net: sockets: tls: Add new option to retrieve cert verification result

Add new TLS socket option, TLS_CERT_VERIFY_RESULT, to obtain the
certificate verification result from the most recent handshake on the
socket. The option works if TLS_PEER_VERIFY_OPTIONAL was set on the
socket, in which case the handshake may succeed even if certificate
verification fails.

Signed-off-by: Robert Lubos <[email protected]>

Author: rlubos

include/zephyr/net/socket.h

@@ -237,6 +237,16 @@ extern "C" {
  *  will take place in consecutive send()/recv() call.
  */
 #define TLS_DTLS_HANDSHAKE_ON_CONNECT 18
+/** Read-only socket option to obtain the result of the certificate verification
+ *  from the most recent handshake if TLS_PEER_VERIFY_OPTIONAL was set on the
+ *  socket.
+ *  The option accepts a pointer to 32-bit unsigned integer, holding the
+ *  verification result on return.The result of 0 indicates that verification
+ *  was successful, otherwise the verification result is indicated by a set of
+ *  flags. For mbed TLS backend, the flags are defined in "X509 Verify codes"
+ *  section of x509.h header.
+ */
+#define TLS_CERT_VERIFY_RESULT 19
 
 /* Valid values for @ref TLS_PEER_VERIFY option */
 #define TLS_PEER_VERIFY_NONE 0     /**< Peer verification disabled. */

subsys/net/lib/sockets/sockets_tls.c

@@ -1945,6 +1945,18 @@ static int tls_opt_session_cache_get(struct tls_context *context,
 	return 0;
 }
 
+static int tls_opt_cert_verify_result_get(struct tls_context *context,
+					  void *optval, socklen_t *optlen)
+{
+	if (*optlen != sizeof(uint32_t)) {
+		return -EINVAL;
+	}
+
+	*(uint32_t *)optval = mbedtls_ssl_get_verify_result(&context->ssl);
+
+	return 0;
+}
+
 static int tls_opt_session_cache_purge_set(struct tls_context *context,
 					   const void *optval, socklen_t optlen)
 {
@@ -3493,6 +3505,10 @@ int ztls_getsockopt_ctx(struct tls_context *ctx, int level, int optname,
 		err = tls_opt_session_cache_get(ctx, optval, optlen);
 		break;
 
+	case TLS_CERT_VERIFY_RESULT:
+		err = tls_opt_cert_verify_result_get(ctx, optval, optlen);
+		break;
+
 #if defined(CONFIG_NET_SOCKETS_ENABLE_DTLS)
 	case TLS_DTLS_HANDSHAKE_TIMEOUT_MIN:
 		err = tls_opt_dtls_handshake_timeout_get(ctx, optval,