From 7fbedb1ba3849464921f6514d51686be769f454d Mon Sep 17 00:00:00 2001 From: Gregory Eslinger Date: Tue, 21 May 2019 19:42:18 +0200 Subject: [PATCH 1/6] esp_https_ota: Removed unnecessary free() Closes https://github.com/espressif/esp-idf/issues/3504 Merges https://github.com/espressif/esp-idf/pull/3513 Signed-off-by: Jitin George --- .../esp_https_ota/include/esp_https_ota.h | 1 + components/esp_https_ota/src/esp_https_ota.c | 18 ++++++++++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/components/esp_https_ota/include/esp_https_ota.h b/components/esp_https_ota/include/esp_https_ota.h index a9d7f140db..0c8fd06934 100644 --- a/components/esp_https_ota/include/esp_https_ota.h +++ b/components/esp_https_ota/include/esp_https_ota.h @@ -70,6 +70,7 @@ esp_err_t esp_https_ota(const esp_http_client_config_t *config); * completion of OTA operation or on failure in subsequent operations. * This API supports URL redirection, but if CA cert of URLs differ then it * should be appended to `cert_pem` member of `http_config`, which is a part of `ota_config`. + * In case of error, this API explicitly sets `handle` to NULL. * * @param[in] ota_config pointer to esp_https_ota_config_t structure * @param[out] handle pointer to an allocated data of type `esp_https_ota_handle_t` diff --git a/components/esp_https_ota/src/esp_https_ota.c b/components/esp_https_ota/src/esp_https_ota.c index 515f03d706..baba0bbaa4 100644 --- a/components/esp_https_ota/src/esp_https_ota.c +++ b/components/esp_https_ota/src/esp_https_ota.c 
@@ -126,14 +126,19 @@ static esp_err_t _ota_write(esp_https_ota_t *https_ota_handle, const void *buffe esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_handle_t *handle) { esp_err_t err; + if (handle == NULL || ota_config == NULL || ota_config->http_config == NULL) { ESP_LOGE(TAG, "esp_https_ota_begin: Invalid argument"); + if (handle) { + *handle = NULL; + } return ESP_ERR_INVALID_ARG; } #if !CONFIG_OTA_ALLOW_HTTP if (!ota_config->http_config->cert_pem) { ESP_LOGE(TAG, "Server certificate not found in esp_http_client config"); + *handle = NULL; return ESP_ERR_INVALID_ARG; } #endif @@ -141,6 +146,7 @@ esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_ esp_https_ota_t *https_ota_handle = calloc(1, sizeof(esp_https_ota_t)); if (!https_ota_handle) { ESP_LOGE(TAG, "Couldn't allocate memory to upgrade data buffer"); + *handle = NULL; return ESP_ERR_NO_MEM; } @@ -188,6 +194,7 @@ http_cleanup: _http_cleanup(https_ota_handle->http_client); failure: free(https_ota_handle); + *handle = NULL; return err; } @@ -286,9 +293,12 @@ esp_err_t esp_https_ota_finish(esp_https_ota_handle_t https_ota_handle) err = esp_ota_end(handle->update_handle); /* falls through */ case ESP_HTTPS_OTA_BEGIN: - free(handle->ota_upgrade_buf); - _http_cleanup(handle->http_client); - free(handle); + if (handle->ota_upgrade_buf) { + free(handle->ota_upgrade_buf); + } + if (handle->http_client) { + _http_cleanup(handle->http_client); + } break; default: ESP_LOGE(TAG, "Invalid ESP HTTPS OTA State"); @@ -301,6 +311,7 @@ esp_err_t esp_https_ota_finish(esp_https_ota_handle_t https_ota_handle) ESP_LOGE(TAG, "esp_ota_set_boot_partition failed! err=0x%d", err); } } + free(handle); return err; } 
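Review bot: The handle is now released by esp_https_ota_finish on every path that reaches the trailing `free(handle);`, but nothing in the series says so on the public API, and the old esp_https_ota wrapper freed it itself, so any external caller written against the previous contract will now double-free. The header comment of esp_https_ota_finish (outside this diff) should state it, e.g. `* @note This API frees the handle on all return paths; the caller must not free or reuse it afterwards.` In the ESP_HTTPS_OTA_BEGIN case the `if (handle->ota_upgrade_buf)` guard is redundant, since `free(NULL)` is a defined no-op, whereas the guard around `_http_cleanup` is the one that matters if that helper does not accept NULL. Whether the `default:` branch reaches the final free or returns early is not visible here; the body of esp_https_ota_finish extends outside the hunk.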
@@ -341,7 +352,6 @@ esp_err_t esp_https_ota(const esp_http_client_config_t *config) } esp_err_t ota_finish_err = esp_https_ota_finish(https_ota_handle); - free(https_ota_handle); if (err != ESP_OK) { /* If there was an error in esp_https_ota_perform(), then it is given more precedence than error in esp_https_ota_finish() From 9fa23bc599a4af7ed59a469c84ccb133eed3f2d7 Mon Sep 17 00:00:00 2001 From: Jitin George Date: Mon, 10 Jun 2019 14:43:24 +0530 Subject: [PATCH 2/6] example/simple_ota_example: Add example test --- .../ota/simple_ota_example/example_test.py | 149 ++++++++++++++++++ .../simple_ota_example/main/Kconfig.projbuild | 13 +- .../main/simple_ota_example.c | 22 ++- .../ota/simple_ota_example/sdkconfig.ci | 1 + .../server_certs/ca_cert.pem | 21 +++ 5 files changed, 201 insertions(+), 5 deletions(-) create mode 100644 examples/system/ota/simple_ota_example/example_test.py create mode 100644 examples/system/ota/simple_ota_example/sdkconfig.ci diff --git a/examples/system/ota/simple_ota_example/example_test.py b/examples/system/ota/simple_ota_example/example_test.py new file mode 100644 index 0000000000..736c611d55 --- /dev/null +++ b/examples/system/ota/simple_ota_example/example_test.py 
@@ -0,0 +1,149 @@ +import re +import os +import sys +import socket +import BaseHTTPServer +import SimpleHTTPServer +from threading import Thread +import ssl + +try: + import IDF +except ImportError: + # this is a test case write with tiny-test-fw. + # to run test cases outside tiny-test-fw, + # we need to set environment variable `TEST_FW_PATH`, + # then get and insert `TEST_FW_PATH` to sys path before import FW module + test_fw_path = os.getenv("TEST_FW_PATH") + if test_fw_path and test_fw_path not in sys.path: + sys.path.insert(0, test_fw_path) + import IDF + +import DUT + +server_cert = "-----BEGIN CERTIFICATE-----\n" \ + "MIIDXTCCAkWgAwIBAgIJAP4LF7E72HakMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV\n"\ + "BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX\n"\ + "aWRnaXRzIFB0eSBMdGQwHhcNMTkwNjA3MDk1OTE2WhcNMjAwNjA2MDk1OTE2WjBF\n"\ + "MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50\n"\ + "ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB\n"\ + "CgKCAQEAlzfCyv3mIv7TlLkObxunKfCdrJ/zgdANrsx0RBtpEPhV560hWJ0fEin0\n"\ + "nIOMpJSiF9E6QsPdr6Q+eogH4XnOMU9JE+iG743N1dPfGEzJvRlyct/Ck8SswKPC\n"\ + "9+VXsnOdZmUw9y/xtANbURA/TspvPzz3Avv382ffffrJGh7ooOmaZSCZFlSYHLZA\n"\ + "w/XlRr0sSRbLpFGY0gXjaAV8iHHiPDYLy4kZOepjV9U51xi+IGsL4w75zuMgsHyF\n"\ + "3nJeGYHgtGVBrkL0ZKG5udY0wcBjysjubDJC4iSlNiq2HD3fhs7j6CZddV2v845M\n"\ + "lVKNxP0kO4Uj4D8r+5USWC8JKfAwxQIDAQABo1AwTjAdBgNVHQ4EFgQU6OE7ssfY\n"\ + "IIPTDThiUoofUpsD5NwwHwYDVR0jBBgwFoAU6OE7ssfYIIPTDThiUoofUpsD5Nww\n"\ + "DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAXIlHS/FJWfmcinUAxyBd\n"\ + "/xd5Lu8ykeru6oaUCci+Vk9lyoMMES7lQ+b/00d5x7AcTawkTil9EWpBTPTOTraA\n"\ + "lzJMQhNKmSLk0iIoTtAJtSZgUSpIIozqK6lenxQQDsHbXKU6h+u9H6KZE8YcjsFl\n"\ + "6vL7sw9BVotw/VxfgjQ5OSGLgoLrdVT0z5C2qOuwOgz1c7jNiJhtMdwN+cOtnJp2\n"\ + "fuBgEYyE3eeuWogvkWoDcIA8r17Ixzkpq2oJsdvZcHZPIZShPKW2SHUsl98KDemu\n"\ + "y0pQyExmQUbwKE4vbFb9XuWCcL9XaOHQytyszt2DeD67AipvoBwVU7/LBOvqnsmy\n"\ + "hA==\n"\ + "-----END CERTIFICATE-----\n" + +server_key = "-----BEGIN 
PRIVATE KEY-----\n"\ + "MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCXN8LK/eYi/tOU\n"\ + "uQ5vG6cp8J2sn/OB0A2uzHREG2kQ+FXnrSFYnR8SKfScg4yklKIX0TpCw92vpD56\n"\ + "iAfhec4xT0kT6Ibvjc3V098YTMm9GXJy38KTxKzAo8L35Veyc51mZTD3L/G0A1tR\n"\ + "ED9Oym8/PPcC+/fzZ999+skaHuig6ZplIJkWVJgctkDD9eVGvSxJFsukUZjSBeNo\n"\ + "BXyIceI8NgvLiRk56mNX1TnXGL4gawvjDvnO4yCwfIXecl4ZgeC0ZUGuQvRkobm5\n"\ + "1jTBwGPKyO5sMkLiJKU2KrYcPd+GzuPoJl11Xa/zjkyVUo3E/SQ7hSPgPyv7lRJY\n"\ + "Lwkp8DDFAgMBAAECggEAfBhAfQE7mUByNbxgAgI5fot9eaqR1Nf+QpJ6X2H3KPwC\n"\ + "02sa0HOwieFwYfj6tB1doBoNq7i89mTc+QUlIn4pHgIowHO0OGawomeKz5BEhjCZ\n"\ + "4XeLYGSoODary2+kNkf2xY8JTfFEcyvGBpJEwc4S2VyYgRRx+IgnumTSH+N5mIKZ\n"\ + "SXWNdZIuHEmkwod+rPRXs6/r+PH0eVW6WfpINEbr4zVAGXJx2zXQwd2cuV1GTJWh\n"\ + "cPVOXLu+XJ9im9B370cYN6GqUnR3fui13urYbnWnEf3syvoH/zuZkyrVChauoFf8\n"\ + "8EGb74/HhXK7Q2s8NRakx2c7OxQifCbcy03liUMmyQKBgQDFAob5B/66N4Q2cq/N\n"\ + "MWPf98kYBYoLaeEOhEJhLQlKk0pIFCTmtpmUbpoEes2kCUbH7RwczpYko8tlKyoB\n"\ + "6Fn6RY4zQQ64KZJI6kQVsjkYpcP/ihnOY6rbds+3yyv+4uPX7Eh9sYZwZMggE19M\n"\ + "CkFHkwAjiwqhiiSlUxe20sWmowKBgQDEfx4lxuFzA1PBPeZKGVBTxYPQf+DSLCre\n"\ + "ZFg3ZmrxbCjRq1O7Lra4FXWD3dmRq7NDk79JofoW50yD8wD7I0B7opdDfXD2idO8\n"\ + "0dBnWUKDr2CAXyoLEINce9kJPbx4kFBQRN9PiGF7VkDQxeQ3kfS8CvcErpTKCOdy\n"\ + "5wOwBTwJdwKBgDiTFTeGeDv5nVoVbS67tDao7XKchJvqd9q3WGiXikeELJyuTDqE\n"\ + "zW22pTwMF+m3UEAxcxVCrhMvhkUzNAkANHaOatuFHzj7lyqhO5QPbh4J3FMR0X9X\n"\ + "V8VWRSg+jA/SECP9koOl6zlzd5Tee0tW1pA7QpryXscs6IEhb3ns5R2JAoGAIkzO\n"\ + "RmnhEOKTzDex611f2D+yMsMfy5BKK2f4vjLymBH5TiBKDXKqEpgsW0huoi8Gq9Uu\n"\ + "nvvXXAgkIyRYF36f0vUe0nkjLuYAQAWgC2pZYgNLJR13iVbol0xHJoXQUHtgiaJ8\n"\ + "GLYFzjHQPqFMpSalQe3oELko39uOC1CoJCHFySECgYBeycUnRBikCO2n8DNhY4Eg\n"\ + "9Y3oxcssRt6ea5BZwgW2eAYi7/XqKkmxoSoOykUt3MJx9+EkkrL17bxFSpkj1tvL\n"\ + "qvxn7egtsKjjgGNAxwXC4MwCvhveyUQQxtQb8AqGrGqo4jEEN0L15cnP38i2x1Uo\n"\ + "muhfskWf4MABV0yTUaKcGg==\n"\ + "-----END PRIVATE KEY-----\n" + + +def get_my_ip(): + s1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + s1.connect(("8.8.8.8", 80)) + 
my_ip = s1.getsockname()[0] + s1.close() + return my_ip + + +def start_https_server(ota_image_dir, server_ip, server_port): + # parser = argparse.ArgumentParser() + # parser.add_argument('-p', '--port', dest='port', type= int, + # help= "Server Port", default= 8000) + # args = parser.parse_args() + os.chdir(ota_image_dir) + + server_file = os.path.join(ota_image_dir, "server_cert.pem") + cert_file_handle = open(server_file, "w+") + cert_file_handle.write(server_cert) + cert_file_handle.close() + + key_file = os.path.join(ota_image_dir, "server_key.pem") + key_file_handle = open("server_key.pem", "w+") + key_file_handle.write(server_key) + key_file_handle.close() + + httpd = BaseHTTPServer.HTTPServer((server_ip, server_port), + SimpleHTTPServer.SimpleHTTPRequestHandler) + + print "server cert path: " + server_file + print "key file path: " + key_file + httpd.socket = ssl.wrap_socket(httpd.socket, + keyfile=key_file, + certfile=server_file, server_side=True) + print "serving OTA image at: " + server_ip + "port: " + "port" + httpd.serve_forever() + + +@IDF.idf_example_test(env_tag="Example_WIFI") +def test_examples_protocol_simple_ota_example(env, extra_data): + """ + steps: | + 1. join AP + 2. Fetch OTA image over HTTPS + 3. 
Reboot with the new OTA image + """ + dut1 = env.get_dut("simple_ota_example", "examples/system/ota/simple_ota_example") + # check and log bin size + binary_file = os.path.join(dut1.app.binary_path, "simple_ota.bin") + bin_size = os.path.getsize(binary_file) + IDF.log_performance("simple_ota_bin_size", "{}KB".format(bin_size // 1024)) + IDF.check_performance("simple_ota_bin_size", bin_size // 1024) + # start test + host_ip = get_my_ip() + thread1 = Thread(target=start_https_server, args=(dut1.app.binary_path,host_ip,8000)) + thread1.daemon = True + thread1.start() + dut1.start_app() + dut1.expect("Loaded app from partition at offset 0x10000", timeout=30) + try: + ip_address = dut1.expect(re.compile(r" sta ip: ([^,]+),"), timeout=30) + print("Connected to AP with IP: {}".format(ip_address)) + except DUT.ExpectTimeout: + raise ValueError('ENV_TEST_FAILURE: Cannot connect to AP') + thread1.close() + dut1.expect("Starting OTA example", timeout=30) + + print("writing to device: {}".format("https://" + host_ip + ":8000/simple_ota.bin")) + dut1.write("https://" + host_ip + ":8000/simple_ota.bin") + dut1.expect("Loaded app from partition at offset 0x110000", timeout=60) + dut1.expect("Starting OTA example", timeout=30) + + +if __name__ == '__main__': + test_examples_protocol_simple_ota_example() diff --git a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild index c5be1f2762..08f7f3d738 100644 --- a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild +++ b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild 
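Review bot: `thread1.close()` is called on a `threading.Thread`, which has no `close()` method, so this line raises AttributeError right after the AP-join check and the OTA steps below it are never reached; the daemon thread already dies with the process, so the line can be dropped (or the server stopped via `httpd.shutdown()` if the server object is handed back to the caller). In start_https_server, `os.chdir(ota_image_dir)` runs in the worker thread but changes the working directory of the whole process, and the key is written with the relative name `open("server_key.pem", "w+")` while `key_file` holds the absolute path; writing to `key_file` keeps both consistent. The `server_key` embedded here is the private key of the certificate shipped as `server_certs/ca_cert.pem`, so a comment such as `# test-only CA key: the example's default ca_cert.pem trusts it and must be replaced for real deployments` would make that clear to anyone copying the example.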
@@ -1,8 +1,13 @@ menu "Example Configuration" - config EXAMPLE_FIRMWARE_UPGRADE_URL - string "Firmware Upgrade URL" - default "https://192.168.2.106:8070/hello-world.bin" + config FIRMWARE_UPGRADE_URL + string "firmware upgrade url endpoint" + default "https://192.168.0.3:8070/hello-world.bin" help - URL of server which hosts the firmware image. + URL of server which hosts the firmware + image. + + config FIRMWARE_UPGRADE_URL_FROM_STDIN + bool + default y if FIRMWARE_UPGRADE_URL = "FROM_STDIN" endmenu diff --git a/examples/system/ota/simple_ota_example/main/simple_ota_example.c b/examples/system/ota/simple_ota_example/main/simple_ota_example.c index 1b63aec18a..965403a9d3 100644 --- a/examples/system/ota/simple_ota_example/main/simple_ota_example.c +++ b/examples/system/ota/simple_ota_example/main/simple_ota_example.c @@ -15,6 +15,9 @@ #include "esp_ota_ops.h" #include "esp_http_client.h" #include "esp_https_ota.h" +#include "protocol_examples_common.h" +#include "string.h" + #include "nvs.h" #include "nvs_flash.h" #include "protocol_examples_common.h" @@ -23,6 +26,8 @@ static const char *TAG = "simple_ota_example"; extern const uint8_t server_cert_pem_start[] asm("_binary_ca_cert_pem_start"); extern const uint8_t server_cert_pem_end[] asm("_binary_ca_cert_pem_end"); +#define OTA_URL_SIZE 256 + esp_err_t _http_event_handler(esp_http_client_event_t *evt) { switch (evt->event_id) { 
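Review bot: `#include "protocol_examples_common.h"` is added although the same header is already included three lines further down in the context, so one of the two should go. `#include "string.h"` should be `#include <string.h>`, the conventional form for a libc header; the quoted form searches the project tree first.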
@@ -56,10 +61,25 @@ void simple_ota_example_task(void *pvParameter) ESP_LOGI(TAG, "Starting OTA example"); esp_http_client_config_t config = { - .url = CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL, + .url = CONFIG_FIRMWARE_UPGRADE_URL, .cert_pem = (char *)server_cert_pem_start, .event_handler = _http_event_handler, }; + +#ifdef CONFIG_FIRMWARE_UPGRADE_URL_FROM_STDIN + char url_buf[OTA_URL_SIZE]; + if (strcmp(config.url, "FROM_STDIN") == 0) { + example_configure_stdin_stdout(); + fgets(url_buf, OTA_URL_SIZE, stdin); + int len = strlen(url_buf); + url_buf[len - 1] = '\0'; + config.url = url_buf; + } else { + ESP_LOGE(TAG, "Configuration mismatch: wrong firmware upgrade image url"); + abort(); + } +#endif + esp_err_t ret = esp_https_ota(&config); if (ret == ESP_OK) { esp_restart(); diff --git a/examples/system/ota/simple_ota_example/sdkconfig.ci b/examples/system/ota/simple_ota_example/sdkconfig.ci new file mode 100644 index 0000000000..813b3adac3 --- /dev/null +++ b/examples/system/ota/simple_ota_example/sdkconfig.ci @@ -0,0 +1 @@ +CONFIG_FIRMWARE_UPGRADE_URL="FROM_STDIN" diff --git a/examples/system/ota/simple_ota_example/server_certs/ca_cert.pem b/examples/system/ota/simple_ota_example/server_certs/ca_cert.pem index e69de29bb2..5b21a5c2ad 100644 --- a/examples/system/ota/simple_ota_example/server_certs/ca_cert.pem +++ b/examples/system/ota/simple_ota_example/server_certs/ca_cert.pem 
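Review bot: The result of `fgets(url_buf, OTA_URL_SIZE, stdin)` is not checked, so on EOF or a read error `strlen(url_buf)` runs over an uninitialised buffer and `url_buf[len - 1]` writes before the array when len is 0; when the line arrives without a trailing newline (a URL longer than 255 bytes, or a closed stream) the last real character of the URL is cut off instead. Replace the three lines after example_configure_stdin_stdout() with `if (fgets(url_buf, OTA_URL_SIZE, stdin) == NULL) { ESP_LOGE(TAG, "No upgrade URL read from stdin"); abort(); }` and `url_buf[strcspn(url_buf, "\r\n")] = '\0';`. simple_ota_example_task continues outside the hunk.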
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDXTCCAkWgAwIBAgIJAP4LF7E72HakMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTkwNjA3MDk1OTE2WhcNMjAwNjA2MDk1OTE2WjBF +MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAlzfCyv3mIv7TlLkObxunKfCdrJ/zgdANrsx0RBtpEPhV560hWJ0fEin0 +nIOMpJSiF9E6QsPdr6Q+eogH4XnOMU9JE+iG743N1dPfGEzJvRlyct/Ck8SswKPC +9+VXsnOdZmUw9y/xtANbURA/TspvPzz3Avv382ffffrJGh7ooOmaZSCZFlSYHLZA +w/XlRr0sSRbLpFGY0gXjaAV8iHHiPDYLy4kZOepjV9U51xi+IGsL4w75zuMgsHyF +3nJeGYHgtGVBrkL0ZKG5udY0wcBjysjubDJC4iSlNiq2HD3fhs7j6CZddV2v845M +lVKNxP0kO4Uj4D8r+5USWC8JKfAwxQIDAQABo1AwTjAdBgNVHQ4EFgQU6OE7ssfY +IIPTDThiUoofUpsD5NwwHwYDVR0jBBgwFoAU6OE7ssfYIIPTDThiUoofUpsD5Nww +DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAXIlHS/FJWfmcinUAxyBd +/xd5Lu8ykeru6oaUCci+Vk9lyoMMES7lQ+b/00d5x7AcTawkTil9EWpBTPTOTraA +lzJMQhNKmSLk0iIoTtAJtSZgUSpIIozqK6lenxQQDsHbXKU6h+u9H6KZE8YcjsFl +6vL7sw9BVotw/VxfgjQ5OSGLgoLrdVT0z5C2qOuwOgz1c7jNiJhtMdwN+cOtnJp2 +fuBgEYyE3eeuWogvkWoDcIA8r17Ixzkpq2oJsdvZcHZPIZShPKW2SHUsl98KDemu +y0pQyExmQUbwKE4vbFb9XuWCcL9XaOHQytyszt2DeD67AipvoBwVU7/LBOvqnsmy +hA== +-----END CERTIFICATE----- From c536c8fa5fd8653a0a9f3caf5a39c6bf8ce09750 Mon Sep 17 00:00:00 2001 From: Jitin George Date: Wed, 12 Jun 2019 14:11:00 +0530 Subject: [PATCH 3/6] tcp_transport: Add API to allow skipping of certificate CN validation --- components/tcp_transport/include/esp_transport_ssl.h | 9 +++++++++ components/tcp_transport/transport_ssl.c | 8 ++++++++ 2 files changed, 17 insertions(+) diff --git a/components/tcp_transport/include/esp_transport_ssl.h b/components/tcp_transport/include/esp_transport_ssl.h index c42fd09353..0f83c1d6e4 100644 --- a/components/tcp_transport/include/esp_transport_ssl.h +++ b/components/tcp_transport/include/esp_transport_ssl.h 
@@ -69,6 +69,15 @@ void esp_transport_ssl_set_client_cert_data(esp_transport_handle_t t, const char */ void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char *data, int len); +/** + * @brief Skip validation of certificate's common name field + * + * @note Skipping CN validation is not recommended + * + * @param t ssl transport + */ +void esp_transport_ssl_skip_common_name_check(esp_transport_handle_t t); + #ifdef __cplusplus } #endif diff --git a/components/tcp_transport/transport_ssl.c b/components/tcp_transport/transport_ssl.c index 257a58cba6..49f71bb2d2 100644 --- a/components/tcp_transport/transport_ssl.c +++ b/components/tcp_transport/transport_ssl.c @@ -192,6 +192,14 @@ void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char } } +void esp_transport_ssl_skip_common_name_check(esp_transport_handle_t t) +{ + transport_ssl_t *ssl = esp_transport_get_context_data(t); + if (t && ssl) { + ssl->cfg.skip_common_name = true; + } +} + esp_transport_handle_t esp_transport_ssl_init() { esp_transport_handle_t t = esp_transport_init(); From ab6dd362432bbec58e6259c57ef3d72fbb221fe2 Mon Sep 17 00:00:00 2001 From: Jitin George Date: Wed, 12 Jun 2019 14:12:59 +0530 Subject: [PATCH 4/6] esp_http_client: Add support to disable validation of certificate's CN field --- components/esp_http_client/esp_http_client.c | 4 ++++ components/esp_http_client/include/esp_http_client.h | 1 + 2 files changed, 5 insertions(+) diff --git a/components/esp_http_client/esp_http_client.c b/components/esp_http_client/esp_http_client.c index baab149f8a..822a02b785 100644 --- a/components/esp_http_client/esp_http_client.c +++ b/components/esp_http_client/esp_http_client.c 
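Review bot: The `@note Skipping CN validation is not recommended` on esp_transport_ssl_skip_common_name_check does not say what is given up, which is what a caller deciding whether to use it needs: as far as the transport shows, only the common-name check is disabled (`ssl->cfg.skip_common_name = true`), so the certificate is no longer bound to the host being contacted and any certificate issued by the trusted CA is accepted for any server. Suggested wording: `* @note Skipping CN validation is not recommended: the certificate chain is still verified, but the server is no longer checked against the host name, so any certificate from the trusted CA is accepted for any host. Intended for test setups only.` The same explanation belongs on the `skip_cert_common_name_check` field added to esp_http_client.h and in the help text of EXAMPLE_SKIP_COMMON_NAME_CHECK in the example Kconfig.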
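Review bot: `esp_transport_get_context_data(t)` is evaluated before `t` is tested for NULL in the following `if (t && ssl)`, so the NULL test on `t` only helps if that helper tolerates a NULL transport; if it dereferences `t`, the guard is dead. Writing `transport_ssl_t *ssl = t ? esp_transport_get_context_data(t) : NULL;` or returning early on `t == NULL` before the lookup makes the intent explicit. The neighbouring setters may use the same pattern; they are outside the hunk.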
@@ -506,6 +506,10 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co if (config->client_key_pem) { esp_transport_ssl_set_client_key_data(ssl, config->client_key_pem, strlen(config->client_key_pem)); } + + if (config->skip_cert_common_name_check) { + esp_transport_ssl_skip_common_name_check(ssl); + } #endif if (_set_config(client, config) != ESP_OK) { diff --git a/components/esp_http_client/include/esp_http_client.h b/components/esp_http_client/include/esp_http_client.h index d236921770..e01234a6f6 100644 --- a/components/esp_http_client/include/esp_http_client.h +++ b/components/esp_http_client/include/esp_http_client.h @@ -120,6 +120,7 @@ typedef struct { void *user_data; /*!< HTTP user_data context */ bool is_async; /*!< Set asynchronous mode, only supported with HTTPS for now */ bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which this bool is set. */ + bool skip_cert_common_name_check; /*!< Skip any validation of server certificate CN field */ } esp_http_client_config_t; /** From 83a4e4656f3cdda693945bafaac5996c0848e1ff Mon Sep 17 00:00:00 2001 From: Jitin George Date: Wed, 12 Jun 2019 14:15:06 +0530 Subject: [PATCH 5/6] example/simple_ota_example: Add support for skipping OTA server certificate CN field --- .../ota/simple_ota_example/main/Kconfig.projbuild | 11 +++++++++-- .../ota/simple_ota_example/main/simple_ota_example.c | 4 ++++ examples/system/ota/simple_ota_example/sdkconfig.ci | 1 + 3 files changed, 14 insertions(+), 2 deletions(-) diff --git a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild index 08f7f3d738..be4b8379db 100644 --- a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild +++ b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild 
@@ -1,13 +1,20 @@ menu "Example Configuration" - config FIRMWARE_UPGRADE_URL + config EXAMPLE_FIRMWARE_UPGRADE_URL string "firmware upgrade url endpoint" default "https://192.168.0.3:8070/hello-world.bin" help URL of server which hosts the firmware image. - config FIRMWARE_UPGRADE_URL_FROM_STDIN + config EXAMPLE_FIRMWARE_UPGRADE_URL_FROM_STDIN bool default y if FIRMWARE_UPGRADE_URL = "FROM_STDIN" + + config EXAMPLE_SKIP_COMMON_NAME_CHECK + bool "Skip server certificate CN fieldcheck" + default n + help + This allows you to skip the validation of OTA server certificate CN field. + endmenu diff --git a/examples/system/ota/simple_ota_example/main/simple_ota_example.c b/examples/system/ota/simple_ota_example/main/simple_ota_example.c index 965403a9d3..e3d521670e 100644 --- a/examples/system/ota/simple_ota_example/main/simple_ota_example.c +++ b/examples/system/ota/simple_ota_example/main/simple_ota_example.c @@ -80,6 +80,10 @@ void simple_ota_example_task(void *pvParameter) } #endif +#ifdef CONFIG_SKIP_COMMON_NAME_CHECK + config.skip_cert_common_name_check = true; +#endif + esp_err_t ret = esp_https_ota(&config); if (ret == ESP_OK) { esp_restart(); diff --git a/examples/system/ota/simple_ota_example/sdkconfig.ci b/examples/system/ota/simple_ota_example/sdkconfig.ci index 813b3adac3..6d493cbf12 100644 --- a/examples/system/ota/simple_ota_example/sdkconfig.ci +++ b/examples/system/ota/simple_ota_example/sdkconfig.ci @@ -1 +1,2 @@ CONFIG_FIRMWARE_UPGRADE_URL="FROM_STDIN" +CONFIG_SKIP_COMMON_NAME_CHECK=y From a2b5a93881ce794a0f3ef10c2f6b8fb5e0608aaa Mon Sep 17 00:00:00 2001 
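Review bot: The prompt `bool "Skip server certificate CN fieldcheck"` is missing a space ("CN field check"), and the help text says what the option does but not what it costs; `default n` is right and should stay. Suggested help: `Skip the check that the OTA server certificate matches the host name in the URL; the certificate chain is still verified. Enable only for test setups with a self-signed or generic certificate.`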
From: Jitin George Date: Thu, 20 Jun 2019 15:48:20 +0530 Subject: [PATCH 6/6] example/simple_ota_example: Fix python formatting and KConfig --- examples/system/ota/simple_ota_example/example_test.py | 5 +---- .../system/ota/simple_ota_example/main/Kconfig.projbuild | 2 +- .../system/ota/simple_ota_example/main/simple_ota_example.c | 6 +++--- examples/system/ota/simple_ota_example/sdkconfig.ci | 4 ++-- 4 files changed, 7 insertions(+), 10 deletions(-) diff --git a/examples/system/ota/simple_ota_example/example_test.py b/examples/system/ota/simple_ota_example/example_test.py index 736c611d55..7c732a5425 100644 --- a/examples/system/ota/simple_ota_example/example_test.py +++ b/examples/system/ota/simple_ota_example/example_test.py @@ -101,12 +101,9 @@ def start_https_server(ota_image_dir, server_ip, server_port): httpd = BaseHTTPServer.HTTPServer((server_ip, server_port), SimpleHTTPServer.SimpleHTTPRequestHandler) - print "server cert path: " + server_file - print "key file path: " + key_file httpd.socket = ssl.wrap_socket(httpd.socket, keyfile=key_file, certfile=server_file, server_side=True) - print "serving OTA image at: " + server_ip + "port: " + "port" httpd.serve_forever() @@ -126,7 +123,7 @@ def test_examples_protocol_simple_ota_example(env, extra_data): IDF.check_performance("simple_ota_bin_size", bin_size // 1024) # start test host_ip = get_my_ip() - thread1 = Thread(target=start_https_server, args=(dut1.app.binary_path,host_ip,8000)) + thread1 = Thread(target=start_https_server, args=(dut1.app.binary_path, host_ip, 8000)) thread1.daemon = True thread1.start() dut1.start_app() diff --git a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild index be4b8379db..2c2eb0c583 100644 --- a/examples/system/ota/simple_ota_example/main/Kconfig.projbuild +++ b/examples/system/ota/simple_ota_example/main/Kconfig.projbuild 
@@ -9,7 +9,7 @@ menu "Example Configuration" config EXAMPLE_FIRMWARE_UPGRADE_URL_FROM_STDIN bool - default y if FIRMWARE_UPGRADE_URL = "FROM_STDIN" + default y if EXAMPLE_FIRMWARE_UPGRADE_URL = "FROM_STDIN" config EXAMPLE_SKIP_COMMON_NAME_CHECK bool "Skip server certificate CN fieldcheck" diff --git a/examples/system/ota/simple_ota_example/main/simple_ota_example.c b/examples/system/ota/simple_ota_example/main/simple_ota_example.c index e3d521670e..9d7c44e3a1 100644 --- a/examples/system/ota/simple_ota_example/main/simple_ota_example.c +++ b/examples/system/ota/simple_ota_example/main/simple_ota_example.c @@ -61,12 +61,12 @@ void simple_ota_example_task(void *pvParameter) ESP_LOGI(TAG, "Starting OTA example"); esp_http_client_config_t config = { - .url = CONFIG_FIRMWARE_UPGRADE_URL, + .url = CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL, .cert_pem = (char *)server_cert_pem_start, .event_handler = _http_event_handler, }; -#ifdef CONFIG_FIRMWARE_UPGRADE_URL_FROM_STDIN +#ifdef CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL_FROM_STDIN char url_buf[OTA_URL_SIZE]; if (strcmp(config.url, "FROM_STDIN") == 0) { example_configure_stdin_stdout(); @@ -80,7 +80,7 @@ void simple_ota_example_task(void *pvParameter) } #endif -#ifdef CONFIG_SKIP_COMMON_NAME_CHECK +#ifdef CONFIG_EXAMPLE_SKIP_COMMON_NAME_CHECK config.skip_cert_common_name_check = true; #endif diff --git a/examples/system/ota/simple_ota_example/sdkconfig.ci b/examples/system/ota/simple_ota_example/sdkconfig.ci index 6d493cbf12..8367dac01f 100644 --- a/examples/system/ota/simple_ota_example/sdkconfig.ci +++ b/examples/system/ota/simple_ota_example/sdkconfig.ci @@ -1,2 +1,2 @@ -CONFIG_FIRMWARE_UPGRADE_URL="FROM_STDIN" -CONFIG_SKIP_COMMON_NAME_CHECK=y +CONFIG_EXAMPLE_FIRMWARE_UPGRADE_URL="FROM_STDIN" +CONFIG_EXAMPLE_SKIP_COMMON_NAME_CHECK=y