From 559cd57ea653890f4cbe0bee7a6725e8975f036b Mon Sep 17 00:00:00 2001
From: Maximilian Schmidt <maximilian@schmidt.so>
Date: Tue, 3 Dec 2019 12:22:06 +0100
Subject: [PATCH 1/2] Support MutualAuthentication in HTTPsServer

---
 .../include/esp_https_server.h                |  8 ++++++++
 .../esp_https_server/src/https_server.c       | 19 ++++++++++++++++---
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/components/esp_https_server/include/esp_https_server.h b/components/esp_https_server/include/esp_https_server.h
index d41b36245..ad2ef1f15 100644
--- a/components/esp_https_server/include/esp_https_server.h
+++ b/components/esp_https_server/include/esp_https_server.h
@@ -47,6 +47,12 @@ struct httpd_ssl_config {
     /** CA certificate byte length */
     size_t cacert_len;
 
+    /** Server certificate */
+    const uint8_t *servercert_pem;
+
+    /** Server certificate byte length */
+    size_t servercert_len;
+
     /** Private key */
     const uint8_t *prvtkey_pem;
 
@@ -100,6 +106,8 @@ typedef struct httpd_ssl_config httpd_ssl_config_t;
     },                                            \
     .cacert_pem = NULL,                           \
     .cacert_len = 0,                              \
+    .servercert_pem = NULL,                       \
+    .servercert_len = 0,                          \
     .prvtkey_pem = NULL,                          \
     .prvtkey_len = 0,                             \
     .transport_mode = HTTPD_SSL_TRANSPORT_SECURE, \
diff --git a/components/esp_https_server/src/https_server.c b/components/esp_https_server/src/https_server.c
index 47c2abcb0..4d2d3ccc6 100644
--- a/components/esp_https_server/src/https_server.c
+++ b/components/esp_https_server/src/https_server.c
@@ -135,6 +135,9 @@ static void free_secure_context(void *ctx)
     assert(ctx != NULL);
     esp_tls_cfg_server_t *cfg = (esp_tls_cfg_server_t *)ctx;
     ESP_LOGI(TAG, "Server shuts down, releasing SSL context");
+    if (cfg->cacert_buf) {
+        free((void *)cfg->cacert_buf);
+    }
     if (cfg->servercert_buf) {
         free((void *)cfg->servercert_buf);
     }
@@ -150,17 +153,27 @@ static esp_tls_cfg_server_t *create_secure_context(const struct httpd_ssl_config
     if (!cfg) {
         return NULL;
     }
-    cfg->servercert_buf = (unsigned char *)malloc(config->cacert_len);
-    if (!cfg->servercert_buf) {
+    cfg->cacert_buf = (unsigned char *)malloc(config->cacert_len);
+    if (!cfg->cacert_buf) {
         free(cfg);
         return NULL;
     }
-    memcpy((char *)cfg->servercert_buf, config->cacert_pem, config->cacert_len);
+    memcpy((char *)cfg->cacert_buf, config->cacert_pem, config->cacert_len);
+    cfg->cacert_bytes = config->cacert_len;
+
+    cfg->servercert_buf = (unsigned char *)malloc(config->cacert_len);
+    if (!cfg->servercert_buf) {
+        free((void *)cfg->cacert_buf);
+        free(cfg);
+        return NULL;
+    }
+    memcpy((char *)cfg->servercert_buf, config->servercert_pem, config->servercert_len);
     cfg->servercert_bytes = config->cacert_len;
 
     cfg->serverkey_buf = (unsigned char *)malloc(config->prvtkey_len);
     if (!cfg->serverkey_buf) {
         free((void *)cfg->servercert_buf);
+        free((void *)cfg->cacert_buf);
         free(cfg);
         return NULL;
     }

From cc0eec52ffca5154cdd9e766e97a408d349a968b Mon Sep 17 00:00:00 2001
From: Aditya Patwardhan <aditya.patwardhan@espressif.com>
Date: Mon, 17 Feb 2020 22:59:31 +0530
Subject: [PATCH 2/2] esp_https_server: Fixed a PR which adds support for
 mutual auth in https_server Closes
 https://github.com/espressif/esp-idf/pull/4184 Closes IDFGH-2004

---
 .../include/esp_https_server.h                | 18 +++++++++------
 .../esp_https_server/src/https_server.c       | 22 ++++++++++++-------
 2 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/components/esp_https_server/include/esp_https_server.h b/components/esp_https_server/include/esp_https_server.h
index ad2ef1f15..6696d4a39 100644
--- a/components/esp_https_server/include/esp_https_server.h
+++ b/components/esp_https_server/include/esp_https_server.h
@@ -41,17 +41,21 @@ struct httpd_ssl_config {
      */
     httpd_config_t httpd;
 
-    /** CA certificate */
+    /** CA certificate (here it is treated as server cert)
+     * Todo: Fix this change in release/v5.0 as it would be a breaking change
+     * i.e. Rename the nomenclature of variables holding different certs in https_server component as well as example
+     * 1)The cacert variable should hold the CA which is used to authenticate clients (should inherit current role of client_verify_cert_pem var)
+     * 2)There should be another variable servercert which whould hold servers own certificate (should inherit current role of cacert var) */
     const uint8_t *cacert_pem;
 
     /** CA certificate byte length */
     size_t cacert_len;
 
-    /** Server certificate */
-    const uint8_t *servercert_pem;
+    /** Client verify authority certificate (CA used to sign clients, or client cert itself */
+    const uint8_t *client_verify_cert_pem;
 
-    /** Server certificate byte length */
-    size_t servercert_len;
+    /** Client verify authority cert len */
+    size_t client_verify_cert_len;
 
     /** Private key */
     const uint8_t *prvtkey_pem;
@@ -106,10 +110,10 @@ typedef struct httpd_ssl_config httpd_ssl_config_t;
     },                                            \
     .cacert_pem = NULL,                           \
     .cacert_len = 0,                              \
-    .servercert_pem = NULL,                       \
-    .servercert_len = 0,                          \
     .prvtkey_pem = NULL,                          \
     .prvtkey_len = 0,                             \
+    .client_verify_cert_pem = NULL,               \
+    .client_verify_cert_len = 0,                  \
     .transport_mode = HTTPD_SSL_TRANSPORT_SECURE, \
     .port_secure = 443,                           \
     .port_insecure = 80,                          \
diff --git a/components/esp_https_server/src/https_server.c b/components/esp_https_server/src/https_server.c
index 4d2d3ccc6..a5befcf22 100644
--- a/components/esp_https_server/src/https_server.c
+++ b/components/esp_https_server/src/https_server.c
@@ -153,25 +153,31 @@ static esp_tls_cfg_server_t *create_secure_context(const struct httpd_ssl_config
     if (!cfg) {
         return NULL;
     }
-    cfg->cacert_buf = (unsigned char *)malloc(config->cacert_len);
-    if (!cfg->cacert_buf) {
-        free(cfg);
-        return NULL;
+/* cacert = CA which signs client cert, or client cert itself , which is mapped to client_verify_cert_pem */
+    if(config->client_verify_cert_pem != NULL) {
+        cfg->cacert_buf = (unsigned char *)malloc(config->client_verify_cert_len);
+        if (!cfg->cacert_buf) {
+            ESP_LOGE(TAG, "Could not allocate memory");
+            free(cfg);
+            return NULL;
+        }
+        memcpy((char *)cfg->cacert_buf, config->client_verify_cert_pem, config->client_verify_cert_len);
+        cfg->cacert_bytes = config->client_verify_cert_len;
     }
-    memcpy((char *)cfg->cacert_buf, config->cacert_pem, config->cacert_len);
-    cfg->cacert_bytes = config->cacert_len;
-
+/* servercert = cert of server itself ( in our case it is mapped to cacert in https_server example) */
     cfg->servercert_buf = (unsigned char *)malloc(config->cacert_len);
     if (!cfg->servercert_buf) {
+        ESP_LOGE(TAG, "Could not allocate memory");
         free((void *)cfg->cacert_buf);
         free(cfg);
         return NULL;
     }
-    memcpy((char *)cfg->servercert_buf, config->servercert_pem, config->servercert_len);
+    memcpy((char *)cfg->servercert_buf, config->cacert_pem, config->cacert_len);
     cfg->servercert_bytes = config->cacert_len;
 
     cfg->serverkey_buf = (unsigned char *)malloc(config->prvtkey_len);
     if (!cfg->serverkey_buf) {
+        ESP_LOGE(TAG, "Could not allocate memory");
         free((void *)cfg->servercert_buf);
         free((void *)cfg->cacert_buf);
         free(cfg);