From patchwork Wed Jan 17 20:12:58 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: aginwala aginwala X-Patchwork-Id: 1887616 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=XUAOZAUm; dkim-atps=neutral Authentication-Results: legolas.ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org (client-ip=2605:bc80:3010::136; helo=smtp3.osuosl.org; envelope-from=ovs-dev-bounces@openvswitch.org; receiver=patchwork.ozlabs.org) Received: from smtp3.osuosl.org (smtp3.osuosl.org [IPv6:2605:bc80:3010::136]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4TFcWW5KW8z23dx for ; Thu, 18 Jan 2024 07:13:11 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by smtp3.osuosl.org (Postfix) with ESMTP id BA9B06158F; Wed, 17 Jan 2024 20:13:09 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org BA9B06158F Authentication-Results: smtp3.osuosl.org; dkim=fail reason="signature verification failed" (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=XUAOZAUm X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp3.osuosl.org ([127.0.0.1]) by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YVdNd9B74r7z; Wed, 17 Jan 2024 20:13:08 +0000 (UTC) Received: from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56]) by smtp3.osuosl.org (Postfix) with ESMTPS id 99CF460BB0; Wed, 17 Jan 2024 20:13:07 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp3.osuosl.org 99CF460BB0 Received: from lf-lists.osuosl.org (localhost [127.0.0.1]) by lists.linuxfoundation.org (Postfix) with ESMTP id 7AD5EC0072; Wed, 17 Jan 2024 20:13:07 +0000 (UTC) X-Original-To: dev@openvswitch.org Delivered-To: ovs-dev@lists.linuxfoundation.org Received: from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138]) by lists.linuxfoundation.org (Postfix) with ESMTP id 369D6C0037 for ; Wed, 17 Jan 2024 20:13:06 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by smtp1.osuosl.org (Postfix) with ESMTP id 045E683DDF for ; Wed, 17 Jan 2024 20:13:06 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 045E683DDF Authentication-Results: smtp1.osuosl.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256 header.s=20230601 header.b=XUAOZAUm X-Virus-Scanned: amavisd-new at osuosl.org Received: from smtp1.osuosl.org ([127.0.0.1]) by localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j2gy4NXFdJSA for ; Wed, 17 Jan 2024 20:13:05 +0000 (UTC) Received: from mail-pl1-x629.google.com (mail-pl1-x629.google.com [IPv6:2607:f8b0:4864:20::629]) by smtp1.osuosl.org (Postfix) with ESMTPS id 0911D83DD2 for ; Wed, 17 Jan 2024 20:13:04 +0000 (UTC) DKIM-Filter: OpenDKIM Filter v2.11.0 smtp1.osuosl.org 0911D83DD2 Received: by mail-pl1-x629.google.com with SMTP id d9443c01a7336-1d6efe27c1dso5935145ad.0 for ; Wed, 17 Jan 2024 12:13:04 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705522384; x=1706127184; darn=openvswitch.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=Ok3hY7/1FHkwZtKuQnhHQwJ8k4A94ICjGoYSycnYT0k=; b=XUAOZAUm/OyubtEPHMC8wuIO5cnSzQuj/SvJloHeYsgsBNPTxGDzdJEXFEztSr99Xv afs7CBRGoJBo14dFQih9dGPr0buZqkY9gOwgLQ5UguJaJA0tdhF9avyPdXrxCvoYcI8d A3IB54wa29TgTjrILF5enXnCb7DiidAsoKwYQvKsK7nV6Ghnn1htfHBtD0oZJZSlcYSb FiW+SKJ7UYUK872GU2an43QIAbUW9Chl0P7W6bEp3p5pDudQewWs5RGmqqQ/NTUOPhZP EQlnvlr47FtkuGCN6QxejP/OD0LdQ9iF23tAGMzEFA01XRcoi9ghq16VozVPtc855yPy ilLA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705522384; x=1706127184; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=Ok3hY7/1FHkwZtKuQnhHQwJ8k4A94ICjGoYSycnYT0k=; b=mNUqbcN9bC7VJVEl4223y0OVSzmr6DyaWmmyeCPeRnW2dnqdInpv+BJ/uC4i35ASKU MWC3sliY5pNVZt5x9XovzyILh4atPjloMDh37gBOJDy3CAtEL+GZ8aVymtbyziGtGwfC 5g8mcjR6W9B76sbwudM6SkTMhhp2gOvuA9YCCZTylW0/EkN3v8T2Ys3c+cZW7NU92YZP YTlfULU3UuRQ6WFq5+0L1/y268Eij2OmbFMCtllKBKdsSjQarHUF6lp5tRkm2uBnlaQ2 vw8Grst/tl40GGDGBZbLzNIlBCfa8ZwmK7T7n3Kxb1kAd5nIjeTtbvvdSjgjUl4TvMrx AdMg== X-Gm-Message-State: AOJu0YzOIO44ifSMSQhPLcH73rSqrGaMtoOJiSpUFV40sQcn0BvV3BLk m8gIN5bWcsJ5TrecfWl+jaMqlxc9CeI= X-Google-Smtp-Source: AGHT+IH3TZjTiqSen+bb9NHnGf3i6aLc/dOJISEZ48nN08Oj+gsK9m8e+g+3pGf+uawokjPzilFtDA== X-Received: by 2002:a17:903:1cc:b0:1d6:fe87:4d53 with SMTP id e12-20020a17090301cc00b001d6fe874d53mr531909plh.55.1705522383682; Wed, 17 Jan 2024 12:13:03 -0800 (PST) Received: from T92R2DP9Q1.corp.ebay.com ([216.113.160.77]) by smtp.gmail.com with ESMTPSA id e2-20020a170902744200b001d6f584ee1esm56230plt.34.2024.01.17.12.13.03 (version=TLS1_3 cipher=TLS_CHACHA20_POLY1305_SHA256 bits=256/256); Wed, 17 Jan 2024 12:13:03 -0800 (PST) From: amginwal@gmail.com To: dev@openvswitch.org Date: Wed, 17 Jan 2024 12:12:58 -0800 Message-Id: <20240117201258.4033-1-amginwal@gmail.com> X-Mailer: git-send-email 2.39.3 (Apple Git-145) MIME-Version: 1.0 Cc: Aliasgar Ginwala Subject: [ovs-dev] [PATCH ovn v2] fix segfault due to ssl-ciphers X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Aliasgar Ginwala To avoid invalidating existing certs setup by old version of ovs pki. openssl supports setting ciphers but it fails with ovn as below ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' Aborted (core dumped) Avoid invalidating existing certs when bumping to new ovn version SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed while connecting to control plane. Also amend ovn ic northd and ovn ctl utilities Add tests for ssl ciphers Signed-off-by: Aliasgar Ginwala Acked-by: Ales Musil --- controller/ovn-controller.c | 7 ++ ic/ovn-ic.c | 8 ++ northd/ovn-northd.c | 8 ++ tests/ovn-controller.at | 23 +++++ tests/ovn.at | 182 ++++++++++++++++++++++++++++++++++++ utilities/ovn-dbctl.c | 8 ++ 6 files changed, 236 insertions(+) diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c index 856e5e270..4b16818a6 100644 --- a/controller/ovn-controller.c +++ b/controller/ovn-controller.c @@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[]) ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; case OPT_PEER_CA_CERT: stream_ssl_set_peer_ca_cert_file(optarg); diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c index 8ceb34d7c..6f8f5734d 100644 --- a/ic/ovn-ic.c +++ b/ic/ovn-ic.c @@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; + case 'd': ovnsb_db = optarg; break; diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index f3868068d..dadc1af38 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED, ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; + case 'd': ovnsb_db = optarg; break; diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index 9d2a37c72..9cc8730e9 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -2712,3 +2712,26 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=40 | grep -q controller], [1] OVN_CLEANUP([hv1]) AT_CLEANUP ]) + + +AT_SETUP([ovn-controller - ssl ciphers using command line options]) +AT_KEYWORDS([ovn]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +ovn_start + +net_add n1 +sim_add hv1 +ovs-vsctl add-br br-phys +ovn_attach n1 br-phys 192.168.0.20 + +# Set cipher and and it should connect +OVS_APP_EXIT_AND_WAIT([ovn-controller]) +start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' + +OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], [0], [connected +]) + +cat hv1/ovn-controller.log + +OVN_CLEANUP([hv1]) +AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index c3644ac78..34f277ef9 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -37588,3 +37588,185 @@ OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema + +# Add read-only remote to sb ovsdb-server +AT_CHECK( + [ovsdb-tool transact ovn-sb.db \ + ['["OVN_Southbound", + {"op": "insert", + "table": "SB_Global", + "row": { + "connections": ["set", [["named-uuid", "xyz"]]]}}, + {"op": "insert", + "table": "Connection", + "uuid-name": "xyz", + "row": {"target": "pssl:0:127.0.0.1", + "read_only": true}}]']], [0], [ignore], [ignore]) + +start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ + --remote=db:OVN_Southbound,SB_Global,connections \ + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ + --certificate="$PKIDIR/testpki-test2-cert.pem" \ + --ca-cert="$PKIDIR/testpki-cacert.pem" \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-sb.db + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# read-only accesses should succeed +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list SB_Global], [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], [0], [stdout], [ignore]) + +# write access should fail +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + chassis-add ch vxlan 1.2.4.8], [1], [ignore], +[ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} +]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP + +AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema + +# Start nb db server using db connection/ssl entries (unpopulated initially) +start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ + --remote=db:OVN_Northbound,NB_Global,connections \ + --private-key=db:OVN_Northbound,SSL,private_key \ + --certificate=db:OVN_Northbound,SSL,certificate \ + --ca-cert=db:OVN_Northbound,SSL,ca_cert \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-nb.db + +# Populate SSL configuration entries in nb db +AT_CHECK( + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + +# Populate a passive SSL connection in nb db +AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore]) + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# Verify SSL connetivity to nb db server +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list NB_Global], + [0], [stdout], [ignore]) +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], + [0], [stdout], [ignore]) +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + get-connection], + [0], [stdout], [ignore]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP + +AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema + +# Start sb db server using db connection/ssl entries (unpopulated initially) +start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ + --remote=db:OVN_Southbound,SB_Global,connections \ + --private-key=db:OVN_Southbound,SSL,private_key \ + --certificate=db:OVN_Southbound,SSL,certificate \ + --ca-cert=db:OVN_Southbound,SSL,ca_cert \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-sb.db + +# Populate SSL configuration entries in sb db +AT_CHECK( + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + +# Populate a passive SSL connection in sb db +AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore]) + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# Verify SSL connetivity to sb db server +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list SB_Global], + [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], + [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + get-connection], + [0], [stdout], [ignore]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c index 2e9348c47..92be27b2c 100644 --- a/utilities/ovn-dbctl.c +++ b/utilities/ovn-dbctl.c @@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options *dbctl_options, ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; + case OPT_BOOTSTRAP_CA_CERT: stream_ssl_set_ca_cert_file(po->arg, true); break;