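#	$OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
#	Placed in the Public Domain.

# Regression test for SSH transport rekeying.  It drives the ssh client
# through the ssh_proxy config and, by counting "NEWKEYS sent" lines in
# the client debug log, checks that a fresh key exchange happens once the
# configured RekeyLimit data volume or time limit is exceeded -- for every
# supported kex, cipher and MAC algorithm -- and that sshd parses the
# RekeyLimit size/time suffixes correctly.
#
# The helpers fail, fatal, verbose, trace and increase_datafile_size and
# the SSH/SSHD/SUDO/OBJ/DATA/COPY/TEST_SSH_LOGFILE variables are provided
# by the regress harness (test-exec.sh) that sources this file.

tid="rekey"

LOG=${TEST_SSH_LOGFILE}

rm -f ${LOG}

# Require that at least one rekeying was recorded in ${LOG}.
# Every NEWKEYS the client sends is logged; the first one belongs to the
# initial key exchange, so the number of rekeyings is that count minus
# one.  Any arguments are appended, in parentheses, to the failure message
# to identify the test case.
expect_rekeying()
{
	what=""
	if [ $# -gt 0 ]; then
		what=" ($*)"
	fi
	n=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
	n=$(expr $n - 1)
	trace "$n rekeying(s)"
	if [ $n -lt 1 ]; then
		fail "no rekeying occured$what"
	fi
}

# Test rekeying triggered by data volume only: push ${DATA} through an
# ssh session to "cat > ${COPY}", check that the copy is intact and that
# at least one rekeying took place.  Compression is disabled so that the
# traffic on the wire cannot shrink below the RekeyLimit under test.
# All arguments are passed to ssh; callers use them to select the
# RekeyLimit and the algorithms under test.  (-v is retained from the
# original test; the time-based tests below get by without it.)
ssh_data_rekeying()
{
	rm -f ${COPY} ${LOG}
	${SSH} <${DATA} -oCompression=no "$@" -v -F $OBJ/ssh_proxy somehost \
	    "cat > ${COPY}"
	if [ $? -ne 0 ]; then
		fail "ssh failed ($*)"
	fi
	cmp ${DATA} ${COPY} || fail "corrupted copy ($*)"
	expect_rekeying "$@"
}

# Make the data file large enough that a 256k RekeyLimit is crossed.
increase_datafile_size 300

# One run per supported key-exchange, cipher and MAC algorithm, with a
# rekey every 256k of data.
opts=""
for i in $(${SSH} -Q kex); do
	opts="$opts KexAlgorithms=$i"
done
for i in $(${SSH} -Q cipher); do
	opts="$opts Ciphers=$i"
done
for i in $(${SSH} -Q mac); do
	opts="$opts MACs=$i"
done

for opt in $opts; do
	verbose "client rekey $opt"
	ssh_data_rekeying -oRekeyLimit=256k -o$opt
done

# AEAD ciphers are magical so test with all KexAlgorithms.
# An ssh that does not support the cipher-auth query prints nothing,
# in which case this block is skipped.
cipher_auth=$(${SSH} -Q cipher-auth)
if [ -n "$cipher_auth" ]; then
	for c in $cipher_auth; do
		for kex in $(${SSH} -Q kex); do
			verbose "client rekey $c $kex"
			ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c \
			    -oKexAlgorithms=$kex
		done
	done
fi

# A range of data limits, from far below to well within the data size.
for s in 16 1k 128k 256k; do
	verbose "client rekeylimit ${s}"
	ssh_data_rekeying -oCompression=no -oRekeyLimit=$s
done

# Time-based client rekeying: "default N" keeps the default data limit
# and rekeys every N seconds.  The remote command keeps the session open
# past the limit (plus 3 seconds of slack) so that a time-triggered
# rekey can happen before the connection closes.
for s in 5 10; do
	verbose "client rekeylimit default ${s}"
	rm -f ${COPY} ${LOG}
	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
	    $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	cmp ${DATA} ${COPY} || fail "corrupted copy"
	expect_rekeying
done

# Same, but with an idle session: the time limit alone must trigger it.
for s in 5 10; do
	verbose "client rekeylimit default ${s} no data"
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
	    $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	expect_rekeying
done

# Server-initiated rekeying: give sshd a 5 second RekeyLimit (appended to
# sshd_proxy; it is not undone, and nothing below relies on the old
# config).  The client log is still what is checked -- answering a key
# exchange started by the server also makes the client send NEWKEYS.
# Note the server limit is 5 s in both iterations; $s only sets how long
# the session stays open.
echo "rekeylimit default 5" >>$OBJ/sshd_proxy
for s in 5 10; do
	verbose "server rekeylimit default ${s} no data"
	rm -f ${COPY} ${LOG}
	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
	if [ $? -ne 0 ]; then
		fail "ssh failed"
	fi
	expect_rekeying
done

# RekeyLimit parsing: every size and time suffix, in either case, must be
# reported by "sshd -T" as the expected number of bytes and seconds.
# The value given with -o is expected to take precedence over the
# rekeylimit line appended to sshd_proxy above (sshd keeps the first
# value it obtains for an option).
verbose "rekeylimit parsing"
for size in 16 1k 1K 1m 1M 1g 1G; do
	for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
		case $size in
		16)	bytes=16 ;;
		1k|1K)	bytes=1024 ;;
		1m|1M)	bytes=1048576 ;;
		1g|1G)	bytes=1073741824 ;;
		esac
		case $time in
		1)	seconds=1 ;;
		1m|1M)	seconds=60 ;;
		1h|1H)	seconds=3600 ;;
		1d|1D)	seconds=86400 ;;
		1w|1W)	seconds=604800 ;;
		esac

		# A single sshd -T run per combination; awk emits
		# "<bytes> <seconds>" and the two fields are split off below.
		# If no rekeylimit line is printed both end up empty and the
		# comparisons fail loudly.
		limits=$($SUDO ${SSHD} -T -o "rekeylimit $size $time" \
		    -f $OBJ/sshd_proxy | awk '/rekeylimit/{print $2, $3}')
		b=${limits%% *}
		s=${limits#* }

		if [ "$bytes" != "$b" ]; then
			fatal "rekeylimit size: expected $bytes bytes got $b"
		fi
		# Report the expected value in seconds, not the "$time" suffix
		# that was fed to sshd, so the message matches the size one.
		if [ "$seconds" != "$s" ]; then
			fatal "rekeylimit time: expected $seconds seconds got $s"
		fi
	done
done

rm -f ${COPY} ${DATA}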