mbedtls: fix poll ioctl

tve · tve · commit f68a1cae2624 · 2020-04-20T18:26:58.000-07:00
diff --git a/extmod/modussl_mbedtls.c b/extmod/modussl_mbedtls.c
@@ -64,6 +64,7 @@ typedef struct _mp_obj_ssl_socket_t {
     mbedtls_x509_crt cert;
     mbedtls_pk_context pkey;
     uint8_t poll_flag;
+    uint8_t poll_by_read; // true: at next poll try to read first
 } mp_obj_ssl_socket_t;
 
 struct ssl_args {
@@ -226,6 +227,7 @@ STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
     }
 
     o->poll_flag = 0;
+    o->poll_by_read = 0;
     if (args->do_handshake.u_bool) {
         while ((ret = mbedtls_ssl_handshake(&o->ssl)) != 0) {
             if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
@@ -285,6 +287,9 @@ STATIC mp_uint_t socket_read(mp_obj_t o_in, void *buf, mp_uint_t size, int *errc
         return 0;
     }
     if (ret >= 0) {
+        // if we got all we wanted, for the next poll try a read first 'cause
+        // there may be data in the mbedtls record buffer
+        o->poll_by_read = ret == size;
         return ret;
     }
     if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
@@ -342,6 +347,13 @@ STATIC mp_uint_t socket_ioctl(mp_obj_t o_in, mp_uint_t request, uintptr_t arg, i
         mbedtls_ctr_drbg_free(&self->ctr_drbg);
         mbedtls_entropy_free(&self->entropy);
     } else if (request == MP_STREAM_POLL) {
+        mp_uint_t ret = 0;
+        // If the last read returned everything asked for there may be more in the mbedtls buffer,
+        // so find out. (There doesn't seem to be an equivalent issue with writes.)
+        if ((arg & MP_STREAM_POLL_RD) && self->poll_by_read) {
+            size_t avail = mbedtls_ssl_get_bytes_avail(&self->ssl);
+            if (avail > 0) ret = MP_STREAM_POLL_RD;
+        }
         // If we're polling to read but not write but mbedtls previously said it needs to write in
         // order to be able to read then poll for both and if either is available pretend the socket
         // is readable. When the app then performs a read, mbedtls is happy to perform the writes as
@@ -350,7 +362,7 @@ STATIC mp_uint_t socket_ioctl(mp_obj_t o_in, mp_uint_t request, uintptr_t arg, i
         if ((arg & MP_STREAM_POLL_RD) && !(arg & MP_STREAM_POLL_WR) &&
                 self->poll_flag & READ_NEEDS_WRITE) {
             arg |= MP_STREAM_POLL_WR;
-            mp_uint_t ret = mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
+            ret |= mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
             if (ret & MP_STREAM_POLL_WR) {
                 ret |= MP_STREAM_POLL_RD;
                 ret &= ~MP_STREAM_POLL_WR;
@@ -360,14 +372,15 @@ STATIC mp_uint_t socket_ioctl(mp_obj_t o_in, mp_uint_t request, uintptr_t arg, i
         } else if ((arg & MP_STREAM_POLL_WR) && !(arg & MP_STREAM_POLL_RD) &&
                 self->poll_flag & WRITE_NEEDS_READ) {
             arg |= MP_STREAM_POLL_RD;
-            mp_uint_t ret = mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
+            ret |= mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
             if (ret & MP_STREAM_POLL_RD) {
                 ret |= MP_STREAM_POLL_WR;
                 ret &= ~MP_STREAM_POLL_RD;
             }
             return ret;
         }
-        // fall-through if there's no wonky XX_NEEDS_YY situation
+        // Pass down to underlying socket
+        return ret | mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
     }
     // Pass all requests down to the underlying socket
     return mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
diff --git a/tests/multi_net/ssl_data.py b/tests/multi_net/ssl_data.py
@@ -1,10 +1,58 @@
 # Simple test creating an SSL connection and transferring some data
 # This test won't run under CPython because it requires key/cert
 
-import usocket as socket, ussl as ssl
+try:
+    import usocket as socket, ussl as ssl, ubinascii as binascii, uselect as select
+except ModuleNotFoundError:
+    import socket, ssl, binascii, select
 
 PORT = 8000
 
+# This self-signed key/cert pair is randomly generated and to be used for
+# testing/demonstration only.
+# openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 36500 -nodes
+cert = """
+-----BEGIN CERTIFICATE-----
+MIICaDCCAdGgAwIBAgIUaYEwlY581HuPWHm2ndTWejuggAIwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yMDA0MTgxOTAwMDBaGA8yMTIw
+MDMyNTE5MDAwMFowRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAxmACtMgGR2tTKVHzxG67Yx61pWNynXUE0q00yJ0a34AK
+uQKzvyEdvkk5lL3snV4N5wKeRgWmS3/krl/YQO+Rk4eSJRqJc8INd3qSOFSNUgPg
+W0VPP9vPox8au5Ngqn06jgtdD1F0a6Z+f+N3+JyRPAaetIWlFC9WEn+zzz0/cmkC
+AwEAAaNTMFEwHQYDVR0OBBYEFBaI7GVj4GjxPWq+RO7A/4INOq2RMB8GA1UdIwQY
+MBaAFBaI7GVj4GjxPWq+RO7A/4INOq2RMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADgYEAMpdYd8jkWxoXMxV+X2rpyx/BnPrPa+l2LehlulrU7lRh4QIU
+t4f+W+yBvkFscPatpRfJoXXqregmhLxo8poKw08pjn7DNKBzcsPsxnmRIvFZuL2J
+wYHGyP9HcMpsnx+UW2YjjQ4R1I0smRI7ZKiax8AJkN/P9eHH9Xku6ostXYk=
+-----END CERTIFICATE-----
+"""
+key = """
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMZgArTIBkdrUylR
+88Ruu2MetaVjcp11BNKtNMidGt+ACrkCs78hHb5JOZS97J1eDecCnkYFpkt/5K5f
+2EDvkZOHkiUaiXPCDXd6kjhUjVID4FtFTz/bz6MfGruTYKp9Oo4LXQ9RdGumfn/j
+d/ickTwGnrSFpRQvVhJ/s889P3JpAgMBAAECgYBPkxnizM3//iRY0d/37vdKFnqF
+AnRqhxNNM1+WDbdG6kTi3BugUrdsqlDnwpvUsHLhNOKqcf+4D3B7JkVIHxGEqLSl
+YMbQrldodPwIP0ycf9hegzuhEvuYGkex22edmQ5brkdIt6QCv0QRtProYowJx4p6
+CuM5423ORejs6Vw9gQJBAOF//1Ovmm5Q1d90ZzjFhZCwG3/z5uwqZMGBxJTaibSC
+O5cci3n9Tcc4AebnMf5eyrXHovtSg1FfDxS+IUccXRECQQDhNM3R31YvYmRZwrTn
+f71y+buXpUtMDUDhFK8FNZN1/zJ6dJVrWQ/MVj+TaNjLUYNdPmRPHQdt8+Fx65y9
+95/ZAkEAqgmkdGwz3P9jZm4V778xqhrBgche1rJY63l4zG3F7LFPUfEaU1BoN9LJ
+zF2FWzQLUutIwI5FqzQs4Q1FdqOyoQJBALAL1iUMwFO0R5v/X+lj6xXY8PM/jJf7
++E67G4In+okQIEanojJTYc0rUvGJ0YdGxjj6z/EkUS17qy2hsFq0GykCQQCiucp9
+7kbPpzw/gW+ERfoLgtZKrP/+Au9C5sz2wxUpeKhYihVePF8pmytyD8mqt/3LIJhZ
+NA2FEss2+KJUCjHc
+-----END PRIVATE KEY-----
+"""
+chain = cert + key
+# Produce cert/key for MicroPython
+cert = cert[cert.index("M"):cert.index("=")+2]
+key = key[key.index("M"):key.rstrip().rindex("\n")+1]
+cert = binascii.a2b_base64(cert)
+key = binascii.a2b_base64(key)
+
 
 # Server
 def instance0():
@@ -15,7 +63,15 @@ def instance0():
     s.listen(1)
     multitest.next()
     s2, _ = s.accept()
-    s2 = ssl.wrap_socket(s2, server_side=True)
+    if hasattr(ssl, 'SSLContext'):
+        fn = '/tmp/MP_test_cert.pem'
+        with open(fn, "w") as f:
+            f.write(chain)
+        ctx = ssl.SSLContext()
+        ctx.load_cert_chain(fn)
+        s2 = ctx.wrap_socket(s2, server_side=True)
+    else:
+        s2 = ssl.wrap_socket(s2, server_side=True, key=key, cert=cert)
     print(s2.read(16))
     s2.write(b"server to client")
     s.close()
diff --git a/tests/multi_net/ssl_data.py.exp b/tests/multi_net/ssl_data.py.exp
diff --git a/tests/multi_net/ssl_select.py b/tests/multi_net/ssl_select.py
@@ -0,0 +1,114 @@
+# Test creating an SSL connection and transferring some data, and specifically
+# using select to "poll" for reading while reading chunks that are smaller than
+# the SSL record transmitted to make sure that the poll ioctl handles the case
+# where the ssl layer has some bytes buffered internally and the underlying
+# raw socket is not readable.
+# This test won't run under CPython because it doesn't fix the bug this test tests:
+# https://docs.python.org/3/library/ssl.html#notes-on-non-blocking-sockets
+
+try:
+    import usocket as socket, ussl as ssl, ubinascii as binascii, uselect as select
+except ModuleNotFoundError:
+    import socket, ssl, binascii, select
+
+PORT = 8000
+
+# This self-signed key/cert pair is randomly generated and to be used for
+# testing/demonstration only.
+# openssl req -x509 -newkey rsa:1024 -keyout key.pem -out cert.pem -days 36500 -nodes
+cert = """
+-----BEGIN CERTIFICATE-----
+MIICaDCCAdGgAwIBAgIUaYEwlY581HuPWHm2ndTWejuggAIwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yMDA0MTgxOTAwMDBaGA8yMTIw
+MDMyNTE5MDAwMFowRTELMAkGA1UEBhMCVVMxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0B
+AQEFAAOBjQAwgYkCgYEAxmACtMgGR2tTKVHzxG67Yx61pWNynXUE0q00yJ0a34AK
+uQKzvyEdvkk5lL3snV4N5wKeRgWmS3/krl/YQO+Rk4eSJRqJc8INd3qSOFSNUgPg
+W0VPP9vPox8au5Ngqn06jgtdD1F0a6Z+f+N3+JyRPAaetIWlFC9WEn+zzz0/cmkC
+AwEAAaNTMFEwHQYDVR0OBBYEFBaI7GVj4GjxPWq+RO7A/4INOq2RMB8GA1UdIwQY
+MBaAFBaI7GVj4GjxPWq+RO7A/4INOq2RMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADgYEAMpdYd8jkWxoXMxV+X2rpyx/BnPrPa+l2LehlulrU7lRh4QIU
+t4f+W+yBvkFscPatpRfJoXXqregmhLxo8poKw08pjn7DNKBzcsPsxnmRIvFZuL2J
+wYHGyP9HcMpsnx+UW2YjjQ4R1I0smRI7ZKiax8AJkN/P9eHH9Xku6ostXYk=
+-----END CERTIFICATE-----
+"""
+key = """
+-----BEGIN PRIVATE KEY-----
+MIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAMZgArTIBkdrUylR
+88Ruu2MetaVjcp11BNKtNMidGt+ACrkCs78hHb5JOZS97J1eDecCnkYFpkt/5K5f
+2EDvkZOHkiUaiXPCDXd6kjhUjVID4FtFTz/bz6MfGruTYKp9Oo4LXQ9RdGumfn/j
+d/ickTwGnrSFpRQvVhJ/s889P3JpAgMBAAECgYBPkxnizM3//iRY0d/37vdKFnqF
+AnRqhxNNM1+WDbdG6kTi3BugUrdsqlDnwpvUsHLhNOKqcf+4D3B7JkVIHxGEqLSl
+YMbQrldodPwIP0ycf9hegzuhEvuYGkex22edmQ5brkdIt6QCv0QRtProYowJx4p6
+CuM5423ORejs6Vw9gQJBAOF//1Ovmm5Q1d90ZzjFhZCwG3/z5uwqZMGBxJTaibSC
+O5cci3n9Tcc4AebnMf5eyrXHovtSg1FfDxS+IUccXRECQQDhNM3R31YvYmRZwrTn
+f71y+buXpUtMDUDhFK8FNZN1/zJ6dJVrWQ/MVj+TaNjLUYNdPmRPHQdt8+Fx65y9
+95/ZAkEAqgmkdGwz3P9jZm4V778xqhrBgche1rJY63l4zG3F7LFPUfEaU1BoN9LJ
+zF2FWzQLUutIwI5FqzQs4Q1FdqOyoQJBALAL1iUMwFO0R5v/X+lj6xXY8PM/jJf7
++E67G4In+okQIEanojJTYc0rUvGJ0YdGxjj6z/EkUS17qy2hsFq0GykCQQCiucp9
+7kbPpzw/gW+ERfoLgtZKrP/+Au9C5sz2wxUpeKhYihVePF8pmytyD8mqt/3LIJhZ
+NA2FEss2+KJUCjHc
+-----END PRIVATE KEY-----
+"""
+chain = cert + key
+# Produce cert/key for MicroPython
+cert = cert[cert.index("M"):cert.index("=")+2]
+key = key[key.index("M"):key.rstrip().rindex("\n")+1]
+cert = binascii.a2b_base64(cert)
+key = binascii.a2b_base64(key)
+
+# Server
+def instance0():
+    multitest.globals(IP=multitest.get_network_ip())
+    s = socket.socket()
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1])
+    s.listen(1)
+    multitest.next()
+    s2, _ = s.accept()
+    if hasattr(ssl, 'SSLContext'):
+        fn = '/tmp/MP_test_cert.pem'
+        with open(fn, "w") as f:
+            f.write(chain)
+        ctx = ssl.SSLContext()
+        ctx.load_cert_chain(fn)
+        s2 = ctx.wrap_socket(s2, server_side=True)
+    else:
+        s2 = ssl.wrap_socket(s2, server_side=True, key=key, cert=cert)
+    print(s2.read(16))
+    s2.write(b"server to client")
+    # test larger client->server record being read in small chunks
+    total = 0
+    fileno = s2
+    if hasattr(s2, 'fileno'):
+        fileno = s2.fileno()
+    while True:
+        if hasattr(ssl, 'SSLContext'):
+            # select doesn't actually work right in CPython! so skip it
+            sel = [[1]]
+        else:
+            sel = select.select([fileno], [], [])
+        if len(sel[0]) == 1:
+            buf = s2.read(20)
+            print("got", len(buf))
+            total += len(buf)
+            if total == 200:
+                break
+    print("got", total)
+    s2.write(b"server to client 2")
+    print("DONE", len(buf))
+    s.close()
+
+
+# Client
+def instance1():
+    multitest.next()
+    s = socket.socket()
+    s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
+    s = ssl.wrap_socket(s)
+    s.write(b"client to server")
+    print(s.read(16))
+    s.write(bytes(200))
+    print(s.read(18))
+    s.close()
