Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 0dc74512bdb105b048883f07de538b37e5e024d4 / . / regress / rekey.sh
blob: 0d4444d03fed19797df77506a30bd4c61383a5a0 [file] [log] [blame]
markus@openbsd.org8ea33652015-02-14 12:43:16 +0000[diff] [blame]1# $OpenBSD: rekey.sh,v 1.16 2015/02/14 12:43:16 markus Exp $
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +1000[diff] [blame]2# Placed in the Public Domain.
3
Darren Tucker982b0cb2013-05-17 09:45:12 +1000[diff] [blame]4tid="rekey"
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +1000[diff] [blame]5
Darren Tucker75129022013-05-17 09:19:10 +1000[diff] [blame]6LOG=${TEST_SSH_LOGFILE}
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +1000[diff] [blame]7
Darren Tucker59d928d2013-05-17 15:32:29 +1000[diff] [blame]8rm -f ${LOG}
Damien Milleredb1af52014-05-15 15:07:53 +1000[diff] [blame]9cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +1000[diff] [blame]10
Darren Tucker06595d62013-11-07 15:08:02 +1100[diff] [blame]11# Test rekeying based on data volume only.
12# Arguments will be passed to ssh.
13ssh_data_rekeying()
14{
Damien Milleredb1af52014-05-15 15:07:53 +1000[diff] [blame]15 _kexopt=$1 ; shift
16 _opts="$@"
17 if ! test -z "$_kexopts" ; then
18 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
19 echo "$_kexopt" >> $OBJ/sshd_proxy
20 _opts="$_opts -o$_kexopt"
21 fi
Darren Tucker06595d62013-11-07 15:08:02 +1100[diff] [blame]22 rm -f ${COPY} ${LOG}
Damien Milleredb1af52014-05-15 15:07:53 +1000[diff] [blame]23 _opts="$_opts -oCompression=no"
24 ${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
Darren Tucker06595d62013-11-07 15:08:02 +1100[diff] [blame]25 if [ $? -ne 0 ]; then
26 fail "ssh failed ($@)"
27 fi
28 cmp ${DATA} ${COPY} || fail "corrupted copy ($@)"
29 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
30 n=`expr $n - 1`
31 trace "$n rekeying(s)"
32 if [ $n -lt 1 ]; then
33 fail "no rekeying occured ($@)"
34 fi
35}
36
Darren Tucker6e2fe812013-11-09 16:55:03 +1100[diff] [blame]37increase_datafile_size 300
38
Darren Tucker651dc8b2013-11-07 15:04:44 +1100[diff] [blame]39opts=""
40for i in `${SSH} -Q kex`; do
41 opts="$opts KexAlgorithms=$i"
42done
43for i in `${SSH} -Q cipher`; do
44 opts="$opts Ciphers=$i"
45done
46for i in `${SSH} -Q mac`; do
47 opts="$opts MACs=$i"
48done
Darren Tucker23455772013-11-07 15:00:51 +1100[diff] [blame]49
Darren Tucker651dc8b2013-11-07 15:04:44 +1100[diff] [blame]50for opt in $opts; do
51 verbose "client rekey $opt"
Damien Milleredb1af52014-05-15 15:07:53 +1000[diff] [blame]52 ssh_data_rekeying "$opt" -oRekeyLimit=256k
Darren Tucker651dc8b2013-11-07 15:04:44 +1100[diff] [blame]53done
54
Damien Miller8a073cf2013-11-21 14:26:18 +1100[diff] [blame]55# AEAD ciphers are magical so test with all KexAlgorithms
56if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
57 for c in `${SSH} -Q cipher-auth`; do
Darren Tucker651dc8b2013-11-07 15:04:44 +1100[diff] [blame]58 for kex in `${SSH} -Q kex`; do
59 verbose "client rekey $c $kex"
Damien Milleredb1af52014-05-15 15:07:53 +1000[diff] [blame]60 ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
Darren Tucker23455772013-11-07 15:00:51 +1100[diff] [blame]61 done
Darren Tucker651dc8b2013-11-07 15:04:44 +1100[diff] [blame]62 done
63fi
64
65for s in 16 1k 128k 256k; do
66 verbose "client rekeylimit ${s}"
Damien Milleredb1af52014-05-15 15:07:53 +1000[diff] [blame]67 ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
Darren Tuckerfc8a7ea2003-06-18 22:18:57 +1000[diff] [blame]68done
Darren Tuckera8a62fc2013-05-17 09:42:34 +1000[diff] [blame]69
Darren Tuckerc31c8722013-05-17 09:43:33 +1000[diff] [blame]70for s in 5 10; do
Darren Tucker14490fe2013-05-17 09:44:20 +1000[diff] [blame]71 verbose "client rekeylimit default ${s}"
Darren Tuckera8a62fc2013-05-17 09:42:34 +1000[diff] [blame]72 rm -f ${COPY} ${LOG}
Darren Tucker06595d62013-11-07 15:08:02 +1100[diff] [blame]73 ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
74 $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
Darren Tuckera8a62fc2013-05-17 09:42:34 +1000[diff] [blame]75 if [ $? -ne 0 ]; then
76 fail "ssh failed"
77 fi
Darren Tucker06595d62013-11-07 15:08:02 +1100[diff] [blame]78 cmp ${DATA} ${COPY} || fail "corrupted copy"
Darren Tuckera8a62fc2013-05-17 09:42:34 +1000[diff] [blame]79 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
80 n=`expr $n - 1`
81 trace "$n rekeying(s)"
82 if [ $n -lt 1 ]; then
83 fail "no rekeying occured"
84 fi
85done
86
Darren Tuckerc31c8722013-05-17 09:43:33 +1000[diff] [blame]87for s in 5 10; do
Darren Tucker14490fe2013-05-17 09:44:20 +1000[diff] [blame]88 verbose "client rekeylimit default ${s} no data"
Darren Tuckerc31c8722013-05-17 09:43:33 +1000[diff] [blame]89 rm -f ${COPY} ${LOG}
90 ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
91 $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
92 if [ $? -ne 0 ]; then
93 fail "ssh failed"
94 fi
95 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
96 n=`expr $n - 1`
97 trace "$n rekeying(s)"
98 if [ $n -lt 1 ]; then
99 fail "no rekeying occured"
100 fi
101done
102
markus@openbsd.org8ea33652015-02-14 12:43:16 +0000[diff] [blame]103for s in 16 1k 128k 256k; do
104 verbose "server rekeylimit ${s}"
105 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
106 echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
107 rm -f ${COPY} ${LOG}
108 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
109 > ${COPY}
110 if [ $? -ne 0 ]; then
111 fail "ssh failed"
112 fi
113 cmp ${DATA} ${COPY} || fail "corrupted copy"
114 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
115 n=`expr $n - 1`
116 trace "$n rekeying(s)"
117 if [ $n -lt 1 ]; then
118 fail "no rekeying occured"
119 fi
120done
121
Darren Tucker14490fe2013-05-17 09:44:20 +1000[diff] [blame]122for s in 5 10; do
123 verbose "server rekeylimit default ${s} no data"
markus@openbsd.org8ea33652015-02-14 12:43:16 +0000[diff] [blame]124 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
125 echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
Darren Tucker14490fe2013-05-17 09:44:20 +1000[diff] [blame]126 rm -f ${COPY} ${LOG}
127 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
128 if [ $? -ne 0 ]; then
129 fail "ssh failed"
130 fi
131 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
132 n=`expr $n - 1`
133 trace "$n rekeying(s)"
134 if [ $n -lt 1 ]; then
135 fail "no rekeying occured"
136 fi
137done
138
Darren Tucker982b0cb2013-05-17 09:45:12 +1000[diff] [blame]139verbose "rekeylimit parsing"
140for size in 16 1k 1K 1m 1M 1g 1G; do
141 for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
142 case $size in
143 16) bytes=16 ;;
144 1k|1K) bytes=1024 ;;
145 1m|1M) bytes=1048576 ;;
146 1g|1G) bytes=1073741824 ;;
147 esac
148 case $time in
149 1) seconds=1 ;;
150 1m|1M) seconds=60 ;;
151 1h|1H) seconds=3600 ;;
152 1d|1D) seconds=86400 ;;
153 1w|1W) seconds=604800 ;;
154 esac
155
156 b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
157 awk '/rekeylimit/{print $2}'`
158 s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
159 awk '/rekeylimit/{print $3}'`
160
161 if [ "$bytes" != "$b" ]; then
Damien Miller8a073cf2013-11-21 14:26:18 +1100[diff] [blame]162 fatal "rekeylimit size: expected $bytes bytes got $b"
Darren Tucker982b0cb2013-05-17 09:45:12 +1000[diff] [blame]163 fi
164 if [ "$seconds" != "$s" ]; then
Damien Miller8a073cf2013-11-21 14:26:18 +1100[diff] [blame]165 fatal "rekeylimit time: expected $time seconds got $s"
Darren Tucker982b0cb2013-05-17 09:45:12 +1000[diff] [blame]166 fi
167 done
168done
169
Darren Tucker75129022013-05-17 09:19:10 +1000[diff] [blame]170rm -f ${COPY} ${DATA}