Added Session Ticket Key rotation

renthraysk · renthraysk · commit 42686ebf26e1 · 2017-10-18T14:55:57.000+01:00
diff --git a/README.md b/README.md
@@ -1,7 +1 @@
 # tlsutil
-
-Example of creating a tls.Config
-
-```
-    cfg, err := NewTLSConfig(WithTLS12(),
-        WithKeyPair("localhost.pem", "localhost.key"))
diff --git a/keyrotation.go b/keyrotation.go
@@ -0,0 +1,79 @@
+package tlsutil
+
+import (
+	"crypto/rand"
+	"crypto/tls"
+	"io"
+	"time"
+
+	"github.com/renthraysk/group"
+)
+
+type KeyRotator struct {
+	cfg      *tls.Config
+	duration time.Duration
+	keys     [][32]byte
+	stop     chan chan struct{}
+}
+
+func (r *KeyRotator) read(key []byte) (int, error) {
+	if r.cfg.Rand != nil {
+		return io.ReadFull(r.cfg.Rand, key)
+	}
+	return rand.Read(key)
+}
+
+func (r *KeyRotator) rotate() error {
+	var key [32]byte
+
+	if len(r.keys) < cap(r.keys) {
+		r.keys = r.keys[:len(r.keys)+1]
+	}
+	copy(r.keys[1:], r.keys[:])
+
+	_, err := r.read(key[:])
+	if err == nil {
+		r.keys[0] = key
+	}
+	r.cfg.SetSessionTicketKeys(r.keys)
+	return err
+}
+
+func (r *KeyRotator) Start() error {
+	timer := time.NewTicker(r.duration)
+	defer timer.Stop()
+	for {
+		select {
+		case <-timer.C:
+			r.rotate()
+
+		case q := <-r.stop:
+			close(q)
+			return nil
+		}
+	}
+}
+
+func (r *KeyRotator) Stop(err error) {
+	q := make(chan struct{})
+	r.stop <- q
+	<-q
+}
+
+// WithSessionTicketKeyRotation
+func WithSessionTicketKeyRotation(g *group.Group, n int, d time.Duration) Option {
+	return func(cfg *tls.Config) error {
+		r := &KeyRotator{
+			cfg:      cfg,
+			duration: d,
+			keys:     make([][32]byte, 0, n),
+			stop:     make(chan chan struct{}),
+		}
+		if err := r.rotate(); err != nil {
+			cfg.SessionTicketsDisabled = true
+			return nil
+		}
+		g.Add(r)
+		return nil
+	}
+}
diff --git a/tlsutil.go b/tlsutil.go
@@ -23,6 +23,12 @@ func Wrap(opts ...Option) Option {
 	}
 }
 
+func WithError(err error) Option {
+	return func(cfg *tls.Config) error {
+		return err
+	}
+}
+
 // WithKeyPair load a certificate from a certFile, keyFile pair, and append to tls.Config's Certificates
 func WithKeyPair(certFile, keyFile string) Option {
 	return func(cfg *tls.Config) error {

Original file line number	Diff line number	Diff line change
`@@ -23,6 +23,12 @@ func Wrap(opts ...Option) Option {`
`23`	`23`	`}`
`24`	`24`	`}`
`25`	`25`
	`26`	`+func WithError(err error) Option {`
	`27`	`+ return func(cfg *tls.Config) error {`
	`28`	`+ return err`
	`29`	`+ }`
	`30`	`+}`
	`31`	`+`
`26`	`32`	`// WithKeyPair load a certificate from a certFile, keyFile pair, and append to tls.Config's Certificates`
`27`	`33`	`func WithKeyPair(certFile, keyFile string) Option {`
`28`	`34`	`return func(cfg *tls.Config) error {`