7 changes: 7 additions & 0 deletions .github/workflows/linux.yml
Expand Up @@ -31,6 +31,13 @@ jobs:
sudo ./build/test-evloop
sudo killall tcpdump || true

- name: Run standalone "IPsec esp" test
run: |
sudo ./scripts/ip-xfrm/rfc4106 128
sudo ./build/test-esp
sudo killall tcpdump || true
sudo ./scripts/ip-xfrm/delete_all

- name: Run standalone wolfssl test
run: |
sudo ./build/test-wolfssl
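Review bot: The `sudo ./scripts/ip-xfrm/delete_all` teardown on the last line of the new step only runs when `test-esp` exits 0, because a `run:` script stops at the first failing command under the `-e` shell GitHub Actions uses by default; a failing test therefore leaves whatever xfrm state and policies `rfc4106` installed in place for the following `test-wolfssl` step on the same runner. I would move the cleanup into its own step that always runs, `- name: Remove IPsec xfrm state`, `if: always()`, `run: sudo ./scripts/ip-xfrm/delete_all`. The `killall tcpdump || true` line has the same problem in a milder form, since it is also skipped on failure.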
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -5,6 +5,7 @@
*.dis
*.uf2
*.bin
*.swp
CMakeCache.txt
CMakeFiles
CMakeScripts
42 changes: 41 additions & 1 deletion Makefile
Expand Up @@ -3,6 +3,24 @@ CFLAGS:=-Wall -Werror -Wextra -I. -D_GNU_SOURCE
CFLAGS+=-g -ggdb -Wdeclaration-after-statement
LDFLAGS+=-pthread

#
# Debug flags:
# tap debug:
# CFLAGS+=-DDEBUG_TAP
#
# print ethernet headers:
# CFLAGS+=-DDEBUG_ETH
#
# print ip headers:
# CFLAGS+=-DDEBUG_IP
#
# print tcp headers:
# CFLAGS+=-DDEBUG_TCP
#
# print esp header data:
# CFLAGS+=-DWOLFIP_DEBUG_ESP
#

UNAME_S:=$(shell uname -s)
UNAME_M:=$(shell uname -m)
UNAME_LC:=$(shell echo $(UNAME_S) | tr 'A-Z' 'a-z')
Expand Down Expand Up @@ -105,6 +123,9 @@ OBJ=build/wolfip.o \
IPFILTER_OBJ=build/ipfilter/wolfip.o \
$(TAP_OBJ)

ESP_OBJ=build/esp/wolfip.o \
$(TAP_OBJ)

HAVE_WOLFSSL:=$(shell printf "#include <wolfssl/options.h>\nint main(void){return 0;}\n" | $(CC) $(CFLAGS) -x c - -c -o /dev/null 2>/dev/null && echo 1)

# Require wolfSSL unless the requested goals are wolfSSL-independent (unit/cppcheck/clean).
Expand All @@ -124,7 +145,7 @@ endif
EXE=build/tcpecho build/tcp_netcat_poll build/tcp_netcat_select \
build/test-evloop build/test-dns build/test-wolfssl-forwarding \
build/test-ttl-expired build/test-wolfssl build/test-httpd \
build/ipfilter-logger
build/ipfilter-logger build/test-esp
LIB=libwolfip.so

PREFIX=/usr/local
Expand Down Expand Up @@ -157,6 +178,11 @@ asan: $(EXE) $(LIB)
asan:CFLAGS+=-fsanitize=address
asan:LDFLAGS+=-static-libasan

ESP_CFLAGS = \
-DWOLFIP_ESP \
-DWOLFSSL_WOLFIP \
-DDEBUG_IP \
-DWOLFIP_DEBUG_ESP

# Test

Expand Down Expand Up @@ -212,6 +238,20 @@ build/ipfilter/wolfip.o: src/wolfip.c

build/test/ipfilter_logger.o: CFLAGS+=-DCONFIG_IPFILTER=1

# ipsec esp
build/esp/wolfip.o: src/wolfip.c
@mkdir -p `dirname $@` || true
@echo "[CC] $< (esp)"
@$(CC) $(CFLAGS) $(ESP_CFLAGS) -c $< -o $@

build/test/test_esp.o: src/test/test_esp.c
@echo "[CC] $@"
@$(CC) $(CFLAGS) $(ESP_CFLAGS) -c $< -o $@

build/test-esp: $(ESP_OBJ) build/test/test_esp.o
@echo "[LD] $@"
@$(CC) $(CFLAGS) $(ESP_CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) -lwolfssl $(END_GROUP)

build/test-wolfssl-forwarding: build/test/test_wolfssl_forwarding.o build/test/wolfip_forwarding.o $(TAP_OBJ) build/port/wolfssl_io.o build/certs/server_key.o build/certs/ca_cert.o build/certs/server_cert.o
@echo "[LD] $@"
@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) -lwolfssl $(END_GROUP)
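Review bot: `ESP_CFLAGS` bakes `-DDEBUG_IP` and `-DWOLFIP_DEBUG_ESP` into every ESP build (`build/esp/wolfip.o`, `build/test/test_esp.o` and the `build/test-esp` link), which contradicts the new comment block at the top of the file that presents these as opt-in debug flags and means the CI `test-esp` run always prints IP headers and ESP header data. I would keep the feature defines and the tracing defines apart, `ESP_CFLAGS := -DWOLFIP_ESP -DWOLFSSL_WOLFIP` followed by `ESP_CFLAGS += $(ESP_DEBUG_CFLAGS)`, so a developer turns tracing on with `make ESP_DEBUG_CFLAGS='-DDEBUG_IP -DWOLFIP_DEBUG_ESP' build/test-esp` while the default build stays quiet. The explicit `build/test/test_esp.o` rule also has no `@mkdir -p $(@D)` like the `build/esp/wolfip.o` rule does; if the generic `build/test/%.o` rule (not visible here) is what creates that directory, this override skips it on a clean tree.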
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -2,10 +2,10 @@

## Description and project goals

wolfIP is a TCP/IP stack with no dynamic memory allocations, designed to be
wolfIP is a TCP/IP stack with no dynamic memory allocations, designed to be
used in resource-constrained embedded systems.

Endpoint only mode is supported, which means that wolfip can be used to
Endpoint only mode is supported, which means that wolfip can be used to
establish network connections but it does not route traffic between different
network interfaces.

79 changes: 37 additions & 42 deletions core.md
Expand Up @@ -24,19 +24,19 @@

```
+---------------------------------------------------------------------------------------------------------------------------+
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
| | De | E | IP | TCP | Payload | De | E | IP | TCP | Payload | |
| | sc | T | | | | sc | T | | | | |
|* FREE SPACE * | ri | H | | | | ri | H | | | | * FREE SPACE* |
| | pt | | | | | pt | | | | | |
| | or | | | | | or | | | | | |
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
+---------------------------------------------------------------------------------------------------------------------------+
^ ^
| |
| |
| |
|Tail Head|
^ ^
| |
| |
| |
|Tail Head|

```

Expand All @@ -54,11 +54,11 @@
| || || |
| |*------------------------------------------*| |
+--------------+--------------------------------------------+---------------------------------------------------------------+
^ ^
| |
| |
| |
|Tail Head|
^ ^
| |
| |
| |
|Tail Head|
```


Expand All @@ -71,37 +71,32 @@
+-------------+
|Main loop TX |
+-------------+
^
+----------------------------------+ |
| | +------+
| TCP Socket | |
| | |
| | |
| | |
| +-----------------------+
| +---------------+ | |
>DATA OUT==>>|socket send() |-->| TX buffer (fifo) |
| +---------------+ | |
| +-----------------------+
| |
| |
| |
| +-----------------------+
| +-------------+ | |
<DATA IN<<====|socket recv()|<---| RX buffer (queue) |
| +-------------+ | |
| +-----------------------+
+----------------------------------+ ^
|
|
|
+--------------+
| tcp_recv() |
^
+----------------------------------+ |
| | +------+
| TCP Socket | |
| | |
| | |
| | |
| +-----------------------+
| +---------------+ | |
>DATA OUT==>>|socket send() |-->| TX buffer (fifo) |
| +---------------+ | |
| +-----------------------+
| |
| |
| |
| +-----------------------+
| +-------------+ | |
<DATA IN<<====|socket recv()|<---| RX buffer (queue) |
| +-------------+ | |
| +-----------------------+
+----------------------------------+ ^
|
|
|
+--------------+
| tcp_recv() |
+--------------+
```






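--- /dev/null
+++ b/scripts/ip-xfrm/README.md
@@ -0,0 +1,40 @@
+# IPsec ESP and ip xfrm support
+
+Convenience scripts for testing IPsec with wolfIP:
+
+- `rfc4106` sets up rfc4106 aes-gcm xp frm state and policies.
+- `delete_all` (deletes all ip xfrm state and policies)
+- `hmac_auth` (set auth only state and policies)
+- `show` (show ip xfrm state and policies)
+- `esp_sa.txt` (ESP SA config to use in Wireshark)
+
+Copy `esp_sa.txt` to you wireshark config, and you can decrypt and inspect
+ESP payloads, verify ESP ICV and TCP/IP checksums, etc:
+
+```
+cp scripts/ip-xfrm/esp_sa.txt ~/.config/wireshark/esp_sa
+wireshark test.pcap
+```
+
+## Testing
+
+Build wolfssl with:
+```sh
+./configure --enable-aesgcm-stream
+make
+sudo make install
+```
+
+Build wolfIP like normal:
+```sh
+make
+```
+
+Test rfc4106 gcm with wolfIP:
+```
+./scripts/ip-xfrm/rfc4106 128
+sudo LD_LIBRARY_PATH=/usr/local/lib ./build/test-esp
+./scripts/ip-xfrm/delete_all
+cp scripts/ip-xfrm/esp_sa.txt ~/.config/wireshark/esp_sa
+wireshark test.pcap
+```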
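--- /dev/null
+++ b/scripts/ip-xfrm/cbc_auth
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# aes-cbc (rfc3602) + hmac-[md5,sha1,sha256]-96,128 example.
+#
+
+print_usage_and_die() {
+echo "usage:"
+echo " cbc_auth [auth]"
+echo ""
+echo " auth = md5, sha1, sha256"
+echo ""
+echo "examples:"
+echo " ./scripts/ip-xfrm/cbc_auth sha256 128"
+echo " ./scripts/ip-xfrm/cbc_auth sha256 96"
+echo " ./scripts/ip-xfrm/cbc_auth sha1"
+echo " ./scripts/ip-xfrm/cbc_auth md5"
+exit 1
+}
+
+alg=sha1
+ip_proto=tcp
+len=96
+
+if [ $# -eq 0 ]; then
+print_usage_and_die
+fi
+
+if [ $# -eq 1 ]; then
+alg=$1
+fi
+
+if [ $# -eq 2 ]; then
+alg=$1
+len=$2
+fi
+
+# State
+# ipv4
+sudo ip xfrm state add \
+src 10.10.10.1 dst 10.10.10.2 \
+proto esp \
+spi 0x764f47c9 \
+mode transport \
+replay-window 64 \
+auth-trunc $alg 0x01010101010101010101010101010101 $len \
+enc aes 0x03030303030303030303030303030303 \
+sel src 10.10.10.1 dst 10.10.10.2
+
+sudo ip xfrm state add \
+src 10.10.10.2 dst 10.10.10.1 \
+proto esp \
+spi 0x49ebfdd4 \
+mode transport \
+replay-window 64 \
+auth-trunc $alg 0x02020202020202020202020202020202 $len \
+enc aes 0x04040404040404040404040404040404 \
+sel src 10.10.10.2 dst 10.10.10.1
+
+# Policies
+# ipv4
+sudo ip xfrm policy add \
+dst 10.10.10.2 proto $ip_proto dir out tmpl proto esp spi 0x764f47c9 mode transport
+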
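Review bot: Only an outbound policy is installed by the last two lines of the script, so the kernel will still accept plaintext TCP from 10.10.10.2: without a `dir in` policy the inbound SA with SPI 0x49ebfdd4 is used when ESP happens to arrive but is never required, which means this setup cannot show that the peer's (presumably wolfIP's) transmit path is actually protected — if that is the intent, add `sudo ip xfrm policy add src 10.10.10.2 dst 10.10.10.1 proto $ip_proto dir in tmpl proto esp spi 0x49ebfdd4 mode transport`. The usage text on the `cbc_auth [auth]` line omits the second `len` argument (96 or 128) that the examples and the `$# -eq 2` branch accept, and `$alg` is never checked against md5/sha1/sha256, so a typo only surfaces as an `ip xfrm` error part-way through with the first state already added since the script does not `set -e`. Note also that the `esp_sa.txt` entries for SPIs 0x764f47c9 and 0x49ebfdd4 assume HMAC-SHA-256-128, so Wireshark will only verify ICVs for `cbc_auth sha256 128`, and the fixed `0x0101…`/`0x0303…` keys are test vectors that must never be reused outside this harness — a comment saying so at the top of the script would be worthwhile.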
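--- /dev/null
+++ b/scripts/ip-xfrm/delete_all
@@ -0,0 +1,3 @@
+#!/bin/bash
+sudo ip xfrm policy deleteall
+sudo ip xfrm state deleteall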
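Review bot: `ip xfrm policy deleteall` and `ip xfrm state deleteall` with no selector flush every SA and policy on the host, not just the ones the sibling scripts added, so running this helper on a developer machine with a live IPsec tunnel (as the README's test recipe tells people to do) tears that tunnel down. I would scope the deletes to the test addresses the other scripts use, e.g. `sudo ip xfrm state deleteall src 10.10.10.1 dst 10.10.10.2 proto esp` plus the reverse direction and the matching `policy deleteall ... dir out`, or at minimum add a header comment `# WARNING: removes ALL xfrm state and policies on this host, not just the test SAs`.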
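--- /dev/null
+++ b/scripts/ip-xfrm/esp_sa.txt
@@ -0,0 +1,10 @@
+# This file is automatically generated. BE CAREFUL MODIFYING.
+# You can add (but not modify or delete) records with the command line option:
+# -o 'uat:esp_sa:"protocol","srcIP","dstIP","spi","encryption_algo","encryption_key_string","authentication_algo","authentication_key_string","sn_length","sn_upper"'
+#"Protocol","Src IP","Dest IP","SPI","Encryption","Encryption Key","Authentication","Authentication Key","SN","ESN High Bits"
+"IPv4","10.10.10.2","10.10.10.1","0xf6e9b80d","NULL","","HMAC-SHA-256-128 [RFC4868]","0x02020202020202020202020202020202","32-bit","0"
+"IPv4","10.10.10.1","10.10.10.2","0x2fa9d8c8","NULL","","HMAC-SHA-256-128 [RFC4868]","0x01010101010101010101010101010101","32-bit","0"
+"IPv4","10.10.10.1","10.10.10.2","0x764f47c9","AES-CBC [RFC3602]","0x03030303030303030303030303030303","HMAC-SHA-256-128 [RFC4868]","0x01010101010101010101010101010101","32-bit","0"
+"IPv4","10.10.10.2","10.10.10.1","0x49ebfdd4","AES-CBC [RFC3602]","0x04040404040404040404040404040404","HMAC-SHA-256-128 [RFC4868]","0x02020202020202020202020202020202","32-bit","0"
+"IPv4","10.10.10.2","10.10.10.1","0x02020202","AES-GCM with 16 octet ICV [RFC4106]","0x04040404040404040404040404040404040404040404040404040404040404040a0b0c0d","NULL","","32-bit","0"
+"IPv4","10.10.10.1","10.10.10.2","0x01010101","AES-GCM with 16 octet ICV [RFC4106]","0x03030303030303030303030303030303030303030303030303030303030303030a0b0c0d","NULL","","32-bit","0"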