Attention is currently required from: flichtenheld.
Hello flichtenheld,
I'd like you to do a code review.
Please visit
http://gerrit.openvpn.net/c/openvpn/+/818?usp=email
to review the following change.
Change subject: [TEST-ONLY] Mess with internal logic to test epoch data
......................................................................
[TEST-ONLY] Mess with internal logic to test epoch data
This rotates/invalidates keys extremely quickly and also jumps forward
1-8 keys instead of always one to test that part of the logic.
Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91
Signed-off-by: Arne Schwabe <a...@rfc2549.org>
---
M src/openvpn/crypto.c
M src/openvpn/crypto_epoch.c
M tests/unit_tests/openvpn/test_ssl.c
3 files changed, 18 insertions(+), 4 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/18/818/1
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 9166707..e990d80 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -352,6 +352,9 @@
int64_t
cipher_get_aead_limits(const char *ciphername)
{
+ /* TESTING: Make AEAD key limits really really really small to force
+ * key rollever super quickly */
+ return 256;
if (!cipher_kt_mode_aead(ciphername))
{
return 0;
diff --git a/src/openvpn/crypto_epoch.c b/src/openvpn/crypto_epoch.c
index 4a9a338..3df56ba 100644
--- a/src/openvpn/crypto_epoch.c
+++ b/src/openvpn/crypto_epoch.c
@@ -413,8 +413,13 @@
if (aead_usage_limit_reached(opt->aead_usage_limit,
&opt->key_ctx_bi.encrypt,
opt->packet_id.send.id))
{
- /* Send key limit reached */
- epoch_iterate_send_key(opt);
+ int forward = rand() % 8 + 1;
+ /* Send key limit reached, go one key forward or in this TEST
+ * gremlin mode, 1 to 8 to test the other side future key stuff */
+ for (int i = 0; i < forward; i++)
+ {
+ epoch_iterate_send_key(opt);
+ }
}
/* draft 8 of the aead usage limit still had but draft 9 complete
* dropped this statement:
@@ -436,7 +441,13 @@
/* Receive key limit reached. Increase our own send key to signal
* that we want to use a new epoch. Peer should then also move its
* key but is not required to do this */
- epoch_iterate_send_key(opt);
+ int forward = rand() % 8 + 1;
+ /* gremlin mode, 1 to 8 to test the other side future key stuff */
+ for (int i = 0; i < forward; i++)
+ {
+ epoch_iterate_send_key(opt);
+ }
+
}
}
diff --git a/tests/unit_tests/openvpn/test_ssl.c
b/tests/unit_tests/openvpn/test_ssl.c
index 842c944..0d4d8be 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -398,7 +398,7 @@
struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 }};
memcpy(e1.epoch_key, key2.keys[0].cipher, sizeof(e1.epoch_key));
co.flags |= CO_EPOCH_DATA_KEY_FORMAT;
- epoch_init_key_ctx(&co, &kt, &e1, &e1, 5);
+ epoch_init_key_ctx(&co, &kt, &e1, &e1, 9);
/* Do a little of dancing for the epoch_send_key_iterate to test
* that this works too */
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/818?usp=email
To unsubscribe, or for help writing mail filters, visit
http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91
Gerrit-Change-Number: 818
Gerrit-PatchSet: 1
Gerrit-Owner: plaisthos <arne-open...@rfc2549.org>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-Attention: flichtenheld <fr...@lichtenheld.com>
Gerrit-MessageType: newchange
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
