move SslConfig & build_tls_acceptor to secure_utils

Summary: Moving to the crate allows apiserver to reuse the function. Reviewed By: jsgf Differential Revision: D8843178 fbshipit-source-id: 9d110c7f2683ff58654187222e7820240bfda98e
2024-10-11 01:07:15 +03:00 · 2018-07-16 16:56:45 -07:00 · 2018-07-16 16:56:45 -07:00 · 7aed398af3
commit 7aed398af3
parent b9ca1809b2
2 changed files with 4 additions and 43 deletions
--- a/server/src/main.rs
+++ b/server/src/main.rs
@ -78,7 +78,6 @@ mod listener;
 mod monitoring;
 mod remotefilelog;
 mod repo;
-mod ssl;

 use std::collections::HashMap;
 use std::io;
@ -223,7 +222,7 @@ fn start_repo_listeners<I>(
    repos: I,
    root_log: &Logger,
    sockname: &str,
-    ssl: ssl::SslConfig,
+    ssl: secure_utils::SslConfig,
 ) -> Result<(Vec<JoinHandle<!>>, ReadyState)>
 where
    I: IntoIterator<Item = (String, RepoConfig)>,
@ -295,9 +294,9 @@ fn connection_acceptor(
    sockname: &str,
    root_log: Logger,
    repo_senders: HashMap<String, mpsc::Sender<(Stdio, SocketAddr)>>,
-    ssl: ssl::SslConfig,
+    ssl: secure_utils::SslConfig,
 ) -> ! {
-    let tls_acceptor = ssl::build_tls_acceptor(ssl).expect("failed to build tls acceptor");
+    let tls_acceptor = secure_utils::build_tls_acceptor(ssl).expect("failed to build tls acceptor");

    let mut core = tokio_core::reactor::Core::new().expect("failed to create tokio core");
    let remote = core.remote();
@ -577,7 +576,7 @@ fn main() {
        let private_key = matches.value_of("private_key").unwrap().to_string();
        let ca_pem = matches.value_of("ca_pem").unwrap().to_string();

-        let ssl = ssl::SslConfig {
+        let ssl = secure_utils::SslConfig {
            cert,
            private_key,
            ca_pem,
--- a/server/src/ssl.rs
+++ b/server/src/ssl.rs
@ -1,38 +0,0 @@
-// Copyright (c) 2004-present, Facebook, Inc.
-// All Rights Reserved.
-//
-// This software may be used and distributed according to the terms of the
-// GNU General Public License version 2 or any later version.
-
-#![deny(warnings)]
-
-use openssl::ssl::{SslAcceptor, SslMethod, SslVerifyMode};
-
-use secure_utils;
-
-use errors::*;
-
-pub struct SslConfig {
-    pub cert: String,
-    pub private_key: String,
-    pub ca_pem: String,
-}
-
-// Builds an acceptor that has `accept_async()` method that handles tls handshake
-// and returns decrypted stream.
-pub fn build_tls_acceptor(ssl: SslConfig) -> Result<SslAcceptor> {
-    let mut acceptor = SslAcceptor::mozilla_intermediate(SslMethod::tls())?;
-
-    let pkcs12 =
-        secure_utils::build_identity(ssl.cert, ssl.private_key).context("failed to build pkcs12")?;
-    acceptor.set_certificate(&pkcs12.cert)?;
-    acceptor.set_private_key(&pkcs12.pkey)?;
-
-    // Set up client authentication via root certificate
-    acceptor
-        .cert_store_mut()
-        .add_cert(secure_utils::read_x509(ssl.ca_pem)?)?;
-    acceptor.set_verify(SslVerifyMode::PEER | SslVerifyMode::FAIL_IF_NO_PEER_CERT);
-
-    Ok(acceptor.build())
-}