Added OpenSSL to make use of ADS Secure Protocols.

[UserwithnoUsername]

Reason for the Pull Request

I had several Problems in the Past to acquire huge amounts of data, from different Beckhoff PLCs. For Security Reasons our PLCs and also most of the new PLCs have as default ADS Secure. Currently there is no clean way, to connect to a ADS Secure Route, without Installing TwinCAT on Windows, with an enormous overhead. Not to talk about a ADS Secure Route to Linux. When i found https://github.com/kevinherron/beckhoff-secure-ads/tree/main I thought, I also can Add it to this library. But to be fair the real Primary reason is, that i can switch to Linux at work because i don´t have the need for TwinCAT anymore as a Software Developer. Also i can change the Servers to Linux, which are connecting to the PLCs.

Summary

Adds TLS-secured ADS communication using OpenSSL, enabling connections to TwinCAT PLCs via three secure transport modes alongside the existing plain ADS. A new standalone test binary and interactive shell script are included
to validate all modes end-to-end.

New secure transport modes

Mode	Description
SSC (Self-Signed Certificate)	Client presents a self-signed X.509 certificate; optional username/password for first-time route registration on the PLC
SCA (Shared CA Certificate)	Mutual TLS with a common root CA; client cert must be signed by the same CA trusted by the PLC
PSK (Pre-Shared Key)	TLS-PSK using a derived key: SHA-256(UPPER(identity) + password) — no certificates required

Plain ADS continues to work unchanged.

New files

File	Purpose
AdsLib/SecureAdsConfig.h	SecureAdsConfig struct — unified config for all three modes
AdsLib/standalone/TlsSocket.{h,cpp}	OpenSSL wrapper (TLS 1.2+, PSK callback, cert/CA loading, select-based timeout)
AdsLib/standalone/TlsConnectInfo.h	Wire layout for the TLS handshake info frame (64-byte packed struct)
AdsLib/standalone/SecureAmsConnection.{h,cpp}	AmsConnectionBase subclass that routes traffic through TlsSocket
tools/test_connections.cpp	End-to-end test binary (read/write round-trip, latency benchmark, ADS state check)
tools/test_connections.sh	Interactive shell wrapper — builds automatically and runs selected test suites

Changed files

• AdsLib/AdsLib.h / standalone/AdsLib.{h,cpp} — new AdsAddSecureRoute / AdsAddSecureRouteByDns API entry points
• AdsLib/AmsRouter.{h,cpp} — AmsRouter dispatches to SecureAmsConnection when a SecureAdsConfig is present
• AdsLib/AmsConnection.h — AmsConnectionBase interface extended for virtual dispatch
• meson.build / AdsLib/CMakeLists.txt — OpenSSL dependency wired up; test_connections target added

How to test

Run tools/test_connections.sh. It builds the project automatically and presents an interactive menu to test each connection mode individually or all at once.

PLC configuration per mode

SSC (Self-Signed Certificate)

Works out of the box — the script auto-generates a self-signed client certificate if none exists. No static route pre-configuration is required on the PLC; the first connection registers the route using the supplied
credentials.

SCA (Shared CA Certificate)

Requires a shared root CA. The client certificate must be signed by the same CA that the PLC trusts. Exchange the CA and signed certificates between client and PLC before connecting.

Required StaticRoutes entry on the PLC:

  <Server>        
    <Tls IgnoreCn="true">
      <Ca>/etc/TwinCAT/3.1/Target/rootCA.pem</Ca>
      <Cert>/etc/TwinCAT/3.1/Target/ipc.crt</Cert>
      <Key>/etc/TwinCAT/3.1/Target/ipc.key</Key>                                                                                                                                                                                   
    </Tls>
  </Server>           

PSK (Pre-Shared Key)

No certificates needed. Identity and password must match what is configured on the PLC.

Required StaticRoutes entry on the PLC:

  <Server>
    <Tls>
      <Psk>
        <Identity>MY_IDENTITY</Identity>
        <Pwd>MySecret</Pwd>                                                                                                                                                                                                        
      </Psk>
    </Tls>                                                                                                                                                                                                                         
  </Server>       

Important constraints

• SCA and PSK are mutually exclusive — only one can be active on the PLC at a time; enabling both is not supported.
• PSK fails if an SSC session or a plain route already exists for the same device. Clear existing routes on the PLC before switching to PSK.
• The test script runs PSK first in the "All tests" mode for this reason — an existing SSC or plain route will cause PSK to be rejected.

Dependencies

• OpenSSL ≥ 1.1.1 (TLS 1.2 minimum; TLS-PSK via SSL_CTX_set_psk_client_callback)
• Tested on TwinCAT/BSD (Linux target), TwinCAT 3

Test plan

• tools/test_connections.sh builds successfully with OpenSSL present
• Plain ADS connects and passes read/write round-trip
• SSC connects on first attempt (with credentials) and on re-connect (without credentials)
• SCA connects after cert exchange and PLC StaticRoutes configuration
• PSK connects with matching identity and password configured on PLC
• SCA and PSK tests skip gracefully when prerequisites are absent
• Write/verify round-trip restores the original Main.dint1 value on failure

Further Considerations

What is considerable, is to change the build, that it is an Optional Feature. So when OpenSSL is available and you want to have Secure ADS in your library that you can choose between the build Type.

Regards Thomas

[pbruenn]

Hi @UserwithnoUsername,
Thanks for the PR. To be honest ADS-s is on my list for quite some time. The problem is its no so easy to integrate in a nice way. In your PR you duplicate the code for the entire AmsConnection handling. This is something I want to omit and cannot merge as is. I will keep your PR for others to use. And will try to refactor it when I find the time. Things which definitely need a cleanup are the white-space changes and minor fixups in the error logs. when you split them off into separate commits I might be able to merge them early and you PR stays easy to rebase.