]>
Commit | Line | Data |
---|---|---|
0f9ac2df FG |
1 | package PVE::CertCache; |
2 | ||
3 | use strict; | |
4 | use warnings; | |
5 | ||
6 | use Net::SSLeay; | |
7 | ||
8 | use PVE::Cluster; | |
9 | use PVE::SafeSyslog; | |
10 | ||
11 | # X509 Certificate cache helper | |
12 | ||
13 | my $cert_cache_nodes = {}; | |
14 | my $cert_cache_timestamp = time(); | |
15 | my $cert_cache_fingerprints = {}; | |
16 | ||
17 | sub update_cert_cache { | |
18 | my ($update_node, $clear) = @_; | |
19 | ||
20 | syslog('info', "Clearing outdated entries from certificate cache") | |
21 | if $clear; | |
22 | ||
23 | $cert_cache_timestamp = time() if !defined($update_node); | |
24 | ||
25 | my $node_list = defined($update_node) ? | |
26 | [ $update_node ] : [ keys %$cert_cache_nodes ]; | |
27 | ||
28 | foreach my $node (@$node_list) { | |
29 | my $clear_old = sub { | |
30 | if (my $old_fp = $cert_cache_nodes->{$node}) { | |
31 | # distrust old fingerprint | |
32 | delete $cert_cache_fingerprints->{$old_fp}; | |
33 | # ensure reload on next proxied request | |
34 | delete $cert_cache_nodes->{$node}; | |
35 | } | |
36 | }; | |
37 | ||
38 | my $fp = eval { PVE::Cluster::get_node_fingerprint($node) }; | |
39 | if (my $err = $@) { | |
40 | warn "$err\n"; | |
41 | &$clear_old() if $clear; | |
42 | next; | |
43 | } | |
44 | ||
45 | my $old_fp = $cert_cache_nodes->{$node}; | |
46 | $cert_cache_fingerprints->{$fp} = 1; | |
47 | $cert_cache_nodes->{$node} = $fp; | |
48 | ||
49 | if (defined($old_fp) && $fp ne $old_fp) { | |
50 | delete $cert_cache_fingerprints->{$old_fp}; | |
51 | } | |
52 | } | |
53 | } | |
54 | ||
55 | # load and cache cert fingerprint once | |
56 | sub initialize_cert_cache { | |
57 | my ($node) = @_; | |
58 | ||
59 | update_cert_cache($node) | |
60 | if defined($node) && !defined($cert_cache_nodes->{$node}); | |
61 | } | |
62 | ||
63 | sub check_cert_fingerprint { | |
64 | my ($cert) = @_; | |
65 | ||
66 | # clear cache every 30 minutes at least | |
67 | update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30; | |
68 | ||
69 | # get fingerprint of server certificate | |
70 | my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256'); | |
71 | return 0 if !defined($fp) || $fp eq ''; # error | |
72 | ||
73 | my $check = sub { | |
74 | for my $expected (keys %$cert_cache_fingerprints) { | |
75 | return 1 if $fp eq $expected; | |
76 | } | |
77 | return 0; | |
78 | }; | |
79 | ||
80 | return 1 if &$check(); | |
81 | ||
82 | # clear cache and retry at most once every minute | |
83 | if (time() - $cert_cache_timestamp >= 60) { | |
84 | syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache"); | |
85 | update_cert_cache(); | |
86 | return &$check(); | |
87 | } | |
88 | ||
89 | return 0; | |
90 | } | |
91 | ||
92 | 1; |