rekey.sh revision 262566
1#	$OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
2#	Placed in the Public Domain.
3
4tid="rekey"
5
6LOG=${TEST_SSH_LOGFILE}
7
8rm -f ${LOG}
9
10# Test rekeying based on data volume only.
11# Arguments will be passed to ssh.
12ssh_data_rekeying()
13{
14	rm -f ${COPY} ${LOG}
15	${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \
16		"cat > ${COPY}"
17	if [ $? -ne 0 ]; then
18		fail "ssh failed ($@)"
19	fi
20	cmp ${DATA} ${COPY}		|| fail "corrupted copy ($@)"
21	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
22	n=`expr $n - 1`
23	trace "$n rekeying(s)"
24	if [ $n -lt 1 ]; then
25		fail "no rekeying occured ($@)"
26	fi
27}
28
29increase_datafile_size 300
30
31opts=""
32for i in `${SSH} -Q kex`; do
33	opts="$opts KexAlgorithms=$i"
34done
35for i in `${SSH} -Q cipher`; do
36	opts="$opts Ciphers=$i"
37done
38for i in `${SSH} -Q mac`; do
39	opts="$opts MACs=$i"
40done
41
42for opt in $opts; do
43	verbose "client rekey $opt"
44	ssh_data_rekeying -oRekeyLimit=256k -o$opt
45done
46
47# AEAD ciphers are magical so test with all KexAlgorithms
48if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
49  for c in `${SSH} -Q cipher-auth`; do
50    for kex in `${SSH} -Q kex`; do
51	verbose "client rekey $c $kex"
52	ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
53    done
54  done
55fi
56
57for s in 16 1k 128k 256k; do
58	verbose "client rekeylimit ${s}"
59	ssh_data_rekeying -oCompression=no -oRekeyLimit=$s
60done
61
62for s in 5 10; do
63	verbose "client rekeylimit default ${s}"
64	rm -f ${COPY} ${LOG}
65	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
66		$OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
67	if [ $? -ne 0 ]; then
68		fail "ssh failed"
69	fi
70	cmp ${DATA} ${COPY}		|| fail "corrupted copy"
71	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
72	n=`expr $n - 1`
73	trace "$n rekeying(s)"
74	if [ $n -lt 1 ]; then
75		fail "no rekeying occured"
76	fi
77done
78
79for s in 5 10; do
80	verbose "client rekeylimit default ${s} no data"
81	rm -f ${COPY} ${LOG}
82	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
83		$OBJ/ssh_proxy somehost "sleep $s;sleep 3"
84	if [ $? -ne 0 ]; then
85		fail "ssh failed"
86	fi
87	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
88	n=`expr $n - 1`
89	trace "$n rekeying(s)"
90	if [ $n -lt 1 ]; then
91		fail "no rekeying occured"
92	fi
93done
94
95echo "rekeylimit default 5" >>$OBJ/sshd_proxy
96for s in 5 10; do
97	verbose "server rekeylimit default ${s} no data"
98	rm -f ${COPY} ${LOG}
99	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
100	if [ $? -ne 0 ]; then
101		fail "ssh failed"
102	fi
103	n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
104	n=`expr $n - 1`
105	trace "$n rekeying(s)"
106	if [ $n -lt 1 ]; then
107		fail "no rekeying occured"
108	fi
109done
110
111verbose "rekeylimit parsing"
112for size in 16 1k 1K 1m 1M 1g 1G; do
113    for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
114	case $size in
115		16)	bytes=16 ;;
116		1k|1K)	bytes=1024 ;;
117		1m|1M)	bytes=1048576 ;;
118		1g|1G)	bytes=1073741824 ;;
119	esac
120	case $time in
121		1)	seconds=1 ;;
122		1m|1M)	seconds=60 ;;
123		1h|1H)	seconds=3600 ;;
124		1d|1D)	seconds=86400 ;;
125		1w|1W)	seconds=604800 ;;
126	esac
127
128	b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
129	    awk '/rekeylimit/{print $2}'`
130	s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
131	    awk '/rekeylimit/{print $3}'`
132
133	if [ "$bytes" != "$b" ]; then
134		fatal "rekeylimit size: expected $bytes bytes got $b"
135	fi
136	if [ "$seconds" != "$s" ]; then
137		fatal "rekeylimit time: expected $time seconds got $s"
138	fi
139    done
140done
141
142rm -f ${COPY} ${DATA}
143