@@ -141,9 +141,9 @@ https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt.
Bytes transferred = 1864 (748 hex)
# Another server not signed against Digicert will fail
=> wget https://www.google.com/
- Certificate verification failed
HTTP client error 4
+ Certificate verification failed
# Disable authentication to allow the command to proceed anyways
=> wget cacert none
=> wget https://www.google.com/
@@ -555,6 +555,7 @@ enum wget_http_method {
* Filled by client.
* @hdr_cont_len: content length according to headers. Filled by wget
* @headers: buffer for headers. Filled by wget.
+ * @silent: do not print anything to the console. Filled by client.
*/
struct wget_http_info {
enum wget_http_method method;
@@ -565,6 +566,7 @@ struct wget_http_info {
bool check_buffer_size;
u32 hdr_cont_len;
char *headers;
+ bool silent;
};
extern struct wget_http_info default_wget_info;
@@ -51,7 +51,7 @@ static int next_dp_entry;
static struct wget_http_info efi_wget_info = {
.set_bootdev = false,
.check_buffer_size = true,
-
+ .silent = true,
};
#endif
@@ -60,6 +60,8 @@
#if LWIP_ALTCP_TLS && LWIP_ALTCP_TLS_MBEDTLS
+#include "lwip/errno.h"
+
#include "lwip/altcp.h"
#include "lwip/altcp_tls.h"
#include "lwip/priv/altcp_priv.h"
@@ -299,7 +301,8 @@ altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbedtls_state_t *
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_handshake failed: %d\n", ret));
/* handshake failed, connection has to be closed */
if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
- printf("Certificate verification failed\n");
+ /* provide a cause for why the connection is closed to the called */
+ errno = EPERM;
}
if (conn->err) {
conn->err(conn->arg, ERR_CLSD);
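Review bot: The comment added above `errno = EPERM;` says "to the called" where "caller" is meant, and it does not say who that caller is, which matters because errno is process-global state and nothing in this file ties the EPERM to the code that consumes it. Suggest `/* signal the cause to the caller: wget_do_request() checks errno == EPERM after its receive loop */`. Only the MBEDTLS_ERR_X509_CERT_VERIFY_FAILED case sets errno; other handshake failures leave it untouched, which is presumably intended but worth a word in the same comment. altcp_mbedtls_lower_recv_process() starts and ends outside the hunk.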
@@ -844,9 +847,6 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav
altcp_mbedtls_free_config(conf);
return NULL;
}
- if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
- printf("WARNING: no CA certificates, HTTPS connections not authenticated\n");
- }
mbedtls_ssl_conf_authmode(&conf->conf, authmode);
mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg);
@@ -8,6 +8,7 @@
#include <image.h>
#include <lwip/apps/http_client.h>
#include "lwip/altcp_tls.h"
+#include <lwip/errno.h>
#include <lwip/timeouts.h>
#include <rng.h>
#include <mapmem.h>
@@ -217,7 +218,8 @@ static err_t httpc_recv_cb(void *arg, struct altcp_pcb *pcb, struct pbuf *pbuf,
memcpy((void *)ctx->daddr, buf->payload, buf->len);
ctx->daddr += buf->len;
ctx->size += buf->len;
- if (ctx->size - ctx->prevsize > PROGRESS_PRINT_STEP_BYTES) {
+ if (!wget_info->silent &&
+ ctx->size - ctx->prevsize > PROGRESS_PRINT_STEP_BYTES) {
printf("#");
ctx->prevsize = ctx->size;
}
@@ -255,11 +257,15 @@ static void httpc_result_cb(void *arg, httpc_result_t httpc_result,
elapsed = get_timer(ctx->start_time);
if (!elapsed)
elapsed = 1;
- if (rx_content_len > PROGRESS_PRINT_STEP_BYTES)
- printf("\n");
- printf("%u bytes transferred in %lu ms (", rx_content_len, elapsed);
- print_size(rx_content_len / elapsed * 1000, "/s)\n");
- printf("Bytes transferred = %lu (%lx hex)\n", ctx->size, ctx->size);
+ if (!wget_info->silent) {
+ if (rx_content_len > PROGRESS_PRINT_STEP_BYTES)
+ printf("\n");
+ printf("%u bytes transferred in %lu ms (", rx_content_len,
+ elapsed);
+ print_size(rx_content_len / elapsed * 1000, "/s)\n");
+ printf("Bytes transferred = %lu (%lx hex)\n", ctx->size,
+ ctx->size);
+ }
if (wget_info->set_bootdev)
efi_set_bootdev("Http", ctx->server_name, ctx->path, map_sysmem(ctx->saved_daddr, 0),
rx_content_len);
@@ -339,7 +345,8 @@ static int _set_cacert(const void *addr, size_t sz)
mbedtls_x509_crt_init(&crt);
ret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size);
if (ret) {
- printf("Could not parse certificates (%d)\n", ret);
+ if (!wget_info->silent)
+ printf("Could not parse certificates (%d)\n", ret);
free(cacert);
cacert = NULL;
cacert_size = 0;
@@ -421,9 +428,10 @@ int wget_do_request(ulong dst_addr, char *uri)
if (cacert_auth_mode == AUTH_REQUIRED) {
if (!ca || !ca_sz) {
- printf("Error: cacert authentication mode is "
- "'required' but no CA certificates "
- "given\n");
+ if (!wget_info->silent)
+ printf("Error: cacert authentication "
+ "mode is 'required' but no CA "
+ "certificates given\n");
return CMD_RET_FAILURE;
}
} else if (cacert_auth_mode == AUTH_NONE) {
@@ -438,6 +446,10 @@ int wget_do_request(ulong dst_addr, char *uri)
*/
}
+ if (!ca && !wget_info->silent) {
+ printf("WARNING: no CA certificates, ");
+ printf("HTTPS connections not authenticated\n");
+ }
tls_allocator.alloc = &altcp_tls_alloc;
tls_allocator.arg =
altcp_tls_create_config_client(ca, ca_sz,
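Review bot: The relocated warning at `if (!ca && !wget_info->silent)` is keyed on whether a CA was supplied, whereas the message it replaces in altcp_tls_create_config() was keyed on the effective authmode being MBEDTLS_SSL_VERIFY_NONE. If the AUTH_NONE branch just above (its body is outside the hunk) can leave ca set while still selecting no verification, the user loses the only console indication that the download is unauthenticated; gating on the mode as well, e.g. `if ((!ca || cacert_auth_mode == AUTH_NONE) && !wget_info->silent) {`, would preserve the previous coverage. A silent caller gets no signal at all for this case, since errno is only used for the verification-failure path, so the function's documentation should say that the unauthenticated condition is reported only on the console. wget_do_request() begins before and continues after this hunk.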
@@ -462,6 +474,8 @@ int wget_do_request(ulong dst_addr, char *uri)
return CMD_RET_FAILURE;
}
+ errno = 0;
+
while (!ctx.done) {
net_lwip_rx(udev, netif);
sys_check_timeouts();
@@ -474,6 +488,9 @@ int wget_do_request(ulong dst_addr, char *uri)
if (ctx.done == SUCCESS)
return 0;
+ if (errno == EPERM && !wget_info->silent)
+ printf("Certificate verification failed\n");
+
return -1;
}
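Review bot: The certificate-failure cause travels through errno, which is global state that anything run from net_lwip_rx() or sys_check_timeouts() between the `errno = 0;` reset before the loop and this check may set or overwrite, so `errno == EPERM` can be a false positive or a miss, and nothing in the hunk records that EPERM is the agreed signal from the lwIP TLS layer. At minimum the check deserves a comment, e.g. `/* EPERM is set by altcp_tls_mbedtls.c when X.509 verification of the peer fails */`. Since silent callers (the EFI path sets .silent = true) now see neither a message nor a distinct return value, the function's contract should state that errno is left as EPERM in that case so they can report it; a dedicated status field in the context would be a more robust channel if the error callback can reach it. wget_do_request() starts before this hunk.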
@@ -59,8 +59,10 @@ static inline int store_block(uchar *src, unsigned int offset, unsigned int len)
if (CONFIG_IS_ENABLED(LMB) && wget_info->set_bootdev) {
if (store_addr < image_load_addr ||
lmb_read_check(store_addr, len)) {
- printf("\nwget error: ");
- printf("trying to overwrite reserved memory...\n");
+ if (!wget_info->silent) {
+ printf("\nwget error: ");
+ printf("trying to overwrite reserved memory\n");
+ }
return -1;
}
}
@@ -76,6 +78,9 @@ static void show_block_marker(u32 packets)
{
int cnt;
+ if (wget_info->silent)
+ return;
+
if (content_length != -1) {
if (net_boot_file_size > content_length)
content_length = net_boot_file_size;
@@ -101,11 +106,15 @@ static void tcp_stream_on_closed(struct tcp_stream *tcp)
net_set_state(wget_loop_state);
if (wget_loop_state != NETLOOP_SUCCESS) {
net_boot_file_size = 0;
- printf("\nwget: Transfer Fail, TCP status - %d\n", tcp->status);
+ if (!wget_info->silent)
+ printf("\nwget: Transfer Fail, TCP status - %d\n",
+ tcp->status);
return;
}
- printf("\nPackets received %d, Transfer Successful\n", tcp->rx_packets);
+ if (!wget_info->silent)
+ printf("\nPackets received %d, Transfer Successful\n",
+ tcp->rx_packets);
wget_info->file_size = net_boot_file_size;
if (wget_info->method == WGET_HTTP_METHOD_GET && wget_info->set_bootdev) {
efi_set_bootdev("Http", NULL, image_url,
@@ -139,7 +148,8 @@ static void tcp_stream_on_rcv_nxt_update(struct tcp_stream *tcp, u32 rx_bytes)
tcp->state == TCP_ESTABLISHED)
goto end;
- printf("ERROR: misssed HTTP header\n");
+ if (!wget_info->silent)
+ printf("ERROR: misssed HTTP header\n");
tcp_stream_close(tcp);
goto end;
}
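Review bot: The message re-added as `printf("ERROR: misssed HTTP header\n");` carries the pre-existing typo "misssed"; since the line is being rewritten anyway, `printf("ERROR: missed HTTP header\n");` fixes it at no cost. tcp_stream_on_rcv_nxt_update() starts and ends outside the hunk.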
@@ -346,7 +356,8 @@ void wget_start(void)
tcp_stream_set_on_create_handler(tcp_stream_on_create);
tcp = tcp_stream_connect(web_server_ip, server_port);
if (!tcp) {
- printf("No free tcp streams\n");
+ if (!wget_info->silent)
+ printf("No free tcp streams\n");
net_set_state(NETLOOP_FAIL);
return;
}
Functions called from EFI applications should not do console output. Refactor the wget code to implement this requirement. The wget_http_info struct is used to hold the boolean that signifies whether the output is allowed or not. Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org> Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de> --- Changes in v5: - Remove extra hunk in wget_do_request() already added by "net-lwip: change static function wget_loop() to be wget_do_request()": - Do not forget to silence the printf's that were added inside lwIP by commit 7a15ccb66217 ("lwip: tls: warn when no CA exists amd log certificate validation errors"). The "no CA certificates" and "verification failed" messages are moved outside of lwIP into wget.c, with the help of errno for the certificate verification case. Changes in v4: - Patch renamed, deals with NET in addition to NET_LWIP Changes in v3: - New patch doc/usage/cmd/wget.rst | 2 +- include/net-common.h | 2 + lib/efi_loader/efi_net.c | 2 +- .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 8 ++-- net/lwip/wget.c | 37 ++++++++++++++----- net/wget.c | 23 +++++++++--- 6 files changed, 52 insertions(+), 22 deletions(-)