From patchwork Thu Feb 27 16:09:04 2025
X-Patchwork-Submitter: Jerome Forissier
X-Patchwork-Id: 868976
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Heinrich Schuchardt, Mattijs Korpershoek, Ibai Erkiaga, Michal Simek, Adriano Cordova
Subject: [PATCH 4/5] net: lwip: add support for built-in root certificates
Date: Thu, 27 Feb 2025 17:09:04 +0100
X-Mailer: git-send-email 2.43.0

Introduce Kconfig symbols WGET_BUILTIN_CACERT and WGET_BUILTIN_CACERT_PATH
to provide root certificates at build time. The file may be a DER-encoded
(.crt) or PEM-encoded (.pem) X509 collection of one or more certificates.
PEM encoding needs MBEDTLS_LIB_X509_PEM.

Usage example:

 wget https://curl.se/ca/cacert.pem
 make qemu_arm64_lwip_defconfig
 echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
 echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
 echo CONFIG_MBEDTLS_LIB_X509_PEM=y >>.config
 make olddefconfig
 make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
 qemu-system-aarch64 -M virt -nographic -cpu max \
   -object rng-random,id=rng0,filename=/dev/urandom \
   -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
 => dhcp
 # HTTPS transfer using the builtin CA certificates
 => wget https://www.google.com/
 18724 bytes transferred in 15 ms (1.2 MiB/s)
 Bytes transferred = 18724 (4924 hex)

Signed-off-by: Jerome Forissier
---
 cmd/Kconfig       | 16 +++++++++++++-
 cmd/net-lwip.c    |  4 ++++
 net/lwip/Makefile |  6 ++++++
 net/lwip/wget.c   | 53 +++++++++++++++++++++++++++++++++++++++--------
 4 files changed, 69 insertions(+), 10 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index a188a2ef24b..cb3cc859616 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2186,12 +2186,26 @@ config WGET_CACERT to the HTTPS engine. config MBEDTLS_LIB_X509_PEM - depends on WGET_CACERT + depends on WGET_HTTPS bool "Support for PEM-encoded X509 certificates" help This option enables MbedTLS to parse PEM-encoded X509 certificates. When disabled, only DER format is accepted. +config WGET_BUILTIN_CACERT + bool "Built-in CA certificates" + depends on WGET_HTTPS + +config WGET_BUILTIN_CACERT_PATH + string "Path to root certificates" + depends on WGET_BUILTIN_CACERT + default "cacert.crt" + help + Set this to the path to a DER- or PEM-encoded X509 file containing + Certification Authority certificates, a.k.a. root certificates, for + the purpose of authenticating HTTPS connections. Do not forget to + enable MBEDTLS_LIB_X509_PEM if the file is PEM. + endif # if CMD_NET config CMD_PXE diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c index 0672f48a7a8..a848d0b1dcf 100644 --- a/cmd/net-lwip.c +++ b/cmd/net-lwip.c @@ -39,6 +39,10 @@ U_BOOT_CMD(wget, 4, 1, do_wget, #if defined(CONFIG_WGET_CACERT) "\nwget cacert
\n" " - provide CA certificates (0 0 to disable verification)" +#if defined(CONFIG_WGET_BUILTIN_CACERT) + "\nwget cacert builtin\n" + " - use the builtin CA certificates" +#endif #endif ); #endif diff --git a/net/lwip/Makefile b/net/lwip/Makefile index 79dd6b3fb50..950c5316bb9 100644 --- a/net/lwip/Makefile +++ b/net/lwip/Makefile @@ -6,3 +6,9 @@ obj-$(CONFIG_CMD_DNS) += dns.o obj-$(CONFIG_CMD_PING) += ping.o obj-$(CONFIG_CMD_TFTPBOOT) += tftp.o obj-$(CONFIG_WGET) += wget.o + +ifeq (y,$(CONFIG_WGET_BUILTIN_CACERT)) +$(obj)/builtin_cacert.c: $(CONFIG_WGET_BUILTIN_CACERT_PATH:"%"=%) FORCE + $(call if_changed,bin2c,builtin_cacert) +obj-y += builtin_cacert.o +endif diff --git a/net/lwip/wget.c b/net/lwip/wget.c index 14466598d7c..f24aa9c2380 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c @@ -288,31 +288,34 @@ static err_t httpc_headers_done_cb(httpc_state_t *connection, void *arg, struct #if defined CONFIG_WGET_HTTPS static char *cacert; size_t cacert_size; + +#if defined CONFIG_WGET_BUILTIN_CACERT +extern char builtin_cacert[]; +extern const size_t builtin_cacert_size; +static bool cacert_initialized; +#endif #endif -#if defined CONFIG_WGET_CACERT -static int set_cacert(char * const saddr, char * const ssz) +#if defined CONFIG_WGET_CACERT || defined CONFIG_WGET_BUILTIN_CACERT +static int _set_cacert(void *addr, size_t sz) { mbedtls_x509_crt crt; - ulong addr, sz; + void *p; int ret; if (cacert) free(cacert); - addr = hextoul(saddr, NULL); - sz = hextoul(ssz, NULL); - sz++; /* For the trailing '\0' in case of a text (PEM) file */ - if (!addr) { cacert = NULL; cacert_size = 0; return CMD_RET_SUCCESS; } - cacert = malloc(sz); - if (!cacert) + p = malloc(sz); + if (!p) return CMD_RET_FAILURE; + cacert = p; cacert_size = sz; memcpy(cacert, (void *)addr, sz - 1); 
@@ -328,10 +331,33 @@ static int set_cacert(char * const saddr, char * const ssz) return CMD_RET_FAILURE; } +#if defined CONFIG_WGET_BUILTIN_CACERT + cacert_initialized = true; +#endif return CMD_RET_SUCCESS; } + +#if defined CONFIG_WGET_BUILTIN_CACERT +static int set_cacert_builtin(void) +{ + return _set_cacert(builtin_cacert, builtin_cacert_size); +} #endif +#if defined CONFIG_WGET_CACERT +static int set_cacert(char * const saddr, char * const ssz) +{ + ulong addr, sz; + + addr = hextoul(saddr, NULL); + sz = hextoul(ssz, NULL); + sz++; /* For the trailing '\0' in case of a text (PEM) file */ + + return _set_cacert((void *)addr, sz); +} +#endif +#endif /* CONFIG_WGET_CACERT || CONFIG_WGET_BUILTIN_CACERT */ + static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { #if defined CONFIG_WGET_HTTPS @@ -361,6 +387,10 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) memset(&conn, 0, sizeof(conn)); #if defined CONFIG_WGET_HTTPS if (is_https) { +#if defined CONFIG_WGET_BUILTIN_CACERT + if (!cacert_initialized) + set_cacert_builtin(); +#endif tls_allocator.alloc = &altcp_tls_alloc; tls_allocator.arg = altcp_tls_create_config_client(cacert, cacert_size, @@ -420,6 +450,11 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[]) #if defined CONFIG_WGET_CACERT if (argc == 4 && !strncmp(argv[1], "cacert", strlen("cacert"))) return set_cacert(argv[2], argv[3]); +#if defined CONFIG_WGET_BUILTIN_CACERT + if (argc == 3 && !strncmp(argv[1], "cacert", strlen("cacert")) && + !strncmp(argv[2], "builtin", strlen("builtin"))) + return set_cacert_builtin(); +#endif #endif if (argc < 2 || argc > 3)
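Review bot: in the cmd/Kconfig hunk, WGET_BUILTIN_CACERT has no help text, and its only dependency is WGET_HTTPS although the `wget cacert builtin` subcommand and its help line (cmd/net-lwip.c and do_wget() in net/lwip/wget.c) are compiled only under CONFIG_WGET_CACERT. Either add `depends on WGET_CACERT` so the command exists whenever the option does, or add a help text saying that with WGET_CACERT disabled the built-in bundle is loaded automatically on the first HTTPS transfer and cannot be re-selected from the shell. The WGET_BUILTIN_CACERT_PATH help should also say which directory a relative path such as the default "cacert.crt" is resolved against, since the Makefile rule uses the value as a bare prerequisite.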
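Review bot: in the cmd/net-lwip.c hunk, the new help line " - use the builtin CA certificates" does not tell the user that the built-in bundle is already loaded on the first HTTPS transfer (see the wget_loop() hunk), so in practice the subcommand serves to restore verification after `wget cacert 0 0`; wording it as " - restore the built-in CA certificates (loaded by default)" would make that clear.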
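Review bot: in the net/lwip/Makefile hunk, $(obj)/builtin_cacert.c is produced with if_changed but is not listed in `targets` or `clean-files`, so its .cmd file is not included (the bin2c step may rerun on every build) and `make clean` leaves the generated file behind; add `targets += builtin_cacert.c` and `clean-files += builtin_cacert.c`. Also, because CONFIG_WGET_BUILTIN_CACERT_PATH is used as a bare prerequisite, a relative path is resolved from the directory make runs in, which differs between in-tree and O= builds; prefixing it with $(srctree)/ when it is not absolute would make the commit-message example work in both cases.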
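Review bot: in the first net/lwip/wget.c hunk (_set_cacert), the failure path now leaves a dangling pointer: `if (cacert) free(cacert);` runs before `p = malloc(sz);`, and on `!p` the function returns with `cacert` still pointing at freed memory and `cacert_size` unchanged, so the next HTTPS transfer hands that stale pointer to altcp_tls_create_config_client(); the old code assigned `cacert = malloc(sz)` directly and at least left `cacert` NULL. Set `cacert = NULL; cacert_size = 0;` right after the free. The size convention is also inconsistent between callers: set_cacert() still does `sz++` for the trailing '\0' while set_cacert_builtin() passes the raw `builtin_cacert_size`, so `memcpy(cacert, (void *)addr, sz - 1)` drops the last byte of the built-in bundle unless bin2c appends a NUL; moving the `+ 1` into _set_cacert() lets both callers pass the real length. Minor: `addr` is only read, so the parameter can be `const void *`, and `builtin_cacert` should be declared `extern const char builtin_cacert[]` if bin2c emits a const array.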
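Review bot: in the second net/lwip/wget.c hunk, `cacert_initialized = true` is only reached on the successful parse path, so `wget cacert 0 0` issued before the first HTTPS transfer (the `!addr` early return in the previous hunk) leaves the flag false and the lazy load in wget_loop() then silently replaces the user's explicit choice with the built-in bundle, while the same command issued after a transfer keeps verification disabled; the effect of the command depends on ordering. Set the flag on the `!addr` path as well (or in set_cacert()), so that any explicit `wget cacert` command suppresses the automatic load. Style: a file-scope identifier beginning with an underscore such as `_set_cacert` is reserved by the C standard (7.1.3); `set_cacert_common` or `cacert_load` would avoid that.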
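Review bot: in the wget_loop() hunk, the return value of set_cacert_builtin() is ignored: if the malloc or the certificate parse fails, `cacert` is NULL (or dangling, see the _set_cacert hunk) and the request proceeds with `altcp_tls_create_config_client(cacert, cacert_size, ...)`, which per the command help ("0 0 to disable verification") means no verification; a corrupt built-in bundle thus turns into an unverified HTTPS download instead of an error, and since `cacert_initialized` stays false the failing load is repeated on every transfer. Check the result and abort the transfer with an error when the built-in certificates cannot be loaded.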
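Review bot: in the do_wget() hunk, `strncmp(argv[2], "builtin", strlen("builtin"))` is a prefix match, so any argument starting with "builtin" is accepted; `strcmp(argv[2], "builtin")` is what is meant (the existing "cacert" comparison has the same issue, but a new subcommand need not inherit it). The new `#if defined CONFIG_WGET_BUILTIN_CACERT` block is also nested inside `#if defined CONFIG_WGET_CACERT`, so with WGET_BUILTIN_CACERT=y and WGET_CACERT=n the `wget cacert builtin` subcommand does not exist even though the Kconfig dependency allows that combination; move it outside the outer #if or tighten the dependency.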