Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add basic IPSec support to wire #821

Merged
merged 20 commits into from
Aug 18, 2023
Merged

Add basic IPSec support to wire #821

merged 20 commits into from
Aug 18, 2023

Conversation

thegreathir
Copy link
Contributor

As mentioned #816 here, supporting the IPSec protocol kernel aspects would be nice.
The first step for supporting IPSec will be implementing AH and ESP related Packet and Repr in the wire.
I don't know if it is OK to merge the wire representations and then add complete support to other layers or not.

@codecov
Copy link

codecov bot commented Jul 25, 2023
edited
Loading

Codecov Report

Merging #821 (c18e4e5) into main (d3cea95) will increase coverage by 0.13%.
The diff coverage is 93.79%.

@@            Coverage Diff             @@
##             main     #821      +/-   ##
==========================================
+ Coverage   79.39%   79.52%   +0.13%     
==========================================
  Files          76       78       +2     
  Lines       27504    27762     +258     
==========================================
+ Hits        21836    22078     +242     
- Misses       5668     5684      +16
Files Changed Coverage Δ
src/wire/ip.rs 77.85% <0.00%> (-0.28%) ⬇️
src/wire/mod.rs 71.96% <ø> (ø)
src/wire/ipsec_esp.rs 92.63% <92.63%> (ø)
src/wire/ipsec_ah.rs 95.65% <95.65%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@thegreathir thegreathir marked this pull request as ready for review July 28, 2023 11:03
@whitequark
Copy link
Contributor

I don't know if it is OK to merge the wire representations and then add complete support to other layers or not.

This is completely normal for smoltcp; the wire module is intended to be usable without the rest anyways.

@thegreathir
Copy link
Contributor Author

@Dirbaio What is your opinion?
Do you think this PR (and IPSec in general!) is valid and aligned with the purposes of the project?

thvdveld
thvdveld reviewed Aug 9, 2023
View reviewed changes
Copy link
Contributor

@thvdveld thvdveld left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR! Some nitpicks.

src/wire/ip.rs Outdated Show resolved Hide resolved
src/wire/ipsec_ah.rs Outdated
#[test]
fn test_construct() {
let mut bytes = vec![0xa5; 24];
let mut packet: Packet<&mut Vec<u8>> = Packet::new_unchecked(&mut bytes);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do you need to specify the type of packet?

src/wire/ipsec_ah.rs Outdated
0xaf, 0xd2, 0xe7, 0xa1, 0x73, 0xd3, 0x29, 0x0b, 0xfe, 0x6b, 0x63, 0x73,
];
packet.integrity_check_value_mut().copy_from_slice(&ICV);
assert_eq!(&*packet.into_inner(), &PACKET_BYTES2[..]);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you could just compare with bytes here.

src/wire/ipsec_ah.rs Outdated
Comment on lines 273 to 278
fn test_emit() {
let mut bytes = vec![0x17; 24];
let mut packet = Packet::new_unchecked(&mut bytes);
packet_repr().emit(&mut packet);
assert_eq!(&*packet.into_inner(), &PACKET_BYTES2[..]);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you add an assert for the buffer_len function?

src/wire/ipsec_esp.rs Outdated
#[test]
fn test_construct() {
let mut bytes = vec![0xa5; 8];
let mut packet: Packet<&mut Vec<u8>> = Packet::new_unchecked(&mut bytes);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as previous remark about the type.

src/wire/ipsec_esp.rs Outdated
let mut packet: Packet<&mut Vec<u8>> = Packet::new_unchecked(&mut bytes);
packet.set_security_parameters_index(0xfb5128a6);
packet.set_sequence_number(2);
assert_eq!(&*packet.into_inner(), &PACKET_BYTES[..8]);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think you can compare with bytes here.

src/wire/ipsec_esp.rs Outdated
Comment on lines 163 to 169
#[test]
fn test_emit() {
let mut bytes = vec![0x17; 8];
let mut packet = Packet::new_unchecked(&mut bytes);
packet_repr().emit(&mut packet);
assert_eq!(&*packet.into_inner(), &PACKET_BYTES[..8]);
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add an assert for the buffer_len function?

src/wire/mod.rs Outdated
Comment on lines 281 to 285
#[cfg(feature = "proto-ipsec-ah")]
pub use self::ipsec_ah::{Packet as IPSecAuthHeaderPacket, Repr as IPSecAuthHeaderRepr};

#[cfg(feature = "proto-ipsec-esp")]
pub use self::ipsec_esp::{Packet as IPSecEspPacket, Repr as IPSecEspRepr};
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe the letter P should be lowercase, then it matches the other types that have IP in their name.

Cargo.toml Outdated
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe you could add a proto-ipsec feature flag that enables proto-ipsec-esp and proto-ipsec-ah. Then use that one in the default feature set.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or maybe don't add the feature to the default feature set since it is not used anywhere other than the wire module.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added the proto-ipsec feature. It is added in the default features to make CI run its tests, otherwise there is no need for it to be in the defaults as it is not actually implemented yet.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can add a line in the ci.sh file with the proto-ipsec feature.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

proto-ipsec has been added to FEATURES_TEST and FEATURES_CHECK

Copy link
Contributor Author

@thegreathir thegreathir Aug 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think all of your comments are fixed now

@thvdveld
Copy link
Contributor

Thank you very much!

@thvdveld thvdveld added this pull request to the merge queue Aug 18, 2023
Merged via the queue into smoltcp-rs:main with commit 01e1acb Aug 18, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@thvdveld thvdveld thvdveld left review comments

@HKalbasi HKalbasi HKalbasi left review comments

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@thegreathir @whitequark @thvdveld @HKalbasi