[Swan] Building on OSX 10.9 Mavericks

Noah Easterly noah.easterly at gmail.com
Thu Oct 30 22:06:20 EET 2014


Patch seemed to get past the cap-ng issue.

Next error was

/usr/local/src/libreswan-3.8/programs/pluto/kernel_bsdkame.c:32:10: fatal error: 'netipsec/keydb.h' file not found

It may be trivial to get past that as well, but I've been unable to spend
any time on it.

Here's the patch of what I've done thus far:

diff --git a/Makefile.inc b/Makefile.inc
index 59394d9..a486949 100644
--- a/Makefile.inc
+++ b/Makefile.inc
@@ -369,9 +369,15 @@ USE_LABELED_IPSEC?=false

 # Support for LIBCAP-NG to drop unneeded capabilities for the pluto daemon
 USE_LIBCAP_NG?=true
+ifeq ($(OSDEP),darwin)
+USE_LIBCAP_NG=false
+endif

 # Support for Network Manager
 USE_NM?=true
+ifeq ($(OSDEP),darwin)
+USE_NM=false
+endif

 # Include LDAP support (currently used for fetching CRLs)
 USE_LDAP?=false
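Review bot: The `ifeq ($(OSDEP),darwin)` block only has an effect if OSDEP already holds its value when make reads this part of Makefile.inc; conditional directives are evaluated at parse time, so if OSDEP is assigned further down the file (not visible in this hunk) the override silently never fires and the darwin build still tries to use libcap-ng. Worth confirming where OSDEP is set, or placing the darwin block after that assignment. The same applies to the USE_NM override a few lines below. A one-line comment above the first ifeq, such as `# libcap-ng and NetworkManager are not available on darwin`, would also record why these are forced off rather than defaulted with `?=`.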
diff --git a/linux/include/libreswan.h b/linux/include/libreswan.h
index 6eda2df..fbcd827 100644
--- a/linux/include/libreswan.h
+++ b/linux/include/libreswan.h
@@ -114,7 +114,6 @@ typedef int bool;
 #include <string.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>
-#include <tcpd.h>
 #include <assert.h>
 #define user_assert(foo) assert(foo)
 #define __u32  unsigned int
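Review bot: The `#include <tcpd.h>` removal is unconditional in a header that every platform includes, not only darwin, so any Linux translation unit that relied on libreswan.h for the TCP-wrappers declarations would now fail to compile; the thread only confirms that the darwin build did not need the include. If nothing in the tree uses libwrap, dropping it is the right fix and a sentence in the commit message saying so would help the next reader. Otherwise keep the darwin port isolated by guarding it, e.g. `#ifndef __APPLE__` / `#include <tcpd.h>` / `#endif`, so other builds are unchanged.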
diff --git a/ports/darwin/include/netkey/key_debug.h
b/ports/darwin/include/netkey/key_debug.h
new file mode 100644
index 0000000..b2e94a3
--- /dev/null
+++ b/ports/darwin/include/netkey/key_debug.h
@@ -0,0 +1,92 @@
+/*    $KAME: key_debug.h,v 1.7 2000/07/04 04:08:16 itojun Exp $    */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NETKEY_KEY_DEBUG_H_
+#define _NETKEY_KEY_DEBUG_H_
+#include <sys/appleapiopts.h>
+
+/* debug flags */
+#define KEYDEBUG_STAMP        0x00000001 /* path */
+#define KEYDEBUG_DATA        0x00000002 /* data */
+#define KEYDEBUG_DUMP        0x00000004 /* dump */
+
+#define KEYDEBUG_KEY        0x00000010 /* key processing */
+#define KEYDEBUG_ALG        0x00000020 /* ciph & auth algorithm */
+#define KEYDEBUG_IPSEC        0x00000040 /* ipsec processing */
+
+#define KEYDEBUG_KEY_STAMP    (KEYDEBUG_KEY | KEYDEBUG_STAMP)
+#define KEYDEBUG_KEY_DATA    (KEYDEBUG_KEY | KEYDEBUG_DATA)
+#define KEYDEBUG_KEY_DUMP    (KEYDEBUG_KEY | KEYDEBUG_DUMP)
+#define KEYDEBUG_ALG_STAMP    (KEYDEBUG_ALG | KEYDEBUG_STAMP)
+#define KEYDEBUG_ALG_DATA    (KEYDEBUG_ALG | KEYDEBUG_DATA)
+#define KEYDEBUG_ALG_DUMP    (KEYDEBUG_ALG | KEYDEBUG_DUMP)
+#define KEYDEBUG_IPSEC_STAMP    (KEYDEBUG_IPSEC | KEYDEBUG_STAMP)
+#define KEYDEBUG_IPSEC_DATA    (KEYDEBUG_IPSEC | KEYDEBUG_DATA)
+#define KEYDEBUG_IPSEC_DUMP    (KEYDEBUG_IPSEC | KEYDEBUG_DUMP)
+
+#if 0
+#define KEYDEBUG(lev,arg) \
+    do { if ((key_debug_level & (lev)) == (lev)) { arg; } } while (0)
+#else
+#define KEYDEBUG(lev,arg)
+#endif
+
+struct sadb_msg;
+struct sadb_ext;
+extern void kdebug_sadb(struct sadb_msg *);
+extern void kdebug_sadb_x_policy(struct sadb_ext *);
+
+#ifdef KERNEL
+extern u_int32_t key_debug_level;
+
+struct secpolicy;
+struct secpolicyindex;
+struct secasindex;
+struct secasvar;
+struct secreplay;
+struct mbuf;
+extern void kdebug_secpolicy(struct secpolicy *);
+extern void kdebug_secpolicyindex(struct secpolicyindex *);
+extern void kdebug_secasindex(struct secasindex *);
+extern void kdebug_secasv(struct secasvar *);
+extern void kdebug_mbufhdr(struct mbuf *);
+extern void kdebug_mbuf(struct mbuf *);
+#endif /* KERNEL */
+
+struct sockaddr;
+extern void kdebug_sockaddr(struct sockaddr *);
+
+extern void ipsec_hexdump(caddr_t, int);
+extern void ipsec_bindump(caddr_t, int);
+
+
+#endif /* _NETKEY_KEY_DEBUG_H_ */
+
diff --git a/ports/darwin/include/netkey/key_var.h
b/ports/darwin/include/netkey/key_var.h
new file mode 100644
index 0000000..7f3f45c
--- /dev/null
+++ b/ports/darwin/include/netkey/key_var.h
@@ -0,0 +1,97 @@
+/*    $KAME: key_var.h,v 1.5 2000/02/22 14:06:41 itojun Exp $    */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY
WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _NETKEY_KEY_VAR_H_
+#define _NETKEY_KEY_VAR_H_
+#include <sys/appleapiopts.h>
+
+/* sysctl */
+#define KEYCTL_DEBUG_LEVEL        1
+#define KEYCTL_SPI_TRY            2
+#define KEYCTL_SPI_MIN_VALUE        3
+#define KEYCTL_SPI_MAX_VALUE        4
+#define KEYCTL_RANDOM_INT        5
+#define KEYCTL_LARVAL_LIFETIME        6
+#define KEYCTL_BLOCKACQ_COUNT        7
+#define KEYCTL_BLOCKACQ_LIFETIME    8
+#define KEYCTL_ESP_KEYMIN        9
+#define KEYCTL_ESP_AUTH            10
+#define KEYCTL_AH_KEYMIN        11
+#define KEYCTL_PREFERED_OLDSA        12
+#define KEYCTL_NATT_KEEPALIVE_INTERVAL    13
+#define KEYCTL_PFKEYSTAT        14
+#define KEYCTL_MAXID            15
+
+#ifdef KERNEL_PRIVATE
+#define KEYCTL_NAMES { \
+    { 0, 0 }, \
+    { "debug", CTLTYPE_INT }, \
+    { "spi_try", CTLTYPE_INT }, \
+    { "spi_min_value", CTLTYPE_INT }, \
+    { "spi_max_value", CTLTYPE_INT }, \
+    { "random_int", CTLTYPE_INT }, \
+    { "larval_lifetime", CTLTYPE_INT }, \
+    { "blockacq_count", CTLTYPE_INT }, \
+    { "blockacq_lifetime", CTLTYPE_INT }, \
+    { "esp_keymin", CTLTYPE_INT }, \
+    { "esp_auth", CTLTYPE_INT }, \
+    { "ah_keymin", CTLTYPE_INT }, \
+    { "prefered_oldsa", CTLTYPE_INT }, \
+    { "natt_keepalive_interval", CTLTYPE_INT }, \
+    { "pfkeystat", CTLTYPE_STRUCT }, \
+}
+
+#define KEYCTL_VARS { \
+    0, \
+    &key_debug_level, \
+    &key_spi_trycnt, \
+    &key_spi_minval, \
+    &key_spi_maxval, \
+    &key_int_random, \
+    &key_larval_lifetime, \
+    &key_blockacq_count, \
+    &key_blockacq_lifetime, \
+    &ipsec_esp_keymin, \
+    &ipsec_ah_keymin, \
+    &ipsec_prefered_oldsa, \
+    &natt_keepalive_interval, \
+}
+
+#ifdef KERNEL
+#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))
+#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))
+#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))
+#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))
+#endif /*KERNEL*/
+
+#endif /* KERNEL_PRIVATE */
+#endif /* _NETKEY_KEY_VAR_H_ */
+
diff --git a/ports/darwin/include/sysdep.h b/ports/darwin/include/sysdep.h
index 6d1b181..4446f0f 100644
--- a/ports/darwin/include/sysdep.h
+++ b/ports/darwin/include/sysdep.h
@@ -24,3 +24,7 @@
 #ifndef IPSEC_MANUAL_REQID_MAX
 # define IPSEC_MANUAL_REQID_MAX  0x3fff
 #endif
+
+/* udpfromto socket option for BSD */
+#define HAVE_UDPFROMTO 1
+#define HAVE_IP_RECVDSTADDR 1
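Review bot: The two new defines are unguarded, whereas the IPSEC_MANUAL_REQID_MAX definition directly above them is wrapped in `#ifndef`; a build that sets either macro to a different value on the command line (for example to exercise the IP_PKTINFO path in udpfromto.c) would hit a redefinition diagnostic from this header. For consistency with the existing pattern, wrap each one, e.g. `#ifndef HAVE_IP_RECVDSTADDR` / `# define HAVE_IP_RECVDSTADDR 1` / `#endif`, and likewise for HAVE_UDPFROMTO. The comment could also name the udpfromto.c check this satisfies ("Must have either IP_PKTINFO or IP_RECVDSTADDR"), since that is the reason given in the thread.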


On Mon, Oct 27, 2014 at 2:56 PM, Paul Wouters <paul at nohats.ca> wrote:

> On Mon, 27 Oct 2014, Noah Easterly wrote:
>
>  Subject: Re: [Swan] Building on OSX 10.9 Mavericks
>>
>> Yep, I can remove that line without obvious issue, but the build still
>> has issues:
>>
>> Next attempt at `make programs` got
>>
>> /usr/local/src/libreswan-3.8/lib/libswan/udpfromto.c:75:2: error: "Must
>> have either IP_PKTINFO or IP_RECVDSTADDR"
>>
>> So I added the following to ports/darwin/include/sysdep.h, as OSX
>> supports IP_RECVDSTADDR (https://developer.apple.com/
>> library/mac/documentation/Darwin/Reference/ManPages/man4/ip.4.html)
>>
>> /* udpfromto socket option for BSD */
>> #define HAVE_UDPFROMTO 1
>> #define HAVE_IP_RECVDSTADDR 1
>>
>> The next error after that proved to be
>>
>> /usr/local/src/libreswan-3.8/lib/libbsdpfkey/pfkey.c:38:10: fatal error:
>> 'netkey/key_var.h' file not found
>>
>> The racoon macport had a similar issue (http://article.gmane.org/
>> gmane.os.opendarwin.darwinports/6225) and I solved it the same way they
>> did (https://trac.macports.org/ticket/2173), by creating an
>> include/netkey directory and putting netkey/key_var.h and
>> netkey/key_debug.h (from http://www.opensource.apple.
>> com/source/xnu/xnu-1456.1.26/bsd/netkey/) in there.
>>
>
> Sounds all reasonable. If you have a patch with all of this in it, that
> would be great :)
>
>  The next error was
>>
>> /usr/local/src/libreswan-3.8/programs/pluto/plutomain.c:100:11: fatal
>> error: 'cap-ng.h' file not found
>>
>> And a quick google doesn't seem sufficient to solve that. I don't think
>> OSX supports capng_change_id, and I'm not sure what the local analogue
>> would be.
>>
>
> Try this patch:
>
> diff --git a/Makefile.inc b/Makefile.inc
> index 67d9b63..f28e952 100644
> --- a/Makefile.inc
> +++ b/Makefile.inc
> @@ -375,9 +375,15 @@ USE_LABELED_IPSEC?=false
>
>  # Support for LIBCAP-NG to drop unneeded capabilities for the pluto
>  # daemon
>  USE_LIBCAP_NG?=true
> +ifeq ($(OSDEP),darwin)
> +USE_LIBCAP_NG=false
> +endif
>
>  # Support for Network Manager
>  USE_NM?=true
> +ifeq ($(OSDEP),darwin)
> +USE_NM=false
> +endif
>
>  # Include LDAP support (currently used for fetching CRLs)
>  USE_LDAP?=false
>
> Paul
>