Looks good to me. Ethan
On Thu, Oct 6, 2011 at 14:54, Ben Pfaff <[email protected]> wrote:
> I skipped writing a unit test for this feature on the first go-around, and
> of course that meant it didn't work.
>
> Bug #7693.
> Reported-by: Michael Hu <[email protected]>
> ---
> debian/ovs-monitor-ipsec | 7 ++-
> tests/ovs-monitor-ipsec.at | 89
> ++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 93 insertions(+), 3 deletions(-)
>
> diff --git a/debian/ovs-monitor-ipsec b/debian/ovs-monitor-ipsec
> index f7bdf1d..ac2cd7e 100755
> --- a/debian/ovs-monitor-ipsec
> +++ b/debian/ovs-monitor-ipsec
> @@ -413,9 +413,10 @@ def update_ipsec(ipsec, interfaces, new_interfaces):
>
> def get_ssl_cert(data):
> for ovs_rec in data["Open_vSwitch"].rows.itervalues():
> - ssl = ovs_rec.ssl
> - if ssl and ssl.certificate and ssl.private_key:
> - return (ssl.certificate, ssl.private_key)
> + if ovs_rec.ssl:
> + ssl = ovs_rec.ssl[0]
> + if ssl.certificate and ssl.private_key:
> + return (ssl.certificate, ssl.private_key)
>
> return None
>
> diff --git a/tests/ovs-monitor-ipsec.at b/tests/ovs-monitor-ipsec.at
> index f2794e0..f9868e7 100644
> --- a/tests/ovs-monitor-ipsec.at
> +++ b/tests/ovs-monitor-ipsec.at
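Review bot: get_ssl_cert still has no docstring, and the reworked loop makes the contract worth stating, because a row whose ssl record lacks either the certificate or the private key is now skipped silently and the caller receives None with nothing to distinguish "no SSL row" from "half-configured SSL row". Suggest `"""Return (certificate, private_key) from the first Open_vSwitch row whose ssl record names both files, or None if no row does."""` directly under the def, and, if the script has a logging helper in scope, a warning on the skipped-row path so an operator can see why use_ssl_cert interfaces end up without a certificate. The `ovs_rec.ssl[0]` indexing is only correct if the ssl column holds at most one reference, which the truthiness guard on the preceding line presumes; a set with more than one entry would silently take the first, so a one-line comment recording that assumption would help the next reader.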
> @@ -219,4 +219,93 @@ sainfo anonymous {
> ])
> AT_CHECK([test ! -f etc/racoon/certs/ovs-2.3.4.5.pem])
>
> +###
> +### Add an SSL certificate interface.
> +###
> +cp cert.pem ssl-cert.pem
> +cp key.pem ssl-key.pem
> +AT_DATA([ssl-cacert.pem], [dnl
> +-----BEGIN CERTIFICATE-----
> +(not a real CA certificate)
> +-----END CERTIFICATE-----
> +])
> +AT_CHECK([ovs_vsctl set-ssl /ssl-key.pem /ssl-cert.pem /ssl-cacert.pem \
> + -- add-port br0 gre2 \
> + -- set Interface gre2 type=ipsec_gre \
> + options:remote_ip=3.4.5.6 \
> + options:peer_cert='"-----BEGIN CERTIFICATE-----
> +(not a real peer certificate)
> +-----END CERTIFICATE-----
> +"' \
> + options:use_ssl_cert='"true"'])
> +OVS_WAIT_UNTIL([test `wc -l < actions` -ge 21])
> +AT_CHECK([sed '1,29d' actions], [0], [dnl
> +racoon: reload
> +setkey:
> +> spdadd 0.0.0.0/0 3.4.5.6 gre -P out ipsec esp/transport//require;
> +> spdadd 3.4.5.6 0.0.0.0/0 gre -P in ipsec esp/transport//require;
> +])
> +AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> +AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> +path pre_shared_key "/etc/racoon/psk.txt";
> +path certificate "/etc/racoon/certs";
> +remote 3.4.5.6 {
> + exchange_mode main;
> + nat_traversal on;
> + ike_frag on;
> + certificate_type x509 "/ssl-cert.pem" "/ssl-key.pem";
> + my_identifier asn1dn;
> + peers_identifier asn1dn;
> + peers_certfile x509 "/etc/racoon/certs/ovs-3.4.5.6.pem";
> + verify_identifier on;
> + proposal {
> + encryption_algorithm aes;
> + hash_algorithm sha1;
> + authentication_method rsasig;
> + dh_group 2;
> + }
> +}
> +sainfo anonymous {
> + pfs_group 2;
> + lifetime time 1 hour;
> + encryption_algorithm aes;
> + authentication_algorithm hmac_sha1, hmac_md5;
> + compression_algorithm deflate;
> +}
> +])
> +AT_CHECK([cat etc/racoon/certs/ovs-3.4.5.6.pem], [0], [dnl
> +-----BEGIN CERTIFICATE-----
> +(not a real peer certificate)
> +-----END CERTIFICATE-----
> +])
> +
> +###
> +### Delete the SSL certificate interface.
> +###
> +AT_CHECK([ovs_vsctl del-port gre2])
> +OVS_WAIT_UNTIL([test `wc -l < actions` -ge 29])
> +AT_CHECK([sed '1,33d' actions], [0], [dnl
> +racoon: reload
> +setkey:
> +> spddelete 0.0.0.0/0 3.4.5.6 gre -P out;
> +> spddelete 3.4.5.6 0.0.0.0/0 gre -P in;
> +setkey:
> +> dump ;
> +setkey:
> +> dump ;
> +])
> +AT_CHECK([trim etc/racoon/psk.txt], [0], [])
> +AT_CHECK([trim etc/racoon/racoon.conf], [0], [dnl
> +path pre_shared_key "/etc/racoon/psk.txt";
> +path certificate "/etc/racoon/certs";
> +sainfo anonymous {
> + pfs_group 2;
> + lifetime time 1 hour;
> + encryption_algorithm aes;
> + authentication_algorithm hmac_sha1, hmac_md5;
> + compression_algorithm deflate;
> +}
> +])
> +AT_CHECK([test ! -f etc/racoon/certs/ovs-3.4.5.6.pem])
> +
> AT_CLEANUP
> --
> 1.7.4.4
>
> _______________________________________________
> dev mailing list
> [email protected]
> http://openvswitch.org/mailman/listinfo/dev
> _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
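Review bot: The wait thresholds in the two new sections do not cover the lines the checks that follow them consume: the add section waits for `-ge 21` and then runs `sed '1,29d' actions` expecting four lines, so `actions` must hold 33 lines for that check to be meaningful, and the delete section waits for `-ge 29` before `sed '1,33d'` expects eight lines (41). If the earlier sections already leave 29 lines in `actions`, both waits are satisfied before ovs-monitor-ipsec has reacted and the sed checks race the daemon. Changing them to `OVS_WAIT_UNTIL([test `wc -l < actions` -ge 33])` and `-ge 41` (skip offset plus expected line count) removes the race. Separately, the expected racoon.conf now pins `authentication_algorithm hmac_sha1, hmac_md5;` and `dh_group 2;`; that is the daemon's pre-existing output rather than something this patch introduces, but the test freezes that weak profile, so a comment noting it is deliberate would save the next person from wondering whether the algorithm list is intentional.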
