git://git.onelab.eu / sliver-openvswitch.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
datapath: Fix namespace refcount leak on failed init.
[sliver-openvswitch.git] / tests / ovs-monitor-ipsec.at
1 AT_BANNER([ovs-monitor-ipsec])
2
3 AT_SETUP([ovs-monitor-ipsec])
4 AT_SKIP_IF([test $HAVE_PYTHON = no])
5
6 OVS_RUNDIR=`pwd`; export OVS_RUNDIR
7 OVS_DBDIR=`pwd`; export OVS_DBDIR
8 OVS_PKGDATADIR=`pwd`; export OVS_PKGDATADIR
9 cp "$top_srcdir/vswitchd/vswitch.ovsschema" .
10
11 ON_EXIT([kill `cat pid ovs-monitor-ipsec.pid`])
12
13 mkdir etc etc/init.d etc/racoon etc/racoon/certs
14 mkdir usr usr/sbin
15
16 AT_DATA([etc/init.d/racoon], [dnl
17 #! /bin/sh
18 echo "racoon: $@" >&3
19 exit 0
20 ])
21 chmod +x etc/init.d/racoon
22
23 AT_DATA([usr/sbin/setkey], [dnl
24 #! /bin/sh
25 exec >&3
26 echo "setkey:"
27 while read line; do
28       echo "> $line"
29 done
30 ])
31 chmod +x usr/sbin/setkey
32
33 touch etc/racoon/certs/ovs-stale.pem
34
35 ovs_vsctl () {
36     ovs-vsctl --timeout=5 --no-wait -vreconnect:emer --db=unix:socket "$@"
37 }
38 trim () {  # Removes blank lines and lines starting with # from input.
39     sed -e '/^#/d' -e '/^[       ]*$/d' "$@"
40 }
41
42 ###
43 ### Start ovsdb-server.
44 ###
45 OVS_VSCTL_SETUP
46
47 ###
48 ### Start ovs-monitor-ipsec and wait for it to delete the stale cert.
49 ###
50 AT_CHECK(
51   [$PYTHON $top_srcdir/debian/ovs-monitor-ipsec "--root-prefix=`pwd`" \
52         "--pidfile=`pwd`/ovs-monitor-ipsec.pid" \
53         unix:socket 2>log 3>actions &])
54 AT_CAPTURE_FILE([log])
55 AT_CAPTURE_FILE([actions])
56 OVS_WAIT_UNTIL([test ! -f etc/racoon/certs/ovs-stale.pem])
57
58 ###
59 ### Add an ipsec_gre psk interface and check what ovs-monitor-ipsec does
60 ###
61 AT_CHECK([ovs_vsctl \
62               -- add-br br0 \
63               -- add-port br0 gre0 \
64               -- set interface gre0 type=ipsec_gre \
65                                     options:remote_ip=1.2.3.4 \
66                                     options:psk=swordfish])
67 OVS_WAIT_UNTIL([test -f actions && grep 'spdadd 1.2.3.4' actions >/dev/null])
68 AT_CHECK([cat actions], [0], [dnl
69 setkey:
70 > flush;
71 setkey:
72 > spdflush;
73 racoon: reload
74 racoon: reload
75 setkey:
76 > spdadd 0.0.0.0/0 1.2.3.4 gre -P out ipsec esp/transport//require;
77 > spdadd 1.2.3.4 0.0.0.0/0 gre -P in ipsec esp/transport//require;
78 ])
79 AT_CHECK([trim etc/racoon/psk.txt], [0], [1.2.3.4   swordfish
80 ])
81 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
82 path pre_shared_key "/etc/racoon/psk.txt";
83 path certificate "/etc/racoon/certs";
84 remote 1.2.3.4 {
85         exchange_mode main;
86         nat_traversal on;
87         proposal {
88                 encryption_algorithm aes;
89                 hash_algorithm sha1;
90                 authentication_method pre_shared_key;
91                 dh_group 2;
92         }
93 }
94 sainfo anonymous {
95         pfs_group 2;
96         lifetime time 1 hour;
97         encryption_algorithm aes;
98         authentication_algorithm hmac_sha1, hmac_md5;
99         compression_algorithm deflate;
100 }
101 ])
102
103 ###
104 ### Delete the ipsec_gre interface and check what ovs-monitor-ipsec does
105 ###
106 AT_CHECK([ovs_vsctl del-port gre0])
107 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 17])
108 AT_CHECK([sed '1,9d' actions], [0], [dnl
109 racoon: reload
110 setkey:
111 > spddelete 0.0.0.0/0 1.2.3.4 gre -P out;
112 > spddelete 1.2.3.4 0.0.0.0/0 gre -P in;
113 setkey:
114 > dump ;
115 setkey:
116 > dump ;
117 ])
118 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
119 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
120 path pre_shared_key "/etc/racoon/psk.txt";
121 path certificate "/etc/racoon/certs";
122 sainfo anonymous {
123         pfs_group 2;
124         lifetime time 1 hour;
125         encryption_algorithm aes;
126         authentication_algorithm hmac_sha1, hmac_md5;
127         compression_algorithm deflate;
128 }
129 ])
130
131 ###
132 ### Add ipsec_gre certificate interface and check what ovs-monitor-ipsec does
133 ###
134 AT_DATA([cert.pem], [dnl
135 -----BEGIN CERTIFICATE-----
136 (not a real certificate)
137 -----END CERTIFICATE-----
138 ])
139 AT_DATA([key.pem], [dnl
140 -----BEGIN RSA PRIVATE KEY-----
141 (not a real private key)
142 -----END RSA PRIVATE KEY-----
143 ])
144 AT_CHECK([ovs_vsctl \
145               -- add-port br0 gre1 \
146               -- set Interface gre1 type=ipsec_gre \
147                  options:remote_ip=2.3.4.5 \
148                  options:peer_cert='"-----BEGIN CERTIFICATE-----
149 (not a real peer certificate)
150 -----END CERTIFICATE-----
151 "' \
152                  options:certificate='"/cert.pem"' \
153                  options:private_key='"/key.pem"'])
154 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
155 AT_CHECK([sed '1,17d' actions], [0], [dnl
156 racoon: reload
157 setkey:
158 > spdadd 0.0.0.0/0 2.3.4.5 gre -P out ipsec esp/transport//require;
159 > spdadd 2.3.4.5 0.0.0.0/0 gre -P in ipsec esp/transport//require;
160 ])
161 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
162 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
163 path pre_shared_key "/etc/racoon/psk.txt";
164 path certificate "/etc/racoon/certs";
165 remote 2.3.4.5 {
166         exchange_mode main;
167         nat_traversal on;
168         ike_frag on;
169         certificate_type x509 "/cert.pem" "/key.pem";
170         my_identifier asn1dn;
171         peers_identifier asn1dn;
172         peers_certfile x509 "/etc/racoon/certs/ovs-2.3.4.5.pem";
173         verify_identifier on;
174         proposal {
175                 encryption_algorithm aes;
176                 hash_algorithm sha1;
177                 authentication_method rsasig;
178                 dh_group 2;
179         }
180 }
181 sainfo anonymous {
182         pfs_group 2;
183         lifetime time 1 hour;
184         encryption_algorithm aes;
185         authentication_algorithm hmac_sha1, hmac_md5;
186         compression_algorithm deflate;
187 }
188 ])
189 AT_CHECK([cat etc/racoon/certs/ovs-2.3.4.5.pem], [0], [dnl
190 -----BEGIN CERTIFICATE-----
191 (not a real peer certificate)
192 -----END CERTIFICATE-----
193 ])
194
195 ###
196 ### Delete the ipsec_gre certificate interface.
197 ###
198 AT_CHECK([ovs_vsctl del-port gre1])
199 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
200 AT_CHECK([sed '1,21d' actions], [0], [dnl
201 racoon: reload
202 setkey:
203 > spddelete 0.0.0.0/0 2.3.4.5 gre -P out;
204 > spddelete 2.3.4.5 0.0.0.0/0 gre -P in;
205 setkey:
206 > dump ;
207 setkey:
208 > dump ;
209 ])
210 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
211 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
212 path pre_shared_key "/etc/racoon/psk.txt";
213 path certificate "/etc/racoon/certs";
214 sainfo anonymous {
215         pfs_group 2;
216         lifetime time 1 hour;
217         encryption_algorithm aes;
218         authentication_algorithm hmac_sha1, hmac_md5;
219         compression_algorithm deflate;
220 }
221 ])
222 AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
223
224 ###
225 ### Add an SSL certificate interface.
226 ###
227 cp cert.pem ssl-cert.pem
228 cp key.pem ssl-key.pem
229 AT_DATA([ssl-cacert.pem], [dnl
230 -----BEGIN CERTIFICATE-----
231 (not a real CA certificate)
232 -----END CERTIFICATE-----
233 ])
234 AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
235               -- add-port br0 gre2 \
236               -- set Interface gre2 type=ipsec_gre \
237                  options:remote_ip=3.4.5.6 \
238                  options:peer_cert='"-----BEGIN CERTIFICATE-----
239 (not a real peer certificate)
240 -----END CERTIFICATE-----
241 "' \
242                  options:use_ssl_cert='"true"'])
243 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])
244 AT_CHECK([sed '1,29d' actions], [0], [dnl
245 racoon: reload
246 setkey:
247 > spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
248 > spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
249 ])
250 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
251 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
252 path pre_shared_key "/etc/racoon/psk.txt";
253 path certificate "/etc/racoon/certs";
254 remote 3.4.5.6 {
255         exchange_mode main;
256         nat_traversal on;
257         ike_frag on;
258         certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
259         my_identifier asn1dn;
260         peers_identifier asn1dn;
261         peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
262         verify_identifier on;
263         proposal {
264                 encryption_algorithm aes;
265                 hash_algorithm sha1;
266                 authentication_method rsasig;
267                 dh_group 2;
268         }
269 }
270 sainfo anonymous {
271         pfs_group 2;
272         lifetime time 1 hour;
273         encryption_algorithm aes;
274         authentication_algorithm hmac_sha1, hmac_md5;
275         compression_algorithm deflate;
276 }
277 ])
278 AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
279 -----BEGIN CERTIFICATE-----
280 (not a real peer certificate)
281 -----END CERTIFICATE-----
282 ])
283
284 ###
285 ### Delete the SSL certificate interface.
286 ###
287 AT_CHECK([ovs_vsctl del-port gre2])
288 OVS_WAIT_UNTIL([test `wc -l < actions` -ge 41])
289 AT_CHECK([sed '1,33d' actions], [0], [dnl
290 racoon: reload
291 setkey:
292 > spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
293 > spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
294 setkey:
295 > dump ;
296 setkey:
297 > dump ;
298 ])
299 AT_CHECK([trim etc/racoon/psk.txt], [0], [])
300 AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
301 path pre_shared_key "/etc/racoon/psk.txt";
302 path certificate "/etc/racoon/certs";
303 sainfo anonymous {
304         pfs_group 2;
305         lifetime time 1 hour;
306         encryption_algorithm aes;
307         authentication_algorithm hmac_sha1, hmac_md5;
308         compression_algorithm deflate;
309 }
310 ])
311 AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
312
313 OVSDB_SERVER_SHUTDOWN
314
315 AT_CLEANUP
sliver-openvswitch