wolfSSL
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Makefile‎
Lines changed: 17 additions & 0 deletions b/‎Makefile‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 3 additions & 3 deletions b/‎README.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎core.md‎
Lines changed: 37 additions & 42 deletions b/‎core.md‎
Lines changed: 37 additions & 42 deletions
diff --git a/‎scripts/ip-xfrm/README.md‎
Lines changed: 62 additions & 0 deletions b/‎scripts/ip-xfrm/README.md‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎scripts/ip-xfrm/cbc_auth‎
Lines changed: 63 additions & 0 deletions b/‎scripts/ip-xfrm/cbc_auth‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎scripts/ip-xfrm/delete_all‎
Lines changed: 3 additions & 0 deletions b/‎scripts/ip-xfrm/delete_all‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎scripts/ip-xfrm/esp_sa.txt‎
Lines changed: 5 additions & 0 deletions b/‎scripts/ip-xfrm/esp_sa.txt‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎scripts/ip-xfrm/gcm‎
Lines changed: 48 additions & 0 deletions b/‎scripts/ip-xfrm/gcm‎
Lines changed: 48 additions & 0 deletions
@@ -5,6 +5,7 @@
 *.dis
 *.uf2
 *.bin
+*.swp
 CMakeCache.txt
 CMakeFiles
 CMakeScripts
 
@@ -3,6 +3,23 @@ CFLAGS:=-Wall -Werror -Wextra -I. -D_GNU_SOURCE
 CFLAGS+=-g -ggdb
 LDFLAGS+=-pthread
 
+# Debug flags:
+# CFLAGS+=-DDEBUG_TAP
+# print ethernet headers
+# CFLAGS+=-DDEBUG_ETH
+# print ip headers
+ CFLAGS+=-DDEBUG_IP
+# print tcp headers
+# CFLAGS+=-DDEBUG_TCP
+# print esp header data
+CFLAGS+=-DWOLFIP_DEBUG_ESP
+#CFLAGS+=-DWOLFIP_DEBUG_ESP_VERBOSE
+
+# ESP support
+ CFLAGS+=-DWOLFIP_ESP
+ CFLAGS+=-DWOLFSSL_WOLFIP
+ LDFLAGS+=-lwolfssl
+
 CPPCHECK=cppcheck
 CPPCHECK_FLAGS=--enable=all --suppress=missingIncludeSystem \
 			   --suppress=unusedFunction --suppress=unusedVariable \
 
@@ -2,10 +2,10 @@
 
 ## Description and project goals
 
-wolfIP is a TCP/IP stack with no dynamic memory allocations, designed to be 
+wolfIP is a TCP/IP stack with no dynamic memory allocations, designed to be
 used in resource-constrained embedded systems.
 
-Endpoint only mode is supported, which means that wolfip can be used to 
+Endpoint only mode is supported, which means that wolfip can be used to
 establish network connections but it does not route traffic between different
 network interfaces.
 
@@ -19,7 +19,7 @@ A single network interface can be associated with the device.
 - DHCP (RFC 2131): client only
 - DNS  (RFC 1035): client only
 - UDP (RFC 768): unicast only
-- TCP (RFC 793) 
+- TCP (RFC 793)
   - TCP options supported: Timestamps, Maximum Segment Size
 - BSD-like, non blocking socket API, with custom callbacks
 - No dynamic memory allocation
 
@@ -24,19 +24,19 @@
 
 ```
 +---------------------------------------------------------------------------------------------------------------------------+
-|               +-----+---+----+-----+------------------+-----+---+----+-----+------------------+                           | 
+|               +-----+---+----+-----+------------------+-----+---+----+-----+------------------+                           |
 |               | De  | E | IP | TCP |      Payload     | De  | E | IP | TCP |      Payload     |                           |
 |               | sc  | T |    |     |                  | sc  | T |    |     |                  |                           |
 |* FREE SPACE * | ri  | H |    |     |                  | ri  | H |    |     |                  |   * FREE SPACE*           |
 |               | pt  |   |    |     |                  | pt  |   |    |     |                  |                           |
 |               | or  |   |    |     |                  | or  |   |    |     |                  |                           |
 |               +-----+---+----+-----+------------------+-----+---+----+-----+------------------+                           |
 +---------------------------------------------------------------------------------------------------------------------------+
-                ^                                                                               ^                      
-                |                                                                               |                      
-                |                                                                               |                      
-                |                                                                               |                      
-                |Tail                                                                       Head|                      
+                ^                                                                               ^
+                |                                                                               |
+                |                                                                               |
+                |                                                                               |
+                |Tail                                                                       Head|
 
 ```
 
@@ -54,11 +54,11 @@
  |              ||                                          ||                                                               |
  |              |*------------------------------------------*|                                                               |
  +--------------+--------------------------------------------+---------------------------------------------------------------+
-                ^                                            ^                                                         
-                |                                            |                                                         
-                |                                            |                                                         
-                |                                            |                                                         
-                |Tail                                    Head|                                                         
+                ^                                            ^
+                |                                            |
+                |                                            |
+                |                                            |
+                |Tail                                    Head|
 ```
 
 
@@ -71,37 +71,32 @@
                                              +-------------+
                                              |Main loop TX |
                                              +-------------+
-                                                        ^   
-+----------------------------------+                    |   
-|                                  |             +------+   
-|  TCP Socket                      |             |          
-|                                  |             |          
-|                                  |             |          
-|                                  |             |          
-|                                +-----------------------+ 
-|            +---------------+   |                       | 
->DATA OUT==>>|socket send()  |-->|  TX buffer (fifo)     | 
-|            +---------------+   |                       | 
-|                                +-----------------------+ 
-|                                  |                        
-|                                  |                        
-|                                  |                        
-|                                +-----------------------+ 
-|             +-------------+    |                       | 
-<DATA IN<<====|socket recv()|<---|  RX buffer (queue)    | 
-|             +-------------+    |                       | 
-|                                +-----------------------+ 
-+----------------------------------+      ^                 
-                                          |                 
-                                          |                 
-                                          |                 
-                                    +--------------+                 
-                                    |  tcp_recv()  |                 
+                                                        ^
++----------------------------------+                    |
+|                                  |             +------+
+|  TCP Socket                      |             |
+|                                  |             |
+|                                  |             |
+|                                  |             |
+|                                +-----------------------+
+|            +---------------+   |                       |
+>DATA OUT==>>|socket send()  |-->|  TX buffer (fifo)     |
+|            +---------------+   |                       |
+|                                +-----------------------+
+|                                  |
+|                                  |
+|                                  |
+|                                +-----------------------+
+|             +-------------+    |                       |
+<DATA IN<<====|socket recv()|<---|  RX buffer (queue)    |
+|             +-------------+    |                       |
+|                                +-----------------------+
++----------------------------------+      ^
+                                          |
+                                          |
+                                          |
+                                    +--------------+
+                                    |  tcp_recv()  |
                                     +--------------+
 ```
 
-
-
-
-
-
@@ -0,0 +1,62 @@
+# IPsec ESP and ip xfrm support
+
+Some convience scripts and config for testing IPsec with wolfIP:
+
+- delete_all (delete all ip xfrm state and policies)
+- hmac_auth (set auth only state and policies)
+- show (show ip xfrm state and policies)
+- esp_sa.txt (ESP SA config to use in Wireshark)
+
+# Build
+
+## wolfssl
+
+Build wolfssl with:
+
+```sh
+./configure --enable-cryptonly --enable-sha --enable-sha256 --enable-md5 --enable-des3
+  make
+  sudo make install
+```
+
+# wolfip
+
+Build wolfip with:
+```sh
+-DWOLFIP_ESP -DWOLFSSL_WOLFIP
+```
+
+# testing
+
+Use `scripts/ip-xfrm` convenience scripts:
+
+```
+./scripts/ip-xfrm/delete_all && ./scripts/ip-xfrm/cbc_auth sha256 128
+```
+
+Use this to show what is set:
+
+```
+./scripts/ip-xfrm/show
+ip xfrm policy show
+src 0.0.0.0/0 dst 10.10.10.2/32 proto tcp
+	dir out priority 0 ptype main
+	tmpl src 0.0.0.0 dst 0.0.0.0
+		proto esp spi 0x764f47c9 reqid 0 mode transport
+
+ip xfrm state show
+src 10.10.10.2 dst 10.10.10.1
+	proto esp spi 0x49ebfdd4 reqid 0 mode transport
+	replay-window 0
+	auth-trunc hmac(sha256) 0x02020202020202020202020202020202 128
+	enc cbc(aes) 0x04040404040404040404040404040404
+      ...etc...
+```
+
+Use `./scripts/ip-xfrm/watch_stat` to troubleshoot XfrmIn/Out errors.
+
+# wireshark
+
+Use this for your wireshark `esp_sa` file, and wireshark will be able to
+decrypt and verify all ESP traffic:
+- `scripts/ip-xfrm/esp_sa.txt`
@@ -0,0 +1,63 @@
+#!/bin/bash
+#
+# aes-cbc (rfc3602) + hmac-[md5,sha1,sha256]-96,128 example.
+#
+
+print_usage_and_die() {
+  echo "usage:"
+  echo "  cbc_auth [auth]"
+  echo ""
+  echo "  auth = md5, sha1, sha256"
+  echo ""
+  echo "examples:"
+  echo "  ./scripts/ip-xfrm/hmac_auth sha256 128"
+  echo "  ./scripts/ip-xfrm/hmac_auth sha256 96"
+  echo "  ./scripts/ip-xfrm/hmac_auth sha1"
+  echo "  ./scripts/ip-xfrm/hmac_auth md5"
+  exit 1
+}
+
+alg=sha1
+ip_proto=tcp
+len=96
+
+if [ $# -eq 0 ]; then
+  print_usage_and_die
+fi
+
+if [ $# -eq 1 ]; then
+  alg=$1
+fi
+
+if [ $# -eq 2 ]; then
+  alg=$1
+  len=$2
+fi
+
+# State
+# ipv4
+sudo ip xfrm state add \
+  src 10.10.10.1 dst 10.10.10.2 \
+  proto esp \
+  spi 0x764f47c9 \
+  mode transport \
+  replay-window 64 \
+  auth-trunc $alg 0x01010101010101010101010101010101 $len \
+  enc aes 0x03030303030303030303030303030303 \
+  sel src 10.10.10.1 dst 10.10.10.2
+
+sudo ip xfrm state add \
+  src 10.10.10.2 dst 10.10.10.1 \
+  proto esp \
+  spi 0x49ebfdd4 \
+  mode transport \
+  replay-window 64 \
+  auth-trunc $alg 0x02020202020202020202020202020202 $len \
+  enc aes 0x04040404040404040404040404040404 \
+  sel src 10.10.10.2 dst 10.10.10.1
+
+# Policies
+# ipv4
+sudo ip xfrm policy add \
+  dst 10.10.10.2 proto $ip_proto dir out tmpl proto esp spi 0x764f47c9 mode transport
+
@@ -0,0 +1,3 @@
+#!/bin/bash
+sudo ip xfrm policy deleteall
+sudo ip xfrm state deleteall
@@ -0,0 +1,5 @@
+# This file is automatically generated, DO NOT MODIFY.
+"IPv4","10.10.10.2","10.10.10.1","0xf6e9b80d","NULL","","HMAC-SHA-256-128 [RFC4868]","0x02020202020202020202020202020202","32-bit","0"
+"IPv4","10.10.10.1","10.10.10.2","0x2fa9d8c8","NULL","","HMAC-SHA-256-128 [RFC4868]","0x01010101010101010101010101010101","32-bit","0"
+"IPv4","10.10.10.1","10.10.10.2","0x764f47c9","AES-CBC [RFC3602]","0x03030303030303030303030303030303","HMAC-SHA-256-128 [RFC4868]","0x01010101010101010101010101010101","32-bit","0"
+"IPv4","10.10.10.2","10.10.10.1","0x49ebfdd4","AES-CBC [RFC3602]","0x04040404040404040404040404040404","HMAC-SHA-256-128 [RFC4868]","0x02020202020202020202020202020202","32-bit","0"
@@ -0,0 +1,48 @@
+#!/bin/bash
+#
+#
+# rfc4106(gcm(aes)) example: aes-gcm encryption + auth.
+#
+# The 4 byte nonce is placed at end of key, forming 20 bytes
+# of key material.
+#
+
+alg="rfc4106(gcm(aes))"
+
+print_usage_and_die() {
+  echo "usage:"
+  echo "  gcm"
+  echo ""
+  echo "examples:"
+  echo "  ./scripts/ip-xfrm/gcm"
+  exit 1
+}
+
+ip_proto=tcp
+nonce=bdc5448a
+
+# State
+# ipv4
+sudo ip xfrm state add \
+  src 10.10.10.1 dst 10.10.10.2 \
+  proto esp \
+  spi 0xcd65bc5d \
+  mode transport \
+  replay-window 64 \
+  aead $alg 0x03030303030303030303030303030303$nonce 128 \
+  sel src 10.10.10.1 dst 10.10.10.2
+
+sudo ip xfrm state add \
+  src 10.10.10.2 dst 10.10.10.1 \
+  proto esp \
+  spi 0xe99bab7e \
+  mode transport \
+  replay-window 64 \
+  aead $alg 0x03030303030303030303030303030303$nonce 128 \
+  sel src 10.10.10.2 dst 10.10.10.1
+
+# Policies
+# ipv4
+sudo ip xfrm policy add \
+  dst 10.10.10.2 proto $ip_proto dir out tmpl proto esp spi 0xcd65bc5d mode transport
+
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+#!/bin/bash`
	`2`	`+sudo ip xfrm policy deleteall`
	`3`	`+sudo ip xfrm state deleteall`