Commit Graph

26 Commits

Author SHA1 Message Date
Paul Sokolovsky
9c7c082396 extmod/modussl_mbedtls: Support non-blocking handshake.
For this, add wrap_socket(do_handshake=False) param. CPython doesn't have
such a param at a module's global function, and at SSLContext.wrap_socket()
it has do_handshake_on_connect param, but that uselessly long.

Beyond that, make write() handle not just MBEDTLS_ERR_SSL_WANT_WRITE, but
also MBEDTLS_ERR_SSL_WANT_READ, as during handshake, write call may be
actually preempted by need to read next handshake message from peer.
Likewise, for read(). And even after the initial negotiation, situations
like that may happen e.g. with renegotiation. Both
MBEDTLS_ERR_SSL_WANT_READ and MBEDTLS_ERR_SSL_WANT_WRITE are however mapped
to the same None return code. The idea is that if the same read()/write()
method is called repeatedly, the progress will be made step by step anyway.
The caveat is if user wants to add the underlying socket to uselect.poll().
To be reliable, in this case, the socket should be polled for both POLL_IN
and POLL_OUT, as we don't know the actual expected direction. But that's
actually problematic. Consider for example that write() ends with
MBEDTLS_ERR_SSL_WANT_READ, but gets converted to None. We put the
underlying socket on pull using POLL_IN|POLL_OUT but that probably returns
immediately with POLL_OUT, as underlyings socket is writable. We call the
same ussl write() again, which again results in MBEDTLS_ERR_SSL_WANT_READ,
etc. We thus go into busy-loop.

So, the handling in this patch is temporary and needs fixing. But exact way
to fix it is not clear. One way is to provide explicit function for
handshake (CPython has do_handshake()), and let *that* return distinct
codes like WANT_READ/WANT_WRITE. But as mentioned above, past the initial
handshake, such situation may happen again with at least renegotiation. So
apparently, the only robust solution is to return "out of bound" special
sentinels like WANT_READ/WANT_WRITE from read()/write() directly. CPython
throws exceptions for these, but those are expensive to adopt that way for
efficiency-conscious implementation like MicroPython.
2019-04-30 17:24:46 +10:00
Paul Sokolovsky
c7ed17bc4b extmod/modussl_mbedtls: Remove deprecated mbedtls/net.h header include.
This header is deprecated as of mbedtls 2.8.0, as shipped with Ubuntu
18.04.  Leads to #warning which is promoted to error with uPy compile
options.

Note that the current version of mbedtls is 2.14 at the time of writing.
2019-01-27 12:26:09 +11:00
Damien George
7a67f057d7 extmod/modussl: Support polling in ussl objects by passing through ioctl
The underlying socket can handling polling, and any other transparent ioctl
requests.  Note that CPython handles the case of polling an ssl object by
polling the file descriptor of the underlying socket file, and that
behaviour is emulated here.
2018-07-20 13:05:04 +10:00
Damien George
e8398a5856 extmod: Update to use new mp_get_stream helper.
With this patch objects are only checked that they have the stream protocol
at the start of their use as a stream, and afterwards the efficient
mp_get_stream() helper is used to extract the stream protocol C methods.
2018-06-18 12:35:56 +10:00
Damien George
ea22406f76 extmod/modussl_mbedtls: Use mbedtls_entropy_func for CTR-DRBG entropy.
If mbedtls_ctr_drbg_seed() is available in the mbedtls bulid then so should
be mbedtls_entropy_func().  Then it's up to the port to configure a valid
entropy source, eg via MBEDTLS_ENTROPY_HARDWARE_ALT.
2018-05-31 21:52:29 +10:00
Damien George
98b9f0fc9d extmod/modussl_mbedtls: Populate sock member right away in wrap_socket.
Otherwise the "sock" member may have an undefined value if wrap_socket
fails with an exception and exits early, and then if the finaliser runs it
will try to close an invalid stream object.

Fixes issue #3828.
2018-05-31 21:47:26 +10:00
Damien George
cf31d384f1 py/stream: Switch stream close operation from method to ioctl.
This patch moves the implementation of stream closure from a dedicated
method to the ioctl of the stream protocol, for each type that implements
closing.  The benefits of this are:

1. Rounds out the stream ioctl function, which already includes flush,
   seek and poll (among other things).

2. Makes calling mp_stream_close() on an object slightly more efficient
   because it now no longer needs to lookup the close method and call it,
   rather it just delegates straight to the ioctl function (if it exists).

3. Reduces code size and allows future types that implement the stream
   protocol to be smaller because they don't need a dedicated close method.

Code size reduction is around 200 bytes smaller for x86 archs and around
30 bytes smaller for the bare-metal archs.
2018-04-10 13:41:32 +10:00
Damien George
7df2ebbfea extmod/modussl_mbedtls: Clean up mbedtls state when error during setup.
Without this patch, if the SSL handshake fails (eg the connection was lost)
then the mbedtls state (memory) will never be freed.
2017-12-13 14:48:53 +11:00
Damien George
10b76a9620 extmod/modussl_mbedtls: Allow to compile with unix coverage build.
Fixes a few C warnings.  No functional changes.
2017-10-30 15:41:37 +11:00
Eric Poulsen
74ec52d857 extmod/modussl: Add finaliser support for ussl objects.
Per the comment found here
https://github.com/micropython/micropython-esp32/issues/209#issuecomment-339855157,
this patch adds finaliser code to prevent memory leaks from ussl objects,
which is especially useful when memory for a ussl context is allocated
outside the uPy heap.  This patch is in-line with the finaliser code found
in many modsocket implementations for various ports.

This feature is configured via MICROPY_PY_USSL_FINALISER and is disabled by
default because there may be issues using it when the ussl state *is*
allocated on the uPy heap, rather than externally.
2017-10-30 15:25:32 +11:00
Damien George
a3dc1b1957 all: Remove inclusion of internal py header files.
Header files that are considered internal to the py core and should not
normally be included directly are:
    py/nlr.h - internal nlr configuration and declarations
    py/bc0.h - contains bytecode macro definitions
    py/runtime0.h - contains basic runtime enums

Instead, the top-level header files to include are one of:
    py/obj.h - includes runtime0.h and defines everything to use the
        mp_obj_t type
    py/runtime.h - includes mpstate.h and hence nlr.h, obj.h, runtime0.h,
        and defines everything to use the general runtime support functions

Additional, specific headers (eg py/objlist.h) can be included if needed.
2017-10-04 12:37:50 +11:00
Damien George
beeb7483d8 extmod/modussl_mbedtls: Allow to compile with MBEDTLS_DEBUG_C disabled.
With MBEDTLS_DEBUG_C disabled the function mbedtls_debug_set_threshold()
doesn't exist.  There's also no need to call mbedtls_ssl_conf_dbg() so a
few bytes can be saved on disabling that and not needing the mbedtls_debug
callback.
2017-09-06 17:34:45 +10:00
Eric Poulsen
d5191edf7f extmod/modussl_mbedtls.c: Add ussl.getpeercert() method.
Behaviour is as per CPython but only the binary form is implemented here.
A test is included.
2017-08-16 15:01:00 +10:00
Eric Poulsen
6b4d4a25ce extmod/modussl_mbedtls: Implement non-blocking SSL sockets. 2017-07-26 11:34:33 +10:00
Damien George
0893b273b9 extmod/modussl_mbedtls: Make socket.close() free all TLS resources.
Also, use mp_stream_close() helper to close the underlying socket.
2017-07-25 14:00:45 +10:00
Damien George
a10467b58a extmod/modussl_mbedtls: When reading and peer wants to close, return 0.
If this particular code is returned then there's no more data, it's not
really an error.
2017-07-25 11:53:26 +10:00
Damien George
aa7be82a4d all: Don't include system errno.h when it's not needed. 2017-07-24 18:43:14 +10:00
Damien George
513dfcf4fe extmod/modussl_mbedtls: Support server_side mode.
To use server_side mode one must pass valid values in the "key" and "cert"
parameters.
2017-07-24 15:08:59 +10:00
Damien George
204ded848e extmod: Update for changes to mp_obj_str_get_data. 2017-03-29 12:56:45 +11:00
Paul Sokolovsky
59a1201da9 all: Remove readall() method, which is equivalent to read() w/o args.
Its addition was due to an early exploration on how to add CPython-like
stream interface. It's clear that it's not needed and just takes up
bytes in all ports.
2016-11-14 00:24:22 +03:00
Paul Sokolovsky
06234a6115 extmod/modussl_mbedtls: Add dummy setblocking() method.
Accepts only value of True.
2016-10-15 23:46:13 +03:00
Damien George
75af908c0e extmod: Use mp_raise_OSError helper function. 2016-10-07 13:52:14 +11:00
Paul Sokolovsky
46ab042230 extmod/modussl_mbedtls: Add server_hostname param for wrap_socket().
In CPython, module-level .wrap_socket() function actually doesn't accept
(or document) this param, only SSLContext.wrap_socket() has.
2016-09-23 01:44:23 +03:00
Paul Sokolovsky
080e4d44f3 extmod/modussl_mbedtls: Use 2-component include paths.
This is required to use mbedTLS versions from various sources, e.g.
mainline vs embedded into Zephyr RTOS.
2016-09-22 01:30:48 +03:00
Paul Sokolovsky
5f0ecb72c2 extmod/modussl_mbedtls: Implement key= and cert= args to wrap_socket().
Unlike standard keyfile= and certfile=, these accept byte buffer objects
(to not depend on FS implementation).
2016-09-22 00:17:44 +03:00
Paul Sokolovsky
9ea2882317 extmod/modussl_mbedtls: Initial implementation of mbedTLS ussl module. 2016-09-21 21:25:33 +03:00