Hi Jerome,

On Fri, 14 Mar 2025 at 22:01, Jerome Forissier <[email protected]> wrote:
>
> Hi Simon,
>
> On 3/13/25 14:23, Jerome Forissier wrote:
> >
> >
> > On 3/13/25 13:51, Simon Glass wrote:
> >> Hi Jerome,
> >>
> >> On Fri, 7 Mar 2025 at 10:49, Jerome Forissier
> >> <[email protected]> wrote:
> >>>
> >>> Hi Simon,
> >>>
> >>> On 3/4/25 16:46, Simon Glass wrote:
> >>>> Hi Jerome,
> >>>>
> >>>> On Thu, 27 Feb 2025 at 09:43, Jerome Forissier
> >>>> <[email protected]> wrote:
> >>>>>
> >>>>>
> >>>>>
> >>>>> On 2/27/25 17:27, Simon Glass wrote:
> >>>>>> Hi Jerome,
> >>>>>>
> >>>>>> On Thu, 27 Feb 2025 at 09:09, Jerome Forissier
> >>>>>> <[email protected]> wrote:
> >>>>>>>
> >>>>>>> This series adds support for HTTP server authentication using root (CA)
> >>>>>>> certificates.
> >>>>>>>
> >>>>>>> As a first step, the wget command is extended to support a sub-command:
> >>>>>>> cacert <addr> <size>. The memory region shall contain the CA
> >>>>>>> certificates. With this, it is possible to load the certificates from
> >>>>>>> storage or get them from the network for example, which is convenient
> >>>>>>> for testing at least. The Kconfig symbol for this feature is
> >>>>>>> WGET_CACERT=y.
> >>>>>>>
> >>>>>>> Then new Kconfig symbols are added to support providing the certificates
> >>>>>>> at build time, as a DER or PEM encoded X509 collection:
> >>>>>>> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
> >>>>>>> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
> >>>>>>> command as well as for the builtin way).
> >>>>>>>
> >>>>>>> Here is a complete example (showing only the relevant output from the
> >>>>>>> various commands):
> >>>>>>>
> >>>>>>> make qemu_arm64_lwip_defconfig
> >>>>>>> wget https://curl.se/ca/cacert.pem
> >>>>>>> echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
> >>>>>>> echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
> >>>>>>> make olddefconfig
> >>>>>>> make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
> >>>>>>> qemu-system-aarch64 -M virt -nographic -cpu max \
> >>>>>>>   -object rng-random,id=rng0,filename=/dev/urandom \
> >>>>>>>   -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
> >>>>>>> => dhcp
> >>>>>>> # HTTPS transfer using the builtin CA certificates
> >>>>>>> => wget https://www.google.com/
> >>>>>>> 18724 bytes transferred in 15 ms (1.2 MiB/s)
> >>>>>>> # Disable certificate validation
> >>>>>>> => wget cacert 0 0
> >>>>>>> # Unsafe HTTPS transfer
> >>>>>>> => wget https://www.google.com/
> >>>>>>> WARNING: no CA certificates, HTTPS connections not authenticated
> >>>>>>> 16570 bytes transferred in 15 ms (1.1 MiB/s)
> >>>>>>> # Download and apply CA certificates from the net
> >>>>>>> => wget https://curl.se/ca/cacert.pem
> >>>>>>> WARNING: no CA certificates, HTTPS connections not authenticated
> >>>>>>> ##
> >>>>>>> 233263 bytes transferred in 61 ms (3.6 MiB/s)
> >>>>>>> => wget cacert $fileaddr $filesize
> >>>>>>> # Now HTTPS is authenticated against the new CA
> >>>>>>> => wget https://www.google.com/
> >>>>>>> 18743 bytes transferred in 14 ms (1.3 MiB/s)
> >>>>>>> # Drop the certificates again...
> >>>>>>> => wget cacert 0 0
> >>>>>>> # Check that transfer is not secure
> >>>>>>> => wget https://www.google.com/
> >>>>>>> WARNING: no CA certificates, HTTPS connections not authenticated
> >>>>>>> # Restore the builtin CA
> >>>>>>> => wget cacert builtin
> >>>>>>> # No more WARNING
> >>>>>>> => wget https://www.google.com/
> >>>>>>> 18738 bytes transferred in 15 ms (1.2 MiB/s)
> >>>>>>>
> >>>>>>> Jerome Forissier (5):
> >>>>>>>   net: lwip: extend wget to support CA (root) certificates
> >>>>>>>   lwip: tls: enforce checking of server certificates based on CA
> >>>>>>>     availability
> >>>>>>>   lwip: tls: warn when no CA exists amd log certificate validation
> >>>>>>>     errors
> >>>>>>>   net: lwip: add support for built-in root certificates
> >>>>>>>   configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and
> >>>>>>>     MBEDTLS_LIB_X509_PEM
> >>>>>>>
> >>>>>>>  cmd/Kconfig                                |  29 ++++++
> >>>>>>>  cmd/net-lwip.c                             |  19 +++-
> >>>>>>>  configs/qemu_arm64_lwip_defconfig          |   2 +
> >>>>>>>  .../src/apps/altcp_tls/altcp_tls_mbedtls.c |   9 +-
> >>>>>>>  .../lwip/apps/altcp_tls_mbedtls_opts.h     |   6 --
> >>>>>>>  lib/mbedtls/Makefile                       |   3 +
> >>>>>>>  lib/mbedtls/mbedtls_def_config.h           |   5 ++
> >>>>>>>  net/lwip/Makefile                          |   6 ++
> >>>>>>>  net/lwip/wget.c                            |  90 ++++++++++++++++++-
> >>>>>>>  9 files changed, 158 insertions(+), 11 deletions(-)
> >>>>>>
> >>>>>> Did you manage to add some sandbox tests for lwip?
> >>>>>
> >>>>> Unfortunately not. I am testing mostly with QEMU
> >>>>> (qemu_arm64_lwip_defconfig) and sometimes with KV260 and i.MX93.
> >>>>
> >>>> My understanding was that someone was working on it [1] and I had
> >>>> assumed it was you?
> >>>
> >>> Yes, it is on my TODO list. Higher priority things have kept coming in,
> >>> but hopefully I can resume this work soon.
> >>
> >> Until the tests are added, please stop sending new series for lwip. It
> >> is just going to make it harder to add the tests later.
> >
> > I don't see how exactly it would make things harder, but...
> >
> >> It should not take long to add a basic test, e.g. for ping.
> >
> > ...I'm on it.
>
> Please see https://lists.denx.de/pipermail/u-boot/2025-March/583551.html.

Thank you for doing that!

Regards,
Simon
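The cover letter quoted above says the region passed to `wget cacert <addr> <size>` must hold a DER or PEM encoded X.509 collection, that PEM additionally needs MBEDTLS_LIB_X509_PEM=y, and that an empty region (`wget cacert 0 0`) silently downgrades every HTTPS transfer to unauthenticated. The following is an added example, not code from the series or from U-Boot: a host-side Python check that classifies such a region before it is loaded, so an operator can tell a usable bundle from an empty or truncated one. The PEM regex, the DER length walk and the sample blobs (structurally valid SEQUENCEs, not real certificates) are all constructed here.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)  # bundle armour

def der_seq_len(buf, off=0):
    """Total length (tag + length octets + body) of the DER SEQUENCE at buf[off], or None if malformed."""
    if off + 2 > len(buf) or buf[off] != 0x30:
        return None
    first = buf[off + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: the next nbytes octets hold the length
    if nbytes == 0 or nbytes > 4 or off + 2 + nbytes > len(buf):
        return None
    body = int.from_bytes(buf[off + 2:off + 2 + nbytes], "big")
    return 2 + nbytes + body

def inspect_cacert_region(buf):
    """Classify a CA region: ('none', 0) means validation is off, else ('pem'|'der', n) or ('invalid', 0)."""
    if not buf:                           # the 'wget cacert 0 0' case: no CA, HTTPS not authenticated
        return ("none", 0)
    pems = PEM_RE.findall(buf)
    if pems:                              # PEM bundle: U-Boot additionally needs MBEDTLS_LIB_X509_PEM=y
        for body in pems:
            try:
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError:
                return ("invalid", 0)
            if der_seq_len(der) != len(der):
                return ("invalid", 0)
        return ("pem", len(pems))
    off = count = 0                       # DER: concatenated SEQUENCEs must cover the region exactly
    while off < len(buf):
        n = der_seq_len(buf, off)
        if n is None or off + n > len(buf):
            return ("invalid", 0)         # e.g. a bundle cut short by a wrong <size>
        off += n
        count += 1
    return ("der", count)

def sample_region(kind):
    """Constructed inputs: structurally valid DER SEQUENCEs, not real certificates."""
    short = b"\x30\x03\x02\x01\x05"                       # SEQUENCE { INTEGER 5 }
    long_ = b"\x30\x81\x80\x04\x7e" + b"\x00" * 126       # long-form length, 128-byte body
    pem = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(short) + b"\n-----END CERTIFICATE-----\n"
    return {"der": short + long_, "pem": pem, "truncated": long_[:-1], "none": b""}[kind]
```

A "none" or "invalid" result is the condition under which the series prints its "no CA certificates, HTTPS connections not authenticated" warning or fails validation, so checking the file on the host first avoids discovering that only in the QEMU session.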

