- djm@cvs.openbsd.org 2013/11/21 03:18:51
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh] [regress/try-ciphers.sh] use new "ssh -Q cipher-auth" query to obtain lists of authenticated encryption ciphers instead of specifying them manually; ensures that the new chacha20poly1305@openssh.com mode is tested; ok markus@ and naddy@ as part of the diff to add chacha20poly1305@openssh.com
This commit is contained in:
parent
ea61b2179f
commit
8a073cf579
|
@ -47,6 +47,15 @@
|
|||
[regress/modpipe.c]
|
||||
use unsigned long long instead of u_int64_t here to avoid warnings
|
||||
on some systems portable OpenSSH is built on.
|
||||
- djm@cvs.openbsd.org 2013/11/21 03:18:51
|
||||
[regress/cipher-speed.sh regress/integrity.sh regress/rekey.sh]
|
||||
[regress/try-ciphers.sh]
|
||||
use new "ssh -Q cipher-auth" query to obtain lists of authenticated
|
||||
encryption ciphers instead of specifying them manually; ensures that
|
||||
the new chacha20poly1305@openssh.com mode is tested;
|
||||
|
||||
ok markus@ and naddy@ as part of the diff to add
|
||||
chacha20poly1305@openssh.com
|
||||
|
||||
20131110
|
||||
- (dtucker) [regress/keytype.sh] Populate ECDSA key types to be tested by
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: cipher-speed.sh,v 1.10 2013/11/07 02:48:38 dtucker Exp $
|
||||
# $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="cipher speed"
|
||||
|
@ -24,10 +24,10 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
|
|||
fail "ssh -2 failed with mac $m cipher $c"
|
||||
fi
|
||||
done
|
||||
# No point trying all MACs for GCM since they are ignored.
|
||||
case $c in
|
||||
aes*-gcm@openssh.com) test $n -gt 0 && break;;
|
||||
esac
|
||||
# No point trying all MACs for AEAD ciphers since they are ignored.
|
||||
if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
|
||||
break
|
||||
fi
|
||||
n=`expr $n + 1`
|
||||
done; done
|
||||
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: integrity.sh,v 1.11 2013/11/07 02:48:38 dtucker Exp $
|
||||
# $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="integrity"
|
||||
|
@ -11,7 +11,7 @@ startoffset=2900
|
|||
macs=`${SSH} -Q mac`
|
||||
# The following are not MACs, but ciphers with integrated integrity. They are
|
||||
# handled specially below.
|
||||
macs="$macs `${SSH} -Q cipher | grep gcm@openssh.com`"
|
||||
macs="$macs `${SSH} -Q cipher-auth`"
|
||||
|
||||
# avoid DH group exchange as the extra traffic makes it harder to get the
|
||||
# offset into the stream right.
|
||||
|
@ -36,12 +36,14 @@ for m in $macs; do
|
|||
fi
|
||||
# modify output from sshd at offset $off
|
||||
pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
|
||||
case $m in
|
||||
aes*gcm*) macopt="-c $m";;
|
||||
*) macopt="-m $m";;
|
||||
esac
|
||||
if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
|
||||
macopt="-c $m"
|
||||
else
|
||||
macopt="-m $m -c aes128-ctr"
|
||||
fi
|
||||
verbose "test $tid: $m @$off"
|
||||
${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
|
||||
-oServerAliveInterval=1 -oServerAliveCountMax=30 \
|
||||
999.999.999.999 'printf "%4096s" " "' >/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
fail "ssh -m $m succeeds with bit-flip at $off"
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: rekey.sh,v 1.13 2013/11/09 05:41:34 dtucker Exp $
|
||||
# $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="rekey"
|
||||
|
@ -44,9 +44,9 @@ for opt in $opts; do
|
|||
ssh_data_rekeying -oRekeyLimit=256k -o$opt
|
||||
done
|
||||
|
||||
# GCM is magical so test with all KexAlgorithms
|
||||
if ${SSH} -Q cipher | grep gcm@openssh.com >/dev/null ; then
|
||||
for c in `${SSH} -Q cipher | grep gcm@openssh.com`; do
|
||||
# AEAD ciphers are magical so test with all KexAlgorithms
|
||||
if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
|
||||
for c in `${SSH} -Q cipher-auth`; do
|
||||
for kex in `${SSH} -Q kex`; do
|
||||
verbose "client rekey $c $kex"
|
||||
ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
|
||||
|
@ -131,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do
|
|||
awk '/rekeylimit/{print $3}'`
|
||||
|
||||
if [ "$bytes" != "$b" ]; then
|
||||
fatal "rekeylimit size: expected $bytes got $b"
|
||||
fatal "rekeylimit size: expected $bytes bytes got $b"
|
||||
fi
|
||||
if [ "$seconds" != "$s" ]; then
|
||||
fatal "rekeylimit time: expected $time got $s"
|
||||
fatal "rekeylimit time: expected $time seconds got $s"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
# $OpenBSD: try-ciphers.sh,v 1.21 2013/11/07 02:48:38 dtucker Exp $
|
||||
# $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="try ciphers"
|
||||
|
@ -12,10 +12,11 @@ for c in `${SSH} -Q cipher`; do
|
|||
if [ $? -ne 0 ]; then
|
||||
fail "ssh -2 failed with mac $m cipher $c"
|
||||
fi
|
||||
# No point trying all MACs for GCM since they are ignored.
|
||||
case $c in
|
||||
aes*-gcm@openssh.com) test $n -gt 0 && break;;
|
||||
esac
|
||||
# No point trying all MACs for AEAD ciphers since they
|
||||
# are ignored.
|
||||
if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
|
||||
break
|
||||
fi
|
||||
n=`expr $n + 1`
|
||||
done
|
||||
done
|
||||
|
|
Loading…
Reference in New Issue