2018-08-28 10:47:58 +00:00
|
|
|
# $OpenBSD: rekey.sh,v 1.18 2018/04/10 00:14:10 djm Exp $
|
2004-01-07 11:10:17 +00:00
|
|
|
# Placed in the Public Domain.
|
|
|
|
|
|
2013-09-18 17:27:38 +00:00
|
|
|
tid="rekey"
|
2004-01-07 11:10:17 +00:00
|
|
|
|
2013-09-18 17:27:38 +00:00
|
|
|
LOG=${TEST_SSH_LOGFILE}
|
2004-01-07 11:10:17 +00:00
|
|
|
|
2013-09-18 17:27:38 +00:00
|
|
|
rm -f ${LOG}
|
2015-01-05 16:09:55 +00:00
|
|
|
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
|
2004-01-07 11:10:17 +00:00
|
|
|
|
2014-01-30 10:56:49 +00:00
|
|
|
# Test rekeying based on data volume only.
|
|
|
|
|
# Arguments will be passed to ssh.
|
|
|
|
|
ssh_data_rekeying()
|
|
|
|
|
{
|
2015-01-05 16:09:55 +00:00
|
|
|
_kexopt=$1 ; shift
|
|
|
|
|
_opts="$@"
|
|
|
|
|
if ! test -z "$_kexopts" ; then
|
|
|
|
|
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
|
|
|
|
echo "$_kexopt" >> $OBJ/sshd_proxy
|
|
|
|
|
_opts="$_opts -o$_kexopt"
|
|
|
|
|
fi
|
2013-09-18 17:27:38 +00:00
|
|
|
rm -f ${COPY} ${LOG}
|
2015-01-05 16:09:55 +00:00
|
|
|
_opts="$_opts -oCompression=no"
|
|
|
|
|
${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
|
2004-01-07 11:10:17 +00:00
|
|
|
if [ $? -ne 0 ]; then
|
2014-01-30 10:56:49 +00:00
|
|
|
fail "ssh failed ($@)"
|
2004-01-07 11:10:17 +00:00
|
|
|
fi
|
2014-01-30 10:56:49 +00:00
|
|
|
cmp ${DATA} ${COPY} || fail "corrupted copy ($@)"
|
2004-01-07 11:10:17 +00:00
|
|
|
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
|
|
|
|
|
n=`expr $n - 1`
|
|
|
|
|
trace "$n rekeying(s)"
|
|
|
|
|
if [ $n -lt 1 ]; then
|
2018-08-28 10:47:58 +00:00
|
|
|
fail "no rekeying occurred ($@)"
|
2004-01-07 11:10:17 +00:00
|
|
|
fi
|
2014-01-30 10:56:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
increase_datafile_size 300
|
|
|
|
|
|
|
|
|
|
opts=""
|
|
|
|
|
for i in `${SSH} -Q kex`; do
|
|
|
|
|
opts="$opts KexAlgorithms=$i"
|
|
|
|
|
done
|
|
|
|
|
for i in `${SSH} -Q cipher`; do
|
|
|
|
|
opts="$opts Ciphers=$i"
|
|
|
|
|
done
|
|
|
|
|
for i in `${SSH} -Q mac`; do
|
|
|
|
|
opts="$opts MACs=$i"
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
for opt in $opts; do
|
|
|
|
|
verbose "client rekey $opt"
|
2015-01-05 16:09:55 +00:00
|
|
|
ssh_data_rekeying "$opt" -oRekeyLimit=256k
|
2014-01-30 10:56:49 +00:00
|
|
|
done
|
|
|
|
|
|
|
|
|
|
# AEAD ciphers are magical so test with all KexAlgorithms
|
|
|
|
|
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
|
|
|
|
|
for c in `${SSH} -Q cipher-auth`; do
|
|
|
|
|
for kex in `${SSH} -Q kex`; do
|
|
|
|
|
verbose "client rekey $c $kex"
|
2015-01-05 16:09:55 +00:00
|
|
|
ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
|
2014-01-30 10:56:49 +00:00
|
|
|
done
|
|
|
|
|
done
|
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
for s in 16 1k 128k 256k; do
|
|
|
|
|
verbose "client rekeylimit ${s}"
|
2015-01-05 16:09:55 +00:00
|
|
|
ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
|
2004-01-07 11:10:17 +00:00
|
|
|
done
|
2013-09-18 17:27:38 +00:00
|
|
|
|
|
|
|
|
for s in 5 10; do
|
|
|
|
|
verbose "client rekeylimit default ${s}"
|
|
|
|
|
rm -f ${COPY} ${LOG}
|
2014-01-30 10:56:49 +00:00
|
|
|
${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
|
|
|
|
|
$OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
|
2013-09-18 17:27:38 +00:00
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
|
fail "ssh failed"
|
|
|
|
|
fi
|
2014-01-30 10:56:49 +00:00
|
|
|
cmp ${DATA} ${COPY} || fail "corrupted copy"
|
2013-09-18 17:27:38 +00:00
|
|
|
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
|
|
|
|
|
n=`expr $n - 1`
|
|
|
|
|
trace "$n rekeying(s)"
|
|
|
|
|
if [ $n -lt 1 ]; then
|
2018-08-28 10:47:58 +00:00
|
|
|
fail "no rekeying occurred"
|
2013-09-18 17:27:38 +00:00
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
for s in 5 10; do
|
|
|
|
|
verbose "client rekeylimit default ${s} no data"
|
|
|
|
|
rm -f ${COPY} ${LOG}
|
|
|
|
|
${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
|
|
|
|
|
$OBJ/ssh_proxy somehost "sleep $s;sleep 3"
|
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
|
fail "ssh failed"
|
|
|
|
|
fi
|
|
|
|
|
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
|
|
|
|
|
n=`expr $n - 1`
|
|
|
|
|
trace "$n rekeying(s)"
|
|
|
|
|
if [ $n -lt 1 ]; then
|
2018-08-28 10:47:58 +00:00
|
|
|
fail "no rekeying occurred"
|
2013-09-18 17:27:38 +00:00
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
|
2015-07-02 13:15:34 +00:00
|
|
|
for s in 16 1k 128k 256k; do
|
|
|
|
|
verbose "server rekeylimit ${s}"
|
|
|
|
|
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
|
|
|
|
echo "rekeylimit ${s}" >>$OBJ/sshd_proxy
|
|
|
|
|
rm -f ${COPY} ${LOG}
|
|
|
|
|
${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \
|
|
|
|
|
> ${COPY}
|
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
|
fail "ssh failed"
|
|
|
|
|
fi
|
|
|
|
|
cmp ${DATA} ${COPY} || fail "corrupted copy"
|
|
|
|
|
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
|
|
|
|
|
n=`expr $n - 1`
|
|
|
|
|
trace "$n rekeying(s)"
|
|
|
|
|
if [ $n -lt 1 ]; then
|
2018-08-28 10:47:58 +00:00
|
|
|
fail "no rekeying occurred"
|
2015-07-02 13:15:34 +00:00
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
|
2013-09-18 17:27:38 +00:00
|
|
|
for s in 5 10; do
|
|
|
|
|
verbose "server rekeylimit default ${s} no data"
|
2015-07-02 13:15:34 +00:00
|
|
|
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
|
|
|
|
|
echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy
|
2013-09-18 17:27:38 +00:00
|
|
|
rm -f ${COPY} ${LOG}
|
|
|
|
|
${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 3"
|
|
|
|
|
if [ $? -ne 0 ]; then
|
|
|
|
|
fail "ssh failed"
|
|
|
|
|
fi
|
|
|
|
|
n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
|
|
|
|
|
n=`expr $n - 1`
|
|
|
|
|
trace "$n rekeying(s)"
|
|
|
|
|
if [ $n -lt 1 ]; then
|
2018-08-28 10:47:58 +00:00
|
|
|
fail "no rekeying occurred"
|
2013-09-18 17:27:38 +00:00
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
verbose "rekeylimit parsing"
|
2016-03-10 20:10:25 +00:00
|
|
|
for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do
|
2013-09-18 17:27:38 +00:00
|
|
|
for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do
|
|
|
|
|
case $size in
|
|
|
|
|
16) bytes=16 ;;
|
|
|
|
|
1k|1K) bytes=1024 ;;
|
|
|
|
|
1m|1M) bytes=1048576 ;;
|
|
|
|
|
1g|1G) bytes=1073741824 ;;
|
2016-03-10 20:10:25 +00:00
|
|
|
4g|4G) bytes=4294967296 ;;
|
|
|
|
|
8g|8G) bytes=8589934592 ;;
|
2013-09-18 17:27:38 +00:00
|
|
|
esac
|
|
|
|
|
case $time in
|
|
|
|
|
1) seconds=1 ;;
|
|
|
|
|
1m|1M) seconds=60 ;;
|
|
|
|
|
1h|1H) seconds=3600 ;;
|
|
|
|
|
1d|1D) seconds=86400 ;;
|
|
|
|
|
1w|1W) seconds=604800 ;;
|
|
|
|
|
esac
|
|
|
|
|
|
|
|
|
|
b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
|
|
|
|
|
awk '/rekeylimit/{print $2}'`
|
|
|
|
|
s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \
|
|
|
|
|
awk '/rekeylimit/{print $3}'`
|
|
|
|
|
|
|
|
|
|
if [ "$bytes" != "$b" ]; then
|
2014-01-30 10:56:49 +00:00
|
|
|
fatal "rekeylimit size: expected $bytes bytes got $b"
|
2013-09-18 17:27:38 +00:00
|
|
|
fi
|
|
|
|
|
if [ "$seconds" != "$s" ]; then
|
2014-01-30 10:56:49 +00:00
|
|
|
fatal "rekeylimit time: expected $time seconds got $s"
|
2013-09-18 17:27:38 +00:00
|
|
|
fi
|
|
|
|
|
done
|
|
|
|
|
done
|
|
|
|
|
|
|
|
|
|
rm -f ${COPY} ${DATA}
|
