Now validating SSL certs for *.sha2017.org

annejan · annejan · commit c2dd50b99df4 · 2017-07-04T17:11:51.000+02:00
diff --git a/esp32/Makefile b/esp32/Makefile
@@ -155,16 +155,16 @@ SRC_C = \
 	ugfx_styles.c \
 	$(SRC_MOD)
 
-### TODO remove hardcoded images when loader works ;)
-BADGE_MAIN_SRC_C = $(addprefix ../../main/,\
-	imgv2_menu.c \
-	imgv2_nick.c \
-	imgv2_sha.c \
-	imgv2_test.c \
-	imgv2_weather.c \
-	madison_gurkha.c \
-	leaseweb.c \
-	)
+### TODO fix hardcoded images when we can't get image loader to work
+#BADGE_MAIN_SRC_C = $(addprefix ../../main/,\
+#	imgv2_menu.c \
+#	imgv2_nick.c \
+#	imgv2_sha.c \
+#	imgv2_test.c \
+#	imgv2_weather.c \
+#	madison_gurkha.c \
+#	leaseweb.c \
+#	)
 
 EXTMOD_SRC_C = $(addprefix extmod/,\
 	modonewire.c \
diff --git a/esp32/modbadge.c b/esp32/modbadge.c
@@ -57,6 +57,7 @@ STATIC mp_obj_t badge_eink_init_() {
 }
 STATIC MP_DEFINE_CONST_FUN_OBJ_0(badge_eink_init_obj, badge_eink_init_);
 
+/**
 #define NUM_PICTURES 7
 const uint8_t *pictures[NUM_PICTURES] = {
     imgv2_sha, imgv2_menu, imgv2_nick, imgv2_weather, imgv2_test, mg_logo, leaseweb
@@ -72,6 +73,7 @@ STATIC mp_obj_t badge_display_picture_(mp_obj_t picture_id,
 }
 STATIC MP_DEFINE_CONST_FUN_OBJ_2(badge_display_picture_obj,
                                  badge_display_picture_);
+*/
 
  STATIC mp_obj_t badge_eink_busy_() {
    return mp_obj_new_bool(badge_eink_dev_is_busy());
@@ -210,8 +212,10 @@ STATIC const mp_rom_map_elem_t badge_module_globals_table[] = {
     {MP_ROM_QSTR(MP_QSTR_eink_busy), MP_ROM_PTR(&badge_eink_busy_obj)},
     {MP_ROM_QSTR(MP_QSTR_eink_busy_wait), MP_ROM_PTR(&badge_eink_busy_wait_obj)},
 
+/*
     {MP_ROM_QSTR(MP_QSTR_display_picture),
      MP_ROM_PTR(&badge_display_picture_obj)},
+*/
 
 #if defined(PORTEXP_PIN_NUM_CHRGSTAT) || defined(MPR121_PIN_NUM_CHRGSTAT)
     {MP_OBJ_NEW_QSTR(MP_QSTR_battery_charge_status),
diff --git a/esp32/modules/woezel.py b/esp32/modules/woezel.py
@@ -104,10 +104,7 @@ def expandhome(s):
 
 import ussl
 import usocket
-warn_ussl = True
 def url_open(url):
-    global warn_ussl
-
     if debug:
         print(url)
 
@@ -128,9 +125,6 @@ def url_open(url):
 
         if proto == "https:":
             s = ussl.wrap_socket(s, server_hostname=host)
-            if warn_ussl:
-                print("Warning: %s SSL certificate is not validated" % host)
-                warn_ussl = False
 
         # MicroPython rawsocket module supports file interface directly
         s.write("GET /%s HTTP/1.0\r\nHost: %s\r\n\r\n" % (urlpath, host))
diff --git a/extmod/modussl_mbedtls.c b/extmod/modussl_mbedtls.c
@@ -23,13 +23,15 @@
  * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
  * THE SOFTWARE.
  */
+#define _GNU_SOURCE
 
 #include "py/mpconfig.h"
 #if MICROPY_PY_USSL && MICROPY_SSL_MBEDTLS
 
 #include <stdio.h>
 #include <string.h>
 #include <errno.h>
+#include <string.h>
 
 #include "py/nlr.h"
 #include "py/runtime.h"
@@ -148,12 +150,24 @@ STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
         assert(0);
     }
 
-    ret = mbedtls_x509_crt_parse(&o->cacert, wildcard_sha2017_org, 2151);
+    bool sha2017_subdomain = false;
+    if (args->server_hostname.u_obj != mp_const_none) {
+      const char *sni = mp_obj_str_get_str(args->server_hostname.u_obj);
+      char *ptr;
+      sha2017_subdomain = ((ptr = strcasestr(sni, ".sha2017.org")) != NULL && ptr[12] == 0);
+      if (sha2017_subdomain) {
+        printf("Validating certificate for: %s\n", sni);
+      } else {
+        printf("Warning: %s SSL certificate is not validated\n", sni);
+      }
+    }
 
-    if(ret < 0)
-    {
-        printf("mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
-        assert(0);
+    if (sha2017_subdomain) {
+        ret = mbedtls_x509_crt_parse_der(&o->cacert, wildcard_sha2017_org, 856);
+        if(ret < 0) {
+            printf("mbedtls_x509_crt_parse returned -0x%x\n\n", -ret);
+            assert(0);
+        }
     }
 
     ret = mbedtls_ssl_config_defaults(&o->conf,
@@ -164,7 +178,12 @@ STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
         assert(0);
     }
 
-    mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+    if (sha2017_subdomain) {
+      mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+      mbedtls_ssl_conf_ca_chain(&o->conf, &o->cacert, NULL);
+    } else {
+      mbedtls_ssl_conf_authmode(&o->conf, MBEDTLS_SSL_VERIFY_NONE);
+    }
     mbedtls_ssl_conf_rng(&o->conf, mbedtls_ctr_drbg_random, &o->ctr_drbg);
     mbedtls_ssl_conf_dbg(&o->conf, mbedtls_debug, NULL);
 
