all: Update bindings, ports and tests for mbedtls v3.5.1.

Changes include:

- Some mbedtls source files renamed or deprecated.

- Our `mbedtls_config.h` files are renamed to `mbedtls_config_port.h`, so
  they don't clash with mbedtls's new default configuration file named
  `mbedtls_config.h`.

- MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE is deprecated.

- MBEDTLS_HAVE_TIME now requires an `mbedtls_ms_time` function to be
  defined but it's only used for TLSv1.3 (currently not enabled in
  MicroPython so there is a lazy implementation, i.e. seconds * 1000).

- `tests/multi_net/ssl_data.py` is removed (due to deprecation of
  MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE), there are the existing
  `ssl_cert_rsa.py` and `sslcontext_server_client.py` tests which do very
  similar, simple SSL data transfer.

- Tests now use an EC key by default (they are smaller and faster), and the
  RSA key has been regenerated due to the old PKCS encoding used by openssl
  rsa command, see
  https://stackoverflow.com/questions/40822328/openssl-rsa-key-pem-and-der-conversion-does-not-match
  (and `tests/README.md` has been updated accordingly).

Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>

tests/README.md

@@ -189,7 +189,7 @@ In this case CN is: micropython.local
 
 Convert them to DER format:
 ```
-$ openssl rsa -in rsa_key.pem -out rsa_key.der -outform DER
+$ openssl pkey -in rsa_key.pem -out rsa_key.der -outform DER
 $ openssl x509 -in rsa_cert.pem -out rsa_cert.der -outform DER
 ```
 

tests/multi_net/asyncio_tls_server_client.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/asyncio_tls_server_client_cert_required_error.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/asyncio_tls_server_client_readline.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/asyncio_tls_server_client_verify_error.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/ssl_cert_ec.py

@@ -0,0 +1,56 @@
+# Simple test creating an SSL connection and transferring some data
+# This test won't run under CPython because CPython doesn't have key/cert
+
+try:
+    import binascii, os, socket, ssl
+except ImportError:
+    print("SKIP")
+    raise SystemExit
+
+PORT = 8000
+
+# These are test certificates. See tests/README.md for details.
+certfile = "ec_cert.der"
+keyfile = "ec_key.der"
+
+try:
+    os.stat(certfile)
+    os.stat(keyfile)
+except OSError:
+    print("SKIP")
+    raise SystemExit
+
+with open(certfile, "rb") as cf:
+    cert = cadata = cf.read()
+
+with open(keyfile, "rb") as kf:
+    key = kf.read()
+
+
+# Server
+def instance0():
+    multitest.globals(IP=multitest.get_network_ip())
+    s = socket.socket()
+    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+    s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1])
+    s.listen(1)
+    multitest.next()
+    s2, _ = s.accept()
+    s2 = ssl.wrap_socket(s2, server_side=True, key=key, cert=cert)
+    print(s2.read(16))
+    s2.write(b"server to client")
+    s2.close()
+    s.close()
+
+
+# Client
+def instance1():
+    multitest.next()
+    s = socket.socket()
+    s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
+    s = ssl.wrap_socket(
+        s, cert_reqs=ssl.CERT_REQUIRED, server_hostname="micropython.local", cadata=cadata
+    )
+    s.write(b"client to server")
+    print(s.read(16))
+    s.close()

tests/multi_net/ssl_data.py

@@ -1,67 +0,0 @@
-# Simple test creating an SSL connection and transferring some data
-# This test won't run under CPython because it requires key/cert
-
-try:
-    import binascii, socket, ssl
-except ImportError:
-    print("SKIP")
-    raise SystemExit
-
-PORT = 8000
-
-# This self-signed key/cert pair is randomly generated and to be used for
-# testing/demonstration only.  You should always generate your own key/cert.
-key = binascii.unhexlify(
-    b"3082013b020100024100cc20643fd3d9c21a0acba4f48f61aadd675f52175a9dcf07fbef"
-    b"610a6a6ba14abb891745cd18a1d4c056580d8ff1a639460f867013c8391cdc9f2e573b0f"
-    b"872d0203010001024100bb17a54aeb3dd7ae4edec05e775ca9632cf02d29c2a089b563b0"
-    b"d05cdf95aeca507de674553f28b4eadaca82d5549a86058f9996b07768686a5b02cb240d"
-    b"d9f1022100f4a63f5549e817547dca97b5c658038e8593cb78c5aba3c4642cc4cd031d86"
-    b"8f022100d598d870ffe4a34df8de57047a50b97b71f4d23e323f527837c9edae88c79483"
-    b"02210098560c89a70385c36eb07fd7083235c4c1184e525d838aedf7128958bedfdbb102"
-    b"2051c0dab7057a8176ca966f3feb81123d4974a733df0f958525f547dfd1c271f9022044"
-    b"6c2cafad455a671a8cf398e642e1be3b18a3d3aec2e67a9478f83c964c4f1f"
-)
-cert = binascii.unhexlify(
-    b"308201d53082017f020203e8300d06092a864886f70d01010505003075310b3009060355"
-    b"0406130258583114301206035504080c0b54686550726f76696e63653110300e06035504"
-    b"070c075468654369747931133011060355040a0c0a436f6d70616e7958595a3113301106"
-    b"0355040b0c0a436f6d70616e7958595a3114301206035504030c0b546865486f73744e61"
-    b"6d65301e170d3139313231383033333935355a170d3239313231353033333935355a3075"
-    b"310b30090603550406130258583114301206035504080c0b54686550726f76696e636531"
-    b"10300e06035504070c075468654369747931133011060355040a0c0a436f6d70616e7958"
-    b"595a31133011060355040b0c0a436f6d70616e7958595a3114301206035504030c0b5468"
-    b"65486f73744e616d65305c300d06092a864886f70d0101010500034b003048024100cc20"
-    b"643fd3d9c21a0acba4f48f61aadd675f52175a9dcf07fbef610a6a6ba14abb891745cd18"
-    b"a1d4c056580d8ff1a639460f867013c8391cdc9f2e573b0f872d0203010001300d06092a"
-    b"864886f70d0101050500034100b0513fe2829e9ecbe55b6dd14c0ede7502bde5d46153c8"
-    b"e960ae3ebc247371b525caeb41bbcf34686015a44c50d226e66aef0a97a63874ca5944ef"
-    b"979b57f0b3"
-)
-
-
-# Server
-def instance0():
-    multitest.globals(IP=multitest.get_network_ip())
-    s = socket.socket()
-    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
-    s.bind(socket.getaddrinfo("0.0.0.0", PORT)[0][-1])
-    s.listen(1)
-    multitest.next()
-    s2, _ = s.accept()
-    s2 = ssl.wrap_socket(s2, server_side=True, key=key, cert=cert)
-    print(s2.read(16))
-    s2.write(b"server to client")
-    s2.close()
-    s.close()
-
-
-# Client
-def instance1():
-    multitest.next()
-    s = socket.socket()
-    s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
-    s = ssl.wrap_socket(s)
-    s.write(b"client to server")
-    print(s.read(16))
-    s.close()

tests/multi_net/sslcontext_check_hostname_error.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/sslcontext_getpeercert.py

@@ -12,8 +12,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/sslcontext_getpeercert.py.exp

@@ -1,5 +1,5 @@
 --- instance0 ---
 b'client to server'
 --- instance1 ---
-3082058930820371a00302010202141b3da08b15005eea265d0b57b8ba99812ab274cb300d06092a864886f70d01010b05003054310b30090603550406130241553113301106035504080c0a536f6d652d537461746531143012060355040a0c0b4d6963726f507974686f6e311a301806035504030c116d6963726f707974686f6e2e6c6f63616c301e170d3233313131393032323932375a170d3238313131373032323932375a3054310b30090603550406130241553113301106035504080c0a536f6d652d537461746531143012060355040a0c0b4d6963726f507974686f6e311a301806035504030c116d6963726f707974686f6e2e6c6f63616c30820222300d06092a864886f70d01010105000382020f003082020a0282020100deee37780ebca47e0f414ba033ebe692d2bc374a0eb1f42556bf266ad704208116ee0d8b2fd0b518074ad0981c4fd1322de81696ccea838884b06f56d3ebe49cf0561050f6f8ced5f7f4f13d086b28779a9647bbfae6c3f3ad68a5b28ee8a1ceb260d87ea300316599c4dd9f6082f89164b590df8695add518339f6730dec4f05b1ef63548329b0a48823035b23737f3303b56aa251dd8dcf0c20e6c1d291374c185ae657b349c20721c7c01a1b393c96d4c5f2bc8e2dfca7dab896e2fa84dee53d2bb6dbd1056970fa1812315e8ee9d92b3cb93e0b563d274bf07dd79600ef403b91d4ce814418b28cfaeb2b7d8401e64f6d4f39283df3204f2fe01f2fd289f5d2078d9ee2f96b6de1fd4284d9274fa38b0ad9ffcce8ffe66673be2cf304ee1b27c7cacaaf4ca76f1e84419e6e80f540add3e91cd469903e9ceb6bd2b1c33caa59acb5516ce8ac00e73d7a551bb65d39bd6af04411e81c20e6bd474d797a0bcd498e26720bd60ae4f900bb1afa59c7ac7a336273c7734ca5874ea63fb8ec787ab702041442da11a922baf5fbeb9eeea4f9f49cb1f659b561806d2169dbed07c43558c908c94e16491fe1a22cd92b8f33c1184353bdc985c88722f65e48024910f723035c0d33b789928296fb193cec6350884243b00bf51422ad09fb7012bd9cad4716803422be0d111deace913fac8cb2be1e96fa8449068430e5424bd0bd10203010001a3533051301d0603551d0e041604147d392a82ab464936fd7d74226694556a2945fd8d301f0603551d230418301680147d392a82ab464936fd7d74226694556a2945fd8d300f0603551d130101ff040530030101ff300d06092a864886f70d01010b05000382020100ae40c015e3eade8dabc84ee357ac9d694e7cd69ce4a1b265880273d16257119aa72fb2aa8b841e2899bea3e8690146f24d963a37825c93bf745447dc6ab09b5f2947671dca13b1e71f5c3e43011d74cdc688ed1215b3016071ae7235d77f79d7bb81f097bb04a08ccf400717721b29e2ea913eb23614610597deee477ed716db7e8ebe11aed39c7035f48259dfa54d88871c1f67159d52ce11eb111fa00708a7d7081c07fd92d54abbaec7ff1b50ce2f6f358857d2f55d1c7b5aa6dd66b9c3c2e654397e2d5330aca9834ff8fd749ce968c706fe3bb1b8510a379ec1910d7ece0212c34d56a2073fb7f25c88fe298568e448d03ec30b348f7d9a8836390216a6da7a8efed50dfb8c21a8531efc158e7f4398f87af18d1bd2926d08d34364bf5d85e88040dff3d3f1da6268dbc0cafa64f544c065380fa695a8d015b385aed0a1fd9ff1d7c2b28a549e04c1132b421f85a85640acac11c69416859fb9b461eeddffa92ae303b35c7233537077068de558dd02715e25aee976a97879038d2952be0d327892ab2fc78716b0d7aab4b923d5d79905f7f8b6a18c42e466fec62f84b6e5957deae0964dab8436b0e0cd4e08012661bafb9588fbfd7068fd6c08ab79101a4bdfe21d95cd0ee0aad7dd8a3ed128071c0ec2d063dc6dfa63189e51bf5d9259e776d7623f745a73f4e12e5c2b90493de1c6436b339e1400891e3e35c31057
+308201d330820179a00302010202144315a7cd8f69febe2640314e7c97d60a2523ad15300a06082a8648ce3d040302303f311a301806035504030c116d6963726f707974686f6e2e6c6f63616c31143012060355040a0c0b4d6963726f507974686f6e310b3009060355040613024155301e170d3234303131343034353335335a170d3235303131333034353335335a303f311a301806035504030c116d6963726f707974686f6e2e6c6f63616c31143012060355040a0c0b4d6963726f507974686f6e310b30090603550406130241553059301306072a8648ce3d020106082a8648ce3d0301070342000449b7f5fa687cb25a9464c397508149992f445c860bcf7002958eb4337636c6af840cd4c8cf3b96f2384860d8ae3ee3fa135dba051e8605e62bd871689c6af43ca3533051301d0603551d0e0416041441b3ae171d91e330411d8543ba45e0f2d5b2951b301f0603551d2304183016801441b3ae171d91e330411d8543ba45e0f2d5b2951b300f0603551d130101ff040530030101ff300a06082a8648ce3d04030203480030450220587f61c34739d6fab5802a674dcc54443ae9c87da374078c4ee1cd83f4ad1694022100cfc45dcf264888c6ba2c36e78bd27bb67856d7879a052dd7aa7ecf7215f7b992
 b'server to client'

tests/multi_net/sslcontext_server_client.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-certfile = "rsa_cert.der"
-keyfile = "rsa_key.der"
+certfile = "ec_cert.der"
+keyfile = "ec_key.der"
 
 try:
     os.stat(certfile)

tests/multi_net/sslcontext_server_client_ciphers.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)
@@ -48,8 +48,8 @@ def instance1():
     s.connect(socket.getaddrinfo(IP, PORT)[0][-1])
     client_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
     ciphers = client_ctx.get_ciphers()
-    assert "TLS-RSA-WITH-AES-256-CBC-SHA256" in ciphers
-    client_ctx.set_ciphers(["TLS-RSA-WITH-AES-256-CBC-SHA256"])
+    assert "TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256" in ciphers
+    client_ctx.set_ciphers(["TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256"])
     client_ctx.verify_mode = ssl.CERT_REQUIRED
     client_ctx.load_verify_locations(cafile=cafile)
     s = client_ctx.wrap_socket(s, server_hostname="micropython.local")

tests/multi_net/sslcontext_server_client_files.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/sslcontext_verify_error.py

@@ -11,8 +11,8 @@ except ImportError:
 PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
-cert = cafile = "rsa_cert.der"
-key = "rsa_key.der"
+cert = cafile = "ec_cert.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)

tests/multi_net/sslcontext_verify_time_error.py

@@ -12,7 +12,7 @@ PORT = 8000
 
 # These are test certificates. See tests/README.md for details.
 cert = cafile = "expired_cert.der"
-key = "rsa_key.der"
+key = "ec_key.der"
 
 try:
     os.stat(cafile)