Skip to main content

Building and integrating NanoSec

Before beginning integration activities, get familiarized with the NanoSec code base by reviewing the topics in this section.

Supported algorithms

The table below lists the supported algorithms for both IKEv1 and IKEv2 SA negotiations.

Figure 10: Packet flow using IPsec within typical IP stack

APIs

NanoSec is implemented by the following ANSI-C APIs:

  • Common code base: Functions common to all TrustCore SDK components; defined in src/common/mocana.h.

  • Certificate management: Functions for authentication; defined in src/crypto/ca_mgmt.h.

  • IPsec: Functions to configure the NanoSec stack and perform IPsec processing; defined in ipsec.h, ipsecconf.h, and ipseckey.h (all in the directory directory).

  • IKE: Functions to configure the NanoSec stack using automatic keys; defined in src/ike/ike.h.

  • IKEv2: Functions to configure the NanoSec stack using IKE version 2 protocol; defined in src/ike/ike.h, and implemented in src/ike2/ike2.c.

  • Internal data types may be customized in moptions.h by defining the __ENABLE_MOCANA_BASIC_TYPES_OVERRIDE__ flag.

Compilation flags

If an optional flag is applicable to both NanoSec IPsec and IKE, the flag must have the same status (defined or not) for both product builds. (For a complete list of compilation flags and their descriptions, refer to the NanoSec API Reference.)

The table below lists the NanoSec compilation flags. Note that some flags are required only for particular operating systems.

Figure 11: Packet flow using IPsec below a binary IP stack

Building NanoSec sample code

To help with integration of NanoSec into devices, a suite of sample code is included in the source distribution (in the src/examples directory). The sample code should be used as a reference and modified as required for inclusion into an application’s source code:

  • ca_mgmt_example.c Shows how to perform authentication with certificates by using the TrustCore SDK certificate management functions.

  • ike_example.c Shows how to integrate IKE server into devices for any supported operating system.

  • Although not a server in the traditional client-server sense, the IKE server plays a control role in setting up the IPsec peer-to-peer communication.

  • ipsec_example.c Shows how to integrate IPsec services into devices, including setting policies and configuring SAs (security associations) via manual keying.

  • ipseckey_example.c Shows how to integrate IKE server with the IPsec stack for Windows-based devices. This code can be used as a model for any operating system that has separate user and kernel space applications, where IPsec and IKE must run in separate contexts (IPsec in the kernel context, and IKE in the user context).

  • Embedded real time operating systems typically do not separate the user and kernel space. For such systems, NanoSec IPsec and NanoSec IKE can run in the same context.

  • mocana_example.c Shows how to initialize TrustCore SDK code.

A sample version of NanoSec IPsec has also been provided to quickly build and demonstrate features of NanoSec.

To generate the NanoSec IPsec quick build, run the following command:

./scripts/nanosec/build_target_ncrypto.sh ike