From patchwork Fri May 5 12:21:12 2023
X-Patchwork-Submitter: Stefan Hoffmann
X-Patchwork-Id: 1777599
Message-ID: <371707ba4ddeb730d3ddf4a3be955f3805910f0c.camel@cloudandheat.com>
From: Stefan Hoffmann
To: dev@openvswitch.org
Date: Fri, 05 May 2023 14:21:12 +0200
Subject: [ovs-dev] [PATCH 2/2] test-stream: Add ssl tests for stream open block

This tests stream.c and stream.py with an ssl connection at
CHECK_STREAM_OPEN_BLOCK.

For the tests, ovsdb needs to be built with libssl.

Signed-off-by: Stefan Hoffmann
---
 tests/ovsdb-idl.at   | 41 ++++++++++++++++++++++++++++++++++++-----
 tests/test-stream.c  | 12 +++++++++++-
 tests/test-stream.py | 18 ++++++++++++++++++
 3 files changed, 65 insertions(+), 6 deletions(-)

diff --git a/tests/ovsdb-idl.at b/tests/ovsdb-idl.at
index 8b1cdcdf8..a62816636 100644
--- a/tests/ovsdb-idl.at
+++ b/tests/ovsdb-idl.at
@@ -10,9 +10,20 @@ m4_define([OVSDB_START_IDLTEST], [ AT_CHECK([ovsdb-tool create db dnl m4_if([$2], [], [$abs_srcdir/idltest.ovsschema], [$2])]) + PKIDIR=$abs_top_builddir/tests + SSL_FLAGS="" + REMOTE_STRING="$1" + REMOTE_PROTOCOL="${REMOTE_STRING::4}" + if [[ "$REMOTE_PROTOCOL" == "pssl" ]]; then + SSL_FLAGS="--private-key=$PKIDIR/testpki-privkey2.pem dnl + --certificate=$PKIDIR/testpki-cert2.pem dnl + --ca-cert=$PKIDIR/testpki-cacert.pem" + fi + #m4_if([$REMOTE_PROTOCOL], [pssl], [--private-key=$PKIDIR/testpki-privkey2.pem --certificate=$PKIDIR/testpki-cert2.pem --ca-cert=$PKIDIR/testpki-cacert.pem], []) dnl AT_CHECK([ovsdb-server -vconsole:warn --log-file --detach --no-chdir dnl --pidfile --remote=punix:socket dnl - m4_if([$1], [], [], [--remote=$1]) db + $SSL_FLAGS dnl + m4_if([$1], [], [], [--remote=$1]) db dnl ]) on_exit 'kill `cat ovsdb-server.pid`' ]) 
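Review bot: the protocol detection added to OVSDB_START_IDLTEST is bash-only and will break under a POSIX /bin/sh. REMOTE_PROTOCOL="${REMOTE_STRING::4}" is a bash substring expansion, and because this sits inside an m4 macro body the double brackets in if [[ "$REMOTE_PROTOCOL" == "pssl" ]] are m4 quotes, so the generated script reads if [ "$REMOTE_PROTOCOL" == "pssl" ], where == is not a POSIX test operator. A case statement on the remote string needs neither: case "$1" in pssl:*) SSL_FLAGS="--private-key=$PKIDIR/testpki-privkey2.pem --certificate=$PKIDIR/testpki-cert2.pem --ca-cert=$PKIDIR/testpki-cacert.pem" ;; esac. The commented-out #m4_if([$REMOTE_PROTOCOL], [pssl], ...) line should go as well: m4_if is evaluated at m4 expansion time and cannot see a shell variable, so it can never work and only records the abandoned attempt.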
@@ -2284,14 +2295,28 @@ m4_define([CHECK_STREAM_OPEN_BLOCK], [AT_SETUP([Check stream open block - $1 - $3]) AT_SKIP_IF([test "$3" = "tcp6" && test "$IS_WIN32" = "yes"]) AT_SKIP_IF([test "$3" = "tcp6" && test "$HAVE_IPV6" = "no"]) + AT_SKIP_IF([test "$3" = "ssl6" && test "$IS_WIN32" = "yes"]) + AT_SKIP_IF([test "$3" = "ssl6" && test "$HAVE_IPV6" = "no"]) + AT_SKIP_IF([test "$3" = "ssl" && test "$HAVE_OPENSSL" = "no"]) + $PYTHON3 -c "import ssl" + SSL_PRESENT=$? + AT_SKIP_IF([test "$3" = "ssl" && test $SSL_PRESENT != 0]) + AT_SKIP_IF([test "$3" = "ssl6" && test "$HAVE_OPENSSL" = "no"]) + AT_SKIP_IF([test "$3" = "ssl6" && test $SSL_PRESENT != 0]) AT_KEYWORDS([ovsdb server stream open_block $3]) - OVSDB_START_IDLTEST(["ptcp:0:$4"]) + PKIDIR=$abs_top_builddir/tests + PROTOCOL=$3 + PROTOCOL=${PROTOCOL::3} + m4_define([LISTEN_PROTOCOL], [p$PROTOCOL]) + OVSDB_START_IDLTEST([LISTEN_PROTOCOL:0:$4]) PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) WRONG_PORT=$(($TCP_PORT + 101)) - AT_CHECK([$2 tcp:$4:$TCP_PORT], [0], [ignore]) - AT_CHECK([$2 tcp:$4:$WRONG_PORT], [1], [ignore], [ignore]) + SSL_KEY_ARGS="$PKIDIR/testpki-privkey.pem $PKIDIR/testpki-cert.pem $PKIDIR/testpki-cacert.pem" + AT_CHECK([$2 $PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [0], [ignore]) + AT_CHECK([$2 $PROTOCOL:$4:$WRONG_PORT $SSL_KEY_ARGS], [1], [ignore], + [ignore]) OVSDB_SERVER_SHUTDOWN - AT_CHECK([$2 tcp:$4:$TCP_PORT], [1], [ignore], [ignore]) + AT_CHECK([$2 $PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [1], [ignore], [ignore]) AT_CLEANUP]) CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [tcp], [127.0.0.1]) 
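Review bot: in CHECK_STREAM_OPEN_BLOCK the Python SSL probe tests the wrong module and is applied too broadly. $PYTHON3 -c "import ssl" checks the standard-library ssl module, but ovs.stream.SSLStream, which test-stream.py configures, is built on pyOpenSSL, so the import can succeed on a host where the Python test still fails; probe $PYTHON3 -c "import OpenSSL.SSL" instead. The result is then fed to AT_SKIP_IF([test "$3" = "ssl" && test $SSL_PRESENT != 0]) (and the ssl6 twin) for every implementation, so a host without pyOpenSSL also skips the C ssl and ssl6 tests, which do not need it; gate those two skips on test "$1" = Python3 as well. Two smaller points in the same hunk: PROTOCOL=${PROTOCOL::3} is another bash substring expansion, and PROTOCOL=${3%6}, stripping a trailing 6, is the POSIX way to turn tcp6/ssl6 into tcp/ssl; and m4_define([LISTEN_PROTOCOL], [p$PROTOCOL]) defines a file-wide m4 macro at expansion time for a single use, where OVSDB_START_IDLTEST([p$PROTOCOL:0:$4]) says the same thing directly.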
@@ -2300,6 +2325,12 @@ CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py], [tcp], [127.0.0.1]) CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py], [tcp6], [[[::1]]]) +CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [ssl], [127.0.0.1]) +CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [ssl6], [[[::1]]]) +CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py], + [ssl], [127.0.0.1]) +CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py], + [ssl6], [[[::1]]]) # same as OVSDB_CHECK_IDL but uses Python IDL implementation with tcp # with multiple remotes to assert the idl connects to the leader of the Raft cluster diff --git a/tests/test-stream.c b/tests/test-stream.c index 68ce2c544..14e3bfe38 100644 --- a/tests/test-stream.c +++ b/tests/test-stream.c @@ -19,6 +19,7 @@ #include "fatal-signal.h" #include "openvswitch/vlog.h" #include "stream.h" +#include "stream-ssl.h" #include "util.h" VLOG_DEFINE_THIS_MODULE(test_stream); @@ -33,7 +34,16 @@ main(int argc, char *argv[]) set_program_name(argv[0]); if (argc < 2) { - ovs_fatal(0, "usage: %s REMOTE", argv[0]); + ovs_fatal(0, "usage: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]", + argv[0]); + } + if (strncmp("ssl:", argv[1], 4) == 0) { + if (argc < 5) { + ovs_fatal(0, "usage with ssl: %s REMOTE SSL_KEY SSL_CERT SSL_CA", + argv[0]); + } + stream_ssl_set_ca_cert_file(argv[4], false); + stream_ssl_set_key_and_cert(argv[2], argv[3]); } error = stream_open_block(stream_open(argv[1], &stream, DSCP_DEFAULT), diff --git a/tests/test-stream.py b/tests/test-stream.py index 93d63c019..a6a9c18b2 100644 --- a/tests/test-stream.py +++ b/tests/test-stream.py 
@@ -15,10 +15,28 @@ import sys import ovs.stream +import ovs.util def main(argv): + if len(argv) < 2: + ovs.util.ovs_fatal(0, + "usage: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]", + argv[0], + ) remote = argv[1] + + if remote.startswith("ssl:"): + if len(argv) < 5: + ovs.util.ovs_fatal( + 0, + "usage with ssl: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]", + argv[0], + ) + ovs.stream.SSLStream.ssl_set_ca_cert_file(argv[4]) + ovs.stream.SSLStream.ssl_set_certificate_file(argv[3]) + ovs.stream.SSLStream.ssl_set_private_key_file(argv[2]) + err, stream = ovs.stream.Stream.open_block( ovs.stream.Stream.open(remote), 10000)
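Review bot: in tests/test-stream.c the SSL material is taken as positional arguments keyed off the "ssl:" prefix of the remote, which duplicates option handling that lib/stream-ssl.h already provides. STREAM_SSL_LONG_OPTIONS and STREAM_SSL_OPTION_HANDLERS in a getopt_long loop would give test-stream the same --private-key, --certificate and --ca-cert options that ovsdb-server is started with in the .at hunk above, and they would let the tcp invocations stop carrying unused key paths (SSL_KEY_ARGS is currently appended to every $2 $PROTOCOL:$4:... call, tcp included). If the positional form is kept, the strncmp("ssl:", argv[1], 4) check and the argc < 5 check are correct as written; only the usage text is worth tightening so the first message says the three paths are required for ssl: remotes rather than implying they are optional.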
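Review bot: in tests/test-stream.py both new ovs.util.ovs_fatal calls pass argv[0] as a third positional argument, but unlike the C ovs_fatal this function is not printf-style: its parameters are (err_no, message, vlog=None), so argv[0] lands in the vlog slot, the %s is never substituted, and the call dies with an AttributeError on vlog.err(message) instead of printing the usage line. Format the message before the call: ovs.util.ovs_fatal(0, "usage: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]" % argv[0]), and likewise for the ssl-specific message. That second message should also drop the square brackets, as the C version does, since the key, certificate and CA file are mandatory for ssl: remotes.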