Commit Graph

45 Commits

Author SHA1 Message Date
Damien Tournoud
ed58d6e4ce extmod/modussl_mbedtls: Fix support for ioctl(MP_STREAM_POLL).
During the initial handshake or subsequent renegotiation, the protocol
might need to read in order to write (or conversely to write in order
to read). It might be blocked from doing so by the state of the
underlying socket (i.e. there is no data to read, or there is no space
to write).

The library indicates this condition by returning one of the errors
`MBEDTLS_ERR_SSL_WANT_READ` or `MBEDTLS_ERR_SSL_WANT_WRITE`. When that
happens, we need to enforce that the next poll operation only considers
the direction that the library indicated.

In addition, mbedtls does its own read buffering that we need to take
into account while polling, and we need to save the last error between
read()/write() and ioctl().
2022-12-15 12:06:22 -08:00
Jim Mussared
94beeabd2e py/obj: Convert make_new into a mp_obj_type_t slot.
Instead of being an explicit field, it's now a slot like all the other
methods.

This is a marginal code size improvement because most types have a make_new
(100/138 on PYBV11), however it improves consistency in how types are
declared, removing the special case for make_new.

Signed-off-by: Jim Mussared <jim.mussared@gmail.com>
2022-09-19 19:06:15 +10:00
Jim Mussared
6da41b5900 py/obj: Merge getiter and iternext mp_obj_type_t slots.
The goal here is to remove a slot (making way to turn make_new into a slot)
as well as reduce code size by the ~40 references to mp_identity_getiter
and mp_stream_unbuffered_iter.

This introduces two new type flags:
- MP_TYPE_FLAG_ITER_IS_ITERNEXT: This means that the "iter" slot in the
  type is "iternext", and should use the identity getiter.
- MP_TYPE_FLAG_ITER_IS_CUSTOM: This means that the "iter" slot is a pointer
  to a mp_getiter_iternext_custom_t instance, which then defines both
  getiter and iternext.

And a third flag that is the OR of both, MP_TYPE_FLAG_ITER_IS_STREAM: This
means that the type should use the identity getiter, and
mp_stream_unbuffered_iter as iternext.

Finally, MP_TYPE_FLAG_ITER_IS_GETITER is defined as a no-op flag to give
the default case where "iter" is "getiter".

Signed-off-by: Jim Mussared <jim.mussared@gmail.com>
2022-09-19 19:06:13 +10:00
Jim Mussared
9dce82776d all: Remove unnecessary locals_dict cast.
Signed-off-by: Jim Mussared <jim.mussared@gmail.com>
2022-09-19 19:06:01 +10:00
Jim Mussared
662b9761b3 all: Make all mp_obj_type_t defs use MP_DEFINE_CONST_OBJ_TYPE.
In preparation for upcoming rework of mp_obj_type_t layout.

Signed-off-by: Jim Mussared <jim.mussared@gmail.com>
2022-09-19 19:06:01 +10:00
Ian Davies
1bf2fd0592 extmod/modussl_mbedtls: Set a more sensible default debug log level. 2022-08-06 00:11:46 +10:00
Carlosgg
b41cfea02a extmod/modussl_mbedtls: Implement cert_reqs and cadata arguments.
Add cert_reqs and cadata keyword-args to ssl.wrap_socket() and
ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED constants to allow
certificate validation.

CPython doesn't accept cadata in ssl.wrap_socket(), but it does in
SSLContext.load_verify_locations(), so we use this name to at least match
the same name in load_verify_locations().

Add docs for these new arguments, as well as docs for the existing
server_hostname argument which is important for certificate validation.

Tests are added as well.

Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
2022-07-20 16:46:04 +10:00
Andrew Leech
4188bbd3d3 extmod/modussl_mbedtls: Poll EVENT_POLL_HOOK in ssl handshake loop.
Otherwise this is essentially an infinite loop on ports that do not use
interrupts to service network interfaces.

Signed-off-by: Andrew Leech <andrew@alelec.net>
2022-06-03 14:34:29 +10:00
Damien George
efe23aca71 all: Remove third argument to MP_REGISTER_MODULE.
It's no longer needed because this macro is now processed after
preprocessing the source code via cpp (in the qstr extraction stage), which
means unused MP_REGISTER_MODULE's are filtered out by the preprocessor.

Signed-off-by: Damien George <damien@micropython.org>
2022-06-02 16:31:37 +10:00
Jim Mussared
4eab44a1ec extmod: Make extmod modules use MP_REGISTER_MODULE.
Signed-off-by: Jim Mussared <jim.mussared@gmail.com>
2022-05-18 20:49:12 +10:00
Thorsten von Eicken
2c1299b007 extmod/modussl: Fix ussl read/recv/send/write errors when non-blocking.
Also fix related problems with socket on esp32, improve docs for
wrap_socket, and add more tests.
2021-02-17 11:50:54 +11:00
Thorsten von Eicken
5264478007 extmod/modussl_mbedtls: Integrate shorter error strings.
The stm32 and esp32 ports now use shorter error strings for mbedtls errors.
Also, MBEDTLS_ERROR_C is enabled on stm32 by default to get these strings.
2020-07-21 00:31:05 +10:00
Thorsten von Eicken
9aa214077e extmod/modussl: Improve exception error messages.
This commit adds human readable error messages when mbedtls or axtls raise
an exception.  Currently often just an EIO error is raised so the user is
lost and can't tell whether it's a cert error, buffer overrun, connecting
to a non-ssl port, etc.  The axtls and mbedtls error raising in the ussl
module is modified to raise:

    OSError(-err_num, "error string")

For axtls a small error table of strings is added and used for the second
argument of the OSErrer.  For mbedtls the code uses mbedtls' built-in
strerror function, and if there is an out of memory condition it just
produces OSError(-err_num).  Producing the error string for mbedtls is
conditional on them being included in the mbedtls build, via
MBEDTLS_ERROR_C.
2020-07-20 23:41:45 +10:00
Jim Mussared
def76fe4d9 all: Use MP_ERROR_TEXT for all error messages. 2020-04-05 15:02:06 +10:00
Damien George
69661f3343 all: Reformat C and Python source code with tools/codeformat.py.
This is run with uncrustify 0.70.1, and black 19.10b0.
2020-02-28 10:33:03 +11:00
Damien George
09376f0e47 py: Introduce MP_ROM_NONE macro for ROM to refer to None object.
This helps to prevent mistakes, and allows easily changing the ROM value of
None if needed.
2019-12-27 22:51:17 +11:00
Damien George
9dd9f9ff06 extmod/modussl_mbedtls: Check for invalid key/cert data. 2019-10-31 16:22:42 +11:00
Damien George
07ea81fbc5 extmod/modussl_mbedtls: Fix getpeercert to return None if no cert avail. 2019-10-31 13:42:24 +11:00
Damien George
ef7357d4ab extmod/modussl_mbedtls: Allow to build with object representation D. 2019-06-05 15:33:15 +10:00
Paul Sokolovsky
9c7c082396 extmod/modussl_mbedtls: Support non-blocking handshake.
For this, add wrap_socket(do_handshake=False) param. CPython doesn't have
such a param at a module's global function, and at SSLContext.wrap_socket()
it has do_handshake_on_connect param, but that uselessly long.

Beyond that, make write() handle not just MBEDTLS_ERR_SSL_WANT_WRITE, but
also MBEDTLS_ERR_SSL_WANT_READ, as during handshake, write call may be
actually preempted by need to read next handshake message from peer.
Likewise, for read(). And even after the initial negotiation, situations
like that may happen e.g. with renegotiation. Both
MBEDTLS_ERR_SSL_WANT_READ and MBEDTLS_ERR_SSL_WANT_WRITE are however mapped
to the same None return code. The idea is that if the same read()/write()
method is called repeatedly, the progress will be made step by step anyway.
The caveat is if user wants to add the underlying socket to uselect.poll().
To be reliable, in this case, the socket should be polled for both POLL_IN
and POLL_OUT, as we don't know the actual expected direction. But that's
actually problematic. Consider for example that write() ends with
MBEDTLS_ERR_SSL_WANT_READ, but gets converted to None. We put the
underlying socket on pull using POLL_IN|POLL_OUT but that probably returns
immediately with POLL_OUT, as underlyings socket is writable. We call the
same ussl write() again, which again results in MBEDTLS_ERR_SSL_WANT_READ,
etc. We thus go into busy-loop.

So, the handling in this patch is temporary and needs fixing. But exact way
to fix it is not clear. One way is to provide explicit function for
handshake (CPython has do_handshake()), and let *that* return distinct
codes like WANT_READ/WANT_WRITE. But as mentioned above, past the initial
handshake, such situation may happen again with at least renegotiation. So
apparently, the only robust solution is to return "out of bound" special
sentinels like WANT_READ/WANT_WRITE from read()/write() directly. CPython
throws exceptions for these, but those are expensive to adopt that way for
efficiency-conscious implementation like MicroPython.
2019-04-30 17:24:46 +10:00
Paul Sokolovsky
c7ed17bc4b extmod/modussl_mbedtls: Remove deprecated mbedtls/net.h header include.
This header is deprecated as of mbedtls 2.8.0, as shipped with Ubuntu
18.04.  Leads to #warning which is promoted to error with uPy compile
options.

Note that the current version of mbedtls is 2.14 at the time of writing.
2019-01-27 12:26:09 +11:00
Damien George
7a67f057d7 extmod/modussl: Support polling in ussl objects by passing through ioctl
The underlying socket can handling polling, and any other transparent ioctl
requests.  Note that CPython handles the case of polling an ssl object by
polling the file descriptor of the underlying socket file, and that
behaviour is emulated here.
2018-07-20 13:05:04 +10:00
Damien George
e8398a5856 extmod: Update to use new mp_get_stream helper.
With this patch objects are only checked that they have the stream protocol
at the start of their use as a stream, and afterwards the efficient
mp_get_stream() helper is used to extract the stream protocol C methods.
2018-06-18 12:35:56 +10:00
Damien George
ea22406f76 extmod/modussl_mbedtls: Use mbedtls_entropy_func for CTR-DRBG entropy.
If mbedtls_ctr_drbg_seed() is available in the mbedtls bulid then so should
be mbedtls_entropy_func().  Then it's up to the port to configure a valid
entropy source, eg via MBEDTLS_ENTROPY_HARDWARE_ALT.
2018-05-31 21:52:29 +10:00
Damien George
98b9f0fc9d extmod/modussl_mbedtls: Populate sock member right away in wrap_socket.
Otherwise the "sock" member may have an undefined value if wrap_socket
fails with an exception and exits early, and then if the finaliser runs it
will try to close an invalid stream object.

Fixes issue #3828.
2018-05-31 21:47:26 +10:00
Damien George
cf31d384f1 py/stream: Switch stream close operation from method to ioctl.
This patch moves the implementation of stream closure from a dedicated
method to the ioctl of the stream protocol, for each type that implements
closing.  The benefits of this are:

1. Rounds out the stream ioctl function, which already includes flush,
   seek and poll (among other things).

2. Makes calling mp_stream_close() on an object slightly more efficient
   because it now no longer needs to lookup the close method and call it,
   rather it just delegates straight to the ioctl function (if it exists).

3. Reduces code size and allows future types that implement the stream
   protocol to be smaller because they don't need a dedicated close method.

Code size reduction is around 200 bytes smaller for x86 archs and around
30 bytes smaller for the bare-metal archs.
2018-04-10 13:41:32 +10:00
Damien George
7df2ebbfea extmod/modussl_mbedtls: Clean up mbedtls state when error during setup.
Without this patch, if the SSL handshake fails (eg the connection was lost)
then the mbedtls state (memory) will never be freed.
2017-12-13 14:48:53 +11:00
Damien George
10b76a9620 extmod/modussl_mbedtls: Allow to compile with unix coverage build.
Fixes a few C warnings.  No functional changes.
2017-10-30 15:41:37 +11:00
Eric Poulsen
74ec52d857 extmod/modussl: Add finaliser support for ussl objects.
Per the comment found here
https://github.com/micropython/micropython-esp32/issues/209#issuecomment-339855157,
this patch adds finaliser code to prevent memory leaks from ussl objects,
which is especially useful when memory for a ussl context is allocated
outside the uPy heap.  This patch is in-line with the finaliser code found
in many modsocket implementations for various ports.

This feature is configured via MICROPY_PY_USSL_FINALISER and is disabled by
default because there may be issues using it when the ussl state *is*
allocated on the uPy heap, rather than externally.
2017-10-30 15:25:32 +11:00
Damien George
a3dc1b1957 all: Remove inclusion of internal py header files.
Header files that are considered internal to the py core and should not
normally be included directly are:
    py/nlr.h - internal nlr configuration and declarations
    py/bc0.h - contains bytecode macro definitions
    py/runtime0.h - contains basic runtime enums

Instead, the top-level header files to include are one of:
    py/obj.h - includes runtime0.h and defines everything to use the
        mp_obj_t type
    py/runtime.h - includes mpstate.h and hence nlr.h, obj.h, runtime0.h,
        and defines everything to use the general runtime support functions

Additional, specific headers (eg py/objlist.h) can be included if needed.
2017-10-04 12:37:50 +11:00
Damien George
beeb7483d8 extmod/modussl_mbedtls: Allow to compile with MBEDTLS_DEBUG_C disabled.
With MBEDTLS_DEBUG_C disabled the function mbedtls_debug_set_threshold()
doesn't exist.  There's also no need to call mbedtls_ssl_conf_dbg() so a
few bytes can be saved on disabling that and not needing the mbedtls_debug
callback.
2017-09-06 17:34:45 +10:00
Eric Poulsen
d5191edf7f extmod/modussl_mbedtls.c: Add ussl.getpeercert() method.
Behaviour is as per CPython but only the binary form is implemented here.
A test is included.
2017-08-16 15:01:00 +10:00
Eric Poulsen
6b4d4a25ce extmod/modussl_mbedtls: Implement non-blocking SSL sockets. 2017-07-26 11:34:33 +10:00
Damien George
0893b273b9 extmod/modussl_mbedtls: Make socket.close() free all TLS resources.
Also, use mp_stream_close() helper to close the underlying socket.
2017-07-25 14:00:45 +10:00
Damien George
a10467b58a extmod/modussl_mbedtls: When reading and peer wants to close, return 0.
If this particular code is returned then there's no more data, it's not
really an error.
2017-07-25 11:53:26 +10:00
Damien George
aa7be82a4d all: Don't include system errno.h when it's not needed. 2017-07-24 18:43:14 +10:00
Damien George
513dfcf4fe extmod/modussl_mbedtls: Support server_side mode.
To use server_side mode one must pass valid values in the "key" and "cert"
parameters.
2017-07-24 15:08:59 +10:00
Damien George
204ded848e extmod: Update for changes to mp_obj_str_get_data. 2017-03-29 12:56:45 +11:00
Paul Sokolovsky
59a1201da9 all: Remove readall() method, which is equivalent to read() w/o args.
Its addition was due to an early exploration on how to add CPython-like
stream interface. It's clear that it's not needed and just takes up
bytes in all ports.
2016-11-14 00:24:22 +03:00
Paul Sokolovsky
06234a6115 extmod/modussl_mbedtls: Add dummy setblocking() method.
Accepts only value of True.
2016-10-15 23:46:13 +03:00
Damien George
75af908c0e extmod: Use mp_raise_OSError helper function. 2016-10-07 13:52:14 +11:00
Paul Sokolovsky
46ab042230 extmod/modussl_mbedtls: Add server_hostname param for wrap_socket().
In CPython, module-level .wrap_socket() function actually doesn't accept
(or document) this param, only SSLContext.wrap_socket() has.
2016-09-23 01:44:23 +03:00
Paul Sokolovsky
080e4d44f3 extmod/modussl_mbedtls: Use 2-component include paths.
This is required to use mbedTLS versions from various sources, e.g.
mainline vs embedded into Zephyr RTOS.
2016-09-22 01:30:48 +03:00
Paul Sokolovsky
5f0ecb72c2 extmod/modussl_mbedtls: Implement key= and cert= args to wrap_socket().
Unlike standard keyfile= and certfile=, these accept byte buffer objects
(to not depend on FS implementation).
2016-09-22 00:17:44 +03:00
Paul Sokolovsky
9ea2882317 extmod/modussl_mbedtls: Initial implementation of mbedTLS ussl module. 2016-09-21 21:25:33 +03:00