Merge branch 'testing-bookworm'

Use Debian bookworm as base image for testing.

src/libimcv/imv/data.sql

@@ -616,6 +616,12 @@ INSERT INTO products (      /* 103 */
  'Debian 11 x86_64'
 );
 
+INSERT INTO products (      /* 104 */
+  name
+) VALUES (
+ 'Debian 12 x86_64'
+);
+
 /* Directories */
 
 INSERT INTO directories (		/*  1 */
@@ -740,6 +746,18 @@ INSERT INTO files (				/*  6 */
   'tnc_config', 2
 );
 
+INSERT INTO files (             /*  7 */
+  name, dir
+) VALUES (
+ 'libcrypto.so.3', 11
+);
+
+INSERT INTO files (             /*  8 */
+  name, dir
+) VALUES (
+ 'libssl.so.3', 11
+);
+
 /* Algorithms */
 
 INSERT INTO algorithms (
@@ -995,7 +1013,7 @@ INSERT INTO groups (			/*  4 */
 INSERT INTO groups (			/*  5 */
   name, parent
 ) VALUES (
-  'Debian x86_64', 2
+  'Debian x86_64 OpenSSL 1.1', 2
 );
 
 INSERT INTO groups (			/*  6 */
@@ -1064,6 +1082,12 @@ INSERT INTO groups (      /* 16 */
   'TPM TBOOT'
 );
 
+INSERT INTO groups (      /* 17 */
+  name, parent
+) VALUES (
+  'Debian x86_64', 2
+);
+
 /* Default Product Groups */
 
 INSERT INTO groups_product_defaults (
@@ -1678,6 +1702,12 @@ INSERT INTO groups_product_defaults (
   15, 79
 );
 
+INSERT INTO groups_product_defaults (
+  group_id, product_id
+) VALUES (
+  17, 104
+);
+
 /* Policies */
 
 INSERT INTO policies (			/*  1 */
@@ -1812,6 +1842,18 @@ INSERT INTO policies (          /* 22 */
   16, 'TPM TBOOT Measurements', 'T', 2, 2
 );
 
+INSERT INTO policies (          /* 23 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libcrypto.so.3', 7, 2, 2
+);
+
+INSERT INTO policies (          /* 24 */
+  type, name, file, rec_fail, rec_noresult
+) VALUES (
+  6, 'Measure /usr/lib/x86_64-linux-gnu/libssl.so.3', 8, 2, 2
+);
+
 /* Enforcements */
 
 INSERT INTO enforcements (		/*  1 */
@@ -1922,6 +1964,18 @@ INSERT INTO enforcements (      /* 18 */
   22, 16, 60
 );
 
+INSERT INTO enforcements (      /* 19 */
+  policy, group_id, max_age
+) VALUES (
+  23, 17, 86400
+);
+
+INSERT INTO enforcements (      /* 20 */
+  policy, group_id, max_age
+) VALUES (
+  24, 17, 86400
+);
+
 /* swid_entities */
 
 INSERT INTO "swid_entities" (		/*  1 */

src/libstrongswan/utils/leak_detective.c

@@ -666,6 +666,8 @@ static char *whitelist[] = {
 	"botan_privkey_load",
 	"botan_privkey_load_rsa_pkcs1",
 	"botan_kdf",
+	/* C++ due to Botan */
+	"__cxa_get_globals",
 };
 
 /**

testing/config/kvm/alice.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>alice</name>
   <uuid>1f35c25d-6a7b-4ee1-2461-d7e530e7b2a9</uuid>
-  <memory unit='KiB'>184320</memory>
-  <currentMemory unit='KiB'>184320</currentMemory>
+  <memory unit='MiB'>200</memory>
+  <currentMemory unit='MiB'>200</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/bob.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>bob</name>
   <uuid>72728516-377f-f5be-ea1d-b1f1e851538f</uuid>
-  <memory unit='KiB'>131072</memory>
-  <currentMemory unit='KiB'>131072</currentMemory>
+  <memory unit='MiB'>128</memory>
+  <currentMemory unit='MiB'>128</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/carol.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>carol</name>
   <uuid>6bc2eef5-7faf-cde0-5f27-6fc29f93bc3d</uuid>
-  <memory unit='KiB'>131072</memory>
-  <currentMemory unit='KiB'>131072</currentMemory>
+  <memory unit='MiB'>128</memory>
+  <currentMemory unit='MiB'>128</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/dave.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>dave</name>
   <uuid>05f1debe-4e38-4f3d-10a0-c07fbb70d816</uuid>
-  <memory unit='KiB'>131072</memory>
-  <currentMemory unit='KiB'>131072</currentMemory>
+  <memory unit='MiB'>128</memory>
+  <currentMemory unit='MiB'>128</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/moon.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>moon</name>
   <uuid>b5e00ad3-1c81-3b2a-7f66-cdf8727b3c65</uuid>
-  <memory unit='KiB'>131072</memory>
-  <currentMemory unit='KiB'>131072</currentMemory>
+  <memory unit='MiB'>128</memory>
+  <currentMemory unit='MiB'>128</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/sun.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>sun</name>
   <uuid>35341843-346c-a63a-786b-9df0fd5e6264</uuid>
-  <memory unit='KiB'>147456</memory>
-  <currentMemory unit='KiB'>147456</currentMemory>
+  <memory unit='MiB'>144</memory>
+  <currentMemory unit='MiB'>144</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/venus.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>venus</name>
   <uuid>f0838df9-7cc0-84f5-6c14-2d16ab002e8d</uuid>
-  <memory unit='KiB'>131072</memory>
-  <currentMemory unit='KiB'>131072</currentMemory>
+  <memory unit='MiB'>128</memory>
+  <currentMemory unit='MiB'>128</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/config/kvm/winnetou.xml

@@ -1,8 +1,8 @@
 <domain type='kvm'>
   <name>winnetou</name>
   <uuid>b1d3d2f7-e20b-ab95-277e-66d4cac33cc3</uuid>
-  <memory unit='KiB'>184320</memory>
-  <currentMemory unit='KiB'>184320</currentMemory>
+  <memory unit='MiB'>160</memory>
+  <currentMemory unit='MiB'>160</currentMemory>
   <vcpu placement='static'>1</vcpu>
   <os>
     <type arch='x86_64' machine='pc'>hvm</type>

testing/do-tests

@@ -957,6 +957,8 @@ done
 # finish the results html file
 #
 
+printf -v timetotal_fmt '%02d:%02d:%02d' $((timetotal/3600)) $((timetotal%3600/60)) $((timetotal%60))
+
 cat >> $TESTRESULTSHTML << @EOF
     <tr>
       <td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td>
@@ -968,7 +970,7 @@ cat >> $TESTRESULTSHTML << @EOF
       <td><b>Failed</b></td><td><b><font color="red">$failed_cnt</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
     </tr>
     <tr>
-      <td><b>Time [s]</b></td><td><b><font color="blue">$timetotal</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
+      <td><b>Time</b></td><td><b><font color="blue">$timetotal_fmt (${timetotal}s)</font></b></td><td>&nbsp;</td><td>&nbsp;</td>
     </tr>
   </table>
 </body>
@@ -1014,4 +1016,4 @@ echo "or via the link http://$ipv4_winnetou/testresults/$TESTDATE"
 
 ENDDATE=`date +%Y%m%d-%H%M-%S`
 echo
-echo "Finished : $ENDDATE"
+echo "Finished : $ENDDATE ($timetotal_fmt)"

testing/hosts/default/etc/ssh/sshd_config

@@ -1,6 +1,7 @@
 Port 22
 Protocol 2
 Ciphers aes128-gcm@openssh.com
+KexAlgorithms curve25519-sha256
 HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ecdsa_key
 PermitRootLogin yes

testing/hosts/default/usr/local/bin/init_tnc

@@ -4,9 +4,11 @@ cd /var/www/tnc
 
 if [ -f django.db ]
 then
-	exit 0 
+	exit 0
 fi
 
+. /usr/local/venvs/tnc/bin/activate
+
 ./manage.py migrate --database meta
 ./manage.py setpassword strongSwan strongSwan
 ./manage.py collectstatic --noinput

testing/hosts/default/usr/local/bin/systemctl

@@ -8,7 +8,7 @@ ORIG=/bin/systemctl
 CONF=/lib/systemd/system/strongswan.service
 
 if [[ "$2" != "strongswan" ]]; then
-	$ORIG "$@"
+	exec $ORIG "$@"
 fi
 
 if [[ "$1" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
@@ -16,7 +16,10 @@ if [[ "$1" == "start" && -n $LEAK_DETECTIVE_LOG ]]; then
 fi
 
 $ORIG "$@"
+STATUS=$?
 
 if [[ "$1" == "stop" ]]; then
 	sed -i '/LEAK_DETECTIVE_LOG/d' $CONF 2>/dev/null
 fi
+
+exit $STATUS

testing/hosts/winnetou/etc/fstab

@@ -0,0 +1,3 @@
+/dev/vda1	/			ext3	defaults,relatime,barrier=1	0	1
+/hostshare /root/shared 9p trans=virtio,version=9p2000.L 0 0
+/testresults /var/www/testresults 9p trans=virtio,version=9p2000.L 0 0

testing/hosts/winnetou/etc/ldap/slapd.conf

@@ -3,7 +3,7 @@
 # This file should NOT be world readable.
 #
 
-moduleload	back_bdb.la
+moduleload	back_mdb.la
 
 include		/etc/ldap/schema/core.schema
 
@@ -11,10 +11,10 @@ pidfile		/var/run/openldap/slapd.pid
 argsfile	/var/run/openldap/slapd.args
 
 #######################################################################
-# BDB database definitions
+# Database definitions
 #######################################################################
 
-database	bdb
+database	mdb
 suffix		"o=strongSwan Project,c=CH"
 rootdn		"cn=Manager,o=strongSwan Project,c=CH"
 checkpoint	32	30

testing/scripts/build-baseimage

@@ -19,22 +19,18 @@ INC=$INC,openssl,vim,sqlite3,conntrack,gdb,cmake,libltdl-dev,wget,gnupg,man-db
 INC=$INC,libboost-thread-dev,libboost-system-dev,git,iperf,htop,valgrind,strace
 INC=$INC,gnat,gprbuild,acpid,acpi-support-base,libldns-dev,libunbound-dev
 INC=$INC,dnsutils,libsoup2.4-dev,ca-certificates,unzip,libsystemd-dev
-INC=$INC,python3,python3-setuptools,python3-dev,python3-pip,apt-transport-https
-INC=$INC,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi-py3
-INC=$INC,libxerces-c-dev
+INC=$INC,python3,python3-setuptools,python3-dev,python3-daemon,python3-venv,
+INC=$INC,apt-transport-https,libjson-c-dev,libxslt1-dev,libapache2-mod-wsgi-py3
+INC=$INC,libxerces-c-dev,rsyslog
 case "$BASEIMGSUITE" in
-bullseye)
-	INC=$INC,libiptc-dev
+buster)
+	INC=$INC,iptables-dev
 	;;
 *)
-	INC=$INC,iptables-dev
+	INC=$INC,libiptc-dev
 	;;
 esac
 case "$BASEIMGSUITE" in
-stretch)
-	INC=$INC,libahven5-dev,libxmlada-schema6-dev,libgmpada6-dev
-	INC=$INC,libalog2-dev
-	;;
 buster)
 	INC=$INC,libahven7-dev,libxmlada-schema8-dev,libgmpada8-dev
 	INC=$INC,libalog4-dev,dbus-user-session
@@ -46,6 +42,13 @@ bullseye)
 	# package (libboost-regex1.74.0-icu67), which debootstrap can't resolve (#878961)
 	INC=$INC,libboost-regex1.74.0
 	;;
+bookworm)
+	INC=$INC,libahven11-dev,libxmlada-schema12-dev,libgmpada12-dev
+	INC=$INC,libalog8-dev,dbus-user-session
+	# workaround for dependency issue gdb -> libsource-highlight4v5 -> virtual
+	# package (libboost-regex1.74.0-icu67), which debootstrap can't resolve (#878961)
+	INC=$INC,libboost-regex1.74.0
+	;;
 *)
 	echo_warn "Package list for '$BASEIMGSUITE' might has to be updated"
 	;;
@@ -56,7 +59,13 @@ INC=$INC,${SERVICES// /,}
 APT1="libgcrypt20-dev traceroute iptables"
 APT="tmux"
 # additional services to disable
-SERVICES="$SERVICES systemd-timesyncd.service"
+case "$BASEIMGSUITE" in
+bookworm)
+	;;
+*)
+	SERVICES="$SERVICES systemd-timesyncd"
+	;;
+esac
 
 CACHEDIR=$BUILDDIR/cache
 APTCACHE=$LOOPDIR/var/cache/apt/archives
@@ -153,14 +162,10 @@ do
 	execute_chroot "systemctl disable $service"
 done
 
-case "$BASEIMGSUITE" in
-buster|bullseye)
-	log_action "Switching from iptables-nft to iptables-legacy"
-	execute_chroot "update-alternatives --set iptables /usr/sbin/iptables-legacy" 0
-	execute_chroot "update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy" 0
-	log_status 0
-	;;
-esac
+log_action "Switching from iptables-nft to iptables-legacy"
+execute_chroot "update-alternatives --set iptables /usr/sbin/iptables-legacy" 0
+execute_chroot "update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy" 0
+log_status 0
 
 log_action "Disabling root password"
 execute_chroot "passwd -d root"

testing/scripts/build-certs-chroot

@@ -10,6 +10,12 @@ export LEAK_DETECTIVE_DISABLE=1
 # Determine testing directory
 DIR="$(dirname `readlink -f $0`)/.."
 
+# With OpenSSL 3, we need to generate RSA private keys in the traditional format
+# and not PKCS#8 so e.g. TKM can read them
+if [ 3 -ge $(openssl version | sed -re 's/^OpenSSL ([0-9]+)\..*/\1/') ]; then
+  TRAD="-traditional"
+fi
+
 # Define some global variables
 PROJECT="strongSwan Project"
 CA_DIR="${DIR}/hosts/winnetou/etc/ca"
@@ -166,7 +172,7 @@ do
 
   # Convert host key into DER format
   openssl rsa -in ${HOST_KEY} -outform der -out ${CA_DIR}/keys/${h}Key.der \
-          2> /dev/null
+          ${TRAD} 2> /dev/null
 done
 
 # Put DER-encoded moon private key and Root CA certificate into tkm scenarios
@@ -413,7 +419,7 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_BASE_CDP} --type rs
 HOST_KEY="${DIR}/hosts/carol/${IPSEC_DIR}/private/carolKey.pem"
 KEY_PWD="nH5ZQEWtku0RJEZ6"
 openssl rsa -in ${HOST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${HOST_KEY} \
-        2> /dev/null
+        ${TRAD} 2> /dev/null
 
 # Put a copy into the ikev2, botan and wolfssl rw-cert scenarios
 for d in ikev2 botan wolfssl
@@ -615,7 +621,7 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-224, CN=${CN}" \
     --digest sha224 --outform pem > ${TEST_CERT}
 openssl rsa -in ${TEST_KEY} -aes128 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
-        2> /dev/null
+        ${TRAD} 2> /dev/null
 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
 
 # Generate an AES-192 encrypted carol key and a SHA-384 hashed certificate
@@ -632,7 +638,7 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-384, CN=${CN}" \
     --digest sha384 --outform pem > ${TEST_CERT}
 openssl rsa -in ${TEST_KEY} -aes192 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
-        2> /dev/null
+        ${TRAD} 2> /dev/null
 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
 
 # Generate an AES-256 encrypted dave key and a SHA-512 hashed certificate
@@ -649,7 +655,7 @@ pki --issue --cakey ${CA_KEY} --cacert ${CA_CERT} --crl ${CA_CDP} --type rsa \
     --serial ${SERIAL} --dn "C=CH, O=${PROJECT}, OU=SHA-512, CN=${CN}" \
     --digest sha512 --outform pem > ${TEST_CERT}
 openssl rsa -in ${TEST_KEY} -aes256 --passout pass:${KEY_PWD} -out ${TEST_KEY} \
-        2> /dev/null
+        ${TRAD} 2> /dev/null
 cp ${TEST_CERT} ${CA_DIR}/certs/${SERIAL}.pem
 
 # Generate another carol certificate with an OCSP URI
@@ -948,8 +954,8 @@ pki --issue --cakey ${RESEARCH_KEY} --cacert ${RESEARCH_CERT} --type rsa \
 cp ${TEST_CERT} ${RESEARCH_DIR}/certs/${SERIAL}.pem
 
 # Save a copy of the private key in DER format
-openssl rsa -in ${TEST_KEY} -outform der \
-            -out ${RESEARCH_DIR}/keys/${SERIAL}.der 2> /dev/null
+openssl rsa -in ${TEST_KEY} -outform der -out ${RESEARCH_DIR}/keys/${SERIAL}.der \
+        ${TRAD} 2> /dev/null
 
 # Put a copy in the following scenarios
 for t in ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \
@@ -1056,8 +1062,8 @@ pki --issue --cakey ${SALES_KEY} --cacert ${SALES_CERT} --type rsa \
 cp ${TEST_CERT} ${SALES_DIR}/certs/${SERIAL}.pem
 
 # Save a copy of the private key in DER format
-openssl rsa -in ${TEST_KEY} -outform der \
-            -out ${SALES_DIR}/keys/${SERIAL}.der 2> /dev/null
+openssl rsa -in ${TEST_KEY} -outform der -out ${SALES_DIR}/keys/${SERIAL}.der \
+        ${TRAD} 2> /dev/null
 
 # Put a copy in the following scenarios
 for t in ikev2-multi-ca/certreq-init ikev2-multi-ca/certreq-resp \

testing/scripts/build-guestimages

@@ -45,8 +45,8 @@ do
 	execute "qemu-nbd -c $NBDEV $IMGDIR/$host.$IMGEXT" 0
 	partprobe $NBDEV
 	execute "mount $NBDPARTITION $LOOPDIR" 0
-	execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
 	execute "cp -rf $HOSTSDIR/default/* $LOOPDIR" 0
+	execute "cp -rf $HOSTSDIR/${host}/etc $LOOPDIR" 0
 	execute_chroot "ldconfig" 0
 	execute "mkdir $LOOPDIR/etc/pts" 0
 
@@ -62,8 +62,6 @@ do
 		execute "cp -rf $DIR/../images $LOOPDIR/var/www/" 0
 		execute "cp -rf $DIR/../css $LOOPDIR/var/www/" 0
 		execute "mkdir $LOOPDIR/var/www/testresults" 0
-		echo "echo /testresults ... >> $LOOPDIR/etc/fstab" >>$LOGFILE 2>&1
-		echo "/testresults /var/www/testresults 9p trans=virtio,version=9p2000.L 0 0" >> $LOOPDIR/etc/fstab
 		execute_chroot "a2enmod -q cgid" 0
 		execute_chroot "a2enmod -q rewrite" 0
 		execute_chroot "mkdir /var/www/certs" 0
@@ -76,10 +74,19 @@ do
 		execute_chroot "dnssec-signzone -K /etc/bind -o org. /etc/bind/db.org" 0
 		execute_chroot "dnssec-signzone -K /etc/bind -o . /etc/bind/db.root" 0
 
-		# on bullseye, enabling via bind9 doesn't work, while disabling does, so
-		# use named there. on the other hand, older releases don't have named
-		# service files (systemctl returns 0 even if files are not found)
-		for service in apache2 slapd bind9 named
+		# on bullseye and newer, enabling via bind9 doesn't work, while
+		# disabling does, so use named here. on the other hand, older releases
+		# like buster don't have named service files
+		SERVICES="apache2 slapd"
+		case "$BASEIMGSUITE" in
+		buster)
+			SERVICES="$SERVICES bind9"
+			;;
+		*)
+			SERVICES="$SERVICES named"
+			;;
+		esac
+		for service in $SERVICES
 		do
 			execute_chroot "systemctl enable $service" 0
 		done

testing/scripts/build-strongswan

@@ -165,6 +165,10 @@ if [ "$ALL_RECIPES" ]; then
 		execute "cp -r $RECPDIR/patches $LOOPDIR/root/shared/compile" 0
 	fi
 	RECIPES=`ls $RECPDIR/*.mk | xargs -n1 basename`
+	log_action "Whitelist all Git repositories"
+	echo "[safe]"             > $LOOPDIR/root/.gitconfig
+	echo "    directory = *" >> $LOOPDIR/root/.gitconfig
+	log_status 0
 else
 	echo "Building and installing strongSwan"
 	RECIPES=`ls $RECPDIR/*strongswan.mk | xargs -n1 basename`

testing/scripts/recipes/004_spark-crypto.mk

@@ -2,7 +2,7 @@
 
 PKG = spark-crypto
 SRC = https://git.codelabs.ch/spark-crypto.git
-REV = c97939b6cdd5e5f19847cf8d1abb7575e1c01df7
+REV = 153590e2fc784d3173b73642fafa4efb597bb2f3
 
 DESTDIR = /usr/local/ada/lib/gnat
 

testing/scripts/recipes/007_x509-ada.mk

@@ -2,7 +2,7 @@
 
 PKG = x509-ada
 SRC = https://git.codelabs.ch/git/$(PKG).git
-REV = v0.1.2
+REV = v0.1.3
 
 PREFIX = /usr/local/ada
 

testing/scripts/recipes/013_strongswan.mk

@@ -130,5 +130,3 @@ build: configure
 install: build
 	cd $(BUILDDIR) && make -j install && \
 		cd $(DIR)/src/libcharon/plugins/vici/python && python3 setup.py install
-	# for Python-based updown scripts
-	pip3 install python-daemon

testing/scripts/recipes/015_strongTNC.mk

@@ -1,11 +1,12 @@
 #!/usr/bin/make
 
 PKG = strongTNC
-REV = 1.0
+REV = 1.0.2
 DIR = $(PKG)-$(REV)
 ZIP = $(PKG)-$(REV).zip
 SRC = https://github.com/strongswan/$(PKG)/archive/$(REV).zip
 DEPS = $(PKG)-deps
+VENV = /usr/local/venvs/tnc
 
 all: install
 
@@ -22,5 +23,6 @@ $(ZIP):
 	@touch $@
 
 install: .$(PKG)-deps-$(REV)
-	pip3 install --no-index --find-links=file://`pwd`/$(DEPS) -r $(DIR)/requirements.txt
+	python3 -m venv $(VENV)
+	$(VENV)/bin/pip install --no-index --find-links=file://`pwd`/$(DEPS) -r $(DIR)/requirements.txt
 	cp -r $(DIR) /var/www/tnc && chgrp -R www-data /var/www/tnc && chmod g+sw /var/www/tnc

testing/scripts/restore-defaults

@@ -35,7 +35,7 @@ then
 	for host in `ls $TESTSDIR/${testname}/hosts`
 	do
 		eval HOSTLOGIN="root@`echo $HOSTNAMEIPV4 | sed -n -e "s/^.*${host},//gp" | awk -F, '{ print $1 }' | awk '{ print $1 }'`"
-		scp $SSHCONF -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
 		scp $SSHCONF -r $HOSTCONFIGDIR/default/etc $HOSTLOGIN:/ > /dev/null 2>&1
+		scp $SSHCONF -r $HOSTCONFIGDIR/${host}/etc $HOSTLOGIN:/ > /dev/null 2>&1
 	done
 fi

testing/testing.conf

@@ -49,7 +49,7 @@ fi
 # Base image settings
 # The base image is a pristine OS installation created using debootstrap.
 : ${BASEIMGSIZE=2500}
-: ${BASEIMGSUITE=bullseye}
+: ${BASEIMGSUITE=bookworm}
 : ${BASEIMGARCH=amd64}
 : ${BASEIMG=$IMGDIR/debian-$BASEIMGSUITE-$BASEIMGARCH.$IMGEXT}
 : ${BASEIMGMIRROR=http://http.debian.net/debian}

testing/tests/route-based/net2net-xfrmi-ike/hosts/sun/etc/updown.py

@@ -2,11 +2,18 @@
 
 import sys
 import vici
-import daemon
 import logging
 from logging.handlers import SysLogHandler
 import subprocess
+
+# the hard limit (second number) is the value used by python-daemon when closing
+# potentially open file descriptors while daemonizing or even triggered by the
+# import.  since the default limit is 524288 on newer systems, this can take
+# quite a while, and due to how this range of FDs is handled internally (as set)
+# it can even trigger the OOM killer
 import resource
+resource.setrlimit(resource.RLIMIT_NOFILE, (256, 256))  # noqa
+import daemon
 
 
 logger = logging.getLogger('updownLogger')
@@ -59,13 +66,6 @@ def install_routes(ike_sa):
         subprocess.call(["ip", "route", "add", ts, "dev", ifname_out])
 
 
-# the hard limit (second number) is the value used by python-daemon when closing
-# potentially open file descriptors while daemonizing.  since the default is
-# 524288 on newer systems, this can take quite a while, and due to how this
-# range of FDs is handled internally (as set) it can even trigger the OOM killer
-resource.setrlimit(resource.RLIMIT_NOFILE, (256, 256))
-
-
 # daemonize and run parallel to the IKE daemon
 with daemon.DaemonContext():
     setup_logger()
@@ -75,7 +75,7 @@ with daemon.DaemonContext():
         ver = {k: v.decode("UTF-8") for k, v in session.version().items()}
         logger.info("connected to {daemon} {version} ({sysname}, {release}, "
                     "{machine})".format(**ver))
-    except:
+    except BaseException:
         logger.error("failed to get status via vici")
         sys.exit(1)
 
@@ -95,6 +95,6 @@ with daemon.DaemonContext():
 
     except IOError:
         logger.error("daemon disconnected")
-    except:
+    except BaseException as e:
         logger.error("exception while listening for events " +
-                     repr(sys.exc_info()[1]))
+                     repr(e))

testing/tests/tnc/tnccs-20-ev-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf

@@ -1,3 +1,4 @@
+WSGIPythonHome /usr/local/venvs/tnc
 WSGIPythonPath /var/www/tnc
 
 <VirtualHost *:80>

testing/tests/tnc/tnccs-20-pdp-eap/hosts/alice/etc/apache2/sites-available/000-default.conf

@@ -1,3 +1,4 @@
+WSGIPythonHome /usr/local/venvs/tnc
 WSGIPythonPath /var/www/tnc
 
 <VirtualHost *:80>

testing/tests/tnc/tnccs-20-pdp-pt-tls/hosts/alice/etc/apache2/sites-available/000-default.conf

@@ -1,3 +1,4 @@
+WSGIPythonHome /usr/local/venvs/tnc
 WSGIPythonPath /var/www/tnc
 
 <VirtualHost *:80>

testing/tkm/Dockerfile

@@ -23,12 +23,12 @@
 #
 #   make -j check TESTS_RUNNERS=tkm TESTS_TKM=1
 
-FROM debian:bullseye
+FROM debian:bookworm
 
 ARG packages="autoconf automake bison build-essential ca-certificates ccache \
 flex gettext git gperf libssl-dev libtool pkg-config \
-gnat gprbuild libahven9-dev libxmlada-schema10-dev libgmpada10-dev \
-libalog6-dev"
+gnat gprbuild libahven11-dev libxmlada-schema12-dev libgmpada12-dev \
+libalog8-dev"
 
 RUN apt-get update && \
   DEBIAN_FRONTEND=noninteractive apt-get install -qq -y \

testing/tkm/generate-config.sh

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 openssl genrsa -out key.pem 2048
-openssl rsa -in key.pem -outform der -out key.der
+openssl rsa -in key.pem -outform der -out key.der -traditional
 
 openssl req -x509 -nodes -newkey rsa:4096 -keyout cakey.pem -outform der \
 	-out ca.der -sha256 -subj "/CN=CA" -addext basicConstraints=critical,CA:TRUE