<div dir="ltr"><div>Patch seemed to get past the cap-ng issue.<br><br></div>Next error was <br><br>/usr/local/src/libreswan-3.8/programs/pluto/kernel_bsdkame.c:32:10: fatal error: 'netipsec/keydb.h' file not found<br><div class="gmail_extra"><br></div><div class="gmail_extra">It may be trivial to get past that as well, but I've been unable to spend any time on it.<br><br></div><div class="gmail_extra">Here's the patch of what I've done thus far:<br><br>diff --git a/Makefile.inc b/Makefile.inc<br>index 59394d9..a486949 100644<br>--- a/Makefile.inc<br>+++ b/Makefile.inc<br>@@ -369,9 +369,15 @@ USE_LABELED_IPSEC?=false<br> <br> # Support for LIBCAP-NG to drop unneeded capabilities for the pluto daemon<br> USE_LIBCAP_NG?=true<br>+ifeq ($(OSDEP),darwin)<br>+USE_LIBCAP_NG=false<br>+endif<br> <br> # Support for Network Manager<br> USE_NM?=true<br>+ifeq ($(OSDEP),darwin)<br>+USE_NM=false<br>+endif<br> <br> # Include LDAP support (currently used for fetching CRLs)<br> USE_LDAP?=false<br>diff --git a/linux/include/libreswan.h b/linux/include/libreswan.h<br>index 6eda2df..fbcd827 100644<br>--- a/linux/include/libreswan.h<br>+++ b/linux/include/libreswan.h<br>@@ -114,7 +114,6 @@ typedef int bool;<br> #include <string.h><br> #include <netinet/in.h><br> #include <arpa/inet.h><br>-#include <tcpd.h><br> #include <assert.h><br> #define user_assert(foo) assert(foo)<br> #define __u32 unsigned int<br>diff --git a/ports/darwin/include/netkey/key_debug.h b/ports/darwin/include/netkey/key_debug.h<br>new file mode 100644<br>index 0000000..b2e94a3<br>--- /dev/null<br>+++ b/ports/darwin/include/netkey/key_debug.h<br>@@ -0,0 +1,92 @@<br>+/* $KAME: key_debug.h,v 1.7 2000/07/04 04:08:16 itojun Exp $ */<br>+<br>+/*<br>+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.<br>+ * All rights reserved.<br>+ *<br>+ * Redistribution and use in source and binary forms, with or without<br>+ * modification, are permitted provided that the following conditions<br>+ * are met:<br>+ * 1. Redistributions of source code must retain the above copyright<br>+ * notice, this list of conditions and the following disclaimer.<br>+ * 2. Redistributions in binary form must reproduce the above copyright<br>+ * notice, this list of conditions and the following disclaimer in the<br>+ * documentation and/or other materials provided with the distribution.<br>+ * 3. Neither the name of the project nor the names of its contributors<br>+ * may be used to endorse or promote products derived from this software<br>+ * without specific prior written permission.<br>+ *<br>+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND<br>+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br>+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE<br>+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE<br>+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br>+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS<br>+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)<br>+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT<br>+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY<br>+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF<br>+ * SUCH DAMAGE.<br>+ */<br>+<br>+#ifndef _NETKEY_KEY_DEBUG_H_<br>+#define _NETKEY_KEY_DEBUG_H_<br>+#include <sys/appleapiopts.h><br>+<br>+/* debug flags */<br>+#define KEYDEBUG_STAMP 0x00000001 /* path */<br>+#define KEYDEBUG_DATA 0x00000002 /* data */<br>+#define KEYDEBUG_DUMP 0x00000004 /* dump */<br>+<br>+#define KEYDEBUG_KEY 0x00000010 /* key processing */<br>+#define KEYDEBUG_ALG 0x00000020 /* ciph & auth algorithm */<br>+#define KEYDEBUG_IPSEC 0x00000040 /* ipsec processing */<br>+<br>+#define KEYDEBUG_KEY_STAMP (KEYDEBUG_KEY | KEYDEBUG_STAMP)<br>+#define KEYDEBUG_KEY_DATA (KEYDEBUG_KEY | KEYDEBUG_DATA)<br>+#define KEYDEBUG_KEY_DUMP (KEYDEBUG_KEY | KEYDEBUG_DUMP)<br>+#define KEYDEBUG_ALG_STAMP (KEYDEBUG_ALG | KEYDEBUG_STAMP)<br>+#define KEYDEBUG_ALG_DATA (KEYDEBUG_ALG | KEYDEBUG_DATA)<br>+#define KEYDEBUG_ALG_DUMP (KEYDEBUG_ALG | KEYDEBUG_DUMP)<br>+#define KEYDEBUG_IPSEC_STAMP (KEYDEBUG_IPSEC | KEYDEBUG_STAMP)<br>+#define KEYDEBUG_IPSEC_DATA (KEYDEBUG_IPSEC | KEYDEBUG_DATA)<br>+#define KEYDEBUG_IPSEC_DUMP (KEYDEBUG_IPSEC | KEYDEBUG_DUMP)<br>+<br>+#if 0<br>+#define KEYDEBUG(lev,arg) \<br>+ do { if ((key_debug_level & (lev)) == (lev)) { arg; } } while (0)<br>+#else<br>+#define KEYDEBUG(lev,arg)<br>+#endif<br>+<br>+struct sadb_msg;<br>+struct sadb_ext;<br>+extern void kdebug_sadb(struct sadb_msg *);<br>+extern void kdebug_sadb_x_policy(struct sadb_ext *);<br>+<br>+#ifdef KERNEL<br>+extern u_int32_t key_debug_level;<br>+<br>+struct secpolicy;<br>+struct secpolicyindex;<br>+struct secasindex;<br>+struct secasvar;<br>+struct secreplay;<br>+struct mbuf;<br>+extern void kdebug_secpolicy(struct secpolicy *);<br>+extern void kdebug_secpolicyindex(struct secpolicyindex *);<br>+extern void kdebug_secasindex(struct secasindex *);<br>+extern void kdebug_secasv(struct secasvar *);<br>+extern void kdebug_mbufhdr(struct mbuf *);<br>+extern void kdebug_mbuf(struct mbuf *);<br>+#endif /* KERNEL */<br>+<br>+struct sockaddr;<br>+extern void kdebug_sockaddr(struct sockaddr *);<br>+<br>+extern void ipsec_hexdump(caddr_t, int);<br>+extern void ipsec_bindump(caddr_t, int);<br>+<br>+<br>+#endif /* _NETKEY_KEY_DEBUG_H_ */<br>+<br>diff --git a/ports/darwin/include/netkey/key_var.h b/ports/darwin/include/netkey/key_var.h<br>new file mode 100644<br>index 0000000..7f3f45c<br>--- /dev/null<br>+++ b/ports/darwin/include/netkey/key_var.h<br>@@ -0,0 +1,97 @@<br>+/* $KAME: key_var.h,v 1.5 2000/02/22 14:06:41 itojun Exp $ */<br>+<br>+/*<br>+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.<br>+ * All rights reserved.<br>+ *<br>+ * Redistribution and use in source and binary forms, with or without<br>+ * modification, are permitted provided that the following conditions<br>+ * are met:<br>+ * 1. Redistributions of source code must retain the above copyright<br>+ * notice, this list of conditions and the following disclaimer.<br>+ * 2. Redistributions in binary form must reproduce the above copyright<br>+ * notice, this list of conditions and the following disclaimer in the<br>+ * documentation and/or other materials provided with the distribution.<br>+ * 3. Neither the name of the project nor the names of its contributors<br>+ * may be used to endorse or promote products derived from this software<br>+ * without specific prior written permission.<br>+ *<br>+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND<br>+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE<br>+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE<br>+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE<br>+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL<br>+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS<br>+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)<br>+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT<br>+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY<br>+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF<br>+ * SUCH DAMAGE.<br>+ */<br>+<br>+#ifndef _NETKEY_KEY_VAR_H_<br>+#define _NETKEY_KEY_VAR_H_<br>+#include <sys/appleapiopts.h><br>+<br>+/* sysctl */<br>+#define KEYCTL_DEBUG_LEVEL 1<br>+#define KEYCTL_SPI_TRY 2<br>+#define KEYCTL_SPI_MIN_VALUE 3<br>+#define KEYCTL_SPI_MAX_VALUE 4<br>+#define KEYCTL_RANDOM_INT 5<br>+#define KEYCTL_LARVAL_LIFETIME 6<br>+#define KEYCTL_BLOCKACQ_COUNT 7<br>+#define KEYCTL_BLOCKACQ_LIFETIME 8<br>+#define KEYCTL_ESP_KEYMIN 9<br>+#define KEYCTL_ESP_AUTH 10<br>+#define KEYCTL_AH_KEYMIN 11<br>+#define KEYCTL_PREFERED_OLDSA 12<br>+#define KEYCTL_NATT_KEEPALIVE_INTERVAL 13<br>+#define KEYCTL_PFKEYSTAT 14<br>+#define KEYCTL_MAXID 15<br>+<br>+#ifdef KERNEL_PRIVATE<br>+#define KEYCTL_NAMES { \<br>+ { 0, 0 }, \<br>+ { "debug", CTLTYPE_INT }, \<br>+ { "spi_try", CTLTYPE_INT }, \<br>+ { "spi_min_value", CTLTYPE_INT }, \<br>+ { "spi_max_value", CTLTYPE_INT }, \<br>+ { "random_int", CTLTYPE_INT }, \<br>+ { "larval_lifetime", CTLTYPE_INT }, \<br>+ { "blockacq_count", CTLTYPE_INT }, \<br>+ { "blockacq_lifetime", CTLTYPE_INT }, \<br>+ { "esp_keymin", CTLTYPE_INT }, \<br>+ { "esp_auth", CTLTYPE_INT }, \<br>+ { "ah_keymin", CTLTYPE_INT }, \<br>+ { "prefered_oldsa", CTLTYPE_INT }, \<br>+ { "natt_keepalive_interval", CTLTYPE_INT }, \<br>+ { "pfkeystat", CTLTYPE_STRUCT }, \<br>+}<br>+<br>+#define KEYCTL_VARS { \<br>+ 0, \<br>+ &key_debug_level, \<br>+ &key_spi_trycnt, \<br>+ &key_spi_minval, \<br>+ &key_spi_maxval, \<br>+ &key_int_random, \<br>+ &key_larval_lifetime, \<br>+ &key_blockacq_count, \<br>+ &key_blockacq_lifetime, \<br>+ &ipsec_esp_keymin, \<br>+ &ipsec_ah_keymin, \<br>+ &ipsec_prefered_oldsa, \<br>+ &natt_keepalive_interval, \<br>+}<br>+<br>+#ifdef KERNEL<br>+#define _ARRAYLEN(p) (sizeof(p)/sizeof(p[0]))<br>+#define _KEYLEN(key) ((u_int)((key)->sadb_key_bits >> 3))<br>+#define _KEYBITS(key) ((u_int)((key)->sadb_key_bits))<br>+#define _KEYBUF(key) ((caddr_t)((caddr_t)(key) + sizeof(struct sadb_key)))<br>+#endif /*KERNEL*/<br>+<br>+#endif /* KERNEL_PRIVATE */<br>+#endif /* _NETKEY_KEY_VAR_H_ */<br>+<br>diff --git a/ports/darwin/include/sysdep.h b/ports/darwin/include/sysdep.h<br>index 6d1b181..4446f0f 100644<br>--- a/ports/darwin/include/sysdep.h<br>+++ b/ports/darwin/include/sysdep.h<br>@@ -24,3 +24,7 @@<br> #ifndef IPSEC_MANUAL_REQID_MAX<br> # define IPSEC_MANUAL_REQID_MAX 0x3fff<br> #endif<br>+<br>+/* udpfromto socket option for BSD */<br>+#define HAVE_UDPFROMTO 1<br>+#define HAVE_IP_RECVDSTADDR 1<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Oct 27, 2014 at 2:56 PM, Paul Wouters <span dir="ltr"><<a>paul@nohats.ca</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Mon, 27 Oct 2014, Noah Easterly wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Subject: Re: [Swan] Building on OSX 10.9 Mavericks<span><br>
<br>
Yep, I can remove that line without obvious issue, but the build still has issues:<br>
<br>
Next attempt at `make programs` got<br>
<br>
/usr/local/src/libreswan-3.8/<u></u>lib/libswan/udpfromto.c:75:2: error: "Must have either IP_PKTINFO or IP_RECVDSTADDR"<br>
<br>
So I added the following to ports/darwin/include/sysdep.h, as OSX supports IP_RECVDSTADDR (<a href="https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man4/ip.4.html" target="_blank">https://developer.apple.com/<u></u>library/mac/documentation/<u></u>Darwin/Reference/ManPages/<u></u>man4/ip.4.html</a>)<br>
<br>
/* udpfromto socket option for BSD */<br>
#define HAVE_UDPFROMTO 1<br>
#define HAVE_IP_RECVDSTADDR 1<br>
<br>
The next error after that proved to be<br>
<br>
/usr/local/src/libreswan-3.8/<u></u>lib/libbsdpfkey/pfkey.c:38:10: fatal error: 'netkey/key_var.h' file not found<br>
<br>
The racoon macport had a similar issue (<a href="http://article.gmane.org/gmane.os.opendarwin.darwinports/6225" target="_blank">http://article.gmane.org/<u></u>gmane.os.opendarwin.<u></u>darwinports/6225</a>) and I solved it the same way they did (<a href="https://trac.macports.org/ticket/2173" target="_blank">https://trac.macports.org/<u></u>ticket/2173</a>), by creating an<br>
include/netkey directory and putting netkey/key_var.h and netkey/key_debug.h (from <a href="http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/netkey/" target="_blank">http://www.opensource.apple.<u></u>com/source/xnu/xnu-1456.1.26/<u></u>bsd/netkey/</a>) in there.<br>
</span></blockquote>
<br>
Sounds all reasonable. If you have a patch with all of this in it, that<br>
would be great :)<span><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
The next error was<br>
<br>
/usr/local/src/libreswan-3.8/<u></u>programs/pluto/plutomain.c:<u></u>100:11: fatal error: 'cap-ng.h' file not found<br>
<br>
And a quick google doesn't seem sufficient to solve that. I don't think OSX supports capng_change_id, and I'm not sure what the local analogue would be.<br>
</blockquote>
<br></span>
Try this patch:<br>
<br>
diff --git a/Makefile.inc b/Makefile.inc<br>
index 67d9b63..f28e952 100644<br>
--- a/Makefile.inc<br>
+++ b/Makefile.inc<br>
@@ -375,9 +375,15 @@ USE_LABELED_IPSEC?=false<br>
<br>
# Support for LIBCAP-NG to drop unneeded capabilities for the pluto<br>
# daemon<br>
USE_LIBCAP_NG?=true<br>
+ifeq ($(OSDEP),darwin)<br>
+USE_LIBCAP_NG=false<br>
+endif<br>
<br>
# Support for Network Manager<br>
USE_NM?=true<br>
+ifeq ($(OSDEP),darwin)<br>
+USE_NM=false<br>
+endif<br>
<br>
# Include LDAP support (currently used for fetching CRLs)<br>
USE_LDAP?=false<span><font color="#888888"><br>
<br>
Paul<br>
</font></span></blockquote></div><br></div></div>