[Swan] libreswan v3.29, Kernel 4.9.119, enable klips

Brian T btuch at usa.net
Wed Sep 4 15:40:26 UTC 2019


I am trying to enable KLIPS support on a cross-compile platform for ARM (I
understand that it is going away).  Paul mentioned not to use VTI and to wait
for XFRMi, but I am looking for a solution until XFRMi is usable.

Compiling without KLIPS turned on at make time works fine, netkey works,
tunnels can be used and pass traffic.

When I enable building KLIPS with USE_KLIPS=true BUILD_KLIPS=true, I get the
following compile error (please ignore the NSS complaints; they are always
there even when not compiling KLIPS, and the libs are available).

After a compile fix in pf_key.c

diff --git a/programs/pf_key/pf_key.c b/programs/pf_key/pf_key.c
index 856e8b80a..28d9c3a70 100644
--- a/programs/pf_key/pf_key.c
+++ b/programs/pf_key/pf_key.c
@@ -322,10 +322,10 @@ int main(int argc, char *argv[])
        char *infilename = NULL;
        char *outfilename = NULL;
-       int ah_register = 0;
-       int esp_register = 0;
-       int ipip_register = 0;
-       int ipcomp_register = 0;
+       static int ah_register = 0;
+       static int esp_register = 0;
+       static int ipip_register = 0;
+       static int ipcomp_register = 0; 
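
Review bot: The four `static` declarations added in main() come with no statement of which compiler diagnostic they fix; the surrounding text only calls this "a compile fix". Please quote the error in the commit message or in a comment above the declarations, because static storage duration is not otherwise needed for locals of main() and a later cleanup could revert it. Two style points on the same lines: the `= 0` initializers are redundant on static ints, and the last added line (`ipcomp_register`) has trailing whitespace after the semicolon.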

I am hitting errors that I do not think I can fix:

/usr/bin/ccache arm-linux-gnueabihf-gcc -O2 -Wno-missing-field-initializers
-Wno-sign-compare -I../../programs/pluto -pthread -DTimeZoneOffset=timezone
-DHAVE_IP_PKTINFO=1 -std=gnu99 -g -Werror -Wall -Wextra -Wformat
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations
-Wredundant-decls -Wnested-externs -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
-fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DKLIPS
-DUSE_XCBC -DDEFAULT_RUNDIR=\"/var/run/pluto\"
-DFIPSPRODUCTCHECK=\"/etc/system-fips\" -DIPSEC_CONF=\"/etc/ipsec.conf\"
-DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/etc/ipsec.d\"
-DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/libexec/ipsec\"
-DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\"
-I../../programs/pluto -pthread -DTimeZoneOffset=timezone -DHAVE_SYS_TYPES_H=1
-Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef
-Wmissing-declarations -Wredundant-decls -Wnested-externs -O2
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-all
-DDEFAULT_RUNDIR=\"/var/run/pluto\" -DFIPSPRODUCTCHECK=\"/etc/system-fips\"
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\"
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\"
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\"
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\"
        -MF ../../OBJ.linux.arm/programs/spi/spi.d \
        -MP -MMD -MT spi.o \
        -o ../../OBJ.linux.arm/programs/spi/spi.o \
        -c /tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c
Package nss was not found in the pkg-config search path.
Perhaps you should add the directory containing `nss.pc'
to the PKG_CONFIG_PATH environment variable
No package 'nss' found
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:412:3: error: 'const struct
proposal_policy' has no member named 'ikev1'
  .ikev1 = false,
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:413:3: error: 'const struct
proposal_policy' has no member named 'ikev2'
  .ikev2 = false,
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c: In function 'decode_esp':
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:422:34: error: implicit
declaration of function 'alg_info_esp_create_from_str'
  struct alg_info_esp *alg_info = alg_info_esp_create_from_str(&policy,
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:422:34: error: nested extern
declaration of 'alg_info_esp_create_from_str' [-Werror=nested-externs]
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:422:34: error:
initialization makes pointer from integer without a cast
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:429:15: error: dereferencing
pointer to incomplete type 'struct alg_info_esp'
   if (alg_info->ai.alg_info_cnt > 1) {
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:444:13: error: dereferencing
pointer to incomplete type 'struct proposal_info'
cc1: all warnings being treated as errors
../../mk/depend.mk:34: recipe for target 'spi.o' failed

Is KLIPS no longer working completely?


-Brian T.
