Improving wolfSSL integration with the Espressif ESP-IDF

[gojimmypi]

Version

latest

Description

Improving wolfSSL integration with the Espressif ESP-IDF

This is an anchor GitHub issue to track the various upcoming pull requests and other issues related to improving the wolfSSL cryptographic library integration with the Espressif ESP-IDF.

The wolfSSL libraries are available for a given project, but the integration with the ESP-IDF core is not as robust as it should be.

There's a companion issue at Espressif: https://github.com/espressif/esp-idf/issues/13966

Features To Do

• [ ] Include wolfSSL as an ESP-IDF component. See preview here.
• [ ] Full wolfSSL ESP-TLS integration.
• [ ] Add wolfSSL support to bootloader_support
• [ ] Add wolfSSL support to bt
• [ ] Add wolfSSL support to espcoredump
• [ ] Add wolfSSL support to esp_http_client example
• [ ] Add wolfSSL support to esp_https_server
• [ ] Add wolfSSL support to esp_http_server
• [ ] Add wolfSSL support to esp_rom
• [ ] Add wolfSSL support to lwip
• [ ] Add wolfSSL support to mqtt
• [ ] Add wolfSSL support to openthread
• [ ] Add wolfSSL support to protocomm
• [ ] Add wolfSSL support to wpa_supplicant
• [ ] CI/CD, Testing, Jenkins at wolfSSL

Reasons for choosing wolfSSL instead of mbedTLS

For serious commercial applications needing or users simply needing more capable, flexible, and actively supported libraries developers should choose wolfSSL.

wolfSSL is a TLS library. wolfSSL offers:

• optimal performance
• rapid integration
• hardware crypto support
• support for the most current standards.

wolfSSL is the best tested crypto support, the #1 TLS in IoT and the first embedded TLS 1.3 platform with TPM 2.0, MQTT, FIPS 140 certification, hardware crypto acceleration and secure enclave support. All products are backed by 24/7 support.

	wolfSSL	mbed TLS
TECHNOLOGY
Copyright	wolfSSL Inc.	Multiple Owners
Development Team	Original developers still on project	Based on XySSL/PolarSSL, not maintained by the original developers
Portability	"Portable Out of the Box Win32/64, Linux, OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, TRON/ITRON/µITRON, Micrium's µC OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, Keil RTX, TI-RTOS, Integrity OS"	Win32/64, Linux, OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, SeggerOS
Standards Support	SSLv3 - TLS 1.3, DTLS 1.0,1.2, 1.3	TLS 1.2/TLS 1.3 and DTLS 1.2
Server Support	YES	YES
Performance	Awesome! See our benchmarks page: https://www.wolfssl.com/docs/benchmarks/	Average
Hardware & Assembly Optimizations	- ARM Assembly Optimizations (Aarch32/Aarch64/Arm32/Cortex-M/Neon) - ARMv8 Cryptography Extensions - RISC-V Assembly - STM32 F2/F4/F7/L4/L5/U5/H5/H7 Hardware Crypto - ATECC608B, ST-SAFEA110, SE050, IoT-Safe - Single Precision Math (C and Assembly)	Some ARM optimizations
Command Line Utility	YES	NO
Certifications	YES (FIPS 140-3, DO-178 DAL-A)	NO
Certificate Revocation Support	CRL, OCSP, OCSP Stapling	CRL
Crypto Library Abstraction Layer	YES	NO
SSL Inspection (Sniffer) Support	YES	NO
Compression Support	zlib NO
OpenSSL Compatibility Layer	YES (Actively updated - over 1,600)	YES (Out of date)
Post Quantum Support	Kyber, LMS, XMSS and Dilithum/Falcon	NO
Supported Open Source Projects	OpenSSH, Stunnel, WPA Supplicant, lighttpd (lighty), cURL, mongoose, OpenVPN, NGINX and many others
Quality Assurance Testing	API Tests, Peer Review, Static Analysis, Product Specific Testing, Multiple Compilers, Benchmarks, Wrappers, Hardware Accelerated Testing, Security fuzzers (wolfSSL internal fuzzer, AFL, TLS Fuzzer, libFuzzer), known user configurations, external validation, big/little endian, multiple platforms (Embedded IOT Devices, Windows, Many Linux variants, MacOS, XCODE, Android)	Broken scripts
SUPPORT DOCUMENTATION LICENSING
Documentation	YES (complete manual, API reference, build instructions, extensions reference, tutorials, source code, benchmarking, examples)	PARTIAL (build instructions, API reference, source code)
Vulnerabilities	Fixes available within a few days	Fixes available few months or not at all
License Dual (GPLv2 / Commercial)	Dual (GPLv2 / Apache 2.0)
Royalty Free	YES	YES
Up to 24x7 Support	YES (Full support from native English speakers via email, phone, forums)	NO
FEATURES
Random Entropy	wolfRAND, NIST DRBG (SHA-256)	DRBG SHA-1/SHA2-256
Hashing/Cipher Functions	AES SIV/CFB/OFB, SHAKE, Blake2b/Blake2s, ECIES (ECC Enc/Dec)	NO
Public Key Options	Single Precision math, ECC Fixed Point cache ECC NIST	"modulo p" speedups
TLS Extensions	SNI, Max Fragment, ALPN, Trusted CA Indication, Truncated HMAC, Secure Renegotiation, Renegotiation Indication, Session Ticket, Extended Master Secret, Encrypt-Then-Mac, Quantum-Safe Hybrid Authentication	Max Fragment, Encrypt-Then-Mac

Getting Started with wolfSSL

If you are new to wolfSSL on the Espressif ESP32, this video can help to get started:

Additional ESP-IDF specifics can be found in Espressif/ESP-IDF. The wolfSSL Manual is also a useful resource.

The core Espressif IDE information for wolfSSL can be found here:

https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif

Included are the following examples:

• Bare-bones Template
• Simple TLS Client / TLS Server
• Cryptographic Test
• Cryptographic Benchmark

Managed Components

The wolfSSL libraries are already available as Espressif Managed Components from the ESP Registry for installation to a specific project.

• release
  • wolfSSL wolfssl/wolfssl
  • wolfSSH wolfssl/wolfssh
  • wolfMQTT wolfssl/wolfmqtt
  • wolfTPM wolfssl/wolftpm` (coming soon, see https://github.com/wolfSSL/wolfTPM/pull/351)

staging/test Managed Components at the Espressif Component Registry.

• wolfSSL gojimmypi/mywolfssl
• wolfSSH gojimmypi/mywolfssh
• wolfMQTT gojimmypi/mywolfmqtt
• wolfTPM wolfssl/wolftpm (coming soon, see https://github.com/wolfSSL/wolfTPM/pull/351)

For details on wolfSSL Managed Components, see these blogs:

• https://www.wolfssl.com/wolfssl-now-available-in-espressif-component-registry/
• https://www.wolfssl.com/wolfmqtt-now-available-as-an-espressif-managed-component-includes-aws-iot-mqtt-example/
• https://www.wolfssl.com/wolfssh-now-available-as-an-espressif-managed-component-includes-ssh-echo-server-example/

PlatformIO

We are providing two different Official wolfSSL libraries for the ESP32: standard and another specifically for Arduino:

• wolfssl/wolfSSL

• wolfssl/Arduino-wolfSSL

There are also two different versions: the stable release versions (above) and these staging updates, with the latest post-release changes.

• wolfssl-staging/wolfSSL

• wolfssl-staging/Arduino-wolfSSL

See also the wolfSSL now supported on PlatformIO blog.

https://github.com/wolfSSL/wolfssl/tree/master/IDE/PlatformIO

Arduino

See Getting Started with wolfSSL on Arduino blog.

https://www.arduino.cc/reference/en/libraries/wolfssl/

https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO

wolfSSL for the Apple HomeKit on the ESP32

See the https://github.com/AchimPieters/esp32-homekit-demo

https://github.com/AchimPieters/esp32-homekit-demo/pull/3

Additional wolfSSL updates related to the Espressif environment

See ESP32 Espressif Improvements - Roadmap Summary #6234

Have an idea for other improvements? Feel free to open a new issue or send us an email support@wolfssl.com