From 4d290c3aa74c7bd346b311940e5feb399464057e Mon Sep 17 00:00:00 2001
From: Artem Glazychev
Date: Tue, 24 Jan 2023 15:34:00 +0700
Subject: wireguard: update ESTABLISHED flag

We cannot confidently say that if we have received and processed the handshake_initiation message, then the connection has been established. Because we also send a response. The fact that the connection is established can only be considered if a keepalive packet was received.

Type: fix

Signed-off-by: Artem Glazychev
Change-Id: I61731916071990f28cdebcd1d0e4d302fa1dee15
---
 src/plugins/wireguard/wireguard_input.c | 8 +++-----
 test/test_wireguard.py | 30 +++++++++++++++++++++++++++++-
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/src/plugins/wireguard/wireguard_input.c b/src/plugins/wireguard/wireguard_input.c
index 777f0ec54b3..6b8c803c97d 100644
--- a/src/plugins/wireguard/wireguard_input.c
+++ b/src/plugins/wireguard/wireguard_input.c
@@ -266,10 +266,6 @@ wg_handshake_process (vlib_main_t *vm, wg_main_t *wmp, vlib_buffer_t *b,
 vlib_node_increment_counter (vm, node_idx,
 WG_INPUT_ERROR_HANDSHAKE_SEND, 1);
 }
- else
- {
- wg_peer_update_flags (rp->r_peer_idx, WG_PEER_ESTABLISHED, true);
- }
 break;
 }
 case MESSAGE_HANDSHAKE_RESPONSE:
@@ -365,7 +361,7 @@ wg_input_post_process (vlib_main_t *vm, vlib_buffer_t *b, u16 *next,
 if (decr_len == 0)
 {
 *is_keepalive = true;
- return -1;
+ return 0;
 }
 wg_timers_data_received (peer);
@@ -870,6 +866,7 @@ wg_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 out_udp_src_port);
 wg_timers_any_authenticated_packet_received_opt (peer, time);
 wg_timers_any_authenticated_packet_traversal (peer);
+ wg_peer_update_flags (*peer_idx, WG_PEER_ESTABLISHED, true);
 last_peer_time_idx = peer_idx;
 }
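Review bot: The new `wg_peer_update_flags (*peer_idx, WG_PEER_ESTABLISHED, true);` in wg_input_inline sits beside the per-packet timer updates, so it is reached for every authenticated transport packet from the peer (or every peer change, if the surrounding block is gated on `last_peer_time_idx` — its condition is outside the hunk), not just for the first keepalive. If wg_peer_update_flags does work when the flag is already set, such as rewriting shared peer state or emitting the event the test waits on, that is fast-path cost and event noise for an already-established peer; reading the peer's current flags first and calling it only on the transition keeps the data path quiet, e.g. `if (!peer_established) wg_peer_update_flags (*peer_idx, WG_PEER_ESTABLISHED, true);` with whatever accessor the peer struct provides. The identical line added to wg_input_post in the next hunk has the same issue and should get the same guard. Both enclosing functions start and end outside their hunks.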
@@ -1016,6 +1013,7 @@ wg_input_post (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame,
 out_udp_src_port);
 wg_timers_any_authenticated_packet_received_opt (peer, time);
 wg_timers_any_authenticated_packet_traversal (peer);
+ wg_peer_update_flags (*peer_idx, WG_PEER_ESTABLISHED, true);
 last_peer_time_idx = peer_idx;
 }
diff --git a/test/test_wireguard.py b/test/test_wireguard.py
index 72a317ca8c2..b9713f6fc08 100644
--- a/test/test_wireguard.py
+++ b/test/test_wireguard.py
@@ -2315,17 +2315,45 @@ class TestWg(VppTestCase):
 wg1.want_events()
 for i in range(NUM_PEERS):
- # send a valid handsake init for which we expect a response
+ # wg0 peers: send a valid handsake init for which we expect a response
 p = peers_0[i].mk_handshake(self.pg1)
 rx = self.send_and_expect(self.pg1, [p], self.pg1)
 peers_0[i].consume_response(rx[0])
+
+ # wg0 peers: send empty packet, it means successful connection (WIREGUARD_PEER_ESTABLISHED)
+ keepalive = peers_0[i].encrypt_transport(0)
+ p = peers_0[i].mk_tunnel_header(self.pg1) / (
+ Wireguard(message_type=4, reserved_zero=0)
+ / WireguardTransport(
+ receiver_index=peers_0[i].sender,
+ counter=0,
+ encrypted_encapsulated_packet=keepalive,
+ )
+ )
+ self.send_and_assert_no_replies(self.pg1, [p])
+
+ # wg0 peers: wait for established flag
 if i == 0:
 peers_0[0].wait_event(ESTABLISHED_FLAG)
+ # wg1 peers: send a valid handsake init for which we expect a response
 p = peers_1[i].mk_handshake(self.pg2)
 rx = self.send_and_expect(self.pg2, [p], self.pg2)
 peers_1[i].consume_response(rx[0])
+ # wg1 peers: send empty packet, it means successful connection (WIREGUARD_PEER_ESTABLISHED)
+ keepalive = peers_1[i].encrypt_transport(0)
+ p = peers_1[i].mk_tunnel_header(self.pg2) / (
+ Wireguard(message_type=4, reserved_zero=0)
+ / WireguardTransport(
+ receiver_index=peers_1[i].sender,
+ counter=0,
+ encrypted_encapsulated_packet=keepalive,
+ )
+ )
+ self.send_and_assert_no_replies(self.pg2, [p])
+
+ # wg1 peers: wait for established flag
 wg1.wait_events(ESTABLISHED_FLAG, [peers_1[0].index, peers_1[1].index])
 # remove routes
-- 
cgit 1.2.3-korg
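Review bot: `peers_0[0].wait_event(ESTABLISHED_FLAG)` and `wg1.wait_events(...)` are only checked after the keepalive has been sent, so this test would pass equally under the old behaviour where the flag was raised on the handshake initiation; to pin the new semantics, the loop should assert that no ESTABLISHED event arrives between `consume_response(rx[0])` and `send_and_assert_no_replies(...)` (with whatever negative-wait helper the harness offers), and ideally that a peer which completes the handshake but never sends a keepalive is never reported established. The two keepalive blocks differ only in the peer and the interface, so a small helper such as `def mk_keepalive(peer, pg): ...` returning the `Wireguard(message_type=4, reserved_zero=0) / WireguardTransport(...)` packet would remove the duplication and give the magic `message_type=4` one named home. `encrypt_transport(0)` reads as a count rather than a payload; if the helper builds its payload with `bytes(p)`, passing `b""` states the intent directly. The added comment copies the `handsake` typo from the line it replaces; `handshake`. The enclosing test method starts outside the hunk.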