Date: Tue, 24 Jan 2023 05:43:21 GMT Message-Id: <202301240543.30O5hLNF061967@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org 
From: John Baldwin Subject: git: c45a44b20ae0 - stable/13 - wg: Re-add basic if_wg(4) tests. List-Id: Commits to the stable branches of the FreeBSD src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-dev-commits-src-branches@freebsd.org X-BeenThere: dev-commits-src-branches@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: jhb X-Git-Repository: src X-Git-Refname: refs/heads/stable/13 X-Git-Reftype: branch X-Git-Commit: c45a44b20ae078144454a63ca82861581c456635 Auto-Submitted: auto-generated X-ThisMailContainsUnwantedMimeParts: N The branch stable/13 has been updated by jhb: URL: https://cgit.FreeBSD.org/src/commit/?id=c45a44b20ae078144454a63ca82861581c456635 commit c45a44b20ae078144454a63ca82861581c456635 Author: John Baldwin AuthorDate: 2022-12-16 20:01:26 +0000 Commit: John Baldwin CommitDate: 2023-01-24 05:18:28 +0000 wg: Re-add basic if_wg(4) tests. These were originally added in commit 74ae3f3e33b810248da19004c58b3581cd367843 but have been updated to use wg(8). Reviewed by: kevans, markj Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D37400 (cherry picked from commit 8fb9739615da8922fbd8988ccd77093d4ca335ba) --- tests/sys/net/Makefile | 1 + tests/sys/net/if_wg.sh | 197 +++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 198 insertions(+) diff --git a/tests/sys/net/Makefile b/tests/sys/net/Makefile index 0eed6cf734fa..cdf31477137e 100644 --- a/tests/sys/net/Makefile +++ b/tests/sys/net/Makefile @@ -14,6 +14,7 @@ ATF_TESTS_SH+= if_lagg_test ATF_TESTS_SH+= if_stf ATF_TESTS_SH+= if_tun_test ATF_TESTS_SH+= if_vlan +ATF_TESTS_SH+= if_wg TESTS_SUBDIRS+= routing diff --git a/tests/sys/net/if_wg.sh b/tests/sys/net/if_wg.sh new file mode 100644 index 000000000000..6946fb72524a --- /dev/null +++ b/tests/sys/net/if_wg.sh 
@@ -0,0 +1,197 @@ +# $FreeBSD$ +# +# SPDX-License-Identifier: BSD-2-Clause-FreeBSD +# +# Copyright (c) 2021 The FreeBSD Foundation +# +# This software was developed by Mark Johnston under sponsorship +# from the FreeBSD Foundation. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. + +. 
$(atf_get_srcdir)/../common/vnet.subr + +atf_test_case "wg_basic" "cleanup" +wg_basic_head() +{ + atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails' + atf_set require.user root +} + +wg_basic_body() +{ + local epair pri1 pri2 pub1 pub2 wg1 wg2 + local endpoint1 endpoint2 tunnel1 tunnel2 + + kldload -n if_wg + + pri1=$(wg genkey) + pri2=$(wg genkey) + + endpoint1=192.168.2.1 + endpoint2=192.168.2.2 + tunnel1=169.254.0.1 + tunnel2=169.254.0.2 + + epair=$(vnet_mkepair) + + vnet_init + + vnet_mkjail wgtest1 ${epair}a + vnet_mkjail wgtest2 ${epair}b + + # Workaround for PR 254212. + jexec wgtest1 ifconfig lo0 up + jexec wgtest2 ifconfig lo0 up + + jexec wgtest1 ifconfig ${epair}a ${endpoint1}/24 up + jexec wgtest2 ifconfig ${epair}b ${endpoint2}/24 up + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \ + private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + wg2=$(jexec wgtest2 ifconfig wg create) + echo "$pri2" | jexec wgtest2 wg set $wg2 listen-port 12345 \ + private-key /dev/stdin + pub2=$(jexec wgtest2 wg show $wg2 public-key) + + atf_check -s exit:0 -o ignore \ + jexec wgtest1 wg set $wg1 peer "$pub2" \ + endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/32 + atf_check -s exit:0 \ + jexec wgtest1 ifconfig $wg1 inet ${tunnel1}/24 up + + atf_check -s exit:0 -o ignore \ + jexec wgtest2 wg set $wg2 peer "$pub1" \ + endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/32 + atf_check -s exit:0 \ + jexec wgtest2 ifconfig $wg2 inet ${tunnel2}/24 up + + # Generous timeout since the handshake takes some time. + atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 $tunnel2 + atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1 +} + +wg_basic_cleanup() +{ + vnet_cleanup +} + +# The kernel is expected to silently ignore any attempt to add a peer with a +# public key identical to the host's. 
+atf_test_case "wg_key_peerdev_shared" "cleanup" +wg_key_peerdev_shared_head() +{ + atf_set descr 'Create a wg(4) interface with a shared pubkey between device and a peer' + atf_set require.user root +} + +wg_key_peerdev_shared_body() +{ + local epair pri1 pub1 wg1 + local endpoint1 tunnel1 + + kldload -n if_wg + + pri1=$(wg genkey) + + endpoint1=192.168.2.1 + tunnel1=169.254.0.1 + + vnet_mkjail wgtest1 + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \ + private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + + atf_check -s exit:0 \ + jexec wgtest1 wg set ${wg1} peer "${pub1}" \ + allowed-ips "${tunnel1}/32" + + atf_check -o empty jexec wgtest1 wg show ${wg1} peers +} + +wg_key_peerdev_shared_cleanup() +{ + vnet_cleanup +} + +# When a wg(8) interface has a private key reassigned that corresponds to the +# public key already on a peer, the kernel is expected to deconfigure the peer +# to resolve the conflict. +atf_test_case "wg_key_peerdev_makeshared" "cleanup" +wg_key_peerdev_makeshared_head() +{ + atf_set descr 'Create a wg(4) interface and assign peer key to device' + atf_set require.progs wg +} + +wg_key_peerdev_makeshared_body() +{ + local epair pri1 pub1 pri2 wg1 wg2 + local endpoint1 tunnel1 + + kldload -n if_wg + + pri1=$(wg genkey) + pri2=$(wg genkey) + + endpoint1=192.168.2.1 + tunnel1=169.254.0.1 + + vnet_mkjail wgtest1 + + wg1=$(jexec wgtest1 ifconfig wg create) + echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \ + private-key /dev/stdin + pub1=$(jexec wgtest1 wg show $wg1 public-key) + wg2=$(jexec wgtest1 ifconfig wg create) + echo "$pri2" | jexec wgtest1 wg set $wg2 listen-port 12345 \ + private-key /dev/stdin + + atf_check -s exit:0 -o ignore \ + jexec wgtest1 wg set ${wg2} peer "${pub1}" \ + allowed-ips "${tunnel1}/32" + + atf_check -o not-empty jexec wgtest1 wg show ${wg2} peers + + jexec wgtest1 sh -c "echo '${pri1}' > pri1" + + atf_check -s exit:0 \ + jexec 
wgtest1 wg set ${wg2} private-key pri1 + + atf_check -o empty jexec wgtest1 wg show ${wg2} peers +} + +wg_key_peerdev_makeshared_cleanup() +{ + vnet_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "wg_basic" + atf_add_test_case "wg_key_peerdev_shared" + atf_add_test_case "wg_key_peerdev_makeshared" +}
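Review bot: the three test cases in tests/sys/net/if_wg.sh declare their ATF requirements inconsistently. wg_basic_head and wg_key_peerdev_shared_head set `atf_set require.user root` but not `require.progs wg`, although their bodies run `wg genkey`, `wg set` and `wg show`; wg_key_peerdev_makeshared_head sets `atf_set require.progs wg` but omits `require.user root`, although its body still calls kldload, vnet_mkjail, jexec and `ifconfig wg create`. As written, a host without wg(8) fails the first two tests on a missing command instead of skipping them, and a non-root run of the third fails in kldload/jexec instead of being skipped. Suggest adding both lines to every head function, e.g. `atf_set require.user root` followed by `atf_set require.progs wg`. Two smaller points: in wg_basic_body, `epair=$(vnet_mkepair)` runs before `vnet_init`, whereas the other vnet-based tests call vnet_init first so that its environment check (the VIMAGE skip) runs before any interface is created; and the `epair` and `endpoint1` locals in wg_key_peerdev_shared_body and wg_key_peerdev_makeshared_body are declared but never used and can be dropped.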