From 882a00de6972515f1075b0eae9ba7fb43a067d88 Mon Sep 17 00:00:00 2001
From: Ian Davies
Date: Sun, 3 Jul 2022 18:35:17 +0100
Subject: [PATCH 1/3] rp2/mbedtls: Enable certificate validity time validation.

---
 ports/rp2/mbedtls/mbedtls_config.h | 6 ++++++
 ports/rp2/mbedtls/mbedtls_port.c   | 9 +++++++++
 2 files changed, 15 insertions(+)

diff --git a/ports/rp2/mbedtls/mbedtls_config.h b/ports/rp2/mbedtls/mbedtls_config.h
index 4bf606f5ea23b..743d0a6a8425e 100644
--- a/ports/rp2/mbedtls/mbedtls_config.h
+++ b/ports/rp2/mbedtls/mbedtls_config.h
@@ -93,6 +93,8 @@
 #define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 #define MBEDTLS_X509_CRT_PARSE_C
 #define MBEDTLS_X509_USE_C
+#define MBEDTLS_HAVE_TIME
+#define MBEDTLS_HAVE_TIME_DATE
 
 // Memory allocation hooks
 #include
@@ -103,6 +105,10 @@ void m_tracked_free(void *ptr);
 #define MBEDTLS_PLATFORM_STD_FREE m_tracked_free
 #define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
 
+// Time hook
+time_t rp2_rtctime_seconds(time_t *timer);
+#define MBEDTLS_PLATFORM_TIME_MACRO rp2_rtctime_seconds
+
 #include "mbedtls/check_config.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_H */
diff --git a/ports/rp2/mbedtls/mbedtls_port.c b/ports/rp2/mbedtls/mbedtls_port.c
index aa0f9a36e0eaa..9067eca90ee55 100644
--- a/ports/rp2/mbedtls/mbedtls_port.c
+++ b/ports/rp2/mbedtls/mbedtls_port.c
@@ -29,6 +29,9 @@
 
 #include "mbedtls_config.h"
 
+#include "hardware/rtc.h"
+#include "shared/timeutils/timeutils.h"
+
 extern uint8_t rosc_random_u8(size_t cycles);
 
 int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) {
@@ -39,4 +42,10 @@ int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t
     return 0;
 }
 
+time_t rp2_rtctime_seconds(time_t *timer) {
+    datetime_t t;
+    rtc_get_datetime(&t);
+    return timeutils_seconds_since_epoch(t.year, t.month, t.day, t.hour, t.min, t.sec);
+}
+
 #endif
From 5c13fbcad407a8527e2066d3abbcb4daeaf07e7d Mon Sep 17 00:00:00 2001
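Review bot: The new prototype `time_t rp2_rtctime_seconds(time_t *timer);` uses `time_t` in a header that only includes `<stdlib.h>`/`<stdio.h>` (the existing "Memory allocation hooks" include above it), and mbedtls pulls in this config file before its own `<time.h>` include; it presumably compiles only because the toolchain's stdio headers bring in the type transitively. Add `#include <time.h>` next to the existing include so the declaration does not depend on include order. A one-line comment above the hook would also help readers: enabling MBEDTLS_HAVE_TIME / MBEDTLS_HAVE_TIME_DATE in the first hunk makes certificate validity-period checks depend on the RTC holding a correct wall-clock time, e.g. `// Used for X.509 validity-period checks; the RTC must be set (e.g. via NTP) before TLS verification is meaningful`.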
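Review bot: `rtc_get_datetime(&t)` returns a bool that the new `rp2_rtctime_seconds` ignores, and `t` is never initialised, so when the RTC is not running the function converts uninitialised stack contents into the time mbedtls uses for certificate validity checks. The `timer` out-parameter is also ignored even though the `time()` contract this macro stands in for stores the result through a non-NULL pointer. Check the return value and fall back to `(time_t)-1`, which a subsequent gmtime maps to 1969 and so fails validity checks closed rather than with a random date, and honour `timer`. The result is only a valid `time_t` if this port's `timeutils_seconds_since_epoch` counts from 1970 rather than 2000 (it is selected by the port's epoch setting — confirm), and an RTC that runs but was never set still yields a plausible wrong time; both caveats belong in the function comment.
```c
// mbedtls time hook (MBEDTLS_PLATFORM_TIME_MACRO): seconds since 1970 from the
// RTC, or (time_t)-1 if the RTC is not running. Certificate validity checks are
// only meaningful once the RTC has been set (e.g. via NTP).
time_t rp2_rtctime_seconds(time_t *timer) {
    datetime_t t;
    time_t now = (time_t)-1;
    if (rtc_get_datetime(&t)) {
        now = timeutils_seconds_since_epoch(t.year, t.month, t.day, t.hour, t.min, t.sec);
    }
    if (timer != NULL) {
        *timer = now;
    }
    return now;
}
```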
From: Ian Davies Date: Wed, 6 Jul 2022 16:22:57 +0100 Subject: [PATCH 2/3] extmod/ntptime.py: Factor out ntptime module. The ntptime module was previously only included in the ESP8266 port. This commit factors that module out into the extmod directory. --- {ports/esp8266/modules => extmod}/ntptime.py | 17 +++++++++++++---- ports/esp32/boards/manifest.py | 2 +- ports/esp8266/boards/GENERIC_512K/manifest.py | 1 - ports/esp8266/boards/manifest.py | 1 + ports/rp2/boards/PICO_W/manifest.py | 1 + 5 files changed, 16 insertions(+), 6 deletions(-) rename {ports/esp8266/modules => extmod}/ntptime.py (69%) diff --git a/ports/esp8266/modules/ntptime.py b/extmod/ntptime.py similarity index 69% rename from ports/esp8266/modules/ntptime.py rename to extmod/ntptime.py index dd07e46f1d3b4..05d7e9717d82d 100644 --- a/ports/esp8266/modules/ntptime.py +++ b/extmod/ntptime.py @@ -1,3 +1,5 @@ +import utime + try: import usocket as socket except: @@ -7,9 +9,6 @@ except: import struct -# (date(2000, 1, 1) - date(1900, 1, 1)).days * 24*60*60 -NTP_DELTA = 3155673600 - # The NTP host can be configured at runtime by doing: ntptime.host = 'myhost.org' host = "pool.ntp.org" @@ -26,6 +25,17 @@ def time(): finally: s.close() val = struct.unpack("!I", msg[40:44])[0] + + EPOCH_YEAR = utime.gmtime(0)[0] + if EPOCH_YEAR == 2000: + # (date(2000, 1, 1) - date(1900, 1, 1)).days * 24*60*60 + NTP_DELTA = 3155673600 + elif EPOCH_YEAR == 1970: + # (date(1970, 1, 1) - date(1900, 1, 1)).days * 24*60*60 + NTP_DELTA = 2208988800 + else: + raise Exception("Unsupported epoch: {}".format(EPOCH_YEAR)) + return val - NTP_DELTA @@ -33,7 +43,6 @@ def time(): def settime(): t = time() import machine - import utime tm = utime.gmtime(t) machine.RTC().datetime((tm[0], tm[1], tm[2], tm[6] + 1, tm[3], tm[4], tm[5], 0)) diff --git a/ports/esp32/boards/manifest.py b/ports/esp32/boards/manifest.py index 1dc1481a420df..f0ed38b515c71 100644 --- a/ports/esp32/boards/manifest.py +++ b/ports/esp32/boards/manifest.py 
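Review bot: The epoch probe and the `NTP_DELTA` selection in the third hunk run inside `time()` on every call, and together with the second hunk's removal of the module-level constant they silently drop `ntptime.NTP_DELTA`, a name existing callers could read. Hoisting the selection to module scope keeps the public name and evaluates it once: `EPOCH_YEAR = utime.gmtime(0)[0]`, `NTP_DELTA = 3155673600 if EPOCH_YEAR == 2000 else 2208988800`, with the unsupported-epoch `raise` alongside it at import time. `time()` starts outside the hunk. Since the first patch in this series makes TLS certificate validity checks depend on the clock that `settime()` writes, a short module comment that this is plain unauthenticated UDP NTP (trustworthy only as far as the network path is) would help readers judge where it is appropriate.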
@@ -1,6 +1,6 @@ freeze("$(PORT_DIR)/modules") freeze("$(MPY_DIR)/tools", ("upip.py", "upip_utarfile.py")) -freeze("$(MPY_DIR)/ports/esp8266/modules", "ntptime.py") +freeze("$(MPY_DIR)/extmod", "ntptime.py") freeze("$(MPY_DIR)/drivers/dht", "dht.py") freeze("$(MPY_DIR)/drivers/onewire") include("$(MPY_DIR)/extmod/uasyncio/manifest.py") diff --git a/ports/esp8266/boards/GENERIC_512K/manifest.py b/ports/esp8266/boards/GENERIC_512K/manifest.py index ee148c80892d8..e43d94843fdba 100644 --- a/ports/esp8266/boards/GENERIC_512K/manifest.py +++ b/ports/esp8266/boards/GENERIC_512K/manifest.py @@ -1,5 +1,4 @@ freeze("$(BOARD_DIR)", "_boot.py", opt=3) -freeze("$(PORT_DIR)/modules", ("apa102.py", "ntptime.py", "port_diag.py")) freeze("$(MPY_DIR)/drivers/dht", "dht.py") freeze("$(MPY_DIR)/drivers/onewire") include("$(MPY_DIR)/extmod/webrepl/manifest.py") diff --git a/ports/esp8266/boards/manifest.py b/ports/esp8266/boards/manifest.py index 598572d62ad48..c5809717e6927 100644 --- a/ports/esp8266/boards/manifest.py +++ b/ports/esp8266/boards/manifest.py @@ -1,4 +1,5 @@ freeze("$(PORT_DIR)/modules") +freeze("$(MPY_DIR)/extmod", "ntptime.py") freeze("$(MPY_DIR)/tools", ("upip.py", "upip_utarfile.py")) freeze("$(MPY_DIR)/drivers/dht", "dht.py") freeze("$(MPY_DIR)/drivers/onewire") diff --git a/ports/rp2/boards/PICO_W/manifest.py b/ports/rp2/boards/PICO_W/manifest.py index 1953d5cbd0693..eb748da485c98 100644 --- a/ports/rp2/boards/PICO_W/manifest.py +++ b/ports/rp2/boards/PICO_W/manifest.py @@ -2,6 +2,7 @@ freeze("$(MPY_DIR)/tools", "upip.py") freeze("$(MPY_DIR)/tools", "upip_utarfile.py") +freeze("$(MPY_DIR)/extmod", "ntptime.py") if os.path.isdir(convert_path("$(MPY_LIB_DIR)")): freeze("$(MPY_LIB_DIR)/python-ecosys/urequests", "urequests.py") From 0f6bd962458bed4c1ac3e8049d6fe8f3a9419953 Mon Sep 17 00:00:00 2001 
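Review bot: In the GENERIC_512K manifest the removed `freeze("$(PORT_DIR)/modules", ("apa102.py", "ntptime.py", "port_diag.py"))` line has no replacement, so that board loses `apa102.py` and `port_diag.py` as well as `ntptime.py`, although the commit message only describes moving ntptime. Unless dropping the other two modules from the 512K build is intended, keep `freeze("$(PORT_DIR)/modules", ("apa102.py", "port_diag.py"))`, and if ntptime should still be frozen there add `freeze("$(MPY_DIR)/extmod", "ntptime.py")` as the other manifests in this commit do.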
From: Ian Davies
Date: Thu, 21 Jul 2022 21:00:24 +0100
Subject: [PATCH 3/3] extmod/modussl_mbedtls.c: More sensible default debug log level.

---
 extmod/modussl_mbedtls.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/extmod/modussl_mbedtls.c b/extmod/modussl_mbedtls.c
index 8365c7a4a4d2e..b14ed9ad0e3d0 100644
--- a/extmod/modussl_mbedtls.c
+++ b/extmod/modussl_mbedtls.c
@@ -74,7 +74,7 @@ STATIC const mp_obj_type_t ussl_socket_type;
 STATIC void mbedtls_debug(void *ctx, int level, const char *file, int line, const char *str) {
     (void)ctx;
     (void)level;
-    printf("DBG:%s:%04d: %s\n", file, line, str);
+    mp_printf(&mp_plat_print, "DBG:%s:%04d: %s\n", file, line, str);
 }
 #endif
 
@@ -175,7 +175,7 @@ STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
     mbedtls_ctr_drbg_init(&o->ctr_drbg);
     #ifdef MBEDTLS_DEBUG_C
     // Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose
-    mbedtls_debug_set_threshold(0);
+    mbedtls_debug_set_threshold(3);
     #endif
 
     mbedtls_entropy_init(&o->entropy);
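Review bot: Raising the compiled-in threshold to 3 in the second hunk makes every TLS socket emit mbedtls's full handshake trace whenever `MBEDTLS_DEBUG_C` is defined, and at that level the library's debug macros also hex-dump handshake buffers — in the 2.x releases this includes secrets such as the premaster secret (confirm against the bundled version). A build that enables the callback for diagnostics therefore writes key material to whatever `mp_plat_print` is wired to, with no runtime way to lower it. If the aim is a usable default for debug builds, 1 (warning) or 2 (info) is the safer choice; otherwise extend the comment above the call: `// Level 3+ also dumps handshake buffers (including secrets) to the console; local debugging only`. `socket_new` continues outside the hunk.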