From 598408bb2ffe0bed538380228a6f99e214ebf931 Mon Sep 17 00:00:00 2001
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Sun, 13 Nov 2016 08:27:48 +0900
Subject: [PATCH] Auto-renew ephemeral X.509 certificate.

If the ephemeral X.509 certificate is due for renewal in less than a
week, regenerate it automatically.
---
 daemon/tls.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/daemon/tls.c b/daemon/tls.c
index a10cdaba0..3764c6050 100644
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -130,11 +130,26 @@ struct tls_ctx_t *tls_new(struct worker_ctx *worker)
 	}
 
 	time_t now = time(NULL);
-	if (net->tls_credentials->valid_until != GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION &&
-	    now >= net->tls_credentials->valid_until) {
-		/* Warn once when certificate expires */
-		kr_log_error("[tls] X.509 certificate has expired!\n");
-		net->tls_credentials->valid_until = GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION;
+	if (net->tls_credentials->valid_until != GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION) {
+		if (net->tls_credentials->ephemeral_servicename) {
+			/* ephemeral cert: refresh if due to expire within a week */
+			if (now >= net->tls_credentials->valid_until - 60*60*24*7) {
+				struct tls_credentials *newcreds = tls_get_ephemeral_credentials(worker->engine);
+				if (newcreds) {
+					tls_credentials_release(net->tls_credentials);
+					net->tls_credentials = newcreds;
+					kr_log_info("[tls] Renewed expiring ephemeral X.509 cert\n");
+				} else {
+					kr_log_error("[tls] Failed to renew expiring ephemeral X.509 cert, using existing one\n");
+				}				
+			}
+		} else {
+			/* non-ephemeral cert: warn once when certificate expires */
+			if (now >= net->tls_credentials->valid_until) {
+				kr_log_error("[tls] X.509 certificate has expired!\n");
+				net->tls_credentials->valid_until = GNUTLS_X509_NO_WELL_DEFINED_EXPIRATION;
+			}
+		}
 	}
 
 	struct tls_ctx_t *tls = calloc(1, sizeof(struct tls_ctx_t));
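Review bot: When `tls_get_ephemeral_credentials()` fails, the error branch at line 35 runs again on every subsequent `tls_new()` call for the rest of the week, so each new TLS connection re-attempts credential generation (presumably including key generation — confirm in `tls_get_ephemeral_credentials`) and emits another error line, whereas the non-ephemeral branch deliberately warns only once by resetting `valid_until`. Consider recording a retry deadline on the credentials (for example a `time_t` field set to `now` plus a backoff interval) and skipping the renewal attempt until it passes, so that a persistent failure cannot become a per-connection keygen and log flood. The threshold `60*60*24*7` on line 28 would read better as a named constant, e.g. `#define TLS_EPHEMERAL_RENEW_BEFORE (60*60*24*7) /* one week */`, and line 36 carries trailing whitespace after the closing brace. Whether swapping `net->tls_credentials` while existing sessions still reference the old credentials is safe depends on `tls_credentials_release()` being reference-counted, which this hunk does not show; `tls_new` begins before and continues after the hunk.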
-- 
GitLab