[meek/master] Refactor --disable --cert --key handing. - tor-commits

11 Apr 2017

commit 7ac08ebf46a9b9b5c569cbadba62b79b4d5e6519
Author: David Fifield david@bamsoftware.com
Date:   Thu Mar 30 18:03:53 2017 -0700
Refactor --disable --cert --key handing.
---
 meek-server/meek-server.go | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/meek-server/meek-server.go b/meek-server/meek-server.go
index bf0f8a4..be2cd36 100644
--- a/meek-server/meek-server.go
+++ b/meek-server/meek-server.go
@@ -265,12 +265,7 @@ func (state *State) ExpireSessions() {
    }
 }
-func listenTLS(network string, addr *net.TCPAddr, certFilename, keyFilename string) (net.Listener, error) {
-	ctx, err := newCertContext(certFilename, keyFilename)
-	if err != nil {
-		return nil, err
-	}
-
+func listenTLS(network string, addr *net.TCPAddr, getCertificate func (*tls.ClientHelloInfo) (*tls.Certificate, error)) (net.Listener, error) {
    // This is cribbed from the source of net/http.Server.ListenAndServeTLS.
    // We have to separate the Listen and Serve parts because we need to
    // report the listening address before entering Serve (which is an
@@ -278,10 +273,7 @@ func listenTLS(network string, addr *net.TCPAddr, certFilename, keyFilename stri
    // https://groups.google.com/d/msg/Golang-nuts/3F1VRCCENp8/3hcayZiwYM8J
    config := &tls.Config{}
    config.NextProtos = []string{"http/1.1"}
-
-	// Install a GetCertificate callback that ensures that the certificate is
-	// up to date.
-	config.GetCertificate = ctx.GetCertificate
+	config.GetCertificate = getCertificate
conn, err := net.ListenTCP(network, addr)
    if err != nil {
@@ -307,8 +299,8 @@ func startListener(network string, addr *net.TCPAddr) (net.Listener, error) {
    return startServer(ln)
 }
-func startListenerTLS(network string, addr *net.TCPAddr, certFilename, keyFilename string) (net.Listener, error) {
-	ln, err := listenTLS(network, addr, certFilename, keyFilename)
+func startListenerTLS(network string, addr *net.TCPAddr, getCertificate func (*tls.ClientHelloInfo) (*tls.Certificate, error)) (net.Listener, error) {
+	ln, err := listenTLS(network, addr, getCertificate)
    if err != nil {
    	return nil, err
    }
@@ -356,14 +348,25 @@ func main() {
    	log.SetOutput(f)
    }
+	// Handle the various ways of setting up TLS. The legal configurations
+	// are:
+	//   --cert and --key together
+	//   --disable-tls
+	// The outputs of this block of code are the disableTLS and
+	// getCertificate variables.
+	var getCertificate func (*tls.ClientHelloInfo) (*tls.Certificate, error)
    if disableTLS {
    	if certFilename != "" || keyFilename != "" {
    		log.Fatalf("The --cert and --key options are not allowed with --disable-tls.\n")
    	}
-	} else {
-		if certFilename == "" || keyFilename == "" {
-			log.Fatalf("The --cert and --key options are required.\n")
+	} else if certFilename != "" && keyFilename != "" {
+		ctx, err := newCertContext(certFilename, keyFilename)
+		if err != nil {
+			log.Fatal(err)
    	}
+		getCertificate = ctx.GetCertificate
+	} else {
+		log.Fatalf("The --cert and --key options are required.\n")
    }
var err error
@@ -384,7 +387,7 @@ func main() {
    		if disableTLS {
    			ln, err = startListener("tcp", bindaddr.Addr)
    		} else {
-				ln, err = startListenerTLS("tcp", bindaddr.Addr, certFilename, keyFilename)
+				ln, err = startListenerTLS("tcp", bindaddr.Addr, getCertificate)
    		}
    		if err != nil {
    			pt.SmethodError(bindaddr.MethodName, err.Error())

    