GET /api/patches/2055648/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2055648,
    "url": "http://patchwork.ozlabs.org/api/patches/2055648/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/uboot/patch/20250305142650.2966738-2-jerome.forissier@linaro.org/",
    "project": {
        "id": 18,
        "url": "http://patchwork.ozlabs.org/api/projects/18/?format=api",
        "name": "U-Boot",
        "link_name": "uboot",
        "list_id": "u-boot.lists.denx.de",
        "list_email": "u-boot@lists.denx.de",
        "web_url": null,
        "scm_url": null,
        "webscm_url": null,
        "list_archive_url": "",
        "list_archive_url_format": "",
        "commit_url_format": ""
    },
    "msgid": "<20250305142650.2966738-2-jerome.forissier@linaro.org>",
    "list_archive_url": null,
    "date": "2025-03-05T14:26:42",
    "name": "[v2,1/6] net: lwip: extend wget to support CA (root) certificates",
    "commit_ref": "2df965d385872b2ae49a79c2cab4679a8999467f",
    "pull_url": null,
    "state": "accepted",
    "archived": false,
    "hash": "e157380c2303f20ab4b1b1fa2a6c43f28daf969f",
    "submitter": {
        "id": 69192,
        "url": "http://patchwork.ozlabs.org/api/people/69192/?format=api",
        "name": "Jerome Forissier",
        "email": "jerome.forissier@linaro.org"
    },
    "delegate": {
        "id": 157425,
        "url": "http://patchwork.ozlabs.org/api/users/157425/?format=api",
        "username": "jforissier",
        "first_name": "Jerome",
        "last_name": "Forissier",
        "email": "jerome.forissier@linaro.org"
    },
    "mbox": "http://patchwork.ozlabs.org/project/uboot/patch/20250305142650.2966738-2-jerome.forissier@linaro.org/mbox/",
    "series": [
        {
            "id": 447137,
            "url": "http://patchwork.ozlabs.org/api/series/447137/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/uboot/list/?series=447137",
            "date": "2025-03-05T14:26:41",
            "name": "net: lwip: root certificates",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/447137/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2055648/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2055648/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<u-boot-bounces@lists.denx.de>",
        "X-Original-To": "incoming@patchwork.ozlabs.org",
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.a=rsa-sha256\n header.s=google header.b=TCqg61kx;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de\n (client-ip=85.214.62.61; helo=phobos.denx.de;\n envelope-from=u-boot-bounces@lists.denx.de; receiver=patchwork.ozlabs.org)",
            "phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=linaro.org",
            "phobos.denx.de;\n spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de",
            "phobos.denx.de;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=linaro.org header.i=@linaro.org header.b=\"TCqg61kx\";\n\tdkim-atps=neutral",
            "phobos.denx.de;\n dmarc=pass (p=none dis=none) header.from=linaro.org",
            "phobos.denx.de;\n spf=pass smtp.mailfrom=jerome.forissier@linaro.org"
        ],
        "Received": [
            "from phobos.denx.de (phobos.denx.de [85.214.62.61])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature ECDSA (secp384r1))\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4Z7FJ21VmXz1yVg\n\tfor <incoming@patchwork.ozlabs.org>; Thu,  6 Mar 2025 01:27:30 +1100 (AEDT)",
            "from h2850616.stratoserver.net (localhost [IPv6:::1])\n\tby phobos.denx.de (Postfix) with ESMTP id 670DE80F56;\n\tWed,  5 Mar 2025 15:27:19 +0100 (CET)",
            "by phobos.denx.de (Postfix, from userid 109)\n id 38EBF80F92; Wed,  5 Mar 2025 15:27:18 +0100 (CET)",
            "from mail-wr1-x429.google.com (mail-wr1-x429.google.com\n [IPv6:2a00:1450:4864:20::429])\n (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))\n (No client certificate requested)\n by phobos.denx.de (Postfix) with ESMTPS id CACA680F92\n for <u-boot@lists.denx.de>; Wed,  5 Mar 2025 15:27:15 +0100 (CET)",
            "by mail-wr1-x429.google.com with SMTP id\n ffacd0b85a97d-3910e101d0fso2277282f8f.2\n for <u-boot@lists.denx.de>; Wed, 05 Mar 2025 06:27:15 -0800 (PST)",
            "from builder.. ([2a01:e0a:3cb:7bb0:369c:9bd8:7c87:9a39])\n by smtp.gmail.com with ESMTPSA id\n ffacd0b85a97d-391188029e0sm5442456f8f.52.2025.03.05.06.27.14\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Wed, 05 Mar 2025 06:27:14 -0800 (PST)"
        ],
        "X-Spam-Checker-Version": "SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de",
        "X-Spam-Level": "",
        "X-Spam-Status": "No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,\n DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_BLOCKED,\n SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.2",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=linaro.org; s=google; t=1741184835; x=1741789635; darn=lists.denx.de;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:from:to:cc:subject:date\n :message-id:reply-to;\n bh=8OM/CQnAr6FiV5DCMs4qVGKNCQbCRd11dI1O97N7MLA=;\n b=TCqg61kxHY/aK1ymDlz9gsD/IpgTuDBgKu6QgAy6nRCR6EnCfAZ5s6A0EK2q0V4rCs\n WNiJ8ERvRP4DSWC+3aAnj0PEfnGCi2sUvsYMPOrp9D+ToW8BgNehVK50/o8WPCAxIbsK\n mlpILY++MT+lhU9sWMIe/Hon3P5fWc6RButYjQ07rS4Q9DsiVxZvaGmaL6P7sVVW7uXa\n HlhuuMqvIklNJSCOj7M8+xOAkaNqSKWn8xe9ykxlPDAwpWxRGTiZDeSd+Gpwv0pvIbOP\n 8TdnlUDPBsu2+MNlWW6oizK3Av7rWJ4eyPL4IfajMr7erqF60UBxKexbz62yCBIjMrdG\n RPWw==",
        "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20230601; t=1741184835; x=1741789635;\n h=content-transfer-encoding:mime-version:references:in-reply-to\n :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc\n :subject:date:message-id:reply-to;\n bh=8OM/CQnAr6FiV5DCMs4qVGKNCQbCRd11dI1O97N7MLA=;\n b=NK8LE5QA/013LWXb8RPQgQH7G+e70SeLziVkBeVRaM101tjdhgkArmBXhvE6GUs2Xd\n whci8AAHmWSgIc4zHlLGHM0sGTu4RnCPG7LG6HOghulP4El0gRyW46G3CXSIV3yHTr6k\n eeHJvPSEE+NC7THZkh13cKZYlo18B2QoENiDjyrupsfAoXLnHwPomdSfZAXjjyyfwBV7\n pVAvB+Cbe3i6L4SqFAfm4TX1nJQFR/bT+Rg4c9MjQrEgsJEx/iOzcL8J7FM84xaI1OdW\n 30wvD4ZcPONBK+eaG3as9QdOOGMuMcCIAxOKoPX54PZEN0PNCg1YMaI+HlPET9ivJDUg\n fM/A==",
        "X-Gm-Message-State": "AOJu0Ywtt/RifvLTg0fl3GIYo0yzWra4i+JDVY4Sr3iBT68IfGnfu92F\n 4JChIHl1AMU+iL9vragSpFGkpcx4YIJcY7dtOZCRRF1GSjsE8r9gww9gaW+Hi5uTFnCyvdawkfZ\n s",
        "X-Gm-Gg": "ASbGncvhZy8NiOIH5vU34SxnbOCTz019hKH88RpKV3MghvPHJWIgUUMp/yL6u4zapXO\n Mo8iMomQ4L+w3wwqJy8tRSHjnwsvHC82kqoK60bBfbwuLl3cJ0PIYjfFsfbWvlkV5XsbBVRGFKn\n YP0oco7jgCohdXukjMwTdzCkEtvG75Sc4WcUY2CNmm5Y6qNaO284UEPaBeDL+sCXw2t91wwYqGD\n xhGT0Uo1fWN0Uyf+h8PSo4k7go52rVbZjtrlPgBmAglxr80acRpMcXfJlKgP8nQC6Yfle3GW1Ur\n 2u+2GVgHRbUOTnI5as6SXsl5OSioXcJWWmMA+Nsxxmr92f9Z+q5PEA==",
        "X-Google-Smtp-Source": "\n AGHT+IHTS+CdkgdNKNoYwFzjb26CYkqtfQwyT+IGXQN2kRUIRhbCVekH/ki6NE5vvz3coPEV8RxQmA==",
        "X-Received": "by 2002:a5d:5846:0:b0:391:2353:8a57 with SMTP id\n ffacd0b85a97d-39123538ab5mr1918042f8f.34.1741184835084;\n Wed, 05 Mar 2025 06:27:15 -0800 (PST)",
        "From": "Jerome Forissier <jerome.forissier@linaro.org>",
        "To": "u-boot@lists.denx.de",
        "Cc": "Ilias Apalodimas <ilias.apalodimas@linaro.org>,\n Jerome Forissier <jerome.forissier@linaro.org>,\n Tom Rini <trini@konsulko.com>, Joe Hershberger <joe.hershberger@ni.com>,\n Ramon Fried <rfried.dev@gmail.com>, Simon Glass <sjg@chromium.org>,\n Heinrich Schuchardt <xypron.glpk@gmx.de>,\n Mattijs Korpershoek <mkorpershoek@baylibre.com>,\n Ibai Erkiaga <ibai.erkiaga-elorza@amd.com>,\n Michal Simek <michal.simek@amd.com>, Adriano Cordova <adrianox@gmail.com>",
        "Subject": "[PATCH v2 1/6] net: lwip: extend wget to support CA (root)\n certificates",
        "Date": "Wed,  5 Mar 2025 15:26:42 +0100",
        "Message-ID": "<20250305142650.2966738-2-jerome.forissier@linaro.org>",
        "X-Mailer": "git-send-email 2.43.0",
        "In-Reply-To": "<20250305142650.2966738-1-jerome.forissier@linaro.org>",
        "References": "<20250305142650.2966738-1-jerome.forissier@linaro.org>",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "X-BeenThere": "u-boot@lists.denx.de",
        "X-Mailman-Version": "2.1.39",
        "Precedence": "list",
        "List-Id": "U-Boot discussion <u-boot.lists.denx.de>",
        "List-Unsubscribe": "<https://lists.denx.de/options/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>",
        "List-Archive": "<https://lists.denx.de/pipermail/u-boot/>",
        "List-Post": "<mailto:u-boot@lists.denx.de>",
        "List-Help": "<mailto:u-boot-request@lists.denx.de?subject=help>",
        "List-Subscribe": "<https://lists.denx.de/listinfo/u-boot>,\n <mailto:u-boot-request@lists.denx.de?subject=subscribe>",
        "Errors-To": "u-boot-bounces@lists.denx.de",
        "Sender": "\"U-Boot\" <u-boot-bounces@lists.denx.de>",
        "X-Virus-Scanned": "clamav-milter 0.103.8 at phobos.denx.de",
        "X-Virus-Status": "Clean"
    },
    "content": "Add the \"cacert\" (Certification Authority certificates) subcommand to\nwget to pass root certificates to the code handling the HTTPS protocol.\nThe subcommand is enabled by the WGET_CACERT Kconfig symbol.\n\nUsage example:\n\n => dhcp\n # Download some root certificates (note: not authenticated!)\n => wget https://cacerts.digicert.com/DigiCertTLSECCP384RootG5.crt\n # Provide root certificates\n => wget cacert $fileaddr $filesize\n # Enforce verification (it is optional by default)\n => wget cacert required\n # Forget the root certificates\n => wget cacert 0 0\n # Disable verification\n => wget cacert none\n\nSigned-off-by: Jerome Forissier <jerome.forissier@linaro.org>\n---\n cmd/Kconfig     |   8 ++++\n cmd/net-lwip.c  |  17 ++++++--\n net/lwip/wget.c | 102 ++++++++++++++++++++++++++++++++++++++++++++++--\n 3 files changed, 121 insertions(+), 6 deletions(-)",
    "diff": "diff --git a/cmd/Kconfig b/cmd/Kconfig\nindex 8dd42571abc..d469217c0ea 100644\n--- a/cmd/Kconfig\n+++ b/cmd/Kconfig\n@@ -2177,6 +2177,14 @@ config WGET_HTTPS\n \thelp\n \t  Enable TLS over http for wget.\n \n+config WGET_CACERT\n+\tbool \"wget cacert\"\n+\tdepends on CMD_WGET\n+\tdepends on WGET_HTTPS\n+\thelp\n+\t  Adds the \"cacert\" sub-command to wget to provide root certificates\n+\t  to the HTTPS engine. Must be in DER format.\n+\n endif  # if CMD_NET\n \n config CMD_PXE\ndiff --git a/cmd/net-lwip.c b/cmd/net-lwip.c\nindex 0fd446ecb20..1152c94a6dc 100644\n--- a/cmd/net-lwip.c\n+++ b/cmd/net-lwip.c\n@@ -27,9 +27,20 @@ U_BOOT_CMD(dns, 3, 1, do_dns, \"lookup the IP of a hostname\",\n #endif\n \n #if defined(CONFIG_CMD_WGET)\n-U_BOOT_CMD(wget, 3, 1, do_wget,\n-\t   \"boot image via network using HTTP/HTTPS protocol\",\n+U_BOOT_CMD(wget, 4, 1, do_wget,\n+\t   \"boot image via network using HTTP/HTTPS protocol\"\n+#if defined(CONFIG_WGET_CACERT)\n+\t   \"\\nwget cacert - configure wget root certificates\"\n+#endif\n+\t   ,\n \t   \"[loadAddress] url\\n\"\n-\t   \"wget [loadAddress] [host:]path\"\n+\t   \"wget [loadAddress] [host:]path\\n\"\n+\t   \"    - load file\"\n+#if defined(CONFIG_WGET_CACERT)\n+\t   \"\\nwget cacert <address> <length>\\n\"\n+\t   \"    - provide CA certificates (0 0 to remove current)\"\n+\t   \"\\nwget cacert none|optional|required\\n\"\n+\t   \"    - set server certificate verification mode (default: optional)\"\n+#endif\n );\n #endif\ndiff --git a/net/lwip/wget.c b/net/lwip/wget.c\nindex 14f27d42998..c22843ee10d 100644\n--- a/net/lwip/wget.c\n+++ b/net/lwip/wget.c\n@@ -285,9 +285,68 @@ static err_t httpc_headers_done_cb(httpc_state_t *connection, void *arg, struct\n \treturn ERR_OK;\n }\n \n+#if CONFIG_IS_ENABLED(WGET_HTTPS)\n+enum auth_mode {\n+\tAUTH_NONE,\n+\tAUTH_OPTIONAL,\n+\tAUTH_REQUIRED,\n+};\n+\n+static char *cacert;\n+static size_t cacert_size;\n+static enum auth_mode cacert_auth_mode = 
AUTH_OPTIONAL;\n+#endif\n+\n+#if CONFIG_IS_ENABLED(WGET_CACERT)\n+static int set_auth(enum auth_mode auth)\n+{\n+\tcacert_auth_mode = auth;\n+\n+\treturn CMD_RET_SUCCESS;\n+}\n+\n+static int set_cacert(char * const saddr, char * const ssz)\n+{\n+\tmbedtls_x509_crt crt;\n+\tulong addr, sz;\n+\tint ret;\n+\n+\tif (cacert)\n+\t\tfree(cacert);\n+\n+\taddr = hextoul(saddr, NULL);\n+\tsz = hextoul(ssz, NULL);\n+\n+\tif (!addr) {\n+\t\tcacert = NULL;\n+\t\tcacert_size = 0;\n+\t\treturn CMD_RET_SUCCESS;\n+\t}\n+\n+\tcacert = malloc(sz);\n+\tif (!cacert)\n+\t\treturn CMD_RET_FAILURE;\n+\tcacert_size = sz;\n+\n+\tmemcpy(cacert, (void *)addr, sz);\n+\n+\tmbedtls_x509_crt_init(&crt);\n+\tret = mbedtls_x509_crt_parse(&crt, cacert, cacert_size);\n+\tif (ret) {\n+\t\tprintf(\"Could not parse certificates (%d)\\n\", ret);\n+\t\tfree(cacert);\n+\t\tcacert = NULL;\n+\t\tcacert_size = 0;\n+\t\treturn CMD_RET_FAILURE;\n+\t}\n+\n+\treturn CMD_RET_SUCCESS;\n+}\n+#endif\n+\n static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)\n {\n-#if defined CONFIG_WGET_HTTPS\n+#if CONFIG_IS_ENABLED(WGET_HTTPS)\n \taltcp_allocator_t tls_allocator;\n #endif\n \thttpc_connection_t conn;\n@@ -312,11 +371,34 @@ static int wget_loop(struct udevice *udev, ulong dst_addr, char *uri)\n \t\treturn -1;\n \n \tmemset(&conn, 0, sizeof(conn));\n-#if defined CONFIG_WGET_HTTPS\n+#if CONFIG_IS_ENABLED(WGET_HTTPS)\n \tif (is_https) {\n+\t\tchar *ca = cacert;\n+\t\tsize_t ca_sz = cacert_size;\n+\n+\t\tif (cacert_auth_mode == AUTH_REQUIRED) {\n+\t\t\tif (!ca || !ca_sz) {\n+\t\t\t\tprintf(\"Error: cacert authentication mode is \"\n+\t\t\t\t       \"'required' but no CA certificates \"\n+\t\t\t\t       \"given\\n\");\n+\t\t\t\treturn CMD_RET_FAILURE;\n+\t\t       }\n+\t\t} else if (cacert_auth_mode == AUTH_NONE) {\n+\t\t\tca = NULL;\n+\t\t\tca_sz = 0;\n+\t\t} else if (cacert_auth_mode == AUTH_OPTIONAL) {\n+\t\t\t/*\n+\t\t\t * Nothing to do, this is the default behavior of\n+\t\t\t * altcp_tls to check 
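Review bot: In set_cacert() the local `mbedtls_x509_crt crt` is initialised and parsed only to validate the buffer and is never released, so each `wget cacert <address> <length>` call leaks the parsed chain on both the success and the failure path. Add `mbedtls_x509_crt_free(&crt);` directly after the `mbedtls_x509_crt_parse()` call, before `ret` is tested. When `malloc(sz)` fails the function returns with `cacert` set to NULL but `cacert_size` still holding the previous length; setting `cacert = NULL; cacert_size = 0;` right after the initial `free(cacert)` keeps the pair consistent on every exit. `sz` comes straight from `hextoul(ssz, NULL)` and feeds `malloc()` and `memcpy()` unchecked, and a non-zero address with a zero length is rejected only indirectly by the parser, so an explicit `if (!sz) return CMD_RET_USAGE;` would make the intent visible.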
server certificates against CA\n+\t\t\t * certificates when the latter are provided and proceed\n+\t\t\t * with no verification if not.\n+\t\t\t */\n+\t\t}\n+\n \t\ttls_allocator.alloc = &altcp_tls_alloc;\n \t\ttls_allocator.arg =\n-\t\t\taltcp_tls_create_config_client(NULL, 0, ctx.server_name);\n+\t\t\taltcp_tls_create_config_client(ca, ca_sz,\n+\t\t\t\t\t\t       ctx.server_name);\n \n \t\tif (!tls_allocator.arg) {\n \t\t\tlog_err(\"error: Cannot create a TLS connection\\n\");\n@@ -369,6 +451,20 @@ int do_wget(struct cmd_tbl *cmdtp, int flag, int argc, char * const argv[])\n \tulong dst_addr;\n \tchar nurl[1024];\n \n+#if CONFIG_IS_ENABLED(WGET_CACERT)\n+\tif (argc == 4 && !strncmp(argv[1], \"cacert\", strlen(\"cacert\")))\n+\t\treturn set_cacert(argv[2], argv[3]);\n+\tif (argc == 3 && !strncmp(argv[1], \"cacert\", strlen(\"cacert\"))) {\n+\t\tif (!strncmp(argv[2], \"none\", strlen(\"none\")))\n+\t\t\treturn set_auth(AUTH_NONE);\n+\t\tif (!strncmp(argv[2], \"optional\", strlen(\"optional\")))\n+\t\t\treturn set_auth(AUTH_OPTIONAL);\n+\t\tif (!strncmp(argv[2], \"required\", strlen(\"required\")))\n+\t\t\treturn set_auth(AUTH_REQUIRED);\n+\t\treturn CMD_RET_USAGE;\n+\t}\n+#endif\n+\n \tif (argc < 2 || argc > 3)\n \t\treturn CMD_RET_USAGE;\n \n",
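Review bot: The new `return CMD_RET_FAILURE;` in the `AUTH_REQUIRED` branch of wget_loop() returns a positive command status, while the context line just before the `memset()` returns `-1`. The caller is outside the hunk, but if it tests the result with `< 0`, the "required but no CA certificates" case would be treated as success and the enforcement would be skipped; `return -1;` would match the function's visible convention. Also, the default `AUTH_OPTIONAL` falls through to an unverified TLS session whenever no certificates are loaded, and nothing in the hunk tells the user this happened. A one-line console notice in the empty `AUTH_OPTIONAL` branch when `ca` is NULL would make the unauthenticated download visible. Whether `altcp_tls_create_config_client()` actually makes verification mandatory when `ca` is non-NULL cannot be seen here and should be confirmed for the `required` mode.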
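Review bot: The `strncmp(..., strlen("..."))` calls added to do_wget() are prefix matches, so an argument such as `nonexistent` is accepted as `none` and sets `AUTH_NONE`, and any first argument that merely begins with `cacert` is taken as the sub-command. Since this argument decides whether the server certificate is verified, a typo should give `CMD_RET_USAGE` instead of silently picking a mode. Use exact comparison, e.g. `if (!strcmp(argv[2], "none"))`, and likewise for `optional`, `required` and the `cacert` keyword itself. do_wget's body continues outside the hunk.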
    "prefixes": [
        "v2",
        "1/6"
    ]
}