Because do-tests runs the restore-defaults script, fstab would get reset
to the default version and the mount point wouldn't be available anymore
after stopping and restarting the guests (unless the guest images were
rebuilt in between).
The wrapper called the command twice for any unit but "strongswan" and
it didn't return the correct exit code. This was noticed when an
if-updown script tried to check if systemd-resolved is active and always
succeeded, which caused failing attempts to configure it.
But now that the return code is correct, trying to enable bind9 won't
fail silently anymore if the unit doesn't exist (similar on older systems
for named), so this is adapted.
With Debian bookworm, the PQC KE sntrup761x25519-sha512 is negotiated, by
default. This increases the overhead significantly, in particular, the
size of the KE message, which wouldn't get through IPsec tunnels without
MSS clamping.
Mainly to test TKM's ability for handling multiple CAs and that the
received intermediate CA certificates are passed in the right order.
But also added a regular scenario where two intermediate CA certificates
are sent by one of the clients.
While the alias is available after enabling the unit, we don't
actually do that in our testing environment (adding a symlink manually
would work too, then again, why not just use the proper name?).
This installs tmux and its two dependencies libevent-2.0-5 and libutempter0.
For the tnc/tnccs-20-ev-pt-tls test scenario older, apparently replaced
versions of these packages are entered to the collector.db database, so that
dummy SWID tags for these packages can be requested via SWIMA.
Also includes some changes for jessie's version of FreeRADIUS 2 (was
previously a custom version).
Besides the move to a subdir the config files were adapted for 3.0.
The rlm_sim_files module was removed with FreeRADIUS 3 and Debian's
package of FreeRADIUS 2 does not ship it, so we now replicate it using
the files module (via users file, which is actually a symlink to
mods-config/files/authorize in the default installation of FreeRADIUS 3).
Another approach was tried using rlm_passwd, however, that module does
not read binary/hex data, only printable strings, which would require
changing the triplets.
For 2.x a hack in the site config is necessary to make the attributes
available to the EAP-SIM module.
Debian stretch's init script for isc-dhcp-server uses the INTERFACESv4|6
variables to decide whether to start the v4 and/or v6 DHCP server.
If they are not empty, the daemon is started for the respective version,
however, if both are empty (the default), to listen on all interfaces, the
daemon is started for both versions. The latter would require a subnet
config for IPv6 as the daemon otherwise exits, letting the init script fail,
while keeping the successfully started v4 version running, which, in turn,
can't be stopped anymore with the init script because it thinks the daemon
is not running.
So it's not possible with this init script to start DHCPv4 on all interfaces
without having to configure and run DHCPv6 also.
While we could continue to use FreeRADIUS 2.x that branch is officially EOL.
So instead of investing time and effort in updating/migrating the patches to
FreeRADIUS 3.x (the module changed quite significantly as it relies solely on
the naeap library in that release), for a protocol that is superseded anyway,
we just remove these scenarios and the dependencies. Actually, the
complete rlm_eap_tnc module will be removed with FreeRADIUS 4.0.
RC4, which was previously used for performance reasons, is not supported
anymore with newer versions of SSH (stretch still supports it, but it
requires explicit configuration on the guests when they act as clients
too - the version in Ubuntu 18.04 apparently doesn't support it anymore
at all).
AES-GCM should actually be faster (at least for larger amounts of data and
in particular with hardware acceleration).
ClientAuthentication is known in OpenSSL 1.1 and the redefinition, therefore,
causes an error. These two OIDs are not used anyway in these config
files.
We could make the same change for charon (actually setting it for charon
in strongswan.conf.testing would work for charon-systemd too), however,
there are dozens of test cases that currently set charondebug in
ipsec.conf.
When charon is started via service command LEAK_DETECTIVE_LOG is not set
because the command strips the environment. Since we only want the
variable to be set during the automated test runs we can't just set it
in /etc/default/charon. Instead, we do so in this wrapper when charon is
started and remove the variable again when it is stopped.
