Added support for client session tickets in esp-tls (with mbedtls)

* client session tickets for individual tls connections are supported
* reorganize the esp-tls error codes.
* Update esp_err_to_name.c
* Fix styling

components/esp-tls/Kconfig

@@ -41,8 +41,15 @@ menu "ESP-TLS"
             Enable support for creating server side SSL/TLS session, available for mbedTLS
             as well as wolfSSL TLS library.
 
+    config ESP_TLS_CLIENT_SESSION_TICKETS
+        bool "Enable client session tickets"
+        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
+        default n
+        help
+            Enable session ticket support as specified in RFC5077.
+
     config ESP_TLS_SERVER_SESSION_TICKETS
-        bool "Enable session tickets"
+        bool "Enable server session tickets"
         depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
         default n
         help

components/esp-tls/esp_tls.c

@@ -38,11 +38,12 @@ static const char *TAG = "esp-tls";
 #define _esp_tls_write                      esp_mbedtls_write
 #define _esp_tls_conn_delete                esp_mbedtls_conn_delete
 #define _esp_tls_net_init                   esp_mbedtls_net_init
+#define _esp_tls_get_client_session         esp_mbedtls_get_client_session
 #ifdef CONFIG_ESP_TLS_SERVER
 #define _esp_tls_server_session_create      esp_mbedtls_server_session_create
 #define _esp_tls_server_session_delete      esp_mbedtls_server_session_delete
-#define _esp_tls_session_ticket_ctx_init    esp_mbedtls_session_ticket_ctx_init
-#define _esp_tls_session_ticket_ctx_free    esp_mbedtls_session_ticket_ctx_free
+#define _esp_tls_server_session_ticket_ctx_init    esp_mbedtls_server_session_ticket_ctx_init
+#define _esp_tls_server_session_ticket_ctx_free    esp_mbedtls_server_session_ticket_ctx_free
 #endif  /* CONFIG_ESP_TLS_SERVER */
 #define _esp_tls_get_bytes_avail            esp_mbedtls_get_bytes_avail
 #define _esp_tls_init_global_ca_store       esp_mbedtls_init_global_ca_store
@@ -570,19 +571,31 @@ mbedtls_x509_crt *esp_tls_get_global_ca_store(void)
 }
 
 #endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
-#ifdef CONFIG_ESP_TLS_SERVER
 
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+esp_tls_client_session_t *esp_tls_get_client_session(esp_tls_t *tls)
+{
+    return _esp_tls_get_client_session(tls);
+}
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
+
+
+#ifdef CONFIG_ESP_TLS_SERVER
 esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg)
 {
-#if defined(CONFIG_ESP_TLS_USING_MBEDTLS) && defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
+#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
     if (!cfg || cfg->ticket_ctx) {
         return ESP_ERR_INVALID_ARG;
     }
-    cfg->ticket_ctx = calloc(1, sizeof(esp_tls_session_ticket_ctx_t));
+    cfg->ticket_ctx = calloc(1, sizeof(esp_tls_server_session_ticket_ctx_t));
     if (!cfg->ticket_ctx) {
         return ESP_ERR_NO_MEM;
     }
-    return _esp_tls_session_ticket_ctx_init(cfg->ticket_ctx);
+    esp_err_t ret =  _esp_tls_server_session_ticket_ctx_init(cfg->ticket_ctx);
+    if (ret != ESP_OK) {
+        free(cfg->ticket_ctx);
+    }
+    return ret;
 #else
     return ESP_ERR_NOT_SUPPORTED;
 #endif
@@ -590,9 +603,9 @@ esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg)
 
 void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg)
 {
-#if defined(CONFIG_ESP_TLS_USING_MBEDTLS) && defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
+#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
     if (cfg && cfg->ticket_ctx) {
-        _esp_tls_session_ticket_ctx_free(cfg->ticket_ctx);
+        _esp_tls_server_session_ticket_ctx_free(cfg->ticket_ctx);
     }
 #endif
 }

components/esp-tls/esp_tls.h

@@ -57,6 +57,15 @@ typedef struct psk_key_hint {
     const char* hint;                       /*!< hint in PSK authentication mode in string format */
 } psk_hint_key_t;
 
+/**
+ * @brief esp-tls client session ticket ctx
+ */
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+typedef struct esp_tls_client_session {
+    mbedtls_ssl_session saved_session;
+} esp_tls_client_session_t;
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
+
 /**
 *  @brief Keep alive parameters structure
 */
@@ -171,21 +180,25 @@ typedef struct esp_tls_cfg {
                                                  directly with esp_tls_plain_tcp_connect() API */
 
     struct ifreq *if_name;                  /*!< The name of interface for data to go through. Use the default interface without setting */
+
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+    esp_tls_client_session_t *client_session; /*! Pointer for the client session ticket context. */
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
 } esp_tls_cfg_t;
 
 #ifdef CONFIG_ESP_TLS_SERVER
-#if defined(CONFIG_ESP_TLS_USING_MBEDTLS) && defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
+#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
 /**
  * @brief Data structures necessary to support TLS session tickets according to RFC5077
  */
-typedef struct esp_tls_session_ticket_ctx {
+typedef struct esp_tls_server_session_ticket_ctx {
     mbedtls_entropy_context entropy;                                            /*!< mbedTLS entropy context structure */
 
     mbedtls_ctr_drbg_context ctr_drbg;                                          /*!< mbedTLS ctr drbg context structure.
                                                                                      CTR_DRBG is deterministic random
                                                                                      bit generation based on AES-256 */
     mbedtls_ssl_ticket_context ticket_ctx;                                     /*!< Session ticket generation context */
-} esp_tls_session_ticket_ctx_t;
+} esp_tls_server_session_ticket_ctx_t;
 #endif
 
 typedef struct esp_tls_cfg_server {
@@ -239,8 +252,8 @@ typedef struct esp_tls_cfg_server {
     unsigned int serverkey_password_len;        /*!< String length of the password pointed to by
                                                      serverkey_password */
 
-#if defined(CONFIG_ESP_TLS_USING_MBEDTLS) && defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
-    esp_tls_session_ticket_ctx_t * ticket_ctx; /*!< Session ticket generation context.
+#if defined(CONFIG_ESP_TLS_SERVER_SESSION_TICKETS)
+    esp_tls_server_session_ticket_ctx_t * ticket_ctx; /*!< Session ticket generation context.
                                                     You have to call esp_tls_cfg_server_session_tickets_init
                                                     to use it.
                                                     Call esp_tls_cfg_server_session_tickets_free
@@ -268,6 +281,8 @@ esp_err_t esp_tls_cfg_server_session_tickets_init(esp_tls_cfg_server_t *cfg);
 
 /**
  * @brief Free the server side TLS session ticket context
+ *
+ * @param cfg server configuration as esp_tls_cfg_server_t
  */
 void esp_tls_cfg_server_session_tickets_free(esp_tls_cfg_server_t *cfg);
 #endif /* ! CONFIG_ESP_TLS_SERVER */
@@ -656,6 +671,20 @@ void esp_tls_server_session_delete(esp_tls_t *tls);
  */
 esp_err_t esp_tls_plain_tcp_connect(const char *host, int hostlen, int port, const esp_tls_cfg_t *cfg, esp_tls_error_handle_t error_handle, int *sockfd);
 
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+/**
+ * @brief Obtain the client session ticket
+ *
+ * This function should be called when the TLS connection is already established.
+ * This can be passed again in the esp_tls_cfg_t structure, to appropriate tls session create (e.g. esp_tls_conn_http_new) API for session resumption.
+ *
+ * @param[in]  esp_tls context as esp_tls_t
+ * @return
+ *             Pointer to the saved client session.
+ *             NULL     on Failure
+ */
+esp_tls_client_session_t *esp_tls_get_client_session(esp_tls_t *tls);
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
 #ifdef __cplusplus
 }
 #endif

components/esp-tls/esp_tls_errors.h

@@ -14,36 +14,42 @@ extern "C" {
 #endif
 
 #define ESP_ERR_ESP_TLS_BASE           0x8000             /*!< Starting number of ESP-TLS error codes */
+
+/* generic esp-tls error codes */
 #define ESP_ERR_ESP_TLS_CANNOT_RESOLVE_HOSTNAME           (ESP_ERR_ESP_TLS_BASE + 0x01)  /*!< Error if hostname couldn't be resolved upon tls connection */
 #define ESP_ERR_ESP_TLS_CANNOT_CREATE_SOCKET              (ESP_ERR_ESP_TLS_BASE + 0x02)  /*!< Failed to create socket */
 #define ESP_ERR_ESP_TLS_UNSUPPORTED_PROTOCOL_FAMILY       (ESP_ERR_ESP_TLS_BASE + 0x03)  /*!< Unsupported protocol family */
 #define ESP_ERR_ESP_TLS_FAILED_CONNECT_TO_HOST            (ESP_ERR_ESP_TLS_BASE + 0x04)  /*!< Failed to connect to host */
 #define ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED              (ESP_ERR_ESP_TLS_BASE + 0x05)  /*!< failed to set/get socket option */
-#define ESP_ERR_MBEDTLS_CERT_PARTLY_OK                    (ESP_ERR_ESP_TLS_BASE + 0x06)  /*!< mbedtls parse certificates was partly successful */
-#define ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED              (ESP_ERR_ESP_TLS_BASE + 0x07)  /*!< mbedtls api returned error */
-#define ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED           (ESP_ERR_ESP_TLS_BASE + 0x08)  /*!< mbedtls api returned error */
-#define ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED        (ESP_ERR_ESP_TLS_BASE + 0x09)  /*!< mbedtls api returned error */
-#define ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED    (ESP_ERR_ESP_TLS_BASE + 0x0A)  /*!< mbedtls api returned error */
-#define ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED             (ESP_ERR_ESP_TLS_BASE + 0x0B)  /*!< mbedtls api returned error */
-#define ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED          (ESP_ERR_ESP_TLS_BASE + 0x0C)  /*!< mbedtls api returned error */
-#define ESP_ERR_MBEDTLS_SSL_SETUP_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x0D)  /*!< mbedtls api returned error */
-#define ESP_ERR_MBEDTLS_SSL_WRITE_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x0E)  /*!< mbedtls api returned error */
-#define ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED               (ESP_ERR_ESP_TLS_BASE + 0x0F)  /*!< mbedtls api returned failed  */
-#define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED              (ESP_ERR_ESP_TLS_BASE + 0x10)  /*!< mbedtls api returned failed  */
-#define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED               (ESP_ERR_ESP_TLS_BASE + 0x11)  /*!< mbedtls api returned failed  */
-#define ESP_ERR_MBEDTLS_SSL_SESSION_TICKET_SETUP_FAILED   (ESP_ERR_ESP_TLS_BASE + 0x12)  /*!< mbedtls api returned failed  */
-#define ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT                (ESP_ERR_ESP_TLS_BASE + 0x13)  /*!< new connection in esp_tls_low_level_conn connection timeouted */
-#define ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED           (ESP_ERR_ESP_TLS_BASE + 0x14)  /*!< wolfSSL api returned error */
-#define ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED    (ESP_ERR_ESP_TLS_BASE + 0x15)  /*!< wolfSSL api returned error */
-#define ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED          (ESP_ERR_ESP_TLS_BASE + 0x16)  /*!< wolfSSL api returned error */
-#define ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED           (ESP_ERR_ESP_TLS_BASE + 0x17)  /*!< wolfSSL api returned error */
-#define ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED              (ESP_ERR_ESP_TLS_BASE + 0x18)  /*!< wolfSSL api returned failed  */
-#define ESP_ERR_WOLFSSL_CTX_SETUP_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x19)  /*!< wolfSSL api returned failed */
-#define ESP_ERR_WOLFSSL_SSL_SETUP_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x1A)  /*!< wolfSSL api returned failed */
-#define ESP_ERR_WOLFSSL_SSL_WRITE_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x1B)  /*!< wolfSSL api returned failed */
+#define ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT                (ESP_ERR_ESP_TLS_BASE + 0x06)  /*!< new connection in esp_tls_low_level_conn connection timeouted */
+#define ESP_ERR_ESP_TLS_SE_FAILED                         (ESP_ERR_ESP_TLS_BASE + 0x07)  /*< esp-tls use Secure Element returned failed */
+#define ESP_ERR_ESP_TLS_TCP_CLOSED_FIN                    (ESP_ERR_ESP_TLS_BASE + 0x08)  /*< esp-tls's TPC transport connection has benn closed (in a clean way) */
+
+/* mbedtls specific error codes */
+#define ESP_ERR_MBEDTLS_CERT_PARTLY_OK                    (ESP_ERR_ESP_TLS_BASE + 0x10)  /*!< mbedtls parse certificates was partly successful */
+#define ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED              (ESP_ERR_ESP_TLS_BASE + 0x11)  /*!< mbedtls api returned error */
+#define ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED           (ESP_ERR_ESP_TLS_BASE + 0x12)  /*!< mbedtls api returned error */
+#define ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED        (ESP_ERR_ESP_TLS_BASE + 0x13)  /*!< mbedtls api returned error */
+#define ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED    (ESP_ERR_ESP_TLS_BASE + 0x14)  /*!< mbedtls api returned error */
+#define ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED             (ESP_ERR_ESP_TLS_BASE + 0x15)  /*!< mbedtls api returned error */
+#define ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED          (ESP_ERR_ESP_TLS_BASE + 0x16)  /*!< mbedtls api returned error */
+#define ESP_ERR_MBEDTLS_SSL_SETUP_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x17)  /*!< mbedtls api returned error */
+#define ESP_ERR_MBEDTLS_SSL_WRITE_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x18)  /*!< mbedtls api returned error */
+#define ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED               (ESP_ERR_ESP_TLS_BASE + 0x19)  /*!< mbedtls api returned failed  */
+#define ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED              (ESP_ERR_ESP_TLS_BASE + 0x1A)  /*!< mbedtls api returned failed  */
+#define ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED               (ESP_ERR_ESP_TLS_BASE + 0x1B)  /*!< mbedtls api returned failed  */
+#define ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED           (ESP_ERR_ESP_TLS_BASE + 0x1C)  /*!< mbedtls api returned failed  */
+
+/* wolfssl specific error codes */
+#define ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED           (ESP_ERR_ESP_TLS_BASE + 0x31)  /*!< wolfSSL api returned error */
+#define ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED    (ESP_ERR_ESP_TLS_BASE + 0x32)  /*!< wolfSSL api returned error */
+#define ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED          (ESP_ERR_ESP_TLS_BASE + 0x33)  /*!< wolfSSL api returned error */
+#define ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED           (ESP_ERR_ESP_TLS_BASE + 0x34)  /*!< wolfSSL api returned error */
+#define ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED              (ESP_ERR_ESP_TLS_BASE + 0x35)  /*!< wolfSSL api returned failed  */
+#define ESP_ERR_WOLFSSL_CTX_SETUP_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x36)  /*!< wolfSSL api returned failed */
+#define ESP_ERR_WOLFSSL_SSL_SETUP_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x37)  /*!< wolfSSL api returned failed */
+#define ESP_ERR_WOLFSSL_SSL_WRITE_FAILED                  (ESP_ERR_ESP_TLS_BASE + 0x38)  /*!< wolfSSL api returned failed */
 
-#define ESP_ERR_ESP_TLS_SE_FAILED                         (ESP_ERR_ESP_TLS_BASE + 0x1C)  /*< esp-tls use Secure Element returned failed */
-#define ESP_ERR_ESP_TLS_TCP_CLOSED_FIN                    (ESP_ERR_ESP_TLS_BASE + 0x1D)  /*< esp-tls's TPC transport connection has benn closed (in a clean way) */
 
 /**
 * Definition of errors reported from IO API (potentially non-blocking) in case of error:

components/esp-tls/esp_tls_mbedtls.c

@@ -44,7 +44,6 @@ static esp_err_t esp_mbedtls_init_pk_ctx_for_ds(const void *pki);
 static const char *TAG = "esp-tls-mbedtls";
 static mbedtls_x509_crt *global_cacert = NULL;
 
-
 /* This function shall return the error message when appropriate log level has been set, otherwise this function shall do nothing */
 static void mbedtls_print_error_msg(int error)
 {
@@ -132,12 +131,48 @@ exit:
 
 }
 
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+esp_tls_client_session_t *esp_mbedtls_get_client_session(esp_tls_t *tls)
+{
+    if (tls == NULL) {
+        ESP_LOGE(TAG, "esp_tls session context cannot be NULL");
+        return NULL;
+    }
+
+    esp_tls_client_session_t *client_session = (esp_tls_client_session_t*)calloc(1, sizeof(esp_tls_client_session_t));
+    if (client_session == NULL) {
+        ESP_LOGE(TAG, "Failed to allocate memory for client session ctx");
+        return NULL;
+    }
+
+    int ret = mbedtls_ssl_get_session(&tls->ssl, &(client_session->saved_session));
+    if (ret != 0) {
+        ESP_LOGE(TAG, "Error in obtaining the client ssl session");
+        mbedtls_print_error_msg(ret);
+        free(client_session);
+        return NULL;
+    }
+
+    return client_session;
+}
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
+
 int esp_mbedtls_handshake(esp_tls_t *tls, const esp_tls_cfg_t *cfg)
 {
     int ret;
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+    if (cfg->client_session != NULL) {
+        ESP_LOGD(TAG, "Reusing the already saved client session context");
+        if ((ret = mbedtls_ssl_set_session(&tls->ssl, &(cfg->client_session->saved_session))) != 0 ) {
+            ESP_LOGE(TAG, " mbedtls_ssl_conf_session returned -0x%04X", -ret);
+            return -1;
+        }
+    }
+#endif
     ret = mbedtls_ssl_handshake(&tls->ssl);
     if (ret == 0) {
         tls->conn_state = ESP_TLS_DONE;
+
 #ifdef CONFIG_ESP_TLS_USE_DS_PERIPHERAL
         esp_ds_release_ds_lock();
 #endif
@@ -370,7 +405,7 @@ static esp_err_t set_global_ca_store(esp_tls_t *tls)
 
 #ifdef CONFIG_ESP_TLS_SERVER
 #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
-int esp_mbedtls_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
+int esp_mbedtls_server_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
 {
     int ret = mbedtls_ssl_ticket_write(p_ticket, session, start, end, tlen, lifetime);
 #ifndef NDEBUG
@@ -382,7 +417,7 @@ int esp_mbedtls_session_ticket_write(void *p_ticket, const mbedtls_ssl_session *
     return ret;
 }
 
-int esp_mbedtls_session_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len)
+int esp_mbedtls_server_session_ticket_parse(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len)
 {
     int ret = mbedtls_ssl_ticket_parse(p_ticket, session, buf, len);
 #ifndef NDEBUG
@@ -394,7 +429,7 @@ int esp_mbedtls_session_ticket_parse(void *p_ticket, mbedtls_ssl_session *sessio
     return ret;
 }
 
-esp_err_t esp_mbedtls_session_ticket_ctx_init(esp_tls_session_ticket_ctx_t *ctx)
+esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_ticket_ctx_t *ctx)
 {
     if (!ctx) {
         return ESP_ERR_INVALID_ARG;
@@ -403,26 +438,31 @@ esp_err_t esp_mbedtls_session_ticket_ctx_init(esp_tls_session_ticket_ctx_t *ctx)
     mbedtls_entropy_init(&ctx->entropy);
     mbedtls_ssl_ticket_init(&ctx->ticket_ctx);
     int ret;
+    esp_err_t esp_ret;
     if ((ret = mbedtls_ctr_drbg_seed(&ctx->ctr_drbg,
-                                     mbedtls_entropy_func, &ctx->entropy, NULL, 0)) != 0) {
+                    mbedtls_entropy_func, &ctx->entropy, NULL, 0)) != 0) {
         ESP_LOGE(TAG, "mbedtls_ctr_drbg_seed returned -0x%04X", -ret);
         mbedtls_print_error_msg(ret);
-        return ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED;
+        esp_ret = ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED;
+        goto exit;
     }
 
-    if( ( ret = mbedtls_ssl_ticket_setup( &ctx->ticket_ctx,
+    if((ret = mbedtls_ssl_ticket_setup(&ctx->ticket_ctx,
                     mbedtls_ctr_drbg_random, &ctx->ctr_drbg,
                     MBEDTLS_CIPHER_AES_256_GCM,
-                    CONFIG_ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT ) ) != 0 )
-        {
-            ESP_LOGE(TAG, "mbedtls_ssl_ticket_setup returned -0x%04X", -ret);
-            mbedtls_print_error_msg(ret);
-            return ESP_ERR_MBEDTLS_SSL_SESSION_TICKET_SETUP_FAILED;
-        }
+                    CONFIG_ESP_TLS_SERVER_SESSION_TICKET_TIMEOUT)) != 0) {
+        ESP_LOGE(TAG, "mbedtls_ssl_ticket_setup returned -0x%04X", -ret);
+        mbedtls_print_error_msg(ret);
+        esp_ret = ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED;
+        goto exit;
+    }
     return ESP_OK;
+exit:
+    esp_mbedtls_server_session_ticket_ctx_free(ctx);
+    return esp_ret;
 }
 
-void esp_mbedtls_session_ticket_ctx_free(esp_tls_session_ticket_ctx_t *ctx)
+void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *ctx)
 {
     if (ctx) {
         mbedtls_ssl_ticket_free(&ctx->ticket_ctx);
@@ -489,8 +529,8 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
         ESP_LOGD(TAG, "Enabling server-side tls session ticket support");
 
         mbedtls_ssl_conf_session_tickets_cb( &tls->conf,
-                esp_mbedtls_session_ticket_write,
-                esp_mbedtls_session_ticket_parse,
+                esp_mbedtls_server_session_ticket_write,
+                esp_mbedtls_server_session_ticket_parse,
                 &cfg->ticket_ctx->ticket_ctx );
     }
 #endif
@@ -554,6 +594,13 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 #endif
     }
 
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+    ESP_LOGD(TAG, "Enabling client-side tls session ticket support");
+    mbedtls_ssl_conf_session_tickets(&tls->conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
+    mbedtls_ssl_conf_renegotiation(&tls->conf, MBEDTLS_SSL_RENEGOTIATION_ENABLED);
+
+#endif /* CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS */
+
     if (cfg->crt_bundle_attach != NULL) {
 #ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
         ESP_LOGD(TAG, "Use certificate bundle");
@@ -590,6 +637,10 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 #else
         ESP_LOGE(TAG, "psk_hint_key configured but not enabled in menuconfig: Please enable ESP_TLS_PSK_VERIFICATION option");
         return ESP_ERR_INVALID_STATE;
+#endif
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+    } else if (cfg->client_session != NULL) {
+        ESP_LOGD(TAG, "Resuing the saved client session");
 #endif
     } else {
 #ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY

components/esp-tls/private_include/esp_tls_mbedtls.h

@@ -83,14 +83,14 @@ void esp_mbedtls_server_session_delete(esp_tls_t *tls);
  *
  * /note :- The function can only be used with mbedtls ssl library
  */
-esp_err_t esp_mbedtls_session_ticket_ctx_init(esp_tls_session_ticket_ctx_t *cfg);
+esp_err_t esp_mbedtls_server_session_ticket_ctx_init(esp_tls_server_session_ticket_ctx_t *cfg);
 
 /**
  * Internal function to free server side session ticket context
  *
  * /note :- The function can only be used with mbedtls ssl library
  */
-void esp_mbedtls_session_ticket_ctx_free(esp_tls_session_ticket_ctx_t *cfg);
+void esp_mbedtls_server_session_ticket_ctx_free(esp_tls_server_session_ticket_ctx_t *cfg);
 #endif
 #endif
 
@@ -99,6 +99,13 @@ void esp_mbedtls_session_ticket_ctx_free(esp_tls_session_ticket_ctx_t *cfg);
  */
 esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t *cfg, esp_tls_t *tls);
 
+#ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
+/**
+ * Internal Callback for mbedtls_get_client_session
+ */
+esp_tls_client_session_t *esp_mbedtls_get_client_session(esp_tls_t *tls);
+#endif
+
 /**
  * Internal Callback for mbedtls_init_global_ca_store
  */

components/esp_common/src/esp_err_to_name.c

@@ -620,75 +620,78 @@ static const esp_err_msg_t esp_err_msg_table[] = {
 #   ifdef      ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED
     ERR_TBL_IT(ESP_ERR_ESP_TLS_SOCKET_SETOPT_FAILED),           /* 32773 0x8005 failed to set/get socket option */
 #   endif
+#   ifdef      ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT
+    ERR_TBL_IT(ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT),             /* 32774 0x8006 new connection in esp_tls_low_level_conn
+                                                                                connection timeouted */
+#   endif
+#   ifdef      ESP_ERR_ESP_TLS_SE_FAILED
+    ERR_TBL_IT(ESP_ERR_ESP_TLS_SE_FAILED),                      /* 32775 0x8007 */
+#   endif
+#   ifdef      ESP_ERR_ESP_TLS_TCP_CLOSED_FIN
+    ERR_TBL_IT(ESP_ERR_ESP_TLS_TCP_CLOSED_FIN),                 /* 32776 0x8008 */
+#   endif
 #   ifdef      ESP_ERR_MBEDTLS_CERT_PARTLY_OK
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_CERT_PARTLY_OK),                 /* 32774 0x8006 mbedtls parse certificates was partly successful */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_CERT_PARTLY_OK),                 /* 32784 0x8010 mbedtls parse certificates was partly successful */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED),           /* 32775 0x8007 mbedtls api returned error */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_CTR_DRBG_SEED_FAILED),           /* 32785 0x8011 mbedtls api returned error */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED),        /* 32776 0x8008 mbedtls api returned error */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SET_HOSTNAME_FAILED),        /* 32786 0x8012 mbedtls api returned error */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED),     /* 32777 0x8009 mbedtls api returned error */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONFIG_DEFAULTS_FAILED),     /* 32787 0x8013 mbedtls api returned error */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32778 0x800a mbedtls api returned error */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32788 0x8014 mbedtls api returned error */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED),          /* 32779 0x800b mbedtls api returned error */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_X509_CRT_PARSE_FAILED),          /* 32789 0x8015 mbedtls api returned error */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED),       /* 32780 0x800c mbedtls api returned error */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_OWN_CERT_FAILED),       /* 32790 0x8016 mbedtls api returned error */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_SSL_SETUP_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SETUP_FAILED),               /* 32781 0x800d mbedtls api returned error */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_SETUP_FAILED),               /* 32791 0x8017 mbedtls api returned error */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_SSL_WRITE_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_WRITE_FAILED),               /* 32782 0x800e mbedtls api returned error */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_WRITE_FAILED),               /* 32792 0x8018 mbedtls api returned error */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED),            /* 32783 0x800f mbedtls api returned failed */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_PK_PARSE_KEY_FAILED),            /* 32793 0x8019 mbedtls api returned failed */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED),           /* 32784 0x8010 mbedtls api returned failed */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_HANDSHAKE_FAILED),           /* 32794 0x801a mbedtls api returned failed */
 #   endif
 #   ifdef      ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED
-    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED),            /* 32785 0x8011 mbedtls api returned failed */
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED),            /* 32795 0x801b mbedtls api returned failed */
 #   endif
-#   ifdef      ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT
-    ERR_TBL_IT(ESP_ERR_ESP_TLS_CONNECTION_TIMEOUT),             /* 32786 0x8012 new connection in esp_tls_low_level_conn
-                                                                                connection timeouted */
+#   ifdef      ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED
+    ERR_TBL_IT(ESP_ERR_MBEDTLS_SSL_TICKET_SETUP_FAILED),        /* 32796 0x801c mbedtls api returned failed */
 #   endif
 #   ifdef      ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED
-    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED),        /* 32787 0x8013 wolfSSL api returned error */
+    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SET_HOSTNAME_FAILED),        /* 32817 0x8031 wolfSSL api returned error */
 #   endif
 #   ifdef      ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED
-    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32788 0x8014 wolfSSL api returned error */
+    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_CONF_ALPN_PROTOCOLS_FAILED), /* 32818 0x8032 wolfSSL api returned error */
 #   endif
 #   ifdef      ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED
-    ERR_TBL_IT(ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED),       /* 32789 0x8015 wolfSSL api returned error */
+    ERR_TBL_IT(ESP_ERR_WOLFSSL_CERT_VERIFY_SETUP_FAILED),       /* 32819 0x8033 wolfSSL api returned error */
 #   endif
 #   ifdef      ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED
-    ERR_TBL_IT(ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED),        /* 32790 0x8016 wolfSSL api returned error */
+    ERR_TBL_IT(ESP_ERR_WOLFSSL_KEY_VERIFY_SETUP_FAILED),        /* 32820 0x8034 wolfSSL api returned error */
 #   endif
 #   ifdef      ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED
-    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED),           /* 32791 0x8017 wolfSSL api returned failed */
+    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_HANDSHAKE_FAILED),           /* 32821 0x8035 wolfSSL api returned failed */
 #   endif
 #   ifdef      ESP_ERR_WOLFSSL_CTX_SETUP_FAILED
-    ERR_TBL_IT(ESP_ERR_WOLFSSL_CTX_SETUP_FAILED),               /* 32792 0x8018 wolfSSL api returned failed */
+    ERR_TBL_IT(ESP_ERR_WOLFSSL_CTX_SETUP_FAILED),               /* 32822 0x8036 wolfSSL api returned failed */
 #   endif
 #   ifdef      ESP_ERR_WOLFSSL_SSL_SETUP_FAILED
-    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SETUP_FAILED),               /* 32793 0x8019 wolfSSL api returned failed */
+    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_SETUP_FAILED),               /* 32823 0x8037 wolfSSL api returned failed */
 #   endif
 #   ifdef      ESP_ERR_WOLFSSL_SSL_WRITE_FAILED
-    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_WRITE_FAILED),               /* 32794 0x801a wolfSSL api returned failed */
-#   endif
-#   ifdef      ESP_ERR_ESP_TLS_SE_FAILED
-    ERR_TBL_IT(ESP_ERR_ESP_TLS_SE_FAILED),                      /* 32795 0x801b */
-#   endif
-#   ifdef      ESP_ERR_ESP_TLS_TCP_CLOSED_FIN
-    ERR_TBL_IT(ESP_ERR_ESP_TLS_TCP_CLOSED_FIN),                 /* 32796 0x801c */
+    ERR_TBL_IT(ESP_ERR_WOLFSSL_SSL_WRITE_FAILED),               /* 32824 0x8038 wolfSSL api returned failed */
 #   endif
     // components/esp_https_ota/include/esp_https_ota.h
 #   ifdef      ESP_ERR_HTTPS_OTA_BASE