#	$NetBSD: t_misc.sh,v 1.16 2024/08/26 17:52:46 riastradh Exp $
#
# Copyright (c) 2018 Ryota Ozaki <ozaki.ryota (at] gmail.com>
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
# ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
# TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
# CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
# POSSIBILITY OF SUCH DAMAGE.
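#

# ATF test cases for miscellaneous wg(4) behaviour: rekeying, handshake
# timeout, cookie messages, endpoint mobility, keepalives, preshared keys
# and handling of malformed packets.
#
# Every test runs two rump kernels ("local" and "peer") attached to one
# shared bus and switches between them by re-exporting RUMP_SERVER.
#
# Not defined in this file (expected to come from the shared test helper
# scripts this file is combined with): DEBUG, HIJACKING, setup_servers,
# generate_keys, setup_common, setup_wg_common, add_peer, delete_peer,
# extract_new_packets, destroy_wg_interfaces, dump, cleanup.

BUS=bus
SOCK_LOCAL=unix://wg_local
SOCK_PEER=unix://wg_peer


atf_test_case wg_rekey cleanup
wg_rekey_head()
{

	atf_set "descr" "tests of rekeying of wg(4)"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Verify that a session is re-keyed once net.wg.rekey_after_time has
# elapsed, and not earlier.  The "latest-handshake" value reported by
# wgconfig is used as the indicator: it has to stay the same before the
# timer expires and differ afterwards.
wg_rekey_body()
{
	# Command prefixes; they are expanded unquoted on purpose so that
	# the string splits into the command and its arguments.
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local rekey_after_time=3
	local latest_handshake=

	setup_servers

	# Shorten the rekey timer on both ends so the test finishes quickly.
	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
	$DEBUG && atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.debug=-1
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
	$DEBUG && atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.debug=-1

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_LOCAL

	# The timestamps are printed to make timing problems visible in the
	# test log.
	echo ping1time=$(date)
	$ping $ip_wg_peer

	latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \
	    | awk -F ': ' '/latest-handshake/ {print $2;}')
	$DEBUG && echo handshake1=$latest_handshake

	sleep 1

	echo ping2time=$(date)
	$ping $ip_wg_peer

	# No reinitiation is performed
	atf_check -s exit:0 -o match:"$latest_handshake" \
	    $HIJACKING wgconfig wg0 show peer peer0

	# Wait for a reinitiation to be performed
	sleep $rekey_after_time

	echo ping3time=$(date)
	$ping $ip_wg_peer

	# A reinitiation should be performed
	atf_check -s exit:0 -o not-match:"$latest_handshake" \
	    $HIJACKING wgconfig wg0 show peer peer0

	latest_handshake=$($HIJACKING wgconfig wg0 show peer peer0 \
	    | awk -F ': ' '/latest-handshake/ {print $2;}')
	$DEBUG && echo handshake2=$latest_handshake

	# Wait for a reinitiation to be performed again
	sleep $((rekey_after_time+1))

	echo ping4time=$(date)
	$ping $ip_wg_peer

	# A reinitiation should be performed
	atf_check -s exit:0 -o not-match:"$latest_handshake" \
	    $HIJACKING wgconfig wg0 show peer peer0

	destroy_wg_interfaces
}

wg_rekey_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_handshake_timeout cleanup
wg_handshake_timeout_head()
{

	atf_set "descr" "tests of handshake timeout of wg(4)"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Verify that the initiator stops retrying a handshake when the peer is
# unreachable: with the peer's underlying interface down, exactly three
# packets from the local endpoint to the peer endpoint must appear on the
# bus within rekey_attempt_time + rekey_timeout seconds.
wg_handshake_timeout_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out
	local rekey_timeout=4
	local rekey_attempt_time=10
	local n=

	setup_servers

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_timeout=$rekey_timeout
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_attempt_time=$rekey_attempt_time

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	# Resolve arp
	export RUMP_SERVER=$SOCK_LOCAL
	$ping $ip_peer

	# Make the peer unreachable so that no handshake can complete.
	export RUMP_SERVER=$SOCK_PEER
	$ifconfig shmif0 down
	export RUMP_SERVER=$SOCK_LOCAL

	# Drain what has been captured so far; only packets sent from here
	# on are counted below.
	extract_new_packets $BUS > "$outfile"

	# Should fail
	atf_check -s not-exit:0 -o match:'100.0% packet loss' \
	    rump.ping -n -c 1 -w 1 $ip_wg_peer

	sleep $((rekey_attempt_time + rekey_timeout))

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# $n is left unquoted below because wc(1) may pad its output with
	# blanks.
	n=$(grep "$ip_local.$port > $ip_peer.$port" "$outfile" |wc -l)

	# Give up handshaking after three attempts
	atf_check_equal $n 3

	export RUMP_SERVER=$SOCK_PEER
	$ifconfig shmif0 up
	export RUMP_SERVER=$SOCK_LOCAL

	destroy_wg_interfaces
}

wg_handshake_timeout_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_cookie cleanup
wg_cookie_head()
{

	atf_set "descr" "tests of cookie messages of the wg(4) protocol"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Verify the cookie mechanism: a peer that considers itself under load
# answers a handshake initiation with a cookie message instead of a
# response, no session is established, and the retried initiation, which
# carries a valid cookie, succeeds.
wg_cookie_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out
	# Only used as the sleep length below; no sysctl is set from it here.
	# NOTE(review): presumably mirrors the kernel default -- confirm.
	local rekey_timeout=5

	setup_servers

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	# Emulate load on the peer
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.force_underload=1

	export RUMP_SERVER=$SOCK_LOCAL

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# The peer doesn't return a response message but a cookie message
	# and a session doesn't start
	$ping_fail $ip_wg_peer

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"
	# XXX length 64 indicates the message is a cookie message
	atf_check -s exit:0 \
	    -o match:"$ip_peer.$port > $ip_local.$port: UDP, length 64" \
	    cat "$outfile"

	$DEBUG && $HIJACKING wgconfig wg0 show all
	atf_check -s exit:0 -o match:"latest-handshake: \(never\)" \
	    $HIJACKING wgconfig wg0

	# Wait for restarting a session
	sleep $rekey_timeout

	# The second attempt should be success because the init message has
	# a valid cookie.
	$ping $ip_wg_peer

	$DEBUG && $HIJACKING wgconfig wg0 show all
	atf_check -s exit:0 -o not-match:"latest-handshake: \(never\)" \
	    $HIJACKING wgconfig wg0

	destroy_wg_interfaces
}

wg_cookie_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_mobility cleanup
wg_mobility_head()
{

	atf_set "descr" "tests of the mobility of wg(4)"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Verify endpoint roaming: the local side starts without an endpoint for
# the peer, learns it from the peer's traffic, and later follows the peer
# to a new address once the peer sends from it.  The captured packets on
# the bus are used to check which outer addresses are really in use.
wg_mobility_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_peer_new=192.168.1.3
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out

	setup_servers

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	# Initially, the local doesn't know the endpoint of the peer
	add_peer wg0 peer0 $key_pub_peer "" $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# Ping from the local to the peer doesn't work because the local
	# doesn't know the endpoint of the peer
	export RUMP_SERVER=$SOCK_LOCAL
	$ping_fail $ip_wg_peer

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	export RUMP_SERVER=$SOCK_PEER
	$ping $ip_wg_local

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# The local now replies to the endpoint it learned from the peer.
	atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer.$port" \
	    cat "$outfile"

	# Change the IP address of the peer
	setup_common shmif0 inet $ip_peer_new 24
	$ifconfig -w 10

	# Ping from the local to the peer doesn't work because the local
	# doesn't know the change of the IP address of the peer
	export RUMP_SERVER=$SOCK_LOCAL
	$ping_fail $ip_wg_peer

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# The local is still sending to the old address.
	atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer.$port" \
	    cat "$outfile"

	# Ping from the peer to the local works because the local notices
	# the change and updates the IP address of the peer
	export RUMP_SERVER=$SOCK_PEER
	$ping $ip_wg_local

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# Traffic flows in both directions via the new address, and nothing
	# is sent to the old one any more.
	atf_check -s exit:0 -o match:"$ip_local.$port > $ip_peer_new.$port" \
	    cat "$outfile"
	atf_check -s exit:0 -o match:"$ip_peer_new.$port > $ip_local.$port" \
	    cat "$outfile"
	atf_check -s exit:0 -o not-match:"$ip_local.$port > $ip_peer.$port" \
	    cat "$outfile"

	destroy_wg_interfaces
}

wg_mobility_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_keepalive cleanup
wg_keepalive_head()
{

	atf_set "descr" "tests keepalive messages"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Verify that the peer emits a keepalive (empty) message: after the
# shortened net.wg.keepalive_timeout has passed, a 32-byte UDP packet from
# the peer endpoint to the local endpoint must be visible on the bus.
wg_keepalive_body()
{
	# NOTE(review): ping_fail and ip_peer_new are not referenced in this
	# body; they are kept in case a helper reads them.
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_peer_new=192.168.1.3
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out
	local keepalive_timeout=3

	setup_servers

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	# Shorten keepalive_timeout of the peer
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.keepalive_timeout=$keepalive_timeout

	export RUMP_SERVER=$SOCK_LOCAL

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	$ping $ip_wg_peer

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	sleep $((keepalive_timeout + 1))

	$ping $ip_wg_peer

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# XXX length 32 indicates the message is a keepalive (empty) message
	atf_check -s exit:0 \
	    -o match:"$ip_peer.$port > $ip_local.$port: UDP, length 32" \
	    cat "$outfile"

	destroy_wg_interfaces
}

wg_keepalive_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_psk cleanup
wg_psk_head()
{

	atf_set "descr" "tests preshared-key"
	atf_set "require.progs" "rump_server" "wgconfig" "wg-keygen"
}

# Placeholder with no behaviour.  The explicit ":" keeps the definition
# valid in shells that reject an empty "{ }" function body.
test_psk_common()
{
	:
}

# Verify that a preshared key is enforced: the tunnel works only while
# both ends are configured with the same preshared key, and it stops
# working again once the peer drops the key.
wg_psk_body()
{
	# NOTE(review): ip_peer_new is not referenced in this body; it is
	# kept in case a helper reads it.
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -i 0.1 -c 3 -w 1"
	local ping_fail="atf_check -s not-exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_peer_new=192.168.1.3
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	local outfile=./out
	local pskfile=./psk
	local rekey_after_time=3
	local key_psk=

	setup_servers

	export RUMP_SERVER=$SOCK_LOCAL
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time
	export RUMP_SERVER=$SOCK_PEER
	atf_check -s exit:0 -o ignore \
	    rump.sysctl -w net.wg.rekey_after_time=$rekey_after_time

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys
	key_psk=$(wg-keygen --psk)
	# The key is a throwaway generated for this run, so printing it in
	# debug mode is acceptable here; never log a key that is in real use.
	$DEBUG && echo $key_psk

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"

	# Key material on disk: create the file readable by the owner only.
	# The subshell keeps the umask change from leaking into the rest of
	# the test.
	( umask 077 && printf '%s\n' "$key_psk" > "$pskfile" )

	export RUMP_SERVER=$SOCK_LOCAL

	# The local always has the preshared key
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32 \
	    $pskfile "$key_psk"
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER

	# First, try the peer without the preshared key
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_LOCAL

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	$ping_fail $ip_wg_peer

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# Next, try with the preshared key
	export RUMP_SERVER=$SOCK_PEER
	delete_peer wg0 peer0
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32 \
	    $pskfile "$key_psk"
	$ifconfig -w 10

	# Need a rekey
	atf_check -s exit:0 sleep $((rekey_after_time + 1))

	export RUMP_SERVER=$SOCK_LOCAL

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	$ping $ip_wg_peer

	extract_new_packets $BUS > "$outfile"
	$DEBUG && cat "$outfile"

	# Then, try again without the preshared key just in case
	export RUMP_SERVER=$SOCK_PEER
	delete_peer wg0 peer0
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	# Need a rekey
	atf_check -s exit:0 sleep $((rekey_after_time + 1))

	export RUMP_SERVER=$SOCK_LOCAL
	$ping_fail $ip_wg_peer

	rm -f "$pskfile"

	destroy_wg_interfaces
}

wg_psk_cleanup()
{

	$DEBUG && dump
	cleanup
}

atf_test_case wg_malformed cleanup
wg_malformed_head()
{

	atf_set "descr" "tests malformed packet headers"
	atf_set "require.progs" "nc" "rump_server" "wgconfig" "wg-keygen"
	atf_set "timeout" "100"
}

# Robustness test for the receive path: after the tunnel is up, a series
# of undersized UDP datagrams is sent to the peer's listening port, and a
# final ping through the tunnel checks that the peer still works.
#
# The datagrams are 1 to 5 bytes long, far shorter than any message length
# this file checks for (32 and 64 bytes).  The first byte of a WireGuard
# message is its type (1 handshake initiation, 2 handshake response,
# 3 cookie reply, 4 transport data), followed by three reserved zero
# bytes; the payloads cover type 0 (invalid) and types 1-4, each as a bare
# 4-byte header and with one trailing byte.
#
# NOTE(review): unlike the other bodies, this one does not call
# destroy_wg_interfaces at the end -- confirm that this is intended.
wg_malformed_body()
{
	local ifconfig="atf_check -s exit:0 rump.ifconfig"
	local ping="atf_check -s exit:0 -o ignore rump.ping -n -c 1 -w 1"
	local ip_local=192.168.1.1
	local ip_peer=192.168.1.2
	local ip_wg_local=10.0.0.1
	local ip_wg_peer=10.0.0.2
	local port=51820
	setup_servers

	# It sets key_priv_local key_pub_local key_priv_peer key_pub_peer
	generate_keys

	export RUMP_SERVER=$SOCK_LOCAL
	setup_common shmif0 inet $ip_local 24
	setup_wg_common wg0 inet $ip_wg_local 24 $port "$key_priv_local"
	add_peer wg0 peer0 $key_pub_peer $ip_peer:$port $ip_wg_peer/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_PEER
	setup_common shmif0 inet $ip_peer 24
	setup_wg_common wg0 inet $ip_wg_peer 24 $port "$key_priv_peer"
	add_peer wg0 peer0 $key_pub_local $ip_local:$port $ip_wg_local/32
	$ifconfig -w 10

	export RUMP_SERVER=$SOCK_LOCAL

	# Establish a working session first.
	$ping $ip_wg_peer

	printf 'send malformed packets\n'

	# The result of this ping is not checked.
	$HIJACKING ping -c 1 -n $ip_peer

	# Shorter than a 4-byte header.
	printf 'x' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf 'xy' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf 'xyz' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	# Header-sized, with a type byte that is not a message type.
	printf 'xyzw' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x00\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x00\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	# Message types 1-4 with the rest of the message missing.
	printf '\x01\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x01\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x02\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x02\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x03\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x03\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x04\x00\x00\x00' | $HIJACKING nc -Nu -w 0 $ip_peer $port
	printf '\x04\x00\x00\x00z' | $HIJACKING nc -Nu -w 0 $ip_peer $port

	printf 'done sending malformed packets\n'

	# The tunnel must still pass traffic after the malformed input.
	$ping $ip_wg_peer
}

wg_malformed_cleanup()
{

	$DEBUG && dump
	cleanup
}

# Register every test case of this file with ATF.
atf_init_test_cases()
{

	atf_add_test_case wg_rekey
	atf_add_test_case wg_handshake_timeout
	atf_add_test_case wg_cookie
	atf_add_test_case wg_mobility
	atf_add_test_case wg_keepalive
	atf_add_test_case wg_psk
	atf_add_test_case wg_malformed
}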