std::shared_ptr createFizzServerContext()

in mcrouter/lib/network/FizzContextProvider.cpp [73:150]

• 73 lines of code
• 10 McCabe index (conditional complexity)

std::shared_ptr<fizz::server::FizzServerContext> createFizzServerContext(
    folly::StringPiece pemCertPath,
    folly::StringPiece certData,
    folly::StringPiece pemKeyPath,
    folly::StringPiece keyData,
    folly::StringPiece pemCaPath,
    bool requireClientVerification,
    bool preferOcbCipher,
    wangle::TLSTicketKeySeeds* ticketKeySeeds) {
  initSSL();
  auto certMgr = std::make_shared<fizz::server::CertManager>();
  try {
    auto selfCert =
        fizz::CertUtils::makeSelfCert(certData.str(), keyData.str());
    // add the default cert
    certMgr->addCert(std::move(selfCert), true);
  } catch (const std::exception& ex) {
    LOG_FAILURE(
        "SSLCert",
        failure::Category::kBadEnvironment,
        "Failed to create self cert from \"{}\" and \"{}\".  ex: {}",
        pemCertPath,
        pemKeyPath,
        ex.what());
    return nullptr;
  }

  auto ctx = std::make_shared<fizz::server::FizzServerContext>();
  ctx->setSupportedVersions({fizz::ProtocolVersion::tls_1_3});
  ctx->setSupportedPskModes(
      {fizz::PskKeyExchangeMode::psk_ke, fizz::PskKeyExchangeMode::psk_dhe_ke});
  ctx->setVersionFallbackEnabled(true);
  ctx->setCertManager(certMgr);
  if (!pemCaPath.empty()) {
    auto verifier = fizz::DefaultCertificateVerifier::createFromCAFile(
        fizz::VerificationContext::Server, pemCaPath.str());
    ctx->setClientCertVerifier(std::move(verifier));
    ctx->setClientAuthMode(fizz::server::ClientAuthMode::Optional);
  }
  if (requireClientVerification) {
    ctx->setClientAuthMode(fizz::server::ClientAuthMode::Required);
  }
  if (preferOcbCipher) {
#if FOLLY_OPENSSL_IS_110 && !defined(OPENSSL_NO_OCB)
    auto serverCiphers = folly::copy(ctx->getSupportedCiphers());
    serverCiphers.insert(
        serverCiphers.begin(),
        {
            fizz::CipherSuite::TLS_AES_128_OCB_SHA256_EXPERIMENTAL,
        });
    ctx->setSupportedCiphers(std::move(serverCiphers));
#endif
  }

  // set ticket seeds
  if (ticketKeySeeds) {
    std::vector<folly::ByteRange> ticketSecrets;
    for (const auto& secret : ticketKeySeeds->currentSeeds) {
      ticketSecrets.push_back(folly::StringPiece(secret));
    }
    for (const auto& secret : ticketKeySeeds->oldSeeds) {
      ticketSecrets.push_back(folly::StringPiece(secret));
    }
    for (const auto& secret : ticketKeySeeds->newSeeds) {
      ticketSecrets.push_back(folly::StringPiece(secret));
    }
    auto cipher = std::make_shared<fizz::server::AES128TicketCipher>(
        ctx->getFactoryPtr(), std::move(certMgr));
    cipher->setTicketSecrets(std::move(ticketSecrets));
    fizz::server::TicketPolicy policy;
    policy.setTicketValidity(std::chrono::seconds(kSessionLifeTime));
    policy.setHandshakeValidity(std::chrono::seconds(kHandshakeValidity));
    cipher->setPolicy(std::move(policy));
    ctx->setTicketCipher(std::move(cipher));
  }
  // TODO: allow for custom FizzFactory
  return ctx;
}