Merge branch 'fix/make_esp_tls_t_private' into 'master'

Make esp_tls_t as private structure

Closes IDF-2812

See merge request espressif/esp-idf!17812

components/esp-tls/CMakeLists.txt

@@ -12,10 +12,10 @@ endif()
 idf_component_register(SRCS "${srcs}"
                     INCLUDE_DIRS . esp-tls-crypto
                     PRIV_INCLUDE_DIRS "private_include"
-                    # lwip and mbedtls are public requirements becasue esp_tls.h
-                    # includes sys/socket.h and mbedtls header files.
-                    REQUIRES mbedtls lwip
-                    PRIV_REQUIRES http_parser)
+                    # mbedtls is public requirements becasue esp_tls.h
+                    # includes mbedtls header files.
+                    REQUIRES mbedtls
+                    PRIV_REQUIRES lwip http_parser)
 
 if(CONFIG_ESP_TLS_USING_WOLFSSL)
     idf_component_get_property(wolfssl esp-wolfssl COMPONENT_LIB)

components/esp-tls/esp_tls.c

@@ -14,6 +14,7 @@
 
 #include <http_parser.h>
 #include "esp_tls.h"
+#include "esp_tls_private.h"
 #include "esp_tls_error_capture_internal.h"
 #include <errno.h>
 static const char *TAG = "esp-tls";
@@ -39,6 +40,7 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_conn_delete                esp_mbedtls_conn_delete
 #define _esp_tls_net_init                   esp_mbedtls_net_init
 #define _esp_tls_get_client_session         esp_mbedtls_get_client_session
+#define _esp_tls_get_ssl_context            esp_mbedtls_get_ssl_context
 #ifdef CONFIG_ESP_TLS_SERVER
 #define _esp_tls_server_session_create      esp_mbedtls_server_session_create
 #define _esp_tls_server_session_delete      esp_mbedtls_server_session_delete
@@ -65,6 +67,7 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_init_global_ca_store       esp_wolfssl_init_global_ca_store
 #define _esp_tls_set_global_ca_store        esp_wolfssl_set_global_ca_store                 /*!< Callback function for setting global CA store data for TLS/SSL */
 #define _esp_tls_free_global_ca_store       esp_wolfssl_free_global_ca_store                /*!< Callback function for freeing global ca store for TLS/SSL */
+#define _esp_tls_get_ssl_context            esp_wolfssl_get_ssl_context
 #else   /* ESP_TLS_USING_WOLFSSL */
 #error "No TLS stack configured"
 #endif
@@ -89,6 +92,18 @@ static ssize_t tcp_write(esp_tls_t *tls, const char *data, size_t datalen)
     return send(tls->sockfd, data, datalen, 0);
 }
 
+ssize_t esp_tls_conn_read(esp_tls_t *tls, void  *data, size_t datalen)
+{
+    return tls->read(tls, (char *)data, datalen);
+
+}
+
+ssize_t esp_tls_conn_write(esp_tls_t *tls, const void  *data, size_t datalen)
+{
+    return tls->write(tls, (char *)data, datalen);
+
+}
+
 /**
  * @brief      Close the TLS connection and free any allocated resources.
  */
@@ -603,6 +618,11 @@ ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls)
     return _esp_tls_get_bytes_avail(tls);
 }
 
+void *esp_tls_get_ssl_context(esp_tls_t *tls)
+{
+    return _esp_tls_get_ssl_context(tls);
+}
+
 esp_err_t esp_tls_get_conn_sockfd(esp_tls_t *tls, int *sockfd)
 {
     if (!tls || !sockfd) {
@@ -629,6 +649,16 @@ esp_err_t esp_tls_get_and_clear_last_error(esp_tls_error_handle_t h, int *esp_tl
     return last_err;
 }
 
+esp_err_t esp_tls_get_error_handle(esp_tls_t *tls, esp_tls_error_handle_t *error_handle)
+{
+    if (!tls || !error_handle) {
+        return ESP_ERR_INVALID_ARG;
+    }
+
+    *error_handle = tls->error_handle;
+    return ESP_OK;
+}
+
 esp_err_t esp_tls_init_global_ca_store(void)
 {
     return _esp_tls_init_global_ca_store();

components/esp-tls/esp_tls.h

@@ -7,18 +7,11 @@
 #define _ESP_TLS_H_
 
 #include <stdbool.h>
-#include <sys/socket.h>
-#include <fcntl.h>
 #include "esp_err.h"
 #include "esp_tls_errors.h"
+#include "sdkconfig.h"
 #ifdef CONFIG_ESP_TLS_USING_MBEDTLS
-#include "mbedtls/platform.h"
-#include "mbedtls/net_sockets.h"
-#include "mbedtls/esp_debug.h"
 #include "mbedtls/ssl.h"
-#include "mbedtls/entropy.h"
-#include "mbedtls/ctr_drbg.h"
-#include "mbedtls/error.h"
 #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
 #include "mbedtls/ssl_ticket.h"
 #endif
@@ -27,6 +20,7 @@
 #include "wolfssl/ssl.h"
 #endif
 
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -290,66 +284,7 @@ esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg);
 void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg);
 #endif /* ! CONFIG_ESP_TLS_SERVER */
 
-/**
- * @brief      ESP-TLS Connection Handle
- */
-typedef struct esp_tls {
-#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
-    mbedtls_ssl_context ssl;                                                    /*!< TLS/SSL context */
-
-    mbedtls_entropy_context entropy;                                            /*!< mbedTLS entropy context structure */
-
-    mbedtls_ctr_drbg_context ctr_drbg;                                          /*!< mbedTLS ctr drbg context structure.
-                                                                                     CTR_DRBG is deterministic random
-                                                                                     bit generation based on AES-256 */
-
-    mbedtls_ssl_config conf;                                                    /*!< TLS/SSL configuration to be shared
-                                                                                     between mbedtls_ssl_context
-                                                                                     structures */
-
-    mbedtls_net_context server_fd;                                              /*!< mbedTLS wrapper type for sockets */
-
-    mbedtls_x509_crt cacert;                                                    /*!< Container for the X.509 CA certificate */
-
-    mbedtls_x509_crt *cacert_ptr;                                               /*!< Pointer to the cacert being used. */
-
-    mbedtls_x509_crt clientcert;                                                /*!< Container for the X.509 client certificate */
-
-    mbedtls_pk_context clientkey;                                               /*!< Container for the private key of the client
-                                                                                     certificate */
-#ifdef CONFIG_ESP_TLS_SERVER
-    mbedtls_x509_crt servercert;                                                /*!< Container for the X.509 server certificate */
-
-    mbedtls_pk_context serverkey;                                               /*!< Container for the private key of the server
-                                                                                   certificate */
-#endif
-#elif CONFIG_ESP_TLS_USING_WOLFSSL
-    void *priv_ctx;
-    void *priv_ssl;
-#endif
-    int sockfd;                                                                 /*!< Underlying socket file descriptor. */
-
-    ssize_t (*read)(struct esp_tls  *tls, char *data, size_t datalen);          /*!< Callback function for reading data from TLS/SSL
-                                                                                     connection. */
-
-    ssize_t (*write)(struct esp_tls *tls, const char *data, size_t datalen);    /*!< Callback function for writing data to TLS/SSL
-                                                                                     connection. */
-
-    esp_tls_conn_state_t  conn_state;                                           /*!< ESP-TLS Connection state */
-
-    fd_set rset;                                                                /*!< read file descriptors */
-
-    fd_set wset;                                                                /*!< write file descriptors */
-
-    bool is_tls;                                                                /*!< indicates connection type (TLS or NON-TLS) */
-
-    esp_tls_role_t role;                                                        /*!< esp-tls role
-                                                                                     - ESP_TLS_CLIENT
-                                                                                     - ESP_TLS_SERVER */
-
-    esp_tls_error_handle_t error_handle;                                        /*!< handle to error descriptor */
-
-} esp_tls_t;
+typedef struct esp_tls esp_tls_t;
 
 /**
  * @brief      Create TLS connection
@@ -470,10 +405,7 @@ int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_t
  *                  if the handshake is incomplete and waiting for data to be available for reading.
  *                  In this case this functions needs to be called again when the underlying transport is ready for operation.
  */
-static inline ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen)
-{
-    return tls->write(tls, (char *)data, datalen);
-}
+ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen);
 
 /**
  * @brief      Read from specified tls connection into the buffer 'data'.
@@ -490,10 +422,7 @@ static inline ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_
  *             - <0  if read operation was not successful, because either an
  *                   error occured or an action must be taken by the calling process.
  */
-static inline ssize_t esp_tls_conn_read(esp_tls_t *tls, void  *data, size_t datalen)
-{
-    return tls->read(tls, (char *)data, datalen);
-}
+ssize_t esp_tls_conn_read(esp_tls_t *tls, void  *data, size_t datalen);
 
 /**
  * @brief      Close the TLS/SSL connection and free any allocated resources.
@@ -536,6 +465,17 @@ ssize_t esp_tls_get_bytes_avail(esp_tls_t *tls);
  */
 esp_err_t esp_tls_get_conn_sockfd(esp_tls_t *tls, int *sockfd);
 
+/**
+ * @brief       Returns the ssl context
+ *
+ * @param[in]   tls          handle to esp_tls context
+ *
+ *
+ * @return     - ssl_ctx pointer to ssl context of underlying TLS layer on success
+ *             - NULL  in case of error
+ */
+void *esp_tls_get_ssl_context(esp_tls_t *tls);
+
 /**
  * @brief      Create a global CA store, initially empty.
  *
@@ -607,6 +547,20 @@ esp_err_t esp_tls_get_and_clear_last_error(esp_tls_error_handle_t h, int *esp_tl
  */
 esp_err_t esp_tls_get_and_clear_error_type(esp_tls_error_handle_t h, esp_tls_error_type_t err_type, int *error_code);
 
+/**
+ * @brief       Returns the ESP-TLS error_handle
+ *
+ * @param[in]   tls             handle to esp_tls context
+ *
+ * @param[out]  error_handle    pointer to the error handle.
+ *
+ * @return
+ *             - ESP_OK             on success and error_handle will be updated with the ESP-TLS error handle.
+ *
+ *             - ESP_ERR_INVALID_ARG if (tls == NULL || error_handle == NULL)
+ */
+esp_err_t esp_tls_get_error_handle(esp_tls_t *tls, esp_tls_error_handle_t *error_handle);
+
 #if CONFIG_ESP_TLS_USING_MBEDTLS
 /**
  * @brief      Get the pointer to the global CA store currently being used.

components/esp-tls/esp_tls_errors.h

@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2021-22 Espressif Systems (Shanghai) CO LTD
  *
  * SPDX-License-Identifier: Apache-2.0
  */
@@ -8,6 +8,10 @@
 #define _ESP_TLS_ERRORS_H_
 
 #include "esp_err.h"
+#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
+#include "mbedtls/error.h"
+#endif
+/* For wolfSSL, errors are included through ssl.h which is included by default by esp_tls.h */
 
 #ifdef __cplusplus
 extern "C" {

components/esp-tls/esp_tls_mbedtls.c

@@ -14,9 +14,11 @@
 
 #include <http_parser.h>
 #include "esp_tls_mbedtls.h"
+#include "esp_tls_private.h"
 #include "esp_tls_error_capture_internal.h"
 #include <errno.h>
 #include "esp_log.h"
+#include "esp_check.h"
 
 #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 #include "esp_crt_bundle.h"
@@ -139,6 +141,15 @@ exit:
 
 }
 
+void *esp_mbedtls_get_ssl_context(esp_tls_t *tls)
+{
+    if (tls == NULL) {
+        ESP_LOGE(TAG, "Invalid arguments");
+        return NULL;
+    }
+    return (void*)&tls->ssl;
+}
+
 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
 esp_tls_client_session_t *esp_mbedtls_get_client_session(esp_tls_t *tls)
 {

components/esp-tls/esp_tls_wolfssl.c

@@ -115,6 +115,15 @@ static esp_err_t esp_load_wolfssl_verify_buffer(esp_tls_t *tls, const unsigned c
     }
 }
 
+void *esp_wolfssl_get_ssl_context(esp_tls_t *tls)
+{
+    if (tls == NULL) {
+        ESP_LOGE(TAG, "Invalid arguments");
+        return NULL;
+    }
+    return (void*)tls->priv_ssl;
+}
+
 esp_err_t esp_create_wolfssl_handle(const char *hostname, size_t hostlen, const void *cfg, esp_tls_t *tls)
 {
 #ifdef CONFIG_ESP_DEBUG_WOLFSSL

components/esp-tls/private_include/esp_tls_mbedtls.h

@@ -6,6 +6,7 @@
 
 #pragma once
 #include "esp_tls.h"
+#include "esp_tls_private.h"
 
 /**
  * Internal Callback API for mbedtls_ssl_read
@@ -55,6 +56,11 @@ static inline void esp_mbedtls_net_init(esp_tls_t *tls)
     mbedtls_net_init(&tls->server_fd);
 }
 
+/**
+ * Return ssl context for mbedTLS stack
+ */
+void *esp_mbedtls_get_ssl_context(esp_tls_t *tls);
+
 #ifdef CONFIG_ESP_TLS_SERVER
 /**
  * Internal Callback for set_server_config

components/esp-tls/private_include/esp_tls_private.h

@@ -0,0 +1,90 @@
+/*
+ * SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#pragma once
+
+/**
+ * @brief      ESP-TLS Connection Handle
+ */
+
+#include <stdbool.h>
+#include <sys/socket.h>
+#include <fcntl.h>
+#include "esp_err.h"
+#include "esp_tls_errors.h"
+#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
+#include "mbedtls/platform.h"
+#include "mbedtls/net_sockets.h"
+#include "mbedtls/esp_debug.h"
+#include "mbedtls/ssl.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/error.h"
+#ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
+#include "mbedtls/ssl_ticket.h"
+#endif
+#elif CONFIG_ESP_TLS_USING_WOLFSSL
+#include "wolfssl/wolfcrypt/settings.h"
+#include "wolfssl/ssl.h"
+#endif
+
+struct esp_tls {
+#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
+    mbedtls_ssl_context ssl;                                                    /*!< TLS/SSL context */
+
+    mbedtls_entropy_context entropy;                                            /*!< mbedTLS entropy context structure */
+
+    mbedtls_ctr_drbg_context ctr_drbg;                                          /*!< mbedTLS ctr drbg context structure.
+                                                                                     CTR_DRBG is deterministic random
+                                                                                     bit generation based on AES-256 */
+
+    mbedtls_ssl_config conf;                                                    /*!< TLS/SSL configuration to be shared
+                                                                                     between mbedtls_ssl_context
+                                                                                     structures */
+
+    mbedtls_net_context server_fd;                                              /*!< mbedTLS wrapper type for sockets */
+
+    mbedtls_x509_crt cacert;                                                    /*!< Container for the X.509 CA certificate */
+
+    mbedtls_x509_crt *cacert_ptr;                                               /*!< Pointer to the cacert being used. */
+
+    mbedtls_x509_crt clientcert;                                                /*!< Container for the X.509 client certificate */
+
+    mbedtls_pk_context clientkey;                                               /*!< Container for the private key of the client
+                                                                                     certificate */
+#ifdef CONFIG_ESP_TLS_SERVER
+    mbedtls_x509_crt servercert;                                                /*!< Container for the X.509 server certificate */
+
+    mbedtls_pk_context serverkey;                                               /*!< Container for the private key of the server
+                                                                                   certificate */
+#endif
+#elif CONFIG_ESP_TLS_USING_WOLFSSL
+    void *priv_ctx;
+    void *priv_ssl;
+#endif
+    int sockfd;                                                                 /*!< Underlying socket file descriptor. */
+
+    ssize_t (*read)(esp_tls_t  *tls, char *data, size_t datalen);          /*!< Callback function for reading data from TLS/SSL
+                                                                                     connection. */
+
+    ssize_t (*write)(esp_tls_t *tls, const char *data, size_t datalen);    /*!< Callback function for writing data to TLS/SSL
+                                                                                     connection. */
+
+    esp_tls_conn_state_t  conn_state;                                           /*!< ESP-TLS Connection state */
+
+    fd_set rset;                                                                /*!< read file descriptors */
+
+    fd_set wset;                                                                /*!< write file descriptors */
+
+    bool is_tls;                                                                /*!< indicates connection type (TLS or NON-TLS) */
+
+    esp_tls_role_t role;                                                        /*!< esp-tls role
+                                                                                     - ESP_TLS_CLIENT
+                                                                                     - ESP_TLS_SERVER */
+
+    esp_tls_error_handle_t error_handle;                                        /*!< handle to error descriptor */
+
+};

components/esp-tls/private_include/esp_tls_wolfssl.h

@@ -6,6 +6,7 @@
 
 #pragma once
 #include "esp_tls.h"
+#include "esp_tls_private.h"
 
 /**
  * Internal Callback for creating ssl handle for wolfssl
@@ -63,6 +64,11 @@ void esp_wolfssl_free_global_ca_store(void);
  */
 esp_err_t esp_wolfssl_init_global_ca_store(void);
 
+/**
+ *  Return ssl context for wolfSSL stack
+ */
+void *esp_wolfssl_get_ssl_context(esp_tls_t *tls);
+
 /**
  * wolfSSL function for Initializing socket wrappers (no-operation for wolfSSL)
  */

components/esp-tls/test/test_esp_tls.c

@@ -10,6 +10,7 @@
 #include "esp_err.h"
 #include "esp_log.h"
 #include "esp_mac.h"
+#include "sys/socket.h"
 #if SOC_SHA_SUPPORT_PARALLEL_ENG
 #include "sha/sha_parallel_engine.h"
 #elif SOC_SHA_SUPPORT_DMA

components/esp_https_server/include/esp_https_server.h

@@ -36,7 +36,7 @@ typedef enum {
  */
 typedef struct esp_https_server_user_cb_arg {
     httpd_ssl_user_cb_state_t user_cb_state;
-    const esp_tls_t *tls;
+    esp_tls_t *tls;
 } esp_https_server_user_cb_arg_t;
 
 /**

components/esp_https_server/src/https_server.c

@@ -118,7 +118,7 @@ static esp_err_t httpd_ssl_open(httpd_handle_t server, int sockfd)
     httpd_ssl_ctx_t *global_ctx = httpd_get_global_transport_ctx(server);
     assert(global_ctx != NULL);
 
-    esp_tls_t *tls = (esp_tls_t *)calloc(1, sizeof(esp_tls_t));
+    esp_tls_t *tls = esp_tls_init();
     if (!tls) {
         return ESP_ERR_NO_MEM;
     }

components/tcp_transport/private_include/esp_transport_internal.h

@@ -1,23 +1,20 @@
-// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
+/*
+ * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
 
 #ifndef _ESP_TRANSPORT_INTERNAL_H_
 #define _ESP_TRANSPORT_INTERNAL_H_
 
 #include "esp_transport.h"
+#include "sys/socket.h"
 #include "sys/queue.h"
 
+#ifdef __cplusplus
+extern "C" {
+#endif
+
 typedef int (*get_socket_func)(esp_transport_handle_t t);
 
 typedef struct esp_foundation_transport {
@@ -116,4 +113,8 @@ void esp_transport_esp_tls_destroy(struct transport_esp_tls* transport_esp_tls);
  */
 void esp_transport_set_errors(esp_transport_handle_t t, const esp_tls_error_handle_t error_handle);
 
+#ifdef __cplusplus
+}
+#endif
+
 #endif //_ESP_TRANSPORT_INTERNAL_H_

components/tcp_transport/transport_ssl.c

@@ -76,7 +76,11 @@ static int esp_tls_connect_async(esp_transport_handle_t t, const char *host, int
     if (ssl->conn_state == TRANS_SSL_CONNECTING) {
         int progress = esp_tls_conn_new_async(host, strlen(host), port, &ssl->cfg, ssl->tls);
         if (progress >= 0) {
-            ssl->sockfd = ssl->tls->sockfd;
+            if (esp_tls_get_conn_sockfd(ssl->tls, &ssl->sockfd) != ESP_OK) {
+                ESP_LOGE(TAG, "Error in obtaining socket fd for the session");
+                esp_tls_conn_destroy(ssl->tls);
+                return -1;
+            }
         }
         return progress;
 
@@ -110,14 +114,23 @@ static int ssl_connect(esp_transport_handle_t t, const char *host, int port, int
     }
     if (esp_tls_conn_new_sync(host, strlen(host), port, &ssl->cfg, ssl->tls) <= 0) {
         ESP_LOGE(TAG, "Failed to open a new connection");
-        esp_transport_set_errors(t, ssl->tls->error_handle);
+        esp_tls_error_handle_t esp_tls_error_handle;
+        esp_tls_get_error_handle(ssl->tls, &esp_tls_error_handle);
+        esp_transport_set_errors(t, esp_tls_error_handle);
+        goto exit_failure;
+    }
+
+    if (esp_tls_get_conn_sockfd(ssl->tls, &ssl->sockfd) != ESP_OK) {
+        ESP_LOGE(TAG, "Error in obtaining socket fd for the session");
+        goto exit_failure;
+    }
+    return 0;
+
+exit_failure:
         esp_tls_conn_destroy(ssl->tls);
         ssl->tls = NULL;
         ssl->sockfd = INVALID_SOCKET;
         return -1;
-    }
-    ssl->sockfd = ssl->tls->sockfd;
-    return 0;
 }
 
 static int tcp_connect(esp_transport_handle_t t, const char *host, int port, int timeout_ms)
@@ -200,7 +213,12 @@ static int ssl_write(esp_transport_handle_t t, const char *buffer, int len, int
     int ret = esp_tls_conn_write(ssl->tls, (const unsigned char *) buffer, len);
     if (ret < 0) {
         ESP_LOGE(TAG, "esp_tls_conn_write error, errno=%s", strerror(errno));
-        esp_transport_set_errors(t, ssl->tls->error_handle);
+        esp_tls_error_handle_t esp_tls_error_handle;
+        if (esp_tls_get_error_handle(ssl->tls, &esp_tls_error_handle) == ESP_OK) {
+            esp_transport_set_errors(t, esp_tls_error_handle);
+        } else {
+            ESP_LOGE(TAG, "Error in obtaining the error handle");
+        }
     }
     return ret;
 }
@@ -233,7 +251,12 @@ static int ssl_read(esp_transport_handle_t t, char *buffer, int len, int timeout
     int ret = esp_tls_conn_read(ssl->tls, (unsigned char *)buffer, len);
     if (ret < 0) {
         ESP_LOGE(TAG, "esp_tls_conn_read error, errno=%s", strerror(errno));
-        esp_transport_set_errors(t, ssl->tls->error_handle);
+        esp_tls_error_handle_t esp_tls_error_handle;
+        if (esp_tls_get_error_handle(ssl->tls, &esp_tls_error_handle) == ESP_OK) {
+            esp_transport_set_errors(t, esp_tls_error_handle);
+        } else {
+            ESP_LOGE(TAG, "Error in obtaining the error handle");
+        }
     }
     if (ret == 0) {
         if (poll > 0) {

docs/en/migration-guides/protocols.rst

@@ -20,6 +20,7 @@ Most structure fields are now private
 - Appropriate accessor functions (getter/setter) must be used for the same. A temporary workaround would be to use ``MBEDTLS_PRIVATE`` macro (**not recommended**).
 - For more details, refer to the official guide `here <https://github.com/espressif/mbedtls/blob/9bb5effc3298265f829878825d9bd38478e67514/docs/3.0-migration-guide.md#most-structure-fields-are-now-private>`__.
 
+
 SSL
 ^^^
 - Removed support for TLS 1.0, 1.1 and DTLS 1.0
@@ -103,6 +104,19 @@ ESP-TLS
 Breaking Changes (Summary)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+esp_tls_t structure is now private
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The :cpp:type:`esp_tls_t` has now been made completely private. You cannot access its internal structures directly. Any necessary data that needs to be obtained from the esp-tls handle can be done through respective getter/setter functions. If there is a requirement of a specific getter/setter function please raise an issue on ESP-IDF.
+
+
+The list of newly added getter/setter function is as as follows:
+
+.. list::
+    * :cpp:func:`esp_tls_get_ssl_context` - Obtain the ssl context of the underlying ssl stack from the esp-tls handle.
+
+Function deprecations and recommended alternatives
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 Following table summarizes the deprecated functions removed and their alternatives to be used from ESP-IDF v5.0 onwards.
 
 +-----------------------------------+----------------------------------------+

examples/protocols/http2_request/main/http2_request_example_main.c

@@ -22,6 +22,8 @@
 #include "nvs_flash.h"
 #include "protocol_examples_common.h"
 #include "esp_netif.h"
+#include "sdkconfig.h"
+
 #if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 #include "esp_crt_bundle.h"
 #endif

examples/protocols/http_request/main/http_request_example_main.c

@@ -21,6 +21,7 @@
 #include "lwip/sys.h"
 #include "lwip/netdb.h"
 #include "lwip/dns.h"
+#include "sdkconfig.h"
 
 /* Constants that aren't configurable in menuconfig */
 #define WEB_SERVER "example.com"

examples/protocols/https_request/main/https_request_example_main.c

@@ -38,6 +38,7 @@
 #include "lwip/dns.h"
 
 #include "esp_tls.h"
+#include "sdkconfig.h"
 #if CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
 #include "esp_crt_bundle.h"
 #endif

examples/protocols/https_server/simple/main/main.c

@@ -19,6 +19,7 @@
 
 #include <esp_https_server.h>
 #include "esp_tls.h"
+#include "sdkconfig.h"
 
 /* A simple example that demonstrates how to create GET and POST
  * handlers and start an HTTPS server.
@@ -36,7 +37,7 @@ static esp_err_t root_get_handler(httpd_req_t *req)
 }
 
 #if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
-
+#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
 static void print_peer_cert_info(const mbedtls_ssl_context *ssl)
 {
     const mbedtls_x509_crt *cert;
@@ -58,7 +59,7 @@ static void print_peer_cert_info(const mbedtls_ssl_context *ssl)
 
     free(buf);
 }
-
+#endif
 /**
  * Example callback function to get the certificate of connected clients,
  * whenever a new SSL connection is created and closed
@@ -75,22 +76,44 @@ static void print_peer_cert_info(const mbedtls_ssl_context *ssl)
 static void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
 {
     ESP_LOGI(TAG, "User callback invoked!");
-
+#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
+    mbedtls_ssl_context *ssl_ctx = NULL;
+#endif
     switch(user_cb->user_cb_state) {
         case HTTPD_SSL_USER_CB_SESS_CREATE:
             ESP_LOGD(TAG, "At session creation");
 
             // Logging the socket FD
-            ESP_LOGI(TAG, "Socket FD: %d", user_cb->tls->sockfd);
-
+            int sockfd = -1;
+            esp_err_t esp_ret;
+            esp_ret = esp_tls_get_conn_sockfd(user_cb->tls, &sockfd);
+            if (esp_ret != ESP_OK) {
+                ESP_LOGE(TAG, "Error in obtaining the sockfd from tls context");
+                break;
+            }
+            ESP_LOGI(TAG, "Socket FD: %d", sockfd);
+#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
+            ssl_ctx = (mbedtls_ssl_context *) esp_tls_get_ssl_context(user_cb->tls);
+            if (ssl_ctx == NULL) {
+                ESP_LOGE(TAG, "Error in obtaining ssl context");
+                break;
+            }
             // Logging the current ciphersuite
-            ESP_LOGI(TAG, "Current Ciphersuite: %s", mbedtls_ssl_get_ciphersuite(&user_cb->tls->ssl));
+            ESP_LOGI(TAG, "Current Ciphersuite: %s", mbedtls_ssl_get_ciphersuite(ssl_ctx));
+#endif
             break;
+
         case HTTPD_SSL_USER_CB_SESS_CLOSE:
             ESP_LOGD(TAG, "At session close");
-
+#ifdef CONFIG_ESP_TLS_USING_MBEDTLS
             // Logging the peer certificate
-            print_peer_cert_info(&user_cb->tls->ssl);
+            ssl_ctx = (mbedtls_ssl_context *) esp_tls_get_ssl_context(user_cb->tls);
+            if (ssl_ctx == NULL) {
+                ESP_LOGE(TAG, "Error in obtaining ssl context");
+                break;
+            }
+            print_peer_cert_info(ssl_ctx);
+#endif
             break;
         default:
             ESP_LOGE(TAG, "Illegal state!");

examples/protocols/https_server/wss_server/main/wss_server_example.c

@@ -18,6 +18,7 @@
 
 #include <esp_https_server.h>
 #include "keep_alive.h"
+#include "sdkconfig.h"
 
 #if !CONFIG_HTTPD_WS_SUPPORT
 #error This example cannot be used unless HTTPD_WS_SUPPORT is enabled in esp-http-server component configuration

tools/ci/check_copyright_ignore.txt

@@ -1605,7 +1605,6 @@ components/spi_flash/test/test_spi_flash.c
 components/tcp_transport/include/esp_transport_ssl.h
 components/tcp_transport/include/esp_transport_tcp.h
 components/tcp_transport/include/esp_transport_ws.h
-components/tcp_transport/private_include/esp_transport_internal.h
 components/tcp_transport/private_include/esp_transport_utils.h
 components/tcp_transport/test/tcp_transport_fixtures.h
 components/tcp_transport/test/test_transport_basic.c