cmdmon: reload NTS server keys on rekey command

When ntsrotate is set to 0, allow the keys to be reloaded with the rekey
command of chronyc.

diff --git a/client.c b/client.c
index 189937689151e74cb814d37bebf790a998566b0b..c557040339951c0258338d471133c1737d085670 100644 (file)
--- a/client.c
+++ b/client.c
@@ -1268,7 +1268,7 @@ give_help(void)
     "Other daemon commands:\0\0"
     "cyclelogs\0Close and re-open log files\0"
     "dump\0Dump measurements and NTS keys/cookies\0"
-    "rekey\0Re-read keys from key file\0"
+    "rekey\0Re-read keys\0"
     "reset\0Drop all measurements\0"
     "shutdown\0Stop daemon\0"
     "\0\0"

diff --git a/cmdmon.c b/cmdmon.c
index 77378be8c953c031b923b7b2ffc1857e76b54da0..c43e10cf453456283533706188a32d9101094c72 100644 (file)
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -620,6 +620,7 @@ static void
 handle_rekey(CMD_Request *rx_message, CMD_Reply *tx_message)
 {
   KEY_Reload();
+  NKS_ReloadKeys();
 }
 
 /* ================================================== */

diff --git a/nts_ke_server.c b/nts_ke_server.c
index cfa8b059f54e0426a7ed1ac2d813a6adfa62a731..4850696d2866d09d33e8c76c88b6e4fee0503d8f 100644 (file)
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -722,6 +722,19 @@ NKS_DumpKeys(void)
 
 /* ================================================== */
 
+void
+NKS_ReloadKeys(void)
+{
+  /* Don't load the keys if they are expected to be generated by this server
+     instance (i.e. they are already loaded) to not delay the next rotation */
+  if (key_rotation_interval > 0)
+    return;
+
+  load_keys();
+}
+
+/* ================================================== */
+
 /* A server cookie consists of key ID, nonce, and encrypted C2S+S2C keys */
 
 int

diff --git a/nts_ke_server.h b/nts_ke_server.h
index edf62c595d30697721716bebac3ff9d5812c54e6..96143e4e9395bebb5e92bb4904e02be30b19fd73 100644 (file)
--- a/nts_ke_server.h
+++ b/nts_ke_server.h
@@ -36,6 +36,9 @@ extern void NKS_Finalise(void);
 /* Save the current server keys */
 extern void NKS_DumpKeys(void);
 
+/* Reload the keys */
+extern void NKS_ReloadKeys(void);
+
 /* Generate an NTS cookie with a given context */
 extern int NKS_GenerateCookie(NKE_Context *context, NKE_Cookie *cookie);
 

diff --git a/stubs.c b/stubs.c
index 49a6a4efb10da82961ef95b3add3d1d50a830464..f7731148cd25d4f07c7421ca102c197ea1957c41 100644 (file)
--- a/stubs.c
+++ b/stubs.c
@@ -550,4 +550,9 @@ NKS_DumpKeys(void)
 {
 }
 
+void
+NKS_ReloadKeys(void)
+{
+}
+
 #endif /* !FEAT_NTS */