Hi Jerome,

On Thu, 27 Feb 2025 at 09:43, Jerome Forissier <jerome.foriss...@linaro.org> wrote:
>
> On 2/27/25 17:27, Simon Glass wrote:
> > Hi Jerome,
> >
> > On Thu, 27 Feb 2025 at 09:09, Jerome Forissier
> > <jerome.foriss...@linaro.org> wrote:
> >>
> >> This series adds support for HTTP server authentication using root (CA)
> >> certificates.
> >>
> >> As a first step, the wget command is extended to support a sub-command:
> >> cacert <addr> <size>. The memory region shall contain the CA
> >> certificates. With this, it is possible to load the certificates from
> >> storage or get them from the network for example, which is convenient
> >> for testing at least. The Kconfig symbol for this feature is
> >> WGET_CACERT=y.
> >>
> >> Then new Kconfig symbols are added to support providing the certificates
> >> at build time, as a DER or PEM encoded X509 collection:
> >> WGET_BUILTIN_CACERT=y and WGET_BUILTIN_CACERT_PATH=<some path>.
> >> Note that PEM support requires MBEDTLS_LIB_X509_PEM=y (for the cacert
> >> command as well as for the builtin way).
> >>
> >> Here is a complete example (showing only the relevant output from the
> >> various commands):
> >>
> >> make qemu_arm64_lwip_defconfig
> >> wget https://curl.se/ca/cacert.pem
> >> echo CONFIG_WGET_BUILTIN_CACERT=y >>.config
> >> echo CONFIG_WGET_BUILTIN_CACERT_PATH=cacert.pem >>.config
> >> make olddefconfig
> >> make -j$(nproc) CROSS_COMPILE="ccache aarch64-linux-gnu-"
> >> qemu-system-aarch64 -M virt -nographic -cpu max \
> >>   -object rng-random,id=rng0,filename=/dev/urandom \
> >>   -device virtio-rng-pci,rng=rng0 -bios u-boot.bin
> >> => dhcp
> >> # HTTPS transfer using the builtin CA certificates
> >> => wget https://www.google.com/
> >> 18724 bytes transferred in 15 ms (1.2 MiB/s)
> >> # Disable certificate validation
> >> => wget cacert 0 0
> >> # Unsafe HTTPS transfer
> >> => wget https://www.google.com/
> >> WARNING: no CA certificates, HTTPS connections not authenticated
> >> 16570 bytes transferred in 15 ms (1.1 MiB/s)
> >> # Download and apply CA certificates from the net
> >> => wget https://curl.se/ca/cacert.pem
> >> WARNING: no CA certificates, HTTPS connections not authenticated
> >> ##
> >> 233263 bytes transferred in 61 ms (3.6 MiB/s)
> >> => wget cacert $fileaddr $filesize
> >> # Now HTTPS is authenticated against the new CA
> >> => wget https://www.google.com/
> >> 18743 bytes transferred in 14 ms (1.3 MiB/s)
> >> # Drop the certificates again...
> >> => wget cacert 0 0
> >> # Check that transfer is not secure
> >> => wget https://www.google.com/
> >> WARNING: no CA certificates, HTTPS connections not authenticated
> >> # Restore the builtin CA
> >> => wget cacert builtin
> >> # No more WARNING
> >> => wget https://www.google.com/
> >> 18738 bytes transferred in 15 ms (1.2 MiB/s)
> >>
> >> Jerome Forissier (5):
> >>   net: lwip: extend wget to support CA (root) certificates
> >>   lwip: tls: enforce checking of server certificates based on CA
> >>     availability
> >>   lwip: tls: warn when no CA exists and log certificate validation
> >>     errors
> >>   net: lwip: add support for built-in root certificates
> >>   configs: qemu_arm64_lwip_defconfig: enable WGET_CACERT and
> >>     MBEDTLS_LIB_X509_PEM
> >>
> >>  cmd/Kconfig                                |  29 ++++++
> >>  cmd/net-lwip.c                             |  19 +++-
> >>  configs/qemu_arm64_lwip_defconfig          |   2 +
> >>  .../src/apps/altcp_tls/altcp_tls_mbedtls.c |   9 +-
> >>  .../lwip/apps/altcp_tls_mbedtls_opts.h     |   6 --
> >>  lib/mbedtls/Makefile                       |   3 +
> >>  lib/mbedtls/mbedtls_def_config.h           |   5 ++
> >>  net/lwip/Makefile                          |   6 ++
> >>  net/lwip/wget.c                            |  90 ++++++++++++++++++-
> >>  9 files changed, 158 insertions(+), 11 deletions(-)
> >
> > Did you manage to add some sandbox tests for lwip?
>
> Unfortunately not. I am testing mostly with QEMU (qemu_arm64_lwip_defconfig)
> and sometimes with KV260 and i.MX93.

My understanding was that someone was working on it [1] and I had assumed it was you?

Regards,
Simon

[1] https://lore.kernel.org/u-boot/CAC_iWjKMo7=RE3=1=y3mpgc95ito170rujyk6omh-4nuaj8...@mail.gmail.com/
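A small pre-flight check for the CA bundle handed to `wget cacert <addr> <size>` or embedded via WGET_BUILTIN_CACERT_PATH, added here as an example and not code from the series or from U-Boot: it splits a PEM bundle like curl.se's cacert.pem into its certificates, verifies that each block base64-decodes cleanly and that its outer DER SEQUENCE length matches the decoded size, and reports the concatenated DER size. It assumes that concatenated DER certificates form the "DER encoded X509 collection" the cover letter mentions; the sample blobs are constructed and are not real certificates.

```python
import base64
import re
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_seq_len(blob: bytes) -> int:
    """Encoded length of the outer DER SEQUENCE (tag 0x30); handles short and
    long length forms. Raises ValueError if the header is malformed."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = blob[1]
    if first < 0x80:                 # short form: single length byte
        return 2 + first
    nbytes = first & 0x7F            # long form: 0x8n then n length bytes
    if nbytes == 0 or nbytes > 4 or len(blob) < 2 + nbytes:
        raise ValueError("bad DER length encoding")
    return 2 + nbytes + int.from_bytes(blob[2:2 + nbytes], "big")

def pem_bundle_to_der(pem_text: str) -> list:
    """Split a PEM bundle into DER blobs. Each block must base64-decode
    cleanly and its outer SEQUENCE length must equal the decoded size, so a
    truncated or padded certificate is caught here, not in the bootloader."""
    certs = []
    for m in PEM_BLOCK.finditer(pem_text):
        blob = base64.b64decode("".join(m.group(1).split()), validate=True)
        if der_seq_len(blob) != len(blob):
            raise ValueError("block %d: DER length mismatch" % (len(certs) + 1))
        certs.append(blob)
    if not certs:
        raise ValueError("no CERTIFICATE blocks found")
    return certs

def bundle_error(pem_text: str):
    """None if the bundle passes the checks, else the error message."""
    try:
        pem_bundle_to_der(pem_text)
        return None
    except ValueError as e:
        return str(e)

def der_collection(pem_text: str) -> bytes:
    """Concatenated DER form (assumed layout); its length is the <size> for 'wget cacert'."""
    return b"".join(pem_bundle_to_der(pem_text))

def to_pem(der: bytes) -> str:
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed sample: two tiny DER SEQUENCEs wrapped as PEM, not real certificates.
SAMPLE_PEM = ("## constructed sample bundle, comment line as found in cacert.pem\n"
              + to_pem(bytes.fromhex("3003020101"))
              + to_pem(bytes.fromhex("3006020101020102")))
```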