From patchwork Sun Nov 10 08:28:37 2024
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 842364
From: Ilias Apalodimas
To: jerome.forissier@linaro.org
Cc: Anton.Antonov@arm.com, Ilias Apalodimas, Raymond Mao, Tom Rini, Heinrich Schuchardt, Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro, Dmitry Rokosov, Peter Robinson, Jonathan Humphreys, Wei Ming Chen, Masahisa Kojima, Caleb Connolly, Javier Tia, u-boot@lists.denx.de
Subject: [PATCH v3 1/6] mbedtls: Enable TLS 1.2 support
Date: Sun, 10 Nov 2024 10:28:37 +0200
Message-ID: <20241110083017.367565-2-ilias.apalodimas@linaro.org>
In-Reply-To: <20241110083017.367565-1-ilias.apalodimas@linaro.org>
References: <20241110083017.367565-1-ilias.apalodimas@linaro.org>

Since lwIP and mbedTLS have been merged we can tweak the config options and enable TLS1.2 support. Add RSA and ECDSA by default and enable enough block cipher modes of operation to be compatible with modern TLS requirements and webservers.

Reviewed-by: Raymond Mao
Acked-by: Jerome Forissier
Signed-off-by: Ilias Apalodimas
---
 lib/mbedtls/Kconfig              | 12 ++++++++
 lib/mbedtls/Makefile             | 31 +++++++++++++++++++
 lib/mbedtls/mbedtls_def_config.h | 52 ++++++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+)

diff --git a/lib/mbedtls/Kconfig b/lib/mbedtls/Kconfig
index d71adc3648ad..78167ffa2520 100644
--- a/lib/mbedtls/Kconfig
+++ b/lib/mbedtls/Kconfig
@@ -430,4 +430,16 @@ endif # SPL endif # MBEDTLS_LIB_X509 +config MBEDTLS_LIB_TLS + bool "MbedTLS TLS library" + depends on RSA_PUBLIC_KEY_PARSER_MBEDTLS + depends on X509_CERTIFICATE_PARSER_MBEDTLS + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + depends on ASN1_DECODER_MBEDTLS + depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS + depends on MBEDTLS_LIB_CRYPTO + help + Enable MbedTLS TLS library. Required for HTTPs support + in wget + endif # MBEDTLS_LIB diff --git a/lib/mbedtls/Makefile b/lib/mbedtls/Makefile index 83cb3c2fa705..ce0a61e40541 100644 --- a/lib/mbedtls/Makefile +++ b/lib/mbedtls/Makefile @@ -26,6 +26,7 @@ mbedtls_lib_crypto-y := \ $(MBEDTLS_LIB_DIR)/platform_util.o \ $(MBEDTLS_LIB_DIR)/constant_time.o \ $(MBEDTLS_LIB_DIR)/md.o + mbedtls_lib_crypto-$(CONFIG_$(SPL_)MD5_MBEDTLS) += $(MBEDTLS_LIB_DIR)/md5.o mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA1_MBEDTLS) += $(MBEDTLS_LIB_DIR)/sha1.o mbedtls_lib_crypto-$(CONFIG_$(SPL_)SHA256_MBEDTLS) += \ 
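Review bot: in the Kconfig hunk, `depends on ASYMMETRIC_PUBLIC_KEY_MBEDTLS` is listed twice for MBEDTLS_LIB_TLS; drop the second copy. While there, the help text should read "HTTPS" rather than "HTTPs", and it would help users to say that this option builds a client-only TLS 1.2 stack (the config hunk enables MBEDTLS_SSL_CLI_C and MBEDTLS_SSL_PROTO_TLS1_2, nothing server-side), so nobody enables it expecting to serve connections.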
@@ -54,3 +55,33 @@ mbedtls_lib_x509-$(CONFIG_$(SPL_)X509_CERTIFICATE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/x509_crt.o mbedtls_lib_x509-$(CONFIG_$(SPL_)PKCS7_MESSAGE_PARSER_MBEDTLS) += \ $(MBEDTLS_LIB_DIR)/pkcs7.o + +#mbedTLS TLS support +obj-$(CONFIG_MBEDTLS_LIB_TLS) += mbedtls_lib_tls.o +mbedtls_lib_tls-y := \ + $(MBEDTLS_LIB_DIR)/mps_reader.o \ + $(MBEDTLS_LIB_DIR)/mps_trace.o \ + $(MBEDTLS_LIB_DIR)/net_sockets.o \ + $(MBEDTLS_LIB_DIR)/pk_ecc.o \ + $(MBEDTLS_LIB_DIR)/ssl_cache.o \ + $(MBEDTLS_LIB_DIR)/ssl_ciphersuites.o \ + $(MBEDTLS_LIB_DIR)/ssl_client.o \ + $(MBEDTLS_LIB_DIR)/ssl_cookie.o \ + $(MBEDTLS_LIB_DIR)/ssl_debug_helpers_generated.o \ + $(MBEDTLS_LIB_DIR)/ssl_msg.o \ + $(MBEDTLS_LIB_DIR)/ssl_ticket.o \ + $(MBEDTLS_LIB_DIR)/ssl_tls.o \ + $(MBEDTLS_LIB_DIR)/ssl_tls12_client.o \ + $(MBEDTLS_LIB_DIR)/hmac_drbg.o \ + $(MBEDTLS_LIB_DIR)/ctr_drbg.o \ + $(MBEDTLS_LIB_DIR)/entropy.o \ + $(MBEDTLS_LIB_DIR)/entropy_poll.o \ + $(MBEDTLS_LIB_DIR)/aes.o \ + $(MBEDTLS_LIB_DIR)/cipher.o \ + $(MBEDTLS_LIB_DIR)/cipher_wrap.o \ + $(MBEDTLS_LIB_DIR)/ecdh.o \ + $(MBEDTLS_LIB_DIR)/ecdsa.o \ + $(MBEDTLS_LIB_DIR)/ecp.o \ + $(MBEDTLS_LIB_DIR)/ecp_curves.o \ + $(MBEDTLS_LIB_DIR)/ecp_curves_new.o \ + $(MBEDTLS_LIB_DIR)/gcm.o \ diff --git a/lib/mbedtls/mbedtls_def_config.h b/lib/mbedtls/mbedtls_def_config.h index 1af911c2003f..d27f017d0847 100644 --- a/lib/mbedtls/mbedtls_def_config.h +++ b/lib/mbedtls/mbedtls_def_config.h 
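Review bot: the mbedtls_lib_tls-y list in the Makefile hunk ends with `$(MBEDTLS_LIB_DIR)/gcm.o \`, a line continuation with nothing after it; drop the trailing backslash so a future addition to the end of the file cannot silently fuse into this variable. It is also worth confirming that aes.o, cipher.o, gcm.o, ctr_drbg.o, hmac_drbg.o, entropy.o and the ecp/ecdsa/ecdh objects are not also selected into mbedtls_lib_crypto through CONFIG_*_MBEDTLS switches of the kind shown in the hunk above, since listing the same object in both libraries produces duplicate symbols at link time.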
@@ -87,4 +87,56 @@ #endif /* #if defined CONFIG_MBEDTLS_LIB_X509 */ +#if IS_ENABLED(CONFIG_MBEDTLS_LIB_TLS) +#include "rtc.h" + +/* Generic options */ +#define MBEDTLS_ENTROPY_HARDWARE_ALT +#define MBEDTLS_HAVE_TIME +#define MBEDTLS_PLATFORM_MS_TIME_ALT +#define MBEDTLS_PLATFORM_TIME_MACRO rtc_mktime +#define MBEDTLS_PLATFORM_C +#define MBEDTLS_SSL_CLI_C +#define MBEDTLS_SSL_TLS_C +#define MBEDTLS_CIPHER_C +#define MBEDTLS_MD_C +#define MBEDTLS_CTR_DRBG_C +#define MBEDTLS_AES_C +#define MBEDTLS_ENTROPY_C +#define MBEDTLS_NO_PLATFORM_ENTROPY +#define MBEDTLS_SSL_PROTO_TLS1_2 +#define MBEDTLS_SSL_SERVER_NAME_INDICATION +#define MBEDTLS_KEY_EXCHANGE_PSK_ENABLED + +/* RSA */ +#define MBEDTLS_KEY_EXCHANGE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED +#define MBEDTLS_GCM_C + +/* ECDSA */ +#define MBEDTLS_ECDSA_C +#define MBEDTLS_ECDH_C +#define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED +#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED +#define MBEDTLS_CAN_ECDH +#define MBEDTLS_PK_CAN_ECDSA_SIGN +#define MBEDTLS_ECP_C +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_SECP192R1_ENABLED +#define MBEDTLS_ECP_DP_SECP224R1_ENABLED +#define MBEDTLS_ECP_DP_SECP256R1_ENABLED +#define MBEDTLS_ECP_DP_SECP384R1_ENABLED +#define MBEDTLS_ECP_DP_SECP521R1_ENABLED +#define MBEDTLS_ECP_DP_SECP192K1_ENABLED +#define MBEDTLS_ECP_DP_SECP224K1_ENABLED +#define MBEDTLS_ECP_DP_SECP256K1_ENABLED +#define MBEDTLS_ECP_DP_BP256R1_ENABLED +#define MBEDTLS_ECP_DP_BP384R1_ENABLED +#define MBEDTLS_ECP_DP_BP512R1_ENABLED + +#endif /* #if defined CONFIG_MBEDTLS_LIB_TLS */ + #endif /* #if defined CONFIG_MBEDTLS_LIB */

From patchwork Sun Nov 10 08:28:38 2024
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 842365
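Review bot: in the mbedtls_def_config.h hunk of patch 1/6, MBEDTLS_ECP_DP_SECP256K1_ENABLED is defined twice (once at the head of the curve list, again after MBEDTLS_ECP_DP_SECP224K1_ENABLED); drop one. The same hunk enables static RSA key exchange (MBEDTLS_KEY_EXCHANGE_RSA_ENABLED, no forward secrecy), PSK, and the 192/224-bit curves; for a boot-time HTTPS client the ECDHE_RSA and ECDHE_ECDSA suites with P-256 and P-384 cover modern web servers, so consider trimming the rest or stating in the commit message which servers need them. MBEDTLS_ENTROPY_HARDWARE_ALT together with MBEDTLS_NO_PLATFORM_ENTROPY means mbedTLS takes all of its entropy from mbedtls_hardware_poll(); that function is not in this patch, so the message should say where the implementation lives. Minor: MBEDTLS_GCM_C sits under the /* RSA */ comment but is a cipher mode, not an RSA option.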
From: Ilias Apalodimas
To: jerome.forissier@linaro.org
Cc: Anton.Antonov@arm.com, Javier Tia, Ilias Apalodimas, Tom Rini, Heinrich Schuchardt, Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro, Dmitry Rokosov, Peter Robinson, Jonathan Humphreys, Wei Ming Chen, Masahisa Kojima, Caleb Connolly, Raymond Mao, u-boot@lists.denx.de
Subject: [PATCH v3 2/6] net: lwip: Update lwIP for mbedTLS > 3.0 support and enable https
Date: Sun, 10 Nov 2024 10:28:38 +0200
Message-ID: <20241110083017.367565-3-ilias.apalodimas@linaro.org>
In-Reply-To: <20241110083017.367565-1-ilias.apalodimas@linaro.org>
References: <20241110083017.367565-1-ilias.apalodimas@linaro.org>

From: Javier Tia

The current code supports mbedTLS 2.28. Since we are using a newer version in U-Boot, update the necessary accessors and the lwIP codebase to work with mbedTLS 3.6.0. It's worth noting that the patches are already sent to lwIP [0].

While at it enable LWIP_ALTCP_TLS and enable TLS support in lwIP.

[0] https://github.com/lwip-tcpip/lwip/pull/47

Signed-off-by: Javier Tia
Acked-by: Jerome Forissier
Signed-off-by: Ilias Apalodimas --- lib/lwip/Makefile | 3 ++ .../src/apps/altcp_tls/altcp_tls_mbedtls.c | 39 ++++++++++++------- lib/lwip/lwip/src/core/tcp_out.c | 10 +---- lib/lwip/u-boot/lwipopts.h | 6 +++ 4 files changed, 34 insertions(+), 24 deletions(-) diff --git a/lib/lwip/Makefile b/lib/lwip/Makefile index dfcd700ca474..19e5c6897f5a 100644 --- a/lib/lwip/Makefile +++ b/lib/lwip/Makefile @@ -53,3 +53,6 @@ obj-y += \ lwip/src/core/timeouts.o \ lwip/src/core/udp.o \ lwip/src/netif/ethernet.o + +obj-$(CONFIG_MBEDTLS_LIB_TLS) += lwip/src/apps/altcp_tls/altcp_tls_mbedtls.o \ + lwip/src/apps/altcp_tls/altcp_tls_mbedtls_mem.o diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c index a8c2fc2ee2cd..ef19821b89e0 100644 --- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c +++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c @@ -3,7 +3,7 @@ * Application layered TCP/TLS connection API (to be used from TCPIP thread) * * This file provides a TLS layer using mbedTLS - * + * * This version is currently compatible with the 2.x.x branch (current LTS). */ @@ -70,7 +70,6 @@ /* @todo: which includes are really needed? */ #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" -#include "mbedtls/certs.h" #include "mbedtls/x509.h" #include "mbedtls/ssl.h" #include "mbedtls/net_sockets.h" @@ -81,8 +80,6 @@ #include "mbedtls/ssl_cache.h" #include "mbedtls/ssl_ticket.h" -#include "mbedtls/ssl_internal.h" /* to call mbedtls_flush_output after ERR_MEM */ - #include #ifndef ALTCP_MBEDTLS_ENTROPY_PTR 
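Review bot: the @@ -3,7 hunk only trims trailing whitespace and leaves the header comment saying "This version is currently compatible with the 2.x.x branch (current LTS)", which stops being true once mbedtls/certs.h and mbedtls/ssl_internal.h are dropped in the @@ -70 and @@ -81 hunks; update it to name the 3.x series the file now targets. Separately, the lib/lwip/Makefile hunk adds only altcp_tls_mbedtls.o and altcp_tls_mbedtls_mem.o while the lwipopts.h hunk turns on LWIP_ALTCP; please confirm that lwip/src/core/altcp.o and altcp_tcp.o are already in obj-y, since they are not visible in this diff.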
@@ -132,6 +129,16 @@ static err_t altcp_mbedtls_lower_recv_process(struct altcp_pcb *conn, altcp_mbed static err_t altcp_mbedtls_handle_rx_appldata(struct altcp_pcb *conn, altcp_mbedtls_state_t *state); static int altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size); +static void +altcp_mbedtls_flush_output(altcp_mbedtls_state_t *state) +{ + if (state->ssl_context.MBEDTLS_PRIVATE(out_left) != 0) { + int flushed = mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0); + if (flushed) { + LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_send_alert_message failed: %d\n", flushed)); + } + } +} /* callback functions from inner/lower connection: */ @@ -524,14 +531,14 @@ altcp_mbedtls_lower_sent(void *arg, struct altcp_pcb *inner_conn, u16_t len) LWIP_ASSERT("state", state != NULL); LWIP_ASSERT("pcb mismatch", conn->inner_conn == inner_conn); /* calculate TLS overhead part to not send it to application */ - overhead = state->overhead_bytes_adjust + state->ssl_context.out_left; + overhead = state->overhead_bytes_adjust + state->ssl_context.MBEDTLS_PRIVATE(out_left); if ((unsigned)overhead > len) { overhead = len; } /* remove ACKed bytes from overhead adjust counter */ state->overhead_bytes_adjust -= len; /* try to send more if we failed before (may increase overhead adjust counter) */ - mbedtls_ssl_flush_output(&state->ssl_context); + altcp_mbedtls_flush_output(state); /* remove calculated overhead from ACKed bytes len */ app_len = len - (u16_t)overhead; /* update application write counter and inform application */ @@ -559,7 +566,7 @@ altcp_mbedtls_lower_poll(void *arg, struct altcp_pcb *inner_conn) if (conn->state) { altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state; /* try to send more if we failed before */ - mbedtls_ssl_flush_output(&state->ssl_context); + altcp_mbedtls_flush_output(state); if (altcp_mbedtls_handle_rx_appldata(conn, state) == ERR_ABRT) { return ERR_ABRT; } 
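Review bot: altcp_mbedtls_flush_output() in the @@ -132 hunk replaces the now-private mbedtls_ssl_flush_output() with mbedtls_ssl_send_alert_message(&state->ssl_context, 0, 0). Alert level 0 and description 0 are not valid TLS alert values (levels are 1 = warning, 2 = fatal), so this queues a bogus alert record behind the pending bytes rather than merely draining them, and the peer will see it on the wire. Please add a comment explaining the workaround and why the public API cannot flush here, and consider instead retrying the original mbedtls_ssl_write()/mbedtls_ssl_handshake() call when out_left is non-zero, which is how the 3.x API expects pending output to be drained after MBEDTLS_ERR_SSL_WANT_WRITE.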
@@ -683,7 +690,7 @@ altcp_tls_set_session(struct altcp_pcb *conn, struct altcp_tls_session *session) if (session && conn && conn->state) { altcp_mbedtls_state_t *state = (altcp_mbedtls_state_t *)conn->state; int ret = -1; - if (session->data.start) + if (session->data.MBEDTLS_PRIVATE(start)) ret = mbedtls_ssl_set_session(&state->ssl_context, &session->data); return ret < 0 ? ERR_VAL : ERR_OK; } @@ -776,7 +783,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav struct altcp_tls_config *conf; mbedtls_x509_crt *mem; - if (TCP_WND < MBEDTLS_SSL_MAX_CONTENT_LEN) { + if (TCP_WND < MBEDTLS_SSL_IN_CONTENT_LEN || TCP_WND < MBEDTLS_SSL_OUT_CONTENT_LEN) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS, ("altcp_tls: TCP_WND is smaller than the RX decrypion buffer, connection RX might stall!\n")); } @@ -900,7 +907,7 @@ err_t altcp_tls_config_server_add_privkey_cert(struct altcp_tls_config *config, return ERR_VAL; } - ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len); + ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_public_key failed: %d\n", ret)); mbedtls_x509_crt_free(srvcert); @@ -1003,7 +1010,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_ } mbedtls_pk_init(conf->pkey); - ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len); + ret = mbedtls_pk_parse_key(conf->pkey, privkey, privkey_len, privkey_pass, privkey_pass_len, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); if (ret != 0) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_key failed: %d 0x%x\n", ret, -1*ret)); altcp_tls_free_config(conf); 
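Review bot: the @@ -683 hunk (MBEDTLS_PRIVATE(start)) and the @@ -524 and @@ -1232 hunks (MBEDTLS_PRIVATE(out_left)) read mbedTLS private structure members, which are outside the 3.x API stability promise; the commit message should state the mbedTLS version this was tested against (3.6.0 per the message) and a comment next to altcp_mbedtls_flush_output() should flag the dependency so the next library bump re-checks it. In the @@ -776 hunk the condition now also compares TCP_WND against MBEDTLS_SSL_OUT_CONTENT_LEN, but the warning text still talks only about the RX buffer; adjust the message to match the check.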
@@ -1189,7 +1196,7 @@ altcp_mbedtls_sndbuf(struct altcp_pcb *conn) size_t ret; #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) /* @todo: adjust ssl_added to real value related to negotiated cipher */ - size_t max_frag_len = mbedtls_ssl_get_max_frag_len(&state->ssl_context); + size_t max_frag_len = mbedtls_ssl_get_max_in_record_payload(&state->ssl_context); max_len = LWIP_MIN(max_frag_len, max_len); #endif /* Adjust sndbuf of inner_conn with what added by SSL */ @@ -1232,9 +1239,9 @@ altcp_mbedtls_write(struct altcp_pcb *conn, const void *dataptr, u16_t len, u8_t /* HACK: if there is something left to send, try to flush it and only allow sending more if this succeeded (this is a hack because neither returning 0 nor MBEDTLS_ERR_SSL_WANT_WRITE worked for me) */ - if (state->ssl_context.out_left) { - mbedtls_ssl_flush_output(&state->ssl_context); - if (state->ssl_context.out_left) { + if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) { + altcp_mbedtls_flush_output(state); + if (state->ssl_context.MBEDTLS_PRIVATE(out_left)) { return ERR_MEM; } } @@ -1284,6 +1291,8 @@ altcp_mbedtls_bio_send(void *ctx, const unsigned char *dataptr, size_t size) while (size_left) { u16_t write_len = (u16_t)LWIP_MIN(size_left, 0xFFFF); err_t err = altcp_write(conn->inner_conn, (const void *)dataptr, write_len, apiflags); + /* try to send data... */ + altcp_output(conn->inner_conn); if (err == ERR_OK) { written += write_len; size_left -= write_len; diff --git a/lib/lwip/lwip/src/core/tcp_out.c b/lib/lwip/lwip/src/core/tcp_out.c index 64579ee5cbd8..b5d312137368 100644 --- a/lib/lwip/lwip/src/core/tcp_out.c +++ b/lib/lwip/lwip/src/core/tcp_out.c 
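Review bot: in the @@ -1189 hunk, altcp_mbedtls_sndbuf() now bounds the send buffer with mbedtls_ssl_get_max_in_record_payload(); this is the transmit path, so mbedtls_ssl_get_max_out_record_payload() is the matching replacement for the old mbedtls_ssl_get_max_frag_len(). In the @@ -1284 hunk, altcp_output(conn->inner_conn) is called before err is examined, so a failed altcp_write() still triggers an output pass; move the call under the err == ERR_OK branch (or after the loop) so segments are only pushed for data that was actually queued.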
@@ -1255,14 +1255,6 @@ tcp_output(struct tcp_pcb *pcb) LWIP_ASSERT("don't call tcp_output for listen-pcbs", pcb->state != LISTEN); - /* First, check if we are invoked by the TCP input processing - code. If so, we do not output anything. Instead, we rely on the - input processing code to call us when input processing is done - with. */ - if (tcp_input_pcb == pcb) { - return ERR_OK; - } - wnd = LWIP_MIN(pcb->snd_wnd, pcb->cwnd); seg = pcb->unsent; @@ -2036,7 +2028,7 @@ tcp_rst(const struct tcp_pcb *pcb, u32_t seqno, u32_t ackno, u16_t local_port, u16_t remote_port) { struct pbuf *p; - + p = tcp_rst_common(pcb, seqno, ackno, local_ip, remote_ip, local_port, remote_port); if (p != NULL) { tcp_output_control_segment(pcb, p, local_ip, remote_ip); diff --git a/lib/lwip/u-boot/lwipopts.h b/lib/lwip/u-boot/lwipopts.h index 9d618625facb..88d6faf327ae 100644 --- a/lib/lwip/u-boot/lwipopts.h +++ b/lib/lwip/u-boot/lwipopts.h 
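Review bot: the @@ -1255 hunk in tcp_out.c removes the `tcp_input_pcb == pcb` guard from tcp_output(), which changes behaviour for every lwIP TCP user in U-Boot, not just the TLS layer, and the commit message does not mention it. Please explain why calling tcp_output() from within input processing is acceptable here (or split this into its own patch with that rationale), since the removed comment documents that the input path is expected to call tcp_output() itself once it finishes. The @@ -2036 hunk is a whitespace-only change and could be dropped from a functional patch.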
@@ -154,4 +154,10 @@ #define MEMP_MEM_INIT 1 #define MEM_LIBC_MALLOC 1 +#if defined(CONFIG_MBEDTLS_LIB_TLS) +#define LWIP_ALTCP 1 +#define LWIP_ALTCP_TLS 1 +#define LWIP_ALTCP_TLS_MBEDTLS 1 +#endif + #endif /* LWIP_UBOOT_LWIPOPTS_H */

From patchwork Sun Nov 10 08:28:39 2024
X-Patchwork-Submitter: Ilias Apalodimas
X-Patchwork-Id: 842366
From: Ilias Apalodimas
To: jerome.forissier@linaro.org
Cc: Anton.Antonov@arm.com, Javier Tia, Ilias Apalodimas, Tom Rini, Heinrich Schuchardt, Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro, Dmitry Rokosov, Peter Robinson, Wei Ming Chen, Jonathan Humphreys, Masahisa Kojima, Caleb Connolly, Raymond Mao, u-boot@lists.denx.de
Subject: [PATCH v3 3/6] net: lwip: Add Server Name Indication support
Date: Sun, 10 Nov 2024 10:28:39 +0200
Message-ID: <20241110083017.367565-4-ilias.apalodimas@linaro.org>
In-Reply-To: <20241110083017.367565-1-ilias.apalodimas@linaro.org>
References: <20241110083017.367565-1-ilias.apalodimas@linaro.org>
From: Javier Tia

SNI, or Server Name Indication, is an addition to the TLS encryption protocol that enables a client device to specify the domain name it is trying to reach in the first step of the TLS handshake, preventing common name mismatch errors and failing to reach HTTPS servers that enforce this condition. Since most websites require it nowadays, add support for it.

It's worth noting that this is already sent to lwIP [0].

[0] https://github.com/lwip-tcpip/lwip/pull/47

Signed-off-by: Javier Tia
Reviewed-by: Jerome Forissier
Signed-off-by: Ilias Apalodimas
---
 .../lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c | 14 +++++++++-----
 lib/lwip/lwip/src/core/tcp_out.c | 2 +-
 lib/lwip/lwip/src/include/lwip/altcp_tls.h | 2 +-
 3 files changed, 11 insertions(+), 7 deletions(-)

diff --git a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
index ef19821b89e0..6643b05ee94d 100644
--- a/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
+++ b/lib/lwip/lwip/src/apps/altcp_tls/altcp_tls_mbedtls.c
@@ -3,7 +3,7 @@ * Application layered TCP/TLS connection API (to be used from TCPIP thread) * * This file provides a TLS layer using mbedTLS - * + * * This version is currently compatible with the 2.x.x branch (current LTS). */ @@ -106,6 +106,7 @@ struct altcp_tls_config { u8_t pkey_count; u8_t pkey_max; mbedtls_x509_crt *ca; + char host[256]; #if defined(MBEDTLS_SSL_CACHE_C) && ALTCP_MBEDTLS_USE_SESSION_CACHE /** Inter-connection cache for fast connection startup */ struct mbedtls_ssl_cache_context cache;
@@ -642,6 +643,7 @@ altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_ /* tell mbedtls about our I/O functions */ mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL); + mbedtls_ssl_set_hostname(&state->ssl_context, config->host); altcp_mbedtls_setup_callbacks(conn, inner_conn); conn->inner_conn = inner_conn; conn->fns = &altcp_mbedtls_functions; @@ -951,7 +953,7 @@ altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_ } static struct altcp_tls_config * -altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth) +altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2wayauth, char *host) { int ret; struct altcp_tls_config *conf = altcp_tls_create_config(0, (is_2wayauth) ? 1 : 0, (is_2wayauth) ? 1 : 0, ca != NULL); @@ -973,13 +975,15 @@ altcp_tls_create_config_client_common(const u8_t *ca, size_t ca_len, int is_2way mbedtls_ssl_conf_ca_chain(&conf->conf, conf->ca, NULL); } + strlcpy(conf->host, host, sizeof(conf->host)); + return conf; } struct altcp_tls_config * -altcp_tls_create_config_client(const u8_t *ca, size_t ca_len) +altcp_tls_create_config_client(const u8_t *ca, size_t ca_len, char *host) { - return altcp_tls_create_config_client_common(ca, ca_len, 0); + return altcp_tls_create_config_client_common(ca, ca_len, 0, host); } struct altcp_tls_config * @@ -995,7 +999,7 @@ altcp_tls_create_config_client_2wayauth(const u8_t *ca, size_t ca_len, const u8_ return NULL; } - conf = altcp_tls_create_config_client_common(ca, ca_len, 1); + conf = altcp_tls_create_config_client_common(ca, ca_len, 1, NULL); if (conf == NULL) { return NULL; } diff --git a/lib/lwip/lwip/src/core/tcp_out.c b/lib/lwip/lwip/src/core/tcp_out.c index b5d312137368..6dbc5f96b60e 100644 --- a/lib/lwip/lwip/src/core/tcp_out.c +++ b/lib/lwip/lwip/src/core/tcp_out.c 
@@ -2028,7 +2028,7 @@ tcp_rst(const struct tcp_pcb *pcb, u32_t seqno, u32_t ackno, u16_t local_port, u16_t remote_port) { struct pbuf *p; - + p = tcp_rst_common(pcb, seqno, ackno, local_ip, remote_ip, local_port, remote_port); if (p != NULL) { tcp_output_control_segment(pcb, p, local_ip, remote_ip); diff --git a/lib/lwip/lwip/src/include/lwip/altcp_tls.h b/lib/lwip/lwip/src/include/lwip/altcp_tls.h index fcb784d89d70..fb0618234481 100644 --- a/lib/lwip/lwip/src/include/lwip/altcp_tls.h +++ b/lib/lwip/lwip/src/include/lwip/altcp_tls.h 
@@ -92,7 +92,7 @@ struct altcp_tls_config *altcp_tls_create_config_server_privkey_cert(const u8_t /** @ingroup altcp_tls * Create an ALTCP_TLS client configuration handle */ -struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len); +struct altcp_tls_config *altcp_tls_create_config_client(const u8_t *cert, size_t cert_len, char *host); /** @ingroup altcp_tls * Create an ALTCP_TLS client configuration handle with two-way server/client authentication From patchwork Sun Nov 10 08:28:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 842367 Delivered-To: patch@linaro.org Received: by 2002:a5d:6307:0:b0:381:e71e:8f7b with SMTP id i7csp2452069wru; Sun, 10 Nov 2024 00:32:07 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCWv5l9s+0MAE9USdHgDdU+UWnsIcniRfKnT5OCaTyrXL9J6qkmFj3xc+rcW9evs+FZEf7xnfQ==@linaro.org X-Google-Smtp-Source: AGHT+IE5MCYmUhBYlJ0cOXWmYbngT5mIuU98VHZNE4Fnucx1m7QvEc8/Xz3AP/BxojZ8bWVNZd0x X-Received: by 2002:a17:906:f598:b0:a9a:3dc0:8911 with SMTP id a640c23a62f3a-a9eeff0a644mr815213466b.16.1731227527111; Sun, 10 Nov 2024 00:32:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1731227527; cv=none; d=google.com; s=arc-20240605; b=ENy9wELkKHdB+YQXAodjTmmhL+ibZlJ5JMAcCyL9fGakmoVISUo82Ca/hOu3lk1F5d 2HV8iIL37you4Mt62dJfB2HdoLLLnx2o3ToOWQqHzioAq/dXV4752kKaHaqzjJlAm+Pz wOQeNDqk9C9qzrgPvztoQQdlRYlu1GB55jm2H6LWWmSCLkcxU5IfukXcgFh1nBfFaMGU V5e6hDLcdcTJaJ4MBPm7QW2jF6tKtZhol7HlnTs7ZYnHUVArPpeoRU0MlvJ6oCrCCfMy VYQFvsNJ4FUctFq4018bAT+EBIViWtyySj+QvSypFA4Zn0SQFr4A4c95PM8omGXvaa0x NuRg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=admDE4/bizsiymrBJH4OfpWSL1b72cHZuDI39oj7fMs=; 
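Review bot: in the `@@ -973,13 +975,15 @@` hunk, `strlcpy(conf->host, host, sizeof(conf->host));` runs unconditionally, but the `@@ -995,7 +999,7 @@` hunk has `altcp_tls_create_config_client_2wayauth()` call `altcp_tls_create_config_client_common(ca, ca_len, 1, NULL)`, so the two-way-auth path hands strlcpy a NULL source and dereferences it. Guard the copy (`if (host) strlcpy(conf->host, host, sizeof(conf->host)); else conf->host[0] = '\0';`) and consider giving the 2wayauth entry point its own host parameter too: on the mbedTLS 2.x branch this file says it targets, the name passed to `mbedtls_ssl_set_hostname()` is both the SNI value and the name the server certificate's CN/SAN is checked against, and a connection without it gets no hostname verification at all. Related, in the `@@ -642,6 +643,7 @@` hunk the int return value of `mbedtls_ssl_set_hostname()` is dropped; it fails on bad input or allocation failure, and in that case `altcp_mbedtls_setup()` should fail the setup rather than continue a handshake without SNI or name checking.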
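Review bot: the `@@ -92,7 +92,7 @@` hunk in altcp_tls.h changes the public signature of `altcp_tls_create_config_client()` but leaves the doxygen comment above it untouched; document the new parameter (the name used for SNI and for certificate hostname checking) and make it `const char *host`, since the implementation only ever copies it; the same applies to `altcp_tls_create_config_client_common()` in the `@@ -951,7 +953,7 @@` hunk. Also note that `strlcpy()` into the 256-byte `host[]` added in the `@@ -106,6 +106,7 @@` hunk truncates silently, so an over-long name would be sent and verified in truncated form; returning NULL from the config constructor when `strlen(host) >= sizeof(conf->host)` makes that failure visible instead.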
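Review bot: the `@@ -2028,7 +2028,7 @@` hunk in tcp_out.c and the `@@ -3,7 +3,7 @@` hunk in altcp_tls_mbedtls.c only strip trailing whitespace from a blank line and have nothing to do with SNI; drop them or move them to a separate cleanup patch so the diff against the imported lwIP sources stays minimal and easy to resync with the upstream pull request cited as [0] in the commit message.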
From: Ilias Apalodimas
To: jerome.forissier@linaro.org
Cc: Anton.Antonov@arm.com, Ilias Apalodimas, Tom Rini, Heinrich Schuchardt, Joe Hershberger, Ramon Fried, Simon Glass, Mattijs Korpershoek, AKASHI Takahiro, Dmitry Rokosov, Peter Robinson, Jonathan Humphreys, Wei Ming Chen, Masahisa Kojima, Caleb Connolly, Javier Tia, Raymond Mao, u-boot@lists.denx.de
Subject: [PATCH v3 4/6] net: lwip: Enable https:// support for wget
Date: Sun, 10 Nov 2024 10:28:40 +0200
Message-ID: <20241110083017.367565-5-ilias.apalodimas@linaro.org>
In-Reply-To: <20241110083017.367565-1-ilias.apalodimas@linaro.org>
References: <20241110083017.367565-1-ilias.apalodimas@linaro.org>

With the recent changes of lwip & mbedTLS we can now download from https:// urls instead of just http://. Adjust our wget lwip version parsing to support both URLs. While at it, adjust the default TCP window for QEMU since https seems to require at least 16384.

Signed-off-by: Ilias Apalodimas
Reviewed-by: Simon Glass
Reviewed-by: Jerome Forissier
---
 cmd/Kconfig | 19 +++++++++++
 net/lwip/Kconfig | 2 +-
 net/lwip/wget.c | 86 +++++++++++++++++++++++++++++++++++++++++++-----
 3 files changed, 97 insertions(+), 10 deletions(-)

diff --git a/cmd/Kconfig b/cmd/Kconfig
index 636833646f6e..b2d0348fe309 100644
--- a/cmd/Kconfig
+++ b/cmd/Kconfig
@@ -2124,6 +2124,25 @@ config CMD_WGET wget is a simple command to download kernel, or other files, from a http server over TCP. +config WGET_HTTPS + bool "wget https" + depends on CMD_WGET + depends on PROT_TCP_LWIP + depends on MBEDTLS_LIB + select SHA256 + select RSA + select ASYMMETRIC_KEY_TYPE + select ASYMMETRIC_PUBLIC_KEY_SUBTYPE + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + select MBEDTLS_LIB_CRYPTO + select MBEDTLS_LIB_TLS + select RSA_VERIFY_WITH_PKEY + select X509_CERTIFICATE_PARSER + select PKCS7_MESSAGE_PARSER + help + Enable TLS over http for wget. + endif # if CMD_NET config CMD_PXE diff --git a/net/lwip/Kconfig b/net/lwip/Kconfig index 8a67de4cf335..a9ae9bf7fa2a 100644 --- a/net/lwip/Kconfig +++ b/net/lwip/Kconfig @@ -37,7 +37,7 @@ config PROT_UDP_LWIP config LWIP_TCP_WND int "Value of TCP_WND" - default 8000 if ARCH_QEMU + default 32768 if ARCH_QEMU default 3000000 help Default value for TCP_WND in the lwIP configuration diff --git a/net/lwip/wget.c b/net/lwip/wget.c index b495ebd1aa96..ba8579899002 100644 --- a/net/lwip/wget.c +++ b/net/lwip/wget.c @@ -7,13 +7,17 @@ #include #include #include +#include "lwip/altcp_tls.h" #include +#include #include #include #include +#include #define SERVER_NAME_SIZE 200 #define HTTP_PORT_DEFAULT 80 +#define HTTPS_PORT_DEFAULT 443 #define PROGRESS_PRINT_STEP_BYTES (100 * 1024) enum done_state { 
@@ -32,18 +36,56 @@ struct wget_ctx { enum done_state done; }; -static int parse_url(char *url, char *host, u16 *port, char **path) +bool wget_validate_uri(char *uri); + +int mbedtls_hardware_poll(void *data, unsigned char *output, size_t len, + size_t *olen) +{ + struct udevice *dev; + u64 rng = 0; + int ret; + + *olen = 0; + + ret = uclass_get_device(UCLASS_RNG, 0, &dev); + if (ret) { + log_err("Failed to get an rng: %d\n", ret); + return ret; + } + ret = dm_rng_read(dev, &rng, sizeof(rng)); + if (ret) + return ret; + + memcpy(output, &rng, len); + *olen = sizeof(rng); + + return 0; +} + +static int parse_url(char *url, char *host, u16 *port, char **path, + bool *is_https) { char *p, *pp; long lport; + size_t prefix_len = 0; + + if (!wget_validate_uri(url)) { + log_err("Invalid URL. Use http(s)://\n"); + return -EINVAL; + } + *is_https = false; + *port = HTTP_PORT_DEFAULT; + prefix_len = strlen("http://"); p = strstr(url, "http://"); if (!p) { - log_err("only http:// is supported\n"); - return -EINVAL; + p = strstr(url, "https://"); + prefix_len = strlen("https://"); + *port = HTTPS_PORT_DEFAULT; + *is_https = true; } - p += strlen("http://"); + p += prefix_len; /* Parse hostname */ pp = strchr(p, ':'); @@ -67,9 +109,8 @@ static int parse_url(char *url, char *host, u16 *port, char **path) if (lport > 65535) return -EINVAL; *port = (u16)lport; - } else { - *port = HTTP_PORT_DEFAULT; } + if (*pp != '/') return -EINVAL; *path = pp; @@ -210,12 +251,16 @@ static void httpc_result_cb(void *arg, httpc_result_t httpc_result, static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) { char server_name[SERVER_NAME_SIZE]; +#if defined CONFIG_WGET_HTTPS + altcp_allocator_t tls_allocator; +#endif httpc_connection_t conn; httpc_state_t *state; struct netif *netif; struct wget_ctx ctx; char *path; u16 port; + bool is_https; ctx.daddr = dst_addr; ctx.saved_daddr = dst_addr; 
@@ -224,7 +269,7 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) ctx.prevsize = 0; ctx.start_time = 0; - if (parse_url(uri, server_name, &port, &path)) + if (parse_url(uri, server_name, &port, &path, &is_https)) return CMD_RET_USAGE; netif = net_lwip_new_netif(udev); @@ -232,6 +277,22 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri) return -1; memset(&conn, 0, sizeof(conn)); +#if defined CONFIG_WGET_HTTPS + if (is_https) { + tls_allocator.alloc = &altcp_tls_alloc; + tls_allocator.arg = + altcp_tls_create_config_client(NULL, 0, server_name); + + if (!tls_allocator.arg) { + log_err("error: Cannot create a TLS connection\n"); + net_lwip_remove_netif(netif); + return -1; + } + + conn.altcp_allocator = &tls_allocator; + } +#endif + conn.result_fn = httpc_result_cb; ctx.path = path; if (httpc_get_file_dns(server_name, port, path, &conn, httpc_recv_cb, @@ -316,6 +377,7 @@ bool wget_validate_uri(char *uri) char c; bool ret = true; char *str_copy, *s, *authority; + size_t prefix_len = 0; for (c = 0x1; c < 0x21; c++) { if (strchr(uri, c)) { 
@@ -323,15 +385,21 @@ bool wget_validate_uri(char *uri) return false; } } + if (strchr(uri, 0x7f)) { log_err("invalid character is used\n"); return false; } - if (strncmp(uri, "http://", 7)) { - log_err("only http:// is supported\n"); + if (!strncmp(uri, "http://", strlen("http://"))) { + prefix_len = strlen("http://"); + } else if (!strncmp(uri, "https://", strlen("https://"))) { + prefix_len = strlen("https://"); + } else { + log_err("only http(s):// is supported\n"); return false; } + str_copy = strdup(uri); if (!str_copy) return false; From patchwork Sun Nov 10 08:28:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 842368 Delivered-To: patch@linaro.org Received: by 2002:a5d:6307:0:b0:381:e71e:8f7b with SMTP id i7csp2452141wru; Sun, 10 Nov 2024 00:32:24 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCVuFWM1sraHkdGc0iwHSiLc9nv8L3VKv0E2fiTPHw5KH+la1KfRcb5amE8oXnLBtYXvmtzEEA==@linaro.org X-Google-Smtp-Source: AGHT+IHcWN1tU78jFewF/ddJJleIutq9tg8/vwcRTSxrthqFJgH+b1KRBVaFE7IeCj1bdwBgar55 X-Received: by 2002:aa7:c444:0:b0:5c9:76ca:705b with SMTP id 4fb4d7f45d1cf-5cf0a478e7dmr6066048a12.34.1731227543764; Sun, 10 Nov 2024 00:32:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1731227543; cv=none; d=google.com; s=arc-20240605; b=gfQ8wWlpLEQoJcDrDz6B4pc2QnONMqxRFgfg8qUaRXQH3gbEA9TuX4Y3tfva47D1cr KPi7fP5fp2n3aPhF6dmAwyRH+UfX6yeX1FdMqgXxXWUilLl6hW7aNukec7DZz6mk1x8Y xlyc12xRn9jW65I6eh7UFnGkd2qCYd7ABJQeqmny3vcSlETndJtP1BdVTFhQLOQ8ipi1 TpHAjQypmNH5IlURxLQLaz/MBBJd2mPDpJH5ywFkOshBg2mMHneEEHRyMbJ1+0/9WesU 73ktQCo2b4uZOBTKGCi4XLJlup1Tqj8rpJe2tc16bOsP163UfOsdl7A3zyEzTL1ro0I4 qwZA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to 
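Review bot: in the `@@ -32,18 +36,56 @@` hunk, `mbedtls_hardware_poll()` does `memcpy(output, &rng, len)` from an 8-byte `u64 rng`, but `len` is chosen by the caller and mbedTLS's entropy gathering asks for more than 8 bytes, so the copy reads past `rng` on the stack and feeds whatever follows it into the entropy pool, while `*olen = sizeof(rng)` reports 8 regardless of how many bytes were written. Either copy only `sizeof(rng)` bytes (the poll contract allows `*olen < len`) or, simpler, read straight into the caller's buffer: `ret = dm_rng_read(dev, output, len); if (ret) return ret; *olen = len;`. This function is the only entropy source behind the TLS random number generator, so it deserves the most scrutiny in the patch.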
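Review bot: in the `@@ -32,18 +36,56 @@` hunk `parse_url()` picks http versus https with `p = strstr(url, "http://")`, which matches anywhere in the string, not only at the start. A URL such as `https://host/path?next=http://other` passes `wget_validate_uri()`, which correctly checks the prefix with `strncmp()` in the `@@ -323,15 +385,21 @@` hunk, but here strstr finds the embedded `http://`, so the download goes to `other` on port 80 in plaintext instead of to `host` over TLS. Use the same `strncmp(uri, "https://", strlen("https://"))` / `strncmp(uri, "http://", strlen("http://"))` test at position 0 as the validator does, and return -EINVAL when neither matches rather than assuming https whenever `http://` is absent.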
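Review bot: the `@@ -2124,6 +2124,25 @@` hunk in cmd/Kconfig lists `select X509_CERTIFICATE_PARSER` and `select PKCS7_MESSAGE_PARSER` twice each; drop the duplicates. More importantly, the `@@ -232,6 +277,22 @@` hunk in wget.c calls `altcp_tls_create_config_client(NULL, 0, server_name)`, i.e. with no CA certificate, so the session encrypts the transfer but the server's certificate is not validated against any trust anchor; the help text ("Enable TLS over http for wget.") and the commit message should state this explicitly so nobody assumes a kernel or EFI binary fetched this way has been authenticated. Also, the config returned by `altcp_tls_create_config_client()` is never released with `altcp_tls_free_config()` once the transfer finishes, so every https wget leaks it.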
From: Ilias Apalodimas
To: jerome.forissier@linaro.org
Cc: Anton.Antonov@arm.com, Ilias Apalodimas, Peter Robinson, Simon Glass, Tom Rini, Heinrich Schuchardt, Joe Hershberger, Ramon Fried, Mattijs Korpershoek, AKASHI Takahiro, Dmitry Rokosov, Jonathan Humphreys, Wei Ming Chen, Masahisa Kojima, Caleb Connolly, Javier Tia, Raymond Mao, u-boot@lists.denx.de
Subject: [PATCH v3 5/6] configs: Enable https for wget on qemu arm64
Date: Sun, 10 Nov 2024 10:28:41 +0200
Message-ID: <20241110083017.367565-6-ilias.apalodimas@linaro.org>
In-Reply-To: <20241110083017.367565-1-ilias.apalodimas@linaro.org>
References: <20241110083017.367565-1-ilias.apalodimas@linaro.org>

QEMU already has an lwip variant of a defconfig. That defconfig is also configured with mbedTLS by default. So let's enable the remaining config options to enable wget for https:// as well and test that codepath in the CI.

Reviewed-by: Jerome Forissier
Reviewed-by: Peter Robinson
Reviewed-by: Simon Glass
Signed-off-by: Ilias Apalodimas
---
 configs/qemu_arm64_lwip_defconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configs/qemu_arm64_lwip_defconfig b/configs/qemu_arm64_lwip_defconfig
index d3d8ef16e668..754c770c33fc 100644
--- a/configs/qemu_arm64_lwip_defconfig
+++ b/configs/qemu_arm64_lwip_defconfig
@@ -7,3 +7,4 @@ CONFIG_NET_LWIP=y CONFIG_CMD_DNS=y CONFIG_CMD_WGET=y CONFIG_EFI_HTTP_BOOT=y +CONFIG_WGET_HTTPS=y From patchwork Sun Nov 10 08:28:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ilias Apalodimas X-Patchwork-Id: 842369 Delivered-To: patch@linaro.org Received: by 2002:a5d:6307:0:b0:381:e71e:8f7b with SMTP id i7csp2452220wru; Sun, 10 Nov 2024 00:32:41 -0800 (PST) X-Forwarded-Encrypted: i=2; AJvYcCUF0XJEIvCeoIBRL8B6Wi/UDqLobH2bAaJKrQIGDMRU/aKnwxfLL8naMy500FmTBJe7/XCfTw==@linaro.org X-Google-Smtp-Source: AGHT+IGhCOLewG9p0qQADEKyYSdRKHoNxlwuS4c11KgNYqgTqstlq+cqY1qXnS9tNcqnan0xHHLQ X-Received: by 2002:a17:907:6092:b0:a9a:1e4d:856d with SMTP id a640c23a62f3a-a9eeff0e3e1mr765612266b.22.1731227561518; Sun, 10 Nov 2024 00:32:41 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1731227561; cv=none; d=google.com; s=arc-20240605; b=GDrajpMk/pd7h0GXPGy8qG+Oa2VXVBXnES+yguZ4z+hP9DpXgGPmnTI+2XznmzHohw kqWNMjaTJ7Rl0SLsRfP6Ul1L+nzwLiECatrGzNSAQiS4/7/rH1fW128lqUpsvxntpSz3 Oxc4oCnFZ/Geu2SaGC9sKmw9W+5DMkLbP67cp+bQ+u+aD+uv73hp2PGbs330bp2Cg5sJ vSUVuwkdlHvM9H3RdZguTVSPLk/lBUKzVDlD5xiK/OQsQAgn1EvfoywU9T31mY6sk/a5 5pEyaZJ/LzeRWHR0T5wESiyxr04IEyk+y3bjb83BKTsj9XK3MZsS3TUN3pqydN5C9TSr MWBA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=sender:errors-to:list-subscribe:list-help:list-post:list-archive :list-unsubscribe:list-id:precedence:content-transfer-encoding :mime-version:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=MTO0Kxk0iggDXXIa3ZiQy7xO/LXQRz1tP65CoYNYwig=; fh=8PtuKUlfbsx2RLLsK9luj1ZmmOpxOjoUEJOuUkbXq+g=; b=JMP8gV4MCIHNc4JIobvRJC/YtVIr+7afgtGWPGvWxyh/njLShIwBL0nwl5fTWBay8D 3McdnjVVmd9YSxfIQtrysh70WWWQqWbXXzwlCq2w3FAgfkQD5urd7gIQeOgxFB40bjfk ROtewXTo1w7viLrF9aw0Mx4PpuZsmX9NjwfSmOH9e3JHu+7QML7UooCvB2wT7bQXBhIA 78wleIB2JzeLLFgZQHVpeKaMQjl0mMxIjiyww/1ogN7RI/AG1S0DXy/6yZkBJlX5GgMe 
From: Ilias Apalodimas
To: jerome.forissier@linaro.org
Cc: Anton.Antonov@arm.com, Ilias Apalodimas, Simon Glass, Tom Rini, Heinrich Schuchardt, Joe Hershberger, Ramon Fried, Mattijs Korpershoek, AKASHI Takahiro, Dmitry Rokosov, Peter Robinson, Jonathan Humphreys, Wei Ming Chen, Caleb Connolly, Masahisa Kojima, Javier Tia, Raymond Mao, u-boot@lists.denx.de
Subject: [PATCH v3 6/6] doc: uefi: Describe UEFI HTTPs boot
Date: Sun, 10 Nov 2024 10:28:42 +0200
Message-ID: <20241110083017.367565-7-ilias.apalodimas@linaro.org>
In-Reply-To: <20241110083017.367565-1-ilias.apalodimas@linaro.org>
References: <20241110083017.367565-1-ilias.apalodimas@linaro.org>

We now can use a combination of lwIP & mbedTLS and download from https://.
Describe the config options needed to enable it as well as some limitations.

Reviewed-by: Simon Glass
Reviewed-by: Jerome Forissier
Signed-off-by: Ilias Apalodimas
---
 doc/develop/uefi/uefi.rst | 45 +++++++++++++++++++++++++++++++++++++--
 1 file changed, 43 insertions(+), 2 deletions(-)

diff --git a/doc/develop/uefi/uefi.rst b/doc/develop/uefi/uefi.rst
index 0760ca91d4fc..48d6110b2ad1 100644
--- a/doc/develop/uefi/uefi.rst
+++ b/doc/develop/uefi/uefi.rst
@@ -681,8 +681,8 @@ UEFI variables. Booting according to these variables is possible via:: As of U-Boot v2020.10 UEFI variables cannot be set at runtime. The U-Boot command 'efidebug' can be used to set the variables. -UEFI HTTP Boot -~~~~~~~~~~~~~~ +UEFI HTTP Boot using the legacy TCP stack +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ HTTP Boot provides the capability for system deployment and configuration over the network. HTTP Boot can be activated by specifying:: 
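Review bot: renaming the heading from "UEFI HTTP Boot" to "UEFI HTTP Boot using the legacy TCP stack" also changes the anchor Sphinx generates for this section, so any existing `:ref:` or hyperlink to the old title (inside doc/ or from outside) stops resolving; grep the tree for references to the old heading before merging, or add an explicit label above the heading so both names keep working. Also double-check that the replaced `~` underline is at least as long as the new 41-character title, otherwise Sphinx reports a title underline warning for this hunk.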
@@ -715,6 +715,47 @@ We need to preset the "httpserverip" environment variable to proceed the wget:: setenv httpserverip 192.168.1.1 +UEFI HTTP(s) Boot using lwIP +~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Similar to the above U-Boot can do EFI HTTP boot using lwIP. If we combine this +with Mbed TLS we can also download from https:// + +HTTP(s) Boot can be activated by specifying:: + + CONFIG_EFI_HTTP_BOOT + CONFIG_NET_LWIP + CONFIG_WGET_HTTPS + +For QEMU targets there's a Kconfig that supports this by default:: + + make qemu_arm64_lwip_defconfig + +The commands and functionality are similar to the legacy stack, with the notable +exception of not having to define an "httpserverip" if you are trying to resolve +an IP. However, lwIP code doesn't yet support redirects:: + + => efidebug boot add -u 1 netinst https://cdimage.debian.org/cdimage/weekly-builds/arm64/iso-cd/debian-testing-arm64-netinst.iso + => dhcp + DHCP client bound to address 10.0.2.15 (3 ms) + => efidebug boot order 1 + => bootefi bootmgr + + HTTP server error 302 + Loading Boot0001 'netinst' failed + EFI boot manager: Cannot load any image + +If the url you specified isn't a redirect:: + + => efidebug boot add -u 1 netinst https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.4-aarch64-minimal.iso + => dhcp + => bootefi bootmgr + ####################################### + +If the downloaded file extension is .iso or .img file, efibootmgr tries to +mount the image and boot with the default file(e.g. EFI/BOOT/BOOTAA64.EFI). +If the downloaded file is PE-COFF image, load the downloaded file and +start it. + Executing the built in hello world application ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
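Review bot: the new "UEFI HTTP(s) Boot using lwIP" section never states what TLS verification the https:// download performs, i.e. whether CONFIG_WGET_HTTPS validates the server certificate chain against a configured trust store and checks the hostname, or whether it only encrypts the transport. A reader will assume an https:// URL authenticates the image source; if it does not, say so in this paragraph and note that the fetched .iso/.img or PE-COFF image is only trusted once UEFI Secure Boot (or another signature check) has verified it. In the same hunk: "If we combine this with Mbed TLS" should be accompanied by the Kconfig symbol that enables Mbed TLS in the `::` list next to CONFIG_WGET_HTTPS, since the text says https:// depends on it but gives no option for it; "efibootmgr" in the last paragraph is the Linux userspace tool, the component meant here is the EFI boot manager started by `bootefi bootmgr`; "if you are trying to resolve an IP" should read "resolve a hostname"; "default file(e.g." needs a space and "is PE-COFF image" an article; and the spelling should be unified to "HTTPS" rather than mixing "HTTP(s)", "HTTPs" (subject) and "https://". The two example URLs pin specific ISO builds (a weekly debian-testing image, Rocky-9.4) that will go stale; marking them as illustrative, or using a generic placeholder host, would keep the doc accurate longer.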