Attention is currently required from: flichtenheld.

Hello flichtenheld, 

I'd like you to reexamine a change. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/1724?usp=email

to look at the new patch set (#3).


Change subject: Add check that username is identical to multi float
......................................................................

Add check that username is identical to multi float

This adds an additional safeguard for setups that do not use
client certificates.

Change-Id: Ie552084638320b3bace76be2f589013f12af3c46
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/multi.c
1 file changed, 13 insertions(+), 1 deletion(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/24/1724/3

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 05a9dd3..78c4693 100644
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -3116,6 +3116,18 @@
         goto done;
     }

+    /* do not allow if target address has a different username */
+    if (m1->locked_username || m2->locked_username)
+    {
+        if (!m1->locked_username || !m2->locked_username
+            || strcmp(m1->locked_username, m2->locked_username) != 0)
+        {
+            msg(D_MULTI_LOW, "Disallow float to an address taken by another 
client %s",
+                multi_instance_string(ex_mi, false, &gc));
+            goto done;
+        }
+    }
+
     /* It doesn't make sense to let a peer float to the address it already
      * has, so we disallow it. This can happen if a DCO netlink notification
      * gets lost and we miss a floating step.
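Review bot: the inner condition of the added block also refuses the float when only one of m1->locked_username and m2->locked_username is set, but neither the comment ("do not allow if target address has a different username") nor the log text ("Disallow float to an address taken by another client %s") says so, and the log text does not name the username as the reason. Suggest extending the comment to state that a locked username on one side only is treated as a mismatch, and mentioning the username mismatch in the msg() string so the log shows which check rejected the float.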
@@ -3132,7 +3144,7 @@
 
     msg(D_MULTI_LOW,
         "closing instance %s due to float collision with %s "
-        "using the same certificate",
+        "using the same certificate and username",
         multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, 
false, &gc));
     multi_close_instance(m, ex_mi, false);
     ret = true;
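Review bot: the changed string "using the same certificate and username" is logged unconditionally, yet the username comparison added in the previous hunk is skipped when neither instance has a locked_username, so in that case the message claims a username match that was never checked. Suggest wording that holds in both cases, or adding the "and username" part only when locked_username is set.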

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1724?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings?usp=email

Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: Ie552084638320b3bace76be2f589013f12af3c46
Gerrit-Change-Number: 1724
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
