Changes include:
- Some mbedtls source files renamed or deprecated.
- Our `mbedtls_config.h` files are renamed to `mbedtls_config_port.h`, so
they don't clash with mbedtls's new default configuration file named
`mbedtls_config.h`.
- MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE is deprecated.
- MBEDTLS_HAVE_TIME now requires an `mbedtls_ms_time` function to be
defined but it's only used for TLSv1.3 (currently not enabled in
MicroPython so there is a lazy implementation, i.e. seconds * 1000).
- `tests/multi_net/ssl_data.py` is removed (due to deprecation of
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE), there are the existing
`ssl_cert_rsa.py` and `sslcontext_server_client.py` tests which do very
similar, simple SSL data transfer.
- Tests now use an EC key by default (they are smaller and faster), and the
RSA key has been regenerated due to the old PKCS encoding used by openssl
rsa command, see
https://stackoverflow.com/questions/40822328/openssl-rsa-key-pem-and-der-conversion-does-not-match
(and `tests/README.md` has been updated accordingly).
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
And only enable this method when the relevant feature is available in
mbedtls. Otherwise, if mbedtls doesn't support getting the peer
certificate, this method always returns None and it's confusing why it does
that. It's better to remove the method altogether, so the error trying to
use it is more obvious.
Signed-off-by: Damien George <damien@micropython.org>
This commit adds:
1) Methods to SSLContext class that match CPython signature:
- `SSLContext.load_cert_chain(certfile, keyfile)`
- `SSLContext.load_verify_locations(cafile=, cadata=)`
- `SSLContext.get_ciphers()` --> ["CIPHERSUITE"]
- `SSLContext.set_ciphers(["CIPHERSUITE"])`
2) `sslsocket.cipher()` to get current ciphersuite and protocol
version.
3) `ssl.MBEDTLS_VERSION` string constant.
4) Certificate verification errors info instead of
`MBEDTLS_ERR_X509_CERT_VERIFY_FAILED`.
5) Tests in `net_inet` and `multi_net` to test these new methods.
`SSLContext.load_cert_chain` method allows loading key and cert from disk
passing a filepath in `certfile` or `keyfile` options.
`SSLContext.load_verify_locations`'s `cafile` option enables the same
functionality for ca files.
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
Add cert_reqs and cadata keyword-args to ssl.wrap_socket() and
ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED constants to allow
certificate validation.
CPython doesn't accept cadata in ssl.wrap_socket(), but it does in
SSLContext.load_verify_locations(), so we use this name to at least match
the same name in load_verify_locations().
Add docs for these new arguments, as well as docs for the existing
server_hostname argument which is important for certificate validation.
Tests are added as well.
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
Felix Dörre
Carlosgg
Damien George
Damien George