Errors in load-testconfig are hidden due to not checking scp
return code and mute all errors. Add -e to trap script on
any errors in this script.
References strongswan/strongswan#2310
Signed-off-by: Maxim Uvarov <muvarov@gmail.com>
The all-zero Ed25519 public key is rejected by botan_pubkey_check_key()
when the key is loaded.
Note that Botan 3 requires GCC 11 or CLANG 14, i.e. can't easily be built
on Debian bullseye or Ubuntu 20.04.
The thread-local storage function gets flagged via various botan FFI
functions when using Botan 3, whitelist that instead of all of them.
Because do-tests runs the restore-defaults script, fstab would get reset
to the default version and the mount point wouldn't be available anymore
after stopping and restarting the guests (unless the guest images were
rebuilt in between).
By default, rsyslog is not installed anymore to avoid storing everything
twice (since journald is the default). If this becomes an issue, we
could delete /var/log/journal to only log via rsyslog.
System-wide installation via pip isn't easily possible anymore on Debian
bookworm, so just use the Debian package for this (is available in old
releases as well).
Without this, Git refuses to operate on the build dirs that are mounted
with weird ownership. When running as root in the chroot, Git checks
SUDO_UID, which won't match.
This is necessary because TKM can't read PKCS#8 files and in some
scenarios we don't have the pkcs8 plugin loaded that would be required
to read/decrypt the non-traditional files.
The wrapper called the command twice for any unit but "strongswan" and
it didn't return the correct exit code. This was noticed when an
if-updown script tried to check if systemd-resolved is active and always
succeeded, which caused failing attempts to configure it.
But now that the return code is correct, trying to enable bind9 won't
fail silently anymore if the unit doesn't exist (similar on older systems
for named), so this is adapted.
The `--enable-heapmath` configure option has been deprecated. As
already described in eae30af029b1 ("Use wolfSSL 5.4.0 for tests"), the
alternative is to configure `--with-max-rsa-bits=8192` instead in order
to test the modp6144 and modp8192 DH groups.
With version 60.0.0 setuptools changed to a local installation of
distutils. This seems to break the installation of swid-generator (causing
an `importlib.metadata.PackageNotFoundError: swid-generator` error).
Note that while Debian ships setuptools 52.0.0, `python-daemon` recently
added a dependency on `setuptools>=62.4.0`, which installs that version
that's then later used to install swid-generator.
The main difference seems to be that the local version installs the
package in `/usr/lib/python3.9/site-packages`, while the stdlib version
does so in `/usr/local/lib/python3.9/dist-packages` (similarly for the
`swid_generator` script and the `distro` dependency).
Not sure if there is a better/proper way to fix this. Might just be an
issue with Debian bullseye and mixing system packages with those installed
via pip3.
The 5.4.0 update changed the default bignum implementation to what
could explicitly be enabled via `--enable-sp-math-all`. Since this uses
fixed-sized buffers sufficient for key sizes of SP_INT_BITS, with a default
of 4096, modp6144 and modp8192 didn't work anymore (wc_DhGenerateKeyPair()
returned MP_EXPTMOD_E). So we have to adapt the feature checks for this.
To support the larger DH groups we can either increase the buffer size
via `--with-max-rsa-bits` or add `--enable-heapmath` so buffers get
(re-)allocated as needed. We go with the latter for now.
A recent security fix for Git added a fatal error if the directory that
contains the .git directory is not owned by the user that runs git in
that directory tree:
Determine strongSwan version fatal: unsafe repository ('...' is owned by someone else)
To avoid this, we call the git commands as owner of the source
directory (the script has to run as root, so this is no problem).
The user/group ID and name is now also determined via `stat(1)` so it
directly depends on the actual source dir and should work even when not
using sudo.
