add verification for cert, freeup heap

2019-10-01 16:10:48 -04:00
parent beb3a98b05
commit ae8a059e89
1 changed files with 24 additions and 4 deletions
--- a/arduino/libraries/WiFi/src/WiFiSSLClient.cpp
+++ b/arduino/libraries/WiFi/src/WiFiSSLClient.cpp
@@ -56,7 +56,7 @@ int WiFiSSLClient::connect(const char* host, uint16_t port)
 {
  char* client_cert = NULL;
  char* client_key = NULL;
-  int ret;
+  int ret, flags;
  synchronized {
    _netContext.fd = -1;
    _connected = false;
@@ -203,13 +203,33 @@ int WiFiSSLClient::connect(const char* host, uint16_t port)
    {
      ets_printf("Protocol is %s Ciphersuite is %s", mbedtls_ssl_get_version(&_sslContext), mbedtls_ssl_get_ciphersuite(&_sslContext));
    }
+    ets_printf("Verifying peer X.509 certificate");
+    char buf[512];
+    if ((flags = mbedtls_ssl_get_verify_result(&_sslContext)) != 0) {
+      bzero(buf, sizeof(buf));
+      mbedtls_x509_crt_verify_info(buf, sizeof(buf), "  ! ", flags);
+      ets_printf("Failed to verify peer certificate! verification info: %s", buf);
+      stop(); // invalid certificate, stop
+      return -1;
+    } else {
+      ets_printf("Certificate chain verified.");
+    }

-
-    
    ets_printf("*** ssl set nonblock\n");
    mbedtls_net_set_nonblock(&_netContext);

-    // TODO: Free heap (all certs, incl. CA cert...)
+    //ets_printf("Free internal heap before cleanup: %u\n", ESP.getFreeHeap());
+    // free up the heap
+    if (certs_data != NULL) {
+      mbedtls_x509_crt_free(&_caCrt);
+    }
+    if (client_cert != NULL) {
+      mbedtls_x509_crt_free(&_clientCrt);
+    }
+    if (client_key !=NULL) {
+      mbedtls_pk_free(&_clientKey);
+    }
+    //ets_printf("Free internal heap after cleanup: %u\n", ESP.getFreeHeap());
    _connected = true;
    return 1;
  }