tests: improve test suite and add qemu tester

6 files changed, 299 insertions, 49 deletions

diff --git a/src/Makefile b/src/Makefile
index e34fae7..3eef0b5 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -86,7 +86,7 @@ core-cloc: clean
 check:
 	$(MAKE) -C $(KERNELDIR) M=$(PWD) C=2 CF="-D__CHECK_ENDIAN__" CONFIG_WIREGUARD_DEBUG=y
 
-include debug.mk
+include tests/debug.mk
 
 .PHONY: all module module-debug tools install clean core-cloc check
 endif
diff --git a/src/netns.sh b/src/netns.sh
deleted file mode 100644
index 2157e03..0000000
--- a/src/netns.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-[[ $UID != 0 ]] && exec sudo bash "$(readlink -f "$0")" "$@"
-set -ex
-cd "$(dirname "$(readlink -f "$0")")"
-
-cleanup() {
-	set +e
-	ip link del dev wgnetns1
-	ip link del dev wgnetns2
-	ip netns exec wgnetns ip link del dev wgnetns2
-	killall iperf3
-	ip netns del wgnetns
-	exit 0
-}
-
-trap cleanup EXIT
-
-ip link add dev wgnetns1 type wireguard
-ip link add dev wgnetns2 type wireguard
-
-ip netns del wgnetns 2>/dev/null || true
-ip netns add wgnetns
-ip link set wgnetns2 netns wgnetns
-ip netns exec wgnetns ip link set lo up
-
-ip addr add 192.168.241.1/24 dev wgnetns1
-ip netns exec wgnetns ip addr add 192.168.241.2/24 dev wgnetns2
-
-key1="$(tools/wg genkey)"
-key2="$(tools/wg genkey)"
-
-tools/wg set wgnetns1 private-key <(echo "$key1") listen-port 38281 peer "$(tools/wg pubkey <<<"$key2")" allowed-ips 192.168.241.2/24 endpoint 127.0.0.1:43928
-ip netns exec wgnetns tools/wg set wgnetns2 private-key <(echo "$key2") listen-port 43928 peer "$(tools/wg pubkey <<<"$key1")" allowed-ips 192.168.241.1/24 endpoint 127.0.0.1:38281
-
-ip link set wgnetns1 up
-ip netns exec wgnetns ip link set wgnetns2 up
-
-ip netns exec wgnetns iperf3 -s -D
-stdbuf -o 0 iperf3 -i 1 -n 300000G "$@" -c 192.168.241.2
diff --git a/src/debug.mk b/src/tests/debug.mk
index 5385092..a013c97 100644
--- a/src/debug.mk
+++ b/src/tests/debug.mk
@@ -15,18 +15,18 @@ ifeq ($(D),0)
 MAYBE_DEBUG :=
 endif
 
-quick: debug
-	sudo modprobe ip6_udp_tunnel
-	sudo modprobe udp_tunnel
-	sudo modprobe x_tables
-	-sudo rmmod wireguard
-	sudo insmod wireguard.ko
-	bash netns.sh $(QUICK_ARGS)
+test: debug
+	-sudo modprobe ip6_udp_tunnel
+	-sudo modprobe udp_tunnel
+	-sudo modprobe x_tables
+	-sudo modprobe ipv6
+	-sudo modprobe xt_hashlimit
+	./tests/netns.sh
 
-remote-quick:
+remote-test:
 	ssh $(SSH_OPTS1) -Nf $(REMOTE_HOST1)
 	rsync --rsh="ssh $(SSH_OPTS1)" $(RSYNC_OPTS) . $(REMOTE_HOST1):wireguard-build/
-	ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'make -C wireguard-build quick -j$$(nproc) "QUICK_ARGS=$(QUICK_ARGS)"'
+	ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'make -C wireguard-build test -j$$(nproc)'
 	ssh $(SSH_OPTS1) -O exit $(REMOTE_HOST1)
 
 remote-run-1:
diff --git a/src/tests/guest-init.sh b/src/tests/guest-init.sh
new file mode 100755
index 0000000..676bbb0
--- /dev/null
+++ b/src/tests/guest-init.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+export PATH="/tools:/sbin:/bin"
+/bin/busybox ln -sf / /usr
+/bin/busybox --install -s
+mkdir /run /proc /tmp /sys /var /dev
+ln -s /run /var/run
+mount -t tmpfs none /run
+mount -t tmpfs none /tmp
+mount -t sysfs none /sys
+mount -t proc none /proc
+mount -t devtmpfs none /dev
+ln -s /proc/self/fd /dev/fd
+/wireguard/tests/netns.sh --no-module-insert && touch /wg-netns-success
+echo o > /proc/sysrq-trigger
+sleep 10000000000
diff --git a/src/tests/netns.sh b/src/tests/netns.sh
new file mode 100755
index 0000000..901ec36
--- /dev/null
+++ b/src/tests/netns.sh
@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# This is a simple test suite for WireGuard. At some point it might be
+# nice to transition this to Sharness, like git, cgit, and pass, but
+# it's possible that kernel upstream won't like the bulkiness of that
+# very much. So for now we'll leave it to a single simple file like
+# this one here.
+#
+# The exit code is 0 when this is successful.
+
+[[ $UID != 0 ]] && exec sudo bash "$(readlink -f "$0")" "$@"
+[[ $1 == --no-module-insert ]] && no_module=1 || no_module=0
+set -ex
+date
+cd "$(dirname "$(readlink -f "$0")")/.."
+
+unset netns0 netns1 netns2
+while [[ $netns1 == "$netns2" || $netns0 == "$netns1" || $netns0 == "$netns2" ]]; do
+	netns0="wgtestns$RANDOM"
+	netns1="wgtestns$RANDOM"
+	netns2="wgtestns$RANDOM"
+done
+
+n0() { ip netns exec $netns0 "$@"; }
+n1() { ip netns exec $netns1 "$@"; }
+n2() { ip netns exec $netns2 "$@"; }
+ip0() { ip -n $netns0 "$@"; }
+ip1() { ip -n $netns1 "$@"; }
+ip2() { ip -n $netns2 "$@"; }
+
+cleanup() {
+	set +e
+	ip0 link del dev wg0
+	ip1 link del dev wg0
+	ip2 link del dev wg0
+	[[ $no_module -ne 1 ]] && rmmod wireguard
+	killall iperf3
+	ip netns del $netns1
+	ip netns del $netns2
+	ip netns del $netns0
+	exit
+}
+
+trap cleanup EXIT
+
+if [[ $no_module -ne 1 ]]; then
+	rmmod wireguard 2>/dev/null || true
+	# We consider insertion part of the tests because when compiled in debug mode,
+	# the module will fail to insert if the internal kernel self-tests fail.
+	insmod wireguard.ko
+fi
+
+ip netns del $netns0 2>/dev/null || true
+ip netns del $netns1 2>/dev/null || true
+ip netns del $netns2 2>/dev/null || true
+ip netns add $netns0
+ip netns add $netns1
+ip netns add $netns2
+
+ip0 link set up dev lo
+ip0 link add dev wg0 type wireguard
+ip0 link set wg0 netns $netns1
+ip0 link add dev wg0 type wireguard
+ip0 link set wg0 netns $netns2
+
+ip1 addr add 192.168.241.1/24 dev wg0
+ip1 addr add abcd::1/24 dev wg0
+ip2 addr add 192.168.241.2/24 dev wg0
+ip2 addr add abcd::2/24 dev wg0
+
+key1="$(tools/wg genkey)"
+key2="$(tools/wg genkey)"
+pub1="$(tools/wg pubkey <<<"$key1")"
+pub2="$(tools/wg pubkey <<<"$key2")"
+psk="$(tools/wg genpsk)"
+[[ -n $key1 && -n $key2 && -n $psk ]]
+
+n1 tools/wg set wg0 \
+	private-key <(echo "$key1") \
+	preshared-key <(echo "$psk") \
+	listen-port 1 \
+	peer "$pub2" \
+		allowed-ips 192.168.241.2/32,abcd::2/128
+n2 tools/wg set wg0 \
+	private-key <(echo "$key2") \
+	preshared-key <(echo "$psk") \
+	listen-port 2 \
+	peer "$pub1" \
+		allowed-ips 192.168.241.1/32,abcd::1/128
+
+ip1 link set up dev wg0
+ip2 link set up dev wg0
+
+tests() {
+	# Status before
+	n1 tools/wg
+	n2 tools/wg
+
+	# Ping over IPv4
+	n2 ping -c 10 -f -W 1 192.168.241.1
+	n1 ping -c 10 -f -W 1 192.168.241.2
+
+	# Ping over IPv6
+	n2 ping6 -c 10 -f -W 1 abcd::1
+	n1 ping6 -c 10 -f -W 1 abcd::2
+
+	# TCP over IPv4
+	n2 iperf3 -s -D -B 192.168.241.2
+	while ! ss -N $netns2 -tlp 'sport = 5201' | grep -q iperf3; do sleep 0.1; done
+	n1 iperf3 -Z -i 1 -n 1G "$@" -c 192.168.241.2
+
+	# TCP over IPv6
+	n1 iperf3 -s -D -B abcd::1
+	while ! ss -N $netns1 -tlp 'sport = 5201' | grep -q iperf3; do sleep 0.1; done
+	n2 iperf3 -Z -i 1 -n 1G "$@" -c abcd::1
+
+	# UDP over IPv4
+	n1 iperf3 -s -D -B 192.168.241.1
+	while ! ss -N $netns1 -tlp 'sport = 5201' | grep -q iperf3; do sleep 0.1; done
+	n2 iperf3 -Z -i 1 -n 1G "$@" -b 0 -u -c 192.168.241.1
+
+	# UDP over IPv6
+	n2 iperf3 -s -D -B abcd::2
+	while ! ss -N $netns2 -tlp 'sport = 5201' | grep -q iperf3; do sleep 0.1; done
+	n1 iperf3 -Z -i 1 -n 1G "$@" -b 0 -u -c abcd::2
+
+	# Status after
+	n1 tools/wg
+	n2 tools/wg
+}
+
+# Test using IPv4 as outer transport
+n1 tools/wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
+n2 tools/wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
+tests
+
+# Test using IPv6 as outer transport
+n1 tools/wg set wg0 peer "$pub2" endpoint [::1]:2
+n2 tools/wg set wg0 peer "$pub1" endpoint [::1]:1
+tests
+
+date
diff --git a/src/tests/qemu.sh b/src/tests/qemu.sh
new file mode 100755
index 0000000..8bd5026
--- /dev/null
+++ b/src/tests/qemu.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+# This compiles a kernel, creates a rootfs, and then starts up
+# QEMU to run the netns.sh test.
+#
+# The exit code is 0 when this is successful.
+
+set -ex
+cleanup() {
+	set +e
+	[[ -d $scratch_dir ]] || exit
+	cd /
+	rm -rf "$scratch_dir"
+}
+trap cleanup EXIT
+wireguard_dir="$(readlink -f "$(dirname "$(readlink -f "$0")")/..")"
+scratch_dir="$(mktemp -d)"
+cd "$scratch_dir"
+mkdir -p root/tools
+root_dir="$(readlink -f root)"
+wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.6.4.tar.xz
+tar xf linux-*.tar.xz
+cd linux-*
+make x86_64_defconfig
+sed -i "/^if NET\$/a source \"$wireguard_dir/Kconfig\"" net/Kconfig
+echo "obj-y += ../../../../../../../../../../../../../../../../../../../../../..$wireguard_dir/" >> net/Makefile
+cat >> .config <<_EOF
+CONFIG_NET=y
+CONFIG_INET=y
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IPV6=y
+CONFIG_NET_UDP_TUNNEL=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_WIREGUARD=y
+CONFIG_WIREGUARD_DEBUG=y
+CONFIG_WIREGUARD_PARALLEL=y
+CONFIG_HW_RANDOM_VIRTIO=y
+_EOF
+make kvmconfig
+make -j$(nproc)
+make INSTALL_HDR_PATH="$root_dir" headers_install
+cd ..
+
+wget https://www.musl-libc.org/releases/musl-1.1.15.tar.gz
+tar xf musl-*.tar.gz
+cd musl-*
+unset CC
+./configure --prefix="$root_dir"
+make -j$(nproc)
+make install
+export CC="$root_dir/bin/musl-gcc"
+export CFLAGS="-static -O2"
+cd ..
+wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
+tar xf bash-*.tar.gz
+cd bash-*
+for i in {1..43}; do
+        wget -O - http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' $i) | patch -p0
+done
+./configure --prefix="$root_dir" --without-bash-malloc
+make -j$(nproc)
+make install
+cd ..
+wget https://busybox.net/downloads/busybox-1.25.0.tar.bz2
+tar xf busybox-*.tar.bz2
+cd busybox-*
+make defconfig
+make -j$(nproc)
+cp busybox "$root_dir/bin/"
+cd ..
+wget http://ftp.netfilter.org/pub/libmnl/libmnl-1.0.4.tar.bz2
+tar xf libmnl-*.tar.bz2
+cd libmnl-*
+./configure --prefix="$root_dir" --enable-static --disable-shared
+make -j$(nproc)
+make install
+cd ..
+wget https://www.kernel.org/pub/linux/utils/net/iproute2/iproute2-4.3.0.tar.xz
+tar xf iproute2-*.tar.xz
+cd iproute2-*
+sed -i 's/-O2/-O2 -static/' Makefile
+sed -i '/ARPD/d' Makefile
+sed -i 's/arpd.8//' man/man8/Makefile
+sed -i 's/m_ipt.o//' tc/Makefile
+sed -i 's/[^ ]*_bpf.o//' tc/Makefile
+echo -e "TC_CONFIG_XT=n\nTC_CONFIG_ATM=n\nTC_CONFIG_IPSET=n\nIP_CONFIG_SETNS=y" > Config
+wget -O - https://cgit.gentoo.org/proj/musl.git/plain/sys-apps/iproute2/files/iproute2-4.3.0-musl.patch | patch -p1
+make -j$(nproc) PREFIX="$root_dir" CC="$CC" LDFLAGS=-static
+cp ip/ip misc/ss "$root_dir/tools"
+cd ..
+wget http://downloads.es.net/pub/iperf/iperf-3.1.3.tar.gz
+tar xf iperf-*.tar.gz
+cd iperf-*
+wget -O - https://github.com/esnet/iperf/commit/1fe02385b60c9dcd8a04b8bd3ff5cff120ec35a6.diff | patch -p1
+sed -i 's/-pg//;s/-g//' src/Makefile*
+LDFLAGS=-static CFLAGS="-static -O2 -D_GNU_SOURCE" ./configure --prefix="$root_dir" --disable-shared --enable-static
+make -j$(nprocs)
+rm src/iperf3
+sed -i 's/iperf3_CFLAGS =/iperf3_CFLAGS = -all-static/' src/Makefile
+make
+cp src/iperf3 "$root_dir/tools"
+wget https://github.com/iputils/iputils/archive/s20160308.tar.gz -O iputils-s20160308.tar.gz
+tar xf iputils-*.tar.gz
+cd iputils-*
+LDFLAGS=-static make CC="$CC" USE_IDN=no USE_CAP=no USE_CRYPTO=no USE_GCRYPT=no USE_NETTLE=no ping -j$(nproc)
+cp ping $root_dir/tools/ping
+cp ping $root_dir/tools/ping6
+cd ..
+cp -r "$wireguard_dir" "$root_dir/wireguard"
+cd "$root_dir/wireguard/tools"
+make clean
+LDFLAGS=-static PKG_CONFIG_SYSROOT_DIR="$root_dir" PKG_CONFIG_PATH="$root_dir/lib/pkgconfig" PKG_CONFIG_LIBDIR="$root_dir/lib/pkgconfig" PREFIX="$root_dir" make -j$(nproc)
+cd "$root_dir/.."
+
+qemu-system-x86_64 \
+	-enable-kvm \
+	-cpu host \
+	-smp 2 \
+	-m 64M \
+	-nographic \
+	-object rng-random,id=rng0,filename=/dev/urandom \
+	-device virtio-rng-pci,rng=rng0 \
+	-kernel linux-*/arch/x86/boot/bzImage \
+	-fsdev local,path="$root_dir",security_model=none,id=root \
+	-device virtio-9p-pci,fsdev=root,mount_tag=/dev/root \
+	-append "root=/dev/root rw rootfstype=9p rootflags=trans=virtio console=ttyS0 init=/wireguard/tests/guest-init.sh"
+
+[[ -e $root_dir/wg-netns-success ]]