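#	$OpenBSD: rekey.sh,v 1.15 2014/04/21 22:15:37 djm Exp $
#	Placed in the Public Domain.

# Regression test for SSH transport rekeying.
#
# This file is sourced by the regress driver, which provides ${SSH},
# ${SSHD}, ${SUDO}, $OBJ, ${DATA}, ${COPY}, ${TEST_SSH_LOGFILE}, the
# ssh_proxy/sshd_proxy configs and the helpers increase_datafile_size,
# verbose, trace, fail and fatal.  There is deliberately no shebang and
# no strict mode: the driver owns the shell.
#
# Every "did a rekey happen" check below counts 'NEWKEYS sent' lines in
# the client debug log.  The initial key exchange sends one NEWKEYS, so
# anything beyond the first is a rekey.

tid="rekey"

LOG=${TEST_SSH_LOGFILE}

rm -f ${LOG}
# Pristine server config.  ssh_data_rekeying restores it before every
# run so an algorithm restriction never leaks from one case into the next.
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

# Count the rekeys recorded in ${LOG} and fail the test if none happened.
# Arguments: $1 - optional suffix appended to the failure message
# Globals:   LOG (read)
check_rekeyed()
{
	# grep -c prints nothing if the log is missing; treat that as zero.
	_n=$(grep -c 'NEWKEYS sent' ${LOG} 2>/dev/null)
	_n=${_n:-0}
	# Subtract the NEWKEYS of the initial key exchange.
	_n=$((_n - 1))
	trace "$_n rekeying(s)"
	if [ $_n -lt 1 ]; then
		fail "no rekeying occured$1"
	fi
}

# Test rekeying based on data volume only.
# Arguments: $1 - "Option=value" applied to BOTH sshd_proxy and ssh, so
#                 the transport is pinned to the algorithm under test;
#                 pass "" to leave the defaults in place
#            $@ - remaining arguments are passed to ssh
# Globals:   OBJ, DATA, COPY, LOG, SSH (read); sshd_proxy (rewritten)
ssh_data_rekeying()
{
	_kexopt=$1 ; shift
	_opts="$*"
	# Always start from the pristine server config.
	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	# NOTE: this test used to check "$_kexopts" (a typo for $_kexopt),
	# which is never set, so the per-KEX/cipher/MAC restriction below
	# was silently skipped and every run rekeyed with the defaults.
	# Rekeying must be exercised with each algorithm that can be
	# negotiated, AEAD ciphers included, or a rekey bug in one of them
	# goes unnoticed.
	if [ -n "$_kexopt" ]; then
		echo "$_kexopt" >> $OBJ/sshd_proxy
		_opts="$_opts -o$_kexopt"
	fi
	rm -f ${COPY} ${LOG}
	# Keep the volume of transmitted data predictable so the
	# RekeyLimit passed by the caller is actually reached.
	_opts="$_opts -oCompression=no"
	# $_opts is deliberately unquoted: it is a list of separate ssh args.
	${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
	if [ $? -ne 0 ]; then
		fail "ssh failed ($*)"
	fi
	cmp ${DATA} ${COPY} || fail "corrupted copy ($*)"
	check_rekeyed " ($*)"
}

# Enough data that a 256k RekeyLimit triggers at least one rekey
# (the unit is whatever increase_datafile_size uses; presumably KiB).
increase_datafile_size 300

# One "Option=algorithm" entry per KEX, cipher and MAC the client offers.
opts=""
for algo in $(${SSH} -Q kex); do
	opts="$opts KexAlgorithms=$algo"
done
for algo in $(${SSH} -Q cipher); do
	opts="$opts Ciphers=$algo"
done
for algo in $(${SSH} -Q mac); do
	opts="$opts MACs=$algo"
done

for opt in $opts; do
	verbose "client rekey $opt"
	ssh_data_rekeying "$opt" -oRekeyLimit=256k
done

# AEAD ciphers are magical so test with all KexAlgorithms.
# An ssh without "-Q cipher-auth" prints nothing on stdout and the
# whole section is skipped.
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
	for c in $(${SSH} -Q cipher-auth); do
		for kex in $(${SSH} -Q kex); do
			verbose "client rekey $c $kex"
			ssh_data_rekeying "KexAlgorithms=$kex" \
			    -oRekeyLimit=256k -oCiphers=$c
		done
	done
fi

# Data-volume rekeying at a range of limits, default algorithms.
for s in 16 1k 128k 256k; do
	verbose "client rekeylimit ${s}"
	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
done

# Time-based rekeying on the client: send the data, then idle for longer
# than the configured interval so the timer has to fire.
for s in 5 10; do
	verbose "client rekeylimit default ${s}"
	rm -f ${COPY} ${LOG}
	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
	    $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	cmp ${DATA} ${COPY} || fail "corrupted copy"
	check_rekeyed
done

# Same, but with no data at all: the timer alone must trigger the rekey.
for s in 5 10; do
	verbose "client rekeylimit default ${s} no data"
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
	    $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	check_rekeyed
done

# Time-based rekeying initiated by the server.  sshd_proxy is pristine
# here because ssh_data_rekeying restores it on every call.
echo "rekeylimit default 5" >>$OBJ/sshd_proxy
for s in 5 10; do
	verbose "server rekeylimit default ${s} no data"
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	check_rekeyed
done

# RekeyLimit option parsing: every size/time suffix, upper and lower
# case, must be normalised by sshd -T to bytes and seconds.
verbose "rekeylimit parsing"
for size in 16 1k 1K 1m 1M 1g 1G; do
	for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
		case $size in
		16) bytes=16 ;;
		1k|1K) bytes=1024 ;;
		1m|1M) bytes=1048576 ;;
		1g|1G) bytes=1073741824 ;;
		esac
		case $time in
		1) seconds=1 ;;
		1m|1M) seconds=60 ;;
		1h|1H) seconds=3600 ;;
		1d|1D) seconds=86400 ;;
		1w|1W) seconds=604800 ;;
		esac

		# One sshd -T run yields both fields ("rekeylimit BYTES SECS").
		_out=$($SUDO ${SSHD} -T -o "rekeylimit $size $time" \
		    -f $OBJ/sshd_proxy | awk '/rekeylimit/{print $2, $3}')
		b=${_out% *}
		s=${_out#* }

		if [ "$bytes" != "$b" ]; then
			fatal "rekeylimit size: expected $bytes bytes got $b"
		fi
		if [ "$seconds" != "$s" ]; then
			fatal "rekeylimit time: expected $seconds seconds ($time) got $s"
		fi
	done
done

rm -f ${COPY} ${DATA}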