[tor-commits] [meek/master] Refactor --disable --cert --key handing.

[dcf at torproject.org]

commit 7ac08ebf46a9b9b5c569cbadba62b79b4d5e6519
Author: David Fifield <david at bamsoftware.com>
Date:   Thu Mar 30 18:03:53 2017 -0700

    Refactor --disable --cert --key handing.
---
 meek-server/meek-server.go | 35 +++++++++++++++++++----------------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/meek-server/meek-server.go b/meek-server/meek-server.go
index bf0f8a4..be2cd36 100644
--- a/meek-server/meek-server.go
+++ b/meek-server/meek-server.go
@@ -265,12 +265,7 @@ func (state *State) ExpireSessions() {
 	}
 }
 
-func listenTLS(network string, addr *net.TCPAddr, certFilename, keyFilename string) (net.Listener, error) {
-	ctx, err := newCertContext(certFilename, keyFilename)
-	if err != nil {
-		return nil, err
-	}
-
+func listenTLS(network string, addr *net.TCPAddr, getCertificate func (*tls.ClientHelloInfo) (*tls.Certificate, error)) (net.Listener, error) {
 	// This is cribbed from the source of net/http.Server.ListenAndServeTLS.
 	// We have to separate the Listen and Serve parts because we need to
 	// report the listening address before entering Serve (which is an
@@ -278,10 +273,7 @@ func listenTLS(network string, addr *net.TCPAddr, certFilename, keyFilename stri
 	// https://groups.google.com/d/msg/Golang-nuts/3F1VRCCENp8/3hcayZiwYM8J
 	config := &tls.Config{}
 	config.NextProtos = []string{"http/1.1"}
-
-	// Install a GetCertificate callback that ensures that the certificate is
-	// up to date.
-	config.GetCertificate = ctx.GetCertificate
+	config.GetCertificate = getCertificate
 
 	conn, err := net.ListenTCP(network, addr)
 	if err != nil {
@@ -307,8 +299,8 @@ func startListener(network string, addr *net.TCPAddr) (net.Listener, error) {
 	return startServer(ln)
 }
 
-func startListenerTLS(network string, addr *net.TCPAddr, certFilename, keyFilename string) (net.Listener, error) {
-	ln, err := listenTLS(network, addr, certFilename, keyFilename)
+func startListenerTLS(network string, addr *net.TCPAddr, getCertificate func (*tls.ClientHelloInfo) (*tls.Certificate, error)) (net.Listener, error) {
+	ln, err := listenTLS(network, addr, getCertificate)
 	if err != nil {
 		return nil, err
 	}
@@ -356,14 +348,25 @@ func main() {
 		log.SetOutput(f)
 	}
 
+	// Handle the various ways of setting up TLS. The legal configurations
+	// are:
+	//   --cert and --key together
+	//   --disable-tls
+	// The outputs of this block of code are the disableTLS and
+	// getCertificate variables.
+	var getCertificate func (*tls.ClientHelloInfo) (*tls.Certificate, error)
 	if disableTLS {
 		if certFilename != "" || keyFilename != "" {
 			log.Fatalf("The --cert and --key options are not allowed with --disable-tls.\n")
 		}
-	} else {
-		if certFilename == "" || keyFilename == "" {
-			log.Fatalf("The --cert and --key options are required.\n")
+	} else if certFilename != "" && keyFilename != "" {
+		ctx, err := newCertContext(certFilename, keyFilename)
+		if err != nil {
+			log.Fatal(err)
 		}
+		getCertificate = ctx.GetCertificate
+	} else {
+		log.Fatalf("The --cert and --key options are required.\n")
 	}
 
 	var err error
@@ -384,7 +387,7 @@ func main() {
 			if disableTLS {
 				ln, err = startListener("tcp", bindaddr.Addr)
 			} else {
-				ln, err = startListenerTLS("tcp", bindaddr.Addr, certFilename, keyFilename)
+				ln, err = startListenerTLS("tcp", bindaddr.Addr, getCertificate)
 			}
 			if err != nil {
 				pt.SmethodError(bindaddr.MethodName, err.Error())