# $NetBSD: t_misc.sh,v 1.16 2024/08/26 17:52:46 riastradh Exp $
#
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
#

# ATF test cases for wg(4) protocol behaviour: rekeying, handshake timeout,
# cookie replies, endpoint mobility, keepalives, preshared keys and
# malformed packet headers.
#
# Every test builds the same two-node topology: a "local" and a "peer" rump
# server, each with an underlay interface (shmif0, 192.168.1.0/24) and a
# tunnel interface (wg0, 10.0.0.0/24).  RUMP_SERVER selects which of the two
# servers the following rump.* commands talk to.
#
# The helpers used below (setup_servers, generate_keys, setup_common,
# setup_wg_common, add_peer, delete_peer, destroy_wg_interfaces,
# extract_new_packets, dump, cleanup) and the variables DEBUG and HIJACKING
# are not defined in this file.
# NOTE(review): $DEBUG is executed as a command, so it has to expand to
# something like `true' or `false'; presumably the shared test helpers
# provide it -- confirm.

# Name handed to extract_new_packets when capturing traffic.
BUS=bus
# Control sockets of the two rump servers.
SOCK_LOCAL=unix://wg_local
SOCK_PEER=unix://wg_peer


atf_test_case wg_rekey cleanup
# Test metadata: description and the programs that must be installed.
wg_rekey_head()
{

	atf_set "descr" "tests of rekeying of wg(4)"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Checks that the latest-handshake value reported by wgconfig stays the
# same while the session is younger than net.wg.rekey_after_time and
# changes once that time has passed, twice in a row.
wg_rekey_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local rekey_after_time=3
	local latest_handshake=

	setup_servers

	# Shorten the rekey interval on both ends so the test finishes in a
	# few seconds.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
	# presumably -1 turns on every wg(4) debug flag; verify
	$DEBUG && atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.debug=-1
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
	$DEBUG && atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.debug=-1

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_LOCAL

	# The timestamps go to the test log so the timing of each step can be
	# reconstructed afterwards.
	echo ping1time=$(date)
	$ping $ip_wg_peer

	# Remember the handshake value established by the first ping.
	latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \
	    | awk -F ': ' '/latest-handshake/ {print $2;}')
	$DEBUG && echo handshake1=$latest_handshake

	sleep 1

	echo ping2time=$(date)
	$ping $ip_wg_peer

	# No reinitiation is performed
	# NOTE(review): the value is used as a regular expression; if the awk
	# extraction ever yields an empty string this match succeeds
	# vacuously, and only the not-match checks below would catch it.
	atf_check -s exit:0 -o match:"$latest_handshake" \
	    $HIJACKING wgconfig wg0 show peer peer0

	# Wait for a reinitiation to be performed
	sleep $rekey_after_time

	echo ping3time=$(date)
	$ping $ip_wg_peer

	# A reinitiation should be performed
	atf_check -s exit:0 -o not-match:"$latest_handshake" \
	    $HIJACKING wgconfig wg0 show peer peer0

	latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \
	    | awk -F ': ' '/latest-handshake/ {print $2;}')
	$DEBUG && echo handshake2=$latest_handshake

	# Wait for a reinitiation to be performed again
	sleep $((rekey_after_time+1))

	echo ping4time=$(date)
	$ping $ip_wg_peer

	# A reinitiation should be performed
	atf_check -s exit:0 -o not-match:"$latest_handshake" \
	    $HIJACKING wgconfig wg0 show peer peer0

	destroy_wg_interfaces
}

# Cleanup hook: dumps state when DEBUG is on, then runs the common cleanup.
wg_rekey_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_handshake_timeout cleanup
# Test metadata: description and the programs that must be installed.
wg_handshake_timeout_head()
{

	atf_set "descr" "tests of handshake timeout of wg(4)"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Checks that the local end stops sending handshake packets to an
# unreachable peer: with the peer's underlay interface down, exactly three
# local-to-peer packets must be captured.
wg_handshake_timeout_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out
	local rekey_timeout=4
	local rekey_attempt_time=10
	local n=

	setup_servers

	# Both retry knobs are set on both ends.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	# Resolve arp
	# (done over the underlay while the peer is still reachable, so ARP
	# traffic does not show up in the capture that is counted below)
	export RUMP_SERVER=$SOCK_LOCAL
	$ping $ip_peer

	# Make the peer unreachable.
	export RUMP_SERVER=$SOCK_PEER
	$ifconfig shmif0 down
	export RUMP_SERVER=$SOCK_LOCAL

	# This capture is overwritten below without being read; presumably
	# the call only marks the packets seen so far as consumed -- verify
	# against the helper.
	extract_new_packets $BUS > $outfile

	# Should fail
	atf_check -s not-exit:0 -o match:'100.0% packet loss' \
	    rump.ping -n -c 1 -w 1 $ip_wg_peer

	# Wait until the whole retry budget has certainly elapsed.
	sleep $((rekey_attempt_time + rekey_timeout))

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# Count captured lines going from the local to the peer endpoint.
	# The unescaped dots match any character, which is harmless for
	# these fixed addresses.
	n=$(grep "$ip_local.$port > $ip_peer.$port" $outfile |wc -l)

	# Give up handshaking after three attempts
	# (presumably attempts at about 0, 4 and 8 seconds, before the
	# 10-second rekey_attempt_time expires -- TODO confirm)
	atf_check_equal $n 3

	# Restore the peer's underlay interface before tearing down.
	export RUMP_SERVER=$SOCK_PEER
	$ifconfig shmif0 up
	export RUMP_SERVER=$SOCK_LOCAL

	destroy_wg_interfaces
}

# Cleanup hook: dumps state when DEBUG is on, then runs the common cleanup.
wg_handshake_timeout_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_cookie cleanup
# Test metadata: description and the programs that must be installed.
wg_cookie_head()
{

	atf_set "descr" "tests of cookie messages of the wg(4) protocol"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Checks the cookie exchange, the protocol's protection for a responder
# under load: with net.wg.force_underload=1 on the peer the first handshake
# must be answered by a cookie message and no session may start; a later
# attempt must succeed.
wg_cookie_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out
	# Only used as a sleep duration; no sysctl is set from it here, so
	# this assumes the default rekey timeout is at most 5 seconds --
	# TODO confirm.
	local rekey_timeout=5

	setup_servers

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	# Emulate load on the peer
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.force_underload=1

	export RUMP_SERVER=$SOCK_LOCAL

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# The peer doesn't return a response message but a cookie message
	# and a session doesn't start
	$ping_fail $ip_wg_peer

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile
	# XXX length 64 indicates the message is a cookie message
	# (a WireGuard cookie reply is 64 bytes on the wire; the check goes
	# by datagram length only and never looks at the message type byte)
	atf_check -s exit:0 \
	    -o match:"$ip_peer.$port > $ip_local.$port: UDP, length 64" \
	    cat $outfile

	# No handshake may have completed yet.
	$DEBUG && $HIJACKING wgconfig wg0 show all
	atf_check -s exit:0 -o match:"latest-handshake: \(never\)" \
	    $HIJACKING wgconfig wg0

	# Wait for restarting a session
	sleep $rekey_timeout

	# The second attempt should be success because the init message has
	# a valid cookie.
	$ping $ip_wg_peer

	$DEBUG && $HIJACKING wgconfig wg0 show all
	atf_check -s exit:0 -o not-match:"latest-handshake: \(never\)" \
	    $HIJACKING wgconfig wg0

	destroy_wg_interfaces
}

# Cleanup hook: dumps state when DEBUG is on, then runs the common cleanup.
wg_cookie_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_mobility cleanup
# Test metadata: description and the programs that must be installed.
wg_mobility_head()
{

	atf_set "descr" "tests of the mobility of wg(4)"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Checks endpoint learning and roaming: the local end starts without an
# endpoint for the peer, learns it from the peer's traffic, and follows the
# peer when the peer's underlay address changes.
# NOTE(review): only traffic from the correctly keyed peer is exercised;
# nothing here checks that unauthenticated packets leave the stored
# endpoint unchanged.
wg_mobility_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_peer_new=192.168.1.3
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out

	setup_servers

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	# Initially, the local doesn't know the endpoint of the peer
	add_peer wg0 peer0 $key_pub_peer "" $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# Ping from the local to the peer doesn't work because the local
	# doesn't know the endpoint of the peer
	export RUMP_SERVER=$SOCK_LOCAL
	$ping_fail $ip_wg_peer

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# The peer knows the local endpoint, so it can start the session.
	export RUMP_SERVER=$SOCK_PEER
	$ping $ip_wg_local

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# The local now sends to the peer's underlay address.
	atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer.$port" cat $outfile

	# Change the IP address of the peer
	# (RUMP_SERVER still points at the peer here)
	setup_common shmif0 inet $ip_peer_new 24
	$ifconfig -w 10

	# Ping from the local to the peer doesn't work because the local
	# doesn't know the change of the IP address of the peer
	export RUMP_SERVER=$SOCK_LOCAL
	$ping_fail $ip_wg_peer

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# The local is still sending to the old address.
	atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer.$port" cat $outfile

	# Ping from the peer to the local works because the local notices
	# the change and updates the IP address of the peer
	export RUMP_SERVER=$SOCK_PEER
	$ping $ip_wg_local

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# Traffic flows to and from the new address, and none goes to the
	# old one any more.
	atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer_new.$port" cat $outfile
	atf_check -s exit:0 -o match:"$ip_peer_new.$port > $ip_local.$port" cat $outfile
	atf_check -s exit:0 -o not-match:"$ip_local.$port > $ip_peer.$port" cat $outfile

	destroy_wg_interfaces
}

# Cleanup hook: dumps state when DEBUG is on, then runs the common cleanup.
wg_mobility_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_keepalive cleanup
# Test metadata: description and the programs that must be installed.
wg_keepalive_head()
{

	atf_set "descr" "tests keepalive messages"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Checks that the peer sends a keepalive: after a pause longer than the
# peer's net.wg.keepalive_timeout, the capture must contain a 32-byte UDP
# datagram from the peer to the local end.
wg_keepalive_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1"
	# ping_fail and ip_peer_new are declared but not used in this test.
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_peer_new=192.168.1.3
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out
	local keepalive_timeout=3

	setup_servers

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	# Shorten keepalive_timeout of the peer
	# (RUMP_SERVER still points at the peer; the local end is unchanged)
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.keepalive_timeout=$keepalive_timeout

	export RUMP_SERVER=$SOCK_LOCAL

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	$ping $ip_wg_peer

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# Stay idle for longer than the peer's keepalive timeout.
	sleep $((keepalive_timeout + 1))

	$ping $ip_wg_peer

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# XXX length 32 indicates the message is a keepalive (empty) message
	# (a WireGuard data message with an empty payload is 32 bytes; as
	# with the cookie test, only the datagram length is checked)
	atf_check -s exit:0 -o match:"$ip_peer.$port > $ip_local.$port: UDP, length 32" \
	    cat $outfile

	destroy_wg_interfaces
}

# Cleanup hook: dumps state when DEBUG is on, then runs the common cleanup.
wg_keepalive_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_psk cleanup
# Test metadata: description and the programs that must be installed.
wg_psk_head()
{

	atf_set "descr" "tests preshared-key"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Empty placeholder; nothing in this file calls it.
# NOTE(review): an empty `{ }' body is a syntax error in some shells (bash,
# for one) -- keep that in mind if this file is ever run under another sh.
test_psk_common()
{
}

# Checks that a preshared key must match on both ends: the tunnel fails
# while only the local end has the key, works once the peer has it too, and
# fails again after the key is removed from the peer.
wg_psk_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	# ip_peer_new is declared but not used in this test.
	local ip_peer_new=192.168.1.3
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out
	local pskfile=./psk
	local rekey_after_time=3

	setup_servers

	# A short rekey interval lets a changed key configuration take
	# effect within a few seconds (see the "Need a rekey" waits below).
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys
	# key_psk is not declared local, so it is a global like the keys set
	# by generate_keys.  It is a throwaway key generated for this run;
	# with DEBUG on it is printed to the test log.
	key_psk=$(wg-keygen --psk)
	$DEBUG && echo $key_psk

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"

	# The key file is created in the current directory with the default
	# umask.  Acceptable for a throwaway test key; not a pattern to copy
	# for real key material.
	echo "$key_psk" > $pskfile

	export RUMP_SERVER=$SOCK_LOCAL

	# The local always has the preshared key
	# (add_peer is given both the file name and the key value; what it
	# does with each is defined by the helper, not visible here)
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 \
	    $pskfile "$key_psk"
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER

	# First, try the peer without the preshared key
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_LOCAL

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# Mismatch: only one side has the key, so the tunnel must not work.
	$ping_fail $ip_wg_peer

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# Next, try with the preshared key
	export RUMP_SERVER=$SOCK_PEER
	delete_peer wg0 peer0
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 \
	    $pskfile "$key_psk"
	$ifconfig -w 10

	# Need a rekey
	atf_check -s exit:0 sleep $((rekey_after_time + 1))

	export RUMP_SERVER=$SOCK_LOCAL

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# Both sides have the key now, so the tunnel must work.
	$ping $ip_wg_peer

	extract_new_packets $BUS > $outfile
	$DEBUG && cat $outfile

	# Then, try again without the preshared key just in case
	export RUMP_SERVER=$SOCK_PEER
	delete_peer wg0 peer0
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	# Need a rekey
	atf_check -s exit:0 sleep $((rekey_after_time + 1))

	export RUMP_SERVER=$SOCK_LOCAL
	$ping_fail $ip_wg_peer

	# NOTE(review): only reached when every check above passed; on a
	# failed check the key file is presumably left for the test
	# harness's work-directory cleanup -- confirm.
	rm -f $pskfile

	destroy_wg_interfaces
}

# Cleanup hook: dumps state when DEBUG is on, then runs the common cleanup.
wg_psk_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_malformed cleanup
# Test metadata: description, required programs (this test also needs nc)
# and an explicit timeout of 100.
wg_malformed_head()
{

	atf_set "descr" "tests malformed packet headers"
	atf_set "require.progs" "nc" "rump_server" "wgconfig" "wg-keygen"
	atf_set "timeout" "100"
}

# Robustness test: after a working tunnel is up, a series of truncated UDP
# datagrams is sent to the peer's wg port over the underlay, and the tunnel
# must still pass traffic afterwards.  The only assertion is the final
# ping; the nc commands themselves are not wrapped in atf_check.
wg_malformed_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	setup_servers

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_LOCAL

	# Baseline: the tunnel works before anything malformed is sent.
	$ping $ip_wg_peer

	printf 'send malformed packets\n'

	# Unchecked ping over the underlay; presumably it makes sure the
	# peer's address is resolved before the one-shot nc sends -- verify.
	$HIJACKING ping -c 1 -n $ip_peer

	# Payloads of 1 to 4 arbitrary bytes, all too short to be any valid
	# message.
	printf 'x' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf 'xy' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf 'xyz' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf 'xyzw' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	# Bare 4-byte headers with the first byte running from 0 to 4, each
	# sent alone and with one trailing byte.  In the WireGuard protocol
	# 1 to 4 are the defined message types and 0 is not.
	# The \x escapes rely on the shell's printf supporting them, which
	# POSIX does not require.
	printf '\x00\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x00\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x01\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x01\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x02\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x02\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x03\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x03\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x04\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x04\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port

	printf 'done sending malformed packets\n'

	# Pass criterion: the peer still answers over the tunnel.
	$ping $ip_wg_peer
	# NOTE(review): unlike the other test bodies this one does not call
	# destroy_wg_interfaces; teardown is left to the cleanup hook --
	# confirm that this is intended.
}

# Cleanup hook: dumps state when DEBUG is on, then runs the common cleanup.
wg_malformed_cleanup()
{

	$DEBUG && dump
	cleanup
}

# Registers every test case of this file with ATF.
atf_init_test_cases()
{

	atf_add_test_case wg_rekey
	atf_add_test_case wg_handshake_timeout
	atf_add_test_case wg_cookie
	atf_add_test_case wg_mobility
	atf_add_test_case wg_keepalive
	atf_add_test_case wg_psk
	atf_add_test_case wg_malformed
}