From: Tobias Brunner
Date: Thu, 8 Jan 2026 07:59:11 +0000 (+0100)
Subject: pubkey-authenticator: Avoid conflict with config switch based on EAP-Identity
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e73af66f4a7852eb17691e6fa151ea0204307539;p=thirdparty%2Fstrongswan.git

pubkey-authenticator: Avoid conflict with config switch based on EAP-Identity

The referenced commit ignored that INVALID_ARG was returned by this authenticator if an unsupported signature scheme is encountered. This caused a crash in find_alternative_eap_cfg() as no EAP identity is stored in the current auth config. Since we don't distinguish the situation outside of the authenticator, we can just return FAILED.

Closes strongswan/strongswan#2979

Fixes: 2f2e4abe3c52 ("ikev2: Add support to switch peer configs based on EAP-Identities")
---
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c index 3f53bc1b24..392a61d9d9 100644 --- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c +++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c @@ -631,7 +631,7 @@ METHOD(authenticator_t, process, status_t, DBG1(DBG_IKE, "%N authentication %s", auth_method_names, auth_method, reason); signature_params_destroy(params); - return INVALID_ARG; + return FAILED; } id = this->ike_sa->get_other_id(this->ike_sa); if (!get_auth_octets_scheme(this, TRUE, id, this->ppk, &octets, ¶ms))
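
Review bot: The new `return FAILED;` at the end of the unsupported-signature-scheme branch (directly after `signature_params_destroy(params);`) has no comment saying why INVALID_ARG must not be returned from this spot. Per the commit message, returning INVALID_ARG here led to a crash in find_alternative_eap_cfg() because no EAP identity is stored in the current auth config; a one-line comment above the return stating that would keep a later cleanup from restoring the old status code. Since the crash itself was in find_alternative_eap_cfg(), it is also worth checking in a follow-up whether that function guards against a missing EAP identity, so that the same path cannot be reached again from another authenticator that returns INVALID_ARG.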