#	$OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
#	Placed in the Public Domain.

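tid="rekey"

LOG=${TEST_SSH_LOGFILE}

rm -f ${LOG}
# Keep a pristine copy of the server config.  The per-case loops below
# append KexAlgorithms/Ciphers/MACs/RekeyLimit lines to sshd_proxy and
# restore it from this backup before each case; if the backup itself
# fails, every later restore fails too and each case silently runs
# against whatever the previous one left behind, so abort here instead.
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak || fatal "cannot back up sshd_proxy"
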
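# Test rekeying based on data volume only.
#
# $1 is an optional "Keyword=value" option (KexAlgorithms=..., Ciphers=...
# or MACs=...) that is applied to BOTH sides: it is appended to sshd_proxy
# and passed to the client as -o, so the named algorithm is the only one
# that can be negotiated.  Pass "" to run with the default lists.  All
# remaining arguments are passed to ssh unchanged (normally a RekeyLimit).
#
# sshd_proxy is restored from sshd_proxy_bak on every call so that a case
# never inherits the algorithm restriction left by the previous one.
# Compression is forced off, presumably so the data volume on the wire is
# predictable and reliably crosses the rekey limit.
ssh_data_rekeying()
{
	_kexopt=$1 ; shift
	_opts="$@"
	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	# This must test $_kexopt, the variable set above.  Testing a
	# misspelled (hence always empty) name would turn every
	# algorithm-specific case into a default-configuration run while
	# the test still reports success.
	if ! test -z "$_kexopt" ; then
		echo "$_kexopt" >> $OBJ/sshd_proxy
		_opts="$_opts -o$_kexopt"
	fi
	rm -f ${COPY} ${LOG}
	_opts="$_opts -oCompression=no"
	${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
	if [ $? -ne 0 ]; then
		fail "ssh failed ($@)"
	fi
	cmp ${DATA} ${COPY}		|| fail "corrupted copy ($@)"
	# Every key exchange logs "NEWKEYS sent"; the first match is the
	# initial exchange, so the number of rekeys is matches - 1.
	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
	n=`expr $n - 1`
	trace "$n rekeying(s)"
	if [ $n -lt 1 ]; then
		fail "no rekeying occured ($@)"
	fi
}
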
increase_datafile_size 300

# Build the list of per-algorithm options to exercise: one
# "Keyword=algorithm" entry for every kex method, cipher and MAC the
# client reports, in that order.
opts=""
for query in kex cipher mac; do
	case $query in
		kex)	keyword=KexAlgorithms ;;
		cipher)	keyword=Ciphers ;;
		mac)	keyword=MACs ;;
	esac
	for alg in $(${SSH} -Q $query); do
		opts="$opts $keyword=$alg"
	done
done

# Data-volume rekeying at a 256k limit with each algorithm pinned on both
# client and server.
for opt in $opts; do
	verbose "client rekey $opt"
	ssh_data_rekeying "$opt" -oRekeyLimit=256k
done

# AEAD ciphers (cipher-auth) are exercised against every key exchange
# method: the kex is pinned on both sides, the cipher on the client only.
# Skipped entirely when this ssh reports no cipher-auth algorithms.
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
  for aead in $(${SSH} -Q cipher-auth); do
    for kexalg in $(${SSH} -Q kex); do
	verbose "client rekey $aead $kexalg"
	ssh_data_rekeying "KexAlgorithms=$kexalg" -oRekeyLimit=256k -oCiphers=$aead
    done
  done
fi

# Client-side data-volume rekeying across a range of RekeyLimit sizes,
# default algorithm lists on both sides.
for limit in 16 1k 128k 256k; do
	verbose "client rekeylimit ${limit}"
	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$limit
done

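# Count the rekeyings recorded in ${LOG} and fail the test unless at least
# one happened.  Every key exchange logs "NEWKEYS sent"; the first match is
# the initial exchange, so rekeys = matches - 1.  Each side sends its own
# NEWKEYS at the end of an exchange, so a server-initiated rekey is still
# visible in the client log.  Shared by the time-based and server-side
# cases below, which cannot use ssh_data_rekeying because they run ssh
# differently (no data at all, or data flowing server->client).
check_rekeyed()
{
	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
	n=`expr $n - 1`
	trace "$n rekeying(s)"
	if [ $n -lt 1 ]; then
		fail "no rekeying occured"
	fi
}

# Client time-based rekeying: "default $s" keeps the default data limit
# and rekeys every $s seconds, so the remote command is held open past
# that interval.
for s in 5 10; do
	verbose "client rekeylimit default ${s}"
	rm -f ${COPY} ${LOG}
	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
		$OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
	check_rekeyed
done

# Same, with no data transferred: the time limit alone must trigger.
for s in 5 10; do
	verbose "client rekeylimit default ${s} no data"
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
		$OBJ/ssh_proxy somehost "sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	check_rekeyed
done

# Server-side data-volume rekeying: the limit is configured in sshd_proxy
# only and the data flows server->client.
for s in 16 1k 128k 256k; do
	verbose "server rekeylimit ${s}"
	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
	    > ${COPY}
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
	check_rekeyed
done

# Server-side time-based rekeying with no data.
for s in 5 10; do
	verbose "server rekeylimit default ${s} no data"
	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	check_rekeyed
done
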
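# Make sure sshd parses every RekeyLimit size and time suffix and
# normalises it: "sshd -T" must print the limit as plain bytes and seconds.
verbose "rekeylimit parsing"
for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
    for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
	case $size in
		16)	bytes=16 ;;
		1k|1K)	bytes=1024 ;;
		1m|1M)	bytes=1048576 ;;
		1g|1G)	bytes=1073741824 ;;
		4g|4G)	bytes=4294967296 ;;
		8g|8G)	bytes=8589934592 ;;
	esac
	case $time in
		1)	seconds=1 ;;
		1m|1M)	seconds=60 ;;
		1h|1H)	seconds=3600 ;;
		1d|1D)	seconds=86400 ;;
		1w|1W)	seconds=604800 ;;
	esac

	# Run sshd -T once per case and split its "rekeylimit BYTES SECONDS"
	# line on the single space; an empty or malformed line leaves b/s
	# empty and fails the comparisons below.
	parsed=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
	    awk '/rekeylimit/{print $2, $3}'`
	b=${parsed% *}
	s=${parsed#* }

	if [ "$bytes" != "$b" ]; then
		fatal "rekeylimit size: expected $bytes bytes got $b"
	fi
	# Report the normalised expectation ($seconds), not the raw suffix
	# form ($time), so the message compares like with like.
	if [ "$seconds" != "$s" ]; then
		fatal "rekeylimit time: expected $seconds seconds got $s"
	fi
    done
done
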
# Remove the transferred copy and the (enlarged) data file.
rm -f -- ${COPY} ${DATA}
