Add wolfGuard: native FIPS WireGuard driver for wolfIP#86
Merged
danielinux merged 1 commit intowolfSSL:masterfrom Mar 25, 2026
Merged
Add wolfGuard: native FIPS WireGuard driver for wolfIP#86danielinux merged 1 commit intowolfSSL:masterfrom
danielinux merged 1 commit intowolfSSL:masterfrom
Conversation
gasbytes
force-pushed
the
wolfguard
branch
2 times, most recently
from
45f8246 to
89ec684
Compare
gasbytes
force-pushed
the
wolfguard
branch
2 times, most recently
from
a986709 to
fe87d4e
Compare
danielinux
requested changes
Mar 25, 2026
Member
danielinux
left a comment
danielinux
left a comment
There was a problem hiding this comment.
Nit: shorten comment for wolfIP_ll_dev.priv
Core implementation (src/wolfguard/): - wg_crypto.c: FIPS crypto abstraction with PRIVATE_KEY_UNLOCK/LOCK for wolfSSL FIPS v6 compatibility - wg_noise.c: Noise_IKpsk2 handshake (create/consume initiation and response, session key derivation) - wg_cookie.c: mac1/mac2 validation, cookie reply for DoS protection - wg_packet.c: transport data encrypt/decrypt with replay counter - wg_timers.c: rekey, keepalive, retransmit, key zeroing state machine - wg_allowedips.c: flat-table longest-prefix-match for peer routing - wolfguard.c: device init, wg0 virtual interface, UDP outer transport, poll loop integration via wolfIP_recv_ex() Wire format matches kernel wolfGuard: - 32-byte MACs (full SHA-256 HMAC, not truncated to 16) - 16-byte AES-GCM IVs (AES_IV_SIZE, matching kernel ZeroNonce) - TAI64N timestamps with 0x400000000000000a epoch offset - 65-byte uncompressed P-256 public keys Tests: - unit_wolfguard.c: 38 unit tests covering crypto, noise handshake, cookies, allowed-IPs, replay counter, packet processing, timers - test_wolfguard_loopback.c: 3 integration tests (roundtrip, session lifecycle with rekey/reconnect, DoS cookie mechanism) - test_wolfguard_interop.c: bidirectional interop against the kernel wolfGuard module via TUN, tests both wolfIP-initiated and kernel-initiated handshakes with fresh key material Build & CI: - Makefile: wolfguard targets with ASan/UBSan variants - tools/scripts/test-interop-wolfguard.sh: end-to-end interop harness (builds wolfSSL + kernel module, loads modules, generates keys, runs two-phase bidirectional test) - .github/workflows/wolfguard.yml: CI for unit, loopback, and interop
danielinux
approved these changes
Mar 25, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
core implementation included in src/wolfguard/, tests in src/tests/; which includes unit tests, loopback test that contains integration tests, and interop test against the wolfguard kernel implementation, this last one is also provided as script in tools/scripts/test-interop-wolfguard.sh.
note: added some minor fips guarding to correctly build against wolfssl in fips mode, which is now with this pr supported too.