From 5264478007c78b7737972404bda18ab39d792e17 Mon Sep 17 00:00:00 2001 From: Thorsten von Eicken Date: Thu, 2 Jul 2020 12:34:36 -0700 Subject: [PATCH] extmod/modussl_mbedtls: Integrate shorter error strings. The stm32 and esp32 ports now use shorter error strings for mbedtls errors. Also, MBEDTLS_ERROR_C is enabled on stm32 by default to get these strings. --- extmod/modussl_mbedtls.c | 20 ++++++++++++-------- ports/esp32/Makefile | 6 ++++-- ports/stm32/Makefile | 3 +++ ports/stm32/mbedtls/mbedtls_config.h | 1 + tests/net_inet/test_tls_sites.py | 2 +- tests/net_inet/tls_text_errors.py | 4 ++-- 6 files changed, 23 insertions(+), 13 deletions(-) diff --git a/extmod/modussl_mbedtls.c b/extmod/modussl_mbedtls.c index 94061ddc8..1677dc6e1 100644 --- a/extmod/modussl_mbedtls.c +++ b/extmod/modussl_mbedtls.c @@ -77,17 +77,21 @@ STATIC void mbedtls_debug(void *ctx, int level, const char *file, int line, cons #endif STATIC NORETURN void mbedtls_raise_error(int err) { - #if defined(MBEDTLS_ERROR_C) - // Including mbedtls_strerror takes about 16KB on the esp32 due to all the strings. - // MBEDTLS_ERROR_C is the define used by mbedtls to conditionally include mbedtls_strerror. - // It is set/unset in the MBEDTLS_CONFIG_FILE which is defined in the Makefile. - // "small" negative integer error codes come from underlying stream/sockets, not mbedtls + // _mbedtls_ssl_send and _mbedtls_ssl_recv (below) turn positive error codes from the + // underlying socket into negative codes to pass them through mbedtls. Here we turn them + // positive again so they get interpreted as the OSError they really are. The + // cut-off of -256 is a bit hacky, sigh. if (err < 0 && err > -256) { mp_raise_OSError(-err); } + #if defined(MBEDTLS_ERROR_C) + // Including mbedtls_strerror takes about 1.5KB due to the error strings. + // MBEDTLS_ERROR_C is the define used by mbedtls to conditionally include mbedtls_strerror. + // It is set/unset in the MBEDTLS_CONFIG_FILE which is defined in the Makefile. + // Try to allocate memory for the message - #define ERR_STR_MAX 100 // mbedtls_strerror truncates if it doesn't fit + #define ERR_STR_MAX 80 // mbedtls_strerror truncates if it doesn't fit mp_obj_str_t *o_str = m_new_obj_maybe(mp_obj_str_t); byte *o_str_buf = m_new_maybe(byte, ERR_STR_MAX); if (o_str == NULL || o_str_buf == NULL) { @@ -96,7 +100,7 @@ STATIC NORETURN void mbedtls_raise_error(int err) { // print the error message into the allocated buffer mbedtls_strerror(err, (char *)o_str_buf, ERR_STR_MAX); - size_t len = strnlen((char *)o_str_buf, ERR_STR_MAX); + size_t len = strlen((char *)o_str_buf); // Put the exception object together o_str->base.type = &mp_type_str; @@ -108,7 +112,7 @@ STATIC NORETURN void mbedtls_raise_error(int err) { nlr_raise(mp_obj_exception_make_new(&mp_type_OSError, 2, 0, args)); #else // mbedtls is compiled without error strings so we simply return the err number - mp_raise_OSError(err); // typ. err is negative + mp_raise_OSError(err); // err is typically a large negative number #endif } diff --git a/ports/esp32/Makefile b/ports/esp32/Makefile index 0f6a1969a..2cbe9f6be 100644 --- a/ports/esp32/Makefile +++ b/ports/esp32/Makefile @@ -362,6 +362,7 @@ EXTMOD_SRC_C += $(addprefix extmod/,\ ) LIB_SRC_C = $(addprefix lib/,\ + mbedtls_errors/mp_mbedtls_errors.c \ mp-readline/readline.c \ netutils/netutils.c \ timeutils/timeutils.c \ @@ -506,11 +507,12 @@ ESPIDF_LWIP_O = $(patsubst %.c,%.o,\ $(wildcard $(ESPCOMP)/lwip/port/esp32/*/*.c) \ ) -ESPIDF_MBEDTLS_O = $(patsubst %.c,%.o,\ +# Mbedtls source files, exclude error.c in favor of lib/mbedtls_errors/mp_mbedtls_errors.c +ESPIDF_MBEDTLS_O = $(patsubst %.c,%.o, $(filter-out %/error.c,\ $(wildcard $(ESPCOMP)/mbedtls/mbedtls/library/*.c) \ $(wildcard $(ESPCOMP)/mbedtls/port/*.c) \ $(wildcard $(ESPCOMP)/mbedtls/port/esp32/*.c) \ - ) + )) ESPIDF_MDNS_O = $(patsubst %.c,%.o,$(wildcard $(ESPCOMP)/mdns/*.c)) diff --git a/ports/stm32/Makefile b/ports/stm32/Makefile index 2614d4aa0..fe8f0b871 100644 --- a/ports/stm32/Makefile +++ b/ports/stm32/Makefile @@ -472,6 +472,9 @@ endif ifeq ($(MICROPY_SSL_MBEDTLS),1) CFLAGS_MOD += -DMBEDTLS_CONFIG_FILE='"mbedtls/mbedtls_config.h"' SRC_MOD += mbedtls/mbedtls_port.c +# replace mbedtls' error.c by ours +SRC_MOD := $(filter-out %/mbedtls/library/error.c, $(SRC_MOD)) +LIB_SRC_C += lib/mbedtls_errors/mp_mbedtls_errors.c endif ifeq ($(MICROPY_PY_BLUETOOTH),1) diff --git a/ports/stm32/mbedtls/mbedtls_config.h b/ports/stm32/mbedtls/mbedtls_config.h index 338c8b354..56fbbf3aa 100644 --- a/ports/stm32/mbedtls/mbedtls_config.h +++ b/ports/stm32/mbedtls/mbedtls_config.h @@ -67,6 +67,7 @@ #define MBEDTLS_CTR_DRBG_C //#define MBEDTLS_ECP_C #define MBEDTLS_ENTROPY_C +#define MBEDTLS_ERROR_C #define MBEDTLS_MD_C #define MBEDTLS_MD5_C #define MBEDTLS_OID_C diff --git a/tests/net_inet/test_tls_sites.py b/tests/net_inet/test_tls_sites.py index 876343acf..d2cb928c8 100644 --- a/tests/net_inet/test_tls_sites.py +++ b/tests/net_inet/test_tls_sites.py @@ -54,7 +54,7 @@ def main(): test_one(site, opts) print(site, "ok") except Exception as e: - print(site, repr(e)) + print(site, e) main() diff --git a/tests/net_inet/tls_text_errors.py b/tests/net_inet/tls_text_errors.py index 2ba167b86..9e8ccfaf9 100644 --- a/tests/net_inet/tls_text_errors.py +++ b/tests/net_inet/tls_text_errors.py @@ -14,10 +14,10 @@ def test(addr): print("wrap: no exception") except OSError as e: # mbedtls produces "mbedtls -0x7200: SSL - An invalid SSL record was received" - # axtls produces "RECORD_OVERFLOW" + # axtls produces "RECORD_OVERFLOW" but also prints "TLS buffer overflow,..." # CPython produces "[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1108)" ok = ( - "invalid SSL record" in str(e) + "SSL_INVALID_RECORD" in str(e) or "RECORD_OVERFLOW" in str(e) or "wrong version" in str(e) )