From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Heinrich Schuchardt, Mattijs Korpershoek, Ibai Erkiaga, Michal Simek, Adriano Cordova
Subject: [PATCH v2 1/6] net: lwip: extend wget to support CA (root) certificates
Date: Wed, 5 Mar 2025 15:26:42 +0100
Message-ID: <20250305142650.2966738-2-jerome.forissier@linaro.org>
In-Reply-To: <20250305142650.2966738-1-jerome.forissier@linaro.org>

Add the "cacert" (Certification Authority certificates) subcommand to wget to pass root certificates to the code handling the HTTPS protocol. The subcommand is enabled by the WGET_CACERT Kconfig symbol.

Usage example:

=> dhcp
# Download some root certificates (note: not authenticated!)
=> wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
# Provide root certificates
=> wget cacert $fileaddr $filesize
# Enforce verification (it is optional by default)
=> wget cacert required
# Forget the root certificates
=> wget cacert 0 0
# Disable verification
=> wget cacert none

Signed-off-by: Jerome Forissier
---
cmd/Kconfig | 8 ++++ cmd/net-lwip.c | 17 ++++++-- net/lwip/wget.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++-- 3 files changed, 121 insertions(+), 6 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig index 8dd42571abc..d469217c0ea 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig
@@ -2177,6 +2177,14 @@ config WGET_HTTPS help Enable TLS over http for wget. +config WGET_CACERT + bool "wget cacert" + depends on CMD_WGET + depends on WGET_HTTPS + help + Adds the "cacert" sub-command to wget to provide root certificates + to the HTTPS engine. Must be in DER format. + endif # if CMD_NET config CMD_PXE diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c index 0fd446ecb20..1152c94a6dc 100644 --- a/cmd/net-lwip.c +++ b/cmd/net-lwip.c @@ -27,9 +27,20 @@ U_BOOT_CMD(dns, 3, 1, do_dns, "lookup the IP of a hostname", #endif #if defined(CONFIG_CMD_WGET) -U_BOOT_CMD(wget, 3, 1, do_wget, - "boot image via network using HTTP/HTTPS protocol", +U_BOOT_CMD(wget, 4, 1, do_wget, + "boot image via network using HTTP/HTTPS protocol" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert - configure wget root certificates" +#endif + , "[loadAddress] url\n" - "wget [loadAddress] [host:]path" + "wget [loadAddress] [host:]path\n" + " - load file" +#if defined(CONFIG_WGET_CACERT) + "\nwget cacert
\n" + " - provide CA certificates (0 0 to remove current)" + "\nwget cacert none|optional|required\n" + " - set server certificate verification mode (default: optional)" +#endif ); #endif diff --git a/net/lwip/wget.c b/net/lwip/wget.c index 14f27d42998..c22843ee10d 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c @@ -285,9 +285,68 @@ static err_t httpc_headers_done_cb(httpc_state_t *connection, void *arg, struct return ERR_OK; } +#if CONFIG_IS_ENABLED(WGET_HTTPS) +enum auth_mode { + AUTH_NONE, + AUTH_OPTIONAL, + AUTH_REQUIRED, +}; + +static char *cacert; +static size_t cacert_size; +static enum auth_mode cacert_auth_mode = AUTH_OPTIONAL; +#endif + +#if CONFIG_IS_ENABLED(WGET_CACERT) +static int set_auth(enum auth_mode auth) +{ + cacert_auth_mode = auth; + + return CMD_RET_SUCCESS; +} + +static int set_cacert(char * const saddr, char * const ssz) +{ + mbedtls_x509_crt crt; + ulong addr, sz; + int ret; + + if (cacert) + free(cacert); + + addr = hextoul(saddr, NULL); + sz = hextoul(ssz, NULL); + + if (!addr) { + cacert = NULL; + cacert_size = 0; + return CMD_RET_SUCCESS; + } + + cacert = malloc(sz); + if (!cacert) + return CMD_RET_FAILURE; + cacert_size = sz; + + memcpy(cacert, (void *)addr, sz); + + mbedtls_x509_crt_init(&crt); + ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size); + if (ret) { + printf("Could not parse certificates (%d)\n", ret); + free(cacert); + cacert = NULL; + cacert_size = 0; + return CMD_RET_FAILURE; + } + + return CMD_RET_SUCCESS; +} +#endif + static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { -#if defined CONFIG_WGET_HTTPS +#if CONFIG_IS_ENABLED(WGET_HTTPS) altcp_allocator_t tls_allocator; #endif httpc_connection_t conn; 
@@ -312,11 +371,34 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) return -1; memset(&conn, 0, sizeof(conn)); -#if defined CONFIG_WGET_HTTPS +#if CONFIG_IS_ENABLED(WGET_HTTPS) if (is_https) { + char *ca = cacert; + size_t ca_sz = cacert_size; + + if (cacert_auth_mode == AUTH_REQUIRED) { + if (!ca || !ca_sz) { + printf("Error: cacert authentication mode is " + "'required' but no CA certificates " + "given\n"); + return CMD_RET_FAILURE; + } + } else if (cacert_auth_mode == AUTH_NONE) { + ca = NULL; + ca_sz = 0; + } else if (cacert_auth_mode == AUTH_OPTIONAL) { + /* + * Nothing to do, this is the default behavior of + * altcp_tls to check server certificates against CA + * certificates when the latter are provided and proceed + * with no verification if not. + */ + } + tls_allocator.alloc = &altcp_tls_alloc; tls_allocator.arg = - altcp_tls_create_config_client(NULL, 0, ctx.server_name); + altcp_tls_create_config_client(ca, ca_sz, + ctx.server_name); if (!tls_allocator.arg) { log_err("error: Cannot create a TLS connection\n"); 
@@ -369,6 +451,20 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[]) ulong dst_addr; char nurl[1024]; +#if CONFIG_IS_ENABLED(WGET_CACERT) + if (argc == 4 && !strncmp(argv[1], "cacert", strlen("cacert"))) + return set_cacert(argv[2], argv[3]); + if (argc == 3 && !strncmp(argv[1], "cacert", strlen("cacert"))) { + if (!strncmp(argv[2], "none", strlen("none"))) + return set_auth(AUTH_NONE); + if (!strncmp(argv[2], "optional", strlen("optional"))) + return set_auth(AUTH_OPTIONAL); + if (!strncmp(argv[2], "required", strlen("required"))) + return set_auth(AUTH_REQUIRED); + return CMD_RET_USAGE; + } +#endif + if (argc < 2 || argc > 3) return CMD_RET_USAGE;
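Review bot: the WGET_CACERT help text in cmd/Kconfig describes only the certificate-loading form of the subcommand, not the "wget cacert none|optional|required" form that the same patch adds, nor that the mode defaults to optional; that default is the security-relevant detail a user needs when deciding whether to enable the option. Suggest extending the help with a line such as "Also adds 'wget cacert none|optional|required' to select how server certificates are checked (default: optional)."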
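Review bot: the usage text in cmd/net-lwip.c says nothing about the certificate format, while the Kconfig help requires DER; a user who passes the PEM form of a root certificate only sees "Could not parse certificates" from set_cacert(). Suggest stating the format in the help line, e.g. "- provide CA certificates in DER format (0 0 to remove current)", so the constraint is visible from the U-Boot prompt and not only at configuration time.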
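Review bot: in set_cacert() the mbedtls_x509_crt `crt` is initialised and parsed but never released; add mbedtls_x509_crt_free(&crt) on both the success path and the "Could not parse certificates" path, otherwise each `wget cacert` leaks the parsed chain. Two related points in the same function: the previous certificates are freed before the new blob is validated, so a failed `wget cacert` silently leaves the board with no CA at all, and with the default 'optional' mode the next HTTPS download then proceeds unauthenticated; parsing into `crt` first and only then replacing `cacert` avoids that window. And when malloc() fails, `cacert` becomes NULL but `cacert_size` keeps its old value; reset `cacert_size = 0` wherever `cacert` is dropped. Finally, since mbedtls_x509_crt_parse() takes a single DER certificate and each call replaces the stored blob, only one root can be trusted at a time; that limitation belongs in the help text.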
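Review bot: the new AUTH_REQUIRED check in wget_loop() returns CMD_RET_FAILURE, while the surrounding error paths in this function (see the `return -1;` at the top of the hunk) return -1; use the same convention so the caller's error handling stays consistent. Also, the comment under AUTH_OPTIONAL says altcp_tls checks the server certificate against the CA when one is provided, but at this point in the series the lwIP default ALTCP_MBEDTLS_AUTHMODE is still MBEDTLS_SSL_VERIFY_OPTIONAL (it is only removed in 2/6), and under that mode a failed verification does not abort the handshake; so with this patch alone, 'optional' with a CA loaded does not reject a bad server certificate. Either reorder 2/6 ahead of this patch or word the comment to say that the enforcement comes from the altcp layer's authmode.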
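Review bot: the argument matching in do_wget() uses strncmp(argv[1], "cacert", strlen("cacert")), which is a prefix match: "cacertX" is accepted as "cacert", and likewise "nonesuch" selects AUTH_NONE and "requiredness" AUTH_REQUIRED. Use strcmp() (or strncmp() plus a length check) for all four comparisons. Also "wget cacert" with no further argument (argc == 2) is not caught by the new block and falls through to the download path, where "cacert" is treated as a host/path; returning CMD_RET_USAGE for that case would be clearer.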
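A stand-alone check of the blob that `wget cacert <addr> <size>` copies before set_cacert() hands it to mbedtls_x509_crt_parse(), written for this review and not part of the patch or of U-Boot: it walks the outer DER framing (each X.509 certificate is an ASN.1 SEQUENCE whose encoded length must end exactly where the next one starts) and tells apart the mistakes that all surface as "Could not parse certificates": a PEM file, a truncated download, or a wrong $filesize. The sample blobs are constructed SEQUENCEs, not real certificates, and all function names are the example's own.

```c
/*
 * Example written for this review, not part of U-Boot or of the patch.
 * Checks that a blob is one or more concatenated DER X.509 certificates,
 * the format the WGET_CACERT help text requires.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum blob_status {
	BLOB_OK,		/* complete DER SEQUENCE(s) fill the blob exactly */
	BLOB_EMPTY,		/* size is 0 */
	BLOB_PEM,		/* "-----BEGIN ..." text, not DER */
	BLOB_TRUNCATED,		/* a SEQUENCE claims more bytes than remain */
	BLOB_MALFORMED,		/* not a SEQUENCE, or non-minimal DER length */
};

/*
 * Decode the tag/length header of the element at buf[0..len) and return its
 * total encoded size (tag + length + body) through *total. Only SEQUENCE
 * (tag 0x30) is accepted because every X.509 Certificate is one.
 */
static enum blob_status der_sequence_size(const uint8_t *buf, size_t len,
					  size_t *total)
{
	size_t hdr, body;

	if (len < 2)
		return BLOB_TRUNCATED;
	if (buf[0] != 0x30)
		return BLOB_MALFORMED;

	if (buf[1] < 0x80) {
		/* short form: the length byte is the body length */
		hdr = 2;
		body = buf[1];
	} else {
		/* long form: 0x80 | n, then n big-endian length bytes */
		size_t n = buf[1] & 0x7f;
		size_t i;

		/* n == 0 is the BER indefinite form, which DER forbids */
		if (n == 0 || n > 4)
			return BLOB_MALFORMED;
		if (len < 2 + n)
			return BLOB_TRUNCATED;
		body = 0;
		for (i = 0; i < n; i++)
			body = (body << 8) | buf[2 + i];
		/* DER requires the shortest encoding: long form only for >= 128 */
		if (body < 0x80 || (n > 1 && buf[2] == 0))
			return BLOB_MALFORMED;
		hdr = 2 + n;
	}

	if (body > len - hdr)
		return BLOB_TRUNCATED;
	*total = hdr + body;
	return BLOB_OK;
}

/*
 * Walk the whole blob. On BLOB_OK, *count is the number of certificates found;
 * on an error it is how many were parsed before the problem.
 */
enum blob_status check_cacert_blob(const uint8_t *buf, size_t len, size_t *count)
{
	static const char pem_marker[] = "-----BEGIN ";
	size_t off = 0;

	*count = 0;
	if (len == 0)
		return BLOB_EMPTY;
	if (len >= sizeof(pem_marker) - 1 &&
	    !memcmp(buf, pem_marker, sizeof(pem_marker) - 1))
		return BLOB_PEM;

	while (off < len) {
		size_t total;
		enum blob_status st = der_sequence_size(buf + off, len - off, &total);

		if (st != BLOB_OK)
			return st;
		off += total;
		(*count)++;
	}
	return BLOB_OK;
}

/* Convenience wrapper: number of certificates on success, -status on error. */
int count_der_certs(const uint8_t *buf, size_t len)
{
	size_t n;
	enum blob_status st = check_cacert_blob(buf, len, &n);

	return st == BLOB_OK ? (int)n : -(int)st;
}

/* Constructed samples: structurally valid DER SEQUENCEs, not real certificates. */
const uint8_t sample_two_certs[] = {
	0x30, 0x03, 0x02, 0x01, 0x05,	/* SEQUENCE { INTEGER 5 } */
	0x30, 0x03, 0x02, 0x01, 0x07,	/* SEQUENCE { INTEGER 7 } */
};
const uint8_t sample_truncated[] = { 0x30, 0x10, 0x02, 0x01, 0x05 };	/* claims 16 body bytes */
const uint8_t sample_nonminimal[] = { 0x30, 0x81, 0x03, 0x02, 0x01, 0x05 };	/* long form for 3 */
const char sample_pem[] = "-----BEGIN CERTIFICATE-----\n";
```

Passing `sizeof(sample_two_certs)` yields 2 certificates, while passing 7 (a $filesize that cuts the second one short) yields BLOB_TRUNCATED, the same class of mistake that set_cacert() reports only as a parse failure.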
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Javier Tia, Heinrich Schuchardt
Subject: [PATCH v2 2/6] lwip: tls: enforce checking of server certificates based on CA availability
Date: Wed, 5 Mar 2025 15:26:43 +0100
Message-ID: <20250305142650.2966738-3-jerome.forissier@linaro.org>
In-Reply-To: <20250305142650.2966738-1-jerome.forissier@linaro.org>

Instead of relying on some build time configuration to determine if server certificates need to be checked against CA certificates, do it based on the availability of such certificates. If no CA is configured then no check can succeed; on the other hand if we have CA certs then we should not ignore them. It is always possible to remove the CA certs (via 'wget cacert 0 0') to force an HTTPS download that would fail certificate validation.
Signed-off-by: Jerome Forissier Reviewed-by: Ilias Apalodimas --- lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 3 ++- .../lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h | 6 ------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c index 46421588fef..fa3d1d74fed 100644 --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c @@ -786,6 +786,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav int ret; struct altcp_tls_config *conf; mbedtls_x509_crt *mem; + int authmode = have_ca ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE; if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS, @@ -840,7 +841,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav altcp_mbedtls_free_config(conf); return NULL; } - mbedtls_ssl_conf_authmode(&conf->conf, ALTCP_MBEDTLS_AUTHMODE); + mbedtls_ssl_conf_authmode(&conf->conf, authmode); mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); #if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF diff --git a/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h b/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h index e41301c061c..71aa5993935 100644 --- a/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h +++ b/lib/lwip/lwip/src/include/lwip/apps/altcp_tls_mbedtls_opts.h 
@@ -100,12 +100,6 @@ #define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS (60 * 60 * 24) #endif -/** Certificate verification mode: MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL (default), - * MBEDTLS_SSL_VERIFY_REQUIRED (recommended)*/ -#ifndef ALTCP_MBEDTLS_AUTHMODE -#define ALTCP_MBEDTLS_AUTHMODE MBEDTLS_SSL_VERIFY_OPTIONAL -#endif - #endif /* LWIP_ALTCP */ #endif /* LWIP_HDR_ALTCP_TLS_OPTS_H */
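Review bot: altcp_tls_create_config() (its is_server parameter is visible in the hunk header) is shared by the client and server paths, so deriving authmode from have_ca also changes server behaviour: a server config created with a CA now demands a client certificate (MBEDTLS_SSL_VERIFY_REQUIRED) and one without a CA stops asking for one, where the removed ALTCP_MBEDTLS_AUTHMODE default was MBEDTLS_SSL_VERIFY_OPTIONAL for both. Either restrict the new choice to !is_server or state in the commit message that the server side is meant to change as well. For the header hunk, rather than deleting ALTCP_MBEDTLS_AUTHMODE from the vendored lwIP copy, consider keeping it as an explicit override (an `#ifdef ALTCP_MBEDTLS_AUTHMODE` that wins over the have_ca choice), which keeps the divergence from upstream lwIP small for the next sync.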
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas, Jerome Forissier, Tom Rini, Javier Tia, Heinrich Schuchardt
Subject: [PATCH v2 3/6] lwip: tls: warn when no CA exists and log certificate validation errors
Date: Wed, 5 Mar 2025 15:26:44 +0100
Message-ID: <20250305142650.2966738-4-jerome.forissier@linaro.org>
In-Reply-To: <20250305142650.2966738-1-jerome.forissier@linaro.org>

Using HTTPS without root (CA) certificates is a security issue. Print a warning in this case. Also, when certificate verification fails, print an additional message because "HTTP client error 4" is not very informative (4 is HTTPC_RESULT_ERR_CLOSED).

Signed-off-by: Jerome Forissier
Reviewed-by: Ilias Apalodimas
---
lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 6 ++++++ 1 file changed, 6 insertions(+)

diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c index fa3d1d74fed..ef51a5ac168 100644 --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c @@ -298,6 +298,9 @@ altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbedtls_state_t * if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_handshake failed: %d\n", ret)); /* handshake failed, connection has to be closed */ + if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { + printf("Certificate verification failed\n"); + } if (conn->err) { conn->err(conn->arg, ERR_CLSD); }
@@ -841,6 +844,9 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav altcp_mbedtls_free_config(conf); return NULL; } + if (authmode == MBEDTLS_SSL_VERIFY_NONE) { + printf("WARNING: no CA certificates, HTTPS connections not authenticated\n"); + } mbedtls_ssl_conf_authmode(&conf->conf, authmode); mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
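Review bot: altcp_tls_create_config() takes is_server (visible in the hunk header) and builds server configurations too, where MBEDTLS_SSL_VERIFY_NONE is the normal setting whenever client certificates are not required. As written, a server that is doing nothing wrong would print "WARNING: no CA certificates, HTTPS connections not authenticated". Suggest gating the warning on the client case, i.e. "if (!is_server && authmode == MBEDTLS_SSL_VERIFY_NONE) {", or wording it so it is true for both roles.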
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas , Jerome Forissier , Tom Rini , Joe Hershberger , Ramon Fried , Simon Glass , Heinrich Schuchardt , Mattijs Korpershoek , Ibai Erkiaga , Michal Simek , Adriano Cordova
Subject: [PATCH v2 4/6] net: lwip: add support for built-in root certificates
Date: Wed, 5 Mar 2025 15:26:45 +0100
Message-ID: <20250305142650.2966738-5-jerome.forissier@linaro.org>
In-Reply-To: <20250305142650.2966738-1-jerome.forissier@linaro.org>

Introduce Kconfig symbols WGET_BUILTIN_CACERT and WGET_BUILTIN_CACERT_PATH to provide root certificates at build time.

Usage example:

  wget -O cacert.crt https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt
  make qemu_arm64_lwip_defconfig
  echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
  echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.crt >>.config
  make olddefconfig
  make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
  qemu-system-aarch64 -M virt -nographic -cpu max \
    -object rng-random,id=rng0,filename=/dev/urandom \
    -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
  => dhcp
  # HTTPS transfer using the builtin CA certificates
  => wget https://digicert-tls-ecc-p384-root-g5.chain-demos.digicert.com/
  1867 bytes transferred in 1 ms (1.8 MiB/s)
  Bytes transferred = 1867 (74b hex)

Signed-off-by: Jerome Forissier
---
 cmd/Kconfig       | 14 ++++++++++++
 cmd/net-lwip.c    |  4 ++++
 net/lwip/Makefile |  6 +++++
 net/lwip/wget.c   | 57 +++++++++++++++++++++++++++++++++++++++--------
 4 files changed, 72 insertions(+), 9 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig index d469217c0ea..312bf94d4e8 100644 --- a/cmd/Kconfig +++ b/cmd/Kconfig @@ -2185,6 +2185,20 @@ config WGET_CACERT Adds the "cacert" sub-command to wget to provide root certificates to the HTTPS engine. Must be in DER format. +config WGET_BUILTIN_CACERT + bool "Built-in CA certificates" + depends on WGET_HTTPS + select BUILD_BIN2C + +config WGET_BUILTIN_CACERT_PATH + string "Path to root certificates" + depends on WGET_BUILTIN_CACERT + default "cacert.crt" + help + Set this to the path to a DER-encoded X509 file containing + Certification Authority certificates, a.k.a. root certificates, for + the purpose of authenticating HTTPS connections. + endif # if CMD_NET config CMD_PXE diff --git a/cmd/net-lwip.c b/cmd/net-lwip.c index 1152c94a6dc..58c10fbec7d 100644 --- a/cmd/net-lwip.c +++ b/cmd/net-lwip.c @@ -41,6 +41,10 @@ U_BOOT_CMD(wget, 4, 1, do_wget, " - provide CA certificates (0 0 to remove current)" "\nwget cacert none|optional|required\n" " - set server certificate verification mode (default: optional)" +#if defined(CONFIG_WGET_BUILTIN_CACERT) + "\nwget cacert builtin\n" + " - use the builtin CA certificates" +#endif #endif ); #endif diff --git a/net/lwip/Makefile b/net/lwip/Makefile index 79dd6b3fb50..950c5316bb9 100644 --- a/net/lwip/Makefile +++ b/net/lwip/Makefile @@ -6,3 +6,9 @@ obj-$(CONFIG_CMD_DNS) += dns.o obj-$(CONFIG_CMD_PING) += ping.o obj-$(CONFIG_CMD_TFTPBOOT) += tftp.o obj-$(CONFIG_WGET) += wget.o + +ifeq (y,$(CONFIG_WGET_BUILTIN_CACERT)) +$(obj)/builtin_cacert.c: $(CONFIG_WGET_BUILTIN_CACERT_PATH:"%"=%) FORCE + $(call if_changed,bin2c,builtin_cacert) +obj-y += builtin_cacert.o +endif diff --git a/net/lwip/wget.c b/net/lwip/wget.c index c22843ee10d..ec098148835 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c 
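Review bot: in the cmd/Kconfig hunk, WGET_BUILTIN_CACERT has no help text, unlike WGET_CACERT just above it and WGET_BUILTIN_CACERT_PATH below it. Add a few lines saying that the file named by WGET_BUILTIN_CACERT_PATH is compiled into the image (select BUILD_BIN2C) and becomes the CA set used for HTTPS until "wget cacert" replaces it. The CACERT_PATH help says "a DER-encoded X509 file containing Certification Authority certificates" (plural): state whether several concatenated DER certificates are accepted or only one, because a user who downloads a single root certificate as in the commit message needs to know whether they can append a second one.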
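Review bot: in the net/lwip/Makefile hunk, "$(obj)/builtin_cacert.c: $(CONFIG_WGET_BUILTIN_CACERT_PATH:"%"=%) FORCE" resolves a relative path against make's working directory. With an O=<dir> build that is the output tree, not the source tree, so the default "cacert.crt" quietly points somewhere other than the in-tree file the commit message example creates, and make fails with "No rule to make target". Either document in the Kconfig help that the path is relative to the build directory (or should be absolute), or prefix relative paths with $(srctree)/. Two kbuild details as well: list the generated file in "targets" so if_changed can read its saved .cmd file (without that the certificate is re-converted on every build), and add it to clean-files so "make clean" removes it.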
@@ -304,28 +304,34 @@ static int set_auth(enum auth_mode auth) return CMD_RET_SUCCESS; } +#endif -static int set_cacert(char * const saddr, char * const ssz) +#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT) +extern const char builtin_cacert[]; +extern const size_t builtin_cacert_size; +static bool cacert_initialized; +#endif + +#if CONFIG_IS_ENABLED(WGET_CACERT) || CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT) +static int _set_cacert(const void *addr, size_t sz) { mbedtls_x509_crt crt; - ulong addr, sz; + void *p; int ret; if (cacert) free(cacert); - addr = hextoul(saddr, NULL); - sz = hextoul(ssz, NULL); - if (!addr) { cacert = NULL; cacert_size = 0; return CMD_RET_SUCCESS; } - cacert = malloc(sz); - if (!cacert) + p = malloc(sz); + if (!p) return CMD_RET_FAILURE; + cacert = p; cacert_size = sz; memcpy(cacert, (void *)addr, sz); @@ -340,10 +346,32 @@ static int set_cacert(char * const saddr, char * const ssz) return CMD_RET_FAILURE; } +#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT) + cacert_initialized = true; +#endif return CMD_RET_SUCCESS; } + +#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT) +static int set_cacert_builtin(void) +{ + return _set_cacert(builtin_cacert, builtin_cacert_size); +} #endif +#if CONFIG_IS_ENABLED(WGET_CACERT) +static int set_cacert(char * const saddr, char * const ssz) +{ + ulong addr, sz; + + addr = hextoul(saddr, NULL); + sz = hextoul(ssz, NULL); + + return _set_cacert((void *)addr, sz); +} +#endif +#endif /* CONFIG_WGET_CACERT || CONFIG_WGET_BUILTIN_CACERT */ + static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { #if CONFIG_IS_ENABLED(WGET_HTTPS) 
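Review bot: cacert_initialized is only set on the successful parse path at the end of _set_cacert(), not on the early return "if (!addr) { cacert = NULL; cacert_size = 0; return CMD_RET_SUCCESS; }". A user who runs "wget cacert 0 0" before the first HTTPS transfer therefore has the removal silently undone: wget_loop() sees !cacert_initialized and calls set_cacert_builtin(), re-installing the built-in certificates. Setting cacert_initialized = true before the "if (!addr)" check (the user has now made a choice either way) fixes this and keeps the documented "wget cacert 0 0" example true regardless of ordering. Minor: with addr now const void *, the "(void *)addr" cast in memcpy() discards the qualifier for no reason; memcpy() takes a const void * source, so pass addr directly.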
@@ -373,8 +401,15 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) memset(&conn, 0, sizeof(conn)); #if CONFIG_IS_ENABLED(WGET_HTTPS) if (is_https) { - char *ca = cacert; - size_t ca_sz = cacert_size; + char *ca; + size_t ca_sz; + +#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT) + if (!cacert_initialized) + set_cacert_builtin(); +#endif + ca = cacert; + ca_sz = cacert_size; if (cacert_auth_mode == AUTH_REQUIRED) { if (!ca || !ca_sz) { 
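Review bot: the return value of set_cacert_builtin() is discarded here. If the built-in blob fails to parse (wrong format, truncated), cacert stays NULL; in AUTH_REQUIRED mode the check just below ("if (!ca || !ca_sz)") catches it, but in the default optional mode the transfer proceeds unauthenticated with only the generic WARNING from 3/6, which is indistinguishable from a deliberate "wget cacert none". Suggest logging the failure at this point, e.g. "if (set_cacert_builtin()) printf("Built-in CA certificates could not be loaded\n");", so a bad build-time certificate is noticed on the first transfer rather than mistaken for a configuration choice.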
@@ -455,6 +490,10 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[]) if (argc == 4 && !strncmp(argv[1], "cacert", strlen("cacert"))) return set_cacert(argv[2], argv[3]); if (argc == 3 && !strncmp(argv[1], "cacert", strlen("cacert"))) { +#if CONFIG_IS_ENABLED(WGET_BUILTIN_CACERT) + if (!strncmp(argv[2], "builtin", strlen("builtin"))) + return set_cacert_builtin(); +#endif if (!strncmp(argv[2], "none", strlen("none"))) return set_auth(AUTH_NONE); if (!strncmp(argv[2], "optional", strlen("optional")))
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas , Jerome Forissier , Tom Rini , Heinrich Schuchardt , Simon Glass
Subject: [PATCH v2 5/6] doc: cmd: wget: document cacert subcommand
Date: Wed, 5 Mar 2025 15:26:46 +0100
Message-ID: <20250305142650.2966738-6-jerome.forissier@linaro.org>
In-Reply-To: <20250305142650.2966738-1-jerome.forissier@linaro.org>

Document the 'wget cacert' subcommand, which allows configuring root (CA) certificates for HTTPS.

Signed-off-by: Jerome Forissier
---
 doc/usage/cmd/wget.rst | 82 ++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 80 insertions(+), 2 deletions(-)

diff --git a/doc/usage/cmd/wget.rst b/doc/usage/cmd/wget.rst index 48bedf1e845..cc82e495a29 100644 --- a/doc/usage/cmd/wget.rst +++ b/doc/usage/cmd/wget.rst @@ -12,7 +12,9 @@ Synopsis :: wget [address] [host:]path - wget [address] url # lwIP only + wget [address] url # lwIP only + wget cacert none|optional|required # lwIP only + wget cacert
# lwIP only Description @@ -54,6 +56,32 @@ address url HTTP or HTTPS URL, that is: http[s]://[:]/. +The cacert (stands for 'Certification Authority certificates') subcommand is +used to provide root certificates for the purpose of HTTPS authentication. It +also allows to enable or disable authentication. + +wget cacert
+ +address + memory address of the root certificates in X509 DER format + +size + the size of the root certificates + +wget cacert none|optional|required + +none + certificate verification is disabled. HTTPS is used without any server + authentication (unsafe) +optional + certificate verification is enabled provided root certificates have been + provided via wget cacert or wget cacert builtin. Otherwise + HTTPS is used without any server authentication (unsafe). +required + certificate verification is mandatory. If no root certificates have been + configured, HTTPS transfers will fail. + + Examples -------- 
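Review bot: two things in the new description block. Grammar: "It also allows to enable or disable authentication" should read "It also allows authentication to be enabled or disabled". Substance: the "optional" entry says verification happens "provided root certificates have been provided via wget cacert or wget cacert builtin", but with WGET_BUILTIN_CACERT=y the built-in set is loaded automatically on the first HTTPS transfer (4/6, wget_loop, "if (!cacert_initialized) set_cacert_builtin();"), so nobody has to type "wget cacert builtin" for verification to be active after boot; say so here, otherwise readers will assume a fresh boot is unauthenticated until they run the command. Also, as rendered, the synopsis line and the first definition-list heading read just "wget cacert" with no address/size placeholders; if the rst source really lacks them, add them, since the "address" and "size" entries below refer to arguments the heading does not show.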
@@ -97,11 +125,61 @@ In the example the following steps are executed: 1694892032 bytes transferred in 492181 ms (3.3 MiB/s) Bytes transferred = 1694892032 (65060000 hex) +Here is an example showing how to configure built-in root certificates as +well as providing some at run time. In this example it is assumed that +CONFIG_WGET_BUILTIN_CACERT_PATH=DigiCertTLSRSA4096RootG5.crt downloaded from +https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt. + +:: + + # Make sure IP is configured + => dhcp + # When built-in certificates are configured, authentication is mandatory + # (i.e., "wget cacert required"). Use a test server... + => wget https://digicert-tls-rsa4096-root-g5.chain-demos.digicert.com/ + 1864 bytes transferred in 1 ms (1.8 MiB/s) + Bytes transferred = 1864 (748 hex) + # Another server not signed against Digicert will fail + => wget https://www.google.com/ + Certificate verification failed + + HTTP client error 4 + # Disable authentication to allow the command to proceed anyways + => wget cacert none + => wget https://www.google.com/ + WARNING: no CA certificates, HTTPS connections not authenticated + 16683 bytes transferred in 15 ms (1.1 MiB/s) + Bytes transferred = 16683 (412b hex) + # Force verification but unregister the CA certificates + => wget cacert required + => wget cacert 0 0 + # Unsurprisingly, download fails + => wget https://digicert-tls-rsa4096-root-g5.chain-demos.digicert.com/ + Error: cacert authentication mode is 'required' but no CA certificates given + # Get the same certificates as above from the network + => wget cacert none + => wget https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt + WARNING: no CA certificates, HTTPS connections not authenticated + 1386 bytes transferred in 1 ms (1.3 MiB/s) + Bytes transferred = 1386 (56a hex) + # Register them and force authentication + => wget cacert $fileaddr $filesize + => wget cacert required + # Authentication is operational again + => wget 
https://digicert-tls-rsa4096-root-g5.chain-demos.digicert.com/ + 1864 bytes transferred in 1 ms (1.8 MiB/s) + Bytes transferred = 1864 (748 hex) + # The builtin certificates can be restored at any time + => wget cacert builtin + Configuration ------------- The command is only available if CONFIG_CMD_WGET=y. -To enable lwIP support set CONFIG_NET_LWIP=y. +To enable lwIP support set CONFIG_NET_LWIP=y. In this case, root certificates +support can be enabled via CONFIG_WGET_BUILTIN_CACERT=y +CONFIG_WGET_BUILTIN_CACERT_PATH= (for built-in certificates) and/or +CONFIG_WGET_CACERT=y (for the wget cacert command). TCP Selective Acknowledgments in the legacy network stack can be enabled via CONFIG_PROT_TCP_SACK=y. This will improve the download speed. Selective
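Review bot: the examples block states "When built-in certificates are configured, authentication is mandatory (i.e., "wget cacert required")", but 4/6 does not change cacert_auth_mode when it loads the built-in certificates, and the command help added in the same series says the default is "optional". The first transfer in the example is verified because CA certificates are present under "optional", not because the mode is "required"; the example itself then shows "wget cacert none" switching verification off, which "required" is meant to prevent. Either reword to "verification is performed because the built-in CA certificates are loaded (mode 'optional')", or make set_cacert_builtin() select AUTH_REQUIRED in 4/6 so the sentence is true. The later "Force verification but unregister the CA certificates" sequence reads correctly as is.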
From: Jerome Forissier
To: u-boot@lists.denx.de
Cc: Ilias Apalodimas , Jerome Forissier , Tom Rini , Peter Robinson , Simon Glass
Subject: [PATCH v2 6/6] configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT
Date: Wed, 5 Mar 2025 15:26:47 +0100
Message-ID: <20250305142650.2966738-7-jerome.forissier@linaro.org>
In-Reply-To: <20250305142650.2966738-1-jerome.forissier@linaro.org>

Enable the "wget cacert" command.

Signed-off-by: Jerome Forissier
Reviewed-by: Ilias Apalodimas
---
 configs/qemu_arm64_lwip_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig index 754c770c33f..814e98729a3 100644 --- a/configs/qemu_arm64_lwip_defconfig +++ b/configs/qemu_arm64_lwip_defconfig @@ -8,3 +8,4 @@ CONFIG_CMD_DNS=y CONFIG_CMD_WGET=y CONFIG_EFI_HTTP_BOOT=y CONFIG_WGET_HTTPS=y +CONFIG_WGET_CACERT=y
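Review bot: fine as a minimal change, but note what it does not do: this enables only the run-time "wget cacert" command, not WGET_BUILTIN_CACERT, so the qemu_arm64_lwip image still performs unauthenticated HTTPS out of the box (with the 3/6 warning printed) until someone registers certificates. If the 5/6 examples are meant to be reproducible against this defconfig, the commit message should point to the two extra .config lines from 4/6, or the defconfig should carry a CACERT_PATH that CI can satisfy.

The series requires the file behind CONFIG_WGET_BUILTIN_CACERT_PATH (and the blob passed to "wget cacert address size") to be DER, while CA download pages commonly serve PEM; the symptom at run time is the "Certificate verification failed" or "no CA certificates given" path rather than a format error. The following check is an added example written for this review, not U-Boot, lwIP or mbedtls code: a stdlib-only Python script that tells a DER file from PEM or a truncated blob before bin2c bakes it in, and converts PEM to DER when that is what was downloaded. It parses only the outer ASN.1 SEQUENCE header(s), which is enough for the format question; whether several concatenated DER certificates are accepted on the U-Boot side is not stated in the series, so the script merely reports how many it finds.

```python
#!/usr/bin/env python3
"""Check that a CA file is DER before compiling it in with bin2c.

Added example for this review, not U-Boot code. Standard library only.
Parses just the top-level ASN.1 SEQUENCE header(s): enough to tell a DER
certificate file from the PEM download format or from a truncated blob.
"""
import base64
import re
import sys

# PEM armour as produced by most CA download pages and by openssl.
PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

SEQUENCE_TAG = 0x30  # every X.509 Certificate is a top-level SEQUENCE


def der_length(buf: bytes, pos: int):
    """Decode the DER length octets at buf[pos]; return (length, octets_used)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one octet
        return first, 1
    n = first & 0x7F                       # long form: n following octets
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError(f"byte {pos}: invalid DER length header 0x{first:02x}")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    # DER demands the shortest encoding: no leading zero octet, and no long
    # form for values that fit the short form.
    if length < 0x80 or buf[pos + 1] == 0:
        raise ValueError(f"byte {pos}: non-minimal DER length (BER, not DER)")
    return length, 1 + n


def split_der_certs(buf: bytes):
    """Split buf into its top-level SEQUENCE blobs; raise on anything else."""
    certs = []
    pos = 0
    while pos < len(buf):
        if buf[pos] != SEQUENCE_TAG:
            raise ValueError(
                f"byte {pos}: expected SEQUENCE tag 0x30, got 0x{buf[pos]:02x}")
        length, used = der_length(buf, pos + 1)
        end = pos + 1 + used + length
        if end > len(buf):
            left = len(buf) - pos - 1 - used
            raise ValueError(
                f"byte {pos}: SEQUENCE claims {length} bytes, only {left} left")
        certs.append(buf[pos:end])
        pos = end
    return certs


def classify_cacert(buf: bytes):
    """Return ("pem", count) or ("der", count); raise ValueError for neither."""
    pem_blocks = PEM_CERT_RE.findall(buf)
    if pem_blocks:
        return "pem", len(pem_blocks)
    return "der", len(split_der_certs(buf))


def is_usable_der(buf: bytes) -> bool:
    """True iff buf is one or more well-formed top-level DER SEQUENCEs."""
    try:
        return classify_cacert(buf)[0] == "der"
    except ValueError:
        return False


def pem_to_der(buf: bytes) -> bytes:
    """Concatenate the DER payload of every PEM certificate block in buf."""
    return b"".join(base64.b64decode(block) for block in PEM_CERT_RE.findall(buf))


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <cacert-file>", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as fh:
        data = fh.read()
    try:
        kind, count = classify_cacert(data)
    except ValueError as err:
        print(f"{argv[1]}: not a DER or PEM certificate file: {err}")
        return 1
    if kind == "pem":
        der = pem_to_der(data)
        print(f"{argv[1]}: {count} PEM certificate(s); convert to DER first "
              f"({len(der)} bytes after decoding)")
        return 1
    print(f"{argv[1]}: {count} DER certificate(s), {len(data)} bytes; ok for bin2c")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as "python3 check_cacert.py cacert.crt" after the download step in the 4/6 commit message and before "make"; a non-zero exit means the file would not have parsed in _set_cacert(). The length check rejects BER-style non-minimal lengths on purpose, since a strict DER parser does the same.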