From 169ec3dde995d48c02cb4d65e2fd69139a3a805b Mon Sep 17 00:00:00 2001
From: Anders Svensson <anders@erlang.org>
Date: Thu, 30 May 2013 15:03:28 +0200
Subject: Don't send default Inband-Security-Id in CER/CEA

RFC 6733 recommends against the use of Inband-Security-Id, so only send
a value that differs from the default.
---
 lib/diameter/src/base/diameter_capx.erl     | 19 ++++++++++++++++++-
 lib/diameter/src/base/diameter_peer_fsm.erl |  7 ++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/lib/diameter/src/base/diameter_capx.erl b/lib/diameter/src/base/diameter_capx.erl
index 9a443fead0..4b821f5139 100644
--- a/lib/diameter/src/base/diameter_capx.erl
+++ b/lib/diameter/src/base/diameter_capx.erl
@@ -282,9 +282,26 @@ build_CEA(_, LCaps, RCaps, Dict, CEA) ->
         [] ->
             Dict:'#set-'({'Result-Code', ?NOSECURITY}, CEA);
         [_] = IS ->
-            Dict:'#set-'({'Inband-Security-Id', IS}, CEA)
+            Dict:'#set-'({'Inband-Security-Id', inband_security(IS)}, CEA)
     end.
 
+%% Only set Inband-Security-Id if different from the default, since
+%% RFC 6733 recommends against the AVP:
+%%
+%% 6.10.  Inband-Security-Id AVP
+%%
+%%    The Inband-Security-Id AVP (AVP Code 299) is of type Unsigned32 and
+%%    is used in order to advertise support of the security portion of the
+%%    application.  The use of this AVP in CER and CEA messages is NOT
+%%    RECOMMENDED.  Instead, discovery of a Diameter entity's security
+%%    capabilities can be done either through static configuration or via
+%%    Diameter Peer Discovery as described in Section 5.2.
+
+inband_security([?NO_INBAND_SECURITY]) ->
+    [];
+inband_security([_] = IS) ->
+    IS.
+
 %% common_security/2
 
 common_security(#diameter_caps{inband_security_id = LS},
diff --git a/lib/diameter/src/base/diameter_peer_fsm.erl b/lib/diameter/src/base/diameter_peer_fsm.erl
index 6be4259510..d9db630ec0 100644
--- a/lib/diameter/src/base/diameter_peer_fsm.erl
+++ b/lib/diameter/src/base/diameter_peer_fsm.erl
@@ -702,7 +702,7 @@ build_answer('CER',
         N -> {cea(CEA, N, Dict0), [fun open/5, Pkt,
                                                SupportedApps,
                                                Caps,
-                                               {accept, hd([_] = IS)}]}
+                                               {accept, inband_security(IS)}]}
     catch
         ?FAILURE(Reason) ->
             rejected(Reason, {'CER', Reason, Caps, Pkt}, S)
@@ -719,6 +719,11 @@ build_answer(Type,
     RC = rc(H, Es),
     {answer(Type, RC, Es, S), post(Type, RC, Pkt, S)}.
 
+inband_security([]) ->
+    ?NO_INBAND_SECURITY;
+inband_security([IS]) ->
+    IS.
+
 cea(CEA, ok, _) ->
     CEA;
 cea(CEA, 2001, _) ->
-- 
cgit v1.2.3