From patchwork Thu Feb 27 16:09:00 2025
X-Patchwork-Submitter: Jerome Forissier
X-Patchwork-Id: 868971
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier
Subject: [PATCH 0/5] net: lwip: root certificates
Date: Thu, 27 Feb 2025 17:09:00 +0100

This series adds support for HTTP server authentication using root (CA)
certificates.

As a first step, the wget command is extended to support a sub-command:
cacert. The memory region shall contain the CA certificates. With this, it
is possible to load the certificates from storage or get them from the
network for example, which is convenient for testing at least. The Kconfig
symbol for this feature is WGET_CACERT=y.

Then new Kconfig symbols are added to support providing the certificates
at build time, as a DER or PEM encoded X509 collection:
WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=.

Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
command as well as for the builtin way).

Here is a complete example (showing only the relevant output from the
various commands):

  make qemu_arm64_lwip_defconfig
  wget https://curl.se/ca/cacert.pem
  echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
  echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
  make olddefconfig
  make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
  qemu-system-aarch64 -M virt -nographic -cpu max \
      -object rng-random,id=rng0,filename=/dev/urandom \
      -device virtio-rng-pci,rng=rng0 -bios u-boot.bin

  => dhcp
  # HTTPS transfer using the builtin CA certificates
  => wget https://www.google.com/
  18724 bytes transferred in 15 ms (1.2 MiB/s)
  # Disable certificate validation
  => wget cacert 0 0
  # Unsafe HTTPS transfer
  => wget https://www.google.com/
  WARNING: no CA certificates, HTTPS connections not authenticated
  16570 bytes transferred in 15 ms (1.1 MiB/s)
  # Download and apply CA certificates from the net
  => wget https://curl.se/ca/cacert.pem
  WARNING: no CA certificates, HTTPS connections not authenticated
  ##
  233263 bytes transferred in 61 ms (3.6 MiB/s)
  => wget cacert $fileaddr $filesize
  # Now HTTPS is authenticated against the new CA
  => wget https://www.google.com/
  18743 bytes transferred in 14 ms (1.3 MiB/s)
  # Drop the certificates again...
  => wget cacert 0 0
  # Check that transfer is not secure
  => wget https://www.google.com/
  WARNING: no CA certificates, HTTPS connections not authenticated
  # Restore the builtin CA
  => wget cacert builtin
  # No more WARNING
  => wget https://www.google.com/
  18738 bytes transferred in 15 ms (1.2 MiB/s)

Jerome Forissier (5):
  net: lwip: extend wget to support CA (root) certificates
  lwip: tls: enforce checking of server certificates based on CA availability
  lwip: tls: warn when no CA exists and log certificate validation errors
  net: lwip: add support for built-in root certificates
  configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and MBEDTLS_LIB_X509_PEM

 cmd/Kconfig                                    | 29 ++++++
 cmd/net-lwip.c                                 | 19 +++-
 configs/qemu_arm64_lwip_defconfig              |  2 +
 .../src/apps/altcp_tls/altcp_tls_mbedtls.c     |  9 +-
 .../lwip/apps/altcp_tls_mbedtls_opts.h         |  6 --
 lib/mbedtls/Makefile                           |  3 +
 lib/mbedtls/mbedtls_def_config.h               |  5 ++
 net/lwip/Makefile                              |  6 ++
 net/lwip/wget.c                                | 90 ++++++++++++++++++-
 9 files changed, 158 insertions(+), 11 deletions(-)
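A pre-flight check for the CA blob that the cover letter feeds to "wget cacert $fileaddr $filesize" or to CONFIG_WGET_BUILTIN_CACERT_PATH, added here as an example; it is not part of this series or of U-Boot, and it does not use the mbedtls API at all. It accepts either a PEM bundle (concatenated CERTIFICATE blocks, as in curl's cacert.pem) or a DER collection (back-to-back DER SEQUENCEs) and verifies that the byte count handed to the loader covers whole certificates, which is exactly what goes wrong when $filesize is stale or a DER file is cut short. Only the outer ASN.1 framing is checked, not the certificate contents; the sample inputs are constructed minimal SEQUENCEs, not real certificates, and the names check_bundle, der_object_len, split_der_collection, pem_bundle_to_der and rejects are this example's own.

```python
"""Sanity-check a CA bundle before loading it with `wget cacert <addr> <size>`.
Added example, not U-Boot or mbedtls code.  Checks DER framing only."""
import base64
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
SEQUENCE = 0x30


def der_object_len(buf: bytes) -> int:
    """Total encoded size (tag + length octets + content) of the DER SEQUENCE
    at the start of buf, following X.690 definite-length rules."""
    if len(buf) < 2 or buf[0] != SEQUENCE:
        raise ValueError("not a DER SEQUENCE (tag 0x30)")
    first = buf[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:          # 0x80 is indefinite length: BER, not DER
        raise ValueError("invalid DER length octet")
    if len(buf) < 2 + nbytes:
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[2:2 + nbytes], "big")
    # DER requires the minimal number of length octets.
    if length < 0x80 or (nbytes > 1 and length < 1 << (8 * (nbytes - 1))):
        raise ValueError("non-minimal length encoding is not DER")
    return 2 + nbytes + length


def split_der_collection(buf: bytes) -> list[bytes]:
    """Split back-to-back DER certificates; fail if the last one is cut short."""
    certs, off = [], 0
    while off < len(buf):
        n = der_object_len(buf[off:])
        if off + n > len(buf):
            raise ValueError(f"object at offset {off} needs {n} bytes, "
                             f"only {len(buf) - off} present (size too small?)")
        certs.append(buf[off:off + n])
        off += n
    return certs


def pem_bundle_to_der(data: bytes) -> list[bytes]:
    """Decode every CERTIFICATE block; each must be exactly one DER object."""
    certs = []
    for m in PEM_BLOCK.finditer(data):
        der = base64.b64decode(m.group(1), validate=False)  # drops newlines
        if der_object_len(der) != len(der):
            raise ValueError("PEM block does not decode to one DER object")
        certs.append(der)
    return certs


def check_bundle(data: bytes) -> dict:
    """Return format, certificate count and byte count, or raise ValueError."""
    if data.lstrip().startswith(b"-----BEGIN"):
        certs = pem_bundle_to_der(data)
        if not certs:
            raise ValueError("PEM input but no CERTIFICATE blocks")
        return {"format": "PEM", "count": len(certs), "size": len(data)}
    if data[:1] == bytes([SEQUENCE]):
        certs = split_der_collection(data)
        return {"format": "DER", "count": len(certs), "size": len(data)}
    raise ValueError("neither PEM nor DER")


def rejects(data: bytes) -> bool:
    """True when check_bundle refuses the blob (used to show failure modes)."""
    try:
        check_bundle(data)
        return False
    except ValueError:
        return True


# Constructed sample input: a 5-byte DER SEQUENCE containing INTEGER 5.
# It is NOT a certificate; it only exercises the framing checks above.
TOY_DER = bytes.fromhex("3003020105")
SAMPLE_DER_COLLECTION = TOY_DER * 2
SAMPLE_PEM_BUNDLE = (
    b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n" * 2)

if __name__ == "__main__":
    print(check_bundle(SAMPLE_PEM_BUNDLE))
    print(check_bundle(SAMPLE_DER_COLLECTION))
    # A <size> one byte too small: the second object is cut short.
    print("truncated DER rejected:", rejects(SAMPLE_DER_COLLECTION[:-1]))
```

Run it on the actual file (for instance `check_bundle(open("cacert.pem", "rb").read())`) and compare the reported size with the $filesize you pass to "wget cacert". One caveat from the mbedtls side, not from this series: mbedtls_x509_crt_parse() documents that PEM input must be NUL-terminated and that its buflen includes the terminator, whereas DER input needs no terminator; the cover letter does not say how the cacert command handles that, so if a PEM region loaded via $fileaddr/$filesize fails to parse while the same bundle works as CONFIG_WGET_BUILTIN_CACERT_PATH, that is the first thing to check.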