@JacobBarthelmeh
Contributor

No description provided.

Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds TLS transport support to wolfHSM for secure client-server communication. The implementation extends the existing TCP transport with TLS encryption using wolfSSL, supporting both certificate-based and PSK (Pre-Shared Key) authentication methods.

Key Changes:

  • New TLS transport layer built on top of TCP transport with wolfSSL integration
  • Support for both mutual TLS authentication and PSK modes
  • Configuration changes to enable TLS/PSK in the build system

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 10 comments.

| File | Description |
| --- | --- |
| port/posix/posix_transport_tls.h | Header defining TLS transport structures and function declarations |
| port/posix/posix_transport_tls.c | Implementation of TLS transport client/server functions |
| port/posix/posix_transport_tcp.c | Exposed HandleConnect function and fixed null pointer check |
| examples/posix/wh_posix_server/wh_posix_server_cfg.h | Added TLS and PSK configuration function declarations |
| examples/posix/wh_posix_server/wh_posix_server_cfg.c | Implemented TLS and PSK server configuration with certificate loading |
| examples/posix/wh_posix_server/wh_posix_server.c | Added TLS/PSK transport options to CLI |
| examples/posix/wh_posix_server/user_settings.h | Enabled TLS, TLS12, PSK, and debug settings |
| examples/posix/wh_posix_client/wh_posix_client_cfg.h | Added TLS and PSK client configuration declarations |
| examples/posix/wh_posix_client/wh_posix_client_cfg.c | Implemented TLS and PSK client configuration with certificate loading |
| examples/posix/wh_posix_client/wh_posix_client.c | Added TLS/PSK transport options to client CLI |


JacobBarthelmeh self-assigned this Oct 29, 2025
JacobBarthelmeh force-pushed the auth branch 2 times, most recently from e9a4e7e to fcb0a97 on October 30, 2025 20:43
JacobBarthelmeh marked this pull request as ready for review October 30, 2025 21:10
Contributor

bigbrett left a comment

quick initial skim - I'd like to see test coverage added to this before diving much deeper. Looks very promising though, I'm super excited about this !!!

Contributor

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 4 comments.



Contributor

Copilot AI left a comment

Pull Request Overview

Copilot reviewed 18 out of 18 changed files in this pull request and generated 4 comments.



@JacobBarthelmeh
Contributor Author

Investigating SHE tests with TLS.

bigbrett previously approved these changes Nov 4, 2025
bigbrett assigned billphipps and unassigned bigbrett Nov 4, 2025
bigbrett requested a review from billphipps November 4, 2025 19:59
@bigbrett
Contributor

bigbrett commented Nov 4, 2025

Random thoughts for future work: It would be really cool to have a built-in way to initialize and set up the WOLFSSL_CTX, perhaps even following the config/context paradigm we use elsewhere. Is there any way we can absolve the user from needing to directly manage the context? Or is that a dangerous road to go down? I envision a basic set of wolfSSL configuration options (keys, certs, basic modes) just being supplied in the transport config struct and us taking care of everything else internally.

@JacobBarthelmeh
Contributor Author

JacobBarthelmeh commented Nov 24, 2025

Rebased on top of recent examples and yaml changes. Assigning back to me until CI tests are passing.

Contributor

Copilot AI left a comment

Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated 7 comments.



billphipps previously approved these changes Jan 20, 2026
Contributor

billphipps left a comment

Looks great! Let me know when you want me to merge it!

Thank you!

@JacobBarthelmeh
Contributor Author

Force pushed to resolve merge conflict.

billphipps merged commit 7eaba42 into wolfSSL:main Jan 21, 2026
100 checks passed