wolfSSL
diff --git a/‎.github/workflows/stm32h563-m33mu.yml‎
Lines changed: 206 additions & 1 deletion b/‎.github/workflows/stm32h563-m33mu.yml‎
Lines changed: 206 additions & 1 deletion
diff --git a/‎src/port/stm32h563/README.md‎
Lines changed: 120 additions & 4 deletions b/‎src/port/stm32h563/README.md‎
Lines changed: 120 additions & 4 deletions
@@ -1,4 +1,4 @@
-name: STM32H563 m33mu (echo only)
+name: STM32H563 m33mu
 
 on:
   push:
@@ -109,3 +109,208 @@ jobs:
           if [ -f /tmp/m33mu.pid ]; then
             sudo kill "$(cat /tmp/m33mu.pid)" 2>/dev/null || true
           fi
+
+  stm32h563_m33mu_full:
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    container:
+      image: ghcr.io/danielinux/m33mu-ci:1.5
+      options: --privileged
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Clone wolfSSL, wolfSSH, wolfMQTT
+        run: |
+          set -euo pipefail
+          cd ..
+          git clone --depth 1 https://github.com/wolfSSL/wolfssl.git
+          git clone --depth 1 https://github.com/wolfSSL/wolfssh.git
+          git clone --depth 1 https://github.com/wolfSSL/wolfMQTT.git wolfmqtt
+
+      - name: Install host tools
+        run: |
+          set -euo pipefail
+          apt-get update
+          apt-get install -y sudo dnsmasq iproute2 netcat-openbsd \
+                             curl mosquitto-clients openssh-client
+
+      - name: Build STM32H563 full firmware
+        run: |
+          set -euo pipefail
+          make -C src/port/stm32h563 \
+            ENABLE_HTTPS=1 ENABLE_MQTT_BROKER=1 ENABLE_SSH=1 \
+            CC=arm-none-eabi-gcc OBJCOPY=arm-none-eabi-objcopy
+
+      - name: Run m33mu + DHCP + full test
+        timeout-minutes: 15
+        run: |
+          set -euo pipefail
+
+          cleanup() {
+            set +e
+            if [ -f /tmp/m33mu.pid ]; then
+              sudo kill "$(cat /tmp/m33mu.pid)" 2>/dev/null || true
+            fi
+            sudo pkill -x m33mu 2>/dev/null || true
+            if [ -f /tmp/dnsmasq.pid ]; then
+              sudo kill "$(cat /tmp/dnsmasq.pid)" 2>/dev/null || true
+            fi
+            sudo ip link del tap0 2>/dev/null || true
+          }
+          trap cleanup EXIT
+
+          sudo ip tuntap add dev tap0 mode tap
+          sudo ip addr add 192.168.12.1/24 dev tap0
+          sudo ip link set tap0 up
+
+          cat > /tmp/dnsmasq.conf <<'EOF'
+          interface=tap0
+          bind-interfaces
+          dhcp-range=192.168.12.50,192.168.12.100,255.255.255.0,12h
+          dhcp-leasefile=/tmp/dnsmasq.leases
+          log-dhcp
+          EOF
+          sudo dnsmasq --conf-file=/tmp/dnsmasq.conf --pid-file=/tmp/dnsmasq.pid
+
+          sudo m33mu src/port/stm32h563/app.bin \
+            --cpu stm32h563 --tap:tap0 --uart-stdout --timeout 240 \
+            2>&1 | tee /tmp/m33mu.log &
+          sleep 1
+          m33mu_pid="$(pgrep -n -x m33mu || true)"
+          if [ -n "${m33mu_pid}" ]; then
+            echo "${m33mu_pid}" > /tmp/m33mu.pid
+          fi
+
+          # Wait for DHCP lease
+          ip=""
+          for _ in $(seq 1 60); do
+            if [ -s /tmp/dnsmasq.leases ]; then
+              ip="$(tail -n1 /tmp/dnsmasq.leases | cut -d' ' -f3)"
+            fi
+            if [ -n "${ip}" ]; then
+              break
+            fi
+            sleep 1
+          done
+          if [ -z "${ip}" ]; then
+            echo "No DHCP lease acquired."
+            tail -n 200 /tmp/m33mu.log || true
+            exit 1
+          fi
+          echo "Leased IP: ${ip}"
+
+          # Helper: check m33mu is still running
+          check_alive() {
+            if ! pgrep -x m33mu >/dev/null 2>&1; then
+              echo "FAIL: m33mu exited unexpectedly."
+              tail -n 200 /tmp/m33mu.log || true
+              exit 1
+            fi
+          }
+
+          # Test 1: TCP Echo (port 7)
+          echo "=== Test 1: TCP Echo ==="
+          ok=0
+          for _ in $(seq 1 20); do
+            check_alive
+            if printf "ping" | nc -w 2 "${ip}" 7 | grep -q "ping"; then
+              ok=1; break
+            fi
+            sleep 0.5
+          done
+          if [ "${ok}" -ne 1 ]; then
+            echo "FAIL: Echo test."
+            tail -n 200 /tmp/m33mu.log || true
+            exit 1
+          fi
+          echo "PASS: Echo test."
+
+          # Test 2: HTTPS Web Server (port 443)
+          echo "=== Test 2: HTTPS Server ==="
+          ok=0
+          for _ in $(seq 1 10); do
+            check_alive
+            resp="$(curl -k -s --max-time 10 "https://${ip}/" 2>/dev/null || true)"
+            if echo "${resp}" | grep -q "wolfIP Status"; then
+              ok=1; break
+            fi
+            sleep 2
+          done
+          if [ "${ok}" -ne 1 ]; then
+            echo "FAIL: HTTPS test."
+            tail -n 200 /tmp/m33mu.log || true
+            exit 1
+          fi
+          echo "PASS: HTTPS test."
+
+          # Test 3: TLS Echo (port 8443)
+          echo "=== Test 3: TLS Echo ==="
+          sleep 5  # allow recovery from HTTPS TLS session
+          ok=0
+          for _ in $(seq 1 5); do
+            check_alive
+            resp="$(echo "TLS-ping" | timeout 10 openssl s_client \
+              -connect "${ip}:8443" -quiet 2>/dev/null || true)"
+            if echo "${resp}" | grep -q "TLS-ping"; then
+              ok=1; break
+            fi
+            sleep 3
+          done
+          if [ "${ok}" -ne 1 ]; then
+            echo "FAIL: TLS echo test."
+            tail -n 200 /tmp/m33mu.log || true
+            exit 1
+          fi
+          echo "PASS: TLS echo test."
+
+          # Test 4: MQTT Broker (port 8883)
+          echo "=== Test 4: MQTT Broker ==="
+          sleep 5  # allow recovery from TLS echo session
+          # Extract cert from certs.h for mosquitto
+          sed -n '/server_cert_pem\[\]/,/^";$/p' src/port/certs.h \
+            | sed 's/^"//; s/"$//; s/\\n$//' \
+            | grep -v '^static\|^;' > /tmp/wolfip_cert.pem
+          ok=0
+          for _ in $(seq 1 5); do
+            check_alive
+            out="$(mosquitto_pub -h "${ip}" -p 8883 \
+              --cafile /tmp/wolfip_cert.pem --insecure \
+              -t "ci/test" -m "hello" -d 2>&1 || true)"
+            if echo "${out}" | grep -q "CONNACK"; then
+              ok=1; break
+            fi
+            sleep 5
+          done
+          if [ "${ok}" -ne 1 ]; then
+            echo "FAIL: MQTT broker test."
+            tail -n 200 /tmp/m33mu.log || true
+            exit 1
+          fi
+          echo "PASS: MQTT broker test."
+
+          # Test 5: SSH Server (port 22)
+          echo "=== Test 5: SSH Server ==="
+          sleep 5  # allow recovery from MQTT TLS session
+          ok=0
+          for _ in $(seq 1 5); do
+            check_alive
+            # Test SSH banner (connection-level check, no auth)
+            resp="$(timeout 10 bash -c "echo '' | nc -w 5 ${ip} 22" 2>/dev/null || true)"
+            if echo "${resp}" | grep -qi "ssh"; then
+              ok=1; break
+            fi
+            sleep 3
+          done
+          if [ "${ok}" -ne 1 ]; then
+            echo "FAIL: SSH banner test."
+            tail -n 200 /tmp/m33mu.log || true
+            exit 1
+          fi
+          echo "PASS: SSH banner test."
+
+          echo ""
+          echo "=== All tests passed ==="
+          if [ -f /tmp/m33mu.pid ]; then
+            sudo kill "$(cat /tmp/m33mu.pid)" 2>/dev/null || true
+          fi
@@ -8,13 +8,13 @@ This directory contains a bare-metal port of wolfIP for the STM32H563 microcontr
    ```bash
    cd src/port/stm32h563
    CC=arm-none-eabi-gcc OBJCOPY=arm-none-eabi-objcopy \
-   make ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT=1
+   make ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT_BROKER=1
    ```
 
 2. **Flash to board:**
    ```bash
    openocd -f interface/stlink-dap.cfg -f target/stm32h5x.cfg \
-       -c "program app.bin 0x08000000 verify reset exit"
+       -c "program app.elf verify reset exit"
    ```
 
 3. **Monitor UART output** (115200 baud on /dev/ttyACM0):
@@ -33,6 +33,11 @@ This directory contains a bare-metal port of wolfIP for the STM32H563 microcontr
 
    # SSH (password: wolfip)
    ssh admin@<device-ip>
+
+   # MQTT Broker (TLS on port 8883)
+   mosquitto_pub -h <device-ip> -p 8883 \
+       --cafile /tmp/wolfip_cert.pem --insecure \
+       -t "test/hello" -m "Hello MQTT!" -d
    ```
 
 ## Hardware Requirements
@@ -349,18 +354,19 @@ make ENABLE_SSH=1 WOLFSSH_ROOT=/path/to/wolfssh
 
 ### Full Featured Build
 
-Build with all features (TLS echo, HTTPS web server, and SSH shell).
+Build with all features (TLS echo, HTTPS web server, SSH shell, and MQTT broker).
 TLS is automatically enabled when any feature that requires it is set:
 
 ```bash
-make ENABLE_HTTPS=1 ENABLE_SSH=1
+make ENABLE_HTTPS=1 ENABLE_SSH=1 ENABLE_MQTT_BROKER=1
 ```
 
 This provides:
 - TCP echo server on port 7
 - TLS echo server on port 8443
 - HTTPS web server on port 443
 - SSH shell on port 22
+- MQTT broker on port 8883 (TLS)
 
 ### TLS Example Output
 
@@ -784,6 +790,116 @@ This provides:
 | `../wolfmqtt_io.c` | wolfMQTT I/O glue layer for wolfIP sockets |
 | `user_settings.h` | wolfMQTT compile-time configuration |
 
+## MQTT Broker
+
+When built with `ENABLE_MQTT_BROKER=1`, the device runs a TLS-secured MQTT broker on port 8883.
+
+### Building MQTT Broker Mode
+
+```bash
+# Clone wolfMQTT alongside wolfip (broker support required)
+cd /path/to/parent
+git clone https://github.com/wolfSSL/wolfMQTT.git wolfmqtt
+
+# Build with broker (and optionally HTTPS + SSH)
+cd wolfip/src/port/stm32h563
+make ENABLE_MQTT_BROKER=1 ENABLE_HTTPS=1 ENABLE_SSH=1
+```
+
+### Expected Serial Output (MQTT Broker)
+
+```
+Initializing MQTT broker...
+MQTT Broker: Initializing
+Entering main loop. Ready for connections!
+MQTT Broker: TLS initialized (TLS 1.3, ECC P-256)
+broker: plain port == TLS port (8883), TLS-only mode
+broker: listening on port 8883 (TLS)
+MQTT Broker: Running on port 8883 (TLS)
+```
+
+When a client connects, the broker logs the full lifecycle:
+```
+broker: accept sock=261 (TLS)
+broker: TLS handshake done sock=261 TLSv1.3
+broker: CONNECT recv sock=261 len=14
+broker: CONNECT proto=4 clean=1 will=0 client_id=(null)
+broker: CONNACK send sock=261 code=0
+broker: disconnect sock=261
+```
+
+### Extracting the Server Certificate
+
+The broker uses a self-signed ECC P-256 certificate embedded in `../certs.h`. To test with TLS clients, extract it to a PEM file:
+
+```bash
+# Manual: copy the PEM block from src/port/certs.h to a file
+cat > /tmp/wolfip_cert.pem << 'EOF'
+-----BEGIN CERTIFICATE-----
+MIIByTCCAW+gAwIBAgIUW3k96+M3BtW7CJRDEO/u5BaaGjgwCgYIKoZIzj0EAwIw
+...
+-----END CERTIFICATE-----
+EOF
+```
+
+### Testing the MQTT Broker
+
+Install mosquitto client tools: `sudo apt install mosquitto-clients`
+
+#### Test 1: Publish (verify broker accepts connections)
+
+```bash
+mosquitto_pub -h <device-ip> -p 8883 \
+    --cafile /tmp/wolfip_cert.pem --insecure \
+    -t "test/hello" -m "Hello wolfIP!" -d
+```
+
+Expected output:
+```
+Client null sending CONNECT
+Client null received CONNACK (0)
+Client null sending PUBLISH (d0, q0, r0, m1, 'test/hello', ... (13 bytes))
+Client null sending DISCONNECT
+```
+
+The `CONNACK (0)` confirms the broker accepted the connection.
+
+#### Test 2: Subscribe and Publish (round-trip)
+
+```bash
+# Terminal 1: Start subscriber (allow time for TLS handshake)
+mosquitto_sub -h <device-ip> -p 8883 \
+    --cafile /tmp/wolfip_cert.pem --insecure \
+    -t "test/#" -v
+
+# Terminal 2: Publish (wait ~10s after subscriber connects)
+mosquitto_pub -h <device-ip> -p 8883 \
+    --cafile /tmp/wolfip_cert.pem --insecure \
+    -t "test/hello" -m "Round-trip works!"
+```
+
+**Important:** The embedded Cortex-M33 needs several seconds per TLS handshake. Allow 8-10 seconds between connecting the subscriber and publisher to avoid overwhelming the device with concurrent TLS negotiations.
+
+### MQTT Broker Configuration
+
+| Setting | Default | File |
+|---------|---------|------|
+| Port (TLS) | 8883 | `mqtt_broker.c` |
+| Max Clients | 4 | `user_settings.h` (`BROKER_MAX_CLIENTS`) |
+| Max Subscriptions | 16 | `user_settings.h` (`BROKER_MAX_SUBS`) |
+| RX/TX Buffer | 1024 bytes | `user_settings.h` |
+| Max Payload | 1024 bytes | `user_settings.h` |
+| Log Level | INFO (2) | `user_settings.h` (`BROKER_LOG_LEVEL_DEFAULT`) |
+| TLS Version | TLS 1.3 | `mqtt_broker.c` |
+
+### MQTT Broker Files
+
+| File | Description |
+|------|-------------|
+| `mqtt_broker.c/h` | Broker state machine wrapper for wolfIP |
+| `../certs.h` | Embedded ECC P-256 cert/key (shared with TLS/HTTPS) |
+| `user_settings.h` | wolfMQTT broker compile-time config |
+
 ## Files
 
 | File | Description |