12 Commits

Author SHA1 Message Date
Jeff Epler
de9233f84a
raspberrypi: SSLSocket: raise OSError when appropriate
Rather than returning the negative error value.

This is intended to close #7606, though I did not test with mqtt.
Instead, I created a simple standalone test program:
```python
import wifi, socketpool, ssl, time
#wifi.radio.connect(<omitted>)
import socketpool
socket = socketpool.SocketPool(wifi.radio)
ctx = ssl.create_default_context()

b = bytearray(8)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sss = ctx.wrap_socket(s, server_hostname='example.com')
sss.connect(('example.com', 443))
sss.setblocking(False)
r = sss.recv_into(b)
print(r, b)  # prints 4294967285 which is -11 as unsigned
sss.close()
```

Before the change, r was the out of range value 4294967285. After the
change, the recv_into call raises OSError instead.

This is comparable to the behavior on standard Python, though an
SSLWantReadError is raised instead.

The original (mis)behavior seems to match what was uncovered deep inside
minimqtt by adding logging:
```
370.578: DEBUG - PKT: _sock_exact_recv: recv_len = 4294967285
```
2023-02-22 10:07:48 -06:00
Jeff Epler
0cf096dda1
pico w: implement sslsocket bind, listen, accept 2022-10-25 14:46:41 -05:00
Jeff Epler
874ddd67bf
Pico W: ssl: factor out do_handshake 2022-10-12 11:38:30 -05:00
Jeff Epler
1641a7c002
Pico W: ssl: Correctly handle errors in send/recv
The prefixed versions raise Python exceptions, the un-prefixed return
negative error values. We don't want to raise an exception from here,
it leaves the SSL stack in an undefined state.
2022-10-12 11:38:30 -05:00
Jeff Epler
7c849fdadb
Pico W: ssl: Raise MemoryError for allocation errors 2022-10-12 11:38:29 -05:00
Jeff Epler
b1f7940297
Pico W: Correctly treat empty cadata= as disabling host checking 2022-10-12 11:38:29 -05:00
Jeff Epler
0c8b261ec9
picow: Add support of self-signed certificates.
## Testing self-signed certificates and `load_verify_locations`

Obtain the badssl "self-signed" certificate in the correct form:

```sh
openssl s_client -servername self-signed.badssl.com -connect untrusted-root.badssl.com:443 < /dev/null | openssl x509 > self-signed.pem
```

Copy it and the script to CIRCUITPY:
```python
import os
import wifi
import socketpool
import ssl
import adafruit_requests

TEXT_URL = "https://self-signed.badssl.com/"
if not wifi.radio.ipv4_address:
    wifi.radio.connect(os.getenv('WIFI_SSID'), os.getenv('WIFI_PASSWORD'))

pool = socketpool.SocketPool(wifi.radio)
context = ssl.create_default_context()
requests = adafruit_requests.Session(pool, context)

print(f"Fetching from {TEXT_URL} without certificate (should fail)")
try:
    response = requests.get(TEXT_URL)
except Exception as e:
    print(f"Failed: {e}")
else:
    print(f"{response.status_code=}, should have failed with exception")

print("Loading server certificate")
with open("/self-signed.pem", "rb") as certfile:
    context.load_verify_locations(cadata=certfile.read())
requests = adafruit_requests.Session(pool, context)

print(f"Fetching from {TEXT_URL} with certificate (should succeed)")
try:
    response = requests.get(TEXT_URL)
except Exception as e:
    print(f"Unexpected exception: {e}")
else:
    print(f"{response.status_code=}, should be 200 OK")
```
2022-10-10 15:53:56 -05:00
Jeff Epler
c98174eea5
Add support for SSL client certificate (load_cert_chain)
Tested with badssl.com:

 1. Get client certificates from https://badssl.com/download/
 2. Convert public portion with `openssl x509 -in badssl.com-client.pem -out CIRCUITPY/cert.pem`
 3. Convert private portion with `openssl rsa -in badssl.com-client.pem -out CIRCUITPY/privkey.pem` and the password `badssl.com`
 4. Put wifi settings in CIRCUITPY/.env
 5. Run the below Python script:

```py
import os
import wifi
import socketpool
import ssl
import adafruit_requests

TEXT_URL = "https://client.badssl.com/"
wifi.radio.connect(os.getenv('WIFI_SSID'), os.getenv('WIFI_PASSWORD'))

pool = socketpool.SocketPool(wifi.radio)
context = ssl.create_default_context()
requests = adafruit_requests.Session(pool, context)

print(f"Fetching from {TEXT_URL} without certificate (should fail)")
response = requests.get(TEXT_URL)
print(f"{response.status_code=}, should be 400 Bad Request")
input("hit enter to continue\r")

print("Loading client certificate")
context.load_cert_chain("/cert.pem", "privkey.pem")
requests = adafruit_requests.Session(pool, context)

print(f"Fetching from {TEXT_URL} with certificate (should succeed)")
response = requests.get(TEXT_URL)
print(f"{response.status_code=}, should be 200 OK")
```
2022-10-10 15:10:53 -05:00
Jeff Epler
2dc283f578
close underlying socket object when closing ssl socket 2022-10-05 15:10:14 -05:00
Jeff Epler
4a9389d347
remove debug message 2022-10-05 14:57:04 -05:00
Jeff Epler
fabfdcf6fe
More ssl work 2022-10-05 14:56:26 -05:00
Jeff Epler
dcb650c513 pico w: add ssl module
Note: at this time, the ssl module on pico_w never verifies the server
certificate. This means it does not actually provide a higher security
level than regular socket / http protocols.
2022-10-05 13:12:43 -04:00