Merge branch 'master' into go-jose-update

core/dns.go

@@ -127,6 +127,7 @@ func NewDNSResolverImpl(dialTimeout time.Duration, servers []string) *DNSResolve
 
 	// Set timeout for underlying net.Conn
 	dnsClient.DialTimeout = dialTimeout
+	dnsClient.Net = "tcp"
 
 	return &DNSResolverImpl{
 		DNSClient:                dnsClient,

core/dns_test.go

@@ -21,7 +21,6 @@ import (
 const dnsLoopbackAddr = "127.0.0.1:4053"
 
 func mockDNSQuery(w dns.ResponseWriter, r *dns.Msg) {
-	defer w.Close()
 	m := new(dns.Msg)
 	m.SetReply(r)
 	m.Compress = false
@@ -114,7 +113,7 @@ func mockDNSQuery(w dns.ResponseWriter, r *dns.Msg) {
 
 func serveLoopResolver(stopChan chan bool) chan bool {
 	dns.HandleFunc(".", mockDNSQuery)
-	server := &dns.Server{Addr: dnsLoopbackAddr, Net: "udp", ReadTimeout: time.Millisecond, WriteTimeout: time.Millisecond}
+	server := &dns.Server{Addr: dnsLoopbackAddr, Net: "tcp", ReadTimeout: time.Millisecond, WriteTimeout: time.Millisecond}
 	waitChan := make(chan bool, 1)
 	go func() {
 		waitChan <- true

policy/policy-authority.go

@@ -7,6 +7,7 @@ package policy
 
 import (
 	"errors"
+	"math/rand"
 	"net"
 	"regexp"
 	"strings"
@@ -25,6 +26,7 @@ type PolicyAuthorityImpl struct {
 
 	EnforceWhitelist  bool
 	enabledChallenges map[string]bool
+	pseudoRNG         *rand.Rand
 }
 
 // NewPolicyAuthorityImpl constructs a Policy Authority.
@@ -43,6 +45,8 @@ func NewPolicyAuthorityImpl(dbMap *gorp.DbMap, enforceWhitelist bool, challengeT
 		DB:                padb,
 		EnforceWhitelist:  enforceWhitelist,
 		enabledChallenges: challengeTypes,
+		// We don't need real randomness for this.
+		pseudoRNG: rand.New(rand.NewSource(99)),
 	}
 
 	return &pa, nil
@@ -206,9 +210,8 @@ func (pa PolicyAuthorityImpl) WillingToIssue(id core.AcmeIdentifier, regID int64
 // acceptable for the given identifier.
 //
 // Note: Current implementation is static, but future versions may not be.
-func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, accountKey *jose.JsonWebKey) (challenges []core.Challenge, combinations [][]int, err error) {
+func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, accountKey *jose.JsonWebKey) ([]core.Challenge, [][]int, error) {
-	challenges = []core.Challenge{}
+	challenges := []core.Challenge{}
-	combinations = [][]int{}
 
 	// TODO(https://github.com/letsencrypt/boulder/issues/894): Remove this block
 	if pa.enabledChallenges[core.ChallengeTypeSimpleHTTP] {
@@ -232,9 +235,20 @@ func (pa PolicyAuthorityImpl) ChallengesFor(identifier core.AcmeIdentifier, acco
 		challenges = append(challenges, core.DNSChallenge01(accountKey))
 	}
 
-	combinations = make([][]int, len(challenges))
+	// We shuffle the challenges and combinations to prevent ACME clients from
-	for i := range combinations {
+	// relying on the specific order that boulder returns them in.
+	shuffled := make([]core.Challenge, len(challenges))
+	combinations := make([][]int, len(challenges))
+
+	for i, challIdx := range pa.pseudoRNG.Perm(len(challenges)) {
+		shuffled[i] = challenges[challIdx]
 		combinations[i] = []int{i}
 	}
-	return
+
+	shuffledCombos := make([][]int, len(combinations))
+	for i, comboIdx := range pa.pseudoRNG.Perm(len(combinations)) {
+		shuffledCombos[i] = combinations[comboIdx]
+	}
+
+	return shuffled, shuffledCombos, nil
 }

policy/policy-authority_test.go

@@ -217,11 +217,18 @@ func TestChallengesFor(t *testing.T) {
 
 	test.Assert(t, len(challenges) == len(enabledChallenges), "Wrong number of challenges returned")
 	test.Assert(t, len(combinations) == len(enabledChallenges), "Wrong number of combinations returned")
-	for i, challenge := range challenges {
+
+	seenChalls := make(map[string]bool)
+	// Expected only if the pseudo-RNG is seeded with 99.
+	expectedCombos := [][]int{[]int{0}, []int{3}, []int{4}, []int{2}, []int{1}}
+	for _, challenge := range challenges {
+		test.Assert(t, !seenChalls[challenge.Type], "should not already have seen this type")
+		seenChalls[challenge.Type] = true
+
 		test.Assert(t, enabledChallenges[challenge.Type], "Unsupported challenge returned")
-		test.AssertEquals(t, len(combinations[i]), 1)
-		test.AssertEquals(t, combinations[i][0], i)
 	}
+	test.AssertEquals(t, len(seenChalls), len(enabledChallenges))
+	test.AssertDeepEquals(t, expectedCombos, combinations)
 }
 
 func TestWillingToIssueWithWhitelist(t *testing.T) {

test/boulder-config.json

@@ -2,7 +2,7 @@
   "syslog": {
     "network": "",
     "server": "",
-    "stdoutlevel": -1
+    "stdoutlevel": 7
   },
 
   "amqp": {

test/dns-test-srv/main.go

@@ -15,7 +15,6 @@ import (
 )
 
 func dnsHandler(w dns.ResponseWriter, r *dns.Msg) {
-	defer w.Close()
 	m := new(dns.Msg)
 	m.SetReply(r)
 	m.Compress = false
@@ -65,7 +64,7 @@ func serveTestResolver() {
 	dns.HandleFunc(".", dnsHandler)
 	server := &dns.Server{
 		Addr:         "127.0.0.1:8053",
-		Net:          "udp",
+		Net:          "tcp",
 		ReadTimeout:  time.Millisecond,
 		WriteTimeout: time.Millisecond,
 	}