[Openvpn-devel,v4] Add check that username is identical to multi float
Commit Message
From: Arne Schwabe <arne@rfc2549.org>
This adds an additional safe guard for setups that do not use
client certificates.
Change-Id: Ie552084638320b3bace76be2f589013f12af3c46
Signed-off-by: Arne Schwabe <arne@rfc2549.org>
Acked-by: Frank Lichtenheld <frank@lichtenheld.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1724
---
This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1724
This mail reflects revision 4 of this Change.
Acked-by according to Gerrit (reflected above):
Frank Lichtenheld <frank@lichtenheld.com>
@@ -3115,6 +3115,18 @@
goto done;
}
+ /* do not allow if target address has a different username */
+ if (m1->locked_username || m2->locked_username)
+ {
+ if (!m1->locked_username || !m2->locked_username
+ || strcmp(m1->locked_username, m2->locked_username) != 0)
+ {
+ msg(D_MULTI_LOW, "Disallow float to an address taken by another client %s",
+ multi_instance_string(ex_mi, false, &gc));
+ goto done;
+ }
+ }
+
/* It doesn't make sense to let a peer float to the address it already
* has, so we disallow it. This can happen if a DCO netlink notification
* gets lost and we miss a floating step.
@@ -3131,7 +3143,7 @@
msg(D_MULTI_LOW,
"closing instance %s due to float collision with %s "
- "using the same certificate",
+ "using the same certificate and username",
multi_instance_string(ex_mi, false, &gc), multi_instance_string(mi, false, &gc));
multi_close_instance(m, ex_mi, false);
ret = true;