rekey.sh revision 296633
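# $OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
# Placed in the Public Domain.

# Rekeying regress test.  Exercises client- and server-side rekeying by
# data volume and by time, once for every kex/cipher/MAC the binaries
# advertise, then checks how sshd -T normalises RekeyLimit values.
#
# This file is sourced by the regress harness and is POSIX sh (no
# bashisms).  Everything used but not defined here comes from the
# harness: the helpers fail/fatal/trace/verbose/increase_datafile_size
# and the variables SSH, SSHD, SUDO, OBJ, DATA, COPY, TEST_SSH_LOGFILE.

tid="rekey"

LOG=${TEST_SSH_LOGFILE}

rm -f ${LOG}
# Pristine copy of the server config.  Every test that appends options
# restores from it first, so settings never accumulate across iterations.
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# Count the rekeyings recorded in the client debug log and fail the test
# when there was none.  The first "NEWKEYS sent" is the initial key
# exchange, every later one is a rekey, hence the -1.
# Arguments: $1 - optional context appended to the failure message
check_rekeyed()
{
	_n=$(grep -c 'NEWKEYS sent' ${LOG})
	_n=$((_n - 1))
	trace "$_n rekeying(s)"
	if [ "$_n" -lt 1 ]; then
		fail "no rekeying occured${1:+ $1}"
	fi
}

# Test rekeying based on data volume only.
# Arguments: $1 - sshd_proxy option to append (empty for none); the same
#                 option is also given to ssh via -o.  All remaining
#                 arguments are passed to ssh unchanged.
ssh_data_rekeying()
{
	_kexopt=$1 ; shift
	_opts="$*"
	# The name tested here must be $_kexopt: an earlier revision tested
	# the never-assigned $_kexopts, so the per-algorithm loops below ran
	# with the default algorithms and never touched sshd_proxy.
	if [ -n "$_kexopt" ]; then
		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		echo "$_kexopt" >> $OBJ/sshd_proxy
		_opts="$_opts -o$_kexopt"
	fi
	rm -f ${COPY} ${LOG}
	# Compression changes the number of bytes on the wire and therefore
	# the point at which a byte-based RekeyLimit fires.
	_opts="$_opts -oCompression=no"
	# $_opts is intentionally unquoted: it is a space-separated option
	# list (POSIX sh has no arrays), so options passed through here must
	# not contain whitespace.
	if ! ${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"; then
		fail "ssh failed ($*)"
	fi
	cmp ${DATA} ${COPY} || fail "corrupted copy ($*)"
	check_rekeyed "($*)"
}

increase_datafile_size 300

# One option per advertised algorithm, each tested on its own.
opts=""
for i in $(${SSH} -Q kex); do
	opts="$opts KexAlgorithms=$i"
done
for i in $(${SSH} -Q cipher); do
	opts="$opts Ciphers=$i"
done
for i in $(${SSH} -Q mac); do
	opts="$opts MACs=$i"
done

for opt in $opts; do
	verbose "client rekey $opt"
	ssh_data_rekeying "$opt" -oRekeyLimit=256k
done

# AEAD ciphers are magical so test with all KexAlgorithms
# (the grep matches any line, i.e. succeeds when -Q cipher-auth prints
# anything at all).
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
	for c in $(${SSH} -Q cipher-auth); do
		for kex in $(${SSH} -Q kex); do
			verbose "client rekey $c $kex"
			ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
		done
	done
fi

# Client-side byte limits.
for s in 16 1k 128k 256k; do
	verbose "client rekeylimit ${s}"
	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
done

# Client-side time limits: the remote command idles for longer than the
# limit so a time-based rekey has a chance to happen before exit.
for s in 5 10; do
	verbose "client rekeylimit default ${s}"
	rm -f ${COPY} ${LOG}
	if ! ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
	    $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"; then
		fail "ssh failed"
	fi
	cmp ${DATA} ${COPY} || fail "corrupted copy"
	check_rekeyed
done

for s in 5 10; do
	verbose "client rekeylimit default ${s} no data"
	rm -f ${COPY} ${LOG}
	if ! ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
	    $OBJ/ssh_proxy somehost "sleep $s;sleep 3"; then
		fail "ssh failed"
	fi
	check_rekeyed
done

# Server-side byte limits: the limit lives in sshd_proxy and the data
# flows from the server to the client.
for s in 16 1k 128k 256k; do
	verbose "server rekeylimit ${s}"
	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
	rm -f ${COPY} ${LOG}
	if ! ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
	    > ${COPY}; then
		fail "ssh failed"
	fi
	cmp ${DATA} ${COPY} || fail "corrupted copy"
	check_rekeyed
done

# Server-side time limits.
for s in 5 10; do
	verbose "server rekeylimit default ${s} no data"
	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
	rm -f ${COPY} ${LOG}
	if ! ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"; then
		fail "ssh failed"
	fi
	check_rekeyed
done

# sshd -T must report RekeyLimit in canonical units (bytes, seconds)
# whatever suffix case the input used.
verbose "rekeylimit parsing"
for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
	for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
		case $size in
		16)	bytes=16 ;;
		1k|1K)	bytes=1024 ;;
		1m|1M)	bytes=1048576 ;;
		1g|1G)	bytes=1073741824 ;;
		4g|4G)	bytes=4294967296 ;;
		8g|8G)	bytes=8589934592 ;;
		esac
		case $time in
		1)	seconds=1 ;;
		1m|1M)	seconds=60 ;;
		1h|1H)	seconds=3600 ;;
		1d|1D)	seconds=86400 ;;
		1w|1W)	seconds=604800 ;;
		esac

		# A single sshd -T run yields both fields; split on the space.
		_rl=$($SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
		    awk '/rekeylimit/{print $2, $3}')
		b=${_rl% *}
		s=${_rl#* }

		if [ "$bytes" != "$b" ]; then
			fatal "rekeylimit size: expected $bytes bytes got $b"
		fi
		if [ "$seconds" != "$s" ]; then
			# Report the expected value in seconds; the raw input
			# ($time) was printed here before, which hid the mismatch.
			fatal "rekeylimit time: expected $seconds seconds got $s"
		fi
	done
done

rm -f ${COPY} ${DATA}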