xref: /freebsd/crypto/openssh/regress/rekey.sh (revision a0ee8cc636cd5c2374ec44ca71226564ea0bca95)
1#	$OpenBSD: rekey.sh,v 1.15 2014/04/21 22:15:37 djm Exp $
2#	Placed in the Public Domain.
3
4tid="rekey"
5
6LOG=${TEST_SSH_LOGFILE}
7
8rm -f ${LOG}
9cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
10
11# Test rekeying based on data volume only.
12# Arguments will be passed to ssh.
13ssh_data_rekeying()
14{
15	_kexopt=$1 ; shift
16	_opts="$@"
17	if ! test -z "$_kexopts" ; then
18		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
19		echo "$_kexopt" >> $OBJ/sshd_proxy
20		_opts="$_opts -o$_kexopt"
21	fi
22	rm -f ${COPY} ${LOG}
23	_opts="$_opts -oCompression=no"
24	${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
25	if [ $? -ne 0 ]; then
26		fail "ssh failed ($@)"
27	fi
28	cmp ${DATA} ${COPY}		|| fail "corrupted copy ($@)"
29	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
30	n=`expr $n - 1`
31	trace "$n rekeying(s)"
32	if [ $n -lt 1 ]; then
33		fail "no rekeying occured ($@)"
34	fi
35}
36
37increase_datafile_size 300
38
39opts=""
40for i in `${SSH} -Q kex`; do
41	opts="$opts KexAlgorithms=$i"
42done
43for i in `${SSH} -Q cipher`; do
44	opts="$opts Ciphers=$i"
45done
46for i in `${SSH} -Q mac`; do
47	opts="$opts MACs=$i"
48done
49
50for opt in $opts; do
51	verbose "client rekey $opt"
52	ssh_data_rekeying "$opt" -oRekeyLimit=256k
53done
54
55# AEAD ciphers are magical so test with all KexAlgorithms
56if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
57  for c in `${SSH} -Q cipher-auth`; do
58    for kex in `${SSH} -Q kex`; do
59	verbose "client rekey $c $kex"
60	ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
61    done
62  done
63fi
64
65for s in 16 1k 128k 256k; do
66	verbose "client rekeylimit ${s}"
67	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
68done
69
70for s in 5 10; do
71	verbose "client rekeylimit default ${s}"
72	rm -f ${COPY} ${LOG}
73	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
74		$OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
75	if [ $? -ne 0 ]; then
76		fail "ssh failed"
77	fi
78	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
79	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
80	n=`expr $n - 1`
81	trace "$n rekeying(s)"
82	if [ $n -lt 1 ]; then
83		fail "no rekeying occured"
84	fi
85done
86
87for s in 5 10; do
88	verbose "client rekeylimit default ${s} no data"
89	rm -f ${COPY} ${LOG}
90	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
91		$OBJ/ssh_proxy somehost "sleep $s;sleep 3"
92	if [ $? -ne 0 ]; then
93		fail "ssh failed"
94	fi
95	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
96	n=`expr $n - 1`
97	trace "$n rekeying(s)"
98	if [ $n -lt 1 ]; then
99		fail "no rekeying occured"
100	fi
101done
102
103echo "rekeylimit default 5" >>$OBJ/sshd_proxy
104for s in 5 10; do
105	verbose "server rekeylimit default ${s} no data"
106	rm -f ${COPY} ${LOG}
107	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
108	if [ $? -ne 0 ]; then
109		fail "ssh failed"
110	fi
111	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
112	n=`expr $n - 1`
113	trace "$n rekeying(s)"
114	if [ $n -lt 1 ]; then
115		fail "no rekeying occured"
116	fi
117done
118
119verbose "rekeylimit parsing"
120for size in 16 1k 1K 1m 1M 1g 1G; do
121    for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
122	case $size in
123		16)	bytes=16 ;;
124		1k|1K)	bytes=1024 ;;
125		1m|1M)	bytes=1048576 ;;
126		1g|1G)	bytes=1073741824 ;;
127	esac
128	case $time in
129		1)	seconds=1 ;;
130		1m|1M)	seconds=60 ;;
131		1h|1H)	seconds=3600 ;;
132		1d|1D)	seconds=86400 ;;
133		1w|1W)	seconds=604800 ;;
134	esac
135
136	b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
137	    awk '/rekeylimit/{print $2}'`
138	s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
139	    awk '/rekeylimit/{print $3}'`
140
141	if [ "$bytes" != "$b" ]; then
142		fatal "rekeylimit size: expected $bytes bytes got $b"
143	fi
144	if [ "$seconds" != "$s" ]; then
145		fatal "rekeylimit time: expected $time seconds got $s"
146	fi
147    done
148done
149
150rm -f ${COPY} ${DATA}
151