2025-03-18, 02:40:44 +0100, Antonio Quartulli wrote:
> +int ovpn_crypto_state_reset(struct ovpn_crypto_state *cs,
> + const struct ovpn_peer_key_reset *pkr)
> +{
> + struct ovpn_crypto_key_slot *old = NULL, *new;
> + u8 idx;
> +
> + if (pkr->slot != OVPN_KEY_SLOT_PRIMARY &&
> + pkr->slot != OVPN_KEY_SLOT_SECONDARY)
> + return -EINVAL;
> +
> + new = ovpn_aead_crypto_key_slot_new(&pkr->key);
> + if (IS_ERR(new))
> + return PTR_ERR(new);
> +
> + spin_lock_bh(&cs->lock);
At this point, should there be a check that we're not installing 2
keys with the same key_id at the same time? I expect a well-behaved
userspace never does that, but it would confuse
ovpn_crypto_key_id_to_slot if it ever happened.
["well, then the tunnel is broken. if userspace sets up a broken
config that's not the kernel's problem." is an acceptable answer]
--
Sabrina
