wolfSSL Renesas TSIP Support

wolfSSL has been integrated with the following TSIP capabilities:

• TSIP driver open/close
• Random number generation, tested with SP 800-22
• SHA-1 and SHA-256 hash function support
• AES-128-CBC and AES-256-CBC support
• TLS capabilities including:
  • Root CA verification
  • Client and/or Server certificate verification including intermediate certificate verification
  • Support for four TLS cipher suites:
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA256

Function	TSIP API
TSIP driver open/close	R_TSIP_Open R_TSIP_Close
Random Number Generation	R_TSIP_GenerateRandomNumber
SHA-1 and SHA-256	R_TSIP_Sha1/256Init R_TSIP_Sha1/256Update R_TSIP_Sha1/256Final
AES-128-CBC and AES-256-CBC	R_TSIP_Aes128/256CbcEncryptInit R_TSIP_Aes128/256CbcEncryptUpdate R_TSIP_Aes128/256CbcEncryptFinal R_TSIP_Aes128/256CbcDecryptInit R_TSIP_Aes128/256CbcDecryptUpdate R_TSIP_Aes128/256CbcDecryptFinal
Root CA Verification	R_TSIP_GenerateTlsRsaPublicKeyIndex R_TSIP_TlsRootCertificateVerification
Client or Server Certificate Verification	R_TSIP_TlsCertificateVerification
TLS cipher suite support including AES-128-CBC, AES-256-CBC	R_TSIP_TlsGeneratePreMasterSecret R_TSIP_TlsEncryptPreMasterSecret R_TSIP_TlsGenerateMasterSecret R_TSIP_TlsGenerateSessionKey R_TSIP_TlsGenerateVerifyData R_TSIP_Sha1/256HmacVerifyInit R_TSIP_Sha1/256HmacVerifyUpdate R_TSIP_Sha1HmacVerifyFinal

The Renesas TSIP driver is outside the scope of the wolfSSL package download and needs to be obtained externally from Renesas.

Support for Renesas RX65N and TSIP can be enabled at compile-time in wolfSSL by defining one or both of the following defines:

WOLFSSL_RENESAS_TSIP - enables Renesas TSIP support

WOLFSSL_RENESAS_RX65N - enables support for Renesas RX65N

The following benchmarks show the performance improvement when using hardware cryptography on the Renesas RX65N through the Renesas TSIP driver.

Algorithm	Software Crypto	TSIP Accelerated Crypto
RNG	231.160 KB/s	1.423 MB/s
SHA	1.239 MB/s	22.254 MB/s
SHA-256	515.565 KB/s	25.217 MB/s

Cipher Suite	Software Crypto (sec)	TSIP Accelerated Crypto (sec)
TLS_RSA_WITH_AES_128_CBC_SHA	0.381	0.028
TLS_RSA_WITH_AES_128_CBC_SHA256	0.383	0.028
TLS_RSA_WITH_AES_256_CBC_SHA	0.382	0.030
TLS_RSA_WITH_AES_256_CBC_SHA256	0.385	0.029

The following limitations exist when using wolfSSL with Renesas TSIP:

• TSIP TLS capabilities are fully available only when using one of the TSIP-supported cipher suites.  These cipher suites include:
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
• The TSIP TLS capabilities support generation of the normal TLS master secret, but do not support the TLS Extended Master Secret Extension.  TSIP TLS is not available when Extended Master Secret is used.
• The TSIP TLS certificate verification capability is only available when verifying a certificate signed by "RSA 2048 PSS with SHA-256".
• The TSIP TLS capability, common cryptography, is available on client-side only.  Server-side is not currently supported by the TSIP driver.
• TSIP uses one root CA certificate bundle signature signed by RSA-2048-PSS with SHA-256 available at runtime. When using a different root CA for TSIP TLS capabilities, applications need to call wolfCrypt_Init() to reset the TSIP driver state, then inform TSIP of a new signature and key through the tsip_inform_cert_sign() and tsip_inform_user_keys() APIs.

TSIP (Trusted Secure IP) Module Firmware Integration Technology APPLICATION NOTE Rev. 1.06

TSIP Product Page