From patchwork Thu Oct 24 11:24:08 2024
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 838115
From: Ilias Apalodimas
To: jerome.forissier@linaro.org, raymond.mao@linaro.org
Cc: xypron.glpk@gmx.de, Ilias Apalodimas, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro, Peter Robinson, Jonathan Humphreys, Wei Ming Chen, Caleb Connolly, Masahisa Kojima, Javier Tia, u-boot@lists.denx.de
Subject: [PATCH v2 1/6] mbedtls: Enable TLS 1.2 support
Date: Thu, 24 Oct 2024 14:24:08 +0300
Message-ID: <20241024112449.1362319-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>
References: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>

Since lwIP and mbedTLS have been merged we can tweak the config options and enable TLS1.2 support. Add RSA and ECDSA by default and enable enough block cipher modes of operation to be compatible with modern TLS requirements and webservers.

Signed-off-by: Ilias Apalodimas
Reviewed-by: Raymond Mao
---
 lib/mbedtls/Kconfig              | 12 ++++++++
 lib/mbedtls/Makefile             | 31 +++++++++++++++++++
 lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+)

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index d71adc3648ad..f3e172633999 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -430,4 +430,16 @@ endif # SPL endif # MBEDTLS_LIB_X509 +config MBEDTLS_LIB_TLS + bool "MbedTLS TLS library" + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS + depends on X509_CERTIFICATE_PARSER_MBEDTLS + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + depends on ASN1_DECODER_MBEDTLS + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + depends on MBEDTLS_LIB_CRYPTO + help + Enable MbedTLS TLS library. If enabled HTTPs support will be enabled + in wget + endif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 83cb3c2fa705..ce0a61e40541 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -26,6 +26,7 @@ mbedtls_lib_crypto-y := \ $(MBEDTLS_LIB_DIR)/platform_util.o \ $(MBEDTLS_LIB_DIR)/constant_time.o \ $(MBEDTLS_LIB_DIR)/md.o + mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ 
@@ -54,3 +55,33 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crt.o mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pkcs7.o + +#mbedTLS TLS support +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o +mbedtls_lib_tls-y := \ + $(MBEDTLS_LIB_DIR)/mps_reader.o \ + $(MBEDTLS_LIB_DIR)/mps_trace.o \ + $(MBEDTLS_LIB_DIR)/net_sockets.o \ + $(MBEDTLS_LIB_DIR)/pk_ecc.o \ + $(MBEDTLS_LIB_DIR)/ssl_cache.o \ + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \ + $(MBEDTLS_LIB_DIR)/ssl_client.o \ + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \ + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \ + $(MBEDTLS_LIB_DIR)/ssl_msg.o \ + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \ + $(MBEDTLS_LIB_DIR)/ssl_tls.o \ + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \ + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \ + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \ + $(MBEDTLS_LIB_DIR)/entropy.o \ + $(MBEDTLS_LIB_DIR)/entropy_poll.o \ + $(MBEDTLS_LIB_DIR)/aes.o \ + $(MBEDTLS_LIB_DIR)/cipher.o \ + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \ + $(MBEDTLS_LIB_DIR)/ecdh.o \ + $(MBEDTLS_LIB_DIR)/ecdsa.o \ + $(MBEDTLS_LIB_DIR)/ecp.o \ + $(MBEDTLS_LIB_DIR)/ecp_curves.o \ + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \ + $(MBEDTLS_LIB_DIR)/gcm.o \ diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index 1af911c2003f..ac8f0bbf2c0e 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h 
@@ -87,4 +87,56 @@ #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */ +#if CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS) +#include "rtc.h" + +/* Generic options */ +#define MBEDTLS_ENTROPY_HARDWARE_ALT +#define MBEDTLS_HAVE_TIME +#define MBEDTLS_PLATFORM_MS_TIME_ALT +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_CIPHER_C +#define MBEDTLS_MD_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_AES_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_SERVER_NAME_INDICATION +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + +/* RSA */ +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +#define MBEDTLS_GCM_C + +/* ECDSA */ +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#define MBEDTLS_CAN_ECDH +#define MBEDTLS_PK_CAN_ECDSA_SIGN +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_BP256R1_ENABLED +#define MBEDTLS_ECP_DP_BP384R1_ENABLED +#define MBEDTLS_ECP_DP_BP512R1_ENABLED + +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */ + #endif /* #if defined CONFIG_MBEDTLS_LIB */ From patchwork Thu Oct 24 11:24:09 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 838117 Delivered-To: patch@linaro.org Received: by 
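Review bot: in the Kconfig hunk, `depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS` appears twice in the new MBEDTLS_LIB_TLS entry; drop the second copy. In the help text, "HTTPs" should be "HTTPS" and the sentence needs a full stop. It would also help users to say there that only the TLS 1.2 client side is built (the Makefile pulls in ssl_tls12_client.o and no server objects), since "TLS library" suggests more than that.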
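Review bot: in the Makefile hunk that adds mbedtls_lib_tls-y, the list ends with `$(MBEDTLS_LIB_DIR)/gcm.o \`, a line continuation with nothing after it; drop the trailing backslash so the variable does not silently absorb whatever is appended to the file later. Two entries deserve a comment or removal: net_sockets.o is mbedTLS's BSD-socket BIO, which the lwIP altcp layer replaces with its own send/recv callbacks (does net_sockets.c even build in U-Boot without a sockets API?), and ssl_cache.o and ssl_cookie.o are server-side session-cache and DTLS cookie code while only ssl_tls12_client.o is built. If they are there only to satisfy link-time references, the `#mbedTLS TLS support` comment is the place to say so.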
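Review bot: in the mbedtls_def_config.h hunk, the key-exchange and curve selection is wider than "modern TLS requirements" needs and part of it weakens the client. MBEDTLS_KEY_EXCHANGE_RSA_ENABLED, MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED and MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED enable static, non-forward-secret key exchange, MBEDTLS_KEY_EXCHANGE_PSK_ENABLED has no user in wget, and SECP192R1, SECP224R1, SECP192K1 and SECP224K1 are below 128-bit security (the K1 curves are not offered by web servers at all). Keeping the two ECDHE_* exchanges with secp256r1/secp384r1/secp521r1, and ideally MBEDTLS_ECP_DP_CURVE25519_ENABLED, covers current servers with a shorter ClientHello and less code. Smaller points: MBEDTLS_ECP_DP_SECP256K1_ENABLED is defined twice in the list. MBEDTLS_ENTROPY_HARDWARE_ALT together with MBEDTLS_NO_PLATFORM_ENTROPY, and MBEDTLS_PLATFORM_MS_TIME_ALT, require the platform to provide mbedtls_hardware_poll() and mbedtls_ms_time(); neither is added in this patch, so please say which patch of the series supplies them, because without an entropy source the CTR-DRBG cannot be seeded and every handshake fails. MBEDTLS_PLATFORM_TIME_MACRO is pointed at rtc_mktime, whose U-Boot prototype takes a `const struct rtc_time *`, whereas mbedTLS calls mbedtls_time() with a `mbedtls_time_t *` and usually NULL, so check that this does not end up dereferencing a null struct; and since MBEDTLS_HAVE_TIME_DATE is not defined, certificate notBefore/notAfter are never checked against the clock, which should be stated in the commit message (or fixed) given that HTTPS in wget is the stated user. Finally the closing comment `#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */` does not match the `CONFIG_IS_ENABLED(MBEDTLS_LIB_TLS)` condition it closes.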
From: Ilias Apalodimas
To: jerome.forissier@linaro.org, raymond.mao@linaro.org
Cc: xypron.glpk@gmx.de, Javier Tia, Ilias Apalodimas, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro, Peter Robinson, Wei Ming Chen, Jonathan Humphreys, Caleb Connolly, Masahisa Kojima, u-boot@lists.denx.de
Subject: [PATCH v2 2/6] net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https
Date: Thu, 24 Oct 2024 14:24:09 +0300
Message-ID: <20241024112449.1362319-3-ilias.apalodimas@linaro.org>
In-Reply-To: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>
References: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>

From: Javier Tia

The current code supports mbedTLS 2.28. Since we are using a newer version in U-Boot, update the necessary accessors and the lwIP codebase to work with mbedTLS 3.6.0. It's worth noting that the patches are already sent to lwIP [0].

While at it, enable LWIP_ALTCP_TLS and enable TLS support in lwIP.

[0] https://github.com/lwip-tcpip/lwip/pull/47

Signed-off-by: Javier Tia
Signed-off-by: Ilias Apalodimas --- lib/lwip/Makefile | 3 ++ .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 39 ++++++++++++------- lib/lwip/lwip/src/core/tcp_out.c | 10 +---- lib/lwip/u-boot/lwipopts.h | 6 +++ 4 files changed, 34 insertions(+), 24 deletions(-) diff --git a/lib/lwip/Makefile b/lib/lwip/Makefile index dfcd700ca474..19e5c6897f5a 100644 --- a/lib/lwip/Makefile +++ b/lib/lwip/Makefile @@ -53,3 +53,6 @@ obj-y += \ lwip/src/core/timeouts.o \ lwip/src/core/udp.o \ lwip/src/netif/ethernet.o + +obj-$(CONFIG_MBEDTLS_LIB_TLS) += lwip/src/apps/altcp_tls/altcp_tls_mbedtls.o \ + lwip/src/apps/altcp_tls/altcp_tls_mbedtls_mem.o diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c index a8c2fc2ee2cd..ef19821b89e0 100644 --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c @@ -3,7 +3,7 @@ * Application layered TCP/TLS connection API (to be used from TCPIP thread) * * This file provides a TLS layer using mbedTLS - * + * * This version is currently compatible with the 2.x.x branch (current LTS). */ @@ -70,7 +70,6 @@ /* @todo: which includes are really needed? */ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" -#include "mbedtls/certs.h" #include "mbedtls/x509.h" #include "mbedtls/ssl.h" #include "mbedtls/net_sockets.h" @@ -81,8 +80,6 @@ #include "mbedtls/ssl_cache.h" #include "mbedtls/ssl_ticket.h" -#include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */ - #include #ifndef ALTCP_MBEDTLS_ENTROPY_PTR 
@@ -132,6 +129,16 @@ static err_t altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbed static err_t altcp_mbedtls_handle_rx_appldata(struct altcp_pcb *conn, altcp_mbedtls_state_t *state); static int altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size); +static void +altcp_mbedtls_flush_output(altcp_mbedtls_state_t *state) +{ + if (state->ssl_context.MBEDTLS_PRIVATE(out_left) != 0) { + int flushed = mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0); + if (flushed) { + LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_send_alert_message failed: %d\n", flushed)); + } + } +} /* callback functions from inner/lower connection: */ @@ -524,14 +531,14 @@ altcp_mbedtls_lower_sent(void *arg, struct altcp_pcb *inner_conn, u16_t len) LWIP_ASSERT("state", state != NULL); LWIP_ASSERT("pcb mismatch", conn->inner_conn == inner_conn); /* calculate TLS overhead part to not send it to application */ - overhead = state->overhead_bytes_adjust + state->ssl_context.out_left; + overhead = state->overhead_bytes_adjust + state->ssl_context.MBEDTLS_PRIVATE(out_left); if ((unsigned)overhead > len) { overhead = len; } /* remove ACKed bytes from overhead adjust counter */ state->overhead_bytes_adjust -= len; /* try to send more if we failed before (may increase overhead adjust counter) */ - mbedtls_ssl_flush_output(&state->ssl_context); + altcp_mbedtls_flush_output(state); /* remove calculated overhead from ACKed bytes len */ app_len = len - (u16_t)overhead; /* update application write counter and inform application */ @@ -559,7 +566,7 @@ altcp_mbedtls_lower_poll(void *arg, struct altcp_pcb *inner_conn) if (conn->state) { altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state; /* try to send more if we failed before */ - mbedtls_ssl_flush_output(&state->ssl_context); + altcp_mbedtls_flush_output(state); if (altcp_mbedtls_handle_rx_appldata(conn, state) == ERR_ABRT) { return ERR_ABRT; } 
@@ -683,7 +690,7 @@ altcp_tls_set_session(struct altcp_pcb *conn, struct altcp_tls_session *session) if (session && conn && conn->state) { altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state; int ret = -1; - if (session->data.start) + if (session->data.MBEDTLS_PRIVATE(start)) ret = mbedtls_ssl_set_session(&state->ssl_context, &session->data); return ret < 0 ? ERR_VAL : ERR_OK; } @@ -776,7 +783,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav struct altcp_tls_config *conf; mbedtls_x509_crt *mem; - if (TCP_WND < MBEDTLS_SSL_MAX_CONTENT_LEN) { + if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS, ("altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!\n")); } @@ -900,7 +907,7 @@ err_t altcp_tls_config_server_add_privkey_cert(struct altcp_tls_config *config, return ERR_VAL; } - ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len); + ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_public_key failed: %d\n", ret)); mbedtls_x509_crt_free(srvcert); @@ -1003,7 +1010,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_ } mbedtls_pk_init(conf->pkey); - ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len); + ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_key failed: %d 0x%x\n", ret, -1*ret)); altcp_tls_free_config(conf); 
@@ -1189,7 +1196,7 @@ altcp_mbedtls_sndbuf(struct altcp_pcb *conn) size_t ret; #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /* @todo: adjust ssl_added to real value related to negotiated cipher */ - size_t max_frag_len = mbedtls_ssl_get_max_frag_len(&state->ssl_context); + size_t max_frag_len = mbedtls_ssl_get_max_in_record_payload(&state->ssl_context); max_len = LWIP_MIN(max_frag_len, max_len); #endif /* Adjust sndbuf of inner_conn with what added by SSL */ @@ -1232,9 +1239,9 @@ altcp_mbedtls_write(struct altcp_pcb *conn, const void *dataptr, u16_t len, u8_t /* HACK: if there is something left to send, try to flush it and only allow sending more if this succeeded (this is a hack because neither returning 0 nor MBEDTLS_ERR_SSL_WANT_WRITE worked for me) */ - if (state->ssl_context.out_left) { - mbedtls_ssl_flush_output(&state->ssl_context); - if (state->ssl_context.out_left) { + if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) { + altcp_mbedtls_flush_output(state); + if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) { return ERR_MEM; } } @@ -1284,6 +1291,8 @@ altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size) while (size_left) { u16_t write_len = (u16_t)LWIP_MIN(size_left, 0xFFFF); err_t err = altcp_write(conn->inner_conn, (const void *)dataptr, write_len, apiflags); + /* try to send data... */ + altcp_output(conn->inner_conn); if (err == ERR_OK) { written += write_len; size_left -= write_len; diff --git a/lib/lwip/lwip/src/core/tcp_out.c b/lib/lwip/lwip/src/core/tcp_out.c index 64579ee5cbd8..b5d312137368 100644 --- a/lib/lwip/lwip/src/core/tcp_out.c +++ b/lib/lwip/lwip/src/core/tcp_out.c 
@@ -1255,14 +1255,6 @@ tcp_output(struct tcp_pcb *pcb) LWIP_ASSERT("don't call tcp_output for listen-pcbs", pcb->state != LISTEN); - /* First, check if we are invoked by the TCP input processing - code. If so, we do not output anything. Instead, we rely on the - input processing code to call us when input processing is done - with. */ - if (tcp_input_pcb == pcb) { - return ERR_OK; - } - wnd = LWIP_MIN(pcb->snd_wnd, pcb->cwnd); seg = pcb->unsent; @@ -2036,7 +2028,7 @@ tcp_rst(const struct tcp_pcb *pcb, u32_t seqno, u32_t ackno, u16_t local_port, u16_t remote_port) { struct pbuf *p; - + p = tcp_rst_common(pcb, seqno, ackno, local_ip, remote_ip, local_port, remote_port); if (p != NULL) { tcp_output_control_segment(pcb, p, local_ip, remote_ip); diff --git a/lib/lwip/u-boot/lwipopts.h b/lib/lwip/u-boot/lwipopts.h index 9d618625facb..88d6faf327ae 100644 --- a/lib/lwip/u-boot/lwipopts.h +++ b/lib/lwip/u-boot/lwipopts.h 
@@ -154,4 +154,10 @@ #define MEMP_MEM_INIT 1 #define MEM_LIBC_MALLOC 1 +#if defined(CONFIG_MBEDTLS_LIB_TLS) +#define LWIP_ALTCP 1 +#define LWIP_ALTCP_TLS 1 +#define LWIP_ALTCP_TLS_MBEDTLS 1 +#endif + #endif /* LWIP_UBOOT_LWIPOPTS_H */ From patchwork Thu Oct 24 11:24:10 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 838118 Delivered-To: patch@linaro.org Received: by 2002:adf:a399:0:b0:37d:45d0:187 with SMTP id l25csp307094wrb; Thu, 24 Oct 2024 04:26:04 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCVj4QlFZH4r50PY8nggoDR8W9+z5wKqw8ljr07p2K69USTFALx5VJHxb7fwmHzLu+fmq0YhSw==@linaro.org X-Google-Smtp-Source: AGHT+IG7mfPcJz4uiksOyQkIUAsZ06DQ55lHcnYH+OZhg6HMw8aWeb6k7UYOIUaBknT34MkYP5Q1 X-Received: by 2002:a2e:be24:0:b0:2ef:17f7:6e1d with SMTP id 38308e7fff4ca-2fca81c2448mr12164291fa.4.1729769164394; Thu, 24 Oct 2024 04:26:04 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1729769164; cv=none; d=google.com; s=arc-20240605; b=GuSz9dKSmO/QAPdEle1iN6L231KfECAOOalZpDGVs7Br74HOc+bFnxXMgdSis7R11K L6YmRVbNmyDYeo1BFYHslp+BwG9uH9zmvuNbxxOvL16eqfP4EuxC3kjXfM8pnIRj4Pmh 6DmZDMo8EPHBtNPPiTew9TAyikiPv8ZJFzntBkEiyzH8pOjMGmnD+zP9a89YQNolLKCd cUwW/kUkq39qireDqbuMMxHzgUbE52qJrkTWkLiaAV8hHY5S2MEsDL1ukM8RBCfMoUcy RrZACK/KSxJGskd6g62ICV2cs7T8ZT6Q2eUoINTTrTaBMCj5+xXaZngIP7aemTHJ7taH l0xA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=kcu8YE5sVDxrapWp+sBeZLFxERfJYVHXUsD7NwBjx6k=; fh=hsrTthzAR1DQ8e2AdgDdW93gzBIDEGuai8bEVdxkvyA=; b=U4ClP7k+oSqKnsDuwOX4jaa+Sokk7xqAD74UzHpuy0OE2aaDGAwV7s/BnVpw7Mn4Dp eCNZevSVS2garTPa6Ek66L8r1T/4pPgr13rIM9u6u2+pMXu/Qbo26QAwtfZv14z6yrKu 8UguJL+vAdzAJIB85m9RIM7R1lPyJ+iyjaO/aP+o6hoU4Ech827XWqzUKvz41utx9e/1 
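Review bot: in the altcp_tls_mbedtls.c hunk at @@ -3,7 the only change to the file header is trailing whitespace, but the sentence right under it, "This version is currently compatible with the 2.x.x branch (current LTS)", is now wrong; update it to say mbedTLS 3.x (the commit message targets 3.6.0) while that block is being touched.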
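Review bot: the new altcp_mbedtls_flush_output() needs a comment explaining why it calls mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0). It works as a flush only because mbedtls_ssl_send_alert_message() returns the result of mbedtls_ssl_flush_output() early when out_left != 0, which is exactly what the guard above it ensures, and mbedtls_ssl_flush_output() is no longer public in 3.x; nothing in the code says so, and level 0 / message 0 are not valid alert values, so the next reader will take it for a bug. Also, when lwIP has no send buffer the BIO returns MBEDTLS_ERR_SSL_WANT_WRITE, so the "mbedtls_ssl_send_alert_message failed" debug message fires on the normal partial-flush path; either name the helper in the message or skip logging that return code.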
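Review bot: in the altcp_mbedtls_sndbuf() hunk, mbedtls_ssl_get_max_in_record_payload() is the wrong replacement: this function computes how much the application may write, so the outbound limit mbedtls_ssl_get_max_out_record_payload() is the one that matches the old mbedtls_ssl_get_max_frag_len() semantics. Both return int and are negative on error (for instance before the handshake has negotiated the extension); assigning that to `size_t max_frag_len` turns it into a huge value and LWIP_MIN(max_frag_len, max_len) then limits nothing. Check for a negative result before the assignment and fall back to max_len.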
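Review bot: in the altcp_mbedtls_bio_send() hunk, the added altcp_output(conn->inner_conn) runs before the err check, so it also fires when altcp_write() returned ERR_MEM and nothing was queued, and it runs once per chunk of the loop instead of once after it. Move the call after the loop (or into the err == ERR_OK branch) and add a comment saying why an explicit output is needed here when the lower_sent and lower_poll paths already flush; the `/* try to send data... */` comment does not explain it. If this is needed only because the TLS handshake writes from the receive path, it belongs with the tcp_out.c change in this patch and the two should be explained together.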
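Review bot: removing the `tcp_input_pcb == pcb` early return in tcp_output() changes core lwIP TCP behaviour for every user of the stack, not just TLS. As the removed comment says, the guard defers output while input processing runs so that data written from a recv callback rides along with the ACK sent when input processing is done; without it, an application writing from its recv callback now emits a data segment plus a separate ACK. The commit message does not mention the change and it is not obviously part of the lwIP PR referenced as [0]. Either explain the need in the commit message and mark it as a U-Boot-local deviation from upstream (so it is not lost on the next lwIP update), or keep the guard and make the TLS path not depend on synchronous output. The tcp_rst() hunk in the same file is whitespace-only and unrelated; drop it or mention it.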
From: Ilias Apalodimas
To: jerome.forissier@linaro.org, raymond.mao@linaro.org
Cc: xypron.glpk@gmx.de, Javier Tia, Ilias Apalodimas, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro, Peter Robinson, Jonathan Humphreys, Wei Ming Chen, Caleb Connolly, Masahisa Kojima, u-boot@lists.denx.de
Subject: [PATCH v2 3/6] net: lwip: Add Support Server Name Indication support
Date: Thu, 24 Oct 2024 14:24:10 +0300
Message-ID: <20241024112449.1362319-4-ilias.apalodimas@linaro.org>
In-Reply-To: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>
References: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>

From: Javier Tia

SNI, or Server Name Indication, is an addition to the TLS encryption protocol that enables a client device to specify the domain name it is trying to reach in the first step of the TLS handshake, preventing common name mismatch errors and not being able to reach HTTPS servers that enforce this condition. Since most websites require it nowadays, add support for it.

It's worth noting that this is already sent to lwIP [0].

[0] https://github.com/lwip-tcpip/lwip/pull/47

Signed-off-by: Javier Tia
Signed-off-by: Ilias Apalodimas
---
 lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 11 +++++++----
 lib/lwip/lwip/src/include/lwip/altcp_tls.h | 2 +-
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
index ef19821b89e0..24b432966312 100644
--- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c @@ -106,6 +106,7 @@ struct altcp_tls_config { u8_t pkey_count; u8_t pkey_max; mbedtls_x509_crt *ca; + char host[256]; #if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE /** Inter-connection cache for fast connection startup */ struct mbedtls_ssl_cache_context cache; @@ -642,6 +643,7 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_ /* tell mbedtls about our I/O functions */ mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL); + mbedtls_ssl_set_hostname(&state->ssl_context, config->host); altcp_mbedtls_setup_callbacks(conn, inner_conn); conn->inner_conn = inner_conn; conn->fns = &altcp_mbedtls_functions; @@ -951,7 +953,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_ } static struct altcp_tls_config * -altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth) +altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth, char *host) { int ret; struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL); @@ -973,13 +975,14 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL); } + memcpy(conf->host, host, sizeof(conf->host)); return conf; } struct altcp_tls_config * -altcp_tls_create_config_client(const u8_t *ca, size_t ca_len) +altcp_tls_create_config_client(const u8_t *ca, size_t ca_len, char *host) { - return altcp_tls_create_config_client_common(ca, ca_len, 0); + return altcp_tls_create_config_client_common(ca, ca_len, 0, host); } struct altcp_tls_config * 
@@ -995,7 +998,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_ return NULL; } - conf = altcp_tls_create_config_client_common(ca, ca_len, 1); + conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL); if (conf == NULL) { return NULL; } diff --git a/lib/lwip/lwip/src/include/lwip/altcp_tls.h b/lib/lwip/lwip/src/include/lwip/altcp_tls.h index fcb784d89d70..fb0618234481 100644 --- a/lib/lwip/lwip/src/include/lwip/altcp_tls.h +++ b/lib/lwip/lwip/src/include/lwip/altcp_tls.h 
@@ -92,7 +92,7 @@ struct altcp_tls_config *altcp_tls_create_config_server_privkey_cert(const u8_t /** @ingroup altcp_tls * Create an ALTCP_TLS client configuration handle */ -struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len); +struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len, char *host); /** @ingroup altcp_tls * Create an ALTCP_TLS client configuration handle with two-way server/client authentication

From patchwork Thu Oct 24 11:24:11 2024
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 838119
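Review bot: in the `struct altcp_tls_config` hunk of 3/6, `char host[256]` is a bare magic size with no comment saying what the field holds; give it a named constant and a one-line comment that this is the server name handed to `mbedtls_ssl_set_hostname()` for SNI and certificate name checking, since every caller has to size its own buffer against this field and the wget caller in 4/6 uses a different size (`SERVER_NAME_SIZE`, 200).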
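Review bot: in the `altcp_mbedtls_setup()` hunk of 3/6, the return value of `mbedtls_ssl_set_hostname(&state->ssl_context, config->host)` is discarded, although the call can fail (allocation failure or bad input) and a failure here means the handshake goes out with no SNI and, when verification is enabled, no name to check the peer certificate against. Check it and bail out the way the other failure paths in this function do, and skip the call when `config->host[0] == '\0'` so a config created without a name does not send an empty SNI.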
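Review bot: in the `altcp_tls_create_config_client_common()` hunk of 3/6, `memcpy(conf->host, host, sizeof(conf->host))` copies 256 bytes from the caller's buffer regardless of the string's length: a shorter source (the wget caller in 4/6 passes `server_name[SERVER_NAME_SIZE]`, 200 bytes) is a stack over-read, a NULL `host` (which `altcp_tls_create_config_client_2wayauth()` now passes) is a NULL dereference, and a 256-byte name leaves `conf->host` unterminated for `mbedtls_ssl_set_hostname()`. Replace it with a NULL check and a bounded, terminating copy, e.g. `if (host) { strncpy(conf->host, host, sizeof(conf->host) - 1); conf->host[sizeof(conf->host) - 1] = '\0'; }`, and reject names that do not fit instead of truncating them silently, since a truncated name is a different SNI.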
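Review bot: in the `altcp_tls_create_config_client_2wayauth()` hunk of 3/6, hard-wiring `NULL` as `host` means two-way-auth clients get no SNI at all, and with the `memcpy()` in the common helper as written it is also a NULL dereference; thread a `host` parameter through this constructor as the plain client constructor now does.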
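Review bot: in the `altcp_tls.h` hunk of 3/6, the doxygen block above `altcp_tls_create_config_client()` still documents only the certificate arguments; add a line for `host` stating that it is the server name sent as SNI and used to verify the peer certificate, whether NULL is accepted, and the maximum length (it is copied into a fixed 256-byte field). The parameter should also be `const char *host` here and in the two `.c` prototypes, matching the other pointer arguments, since the function only reads it.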
From: Ilias Apalodimas
To: jerome.forissier@linaro.org, raymond.mao@linaro.org
Cc: xypron.glpk@gmx.de, Ilias Apalodimas, Tom Rini, Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro, Peter Robinson, Wei Ming Chen, Jonathan Humphreys, Masahisa Kojima, Caleb Connolly, Javier Tia, u-boot@lists.denx.de
Subject: [PATCH v2 4/6] net: lwip: Enable https:// support for wget
Date: Thu, 24 Oct 2024 14:24:11 +0300
Message-ID: <20241024112449.1362319-5-ilias.apalodimas@linaro.org>
In-Reply-To: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>
References: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>

With the recent changes of lwip & mbedTLS we can now download from https:// URLs instead of just http://. Adjust our wget lwip version parsing to support both URLs.

While at it, adjust the default TCP window for QEMU since https seems to require at least 16384.

Signed-off-by: Ilias Apalodimas
---
 cmd/Kconfig | 19 ++++++++++++
 net/lwip/Kconfig | 2 +-
 net/lwip/wget.c | 78 +++++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 91 insertions(+), 8 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 3ee70f31b142..1d90a884e2c1 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2126,6 +2126,25 @@ config CMD_WGET wget is a simple command to download kernel, or other files, from a http server over TCP. +config WGET_HTTPS + bool "wget https" + depends on CMD_WGET + depends on PROT_TCP_LWIP + depends on MBEDTLS_LIB + select SHA256 + select RSA + select ASYMMETRIC_KEY_TYPE + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + select MBEDTLS_LIB_CRYPTO + select MBEDTLS_LIB_TLS + select RSA_VERIFY_WITH_PKEY + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + help + Enable TLS over http for wget. + endif # if CMD_NET config CMD_PXE diff --git a/net/lwip/Kconfig b/net/lwip/Kconfig index 8a67de4cf335..a9ae9bf7fa2a 100644 --- a/net/lwip/Kconfig +++ b/net/lwip/Kconfig @@ -37,7 +37,7 @@ config PROT_UDP_LWIP config LWIP_TCP_WND int "Value of TCP_WND" - default 8000 if ARCH_QEMU + default 32768 if ARCH_QEMU default 3000000 help Default value for TCP_WND in the lwIP configuration diff --git a/net/lwip/wget.c b/net/lwip/wget.c index b495ebd1aa96..1a2ecdcddf34 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c @@ -7,13 +7,17 @@ #include #include #include +#include "lwip/altcp_tls.h" #include +#include #include #include #include +#include #define SERVER_NAME_SIZE 200 #define HTTP_PORT_DEFAULT 80 +#define HTTPS_PORT_DEFAULT 443 #define PROGRESS_PRINT_STEP_BYTES (100 * 1024) enum done_state { 
@@ -32,18 +36,53 @@ struct wget_ctx { enum done_state done; }; +bool wget_validate_uri(char *uri); + +int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, + size_t *olen) +{ + struct udevice *dev; + u64 rng = 0; + int ret; + + *olen = 0; + + ret = uclass_get_device(UCLASS_RNG, 0, &dev); + if (ret) { + log_err("Failed to get an rng: %d\n", ret); + return ret; + } + ret = dm_rng_read(dev, &rng, sizeof(rng)); + if (ret) + return ret; + + memcpy(output, &rng, len); + *olen = sizeof(rng); + + return 0; +} + static int parse_url(char *url, char *host, u16 *port, char **path) { char *p, *pp; long lport; + size_t prefix_len = 0; + + if (!wget_validate_uri(url)) { + log_err("Invalid URL. Use http(s)://\n"); + return -EINVAL; + } + *port = HTTP_PORT_DEFAULT; + prefix_len = strlen("http://"); p = strstr(url, "http://"); if (!p) { - log_err("only http:// is supported\n"); - return -EINVAL; + p = strstr(url, "https://"); + prefix_len = strlen("https://"); + *port = HTTPS_PORT_DEFAULT; } - p += strlen("http://"); + p += prefix_len; /* Parse hostname */ pp = strchr(p, ':'); @@ -67,9 +106,8 @@ static int parse_url(char *url, char *host, u16 *port, char **path) if (lport > 65535) return -EINVAL; *port = (u16)lport; - } else { - *port = HTTP_PORT_DEFAULT; } + if (*pp != '/') return -EINVAL; *path = pp; @@ -210,6 +248,9 @@ static void httpc_result_cb(void *arg, httpc_result_t httpc_result, static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { char server_name[SERVER_NAME_SIZE]; +#if defined CONFIG_WGET_HTTPS + altcp_allocator_t tls_allocator; +#endif httpc_connection_t conn; httpc_state_t *state; struct netif *netif; 
@@ -232,6 +273,22 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) return -1; memset(&conn, 0, sizeof(conn)); +#if defined CONFIG_WGET_HTTPS + if (port == HTTPS_PORT_DEFAULT) { + tls_allocator.alloc = &altcp_tls_alloc; + tls_allocator.arg = + altcp_tls_create_config_client(NULL, 0, server_name); + + if (!tls_allocator.arg) { + log_err("error: Cannot create a TLS connection\n"); + net_lwip_remove_netif(netif); + return -1; + } + + conn.altcp_allocator = &tls_allocator; + } +#endif + conn.result_fn = httpc_result_cb; ctx.path = path; if (httpc_get_file_dns(server_name, port, path, &conn, httpc_recv_cb, @@ -316,6 +373,7 @@ bool wget_validate_uri(char *uri) char c; bool ret = true; char *str_copy, *s, *authority; + size_t prefix_len = 0; for (c = 0x1; c < 0x21; c++) { if (strchr(uri, c)) { 
@@ -323,15 +381,21 @@ bool wget_validate_uri(char *uri) return false; } } + if (strchr(uri, 0x7f)) { log_err("invalid character is used\n"); return false; } - if (strncmp(uri, "http://", 7)) { - log_err("only http:// is supported\n"); + if (!strncmp(uri, "http://", strlen("http://"))) { + prefix_len = strlen("http://"); + } else if (!strncmp(uri, "https://", strlen("https://"))) { + prefix_len = strlen("https://"); + } else { + log_err("only http(s):// is supported\n"); return false; } + str_copy = strdup(uri); if (!str_copy) return false;

From patchwork Thu Oct 24 11:24:12 2024
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 838120
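Review bot: in the `cmd/Kconfig` hunk of 4/6, `select X509_CERTIFICATE_PARSER` and `select PKCS7_MESSAGE_PARSER` each appear twice under `config WGET_HTTPS`; drop the second copies. The help text "Enable TLS over http for wget." should also say what a user gets: that `wget` accepts `https://` URLs and runs the transfer over TLS via mbedTLS, and how (or whether) the server certificate is verified, since that is the first question anyone enabling the option will ask.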
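Review bot: in the `net/lwip/Kconfig` hunk of 4/6, the QEMU default of `LWIP_TCP_WND` goes from 8000 to 32768 while the commit message says https needs "at least 16384"; put the actual reason for the chosen value (TLS record size, mbedTLS input buffer, or measured behaviour) into the help text or the commit message so the next person does not lower it again.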
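Review bot: in the `mbedtls_hardware_poll()` hunk of 4/6, `memcpy(output, &rng, len)` copies `len` bytes out of an 8-byte `u64 rng`: mbedTLS polls entropy sources with a buffer larger than 8 bytes, so the copy reads past `rng` on the stack and feeds stack contents into the entropy pool, while `*olen = sizeof(rng)` reports only 8 bytes produced. Read directly into the caller's buffer (`ret = dm_rng_read(dev, output, len); ... *olen = len;`) or clamp with `min(len, sizeof(rng))` and set `*olen` to that. In the same hunk, `parse_url()` now finds the scheme with `strstr(url, "http://")` anywhere in the string, so a URL such as `https://host/?u=http://x` matches the substring in the query and is parsed as plain http with the wrong host; compare at offset 0 with `strncmp()` as `wget_validate_uri()` does, and return the scheme to the caller rather than only a port number.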
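Review bot: in the `wget_loop()` TLS hunk of 4/6, the decision to wrap the connection in TLS is `if (port == HTTPS_PORT_DEFAULT)`, i.e. taken from the port rather than the URL scheme: `https://host:8443/` is parsed with port 8443 and goes out in cleartext, and `http://host:443/` gets TLS. Branch on the scheme returned by `parse_url()` instead. Two further points in the same hunk: `altcp_tls_create_config_client(NULL, 0, server_name)` passes no CA, so nothing here establishes a trust root for the server certificate; if that is intended as a first step, say so in the commit message and the Kconfig help rather than leaving it implicit. And the config stored in `tls_allocator.arg` is never released with `altcp_tls_free_config()`, neither on the error path below nor, as far as this hunk shows, after the transfer, so every `wget` call leaks it.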
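Review bot: in the `wget_validate_uri()` hunks of 4/6, `prefix_len` is declared and assigned in both scheme branches but nothing in the visible diff reads it; if the rest of the function does not consume it either, drop the variable (it will otherwise trip -Wunused-but-set-variable), and if it is consumed, include that change in the same hunk so the reader can see why it exists.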
From: Ilias Apalodimas
To: jerome.forissier@linaro.org, raymond.mao@linaro.org
Cc: xypron.glpk@gmx.de, Ilias Apalodimas, Peter Robinson, Simon Glass, Tom Rini, Joe Hershberger, Ramon Fried, Mattijs Korpershoek, AKASHI Takahiro, Jonathan Humphreys, Wei Ming Chen, Masahisa Kojima, Caleb Connolly, Javier Tia, u-boot@lists.denx.de
Subject: [PATCH v2 5/6] configs: Enable https for wget on qemu arm64
Date: Thu, 24 Oct 2024 14:24:12 +0300
Message-ID: <20241024112449.1362319-6-ilias.apalodimas@linaro.org>
In-Reply-To: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>
References: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>

QEMU already has an lwip variant of a defconfig. That defconfig is also configured with mbedTLS by default. So let's enable the remaining config options to enable wget for https:// as well and test that codepath in the CI.

Reviewed-by: Jerome Forissier
Reviewed-by: Peter Robinson
Reviewed-by: Simon Glass
Signed-off-by: Ilias Apalodimas
---
 configs/qemu_arm64_lwip_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig
index d3d8ef16e668..754c770c33fc 100644
--- a/configs/qemu_arm64_lwip_defconfig
+++ b/configs/qemu_arm64_lwip_defconfig
@@ -7,3 +7,4 @@ CONFIG_NET_LWIP=y CONFIG_CMD_DNS=y CONFIG_CMD_WGET=y CONFIG_EFI_HTTP_BOOT=y +CONFIG_WGET_HTTPS=y

From patchwork Thu Oct 24 11:24:13 2024
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 838121
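Review bot: in the `qemu_arm64_lwip_defconfig` hunk of 5/6, the commit message says the https:// code path will be tested in CI, but the patch adds only `CONFIG_WGET_HTTPS=y` and no test; if the test lives in another patch of the series, name it in the commit message, and state there that, because the client config in 4/6 is created without a CA, the CI run exercises the TLS transport but not server certificate verification.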
From: Ilias Apalodimas
To: jerome.forissier@linaro.org, raymond.mao@linaro.org
Cc: xypron.glpk@gmx.de, Ilias Apalodimas, Simon Glass, Tom Rini, Joe Hershberger, Ramon Fried, Mattijs Korpershoek, AKASHI Takahiro, Peter Robinson, Jonathan Humphreys, Wei Ming Chen, Caleb Connolly, Masahisa Kojima, Javier Tia, u-boot@lists.denx.de
Subject: [PATCH v2 6/6] doc: uefi: Describe UEFI HTTPs boot
Date: Thu, 24 Oct 2024 14:24:13 +0300
Message-ID: <20241024112449.1362319-7-ilias.apalodimas@linaro.org>
In-Reply-To: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>
References: <20241024112449.1362319-1-ilias.apalodimas@linaro.org>

We now can use a combination of lwIP & mbedTLS and download from https://.
Describe the config options needed to enable it as well as some limitations.

Reviewed-by: Simon Glass
Signed-off-by: Ilias Apalodimas
---
 doc/develop/uefi/uefi.rst | 45 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 0760ca91d4fc..e19dcaac8056 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -681,8 +681,8 @@ UEFI variables. Booting according to these variables is possible via:: As of U-Boot v2020.10 UEFI variables cannot be set at runtime. The U-Boot command 'efidebug' can be used to set the variables. -UEFI HTTP Boot ~~~~~~~~~~~~~~ +UEFI HTTP Boot using the legacy TCP stack +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP Boot provides the capability for system deployment and configuration over the network. HTTP Boot can be activated by specifying::
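Review bot: renaming the section title from "UEFI HTTP Boot" to "UEFI HTTP Boot using the legacy TCP stack" changes the section anchor Sphinx generates for it, so grep the rest of doc/ for references to the old title (explicit links or link text naming the section) and update them in the same patch; the new underline length does match the new title, so the reST structure itself is fine.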
@@ -715,6 +715,47 @@ We need to preset the "httpserverip" environment variable to proceed the wget:: setenv httpserverip 192.168.1.1 +UEFI HTTP(s) Boot using lwIP +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Similar to the above U-Boot can do EFI HTTP boot using lwIP. If we combine this +with mbedTLS we can also download from https:// + +HTTP(s) Boot can be activated by specifying:: + + CONFIG_EFI_HTTP_BOOT + CONFIG_NET_LWIP + CONFIG_WGET_HTTPS + +For QEMU targets there's a Kconfig that supports this by default:: + + make qemu_arm64_lwip_defconfig + +The commands and functionality are similar to the legacy stack, with the notable +exception of not having to define an "httpserverip" if you are trying to resolve +an IP. However, lwIP code doesn't yet support redirects:: + + => efidebug boot add -u 1 netinst https://cdimage.debian.org/cdimage/weekly-builds/arm64/iso-cd/debian-testing-arm64-netinst.iso + => dhcp + DHCP client bound to address 10.0.2.15 (3 ms) + => efidebug boot order 1 + => bootefi bootmgr + + HTTP server error 302 + Loading Boot0001 'netinst' failed + EFI boot manager: Cannot load any image + +If the url you specified isn't a redirect:: + + => efidebug boot add -u 1 netinst https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.4-aarch64-minimal.iso + => dhcp + => bootefi bootmgr + ####################################### + +If the downloaded file extension is .iso or .img file, efibootmgr tries to +mount the image and boot with the default file(e.g. EFI/BOOT/BOOTAA64.EFI). +If the downloaded file is PE-COFF image, load the downloaded file and +start it. + Executing the built in hello world application ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
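Review bot: the new "UEFI HTTP(s) Boot using lwIP" section never states whether the https:// download verifies the server certificate or how a CA/trust store is supplied to the mbedTLS side, so a reader cannot tell whether HTTPS boot here authenticates the downloaded image's origin or only encrypts the transport; add a sentence saying what is checked and where the certificates come from (or state plainly that verification is not performed, if that is the case), since that is the property an operator deploying this needs to know. Smaller points in the same hunk: "HTTP(s)" should be "HTTPS" in the heading and body, "download from https://" is missing its full stop, "url" should be "URL", and "If the downloaded file extension is .iso or .img file" reads better as "If the downloaded file has an .iso or .img extension". The 302 example is worth keeping as it shows exactly how the documented no-redirect limitation surfaces to the user.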