Follow-up to #7731 ("Changes needed for default TLS support in zephyr kernel"). Zephyr 4.3's TLS socket integration uses three additional wolfSSL features that were not needed by the 3.7 integration, plus an extension to the native_sim time-source gates introduced in #7731. native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c): Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from native_posix to native_sim; without this, k_cpu_idle() on native_sim advances simulated time during DTLS retransmit loops and the RTC path falls through to uptime-since-boot. Behavior on native_posix is unchanged. New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h): CONFIG_WOLFSSL_SESSION_EXPORT -> HAVE_EXT_CACHE Required by consumers that serialize TLS session state across connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION. CONFIG_WOLFSSL_KEEP_PEER_CERT -> KEEP_PEER_CERT Retain the peer certificate after handshake so the application layer can inspect it via wolfSSL_get_peer_certificate. CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB Invoke an application-set verify callback on successful chain validation in addition to validation failures. All three are default-off; customers opt in the same way they do for the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options. .wolfssl_known_macro_extras: register HAVE_EXT_CACHE.
Zephyr Project Port
Overview
This port is for the Zephyr RTOS Project, available here.
It provides the following zephyr code.
- modules/crypto/wolfssl
- wolfssl library code
- modules/crypto/wolfssl/zephyr/
- Configuration and CMake files for wolfSSL as a Zephyr module
- modules/crypto/wolfssl/zephyr/samples/wolfssl_test
- wolfCrypt test application
- modules/crypto/wolfssl/zephyr/samples/wolfssl_bench
- wolfCrypt benchmark application
- modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_sock
- socket based sample of TLS
- modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_thread
- socket based sample of TLS using threads
How to setup as a Zephyr Module
Modify your project's west manifest
Add wolfssl as a project to your west.yml:
manifest:
remotes:
# <your other remotes>
- name: wolfssl
url-base: https://github.com/wolfssl
projects:
# <your other projects>
- name: wolfssl
path: modules/crypto/wolfssl
revision: master
remote: wolfssl
If you are using the Nordic nRF Connect SDK with Zephyr, the sdk-nrf manifest
file is located at: vX.X.X/nrf/west.yml. On OSX the default installation
location for the nRF Connect SDK is at /opt/nordic/ncs/vX.X.X.
Update west's modules:
west update
Now west recognizes 'wolfssl' as a module, and will include it's Kconfig and CMakeFiles.txt in the build system.
If using the Nordic nRF Connect SDK, to get access to a terminal with west tool access, open "nRF Connect for Desktop", then "Toolchain Manager", and finally next to the SDK version you are using click the drop down arrow, then "Open Terminal".
Build and Run wolfCrypt Test Application
If you want to run build apps without running west zephyr-export then it is
possible by setting the CMAKE_PREFIX_PATH variable to the location of the
zephyr sdk and building from the zephyr directory. For example:
CMAKE_PREFIX_PATH=/path/to/zephyr-sdk-<VERSION> west build -p always -b qemu_x86 ../modules/crypto/wolfssl/zephyr/samples/wolfssl_test/
build and execute wolfssl_test
cd [zephyrproject]
west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_test
west build -t run
Build and Run wolfCrypt Benchmark Application
build and execute wolfssl_benchmark
cd [zephyrproject]
west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_benchmark
west build -t run
Build and Run wolfSSL example wolfssl_tls_sock
cd [zephyrproject]
west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_sock
west build -t run
Build and Run wolfSSL example wolfssl_tls_thread
cd [zephyrproject]
west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_thread
west build -t run
How to setup wolfSSL support for Zephyr TLS Sockets and RNG
wolfSSL can also be used as the underlying implementation for the default Zephyr TLS socket interface. With this enabled, all existing applications using the Zephyr TLS sockets will now use wolfSSL inside for all TLS operations. This will also enable wolfSSL as the default RNG implementation. To enable this feature, use the patch file and instructions found here: