extmod/modussl_mbedtls: Deprecate wrap_socket in C.
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
1 parent b4acc32 commit 8aaff88

12 files changed

+170
-164
lines changed

extmod/modussl_mbedtls.c

Lines changed: 153 additions & 153 deletions
@@ -589,136 +589,136 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_0(mod_ssl_ctx_init_obj, mod_ssl_ctx_init);
589589

590590

591591

592-
STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
593-
// Verify the socket object has the full stream protocol
594-
mp_get_stream_raise(sock, MP_STREAM_OP_READ | MP_STREAM_OP_WRITE | MP_STREAM_OP_IOCTL);
595-
596-
#if MICROPY_PY_USSL_FINALISER
597-
mp_obj_ssl_socket_t *o = m_new_obj_with_finaliser(mp_obj_ssl_socket_t);
598-
#else
599-
mp_obj_ssl_socket_t *o = m_new_obj(mp_obj_ssl_socket_t);
600-
#endif
601-
o->base.type = &ussl_socket_type;
602-
o->sock = sock;
603-
604-
int ret;
605-
mbedtls_ssl_init(&o->ssl);
606-
mbedtls_ssl_config_init(&o->conf);
607-
mbedtls_x509_crt_init(&o->cacert);
608-
mbedtls_x509_crt_init(&o->cert);
609-
mbedtls_pk_init(&o->pkey);
610-
mbedtls_ctr_drbg_init(&o->ctr_drbg);
611-
#ifdef MBEDTLS_DEBUG_C
612-
// Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose
613-
mbedtls_debug_set_threshold(3);
614-
#endif
615-
616-
mbedtls_entropy_init(&o->entropy);
617-
const byte seed[] = "upy";
618-
ret = mbedtls_ctr_drbg_seed(&o->ctr_drbg, mbedtls_entropy_func, &o->entropy, seed, sizeof(seed));
619-
if (ret != 0) {
620-
goto cleanup;
621-
}
622-
623-
ret = mbedtls_ssl_config_defaults(&o->conf,
624-
args->server_side.u_bool ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
625-
MBEDTLS_SSL_TRANSPORT_STREAM,
626-
MBEDTLS_SSL_PRESET_DEFAULT);
627-
if (ret != 0) {
628-
goto cleanup;
629-
}
630-
631-
mbedtls_ssl_conf_authmode(&o->conf, args->cert_reqs.u_int);
632-
mbedtls_ssl_conf_rng(&o->conf, mbedtls_ctr_drbg_random, &o->ctr_drbg);
633-
#ifdef MBEDTLS_DEBUG_C
634-
mbedtls_ssl_conf_dbg(&o->conf, mbedtls_debug, NULL);
635-
#endif
636-
637-
ret = mbedtls_ssl_setup(&o->ssl, &o->conf);
638-
if (ret != 0) {
639-
goto cleanup;
640-
}
641-
642-
if (args->server_hostname.u_obj != mp_const_none) {
643-
const char *sni = mp_obj_str_get_str(args->server_hostname.u_obj);
644-
ret = mbedtls_ssl_set_hostname(&o->ssl, sni);
645-
if (ret != 0) {
646-
goto cleanup;
647-
}
648-
}
649-
650-
mbedtls_ssl_set_bio(&o->ssl, &o->sock, _mbedtls_ssl_send, _mbedtls_ssl_recv, NULL);
651-
652-
if (args->key.u_obj != mp_const_none) {
653-
size_t key_len;
654-
const byte *key = (const byte *)mp_obj_str_get_data(args->key.u_obj, &key_len);
655-
// len should include terminating null
656-
ret = mbedtls_pk_parse_key(&o->pkey, key, key_len + 1, NULL, 0);
657-
if (ret != 0) {
658-
ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; // use general error for all key errors
659-
goto cleanup;
660-
}
661-
662-
size_t cert_len;
663-
const byte *cert = (const byte *)mp_obj_str_get_data(args->cert.u_obj, &cert_len);
664-
// len should include terminating null
665-
ret = mbedtls_x509_crt_parse(&o->cert, cert, cert_len + 1);
666-
if (ret != 0) {
667-
ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; // use general error for all cert errors
668-
goto cleanup;
669-
}
670-
671-
ret = mbedtls_ssl_conf_own_cert(&o->conf, &o->cert, &o->pkey);
672-
if (ret != 0) {
673-
goto cleanup;
674-
}
675-
}
676-
677-
if (args->cadata.u_obj != mp_const_none) {
678-
size_t cacert_len;
679-
const byte *cacert = (const byte *)mp_obj_str_get_data(args->cadata.u_obj, &cacert_len);
680-
// len should include terminating null
681-
ret = mbedtls_x509_crt_parse(&o->cacert, cacert, cacert_len + 1);
682-
if (ret != 0) {
683-
ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; // use general error for all cert errors
684-
goto cleanup;
685-
}
686-
687-
mbedtls_ssl_conf_ca_chain(&o->conf, &o->cacert, NULL);
688-
}
689-
690-
if (args->do_handshake.u_bool) {
691-
while ((ret = mbedtls_ssl_handshake(&o->ssl)) != 0) {
692-
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
693-
goto cleanup;
694-
}
695-
#ifdef MICROPY_EVENT_POLL_HOOK
696-
MICROPY_EVENT_POLL_HOOK
697-
#endif
698-
}
699-
}
700-
701-
return o;
702-
703-
cleanup:
704-
mbedtls_pk_free(&o->pkey);
705-
mbedtls_x509_crt_free(&o->cert);
706-
mbedtls_x509_crt_free(&o->cacert);
707-
mbedtls_ssl_free(&o->ssl);
708-
mbedtls_ssl_config_free(&o->conf);
709-
mbedtls_ctr_drbg_free(&o->ctr_drbg);
710-
mbedtls_entropy_free(&o->entropy);
711-
712-
if (ret == MBEDTLS_ERR_SSL_ALLOC_FAILED) {
713-
mp_raise_OSError(MP_ENOMEM);
714-
} else if (ret == MBEDTLS_ERR_PK_BAD_INPUT_DATA) {
715-
mp_raise_ValueError(MP_ERROR_TEXT("invalid key"));
716-
} else if (ret == MBEDTLS_ERR_X509_BAD_INPUT_DATA) {
717-
mp_raise_ValueError(MP_ERROR_TEXT("invalid cert"));
718-
} else {
719-
mbedtls_raise_error(ret);
720-
}
721-
}
592+
// STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
593+
// // Verify the socket object has the full stream protocol
594+
// mp_get_stream_raise(sock, MP_STREAM_OP_READ | MP_STREAM_OP_WRITE | MP_STREAM_OP_IOCTL);
595+
//
596+
// #if MICROPY_PY_USSL_FINALISER
597+
// mp_obj_ssl_socket_t *o = m_new_obj_with_finaliser(mp_obj_ssl_socket_t);
598+
// #else
599+
// mp_obj_ssl_socket_t *o = m_new_obj(mp_obj_ssl_socket_t);
600+
// #endif
601+
// o->base.type = &ussl_socket_type;
602+
// o->sock = sock;
603+
//
604+
// int ret;
605+
// mbedtls_ssl_init(&o->ssl);
606+
// mbedtls_ssl_config_init(&o->conf);
607+
// mbedtls_x509_crt_init(&o->cacert);
608+
// mbedtls_x509_crt_init(&o->cert);
609+
// mbedtls_pk_init(&o->pkey);
610+
// mbedtls_ctr_drbg_init(&o->ctr_drbg);
611+
// #ifdef MBEDTLS_DEBUG_C
612+
// // Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose
613+
// mbedtls_debug_set_threshold(3);
614+
// #endif
615+
//
616+
// mbedtls_entropy_init(&o->entropy);
617+
// const byte seed[] = "upy";
618+
// ret = mbedtls_ctr_drbg_seed(&o->ctr_drbg, mbedtls_entropy_func, &o->entropy, seed, sizeof(seed));
619+
// if (ret != 0) {
620+
// goto cleanup;
621+
// }
622+
//
623+
// ret = mbedtls_ssl_config_defaults(&o->conf,
624+
// args->server_side.u_bool ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
625+
// MBEDTLS_SSL_TRANSPORT_STREAM,
626+
// MBEDTLS_SSL_PRESET_DEFAULT);
627+
// if (ret != 0) {
628+
// goto cleanup;
629+
// }
630+
//
631+
// mbedtls_ssl_conf_authmode(&o->conf, args->cert_reqs.u_int);
632+
// mbedtls_ssl_conf_rng(&o->conf, mbedtls_ctr_drbg_random, &o->ctr_drbg);
633+
// #ifdef MBEDTLS_DEBUG_C
634+
// mbedtls_ssl_conf_dbg(&o->conf, mbedtls_debug, NULL);
635+
// #endif
636+
//
637+
// ret = mbedtls_ssl_setup(&o->ssl, &o->conf);
638+
// if (ret != 0) {
639+
// goto cleanup;
640+
// }
641+
//
642+
// if (args->server_hostname.u_obj != mp_c 10000 onst_none) {
643+
// const char *sni = mp_obj_str_get_str(args->server_hostname.u_obj);
644+
// ret = mbedtls_ssl_set_hostname(&o->ssl, sni);
645+
// if (ret != 0) {
646+
// goto cleanup;
647+
// }
648+
// }
649+
//
650+
// mbedtls_ssl_set_bio(&o->ssl, &o->sock, _mbedtls_ssl_send, _mbedtls_ssl_recv, NULL);
651+
//
652+
// if (args->key.u_obj != mp_const_none) {
653+
// size_t key_len;
654+
// const byte *key = (const byte *)mp_obj_str_get_data(args->key.u_obj, &key_len);
655+
// // len should include terminating null
656+
// ret = mbedtls_pk_parse_key(&o->pkey, key, key_len + 1, NULL, 0);
657+
// if (ret != 0) {
658+
// ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; // use general error for all key errors
659+
// goto cleanup;
660+
// }
661+
//
662+
// size_t cert_len;
663+
// const byte *cert = (const byte *)mp_obj_str_get_data(args->cert.u_obj, &cert_len);
664+
// // len should include terminating null
665+
// ret = mbedtls_x509_crt_parse(&o->cert, cert, cert_len + 1);
666+
// if (ret != 0) {
667+
// ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; // use general error for all cert errors
668+
// goto cleanup;
669+
// }
670+
//
671+
// ret = mbedtls_ssl_conf_own_cert(&o->conf, &o->cert, &o->pkey);
672+
// if (ret != 0) {
673+
// goto cleanup;
674+
// }
675+
// }
676+
//
677+
// if (args->cadata.u_obj != mp_const_none) {
678+
// size_t cacert_len;
679+
// const byte *cacert = (const byte *)mp_obj_str_get_data(args->cadata.u_obj, &cacert_len);
680+
// // len should include terminating null
681+
// ret = mbedtls_x509_crt_parse(&o->cacert, cacert, cacert_len + 1);
682+
// if (ret != 0) {
683+
// ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; // use general error for all cert errors
684+
// goto cleanup;
685+
// }
686+
//
687+
// mbedtls_ssl_conf_ca_chain(&o->conf, &o->cacert, NULL);
688+
// }
689+
//
690+
// if (args->do_handshake.u_bool) {
691+
// while ((ret = mbedtls_ssl_handshake(&o->ssl)) != 0) {
692+
// if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
693+
// goto cleanup;
694+
// }
695+
// #ifdef MICROPY_EVENT_POLL_HOOK
696+
// MICROPY_EVENT_POLL_HOOK
697+
// #endif
698+
// }
699+
// }
700+
//
701+
// return o;
702+
//
703+
// cleanup:
704+
// mbedtls_pk_free(&o->pkey);
705+
// mbedtls_x509_crt_free(&o->cert);
706+
// mbedtls_x509_crt_free(&o->cacert);
707+
// mbedtls_ssl_free(&o->ssl);
708+
// mbedtls_ssl_config_free(&o->conf);
709+
// mbedtls_ctr_drbg_free(&o->ctr_drbg);
710+
// mbedtls_entropy_free(&o->entropy);
711+
//
712+
// if (ret == MBEDTLS_ERR_SSL_ALLOC_FAILED) {
713+
// mp_raise_OSError(MP_ENOMEM);
714+
// } else if (ret == MBEDTLS_ERR_PK_BAD_INPUT_DATA) {
715+
// mp_raise_ValueError(MP_ERROR_TEXT("invalid key"));
716+
// } else if (ret == MBEDTLS_ERR_X509_BAD_INPUT_DATA) {
717+
// mp_raise_ValueError(MP_ERROR_TEXT("invalid cert"));
718+
// } else {
719+
// mbedtls_raise_error(ret);
720+
// }
721+
// }
722722

723723
STATIC mp_obj_t mod_ssl_getpeercert(mp_obj_t o_in, mp_obj_t binary_form) {
724724
mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(o_in);
@@ -851,32 +851,32 @@ STATIC const mp_obj_type_t ussl_socket_type = {
851851
.locals_dict = (void *)&ussl_socket_locals_dict,
852852
};
853853

854-
STATIC mp_obj_t mod_ssl_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) {
855-
// TODO: Implement more args
856-
static const mp_arg_t allowed_args[] = {
857-
{ MP_QSTR_key, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
858-
{ MP_QSTR_cert, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
859-
{ MP_QSTR_server_side, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = false} },
860-
{ MP_QSTR_server_hostname, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
861-
{ MP_QSTR_cert_reqs, MP_ARG_KW_ONLY | MP_ARG_INT, {.u_int = MBEDTLS_SSL_VERIFY_NONE}},
862-
{ MP_QSTR_cadata, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
863-
{ MP_QSTR_do_handshake, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = true} },
864-
};
865-
866-
// TODO: Check that sock implements stream protocol
867-
mp_obj_t sock = pos_args[0];
868-
869-
struct ssl_args args;
870-
mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args,
871-
MP_ARRAY_SIZE(allowed_args), allowed_args, (mp_arg_val_t *)&args);
872-
873-
return MP_OBJ_FROM_PTR(socket_new(sock, &args));
874-
}
875-
STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socket);
854+
// STATIC mp_obj_t mod_ssl_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) {
855+
// // TODO: Implement more args
856+
// static const mp_arg_t allowed_args[] = {
857+
// { MP_QSTR_key, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
858+
// { MP_QSTR_cert, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
859+
// { MP_QSTR_server_side, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = false} },
860+
// { MP_QSTR_server_hostname, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
861+
// { MP_QSTR_cert_reqs, MP_ARG_KW_ONLY | MP_ARG_INT, {.u_int = MBEDTLS_SSL_VERIFY_NONE}},
862+
// { MP_QSTR_cadata, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
863+
// { MP_QSTR_do_handshake, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = true} },
864+
// };
865+
//
866+
// // TODO: Check that sock implements stream protocol
867+
// mp_obj_t sock = pos_args[0];
868+
//
869+
// struct ssl_args args;
870+
// mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args,
871+
// MP_ARRAY_SIZE(allowed_args), allowed_args, (mp_arg_val_t *)&args);
872+
//
873+
// return MP_OBJ_FROM_PTR(socket_new(sock, &args));
874+
// }
875+
// STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socket);
876876

877877
STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = {
878878
{ MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_ussl) },
879-
{ MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) },
879+
// { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) },
880880
{ MP_ROM_QSTR(MP_QSTR_ctx_init), MP_ROM_PTR(&mod_ssl_ctx_init_obj) },
881881
{ MP_ROM_QSTR(MP_QSTR_MBEDTLS_VERSION), MP_ROM_PTR(&mbedtls_version_obj)},
882882
{ MP_ROM_QSTR(MP_QSTR_CERT_NONE), MP_ROM_INT(MBEDTLS_SSL_VERIFY_NONE) },
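Review bot: The old `socket_new` and `mod_ssl_wrap_socket` bodies are kept as roughly 300 lines of `//`-commented code (new lines 592–721 and 854–875) instead of being deleted; the deleted text already lives in git history, and a dead copy is what drifts silently — it still carries the old `cert_reqs` default of `MBEDTLS_SSL_VERIFY_NONE` and the `// TODO: Check that sock implements stream protocol` note, which a future uncomment would resurrect unreviewed. Delete the commented blocks outright. The commit title says "deprecate", but dropping the `wrap_socket` entry from `mp_module_ssl_globals_table` at line 879 is a hard removal: code that does `import ussl` and calls `ussl.wrap_socket` now gets `AttributeError` with no pointer to the replacement, so either keep a stub that raises a clear error naming the `ssl` module or describe the change as a removal. Whether anything else in this file still references `socket_new` or `mod_ssl_wrap_socket_obj` is not visible here; if it does, the file no longer compiles.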

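--- a/extmod/ssl/ssl.py
+++ b/extmod/ssl/ssl.py
@@ -15,9 +15,15 @@ def wrap_socket(
     cadata=None,
     server_hostname=None,
     do_handshake=True,
+    keyfile=None,
+    certfile=None,
 ):
     ctx = _ussl.ctx_init()
-    if (key is not None) and (cert is not None):
+    if keyfile:
+        key = keyfile
+    if certfile:
+        cert = certfile
+    if key is not None:  # and (cert is not None):
         ctx.load_certchain(key=key, cert=cert)
     if cadata:
         ctx.load_cadata(cadata)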
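Review bot: The new `if key is not None:  # and (cert is not None):` at line 26 drops the guard that key and cert arrive as a pair, so `wrap_socket(sock, key=k)` now reaches `ctx.load_certchain(key=k, cert=None)`; `load_certchain` is not visible here, so what it does with `cert=None` is unknown, but a lone key is a caller error and should be reported rather than forwarded or silently skipped. Replace the commented-out condition with an explicit check, `if (key is None) != (cert is None): raise ValueError("key and cert must be given together")`, followed by `if key is not None:` as now. The added `if keyfile: key = keyfile` also silently overrides an explicit `key=` argument, and in CPython `keyfile`/`certfile` are file paths whereas the existing `key`/`cert` parameters carry the PEM/DER bytes themselves (the removed C implementation in modussl_mbedtls.c parsed them in memory with `mbedtls_pk_parse_key` and `mbedtls_x509_crt_parse`), so aliasing under those names will mislead callers porting from CPython; document in the docstring what each parameter accepts. The enclosing `wrap_socket` starts and ends outside this hunk.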

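--- a/tests/extmod/ussl_basic.py
+++ b/tests/extmod/ussl_basic.py
@@ -2,7 +2,7 @@
 
 try:
     import uio as io
-    import ussl as ssl
+    import ssl
 except ImportError:
     print("SKIP")
     raise SystemExit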

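--- a/tests/extmod/ussl_keycert.py
+++ b/tests/extmod/ussl_keycert.py
@@ -2,7 +2,7 @@
 
 try:
     import uio as io
-    import ussl as ssl
+    import ssl
 except ImportError:
     print("SKIP")
     raise SystemExit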

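--- a/tests/multi_net/ssl_cert_rsa.py
+++ b/tests/multi_net/ssl_cert_rsa.py
@@ -2,7 +2,7 @@
 # This test won't run under CPython because CPython doesn't have key/cert
 
 try:
-    import ubinascii as binascii, usocket as socket, ussl as ssl
+    import ubinascii as binascii, usocket as socket, ssl
 except ImportError:
     print("SKIP")
     raise SystemExit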

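--- a/tests/multi_net/ssl_data.py
+++ b/tests/multi_net/ssl_data.py
@@ -2,7 +2,7 @@
 # This test won't run under CPython because it requires key/cert
 
 try:
-    import ubinascii as binascii, usocket as socket, ussl as ssl
+    import ubinascii as binascii, usocket as socket, ssl
 except ImportError:
     print("SKIP")
     raise SystemExit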

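--- a/tests/net_inet/ssl_cert.py
+++ b/tests/net_inet/ssl_cert.py
@@ -1,6 +1,6 @@
 import ubinascii as binascii
 import usocket as socket
-import ussl as ssl
+import ssl
 
 
 # This certificate was obtained from micropython.org using openssl: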

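--- a/tests/net_inet/ssl_errors.py
+++ b/tests/net_inet/ssl_errors.py
@@ -4,7 +4,7 @@
 import sys
 
 try:
-    import uerrno as errno, usocket as socket, ussl as ssl
+    import uerrno as errno, usocket as socket, ssl
 except:
     import errno, socket, ssl
 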
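--- a/tests/net_inet/test_tls_nonblock.py
+++ b/tests/net_inet/test_tls_nonblock.py
@@ -1,5 +1,5 @@
 try:
-    import usocket as socket, ussl as ssl, uerrno as errno, sys
+    import usocket as socket, ssl, uerrno as errno, sys
 except:
     import socket, ssl, errno, sys, time, select
 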