blob: fd6a02cc7a625f694880e4613aa85d4274f16418 [file] [log] [blame]
djm@openbsd.org907da2f2018-04-10 00:14:10 +00001# $OpenBSD: rekey.sh,v 1.18 2018/04/10 00:14:10 djm Exp $
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +10002# Placed in the Public Domain.
3
Darren Tucker982b0cb2013-05-17 09:45:12 +10004tid="rekey"
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +10005
Darren Tucker75129022013-05-17 09:19:10 +10006LOG=${TEST_SSH_LOGFILE}
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +10007
Darren Tucker59d928d2013-05-17 15:32:29 +10008rm -f ${LOG}
Damien Milleredb1af52014-05-15 15:07:53 +10009cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +100010
Darren Tucker06595d62013-11-07 15:08:02 +110011# Test rekeying based on data volume only.
12# Arguments will be passed to ssh.
13ssh_data_rekeying()
14{
Damien Milleredb1af52014-05-15 15:07:53 +100015 _kexopt=$1 ; shift
16 _opts="$@"
17 if ! test -z "$_kexopts" ; then
18 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
19 echo "$_kexopt" >> $OBJ/sshd_proxy
20 _opts="$_opts -o$_kexopt"
21 fi
Darren Tucker06595d62013-11-07 15:08:02 +110022 rm -f ${COPY} ${LOG}
Damien Milleredb1af52014-05-15 15:07:53 +100023 _opts="$_opts -oCompression=no"
24 ${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
Darren Tucker06595d62013-11-07 15:08:02 +110025 if [ $? -ne 0 ]; then
26 fail "ssh failed ($@)"
27 fi
28 cmp ${DATA} ${COPY} || fail "corrupted copy ($@)"
29 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
30 n=`expr $n - 1`
31 trace "$n rekeying(s)"
32 if [ $n -lt 1 ]; then
djm@openbsd.org907da2f2018-04-10 00:14:10 +000033 fail "no rekeying occurred ($@)"
Darren Tucker06595d62013-11-07 15:08:02 +110034 fi
35}
36
Darren Tucker6e2fe812013-11-09 16:55:03 +110037increase_datafile_size 300
38
Darren Tucker651dc8b2013-11-07 15:04:44 +110039opts=""
40for i in `${SSH} -Q kex`; do
41 opts="$opts KexAlgorithms=$i"
42done
43for i in `${SSH} -Q cipher`; do
44 opts="$opts Ciphers=$i"
45done
46for i in `${SSH} -Q mac`; do
47 opts="$opts MACs=$i"
48done
Darren Tucker23455772013-11-07 15:00:51 +110049
Darren Tucker651dc8b2013-11-07 15:04:44 +110050for opt in $opts; do
51 verbose "client rekey $opt"
Damien Milleredb1af52014-05-15 15:07:53 +100052 ssh_data_rekeying "$opt" -oRekeyLimit=256k
Darren Tucker651dc8b2013-11-07 15:04:44 +110053done
54
Damien Miller8a073cf2013-11-21 14:26:18 +110055# AEAD ciphers are magical so test with all KexAlgorithms
56if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
57 for c in `${SSH} -Q cipher-auth`; do
Darren Tucker651dc8b2013-11-07 15:04:44 +110058 for kex in `${SSH} -Q kex`; do
59 verbose "client rekey $c $kex"
Damien Milleredb1af52014-05-15 15:07:53 +100060 ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
Darren Tucker23455772013-11-07 15:00:51 +110061 done
Darren Tucker651dc8b2013-11-07 15:04:44 +110062 done
63fi
64
65for s in 16 1k 128k 256k; do
66 verbose "client rekeylimit ${s}"
Damien Milleredb1af52014-05-15 15:07:53 +100067 ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +100068done
Darren Tuckera8a62fc2013-05-17 09:42:34 +100069
Darren Tuckerc31c8722013-05-17 09:43:33 +100070for s in 5 10; do
Darren Tucker14490fe2013-05-17 09:44:20 +100071 verbose "client rekeylimit default ${s}"
Darren Tuckera8a62fc2013-05-17 09:42:34 +100072 rm -f ${COPY} ${LOG}
Darren Tucker06595d62013-11-07 15:08:02 +110073 ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
74 $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
Darren Tuckera8a62fc2013-05-17 09:42:34 +100075 if [ $? -ne 0 ]; then
76 fail "ssh failed"
77 fi
Darren Tucker06595d62013-11-07 15:08:02 +110078 cmp ${DATA} ${COPY} || fail "corrupted copy"
Darren Tuckera8a62fc2013-05-17 09:42:34 +100079 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
80 n=`expr $n - 1`
81 trace "$n rekeying(s)"
82 if [ $n -lt 1 ]; then
djm@openbsd.org907da2f2018-04-10 00:14:10 +000083 fail "no rekeying occurred"
Darren Tuckera8a62fc2013-05-17 09:42:34 +100084 fi
85done
86
Darren Tuckerc31c8722013-05-17 09:43:33 +100087for s in 5 10; do
Darren Tucker14490fe2013-05-17 09:44:20 +100088 verbose "client rekeylimit default ${s} no data"
Darren Tuckerc31c8722013-05-17 09:43:33 +100089 rm -f ${COPY} ${LOG}
90 ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
91 $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
92 if [ $? -ne 0 ]; then
93 fail "ssh failed"
94 fi
95 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
96 n=`expr $n - 1`
97 trace "$n rekeying(s)"
98 if [ $n -lt 1 ]; then
djm@openbsd.org907da2f2018-04-10 00:14:10 +000099 fail "no rekeying occurred"
Darren Tuckerc31c8722013-05-17 09:43:33 +1000100 fi
101done
102
markus@openbsd.org8ea33652015-02-14 12:43:16 +0000103for s in 16 1k 128k 256k; do
104 verbose "server rekeylimit ${s}"
105 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
106 echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
107 rm -f ${COPY} ${LOG}
108 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
109 > ${COPY}
110 if [ $? -ne 0 ]; then
111 fail "ssh failed"
112 fi
113 cmp ${DATA} ${COPY} || fail "corrupted copy"
114 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
115 n=`expr $n - 1`
116 trace "$n rekeying(s)"
117 if [ $n -lt 1 ]; then
djm@openbsd.org907da2f2018-04-10 00:14:10 +0000118 fail "no rekeying occurred"
markus@openbsd.org8ea33652015-02-14 12:43:16 +0000119 fi
120done
121
Darren Tucker14490fe2013-05-17 09:44:20 +1000122for s in 5 10; do
123 verbose "server rekeylimit default ${s} no data"
markus@openbsd.org8ea33652015-02-14 12:43:16 +0000124 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
125 echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
Darren Tucker14490fe2013-05-17 09:44:20 +1000126 rm -f ${COPY} ${LOG}
127 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
128 if [ $? -ne 0 ]; then
129 fail "ssh failed"
130 fi
131 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
132 n=`expr $n - 1`
133 trace "$n rekeying(s)"
134 if [ $n -lt 1 ]; then
djm@openbsd.org907da2f2018-04-10 00:14:10 +0000135 fail "no rekeying occurred"
Darren Tucker14490fe2013-05-17 09:44:20 +1000136 fi
137done
138
Darren Tucker982b0cb2013-05-17 09:45:12 +1000139verbose "rekeylimit parsing"
dtucker@openbsd.org537f88e2016-01-29 05:18:15 +0000140for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
Darren Tucker982b0cb2013-05-17 09:45:12 +1000141 for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
142 case $size in
143 16) bytes=16 ;;
144 1k|1K) bytes=1024 ;;
145 1m|1M) bytes=1048576 ;;
146 1g|1G) bytes=1073741824 ;;
dtucker@openbsd.org537f88e2016-01-29 05:18:15 +0000147 4g|4G) bytes=4294967296 ;;
148 8g|8G) bytes=8589934592 ;;
Darren Tucker982b0cb2013-05-17 09:45:12 +1000149 esac
150 case $time in
151 1) seconds=1 ;;
152 1m|1M) seconds=60 ;;
153 1h|1H) seconds=3600 ;;
154 1d|1D) seconds=86400 ;;
155 1w|1W) seconds=604800 ;;
156 esac
157
158 b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
159 awk '/rekeylimit/{print $2}'`
160 s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
161 awk '/rekeylimit/{print $3}'`
162
163 if [ "$bytes" != "$b" ]; then
Damien Miller8a073cf2013-11-21 14:26:18 +1100164 fatal "rekeylimit size: expected $bytes bytes got $b"
Darren Tucker982b0cb2013-05-17 09:45:12 +1000165 fi
166 if [ "$seconds" != "$s" ]; then
Damien Miller8a073cf2013-11-21 14:26:18 +1100167 fatal "rekeylimit time: expected $time seconds got $s"
Darren Tucker982b0cb2013-05-17 09:45:12 +1000168 fi
169 done
170done
171
Darren Tucker75129022013-05-17 09:19:10 +1000172rm -f ${COPY} ${DATA}