Description
Answers checklist.
- I have read the documentation ESP-IDF Programming Guide and the issue is not addressed there.
- I have updated my IDF branch (master or release) to the latest version and checked that the issue is present there.
- I have searched the issue tracker for a similar issue and not found a similar issue.
General issue report
Improving wolfSSL integration with the Espressif ESP-IDF
This is an anchor GitHub issue to track the various upcoming pull requests and other issues related to improving the wolfSSL cryptographic library integration with the Espressif ESP-IDF.
The wolfSSL libraries are available for a given project, but the integration with the ESP-IDF core is not as robust as it should be.
There's a companion issue at wolfSSL: wolfSSL/wolfssl#7640
Features To Do
- Include wolfSSL as an ESP-IDF component. See preview here.
- Full wolfSSL ESP-TLS integration.
- Add wolfSSL support to bootloader_support
- Add wolfSSL support to bt
- Add wolfSSL support to espcoredump
- Add wolfSSL support to esp_http_client example
- Add wolfSSL support to esp_https_server
- Add wolfSSL support to esp_http_server
- Add wolfSSL support to esp_rom
- Add wolfSSL support to lwip
- Add wolfSSL support to mqtt
- Add wolfSSL support to openthread
- Add wolfSSL support to protocomm
- Add wolfSSL support to wpa_supplicant
- CI/CD, Testing, Jenkins at wolfSSL
- change(esp-wolfssl): allow to enable OCSP support esp-wolfssl#24
- fix(esp-tls): make the wolfSSL backend send entire client certificate… (IDFGH-12621) #13618
- Change(component.cmake): check for missing component_target (IDFGH-13091) #14036
Reasons for choosing wolfSSL instead of mbedTLS
For serious commercial applications, or for users who simply need a more capable, flexible, and actively supported library, developers should choose wolfSSL.
wolfSSL is a TLS library. wolfSSL offers:
- optimal performance
- rapid integration
- hardware crypto support
- support for the most current standards.
wolfSSL is the best-tested crypto library, the #1 TLS in IoT, and the first embedded TLS 1.3 platform with TPM 2.0, MQTT, FIPS 140 certification, hardware crypto acceleration and secure enclave support. All products are backed by 24/7 support.
| | wolfSSL | mbed TLS |
|---|---|---|
| TECHNOLOGY | | |
| Copyright | wolfSSL Inc. | Multiple Owners | 
| Development Team | Original developers still on project | Based on XySSL/PolarSSL, not maintained by the original developers | 
| Portability | "Portable Out of the Box Win32/64, Linux, OS X, Solaris, ThreadX, VxWorks, FreeBSD, NetBSD, OpenBSD, embedded Linux, Haiku, OpenWRT, iPhone (iOS), Android, Nintendo Wii and Gamecube through DevKitPro, QNX, MontaVista, OpenCL, NonStop, TRON/ITRON/µITRON, Micrium's µC OS, FreeRTOS, SafeRTOS, Freescale MQX, Nucleus, TinyOS, HP/UX, Keil RTX, TI-RTOS, Integrity OS" | Win32/64, Linux, OS X, Solaris, FreeBSD, NetBSD, OpenBSD, OpenWRT, iPhone (iOS), Xbox, Android, SeggerOS | 
| Standards Support | SSLv3 - TLS 1.3, DTLS 1.0,1.2, 1.3 | TLS 1.2/TLS 1.3 and DTLS 1.2 | 
| Server Support | YES | YES | 
| Performance | Awesome! See our benchmarks page: https://www.wolfssl.com/docs/benchmarks/ | Average | 
| Hardware & Assembly Optimizations | - ARM Assembly Optimizations (Aarch32/Aarch64/Arm32/Cortex-M/Neon) - ARMv8 Cryptography Extensions - RISC-V Assembly - STM32 F2/F4/F7/L4/L5/U5/H5/H7 Hardware Crypto - ATECC608B, ST-SAFEA110, SE050, IoT-Safe - Single Precision Math (C and Assembly) | Some ARM optimizations | 
| Command Line Utility | YES | NO | 
| Certifications | YES (FIPS 140-3, DO-178 DAL-A) | NO | 
| Certificate Revocation Support | CRL, OCSP, OCSP Stapling | CRL | 
| Crypto Library Abstraction Layer | YES | NO | 
| SSL Inspection (Sniffer) Support | YES | NO | 
| Compression Support | zlib | NO |
| OpenSSL Compatibility Layer | YES (Actively updated - over 1,600) | YES (Out of date) | 
| Post Quantum Support | Kyber, LMS, XMSS and Dilithium/Falcon | NO |
| Supported Open Source Projects | OpenSSH, Stunnel, WPA Supplicant, lighttpd (lighty), cURL, mongoose, OpenVPN, NGINX and many others | |
| Quality Assurance Testing | API Tests, Peer Review, Static Analysis, Product Specific Testing, Multiple Compilers, Benchmarks, Wrappers, Hardware Accelerated Testing, Security fuzzers (wolfSSL internal fuzzer, AFL, TLS Fuzzer, libFuzzer), known user configurations, external validation, big/little endian, multiple platforms (Embedded IOT Devices, Windows, Many Linux variants, MacOS, XCODE, Android) | Broken scripts | 
| SUPPORT, DOCUMENTATION, LICENSING | | |
| Documentation | YES (complete manual, API reference, build instructions, extensions reference, tutorials, source code, benchmarking, examples) | PARTIAL (build instructions, API reference, source code) |
| Vulnerabilities | Fixes available within a few days | Fixes available few months or not at all |
| License | Dual (GPLv2 / Commercial) | Dual (GPLv2 / Apache 2.0) |
| Royalty Free | YES | YES |
| Up to 24x7 Support | YES (Full support from native English speakers via email, phone, forums) | NO |
| FEATURES | | |
| Random Entropy | wolfRAND, NIST DRBG (SHA-256) | DRBG SHA-1/SHA2-256 | 
| Hashing/Cipher Functions | AES SIV/CFB/OFB, SHAKE, Blake2b/Blake2s, ECIES (ECC Enc/Dec) | NO | 
| Public Key Options | Single Precision math, ECC Fixed Point cache | ECC NIST "modulo p" speedups |
| TLS Extensions | SNI, Max Fragment, ALPN, Trusted CA Indication, Truncated HMAC, Secure Renegotiation, Renegotiation Indication, Session Ticket, Extended Master Secret, Encrypt-Then-Mac, Quantum-Safe Hybrid Authentication | Max Fragment, Encrypt-Then-Mac | 
Getting Started with wolfSSL
If you are new to wolfSSL on the Espressif ESP32, this video can help you get started.
Additional ESP-IDF specifics can be found in Espressif/ESP-IDF. The wolfSSL Manual is also a useful resource.
The core Espressif IDE information for wolfSSL can be found here:
https://github.com/wolfSSL/wolfssl/tree/master/IDE/Espressif
Included are the following examples:
- Bare-bones Template
- Simple TLS Client / TLS Server
- Cryptographic Test
- Cryptographic Benchmark
Managed Components
The wolfSSL libraries are already available as Espressif Managed Components from the ESP Registry for installation to a specific project.
- wolfSSL: wolfssl/wolfssl
- wolfSSH: wolfssl/wolfssh
- wolfMQTT: wolfssl/wolfmqtt
- wolfTPM: wolfssl/wolftpm (coming soon, see Initial Infineon I2C TPM support for Espressif ESP32 wolfSSL/wolfTPM#351)
Staging/test Managed Components are also available at the Espressif Component Registry:
- wolfSSL: gojimmypi/mywolfssl
- wolfSSH: gojimmypi/mywolfssh
- wolfMQTT: gojimmypi/mywolfmqtt
- wolfTPM: wolfssl/wolftpm (coming soon, see Initial Infineon I2C TPM support for Espressif ESP32 wolfSSL/wolfTPM#351)
For details on wolfSSL Managed Components, see these blogs:
- https://www.wolfssl.com/wolfssl-now-available-in-espressif-component-registry/
- https://www.wolfssl.com/wolfmqtt-now-available-as-an-espressif-managed-component-includes-aws-iot-mqtt-example/
- https://www.wolfssl.com/wolfssh-now-available-as-an-espressif-managed-component-includes-ssh-echo-server-example/
PlatformIO
We provide two different official wolfSSL libraries for the ESP32 on PlatformIO: a standard one and another specifically for Arduino.
There are also two different versions of each: the stable release versions (above) and the staging updates, which carry the latest post-release changes.
See also the wolfSSL now supported on PlatformIO blog.
https://github.com/wolfSSL/wolfssl/tree/master/IDE/PlatformIO
Arduino
See Getting Started with wolfSSL on Arduino blog.
https://www.arduino.cc/reference/en/libraries/wolfssl/
https://github.com/wolfSSL/wolfssl/tree/master/IDE/ARDUINO
wolfSSL for the Apple HomeKit on the ESP32
See https://github.com/AchimPieters/esp32-homekit-demo
AchimPieters/esp32-homekit-demo#3
Additional wolfSSL updates related to the Espressif environment
See ESP32 Espressif Improvements - Roadmap Summary #6234
Have an idea for other improvements? Feel free to open a new issue or send us an email at support@wolfssl.com.
