path: root/src/openvpn/ssl_verify.h
author: Lev Stipakov <lstipakov@gmail.com> 2015-01-07 21:26:38 +0200
committer: Gert Doering <gert@greenie.muc.de> 2015-01-22 11:34:04 +0100
commit: 0c0c178a3d3bc541ccf076f99c54d5aa6908cbcb (patch)
tree: abd99b85161c92b77fa757e304e684c90a96f8d3 /src/openvpn/ssl_verify.h
parent: bd9aa06feb41838689ed01f79845bc765f887ae3 (diff)
download: openvpn-0c0c178a3d3bc541ccf076f99c54d5aa6908cbcb.tar.gz, openvpn-0c0c178a3d3bc541ccf076f99c54d5aa6908cbcb.tar.xz, openvpn-0c0c178a3d3bc541ccf076f99c54d5aa6908cbcb.zip
Disallow lameduck's float to an address taken by another client
The existing check didn't take into account the case when the floated client is a lame duck (the CN for a lame duck is NULL), which allowed a lame duck to float to an address taken by another client. As a fix we use the cert_hash_compare function which, besides fixing the mentioned case, also allows a lame duck to float to an address already taken by the same client.

Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <1420658798-29943-1-git-send-email-lstipakov@gmail.com>
URL: http://article.gmane.org/gmane.network.openvpn.devel/9386
Signed-off-by: Gert Doering <gert@greenie.muc.de>
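The logic the commit message describes, as an added illustrative model that is not OpenVPN's code: the struct layouts, HASH_LEN, MAX_DEPTH, the two float-check functions and the way NULL common names and NULL hash sets are treated are all assumptions made for this example. It contrasts a float decision based on the common name, which has nothing to compare once a session has become a lame duck and its CN is NULL, with one based on comparing the certificate hash sets of the two sessions, which still lets the same client's lame-duck session float onto the address its newer session holds.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define HASH_LEN  32   /* assumed digest length (e.g. SHA-256) */
#define MAX_DEPTH 4    /* assumed maximum certificate chain depth */

/* Hash of one certificate in a chain (stand-in for the real cert_hash). */
struct cert_hash {
    unsigned char sha[HASH_LEN];
};

/* Hashes for a whole chain, leaf first; unused slots are NULL
 * (stand-in for the real cert_hash_set). */
struct cert_hash_set {
    struct cert_hash *ch[MAX_DEPTH];
};

/* The parts of a client session that the float check looks at. */
struct client {
    const char *common_name;            /* NULL once the session is a lame duck */
    struct cert_hash_set *cert_hash_set;
};

typedef bool (*float_check_fn)(const struct client *floater,
                               const struct client *holder);

/* Pre-fix logic as the commit message describes it: identity is decided by
 * common name. A NULL CN has nothing to compare against, so this model lets
 * it pass; that is the hole, since a lame duck then never mismatches anyone. */
bool float_allowed_by_cn(const struct client *floater, const struct client *holder)
{
    if (floater->common_name == NULL || holder->common_name == NULL) {
        return true;
    }
    return strcmp(floater->common_name, holder->common_name) == 0;
}

/* Post-fix logic: compare the certificate hash sets. Two NULL sets are treated
 * as equal and a NULL set never equals a real one (assumptions of this model,
 * not documented behaviour of the project). */
bool cert_hash_compare(const struct cert_hash_set *chs1,
                       const struct cert_hash_set *chs2)
{
    if (chs1 == chs2) {
        return true;
    }
    if (chs1 == NULL || chs2 == NULL) {
        return false;
    }
    for (int i = 0; i < MAX_DEPTH; i++) {
        const struct cert_hash *a = chs1->ch[i];
        const struct cert_hash *b = chs2->ch[i];
        if (a == b) {
            continue;                   /* both NULL: chain ended at same depth */
        }
        if (a == NULL || b == NULL) {
            return false;               /* chains of different length */
        }
        if (memcmp(a->sha, b->sha, HASH_LEN) != 0) {
            return false;
        }
    }
    return true;
}

bool float_allowed_by_hash(const struct client *floater, const struct client *holder)
{
    return cert_hash_compare(floater->cert_hash_set, holder->cert_hash_set);
}

/* Build a one-certificate hash set whose digest is all `fill` bytes
 * (constructed sample data, not a real certificate hash). */
static void make_set(struct cert_hash_set *set, struct cert_hash *leaf, unsigned char fill)
{
    memset(leaf->sha, fill, HASH_LEN);
    memset(set->ch, 0, sizeof set->ch);
    set->ch[0] = leaf;
}

/* Scenario from the commit message: a lame-duck session of client A tries to
 * float onto an address currently held by client B. */
bool lame_duck_can_take_other_clients_address(float_check_fn check)
{
    struct cert_hash a_leaf, b_leaf;
    struct cert_hash_set a_set, b_set;
    make_set(&a_set, &a_leaf, 0xA1);
    make_set(&b_set, &b_leaf, 0xB2);
    struct client lame_duck_a = { NULL, &a_set };       /* CN already cleared */
    struct client holder_b    = { "client-b", &b_set };
    return check(&lame_duck_a, &holder_b);
}

/* The case the fix must still allow: the same client's lame-duck session
 * floating to an address its newer session already holds. */
bool lame_duck_can_take_own_address(float_check_fn check)
{
    struct cert_hash old_leaf, new_leaf;
    struct cert_hash_set old_set, new_set;
    make_set(&old_set, &old_leaf, 0xA1);
    make_set(&new_set, &new_leaf, 0xA1);                /* same certificate, separate copy */
    struct client lame_duck_a = { NULL, &old_set };
    struct client current_a   = { "client-a", &new_set };
    return check(&lame_duck_a, &current_a);
}

int main(void)
{
    printf("CN check lets lame duck take another client's address: %s\n",
           lame_duck_can_take_other_clients_address(float_allowed_by_cn) ? "yes" : "no");
    printf("hash check lets lame duck take another client's address: %s\n",
           lame_duck_can_take_other_clients_address(float_allowed_by_hash) ? "yes" : "no");
    printf("hash check lets lame duck float to its own address: %s\n",
           lame_duck_can_take_own_address(float_allowed_by_hash) ? "yes" : "no");
    return 0;
}
```

The hash comparison walks the whole chain rather than only the leaf so that two sessions presenting different chains that happen to share a leaf digest in slot 0 are still distinguished; how the real cert_hash_set is filled and compared is defined by the project's own implementation, not by this model.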
Diffstat (limited to 'src/openvpn/ssl_verify.h')
-rw-r--r-- src/openvpn/ssl_verify.h | 8
1 file changed, 8 insertions, 0 deletions
diff --git a/src/openvpn/ssl_verify.h b/src/openvpn/ssl_verify.h
index 5f23431..d5bf22e 100644
--- a/src/openvpn/ssl_verify.h
+++ b/src/openvpn/ssl_verify.h
@@ -137,6 +137,14 @@ const char *tls_common_name (const struct tls_multi* multi, const bool null);
*/
const char *tls_username (const struct tls_multi *multi, const bool null);
+/**
+ * Compares certificates hashes, returns true if hashes are equal.
+ *
+ * @param chs1 cert 1 hash set
+ * @param chs2 cert 2 hash set
+ */
+bool cert_hash_compare (const struct cert_hash_set *chs1, const struct cert_hash_set *chs2);
+
#ifdef ENABLE_PF
/**
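Review bot: the new Doxygen comment on cert_hash_compare documents both parameters but has no @return tag, and it says nothing about NULL arguments, which matters here because the commit message says this function now decides whether a lame duck (whose CN is NULL) may float, so a reader of the header cannot tell whether a NULL hash set on either side compares equal, unequal, or is a caller error. Suggest adding a line such as "@return true if both sets contain the same hashes; behaviour for NULL sets: ..." with the actual rule, and fixing the grammar in the first line: "Compares certificate hashes, returns true if the hashes are equal."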