rekey.sh revision 296633 
11573Srgrimes#	$OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
21573Srgrimes#	Placed in the Public Domain.
31573Srgrimes
41573Srgrimestid="rekey"
51573Srgrimes
61573SrgrimesLOG=${TEST_SSH_LOGFILE}
71573Srgrimes
81573Srgrimesrm -f ${LOG}
91573Srgrimescp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
101573Srgrimes
111573Srgrimes# Test rekeying based on data volume only.
121573Srgrimes# Arguments will be passed to ssh.
131573Srgrimesssh_data_rekeying()
141573Srgrimes{
151573Srgrimes	_kexopt=$1 ; shift
16249808Semaste	_opts="$@"
171573Srgrimes	if ! test -z "$_kexopts" ; then
181573Srgrimes		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
191573Srgrimes		echo "$_kexopt" >> $OBJ/sshd_proxy
201573Srgrimes		_opts="$_opts -o$_kexopt"
211573Srgrimes	fi
221573Srgrimes	rm -f ${COPY} ${LOG}
231573Srgrimes	_opts="$_opts -oCompression=no"
241573Srgrimes	${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
251573Srgrimes	if [ $? -ne 0 ]; then
261573Srgrimes		fail "ssh failed ($@)"
271573Srgrimes	fi
281573Srgrimes	cmp ${DATA} ${COPY}		|| fail "corrupted copy ($@)"
291573Srgrimes	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
301573Srgrimes	n=`expr $n - 1`
311573Srgrimes	trace "$n rekeying(s)"
321573Srgrimes	if [ $n -lt 1 ]; then
331573Srgrimes		fail "no rekeying occured ($@)"
341573Srgrimes	fi
351573Srgrimes}
3692986Sobrien
3792986Sobrienincrease_datafile_size 300
381573Srgrimes
391573Srgrimesopts=""
401573Srgrimesfor i in `${SSH} -Q kex`; do
411573Srgrimes	opts="$opts KexAlgorithms=$i"
4271579Sdeischendone
431573Srgrimesfor i in `${SSH} -Q cipher`; do
4471579Sdeischen	opts="$opts Ciphers=$i"
45101776Stjrdone
4635129Sjbfor i in `${SSH} -Q mac`; do
471573Srgrimes	opts="$opts MACs=$i"
48178778Sjhbdone
49178778Sjhb
50178778Sjhbfor opt in $opts; do
5113545Sjulian	verbose "client rekey $opt"
521573Srgrimes	ssh_data_rekeying "$opt" -oRekeyLimit=256k
531573Srgrimesdone
5413545Sjulian
5535129Sjb# AEAD ciphers are magical so test with all KexAlgorithms
56127198Stjrif ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
57127198Stjr  for c in `${SSH} -Q cipher-auth`; do
58126804Stjr    for kex in `${SSH} -Q kex`; do
5935129Sjb	verbose "client rekey $c $kex"
6013545Sjulian	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
611573Srgrimes    done
62178721Sjhb  done
63178721Sjhbfi
64178721Sjhb
65178721Sjhbfor s in 16 1k 128k 256k; do
66178721Sjhb	verbose "client rekeylimit ${s}"
67178721Sjhb	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
68178721Sjhbdone
69
70for s in 5 10; do
71	verbose "client rekeylimit default ${s}"
72	rm -f ${COPY} ${LOG}
73	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
74		$OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
75	if [ $? -ne 0 ]; then
76		fail "ssh failed"
77	fi
78	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
79	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
80	n=`expr $n - 1`
81	trace "$n rekeying(s)"
82	if [ $n -lt 1 ]; then
83		fail "no rekeying occured"
84	fi
85done
86
87for s in 5 10; do
88	verbose "client rekeylimit default ${s} no data"
89	rm -f ${COPY} ${LOG}
90	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
91		$OBJ/ssh_proxy somehost "sleep $s;sleep 3"
92	if [ $? -ne 0 ]; then
93		fail "ssh failed"
94	fi
95	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
96	n=`expr $n - 1`
97	trace "$n rekeying(s)"
98	if [ $n -lt 1 ]; then
99		fail "no rekeying occured"
100	fi
101done
102
103for s in 16 1k 128k 256k; do
104	verbose "server rekeylimit ${s}"
105	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
106	echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
107	rm -f ${COPY} ${LOG}
108	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
109	    > ${COPY}
110	if [ $? -ne 0 ]; then
111		fail "ssh failed"
112	fi
113	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
114	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
115	n=`expr $n - 1`
116	trace "$n rekeying(s)"
117	if [ $n -lt 1 ]; then
118		fail "no rekeying occured"
119	fi
120done
121
122for s in 5 10; do
123	verbose "server rekeylimit default ${s} no data"
124	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
125	echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
126	rm -f ${COPY} ${LOG}
127	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
128	if [ $? -ne 0 ]; then
129		fail "ssh failed"
130	fi
131	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
132	n=`expr $n - 1`
133	trace "$n rekeying(s)"
134	if [ $n -lt 1 ]; then
135		fail "no rekeying occured"
136	fi
137done
138
139verbose "rekeylimit parsing"
140for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
141    for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
142	case $size in
143		16)	bytes=16 ;;
144		1k|1K)	bytes=1024 ;;
145		1m|1M)	bytes=1048576 ;;
146		1g|1G)	bytes=1073741824 ;;
147		4g|4G)	bytes=4294967296 ;;
148		8g|8G)	bytes=8589934592 ;;
149	esac
150	case $time in
151		1)	seconds=1 ;;
152		1m|1M)	seconds=60 ;;
153		1h|1H)	seconds=3600 ;;
154		1d|1D)	seconds=86400 ;;
155		1w|1W)	seconds=604800 ;;
156	esac
157
158	b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
159	    awk '/rekeylimit/{print $2}'`
160	s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
161	    awk '/rekeylimit/{print $3}'`
162
163	if [ "$bytes" != "$b" ]; then
164		fatal "rekeylimit size: expected $bytes bytes got $b"
165	fi
166	if [ "$seconds" != "$s" ]; then
167		fatal "rekeylimit time: expected $time seconds got $s"
168	fi
169    done
170done
171
172rm -f ${COPY} ${DATA}
173