- djm@cvs.openbsd.org 2013/11/21 03:18:51

[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] [regress/try-ciphers.sh] use new "ssh -Q cipher-auth" query to obtain lists of authenticated encryption ciphers instead of specifying them manually; ensures that the new chacha20poly1305@openssh.com mode is tested; ok markus@ and naddy@ as part of the diff to add chacha20poly1305@openssh.com
2013-11-21 14:26:18 +11:00 · 2013-11-21 14:26:18 +11:00 · 8a073cf579
parent ea61b2179f
commit 8a073cf579
5 changed files with 34 additions and 22 deletions
--- a/9
+++ b/9
@ -47,6 +47,15 @@
     [regress/modpipe.c]
     use unsigned long long instead of u_int64_t here to avoid warnings
     on some systems portable OpenSSH is built on.
+   - djm@cvs.openbsd.org 2013/11/21 03:18:51
+     [regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
+     [regress/try-ciphers.sh]
+     use new "ssh -Q cipher-auth" query to obtain lists of authenticated
+     encryption ciphers instead of specifying them manually; ensures that
+     the new chacha20poly1305@openssh.com mode is tested;
+     
+     ok markus@ and naddy@ as part of the diff to add
+     chacha20poly1305@openssh.com

 20131110
 - (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $
+#	$OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $
 #	Placed in the Public Domain.

 tid="cipher speed"
@ -24,10 +24,10 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
 			fail "ssh -2 failed with mac $m cipher $c"
 		fi
 	done
-	# No point trying all MACs for GCM since they are ignored.
-	case $c in
-	aes*-gcm@openssh.com)	test $n -gt 0 && break;;
-	esac
+	# No point trying all MACs for AEAD ciphers since they are ignored.
+	if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
+		break
+	fi
 	n=`expr $n + 1`
 done; done

--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $
+#	$OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
 #	Placed in the Public Domain.

 tid="integrity"
@ -11,7 +11,7 @@ startoffset=2900
 macs=`${SSH} -Q mac`
 # The following are not MACs, but ciphers with integrated integrity. They are
 # handled specially below.
-macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`"
+macs="$macs `${SSH} -Q cipher-auth`"

 # avoid DH group exchange as the extra traffic makes it harder to get the
 # offset into the stream right.
@ -36,12 +36,14 @@ for m in $macs; do
 		fi
 		# modify output from sshd at offset $off
 		pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
-		case $m in
-			aes*gcm*)	macopt="-c $m";;
-			*)		macopt="-m $m";;
-		esac
+		if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
+			macopt="-c $m"
+		else
+			macopt="-m $m -c aes128-ctr"
+		fi
 		verbose "test $tid: $m @$off"
 		${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+		    -oServerAliveInterval=1 -oServerAliveCountMax=30 \
 		    999.999.999.999 'printf "%4096s" " "' >/dev/null
 		if [ $? -eq 0 ]; then
 			fail "ssh -m $m succeeds with bit-flip at $off"
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $
+#	$OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
 #	Placed in the Public Domain.

 tid="rekey"
@ -44,9 +44,9 @@ for opt in $opts; do
 	ssh_data_rekeying -oRekeyLimit=256k -o$opt
 done

-# GCM is magical so test with all KexAlgorithms
-if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then
-  for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do
+# AEAD ciphers are magical so test with all KexAlgorithms
+if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
+  for c in `${SSH} -Q cipher-auth`; do
    for kex in `${SSH} -Q kex`; do
 	verbose "client rekey $c $kex"
 	ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
@ -131,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do
 	    awk '/rekeylimit/{print $3}'`

 	if [ "$bytes" != "$b" ]; then
-		fatal "rekeylimit size: expected $bytes got $b"
+		fatal "rekeylimit size: expected $bytes bytes got $b"
 	fi
 	if [ "$seconds" != "$s" ]; then
-		fatal "rekeylimit time: expected $time got $s"
+		fatal "rekeylimit time: expected $time seconds got $s"
 	fi
    done
 done
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $
+#	$OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
 #	Placed in the Public Domain.

 tid="try ciphers"
@ -12,10 +12,11 @@ for c in `${SSH} -Q cipher`; do
 		if [ $? -ne 0 ]; then
 			fail "ssh -2 failed with mac $m cipher $c"
 		fi
-		# No point trying all MACs for GCM since they are ignored.
-		case $c in
-		aes*-gcm@openssh.com)	test $n -gt 0 && break;;
-		esac
+		# No point trying all MACs for AEAD ciphers since they
+		# are ignored.
+		if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
+			break
+		fi
 		n=`expr $n + 1`
 	done
 done