From 20a6888b4101f89ef2fc4ad5e2b4943d31926d05 Mon Sep 17 00:00:00 2001
From: Ashish Sharma
Date: Thu, 5 Feb 2026 16:31:22 +0800
Subject: [PATCH] feat(esp-tls): adds per ssl context state management
---
 .../esp-tls/private_include/esp_tls_private.h | 13 +++++------
 components/mbedtls/port/dynamic/esp_ssl_cli.c | 23 +++++++++----------
 components/mbedtls/port/dynamic/esp_ssl_srv.c | 11 +++++----
 3 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/components/esp-tls/private_include/esp_tls_private.h b/components/esp-tls/private_include/esp_tls_private.h
index e42407bd20..a90e5a26ec 100644
--- a/components/esp-tls/private_include/esp_tls_private.h
+++ b/components/esp-tls/private_include/esp_tls_private.h
@@ -6,10 +6,6 @@
 #pragma once
-/**
- * @brief ESP-TLS Connection Handle
- */
-
 #include
 #include
 #include
@@ -23,12 +19,15 @@
 #include "mbedtls/error.h"
 #ifdef CONFIG_ESP_TLS_SERVER_SESSION_TICKETS
 #include "mbedtls/ssl_ticket.h"
-#endif
+#endif /* CONFIG_ESP_TLS_SERVER_SESSION_TICKETS */
 #ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
 #include "psa/crypto.h"
-#endif
-#endif
+#endif /* CONFIG_MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif /* CONFIG_ESP_TLS_USING_MBEDTLS */
+/**
+ * @brief ESP-TLS Connection Handle
+ */
 struct esp_tls {
 #ifdef CONFIG_ESP_TLS_USING_MBEDTLS
 mbedtls_ssl_context ssl; /*!< TLS/SSL context */
diff --git a/components/mbedtls/port/dynamic/esp_ssl_cli.c b/components/mbedtls/port/dynamic/esp_ssl_cli.c
index 52e3ef925b..06e51aea73 100644
--- a/components/mbedtls/port/dynamic/esp_ssl_cli.c
+++ b/components/mbedtls/port/dynamic/esp_ssl_cli.c
@@ -17,13 +17,9 @@ int __wrap_mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
 static const char *TAG = "SSL client";
-static int manage_resource(mbedtls_ssl_context *ssl, bool add)
+static int manage_resource(mbedtls_ssl_context *ssl, bool add, int prev_state)
 {
- static _Thread_local int last_state = 0;
- int state = add ? ssl->MBEDTLS_PRIVATE(state) : last_state;
- if (add) {
- last_state = state;
- }
+ int state = add ? ssl->MBEDTLS_PRIVATE(state) : prev_state;
 if (mbedtls_ssl_is_handshake_over(ssl) || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
 return 0;
@@ -264,33 +260,36 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
 int __wrap_mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
 {
- CHECK_OK(manage_resource(ssl, true));
+ int prev_state = ssl->MBEDTLS_PRIVATE(state);
+ CHECK_OK(manage_resource(ssl, true, prev_state));
 CHECK_OK(__real_mbedtls_ssl_handshake_client_step(ssl));
- CHECK_OK(manage_resource(ssl, false));
+ CHECK_OK(manage_resource(ssl, false, prev_state));
 return 0;
 }
 int __wrap_mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
 {
- CHECK_OK(manage_resource(ssl, true));
+ int prev_state = ssl->MBEDTLS_PRIVATE(state);
+ CHECK_OK(manage_resource(ssl, true, prev_state));
 CHECK_OK(__real_mbedtls_ssl_tls13_handshake_client_step(ssl));
- CHECK_OK(manage_resource(ssl, false));
+ CHECK_OK(manage_resource(ssl, false, prev_state));
 return 0;
 }
 int __wrap_mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl)
 {
- CHECK_OK(manage_resource(ssl, true));
+ int prev_state = ssl->MBEDTLS_PRIVATE(state);
+ CHECK_OK(manage_resource(ssl, true, prev_state));
 CHECK_OK(__real_mbedtls_ssl_write_client_hello(ssl));
- CHECK_OK(manage_resource(ssl, false));
+ CHECK_OK(manage_resource(ssl, false, prev_state));
 return 0;
 }
diff --git a/components/mbedtls/port/dynamic/esp_ssl_srv.c b/components/mbedtls/port/dynamic/esp_ssl_srv.c
index d200009226..9c50894fa7 100644
--- a/components/mbedtls/port/dynamic/esp_ssl_srv.c
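Review bot: The new `prev_state` parameter of manage_resource carries no comment stating the contract the wrappers depend on — that it is the value `ssl->MBEDTLS_PRIVATE(state)` held immediately before the real handshake step ran, so the release call frees exactly what the matching acquire call obtained for this context rather than whatever another context on the same thread last touched. Because every caller in this patch captures prev_state right before the `add` call, the ternary `add ? ssl->MBEDTLS_PRIVATE(state) : prev_state` yields the same value on both branches; that is harmless, but a reader will wonder when the two can differ. I would put above the signature: `/* add == true: acquire the buffers needed for ssl->state, the state about to run; add == false: release those of prev_state, the state the caller captured before the step, so an acquire/release pair always refers to the same state of the same context. */` The body of manage_resource continues past the end of the hunk.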
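Review bot: The three wrappers in the `@@ -264,33 +260,36 @@` hunk now repeat the same four-statement sequence verbatim (capture state, acquire, real step, release), so a future change to the capture rule has to be made three times and can drift. A single static helper that takes the real step as a function pointer keeps the wrappers to one line each while preserving CHECK_OK's early-return behaviour; the `__real_*` prototypes are presumably declared earlier in the file, as the `__wrap_*` one visible in the first hunk header is. The same helper could be reused by the server wrapper in esp_ssl_srv.c if the two files ever share a header.
```c
/* Acquire the buffers for the current state, run one real handshake step,
 * then release them, both keyed on the state captured before the step. */
static int step_with_resources(mbedtls_ssl_context *ssl,
                               int (*real_step)(mbedtls_ssl_context *))
{
    int prev_state = ssl->MBEDTLS_PRIVATE(state);
    CHECK_OK(manage_resource(ssl, true, prev_state));
    CHECK_OK(real_step(ssl));
    CHECK_OK(manage_resource(ssl, false, prev_state));
    return 0;
}

int __wrap_mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
{
    return step_with_resources(ssl, __real_mbedtls_ssl_handshake_client_step);
}
/* … unchanged in shape: the tls13_handshake_client_step and write_client_hello wrappers become the same one-line call … */
```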
+++ b/components/mbedtls/port/dynamic/esp_ssl_srv.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2020-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2020-2026 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -29,9 +29,9 @@ static bool ssl_ciphersuite_uses_rsa_key_ex(mbedtls_ssl_context *ssl)
 }
 #endif
-static int manage_resource(mbedtls_ssl_context *ssl, bool add)
+static int manage_resource(mbedtls_ssl_context *ssl, bool add, int prev_state)
 {
- int state = add ? ssl->MBEDTLS_PRIVATE(state) : ssl->MBEDTLS_PRIVATE(state) - 1;
+ int state = add ? ssl->MBEDTLS_PRIVATE(state) : prev_state;
 if (mbedtls_ssl_is_handshake_over(ssl) || ssl->MBEDTLS_PRIVATE(handshake) == NULL) {
 return 0;
@@ -207,11 +207,12 @@ static int manage_resource(mbedtls_ssl_context *ssl, bool add)
 int __wrap_mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
 {
- CHECK_OK(manage_resource(ssl, true));
+ int prev_state = ssl->MBEDTLS_PRIVATE(state);
+ CHECK_OK(manage_resource(ssl, true, prev_state));
 CHECK_OK(__real_mbedtls_ssl_handshake_server_step(ssl));
- CHECK_OK(manage_resource(ssl, false));
+ CHECK_OK(manage_resource(ssl, false, prev_state));
 return 0;
 }
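Review bot: Replacing `ssl->MBEDTLS_PRIVATE(state) - 1` with the caller-captured `prev_state` in the `@@ -29,9 +29,9 @@` hunk changes which state is released when a server step returns success without advancing the state machine: the old expression freed the state before the current one, the new one frees the state that just ran, which in that case is still the current state. I cannot tell from this hunk whether any server state handler returns 0 without advancing, so this should be checked against the handlers before merging; if every successful step advances, the new form is strictly better, since it also handles steps that skip states, which the `- 1` form never did. Either way the assumption deserves a comment on the new line, e.g. `/* prev_state is the state the step just executed; only reached after a successful step, so it is no longer the current state */`. The body of manage_resource continues past the end of the hunk.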