# HG changeset patch
# User Edouard Tisserant
# Date 1710414036 -3600
# Node ID 32eb6e05008a6479dd0cc108b57fbb15cab854f7
# Parent f831ff63ca6ece112e832d58e491b85da2b79d59
IDE: Fix encrypted ERPC: newer TLS, better error handling, re-add explicit ERPCS scheme, use sslpsk better.
diff -r f831ff63ca6e -r 32eb6e05008a connectors/ERPC/PSK_Adapter.py
--- a/connectors/ERPC/PSK_Adapter.py Tue Feb 27 12:11:24 2024 +0100
+++ b/connectors/ERPC/PSK_Adapter.py Thu Mar 14 12:00:36 2024 +0100
@@ -1,31 +1,24 @@
 #!/usr/bin/env python
 # -*- coding: utf-8 -*-
-# This file is part of Beremiz, a Integrated Development Environment for
-# programming IEC 61131-3 automates supporting plcopen standard and CanFestival.
-#
-# Copyright (C) 2019: Edouard TISSERANT
-#
+# Written by Edouard TISSERANT (C) 2024
+# This file is part of Beremiz IDE
 # See COPYING file for copyrights details.
-#
-# This program is free software; you can redistribute it and/or
-# modify it under the terms of the GNU General Public License
-# as published by the Free Software Foundation; either version 2
-# of the License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, write to the Free Software
-# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
 """
 The TLS-PSK adapter that handles SSL connections instead of regular sockets,
 but using Pre Shared Keys instead of Certificates
+
+Corresponding stunnel.conf on PLC side:
+
+ [ERPCPSK]
+ accept = 4000
+ connect = 127.0.0.1:3000
+ ciphers = PSK
+ sslVersion = TLSv1.2
+ PSKsecrets = psk.txt
+
 """
 import socket
@@ -44,18 +37,20 @@
 super(TCPTransport, self).__init__()
 self._host = host
 self._port = port
- self._isServer = isServer
 self._sock = None
+ self._isServer = False
 if sslpsk is None:
 raise ImportError("sslpsk module is not available")
+ self.sslpskctx = sslpsk.SSLPSKContext(ssl.PROTOCOL_TLSv1_2)
+ self.sslpskctx.set_ciphers('PSK')
+ self.sslpskctx.psk = psk
+
 raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
 raw_sock.setsockopt(socket.SOL_TCP, socket.TCP_NODELAY, 1)
 raw_sock.connect((self._host, self._port))
- self._sock = sslpsk.wrap_socket(
- raw_sock, psk=psk, server_side=False,
- ciphers="PSK-AES256-CBC-SHA", # available in openssl 1.0.2
- ssl_version=ssl.PROTOCOL_TLSv1)
+
+ self._sock = self.sslpskctx.wrap_socket(raw_sock, server_side=False)
diff -r f831ff63ca6e -r 32eb6e05008a connectors/ERPC/__init__.py
--- a/connectors/ERPC/__init__.py Tue Feb 27 12:11:24 2024 +0100
+++ b/connectors/ERPC/__init__.py Thu Mar 14 12:00:36 2024 +0100
@@ -91,7 +91,18 @@
 if port:
 port = int(port)
 else:
- port = 3000
+ # default port depends on security
+ port = 4000 if IDhash else 3000
+
+ if not IDhash and _scheme=="ERPCS":
+ confnodesroot.logger.write_error(
+ f'Invalid URI "{uri}": ERPCS requires PLC ID after "#"\n')
+ return None
+ elif IDhash and _scheme!="ERPCS":
+ confnodesroot.logger.write_error(
+ f'URI "{uri}": Non-encrypted ERPC does not take a PLC ID after "#"\n')
+ return None
+
 except Exception as e:
 confnodesroot.logger.write_error(
 'Malformed URI "%s": %s\n' % (uri, str(e)))
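Review bot: `self.sslpskctx.set_ciphers('PSK')` is wider than the single `PSK-AES256-CBC-SHA` suite it replaces: OpenSSL's `PSK` keyword matches every PSK suite, including the NULL-encryption ones (PSK-NULL-SHA and friends), which are excluded only from `DEFAULT`/`ALL` and not from an explicit keyword, so a misconfigured or hostile peer can negotiate an authenticated but unencrypted session. Use `self.sslpskctx.set_ciphers('PSK:!eNULL:!aNULL')` (or pin the AEAD PSK suites the PLC's stunnel build offers) so the client does not rely on the server side to refuse them. Separately, `raw_sock` is already connected when `wrap_socket` runs and nothing closes it if the handshake raises; wrap that last line in `try/except`, `raw_sock.close()` and re-raise. `raw_sock.connect` is also issued without `settimeout`, so an unreachable PLC blocks the IDE indefinitely. The `__init__` this hunk edits starts before the hunk, and `psk` and `isServer` are parameters not visible here.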
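Review bot: The scheme guards on the new `if not IDhash and _scheme=="ERPCS":` and `elif IDhash and _scheme!="ERPCS":` lines compare exact case, so if `_scheme` (assigned outside this hunk) is taken verbatim from the user's URI, a lowercase `erpcs://host` without a `#ID` satisfies neither guard and falls through to the unencrypted ERPC path on port 3000 instead of being rejected; normalising once before the checks, e.g. `_scheme = _scheme.upper()`, or checking with `_scheme.upper() == "ERPCS"`, closes that gap if it exists. A minor style point: PEP 8 wants spaces around `==` and `!=`. The enclosing `try` begins before the hunk and its `except Exception` is the last context shown.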
@@ -136,13 +147,13 @@
 if IDhash:
 ID = IDhash[0]
 # load PSK from project
- secpath = os.path.join(str(confnodesroot.ProjectPath), 'psk', ID + '.secret')
+ secpath = os.path.join(confnodesroot.ProjectPath, 'psk', ID + '.secret')
 if not os.path.exists(secpath):
 confnodesroot.logger.write_error(
 'Error: Pre-Shared-Key Secret in %s is missing!\n' % secpath)
 return None
- secret = open(secpath).read().partition(':')[2].rstrip('\n\r')
- transport = SSLPSKClientTransport(host, port, (secret, ID))
+ secret = open(secpath).read().partition(':')[2].rstrip('\n\r').encode()
+ transport = SSLPSKClientTransport(host, port, (secret, ID.encode()))
 else:
 # TODO if serial URI then
 # transport = erpc.transport.SerialTransport(device, baudrate)
diff -r f831ff63ca6e -r 32eb6e05008a connectors/ERPC_dialog.py
--- a/connectors/ERPC_dialog.py Tue Feb 27 12:11:24 2024 +0100
+++ b/connectors/ERPC_dialog.py Thu Mar 14 12:00:36 2024 +0100
@@ -14,7 +14,7 @@
 ('port', _("Port:"))]
 # (scheme, model, secure)
-models = [("LOCAL", [], False), ("ERPC", model, False)]
+models = [("LOCAL", [], False), ("ERPC", model, False), ("ERPCS", model, True)]
 Schemes = list(zip(*models))[0]
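Review bot: The new `secret = open(secpath).read().partition(':')[2].rstrip('\n\r').encode()` line never validates what it read: a `psk/<ID>.secret` without a `:` separator, or with nothing after it, yields `b''`, which is then passed to `SSLPSKClientTransport` as the pre-shared key, so a truncated or malformed secret file silently degrades the key to empty instead of failing like the missing-file case a few lines up. The file handle is also left for the garbage collector. I would read the file under `with`, refuse an empty key, and replace the `os.path.exists()` pre-check with `FileNotFoundError` handling so the check and the open are not two separate steps; the enclosing function starts and ends outside this hunk.

```python
            secpath = os.path.join(confnodesroot.ProjectPath, 'psk', ID + '.secret')
            try:
                with open(secpath) as secfile:
                    secret = secfile.read().partition(':')[2].rstrip('\n\r').encode()
            except FileNotFoundError:
                confnodesroot.logger.write_error(
                    'Error: Pre-Shared-Key Secret in %s is missing!\n' % secpath)
                return None
            if not secret:
                confnodesroot.logger.write_error(
                    'Error: Pre-Shared-Key Secret in %s is empty or malformed!\n' % secpath)
                return None
            transport = SSLPSKClientTransport(host, port, (secret, ID.encode()))
            # … unchanged: else branch with serial-transport TODO …
```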