Add IPsec ESP transport support, packet print debug functions, and misc cleanup. #4
philljj wants to merge 10 commits into wolfSSL:master
| printf(esp_str_4hex " (%s, %d bytes)\n", | ||
| val[0], val[1], val[2], val[3], fld, val_len); | ||
| if (val_len > 4) { | ||
| for (size_t i = 4; i < val_len; i += 4) { |
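Review bot: the first `printf` reads `val[0]` through `val[3]` before any length check, so a call with `val_len` below 4 reads past the field; the `if (val_len > 4)` guard only protects the loop. Return early or print a short row when `val_len < 4`, and since the loop steps `i` by 4 against `i < val_len`, bound each row by the bytes remaining (`val_len - i`) rather than assuming a full 4-byte row.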
Can val_len be a non-multiple of 4? Because if so, this part of the code can result in a buffer over-read in the last iteration.
E.g., if val_len is not a multiple of 4 and is >= 5 and <= 16, the loop could go over, I think, and read up to 3 bytes past val_len on the last iteration of the loop.
I think all these fields must be 4-byte multiples, but I'll double check.
After looking more I think this should be ok. esp_print_field() is only used with SPI (4 byte), SEQ (4 byte), IV (8 or 16 byte), ICV (12 or 16 byte), and the payload.
The payload can be any length, but will be at least 8 bytes (UDP header), and logs a skip and breaks if (i + 4) > val_len.
This is what it looks like with UDP + rfc4543 (gmac only) sending "00" across UDP:
```
udp hdr:
+-------------------+
| 8 | 12345 | (src_port, dst_port)
+-------------------+
| 11 | 0x6d50 | (len, chksum)
+-------------------+
| 00. | (payload first 16 bytes)
+-------------------+
...
esp packet: (48 bytes)
+------------------+
| 08 08 08 08 | (spi, 4 bytes)
+------------------+
| 00 00 00 28 | (seq, 4 bytes)
+------------------+
| 98 fe d8 93 | (iv, 8 bytes)
| d1 61 ee 57 |
+------------------+
| 00 08 30 39 | (payload, 11 bytes)
| 00 0b 6d 50 |
| .. .. .. .. |
+------------------+
| 0203 | 03 | 0x11 | (padding last 2 bytes, pad len, nxt hdr)
+------------------+
```
and same for "000":
```
udp hdr:
+-------------------+
| 8 | 12345 | (src_port, dst_port)
+-------------------+
| 12 | 0x4744 | (len, chksum)
+-------------------+
| 000. | (payload first 16 bytes)
+-------------------+
...
esp packet: (48 bytes)
+------------------+
...
+------------------+
| 00 08 30 39 | (payload, 12 bytes)
| 00 0c 47 44 |
| 30 30 30 0a |
+------------------+
| 0102 | 02 | 0x11 | (padding last 2 bytes, pad len, nxt hdr)
+------------------+
```
"0000":
```
+------------------+
| 00 08 30 39 | (payload, 13 bytes)
| 00 0d 3d 1c |
| 30 30 30 30 |
| .. .. .. .. |
+------------------+
```
"00000":
```
+------------------+
| 00 08 30 39 | (payload, 14 bytes)
| 00 0e 17 10 |
| 30 30 30 30 |
| .. .. .. .. |
+------------------+
```
etc
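An added example, not code from this PR or from wolfIP: a 4-bytes-per-row field formatter whose final row is bounded by `val_len`, which is the case the review thread above discusses. The name `hex_rows`, the `..` filler for missing bytes, and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not wolfIP's esp_print_field(): format val as rows of
 * up to 4 hex bytes, never reading past val[val_len - 1]. Bytes missing from
 * a short final row print as "..". Returns rows written, -1 if out is too small. */
static int hex_rows(const uint8_t *val, size_t val_len, char *out, size_t out_len)
{
    size_t used = 0;
    int rows = 0;

    if (out == NULL || out_len == 0 || (val == NULL && val_len != 0))
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < val_len; i += 4) {
        /* Bytes available for this row: 4, or 1..3 for the tail. */
        size_t n = (val_len - i < 4) ? (val_len - i) : 4;

        for (size_t j = 0; j < 4; j++) {
            const char *sep = (j < 3) ? " " : "\n";
            int w = (j < n)
                ? snprintf(out + used, out_len - used, "%02x%s", val[i + j], sep)
                : snprintf(out + used, out_len - used, "..%s", sep);

            if (w < 0 || (size_t)w >= out_len - used)
                return -1; /* output buffer exhausted */
            used += (size_t)w;
        }
        rows++;
    }
    return rows;
}

/* Constructed sample: an 11-byte UDP payload matching the "00" case above
 * (8-byte UDP header followed by "00\n"). */
static const uint8_t sample_payload[11] = {
    0x00, 0x08, 0x30, 0x39, 0x00, 0x0b, 0x6d, 0x50, 0x30, 0x30, 0x0a
};

int main(void)
{
    char buf[64];
    int rows = hex_rows(sample_payload, sizeof sample_payload, buf, sizeof buf);

    printf("%d rows, %zu chars\n%s", rows, strlen(buf), buf);
    return rows == 3 ? 0 : 1;
}
```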
| case ESP_ENC_CBC_AES: | ||
| block_len = AES_BLOCK_SIZE; | ||
| break; | ||
| #ifndef NO_DES3 |
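Review bot: whatever follows `#ifndef NO_DES3` is compiled out in a NO_DES3 build, so an SA that carries the DES3 enum value has no matching case in this switch. Make sure the switch ends in a default that returns an error instead of continuing with `block_len` at its initial value, and put the enum value and its SA constructor under the same guard.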
I don't see any definition of a wolfIP_esp_sa_new_des3, is this expected if the user decides to use DES3? Since the enum exists.
I was lazy and hadn't added des3 support yet! Doing it now.
src/test/esp/esp_common.c
| @@ -0,0 +1,48 @@ | |||
| /* esp_common.c | |||
| * | |||
| * Copyright (C) 2024 wolfSSL Inc. | |||
Pull request overview
This PR adds IPsec ESP transport-mode support (with multiple crypto/auth algorithms), introduces packet debug-print helpers, and includes supporting test tooling/scripts plus some cleanup/build fixes across the repo.
Changes:
- Add ESP transport encapsulation/decapsulation for TCP/UDP traffic, plus SA management APIs and tests.
- Add packet print debug helpers for Ethernet/IP/UDP/ESP and wire them into RX/TX paths.
- Add ip xfrm helper scripts/README/Wireshark SA config and miscellaneous cleanup (formatting, gitignore, GCC build fix).
Reviewed changes
Copilot reviewed 26 out of 29 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| wolfip.h | Splits long prototypes, adds tsocket_cb typedef, and includes wolfCrypt headers when ESP is enabled. |
| wolfesp.h | New public header for ESP constants, enums, SA struct, and SA management APIs. |
| src/wolfip.c | Integrates ESP wrap/unwrap into RX/TX paths, adds DHCP helper macros, formatting cleanup. |
| src/wolfip_debug.c | New debug packet print helpers for Ethernet/IP/UDP. |
| src/wolfesp.c | New ESP transport-mode implementation (SA pool, replay window, encrypt/decrypt, send wrapper). |
| src/test/esp/test_esp.c | New standalone ESP test (host + wolfIP threads) with multiple modes. |
| src/test/esp/esp_server.c | New TCP/UDP echo server for manual ESP testing. |
| src/test/esp/esp_common.c | Shared ESP test SA/key material matching the ip xfrm scripts. |
| tools/ip-xfrm/README.md | Documentation for configuring/testing ESP with ip xfrm and Wireshark. |
| tools/ip-xfrm/rfc4106 | Script to configure RFC4106 AES-GCM transport-mode state/policy. |
| tools/ip-xfrm/rfc4543 | Script to configure RFC4543 AES-GMAC transport-mode state/policy. |
| tools/ip-xfrm/cbc_auth | Script to configure AES-CBC + HMAC transport-mode state/policy. |
| tools/ip-xfrm/des3_auth | Script to configure 3DES-CBC + HMAC transport-mode state/policy. |
| tools/ip-xfrm/show | Script to display current xfrm policies/states. |
| tools/ip-xfrm/delete_all | Script to delete all xfrm policies/states. |
| tools/ip-xfrm/esp_sa.txt | Wireshark ESP SA config sample to decrypt captures. |
| Makefile | Adds esp build targets (test-esp, esp-server) and ESP-specific CFLAGS. |
| .github/workflows/linux.yml | Runs ESP tests in CI using ip xfrm scripts. |
| src/port/posix/tap_linux.c | Gates TAP buffer printing behind DEBUG_TAP. |
| .gitignore | Ignores *.swp. |
| README.md | Whitespace cleanup. |
| core.md | ASCII diagram whitespace cleanup. |
| src/port/raspberry-pico-usb-server/README.md | Whitespace cleanup. |
| src/test/test_native_wolfssl.c | Fixes string initializer issue by using explicit bytes. |
| src/test/test_eventloop.c | Fixes string initializer issue by using explicit bytes. |
| src/test/test_dhcp_dns.c | Fixes string initializer issue by using explicit bytes. |
| src/test/ipfilter_logger.c | Fixes string initializer issue by using explicit bytes. |
| src/test/test_httpd.c | Removes stray blank lines. |
| src/test/tcp_echo.c | Removes stray blank line. |
Description
esp_sa.txt config to tools/ip-xfrm/.
DHCP_OPT_data_to_u32(), DHCP_OPT_u32_to_data() to trim duplicated code.
error: initializer-string for array), etc.
Testing
See tools/ip-xfrm/README.md:
packet print functions
Added packet print functions wolfIP_print_X() for eth, ip, udp, esp: