plaisthos has uploaded this change for review. ( http://gerrit.openvpn.net/c/openvpn/+/1724?usp=email )
Change subject: Add check that username is identical to multi float ...................................................................... Add check that username is identical to multi float This adds this as additional safe guard for setups that do not use client certificates. Change-Id: Ie552084638320b3bace76be2f589013f12af3c46 Signed-off-by: Arne Schwabe <[email protected]> --- M src/openvpn/multi.c 1 file changed, 12 insertions(+), 1 deletion(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/24/1724/1 diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c index e2c0405..8a8d742 100644 --- a/src/openvpn/multi.c +++ b/src/openvpn/multi.c @@ -3140,6 +3140,17 @@ goto done; } + /* do not allow if target address has a different username */ + if (m1->locked_username || m2->locked_username) + { + if (!m1->locked_username || !m2->locked_username + || strcmp(m1->locked_username, m2->locked_username) != 0) + { + msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s", + multi_instance_string(ex_mi, false, &gc)); + } + } + /* It doesn't make sense to let a peer float to the address it already * has, so we disallow it. This can happen if a DCO netlink notification * gets lost and we miss a floating step. @@ -3156,7 +3167,7 @@ msg(D_MULTI_LOW, "closing instance %s due to float collision with %s " - "using the same certificate", + "using the same certificate and username", multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc)); multi_close_instance(m, ex_mi, false); return true; -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1724?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: Ie552084638320b3bace76be2f589013f12af3c46 Gerrit-Change-Number: 1724 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
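Review bot: In the first hunk (@@ -3140 in src/openvpn/multi.c), the username-mismatch branch only calls msg() and then falls through, so the float is logged as disallowed but not actually refused. The check just above it in the context ends with `goto done;`, and this branch needs the same after the msg() call for the safeguard to take effect. The condition also reads `m1->locked_username` and `m2->locked_username`, while the log line and the surrounding context use `ex_mi` and `mi`. Please confirm that m1 and m2 are the intended objects in this function. A short comment stating that a username on only one side counts as a mismatch would document the inner condition.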
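Review bot: In the second hunk (@@ -3156), the log text becomes "using the same certificate and username" unconditionally, but the check added in the first hunk is skipped when neither instance has a locked_username. In certificate-only setups the message would then claim a username comparison that never happened. Consider mentioning the username only when one was compared, or wording it as "same certificate (and username, if set)".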
