static void
pf_addr_test_print(const char *prefix,
const char *prefix2,
const struct context *src,
const struct mroute_addr *dest,
const bool allow,
const struct ipv4_subnet *rule)
{
struct gc_arena gc = gc_new();
if (rule)
{
dmsg(D_PF_DEBUG, "PF: %s/%s %s %s %s rule=[%s/%s %s]",
prefix,
prefix2,
tls_common_name(src->c2.tls_multi, false),
mroute_addr_print_ex(dest, MAPF_SHOW_ARP, &gc),
drop_accept(allow),
print_in_addr_t(rule->network, 0, &gc),
print_in_addr_t(rule->netmask, 0, &gc),
drop_accept(!rule->exclude));
}
else
{
dmsg(D_PF_DEBUG, "PF: %s/%s %s %s %s",
prefix,
prefix2,
tls_common_name(src->c2.tls_multi, false),
mroute_addr_print_ex(dest, MAPF_SHOW_ARP, &gc),
drop_accept(allow));
}
gc_free(&gc);
}
/*
* Send a string to remote over the TLS control channel.
* Used for push/pull messages, passing username/password,
* etc.
*/
bool
send_control_channel_string (struct context *c, const char *str, int msglevel)
{
#if defined(ENABLE_CRYPTO) && defined(ENABLE_SSL)
if (c->c2.tls_multi) {
struct gc_arena gc = gc_new ();
bool stat;
/* buffered cleartext write onto TLS control channel */
stat = tls_send_payload (c->c2.tls_multi, (uint8_t*) str, strlen (str) + 1);
/*
* Reschedule tls_multi_process.
* NOTE: in multi-client mode, usually the below two statements are
* insufficient to reschedule the client instance object unless
* multi_schedule_context_wakeup(m, mi) is also called.
*/
interval_action (&c->c2.tmp_int);
context_immediate_reschedule (c); /* ZERO-TIMEOUT */
msg (msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
tls_common_name (c->c2.tls_multi, false),
sanitize_control_message (str, &gc),
(int) stat);
gc_free (&gc);
return stat;
}
#endif
return true;
}
/*
* Send a string to remote over the TLS control channel.
* Used for push/pull messages, passing username/password,
* etc.
*/
bool
send_control_channel_string (struct context *c, const char *str, int msglevel)
{
#if defined(USE_CRYPTO) && defined(USE_SSL)
if (c->c2.tls_multi) {
bool stat;
/* buffered cleartext write onto TLS control channel */
stat = tls_send_payload (c->c2.tls_multi, (uint8_t*) str, strlen (str) + 1);
/* reschedule tls_multi_process */
interval_action (&c->c2.tmp_int);
context_immediate_reschedule (c); /* ZERO-TIMEOUT */
msg (msglevel, "SENT CONTROL [%s]: '%s' (status=%d)",
tls_common_name (c->c2.tls_multi, false),
str,
(int) stat);
return stat;
}
#endif
return true;
}
bool
pf_cn_test(struct pf_set *pfs, const struct tls_multi *tm, const int type, const char *prefix)
{
if (pfs && !pfs->kill)
{
const char *cn;
uint32_t cn_hash;
if (tls_common_name_hash(tm, &cn, &cn_hash))
{
const struct pf_cn *rule = lookup_cn_rule(pfs->cns.hash_table, cn, cn_hash);
if (rule)
{
#ifdef ENABLE_DEBUG
if (check_debug_level(D_PF_DEBUG))
{
pf_cn_test_print("PF_CN_MATCH", type, prefix, cn, !rule->exclude, rule);
}
#endif
if (!rule->exclude)
{
return true;
}
else
{
return false;
}
}
else
{
#ifdef ENABLE_DEBUG
if (check_debug_level(D_PF_DEBUG))
{
pf_cn_test_print("PF_CN_DEFAULT", type, prefix, cn, pfs->cns.default_allow, NULL);
}
#endif
if (pfs->cns.default_allow)
{
return true;
}
else
{
return false;
}
}
}
}
#ifdef ENABLE_DEBUG
if (check_debug_level(D_PF_DEBUG))
{
pf_cn_test_print("PF_CN_FAULT", type, prefix, tls_common_name(tm, false), false, NULL);
}
#endif
return false;
}
