esp-tls: Add support for the CERTIFICATE SELECTION HOOK. The hook has access to required information so that the application can make a more informed decision on which certificate to serve (such as alpn value, server certificate type, etc.)

Closes https://github.com/espressif/esp-idf/pull/9833 Signed-off-by: Aditya Patwardhan <aditya.patwardhan@espressif.com>
2025-08-08 04:02:27 +00:00 · 2022-09-26 16:14:09 +02:00
parent 3c18cc482c
commit e9e3dc7904
5 changed files with 123 additions and 33 deletions
--- a/components/esp_https_server/src/https_server.c
+++ b/components/esp_https_server/src/https_server.c
@@ -200,65 +200,101 @@ static httpd_ssl_ctx_t *create_secure_context(const struct httpd_ssl_config *con
    }
    esp_tls_cfg_server_t *cfg = (esp_tls_cfg_server_t *)calloc(1, sizeof(esp_tls_cfg_server_t));
    if (!cfg) {
-        free(ssl_ctx);
-        return NULL;
+        goto free_ssl_ctx;
    }

    if (config->session_tickets) {
        if ( esp_tls_cfg_server_session_tickets_init(cfg) != ESP_OK ) {
            ESP_LOGE(TAG, "Failed to init session ticket support");
-            free(ssl_ctx);
-            free(cfg);
-            return NULL;
+            goto free_cfg;
        }
    }

+    cfg->userdata = config->ssl_userdata;
+
+#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
+    cfg->cert_select_cb = config->cert_select_cb;
+#endif
+
    ssl_ctx->tls_cfg = cfg;
    ssl_ctx->user_cb = config->user_cb;

 /* cacert = CA which signs client cert, or client cert itself */
-    if(config->cacert_pem != NULL) {
+    if (config->cacert_pem != NULL && config->cacert_len > 0) {
        cfg->cacert_buf = (unsigned char *)malloc(config->cacert_len);
-        if (!cfg->cacert_buf) {
-            ESP_LOGE(TAG, "Could not allocate memory");
-            free(cfg);
-            free(ssl_ctx);
-            return NULL;
+
+        if (cfg->cacert_buf) {
+            memcpy((char *) cfg->cacert_buf, config->cacert_pem, config->cacert_len);
+            cfg->cacert_bytes = config->cacert_len;
+        } else {
+            ESP_LOGE(TAG, "Could not allocate memory for client certificate authority");
+            goto free_cfg;
        }
-        memcpy((char *)cfg->cacert_buf, config->cacert_pem, config->cacert_len);
-        cfg->cacert_bytes = config->cacert_len;
    }

 /* servercert = cert of server itself */
-    cfg->servercert_buf = (unsigned char *)malloc(config->servercert_len);
-    if (!cfg->servercert_buf) {
-        ESP_LOGE(TAG, "Could not allocate memory");
-        free((void *)cfg->cacert_buf);
-        free(cfg);
-        free(ssl_ctx);
-        return NULL;
+    if (config->servercert != NULL && config->servercert_len > 0) {
+        cfg->servercert_buf = (unsigned char *)malloc(config->servercert_len);
+
+        if (cfg->servercert_buf) {
+            memcpy((char *) cfg->servercert_buf, config->servercert, config->servercert_len);
+            cfg->servercert_bytes = config->servercert_len;
+        } else {
+            ESP_LOGE(TAG, "Could not allocate memory for server certificate");
+            goto free_cacert;
+        }
+    } else {
+#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
+        if (config->cert_select_cb == NULL) {
+#endif
+        ESP_LOGE(TAG, "No Server certificate supplied");
+        goto free_cacert;
+#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
+        } else {
+            ESP_LOGW(TAG, "Server certificate not supplied, make sure to supply it in the certificate selection hook!");
+        }
+#endif
    }
-    memcpy((char *)cfg->servercert_buf, config->servercert, config->servercert_len);
-    cfg->servercert_bytes = config->servercert_len;

    /* Pass on secure element boolean */
    cfg->use_secure_element = config->use_secure_element;
    if (!cfg->use_secure_element) {
-        cfg->serverkey_buf = (unsigned char *)malloc(config->prvtkey_len);
-        if (!cfg->serverkey_buf) {
-            ESP_LOGE(TAG, "Could not allocate memory");
-            free((void *)cfg->servercert_buf);
-            free((void *)cfg->cacert_buf);
-            free(cfg);
-            free(ssl_ctx);
-            return NULL;
+        if (config->prvtkey_pem != NULL && config->prvtkey_len > 0) {
+            cfg->serverkey_buf = (unsigned char *) malloc(config->prvtkey_len);
+
+            if (cfg->serverkey_buf) {
+                memcpy((char *) cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len);
+                cfg->serverkey_bytes = config->prvtkey_len;
+            } else {
+                ESP_LOGE(TAG, "Could not allocate memory for server key");
+                goto free_servercert;
+            }
+        } else {
+#if defined(CONFIG_ESP_TLS_SERVER_CERT_SELECT_HOOK)
+            if (config->cert_select_cb == NULL) {
+                ESP_LOGE(TAG, "No Server key supplied and no certificate selection hook is present");
+                goto free_servercert;
+            } else {
+                ESP_LOGW(TAG, "Server key not supplied, make sure to supply it in the certificate selection hook");
+            }
+#else
+            ESP_LOGE(TAG, "No Server key supplied");
+            goto free_servercert;
+#endif
        }
    }

-    memcpy((char *)cfg->serverkey_buf, config->prvtkey_pem, config->prvtkey_len);
-    cfg->serverkey_bytes = config->prvtkey_len;
-
    return ssl_ctx;
+
+free_servercert:
+    free((void *) cfg->servercert_buf);
+free_cacert:
+    free((void *) cfg->cacert_buf);
+free_cfg:
+    free(cfg);
+free_ssl_ctx:
+    free(ssl_ctx);
+    return NULL;
 }

 /** Start the server */