| Message ID | 20250305142650.2966738-1-jerome.forissier@linaro.org |
|---|---|
| Headers | show
Delivered-To: patch@linaro.org
Received: by 2002:a05:6000:178f:b0:38f:210b:807b with SMTP id e15csp810398wrg;
Wed, 5 Mar 2025 06:27:23 -0800 (PST)
X-Forwarded-Encrypted: i=2;
AJvYcCVpT0lKB4F3314dtdYDAnm9rLIPobGExnvecOwLwJUnkFnRMupvEa+9WlMAOMvVYVUAriTN3A==@linaro.org
X-Google-Smtp-Source:
AGHT+IFdRk0oO28S6H2PcKO4jCwXROSAnPplv2BI6N6czY4p74rVYEYBmDY8OJ/OyrJD+UQVqm9b
X-Received: by 2002:a17:903:2a86:b0:220:c813:dfcc with SMTP id
d9443c01a7336-223f1cf4799mr63490105ad.40.1741184843082;
Wed, 05 Mar 2025 06:27:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1741184843; cv=none;
d=google.com; s=arc-20240605;
b=YkcBnZZ/jP8NA93jOoHu2CCi2+xMultQshkJ3afu64fp3J0X1gGkS3zcd8CEE+K8YA
BiTxtTtkfxeHYpPQx6Gb52E80uWxRJYYO9ZLSVlSO7rj3cF3QXwXLOQcGy40yAdNd1uF
f/q1DcaHCATmo6AVPZbO7B0GoS+KYkMmVabCuLREHMqpM/nbQvck+rGwVbOAVIlPhbix
QXrxrFphSaO3EiBmj5wFW898y/OKwkHHZf3A+e9GlspgD2DLE+WL9TMLEAHC1c9GyV2B
tlLcEvGqcAQMa+2SpXPQdi8e3I2W0mdYly11phJ/Kng74Qk8qXzxnqlgsRsNTEXogsuo
adIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20240605;
h=sender:errors-to:list-subscribe:list-help:list-post:list-archive
:list-unsubscribe:list-id:precedence:content-transfer-encoding
:mime-version:message-id:date:subject:cc:to:from:dkim-signature;
bh=uTZuNaTK+mvgzVaEWxdEblzN7YSYIb+54sho3OLonmI=;
fh=h6aAVEeZBlEjv+vPa+An2K+XRkhpZcjcZcS2M4TGdaU=;
b=GpgYEQLo0BBrUcTvh53N2s2meLJvyTR0xdv3i26zDOZqoDyI1GjYSr+iy9g/57SY9t
xjS5o0rZQ6pYVMqh8DLw7pGCAU74HEzzATtVTL0op73ojudOdOARJ9/Zsb5bQ0Iq+7S9
Wk/mPAG/UMYDQr3We4dtdxbTk6e/vFLeENnSJQgfpfnMTJP5kfLyowavDbsWPT9TcRUK
iNmtnQRfHDqjA3OL+IQG/rBLvXXuG9fQFYTL6VbqdJSVcR2k8V/jpRvz+Gxb4vx0EyWL
RnNgqZx16HmsYi6dSt4QlUM6ka0DAuF57AnSDB8cdP/vrp0eM05zCVlIy2UfKNAWwib1
ZW3Q==;
dara=google.com
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@linaro.org header.s=google header.b="Q1/lA3Y+";
spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates
85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org;
dara=neutral header.i=@linaro.org
Return-Path: <u-boot-bounces@lists.denx.de>
Received: from phobos.denx.de (phobos.denx.de. [85.214.62.61])
by mx.google.com with ESMTPS id
d9443c01a7336-22404e8c09asi4431015ad.512.2025.03.05.06.27.21
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 05 Mar 2025 06:27:23 -0800 (PST)
Received-SPF: pass (google.com: domain of u-boot-bounces@lists.denx.de
designates 85.214.62.61 as permitted sender) client-ip=85.214.62.61;
Authentication-Results: mx.google.com;
dkim=pass header.i=@linaro.org header.s=google header.b="Q1/lA3Y+";
spf=pass (google.com: domain of u-boot-bounces@lists.denx.de designates
85.214.62.61 as permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org;
dara=neutral header.i=@linaro.org
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
by phobos.denx.de (Postfix) with ESMTP id 19C6D81280;
Wed, 5 Mar 2025 15:27:18 +0100 (CET)
Authentication-Results: phobos.denx.de;
dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
dkim=pass (2048-bit key;
unprotected) header.d=linaro.org header.i=@linaro.org header.b="Q1/lA3Y+";
dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
id 5C6BF811C1; Wed, 5 Mar 2025 15:27:16 +0100 (CET)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level:
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,
SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2
Received: from mail-wr1-x42a.google.com (mail-wr1-x42a.google.com
[IPv6:2a00:1450:4864:20::42a])
(using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
(No client certificate requested)
by phobos.denx.de (Postfix) with ESMTPS id 35D6B808B6
for <u-boot@lists.denx.de>; Wed, 5 Mar 2025 15:27:14 +0100 (CET)
Authentication-Results: phobos.denx.de;
dmarc=pass (p=none dis=none) header.from=linaro.org
Authentication-Results: phobos.denx.de;
spf=pass smtp.mailfrom=jerome.forissier@linaro.org
Received: by mail-wr1-x42a.google.com with SMTP id
ffacd0b85a97d-390fdaf2897so3991626f8f.0
for <u-boot@lists.denx.de>; Wed, 05 Mar 2025 06:27:14 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=linaro.org; s=google; t=1741184833; x=1741789633; darn=lists.denx.de;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:from:to:cc:subject:date:message-id:reply-to;
bh=uTZuNaTK+mvgzVaEWxdEblzN7YSYIb+54sho3OLonmI=;
b=Q1/lA3Y+ASANgIq7naLlJ0rnNwUmsWVvuqkPL3210EZ+g4hgc5lUznnH5CshXu6HZl
x4awlz1RFa5IvgsT1vHYA6rOx24BdRlm039gtxBpv0hDMtP9hcweTCBZfXE41NkgLYTg
GYHrQ/ywdKN96dyU5Ah+uaj2cQrtmhk6DqnPJGBDbJk6hekTIi/a/56AeXNnhAkSUfWD
Mr/CfViuX2jxfJiJ2wQnOqC1DQtW/g/oT9RxpJjqO0RTHD0r8svwT6A0qWw1OhK3Pxc9
QQU5tlt91nN+1x1D4sLwVosM/pveoGGV2L47oEdsH3iuJa43nZYO3tpsK0mmmuA1z/Hn
qSTw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1741184833; x=1741789633;
h=content-transfer-encoding:mime-version:message-id:date:subject:cc
:to:from:x-gm-message-state:from:to:cc:subject:date:message-id
:reply-to;
bh=uTZuNaTK+mvgzVaEWxdEblzN7YSYIb+54sho3OLonmI=;
b=rCvAuZSG9UpkQNUs+2qACfyYaCSUW14OBbPSfYESXIt+0n+tmeV/nvclDx/34YxZH8
8U9DwiEP+S2MC7Vqp6HE/WUcUQ8DFPlMNXlgRZrrzP/GjEtaUz0GXlQFeFmhohXeGGGj
bYrEsIHB3ZE/ghq3QTM2cc4CZlnoitudjSc19bIwZMmNJkYLhOCXaBJ1j+YhaO7v2fUU
RAEh9EMda2uRpKGA+cydyy8c0lkvGb38RMIWJrcVow5stdMemTgcwO+ys3ldn5QdUR79
RbOXvjDA5Ru7bIFmURHsqeb/v26WPcUDkiWc6ImmQJBMYQDi+twi93Yh0M49epg3p/7G
0kNw==
X-Gm-Message-State: AOJu0Yw8yN45UdSED9yNKOH1DG8dvDw4H8PsAIhhA2yjnVvTofSYqvg2
WhVoBKtH5C2nzpr2FO1kKz4souv8NEUeZ/ySVr/e44gFA4pvGCvEFwyKUDAk1dKplk9EFK7zqoZ
U
X-Gm-Gg: ASbGncurD9VggEMPcIPxtCXvkeRLThwJn8iC5zVkRNRih0L4E8h5V0c6M+/pbN9rThb
uco8CXz8y+tpO5pT8inOXFm+aB9Z8Lvi/GNZe06iEcOlP6efv1r1sGUYFOgMgEcuCGxBqCgxPn0
It8F7p7Sc5w9PVQYmutxG+E5Sqi1fLYiEXYgXbReab0r2VVWd0ISbZGp1ZpNIE5r14h5kgOqe8Z
4Sf0LlaN+fxuG+BfY/eHs4cswdx2Gtgpyt+gqewjU0sYe77W7WSCwsYs+/pbHQyjhPhBrX/xfXS
c8AWmUOgOgQPtlvtwk/GkZkcQX9HX/kn7x6Gv4TXYSRHz6DUOiGH4w==
X-Received: by 2002:a5d:6d8f:0:b0:390:fbcf:56d5 with SMTP id
ffacd0b85a97d-3911f58f3a1mr3394838f8f.0.1741184833454;
Wed, 05 Mar 2025 06:27:13 -0800 (PST)
Received: from builder.. ([2a01:e0a:3cb:7bb0:369c:9bd8:7c87:9a39])
by smtp.gmail.com with ESMTPSA id
ffacd0b85a97d-391188029e0sm5442456f8f.52.2025.03.05.06.27.13
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 05 Mar 2025 06:27:13 -0800 (PST)
From: Jerome Forissier <jerome.forissier@linaro.org>
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas <ilias.apalodimas@linaro.org>,
Jerome Forissier <jerome.forissier@linaro.org>
Subject: [PATCH v2 0/6] net: lwip: root certificates
Date: Wed, 5 Mar 2025 15:26:41 +0100
Message-ID: <20250305142650.2966738-1-jerome.forissier@linaro.org>
X-Mailer: git-send-email 2.43.0
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
<mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de
X-Virus-Status: Clean
|
| Series |
net: lwip: root certificates
|
expand
|
This series adds support for HTTP server authentication using root (CA) certificates. As a first step, the wget command is extended to support a sub-command: cacert <addr> <size>. The memory region shall contain the CA certificates. With this, it is possible to load the certificates from storage or get them from the network for example, which is convenient for testing at least. The Kconfig symbol for this feature is WGET_CACERT=y. Then new Kconfig symbols are added to support providing the certificates at build time as a DER encoded X509 collection: WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>. An example of how to use this feature is given in patch "doc: cmd: wget: document cacert subcommand". Changes in v2: - Drop PEM support. It is unnecessary since conversion from PEM to DER is easy, and PEM takes more space in memory. Another reason is the ugly hack requiring to allocate one more byte for the null terminator in case the file is PEM (therefore, text). - Add 'wget cacert none|optional|required' - Replace '#if defined CONFIG_X' with '#if CONFIG_IS_ENABLED(X)' in net/lwip/wget.c Do NOT replace '#if defined(CONFIG_X)' in net/net-lwip.c for consistency with how other symbols are treated in that file. - Make builtin_cacert const - Make cacert_size static - BUILTIN_CACERT selects BUILD_BIN2C - Add documentation in doc/cmd/wget.rst - Apply review tags Jerome Forissier (6): net: lwip: extend wget to support CA (root) certificates lwip: tls: enforce checking of server certificates based on CA availability lwip: tls: warn when no CA exists amd log certificate validation errors net: lwip: add support for built-in root certificates doc: cmd: wget: document cacert subcommand configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT cmd/Kconfig | 22 +++ cmd/net-lwip.c | 21 ++- configs/qemu_arm64_lwip_defconfig | 1 + doc/usage/cmd/wget.rst | 82 +++++++++- .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 9 +- .../lwip/apps/altcp_tls_mbedtls_opts.h | 6 - net/lwip/Makefile | 6 + net/lwip/wget.c | 141 +++++++++++++++++- 8 files changed, 273 insertions(+), 15 deletions(-)