authorDamien Miller <djm@mindrot.org>2013-11-21 14:26:18 +1100
committerDamien Miller <djm@mindrot.org>2013-11-21 14:26:18 +1100
commit8a073cf57940aabf85e49799f89f5d5e9b072c1b (patch)
tree2446191d561babc47ccbeda447c0223bd4803dcb
parentea61b2179f63d48968dd2c9617621002bb658bfe (diff)
- djm@cvs.openbsd.org 2013/11/21 03:18:51
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] [regress/try-ciphers.sh] use new "ssh -Q cipher-auth" query to obtain lists of authenticated encryption ciphers instead of specifying them manually; ensures that the new chacha20poly1305@openssh.com mode is tested; ok markus@ and naddy@ as part of the diff to add chacha20poly1305@openssh.com
-rw-r--r--ChangeLog9
-rw-r--r--regress/cipher-speed.sh10
-rw-r--r--regress/integrity.sh14
-rw-r--r--regress/rekey.sh12
-rw-r--r--regress/try-ciphers.sh11
5 files changed, 34 insertions, 22 deletions
diff --git a/ChangeLog b/ChangeLog
index 377d35994..8cf8a20ac 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -47,6 +47,15 @@
47 [regress/modpipe.c] 47 [regress/modpipe.c]
48 use unsigned long long instead of u_int64_t here to avoid warnings 48 use unsigned long long instead of u_int64_t here to avoid warnings
49 on some systems portable OpenSSH is built on. 49 on some systems portable OpenSSH is built on.
50 - djm@cvs.openbsd.org 2013/11/21 03:18:51
51 [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
52 [regress/try-ciphers.sh]
53 use new "ssh -Q cipher-auth" query to obtain lists of authenticated
54 encryption ciphers instead of specifying them manually; ensures that
55 the new chacha20poly1305@openssh.com mode is tested;
56
57 ok markus@ and naddy@ as part of the diff to add
58 chacha20poly1305@openssh.com
50 59
5120131110 6020131110
52 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by 61 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 8ff9b3220..a6d53a78d 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $ 1# $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="cipher speed" 4tid="cipher speed"
@@ -24,10 +24,10 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
24 fail "ssh -2 failed with mac $m cipher $c" 24 fail "ssh -2 failed with mac $m cipher $c"
25 fi 25 fi
26 done 26 done
27 # No point trying all MACs for GCM since they are ignored. 27 # No point trying all MACs for AEAD ciphers since they are ignored.
28 case $c in 28 if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
29 aes*-gcm@openssh.com) test $n -gt 0 && break;; 29 break
30 esac 30 fi
31 n=`expr $n + 1` 31 n=`expr $n + 1`
32done; done 32done; done
33 33
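Review bot: The new AEAD check at new line 28 runs a bare `ssh -Q cipher-auth`, i.e. whichever ssh is first in PATH, while the surrounding loops query the binary under test via `${SSH}`; it should read `if ${SSH} -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then`. If the installed ssh does not know `-Q cipher-auth`, the grep simply never matches and the script carries on with every MAC. The same bare `ssh` appears in regress/integrity.sh (new line 39), where a miss would pass an AEAD cipher name to `-m` and the run would presumably fail for a reason unrelated to the bit-flip, and in regress/try-ciphers.sh (new line 17). The cipher name is also interpolated as a regex, so its `.` matches any character; `grep -Fx "$c"` would compare it literally.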
diff --git a/regress/integrity.sh b/regress/integrity.sh
index de2b8d05a..852d82690 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $ 1# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="integrity" 4tid="integrity"
@@ -11,7 +11,7 @@ startoffset=2900
11macs=`${SSH} -Q mac` 11macs=`${SSH} -Q mac`
12# The following are not MACs, but ciphers with integrated integrity. They are 12# The following are not MACs, but ciphers with integrated integrity. They are
13# handled specially below. 13# handled specially below.
14macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`" 14macs="$macs `${SSH} -Q cipher-auth`"
15 15
16# avoid DH group exchange as the extra traffic makes it harder to get the 16# avoid DH group exchange as the extra traffic makes it harder to get the
17# offset into the stream right. 17# offset into the stream right.
@@ -36,12 +36,14 @@ for m in $macs; do
36 fi 36 fi
37 # modify output from sshd at offset $off 37 # modify output from sshd at offset $off
38 pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" 38 pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
39 case $m in 39 if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
40 aes*gcm*) macopt="-c $m";; 40 macopt="-c $m"
41 *) macopt="-m $m";; 41 else
42 esac 42 macopt="-m $m -c aes128-ctr"
43 fi
43 verbose "test $tid: $m @$off" 44 verbose "test $tid: $m @$off"
44 ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ 45 ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
46 -oServerAliveInterval=1 -oServerAliveCountMax=30 \
45 999.999.999.999 'printf "%4096s" " "' >/dev/null 47 999.999.999.999 'printf "%4096s" " "' >/dev/null
46 if [ $? -eq 0 ]; then 48 if [ $? -eq 0 ]; then
47 fail "ssh -m $m succeeds with bit-flip at $off" 49 fail "ssh -m $m succeeds with bit-flip at $off"
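Review bot: The else branch at new line 42 now pins `-c aes128-ctr`, and new line 46 adds `-oServerAliveInterval=1 -oServerAliveCountMax=30`, both without a comment saying why. Presumably the cipher is pinned so that negotiation cannot pick an AEAD mode that ignores the MAC under test, and the keepalives bound how long a session stalled by the flipped byte can hang; if so, state it, e.g. `# pin a non-AEAD cipher so the MAC under test is actually used` and `# keepalives make a stalled corrupted session time out`. The `fail` message at new line 49 still prints `ssh -m $m` for entries that were run with `-c $m`. The body of the `for m in $macs` loop continues outside the hunk.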
diff --git a/regress/rekey.sh b/regress/rekey.sh
index fe81f0c33..cf9401ea0 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $ 1# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="rekey" 4tid="rekey"
@@ -44,9 +44,9 @@ for opt in $opts; do
44 ssh_data_rekeying -oRekeyLimit=256k -o$opt 44 ssh_data_rekeying -oRekeyLimit=256k -o$opt
45done 45done
46 46
47# GCM is magical so test with all KexAlgorithms 47# AEAD ciphers are magical so test with all KexAlgorithms
48if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then 48if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
49 for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do 49 for c in `${SSH} -Q cipher-auth`; do
50 for kex in `${SSH} -Q kex`; do 50 for kex in `${SSH} -Q kex`; do
51 verbose "client rekey $c $kex" 51 verbose "client rekey $c $kex"
52 ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex 52 ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
@@ -131,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do
131 awk '/rekeylimit/{print $3}'` 131 awk '/rekeylimit/{print $3}'`
132 132
133 if [ "$bytes" != "$b" ]; then 133 if [ "$bytes" != "$b" ]; then
134 fatal "rekeylimit size: expected $bytes got $b" 134 fatal "rekeylimit size: expected $bytes bytes got $b"
135 fi 135 fi
136 if [ "$seconds" != "$s" ]; then 136 if [ "$seconds" != "$s" ]; then
137 fatal "rekeylimit time: expected $time got $s" 137 fatal "rekeylimit time: expected $time seconds got $s"
138 fi 138 fi
139 done 139 done
140done 140done
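Review bot: The guard at new line 48, `grep '^.*$'`, matches every line including an empty one, so it only checks that `${SSH} -Q cipher-auth` printed something. The `for c in ...` loop on the next line already runs zero times on empty output, so the `if` can be dropped or reduced to `grep . >/dev/null`. Either way an empty list makes the AEAD rekey tests disappear silently, which may deserve a `verbose` or `fail` line if the list is now expected to be non-empty (inferred from the commit message). In the second hunk, new line 137 labels `$time` as seconds while the comparison uses `$seconds`; if `$time` is the unconverted value set outside the hunk, the message should print `$seconds`.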
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index 485843299..ac34cedbf 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $ 1# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="try ciphers" 4tid="try ciphers"
@@ -12,10 +12,11 @@ for c in `${SSH} -Q cipher`; do
12 if [ $? -ne 0 ]; then 12 if [ $? -ne 0 ]; then
13 fail "ssh -2 failed with mac $m cipher $c" 13 fail "ssh -2 failed with mac $m cipher $c"
14 fi 14 fi
15 # No point trying all MACs for GCM since they are ignored. 15 # No point trying all MACs for AEAD ciphers since they
16 case $c in 16 # are ignored.
17 aes*-gcm@openssh.com) test $n -gt 0 && break;; 17 if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
18 esac 18 break
19 fi
19 n=`expr $n + 1` 20 n=`expr $n + 1`
20 done 21 done
21done 22done
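Review bot: With the unconditional `break` at new line 18, the counter `n` is no longer read anywhere in the visible lines, yet its `expr` increment stays at new line 20. The old `test $n -gt 0 && break` let an AEAD cipher run with two MACs before stopping; the new code stops after one, which is fine if intended but leaves `n` dead. Remove the increment (and its initialisation, which is outside the hunk) or add a comment saying why it is kept. The same applies to regress/cipher-speed.sh, new lines 28 to 31.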