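#	$NetBSD: t_interoperability.sh,v 1.1 2020/08/26 16:03:42 riastradh Exp $
#
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

#
# ATF test cases that check a rump-kernel wg(4) instance against an
# external WireGuard peer.  All three cases are opt-in: each one skips
# itself unless its ATF_NET_IF_WG_* environment variable is "yes",
# because they need a manually prepared host bridge and a second machine.
#
# Key material: every private/public key in this file is a fixed fixture
# that is published with the test.  The keys authenticate nothing outside
# the test network and must be treated as public.
#
# The helpers rump_server_crypto_start, setup_wg_common, add_peer, dump
# and cleanup, and the DEBUG variable, are not defined in this file.
#

BUS=bus
SOCK_LOCAL=unix://wg_local
SOCK_PEER=unix://wg_peer


atf_test_case wg_interoperability_basic cleanup
wg_interoperability_basic_head()
{

	atf_set "descr" "tests of interoperability with the WireGuard protocol"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

#
# Set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test.
# To run the test, the following setup is also required on the host and
# on a peer.
#
# [Host]
#   ifconfig bridge0 create
#   ifconfig tap0 create
#   brconfig bridge0 add tap0
#   brconfig bridge0 add <external-interface>
#   ifconfig tap0 up
#   ifconfig bridge0 up
#
# [Peer]
#   ip addr add 10.0.0.2/24 dev <external-interface>
#   ip link add wg0 type wireguard
#   ip addr add 10.0.1.2/24 dev wg0
#   privkey="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
#   ip link set wg0 up
#   echo $privkey > /tmp/private-key
#   wg set wg0 listen-port 52428
#   wg set wg0 private-key /tmp/private-key
#   pubkey="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs="
#   wg set wg0 peer $pubkey endpoint 10.0.0.3:52428 allowed-ips 10.0.1.1/32
#
# NOTE(review): /tmp is shared between local users and the redirect above
# creates the key file with the default umask.  Run `umask 077` in the
# peer's shell before the echo (or write the file somewhere private) and
# remove it after the run.
#
wg_interoperability_basic_body()
{
	# Command prefixes.  They are expanded unquoted on purpose so that
	# the shell splits them into atf_check and its arguments.
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 3 -w 3"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 3"
	local key_priv_local=
	local key_pub_local=
	local key_priv_peer=
	local key_pub_peer=
	local ip_local=10.0.0.3
	local ip_peer=10.0.0.2
	local ip_wg_local=10.0.1.1
	local ip_wg_peer=10.0.1.2
	local port=52428
	# NOTE(review): ping_fail, outfile, key_pub_local and key_priv_peer
	# are not referenced in this function.  They are kept because the
	# helpers called below can see a caller's locals (dynamic scoping);
	# confirm none of them reads these before removing.
	local outfile=./out

	if [ "${ATF_NET_IF_WG_INTEROPERABILITY:-}" != yes ]; then
		atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test"
	fi

	export RUMP_SERVER="$SOCK_LOCAL"
	rump_server_crypto_start "$SOCK_LOCAL" virtif wg netinet6
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig virt0 create
	atf_check -s exit:0 rump.ifconfig virt0 "${ip_local}/24"
	atf_check -s exit:0 rump.ifconfig virt0 up

	# The peer must answer on the plain network before the tunnel is
	# configured; a failure here points at the bridge setup, not wg(4).
	$ping "$ip_peer"

	# Fixed test fixtures (see the file header); the peer is configured
	# by hand with the matching halves.
	key_priv_local="aK3TbzUNDO4aeDRX54x8bOG+NaKuqXKt7Hwq0Uz69Wo="
	key_pub_local="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs="
	key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
	key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko="

	setup_wg_common wg0 inet "$ip_wg_local" 24 "$port" "$key_priv_local"
	add_peer wg0 peer0 "$key_pub_peer" "${ip_peer}:${port}" "${ip_wg_peer}/32"

	# Reaching the peer's tunnel address shows that traffic passes
	# through the tunnel.
	$ping "$ip_wg_peer"

	export RUMP_SERVER="$SOCK_LOCAL"
	$ifconfig wg0 destroy
}

wg_interoperability_basic_cleanup()
{

	# DEBUG is expanded and run as a command; it is set outside this file.
	$DEBUG && dump
	cleanup
}

atf_test_case wg_interoperability_cookie cleanup
wg_interoperability_cookie_head()
{

	atf_set "descr" "tests of interoperability with the WireGuard protocol"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

#
# Same host and peer setup as wg_interoperability_basic.  This case forces
# the local side to answer the peer's response message with a cookie, then
# checks that the retried handshake, which carries that cookie, succeeds.
#
wg_interoperability_cookie_body()
{
	# Command prefixes, expanded unquoted on purpose (word splitting).
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 3 -w 3"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 3"
	local key_priv_local=
	local key_pub_local=
	local key_priv_peer=
	local key_pub_peer=
	local ip_local=10.0.0.3
	local ip_peer=10.0.0.2
	local ip_wg_local=10.0.1.1
	local ip_wg_peer=10.0.1.2
	local port=52428
	# NOTE(review): outfile, key_pub_local and key_priv_peer are not
	# referenced here; kept in case a helper reads them (dynamic scoping).
	local outfile=./out
	local rekey_timeout=5 # default

	if [ "${ATF_NET_IF_WG_INTEROPERABILITY:-}" != yes ]; then
		atf_skip "set ATF_NET_IF_WG_INTEROPERABILITY=yes to run the test"
	fi

	export RUMP_SERVER="$SOCK_LOCAL"
	rump_server_crypto_start "$SOCK_LOCAL" virtif wg netinet6
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0
	atf_check -s exit:0 rump.ifconfig virt0 create
	atf_check -s exit:0 rump.ifconfig virt0 "${ip_local}/24"
	atf_check -s exit:0 rump.ifconfig virt0 up

	$ping "$ip_peer"

	# Fixed test fixtures (see the file header).
	key_priv_local="aK3TbzUNDO4aeDRX54x8bOG+NaKuqXKt7Hwq0Uz69Wo="
	key_pub_local="2iWFzywbDvYu2gQW5Q7/z/g5/Cv4bDDd6L3OKXLOwxs="
	key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
	key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko="

	setup_wg_common wg0 inet "$ip_wg_local" 24 "$port" "$key_priv_local"

	# Emulate load so that a cookie is sent back on receiving a response
	# message.  The sysctl is set before the peer is added so that it is
	# already in effect for the first handshake.
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.force_underload=1

	add_peer wg0 peer0 "$key_pub_peer" "${ip_peer}:${port}" "${ip_wg_peer}/32"

	# ping fails because we don't accept a response message and send a
	# cookie instead
	$ping_fail "$ip_wg_peer"

	# Wait for the handshake to be retried; the retry works because the
	# peer sends a response message with the cookie we sent
	atf_check -s exit:0 sleep "$rekey_timeout"

	# So ping works
	$ping "$ip_wg_peer"

	export RUMP_SERVER="$SOCK_LOCAL"
	$ifconfig wg0 destroy
}

wg_interoperability_cookie_cleanup()
{

	# DEBUG is expanded and run as a command; it is set outside this file.
	$DEBUG && dump
	cleanup
}

atf_test_case wg_userspace_basic cleanup
wg_userspace_basic_head()
{

	atf_set "descr" "tests of userspace implementation of wg(4)"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

#
# Set ATF_NET_IF_WG_USERSPACE=yes to run the test.
# To run the test, the following setup is also required on the host and
# on a peer.
#
# [Host]
#   ifconfig bridge0 create
#   ifconfig tap0 create
#   brconfig bridge0 add tap0
#   brconfig bridge0 add <external-interface>
#   ifconfig tap0 up
#   ifconfig bridge0 up
#
# [Peer]
#   ip addr add 10.0.0.2/24 dev <external-interface>
#   ip link add wg0 type wireguard
#   ip addr add 10.0.4.2/24 dev wg0
#   privkey="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
#   ip link set wg0 up
#   echo $privkey > /tmp/private-key
#   wg set wg0 listen-port 52428
#   wg set wg0 private-key /tmp/private-key
#   pubkey="6mQ4lUO3oq5O8FfGW52CFXNbmh5iFT1XMqPzpdrc0nE="
#   wg set wg0 peer $pubkey endpoint 10.0.0.3:52428 allowed-ips 10.0.4.1/32
#
# NOTE(review): as in the interoperability setup, create /tmp/private-key
# under `umask 077` on the peer and remove it after the run.
#
wg_userspace_basic_body()
{
	# Command prefixes, expanded unquoted on purpose (word splitting).
	# Unlike the interoperability cases, ping here is the host's ping,
	# not rump.ping.
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore ping -n -c 3 -w 3"
	local ping_fail="atf_check -s not-exit:0 -o ignore ping -n -c 1 -w 3"
	local key_priv_local=
	local key_pub_local=
	local key_priv_peer=
	local key_pub_peer=
	local ip_local=10.0.0.3
	local ip_peer=10.0.0.2
	local ip_wg_local=10.0.4.1
	local ip_wg_peer=10.0.4.2
	local port_local=52429
	local port_peer=52428
	# NOTE(review): ping_fail, ip_local, outfile, key_pub_local and
	# key_priv_peer are not referenced here; kept in case a helper reads
	# them (dynamic scoping).
	local outfile=./out

	if [ "${ATF_NET_IF_WG_USERSPACE:-}" != yes ]; then
		atf_skip "set ATF_NET_IF_WG_USERSPACE=yes to run the test"
	fi

	export RUMP_SERVER="$SOCK_LOCAL"
	rump_server_crypto_start "$SOCK_LOCAL" virtif wg netinet6
	atf_check -s exit:0 rump.sysctl -q -w net.inet.ip.dad_count=0

	$DEBUG && netstat -nr -f inet

	$ping "$ip_peer"

	# Fixed test fixtures (see the file header).
	key_priv_local="6B0dualfIAiEG7/jFGOIHrJMhuypq87xCER/0ieIpE4="
	key_pub_local="6mQ4lUO3oq5O8FfGW52CFXNbmh5iFT1XMqPzpdrc0nE="
	key_priv_peer="EF9D8AOkmxjlkiRFqBnfJS+RJJHbUy02u+VkGlBr9Eo="
	key_pub_peer="2ZM9RvDmMZS/Nuh8OaVaJrwFbO57/WJgeU+JoQ//nko="

	# The trailing tun0 argument is only passed in this case; presumably
	# it names the host tun device used by the userspace implementation
	# (confirm in setup_wg_common).
	setup_wg_common wg0 inet "$ip_wg_local" 24 "$port_local" "$key_priv_local" tun0
	add_peer wg0 peer0 "$key_pub_peer" "${ip_peer}:${port_peer}" "${ip_wg_peer}/32"

	$DEBUG && rump.ifconfig wg0
	$DEBUG && ifconfig tun0
	$DEBUG && netstat -nr -f inet

	$ping "$ip_wg_peer"

	export RUMP_SERVER="$SOCK_LOCAL"
	$ifconfig wg0 destroy
}

wg_userspace_basic_cleanup()
{

	# DEBUG is expanded and run as a command; it is set outside this file.
	$DEBUG && dump
	cleanup
}

# Register every test case of this file with ATF.
atf_init_test_cases()
{

	atf_add_test_case wg_interoperability_basic
	atf_add_test_case wg_interoperability_cookie
	atf_add_test_case wg_userspace_basic
}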