[Swan] libreswan 3.14rc2 Release Candidate

Reuben Farrelly reuben-libreswan at reub.net
Wed Jun 17 10:52:36 EEST 2015


Hi,

Still seeing compile failures with this RC:

cc -I/var/tmp/libreswan-3.14rc2/lib/libcrypto/libsha2 
-I/var/tmp/libreswan-3.14rc2/lib/libcrypto/libaes_xcbc 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include  -I. 
-I/var/tmp/libreswan-3.14rc2/linux/net/ipsec 
-I/var/tmp/libreswan-3.14rc2/linux/include -I/var/tmp/libreswan-3.14rc2 
-DPFKEYV2 -DKLIPS  -I/usr/include/nss -I/usr/include/nspr 
-I/var/tmp/libreswan-3.14rc2/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include   -m64 -g -O2 
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-all 
-fno-strict-aliasing -fPIE -DPIE -DFORCE_PR_ASSERT -DDNSSEC -DKLIPS 
-DLIBCURL -DUSE_MD5 -DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 
-DFIPSPRODUCTCHECK=\"/etc/system-fips\" -DIPSEC_CONF=\"/etc/ipsec.conf\" 
-DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/etc/ipsec.d\" 
-DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/local/libexec/ipsec\" 
-DIPSEC_SBINDIR=\"/usr/local/sbin\" -DIPSEC_VARDIR=\"/var\" 
-DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" 
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT 
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat 
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations 
-Wredundant-decls -Wnested-externs 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include 
-I/var/tmp/libreswan-3.14rc2/ports/linux/include   \
         -MMD -MF ./unbound.d \
         -o ./unbound.o \
         -c /var/tmp/libreswan-3.14rc2/lib/libswan/unbound.c
/var/tmp/libreswan-3.14rc2/lib/libswan/unbound.c:30:46: fatal error: 
unbound.h: No such file or directory
compilation terminated.
../../../mk/depend.mk:28: recipe for target 'unbound.o' failed
make[3]: *** [unbound.o] Error 1
make[3]: Leaving directory 
'/var/tmp/libreswan-3.14rc2/OBJ.linux.x86_64/lib/libswan'
Makefile:93: recipe for target 'local-base' failed
make[2]: *** [local-base] Error 2
make[2]: Leaving directory '/var/tmp/libreswan-3.14rc2/lib/libswan'
../mk/subdirs.mk:33: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/var/tmp/libreswan-3.14rc2/lib'
/var/tmp/libreswan-3.14rc2/mk/subdirs.mk:33: recipe for target 'all' failed
make: *** [all] Error 2

This is an up-to-date x86_64 Gentoo box with no special options set. 
Simply untar and run 'make all'.

This box has GCC-5.1 though so that could potentially be a factor.

On -git current I'm seeing a different compile error:

make[3]: Entering directory 
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish'
mkdir -p ../../../OBJ.linux.amd64/lib/libcrypto/libtwofish
set -e ; \
for f in twofish.o twofish_cbc.o ; do \
         case $f in \
                 *.c ) echo "-include $(basename $f .c).d # $f" ;; \
                 *.o ) echo "-include $(basename $f .o).d # $f" ;; \
                 * ) echo "# $f ignored by Makefile.dep" ;; \
         esac ; \
done > 
../../../OBJ.linux.amd64/lib/libcrypto/libtwofish/Makefile.depend.mk.tmp
mv 
../../../OBJ.linux.amd64/lib/libcrypto/libtwofish/Makefile.depend.mk.tmp 
../../../OBJ.linux.amd64/lib/libcrypto/libtwofish/Makefile.depend.mk
make -C ../../../OBJ.linux.amd64/lib/libcrypto/libtwofish buildall
make[4]: Entering directory 
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/OBJ.linux.amd64/lib/libcrypto/libtwofish'
x86_64-pc-linux-gnu-gcc -O2 -pipe -march=native -mtune=native 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/../include 
-I. 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/net/ipsec 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/include 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/include 
-I/usr/include/nss -I/usr/include/nspr   -pthread   -g -O2 
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2  -DKLIPS -DLIBCURL -DUSE_MD5 
-DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 -DFIPSPRODUCTCHECK=\"/etc/system-fips\" 
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" 
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\" 
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" 
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" 
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT 
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat 
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations 
-Wredundant-decls -Wnested-externs 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/../include 
-I. 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/net/ipsec 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/include 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/include 
-I/usr/include/nss -I/usr/include/nspr   -pthread   -g -O2 
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2  -DKLIPS -DLIBCURL -DUSE_MD5 
-DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 -DFIPSPRODUCTCHECK=\"/etc/system-fips\" 
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" 
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\" 
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" 
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" 
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT 
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat 
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations 
-Wredundant-decls -Wnested-externs \
         -MMD -MF ./twofish.d \
         -o ./twofish.o \
         -c 
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c
x86_64-pc-linux-gnu-gcc -O2 -pipe -march=native -mtune=native 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/../include 
-I. 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/net/ipsec 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/include 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/include 
-I/usr/include/nss -I/usr/include/nspr   -pthread   -g -O2 
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2  -DKLIPS -DLIBCURL -DUSE_MD5 
-DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 -DFIPSPRODUCTCHECK=\"/etc/system-fips\" 
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" 
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\" 
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" 
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" 
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT 
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat 
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations 
-Wredundant-decls -Wnested-externs 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/ports/linux/include 
 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/../include 
-I. 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/net/ipsec 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/linux/include 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999 
-I/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/include 
-I/usr/include/nss -I/usr/include/nspr   -pthread   -g -O2 
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2  -DKLIPS -DLIBCURL -DUSE_MD5 
-DHAVE_NM -DUSE_SHA2 -DUSE_SHA1 -DFIPSPRODUCTCHECK=\"/etc/system-fips\" 
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\" 
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\" 
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\" 
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\" 
-DSHARED_SECRETS_FILE=\"/etc/ipsec.secrets\" -DGCC_LINT 
-DALLOW_MICROSOFT_BAD_PROPOSAL -Werror -Wall -Wextra -Wformat 
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations 
-Wredundant-decls -Wnested-externs \
         -MMD -MF ./twofish_cbc.d \
         -o ./twofish_cbc.o \
         -c 
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish_cbc.c
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c: 
In function 'twofish_set_key':
cc1: error: iteration 254u invokes undefined behavior 
[-Werror=aggressive-loop-optimizations]
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c:811:3: 
note: containing loop
    for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 )
    ^
cc1: error: iteration 254u invokes undefined behavior 
[-Werror=aggressive-loop-optimizations]
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c:838:3: 
note: containing loop
    for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 )
    ^
cc1: error: iteration 254u invokes undefined behavior 
[-Werror=aggressive-loop-optimizations]
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish/twofish.c:865:3: 
note: containing loop
    for ( i = j = 0, k = 1; i < 256; i++, j += 2, k += 2 )
    ^
cc1: all warnings being treated as errors
../../../../mk/depend.mk:28: recipe for target 'twofish.o' failed
make[4]: *** [twofish.o] Error 1
make[4]: Leaving directory 
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/OBJ.linux.amd64/lib/libcrypto/libtwofish'
../../../mk/library.mk:41: recipe for target 'local-base' failed
make[3]: *** [local-base] Error 2
make[3]: Leaving directory 
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto/libtwofish'
../../mk/subdirs.mk:33: recipe for target 'all' failed
make[2]: *** [all] Error 2
make[2]: Leaving directory 
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib/libcrypto'
../mk/subdirs.mk:33: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory 
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/lib'
/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999/mk/subdirs.mk:33: 
recipe for target 'all' failed
make: *** [all] Error 2
  * ERROR: net-misc/libreswan-9999::gentoo failed (compile phase):
  *   emake failed
  *
  * If you need support, post the output of `emerge --info 
'=net-misc/libreswan-9999::gentoo'`,
  * the complete build log and the output of `emerge -pqv 
'=net-misc/libreswan-9999::gentoo'`.
  * The complete build log is located at 
'/var/tmp/portage/net-misc/libreswan-9999/temp/build.log'.
  * The ebuild environment file is located at 
'/var/tmp/portage/net-misc/libreswan-9999/temp/environment'.
  * Working directory: 
'/var/tmp/portage/net-misc/libreswan-9999/work/libreswan-9999'

Reuben


On 15/06/2015 11:32 PM, Paul Wouters wrote:
>
> Hi,
>
> We have a 3.14rc2 Release Candidate available for testing.
>
> As the changes between 3.13 and 3.14 are significant, we would like
> to hear back from the community for any potential issues they find,
> including the upgrade from 3.13 to 3.14rc2. This upgrade will also
> upgrade the NSS database in /etc/ipsec.d from dbm format to sql format,
> so please do backup /etc/ipsec.d before attempting an upgrade.
>
> The (not fully completed) changelog follows below.
>
> Paul
>
> * NSS: Major rewrite of PRF / PRFPLUS / integrity functions [Andrew]
> * CAVS: Added programs/pluto/cavp for NIST CAVS testing [Andrew]
> * IKEv2: authby=null support (draft-ietf-ipsecme-authnull)
> [Paul/Antony/Hugh]
> * IKEv2: leftid=%null support (draft-ietf-ipsecme-authnull)
> [Paul/Antony/Hugh]
> * IKEv2: whack and smc related time out fixes [Antony]
> * IKEv2: do not pad IKE messages (fix interop w. InsideSecure) [Paul]
> * IKEv2: Fix esp=camellia to use the IKEv2 IANA registry number for ESP
> [Paul]
> * IKEv2: Fix memory leaks in addresspool and child exchange sadb [Antony]
> * IKEv2: Support for INVALID_KE DH group re-transmits [Paul/Hugh]
> * IKEv2: if applicable, add CERTREQ payload to IKE_SA_INIT response
> [Antony]
> * IKEv1: Don't copy isakmp_sa from received packet [Paul]
> * FIPS: Enforce crypto restrictions in FIPS mode (no md5,twofish, etc)
> [Paul]
> * XAUTH: retransmit user/password request in 10s (instead of 30s)
> [Wolfgang]
> * X509: Re-added CRL and OCSP support using NSS [Matt]
> * X509: Expired certificate could crash pluto [Wolfgang]
> * x509: New options: ocsp_enable= ocsp_strict= ocsp_timeout= [Matt]
>          ocsp_uri= and ocsp_trust_name=
> * pluto: Converted select() loop to use libevent and subsecond timers
> [Antony]
> * pluto: Added retransmit-timeout= and retransmit-interval= [Antony]
> * pluto: Greatly reduce time to retransmit from 20s to 0.5s [Antony]
> * pluto: Support for IKEv1 and IKEv2 AES_CTR (ike=aes_ctr) [Andrew Cagney]
> * pluto: Support for CBC/CTR test vectors using NSS [Andrew Cagney]
> * pluto: Remove last weary old X.509 patch code and use NSS instead [Matt]
> * pluto: Static IP support using passwd file with addresspool= [Wolfgang]
> * pluto: major tidy of labeled ipsec code [Hugh]
> * pluto: fixes for uninitialized fields in output struct [Hugh/Paul]
> * pluto: audit format and log item update as per audit spec [Paul]
> * pluto: simplify and clarify sa_copy_sa and friends [Hugh]
> * pluto: small steps improving crypto helpers [Hugh]
> * pluto: plutostderrlog= renamed to logfile= [Paul]
> * pluto: plutostderrlogtime= renamed to logtime= [Paul]
> * pluto: New option logappend=yes|no (default yes) [Paul]
> * pluto: Removed obsoleted loopback= support [Paul]
> * pluto/rsasigkey: added --seedbits option (and seedbits= option) [Paul]
> * pluto: do not terminate_connection() in-flight [Hugh]
> * pluto: don't use an expired reserved kernel SPI as fallback [Herbert Xu]
> * pluto: Use "third best" monotime() on mismatched kernel/glibc headers
> [Paul]
> * pluto: removed bool inbound_only from delete_ipsec_sa() [Paul/Herbert]
> * pluto: fix modecfg client/server status display (was swapped) [Herbert]
> * pluto: NFLOG support via nflog-all= and nflog= keywords [Paul]
> * pluto: Fix bogus "no RSA public key known for '%fromcert'" [Herbert Xu]
> * libipsecconf: Improve parser for pipe case (with NM) [Hugh/Lubomir
> Rintel]
> * readwriteconf: improve error handling [Hugh]
> * ipsec: ipsec --import does not need to run restorecon [Paul]
> * ipsec: --checknss option automatically updates NSS DB to SQL [Matt]
> * packaging: Various SPEC file fixes [Tuomo/Kim]
> * packaging: Add v6neighbour-hole.conf for Neighbour Discovery hole [Paul]
> * initsystems: run ipsec --checknss before start [Tuomo]
> * building: overhaul of build system Makefiles (see mk/) [Andrew]
> * testing: docker test type support [Antony]
> * testing: test case updates/additions [Antony/Paul/Andrew/Matt]
> * NETKEY: Increase netlink message buffer for larger SElinux labels [Paul]
> * KLIPS: move udp_encap_enable() to not be within spinlock [Wolfgang]
> * KLIPS: ipsec_rcv_decap_ipip broken for IPv6 lsb#227 [Frank Schmirler]
> * KLIPS: Support for SHA2 via CryptoAPI [Wolfgang]
> * KLIPS: Support for sha2_truncbug [Wolfgang]
> * whack: New command ipsec whack --purgeocsp [Matt]
> * whack: cleanup help text [Tuomo]
> * _stackmanager: Don't load blacklisted modules (rhbz#1207689) [Paul/Tuomo]
> * _updown: add proxy arp for cases where routing won't work
> [Tuomo/Wolfgang]
> * Bugtracker bugs fixed:
>    #260: libswan: extra safety around same_id() when ID_FROMCERT is
> used [Paul]
> _______________________________________________
> Swan mailing list
> Swan at lists.libreswan.org
> https://lists.libreswan.org/mailman/listinfo/swan
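
The backup step requested in the announcement above, as an added example that is not part of the original thread or of libreswan's own tooling: it reports whether a directory holds the legacy dbm NSS files (cert8.db, key3.db), the sql files (cert9.db, key4.db) or both, and archives the directory with owner-only permissions. The function names and the backup destination are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify and back up an NSS database directory before an
# upgrade that converts it from dbm to sql format.
# Standard NSS file names: dbm = cert8.db/key3.db, sql = cert9.db/key4.db.

# Print "dbm", "sql", "both" or "none" for the NSS database found in $1.
nss_db_format() {
    dir=$1
    has_dbm=no
    has_sql=no
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then has_dbm=yes; fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then has_sql=yes; fi
    case "$has_dbm$has_sql" in
        yesyes) echo both ;;   # a conversion has already run; dbm files remain
        yesno)  echo dbm ;;    # will be converted by the upgrade
        noyes)  echo sql ;;    # already in the new format
        *)      echo none ;;   # no NSS database present
    esac
}

# Archive directory $1 into directory $2 (hypothetical destination chosen by
# the caller); print the archive path on success, return non-zero on failure.
backup_nss_dir() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    archive="$dest/ipsec.d-backup-$(date +%Y%m%d%H%M%S).tar.gz"
    # The directory holds private keys: create the archive owner-only,
    # then read it back to confirm it is a complete, listable tarball.
    ( umask 077
      mkdir -p "$dest" &&
      tar -C "$(dirname "$src")" -czf "$archive" "$(basename "$src")" &&
      tar -tzf "$archive" >/dev/null ) || return 1
    echo "$archive"
}

# Usage (as root, before upgrading):
#   nss_db_format /etc/ipsec.d
#   backup_nss_dir /etc/ipsec.d /root/backups
```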

