The wolfSSL embedded SSL/TLS library supports the Renesas Trusted Secure IP Driver (TSIP) and has been tested on the Renesas RX65N platform. Using the TSIP driver, wolfSSL can offload supported cryptographic and TLS operations to the underlying Renesas hardware for increased performance.
Supported TSIP Capabilities
wolfSSL has been integrated with the following TSIP capabilities:
- TSIP driver open/close
- Random number generation, tested with SP 800-22
- SHA-1 and SHA-256 hash function support
- AES-128-CBC and AES-256-CBC support
- TLS capabilities including:
  - Root CA verification
  - Client and/or Server certificate verification including intermediate certificate verification
  - Support for four TLS cipher suites:
|TSIP driver open/close||R_TSIP_Open|
|Random Number Generation||R_TSIP_GenerateRandomNumber|
|SHA-1 and SHA-256||R_TSIP_Sha1/256Init|
|AES-128-CBC and AES-256-CBC||R_TSIP_Aes128/256CbcEncryptInit|
|Root CA Verification||R_TSIP_GenerateTlsRsaPublicKeyIndex|
|Client or Server Certificate Verification||R_TSIP_TlsCertificateVerification|
|TLS cipher suite support including AES-128-CBC, AES-256-CBC||R_TSIP_TlsGeneratePreMasterSecret|
The Renesas TSIP driver is outside the scope of the wolfSSL package download and needs to be obtained externally from Renesas.
Building wolfSSL with RX65N and TSIP Support
Support for Renesas RX65N and TSIP can be enabled at compile time in wolfSSL by defining one or both of the following preprocessor macros:
- WOLFSSL_RENESAS_TSIP - enables Renesas TSIP support
- WOLFSSL_RENESAS_RX65N - enables support for Renesas RX65N
wolfSSL TSIP Benchmarks
The following benchmarks show the performance improvement when using hardware cryptography on the Renesas RX65N through the Renesas TSIP driver.
|Algorithm||Software Crypto||TSIP Accelerated Crypto|
|RNG||231.160 KB/s||1.423 MB/s|
|SHA||1.239 MB/s||22.254 MB/s|
|SHA-256||515.565 KB/s||25.217 MB/s|
|Cipher Suite||Software Crypto (sec)||TSIP Accelerated Crypto (sec)|
Limitations of TSIP with wolfSSL
The following limitations exist when using wolfSSL with Renesas TSIP:
- TSIP TLS capabilities are fully available only when using one of the TSIP-supported cipher suites. These cipher suites include:
- The TSIP TLS capabilities support generation of the normal TLS master secret, but do not support the TLS Extended Master Secret Extension. TSIP TLS is not available when Extended Master Secret is used.
- The TSIP TLS certificate verification capability is only available when verifying a certificate signed by "RSA 2048 PSS with SHA-256".
- The TSIP TLS capability, common cryptography, is available on the client side only. The server side is not currently supported by the TSIP driver.
- TSIP uses one root CA certificate bundle signature signed by RSA-2048-PSS with SHA-256 available at runtime. When using a different root CA for TSIP TLS capabilities, applications need to call wolfCrypt_Init() to reset the TSIP driver state, then inform TSIP of a new signature and key through the tsip_inform_cert_sign() and tsip_inform_user_keys() APIs.
TSIP (Trusted Secure IP) Module Firmware Integration Technology APPLICATION NOTE Rev. 1.06
More information on using wolfSSL in combination with Renesas and wolfSSL's support for Renesas can be found here: https://www.wolfssl.com/docs/renesas/
For support and more information about wolfSSL TSIP support, please contact the wolfSSL support team at email@example.com.