From: Tobias Brunner
Date: Thu, 2 Mar 2023 09:21:43 +0000 (+0100)
Subject: vici: Fix fallback to remote ID if no mediation peer ID is configured
X-Git-Tag: 5.9.11dr1~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dd79253e2d3a2d2f61689305cc02c506e2a5f746;p=thirdparty%2Fstrongswan.git
vici: Fix fallback to remote ID if no mediation peer ID is configured
Also adds error reporting via VICI for issues with mediation settings.
Fixes: 229cdf6bc8f2 ("vici: Order auth rounds by optional `round` parameter instead of by position in the request")
References strongswan/strongswan#1569
---
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 989939fbf2..43c81a6c14 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -2604,8 +2604,8 @@ CALLBACK(config_sn, bool,
 #ifdef ME
 if (peer.mediation && peer.mediated_by)
 {
- DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection "
- "at the same time, config discarded");
+ request->reply = create_reply("a mediation connection cannot be a "
+ "mediated connection at the same time");
 free_peer_data(&peer);
 return FALSE;
 }
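Review bot: Replacing the DBG1() with `request->reply = create_reply(...)` means the rejection is now reported only to the VICI client; unless create_reply() itself logs (its body is outside this hunk), the daemon log no longer records why the connection was discarded, which is the trace an operator reading charon's log would look for when a mediated connection silently fails to load. The same applies to the second hunk of this commit. If create_reply() does not log, keep a one-line `DBG1(DBG_CFG, "a mediation connection cannot be a mediated connection at the same time, config discarded");` before the assignment so both the client and the log see the reason. config_sn() starts and ends outside the hunk.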
@@ -2616,23 +2616,23 @@ CALLBACK(config_sn, bool,
 else if (peer.mediated_by)
 {
 /* fallback to remote identity of first auth round if peer_id is not
 * given explicitly */
- auth_cfg_t *cfg;
+ auth_data_t *auth;
 if (!peer.peer_id &&
- peer.remote->get_first(peer.remote, (void**)&cfg) == SUCCESS)
+ peer.remote->get_first(peer.remote, (void**)&auth) == SUCCESS)
 {
- peer.peer_id = cfg->get(cfg, AUTH_RULE_IDENTITY);
+ peer.peer_id = auth->cfg->get(auth->cfg, AUTH_RULE_IDENTITY);
 if (peer.peer_id)
 {
 peer.peer_id = peer.peer_id->clone(peer.peer_id);
 }
- else
- {
- DBG1(DBG_CFG, "mediation peer missing for mediated connection, "
- "config discarded");
- free_peer_data(&peer);
- return FALSE;
- }
+ }
+ if (!peer.peer_id)
+ {
+ request->reply = create_reply("mediation peer or remote identity "
+ "missing for mediated connection");
+ free_peer_data(&peer);
+ return FALSE;
 }
 }
 #endif /* ME */
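Review bot: The new `if (!peer.peer_id)` check catches a missing identity but not an unusable one: the fallback clones whatever AUTH_RULE_IDENTITY the first remote auth round carries, so if the parser stores a wildcard identity for a round declared without an explicit `id` (that code is outside this hunk), a mediated connection without a mediation peer would pass this check with a `%any` peer ID instead of hitting the new error reply. If that can happen, extend the condition to `if (!peer.peer_id || peer.peer_id->get_type(peer.peer_id) == ID_ANY)` and word the reply accordingly. The `auth_data_t *auth;` line would also benefit from a short comment stating that peer.remote holds auth_data_t entries, not auth_cfg_t, which appears to be why the previous cast read the wrong type (presumably since the Fixes: commit). config_sn() continues on both sides of the hunk.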