From 56844364692d22feec8acdf899e61048f4bc0d3d Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Fri, 4 Apr 2025 00:38:39 -0700 Subject: [PATCH 01/21] extmod/modtls_mbedtls: Add support for TLS PSK Signed-off-by: Keenan Johnson --- extmod/mbedtls/mbedtls_config_common.h | 5 + extmod/modtls_mbedtls.c | 95 +++++++++++++++++++ ports/esp32/boards/sdkconfig.base | 7 ++ .../sslcontext_server_client_psk.exp | 4 + .../multi_net/sslcontext_server_client_psk.py | 63 ++++++++++++ 5 files changed, 174 insertions(+) create mode 100644 tests/multi_net/sslcontext_server_client_psk.exp create mode 100644 tests/multi_net/sslcontext_server_client_psk.py diff --git a/extmod/mbedtls/mbedtls_config_common.h b/extmod/mbedtls/mbedtls_config_common.h index 6cd14befc3196..b4fc5e627837b 100644 --- a/extmod/mbedtls/mbedtls_config_common.h +++ b/extmod/mbedtls/mbedtls_config_common.h @@ -47,6 +47,11 @@ #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +// Enable PSK key exchange methods +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED +#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED #define MBEDTLS_CAN_ECDH #define MBEDTLS_PK_CAN_ECDSA_SIGN #define MBEDTLS_PKCS1_V15 diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index 6c34805da42cb..4c94855c635dc 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c @@ -92,6 +92,11 @@ typedef struct _mp_obj_ssl_context_t { #if MICROPY_PY_SSL_ECDSA_SIGN_ALT mp_obj_t ecdsa_sign_callback; #endif + // Fields for PSK support + unsigned char *psk; + size_t psk_len; + unsigned char *psk_identity; + size_t psk_identity_len; } mp_obj_ssl_context_t; // This corresponds to an SSLSocket object. 
@@ -284,6 +289,11 @@ static mp_obj_t ssl_context_make_new(const mp_obj_type_t *type_in, size_t n_args #if MICROPY_PY_SSL_ECDSA_SIGN_ALT self->ecdsa_sign_callback = mp_const_none; #endif + // Initialize PSK fields + self->psk = NULL; + self->psk_len = 0; + self->psk_identity = NULL; + self->psk_identity_len = 0; #ifdef MBEDTLS_DEBUG_C // Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose 
@@ -467,6 +477,89 @@ static mp_obj_t ssl_context_load_verify_locations(mp_obj_t self_in, mp_obj_t cad } static MP_DEFINE_CONST_FUN_OBJ_2(ssl_context_load_verify_locations_obj, ssl_context_load_verify_locations); +// SSLContext.set_psk(psk, psk_identity) +static mp_obj_t ssl_context_set_psk(mp_obj_t self_in, mp_obj_t psk_obj, mp_obj_t psk_identity_obj) { + mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in); + + // Free any previously allocated PSK data + if (self->psk != NULL) { + m_free(self->psk); + self->psk = NULL; + self->psk_len = 0; + } + + if (self->psk_identity != NULL) { + m_free(self->psk_identity); + self->psk_identity = NULL; + self->psk_identity_len = 0; + } + + // Parse the PSK and PSK identity + mp_buffer_info_t psk_buf; + mp_buffer_info_t psk_id_buf; + + mp_get_buffer_raise(psk_obj, &psk_buf, MP_BUFFER_READ); + mp_get_buffer_raise(psk_identity_obj, &psk_id_buf, MP_BUFFER_READ); + + // Allocate and copy the PSK and PSK identity + self->psk = m_new(unsigned char, psk_buf.len); + self->psk_len = psk_buf.len; + memcpy(self->psk, psk_buf.buf, psk_buf.len); + + self->psk_identity = m_new(unsigned char, psk_id_buf.len); + self->psk_identity_len = psk_id_buf.len; + memcpy(self->psk_identity, psk_id_buf.buf, psk_id_buf.len); + + // Configure mbedTLS to use the PSK + int ret = mbedtls_ssl_conf_psk(&self->conf, self->psk, self->psk_len, + self->psk_identity, self->psk_identity_len); + if (ret != 0) { + mbedtls_raise_error(ret); + } + + return mp_const_none; +} +static MP_DEFINE_CONST_FUN_OBJ_3(ssl_context_set_psk_obj, ssl_context_set_psk); + +// SSLContext.set_psk_ciphersuites(ciphersuite_list) +static mp_obj_t ssl_context_set_psk_ciphersuites(mp_obj_t self_in, mp_obj_t ciphersuite_obj) { + mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in); + + // Configure preferred PSK ciphersuites + int ret = 0; + + // Check that ciphersuite is a list or tuple. 
+ size_t len = 0; + mp_obj_t *ciphers; + mp_obj_get_array(ciphersuite_obj, &len, &ciphers); + if (len == 0) { + mbedtls_raise_error(MBEDTLS_ERR_SSL_BAD_CONFIG); + } + + // Free any previously allocated ciphersuites array + if (self->ciphersuites != NULL) { + m_free(self->ciphersuites); + } + + // Parse list of ciphers. + self->ciphersuites = m_new(int, len + 1); + for (size_t i = 0; i < len; ++i) { + const char *ciphername = mp_obj_str_get_str(ciphers[i]); + const int id = mbedtls_ssl_get_ciphersuite_id(ciphername); + if (id == 0) { + mbedtls_raise_error(MBEDTLS_ERR_SSL_BAD_CONFIG); + } + self->ciphersuites[i] = id; + } + self->ciphersuites[len] = 0; + + // Configure ciphersuite. + mbedtls_ssl_conf_ciphersuites(&self->conf, (const int *)self->ciphersuites); + + return mp_const_none; +} +static MP_DEFINE_CONST_FUN_OBJ_2(ssl_context_set_psk_ciphersuites_obj, ssl_context_set_psk_ciphersuites); + static mp_obj_t ssl_context_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) { enum { ARG_server_side, ARG_do_handshake_on_connect, ARG_server_hostname }; static const mp_arg_t allowed_args[] = { @@ -495,6 +588,8 @@ static const mp_rom_map_elem_t ssl_context_locals_dict_table[] = { { MP_ROM_QSTR(MP_QSTR_set_ciphers), MP_ROM_PTR(&ssl_context_set_ciphers_obj)}, { MP_ROM_QSTR(MP_QSTR_load_cert_chain), MP_ROM_PTR(&ssl_context_load_cert_chain_obj)}, { MP_ROM_QSTR(MP_QSTR_load_verify_locations), MP_ROM_PTR(&ssl_context_load_verify_locations_obj)}, + { MP_ROM_QSTR(MP_QSTR_set_psk), MP_ROM_PTR(&ssl_context_set_psk_obj)}, + { MP_ROM_QSTR(MP_QSTR_set_psk_ciphersuites), MP_ROM_PTR(&ssl_context_set_psk_ciphersuites_obj)}, { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&ssl_context_wrap_socket_obj) }, }; static MP_DEFINE_CONST_DICT(ssl_context_locals_dict, ssl_context_locals_dict_table); diff --git a/ports/esp32/boards/sdkconfig.base b/ports/esp32/boards/sdkconfig.base index 530db427119ca..34d15e7b9a0c4 100644 --- a/ports/esp32/boards/sdkconfig.base 
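Review bot: In `ssl_context_set_psk_ciphersuites` the previous `self->ciphersuites` array is freed before the new names are validated, so after an earlier successful call an exception from `mp_obj_str_get_str` or the `id == 0` branch leaves the mbedTLS config pointing at freed memory (`mbedtls_ssl_conf_ciphersuites` keeps the pointer it is given rather than copying the list). Resolve the names into a local array and switch over only once all of them are valid, as in the excerpt below. In the same hunk `ssl_context_set_psk` releases the previous key with `m_free` without wiping it; adding `mbedtls_platform_zeroize(self->psk, self->psk_len);` before the free keeps the stale secret out of reusable heap. As far as I know `mbedtls_ssl_conf_psk` takes its own copy of key and identity, so the second copy held in `self->psk` may not be needed at all.

```c
    // … unchanged: mp_obj_get_array() and the len == 0 check …

    // Resolve every name into a local array first; a raise in this loop
    // leaves the list that mbedTLS currently references untouched.
    int *suites = m_new(int, len + 1);
    for (size_t i = 0; i < len; ++i) {
        const int id = mbedtls_ssl_get_ciphersuite_id(mp_obj_str_get_str(ciphers[i]));
        if (id == 0) {
            mbedtls_raise_error(MBEDTLS_ERR_SSL_BAD_CONFIG);
        }
        suites[i] = id;
    }
    suites[len] = 0;

    // Repoint the config before releasing the old array.
    int *old_suites = self->ciphersuites;
    self->ciphersuites = suites;
    mbedtls_ssl_conf_ciphersuites(&self->conf, (const int *)self->ciphersuites);
    if (old_suites != NULL) {
        m_free(old_suites);
    }

    return mp_const_none;
```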
+++ b/ports/esp32/boards/sdkconfig.base @@ -67,6 +67,13 @@ CONFIG_MBEDTLS_HAVE_TIME=y # Enable DTLS CONFIG_MBEDTLS_SSL_PROTO_DTLS=y +# Enable PSK (Pre-Shared Key) support +CONFIG_MBEDTLS_PSK_MODES=y +CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=y +CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK=y +CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK=y +CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK=y + # Disable ALPN support as it's not implemented in MicroPython CONFIG_MBEDTLS_SSL_ALPN=n diff --git a/tests/multi_net/sslcontext_server_client_psk.exp b/tests/multi_net/sslcontext_server_client_psk.exp new file mode 100644 index 0000000000000..7c0f3843e6194 --- /dev/null +++ b/tests/multi_net/sslcontext_server_client_psk.exp @@ -0,0 +1,4 @@ +--- instance0 --- +client to server +--- instance1 --- +server to client \ No newline at end of file diff --git a/tests/multi_net/sslcontext_server_client_psk.py b/tests/multi_net/sslcontext_server_client_psk.py new file mode 100644 index 0000000000000..42b1e26b66996 --- /dev/null +++ b/tests/multi_net/sslcontext_server_client_psk.py 
@@ -0,0 +1,63 @@
+# Test creating an SSL connection using PSK (Pre-Shared Key).
+
+try:
+ import socket
+ import tls
+except ImportError:
+ print("SKIP")
+ raise SystemExit
+
+PORT = 8000
+
+# PSK and identity values
+psk = b"micropython-psk-secret"
+psk_identity = b"micropython-client"
+
+# Server
+def instance0():
+ multitest.globals(IP=multitest.get_network_ip())
+ s = socket.socket()
+ s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+ s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1])
+ s.listen(1)
+ multitest.next()
+ s2, _ = s.accept()
+ server_ctx = tls.SSLContext(tls.PROTOCOL_TLS_SERVER)
+
+ # Set PSK and identity for server
+ server_ctx.set_psk(psk, psk_identity)
+
+ # Configure PSK ciphersuites
+ server_ctx.set_psk_ciphersuites(["TLS-PSK-WITH-AES-128-CBC-SHA256"])
+
+ s2 = server_ctx.wrap_socket(s2, server_side=True)
+ assert isinstance(s2.cipher(), tuple)
+ cipher_info = s2.cipher()
+ # PSK cipher should be used
+ assert "PSK" in cipher_info[0], f"Expected PSK cipher, got {cipher_info[0]}"
+ print(s2.read(16))
+ s2.write(b"server to client")
+ s2.close()
+ s.close()
+
+
+# Client
+def instance1():
+ multitest.next()
+ s = socket.socket()
+ s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
+ client_ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT)
+
+ # Set PSK and identity for client
+ client_ctx.set_psk(psk, psk_identity)
+
+ # Configure PSK ciphersuites
+ client_ctx.set_psk_ciphersuites(["TLS-PSK-WITH-AES-128-CBC-SHA256"])
+
+ s = client_ctx.wrap_socket(s, server_hostname="micropython.local")
+ cipher_info = s.cipher()
+ # PSK cipher should be used
+ assert "PSK" in cipher_info[0], f"Expected PSK cipher, got {cipher_info[0]}"
+ s.write(b"client to server")
+ print(s.read(16))
+ s.close()
\ No newline at end of file
From cf630220c8fe9b6fb4c7e5ef51bc8111e2044b66 Mon Sep 17 00:00:00 2001
From: Keenan Johnson Date: Fri, 4 Apr 2025 00:45:08 -0700 Subject: [PATCH 02/21] Update to fix build --- extmod/mbedtls/mbedtls_config_common.h | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/extmod/mbedtls/mbedtls_config_common.h b/extmod/mbedtls/mbedtls_config_common.h index b4fc5e627837b..bfb9097800ddc 100644 --- a/extmod/mbedtls/mbedtls_config_common.h +++ b/extmod/mbedtls/mbedtls_config_common.h @@ -47,8 +47,15 @@ #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED -// Enable PSK key exchange methods + +// Enable PSK support #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + +// Enable DHE support (required for DHE-PSK) +#define MBEDTLS_DHM_C +#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED + +// Enable PSK key exchange methods that need additional prerequisites #define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED #define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED @@ -73,6 +80,7 @@ #define MBEDTLS_BIGNUM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_DHM_C #define MBEDTLS_ECDH_C #define MBEDTLS_ECDSA_C #define MBEDTLS_ECP_C From b0ce06e02d019285484668e1564820bb04a90ad2 Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Fri, 4 Apr 2025 00:50:41 -0700 Subject: [PATCH 03/21] update --- extmod/modtls_mbedtls.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index 4c94855c635dc..295c94cedde2a 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c 
@@ -483,13 +483,13 @@ static mp_obj_t ssl_context_set_psk(mp_obj_t self_in, mp_obj_t psk_obj, mp_obj_t // Free any previously allocated PSK data if (self->psk != NULL) { - m_free(self->psk); + m_free(self->psk, self->psk_len); self->psk = NULL; self->psk_len = 0; } if (self->psk_identity != NULL) { - m_free(self->psk_identity); + m_free(self->psk_identity, self->psk_identity_len); self->psk_identity = NULL; self->psk_identity_len = 0; } @@ -526,7 +526,6 @@ static mp_obj_t ssl_context_set_psk_ciphersuites(mp_obj_t self_in, mp_obj_t ciph mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in); // Configure preferred PSK ciphersuites - int ret = 0; // Check that ciphersuite is a list or tuple. size_t len = 0; @@ -538,7 +537,7 @@ static mp_obj_t ssl_context_set_psk_ciphersuites(mp_obj_t self_in, mp_obj_t ciph // Free any previously allocated ciphersuites array if (self->ciphersuites != NULL) { - m_free(self->ciphersuites); + m_free(self->ciphersuites, (len + 1) * sizeof(int)); } // Parse list of ciphers. From 239842152501b47fc225f57e35f4a2d151bcb29c Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Fri, 4 Apr 2025 00:57:42 -0700 Subject: [PATCH 04/21] update test output --- tests/multi_net/sslcontext_server_client_psk.exp | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/multi_net/sslcontext_server_client_psk.exp b/tests/multi_net/sslcontext_server_client_psk.exp index 7c0f3843e6194..ddb18187868ab 100644 --- a/tests/multi_net/sslcontext_server_client_psk.exp +++ b/tests/multi_net/sslcontext_server_client_psk.exp @@ -1,4 +1,4 @@ --- instance0 --- -client to server +b'client to server' --- instance1 --- -server to client \ No newline at end of file +b'server to client' \ No newline at end of file From a8cc3f9031d9b9eeea9fb045289196100e9746d4 Mon Sep 17 00:00:00 2001 
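Review bot: The size in `m_free(self->ciphersuites, (len + 1) * sizeof(int));` is computed from the new list's `len`, not from the array being freed, so the allocator is told the wrong size whenever the list length changes between calls. The context would need to remember the previous count (a new field, for example `ciphersuites_len`) and pass `(self->ciphersuites_len + 1) * sizeof(int)` instead. The same expression is carried unchanged into the `#if` variants of this free in patches 06 and 08. The two PSK frees in the first hunk pass the stored `psk_len` and `psk_identity_len`, which do match their allocations; both function bodies extend beyond these hunks.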
From: Keenan Johnson Date: Fri, 4 Apr 2025 01:02:24 -0700 Subject: [PATCH 05/21] update test --- tests/multi_net/sslcontext_server_client_psk.exp | 2 +- tests/multi_net/sslcontext_server_client_psk.py | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/tests/multi_net/sslcontext_server_client_psk.exp b/tests/multi_net/sslcontext_server_client_psk.exp index ddb18187868ab..909c496d019e1 100644 --- a/tests/multi_net/sslcontext_server_client_psk.exp +++ b/tests/multi_net/sslcontext_server_client_psk.exp @@ -1,4 +1,4 @@ --- instance0 --- b'client to server' --- instance1 --- -b'server to client' \ No newline at end of file +b'server to client' diff --git a/tests/multi_net/sslcontext_server_client_psk.py b/tests/multi_net/sslcontext_server_client_psk.py index 42b1e26b66996..4620ee7729e92 100644 --- a/tests/multi_net/sslcontext_server_client_psk.py +++ b/tests/multi_net/sslcontext_server_client_psk.py @@ -3,6 +3,7 @@ try: import socket import tls + import multitest except ImportError: print("SKIP") raise SystemExit From 07ae0c138dad0157dfb7a2075e7b7b0f0179f53c Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Fri, 4 Apr 2025 01:14:42 -0700 Subject: [PATCH 06/21] fix build --- extmod/modtls_mbedtls.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index 295c94cedde2a..ad7482293e54f 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c 
@@ -483,13 +483,21 @@ static mp_obj_t ssl_context_set_psk(mp_obj_t self_in, mp_obj_t psk_obj, mp_obj_t // Free any previously allocated PSK data if (self->psk != NULL) { + #if defined(MICROPY_MBEDTLS_CONFIG_BARE_METAL) + m_free(self->psk); + #else m_free(self->psk, self->psk_len); + #endif self->psk = NULL; self->psk_len = 0; } if (self->psk_identity != NULL) { + #if defined(MICROPY_MBEDTLS_CONFIG_BARE_METAL) + m_free(self->psk_identity); + #else m_free(self->psk_identity, self->psk_identity_len); + #endif self->psk_identity = NULL; self->psk_identity_len = 0; } @@ -537,7 +545,11 @@ static mp_obj_t ssl_context_set_psk_ciphersuites(mp_obj_t self_in, mp_obj_t ciph // Free any previously allocated ciphersuites array if (self->ciphersuites != NULL) { + #if defined(MICROPY_MBEDTLS_CONFIG_BARE_METAL) + m_free(self->ciphersuites); + #else m_free(self->ciphersuites, (len + 1) * sizeof(int)); + #endif } // Parse list of ciphers. From 76407e3129303e1b48ccdc33919c9ec3f13249af Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Fri, 4 Apr 2025 01:20:22 -0700 Subject: [PATCH 07/21] update and fix tests --- extmod/modtls_mbedtls.c | 12 ++++++------ tests/extmod/tls_sslcontext_psk.exp | 1 + tests/extmod/tls_sslcontext_psk.py | 25 +++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 6 deletions(-) create mode 100644 tests/extmod/tls_sslcontext_psk.exp create mode 100644 tests/extmod/tls_sslcontext_psk.py diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index ad7482293e54f..7944c7e988c8b 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c 
@@ -483,20 +483,20 @@ static mp_obj_t ssl_context_set_psk(mp_obj_t self_in, mp_obj_t psk_obj, mp_obj_t // Free any previously allocated PSK data if (self->psk != NULL) { - #if defined(MICROPY_MBEDTLS_CONFIG_BARE_METAL) - m_free(self->psk); - #else + #if MICROPY_MALLOC_USES_ALLOCATED_SIZE m_free(self->psk, self->psk_len); + #else + m_free(self->psk); #endif self->psk = NULL; self->psk_len = 0; } if (self->psk_identity != NULL) { - #if defined(MICROPY_MBEDTLS_CONFIG_BARE_METAL) - m_free(self->psk_identity); - #else + #if MICROPY_MALLOC_USES_ALLOCATED_SIZE m_free(self->psk_identity, self->psk_identity_len); + #else + m_free(self->psk_identity); #endif self->psk_identity = NULL; self->psk_identity_len = 0; diff --git a/tests/extmod/tls_sslcontext_psk.exp b/tests/extmod/tls_sslcontext_psk.exp new file mode 100644 index 0000000000000..bb3d222bc96d7 --- /dev/null +++ b/tests/extmod/tls_sslcontext_psk.exp @@ -0,0 +1 @@ +PSK test complete \ No newline at end of file diff --git a/tests/extmod/tls_sslcontext_psk.py b/tests/extmod/tls_sslcontext_psk.py new file mode 100644 index 0000000000000..fd5c4a4aa070c --- /dev/null +++ b/tests/extmod/tls_sslcontext_psk.py @@ -0,0 +1,25 @@ +# Test for the PSK (Pre-Shared Key) functionality in tls.SSLContext + +try: + import tls +except ImportError: + print("SKIP") + raise SystemExit + +# Create a TLS context +ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) + +# Test setting PSK and identity +psk = b"test-preshared-key" +identity = b"test-identity" + +ctx.set_psk(psk, identity) + +# Test setting PSK ciphersuites +# This list contains common PSK ciphersuites +ctx.set_psk_ciphersuites([ + "TLS-PSK-WITH-AES-128-CBC-SHA256", + "TLS-PSK-WITH-AES-128-GCM-SHA256" +]) + +print("PSK test complete") \ No newline at end of file From e30a916d8c790f991295dcfbcc8a72fa97936b78 Mon Sep 17 00:00:00 2001 
From: Keenan Johnson Date: Fri, 4 Apr 2025 01:23:32 -0700 Subject: [PATCH 08/21] fix test --- extmod/modtls_mbedtls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index 7944c7e988c8b..ff62d0878b9a8 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c @@ -545,10 +545,10 @@ static mp_obj_t ssl_context_set_psk_ciphersuites(mp_obj_t self_in, mp_obj_t ciph // Free any previously allocated ciphersuites array if (self->ciphersuites != NULL) { - #if defined(MICROPY_MBEDTLS_CONFIG_BARE_METAL) - m_free(self->ciphersuites); - #else + #if MICROPY_MALLOC_USES_ALLOCATED_SIZE m_free(self->ciphersuites, (len + 1) * sizeof(int)); + #else + m_free(self->ciphersuites); #endif } From 66c9c14a26a0338221463f233d7ff6e83fb4fe85 Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Fri, 4 Apr 2025 01:29:58 -0700 Subject: [PATCH 09/21] test update --- tests/extmod/tls_sslcontext_psk.exp | 2 ++ tests/extmod/tls_sslcontext_psk.py | 22 +++++++++++++++------- 2 files changed, 17 insertions(+), 7 deletions(-) diff --git a/tests/extmod/tls_sslcontext_psk.exp b/tests/extmod/tls_sslcontext_psk.exp index bb3d222bc96d7..42d4daaac48c5 100644 --- a/tests/extmod/tls_sslcontext_psk.exp +++ b/tests/extmod/tls_sslcontext_psk.exp @@ -1 +1,3 @@ +PSK successfully set +PSK ciphersuites set PSK test complete \ No newline at end of file diff --git a/tests/extmod/tls_sslcontext_psk.py b/tests/extmod/tls_sslcontext_psk.py index fd5c4a4aa070c..1814711486c0c 100644 --- a/tests/extmod/tls_sslcontext_psk.py +++ b/tests/extmod/tls_sslcontext_psk.py 
@@ -13,13 +13,21 @@ psk = b"test-preshared-key" identity = b"test-identity" -ctx.set_psk(psk, identity) +# Test the PSK functionality - this will throw an exception if PSK is not supported +try: + ctx.set_psk(psk, identity) + print("PSK successfully set") +except Exception as e: + print("Failed to set PSK:", e) + raise SystemExit -# Test setting PSK ciphersuites -# This list contains common PSK ciphersuites -ctx.set_psk_ciphersuites([ - "TLS-PSK-WITH-AES-128-CBC-SHA256", - "TLS-PSK-WITH-AES-128-GCM-SHA256" -]) +# Test setting PSK ciphersuites with error handling +# Try with one basic PSK ciphersuite that should be widely supported +try: + ctx.set_psk_ciphersuites(["TLS-PSK-WITH-AES-128-CBC-SHA256"]) + print("PSK ciphersuites set") +except Exception as e: + print("Failed to set PSK ciphersuites:", e) + raise SystemExit print("PSK test complete") \ No newline at end of file From fbd11fc796fa03d24f662f45332f98f051f6834b Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 16:18:59 -0700 Subject: [PATCH 10/21] Update implementation and tests --- extmod/mbedtls/mbedtls_config_common.h | 12 -- extmod/modtls_mbedtls.c | 183 ++++++++---------- ports/esp32/boards/sdkconfig.base | 6 +- .../multi_net/sslcontext_server_client_psk.py | 41 ++-- ...xp => sslcontext_server_client_psk.py.exp} | 0 5 files changed, 104 insertions(+), 138 deletions(-) rename tests/multi_net/{sslcontext_server_client_psk.exp => sslcontext_server_client_psk.py.exp} (100%) diff --git a/extmod/mbedtls/mbedtls_config_common.h b/extmod/mbedtls/mbedtls_config_common.h index bfb9097800ddc..9d2730dae6d1e 100644 --- a/extmod/mbedtls/mbedtls_config_common.h +++ b/extmod/mbedtls/mbedtls_config_common.h 
@@ -47,18 +47,7 @@ #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - -// Enable PSK support #define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED - -// Enable DHE support (required for DHE-PSK) -#define MBEDTLS_DHM_C -#define MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED - -// Enable PSK key exchange methods that need additional prerequisites -#define MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -#define MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED #define MBEDTLS_CAN_ECDH #define MBEDTLS_PK_CAN_ECDSA_SIGN #define MBEDTLS_PKCS1_V15 @@ -80,7 +69,6 @@ #define MBEDTLS_BIGNUM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_DHM_C #define MBEDTLS_ECDH_C #define MBEDTLS_ECDSA_C #define MBEDTLS_ECP_C diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index ff62d0878b9a8..2113d6f2c893f 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c @@ -53,6 +53,7 @@ #endif #include "mbedtls/debug.h" #include "mbedtls/error.h" +#include "mbedtls/ssl_ciphersuites.h" #if MBEDTLS_VERSION_NUMBER >= 0x03000000 #include "mbedtls/build_info.h" #else @@ -92,11 +93,11 @@ typedef struct _mp_obj_ssl_context_t { #if MICROPY_PY_SSL_ECDSA_SIGN_ALT mp_obj_t ecdsa_sign_callback; #endif - // Fields for PSK support - unsigned char *psk; - size_t psk_len; - unsigned char *psk_identity; - size_t psk_identity_len; + + // PSK support + mp_obj_t psk_identity; // PSK identity (string) + mp_obj_t psk_key; // PSK key (bytes) + bool use_psk; // Flag to indicate if PSK should be used } mp_obj_ssl_context_t; // This corresponds to an SSLSocket object. 
@@ -289,11 +290,11 @@ static mp_obj_t ssl_context_make_new(const mp_obj_type_t *type_in, size_t n_args #if MICROPY_PY_SSL_ECDSA_SIGN_ALT self->ecdsa_sign_callback = mp_const_none; #endif + // Initialize PSK fields - self->psk = NULL; - self->psk_len = 0; - self->psk_identity = NULL; - self->psk_identity_len = 0; + self->psk_identity = mp_const_none; + self->psk_key = mp_const_none; + self->use_psk = false; #ifdef MBEDTLS_DEBUG_C // Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose 
@@ -392,10 +393,60 @@ static mp_obj_t ssl_context_get_ciphers(mp_obj_t self_in) { } static MP_DEFINE_CONST_FUN_OBJ_1(ssl_context_get_ciphers_obj, ssl_context_get_ciphers); +// Helper function to set PSK ciphersuites +static void set_psk_ciphersuites(mbedtls_ssl_config *conf) { + // Create a list of PSK ciphersuites + static int *psk_ciphersuites = NULL; + + if (psk_ciphersuites == NULL) { + // Define known PSK ciphersuites + // These are common PSK ciphersuites supported by mbedtls + static const int known_psk_ciphersuites[] = { + MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256, + MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA, + MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA, + MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256, + MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, + 0 // Terminating zero + }; + + // Count available PSK ciphersuites + int count = 0; + for (int i = 0; known_psk_ciphersuites[i] != 0; i++) { + count++; + } + + // Allocate memory for PSK ciphersuites + psk_ciphersuites = m_new(int, count + 1); + if (psk_ciphersuites == NULL) { + mp_raise_OSError(MP_ENOMEM); + } + + // Copy the PSK ciphersuites + for (int i = 0; i <= count; i++) { // Include terminating zero + psk_ciphersuites[i] = known_psk_ciphersuites[i]; + } + } + + // Set PSK ciphersuites + mbedtls_ssl_conf_ciphersuites(conf, psk_ciphersuites); +} + // SSLContext.set_ciphers(ciphersuite) static mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite) { mp_obj_ssl_context_t *ssl_context = MP_OBJ_TO_PTR(self_in); + // Check if ciphersuite is a string "PSK" + if (mp_obj_is_str(ciphersuite)) { + const char *ciphername = mp_obj_str_get_str(ciphersuite); + if (strcmp(ciphername, "PSK") == 0) { + ssl_context->use_psk = true; + set_psk_ciphersuites(&ssl_context->conf); + return mp_const_none; + } + } + + // Original implementation for non-PSK ciphersuites // Check that ciphersuite is a list or tuple. size_t len = 0; mp_obj_t *ciphers; 
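Review bot: `set_psk_ciphersuites` caches an `m_new` allocation in a function-level `static int *`, and nothing in this hunk registers that pointer with the garbage collector, so it can outlive the block it names (once no live context references the array, or across a soft reset) and then be handed to mbedTLS again. The copy is not needed: `known_psk_ciphersuites` is already a zero-terminated `static const` table, so the helper can reduce to `mbedtls_ssl_conf_ciphersuites(conf, known_psk_ciphersuites);`. The `psk_ciphersuites == NULL` branch also looks unreachable if `m_new` raises on failure rather than returning NULL. Every suite in the table is static PSK without forward secrecy and two of them use a SHA-1 MAC, which deserves a comment next to the table for anyone selecting `"PSK"` through `set_ciphers`.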
@@ -477,99 +528,21 @@ static mp_obj_t ssl_context_load_verify_locations(mp_obj_t self_in, mp_obj_t cad } static MP_DEFINE_CONST_FUN_OBJ_2(ssl_context_load_verify_locations_obj, ssl_context_load_verify_locations); -// SSLContext.set_psk(psk, psk_identity) -static mp_obj_t ssl_context_set_psk(mp_obj_t self_in, mp_obj_t psk_obj, mp_obj_t psk_identity_obj) { +// SSLContext.set_psk_identity(identity) +static mp_obj_t ssl_context_set_psk_identity(mp_obj_t self_in, mp_obj_t identity) { mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in); - - // Free any previously allocated PSK data - if (self->psk != NULL) { - #if MICROPY_MALLOC_USES_ALLOCATED_SIZE - m_free(self->psk, self->psk_len); - #else - m_free(self->psk); - #endif - self->psk = NULL; - self->psk_len = 0; - } - - if (self->psk_identity != NULL) { - #if MICROPY_MALLOC_USES_ALLOCATED_SIZE - m_free(self->psk_identity, self->psk_identity_len); - #else - m_free(self->psk_identity); - #endif - self->psk_identity = NULL; - self->psk_identity_len = 0; - } - - // Parse the PSK and PSK identity - mp_buffer_info_t psk_buf; - mp_buffer_info_t psk_id_buf; - - mp_get_buffer_raise(psk_obj, &psk_buf, MP_BUFFER_READ); - mp_get_buffer_raise(psk_identity_obj, &psk_id_buf, MP_BUFFER_READ); - - // Allocate and copy the PSK and PSK identity - self->psk = m_new(unsigned char, psk_buf.len); - self->psk_len = psk_buf.len; - memcpy(self->psk, psk_buf.buf, psk_buf.len); - - self->psk_identity = m_new(unsigned char, psk_id_buf.len); - self->psk_identity_len = psk_id_buf.len; - memcpy(self->psk_identity, psk_id_buf.buf, psk_id_buf.len); - - // Configure mbedTLS to use the PSK - int ret = mbedtls_ssl_conf_psk(&self->conf, self->psk, self->psk_len, - self->psk_identity, self->psk_identity_len); - if (ret != 0) { - mbedtls_raise_error(ret); - } - + self->psk_identity = identity; return mp_const_none; } -static MP_DEFINE_CONST_FUN_OBJ_3(ssl_context_set_psk_obj, ssl_context_set_psk); +static 
MP_DEFINE_CONST_FUN_OBJ_2(ssl_context_set_psk_identity_obj, ssl_context_set_psk_identity); -// SSLContext.set_psk_ciphersuites(ciphersuite_list) -static mp_obj_t ssl_context_set_psk_ciphersuites(mp_obj_t self_in, mp_obj_t ciphersuite_obj) { +// SSLContext.set_psk_key(key) +static mp_obj_t ssl_context_set_psk_key(mp_obj_t self_in, mp_obj_t key) { mp_obj_ssl_context_t *self = MP_OBJ_TO_PTR(self_in); - - // Configure preferred PSK ciphersuites - - // Check that ciphersuite is a list or tuple. - size_t len = 0; - mp_obj_t *ciphers; - mp_obj_get_array(ciphersuite_obj, &len, &ciphers); - if (len == 0) { - mbedtls_raise_error(MBEDTLS_ERR_SSL_BAD_CONFIG); - } - - // Free any previously allocated ciphersuites array - if (self->ciphersuites != NULL) { - #if MICROPY_MALLOC_USES_ALLOCATED_SIZE - m_free(self->ciphersuites, (len + 1) * sizeof(int)); - #else - m_free(self->ciphersuites); - #endif - } - - // Parse list of ciphers. - self->ciphersuites = m_new(int, len + 1); - for (size_t i = 0; i < len; ++i) { - const char *ciphername = mp_obj_str_get_str(ciphers[i]); - const int id = mbedtls_ssl_get_ciphersuite_id(ciphername); - if (id == 0) { - mbedtls_raise_error(MBEDTLS_ERR_SSL_BAD_CONFIG); - } - self->ciphersuites[i] = id; - } - self->ciphersuites[len] = 0; - - // Configure ciphersuite. - mbedtls_ssl_conf_ciphersuites(&self->conf, (const int *)self->ciphersuites); - + self->psk_key = key; return mp_const_none; } -static MP_DEFINE_CONST_FUN_OBJ_2(ssl_context_set_psk_ciphersuites_obj, ssl_context_set_psk_ciphersuites); +static MP_DEFINE_CONST_FUN_OBJ_2(ssl_context_set_psk_key_obj, ssl_context_set_psk_key); static mp_obj_t ssl_context_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_map_t *kw_args) { enum { ARG_server_side, ARG_do_handshake_on_connect, ARG_server_hostname }; 
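Review bot: `ssl_context_set_psk_identity` and `ssl_context_set_psk_key` store whatever object they are given, so a wrong type or an empty key is only discovered later, when a socket is wrapped. Validating in the setter, e.g. `mp_buffer_info_t bufinfo; mp_get_buffer_raise(key, &bufinfo, MP_BUFFER_READ);` followed by a length check, reports the mistake where it is made. Holding the key as a Python object also means it cannot be wiped when it is replaced, which the removed `m_free` path at least allowed; a comment on the `psk_key` field should state that trade-off.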
@@ -599,9 +572,9 @@ static const mp_rom_map_elem_t ssl_context_locals_dict_table[] = { { MP_ROM_QSTR(MP_QSTR_set_ciphers), MP_ROM_PTR(&ssl_context_set_ciphers_obj)}, { MP_ROM_QSTR(MP_QSTR_load_cert_chain), MP_ROM_PTR(&ssl_context_load_cert_chain_obj)}, { MP_ROM_QSTR(MP_QSTR_load_verify_locations), MP_ROM_PTR(&ssl_context_load_verify_locations_obj)}, - { MP_ROM_QSTR(MP_QSTR_set_psk), MP_ROM_PTR(&ssl_context_set_psk_obj)}, - { MP_ROM_QSTR(MP_QSTR_set_psk_ciphersuites), MP_ROM_PTR(&ssl_context_set_psk_ciphersuites_obj)}, { MP_ROM_QSTR(MP_QSTR_wrap_socket), MP_ROM_PTR(&ssl_context_wrap_socket_obj) }, + { MP_ROM_QSTR(MP_QSTR_set_psk_identity), MP_ROM_PTR(&ssl_context_set_psk_identity_obj) }, + { MP_ROM_QSTR(MP_QSTR_set_psk_key), MP_ROM_PTR(&ssl_context_set_psk_key_obj) }, }; static MP_DEFINE_CONST_DICT(ssl_context_locals_dict, ssl_context_locals_dict_table); @@ -709,6 +682,22 @@ static mp_obj_t ssl_socket_make_new(mp_obj_ssl_context_t *ssl_context, mp_obj_t mbedtls_ssl_init(&o->ssl); + // Configure PSK if enabled + if (ssl_context->use_psk && ssl_context->psk_identity != mp_const_none && ssl_context->psk_key != mp_const_none) { + // Get PSK identity and key + size_t psk_identity_len; + const byte *psk_identity = (const byte *)mp_obj_str_get_data(ssl_context->psk_identity, &psk_identity_len); + + size_t psk_key_len; + const byte *psk_key = (const byte *)mp_obj_str_get_data(ssl_context->psk_key, &psk_key_len); + + // Configure PSK + ret = mbedtls_ssl_conf_psk(&ssl_context->conf, psk_key, psk_key_len, psk_identity, psk_identity_len); + if (ret != 0) { + goto cleanup; + } + } + ret = mbedtls_ssl_setup(&o->ssl, &ssl_context->conf); #if !MICROPY_MBEDTLS_CONFIG_BARE_METAL if (ret == MBEDTLS_ERR_SSL_ALLOC_FAILED) { diff --git a/ports/esp32/boards/sdkconfig.base b/ports/esp32/boards/sdkconfig.base index 34d15e7b9a0c4..73c131f9cfb89 100644 --- a/ports/esp32/boards/sdkconfig.base +++ b/ports/esp32/boards/sdkconfig.base 
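Review bot: In the `ssl_socket_make_new` hunk the PSK block is skipped silently when `use_psk` is set but the identity or key is still `mp_const_none`, so the handshake goes ahead with PSK-only suites and no key; a key set without `set_ciphers("PSK")` is ignored just as quietly. Failing explicitly in the first case, e.g. `ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; goto cleanup;`, makes the misconfiguration visible and stays on the existing cleanup path. `mp_obj_str_get_data` raises on a non-string object instead of going through `goto cleanup`, and `mbedtls_ssl_conf_psk` rewrites the shared `ssl_context->conf` on every wrap, which may matter if another socket from the same context is mid-handshake. The function starts and ends outside the hunk.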
@@ -68,11 +68,7 @@ CONFIG_MBEDTLS_HAVE_TIME=y CONFIG_MBEDTLS_SSL_PROTO_DTLS=y # Enable PSK (Pre-Shared Key) support -CONFIG_MBEDTLS_PSK_MODES=y -CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=y -CONFIG_MBEDTLS_KEY_EXCHANGE_DHE_PSK=y -CONFIG_MBEDTLS_KEY_EXCHANGE_ECDHE_PSK=y -CONFIG_MBEDTLS_KEY_EXCHANGE_RSA_PSK=y +CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y # Disable ALPN support as it's not implemented in MicroPython CONFIG_MBEDTLS_SSL_ALPN=n diff --git a/tests/multi_net/sslcontext_server_client_psk.py b/tests/multi_net/sslcontext_server_client_psk.py index 4620ee7729e92..bb1ad2dd3f4e5 100644 --- a/tests/multi_net/sslcontext_server_client_psk.py +++ b/tests/multi_net/sslcontext_server_client_psk.py 
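Review bot: `CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y` looks like the mbedTLS macro name with a `CONFIG_` prefix rather than an ESP-IDF option; the lines it replaces used `CONFIG_MBEDTLS_PSK_MODES=y` and `CONFIG_MBEDTLS_KEY_EXCHANGE_PSK=y`. If Kconfig does not know the symbol it is dropped, and PSK would stay disabled on esp32 without any build error. Keeping those two removed lines and dropping only the DHE/ECDHE/RSA variants would match the trimmed `mbedtls_config_common.h`; please confirm against the IDF version in use.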
@@ -1,64 +1,57 @@ -# Test creating an SSL connection using PSK (Pre-Shared Key). +# Test TCP server and client with TLS-PSK, using set_psk_identity(), +# set_psk_key(), and set_ciphers("PSK"). try: import socket import tls - import multitest except ImportError: print("SKIP") raise SystemExit PORT = 8000 -# PSK and identity values -psk = b"micropython-psk-secret" -psk_identity = b"micropython-client" -# Server +# TLS Server def instance0(): multitest.globals(IP=multitest.get_network_ip()) + s = socket.socket() s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) s.listen(1) + multitest.next() + s2, _ = s.accept() server_ctx = tls.SSLContext(tls.PROTOCOL_TLS_SERVER) - # Set PSK and identity for server - server_ctx.set_psk(psk, psk_identity) - - # Configure PSK ciphersuites - server_ctx.set_psk_ciphersuites(["TLS-PSK-WITH-AES-128-CBC-SHA256"]) + # Configure PSK + server_ctx.set_psk_identity("PSK-Identity-1") + server_ctx.set_psk_key(bytes.fromhex("c0ffee")) + server_ctx.set_ciphers("PSK") s2 = server_ctx.wrap_socket(s2, server_side=True) - assert isinstance(s2.cipher(), tuple) - cipher_info = s2.cipher() - # PSK cipher should be used - assert "PSK" in cipher_info[0], f"Expected PSK cipher, got {cipher_info[0]}" + print(s2.read(16)) s2.write(b"server to client") + s2.close() s.close() -# Client +# TLS Client def instance1(): multitest.next() s = socket.socket() s.connect(socket.getaddrinfo(IP, PORT)[0][-1]) client_ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) - # Set PSK and identity for client - client_ctx.set_psk(psk, psk_identity) - - # Configure PSK ciphersuites - client_ctx.set_psk_ciphersuites(["TLS-PSK-WITH-AES-128-CBC-SHA256"]) + # Configure PSK + client_ctx.set_psk_identity("PSK-Identity-1") + client_ctx.set_psk_key(bytes.fromhex("c0ffee")) + client_ctx.set_ciphers("PSK") s = client_ctx.wrap_socket(s, server_hostname="micropython.local") - cipher_info = s.cipher() - # PSK cipher should be used - assert 
"PSK" in cipher_info[0], f"Expected PSK cipher, got {cipher_info[0]}" s.write(b"client to server") print(s.read(16)) s.close() \ No newline at end of file diff --git a/tests/multi_net/sslcontext_server_client_psk.exp b/tests/multi_net/sslcontext_server_client_psk.py.exp similarity index 100% rename from tests/multi_net/sslcontext_server_client_psk.exp rename to tests/multi_net/sslcontext_server_client_psk.py.exp From 7b988253f7958ff80106f992352bcaf785da940a Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 16:33:52 -0700 Subject: [PATCH 11/21] updates --- tests/extmod/tls_sslcontext_psk.py | 7 ++++--- .../{tls_sslcontext_psk.exp => tls_sslcontext_psk.py.exp} | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) rename tests/extmod/{tls_sslcontext_psk.exp => tls_sslcontext_psk.py.exp} (70%) diff --git a/tests/extmod/tls_sslcontext_psk.py b/tests/extmod/tls_sslcontext_psk.py index 1814711486c0c..4bf531efc16d8 100644 --- a/tests/extmod/tls_sslcontext_psk.py +++ b/tests/extmod/tls_sslcontext_psk.py @@ -10,12 +10,13 @@ ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) # Test setting PSK and identity -psk = b"test-preshared-key" identity = b"test-identity" +psk = b"test-preshared-key" # Test the PSK functionality - this will throw an exception if PSK is not supported try: - ctx.set_psk(psk, identity) + ctx.set_psk_identity(identity) + ctx.set_psk_key(psk) print("PSK successfully set") except Exception as e: print("Failed to set PSK:", e) @@ -30,4 +31,4 @@ print("Failed to set PSK ciphersuites:", e) raise SystemExit -print("PSK test complete") \ No newline at end of file +print("PSK test complete") diff --git a/tests/extmod/tls_sslcontext_psk.exp b/tests/extmod/tls_sslcontext_psk.py.exp similarity index 70% rename from tests/extmod/tls_sslcontext_psk.exp rename to tests/extmod/tls_sslcontext_psk.py.exp index 42d4daaac48c5..94990e4cd2efb 100644 --- a/tests/extmod/tls_sslcontext_psk.exp +++ b/tests/extmod/tls_sslcontext_psk.py.exp 
@@ -1,3 +1,3 @@ PSK successfully set PSK ciphersuites set -PSK test complete \ No newline at end of file +PSK test complete From d02d16c54abafd620245b85252f5bdc9bc80c92d Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 16:43:51 -0700 Subject: [PATCH 12/21] fix test --- tests/extmod/tls_sslcontext_psk.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/extmod/tls_sslcontext_psk.py b/tests/extmod/tls_sslcontext_psk.py index 4bf531efc16d8..f338a4e6896e8 100644 --- a/tests/extmod/tls_sslcontext_psk.py +++ b/tests/extmod/tls_sslcontext_psk.py @@ -23,9 +23,9 @@ raise SystemExit # Test setting PSK ciphersuites with error handling -# Try with one basic PSK ciphersuite that should be widely supported +# Use set_ciphers("PSK") to enable PSK mode try: - ctx.set_psk_ciphersuites(["TLS-PSK-WITH-AES-128-CBC-SHA256"]) + ctx.set_ciphers("PSK") print("PSK ciphersuites set") except Exception as e: print("Failed to set PSK ciphersuites:", e) From d959f85695c33f188a75a38c0b9589826f31739e Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 17:16:17 -0700 Subject: [PATCH 13/21] Update to specific ciphersuite --- extmod/modtls_mbedtls.c | 29 +++++++++++++++- tests/extmod/tls_sslcontext_psk.py | 34 ------------------- tests/extmod/tls_sslcontext_psk.py.exp | 3 -- .../multi_net/sslcontext_server_client_psk.py | 4 +-- 4 files changed, 30 insertions(+), 40 deletions(-) delete mode 100644 tests/extmod/tls_sslcontext_psk.py delete mode 100644 tests/extmod/tls_sslcontext_psk.py.exp diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index 2113d6f2c893f..9fbcebc6b81ba 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c 
@@ -436,14 +436,41 @@ static void set_psk_ciphersuites(mbedtls_ssl_config *conf) { static mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite) { mp_obj_ssl_context_t *ssl_context = MP_OBJ_TO_PTR(self_in); - // Check if ciphersuite is a string "PSK" + // Check if ciphersuite is a string if (mp_obj_is_str(ciphersuite)) { const char *ciphername = mp_obj_str_get_str(ciphersuite); + + // Check for generic "PSK" mode if (strcmp(ciphername, "PSK") == 0) { ssl_context->use_psk = true; set_psk_ciphersuites(&ssl_context->conf); return mp_const_none; } + + // Check if this is a PSK ciphersuite name + if (strncmp(ciphername, "PSK-", 4) == 0 || + strncmp(ciphername, "TLS-PSK-", 8) == 0 || + strncmp(ciphername, "TLS_PSK_", 8) == 0) { + + // Try to look up the ciphersuite ID + const int id = mbedtls_ssl_get_ciphersuite_id(ciphername); + if (id != 0) { + // Enable PSK mode + ssl_context->use_psk = true; + + // Create a ciphersuite array with just this one ciphersuite + ssl_context->ciphersuites = m_new(int, 2); + if (ssl_context->ciphersuites == NULL) { + mp_raise_OSError(MP_ENOMEM); + } + ssl_context->ciphersuites[0] = id; + ssl_context->ciphersuites[1] = 0; // Terminating zero + + // Configure the ciphersuite + mbedtls_ssl_conf_ciphersuites(&ssl_context->conf, (const int *)ssl_context->ciphersuites); + return mp_const_none; + } + } } // Original implementation for non-PSK ciphersuites diff --git a/tests/extmod/tls_sslcontext_psk.py b/tests/extmod/tls_sslcontext_psk.py deleted file mode 100644 index f338a4e6896e8..0000000000000 --- a/tests/extmod/tls_sslcontext_psk.py +++ /dev/null 
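Review bot: The prefix test `strncmp(ciphername, "PSK-", 4) == 0 || ...` only recognises plain-PSK names, so a suite such as `TLS-ECDHE-PSK-WITH-...` or `TLS-DHE-PSK-WITH-...` never sets `use_psk`, although the series enables those key exchanges in `mbedtls_config_common.h`. Such a name falls through to the non-PSK path below and the key is then never installed, because the socket code only calls `mbedtls_ssl_conf_psk()` when `use_psk` is set; this also steers users away from the forward-secret PSK variants. Matching on the substring, `if (strstr(ciphername, "PSK") != NULL) {`, or on the looked-up suite's key-exchange type, would cover them. The `NULL` check after `m_new(int, 2)` looks unreachable, since `m_new` raises on allocation failure. The function continues outside this hunk.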
@@ -1,34 +0,0 @@ -# Test for the PSK (Pre-Shared Key) functionality in tls.SSLContext - -try: - import tls -except ImportError: - print("SKIP") - raise SystemExit - -# Create a TLS context -ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) - -# Test setting PSK and identity -identity = b"test-identity" -psk = b"test-preshared-key" - -# Test the PSK functionality - this will throw an exception if PSK is not supported -try: - ctx.set_psk_identity(identity) - ctx.set_psk_key(psk) - print("PSK successfully set") -except Exception as e: - print("Failed to set PSK:", e) - raise SystemExit - -# Test setting PSK ciphersuites with error handling -# Use set_ciphers("PSK") to enable PSK mode -try: - ctx.set_ciphers("PSK") - print("PSK ciphersuites set") -except Exception as e: - print("Failed to set PSK ciphersuites:", e) - raise SystemExit - -print("PSK test complete") diff --git a/tests/extmod/tls_sslcontext_psk.py.exp b/tests/extmod/tls_sslcontext_psk.py.exp deleted file mode 100644 index 94990e4cd2efb..0000000000000 --- a/tests/extmod/tls_sslcontext_psk.py.exp +++ /dev/null @@ -1,3 +0,0 @@ -PSK successfully set -PSK ciphersuites set -PSK test complete diff --git a/tests/multi_net/sslcontext_server_client_psk.py b/tests/multi_net/sslcontext_server_client_psk.py index bb1ad2dd3f4e5..69b3237871c48 100644 --- a/tests/multi_net/sslcontext_server_client_psk.py +++ b/tests/multi_net/sslcontext_server_client_psk.py @@ -28,7 +28,7 @@ def instance0(): # Configure PSK server_ctx.set_psk_identity("PSK-Identity-1") server_ctx.set_psk_key(bytes.fromhex("c0ffee")) - server_ctx.set_ciphers("PSK") + server_ctx.set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256") # Use specific PSK ciphersuite s2 = server_ctx.wrap_socket(s2, server_side=True) 
@@ -49,7 +49,7 @@ def instance1(): # Configure PSK client_ctx.set_psk_identity("PSK-Identity-1") client_ctx.set_psk_key(bytes.fromhex("c0ffee")) - client_ctx.set_ciphers("PSK") + client_ctx.set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256") # Use specific PSK ciphersuite s = client_ctx.wrap_socket(s, server_hostname="micropython.local") s.write(b"client to server") From f228895887821afdb7c0beee9e9934141e1d1821 Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 17:29:38 -0700 Subject: [PATCH 14/21] Update tests --- .../multi_net/sslcontext_server_client_psk.py | 16 ++---- .../sslcontext_server_client_psk_cipher.py | 52 +++++++++++++++++++ ...sslcontext_server_client_psk_cipher.py.exp | 4 ++ 3 files changed, 61 insertions(+), 11 deletions(-) create mode 100644 tests/multi_net/sslcontext_server_client_psk_cipher.py create mode 100644 tests/multi_net/sslcontext_server_client_psk_cipher.py.exp diff --git a/tests/multi_net/sslcontext_server_client_psk.py b/tests/multi_net/sslcontext_server_client_psk.py index 69b3237871c48..31ffde6d19550 100644 --- a/tests/multi_net/sslcontext_server_client_psk.py +++ b/tests/multi_net/sslcontext_server_client_psk.py @@ -1,4 +1,4 @@ -# Test TCP server and client with TLS-PSK, using set_psk_identity(), +# Test TCP server and client with TLS-PSK, using set_psk_identity(), # set_psk_key(), and set_ciphers("PSK"). try: 
@@ -10,36 +10,30 @@ PORT = 8000 - -# TLS Server +# Server def instance0(): multitest.globals(IP=multitest.get_network_ip()) - s = socket.socket() s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) s.listen(1) - multitest.next() - s2, _ = s.accept() server_ctx = tls.SSLContext(tls.PROTOCOL_TLS_SERVER) # Configure PSK server_ctx.set_psk_identity("PSK-Identity-1") server_ctx.set_psk_key(bytes.fromhex("c0ffee")) - server_ctx.set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256") # Use specific PSK ciphersuite + server_ctx.set_ciphers("PSK") # Use generic PSK mode s2 = server_ctx.wrap_socket(s2, server_side=True) - print(s2.read(16)) s2.write(b"server to client") - s2.close() s.close() -# TLS Client +# Client def instance1(): multitest.next() s = socket.socket() @@ -49,7 +43,7 @@ def instance1(): # Configure PSK client_ctx.set_psk_identity("PSK-Identity-1") client_ctx.set_psk_key(bytes.fromhex("c0ffee")) - client_ctx.set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256") # Use specific PSK ciphersuite + client_ctx.set_ciphers("PSK") # Use generic PSK mode s = client_ctx.wrap_socket(s, server_hostname="micropython.local") s.write(b"client to server") diff --git a/tests/multi_net/sslcontext_server_client_psk_cipher.py b/tests/multi_net/sslcontext_server_client_psk_cipher.py new file mode 100644 index 0000000000000..d0df879af0dce --- /dev/null +++ b/tests/multi_net/sslcontext_server_client_psk_cipher.py 
@@ -0,0 +1,52 @@ +# Test TCP server and client with TLS-PSK, using set_psk_identity(), +# set_psk_key(), and set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256"). + +try: + import socket + import tls +except ImportError: + print("SKIP") + raise SystemExit + +PORT = 8000 + +# Server +def instance0(): + multitest.globals(IP=multitest.get_network_ip()) + s = socket.socket() + s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) + s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) + s.listen(1) + multitest.next() + s2, _ = s.accept() + server_ctx = tls.SSLContext(tls.PROTOCOL_TLS_SERVER) + + # Configure PSK with specific ciphersuite + server_ctx.set_psk_identity("PSK-Identity-1") + server_ctx.set_psk_key(bytes.fromhex("c0ffee")) + server_ctx.set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256") + + s2 = server_ctx.wrap_socket(s2, server_side=True) + print(s2.read(16)) + s2.write(b"server to client") + s2.close() + s.close() + + +# Client +def instance1(): + multitest.next() + s = socket.socket() + s.connect(socket.getaddrinfo(IP, PORT)[0][-1]) + client_ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) + + # Configure PSK with specific ciphersuite + client_ctx.set_psk_identity("PSK-Identity-1") + client_ctx.set_psk_key(bytes.fromhex("c0ffee")) + client_ctx.set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256") + + s = client_ctx.wrap_socket(s, server_hostname="micropython.local") + s.write(b"client to server") + print(s.read(16)) + s.close() + \ No newline at end of file diff --git a/tests/multi_net/sslcontext_server_client_psk_cipher.py.exp b/tests/multi_net/sslcontext_server_client_psk_cipher.py.exp new file mode 100644 index 0000000000000..909c496d019e1 --- /dev/null +++ b/tests/multi_net/sslcontext_server_client_psk_cipher.py.exp @@ -0,0 +1,4 @@ +--- instance0 --- +b'client to server' +--- instance1 --- +b'server to client' From cc855c98e525429e3951a905ce25eb31ee7a0022 Mon Sep 17 00:00:00 2001 
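Review bot: Neither instance checks which suite was negotiated or that a wrong key is refused, so this test passes on any successful 16-byte exchange. Since the file exists to cover the named-suite path, assert it after `wrap_socket`, e.g. `assert "PSK" in s.cipher()[0]`, as the earlier version of `sslcontext_server_client_psk.py` did before those assertions were dropped in this series. A companion case where the client key differs and the handshake is expected to raise would show that the key is actually enforced.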
From: Keenan Johnson Date: Tue, 29 Apr 2025 19:26:29 -0700 Subject: [PATCH 15/21] Update test --- .../multi_net/sslcontext_server_client_psk.py | 20 +++++++++++++------ .../sslcontext_server_client_psk_cipher.py | 20 +++++++++++++------ 2 files changed, 28 insertions(+), 12 deletions(-) diff --git a/tests/multi_net/sslcontext_server_client_psk.py b/tests/multi_net/sslcontext_server_client_psk.py index 31ffde6d19550..36d78ded565f6 100644 --- a/tests/multi_net/sslcontext_server_client_psk.py +++ b/tests/multi_net/sslcontext_server_client_psk.py @@ -10,21 +10,28 @@ PORT = 8000 +PSK_ID = "PSK-Identity-1" +PSK_KEY = "c0ffee" +PSK_CIPHER = "PSK" + # Server def instance0(): multitest.globals(IP=multitest.get_network_ip()) + s = socket.socket() s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) s.listen(1) + multitest.next() + s2, _ = s.accept() server_ctx = tls.SSLContext(tls.PROTOCOL_TLS_SERVER) # Configure PSK - server_ctx.set_psk_identity("PSK-Identity-1") - server_ctx.set_psk_key(bytes.fromhex("c0ffee")) - server_ctx.set_ciphers("PSK") # Use generic PSK mode + server_ctx.set_psk_identity(PSK_ID) + server_ctx.set_psk_key(bytes.fromhex(PSK_KEY)) + server_ctx.set_ciphers(PSK_CIPHER) s2 = server_ctx.wrap_socket(s2, server_side=True) print(s2.read(16)) @@ -36,14 +43,15 @@ def instance0(): # Client def instance1(): multitest.next() + s = socket.socket() s.connect(socket.getaddrinfo(IP, PORT)[0][-1]) client_ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) # Configure PSK - client_ctx.set_psk_identity("PSK-Identity-1") - client_ctx.set_psk_key(bytes.fromhex("c0ffee")) - client_ctx.set_ciphers("PSK") # Use generic PSK mode + client_ctx.set_psk_identity(PSK_ID) + client_ctx.set_psk_key(bytes.fromhex(PSK_KEY)) + client_ctx.set_ciphers(PSK_CIPHER) s = client_ctx.wrap_socket(s, server_hostname="micropython.local") s.write(b"client to server") 
diff --git a/tests/multi_net/sslcontext_server_client_psk_cipher.py b/tests/multi_net/sslcontext_server_client_psk_cipher.py index d0df879af0dce..60a0c034105f6 100644 --- a/tests/multi_net/sslcontext_server_client_psk_cipher.py +++ b/tests/multi_net/sslcontext_server_client_psk_cipher.py @@ -10,21 +10,28 @@ PORT = 8000 +PSK_ID = "PSK-Identity-1" +PSK_KEY = "c0ffee" +PSK_CIPHER = "TLS-PSK-WITH-AES-128-CBC-SHA256" + # Server def instance0(): multitest.globals(IP=multitest.get_network_ip()) + s = socket.socket() s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) s.listen(1) + multitest.next() + s2, _ = s.accept() server_ctx = tls.SSLContext(tls.PROTOCOL_TLS_SERVER) # Configure PSK with specific ciphersuite - server_ctx.set_psk_identity("PSK-Identity-1") - server_ctx.set_psk_key(bytes.fromhex("c0ffee")) - server_ctx.set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256") + server_ctx.set_psk_identity(PSK_ID) + server_ctx.set_psk_key(bytes.fromhex(PSK_KEY)) + server_ctx.set_ciphers(PSK_CIPHER) s2 = server_ctx.wrap_socket(s2, server_side=True) print(s2.read(16)) @@ -36,14 +43,15 @@ def instance0(): # Client def instance1(): multitest.next() + s = socket.socket() s.connect(socket.getaddrinfo(IP, PORT)[0][-1]) client_ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) # Configure PSK with specific ciphersuite - client_ctx.set_psk_identity("PSK-Identity-1") - client_ctx.set_psk_key(bytes.fromhex("c0ffee")) - client_ctx.set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256") + client_ctx.set_psk_identity(PSK_ID) + client_ctx.set_psk_key(bytes.fromhex(PSK_KEY)) + client_ctx.set_ciphers(PSK_CIPHER) s = client_ctx.wrap_socket(s, server_hostname="micropython.local") s.write(b"client to server") From 531ca9366b4d942638b9b6053c3184587b0e2034 Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 19:53:25 -0700 Subject: [PATCH 16/21] test --- extmod/modtls_mbedtls.c | 10 ++++++++++ 1 file changed, 10 insertions(+) 
diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index 9fbcebc6b81ba..53984ae5e6c8b 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c @@ -64,6 +64,13 @@ #include "mbedtls/asn1.h" #endif +// Forward declaration of mbedtls_ssl_conf_psk +// This is needed because the function might not be declared in the included headers +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) +int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, + const unsigned char *psk_identity, size_t psk_identity_len); +#endif + #ifndef MICROPY_MBEDTLS_CONFIG_BARE_METAL #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (0) #endif @@ -711,6 +718,9 @@ static mp_obj_t ssl_socket_make_new(mp_obj_ssl_context_t *ssl_context, mp_obj_t // Configure PSK if enabled if (ssl_context->use_psk && ssl_context->psk_identity != mp_const_none && ssl_context->psk_key != mp_const_none) { + #if !defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) + mp_raise_msg(&mp_type_NotImplementedError, MP_ERROR_TEXT("PSK not supported")); + #endif // Get PSK identity and key size_t psk_identity_len; const byte *psk_identity = (const byte *)mp_obj_str_get_data(ssl_context->psk_identity, &psk_identity_len); From f53c433d670e867196359376faddbb8bf963270b Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 19:58:44 -0700 Subject: [PATCH 17/21] Fix formatting --- tests/multi_net/sslcontext_server_client_psk.py | 10 +--------- tests/multi_net/sslcontext_server_client_psk_cipher.py | 8 -------- 2 files changed, 1 insertion(+), 17 deletions(-) diff --git a/tests/multi_net/sslcontext_server_client_psk.py b/tests/multi_net/sslcontext_server_client_psk.py index 36d78ded565f6..b83cb749a9014 100644 --- a/tests/multi_net/sslcontext_server_client_psk.py +++ b/tests/multi_net/sslcontext_server_client_psk.py 
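Review bot: The `#if !defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)` guard in `ssl_socket_make_new` only adds a raise; the `mbedtls_ssl_conf_psk()` call after it is still compiled, so a build without PSK fails to compile or link instead of reporting `PSK not supported` at runtime. Wrapping the whole PSK branch in `#if defined(...)`, with the raise in the `#else`, keeps such builds working. The hand-written prototype added near the includes has the same weakness: it hides a missing declaration rather than fixing the configuration, and it can drift from the library's signature. PATCH 21/21 later removes both the prototype and the guard, which leaves the call unconditional. The function body extends beyond this hunk.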
@@ -17,22 +17,17 @@ # Server def instance0(): multitest.globals(IP=multitest.get_network_ip()) - s = socket.socket() s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) s.listen(1) - multitest.next() - s2, _ = s.accept() server_ctx = tls.SSLContext(tls.PROTOCOL_TLS_SERVER) - # Configure PSK server_ctx.set_psk_identity(PSK_ID) server_ctx.set_psk_key(bytes.fromhex(PSK_KEY)) server_ctx.set_ciphers(PSK_CIPHER) - s2 = server_ctx.wrap_socket(s2, server_side=True) print(s2.read(16)) s2.write(b"server to client") @@ -43,17 +38,14 @@ def instance0(): # Client def instance1(): multitest.next() - s = socket.socket() s.connect(socket.getaddrinfo(IP, PORT)[0][-1]) client_ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) - # Configure PSK client_ctx.set_psk_identity(PSK_ID) client_ctx.set_psk_key(bytes.fromhex(PSK_KEY)) client_ctx.set_ciphers(PSK_CIPHER) - s = client_ctx.wrap_socket(s, server_hostname="micropython.local") s.write(b"client to server") print(s.read(16)) - s.close() \ No newline at end of file + s.close() diff --git a/tests/multi_net/sslcontext_server_client_psk_cipher.py b/tests/multi_net/sslcontext_server_client_psk_cipher.py index 60a0c034105f6..b6c39135cb215 100644 --- a/tests/multi_net/sslcontext_server_client_psk_cipher.py +++ b/tests/multi_net/sslcontext_server_client_psk_cipher.py @@ -17,22 +17,17 @@ # Server def instance0(): multitest.globals(IP=multitest.get_network_ip()) - s = socket.socket() s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1]) s.listen(1) - multitest.next() - s2, _ = s.accept() server_ctx = tls.SSLContext(tls.PROTOCOL_TLS_SERVER) - # Configure PSK with specific ciphersuite server_ctx.set_psk_identity(PSK_ID) server_ctx.set_psk_key(bytes.fromhex(PSK_KEY)) server_ctx.set_ciphers(PSK_CIPHER) - s2 = server_ctx.wrap_socket(s2, server_side=True) print(s2.read(16)) s2.write(b"server to client") 
@@ -43,16 +38,13 @@ def instance0(): # Client def instance1(): multitest.next() - s = socket.socket() s.connect(socket.getaddrinfo(IP, PORT)[0][-1]) client_ctx = tls.SSLContext(tls.PROTOCOL_TLS_CLIENT) - # Configure PSK with specific ciphersuite client_ctx.set_psk_identity(PSK_ID) client_ctx.set_psk_key(bytes.fromhex(PSK_KEY)) client_ctx.set_ciphers(PSK_CIPHER) - s = client_ctx.wrap_socket(s, server_hostname="micropython.local") s.write(b"client to server") print(s.read(16)) From 95d4950b2e0e52a1280531a4aab5882b911f2549 Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 20:02:56 -0700 Subject: [PATCH 18/21] fix formatting --- tests/multi_net/sslcontext_server_client_psk.py | 1 + tests/multi_net/sslcontext_server_client_psk_cipher.py | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/multi_net/sslcontext_server_client_psk.py b/tests/multi_net/sslcontext_server_client_psk.py index b83cb749a9014..edbef11c314f3 100644 --- a/tests/multi_net/sslcontext_server_client_psk.py +++ b/tests/multi_net/sslcontext_server_client_psk.py @@ -14,6 +14,7 @@ PSK_KEY = "c0ffee" PSK_CIPHER = "PSK" + # Server def instance0(): multitest.globals(IP=multitest.get_network_ip()) diff --git a/tests/multi_net/sslcontext_server_client_psk_cipher.py b/tests/multi_net/sslcontext_server_client_psk_cipher.py index b6c39135cb215..9182b225d8f2b 100644 --- a/tests/multi_net/sslcontext_server_client_psk_cipher.py +++ b/tests/multi_net/sslcontext_server_client_psk_cipher.py @@ -1,4 +1,4 @@ -# Test TCP server and client with TLS-PSK, using set_psk_identity(), +# Test TCP server and client with TLS-PSK, using set_psk_identity(), # set_psk_key(), and set_ciphers("TLS-PSK-WITH-AES-128-CBC-SHA256"). try: @@ -14,6 +14,7 @@ PSK_KEY = "c0ffee" PSK_CIPHER = "TLS-PSK-WITH-AES-128-CBC-SHA256" + # Server def instance0(): multitest.globals(IP=multitest.get_network_ip()) From f2e233e8a25665c81382d80e71f8a6d307ec73e6 Mon Sep 17 00:00:00 2001 
From: Keenan Johnson Date: Tue, 29 Apr 2025 20:06:43 -0700 Subject: [PATCH 19/21] Update sslcontext_server_client_psk_cipher.py --- tests/multi_net/sslcontext_server_client_psk_cipher.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tests/multi_net/sslcontext_server_client_psk_cipher.py b/tests/multi_net/sslcontext_server_client_psk_cipher.py index 9182b225d8f2b..e2401d4733f45 100644 --- a/tests/multi_net/sslcontext_server_client_psk_cipher.py +++ b/tests/multi_net/sslcontext_server_client_psk_cipher.py @@ -50,4 +50,3 @@ def instance1(): s.write(b"client to server") print(s.read(16)) s.close() - \ No newline at end of file From 4718d44452341639891c53d8bde411a02ca4c61e Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Tue, 29 Apr 2025 20:34:01 -0700 Subject: [PATCH 20/21] Remove esp32 for now --- ports/esp32/boards/sdkconfig.base | 3 --- 1 file changed, 3 deletions(-) diff --git a/ports/esp32/boards/sdkconfig.base b/ports/esp32/boards/sdkconfig.base index 73c131f9cfb89..530db427119ca 100644 --- a/ports/esp32/boards/sdkconfig.base +++ b/ports/esp32/boards/sdkconfig.base @@ -67,9 +67,6 @@ CONFIG_MBEDTLS_HAVE_TIME=y # Enable DTLS CONFIG_MBEDTLS_SSL_PROTO_DTLS=y -# Enable PSK (Pre-Shared Key) support -CONFIG_MBEDTLS_KEY_EXCHANGE_PSK_ENABLED=y - # Disable ALPN support as it's not implemented in MicroPython CONFIG_MBEDTLS_SSL_ALPN=n From 162278775b14124c23336fcc077d84168d6dcc77 Mon Sep 17 00:00:00 2001 From: Keenan Johnson Date: Wed, 30 Apr 2025 10:59:05 -0700 Subject: [PATCH 21/21] Fix formatting --- extmod/modtls_mbedtls.c | 31 ++++++++++--------------------- 1 file changed, 10 insertions(+), 21 deletions(-) diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index 53984ae5e6c8b..8ef28005c8b34 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c 
@@ -64,13 +64,6 @@ #include "mbedtls/asn1.h" #endif -// Forward declaration of mbedtls_ssl_conf_psk -// This is needed because the function might not be declared in the included headers -#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) -int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf, const unsigned char *psk, size_t psk_len, - const unsigned char *psk_identity, size_t psk_identity_len); -#endif - #ifndef MICROPY_MBEDTLS_CONFIG_BARE_METAL #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (0) #endif @@ -101,7 +94,6 @@ typedef struct _mp_obj_ssl_context_t { mp_obj_t ecdsa_sign_callback; #endif - // PSK support mp_obj_t psk_identity; // PSK identity (string) mp_obj_t psk_key; // PSK key (bytes) bool use_psk; // Flag to indicate if PSK should be used @@ -297,7 +289,7 @@ static mp_obj_t ssl_context_make_new(const mp_obj_type_t *type_in, size_t n_args #if MICROPY_PY_SSL_ECDSA_SIGN_ALT self->ecdsa_sign_callback = mp_const_none; #endif - + // Initialize PSK fields self->psk_identity = mp_const_none; self->psk_key = mp_const_none; @@ -404,7 +396,7 @@ static MP_DEFINE_CONST_FUN_OBJ_1(ssl_context_get_ciphers_obj, ssl_context_get_ci static void set_psk_ciphersuites(mbedtls_ssl_config *conf) { // Create a list of PSK ciphersuites static int *psk_ciphersuites = NULL; - + if (psk_ciphersuites == NULL) { // Define known PSK ciphersuites // These are common PSK ciphersuites supported by mbedtls @@ -422,19 +414,19 @@ static void set_psk_ciphersuites(mbedtls_ssl_config *conf) { for (int i = 0; known_psk_ciphersuites[i] != 0; i++) { count++; } - + // Allocate memory for PSK ciphersuites psk_ciphersuites = m_new(int, count + 1); if (psk_ciphersuites == NULL) { mp_raise_OSError(MP_ENOMEM); } - + // Copy the PSK ciphersuites for (int i = 0; i <= count; i++) { // Include terminating zero psk_ciphersuites[i] = known_psk_ciphersuites[i]; } } - + // Set PSK ciphersuites mbedtls_ssl_conf_ciphersuites(conf, psk_ciphersuites); } 
@@ -453,18 +445,18 @@ static mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite) set_psk_ciphersuites(&ssl_context->conf); return mp_const_none; } - + // Check if this is a PSK ciphersuite name if (strncmp(ciphername, "PSK-", 4) == 0 || strncmp(ciphername, "TLS-PSK-", 8) == 0 || strncmp(ciphername, "TLS_PSK_", 8) == 0) { - + // Try to look up the ciphersuite ID const int id = mbedtls_ssl_get_ciphersuite_id(ciphername); if (id != 0) { // Enable PSK mode ssl_context->use_psk = true; - + // Create a ciphersuite array with just this one ciphersuite ssl_context->ciphersuites = m_new(int, 2); if (ssl_context->ciphersuites == NULL) { @@ -472,7 +464,7 @@ static mp_obj_t ssl_context_set_ciphers(mp_obj_t self_in, mp_obj_t ciphersuite) } ssl_context->ciphersuites[0] = id; ssl_context->ciphersuites[1] = 0; // Terminating zero - + // Configure the ciphersuite mbedtls_ssl_conf_ciphersuites(&ssl_context->conf, (const int *)ssl_context->ciphersuites); return mp_const_none; @@ -718,16 +710,13 @@ static mp_obj_t ssl_socket_make_new(mp_obj_ssl_context_t *ssl_context, mp_obj_t // Configure PSK if enabled if (ssl_context->use_psk && ssl_context->psk_identity != mp_const_none && ssl_context->psk_key != mp_const_none) { - #if !defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - mp_raise_msg(&mp_type_NotImplementedError, MP_ERROR_TEXT("PSK not supported")); - #endif // Get PSK identity and key size_t psk_identity_len; const byte *psk_identity = (const byte *)mp_obj_str_get_data(ssl_context->psk_identity, &psk_identity_len); size_t psk_key_len; const byte *psk_key = (const byte *)mp_obj_str_get_data(ssl_context->psk_key, &psk_key_len); - + // Configure PSK ret = mbedtls_ssl_conf_psk(&ssl_context->conf, psk_key, psk_key_len, psk_identity, psk_identity_len); if (ret != 0) { pFad - Phonifier reborn
