net: tls: Add socket option to set peer verification level

Add write only TLS secure option to set peer verification level for TLS connection. This option accepts an integer with a peer verification level, compatible with mbedtls values (0 - none, 1 - optional, 2 - required. By default, socket mimics mebdTLS behavior - (none for server, required for client). Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
zephyrproject-rtos · Jul 26, 2018 · 7826228 · 7826228
1 parent 3d560e1
commit 7826228
Show file tree

Hide file tree

Showing 2 changed files with 57 additions and 1 deletion.
diff --git a/include/net/socket.h b/include/net/socket.h
@@ -72,6 +72,16 @@ struct zsock_pollfd {
  * of chosen ciphersuite.
  */
 #define TLS_CIPHERSUITE_USED 4
+/* Write-only socket option to set peer verification level for TLS connection.
+ * This option accepts an integer with a peer verification level, compatible
+ * with mbedTLS values:
+ * 0 - none,
+ * 1 - optional
+ * 2 - required.
+ * If not set, socket will use mbedTLS defaults (none for servers, required
+ * for clients).
+ */
+#define TLS_PEER_VERIFY 5
 
 struct zsock_addrinfo {
 	struct zsock_addrinfo *ai_next;

diff --git a/subsys/net/lib/sockets/sockets_tls.c b/subsys/net/lib/sockets/sockets_tls.c
@@ -66,6 +66,9 @@ struct tls_context {
 
 		/** Information if hostname was explicitly set on a socket. */
 		bool is_hostname_set;
+
+		/** Peer verification level. */
+		s8_t verify_level;
 	} options;
 
 #if defined(CONFIG_MBEDTLS)
@@ -207,6 +210,7 @@ static struct tls_context *tls_alloc(void)
 			tls = &tls_contexts[i];
 			memset(tls, 0, sizeof(*tls));
 			tls->is_used = true;
+			tls->options.verify_level = -1;
 
 			NET_DBG("Allocated TLS context, %p", tls);
 			break;
@@ -341,7 +345,6 @@ static void tls_set_ca_chain(struct tls_context *tls)
 {
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 	mbedtls_ssl_conf_ca_chain(&tls->config, &tls->ca_chain, NULL);
-	mbedtls_ssl_conf_authmode(&tls->config, MBEDTLS_SSL_VERIFY_REQUIRED);
 	mbedtls_ssl_conf_cert_profile(&tls->config,
 				      &mbedtls_x509_crt_profile_default);
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
@@ -541,6 +544,14 @@ static int tls_mbedtls_init(struct net_context *context, bool is_server)
 		mbedtls_ssl_set_hostname(&context->tls->ssl, "");
 	}
 
+	/* If verification level was specified explicitly, set it. Otherwise,
+	 * use mbedTLS default values (required for client, none for server)
+	 */
+	if (context->tls->options.verify_level != -1) {
+		mbedtls_ssl_conf_authmode(&context->tls->config,
+					  context->tls->options.verify_level);
+	}
+
 	mbedtls_ssl_conf_rng(&context->tls->config,
 			     mbedtls_ctr_drbg_random,
 			     &tls_ctr_drbg);
@@ -696,6 +707,32 @@ static int tls_opt_ciphersuite_used_get(struct net_context *context,
 	return 0;
 }
 
+static int tls_opt_peer_verify_set(struct net_context *context,
+				   const void *optval, socklen_t optlen)
+{
+	int *peer_verify;
+
+	if (!optval) {
+		return -EFAULT;
+	}
+
+	if (optlen != sizeof(int)) {
+		return -EINVAL;
+	}
+
+	peer_verify = (int *)optval;
+
+	if (*peer_verify != MBEDTLS_SSL_VERIFY_NONE &&
+	    *peer_verify != MBEDTLS_SSL_VERIFY_OPTIONAL &&
+	    *peer_verify != MBEDTLS_SSL_VERIFY_REQUIRED) {
+		return -EINVAL;
+	}
+
+	context->tls->options.verify_level = *peer_verify;
+
+	return 0;
+}
+
 int ztls_socket(int family, int type, int proto)
 {
 	enum net_ip_protocol_secure tls_proto = 0;
@@ -1059,6 +1096,11 @@ int ztls_getsockopt(int sock, int level, int optname,
 		err = tls_opt_ciphersuite_used_get(context, optval, optlen);
 		break;
 
+	case TLS_PEER_VERIFY:
+		/* Write-only option. */
+		err = -ENOPROTOOPT;
+		break;
+
 	default:
 		err = -ENOPROTOOPT;
 		break;
@@ -1104,6 +1146,10 @@ int ztls_setsockopt(int sock, int level, int optname,
 		err = -ENOPROTOOPT;
 		break;
 
+	case TLS_PEER_VERIFY:
+		err = tls_opt_peer_verify_set(context, optval, optlen);
+		break;
+
 	default:
 		err = -ENOPROTOOPT;
 		break;