#	$NetBSD: t_interoperability.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $
#
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#
# Names shared by the test cases in this file.  SOCK_LOCAL is the control
# socket of the local rump server.  BUS and SOCK_PEER are not referenced
# in this file; presumably they are read by shared helpers -- confirm.
BUS=bus
SOCK_LOCAL=unix://wg_local
SOCK_PEER=unix://wg_peer

# Register the test case; "cleanup" declares that it has a cleanup routine.
atf_test_case wg_interoperability_basic cleanup
wg_interoperability_basic_head()
{
	# Test case metadata: a description, and the programs that must be
	# available for the test case to run.
	atf_set "descr" \
	    "tests of interoperability with the WireGuard protocol"
	atf_set "require.progs" \
	    "rump_server" "wgconfig" "wg-keygen"
}
#
# Set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test.
# The test also requires the following setup on the host and on a peer.
#
# [Host]
#   ifconfig bridge0 create
#   ifconfig tap0 create
#   brconfig bridge0 add tap0
#   brconfig bridge0 add <external-interface>
#   ifconfig tap0 up
#   ifconfig bridge0 up
#
# [Peer]
#   ip addr add 10.0.0.2/24 dev <external-interface>
#   ip link add wg0 type wireguard
#   ip addr add 10.0.1.2/24 dev wg0
#   privkey="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
#   ip link set wg0 up
#   echo $privkey > /tmp/private-key
#   wg set wg0 listen-port 52428
#   wg set wg0 private-key /tmp/private-key
#   pubkey="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs="
#   wg set wg0 peer $pubkey endpoint 10.0.0.3:52428 allowed-ips 10.0.1.1/32
#
# Note: the private key above is a fixed test fixture that is published in
# this file and written to a predictable path in /tmp, so it protects
# nothing; use a throwaway peer on an isolated network.
#
wg_interoperability_basic_body()
{
	# Command prefixes; each is expanded unquoted on purpose so that it
	# word-splits into atf_check and its arguments.
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 3 -w 3"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 3"
	# Underlay addresses, tunnel addresses and the port used by both
	# ends; they match the [Peer] setup in the comment above this
	# function.
	local ip_local=10.0.0.3 ip_peer=10.0.0.2
	local ip_wg_local=10.0.1.1 ip_wg_peer=10.0.1.2
	local port=52428
	# NOTE(review): ping_fail and outfile are not referenced in this
	# function.  sh locals are visible to called helpers, so confirm
	# that none of them reads these before removing.
	local outfile=./out
	local key_priv_local= key_pub_local=
	local key_priv_peer= key_pub_peer=

	# The test needs an external peer, so it is opt-in.
	case "$ATF_NET_IF_WG_INTEROPERABILITY" in
	yes)
		;;
	*)
		atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test"
		;;
	esac

	# Start the local rump server and bring up virt0 with the underlay
	# address.  The DAD count is set to 0 first.
	export RUMP_SERVER="$SOCK_LOCAL"
	rump_server_crypto_start "$SOCK_LOCAL" virtif wg netinet6
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	$ifconfig virt0 create
	$ifconfig virt0 "$ip_local/24"
	$ifconfig virt0 up

	# The peer must be reachable outside the tunnel before wg is set up.
	$ping "$ip_peer"

	# Fixed test key pairs, published in this file; they protect
	# nothing outside the test network.  Only key_priv_local and
	# key_pub_peer are used below.  key_pub_local and key_priv_peer are
	# the values the [Peer] setup configures on the other end.
	key_priv_local="aK3TbzUNDO4aeDRX54x8bOG+NaKuqXKt7Hwq0Uz69Wo="
	key_pub_local="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs="
	key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
	key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko="

	# Configure wg0 and register the peer with its endpoint and the one
	# tunnel address it is allowed to use.
	setup_wg_common wg0 inet "$ip_wg_local" 24 "$port" "$key_priv_local"
	add_peer wg0 peer0 "$key_pub_peer" "$ip_peer:$port" "$ip_wg_peer/32"

	# The actual check: the peer answers over the tunnel.
	$ping "$ip_wg_peer"

	# Select the local rump server again before tearing wg0 down.
	export RUMP_SERVER="$SOCK_LOCAL"
	$ifconfig wg0 destroy
}
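wg_interoperability_basic_cleanup()
{
	# Dump diagnostics only when DEBUG is explicitly true.  DEBUG is not
	# assigned in this file, and an unset or empty $DEBUG would expand
	# to an empty command that succeeds, so dump would run unasked.
	# dump and cleanup are helpers defined outside this file.
	${DEBUG:-false} && dump
	cleanup
}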
# Register the cookie test case; "cleanup" declares a cleanup routine.
atf_test_case wg_interoperability_cookie cleanup
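wg_interoperability_cookie_head()
{
	# Test case metadata.  The description names the cookie scenario so
	# that reports can tell this case from wg_interoperability_basic,
	# whose description was otherwise identical.
	atf_set "descr" \
	    "tests of interoperability with the WireGuard protocol (cookie reply under load)"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}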
wg_interoperability_cookie_body()
{
	# Command prefixes; each is expanded unquoted on purpose so that it
	# word-splits into atf_check and its arguments.
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 3 -w 3"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 3"
	# Underlay addresses, tunnel addresses and the port used by both
	# ends.
	local ip_local=10.0.0.3 ip_peer=10.0.0.2
	local ip_wg_local=10.0.1.1 ip_wg_peer=10.0.1.2
	local port=52428
	# NOTE(review): outfile is not referenced in this function.  sh
	# locals are visible to called helpers, so confirm that none of
	# them reads it before removing.
	local outfile=./out
	# Seconds to wait before the handshake is retried.  The original
	# comment marks 5 as the default.
	local rekey_timeout=5
	local key_priv_local= key_pub_local=
	local key_priv_peer= key_pub_peer=

	# The test needs an external peer, so it is opt-in.
	case "$ATF_NET_IF_WG_INTEROPERABILITY" in
	yes)
		;;
	*)
		atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test"
		;;
	esac

	# Start the local rump server and bring up virt0 with the underlay
	# address.  The DAD count is set to 0 first.
	export RUMP_SERVER="$SOCK_LOCAL"
	rump_server_crypto_start "$SOCK_LOCAL" virtif wg netinet6
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	$ifconfig virt0 create
	$ifconfig virt0 "$ip_local/24"
	$ifconfig virt0 up

	# The peer must be reachable outside the tunnel before wg is set up.
	$ping "$ip_peer"

	# Fixed test key pairs, published in this file; they protect
	# nothing outside the test network.  Only key_priv_local and
	# key_pub_peer are used below.
	key_priv_local="aK3TbzUNDO4aeDRX54x8bOG+NaKuqXKt7Hwq0Uz69Wo="
	key_pub_local="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs="
	key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
	key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko="

	setup_wg_common wg0 inet "$ip_wg_local" 24 "$port" "$key_priv_local"

	# Emulate load, so that the local side sends back a cookie when it
	# receives a response message.
	atf_check -s exit:0 -o ignore rump.sysctl -w net.wg.force_underload=1

	add_peer wg0 peer0 "$key_pub_peer" "$ip_peer:$port" "$ip_wg_peer/32"

	# The first ping fails: the local side does not accept the response
	# message and sends a cookie instead.
	$ping_fail "$ip_wg_peer"

	# Wait for the initiation to be retried.  The retry works because
	# the peer sends a response message with the cookie it was sent.
	atf_check -s exit:0 sleep "$rekey_timeout"

	# The tunnel is up now, so ping succeeds.
	$ping "$ip_wg_peer"

	# Select the local rump server again before tearing wg0 down.
	export RUMP_SERVER="$SOCK_LOCAL"
	$ifconfig wg0 destroy
}
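wg_interoperability_cookie_cleanup()
{
	# Dump diagnostics only when DEBUG is explicitly true.  DEBUG is not
	# assigned in this file, and an unset or empty $DEBUG would expand
	# to an empty command that succeeds, so dump would run unasked.
	# dump and cleanup are helpers defined outside this file.
	${DEBUG:-false} && dump
	cleanup
}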
# Register the userspace test case; "cleanup" declares a cleanup routine.
atf_test_case wg_userspace_basic cleanup
wg_userspace_basic_head()
{
	# Test case metadata: a description, and the programs that must be
	# available for the test case to run.
	atf_set "descr" \
	    "tests of userspace implementation of wg(4)"
	atf_set "require.progs" \
	    "rump_server" "wgconfig" "wg-keygen"
}
#
# Set ATF_NET_IF_WG_USERSPACE=yes to run the test.
# The test also requires the following setup on the host and on a peer.
#
# [Host]
#   ifconfig bridge0 create
#   ifconfig tap0 create
#   brconfig bridge0 add tap0
#   brconfig bridge0 add <external-interface>
#   ifconfig tap0 up
#   ifconfig bridge0 up
#
# [Peer]
#   ip addr add 10.0.0.2/24 dev <external-interface>
#   ip link add wg0 type wireguard
#   ip addr add 10.0.4.2/24 dev wg0
#   privkey="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
#   ip link set wg0 up
#   echo $privkey > /tmp/private-key
#   wg set wg0 listen-port 52428
#   wg set wg0 private-key /tmp/private-key
#   pubkey="6mQ4lUO3oq5O8FfGW52CFXNbmh5iFT1XMqPzpdrc0nE="
#   wg set wg0 peer $pubkey endpoint 10.0.0.3:52428 allowed-ips 10.0.4.1/32
#
# Note: the private key above is a fixed test fixture that is published in
# this file and written to a predictable path in /tmp, so it protects
# nothing; use a throwaway peer on an isolated network.
#
wg_userspace_basic_body()
{
	# Command prefixes; each is expanded unquoted on purpose so that it
	# word-splits into atf_check and its arguments.  Pings here use the
	# host's ping, not rump.ping.
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore ping -n -c 3 -w 3"
	local ping_fail="atf_check -s not-exit:0 -o ignore ping -n -c 1 -w 3"
	# Underlay addresses, tunnel addresses and the two ports; they match
	# the [Peer] setup in the comment above this function.
	local ip_local=10.0.0.3 ip_peer=10.0.0.2
	local ip_wg_local=10.0.4.1 ip_wg_peer=10.0.4.2
	local port_local=52429 port_peer=52428
	# NOTE(review): ping_fail and outfile are not referenced in this
	# function.  sh locals are visible to called helpers, so confirm
	# that none of them reads these before removing.
	local outfile=./out
	local key_priv_local= key_pub_local=
	local key_priv_peer= key_pub_peer=

	# The test needs an external peer, so it is opt-in.
	case "$ATF_NET_IF_WG_USERSPACE" in
	yes)
		;;
	*)
		atf_skip "set ATF_NET_IF_WG_USERSPACE=yes to run the test"
		;;
	esac

	# Start the local rump server.  No virt0 interface is created in
	# this test case.
	export RUMP_SERVER="$SOCK_LOCAL"
	rump_server_crypto_start "$SOCK_LOCAL" virtif wg netinet6
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0

	if $DEBUG; then
		netstat -nr -f inet
	fi

	# The peer must be reachable outside the tunnel before wg is set up.
	$ping "$ip_peer"

	# Fixed test key pairs, published in this file; they protect
	# nothing outside the test network.  Only key_priv_local and
	# key_pub_peer are used below.  key_pub_local and key_priv_peer are
	# the values the [Peer] setup configures on the other end.
	key_priv_local="6B0dualfIAiEG7/jFGOIHrJMhuypq87xCER/0ieIpE4="
	key_pub_local="6mQ4lUO3oq5O8FfGW52CFXNbmh5iFT1XMqPzpdrc0nE="
	key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
	key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko="

	# tun0 is an extra argument that the other test cases do not pass.
	# NOTE(review): presumably it selects the tun-backed userspace
	# implementation; confirm against setup_wg_common.
	setup_wg_common wg0 inet "$ip_wg_local" 24 "$port_local" \
	    "$key_priv_local" tun0
	add_peer wg0 peer0 "$key_pub_peer" "$ip_peer:$port_peer" \
	    "$ip_wg_peer/32"

	if $DEBUG; then
		rump.ifconfig wg0
		ifconfig tun0
		netstat -nr -f inet
	fi

	# The actual check: the peer answers over the tunnel.
	$ping "$ip_wg_peer"

	# Select the local rump server again before tearing wg0 down.
	export RUMP_SERVER="$SOCK_LOCAL"
	$ifconfig wg0 destroy
}
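wg_userspace_basic_cleanup()
{
	# Dump diagnostics only when DEBUG is explicitly true.  DEBUG is not
	# assigned in this file, and an unset or empty $DEBUG would expand
	# to an empty command that succeeds, so dump would run unasked.
	# dump and cleanup are helpers defined outside this file.
	${DEBUG:-false} && dump
	cleanup
}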
atf_init_test_cases()
{
	local tc

	# Add every test case registered in this file, in file order.
	for tc in wg_interoperability_basic wg_interoperability_cookie \
	    wg_userspace_basic; do
		atf_add_test_case "$tc"
	done
}