openssh/regress/rekey.sh

296633Sdes#	$OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
124208Sdes#	Placed in the Public Domain.
124208Sdes
255670Sdestid="rekey"
124208Sdes
255670SdesLOG=${TEST_SSH_LOGFILE}
124208Sdes
255670Sdesrm -f ${LOG}
294328Sdescp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
124208Sdes
261320Sdes# Test rekeying based on data volume only.
261320Sdes# Arguments will be passed to ssh.
261320Sdesssh_data_rekeying()
261320Sdes{
294328Sdes	_kexopt=$1 ; shift
294328Sdes	_opts="$@"
294328Sdes	if ! test -z "$_kexopts" ; then
294328Sdes		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
294328Sdes		echo "$_kexopt" >> $OBJ/sshd_proxy
294328Sdes		_opts="$_opts -o$_kexopt"
294328Sdes	fi
255670Sdes	rm -f ${COPY} ${LOG}
294328Sdes	_opts="$_opts -oCompression=no"
294328Sdes	${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
124208Sdes	if [ $? -ne 0 ]; then
261320Sdes		fail "ssh failed ($@)"
124208Sdes	fi
261320Sdes	cmp ${DATA} ${COPY}		|| fail "corrupted copy ($@)"
124208Sdes	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
124208Sdes	n=`expr $n - 1`
124208Sdes	trace "$n rekeying(s)"
124208Sdes	if [ $n -lt 1 ]; then
261320Sdes		fail "no rekeying occured ($@)"
124208Sdes	fi
261320Sdes}
261320Sdes
261320Sdesincrease_datafile_size 300
261320Sdes
261320Sdesopts=""
261320Sdesfor i in `${SSH} -Q kex`; do
261320Sdes	opts="$opts KexAlgorithms=$i"
124208Sdesdone
261320Sdesfor i in `${SSH} -Q cipher`; do
261320Sdes	opts="$opts Ciphers=$i"
261320Sdesdone
261320Sdesfor i in `${SSH} -Q mac`; do
261320Sdes	opts="$opts MACs=$i"
261320Sdesdone
255670Sdes
261320Sdesfor opt in $opts; do
261320Sdes	verbose "client rekey $opt"
294328Sdes	ssh_data_rekeying "$opt" -oRekeyLimit=256k
261320Sdesdone
261320Sdes
261320Sdes# AEAD ciphers are magical so test with all KexAlgorithms
261320Sdesif ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
261320Sdes  for c in `${SSH} -Q cipher-auth`; do
261320Sdes    for kex in `${SSH} -Q kex`; do
261320Sdes	verbose "client rekey $c $kex"
294328Sdes	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
261320Sdes    done
261320Sdes  done
261320Sdesfi
261320Sdes
261320Sdesfor s in 16 1k 128k 256k; do
261320Sdes	verbose "client rekeylimit ${s}"
294328Sdes	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
261320Sdesdone
261320Sdes
255670Sdesfor s in 5 10; do
255670Sdes	verbose "client rekeylimit default ${s}"
255670Sdes	rm -f ${COPY} ${LOG}
261320Sdes	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
261320Sdes		$OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
255670Sdes	if [ $? -ne 0 ]; then
255670Sdes		fail "ssh failed"
255670Sdes	fi
261320Sdes	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
255670Sdes	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
255670Sdes	n=`expr $n - 1`
255670Sdes	trace "$n rekeying(s)"
255670Sdes	if [ $n -lt 1 ]; then
255670Sdes		fail "no rekeying occured"
255670Sdes	fi
255670Sdesdone
255670Sdes
255670Sdesfor s in 5 10; do
255670Sdes	verbose "client rekeylimit default ${s} no data"
255670Sdes	rm -f ${COPY} ${LOG}
255670Sdes	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
255670Sdes		$OBJ/ssh_proxy somehost "sleep $s;sleep 3"
255670Sdes	if [ $? -ne 0 ]; then
255670Sdes		fail "ssh failed"
255670Sdes	fi
255670Sdes	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
255670Sdes	n=`expr $n - 1`
255670Sdes	trace "$n rekeying(s)"
255670Sdes	if [ $n -lt 1 ]; then
255670Sdes		fail "no rekeying occured"
255670Sdes	fi
255670Sdesdone
255670Sdes
294332Sdesfor s in 16 1k 128k 256k; do
294332Sdes	verbose "server rekeylimit ${s}"
294332Sdes	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
294332Sdes	echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
294332Sdes	rm -f ${COPY} ${LOG}
294332Sdes	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
294332Sdes	    > ${COPY}
294332Sdes	if [ $? -ne 0 ]; then
294332Sdes		fail "ssh failed"
294332Sdes	fi
294332Sdes	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
294332Sdes	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
294332Sdes	n=`expr $n - 1`
294332Sdes	trace "$n rekeying(s)"
294332Sdes	if [ $n -lt 1 ]; then
294332Sdes		fail "no rekeying occured"
294332Sdes	fi
294332Sdesdone
294332Sdes
255670Sdesfor s in 5 10; do
255670Sdes	verbose "server rekeylimit default ${s} no data"
294332Sdes	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
294332Sdes	echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
255670Sdes	rm -f ${COPY} ${LOG}
255670Sdes	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
255670Sdes	if [ $? -ne 0 ]; then
255670Sdes		fail "ssh failed"
255670Sdes	fi
255670Sdes	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
255670Sdes	n=`expr $n - 1`
255670Sdes	trace "$n rekeying(s)"
255670Sdes	if [ $n -lt 1 ]; then
255670Sdes		fail "no rekeying occured"
255670Sdes	fi
255670Sdesdone
255670Sdes
255670Sdesverbose "rekeylimit parsing"
296633Sdesfor size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
255670Sdes    for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
255670Sdes	case $size in
255670Sdes		16)	bytes=16 ;;
255670Sdes		1k|1K)	bytes=1024 ;;
255670Sdes		1m|1M)	bytes=1048576 ;;
255670Sdes		1g|1G)	bytes=1073741824 ;;
296633Sdes		4g|4G)	bytes=4294967296 ;;
296633Sdes		8g|8G)	bytes=8589934592 ;;
255670Sdes	esac
255670Sdes	case $time in
255670Sdes		1)	seconds=1 ;;
255670Sdes		1m|1M)	seconds=60 ;;
255670Sdes		1h|1H)	seconds=3600 ;;
255670Sdes		1d|1D)	seconds=86400 ;;
255670Sdes		1w|1W)	seconds=604800 ;;
255670Sdes	esac
255670Sdes
255670Sdes	b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
255670Sdes	    awk '/rekeylimit/{print $2}'`
255670Sdes	s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
255670Sdes	    awk '/rekeylimit/{print $3}'`
255670Sdes
255670Sdes	if [ "$bytes" != "$b" ]; then
261320Sdes		fatal "rekeylimit size: expected $bytes bytes got $b"
255670Sdes	fi
255670Sdes	if [ "$seconds" != "$s" ]; then
261320Sdes		fatal "rekeylimit time: expected $time seconds got $s"
255670Sdes	fi
255670Sdes    done
255670Sdesdone
255670Sdes
255670Sdesrm -f ${COPY} ${DATA}