3 files changed, 52 insertions, 19 deletions

diff --git a/lib/diameter/src/base/diameter_capx.erl b/lib/diameter/src/base/diameter_capx.erl
index 9a443fead0..4b821f5139 100644
--- a/lib/diameter/src/base/diameter_capx.erl
+++ b/lib/diameter/src/base/diameter_capx.erl
@@ -282,9 +282,26 @@ build_CEA(_, LCaps, RCaps, Dict, CEA) ->
         [] ->
             Dict:'#set-'({'Result-Code', ?NOSECURITY}, CEA);
         [_] = IS ->
-            Dict:'#set-'({'Inband-Security-Id', IS}, CEA)
+            Dict:'#set-'({'Inband-Security-Id', inband_security(IS)}, CEA)
     end.
 
+%% Only set Inband-Security-Id if different from the default, since
+%% RFC 6733 recommends against the AVP:
+%%
+%% 6.10.  Inband-Security-Id AVP
+%%
+%%    The Inband-Security-Id AVP (AVP Code 299) is of type Unsigned32 and
+%%    is used in order to advertise support of the security portion of the
+%%    application.  The use of this AVP in CER and CEA messages is NOT
+%%    RECOMMENDED.  Instead, discovery of a Diameter entity's security
+%%    capabilities can be done either through static configuration or via
+%%    Diameter Peer Discovery as described in Section 5.2.
+
+inband_security([?NO_INBAND_SECURITY]) ->
+    [];
+inband_security([_] = IS) ->
+    IS.
+
 %% common_security/2
 
 common_security(#diameter_caps{inband_security_id = LS},
diff --git a/lib/diameter/src/base/diameter_peer_fsm.erl b/lib/diameter/src/base/diameter_peer_fsm.erl
index 232249b0e9..4e55864168 100644
--- a/lib/diameter/src/base/diameter_peer_fsm.erl
+++ b/lib/diameter/src/base/diameter_peer_fsm.erl
@@ -233,20 +233,21 @@ start_transport(Addrs0, T) ->
         {TPid, Addrs, Tmo, Data} ->
             erlang:monitor(process, TPid),
             q_next(TPid, Addrs0, Tmo, Data),
-            {TPid, addrs(Addrs, Addrs0)};
+            {TPid, Addrs};
         No ->
             exit({shutdown, No})
     end.
 
-addrs([], Addrs0) ->
-    Addrs0;
-addrs(Addrs, _) ->
-    Addrs.
-
-svc(Svc, []) ->
-    Svc;
-svc(Svc, Addrs) ->
-    readdr(Svc, Addrs).
+svc(#diameter_service{capabilities = LCaps0} = Svc, Addrs) ->
+    #diameter_caps{host_ip_address = Addrs0}
+        = LCaps0,
+    case Addrs0 of
+        [] ->
+            LCaps = LCaps0#diameter_caps{host_ip_address = Addrs},
+            Svc#diameter_service{capabilities = LCaps};
+        [_|_] ->
+            Svc
+    end.
 
 readdr(#diameter_service{capabilities = LCaps0} = Svc, Addrs) ->
     LCaps = LCaps0#diameter_caps{host_ip_address = Addrs},
@@ -360,7 +361,7 @@ transition({diameter, {TPid, connected, Remote, LAddrs}},
                   service = Svc}
            = S) ->
     transition({diameter, {TPid, connected, Remote}},
-               S#state{service = readdr(Svc, LAddrs)});
+               S#state{service = svc(Svc, LAddrs)});
 
 %% Connection from peer.
 transition({diameter, {TPid, connected}},
@@ -702,7 +703,7 @@ build_answer('CER',
         N -> {cea(CEA, N, Dict0), [fun open/5, Pkt,
                                                SupportedApps,
                                                Caps,
-                                               {accept, hd([_] = IS)}]}
+                                               {accept, inband_security(IS)}]}
     catch
         ?FAILURE(Reason) ->
             rejected(Reason, {'CER', Reason, Caps, Pkt}, S)
@@ -719,6 +720,11 @@ build_answer(Type,
     RC = rc(H, Es),
     {answer(Type, RC, Es, S), post(Type, RC, Pkt, S)}.
 
+inband_security([]) ->
+    ?NO_INBAND_SECURITY;
+inband_security([IS]) ->
+    IS.
+
 cea(CEA, ok, _) ->
     CEA;
 cea(CEA, 2001, _) ->
diff --git a/lib/diameter/src/base/diameter_traffic.erl b/lib/diameter/src/base/diameter_traffic.erl
index 820d37535a..0b15e68ec7 100644
--- a/lib/diameter/src/base/diameter_traffic.erl
+++ b/lib/diameter/src/base/diameter_traffic.erl
@@ -479,10 +479,9 @@ answer_message(RC,
                #diameter_caps{origin_host  = {OH,_},
                               origin_realm = {OR,_}},
                Dict0,
-               #diameter_packet{avps = Avps}
-               = Pkt) ->
+               Pkt) ->
     ?LOG({error, RC}, Pkt),
-    {Dict0, answer_message(OH, OR, RC, Dict0, Avps)}.
+    {Dict0, answer_message(OH, OR, RC, Dict0, Pkt)}.
 
 %% resend/7
 
@@ -861,12 +860,14 @@ failed(Rec, FailedAvp, Dict) ->
 
 %% answer_message/5
 
-answer_message(OH, OR, RC, Dict0, Avps) ->
+answer_message(OH, OR, RC, Dict0, #diameter_packet{avps = Avps,
+                                                   errors = Es}) ->
     {Code, _, Vid} = Dict0:avp_header('Session-Id'),
     ['answer-message', {'Origin-Host', OH},
                        {'Origin-Realm', OR},
-                       {'Result-Code', RC}
-                       | session_id(Code, Vid, Dict0, Avps)].
+                       {'Result-Code', RC}]
+        ++ session_id(Code, Vid, Dict0, Avps)
+        ++ failed_avp(RC, Es).
 
 session_id(Code, Vid, Dict0, Avps)
   when is_list(Avps) ->
@@ -878,6 +879,15 @@ session_id(Code, Vid, Dict0, Avps)
             []
     end.
 
+%% Note that this should only match 5xxx result codes currently but
+%% don't bother distinguishing this case.
+failed_avp(RC, [{RC, Avp} | _]) ->
+    [{'Failed-AVP', [{'AVP', [Avp]}]}];
+failed_avp(RC, [_ | Es]) ->
+    failed_avp(RC, Es);
+failed_avp(_, [] = No) ->
+    No.
+
 %% find_avp/3
 
 find_avp(Code, Vid, Avps)