]>
Commit | Line | Data |
---|---|---|
0854fb22 DM |
1 | package PMG::Cluster; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Socket; | |
7 | use PVE::Tools; | |
8 | use PVE::INotify; | |
9 | ||
10 | # this is also used to get the IP of the local node | |
11 | sub remote_node_ip { | |
12 | my ($nodename, $noerr) = @_; | |
13 | ||
14 | # todo: implement cluster node list | |
15 | ||
16 | # fallback: try to get IP by other means | |
17 | my ($family, $packed_ip); | |
18 | ||
19 | eval { | |
20 | my @res = PVE::Tools::getaddrinfo_all($nodename); | |
21 | $family = $res[0]->{family}; | |
22 | $packed_ip = (PVE::Tools::unpack_sockaddr_in46($res[0]->{addr}))[2]; | |
23 | }; | |
24 | ||
25 | if ($@) { | |
26 | die "hostname lookup failed:\n$@" if !$noerr; | |
27 | return undef; | |
28 | } | |
29 | ||
30 | my $ip = Socket::inet_ntop($family, $packed_ip); | |
31 | if ($ip =~ m/^127\.|^::1$/) { | |
32 | die "hostname lookup failed - got local IP address ($nodename = $ip)\n" if !$noerr; | |
33 | return undef; | |
34 | } | |
35 | ||
36 | return wantarray ? ($ip, $family) : $ip; | |
37 | } | |
38 | ||
39 | # X509 Certificate cache helper | |
40 | ||
41 | my $cert_cache_nodes = {}; | |
42 | my $cert_cache_timestamp = time(); | |
43 | my $cert_cache_fingerprints = {}; | |
44 | ||
45 | sub update_cert_cache { | |
46 | my ($update_node, $clear) = @_; | |
47 | ||
48 | syslog('info', "Clearing outdated entries from certificate cache") | |
49 | if $clear; | |
50 | ||
51 | $cert_cache_timestamp = time() if !defined($update_node); | |
52 | ||
53 | my $node_list = defined($update_node) ? | |
54 | [ $update_node ] : [ keys %$cert_cache_nodes ]; | |
55 | ||
56 | my $clear_node = sub { | |
57 | my ($node) = @_; | |
58 | if (my $old_fp = $cert_cache_nodes->{$node}) { | |
59 | # distrust old fingerprint | |
60 | delete $cert_cache_fingerprints->{$old_fp}; | |
61 | # ensure reload on next proxied request | |
62 | delete $cert_cache_nodes->{$node}; | |
63 | } | |
64 | }; | |
65 | ||
66 | my $nodename = PVE::INotify::nodename(); | |
67 | ||
68 | foreach my $node (@$node_list) { | |
69 | ||
70 | if ($node ne $nodename) { | |
71 | &$clear_node($node) if $clear; | |
72 | next; | |
73 | } | |
74 | ||
75 | my $cert_path = "/etc/proxmox/pmg-api.pem"; | |
76 | ||
77 | my $cert; | |
78 | eval { | |
79 | my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r'); | |
80 | $cert = Net::SSLeay::PEM_read_bio_X509($bio); | |
81 | Net::SSLeay::BIO_free($bio); | |
82 | }; | |
83 | my $err = $@; | |
84 | if ($err || !defined($cert)) { | |
85 | &$clear_node($node) if $clear; | |
86 | next; | |
87 | } | |
88 | ||
89 | my $fp; | |
90 | eval { | |
91 | $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256'); | |
92 | }; | |
93 | $err = $@; | |
94 | if ($err || !defined($fp) || $fp eq '') { | |
95 | &$clear_node($node) if $clear; | |
96 | next; | |
97 | } | |
98 | ||
99 | my $old_fp = $cert_cache_nodes->{$node}; | |
100 | $cert_cache_fingerprints->{$fp} = 1; | |
101 | $cert_cache_nodes->{$node} = $fp; | |
102 | ||
103 | if (defined($old_fp) && $fp ne $old_fp) { | |
104 | delete $cert_cache_fingerprints->{$old_fp}; | |
105 | } | |
106 | } | |
107 | } | |
108 | ||
109 | # load and cache cert fingerprint once | |
110 | sub initialize_cert_cache { | |
111 | my ($node) = @_; | |
112 | ||
113 | update_cert_cache($node) | |
114 | if defined($node) && !defined($cert_cache_nodes->{$node}); | |
115 | } | |
116 | ||
117 | sub check_cert_fingerprint { | |
118 | my ($cert) = @_; | |
119 | ||
120 | # clear cache every 30 minutes at least | |
121 | update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30; | |
122 | ||
123 | # get fingerprint of server certificate | |
124 | my $fp; | |
125 | eval { | |
126 | $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256'); | |
127 | }; | |
128 | return 0 if $@ || !defined($fp) || $fp eq ''; # error | |
129 | ||
130 | my $check = sub { | |
131 | for my $expected (keys %$cert_cache_fingerprints) { | |
132 | return 1 if $fp eq $expected; | |
133 | } | |
134 | return 0; | |
135 | }; | |
136 | ||
137 | return 1 if &$check(); | |
138 | ||
139 | # clear cache and retry at most once every minute | |
140 | if (time() - $cert_cache_timestamp >= 60) { | |
141 | syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache"); | |
142 | update_cert_cache(); | |
143 | return &$check(); | |
144 | } | |
145 | ||
146 | return 0; | |
147 | } | |
148 | ||
149 | 1; |