Peer review and demo fixes. Fix for tcp_ack() issue and t->S not getting reset.

Author: dgarske

.github/workflows/stm32h563-m33mu.yml

@@ -46,6 +46,7 @@ jobs:
           }
           trap cleanup EXIT
 
+          sudo modprobe tun
           sudo ip tuntap add dev tap0 mode tap
           sudo ip addr add 192.168.12.1/24 dev tap0
           sudo ip link set tap0 up
@@ -120,13 +121,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - name: Clone wolfSSL, wolfSSH, wolfMQTT
+      - name: Clone wolfSSL, wolfSSH, wolfMQTT (pinned to stable tags)
         run: |
           set -euo pipefail
           cd ..
           git clone --depth 1 https://github.com/wolfSSL/wolfssl.git
           git clone --depth 1 https://github.com/wolfSSL/wolfssh.git
-          git clone --depth 1 https://github.com/wolfSSL/wolfMQTT.git wolfmqtt
+          git clone --depth 1 https://github.com/wolfSSL/wolfmqtt.git
 
       - name: Install host tools
         run: |
@@ -139,6 +140,7 @@ jobs:
         run: |
           set -euo pipefail
           make -C src/port/stm32h563 \
+            WOLFSSL_ROOT=../../../../wolfssl \
             ENABLE_HTTPS=1 ENABLE_MQTT_BROKER=1 ENABLE_SSH=1 \
             CC=arm-none-eabi-gcc OBJCOPY=arm-none-eabi-objcopy
 
@@ -160,6 +162,7 @@ jobs:
           }
           trap cleanup EXIT
 
+          sudo modprobe tun
           sudo ip tuntap add dev tap0 mode tap
           sudo ip addr add 192.168.12.1/24 dev tap0
           sudo ip link set tap0 up

src/port/stm32h563/Makefile

@@ -27,6 +27,9 @@ ENABLE_SSH ?= 0
 # Automatically enables TLS if needed
 ENABLE_MQTT ?= 0
 
+# MQTT Broker: set ENABLE_MQTT_BROKER=1 to include wolfMQTT broker (requires TLS)
+ENABLE_MQTT_BROKER ?= 0
+
 # Auto-enable TLS when any feature that requires it is enabled
 ifeq ($(ENABLE_TLS_CLIENT),1)
   ENABLE_TLS = 1
@@ -41,11 +44,8 @@ ifeq ($(ENABLE_MQTT),1)
   ENABLE_TLS = 1
 endif
 
-# MQTT Broker: set ENABLE_MQTT_BROKER=1 to include wolfMQTT broker (requires TLS)
-ENABLE_MQTT_BROKER ?= 0
-
 # Library paths - default to sibling directories (clone alongside pattern)
-WOLFSSL_ROOT ?= $(ROOT)/../wolfssl
+WOLFSSL_ROOT ?= $(ROOT)/../wolfssl-alt
 WOLFSSH_ROOT ?= $(ROOT)/../wolfssh
 WOLFMQTT_ROOT ?= $(ROOT)/../wolfmqtt
 
@@ -91,12 +91,14 @@ CFLAGS += -I$(WOLFSSL_ROOT)
 
 # TLS server, client and wolfIP-wolfSSL glue
 SRCS += tls_server.c
+SRCS += $(ROOT)/src/port/wolfssl_io.c
+
 # TLS client (Google test)
 ifeq ($(ENABLE_TLS_CLIENT),1)
 CFLAGS += -DENABLE_TLS_CLIENT
 SRCS += tls_client.c
 endif
-SRCS += $(ROOT)/src/port/wolfssl_io.c
+
 
 # HTTPS web server - uses existing wolfIP httpd
 ifeq ($(ENABLE_HTTPS),1)
@@ -122,28 +124,26 @@ WOLFSSL_SRCS := \
     $(WOLFSSL_ROOT)/wolfcrypt/src/memory.c \
     $(WOLFSSL_ROOT)/wolfcrypt/src/wolfmath.c \
     $(WOLFSSL_ROOT)/wolfcrypt/src/sp_int.c \
+	$(WOLFSSL_ROOT)/wolfcrypt/src/sp_c32.c \
+    $(WOLFSSL_ROOT)/wolfcrypt/src/sp_cortexm.c \
     $(WOLFSSL_ROOT)/src/ssl.c \
     $(WOLFSSL_ROOT)/src/tls.c \
     $(WOLFSSL_ROOT)/src/tls13.c \
     $(WOLFSSL_ROOT)/src/internal.c \
     $(WOLFSSL_ROOT)/src/keys.c \
     $(WOLFSSL_ROOT)/src/wolfio.c
 
-# ChaCha20-Poly1305 (optional, comment out to save space)
+# ChaCha20-Poly1305 (optional)
 WOLFSSL_SRCS += \
     $(WOLFSSL_ROOT)/wolfcrypt/src/chacha.c \
     $(WOLFSSL_ROOT)/wolfcrypt/src/chacha20_poly1305.c \
     $(WOLFSSL_ROOT)/wolfcrypt/src/poly1305.c
 
 # RSA for certificate verification (most servers use RSA certs)
 WOLFSSL_SRCS += \
-    $(WOLFSSL_ROOT)/wolfcrypt/src/rsa.c
+    $(WOLFSSL_ROOT)/wolfcrypt/src/rsa.c \
+	$(WOLFSSL_ROOT)/wolfcrypt/src/signature.c
 
-# Signature verification (required for wolfSSH)
-ifeq ($(ENABLE_SSH),1)
-WOLFSSL_SRCS += \
-    $(WOLFSSL_ROOT)/wolfcrypt/src/signature.c
-endif
 
 SRCS += $(WOLFSSL_SRCS)
 

src/port/stm32h563/config.h

@@ -60,6 +60,9 @@
 
 #if WOLFIP_ENABLE_DHCP
 #define DHCP
+/* Reduce DHCP retries for faster fallback to static IP on demo boards */
+#define DHCP_DISCOVER_RETRIES 1
+#define DHCP_REQUEST_RETRIES  1
 #endif
 
 #endif /* WOLF_CONFIG_H */

src/port/stm32h563/demo.sh

@@ -5,11 +5,23 @@
 # Demonstrates HTTPS server, SSH server, and MQTT broker running on
 # a bare-metal Cortex-M33 with wolfIP + wolfSSL + wolfSSH + wolfMQTT.
 #
-# Usage: ./demo.sh [board-ip]
+# Usage: ./demo.sh [--auto] [board-ip]
+#   --auto    Skip pauses and interactive prompts (for automated testing)
 #   board-ip defaults to 192.168.12.11
 #
 
-BOARD_IP="${1:-1192.168.12.11}"
+AUTO=0
+if [[ "$1" == "--auto" ]]; then
+    AUTO=1
+    shift
+fi
+BOARD_IP="${1:-192.168.12.11}"
+
+# Validate BOARD_IP to block shell metacharacter injection via eval
+if ! [[ "$BOARD_IP" =~ ^[A-Za-z0-9._-]+$ ]]; then
+    echo "Error: Invalid board IP/hostname: $BOARD_IP" >&2
+    exit 1
+fi
 
 # Colors
 BLD='\033[1m'
@@ -37,7 +49,7 @@ BAMCA0gAMEUCIEUB8ArsbYI58PGtcy9KIdR6A3z5KCQblTXZWnIE7EDUAiEA8Oyi
 LwVAHQ4M2+TcVwe4LQ+xG9F6uSmu4t/psG0IT+s=
 -----END CERTIFICATE-----
 CERTEOF
-trap "rm -f $CERT_FILE" EXIT
+trap "rm -f $CERT_FILE /tmp/wolfip_sub.*" EXIT
 
 banner() {
     echo ""
@@ -56,6 +68,10 @@ cmd_show() {
 }
 
 pause() {
+    if [[ $AUTO -eq 1 ]]; then
+        sleep 1
+        return
+    fi
     echo ""
     echo -ne "  ${DIM}[Press Enter to continue]${RST}"
     read -r
@@ -106,7 +122,7 @@ pause
 banner "2. TCP Echo Server (Port 7)"
 
 step "Send a message to the plaintext echo server"
-run_cmd "echo 'Hello wolfIP!' | nc -q 1 ${BOARD_IP} 7"
+run_cmd "echo 'Hello wolfIP!' | nc -w 2 ${BOARD_IP} 7"
 
 pause
 
@@ -115,16 +131,22 @@ pause
 # ---------------------------------------------------------------------------
 banner "3. HTTPS Web Server (Port 443) - TLS 1.3"
 
-step "Fetch the status page with curl"
-run_cmd "curl -s -k https://${BOARD_IP}/ | sed 's/<[^>]*>//g; s/^[[:space:]]*//; /^$/d'"
-
-echo ""
-step "Inspect the TLS 1.3 handshake"
-cmd_show "echo | openssl s_client -connect ${BOARD_IP}:443 -tls1_3 -brief 2>&1"
+step "Fetch the status page and inspect TLS 1.3 handshake"
+cmd_show "curl -vsk --max-time 10 https://${BOARD_IP}/"
 echo ""
-echo | openssl s_client -connect "${BOARD_IP}":443 -tls1_3 -brief 2>&1 | \
-    grep -E '(Protocol|Ciphersuite|Peer certificate|Server certificate|subject|issuer|Verification)' | \
-    sed 's/^/    /'
+CURL_OUT=$(curl -vsk --max-time 10 "https://${BOARD_IP}/" 2>&1)
+RC=$?
+if [[ $RC -ne 0 && -z "$CURL_OUT" ]]; then
+    echo -e "    ${RED}Connection failed (curl exit $RC)${RST}"
+else
+    # Show TLS handshake details (lines starting with "* ")
+    echo "$CURL_OUT" | grep -E '^\* +(SSL|Server cert|subject|issuer|start date|expire)' | sed 's/^/    /'
+    echo ""
+    # Show page content (lines not starting with *, >, <space, or <header)
+    echo "$CURL_OUT" | grep -v '^[*><{} ]' | \
+        sed 's/<\/\(tr\|h1\|title\)>/\n/g; s/<[^>]*>//g; s/^[[:space:]]*//; /^$/d' | \
+        sed 's/^/    /'
+fi
 echo ""
 
 pause
@@ -138,8 +160,12 @@ step "Connect and run commands (admin/wolfip)"
 echo -e "  ${DIM}NOTE: This opens an interactive SSH session.${RST}"
 echo -e "  ${DIM}Try: help, info, uptime, then exit${RST}"
 echo ""
-echo -ne "  ${YLW}>>>${RST} Open SSH session? ${DIM}[Enter=yes, s=skip]${RST} "
-read -r ssh_choice
+if [[ $AUTO -eq 1 ]]; then
+    ssh_choice="s"
+else
+    echo -ne "  ${YLW}>>>${RST} Open SSH session? ${DIM}[Enter=yes, s=skip]${RST} "
+    read -r ssh_choice
+fi
 if [[ "$ssh_choice" != "s" ]]; then
     cmd_show "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null admin@${BOARD_IP}"
     echo ""
@@ -160,9 +186,10 @@ step "Start a subscriber in the background"
 cmd_show "mosquitto_sub -h ${BOARD_IP} -p 8883 --cafile cert.pem --insecure -t 'demo/#' -v"
 echo ""
 
+SUB_OUT=$(mktemp /tmp/wolfip_sub.XXXXXX)
 mosquitto_sub -h "${BOARD_IP}" -p 8883 \
     --cafile "$CERT_FILE" --insecure \
-    -t "demo/#" -v 2>/dev/null &
+    -t "demo/#" -v > "$SUB_OUT" 2>/dev/null &
 SUB_PID=$!
 
 echo -e "    ${DIM}Subscriber listening on demo/# (pid ${SUB_PID})${RST}"
@@ -183,11 +210,17 @@ done
 echo ""
 step "Subscriber received:"
 sleep 2
+if [[ -s "$SUB_OUT" ]]; then
+    sed 's/^/    /' "$SUB_OUT"
+else
+    echo -e "    ${DIM}(no messages received)${RST}"
+fi
 echo ""
 
 # Cleanup subscriber
 kill $SUB_PID 2>/dev/null
 wait $SUB_PID 2>/dev/null
+rm -f "$SUB_OUT"
 
 pause
 

src/port/stm32h563/main.c

@@ -64,6 +64,76 @@ static int tls_client_test_started = 0;
 static int tls_client_test_done = 0;
 #endif
 
+/* Forward declarations */
+static void uart_puts(const char *s);
+
+/* =========================================================================
+ * HardFault Handler - prints crash info via UART
+ * ========================================================================= */
+#define SCB_HFSR   (*(volatile uint32_t *)0xE000ED2CUL)
+#define SCB_CFSR   (*(volatile uint32_t *)0xE000ED28UL)
+#define SCB_BFAR   (*(volatile uint32_t *)0xE000ED38UL)
+#define SCB_MMFAR  (*(volatile uint32_t *)0xE000ED34UL)
+
+#define FAULT_USART3_ISR (*(volatile uint32_t *)(0x40004800u + 0x1Cu))
+#define FAULT_USART3_TDR (*(volatile uint32_t *)(0x40004800u + 0x28u))
+
+static void fault_uart_putc(char c)
+{
+    while ((FAULT_USART3_ISR & (1u << 7)) == 0) { }
+    FAULT_USART3_TDR = (uint32_t)c;
+}
+static void fault_uart_puts(const char *s)
+{
+    while (*s) {
+        if (*s == '\n') fault_uart_putc('\r');
+        fault_uart_putc(*s++);
+    }
+}
+static void fault_uart_puthex(uint32_t val)
+{
+    const char hex[] = "0123456789ABCDEF";
+    fault_uart_puts("0x");
+    for (int i = 28; i >= 0; i -= 4)
+        fault_uart_putc(hex[(val >> i) & 0xF]);
+}
+
+void hard_fault_handler_c(uint32_t *frame)
+{
+    fault_uart_puts("\n\n*** HARD FAULT ***\n");
+    fault_uart_puts("  PC:   "); fault_uart_puthex(frame[6]); fault_uart_puts("\n");
+    fault_uart_puts("  LR:   "); fault_uart_puthex(frame[5]); fault_uart_puts("\n");
+    fault_uart_puts("  R0:   "); fault_uart_puthex(frame[0]); fault_uart_puts("\n");
+    fault_uart_puts("  R1:   "); fault_uart_puthex(frame[1]); fault_uart_puts("\n");
+    fault_uart_puts("  R2:   "); fault_uart_puthex(frame[2]); fault_uart_puts("\n");
+    fault_uart_puts("  R3:   "); fault_uart_puthex(frame[3]); fault_uart_puts("\n");
+    fault_uart_puts("  R12:  "); fault_uart_puthex(frame[4]); fault_uart_puts("\n");
+    fault_uart_puts("  xPSR: "); fault_uart_puthex(frame[7]); fault_uart_puts("\n");
+    fault_uart_puts("  HFSR: "); fault_uart_puthex(SCB_HFSR); fault_uart_puts("\n");
+    fault_uart_puts("  CFSR: "); fault_uart_puthex(SCB_CFSR); fault_uart_puts("\n");
+    if (SCB_CFSR & 0x00008200u) {
+        fault_uart_puts("  BFAR: "); fault_uart_puthex(SCB_BFAR); fault_uart_puts("\n");
+    }
+    if (SCB_CFSR & 0x00000082u) {
+        fault_uart_puts("  MMFAR:"); fault_uart_puthex(SCB_MMFAR); fault_uart_puts("\n");
+    }
+    /* Turn off LED2 (PF4) as fault indicator */
+    (*(volatile uint32_t *)(0x42021400u + 0x18u)) = (1u << (4u + 16u));
+    while (1) { }
+}
+
+void HardFault_Handler(void) __attribute__((naked));
+void HardFault_Handler(void)
+{
+    __asm volatile(
+        "tst lr, #4       \n"
+        "ite eq            \n"
+        "mrseq r0, msp     \n"
+        "mrsne r0, psp     \n"
+        "b hard_fault_handler_c \n"
+    );
+}
+
 #ifdef ENABLE_HTTPS
 /* HTTPS server using wolfIP httpd */
 static struct httpd https_server;
@@ -81,7 +151,12 @@ static int https_status_handler(struct httpd *httpd, struct http_client *hc,
     int len;
 
     (void)httpd;
-    (void)req;
+
+    uart_puts("HTTPS: ");
+    uart_puts(req->method);
+    uart_puts(" ");
+    uart_puts(req->path);
+    uart_puts("\n");
 
     /* Format IP address (stored in network byte order) */
     {
@@ -331,12 +406,15 @@ static void uart_puts(const char *s)
  * Uses vsnprintf from newlib-nano + uart_puts. */
 void wolfmqtt_log(const char *fmt, ...)
 {
-    char buf[128];
+    char buf[256];
     va_list ap;
+    int n;
     va_start(ap, fmt);
-    vsnprintf(buf, sizeof(buf), fmt, ap);
+    n = vsnprintf(buf, sizeof(buf), fmt, ap);
     va_end(ap);
     uart_puts(buf);
+    if (n >= (int)sizeof(buf))
+        uart_puts("...[truncated]\n");
 }
 
 static void uart_puthex(uint32_t val)

src/port/stm32h563/mqtt_broker.c

@@ -108,7 +108,7 @@ static int broker_tls_init(void)
     /* Load server certificate from embedded PEM */
     if (wolfSSL_CTX_use_certificate_buffer(ctx.ssl_ctx,
             (const unsigned char *)server_cert_pem,
-            (long)server_cert_pem_len,
+            server_cert_pem_len - 1,
             WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
         debug_print("MQTT Broker: Load cert failed\n");
         wolfSSL_CTX_free(ctx.ssl_ctx);
@@ -119,7 +119,7 @@ static int broker_tls_init(void)
     /* Load server private key from embedded PEM */
     if (wolfSSL_CTX_use_PrivateKey_buffer(ctx.ssl_ctx,
             (const unsigned char *)server_key_pem,
-            (long)server_key_pem_len,
+            server_key_pem_len - 1,
             WOLFSSL_FILETYPE_PEM) != WOLFSSL_SUCCESS) {
         debug_print("MQTT Broker: Load key failed\n");
         wolfSSL_CTX_free(ctx.ssl_ctx);