- djm@cvs.openbsd.org 2013/11/21 03:18:51

[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
     [regress/try-ciphers.sh]
     use new "ssh -Q cipher-auth" query to obtain lists of authenticated
     encryption ciphers instead of specifying them manually; ensures that
     the new chacha20poly1305@openssh.com mode is tested;

     ok markus@ and naddy@ as part of the diff to add
     chacha20poly1305@openssh.com
This commit is contained in:
Damien Miller 2013-11-21 14:26:18 +11:00
parent ea61b2179f
commit 8a073cf579
5 changed files with 34 additions and 22 deletions

View File

@ -47,6 +47,15 @@
[regress/modpipe.c]
use unsigned long long instead of u_int64_t here to avoid warnings
on some systems portable OpenSSH is built on.
- djm@cvs.openbsd.org 2013/11/21 03:18:51
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
[regress/try-ciphers.sh]
use new "ssh -Q cipher-auth" query to obtain lists of authenticated
encryption ciphers instead of specifying them manually; ensures that
the new chacha20poly1305@openssh.com mode is tested;
ok markus@ and naddy@ as part of the diff to add
chacha20poly1305@openssh.com
20131110
- (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by

View File

@ -1,4 +1,4 @@
# $OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $
# $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $
# Placed in the Public Domain.
tid="cipher speed"
@ -24,10 +24,10 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
fail "ssh -2 failed with mac $m cipher $c"
fi
done
# No point trying all MACs for GCM since they are ignored.
case $c in
aes*-gcm@openssh.com) test $n -gt 0 && break;;
esac
# No point trying all MACs for AEAD ciphers since they are ignored.
if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
break
fi
n=`expr $n + 1`
done; done

View File

@ -1,4 +1,4 @@
# $OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $
# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
# Placed in the Public Domain.
tid="integrity"
@ -11,7 +11,7 @@ startoffset=2900
macs=`${SSH} -Q mac`
# The following are not MACs, but ciphers with integrated integrity. They are
# handled specially below.
macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`"
macs="$macs `${SSH} -Q cipher-auth`"
# avoid DH group exchange as the extra traffic makes it harder to get the
# offset into the stream right.
@ -36,12 +36,14 @@ for m in $macs; do
fi
# modify output from sshd at offset $off
pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
case $m in
aes*gcm*) macopt="-c $m";;
*) macopt="-m $m";;
esac
if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
macopt="-c $m"
else
macopt="-m $m -c aes128-ctr"
fi
verbose "test $tid: $m @$off"
${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
-oServerAliveInterval=1 -oServerAliveCountMax=30 \
999.999.999.999 'printf "%4096s" " "' >/dev/null
if [ $? -eq 0 ]; then
fail "ssh -m $m succeeds with bit-flip at $off"

View File

@ -1,4 +1,4 @@
# $OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $
# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
# Placed in the Public Domain.
tid="rekey"
@ -44,9 +44,9 @@ for opt in $opts; do
ssh_data_rekeying -oRekeyLimit=256k -o$opt
done
# GCM is magical so test with all KexAlgorithms
if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then
for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do
# AEAD ciphers are magical so test with all KexAlgorithms
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
for c in `${SSH} -Q cipher-auth`; do
for kex in `${SSH} -Q kex`; do
verbose "client rekey $c $kex"
ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
@ -131,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do
awk '/rekeylimit/{print $3}'`
if [ "$bytes" != "$b" ]; then
fatal "rekeylimit size: expected $bytes got $b"
fatal "rekeylimit size: expected $bytes bytes got $b"
fi
if [ "$seconds" != "$s" ]; then
fatal "rekeylimit time: expected $time got $s"
fatal "rekeylimit time: expected $time seconds got $s"
fi
done
done

View File

@ -1,4 +1,4 @@
# $OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $
# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
# Placed in the Public Domain.
tid="try ciphers"
@ -12,10 +12,11 @@ for c in `${SSH} -Q cipher`; do
if [ $? -ne 0 ]; then
fail "ssh -2 failed with mac $m cipher $c"
fi
# No point trying all MACs for GCM since they are ignored.
case $c in
aes*-gcm@openssh.com) test $n -gt 0 && break;;
esac
# No point trying all MACs for AEAD ciphers since they
# are ignored.
if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
break
fi
n=`expr $n + 1`
done
done