separate test esp build.

Author: philljj

Makefile

@@ -3,22 +3,23 @@ CFLAGS:=-Wall -Werror -Wextra -I. -D_GNU_SOURCE
 CFLAGS+=-g -ggdb -Wdeclaration-after-statement
 LDFLAGS+=-pthread
 
+#
 # Debug flags:
-# CFLAGS+=-DDEBUG_TAP
-# print ethernet headers
-# CFLAGS+=-DDEBUG_ETH
-# print ip headers
-# CFLAGS+=-DDEBUG_IP
-# print tcp headers
-# CFLAGS+=-DDEBUG_TCP
-# print esp header data
- CFLAGS+=-DWOLFIP_DEBUG_ESP
-#CFLAGS+=-DWOLFIP_DEBUG_ESP_VERBOSE
-
-# ESP support
-# CFLAGS+=-DWOLFIP_ESP
-# CFLAGS+=-DWOLFSSL_WOLFIP
-# LDFLAGS+=-lwolfssl
+#   tap debug:
+#     CFLAGS+=-DDEBUG_TAP
+#
+#   print ethernet headers:
+#     CFLAGS+=-DDEBUG_ETH
+#
+#   print ip headers:
+#     CFLAGS+=-DDEBUG_IP
+#
+#   print tcp headers:
+#     CFLAGS+=-DDEBUG_TCP
+#
+#   print esp header data:
+#     CFLAGS+=-DWOLFIP_DEBUG_ESP
+#
 
 UNAME_S:=$(shell uname -s)
 UNAME_M:=$(shell uname -m)
@@ -119,6 +120,9 @@ OBJ=build/wolfip.o \
 IPFILTER_OBJ=build/ipfilter/wolfip.o \
 	$(TAP_OBJ)
 
+ESP_OBJ=build/esp/wolfip.o \
+	$(TAP_OBJ)
+
 HAVE_WOLFSSL:=$(shell printf "#include <wolfssl/options.h>\nint main(void){return 0;}\n" | $(CC) $(CFLAGS) -x c - -c -o /dev/null 2>/dev/null && echo 1)
 
 # Require wolfSSL unless the requested goals are wolfSSL-independent (unit/cppcheck/clean).
@@ -171,6 +175,11 @@ asan: $(EXE) $(LIB)
 asan:CFLAGS+=-fsanitize=address
 asan:LDFLAGS+=-static-libasan
 
+ESP_CFLAGS = \
+    -DWOLFIP_ESP \
+    -DWOLFSSL_WOLFIP \
+    -DDEBUG_IP \
+    -DWOLFIP_DEBUG_ESP
 
 # Test
 
@@ -206,9 +215,6 @@ build/tcp_netcat_select: $(OBJ) build/port/posix/bsd_socket.o build/test/tcp_net
 	@echo "[LD] $@"
 	@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) $(END_GROUP)
 
-build/test-esp: $(OBJ) build/test/test_esp.o
-	@echo "[LD] $@"
-	@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) $(END_GROUP)
 
 build/test-wolfssl:CFLAGS+=-Wno-cpp -DWOLFSSL_DEBUG -DWOLFSSL_WOLFIP
 build/test-httpd:CFLAGS+=-Wno-cpp -DWOLFSSL_DEBUG -DWOLFSSL_WOLFIP -Isrc/http
@@ -229,6 +235,20 @@ build/ipfilter/wolfip.o: src/wolfip.c
 
 build/test/ipfilter_logger.o: CFLAGS+=-DCONFIG_IPFILTER=1
 
+# ipsec esp
+build/esp/wolfip.o: src/wolfip.c
+	@mkdir -p `dirname $@` || true
+	@echo "[CC] $< (esp)"
+	@$(CC) $(CFLAGS) $(ESP_CFLAGS) -c $< -o $@
+
+build/test/test_esp.o: src/test/test_esp.c
+	@echo "[CC] $@"
+	@$(CC) $(CFLAGS) $(ESP_CFLAGS) -c $< -o $@
+
+build/test-esp: $(ESP_OBJ) build/test/test_esp.o
+	@echo "[LD] $@"
+	@$(CC) $(CFLAGS) $(ESP_CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) -lwolfssl $(END_GROUP)
+
 build/test-wolfssl-forwarding: build/test/test_wolfssl_forwarding.o build/test/wolfip_forwarding.o $(TAP_OBJ) build/port/wolfssl_io.o build/certs/server_key.o build/certs/ca_cert.o build/certs/server_cert.o
 	@echo "[LD] $@"
 	@$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(BEGIN_GROUP) $(^) -lwolfssl $(END_GROUP)

src/wolfesp.c

@@ -33,6 +33,10 @@ static uint16_t               out_sa_num = 0;
 void
 esp_load_sa_list(struct wolfIP_esp_sa * sa_list, uint16_t num, uint16_t in)
 {
+    #ifdef WOLFIP_DEBUG_ESP
+    printf("info: esp_load_sa_list: %p, %d, %d\n", sa_list, num, in);
+    #endif /* WOLFIP_DEBUG_ESP */
+
     if (in == 1) {
         in_sa_list = sa_list;
         in_sa_num = num;
@@ -568,7 +572,7 @@ esp_aes_rfc4106_enc(const struct wolfIP_esp_sa * esp_sa, uint8_t * esp_data,
         /* copy in the pre_iv. */
         memcpy(iv, esp_sa->pre_iv, sizeof(esp_sa->pre_iv));
 
-        /* xor salt with current sequence number. */
+        /* xor pre-iv salt with current sequence number. */
         for (size_t i = 0; i < sizeof(uint32_t); ++i) {
             iv[i + sizeof(uint32_t)] ^= seq_num_u8[i];
         }