From dd12e9f8cd151173f722704c46d939293ec91c76 Mon Sep 17 00:00:00 2001
From: Mahavir Jain <mahavir@espressif.com>
Date: Tue, 13 Jul 2021 07:55:49 +0000
Subject: [PATCH] Merge branch 'cert/skipping_keyelements_validation' into
 'master'

MbedTLS: Add config option for key elements and key element extension for SSL connection

See merge request espressif/esp-idf!12898

(cherry picked from commit 76bd33e9a4574829195d5fa4fbe05078ca6d291d)

38d67725 mbedtls: Add config option key element and key element ext
---
 components/mbedtls/Kconfig                       | 16 ++++++++++++++++
 .../mbedtls/port/include/mbedtls/esp_config.h    |  8 ++++++++
 2 files changed, 24 insertions(+)

diff --git a/components/mbedtls/Kconfig b/components/mbedtls/Kconfig
index bbe4009cee..7b0f3c8a3e 100644
--- a/components/mbedtls/Kconfig
+++ b/components/mbedtls/Kconfig
@@ -563,6 +563,22 @@ menu "mbedTLS"
             Client support for RFC 5077 session tickets. See mbedTLS documentation for more details.
             Disabling this option will save some code size.
 
+    config MBEDTLS_X509_CHECK_KEY_USAGE
+        bool "Enable verification of the keyUsage extension"
+        default y
+        depends on MBEDTLS_TLS_ENABLED
+        help
+            Disabling this avoids problems with mis-issued and/or misused (intermediate) CA and leaf certificates.
+            Depending on your PKI use, disabling this can be a security risk.
+
+    config MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+        bool "Enable verification of the extendedKeyUsage extension"
+        default y
+        depends on MBEDTLS_TLS_ENABLED
+        help
+            Disabling this avoids problems with mis-issued and/or misused certificates.
+            Depending on your PKI use, disabling this can be a security risk.
+
     config MBEDTLS_SERVER_SSL_SESSION_TICKETS
         bool "TLS: Server Support for RFC 5077 SSL session tickets"
         default y
diff --git a/components/mbedtls/port/include/mbedtls/esp_config.h b/components/mbedtls/port/include/mbedtls/esp_config.h
index 1ff7ea4ad5..f36ebf9bc7 100644
--- a/components/mbedtls/port/include/mbedtls/esp_config.h
+++ b/components/mbedtls/port/include/mbedtls/esp_config.h
@@ -1193,7 +1193,11 @@
  *
  * Comment to skip keyUsage checking for both CA and leaf certificates.
  */
+#ifdef CONFIG_MBEDTLS_X509_CHECK_KEY_USAGE
 #define MBEDTLS_X509_CHECK_KEY_USAGE
+#else
+#undef MBEDTLS_X509_CHECK_KEY_USAGE
+#endif
 
 /**
  * \def MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
@@ -1206,7 +1210,11 @@
  *
  * Comment to skip extendedKeyUsage checking for certificates.
  */
+#ifdef CONFIG_MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
 #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#else
+#undef MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE
+#endif
 
 /**
  * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT