From 0344b9a9c92ff98e1574dfee016f3d69ffc1ac3f Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 15 Apr 2020 10:48:29 +0200
Subject: [PATCH] nts: generate cookies from second newest key

Generate one server key in advance to give it time to be distributed to other servers before it is actually used.
---
 nts_ke_server.c | 7 ++++---
 test/simulation/139-nts | 8 ++++----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/nts_ke_server.c b/nts_ke_server.c
index 8cbccdc..8723006 100644
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -50,6 +50,7 @@
 #define KEY_ID_INDEX_BITS 2
 #define MAX_SERVER_KEYS (1U << KEY_ID_INDEX_BITS)
+#define FUTURE_KEYS 1
 #define MIN_KEY_ROTATE_INTERVAL 1.0
@@ -471,7 +472,7 @@ save_keys(void)
     goto error;
   for (i = 0; i < MAX_SERVER_KEYS; i++) {
-    index = (current_server_key + i + 1) % MAX_SERVER_KEYS;
+    index = (current_server_key + i + 1 + FUTURE_KEYS) % MAX_SERVER_KEYS;
     if (key_length > sizeof (server_keys[index].key) ||
         !UTI_BytesToHex(server_keys[index].key, key_length, buf, sizeof (buf)) ||
@@ -543,7 +544,7 @@ load_keys(void)
     DEBUG_LOG("Loaded key %"PRIX32, id);
-    current_server_key = index;
+    current_server_key = (index + MAX_SERVER_KEYS - FUTURE_KEYS) % MAX_SERVER_KEYS;
   }
   fclose(f);
@@ -561,7 +562,7 @@ static void
 key_timeout(void *arg)
 {
   current_server_key = (current_server_key + 1) % MAX_SERVER_KEYS;
-  generate_key(current_server_key);
+  generate_key((current_server_key + FUTURE_KEYS) % MAX_SERVER_KEYS);
   save_keys();
   SCH_AddTimeoutByDelay(MAX(CNF_GetNtsRotate(), MIN_KEY_ROTATE_INTERVAL),
diff --git a/test/simulation/139-nts b/test/simulation/139-nts
index 3813b52..ddfb9b2 100755
--- a/test/simulation/139-nts
+++ b/test/simulation/139-nts
@@ -29,7 +29,7 @@ server_conf="
 ntsserverkey tmp/server.key
 ntsservercert tmp/server.crt
 ntsprocesses 0
-ntsrotate 64
+ntsrotate 66
 ntsdumpdir tmp
 "
 client_server_options="minpoll 6 maxpoll 6 nts"
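Review bot: `#define FUTURE_KEYS 1` is added without a comment or a bound, yet the index arithmetic in save_keys, load_keys and key_timeout only works if FUTURE_KEYS leaves room in the MAX_SERVER_KEYS ring for the current key and at least one previous key that can still decrypt outstanding cookies. I would add a one-line comment saying the constant is the number of server keys generated ahead of their use and that it must be smaller than MAX_SERVER_KEYS - 1, and enforce that at compile time with `#if FUTURE_KEYS >= MAX_SERVER_KEYS - 1`, `#error "FUTURE_KEYS leaves no previous key in the ring"`, `#endif`. The role of the previous keys is inferred from the rotation logic; the cookie decryption path is not in this patch.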
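Review bot: The new start index `index = (current_server_key + i + 1 + FUTURE_KEYS) % MAX_SERVER_KEYS;` in save_keys encodes an ordering invariant, oldest key first so that the last entry written is the not-yet-used key, which load_keys then depends on when it subtracts FUTURE_KEYS from the index of the last key it read, but nothing in the loop states it. A comment above the loop, `/* Write keys oldest first; the last one is the future key and load_keys relies on this order */`, keeps the two sides from drifting apart on the next change. The body of save_keys starts before this hunk.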
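Review bot: `current_server_key = (index + MAX_SERVER_KEYS - FUTURE_KEYS) % MAX_SERVER_KEYS;` in load_keys assumes the last key read from the dump is the future key, so a dump written by a build without FUTURE_KEYS (where the last entry was the current key) or a dump holding fewer than FUTURE_KEYS + 1 keys leaves current_server_key one slot behind, possibly on a slot that was never filled from the file. Whether such a slot holds a usable key depends on initialisation code outside this hunk, so please confirm; if a short dump is possible, either reject it or fall back to `current_server_key = index;` when fewer than FUTURE_KEYS + 1 keys were loaded. At minimum a comment at the assignment, `/* The last key in the dump is the future key; the one before it is current */`, should record the file-format assumption. The body of load_keys starts before this hunk.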
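Review bot: `generate_key((current_server_key + FUTURE_KEYS) % MAX_SERVER_KEYS);` in key_timeout overwrites the slot that held the oldest key, so the number of previous keys still available for decrypting cookies drops from MAX_SERVER_KEYS - 1 to MAX_SERVER_KEYS - 1 - FUTURE_KEYS rotation intervals, and clients holding older cookies must repeat NTS-KE sooner, which the adjusted test expectations (fewer synced measurements, more NTS-KE packets) appear to reflect. This is inferred from the index arithmetic, since the decryption path is not in the patch. A comment on the call, `/* Replaces the oldest key: cookies older than MAX_SERVER_KEYS - 1 - FUTURE_KEYS rotations are no longer accepted */`, would make the trade-off visible at the point where it is made. key_timeout continues past the hunk; the SCH_AddTimeoutByDelay call is cut.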
@@ -44,9 +44,9 @@ check_chronyd_exit || test_fail
 check_source_selection || test_fail
 check_sync || test_fail
-check_file_messages "20.*123\.1.* 111 111 1111" 89 93 measurements.log || test_fail
-check_file_messages "20.*123\.1.* 111 001 0000" 30 32 measurements.log || test_fail
-check_file_messages " 2 1 .* 11443 " 200 240 log.packets || test_fail
+check_file_messages "20.*123\.1.* 111 111 1111" 75 80 measurements.log || test_fail
+check_file_messages "20.*123\.1.* 111 001 0000" 37 39 measurements.log || test_fail
+check_file_messages " 2 1 .* 11443 " 260 300 log.packets || test_fail
 check_file_messages "." 6 6 ntskeys || test_fail
 rm -f tmp/measurements.log