7 from hashlib import blake2s
8 from scapy.packet import Packet
9 from scapy.packet import Raw
10 from scapy.layers.l2 import Ether, ARP
11 from scapy.layers.inet import IP, UDP
12 from scapy.layers.inet6 import IPv6
13 from scapy.contrib.wireguard import Wireguard, WireguardResponse, \
14 WireguardInitiation, WireguardTransport
15 from cryptography.hazmat.primitives.asymmetric.x25519 import \
16 X25519PrivateKey, X25519PublicKey
17 from cryptography.hazmat.primitives.serialization import Encoding, \
18 PrivateFormat, PublicFormat, NoEncryption
19 from cryptography.hazmat.primitives.hashes import BLAKE2s, Hash
20 from cryptography.hazmat.primitives.hmac import HMAC
21 from cryptography.hazmat.backends import default_backend
22 from noise.connection import NoiseConnection, Keypair
24 from vpp_ipip_tun_interface import VppIpIpTunInterface
25 from vpp_interface import VppInterface
26 from vpp_ip_route import VppIpRoute, VppRoutePath
27 from vpp_object import VppObject
28 from framework import VppTestCase
29 from re import compile
32 """ TestWg is a subclass of VPPTestCase classes.
39 def private_key_bytes(k):
40 return k.private_bytes(Encoding.Raw,
45 def public_key_bytes(k):
46 return k.public_bytes(Encoding.Raw,
50 class VppWgInterface(VppInterface):
52 VPP WireGuard interface
55 def __init__(self, test, src, port):
56 super(VppWgInterface, self).__init__(test)
60 self.private_key = X25519PrivateKey.generate()
61 self.public_key = self.private_key.public_key()
63 def public_key_bytes(self):
64 return public_key_bytes(self.public_key)
66 def private_key_bytes(self):
67 return private_key_bytes(self.private_key)
69 def add_vpp_config(self):
70 r = self.test.vapi.wireguard_interface_create(interface={
71 'user_instance': 0xffffffff,
74 'private_key': private_key_bytes(self.private_key),
77 self.set_sw_if_index(r.sw_if_index)
78 self.test.registry.register(self, self.test.logger)
81 def remove_vpp_config(self):
82 self.test.vapi.wireguard_interface_delete(
83 sw_if_index=self._sw_if_index)
85 def query_vpp_config(self):
86 ts = self.test.vapi.wireguard_interface_dump(sw_if_index=0xffffffff)
88 if t.interface.sw_if_index == self._sw_if_index and \
89 str(t.interface.src_ip) == self.src and \
90 t.interface.port == self.port and \
91 t.interface.private_key == private_key_bytes(self.private_key):
96 return self.object_id()
99 return "wireguard-%d" % self._sw_if_index
102 def find_route(test, prefix, is_ip6, table_id=0):
103 routes = test.vapi.ip_route_dump(table_id, is_ip6)
106 if table_id == e.route.table_id \
107 and str(e.route.prefix) == str(prefix):
112 NOISE_HANDSHAKE_NAME = b"Noise_IKpsk2_25519_ChaChaPoly_BLAKE2s"
113 NOISE_IDENTIFIER_NAME = b"WireGuard v1 zx2c4 Jason@zx2c4.com"
116 class VppWgPeer(VppObject):
124 persistent_keepalive=15):
127 self.endpoint = endpoint
129 self.allowed_ips = allowed_ips
130 self.persistent_keepalive = persistent_keepalive
132 # remote peer's public
133 self.private_key = X25519PrivateKey.generate()
134 self.public_key = self.private_key.public_key()
136 self.noise = NoiseConnection.from_name(NOISE_HANDSHAKE_NAME)
138 def add_vpp_config(self, is_ip6=False):
139 rv = self._test.vapi.wireguard_peer_add(
141 'public_key': self.public_key_bytes(),
143 'endpoint': self.endpoint,
144 'n_allowed_ips': len(self.allowed_ips),
145 'allowed_ips': self.allowed_ips,
146 'sw_if_index': self.itf.sw_if_index,
147 'persistent_keepalive': self.persistent_keepalive})
148 self.index = rv.peer_index
149 self.receiver_index = self.index + 1
150 self._test.registry.register(self, self._test.logger)
153 def remove_vpp_config(self):
154 self._test.vapi.wireguard_peer_remove(peer_index=self.index)
157 return ("wireguard-peer-%s" % self.index)
159 def public_key_bytes(self):
160 return public_key_bytes(self.public_key)
162 def query_vpp_config(self):
163 peers = self._test.vapi.wireguard_peers_dump()
166 if p.peer.public_key == self.public_key_bytes() and \
167 p.peer.port == self.port and \
168 str(p.peer.endpoint) == self.endpoint and \
169 p.peer.sw_if_index == self.itf.sw_if_index and \
170 len(self.allowed_ips) == p.peer.n_allowed_ips:
171 self.allowed_ips.sort()
172 p.peer.allowed_ips.sort()
174 for (a1, a2) in zip(self.allowed_ips, p.peer.allowed_ips):
175 if str(a1) != str(a2):
180 def set_responder(self):
181 self.noise.set_as_responder()
183 def mk_tunnel_header(self, tx_itf, is_ip6=False):
185 return (Ether(dst=tx_itf.local_mac, src=tx_itf.remote_mac) /
186 IP(src=self.endpoint, dst=self.itf.src) /
187 UDP(sport=self.port, dport=self.itf.port))
189 return (Ether(dst=tx_itf.local_mac, src=tx_itf.remote_mac) /
190 IPv6(src=self.endpoint, dst=self.itf.src) /
191 UDP(sport=self.port, dport=self.itf.port))
193 def noise_init(self, public_key=None):
194 self.noise.set_prologue(NOISE_IDENTIFIER_NAME)
195 self.noise.set_psks(psk=bytes(bytearray(32)))
198 public_key = self.itf.public_key
201 self.noise.set_keypair_from_private_bytes(
203 private_key_bytes(self.private_key))
205 self.noise.set_keypair_from_public_bytes(
206 Keypair.REMOTE_STATIC,
207 public_key_bytes(public_key))
209 self.noise.start_handshake()
211 def mk_handshake(self, tx_itf, is_ip6=False, public_key=None):
212 self.noise.set_as_initiator()
213 self.noise_init(public_key)
215 p = (Wireguard() / WireguardInitiation())
217 p[Wireguard].message_type = 1
218 p[Wireguard].reserved_zero = 0
219 p[WireguardInitiation].sender_index = self.receiver_index
221 # some random data for the message
222 # lifted from the noise protocol's wireguard example
223 now = datetime.datetime.now()
224 tai = struct.pack('!qi', 4611686018427387914 + int(now.timestamp()),
225 int(now.microsecond * 1e3))
226 b = self.noise.write_message(payload=tai)
228 # load noise into init message
229 p[WireguardInitiation].unencrypted_ephemeral = b[0:32]
230 p[WireguardInitiation].encrypted_static = b[32:80]
231 p[WireguardInitiation].encrypted_timestamp = b[80:108]
233 # generate the mac1 hash
234 mac_key = blake2s(b'mac1----' +
235 self.itf.public_key_bytes()).digest()
236 p[WireguardInitiation].mac1 = blake2s(bytes(p)[0:116],
238 key=mac_key).digest()
239 p[WireguardInitiation].mac2 = bytearray(16)
241 p = (self.mk_tunnel_header(tx_itf, is_ip6) / p)
245 def verify_header(self, p, is_ip6=False):
247 self._test.assertEqual(p[IP].src, self.itf.src)
248 self._test.assertEqual(p[IP].dst, self.endpoint)
250 self._test.assertEqual(p[IPv6].src, self.itf.src)
251 self._test.assertEqual(p[IPv6].dst, self.endpoint)
252 self._test.assertEqual(p[UDP].sport, self.itf.port)
253 self._test.assertEqual(p[UDP].dport, self.port)
254 self._test.assert_packet_checksums_valid(p)
256 def consume_init(self, p, tx_itf, is_ip6=False):
257 self.noise.set_as_responder()
258 self.noise_init(self.itf.public_key)
259 self.verify_header(p, is_ip6)
261 init = Wireguard(p[Raw])
263 self._test.assertEqual(init[Wireguard].message_type, 1)
264 self._test.assertEqual(init[Wireguard].reserved_zero, 0)
266 self.sender = init[WireguardInitiation].sender_index
269 mac_key = blake2s(b'mac1----' +
270 public_key_bytes(self.public_key)).digest()
271 mac1 = blake2s(bytes(init)[0:-32],
273 key=mac_key).digest()
274 self._test.assertEqual(init[WireguardInitiation].mac1, mac1)
276 # this passes only unencrypted_ephemeral, encrypted_static,
277 # encrypted_timestamp fields of the init
278 payload = self.noise.read_message(bytes(init)[8:-32])
281 b = self.noise.write_message()
282 mac_key = blake2s(b'mac1----' +
283 public_key_bytes(self.itf.public_key)).digest()
284 resp = (Wireguard(message_type=2, reserved_zero=0) /
285 WireguardResponse(sender_index=self.receiver_index,
286 receiver_index=self.sender,
287 unencrypted_ephemeral=b[0:32],
288 encrypted_nothing=b[32:]))
289 mac1 = blake2s(bytes(resp)[:-32],
291 key=mac_key).digest()
292 resp[WireguardResponse].mac1 = mac1
294 resp = (self.mk_tunnel_header(tx_itf, is_ip6) / resp)
295 self._test.assertTrue(self.noise.handshake_finished)
299 def consume_response(self, p, is_ip6=False):
300 self.verify_header(p, is_ip6)
302 resp = Wireguard(p[Raw])
304 self._test.assertEqual(resp[Wireguard].message_type, 2)
305 self._test.assertEqual(resp[Wireguard].reserved_zero, 0)
306 self._test.assertEqual(resp[WireguardResponse].receiver_index,
309 self.sender = resp[Wireguard].sender_index
311 payload = self.noise.read_message(bytes(resp)[12:60])
312 self._test.assertEqual(payload, b'')
313 self._test.assertTrue(self.noise.handshake_finished)
315 def decrypt_transport(self, p, is_ip6=False):
316 self.verify_header(p, is_ip6)
318 p = Wireguard(p[Raw])
319 self._test.assertEqual(p[Wireguard].message_type, 4)
320 self._test.assertEqual(p[Wireguard].reserved_zero, 0)
321 self._test.assertEqual(p[WireguardTransport].receiver_index,
324 d = self.noise.decrypt(
325 p[WireguardTransport].encrypted_encapsulated_packet)
328 def encrypt_transport(self, p):
329 return self.noise.encrypt(bytes(p))
331 def validate_encapped(self, rxs, tx, is_ip6=False):
334 rx = IP(self.decrypt_transport(rx))
336 # chech the oringial packet is present
337 self._test.assertEqual(rx[IP].dst, tx[IP].dst)
338 self._test.assertEqual(rx[IP].ttl, tx[IP].ttl-1)
340 rx = IPv6(self.decrypt_transport(rx))
342 # chech the oringial packet is present
343 self._test.assertEqual(rx[IPv6].dst, tx[IPv6].dst)
344 self._test.assertEqual(rx[IPv6].ttl, tx[IPv6].ttl-1)
347 class TestWg(VppTestCase):
348 """ Wireguard Test Case """
350 error_str = compile(r"Error")
352 wg4_output_node_name = '/err/wg4-output-tun/'
353 wg4_input_node_name = '/err/wg4-input/'
354 wg6_output_node_name = '/err/wg6-output-tun/'
355 wg6_input_node_name = '/err/wg6-input/'
356 kp4_error = wg4_output_node_name + "Keypair error"
357 mac4_error = wg4_input_node_name + "Invalid MAC handshake"
358 peer4_error = wg4_input_node_name + "Peer error"
359 kp6_error = wg6_output_node_name + "Keypair error"
360 mac6_error = wg6_input_node_name + "Invalid MAC handshake"
361 peer6_error = wg6_input_node_name + "Peer error"
365 super(TestWg, cls).setUpClass()
367 cls.create_pg_interfaces(range(3))
368 for i in cls.pg_interfaces:
376 super(TestWg, cls).tearDownClass()
380 def tearDownClass(cls):
381 super(TestWg, cls).tearDownClass()
384 super(VppTestCase, self).setUp()
385 self.base_kp4_err = self.statistics.get_err_counter(self.kp4_error)
386 self.base_mac4_err = self.statistics.get_err_counter(self.mac4_error)
387 self.base_peer4_err = self.statistics.get_err_counter(self.peer4_error)
388 self.base_kp6_err = self.statistics.get_err_counter(self.kp6_error)
389 self.base_mac6_err = self.statistics.get_err_counter(self.mac6_error)
390 self.base_peer6_err = self.statistics.get_err_counter(self.peer6_error)
392 def test_wg_interface(self):
393 """ Simple interface creation """
397 wg0 = VppWgInterface(self,
399 port).add_vpp_config()
401 self.logger.info(self.vapi.cli("sh int"))
404 wg0.remove_vpp_config()
406 def test_handshake_hash(self):
407 """ test hashing an init message """
408 # a init packet generated by linux given the key below
409 h = "0100000098b9032b" \
429 b = bytearray.fromhex(h)
432 pubb = base64.b64decode("aRuHFTTxICIQNefp05oKWlJv3zgKxb8+WW7JJMh0jyM=")
433 pub = X25519PublicKey.from_public_bytes(pubb)
435 self.assertEqual(pubb, public_key_bytes(pub))
437 # strip the macs and build a new packet
439 mac_key = blake2s(b'mac1----' + public_key_bytes(pub)).digest()
440 init += blake2s(init,
442 key=mac_key).digest()
445 act = Wireguard(init)
447 self.assertEqual(tgt, act)
449 def test_wg_peer_resp(self):
450 """ Send handshake response """
454 wg0 = VppWgInterface(self,
456 port).add_vpp_config()
460 self.pg_enable_capture(self.pg_interfaces)
463 peer_1 = VppWgPeer(self,
467 ["10.11.3.0/24"]).add_vpp_config()
468 self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
470 r1 = VppIpRoute(self, "10.11.3.0", 24,
471 [VppRoutePath("10.11.3.1",
472 wg0.sw_if_index)]).add_vpp_config()
474 # wait for the peer to send a handshake
475 rx = self.pg1.get_capture(1, timeout=2)
477 # consume the handshake in the noise protocol and
478 # generate the response
479 resp = peer_1.consume_init(rx[0], self.pg1)
481 # send the response, get keepalive
482 rxs = self.send_and_expect(self.pg1, [resp], self.pg1)
485 b = peer_1.decrypt_transport(rx)
486 self.assertEqual(0, len(b))
488 # send a packets that are routed into the tunnel
489 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
490 IP(src=self.pg0.remote_ip4, dst="10.11.3.2") /
491 UDP(sport=555, dport=556) /
494 rxs = self.send_and_expect(self.pg0, p * 255, self.pg1)
496 peer_1.validate_encapped(rxs, p)
498 # send packets into the tunnel, expect to receive them on
500 p = [(peer_1.mk_tunnel_header(self.pg1) /
501 Wireguard(message_type=4, reserved_zero=0) /
503 receiver_index=peer_1.sender,
505 encrypted_encapsulated_packet=peer_1.encrypt_transport(
506 (IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20) /
507 UDP(sport=222, dport=223) /
508 Raw())))) for ii in range(255)]
510 rxs = self.send_and_expect(self.pg1, p, self.pg0)
513 self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
514 self.assertEqual(rx[IP].ttl, 19)
516 r1.remove_vpp_config()
517 peer_1.remove_vpp_config()
518 wg0.remove_vpp_config()
520 def test_wg_peer_v4o4(self):
526 wg0 = VppWgInterface(self,
528 port).add_vpp_config()
532 peer_1 = VppWgPeer(self,
536 ["10.11.3.0/24"]).add_vpp_config()
537 self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
539 r1 = VppIpRoute(self, "10.11.3.0", 24,
540 [VppRoutePath("10.11.3.1",
541 wg0.sw_if_index)]).add_vpp_config()
543 # route a packet into the wg interface
544 # use the allowed-ip prefix
545 # this is dropped because the peer is not initiated
546 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
547 IP(src=self.pg0.remote_ip4, dst="10.11.3.2") /
548 UDP(sport=555, dport=556) /
550 self.send_and_assert_no_replies(self.pg0, [p])
551 self.assertEqual(self.base_kp4_err + 1,
552 self.statistics.get_err_counter(self.kp4_error))
554 # send a handsake from the peer with an invalid MAC
555 p = peer_1.mk_handshake(self.pg1)
556 p[WireguardInitiation].mac1 = b'foobar'
557 self.send_and_assert_no_replies(self.pg1, [p])
558 self.assertEqual(self.base_mac4_err + 1,
559 self.statistics.get_err_counter(self.mac4_error))
561 # send a handsake from the peer but signed by the wrong key.
562 p = peer_1.mk_handshake(self.pg1,
564 X25519PrivateKey.generate().public_key())
565 self.send_and_assert_no_replies(self.pg1, [p])
566 self.assertEqual(self.base_peer4_err + 1,
567 self.statistics.get_err_counter(self.peer4_error))
569 # send a valid handsake init for which we expect a response
570 p = peer_1.mk_handshake(self.pg1)
572 rx = self.send_and_expect(self.pg1, [p], self.pg1)
574 peer_1.consume_response(rx[0])
576 # route a packet into the wg interface
577 # this is dropped because the peer is still not initiated
578 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
579 IP(src=self.pg0.remote_ip4, dst="10.11.3.2") /
580 UDP(sport=555, dport=556) /
582 self.send_and_assert_no_replies(self.pg0, [p])
583 self.assertEqual(self.base_kp4_err + 2,
584 self.statistics.get_err_counter(self.kp4_error))
586 # send a data packet from the peer through the tunnel
587 # this completes the handshake
588 p = (IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20) /
589 UDP(sport=222, dport=223) /
591 d = peer_1.encrypt_transport(p)
592 p = (peer_1.mk_tunnel_header(self.pg1) /
593 (Wireguard(message_type=4, reserved_zero=0) /
594 WireguardTransport(receiver_index=peer_1.sender,
596 encrypted_encapsulated_packet=d)))
597 rxs = self.send_and_expect(self.pg1, [p], self.pg0)
600 self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
601 self.assertEqual(rx[IP].ttl, 19)
603 # send a packets that are routed into the tunnel
604 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
605 IP(src=self.pg0.remote_ip4, dst="10.11.3.2") /
606 UDP(sport=555, dport=556) /
609 rxs = self.send_and_expect(self.pg0, p * 255, self.pg1)
612 rx = IP(peer_1.decrypt_transport(rx))
614 # chech the oringial packet is present
615 self.assertEqual(rx[IP].dst, p[IP].dst)
616 self.assertEqual(rx[IP].ttl, p[IP].ttl-1)
618 # send packets into the tunnel, expect to receive them on
620 p = [(peer_1.mk_tunnel_header(self.pg1) /
621 Wireguard(message_type=4, reserved_zero=0) /
623 receiver_index=peer_1.sender,
625 encrypted_encapsulated_packet=peer_1.encrypt_transport(
626 (IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20) /
627 UDP(sport=222, dport=223) /
628 Raw())))) for ii in range(255)]
630 rxs = self.send_and_expect(self.pg1, p, self.pg0)
633 self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
634 self.assertEqual(rx[IP].ttl, 19)
636 r1.remove_vpp_config()
637 peer_1.remove_vpp_config()
638 wg0.remove_vpp_config()
640 def test_wg_peer_v6o6(self):
646 wg0 = VppWgInterface(self,
648 port).add_vpp_config()
652 peer_1 = VppWgPeer(self,
656 ["1::3:0/112"]).add_vpp_config(True)
657 self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
659 r1 = VppIpRoute(self, "1::3:0", 112,
660 [VppRoutePath("1::3:1",
661 wg0.sw_if_index)]).add_vpp_config()
663 # route a packet into the wg interface
664 # use the allowed-ip prefix
665 # this is dropped because the peer is not initiated
667 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
668 IPv6(src=self.pg0.remote_ip6, dst="1::3:2") /
669 UDP(sport=555, dport=556) /
671 self.send_and_assert_no_replies(self.pg0, [p])
673 self.assertEqual(self.base_kp6_err + 1,
674 self.statistics.get_err_counter(self.kp6_error))
676 # send a handsake from the peer with an invalid MAC
677 p = peer_1.mk_handshake(self.pg1, True)
678 p[WireguardInitiation].mac1 = b'foobar'
679 self.send_and_assert_no_replies(self.pg1, [p])
681 self.assertEqual(self.base_mac6_err + 1,
682 self.statistics.get_err_counter(self.mac6_error))
684 # send a handsake from the peer but signed by the wrong key.
685 p = peer_1.mk_handshake(self.pg1,
687 X25519PrivateKey.generate().public_key())
688 self.send_and_assert_no_replies(self.pg1, [p])
689 self.assertEqual(self.base_peer6_err + 1,
690 self.statistics.get_err_counter(self.peer6_error))
692 # send a valid handsake init for which we expect a response
693 p = peer_1.mk_handshake(self.pg1, True)
695 rx = self.send_and_expect(self.pg1, [p], self.pg1)
697 peer_1.consume_response(rx[0], True)
699 # route a packet into the wg interface
700 # this is dropped because the peer is still not initiated
701 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
702 IPv6(src=self.pg0.remote_ip6, dst="1::3:2") /
703 UDP(sport=555, dport=556) /
705 self.send_and_assert_no_replies(self.pg0, [p])
706 self.assertEqual(self.base_kp6_err + 2,
707 self.statistics.get_err_counter(self.kp6_error))
709 # send a data packet from the peer through the tunnel
710 # this completes the handshake
711 p = (IPv6(src="1::3:1", dst=self.pg0.remote_ip6, hlim=20) /
712 UDP(sport=222, dport=223) /
714 d = peer_1.encrypt_transport(p)
715 p = (peer_1.mk_tunnel_header(self.pg1, True) /
716 (Wireguard(message_type=4, reserved_zero=0) /
717 WireguardTransport(receiver_index=peer_1.sender,
719 encrypted_encapsulated_packet=d)))
720 rxs = self.send_and_expect(self.pg1, [p], self.pg0)
723 self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
724 self.assertEqual(rx[IPv6].hlim, 19)
726 # send a packets that are routed into the tunnel
727 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
728 IPv6(src=self.pg0.remote_ip6, dst="1::3:2") /
729 UDP(sport=555, dport=556) /
732 rxs = self.send_and_expect(self.pg0, p * 255, self.pg1)
735 rx = IPv6(peer_1.decrypt_transport(rx, True))
737 # chech the oringial packet is present
738 self.assertEqual(rx[IPv6].dst, p[IPv6].dst)
739 self.assertEqual(rx[IPv6].hlim, p[IPv6].hlim-1)
741 # send packets into the tunnel, expect to receive them on
743 p = [(peer_1.mk_tunnel_header(self.pg1, True) /
744 Wireguard(message_type=4, reserved_zero=0) /
746 receiver_index=peer_1.sender,
748 encrypted_encapsulated_packet=peer_1.encrypt_transport(
749 (IPv6(src="1::3:1", dst=self.pg0.remote_ip6, hlim=20) /
750 UDP(sport=222, dport=223) /
751 Raw())))) for ii in range(255)]
753 rxs = self.send_and_expect(self.pg1, p, self.pg0)
756 self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
757 self.assertEqual(rx[IPv6].hlim, 19)
759 r1.remove_vpp_config()
760 peer_1.remove_vpp_config()
761 wg0.remove_vpp_config()
763 def test_wg_peer_v6o4(self):
769 wg0 = VppWgInterface(self,
771 port).add_vpp_config()
775 peer_1 = VppWgPeer(self,
779 ["1::3:0/112"]).add_vpp_config(True)
780 self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
782 r1 = VppIpRoute(self, "1::3:0", 112,
783 [VppRoutePath("1::3:1",
784 wg0.sw_if_index)]).add_vpp_config()
786 # route a packet into the wg interface
787 # use the allowed-ip prefix
788 # this is dropped because the peer is not initiated
789 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
790 IPv6(src=self.pg0.remote_ip6, dst="1::3:2") /
791 UDP(sport=555, dport=556) /
793 self.send_and_assert_no_replies(self.pg0, [p])
794 self.assertEqual(self.base_kp6_err + 1,
795 self.statistics.get_err_counter(self.kp6_error))
797 # send a handsake from the peer with an invalid MAC
798 p = peer_1.mk_handshake(self.pg1)
799 p[WireguardInitiation].mac1 = b'foobar'
800 self.send_and_assert_no_replies(self.pg1, [p])
802 self.assertEqual(self.base_mac4_err + 1,
803 self.statistics.get_err_counter(self.mac4_error))
805 # send a handsake from the peer but signed by the wrong key.
806 p = peer_1.mk_handshake(self.pg1,
808 X25519PrivateKey.generate().public_key())
809 self.send_and_assert_no_replies(self.pg1, [p])
810 self.assertEqual(self.base_peer4_err + 1,
811 self.statistics.get_err_counter(self.peer4_error))
813 # send a valid handsake init for which we expect a response
814 p = peer_1.mk_handshake(self.pg1)
816 rx = self.send_and_expect(self.pg1, [p], self.pg1)
818 peer_1.consume_response(rx[0])
820 # route a packet into the wg interface
821 # this is dropped because the peer is still not initiated
822 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
823 IPv6(src=self.pg0.remote_ip6, dst="1::3:2") /
824 UDP(sport=555, dport=556) /
826 self.send_and_assert_no_replies(self.pg0, [p])
827 self.assertEqual(self.base_kp6_err + 2,
828 self.statistics.get_err_counter(self.kp6_error))
830 # send a data packet from the peer through the tunnel
831 # this completes the handshake
832 p = (IPv6(src="1::3:1", dst=self.pg0.remote_ip6, hlim=20) /
833 UDP(sport=222, dport=223) /
835 d = peer_1.encrypt_transport(p)
836 p = (peer_1.mk_tunnel_header(self.pg1) /
837 (Wireguard(message_type=4, reserved_zero=0) /
838 WireguardTransport(receiver_index=peer_1.sender,
840 encrypted_encapsulated_packet=d)))
841 rxs = self.send_and_expect(self.pg1, [p], self.pg0)
844 self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
845 self.assertEqual(rx[IPv6].hlim, 19)
847 # send a packets that are routed into the tunnel
848 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
849 IPv6(src=self.pg0.remote_ip6, dst="1::3:2") /
850 UDP(sport=555, dport=556) /
853 rxs = self.send_and_expect(self.pg0, p * 255, self.pg1)
856 rx = IPv6(peer_1.decrypt_transport(rx))
858 # chech the oringial packet is present
859 self.assertEqual(rx[IPv6].dst, p[IPv6].dst)
860 self.assertEqual(rx[IPv6].hlim, p[IPv6].hlim-1)
862 # send packets into the tunnel, expect to receive them on
864 p = [(peer_1.mk_tunnel_header(self.pg1) /
865 Wireguard(message_type=4, reserved_zero=0) /
867 receiver_index=peer_1.sender,
869 encrypted_encapsulated_packet=peer_1.encrypt_transport(
870 (IPv6(src="1::3:1", dst=self.pg0.remote_ip6, hlim=20) /
871 UDP(sport=222, dport=223) /
872 Raw())))) for ii in range(255)]
874 rxs = self.send_and_expect(self.pg1, p, self.pg0)
877 self.assertEqual(rx[IPv6].dst, self.pg0.remote_ip6)
878 self.assertEqual(rx[IPv6].hlim, 19)
880 r1.remove_vpp_config()
881 peer_1.remove_vpp_config()
882 wg0.remove_vpp_config()
884 def test_wg_peer_v4o6(self):
890 wg0 = VppWgInterface(self,
892 port).add_vpp_config()
896 peer_1 = VppWgPeer(self,
900 ["10.11.3.0/24"]).add_vpp_config()
901 self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
903 r1 = VppIpRoute(self, "10.11.3.0", 24,
904 [VppRoutePath("10.11.3.1",
905 wg0.sw_if_index)]).add_vpp_config()
907 # route a packet into the wg interface
908 # use the allowed-ip prefix
909 # this is dropped because the peer is not initiated
910 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
911 IP(src=self.pg0.remote_ip4, dst="10.11.3.2") /
912 UDP(sport=555, dport=556) /
914 self.send_and_assert_no_replies(self.pg0, [p])
915 self.assertEqual(self.base_kp4_err + 1,
916 self.statistics.get_err_counter(self.kp4_error))
918 # send a handsake from the peer with an invalid MAC
919 p = peer_1.mk_handshake(self.pg1, True)
920 p[WireguardInitiation].mac1 = b'foobar'
921 self.send_and_assert_no_replies(self.pg1, [p])
922 self.assertEqual(self.base_mac6_err + 1,
923 self.statistics.get_err_counter(self.mac6_error))
925 # send a handsake from the peer but signed by the wrong key.
926 p = peer_1.mk_handshake(self.pg1,
928 X25519PrivateKey.generate().public_key())
929 self.send_and_assert_no_replies(self.pg1, [p])
930 self.assertEqual(self.base_peer6_err + 1,
931 self.statistics.get_err_counter(self.peer6_error))
933 # send a valid handsake init for which we expect a response
934 p = peer_1.mk_handshake(self.pg1, True)
936 rx = self.send_and_expect(self.pg1, [p], self.pg1)
938 peer_1.consume_response(rx[0], True)
940 # route a packet into the wg interface
941 # this is dropped because the peer is still not initiated
942 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
943 IP(src=self.pg0.remote_ip4, dst="10.11.3.2") /
944 UDP(sport=555, dport=556) /
946 self.send_and_assert_no_replies(self.pg0, [p])
947 self.assertEqual(self.base_kp4_err + 2,
948 self.statistics.get_err_counter(self.kp4_error))
950 # send a data packet from the peer through the tunnel
951 # this completes the handshake
952 p = (IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20) /
953 UDP(sport=222, dport=223) /
955 d = peer_1.encrypt_transport(p)
956 p = (peer_1.mk_tunnel_header(self.pg1, True) /
957 (Wireguard(message_type=4, reserved_zero=0) /
958 WireguardTransport(receiver_index=peer_1.sender,
960 encrypted_encapsulated_packet=d)))
961 rxs = self.send_and_expect(self.pg1, [p], self.pg0)
964 self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
965 self.assertEqual(rx[IP].ttl, 19)
967 # send a packets that are routed into the tunnel
968 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
969 IP(src=self.pg0.remote_ip4, dst="10.11.3.2") /
970 UDP(sport=555, dport=556) /
973 rxs = self.send_and_expect(self.pg0, p * 255, self.pg1)
976 rx = IP(peer_1.decrypt_transport(rx, True))
978 # chech the oringial packet is present
979 self.assertEqual(rx[IP].dst, p[IP].dst)
980 self.assertEqual(rx[IP].ttl, p[IP].ttl-1)
982 # send packets into the tunnel, expect to receive them on
984 p = [(peer_1.mk_tunnel_header(self.pg1, True) /
985 Wireguard(message_type=4, reserved_zero=0) /
987 receiver_index=peer_1.sender,
989 encrypted_encapsulated_packet=peer_1.encrypt_transport(
990 (IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20) /
991 UDP(sport=222, dport=223) /
992 Raw())))) for ii in range(255)]
994 rxs = self.send_and_expect(self.pg1, p, self.pg0)
997 self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
998 self.assertEqual(rx[IP].ttl, 19)
1000 r1.remove_vpp_config()
1001 peer_1.remove_vpp_config()
1002 wg0.remove_vpp_config()
1004 def test_wg_multi_peer(self):
1005 """ multiple peer setup """
1009 wg0 = VppWgInterface(self,
1011 port).add_vpp_config()
1012 wg1 = VppWgInterface(self,
1014 port+1).add_vpp_config()
1018 # Check peer counter
1019 self.assertEqual(len(self.vapi.wireguard_peers_dump()), 0)
1021 self.pg_enable_capture(self.pg_interfaces)
1024 # Create many peers on sencond interface
1026 self.pg2.generate_remote_hosts(NUM_PEERS)
1027 self.pg2.configure_ipv4_neighbors()
1028 self.pg1.generate_remote_hosts(NUM_PEERS)
1029 self.pg1.configure_ipv4_neighbors()
1035 for i in range(NUM_PEERS):
1036 peers_1.append(VppWgPeer(self,
1038 self.pg1.remote_hosts[i].ip4,
1040 ["10.0.%d.4/32" % i]).add_vpp_config())
1041 routes_1.append(VppIpRoute(self, "10.0.%d.4" % i, 32,
1042 [VppRoutePath(self.pg1.remote_hosts[i].ip4,
1043 wg0.sw_if_index)]).add_vpp_config())
1045 peers_2.append(VppWgPeer(self,
1047 self.pg2.remote_hosts[i].ip4,
1049 ["10.100.%d.4/32" % i]).add_vpp_config())
1050 routes_2.append(VppIpRoute(self, "10.100.%d.4" % i, 32,
1051 [VppRoutePath(self.pg2.remote_hosts[i].ip4,
1052 wg1.sw_if_index)]).add_vpp_config())
1054 self.assertEqual(len(self.vapi.wireguard_peers_dump()), NUM_PEERS*2)
1056 self.logger.info(self.vapi.cli("show wireguard peer"))
1057 self.logger.info(self.vapi.cli("show wireguard interface"))
1058 self.logger.info(self.vapi.cli("show adj 37"))
1059 self.logger.info(self.vapi.cli("sh ip fib 172.16.3.17"))
1060 self.logger.info(self.vapi.cli("sh ip fib 10.11.3.0"))
1064 r.remove_vpp_config()
1066 r.remove_vpp_config()
1070 self.assertTrue(p.query_vpp_config())
1071 p.remove_vpp_config()
1073 self.assertTrue(p.query_vpp_config())
1074 p.remove_vpp_config()
1076 wg0.remove_vpp_config()
1077 wg1.remove_vpp_config()
1079 def test_wg_multi_interface(self):
1080 """ Multi-tunnel on the same port """
1083 # Create many wireguard interfaces
1085 self.pg1.generate_remote_hosts(NUM_IFS)
1086 self.pg1.configure_ipv4_neighbors()
1087 self.pg0.generate_remote_hosts(NUM_IFS)
1088 self.pg0.configure_ipv4_neighbors()
1090 # Create interfaces with a peer on each
1094 for i in range(NUM_IFS):
1095 # Use the same port for each interface
1096 wg0 = VppWgInterface(self,
1098 port).add_vpp_config()
1102 peers.append(VppWgPeer(self,
1104 self.pg1.remote_hosts[i].ip4,
1106 ["10.0.%d.0/24" % i]).add_vpp_config())
1108 routes.append(VppIpRoute(self, "10.0.%d.0" % i, 24,
1109 [VppRoutePath("10.0.%d.4" % i,
1110 wg0.sw_if_index)]).add_vpp_config())
1112 self.assertEqual(len(self.vapi.wireguard_peers_dump()), NUM_IFS)
1114 for i in range(NUM_IFS):
1115 # send a valid handsake init for which we expect a response
1116 p = peers[i].mk_handshake(self.pg1)
1117 rx = self.send_and_expect(self.pg1, [p], self.pg1)
1118 peers[i].consume_response(rx[0])
1120 # send a data packet from the peer through the tunnel
1121 # this completes the handshake
1122 p = (IP(src="10.0.%d.4" % i,
1123 dst=self.pg0.remote_hosts[i].ip4, ttl=20) /
1124 UDP(sport=222, dport=223) /
1126 d = peers[i].encrypt_transport(p)
1127 p = (peers[i].mk_tunnel_header(self.pg1) /
1128 (Wireguard(message_type=4, reserved_zero=0) /
1129 WireguardTransport(receiver_index=peers[i].sender,
1131 encrypted_encapsulated_packet=d)))
1132 rxs = self.send_and_expect(self.pg1, [p], self.pg0)
1134 self.assertEqual(rx[IP].dst, self.pg0.remote_hosts[i].ip4)
1135 self.assertEqual(rx[IP].ttl, 19)
1137 # send a packets that are routed into the tunnel
1138 for i in range(NUM_IFS):
1139 p = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1140 IP(src=self.pg0.remote_hosts[i].ip4, dst="10.0.%d.4" % i) /
1141 UDP(sport=555, dport=556) /
1144 rxs = self.send_and_expect(self.pg0, p * 64, self.pg1)
1147 rx = IP(peers[i].decrypt_transport(rx))
1149 # check the oringial packet is present
1150 self.assertEqual(rx[IP].dst, p[IP].dst)
1151 self.assertEqual(rx[IP].ttl, p[IP].ttl-1)
1153 # send packets into the tunnel
1154 for i in range(NUM_IFS):
1155 p = [(peers[i].mk_tunnel_header(self.pg1) /
1156 Wireguard(message_type=4, reserved_zero=0) /
1158 receiver_index=peers[i].sender,
1160 encrypted_encapsulated_packet=peers[i].encrypt_transport(
1161 (IP(src="10.0.%d.4" % i,
1162 dst=self.pg0.remote_hosts[i].ip4, ttl=20) /
1163 UDP(sport=222, dport=223) /
1164 Raw())))) for ii in range(64)]
1166 rxs = self.send_and_expect(self.pg1, p, self.pg0)
1169 self.assertEqual(rx[IP].dst, self.pg0.remote_hosts[i].ip4)
1170 self.assertEqual(rx[IP].ttl, 19)
1173 r.remove_vpp_config()
1175 p.remove_vpp_config()
1177 i.remove_vpp_config()
1180 class WireguardHandoffTests(TestWg):
1181 """ Wireguard Tests in multi worker setup """
1182 vpp_worker_count = 2
1184 def test_wg_peer_init(self):
1190 wg0 = VppWgInterface(self,
1192 port).add_vpp_config()
1196 peer_1 = VppWgPeer(self,
1198 self.pg1.remote_ip4,
1201 "10.11.3.0/24"]).add_vpp_config()
1202 self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
1204 r1 = VppIpRoute(self, "10.11.3.0", 24,
1205 [VppRoutePath("10.11.3.1",
1206 wg0.sw_if_index)]).add_vpp_config()
1208 # send a valid handsake init for which we expect a response
1209 p = peer_1.mk_handshake(self.pg1)
1211 rx = self.send_and_expect(self.pg1, [p], self.pg1)
1213 peer_1.consume_response(rx[0])
1215 # send a data packet from the peer through the tunnel
1216 # this completes the handshake and pins the peer to worker 0
1217 p = (IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20) /
1218 UDP(sport=222, dport=223) /
1220 d = peer_1.encrypt_transport(p)
1221 p = (peer_1.mk_tunnel_header(self.pg1) /
1222 (Wireguard(message_type=4, reserved_zero=0) /
1223 WireguardTransport(receiver_index=peer_1.sender,
1225 encrypted_encapsulated_packet=d)))
1226 rxs = self.send_and_expect(self.pg1, [p], self.pg0,
1230 self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
1231 self.assertEqual(rx[IP].ttl, 19)
1233 # send a packets that are routed into the tunnel
1234 # and pins the peer tp worker 1
1235 pe = (Ether(dst=self.pg0.local_mac, src=self.pg0.remote_mac) /
1236 IP(src=self.pg0.remote_ip4, dst="10.11.3.2") /
1237 UDP(sport=555, dport=556) /
1239 rxs = self.send_and_expect(self.pg0, pe * 255, self.pg1, worker=1)
1240 peer_1.validate_encapped(rxs, pe)
1242 # send packets into the tunnel, from the other worker
1243 p = [(peer_1.mk_tunnel_header(self.pg1) /
1244 Wireguard(message_type=4, reserved_zero=0) /
1246 receiver_index=peer_1.sender,
1248 encrypted_encapsulated_packet=peer_1.encrypt_transport(
1249 (IP(src="10.11.3.1", dst=self.pg0.remote_ip4, ttl=20) /
1250 UDP(sport=222, dport=223) /
1251 Raw())))) for ii in range(255)]
1253 rxs = self.send_and_expect(self.pg1, p, self.pg0, worker=1)
1256 self.assertEqual(rx[IP].dst, self.pg0.remote_ip4)
1257 self.assertEqual(rx[IP].ttl, 19)
1259 # send a packets that are routed into the tunnel
1261 rxs = self.send_and_expect(self.pg0, pe * 255, self.pg1, worker=0)
1263 peer_1.validate_encapped(rxs, pe)
1265 r1.remove_vpp_config()
1266 peer_1.remove_vpp_config()
1267 wg0.remove_vpp_config()
1269 @unittest.skip("test disabled")
1270 def test_wg_multi_interface(self):
1271 """ Multi-tunnel on the same port """