Add IPsec ESP transport support, packet print debug functions, and misc cleanup. #4

Open
philljj wants to merge 4 commits into wolfSSL:master from philljj:small_cleanup

Conversation

Contributor

@philljj philljj commented Aug 21, 2025

Description

  • Add IPsec ESP transport mode support: rfc4106 gcm, aes-cbc, hmac (md5, sha, sha256).
  • Add debug packet print functions for: eth, ip, tcp, esp.
  • Added ip-xfrm scripts, README, and wireshark esp_sa.txt config to tools/ip-xfrm/.
  • Add DHCP macros DHCP_OPT_data_to_u32(), DHCP_OPT_u32_to_data() to trim duplicated code.
  • misc cleanup: overlong lines, trailing whitespace, gitignore, gcc15 build error (error: initializer-string for array), etc.

packet print functions

Added packet print functions wolfIP_print_X() for eth, ip, esp:

eth hdr:                                                                        
+---------------------------------------+                                       
| 6e:50:61:b4:a7:02 | 22:9e:b1:02:39:77 | (src, dst)                            
+---------------------------------------+                                       
| 0x0800 |   110 bytes data             | (eth type, payload)                   
+---------------------------------------+ 
ip hdr:                                                                         
+-----------------------------+                                                 
| 0x04 | 0x45 | 0x00 |     96 | (ipv, hdr_len, tos, ip_len)                     
+-----------------------------+                                                 
|    0xcccf    |    0x4000    | (id, flags_fo)                                  
+-----------------------------+                                                 
|   64  | 0x32 |    0x4586    | (ttl, proto, chksum)                            
+-----------------------------+                                                 
|                10.10.10.1   | (src)                                           
+-----------------------------+                                                 
|                10.10.10.2   | (dst)                                           
+-----------------------------+
esp packet: (76 bytes)                                                          
+------------------+                                                            
|  01  01  01  01  | (spi, 4 bytes)                                             
+------------------+                                                            
|  00  00  00  01  | (seq, 4 bytes)                                             
+------------------+                                                            
|  0a  47  f4  53  | (iv, 8 bytes)                                              
|  19  03  f9  9c  |                                                            
+------------------+                                                            
|  c8  3c  00  08  | (payload, 56 bytes)                                        
|  80  d1  24  26  |                                                            
|  00  00  00  00  |                                                            
|  a0  02  fa  f0  |                                                            
|  60  10  00  00  |                                                            
|  ..  ..  ..  ..  |                                                            
+------------------+                                                            
| 0102 | 02 | 0x06 | (padding last 2 bytes, pad len, nxt hdr)                   
+------------------+                                                            
|  c6  ca  b6  ac  | (icv, 16 bytes)                                            
|  17  f5  39  68  |                                                            
|  0d  0c  18  9f  |                                                            
|  5a  55  71  35  |                                                            
+------------------+

Testing

Added test_esp.c:

$ ./build/test-esp -?
./test-esp [-m <mode>] [-p]

options:
  -p         force plaintext (disable ipsec)
  -m <mode>  0 aead (default), 1 cbc auth

Added github workflow that tests aes-gcm and aes-cbc + hmac auth:

      - name: Run standalone "IPsec esp" test                                   
        run: |                                                                  
          sudo ./tools/ip-xfrm/rfc4106 128                                      
          sudo ./build/test-esp -m 0                                            
          sudo killall tcpdump || true                                          
          sudo ./tools/ip-xfrm/delete_all                                       
          sudo ./tools/ip-xfrm/cbc_auth sha256 128                              
          sudo ./build/test-esp -m 1                                            
          sudo killall tcpdump || true                                          
          sudo ./tools/ip-xfrm/delete_all

rfc4106 gcm example

Setup ip xfrm state/policy with:

./tools/ip-xfrm/delete_all ; ./tools/ip-xfrm/rfc4106 128

then run:

$ sudo LD_LIBRARY_PATH=/usr/local/lib ./build/test-esp -m 0
Successfully initialized tap device wtcp0
IP: manually configured
info: esp_sa_new_aead: in, 0
info: esp_sa_new_aead: out, 0
...
Connecting to echo server
...

cbc hmac auth example

Set ip xfrm state / policy with script:

./tools/ip-xfrm/delete_all ;
./tools/ip-xfrm/cbc_auth sha256 128

test-esp output with debug flags -DDEBUG_IP -DWOLFIP_DEBUG_ESP:

$ sudo LD_LIBRARY_PATH=/usr/local/lib ./build/test-esp -m 1
Successfully initialized tap device wtcp0
IP: manually configured
info: esp_sa_new_cbc_sha256: in, 0
info: esp_sa_new_cbc_sha256: out, 0
...
Connecting to echo server
...

@philljj philljj self-assigned this Aug 21, 2025
@philljj philljj marked this pull request as draft August 25, 2025 02:12
@philljj philljj changed the title from "cleanup: add packet print debug functions, and small cleanup." to "cleanup: add packet print debug functions, ESP auth support, and small cleanup." Aug 25, 2025
@philljj philljj changed the title from "cleanup: add packet print debug functions, ESP auth support, and small cleanup." to "cleanup: add IPsec ESP transport support, packet print debug functions, and misc cleanup." Sep 21, 2025
@philljj philljj marked this pull request as ready for review February 1, 2026 00:36
@philljj philljj requested a review from danielinux February 6, 2026 02:54
@philljj philljj changed the title from "cleanup: add IPsec ESP transport support, packet print debug functions, and misc cleanup." to "Add IPsec ESP transport support, packet print debug functions, and misc cleanup." Feb 6, 2026
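
An added example, not code from this pull request or from wolfIP: a bounds-checked split of the ESP field layout printed in the description's dump (4-byte SPI, 4-byte sequence number, 8-byte IV, 16-byte ICV), plus a check of the decrypted trailer. The names `esp_view`, `esp_split` and `esp_trailer` are hypothetical, and the padding check assumes the RFC 4303 default pad bytes 1, 2, 3, ..., as in the dump's `0102` trailer.

```c
#include <stddef.h>
#include <stdint.h>

/* Field sizes as printed in the dump (rfc4106 gcm: 8-byte IV, 16-byte ICV). */
#define ESP_HDR_LEN     8u   /* spi + seq */
#define ESP_IV_LEN      8u
#define ESP_ICV_LEN     16u
#define ESP_TRAILER_LEN 2u   /* pad len + next hdr */

struct esp_view {            /* hypothetical type, not wolfIP's */
    uint32_t       spi, seq;
    const uint8_t *iv, *ct, *icv;
    size_t         ct_len;   /* ciphertext: payload + padding + trailer */
};

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Split a received ESP packet into fields. Returns 0, or -1 if too short. */
int esp_split(const uint8_t *pkt, size_t len, struct esp_view *v)
{
    const size_t fixed = ESP_HDR_LEN + ESP_IV_LEN + ESP_ICV_LEN;
    if (pkt == NULL || v == NULL || len < fixed + ESP_TRAILER_LEN) return -1;
    v->spi    = be32(pkt);
    v->seq    = be32(pkt + 4);
    v->iv     = pkt + ESP_HDR_LEN;
    v->ct     = v->iv + ESP_IV_LEN;
    v->ct_len = len - fixed;
    v->icv    = pkt + len - ESP_ICV_LEN;
    return 0;
}

/* Validate the decrypted trailer (call only after the ICV has verified).
 * Returns the inner payload length, or -1 on a malformed trailer. */
long esp_trailer(const uint8_t *pt, size_t pt_len, uint8_t *next_hdr)
{
    size_t pad_len, i;
    if (pt == NULL || next_hdr == NULL || pt_len < ESP_TRAILER_LEN) return -1;
    pad_len = pt[pt_len - 2];
    if (pad_len > pt_len - ESP_TRAILER_LEN) return -1; /* pad exceeds data */
    for (i = 0; i < pad_len; i++)          /* RFC 4303 default pad: 1, 2, 3, ... */
        if (pt[pt_len - 2 - pad_len + i] != (uint8_t)(i + 1))
            return -1;
    *next_hdr = pt[pt_len - 1];
    return (long)(pt_len - ESP_TRAILER_LEN - pad_len);
}
```

Checking the padding only after the ICV has verified keeps a malformed-trailer error from being observable on unauthenticated packets.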