Avoid partial authentication state when using --disabled in CCD configs

If an openvpn server is configured with --client-config-dir and a client
configuration file contains 'disabled', it is supposed to tell the client
it is not authorized to use the service.

This patch will ensure that the internal state in this scenario is a
complete CAS_FAILED state, and not CAS_PARTIAL if other authorization
steps passed.

Trac: #521
Tested-by: Eric Crist <ecrist@secure-computing.net>
Signed-off-by: David Sommerseth <davids@redhat.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1447246899-22769-1-git-send-email-openvpn@sf.lists.topphemmelig.net>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10486
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit 6c2d790ad8f10029e95aecb0d39377ef06ea8b2a)

diff --git a/src/openvpn/multi.c b/src/openvpn/multi.c
index 374950ea0b626de9553fc04dbadf2c954e23a0d4..4e5df1289efed7cab0bd647f6b6a188f2abf6fce 100644 (file)
--- a/src/openvpn/multi.c
+++ b/src/openvpn/multi.c
@@ -1780,6 +1780,7 @@ multi_connection_established (struct multi_context *m, struct multi_instance *mi
        {
          msg (D_MULTI_ERRORS, "MULTI: client has been rejected due to 'disable' directive");
          cc_succeeded = false;
+         cc_succeeded_count = 0;
        }
 
       if (cc_succeeded)