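# $FreeBSD$
#
# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
#
# Copyright (c) 2021 The FreeBSD Foundation
#
# This software was developed by Mark Johnston under sponsorship
# from the FreeBSD Foundation.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

. $(atf_get_srcdir)/../common/vnet.subr

# wg_set_privkey jail ifname key [wg-set-option ...]
#
# Install private key $3 on wg(4) interface $2 inside jail $1, passing any
# further arguments (e.g. "listen-port 12345") to wg(8) ahead of the key.
# The key travels through the environment and a pipe into wg(8)'s stdin,
# so it is neither placed on a command line nor written to a file; the
# wg(8) invocation is wrapped in atf_check so a failed key install fails
# the test immediately instead of surfacing later as a confusing error.
wg_set_privkey()
{
	local jail ifname key

	jail=$1
	ifname=$2
	key=$3
	shift 3

	atf_check -s exit:0 -o ignore env WG_PRIVKEY="$key" jexec "$jail" \
	    sh -c 'printf "%s\n" "$WG_PRIVKEY" | wg set "$@" private-key /dev/stdin' \
	    wg_set_privkey "$ifname" "$@"
}

# Two jails on an epair, each with a wg(4) interface peered with the other;
# traffic must flow through the tunnel in both directions.
atf_test_case "wg_basic" "cleanup"
wg_basic_head()
{
	atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails'
	atf_set require.user root
	atf_set require.progs wg
}

wg_basic_body()
{
	local epair pri1 pri2 pub1 pub2 wg1 wg2
	local endpoint1 endpoint2 tunnel1 tunnel2

	vnet_init
	kldload -n if_wg

	pri1=$(wg genkey)
	pri2=$(wg genkey)

	# Outer (epair) addresses and inner (tunnel) addresses.
	endpoint1=192.168.2.1
	endpoint2=192.168.2.2
	tunnel1=169.254.0.1
	tunnel2=169.254.0.2

	epair=$(vnet_mkepair)

	vnet_mkjail wgtest1 ${epair}a
	vnet_mkjail wgtest2 ${epair}b

	# Workaround for PR 254212.
	jexec wgtest1 ifconfig lo0 up
	jexec wgtest2 ifconfig lo0 up

	jexec wgtest1 ifconfig ${epair}a ${endpoint1}/24 up
	jexec wgtest2 ifconfig ${epair}b ${endpoint2}/24 up

	wg1=$(jexec wgtest1 ifconfig wg create)
	wg_set_privkey wgtest1 "$wg1" "$pri1" listen-port 12345
	pub1=$(jexec wgtest1 wg show "$wg1" public-key)
	wg2=$(jexec wgtest2 ifconfig wg create)
	wg_set_privkey wgtest2 "$wg2" "$pri2" listen-port 12345
	pub2=$(jexec wgtest2 wg show "$wg2" public-key)

	# Each side allows only the other side's tunnel address.
	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 wg set "$wg1" peer "$pub2" \
	    endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/32
	atf_check -s exit:0 \
	    jexec wgtest1 ifconfig "$wg1" inet ${tunnel1}/24 up

	atf_check -s exit:0 -o ignore \
	    jexec wgtest2 wg set "$wg2" peer "$pub1" \
	    endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/32
	atf_check -s exit:0 \
	    jexec wgtest2 ifconfig "$wg2" inet ${tunnel2}/24 up

	# Generous timeout since the handshake takes some time.
	atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 $tunnel2
	atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1
}

wg_basic_cleanup()
{
	vnet_cleanup
}

# The kernel is expected to silently ignore any attempt to add a peer with a
# public key identical to the host's.
atf_test_case "wg_key_peerdev_shared" "cleanup"
wg_key_peerdev_shared_head()
{
	atf_set descr 'Create a wg(4) interface with a shared pubkey between device and a peer'
	atf_set require.user root
	atf_set require.progs wg
}

wg_key_peerdev_shared_body()
{
	local pri1 pub1 wg1 tunnel1

	vnet_init
	kldload -n if_wg

	pri1=$(wg genkey)

	tunnel1=169.254.0.1

	vnet_mkjail wgtest1

	wg1=$(jexec wgtest1 ifconfig wg create)
	wg_set_privkey wgtest1 "$wg1" "$pri1" listen-port 12345
	pub1=$(jexec wgtest1 wg show "$wg1" public-key)

	# Adding ourselves as a peer must succeed from wg(8)'s point of view...
	atf_check -s exit:0 \
	    jexec wgtest1 wg set "$wg1" peer "$pub1" \
	    allowed-ips "${tunnel1}/32"

	# ...but the kernel must not actually have recorded the peer.
	atf_check -o empty jexec wgtest1 wg show "$wg1" peers
}

wg_key_peerdev_shared_cleanup()
{
	vnet_cleanup
}

# When a wg(8) interface has a private key reassigned that corresponds to the
# public key already on a peer, the kernel is expected to deconfigure the peer
# to resolve the conflict.
atf_test_case "wg_key_peerdev_makeshared" "cleanup"
wg_key_peerdev_makeshared_head()
{
	atf_set descr 'Create a wg(4) interface and assign peer key to device'
	atf_set require.user root
	atf_set require.progs wg
}

wg_key_peerdev_makeshared_body()
{
	local pri1 pub1 pri2 wg1 wg2 tunnel1

	vnet_init
	kldload -n if_wg

	pri1=$(wg genkey)
	pri2=$(wg genkey)

	tunnel1=169.254.0.1

	vnet_mkjail wgtest1

	# Two interfaces in one jail; neither is brought up, so the shared
	# listen port is never bound.
	wg1=$(jexec wgtest1 ifconfig wg create)
	wg_set_privkey wgtest1 "$wg1" "$pri1" listen-port 12345
	pub1=$(jexec wgtest1 wg show "$wg1" public-key)
	wg2=$(jexec wgtest1 ifconfig wg create)
	wg_set_privkey wgtest2 "$wg2" "$pri2" listen-port 12345 2>/dev/null || true
	wg_set_privkey wgtest1 "$wg2" "$pri2" listen-port 12345

	# wg2 peers with wg1's public key...
	atf_check -s exit:0 -o ignore \
	    jexec wgtest1 wg set "$wg2" peer "$pub1" \
	    allowed-ips "${tunnel1}/32"

	atf_check -o not-empty jexec wgtest1 wg show "$wg2" peers

	# ...and then takes over wg1's private key, which makes that peer
	# entry refer to wg2 itself.  The key is fed over stdin rather than
	# through a file dropped in the jail's working directory.
	wg_set_privkey wgtest1 "$wg2" "$pri1"

	atf_check -o empty jexec wgtest1 wg show "$wg2" peers
}

wg_key_peerdev_makeshared_cleanup()
{
	vnet_cleanup
}

atf_init_test_cases()
{
	atf_add_test_case "wg_basic"
	atf_add_test_case "wg_key_peerdev_shared"
	atf_add_test_case "wg_key_peerdev_makeshared"
}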