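# $OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
# Placed in the Public Domain.
#
# Regression test for SSH transport rekeying.  It drives client-side and
# server-side RekeyLimit (data-volume and time based) across every KEX,
# cipher and MAC the client advertises, then checks that sshd parses the
# RekeyLimit size/time suffixes into the expected byte and second counts.
#
# This file is sourced by the regress harness, which supplies SSH, SSHD,
# SUDO, OBJ, DATA, COPY, TEST_SSH_LOGFILE and the fail/fatal/trace/verbose
# helpers.  Written for POSIX sh: no bashisms, because the harness may not
# run under bash.

tid="rekey"

LOG=${TEST_SSH_LOGFILE}

rm -f "${LOG}"
# Keep a pristine copy of the server config.  Individual tests append
# options to sshd_proxy and restore it from this backup first.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# Count completed rekeyings recorded in the client debug log (the client is
# run with -v, or the server-side tests rely on the harness log settings).
# The first "NEWKEYS sent" belongs to the initial key exchange, so it is not
# a rekey.  Outputs the count on stdout.
count_rekeyings()
{
	_newkeys=$(grep 'NEWKEYS sent' "${LOG}" | wc -l)
	echo $((_newkeys - 1))
}

# Fail the test unless at least one rekeying is visible in the log.
# Arguments: $1 - optional suffix for the failure message.
check_rekeyed()
{
	_n=$(count_rekeyings)
	trace "$_n rekeying(s)"
	if [ "$_n" -lt 1 ]; then
		fail "no rekeying occured${1:+ $1}"
	fi
}

# Test rekeying based on data volume only.
# Arguments: $1 - a "Keyword=value" option applied to both sshd_proxy and
#                 the client; empty to test with the server defaults.
#            $@ - remaining arguments are passed to ssh verbatim.
ssh_data_rekeying()
{
	_kexopt=$1 ; shift
	_opts="$@"
	# Always start from the pristine server config so one variant cannot
	# leak its KexAlgorithms/Ciphers/MACs restriction into the next.
	cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
	# Previously tested "$_kexopts" (never assigned), so the option was
	# silently dropped and every KEX/cipher/MAC variant ran with defaults.
	if ! test -z "$_kexopt" ; then
		echo "$_kexopt" >> "$OBJ/sshd_proxy"
		_opts="$_opts -o$_kexopt"
	fi
	rm -f "${COPY}" "${LOG}"
	# Compression would change the byte count RekeyLimit is measured on.
	_opts="$_opts -oCompression=no"
	# $_opts is deliberately unquoted: it is a space-separated option list.
	${SSH} <"${DATA}" $_opts -v -F "$OBJ/ssh_proxy" somehost "cat > ${COPY}"
	if [ $? -ne 0 ]; then
		fail "ssh failed ($@)"
	fi
	cmp "${DATA}" "${COPY}" || fail "corrupted copy ($@)"
	check_rekeyed "($*)"
}

# presumably grows DATA so the transfer crosses the 256k limit used below;
# the helper is defined by the harness.
increase_datafile_size 300

# One Keyword=value entry for every KEX, cipher and MAC the client supports.
opts=""
for i in $(${SSH} -Q kex); do
	opts="$opts KexAlgorithms=$i"
done
for i in $(${SSH} -Q cipher); do
	opts="$opts Ciphers=$i"
done
for i in $(${SSH} -Q mac); do
	opts="$opts MACs=$i"
done

for opt in $opts; do
	verbose "client rekey $opt"
	ssh_data_rekeying "$opt" -oRekeyLimit=256k
done

# AEAD ciphers are magical so test with all KexAlgorithms
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
	for c in $(${SSH} -Q cipher-auth); do
		for kex in $(${SSH} -Q kex); do
			verbose "client rekey $c $kex"
			ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers="$c"
		done
	done
fi

for s in 16 1k 128k 256k; do
	verbose "client rekeylimit ${s}"
	ssh_data_rekeying "" -oCompression=no -oRekeyLimit="$s"
done

# Time-based client rekeying: "default N" rekeys after N seconds, so the
# remote command keeps the session open past that point.
for s in 5 10; do
	verbose "client rekeylimit default ${s}"
	rm -f "${COPY}" "${LOG}"
	${SSH} < "${DATA}" -oCompression=no -oRekeyLimit="default $s" -F \
		"$OBJ/ssh_proxy" somehost "cat >${COPY};sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	cmp "${DATA}" "${COPY}" || fail "corrupted copy"
	check_rekeyed
done

# Same, but with no payload: the rekey must be triggered by time alone.
for s in 5 10; do
	verbose "client rekeylimit default ${s} no data"
	rm -f "${COPY}" "${LOG}"
	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
		"$OBJ/ssh_proxy" somehost "sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	check_rekeyed
done

# Server-initiated rekeying by data volume; the client still logs the
# NEWKEYS it sends in response.
for s in 16 1k 128k 256k; do
	verbose "server rekeylimit ${s}"
	cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
	echo "rekeylimit ${s}" >>"$OBJ/sshd_proxy"
	rm -f "${COPY}" "${LOG}"
	${SSH} -oCompression=no -F "$OBJ/ssh_proxy" somehost "cat ${DATA}" \
		> "${COPY}"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	cmp "${DATA}" "${COPY}" || fail "corrupted copy"
	check_rekeyed
done

# Server-initiated rekeying by time, no payload.
for s in 5 10; do
	verbose "server rekeylimit default ${s} no data"
	cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
	echo "rekeylimit default ${s}" >>"$OBJ/sshd_proxy"
	rm -f "${COPY}" "${LOG}"
	${SSH} -oCompression=no -F "$OBJ/ssh_proxy" somehost "sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	check_rekeyed
done

# Check that sshd -T normalises every size and time suffix to the expected
# byte and second counts.  A parsing bug here would silently weaken the
# rekey policy an administrator configured, so a mismatch is fatal.
verbose "rekeylimit parsing"
for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
	for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
		case $size in
		16) bytes=16 ;;
		1k|1K) bytes=1024 ;;
		1m|1M) bytes=1048576 ;;
		1g|1G) bytes=1073741824 ;;
		4g|4G) bytes=4294967296 ;;
		8g|8G) bytes=8589934592 ;;
		esac
		case $time in
		1) seconds=1 ;;
		1m|1M) seconds=60 ;;
		1h|1H) seconds=3600 ;;
		1d|1D) seconds=86400 ;;
		1w|1W) seconds=604800 ;;
		esac

		# One sshd -T run yields both fields ("rekeylimit <bytes> <secs>")
		# instead of invoking sshd twice per combination.
		parsed=$($SUDO ${SSHD} -T -o "rekeylimit $size $time" -f "$OBJ/sshd_proxy" | \
			awk '/rekeylimit/{print $2, $3}')
		b=${parsed%% *}
		s=${parsed##* }

		if [ "$bytes" != "$b" ]; then
			fatal "rekeylimit size: expected $bytes bytes got $b"
		fi
		if [ "$seconds" != "$s" ]; then
			# report the normalised value, not the raw suffix form
			fatal "rekeylimit time: expected $seconds seconds got $s"
		fi
	done
done

rm -f "${COPY}" "${DATA}"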