[Swan] libreswan v3.29, Kernel 4.9.119, enable klips

Brian T btuch at usa.net
Wed Sep 4 15:40:26 UTC 2019


Hello,

I am trying to enable KLIPS support on a cross-compile platform for ARM (I
understand that it is going away).  Paul mentioned not to use VTI and to wait
for XFRMi, but I am looking for a solution until XFRMi is usable.

Compiling without KLIPS turned on at make time works fine, netkey works,
tunnels can be used and pass traffic.

When I enable building KLIPS with  USE_KLIPS=true BUILD_KLIPS=true I get the
following compile error (please ignore the NSS complaints, they are always
there even when not compiling KLIPS, the libs are available).

After a compile fix in pf_key.c

diff --git a/programs/pf_key/pf_key.c b/programs/pf_key/pf_key.c
index 856e8b80a..28d9c3a70 100644
--- a/programs/pf_key/pf_key.c
+++ b/programs/pf_key/pf_key.c
@@ -322,10 +322,10 @@ int main(int argc, char *argv[])
        char *infilename = NULL;
        char *outfilename = NULL;
 
-       int ah_register = 0;
-       int esp_register = 0;
-       int ipip_register = 0;
-       int ipcomp_register = 0;
+       static int ah_register = 0;
+       static int esp_register = 0;
+       static int ipip_register = 0;
+       static int ipcomp_register = 0; 
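
Review bot: the reason ah_register, esp_register, ipip_register and ipcomp_register in main() need static storage is not recorded in the hunk, and the message around it does not quote the compiler error being worked around. Add a one-line comment above the four declarations naming the error or the construct that needs them to be static, so the change is not reverted later as unnecessary. Two smaller points on the added lines: objects with static storage duration are already zero-initialized, so the "= 0" initializers can be dropped, and the line "static int ipcomp_register = 0;" ends with a trailing space that should be removed.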



I am hitting errors that I do not think I can fix:

/usr/bin/ccache arm-linux-gnueabihf-gcc -O2 -Wno-missing-field-initializers
-Wno-sign-compare -I../../programs/pluto -pthread -DTimeZoneOffset=timezone
-DHAVE_SYS_TYPES_H=1 -DHAVE_UNISTD_H=1 -Dlinux -DHAVE_UDPFROMTO=1
-DHAVE_IP_PKTINFO=1 -std=gnu99 -g -Werror -Wall -Wextra -Wformat
-Wformat-nonliteral -Wformat-security -Wundef -Wmissing-declarations
-Wredundant-decls -Wnested-externs -O2 -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2
-fstack-protector-all -fno-strict-aliasing -fPIE -DPIE -DKLIPS
-DNETKEY_SUPPORT -DPFKEY -DUSE_NIC_OFFLOAD -DLIBCURL -DHAVE_NM
-DXAUTH_HAVE_PAM -DUSE_3DES -DUSE_AES -DUSE_CAMELLIA -DUSE_CHACHA -DUSE_DH2
-DUSE_DH31 -DUSE_MD5 -DUSE_SERPENT -DUSE_SHA1 -DUSE_SHA2 -DUSE_TWOFISH
-DUSE_XCBC -DDEFAULT_RUNDIR=\"/var/run/pluto\"
-DFIPSPRODUCTCHECK=\"/etc/system-fips\" -DIPSEC_CONF=\"/etc/ipsec.conf\"
-DIPSEC_CONFDDIR=\"/etc/ipsec.d\" -DIPSEC_NSSDIR=\"/etc/ipsec.d\"
-DIPSEC_CONFDIR=\"/etc\" -DIPSEC_EXECDIR=\"/usr/libexec/ipsec\"
-DIPSEC_SBINDIR=\"/usr/sbin\" -DIPSEC_VARDIR=\"/var\"
-DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\"
-DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DFORCE_PR_ASSERT -DUSE_FORK=1
-DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT
-DALLOW_MICROSOFT_BAD_PROPOSAL  -I../../include  -DNSS_IPSEC_PROFILE 
-I../../programs/pluto -pthread -DTimeZoneOffset=timezone -DHAVE_SYS_TYPES_H=1
-DHAVE_UNISTD_H=1 -Dlinux -DHAVE_UDPFROMTO=1 -DHAVE_IP_PKTINFO=1 -std=gnu99 -g
-Werror -Wall -Wextra -Wformat -Wformat-nonliteral -Wformat-security -Wundef
-Wmissing-declarations -Wredundant-decls -Wnested-externs -O2
-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fstack-protector-all
-fno-strict-aliasing -fPIE -DPIE -DKLIPS -DNETKEY_SUPPORT -DPFKEY
-DUSE_NIC_OFFLOAD -DLIBCURL -DHAVE_NM -DXAUTH_HAVE_PAM -DUSE_3DES -DUSE_AES
-DUSE_CAMELLIA -DUSE_CHACHA -DUSE_DH2 -DUSE_DH31 -DUSE_MD5 -DUSE_SERPENT
-DUSE_SHA1 -DUSE_SHA2 -DUSE_TWOFISH -DUSE_XCBC
-DDEFAULT_RUNDIR=\"/var/run/pluto\" -DFIPSPRODUCTCHECK=\"/etc/system-fips\"
-DIPSEC_CONF=\"/etc/ipsec.conf\" -DIPSEC_CONFDDIR=\"/etc/ipsec.d\"
-DIPSEC_NSSDIR=\"/etc/ipsec.d\" -DIPSEC_CONFDIR=\"/etc\"
-DIPSEC_EXECDIR=\"/usr/libexec/ipsec\" -DIPSEC_SBINDIR=\"/usr/sbin\"
-DIPSEC_VARDIR=\"/var\" -DPOLICYGROUPSDIR=\"/etc/ipsec.d/policies\"
-DIPSEC_SECRETS_FILE=\"/etc/ipsec.secrets\" -DFORCE_PR_ASSERT -DUSE_FORK=1
-DUSE_VFORK=0 -DUSE_DAEMON=0 -DUSE_PTHREAD_SETSCHEDPRIO=1 -DGCC_LINT
-DALLOW_MICROSOFT_BAD_PROPOSAL  -I../../include  -DNSS_IPSEC_PROFILE  \
        -MF ../../OBJ.linux.arm/programs/spi/spi.d \
        -MP -MMD -MT spi.o \
        -o ../../OBJ.linux.arm/programs/spi/spi.o \
        -c /tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c
Package nss was not found in the pkg-config search path.
Perhaps you should add the directory containing `nss.pc'
to the PKG_CONFIG_PATH environment variable
No package 'nss' found
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:412:3: error: 'const struct
proposal_policy' has no member named 'ikev1'
  .ikev1 = false,
   ^~~~~
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:413:3: error: 'const struct
proposal_policy' has no member named 'ikev2'
  .ikev2 = false,
   ^~~~~
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c: In function 'decode_esp':
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:422:34: error: implicit
declaration of function 'alg_info_esp_create_from_str'
[-Werror=implicit-function-declaration]
  struct alg_info_esp *alg_info = alg_info_esp_create_from_str(&policy,
algname,
                                  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:422:34: error: nested extern
declaration of 'alg_info_esp_create_from_str' [-Werror=nested-externs]
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:422:34: error:
initialization makes pointer from integer without a cast
[-Werror=int-conversion]
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:429:15: error: dereferencing
pointer to incomplete type 'struct alg_info_esp'
   if (alg_info->ai.alg_info_cnt > 1) {
               ^~
/tmp/wsbu/s5t/shadow/libreswan/programs/spi/spi.c:444:13: error: dereferencing
pointer to incomplete type 'struct proposal_info'
     esp_info->encrypt->common.id[IKEv1_ESP_ID],
             ^~
cc1: all warnings being treated as errors
../../mk/depend.mk:34: recipe for target 'spi.o' failed



Is KLIPS no longer working completely?

Thanks!

-Brian T.


