Hi Simon,

On 3/13/25 14:23, Jerome Forissier wrote:
>
> On 3/13/25 13:51, Simon Glass wrote:
>> Hi Jerome,
>>
>> On Fri, 7 Mar 2025 at 10:49, Jerome Forissier
>> <[email protected]> wrote:
>>>
>>> Hi Simon,
>>>
>>> On 3/4/25 16:46, Simon Glass wrote:
>>>> Hi Jerome,
>>>>
>>>> On Thu, 27 Feb 2025 at 09:43, Jerome Forissier
>>>> <[email protected]> wrote:
>>>>>
>>>>> On 2/27/25 17:27, Simon Glass wrote:
>>>>>> Hi Jerome,
>>>>>>
>>>>>> On Thu, 27 Feb 2025 at 09:09, Jerome Forissier
>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>> This series adds support for HTTP server authentication using root (CA)
>>>>>>> certificates.
>>>>>>>
>>>>>>> As a first step, the wget command is extended to support a sub-command:
>>>>>>> cacert <addr> <size>. The memory region shall contain the CA
>>>>>>> certificates. With this, it is possible to load the certificates from
>>>>>>> storage or get them from the network for example, which is convenient
>>>>>>> for testing at least. The Kconfig symbol for this feature is
>>>>>>> WGET_CACERT=y.
>>>>>>>
>>>>>>> Then new Kconfig symbols are added to support providing the certificates
>>>>>>> at build time, as a DER or PEM encoded X509 collection:
>>>>>>> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
>>>>>>> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
>>>>>>> command as well as for the builtin way).
>>>>>>>
>>>>>>> Here is a complete example (showing only the relevant output from the
>>>>>>> various commands):
>>>>>>>
>>>>>>> make qemu_arm64_lwip_defconfig
>>>>>>> wget https://curl.se/ca/cacert.pem
>>>>>>> echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
>>>>>>> echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
>>>>>>> make olddefconfig
>>>>>>> make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
>>>>>>> qemu-system-aarch64 -M virt -nographic -cpu max \
>>>>>>>   -object rng-random,id=rng0,filename=/dev/urandom \
>>>>>>>   -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
>>>>>>> => dhcp
>>>>>>> # HTTPS transfer using the builtin CA certificates
>>>>>>> => wget https://www.google.com/
>>>>>>> 18724 bytes transferred in 15 ms (1.2 MiB/s)
>>>>>>> # Disable certificate validation
>>>>>>> => wget cacert 0 0
>>>>>>> # Unsafe HTTPS transfer
>>>>>>> => wget https://www.google.com/
>>>>>>> WARNING: no CA certificates, HTTPS connections not authenticated
>>>>>>> 16570 bytes transferred in 15 ms (1.1 MiB/s)
>>>>>>> # Download and apply CA certificates from the net
>>>>>>> => wget https://curl.se/ca/cacert.pem
>>>>>>> WARNING: no CA certificates, HTTPS connections not authenticated
>>>>>>> ##
>>>>>>> 233263 bytes transferred in 61 ms (3.6 MiB/s)
>>>>>>> => wget cacert $fileaddr $filesize
>>>>>>> # Now HTTPS is authenticated against the new CA
>>>>>>> => wget https://www.google.com/
>>>>>>> 18743 bytes transferred in 14 ms (1.3 MiB/s)
>>>>>>> # Drop the certificates again...
>>>>>>> => wget cacert 0 0
>>>>>>> # Check that transfer is not secure
>>>>>>> => wget https://www.google.com/
>>>>>>> WARNING: no CA certificates, HTTPS connections not authenticated
>>>>>>> # Restore the builtin CA
>>>>>>> => wget cacert builtin
>>>>>>> # No more WARNING
>>>>>>> => wget https://www.google.com/
>>>>>>> 18738 bytes transferred in 15 ms (1.2 MiB/s)
>>>>>>>
>>>>>>> Jerome Forissier (5):
>>>>>>>   net: lwip: extend wget to support CA (root) certificates
>>>>>>>   lwip: tls: enforce checking of server certificates based on CA
>>>>>>>     availability
>>>>>>>   lwip: tls: warn when no CA exists and log certificate validation
>>>>>>>     errors
>>>>>>>   net: lwip: add support for built-in root certificates
>>>>>>>   configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and
>>>>>>>     MBEDTLS_LIB_X509_PEM
>>>>>>>
>>>>>>>  cmd/Kconfig                                   | 29 ++++++
>>>>>>>  cmd/net-lwip.c                                | 19 +++-
>>>>>>>  configs/qemu_arm64_lwip_defconfig             |  2 +
>>>>>>>  .../src/apps/altcp_tls/altcp_tls_mbedtls.c    |  9 +-
>>>>>>>  .../lwip/apps/altcp_tls_mbedtls_opts.h        |  6 --
>>>>>>>  lib/mbedtls/Makefile                          |  3 +
>>>>>>>  lib/mbedtls/mbedtls_def_config.h              |  5 ++
>>>>>>>  net/lwip/Makefile                             |  6 ++
>>>>>>>  net/lwip/wget.c                               | 90 ++++++++++++++++++-
>>>>>>>  9 files changed, 158 insertions(+), 11 deletions(-)
>>>>>>
>>>>>> Did you manage to add some sandbox tests for lwip?
>>>>>
>>>>> Unfortunately not. I am testing mostly with QEMU
>>>>> (qemu_arm64_lwip_defconfig)
>>>>> and sometimes with KV260 and i.MX93.
>>>>
>>>> My understanding was that someone was working on it [1] and I had
>>>> assumed it was you?
>>>
>>> Yes, it is on my TODO list. Higher priority things have kept coming in, but
>>> hopefully I can resume this work soon.
>>
>> Until the tests are added, please stop sending new series for lwip. It
>> is just going to make it harder to add the tests later.
>
> I don't see how exactly it would make things harder, but...
>
>> It should not
>> take long to add a basic test, e.g. for ping.
>
> ...I'm on it.

Please see https://lists.denx.de/pipermail/u-boot/2025-March/583551.html.

Thanks,
--
Jerome

>
>> Regards,
>> Simon
>
> Thanks,
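The cover letter above says the memory region passed to `wget cacert <addr> <size>` (or the file named by WGET_BUILTIN_CACERT_PATH) may hold a DER or PEM X509 collection, and that PEM needs MBEDTLS_LIB_X509_PEM=y. The helper below is an added example, not part of the series or of U-Boot: it inspects such a buffer on the host, tells PEM from DER by parsing the DER outer SEQUENCE length, counts the certificates, and says which Kconfig is needed. It relies on mbedtls_x509_crt_parse() accepting one DER certificate or a concatenated PEM bundle; the sample inputs are constructed and are not real certificates.

```python
import re

PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def der_sequence_length(data, offset):
    """Total length (header + body) of the DER SEQUENCE starting at
    `offset`, or None if the bytes there are not a well-formed SEQUENCE."""
    if len(data) < offset + 2 or data[offset] != 0x30:
        return None
    first = data[offset + 1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long form: 0x8N then N length bytes
    if nbytes == 0 or nbytes > 4 or len(data) < offset + 2 + nbytes:
        return None
    body = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
    return 2 + nbytes + body


def inspect_cacert(data):
    """Classify a CA buffer as wget cacert would receive it.
    Returns (encoding, count, needs_pem_kconfig, note)."""
    if not data:
        return ("none", 0, False, "empty buffer, like 'wget cacert 0 0': "
                "no CA, HTTPS connections not authenticated")
    pem_count = len(PEM_CERT_RE.findall(data))
    if pem_count:
        return ("pem", pem_count, True,
                "PEM bundle: build needs MBEDTLS_LIB_X509_PEM=y")
    # No PEM armour: treat the buffer as DER. mbedtls_x509_crt_parse() takes
    # a single DER certificate, so walk the SEQUENCEs that fill the buffer.
    offset, count = 0, 0
    while offset < len(data):
        total = der_sequence_length(data, offset)
        if total is None or offset + total > len(data):
            return ("unknown", 0, False,
                    "neither PEM nor a well-formed DER SEQUENCE")
        offset += total
        count += 1
    note = "single DER certificate, usable without PEM support"
    if count > 1:
        note = ("%d concatenated DER certificates: only the first is loaded, "
                "use a PEM bundle instead" % count)
    return ("der", count, False, note)


if __name__ == "__main__":
    # Constructed inputs: PEM armour around dummy base64, and a dummy SEQUENCE.
    pem = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n" * 3
    der = b"\x30\x82\x01\x00" + b"\x00" * 256
    for buf in (pem, der, der * 2, b"\x30\x05\x00", b""):
        print(inspect_cacert(buf))
```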

