author | Parménides GV <parmegv@sdf.org> | 2015-02-14 11:48:37 +0100 |
---|---|---|
committer | Parménides GV <parmegv@sdf.org> | 2015-02-14 11:48:37 +0100 |
commit | c198dbd9dd583d980ae7e70118f67d09bed8de55 (patch) | |
tree | c2863f28134af00f26299c97bb6a81ed0aa4ed96 /app/openvpn/src/openvpn/multi.c | |
parent | 9d346be65e6808710b9e814d2899e5888984b4ab (diff) | |
parent | 4028c100a59c45913cb569c4967faaddc090b1f9 (diff) |
Merge branch 'develop'0.9.2
Diffstat (limited to 'app/openvpn/src/openvpn/multi.c')
-rw-r--r-- | app/openvpn/src/openvpn/multi.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/app/openvpn/src/openvpn/multi.c b/app/openvpn/src/openvpn/multi.c
index 90b3d2dc..b3688594 100644
--- a/app/openvpn/src/openvpn/multi.c
+++ b/app/openvpn/src/openvpn/multi.c
@@ -2125,17 +2125,20 @@ void multi_process_float (struct multi_context* m, struct multi_instance* mi)
 const uint32_t hv = hash_value (hash, &real);
 struct hash_bucket *bucket = hash_bucket (hash, hv);
+ /* make sure that we don't float to an address taken by another client */
 struct hash_element *he = hash_lookup_fast (hash, bucket, &real, hv);
 if (he)
 {
 struct multi_instance *ex_mi = (struct multi_instance *) he->value;
- const char *cn = tls_common_name (mi->context.c2.tls_multi, true);
- const char *ex_cn = tls_common_name (ex_mi->context.c2.tls_multi, true);
- if (cn && ex_cn && strcmp (cn, ex_cn))
+ struct tls_multi *m1 = mi->context.c2.tls_multi;
+ struct tls_multi *m2 = ex_mi->context.c2.tls_multi;
+
+ /* do not float if target address is taken by client with another cert */
+ if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))
 {
- msg (D_MULTI_MEDIUM, "prevent float to %s",
- multi_instance_string (ex_mi, false, &gc));
+ msg (D_MULTI_MEDIUM, "Disallow float to an address taken by another client %s",
+ multi_instance_string (ex_mi, false, &gc));
 mi->context.c2.buf.len = 0; |
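Review bot: The new guard `if (!cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))` does not say what happens when neither instance has a locked certificate hash set, for example on a server that accepts clients without certificates. cert_hash_compare is defined outside this hunk; if it reports two unset sets as equal, a float to an address held by a different client would still be allowed in that configuration, so this should be confirmed and recorded next to the check, e.g. `/* NOTE: confirm cert_hash_compare() does not treat two unset hash sets as the same client */`. The old code guarded its inputs with `cn && ex_cn`, whereas `m1` and `m2` are now dereferenced unchecked; if `tls_multi` can be NULL on this path, `if (!m1 || !m2 || !cert_hash_compare(m1->locked_cert_hash_set, m2->locked_cert_hash_set))` would fail closed. The body of multi_process_float starts and ends outside the hunk.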