ssl: Restructure micropython interface in a tls module.

felixdoerre · felixdoerre · commit dada5258d130 · 2024-01-30T08:49:49.000Z
Signed-off-by: Felix Dörre &lt;felix@dogcraft.de&gt;
diff --git a/micropython/umqtt.simple/umqtt/simple.py b/micropython/umqtt.simple/umqtt/simple.py
@@ -16,17 +16,15 @@ def __init__(
         user=None,
         password=None,
         keepalive=0,
-        ssl=False,
-        ssl_params={},
+        ssl=None,
     ):
         if port == 0:
-            port = 8883 if ssl else 1883
+            port = 8883 if ssl is not None else 1883
         self.client_id = client_id
         self.sock = None
         self.server = server
         self.port = port
         self.ssl = ssl
-        self.ssl_params = ssl_params
         self.pid = 0
         self.cb = None
         self.user = user
@@ -66,10 +64,8 @@ def connect(self, clean_session=True):
         self.sock = socket.socket()
         addr = socket.getaddrinfo(self.server, self.port)[0][-1]
         self.sock.connect(addr)
-        if self.ssl:
-            import ussl
-
-            self.sock = ussl.wrap_socket(self.sock, **self.ssl_params)
+        if self.ssl is not None:
+            self.sock = self.ssl.wrap_socket(self.sock, server_hostname=self.server)
         premsg = bytearray(b"\x10\0\0\0\0\0")
         msg = bytearray(b"\x04MQTT\x04\x02\0\0")
 
diff --git a/micropython/urllib.urequest/urllib/urequest.py b/micropython/urllib.urequest/urllib/urequest.py
@@ -12,7 +12,7 @@ def urlopen(url, data=None, method="GET"):
     if proto == "http:":
         port = 80
     elif proto == "https:":
-        import ussl
+        import ssl
 
         port = 443
     else:
@@ -29,7 +29,7 @@ def urlopen(url, data=None, method="GET"):
     try:
         s.connect(ai[-1])
         if proto == "https:":
-            s = ussl.wrap_socket(s, server_hostname=host)
+            s = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).wrap_socket(s, server_hostname=host)
 
         s.write(method)
         s.write(b" /")
diff --git a/python-ecosys/requests/requests/__init__.py b/python-ecosys/requests/requests/__init__.py
@@ -63,7 +63,7 @@ def request(
     if proto == "http:":
         port = 80
     elif proto == "https:":
-        import ussl
+        import ssl
 
         port = 443
     else:
@@ -90,7 +90,7 @@ def request(
     try:
         s.connect(ai[-1])
         if proto == "https:":
-            s = ussl.wrap_socket(s, server_hostname=host)
+            s = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).wrap_socket(s, server_hostname=host)
         s.write(b"%s /%s HTTP/1.0\r\n" % (method, path))
         if "Host" not in headers:
             s.write(b"Host: %s\r\n" % host)
diff --git a/python-stdlib/ssl/ssl.py b/python-stdlib/ssl/ssl.py
@@ -1,36 +1,72 @@
-from ussl import *
-import ussl as _ussl
+import tls
+from tls import (
+    CERT_NONE,
+    CERT_OPTIONAL,
+    CERT_REQUIRED,
+    MBEDTLS_VERSION,
+    PROTOCOL_TLS_CLIENT,
+    PROTOCOL_TLS_SERVER,
+)
 
-# Constants
-for sym in "CERT_NONE", "CERT_OPTIONAL", "CERT_REQUIRED":
-    if sym not in globals():
-        globals()[sym] = object()
+
+class SSLContext:
+    def __init__(self, *args):
+        self._context = tls.SSLContext(*args)
+        self._context.verify_mode = CERT_NONE
+
+    @property
+    def verify_mode(self):
+        return self._context.verify_mode
+
+    @verify_mode.setter
+    def verify_mode(self, val):
+        self._context.verify_mode = val
+
+    def load_cert_chain(self, certfile, keyfile):
+        if isinstance(certfile, str):
+            with open(certfile, "rb") as f:
+                certfile = f.read()
+        if isinstance(keyfile, str):
+            with open(keyfile, "rb") as f:
+                keyfile = f.read()
+        self._context.load_cert_chain(certfile, keyfile)
+
+    def load_verify_locations(self, cafile=None, cadata=None):
+        if cafile is not None:
+            with open(cafile, "rb") as f:
+                cadata = f.read()
+        self._context.load_verify_locations(cadata=cadata)
+
+    def wrap_socket(
+        self, sock, server_side=False, do_handshake_on_connect=True, server_hostname=None
+    ):
+        return self._context.wrap_socket(
+            sock,
+            server_side=server_side,
+            do_handshake_on_connect=do_handshake_on_connect,
+            server_hostname=server_hostname,
+        )
 
 
 def wrap_socket(
     sock,
-    keyfile=None,
-    certfile=None,
     server_side=False,
+    key=None,
+    cert=None,
     cert_reqs=CERT_NONE,
-    *,
-    ca_certs=None,
-    server_hostname=None
+    cadata=None,
+    server_hostname=None,
+    do_handshake=True,
 ):
-    # TODO: More arguments accepted by CPython could also be handled here.
-    # That would allow us to accept ca_certs as a positional argument, which
-    # we should.
-    kw = {}
-    if keyfile is not None:
-        kw["keyfile"] = keyfile
-    if certfile is not None:
-        kw["certfile"] = certfile
-    if server_side is not False:
-        kw["server_side"] = server_side
-    if cert_reqs is not CERT_NONE:
-        kw["cert_reqs"] = cert_reqs
-    if ca_certs is not None:
-        kw["ca_certs"] = ca_certs
-    if server_hostname is not None:
-        kw["server_hostname"] = server_hostname
-    return _ussl.wrap_socket(sock, **kw)
+    con = SSLContext(PROTOCOL_TLS_SERVER if server_side else PROTOCOL_TLS_CLIENT)
+    if cert is not None or key is not None:
+        con.load_cert_chain(cert, key)
+    if cadata is not None:
+        con.load_verify_locations(cadata=cadata)
+    con.verify_mode = cert_reqs
+    return con.wrap_socket(
+        sock,
+        server_side=server_side,
+        do_handshake_on_connect=do_handshake,
+        server_hostname=server_hostname,
+    )
