1262566Sdes# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $ 2124208Sdes# Placed in the Public Domain. 3124208Sdes 4255670Sdestid="rekey" 5124208Sdes 6255670SdesLOG=${TEST_SSH_LOGFILE} 7124208Sdes 8255670Sdesrm -f ${LOG} 9124208Sdes 10262566Sdes# Test rekeying based on data volume only. 11262566Sdes# Arguments will be passed to ssh. 12262566Sdesssh_data_rekeying() 13262566Sdes{ 14255670Sdes rm -f ${COPY} ${LOG} 15262566Sdes ${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \ 16262566Sdes "cat > ${COPY}" 17124208Sdes if [ $? -ne 0 ]; then 18262566Sdes fail "ssh failed ($@)" 19124208Sdes fi 20262566Sdes cmp ${DATA} ${COPY} || fail "corrupted copy ($@)" 21124208Sdes n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 22124208Sdes n=`expr $n - 1` 23124208Sdes trace "$n rekeying(s)" 24124208Sdes if [ $n -lt 1 ]; then 25262566Sdes fail "no rekeying occured ($@)" 26124208Sdes fi 27262566Sdes} 28262566Sdes 29262566Sdesincrease_datafile_size 300 30262566Sdes 31262566Sdesopts="" 32262566Sdesfor i in `${SSH} -Q kex`; do 33262566Sdes opts="$opts KexAlgorithms=$i" 34124208Sdesdone 35262566Sdesfor i in `${SSH} -Q cipher`; do 36262566Sdes opts="$opts Ciphers=$i" 37262566Sdesdone 38262566Sdesfor i in `${SSH} -Q mac`; do 39262566Sdes opts="$opts MACs=$i" 40262566Sdesdone 41255670Sdes 42262566Sdesfor opt in $opts; do 43262566Sdes verbose "client rekey $opt" 44262566Sdes ssh_data_rekeying -oRekeyLimit=256k -o$opt 45262566Sdesdone 46262566Sdes 47262566Sdes# AEAD ciphers are magical so test with all KexAlgorithms 48262566Sdesif ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then 49262566Sdes for c in `${SSH} -Q cipher-auth`; do 50262566Sdes for kex in `${SSH} -Q kex`; do 51262566Sdes verbose "client rekey $c $kex" 52262566Sdes ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex 53262566Sdes done 54262566Sdes done 55262566Sdesfi 56262566Sdes 57262566Sdesfor s in 16 1k 128k 256k; do 58262566Sdes verbose "client rekeylimit ${s}" 59262566Sdes ssh_data_rekeying -oCompression=no -oRekeyLimit=$s 60262566Sdesdone 61262566Sdes 62255670Sdesfor s in 5 10; do 63255670Sdes verbose "client rekeylimit default ${s}" 64255670Sdes rm -f ${COPY} ${LOG} 65262566Sdes ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \ 66262566Sdes $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3" 67255670Sdes if [ $? -ne 0 ]; then 68255670Sdes fail "ssh failed" 69255670Sdes fi 70262566Sdes cmp ${DATA} ${COPY} || fail "corrupted copy" 71255670Sdes n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 72255670Sdes n=`expr $n - 1` 73255670Sdes trace "$n rekeying(s)" 74255670Sdes if [ $n -lt 1 ]; then 75255670Sdes fail "no rekeying occured" 76255670Sdes fi 77255670Sdesdone 78255670Sdes 79255670Sdesfor s in 5 10; do 80255670Sdes verbose "client rekeylimit default ${s} no data" 81255670Sdes rm -f ${COPY} ${LOG} 82255670Sdes ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ 83255670Sdes $OBJ/ssh_proxy somehost "sleep $s;sleep 3" 84255670Sdes if [ $? -ne 0 ]; then 85255670Sdes fail "ssh failed" 86255670Sdes fi 87255670Sdes n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 88255670Sdes n=`expr $n - 1` 89255670Sdes trace "$n rekeying(s)" 90255670Sdes if [ $n -lt 1 ]; then 91255670Sdes fail "no rekeying occured" 92255670Sdes fi 93255670Sdesdone 94255670Sdes 95255670Sdesecho "rekeylimit default 5" >>$OBJ/sshd_proxy 96255670Sdesfor s in 5 10; do 97255670Sdes verbose "server rekeylimit default ${s} no data" 98255670Sdes rm -f ${COPY} ${LOG} 99255670Sdes ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3" 100255670Sdes if [ $? -ne 0 ]; then 101255670Sdes fail "ssh failed" 102255670Sdes fi 103255670Sdes n=`grep 'NEWKEYS sent' ${LOG} | wc -l` 104255670Sdes n=`expr $n - 1` 105255670Sdes trace "$n rekeying(s)" 106255670Sdes if [ $n -lt 1 ]; then 107255670Sdes fail "no rekeying occured" 108255670Sdes fi 109255670Sdesdone 110255670Sdes 111255670Sdesverbose "rekeylimit parsing" 112255670Sdesfor size in 16 1k 1K 1m 1M 1g 1G; do 113255670Sdes for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do 114255670Sdes case $size in 115255670Sdes 16) bytes=16 ;; 116255670Sdes 1k|1K) bytes=1024 ;; 117255670Sdes 1m|1M) bytes=1048576 ;; 118255670Sdes 1g|1G) bytes=1073741824 ;; 119255670Sdes esac 120255670Sdes case $time in 121255670Sdes 1) seconds=1 ;; 122255670Sdes 1m|1M) seconds=60 ;; 123255670Sdes 1h|1H) seconds=3600 ;; 124255670Sdes 1d|1D) seconds=86400 ;; 125255670Sdes 1w|1W) seconds=604800 ;; 126255670Sdes esac 127255670Sdes 128255670Sdes b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ 129255670Sdes awk '/rekeylimit/{print $2}'` 130255670Sdes s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ 131255670Sdes awk '/rekeylimit/{print $3}'` 132255670Sdes 133255670Sdes if [ "$bytes" != "$b" ]; then 134262566Sdes fatal "rekeylimit size: expected $bytes bytes got $b" 135255670Sdes fi 136255670Sdes if [ "$seconds" != "$s" ]; then 137262566Sdes fatal "rekeylimit time: expected $time seconds got $s" 138255670Sdes fi 139255670Sdes done 140255670Sdesdone 141255670Sdes 142255670Sdesrm -f ${COPY} ${DATA} 143