-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | regress/rekey.sh | 64 |
2 files changed, 59 insertions, 9 deletions
@@ -27,6 +27,10 @@ | |||
27 | - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 | 27 | - dtucker@cvs.openbsd.org 2013/11/04 12:27:42 |
28 | [regress/rekey.sh] | 28 | [regress/rekey.sh] |
29 | Test rekeying with all KexAlgorithms. | 29 | Test rekeying with all KexAlgorithms. |
30 | - dtucker@cvs.openbsd.org 2013/11/07 00:12:05 | ||
31 | [regress/rekey.sh] | ||
32 | Test rekeying for every Cipher, MAC and KEX, plus test every KEX with | ||
33 | the GCM ciphers. | ||
30 | 34 | ||
31 | 20131104 | 35 | 20131104 |
32 | - (djm) OpenBSD CVS Sync | 36 | - (djm) OpenBSD CVS Sync |
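--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: rekey.sh,v 1.9 2013/11/04 12:27:42 dtucker Exp $
+# $OpenBSD: rekey.sh,v 1.10 2013/11/07 00:12:05 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="rekey"
@@ -7,17 +7,44 @@ LOG=${TEST_SSH_LOGFILE}
 
 rm -f ${LOG}
 
-kexalgs="curve25519-sha256@libssh.org ecdh-sha2-nistp256 \
-ecdh-sha2-nistp384 ecdh-sha2-nistp521 diffie-hellman-group-exchange-sha256 \
-diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1 \
-diffie-hellman-group1-sha1"
+opts=""
+for i in `${SSH} -Q kex`; do
+opts="$opts KexAlgorithms=$i"
+done
+for i in `${SSH} -Q cipher`; do
+opts="$opts Ciphers=$i"
+done
+for i in `${SSH} -Q mac`; do
+opts="$opts MACs=$i"
+done
 
-for s in 16 1k 128k 256k; do
-for a in $kexalgs; do
-verbose "client rekeylimit ${s} ${a}"
+for opt in $opts; do
+verbose "client rekey $opt"
+rm -f ${COPY} ${LOG}
+cat $DATA | \
+${SSH} -oCompression=no -oRekeyLimit=16 -o$opt \
+-v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
+if [ $? -ne 0 ]; then
+fail "ssh failed"
+fi
+cmp $DATA ${COPY} || fail "corrupted copy"
+n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
+n=`expr $n - 1`
+trace "$n rekeying(s)"
+if [ $n -lt 1 ]; then
+fail "no rekeying occured"
+fi
+done
+
+# GCM is magical so test with all KexAlgorithms
+if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then
+for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do
+for kex in `${SSH} -Q kex`; do
+verbose "client rekey $c $kex"
 rm -f ${COPY} ${LOG}
 cat $DATA | \
-${SSH} -oCompression=no -oRekeyLimit=$s -oKexAlgorithms=$a \
+${SSH} -oCompression=no -oRekeyLimit=16 \
+-oCiphers=$c -oKexAlgorithms=$kex \
 -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
 if [ $? -ne 0 ]; then
 fail "ssh failed"
@@ -30,6 +57,25 @@ for s in 16 1k 128k 256k; do
 fail "no rekeying occured"
 fi
 done
+done
+fi
+
+for s in 16 1k 128k 256k; do
+verbose "client rekeylimit ${s}"
+rm -f ${COPY} ${LOG}
+cat $DATA | \
+${SSH} -oCompression=no -oRekeyLimit=$s \
+-v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
+if [ $? -ne 0 ]; then
+fail "ssh failed"
+fi
+cmp $DATA ${COPY} || fail "corrupted copy"
+n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
+n=`expr $n - 1`
+trace "$n rekeying(s)"
+if [ $n -lt 1 ]; then
+fail "no rekeying occured"
+fi
 done
 
 for s in 5 10; do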
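Review bot: The per-algorithm loop (new lines 21–37) asserts only that at least one extra `NEWKEYS sent` appears in the log, so nothing confirms that the `KexAlgorithms`/`Ciphers`/`MACs` value under test is the one actually negotiated. This matters most for the `MACs=$i` runs: no cipher is pinned there, and if the client's default cipher is an AEAD one (such as the `gcm@openssh.com` ciphers this commit special-cases), the MAC setting is not used and the run still passes. Consider pinning a non-AEAD cipher for the MAC iterations, or checking the `-v` log for the requested algorithm before counting rekeys; at minimum add a comment such as `# MACs= has no effect with AEAD ciphers; these runs assume a non-AEAD default cipher`. The same transfer-and-count block now appears three times in the file, so a small helper function would keep such a check in one place.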