doc/usage/cmd/wget.rst

.. SPDX-License-Identifier: GPL-2.0+:

.. index::
   single: wget (command)

wget command
============

Synopsis
--------

::

    wget [address] [host:]path
    wget [address] url                  # lwIP only
    wget cacert none|optional|required  # lwIP only
    wget cacert <address> <size>        # lwIP only


Description
-----------

The wget command is used to download a file from an HTTP(S) server.
In order to use HTTPS you will need to compile wget with lwIP support.

Legacy syntax
~~~~~~~~~~~~~

The legacy syntax is supported by the legacy network stack (CONFIG_NET=y)
as well as by the lwIP base network stack (CONFIG_NET_LWIP=y). It supports HTTP
only.

By default the destination port is 80 and the source port is pseudo-random.
On the legacy nework stack the environment variable *httpdstp* can be used to
set the destination port

address
    memory address for the data downloaded

host
    IP address (or host name if `CONFIG_CMD_DNS` is enabled) of the HTTP
    server, defaults to the value of environment variable *serverip*.

path
    path of the file to be downloaded.

New syntax (lwIP only)
~~~~~~~~~~~~~~~~~~~~~~

In addition to the syntax described above, wget accepts URLs if the network
stack is lwIP.

address
    memory address for the data downloaded

url
    HTTP or HTTPS URL, that is: http[s]://<host>[:<port>]/<path>.

The cacert (stands for 'Certification Authority certificates') subcommand is
used to provide root certificates for the purpose of HTTPS authentication. It
also allows to enable or disable authentication.

wget cacert <address> <size>

address
    memory address of the root certificates in X509 DER format

size
    the size of the root certificates

wget cacert none|optional|required

none
    certificate verification is disabled. HTTPS is used without any server
    authentication (unsafe)
optional
    certificate verification is enabled provided root certificates have been
    provided via wget cacert <addr> <size> or wget cacert builtin. Otherwise
    HTTPS is used without any server authentication (unsafe).
required
    certificate verification is mandatory. If no root certificates have been
    configured, HTTPS transfers will fail.


Examples
--------

Example with the legacy network stack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

In the example the following steps are executed:

* setup client network address
* download a file from the HTTP server

::

    => setenv autoload no
    => dhcp
    BOOTP broadcast 1
    *** Unhandled DHCP Option in OFFER/ACK: 23
    *** Unhandled DHCP Option in OFFER/ACK: 23
    DHCP client bound to address 192.168.1.105 (210 ms)
    => wget ${loadaddr} 192.168.1.254:/index.html
    HTTP/1.0 302 Found
    Packets received 4, Transfer Successful

Example with lwIP
~~~~~~~~~~~~~~~~~

In the example the following steps are executed:

* setup client network address
* download a file from the HTTPS server

::

   => dhcp
   DHCP client bound to address 10.0.2.15 (3 ms)
   => wget https://download.rockylinux.org/pub/rocky/9/isos/aarch64/Rocky-9.4-aarch64-minimal.iso
   ##########################################################################
   ##########################################################################
   ##########################################################################
   [...]
   1694892032 bytes transferred in 492181 ms (3.3 MiB/s)
   Bytes transferred = 1694892032 (65060000 hex)

Here is an example showing how to configure built-in root certificates as
well as providing some at run time. In this example it is assumed that
CONFIG_WGET_BUILTIN_CACERT_PATH=DigiCertTLSRSA4096RootG5.crt downloaded from
https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt.

::

   # Make sure IP is configured
   => dhcp
   # When built-in certificates are configured, authentication is mandatory
   # (i.e., "wget cacert required"). Use a test server...
   => wget https://digicert-tls-rsa4096-root-g5.chain-demos.digicert.com/
   1864 bytes transferred in 1 ms (1.8 MiB/s)
   Bytes transferred = 1864 (748 hex)
   # Another server not signed against Digicert will fail
   => wget https://www.google.com/
   Certificate verification failed

   HTTP client error 4
   # Disable authentication to allow the command to proceed anyways
   => wget cacert none
   => wget https://www.google.com/
   WARNING: no CA certificates, HTTPS connections not authenticated
   16683 bytes transferred in 15 ms (1.1 MiB/s)
   Bytes transferred = 16683 (412b hex)
   # Force verification but unregister the CA certificates
   => wget cacert required
   => wget cacert 0 0
   # Unsurprisingly, download fails
   => wget https://digicert-tls-rsa4096-root-g5.chain-demos.digicert.com/
   Error: cacert authentication mode is 'required' but no CA certificates given
   # Get the same certificates as above from the network
   => wget cacert none
   => wget https://cacerts.digicert.com/DigiCertTLSRSA4096RootG5.crt
   WARNING: no CA certificates, HTTPS connections not authenticated
   1386 bytes transferred in 1 ms (1.3 MiB/s)
   Bytes transferred = 1386 (56a hex)
   # Register them and force authentication
   => wget cacert $fileaddr $filesize
   => wget cacert required
   # Authentication is operational again
   => wget https://digicert-tls-rsa4096-root-g5.chain-demos.digicert.com/
   1864 bytes transferred in 1 ms (1.8 MiB/s)
   Bytes transferred = 1864 (748 hex)
   # The builtin certificates can be restored at any time
   => wget cacert builtin

Configuration
-------------

The command is only available if CONFIG_CMD_WGET=y.
To enable lwIP support set CONFIG_NET_LWIP=y. In this case, root certificates
support can be enabled via CONFIG_WGET_BUILTIN_CACERT=y
CONFIG_WGET_BUILTIN_CACERT_PATH=<some path> (for built-in certificates) and/or
CONFIG_WGET_CACERT=y (for the wget cacert command).

TCP Selective Acknowledgments in the legacy network stack can be enabled via
CONFIG_PROT_TCP_SACK=y. This will improve the download speed. Selective
Acknowledgments are enabled by default with lwIP.

.. note::

    U-Boot currently has no way to verify certificates for HTTPS.
    A place to store the root CA certificates is needed, and then MBed TLS would
    need to walk the entire chain. Therefore, man-in-the middle attacks are
    possible and HTTPS should not be relied upon for payload authentication.

Return value
------------

The return value $? is 0 (true) on success and 1 (false) otherwise.