From 7ef2379549379c21badcb9fe9d08a875158e5df5 Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Mon, 18 Nov 2024 07:47:50 +0100
Subject: [PATCH 1/2] feat(esp_tls): Add support for PSK authentication on server side
---
 components/esp-tls/esp_tls.h | 22 ++++++++++++++--------
 components/esp-tls/esp_tls_mbedtls.c | 14 +++++++++++++-
 2 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h
index b4a90b8f4c..c0d81c5815 100644
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2017-2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2017-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -322,6 +322,12 @@ typedef struct esp_tls_cfg_server {
 TLS extensions, such as ALPN and server_certificate_type . */
 #endif
+#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
+ const psk_hint_key_t* psk_hint_key; /*!< Pointer to PSK hint and key. if not NULL (and the certificate/key is NULL)
+ then PSK authentication is enabled with configured setup.
+ Important note: the pointer must be valid for connection */
+#endif
+
 } esp_tls_cfg_server_t;
 /**
@@ -464,7 +470,7 @@ int esp_tls_conn_http_new_async(const char *url, const esp_tls_cfg_t *cfg, esp_t
 * - >=0 if write operation was successful, the return value is the number
 * of bytes actually written to the TLS/SSL connection.
 * - <0 if write operation was not successful, because either an
- * error occured or an action must be taken by the calling process.
+ * error occurred or an action must be taken by the calling process.
 * - ESP_TLS_ERR_SSL_WANT_READ/
 * ESP_TLS_ERR_SSL_WANT_WRITE.
 * if the handshake is incomplete and waiting for data to be available for reading.
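Review bot: The comment on the new `psk_hint_key` member of esp_tls_cfg_server_t (the -322 hunk) calls the string a hint, but the server path in esp_tls_mbedtls.c hands it to mbedtls_ssl_conf_psk as the PSK identity, so — if I recall mbedtls's server-side handling correctly — a client whose identity does not match this string is rejected; the comment should say so, e.g. append `On the server side the hint is used as the PSK identity that connecting clients must present.` The identity is exchanged in cleartext during the handshake, so it must not carry secret material; only `key` is secret. It would also help to state that the member exists only when CONFIG_ESP_TLS_PSK_VERIFICATION is enabled, since the second patch makes the same true for the client struct.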
@@ -485,7 +491,7 @@ ssize_t esp_tls_conn_write(esp_tls_t *tls, const void *data, size_t datalen);
 * - 0 if read operation was not successful. The underlying
 * connection was closed.
 * - <0 if read operation was not successful, because either an
- * error occured or an action must be taken by the calling process.
+ * error occurred or an action must be taken by the calling process.
 */
 ssize_t esp_tls_conn_read(esp_tls_t *tls, void *data, size_t datalen);
@@ -537,7 +543,7 @@ esp_err_t esp_tls_get_conn_sockfd(esp_tls_t *tls, int *sockfd);
 *
 * @param[in] sockfd sockfd value to set.
 *
- * @return - ESP_OK on success and value of sockfd for the tls connection shall updated withthe provided value
+ * @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value
 * - ESP_ERR_INVALID_ARG if (tls == NULL || sockfd < 0)
 */
 esp_err_t esp_tls_set_conn_sockfd(esp_tls_t *tls, int sockfd);
@@ -549,7 +555,7 @@ esp_err_t esp_tls_set_conn_sockfd(esp_tls_t *tls, int sockfd);
 *
 * @param[out] conn_state pointer to the connection state value.
 *
- * @return - ESP_OK on success and value of sockfd for the tls connection shall updated withthe provided value
+ * @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value
 * - ESP_ERR_INVALID_ARG (Invalid arguments)
 */
 esp_err_t esp_tls_get_conn_state(esp_tls_t *tls, esp_tls_conn_state_t *conn_state);
@@ -561,7 +567,7 @@ esp_err_t esp_tls_get_conn_state(esp_tls_t *tls, esp_tls_conn_state_t *conn_stat
 *
 * @param[in] conn_state connection state value to set.
 *
- * @return - ESP_OK on success and value of sockfd for the tls connection shall updated withthe provided value
+ * @return - ESP_OK on success and value of sockfd for the tls connection shall updated with the provided value
 * - ESP_ERR_INVALID_ARG (Invalid arguments)
 */
 esp_err_t esp_tls_set_conn_state(esp_tls_t *tls, esp_tls_conn_state_t conn_state);
@@ -586,7 +592,7 @@ void *esp_tls_get_ssl_context(esp_tls_t *tls);
 *
 * @return
 * - ESP_OK if creating global CA store was successful.
- * - ESP_ERR_NO_MEM if an error occured when allocating the mbedTLS resources.
+ * - ESP_ERR_NO_MEM if an error occurred when allocating the mbedTLS resources.
 */
 esp_err_t esp_tls_init_global_ca_store(void);
@@ -605,7 +611,7 @@ esp_err_t esp_tls_init_global_ca_store(void);
 *
 * @return
 * - ESP_OK if adding certificates was successful.
- * - Other if an error occured or an action must be taken by the calling process.
+ * - Other if an error occurred or an action must be taken by the calling process.
 */
 esp_err_t esp_tls_set_global_ca_store(const unsigned char *cacert_pem_buf, const unsigned int cacert_pem_bytes);
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index a861db4e47..c0cd6f4048 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -659,6 +659,18 @@ static esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
 ESP_LOGE(TAG, "Failed to set server pki context");
 return esp_ret;
 }
+#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
+ } else if (cfg->psk_hint_key) {
+ ESP_LOGD(TAG, "PSK authentication");
+ ret = mbedtls_ssl_conf_psk(&tls->conf, cfg->psk_hint_key->key, cfg->psk_hint_key->key_size,
+ (const unsigned char *)cfg->psk_hint_key->hint, strlen(cfg->psk_hint_key->hint));
+ if (ret != 0) {
+ ESP_LOGE(TAG, "mbedtls_ssl_conf_psk returned -0x%04X", -ret);
+ mbedtls_print_error_msg(ret);
+ ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
+ return ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED;
+ }
+#endif
 } else {
 #if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
 if (cfg->cert_select_cb == NULL) {
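Review bot: `strlen(cfg->psk_hint_key->hint)` in the new `else if (cfg->psk_hint_key)` branch of set_server_config dereferences `hint` with no NULL check, so a configuration that sets `psk_hint_key` but leaves `hint` (or `key`) NULL faults before mbedtls_ssl_conf_psk can report anything; guard the call with `if (cfg->psk_hint_key->key == NULL || cfg->psk_hint_key->hint == NULL) { ESP_LOGE(TAG, "Invalid PSK configuration"); return ESP_ERR_INVALID_ARG; }`. Whether `ret` is declared earlier in set_server_config cannot be seen from this hunk, since the function starts outside it; the client path visible in the second patch uses the same name, so it presumably is. A one-line comment above the branch, `/* PSK-only server: reached only when no certificate/key was supplied */`, would make the ordering relative to the certificate branch explicit.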
@@ -789,7 +801,7 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 #endif
 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
 } else if (cfg->client_session != NULL) {
- ESP_LOGD(TAG, "Resuing the saved client session");
+ ESP_LOGD(TAG, "Resuming the saved client session");
 #endif
 } else {
 #ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY
From 7801d118d447f063a84080e5017a86fccc5801fc Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Mon, 18 Nov 2024 13:52:00 +0100
Subject: [PATCH 2/2] fix(esp_tls): PSK available in headers only if enabled in Kconfig
---
 components/esp-tls/esp_tls.h | 2 ++
 components/esp-tls/esp_tls_mbedtls.c | 7 ++-----
 2 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/components/esp-tls/esp_tls.h b/components/esp-tls/esp_tls.h
index c0d81c5815..2449f6665a 100644
--- a/components/esp-tls/esp_tls.h
+++ b/components/esp-tls/esp_tls.h
@@ -187,9 +187,11 @@ typedef struct esp_tls_cfg {
 tls_keep_alive_cfg_t *keep_alive_cfg; /*!< Enable TCP keep-alive timeout for SSL connection */
+#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
 const psk_hint_key_t* psk_hint_key; /*!< Pointer to PSK hint and key. if not NULL (and certificates are NULL)
 then PSK authentication is enabled with configured setup.
 Important note: the pointer must be valid for connection */
+#endif /* CONFIG_ESP_TLS_PSK_VERIFICATION */
 esp_err_t (*crt_bundle_attach)(void *conf); /*!< Function pointer to esp_crt_bundle_attach. Enables the use of certification
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index c0cd6f4048..4759f2f892 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
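Review bot: Wrapping `psk_hint_key` in `#if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)` (the -187 hunk) turns a misconfiguration that used to be reported at runtime — the "not enabled in menuconfig" message this same series removes from set_client_config — into a compile error about an unknown struct member, which is fine as a fail-early choice but is not explained anywhere near the field. The member's comment should state the dependency so the error is understood, e.g. append `Available only when CONFIG_ESP_TLS_PSK_VERIFICATION is enabled in Kconfig.` The same wording belongs on the server-side member added in the first patch.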
@@ -782,8 +782,8 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 return esp_ret;
 }
 mbedtls_ssl_conf_ca_chain(&tls->conf, tls->cacert_ptr, NULL);
- } else if (cfg->psk_hint_key) {
 #if defined(CONFIG_ESP_TLS_PSK_VERIFICATION)
+ } else if (cfg->psk_hint_key) {
 //
 // PSK encryption mode is configured only if no certificate supplied and psk pointer not null
 ESP_LOGD(TAG, "ssl psk authentication");
@@ -795,13 +795,10 @@ esp_err_t set_client_config(const char *hostname, size_t hostlen, esp_tls_cfg_t
 ESP_INT_EVENT_TRACKER_CAPTURE(tls->error_handle, ESP_TLS_ERR_TYPE_MBEDTLS, -ret);
 return ESP_ERR_MBEDTLS_SSL_CONF_PSK_FAILED;
 }
-#else
- ESP_LOGE(TAG, "psk_hint_key configured but not enabled in menuconfig: Please enable ESP_TLS_PSK_VERIFICATION option");
- return ESP_ERR_INVALID_STATE;
 #endif
 #ifdef CONFIG_ESP_TLS_CLIENT_SESSION_TICKETS
 } else if (cfg->client_session != NULL) {
- ESP_LOGD(TAG, "Resuming the saved client session");
+ ESP_LOGD(TAG, "Reusing the saved client session");
 #endif
 } else {
 #ifdef CONFIG_ESP_TLS_SKIP_SERVER_CERT_VERIFY