ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

wireguard: sending the first handshake

Browse Source 
After creating a peer, we send a handshake request. But it's not quite right
to call wg_send_keepalive() directly.
According to documentation, handshake initiation is sent after (REKEY_TIMEOUT + jitter) ms.
Since it's the first one - we don't need to take REKEY_TIMEOUT into account,
but we still have jitter.

It also makes no sense to immediately send keepalives,
because the connection is not created yet.

Type: fix

Signed-off-by: Artem Glazychev <artem.glazychev@xored.com>
Change-Id: I61707e4be79be65abc3396b5f1dbd48ecbf7ba60
This commit is contained in:
Artem Glazychev
2023-01-24 16:10:29 +07:00
committed by Fan Zhang
parent 5616041aed
commit 53badfc683
4 changed files with 46 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/plugins/wireguard/wireguard_peer.c
View File

@ -244,11 +244,7 @@ wg_peer_enable (vlib_main_t *vm, wg_peer_t *peer)
noise_remote_init (&peer->remote, peeri, public_key, wg_if->local_idx);
wg_send_handshake (vm, peer, false);
if (peer->persistent_keepalive_interval != 0)
{
wg_send_keepalive (vm, peer);
}
wg_timers_send_first_handshake (peer);
}
walk_rc_t
@ -494,11 +490,7 @@ wg_peer_add (u32 tun_sw_if_index, const u8 public_key[NOISE_PUBLIC_KEY_LEN],
if (vnet_sw_interface_is_admin_up (vnet_get_main (), tun_sw_if_index))
{
wg_send_handshake (vm, peer, false);
if (peer->persistent_keepalive_interval != 0)
{
wg_send_keepalive (vm, peer);
}
wg_timers_send_first_handshake (peer);
}
*peer_index = peer - wg_peer_pool;

10
src/plugins/wireguard/wireguard_timer.c
View File

@ -238,6 +238,16 @@ wg_timers_handshake_initiated (wg_peer_t * peer)
peer->rehandshake_interval_tick);
}
void
wg_timers_send_first_handshake (wg_peer_t *peer)
{
// zero value is not allowed
peer->new_handshake_interval_tick =
get_random_u32_max (REKEY_TIMEOUT_JITTER) + 1;
start_timer_from_mt (peer - wg_peer_pool, WG_TIMER_NEW_HANDSHAKE,
peer->new_handshake_interval_tick);
}
void
wg_timers_session_derived (wg_peer_t * peer)
{

1
src/plugins/wireguard/wireguard_timer.h
View File

@ -50,6 +50,7 @@ void wg_timers_any_authenticated_packet_received_opt (wg_peer_t *peer,
f64 time);
void wg_timers_handshake_initiated (wg_peer_t * peer);
void wg_timers_handshake_complete (wg_peer_t * peer);
void wg_timers_send_first_handshake (wg_peer_t *peer);
void wg_timers_session_derived (wg_peer_t * peer);
void wg_timers_any_authenticated_packet_traversal (wg_peer_t * peer);

33
test/test_wireguard.py
View File

@ -147,6 +147,8 @@ UNDER_LOAD_INTERVAL = 1.0
HANDSHAKE_NUM_PER_PEER_UNTIL_UNDER_LOAD = 40
HANDSHAKE_NUM_BEFORE_RATELIMITING = 5
HANDSHAKE_JITTER = 0.5
class VppWgPeer(VppObject):
def __init__(self, test, itf, endpoint, port, allowed_ips, persistent_keepalive=15):
@ -672,6 +674,9 @@ class TestWg(VppTestCase):
self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
if is_resp:
# skip the first automatic handshake
self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
# prepare and send a handshake initiation
# expect the peer to send a handshake response
init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
@ -764,6 +769,9 @@ class TestWg(VppTestCase):
# reset noise to be able to turn into initiator later
peer_1.noise_reset()
else:
# skip the first automatic handshake
self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
# prepare and send a bunch of handshake initiations
# expect to switch to under load state
init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
@ -829,6 +837,9 @@ class TestWg(VppTestCase):
).add_vpp_config()
self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
# skip the first automatic handshake
self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
# prepare and send a bunch of handshake initiations
# expect to switch to under load state
init = peer_1.mk_handshake(self.pg1)
@ -893,6 +904,9 @@ class TestWg(VppTestCase):
).add_vpp_config()
self.assertEqual(len(self.vapi.wireguard_peers_dump()), 1)
# skip the first automatic handshake
self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
# prepare and send a bunch of handshake initiations
# expect to switch to under load state
init = peer_1.mk_handshake(self.pg1, is_ip6=is_ip6)
@ -963,6 +977,9 @@ class TestWg(VppTestCase):
).add_vpp_config()
self.assertEqual(len(self.vapi.wireguard_peers_dump()), 2)
# skip the first automatic handshake
self.pg1.get_capture(NUM_PEERS, timeout=HANDSHAKE_JITTER)
# (peer_1) prepare and send a bunch of handshake initiations
# expect not to switch to under load state
init_1 = peer_1.mk_handshake(self.pg1)
@ -2098,6 +2115,9 @@ class TestWg(VppTestCase):
self.pg0.generate_remote_hosts(NUM_IFS)
self.pg0.configure_ipv4_neighbors()
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
# Create interfaces with a peer on each
peers = []
routes = []
@ -2129,6 +2149,9 @@ class TestWg(VppTestCase):
self.assertEqual(len(self.vapi.wireguard_peers_dump()), NUM_IFS)
# skip the first automatic handshake
self.pg1.get_capture(NUM_IFS, timeout=HANDSHAKE_JITTER)
for i in range(NUM_IFS):
# send a valid handsake init for which we expect a response
p = peers[i].mk_handshake(self.pg1)
@ -2282,6 +2305,10 @@ class TestWg(VppTestCase):
self.assertEqual(len(self.vapi.wireguard_peers_dump()), NUM_PEERS * 2)
# skip the first automatic handshake
self.pg1.get_capture(NUM_PEERS, timeout=HANDSHAKE_JITTER)
self.pg2.get_capture(NUM_PEERS, timeout=HANDSHAKE_JITTER)
# Want events from the first perr of wg0
# and from all wg1 peers
peers_0[0].want_events()
@ -2472,6 +2499,9 @@ class WireguardHandoffTests(TestWg):
wg0.admin_up()
wg0.config_ip4()
self.pg_enable_capture(self.pg_interfaces)
self.pg_start()
peer_1 = VppWgPeer(
self, wg0, self.pg1.remote_ip4, port + 1, ["10.11.2.0/24", "10.11.3.0/24"]
).add_vpp_config()
@ -2481,6 +2511,9 @@ class WireguardHandoffTests(TestWg):
self, "10.11.3.0", 24, [VppRoutePath("10.11.3.1", wg0.sw_if_index)]
).add_vpp_config()
# skip the first automatic handshake
self.pg1.get_capture(1, timeout=HANDSHAKE_JITTER)
# send a valid handsake init for which we expect a response
p = peer_1.mk_handshake(self.pg1)