Merge pull request cloudflare#534 from cloudflare/jacob/optimistic-bu…

…ndler Fix data races and add "optimitic" first round of bundling
PeterDaveHello · Feb 26, 2016 · 1a782da · 1a782da
2 parents c0d6830 + d0c1ea6
commit 1a782da
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 32 deletions.
diff --git a/bundler/bundler.go b/bundler/bundler.go
@@ -600,20 +600,13 @@ func (b *Bundler) Bundle(certs []*x509.Certificate, key crypto.Signer, flavor Bu
 			return nil, errors.New(errors.CertificateError, errors.SelfSigned)
 		}
 
-		// verify and store input intermediates to the intermediate pool.
-		// Ignore the returned error here, will treat it in the second call.
-		go b.fetchIntermediates(certs)
-
 		chains, err := cert.Verify(b.VerifyOptions())
 		if err != nil {
 			log.Debugf("verification failed: %v", err)
 			// If the error was an unknown authority, try to fetch
 			// the intermediate specified in the AIA and add it to
 			// the intermediates bundle.
-			switch err := err.(type) {
-			case x509.UnknownAuthorityError:
-				// Do nothing -- have the default case return out.
-			default:
+			if _, ok := err.(x509.UnknownAuthorityError); !ok {
 				return nil, errors.Wrap(errors.CertificateError, errors.VerifyFailed, err)
 			}
 

diff --git a/scan/scan_common.go b/scan/scan_common.go
@@ -187,34 +187,24 @@ func (ctx *context) newfamilyContext(numScanners int) *familyContext {
 }
 
 func (ctx *context) copyResults(timeout time.Duration) map[string]FamilyResult {
-	var timedOut bool
-	done := make(chan bool, 1)
 	results := make(map[string]FamilyResult)
-
-	go func() {
-		for result := range ctx.resultChan {
-			if timedOut {
-				log.Debugf("Received result after timeout: %v", result)
-				continue
-			}
-
-			if results[result.Family] == nil {
-				results[result.Family] = make(FamilyResult)
+	for {
+		var result *Result
+		select {
+		case <-time.After(timeout):
+			log.Warningf("Scan timed out after %v", timeout)
+			return results
+		case result = <-ctx.resultChan:
+			if result == nil {
+				return results
 			}
-
-			results[result.Family][result.Scanner] = result.ScannerResult
 		}
-		done <- true
-	}()
 
-	select {
-	case <-done:
-	case <-time.After(timeout):
-		timedOut = true
-		log.Warningf("Scan timed out after %v", timeout)
+		if results[result.Family] == nil {
+			results[result.Family] = make(FamilyResult)
+		}
+		results[result.Family][result.Scanner] = result.ScannerResult
 	}
-
-	return results
 }
 
 func (familyCtx *familyContext) runScanner(familyName, scannerName string, scanner *Scanner) {

diff --git a/scan/vendor/crypto/tls/cfsslscan_common.go b/scan/vendor/crypto/tls/cfsslscan_common.go
@@ -91,7 +91,7 @@ var defaultSignatureAndHashAlgorithms []signatureAndHash
 var AllSignatureAndHashAlgorithms []SignatureAndHash
 
 // skxsLock prevents the concurrent modification of supportedSignatureAlgorithms.
-var skxsLock sync.Mutex
+var skxsLock sync.RWMutex
 
 func init() {
 	defaultSignatureAndHashAlgorithms = supportedSignatureAlgorithms

diff --git a/scan/vendor/crypto/tls/cfsslscan_handshake.go b/scan/vendor/crypto/tls/cfsslscan_handshake.go
@@ -3,6 +3,8 @@ package tls
 // SayHello constructs a simple Client Hello to a server, parses its serverHelloMsg response
 // and returns the negotiated ciphersuite ID, and, if an EC cipher suite, the curve ID
 func (c *Conn) SayHello() (cipherID, curveType uint16, curveID CurveID, version uint16, certs [][]byte, err error) {
+	skxsLock.RLock()
+	defer skxsLock.RUnlock()
 	hello := &clientHelloMsg{
 		vers:                c.config.maxVersion(),
 		compressionMethods:  []uint8{compressionNone},

diff --git a/scan/vendor/crypto/tls/handshake_client.go b/scan/vendor/crypto/tls/handshake_client.go
@@ -96,6 +96,8 @@ NextCipherSuite:
 	}
 
 	if hello.vers >= VersionTLS12 {
+		skxsLock.RLock()
+		defer skxsLock.RUnlock()
 		hello.signatureAndHashes = supportedSignatureAlgorithms
 	}