wireguard: update ESTABLISHED flag

We cannot confidently say that if we have received and processed the handshake_initiation message, then the connection has been established. Because we also send a response. The fact that the connection is established can only be considered if a keepalive packet was received. Type: fix Signed-off-by: Artem Glazychev <artem.glazychev@xored.com> Change-Id: I61731916071990f28cdebcd1d0e4d302fa1dee15
2023-01-24 15:34:00 +07:00
parent 8430c402fc
commit 4d290c3aa7
2 changed files with 32 additions and 6 deletions
--- a/src/plugins/wireguard/wireguard_input.c
+++ b/src/plugins/wireguard/wireguard_input.c
@ -266,10 +266,6 @@ wg_handshake_process (vlib_main_t *vm, wg_main_t *wmp, vlib_buffer_t *b,
 	    vlib_node_increment_counter (vm, node_idx,
 					 WG_INPUT_ERROR_HANDSHAKE_SEND, 1);
 	  }
-	else
-	  {
-	    wg_peer_update_flags (rp->r_peer_idx, WG_PEER_ESTABLISHED, true);
-	  }
 	break;
      }
    case MESSAGE_HANDSHAKE_RESPONSE:
@ -365,7 +361,7 @@ wg_input_post_process (vlib_main_t *vm, vlib_buffer_t *b, u16 *next,
  if (decr_len == 0)
    {
      *is_keepalive = true;
-      return -1;
+      return 0;
    }

  wg_timers_data_received (peer);
@ -870,6 +866,7 @@ wg_input_inline (vlib_main_t *vm, vlib_node_runtime_t *node,
 					     out_udp_src_port);
 	  wg_timers_any_authenticated_packet_received_opt (peer, time);
 	  wg_timers_any_authenticated_packet_traversal (peer);
+	  wg_peer_update_flags (*peer_idx, WG_PEER_ESTABLISHED, true);
 	  last_peer_time_idx = peer_idx;
 	}

@ -1016,6 +1013,7 @@ wg_input_post (vlib_main_t *vm, vlib_node_runtime_t *node, vlib_frame_t *frame,
 					     out_udp_src_port);
 	  wg_timers_any_authenticated_packet_received_opt (peer, time);
 	  wg_timers_any_authenticated_packet_traversal (peer);
+	  wg_peer_update_flags (*peer_idx, WG_PEER_ESTABLISHED, true);
 	  last_peer_time_idx = peer_idx;
 	}

--- a/test/test_wireguard.py
+++ b/test/test_wireguard.py
@ -2315,17 +2315,45 @@ class TestWg(VppTestCase):
        wg1.want_events()

        for i in range(NUM_PEERS):
-            # send a valid handsake init for which we expect a response
+            # wg0 peers: send a valid handsake init for which we expect a response
            p = peers_0[i].mk_handshake(self.pg1)
            rx = self.send_and_expect(self.pg1, [p], self.pg1)
            peers_0[i].consume_response(rx[0])
+
+            # wg0 peers: send empty packet, it means successful connection (WIREGUARD_PEER_ESTABLISHED)
+            keepalive = peers_0[i].encrypt_transport(0)
+            p = peers_0[i].mk_tunnel_header(self.pg1) / (
+                Wireguard(message_type=4, reserved_zero=0)
+                / WireguardTransport(
+                    receiver_index=peers_0[i].sender,
+                    counter=0,
+                    encrypted_encapsulated_packet=keepalive,
+                )
+            )
+            self.send_and_assert_no_replies(self.pg1, [p])
+
+            # wg0 peers: wait for established flag
            if i == 0:
                peers_0[0].wait_event(ESTABLISHED_FLAG)

+            # wg1 peers: send a valid handsake init for which we expect a response
            p = peers_1[i].mk_handshake(self.pg2)
            rx = self.send_and_expect(self.pg2, [p], self.pg2)
            peers_1[i].consume_response(rx[0])

+            # wg1 peers: send empty packet, it means successful connection (WIREGUARD_PEER_ESTABLISHED)
+            keepalive = peers_1[i].encrypt_transport(0)
+            p = peers_1[i].mk_tunnel_header(self.pg2) / (
+                Wireguard(message_type=4, reserved_zero=0)
+                / WireguardTransport(
+                    receiver_index=peers_1[i].sender,
+                    counter=0,
+                    encrypted_encapsulated_packet=keepalive,
+                )
+            )
+            self.send_and_assert_no_replies(self.pg2, [p])
+
+        # wg1 peers: wait for established flag
        wg1.wait_events(ESTABLISHED_FLAG, [peers_1[0].index, peers_1[1].index])

        # remove routes