aboutsummaryrefslogtreecommitdiffstats
path: root/tests/if_wg_test.sh
diff options
context:
space:
mode:
authorJason A. Donenfeld <Jason@zx2c4.com>2021-06-01 10:45:21 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2021-06-01 15:12:30 +0200
commit3be23818a151c902ea2f13251b8afed4e37d4569 (patch)
treef1f3b47a6324cff40cd0adfdd5f67f7475cf44f3 /tests/if_wg_test.sh
parentif_wg: pass back result of selftests and enable in CI (diff)
downloadwireguard-freebsd-3be23818a151c902ea2f13251b8afed4e37d4569.tar.xz
wireguard-freebsd-3be23818a151c902ea2f13251b8afed4e37d4569.zip
netns: trim test to working parts and rework jail logic
Rather than agonizing on and on about finishing this, just get what actually works in a tidy place. We also make everything happen in a dedicated child jail, and work with JIDs instead of labels. This should improve isolation and reliability. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Diffstat (limited to '')
-rwxr-xr-xtests/if_wg_test.sh164
1 files changed, 0 insertions, 164 deletions
diff --git a/tests/if_wg_test.sh b/tests/if_wg_test.sh
deleted file mode 100755
index 69e90d9..0000000
--- a/tests/if_wg_test.sh
+++ /dev/null
@@ -1,164 +0,0 @@
-# $FreeBSD$
-#
-# SPDX-License-Identifier: BSD-2-Clause-FreeBSD
-#
-# Copyright (c) 2021 The FreeBSD Foundation
-
-. $(atf_get_srcdir)/../common/vnet.subr
-
-atf_test_case "wg_basic" "cleanup"
-wg_basic_head()
-{
- atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails'
- atf_set require.user root
-}
-
-wg_basic_body()
-{
- local epair pri1 pri2 pub1 pub2 wg1 wg2
- local endpoint1 endpoint2 tunnel1 tunnel2
-
- kldload -n if_wg
-
- pri1=$(openssl rand -base64 32)
- pri2=$(openssl rand -base64 32)
-
- endpoint1=192.168.2.1
- endpoint2=192.168.2.2
- tunnel1=169.254.0.1
- tunnel2=169.254.0.2
-
- epair=$(vnet_mkepair)
-
- vnet_init
-
- vnet_mkjail wgtest1 ${epair}a
- vnet_mkjail wgtest2 ${epair}b
-
- # Workaround for PR 254212.
- jexec wgtest1 ifconfig lo0 up
- jexec wgtest2 ifconfig lo0 up
-
- jexec wgtest1 ifconfig ${epair}a $endpoint1 up
- jexec wgtest2 ifconfig ${epair}b $endpoint2 up
-
- wg1=$(jexec wgtest1 ifconfig wg create listen-port 12345 private-key "$pri1")
- pub1=$(jexec wgtest1 ifconfig $wg1 | awk '/public-key:/ {print $2}')
- wg2=$(jexec wgtest2 ifconfig wg create listen-port 12345 private-key "$pri2")
- pub2=$(jexec wgtest2 ifconfig $wg2 | awk '/public-key:/ {print $2}')
-
- atf_check -s exit:0 -o ignore \
- jexec wgtest1 ifconfig $wg1 peer public-key "$pub2" \
- endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/32
- atf_check -s exit:0 \
- jexec wgtest1 ifconfig $wg1 inet $tunnel1 up
-
- atf_check -s exit:0 -o ignore \
- jexec wgtest2 ifconfig $wg2 peer public-key "$pub1" \
- endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/32
- atf_check -s exit:0 \
- jexec wgtest2 ifconfig $wg2 inet $tunnel2 up
-
- # Generous timeout since the handshake takes some time.
- atf_check -s exit:0 -o ignore jexec wgtest1 ping -o -t 5 -i 0.25 $tunnel2
- atf_check -s exit:0 -o ignore jexec wgtest2 ping -o -t 5 -i 0.25 $tunnel1
-}
-
-wg_basic_cleanup()
-{
- vnet_cleanup
-}
-
-# The kernel is expecteld to silently ignore any attempt to add a peer with a
-# public key identical to the host's.
-atf_test_case "wg_key_peerdev_shared" "cleanup"
-wg_key_peerdev_shared_head()
-{
- atf_set descr 'Create a wg(4) interface with a shared pubkey between device and a peer'
- atf_set require.user root
-}
-
-wg_key_peerdev_shared_body()
-{
- local epair pri1 pub1 wg1
- local endpoint1 tunnel1
-
- kldload -n if_wg
-
- pri1=$(openssl rand -base64 32)
-
- endpoint1=192.168.2.1
- tunnel1=169.254.0.1
-
- vnet_mkjail wgtest1
-
- wg1=$(jexec wgtest1 ifconfig wg create listen-port 12345 private-key "$pri1")
- pub1=$(jexec wgtest1 ifconfig $wg1 | awk '/public-key:/ {print $2}')
-
- atf_check -s exit:0 \
- jexec wgtest1 ifconfig ${wg1} peer public-key "${pub1}" \
- allowed-ips "${tunnel1}/32"
-
- atf_check -o empty jexec wgtest1 ifconfig ${wg1} peers
-}
-
-wg_key_peerdev_shared_cleanup()
-{
- vnet_cleanup
-}
-
-# When a wg(8) interface has a private key reassigned that corresponds to the
-# public key already on a peer, the kernel is expected to deconfigure the peer
-# to resolve the conflict.
-atf_test_case "wg_key_peerdev_makeshared" "cleanup"
-wg_key_peerdev_makeshared_head()
-{
- atf_set descr 'Create a wg(4) interface and assign peer key to device'
- atf_set require.progs wg
-}
-
-wg_key_peerdev_makeshared_body()
-{
- local epair pri1 pub1 pri2 wg1 wg2
- local endpoint1 tunnel1
-
- kldload -n if_wg
-
- pri1=$(openssl rand -base64 32)
- pri2=$(openssl rand -base64 32)
-
- endpoint1=192.168.2.1
- tunnel1=169.254.0.1
-
- vnet_mkjail wgtest1
-
- wg1=$(jexec wgtest1 ifconfig wg create listen-port 12345 private-key "$pri1")
- pub1=$(jexec wgtest1 ifconfig $wg1 | awk '/public-key:/ {print $2}')
-
- wg2=$(jexec wgtest1 ifconfig wg create listen-port 12345 private-key "$pri2")
-
- atf_check -s exit:0 -o ignore \
- jexec wgtest1 ifconfig ${wg2} peer public-key "${pub1}" \
- allowed-ips "${tunnel1}/32"
-
- atf_check -o not-empty jexec wgtest1 ifconfig ${wg2} peers
-
- jexec wgtest1 sh -c "echo '${pri1}' > pri1"
-
- atf_check -s exit:0 \
- jexec wgtest1 wg set ${wg2} private-key pri1
-
- atf_check -o empty jexec wgtest1 ifconfig ${wg2} peers
-}
-
-wg_key_peerdev_makeshared_cleanup()
-{
- vnet_cleanup
-}
-
-atf_init_test_cases()
-{
- atf_add_test_case "wg_basic"
- atf_add_test_case "wg_key_peerdev_shared"
- atf_add_test_case "wg_key_peerdev_makeshared"
-}