The wolfSSL embedded SSL/TLS library supports the Renesas Trusted Secure IP Driver (TSIP) and has been tested on the Renesas RX65N platform. Using the TSIP driver, wolfSSL can offload supported cryptographic and TLS operations to the underlying Renesas hardware for increased performance.
Supported TSIP Capabilities
wolfSSL has been integrated with the following TSIP capabilities:
- TSIP driver open/close
- Random number generation, tested with SP 800-22
- SHA-1 and SHA-256 hash function support
- AES-128-CBC and AES-256-CBC support
- TLS capabilities including:
- Root CA verification
- Client and/or Server certificate verification including intermediate certificate verification
- Support for four TLS cipher suites:
Function TSIP API
TSIP driver open/close R_TSIP_Open
Random Number Generation R_TSIP_GenerateRandomNumber
SHA-1 and SHA-256 R_TSIP_Sha1/256Init
AES-128-CBC and AES-256-CBC R_TSIP_Aes128/256CbcEncryptInit
Root CA Verification R_TSIP_GenerateTlsRsaPublicKeyIndex
Client or Server Certificate Verification R_TSIP_TlsCertificateVerification
TLS cipher suite support including AES-128-CBC, AES-256-CBC R_TSIP_TlsGeneratePreMasterSecret
The Renesas TSIP driver is outside the scope of the wolfSSL package download and needs to be obtained externally from Renesas.
Building wolfSSL with RX65N and TSIP Support
Support for Renesas RX65N and TSIP can be enabled at compile-time in wolfSSL by defining one or both of the following defines:
WOLFSSL_RENESAS_TSIP – enables Renesas TSIP support
WOLFSSL_RENESAS_RX65N – enables support for Renesas RX65N
wolfSSL TSIP Benchmarks
Algorithm Software Crypto TSIP Accelerated Crypto
RNG 231.160 KB/s 1.423 MB/s
SHA 1.239 MB/s 22.254 MB/s
SHA-256 515.565 KB/s 25.217 MB/s
Cipher Suite Software Crypto (sec) TSIP Accelerated Crypto (sec)
TLS_RSA_WITH_AES_128_CBC_SHA 0.381 0.028
TLS_RSA_WITH_AES_128_CBC_SHA256 0.383 0.028
TLS_RSA_WITH_AES_256_CBC_SHA 0.382 0.030
TLS_RSA_WITH_AES_256_CBC_SHA256 0.385 0.029
Our tests have shown that the implementation of TSIP Accelerated Crypto increased processing speed by an average of 2334%, resulting in 92% faster processing times.
Limitations of TSIP with wolfSSL
The following limitations exist when using wolfSSL with Renesas TSIP:
- TSIP TLS capabilities are fully available only when using one of the TSIP-supported cipher suites. These cipher suites include:
- The TSIP TLS capabilities support generation of the normal TLS master secret, but do not support the TLS Extended Master Secret Extension. TSIP TLS is not available when Extended Master Secret is used.
- The TSIP TLS certificate verification capability is only available when verifying a certificate signed by “RSA 2048 PSS with SHA-256”.
- The TSIP TLS capability, common cryptography, is available on client-side only. Server-side is not currently supported by the TSIP driver.
- TSIP uses one root CA certificate bundle signature signed by RSA-2048-PSS with SHA-256 available at runtime. When using a different root CA for TSIP TLS capabilities, applications need to call wolfCrypt_Init() to reset the TSIP driver state, then inform TSIP of a new signature and key through the tsip_inform_cert_sign() and tsip_inform_user_keys() APIs.
TSIP (Trusted Secure IP) Module Firmware Integration Technology APPLICATION NOTE Rev. 1.06
More information on using wolfSSL in combination with Renesas and wolfSSL’s support for Renesas can be found here: https://www.wolfssl.com/docs/renesas/
For support and more information about wolfSSL TSIP support, please contact the wolfSSL support team at email@example.com.