
fix(esp_tls): Refactor esp-tls to remove ESP_TLS_SERVER config option

Aditya Patwardhan 2 years ago
parent
commit
5ce93aa257

+ 3 - 10
components/esp-tls/Kconfig

@@ -38,16 +38,9 @@ menu "ESP-TLS"
         help
             Enable session ticket support as specified in RFC5077.
 
-    config ESP_TLS_SERVER
-        bool "Enable ESP-TLS Server"
-        depends on (ESP_TLS_USING_MBEDTLS && MBEDTLS_TLS_SERVER) || ESP_TLS_USING_WOLFSSL
-        help
-            Enable support for creating server side SSL/TLS session, available for mbedTLS
-            as well as wolfSSL TLS library.
-
     config ESP_TLS_SERVER_SESSION_TICKETS
         bool "Enable server session tickets"
-        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
+        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
         help
             Enable session ticket support as specified in RFC5077
 
@@ -60,7 +53,7 @@ menu "ESP-TLS"
 
     config ESP_TLS_SERVER_CERT_SELECT_HOOK
         bool "Certificate selection hook"
-        depends on ESP_TLS_USING_MBEDTLS && ESP_TLS_SERVER
+        depends on ESP_TLS_USING_MBEDTLS
         help
             Ability to configure and use a certificate selection callback during server handshake,
             to select a certificate to present to the client based on the TLS extensions supplied in
@@ -68,7 +61,7 @@ menu "ESP-TLS"
 
     config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
         bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
-        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS
+        depends on ESP_TLS_USING_MBEDTLS
         help
             When this option is enabled, the peer (here, the client) certificate is checked by the server,
             however the handshake continues even if verification failed. By default, the

+ 2 - 8
components/esp-tls/esp_tls.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -64,12 +64,10 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_get_client_session         esp_mbedtls_get_client_session
 #define _esp_tls_free_client_session        esp_mbedtls_free_client_session
 #define _esp_tls_get_ssl_context            esp_mbedtls_get_ssl_context
-#ifdef CONFIG_ESP_TLS_SERVER
 #define _esp_tls_server_session_create      esp_mbedtls_server_session_create
 #define _esp_tls_server_session_delete      esp_mbedtls_server_session_delete
 #define _esp_tls_server_session_ticket_ctx_init    esp_mbedtls_server_session_ticket_ctx_init
 #define _esp_tls_server_session_ticket_ctx_free    esp_mbedtls_server_session_ticket_ctx_free
-#endif  /* CONFIG_ESP_TLS_SERVER */
 #define _esp_tls_get_bytes_avail            esp_mbedtls_get_bytes_avail
 #define _esp_tls_init_global_ca_store       esp_mbedtls_init_global_ca_store
 #define _esp_tls_set_global_ca_store        esp_mbedtls_set_global_ca_store                 /*!< Callback function for setting global CA store data for TLS/SSL */
@@ -83,10 +81,8 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_write                      esp_wolfssl_write
 #define _esp_tls_conn_delete                esp_wolfssl_conn_delete
 #define _esp_tls_net_init                   esp_wolfssl_net_init
-#ifdef CONFIG_ESP_TLS_SERVER
 #define _esp_tls_server_session_create      esp_wolfssl_server_session_create
 #define _esp_tls_server_session_delete      esp_wolfssl_server_session_delete
-#endif  /* CONFIG_ESP_TLS_SERVER */
 #define _esp_tls_get_bytes_avail            esp_wolfssl_get_bytes_avail
 #define _esp_tls_init_global_ca_store       esp_wolfssl_init_global_ca_store
 #define _esp_tls_set_global_ca_store        esp_wolfssl_set_global_ca_store                 /*!< Callback function for setting global CA store data for TLS/SSL */
@@ -108,7 +104,7 @@ static const char *TAG = "esp-tls";
 
 static esp_err_t create_ssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
 {
-    return _esp_create_ssl_handle(hostname, hostlen, cfg, tls);
+    return _esp_create_ssl_handle(hostname, hostlen, cfg, tls, NULL);
 }
 
 static esp_err_t esp_tls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
@@ -638,7 +634,6 @@ void esp_tls_free_client_session(esp_tls_client_session_t *client_session)
 #endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
 
 
-#ifdef CONFIG_ESP_TLS_SERVER
 esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg)
 {
 #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
@@ -682,7 +677,6 @@ void esp_tls_server_session_delete(esp_tls_t *tls)
 {
     return _esp_tls_server_session_delete(tls);
 }
-#endif /* CONFIG_ESP_TLS_SERVER */
 
 ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls)
 {
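Review bot: `create_ssl_handle` now hard-codes `NULL` for the new `server_params` argument, which on the mbedTLS backend makes the call fail with ESP_ERR_INVALID_ARG whenever `tls->role == ESP_TLS_SERVER` (see the `server_params == NULL` check added in esp_tls_mbedtls.c). That is presumably intended — server sessions go through `_esp_tls_server_session_create`, which builds its own params — but nothing at this wrapper says so. A one-line comment would stop a future caller from routing a server handle through it: `/* Client path only: server sessions supply their params via _esp_tls_server_session_create */`. The callers of create_ssl_handle are outside this hunk, so I cannot confirm none of them sets the server role.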

+ 5 - 5
components/esp-tls/esp_tls.h

@@ -213,7 +213,6 @@ typedef struct esp_tls_cfg {
     esp_tls_proto_ver_t tls_version;        /*!< TLS protocol version of the connection, e.g., TLS 1.2, TLS 1.3 (default - no preference) */
 } esp_tls_cfg_t;
 
-#ifdef CONFIG_ESP_TLS_SERVER
 #if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
 /**
  * @brief Data structures necessary to support TLS session tickets according to RFC5077
@@ -228,7 +227,7 @@ typedef struct esp_tls_server_session_ticket_ctx {
 } esp_tls_server_session_ticket_ctx_t;
 #endif
 
-
+#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
 /**
  * @brief tls handshake callback
  * Can be used to configure per-handshake attributes for the TLS connection.
@@ -239,7 +238,11 @@ typedef struct esp_tls_server_session_ticket_ctx {
  *         or a specific MBEDTLS_ERR_XXX code, which will cause the handhsake to abort
  */
 typedef mbedtls_ssl_hs_cb_t esp_tls_handshake_callback;
+#endif
 
+/**
+ * @brief ESP-TLS Server configuration parameters
+ */
 typedef struct esp_tls_cfg_server {
     const char **alpn_protos;                   /*!< Application protocols required for HTTP2.
                                                      If HTTP2/ALPN support is required, a list
@@ -341,7 +344,6 @@ esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg);
  * @param cfg server configuration as esp_tls_cfg_server_t
  */
 void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg);
-#endif /* ! CONFIG_ESP_TLS_SERVER */
 
 typedef struct esp_tls esp_tls_t;
 
@@ -681,7 +683,6 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void);
  */
 const int *esp_tls_get_ciphersuites_list(void);
 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
-#ifdef CONFIG_ESP_TLS_SERVER
 /**
  * @brief      Create TLS/SSL server session
  *
@@ -707,7 +708,6 @@ int esp_tls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp_tls
  * @param[in]  tls  pointer to esp_tls_t
  */
 void esp_tls_server_session_delete(esp_tls_t *tls);
-#endif /* ! CONFIG_ESP_TLS_SERVER */
 
 /**
  * @brief Creates a plain TCP connection, returning a valid socket fd on success or an error handle
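Review bot: The new `#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)` guard around `esp_tls_handshake_callback` means any member of `esp_tls_cfg_server` declared with that type must sit under the same guard; the struct body follows the hunk and is not visible here, so please confirm the corresponding field is guarded identically (it presumably already was, since the option previously depended on ESP_TLS_SERVER). Now that the server API is declared unconditionally for both backends, the new `@brief ESP-TLS Server configuration parameters` block is a good place to say which features are backend-specific, e.g. `Session tickets and the certificate selection hook are available with mbedTLS only (see the corresponding Kconfig options).`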

+ 13 - 17
components/esp-tls/esp_tls_mbedtls.c

@@ -70,7 +70,9 @@ typedef struct esp_tls_pki_t {
 #endif
 } esp_tls_pki_t;
 
-esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
+static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls);
+
+esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params)
 {
     assert(cfg != NULL);
     assert(tls != NULL);
@@ -116,16 +118,16 @@ esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const
             goto exit;
         }
     } else if (tls->role == ESP_TLS_SERVER) {
-#ifdef CONFIG_ESP_TLS_SERVER
-        esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls);
+        if (server_params == NULL) {
+            /* Server params cannot be NULL when TLS role is server */
+            return ESP_ERR_INVALID_ARG;
+        }
+        esp_tls_server_params_t *input_server_params = server_params;
+        esp_ret = input_server_params->set_server_cfg((esp_tls_cfg_server_t *) cfg, tls);
         if (esp_ret != 0) {
             ESP_LOGE(TAG, "Failed to set server configurations, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
             goto exit;
         }
-#else
-            ESP_LOGE(TAG, "ESP_TLS_SERVER Not enabled in Kconfig");
-            goto exit;
-#endif
     }
 
     if ((ret = mbedtls_ctr_drbg_seed(&tls->ctr_drbg,
@@ -353,10 +355,6 @@ void esp_mbedtls_cleanup(esp_tls_t *tls)
         mbedtls_x509_crt_free(tls->cacert_ptr);
     }
     tls->cacert_ptr = NULL;
-#ifdef CONFIG_ESP_TLS_SERVER
-    mbedtls_x509_crt_free(&tls->servercert);
-    mbedtls_pk_free(&tls->serverkey);
-#endif
     mbedtls_x509_crt_free(&tls->cacert);
     mbedtls_x509_crt_free(&tls->clientcert);
     mbedtls_pk_free(&tls->clientkey);
@@ -478,7 +476,6 @@ static esp_err_t set_global_ca_store(esp_tls_t *tls)
     return ESP_OK;
 }
 
-#ifdef CONFIG_ESP_TLS_SERVER
 #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
 int esp_mbedtls_server_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
 {
@@ -547,7 +544,7 @@ void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ct
 }
 #endif
 
-esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
+static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 {
     assert(cfg != NULL);
     assert(tls != NULL);
@@ -679,7 +676,6 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 
     return ESP_OK;
 }
-#endif /* ! CONFIG_ESP_TLS_SERVER */
 
 esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t *cfg, esp_tls_t *tls)
 {
@@ -903,7 +899,6 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
     return ESP_OK;
 }
 
-#ifdef CONFIG_ESP_TLS_SERVER
 /**
  * @brief      Create TLS/SSL server session
  */
@@ -914,7 +909,9 @@ int esp_mbedtls_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
     }
     tls->role = ESP_TLS_SERVER;
     tls->sockfd = sockfd;
-    esp_err_t esp_ret = esp_create_mbedtls_handle(NULL, 0, cfg, tls);
+    esp_tls_server_params_t server_params = {};
+    server_params.set_server_cfg = &set_server_config;
+    esp_err_t esp_ret = esp_create_mbedtls_handle(NULL, 0, cfg, tls, &server_params);
     if (esp_ret != ESP_OK) {
         ESP_LOGE(TAG, "create_ssl_handle failed, returned [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, esp_ret);
@@ -946,7 +943,6 @@ void esp_mbedtls_server_session_delete(esp_tls_t *tls)
         free(tls);
     }
 };
-#endif /* ! CONFIG_ESP_TLS_SERVER */
 
 esp_err_t esp_mbedtls_init_global_ca_store(void)
 {
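Review bot: In `esp_create_mbedtls_handle` the new `server_params == NULL` branch uses a bare `return ESP_ERR_INVALID_ARG;` while every sibling failure in the same function goes through `goto exit`. If the exit label releases state initialised earlier in the function (the lines between the asserts and this hunk are not shown), the early return skips that cleanup; the consistent form is `esp_ret = ESP_ERR_INVALID_ARG;` followed by `goto exit;`. The function pointer is then dereferenced unchecked, so a zero-initialised `esp_tls_server_params_t` would fault — `if (server_params == NULL || ((esp_tls_server_params_t *)server_params)->set_server_cfg == NULL)` covers both. Lastly, `esp_tls_server_params_t server_params = {};` relies on the GNU empty-initializer extension; `{0}` is the portable C11 spelling (the same line appears in esp_tls_wolfssl.c).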

+ 5 - 14
components/esp-tls/esp_tls_wolfssl.c

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -44,9 +44,7 @@ static uint8_t psk_key_array[PSK_MAX_KEY_LEN];
 static uint8_t psk_key_max_len = 0;
 #endif /* CONFIG_ESP_TLS_PSK_VERIFICATION */
 
-#ifdef CONFIG_ESP_TLS_SERVER
 static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls);
-#endif /* CONFIG_ESP_TLS_SERVER */
 
 
 /* This function shall return the error message when appropriate log level has been set otherwise this function shall do nothing */
@@ -124,7 +122,7 @@ void *esp_wolfssl_get_ssl_context(esp_tls_t *tls)
     return (void*)tls->priv_ssl;
 }
 
-esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
+esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params)
 {
 #ifdef CONFIG_ESP_DEBUG_WOLFSSL
     wolfSSL_Debugging_ON();
@@ -152,16 +150,11 @@ esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const
             goto exit;
         }
     } else if (tls->role == ESP_TLS_SERVER) {
-#ifdef CONFIG_ESP_TLS_SERVER
         esp_ret = set_server_config((esp_tls_cfg_server_t *) cfg, tls);
         if (esp_ret != ESP_OK) {
             ESP_LOGE(TAG, "Failed to set server configurations, [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
             goto exit;
         }
-#else
-        ESP_LOGE(TAG, "ESP_TLS_SERVER Not enabled in menuconfig");
-        goto exit;
-#endif
     }
     else {
         ESP_LOGE(TAG, "tls->role is not valid");
@@ -321,7 +314,6 @@ static esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls
     return ESP_OK;
 }
 
-#ifdef CONFIG_ESP_TLS_SERVER
 static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 {
     int ret = WOLFSSL_FAILURE;
@@ -378,7 +370,6 @@ static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
     wolfSSL_set_fd((WOLFSSL *)tls->priv_ssl, tls->sockfd);
     return ESP_OK;
 }
-#endif
 
 int esp_wolfssl_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
 {
@@ -486,7 +477,6 @@ void esp_wolfssl_cleanup(esp_tls_t *tls)
     wolfSSL_Cleanup();
 }
 
-#ifdef CONFIG_ESP_TLS_SERVER
 /**
  * @brief       Create TLS/SSL server session
  */
@@ -497,7 +487,9 @@ int esp_wolfssl_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
     }
     tls->role = ESP_TLS_SERVER;
     tls->sockfd = sockfd;
-    esp_err_t esp_ret = esp_create_wolfssl_handle(NULL, 0, cfg, tls);
+    esp_tls_server_params_t server_params = {};
+    server_params.set_server_cfg = &set_server_config;
+    esp_err_t esp_ret = esp_create_wolfssl_handle(NULL, 0, cfg, tls, &server_params);
     if (esp_ret != ESP_OK) {
         ESP_LOGE(TAG, "create_ssl_handle failed, [0x%04X] (%s)", esp_ret, esp_err_to_name(esp_ret));
         ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_ESP, esp_ret);
@@ -531,7 +523,6 @@ void esp_wolfssl_server_session_delete(esp_tls_t *tls)
         free(tls);
     }
 }
-#endif /* CONFIG_ESP_TLS_SERVER */
 
 esp_err_t esp_wolfssl_init_global_ca_store(void)
 {
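Review bot: `esp_create_wolfssl_handle` gains a `server_params` parameter but its server branch still calls the file-static `set_server_config` directly and never reads it, so the two backends now disagree on the contract: mbedTLS rejects a NULL `server_params` with ESP_ERR_INVALID_ARG, wolfSSL ignores it, and the params struct built in `esp_wolfssl_server_session_create` is never consumed. Either dispatch through it the same way as the mbedTLS backend (below) or mark the parameter as intentionally unused with a comment such as `/* server_params is unused on wolfSSL: set_server_config is resolved statically */` so `-Wunused-parameter` and the next reader are not surprised. If you take the first option, the forward declaration of `set_server_config` and the assignment in the session-create hunk stay as they are.
```c
    } else if (tls->role == ESP_TLS_SERVER) {
        esp_tls_server_params_t *input_server_params = server_params;
        if (input_server_params == NULL || input_server_params->set_server_cfg == NULL) {
            /* Server params cannot be NULL when TLS role is server */
            esp_ret = ESP_ERR_INVALID_ARG;
            goto exit;
        }
        esp_ret = input_server_params->set_server_cfg((esp_tls_cfg_server_t *) cfg, tls);
        /* … unchanged: error log and goto exit on failure … */
    }
```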

+ 2 - 10
components/esp-tls/private_include/esp_tls_mbedtls.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2019-2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2019-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -46,7 +46,7 @@ ssize_t esp_mbedtls_get_bytes_avail(esp_tls_t *tls);
 /**
  * Internal Callback for creating ssl handle for mbedtls
  */
-esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls);
+esp_err_t esp_create_mbedtls_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void* server_params);
 
 /**
  * mbedTLS function for Initializing socket wrappers
@@ -61,13 +61,6 @@ static inline void esp_mbedtls_net_init(esp_tls_t *tls)
  */
 void *esp_mbedtls_get_ssl_context(esp_tls_t *tls);
 
-#ifdef CONFIG_ESP_TLS_SERVER
-/**
- * Internal Callback for set_server_config
- *
- * /note :- can only be used with mbedtls ssl library
- */
-esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls);
 
 /**
  * Internal Callback for mbedtls_server_session_create
@@ -98,7 +91,6 @@ esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_tick
  */
 void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *cfg);
 #endif
-#endif
 
 /**
  * Internal Callback for set_client_config_function
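Review bot: The prototype of `esp_create_mbedtls_handle` gains `void* server_params`, but the Doxygen block above it still only says "Internal Callback for creating ssl handle for mbedtls", so the new requirement — non-NULL for the server role, ignored for clients — is undocumented at the declaration. Suggested addition: `@param server_params esp_tls_server_params_t describing the server-side setup; required when tls->role is ESP_TLS_SERVER, pass NULL for client handles`. Also `void* server_params` should read `void *server_params` to match the definition in esp_tls_mbedtls.c, and since `esp_tls_server_params_t` is defined in esp_tls_private.h, declaring the parameter with that type instead of `void *` would let the compiler check callers. The same missing @param applies to `esp_create_wolfssl_handle` in esp_tls_wolfssl.h.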

+ 16 - 8
components/esp-tls/private_include/esp_tls_private.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-2023 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -53,21 +53,21 @@ struct esp_tls {
     mbedtls_x509_crt cacert;                                                    /*!< Container for the X.509 CA certificate */
 
     mbedtls_x509_crt *cacert_ptr;                                               /*!< Pointer to the cacert being used. */
-
+    union {
     mbedtls_x509_crt clientcert;                                                /*!< Container for the X.509 client certificate */
+    mbedtls_x509_crt servercert;                                                /*!< Container for the X.509 server certificate */
+    };
 
+    union {
     mbedtls_pk_context clientkey;                                               /*!< Container for the private key of the client
                                                                                      certificate */
+    mbedtls_pk_context serverkey;                                               /*!< Container for the private key of the server
+                                                                                     certificate */
+    };
 #ifdef CONFIG_MBEDTLS_HARDWARE_ECDSA_SIGN
     bool use_ecdsa_peripheral;                                                  /*!< Use the ECDSA peripheral for the private key operations. */
     uint8_t ecdsa_efuse_blk;                                                    /*!< The efuse block number where the ECDSA key is stored. */
 #endif
-#ifdef CONFIG_ESP_TLS_SERVER
-    mbedtls_x509_crt servercert;                                                /*!< Container for the X.509 server certificate */
-
-    mbedtls_pk_context serverkey;                                               /*!< Container for the private key of the server
-                                                                                   certificate */
-#endif
 #elif CONFIG_ESP_TLS_USING_WOLFSSL
     void *priv_ctx;
     void *priv_ssl;
@@ -95,3 +95,11 @@ struct esp_tls {
     esp_tls_error_handle_t error_handle;                                        /*!< handle to error descriptor */
 
 };
+
+// Function pointer for the server configuration API
+typedef esp_err_t (*set_server_config_func_ptr) (esp_tls_cfg_server_t *cfg, esp_tls_t *tls);
+
+// This struct contains any data that is only specific to the server session and not required by the client.
+typedef struct esp_tls_server_params {
+    set_server_config_func_ptr set_server_cfg;
+} esp_tls_server_params_t;
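Review bot: The anonymous unions make `servercert` alias `clientcert` and `serverkey` alias `clientkey`, which is what lets the matching hunk in esp_tls_mbedtls.c drop the `servercert`/`serverkey` frees from `esp_mbedtls_cleanup` — but nothing in the struct says so, and a reader of the cleanup code will see the server containers apparently never released. A comment on each union would make the invariant explicit: `/* A handle is either client or server, never both, so the role-specific cert/key containers share storage; esp_mbedtls_cleanup releases them through the client members */`. The union members are also indented at the same level as the `union` keyword; one extra indent level would show the grouping. Whether a handle is truly never reused across roles is not visible here — worth confirming, since initialising both aliased containers on one handle would corrupt silently.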

+ 1 - 4
components/esp-tls/private_include/esp_tls_wolfssl.h

@@ -11,7 +11,7 @@
 /**
  * Internal Callback for creating ssl handle for wolfssl
  */
-int esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls);
+int esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls, void *server_params);
 
 /**
  * Internal Callback for wolfssl_handshake
@@ -76,7 +76,6 @@ static inline void esp_wolfssl_net_init(esp_tls_t *tls)
 {
 }
 
-#ifdef CONFIG_ESP_TLS_SERVER
 
 /**
  * Function to Create ESP-TLS Server session with wolfssl Stack
@@ -87,5 +86,3 @@ int esp_wolfssl_server_session_create(esp_tls_cfg_server_t *cfg, int sockfd, esp
  * Delete Server Session
  */
 void esp_wolfssl_server_session_delete(esp_tls_t *tls);
-
-#endif

+ 0 - 2
components/esp-tls/test_apps/main/test_esp_tls.c

@@ -76,7 +76,6 @@ TEST_CASE("esp-tls global_ca_store set free", "[esp-tls]")
     esp_tls_free_global_ca_store();
 }
 
-#ifdef CONFIG_ESP_TLS_SERVER
 TEST_CASE("esp_tls_server session create delete", "[esp-tls]")
 {
     struct esp_tls *tls = esp_tls_init();
@@ -95,4 +94,3 @@ TEST_CASE("esp_tls_server session create delete", "[esp-tls]")
     esp_tls_server_session_delete(tls);
 
 }
-#endif

+ 0 - 2
components/esp-tls/test_apps/sdkconfig.defaults

@@ -5,6 +5,4 @@ CONFIG_BOOTLOADER_LOG_LEVEL_WARN=y
 CONFIG_FREERTOS_WATCHPOINT_END_OF_STACK=y
 CONFIG_COMPILER_STACK_CHECK_MODE_STRONG=y
 CONFIG_COMPILER_STACK_CHECK=y
-
 CONFIG_ESP_TASK_WDT_EN=n
-CONFIG_ESP_TLS_SERVER=y