diff options
| author | Damien Miller <djm@mindrot.org> | 2012-12-12 10:54:37 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2012-12-12 10:54:37 +1100 |
| commit | 1fb593a3f198b75787c5c5974fe256122427d1d3 (patch) | |
| tree | 7413aa501ef522bd54386dfafdacfc26be44fd08 /regress/integrity.sh | |
| parent | 1a45b63d7b4fe34e18ab4cc669669003e6f8e403 (diff) | |
- markus@cvs.openbsd.org 2012/12/11 22:42:11
[regress/Makefile regress/modpipe.c regress/integrity.sh]
test the integrity of the packets; with djm@
Diffstat (limited to 'regress/integrity.sh')
| -rw-r--r-- | regress/integrity.sh | 58 |
1 files changed, 58 insertions, 0 deletions
diff --git a/regress/integrity.sh b/regress/integrity.sh new file mode 100644 index 000000000..23135685c --- /dev/null +++ b/regress/integrity.sh | |||
| @@ -0,0 +1,58 @@ | |||
| 1 | # $OpenBSD: integrity.sh,v 1.1 2012/12/11 22:42:11 markus Exp $ | ||
| 2 | # Placed in the Public Domain. | ||
| 3 | |||
| 4 | tid="integrity" | ||
| 5 | |||
| 6 | # start at byte 2300 (i.e. after kex) and corrupt at different offsets | ||
| 7 | # XXX the test hangs if we modify the low bytes of the packet length | ||
| 8 | # XXX and ssh tries to read... | ||
| 9 | tries=10 | ||
| 10 | startoffset=2300 | ||
| 11 | macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com | ||
| 12 | hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512 | ||
| 13 | hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com | ||
| 14 | umac-64-etm@openssh.com umac-128-etm@openssh.com | ||
| 15 | hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com | ||
| 16 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" | ||
| 17 | |||
| 18 | # sshd-command for proxy (see test-exec.sh) | ||
| 19 | cmd="sh ${SRC}/sshd-log-wrapper.sh ${SSHD} ${TEST_SSH_LOGFILE} -i -f $OBJ/sshd_proxy" | ||
| 20 | |||
| 21 | for m in $macs; do | ||
| 22 | trace "test $tid: mac $m" | ||
| 23 | elen=0 | ||
| 24 | epad=0 | ||
| 25 | emac=0 | ||
| 26 | ecnt=0 | ||
| 27 | skip=0 | ||
| 28 | for off in $(jot $tries $startoffset); do | ||
| 29 | if [ $((skip--)) -gt 0 ]; then | ||
| 30 | # avoid modifying the high bytes of the length | ||
| 31 | continue | ||
| 32 | fi | ||
| 33 | # modify output from sshd at offset $off | ||
| 34 | pxy="proxycommand=$cmd | $OBJ/modpipe -m xor:$off:1" | ||
| 35 | output=$(${SSH} -m $m -2F $OBJ/ssh_proxy -o "$pxy" \ | ||
| 36 | 999.999.999.999 true 2>&1) | ||
| 37 | if [ $? -eq 0 ]; then | ||
| 38 | fail "ssh -m $m succeeds with bit-flip at $off" | ||
| 39 | fi | ||
| 40 | ecnt=$((ecnt+1)) | ||
| 41 | output=$(echo $output | tr -s '\r\n' '.') | ||
| 42 | verbose "test $tid: $m @$off $output" | ||
| 43 | case "$output" in | ||
| 44 | Bad?packet*) elen=$((elen+1)); skip=2;; | ||
| 45 | Corrupted?MAC*) emac=$((emac+1)); skip=0;; | ||
| 46 | padding*) epad=$((epad+1)); skip=0;; | ||
| 47 | *) fail "unexpected error mac $m at $off";; | ||
| 48 | esac | ||
| 49 | done | ||
| 50 | verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen" | ||
| 51 | if [ $emac -eq 0 ]; then | ||
| 52 | fail "$m: no mac errors" | ||
| 53 | fi | ||
| 54 | expect=$((ecnt-epad-elen)) | ||
| 55 | if [ $emac -ne $expect ]; then | ||
| 56 | fail "$m: expected $expect mac errors, got $emac" | ||
| 57 | fi | ||
| 58 | done | ||