[pve-devel] [PATCH v2 manager 01/10] takeover CertCache from pve-cluster

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Nov 11 11:28:33 CET 2019 

same code, same semantics, different file/module

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/Makefile      |  1 +
 PVE/CertCache.pm  | 92 +++++++++++++++++++++++++++++++++++++++++++++++
 PVE/HTTPServer.pm |  5 +--
 3 files changed, 96 insertions(+), 2 deletions(-)
 create mode 100644 PVE/CertCache.pm

diff --git a/PVE/Makefile b/PVE/Makefile
index ad21d383..3a422bda 100644
--- a/PVE/Makefile
+++ b/PVE/Makefile
@@ -4,6 +4,7 @@ SUBDIRS=API2 Status CLI Service Ceph
 
 PERLSOURCE = 			\
 	CertHelpers.pm		\
+	CertCache.pm		\
 	API2.pm			\
 	API2Tools.pm		\
 	HTTPServer.pm		\
diff --git a/PVE/CertCache.pm b/PVE/CertCache.pm
new file mode 100644
index 00000000..4eadab29
--- /dev/null
+++ b/PVE/CertCache.pm
@@ -0,0 +1,92 @@
+package PVE::CertCache;
+
+use strict;
+use warnings;
+
+use Net::SSLeay;
+
+use PVE::Cluster;
+use PVE::SafeSyslog;
+
+# X509 Certificate cache helper
+
+my $cert_cache_nodes = {};
+my $cert_cache_timestamp = time();
+my $cert_cache_fingerprints = {};
+
+sub update_cert_cache {
+    my ($update_node, $clear) = @_;
+
+    syslog('info', "Clearing outdated entries from certificate cache")
+	if $clear;
+
+    $cert_cache_timestamp = time() if !defined($update_node);
+
+    my $node_list = defined($update_node) ?
+	[ $update_node ] : [ keys %$cert_cache_nodes ];
+
+    foreach my $node (@$node_list) {
+	my $clear_old = sub {
+	    if (my $old_fp = $cert_cache_nodes->{$node}) {
+		# distrust old fingerprint
+		delete $cert_cache_fingerprints->{$old_fp};
+		# ensure reload on next proxied request
+		delete $cert_cache_nodes->{$node};
+	    }
+	};
+
+	my $fp = eval { PVE::Cluster::get_node_fingerprint($node) };
+	if (my $err = $@) {
+	    warn "$err\n";
+	    &$clear_old() if $clear;
+	    next;
+	}
+
+	my $old_fp = $cert_cache_nodes->{$node};
+	$cert_cache_fingerprints->{$fp} = 1;
+	$cert_cache_nodes->{$node} = $fp;
+
+	if (defined($old_fp) && $fp ne $old_fp) {
+	    delete $cert_cache_fingerprints->{$old_fp};
+	}
+    }
+}
+
+# load and cache cert fingerprint once
+sub initialize_cert_cache {
+    my ($node) = @_;
+
+    update_cert_cache($node)
+	if defined($node) && !defined($cert_cache_nodes->{$node});
+}
+
+sub check_cert_fingerprint {
+    my ($cert) = @_;
+
+    # clear cache every 30 minutes at least
+    update_cert_cache(undef, 1) if time() - $cert_cache_timestamp >= 60*30;
+
+    # get fingerprint of server certificate
+    my $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256');
+    return 0 if !defined($fp) || $fp eq ''; # error
+
+    my $check = sub {
+	for my $expected (keys %$cert_cache_fingerprints) {
+	    return 1 if $fp eq $expected;
+	}
+	return 0;
+    };
+
+    return 1 if &$check();
+
+    # clear cache and retry at most once every minute
+    if (time() - $cert_cache_timestamp >= 60) {
+	syslog ('info', "Could not verify remote node certificate '$fp' with list of pinned certificates, refreshing cache");
+	update_cert_cache();
+	return &$check();
+    }
+
+    return 0;
+}
+
+1;
diff --git a/PVE/HTTPServer.pm b/PVE/HTTPServer.pm
index ce895725..e9572c71 100755
--- a/PVE/HTTPServer.pm
+++ b/PVE/HTTPServer.pm
@@ -11,6 +11,7 @@ use PVE::Exception qw(raise_param_exc raise);
 
 use PVE::RPCEnvironment;
 use PVE::AccessControl;
+use PVE::CertCache;
 use PVE::Cluster;
 use PVE::API2Tools;
 
@@ -199,13 +200,13 @@ sub rest_handler {
 sub check_cert_fingerprint {
     my ($self, $cert) = @_;
 
-    return PVE::Cluster::check_cert_fingerprint($cert);
+    return PVE::CertCache::check_cert_fingerprint($cert);
 }
 
 sub initialize_cert_cache {
     my ($self, $node) = @_;
 
-    PVE::Cluster::initialize_cert_cache($node);
+    PVE::CertCache::initialize_cert_cache($node);
 }
 
 sub remote_node_ip {
-- 
2.20.1

More information about the pve-devel mailing list