From: Tobias Brunner
Date: Tue, 2 Dec 2025 15:17:36 +0000 (+0100)
Subject: charon-nm: Pass configured user when connecting to SSH/GPG agent
X-Git-Tag: 6.0.4~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7cc8973db70f70252ba6a59039c678e9933cf8c7;p=thirdparty%2Fstrongswan.git

charon-nm: Pass configured user when connecting to SSH/GPG agent

This prevents an attack similar to the one fixed previously where a user passes the path to credentials of another user, in this case the path to the agent socket of that user.
---
diff --git a/src/charon-nm/nm/nm_service.c b/src/charon-nm/nm/nm_service.c
index d24e7b29e4..50a65e9457 100644
--- a/src/charon-nm/nm/nm_service.c
+++ b/src/charon-nm/nm/nm_service.c
@@ -637,6 +637,7 @@ static bool add_auth_cfg_cert(NMStrongswanPluginPrivate *priv,
 private = lib->creds->create(lib->creds, CRED_PRIVATE_KEY, public->get_type(public), BUILD_AGENT_SOCKET, str,
+ BUILD_AGENT_USER, user,
 BUILD_PUBLIC_KEY, public, BUILD_END);
 public->destroy(public);
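Review bot: The added `BUILD_AGENT_USER, user,` argument hands `user` to the builder with no visible check that it is set, and the hunk does not show where `user` is assigned or what the agent builder does when it is NULL or empty. If that case can occur (for example a connection with no configured user), the lookup should fail closed instead of opening the socket at `str` with the daemon's own privileges; skipping the create() call when `user` is NULL, or an equivalent check inside the builder, would make that explicit. A short comment above the call, e.g. `/* access the agent socket as the configured user, not as the daemon */`, would keep the reason for the extra argument visible in the code rather than only in the commit message. add_auth_cfg_cert starts and ends outside the hunk, so this may already be handled there and should be confirmed against the full function.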