3 # SPDX-License-Identifier: BSD-2-Clause-FreeBSD
5 # Copyright (c) 2021 The FreeBSD Foundation
7 # This software was developed by Mark Johnston under sponsorship
8 # from the FreeBSD Foundation.
10 # Redistribution and use in source and binary forms, with or without
11 # modification, are permitted provided that the following conditions
13 # 1. Redistributions of source code must retain the above copyright
14 # notice, this list of conditions and the following disclaimer.
15 # 2. Redistributions in binary form must reproduce the above copyright
16 # notice, this list of conditions and the following disclaimer in the
17 # documentation and/or other materials provided with the distribution.
19 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
20 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 # ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
23 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 . $(atf_get_srcdir)/../common/vnet.subr
33 atf_test_case "wg_basic" "cleanup"
36 atf_set descr 'Create a wg(4) tunnel over an epair and pass traffic between jails'
37 atf_set require.user root
42 local epair pri1 pri2 pub1 pub2 wg1 wg2
43 local endpoint1 endpoint2 tunnel1 tunnel2
45 kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"
59 vnet_mkjail wgtest1 ${epair}a
60 vnet_mkjail wgtest2 ${epair}b
62 # Workaround for PR 254212.
63 jexec wgtest1 ifconfig lo0 up
64 jexec wgtest2 ifconfig lo0 up
66 jexec wgtest1 ifconfig ${epair}a ${endpoint1}/24 up
67 jexec wgtest2 ifconfig ${epair}b ${endpoint2}/24 up
69 wg1=$(jexec wgtest1 ifconfig wg create)
70 echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \
71 private-key /dev/stdin
72 pub1=$(jexec wgtest1 wg show $wg1 public-key)
73 wg2=$(jexec wgtest2 ifconfig wg create)
74 echo "$pri2" | jexec wgtest2 wg set $wg2 listen-port 12345 \
75 private-key /dev/stdin
76 pub2=$(jexec wgtest2 wg show $wg2 public-key)
78 atf_check -s exit:0 -o ignore \
79 jexec wgtest1 wg set $wg1 peer "$pub2" \
80 endpoint ${endpoint2}:12345 allowed-ips ${tunnel2}/32
82 jexec wgtest1 ifconfig $wg1 inet ${tunnel1}/24 up
84 atf_check -s exit:0 -o ignore \
85 jexec wgtest2 wg set $wg2 peer "$pub1" \
86 endpoint ${endpoint1}:12345 allowed-ips ${tunnel1}/32
88 jexec wgtest2 ifconfig $wg2 inet ${tunnel2}/24 up
90 # Generous timeout since the handshake takes some time.
91 atf_check -s exit:0 -o ignore jexec wgtest1 ping -c 1 -t 5 $tunnel2
92 atf_check -s exit:0 -o ignore jexec wgtest2 ping -c 1 $tunnel1
100 # The kernel is expected to silently ignore any attempt to add a peer with a
101 # public key identical to the host's.
102 atf_test_case "wg_key_peerdev_shared" "cleanup"
103 wg_key_peerdev_shared_head()
105 atf_set descr 'Create a wg(4) interface with a shared pubkey between device and a peer'
106 atf_set require.user root
109 wg_key_peerdev_shared_body()
111 local epair pri1 pub1 wg1
112 local endpoint1 tunnel1
114 kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"
118 endpoint1=192.168.2.1
123 wg1=$(jexec wgtest1 ifconfig wg create)
124 echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \
125 private-key /dev/stdin
126 pub1=$(jexec wgtest1 wg show $wg1 public-key)
128 atf_check -s exit:0 \
129 jexec wgtest1 wg set ${wg1} peer "${pub1}" \
130 allowed-ips "${tunnel1}/32"
132 atf_check -o empty jexec wgtest1 wg show ${wg1} peers
135 wg_key_peerdev_shared_cleanup()
140 # When a wg(4) interface is assigned a new private key whose corresponding
141 # public key is already configured on one of its peers, the kernel is expected
142 # to deconfigure that peer to resolve the conflict.
143 atf_test_case "wg_key_peerdev_makeshared" "cleanup"
144 wg_key_peerdev_makeshared_head()
146 atf_set descr 'Create a wg(4) interface and assign peer key to device'
147 atf_set require.progs wg
150 wg_key_peerdev_makeshared_body()
152 local epair pri1 pub1 pri2 wg1 wg2
153 local endpoint1 tunnel1
155 kldload -n if_wg || atf_skip "This test requires if_wg and could not load it"
160 endpoint1=192.168.2.1
165 wg1=$(jexec wgtest1 ifconfig wg create)
166 echo "$pri1" | jexec wgtest1 wg set $wg1 listen-port 12345 \
167 private-key /dev/stdin
168 pub1=$(jexec wgtest1 wg show $wg1 public-key)
169 wg2=$(jexec wgtest1 ifconfig wg create)
170 echo "$pri2" | jexec wgtest1 wg set $wg2 listen-port 12345 \
171 private-key /dev/stdin
173 atf_check -s exit:0 -o ignore \
174 jexec wgtest1 wg set ${wg2} peer "${pub1}" \
175 allowed-ips "${tunnel1}/32"
177 atf_check -o not-empty jexec wgtest1 wg show ${wg2} peers
179 jexec wgtest1 sh -c "echo '${pri1}' > pri1"
181 atf_check -s exit:0 \
182 jexec wgtest1 wg set ${wg2} private-key pri1
184 atf_check -o empty jexec wgtest1 wg show ${wg2} peers
187 wg_key_peerdev_makeshared_cleanup()
192 atf_init_test_cases()
194 atf_add_test_case "wg_basic"
195 atf_add_test_case "wg_key_peerdev_shared"
196 atf_add_test_case "wg_key_peerdev_makeshared"