treewide: support TLS 1.3

Now that we're on ESP-IDF v5.2, TLS 1.3 is properly supported. Let's
enable it.

This requires us to increase the WAS WebSocket client task stack to
avoid a stack overflow:

***ERROR*** A stack overflow in task websocket_task has been detected.

Let's set it to the same value as the Home Assistant WS client.

It appears with TLS 1.3, the WIS nginx config forces Willow to use the
TLS_AES_256_GCM_SHA384 cipher. This is due to the
ssl_prefer_server_ciphers being enabled. I've done several torture test
runs with different combinations of ciphers. The shortest time between
AUDIO_REC_WAKEUP_END and receiving the response from Home Assistant was
120ms:

I (11:04:27.300) WILLOW/AUDIO: AUDIO_REC_WAKEUP_END
I (11:04:27.307) WILLOW/AUDIO: WIS HTTP client HTTP_STREAM_POST_REQUEST, write end chunked marker
I (11:04:27.383) WILLOW/AUDIO: WIS HTTP client HTTP_STREAM_FINISH_REQUEST
I (11:04:27.384) WILLOW/AUDIO: WIS HTTP Response = {"infer_time":66.789,"infer_speedup":29,"audio_duration":1984,"language":"en","text":"Turn off dining room."}
I (11:04:27.421) WILLOW/WAS: received text data on WebSocket: {"result":{"ok":true,"speech":"Turned off the light"}}

This was with WAS/TLS_AES_256_GCM_SHA384 and
WIS/TLS_CHACHA20_POLY1305_SHA256. With different cipher combinations.
the results were similar. In any case, the 2 ciphers used in torture
testing seem to work well.

Torture test results: 1000/1000. [WAS: AES - WIS: ChachaPoly]
Torture test results: 1000/1000. [WAS/WIS: ChachaPoly]
Torture test results: 1000/1000. [WAS/ ChachaPoly - WIS: AES]

Closes #272

Author: stintel

main/main.c

@@ -24,6 +24,10 @@
 
 #include "endpoint/hass.h"
 
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
+#include "psa/crypto.h"
+#endif
+
 #if defined(CONFIG_WILLOW_ETHERNET)
 #include "net/ethernet.h"
 #endif
@@ -125,6 +129,15 @@ void app_main(void)
         ESP_LOGE(TAG, "failed to open NVS namespace WAS: %s", esp_err_to_name(err));
         goto err_nvs;
     }
+
+#ifdef CONFIG_MBEDTLS_SSL_PROTO_TLS1_3
+    // initialize mbedtls PSA library after wifi to have entropy
+    psa_status_t status = psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        ESP_LOGE(TAG, "failed to initialize Mbed TLS PSA library, TLS will not work");
+    }
+#endif
+
     sz = sizeof(was_url);
     err = nvs_get_str(hdl_nvs, "URL", was_url, &sz);
     if (err != ESP_OK) {

main/was.c

@@ -388,6 +388,7 @@ esp_err_t init_was(void)
     const esp_websocket_client_config_t cfg_wc = {
         .buffer_size = 4096,
         .reconnect_timeout_ms = WAS_RECONNECT_TIMEOUT_MS,
+        .task_stack = 6 * 1024, // default 4 * 1024
         .uri = was_url,
         .user_agent = WILLOW_USER_AGENT,
     };

sdkconfig.defaults

@@ -107,6 +107,7 @@ CONFIG_MBEDTLS_HARDWARE_AES=y
 CONFIG_MBEDTLS_POLY1305_C=y
 # CONFIG_MBEDTLS_SSL_PROTO_TLS1 is not set
 # CONFIG_MBEDTLS_SSL_PROTO_TLS1_1 is not set
+CONFIG_MBEDTLS_SSL_PROTO_TLS1_3=y
 CONFIG_MBEDTLS_TLS_CLIENT_ONLY=y
 # CONFIG_MEDIA_PROTOCOL_LIB_ENABLE is not set
 CONFIG_PARTITION_TABLE_CUSTOM=y