The wolfSSL embedded SSL/TLS library supports the Renesas Trusted Secure IP Driver (TSIP) and has been tested on the Renesas RX65N platform. Using the TSIP driver, wolfSSL can offload supported cryptographic and TLS operations to the underlying Renesas hardware for increased performance.
Supported TSIP Capabilities
wolfSSL has been integrated with the following TSIP capabilities:
- TSIP driver open/close
- Random number generation, tested with SP 800-22
- SHA-1 and SHA-256 hash function support
- AES-128-CBC and AES-256-CBC support
- TLS capabilities including:
- Root CA verification
- Client and/or Server certificate verification including intermediate certificate verification
- Support for four TLS cipher suites:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
Function TSIP API
TSIP driver open/close R_TSIP_Open
R_TSIP_Close
Random Number Generation R_TSIP_GenerateRandomNumber
SHA-1 and SHA-256 R_TSIP_Sha1/256Init
R_TSIP_Sha1/256Update
R_TSIP_Sha1/256Final
AES-128-CBC and AES-256-CBC R_TSIP_Aes128/256CbcEncryptInit
R_TSIP_Aes128/256CbcEncryptUpdate
R_TSIP_Aes128/256CbcEncryptFinal
R_TSIP_Aes128/256CbcDecryptInit
R_TSIP_Aes128/256CbcDecryptUpdate
R_TSIP_Aes128/256CbcDecryptFinal
Root CA Verification R_TSIP_GenerateTlsRsaPublicKeyIndex
R_TSIP_TlsRootCertificateVerification
Client or Server Certificate Verification R_TSIP_TlsCertificateVerification
TLS cipher suite support including AES-128-CBC, AES-256-CBC R_TSIP_TlsGeneratePreMasterSecret
R_TSIP_TlsEncryptPreMasterSecret
R_TSIP_TlsGenerateMasterSecret
R_TSIP_TlsGenerateSessionKey
R_TSIP_TlsGenerateVerifyData
R_TSIP_Sha1/256HmacVerifyInit
R_TSIP_Sha1/256HmacVerifyUpdate
R_TSIP_Sha1HmacVerifyFinal
The Renesas TSIP driver is outside the scope of the wolfSSL package download and needs to be obtained externally from Renesas.
Building wolfSSL with RX65N and TSIP Support
Support for Renesas RX65N and TSIP can be enabled at compile-time in wolfSSL by defining one or both of the following defines:
WOLFSSL_RENESAS_TSIP – enables Renesas TSIP support
WOLFSSL_RENESAS_RX65N – enables support for Renesas RX65N
wolfSSL TSIP Benchmarks
The following benchmarks show the performance improvement when using hardware cryptography on the Renesas RX65N through the Renesas TSIP driver.
Algorithm Software Crypto TSIP Accelerated Crypto
RNG 231.160 KB/s 1.423 MB/s
SHA 1.239 MB/s 22.254 MB/s
SHA-256 515.565 KB/s 25.217 MB/s
Cipher Suite Software Crypto (sec) TSIP Accelerated Crypto (sec)
TLS_RSA_WITH_AES_128_CBC_SHA 0.381 0.028
TLS_RSA_WITH_AES_128_CBC_SHA256 0.383 0.028
TLS_RSA_WITH_AES_256_CBC_SHA 0.382 0.030
TLS_RSA_WITH_AES_256_CBC_SHA256 0.385 0.029
Our tests have shown that the implementation of TSIP Accelerated Crypto increased processing speed by an average of 2334%, resulting in 92% faster processing times.
Limitations of TSIP with wolfSSL
The following limitations exist when using wolfSSL with Renesas TSIP:
- TSIP TLS capabilities are fully available only when using one of the TSIP-supported cipher suites. These cipher suites include:
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- The TSIP TLS capabilities support generation of the normal TLS master secret, but do not support the TLS Extended Master Secret Extension. TSIP TLS is not available when Extended Master Secret is used.
- The TSIP TLS certificate verification capability is only available when verifying a certificate signed by “RSA 2048 PSS with SHA-256”.
- The TSIP TLS capability, common cryptography, is available on client-side only. Server-side is not currently supported by the TSIP driver.
- TSIP uses one root CA certificate bundle signature signed by RSA-2048-PSS with SHA-256 available at runtime. When using a different root CA for TSIP TLS capabilities, applications need to call wolfCrypt_Init() to reset the TSIP driver state, then inform TSIP of a new signature and key through the tsip_inform_cert_sign() and tsip_inform_user_keys() APIs.
References
TSIP (Trusted Secure IP) Module Firmware Integration Technology APPLICATION NOTE Rev. 1.06
Support
More information on using wolfSSL in combination with Renesas and wolfSSL’s support for Renesas can be found here: https://www.wolfssl.com/docs/renesas/
If you have any questions or run into any issues, contact us at facts@wolfssl.com, or call us at +1 425 245 8247.