From patchwork Wed Mar 5 14:26:44 2025
X-Patchwork-Submitter: Jerome Forissier
X-Patchwork-Id: 870551
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Javier Tia, Heinrich Schuchardt
Subject: [PATCH v2 3/6] lwip: tls: warn when no CA exists and log certificate validation errors
Date: Wed, 5 Mar 2025 15:26:44 +0100
Message-ID: <20250305142650.2966738-4-jerome.forissier@linaro.org>
In-Reply-To: <20250305142650.2966738-1-jerome.forissier@linaro.org>
References: <20250305142650.2966738-1-jerome.forissier@linaro.org>
List-Id: U-Boot discussion

Using HTTPS without root (CA) certificates is a security issue. Print a warning in this case. Also, when certificate verification fails, print an additional message because "HTTP client error 4" is not very informative (4 is HTTPC_RESULT_ERR_CLOSED).

Signed-off-by: Jerome Forissier
Reviewed-by: Ilias Apalodimas
---
 lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c index fa3d1d74fed..ef51a5ac168 100644 --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c @@ -298,6 +298,9 @@ altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbedtls_state_t * if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_handshake failed: %d\n", ret)); /* handshake failed, connection has to be closed */ + if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { + printf("Certificate verification failed\n"); + } if (conn->err) { conn->err(conn->arg, ERR_CLSD); } 
@@ -841,6 +844,9 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav altcp_mbedtls_free_config(conf); return NULL; } + if (authmode == MBEDTLS_SSL_VERIFY_NONE) { + printf("WARNING: no CA certificates, HTTPS connections not authenticated\n"); + } mbedtls_ssl_conf_authmode(&conf->conf, authmode); mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
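Review bot: In the first hunk (altcp_mbedtls_lower_recv_process, around line 298), the new message says only that verification failed, not why, so the user still cannot tell an expired certificate from a hostname mismatch or an unknown issuer; consider following the printf with the verify flags from `mbedtls_ssl_get_verify_result()` rendered through `mbedtls_x509_crt_verify_info()`, since the connection is about to be closed and the state is still available at that point. A smaller style point: the surrounding code reports through `LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ...)` and this message uses a bare `printf`, so it cannot be silenced or routed like the rest of the file's diagnostics; a U-Boot log call (for example `log_err`) would keep the behaviour while staying configurable.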
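Review bot: In the second hunk (altcp_tls_create_config, around line 844), the warning fires whenever `authmode == MBEDTLS_SSL_VERIFY_NONE`, but this function is shared by clients and servers (`int is_server` is in its signature) and VERIFY_NONE is the normal setting for a server that does not request client certificates, so a server configuration would print "HTTPS connections not authenticated" even though nothing is wrong; gate the check as `if (!is_server && authmode == MBEDTLS_SSL_VERIFY_NONE)` or move it to the client-only path. As in the first hunk, `printf` here bypasses the file's `LWIP_DEBUGF` convention and the U-Boot log levels; `log_warning` would let the message keep its "WARNING" severity without hard-coding the prefix.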