summaryrefslogtreecommitdiffstats
path: root/contrib/tlsticketupdate.go
blob: ff3d7596aff00bd99243f0cbb4edbb8ef93f8d8e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
//
// nghttp2 - HTTP/2 C Library
//
// Copyright (c) 2015 Tatsuhiro Tsujikawa
//
// Permission is hereby granted, free of charge, to any person obtaining
// a copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to
// permit persons to whom the Software is furnished to do so, subject to
// the following conditions:
//
// The above copyright notice and this permission notice shall be
// included in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
// EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
// NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
// LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
// OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
// WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
//
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/binary"
	"flag"
	"fmt"
	"log"
	"time"

	"github.com/bradfitz/gomemcache/memcache"
)

func makeKey(len int) []byte {
	b := make([]byte, len)
	if _, err := rand.Read(b); err != nil {
		log.Fatalf("rand.Read: %v", err)
	}
	return b
}

func main() {
	var host = flag.String("host", "127.0.0.1", "memcached host")
	var port = flag.Int("port", 11211, "memcached port")
	var cipher = flag.String("cipher", "aes-128-cbc", "cipher for TLS ticket encryption")
	var interval = flag.Int("interval", 3600, "interval to update TLS ticket keys")

	flag.Parse()

	var keylen int
	switch *cipher {
	case "aes-128-cbc":
		keylen = 48
	case "aes-256-cbc":
		keylen = 80
	default:
		log.Fatalf("cipher: unknown cipher %v", cipher)
	}

	mc := memcache.New(fmt.Sprintf("%v:%v", *host, *port))

	keys := [][]byte{
		makeKey(keylen), // current encryption key
		makeKey(keylen), // next encryption key; now decryption only
	}

	for {
		buf := new(bytes.Buffer)
		if err := binary.Write(buf, binary.BigEndian, uint32(1)); err != nil {
			log.Fatalf("failed to write version: %v", err)
		}

		for _, key := range keys {
			if err := binary.Write(buf, binary.BigEndian, uint16(keylen)); err != nil {
				log.Fatalf("failed to write length: %v", err)
			}
			if _, err := buf.Write(key); err != nil {
				log.Fatalf("buf.Write: %v", err)
			}
		}

		mc.Set(&memcache.Item{
			Key:        "nghttpx:tls-ticket-key",
			Value:      buf.Bytes(),
			Expiration: int32((*interval) + 300),
		})

		<-time.After(time.Duration(*interval) * time.Second)

		// rotate keys.  the last key is now encryption key.
		// generate new key and append it to the last, so that
		// we can at least decrypt TLS ticket encrypted by new
		// key on the host which does not get new key yet.
		// keep at most past 11 keys as decryption only key
		n := len(keys) + 1
		if n > 13 {
			n = 13
		}
		newKeys := make([][]byte, n)
		newKeys[0] = keys[len(keys)-1]
		copy(newKeys[1:], keys[0:n-2])
		newKeys[n-1] = makeKey(keylen)

		keys = newKeys
	}

}