11 changes: 11 additions & 0 deletions .github/workflows/linux.yml
Expand Up @@ -31,6 +31,17 @@ jobs:
sudo ./build/test-evloop
sudo killall tcpdump || true

- name: Run standalone "IPsec esp" test
run: |
sudo ./tools/ip-xfrm/rfc4106 128
sudo ./build/test-esp -m 0
sudo killall tcpdump || true
sudo ./tools/ip-xfrm/delete_all
sudo ./tools/ip-xfrm/cbc_auth sha256 128
sudo ./build/test-esp -m 1
sudo killall tcpdump || true
sudo ./tools/ip-xfrm/delete_all

- name: Run standalone wolfssl test
run: |
sudo ./build/test-wolfssl
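Review bot: The xfrm cleanup in the new "IPsec esp" step runs only when everything before it succeeds. Under the default fail-fast shell, a non-zero exit from `./build/test-esp -m 0` skips both `killall tcpdump` and `./tools/ip-xfrm/delete_all`, leaving the test SAs and policies installed for the later steps (and, on a self-hosted runner, for later jobs). Move the teardown into its own step guarded by `if: always()` with `run: sudo ./tools/ip-xfrm/delete_all`. The two modes would also be easier to diagnose as separate steps, since a failure in `-m 1` is currently reported under the same step name as `-m 0`.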
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -5,6 +5,7 @@
*.dis
*.uf2
*.bin
*.swp
CMakeCache.txt
CMakeFiles
CMakeScripts
36 changes: 35 additions & 1 deletion Makefile
Expand Up @@ -2,6 +2,12 @@ CC?=gcc
CFLAGS:=-Wall -Werror -Wextra -I. -D_GNU_SOURCE
CFLAGS+=-g -ggdb -Wdeclaration-after-statement
LDFLAGS+=-pthread
# additional debug flags:
# CFLAGS+=-DDEBUG_TAP
# CFLAGS+=-DDEBUG_ETH
# CFLAGS+=-DDEBUG_IP
# CFLAGS+=-DDEBUG_UDP
# CFLAGS+=-DDEBUG_ESP

UNAME_S:=$(shell uname -s)
UNAME_M:=$(shell uname -m)
Expand Down Expand Up @@ -105,6 +111,9 @@ OBJ=build/wolfip.o \
IPFILTER_OBJ=build/ipfilter/wolfip.o \
$(TAP_OBJ)

ESP_OBJ=build/esp/wolfip.o \
$(TAP_OBJ)

HAVE_WOLFSSL:=$(shell printf "#include <wolfssl/options.h>\nint main(void){return 0;}\n" | $(CC) $(CFLAGS) -x c - -c -o /dev/null 2>/dev/null && echo 1)

# Require wolfSSL unless the requested goals are wolfSSL-independent (unit/cppcheck/clean).
Expand All @@ -124,7 +133,7 @@ endif
EXE=build/tcpecho build/tcp_netcat_poll build/tcp_netcat_select \
build/test-evloop build/test-dns build/test-wolfssl-forwarding \
build/test-ttl-expired build/test-wolfssl build/test-httpd \
build/ipfilter-logger
build/ipfilter-logger build/test-esp build/esp-server
LIB=libwolfip.so

PREFIX=/usr/local
Expand Down Expand Up @@ -157,6 +166,9 @@ asan: $(EXE) $(LIB)
asan:CFLAGS+=-fsanitize=address
asan:LDFLAGS+=-static-libasan

ESP_CFLAGS = \
-DWOLFIP_ESP -DWOLFSSL_WOLFIP \
-DDEBUG_IP -DDEBUG_UDP -DDEBUG_ESP

# Test

Expand Down Expand Up @@ -212,6 +224,28 @@ build/ipfilter/wolfip.o: src/wolfip.c

build/test/ipfilter_logger.o: CFLAGS+=-DCONFIG_IPFILTER=1

# ipsec esp
build/esp/wolfip.o: src/wolfip.c
@mkdir -p `dirname $@` || true
@echo "[CC] $< (esp)"
@$(CC) $(CFLAGS) $(ESP_CFLAGS) -c $< -o $@

build/test/test_esp.o: src/test/esp/test_esp.c
@echo "[CC] $@"
@$(CC) $(CFLAGS) $(ESP_CFLAGS) -c $< -o $@

build/test-esp: $(ESP_OBJ) build/test/test_esp.o
@echo "[LD] $@"
@$(CC) $(CFLAGS) $(ESP_CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) -lwolfssl $(END_GROUP)

build/test/esp_server.o: src/test/esp/esp_server.c
@echo "[CC] $@"
@$(CC) $(CFLAGS) $(ESP_CFLAGS) -c $< -o $@

build/esp-server: $(ESP_OBJ) build/port/posix/bsd_socket.o build/test/esp_server.o
@echo "[LD] $@"
@$(CC) $(CFLAGS) $(ESP_CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) -lwolfssl $(END_GROUP)

build/test-wolfssl-forwarding: build/test/test_wolfssl_forwarding.o build/test/wolfip_forwarding.o $(TAP_OBJ) build/port/wolfssl_io.o build/certs/server_key.o build/certs/ca_cert.o build/certs/server_cert.o
@echo "[LD] $@"
@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) -lwolfssl $(END_GROUP)
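Review bot: `ESP_CFLAGS` hard-codes `-DDEBUG_IP -DDEBUG_UDP -DDEBUG_ESP`, so `build/esp/wolfip.o`, `build/test-esp` and `build/esp-server` always carry the tracing that the new comment block at the top of the Makefile presents as optional. If the ESP trace prints packet or SA contents (not visible here), every ESP binary logs them by default, including in CI. Keep only the feature defines in `ESP_CFLAGS = -DWOLFIP_ESP -DWOLFSSL_WOLFIP` and move the tracing into an overridable `ESP_DEBUG_CFLAGS ?=` that the ESP rules append. Separately, the `|| true` after `mkdir -p` in the `build/esp/wolfip.o` rule hides a failed directory creation behind a later, less clear compiler error.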
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -2,10 +2,10 @@

## Description and project goals

wolfIP is a TCP/IP stack with no dynamic memory allocations, designed to be
wolfIP is a TCP/IP stack with no dynamic memory allocations, designed to be
used in resource-constrained embedded systems.

Endpoint only mode is supported, which means that wolfip can be used to
Endpoint only mode is supported, which means that wolfip can be used to
establish network connections but it does not route traffic between different
network interfaces.

79 changes: 37 additions & 42 deletions core.md
Expand Up @@ -24,19 +24,19 @@

```
+---------------------------------------------------------------------------------------------------------------------------+
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
| | De | E | IP | TCP | Payload | De | E | IP | TCP | Payload | |
| | sc | T | | | | sc | T | | | | |
|* FREE SPACE * | ri | H | | | | ri | H | | | | * FREE SPACE* |
| | pt | | | | | pt | | | | | |
| | or | | | | | or | | | | | |
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
+---------------------------------------------------------------------------------------------------------------------------+
^ ^
| |
| |
| |
|Tail Head|
^ ^
| |
| |
| |
|Tail Head|

```

Expand All @@ -54,11 +54,11 @@
| || || |
| |*------------------------------------------*| |
+--------------+--------------------------------------------+---------------------------------------------------------------+
^ ^
| |
| |
| |
|Tail Head|
^ ^
| |
| |
| |
|Tail Head|
```


Expand All @@ -71,37 +71,32 @@
+-------------+
|Main loop TX |
+-------------+
^
+----------------------------------+ |
| | +------+
| TCP Socket | |
| | |
| | |
| | |
| +-----------------------+
| +---------------+ | |
>DATA OUT==>>|socket send() |-->| TX buffer (fifo) |
| +---------------+ | |
| +-----------------------+
| |
| |
| |
| +-----------------------+
| +-------------+ | |
<DATA IN<<====|socket recv()|<---| RX buffer (queue) |
| +-------------+ | |
| +-----------------------+
+----------------------------------+ ^
|
|
|
+--------------+
| tcp_recv() |
^
+----------------------------------+ |
| | +------+
| TCP Socket | |
| | |
| | |
| | |
| +-----------------------+
| +---------------+ | |
>DATA OUT==>>|socket send() |-->| TX buffer (fifo) |
| +---------------+ | |
| +-----------------------+
| |
| |
| |
| +-----------------------+
| +-------------+ | |
<DATA IN<<====|socket recv()|<---| RX buffer (queue) |
| +-------------+ | |
| +-----------------------+
+----------------------------------+ ^
|
|
|
+--------------+
| tcp_recv() |
+--------------+
```






6 changes: 5 additions & 1 deletion src/port/posix/tap_linux.c
Expand Up @@ -37,6 +37,7 @@

static int tap_fd;

#if defined(DEBUG_TAP)
void print_buffer(uint8_t *buf, int len)
{
int i;
Expand All @@ -47,6 +48,7 @@ void print_buffer(uint8_t *buf, int len)
}
printf("\n");
}
#endif /* DEBUG_TAP */

static int tap_poll(struct wolfIP_ll_dev *ll, void *buf, uint32_t len)
{
Expand All @@ -69,7 +71,9 @@ static int tap_poll(struct wolfIP_ll_dev *ll, void *buf, uint32_t len)
static int tap_send(struct wolfIP_ll_dev *ll, void *buf, uint32_t len)
{
(void)ll;
//print_buffer(buf, len);
#if defined(DEBUG_TAP)
print_buffer(buf, len);
#endif /* DEBUG_TAP */
return write(tap_fd, buf, len);
}
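Review bot: `print_buffer` still has external linkage and a signed `int len`, while the only visible caller, `tap_send`, passes a `uint32_t`. Since the helper is now compiled only under `DEBUG_TAP`, declare it `static void print_buffer(const uint8_t *buf, uint32_t len)` so the debug build neither exports a generically named symbol nor narrows the length. Part of the helper's body lies outside the visible hunks, so the loop index `i` would need to follow the new type. The guard also deserves a short comment stating that `DEBUG_TAP` dumps every outgoing frame to stdout, so nobody enables it where frame contents should not reach logs.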

2 changes: 1 addition & 1 deletion src/port/raspberry-pico-usb-server/README.md
Expand Up @@ -8,7 +8,7 @@

- run CMake from this directory, specitying the FAMILY and PICO_COMPILER variables. Also specify the path where you cloned the pico-sdk in the previous step.

cmake . -DPICO_SDK_PATH=/path/to/src/pico-sdk -DFAMILY=rp2040 -DPICO_COMPILER=arm-none-eabi-gcc
cmake . -DPICO_SDK_PATH=/path/to/src/pico-sdk -DFAMILY=rp2040 -DPICO_COMPILER=arm-none-eabi-gcc

- run make

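--- /dev/null
+++ b/src/test/esp/esp_common.c
@@ -0,0 +1,55 @@
+/* esp_common.c
+*
+* Copyright (C) 2026 wolfSSL Inc.
+*
+* This file is part of wolfIP TCP/IP stack.
+*
+* wolfIP is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License as published by
+* the Free Software Foundation; either version 3 of the License, or
+* (at your option) any later version.
+*
+* wolfIP is distributed in the hope that it will be useful,
+* but WITHOUT ANY WARRANTY; without even the implied warranty of
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+* GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License
+* along with this program; if not, write to the Free Software
+* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA
+*/
+
+/* ipsec esp security association info shared by esp tests.
+* These match the scripts and esp_sa.txt config file found
+* in tools/ip-xfrm/ */
+#if defined(WOLFSSL_AESGCM_STREAM)
+static uint8_t in_sa_gcm[ESP_SPI_LEN] = {0x01, 0x01, 0x01, 0x01};
+static uint8_t out_sa_gcm[ESP_SPI_LEN] = {0x02, 0x02, 0x02, 0x02};
+#endif /* WOLFSSL_AESGCM_STREAM */
+static uint8_t in_sa_cbc[ESP_SPI_LEN] = {0x03, 0x03, 0x03, 0x03};
+static uint8_t out_sa_cbc[ESP_SPI_LEN] = {0x04, 0x04, 0x04, 0x04};
+#ifndef NO_DES3
+static uint8_t in_sa_des3[ESP_SPI_LEN] = {0x05, 0x05, 0x05, 0x05};
+static uint8_t out_sa_des3[ESP_SPI_LEN] = {0x06, 0x06, 0x06, 0x06};
+#endif /* !NO_DES3 */
+static uint8_t in_sa_gmac[ESP_SPI_LEN] = {0x07, 0x07, 0x07, 0x07};
+static uint8_t out_sa_gmac[ESP_SPI_LEN] = {0x08, 0x08, 0x08, 0x08};
+/* 32 byte key + 4 byte nonce*/
+static uint8_t in_enc_key[36] =
+{0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03,
+0x0a, 0x0b, 0x0c, 0x0d};
+static uint8_t out_enc_key[36] =
+{0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
+0x0a, 0x0b, 0x0c, 0x0d};
+static uint8_t in_auth_key[16] =
+{0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
+0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01};
+static uint8_t out_auth_key[16] =
+{0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
+0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02};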
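Review bot: The SPI and key tables are mutable file-scope arrays holding fixed, repetitive keying material, and nothing in the file marks them as test-only. Add a comment above them such as `/* TEST VECTORS ONLY: fixed keys mirrored in tools/ip-xfrm; never configure a real SA with these. */`, and declare them `static const uint8_t ...` if the SA setup calls accept const pointers (not visible here). The file also uses `uint8_t` and `ESP_SPI_LEN` without including anything, so it appears to be meant for textual inclusion by the tests; state that in the header comment or add the includes it needs. The comment `32 byte key + 4 byte nonce` would be clearer with "salt", the term RFC 4106 uses for the four bytes carried alongside the key.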