From 958d66f8a7aa10d77636aab39a3f222b168079cd Mon Sep 17 00:00:00 2001
From: Miroslav Lichvar
Date: Wed, 15 Apr 2020 11:52:49 +0200
Subject: [PATCH] cmdmon: reload NTS server keys on rekey command

When ntsrotate is set to 0, allow the keys to be reloaded with the rekey command of chronyc.
---
 client.c | 2 +-
 cmdmon.c | 1 +
 nts_ke_server.c | 13 +++++++++++++
 nts_ke_server.h | 3 +++
 stubs.c | 5 +++++
 5 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/client.c b/client.c
index 1899376..c557040 100644
--- a/client.c
+++ b/client.c
@@ -1268,7 +1268,7 @@ give_help(void)
 "Other daemon commands:\0\0"
 "cyclelogs\0Close and re-open log files\0"
 "dump\0Dump measurements and NTS keys/cookies\0"
- "rekey\0Re-read keys from key file\0"
+ "rekey\0Re-read keys\0"
 "reset\0Drop all measurements\0"
 "shutdown\0Stop daemon\0"
 "\0\0"
diff --git a/cmdmon.c b/cmdmon.c
index 77378be..c43e10c 100644
--- a/cmdmon.c
+++ b/cmdmon.c
@@ -620,6 +620,7 @@ static void
 handle_rekey(CMD_Request *rx_message, CMD_Reply *tx_message)
 {
 KEY_Reload();
+ NKS_ReloadKeys();
 }
 /* ================================================== */
diff --git a/nts_ke_server.c b/nts_ke_server.c
index cfa8b05..4850696 100644
--- a/nts_ke_server.c
+++ b/nts_ke_server.c
@@ -722,6 +722,19 @@ NKS_DumpKeys(void)
 /* ================================================== */
+void
+NKS_ReloadKeys(void)
+{
+ /* Don't load the keys if they are expected to be generated by this server
+ instance (i.e. they are already loaded) to not delay the next rotation */
+ if (key_rotation_interval > 0)
+ return;
+
+ load_keys();
+}
+
+/* ================================================== */
+
 /* A server cookie consists of key ID, nonce, and encrypted C2S+S2C keys */
 int
diff --git a/nts_ke_server.h b/nts_ke_server.h
index edf62c5..96143e4 100644
--- a/nts_ke_server.h
+++ b/nts_ke_server.h
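Review bot: NKS_ReloadKeys discards the result of load_keys(), so a reload that fails (for example an unreadable or malformed key file) is invisible to the caller, and handle_rekey in cmdmon.c (same commit) acknowledges the rekey command regardless of the outcome. If load_keys() reports failure through its return value (its definition is outside the hunk), log it at this call site, e.g. `if (!load_keys()) LOG(LOGS_WARN, "Could not reload NTS server keys");`, so an operator can tell from the log that the old keys are still in use. The early return when key_rotation_interval > 0 also turns `rekey` into a silent no-op for servers that rotate keys themselves; a DEBUG_LOG line before the `return;` would make the ignored request traceable. What load_keys() already logs is not visible here, so the exact wording should be aligned with that function.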
@@ -36,6 +36,9 @@ extern void NKS_Finalise(void);
 /* Save the current server keys */
 extern void NKS_DumpKeys(void);
+/* Reload the keys */
+extern void NKS_ReloadKeys(void);
+
 /* Generate an NTS cookie with a given context */
 extern int NKS_GenerateCookie(NKE_Context *context, NKE_Cookie *cookie);
diff --git a/stubs.c b/stubs.c
index 49a6a4e..f773114 100644
--- a/stubs.c
+++ b/stubs.c
@@ -550,4 +550,9 @@ NKS_DumpKeys(void)
 {
 }
+void
+NKS_ReloadKeys(void)
+{
+}
+
 #endif /* !FEAT_NTS */
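Review bot: The comment on the new declaration, `/* Reload the keys */`, does not mention that the call does nothing when the server generates its own keys, which is the condition the implementation checks (key_rotation_interval > 0 in nts_ke_server.c of this commit). Since cmdmon.c only sees this header, the condition belongs here; suggest `/* Reload the server keys if they are not generated by this instance (ntsrotate is 0); otherwise do nothing */`.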