carglglz / upydev Goto Github PK

In the adc_config, Pin needs to be imported as well for my ESP32 board with Micropython.

Is there any way to disable standard webrepl access to the device, so that only SSLWebREPL can be used?

thanks,
Chris

When I was switching back and forth between wrepl via WiFi and sh_srepl via USB-serial, I found a glitch.

conf for sh_srepl via USB-serial:
upydev config -t /dev/tty.SLAB_USBtoUART -p pass 

conf for wrepl via WiFi
upydev config -t 192.168.1.32  -p pass 

and in the conf file, port and ip is stored bound with the same key "ip". So I have to specify the port or ip inline like follows:

upydev sh_srepl -port /dev/tty.SLAB_USBtoUART
upydev wrepl -t 192.168.1.32

It could be bettrt if port was stored as "port".

Description:

In the upydev repository, specifically within the keygen.py script, the RSA algorithm is implemented with PKCS 1v1.5 padding, which is known to be insecure and vulnerable to Bleichenbacher](https://link.springer.com/content/pdf/10.1007/bfb0055716.pdf) attack which is a chosen-ciphertext attack that exploits vulnerabilities within the RSA PKCS1v1.5 padding scheme. The use of this padding scheme can lead to security issues where an attacker may exploit the vulnerability to decipher encrypted messages or forge signatures.

Affect Version

upydev 0.4.3

Location:

https://github.com/Carglglz/upydev/blob/master/upydev/keygen.py#L919
https://github.com/Carglglz/upydev/blob/master/upydev/keygen.py#L1176
https://github.com/Carglglz/upydev/blob/master/upydev/keygen.py#L1253
https://github.com/Carglglz/upydev/blob/master/upydev/keygen.py#L1311
https://github.com/Carglglz/upydev/blob/master/upydev/keygen.py#L1125

Expected Behavior:
The cryptographic module should utilize a secure padding scheme for RSA such as OAEP (Optimal Asymmetric Encryption Padding) which is currently recommended as a safer alternative to PKCS 1v1.5.

Actual Behavior:
The current implementation of the RSA encryption and signature verification in keygen.py uses PKCS 1v1.5 padding, which is outdated and has known vulnerabilities that compromise the security of cryptographic operations.

Reference:

CWE-780: Use of RSA Algorithm without OAEP

Recommendations:

It is recommended to use OAEP (Optimal Asymmetric Encryption Padding) as the encryption scheme and PSS (Probabilistic Signature Scheme) as the signature scheme, as they offer better security.

1. Refactor the RSA implementation to use OAEP padding for encryption and PSS padding for signature, which are both provided by the RSA module in standard libraries like PyCryptodome and cryptography.io.
   2 . Conduct a thorough audit of the cryptographic operations throughout the application to ensure that secure practices are being followed.

It's crucial for the security of upydev users that this issue is addressed promptly, as cryptographic weaknesses can have severe implications for the privacy and integrity of communications facilitated by this tool.

message = b"encrypted data"
ciphertext = public_key.encrypt(
    message,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)

https://cryptography.io/en/latest/hazmat/primitives/asymmetric/rsa/#encryption

Please let me know if you require any further information or assistance in addressing this issue.

upydev watch -fre ./src/*.py would watch for any changes in files in a project directory. If change occurred it will upload only the changed file.

I tried sh_srepl and the connection established successfully but I got no echo back to the terminal.
No, it was there but in white. If I changed the color theme from light to dark, it turned to visible.

It seems the character color for the local echo is hard coded to white.

The target is ESP32 and I'm on macOS Mojave with iterm2 app.

It would be nice to be able to use upydev get main.py without uploading aditional files onto the device

get the file tree from the device and make all the filtering on the pc

this concept should be applied to other scripts where possible.

OSError: [Errno 113] No route to host
File Uploaded!

Should throw an error.

When generating private key and certs for SSLWebREPL with

upydev sslgen_key -tfkey

It failed with:

Generating SSL ECDSA key and certificates...
Getting unique id...
ID: 30aea42313e0
Passphrase:
Traceback (most recent call last):
  File "/home/chris/.espressif/python_env/idf3.3_py3.6_env/bin/upydev", line 5147, in <module>
    get_ssl_keycert(args.t, args.p)
  File "/home/chris/.espressif/python_env/idf3.3_py3.6_env/bin/upydev", line 4176, in get_ssl_keycert
    ssl_ECDSA_key_certgen(ip, passwd, dir=upydev.__path__[0]+'/')
  File "/home/chris/.espressif/python_env/idf3.3_py3.6_env/bin/upydev", line 1730, in ssl_ECDSA_key_certgen
    host_ip = netifaces.ifaddresses('en0')[netifaces.AF_INET][0]['addr']
ValueError: You must specify a valid interface name.

When looking at upydev#L1730 I could see it expected network interface of the host to be 'en0', which does not exist in my env (Ubuntu WSL in Windows 10). I edited the file and changed this to a network interface from ifconfig and the key generation and upload then succeeded.

upydev is getting stuck, how can i debug what's going wrong with it? I read all docs but there is no hint how to turn on a more verbose mode.

shell-repl @ upydev
WebREPL connected
WARNING: ENCRYPTION DISABLED IN THIS MODE

MicroPython v1.18 on 2022-01-17; ESP module (1M) with ESP8266
Type "help()" for more information.

• CTRL-k to see keybindings or -h to see help
• CTRL-s to toggle shell/repl mode
• CTRL-x or "exit" to exit
  esp8266@temp1:~ $

for i in [1,2]:
print(i)

............
....

no key combination will get you out of this situation
you have to close the terminal and start another one

It would be easier to checkout to specific version.
Also would be cool to make releases also on Github. 😄

If I use upydev in a virtual environment utilising poetry:

$ upydev config -t /dev/ttyACM3 -g -@ pybd
SerialDevice pybd settings saved globally!

$  pybd
[Errno 2] No such file or directory: '/home/ser/.cache/pypoetry/virtualenvs/mymgnss-enA7ukaw-py3.12/lib/python3.11/site-packages/upydev/UPY_G.config'
Traceback (most recent call last):
  File "/home/ser/.cache/pypoetry/virtualenvs/mymgnss-enA7ukaw-py3.12/lib/python3.11/site-packages/upydev/devicemanagement.py", line 476, in devicemanagement_action
    target, passwd = address_entry_point(dev, args=args)
                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/ser/.cache/pypoetry/virtualenvs/mymgnss-enA7ukaw-py3.12/lib/python3.11/site-packages/upydev/devicemanagement.py", line 313, in address_entry_point
    with open('{}.config'.format(group_file), 'r', encoding='utf-8') as group:
         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/home/ser/.cache/pypoetry/virtualenvs/mymgnss-enA7ukaw-py3.12/lib/python3.11/site-packages/upydev/UPY_G.config'

in summary, upydev should use ~/.config directory to store config :)

upydev/upydev/upyutils_dir/ has a copy of files in upydev/upyutils/. Not sure, is it on purpose?

First of all: this tool is amazing! Thank You!
But the readme file is huge, it is hard to find how to do basic things.
IMHO: Readme should be decluttered and must include most basic things, other specific options and functions should be on gitbook or wiki.

If You're ok with this, I'll try to make a PR.
Thanks again for this utility and please continue <3

I ran into the error:

$ upydev -h
Traceback (most recent call last):
  File "/Users/thomas/Programming/HA/MicroPython/venv/bin/upydev", line 17, in <module>
    import requests
ModuleNotFoundError: No module named 'requests'

which was resolved by:
pip install requests

I am using python 3.7.4 from MacPorts wrapped via venv under Mac OS Mojave

I'm using upydev put -fre src/*

Traceback (most recent call last):
  File "/home/stsdc/.local/bin/upytool", line 385, in <module>
    main()
  File "/home/stsdc/.local/bin/upytool", line 379, in main
    put_file(ws, src_file, dst_file)
  File "/home/stsdc/.local/bin/upytool", line 178, in put_file
    with open(local_file, "rb") as f:
IsADirectoryError: [Errno 21] Is a directory: 'src/ble'
File Uploaded!

BTW how to upload a folder? My project structure:

├── dev-requirements.txt
├── micropy.json
├── pymakr.conf
├── requirements.txt
├── src
│   ├── ble
│   │   ├── ble_advertising.py
│   │   ├── ble.py
│   │   └── ble_temperature.py
│   ├── boot.py
│   └── main.py
└── upydev_.config

When I removed global conf and local conf,
upydev sh_srepl causes an error, even if port and password were set inline, but wrepl is ok with it.

$ upydev sh_srepl -port /dev/tty.SLAB_USBtoUART -p pass

upydev_.config file not found, please provide target and         password or create config file with command "config" (see help)