From patchwork Thu Feb 13 19:39:41 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Gert Doering X-Patchwork-Id: 4139 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:1d8f:b0:5e7:b9eb:58e8 with SMTP id hp15csp782187mab; Thu, 13 Feb 2025 11:40:02 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCXFEfhtKBI7L08U0qF5J1cf90jLta6oHjkpwW9wjQV8aVYEV/fvJvSHc4fKaKUkn+8HJc/meMd/muw=@openvpn.net X-Google-Smtp-Source: AGHT+IFdsVjGRTaWdZmbJ1GJGePLizCsIcBUWnvoNL7z4pCKNFIWL6qASzUKQaZB9lR8Hw5QfLHY X-Received: by 2002:a05:6602:2c83:b0:855:2e1e:da12 with SMTP id ca18e2360f4ac-855635a50c1mr547237239f.4.1739475602508; Thu, 13 Feb 2025 11:40:02 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1739475602; cv=none; d=google.com; s=arc-20240605; b=RRLQlk3weSsrNZR5Z53iIfSUOMR5/exOblqsydFvftPFAKn8tI6N9sMQ3Nne5NnrLE gWf3DmWlUyVcdZ5hw+2HBVjPHVJJFaNmFlDmsqTn5QzeCb+kLXjYgB8xPMhvKA5GsxDZ d1GVQbAKrRccxNUqa5UmQvazEPdCzTDQa/sW8C3lZlz5uVFmI+9bJseGopHgoTTNFixc W9xhxeK1mIlcJ0Z7UWJ+Jb2sSoLq9kJF4A31nAvAHV0YiupUilw5TyLpHtRfoW8jUbnZ NcHD7ldNq/UYn+optiP+qJpQYtMeu71McTVW23fKFSVOcvOzb39UZtXzIQJP1a94FmUJ QXFg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:content-transfer-encoding:list-subscribe:list-help :list-post:list-archive:list-unsubscribe:list-id:precedence:subject :mime-version:references:in-reply-to:message-id:date:to:from :dkim-signature:dkim-signature; bh=GwobmRrbPDDPjiuAZFSlqWNiodrBjKSjxEVa1lNHiks=; fh=4NbAC/LsuMLI0S0hprUlLSLCiHwg6SCAifhH718Jh0Q=; b=b0fKPc7NrYRzW6lwYrqk83fL9VaFCM980CKC0JVOKuLqjyiY1uPtE+ZGJEppLDI62e FAUwWPdZ7h2KwznDGaQdXekYhKiwtuJmv0FS0ygz8kn6iqTLFu6D3RuqMk6S7XK5D7Yl v4j2GfBPyU2JBboMZHcYRRKOThcwTmiGQyXEUb2njdF2s9Te9yhzJZZYA/4tAS43fd+g aJhkzzScH2GN+FCwQXKKvS9a76wYDMH9BtldklSoeVjD900g5HCiSROVtPlqGfKa8wli o9gwqec5HrrGuGBIhaVxuUb7GXnpVMHEMyrqBVucGBIPTbekwYT9PaAXNcOuha/vvwDM H+8Q==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=G8V9vzPx; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=lbiwJaP3; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 8926c6da1cb9f-4ed28165fa3si1476885173.40.2025.02.13.11.40.01 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Feb 2025 11:40:02 -0800 (PST) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=G8V9vzPx; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=lbiwJaP3; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=muc.de Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1tif43-0003YE-5v; Thu, 13 Feb 2025 19:39:58 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1tif41-0003Y8-8Q for openvpn-devel@lists.sourceforge.net; Thu, 13 Feb 2025 19:39:56 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Transfer-Encoding:MIME-Version:References: In-Reply-To:Message-ID:Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=CpGF6in5uKCjH1JgGGQVlFFWQ7PFf9EN8yjVs3L5nvU=; b=G8V9vzPx9/obWT1uCLl4NiddqU F8a6tw4MxMy/h+n+39qjnuwSUIywL7dVtV4u6otVop3Zj2PMvCEBZ9GRL41JFseGBBVLmrmIGAOpC cQHcB63v/FIPKrGKhPyApFyas2pwoC8FHBlbipsNQ09nxz4Akb4rFFJhfYq147ApSRuE=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Transfer-Encoding:MIME-Version:References:In-Reply-To:Message-ID: Date:Subject:To:From:Sender:Reply-To:Cc:Content-Type:Content-ID: Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe: List-Post:List-Owner:List-Archive; bh=CpGF6in5uKCjH1JgGGQVlFFWQ7PFf9EN8yjVs3L5nvU=; b=lbiwJaP3efm06hVwAoiJyMgjgU flehE87vLluqragozn4dEXl6icn/CbDSC5Kg4TR+Nvhi14GAqUlgxTLyhk5ZY26GkNaDgnI7pZCrK 6qz/Z6eYFlx3Izg/ACtznQSl9YUPclF2s8tPHDOVodxjF0zkogyAl17ApQJJmijOvn4s=; Received: from dhcp-174.greenie.muc.de ([193.149.48.174] helo=blue.greenie.muc.de) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.95) id 1tif3y-0005fB-Qw for openvpn-devel@lists.sourceforge.net; Thu, 13 Feb 2025 19:39:56 +0000 Received: from blue.greenie.muc.de (localhost [127.0.0.1]) by blue.greenie.muc.de (8.17.1.9/8.17.1.9) with ESMTP id 51DJdgwi026434 for ; Thu, 13 Feb 2025 20:39:42 +0100 Received: (from gert@localhost) by blue.greenie.muc.de (8.17.1.9/8.17.1.9/Submit) id 51DJdgR2026433 for openvpn-devel@lists.sourceforge.net; Thu, 13 Feb 2025 20:39:42 +0100 From: Gert Doering To: openvpn-devel@lists.sourceforge.net Date: Thu, 13 Feb 2025 20:39:41 +0100 Message-ID: <20250213193942.26423-1-gert@greenie.muc.de> X-Mailer: git-send-email 2.45.2 In-Reply-To: References: MIME-Version: 1.0 X-Spam-Score: 0.0 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-2.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: From: Arne Schwabe Change-Id: I15c7cfdddb06d4530d669b222a3c65db5169b29a Signed-off-by: Arne Schwabe Acked-by: MaxF --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Content analysis details: (0.0 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- 0.0 RCVD_IN_VALIDITY_CERTIFIED_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [193.149.48.174 listed in sa-accredit.habeas.com] 0.0 RCVD_IN_VALIDITY_RPBL_BLOCKED RBL: ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. [193.149.48.174 listed in bl.score.senderscore.com] -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record X-Headers-End: 1tif3y-0005fB-Qw Subject: [Openvpn-devel] [PATCH v4] Extend the unit test for data channel packets with aead limit tests X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1823972369342150713?= X-GMAIL-MSGID: =?utf-8?q?1823972369342150713?= From: Arne Schwabe Change-Id: I15c7cfdddb06d4530d669b222a3c65db5169b29a Signed-off-by: Arne Schwabe Acked-by: MaxF --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/868 This mail reflects revision 4 of this Change. Acked-by according to Gerrit (reflected above): MaxF diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c index 486e298..9340953 100644 --- a/tests/unit_tests/openvpn/test_ssl.c +++ b/tests/unit_tests/openvpn/test_ssl.c @@ -363,14 +363,107 @@ /* compare */ assert_int_equal(buf.len, src.len); assert_memory_equal(BPTR(&src), BPTR(&buf), i); - } gc_free(&gc); } +static void +encrypt_one_packet(struct crypto_options *co, int len) +{ + struct frame frame; + init_frame_parameters(&frame); + + struct gc_arena gc = gc_new(); + struct buffer encrypt_workspace = alloc_buf_gc(BUF_SIZE(&frame), &gc); + struct buffer decrypt_workspace = alloc_buf_gc(BUF_SIZE(&frame), &gc); + struct buffer work = alloc_buf_gc(BUF_SIZE(&frame), &gc); + struct buffer buf = clear_buf(); + struct buffer src = alloc_buf_gc(frame.buf.payload_size, &gc); + void *buf_p; + + ASSERT(buf_init(&work, frame.buf.headroom)); + + /* + * Load src with random data. + */ + ASSERT(buf_init(&src, 0)); + ASSERT(len <= src.capacity); + src.len = len; + ASSERT(rand_bytes(BPTR(&src), BLEN(&src))); + + /* copy source to input buf */ + buf = work; + buf_p = buf_write_alloc(&buf, BLEN(&src)); + ASSERT(buf_p); + memcpy(buf_p, BPTR(&src), BLEN(&src)); + + ASSERT(buf_init(&encrypt_workspace, frame.buf.headroom)); + openvpn_encrypt(&buf, encrypt_workspace, co); + + /* decrypt */ + openvpn_decrypt(&buf, decrypt_workspace, co, &frame, BPTR(&buf)); + + /* compare */ + assert_int_equal(buf.len, src.len); + assert_memory_equal(BPTR(&src), BPTR(&buf), len); + + gc_free(&gc); +} -struct crypto_options +static void +check_aead_limits(struct crypto_options *co, bool chachapoly) +{ + + /* Check that we correctly react when we have a nearing AEAD limits */ + + /* manually increase the send counter to be past + * the GCM usage limit */ + co->key_ctx_bi.encrypt.plaintext_blocks = 0x1ull << 40; + + + bool epoch = (co->flags & CO_EPOCH_DATA_KEY_FORMAT); + + int expected_epoch = epoch ? 4 : 0; + + /* Ensure that we are still on the initial key (our init_crypto_options + * unit test method iterates the initial key to 4) or that it is 0 when + * epoch is not in * use */ + assert_int_equal(co->key_ctx_bi.encrypt.epoch, expected_epoch); + + encrypt_one_packet(co, 1000); + + /* either epoch key has been updated or warning is enabled */ + if (epoch && !chachapoly) + { + expected_epoch++; + } + + assert_int_equal(co->key_ctx_bi.encrypt.epoch, expected_epoch); + + if (!epoch) + { + /* Check always against the GCM usage limit here to see if that + * check works */ + assert_true(aead_usage_limit_reached((1ull << 36), + &co->key_ctx_bi.encrypt, + co->packet_id.send.id)); + return; + } + + /* Move to the end of the epoch data key send PID range, ChachaPoly + * should now also move to a new epoch data key */ + co->packet_id.send.id = PACKET_ID_EPOCH_MAX; + + encrypt_one_packet(co, 1000); + encrypt_one_packet(co, 1000); + + expected_epoch++; + assert_int_equal(co->key_ctx_bi.encrypt.epoch, expected_epoch); +} + + +static struct crypto_options init_crypto_options(const char *cipher, const char *auth, bool epoch, struct key2 *statickey) { @@ -428,16 +521,21 @@ static void run_data_channel_with_cipher_epoch(const char *cipher) { + bool ischacha = !strcmp(cipher, "ChaCha20-Poly1305"); + struct crypto_options co = init_crypto_options(cipher, "none", true, NULL); do_data_channel_round_trip(&co); + check_aead_limits(&co, ischacha); uninit_crypto_options(&co); } static void run_data_channel_with_cipher(const char *cipher, const char *auth) { + bool ischacha = !strcmp(cipher, "ChaCha20-Poly1305"); struct crypto_options co = init_crypto_options(cipher, auth, false, NULL); do_data_channel_round_trip(&co); + check_aead_limits(&co, ischacha); uninit_crypto_options(&co); }