Prevent race conditions for the certificate list

imdawon · Jun 30, 2024 · 3865539 · 3865539
1 parent 1db1d89
commit 3865539
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 17 deletions.
diff --git a/cmd/drawbridge/api.go b/cmd/drawbridge/api.go
@@ -91,17 +91,17 @@ func (d *Drawbridge) handleClientAuthorizationRequest(w http.ResponseWriter, req
 // as well as provisioning mTLS certificates for them.
 // Proxying requests for TCP and UDP traffic is handled by the reverse proxy.
 func (d *Drawbridge) SetUpEmissaryAPI(hostAndPort string) {
-	r := http.NewServeMux()
-	r.HandleFunc("/emissary/v1/auth", d.handleClientAuthorizationRequest)
-	server := http.Server{
-		TLSConfig: d.CA.ServerTLSConfig,
-		Addr:      hostAndPort,
-		Handler:   r,
-	}
-	slog.Info(fmt.Sprintf("Starting Emissary API server on http://%s", server.Addr))
+	// r := http.NewServeMux()
+	// r.HandleFunc("/emissary/v1/auth", d.handleClientAuthorizationRequest)
+	// server := http.Server{
+	// 	TLSConfig: d.CA.ServerTLSConfig,
+	// 	Addr:      hostAndPort,
+	// 	Handler:   r,
+	// }
+	// slog.Info(fmt.Sprintf("Starting Emissary API server on http://%s", server.Addr))
 
 	// We pass "" into listen and serve since we have already configured cert and keyfile for server.
-	slog.Error("Error starting Emissary API server: %s", server.ListenAndServeTLS("", ""))
+	// slog.Error("Error starting Emissary API server: %s", server.ListenAndServeTLS("", ""))
 }
 
 func (d *Drawbridge) SetUpCAAndDependentServices(protectedServices []services.ProtectedService) {
@@ -260,7 +260,9 @@ func (d *Drawbridge) StopRunningProtectedService(id int64) {
 // VerifyPeerCertificateWithRevocationCheck is a custom VerifyPeerCertificate callback
 // that checks if the peer's certificate is in the revoked certificates list
 func (d *Drawbridge) VerifyPeerCertificateWithRevocationCheck(cert string) error {
+	d.CA.CertificateListMutex.RLock()
 	deviceUUID := d.CA.CertificateList[cert]
+	d.CA.CertificateListMutex.RUnlock()
 	if deviceUUID.Revoked == 1 {
 		return errors.New("certificate is revoked")
 	}

diff --git a/cmd/reverse_proxy/ca/ca.go b/cmd/reverse_proxy/ca/ca.go
@@ -31,8 +31,9 @@ type CA struct {
 	CertificateAuthority *x509.Certificate
 	PrivateKey           crypto.PrivateKey
 	DB                   *persistence.SQLiteRepository
-	// sha256 key of certificate -> device uuid and revoked
-	CertificateList map[string]emissary.DeviceCertificate
+	// sha256 key of certificate -> device uuid and revoked value (0 for false| 1 for true)
+	CertificateList      map[string]emissary.DeviceCertificate
+	CertificateListMutex sync.RWMutex
 }
 
 var CertificateAuthority *CA
@@ -325,25 +326,23 @@ func (c *CA) verifyEmissaryCertificate(rawCerts [][]byte, verifiedChains [][]*x5
 	return nil
 }
 
-var revokedCertsMutex sync.RWMutex
-
 // RevokeCertInCertificateRevocationList adds a certificate to the revoked certificates list
 func (c *CA) RevokeCertInCertificateRevocationList(shaCert string) {
-	revokedCertsMutex.Lock()
-	defer revokedCertsMutex.Unlock()
+	c.CertificateListMutex.Lock()
 	cert, ok := c.CertificateList[shaCert]
 	if !ok {
 		slog.Error("Unable to revoke certificate as it doesn't exist in the certificate list", shaCert)
 	}
+	c.CertificateListMutex.Unlock()
 	certCopy := cert
 	certCopy.Revoked = 1
 	c.CertificateList[shaCert] = certCopy
 }
 
 // RevokeCertInCertificateRevocationList adds a certificate to the revoked certificates list
 func (c *CA) UnRevokeCertInCertificateRevocationList(shaCert string) {
-	revokedCertsMutex.Lock()
-	defer revokedCertsMutex.Unlock()
+	c.CertificateListMutex.Lock()
+	defer c.CertificateListMutex.Unlock()
 	cert, ok := c.CertificateList[shaCert]
 	if !ok {
 		slog.Error("Unable to unrevoke certificate as it doesn't exist in the certificate list", shaCert)