[ovs-dev] [PATCH] ovs-monitor-ipsec: Fix use_ssl_cert option implementation.

Ethan Jackson ethan at nicira.com
Thu Oct 6 21:58:45 UTC 2011


Looks good to me.

Ethan

On Thu, Oct 6, 2011 at 14:54, Ben Pfaff <blp at nicira.com> wrote:
> I skipped writing a unit test for this feature on the first go-around, and
> of course that meant it didn't work.
>
> Bug #7693.
> Reported-by: Michael Hu <mhu at nicira.com>
> ---
>  debian/ovs-monitor-ipsec   |    7 ++-
>  tests/ovs-monitor-ipsec.at |   89 ++++++++++++++++++++++++++++++++++++++++++++
>  2 files changed, 93 insertions(+), 3 deletions(-)
>
> diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
> index f7bdf1d..ac2cd7e 100755
> --- a/debian/ovs-monitor-ipsec
> +++ b/debian/ovs-monitor-ipsec
> @@ -413,9 +413,10 @@ def update_ipsec(ipsec, interfaces, new_interfaces):
>
>  def get_ssl_cert(data):
>     for ovs_rec in data["Open_vSwitch"].rows.itervalues():
> -        ssl = ovs_rec.ssl
> -        if ssl and ssl.certificate and ssl.private_key:
> -            return (ssl.certificate, ssl.private_key)
> +        if ovs_rec.ssl:
> +            ssl = ovs_rec.ssl[0]
> +            if ssl.certificate and ssl.private_key:
> +                return (ssl.certificate, ssl.private_key)
>
>     return None
>
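Review bot: The `[0]` on the new `ssl = ovs_rec.ssl[0]` line is the entire fix, and nothing in the function says why it is needed, so a reader will be tempted to "simplify" it back to the attribute form that this commit removes. I would add a comment above it, `# ovs_rec.ssl is a list of 0 or 1 SSL row references, not a row itself  -- confirm against the IDL`, since the list representation of the optional reference column appears to be what the old code got wrong. The function also lacks a docstring; it should state that it returns the first (certificate, private_key) pair found on an Open_vSwitch row whose SSL reference has both fields set, and None when no row does, so that callers handling None know whether that means "fall back to per-interface certificates" (which seems to be the intent given the use_ssl_cert option, but is not visible here).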
> diff --git a/tests/ovs-monitor-ipsec.at b/tests/ovs-monitor-ipsec.at
> index f2794e0..f9868e7 100644
> --- a/tests/ovs-monitor-ipsec.at
> +++ b/tests/ovs-monitor-ipsec.at
> @@ -219,4 +219,93 @@ sainfo anonymous {
>  ])
>  AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
>
> +###
> +### Add an SSL certificate interface.
> +###
> +cp cert.pem ssl-cert.pem
> +cp key.pem ssl-key.pem
> +AT_DATA([ssl-cacert.pem], [dnl
> +-----BEGIN CERTIFICATE-----
> +(not a real CA certificate)
> +-----END CERTIFICATE-----
> +])
> +AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
> +              -- add-port br0 gre2 \
> +              -- set Interface gre2 type=ipsec_gre \
> +                 options:remote_ip=3.4.5.6 \
> +                 options:peer_cert='"-----BEGIN CERTIFICATE-----
> +(not a real peer certificate)
> +-----END CERTIFICATE-----
> +"' \
> +                 options:use_ssl_cert='"true"'])
> +OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
> +AT_CHECK([sed '1,29d' actions], [0], [dnl
> +racoon: reload
> +setkey:
> +> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> +> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
> +])
> +AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> +AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> +path pre_shared_key "/etc/racoon/psk.txt";
> +path certificate "/etc/racoon/certs";
> +remote 3.4.5.6 {
> +        exchange_mode main;
> +        nat_traversal on;
> +        ike_frag on;
> +        certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
> +        my_identifier asn1dn;
> +        peers_identifier asn1dn;
> +        peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
> +        verify_identifier on;
> +        proposal {
> +                encryption_algorithm aes;
> +                hash_algorithm sha1;
> +                authentication_method rsasig;
> +                dh_group 2;
> +        }
> +}
> +sainfo anonymous {
> +        pfs_group 2;
> +        lifetime time 1 hour;
> +        encryption_algorithm aes;
> +        authentication_algorithm hmac_sha1, hmac_md5;
> +        compression_algorithm deflate;
> +}
> +])
> +AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
> +-----BEGIN CERTIFICATE-----
> +(not a real peer certificate)
> +-----END CERTIFICATE-----
> +])
> +
> +###
> +### Delete the SSL certificate interface.
> +###
> +AT_CHECK([ovs_vsctl del-port gre2])
> +OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
> +AT_CHECK([sed '1,33d' actions], [0], [dnl
> +racoon: reload
> +setkey:
> +> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> +> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
> +setkey:
> +> dump ;
> +setkey:
> +> dump ;
> +])
> +AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> +AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> +path pre_shared_key "/etc/racoon/psk.txt";
> +path certificate "/etc/racoon/certs";
> +sainfo anonymous {
> +        pfs_group 2;
> +        lifetime time 1 hour;
> +        encryption_algorithm aes;
> +        authentication_algorithm hmac_sha1, hmac_md5;
> +        compression_algorithm deflate;
> +}
> +])
> +AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
> +
>  AT_CLEANUP
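Review bot: The wait thresholds in the new test look inconsistent with the `sed` offsets that follow them: `OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])` is paired with `sed '1,29d'`, which expects four lines after the first 29, and the later wait for `-ge 29` is paired with `sed '1,33d'` expecting eight more. If the earlier steps of this test already leave `actions` with 29 or more lines, both waits return immediately and the checks can run before the daemon has appended the reload and setkey lines, which would make the test flaky rather than fail deterministically. Presumably the thresholds should be the total line count the following check needs, i.e. `-ge 33` and `-ge 41`; if the counts were chosen deliberately, a comment on each wait explaining the expected `actions` length would help the next person who touches these offsets. The enclosing test body starts outside the hunk, so the earlier line counts cannot be confirmed from here.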
> --
> 1.7.4.4
>
>


