micropython
diff --git a/‎extmod/asyncio/stream.py
Lines changed: 24 additions & 5 deletions b/‎extmod/asyncio/stream.py
Lines changed: 24 additions & 5 deletions
diff --git a/‎extmod/modssl_mbedtls.c
Lines changed: 46 additions & 0 deletions b/‎extmod/modssl_mbedtls.c
Lines changed: 46 additions & 0 deletions
diff --git a/‎tests/multi_net/asyncio_tcp_tls_server_client.py
Lines changed: 126 additions & 0 deletions b/‎tests/multi_net/asyncio_tcp_tls_server_client.py
Lines changed: 126 additions & 0 deletions
diff --git a/‎tests/multi_net/asyncio_tcp_tls_server_client.py.exp
Lines changed: 20 additions & 0 deletions b/‎tests/multi_net/asyncio_tcp_tls_server_client.py.exp
Lines changed: 20 additions & 0 deletions
diff --git a/‎tests/multi_net/asyncio_tls_server_client.py
Lines changed: 69 additions & 0 deletions b/‎tests/multi_net/asyncio_tls_server_client.py
Lines changed: 69 additions & 0 deletions
diff --git a/‎tests/multi_net/asyncio_tls_server_client.py.exp
Lines changed: 8 additions & 0 deletions b/‎tests/multi_net/asyncio_tls_server_client.py.exp
Lines changed: 8 additions & 0 deletions
@@ -63,6 +63,8 @@ def readline(self):
         while True:
             yield core._io_queue.queue_read(self.s)
             l2 = self.s.readline()  # may do multiple reads but won't block
+            if l2 is None:
+                continue
             l += l2
             if not l2 or l[-1] == 10:  # \n (check l in case l2 is str)
                 return l
@@ -100,19 +102,29 @@ def drain(self):
 # Create a TCP stream connection to a remote host
 #
 # async
-def open_connection(host, port):
+def open_connection(host, port, ssl=None, server_hostname=None):
     from errno import EINPROGRESS
     import socket
 
     ai = socket.getaddrinfo(host, port, 0, socket.SOCK_STREAM)[0]  # TODO this is blocking!
     s = socket.socket(ai[0], ai[1], ai[2])
     s.set
6D40
blocking(False)
-    ss = Stream(s)
     try:
         s.connect(ai[-1])
     except OSError as er:
         if er.errno != EINPROGRESS:
             raise er
+    # wrap with SSL, if requested
+    if ssl:
+        if ssl is True:
+            import ssl as _ssl
+
+            ssl = _ssl.SSLContext(_ssl.PROTOCOL_TLS_CLIENT)
+        if not server_hostname:
+            server_hostname = host
+        s = ssl.wrap_socket(s, server_hostname=server_hostname, do_handshake_on_connect=False)
+        s.setblocking(False)
+    ss = Stream(s)
     yield core._io_queue.queue_write(s)
     return ss, ss
 
@@ -135,7 +147,7 @@ def close(self):
     async def wait_closed(self):
         await self.task
 
-    async def _serve(self, s, cb):
+    async def _serve(self, s, cb, ssl):
         self.state = False
         # Accept incoming connections
         while True:
@@ -156,14 +168,21 @@ async def _serve(self, s, cb):
             except:
                 # Ignore a failed accept
                 continue
+            if ssl:
+                try:
+                    s2 = ssl.wrap_socket(s2, server_side=True, do_handshake_on_connect=False)
+                except OSError as e:
+                    core.sys.print_exception(e)
+                    s2.close()
+                    continue
             s2.setblocking(False)
             s2s = Stream(s2, {"peername": addr})
             core.create_task(cb(s2s, s2s))
 
 
 # Helper function to start a TCP stream server, running as a new task
 # TODO could use an accept-callback on socket read activity instead of creating a task
 async def start_server(cb, host, port, backlog=5):
+async def start_server(cb, host, port, backlog=5, ssl=None):
     import socket
 
     # Create and bind server socket.
@@ -176,7 +195,7 @@ async def start_server(cb, host, port, backlog=5):
 
     # Create and return server object and task.
     srv = Server()
-    srv.task = core.create_task(srv._serve(s, cb))
+    srv.task = core.create_task(srv._serve(s, cb, ssl))
     try:
         # Ensure that the _serve task has been scheduled so that it gets to
         # handle cancellation.
 
@@ -165,6 +165,50 @@ STATIC NORETURN void mbedtls_raise_error(int err) {
     #endif
 }
 
+STATIC void ssl_check_async_handshake_failure(mp_obj_ssl_socket_t *sslsock, int *errcode) {
+
+    if (
+        #if MBEDTLS_VERSION_NUMBER >= 0x03000000
+        (*errcode < 0) && (mbedtls_ssl_is_handshake_over(&sslsock->ssl) == 0) && (*errcode != MBEDTLS_ERR_SSL_CONN_EOF)
+        #else
+        (*errcode < 0) && (*errcode != MBEDTLS_ERR_SSL_CONN_EOF)
+        #endif
+        ) {
+        // Async handshake is done by mbdetls_ssl_read/write
+        // if return code is MBEDTLS_ERR_XX (i.e < 0) and handshake is not done due to
+        // handshake failure notify peer
+        // with proper error code and raise mp error with mbedtls_raise_error
+
+        if (*errcode == MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE) {
+            // Check if TLSv1.3 and use proper alert for this case (to be implemented)
+            // uint8_t alert = MBEDTLS_SSL_ALERT_MSG_CERT_REQUIRED; tlsv1.3
+            // uint8_t alert = MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE; tlsv1.2
+            mbedtls_ssl_send_alert_message(&sslsock->ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+                MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE);
+        }
+
+        if (*errcode == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
+            // The certificate may have been rejected for several reasons.
+            uint32_t flags = 0;
+            uint ret = 0;
+            char xcbuf[512];
+            flags = mbedtls_ssl_get_verify_result(&sslsock->ssl);
+            ret = mbedtls_x509_crt_verify_info(xcbuf, sizeof(xcbuf), "\n", flags);
+            // The length of the string written (not including the terminated nul byte),
+            // or a negative err code.
+            if (ret > 0) {
+                sslsock->sock = MP_OBJ_NULL;
+                mbedtls_ssl_free(&sslsock->ssl);
+                mp_raise_msg_varg(&mp_type_ValueError, MP_ERROR_TEXT("%s"), xcbuf);
+            }
+        }
+
+        sslsock->sock = MP_OBJ_NULL;
+        mbedtls_ssl_free(&sslsock->ssl);
+        mbedtls_raise_error(*errcode);
+
+    }
+}
 /******************************************************************************/
 // SSLContext type.
 
@@ -630,6 +674,7 @@ STATIC mp_uint_t socket_read(mp_obj_t o_in, void *buf, mp_uint_t size, int *errc
     } else {
         o->last_error = ret;
     }
+    ssl_check_async_handshake_failure(o, &ret);
     *errcode = ret;
     return MP_STREAM_ERROR;
 }
@@ -658,6 +703,7 @@ STATIC mp_uint_t socket_write(mp_obj_t o_in, const void *buf, mp_uint_t size, in
     } else {
         o->last_error = ret;
     }
+    ssl_check_async_handshake_failure(o, &ret);
     *errcode = ret;
     return MP_STREAM_ERROR;
 }
 
@@ -0,0 +1,126 @@
+# Test asyncio TCP server and client using start_server() and open_connection()
+
+try:
+    import asyncio
+    import ssl
+except ImportError:
+    print("SKIP")
+    raise SystemExit
+
+PORT = 8000
+PORT_TLS = 8004
+
+
+async def handle_tcp_connection(reader, writer):
+    # Test that peername exists (but don't check its value, it changes)
+    writer.get_extra_info("peername")
+
+    data = await reader.read(100)
+    print("echo:", data)
+    writer.write(data)
+    await writer.drain()
+
+    print("close")
+    writer.close()
+    await writer.wait_closed()
+
+    print("done")
+    ev.set()
+
+
+async def handle_tls_connection(reader, writer):
+    # Test that peername exists (but don't check its value, it changes)
+    writer.get_extra_info("peername")
+
+    data = await reader.read(100)
+    print("echo:", data)
+    writer.write(data)
+    await writer.drain()
+
+    print("close")
+    writer.close()
+    await writer.wait_closed()
+
+    print("done")
+    ev1.set()
+
+
+async def tcp_server():
+    global ev
+    ev = asyncio.Event()
+    server = await asyncio.start_server(handle_tcp_connection, "0.0.0.0", PORT)
+    print("tcp server running")
+
+    multitest.next()
+    async with server:
+        await asyncio.wait_for(ev.wait(), 10)
+
+
+async def tcp_client(message):
+    await asyncio.sleep(1)
+    reader, writer = await asyncio.open_connection(IP, PORT)
+    print("write:", message)
+    writer.write(message)
+    await writer.drain()
+    data = await reader.read(100)
+    print("read:", data)
+
+
+# These are test certificates. See tests/README.md for details.
+cert = cafile = "multi_net/rsa_cert.der"
+
+key = "multi_net/rsa_key.der"
+
+
+async def tls_server():
+    global ev1
+
+    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    server_ctx.load_cert_chain(cert, keyfile=key)
+    ev1 = asyncio.Event()
+    server = await asyncio.start_server(handle_tls_connection, "0.0.0.0", PORT_TLS, ssl=server_ctx)
+    print("tls server running")
+    multitest.next()
+    async with server:
+        await asyncio.wait_for(ev1.wait(), 10)
+
+
+async def tls_client(message):
+    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    client_ctx.verify_mode = ssl.CERT_REQUIRED
+    client_ctx.load_verify_locations(cafile=cafile)
+    await asyncio.sleep(1)
+    reader, writer = await asyncio.open_connection(
+        IP, PORT_TLS, ssl=client_ctx, server_hostname="micropython.local"
+    )
+    print("write:", message)
+    writer.write(message)
+    await writer.drain()
+    data = await reader.read(100)
+    print("read:", data)
+
+
+async def tcp_tls_server():
+    print("TCP SERVER")
+    await tcp_server()
+
+    print("TLS SERVER")
+    await tls_server()
+
+
+async def tcp_tls_client():
+    print("TCP CLIENT")
+    await tcp_client(b"client data")
+    multitest.next()
+    print("TLS CLIENT")
+    await tls_client(b"client data")
+
+
+def instance0():
+    multitest.globals(IP=multitest.get_network_ip())
+    asyncio.run(tcp_tls_server())
+
+
+def instance1():
+    multitest.next()
+    asyncio.run(tcp_tls_client())
@@ -0,0 +1,20 @@
+--- instance0 ---
+TCP SERVER
+tcp server running
+echo: b'client data'
+close
+done
+TLS SERVER
+tls server running
+NEXT
+echo: b'client data'
+close
+done
+--- instance1 ---
+TCP CLIENT
+write: b'client data'
+read: b'client data'
+NEXT
+TLS CLIENT
+write: b'client data'
+read: b'client data'
@@ -0,0 +1,69 @@
+# Test uasyncio TCP server and client using start_server() and open_connection()
+
+try:
+    import asyncio
+    import ssl
+except ImportError:
+    print("SKIP")
+    raise SystemExit
+
+PORT = 8000
+
+# These are test certificates. See tests/README.md for details.
+cert = cafile = "multi_net/rsa_cert.der"
+
+key = "multi_net/rsa_key.der"
+
+
+async def handle_connection(reader, writer):
+    # Test that peername exists (but don't check its value, it changes)
+    writer.get_extra_info("peername")
+
+    data = await reader.read(100)
+    print("echo:", data)
+    writer.write(data)
+    await writer.drain()
+
+    print("close")
+    writer.close()
+    await writer.wait_closed()
+
+    print("done")
+    ev.set()
+
+
+async def tcp_server():
+    global ev
+
+    server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
+    server_ctx.load_cert_chain(cert, keyfile=key)
+    ev = asyncio.Event()
+    server = await asyncio.start_server(handle_connection, "0.0.0.0", PORT, ssl=server_ctx)
+    print("server running")
+    multitest.next()
+    async with server:
+        await asyncio.wait_for(ev.wait(), 10)
+
+
+async def tcp_client(message):
+    client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+    client_ctx.verify_mode = ssl.CERT_REQUIRED
+    client_ctx.load_verify_locations(cafile=cafile)
+    reader, writer = await asyncio.open_connection(
+        IP, PORT, ssl=client_ctx, server_hostname="micropython.local"
+    )
+    print("write:", message)
+    writer.write(message)
+    await writer.drain()
+    data = await reader.read(100)
+    print("read:", data)
+
+
+def instance0():
+    multitest.globals(IP=multitest.get_network_ip())
+    asyncio.run(tcp_server())
+
+
+def instance1():
+    multitest.next()
+    asyncio.run(tcp_client(b"client data"))
@@ -0,0 +1,8 @@
+--- instance0 ---
+server running
+echo: b'client data'
+close
+done
+--- instance1 ---
+write: b'client data'
+read: b'client data'