examples: add wolfHSM DTLS client

.github/workflows/build-and-test-dtls-client.yml

@@ -0,0 +1,105 @@
+name: Build and Test DTLS Client Example
+
+on:
+  push:
+    branches: [ 'master', 'main', 'release/**' ]
+  pull_request:
+    branches: [ '*' ]
+
+jobs:
+  build-and-test-dtls:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+
+    steps:
+    #  Checkout repositories
+    - name: Checkout wolfHSM
+      uses: actions/checkout@v4
+
+    - name: Checkout wolfSSL
+      uses: actions/checkout@v4
+      with:
+        repository: wolfssl/wolfssl
+        path: wolfssl
+
+    #  Build wolfSSL with DTLS support
+    - name: Build wolfSSL with DTLS
+      run: |
+        cd wolfssl
+        ./autogen.sh
+        ./configure --enable-dtls --enable-dtls13 --enable-ecc
+        make -j
+
+    #  Build wolfHSM server
+    - name: Build wolfHSM POSIX server
+      run: |
+        cd examples/posix/wh_posix_server
+        make clean
+        make -j WOLFSSL_DIR=../../../wolfssl
+
+    #  Build DTLS client
+    - name: Build DTLS client
+      run: |
+        cd examples/posix/tls/wh_posix_dtls_client
+        make clean
+        make
+
+    #  Start wolfHSM server in background
+    - name: Start wolfHSM server
+      run: |
+        cd examples/posix/wh_posix_server
+        ./Build/wh_posix_server.elf --type tcp \
+          --key ../../../wolfssl/certs/ecc-client-key.der \
+          --id 1 \
+          --client 12 &
+        SERVER_PID=$!
+        echo "WOLFHSM_SERVER_PID=$SERVER_PID" >> $GITHUB_ENV
+        echo "Started wolfHSM server with PID $SERVER_PID"
+        sleep 2
+
+    #  Start wolfSSL DTLS server in background
+    - name: Start wolfSSL DTLS server
+      run: |
+        cd wolfssl
+        ./examples/server/server -u -v 4 \
+          -c ./certs/server-ecc.pem \
+          -k ./certs/ecc-key.pem \
+          -A ./certs/client-ecc-cert.pem \
+          -p 11111 \
+          -i &
+        DTLS_SERVER_PID=$!
+        echo "DTLS_SERVER_PID=$DTLS_SERVER_PID" >> $GITHUB_ENV
+        echo "Started DTLS server with PID $DTLS_SERVER_PID"
+        sleep 2
+
+    #  Run DTLS client test
+    - name: Run DTLS client test
+      run: |
+        cd examples/posix/tls/wh_posix_dtls_client
+
+        # Send test message with 5 second timeout
+        echo "Hello from CI test" | timeout 5 ./Build/wh_posix_dtls_client.elf 127.0.0.1 > client_output.txt 2>&1 || CLIENT_EXIT=$?
+
+        # Display output for debugging
+        cat client_output.txt
+
+        # Check for successful handshake (exit code 0 = clean exit, 124 = timeout)
+        if grep -q "DTLS handshake successful!" client_output.txt; then
+          echo "✓ DTLS client test completed successfully"
+          exit 0
+        else
+          echo "✗ DTLS handshake did not complete"
+          exit 1
+        fi
+
+    #  Cleanup servers (always run)
+    - name: Cleanup servers
+      if: always()
+      run: |
+        echo "Cleaning up server processes..."
+        kill ${{ env.WOLFHSM_SERVER_PID }} 2>/dev/null || true
+        kill ${{ env.DTLS_SERVER_PID }} 2>/dev/null || true
+        sleep 1
+        kill -9 ${{ env.WOLFHSM_SERVER_PID }} 2>/dev/null || true
+        kill -9 ${{ env.DTLS_SERVER_PID }} 2>/dev/null || true
+        echo "Cleanup complete"

examples/posix/tls/wh_posix_dtls_client/Makefile

@@ -0,0 +1,184 @@
+## Makefile for wolfHSM DTLS Client example using POSIX port
+
+## Project name
+# Sets output filenames
+BIN = wh_posix_dtls_client
+
+## Important directories
+# Base directory for additional project files
+PROJECT_DIR				?= .
+CONFIG_DIR				?= $(PROJECT_DIR)
+SHARED_CONFIG_DIR       ?= $(PROJECT_DIR)/../../
+# wolfSSL and wolfHSM directories
+WOLFSSL_DIR				?= ../../../../wolfssl
+WOLFHSM_DIR				?= ../../../../
+WOLFHSM_PORT_DIR		?= $(WOLFHSM_DIR)/port/posix
+
+# Output directory for build files
+BUILD_DIR				?= $(PROJECT_DIR)/Build
+
+# Includes
+INC =   -I$(PROJECT_DIR) \
+		-I$(CONFIG_DIR) \
+		-I$(SHARED_CONFIG_DIR) \
+		-I$(WOLFSSL_DIR) \
+		-I$(WOLFHSM_DIR) \
+		-I$(WOLFHSM_PORT_DIR)
+
+# POSIX requires C source be defined before any header
+DEF += -D_POSIX_C_SOURCE=200809L
+
+# Library configuration defines for user-supplied settings
+DEF += -DWOLFSSL_USER_SETTINGS -DWOLFHSM_CFG
+
+# Architecture flags for assembler, C compiler and linker
+ARCHFLAGS ?=
+
+# Enable extra C compiler warnings
+CFLAGS_EXTRA = -Werror -Wall -Wextra
+# Place functions / data into separate sections to allow unused code removal
+CFLAGS_EXTRA += -ffunction-sections -fdata-sections
+
+# C standard to use
+CSTD 		?= -std=c99
+
+ASFLAGS 	?= $(ARCHFLAGS)
+CFLAGS 		?= $(ARCHFLAGS) $(CSTD) $(CFLAGS_EXTRA)
+LDFLAGS 	?= $(ARCHFLAGS)
+
+# Enable garbage collection.  Inexact handling of dead_strip
+OS_NAME := $(shell uname -s | tr A-Z a-z)
+ifeq ($(OS_NAME),darwin)
+	LDFLAGS += -Wl,-dead_strip
+else
+	LDFLAGS += -Wl,--gc-sections
+endif
+
+# Libc for printf, libm for math (used with DH)
+LIBS = -lc -lm
+
+## Makefile options
+
+# Set to @ if you want to suppress command echo
+CMD_ECHO ?=
+
+# Check if DEBUG is set to 1 and append debug flags
+ifeq ($(DEBUG),1)
+	DBGFLAGS = -ggdb -g3
+	CFLAGS += $(DBGFLAGS)
+	LDFLAGS += $(DBGFLAGS)
+	DEF += -DWOLFHSM_CFG_DEBUG
+endif
+
+# Check if DEBUG_VERBOSE is set to 1 and enable verbose WOLFHSM debug output
+# Note: DEBUG_VERBOSE implies DEBUG
+ifeq ($(DEBUG_VERBOSE),1)
+	DBGFLAGS = -ggdb -g3
+	CFLAGS += $(DBGFLAGS)
+	LDFLAGS += $(DBGFLAGS)
+	DEF += -DWOLFHSM_CFG_DEBUG -DWOLFHSM_CFG_DEBUG_VERBOSE
+endif
+
+# Add address sanitizer option
+ifeq ($(ASAN),1)
+    CFLAGS += -fsanitize=address
+    LDFLAGS += -fsanitize=address
+endif
+
+## Source files
+# Assembly source files
+SRC_ASM +=
+
+# wolfCrypt source files
+WOLFCRYPT_SRC := $(wildcard $(WOLFSSL_DIR)/wolfcrypt/src/*.c)
+SRC_C += $(filter-out %/evp.c %/misc.c,$(WOLFCRYPT_SRC))
+
+# wolfSSL source files (needed for DTLS)
+WOLFSSL_SRC := $(wildcard $(WOLFSSL_DIR)/src/*.c)
+SRC_C += $(filter-out %/bio.c %/conf.c %/pk.c %/ssl_asn1.c %/ssl_bn.c %/ssl_certman.c %/ssl_crypto.c %/ssl_load.c %/ssl_misc.c %/ssl_p7p12.c %/ssl_sess.c %/ssl_sk.c %/x509.c %/x509_str.c,$(WOLFSSL_SRC))
+
+# wolfHSM source files
+SRC_C +=  $(wildcard $(WOLFHSM_DIR)/src/*.c)
+
+# wolfHSM port/HAL code
+SRC_C +=  $(wildcard $(WOLFHSM_PORT_DIR)/*.c)
+
+# Project source files
+SRC_C +=  $(wildcard $(PROJECT_DIR)/*.c)
+
+# Set the default device ID for wolfCrypt operations
+DEF += -DWC_USE_DEVID=0x5748534D
+
+ifeq ($(SCAN),1)
+SCAN_LOG = scan_posix_dtls_client.log
+# Default target
+.DEFAULT_GOAL := scan
+endif
+
+## Automated processing below
+
+FILENAMES_C = $(notdir $(SRC_C))
+OBJS_C = $(addprefix $(BUILD_DIR)/, $(FILENAMES_C:.c=.o))
+vpath %.c $(dir $(SRC_C))
+
+OBJS_ASM = $(addprefix $(BUILD_DIR)/, $(notdir $(SRC_ASM:.s=.o)))
+vpath %.s $(dir $(SRC_ASM))
+
+
+## Makefile Targets
+
+.PHONY: build_app build_hex build_static clean run
+
+build_app: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).elf
+	@echo Build complete.
+
+build_hex: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).hex
+	@echo ""
+	$(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).elf
+
+build_static: $(BUILD_DIR) $(BUILD_DIR)/$(BIN).a
+	@echo ""
+	$(CMD_ECHO) $(SIZE) $(BUILD_DIR)/$(BIN).a
+
+$(BUILD_DIR):
+	$(CMD_ECHO) mkdir -p $(BUILD_DIR)
+
+$(BUILD_DIR)/$(BIN).hex: $(BUILD_DIR)/$(BIN).elf
+	@echo "Generating HEX binary: $(notdir $@)"
+	$(CMD_ECHO) $(OBJCOPY) -O ihex $< $@
+
+$(BUILD_DIR)/%.o: %.s
+	@echo "Compiling ASM file: $(notdir $<)"
+	$(CMD_ECHO) $(AS) $(ASFLAGS) $(DEF) $(INC) -c -o $@ $<
+
+$(BUILD_DIR)/%.o: %.c
+	@echo "Compiling C file: $(notdir $<)"
+	$(CMD_ECHO) $(CC) $(CFLAGS) $(DEF) $(INC) -c -o $@ $<
+
+$(BUILD_DIR)/$(BIN).elf: $(OBJS_ASM) $(OBJS_C)
+	@echo "Linking ELF binary: $(notdir $@)"
+	$(CMD_ECHO) $(CC) $(LDFLAGS) $(SRC_LD) -o $@ $^ $(LIBS)
+
+$(BUILD_DIR)/$(BIN).a: $(OBJS_ASM) $(OBJS_C)
+	@echo "Building static library: $(notdir $@)"
+	$(CMD_ECHO) $(AR) -r $@ $^
+
+analyze: $(OBJS_ASM) $(OBJS_C)
+
+scan:$(BUILD_DIR)
+	@echo "Running scan-build static analysis"
+	@mkdir -p $(WOLFHSM_DIR)/scan_out/
+	@scan-build --exclude $(WOLFSSL_DIR)/wolfcrypt \
+	            --exclude $(WOLFSSL_DIR)/src \
+	            --status-bugs $(MAKE) analyze 2> $(WOLFHSM_DIR)/scan_out/$(SCAN_LOG)
+
+clean:
+	@echo "Cleaning build files"
+	@rm -f 	\
+			$(BUILD_DIR)/*.elf \
+			$(BUILD_DIR)/*.hex \
+			$(BUILD_DIR)/*.map \
+			$(BUILD_DIR)/*.o \
+			$(BUILD_DIR)/*.a \
+			$(BUILD_DIR)/*.sym \
+			$(BUILD_DIR)/*.disasm

examples/posix/tls/wh_posix_dtls_client/user_settings.h

@@ -0,0 +1,52 @@
+#ifndef USER_SETTINGS_H_
+#define USER_SETTINGS_H_
+
+/** wolfHSM Client required settings */
+
+/* POSIX system headers */
+#define HAVE_SYS_TIME_H
+
+/* CryptoCB support - required for offloading crypto to HSM */
+#define WOLF_CRYPTO_CB
+#define HAVE_ANONYMOUS_INLINE_AGGREGATES 1
+
+/* PK callbacks - required for TLS-level HSM key operations */
+#define HAVE_PK_CALLBACKS
+
+/* Enable DTLS support */
+#define WOLFSSL_DTLS
+#define WOLFSSL_DTLS13
+#define WOLFSSL_TLS13
+#define HAVE_TLS_EXTENSIONS
+#define WOLFSSL_SEND_HRR_COOKIE
+
+/* Remove old TLS versions */
+#define NO_OLD_TLS
+
+/** Crypto Algorithm Options */
+
+/* ECC for ECDHE key exchange and ECDSA authentication */
+#define HAVE_ECC
+#define HAVE_SUPPORTED_CURVES
+
+/* AES-GCM for symmetric encryption */
+#define HAVE_AESGCM
+
+/* HKDF for key derivation */
+#define HAVE_HKDF
+
+/* Timing resistance / side-channel attack protection */
+#define TFM_TIMING_RESISTANT
+#define ECC_TIMING_RESISTANT
+#define WC_RSA_BLINDING
+
+/* Use wolfSSL's internal string comparison instead of system strcasecmp */
+#define USE_WOLF_STRCASECMP
+
+/* Remove unneeded features */
+#define NO_MAIN_DRIVER
+#define NO_DO178
+#define NO_RSA
+#define NO_DH
+
+#endif /* USER_SETTINGS_H_ */