add todos

ainghazal · Jan 22, 2024 · fca1080 · fca1080
1 parent bfc4e53
commit fca1080
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 8 deletions.
diff --git a/internal/controlchannel/controlchannel.go b/internal/controlchannel/controlchannel.go
@@ -86,18 +86,20 @@ func (ws *workersState) moveUpWorker() {
 			case model.P_CONTROL_SOFT_RESET_V1:
 				// We cannot blindly accept SOFT_RESET requests. They only make sense
 				// when we have generated keys. Note that a SOFT_RESET returns us to
-				// the INITIAL state, therefore, we cannot have concurrent resets in place.
-
-				// TODO(ainghazal): revisit this assumption
-				// when we implement key rotation.  OpenVPN has
-				// the concept of a "lame duck", i.e., the
-				// retiring key that needs to be expired a fixed time after the new
-				// one starts its lifetime.
+				// the INITIAL state, therefore, we will not have concurrent resets in place,
+				// even if after the first key generation we receive two SOFT_RESET requests
+				// back to back.
 
 				if ws.sessionManager.NegotiationState() < session.S_GENERATED_KEYS {
 					continue
 				}
 				ws.sessionManager.SetNegotiationState(session.S_INITIAL)
+				// TODO(ainghazal): revisit this step.
+				// when we implement key rotation.  OpenVPN has
+				// the concept of a "lame duck", i.e., the
+				// retiring key that needs to be expired a fixed time after the new
+				// one starts its lifetime, and this might be a good place to try
+				// to retire the old key.
 
 				// notify the TLS layer that it should initiate
 				// a TLS handshake and, if successful, generate

diff --git a/internal/packetmuxer/service.go b/internal/packetmuxer/service.go
@@ -218,7 +218,7 @@ func (ws *workersState) handleRawPacket(rawPacket []byte) error {
 	return nil
 }
 
-// finishThreeWayHandshake responsds to the HARD_RESET_SERVER and finishes the handshake.
+// finishThreeWayHandshake responds to the HARD_RESET_SERVER and finishes the handshake.
 func (ws *workersState) finishThreeWayHandshake(packet *model.Packet) error {
 	// register the server's session (note: the PoV is the server's one)
 	ws.sessionManager.SetRemoteSessionID(packet.LocalSessionID)

diff --git a/internal/tlssession/tlssession.go b/internal/tlssession/tlssession.go
@@ -123,6 +123,7 @@ func (ws *workersState) tlsAuth() error {
 	go ws.doTLSAuth(conn, tlsConf, errorch)
 
 	// make sure we timeout after 60 seconds anyway
+	// TODO: move this to the TUN layer ------------------------------------
 	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
 	defer cancel()