genode/repos/dde_linux/run/wg_reconfig.run

583 lines
19 KiB
Plaintext
Raw Normal View History

#
# Two pings (peer 1 and peer 4) and a fetchurl (peer 3) try to reach a server
# (peer 2) through a WireGuard VNP (10.0.9.0/24) while the configuration of
# the server WireGuard changes. Each peer has its own WireGuard instance and
# talks to the other peers only through WireGuard.
#
# In configuration step 1, the server WireGuard accepts only peer 1. In step 2
# it gets re-configured to accept only peer 3. Then, in step 3, it gets
# re-configured to accept both peer 1 and peer 4 and, in the final step 4, an
# attempt is made to re-configure the private key, which should fail.
#
# Note that the peer 1 WireGuard has to be reconfigured as well, in order to
# be forced to redo the initiation handshake for configuration step 3 of the
# server WireGuard.
#
if {[expr ![have_spec arm_v8a] && ![have_spec x86_64]]} {
puts "Run script is not supported on this platform."
exit 0
}
create_boot_directory
import_from_depot [depot_user]/src/libc \
[depot_user]/src/libssh \
[depot_user]/src/lighttpd \
[depot_user]/src/openssl \
[depot_user]/src/posix \
[depot_user]/src/vfs \
[depot_user]/src/vfs_lwip \
[depot_user]/src/zlib
proc peer_1_wg_config {peers} {
append result {
<config private_key="0CtU34qsl97IGiYKSO4tMaF/SJvy04zzeQkhZEbZSk0="
listen_port="49001">
}
if {[lsearch $peers peer_3] != -1} {
append result {
<peer public_key="GrvyALPZ3PQ2AWM+ovxJqnxSqKpmTyqUui5jH+C8I0E="
endpoint_ip="10.1.2.1"
endpoint_port="49002"
allowed_ip="10.0.9.2/32" />
}
}
append result {
</config>
}
return $result
}
proc peer_2_wg_config {peers private_key} {
switch $private_key {
private_key_1 {
append result {
<config private_key="8GRSQZMgG1uuvz4APIBqrDmiLj8L886r++hzixjjHFc="
}
}
private_key_2 {
append result {
<config private_key="oKzvdG6XOPRyFaruEfwTTNiGlsDKHqO4HOrN0lnrcGM="
}
}
}
append result {
listen_port="49002">
}
if {[lsearch $peers peer_1] != -1} {
append result {
<peer public_key="r1Gslnm82X8NaijsWzPoSFzDZGl2tTJoPa+EJL4gYQw="
allowed_ip="10.0.9.1/32" />
}
}
if {[lsearch $peers peer_3] != -1} {
append result {
<peer public_key="gFRbQOj7cVLoLKDIFfNZbguw89vuZrc0i74TV5qOexY="
allowed_ip="10.0.9.3/32" />
}
}
if {[lsearch $peers peer_4] != -1} {
append result {
<peer public_key="qBj913LPLPO5543Iaz80wTJdUrdjoCafinRQhREIQF4="
allowed_ip="10.0.9.4/32" />
}
}
append result {
</config>
}
return $result
}
append config {
<config>
<parent-provides>
<service name="ROM"/>
<service name="IRQ"/>
<service name="IO_MEM"/>
<service name="IO_PORT"/>
<service name="PD"/>
<service name="RM"/>
<service name="CPU"/>
<service name="LOG"/>
</parent-provides>
<start name="timer" caps="100">
<resource name="RAM" quantum="1M"/>
<provides> <service name="Timer"/> </provides>
<route>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="dynamic_rom" caps="100">
<resource name="RAM" quantum="4M"/>
<provides><service name="ROM"/></provides>
<config verbose="yes">
<rom name="peer_2_wg_config">
<inline description="step 1: peer_1_only">
} [peer_2_wg_config peer_1 private_key_1] {
</inline>
<sleep milliseconds="5000"/>
<inline description="step 2: peer_3_only">
} [peer_2_wg_config peer_3 private_key_1] {
</inline>
<sleep milliseconds="5000"/>
<inline description="step 3: peer_1_and peer 4">
} [peer_2_wg_config {peer_1 peer_4} private_key_1] {
</inline>
<sleep milliseconds="5000"/>
<inline description="step 4: invalid reconfiguration attempt">
} [peer_2_wg_config {peer_1 peer_4} private_key_2] {
</inline>
<sleep milliseconds="600000"/>
</rom>
<rom name="peer_1_wg_config">
<inline> } [peer_1_wg_config peer_3] { </inline>
<sleep milliseconds="9000"/>
<inline> } [peer_1_wg_config { }] { </inline>
<sleep milliseconds="1000"/>
<inline> } [peer_1_wg_config peer_3] { </inline>
<sleep milliseconds="600000"/>
</rom>
</config>
<route>
<service name="Timer"> <child name="timer"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="report" caps="100">
<binary name="report_rom"/>
<resource name="RAM" quantum="1M"/>
<provides> <service name="Report"/> <service name="ROM"/> </provides>
<route>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="peer_1_ping" caps="100">
<binary name="ping"/>
<resource name="RAM" quantum="8M"/>
<config dst_ip="10.0.9.2" period_sec="1" count="1000"/>
<route>
<service name="Nic"> <child name="nic_router"/> </service>
<service name="Timer"> <child name="timer"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="peer_4_ping" caps="100">
<binary name="ping"/>
<resource name="RAM" quantum="8M"/>
<config dst_ip="10.0.9.2" period_sec="1" count="1000"/>
<route>
<service name="Nic"> <child name="nic_router"/> </service>
<service name="Timer"> <child name="timer"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="peer_3_fetchurl" caps="200">
<binary name="fetchurl"/>
<resource name="RAM" quantum="10M"/>
<config progress_timeout="3000">
<report progress="yes"/>
<vfs>
<dir name="dev">
<log/> <null/>
<inline name="rtc">2019-07-04 12:00</inline>
<inline name="random">01234567890123456789</inline>
</dir>
<dir name="socket">
<lwip dhcp="yes"/>
</dir>
<dir name="vm">
<ram/>
</dir>
</vfs>
<libc stdout="/dev/log" stderr="/dev/log" rtc="/dev/rtc" socket="/socket"/>
<fetch url="10.0.9.2" path="/vm/index.html" retry="1000"/>
</config>
<route>
<service name="File_system"> <child name="lx_fs"/> </service>
<service name="Report"> <child name="report"/> </service>
<service name="Timer"> <child name="timer"/> </service>
<service name="Nic"> <child name="nic_router"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="peer_1_wg" caps="200">
<binary name="wireguard"/>
<resource name="RAM" quantum="10M"/>
<route>
<service name="ROM" label="config">
<child label="peer_1_wg_config" name="dynamic_rom"/>
</service>
<service name="Timer"> <child name="timer"/> </service>
<service name="Nic"> <child name="nic_router"/> </service>
<service name="Uplink"> <child name="nic_router"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="peer_2_wg" caps="200">
<binary name="wireguard"/>
<resource name="RAM" quantum="10M"/>
<route>
<service name="ROM" label="config">
<child label="peer_2_wg_config" name="dynamic_rom"/>
</service>
<service name="Timer"> <child name="timer"/> </service>
<service name="Nic"> <child name="nic_router"/> </service>
<service name="Uplink"> <child name="nic_router"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="peer_3_wg" caps="200">
<binary name="wireguard"/>
<resource name="RAM" quantum="10M"/>
<config private_key="EA+4fJCOJM5/C90zCwsh4jTdKMnlQ2JOnW1bvkwdnEA="
listen_port="49003">
<peer public_key="GrvyALPZ3PQ2AWM+ovxJqnxSqKpmTyqUui5jH+C8I0E="
endpoint_ip="10.3.2.1"
endpoint_port="49002"
allowed_ip="10.0.9.2/32" />
</config>
<route>
<service name="Timer"> <child name="timer"/> </service>
<service name="Nic"> <child name="nic_router"/> </service>
<service name="Uplink"> <child name="nic_router"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="peer_4_wg" caps="200">
<binary name="wireguard"/>
<resource name="RAM" quantum="10M"/>
<config private_key="2OhXWuHHho3fTVi+7LB/ggK0w4cDvFYFJMC3/Mx6Bls="
listen_port="49004">
<peer public_key="GrvyALPZ3PQ2AWM+ovxJqnxSqKpmTyqUui5jH+C8I0E="
endpoint_ip="10.4.2.1"
endpoint_port="49002"
allowed_ip="10.0.9.2/32" />
</config>
<route>
<service name="Timer"> <child name="timer"/> </service>
<service name="Nic"> <child name="nic_router"/> </service>
<service name="Uplink"> <child name="nic_router"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="nic_router" caps="200">
<resource name="RAM" quantum="10M"/>
<provides>
<service name="Nic"/>
<service name="Uplink"/>
</provides>
<config>
<!-- Peer 1 (ping) -->
<policy label="peer_1_wg -> nic_session" domain="peer_1_outer_downlink"/>
<policy label="peer_1_wg -> uplink_session" domain="peer_1_inner_uplink"/>
<policy label="peer_1_ping -> " domain="peer_1_inner_downlink"/>
<domain name="peer_1_outer_downlink" interface="10.1.2.1/24">
<dhcp-server ip_first="10.1.2.2" ip_last="10.1.2.2"/>
<udp-forward port="49002" domain="peer_2_outer_downlink" to="10.0.3.2"/>
</domain>
<domain name="peer_1_inner_uplink" interface="10.0.9.1/24" use_arp="no">
<nat domain="peer_1_inner_downlink" icmp-ids="1000"/>
</domain>
<domain name="peer_1_inner_downlink" interface="10.1.3.1/24">
<dhcp-server ip_first="10.1.3.2" ip_last="10.1.3.2"/>
<icmp dst="10.0.9.2/24" domain="peer_1_inner_uplink"/>
</domain>
<!-- Peer 2 (lighttpd) -->
<policy label="peer_2_wg -> nic_session" domain="peer_2_outer_downlink"/>
<policy label="peer_2_wg -> uplink_session" domain="peer_2_inner_uplink"/>
<policy label="peer_2_lighttpd -> lwip" domain="peer_2_inner_downlink"/>
<domain name="peer_2_outer_downlink" interface="10.0.3.1/24">
<dhcp-server ip_first="10.0.3.2" ip_last="10.0.3.2"/>
</domain>
<domain name="peer_2_inner_uplink" interface="10.0.9.2/24" use_arp="no" icmp_echo_server="yes">
<tcp-forward port="80" domain="peer_2_inner_downlink" to="10.0.5.2"/>
</domain>
<domain name="peer_2_inner_downlink" interface="10.0.5.1/24">
<dhcp-server ip_first="10.0.5.2" ip_last="10.0.5.2"/>
</domain>
<!-- Peer 3 (fetchurl)-->
<policy label="peer_3_wg -> nic_session" domain="peer_3_outer_downlink"/>
<policy label="peer_3_wg -> uplink_session" domain="peer_3_inner_uplink"/>
<policy label="peer_3_fetchurl -> lwip" domain="peer_3_inner_downlink"/>
<domain name="peer_3_outer_downlink" interface="10.3.2.1/24">
<dhcp-server ip_first="10.3.2.2" ip_last="10.3.2.2"/>
<udp-forward port="49002" domain="peer_2_outer_downlink" to="10.0.3.2"/>
</domain>
<domain name="peer_3_inner_uplink" interface="10.0.9.3/24" use_arp="no">
<nat domain="peer_3_inner_downlink" tcp-ports="1000"/>
</domain>
<domain name="peer_3_inner_downlink" interface="10.3.3.1/24">
<dhcp-server ip_first="10.3.3.2" ip_last="10.3.3.2"/>
<tcp dst="10.0.9.2/24">
<permit port="80" domain="peer_3_inner_uplink"/>
</tcp>
</domain>
<!-- Peer 4 (ping) -->
<policy label="peer_4_wg -> nic_session" domain="peer_4_outer_downlink"/>
<policy label="peer_4_wg -> uplink_session" domain="peer_4_inner_uplink"/>
<policy label="peer_4_ping -> " domain="peer_4_inner_downlink"/>
<domain name="peer_4_outer_downlink" interface="10.4.2.1/24">
<dhcp-server ip_first="10.4.2.2" ip_last="10.4.2.2"/>
<udp-forward port="49002" domain="peer_2_outer_downlink" to="10.0.3.2"/>
</domain>
<domain name="peer_4_inner_uplink" interface="10.0.9.4/24" use_arp="no">
<nat domain="peer_4_inner_downlink" icmp-ids="1000"/>
</domain>
<domain name="peer_4_inner_downlink" interface="10.4.3.1/24">
<dhcp-server ip_first="10.4.3.2" ip_last="10.4.3.2"/>
<icmp dst="10.0.9.2/24" domain="peer_4_inner_uplink"/>
</domain>
</config>
<route>
<service name="Timer"> <child name="timer"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
<start name="peer_2_lighttpd" caps="200">
<binary name="lighttpd"/>
<resource name="RAM" quantum="50M" />
<config>
<arg value="lighttpd" />
<arg value="-f" />
<arg value="/etc/lighttpd/lighttpd.conf" />
<arg value="-D" />
<vfs>
<dir name="dev">
<log/> <null/>
<inline name="rtc">2000-01-01 00:00</inline>
<inline name="random">0123456789012345678901234567890123456789</inline>
</dir>
<dir name="socket"> <lwip dhcp="yes"/> </dir>
<dir name="etc">
<dir name="lighttpd">
<inline name="lighttpd.conf">
# lighttpd configuration
server.port = 80
server.document-root = "/website"
server.event-handler = "select"
server.network-backend = "write"
server.upload-dirs = ( "/tmp" )
server.modules = ("mod_openssl")
index-file.names = (
"index.xhtml", "index.html", "index.htm"
)
mimetype.assign = (
".html" => "text/html",
".htm" => "text/html"
)
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/example.pem"
}
</inline>
<inline name="example.pem">
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC4KHUZjDRew89c
wDlYPz9XFigcMDnDlHzdg2ByrGZIOUNYC5LH1QUK0TDbPP45Xx455niA0QY85dMQ
4DQx0Qk6+TDpVD3F2MYQgbIX6YkX9kgqX+jiHgsNzRD4KamNYmfUY+dJhlZEXWAF
uNSnRLvg4EH72AVKLLKiruGwkisW/AYU6dNE8iFOYL8Q75bBUADiQSDdD8vkpeXg
1NqxNyHPR6YRbA+vqcK0kbC8btKR9wG6m99OhTR4x3M87vtFFLNtJNEf54fYxi+L
1rljSqHbaXD+XJsVKgX+UlI1ZlYW4KqlMciMemkBp0CovCxLfsbMmkXAW2RONpkm
+sdO3CXFAgMBAAECggEAIKv00nqAVAuzP0ZPJivaZe3lYdLgfKVcXcRQGSgi4U9f
dkBfYxqU0W15mHvCspUAfM85s8jhrW4suwK739axJ4hMOCkc6Hvj78vCt+FT1C96
cCIh4/PmjCVEjHJ/xTifKRwsTWwK5AgY4AsBl0dneabvremOTrGNY7VZDwVvpZz1
qXkSNjQ63tZKj9cESO5ceGLzuBAG6JDDpqJM5fmdsQ36/QVz9Gogr8bXEWFM1TOo
lWVAPB/l6nqKurfMv+5th354+owv9CGKxqLBE1fujwE2VogBz7mkR/rnABOPU5ev
wQVLXoUkO2bI8Uvc28lChaiG6ihfdmNCmwoi56HFRQKBgQDj0WoIxiY7H42KV7Hh
uQZv/0aoQyjXuqJ7Vq0HdxOAxZr0GpSYgo3MTZWooI2AnAstPHXo0BsQr+XVijWm
xiDxMM4p9nrBzjEIHwyDaf62Pz/6lIPdenynLiEIOUbocJ3r0/3tCrY3U7fgjzYY
f9PZmXKEOOKdbVPyXG0OIJ/ADwKBgQDO8GkCdVGy/YB0X7ntqcBG0xgmDnKRmYpQ
X7Tb377AT2lzvftxaRVrx+UXtvFdy4xdrxjqHJCgOHT/fsAfjJlo7v1+KhTvE0pt
jCdJPLbzXJRwaISaeEaMJ/N8Vv/j2/YuoS5M5vh4NlWeO16HtF7N9V9cMEZ5iRW1
9G/eWgOo6wKBgQCY6rn3xblnuhgxogd+ccmGZ50v2FST6WyiyV0/Q4hNyVXnP+g6
LneriPBJzertRtChvpGOghGIs+jb2veESD1YZ+Aafp2LdTGoN98YXo9gGTiCpCmX
Al6lgOsfMAMOhnkaEKPC9ou0u3cTPk2bSEIVL1CUu/IwpW/RoIR7FR7ltQKBgQDA
RAmsqQfhPzqL5SzALclhhFuZcC7uLDOf/WvyJW37C000pjzp3/JxE2Y8pFKZDLc7
i6WgTi3pTssVXtRt+5nFLtcC02Jjxg6OvXr6xphMf6XC0rjxM/KH4c6Npd9V+1Y9
eK+l76rHNeRSgWKQvvqebO3On2O7I6yyQ4t0kTl5RQKBgQCbX1cTtNmNr6HNleXL
zfclKESSYy57uq3fQxhRrEE2ZNbemLOxEuoBCFYoMwpZEjC1GZyICrM7o5673/Ih
I0oZerUBmt2l8noZCQoITEa97bCbp2vIdHYnCf/H3Nf2qM329fc00kAmm7vUVRgM
4BqXnuFcAOuY68sgp9JArzK+EQ==
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDazCCAlOgAwIBAgIUYPOYXijLmMjjlgRCGHuZeyP0iPEwDQYJKoZIhvcNAQEL
BQAwRTELMAkGA1UEBhMCREUxEzARBgNVBAgMClNvbWUtU3RhdGUxDTALBgNVBAoM
BFRlc3QxEjAQBgNVBAMMCTEwLjAuMi41NTAeFw0yMDA1MTQxNDQ0MzlaFw00NzA5
MzAxNDQ0MzlaMEUxCzAJBgNVBAYTAkRFMRMwEQYDVQQIDApTb21lLVN0YXRlMQ0w
CwYDVQQKDARUZXN0MRIwEAYDVQQDDAkxMC4wLjIuNTUwggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQC4KHUZjDRew89cwDlYPz9XFigcMDnDlHzdg2ByrGZI
OUNYC5LH1QUK0TDbPP45Xx455niA0QY85dMQ4DQx0Qk6+TDpVD3F2MYQgbIX6YkX
9kgqX+jiHgsNzRD4KamNYmfUY+dJhlZEXWAFuNSnRLvg4EH72AVKLLKiruGwkisW
/AYU6dNE8iFOYL8Q75bBUADiQSDdD8vkpeXg1NqxNyHPR6YRbA+vqcK0kbC8btKR
9wG6m99OhTR4x3M87vtFFLNtJNEf54fYxi+L1rljSqHbaXD+XJsVKgX+UlI1ZlYW
4KqlMciMemkBp0CovCxLfsbMmkXAW2RONpkm+sdO3CXFAgMBAAGjUzBRMB0GA1Ud
DgQWBBQvSHuosL/SDn/8sKl0dpyPeFvOfjAfBgNVHSMEGDAWgBQvSHuosL/SDn/8
sKl0dpyPeFvOfjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBR
sGYEuRwIU/tmAmTbniptItN9VE0NNj9QeKh+hKQ9cHvhxmlBlf5b7Vb2JaRZdy88
kRIFKiNkyjgQVg+5KuEIcg17mHSal7zG+jIZ3c1bIpVCM4AjUe7EXl8LM4+dJ5sX
Bwpd34tUk2edOiT8R/dU7uesxCdeIQ2FfvKyrXca73nj+UTvFGXUk/9mWY8KAaYc
F/PWBhiZhJD4/dkUHJnrVtjpcqW2Io8bFmrMq2vfqQv+W2FZGCsHgXkAZO2E0jyQ
5eOrwzgWRtMc5PvoGvqQfefseaLs0fvSQdcPqfv88Eqk5NGTOCIW8/KEsBwFJuwa
EpA5DBBklj8UE2CdONvN
-----END CERTIFICATE-----
</inline>
</dir>
</dir>
<dir name="website">
<inline name="index.html">
<html>
<head>
<title>Hello</title>
</head>
<body>
<p>Hello Genode!</p>
<b>I am bold ;-)</b>
</body>
</html>
</inline>
</dir>
<dir name="tmp"> <ram/> </dir>
</vfs>
<libc stdin="/dev/null" stdout="/dev/log" stderr="/dev/log"
rtc="/dev/rtc" rng="/dev/random" socket="/socket"/>
</config>
<route>
<service name="File_system"> <child name="lx_fs"/> </service>
<service name="Nic"> <child name="nic_router"/> </service>
<service name="Timer"> <child name="timer"/> </service>
<service name="ROM"> <parent/> </service>
<service name="PD"> <parent/> </service>
<service name="CPU"> <parent/> </service>
<service name="LOG"> <parent/> </service>
</route>
</start>
</config>
}
install_config $config
append targets {
core init timer lib/ld server/nic_router app/wireguard server/report_rom app/ping
app/fetchurl server/dynamic_rom }
append boot_modules {
core init timer nic_router wireguard fetchurl ping report_rom curl.lib.so
ld.lib.so dynamic_rom }
build $targets
build_boot_image $boot_modules
append qemu_args "-nographic "
append output_pattern "peer_1_ping. 64 bytes from 10.0.9.2.*\n"
append output_pattern ".*peer_1_ping. 64 bytes from 10.0.9.2.*\n"
append output_pattern ".*child \"peer_3_fetchurl\" exited with exit value 0.*\n"
append output_pattern ".*peer_1_ping. 64 bytes from 10.0.9.2.*\n"
append output_pattern ".*peer_4_ping. 64 bytes from 10.0.9.2.*\n"
append output_pattern ".*peer_2_wg. .*Error: Uncaught exception of type .*Invalid_reconfiguration_attempt.*\n"
run_genode_until $output_pattern 45