[Openvpn-devel] [S] Change in openvpn[master]: [TEST-ONLY] Mess with internal logic to test epoch data

Sun, 01 Dec 2024 05:55:12 -0800 

Attention is currently required from: flichtenheld.

Hello flichtenheld, 

I'd like you to reexamine a change. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/818?usp=email

to look at the new patch set (#3).


Change subject: [TEST-ONLY] Mess with internal logic to test epoch data
......................................................................

[TEST-ONLY] Mess with internal logic to test epoch data

This rotates/invalidates keys extremely quickly and also jumps forward
1-8 keys instead of always one to test that part of the logic.

Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91
Signed-off-by: Arne Schwabe <[email protected]>
---
M src/openvpn/crypto.c
M src/openvpn/crypto_epoch.c
M tests/unit_tests/openvpn/test_crypto.c
M tests/unit_tests/openvpn/test_ssl.c
4 files changed, 21 insertions(+), 17 deletions(-)


  git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/18/818/3

diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index 9e9fa00..3321d64 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -352,6 +352,9 @@
 int64_t
 cipher_get_aead_limits(const char *ciphername)
 {
+    /* TESTING: Make AEAD key limits really really really small to force
+     * key rollever super quickly */
+    return 256;
     if (!cipher_kt_mode_aead(ciphername))
     {
         return 0;
diff --git a/src/openvpn/crypto_epoch.c b/src/openvpn/crypto_epoch.c
index d69f4d5..fc687b5 100644
--- a/src/openvpn/crypto_epoch.c
+++ b/src/openvpn/crypto_epoch.c
@@ -414,8 +414,13 @@
         if (aead_usage_limit_reached(opt->aead_usage_limit, 
&opt->key_ctx_bi.encrypt,
                                      opt->packet_id.send.id))
         {
-            /* Send key limit reached */
-            epoch_iterate_send_key(opt);
+            int forward = rand() % 8 + 1;
+            /* Send key limit reached, go one key forward or in this TEST
+             * gremlin mode, 1 to 8 to test the other side future key stuff */
+            for (int i = 0; i < forward; i++)
+            {
+                epoch_iterate_send_key(opt);
+            }
         }
         /* draft 8 of the aead usage limit still had but draft 9 complete
          * dropped this statement:
@@ -437,7 +442,13 @@
             /* Receive key limit reached. Increase our own send key to signal
              * that we want to use a new epoch. Peer should then also move its
              * key but is not required to do this */
-            epoch_iterate_send_key(opt);
+            int forward = rand() % 8 + 1;
+            /* gremlin mode, 1 to 8 to test the other side future key stuff */
+            for (int i = 0; i < forward; i++)
+            {
+                epoch_iterate_send_key(opt);
+            }
+
         }
     }

diff --git a/tests/unit_tests/openvpn/test_crypto.c 
b/tests/unit_tests/openvpn/test_crypto.c
index 82ca86e..07008c2 100644
--- a/tests/unit_tests/openvpn/test_crypto.c
+++ b/tests/unit_tests/openvpn/test_crypto.c
@@ -458,24 +458,14 @@
 void
 crypto_test_aead_limits(void **state)
 {
+#define BROKEN_LIMIT 0x100
     /* if ChaCha20-Poly1305 is not supported by the crypto library or in the
      * current mode (FIPS), this will still return -1 */
-    assert_int_equal(cipher_get_aead_limits("CHACHA20-POLY1305"), 0);
+    assert_int_equal(cipher_get_aead_limits("CHACHA20-POLY1305"), 
BROKEN_LIMIT);

     int64_t aeslimit = cipher_get_aead_limits("AES-128-GCM");

-    assert_int_equal(aeslimit, (1ull << 36) - 1);
-
-    /* Check if this matches our exception for 1600 size packets assuming
-     * AEAD_LIMIT_BLOCKSIZE (128 bits/ 16 bytes). Gives us 100 blocks
-     * + 1 for the packet */
-    int64_t L = 101;
-    /* 2 ^ 29.34, using the result here to avoid linking to libm */
-    assert_int_equal(aeslimit / L, 680390858);
-
-    /* and for 9000, 2^26.86 */
-    L = 563;
-    assert_int_equal(aeslimit / L, 122059461);
+    assert_int_equal(aeslimit, BROKEN_LIMIT);
 }

 void
diff --git a/tests/unit_tests/openvpn/test_ssl.c 
b/tests/unit_tests/openvpn/test_ssl.c
index 842c944..0d4d8be 100644
--- a/tests/unit_tests/openvpn/test_ssl.c
+++ b/tests/unit_tests/openvpn/test_ssl.c
@@ -398,7 +398,7 @@
         struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 }};
         memcpy(e1.epoch_key, key2.keys[0].cipher, sizeof(e1.epoch_key));
         co.flags |= CO_EPOCH_DATA_KEY_FORMAT;
-        epoch_init_key_ctx(&co, &kt, &e1, &e1, 5);
+        epoch_init_key_ctx(&co, &kt, &e1, &e1, 9);

         /* Do a little of dancing for the epoch_send_key_iterate to test
          * that this works too */

--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/818?usp=email
To unsubscribe, or for help writing mail filters, visit 
http://gerrit.openvpn.net/settings

Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91
Gerrit-Change-Number: 818
Gerrit-PatchSet: 3
Gerrit-Owner: plaisthos <[email protected]>
Gerrit-Reviewer: flichtenheld <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>
Gerrit-Attention: flichtenheld <[email protected]>
Gerrit-MessageType: newpatchset

_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel






















					Reply via email to