From d7090b4d52c1874eb3383e2d6223ea6911f3fc49 Mon Sep 17 00:00:00 2001
From: Laukik Hase <laukik.hase@espressif.com>
Date: Mon, 28 Mar 2022 17:34:38 +0530
Subject: [PATCH] https_server: Add config option to min. cert. auth mode -
 Added a config option to set the minimum Certificate Verification   mode to
 Optional - When this option is enabled, the peer (the client) certificate  
 is checked by the server, however the handshake continues even if  
 verification failed. - By default, the peer certificate is not checked and
 ignored by the server.

Closes https://github.com/espressif/esp-idf/issues/8664
---
 components/esp-tls/Kconfig                    | 29 +++++++++++--------
 components/esp-tls/esp_tls_mbedtls.c          |  4 +++
 .../simple/main/Kconfig.projbuild             |  1 +
 .../protocols/https_server/simple/main/main.c | 20 ++++++++++---
 4 files changed, 38 insertions(+), 16 deletions(-)

diff --git a/components/esp-tls/Kconfig b/components/esp-tls/Kconfig
index 03db196e88..afd38d22a9 100644
--- a/components/esp-tls/Kconfig
+++ b/components/esp-tls/Kconfig
@@ -19,7 +19,6 @@ menu "ESP-TLS"
         select ATCA_MBEDTLS_ECDSA
         select ATCA_MBEDTLS_ECDSA_SIGN
         select ATCA_MBEDTLS_ECDSA_VERIFY
-        default n
         help
             Enable use of Secure Element for ESP-TLS, this enables internal support for
             ATECC608A peripheral on ESPWROOM32SE, which can be used for TLS connection.
@@ -33,24 +32,21 @@ menu "ESP-TLS"
             can only be used when it is appropriately configured for TLS.
             Consult the ESP-TLS documentation in ESP-IDF Programming Guide for more details.
 
+    config ESP_TLS_CLIENT_SESSION_TICKETS
+        bool "Enable client session tickets"
+        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
+        help
+            Enable session ticket support as specified in RFC5077.
+
     config ESP_TLS_SERVER
         bool "Enable ESP-TLS Server"
-        default n
         help
             Enable support for creating server side SSL/TLS session, available for mbedTLS
             as well as wolfSSL TLS library.
 
-    config ESP_TLS_CLIENT_SESSION_TICKETS
-        bool "Enable client session tickets"
-        depends on ESP_TLS_USING_MBEDTLS && MBEDTLS_CLIENT_SSL_SESSION_TICKETS
-        default n
-        help
-            Enable session ticket support as specified in RFC5077.
-
     config ESP_TLS_SERVER_SESSION_TICKETS
         bool "Enable server session tickets"
         depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS && MBEDTLS_SERVER_SSL_SESSION_TICKETS
-        default n
         help
             Enable session ticket support as specified in RFC5077
 
@@ -61,6 +57,17 @@ menu "ESP-TLS"
         help
             Sets the session ticket timeout used in the tls server.
 
+    config ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
+        bool "ESP-TLS Server: Set minimum Certificate Verification mode to Optional"
+        depends on ESP_TLS_SERVER && ESP_TLS_USING_MBEDTLS
+        help
+            When this option is enabled, the peer (here, the client) certificate is checked by the server,
+            however the handshake continues even if verification failed. By default, the
+            peer certificate is not checked and ignored by the server.
+
+            mbedtls_ssl_get_verify_result() can be called after the handshake is complete to
+            retrieve status of verification.
+
     config ESP_TLS_PSK_VERIFICATION
         bool "Enable PSK verification"
         select MBEDTLS_PSK_MODES if ESP_TLS_USING_MBEDTLS
@@ -68,7 +75,6 @@ menu "ESP-TLS"
         select MBEDTLS_KEY_EXCHANGE_DHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_DHM_C
         select MBEDTLS_KEY_EXCHANGE_ECDHE_PSK if ESP_TLS_USING_MBEDTLS && MBEDTLS_ECDH_C
         select MBEDTLS_KEY_EXCHANGE_RSA_PSK if ESP_TLS_USING_MBEDTLS
-        default n
         help
             Enable support for pre shared key ciphers, supported for both mbedTLS as well as
             wolfSSL TLS library.
@@ -104,7 +110,6 @@ menu "ESP-TLS"
     config ESP_DEBUG_WOLFSSL
         bool "Enable debug logs for wolfSSL"
         depends on ESP_TLS_USING_WOLFSSL
-        default n
         help
             Enable detailed debug prints for wolfSSL SSL library.
 
diff --git a/components/esp-tls/esp_tls_mbedtls.c b/components/esp-tls/esp_tls_mbedtls.c
index 9bc6e87e4b..37a1ca8c48 100644
--- a/components/esp-tls/esp_tls_mbedtls.c
+++ b/components/esp-tls/esp_tls_mbedtls.c
@@ -509,7 +509,11 @@ esp_err_t set_server_config(esp_tls_cfg_server_t *cfg, esp_tls_t *tls)
             return esp_ret;
         }
     } else {
+#ifdef CONFIG_ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
         mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+#else
+        mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
+#endif
     }
 
     if (cfg->use_secure_element) {
diff --git a/examples/protocols/https_server/simple/main/Kconfig.projbuild b/examples/protocols/https_server/simple/main/Kconfig.projbuild
index 462905e413..23a891cd59 100644
--- a/examples/protocols/https_server/simple/main/Kconfig.projbuild
+++ b/examples/protocols/https_server/simple/main/Kconfig.projbuild
@@ -2,6 +2,7 @@ menu "Example Configuration"
 
     config EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
         bool "Enable user callback with HTTPS Server"
+        select ESP_TLS_SERVER_MIN_AUTH_MODE_OPTIONAL
         help
             Enable user callback for esp_https_server which can be used to get SSL context (connection information)
             E.g. Certificate of the connected client
diff --git a/examples/protocols/https_server/simple/main/main.c b/examples/protocols/https_server/simple/main/main.c
index bb6074e032..8d4c852c1d 100644
--- a/examples/protocols/https_server/simple/main/main.c
+++ b/examples/protocols/https_server/simple/main/main.c
@@ -41,12 +41,20 @@ static esp_err_t root_get_handler(httpd_req_t *req)
  * whenever a new SSL connection is created
  *
  * Can also be used to other information like Socket FD, Connection state, etc.
+ *
+ * NOTE: This callback will not be able to obtain the client certificate if the
+ * following config `Set minimum Certificate Verification mode to Optional` is
+ * not enabled (enabled by default in this example).
+ *
+ * The config option is found here - Component config → ESP-TLS
+ *
  */
 void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
 {
     ESP_LOGI(TAG, "Session Created!");
-    const mbedtls_x509_crt *cert;
+    ESP_LOGI(TAG, "Socket FD: %d", user_cb->tls->sockfd);
 
+    const mbedtls_x509_crt *cert;
     const size_t buf_size = 1024;
     char *buf = calloc(buf_size, sizeof(char));
     if (buf == NULL) {
@@ -54,9 +62,13 @@ void https_server_user_callback(esp_https_server_user_cb_arg_t *user_cb)
         return;
     }
 
+    mbedtls_x509_crt_info((char *) buf, buf_size - 1, "    ", &user_cb->tls->servercert);
+    ESP_LOGI(TAG, "Server certificate info:\n%s", buf);
+    memset(buf, 0x00, buf_size);
+
     cert = mbedtls_ssl_get_peer_cert(&user_cb->tls->ssl);
     if (cert != NULL) {
-        mbedtls_x509_crt_info((char *) buf, buf_size - 1, "      ", cert);
+        mbedtls_x509_crt_info((char *) buf, buf_size - 1, "    ", cert);
         ESP_LOGI(TAG, "Peer certificate info:\n%s", buf);
     } else {
         ESP_LOGW(TAG, "Could not obtain the peer certificate!");
@@ -91,9 +103,9 @@ static httpd_handle_t start_webserver(void)
     conf.prvtkey_pem = prvtkey_pem_start;
     conf.prvtkey_len = prvtkey_pem_end - prvtkey_pem_start;
 
-    #if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
+#if CONFIG_EXAMPLE_ENABLE_HTTPS_USER_CALLBACK
     conf.user_cb = https_server_user_callback;
-    #endif
+#endif
     esp_err_t ret = httpd_ssl_start(&server, &conf);
     if (ESP_OK != ret) {
         ESP_LOGI(TAG, "Error starting server!");