espressif: Use mbedtls implementation of ssl module.

the mbedtls version is a bit different so there are some new #ifdefs
needed.

Tested with the ssl test from #8910
on Adafruit MatrixPortal S3 (no pico w testing done)

Author: jepler

lib/mbedtls_config/crt_bundle.c

@@ -19,7 +19,8 @@
 
 #include "py/runtime.h"
 #include "py/mperrno.h"
-#include "lib/mbedtls/include/mbedtls/x509_crt.h"
+#include "mbedtls/version.h"
+#include "mbedtls/x509_crt.h"
 #include "lib/mbedtls_config/crt_bundle.h"
 
 #define BUNDLE_HEADER_OFFSET 2
@@ -55,6 +56,10 @@ static crt_bundle_t s_crt_bundle;
 static int crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len);
 
 
+#if MBEDTLS_VERSION_MAJOR < 3
+#define MBEDTLS_PRIVATE(x) x
+#endif
+
 static int crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_buf, size_t pub_key_len) {
     int ret = 0;
     mbedtls_x509_crt parent;
@@ -70,21 +75,22 @@ static int crt_check_signature(mbedtls_x509_crt *child, const uint8_t *pub_key_b
 
 
     // Fast check to avoid expensive computations when not necessary
-    if (!mbedtls_pk_can_do(&parent.pk, child->sig_pk)) {
+    if (!mbedtls_pk_can_do(&parent.pk, child->MBEDTLS_PRIVATE(sig_pk))) {
         LOGE(TAG, "Simple compare failed");
         ret = -1;
         goto cleanup;
     }
 
-    md_info = mbedtls_md_info_from_type(child->sig_md);
+    md_info = mbedtls_md_info_from_type(child->MBEDTLS_PRIVATE(sig_md));
     if ((ret = mbedtls_md(md_info, child->tbs.p, child->tbs.len, hash)) != 0) {
         LOGE(TAG, "Internal mbedTLS error %X", ret);
         goto cleanup;
     }
 
-    if ((ret = mbedtls_pk_verify_ext(child->sig_pk, child->sig_opts, &parent.pk,
-        child->sig_md, hash, mbedtls_md_get_size(md_info),
-        child->sig.p, child->sig.len)) != 0) {
+    if ((ret = mbedtls_pk_verify_ext(
+        child->MBEDTLS_PRIVATE(sig_pk), child->MBEDTLS_PRIVATE(sig_opts), &parent.pk,
+        child->MBEDTLS_PRIVATE(sig_md), hash, mbedtls_md_get_size(md_info),
+        child->MBEDTLS_PRIVATE(sig).p, child->MBEDTLS_PRIVATE(sig).len)) != 0) {
 
         LOGE(TAG, "PK verify failed with error %X", ret);
         goto cleanup;

lib/mbedtls_errors/mp_mbedtls_errors.c

@@ -154,8 +154,12 @@
 #endif
 
 #if defined(MBEDTLS_PADLOCK_C)
+#if defined(MBEDTLS_PADLOCK_FILE)
+#include MBEDTLS_PADLOCK_FILE
+#else
 #include "mbedtls/padlock.h"
 #endif
+#endif
 
 #if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
 #include "mbedtls/pem.h"
@@ -235,7 +239,9 @@ static const struct ssl_errs mbedtls_high_level_error_tab[] = {
         { -(MBEDTLS_ERR_CIPHER_FULL_BLOCK_EXPECTED), "CIPHER_FULL_BLOCK_EXPECTED" },
         { -(MBEDTLS_ERR_CIPHER_AUTH_FAILED), "CIPHER_AUTH_FAILED" },
         { -(MBEDTLS_ERR_CIPHER_INVALID_CONTEXT), "CIPHER_INVALID_CONTEXT" },
+#if defined(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED)
         { -(MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED), "CIPHER_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_CIPHER_C */
 
 #if defined(MBEDTLS_DHM_C)
@@ -261,7 +267,9 @@ static const struct ssl_errs mbedtls_high_level_error_tab[] = {
         { -(MBEDTLS_ERR_ECP_RANDOM_FAILED), "ECP_RANDOM_FAILED" },
         { -(MBEDTLS_ERR_ECP_INVALID_KEY), "ECP_INVALID_KEY" },
         { -(MBEDTLS_ERR_ECP_SIG_LEN_MISMATCH), "ECP_SIG_LEN_MISMATCH" },
+#if defined(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED)
         { -(MBEDTLS_ERR_ECP_HW_ACCEL_FAILED), "ECP_HW_ACCEL_FAILED" },
+#endif
         { -(MBEDTLS_ERR_ECP_IN_PROGRESS), "ECP_IN_PROGRESS" },
 #endif /* MBEDTLS_ECP_C */
 
@@ -270,7 +278,9 @@ static const struct ssl_errs mbedtls_high_level_error_tab[] = {
         { -(MBEDTLS_ERR_MD_BAD_INPUT_DATA), "MD_BAD_INPUT_DATA" },
         { -(MBEDTLS_ERR_MD_ALLOC_FAILED), "MD_ALLOC_FAILED" },
         { -(MBEDTLS_ERR_MD_FILE_IO_ERROR), "MD_FILE_IO_ERROR" },
+#if defined(MBEDTLS_ERR_MD_HW_ACCEL_FAILED)
         { -(MBEDTLS_ERR_MD_HW_ACCEL_FAILED), "MD_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_MD_C */
 
 #if defined(MBEDTLS_PEM_PARSE_C) || defined(MBEDTLS_PEM_WRITE_C)
@@ -300,7 +310,9 @@ static const struct ssl_errs mbedtls_high_level_error_tab[] = {
         { -(MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE), "PK_UNKNOWN_NAMED_CURVE" },
         { -(MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE), "PK_FEATURE_UNAVAILABLE" },
         { -(MBEDTLS_ERR_PK_SIG_LEN_MISMATCH), "PK_SIG_LEN_MISMATCH" },
+#if defined(MBEDTLS_ERR_PK_HW_ACCEL_FAILED)
         { -(MBEDTLS_ERR_PK_HW_ACCEL_FAILED), "PK_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_PK_C */
 
 #if defined(MBEDTLS_PKCS12_C)
@@ -327,8 +339,12 @@ static const struct ssl_errs mbedtls_high_level_error_tab[] = {
         { -(MBEDTLS_ERR_RSA_VERIFY_FAILED), "RSA_VERIFY_FAILED" },
         { -(MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE), "RSA_OUTPUT_TOO_LARGE" },
         { -(MBEDTLS_ERR_RSA_RNG_FAILED), "RSA_RNG_FAILED" },
+#if defined(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION)
         { -(MBEDTLS_ERR_RSA_UNSUPPORTED_OPERATION), "RSA_UNSUPPORTED_OPERATION" },
+#endif
+#if defined(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED)
         { -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED), "RSA_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_RSA_C */
 
 #if defined(MBEDTLS_SSL_TLS_C)
@@ -337,35 +353,75 @@ static const struct ssl_errs mbedtls_high_level_error_tab[] = {
         { -(MBEDTLS_ERR_SSL_INVALID_MAC), "SSL_INVALID_MAC" },
         { -(MBEDTLS_ERR_SSL_INVALID_RECORD), "SSL_INVALID_RECORD" },
         { -(MBEDTLS_ERR_SSL_CONN_EOF), "SSL_CONN_EOF" },
+#if defined(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER)
         { -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER), "SSL_UNKNOWN_CIPHER" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN)
         { -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN), "SSL_NO_CIPHER_CHOSEN" },
+#endif
         { -(MBEDTLS_ERR_SSL_NO_RNG), "SSL_NO_RNG" },
         { -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE), "SSL_NO_CLIENT_CERTIFICATE" },
+#if defined(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE)
         { -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE), "SSL_CERTIFICATE_TOO_LARGE" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED)
         { -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED), "SSL_CERTIFICATE_REQUIRED" },
+#endif
         { -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED), "SSL_PRIVATE_KEY_REQUIRED" },
         { -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED), "SSL_CA_CHAIN_REQUIRED" },
         { -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE), "SSL_UNEXPECTED_MESSAGE" },
+#if defined(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED)
         { -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED), "SSL_PEER_VERIFY_FAILED" },
+#endif
         { -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY), "SSL_PEER_CLOSE_NOTIFY" },
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO)
         { -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO), "SSL_BAD_HS_CLIENT_HELLO" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO)
         { -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO), "SSL_BAD_HS_SERVER_HELLO" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE)
         { -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE), "SSL_BAD_HS_CERTIFICATE" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST)
         { -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST), "SSL_BAD_HS_CERTIFICATE_REQUEST" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE)
         { -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE), "SSL_BAD_HS_SERVER_KEY_EXCHANGE" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE)
         { -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE), "SSL_BAD_HS_SERVER_HELLO_DONE" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE)
         { -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE), "SSL_BAD_HS_CLIENT_KEY_EXCHANGE" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP)
         { -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP), "SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS)
         { -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS), "SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY)
         { -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY), "SSL_BAD_HS_CERTIFICATE_VERIFY" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC)
         { -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC), "SSL_BAD_HS_CHANGE_CIPHER_SPEC" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_FINISHED)
         { -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED), "SSL_BAD_HS_FINISHED" },
+#endif
         { -(MBEDTLS_ERR_SSL_ALLOC_FAILED), "SSL_ALLOC_FAILED" },
         { -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED), "SSL_HW_ACCEL_FAILED" },
         { -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH), "SSL_HW_ACCEL_FALLTHROUGH" },
+#if defined(MBEDTLS_ERR_SSL_COMPRESSION_FAILED)
         { -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED), "SSL_COMPRESSION_FAILED" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION)
         { -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION), "SSL_BAD_HS_PROTOCOL_VERSION" },
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET)
         { -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET), "SSL_BAD_HS_NEW_SESSION_TICKET" },
+#endif
         { -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED), "SSL_SESSION_TICKET_EXPIRED" },
         { -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH), "SSL_PK_TYPE_MISMATCH" },
         { -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY), "SSL_UNKNOWN_IDENTITY" },
@@ -374,14 +430,18 @@ static const struct ssl_errs mbedtls_high_level_error_tab[] = {
         { -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO), "SSL_WAITING_SERVER_HELLO_RENEGO" },
         { -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED), "SSL_HELLO_VERIFY_REQUIRED" },
         { -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL), "SSL_BUFFER_TOO_SMALL" },
+#if defined(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE)
         { -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE), "SSL_NO_USABLE_CIPHERSUITE" },
+#endif
         { -(MBEDTLS_ERR_SSL_WANT_READ), "SSL_WANT_READ" },
         { -(MBEDTLS_ERR_SSL_WANT_WRITE), "SSL_WANT_WRITE" },
         { -(MBEDTLS_ERR_SSL_TIMEOUT), "SSL_TIMEOUT" },
         { -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT), "SSL_CLIENT_RECONNECT" },
         { -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD), "SSL_UNEXPECTED_RECORD" },
         { -(MBEDTLS_ERR_SSL_NON_FATAL), "SSL_NON_FATAL" },
+#if defined(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH)
         { -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH), "SSL_INVALID_VERIFY_HASH" },
+#endif
         { -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING), "SSL_CONTINUE_PROCESSING" },
         { -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS), "SSL_ASYNC_IN_PROGRESS" },
         { -(MBEDTLS_ERR_SSL_EARLY_MESSAGE), "SSL_EARLY_MESSAGE" },
@@ -424,8 +484,12 @@ static const struct ssl_errs mbedtls_low_level_error_tab[] = {
     { -(MBEDTLS_ERR_AES_INVALID_KEY_LENGTH), "AES_INVALID_KEY_LENGTH" },
     { -(MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH), "AES_INVALID_INPUT_LENGTH" },
     { -(MBEDTLS_ERR_AES_BAD_INPUT_DATA), "AES_BAD_INPUT_DATA" },
+#if defined(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE)
     { -(MBEDTLS_ERR_AES_FEATURE_UNAVAILABLE), "AES_FEATURE_UNAVAILABLE" },
+#endif
+#if defined(MBEDTLS_ERR_AES_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_AES_HW_ACCEL_FAILED), "AES_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_AES_C */
 
 #if defined(MBEDTLS_ARC4_C)
@@ -435,8 +499,12 @@ static const struct ssl_errs mbedtls_low_level_error_tab[] = {
 #if defined(MBEDTLS_ARIA_C)
     { -(MBEDTLS_ERR_ARIA_BAD_INPUT_DATA), "ARIA_BAD_INPUT_DATA" },
     { -(MBEDTLS_ERR_ARIA_INVALID_INPUT_LENGTH), "ARIA_INVALID_INPUT_LENGTH" },
+#if defined(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE)
     { -(MBEDTLS_ERR_ARIA_FEATURE_UNAVAILABLE), "ARIA_FEATURE_UNAVAILABLE" },
+#endif
+#if defined(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_ARIA_HW_ACCEL_FAILED), "ARIA_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_ARIA_C */
 
 #if defined(MBEDTLS_ASN1_PARSE_C)
@@ -480,13 +548,17 @@ static const struct ssl_errs mbedtls_low_level_error_tab[] = {
 #if defined(MBEDTLS_CCM_C)
     { -(MBEDTLS_ERR_CCM_BAD_INPUT), "CCM_BAD_INPUT" },
     { -(MBEDTLS_ERR_CCM_AUTH_FAILED), "CCM_AUTH_FAILED" },
+#if defined(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_CCM_HW_ACCEL_FAILED), "CCM_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_CCM_C */
 
 #if defined(MBEDTLS_CHACHA20_C)
     { -(MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA), "CHACHA20_BAD_INPUT_DATA" },
     { -(MBEDTLS_ERR_CHACHA20_FEATURE_UNAVAILABLE), "CHACHA20_FEATURE_UNAVAILABLE" },
+#if defined(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_CHACHA20_HW_ACCEL_FAILED), "CHACHA20_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_CHACHA20_C */
 
 #if defined(MBEDTLS_CHACHAPOLY_C)
@@ -495,7 +567,9 @@ static const struct ssl_errs mbedtls_low_level_error_tab[] = {
 #endif /* MBEDTLS_CHACHAPOLY_C */
 
 #if defined(MBEDTLS_CMAC_C)
+#if defined(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_CMAC_HW_ACCEL_FAILED), "CMAC_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_CMAC_C */
 
 #if defined(MBEDTLS_CTR_DRBG_C)
@@ -525,7 +599,9 @@ static const struct ssl_errs mbedtls_low_level_error_tab[] = {
 
 #if defined(MBEDTLS_GCM_C)
     { -(MBEDTLS_ERR_GCM_AUTH_FAILED), "GCM_AUTH_FAILED" },
+#if defined(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_GCM_HW_ACCEL_FAILED), "GCM_HW_ACCEL_FAILED" },
+#endif
     { -(MBEDTLS_ERR_GCM_BAD_INPUT), "GCM_BAD_INPUT" },
 #endif /* MBEDTLS_GCM_C */
 
@@ -549,7 +625,9 @@ static const struct ssl_errs mbedtls_low_level_error_tab[] = {
 #endif /* MBEDTLS_MD4_C */
 
 #if defined(MBEDTLS_MD5_C)
+#if defined(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_MD5_HW_ACCEL_FAILED), "MD5_HW_ACCEL_FAILED" },
+#endif
 #endif /* MBEDTLS_MD5_C */
 
 #if defined(MBEDTLS_NET_C)
@@ -593,17 +671,23 @@ static const struct ssl_errs mbedtls_low_level_error_tab[] = {
 #endif /* MBEDTLS_RIPEMD160_C */
 
 #if defined(MBEDTLS_SHA1_C)
+#if defined(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_SHA1_HW_ACCEL_FAILED), "SHA1_HW_ACCEL_FAILED" },
+#endif
     { -(MBEDTLS_ERR_SHA1_BAD_INPUT_DATA), "SHA1_BAD_INPUT_DATA" },
 #endif /* MBEDTLS_SHA1_C */
 
 #if defined(MBEDTLS_SHA256_C)
+#if defined(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_SHA256_HW_ACCEL_FAILED), "SHA256_HW_ACCEL_FAILED" },
+#endif
     { -(MBEDTLS_ERR_SHA256_BAD_INPUT_DATA), "SHA256_BAD_INPUT_DATA" },
 #endif /* MBEDTLS_SHA256_C */
 
 #if defined(MBEDTLS_SHA512_C)
+#if defined(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED)
     { -(MBEDTLS_ERR_SHA512_HW_ACCEL_FAILED), "SHA512_HW_ACCEL_FAILED" },
+#endif
     { -(MBEDTLS_ERR_SHA512_BAD_INPUT_DATA), "SHA512_BAD_INPUT_DATA" },
 #endif /* MBEDTLS_SHA512_C */
 

ports/espressif/Makefile

@@ -146,6 +146,7 @@ CFLAGS += \
 	-DHAVE_CONFIG_H \
 	-DESP_PLATFORM=1 \
 	-DMBEDTLS_CONFIG_FILE=\"mbedtls/esp_config.h\" \
+	-DMBEDTLS_PADLOCK_FILE=\"ports/espressif/esp-idf/components/mbedtls/mbedtls/library/padlock.h\" \
 	-DUNITY_INCLUDE_CONFIG_H -DWITH_POSIX
 
 # Make our canary value match FreeRTOS's
@@ -285,6 +286,8 @@ SRC_C += \
 	peripherals/i2c.c \
 	peripherals/$(IDF_TARGET)/pins.c
 
+SRC_C += lib/mbedtls_config/crt_bundle.c
+
 SRC_C += $(wildcard common-hal/espidf/*.c)
 
 ifneq ($(CIRCUITPY_ESP_USB_SERIAL_JTAG),0)

ports/espressif/common-hal/socketpool/Socket.c

@@ -32,7 +32,7 @@
 #include "py/runtime.h"
 #include "shared-bindings/socketpool/SocketPool.h"
 #include "shared-bindings/ssl/SSLSocket.h"
-#include "common-hal/ssl/SSLSocket.h"
+#include "shared-module/ssl/SSLSocket.h"
 #include "supervisor/port.h"
 #include "supervisor/shared/tick.h"
 #include "supervisor/workflow.h"

ports/espressif/common-hal/socketpool/Socket.h

@@ -29,7 +29,6 @@
 #include "py/obj.h"
 
 #include "common-hal/socketpool/SocketPool.h"
-#include "common-hal/ssl/SSLContext.h"
 
 #include "components/esp-tls/esp_tls.h"
 #include "components/lwip/lwip/src/include/lwip/sockets.h"