[Swan-dev] oddity in ikev2_process_child_sa_pl

D. Hugh Redelmeier hugh at mimosa.com
Sun Jun 3 22:18:28 UTC 2018


	/*
	 * Update/check the PFS.
	 *
	 * For the responder, go with what ever was negotiated.  For
	 * the initiator, check what was negotiated against what was
	 * sent.
	 */
	const struct oakley_group_desc *accepted_dh = proto_info->attrs.transattrs.ta_dh;
	switch (st->st_sa_role) {
	case SA_INITIATOR:
		pexpect(expect_accepted);
		if (accepted_dh != NULL && accepted_dh != st->st_pfs_group) {
			loglog(RC_LOG_SERIOUS,
			       "expecting %s but remote's accepted proposal includes %s",
			       st->st_pfs_group == NULL ? "no DH" : st->st_pfs_group->common.fqn,
			       accepted_dh == NULL ? "no DH" : accepted_dh->common.fqn);
			return STF_FAIL + v2N_NO_PROPOSAL_CHOSEN;
		}
		st->st_pfs_group = accepted_dh;
		break;

Coverity noticed that
			       accepted_dh == NULL ? "no DH" : accepted_dh->common.fqn);
was silly because we know that accepted_dh is not NULL (the preceding if checks).

I'm wondering whether the test is correct.  Should it be || instead of &&?  It's not clear to me.
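
The three candidate tests, enumerated over every sent/accepted combination, as an added example that is not part of the original post or of libreswan. `struct dh_group`, the group names and the `cases` table are constructed stand-ins; it does not claim which behaviour the project intends.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for libreswan's struct oakley_group_desc. */
struct dh_group { const char *fqn; };
static const struct dh_group G1 = { "MODP2048" }, G2 = { "DH19" }; /* constructed */

enum variant { CHECK_AND, CHECK_OR, CHECK_NEQ };

/* Constructed cases: the group the initiator sent vs. the one accepted. */
static const struct { const struct dh_group *sent, *accepted; } cases[] = {
	{ NULL, NULL },	/* 0: no DH both ways */
	{ &G1, &G1 },	/* 1: same group */
	{ &G1, NULL },	/* 2: sent a group, accepted proposal has none */
	{ NULL, &G1 },	/* 3: sent none, accepted proposal has a group */
	{ &G1, &G2 },	/* 4: different groups */
};
#define NCASES (sizeof(cases) / sizeof(cases[0]))

/* True when the initiator would fail the exchange under the given test. */
static bool rejects(enum variant v, const struct dh_group *sent,
		    const struct dh_group *accepted)
{
	switch (v) {
	case CHECK_AND: return accepted != NULL && accepted != sent; /* as posted */
	case CHECK_OR:  return accepted != NULL || accepted != sent; /* "||" variant */
	default:        return accepted != sent; /* plain comparison, for reference */
	}
}

/* Bit i is set when case i is rejected. */
static unsigned reject_mask(enum variant v)
{
	unsigned mask = 0;
	for (size_t i = 0; i < NCASES; i++)
		if (rejects(v, cases[i].sent, cases[i].accepted))
			mask |= 1u << i;
	return mask;
}

int main(void)
{
	static const char *const names[] = { "&&", "||", "!=" };
	for (int v = CHECK_AND; v <= CHECK_NEQ; v++)
		printf("%s rejects case mask 0x%02x\n", names[v], reject_mask((enum variant)v));
	return 0;
}
```

Under `&&`, case 2 passes the test, after which `st->st_pfs_group = accepted_dh` sets the group to NULL; under `||`, case 1 (an exact match on a group) is rejected.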

