
Commit fc4b81f

extmod/modussl_mbedtls: Deprecate wrap_socket in C.
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
1 parent a967e4e commit fc4b81f

12 files changed

+170
-164
lines changed

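--- a/extmod/modussl_mbedtls.c
+++ b/extmod/modussl_mbedtls.c
@@ -607,136 +607,136 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_0(mod_ssl_ctx_init_obj, mod_ssl_ctx_init);
 
 
 
-STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
-// Verify the socket object has the full stream protocol
-mp_get_stream_raise(sock, MP_STREAM_OP_READ | MP_STREAM_OP_WRITE | MP_STREAM_OP_IOCTL);
-
-#if MICROPY_PY_USSL_FINALISER
-mp_obj_ssl_socket_t *o = m_new_obj_with_finaliser(mp_obj_ssl_socket_t);
-#else
-mp_obj_ssl_socket_t *o = m_new_obj(mp_obj_ssl_socket_t);
-#endif
-o->base.type = &ussl_socket_type;
-o->sock = sock;
-
-int ret;
-mbedtls_ssl_init(&o->ssl);
-mbedtls_ssl_config_init(&o->conf);
-mbedtls_x509_crt_init(&o->cacert);
-mbedtls_x509_crt_init(&o->cert);
-mbedtls_pk_init(&o->pkey);
-mbedtls_ctr_drbg_init(&o->ctr_drbg);
-#ifdef MBEDTLS_DEBUG_C
-// Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose
-mbedtls_debug_set_threshold(3);
-#endif
-
-mbedtls_entropy_init(&o->entropy);
-const byte seed[] = "upy";
-ret = mbedtls_ctr_drbg_seed(&o->ctr_drbg, mbedtls_entropy_func, &o->entropy, seed, sizeof(seed));
-if (ret != 0) {
-goto cleanup;
-}
-
-ret = mbedtls_ssl_config_defaults(&o->conf,
-args->server_side.u_bool ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
-MBEDTLS_SSL_TRANSPORT_STREAM,
-MBEDTLS_SSL_PRESET_DEFAULT);
-if (ret != 0) {
-goto cleanup;
-}
-
-mbedtls_ssl_conf_authmode(&o->conf, args->cert_reqs.u_int);
-mbedtls_ssl_conf_rng(&o->conf, mbedtls_ctr_drbg_random, &o->ctr_drbg);
-#ifdef MBEDTLS_DEBUG_C
-mbedtls_ssl_conf_dbg(&o->conf, mbedtls_debug, NULL);
-#endif
-
-ret = mbedtls_ssl_setup(&o->ssl, &o->conf);
-if (ret != 0) {
-goto cleanup;
-}
-
-if (args->server_hostname.u_obj != mp_const_none) {
-const char *sni = mp_obj_str_get_str(args->server_hostname.u_obj);
-ret = mbedtls_ssl_set_hostname(&o->ssl, sni);
-if (ret != 0) {
-goto cleanup;
-}
-}
-
-mbedtls_ssl_set_bio(&o->ssl, &o->sock, _mbedtls_ssl_send, _mbedtls_ssl_recv, NULL);
-
-if (args->key.u_obj != mp_const_none) {
-size_t key_len;
-const byte *key = (const byte *)mp_obj_str_get_data(args->key.u_obj, &key_len);
-// len should include terminating null
-ret = mbedtls_pk_parse_key(&o->pkey, key, key_len + 1, NULL, 0);
-if (ret != 0) {
-ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; // use general error for all key errors
-goto cleanup;
-}
-
-size_t cert_len;
-const byte *cert = (const byte *)mp_obj_str_get_data(args->cert.u_obj, &cert_len);
-// len should include terminating null
-ret = mbedtls_x509_crt_parse(&o->cert, cert, cert_len + 1);
-if (ret != 0) {
-ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; // use general error for all cert errors
-goto cleanup;
-}
-
-ret = mbedtls_ssl_conf_own_cert(&o->conf, &o->cert, &o->pkey);
-if (ret != 0) {
-goto cleanup;
-}
-}
-
-if (args->cadata.u_obj != mp_const_none) {
-size_t cacert_len;
-const byte *cacert = (const byte *)mp_obj_str_get_data(args->cadata.u_obj, &cacert_len);
-// len should include terminating null
-ret = mbedtls_x509_crt_parse(&o->cacert, cacert, cacert_len + 1);
-if (ret != 0) {
-ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; // use general error for all cert errors
-goto cleanup;
-}
-
-mbedtls_ssl_conf_ca_chain(&o->conf, &o->cacert, NULL);
-}
-
-if (args->do_handshake.u_bool) {
-while ((ret = mbedtls_ssl_handshake(&o->ssl)) != 0) {
-if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
-goto cleanup;
-}
-#ifdef MICROPY_EVENT_POLL_HOOK
-MICROPY_EVENT_POLL_HOOK
-#endif
-}
-}
-
-return o;
-
-cleanup:
-mbedtls_pk_free(&o->pkey);
-mbedtls_x509_crt_free(&o->cert);
-mbedtls_x509_crt_free(&o->cacert);
-mbedtls_ssl_free(&o->ssl);
-mbedtls_ssl_config_free(&o->conf);
-mbedtls_ctr_drbg_free(&o->ctr_drbg);
-mbedtls_entropy_free(&o->entropy);
-
-if (ret == MBEDTLS_ERR_SSL_ALLOC_FAILED) {
-mp_raise_OSError(MP_ENOMEM);
-} else if (ret == MBEDTLS_ERR_PK_BAD_INPUT_DATA) {
-mp_raise_ValueError(MP_ERROR_TEXT("invalid key"));
-} else if (ret == MBEDTLS_ERR_X509_BAD_INPUT_DATA) {
-mp_raise_ValueError(MP_ERROR_TEXT("invalid cert"));
-} else {
-mbedtls_raise_error(ret);
-}
-}
+// STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
+// // Verify the socket object has the full stream protocol
+// mp_get_stream_raise(sock, MP_STREAM_OP_READ | MP_STREAM_OP_WRITE | MP_STREAM_OP_IOCTL);
+//
+// #if MICROPY_PY_USSL_FINALISER
+// mp_obj_ssl_socket_t *o = m_new_obj_with_finaliser(mp_obj_ssl_socket_t);
+// #else
+// mp_obj_ssl_socket_t *o = m_new_obj(mp_obj_ssl_socket_t);
+// #endif
+// o->base.type = &ussl_socket_type;
+// o->sock = sock;
+//
+// int ret;
+// mbedtls_ssl_init(&o->ssl);
+// mbedtls_ssl_config_init(&o->conf);
+// mbedtls_x509_crt_init(&o->cacert);
+// mbedtls_x509_crt_init(&o->cert);
+// mbedtls_pk_init(&o->pkey);
+// mbedtls_ctr_drbg_init(&o->ctr_drbg);
+// #ifdef MBEDTLS_DEBUG_C
+// // Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose
+// mbedtls_debug_set_threshold(3);
+// #endif
+//
+// mbedtls_entropy_init(&o->entropy);
+// const byte seed[] = "upy";
+// ret = mbedtls_ctr_drbg_seed(&o->ctr_drbg, mbedtls_entropy_func, &o->entropy, seed, sizeof(seed));
+// if (ret != 0) {
+// goto cleanup;
+// }
+//
+// ret = mbedtls_ssl_config_defaults(&o->conf,
+// args->server_side.u_bool ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
+// MBEDTLS_SSL_TRANSPORT_STREAM,
+// MBEDTLS_SSL_PRESET_DEFAULT);
+// if (ret != 0) {
+// goto cleanup;
+// }
+//
+// mbedtls_ssl_conf_authmode(&o->conf, args->cert_reqs.u_int);
+// mbedtls_ssl_conf_rng(&o->conf, mbedtls_ctr_drbg_random, &o->ctr_drbg);
+// #ifdef MBEDTLS_DEBUG_C
+// mbedtls_ssl_conf_dbg(&o->conf, mbedtls_debug, NULL);
+// #endif
+//
+// ret = mbedtls_ssl_setup(&o->ssl, &o->conf);
+// if (ret != 0) {
+// goto cleanup;
+// }
+//
+// if (args->server_hostname.u_obj != mp_const_none) {
+// const char *sni = mp_obj_str_get_str(args->server_hostname.u_obj);
+// ret = mbedtls_ssl_set_hostname(&o->ssl, sni);
+// if (ret != 0) {
+// goto cleanup;
+// }
+// }
+//
+// mbedtls_ssl_set_bio(&o->ssl, &o->sock, _mbedtls_ssl_send, _mbedtls_ssl_recv, NULL);
+//
+// if (args->key.u_obj != mp_const_none) {
+// size_t key_len;
+// const byte *key = (const byte *)mp_obj_str_get_data(args->key.u_obj, &key_len);
+// // len should include terminating null
+// ret = mbedtls_pk_parse_key(&o->pkey, key, key_len + 1, NULL, 0);
+// if (ret != 0) {
+// ret = MBEDTLS_ERR_PK_BAD_INPUT_DATA; // use general error for all key errors
+// goto cleanup;
+// }
+//
+// size_t cert_len;
+// const byte *cert = (const byte *)mp_obj_str_get_data(args->cert.u_obj, &cert_len);
+// // len should include terminating null
+// ret = mbedtls_x509_crt_parse(&o->cert, cert, cert_len + 1);
+// if (ret != 0) {
+// ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; // use general error for all cert errors
+// goto cleanup;
+// }
+//
+// ret = mbedtls_ssl_conf_own_cert(&o->conf, &o->cert, &o->pkey);
+// if (ret != 0) {
+// goto cleanup;
+// }
+// }
+//
+// if (args->cadata.u_obj != mp_const_none) {
+// size_t cacert_len;
+// const byte *cacert = (const byte *)mp_obj_str_get_data(args->cadata.u_obj, &cacert_len);
+// // len should include terminating null
+// ret = mbedtls_x509_crt_parse(&o->cacert, cacert, cacert_len + 1);
+// if (ret != 0) {
+// ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA; // use general error for all cert errors
+// goto cleanup;
+// }
+//
+// mbedtls_ssl_conf_ca_chain(&o->conf, &o->cacert, NULL);
+// }
+//
+// if (args->do_handshake.u_bool) {
+// while ((ret = mbedtls_ssl_handshake(&o->ssl)) != 0) {
+// if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
+// goto cleanup;
+// }
+// #ifdef MICROPY_EVENT_POLL_HOOK
+// MICROPY_EVENT_POLL_HOOK
+// #endif
+// }
+// }
+//
+// return o;
+//
+// cleanup:
+// mbedtls_pk_free(&o->pkey);
+// mbedtls_x509_crt_free(&o->cert);
+// mbedtls_x509_crt_free(&o->cacert);
+// mbedtls_ssl_free(&o->ssl);
+// mbedtls_ssl_config_free(&o->conf);
+// mbedtls_ctr_drbg_free(&o->ctr_drbg);
+// mbedtls_entropy_free(&o->entropy);
+//
+// if (ret == MBEDTLS_ERR_SSL_ALLOC_FAILED) {
+// mp_raise_OSError(MP_ENOMEM);
+// } else if (ret == MBEDTLS_ERR_PK_BAD_INPUT_DATA) {
+// mp_raise_ValueError(MP_ERROR_TEXT("invalid key"));
+// } else if (ret == MBEDTLS_ERR_X509_BAD_INPUT_DATA) {
+// mp_raise_ValueError(MP_ERROR_TEXT("invalid cert"));
+// } else {
+// mbedtls_raise_error(ret);
+// }
+// }
 
 STATIC mp_obj_t mod_ssl_getpeercert(mp_obj_t o_in, mp_obj_t binary_form) {
 mp_obj_ssl_socket_t *o = MP_OBJ_TO_PTR(o_in);
@@ -869,32 +869,32 @@ STATIC const mp_obj_type_t ussl_socket_type = {
 .locals_dict = (void *)&ussl_socket_locals_dict,
 };
 
-STATIC mp_obj_t mod_ssl_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) {
-// TODO: Implement more args
-static const mp_arg_t allowed_args[] = {
-{ MP_QSTR_key, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-{ MP_QSTR_cert, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-{ MP_QSTR_server_side, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = false} },
-{ MP_QSTR_server_hostname, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-{ MP_QSTR_cert_reqs, MP_ARG_KW_ONLY | MP_ARG_INT, {.u_int = MBEDTLS_SSL_VERIFY_NONE}},
-{ MP_QSTR_cadata, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
-{ MP_QSTR_do_handshake, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = true} },
-};
-
-// TODO: Check that sock implements stream protocol
-mp_obj_t sock = pos_args[0];
-
-struct ssl_args args;
-mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args,
-MP_ARRAY_SIZE(allowed_args), allowed_args, (mp_arg_val_t *)&args);
-
-return MP_OBJ_FROM_PTR(socket_new(sock, &args));
-}
-STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socket);
+// STATIC mp_obj_t mod_ssl_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) {
+// // TODO: Implement more args
+// static const mp_arg_t allowed_args[] = {
+// { MP_QSTR_key, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
+// { MP_QSTR_cert, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
+// { MP_QSTR_server_side, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = false} },
+// { MP_QSTR_server_hostname, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
+// { MP_QSTR_cert_reqs, MP_ARG_KW_ONLY | MP_ARG_INT, {.u_int = MBEDTLS_SSL_VERIFY_NONE}},
+// { MP_QSTR_cadata, MP_ARG_KW_ONLY | MP_ARG_OBJ, {.u_rom_obj = MP_ROM_NONE} },
+// { MP_QSTR_do_handshake, MP_ARG_KW_ONLY | MP_ARG_BOOL, {.u_bool = true} },
+// };
+//
+// // TODO: Check that sock implements stream protocol
+// mp_obj_t sock = pos_args[0];
+//
+// struct ssl_args args;
+// mp_arg_parse_all(n_args - 1, pos_args + 1, kw_args,
+// MP_ARRAY_SIZE(allowed_args), allowed_args, (mp_arg_val_t *)&args);
+//
+// return MP_OBJ_FROM_PTR(socket_new(sock, &args));
+// }
+// STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socket);
 
 STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table[] = {
 { MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_ussl) },
-{ MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) },
+// { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&mod_ssl_wrap_socket_obj) },
 { MP_ROM_QSTR(MP_QSTR_ctx_init), MP_ROM_PTR(&mod_ssl_ctx_init_obj) },
 { MP_ROM_QSTR(MP_QSTR_MBEDTLS_VERSION), MP_ROM_PTR(&mbedtls_version_obj)},
 { MP_ROM_QSTR(MP_QSTR_CERT_NONE), MP_ROM_INT(MBEDTLS_SSL_VERIFY_NONE) },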
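Review bot: The new side keeps the whole of `socket_new`, `mod_ssl_wrap_socket` and the `wrap_socket` entry of `mp_module_ssl_globals_table` as roughly 150 lines of `//`-commented code instead of deleting them; git history already preserves the old implementation, and a commented copy of TLS setup code (CTR-DRBG seeding, auth mode, hostname and cert handling) is exactly the block that gets uncommented later without whatever fixes the live path has received in the meantime. The commit title says "deprecate", but once the table entry is gone `ussl.wrap_socket` simply no longer exists at the C level, so existing callers get an AttributeError rather than a deprecation warning; if a transition period is intended, keep a thin C entry that warns and forwards to the Python-level `wrap_socket`, otherwise delete the dead lines outright. I cannot see from these hunks whether anything else in the file still calls `socket_new` or references `mod_ssl_wrap_socket_obj`; if it does, commenting the definitions out breaks the build, so that should be confirmed before merging.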

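--- a/extmod/ssl/ssl.py
+++ b/extmod/ssl/ssl.py
@@ -15,9 +15,15 @@ def wrap_socket(
 cadata=None,
 server_hostname=None,
 do_handshake=True,
+keyfile=None,
+certfile=None,
 ):
 ctx = _ussl.ctx_init()
-if (key is not None) and (cert is not None):
+if keyfile:
+key = keyfile
+if certfile:
+cert = certfile
+if key is not None: # and (cert is not None):
 ctx.load_certchain(key=key, cert=cert)
 if cadata:
 ctx.load_cadata(cadata)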
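Review bot: Dropping the `cert is not None` half of the guard (`if key is not None:  # and (cert is not None):`) means a caller that passes `key` or `keyfile` without a certificate now reaches `ctx.load_certchain(key=key, cert=None)`, which the old condition prevented; a private key without its certificate cannot form a chain, so either restore the pair check or reject the mismatch explicitly, e.g. `if (key is None) != (cert is None): raise ValueError("key and cert must be given together")`. The `keyfile`/`certfile` names follow CPython, where they are filesystem paths, but here they are assigned straight to `key`/`cert`, which judging by the `mbedtls_pk_parse_key` call in the C code removed in this same commit is the key material itself rather than a path, so code ported from CPython would pass a path string where key bytes are expected; that difference should be documented on `wrap_socket` or the files should be read. `if keyfile:` also silently overrides an explicitly passed `key` when both are supplied. The `wrap_socket` signature begins before this hunk.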

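--- a/tests/extmod/ussl_basic.py
+++ b/tests/extmod/ussl_basic.py
@@ -2,7 +2,7 @@
 
 try:
 import uio as io
-import ussl as ssl
+import ssl
 except ImportError:
 print("SKIP")
 raise SystemExit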

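--- a/tests/extmod/ussl_keycert.py
+++ b/tests/extmod/ussl_keycert.py
@@ -2,7 +2,7 @@
 
 try:
 import uio as io
-import ussl as ssl
+import ssl
 except ImportError:
 print("SKIP")
 raise SystemExit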

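--- a/tests/multi_net/ssl_cert_rsa.py
+++ b/tests/multi_net/ssl_cert_rsa.py
@@ -2,7 +2,7 @@
 # This test won't run under CPython because CPython doesn't have key/cert
 
 try:
-import ubinascii as binascii, usocket as socket, ussl as ssl
+import ubinascii as binascii, usocket as socket, ssl
 except ImportError:
 print("SKIP")
 raise SystemExit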

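--- a/tests/multi_net/ssl_data.py
+++ b/tests/multi_net/ssl_data.py
@@ -2,7 +2,7 @@
 # This test won't run under CPython because it requires key/cert
 
 try:
-import ubinascii as binascii, usocket as socket, ussl as ssl
+import ubinascii as binascii, usocket as socket, ssl
 except ImportError:
 print("SKIP")
 raise SystemExit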

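--- a/tests/net_inet/ssl_cert.py
+++ b/tests/net_inet/ssl_cert.py
@@ -1,6 +1,6 @@
 import ubinascii as binascii
 import usocket as socket
-import ussl as ssl
+import ssl
 
 
 # This certificate was obtained from micropython.org using openssl: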

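--- a/tests/net_inet/ssl_errors.py
+++ b/tests/net_inet/ssl_errors.py
@@ -4,7 +4,7 @@
 import sys
 
 try:
-import uerrno as errno, usocket as socket, ussl as ssl
+import uerrno as errno, usocket as socket, ssl
 except:
 import errno, socket, ssl
 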
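--- a/tests/net_inet/test_tls_nonblock.py
+++ b/tests/net_inet/test_tls_nonblock.py
@@ -1,5 +1,5 @@
 try:
-import usocket as socket, ussl as ssl, uerrno as errno, sys
+import usocket as socket, ssl, uerrno as errno, sys
 except:
 import socket, ssl, errno, sys, time, select
 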