/* XXX we return the first match.  Should we return the best? */
*selected_sec_label = ts->sec_label;	/* first match */
return true1;
}

return false0;
920}

922static bool_Bool score_tsp_sec_label(const struct traffic_selector_payloads *tsp,
		chunk_t config_sec_label,
		shunk_t *selected_sec_label,
		struct logger *logger)
926{
if (config_sec_label.len == 0) {
/* This endpoint is not configured to use labeled IPsec. */
if (tsp->i.contains_sec_label || tsp->r.contains_sec_label) {
	dbg("error: received sec_label but this end is *not* configured to use sec_label"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("error: received sec_label but this end is *not* configured to use sec_label"
); } };
	return false0;
}
/* No sec_label was found and none was expected */
return true1;	/* success: no label, as expected */
}

/* This endpoint is configured to use labeled IPsec. */
passert(vet_seclabel(HUNK_AS_SHUNK(config_sec_label)) == NULL)({ _Bool assertion__ = vet_seclabel(({ typeof(config_sec_label
) h_ = (config_sec_label); shunk2(h_.ptr, h_.len); })) == ((void
*)0); if (!assertion__) { where_t here = ({ static const struct
 where here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 938, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_passert(logger_, here, "%s", "vet_seclabel(({ typeof(config_sec_label) h_ = (config_sec_label); shunk2(h_.ptr, h_.len); })) == ((void*)0)"
); } (void) 1; });

if (!tsp->i.contains_sec_label || !tsp->r.contains_sec_label) {
dbg("error: connection requires sec_label but not received TSi/TSr with sec_label"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("error: connection requires sec_label but not received TSi/TSr with sec_label"
); } };
return false0;
}

if (!check_tss_sec_label(&tsp->i, config_sec_label, selected_sec_label, logger) ||
   !check_tss_sec_label(&tsp->r, config_sec_label, selected_sec_label, logger)) {
return false0;
}

/* security label required and matched */
return true1;
952}

954static struct best_score score_ends_iprange(enum fit fit,
			    const struct connection *d,
			    const struct ends *ends,
			    const struct traffic_selector_payloads *tsp)
958{
if (DBGP(DBG_BASE)(cur_debugging & (((lset_t)1 << (DBG_BASE_IX))))) {
selector_buf ei3;
selector_buf er3;
connection_buf cib;
DBG_log("evaluating our conn="PRI_CONNECTION"\"%s\"%s"" I=%s:%d/%d R=%s:%d/%d%s to their:",
	pri_connection(d, &cib)(d)->name, str_connection_instance(d, &cib),
	str_selector(&ends->i->client, &ei3), ends->i->protocol, ends->i->port,
	str_selector(&ends->r->client, &er3), ends->r->protocol, ends->r->port,
	is_virtual_connection(d) ? " (virt)" : "");
}

struct best_score best_score = NO_SCORE{ .ok = 0, .address = -1, .port = -1, .protocol = -1, };

/* compare tsi/r array to this/that, evaluating how well it fits */
for (unsigned tsi_n = 0; tsi_n < tsp->i.nr; tsi_n++) {
const struct traffic_selector *tni = &tsp->i.ts[tsi_n];

/* choice hardwired for IPrange and sec_label */
struct score score_i = score_end(ends->i, &tsp->i, fit, tsi_n);
if (!score_i.ok) {
	continue;
}

for (unsigned tsr_n = 0; tsr_n < tsp->r.nr; tsr_n++) {
	const struct traffic_selector *tnr = &tsp->r.ts[tsr_n];

	struct score score_r = score_end(ends->r, &tsp->r, fit, tsr_n);
	if (!score_r.ok) {
		continue;
	}
	struct best_score score = {
		.ok = true1,
		/* ??? this objective function is odd and arbitrary */
		.address = (score_i.address << 8) + score_r.address,
		/* ??? arbitrary objective function */
		.port = score_i.port + score_r.port,
		/* ??? arbitrary objective function */
		.protocol = score_i.protocol + score_r.protocol,
		/* which one */
		.tsi = tni, .tsr = tnr,
	};

	/* score >= best_score? */
	if (score_gt(&score, &best_score)) {
		best_score = score;
		dbg("best fit so far: TSi[%d] TSr[%d]",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("best fit so far: TSi[%d] TSr[%d]", tsi_n, tsr_n
); } }
		    tsi_n, tsr_n){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("best fit so far: TSi[%d] TSr[%d]", tsi_n, tsr_n
); } };
	}
}
}

return best_score;
1011}

1013static bool_Bool v2_child_connection_probably_shared(struct child_sa *child)
1014{
struct connection *c = child->sa.st_connection;

if (connection_is_pending(c)) {
dbg("#%lu connection is also pending; but what about pending for this state???",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("#%lu connection is also pending; but what about pending for this state???"
, child->sa.st_serialno); } }
    child->sa.st_serialno){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("#%lu connection is also pending; but what about pending for this state???"
, child->sa.st_serialno); } };
return true1;
}

dbg("FOR_EACH_STATE_... in %s", __func__){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("FOR_EACH_STATE_... in %s", __func__); } };
struct ike_sa *ike = ike_sa(&child->sa, HERE({ static const struct where here = { .func = __func__, .file
 = "programs/pluto/ikev2_ts.c", .line = 1024, }; &here; }
));
struct state *st = NULL((void*)0);
FOR_EACH_STATE_NEW2OLD(st)for (struct list_entry *entry_ = (&state_serialno_list_head
)->head.older; entry_ != ((void*)0); entry_ = ((void*)0)) for
 (st = (typeof(st))entry_->data, entry_ = entry_->older
; st != ((void*)0); st = (typeof(st))entry_->data, entry_ =
 entry_->older) {
if (st->st_connection != c) {
	continue;
}
if (st == &child->sa) {
	dbg("ignoring ourselves #%lu sharing connection %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("ignoring ourselves #%lu sharing connection %s"
, st->st_serialno, c->name); } }
	    st->st_serialno, c->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("ignoring ourselves #%lu sharing connection %s"
, st->st_serialno, c->name); } };
	continue;
}
if (st == &ike->sa) {
	dbg("ignoring IKE SA #%lu sharing connection %s with #%lu",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("ignoring IKE SA #%lu sharing connection %s with #%lu"
, st->st_serialno, c->name, child->sa.st_serialno); }
 }
	    st->st_serialno, c->name, child->sa.st_serialno){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("ignoring IKE SA #%lu sharing connection %s with #%lu"
, st->st_serialno, c->name, child->sa.st_serialno); }
 };
	continue;
}
dbg("#%lu and #%lu share connection %s",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("#%lu and #%lu share connection %s", child->
sa.st_serialno, st->st_serialno, c->name); } }
    child->sa.st_serialno, st->st_serialno,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("#%lu and #%lu share connection %s", child->
sa.st_serialno, st->st_serialno, c->name); } }
    c->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("#%lu and #%lu share connection %s", child->
sa.st_serialno, st->st_serialno, c->name); } };
return true1;
}

return false0;
1047}

1049struct narrowed_ts {
bool_Bool ok;
int tsi_port;
int tsi_protocol;
int tsr_port;
int tsr_protocol;
1055};

1057static struct narrowed_ts narrow_request_ts(struct connection *c,
			    const struct traffic_selector_payloads *tsp,
			    enum fit fit)
1060{
struct narrowed_ts n = {
.ok = false0, /* until proven */
};

passert(tsp->i.nr >= 1)({ _Bool assertion__ = tsp->i.nr >= 1; if (!assertion__
) { where_t here = ({ static const struct where here = { .func
 = __func__, .file = "programs/pluto/ikev2_ts.c", .line = 1065
, }; &here; }); const struct logger *logger_ = &failsafe_logger
; llog_passert(logger_, here, "%s", "tsp->i.nr >= 1"); }
 (void) 1; });
n.tsi_port = narrow_port(&c->spd.that, &tsp->i, fit, 0);
if (n.tsi_port < 0) {
dbg("    skipping; TSi port too wide"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; TSi port too wide"); } };
return n;
}

n.tsi_protocol = narrow_protocol(&c->spd.that, &tsp->r, fit, 0);
if (n.tsi_protocol < 0) {
dbg("    skipping; TSi protocol too wide"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; TSi protocol too wide"); } };
return n;
}

passert(tsp->r.nr >= 1)({ _Bool assertion__ = tsp->r.nr >= 1; if (!assertion__
) { where_t here = ({ static const struct where here = { .func
 = __func__, .file = "programs/pluto/ikev2_ts.c", .line = 1078
, }; &here; }); const struct logger *logger_ = &failsafe_logger
; llog_passert(logger_, here, "%s", "tsp->r.nr >= 1"); }
 (void) 1; });
n.tsr_port = narrow_port(&c->spd.this, &tsp->r, fit, 0);
if (n.tsr_port < 0) {
dbg("    skipping; TSr port too wide"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; TSr port too wide"); } };
return n;
}

n.tsr_protocol = narrow_protocol(&c->spd.this, &tsp->r, fit, 0);
if (n.tsr_protocol < 0) {
dbg("    skipping; TSr protocol too wide"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; TSr protocol too wide"); } };
return n;
}

n.ok = true1;
return n;
1093}

1095static void scribble_request_ts_on_connection(struct child_sa *child,
			      struct connection *c,
			      struct narrowed_ts n)
1098{
if (c != child->sa.st_connection) {
connection_buf from, to;
dbg("  switching #%lu from "PRI_CONNECTION" to just-instantiated "PRI_CONNECTION,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  switching #%lu from ""\"%s\"%s"" to just-instantiated "
"\"%s\"%s", child->sa.st_serialno, (child->sa.st_connection
)->name, str_connection_instance(child->sa.st_connection
, &from), (c)->name, str_connection_instance(c, &to
)); } }
    child->sa.st_serialno,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  switching #%lu from ""\"%s\"%s"" to just-instantiated "
"\"%s\"%s", child->sa.st_serialno, (child->sa.st_connection
)->name, str_connection_instance(child->sa.st_connection
, &from), (c)->name, str_connection_instance(c, &to
)); } }
    pri_connection(child->sa.st_connection, &from),{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  switching #%lu from ""\"%s\"%s"" to just-instantiated "
"\"%s\"%s", child->sa.st_serialno, (child->sa.st_connection
)->name, str_connection_instance(child->sa.st_connection
, &from), (c)->name, str_connection_instance(c, &to
)); } }
    pri_connection(c, &to)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  switching #%lu from ""\"%s\"%s"" to just-instantiated "
"\"%s\"%s", child->sa.st_serialno, (child->sa.st_connection
)->name, str_connection_instance(child->sa.st_connection
, &from), (c)->name, str_connection_instance(c, &to
)); } };
} else {
connection_buf cib;
dbg("  overwrote #%lu connection "PRI_CONNECTION,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  overwrote #%lu connection ""\"%s\"%s", child
->sa.st_serialno, (c)->name, str_connection_instance(c,
 &cib)); } }
    child->sa.st_serialno, pri_connection(c, &cib)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  overwrote #%lu connection ""\"%s\"%s", child
->sa.st_serialno, (c)->name, str_connection_instance(c,
 &cib)); } };
}

/* "this" == responder; see function name */
c->spd.this.port = n.tsr_port;
c->spd.that.port = n.tsi_port;
c->spd.this.protocol = n.tsr_protocol;
c->spd.that.protocol = n.tsi_protocol;
/* hack */
dbg("XXX: updating best connection's ports/protocols"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("XXX: updating best connection's ports/protocols"
); } };
update_selector_hport(&c->spd.this.client, n.tsr_port){ (&c->spd.this.client)->hport = (n.tsr_port); };
update_selector_hport(&c->spd.that.client, n.tsi_port){ (&c->spd.that.client)->hport = (n.tsi_port); };
update_selector_ipproto(&c->spd.this.client, n.tsr_protocol){ (&c->spd.this.client)->ipproto = (n.tsr_protocol)
; };
update_selector_ipproto(&c->spd.that.client, n.tsi_protocol){ (&c->spd.that.client)->ipproto = (n.tsi_protocol)
; };
1122}

1124/*
* Find the best connection, possibly updating child.
*/
1127bool_Bool v2_process_request_ts_payloads(struct child_sa *child,
		    const struct msg_digest *md)
1129{
passert(v2_msg_role(md) == MESSAGE_REQUEST)({ _Bool assertion__ = v2_msg_role(md) == MESSAGE_REQUEST; if
 (!assertion__) { where_t here = ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1130, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_passert(logger_, here, "%s", "v2_msg_role(md) == MESSAGE_REQUEST"
); } (void) 1; });
1
Assuming the condition is true→
2
←
Taking false branch→
passert(child->sa.st_sa_role == SA_RESPONDER)({ _Bool assertion__ = child->sa.st_sa_role == SA_RESPONDER
; if (!assertion__) { where_t here = ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1131, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_passert(logger_, here, "%s", "child->sa.st_sa_role == SA_RESPONDER"
); } (void) 1; });
3
←
Assuming field 'st_sa_role' is equal to SA_RESPONDER→
4
←
Taking false branch→

struct traffic_selector_payloads tsp = empty_traffic_selectors;
if (!v2_parse_tsp(md, &tsp, child->sa.st_logger)) {
5
←
Calling 'v2_parse_tsp'→
11
←
Returning from 'v2_parse_tsp'→
12
←
Taking false branch→
return false0;
}

/* best so far; start with state's connection */
struct best_score best_score = NO_SCORE{ .ok = 0, .address = -1, .port = -1, .protocol = -1, };
const struct spd_route *best_spd_route = NULL((void*)0);
struct connection *const c = child->sa.st_connection;
13
←
'c' initialized here→
struct connection *best_connection = c;
shunk_t best_sec_label = null_shunk;

/* find best spd in c */

connection_buf ccb;
dbg("responder looking for best SPD in current connection "PRI_CONNECTION,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("responder looking for best SPD in current connection "
"\"%s\"%s", (c)->name, str_connection_instance(c, &ccb
)); } }
14
←
Assuming the condition is false→
15
←
Taking false branch→
   pri_connection(c, &ccb)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("responder looking for best SPD in current connection "
"\"%s\"%s", (c)->name, str_connection_instance(c, &ccb
)); } };
for (const struct spd_route *sra = &c->spd; sra != NULL((void*)0); sra = sra->spd_next) {
16
←
Assuming 'sra' is equal to NULL→
17
←
Loop condition is false. Execution continues on line 1203→

/* responder */
const struct ends ends = {
	.i = &sra->that,
	.r = &sra->this,
};

shunk_t selected_sec_label = null_shunk;
if (!score_tsp_sec_label(&tsp, c->config->sec_label,
			 &selected_sec_label,
			 child->sa.st_logger)) {
	/*
	 * Either:
	 *  - Security label required, but not found.
	 *    OR
	 *  - Security label *not* required, but found.
	 */
	continue;
}

enum fit responder_fit =
	(c->policy & POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))
	? END_NARROWER_THAN_TS
	: END_EQUALS_TS;
struct best_score score = score_ends_iprange(responder_fit, c, &ends, &tsp);
if (!score.ok) {
	continue;
}

if (score_gt(&score, &best_score)) {
	dbg("    found better spd route for TSi[%td],TSr[%td]",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    found better spd route for TSi[%td],TSr[%td]"
, score.tsi - tsp.i.ts, score.tsr - tsp.r.ts); } }
	    score.tsi - tsp.i.ts, score.tsr - tsp.r.ts){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    found better spd route for TSi[%td],TSr[%td]"
, score.tsi - tsp.i.ts, score.tsr - tsp.r.ts); } };
	best_score = score;
	best_spd_route = sra;
	best_sec_label = selected_sec_label;
	/* better SPD still within current connection */
	passert(best_connection == c)({ _Bool assertion__ = best_connection == c; if (!assertion__
) { where_t here = ({ static const struct where here = { .func
 = __func__, .file = "programs/pluto/ikev2_ts.c", .line = 1187
, }; &here; }); const struct logger *logger_ = &failsafe_logger
; llog_passert(logger_, here, "%s", "best_connection == c"); }
 (void) 1; });
}
}

/*
* ??? the use of hp looks nonsensical.
* Either the first non-empty host_pair should be used
* (like the current code) and the following should
* be broken into two loops: first find the non-empty
* host_pair list, second look through the host_pair list.
* OR
* what's really meant is look at the host_pair for
* each sra, something that matches the current
* nested loop structure but not what it actually does.
*/

dbg("looking for better host pair"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("looking for better host pair"); } };
18
←
Taking false branch→

const ip_address local = md->iface->ip_dev->id_address;
FOR_EACH_THING(remote, endpoint_address(md->sender), unset_address)for (typeof(endpoint_address(md->sender)) things_[] = { endpoint_address
(md->sender), unset_address }, *thingp_ = things_, remote;
 thingp_ < things_ + (sizeof(things_) / sizeof(*(things_))
) ? (remote = *thingp_, 1) : 0; thingp_++) {
19
←
'?' condition is true→
20
←
Loop condition is true.  Entering loop body→

FOR_EACH_HOST_PAIR_CONNECTION(local, remote, d)for (struct connection *next_ = ((void*)0), *d = next_host_pair_connection
(local, remote, &next_, 1, ({ static const struct where here
 = { .func = __func__, .file = "programs/pluto/ikev2_ts.c", .
line = 1208, }; &here; })); d != ((void*)0); d = next_host_pair_connection
(local, remote, &next_, 0, ({ static const struct where here
 = { .func = __func__, .file = "programs/pluto/ikev2_ts.c", .
line = 1208, }; &here; }))) {
21
←
Assuming 'd' is not equal to null→
22
←
Loop condition is true.  Entering loop body→

	/* groups are templates instantiated as GROUPINSTANCE */
	if (d->policy & POLICY_GROUP((lset_t)1 << (POLICY_GROUP_IX))) {
23
←
Assuming the condition is false→
24
←
Taking false branch→
		continue;
	}

	/*
	 * For labeled IPsec, always start with the
	 * template.  Who are we to argue if the
	 * kernel asks for a new SA with, seemingly, a
	 * security label that matches an existing
	 * connection instance.
	 */
	if (c->ike_version == IKEv2 &&
25
←
Access to field 'ike_version' results in a dereference of a null pointer (loaded from variable 'c')
	    c->config->sec_label.len > 0 &&
	    c->kind != CK_TEMPLATE) {
		connection_buf cb;
		dbg("skipping non-template IKEv2 "PRI_CONNECTION" with a security label",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("skipping non-template IKEv2 ""\"%s\"%s"" with a security label"
, (c)->name, str_connection_instance(c, &cb)); } }
		    pri_connection(c, &cb)){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("skipping non-template IKEv2 ""\"%s\"%s"" with a security label"
, (c)->name, str_connection_instance(c, &cb)); } };
		continue;
	}

	dbg("  investigating connection \"%s\" as a better match", d->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  investigating connection \"%s\" as a better match"
, d->name); } };

	/*
	 * ??? same_id && match_id seems redundant.
	 * if d->spd.this.id.kind == ID_NONE, both TRUE
	 * else if c->spd.this.id.kind == ID_NONE,
	 *     same_id treats it as a wildcard and match_id
	 *     does not.  Odd.
	 * else if kinds differ, match_id FALSE
	 * else if kind ID_DER_ASN1_DN, wildcards are forbidden by same_id
	 * else match_id just calls same_id.
	 * So: if wildcards are desired, just use match_id.
	 * If they are not, just use same_id
	 */
	int wildcards;	/* value ignored */
	int pathlen;	/* value ignored */

	/* conns created as aliases from the same source have identical ID/CA */
	if (!(c->connalias != NULL((void*)0) && d->connalias != NULL((void*)0) && streq(c->connalias, d->connalias)(strcmp((c->connalias), (d->connalias)) == 0))) {
		if (!(same_id(&c->spd.this.id, &d->spd.this.id) &&
			match_id(&c->spd.that.id, &d->spd.that.id, &wildcards) &&
			trusted_ca_nss(c->spd.that.ca, d->spd.that.ca, &pathlen)))
		{
			dbg("    connection \"%s\" does not match IDs or CA of current connection \"%s\"",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    connection \"%s\" does not match IDs or CA of current connection \"%s\""
, d->name, c->name); } }
				d->name, c->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    connection \"%s\" does not match IDs or CA of current connection \"%s\""
, d->name, c->name); } };
			continue;
		}
	}

	const struct spd_route *sr;

	for (sr = &d->spd; sr != NULL((void*)0); sr = sr->spd_next) {

		/* responder */
		const struct ends ends = {
			.i = &sr->that,
			.r = &sr->this,
		};
		/* responder -- note D! */
		enum fit responder_fit =
			(d->policy & POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))
			? END_NARROWER_THAN_TS
			: END_EQUALS_TS;

		/* Returns NULL(ok), &null_shunk(skip), memory(ok). */
		shunk_t selected_sec_label = null_shunk;
		if (!score_tsp_sec_label(&tsp, d->config->sec_label,
					 &selected_sec_label, child->sa.st_logger)) {
			/*
			 * Either:
			 *  - Security label required, but not found.
			 *    OR
			 *  - Security label *not* required, but found.
			 */
			continue;
		}

		struct best_score score = score_ends_iprange(responder_fit, d/*note D*/,
							     &ends, &tsp);
		if (!score.ok) {
			continue;
		}
		if (score_gt(&score, &best_score)) {
			dbg("    protocol fitness found better match d %s, TSi[%td],TSr[%td]",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    protocol fitness found better match d %s, TSi[%td],TSr[%td]"
, d->name, score.tsi - tsp.i.ts, score.tsr - tsp.r.ts); } }
			    d->name,{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    protocol fitness found better match d %s, TSi[%td],TSr[%td]"
, d->name, score.tsi - tsp.i.ts, score.tsr - tsp.r.ts); } }
			    score.tsi - tsp.i.ts, score.tsr - tsp.r.ts){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    protocol fitness found better match d %s, TSi[%td],TSr[%td]"
, d->name, score.tsi - tsp.i.ts, score.tsr - tsp.r.ts); } };
			best_connection = d;
			best_score = score;
			best_spd_route = sr;
			best_sec_label = selected_sec_label;
		}
	}
}
}

if (best_connection == c) {
dbg("  did not find a better connection using host pair"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  did not find a better connection using host pair"
); } };
}

1310#define CONNECTION_POLICIES(((lset_t)1 << (POLICY_NEGO_PASS_IX)) | ((lset_t)1 <<
 (POLICY_DONT_REKEY_IX)) | ((lset_t)1 << (POLICY_REAUTH_IX
)) | ((lset_t)1 << (POLICY_OPPORTUNISTIC_IX)) | ((lset_t
)1 << (POLICY_GROUP_IX)) | ((lset_t)1 << (POLICY_GROUTED_IX
)) | ((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) | ((lset_t
)1 << (POLICY_UP_IX)) | ((lset_t)1 << (POLICY_XAUTH_IX
)) | ((lset_t)1 << (POLICY_MODECFG_PULL_IX)) | ((lset_t
)1 << (POLICY_AGGRESSIVE_IX)) | ((lset_t)1 << (POLICY_OVERLAPIP_IX
)) | ((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX))) (POLICY_NEGO_PASS((lset_t)1 << (POLICY_NEGO_PASS_IX)) |				\
	     POLICY_DONT_REKEY((lset_t)1 << (POLICY_DONT_REKEY_IX)) |			\
	     POLICY_REAUTH((lset_t)1 << (POLICY_REAUTH_IX)) |				\
	     POLICY_OPPORTUNISTIC((lset_t)1 << (POLICY_OPPORTUNISTIC_IX)) |			\
	     POLICY_GROUP((lset_t)1 << (POLICY_GROUP_IX)) |				\
	     POLICY_GROUTED((lset_t)1 << (POLICY_GROUTED_IX)) |				\
	     POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) |			\
	     POLICY_UP((lset_t)1 << (POLICY_UP_IX)) |				\
	     POLICY_XAUTH((lset_t)1 << (POLICY_XAUTH_IX)) |				\
	     POLICY_MODECFG_PULL((lset_t)1 << (POLICY_MODECFG_PULL_IX)) |			\
	     POLICY_AGGRESSIVE((lset_t)1 << (POLICY_AGGRESSIVE_IX)) |			\
	     POLICY_OVERLAPIP((lset_t)1 << (POLICY_OVERLAPIP_IX)) |				\
	     POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))

/*
* Try instantiating something better.
*/
if (best_spd_route == NULL((void*)0) && c->kind != CK_INSTANCE) {
/*
 * Don't try to look for something else to
 * 'instantiate' when the current connection is
 * permanent.
 *
 * XXX: but c->kind could be CK_TEMPLATE?
 *
 * XXX: Is this missing an opportunity?  Could there
 * be a better connection to instantiate when the
 * current one is permanent?
 *
 * XXX: 'instantiate', not really?  The code below
 * sometimes blats the current instance with new
 * values - something that should not be done to a
 * permanent connection.
 */
pexpect((c->kind == CK_PERMANENT) ||({ _Bool assertion__ = (c->kind == CK_PERMANENT) || (c->
kind == CK_TEMPLATE && c->config->sec_label.len
 > 0); if (!assertion__) { where_t here_ = ({ static const
 struct where here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1345, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_pexpect(logger_, here_, "%s", "(c->kind == CK_PERMANENT) || (c->kind == CK_TEMPLATE && c->config->sec_label.len > 0)"
); } assertion__; })
	(c->kind == CK_TEMPLATE && c->config->sec_label.len > 0))({ _Bool assertion__ = (c->kind == CK_PERMANENT) || (c->
kind == CK_TEMPLATE && c->config->sec_label.len
 > 0); if (!assertion__) { where_t here_ = ({ static const
 struct where here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1345, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_pexpect(logger_, here_, "%s", "(c->kind == CK_PERMANENT) || (c->kind == CK_TEMPLATE && c->config->sec_label.len > 0)"
); } assertion__; });
dbg("no best spd route; but the current %s connection \"%s\" is not a CK_INSTANCE; giving up",{ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("no best spd route; but the current %s connection \"%s\" is not a CK_INSTANCE; giving up"
, enum_name(&connection_kind_names, c->kind), c->name
); } }
    enum_name(&connection_kind_names, c->kind), c->name){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("no best spd route; but the current %s connection \"%s\" is not a CK_INSTANCE; giving up"
, enum_name(&connection_kind_names, c->kind), c->name
); } };
llog_sa(RC_LOG_SERIOUS, child, "No IKEv2 connection found with compatible Traffic Selectors")llog(RC_LOG_SERIOUS, (child)->sa.st_logger, "No IKEv2 connection found with compatible Traffic Selectors"
);
return false0;
}

if (best_spd_route == NULL((void*)0) && ((c->policy & POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX))) ||
		       (c->policy & POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX))))) {
/*
 * Is there something better than the current
 * connection?
 *
 * Rather than overwrite the current INSTANCE; would
 * it be better to instantiate a new instance, and
 * then replace it?
 *
 * Would also address the above.
 *
 * If the connection seems to be shared, this happens.
 */
pexpect(c->kind == CK_INSTANCE)({ _Bool assertion__ = c->kind == CK_INSTANCE; if (!assertion__
) { where_t here_ = ({ static const struct where here = { .func
 = __func__, .file = "programs/pluto/ikev2_ts.c", .line = 1366
, }; &here; }); const struct logger *logger_ = &failsafe_logger
; llog_pexpect(logger_, here_, "%s", "c->kind == CK_INSTANCE"
); } assertion__; });
/* since an SPD_ROUTE wasn't found */
passert(best_connection == c)({ _Bool assertion__ = best_connection == c; if (!assertion__
) { where_t here = ({ static const struct where here = { .func
 = __func__, .file = "programs/pluto/ikev2_ts.c", .line = 1368
, }; &here; }); const struct logger *logger_ = &failsafe_logger
; llog_passert(logger_, here, "%s", "best_connection == c"); }
 (void) 1; });
dbg("no best spd route; looking for a better template connection to instantiate"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("no best spd route; looking for a better template connection to instantiate"
); } };

struct connection_query cq = { .where = HERE({ static const struct where here = { .func = __func__, .file
 = "programs/pluto/ikev2_ts.c", .line = 1371, }; &here; }
), .c = NULL((void*)0), };
while (new2old_connection(&cq)) {
	struct connection *t = cq.c;
	/* require a template */
	if (t->kind != CK_TEMPLATE) {
		continue;
	}
	LSWDBGP(DBG_BASE, buf)for (_Bool lswlog_p = (cur_debugging & (((lset_t)1 <<
 (DBG_BASE_IX)))); lswlog_p; lswlog_p = 0) for (char lswbuf[(
(size_t)1024)], *lswbuf_ = lswbuf; lswbuf_ != ((void*)0); lswbuf_
 = ((void*)0)) for (struct jambuf jambuf = array_as_jambuf((lswbuf
), sizeof(lswbuf)), *buf = &jambuf; buf != ((void*)0); buf
 = ((void*)0)) for (; buf != ((void*)0); jambuf_to_logger(buf
, &failsafe_logger, DEBUG_STREAM), buf = ((void*)0)) {
		jam(buf, "  investigating template \"%s\";",
			t->name);
		if (t->foodgroup != NULL((void*)0)) {
			jam(buf, " food-group=\"%s\"", t->foodgroup);
		}
		jam(buf, " policy=");
		jam_policy(buf, t->policy & CONNECTION_POLICIES(((lset_t)1 << (POLICY_NEGO_PASS_IX)) | ((lset_t)1 <<
 (POLICY_DONT_REKEY_IX)) | ((lset_t)1 << (POLICY_REAUTH_IX
)) | ((lset_t)1 << (POLICY_OPPORTUNISTIC_IX)) | ((lset_t
)1 << (POLICY_GROUP_IX)) | ((lset_t)1 << (POLICY_GROUTED_IX
)) | ((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) | ((lset_t
)1 << (POLICY_UP_IX)) | ((lset_t)1 << (POLICY_XAUTH_IX
)) | ((lset_t)1 << (POLICY_MODECFG_PULL_IX)) | ((lset_t
)1 << (POLICY_AGGRESSIVE_IX)) | ((lset_t)1 << (POLICY_OVERLAPIP_IX
)) | ((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX))));
	}

	/*
	 * Is it worth looking at the template.
	 *
	 * XXX: treat the combination the same as
	 * group instance, like the old code did; is
	 * this valid?
	 */
	switch (c->policy & (POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) |
			      POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))) {
	case POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)):
	case POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) | POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)): /* XXX: true */
		/* XXX: why does this matter; does it imply t->foodgroup != NULL? */
		if (!LIN(POLICY_GROUPINSTANCE, t->policy)(((((lset_t)1 << (POLICY_GROUPINSTANCE_IX))) & (t->
policy)) == (((lset_t)1 << (POLICY_GROUPINSTANCE_IX))))) {
			dbg("    skipping; not a group instance"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; not a group instance"); } };
			continue;
		}
		/* when OE, don't change food groups? */
		if (!streq(c->foodgroup, t->foodgroup)(strcmp((c->foodgroup), (t->foodgroup)) == 0)) {
			dbg("    skipping; wrong foodgroup name"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; wrong foodgroup name"); } };
			continue;
		}
		/* ??? why require current connection->name and t->name to be different */
		/* XXX: don't re-instantiate the same connection template???? */
		if (streq(c->name, t->name)(strcmp((c->name), (t->name)) == 0)) {
			dbg("    skipping; name same as current connection"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; name same as current connection"
); } };
			continue;
		}
		break;
	case POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)):
		if (!LIN(POLICY_IKEV2_ALLOW_NARROWING, t->policy)(((((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX))) &
 (t->policy)) == (((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX
))))) {
			dbg("    skipping; cannot narrow"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; cannot narrow"); } };
			continue;
		}
		break;
	default:
		bad_case(c->policy)libreswan_bad_case("c->policy", (c->policy), ({ static const
 struct where here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1423, }; &here; })); /* not quite true */
	}

	/* require initiator's subnet <= T; why? */
	if (!selector_in_selector(c->spd.that.client, t->spd.that.client)) {
		dbg("    skipping; current connection's initiator subnet is not <= template"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; current connection's initiator subnet is not <= template"
); } };
		continue;
	}
	/* require responder address match; why? */
	ip_address c_this_client_address = selector_prefix(c->spd.this.client);
	ip_address t_this_client_address = selector_prefix(t->spd.this.client);
	if (!address_eq_address(c_this_client_address, t_this_client_address)) {
		dbg("    skipping; responder addresses don't match"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("    skipping; responder addresses don't match"
); } };
		continue;
	}

	/* require a valid narrowed port? */
	enum fit fit;
	switch (c->policy & (POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) |
			     POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))) {
	case POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)):
	case POLICY_GROUPINSTANCE((lset_t)1 << (POLICY_GROUPINSTANCE_IX)) | POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)): /* XXX: true */
		/* exact match; XXX: 'cos that is what old code did */
		fit = END_EQUALS_TS;
		break;
	case POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)):
		/* narrow END's port to TS port */
		fit = END_WIDER_THAN_TS;
		break;
	default:
		bad_case(c->policy)libreswan_bad_case("c->policy", (c->policy), ({ static const
 struct where here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1453, }; &here; }));
	}

	passert(best_connection == c)({ _Bool assertion__ = best_connection == c; if (!assertion__
) { where_t here = ({ static const struct where here = { .func
 = __func__, .file = "programs/pluto/ikev2_ts.c", .line = 1456
, }; &here; }); const struct logger *logger_ = &failsafe_logger
; llog_passert(logger_, here, "%s", "best_connection == c"); }
 (void) 1; }); /* aka st->st_connection, no leak */
	pexpect(best_connection == child->sa.st_connection)({ _Bool assertion__ = best_connection == child->sa.st_connection
; if (!assertion__) { where_t here_ = ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1457, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_pexpect(logger_, here_, "%s", "best_connection == child->sa.st_connection"
); } assertion__; });
	struct narrowed_ts n = narrow_request_ts(t, &tsp, fit);
	if (!n.ok) {
		continue;
	}

	struct connection *s;
	if (v2_child_connection_probably_shared(child)) {
		/* instantiate it, filling in peer's ID */
		/* XXX: is best_sec_label ever non-NULL? */
		s = instantiate(t, &child->sa.st_connection->spd.that.host_addr,
				NULL((void*)0), best_sec_label);
	} else {
		s = child->sa.st_connection;
	}
	scribble_request_ts_on_connection(child, s, n);

	/* switch */
	best_connection = s;
	best_spd_route = &best_connection->spd;
	break;
}
} else if (best_connection == c &&
   c->kind == CK_TEMPLATE &&
   c->config->sec_label.len > 0) {
dbg("  instantiating template security label connection"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("  instantiating template security label connection"
); } };
/* sure looks like a sec-label template */
struct narrowed_ts n = narrow_request_ts(c, &tsp, END_WIDER_THAN_TS);
if (!n.ok) {
	return false0;
}

struct connection *s = instantiate(c, &child->sa.st_connection->spd.that.host_addr,
				   NULL((void*)0), best_sec_label);
scribble_request_ts_on_connection(child, s, n);

/* switch */
best_connection = s;
best_spd_route = &best_connection->spd;
}

if (best_spd_route == NULL((void*)0)) {
dbg("giving up"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("giving up"); } };
return false0;
}

/*
* this both replaces the child's connection, and flips any
* underlying current-connection
*
* XXX: but this is responder code, there probably isn't a
* current-connection - it would have gone straight to current
* state.
*
* XXX: ah, but the state code does: set-state; set-connection
* (yes order is wrong).  Why does it bother?
*
* update_state_connection(), if the connection changes,
* de-references the old connection; which is what really
* matters
*/
update_state_connection(&child->sa, best_connection);

return true1;
1521}

1523/* check TS payloads, response */
1524bool_Bool v2_process_ts_response(struct child_sa *child,
	    struct msg_digest *md)
1526{
passert(child->sa.st_sa_role == SA_INITIATOR)({ _Bool assertion__ = child->sa.st_sa_role == SA_INITIATOR
; if (!assertion__) { where_t here = ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1527, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_passert(logger_, here, "%s", "child->sa.st_sa_role == SA_INITIATOR"
); } (void) 1; });
passert(v2_msg_role(md) == MESSAGE_RESPONSE)({ _Bool assertion__ = v2_msg_role(md) == MESSAGE_RESPONSE; if
 (!assertion__) { where_t here = ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1528, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_passert(logger_, here, "%s", "v2_msg_role(md) == MESSAGE_RESPONSE"
); } (void) 1; });

struct connection *c = child->sa.st_connection;

struct traffic_selector_payloads tsp = empty_traffic_selectors;
if (!v2_parse_tsp(md, &tsp, child->sa.st_logger)) {
return false0;
}

/* initiator */
const struct spd_route *sra = &c->spd;
const struct ends e = {
.i = &sra->this,
.r = &sra->that,
};
enum fit initiator_widening =
(c->policy & POLICY_IKEV2_ALLOW_NARROWING((lset_t)1 << (POLICY_IKEV2_ALLOW_NARROWING_IX)))
? END_WIDER_THAN_TS
: END_EQUALS_TS;

/* Returns NULL(ok), &null_shunk(skip), memory(ok). */
shunk_t selected_sec_label = null_shunk;
if (!score_tsp_sec_label(&tsp, c->config->sec_label,
		 &selected_sec_label, child->sa.st_logger)) {
/*
 * Either:
 *  - Security label required, but not found.
 *    OR
 *  - Security label *not* required, but found.
 */
return false0;
}

struct best_score best = score_ends_iprange(initiator_widening, c, &e, &tsp);

if (!best.ok) {
dbg("reject responder TSi/TSr Traffic Selector"){ if ((cur_debugging & (((lset_t)1 << (DBG_BASE_IX)
)))) { DBG_log("reject responder TSi/TSr Traffic Selector"); }
 };
/* prevents parent from going to I3 */
return false0;
}

traffic_selector_to_end(best.tsi, &c->spd.this,
		"scribble accepted TSi response on initiator's this");
traffic_selector_to_end(best.tsr, &c->spd.that,
		"scribble accepted TSr response on initiator's that");

return true1;
1575}

1577/*
* RFC 7296 https://tools.ietf.org/html/rfc7296#section-2.8
* "when rekeying, the new Child SA SHOULD NOT have different Traffic
*  Selectors and algorithms than the old one."
*
* However, when narrowed down, the original TSi/TSr is wider than the
* returned narrowed TSi/TSr. Windows 10 is known to use the original
* and not the narrowed TSi/TSr.
*
* RFC 7296 #1.3.3 "The Traffic Selectors for traffic to be sent
* on that SA are specified in the TS payloads in the response,
* which may be a subset of what the initiator of the Child SA proposed."
*
* However, the rekey initiator, when it is the original initiator of
* the Child SA, may request a super set. And responder should
* respond with same set as initially negotiated, ie RFC 7296 #2.8
*
* See RFC 7296 Section 1.7. for the above change.
* Significant Differences between RFC 4306 and RFC 5996
*
* We already matched the right connection by the SPI of v2N_REKEY_SA
*/
1599bool_Bool child_rekey_responder_ts_verify(struct child_sa *child, struct msg_digest *md)
1600{
if (!pexpect(child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0)({ _Bool assertion__ = child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0
; if (!assertion__) { where_t here_ = ({ static const struct where
 here = { .func = __func__, .file = "programs/pluto/ikev2_ts.c"
, .line = 1601, }; &here; }); const struct logger *logger_
 = &failsafe_logger; llog_pexpect(logger_, here_, "%s", "child->sa.st_state->kind == STATE_V2_REKEY_CHILD_R0"
); } assertion__; }))
return false0;

const struct connection *c = child->sa.st_connection;
struct traffic_selector_payloads their_tsp = empty_traffic_selectors;

if (!v2_parse_tsp(md, &their_tsp, child->sa.st_logger)) {
log_state(RC_LOG_SERIOUS, &child->sa,
	  "received malformed TSi/TSr payload(s)");
return false0;
}

const struct ends ends = {
.i = &c->spd.that,
.r = &c->spd.this,
};

enum fit fitness = END_NARROWER_THAN_TS;

/* Returns NULL(ok), &null_shunk(skip), memory(ok). */
shunk_t selected_sec_label = null_shunk;
if (!score_tsp_sec_label(&their_tsp, c->config->sec_label,
		 &selected_sec_label,
		 child->sa.st_logger)) {
/*
 * Either:
 *  - Security label required, but not found.
 *    OR
 *  - Security label *not* required, but found.
 */
log_state(RC_LOG_SERIOUS, &child->sa,
	  "rekey: received Traffic Selectors mismatch configured selectors for Security Label");
return false0;
}

struct best_score score = score_ends_iprange(fitness, c, &ends, &their_tsp);

if (!score.ok) {
log_state(RC_LOG_SERIOUS, &child->sa,
	  "rekey: received Traffic Selectors does not contain existing IPsec SA Traffic Selectors");
return false0;
}

return true1;
1645}