diff options
Diffstat (limited to 'extmod')
| -rw-r--r-- | extmod/mbedtls/mbedtls_config_common.h | 10 | ||||
| -rw-r--r-- | extmod/modtls_mbedtls.c | 29 |
2 files changed, 25 insertions, 14 deletions
diff --git a/extmod/mbedtls/mbedtls_config_common.h b/extmod/mbedtls/mbedtls_config_common.h index 6cd14befc..1f7ac8818 100644 --- a/extmod/mbedtls/mbedtls_config_common.h +++ b/extmod/mbedtls/mbedtls_config_common.h @@ -26,6 +26,8 @@ #ifndef MICROPY_INCLUDED_MBEDTLS_CONFIG_COMMON_H #define MICROPY_INCLUDED_MBEDTLS_CONFIG_COMMON_H +#include "py/mpconfig.h" + // If you want to debug MBEDTLS uncomment the following and // pass "3" to mbedtls_debug_set_threshold in socket_new. // #define MBEDTLS_DEBUG_C @@ -89,12 +91,18 @@ #define MBEDTLS_SHA384_C #define MBEDTLS_SHA512_C #define MBEDTLS_SSL_CLI_C -#define MBEDTLS_SSL_PROTO_DTLS #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TLS_C #define MBEDTLS_X509_CRT_PARSE_C #define MBEDTLS_X509_USE_C +#if MICROPY_PY_SSL_DTLS +#define MBEDTLS_SSL_PROTO_DTLS +#define MBEDTLS_SSL_DTLS_ANTI_REPLAY +#define MBEDTLS_SSL_DTLS_HELLO_VERIFY +#define MBEDTLS_SSL_COOKIE_C +#endif + // A port may enable this option to select additional bare-metal configuration. #if MICROPY_MBEDTLS_CONFIG_BARE_METAL diff --git a/extmod/modtls_mbedtls.c b/extmod/modtls_mbedtls.c index 4bd0aea9a..418275440 100644 --- a/extmod/modtls_mbedtls.c +++ b/extmod/modtls_mbedtls.c @@ -78,7 +78,7 @@ #define MP_PROTOCOL_TLS_CLIENT 0 #define MP_PROTOCOL_TLS_SERVER MP_ENDPOINT_IS_SERVER #define MP_PROTOCOL_DTLS_CLIENT MP_TRANSPORT_IS_DTLS -#define MP_PROTOCOL_DTLS_SERVER MP_ENDPOINT_IS_SERVER | MP_TRANSPORT_IS_DTLS +#define MP_PROTOCOL_DTLS_SERVER (MP_ENDPOINT_IS_SERVER | MP_TRANSPORT_IS_DTLS) // This corresponds to an SSLContext object. typedef struct _mp_obj_ssl_context_t { @@ -96,6 +96,7 @@ typedef struct _mp_obj_ssl_context_t { mp_obj_t ecdsa_sign_callback; #endif #ifdef MBEDTLS_SSL_DTLS_HELLO_VERIFY + bool is_dtls_server; mbedtls_ssl_cookie_ctx cookie_ctx; #endif } mp_obj_ssl_context_t; @@ -328,14 +329,17 @@ static mp_obj_t ssl_context_make_new(const mp_obj_type_t *type_in, size_t n_args #endif #ifdef MBEDTLS_SSL_DTLS_HELLO_VERIFY - mbedtls_ssl_cookie_init(&self->cookie_ctx); - ret = mbedtls_ssl_cookie_setup(&self->cookie_ctx, mbedtls_ctr_drbg_random, &self->ctr_drbg); - if (ret != 0) { - mbedtls_raise_error(ret); + self->is_dtls_server = (protocol == MP_PROTOCOL_DTLS_SERVER); + if (self->is_dtls_server) { + mbedtls_ssl_cookie_init(&self->cookie_ctx); + ret = mbedtls_ssl_cookie_setup(&self->cookie_ctx, mbedtls_ctr_drbg_random, &self->ctr_drbg); + if (ret != 0) { + mbedtls_raise_error(ret); + } + mbedtls_ssl_conf_dtls_cookies(&self->conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, + &self->cookie_ctx); } - mbedtls_ssl_conf_dtls_cookies(&self->conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, - &self->cookie_ctx); - #endif + #endif // MBEDTLS_SSL_DTLS_HELLO_VERIFY return MP_OBJ_FROM_PTR(self); } @@ -664,19 +668,18 @@ static mp_obj_t ssl_socket_make_new(mp_obj_ssl_context_t *ssl_context, mp_obj_t #ifdef MBEDTLS_SSL_PROTO_DTLS mbedtls_ssl_set_timer_cb(&o->ssl, o, _mbedtls_timing_set_delay, _mbedtls_timing_get_delay); #endif + #ifdef MBEDTLS_SSL_DTLS_HELLO_VERIFY - if (client_id != mp_const_none) { + if (ssl_context->is_dtls_server) { + // require the client_id parameter for DTLS (as per mbedTLS requirement) + ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; mp_buffer_info_t buf; if (mp_get_buffer(client_id, &buf, MP_BUFFER_READ)) { ret = mbedtls_ssl_set_client_transport_id(&o->ssl, buf.buf, buf.len); - } else { - ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } if (ret != 0) { goto cleanup; } - } else { - // TODO: should it be an error not to provide this argument for DTLS server? } #endif |