@@ -63,6 +63,8 @@ struct ssl_args {
6363 mp_arg_val_t cert ;
6464 mp_arg_val_t server_side ;
6565 mp_arg_val_t server_hostname ;
66+ mp_arg_val_t cert_reqs ;
67+ mp_arg_val_t ca_certs ;
6668 mp_arg_val_t do_handshake ;
6769};
6870
@@ -72,7 +74,7 @@ STATIC const mp_obj_type_t ussl_socket_type;
7274STATIC void mbedtls_debug (void * ctx , int level , const char * file , int line , const char * str ) {
7375 (void )ctx ;
7476 (void )level ;
75- printf ( "DBG:%s:%04d: %s\n" , file , line , str );
77+ mp_printf ( & mp_plat_print , "DBG:%s:%04d: %s\n" , file , line , str );
7678}
7779#endif
7880
@@ -173,7 +175,7 @@ STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
173175 mbedtls_ctr_drbg_init (& o -> ctr_drbg );
174176 #ifdef MBEDTLS_DEBUG_C
175177 // Debug level (0-4) 1=warning, 2=info, 3=debug, 4=verbose
176- mbedtls_debug_set_threshold (0 );
178+ mbedtls_debug_set_threshold (3 );
177179 #endif
178180
179181 mbedtls_entropy_init (& o -> entropy );
@@ -191,7 +193,8 @@ STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
191193 goto cleanup ;
192194 }
193195
194- mbedtls_ssl_conf_authmode (& o -> conf , MBEDTLS_SSL_VERIFY_NONE );
196+ mbedtls_ssl_conf_authmode (& o -> conf , args -> cert_reqs .u_int );
197+
195198 mbedtls_ssl_conf_rng (& o -> conf , mbedtls_ctr_drbg_random , & o -> ctr_drbg );
196199 #ifdef MBEDTLS_DEBUG_C
197200 mbedtls_ssl_conf_dbg (& o -> conf , mbedtls_debug , NULL );
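Review bot: The `cert_reqs` integer is handed straight to `mbedtls_ssl_conf_authmode` on new line 196 with no range check, and its default in the argument table further down is `0`, which is `MBEDTLS_SSL_VERIFY_NONE` — so callers that omit the keyword still get no certificate verification, which the API should state explicitly. I would reject anything outside the three exported constants before the call: `if (args->cert_reqs.u_int < MBEDTLS_SSL_VERIFY_NONE || args->cert_reqs.u_int > MBEDTLS_SSL_VERIFY_REQUIRED) { mp_raise_ValueError("invalid cert_reqs"); }`. A caveat also belongs on this line, since mbedTLS only matches the peer's CN/SAN when a hostname was set via `mbedtls_ssl_set_hostname` (that handling is outside this hunk): `// CERT_REQUIRED checks the chain against ca_certs, but the name is only verified when server_hostname is set`. Without that, `CERT_REQUIRED` plus `ca_certs` but no `server_hostname` accepts any certificate issued by the trusted CA. `socket_new` begins and ends outside this hunk.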
@@ -237,6 +240,18 @@ STATIC mp_obj_ssl_socket_t *socket_new(mp_obj_t sock, struct ssl_args *args) {
237240 }
238241 }
239242
243+ if (args -> ca_certs .u_obj != mp_const_none ) {
244+ size_t cacert_len ;
245+ const byte * cacert = (const byte * )mp_obj_str_get_data (args -> ca_certs .u_obj , & cacert_len );
246+ // len should include terminating null
247+ ret = mbedtls_x509_crt_parse (& o -> cacert , cacert , cacert_len + 1 );
248+ if (ret != 0 ) {
249+ ret = MBEDTLS_ERR_X509_BAD_INPUT_DATA ; // use general error for all cert errors
250+ goto cleanup ;
251+ }
252+ mbedtls_ssl_conf_ca_chain (& o -> conf , & o -> cacert , NULL );
253+ }
254+
240255 if (args -> do_handshake .u_bool ) {
241256 while ((ret = mbedtls_ssl_handshake (& o -> ssl )) != 0 ) {
242257 if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE ) {
@@ -395,6 +410,8 @@ STATIC mp_obj_t mod_ssl_wrap_socket(size_t n_args, const mp_obj_t *pos_args, mp_
395410 { MP_QSTR_cert , MP_ARG_KW_ONLY | MP_ARG_OBJ , {.u_rom_obj = MP_ROM_NONE } },
396411 { MP_QSTR_server_side , MP_ARG_KW_ONLY | MP_ARG_BOOL , {.u_bool = false} },
397412 { MP_QSTR_server_hostname , MP_ARG_KW_ONLY | MP_ARG_OBJ , {.u_rom_obj = MP_ROM_NONE } },
413+ { MP_QSTR_cert_reqs , MP_ARG_KW_ONLY | MP_ARG_INT , {.u_int = 0 }},
414+ { MP_QSTR_ca_certs , MP_ARG_KW_ONLY | MP_ARG_OBJ , {.u_rom_obj = MP_ROM_NONE } },
398415 { MP_QSTR_do_handshake , MP_ARG_KW_ONLY | MP_ARG_BOOL , {.u_bool = true} },
399416 };
400417
@@ -412,6 +429,9 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_KW(mod_ssl_wrap_socket_obj, 1, mod_ssl_wrap_socke
412429STATIC const mp_rom_map_elem_t mp_module_ssl_globals_table [] = {
413430 { MP_ROM_QSTR (MP_QSTR___name__ ), MP_ROM_QSTR (MP_QSTR_ussl ) },
414431 { MP_ROM_QSTR (MP_QSTR_wrap_socket ), MP_ROM_PTR (& mod_ssl_wrap_socket_obj ) },
432+ { MP_ROM_QSTR (MP_QSTR_CERT_NONE ), MP_ROM_INT (MBEDTLS_SSL_VERIFY_NONE ) },
433+ { MP_ROM_QSTR (MP_QSTR_CERT_OPTIONAL ), MP_ROM_INT (MBEDTLS_SSL_VERIFY_OPTIONAL ) },
434+ { MP_ROM_QSTR (MP_QSTR_CERT_REQUIRED ), MP_ROM_INT (MBEDTLS_SSL_VERIFY_REQUIRED ) },
415435};
416436
417437STATIC MP_DEFINE_CONST_DICT (mp_module_ssl_globals , mp_module_ssl_globals_table );