1# $OpenBSD: rekey.sh,v 1.16 2015/02/14 12:43:16 markus Exp $ 2# Placed in the Public Domain. 3 4tid="rekey" 5 6LOG=${TEST_SSH_LOGFILE} 7 8rm -f ${LOG} 9cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 10 11# Test rekeying based on data volume only. 12# Arguments will be passed to ssh. 13ssh_data_rekeying() 14{ 15 _kexopt=$1 ; shift 16 _opts="$@" 17 if ! test -z "$_kexopts" ; then 18 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 19 echo "$_kexopt" >> $OBJ/sshd_proxy 20 _opts="$_opts -o$_kexopt" 21 fi 22 rm -f ${COPY} ${LOG} 23 _opts="$_opts -oCompression=no" 24 ${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" 25 if [ $? -ne 0 ]; then 26 fail "ssh failed ($@)" 27 fi 28 cmp ${DATA} ${COPY} || fail "corrupted copy ($@)" 29 n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 30 n=`expr $n - 1` 31 trace "$n rekeying(s)" 32 if [ $n -lt 1 ]; then 33 fail "no rekeying occured ($@)" 34 fi 35} 36 37increase_datafile_size 300 38 39opts="" 40for i in `${SSH} -Q kex`; do 41 opts="$opts KexAlgorithms=$i" 42done 43for i in `${SSH} -Q cipher`; do 44 opts="$opts Ciphers=$i" 45done 46for i in `${SSH} -Q mac`; do 47 opts="$opts MACs=$i" 48done 49 50for opt in $opts; do 51 verbose "client rekey $opt" 52 ssh_data_rekeying "$opt" -oRekeyLimit=256k 53done 54 55# AEAD ciphers are magical so test with all KexAlgorithms 56if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then 57 for c in `${SSH} -Q cipher-auth`; do 58 for kex in `${SSH} -Q kex`; do 59 verbose "client rekey $c $kex" 60 ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c 61 done 62 done 63fi 64 65for s in 16 1k 128k 256k; do 66 verbose "client rekeylimit ${s}" 67 ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s 68done 69 70for s in 5 10; do 71 verbose "client rekeylimit default ${s}" 72 rm -f ${COPY} ${LOG} 73 ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \ 74 $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" 75 if [ $? -ne 0 ]; then 76 fail "ssh failed" 77 fi 78 cmp ${DATA} ${COPY} || fail "corrupted copy" 79 n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 80 n=`expr $n - 1` 81 trace "$n rekeying(s)" 82 if [ $n -lt 1 ]; then 83 fail "no rekeying occured" 84 fi 85done 86 87for s in 5 10; do 88 verbose "client rekeylimit default ${s} no data" 89 rm -f ${COPY} ${LOG} 90 ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ 91 $OBJ/ssh_proxy somehost "sleep $s;sleep 3" 92 if [ $? -ne 0 ]; then 93 fail "ssh failed" 94 fi 95 n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 96 n=`expr $n - 1` 97 trace "$n rekeying(s)" 98 if [ $n -lt 1 ]; then 99 fail "no rekeying occured" 100 fi 101done 102 103for s in 16 1k 128k 256k; do 104 verbose "server rekeylimit ${s}" 105 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 106 echo "rekeylimit ${s}" >>$OBJ/sshd_proxy 107 rm -f ${COPY} ${LOG} 108 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \ 109 > ${COPY} 110 if [ $? -ne 0 ]; then 111 fail "ssh failed" 112 fi 113 cmp ${DATA} ${COPY} || fail "corrupted copy" 114 n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 115 n=`expr $n - 1` 116 trace "$n rekeying(s)" 117 if [ $n -lt 1 ]; then 118 fail "no rekeying occured" 119 fi 120done 121 122for s in 5 10; do 123 verbose "server rekeylimit default ${s} no data" 124 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 125 echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy 126 rm -f ${COPY} ${LOG} 127 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3" 128 if [ $? -ne 0 ]; then 129 fail "ssh failed" 130 fi 131 n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 132 n=`expr $n - 1` 133 trace "$n rekeying(s)" 134 if [ $n -lt 1 ]; then 135 fail "no rekeying occured" 136 fi 137done 138 139verbose "rekeylimit parsing" 140for size in 16 1k 1K 1m 1M 1g 1G; do 141 for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do 142 case $size in 143 16) bytes=16 ;; 144 1k|1K) bytes=1024 ;; 145 1m|1M) bytes=1048576 ;; 146 1g|1G) bytes=1073741824 ;; 147 esac 148 case $time in 149 1) seconds=1 ;; 150 1m|1M) seconds=60 ;; 151 1h|1H) seconds=3600 ;; 152 1d|1D) seconds=86400 ;; 153 1w|1W) seconds=604800 ;; 154 esac 155 156 b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ 157 awk '/rekeylimit/{print $2}'` 158 s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ 159 awk '/rekeylimit/{print $3}'` 160 161 if [ "$bytes" != "$b" ]; then 162 fatal "rekeylimit size: expected $bytes bytes got $b" 163 fi 164 if [ "$seconds" != "$s" ]; then 165 fatal "rekeylimit time: expected $time seconds got $s" 166 fi 167 done 168done 169 170rm -f ${COPY} ${DATA} 171