From patchwork Fri Nov 22 16:29:27 2024
X-Patchwork-Submitter: "plaisthos (Code Review)"
X-Patchwork-Id: 3958
Delivered-To: patchwork@openvpn.net
From: "plaisthos (Code Review)"
Date: Fri, 22 Nov 2024 16:29:27 +0000
To: flichtenheld
Cc: openvpn-devel
Reply-To: arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com
Subject: [Openvpn-devel] [S] Change in openvpn[master]: [TEST-ONLY] Mess with internal logic to test epoch data
X-Gerrit-MessageType: newchange
X-Gerrit-PatchSet: 1
X-Gerrit-Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91
X-Gerrit-Change-Number: 818
X-Gerrit-Project: openvpn
X-Gerrit-Commit: 322212dee2abbba1644eb758c1ebdb5fc8b27f0f
User-Agent: Gerrit/3.8.2

Attention is currently required from: flichtenheld.

Hello flichtenheld,

I'd like you to do a code review. Please visit

    http://gerrit.openvpn.net/c/openvpn/+/818?usp=email

to review the following change.


Change subject: [TEST-ONLY] Mess with internal logic to test epoch data
......................................................................

[TEST-ONLY] Mess with internal logic to test epoch data

This rotates/invalidates keys extremely quickly and also jumps forward
1-8 keys instead of always one to test that part of the logic.

Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91
Signed-off-by: Arne Schwabe --- M src/openvpn/crypto.c M src/openvpn/crypto_epoch.c M tests/unit_tests/openvpn/test_ssl.c 3 files changed, 18 insertions(+), 4 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/18/818/1 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index 9166707..e990d80 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -352,6 +352,9 @@ int64_t cipher_get_aead_limits(const char *ciphername) { + /* TESTING: Make AEAD key limits really really really small to force + * key rollever super quickly */ + return 256; if (!cipher_kt_mode_aead(ciphername)) { return 0; diff --git a/src/openvpn/crypto_epoch.c b/src/openvpn/crypto_epoch.c index 4a9a338..3df56ba 100644 --- a/src/openvpn/crypto_epoch.c +++ b/src/openvpn/crypto_epoch.c @@ -413,8 +413,13 @@ if (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.encrypt, opt->packet_id.send.id)) { - /* Send key limit reached */ - epoch_iterate_send_key(opt); + int forward = rand() % 8 + 1; + /* Send key limit reached, go one key forward or in this TEST + * gremlin mode, 1 to 8 to test the other side future key stuff */ + for (int i = 0; i < forward; i++) + { + epoch_iterate_send_key(opt); + } } /* draft 8 of the aead usage limit still had but draft 9 complete * dropped this statement: @@ -436,7 +441,13 @@ /* Receive key limit reached. Increase our own send key to signal * that we want to use a new epoch. Peer should then also move its * key but is not required to do this */ - epoch_iterate_send_key(opt); + int forward = rand() % 8 + 1; + /* gremlin mode, 1 to 8 to test the other side future key stuff */ + for (int i = 0; i < forward; i++) + { + epoch_iterate_send_key(opt); + } + } } diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index 842c944..0d4d8be 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c 
@@ -398,7 +398,7 @@ struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 }}; memcpy(e1.epoch_key, key2.keys[0].cipher, sizeof(e1.epoch_key)); co.flags |= CO_EPOCH_DATA_KEY_FORMAT; - epoch_init_key_ctx(&co, &kt, &e1, &e1, 5); + epoch_init_key_ctx(&co, &kt, &e1, &e1, 9); /* Do a little of dancing for the epoch_send_key_iterate to test * that this works too */
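Review bot: in the crypto.c hunk the added `return 256;` sits before the existing `if (!cipher_kt_mode_aead(ciphername))` check, so the function now returns 256 for every cipher, including non-AEAD ones that previously got 0 (no limit), and everything after the return is unreachable (expect a compiler warning for it). Even for a TEST-ONLY change, move the early return below the AEAD check so only AEAD ciphers get the tiny limit. Also "rollever" in the added comment should read "rollover".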
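Review bot: `int forward = rand() % 8 + 1;` in the first crypto_epoch.c hunk draws from `rand()` but nothing in the hunk seeds it, so unless the process calls `srand()` elsewhere the sequence of jumps is identical on every run and the "gremlin" coverage is a fixed pattern rather than randomized; either seed it for the test run or say in the comment that a fixed sequence is intended. Since this loop can call `epoch_iterate_send_key(opt)` eight times at once, the comment should also state how many future keys the peer must hold for the result to stay decryptable.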
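Review bot: the second crypto_epoch.c hunk (`@@ -436,7 +441,13 @@`) adds seven lines and two of them are `+ }`: one closes the new `for` loop, but the other has no matching new `{`, and the unchanged `}` context lines after it are still present, so the file appears to gain an unbalanced closing brace. Please confirm this compiles, or drop the second `+ }`. The loop is also a verbatim copy of the one in the previous hunk; a small static helper taking the step count would keep the gremlin logic in one place.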
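Review bot: the test_ssl.c hunk changes the future-key count passed to `epoch_init_key_ctx` from 5 to 9 without saying why; that value is coupled to the `rand() % 8 + 1` jump in crypto_epoch.c (the receiving side has to hold at least as many future keys as the sender can skip in one step), so add a comment or a shared constant tying the two numbers together, otherwise a later change to one silently breaks the other.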
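The interaction the commit message is exercising, a sender that skips several epochs at once against a receiver holding a fixed number of precomputed future keys, as an added example that is not OpenVPN's code and not part of this change. The epoch numbering, the integer mixer standing in for key derivation, and the struct layout are assumptions of this model; the only numbers taken from the patch are 8 (the `rand() % 8 + 1` jump) and 9 (the lookahead in the test_ssl.c hunk).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes: 8 mirrors the `rand() % 8 + 1` jump in the patch, 9 the
 * lookahead passed to epoch_init_key_ctx in the test hunk. */
#define MAX_JUMP    8
#define FUTURE_KEYS 9

/* Stand-in for per-epoch key derivation: a deterministic 64-bit mixer, NOT a
 * KDF and not OpenVPN's derivation; the model only needs distinct keys. */
static uint64_t derive_epoch_key(uint64_t base, uint16_t epoch)
{
    uint64_t x = base ^ ((uint64_t)epoch * 0x9E3779B97F4A7C15ull);
    x ^= x >> 32;
    x *= 0xD6E8FEB86659FD93ull;
    return x ^ (x >> 32);
}

struct sender { uint64_t base; uint16_t epoch; };
struct receiver {
    uint64_t base;
    uint16_t current;             /* epoch of the key currently in use */
    uint64_t future[FUTURE_KEYS]; /* keys for current+1 .. current+FUTURE_KEYS */
};

static void receiver_refill(struct receiver *r)
{
    for (int i = 0; i < FUTURE_KEYS; i++) {
        r->future[i] = derive_epoch_key(r->base, (uint16_t)(r->current + 1 + i));
    }
}

static void sender_init(struct sender *s, uint64_t base) { s->base = base; s->epoch = 1; }
static void receiver_init(struct receiver *r, uint64_t base)
{
    r->base = base;
    r->current = 1;
    receiver_refill(r);
}

/* Sender-side rotation: 1 step in normal operation, 1..MAX_JUMP in the
 * patch's gremlin mode. Returns the epoch now used for sending. */
static uint16_t sender_iterate(struct sender *s, int forward)
{
    s->epoch = (uint16_t)(s->epoch + forward);
    return s->epoch;
}
static uint64_t sender_key(const struct sender *s) { return derive_epoch_key(s->base, s->epoch); }

/* A packet tagged `epoch` arrives. Accept if it is the current epoch or lies
 * inside the precomputed window; accepting a future epoch moves the receiver
 * forward and refills the window. Older epochs are refused (no past keys here). */
static bool receiver_accept(struct receiver *r, uint16_t epoch, uint64_t *key_out)
{
    if (epoch == r->current) {
        *key_out = derive_epoch_key(r->base, epoch);
        return true;
    }
    if (epoch < r->current || (unsigned)(epoch - r->current) > FUTURE_KEYS) {
        return false;             /* no key for this epoch: packet is undecryptable */
    }
    *key_out = r->future[epoch - r->current - 1];
    r->current = epoch;
    receiver_refill(r);
    return true;
}

/* One rotation per packet with a fixed jump sequence (constructed, standing in
 * for rand()). Returns how many packets the receiver had no matching key for. */
static int run_gremlin(const int *jumps, int n, uint64_t base)
{
    struct sender s;
    struct receiver r;
    int rejected = 0;
    sender_init(&s, base);
    receiver_init(&r, base);
    for (int i = 0; i < n; i++) {
        uint64_t k;
        uint16_t e = sender_iterate(&s, jumps[i]);
        if (!receiver_accept(&r, e, &k) || k != sender_key(&s)) {
            rejected++;
        }
    }
    return rejected;
}

/* Two rotations before any packet reaches the peer: the jumps add up, so two
 * in-range steps can still overshoot the window. */
static bool run_burst(int first, int second, uint64_t base)
{
    struct sender s;
    struct receiver r;
    uint64_t k;
    sender_init(&s, base);
    receiver_init(&r, base);
    sender_iterate(&s, first);
    uint16_t e = sender_iterate(&s, second);
    return receiver_accept(&r, e, &k) && k == sender_key(&s);
}

/* Constructed sequences: all steps within 1..MAX_JUMP, and one step of 10. */
static const int GREMLIN_JUMPS[] = {1, 8, 3, 8, 5, 2, 7, 8};
static const int OVERSHOOT_JUMPS[] = {1, 10};

int main(void)
{
    printf("in-window jumps rejected: %d\n", run_gremlin(GREMLIN_JUMPS, 8, 0x1234));
    printf("single step of 10 rejected: %d\n", run_gremlin(OVERSHOOT_JUMPS, 2, 0x1234));
    printf("burst 8+8 accepted: %d, burst 4+5 accepted: %d\n",
           run_burst(8, 8, 0x1234), run_burst(4, 5, 0x1234));
    return 0;
}
```

The two `run_burst` cases are the point: a single skip of up to 8 always lands inside a 9-key window, but two rotations before the peer sees a packet add up, so 8+8 overshoots while 4+5 still fits. Whether the real epoch code is exposed to that case depends on when the peer learns about a rotation, which this model does not capture.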