diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:40:04 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:40:04 +0000 |
commit | 25505898530a333011f4fd5cbc841ad6b26c089c (patch) | |
tree | 333a33fdd60930bcccc3f177ed9467d535e9bac6 /regress/rekey.sh | |
parent | Initial commit. (diff) | |
download | openssh-upstream.tar.xz openssh-upstream.zip |
Adding upstream version 1:9.2p1.upstream/1%9.2p1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | regress/rekey.sh | 172 |
1 files changed, 172 insertions, 0 deletions
diff --git a/regress/rekey.sh b/regress/rekey.sh new file mode 100644 index 0000000..61723cd --- /dev/null +++ b/regress/rekey.sh @@ -0,0 +1,172 @@ +# $OpenBSD: rekey.sh,v 1.19 2021/07/19 05:08:54 dtucker Exp $ +# Placed in the Public Domain. + +tid="rekey" + +LOG=${TEST_SSH_LOGFILE} + +rm -f ${LOG} +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak + +# Test rekeying based on data volume only. +# Arguments will be passed to ssh. +ssh_data_rekeying() +{ + _kexopt=$1 ; shift + _opts="$@" + if ! test -z "$_kexopts" ; then + cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy + echo "$_kexopt" >> $OBJ/sshd_proxy + _opts="$_opts -o$_kexopt" + fi + rm -f ${COPY} ${LOG} + _opts="$_opts -oCompression=no" + ${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}" + if [ $? -ne 0 ]; then + fail "ssh failed ($@)" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy ($@)" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occurred ($@)" + fi +} + +increase_datafile_size 300 + +opts="" +for i in `${SSH} -Q kex`; do + opts="$opts KexAlgorithms=$i" +done +for i in `${SSH} -Q cipher`; do + opts="$opts Ciphers=$i" +done +for i in `${SSH} -Q mac`; do + opts="$opts MACs=$i" +done + +for opt in $opts; do + verbose "client rekey $opt" + ssh_data_rekeying "$opt" -oRekeyLimit=256k +done + +# AEAD ciphers are magical so test with all KexAlgorithms +if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then + for c in `${SSH} -Q cipher-auth`; do + for kex in `${SSH} -Q kex`; do + verbose "client rekey $c $kex" + ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c + done + done +fi + +for s in 16 1k 128k 256k; do + verbose "client rekeylimit ${s}" + ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s +done + +for s in 5 10; do + verbose "client rekeylimit default ${s}" + rm -f ${COPY} ${LOG} + ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 10" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occurred" + fi +done + +for s in 5 10; do + verbose "client rekeylimit default ${s} no data" + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \ + $OBJ/ssh_proxy somehost "sleep $s;sleep 10" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occurred" + fi +done + +for s in 16 1k 128k 256k; do + verbose "server rekeylimit ${s}" + cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy + echo "rekeylimit ${s}" >>$OBJ/sshd_proxy + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "cat ${DATA}" \ + > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occurred" + fi +done + +for s in 5 10; do + verbose "server rekeylimit default ${s} no data" + cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy + echo "rekeylimit default ${s}" >>$OBJ/sshd_proxy + rm -f ${COPY} ${LOG} + ${SSH} -oCompression=no -F $OBJ/ssh_proxy somehost "sleep $s;sleep 10" + if [ $? -ne 0 ]; then + fail "ssh failed" + fi + n=`grep 'NEWKEYS sent' ${LOG} | wc -l` + n=`expr $n - 1` + trace "$n rekeying(s)" + if [ $n -lt 1 ]; then + fail "no rekeying occurred" + fi +done + +verbose "rekeylimit parsing" +for size in 16 1k 1K 1m 1M 1g 1G 4G 8G; do + for time in 1 1m 1M 1h 1H 1d 1D 1w 1W; do + case $size in + 16) bytes=16 ;; + 1k|1K) bytes=1024 ;; + 1m|1M) bytes=1048576 ;; + 1g|1G) bytes=1073741824 ;; + 4g|4G) bytes=4294967296 ;; + 8g|8G) bytes=8589934592 ;; + esac + case $time in + 1) seconds=1 ;; + 1m|1M) seconds=60 ;; + 1h|1H) seconds=3600 ;; + 1d|1D) seconds=86400 ;; + 1w|1W) seconds=604800 ;; + esac + + b=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ + awk '/rekeylimit/{print $2}'` + s=`$SUDO ${SSHD} -T -o "rekeylimit $size $time" -f $OBJ/sshd_proxy | \ + awk '/rekeylimit/{print $3}'` + + if [ "$bytes" != "$b" ]; then + fatal "rekeylimit size: expected $bytes bytes got $b" + fi + if [ "$seconds" != "$s" ]; then + fatal "rekeylimit time: expected $time seconds got $s" + fi + done +done + +rm -f ${COPY} ${DATA} |