
Source code changes of the file "nonce/nonce.go" between
boulder-release-2020-06-23.tar.gz and boulder-release-2020-06-29.tar.gz

About: Boulder is an ACME-based Certificate Authority (CA) used by Let’s Encrypt (written in Go).

nonce.go  (boulder-release-2020-06-23):nonce.go  (boulder-release-2020-06-29)
skipping to change at line 50 skipping to change at line 50
// NonceService generates, cancels, and tracks Nonces. // NonceService generates, cancels, and tracks Nonces.
type NonceService struct { type NonceService struct {
mu sync.Mutex mu sync.Mutex
latest int64 latest int64
earliest int64 earliest int64
used map[int64]bool used map[int64]bool
usedHeap *int64Heap usedHeap *int64Heap
gcm cipher.AEAD gcm cipher.AEAD
maxUsed int maxUsed int
prefix string prefix string
noncesGenerated prometheus.Counter nonceCreates prometheus.Counter
nonceValidations *prometheus.CounterVec nonceRedeems *prometheus.CounterVec
nonceHeapLatency prometheus.Histogram nonceHeapLatency prometheus.Histogram
} }
type int64Heap []int64 type int64Heap []int64
func (h int64Heap) Len() int { return len(h) } func (h int64Heap) Len() int { return len(h) }
func (h int64Heap) Less(i, j int) bool { return h[i] < h[j] } func (h int64Heap) Less(i, j int) bool { return h[i] < h[j] }
func (h int64Heap) Swap(i, j int) { h[i], h[j] = h[j], h[i] } func (h int64Heap) Swap(i, j int) { h[i], h[j] = h[j], h[i] }
func (h *int64Heap) Push(x interface{}) { func (h *int64Heap) Push(x interface{}) {
skipping to change at line 108 skipping to change at line 108
} }
gcm, err := cipher.NewGCM(c) gcm, err := cipher.NewGCM(c)
if err != nil { if err != nil {
panic("Failure in NewGCM: " + err.Error()) panic("Failure in NewGCM: " + err.Error())
} }
if maxUsed <= 0 { if maxUsed <= 0 {
maxUsed = defaultMaxUsed maxUsed = defaultMaxUsed
} }
noncesGenerated := prometheus.NewCounter(prometheus.CounterOpts{ nonceCreates := prometheus.NewCounter(prometheus.CounterOpts{
Name: "nonces_generated", Name: "nonce_creates",
Help: "A counter of nonces generated", Help: "A counter of nonces generated",
}) })
stats.MustRegister(noncesGenerated) stats.MustRegister(nonceCreates)
nonceValidations := prometheus.NewCounterVec(prometheus.CounterOpts{ nonceRedeems := prometheus.NewCounterVec(prometheus.CounterOpts{
Name: "nonces_validations", Name: "nonce_redeems",
Help: "A counter of nonce validations labelled by result", Help: "A counter of nonce validations labelled by result",
}, []string{"result", "error"}) }, []string{"result", "error"})
stats.MustRegister(nonceValidations) stats.MustRegister(nonceRedeems)
nonceHeapLatency := prometheus.NewHistogram(prometheus.HistogramOpts{ nonceHeapLatency := prometheus.NewHistogram(prometheus.HistogramOpts{
Name: "nonce_heap_latency", Name: "nonce_heap_latency",
Help: "A histogram of latencies of heap pop operations", Help: "A histogram of latencies of heap pop operations",
}) })
stats.MustRegister(nonceHeapLatency) stats.MustRegister(nonceHeapLatency)
return &NonceService{ return &NonceService{
earliest: 0, earliest: 0,
latest: 0, latest: 0,
used: make(map[int64]bool, maxUsed), used: make(map[int64]bool, maxUsed),
usedHeap: &int64Heap{}, usedHeap: &int64Heap{},
gcm: gcm, gcm: gcm,
maxUsed: maxUsed, maxUsed: maxUsed,
prefix: prefix, prefix: prefix,
noncesGenerated: noncesGenerated, nonceCreates: nonceCreates,
nonceValidations: nonceValidations, nonceRedeems: nonceRedeems,
nonceHeapLatency: nonceHeapLatency, nonceHeapLatency: nonceHeapLatency,
}, nil }, nil
} }
func (ns *NonceService) encrypt(counter int64) (string, error) { func (ns *NonceService) encrypt(counter int64) (string, error) {
// Generate a nonce with upper 4 bytes zero // Generate a nonce with upper 4 bytes zero
nonce := make([]byte, 12) nonce := make([]byte, 12)
for i := 0; i < 4; i++ { for i := 0; i < 4; i++ {
nonce[i] = 0 nonce[i] = 0
} }
skipping to change at line 206 skipping to change at line 206
ctr.SetBytes(pt) ctr.SetBytes(pt)
return ctr.Int64(), nil return ctr.Int64(), nil
} }
// Nonce provides a new Nonce. // Nonce provides a new Nonce.
func (ns *NonceService) Nonce() (string, error) { func (ns *NonceService) Nonce() (string, error) {
ns.mu.Lock() ns.mu.Lock()
ns.latest++ ns.latest++
latest := ns.latest latest := ns.latest
ns.mu.Unlock() ns.mu.Unlock()
defer ns.noncesGenerated.Inc() defer ns.nonceCreates.Inc()
return ns.encrypt(latest) return ns.encrypt(latest)
} }
// Valid determines whether the provided Nonce string is valid, returning // Valid determines whether the provided Nonce string is valid, returning
// true if so. // true if so.
func (ns *NonceService) Valid(nonce string) bool { func (ns *NonceService) Valid(nonce string) bool {
c, err := ns.decrypt(nonce) c, err := ns.decrypt(nonce)
if err != nil { if err != nil {
ns.nonceValidations.WithLabelValues("invalid", "decrypt").Inc() ns.nonceRedeems.WithLabelValues("invalid", "decrypt").Inc()
return false return false
} }
ns.mu.Lock() ns.mu.Lock()
defer ns.mu.Unlock() defer ns.mu.Unlock()
if c > ns.latest { if c > ns.latest {
ns.nonceValidations.WithLabelValues("invalid", "too high").Inc() ns.nonceRedeems.WithLabelValues("invalid", "too high").Inc()
return false return false
} }
if c <= ns.earliest { if c <= ns.earliest {
ns.nonceValidations.WithLabelValues("invalid", "too low").Inc() ns.nonceRedeems.WithLabelValues("invalid", "too low").Inc()
return false return false
} }
if ns.used[c] { if ns.used[c] {
ns.nonceValidations.WithLabelValues("invalid", "already used").In c() ns.nonceRedeems.WithLabelValues("invalid", "already used").Inc()
return false return false
} }
ns.used[c] = true ns.used[c] = true
heap.Push(ns.usedHeap, c) heap.Push(ns.usedHeap, c)
if len(ns.used) > ns.maxUsed { if len(ns.used) > ns.maxUsed {
s := time.Now() s := time.Now()
ns.earliest = heap.Pop(ns.usedHeap).(int64) ns.earliest = heap.Pop(ns.usedHeap).(int64)
ns.nonceHeapLatency.Observe(time.Since(s).Seconds()) ns.nonceHeapLatency.Observe(time.Since(s).Seconds())
delete(ns.used, ns.earliest) delete(ns.used, ns.earliest)
} }
ns.nonceValidations.WithLabelValues("valid", "").Inc() ns.nonceRedeems.WithLabelValues("valid", "").Inc()
return true return true
} }
func splitNonce(nonce string) (string, string, error) { func splitNonce(nonce string) (string, string, error) {
if len(nonce) < 4 { if len(nonce) < 4 {
return "", "", errInvalidNonceLength return "", "", errInvalidNonceLength
} }
return nonce[:4], nonce[4:], nil return nonce[:4], nonce[4:], nil
} }
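Review bot: The Help strings of the two renamed counters were not updated with the names, so the exported metric documentation now disagrees with the metric: `nonce_creates` still reads "A counter of nonces generated" and `nonce_redeems` still reads "A counter of nonce validations labelled by result". Suggest `Help: "A counter of nonces created",` and `Help: "A counter of nonce redemptions labelled by result",` so the help text follows the create/redeem vocabulary the rename introduces. Since the exported names `nonces_generated` and `nonces_validations` disappear, any dashboards or alerts keyed on them silently stop receiving data; that is worth stating in the commit description. The constructor these lines belong to begins outside the shown hunk.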
 End of changes. 11 change blocks. 
16 lines changed or deleted 16 lines changed or added
