diff options
| author | Damien Miller <djm@mindrot.org> | 2013-11-21 14:26:18 +1100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2013-11-21 14:26:18 +1100 |
| commit | 8a073cf57940aabf85e49799f89f5d5e9b072c1b (patch) | |
| tree | 2446191d561babc47ccbeda447c0223bd4803dcb /regress | |
| parent | ea61b2179f63d48968dd2c9617621002bb658bfe (diff) | |
- djm@cvs.openbsd.org 2013/11/21 03:18:51
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
[regress/try-ciphers.sh]
use new "ssh -Q cipher-auth" query to obtain lists of authenticated
encryption ciphers instead of specifying them manually; ensures that
the new chacha20poly1305@openssh.com mode is tested;
ok markus@ and naddy@ as part of the diff to add
chacha20poly1305@openssh.com
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/cipher-speed.sh | 10 | ||||
| -rw-r--r-- | regress/integrity.sh | 14 | ||||
| -rw-r--r-- | regress/rekey.sh | 12 | ||||
| -rw-r--r-- | regress/try-ciphers.sh | 11 |
4 files changed, 25 insertions, 22 deletions
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 8ff9b3220..a6d53a78d 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $ | 1 | # $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="cipher speed" | 4 | tid="cipher speed" |
| @@ -24,10 +24,10 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do | |||
| 24 | fail "ssh -2 failed with mac $m cipher $c" | 24 | fail "ssh -2 failed with mac $m cipher $c" |
| 25 | fi | 25 | fi |
| 26 | done | 26 | done |
| 27 | # No point trying all MACs for GCM since they are ignored. | 27 | # No point trying all MACs for AEAD ciphers since they are ignored. |
| 28 | case $c in | 28 | if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then |
| 29 | aes*-gcm@openssh.com) test $n -gt 0 && break;; | 29 | break |
| 30 | esac | 30 | fi |
| 31 | n=`expr $n + 1` | 31 | n=`expr $n + 1` |
| 32 | done; done | 32 | done; done |
| 33 | 33 | ||
diff --git a/regress/integrity.sh b/regress/integrity.sh index de2b8d05a..852d82690 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $ | 1 | # $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="integrity" | 4 | tid="integrity" |
| @@ -11,7 +11,7 @@ startoffset=2900 | |||
| 11 | macs=`${SSH} -Q mac` | 11 | macs=`${SSH} -Q mac` |
| 12 | # The following are not MACs, but ciphers with integrated integrity. They are | 12 | # The following are not MACs, but ciphers with integrated integrity. They are |
| 13 | # handled specially below. | 13 | # handled specially below. |
| 14 | macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`" | 14 | macs="$macs `${SSH} -Q cipher-auth`" |
| 15 | 15 | ||
| 16 | # avoid DH group exchange as the extra traffic makes it harder to get the | 16 | # avoid DH group exchange as the extra traffic makes it harder to get the |
| 17 | # offset into the stream right. | 17 | # offset into the stream right. |
| @@ -36,12 +36,14 @@ for m in $macs; do | |||
| 36 | fi | 36 | fi |
| 37 | # modify output from sshd at offset $off | 37 | # modify output from sshd at offset $off |
| 38 | pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" | 38 | pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1" |
| 39 | case $m in | 39 | if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then |
| 40 | aes*gcm*) macopt="-c $m";; | 40 | macopt="-c $m" |
| 41 | *) macopt="-m $m";; | 41 | else |
| 42 | esac | 42 | macopt="-m $m -c aes128-ctr" |
| 43 | fi | ||
| 43 | verbose "test $tid: $m @$off" | 44 | verbose "test $tid: $m @$off" |
| 44 | ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ | 45 | ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \ |
| 46 | -oServerAliveInterval=1 -oServerAliveCountMax=30 \ | ||
| 45 | 999.999.999.999 'printf "%4096s" " "' >/dev/null | 47 | 999.999.999.999 'printf "%4096s" " "' >/dev/null |
| 46 | if [ $? -eq 0 ]; then | 48 | if [ $? -eq 0 ]; then |
| 47 | fail "ssh -m $m succeeds with bit-flip at $off" | 49 | fail "ssh -m $m succeeds with bit-flip at $off" |
diff --git a/regress/rekey.sh b/regress/rekey.sh index fe81f0c33..cf9401ea0 100644 --- a/regress/rekey.sh +++ b/regress/rekey.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $ | 1 | # $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="rekey" | 4 | tid="rekey" |
| @@ -44,9 +44,9 @@ for opt in $opts; do | |||
| 44 | ssh_data_rekeying -oRekeyLimit=256k -o$opt | 44 | ssh_data_rekeying -oRekeyLimit=256k -o$opt |
| 45 | done | 45 | done |
| 46 | 46 | ||
| 47 | # GCM is magical so test with all KexAlgorithms | 47 | # AEAD ciphers are magical so test with all KexAlgorithms |
| 48 | if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then | 48 | if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then |
| 49 | for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do | 49 | for c in `${SSH} -Q cipher-auth`; do |
| 50 | for kex in `${SSH} -Q kex`; do | 50 | for kex in `${SSH} -Q kex`; do |
| 51 | verbose "client rekey $c $kex" | 51 | verbose "client rekey $c $kex" |
| 52 | ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex | 52 | ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex |
| @@ -131,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do | |||
| 131 | awk '/rekeylimit/{print $3}'` | 131 | awk '/rekeylimit/{print $3}'` |
| 132 | 132 | ||
| 133 | if [ "$bytes" != "$b" ]; then | 133 | if [ "$bytes" != "$b" ]; then |
| 134 | fatal "rekeylimit size: expected $bytes got $b" | 134 | fatal "rekeylimit size: expected $bytes bytes got $b" |
| 135 | fi | 135 | fi |
| 136 | if [ "$seconds" != "$s" ]; then | 136 | if [ "$seconds" != "$s" ]; then |
| 137 | fatal "rekeylimit time: expected $time got $s" | 137 | fatal "rekeylimit time: expected $time seconds got $s" |
| 138 | fi | 138 | fi |
| 139 | done | 139 | done |
| 140 | done | 140 | done |
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 485843299..ac34cedbf 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $ | 1 | # $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="try ciphers" | 4 | tid="try ciphers" |
| @@ -12,10 +12,11 @@ for c in `${SSH} -Q cipher`; do | |||
| 12 | if [ $? -ne 0 ]; then | 12 | if [ $? -ne 0 ]; then |
| 13 | fail "ssh -2 failed with mac $m cipher $c" | 13 | fail "ssh -2 failed with mac $m cipher $c" |
| 14 | fi | 14 | fi |
| 15 | # No point trying all MACs for GCM since they are ignored. | 15 | # No point trying all MACs for AEAD ciphers since they |
| 16 | case $c in | 16 | # are ignored. |
| 17 | aes*-gcm@openssh.com) test $n -gt 0 && break;; | 17 | if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then |
| 18 | esac | 18 | break |
| 19 | fi | ||
| 19 | n=`expr $n + 1` | 20 | n=`expr $n + 1` |
| 20 | done | 21 | done |
| 21 | done | 22 | done |