1# $NetBSD: t_interoperability.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $ 2# 3# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com> 4# All rights reserved. 5# 6# Redistribution and use in source and binary forms, with or without 7# modification, are permitted provided that the following conditions 8# are met: 9# 1. Redistributions of source code must retain the above copyright 10# notice, this list of conditions and the following disclaimer. 11# 2. Redistributions in binary form must reproduce the above copyright 12# notice, this list of conditions and the following disclaimer in the 13# documentation and/or other materials provided with the distribution. 14# 15# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 16# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 17# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 18# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 19# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25# POSSIBILITY OF SUCH DAMAGE. 26# 27 28BUS=bus 29SOCK_LOCAL=unix://wg_local 30SOCK_PEER=unix://wg_peer 31 32 33atf_test_case wg_interoperability_basic cleanup 34wg_interoperability_basic_head() 35{ 36 37 atf_set "descr" "tests of interoperability with the WireGuard protocol" 38 atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" 39} 40 41# 42# Set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test. 43# Also to run the test, the following setups are required on the host and a peer. 44# 45# [Host] 46# ifconfig bridge0 create 47# ifconfig tap0 create 48# brconfig bridge0 add tap0 49# brconfig bridge0 add <external-interface> 50# ifconfig tap0 up 51# ifconfig bridge0 up 52# 53# [Peer] 54# ip addr add 10.0.0.2/24 dev <external-interface> 55# ip link add wg0 type wireguard 56# ip addr add 10.0.1.2/24 dev wg0 57# privkey="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo=" 58# ip link set wg0 up 59# echo $privkey > /tmp/private-key 60# wg set wg0 listen-port 52428 61# wg set wg0 private-key /tmp/private-key 62# pubkey="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs=" 63# wg set wg0 peer $pubkey endpoint 10.0.0.3:52428 allowed-ips 10.0.1.1/32 64# 65wg_interoperability_basic_body() 66{ 67 local ifconfig="atf_check -s exit:0 rump.ifconfig" 68 local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 3 -w 3" 69 local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 3" 70 local key_priv_local= 71 local key_pub_local= 72 local key_priv_peer= 73 local key_pub_peer= 74 local ip_local=10.0.0.3 75 local ip_peer=10.0.0.2 76 local ip_wg_local=10.0.1.1 77 local ip_wg_peer=10.0.1.2 78 local port=52428 79 local outfile=./out 80 81 if [ "$ATF_NET_IF_WG_INTEROPERABILITY" != yes ]; then 82 atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test" 83 fi 84 85 export RUMP_SERVER=$SOCK_LOCAL 86 rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6 87 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 88 atf_check -s exit:0 rump.ifconfig virt0 create 89 atf_check -s exit:0 rump.ifconfig virt0 $ip_local/24 90 atf_check -s exit:0 rump.ifconfig virt0 up 91 92 $ping $ip_peer 93 94 key_priv_local="aK3TbzUNDO4aeDRX54x8bOG+NaKuqXKt7Hwq0Uz69Wo=" 95 key_pub_local="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs=" 96 key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo=" 97 key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko=" 98 99 setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" 100 add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 101 102 $ping $ip_wg_peer 103 104 export RUMP_SERVER=$SOCK_LOCAL 105 $ifconfig wg0 destroy 106} 107 108wg_interoperability_basic_cleanup() 109{ 110 111 $DEBUG && dump 112 cleanup 113} 114 115atf_test_case wg_interoperability_cookie cleanup 116wg_interoperability_cookie_head() 117{ 118 119 atf_set "descr" "tests of interoperability with the WireGuard protocol" 120 atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" 121} 122 123wg_interoperability_cookie_body() 124{ 125 local ifconfig="atf_check -s exit:0 rump.ifconfig" 126 local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 3 -w 3" 127 local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 3" 128 local key_priv_local= 129 local key_pub_local= 130 local key_priv_peer= 131 local key_pub_peer= 132 local ip_local=10.0.0.3 133 local ip_peer=10.0.0.2 134 local ip_wg_local=10.0.1.1 135 local ip_wg_peer=10.0.1.2 136 local port=52428 137 local outfile=./out 138 local rekey_timeout=5 # default 139 140 if [ "$ATF_NET_IF_WG_INTEROPERABILITY" != yes ]; then 141 atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test" 142 fi 143 144 export RUMP_SERVER=$SOCK_LOCAL 145 rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6 146 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 147 atf_check -s exit:0 rump.ifconfig virt0 create 148 atf_check -s exit:0 rump.ifconfig virt0 $ip_local/24 149 atf_check -s exit:0 rump.ifconfig virt0 up 150 151 $ping $ip_peer 152 153 key_priv_local="aK3TbzUNDO4aeDRX54x8bOG+NaKuqXKt7Hwq0Uz69Wo=" 154 key_pub_local="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs=" 155 key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo=" 156 key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko=" 157 158 setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" 159 160 # Emulate load to send back a cookie on receiving a response message 161 atf_check -s exit:0 -o ignore \ 162 rump.sysctl -w net.wg.force_underload=1 163 164 add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 165 166 # ping fails because we don't accept a response message and send a cookie 167 $ping_fail $ip_wg_peer 168 169 # Wait for retrying an initialization that works because the peer 170 # send a response message with the cookie we sent 171 atf_check -s exit:0 sleep $rekey_timeout 172 173 # So ping works 174 $ping $ip_wg_peer 175 176 export RUMP_SERVER=$SOCK_LOCAL 177 $ifconfig wg0 destroy 178} 179 180wg_interoperability_cookie_cleanup() 181{ 182 183 $DEBUG && dump 184 cleanup 185} 186 187atf_test_case wg_userspace_basic cleanup 188wg_userspace_basic_head() 189{ 190 191 atf_set "descr" "tests of userspace implementation of wg(4)" 192 atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" 193} 194 195# 196# Set ATF_NET_IF_WG_USERSPACE=yes to run the test. 197# Also to run the test, the following setups are required on the host and a peer. 198# 199# [Host] 200# ifconfig bridge0 create 201# ifconfig tap0 create 202# brconfig bridge0 add tap0 203# brconfig bridge0 add <external-interface> 204# ifconfig tap0 up 205# ifconfig bridge0 up 206# 207# [Peer] 208# ip addr add 10.0.0.2/24 dev <external-interface> 209# ip link add wg0 type wireguard 210# ip addr add 10.0.4.2/24 dev wg0 211# privkey="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo=" 212# ip link set wg0 up 213# echo $privkey > /tmp/private-key 214# wg set wg0 listen-port 52428 215# wg set wg0 private-key /tmp/private-key 216# pubkey="6mQ4lUO3oq5O8FfGW52CFXNbmh5iFT1XMqPzpdrc0nE=" 217# wg set wg0 peer $pubkey endpoint 10.0.0.3:52428 allowed-ips 10.0.4.1/32 218# 219wg_userspace_basic_body() 220{ 221 local ifconfig="atf_check -s exit:0 rump.ifconfig" 222 local ping="atf_check -s exit:0 -o ignore ping -n -c 3 -w 3" 223 local ping_fail="atf_check -s not-exit:0 -o ignore ping -n -c 1 -w 3" 224 local key_priv_local= 225 local key_pub_local= 226 local key_priv_peer= 227 local key_pub_peer= 228 local ip_local=10.0.0.3 229 local ip_peer=10.0.0.2 230 local ip_wg_local=10.0.4.1 231 local ip_wg_peer=10.0.4.2 232 local port_local=52429 233 local port_peer=52428 234 local outfile=./out 235 236 if [ "$ATF_NET_IF_WG_USERSPACE" != yes ]; then 237 atf_skip "set ATF_NET_IF_WG_USERSPACE=yes to run the test" 238 fi 239 240 export RUMP_SERVER=$SOCK_LOCAL 241 rump_server_crypto_start $SOCK_LOCAL virtif wg netinet6 242 atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0 243 244 $DEBUG && netstat -nr -f inet 245 246 $ping $ip_peer 247 248 key_priv_local="6B0dualfIAiEG7/jFGOIHrJMhuypq87xCER/0ieIpE4=" 249 key_pub_local="6mQ4lUO3oq5O8FfGW52CFXNbmh5iFT1XMqPzpdrc0nE=" 250 key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo=" 251 key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko=" 252 253 setup_wg_common wg0 inet $ip_wg_local 24 $port_local "$key_priv_local" tun0 254 add_peer wg0 peer0 $key_pub_peer $ip_peer:$port_peer $ip_wg_peer/32 255 256 $DEBUG && rump.ifconfig wg0 257 $DEBUG && ifconfig tun0 258 $DEBUG && netstat -nr -f inet 259 260 $ping $ip_wg_peer 261 262 export RUMP_SERVER=$SOCK_LOCAL 263 $ifconfig wg0 destroy 264} 265 266wg_userspace_basic_cleanup() 267{ 268 269 $DEBUG && dump 270 cleanup 271} 272 273atf_init_test_cases() 274{ 275 276 atf_add_test_case wg_interoperability_basic 277 atf_add_test_case wg_interoperability_cookie 278 atf_add_test_case wg_userspace_basic 279} 280