testing: Change memory allocation for alice and winnetou and switch to MiB
The services running on alice seem to require a bit more memory with
Debian bookworm, so increase the memory allocation. But at the same
time reduce winnetou's allocation by the same amount as it really doesn't
require that much memory.
testing: Hardcode /testresults mount point in winnetou's fstab
Because do-tests runs the restore-defaults script, fstab would get reset
to the default version and the mount point wouldn't be available anymore
after stopping and restarting the guests (unless the guest images were
rebuilt in between).
Tobias Brunner [Wed, 28 Jun 2023 13:54:54 +0000 (15:54 +0200)]
testing: Add support for Debian bookworm base images
By default, rsyslog is not installed anymore to avoid storing everything
twice (since journald is the default). If this becomes an issue, we
could delete /var/log/journal to only log via rsyslog.
Tobias Brunner [Wed, 28 Jun 2023 13:49:32 +0000 (15:49 +0200)]
testing: Install python-daemon via Debian package
System-wide installation via pip isn't easily possible anymore on Debian
bookworm, so just use the Debian package for this (is available in old
releases as well).
Tobias Brunner [Tue, 27 Jun 2023 17:03:32 +0000 (19:03 +0200)]
libimcv: Add Debian 12 (bookworm) to database
Because libcrypto and libssl are measured, we need a new group for Debian
versions with OpenSSL 3 (I've rather added a suffix to the old group as
that could eventually get removed, although we might need a 3.1 variant
in the future - maybe we should measure some other files?).
Tobias Brunner [Tue, 27 Jun 2023 16:45:53 +0000 (18:45 +0200)]
testing: Fix vici updown script on Debian bookworm
OOM-killer is now already triggered with `import daemon`, so set the
limit before that. Also some PEP8 fixes (including an exclusion for
the above fix as that causes imports to not be at the beginning of the
file).
Tobias Brunner [Tue, 27 Jun 2023 16:41:42 +0000 (18:41 +0200)]
testing: Whitelist all Git repositories in the root image
Without this, Git refuses to operate on the build dirs that are mounted
with weird ownership. When running as root in the chroot, Git checks
SUDO_UID, which won't match.
Tobias Brunner [Tue, 27 Jun 2023 16:40:24 +0000 (18:40 +0200)]
testing: Create traditional RSA keys with OpenSSL 3
This is necessary because TKM can't read PKCS#8 files and in some
scenarios we don't have the pkcs8 plugin loaded that would be required
to read/decrypt the non-traditional files.
Tobias Brunner [Tue, 27 Jun 2023 16:01:29 +0000 (18:01 +0200)]
testing: Fix systemctl wrapper and adapt enabling services on winnetou
The wrapper called the command twice for any unit but "strongswan" and
it didn't return the correct exit code. This was noticed when an
if-updown script tried to check if systemd-resolved is active and always
succeeded, which caused failing attempts to configure it.
But now that the return code is correct, trying to enable bind9 won't
fail silently anymore if the unit doesn't exist (similar on older systems
for named), so this is adapted.
Tobias Brunner [Mon, 26 Jun 2023 12:20:14 +0000 (14:20 +0200)]
testing: Configure curve25519-sha256 as key exchange for SSH
With Debian bookworm, the PQC KE sntrup761x25519-sha512 is negotiated, by
default. This increases the overhead significantly, in particular, the
size of the KE message, which wouldn't get through IPsec tunnels without
MSS clamping.
Tobias Brunner [Thu, 15 Jun 2023 15:54:08 +0000 (17:54 +0200)]
resolve: Try to maintain the order of DNS servers if using resolvconf
Since 17fd304e60df ("resolve: Don't install individual servers via
resolvconf"), DNS servers were sorted if getting installed via resolvconf.
In some setups the order might be important (even though relying on it
isn't a good idea in general as stub resolvers are free to use all of
the servers as they please).
Tobias Brunner [Fri, 12 May 2023 16:36:30 +0000 (18:36 +0200)]
credential-manager: Improve selection of local certificate and trust chain
The previous code was problematic if a certificate request for a known
but unrelated CA was received and the local trust chain was incomplete.
Due to the received anchor, the incomplete trust chain was dismissed and
any intermediate CA certificates were, therefore, not sent to the peer.
This new approach doesn't dismiss an incomplete trust chain, but prefers
one that can be resolved to a received anchor. If no such chain is found,
the first one is used.
Tobias Brunner [Tue, 23 May 2023 11:19:57 +0000 (13:19 +0200)]
Merge branch 'libipsec-raw-esp'
This adds support for sending/receiving ESP packets without UDP
encapsulation to libipsec and kernel-libipsec. Only Linux is currently
supported and the feature is disabled by default.
Tobias Brunner [Thu, 4 May 2023 12:20:09 +0000 (14:20 +0200)]
ipsec-sa-mgr: Optionally keep track of acquires for outbound SAs
Currently just based on the reqid. An acquire for the same reqid is
triggered at most every 10 seconds (gets ignored in trap_manager_t if
the SA is still getting established).
Entries are only cleaned up if an SA is eventually installed (similar to
the allocated SPIs). Should that ever be a problem, we could probably
schedule a job that regularly flushes old entries.
Tobias Brunner [Thu, 11 May 2023 10:29:10 +0000 (12:29 +0200)]
pki: Make --dn optional for certificate renewals via --scep command
When using OpenXPKI, the subject DN in the renewal request has to match
the previous DN exactly. However, because OpenXPKI may add a bunch of
DC/O RDNs to subjects of issued certificates, running --scep with the
same --dn that was used for the original request won't work (results in
a "Client error / malformed request badRequest" error even after enabling
`renewal_via_pkcs_req`). This simplifies renewals as --dn can just be
omitted and extracted from the original certificate to avoid this issue.
Tobias Brunner [Tue, 16 May 2023 10:48:22 +0000 (12:48 +0200)]
Merge branch 'debug-level-build'
This fixes the build with DEBUG_LEVEL < 4, which was broken when building
from the repository since --enable-warnings was made the default.
Although, most issues only occurred with the level reduced to 0/-1. And
while removing debug statements at compile time completely is probably
not useful in production, there might be use cases in certain benchmarking
scenarios. Also, with the recent changes to the controller there should
only rarely be a listener registered at a higher log level so the overhead
for those higher-level DBG statements is minimal.
Anyway, reducing the log level at compile time is a documented feature and
at least DEBUG_LEVEL=3 could be useful to prevent leaking sensitive
information via logs from the outset. So we should make sure compilation
doesn't fail.
projects / thirdparty / strongswan.git / log
