| Age | Commit message (Collapse) | Author |
|---|
|
This is an annoying regression caused by including mpconfig.h in 36922df -
the mimxrt platform headers define ARRAY_SIZE and mbedtls also defines in
some source files, using a different parameter name which is a warning in
gcc.
Technically mimxrt SDK is to blame here, but as this isn't a named warning
in gcc the only way to work around it in the mimxrt port would be to
disable all warnings when building this particular mbedTLS source file.
This work was funded through GitHub Sponsors.
Signed-off-by: Angus Gratton <angus@redyak.com.au>
|
|
- DTLS spec recommends HelloVerify and Anti Replay protection be enabled,
and these are enabled in the default mbedTLS config. Implement them here.
- To help compensate for the possible increase in code size, add a
MICROPY_PY_SSL_DTLS build config macro that's enabled for EXTRA and
above by default.
This allows bare metal mbedTLS ports to use DTLS with HelloVerify support.
This work was funded through GitHub Sponsors.
Signed-off-by: Angus Gratton <angus@redyak.com.au>
|
|
This commit enables support for DTLS, i.e. TLS over datagram transport
protocols like UDP. While support for DTLS is absent in CPython, it is
worth supporting it in MicroPython because it is the basis of the
ubiquitous CoAP protocol, used in many IoT projects.
To select DTLS, a new set of "protocols" are added to SSLContext:
- ssl.PROTOCOL_DTLS_CLIENT
- ssl.PROTOCOL_DTLS_SERVER
If one of these is set, the library assumes that the underlying socket is a
datagram-like socket (i.e. UDP or similar).
Our own timer callbacks are implemented because the out of the box
implementation relies on `gettimeofday()`.
This new DTLS feature is enabled on all ports that use mbedTLS.
This commit is an update to a previous PR #10062.
Addresses issue #5270 which requested DTLS support.
Signed-off-by: Keenan Johnson <keenan.johnson@gmail.com>
|
|
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
|
|
This commit enables the implementation of alternative mbedTLS cryptography
functions, such as ECDSA sign and verify, in pure Python. Alternative
functions are implemented in Python callbacks, that get invoked from
wrapper functions when needed. The callback can return None to fall back
to the default mbedTLS function.
A common use case for this feature is with secure elements that have
drivers implemented in Python. Currently, only the ECDSA alternate sign
function wrapper is implemented.
Tested signing with a private EC key stored on an NXP SE05x secure element.
Signed-off-by: iabdalkader <i.abdalkader@gmail.com>
|
|
Enable support for cipher suites like
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, as suggested in
https://github.com/micropython/micropython/issues/14204#issuecomment-2024366349
and https://github.com/micropython/micropython/issues/10485#issuecomment-1396426824
Tests have been run on the top 500 domains from moz.com. Without this
patch, 155 out of 500 fail to connect because of TLS issues. This patch
fixes them all. And it seems all existing mbedtls flags are needed to get
good coverage of those top 500 domains.
The `ssl_poll.py` test has the cipher bits increased from 512 to 1024 in
its test key/cert so that it can work with ECDHE-RSA which is now the
chosen cipher.
Signed-off-by: Sylvain Zimmer <sylvain@sylvainzimmer.com>
Signed-off-by: Damien George <damien@micropython.org>
|
|
Changes include:
- Some mbedtls source files renamed or deprecated.
- Our `mbedtls_config.h` files are renamed to `mbedtls_config_port.h`, so
they don't clash with mbedtls's new default configuration file named
`mbedtls_config.h`.
- MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE is deprecated.
- MBEDTLS_HAVE_TIME now requires an `mbedtls_ms_time` function to be
defined but it's only used for TLSv1.3 (currently not enabled in
MicroPython so there is a lazy implementation, i.e. seconds * 1000).
- `tests/multi_net/ssl_data.py` is removed (due to deprecation of
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE), there are the existing
`ssl_cert_rsa.py` and `sslcontext_server_client.py` tests which do very
similar, simple SSL data transfer.
- Tests now use an EC key by default (they are smaller and faster), and the
RSA key has been regenerated due to the old PKCS encoding used by openssl
rsa command, see
https://stackoverflow.com/questions/40822328/openssl-rsa-key-pem-and-der-conversion-does-not-match
(and `tests/README.md` has been updated accordingly).
Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
|
|
All ports using this common configuration already enable time/date
validation, so this commit is a no-op change.
Signed-off-by: Damien George <damien@micropython.org>
|
|
They are much slower than NIST (SECP) curves and shouldn't be needed.
Reduces rp2 PICO_W firmware by 1328 bytes.
Thanks to @Carglglz for the information.
Signed-off-by: Damien George <damien@micropython.org>
|
|
Curve25519 arithmetic is supported in mbedtls, but it's not used for TLS.
So there's no need to have this option enabled.
Reduces rp2 PICO_W firmware by 2440 bytes.
Thanks to @Carglglz for the information.
Signed-off-by: Damien George <damien@micropython.org>
|
|
This is necessary to access sites that only support these protocols.
The rp2 port already has ECDH enabled, so this just adds ECDSA there. The
other ports now gain both ECDH and ECDSA. The code size increase is:
- rp2 (PICO_W): +2916 bytes flash, +24 bytes BSS
- stm32 (PYBD_SF6): +20480 bytes flash, +32 bytes data, +48 bytes BSS
- mimxrt (TEENSY41): +20708 bytes flash, +32 bytes data, +48 bytes BSS
- unix (standard x86-64): +39344 executable, +1744 bytes data, +96 BSS
This is obviously a large increase in code size. But there doesn't seem to
be any other option because without elliptic curve cryptography devices are
partially cut off from the internet. For use cases that require small
firmware size, they'll need to build custom firmware with a custom mbedtls
config.
Signed-off-by: Damien George <damien@micropython.org>
|
|
This was already enabled on all ports except mimxrt. Now it's enabled on
all of them.
Signed-off-by: Damien George <damien@micropython.org>
|
|
This is a no-op change.
Signed-off-by: Damien George <damien@micropython.org>
|
