[TEST-ONLY] Mess with internal logic to test epoch data

schwabe · schwabe · commit 5b8d8c677bb2 · 2024-11-28T20:16:04.000+01:00
This rotates/invalidates keys extremely quickly and also jumps forward
1-8 keys instead of always one to test that part of the logic.

Change-Id: I7cdf992eb6031315c4978c6a1fbbecfa723fca91
Signed-off-by: Arne Schwabe &lt;arne@rfc2549.org&gt;
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
@@ -352,6 +352,9 @@ openvpn_encrypt(struct buffer *buf, struct buffer work,
 int64_t
 cipher_get_aead_limits(const char *ciphername)
 {
+    /* TESTING: Make AEAD key limits really really really small to force
+     * key rollever super quickly */
+    return 256;
     if (!cipher_kt_mode_aead(ciphername))
     {
         return 0;
diff --git a/src/openvpn/crypto_epoch.c b/src/openvpn/crypto_epoch.c
@@ -414,8 +414,13 @@ epoch_check_send_iterate(struct crypto_options *opt)
         if (aead_usage_limit_reached(opt->aead_usage_limit, &opt->key_ctx_bi.encrypt,
                                      opt->packet_id.send.id))
         {
-            /* Send key limit reached */
-            epoch_iterate_send_key(opt);
+            int forward = rand() % 8 + 1;
+            /* Send key limit reached, go one key forward or in this TEST
+             * gremlin mode, 1 to 8 to test the other side future key stuff */
+            for (int i = 0; i < forward; i++)
+            {
+                epoch_iterate_send_key(opt);
+            }
         }
         /* draft 8 of the aead usage limit still had but draft 9 complete
          * dropped this statement:
@@ -437,7 +442,13 @@ epoch_check_send_iterate(struct crypto_options *opt)
             /* Receive key limit reached. Increase our own send key to signal
              * that we want to use a new epoch. Peer should then also move its
              * key but is not required to do this */
-            epoch_iterate_send_key(opt);
+            int forward = rand() % 8 + 1;
+            /* gremlin mode, 1 to 8 to test the other side future key stuff */
+            for (int i = 0; i < forward; i++)
+            {
+                epoch_iterate_send_key(opt);
+            }
+
         }
     }
 
diff --git a/tests/unit_tests/openvpn/test_ssl.c b/tests/unit_tests/openvpn/test_ssl.c
@@ -398,7 +398,7 @@ init_crypto_options(const char *cipher, const char *auth, bool epoch,
         struct epoch_key e1 = { .epoch = 1, .epoch_key = { 0 }};
         memcpy(e1.epoch_key, key2.keys[0].cipher, sizeof(e1.epoch_key));
         co.flags |= CO_EPOCH_DATA_KEY_FORMAT;
-        epoch_init_key_ctx(&co, &kt, &e1, &e1, 5);
+        epoch_init_key_ctx(&co, &kt, &e1, &e1, 9);
 
         /* Do a little of dancing for the epoch_send_key_iterate to test
          * that this works too */

Original file line number	Diff line number	Diff line change
`@@ -352,6 +352,9 @@ openvpn_encrypt(struct buffer *buf, struct buffer work,`
`352`	`352`	`int64_t`
`353`	`353`	`cipher_get_aead_limits(const char *ciphername)`
`354`	`354`	`{`
	`355`	`+ /* TESTING: Make AEAD key limits really really really small to force`
	`356`	`+ * key rollever super quickly */`
	`357`	`+ return 256;`
`355`	`358`	`if (!cipher_kt_mode_aead(ciphername))`
`356`	`359`	`{`
`357`	`360`	`return 0;`