mbedtls: Add mbedTLS backend support

CMakeLists.txt

@@ -170,7 +170,6 @@ endif()
 
 if (LWS_WITH_ESP32)
  set(LWS_WITH_SHARED OFF)
- set(LWS_WITH_SSL ON)
  set(LWS_USE_MBEDTLS ON)
   # set(LWS_WITHOUT_CLIENT ON)
  set(LWS_WITHOUT_TESTAPPS ON)
@@ -595,22 +594,35 @@ if (NOT LWS_WITHOUT_CLIENT)
 		lib/client-parser.c)
 endif()
 
-if (LWS_WITH_SSL)
-	list(APPEND SOURCES
-		lib/ssl.c)
-		
-	if (NOT LWS_WITHOUT_SERVER)
-		list(APPEND SOURCES
-		lib/ssl-server.c)
-	endif()
-	if (NOT LWS_WITHOUT_CLIENT)
-		list(APPEND SOURCES
-		lib/ssl-client.c)
-	endif()
-endif()
+if (LWS_USE_MBEDTLS)
+ 	set(LWS_WITH_SSL ON)
+
+	list(APPEND HDR_PRIVATE
+		lib/mbedtls_wrapper/include/internal/ssl3.h
+		lib/mbedtls_wrapper/include/internal/ssl_cert.h
+		lib/mbedtls_wrapper/include/internal/ssl_code.h
+		lib/mbedtls_wrapper/include/internal/ssl_dbg.h
+		lib/mbedtls_wrapper/include/internal/ssl_lib.h
+		lib/mbedtls_wrapper/include/internal/ssl_methods.h
+		lib/mbedtls_wrapper/include/internal/ssl_pkey.h
+		lib/mbedtls_wrapper/include/internal/ssl_stack.h
+		lib/mbedtls_wrapper/include/internal/ssl_types.h
+		lib/mbedtls_wrapper/include/internal/ssl_x509.h
+		lib/mbedtls_wrapper/include/internal/tls1.h
+		lib/mbedtls_wrapper/include/internal/x509_vfy.h)
+
+	list(APPEND HDR_PRIVATE
+		lib/mbedtls_wrapper/include/openssl/ssl.h)
+
+	list(APPEND HDR_PRIVATE
+		lib/mbedtls_wrapper/include/platform/ssl_pm.h
+		lib/mbedtls_wrapper/include/platform/ssl_port.h)
+
+	include_directories(lib/mbedtls_wrapper/include)
+	include_directories(lib/mbedtls_wrapper/include/platform)
+	include_directories(lib/mbedtls_wrapper/include/internal)
+	include_directories(lib/mbedtls_wrapper/include/openssl)
 
-if (LWS_WITH_MBEDTLS)
-	#	list(APPEND HDR_PRIVATE)
 	list(APPEND SOURCES
 		lib/mbedtls_wrapper/library/ssl_cert.c
 		lib/mbedtls_wrapper/library/ssl_lib.c
@@ -624,6 +636,19 @@ if (LWS_WITH_MBEDTLS)
 		lib/mbedtls_wrapper/platform/ssl_port.c)
 endif()
 
+if (LWS_WITH_SSL)
+	list(APPEND SOURCES
+		lib/ssl.c)
+		
+	if (NOT LWS_WITHOUT_SERVER)
+		list(APPEND SOURCES
+		lib/ssl-server.c)
+	endif()
+	if (NOT LWS_WITHOUT_CLIENT)
+		list(APPEND SOURCES
+		lib/ssl-client.c)
+	endif()
+endif()
 
 if (NOT LWS_WITHOUT_BUILTIN_SHA1)
 	list(APPEND SOURCES
@@ -1087,7 +1112,7 @@ set(CMAKE_REQUIRED_LIBRARIES ${LIB_LIST})
 CHECK_FUNCTION_EXISTS(SSL_CTX_set1_param LWS_HAVE_SSL_CTX_set1_param)
 CHECK_FUNCTION_EXISTS(SSL_set_info_callback LWS_HAVE_SSL_SET_INFO_CALLBACK)
 CHECK_FUNCTION_EXISTS(X509_VERIFY_PARAM_set1_host LWS_HAVE_X509_VERIFY_PARAM_set1_host)
-if (LWS_WITH_ESP32)
+if (LWS_USE_MBEDTLS)
 	set(LWS_HAVE_TLS_CLIENT_METHOD 1)
 else()
 CHECK_FUNCTION_EXISTS(TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD)

lib/libwebsockets.h

@@ -204,7 +204,7 @@ typedef unsigned long long lws_intptr_t;
 #endif /* not USE_OLD_CYASSL */
 #else
 #include <openssl/ssl.h>
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 #include <openssl/err.h>
 #endif
 #endif /* not USE_WOLFSSL */

lib/mbedtls_wrapper/include/internal/ssl_dbg.h

@@ -15,7 +15,6 @@
 #ifndef _SSL_DEBUG_H_
 #define _SSL_DEBUG_H_
 
-#include "platform/ssl_opt.h"
 #include "platform/ssl_port.h"
 
 #ifdef __cplusplus

lib/mbedtls_wrapper/include/internal/ssl_x509.h

@@ -101,6 +101,8 @@ int SSL_add_client_CA(SSL *ssl, X509 *x);
  */
 int SSL_use_certificate_ASN1(SSL *ssl, int len, const unsigned char *d);
 
+const char *X509_verify_cert_error_string(long n);
+
 #ifdef __cplusplus
 }
 #endif

lib/mbedtls_wrapper/include/internal/x509_vfy.h

@@ -104,6 +104,11 @@
 
 #define         X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION         72
 
+typedef void X509_STORE_CTX;
+int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
+int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
+
+
 #ifdef __cplusplus
 }
 #endif

lib/mbedtls_wrapper/include/openssl/ssl.h

@@ -19,6 +19,7 @@
  extern "C" {
 #endif
 
+#include <stdlib.h>
 #include "internal/ssl_x509.h"
 #include "internal/ssl_pkey.h"
 
@@ -26,6 +27,7 @@
 {
 */
 
+#define SSL_CB_ALERT 0x4000
 /**
  * @brief create a SSL context
  *

lib/mbedtls_wrapper/include/platform/ssl_opt.h

@@ -1,20 +0,0 @@
-// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-#ifndef _SSL_OPT_H_
-#define _SSL_OPT_H_
-
-#include "sdkconfig.h"
-
-#endif

lib/mbedtls_wrapper/include/platform/ssl_port.h

@@ -19,8 +19,10 @@
  extern "C" {
 #endif
 
+/*
 #include "esp_types.h"
 #include "esp_log.h"
+*/
 #include "string.h"
 #include "malloc.h"
 

lib/mbedtls_wrapper/library/ssl_lib.c

@@ -1554,3 +1554,26 @@ void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_C
     ssl->verify_mode = mode;
     ssl->verify_callback = verify_callback;
 }
+
+void ERR_error_string_n(unsigned long e, char *buf, size_t len)
+{
+	strncpy(buf, "unknown", len);
+}
+
+void ERR_free_strings(void)
+{
+}
+
+char *ERR_error_string(unsigned long e, char *buf)
+{
+	if (buf) {
+		strcpy(buf, "unknown");
+	}
+
+	return "unknown";
+}
+
+void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
+{
+	return NULL;
+}

lib/mbedtls_wrapper/library/ssl_x509.c

@@ -283,3 +283,17 @@ X509 *SSL_get_peer_certificate(const SSL *ssl)
     return ssl->session->peer;
 }
 
+int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
+{
+	return X509_V_ERR_UNSPECIFIED;
+}
+
+int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
+{
+	return 0;
+}
+
+const char *X509_verify_cert_error_string(long n)
+{
+	return "unknown";
+}

lib/mbedtls_wrapper/platform/ssl_pm.c

@@ -18,7 +18,7 @@
 
 /* mbedtls include */
 #include "mbedtls/platform.h"
-#include "mbedtls/net.h"
+#include "mbedtls/net_sockets.h"
 #include "mbedtls/debug.h"
 #include "mbedtls/entropy.h"
 #include "mbedtls/ctr_drbg.h"

lib/private-libwebsockets.h

@@ -274,7 +274,7 @@ lws_plat_get_peer_simple(struct lws *wsi, char *name, int namelen);
 #endif /* not USE_OLD_CYASSL */
 #else
 #include <openssl/ssl.h>
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 #include <openssl/evp.h>
 #include <openssl/err.h>
 #include <openssl/md5.h>

lib/ssl-client.c

@@ -35,7 +35,7 @@ extern int lws_ssl_get_error(struct lws *wsi, int n);
 static int
 OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
-#if defined(LWS_WITH_ESP32)
+#if defined(LWS_USE_MBEDTLS)
 //	long gvr = ssl_pm_get_verify_result(
 	lwsl_notice("%s\n", __func__);
 
@@ -149,14 +149,14 @@ lws_ssl_client_bio_create(struct lws *wsi)
 
 #endif
 
-#if !defined(USE_WOLFSSL) && !defined(LWS_WITH_ESP32)
+#if !defined(USE_WOLFSSL) && !defined(LWS_USE_MBEDTLS)
 #ifndef USE_OLD_CYASSL
 	/* OpenSSL_client_verify_callback will be called @ SSL_connect() */
 	SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
 #endif
 #endif
 
-#if !defined(USE_WOLFSSL) && !defined(LWS_WITH_ESP32)
+#if !defined(USE_WOLFSSL) && !defined(LWS_USE_MBEDTLS)
 	SSL_set_mode(wsi->ssl,  SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
 #endif
 	/*
@@ -174,7 +174,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
 #endif
 #endif
 #else
-#if defined(LWS_WITH_ESP32)
+#if defined(LWS_USE_MBEDTLS)
 // esp-idf openssl shim does not seem ready for this
 //	SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
 	SSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, OpenSSL_client_verify_callback);
@@ -203,7 +203,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
 #endif
 #endif /* USE_WOLFSSL */
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	wsi->client_bio = BIO_new_socket(wsi->desc.sockfd, BIO_NOCLOSE);
 	SSL_set_bio(wsi->ssl, wsi->client_bio, wsi->client_bio);
 #else
@@ -217,12 +217,12 @@ lws_ssl_client_bio_create(struct lws *wsi)
 	wolfSSL_set_using_nonblock(wsi->ssl, 1);
 #endif
 #else
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	BIO_set_nbio(wsi->client_bio, 1); /* nonblocking */
 #endif
 #endif
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	SSL_set_ex_data(wsi->ssl, openssl_websocket_private_data_index,
 			wsi);
 #endif
@@ -230,7 +230,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
 	return 0;
 }
 
-#if defined(LWS_WITH_ESP32)
+#if defined(LWS_USE_MBEDTLS)
 int ERR_get_error(void)
 {
 	return 0;
@@ -377,7 +377,7 @@ lws_ssl_client_connect2(struct lws *wsi)
 		}
 	}
 
-#if defined(LWS_WITH_ESP32)
+#if defined(LWS_USE_MBEDTLS)
 	{
 		X509 *peer = SSL_get_peer_certificate(wsi->ssl);
 
@@ -434,7 +434,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
 	SSL_METHOD *method = NULL;
 	struct lws wsi;
 	unsigned long error;
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	const char *cipher_list = info->ssl_cipher_list;
 	const char *ca_filepath = info->ssl_ca_filepath;
 	const char *private_key_filepath = info->ssl_private_key_filepath;
@@ -502,7 +502,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
 	SSL_CTX_set_options(vhost->ssl_client_ctx, SSL_OP_NO_COMPRESSION);
 #endif
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	SSL_CTX_set_options(vhost->ssl_client_ctx,
 			    SSL_OP_CIPHER_SERVER_PREFERENCE);
 
@@ -541,7 +541,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
 	 * callback allowing user code to load extra verification certs
 	 * helping the client to verify server identity
 	 */
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 
 	/* support for client-side certificate authentication */
 	if (cert_filepath) {

lib/ssl-server.c

@@ -27,7 +27,7 @@ extern int openssl_websocket_private_data_index,
 extern void
 lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info);
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 static int
 OpenSSL_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
 {
@@ -130,7 +130,7 @@ lws_context_ssl_init_ecdh_curve(struct lws_context_creation_info *info,
 
 	lwsl_notice(" SSL ECDH curve '%s'\n", ecdh_curve);
 #else
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	lwsl_notice(" OpenSSL doesn't support ECDH\n");
 #endif
 #endif
@@ -230,7 +230,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 	 * versions", compared to e.g. TLSv1_2_server_method() which only allows
 	 * tlsv1.2. Unwanted versions must be disabled using SSL_CTX_set_options()
 	 */
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	{
 		SSL_METHOD *method;
 
@@ -263,7 +263,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 
 	}
 #endif
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 
 	/* associate the lws context with the SSL_CTX */
 
@@ -292,7 +292,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 				   LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
 			verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 		SSL_CTX_set_session_id_context(vhost->ssl_ctx,
 				(unsigned char *)context, sizeof(void *));
 
@@ -312,7 +312,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 	 * give user code a chance to load certs into the server
 	 * allowing it to verify incoming client certs
 	 */
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	if (info->ssl_ca_filepath &&
 	    !SSL_CTX_load_verify_locations(vhost->ssl_ctx,
 					   info->ssl_ca_filepath, NULL)) {
@@ -346,7 +346,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 
 	if (vhost->use_ssl) {
 		/* openssl init for server sockets */
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 		/* set the local certificate from CertFile */
 		n = SSL_CTX_use_certificate_chain_file(vhost->ssl_ctx,
 					info->ssl_cert_filepath);
@@ -377,6 +377,10 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 			lwsl_err("Problem loading cert\n");
 			return 1;
 		}
+#if !defined(LWS_WITH_ESP32)
+		free(p);
+		p = NULL;
+#endif
 
 		if (alloc_pem_to_der_file(vhost->context,
 			       info->ssl_private_key_filepath, &p, &flen)) {
@@ -392,10 +396,13 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 			return 1;
 		}
 
-//		free(p);
+#if !defined(LWS_WITH_ESP32)
+		free(p);
+		p = NULL;
+#endif
 #endif
 		if (info->ssl_private_key_filepath != NULL) {
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 			/* set the private key from KeyFile */
 			if (SSL_CTX_use_PrivateKey_file(vhost->ssl_ctx,
 				     info->ssl_private_key_filepath,
@@ -416,7 +423,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
 
 				return 1;
 			}
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 		/* verify private key */
 		if (!SSL_CTX_check_private_key(vhost->ssl_ctx)) {
 			lwsl_err("Private SSL key doesn't match cert\n");

lib/ssl.c

@@ -54,6 +54,7 @@ bail:
 	return ret;
 }
 
+#if defined(LWS_USE_MBEDTLS)
 #if defined(LWS_WITH_ESP32)
 int alloc_file(struct lws_context *context, const char *filename, uint8_t **buf,
 	       lws_filepos_t *amount)
@@ -85,6 +86,56 @@ bail:
 
 	return n;
 }
+#else
+int alloc_file(struct lws_context *context, const char *filename, uint8_t **buf,
+		lws_filepos_t *amount)
+{
+	FILE *f;
+	size_t s;
+	int n = 0;
+
+	f =fopen(filename, "rb");
+	if (f == NULL) {
+		n = 1;
+		goto bail;
+	}
+
+	if (fseek(f, 0, SEEK_END) != 0) {
+		n = 1;
+		goto bail;
+	}
+
+	s = ftell(f);
+	if (s == -1) {
+		n = 1;
+		goto bail;
+	}
+
+	if (fseek(f, 0, SEEK_SET) != 0) {
+		n = 1;
+		goto bail;
+	}
+
+	*buf = malloc(s);
+	if (!*buf) {
+		n = 2;
+		goto bail;
+	}
+
+	if (fread(*buf, s, 1, f) != 1) {
+		free(*buf);
+		n = 1;
+		goto bail;
+	}
+
+	*amount = s;
+
+bail:
+	fclose(f);
+	return n;
+
+}
+#endif
 int alloc_pem_to_der_file(struct lws_context *context, const char *filename, uint8_t **buf,
 	       lws_filepos_t *amount)
 {
@@ -199,7 +250,7 @@ char* lws_ssl_get_error_string(int status, int ret, char *buf, size_t len) {
 void
 lws_ssl_elaborate_error(void)
 {
-#if defined(LWS_WITH_ESP32)
+#if defined(LWS_USE_MBEDTLS)
 #else
 	char buf[256];
 	u_long err;
@@ -211,7 +262,7 @@ lws_ssl_elaborate_error(void)
 #endif
 }
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 
 static int
 lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag, void *userdata)
@@ -265,7 +316,7 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info)
 
 	lwsl_notice("Doing SSL library init\n");
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	SSL_library_init();
 	OpenSSL_add_all_algorithms();
 	SSL_load_error_strings();
@@ -291,7 +342,7 @@ lws_ssl_destroy(struct lws_vhost *vhost)
 		SSL_CTX_free(vhost->ssl_ctx);
 	if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx)
 		SSL_CTX_free(vhost->ssl_client_ctx);
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 
 // after 1.1.0 no need
 #if (OPENSSL_VERSION_NUMBER <  0x10100000)
@@ -352,7 +403,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
 	struct lws_context *context = wsi->context;
 	struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
 	int n = 0;
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 	int ssl_read_errno = 0;
 #endif
 
@@ -388,7 +439,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
 			return LWS_SSL_CAPABLE_ERROR;
 
 		if (n == SSL_ERROR_SYSCALL) {
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 			int err = ERR_get_error();
 			if (err == 0 && (ssl_read_errno == EPIPE ||
 					 ssl_read_errno == ECONNABORTED ||
@@ -483,7 +534,7 @@ LWS_VISIBLE int
 lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
 {
 	int n;
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
        	int ssl_read_errno = 0;
 #endif
 
@@ -506,7 +557,7 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
  if (n == SSL_ERROR_ZERO_RETURN)
   return LWS_SSL_CAPABLE_ERROR;
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
  if (n == SSL_ERROR_SYSCALL) {
 
   int err = ERR_get_error();
@@ -618,7 +669,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
 	struct lws_context *context = wsi->context;
 	struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
 	int n, m;
-#if !defined(USE_WOLFSSL) && !defined(LWS_WITH_ESP32)
+#if !defined(USE_WOLFSSL) && !defined(LWS_USE_MBEDTLS)
 	BIO *bio;
 #endif
         char buf[256];
@@ -661,7 +712,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
 	context->updated = 1;
 #endif
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 		SSL_set_ex_data(wsi->ssl,
 			openssl_websocket_private_data_index, wsi);
 #endif
@@ -674,7 +725,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
 		wolfSSL_set_using_nonblock(wsi->ssl, 1);
 #endif
 #else
-#if defined(LWS_WITH_ESP32)
+#if defined(LWS_USE_MBEDTLS)
 		lws_plat_set_socket_options(wsi->vhost, accept_fd);
 #else
 		SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
@@ -791,7 +842,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
 
 		m = lws_ssl_get_error(wsi, n);
 
-#if defined(LWS_WITH_ESP32)
+#if defined(LWS_USE_MBEDTLS)
 		if (m == 5 && errno == 11)
 			m = SSL_ERROR_WANT_READ;
 #endif
@@ -864,7 +915,7 @@ void
 lws_ssl_context_destroy(struct lws_context *context)
 {
 
-#if !defined(LWS_WITH_ESP32)
+#if !defined(LWS_USE_MBEDTLS)
 
 // after 1.1.0 no need
 #if (OPENSSL_VERSION_NUMBER <  0x10100000)