From patchwork Thu Feb 27 16:09:01 2025
X-Patchwork-Submitter: Jerome Forissier
X-Patchwork-Id: 868973
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Heinrich Schuchardt, Mattijs Korpershoek, Ibai Erkiaga, Michal Simek, Raymond Mao, Philippe Reynes, Adriano Cordova
Subject: [PATCH 1/5] net: lwip: extend wget to support CA (root) certificates
Date: Thu, 27 Feb 2025 17:09:01 +0100
Message-ID: <3a93751157801fe709d995eae1883f9e3219733c.1740672437.git.jerome.forissier@linaro.org>

Add the "cacert" (Certification Authority certificates) subcommand to wget to pass root certificates to the code handling the HTTPS protocol. The subcommand is enabled by the WGET_CACERT Kconfig symbol.

Usage example:

=> dhcp
# Download some root certificates (note: not authenticated!)
=> wget https://curl.se/ca/cacert.pem
# Enable certificate verification
=> wget cacert $loadaddr $filesize
# Disable certificate verification
=> wget cacert 0 0

Signed-off-by: Jerome Forissier
---
 cmd/Kconfig                      | 15 +++++++++
 cmd/net-lwip.c                   | 15 +++++++--
 lib/mbedtls/Makefile             |  3 ++
 lib/mbedtls/mbedtls_def_config.h |  5 +++
 net/lwip/wget.c                  | 55 +++++++++++++++++++++++++++++++-
 5 files changed, 89 insertions(+), 4 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 8dd42571abc..a188a2ef24b 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2177,6 +2177,21 @@ config WGET_HTTPS help Enable TLS over http for wget. +config WGET_CACERT + bool "wget cacert" + depends on CMD_WGET + depends on WGET_HTTPS + help + Adds the "cacert" sub-command to wget to provide root certificates + to the HTTPS engine. + +config MBEDTLS_LIB_X509_PEM + depends on WGET_CACERT + bool "Support for PEM-encoded X509 certificates" + help + This option enables MbedTLS to parse PEM-encoded X509 certificates. + When disabled, only DER format is accepted. + endif # if CMD_NET config CMD_PXE diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c index 0fd446ecb20..0672f48a7a8 100644 --- a/cmd/net-lwip.c +++ b/cmd/net-lwip.c @@ -27,9 +27,18 @@ U_BOOT_CMD(dns, 3, 1, do_dns, "lookup the IP of a hostname", #endif #if defined(CONFIG_CMD_WGET) -U_BOOT_CMD(wget, 3, 1, do_wget, - "boot image via network using HTTP/HTTPS protocol", +U_BOOT_CMD(wget, 4, 1, do_wget, + "boot image via network using HTTP/HTTPS protocol" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert - configure wget root certificates" +#endif + , "[loadAddress] url\n" - "wget [loadAddress] [host:]path" + "wget [loadAddress] [host:]path\n" + " - load file" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert
\n" + " - provide CA certificates (0 0 to disable verification)" +#endif ); #endif diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index e66c2018d97..8a0a984e149 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -57,6 +57,9 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crt.o mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pkcs7.o +mbedtls_lib_x509-$(CONFIG_MBEDTLS_LIB_X509_PEM) += \ + $(MBEDTLS_LIB_DIR)/base64.o \ + $(MBEDTLS_LIB_DIR)/pem.o #mbedTLS TLS support obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index fd440c392f9..7b6a7f482f0 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h @@ -138,6 +138,11 @@ #define MBEDTLS_ECP_DP_BP384R1_ENABLED #define MBEDTLS_ECP_DP_BP512R1_ENABLED +/* CA certificates parsing */ +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_X509_PEM) +#define MBEDTLS_PEM_PARSE_C +#define MBEDTLS_BASE64_C +#endif #endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */ #endif /* #if defined CONFIG_MBEDTLS_LIB */ diff --git a/net/lwip/wget.c b/net/lwip/wget.c index 14f27d42998..14466598d7c 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c 
@@ -285,6 +285,53 @@ static err_t httpc_headers_done_cb(httpc_state_t *connection, void *arg, struct return ERR_OK; } +#if defined CONFIG_WGET_HTTPS +static char *cacert; +size_t cacert_size; +#endif + +#if defined CONFIG_WGET_CACERT +static int set_cacert(char * const saddr, char * const ssz) +{ + mbedtls_x509_crt crt; + ulong addr, sz; + int ret; + + if (cacert) + free(cacert); + + addr = hextoul(saddr, NULL); + sz = hextoul(ssz, NULL); + sz++; /* For the trailing '\0' in case of a text (PEM) file */ + + if (!addr) { + cacert = NULL; + cacert_size = 0; + return CMD_RET_SUCCESS; + } + + cacert = malloc(sz); + if (!cacert) + return CMD_RET_FAILURE; + cacert_size = sz; + + memcpy(cacert, (void *)addr, sz - 1); + cacert[sz] = '\0'; + + mbedtls_x509_crt_init(&crt); + ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size); + if (ret) { + printf("Could not parse certificates (%d)\n", ret); + free(cacert); + cacert = NULL; + cacert_size = 0; + return CMD_RET_FAILURE; + } + + return CMD_RET_SUCCESS; +} +#endif + static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { #if defined CONFIG_WGET_HTTPS @@ -316,7 +363,8 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) if (is_https) { tls_allocator.alloc = &altcp_tls_alloc; tls_allocator.arg = - altcp_tls_create_config_client(NULL, 0, ctx.server_name); + altcp_tls_create_config_client(cacert, cacert_size, + ctx.server_name); if (!tls_allocator.arg) { log_err("error: Cannot create a TLS connection\n"); 
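Review bot: in the set_cacert() hunk of net/lwip/wget.c, `cacert[sz] = '\0';` writes one byte past the `malloc(sz)` allocation (valid indices are 0..sz-1); it should be `cacert[sz - 1] = '\0';`, which is exactly the byte the preceding `sz++` reserved. Two smaller defects in the same function: the parsed `crt` is never released, so every successful `wget cacert` leaks the parsed chain (add `mbedtls_x509_crt_free(&crt);` before returning on both the success and the error path), and when `malloc()` fails the function returns while `cacert` still points at the buffer freed at the top, so the next call frees it a second time (set `cacert = NULL; cacert_size = 0;` right after the `free(cacert)`). Finally, `mbedtls_x509_crt_parse()` takes a `const unsigned char *`, so `cacert` should be declared as or cast to `unsigned char *` to avoid a sign-conversion warning.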
@@ -369,6 +417,11 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[]) ulong dst_addr; char nurl[1024]; +#if defined CONFIG_WGET_CACERT + if (argc == 4 && !strncmp(argv[1], "cacert", strlen("cacert"))) + return set_cacert(argv[2], argv[3]); +#endif + if (argc < 2 || argc > 3) return CMD_RET_USAGE;
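Review bot: in the cmd/Kconfig hunk, MBEDTLS_LIB_X509_PEM has no `default`, so it stays off unless a user selects it, yet the usage example in the commit message feeds wget a PEM bundle (cacert.pem); on a plain WGET_CACERT build that `wget cacert` step will fail with "Could not parse certificates". Either give the symbol `default y` (it already depends on WGET_CACERT), or state in the WGET_CACERT help text that only DER input is accepted unless MBEDTLS_LIB_X509_PEM is also enabled.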
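Review bot: in the do_wget() hunk, `!strncmp(argv[1], "cacert", strlen("cacert"))` is a prefix match, so any first argument that merely begins with "cacert" selects the subcommand; `!strcmp(argv[1], "cacert")` expresses the intent exactly. The check also only fires for `argc == 4`, so `wget cacert <addr>` with a missing size argument falls through to the `argc < 2 || argc > 3` path and is handled as a normal download instead of a usage error; returning CMD_RET_USAGE whenever argv[1] is "cacert" and argc != 4 would give the user a clearer failure.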
From patchwork Thu Feb 27 16:09:02 2025
X-Patchwork-Submitter: Jerome Forissier
X-Patchwork-Id: 868972
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Javier Tia, Heinrich Schuchardt
Subject: [PATCH 2/5] lwip: tls: enforce checking of server certificates based on CA availability
Date: Thu, 27 Feb 2025 17:09:02 +0100

Instead of relying on some build time configuration to determine if server certificates need to be checked against CA certificates, do it based on the availability of such certificates. If no CA is configured then no check can succeed; on the other hand if we have CA certs then we should not ignore them. It is always possible to remove the CA certs (via 'wget cacert 0 0') to force an HTTPS download that would fail certificate validation.

Signed-off-by: Jerome Forissier
---
 lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c             | 3 ++-
 .../lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h          | 6 ------
 2 files changed, 2 insertions(+), 7 deletions(-)

diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
index 46421588fef..fa3d1d74fed 100644
--- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -786,6 +786,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav int ret; struct altcp_tls_config *conf; mbedtls_x509_crt *mem; + int authmode = have_ca ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE; if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS,
@@ -840,7 +841,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav altcp_mbedtls_free_config(conf); return NULL; } - mbedtls_ssl_conf_authmode(&conf->conf, ALTCP_MBEDTLS_AUTHMODE); + mbedtls_ssl_conf_authmode(&conf->conf, authmode); mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); #if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF diff --git a/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h b/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h index e41301c061c..71aa5993935 100644 --- a/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h +++ b/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h 
@@ -100,12 +100,6 @@ #define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS (60 * 60 * 24) #endif -/** Certificate verification mode: MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL (default), - * MBEDTLS_SSL_VERIFY_REQUIRED (recommended)*/ -#ifndef ALTCP_MBEDTLS_AUTHMODE -#define ALTCP_MBEDTLS_AUTHMODE MBEDTLS_SSL_VERIFY_OPTIONAL -#endif - #endif /* LWIP_ALTCP */ #endif /* LWIP_HDR_ALTCP_TLS_OPTS_H */
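Review bot: in the @@ -786 hunk of altcp_tls_mbedtls.c, altcp_tls_create_config() serves both client and server configurations (the `is_server` parameter is right there in the signature), so deriving `authmode` purely from `have_ca` also changes server behaviour: a server configuration created with a CA now demands a client certificate (MBEDTLS_SSL_VERIFY_REQUIRED) where the previous ALTCP_MBEDTLS_AUTHMODE default was MBEDTLS_SSL_VERIFY_OPTIONAL. If that is not intended, apply the CA-driven choice only when `!is_server`; if it is intended, the commit message should say that client authentication becomes mandatory for servers whenever a CA is supplied.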
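Review bot: in the altcp_tls_mbedtls_opts.h hunk, deleting ALTCP_MBEDTLS_AUTHMODE removes the only build-time override of the verification mode, so a board that wants HTTPS to fail outright rather than fall back to MBEDTLS_SSL_VERIFY_NONE when no CA has been loaded has no knob left. Consider keeping the macro as an optional override that wins when a board defines it, with the `have_ca` logic as the default; and since this header sits under lib/lwip/lwip/ with the imported lwip sources, the commit message should note the divergence from upstream.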
From patchwork Thu Feb 27 16:09:03 2025
X-Patchwork-Submitter: Jerome Forissier
X-Patchwork-Id: 868974
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Javier Tia, Heinrich Schuchardt
Subject: [PATCH 3/5] lwip: tls: warn when no CA exists and log certificate validation errors
Date: Thu, 27 Feb 2025 17:09:03 +0100
Message-ID: <13cea41b33f62ddbd606a926bd1f79ddff8569fb.1740672437.git.jerome.forissier@linaro.org>

Using HTTPS without root (CA) certificates is a security issue. Print a warning in this case. Also, when certificate verification fails, print an additional message because "HTTP client error 4" is not very informative (4 is HTTPC_RESULT_ERR_CLOSED).

Signed-off-by: Jerome Forissier
---
 lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
index fa3d1d74fed..ef51a5ac168 100644
--- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -298,6 +298,9 @@ altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbedtls_state_t * if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_handshake failed: %d\n", ret)); /* handshake failed, connection has to be closed */ + if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { + printf("Certificate verification failed\n"); + } if (conn->err) { conn->err(conn->arg, ERR_CLSD); }
@@ -841,6 +844,9 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav altcp_mbedtls_free_config(conf); return NULL; } + if (authmode == MBEDTLS_SSL_VERIFY_NONE) { + printf("WARNING: no CA certificates, HTTPS connections not authenticated\n"); + } mbedtls_ssl_conf_authmode(&conf->conf, authmode); mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
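Review bot: in the altcp_mbedtls_lower_recv_process() hunk, the new message calls printf() directly while the line just above it reports through LWIP_DEBUGF(); this layer otherwise stays console-agnostic, so either use the same LWIP_DEBUGF channel or, since the message is meant for the user, the log_err() helper that the caller in net/lwip/wget.c already uses. The message would also be far more useful if it said why verification failed: mbedtls_ssl_get_verify_result() on the session returns the verification flags and mbedtls_x509_crt_verify_info() renders them as text, which is what lets a user tell an expired certificate from an unknown CA or a hostname mismatch.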
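Review bot: in the altcp_tls_create_config() hunk, the warning keys on `authmode == MBEDTLS_SSL_VERIFY_NONE`, and with `authmode` derived from `have_ca` earlier in this function that is also the normal state of a server configuration that does not request client certificates, so server-side callers would print "no CA certificates, HTTPS connections not authenticated" spuriously; gate the warning on `!is_server` as well. As with the other message in this patch, printf() in library code is the odd one out; log_warning() would be the U-Boot-native way to emit it.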
From: Jerome Forissier To: u-boot@lists.denx.de Cc: Ilias Apalodimas , Jerome Forissier , Tom Rini , Joe Hershberger , Ramon Fried , Simon Glass , Heinrich Schuchardt , Mattijs Korpershoek , Ibai Erkiaga , Michal Simek , Adriano Cordova Subject: [PATCH 4/5] net: lwip: add support for built-in root certificates Date: Thu, 27 Feb 2025 17:09:04 +0100 Message-ID: X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean

Introduce Kconfig symbols WGET_BUILTIN_CACERT and WGET_BUILTIN_CACERT_PATH to provide root certificates at build time. The file may be a DER-encoded (.crt) or PEM-encoded (.pem) X509 collection of one or more certificates. PEM encoding needs MBEDTLS_LIB_X509_PEM.

Usage example:

wget https://curl.se/ca/cacert.pem
make qemu_arm64_lwip_defconfig
echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
echo CONFIG_MBEDTLS_LIB_X509_PEM=y >>.config
make olddefconfig
make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
qemu-system-aarch64 -M virt -nographic -cpu max \
  -object rng-random,id=rng0,filename=/dev/urandom \
  -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
=> dhcp
# HTTPS transfer using the builtin CA certificates
=> wget https://www.google.com/
18724 bytes transferred in 15 ms (1.2 MiB/s)
Bytes transferred = 18724 (4924 hex)

Signed-off-by: Jerome Forissier
---
 cmd/Kconfig       | 16 +++++++++++++-
 cmd/net-lwip.c    |  4 ++++
 net/lwip/Makefile |  6 ++++++
 net/lwip/wget.c   | 53 +++++++++++++++++++++++++++++++++++++++--------
 4 files changed, 69 insertions(+), 10 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index a188a2ef24b..cb3cc859616 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2186,12 +2186,26 @@ config WGET_CACERT to the HTTPS engine. config MBEDTLS_LIB_X509_PEM - depends on WGET_CACERT + depends on WGET_HTTPS bool "Support for PEM-encoded X509 certificates" help This option enables MbedTLS to parse PEM-encoded X509 certificates. When disabled, only DER format is accepted. +config WGET_BUILTIN_CACERT + bool "Built-in CA certificates" + depends on WGET_HTTPS + +config WGET_BUILTIN_CACERT_PATH + string "Path to root certificates" + depends on WGET_BUILTIN_CACERT + default "cacert.crt" + help + Set this to the path to a DER- or PEM-encoded X509 file containing + Certification Authority certificates, a.k.a. root certificates, for + the purpose of authenticating HTTPS connections. Do not forget to + enable MBEDTLS_LIB_X509_PEM if the file is PEM. + endif # if CMD_NET config CMD_PXE diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c index 0672f48a7a8..a848d0b1dcf 100644 --- a/cmd/net-lwip.c +++ b/cmd/net-lwip.c @@ -39,6 +39,10 @@ U_BOOT_CMD(wget, 4, 1, do_wget, #if defined(CONFIG_WGET_CACERT) "\nwget cacert
\n" " - provide CA certificates (0 0 to disable verification)" +#if defined(CONFIG_WGET_BUILTIN_CACERT) + "\nwget cacert builtin\n" + " - use the builtin CA certificates" +#endif #endif ); #endif diff --git a/net/lwip/Makefile b/net/lwip/Makefile index 79dd6b3fb50..950c5316bb9 100644 --- a/net/lwip/Makefile +++ b/net/lwip/Makefile @@ -6,3 +6,9 @@ obj-$(CONFIG_CMD_DNS) += dns.o obj-$(CONFIG_CMD_PING) += ping.o obj-$(CONFIG_CMD_TFTPBOOT) += tftp.o obj-$(CONFIG_WGET) += wget.o + +ifeq (y,$(CONFIG_WGET_BUILTIN_CACERT)) +$(obj)/builtin_cacert.c: $(CONFIG_WGET_BUILTIN_CACERT_PATH:"%"=%) FORCE + $(call if_changed,bin2c,builtin_cacert) +obj-y += builtin_cacert.o +endif diff --git a/net/lwip/wget.c b/net/lwip/wget.c index 14466598d7c..f24aa9c2380 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c @@ -288,31 +288,34 @@ static err_t httpc_headers_done_cb(httpc_state_t *connection, void *arg, struct #if defined CONFIG_WGET_HTTPS static char *cacert; size_t cacert_size; + +#if defined CONFIG_WGET_BUILTIN_CACERT +extern char builtin_cacert[]; +extern const size_t builtin_cacert_size; +static bool cacert_initialized; +#endif #endif -#if defined CONFIG_WGET_CACERT -static int set_cacert(char * const saddr, char * const ssz) +#if defined CONFIG_WGET_CACERT || defined CONFIG_WGET_BUILTIN_CACERT +static int _set_cacert(void *addr, size_t sz) { mbedtls_x509_crt crt; - ulong addr, sz; + void *p; int ret; if (cacert) free(cacert); - addr = hextoul(saddr, NULL); - sz = hextoul(ssz, NULL); - sz++; /* For the trailing '\0' in case of a text (PEM) file */ - if (!addr) { cacert = NULL; cacert_size = 0; return CMD_RET_SUCCESS; } - cacert = malloc(sz); - if (!cacert) + p = malloc(sz); + if (!p) return CMD_RET_FAILURE; + cacert = p; cacert_size = sz; memcpy(cacert, (void *)addr, sz - 1); 
@@ -328,10 +331,33 @@ static int set_cacert(char * const saddr, char * const ssz) return CMD_RET_FAILURE; } +#if defined CONFIG_WGET_BUILTIN_CACERT + cacert_initialized = true; +#endif return CMD_RET_SUCCESS; } + +#if defined CONFIG_WGET_BUILTIN_CACERT +static int set_cacert_builtin(void) +{ + return _set_cacert(builtin_cacert, builtin_cacert_size); +} #endif +#if defined CONFIG_WGET_CACERT +static int set_cacert(char * const saddr, char * const ssz) +{ + ulong addr, sz; + + addr = hextoul(saddr, NULL); + sz = hextoul(ssz, NULL); + sz++; /* For the trailing '\0' in case of a text (PEM) file */ + + return _set_cacert((void *)addr, sz); +} +#endif +#endif /* CONFIG_WGET_CACERT || CONFIG_WGET_BUILTIN_CACERT */ + static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { #if defined CONFIG_WGET_HTTPS @@ -361,6 +387,10 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) memset(&conn, 0, sizeof(conn)); #if defined CONFIG_WGET_HTTPS if (is_https) { +#if defined CONFIG_WGET_BUILTIN_CACERT + if (!cacert_initialized) + set_cacert_builtin(); +#endif tls_allocator.alloc = &altcp_tls_alloc; tls_allocator.arg = altcp_tls_create_config_client(cacert, cacert_size, 
@@ -420,6 +450,11 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[]) #if defined CONFIG_WGET_CACERT if (argc == 4 && !strncmp(argv[1], "cacert", strlen("cacert"))) return set_cacert(argv[2], argv[3]); +#if defined CONFIG_WGET_BUILTIN_CACERT + if (argc == 3 && !strncmp(argv[1], "cacert", strlen("cacert")) && + !strncmp(argv[2], "builtin", strlen("builtin"))) + return set_cacert_builtin(); +#endif #endif if (argc < 2 || argc > 3)
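Review bot: in the cmd/Kconfig hunk, `config WGET_BUILTIN_CACERT` has no help text at all, and the help for `WGET_BUILTIN_CACERT_PATH` does not say what a relative value such as the default `"cacert.crt"` is relative to. The value is used verbatim as a make prerequisite in net/lwip/Makefile, so it resolves the way any prerequisite does, against the directory make runs in (the build directory), not against the user's shell or the Kconfig file; saying so, and adding a sentence that a bundle frozen into the image at build time has to be regenerated when root certificates are rotated or revoked, would save users a puzzling missing-prerequisite build failure. Widening `MBEDTLS_LIB_X509_PEM` to `depends on WGET_HTTPS` is needed for the built-in path to work without WGET_CACERT and looks right.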
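Review bot: the new `$(obj)/builtin_cacert.c` rule in net/lwip/Makefile uses `if_changed` but never adds the file to `targets`, and kbuild only reads back the saved `.cmd` files of entries listed in `targets`, so bin2c will be re-run on every build and `make clean` will not remove the generated source; add `targets += builtin_cacert.c` and `clean-files += builtin_cacert.c` beside the rule.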
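Review bot: in the net/lwip/wget.c hunks that split `set_cacert()` into `_set_cacert()`, the new `set_cacert_builtin()` calls `_set_cacert(builtin_cacert, builtin_cacert_size)`, but `_set_cacert()` keeps `memcpy(cacert, (void *)addr, sz - 1);`, which relies on the caller having added one for the terminating NUL the way `set_cacert()` still does with `sz++; /* For the trailing '\0' in case of a text (PEM) file */`. For the built-in bundle the copy is therefore one byte short: a PEM bundle usually survives because only the final newline is lost, but a DER file (and the Kconfig default is `cacert.crt`) loses its last byte and will not parse, so the usage example in the commit message, which uses cacert.pem, does not exercise the broken case. Pass `builtin_cacert_size + 1`, or better move the `+ 1` into `_set_cacert()` so both callers hand over the real length. Separately, `extern char builtin_cacert[];` should be `extern const char builtin_cacert[];` (with `_set_cacert()` taking `const void *`) to match the `const char` array that bin2c emits.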
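Review bot: in the `wget_loop()` hunk the return value of `set_cacert_builtin()` is discarded. If loading the built-in bundle fails (allocation failure, or a PEM bundle in an image built without MBEDTLS_LIB_X509_PEM), `cacert` stays NULL and execution falls through to `altcp_tls_create_config_client(cacert, cacert_size, ...)`, so the transfer proceeds unauthenticated, which is exactly the state patch 3/5 adds a warning for; and since `cacert_initialized` is only set on success, the same silent fallback repeats on every later transfer. A failed `set_cacert_builtin()` should abort the HTTPS transfer instead.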
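Review bot: in the `do_wget()` hunk, `!strncmp(argv[2], "builtin", strlen("builtin"))` accepts any argument that merely starts with `builtin`; a plain `strcmp(argv[2], "builtin")` gives the exact match a command keyword should have (the pre-existing `cacert` comparison is loose in the same way, and since both `if` statements test `argv[1]` against `cacert`, that test could be hoisted once).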
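A build-host sanity check for the configuration this patch introduces, added here as an example and not part of the U-Boot series: it reads CONFIG_WGET_BUILTIN_CACERT_PATH from a .config, classifies the file as PEM or DER, counts the certificates in a PEM bundle, and refuses a PEM bundle when CONFIG_MBEDTLS_LIB_X509_PEM is off (the coupling the Kconfig help text warns about). It assumes a POSIX sh host with grep, sed and od, resolves a relative path against the directory holding .config (the build directory, where the Makefile rule above looks), and its function names are made up for this example.

```shell
#!/bin/sh
# Added example (not part of the U-Boot patch series): build-host sanity check
# for CONFIG_WGET_BUILTIN_CACERT. Assumes POSIX sh plus grep, sed and od.

# Classify a certificate file: prints "pem", "der" or "unknown".
cacert_format() {
	f=$1
	if [ ! -f "$f" ] || [ ! -s "$f" ]; then echo unknown; return 0; fi
	if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
		echo pem
	elif [ "$(od -A n -t x1 -N 1 "$f" | tr -d ' \n')" = 30 ]; then
		# A DER X.509 certificate starts with an ASN.1 SEQUENCE tag (0x30).
		echo der
	else
		echo unknown
	fi
}

# Count the certificates in a PEM bundle (one END marker per certificate).
pem_cert_count() {
	n=$(grep -c -e '-----END CERTIFICATE-----' "$1") || n=0
	echo "$n"
}

# Read one symbol from a .config file; string values lose their quotes.
kconfig_value() {
	sed -n "s/^$2=\(.*\)\$/\1/p" "$1" | sed 's/^"\(.*\)"$/\1/'
}

# Check .config ($1) against the bundle it names. Returns 0 when the
# configuration is consistent, 1 when it would give a broken build or an
# unusable bundle, and explains why on stdout.
check_builtin_cacert() {
	cfg=$1
	if [ "$(kconfig_value "$cfg" CONFIG_WGET_BUILTIN_CACERT)" != y ]; then
		echo "CONFIG_WGET_BUILTIN_CACERT is not set; nothing to check"
		return 0
	fi
	path=$(kconfig_value "$cfg" CONFIG_WGET_BUILTIN_CACERT_PATH)
	# Assumption: a relative path is resolved where make runs, next to .config.
	case $path in
	/*) ;;
	*) path=$(dirname "$cfg")/$path ;;
	esac
	case $(cacert_format "$path") in
	pem)
		if [ "$(kconfig_value "$cfg" CONFIG_MBEDTLS_LIB_X509_PEM)" != y ]; then
			echo "error: $path is PEM but CONFIG_MBEDTLS_LIB_X509_PEM is not set"
			return 1
		fi
		echo "ok: $path is PEM with $(pem_cert_count "$path") certificate(s)"
		;;
	der)
		echo "ok: $path is DER"
		;;
	*)
		echo "error: $path is missing or is neither a PEM nor a DER certificate"
		return 1
		;;
	esac
}

# Usage: sh check_cacert.sh path/to/.config
if [ $# -gt 0 ]; then check_builtin_cacert "$1"; fi
```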
From: Jerome Forissier To: u-boot@lists.denx.de Cc: Ilias Apalodimas , Jerome Forissier , Tom Rini , Peter Robinson , Simon Glass Subject: [PATCH 5/5] configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and MBEDTLS_LIB_X509_PEM Date: Thu, 27 Feb 2025 17:09:05 +0100 Message-ID: <328b4225800ab778089f095019fcd4b75e872a37.1740672437.git.jerome.forissier@linaro.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: References: MIME-Version: 1.0 X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.39 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de X-Virus-Status: Clean

Enable the "wget cacert" command as well as support for parsing X509 certificates in PEM format.

Signed-off-by: Jerome Forissier
---
 configs/qemu_arm64_lwip_defconfig | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig
index 754c770c33f..f48c132743c 100644
--- a/configs/qemu_arm64_lwip_defconfig
+++ b/configs/qemu_arm64_lwip_defconfig
@@ -8,3 +8,5 @@ CONFIG_CMD_DNS=y CONFIG_CMD_WGET=y CONFIG_EFI_HTTP_BOOT=y CONFIG_WGET_HTTPS=y +CONFIG_WGET_CACERT=y +CONFIG_MBEDTLS_LIB_X509_PEM=y
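Review bot: this defconfig enables WGET_CACERT and PEM parsing but not the WGET_BUILTIN_CACERT option introduced in patch 4/5, so the image still starts with no CA bundle and, with patch 3/5 applied, prints `WARNING: no CA certificates, HTTPS connections not authenticated` on every HTTPS transfer until the user runs `wget cacert`. If that is the intended default for the QEMU reference config (no bundle to keep current in the tree), the commit message should say so; otherwise adding CONFIG_WGET_BUILTIN_CACERT=y here would make the 4/5 usage example work without editing .config.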