      1 #	$OpenBSD: rekey.sh,v 1.17 2016/01/29 05:18:15 dtucker Exp $
      2 #	Placed in the Public Domain.
      3 
      4 tid="rekey"
      5 
      6 LOG=${TEST_SSH_LOGFILE}
      7 
      8 rm -f ${LOG}
      9 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
     10 
     11 # Test rekeying based on data volume only.
     12 # Arguments will be passed to ssh.
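# Exercise rekeying that is triggered by data volume alone.
#
# $1    - an option of the form "Keyword=value" (KexAlgorithms=..., Ciphers=...,
#         MACs=...) that is appended to the proxy sshd config AND handed to ssh
#         as -o$1, so both ends negotiate exactly that algorithm.  Pass "" to
#         leave the defaults alone (the sshd config is then not touched).
# $2..  - further ssh command-line options, typically -oRekeyLimit=<bytes>.
#
# The payload in $DATA is piped through ssh to "cat > $COPY" with compression
# off, so the amount of data on the wire is predictable and the byte limit is
# actually crossed.  -v is passed so that the NEWKEYS messages land in $LOG.
# The copy must be intact, and "NEWKEYS sent" must appear more than once:
# the first one belongs to the initial key exchange, every further one is a
# rekey.  Rekeying bounds how much traffic a single session key protects, so
# a variation that never rekeys is a test failure.
ssh_data_rekeying()
{
	_kexopt=$1 ; shift
	_opts="$@"
	# This used to test the never-assigned "$_kexopts", so the branch was
	# dead: the option was silently dropped and every KEX/cipher/MAC
	# variation actually ran with the defaults.
	if ! test -z "$_kexopt" ; then
		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		echo "$_kexopt" >> $OBJ/sshd_proxy
		_opts="$_opts -o$_kexopt"
	fi
	rm -f ${COPY} ${LOG}
	_opts="$_opts -oCompression=no"
	${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
	if [ $? -ne 0 ]; then
		fail "ssh failed ($@)"
	fi
	cmp ${DATA} ${COPY}		|| fail "corrupted copy ($@)"
	# Discount the NEWKEYS of the initial key exchange.
	n=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
	n=$(expr $n - 1)
	trace "$n rekeying(s)"
	if [ $n -lt 1 ]; then
		fail "no rekeying occured ($@)"
	fi
}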
     36 
# Grow the payload (argument units as defined by the harness helper,
# presumably KiB) so that the data-volume limits used below are crossed.
increase_datafile_size 300

# Build one "Keyword=algorithm" entry per supported KEX, cipher and MAC.
# Each entry is later tested on its own with defaults for everything else.
opts=""
for pair in kex:KexAlgorithms cipher:Ciphers mac:MACs; do
	query=${pair%%:*}
	keyword=${pair#*:}
	for alg in $(${SSH} -Q $query); do
		opts="$opts $keyword=$alg"
	done
done
     49 
# Data-volume rekeying once per KEX, cipher and MAC; the helper applies the
# option on both the client side and in the proxy sshd config.
for algopt in $opts; do
	verbose "client rekey $algopt"
	ssh_data_rekeying "$algopt" -oRekeyLimit=256k
done
     54 
# Ciphers listed by "ssh -Q cipher-auth" provide authenticated encryption:
# integrity comes from the cipher itself rather than a separate MAC, so
# pair each of them with every KEX instead of only the default one.
# The grep guard skips the section when the query prints nothing at all.
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
	for aead in $(${SSH} -Q cipher-auth); do
		for kex in $(${SSH} -Q kex); do
			verbose "client rekey $aead $kex"
			ssh_data_rekeying "KexAlgorithms=$kex" \
			    -oRekeyLimit=256k -oCiphers=$aead
		done
	done
fi
     64 
# Client-side byte limits from 16 bytes up to 256k, with no algorithm
# override (empty first argument); each must trigger at least one rekey.
for limit in 16 1k 128k 256k; do
	verbose "client rekeylimit ${limit}"
	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$limit
done
     69 
# Time-based rekeying on the client: "RekeyLimit default N" keeps the
# default byte limit and asks for a rekey every N seconds.  The payload is
# sent, then the session is held open for N+3 seconds so the timer can
# fire at least once.
for secs in 5 10; do
	verbose "client rekeylimit default ${secs}"
	rm -f ${COPY} ${LOG}
	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $secs" -F \
		$OBJ/ssh_proxy somehost "cat >${COPY};sleep $secs;sleep 3"
	[ $? -eq 0 ] || fail "ssh failed"
	cmp ${DATA} ${COPY} || fail "corrupted copy"
	# The first NEWKEYS is the initial key exchange; count only the rest.
	rekeys=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
	rekeys=$(expr $rekeys - 1)
	trace "$rekeys rekeying(s)"
	if [ $rekeys -lt 1 ]; then
		fail "no rekeying occured"
	fi
done
     86 
# Time-based rekeying on the client with no payload at all: an idle
# session must still rekey once the interval has elapsed (the remote
# command only sleeps N+3 seconds), so there is no copy to verify here.
for secs in 5 10; do
	verbose "client rekeylimit default ${secs} no data"
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -oRekeyLimit="default $secs" -F \
		$OBJ/ssh_proxy somehost "sleep $secs;sleep 3"
	[ $? -eq 0 ] || fail "ssh failed"
	# Discount the NEWKEYS of the initial key exchange.
	rekeys=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
	rekeys=$(expr $rekeys - 1)
	trace "$rekeys rekeying(s)"
	if [ $rekeys -lt 1 ]; then
		fail "no rekeying occured"
	fi
done
    102 
# Server-side byte limits: RekeyLimit is set only in the proxy sshd config
# (restored from the backup first) and the server sends the payload.  The
# client log still records a NEWKEYS for every exchange, whichever side
# initiated it, so the same counting works.
for limit in 16 1k 128k 256k; do
	verbose "server rekeylimit ${limit}"
	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	echo "rekeylimit ${limit}" >>$OBJ/sshd_proxy
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
	    > ${COPY}
	[ $? -eq 0 ] || fail "ssh failed"
	cmp ${DATA} ${COPY} || fail "corrupted copy"
	# Discount the NEWKEYS of the initial key exchange.
	rekeys=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
	rekeys=$(expr $rekeys - 1)
	trace "$rekeys rekeying(s)"
	if [ $rekeys -lt 1 ]; then
		fail "no rekeying occured"
	fi
done
    121 
# Server-side time-based rekeying on an idle session: "rekeylimit default N"
# goes into the proxy sshd config only, no data is transferred, and the
# remote command just keeps the session open for N+3 seconds.
for secs in 5 10; do
	verbose "server rekeylimit default ${secs} no data"
	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	echo "rekeylimit default ${secs}" >>$OBJ/sshd_proxy
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $secs;sleep 3"
	[ $? -eq 0 ] || fail "ssh failed"
	# Discount the NEWKEYS of the initial key exchange.
	rekeys=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
	rekeys=$(expr $rekeys - 1)
	trace "$rekeys rekeying(s)"
	if [ $rekeys -lt 1 ]; then
		fail "no rekeying occured"
	fi
done
    138 
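# RekeyLimit parsing: every size suffix (none/k/m/g, either case) and time
# suffix (none/m/h/d/w, either case) must be turned into the expected number
# of bytes and seconds, as reported by "sshd -T".

# Print the byte count a RekeyLimit size token should parse to.
rekeylimit_bytes()
{
	case $1 in
		16)	echo 16 ;;
		1k|1K)	echo 1024 ;;
		1m|1M)	echo 1048576 ;;
		1g|1G)	echo 1073741824 ;;
		4g|4G)	echo 4294967296 ;;
		8g|8G)	echo 8589934592 ;;
	esac
}

# Print the number of seconds a RekeyLimit time token should parse to.
rekeylimit_seconds()
{
	case $1 in
		1)	echo 1 ;;
		1m|1M)	echo 60 ;;
		1h|1H)	echo 3600 ;;
		1d|1D)	echo 86400 ;;
		1w|1W)	echo 604800 ;;
	esac
}

# Have sshd parse "rekeylimit $1 $2" and compare the dumped byte and second
# values with the expected ones; fatal on any mismatch.
check_rekeylimit_parsing()
{
	_size=$1
	_time=$2
	_bytes=$(rekeylimit_bytes $_size)
	_seconds=$(rekeylimit_seconds $_time)

	# One "sshd -T" run per combination (it used to be started twice, once
	# per field).  The dump line has the form "rekeylimit <bytes> <seconds>";
	# a missing field leaves the corresponding variable empty.
	_parsed=$($SUDO ${SSHD} -T -o "rekeylimit $_size $_time" \
	    -f $OBJ/sshd_proxy | awk '/rekeylimit/{print $2, $3}')
	_b=${_parsed%% *}
	_s=${_parsed##* }

	if [ "$_bytes" != "$_b" ]; then
		fatal "rekeylimit size: expected $_bytes bytes got $_b"
	fi
	# Report the expected value in seconds; this used to print the raw
	# token ("expected 1m seconds"), which made mismatches hard to read.
	if [ "$_seconds" != "$_s" ]; then
		fatal "rekeylimit time: expected $_seconds seconds got $_s"
	fi
}

verbose "rekeylimit parsing"
for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
	for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
		check_rekeylimit_parsing $size $time
	done
done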
    171 
    172 rm -f ${COPY} ${DATA}
    173