1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@
*.dis
*.uf2
*.bin
*.swp
CMakeCache.txt
CMakeFiles
CMakeScripts
17 changes: 17 additions & 0 deletions Makefile
Expand Up @@ -3,6 +3,23 @@ CFLAGS:=-Wall -Werror -Wextra -I. -D_GNU_SOURCE
CFLAGS+=-g -ggdb
LDFLAGS+=-pthread

# Debug flags:
# CFLAGS+=-DDEBUG_TAP
# print ethernet headers
# CFLAGS+=-DDEBUG_ETH
# print ip headers
CFLAGS+=-DDEBUG_IP
# print tcp headers
# CFLAGS+=-DDEBUG_TCP
# print esp header data
CFLAGS+=-DWOLFIP_DEBUG_ESP
#CFLAGS+=-DWOLFIP_DEBUG_ESP_VERBOSE

# ESP support
CFLAGS+=-DWOLFIP_ESP
CFLAGS+=-DWOLFSSL_WOLFIP
LDFLAGS+=-lwolfssl

CPPCHECK=cppcheck
CPPCHECK_FLAGS=--enable=all --suppress=missingIncludeSystem \
--suppress=unusedFunction --suppress=unusedVariable \
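Review bot: the two debug macros left enabled here, `CFLAGS+=-DDEBUG_IP` and `CFLAGS+=-DWOLFIP_DEBUG_ESP`, are uncommented while the neighbouring DEBUG_TAP/DEBUG_ETH/DEBUG_TCP lines stay commented, so every default build prints IP headers and ESP header data (SPI, sequence numbers) wherever the binary runs; comment them out like the others or gate them behind a make variable. The `# ESP support` block has the same problem in the other direction: `-DWOLFIP_ESP`, `-DWOLFSSL_WOLFIP` and `-lwolfssl` become hard requirements of every build, so a host without wolfSSL installed can no longer build the stack at all. Wrapping that block in `ifeq ($(WOLFIP_ESP),1)` keeps ESP opt-in, which is how scripts/ip-xfrm/README.md already describes it.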
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -2,10 +2,10 @@

## Description and project goals

wolfIP is a TCP/IP stack with no dynamic memory allocations, designed to be
wolfIP is a TCP/IP stack with no dynamic memory allocations, designed to be
used in resource-constrained embedded systems.

Endpoint only mode is supported, which means that wolfip can be used to
Endpoint only mode is supported, which means that wolfip can be used to
establish network connections but it does not route traffic between different
network interfaces.

Expand All @@ -19,7 +19,7 @@ A single network interface can be associated with the device.
- DHCP (RFC 2131): client only
- DNS (RFC 1035): client only
- UDP (RFC 768): unicast only
- TCP (RFC 793)
- TCP (RFC 793)
- TCP options supported: Timestamps, Maximum Segment Size
- BSD-like, non blocking socket API, with custom callbacks
- No dynamic memory allocation
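Review bot: this hunk touches the feature list only to strip trailing whitespace, yet the PR adds IPsec ESP support (`-DWOLFIP_ESP` in the Makefile) without mentioning it; add a bullet next to the UDP/TCP entries such as `- IPsec ESP: optional, enabled with -DWOLFIP_ESP, requires wolfSSL` so readers learn both the feature and its new external dependency from the README.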
79 changes: 37 additions & 42 deletions core.md
Expand Up @@ -24,19 +24,19 @@

```
+---------------------------------------------------------------------------------------------------------------------------+
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
| | De | E | IP | TCP | Payload | De | E | IP | TCP | Payload | |
| | sc | T | | | | sc | T | | | | |
|* FREE SPACE * | ri | H | | | | ri | H | | | | * FREE SPACE* |
| | pt | | | | | pt | | | | | |
| | or | | | | | or | | | | | |
| +-----+---+----+-----+------------------+-----+---+----+-----+------------------+ |
+---------------------------------------------------------------------------------------------------------------------------+
^ ^
| |
| |
| |
|Tail Head|
^ ^
| |
| |
| |
|Tail Head|

```

Expand All @@ -54,11 +54,11 @@
| || || |
| |*------------------------------------------*| |
+--------------+--------------------------------------------+---------------------------------------------------------------+
^ ^
| |
| |
| |
|Tail Head|
^ ^
| |
| |
| |
|Tail Head|
```


Expand All @@ -71,37 +71,32 @@
+-------------+
|Main loop TX |
+-------------+
^
+----------------------------------+ |
| | +------+
| TCP Socket | |
| | |
| | |
| | |
| +-----------------------+
| +---------------+ | |
>DATA OUT==>>|socket send() |-->| TX buffer (fifo) |
| +---------------+ | |
| +-----------------------+
| |
| |
| |
| +-----------------------+
| +-------------+ | |
<DATA IN<<====|socket recv()|<---| RX buffer (queue) |
| +-------------+ | |
| +-----------------------+
+----------------------------------+ ^
|
|
|
+--------------+
| tcp_recv() |
^
+----------------------------------+ |
| | +------+
| TCP Socket | |
| | |
| | |
| | |
| +-----------------------+
| +---------------+ | |
>DATA OUT==>>|socket send() |-->| TX buffer (fifo) |
| +---------------+ | |
| +-----------------------+
| |
| |
| |
| +-----------------------+
| +-------------+ | |
<DATA IN<<====|socket recv()|<---| RX buffer (queue) |
| +-------------+ | |
| +-----------------------+
+----------------------------------+ ^
|
|
|
+--------------+
| tcp_recv() |
+--------------+
```
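Review bot: every hunk in this file renders identical before/after lines, so the 79 changed lines are trailing-whitespace or indentation changes to the ASCII diagrams with no content change. Mixing them into a PR that adds ESP makes the functional change harder to review and to bisect later; move the whitespace cleanup (here and the three whitespace-only lines in README.md) into its own commit.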






62 changes: 62 additions & 0 deletions scripts/ip-xfrm/README.md
@@ -0,0 +1,62 @@
# IPsec ESP and ip xfrm support

Some convience scripts and config for testing IPsec with wolfIP:

- delete_all (delete all ip xfrm state and policies)
- hmac_auth (set auth only state and policies)
- show (show ip xfrm state and policies)
- esp_sa.txt (ESP SA config to use in Wireshark)

# Build

## wolfssl

Build wolfssl with:

```sh
./configure --enable-cryptonly --enable-sha --enable-sha256 --enable-md5 --enable-des3
make
sudo make install
```

# wolfip

Build wolfip with:
```sh
-DWOLFIP_ESP -DWOLFSSL_WOLFIP
```

# testing

Use `scripts/ip-xfrm` convenience scripts:

```
./scripts/ip-xfrm/delete_all && ./scripts/ip-xfrm/cbc_auth sha256 128
```

Use this to show what is set:

```
./scripts/ip-xfrm/show
ip xfrm policy show
src 0.0.0.0/0 dst 10.10.10.2/32 proto tcp
dir out priority 0 ptype main
tmpl src 0.0.0.0 dst 0.0.0.0
proto esp spi 0x764f47c9 reqid 0 mode transport

ip xfrm state show
src 10.10.10.2 dst 10.10.10.1
proto esp spi 0x49ebfdd4 reqid 0 mode transport
replay-window 0
auth-trunc hmac(sha256) 0x02020202020202020202020202020202 128
enc cbc(aes) 0x04040404040404040404040404040404
...etc...
```

Use `./scripts/ip-xfrm/watch_stat` to troubleshoot XfrmIn/Out errors.

# wireshark

Use this for your wireshark `esp_sa` file, and wireshark will be able to
decrypt and verify all ESP traffic:
- `scripts/ip-xfrm/esp_sa.txt`
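Review bot: the script list at the top does not match what this PR adds: `cbc_auth` and `gcm` are new but unlisted, while `hmac_auth`, `show` and `watch_stat` are referenced but absent from the diff, so `./scripts/ip-xfrm/show` and `watch_stat` fail for anyone following these instructions. Smaller points: "convience" should be "convenience"; the heading levels jump from `# Build` / `## wolfssl` to `# wolfip` and `# testing`; "Build wolfip with:" shows bare defines rather than a command (point at the Makefile's `# ESP support` block or give a `make CFLAGS=...` line); and the sample `ip xfrm state show` output shows `replay-window 0` although `cbc_auth` installs `replay-window 64`. It is also worth stating here that the keys in these scripts and in esp_sa.txt are fixed, published test vectors shared with Wireshark, intended only for an isolated test link.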
63 changes: 63 additions & 0 deletions scripts/ip-xfrm/cbc_auth
@@ -0,0 +1,63 @@
#!/bin/bash
#
# aes-cbc (rfc3602) + hmac-[md5,sha1,sha256]-96,128 example.
#

print_usage_and_die() {
echo "usage:"
echo " cbc_auth [auth]"
echo ""
echo " auth = md5, sha1, sha256"
echo ""
echo "examples:"
echo " ./scripts/ip-xfrm/hmac_auth sha256 128"
echo " ./scripts/ip-xfrm/hmac_auth sha256 96"
echo " ./scripts/ip-xfrm/hmac_auth sha1"
echo " ./scripts/ip-xfrm/hmac_auth md5"
exit 1
}

alg=sha1
ip_proto=tcp
len=96

if [ $# -eq 0 ]; then
print_usage_and_die
fi

if [ $# -eq 1 ]; then
alg=$1
fi

if [ $# -eq 2 ]; then
alg=$1
len=$2
fi

# State
# ipv4
sudo ip xfrm state add \
src 10.10.10.1 dst 10.10.10.2 \
proto esp \
spi 0x764f47c9 \
mode transport \
replay-window 64 \
auth-trunc $alg 0x01010101010101010101010101010101 $len \
enc aes 0x03030303030303030303030303030303 \
sel src 10.10.10.1 dst 10.10.10.2

sudo ip xfrm state add \
src 10.10.10.2 dst 10.10.10.1 \
proto esp \
spi 0x49ebfdd4 \
mode transport \
replay-window 64 \
auth-trunc $alg 0x02020202020202020202020202020202 $len \
enc aes 0x04040404040404040404040404040404 \
sel src 10.10.10.2 dst 10.10.10.1

# Policies
# ipv4
sudo ip xfrm policy add \
dst 10.10.10.2 proto $ip_proto dir out tmpl proto esp spi 0x764f47c9 mode transport
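Review bot: the usage text in `print_usage_and_die` names the wrong script (`./scripts/ip-xfrm/hmac_auth ...` instead of `cbc_auth`), and `cbc_auth [auth]` omits the optional truncation length that the argument parsing accepts; with three or more arguments nothing is validated and the defaults are silently used, so add an `else print_usage_and_die` branch and check `$alg` against md5/sha1/sha256 and `$len` against 96/128 before calling `ip xfrm`. Functionally, only an outbound policy is installed under `# Policies`: the 10.10.10.2 -> 10.10.10.1 SA (spi 0x49ebfdd4) has no matching `dir in` policy, so the kernel never requires inbound TCP from 10.10.10.2 to arrive ESP-protected and accepts cleartext. Add the mirror, e.g. `sudo ip xfrm policy add src 10.10.10.2 proto $ip_proto dir in tmpl proto esp spi 0x49ebfdd4 mode transport`.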

3 changes: 3 additions & 0 deletions scripts/ip-xfrm/delete_all
@@ -0,0 +1,3 @@
#!/bin/bash
sudo ip xfrm policy deleteall
sudo ip xfrm state deleteall
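Review bot: `ip xfrm policy deleteall` and `ip xfrm state deleteall` with no selector flush every SA and policy on the host, including any unrelated IPsec or VPN configuration, not only the 10.10.10.x test entries; scope them to the test addresses (e.g. `sudo ip xfrm state deleteall src 10.10.10.1 dst 10.10.10.2` and the reverse pair) or at least say in scripts/ip-xfrm/README.md that this script wipes all xfrm state on the machine.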
5 changes: 5 additions & 0 deletions scripts/ip-xfrm/esp_sa.txt
@@ -0,0 +1,5 @@
# This file is automatically generated, DO NOT MODIFY.
"IPv4","10.10.10.2","10.10.10.1","0xf6e9b80d","NULL","","HMAC-SHA-256-128 [RFC4868]","0x02020202020202020202020202020202","32-bit","0"
"IPv4","10.10.10.1","10.10.10.2","0x2fa9d8c8","NULL","","HMAC-SHA-256-128 [RFC4868]","0x01010101010101010101010101010101","32-bit","0"
"IPv4","10.10.10.1","10.10.10.2","0x764f47c9","AES-CBC [RFC3602]","0x03030303030303030303030303030303","HMAC-SHA-256-128 [RFC4868]","0x01010101010101010101010101010101","32-bit","0"
"IPv4","10.10.10.2","10.10.10.1","0x49ebfdd4","AES-CBC [RFC3602]","0x04040404040404040404040404040404","HMAC-SHA-256-128 [RFC4868]","0x02020202020202020202020202020202","32-bit","0"
48 changes: 48 additions & 0 deletions scripts/ip-xfrm/gcm
@@ -0,0 +1,48 @@
#!/bin/bash
#
#
# rfc4106(gcm(aes)) example: aes-gcm encryption + auth.
#
# The 4 byte nonce is placed at end of key, forming 20 bytes
# of key material.
#

alg="rfc4106(gcm(aes))"

print_usage_and_die() {
echo "usage:"
echo " gcm"
echo ""
echo "examples:"
echo " ./scripts/ip-xfrm/gcm"
exit 1
}

ip_proto=tcp
nonce=bdc5448a

# State
# ipv4
sudo ip xfrm state add \
src 10.10.10.1 dst 10.10.10.2 \
proto esp \
spi 0xcd65bc5d \
mode transport \
replay-window 64 \
aead $alg 0x03030303030303030303030303030303$nonce 128 \
sel src 10.10.10.1 dst 10.10.10.2

sudo ip xfrm state add \
src 10.10.10.2 dst 10.10.10.1 \
proto esp \
spi 0xe99bab7e \
mode transport \
replay-window 64 \
aead $alg 0x03030303030303030303030303030303$nonce 128 \
sel src 10.10.10.2 dst 10.10.10.1

# Policies
# ipv4
sudo ip xfrm policy add \
dst 10.10.10.2 proto $ip_proto dir out tmpl proto esp spi 0xcd65bc5d mode transport
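Review bot: both SAs under `# State` use the identical key and salt (`0x0303...0303` followed by `bdc5448a`) for opposite directions, whereas `cbc_auth` gives each direction its own key. For AES-GCM an IV repeated under the same key breaks both confidentiality and integrity, and two endpoints that each start their ESP IV/sequence counters from the same value with a shared key will do exactly that; give the 10.10.10.2 -> 10.10.10.1 SA its own 20 bytes of key material (e.g. `0x0404...0404` plus a different salt) and mirror the change in esp_sa.txt. Smaller points: `print_usage_and_die` is defined but never called because `$#` is not checked; the header comment calls the trailing 4 bytes a nonce, but RFC 4106 calls that the salt (the 12-byte GCM nonce is the salt plus the 8-byte per-packet IV); and, as in cbc_auth, only a `dir out` policy is installed, so there is no inbound policy for spi 0xe99bab7e.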
