authorJason A. Donenfeld <Jason@zx2c4.com>2016-07-13 17:23:47 +0200
committerJason A. Donenfeld <Jason@zx2c4.com>2016-07-18 03:41:57 +0200
commit76a911e1b9cf86d6b8157f3af01eac613e07fc4a (patch)
treed9cde27a07409466aa5459c25778404567d0aaa4 /src/tests
parenttools: fix numbering in man page (diff)
tests: improve test suite and add qemu tester
Diffstat (limited to 'src/tests')
-rw-r--r--src/tests/debug.mk70
-rwxr-xr-xsrc/tests/guest-init.sh15
-rwxr-xr-xsrc/tests/netns.sh142
-rwxr-xr-xsrc/tests/qemu.sh132
4 files changed, 359 insertions, 0 deletions
diff --git a/src/tests/debug.mk b/src/tests/debug.mk
new file mode 100644
index 0000000..a013c97
--- /dev/null
+++ b/src/tests/debug.mk
@@ -0,0 +1,70 @@
+REMOTE_HOST1 ?= root@172.16.48.128
+REMOTE_HOST2 ?= root@172.16.48.129
+REMOTE_HOST3 ?= root@172.16.48.130
+PEER1 := [Peer]\nPublicKey=UQGBaem0U6JjIObMQzunZ2Euv8MMYcUUdWKJV87WDE8=\nAllowedIPs=192.168.2.1/32,abcd::1/128\nEndpoint=$(subst root@,,$(REMOTE_HOST1)):12912\n
+PEER2 := [Peer]\nPublicKey=tNXrD6GCvHRNgoZ/D/BmTbTbzoVGZh0R2V6rzY6hwl4=\nAllowedIPs=192.168.2.2/32,abcd::2/128\nEndpoint=$(subst root@,,$(REMOTE_HOST2)):21281\n
+PEER3 := [Peer]\nPublicKey=gLvFUb1FTyoACC/yZNqGLKnNkt+w30JEvfFChDVuewo=\nAllowedIPs=192.168.2.3/32,abcd::3/128\nEndpoint=$(subst root@,,$(REMOTE_HOST3)):54812\n
+SSH_OPTS := -q -o ControlMaster=auto -o ControlPath=.ssh-deployment.sock
+SSH_OPTS1 := $(SSH_OPTS)-1
+SSH_OPTS2 := $(SSH_OPTS)-2
+SSH_OPTS3 := $(SSH_OPTS)-3
+RSYNC_OPTS := --include="tools" --include="noise" --include="crypto" --include="*.mk" --include="*.sh" --include="*.8" --include="*.S" --include="*.c" --include="*.h" --include="Makefile" --exclude="*" -avP #--delete --delete-excluded
+
+MAYBE_DEBUG := "debug"
+ifeq ($(D),0)
+MAYBE_DEBUG :=
+endif
+
+test: debug
+ -sudo modprobe ip6_udp_tunnel
+ -sudo modprobe udp_tunnel
+ -sudo modprobe x_tables
+ -sudo modprobe ipv6
+ -sudo modprobe xt_hashlimit
+ ./tests/netns.sh
+
+remote-test:
+ ssh $(SSH_OPTS1) -Nf $(REMOTE_HOST1)
+ rsync --rsh="ssh $(SSH_OPTS1)" $(RSYNC_OPTS) . $(REMOTE_HOST1):wireguard-build/
+ ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'make -C wireguard-build test -j$$(nproc)'
+ ssh $(SSH_OPTS1) -O exit $(REMOTE_HOST1)
+
+remote-run-1:
+ ssh $(SSH_OPTS1) -Nf $(REMOTE_HOST1)
+ rsync --rsh="ssh $(SSH_OPTS1)" $(RSYNC_OPTS) . $(REMOTE_HOST1):wireguard-build/
+ ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'ip l d wg0; rmmod wireguard; cd wireguard-build && make -j$$(nproc) $(MAYBE_DEBUG) && make install'
+ ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'ip l a wg0 type wireguard'
+ printf '[Interface]\nListenPort=12912\nPrivateKey=4IoHwlfTyKb9Z9W1YPmBmZvSiU6qcs0oa4xnjAEm/3U=\n$(PEER2)$(PEER3)' | ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'cat > config.conf'
+ ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'wg setconf wg0 config.conf'
+ ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'ip l set up dev wg0'
+ ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'ip a a 192.168.2.1/24 dev wg0'
+ ssh $(SSH_OPTS1) $(REMOTE_HOST1) 'ip a a abcd::1/120 dev wg0'
+ ssh $(SSH_OPTS1) -O exit $(REMOTE_HOST1)
+
+
+remote-run-2:
+ ssh $(SSH_OPTS2) -Nf $(REMOTE_HOST2)
+ rsync --rsh="ssh $(SSH_OPTS2)" $(RSYNC_OPTS) . $(REMOTE_HOST2):wireguard-build/
+ ssh $(SSH_OPTS2) $(REMOTE_HOST2) 'ip l d wg0; rmmod wireguard; cd wireguard-build && make -j$$(nproc) $(MAYBE_DEBUG) && make install'
+ ssh $(SSH_OPTS2) $(REMOTE_HOST2) 'ip l a wg0 type wireguard'
+ printf '[Interface]\nListenPort=21281\nPrivateKey=kEKL+m4h5xTn2cYKU6NTEv32kuXHAkuqrjdT9VtsnX8=\n$(PEER1)$(PEER3)' | ssh $(SSH_OPTS2) $(REMOTE_HOST2) 'cat > config.conf'
+ ssh $(SSH_OPTS2) $(REMOTE_HOST2) 'wg setconf wg0 config.conf'
+ ssh $(SSH_OPTS2) $(REMOTE_HOST2) 'ip l set up dev wg0'
+ ssh $(SSH_OPTS2) $(REMOTE_HOST2) 'ip a a 192.168.2.2/24 dev wg0'
+ ssh $(SSH_OPTS2) $(REMOTE_HOST2) 'ip a a abcd::2/120 dev wg0'
+ ssh $(SSH_OPTS2) -O exit $(REMOTE_HOST2)
+
+remote-run-3:
+ ssh $(SSH_OPTS3) -Nf $(REMOTE_HOST3)
+ rsync --rsh="ssh $(SSH_OPTS3)" $(RSYNC_OPTS) . $(REMOTE_HOST3):wireguard-build/
+ ssh $(SSH_OPTS3) $(REMOTE_HOST3) 'ip l d wg0; rmmod wireguard; cd wireguard-build && make -j$$(nproc) $(MAYBE_DEBUG) && make install'
+ ssh $(SSH_OPTS3) $(REMOTE_HOST3) 'ip l a wg0 type wireguard'
+ printf '[Interface]\nListenPort=54812\nPrivateKey=qFunvj5kgENrtWn754hNBLrk5mMA+8+evVtnI2YqWkk=\n$(PEER1)$(PEER2)' | ssh $(SSH_OPTS3) $(REMOTE_HOST3) 'cat > config.conf'
+ ssh $(SSH_OPTS3) $(REMOTE_HOST3) 'wg setconf wg0 config.conf'
+ ssh $(SSH_OPTS3) $(REMOTE_HOST3) 'ip l set up dev wg0'
+ ssh $(SSH_OPTS3) $(REMOTE_HOST3) 'ip a a 192.168.2.3/24 dev wg0'
+ ssh $(SSH_OPTS3) $(REMOTE_HOST3) 'ip a a abcd::3/120 dev wg0'
+ ssh $(SSH_OPTS3) -O exit $(REMOTE_HOST3)
+
+remote-run:
+ $(MAKE) -j3 remote-run-1 remote-run-2 remote-run-3
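Review bot: The `PrivateKey=` values in the `printf` lines of remote-run-1, remote-run-2 and remote-run-3 are committed in the clear and then stored on each remote host through `cat > config.conf`, which creates the file under root's default umask and so usually leaves it readable by other local users. The write should be `'umask 077 && cat > config.conf'`, and a comment above `PEER1` such as `# Fixed throwaway keys for the debug testbed; never reuse them on a real interface.` would keep anyone from copying them into a deployment. The targets are also never declared phony; `.PHONY: test remote-test remote-run remote-run-1 remote-run-2 remote-run-3` prevents a stray file of the same name from masking them.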
diff --git a/src/tests/guest-init.sh b/src/tests/guest-init.sh
new file mode 100755
index 0000000..676bbb0
--- /dev/null
+++ b/src/tests/guest-init.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+export PATH="/tools:/sbin:/bin"
+/bin/busybox ln -sf / /usr
+/bin/busybox --install -s
+mkdir /run /proc /tmp /sys /var /dev
+ln -s /run /var/run
+mount -t tmpfs none /run
+mount -t tmpfs none /tmp
+mount -t sysfs none /sys
+mount -t proc none /proc
+mount -t devtmpfs none /dev
+ln -s /proc/self/fd /dev/fd
+/wireguard/tests/netns.sh --no-module-insert && touch /wg-netns-success
+echo o > /proc/sysrq-trigger
+sleep 10000000000
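Review bot: None of the `mount` calls is checked and the script runs without `set -e`, so a failed `mount -t proc none /proc` goes unnoticed until `echo o > /proc/sysrq-trigger`, which then cannot power the guest off and leaves PID 1 in `sleep 10000000000`; the QEMU run on the host would presumably never return. Failing fast is safer for an unattended tester, for example `mount -t proc none /proc || poweroff -f` (the busybox applets are installed near the top of the script). A header comment stating that this script is the guest's init, and that the final sleep only keeps PID 1 alive until the power-off takes effect, would also help the next reader.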
diff --git a/src/tests/netns.sh b/src/tests/netns.sh
new file mode 100755
index 0000000..901ec36
--- /dev/null
+++ b/src/tests/netns.sh
@@ -0,0 +1,142 @@
+#!/bin/bash
+
+# This is a simple test suite for WireGuard. At some point it might be
+# nice to transition this to Sharness, like git, cgit, and pass, but
+# it's possible that kernel upstream won't like the bulkiness of that
+# very much. So for now we'll leave it to a single simple file like
+# this one here.
+#
+# The exit code is 0 when this is successful.
+
+[[ $UID != 0 ]] && exec sudo bash "$(readlink -f "$0")" "$@"
+[[ $1 == --no-module-insert ]] && no_module=1 || no_module=0
+set -ex
+date
+cd "$(dirname "$(readlink -f "$0")")/.."
+
+unset netns0 netns1 netns2
+while [[ $netns1 == "$netns2" || $netns0 == "$netns1" || $netns0 == "$netns2" ]]; do
+ netns0="wgtestns$RANDOM"
+ netns1="wgtestns$RANDOM"
+ netns2="wgtestns$RANDOM"
+done
+
+n0() { ip netns exec $netns0 "$@"; }
+n1() { ip netns exec $netns1 "$@"; }
+n2() { ip netns exec $netns2 "$@"; }
+ip0() { ip -n $netns0 "$@"; }
+ip1() { ip -n $netns1 "$@"; }
+ip2() { ip -n $netns2 "$@"; }
+
+cleanup() {
+ set +e
+ ip0 link del dev wg0
+ ip1 link del dev wg0
+ ip2 link del dev wg0
+ [[ $no_module -ne 1 ]] && rmmod wireguard
+ killall iperf3
+ ip netns del $netns1
+ ip netns del $netns2
+ ip netns del $netns0
+ exit
+}
+
+trap cleanup EXIT
+
+if [[ $no_module -ne 1 ]]; then
+ rmmod wireguard 2>/dev/null || true
+ # We consider insertion part of the tests because when compiled in debug mode,
+ # the module will fail to insert if the internal kernel self-tests fail.
+ insmod wireguard.ko
+fi
+
+ip netns del $netns0 2>/dev/null || true
+ip netns del $netns1 2>/dev/null || true
+ip netns del $netns2 2>/dev/null || true
+ip netns add $netns0
+ip netns add $netns1
+ip netns add $netns2
+
+ip0 link set up dev lo
+ip0 link add dev wg0 type wireguard
+ip0 link set wg0 netns $netns1
+ip0 link add dev wg0 type wireguard
+ip0 link set wg0 netns $netns2
+
+ip1 addr add 192.168.241.1/24 dev wg0
+ip1 addr add abcd::1/24 dev wg0
+ip2 addr add 192.168.241.2/24 dev wg0
+ip2 addr add abcd::2/24 dev wg0
+
+key1="$(tools/wg genkey)"
+key2="$(tools/wg genkey)"
+pub1="$(tools/wg pubkey <<<"$key1")"
+pub2="$(tools/wg pubkey <<<"$key2")"
+psk="$(tools/wg genpsk)"
+[[ -n $key1 && -n $key2 && -n $psk ]]
+
+n1 tools/wg set wg0 \
+ private-key <(echo "$key1") \
+ preshared-key <(echo "$psk") \
+ listen-port 1 \
+ peer "$pub2" \
+ allowed-ips 192.168.241.2/32,abcd::2/128
+n2 tools/wg set wg0 \
+ private-key <(echo "$key2") \
+ preshared-key <(echo "$psk") \
+ listen-port 2 \
+ peer "$pub1" \
+ allowed-ips 192.168.241.1/32,abcd::1/128
+
+ip1 link set up dev wg0
+ip2 link set up dev wg0
+
+tests() {
+ # Status before
+ n1 tools/wg
+ n2 tools/wg
+
+ # Ping over IPv4
+ n2 ping -c 10 -f -W 1 192.168.241.1
+ n1 ping -c 10 -f -W 1 192.168.241.2
+
+ # Ping over IPv6
+ n2 ping6 -c 10 -f -W 1 abcd::1
+ n1 ping6 -c 10 -f -W 1 abcd::2
+
+ # TCP over IPv4
+ n2 iperf3 -s -D -B 192.168.241.2
+ while ! ss -N $netns2 -tlp 'sport = 5201' | grep -q iperf3; do sleep 0.1; done
+ n1 iperf3 -Z -i 1 -n 1G "$@" -c 192.168.241.2
+
+ # TCP over IPv6
+ n1 iperf3 -s -D -B abcd::1
+ while ! ss -N $netns1 -tlp 'sport = 5201' | grep -q iperf3; do sleep 0.1; done
+ n2 iperf3 -Z -i 1 -n 1G "$@" -c abcd::1
+
+ # UDP over IPv4
+ n1 iperf3 -s -D -B 192.168.241.1
+ while ! ss -N $netns1 -tlp 'sport = 5201' | grep -q iperf3; do sleep 0.1; done
+ n2 iperf3 -Z -i 1 -n 1G "$@" -b 0 -u -c 192.168.241.1
+
+ # UDP over IPv6
+ n2 iperf3 -s -D -B abcd::2
+ while ! ss -N $netns2 -tlp 'sport = 5201' | grep -q iperf3; do sleep 0.1; done
+ n1 iperf3 -Z -i 1 -n 1G "$@" -b 0 -u -c abcd::2
+
+ # Status after
+ n1 tools/wg
+ n2 tools/wg
+}
+
+# Test using IPv4 as outer transport
+n1 tools/wg set wg0 peer "$pub2" endpoint 127.0.0.1:2
+n2 tools/wg set wg0 peer "$pub1" endpoint 127.0.0.1:1
+tests
+
+# Test using IPv6 as outer transport
+n1 tools/wg set wg0 peer "$pub2" endpoint [::1]:2
+n2 tools/wg set wg0 peer "$pub1" endpoint [::1]:1
+tests
+
+date
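Review bot: `killall iperf3` in `cleanup()` runs as root on the host and terminates every iperf3 process on the machine, not only the servers this script started inside its own namespaces. Scoping it to the test namespaces keeps the suite from disturbing unrelated workloads: `ip netns pids $netns1 | xargs -r kill; ip netns pids $netns2 | xargs -r kill`, placed before the `ip netns del` lines. The `$netnsN` expansions are unquoted throughout, which is harmless for the generated `wgtestns$RANDOM` names but worth quoting for consistency with the rest of the script.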
diff --git a/src/tests/qemu.sh b/src/tests/qemu.sh
new file mode 100755
index 0000000..8bd5026
--- /dev/null
+++ b/src/tests/qemu.sh
@@ -0,0 +1,132 @@
+#!/bin/bash
+# This compiles a kernel, creates a rootfs, and then starts up
+# QEMU to run the netns.sh test.
+#
+# The exit code is 0 when this is successful.
+
+set -ex
+cleanup() {
+ set +e
+ [[ -d $scratch_dir ]] || exit
+ cd /
+ rm -rf "$scratch_dir"
+}
+trap cleanup EXIT
+wireguard_dir="$(readlink -f "$(dirname "$(readlink -f "$0")")/..")"
+scratch_dir="$(mktemp -d)"
+cd "$scratch_dir"
+mkdir -p root/tools
+root_dir="$(readlink -f root)"
+wget https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.6.4.tar.xz
+tar xf linux-*.tar.xz
+cd linux-*
+make x86_64_defconfig
+sed -i "/^if NET\$/a source \"$wireguard_dir/Kconfig\"" net/Kconfig
+echo "obj-y += ../../../../../../../../../../../../../../../../../../../../../..$wireguard_dir/" >> net/Makefile
+cat >> .config <<_EOF
+CONFIG_NET=y
+CONFIG_INET=y
+CONFIG_NETFILTER=y
+CONFIG_NETFILTER_XTABLES=y
+CONFIG_NETFILTER_ADVANCED=y
+CONFIG_NF_CONNTRACK=y
+CONFIG_IP6_NF_IPTABLES=y
+CONFIG_IPV6=y
+CONFIG_NET_UDP_TUNNEL=y
+CONFIG_NETFILTER_XT_MATCH_HASHLIMIT=y
+CONFIG_CRYPTO_MANAGER=y
+CONFIG_WIREGUARD=y
+CONFIG_WIREGUARD_DEBUG=y
+CONFIG_WIREGUARD_PARALLEL=y
+CONFIG_HW_RANDOM_VIRTIO=y
+_EOF
+make kvmconfig
+make -j$(nproc)
+make INSTALL_HDR_PATH="$root_dir" headers_install
+cd ..
+
+wget https://www.musl-libc.org/releases/musl-1.1.15.tar.gz
+tar xf musl-*.tar.gz
+cd musl-*
+unset CC
+./configure --prefix="$root_dir"
+make -j$(nproc)
+make install
+export CC="$root_dir/bin/musl-gcc"
+export CFLAGS="-static -O2"
+cd ..
+wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
+tar xf bash-*.tar.gz
+cd bash-*
+for i in {1..43}; do
+ wget -O - http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$(printf '%03d' $i) | patch -p0
+done
+./configure --prefix="$root_dir" --without-bash-malloc
+make -j$(nproc)
+make install
+cd ..
+wget https://busybox.net/downloads/busybox-1.25.0.tar.bz2
+tar xf busybox-*.tar.bz2
+cd busybox-*
+make defconfig
+make -j$(nproc)
+cp busybox "$root_dir/bin/"
+cd ..
+wget http://ftp.netfilter.org/pub/libmnl/libmnl-1.0.4.tar.bz2
+tar xf libmnl-*.tar.bz2
+cd libmnl-*
+./configure --prefix="$root_dir" --enable-static --disable-shared
+make -j$(nproc)
+make install
+cd ..
+wget https://www.kernel.org/pub/linux/utils/net/iproute2/iproute2-4.3.0.tar.xz
+tar xf iproute2-*.tar.xz
+cd iproute2-*
+sed -i 's/-O2/-O2 -static/' Makefile
+sed -i '/ARPD/d' Makefile
+sed -i 's/arpd.8//' man/man8/Makefile
+sed -i 's/m_ipt.o//' tc/Makefile
+sed -i 's/[^ ]*_bpf.o//' tc/Makefile
+echo -e "TC_CONFIG_XT=n\nTC_CONFIG_ATM=n\nTC_CONFIG_IPSET=n\nIP_CONFIG_SETNS=y" > Config
+wget -O - https://cgit.gentoo.org/proj/musl.git/plain/sys-apps/iproute2/files/iproute2-4.3.0-musl.patch | patch -p1
+make -j$(nproc) PREFIX="$root_dir" CC="$CC" LDFLAGS=-static
+cp ip/ip misc/ss "$root_dir/tools"
+cd ..
+wget http://downloads.es.net/pub/iperf/iperf-3.1.3.tar.gz
+tar xf iperf-*.tar.gz
+cd iperf-*
+wget -O - https://github.com/esnet/iperf/commit/1fe02385b60c9dcd8a04b8bd3ff5cff120ec35a6.diff | patch -p1
+sed -i 's/-pg//;s/-g//' src/Makefile*
+LDFLAGS=-static CFLAGS="-static -O2 -D_GNU_SOURCE" ./configure --prefix="$root_dir" --disable-shared --enable-static
+make -j$(nprocs)
+rm src/iperf3
+sed -i 's/iperf3_CFLAGS =/iperf3_CFLAGS = -all-static/' src/Makefile
+make
+cp src/iperf3 "$root_dir/tools"
+wget https://github.com/iputils/iputils/archive/s20160308.tar.gz -O iputils-s20160308.tar.gz
+tar xf iputils-*.tar.gz
+cd iputils-*
+LDFLAGS=-static make CC="$CC" USE_IDN=no USE_CAP=no USE_CRYPTO=no USE_GCRYPT=no USE_NETTLE=no ping -j$(nproc)
+cp ping $root_dir/tools/ping
+cp ping $root_dir/tools/ping6
+cd ..
+cp -r "$wireguard_dir" "$root_dir/wireguard"
+cd "$root_dir/wireguard/tools"
+make clean
+LDFLAGS=-static PKG_CONFIG_SYSROOT_DIR="$root_dir" PKG_CONFIG_PATH="$root_dir/lib/pkgconfig" PKG_CONFIG_LIBDIR="$root_dir/lib/pkgconfig" PREFIX="$root_dir" make -j$(nproc)
+cd "$root_dir/.."
+
+qemu-system-x86_64 \
+ -enable-kvm \
+ -cpu host \
+ -smp 2 \
+ -m 64M \
+ -nographic \
+ -object rng-random,id=rng0,filename=/dev/urandom \
+ -device virtio-rng-pci,rng=rng0 \
+ -kernel linux-*/arch/x86/boot/bzImage \
+ -fsdev local,path="$root_dir",security_model=none,id=root \
+ -device virtio-9p-pci,fsdev=root,mount_tag=/dev/root \
+ -append "root=/dev/root rw rootfstype=9p rootflags=trans=virtio console=ttyS0 init=/wireguard/tests/guest-init.sh"
+
+[[ -e $root_dir/wg-netns-success ]]
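Review bot: Every source tarball and patch here is fetched with `wget` and built without any checksum or signature check, and several of them (`bash-4.3.tar.gz`, the `bash43-NNN` patches piped straight into `patch -p0`, libmnl, iperf) come over plain `http://`, so anyone on the network path could alter code that is then compiled and run on the host. Pinning a SHA-256 per artifact and verifying it before `tar` or `patch` closes that gap; the sketch below uses a placeholder digest that has to be filled in from a trusted source. Separately, `make -j$(nprocs)` in the iperf step is a typo for `nproc`: the substitution comes out empty, so make runs with an unlimited job count, and the line should read `make -j$(nproc)`.

```shell
# Constructed sketch: download, then refuse to continue unless the pinned digest matches.
fetch() {
	local url="$1" sha256="$2" out="${3:-${1##*/}}"
	wget -O "$out" "$url"
	echo "$sha256  $out" | sha256sum -c -
}
fetch https://cdn.kernel.org/pub/linux/kernel/v4.x/linux-4.6.4.tar.xz "<SHA256_PLACEHOLDER>"
# … unchanged: tar xf / configure / make steps; repeat fetch for each further download …
```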