From 2da1c6c515acd62d5aff7aa000ab5847cab0cdb9 Mon Sep 17 00:00:00 2001
From: Joel Guittet
Date: Tue, 26 Sep 2023 21:47:20 +0200
Subject: [PATCH] net: add TLS_PEER_VERIFY option to zephyr net platform

---
 platform/net/zephyr/src/mender-net.c | 19 ++++++++++++++++++-
 zephyr/Kconfig                       |  7 +++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/platform/net/zephyr/src/mender-net.c b/platform/net/zephyr/src/mender-net.c
index f8062df..cd40f18 100644
--- a/platform/net/zephyr/src/mender-net.c
+++ b/platform/net/zephyr/src/mender-net.c
@@ -33,6 +33,13 @@
 #include "mender-net.h"
 #include "mender-utils.h"
 
+/**
+ * @brief Default TLS_PEER_VERIFY option
+ */
+#ifndef CONFIG_MENDER_NET_TLS_PEER_VERIFY
+#define CONFIG_MENDER_NET_TLS_PEER_VERIFY (2)
+#endif /* CONFIG_MENDER_NET_TLS_PEER_VERIFY */
+
 mender_err_t
 mender_net_get_host_port_url(char *path, char *config_host, char **host, char **port, char **url) {
 
@@ -148,7 +155,7 @@ mender_net_connect(const char *host, const char *port, int *sock) {
         goto END;
     }
 
-    /* Set SOL_TLS option */
+    /* Set TLS_HOSTNAME option */
     if ((result = setsockopt(*sock, SOL_TLS, TLS_HOSTNAME, host, strlen(host))) < 0) {
         mender_log_error("Unable to set TLS_HOSTNAME option, result = %d", result);
         close(*sock);
@@ -157,6 +164,16 @@ mender_net_connect(const char *host, const char *port, int *sock) {
         goto END;
     }
 
+    /* Set TLS_PEER_VERIFY option */
+    int verify = CONFIG_MENDER_NET_TLS_PEER_VERIFY;
+    if ((result = setsockopt(*sock, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(int))) < 0) {
+        mender_log_error("Unable to set TLS_PEER_VERIFY option, result = %d", result);
+        close(*sock);
+        *sock = -1;
+        ret = MENDER_FAIL;
+        goto END;
+    }
+
 #endif /* CONFIG_NET_SOCKETS_SOCKOPT_TLS */
 
     /* Connect to the host */
diff --git a/zephyr/Kconfig b/zephyr/Kconfig
index a8c9055..540b4d8 100755
--- a/zephyr/Kconfig
+++ b/zephyr/Kconfig
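Review bot: The fallback `#define CONFIG_MENDER_NET_TLS_PEER_VERIFY (2)` in the first hunk uses a bare number whose meaning is only clear to readers who already know Zephyr's TLS_PEER_VERIFY levels, and the `@brief` line does not say when the fallback is used. I would make the comment self-contained: `* @brief Default TLS_PEER_VERIFY option, used only when the Kconfig symbol is absent: 2 = peer certificate required and validated (TLS_PEER_VERIFY_REQUIRED in Zephyr's socket API)`. The named constant could also replace the literal if the header that defines it is already included; from this hunk alone I cannot tell, so I leave that as a suggestion.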
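Review bot: The new setsockopt call in the third hunk passes `sizeof(int)` as the option length while the value comes from the local `verify`; tying the length to the variable avoids the two drifting apart if the type is ever changed, so I would write `if ((result = setsockopt(*sock, SOL_TLS, TLS_PEER_VERIFY, &verify, sizeof(verify))) < 0) {`. The error log then prints `result`, which for a failed setsockopt is presumably just -1 with the actual cause in errno, so the message carries little diagnostic value; the TLS_HOSTNAME branch in the previous hunk has the same limitation, and I would log errno in both for consistency rather than only here. mender_net_connect begins and ends outside these hunks.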
@@ -167,6 +167,13 @@ if MENDER_MCU_CLIENT
         help
             A security tag that ROOT CA server credential will be referenced with, see tls_credential_add.
 
+    config MENDER_NET_TLS_PEER_VERIFY
+        int "TLS_PEER_VERIFY option"
+        range 0 2
+        default 2
+        help
+            Peer verification level for TLS connection.
+
     if MENDER_CLIENT_ADD_ON_TROUBLESHOOT
 
     config MENDER_WEBSOCKET_THREAD_STACK_SIZE
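Review bot: The help text `Peer verification level for TLS connection.` does not tell the user what the three values admitted by `range 0 2` mean, and in particular that 0 turns server certificate validation off entirely, which is the kind of consequence a Kconfig help should state. I would extend the help to list the levels in Zephyr's terms — 0: no verification, the server certificate is not checked; 1: optional, the certificate is checked only if the server presents one; 2: required, the default and the only level that authenticates the server — and add one sentence saying that anything below 2 leaves the client unable to detect a spoofed server, so it should only be lowered for debugging. The default of 2 is consistent with the fallback define added in mender-net.c.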