Skip to content

Add IPsec ESP transport support, packet print debug functions, and misc cleanup. #4

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
philljj wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Add IPsec ESP transport support, packet print debug functions, and misc cleanup. #4

philljj wants to merge 8 commits into from
+3,395 −146

Conversation

@philljj
Copy link
Contributor

@philljj philljj commented Aug 21, 2025
edited
Loading

Description

  • Add IPsec ESP transport mode support for tcp/udp:
    • rfc4106 gcm, rfc4543 gmac
    • rfc3602 aes-cbc
    • rfc2451 des3
    • hmac (rfc2403 md5, rfc2404 sha, rfc4868 sha256).
  • Add debug packet print functions for: eth, ip, udp, esp.
  • Added ip-xfrm scripts, README, and wireshark esp_sa.txt config to tools/ip-xfrm/.
  • Add DHCP macros DHCP_OPT_data_to_u32(), DHCP_OPT_u32_to_data() to trim duplicated code.
  • misc cleanup: overlong lines, trailing whitespace, gitignore, gcc15 build error (error: initializer-string for array), etc.

Testing

See tools/ip-xfrm/README.md:

packet print functions

Added packet print functions wolfIP_print_X() for eth, ip, udp, esp:

eth hdr:                                                                        
+---------------------------------------+                                       
| 6e:50:61:b4:a7:02 | 22:9e:b1:02:39:77 | (src, dst)                            
+---------------------------------------+                                       
| 0x0800 |   110 bytes data             | (eth type, payload)                   
+---------------------------------------+ 

ip hdr:                                                                         
+-----------------------------+                                                 
| 0x04 | 0x45 | 0x00 |     96 | (ipv, hdr_len, tos, ip_len)                     
+-----------------------------+                                                 
|    0xcccf    |    0x4000    | (id, flags_fo)                                  
+-----------------------------+                                                 
|   64  | 0x32 |    0x4586    | (ttl, proto, chksum)                            
+-----------------------------+                                                 
|                10.10.10.1   | (src)                                           
+-----------------------------+                                                 
|                10.10.10.2   | (dst)                                           
+-----------------------------+

esp packet: (76 bytes)                                                          
+------------------+                                                            
|  01  01  01  01  | (spi, 4 bytes)                                             
+------------------+                                                            
|  00  00  00  01  | (seq, 4 bytes)                                             
+------------------+                                                            
|  0a  47  f4  53  | (iv, 8 bytes)                                              
|  19  03  f9  9c  |                                                            
+------------------+                                                            
|  c8  3c  00  08  | (payload, 56 bytes)                                        
|  80  d1  24  26  |                                                            
|  00  00  00  00  |                                                            
|  a0  02  fa  f0  |                                                            
|  60  10  00  00  |                                                            
|  ..  ..  ..  ..  |                                                            
+------------------+                                                            
| 0102 | 02 | 0x06 | (padding last 2 bytes, pad len, nxt hdr)                   
+------------------+                                                            
|  c6  ca  b6  ac  | (icv, 16 bytes)                                            
|  17  f5  39  68  |                                                            
|  0d  0c  18  9f  |                                                            
|  5a  55  71  35  |                                                            
+------------------+

@philljj philljj self-assigned this Aug 21, 2025
@philljj philljj marked this pull request as draft August 25, 2025 02:12
@philljj philljj changed the title cleanup: add packet print debug functions, and small cleanup. cleanup: add packet print debug functions, ESP auth support, and small cleanup. Aug 25, 2025
@philljj philljj changed the title cleanup: add packet print debug functions, ESP auth support, and small cleanup. cleanup: add IPsec ESP transport support, packet print debug functions, and misc cleanup. Sep 21, 2025
@philljj philljj marked this pull request as ready for review February 1, 2026 00:36
@philljj philljj force-pushed the small_cleanup branch 2 times, most recently from 562fc2e to 5b92271 Compare February 5, 2026 21:28
@philljj philljj requested a review from danielinux February 6, 2026 02:54
@philljj philljj changed the title cleanup: add IPsec ESP transport support, packet print debug functions, and misc cleanup. Add IPsec ESP transport support, packet print debug functions, and misc cleanup. Feb 6, 2026
@philljj philljj requested a review from gasbytes February 6, 2026 16:53
gasbytes
gasbytes requested changes Feb 10, 2026
View reviewed changes
src/wolfesp.c
printf(esp_str_4hex " (%s, %d bytes)\n",
val[0], val[1], val[2], val[3], fld, val_len);
if (val_len > 4) {
for (size_t i = 4; i < val_len; i += 4) {
Copy link
Contributor

@gasbytes gasbytes Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can val_len be a non-multiple of 4? because if so this part of code can result in a buffer over-read in a last iteration.

e.g.: val_len is not a multiple of 4, and is >= 5 and <= 16 the loop could go over I think, and read up to 3 bytes past val_len on the last iteration of the loop.

Copy link
Contributor Author

@philljj philljj Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think all these fields must be 4 byte multiples, but I'll double check

Copy link
Contributor Author

@philljj philljj Feb 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After looking more I think this should be ok. esp_print_field() is only used with SPI (4 byte), SEQ (4 byte), IV (8 or 16 byte), ICV (12 or 16 byte), and the payload.

The payload can be any length, but will be at least 8 bytes (UDP header), and logs a skip and breaks if (i + 4) > val_len.

This is what it looks like with UDP + rfc4543 (gmac only) sending "00" across UDP

udp hdr:
+-------------------+
|      8  |  12345  | (src_port, dst_port)
+-------------------+
|     11  |  0x6d50 | (len, chksum)
+-------------------+
|               00. | (payload first 16 bytes)
+-------------------+
...
esp packet: (48 bytes)
+------------------+
|  08  08  08  08  | (spi, 4 bytes)
+------------------+
|  00  00  00  28  | (seq, 4 bytes)
+------------------+
|  98  fe  d8  93  | (iv, 8 bytes)
|  d1  61  ee  57  |
+------------------+
|  00  08  30  39  | (payload, 11 bytes)
|  00  0b  6d  50  |
|  ..  ..  ..  ..  |
+------------------+
| 0203 | 03 | 0x11 | (padding last 2 bytes, pad len, nxt hdr)
+------------------+

and same for "000"

udp hdr:
+-------------------+
|      8  |  12345  | (src_port, dst_port)
+-------------------+
|     12  |  0x4744 | (len, chksum)
+-------------------+
|              000. | (payload first 16 bytes)
+-------------------+
...
esp packet: (48 bytes)
+------------------+
...
+------------------+
|  00  08  30  39  | (payload, 12 bytes)
|  00  0c  47  44  |
|  30  30  30  0a  |
+------------------+
| 0102 | 02 | 0x11 | (padding last 2 bytes, pad len, nxt hdr)
+------------------+

"0000"

+------------------+
|  00  08  30  39  | (payload, 13 bytes)
|  00  0d  3d  1c  |
|  30  30  30  30  |
|  ..  ..  ..  ..  |
+------------------+

"00000"

+------------------+
|  00  08  30  39  | (payload, 14 bytes)
|  00  0e  17  10  |
|  30  30  30  30  |
|  ..  ..  ..  ..  |
+------------------+

etc

src/wolfesp.c
case ESP_ENC_CBC_AES:
block_len = AES_BLOCK_SIZE;
break;
#ifndef NO_DES3
Copy link
Contributor

@gasbytes gasbytes Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see any definition of a wolfIP_esp_sa_new_des3, is this expected if the user decides to use DES3? Since the enum exists.

Copy link
Contributor Author

@philljj philljj Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I was lazy and hadn't added des3 support yet! Doing it now.

danielinux
danielinux reviewed Feb 11, 2026
View reviewed changes
src/test/esp/esp_common.c Outdated
@@ -0,0 +1,48 @@
/* esp_common.c
*
* Copyright (C) 2024 wolfSSL Inc.
Copy link
Member

@danielinux danielinux Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit:2026?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gasbytes gasbytes Awaiting requested review from gasbytes

@danielinux danielinux Awaiting requested review from danielinux

Requested changes must be addressed to merge this pull request.

Assignees

@danielinux danielinux

@philljj philljj

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@philljj @danielinux @gasbytes