ovs-monitor-ipsec: Fix use_ssl_cert option implementation.
[openvswitch] / tests / ovs-monitor-ipsec.at
1 AT_BANNER([ovs-monitor-ipsec])
2
3 AT_SETUP([ovs-monitor-ipsec])
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
5
6 OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
7 cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
8
9 trap 'kill `cat pid ovs-monitor-ipsec.pid`' 0
10
11 mkdir etc etc/init.d etc/racoon etc/racoon/certs
12 mkdir usr usr/sbin
13
14 AT_DATA([etc/init.d/racoon], [dnl
15 #! /bin/sh
16 echo "racoon: $@" >&3
17 exit 0
18 ])
19 chmod +x etc/init.d/racoon
20
21 AT_DATA([usr/sbin/setkey], [dnl
22 #! /bin/sh
23 exec >&3
24 echo "setkey:"
25 while read line; do
26       echo "> $line"
27 done
28 ])
29 chmod +x usr/sbin/setkey
30
31 touch etc/racoon/certs/ovs-stale.pem
32
33 ovs_vsctl () {
34     ovs-vsctl --timeout=5 --no-wait -vreconnect:ANY:emer --db=unix:socket "$@"
35 }
36 trim () {  # Removes blank lines and lines starting with # from input.
37     sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
38 }
39
40 ###
41 ### Start ovsdb-server.
42 ###
43 OVS_VSCTL_SETUP
44
45 ###
46 ### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
47 ###
48 AT_CHECK(
49   [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
50         "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
51         unix:socket 2>log 3>actions &])
52 AT_CAPTURE_FILE([log])
53 AT_CAPTURE_FILE([actions])
54 OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
55
56 ###
57 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
58 ###
59 AT_CHECK([ovs_vsctl \
60               -- add-br br0 \
61               -- add-port br0 gre0 \
62               -- set interface gre0 type=ipsec_gre \
63                                     options:remote_ip=1.2.3.4 \
64                                     options:psk=swordfish])
65 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
66 AT_CHECK([cat actions], [0], [dnl
67 setkey:
68 > flush;
69 setkey:
70 > spdflush;
71 racoon: reload
72 racoon: reload
73 setkey:
74 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
75 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
76 ])
77 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
78 ])
79 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
80 path pre_shared_key "/etc/racoon/psk.txt";
81 path certificate "/etc/racoon/certs";
82 remote 1.2.3.4 {
83         exchange_mode main;
84         nat_traversal on;
85         proposal {
86                 encryption_algorithm aes;
87                 hash_algorithm sha1;
88                 authentication_method pre_shared_key;
89                 dh_group 2;
90         }
91 }
92 sainfo anonymous {
93         pfs_group 2;
94         lifetime time 1 hour;
95         encryption_algorithm aes;
96         authentication_algorithm hmac_sha1, hmac_md5;
97         compression_algorithm deflate;
98 }
99 ])
100
101 ###
102 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
103 ###
104 AT_CHECK([ovs_vsctl del-port gre0])
105 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
106 AT_CHECK([sed '1,9d' actions], [0], [dnl
107 racoon: reload
108 setkey:
109 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
110 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
111 setkey:
112 > dump ;
113 setkey:
114 > dump ;
115 ])
116 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
117 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
118 path pre_shared_key "/etc/racoon/psk.txt";
119 path certificate "/etc/racoon/certs";
120 sainfo anonymous {
121         pfs_group 2;
122         lifetime time 1 hour;
123         encryption_algorithm aes;
124         authentication_algorithm hmac_sha1, hmac_md5;
125         compression_algorithm deflate;
126 }
127 ])
128
129 ###
130 ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
131 ###
132 AT_DATA([cert.pem], [dnl
133 -----BEGIN CERTIFICATE-----
134 (not a real certificate)
135 -----END CERTIFICATE-----
136 ])
137 AT_DATA([key.pem], [dnl
138 -----BEGIN RSA PRIVATE KEY-----
139 (not a real private key)
140 -----END RSA PRIVATE KEY-----
141 ])
142 AT_CHECK([ovs_vsctl \
143               -- add-port br0 gre1 \
144               -- set Interface gre1 type=ipsec_gre \
145                  options:remote_ip=2.3.4.5 \
146                  options:peer_cert='"-----BEGIN CERTIFICATE-----
147 (not a real peer certificate)
148 -----END CERTIFICATE-----
149 "' \
150                  options:certificate='"/cert.pem"' \
151                  options:private_key='"/key.pem"'])
152 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
153 AT_CHECK([sed '1,17d' actions], [0], [dnl
154 racoon: reload
155 setkey:
156 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
157 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
158 ])
159 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
160 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
161 path pre_shared_key "/etc/racoon/psk.txt";
162 path certificate "/etc/racoon/certs";
163 remote 2.3.4.5 {
164         exchange_mode main;
165         nat_traversal on;
166         ike_frag on;
167         certificate_type x509 "/cert.pem" "/key.pem";
168         my_identifier asn1dn;
169         peers_identifier asn1dn;
170         peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
171         verify_identifier on;
172         proposal {
173                 encryption_algorithm aes;
174                 hash_algorithm sha1;
175                 authentication_method rsasig;
176                 dh_group 2;
177         }
178 }
179 sainfo anonymous {
180         pfs_group 2;
181         lifetime time 1 hour;
182         encryption_algorithm aes;
183         authentication_algorithm hmac_sha1, hmac_md5;
184         compression_algorithm deflate;
185 }
186 ])
187 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
188 -----BEGIN CERTIFICATE-----
189 (not a real peer certificate)
190 -----END CERTIFICATE-----
191 ])
192
193 ###
194 ### Delete the ipsec_gre certificate interface.
195 ###
196 AT_CHECK([ovs_vsctl del-port gre1])
197 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
198 AT_CHECK([sed '1,21d' actions], [0], [dnl
199 racoon: reload
200 setkey:
201 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
202 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
203 setkey:
204 > dump ;
205 setkey:
206 > dump ;
207 ])
208 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
209 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
210 path pre_shared_key "/etc/racoon/psk.txt";
211 path certificate "/etc/racoon/certs";
212 sainfo anonymous {
213         pfs_group 2;
214         lifetime time 1 hour;
215         encryption_algorithm aes;
216         authentication_algorithm hmac_sha1, hmac_md5;
217         compression_algorithm deflate;
218 }
219 ])
220 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
221
222 ###
223 ### Add an SSL certificate interface.
224 ###
225 cp cert.pem ssl-cert.pem
226 cp key.pem ssl-key.pem
227 AT_DATA([ssl-cacert.pem], [dnl
228 -----BEGIN CERTIFICATE-----
229 (not a real CA certificate)
230 -----END CERTIFICATE-----
231 ])
232 AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
233               -- add-port br0 gre2 \
234               -- set Interface gre2 type=ipsec_gre \
235                  options:remote_ip=3.4.5.6 \
236                  options:peer_cert='"-----BEGIN CERTIFICATE-----
237 (not a real peer certificate)
238 -----END CERTIFICATE-----
239 "' \
240                  options:use_ssl_cert='"true"'])
241 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
242 AT_CHECK([sed '1,29d' actions], [0], [dnl
243 racoon: reload
244 setkey:
245 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
246 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
247 ])
248 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
249 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
250 path pre_shared_key "/etc/racoon/psk.txt";
251 path certificate "/etc/racoon/certs";
252 remote 3.4.5.6 {
253         exchange_mode main;
254         nat_traversal on;
255         ike_frag on;
256         certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
257         my_identifier asn1dn;
258         peers_identifier asn1dn;
259         peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
260         verify_identifier on;
261         proposal {
262                 encryption_algorithm aes;
263                 hash_algorithm sha1;
264                 authentication_method rsasig;
265                 dh_group 2;
266         }
267 }
268 sainfo anonymous {
269         pfs_group 2;
270         lifetime time 1 hour;
271         encryption_algorithm aes;
272         authentication_algorithm hmac_sha1, hmac_md5;
273         compression_algorithm deflate;
274 }
275 ])
276 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
277 -----BEGIN CERTIFICATE-----
278 (not a real peer certificate)
279 -----END CERTIFICATE-----
280 ])
281
282 ###
283 ### Delete the SSL certificate interface.
284 ###
285 AT_CHECK([ovs_vsctl del-port gre2])
286 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
287 AT_CHECK([sed '1,33d' actions], [0], [dnl
288 racoon: reload
289 setkey:
290 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
291 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
292 setkey:
293 > dump ;
294 setkey:
295 > dump ;
296 ])
297 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
298 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
299 path pre_shared_key "/etc/racoon/psk.txt";
300 path certificate "/etc/racoon/certs";
301 sainfo anonymous {
302         pfs_group 2;
303         lifetime time 1 hour;
304         encryption_algorithm aes;
305         authentication_algorithm hmac_sha1, hmac_md5;
306         compression_algorithm deflate;
307 }
308 ])
309 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
310
311 AT_CLEANUP
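Review bot: The two OVS_WAIT_UNTIL guards in the new SSL-certificate sections wait for line counts that are already satisfied before the step runs, so they never wait and the following checks race the daemon. At the "Add an SSL certificate interface" step the file already holds 29 lines from the previous section, yet the wait tests `-ge 21` before `sed '1,29d'` expects 4 more lines; at the "Delete the SSL certificate interface" step the wait tests `-ge 29` before `sed '1,33d'` expects 8 more lines. The earlier sections show the intended pattern (wait for the offset plus the expected lines, e.g. `-ge 29` before `sed '1,21d'`), so these should read `OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])` and `OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])` respectively. As written, the checks of actions, racoon.conf and the ovs-3.4.5.6.pem peer-cert file can run before ovs-monitor-ipsec has processed the change, making this test intermittently fail rather than verifying the use_ssl_cert path deterministically.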