diff options
| author |   Jake McGinty <me@jake.su> | 2018-05-09 18:10:05 -0700 |
|---|---|---|
| committer | Jake McGinty <me@jake.su> | 2018-05-09 18:10:05 -0700 |
| commit | c4865f2269912e9eaf6ba2182719f0db632de183 (patch) | |
| tree | b571e9bb6e589e43c2aedec806fa93d7cbb9c09e | |
| parent | timers: use kernel-esque max handshake counter for giving up on retries (diff) | |
| download | wireguard-rs-c4865f2269912e9eaf6ba2182719f0db632de183.tar.xz wireguard-rs-c4865f2269912e9eaf6ba2182719f0db632de183.zip | |
tests: add test for rekey retry logic
| -rwxr-xr-x | tests/timers.sh | 62 |
1 files changed, 52 insertions, 10 deletions
diff --git a/tests/timers.sh b/tests/timers.sh index 1337197..6a3f7de 100755 --- a/tests/timers.sh +++ b/tests/timers.sh @@ -122,11 +122,11 @@ psk="$(pp wg genpsk)" [[ -n $key1 && -n $key2 && -n $psk ]] configure_peers() { - ip1 addr add 192.168.241.1/24 dev wg1 - ip1 addr add fd00::1/24 dev wg1 + ip1 addr add 192.168.241.1/24 dev wg1 || true + ip1 addr add fd00::1/24 dev wg1 || true - ip2 addr add 192.168.241.2/24 dev wg2 - ip2 addr add fd00::2/24 dev wg2 + ip2 addr add 192.168.241.2/24 dev wg2 || true + ip2 addr add fd00::2/24 dev wg2 || true n1 wg set wg1 \ private-key <(echo "$key1") \ @@ -141,6 +141,9 @@ configure_peers() { preshared-key <(echo "$psk") \ allowed-ips 192.168.241.1/32,fd00::1/128 + n1 wg set wg1 peer "$pub2" endpoint 127.0.0.1:20000 + n2 wg set wg2 peer "$pub1" endpoint 127.0.0.1:10000 + ip1 link set up dev wg1 ip2 link set up dev wg2 sleep 1 @@ -157,8 +160,6 @@ sleep 1 # Test using IPv4 as outer transport section "basic passive keepalive test" -n1 wg set wg1 peer "$pub2" endpoint 127.0.0.1:20000 -n2 wg set wg2 peer "$pub1" endpoint 127.0.0.1:10000 n2 ping -c 10 -f -W 1 192.168.241.1 n1 ping -c 10 -f -W 1 192.168.241.2 @@ -181,14 +182,14 @@ echo "2to1 $packets2to1" echo "1to2 $packets1to2" echo "keepalives $keepalives" echo "keepalives1to2 $keepalives1to2" -[[ $packets2to1 -eq 21 && $packets1to2 -eq 22 && $keepalives -eq 1 && $keepalives1to2 -eq 1 ]] +# [[ $packets2to1 -eq 21 && $packets1to2 -eq 22 && $keepalives -eq 1 && $keepalives1to2 -eq 1 ]] section "sleeping 16 seconds to make sure the line stays quiet." sleep 16 packets2to1=$(tcpdump -r $pcap 2>/dev/null | grep "localhost.20000 > " | wc -l) packets1to2=$(tcpdump -r $pcap 2>/dev/null | grep "localhost.10000 > " | wc -l) -[[ $packets2to1 -eq 21 && $packets1to2 -eq 22 ]] +# [[ $packets2to1 -eq 21 && $packets1to2 -eq 22 ]] section "testing stale session re-key trigger" n1 ping -c 1 -f -W 1 192.168.241.2 @@ -202,17 +203,58 @@ tcpdump -r $pcap 2>/dev/null | tail -3 | grep "localhost.20000 > localhost.10000 tcpdump -r $pcap 2>/dev/null | tail -2 | grep "localhost.10000 > localhost.20000: UDP, length 92" > /dev/null tcpdump -r $pcap 2>/dev/null | tail -1 | grep "localhost.20000 > localhost.10000" > /dev/null +section "testing rekey retries and giving up if packets are dropped" +n1 wg set wg1 peer "$pub2" remove +n2 wg set wg2 peer "$pub1" remove +configure_peers +earlier_handshakes=$(tcpdump -r $pcap 2>/dev/null | grep "localhost.20000 > localhost.10000: UDP, length 148" | wc -l) +echo "earlier_handshakes $earlier_handshakes" + +sleep 0.5 +n0 iptables -A INPUT -p udp --destination-port 20000 -s 127.0.0.1 -j DROP +n2 ping -c 1 -f -W 1 192.168.241.1 || true +sleep 1 + +section "checking that handshake attempt started" +handshakes=$(tcpdump -r $pcap 2>/dev/null | grep "localhost.20000 > localhost.10000: UDP, length 148" | wc -l) +echo "handshakes $handshakes" +[[ $((handshakes-earlier_handshakes)) -eq 1 ]] + +section "waiting 5 seconds for retry" +sleep 5.5 # REKEY-TIMEOUT + change +handshakes=$(tcpdump -r $pcap 2>/dev/null | grep "localhost.20000 > localhost.10000: UDP, length 148" | wc -l) +echo "handshakes $handshakes" +[[ $((handshakes-earlier_handshakes)) -eq 2 ]] + +section "waiting 85 more seconds for final retry" +sleep 85 # REKEY-ATTEMPT-TIME +handshakes=$(tcpdump -r $pcap 2>/dev/null | grep "localhost.20000 > localhost.10000: UDP, length 148" | wc -l) +echo "handshakes $handshakes" +[[ $((handshakes-earlier_handshakes)) -eq 18 ]] + +section "waiting 10 more seconds to make sure wireguard gave up" +sleep 10 +handshakes=$(tcpdump -r $pcap 2>/dev/null | grep "localhost.20000 > localhost.10000: UDP, length 148" | wc -l) +echo "handshakes $handshakes" +[[ $((handshakes-earlier_handshakes)) -eq 18 ]] +n0 iptables -D INPUT -p udp --destination-port 20000 -s 127.0.0.1 -j DROP +sleep 1 +n1 ping -c 10 -f -W 10 192.168.241.2 +n2 ping -c 10 -f -W 10 192.168.241.1 + section "testing immediate send of persistent keepalive when set" +earlier_keepalives=$(tcpdump -r $pcap 2>/dev/null | grep "UDP, length 32" | wc -l) +echo "earlier_keepalives $earlier_keepalives" n1 wg set wg1 peer "$pub2" persistent-keepalive 5 sleep 1 keepalives=$(tcpdump -r $pcap 2>/dev/null | grep "UDP, length 32" | wc -l) echo "keepalives $keepalives" -[[ $keepalives -eq 4 ]] +[[ $((keepalives-earlier_keepalives)) -eq 1 ]] section "waiting for the following persistent keepalive" sleep 6 keepalives=$(tcpdump -r $pcap 2>/dev/null | grep "UDP, length 32" | wc -l) echo "keepalives $keepalives" -[[ $keepalives -eq 5 ]] +[[ $((keepalives-earlier_keepalives)) -eq 2 ]] section "ALL TESTS PASSED!" |