Merge branch 'feature/cert_key_length_options' into 'master'

esp_http_client: Add cert and key length options, add config option for HTTP digest auth

Closes IDFGH-4752 and IDF-642

See merge request espressif/esp-idf!12736

components/esp_http_client/Kconfig

@@ -14,4 +14,11 @@ menu "ESP HTTP client"
             This option will enable HTTP Basic Authentication. It is disabled by default as Basic
             auth uses unencrypted encoding, so it introduces a vulnerability when not using TLS
 
+    config ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
+        bool "Enable HTTP Digest Authentication"
+        default y
+        help
+            This option will enable HTTP Digest Authentication. It is enabled by default, but use of this
+            configuration is not recommended as the password can be derived from the exchange, so it introduces
+            a vulnerability when not using TLS
 endmenu

components/esp_http_client/esp_http_client.c

@@ -510,11 +510,13 @@ static esp_err_t esp_http_client_prepare(esp_http_client_handle_t client)
 
         if (client->connection_info.auth_type == HTTP_AUTH_TYPE_BASIC) {
             auth_response = http_auth_basic(client->connection_info.username, client->connection_info.password);
+#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
         } else if (client->connection_info.auth_type == HTTP_AUTH_TYPE_DIGEST && client->auth_data) {
             client->auth_data->uri = client->connection_info.path;
             client->auth_data->cnonce = ((uint64_t)esp_random() << 32) + esp_random();
             auth_response = http_auth_digest(client->connection_info.username, client->connection_info.password, client->auth_data);
             client->auth_data->nc ++;
+#endif
         }
 
         if (auth_response) {
@@ -609,15 +611,27 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
     if (config->use_global_ca_store == true) {
         esp_transport_ssl_enable_global_ca_store(ssl);
     } else if (config->cert_pem) {
-        esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));
+        if (!config->cert_len) {
+            esp_transport_ssl_set_cert_data(ssl, config->cert_pem, strlen(config->cert_pem));
+        } else {
+            esp_transport_ssl_set_cert_data_der(ssl, config->cert_pem, config->cert_len);
+        }
     }
 
     if (config->client_cert_pem) {
-        esp_transport_ssl_set_client_cert_data(ssl, config->client_cert_pem, strlen(config->client_cert_pem));
+        if (!config->client_cert_len) {
+            esp_transport_ssl_set_client_cert_data(ssl, config->client_cert_pem, strlen(config->client_cert_pem));
+        } else {
+            esp_transport_ssl_set_client_cert_data_der(ssl, config->client_cert_pem, config->client_cert_len);
+        }
     }
 
     if (config->client_key_pem) {
-        esp_transport_ssl_set_client_key_data(ssl, config->client_key_pem, strlen(config->client_key_pem));
+        if (!config->client_key_len) {
+            esp_transport_ssl_set_client_key_data(ssl, config->client_key_pem, strlen(config->client_key_pem));
+        } else {
+            esp_transport_ssl_set_client_key_data_der(ssl, config->client_key_pem, config->client_key_len);
+        }
     }
 
     if (config->skip_cert_common_name_check) {
@@ -1398,19 +1412,27 @@ void esp_http_client_add_auth(esp_http_client_handle_t client)
         http_utils_trim_whitespace(&auth_header);
         ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header);
         client->redirect_counter++;
+#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
         if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
             ESP_LOGD(TAG, "type = Digest");
             client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
+        } else {
+#endif
 #ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
-        } else if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
+        if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
             ESP_LOGD(TAG, "type = Basic");
             client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
-#endif
         } else {
+#endif
             client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
             ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
             return;
+#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
         }
+#endif
+#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
+        }
+#endif
 
         _clear_auth_data(client);
 

components/esp_http_client/include/esp_http_client.h

@@ -116,8 +116,11 @@ typedef struct {
     const char                  *path;               /*!< HTTP Path, if not set, default is `/` */
     const char                  *query;              /*!< HTTP query */
     const char                  *cert_pem;           /*!< SSL server certification, PEM format as string, if the client requires to verify server */
+    size_t                      cert_len;            /*!< Length of the buffer pointed to by cert_pem. May be 0 for null-terminated pem */
     const char                  *client_cert_pem;    /*!< SSL client certification, PEM format as string, if the server requires to verify client */
+    size_t                      client_cert_len;     /*!< Length of the buffer pointed to by client_cert_pem. May be 0 for null-terminated pem */
     const char                  *client_key_pem;     /*!< SSL client key, PEM format as string, if the server requires to verify client */
+    size_t                      client_key_len;      /*!< Length of the buffer pointed to by client_key_pem. May be 0 for null-terminated pem */
     const char                  *user_agent;         /*!< The User Agent string to send with HTTP requests */
     esp_http_client_method_t    method;                   /*!< HTTP Method */
     int                         timeout_ms;               /*!< Network timeout in milliseconds */

examples/protocols/esp_http_client/main/esp_http_client_example.c

@@ -341,6 +341,7 @@ static void http_auth_basic_redirect(void)
 }
 #endif
 
+#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
 static void http_auth_digest(void)
 {
     esp_http_client_config_t config = {
@@ -359,6 +360,7 @@ static void http_auth_digest(void)
     }
     esp_http_client_cleanup(client);
 }
+#endif
 
 static void https_with_url(void)
 {
@@ -681,7 +683,9 @@ static void http_test_task(void *pvParameters)
     http_auth_basic();
     http_auth_basic_redirect();
 #endif
+#if CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH
     http_auth_digest();
+#endif
     http_relative_redirect();
     http_absolute_redirect();
     https_with_url();

examples/protocols/esp_http_client/sdkconfig.ci

@@ -8,3 +8,4 @@ CONFIG_EXAMPLE_ETH_PHY_RST_GPIO=5
 CONFIG_EXAMPLE_ETH_PHY_ADDR=1
 CONFIG_EXAMPLE_CONNECT_IPV6=y
 CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH=y
+CONFIG_ESP_HTTP_CLIENT_ENABLE_DIGEST_AUTH=y