From: Christopher Faulet Date: Thu, 28 Mar 2024 16:23:51 +0000 (+0100) Subject: REGTESTS: Fix script about OCSP update compatibility tests X-Git-Tag: v3.0-dev7~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e91da1dd8ea45e865a307e81b99aa949c71f59e0;p=thirdparty%2Fhaproxy.git REGTESTS: Fix script about OCSP update compatibility tests There were two occurrences of the seventh test. I don't know really why, but this triggered a VTC error: ---- h7 Assert error in _assert_VSB_state(), lib/vsb.c line 104: Condition((s->s_flags & 0x00020000) == state) not true. Errno=0 Success Renumbering tests fixes the script. --- diff --git a/reg-tests/ssl/ocsp_auto_update.vtc b/reg-tests/ssl/ocsp_auto_update.vtc index 43a7b980fc..ab0e57ea6e 100644 --- a/reg-tests/ssl/ocsp_auto_update.vtc +++ b/reg-tests/ssl/ocsp_auto_update.vtc @@ -642,13 +642,10 @@ haproxy h7 -cli { haproxy h7 -wait process p7 -wait -haproxy h6 -wait -process p6 -wait - ###################### # # -# SEVENTH TEST CASE # +# EIGTH TEST CASE # # # ###################### @@ -658,11 +655,11 @@ process p6 -wait # instance is removed (via del ssl crt-list). # -haproxy h7 -conf { +haproxy h8 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h7/stats" level admin + stats socket "${tmpdir}/h8/stats" level admin crt-base ${testdir}/ocsp_update defaults @@ -675,7 +672,7 @@ haproxy h7 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe - bind "${tmpdir}/ssl-h7.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst 
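Review bot: The banner added in the first hunk reads `# EIGTH TEST CASE #`, which carries the misspelling over from the old eighth-test header; `# EIGHTH TEST CASE #`, with the box width adjusted, would fix it while the line is being touched anyway. The same hunk also drops `haproxy h6 -wait` and `process p6 -wait`. Whether h6 and p6 are already waited on earlier in the file is not visible from this hunk. It is worth confirming that the sixth test's haproxy instance and helper process are still reaped before the later tests start, since a lingering helper could interfere with them.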
@@ -685,7 +682,7 @@ haproxy h7 -conf { } -start # Check that the two certificates are taken into account in the auto update process -haproxy h7 -cli { +haproxy h8 -cli { send "show ssl ocsp-updates" expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015 .*" @@ -696,7 +693,7 @@ haproxy h7 -cli { # Remove the second line from the crt-list and check that the corresponding # ocsp response was removed from the auto update list but is still present in the # system -haproxy h7 -cli { +haproxy h8 -cli { send "del ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list ${testdir}/ocsp_update/multicert/server_ocsp.pem.ecdsa" expect ~ "Entry.*deleted in crtlist" @@ -713,10 +710,10 @@ haproxy h7 -cli { # Add the previously removed crt-list line with auto-update enabled and check that # the ocsp response appears in the auto update list shell { - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h7/stats" - | grep "Inserting certificate.*in crt-list" + printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - | grep "Inserting certificate.*in crt-list" } -haproxy h7 -cli { +haproxy h8 -cli { send "show ssl ocsp-updates" expect ~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021016 .*" } 
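Review bot: The `printf` in the `shell` block of the `@@ -713,10 +710,10 @@` hunk puts `${testdir}` inside the format string, so a checkout path containing `%` or a backslash would be reinterpreted by printf and the command written to the stats socket would no longer be the one the test intends. The same pattern appears in the `foo.foo` consistency check of the following hunk and in the ninth test's `set ssl cert` lines, where the output of `$(cat …)` and `$(base64 -w 1000 …)` also lands in the format and the `${testdir}` path inside the substitution is unquoted. Passing the data as arguments keeps it literal, e.g. `printf 'add ssl crt-list %s <<\n%s\n\n' "${testdir}/ocsp_update/multicert_both_certs.crt-list" "multicert/server_ocsp.pem.ecdsa [ocsp-update on] foo.bar" | socat "${tmpdir}/h8/stats" -`. The pattern predates this renumbering, so it could equally be handled in a follow-up.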
@@ -724,14 +721,14 @@ haproxy h7 -cli { # Check that the auto update option consistency check work even when crt-list # lines are added through the cli shell { - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h7/stats" - | grep "Incompatibilities found in OCSP update mode for certificate" + printf "add ssl crt-list ${testdir}/ocsp_update/multicert_both_certs.crt-list <<\nmulticert/server_ocsp.pem.ecdsa foo.foo\n\n" | socat "${tmpdir}/h8/stats" - | grep "Incompatibilities found in OCSP update mode for certificate" } -haproxy h7 -wait +haproxy h8 -wait #################### # # -# EIGTH TEST CASE # +# NINTH TEST CASE # # # #################### @@ -740,23 +737,23 @@ haproxy h7 -wait # update enabled can be updated via "update ssl ocsp-response" command. # -process p8 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start +process p9 "openssl ocsp -index ${testdir}/ocsp_update/index.txt -rsigner ${testdir}/ocsp_update/ocsp.haproxy.com.pem -CA ${testdir}/ocsp_update/ocsp_update_rootca.crt -nrequest 1 -ndays 1 -port 12346 -timeout 5" -start -barrier b8 cond 2 -cyclic +barrier b9 cond 2 -cyclic -syslog Syslog_h8 -level info { +syslog Syslog_h9 -level info { recv expect ~ "GET /MEMwQTA%2FMD0wOzAJBgUrDgMCGgUABBSKg%2BAGD6%2F3Ccp%2Bm5VSKi6BY1%2FaCgQU9lKw5DXV6pI4UVCPCtvpLYXeAHoCAhAV HTTP/1.1" - barrier b8 sync + barrier b9 sync } -start -haproxy h8 -conf { +haproxy h9 -conf { global tune.ssl.default-dh-param 2048 tune.ssl.capture-buffer-size 1 - stats socket "${tmpdir}/h8/stats" level admin + stats socket "${tmpdir}/h9/stats" level admin crt-base ${testdir}/ocsp_update defaults 
@@ -769,58 +766,58 @@ haproxy h8 -conf { timeout server "${HAPROXY_TEST_TIMEOUT-5s}" frontend ssl-fe - bind "${tmpdir}/ssl-h8.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all + bind "${tmpdir}/ssl-h9.sock" ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list ca-file ${testdir}/set_cafile_rootCA.crt verify none crt-ignore-err all http-request return status 200 listen http_rebound_lst mode http option httplog - log ${Syslog_h8_addr}:${Syslog_h8_port} local0 + log ${Syslog_h9_addr}:${Syslog_h9_port} local0 bind "127.0.0.1:12345" server s1 "127.0.0.1:12346" } -start # We need to "enable" the cli with a first cli call before using it only through socats -haproxy h8 -cli { +haproxy h9 -cli { send "show ssl cert" expect ~ "" } # Create a new certificate and add it in the crt-list with ocsp auto-update enabled shell { - echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h8/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h8/stats" - - printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(base64 -w 1000 ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h8/stats" - - echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" - + echo "new ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/ocsp_update/rsa.pem <<\n$(cat ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa)\n\n" | socat "${tmpdir}/h9/stats" - + printf "set ssl cert ${testdir}/ocsp_update/rsa.pem.issuer <<\n$(cat ${testdir}/ocsp_update/ocsp_update_rootca.crt)\n\n" | socat "${tmpdir}/h9/stats" - + printf "set 
ssl cert ${testdir}/ocsp_update/rsa.pem.ocsp <<\n$(base64 -w 1000 ${testdir}/ocsp_update/multicert/server_ocsp.pem.rsa.ocsp)\n\n" | socat "${tmpdir}/h9/stats" - + echo "commit ssl cert ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - - printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h8/stats" - + printf "add ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list <<\nrsa.pem [ocsp-update off] foo.bar\n\n" | socat "${tmpdir}/h9/stats" - } # Check that the line is in the crt-list -haproxy h8 -cli { +haproxy h9 -cli { send "show ssl crt-list ${testdir}/ocsp_update/multicert_ecdsa_no_update.crt-list" expect ~ "${testdir}/ocsp_update/rsa.pem .* foo.bar" } # Check that the new certificate is NOT in the auto update list -haproxy h8 -cli { +haproxy h9 -cli { send "show ssl ocsp-updates" expect !~ "303b300906052b0e03021a050004148a83e0060faff709ca7e9b95522a2e81635fda0a0414f652b0e435d5ea923851508f0adbe92d85de007a02021015.*" } shell { - echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h8/stats" - + echo "update ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" | socat "${tmpdir}/h9/stats" - } shell "sleep 1" -barrier b8 sync +barrier b9 sync -haproxy h8 -cli { +haproxy h9 -cli { send "show ssl ocsp-response ${testdir}/ocsp_update/rsa.pem" expect ~ ".* Cert Status: revoked.*" } -haproxy h8 -wait -process p8 -wait +haproxy h9 -wait +process p9 -wait