feat: add openHiTLS backend support#2058
Conversation
tlhc commented Jun 16, 2026
- Add openHiTLS DTLS/TLS backend
- Integrate openHiTLS crypto into libcoap (D)TLS and OSCORE paths.
- Extend TLS tests and add interop validation script.
Pull request overview
Note: Copilot was unable to run its full agentic suite in this review.
Adds openHiTLS as a supported DTLS/TLS (and OSCORE-only) backend, with build-system integration and expanded TLS/crypto test coverage.
Changes:
- Introduce a new openHiTLS backend implementation (coap_openhitls.c) and expose it via the TLS library enum and debug/version string reporting.
- Integrate openHiTLS into Autotools + CMake builds (including OSCORE-only mode) and update licensing notes.
- Expand TLS/DTLS/OSCORE unit tests and add a backend smoke-test script for coap-client/coap-server.
Reviewed changes
Copilot reviewed 16 out of 16 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| tests/test_tls.c | Adds openHiTLS detection plus a large set of TLS/DTLS/OSCORE capability and behavior tests. |
| src/coap_sha1.c | Avoids compiling internal SHA1 fallback when openHiTLS (or openHiTLS OSCORE) is present. |
| src/coap_oscore.c | Consolidates recipient sequence APIs into a new function signature. |
| src/coap_openhitls.c | New openHiTLS DTLS/TLS + OSCORE crypto backend implementation. |
| src/coap_notls.c | Updates NOTLS compilation guards to exclude openHiTLS builds. |
| src/coap_debug.c | Adds openHiTLS to coap_string_tls_version() formatting. |
| include/coap3/coap_dtls.h | Adds COAP_TLS_LIBRARY_OPENHITLS enum value. |
| examples/tls_backend_testcases.sh | Adds a comprehensive local smoke test script for TLS backends (focused on openHiTLS). |
| examples/coap-server.c | Guards OSCORE helper functions behind COAP_OSCORE_SUPPORT to match build options. |
| examples/Makefile.am | Installs/distributes the new TLS backend test script. |
| configure.ac | Adds Autotools options and link checks for openHiTLS (DTLS/TLS + OSCORE-only). |
| cmake_coap_defines.h.in | Adds CMake config defines for openHiTLS and openHiTLS OSCORE-only. |
| cmake/FindopenHiTLS.cmake | New CMake find-module providing openHiTLS::openhitls target. |
| Makefile.am | Adds the new CMake find-module and includes src/coap_openhitls.c in sources. |
| LICENSE | Documents openHiTLS license implications. |
| CMakeLists.txt | Adds openHiTLS to selectable DTLS/OSCORE backends and links it via openHiTLS::openhitls. |
Currently libcoap can be built with openHiTLS support using this script: https://gist.github.com/tlhc/16b4ad85967c9039d006e3d4e621b698
7407365 to 140aa5f
Hi @mrdeep1, should I add GitHub Actions coverage for the new openHiTLS SSL backend in this PR?
Yes, this makes sense. As an FYI (have not looked into why yet), building and installing the openHiTLS libraries (into /usr/local/lib), and then (in the libcoap directory) running fails with
Thanks, I reproduced this. The current autotools detection handles the openHiTLS source-tree layout, but not the installed layout.
I suspect you may need the equivalent to
Makes sense, I will fix it; it's much clearer for autotools.
A very quick test shows that
OK, thanks for the guidance. I also used gcov to check the coverage:
- lines: 69.2% (1021 / 1476)
- functions: 96.0% (97 / 101)
- branches: 49.9% (638 / 1279)
I will continue improving the test coverage.
13062c4 to e4b7b1b
The ASan issue is fixed by validating the backend env
@mrdeep1 Added some tests, please take a look, thanks.
mrdeep1 left a comment
Thanks for doing all this work.
I have done an initial review of the code.
In general all looks to be fine, but I need to do some general interop between different TLS libraries type tests.
My real concern is the use of =DIR (or providing directory hints) to an openHiTLS build environment that has not had the libraries / include files installed like the other TLS library backends. I think this needs to be changed so things are consistent with the other backends.
It would be nice if openHiTLS provided a pkg-config .pc file at some point.
| "${OPENHITLS_INCLUDE_DIR}" | ||
| "${OPENHITLS_INCLUDE_DIR}/bsl" | ||
| "${OPENHITLS_INCLUDE_DIR}/crypto") |
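Review bot: the three entries expand `${OPENHITLS_INCLUDE_DIR}` unconditionally, so if that variable is empty (header search failed) the list degrades to `/bsl` and `/crypto`, two absolute paths at the filesystem root that would be added to the include search path without any error. Guard the list with `if(OPENHITLS_INCLUDE_DIR)` (or make the preceding header lookup fail hard) before appending, and add a one-line comment explaining why the per-module subdirectories are needed so a later reader does not drop them as redundant with the `#include` prefixes in the sources.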
There is no need for the additional /tls, /bsl, /crypto and /pki suffixes as src/coap_openhitls.c has them in the #include statements.
Same for all the instances that follow.
libcoap sources already use the prefix
The per-module dirs are still listed because the installed openHiTLS headers include sibling-module headers by bare name (without prefix).
When openHiTLS upstream fixes the install path, we will remove these submodule includes.
| else | ||
| AC_MSG_ERROR([==> Option '--enable-dtls' is set but none of the needed cryptography libraries GnuTLS, OpenSSL, wolfSSL, Mbed TLS or TinyDTLS could be found! | ||
| Install at least one of the package(s) that contains the development files for GnuTLS (>= $gnutls_version_required), OpenSSL(>= $openssl_version_required), wolfSSL(>= $wolfssl_version_required), Mbed TLS(>= $mbedtls_version_required), or TinyDTLS(>= $tinydtls_version_required) | ||
| Install at least one of the package(s) that contains the development files for GnuTLS (>= $gnutls_version_required), OpenSSL(>= $openssl_version_required), wolfSSL(>= $wolfssl_version_required), Mbed TLS(>= $mbedtls_version_required), or TinyDTLS(>= $tinydtls_version_required), explicitly select openHiTLS using '--with-openhitls', |
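Review bot: the error message is inconsistent about openHiTLS: the first line reports that none of GnuTLS, OpenSSL, wolfSSL, Mbed TLS or TinyDTLS could be found, and the tail then tells the user to "explicitly select openHiTLS using '--with-openhitls'" without openHiTLS ever appearing in the list of libraries that were searched for. Either add openHiTLS to both the searched-for list and the "Install at least one of the package(s)" sentence (if it is auto-detected like the others), or say plainly that it is opt-in. The two "Install at least one of ..." lines also read as the old and new wording of the same sentence, so check that the final message does not print both.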
I would like to see openHiTLS having the develop environment as well.
Added auto fallback for DTLS backend detection.
| t_tls3(void) { | ||
| const coap_tls_version_t *v = coap_get_tls_library_version(); | ||
| t_tls_support_t support = t_tls_expected_support(); | ||
|
|
||
| ReturnIf_CU_ASSERT_PTR_NOT_NULL(v); | ||
| CU_ASSERT(v->type == support.type); | ||
| CU_ASSERT(coap_dtls_is_supported() == support.dtls); | ||
| CU_ASSERT(coap_tls_is_supported() == support.tls); | ||
| CU_ASSERT(coap_dtls_psk_is_supported() == support.psk); | ||
| CU_ASSERT(coap_dtls_pki_is_supported() == support.pki); | ||
| CU_ASSERT(coap_dtls_pkcs11_is_supported() == support.pkcs11); | ||
| CU_ASSERT(coap_dtls_rpk_is_supported() == support.rpk); | ||
| CU_ASSERT(coap_dtls_cid_is_supported() == support.cid); |
Depending on the version of the TLS library, not all the options are available. For example, OpenSSL 4.0 does not (yet) have PKCS11 support, but OpenSSL 3.0, which has ENGINE support, does.
Not sure we should be doing this set of testing unless there are wrappers as needed for the different library versions.
These changes in
@mrdeep1 Thank you for your review. I’ve checked the issues and will fix them one by one. |
Thanks for doing all this work. I would like to see I am continuing to check things. |
OK, done, applied this patch |
applied |
e25ad8f to 396cc55
mrdeep1 left a comment
Thanks for doing all this work.
A couple of other changes required.
I'm still doing ongoing testing.
| #if defined(_WIN32) | ||
| *(int32_t *)parg = -1; | ||
| #else /* ! _WIN32 */ | ||
| *(int32_t *)parg = (int32_t)env->session->sock.fd; |
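Review bot: the `_WIN32` branch stores -1 unconditionally, so on Windows the callback reports "no socket" rather than signalling an error, while the other branch always reads `env->session->sock.fd`. Make sure whatever consumes `parg` treats -1 as a failure (or return an explicit error on that platform) so a (D)TLS session is never set up with no usable socket, and add a comment on the `_WIN32` branch stating why the fd is unavailable there.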
Unfortunately, this needs to be
+#if COAP_SERVER_SUPPORT
+ *(int32_t *)parg = COAP_PROTO_NOT_RELIABLE(env->session->proto) ? env->session->type !=
+ COAP_SESSION_TYPE_CLIENT ? env->session->endpoint->sock.fd :
+ env->session->sock.fd : env->session->sock.fd;
+#else /* ! COAP_SERVER_SUPPORT */
*(int32_t *)parg = (int32_t)env->session->sock.fd;
+#endif /* ! COAP_SERVER_SUPPORT */
as server UDP sockets hang off the endpoints, not the sessions.
| version.version = BSL_LOG_GetVersionNum(); | ||
| version.built_version = OPENHITLS_VERSION_I; |
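Review bot: `version.version` is obtained at run time and `version.built_version` from a compile-time macro, but nothing compares the two, so a header/library mismatch (libcoap compiled against one openHiTLS and loaded with another) goes unnoticed. Consider logging at debug level when `version.version != version.built_version`, and document next to these two lines which header defines `OPENHITLS_VERSION_I` so the source of the built value is clear.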
openHiTLS CMakeLists.txt does a
set(OPENHITLS_VERSION_I "4194304" CACHE STRING "openHiTLS version integer")
which overrides the definition in include/bsl/bsl_log.h when building the code, but when compiling libcoap, this hand coded definition override is not there. This should be in one place. openHiTLS issue raised.
This is a note for now.
| if((OSCORE_BACKEND STREQUAL "openhitls") OR ((DTLS_BACKEND STREQUAL "default") AND (NOT DTLS_FOUND))) | ||
| # libopenhitls | ||
| find_package(openHiTLS ${DTLS_REQUIRED}) | ||
| if(openHiTLS_FOUND) | ||
| set(WITH_OPENHITLS ON) | ||
| message(STATUS "compiling with openHiTLS support") | ||
| set(COAP_WITH_LIBOPENHITLS 1) | ||
| set(DTLS_FOUND ON) | ||
| endif() | ||
| endif() | ||
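Review bot: the condition couples the two backend selections: choosing `OSCORE_BACKEND=openhitls` enters this block and sets `WITH_OPENHITLS` and `DTLS_FOUND`, i.e. it selects openHiTLS as the (D)TLS backend as well, even when a different DTLS backend was requested and already found. Split the cases so that only the `(DTLS_BACKEND STREQUAL "default") AND (NOT DTLS_FOUND)` path sets `WITH_OPENHITLS`, and handle the OSCORE-only selection in its own block.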
With the latest changes in the libcoap develop branch, this is no longer needed.
Synced with libcoap upstream dev, removed.
| if((OSCORE_BACKEND STREQUAL "openhitls") AND (NOT DTLS_FOUND)) | ||
| find_package(openHiTLS REQUIRED) | ||
| set(WITH_OPENHITLS_OSCORE ON) | ||
| message(STATUS "compiling with openHiTLS OSCORE support") | ||
| set(COAP_WITH_LIBOPENHITLS_OSCORE 1) | ||
| set(DTLS_FOUND ON) | ||
| endif() | ||
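Review bot: `find_package(openHiTLS REQUIRED)` aborts configuration when the library is absent, yet the block then sets `WITH_OPENHITLS_OSCORE` and `DTLS_FOUND` without checking `openHiTLS_FOUND`; if REQUIRED is ever relaxed (for example to match the `${DTLS_REQUIRED}` usage in the DTLS block), these flags would be set for a backend that was not found, so guard them with `if(openHiTLS_FOUND)`. Separately, setting `DTLS_FOUND ON` in an OSCORE-only block means later logic cannot tell "DTLS available" from "OSCORE crypto only"; a dedicated variable for the OSCORE-only case would be clearer.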
This needs to be
if((OSCORE_BACKEND STREQUAL "openhitls") AND (NOT DTLS_FOUND))
# libopenhitls
find_package(openHiTLS REQUIRED)
if(openHiTLS_FOUND)
set(WITH_OPENHITLS_OSCORE ON)
message(STATUS "compiling with openHiTLS OSCORE support")
set(COAP_WITH_LIBOPENHITLS_OSCORE 1)
set(DTLS_FOUND ON)
endif()
endif()
The latest update to the openHiTLS main branch replaces
Update with the new version check API
b30698b to f780fba
Thanks for all this. I will run some overnight regression tests to check that all is OK before merging.
Sounds good, and thank you for taking the time to verify everything.
53176cf to 37fd3e4
It would be good to add this change,
Done, applied this patch; looks good and clean.