diff options
| author | Felix Dörre <felix@dogcraft.de> | 2024-02-01 12:07:06 +0000 |
|---|---|---|
| committer | Damien George <damien@micropython.org> | 2024-02-07 12:58:52 +1100 |
| commit | b802f0f8abf3c198d4d373d934f4ab13ec1552f9 (patch) | |
| tree | de1e689a592646a3f321a0a9a452cb455822ded2 /extmod/modssl_mbedtls.c | |
| parent | f8f1f29ac0b5ef837e7c277b2777080c1d82e080 (diff) | |
| download | micropython-b802f0f8abf3c198d4d373d934f4ab13ec1552f9.tar.gz micropython-b802f0f8abf3c198d4d373d934f4ab13ec1552f9.zip | |
extmod/modtls: Move the native ssl module to tls.
The current `ssl` module has quite a few differences to the CPython
implementation. This change moves the MicroPython variant to a new `tls`
module and provides a wrapper module for `ssl` (in micropython-lib).
Users who only rely on implemented comparible behavior can continue to use
`ssl`, while users that rely on non-compatible behavior should switch to
`tls`. Then we can make the facade in `ssl` more strictly adhere to
CPython.
Signed-off-by: Felix Dörre <felix@dogcraft.de>
Diffstat (limited to 'extmod/modssl_mbedtls.c')
| -rw-r--r-- | extmod/modssl_mbedtls.c | 867 |
1 files changed, 0 insertions, 867 deletions
diff --git a/extmod/modssl_mbedtls.c b/extmod/modssl_mbedtls.c deleted file mode 100644 index b6275d8d88..0000000000 --- a/extmod/modssl_mbedtls.c +++ /dev/null @@ -1,867 +0,0 @@ -/* - * This file is part of the MicroPython project, http://micropython.org/ - * - * The MIT License (MIT) - * - * Copyright (c) 2016 Linaro Ltd. - * Copyright (c) 2019 Paul Sokolovsky - * Copyright (c) 2023 Damien P. George - * - * Permission is hereby granted, free of charge, to any person obtaining a copy - * of this software and associated documentation files (the "Software"), to deal - * in the Software without restriction, including without limitation the rights - * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell - * copies of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in - * all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR - * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, - * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE - * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER - * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, - * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN - * THE SOFTWARE. - */ - -#include "py/mpconfig.h" -#if MICROPY_PY_SSL && MICROPY_SSL_MBEDTLS - -#include <stdio.h> -#include <string.h> -#include <errno.h> // needed because mp_is_nonblocking_error uses system error codes - -#include "py/runtime.h" -#include "py/stream.h" -#include "py/objstr.h" -#include "py/reader.h" -#include "extmod/vfs.h" - -// mbedtls_time_t -#include "mbedtls/platform.h" -#include "mbedtls/ssl.h" -#include "mbedtls/x509_crt.h" -#include "mbedtls/pk.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/debug.h" -#include "mbedtls/error.h" -#if MBEDTLS_VERSION_NUMBER >= 0x03000000 -#include "mbedtls/build_info.h" -#else -#include "mbedtls/version.h" -#endif - -#define MP_STREAM_POLL_RDWR (MP_STREAM_POLL_RD | MP_STREAM_POLL_WR) - -// This corresponds to an SSLContext object. -typedef struct _mp_obj_ssl_context_t { - mp_obj_base_t base; - mbedtls_entropy_context entropy; - mbedtls_ctr_drbg_context ctr_drbg; - mbedtls_ssl_config conf; - mbedtls_x509_crt cacert; - mbedtls_x509_crt cert; - mbedtls_pk_context pkey; - int authmode; - int *ciphersuites; -} mp_obj_ssl_context_t; - -// This corresponds to an SSLSocket object. -typedef struct _mp_obj_ssl_socket_t { - mp_obj_base_t base; - mp_obj_ssl_context_t *ssl_context; - mp_obj_t sock; - mbedtls_ssl_context ssl; - - uintptr_t poll_mask; // Indicates which read or write operations the protocol needs next - int last_error; // The last error code, if any -} mp_obj_ssl_socket_t; - -STATIC const mp_obj_type_t ssl_context_type; -STATIC const mp_obj_type_t ssl_socket_type; - -STATIC const MP_DEFINE_STR_OBJ(mbedtls_version_obj, MBEDTLS_VERSION_STRING_FULL); - -STATIC mp_obj_t ssl_socket_make_new(mp_obj_ssl_context_t *ssl_context, mp_obj_t sock, - bool server_side, bool do_handshake_on_connect, mp_obj_t server_hostname); - -/******************************************************************************/ -// Helper functions. - -STATIC mp_obj_t read_file(mp_obj_t self_in) { - // file = open(args[0], "rb") - mp_obj_t f_args[2] = { - self_in, - MP_OBJ_NEW_QSTR(MP_QSTR_rb), - }; - mp_obj_t file = mp_vfs_open(2, &f_args[0], (mp_map_t *)&mp_const_empty_map); - - // data = file.read() - mp_obj_t dest[2]; - mp_load_method(file, MP_QSTR_read, dest); - mp_obj_t data = mp_call_method_n_kw(0, 0, dest); - - // file.close() - mp_stream_close(file); - return data; -} - -#ifdef MBEDTLS_DEBUG_C -STATIC void mbedtls_debug(void *ctx, int level, const char *file, int line, const char *str) { - (void)ctx; - (void)level; - mp_printf(&mp_plat_print, "DBG:%s:%04d: %s\n", file, line, str); -} -#endif - -STATIC NORETURN void mbedtls_raise_error(int err) { - // Handle special cases. - if (err == MBEDTLS_ERR_SSL_ALLOC_FAILED) { - mp_raise_OSError(MP_ENOMEM); - } else if (err == MBEDTLS_ERR_PK_BAD_INPUT_DATA) { - mp_raise_ValueError(MP_ERROR_TEXT("invalid key")); - } else if (err == MBEDTLS_ERR_X509_BAD_INPUT_DATA) { - mp_raise_ValueError(MP_ERROR_TEXT("invalid cert")); - } - - // _mbedtls_ssl_send and _mbedtls_ssl_recv (below) turn positive error codes from the - // underlying socket into negative codes to pass them through mbedtls. Here we turn them - // positive again so they get interpreted as the OSError they really are. The - // cut-off of -256 is a bit hacky, sigh. - if (err < 0 && err > -256) { - mp_raise_OSError(-err); - } - - #if defined(MBEDTLS_ERROR_C) - // Including mbedtls_strerror takes about 1.5KB due to the error strings. - // MBEDTLS_ERROR_C is the define used by mbedtls to conditionally include mbedtls_strerror. - // It is set/unset in the MBEDTLS_CONFIG_FILE which is defined in the Makefile. - - // Try to allocate memory for the message - #define ERR_STR_MAX 80 // mbedtls_strerror truncates if it doesn't fit - mp_obj_str_t *o_str = m_new_obj_maybe(mp_obj_str_t); - byte *o_str_buf = m_new_maybe(byte, ERR_STR_MAX); - if (o_str == NULL || o_str_buf == NULL) { - mp_raise_OSError(err); - } - - // print the error message into the allocated buffer - mbedtls_strerror(err, (char *)o_str_buf, ERR_STR_MAX); - size_t len = strlen((char *)o_str_buf); - - // Put the exception object together - o_str->base.type = &mp_type_str; - o_str->data = o_str_buf; - o_str->len = len; - o_str->hash = qstr_compute_hash(o_str->data, o_str->len); - // raise - mp_obj_t args[2] = { MP_OBJ_NEW_SMALL_INT(err), MP_OBJ_FROM_PTR(o_str)}; - nlr_raise(mp_obj_exception_make_new(&mp_type_OSError, 2, 0, args)); - #else - // mbedtls is compiled without error strings so we simply return the err number - mp_raise_OSError(err); // err is typically a large negative number - #endif -} - -STATIC void ssl_check_async_handshake_failure(mp_obj_ssl_socket_t *sslsock, int *errcode) { - if ( - #if MBEDTLS_VERSION_NUMBER >= 0x03000000 - (*errcode < 0) && (mbedtls_ssl_is_handshake_over(&sslsock->ssl) == 0) && (*errcode != MBEDTLS_ERR_SSL_CONN_EOF) - #else - (*errcode < 0) && (*errcode != MBEDTLS_ERR_SSL_CONN_EOF) - #endif - ) { - // Asynchronous handshake is done by mbdetls_ssl_read/write. If the return code is - // MBEDTLS_ERR_XX (i.e < 0) and the handshake is not done due to a handshake failure, - // then notify peer with proper error code and raise local error with mbedtls_raise_error. - - if (*errcode == MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE) { - // Check if TLSv1.3 and use proper alert for this case (to be implemented) - // uint8_t alert = MBEDTLS_SSL_ALERT_MSG_CERT_REQUIRED; tlsv1.3 - // uint8_t alert = MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE; tlsv1.2 - mbedtls_ssl_send_alert_message(&sslsock->ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); - } - - if (*errcode == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { - // The certificate may have been rejected for several reasons. - char xcbuf[256]; - uint32_t flags = mbedtls_ssl_get_verify_result(&sslsock->ssl); - int ret = mbedtls_x509_crt_verify_info(xcbuf, sizeof(xcbuf), "\n", flags); - // The length of the string written (not including the terminated nul byte), - // or a negative err code. - if (ret > 0) { - sslsock->sock = MP_OBJ_NULL; - mbedtls_ssl_free(&sslsock->ssl); - mp_raise_msg_varg(&mp_type_ValueError, MP_ERROR_TEXT("%s"), xcbuf); - } - } - - sslsock->sock = MP_OBJ_NULL; - mbedtls_ssl_free(&sslsock->ssl); - mbedtls_raise_error(*errcode); - } -} - -/******************************************************************************/ -// SSLContext type. - -STATIC mp_obj_t ssl_context_make_new(const mp_obj_type_t *type_in, size_t n_args, size_t n_kw, const mp_obj_t *args) { - mp_arg_check_num(n_args, n_kw, 1, 1, false); - - // This is the "protocol" argument. - mp_int_t endpoint = mp_obj_get_int(args[0]); - - // Create SSLContext object. - #if MICROPY_PY_SSL_FINALISER - mp_obj_ssl_context_t *self = m_new_obj_with_finaliser(mp_obj_ssl_context_t); - #else - mp_obj_ssl_context_t *self = m_new_obj(mp_obj_ssl_context_t); - #endif - self->base.type = type_in; - - // Initialise mbedTLS state. - mbedtls_ssl_config_init(&self->conf); - mbedtls_entropy_init(&self->entropy); - mbedtls_ctr_drbg_init(&self->ctr_drbg); - mbedtls_x509_crt_init(&self->cacert); - mbedtls_x509_crt_init(&self->cert); - mbedtls_pk_init(&self->pkey); - self->ciphersuites = NULL; - - #ifdef MBEDTLS_DEBUG_C - // Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose - mbedtls_debug_set_threshold(3); - #endif - - // Whenever the PSA interface is used (if MBEDTLS_PSA_CRYPTO), psa_crypto_init() needs to be called before any TLS related operations. - // TLSv1.3 depends on the PSA interface, TLSv1.2 only uses the PSA stack if MBEDTLS_USE_PSA_CRYPTO is defined. - #if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_USE_PSA_CRYPTO) - psa_crypto_init(); - #endif - - const byte seed[] = "upy"; - int ret = mbedtls_ctr_drbg_seed(&self->ctr_drbg, mbedtls_entropy_func, &self->entropy, seed, sizeof(seed)); - if (ret != 0) { - mbedtls_raise_error(ret); - } - - ret = mbedtls_ssl_config_defaults(&self->conf, endpoint, - MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); - if (ret != 0) { - mbedtls_raise_error(ret); - } - - if (endpoint == MBEDTLS_SSL_IS_CLIENT) { - // The CPython default is MBEDTLS_SSL_VERIFY_REQUIRED, but to maintain - // backwards compatibility we use MBEDTLS_SSL_VERIFY_NONE for now. - self->authmode = MBEDTLS_SSL_VERIFY_NONE; - } else { - self->authmode = MBEDTLS_SSL_VERIFY_NONE; - } - mbedtls_ssl_conf_authmode(&self->conf, self->authmode); - mbedtls_ssl_conf_rng(&self->conf, mbedtls_ctr_drbg_random, &self->ctr_drbg); - #ifdef MBEDTLS_DEBUG_C - mbedtls_ssl_conf_dbg(&self->conf, mbedtls_debug, NULL); - #endif - - return MP_OBJ_FROM_PTR(self); -} - -STATIC void ssl_context_attr(mp_obj_t self_in, qstr attr, mp_obj_t *dest) { - mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in); - if (dest[0] == MP_OBJ_NULL) { - // Load attribute. - if (attr == MP_QSTR_verify_mode) { - dest[0] = MP_OBJ_NEW_SMALL_INT(self->authmode); - } else { - // Continue lookup in locals_dict. - dest[1] = MP_OBJ_SENTINEL; - } - } else if (dest[1] != MP_OBJ_NULL) { - // Store attribute. - if (attr == MP_QSTR_verify_mode) { - self->authmode = mp_obj_get_int(dest[1]); - dest[0] = MP_OBJ_NULL; - mbedtls_ssl_conf_authmode(&self->conf, self->authmode); - } - } -} - -#if MICROPY_PY_SSL_FINALISER -STATIC mp_obj_t ssl_context___del__(mp_obj_t self_in) { - mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in); - mbedtls_pk_free(&self->pkey); - mbedtls_x509_crt_free(&self->cert); - mbedtls_x509_crt_free(&self->cacert); - mbedtls_ctr_drbg_free(&self->ctr_drbg); - mbedtls_entropy_free(&self->entropy); - mbedtls_ssl_config_free(&self->conf); - return mp_const_none; -} -STATIC MP_DEFINE_CONST_FUN_OBJ_1(ssl_context___del___obj, ssl_context___del__); -#endif - -// SSLContext.get_ciphers() -STATIC mp_obj_t ssl_context_get_ciphers(mp_obj_t self_in) { - mp_obj_t list = mp_obj_new_list(0, NULL); - for (const int *cipher_list = mbedtls_ssl_list_ciphersuites(); *cipher_list; ++cipher_list) { - const char *cipher_name = mbedtls_ssl_get_ciphersuite_name(*cipher_list); - mp_obj_list_append(list, MP_OBJ_FROM_PTR(mp_obj_new_str(cipher_name, strlen(cipher_name)))); - } - return list; -} -STATIC MP_DEFINE_CONST_FUN_OBJ_1(ssl_context_get_ciphers_obj, ssl_context_get_ciphers); - -// SSLContext.set_ciphers(ciphersuite) -STATIC mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite) { - mp_obj_ssl_context_t *ssl_context = MP_OBJ_TO_PTR(self_in); - - // Check that ciphersuite is a list or tuple. - size_t len = 0; - mp_obj_t *ciphers; - mp_obj_get_array(ciphersuite, &len, &ciphers); - if (len == 0) { - mbedtls_raise_error(MBEDTLS_ERR_SSL_BAD_CONFIG); - } - - // Parse list of ciphers. - ssl_context->ciphersuites = m_new(int, len + 1); - for (size_t i = 0; i < len; ++i) { - const char *ciphername = mp_obj_str_get_str(ciphers[i]); - const int id = mbedtls_ssl_get_ciphersuite_id(ciphername); - if (id == 0) { - mbedtls_raise_error(MBEDTLS_ERR_SSL_BAD_CONFIG); - } - ssl_context->ciphersuites[i] = id; - } - ssl_context->ciphersuites[len] = 0; - - // Configure ciphersuite. - mbedtls_ssl_conf_ciphersuites(&ssl_context->conf, (const int *)ssl_context->ciphersuites); - - return mp_const_none; -} -STATIC MP_DEFINE_CONST_FUN_OBJ_2(ssl_context_set_ciphers_obj, ssl_context_set_ciphers); - -STATIC void ssl_context_load_key(mp_obj_ssl_context_t *self, mp_obj_t key_obj, mp_obj_t cert_obj) { - size_t key_len; - const byte *key = (const byte *)mp_obj_str_get_data(key_obj, &key_len); - // len should include terminating null - int ret; - #if MBEDTLS_VERSION_NUMBER >= 0x03000000 - ret = mbedtls_pk_parse_key(&self->pkey, key, key_len + 1, NULL, 0, mbedtls_ctr_drbg_random, &self->ctr_drbg); - #else - ret = mbedtls_pk_parse_key(&self->pkey, key, key_len + 1, NULL, 0); - #endif - if (ret != 0) { - mbedtls_raise_error(MBEDTLS_ERR_PK_BAD_INPUT_DATA); // use general error for all key errors - } - - size_t cert_len; - const byte *cert = (const byte *)mp_obj_str_get_data(cert_obj, &cert_len); - // len should include terminating null - ret = mbedtls_x509_crt_parse(&self->cert, cert, cert_len + 1); - if (ret != 0) { - mbedtls_raise_error(MBEDTLS_ERR_X509_BAD_INPUT_DATA); // use general error for all cert errors - } - - ret = mbedtls_ssl_conf_own_cert(&self->conf, &self->cert, &self->pkey); - if (ret != 0) { - mbedtls_raise_error(ret); - } -} - -// SSLContext.load_cert_chain(certfile, keyfile) -STATIC mp_obj_t ssl_context_load_cert_chain(mp_obj_t self_in, mp_obj_t certfile, mp_obj_t keyfile) { - mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in); - mp_obj_t pkey; - mp_obj_t cert; - if (certfile != mp_const_none) { - // check if key is a string/path - if (!(mp_obj_is_type(keyfile, &mp_type_bytes))) { - pkey = read_file(keyfile); - } else { - pkey = keyfile; - } - // check if cert is a string/path - if (!(mp_obj_is_type(certfile, &mp_type_bytes))) { - cert = read_file(certfile); - } else { - cert = certfile; - } - ssl_context_load_key(self, pkey, cert); - } - return mp_const_none; -} -STATIC MP_DEFINE_CONST_FUN_OBJ_3(ssl_context_load_cert_chain_obj, ssl_context_load_cert_chain); - -STATIC void ssl_context_load_cadata(mp_obj_ssl_context_t *self, mp_obj_t cadata_obj) { - size_t cacert_len; - const byte *cacert = (const byte *)mp_obj_str_get_data(cadata_obj, &cacert_len); - // len should include terminating null - int ret = mbedtls_x509_crt_parse(&self->cacert, cacert, cacert_len + 1); - if (ret != 0) { - mbedtls_raise_error(MBEDTLS_ERR_X509_BAD_INPUT_DATA); // use general error for all cert errors - } - - mbedtls_ssl_conf_ca_chain(&self->conf, &self->cacert, NULL); -} - -// SSLContext.load_verify_locations(cafile=None, *, cadata=None) -STATIC mp_obj_t ssl_context_load_verify_locations(size_t n_args, const mp_obj_t *pos_args, - mp_map_t *kw_args) { - - static const mp_arg_t allowed_args[] = { - { MP_QSTR_cafile, MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} }, - { MP_QSTR_cadata, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} }, - }; - - mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(pos_args[0]); - mp_arg_val_t args[MP_ARRAY_SIZE(allowed_args)]; - mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args, MP_ARRAY_SIZE(allowed_args), allowed_args, args); - // cafile - if (args[0].u_obj != mp_const_none) { - ssl_context_load_cadata(self, read_file(args[0].u_obj)); - } - // cadata - if (args[1].u_obj != mp_const_none) { - ssl_context_load_cadata(self, args[1].u_obj); - } - return mp_const_none; -} -STATIC MP_DEFINE_CONST_FUN_OBJ_KW(ssl_context_load_verify_locations_obj, 1, ssl_context_load_verify_locations); - -STATIC mp_obj_t ssl_context_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) { - enum { ARG_server_side, ARG_do_handshake_on_connect, ARG_server_hostname }; - static const mp_arg_t allowed_args[] = { - { MP_QSTR_server_side, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = false} }, - { MP_QSTR_do_handshake_on_connect, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = true} }, - { MP_QSTR_server_hostname, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} }, - }; - - // Parse arguments. - mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(pos_args[0]); - mp_obj_t sock = pos_args[1]; - mp_arg_val_t args[MP_ARRAY_SIZE(allowed_args)]; - mp_arg_parse_all(n_args - 2, pos_args + 2, kw_args, MP_ARRAY_SIZE(allowed_args), allowed_args, args); - - // Create and return the new SSLSocket object. - return ssl_socket_make_new(self, sock, args[ARG_server_side].u_bool, - args[ARG_do_handshake_on_connect].u_bool, args[ARG_server_hostname].u_obj); -} -STATIC MP_DEFINE_CONST_FUN_OBJ_KW(ssl_context_wrap_socket_obj, 2, ssl_context_wrap_socket); - -STATIC const mp_rom_map_elem_t ssl_context_locals_dict_table[] = { - #if MICROPY_PY_SSL_FINALISER - { MP_ROM_QSTR(MP_QSTR___del__), MP_ROM_PTR(&ssl_context___del___obj) }, - #endif - { MP_ROM_QSTR(MP_QSTR_get_ciphers), MP_ROM_PTR(&ssl_context_get_ciphers_obj)}, - { MP_ROM_QSTR(MP_QSTR_set_ciphers), MP_ROM_PTR(&ssl_context_set_ciphers_obj)}, - { MP_ROM_QSTR(MP_QSTR_load_cert_chain), MP_ROM_PTR(&ssl_context_load_cert_chain_obj)}, - { MP_ROM_QSTR(MP_QSTR_load_verify_locations), MP_ROM_PTR(&ssl_context_load_verify_locations_obj)}, - { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&ssl_context_wrap_socket_obj) }, -}; -STATIC MP_DEFINE_CONST_DICT(ssl_context_locals_dict, ssl_context_locals_dict_table); - -STATIC MP_DEFINE_CONST_OBJ_TYPE( - ssl_context_type, - MP_QSTR_SSLContext, - MP_TYPE_FLAG_NONE, - make_new, ssl_context_make_new, - attr, ssl_context_attr, - locals_dict, &ssl_context_locals_dict - ); - -/******************************************************************************/ -// SSLSocket type. - -STATIC int _mbedtls_ssl_send(void *ctx, const byte *buf, size_t len) { - mp_obj_t sock = *(mp_obj_t *)ctx; - - const mp_stream_p_t *sock_stream = mp_get_stream(sock); - int err; - - mp_uint_t out_sz = sock_stream->write(sock, buf, len, &err); - if (out_sz == MP_STREAM_ERROR) { - if (mp_is_nonblocking_error(err)) { - return MBEDTLS_ERR_SSL_WANT_WRITE; - } - return -err; // convert an MP_ERRNO to something mbedtls passes through as error - } else { - return out_sz; - } -} - -// _mbedtls_ssl_recv is called by mbedtls to receive bytes from the underlying socket -STATIC int _mbedtls_ssl_recv(void *ctx, byte *buf, size_t len) { - mp_obj_t sock = *(mp_obj_t *)ctx; - - const mp_stream_p_t *sock_stream = mp_get_stream(sock); - int err; - - mp_uint_t out_sz = sock_stream->read(sock, buf, len, &err); - if (out_sz == MP_STREAM_ERROR) { - if (mp_is_nonblocking_error(err)) { - return MBEDTLS_ERR_SSL_WANT_READ; - } - return -err; - } else { - return out_sz; - } -} - -STATIC mp_obj_t ssl_socket_make_new(mp_obj_ssl_context_t *ssl_context, mp_obj_t sock, - bool server_side, bool do_handshake_on_connect, mp_obj_t server_hostname) { - - // Verify the socket object has the full stream protocol - mp_get_stream_raise(sock, MP_STREAM_OP_READ | MP_STREAM_OP_WRITE | MP_STREAM_OP_IOCTL); - - #if MICROPY_PY_SSL_FINALISER - mp_obj_ssl_socket_t *o = m_new_obj_with_finaliser(mp_obj_ssl_socket_t); - #else - mp_obj_ssl_socket_t *o = m_new_obj(mp_obj_ssl_socket_t); - #endif - o->base.type = &ssl_socket_type; - o->ssl_context = ssl_context; - o->sock = sock; - o->poll_mask = 0; - o->last_error = 0; - - int ret; - uint32_t flags = 0; - - mbedtls_ssl_init(&o->ssl); - - ret = mbedtls_ssl_setup(&o->ssl, &ssl_context->conf); - if (ret != 0) { - goto cleanup; - } - - if (server_hostname != mp_const_none) { - const char *sni = mp_obj_str_get_str(server_hostname); - ret = mbedtls_ssl_set_hostname(&o->ssl, sni); - if (ret != 0) { - goto cleanup; - } - } else if (ssl_context->authmode == MBEDTLS_SSL_VERIFY_REQUIRED && server_side == false) { - - o->sock = MP_OBJ_NULL; - mbedtls_ssl_free(&o->ssl); - mp_raise_ValueError(MP_ERROR_TEXT("CERT_REQUIRED requires server_hostname")); - } - - mbedtls_ssl_set_bio(&o->ssl, &o->sock, _mbedtls_ssl_send, _mbedtls_ssl_recv, NULL); - - if (do_handshake_on_connect) { - while ((ret = mbedtls_ssl_handshake(&o->ssl)) != 0) { - if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { - goto cleanup; - } - mp_event_wait_ms(1); - } - } - - return MP_OBJ_FROM_PTR(o); - -cleanup: - if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { - flags = mbedtls_ssl_get_verify_result(&o->ssl); - } - - o->sock = MP_OBJ_NULL; - mbedtls_ssl_free(&o->ssl); - - if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { - char xcbuf[256]; - int ret_info = mbedtls_x509_crt_verify_info(xcbuf, sizeof(xcbuf), "\n", flags); - // The length of the string written (not including the terminated nul byte), - // or a negative err code. - if (ret_info > 0) { - mp_raise_msg_varg(&mp_type_ValueError, MP_ERROR_TEXT("%s"), xcbuf); - } - } - - mbedtls_raise_error(ret); -} - -#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) -STATIC mp_obj_t mod_ssl_getpeercert(mp_obj_t o_in, mp_obj_t binary_form) { - mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(o_in); - if (!mp_obj_is_true(binary_form)) { - mp_raise_NotImplementedError(NULL); - } - const mbedtls_x509_crt *peer_cert = mbedtls_ssl_get_peer_cert(&o->ssl); - if (peer_cert == NULL) { - return mp_const_none; - } - return mp_obj_new_bytes(peer_cert->raw.p, peer_cert->raw.len); -} -STATIC MP_DEFINE_CONST_FUN_OBJ_2(mod_ssl_getpeercert_obj, mod_ssl_getpeercert); -#endif - -STATIC mp_obj_t mod_ssl_cipher(mp_obj_t o_in) { - mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(o_in); - const char *cipher_suite = mbedtls_ssl_get_ciphersuite(&o->ssl); - const char *tls_version = mbedtls_ssl_get_version(&o->ssl); - mp_obj_t tuple[2] = {mp_obj_new_str(cipher_suite, strlen(cipher_suite)), - mp_obj_new_str(tls_version, strlen(tls_version))}; - - return mp_obj_new_tuple(2, tuple); -} -STATIC MP_DEFINE_CONST_FUN_OBJ_1(mod_ssl_cipher_obj, mod_ssl_cipher); - -STATIC mp_uint_t socket_read(mp_obj_t o_in, void *buf, mp_uint_t size, int *errcode) { - mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(o_in); - o->poll_mask = 0; - - if (o->last_error) { - *errcode = o->last_error; - return MP_STREAM_ERROR; - } - - int ret = mbedtls_ssl_read(&o->ssl, buf, size); - if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) { - // end of stream - return 0; - } - if (ret >= 0) { - return ret; - } - if (ret == MBEDTLS_ERR_SSL_WANT_READ) { - ret = MP_EWOULDBLOCK; - } else if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) { - // If handshake is not finished, read attempt may end up in protocol - // wanting to write next handshake message. The same may happen with - // renegotiation. - ret = MP_EWOULDBLOCK; - o->poll_mask = MP_STREAM_POLL_WR; - #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - } else if (ret == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET) { - // It appears a new session ticket being issued by the server right after - // completed handshake is not uncommon and shouldn't be treated as fatal. - // mbedtls itself states "This error code is experimental and may be - // changed or removed without notice." - ret = MP_EWOULDBLOCK; - #endif - } else { - o->last_error = ret; - } - ssl_check_async_handshake_failure(o, &ret); - *errcode = ret; - return MP_STREAM_ERROR; -} - -STATIC mp_uint_t socket_write(mp_obj_t o_in, const void *buf, mp_uint_t size, int *errcode) { - mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(o_in); - o->poll_mask = 0; - - if (o->last_error) { - *errcode = o->last_error; - return MP_STREAM_ERROR; - } - - int ret = mbedtls_ssl_write(&o->ssl, buf, size); - if (ret >= 0) { - return ret; - } - if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) { - ret = MP_EWOULDBLOCK; - } else if (ret == MBEDTLS_ERR_SSL_WANT_READ) { - // If handshake is not finished, write attempt may end up in protocol - // wanting to read next handshake message. The same may happen with - // renegotiation. - ret = MP_EWOULDBLOCK; - o->poll_mask = MP_STREAM_POLL_RD; - } else { - o->last_error = ret; - } - ssl_check_async_handshake_failure(o, &ret); - *errcode = ret; - return MP_STREAM_ERROR; -} - -STATIC mp_obj_t socket_setblocking(mp_obj_t self_in, mp_obj_t flag_in) { - mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(self_in); - mp_obj_t sock = o->sock; - mp_obj_t dest[3]; - mp_load_method(sock, MP_QSTR_setblocking, dest); - dest[2] = flag_in; - return mp_call_method_n_kw(1, 0, dest); -} -STATIC MP_DEFINE_CONST_FUN_OBJ_2(socket_setblocking_obj, socket_setblocking); - -STATIC mp_uint_t socket_ioctl(mp_obj_t o_in, mp_uint_t request, uintptr_t arg, int *errcode) { - mp_obj_ssl_socket_t *self = MP_OBJ_TO_PTR(o_in); - mp_uint_t ret = 0; - uintptr_t saved_arg = 0; - mp_obj_t sock = self->sock; - - if (request == MP_STREAM_CLOSE) { - if (sock == MP_OBJ_NULL) { - // Already closed socket, do nothing. - return 0; - } - self->sock = MP_OBJ_NULL; - mbedtls_ssl_free(&self->ssl); - } else if (request == MP_STREAM_POLL) { - if (sock == MP_OBJ_NULL || self->last_error != 0) { - // Closed or error socket, return NVAL flag. - return MP_STREAM_POLL_NVAL; - } - - // If the library signaled us that it needs reading or writing, only check that direction, - // but save what the caller asked because we need to restore it later - if (self->poll_mask && (arg & MP_STREAM_POLL_RDWR)) { - saved_arg = arg & MP_STREAM_POLL_RDWR; - arg = (arg & ~saved_arg) | self->poll_mask; - } - - // Take into account that the library might have buffered data already - int has_pending = 0; - if (arg & MP_STREAM_POLL_RD) { - has_pending = mbedtls_ssl_check_pending(&self->ssl); - if (has_pending) { - ret |= MP_STREAM_POLL_RD; - if (arg == MP_STREAM_POLL_RD) { - // Shortcut if we only need to read and we have buffered data, no need to go to the underlying socket - return MP_STREAM_POLL_RD; - } - } - } - } else { - // Unsupported ioctl. - *errcode = MP_EINVAL; - return MP_STREAM_ERROR; - } - - // Pass all requests down to the underlying socket - ret |= mp_get_stream(sock)->ioctl(sock, request, arg, errcode); - - if (request == MP_STREAM_POLL) { - // The direction the library needed is available, return a fake result to the caller so that - // it reenters a read or a write to allow the handshake to progress - if (ret & self->poll_mask) { - ret |= saved_arg; - } - } - return ret; -} - -STATIC const mp_rom_map_elem_t ssl_socket_locals_dict_table[] = { - { MP_ROM_QSTR(MP_QSTR_read), MP_ROM_PTR(&mp_stream_read_obj) }, - { MP_ROM_QSTR(MP_QSTR_readinto), MP_ROM_PTR(&mp_stream_readinto_obj) }, - { MP_ROM_QSTR(MP_QSTR_readline), MP_ROM_PTR(&mp_stream_unbuffered_readline_obj) }, - { MP_ROM_QSTR(MP_QSTR_write), MP_ROM_PTR(&mp_stream_write_obj) }, - { MP_ROM_QSTR(MP_QSTR_setblocking), MP_ROM_PTR(&socket_setblocking_obj) }, - { MP_ROM_QSTR(MP_QSTR_close), MP_ROM_PTR(&mp_stream_close_obj) }, - #if MICROPY_PY_SSL_FINALISER - { MP_ROM_QSTR(MP_QSTR___del__), MP_ROM_PTR(&mp_stream_close_obj) }, - #endif - #if MICROPY_UNIX_COVERAGE - { MP_ROM_QSTR(MP_QSTR_ioctl), MP_ROM_PTR(&mp_stream_ioctl_obj) }, - #endif - #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - { MP_ROM_QSTR(MP_QSTR_getpeercert), MP_ROM_PTR(&mod_ssl_getpeercert_obj) }, - #endif - { MP_ROM_QSTR(MP_QSTR_cipher), MP_ROM_PTR(&mod_ssl_cipher_obj) }, -}; -STATIC MP_DEFINE_CONST_DICT(ssl_socket_locals_dict, ssl_socket_locals_dict_table); - -STATIC const mp_stream_p_t ssl_socket_stream_p = { - .read = socket_read, - .write = socket_write, - .ioctl = socket_ioctl, -}; - -STATIC MP_DEFINE_CONST_OBJ_TYPE( - ssl_socket_type, - MP_QSTR_SSLSocket, - MP_TYPE_FLAG_NONE, - protocol, &ssl_socket_stream_p, - locals_dict, &ssl_socket_locals_dict - ); - -/******************************************************************************/ -// ssl module. - -STATIC mp_obj_t mod_ssl_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) { - enum { - ARG_key, - ARG_cert, - ARG_server_side, - ARG_server_hostname, - ARG_cert_reqs, - ARG_cadata, - ARG_do_handshake, - }; - static const mp_arg_t allowed_args[] = { - { MP_QSTR_key, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} }, - { MP_QSTR_cert, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} }, - { MP_QSTR_server_side, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = false} }, - { MP_QSTR_server_hostname, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} }, - { MP_QSTR_cert_reqs, MP_ARG_KW_ONLY | MP_ARG_INT, {.u_int = MBEDTLS_SSL_VERIFY_NONE}}, - { MP_QSTR_cadata, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} }, - { MP_QSTR_do_handshake, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = true} }, - }; - - // Parse arguments. - mp_obj_t sock = pos_args[0]; - mp_arg_val_t args[MP_ARRAY_SIZE(allowed_args)]; - mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args, MP_ARRAY_SIZE(allowed_args), allowed_args, args); - - // Create SSLContext. - mp_int_t protocol = args[ARG_server_side].u_bool ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT; - mp_obj_t ssl_context_args[1] = { MP_OBJ_NEW_SMALL_INT(protocol) }; - mp_obj_ssl_context_t *ssl_context = MP_OBJ_TO_PTR(ssl_context_make_new(&ssl_context_type, 1, 0, ssl_context_args)); - - // Load key and cert if given. - if (args[ARG_key].u_obj != mp_const_none) { - ssl_context_load_key(ssl_context, args[ARG_key].u_obj, args[ARG_cert].u_obj); - } - - // Set the verify_mode. - mp_obj_t dest[2] = { MP_OBJ_SENTINEL, MP_OBJ_NEW_SMALL_INT(args[ARG_cert_reqs].u_int) }; - ssl_context_attr(MP_OBJ_FROM_PTR(ssl_context), MP_QSTR_verify_mode, dest); - - // Load cadata if given. - if (args[ARG_cadata].u_obj != mp_const_none) { - ssl_context_load_cadata(ssl_context, args[ARG_cadata].u_obj); - } - - // Create and return the new SSLSocket object. - return ssl_socket_make_new(ssl_context, sock, args[ARG_server_side].u_bool, - args[ARG_do_handshake].u_bool, args[ARG_server_hostname].u_obj); -} -STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socket); - -STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = { - { MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_ssl) }, - - // Functions. - { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) }, - - // Classes. - { MP_ROM_QSTR(MP_QSTR_SSLContext), MP_ROM_PTR(&ssl_context_type) }, - - // Constants. - { MP_ROM_QSTR(MP_QSTR_MBEDTLS_VERSION), MP_ROM_PTR(&mbedtls_version_obj)}, - { MP_ROM_QSTR(MP_QSTR_PROTOCOL_TLS_CLIENT), MP_ROM_INT(MBEDTLS_SSL_IS_CLIENT) }, - { MP_ROM_QSTR(MP_QSTR_PROTOCOL_TLS_SERVER), MP_ROM_INT(MBEDTLS_SSL_IS_SERVER) }, - { MP_ROM_QSTR(MP_QSTR_CERT_NONE), MP_ROM_INT(MBEDTLS_SSL_VERIFY_NONE) }, - { MP_ROM_QSTR(MP_QSTR_CERT_OPTIONAL), MP_ROM_INT(MBEDTLS_SSL_VERIFY_OPTIONAL) }, - { MP_ROM_QSTR(MP_QSTR_CERT_REQUIRED), MP_ROM_INT(MBEDTLS_SSL_VERIFY_REQUIRED) }, -}; -STATIC MP_DEFINE_CONST_DICT(mp_module_ssl_globals, mp_module_ssl_globals_table); - -const mp_obj_module_t mp_module_ssl = { - .base = { &mp_type_module }, - .globals = (mp_obj_dict_t *)&mp_module_ssl_globals, -}; - -MP_REGISTER_EXTENSIBLE_MODULE(MP_QSTR_ssl, mp_module_ssl); - -#endif // MICROPY_PY_SSL && MICROPY_SSL_MBEDTLS |