From ad6247f508ddd80f216023b024e66537df852036 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Thu, 6 Oct 2011 14:54:30 -0700
Subject: [PATCH] ovs-monitor-ipsec: Fix use_ssl_cert option implementation.

I skipped writing a unit test for this feature on the first go-around, and of course that meant it didn't work.

Bug #7693.
Reported-by: Michael Hu
---
debian/ovs-monitor-ipsec | 7 +--
tests/ovs-monitor-ipsec.at | 89 ++++++++++++++++++++++++++++++++++++++
2 files changed, 93 insertions(+), 3 deletions(-)

diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
index f7bdf1da..ac2cd7e1 100755
--- a/debian/ovs-monitor-ipsec
+++ b/debian/ovs-monitor-ipsec
@@ -413,9 +413,10 @@ def update_ipsec(ipsec, interfaces, new_interfaces):
 
 def get_ssl_cert(data):
     for ovs_rec in data["Open_vSwitch"].rows.itervalues():
-        ssl = ovs_rec.ssl
-        if ssl and ssl.certificate and ssl.private_key:
-            return (ssl.certificate, ssl.private_key)
+        if ovs_rec.ssl:
+            ssl = ovs_rec.ssl[0]
+            if ssl.certificate and ssl.private_key:
+                return (ssl.certificate, ssl.private_key)
     return None
 
 
diff --git a/tests/ovs-monitor-ipsec.at b/tests/ovs-monitor-ipsec.at
index f2794e03..f9868e76 100644
--- a/tests/ovs-monitor-ipsec.at
+++ b/tests/ovs-monitor-ipsec.at
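Review bot: `ssl = ovs_rec.ssl[0]` depends on the `ssl` column arriving as a sequence holding at most one SSL row, which is precisely what the removed `ssl.certificate` access on the bare column got wrong, so a comment at that line would stop the next maintainer from "simplifying" it back, e.g. `# ssl is a sequence of 0 or 1 SSL rows; take the single element`. The function also carries no docstring; the racoon.conf expected in tests/ovs-monitor-ipsec.at shows the pair ending up as the x509 certificate and key file paths, so something like `"""Return (certificate, private_key) from the first Open_vSwitch row whose SSL record has both set, else None."""` fits, with the "paths" wording hedged since the column type is not visible here. A row whose SSL record has only one of the two populated is skipped silently, which looks intended (a certificate without its key is unusable for racoon) but is worth stating in the docstring. get_ssl_cert lies entirely within the hunk.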
@@ -219,4 +219,93 @@ sainfo anonymous {
 ])
 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
 
+###
+### Add an SSL certificate interface.
+###
+cp cert.pem ssl-cert.pem
+cp key.pem ssl-key.pem
+AT_DATA([ssl-cacert.pem], [dnl
+-----BEGIN CERTIFICATE-----
+(not a real CA certificate)
+-----END CERTIFICATE-----
+])
+AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
+    -- add-port br0 gre2 \
+    -- set Interface gre2 type=ipsec_gre \
+           options:remote_ip=3.4.5.6 \
+           options:peer_cert='"-----BEGIN CERTIFICATE-----
+(not a real peer certificate)
+-----END CERTIFICATE-----
+"' \
+           options:use_ssl_cert='"true"'])
+OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
+AT_CHECK([sed '1,29d' actions], [0], [dnl
+racoon: reload
+setkey:
+> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
+> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
+])
+AT_CHECK([trim etc/racoon/psk.txt], [0], [])
+AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+remote 3.4.5.6 {
+        exchange_mode main;
+        nat_traversal on;
+        ike_frag on;
+        certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
+        my_identifier asn1dn;
+        peers_identifier asn1dn;
+        peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
+        verify_identifier on;
+        proposal {
+                encryption_algorithm aes;
+                hash_algorithm sha1;
+                authentication_method rsasig;
+                dh_group 2;
+        }
+}
+sainfo anonymous {
+        pfs_group 2;
+        lifetime time 1 hour;
+        encryption_algorithm aes;
+        authentication_algorithm hmac_sha1, hmac_md5;
+        compression_algorithm deflate;
+}
+])
+AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
+-----BEGIN CERTIFICATE-----
+(not a real peer certificate)
+-----END CERTIFICATE-----
+])
+
+###
+### Delete the SSL certificate interface.
+###
+AT_CHECK([ovs_vsctl del-port gre2])
+OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
+AT_CHECK([sed '1,33d' actions], [0], [dnl
+racoon: reload
+setkey:
+> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
+> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
+setkey:
+> dump ;
+setkey:
+> dump ;
+])
+AT_CHECK([trim etc/racoon/psk.txt], [0], [])
+AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
+path pre_shared_key "/etc/racoon/psk.txt";
+path certificate "/etc/racoon/certs";
+sainfo anonymous {
+        pfs_group 2;
+        lifetime time 1 hour;
+        encryption_algorithm aes;
+        authentication_algorithm hmac_sha1, hmac_md5;
+        compression_algorithm deflate;
+}
+])
+AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
+
 AT_CLEANUP
-- 
2.30.2
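Review bot: The new case only covers `use_ssl_cert` after `set-ssl` has populated the SSL record; nothing exercises an interface with `options:use_ssl_cert='"true"'` while the Open_vSwitch `ssl` column is still empty, which is the branch the `if ovs_rec.ssl:` guard in debian/ovs-monitor-ipsec was added for, so that path remains untested despite the commit message's point about a missing test. A short case placed before the `set-ssl` step that asserts racoon.conf contains no `certificate_type` line (or whatever fallback the daemon takes, which is not visible from here) would close it. The `sed '1,29d'` / `sed '1,33d'` offsets and the `-ge 21` / `-ge 29` thresholds are coupled to the exact number of actions logged by the earlier cases, so inserting that negative case above shifts all of them; recording `wc -l < actions` before each step and stripping that many lines would make the additions order-independent.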