learn: Fix bugs when learn actions use subfields wider than 64 bits.
1 AT_BANNER([ovs-monitor-ipsec])
2
3 AT_SETUP([ovs-monitor-ipsec])
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
5
# Everything runs inside the per-test directory: run dir and data dir are both
# the current directory, and the processes started later inherit both settings.
6 OVS_RUNDIR=`pwd`; export OVS_RUNDIR
7 OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
8 cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
9
# On exit (signal 0), kill the database server (presumably what writes pid) and
# ovs-monitor-ipsec. Best effort: if either pid file is missing, cat fails and
# only the remaining pid is killed.
10 trap 'kill `cat pid ovs-monitor-ipsec.pid`' 0
11
# Fake root filesystem. ovs-monitor-ipsec is started with --root-prefix set to
# this directory, so the stub racoon and setkey created here are what it runs,
# and etc/racoon is where it writes psk.txt, racoon.conf and peer certificates.
12 mkdir etc etc/init.d etc/racoon etc/racoon/certs
13 mkdir usr usr/sbin
14
# Stub racoon init script: records its arguments on fd 3 (the actions file
# opened when the daemon is started) and always succeeds.
15 AT_DATA([etc/init.d/racoon], [dnl
16 #! /bin/sh
17 echo "racoon: $@" >&3
18 exit 0
19 ])
20 chmod +x etc/init.d/racoon
21
# Stub setkey: writes a header plus every stdin line, prefixed with "> ", on
# fd 3. It never invokes the real setkey, so no kernel policy is touched.
22 AT_DATA([usr/sbin/setkey], [dnl
23 #! /bin/sh
24 exec >&3
25 echo "setkey:"
26 while read line; do
27       echo "> $line"
28 done
29 ])
30 chmod +x usr/sbin/setkey
31
# A leftover certificate that the daemon is expected to delete on startup;
# its disappearance is what the test waits for after launching the daemon.
32 touch etc/racoon/certs/ovs-stale.pem
33
# Wrapper for ovs-vsctl against the test database socket: short timeout, no
# waiting for a vswitchd (none appears to be started in this test), and
# reconnect logging silenced below the emer level. Extra arguments pass through.
34 ovs_vsctl () {
35     ovs-vsctl --timeout=5 --no-wait -vreconnect:ANY:emer --db=unix:socket "$@"
36 }
# Normalises generated config files before comparison. NOTE(review): the
# bracket expression is presumably meant to hold a space and a tab; verify the
# tab survived in the checked-in file, otherwise tab-only lines are not dropped.
37 trim () {  # Removes blank lines and lines starting with # from input.
38     sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
39 }
40
41 ###
42 ### Start ovsdb-server.
43 ###
44 OVS_VSCTL_SETUP
45
46 ###
47 ### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
48 ###
# The daemon runs in the background against the fake root. stderr goes to log
# and fd 3 to actions; since the stub racoon and setkey write on fd 3, actions
# becomes a transcript of every external command the daemon issued, and the
# rest of this test is a sequence of assertions on that transcript.
49 AT_CHECK(
50   [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
51         "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
52         unix:socket 2>log 3>actions &])
53 AT_CAPTURE_FILE([log])
54 AT_CAPTURE_FILE([actions])
55 OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
56
57 ###
58 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
59 ###
# PSK tunnel. The pre-shared key is an ordinary interface option and is written
# verbatim to etc/racoon/psk.txt (content checked below). Only the content is
# asserted. NOTE(review): racoon rejects secret files readable by group or
# others (its safefile check) -- confirm, and consider asserting the mode of
# psk.txt here as well.
60 AT_CHECK([ovs_vsctl \
61               -- add-br br0 \
62               -- add-port br0 gre0 \
63               -- set interface gre0 type=ipsec_gre \
64                                     options:remote_ip=1.2.3.4 \
65                                     options:psk=swordfish])
66 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
# Startup yields a flush, an spdflush and two racoon reloads before the
# per-tunnel policy lines. Later sections skip earlier output with sed ranges
# and the wait conditions count lines: 9, 17, 21, 29, 33 and 41 are cumulative
# line counts of actions and must be kept in step with one another.
67 AT_CHECK([cat actions], [0], [dnl
68 setkey:
69 > flush;
70 setkey:
71 > spdflush;
72 racoon: reload
73 racoon: reload
74 setkey:
75 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
76 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
77 ])
78 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
79 ])
# The generated racoon.conf is asserted verbatim. Note the algorithm set it
# pins: main-mode exchange, dh_group 2, sha1 hashing, aes, and an authentication
# list that still includes hmac_md5. These come from the daemon, not from this
# test; tightening them in ovs-monitor-ipsec means updating each of the six
# racoon.conf expectations in this file.
80 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
81 path pre_shared_key "/etc/racoon/psk.txt";
82 path certificate "/etc/racoon/certs";
83 remote 1.2.3.4 {
84         exchange_mode main;
85         nat_traversal on;
86         proposal {
87                 encryption_algorithm aes;
88                 hash_algorithm sha1;
89                 authentication_method pre_shared_key;
90                 dh_group 2;
91         }
92 }
93 sainfo anonymous {
94         pfs_group 2;
95         lifetime time 1 hour;
96         encryption_algorithm aes;
97         authentication_algorithm hmac_sha1, hmac_md5;
98         compression_algorithm deflate;
99 }
100 ])
101
102 ###
103 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
104 ###
# Removing the tunnel must drop both policies, empty psk.txt and leave only the
# anonymous sainfo block in racoon.conf.
105 AT_CHECK([ovs_vsctl del-port gre0])
106 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
107 AT_CHECK([sed '1,9d' actions], [0], [dnl
108 racoon: reload
109 setkey:
110 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
111 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
112 setkey:
113 > dump ;
114 setkey:
115 > dump ;
116 ])
117 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
118 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
119 path pre_shared_key "/etc/racoon/psk.txt";
120 path certificate "/etc/racoon/certs";
121 sainfo anonymous {
122         pfs_group 2;
123         lifetime time 1 hour;
124         encryption_algorithm aes;
125         authentication_algorithm hmac_sha1, hmac_md5;
126         compression_algorithm deflate;
127 }
128 ])
129
130 ###
131 ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
132 ###
# Certificate tunnel. The PEM files are placeholders: the stubs never parse
# them, so the test only verifies that the right bytes land at the right paths
# and that racoon.conf references them.
133 AT_DATA([cert.pem], [dnl
134 -----BEGIN CERTIFICATE-----
135 (not a real certificate)
136 -----END CERTIFICATE-----
137 ])
138 AT_DATA([key.pem], [dnl
139 -----BEGIN RSA PRIVATE KEY-----
140 (not a real private key)
141 -----END RSA PRIVATE KEY-----
142 ])
# peer_cert is passed inline and ends up in etc/racoon/certs/ovs-<remote_ip>.pem
# (checked below); certificate and private_key are absolute paths as racoon
# will see them, and the files exist under the fake root. Only dotted-quad
# remote_ip values are exercised, so whatever validation the daemon applies to
# that option before building the file name is not covered here.
143 AT_CHECK([ovs_vsctl \
144               -- add-port br0 gre1 \
145               -- set Interface gre1 type=ipsec_gre \
146                  options:remote_ip=2.3.4.5 \
147                  options:peer_cert='"-----BEGIN CERTIFICATE-----
148 (not a real peer certificate)
149 -----END CERTIFICATE-----
150 "' \
151                  options:certificate='"/cert.pem"' \
152                  options:private_key='"/key.pem"'])
153 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
154 AT_CHECK([sed '1,17d' actions], [0], [dnl
155 racoon: reload
156 setkey:
157 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
158 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
159 ])
160 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
161 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
162 path pre_shared_key "/etc/racoon/psk.txt";
163 path certificate "/etc/racoon/certs";
164 remote 2.3.4.5 {
165         exchange_mode main;
166         nat_traversal on;
167         ike_frag on;
168         certificate_type x509 "/cert.pem" "/key.pem";
169         my_identifier asn1dn;
170         peers_identifier asn1dn;
171         peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
172         verify_identifier on;
173         proposal {
174                 encryption_algorithm aes;
175                 hash_algorithm sha1;
176                 authentication_method rsasig;
177                 dh_group 2;
178         }
179 }
180 sainfo anonymous {
181         pfs_group 2;
182         lifetime time 1 hour;
183         encryption_algorithm aes;
184         authentication_algorithm hmac_sha1, hmac_md5;
185         compression_algorithm deflate;
186 }
187 ])
# The inline peer certificate must be copied out byte for byte.
188 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
189 -----BEGIN CERTIFICATE-----
190 (not a real peer certificate)
191 -----END CERTIFICATE-----
192 ])
193
194 ###
195 ### Delete the ipsec_gre certificate interface.
196 ###
# Deleting the tunnel must also remove the copied peer certificate (asserted at
# the end of this section).
197 AT_CHECK([ovs_vsctl del-port gre1])
198 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
199 AT_CHECK([sed '1,21d' actions], [0], [dnl
200 racoon: reload
201 setkey:
202 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
203 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
204 setkey:
205 > dump ;
206 setkey:
207 > dump ;
208 ])
209 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
210 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
211 path pre_shared_key "/etc/racoon/psk.txt";
212 path certificate "/etc/racoon/certs";
213 sainfo anonymous {
214         pfs_group 2;
215         lifetime time 1 hour;
216         encryption_algorithm aes;
217         authentication_algorithm hmac_sha1, hmac_md5;
218         compression_algorithm deflate;
219 }
220 ])
221 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
222
223 ###
224 ### Add an SSL certificate interface.
225 ###
# SSL tunnel. With use_ssl_cert the key and certificate come from the
# database's SSL configuration rather than from interface options, so the
# generated racoon.conf points at ssl-cert.pem and ssl-key.pem.
226 cp cert.pem ssl-cert.pem
227 cp key.pem ssl-key.pem
228 AT_DATA([ssl-cacert.pem], [dnl
229 -----BEGIN CERTIFICATE-----
230 (not a real CA certificate)
231 -----END CERTIFICATE-----
232 ])
233 AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
234               -- add-port br0 gre2 \
235               -- set Interface gre2 type=ipsec_gre \
236                  options:remote_ip=3.4.5.6 \
237                  options:peer_cert='"-----BEGIN CERTIFICATE-----
238 (not a real peer certificate)
239 -----END CERTIFICATE-----
240 "' \
241                  options:use_ssl_cert='"true"'])
242 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
243 AT_CHECK([sed '1,29d' actions], [0], [dnl
244 racoon: reload
245 setkey:
246 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
247 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
248 ])
249 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
250 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
251 path pre_shared_key "/etc/racoon/psk.txt";
252 path certificate "/etc/racoon/certs";
253 remote 3.4.5.6 {
254         exchange_mode main;
255         nat_traversal on;
256         ike_frag on;
257         certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
258         my_identifier asn1dn;
259         peers_identifier asn1dn;
260         peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
261         verify_identifier on;
262         proposal {
263                 encryption_algorithm aes;
264                 hash_algorithm sha1;
265                 authentication_method rsasig;
266                 dh_group 2;
267         }
268 }
269 sainfo anonymous {
270         pfs_group 2;
271         lifetime time 1 hour;
272         encryption_algorithm aes;
273         authentication_algorithm hmac_sha1, hmac_md5;
274         compression_algorithm deflate;
275 }
276 ])
277 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
278 -----BEGIN CERTIFICATE-----
279 (not a real peer certificate)
280 -----END CERTIFICATE-----
281 ])
282
283 ###
284 ### Delete the SSL certificate interface.
285 ###
# Same teardown expectations as for the other certificate tunnel, including
# removal of the copied peer certificate.
286 AT_CHECK([ovs_vsctl del-port gre2])
287 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
288 AT_CHECK([sed '1,33d' actions], [0], [dnl
289 racoon: reload
290 setkey:
291 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
292 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
293 setkey:
294 > dump ;
295 setkey:
296 > dump ;
297 ])
298 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
299 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
300 path pre_shared_key "/etc/racoon/psk.txt";
301 path certificate "/etc/racoon/certs";
302 sainfo anonymous {
303         pfs_group 2;
304         lifetime time 1 hour;
305         encryption_algorithm aes;
306         authentication_algorithm hmac_sha1, hmac_md5;
307         compression_algorithm deflate;
308 }
309 ])
310 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
311
# Stops the database server; the exit trap set at the top of the test also
# kills ovs-monitor-ipsec.
312 OVSDB_SERVER_SHUTDOWN
313
314 AT_CLEANUP