From patchwork Thu Feb 27 16:09:01 2025
X-Patchwork-Submitter: Jerome Forissier
X-Patchwork-Id: 868973
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Heinrich Schuchardt, Mattijs Korpershoek, Ibai Erkiaga, Michal Simek, Raymond Mao, Philippe Reynes, Adriano Cordova
Subject: [PATCH 1/5] net: lwip: extend wget to support CA (root) certificates
Date: Thu, 27 Feb 2025 17:09:01 +0100
Message-ID: <3a93751157801fe709d995eae1883f9e3219733c.1740672437.git.jerome.forissier@linaro.org>
X-Mailer: git-send-email 2.43.0

Add the "cacert" (Certification Authority certificates) subcommand to wget
to pass root certificates to the code handling the HTTPS protocol. The
subcommand is enabled by the WGET_CACERT Kconfig symbol.

Usage example:

=> dhcp
# Download some root certificates (note: not authenticated!)
=> wget https://curl.se/ca/cacert.pem
# Enable certificate verification
=> wget cacert $loadaddr $filesize
# Disable certificate verification
=> wget cacert 0 0

Signed-off-by: Jerome Forissier
---
 cmd/Kconfig                      | 15 +++++++++
 cmd/net-lwip.c                   | 15 +++++++--
 lib/mbedtls/Makefile             |  3 ++
 lib/mbedtls/mbedtls_def_config.h |  5 +++
 net/lwip/wget.c                  | 55 +++++++++++++++++++++++++++++++-
 5 files changed, 89 insertions(+), 4 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig index 8dd42571abc..a188a2ef24b 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig
@@ -2177,6 +2177,21 @@ config WGET_HTTPS help Enable TLS over http for wget. +config WGET_CACERT + bool "wget cacert" + depends on CMD_WGET + depends on WGET_HTTPS + help + Adds the "cacert" sub-command to wget to provide root certificates + to the HTTPS engine. + +config MBEDTLS_LIB_X509_PEM + depends on WGET_CACERT + bool "Support for PEM-encoded X509 certificates" + help + This option enables MbedTLS to parse PEM-encoded X509 certificates. + When disabled, only DER format is accepted. + endif # if CMD_NET config CMD_PXE diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c index 0fd446ecb20..0672f48a7a8 100644 --- a/cmd/net-lwip.c +++ b/cmd/net-lwip.c @@ -27,9 +27,18 @@ U_BOOT_CMD(dns, 3, 1, do_dns, "lookup the IP of a hostname", #endif #if defined(CONFIG_CMD_WGET) -U_BOOT_CMD(wget, 3, 1, do_wget, - "boot image via network using HTTP/HTTPS protocol", +U_BOOT_CMD(wget, 4, 1, do_wget, + "boot image via network using HTTP/HTTPS protocol" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert - configure wget root certificates" +#endif + , "[loadAddress] url\n" - "wget [loadAddress] [host:]path" + "wget [loadAddress] [host:]path\n" + " - load file" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert
\n" + " - provide CA certificates (0 0 to disable verification)" +#endif ); #endif diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index e66c2018d97..8a0a984e149 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -57,6 +57,9 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crt.o mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pkcs7.o +mbedtls_lib_x509-$(CONFIG_MBEDTLS_LIB_X509_PEM) += \ + $(MBEDTLS_LIB_DIR)/base64.o \ + $(MBEDTLS_LIB_DIR)/pem.o #mbedTLS TLS support obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index fd440c392f9..7b6a7f482f0 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h @@ -138,6 +138,11 @@ #define MBEDTLS_ECP_DP_BP384R1_ENABLED #define MBEDTLS_ECP_DP_BP512R1_ENABLED +/* CA certificates parsing */ +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509_PEM) +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_BASE64_C +#endif #endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */ #endif /* #if defined CONFIG_MBEDTLS_LIB */ diff --git a/net/lwip/wget.c b/net/lwip/wget.c index 14f27d42998..14466598d7c 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c 
@@ -285,6 +285,53 @@ static err_t httpc_headers_done_cb(httpc_state_t *connection, void *arg, struct return ERR_OK; } +#if defined CONFIG_WGET_HTTPS +static char *cacert; +size_t cacert_size; +#endif + +#if defined CONFIG_WGET_CACERT +static int set_cacert(char * const saddr, char * const ssz) +{ + mbedtls_x509_crt crt; + ulong addr, sz; + int ret; + + if (cacert) + free(cacert); + + addr = hextoul(saddr, NULL); + sz = hextoul(ssz, NULL); + sz++; /* For the trailing '\0' in case of a text (PEM) file */ + + if (!addr) { + cacert = NULL; + cacert_size = 0; + return CMD_RET_SUCCESS; + } + + cacert = malloc(sz); + if (!cacert) + return CMD_RET_FAILURE; + cacert_size = sz; + + memcpy(cacert, (void *)addr, sz - 1); + cacert[sz] = '\0'; + + mbedtls_x509_crt_init(&crt); + ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size); + if (ret) { + printf("Could not parse certificates (%d)\n", ret); + free(cacert); + cacert = NULL; + cacert_size = 0; + return CMD_RET_FAILURE; + } + + return CMD_RET_SUCCESS; +} +#endif + static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { #if defined CONFIG_WGET_HTTPS @@ -316,7 +363,8 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) if (is_https) { tls_allocator.alloc = &altcp_tls_alloc; tls_allocator.arg = - altcp_tls_create_config_client(NULL, 0, ctx.server_name); + altcp_tls_create_config_client(cacert, cacert_size, + ctx.server_name); if (!tls_allocator.arg) { log_err("error: Cannot create a TLS connection\n"); @@ -369,6 +417,11 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[]) ulong dst_addr; char nurl[1024]; +#if defined CONFIG_WGET_CACERT + if (argc == 4 && !strncmp(argv[1], "cacert", strlen("cacert"))) + return set_cacert(argv[2], argv[3]); +#endif + if (argc < 2 || argc > 3) return CMD_RET_USAGE;
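Review bot: in the cmd/Kconfig hunk, MBEDTLS_LIB_X509_PEM is a separate user-visible bool that only `depends on WGET_CACERT`, so a build with WGET_CACERT=y and MBEDTLS_LIB_X509_PEM=n is legal, yet the commit message's own usage example feeds wget a PEM bundle (cacert.pem), which that build would reject because, as the help text says, only DER is accepted. Consider `select MBEDTLS_LIB_X509_PEM` from WGET_CACERT (or at least `default y`), and since the symbol configures the mbedTLS library rather than a command, it belongs next to the other MBEDTLS_LIB_* symbols rather than inside the `if CMD_NET` block in cmd/Kconfig.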
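Review bot: the help text added in the cmd/net-lwip.c hunk says "0 0 to disable verification", but nothing tells the user that verification is also off until `wget cacert` has been run at least once (the wget_loop hunk passes `cacert`, which is NULL at boot, to altcp_tls_create_config_client). The usage string and the command documentation should state plainly that HTTPS downloads are not authenticated by default, so that operators do not assume the presence of WGET_HTTPS alone gives them server authentication.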
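Review bot: the lib/mbedtls/mbedtls_def_config.h hunk guards the PEM defines with `CONFIG_IS_ENABLED(MBEDTLS_LIB_X509_PEM)`, which in SPL/TPL builds expands to the SPL_/TPL_ variant of the symbol, while the lib/mbedtls/Makefile hunk keys base64.o and pem.o on plain `CONFIG_MBEDTLS_LIB_X509_PEM` and the Kconfig hunk defines no SPL_ or TPL_ variant. The two can therefore disagree in a non-main build stage (objects compiled without MBEDTLS_PEM_PARSE_C / MBEDTLS_BASE64_C, or vice versa); either use `#if defined(CONFIG_MBEDTLS_LIB_X509_PEM)` here to match the Makefile, or add the SPL_/TPL_ symbols and use `$(SPL_)` in the Makefile as the neighbouring x509 lines do.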
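Review bot: `cacert[sz] = '\0';` in set_cacert (first net/lwip/wget.c hunk) writes one byte past the end of the `sz`-byte allocation: after `sz++` the buffer holds sz - 1 data bytes plus a terminator at index sz - 1, and the memcpy already copies sz - 1 bytes, so the line must be `cacert[sz - 1] = '\0';`. Three smaller points in the same function: the `mbedtls_x509_crt crt` used for the sanity parse is never released with mbedtls_x509_crt_free(), which leaks the parsed chain on both the success and the failure path; if malloc fails, `cacert` is NULL but `cacert_size` still holds the previous size, so reset `cacert_size = 0` before the allocation; and `cacert_size` should be `static` like `cacert`, since nothing outside this file uses it.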
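Review bot: `!strncmp(argv[1], "cacert", strlen("cacert"))` in the do_wget hunk only compares the first six characters, so any first argument beginning with "cacert" is taken as the subcommand; `strcmp(argv[1], "cacert") == 0` is the intended check. Because the test also requires `argc == 4`, a mistyped `wget cacert <addr>` with the size missing passes the following `argc < 2 || argc > 3` check and is then processed as an ordinary download with "cacert" parsed as the load address; matching on argv[1] first and returning CMD_RET_USAGE when argc != 4 would make the failure explicit.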