1 # $OpenBSD: rekey.sh,v 1.16 2015/02/14 12:43:16 markus Exp $
2 # Placed in the Public Domain.
# NOTE(review): this listing is an excerpt. The leading numbers are the original
# file's line numbers and they jump (2 -> 6 -> 9), so the lines between them are
# not shown. Harness variables (TEST_SSH_LOGFILE, OBJ, SSH, SSHD, SUDO, DATA,
# COPY) and helpers (fail, fatal, trace, verbose, increase_datafile_size) are
# provided by the regress environment set up outside this listing — presumably
# sourced before this point.
# Path of the ssh client debug log; 'NEWKEYS sent' lines are counted from it
# below to decide whether a rekey happened.
6 LOG=${TEST_SSH_LOGFILE}
# Keep a pristine copy of the proxy sshd config: several cases below restore
# sshd_proxy from this backup before appending a RekeyLimit directive to it.
# $OBJ is unquoted; harmless as long as OBJ contains no whitespace or globs,
# but "$OBJ" would be the safer spelling.
9 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
11 # Test rekeying based on data volume only.
12 # Arguments will be passed to ssh.
17 if ! test -z "$_kexopts" ; then
18 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
19 echo "$_kexopt" >> $OBJ/sshd_proxy
20 _opts="$_opts -o$_kexopt"
23 _opts="$_opts -oCompression=no"
24 ${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
26 fail "ssh failed ($@)"
28 cmp ${DATA} ${COPY} || fail "corrupted copy ($@)"
29 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
31 trace "$n rekeying(s)"
33 fail "no rekeying occured ($@)"
# NOTE(review): excerpt — the original line numbers jump (37 -> 40, 41 -> 43, ...),
# so loop bodies, the 'done'/'fi'/'esac' terminators and some assignments are not
# visible here. Comments below describe only what the shown lines establish.
# increase_datafile_size is a harness helper (not shown); presumably it enlarges
# ${DATA} so the byte-based limits tested below are exceeded during one
# transfer — TODO confirm its argument unit.
37 increase_datafile_size 300
# Build a list of "Option=value" words, one per supported kex, cipher and mac,
# for the client-side rekey loop below. The backtick loops word-split the
# `ssh -Q` output, which is fine for algorithm names (no whitespace);
# $(...) would be the modern spelling.
40 for i in `${SSH} -Q kex`; do
41 opts="$opts KexAlgorithms=$i"
43 for i in `${SSH} -Q cipher`; do
44 opts="$opts Ciphers=$i"
46 for i in `${SSH} -Q mac`; do
# $opt is presumably iterated over $opts on a line not shown. Each algorithm is
# exercised with a small byte limit so that a rekey must occur while ${DATA}
# is being copied (ssh_data_rekeying is defined earlier in the file).
51 verbose "client rekey $opt"
52 ssh_data_rekeying "$opt" -oRekeyLimit=256k
55 # AEAD ciphers are magical so test with all KexAlgorithms
# grep '^.*$' matches any line, including an empty one, so the condition is
# effectively "ssh -Q cipher-auth printed at least one line".
56 if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
57 for c in `${SSH} -Q cipher-auth`; do
58 for kex in `${SSH} -Q kex`; do
59 verbose "client rekey $c $kex"
60 ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
# Client-side byte limits: each size must trigger at least one rekey during
# the copy.
65 for s in 16 1k 128k 256k; do
66 verbose "client rekeylimit ${s}"
67 ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
# Time-based limits ("default <seconds>"): the remote command sleeps past the
# limit so the client has to rekey on the timer rather than on volume. $s is
# used as a number of seconds here, so the enclosing 'for s in ...' list is
# presumably a different one from the byte sizes above (not visible).
71 verbose "client rekeylimit default ${s}"
73 ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
74 $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
# Integrity of the transferred data is checked before the rekey count.
78 cmp ${DATA} ${COPY} || fail "corrupted copy"
# 'NEWKEYS sent' is logged per key exchange; whether the initial exchange is
# included, and therefore which threshold applies to $n, is decided on lines
# not shown here. (grep -c would give the same count without the wc pipeline.)
79 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
81 trace "$n rekeying(s)"
83 fail "no rekeying occured"
# Same time-based limit with an idle session: the timer must still fire when
# no data is exchanged at all.
88 verbose "client rekeylimit default ${s} no data"
90 ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
91 $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
95 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
97 trace "$n rekeying(s)"
99 fail "no rekeying occured"
# Server-side byte limits: restore the pristine sshd_proxy, append a
# rekeylimit directive, and have the remote side send ${DATA} so the limit is
# hit on the server's sending side. The ssh command on line 108 continues on a
# line not shown (presumably redirecting its output to ${COPY}).
103 for s in 16 1k 128k 256k; do
104 verbose "server rekeylimit ${s}"
105 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
106 echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
108 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
110 if [ $? -ne 0 ]; then
113 cmp ${DATA} ${COPY} || fail "corrupted copy"
114 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
116 trace "$n rekeying(s)"
# Here the threshold is visible: at least one 'NEWKEYS sent' line is required.
# $n is unquoted inside [ ]; it would break if grep|wc ever yielded an empty
# string, though wc -l always prints a number.
117 if [ $n -lt 1 ]; then
118 fail "no rekeying occured"
# Server-side time limit with an idle session.
123 verbose "server rekeylimit default ${s} no data"
124 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
125 echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
127 ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
128 if [ $? -ne 0 ]; then
131 n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
133 trace "$n rekeying(s)"
134 if [ $n -lt 1 ]; then
135 fail "no rekeying occured"
# Config parsing: every spelling of a size/time suffix must be normalised by
# 'sshd -T' to the same byte and second counts. The case statements mapping
# $size -> $bytes and $time -> $seconds are only partially visible (the arms
# for 16/1k/1K and 1/1m/1M are among the lines not shown).
139 verbose "rekeylimit parsing"
140 for size in 16 1k 1K 1m 1M 1g 1G; do
141 for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
145 1m|1M) bytes=1048576 ;;
146 1g|1G) bytes=1073741824 ;;
151 1h|1H) seconds=3600 ;;
152 1d|1D) seconds=86400 ;;
153 1w|1W) seconds=604800 ;;
# 'sshd -T' dumps the effective config; field 2 of the rekeylimit line is the
# byte limit and field 3 the time limit. sshd is started twice per size/time
# pair (once per field) under $SUDO; one run piped to awk '{print $2, $3}'
# would halve the privileged invocations.
156 b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
157 awk '/rekeylimit/{print $2}'`
158 s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
159 awk '/rekeylimit/{print $3}'`
161 if [ "$bytes" != "$b" ]; then
162 fatal "rekeylimit size: expected $bytes bytes got $b"
164 if [ "$seconds" != "$s" ]; then
# Message inconsistency: this prints the input token $time rather than the
# computed $seconds (the size branch above prints $bytes), so the "expected"
# value reads e.g. "1h" instead of "3600". Cosmetic; the comparison is right.
165 fatal "rekeylimit time: expected $time seconds got $s"
# Remove the data file and its copy on the way out.
170 rm -f ${COPY} ${DATA}