From patchwork Wed Mar 5 14:26:42 2025
X-Patchwork-Submitter: Jerome Forissier
X-Patchwork-Id: 870549
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Heinrich Schuchardt, Mattijs Korpershoek, Ibai Erkiaga, Michal Simek, Adriano Cordova
Subject: [PATCH v2 1/6] net: lwip: extend wget to support CA (root) certificates
Date: Wed, 5 Mar 2025 15:26:42 +0100
Message-ID: <20250305142650.2966738-2-jerome.forissier@linaro.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20250305142650.2966738-1-jerome.forissier@linaro.org>
References: <20250305142650.2966738-1-jerome.forissier@linaro.org>
MIME-Version: 1.0
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot"
X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de
X-Virus-Status: Clean

Add the "cacert" (Certification Authority certificates) subcommand to
wget to pass root certificates to the code handling the HTTPS protocol.
The subcommand is enabled by the WGET_CACERT Kconfig symbol.

Usage example:

=> dhcp
# Download some root certificates (note: not authenticated!)
=> wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
# Provide root certificates
=> wget cacert $fileaddr $filesize
# Enforce verification (it is optional by default)
=> wget cacert required
# Forget the root certificates
=> wget cacert 0 0
# Disable verification
=> wget cacert none

Signed-off-by: Jerome Forissier
---
 cmd/Kconfig     |   8 ++++
 cmd/net-lwip.c  |  17 ++++++--
 net/lwip/wget.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 121 insertions(+), 6 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 8dd42571abc..d469217c0ea 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2177,6 +2177,14 @@ config WGET_HTTPS help Enable TLS over http for wget. +config WGET_CACERT + bool "wget cacert" + depends on CMD_WGET + depends on WGET_HTTPS + help + Adds the "cacert" sub-command to wget to provide root certificates + to the HTTPS engine. Must be in DER format. + endif # if CMD_NET config CMD_PXE diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c index 0fd446ecb20..1152c94a6dc 100644 --- a/cmd/net-lwip.c +++ b/cmd/net-lwip.c @@ -27,9 +27,20 @@ U_BOOT_CMD(dns, 3, 1, do_dns, "lookup the IP of a hostname", #endif #if defined(CONFIG_CMD_WGET) -U_BOOT_CMD(wget, 3, 1, do_wget, - "boot image via network using HTTP/HTTPS protocol", +U_BOOT_CMD(wget, 4, 1, do_wget, + "boot image via network using HTTP/HTTPS protocol" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert - configure wget root certificates" +#endif + , "[loadAddress] url\n" - "wget [loadAddress] [host:]path" + "wget [loadAddress] [host:]path\n" + " - load file" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert
\n" + " - provide CA certificates (0 0 to remove current)" + "\nwget cacert none|optional|required\n" + " - set server certificate verification mode (default: optional)" +#endif ); #endif diff --git a/net/lwip/wget.c b/net/lwip/wget.c index 14f27d42998..c22843ee10d 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c @@ -285,9 +285,68 @@ static err_t httpc_headers_done_cb(httpc_state_t *connection, void *arg, struct return ERR_OK; } +#if CONFIG_IS_ENABLED(WGET_HTTPS) +enum auth_mode { + AUTH_NONE, + AUTH_OPTIONAL, + AUTH_REQUIRED, +}; + +static char *cacert; +static size_t cacert_size; +static enum auth_mode cacert_auth_mode = AUTH_OPTIONAL; +#endif + +#if CONFIG_IS_ENABLED(WGET_CACERT) +static int set_auth(enum auth_mode auth) +{ + cacert_auth_mode = auth; + + return CMD_RET_SUCCESS; +} + +static int set_cacert(char * const saddr, char * const ssz) +{ + mbedtls_x509_crt crt; + ulong addr, sz; + int ret; + + if (cacert) + free(cacert); + + addr = hextoul(saddr, NULL); + sz = hextoul(ssz, NULL); + + if (!addr) { + cacert = NULL; + cacert_size = 0; + return CMD_RET_SUCCESS; + } + + cacert = malloc(sz); + if (!cacert) + return CMD_RET_FAILURE; + cacert_size = sz; + + memcpy(cacert, (void *)addr, sz); + + mbedtls_x509_crt_init(&crt); + ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size); + if (ret) { + printf("Could not parse certificates (%d)\n", ret); + free(cacert); + cacert = NULL; + cacert_size = 0; + return CMD_RET_FAILURE; + } + + return CMD_RET_SUCCESS; +} +#endif + static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { -#if defined CONFIG_WGET_HTTPS +#if CONFIG_IS_ENABLED(WGET_HTTPS) altcp_allocator_t tls_allocator; #endif httpc_connection_t conn; 
@@ -312,11 +371,34 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) return -1; memset(&conn, 0, sizeof(conn)); -#if defined CONFIG_WGET_HTTPS +#if CONFIG_IS_ENABLED(WGET_HTTPS) if (is_https) { + char *ca = cacert; + size_t ca_sz = cacert_size; + + if (cacert_auth_mode == AUTH_REQUIRED) { + if (!ca || !ca_sz) { + printf("Error: cacert authentication mode is " + "'required' but no CA certificates " + "given\n"); + return CMD_RET_FAILURE; + } + } else if (cacert_auth_mode == AUTH_NONE) { + ca = NULL; + ca_sz = 0; + } else if (cacert_auth_mode == AUTH_OPTIONAL) { + /* + * Nothing to do, this is the default behavior of + * altcp_tls to check server certificates against CA + * certificates when the latter are provided and proceed + * with no verification if not. + */ + } + tls_allocator.alloc = &altcp_tls_alloc; tls_allocator.arg = - altcp_tls_create_config_client(NULL, 0, ctx.server_name); + altcp_tls_create_config_client(ca, ca_sz, + ctx.server_name); if (!tls_allocator.arg) { log_err("error: Cannot create a TLS connection\n"); @@ -369,6 +451,20 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[]) ulong dst_addr; char nurl[1024]; +#if CONFIG_IS_ENABLED(WGET_CACERT) + if (argc == 4 && !strncmp(argv[1], "cacert", strlen("cacert"))) + return set_cacert(argv[2], argv[3]); + if (argc == 3 && !strncmp(argv[1], "cacert", strlen("cacert"))) { + if (!strncmp(argv[2], "none", strlen("none"))) + return set_auth(AUTH_NONE); + if (!strncmp(argv[2], "optional", strlen("optional"))) + return set_auth(AUTH_OPTIONAL); + if (!strncmp(argv[2], "required", strlen("required"))) + return set_auth(AUTH_REQUIRED); + return CMD_RET_USAGE; + } +#endif + if (argc < 2 || argc > 3) return CMD_RET_USAGE;
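Review bot: the help text for WGET_CACERT in the cmd/Kconfig hunk should state what the option does when no certificates have been loaded, because the code initialises cacert_auth_mode to AUTH_OPTIONAL: HTTPS downloads proceed with no server certificate verification until the user runs `wget cacert required`. Someone enabling the symbol will reasonably assume it turns verification on. Suggest adding a sentence such as "Server certificates are only checked once certificates have been provided with 'wget cacert <addr> <size>'; run 'wget cacert required' to make verification mandatory."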
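Review bot: in the cmd/net-lwip.c hunk the maxargs of U_BOOT_CMD is raised from 3 to 4 outside the CONFIG_WGET_CACERT guard, so a build without the subcommand accepts a fourth argument at the command-table level and relies on the `argc > 3` check in do_wget() to reject it. Harmless, but consider keeping 3 when WGET_CACERT is not built in. The usage text should also say that the address and size are hexadecimal, since set_cacert() parses both with hextoul().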
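Review bot: set_cacert() in the first net/lwip/wget.c hunk leaks the parsed chain: mbedtls_x509_crt_parse() allocates into `crt`, and neither the success path nor the error path calls mbedtls_x509_crt_free(&crt). Add the free right after the return value of the parse is checked. A second problem is the malloc() failure path: `cacert` becomes NULL, but `cacert_size` keeps its previous value, so the next HTTPS transfer hands altcp_tls_create_config_client() a NULL buffer with a non-zero length. Reset `cacert = NULL; cacert_size = 0;` immediately after the free() at the top of the function so every early return leaves the pair consistent.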
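Review bot: the new early return in the wget_loop() hunk uses CMD_RET_FAILURE, while the rest of the function returns -1 (see the `return -1;` context line just above the memset). CMD_RET_FAILURE is 1, so a caller that tests for a negative result will treat the refused transfer as a success. Use `return -1;` here for consistency with the surrounding code. Separately, the comment in the AUTH_OPTIONAL branch documents that no verification at all happens when no CA certificates are loaded; since that is the default mode, logging a warning at that point would let the user see that the HTTPS download was unauthenticated.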
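Review bot: the argument matching in the do_wget() hunk uses strncmp(argv[1], "cacert", strlen("cacert")), which is a prefix match: any first argument beginning with "cacert" is accepted, and likewise "nonexistent" selects AUTH_NONE because it begins with "none". Use strcmp() so that only the exact keywords are recognised. Also, `wget cacert` with no further argument (argc == 2) falls through to the ordinary download path and tries to fetch the URL "cacert"; returning CMD_RET_USAGE for that case would be clearer.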