From patchwork Thu May 11 13:38:50 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Hoffmann <stefan.hoffmann@cloudandheat.com>
X-Patchwork-Id: 1780102
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org
 (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org;
 envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>)
Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384)
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4QHCfg5RTxz214S
	for <incoming@patchwork.ozlabs.org>; Thu, 11 May 2023 23:39:07 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by smtp3.osuosl.org (Postfix) with ESMTP id B588660B5A;
	Thu, 11 May 2023 13:39:05 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org B588660B5A
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp3.osuosl.org ([127.0.0.1])
	by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id XO_i9RGFcldz; Thu, 11 May 2023 13:39:04 +0000 (UTC)
Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])
	by smtp3.osuosl.org (Postfix) with ESMTPS id B43B260B55;
	Thu, 11 May 2023 13:39:03 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org B43B260B55
Received: from lf-lists.osuosl.org (localhost [127.0.0.1])
	by lists.linuxfoundation.org (Postfix) with ESMTP id 89B07C0036;
	Thu, 11 May 2023 13:39:03 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@lists.linuxfoundation.org
Received: from smtp4.osuosl.org (smtp4.osuosl.org [140.211.166.137])
 by lists.linuxfoundation.org (Postfix) with ESMTP id 88DB7C002A
 for <dev@openvswitch.org>; Thu, 11 May 2023 13:39:01 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by smtp4.osuosl.org (Postfix) with ESMTP id 54AF240093
 for <dev@openvswitch.org>; Thu, 11 May 2023 13:39:01 +0000 (UTC)
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 54AF240093
X-Virus-Scanned: amavisd-new at osuosl.org
Received: from smtp4.osuosl.org ([127.0.0.1])
 by localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id ObDmEgYDFwZ1 for <dev@openvswitch.org>;
 Thu, 11 May 2023 13:39:00 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.8.0
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp4.osuosl.org 4BE5C4006B
Received: from mx3.cloudandheat.com (mx3.cloudandheat.com [185.128.118.157])
 by smtp4.osuosl.org (Postfix) with ESMTPS id 4BE5C4006B
 for <dev@openvswitch.org>; Thu, 11 May 2023 13:39:00 +0000 (UTC)
Received: by mx3.cloudandheat.com with esmtpsa
 (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256)
 (Exim 4.93) (envelope-from <stefan.hoffmann@cloudandheat.com>)
 id 1px6VW-00E2tu-0v
 for dev@openvswitch.org; Thu, 11 May 2023 13:38:58 +0000
Message-ID: <6d6e3fb131d56e2ab76b7ff6c5774376b64ebdad.camel@cloudandheat.com>
From: Stefan Hoffmann <stefan.hoffmann@cloudandheat.com>
To: dev@openvswitch.org
Date: Thu, 11 May 2023 15:38:50 +0200
User-Agent: Evolution 3.44.4-0ubuntu1 
MIME-Version: 1.0
X-Content-Filtered-By: Mailman/MimeDel 2.1.15
Subject: [ovs-dev] [PATCH v3 2/2] test-stream: Add ssl tests for stream open
	block
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
 <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
Errors-To: ovs-dev-bounces@openvswitch.org
Sender: "dev" <ovs-dev-bounces@openvswitch.org>

This tests stream.c and stream.py with ssl connection at
CHECK_STREAM_OPEN_BLOCK.
For the tests, ovsdb needs to be build with libssl.

Signed-off-by: Stefan Hoffmann <stefan.hoffmann@cloudandheat.com>
---

Changes based on comments from Ilya Maximets:
use m4_join; use m4_substr directly at call, without using variable in
between

Hint: at some places we can't use brackets, as m4 seems to not resolve the
variables otherwise. Mail with comments at this places will follow.

 tests/ovsdb-idl.at   | 31 +++++++++++++++++++++++++++----
 tests/test-stream.c  | 12 +++++++++++-
 tests/test-stream.py | 18 ++++++++++++++++++
 3 files changed, 56 insertions(+), 5 deletions(-)

diff --git a/tests/ovsdb-idl.at b/tests/ovsdb-idl.at
index 258d79fe9..978a6677b 100644
--- a/tests/ovsdb-idl.at
+++ b/tests/ovsdb-idl.at
@@ -28,8 +28,13 @@ m4_define([OVSDB_START_IDLTEST],
 [
   AT_CHECK([ovsdb-tool create db dnl
               m4_if([$2], [], [$abs_srcdir/idltest.ovsschema], [$2])])
+  PKIDIR=$abs_top_builddir/tests
   AT_CHECK([ovsdb-server -vconsole:warn --log-file --detach --no-chdir dnl
               --pidfile --remote=punix:socket dnl
+              m4_if(m4_substr($1, 0, 5), [pssl:],
+                    [--private-key=$PKIDIR/testpki-privkey2.pem dnl
+                     --certificate=$PKIDIR/testpki-cert2.pem dnl
+                     --ca-cert=$PKIDIR/testpki-cacert.pem], []) dnl
               m4_if([$1], [], [], [--remote=$1]) db dnl
   ])
   on_exit 'kill `cat ovsdb-server.pid`'
@@ -2286,14 +2291,26 @@ m4_define([CHECK_STREAM_OPEN_BLOCK],
   [AT_SETUP([Check stream open block - $1 - $3])
    AT_SKIP_IF([test "$3" = "tcp6" && test "$IS_WIN32" = "yes"])
    AT_SKIP_IF([test "$3" = "tcp6" && test "$HAVE_IPV6" = "no"])
+   AT_SKIP_IF([test "$3" = "ssl6" && test "$IS_WIN32" = "yes"])
+   AT_SKIP_IF([test "$3" = "ssl6" && test "$HAVE_IPV6" = "no"])
+   AT_SKIP_IF([test "$3" = "ssl" && test "$HAVE_OPENSSL" = "no"])
+   $PYTHON3 -c "import ssl"
+   SSL_PRESENT=$?
+   AT_SKIP_IF([test "$3" = "ssl" && test $SSL_PRESENT != 0])
+   AT_SKIP_IF([test "$3" = "ssl6" && test "$HAVE_OPENSSL" = "no"])
+   AT_SKIP_IF([test "$3" = "ssl6" && test $SSL_PRESENT != 0])
    AT_KEYWORDS([ovsdb server stream open_block $3])
-   OVSDB_START_IDLTEST(["ptcp:0:$4"])
+   PKIDIR=$abs_top_builddir/tests
+   m4_define([PROTOCOL], [m4_substr([$3], [0], [3])])
+   OVSDB_START_IDLTEST([m4_join([], [p], PROTOCOL, [:0:], $4)])
    PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
    WRONG_PORT=$(($TCP_PORT + 101))
-   AT_CHECK([$2 tcp:$4:$TCP_PORT], [0], [ignore])
-   AT_CHECK([$2 tcp:$4:$WRONG_PORT], [1], [ignore], [ignore])
+   SSL_KEY_ARGS="$PKIDIR/testpki-privkey.pem $PKIDIR/testpki-cert.pem $PKIDIR/testpki-cacert.pem"
+   AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [0], [ignore])
+   AT_CHECK([$2 PROTOCOL:$4:$WRONG_PORT $SSL_KEY_ARGS], [1], [ignore],
+            [ignore])
    OVSDB_SERVER_SHUTDOWN
-   AT_CHECK([$2 tcp:$4:$TCP_PORT], [1], [ignore], [ignore])
+   AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [1], [ignore], [ignore])
    AT_CLEANUP])
 
 CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [tcp], [127.0.0.1])
@@ -2302,6 +2319,12 @@ CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py],
                         [tcp], [127.0.0.1])
 CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py],
                         [tcp6], [[[::1]]])
+CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [ssl], [127.0.0.1])
+CHECK_STREAM_OPEN_BLOCK([C], [test-stream], [ssl6], [[[::1]]])
+CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py],
+                        [ssl], [127.0.0.1])
+CHECK_STREAM_OPEN_BLOCK([Python3], [$PYTHON3 $srcdir/test-stream.py],
+                        [ssl6], [[[::1]]])
 
 # same as OVSDB_CHECK_IDL but uses Python IDL implementation with tcp
 # with multiple remotes to assert the idl connects to the leader of the Raft cluster
diff --git a/tests/test-stream.c b/tests/test-stream.c
index 68ce2c544..14e3bfe38 100644
--- a/tests/test-stream.c
+++ b/tests/test-stream.c
@@ -19,6 +19,7 @@
 #include "fatal-signal.h"
 #include "openvswitch/vlog.h"
 #include "stream.h"
+#include "stream-ssl.h"
 #include "util.h"
 
 VLOG_DEFINE_THIS_MODULE(test_stream);
@@ -33,7 +34,16 @@ main(int argc, char *argv[])
     set_program_name(argv[0]);
 
     if (argc < 2) {
-        ovs_fatal(0, "usage: %s REMOTE", argv[0]);
+        ovs_fatal(0, "usage: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]",
+                  argv[0]);
+    }
+    if (strncmp("ssl:", argv[1], 4) == 0) {
+        if (argc < 5) {
+            ovs_fatal(0, "usage with ssl: %s REMOTE SSL_KEY SSL_CERT SSL_CA",
+                      argv[0]);
+        }
+        stream_ssl_set_ca_cert_file(argv[4], false);
+        stream_ssl_set_key_and_cert(argv[2], argv[3]);
     }
 
     error = stream_open_block(stream_open(argv[1], &stream, DSCP_DEFAULT),
diff --git a/tests/test-stream.py b/tests/test-stream.py
index 93d63c019..a6a9c18b2 100644
--- a/tests/test-stream.py
+++ b/tests/test-stream.py
@@ -15,10 +15,28 @@
 import sys
 
 import ovs.stream
+import ovs.util
 
 
 def main(argv):
+    if len(argv) < 2:
+        ovs.util.ovs_fatal(0,
+                           "usage: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]",
+                           argv[0],
+                           )
     remote = argv[1]
+
+    if remote.startswith("ssl:"):
+        if len(argv) < 5:
+            ovs.util.ovs_fatal(
+                0,
+                "usage with ssl: %s REMOTE [SSL_KEY] [SSL_CERT] [SSL_CA]",
+                argv[0],
+            )
+        ovs.stream.SSLStream.ssl_set_ca_cert_file(argv[4])
+        ovs.stream.SSLStream.ssl_set_certificate_file(argv[3])
+        ovs.stream.SSLStream.ssl_set_private_key_file(argv[2])
+
     err, stream = ovs.stream.Stream.open_block(
             ovs.stream.Stream.open(remote), 10000)