| @@ -1,672 +1,672 @@ | | | @@ -1,672 +1,672 @@ |
1 | # $NetBSD: t_misc.sh,v 1.4 2020/08/29 07:22:49 tih Exp $ | | 1 | # $NetBSD: t_misc.sh,v 1.5 2020/08/31 20:32:58 riastradh Exp $ |
2 | # | | 2 | # |
3 | # Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com> | | 3 | # Copyright (c) 2018 Ryota Ozaki <ozaki.ryota@gmail.com> |
4 | # All rights reserved. | | 4 | # All rights reserved. |
5 | # | | 5 | # |
6 | # Redistribution and use in source and binary forms, with or without | | 6 | # Redistribution and use in source and binary forms, with or without |
7 | # modification, are permitted provided that the following conditions | | 7 | # modification, are permitted provided that the following conditions |
8 | # are met: | | 8 | # are met: |
9 | # 1. Redistributions of source code must retain the above copyright | | 9 | # 1. Redistributions of source code must retain the above copyright |
10 | # notice, this list of conditions and the following disclaimer. | | 10 | # notice, this list of conditions and the following disclaimer. |
11 | # 2. Redistributions in binary form must reproduce the above copyright | | 11 | # 2. Redistributions in binary form must reproduce the above copyright |
12 | # notice, this list of conditions and the following disclaimer in the | | 12 | # notice, this list of conditions and the following disclaimer in the |
13 | # documentation and/or other materials provided with the distribution. | | 13 | # documentation and/or other materials provided with the distribution. |
14 | # | | 14 | # |
15 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS | | 15 | # THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
16 | # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 16 | # ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
17 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 17 | # TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
18 | # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 18 | # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
19 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 19 | # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
20 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 20 | # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
21 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 21 | # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
22 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 22 | # INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
23 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 23 | # CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
24 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 24 | # ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
25 | # POSSIBILITY OF SUCH DAMAGE. | | 25 | # POSSIBILITY OF SUCH DAMAGE. |
26 | # | | 26 | # |
27 | | | 27 | |
28 | BUS=bus | | 28 | BUS=bus |
29 | SOCK_LOCAL=unix://wg_local | | 29 | SOCK_LOCAL=unix://wg_local |
30 | SOCK_PEER=unix://wg_peer | | 30 | SOCK_PEER=unix://wg_peer |
31 | | | 31 | |
32 | | | 32 | |
33 | atf_test_case wg_rekey cleanup | | 33 | atf_test_case wg_rekey cleanup |
34 | wg_rekey_head() | | 34 | wg_rekey_head() |
35 | { | | 35 | { |
36 | | | 36 | |
37 | atf_set "descr" "tests of rekeying of wg(4)" | | 37 | atf_set "descr" "tests of rekeying of wg(4)" |
38 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" | | 38 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" |
39 | } | | 39 | } |
40 | | | 40 | |
41 | wg_rekey_body() | | 41 | wg_rekey_body() |
42 | { | | 42 | { |
43 | local ifconfig="atf_check -s exit:0 rump.ifconfig" | | 43 | local ifconfig="atf_check -s exit:0 rump.ifconfig" |
44 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1" | | 44 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1" |
45 | local ip_local=192.168.1.1 | | 45 | local ip_local=192.168.1.1 |
46 | local ip_peer=192.168.1.2 | | 46 | local ip_peer=192.168.1.2 |
47 | local ip_wg_local=10.0.0.1 | | 47 | local ip_wg_local=10.0.0.1 |
48 | local ip_wg_peer=10.0.0.2 | | 48 | local ip_wg_peer=10.0.0.2 |
49 | local port=51820 | | 49 | local port=51820 |
50 | local rekey_after_time=3 | | 50 | local rekey_after_time=3 |
51 | local latest_handshake= | | 51 | local latest_handshake= |
52 | | | 52 | |
53 | setup_servers | | 53 | setup_servers |
54 | | | 54 | |
55 | export RUMP_SERVER=$SOCK_LOCAL | | 55 | export RUMP_SERVER=$SOCK_LOCAL |
56 | atf_check -s exit:0 -o ignore \ | | 56 | atf_check -s exit:0 -o ignore \ |
57 | rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time | | 57 | rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time |
58 | export RUMP_SERVER=$SOCK_PEER | | 58 | export RUMP_SERVER=$SOCK_PEER |
59 | atf_check -s exit:0 -o ignore \ | | 59 | atf_check -s exit:0 -o ignore \ |
60 | rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time | | 60 | rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time |
61 | | | 61 | |
62 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer | | 62 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer |
63 | generate_keys | | 63 | generate_keys |
64 | | | 64 | |
65 | export RUMP_SERVER=$SOCK_LOCAL | | 65 | export RUMP_SERVER=$SOCK_LOCAL |
66 | setup_common shmif0 inet $ip_local 24 | | 66 | setup_common shmif0 inet $ip_local 24 |
67 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" | | 67 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" |
68 | | | 68 | |
69 | export RUMP_SERVER=$SOCK_PEER | | 69 | export RUMP_SERVER=$SOCK_PEER |
70 | setup_common shmif0 inet $ip_peer 24 | | 70 | setup_common shmif0 inet $ip_peer 24 |
71 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" | | 71 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" |
72 | | | 72 | |
73 | export RUMP_SERVER=$SOCK_LOCAL | | 73 | export RUMP_SERVER=$SOCK_LOCAL |
74 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 | | 74 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 |
75 | | | 75 | |
76 | export RUMP_SERVER=$SOCK_PEER | | 76 | export RUMP_SERVER=$SOCK_PEER |
77 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 | | 77 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 |
78 | | | 78 | |
79 | export RUMP_SERVER=$SOCK_LOCAL | | 79 | export RUMP_SERVER=$SOCK_LOCAL |
80 | | | 80 | |
81 | $ping $ip_wg_peer | | 81 | $ping $ip_wg_peer |
82 | | | 82 | |
83 | latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \ | | 83 | latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \ |
84 | | awk -F ': ' '/latest-handshake/ {print $2;}') | | 84 | | awk -F ': ' '/latest-handshake/ {print $2;}') |
85 | $DEBUG && echo $latest_handshake | | 85 | $DEBUG && echo $latest_handshake |
86 | | | 86 | |
87 | sleep 1 | | 87 | sleep 1 |
88 | | | 88 | |
89 | $ping $ip_wg_peer | | 89 | $ping $ip_wg_peer |
90 | | | 90 | |
91 | # No reinitiation is performed | | 91 | # No reinitiation is performed |
92 | atf_check -s exit:0 -o match:"$latest_handshake" \ | | 92 | atf_check -s exit:0 -o match:"$latest_handshake" \ |
93 | $HIJACKING wgconfig wg0 show peer peer0 | | 93 | $HIJACKING wgconfig wg0 show peer peer0 |
94 | | | 94 | |
95 | # Wait for a reinitiation to be performed | | 95 | # Wait for a reinitiation to be performed |
96 | sleep $rekey_after_time | | 96 | sleep $rekey_after_time |
97 | | | 97 | |
98 | $ping $ip_wg_peer | | 98 | $ping $ip_wg_peer |
99 | | | 99 | |
100 | # A reinitiation should be performed | | 100 | # A reinitiation should be performed |
101 | atf_check -s exit:0 -o not-match:"$latest_handshake" \ | | 101 | atf_check -s exit:0 -o not-match:"$latest_handshake" \ |
102 | $HIJACKING wgconfig wg0 show peer peer0 | | 102 | $HIJACKING wgconfig wg0 show peer peer0 |
103 | | | 103 | |
104 | latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \ | | 104 | latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \ |
105 | | awk -F ': ' '/latest-handshake/ {print $2;}') | | 105 | | awk -F ': ' '/latest-handshake/ {print $2;}') |
106 | $DEBUG && echo $latest_handshake | | 106 | $DEBUG && echo $latest_handshake |
107 | | | 107 | |
108 | # Wait for a reinitiation to be performed again | | 108 | # Wait for a reinitiation to be performed again |
109 | sleep $rekey_after_time | | 109 | sleep $((rekey_after_time+1)) |
110 | | | 110 | |
111 | $ping $ip_wg_peer | | 111 | $ping $ip_wg_peer |
112 | | | 112 | |
113 | # A reinitiation should be performed | | 113 | # A reinitiation should be performed |
114 | atf_check -s exit:0 -o not-match:"$latest_handshake" \ | | 114 | atf_check -s exit:0 -o not-match:"$latest_handshake" \ |
115 | $HIJACKING wgconfig wg0 show peer peer0 | | 115 | $HIJACKING wgconfig wg0 show peer peer0 |
116 | | | 116 | |
117 | destroy_wg_interfaces | | 117 | destroy_wg_interfaces |
118 | } | | 118 | } |
119 | | | 119 | |
120 | wg_rekey_cleanup() | | 120 | wg_rekey_cleanup() |
121 | { | | 121 | { |
122 | | | 122 | |
123 | $DEBUG && dump | | 123 | $DEBUG && dump |
124 | cleanup | | 124 | cleanup |
125 | } | | 125 | } |
126 | | | 126 | |
127 | atf_test_case wg_handshake_timeout cleanup | | 127 | atf_test_case wg_handshake_timeout cleanup |
128 | wg_handshake_timeout_head() | | 128 | wg_handshake_timeout_head() |
129 | { | | 129 | { |
130 | | | 130 | |
131 | atf_set "descr" "tests of handshake timeout of wg(4)" | | 131 | atf_set "descr" "tests of handshake timeout of wg(4)" |
132 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" | | 132 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" |
133 | } | | 133 | } |
134 | | | 134 | |
135 | wg_handshake_timeout_body() | | 135 | wg_handshake_timeout_body() |
136 | { | | 136 | { |
137 | local ifconfig="atf_check -s exit:0 rump.ifconfig" | | 137 | local ifconfig="atf_check -s exit:0 rump.ifconfig" |
138 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1" | | 138 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1" |
139 | local ip_local=192.168.1.1 | | 139 | local ip_local=192.168.1.1 |
140 | local ip_peer=192.168.1.2 | | 140 | local ip_peer=192.168.1.2 |
141 | local ip_wg_local=10.0.0.1 | | 141 | local ip_wg_local=10.0.0.1 |
142 | local ip_wg_peer=10.0.0.2 | | 142 | local ip_wg_peer=10.0.0.2 |
143 | local port=51820 | | 143 | local port=51820 |
144 | local rekey_after_time=3 | | 144 | local rekey_after_time=3 |
145 | local outfile=./out | | 145 | local outfile=./out |
146 | local rekey_timeout=3 | | 146 | local rekey_timeout=3 |
147 | local rekey_attempt_time=8 | | 147 | local rekey_attempt_time=8 |
148 | local n= | | 148 | local n= |
149 | | | 149 | |
150 | setup_servers | | 150 | setup_servers |
151 | | | 151 | |
152 | export RUMP_SERVER=$SOCK_LOCAL | | 152 | export RUMP_SERVER=$SOCK_LOCAL |
153 | atf_check -s exit:0 -o ignore \ | | 153 | atf_check -s exit:0 -o ignore \ |
154 | rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout | | 154 | rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout |
155 | atf_check -s exit:0 -o ignore \ | | 155 | atf_check -s exit:0 -o ignore \ |
156 | rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time | | 156 | rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time |
157 | export RUMP_SERVER=$SOCK_PEER | | 157 | export RUMP_SERVER=$SOCK_PEER |
158 | atf_check -s exit:0 -o ignore \ | | 158 | atf_check -s exit:0 -o ignore \ |
159 | rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout | | 159 | rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout |
160 | atf_check -s exit:0 -o ignore \ | | 160 | atf_check -s exit:0 -o ignore \ |
161 | rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time | | 161 | rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time |
162 | | | 162 | |
163 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer | | 163 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer |
164 | generate_keys | | 164 | generate_keys |
165 | | | 165 | |
166 | export RUMP_SERVER=$SOCK_LOCAL | | 166 | export RUMP_SERVER=$SOCK_LOCAL |
167 | setup_common shmif0 inet $ip_local 24 | | 167 | setup_common shmif0 inet $ip_local 24 |
168 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" | | 168 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" |
169 | | | 169 | |
170 | export RUMP_SERVER=$SOCK_PEER | | 170 | export RUMP_SERVER=$SOCK_PEER |
171 | setup_common shmif0 inet $ip_peer 24 | | 171 | setup_common shmif0 inet $ip_peer 24 |
172 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" | | 172 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" |
173 | | | 173 | |
174 | export RUMP_SERVER=$SOCK_LOCAL | | 174 | export RUMP_SERVER=$SOCK_LOCAL |
175 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 | | 175 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 |
176 | | | 176 | |
177 | export RUMP_SERVER=$SOCK_PEER | | 177 | export RUMP_SERVER=$SOCK_PEER |
178 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 | | 178 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 |
179 | | | 179 | |
180 | # Resolve arp | | 180 | # Resolve arp |
181 | export RUMP_SERVER=$SOCK_LOCAL | | 181 | export RUMP_SERVER=$SOCK_LOCAL |
182 | $ping $ip_peer | | 182 | $ping $ip_peer |
183 | | | 183 | |
184 | export RUMP_SERVER=$SOCK_PEER | | 184 | export RUMP_SERVER=$SOCK_PEER |
185 | $ifconfig shmif0 down | | 185 | $ifconfig shmif0 down |
186 | export RUMP_SERVER=$SOCK_LOCAL | | 186 | export RUMP_SERVER=$SOCK_LOCAL |
187 | | | 187 | |
188 | extract_new_packets $BUS > $outfile | | 188 | extract_new_packets $BUS > $outfile |
189 | | | 189 | |
190 | # Should fail | | 190 | # Should fail |
191 | atf_check -s not-exit:0 -o match:'100.0% packet loss' \ | | 191 | atf_check -s not-exit:0 -o match:'100.0% packet loss' \ |
192 | rump.ping -n -c 1 -w 1 $ip_wg_peer | | 192 | rump.ping -n -c 1 -w 1 $ip_wg_peer |
193 | | | 193 | |
194 | sleep $((rekey_attempt_time + rekey_timeout)) | | 194 | sleep $((rekey_attempt_time + rekey_timeout)) |
195 | | | 195 | |
196 | extract_new_packets $BUS > $outfile | | 196 | extract_new_packets $BUS > $outfile |
197 | $DEBUG && cat $outfile | | 197 | $DEBUG && cat $outfile |
198 | | | 198 | |
199 | n=$(grep "$ip_local.$port > $ip_peer.$port" $outfile |wc -l) | | 199 | n=$(grep "$ip_local.$port > $ip_peer.$port" $outfile |wc -l) |
200 | | | 200 | |
201 | # Give up handshaking after three attempts | | 201 | # Give up handshaking after three attempts |
202 | atf_check_equal $n 3 | | 202 | atf_check_equal $n 3 |
203 | | | 203 | |
204 | export RUMP_SERVER=$SOCK_PEER | | 204 | export RUMP_SERVER=$SOCK_PEER |
205 | $ifconfig shmif0 up | | 205 | $ifconfig shmif0 up |
206 | export RUMP_SERVER=$SOCK_LOCAL | | 206 | export RUMP_SERVER=$SOCK_LOCAL |
207 | | | 207 | |
208 | destroy_wg_interfaces | | 208 | destroy_wg_interfaces |
209 | } | | 209 | } |
210 | | | 210 | |
211 | wg_handshake_timeout_cleanup() | | 211 | wg_handshake_timeout_cleanup() |
212 | { | | 212 | { |
213 | | | 213 | |
214 | $DEBUG && dump | | 214 | $DEBUG && dump |
215 | cleanup | | 215 | cleanup |
216 | } | | 216 | } |
217 | | | 217 | |
218 | atf_test_case wg_cookie cleanup | | 218 | atf_test_case wg_cookie cleanup |
219 | wg_cookie_head() | | 219 | wg_cookie_head() |
220 | { | | 220 | { |
221 | | | 221 | |
222 | atf_set "descr" "tests of cookie messages of the wg(4) protocol" | | 222 | atf_set "descr" "tests of cookie messages of the wg(4) protocol" |
223 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" | | 223 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" |
224 | } | | 224 | } |
225 | | | 225 | |
226 | wg_cookie_body() | | 226 | wg_cookie_body() |
227 | { | | 227 | { |
228 | local ifconfig="atf_check -s exit:0 rump.ifconfig" | | 228 | local ifconfig="atf_check -s exit:0 rump.ifconfig" |
229 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1" | | 229 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1" |
230 | local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1" | | 230 | local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1" |
231 | local ip_local=192.168.1.1 | | 231 | local ip_local=192.168.1.1 |
232 | local ip_peer=192.168.1.2 | | 232 | local ip_peer=192.168.1.2 |
233 | local ip_wg_local=10.0.0.1 | | 233 | local ip_wg_local=10.0.0.1 |
234 | local ip_wg_peer=10.0.0.2 | | 234 | local ip_wg_peer=10.0.0.2 |
235 | local port=51820 | | 235 | local port=51820 |
236 | local outfile=./out | | 236 | local outfile=./out |
237 | local rekey_timeout=5 | | 237 | local rekey_timeout=5 |
238 | | | 238 | |
239 | setup_servers | | 239 | setup_servers |
240 | | | 240 | |
241 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer | | 241 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer |
242 | generate_keys | | 242 | generate_keys |
243 | | | 243 | |
244 | export RUMP_SERVER=$SOCK_LOCAL | | 244 | export RUMP_SERVER=$SOCK_LOCAL |
245 | setup_common shmif0 inet $ip_local 24 | | 245 | setup_common shmif0 inet $ip_local 24 |
246 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" | | 246 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" |
247 | | | 247 | |
248 | export RUMP_SERVER=$SOCK_PEER | | 248 | export RUMP_SERVER=$SOCK_PEER |
249 | setup_common shmif0 inet $ip_peer 24 | | 249 | setup_common shmif0 inet $ip_peer 24 |
250 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" | | 250 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" |
251 | | | 251 | |
252 | export RUMP_SERVER=$SOCK_LOCAL | | 252 | export RUMP_SERVER=$SOCK_LOCAL |
253 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 | | 253 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 |
254 | | | 254 | |
255 | export RUMP_SERVER=$SOCK_PEER | | 255 | export RUMP_SERVER=$SOCK_PEER |
256 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 | | 256 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 |
257 | | | 257 | |
258 | export RUMP_SERVER=$SOCK_PEER | | 258 | export RUMP_SERVER=$SOCK_PEER |
259 | # Emulate load on the peer | | 259 | # Emulate load on the peer |
260 | atf_check -s exit:0 -o ignore \ | | 260 | atf_check -s exit:0 -o ignore \ |
261 | rump.sysctl -w net.wg.force_underload=1 | | 261 | rump.sysctl -w net.wg.force_underload=1 |
262 | | | 262 | |
263 | export RUMP_SERVER=$SOCK_LOCAL | | 263 | export RUMP_SERVER=$SOCK_LOCAL |
264 | | | 264 | |
265 | extract_new_packets $BUS > $outfile | | 265 | extract_new_packets $BUS > $outfile |
266 | $DEBUG && cat $outfile | | 266 | $DEBUG && cat $outfile |
267 | | | 267 | |
268 | # The peer doesn't return a response message but a cookie message | | 268 | # The peer doesn't return a response message but a cookie message |
269 | # and a session doesn't start | | 269 | # and a session doesn't start |
270 | $ping_fail $ip_wg_peer | | 270 | $ping_fail $ip_wg_peer |
271 | | | 271 | |
272 | extract_new_packets $BUS > $outfile | | 272 | extract_new_packets $BUS > $outfile |
273 | $DEBUG && cat $outfile | | 273 | $DEBUG && cat $outfile |
274 | # XXX length 64 indicates the message is a cookie message | | 274 | # XXX length 64 indicates the message is a cookie message |
275 | atf_check -s exit:0 \ | | 275 | atf_check -s exit:0 \ |
276 | -o match:"$ip_peer.$port > $ip_local.$port: UDP, length 64" \ | | 276 | -o match:"$ip_peer.$port > $ip_local.$port: UDP, length 64" \ |
277 | cat $outfile | | 277 | cat $outfile |
278 | | | 278 | |
279 | $DEBUG && $HIJACKING wgconfig wg0 show all | | 279 | $DEBUG && $HIJACKING wgconfig wg0 show all |
280 | atf_check -s exit:0 -o match:"latest-handshake: \(never\)" \ | | 280 | atf_check -s exit:0 -o match:"latest-handshake: \(never\)" \ |
281 | $HIJACKING wgconfig wg0 | | 281 | $HIJACKING wgconfig wg0 |
282 | | | 282 | |
283 | # Wait for restarting a session | | 283 | # Wait for restarting a session |
284 | sleep $rekey_timeout | | 284 | sleep $rekey_timeout |
285 | | | 285 | |
286 | # The second attempt should be success because the init message has | | 286 | # The second attempt should be success because the init message has |
287 | # a valid cookie. | | 287 | # a valid cookie. |
288 | $ping $ip_wg_peer | | 288 | $ping $ip_wg_peer |
289 | | | 289 | |
290 | $DEBUG && $HIJACKING wgconfig wg0 show all | | 290 | $DEBUG && $HIJACKING wgconfig wg0 show all |
291 | atf_check -s exit:0 -o not-match:"latest-handshake: \(never\)" \ | | 291 | atf_check -s exit:0 -o not-match:"latest-handshake: \(never\)" \ |
292 | $HIJACKING wgconfig wg0 | | 292 | $HIJACKING wgconfig wg0 |
293 | | | 293 | |
294 | destroy_wg_interfaces | | 294 | destroy_wg_interfaces |
295 | } | | 295 | } |
296 | | | 296 | |
297 | wg_cookie_cleanup() | | 297 | wg_cookie_cleanup() |
298 | { | | 298 | { |
299 | | | 299 | |
300 | $DEBUG && dump | | 300 | $DEBUG && dump |
301 | cleanup | | 301 | cleanup |
302 | } | | 302 | } |
303 | | | 303 | |
304 | atf_test_case wg_mobility cleanup | | 304 | atf_test_case wg_mobility cleanup |
305 | wg_mobility_head() | | 305 | wg_mobility_head() |
306 | { | | 306 | { |
307 | | | 307 | |
308 | atf_set "descr" "tests of the mobility of wg(4)" | | 308 | atf_set "descr" "tests of the mobility of wg(4)" |
309 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" | | 309 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" |
310 | } | | 310 | } |
311 | | | 311 | |
312 | wg_mobility_body() | | 312 | wg_mobility_body() |
313 | { | | 313 | { |
314 | local ifconfig="atf_check -s exit:0 rump.ifconfig" | | 314 | local ifconfig="atf_check -s exit:0 rump.ifconfig" |
315 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1" | | 315 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1" |
316 | local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1" | | 316 | local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1" |
317 | local ip_local=192.168.1.1 | | 317 | local ip_local=192.168.1.1 |
318 | local ip_peer=192.168.1.2 | | 318 | local ip_peer=192.168.1.2 |
319 | local ip_peer_new=192.168.1.3 | | 319 | local ip_peer_new=192.168.1.3 |
320 | local ip_wg_local=10.0.0.1 | | 320 | local ip_wg_local=10.0.0.1 |
321 | local ip_wg_peer=10.0.0.2 | | 321 | local ip_wg_peer=10.0.0.2 |
322 | local port=51820 | | 322 | local port=51820 |
323 | local outfile=./out | | 323 | local outfile=./out |
324 | | | 324 | |
325 | setup_servers | | 325 | setup_servers |
326 | | | 326 | |
327 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer | | 327 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer |
328 | generate_keys | | 328 | generate_keys |
329 | | | 329 | |
330 | export RUMP_SERVER=$SOCK_LOCAL | | 330 | export RUMP_SERVER=$SOCK_LOCAL |
331 | setup_common shmif0 inet $ip_local 24 | | 331 | setup_common shmif0 inet $ip_local 24 |
332 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" | | 332 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" |
333 | | | 333 | |
334 | export RUMP_SERVER=$SOCK_PEER | | 334 | export RUMP_SERVER=$SOCK_PEER |
335 | setup_common shmif0 inet $ip_peer 24 | | 335 | setup_common shmif0 inet $ip_peer 24 |
336 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" | | 336 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" |
337 | | | 337 | |
338 | export RUMP_SERVER=$SOCK_LOCAL | | 338 | export RUMP_SERVER=$SOCK_LOCAL |
339 | # Initially, the local doesn't know the endpoint of the peer | | 339 | # Initially, the local doesn't know the endpoint of the peer |
340 | add_peer wg0 peer0 $key_pub_peer "" $ip_wg_peer/32 | | 340 | add_peer wg0 peer0 $key_pub_peer "" $ip_wg_peer/32 |
341 | | | 341 | |
342 | export RUMP_SERVER=$SOCK_PEER | | 342 | export RUMP_SERVER=$SOCK_PEER |
343 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 | | 343 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 |
344 | | | 344 | |
345 | extract_new_packets $BUS > $outfile | | 345 | extract_new_packets $BUS > $outfile |
346 | $DEBUG && cat $outfile | | 346 | $DEBUG && cat $outfile |
347 | | | 347 | |
348 | # Ping from the local to the peer doesn't work because the local | | 348 | # Ping from the local to the peer doesn't work because the local |
349 | # doesn't know the endpoint of the peer | | 349 | # doesn't know the endpoint of the peer |
350 | export RUMP_SERVER=$SOCK_LOCAL | | 350 | export RUMP_SERVER=$SOCK_LOCAL |
351 | $ping_fail $ip_wg_peer | | 351 | $ping_fail $ip_wg_peer |
352 | | | 352 | |
353 | extract_new_packets $BUS > $outfile | | 353 | extract_new_packets $BUS > $outfile |
354 | $DEBUG && cat $outfile | | 354 | $DEBUG && cat $outfile |
355 | | | 355 | |
356 | export RUMP_SERVER=$SOCK_PEER | | 356 | export RUMP_SERVER=$SOCK_PEER |
357 | $ping $ip_wg_local | | 357 | $ping $ip_wg_local |
358 | | | 358 | |
359 | extract_new_packets $BUS > $outfile | | 359 | extract_new_packets $BUS > $outfile |
360 | $DEBUG && cat $outfile | | 360 | $DEBUG && cat $outfile |
361 | | | 361 | |
362 | atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer.$port" cat $outfile | | 362 | atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer.$port" cat $outfile |
363 | | | 363 | |
364 | # Change the IP address of the peer | | 364 | # Change the IP address of the peer |
365 | setup_common shmif0 inet $ip_peer_new 24 | | 365 | setup_common shmif0 inet $ip_peer_new 24 |
366 | atf_check -s exit:0 rump.ifconfig -w 10 | | 366 | atf_check -s exit:0 rump.ifconfig -w 10 |
367 | | | 367 | |
368 | # Ping from the local to the peer doesn't work because the local | | 368 | # Ping from the local to the peer doesn't work because the local |
369 | # doesn't know the change of the IP address of the peer | | 369 | # doesn't know the change of the IP address of the peer |
370 | export RUMP_SERVER=$SOCK_LOCAL | | 370 | export RUMP_SERVER=$SOCK_LOCAL |
371 | $ping_fail $ip_wg_peer | | 371 | $ping_fail $ip_wg_peer |
372 | | | 372 | |
373 | extract_new_packets $BUS > $outfile | | 373 | extract_new_packets $BUS > $outfile |
374 | $DEBUG && cat $outfile | | 374 | $DEBUG && cat $outfile |
375 | | | 375 | |
376 | atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer.$port" cat $outfile | | 376 | atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer.$port" cat $outfile |
377 | | | 377 | |
378 | # Ping from the peer to the local works because the local notices | | 378 | # Ping from the peer to the local works because the local notices |
379 | # the change and updates the IP address of the peer | | 379 | # the change and updates the IP address of the peer |
380 | export RUMP_SERVER=$SOCK_PEER | | 380 | export RUMP_SERVER=$SOCK_PEER |
381 | $ping $ip_wg_local | | 381 | $ping $ip_wg_local |
382 | | | 382 | |
383 | extract_new_packets $BUS > $outfile | | 383 | extract_new_packets $BUS > $outfile |
384 | $DEBUG && cat $outfile | | 384 | $DEBUG && cat $outfile |
385 | | | 385 | |
386 | atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer_new.$port" cat $outfile | | 386 | atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer_new.$port" cat $outfile |
387 | atf_check -s exit:0 -o match:"$ip_peer_new.$port > $ip_local.$port" cat $outfile | | 387 | atf_check -s exit:0 -o match:"$ip_peer_new.$port > $ip_local.$port" cat $outfile |
388 | atf_check -s exit:0 -o not-match:"$ip_local.$port > $ip_peer.$port" cat $outfile | | 388 | atf_check -s exit:0 -o not-match:"$ip_local.$port > $ip_peer.$port" cat $outfile |
389 | | | 389 | |
390 | destroy_wg_interfaces | | 390 | destroy_wg_interfaces |
391 | } | | 391 | } |
392 | | | 392 | |
393 | wg_mobility_cleanup() | | 393 | wg_mobility_cleanup() |
394 | { | | 394 | { |
395 | | | 395 | |
396 | $DEBUG && dump | | 396 | $DEBUG && dump |
397 | cleanup | | 397 | cleanup |
398 | } | | 398 | } |
399 | | | 399 | |
400 | atf_test_case wg_keepalive cleanup | | 400 | atf_test_case wg_keepalive cleanup |
401 | wg_keepalive_head() | | 401 | wg_keepalive_head() |
402 | { | | 402 | { |
403 | | | 403 | |
404 | atf_set "descr" "tests keepalive messages" | | 404 | atf_set "descr" "tests keepalive messages" |
405 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" | | 405 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" |
406 | } | | 406 | } |
407 | | | 407 | |
408 | wg_keepalive_body() | | 408 | wg_keepalive_body() |
409 | { | | 409 | { |
410 | local ifconfig="atf_check -s exit:0 rump.ifconfig" | | 410 | local ifconfig="atf_check -s exit:0 rump.ifconfig" |
411 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1" | | 411 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1" |
412 | local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1" | | 412 | local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1" |
413 | local ip_local=192.168.1.1 | | 413 | local ip_local=192.168.1.1 |
414 | local ip_peer=192.168.1.2 | | 414 | local ip_peer=192.168.1.2 |
415 | local ip_peer_new=192.168.1.3 | | 415 | local ip_peer_new=192.168.1.3 |
416 | local ip_wg_local=10.0.0.1 | | 416 | local ip_wg_local=10.0.0.1 |
417 | local ip_wg_peer=10.0.0.2 | | 417 | local ip_wg_peer=10.0.0.2 |
418 | local port=51820 | | 418 | local port=51820 |
419 | local outfile=./out | | 419 | local outfile=./out |
420 | local keepalive_timeout=3 | | 420 | local keepalive_timeout=3 |
421 | | | 421 | |
422 | setup_servers | | 422 | setup_servers |
423 | | | 423 | |
424 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer | | 424 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer |
425 | generate_keys | | 425 | generate_keys |
426 | | | 426 | |
427 | export RUMP_SERVER=$SOCK_LOCAL | | 427 | export RUMP_SERVER=$SOCK_LOCAL |
428 | setup_common shmif0 inet $ip_local 24 | | 428 | setup_common shmif0 inet $ip_local 24 |
429 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" | | 429 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" |
430 | | | 430 | |
431 | export RUMP_SERVER=$SOCK_PEER | | 431 | export RUMP_SERVER=$SOCK_PEER |
432 | setup_common shmif0 inet $ip_peer 24 | | 432 | setup_common shmif0 inet $ip_peer 24 |
433 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" | | 433 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" |
434 | | | 434 | |
435 | export RUMP_SERVER=$SOCK_LOCAL | | 435 | export RUMP_SERVER=$SOCK_LOCAL |
436 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 | | 436 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 |
437 | | | 437 | |
438 | export RUMP_SERVER=$SOCK_PEER | | 438 | export RUMP_SERVER=$SOCK_PEER |
439 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 | | 439 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 |
440 | | | 440 | |
441 | # Shorten keepalive_timeout of the peer | | 441 | # Shorten keepalive_timeout of the peer |
442 | atf_check -s exit:0 -o ignore \ | | 442 | atf_check -s exit:0 -o ignore \ |
443 | rump.sysctl -w net.wg.keepalive_timeout=$keepalive_timeout | | 443 | rump.sysctl -w net.wg.keepalive_timeout=$keepalive_timeout |
444 | | | 444 | |
445 | export RUMP_SERVER=$SOCK_LOCAL | | 445 | export RUMP_SERVER=$SOCK_LOCAL |
446 | | | 446 | |
447 | extract_new_packets $BUS > $outfile | | 447 | extract_new_packets $BUS > $outfile |
448 | $DEBUG && cat $outfile | | 448 | $DEBUG && cat $outfile |
449 | | | 449 | |
450 | $ping $ip_wg_peer | | 450 | $ping $ip_wg_peer |
451 | | | 451 | |
452 | extract_new_packets $BUS > $outfile | | 452 | extract_new_packets $BUS > $outfile |
453 | $DEBUG && cat $outfile | | 453 | $DEBUG && cat $outfile |
454 | | | 454 | |
455 | sleep $((keepalive_timeout + 1)) | | 455 | sleep $((keepalive_timeout + 1)) |
456 | | | 456 | |
457 | $ping $ip_wg_peer | | 457 | $ping $ip_wg_peer |
458 | | | 458 | |
459 | extract_new_packets $BUS > $outfile | | 459 | extract_new_packets $BUS > $outfile |
460 | $DEBUG && cat $outfile | | 460 | $DEBUG && cat $outfile |
461 | | | 461 | |
462 | # XXX length 32 indicates the message is a keepalive (empty) message | | 462 | # XXX length 32 indicates the message is a keepalive (empty) message |
463 | atf_check -s exit:0 -o match:"$ip_peer.$port > $ip_local.$port: UDP, length 32" \ | | 463 | atf_check -s exit:0 -o match:"$ip_peer.$port > $ip_local.$port: UDP, length 32" \ |
464 | cat $outfile | | 464 | cat $outfile |
465 | | | 465 | |
466 | destroy_wg_interfaces | | 466 | destroy_wg_interfaces |
467 | } | | 467 | } |
468 | | | 468 | |
469 | wg_keepalive_cleanup() | | 469 | wg_keepalive_cleanup() |
470 | { | | 470 | { |
471 | | | 471 | |
472 | $DEBUG && dump | | 472 | $DEBUG && dump |
473 | cleanup | | 473 | cleanup |
474 | } | | 474 | } |
475 | | | 475 | |
476 | atf_test_case wg_psk cleanup | | 476 | atf_test_case wg_psk cleanup |
477 | wg_psk_head() | | 477 | wg_psk_head() |
478 | { | | 478 | { |
479 | | | 479 | |
480 | atf_set "descr" "tests preshared-key" | | 480 | atf_set "descr" "tests preshared-key" |
481 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" | | 481 | atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen" |
482 | } | | 482 | } |
483 | | | 483 | |
484 | test_psk_common() | | 484 | test_psk_common() |
485 | { | | 485 | { |
486 | } | | 486 | } |
487 | | | 487 | |
488 | wg_psk_body() | | 488 | wg_psk_body() |
489 | { | | 489 | { |
490 | local ifconfig="atf_check -s exit:0 rump.ifconfig" | | 490 | local ifconfig="atf_check -s exit:0 rump.ifconfig" |
491 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1" | | 491 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1" |
492 | local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1" | | 492 | local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1" |
493 | local ip_local=192.168.1.1 | | 493 | local ip_local=192.168.1.1 |
494 | local ip_peer=192.168.1.2 | | 494 | local ip_peer=192.168.1.2 |
495 | local ip_peer_new=192.168.1.3 | | 495 | local ip_peer_new=192.168.1.3 |
496 | local ip_wg_local=10.0.0.1 | | 496 | local ip_wg_local=10.0.0.1 |
497 | local ip_wg_peer=10.0.0.2 | | 497 | local ip_wg_peer=10.0.0.2 |
498 | local port=51820 | | 498 | local port=51820 |
499 | local outfile=./out | | 499 | local outfile=./out |
500 | local pskfile=./psk | | 500 | local pskfile=./psk |
501 | local rekey_after_time=3 | | 501 | local rekey_after_time=3 |
502 | | | 502 | |
503 | setup_servers | | 503 | setup_servers |
504 | | | 504 | |
505 | export RUMP_SERVER=$SOCK_LOCAL | | 505 | export RUMP_SERVER=$SOCK_LOCAL |
506 | atf_check -s exit:0 -o ignore \ | | 506 | atf_check -s exit:0 -o ignore \ |
507 | rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time | | 507 | rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time |
508 | export RUMP_SERVER=$SOCK_PEER | | 508 | export RUMP_SERVER=$SOCK_PEER |
509 | atf_check -s exit:0 -o ignore \ | | 509 | atf_check -s exit:0 -o ignore \ |
510 | rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time | | 510 | rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time |
511 | | | 511 | |
512 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer | | 512 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer |
513 | generate_keys | | 513 | generate_keys |
514 | key_psk=$(wg-keygen --psk) | | 514 | key_psk=$(wg-keygen --psk) |
515 | $DEBUG && echo $key_psk | | 515 | $DEBUG && echo $key_psk |
516 | | | 516 | |
517 | export RUMP_SERVER=$SOCK_LOCAL | | 517 | export RUMP_SERVER=$SOCK_LOCAL |
518 | setup_common shmif0 inet $ip_local 24 | | 518 | setup_common shmif0 inet $ip_local 24 |
519 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" | | 519 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" |
520 | | | 520 | |
521 | export RUMP_SERVER=$SOCK_PEER | | 521 | export RUMP_SERVER=$SOCK_PEER |
522 | setup_common shmif0 inet $ip_peer 24 | | 522 | setup_common shmif0 inet $ip_peer 24 |
523 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" | | 523 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" |
524 | | | 524 | |
525 | echo "$key_psk" > $pskfile | | 525 | echo "$key_psk" > $pskfile |
526 | | | 526 | |
527 | export RUMP_SERVER=$SOCK_LOCAL | | 527 | export RUMP_SERVER=$SOCK_LOCAL |
528 | | | 528 | |
529 | # The local always has the preshared key | | 529 | # The local always has the preshared key |
530 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 \ | | 530 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 \ |
531 | $pskfile "$key_psk" | | 531 | $pskfile "$key_psk" |
532 | | | 532 | |
533 | export RUMP_SERVER=$SOCK_PEER | | 533 | export RUMP_SERVER=$SOCK_PEER |
534 | | | 534 | |
535 | # First, try the peer without the preshared key | | 535 | # First, try the peer without the preshared key |
536 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 | | 536 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 |
537 | | | 537 | |
538 | export RUMP_SERVER=$SOCK_LOCAL | | 538 | export RUMP_SERVER=$SOCK_LOCAL |
539 | | | 539 | |
540 | extract_new_packets $BUS > $outfile | | 540 | extract_new_packets $BUS > $outfile |
541 | $DEBUG && cat $outfile | | 541 | $DEBUG && cat $outfile |
542 | | | 542 | |
543 | $ping_fail $ip_wg_peer | | 543 | $ping_fail $ip_wg_peer |
544 | | | 544 | |
545 | extract_new_packets $BUS > $outfile | | 545 | extract_new_packets $BUS > $outfile |
546 | $DEBUG && cat $outfile | | 546 | $DEBUG && cat $outfile |
547 | | | 547 | |
548 | # Next, try with the preshared key | | 548 | # Next, try with the preshared key |
549 | export RUMP_SERVER=$SOCK_PEER | | 549 | export RUMP_SERVER=$SOCK_PEER |
550 | delete_peer wg0 peer0 | | 550 | delete_peer wg0 peer0 |
551 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 \ | | 551 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 \ |
552 | $pskfile "$key_psk" | | 552 | $pskfile "$key_psk" |
553 | | | 553 | |
554 | # Need a rekey | | 554 | # Need a rekey |
555 | atf_check -s exit:0 sleep $((rekey_after_time + 1)) | | 555 | atf_check -s exit:0 sleep $((rekey_after_time + 1)) |
556 | | | 556 | |
557 | export RUMP_SERVER=$SOCK_LOCAL | | 557 | export RUMP_SERVER=$SOCK_LOCAL |
558 | | | 558 | |
559 | extract_new_packets $BUS > $outfile | | 559 | extract_new_packets $BUS > $outfile |
560 | $DEBUG && cat $outfile | | 560 | $DEBUG && cat $outfile |
561 | | | 561 | |
562 | $ping $ip_wg_peer | | 562 | $ping $ip_wg_peer |
563 | | | 563 | |
564 | extract_new_packets $BUS > $outfile | | 564 | extract_new_packets $BUS > $outfile |
565 | $DEBUG && cat $outfile | | 565 | $DEBUG && cat $outfile |
566 | | | 566 | |
567 | # Then, try again without the preshared key just in case | | 567 | # Then, try again without the preshared key just in case |
568 | export RUMP_SERVER=$SOCK_PEER | | 568 | export RUMP_SERVER=$SOCK_PEER |
569 | delete_peer wg0 peer0 | | 569 | delete_peer wg0 peer0 |
570 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 | | 570 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 |
571 | | | 571 | |
572 | # Need a rekey | | 572 | # Need a rekey |
573 | atf_check -s exit:0 sleep $((rekey_after_time + 1)) | | 573 | atf_check -s exit:0 sleep $((rekey_after_time + 1)) |
574 | | | 574 | |
575 | export RUMP_SERVER=$SOCK_LOCAL | | 575 | export RUMP_SERVER=$SOCK_LOCAL |
576 | $ping_fail $ip_wg_peer | | 576 | $ping_fail $ip_wg_peer |
577 | | | 577 | |
578 | rm -f $pskfile | | 578 | rm -f $pskfile |
579 | | | 579 | |
580 | destroy_wg_interfaces | | 580 | destroy_wg_interfaces |
581 | } | | 581 | } |
582 | | | 582 | |
583 | wg_psk_cleanup() | | 583 | wg_psk_cleanup() |
584 | { | | 584 | { |
585 | | | 585 | |
586 | $DEBUG && dump | | 586 | $DEBUG && dump |
587 | cleanup | | 587 | cleanup |
588 | } | | 588 | } |
589 | | | 589 | |
590 | atf_test_case wg_malformed cleanup | | 590 | atf_test_case wg_malformed cleanup |
591 | wg_malformed_head() | | 591 | wg_malformed_head() |
592 | { | | 592 | { |
593 | | | 593 | |
594 | atf_set "descr" "tests malformed packet headers" | | 594 | atf_set "descr" "tests malformed packet headers" |
595 | atf_set "require.progs" "nc" "rump_server" "wgconfig" "wg-keygen" | | 595 | atf_set "require.progs" "nc" "rump_server" "wgconfig" "wg-keygen" |
596 | atf_set "timeout" "10" | | 596 | atf_set "timeout" "10" |
597 | } | | 597 | } |
598 | | | 598 | |
599 | wg_malformed_body() | | 599 | wg_malformed_body() |
600 | { | | 600 | { |
601 | local ifconfig="atf_check -s exit:0 rump.ifconfig" | | 601 | local ifconfig="atf_check -s exit:0 rump.ifconfig" |
602 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1" | | 602 | local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1" |
603 | local ip_local=192.168.1.1 | | 603 | local ip_local=192.168.1.1 |
604 | local ip_peer=192.168.1.2 | | 604 | local ip_peer=192.168.1.2 |
605 | local ip_wg_local=10.0.0.1 | | 605 | local ip_wg_local=10.0.0.1 |
606 | local ip_wg_peer=10.0.0.2 | | 606 | local ip_wg_peer=10.0.0.2 |
607 | local port=51820 | | 607 | local port=51820 |
608 | setup_servers | | 608 | setup_servers |
609 | | | 609 | |
610 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer | | 610 | # It sets key_priv_local key_pub_local key_priv_peer key_pub_peer |
611 | generate_keys | | 611 | generate_keys |
612 | | | 612 | |
613 | export RUMP_SERVER=$SOCK_LOCAL | | 613 | export RUMP_SERVER=$SOCK_LOCAL |
614 | setup_common shmif0 inet $ip_local 24 | | 614 | setup_common shmif0 inet $ip_local 24 |
615 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" | | 615 | setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local" |
616 | | | 616 | |
617 | export RUMP_SERVER=$SOCK_PEER | | 617 | export RUMP_SERVER=$SOCK_PEER |
618 | setup_common shmif0 inet $ip_peer 24 | | 618 | setup_common shmif0 inet $ip_peer 24 |
619 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" | | 619 | setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer" |
620 | | | 620 | |
621 | export RUMP_SERVER=$SOCK_LOCAL | | 621 | export RUMP_SERVER=$SOCK_LOCAL |
622 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 | | 622 | add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 |
623 | | | 623 | |
624 | export RUMP_SERVER=$SOCK_PEER | | 624 | export RUMP_SERVER=$SOCK_PEER |
625 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 | | 625 | add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 |
626 | | | 626 | |
627 | export RUMP_SERVER=$SOCK_LOCAL | | 627 | export RUMP_SERVER=$SOCK_LOCAL |
628 | | | 628 | |
629 | $ping $ip_wg_peer | | 629 | $ping $ip_wg_peer |
630 | | | 630 | |
631 | printf 'send malformed packets\n' | | 631 | printf 'send malformed packets\n' |
632 | | | 632 | |
633 | $HIJACKING ping -c 1 -n $ip_peer | | 633 | $HIJACKING ping -c 1 -n $ip_peer |
634 | | | 634 | |
635 | printf 'x' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 635 | printf 'x' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
636 | printf 'xy' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 636 | printf 'xy' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
637 | printf 'xyz' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 637 | printf 'xyz' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
638 | printf 'xyzw' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 638 | printf 'xyzw' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
639 | printf '\x00\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 639 | printf '\x00\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
640 | printf '\x00\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 640 | printf '\x00\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
641 | printf '\x01\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 641 | printf '\x01\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
642 | printf '\x01\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 642 | printf '\x01\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
643 | printf '\x02\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 643 | printf '\x02\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
644 | printf '\x02\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 644 | printf '\x02\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
645 | printf '\x03\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 645 | printf '\x03\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
646 | printf '\x03\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 646 | printf '\x03\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
647 | printf '\x04\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 647 | printf '\x04\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
648 | printf '\x04\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port | | 648 | printf '\x04\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port |
649 | | | 649 | |
650 | printf 'done sending malformed packets\n' | | 650 | printf 'done sending malformed packets\n' |
651 | | | 651 | |
652 | $ping $ip_wg_peer | | 652 | $ping $ip_wg_peer |
653 | } | | 653 | } |
654 | | | 654 | |
655 | wg_malformed_cleanup() | | 655 | wg_malformed_cleanup() |
656 | { | | 656 | { |
657 | | | 657 | |
658 | $DEBUG && dump | | 658 | $DEBUG && dump |
659 | cleanup | | 659 | cleanup |
660 | } | | 660 | } |
661 | | | 661 | |
662 | atf_init_test_cases() | | 662 | atf_init_test_cases() |
663 | { | | 663 | { |
664 | | | 664 | |
665 | atf_add_test_case wg_rekey | | 665 | atf_add_test_case wg_rekey |
666 | atf_add_test_case wg_handshake_timeout | | 666 | atf_add_test_case wg_handshake_timeout |
667 | atf_add_test_case wg_cookie | | 667 | atf_add_test_case wg_cookie |
668 | atf_add_test_case wg_mobility | | 668 | atf_add_test_case wg_mobility |
669 | atf_add_test_case wg_keepalive | | 669 | atf_add_test_case wg_keepalive |
670 | atf_add_test_case wg_psk | | 670 | atf_add_test_case wg_psk |
671 | atf_add_test_case wg_malformed | | 671 | atf_add_test_case wg_malformed |
672 | } | | 672 | } |