Files
wolfssl/zephyr
Colton Willey c950a6aa46 zephyr: changes needed for Zephyr 4.3 default TLS support
Follow-up to #7731 ("Changes needed for default TLS support in zephyr
kernel"). Zephyr 4.3's TLS socket integration uses three additional
wolfSSL features that were not needed by the 3.7 integration, plus an
extension to the native_sim time-source gates introduced in #7731.

native_sim timer gates (src/internal.c, wolfcrypt/src/wc_port.c):
  Extend the !CONFIG_BOARD_NATIVE_POSIX gate in LowResTimer() and the
  CONFIG_BOARD_NATIVE_POSIX RTC path in z_time() to also cover
  CONFIG_BOARD_NATIVE_SIM. Zephyr 4.3 renamed the simulator board from
  native_posix to native_sim; without this, k_cpu_idle() on native_sim
  advances simulated time during DTLS retransmit loops and the RTC path
  falls through to uptime-since-boot. Behavior on native_posix is
  unchanged.

New Kconfig options (zephyr/Kconfig, zephyr/user_settings.h):
  CONFIG_WOLFSSL_SESSION_EXPORT   -> HAVE_EXT_CACHE
    Required by consumers that serialize TLS session state across
    connections via wolfSSL_i2d_SSL_SESSION / wolfSSL_d2i_SSL_SESSION.
  CONFIG_WOLFSSL_KEEP_PEER_CERT   -> KEEP_PEER_CERT
    Retain the peer certificate after handshake so the application
    layer can inspect it via wolfSSL_get_peer_certificate.
  CONFIG_WOLFSSL_ALWAYS_VERIFY_CB -> WOLFSSL_ALWAYS_VERIFY_CB
    Invoke an application-set verify callback on successful chain
    validation in addition to validation failures.

All three are default-off; customers opt in the same way they do for
the existing CONFIG_WOLFSSL_DTLS / ALPN / PSK feature options.

.wolfssl_known_macro_extras: register HAVE_EXT_CACHE.
2026-04-20 12:29:26 -07:00
..
2026-03-18 10:48:16 +01:00
2026-02-18 09:52:21 -07:00

Zephyr Project Port

Overview

This port is for the Zephyr RTOS Project, available here.

It provides the following zephyr code.

  • modules/crypto/wolfssl
    • wolfssl library code
  • modules/crypto/wolfssl/zephyr/
    • Configuration and CMake files for wolfSSL as a Zephyr module
  • modules/crypto/wolfssl/zephyr/samples/wolfssl_test
    • wolfCrypt test application
  • modules/crypto/wolfssl/zephyr/samples/wolfssl_bench
    • wolfCrypt benchmark application
  • modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_sock
    • socket based sample of TLS
  • modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_thread
    • socket based sample of TLS using threads

How to setup as a Zephyr Module

Modify your project's west manifest

Add wolfssl as a project to your west.yml:

manifest:
  remotes:
    # <your other remotes>
    - name: wolfssl
      url-base: https://github.com/wolfssl

  projects:
    # <your other projects>
    - name: wolfssl
      path: modules/crypto/wolfssl
      revision: master
      remote: wolfssl

If you are using the Nordic nRF Connect SDK with Zephyr, the sdk-nrf manifest file is located at: vX.X.X/nrf/west.yml. On OSX the default installation location for the nRF Connect SDK is at /opt/nordic/ncs/vX.X.X.

Update west's modules:

west update

Now west recognizes 'wolfssl' as a module, and will include it's Kconfig and CMakeFiles.txt in the build system.

If using the Nordic nRF Connect SDK, to get access to a terminal with west tool access, open "nRF Connect for Desktop", then "Toolchain Manager", and finally next to the SDK version you are using click the drop down arrow, then "Open Terminal".

Build and Run wolfCrypt Test Application

If you want to run build apps without running west zephyr-export then it is possible by setting the CMAKE_PREFIX_PATH variable to the location of the zephyr sdk and building from the zephyr directory. For example:

CMAKE_PREFIX_PATH=/path/to/zephyr-sdk-<VERSION> west build -p always -b qemu_x86 ../modules/crypto/wolfssl/zephyr/samples/wolfssl_test/

build and execute wolfssl_test

cd [zephyrproject]
west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_test
west build -t run

Build and Run wolfCrypt Benchmark Application

build and execute wolfssl_benchmark

cd [zephyrproject]
west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_benchmark
west build -t run

Build and Run wolfSSL example wolfssl_tls_sock

cd [zephyrproject]
west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_sock
west build -t run

Build and Run wolfSSL example wolfssl_tls_thread

cd [zephyrproject]
west build -p auto -b qemu_x86 modules/crypto/wolfssl/zephyr/samples/wolfssl_tls_thread
west build -t run

How to setup wolfSSL support for Zephyr TLS Sockets and RNG

wolfSSL can also be used as the underlying implementation for the default Zephyr TLS socket interface. With this enabled, all existing applications using the Zephyr TLS sockets will now use wolfSSL inside for all TLS operations. This will also enable wolfSSL as the default RNG implementation. To enable this feature, use the patch file and instructions found here:

https://github.com/wolfSSL/osp/tree/master/zephyr