Attention is currently required from: flichtenheld. Hello flichtenheld,
I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/818?usp=email to review the following change. Change subject: [TEST-ONLY] Mess with internal logic to test epoch data ...................................................................... [TEST-ONLY] Mess with internal logic to test epoch data This rotates/invalidates keys extremely quickly and also jumps forward 1-8 keys instead of always one to test that part of the logic. Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91 Signed-off-by: Arne Schwabe <a...@rfc2549.org> --- M src/openvpn/crypto.c M src/openvpn/crypto_epoch.c M tests/unit_tests/openvpn/test_ssl.c 3 files changed, 18 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/18/818/1 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 9166707..e990d80 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -352,6 +352,9 @@ int64_t cipher_get_aead_limits(const char *ciphername) { + /* TESTING: Make AEAD key limits really really really small to force + * key rollever super quickly */ + return 256; if (!cipher_kt_mode_aead(ciphername)) { return 0; diff --git a/src/openvpn/crypto_epoch.c b/src/openvpn/crypto_epoch.c index 4a9a338..3df56ba 100644 --- a/src/openvpn/crypto_epoch.c +++ b/src/openvpn/crypto_epoch.c @@ -413,8 +413,13 @@ if (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.encrypt, opt->packet_id.send.id)) { - /* Send key limit reached */ - epoch_iterate_send_key(opt); + int forward = rand() % 8 + 1; + /* Send key limit reached, go one key forward or in this TEST + * gremlin mode, 1 to 8 to test the other side future key stuff */ + for (int i = 0; i < forward; i++) + { + epoch_iterate_send_key(opt); + } } /* draft 8 of the aead usage limit still had but draft 9 complete * dropped this statement: 
@@ -436,7 +441,13 @@ /* Receive key limit reached. Increase our own send key to signal * that we want to use a new epoch. Peer should then also move its * key but is not required to do this */ - epoch_iterate_send_key(opt); + int forward = rand() % 8 + 1; + /* gremlin mode, 1 to 8 to test the other side future key stuff */ + for (int i = 0; i < forward; i++) + { + epoch_iterate_send_key(opt); + } + } } diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index 842c944..0d4d8be 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -398,7 +398,7 @@ struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 }}; memcpy(e1.epoch_key, key2.keys[0].cipher, sizeof(e1.epoch_key)); co.flags |= CO_EPOCH_DATA_KEY_FORMAT; - epoch_init_key_ctx(&co, &kt, &e1, &e1, 5); + epoch_init_key_ctx(&co, &kt, &e1, &e1, 9); /* Do a little of dancing for the epoch_send_key_iterate to test * that this works too */ -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/818?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91 Gerrit-Change-Number: 818 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <arne-open...@rfc2549.org> Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com> Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net> Gerrit-Attention: flichtenheld <fr...@lichtenheld.com> Gerrit-MessageType: newchange
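Review bot: in the crypto.c hunk, `+ return 256;` sits before the `if (!cipher_kt_mode_aead(ciphername))` check, so the rest of `cipher_get_aead_limits()` becomes unreachable and non-AEAD ciphers, which previously returned 0 (no limit), now also get a 256-packet limit; if the goal is only to force rapid AEAD key rollover, move the early return below that check, and since the change is marked [TEST-ONLY], put it behind a preprocessor switch rather than an unconditional return so it cannot reach master by accident. The added comment also misspells "rollover" as "rollever".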
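Review bot: in the first crypto_epoch.c hunk (send key limit reached), `int forward = rand() % 8 + 1;` advances the send key by up to 8 epochs, but nothing in the hunk records that the peer's future-key window must cover a jump of that size; the matching change to 9 in test_ssl.c suggests that dependency, so a comment here, or a single named constant used by both files, would make the coupling explicit. `rand()` is also never seeded here, so every run produces the same sequence of jumps; that is fine for reproducibility but worth stating in the comment if it is intended.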
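Review bot: in the second crypto_epoch.c hunk (receive key limit reached), the added lines end with two closing braces, `+ }` followed by another `+ }`, before the unchanged `}` context line, whereas the first hunk, which replaces the same single `epoch_iterate_send_key(opt);` call with the same loop, adds only one; the hunk header's count of 13 new lines confirms seven added lines, so unless the posted diff has been mangled the extra brace closes the enclosing block early and the file will not compile. Drop the second `+ }` so the two hunks match.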
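Review bot: in the test_ssl.c hunk, the last argument of `epoch_init_key_ctx()` changes from 5 to 9 with no explanation; the commit message says the send key may now jump 1 to 8 epochs at once, so a short comment tying the 9 to the `rand() % 8 + 1` in crypto_epoch.c (the receiving side must be able to look at least 8 epochs ahead) would stop the two values drifting apart, or better, derive both from one named constant.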
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel