all: Update bindings, ports and tests for mbedtls v3.5.1.

Changes include:

- Some mbedtls source files renamed or deprecated.

- Our `mbedtls_config.h` files are renamed to `mbedtls_config_port.h`, so
  they don't clash with mbedtls's new default configuration file named
  `mbedtls_config.h`.

- MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE is deprecated.

- MBEDTLS_HAVE_TIME now requires an `mbedtls_ms_time` function to be
  defined but it's only used for TLSv1.3 (currently not enabled in
  MicroPython so there is a lazy implementation, i.e. seconds * 1000).

- `tests/multi_net/ssl_data.py` is removed (due to deprecation of
  MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE), there are the existing
  `ssl_cert_rsa.py` and `sslcontext_server_client.py` tests which do very
  similar, simple SSL data transfer.

- Tests now use an EC key by default (they are smaller and faster), and the
  RSA key has been regenerated due to the old PKCS encoding used by openssl
  rsa command, see
  https://stackoverflow.com/questions/40822328/openssl-rsa-key-pem-and-der-conversion-does-not-match
  (and `tests/README.md` has been updated accordingly).

Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>

extmod/extmod.cmake

@@ -174,20 +174,24 @@ if(MICROPY_SSL_MBEDTLS)
         ${MICROPY_DIR}/lib/mbedtls_errors/mp_mbedtls_errors.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/aes.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/aesni.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/arc4.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/asn1parse.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/asn1write.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/base64.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_core.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_mod.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum_mod_raw.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/bignum.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/blowfish.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/camellia.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ccm.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/certs.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/chacha20.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/chachapoly.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/cipher.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/cipher_wrap.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/nist_kw.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/aria.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/cmac.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/mps_reader.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/mps_trace.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ctr_drbg.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/debug.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/des.c
@@ -200,17 +204,13 @@ if(MICROPY_SSL_MBEDTLS)
         ${MICROPY_LIB_MBEDTLS_DIR}/library/entropy.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/entropy_poll.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/gcm.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/havege.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/hmac_drbg.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/md2.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/md4.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/md5.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/md.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/oid.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/padlock.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pem.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pk.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs11.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs12.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pkcs5.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/pkparse.c
@@ -221,15 +221,17 @@ if(MICROPY_SSL_MBEDTLS)
         ${MICROPY_LIB_MBEDTLS_DIR}/library/poly1305.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ripemd160.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa_internal.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/rsa_alt_helpers.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/sha1.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/sha256.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/sha512.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cache.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_ciphersuites.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cli.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls12_client.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls12_server.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_client.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_cookie.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_srv.c
+        ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_debug_helpers_generated.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_msg.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_ticket.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/ssl_tls.c
@@ -242,11 +244,10 @@ if(MICROPY_SSL_MBEDTLS)
         ${MICROPY_LIB_MBEDTLS_DIR}/library/x509_csr.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/x509write_crt.c
         ${MICROPY_LIB_MBEDTLS_DIR}/library/x509write_csr.c
-        ${MICROPY_LIB_MBEDTLS_DIR}/library/xtea.c
     )
 
     if(NOT MBEDTLS_CONFIG_FILE)
-        set(MBEDTLS_CONFIG_FILE "${MICROPY_PORT_DIR}/mbedtls/mbedtls_config.h")
+        set(MBEDTLS_CONFIG_FILE "${MICROPY_PORT_DIR}/mbedtls/mbedtls_config_port.h")
     endif()
 
     target_compile_definitions(micropy_lib_mbedtls INTERFACE

extmod/extmod.mk

@@ -231,7 +231,7 @@ SRC_THIRDPARTY_C += $(addprefix $(AXTLS_DIR)/,\
 	)
 else ifeq ($(MICROPY_SSL_MBEDTLS),1)
 MBEDTLS_DIR = lib/mbedtls
-MBEDTLS_CONFIG_FILE ?= \"mbedtls/mbedtls_config.h\"
+MBEDTLS_CONFIG_FILE ?= \"mbedtls/mbedtls_config_port.h\"
 GIT_SUBMODULES += $(MBEDTLS_DIR)
 CFLAGS_EXTMOD += -DMBEDTLS_CONFIG_FILE=$(MBEDTLS_CONFIG_FILE)
 CFLAGS_EXTMOD += -DMICROPY_SSL_MBEDTLS=1 -I$(TOP)/$(MBEDTLS_DIR)/include
@@ -239,20 +239,25 @@ SRC_THIRDPARTY_C += lib/mbedtls_errors/mp_mbedtls_errors.c
 SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 	aes.c \
 	aesni.c \
-	arc4.c \
 	asn1parse.c \
 	asn1write.c \
 	base64.c \
+	bignum_core.c \
+	bignum_mod.c \
+	bignum_mod_raw.c \
 	bignum.c \
-	blowfish.c \
 	camellia.c \
 	ccm.c \
-	certs.c \
 	chacha20.c \
 	chachapoly.c \
 	cipher.c \
 	cipher_wrap.c \
+	nist_kw.c \
+	aria.c \
 	cmac.c \
+	constant_time.c \
+	mps_reader.c \
+	mps_trace.c \
 	ctr_drbg.c \
 	debug.c \
 	des.c \
@@ -265,17 +270,13 @@ SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 	entropy.c \
 	entropy_poll.c \
 	gcm.c \
-	havege.c \
 	hmac_drbg.c \
-	md2.c \
-	md4.c \
 	md5.c \
 	md.c \
 	oid.c \
 	padlock.c \
 	pem.c \
 	pk.c \
-	pkcs11.c \
 	pkcs12.c \
 	pkcs5.c \
 	pkparse.c \
@@ -286,20 +287,21 @@ SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 	poly1305.c \
 	ripemd160.c \
 	rsa.c \
-	rsa_internal.c \
+	rsa_alt_helpers.c \
 	sha1.c \
 	sha256.c \
 	sha512.c \
 	ssl_cache.c \
 	ssl_ciphersuites.c \
-	ssl_cli.c \
+	ssl_client.c \
 	ssl_cookie.c \
-	ssl_srv.c \
+	ssl_debug_helpers_generated.c \
 	ssl_msg.c \
 	ssl_ticket.c \
 	ssl_tls.c \
+	ssl_tls12_client.c \
+	ssl_tls12_server.c \
 	timing.c \
-	constant_time.c \
 	x509.c \
 	x509_create.c \
 	x509_crl.c \
@@ -307,7 +309,6 @@ SRC_THIRDPARTY_C += $(addprefix $(MBEDTLS_DIR)/library/,\
 	x509_csr.c \
 	x509write_crt.c \
 	x509write_csr.c \
-	xtea.c \
 	)
 endif
 endif

extmod/mbedtls/mbedtls_config_common.h

@@ -45,9 +45,9 @@
 #define MBEDTLS_ECP_DP_SECP224K1_ENABLED
 #define MBEDTLS_ECP_DP_SECP256K1_ENABLED
 #define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
-// #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED // enabling this currently breaks ssl_data.py test
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
-#define MBEDTLS_NO_PLATFORM_ENTROPY
+#define MBEDTLS_CAN_ECDH
+#define MBEDTLS_PK_CAN_ECDSA_SIGN
 #define MBEDTLS_PKCS1_V15
 #define MBEDTLS_SHA256_SMALLER
 #define MBEDTLS_SSL_PROTO_TLS1
@@ -81,12 +81,13 @@
 #define MBEDTLS_PLATFORM_C
 #define MBEDTLS_RSA_C
 #define MBEDTLS_SHA1_C
+#define MBEDTLS_SHA224_C
 #define MBEDTLS_SHA256_C
+#define MBEDTLS_SHA384_C
 #define MBEDTLS_SHA512_C
 #define MBEDTLS_SSL_CLI_C
 #define MBEDTLS_SSL_SRV_C
 #define MBEDTLS_SSL_TLS_C
-#define MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE
 #define MBEDTLS_X509_CRT_PARSE_C
 #define MBEDTLS_X509_USE_C
 
@@ -97,6 +98,7 @@
 #define MBEDTLS_PLATFORM_MEMORY
 #define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
 #define MBEDTLS_ENTROPY_HARDWARE_ALT
+#define MBEDTLS_NO_PLATFORM_ENTROPY
 
 // Bare-metal memory allocation hooks.
 #include <stdlib.h>
@@ -109,7 +111,4 @@ void m_tracked_free(void *ptr);
 
 #endif
 
-// Include mbedtls configuration checker.
-#include "mbedtls/check_config.h"
-
 #endif // MICROPY_INCLUDED_MBEDTLS_CONFIG_COMMON_H

ports/mimxrt/mbedtls/mbedtls_config_port.h

@@ -30,6 +30,7 @@
 #include <time.h>
 extern time_t mimxrt_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO mimxrt_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)

ports/mimxrt/mbedtls/mbedtls_port.c

@@ -28,10 +28,11 @@
 
 #ifdef MICROPY_SSL_MBEDTLS
 
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "fsl_snvs_lp.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 
 void trng_random_data(unsigned char *output, size_t len);
@@ -52,6 +53,13 @@ time_t mimxrt_rtctime_seconds(time_t *timer) {
     SNVS_LP_SRTC_GetDatetime(SNVS, &date);
     return timeutils_seconds_since_epoch(date.year, date.month, date.day, date.hour, date.minute, date.second);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+    time_t *tv = NULL;
+    mbedtls_ms_time_t current_ms;
+    current_ms = mimxrt_rtctime_seconds(tv) * 1000;
+    return current_ms;
+}
 #endif
 
 #if defined(MBEDTLS_HAVE_TIME_DATE)

ports/renesas-ra/boards/ARDUINO_PORTENTA_C33/mbedtls_config_board.h

@@ -3,6 +3,6 @@
 
 #define MBEDTLS_ECP_NIST_OPTIM
 
-#include "ports/renesas-ra/mbedtls/mbedtls_config.h"
+#include "ports/renesas-ra/mbedtls/mbedtls_config_port.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */

ports/renesas-ra/mbedtls/mbedtls_config_port.h

@@ -30,6 +30,7 @@
 #include <time.h>
 extern time_t ra_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO ra_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)

ports/renesas-ra/mbedtls/mbedtls_port.c

@@ -25,11 +25,12 @@
  */
 
 #include "rng.h"
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 
 int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) {
@@ -57,6 +58,13 @@ time_t ra_rtctime_seconds(time_t *timer) {
     rtc_get_date(&date);
     return timeutils_seconds_since_epoch(2000 + date.Year, date.Month, date.Date, time.Hours, time.Minutes, time.Seconds);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+    time_t *tv = NULL;
+    mbedtls_ms_time_t current_ms;
+    current_ms = ra_rtctime_seconds(tv) * 1000;
+    return current_ms;
+}
 #endif
 
 #if defined(MBEDTLS_HAVE_TIME_DATE)

ports/rp2/mbedtls/mbedtls_config_port.h

@@ -37,6 +37,7 @@
 #include <time.h>
 time_t rp2_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO rp2_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)

ports/rp2/mbedtls/mbedtls_port.c

@@ -27,10 +27,11 @@
 
 #ifdef MICROPY_SSL_MBEDTLS
 
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 
 #include "hardware/rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 
 extern uint8_t rosc_random_u8(size_t cycles);
 
@@ -48,4 +49,10 @@ time_t rp2_rtctime_seconds(time_t *timer) {
     return timeutils_seconds_since_epoch(t.year, t.month, t.day, t.hour, t.min, t.sec);
 }
 
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+    time_t *tv = NULL;
+    mbedtls_ms_time_t current_ms;
+    current_ms = rp2_rtctime_seconds(tv) * 1000;
+    return current_ms;
+}
 #endif

ports/stm32/boards/ARDUINO_GIGA/mbedtls_config_board.h

@@ -3,6 +3,6 @@
 
 #define MBEDTLS_ECP_NIST_OPTIM
 
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */

ports/stm32/boards/ARDUINO_NICLA_VISION/mbedtls_config_board.h

@@ -3,6 +3,6 @@
 
 #define MBEDTLS_ECP_NIST_OPTIM
 
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */

ports/stm32/boards/ARDUINO_PORTENTA_H7/mbedtls_config_board.h

@@ -3,6 +3,6 @@
 
 #define MBEDTLS_ECP_NIST_OPTIM
 
-#include "ports/stm32/mbedtls/mbedtls_config.h"
+#include "ports/stm32/mbedtls/mbedtls_config_port.h"
 
 #endif /* MICROPY_INCLUDED_MBEDTLS_CONFIG_BOARD_H */

ports/stm32/mbedtls/mbedtls_config_port.h

@@ -30,6 +30,7 @@
 #include <time.h>
 extern time_t stm32_rtctime_seconds(time_t *timer);
 #define MBEDTLS_PLATFORM_TIME_MACRO stm32_rtctime_seconds
+#define MBEDTLS_PLATFORM_MS_TIME_ALT mbedtls_ms_time
 
 // Set MicroPython-specific options.
 #define MICROPY_MBEDTLS_CONFIG_BARE_METAL (1)

ports/stm32/mbedtls/mbedtls_port.c

@@ -25,11 +25,12 @@
  */
 
 #include "rng.h"
-#include "mbedtls_config.h"
+#include "mbedtls_config_port.h"
 
 #if defined(MBEDTLS_HAVE_TIME) || defined(MBEDTLS_HAVE_TIME_DATE)
 #include "rtc.h"
 #include "shared/timeutils/timeutils.h"
+#include "mbedtls/platform_time.h"
 #endif
 
 int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, size_t *olen) {
@@ -57,6 +58,13 @@ time_t stm32_rtctime_seconds(time_t *timer) {
     HAL_RTC_GetDate(&RTCHandle, &date, RTC_FORMAT_BIN);
     return timeutils_seconds_since_epoch(2000 + date.Year, date.Month, date.Date, time.Hours, time.Minutes, time.Seconds);
 }
+
+mbedtls_ms_time_t mbedtls_ms_time(void) {
+    time_t *tv = NULL;
+    mbedtls_ms_time_t current_ms;
+    current_ms = stm32_rtctime_seconds(tv) * 1000;
+    return current_ms;
+}
 #endif
 
 #if defined(MBEDTLS_HAVE_TIME_DATE)

ports/unix/mbedtls/mbedtls_config_port.h

@@ -30,7 +30,6 @@
 #define MBEDTLS_CIPHER_MODE_CTR // needed for MICROPY_PY_CRYPTOLIB_CTR
 
 // Enable mbedtls modules
-#define MBEDTLS_HAVEGE_C
 #define MBEDTLS_TIMING_C
 
 // Include common mbedtls configuration.

tests/README.md

@@ -189,7 +189,7 @@ In this case CN is: micropython.local
 
 Convert them to DER format:
 ```
-$ openssl rsa -in rsa_key.pem -out rsa_key.der -outform DER
+$ openssl pkey -in rsa_key.pem -out rsa_key.der -outform DER
 $ openssl x509 -in rsa_cert.pem -out rsa_cert.der -outform DER
 ```
 

tests/multi_net/asyncio_tls_server_client.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/asyncio_tls_server_client_cert_required_error.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/asyncio_tls_server_client_readline.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/asyncio_tls_server_client_verify_error.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/ssl_cert_ec.py

@@ -0,0 +1,56 @@
+# Simple test creating an SSL connection and transferring some data
+# This test won't run under CPython because CPython doesn't have key/cert
+
+try:
+    import binascii, os, socket, ssl
+except ImportError:
+    print("SKIP")
+    raise SystemExit
+
+PORT = 8000
+
+# These are test certificates. See tests/README.md for details.
+certfile = "ec_cert.der"
+keyfile = "ec_key.der"
+
+try:
+    os.stat(certfile)
+    os.stat(keyfile)
+except OSError:
+    print("SKIP")
+    raise SystemExit
+
+with open(certfile, "rb") as cf:
+    cert = cadata = cf.read()
+
+with open(keyfile, "rb") as kf:
+    key = kf.read()
+
+
+# Server
+def instance0():
+    multitest.globals(IP=multitest.get_network_ip())
+    s = socket.socket()
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1])
+    s.listen(1)
+    multitest.next()
+    s2, _ = s.accept()
+    s2 = ssl.wrap_socket(s2, server_side=True, key=key, cert=cert)
+    print(s2.read(16))
+    s2.write(b"server to client")
+    s2.close()
+    s.close()
+
+
+# Client
+def instance1():
+    multitest.next()
+    s = socket.socket()
+    s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
+    s = ssl.wrap_socket(
+        s, cert_reqs=ssl.CERT_REQUIRED, server_hostname="micropython.local", cadata=cadata
+    )
+    s.write(b"client to server")
+    print(s.read(16))
+    s.close()

tests/multi_net/ssl_data.py

@@ -1,67 +0,0 @@
-# Simple test creating an SSL connection and transferring some data
-# This test won't run under CPython because it requires key/cert
-
-try:
-    import binascii, socket, ssl
-except ImportError:
-    print("SKIP")
-    raise SystemExit
-
-PORT = 8000
-
-# This self-signed key/cert pair is randomly generated and to be used for
-# testing/demonstration only.  You should always generate your own key/cert.
-key = binascii.unhexlify(
-    b"3082013b020100024100cc20643fd3d9c21a0acba4f48f61aadd675f52175a9dcf07fbef"
-    b"610a6a6ba14abb891745cd18a1d4c056580d8ff1a639460f867013c8391cdc9f2e573b0f"
-    b"872d0203010001024100bb17a54aeb3dd7ae4edec05e775ca9632cf02d29c2a089b563b0"
-    b"d05cdf95aeca507de674553f28b4eadaca82d5549a86058f9996b07768686a5b02cb240d"
-    b"d9f1022100f4a63f5549e817547dca97b5c658038e8593cb78c5aba3c4642cc4cd031d86"
-    b"8f022100d598d870ffe4a34df8de57047a50b97b71f4d23e323f527837c9edae88c79483"
-    b"02210098560c89a70385c36eb07fd7083235c4c1184e525d838aedf7128958bedfdbb102"
-    b"2051c0dab7057a8176ca966f3feb81123d4974a733df0f958525f547dfd1c271f9022044"
-    b"6c2cafad455a671a8cf398e642e1be3b18a3d3aec2e67a9478f83c964c4f1f"
-)
-cert = binascii.unhexlify(
-    b"308201d53082017f020203e8300d06092a864886f70d01010505003075310b3009060355"
-    b"0406130258583114301206035504080c0b54686550726f76696e63653110300e06035504"
-    b"070c075468654369747931133011060355040a0c0a436f6d70616e7958595a3113301106"
-    b"0355040b0c0a436f6d70616e7958595a3114301206035504030c0b546865486f73744e61"
-    b"6d65301e170d3139313231383033333935355a170d3239313231353033333935355a3075"
-    b"310b30090603550406130258583114301206035504080c0b54686550726f76696e636531"
-    b"10300e06035504070c075468654369747931133011060355040a0c0a436f6d70616e7958"
-    b"595a31133011060355040b0c0a436f6d70616e7958595a3114301206035504030c0b5468"
-    b"65486f73744e616d65305c300d06092a864886f70d0101010500034b003048024100cc20"
-    b"643fd3d9c21a0acba4f48f61aadd675f52175a9dcf07fbef610a6a6ba14abb891745cd18"
-    b"a1d4c056580d8ff1a639460f867013c8391cdc9f2e573b0f872d0203010001300d06092a"
-    b"864886f70d0101050500034100b0513fe2829e9ecbe55b6dd14c0ede7502bde5d46153c8"
-    b"e960ae3ebc247371b525caeb41bbcf34686015a44c50d226e66aef0a97a63874ca5944ef"
-    b"979b57f0b3"
-)
-
-
-# Server
-def instance0():
-    multitest.globals(IP=multitest.get_network_ip())
-    s = socket.socket()
-    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-    s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1])
-    s.listen(1)
-    multitest.next()
-    s2, _ = s.accept()
-    s2 = ssl.wrap_socket(s2, server_side=True, key=key, cert=cert)
-    print(s2.read(16))
-    s2.write(b"server to client")
-    s2.close()
-    s.close()
-
-
-# Client
-def instance1():
-    multitest.next()
-    s = socket.socket()
-    s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
-    s = ssl.wrap_socket(s)
-    s.write(b"client to server")
-    print(s.read(16))
-    s.close()

tests/multi_net/sslcontext_check_hostname_error.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/sslcontext_getpeercert.py

@@ -12,8 +12,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/sslcontext_getpeercert.py.exp

@@ -1,5 +1,5 @@
 --- instance0 ---
 b'client to server'
 --- instance1 ---
-3082058930820371a00302010202141b3da08b15005eea265d0b57b8ba99812ab274cb300d06092a864886f70d01010b05003054310b30090603550406130241553113301106035504080c0a536f6d652d537461746531143012060355040a0c0b4d6963726f507974686f6e311a301806035504030c116d6963726f707974686f6e2e6c6f63616c301e170d3233313131393032323932375a170d3238313131373032323932375a3054310b30090603550406130241553113301106035504080c0a536f6d652d537461746531143012060355040a0c0b4d6963726f507974686f6e311a301806035504030c116d6963726f707974686f6e2e6c6f63616c30820222300d06092a864886f70d01010105000382020f003082020a0282020100deee37780ebca47e0f414ba033ebe692d2bc374a0eb1f42556bf266ad704208116ee0d8b2fd0b518074ad0981c4fd1322de81696ccea838884b06f56d3ebe49cf0561050f6f8ced5f7f4f13d086b28779a9647bbfae6c3f3ad68a5b28ee8a1ceb260d87ea300316599c4dd9f6082f89164b590df8695add518339f6730dec4f05b1ef63548329b0a48823035b23737f3303b56aa251dd8dcf0c20e6c1d291374c185ae657b349c20721c7c01a1b393c96d4c5f2bc8e2dfca7dab896e2fa84dee53d2bb6dbd1056970fa1812315e8ee9d92b3cb93e0b563d274bf07dd79600ef403b91d4ce814418b28cfaeb2b7d8401e64f6d4f39283df3204f2fe01f2fd289f5d2078d9ee2f96b6de1fd4284d9274fa38b0ad9ffcce8ffe66673be2cf304ee1b27c7cacaaf4ca76f1e84419e6e80f540add3e91cd469903e9ceb6bd2b1c33caa59acb5516ce8ac00e73d7a551bb65d39bd6af04411e81c20e6bd474d797a0bcd498e26720bd60ae4f900bb1afa59c7ac7a336273c7734ca5874ea63fb8ec787ab702041442da11a922baf5fbeb9eeea4f9f49cb1f659b561806d2169dbed07c43558c908c94e16491fe1a22cd92b8f33c1184353bdc985c88722f65e48024910f723035c0d33b789928296fb193cec6350884243b00bf51422ad09fb7012bd9cad4716803422be0d111deace913fac8cb2be1e96fa8449068430e5424bd0bd10203010001a3533051301d0603551d0e041604147d392a82ab464936fd7d74226694556a2945fd8d301f0603551d230418301680147d392a82ab464936fd7d74226694556a2945fd8d300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382020100ae40c015e3eade8dabc84ee357ac9d694e7cd69ce4a1b265880273d16257119aa72fb2aa8b841e2899bea3e8690146f24d963a37825c93bf745447dc6ab09b5f2947671dca13b1e71f5c3e43011d74cdc688ed1215b3016071ae7235d77f79d7bb81f097bb04a08ccf400717721b29e2ea913eb23614610597deee477ed716db7e8ebe11aed39c7035f48259dfa54d88871c1f67159d52ce11eb111fa00708a7d7081c07fd92d54abbaec7ff1b50ce2f6f358857d2f55d1c7b5aa6dd66b9c3c2e654397e2d5330aca9834ff8fd749ce968c706fe3bb1b8510a379ec1910d7ece0212c34d56a2073fb7f25c88fe298568e448d03ec30b348f7d9a8836390216a6da7a8efed50dfb8c21a8531efc158e7f4398f87af18d1bd2926d08d34364bf5d85e88040dff3d3f1da6268dbc0cafa64f544c065380fa695a8d015b385aed0a1fd9ff1d7c2b28a549e04c1132b421f85a85640acac11c69416859fb9b461eeddffa92ae303b35c7233537077068de558dd02715e25aee976a97879038d2952be0d327892ab2fc78716b0d7aab4b923d5d79905f7f8b6a18c42e466fec62f84b6e5957deae0964dab8436b0e0cd4e08012661bafb9588fbfd7068fd6c08ab79101a4bdfe21d95cd0ee0aad7dd8a3ed128071c0ec2d063dc6dfa63189e51bf5d9259e776d7623f745a73f4e12e5c2b90493de1c6436b339e1400891e3e35c31057
+308201d330820179a00302010202144315a7cd8f69febe2640314e7c97d60a2523ad15300a06082a8648ce3d040302303f311a301806035504030c116d6963726f707974686f6e2e6c6f63616c31143012060355040a0c0b4d6963726f507974686f6e310b3009060355040613024155301e170d3234303131343034353335335a170d3235303131333034353335335a303f311a301806035504030c116d6963726f707974686f6e2e6c6f63616c31143012060355040a0c0b4d6963726f507974686f6e310b30090603550406130241553059301306072a8648ce3d020106082a8648ce3d0301070342000449b7f5fa687cb25a9464c397508149992f445c860bcf7002958eb4337636c6af840cd4c8cf3b96f2384860d8ae3ee3fa135dba051e8605e62bd871689c6af43ca3533051301d0603551d0e0416041441b3ae171d91e330411d8543ba45e0f2d5b2951b301f0603551d2304183016801441b3ae171d91e330411d8543ba45e0f2d5b2951b300f0603551d130101ff040530030101ff300a06082a8648ce3d04030203480030450220587f61c34739d6fab5802a674dcc54443ae9c87da374078c4ee1cd83f4ad1694022100cfc45dcf264888c6ba2c36e78bd27bb67856d7879a052dd7aa7ecf7215f7b992
 b'server to client'

tests/multi_net/sslcontext_server_client.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-certfile = "rsa_cert.der"
-keyfile = "rsa_key.der"
+certfile = "ec_cert.der"
+keyfile = "ec_key.der"
 
 try:
     os.stat(certfile)

tests/multi_net/sslcontext_server_client_ciphers.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)
@@ -48,8 +48,8 @@ def instance1():
     s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
     client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
     ciphers = client_ctx.get_ciphers()
-    assert "TLS-RSA-WITH-AES-256-CBC-SHA256" in ciphers
-    client_ctx.set_ciphers(["TLS-RSA-WITH-AES-256-CBC-SHA256"])
+    assert "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" in ciphers
+    client_ctx.set_ciphers(["TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"])
     client_ctx.verify_mode = ssl.CERT_REQUIRED
     client_ctx.load_verify_locations(cafile=cafile)
     s = client_ctx.wrap_socket(s, server_hostname="micropython.local")

tests/multi_net/sslcontext_server_client_files.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/sslcontext_verify_error.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/sslcontext_verify_time_error.py

@@ -12,7 +12,7 @@ PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
 cert = cafile = "expired_cert.der"
-key = "rsa_key.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)