[Swan] libreswan 3.14rc2 Release Candidate
Reuben Farrelly
reuben-libreswan at reub.net
Wed Jun 17 10:52:36 EEST 2015
Hi,
Still seeing compile failures with this RC:
cc -I/var/tmp/libreswan-3.14rc2/lib/libcrypto/libsha2
-I/var/tmp/libreswan-3.14rc2/lib/libcrypto/libaes_xcbc
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include -I.
-I/var/tmp/libreswan-3.14rc2/linux/net/ipsec
-I/var/tmp/libreswan-3.14rc2/linux/include -I/var/tmp/libreswan-3.14rc2
-DPFKEYV2 -DKLIPS -I/usr/include/nss -I/usr/include/nspr
-I/var/tmp/libreswan-3.14rc2/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include -m64 -g -O2
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-all
-fno-strict-aliasing -fPIE -DPIE -DFORCE_PR_ASSERT -DDNSSEC -DKLIPS
-DLIBCURL -DUSE_MD5 -DHAVE_NM -DUSE_SHA2 -DUSE_SHA1
-DFIPSPRODUCTCHECK=\"/etc/system-fips\" -DIPSEC_CONF=\"/etc/ipsec.conf\"
-DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/etc/ipsec.d\"
-DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/local/libexec/ipsec\"
-DIPSEC_SBINDIR=\"/usr/local/sbin\" -DIPSEC_VARDIR=\"/var\"
-DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\"
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations
-Wredundant-decls -Wnested-externs
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include
-I/var/tmp/libreswan-3.14rc2/ports/linux/include \
-MMD -MF ./unbound.d \
-o ./unbound.o \
-c /var/tmp/libreswan-3.14rc2/lib/libswan/unbound.c
/var/tmp/libreswan-3.14rc2/lib/libswan/unbound.c:30:46: fatal error:
unbound.h: No such file or directory
compilation terminated.
../../../mk/depend.mk:28: recipe for target 'unbound.o' failed
make[3]: *** [unbound.o] Error 1
make[3]: Leaving directory
'/var/tmp/libreswan-3.14rc2/OBJ.linux.x86_64/lib/libswan'
Makefile:93: recipe for target 'local-base' failed
make[2]: *** [local-base] Error 2
make[2]: Leaving directory '/var/tmp/libreswan-3.14rc2/lib/libswan'
../mk/subdirs.mk:33: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/var/tmp/libreswan-3.14rc2/lib'
/var/tmp/libreswan-3.14rc2/mk/subdirs.mk:33: recipe for target 'all' failed
make: *** [all] Error 2
This is an up-to-date x86_64 Gentoo box with no special options set.
Simply untar and run 'make all'.
This box has GCC-5.1 though so that could potentially be a factor.
On -git current I'm seeing a different compile error:
make[3]: Entering directory
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish'
mkdir -p ../../../OBJ.linux.amd64/lib/libcrypto/libtwofish
set -e ; \
for f in twofish.o twofish_cbc.o ; do \
case $f in \
*.c ) echo "-include $(basename $f .c).d # $f" ;; \
*.o ) echo "-include $(basename $f .o).d # $f" ;; \
* ) echo "# $f ignored by Makefile.dep" ;; \
esac ; \
done >
../../../OBJ.linux.amd64/lib/libcrypto/libtwofish/Makefile.depend.mk.tmp
mv
../../../OBJ.linux.amd64/lib/libcrypto/libtwofish/Makefile.depend.mk.tmp
../../../OBJ.linux.amd64/lib/libcrypto/libtwofish/Makefile.depend.mk
make -C ../../../OBJ.linux.amd64/lib/libcrypto/libtwofish buildall
make[4]: Entering directory
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/OBJ.linux.amd64/lib/libcrypto/libtwofish'
x86_64-pc-linux-gnu-gcc -O2 -pipe -march=native -mtune=native
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/../include
-I.
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/net/ipsec
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/include
-I/usr/include/nss -I/usr/include/nspr -pthread -g -O2
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DKLIPS -DLIBCURL -DUSE_MD5
-DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 -DFIPSPRODUCTCHECK=\"/etc/system-fips\"
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\"
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\"
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\"
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\"
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations
-Wredundant-decls -Wnested-externs
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/../include
-I.
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/net/ipsec
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/include
-I/usr/include/nss -I/usr/include/nspr -pthread -g -O2
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DKLIPS -DLIBCURL -DUSE_MD5
-DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 -DFIPSPRODUCTCHECK=\"/etc/system-fips\"
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\"
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\"
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\"
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\"
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations
-Wredundant-decls -Wnested-externs \
-MMD -MF ./twofish.d \
-o ./twofish.o \
-c
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c
x86_64-pc-linux-gnu-gcc -O2 -pipe -march=native -mtune=native
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/../include
-I.
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/net/ipsec
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/include
-I/usr/include/nss -I/usr/include/nspr -pthread -g -O2
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DKLIPS -DLIBCURL -DUSE_MD5
-DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 -DFIPSPRODUCTCHECK=\"/etc/system-fips\"
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\"
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\"
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\"
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\"
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations
-Wredundant-decls -Wnested-externs
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/../include
-I.
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/net/ipsec
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/include
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/include
-I/usr/include/nss -I/usr/include/nspr -pthread -g -O2
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -DKLIPS -DLIBCURL -DUSE_MD5
-DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 -DFIPSPRODUCTCHECK=\"/etc/system-fips\"
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\"
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\"
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\"
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\"
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations
-Wredundant-decls -Wnested-externs \
-MMD -MF ./twofish_cbc.d \
-o ./twofish_cbc.o \
-c
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish_cbc.c
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c:
In function 'twofish_set_key':
cc1: error: iteration 254u invokes undefined behavior
[-Werror=aggressive-loop-optimizations]
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c:811:3:
note: containing loop
for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 )
^
cc1: error: iteration 254u invokes undefined behavior
[-Werror=aggressive-loop-optimizations]
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c:838:3:
note: containing loop
for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 )
^
cc1: error: iteration 254u invokes undefined behavior
[-Werror=aggressive-loop-optimizations]
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c:865:3:
note: containing loop
for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 )
^
cc1: all warnings being treated as errors
../../../../mk/depend.mk:28: recipe for target 'twofish.o' failed
make[4]: *** [twofish.o] Error 1
make[4]: Leaving directory
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/OBJ.linux.amd64/lib/libcrypto/libtwofish'
../../../mk/library.mk:41: recipe for target 'local-base' failed
make[3]: *** [local-base] Error 2
make[3]: Leaving directory
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish'
../../mk/subdirs.mk:33: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto'
../mk/subdirs.mk:33: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib'
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/mk/subdirs.mk:33:
recipe for target 'all' failed
make: *** [all] Error 2
* ERROR: net-misc/libreswan-9999::gentoo failed (compile phase):
* emake failed
*
* If you need support, post the output of `emerge --info
'=net-misc/libreswan-9999::gentoo'`,
* the complete build log and the output of `emerge -pqv
'=net-misc/libreswan-9999::gentoo'`.
* The complete build log is located at
'/var/tmp/portage/net-misc/libreswan-9999/temp/build.log'.
* The ebuild environment file is located at
'/var/tmp/portage/net-misc/libreswan-9999/temp/environment'.
* Working directory:
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999'
Reuben
On 15/06/2015 11:32 PM, Paul Wouters wrote:
>
> Hi,
>
> We have a 3.14rc2 Release Candidate available for testing.
>
> As the changes between 3.13 and 3.14 are significant, we would like
> to hear back from the community for any potential issues they find,
> including the upgrade from 3.13 to 3.14rc2. This upgrade will also
> upgrade the NSS database in /etc/ipsec.d from dbm format to sql format,
> so please do back up /etc/ipsec.d before attempting an upgrade.
>
> The (not fully completed) changelog follows below.
>
> Paul
>
> * NSS: Major rewrite of PRF / PRFPLUS / integrity functions [Andrew]
> * CAVS: Added programs/pluto/cavp for NIST CAVS testing [Andrew]
> * IKEv2: authby=null support (draft-ietf-ipsecme-authnull)
> [Paul/Antony/Hugh]
> * IKEv2: leftid=%null support (draft-ietf-ipsecme-authnull)
> [Paul/Antony/Hugh]
> * IKEv2: whack and smc related time out fixes [Antony]
> * IKEv2: do not pad IKE messages (fix interop w. InsideSecure) [Paul]
> * IKEv2: Fix esp=camellia to use the IKEv2 IANA registry number for ESP
> [Paul]
> * IKEv2: Fix memory leaks in addresspool and child exchange sadb [Antony]
> * IKEv2: Support for INVALID_KE DH group re-transmits [Paul/Hugh]
> * IKEv2: if applicable, add CERTREQ payload to IKE_SA_INIT response
> [Antony]
> * IKEv1: Don't copy isakmp_sa from received packet [Paul]
> * FIPS: Enforce crypto restrictions in FIPS mode (no md5,twofish, etc)
> [Paul]
> * XAUTH: retransmit user/password request in 10s (instead of 30s)
> [Wolfgang]
> * X509: Re-added CRL and OCSP support using NSS [Matt]
> * X509: Expired certificate could crash pluto [Wolfgang]
> * x509: New options: ocsp_enable= ocsp_strict= ocsp_timeout= [Matt]
> ocsp_uri= and ocsp_trust_name=
> * pluto: Converted select() loop to use libevent and subsecond timers
> [Antony]
> * pluto: Added retransmit-timeout= and retransmit-interval= [Antony]
> * pluto: Greatly reduce time to retransmit from 20s to 0.5s [Antony]
> * pluto: Support for IKEv1 and IKEv2 AES_CTR (ike=aes_ctr) [Andrew Cagney]
> * pluto: Support for CBC/CTR test vectors using NSS [Andrew Cagney]
> * pluto: Remove last weary old X.509 patch code and use NSS instead [Matt]
> * pluto: Static IP support using passwd file with addresspool= [Wolfgang]
> * pluto: major tidy of labeled ipsec code [Hugh]
> * pluto: fixes for uninitialized fields in output struct [Hugh/Paul]
> * pluto: audit format and log item update as per audit spec [Paul]
> * pluto: simplify and clarify sa_copy_sa and friends [Hugh]
> * pluto: small steps improving crypto helpers [Hugh]
> * pluto: plutostderrlog= renamed to logfile= [Paul]
> * pluto: plutostderrlogtime= renamed to logtime= [Paul]
> * pluto: New option logappend=yes|no (default yes) [Paul]
> * pluto: Removed obsoleted loopback= support [Paul]
> * pluto/rsasigkey: added --seedbits option (and seedbits= option) [Paul]
> * pluto: do not terminate_connection() in-flight [Hugh]
> * pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu]
> * pluto: Use "third best" monotime() on mismatched kernel/glibc headers
> [Paul]
> * pluto: removed bool inbound_only from delete_ipsec_sa() [Paul/Herbert]
> * pluto: fix modecfg client/server status display (was swapped) [Herbert]
> * pluto: NFLOG support via nflog-all= and nflog= keywords [Paul]
> * pluto: Fix bogus "no RSA public key known for '%fromcert'" [Herbert Xu]
> * libipsecconf: Improve parser for pipe case (with NM) [Hugh/Lubomir
> Rintel]
> * readwriteconf: improve error handling [Hugh]
> * ipsec: ipsec --import does not need to run restorecon [Paul]
> * ipsec: --checknss option automatically updates NSS DB to SQL [Matt]
> * packaging: Various SPEC file fixes [Tuomo/Kim]
> * packaging: Add v6neighbour-hole.conf for Neighbour Discovery hole [Paul]
> * initsystems: run ipsec --checknss before start [Tuomo]
> * building: overhaul of build system Makefiles (see mk/) [Andrew]
> * testing: docker test type support [Antony]
> * testing: test case updates/additions [Antony/Paul/Andrew/Matt]
> * NETKEY: Increase netlink message buffer for larger SElinux labels [Paul]
> * KLIPS: move udp_encap_enable() to not be within spinlock [Wolfgang]
> * KLIPS: ipsec_rcv_decap_ipip broken for IPv6 lsb#227 [Frank Schmirler]
> * KLIPS: Support for SHA2 via CryptoAPI [Wolfgang]
> * KLIPS: Support for sha2_truncbug [Wolfgang]
> * whack: New command ipsec whack --purgeocsp [Matt]
> * whack: cleanup help text [Tuomo]
> * _stackmanager: Don't load blacklisted modules (rhbz#1207689) [Paul/Tuomo]
> * _updown: add proxy arp for cases where routing won't work
> [Tuomo/Wolfgang]
> * Bugtracker bugs fixed:
> #260: libswan: extra safety around same_id() when ID_FROMCERT is
> used [Paul]