blob: fd6a02cc7a625f694880e4613aa85d4274f16418 [file] [log] [blame]
# $OpenBSD: rekey.sh,v 1.18 2018/04/10 00:14:10 djm Exp $
# Placed in the Public Domain.
tid="rekey"
LOG=${TEST_SSH_LOGFILE}
rm -f ${LOG}
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
# Test rekeying based on data volume only.
# Arguments will be passed to ssh.
ssh_data_rekeying()
{
_kexopt=$1 ; shift
_opts="$@"
if ! test -z "$_kexopts" ; then
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "$_kexopt" >> $OBJ/sshd_proxy
_opts="$_opts -o$_kexopt"
fi
rm -f ${COPY} ${LOG}
_opts="$_opts -oCompression=no"
${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
if [ $? -ne 0 ]; then
fail "ssh failed ($@)"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy ($@)"
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
fail "no rekeying occurred ($@)"
fi
}
increase_datafile_size 300
opts=""
for i in `${SSH} -Q kex`; do
opts="$opts KexAlgorithms=$i"
done
for i in `${SSH} -Q cipher`; do
opts="$opts Ciphers=$i"
done
for i in `${SSH} -Q mac`; do
opts="$opts MACs=$i"
done
for opt in $opts; do
verbose "client rekey $opt"
ssh_data_rekeying "$opt" -oRekeyLimit=256k
done
# AEAD ciphers are magical so test with all KexAlgorithms
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
for c in `${SSH} -Q cipher-auth`; do
for kex in `${SSH} -Q kex`; do
verbose "client rekey $c $kex"
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
done
done
fi
for s in 16 1k 128k 256k; do
verbose "client rekeylimit ${s}"
ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
done
for s in 5 10; do
verbose "client rekeylimit default ${s}"
rm -f ${COPY} ${LOG}
${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
$OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
if [ $? -ne 0 ]; then
fail "ssh failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
fail "no rekeying occurred"
fi
done
for s in 5 10; do
verbose "client rekeylimit default ${s} no data"
rm -f ${COPY} ${LOG}
${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
$OBJ/ssh_proxy somehost "sleep $s;sleep 3"
if [ $? -ne 0 ]; then
fail "ssh failed"
fi
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
fail "no rekeying occurred"
fi
done
for s in 16 1k 128k 256k; do
verbose "server rekeylimit ${s}"
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
rm -f ${COPY} ${LOG}
${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
> ${COPY}
if [ $? -ne 0 ]; then
fail "ssh failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
fail "no rekeying occurred"
fi
done
for s in 5 10; do
verbose "server rekeylimit default ${s} no data"
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
rm -f ${COPY} ${LOG}
${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
if [ $? -ne 0 ]; then
fail "ssh failed"
fi
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
n=`expr $n - 1`
trace "$n rekeying(s)"
if [ $n -lt 1 ]; then
fail "no rekeying occurred"
fi
done
verbose "rekeylimit parsing"
for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
case $size in
16) bytes=16 ;;
1k|1K) bytes=1024 ;;
1m|1M) bytes=1048576 ;;
1g|1G) bytes=1073741824 ;;
4g|4G) bytes=4294967296 ;;
8g|8G) bytes=8589934592 ;;
esac
case $time in
1) seconds=1 ;;
1m|1M) seconds=60 ;;
1h|1H) seconds=3600 ;;
1d|1D) seconds=86400 ;;
1w|1W) seconds=604800 ;;
esac
b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
awk '/rekeylimit/{print $2}'`
s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
awk '/rekeylimit/{print $3}'`
if [ "$bytes" != "$b" ]; then
fatal "rekeylimit size: expected $bytes bytes got $b"
fi
if [ "$seconds" != "$s" ]; then
fatal "rekeylimit time: expected $time seconds got $s"
fi
done
done
rm -f ${COPY} ${DATA}