Home Explore Help
Sign In
trn
/
j-hpn-ssh
mirror of git://github.com/johnsonjh/j-hpn-ssh
Watch 1
Star 1
Fork 0
Files
Tree: e677f121eb
Branches Tags
j-hpn-ssh
/
regress
/
rekey.sh

rekey.sh 4.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174 
  1. #	$OpenBSD: rekey.sh,v 1.18 2018/04/10 00:14:10 djm Exp $
    2. 

  2. #	Placed in the Public Domain.
    3. 

  3. 

  4. tid="rekey"
    5. 

  5. 

  6. LOG=${TEST_SSH_LOGFILE}
    7. 

  7. 

  8. rm -f ${LOG}
    9. 

  9. cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
    10. 

  10. 

  11. # Test rekeying based on data volume only.
    12. 

  12. # Arguments will be passed to ssh.
    13. 

  13. ssh_data_rekeying()
    14. 

  14. {
    15. 

  15. 	_kexopt=$1
    16. 

  16. 	shift
    17. 

  17. 	_opts="$@"
    18. 

  18. 	if ! test -z "$_kexopts"; then
    19. 

  19. 		cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
    20. 

  20. 		echo "$_kexopt" >> $OBJ/sshd_proxy
    21. 

  21. 		_opts="$_opts -o$_kexopt"
    22. 

  22. 	fi
    23. 

  23. 	rm -f ${COPY} ${LOG}
    24. 

  24. 	_opts="$_opts -oCompression=no"
    25. 

  25. 	${SSH} < ${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
    26. 

  26. 	if [ $? -ne 0 ]; then
    27. 

  27. 		fail "ssh failed ($@)"
    28. 

  28. 	fi
    29. 

  29. 	cmp ${DATA} ${COPY} || fail "corrupted copy ($@)"
    30. 

  30. 	n=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
    31. 

  31. 	n=$(expr $n - 1)
    32. 

  32. 	trace "$n rekeying(s)"
    33. 

  33. 	if [ $n -lt 1 ]; then
    34. 

  34. 		fail "no rekeying occurred ($@)"
    35. 

  35. 	fi
    36. 

  36. }
    37. 

  37. 

  38. increase_datafile_size 300
    39. 

  39. 

  40. opts=""
    41. 

  41. for i in $(${SSH} -Q kex); do
    42. 

  42. 	opts="$opts KexAlgorithms=$i"
    43. 

  43. done
    44. 

  44. for i in $(${SSH} -Q cipher); do
    45. 

  45. 	opts="$opts Ciphers=$i"
    46. 

  46. done
    47. 

  47. for i in $(${SSH} -Q mac); do
    48. 

  48. 	opts="$opts MACs=$i"
    49. 

  49. done
    50. 

  50. 

  51. for opt in $opts; do
    52. 

  52. 	verbose "client rekey $opt"
    53. 

  53. 	ssh_data_rekeying "$opt" -oRekeyLimit=256k
    54. 

  54. done
    55. 

  55. 

  56. # AEAD ciphers are magical so test with all KexAlgorithms
    57. 

  57. if ${SSH} -Q cipher-auth | grep '^.*$' > /dev/null 2>&1; then
    58. 

  58. 	for c in $(${SSH} -Q cipher-auth); do
    59. 

  59. 		for kex in $(${SSH} -Q kex); do
    60. 

  60. 			verbose "client rekey $c $kex"
    61. 

  61. 			ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
    62. 

  62. 		done
    63. 

  63. 	done
    64. 

  64. fi
    65. 

  65. 

  66. for s in 16 1k 128k 256k; do
    67. 

  67. 	verbose "client rekeylimit ${s}"
    68. 

  68. 	ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
    69. 

  69. done
    70. 

  70. 

  71. for s in 5 10; do
    72. 

  72. 	verbose "client rekeylimit default ${s}"
    73. 

  73. 	rm -f ${COPY} ${LOG}
    74. 

  74. 	${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
    75. 

  75. 		$OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
    76. 

  76. 	if [ $? -ne 0 ]; then
    77. 

  77. 		fail "ssh failed"
    78. 

  78. 	fi
    79. 

  79. 	cmp ${DATA} ${COPY} || fail "corrupted copy"
    80. 

  80. 	n=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
    81. 

  81. 	n=$(expr $n - 1)
    82. 

  82. 	trace "$n rekeying(s)"
    83. 

  83. 	if [ $n -lt 1 ]; then
    84. 

  84. 		fail "no rekeying occurred"
    85. 

  85. 	fi
    86. 

  86. done
    87. 

  87. 

  88. for s in 5 10; do
    89. 

  89. 	verbose "client rekeylimit default ${s} no data"
    90. 

  90. 	rm -f ${COPY} ${LOG}
    91. 

  91. 	${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
    92. 

  92. 		$OBJ/ssh_proxy somehost "sleep $s;sleep 3"
    93. 

  93. 	if [ $? -ne 0 ]; then
    94. 

  94. 		fail "ssh failed"
    95. 

  95. 	fi
    96. 

  96. 	n=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
    97. 

  97. 	n=$(expr $n - 1)
    98. 

  98. 	trace "$n rekeying(s)"
    99. 

  99. 	if [ $n -lt 1 ]; then
    100. 

  100. 		fail "no rekeying occurred"
    101. 

  101. 	fi
    102. 

  102. done
    103. 

  103. 

  104. for s in 16 1k 128k 256k; do
    105. 

  105. 	verbose "server rekeylimit ${s}"
    106. 

  106. 	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
    107. 

  107. 	echo "rekeylimit ${s}" >> $OBJ/sshd_proxy
    108. 

  108. 	rm -f ${COPY} ${LOG}
    109. 

  109. 	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
    110. 

  110. 		> ${COPY}
    111. 

  111. 	if [ $? -ne 0 ]; then
    112. 

  112. 		fail "ssh failed"
    113. 

  113. 	fi
    114. 

  114. 	cmp ${DATA} ${COPY} || fail "corrupted copy"
    115. 

  115. 	n=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
    116. 

  116. 	n=$(expr $n - 1)
    117. 

  117. 	trace "$n rekeying(s)"
    118. 

  118. 	if [ $n -lt 1 ]; then
    119. 

  119. 		fail "no rekeying occurred"
    120. 

  120. 	fi
    121. 

  121. done
    122. 

  122. 

  123. for s in 5 10; do
    124. 

  124. 	verbose "server rekeylimit default ${s} no data"
    125. 

  125. 	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
    126. 

  126. 	echo "rekeylimit default ${s}" >> $OBJ/sshd_proxy
    127. 

  127. 	rm -f ${COPY} ${LOG}
    128. 

  128. 	${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
    129. 

  129. 	if [ $? -ne 0 ]; then
    130. 

  130. 		fail "ssh failed"
    131. 

  131. 	fi
    132. 

  132. 	n=$(grep 'NEWKEYS sent' ${LOG} | wc -l)
    133. 

  133. 	n=$(expr $n - 1)
    134. 

  134. 	trace "$n rekeying(s)"
    135. 

  135. 	if [ $n -lt 1 ]; then
    136. 

  136. 		fail "no rekeying occurred"
    137. 

  137. 	fi
    138. 

  138. done
    139. 

  139. 

  140. verbose "rekeylimit parsing"
    141. 

  141. for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
    142. 

  142. 	for time in  1 1m 1M 1h 1H 1d 1D 1w 1W; do
    143. 

  143. 		case $size in
    144. 

  144. 			16) bytes=16 ;;
    145. 

  145. 			1k | 1K) bytes=1024 ;;
    146. 

  146. 			1m | 1M) bytes=1048576 ;;
    147. 

  147. 			1g | 1G) bytes=1073741824 ;;
    148. 

  148. 			4g | 4G) bytes=4294967296 ;;
    149. 

  149. 			8g | 8G) bytes=8589934592 ;;
    150. 

  150. 		esac
    151. 

  151. 		case $time in
    152. 

  152. 			1) seconds=1 ;;
    153. 

  153. 			1m | 1M) seconds=60 ;;
    154. 

  154. 			1h | 1H) seconds=3600 ;;
    155. 

  155. 			1d | 1D) seconds=86400 ;;
    156. 

  156. 			1w | 1W) seconds=604800 ;;
    157. 

  157. 		esac
    158. 

  158. 

  159. 		b=$($SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy |
    160. 

  160. 			awk '/rekeylimit/{print $2}')
    161. 

  161. 		s=$($SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy |
    162. 

  162. 			awk '/rekeylimit/{print $3}')
    163. 

  163. 

  164. 		if [ "$bytes" != "$b" ]; then
    165. 

  165. 			fatal "rekeylimit size: expected $bytes bytes got $b"
    166. 

  166. 		fi
    167. 

  167. 		if [ "$seconds" != "$s" ]; then
    168. 

  168. 			fatal "rekeylimit time: expected $time seconds got $s"
    169. 

  169. 		fi
    170. 

  170. 	done
    171. 

  171. done
    172. 

  172. 

  173. rm -f ${COPY} ${DATA}
    174. 

  174.