eaw/esp-idf
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feature/esp_https_ota_improvements' into 'release/v3.3'

Browse Source 
esp_https_ota: component refactoring, bugfixes and feature additions (backport v3.3)

See merge request espressif/esp-idf!6047
This commit is contained in:
Jiang Jiang Jian
2019-10-21 10:40:37 +08:00
parent b51f89d827 25f837a148
commit 4e27cbb89f
22 changed files with 1036 additions and 161 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
components/esp-tls/esp_tls.c
View File

@@ -242,18 +242,26 @@ static int create_ssl_handle(esp_tls_t *tls, const char *hostname, size_t hostle
goto exit;
}
/* Hostname set here should match CN in server certificate */
char *use_host = strndup(hostname, hostlen);
if (!use_host) {
goto exit;
}
if (!cfg->skip_common_name) {
char *use_host = NULL;
if (cfg->common_name != NULL) {
use_host = strndup(cfg->common_name, strlen(cfg->common_name));
} else {
use_host = strndup(hostname, hostlen);
}
if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
if (use_host == NULL) {
goto exit;
}
/* Hostname set here should match CN in server certificate */
if ((ret = mbedtls_ssl_set_hostname(&tls->ssl, use_host)) != 0) {
ESP_LOGE(TAG, "mbedtls_ssl_set_hostname returned -0x%x", -ret);
free(use_host);
goto exit;
}
free(use_host);
goto exit;
}
free(use_host);
if ((ret = mbedtls_ssl_config_defaults(&tls->conf,
MBEDTLS_SSL_IS_CLIENT,

14
components/esp-tls/esp_tls.h
View File

@@ -57,17 +57,20 @@ typedef struct esp_tls_cfg {
- where the first '2' is the length of the protocol and
- the subsequent 'h2' is the protocol name */
const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer */
const unsigned char *cacert_pem_buf; /*!< Certificate Authority's certificate in a buffer.
This buffer should be NULL terminated */
unsigned int cacert_pem_bytes; /*!< Size of Certificate Authority certificate
pointed to by cacert_pem_buf */
const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer */
const unsigned char *clientcert_pem_buf;/*!< Client certificate in a buffer
This buffer should be NULL terminated */
unsigned int clientcert_pem_bytes; /*!< Size of client certificate pointed to by
clientcert_pem_buf */
const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer */
const unsigned char *clientkey_pem_buf; /*!< Client key in a buffer
This buffer should be NULL terminated */
unsigned int clientkey_pem_bytes; /*!< Size of client key pointed to by
clientkey_pem_buf */
@@ -85,6 +88,11 @@ typedef struct esp_tls_cfg {
bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which
this bool is set. */
const char *common_name; /*!< If non-NULL, server certificate CN must match this name.
If NULL, server certificate CN must match hostname. */
bool skip_common_name; /*!< Skip any validation of server certificate CN field */
} esp_tls_cfg_t;
/**

10
components/esp32/esp_err_to_name.c
View File

@@ -19,6 +19,9 @@
#if __has_include("esp_http_server.h")
#include "esp_http_server.h"
#endif
#if __has_include("esp_https_ota.h")
#include "esp_https_ota.h"
#endif
#if __has_include("esp_image_format.h")
#include "esp_image_format.h"
#endif
@@ -531,6 +534,13 @@ static const esp_err_msg_t esp_err_msg_table[] = {
# endif
# ifdef ESP_ERR_HTTPD_TASK
ERR_TBL_IT(ESP_ERR_HTTPD_TASK), /* 32776 0x8008 Failed to launch server task/thread */
# endif
// components/esp_https_ota/include/esp_https_ota.h
# ifdef ESP_ERR_HTTPS_OTA_BASE
ERR_TBL_IT(ESP_ERR_HTTPS_OTA_BASE), /* 36864 0x9000 */
# endif
# ifdef ESP_ERR_HTTPS_OTA_IN_PROGRESS
ERR_TBL_IT(ESP_ERR_HTTPS_OTA_IN_PROGRESS), /* 36865 0x9001 */
# endif
// components/spi_flash/include/esp_spi_flash.h
# ifdef ESP_ERR_FLASH_BASE

7
components/esp_http_client/Kconfig
View File

@@ -7,4 +7,11 @@ menu "ESP HTTP client"
help
This option will enable https protocol by linking mbedtls library and initializing SSL transport
config ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
bool "Enable HTTP Basic Authentication"
default n
help
This option will enable HTTP Basic Authentication. It is disabled by default as Basic
auth uses unencrypted encoding, so it introduces a vulnerability when not using TLS
endmenu

102
components/esp_http_client/esp_http_client.c
View File

@@ -152,20 +152,6 @@ static const char *HTTP_METHOD_MAPPING[] = {
"OPTIONS"
};
/**
* Enum for the HTTP status codes.
*/
enum HttpStatus_Code
{
/* 3xx - Redirection */
HttpStatus_MovedPermanently = 301,
HttpStatus_Found = 302,
/* 4xx - Client Error */
HttpStatus_Unauthorized = 401
};
static esp_err_t esp_http_client_request_send(esp_http_client_handle_t client, int write_len);
static esp_err_t esp_http_client_connect(esp_http_client_handle_t client);
static esp_err_t esp_http_client_send_post_data(esp_http_client_handle_t client);
@@ -551,6 +537,10 @@ esp_http_client_handle_t esp_http_client_init(const esp_http_client_config_t *co
if (config->client_key_pem) {
esp_transport_ssl_set_client_key_data(ssl, config->client_key_pem, strlen(config->client_key_pem));
}
if (config->skip_cert_common_name_check) {
esp_transport_ssl_skip_common_name_check(ssl);
}
#endif
if (_set_config(client, config) != ESP_OK) {
@@ -648,13 +638,12 @@ esp_err_t esp_http_client_set_redirection(esp_http_client_handle_t client)
if (client->location == NULL) {
return ESP_ERR_INVALID_ARG;
}
ESP_LOGD(TAG, "Redirect to %s", client->location);
return esp_http_client_set_url(client, client->location);
}
static esp_err_t esp_http_check_response(esp_http_client_handle_t client)
{
char *auth_header = NULL;
if (client->redirect_counter >= client->max_redirection_count || client->disable_auto_redirect) {
ESP_LOGE(TAG, "Error, reach max_redirection_count count=%d", client->redirect_counter);
return ESP_ERR_HTTP_MAX_REDIRECT;
@@ -662,44 +651,12 @@ static esp_err_t esp_http_check_response(esp_http_client_handle_t client)
switch (client->response->status_code) {
case HttpStatus_MovedPermanently:
case HttpStatus_Found:
ESP_LOGI(TAG, "Redirect to %s", client->location);
esp_http_client_set_url(client, client->location);
esp_http_client_set_redirection(client);
client->redirect_counter ++;
client->process_again = 1;
break;
case HttpStatus_Unauthorized:
auth_header = client->auth_header;
if (auth_header) {
http_utils_trim_whitespace(&auth_header);
ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header);
client->redirect_counter ++;
if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
ESP_LOGD(TAG, "type = Digest");
client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
} else if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
ESP_LOGD(TAG, "type = Basic");
client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
} else {
client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
break;
}
_clear_auth_data(client);
client->auth_data->method = strdup(HTTP_METHOD_MAPPING[client->connection_info.method]);
client->auth_data->nc = 1;
client->auth_data->realm = http_utils_get_string_between(auth_header, "realm=\"", "\"");
client->auth_data->algorithm = http_utils_get_string_between(auth_header, "algorithm=", ",");
client->auth_data->qop = http_utils_get_string_between(auth_header, "qop=\"", "\"");
client->auth_data->nonce = http_utils_get_string_between(auth_header, "nonce=\"", "\"");
client->auth_data->opaque = http_utils_get_string_between(auth_header, "opaque=\"", "\"");
client->process_again = 1;
} else {
client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
ESP_LOGW(TAG, "This request requires authentication, but does not provide header information for that");
}
esp_http_client_add_auth(client);
}
return ESP_OK;
}
@@ -1271,3 +1228,48 @@ esp_http_client_transport_t esp_http_client_get_transport_type(esp_http_client_h
return HTTP_TRANSPORT_UNKNOWN;
}
}
void esp_http_client_add_auth(esp_http_client_handle_t client)
{
if (client == NULL) {
return;
}
if (client->state != HTTP_STATE_RES_COMPLETE_HEADER) {
return;
}
char *auth_header = client->auth_header;
if (auth_header) {
http_utils_trim_whitespace(&auth_header);
ESP_LOGD(TAG, "UNAUTHORIZED: %s", auth_header);
client->redirect_counter++;
if (http_utils_str_starts_with(auth_header, "Digest") == 0) {
ESP_LOGD(TAG, "type = Digest");
client->connection_info.auth_type = HTTP_AUTH_TYPE_DIGEST;
#ifdef CONFIG_ESP_HTTP_CLIENT_ENABLE_BASIC_AUTH
} else if (http_utils_str_starts_with(auth_header, "Basic") == 0) {
ESP_LOGD(TAG, "type = Basic");
client->connection_info.auth_type = HTTP_AUTH_TYPE_BASIC;
#endif
} else {
client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
ESP_LOGE(TAG, "This authentication method is not supported: %s", auth_header);
return;
}
_clear_auth_data(client);
client->auth_data->method = strdup(HTTP_METHOD_MAPPING[client->connection_info.method]);
client->auth_data->nc = 1;
client->auth_data->realm = http_utils_get_string_between(auth_header, "realm=\"", "\"");
client->auth_data->algorithm = http_utils_get_string_between(auth_header, "algorithm=", ",");
client->auth_data->qop = http_utils_get_string_between(auth_header, "qop=\"", "\"");
client->auth_data->nonce = http_utils_get_string_between(auth_header, "nonce=\"", "\"");
client->auth_data->opaque = http_utils_get_string_between(auth_header, "opaque=\"", "\"");
client->process_again = 1;
} else {
client->connection_info.auth_type = HTTP_AUTH_TYPE_NONE;
ESP_LOGW(TAG, "This request requires authentication, but does not provide header information for that");
}
}

25
components/esp_http_client/include/esp_http_client.h
View File

@@ -118,8 +118,20 @@ typedef struct {
void *user_data; /*!< HTTP user_data context */
bool is_async; /*!< Set asynchronous mode, only supported with HTTPS for now */
bool use_global_ca_store; /*!< Use a global ca_store for all the connections in which this bool is set. */
bool skip_cert_common_name_check; /*!< Skip any validation of server certificate CN field */
} esp_http_client_config_t;
/**
* Enum for the HTTP status codes.
*/
typedef enum {
/* 3xx - Redirection */
HttpStatus_MovedPermanently = 301,
HttpStatus_Found = 302,
/* 4xx - Client Error */
HttpStatus_Unauthorized = 401
} HttpStatus_Code;
#define ESP_ERR_HTTP_BASE (0x7000) /*!< Starting number of HTTP error codes */
#define ESP_ERR_HTTP_MAX_REDIRECT (ESP_ERR_HTTP_BASE + 1) /*!< The error exceeds the number of HTTP redirects */
@@ -441,12 +453,23 @@ esp_http_client_transport_t esp_http_client_get_transport_type(esp_http_client_h
*
* @param[in] client The esp_http_client handle
*
* @return
* @return
* - ESP_OK
* - ESP_FAIL
*/
esp_err_t esp_http_client_set_redirection(esp_http_client_handle_t client);
/**
* @brief On receiving HTTP Status code 401, this API can be invoked to add authorization
* information.
*
* @note There is a possibility of receiving body message with redirection status codes, thus make sure
* to flush off body data after calling this API.
*
* @param[in] client The esp_http_client handle
*/
void esp_http_client_add_auth(esp_http_client_handle_t client);
#ifdef __cplusplus
}
#endif

130
components/esp_https_ota/include/esp_https_ota.h
View File

@@ -15,20 +15,40 @@
#pragma once
#include <esp_http_client.h>
#include <esp_ota_ops.h>
#ifdef __cplusplus
extern "C" {
#endif
typedef void *esp_https_ota_handle_t;
/**
* @brief ESP HTTPS OTA configuration
*/
typedef struct {
const esp_http_client_config_t *http_config; /*!< ESP HTTP client configuration */
} esp_https_ota_config_t;
#define ESP_ERR_HTTPS_OTA_BASE (0x9000)
#define ESP_ERR_HTTPS_OTA_IN_PROGRESS (ESP_ERR_HTTPS_OTA_BASE + 1) /* OTA operation in progress */
/**
* @brief HTTPS OTA Firmware upgrade.
*
* This function performs HTTPS OTA Firmware upgrade
*
* This function allocates HTTPS OTA Firmware upgrade context, establishes HTTPS connection,
* reads image data from HTTP stream and writes it to OTA partition and
* finishes HTTPS OTA Firmware upgrade operation.
* This API supports URL redirection, but if CA cert of URLs differ then it
* should be appended to `cert_pem` member of `config`.
*
* @param[in] config pointer to esp_http_client_config_t structure.
*
* @note For secure HTTPS updates, the `cert_pem` member of `config`
* structure must be set to the server certificate.
* @note This API handles the entire OTA operation, so if this API is being used
* then no other APIs from `esp_https_ota` component should be called.
* If more information and control is needed during the HTTPS OTA process,
* then one can use `esp_https_ota_begin` and subsequent APIs. If this API returns
* successfully, esp_restart() must be called to boot from the new firmware image.
*
* @return
* - ESP_OK: OTA data updated, next reboot will use specified partition.
@@ -41,6 +61,108 @@ extern "C" {
*/
esp_err_t esp_https_ota(const esp_http_client_config_t *config);
/**
* @brief Start HTTPS OTA Firmware upgrade
*
* This function initializes ESP HTTPS OTA context and establishes HTTPS connection.
* This function must be invoked first. If this function returns successfully, then `esp_https_ota_perform` should be
* called to continue with the OTA process and there should be a call to `esp_https_ota_finish` on
* completion of OTA operation or on failure in subsequent operations.
* This API supports URL redirection, but if CA cert of URLs differ then it
* should be appended to `cert_pem` member of `http_config`, which is a part of `ota_config`.
* In case of error, this API explicitly sets `handle` to NULL.
*
* @param[in] ota_config pointer to esp_https_ota_config_t structure
* @param[out] handle pointer to an allocated data of type `esp_https_ota_handle_t`
* which will be initialised in this function
*
* @note This API is blocking, so setting `is_async` member of `http_config` structure will
* result in an error.
*
* @return
* - ESP_OK: HTTPS OTA Firmware upgrade context initialised and HTTPS connection established
* - ESP_FAIL: For generic failure.
* - ESP_ERR_INVALID_ARG: Invalid argument (missing/incorrect config, certificate, etc.)
* - For other return codes, refer documentation in app_update component and esp_http_client
* component in esp-idf.
*/
esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_handle_t *handle);
/**
* @brief Read image data from HTTP stream and write it to OTA partition
*
* This function reads image data from HTTP stream and writes it to OTA partition. This function
* must be called only if esp_https_ota_begin() returns successfully.
* This function must be called in a loop since it returns after every HTTP read operation thus
* giving you the flexibility to stop OTA operation midway.
*
* @param[in] https_ota_handle pointer to esp_https_ota_handle_t structure
*
* @return
* - ESP_ERR_HTTPS_OTA_IN_PROGRESS: OTA update is in progress, call this API again to continue.
* - ESP_OK: OTA update was successful
* - ESP_FAIL: OTA update failed
* - ESP_ERR_INVALID_ARG: Invalid argument
* - ESP_ERR_OTA_VALIDATE_FAILED: Invalid app image
* - ESP_ERR_NO_MEM: Cannot allocate memory for OTA operation.
* - ESP_ERR_FLASH_OP_TIMEOUT or ESP_ERR_FLASH_OP_FAIL: Flash write failed.
* - For other return codes, refer OTA documentation in esp-idf's app_update component.
*/
esp_err_t esp_https_ota_perform(esp_https_ota_handle_t https_ota_handle);
/**
* @brief Clean-up HTTPS OTA Firmware upgrade and close HTTPS connection
*
* This function closes the HTTP connection and frees the ESP HTTPS OTA context.
* This function switches the boot partition to the OTA partition containing the
* new firmware image.
*
* @note If this API returns successfully, esp_restart() must be called to
* boot from the new firmware image
*
* @param[in] https_ota_handle pointer to esp_https_ota_handle_t structure
*
* @return
* - ESP_OK: Clean-up successful
* - ESP_ERR_INVALID_STATE
* - ESP_ERR_INVALID_ARG: Invalid argument
* - ESP_ERR_OTA_VALIDATE_FAILED: Invalid app image
*/
esp_err_t esp_https_ota_finish(esp_https_ota_handle_t https_ota_handle);
/**
* @brief Reads app description from image header. The app description provides information
* like the "Firmware version" of the image.
*
* @note This API can be called only after esp_https_ota_begin() and before esp_https_ota_perform().
* Calling this API is not mandatory.
*
* @param[in] https_ota_handle pointer to esp_https_ota_handle_t structure
* @param[out] new_app_info pointer to an allocated esp_app_desc_t structure
*
* @return
* - ESP_ERR_INVALID_ARG: Invalid arguments
* - ESP_FAIL: Failed to read image descriptor
* - ESP_OK: Successfully read image descriptor
*/
esp_err_t esp_https_ota_get_img_desc(esp_https_ota_handle_t https_ota_handle, esp_app_desc_t *new_app_info);
/*
* @brief This function returns OTA image data read so far.
*
* @note This API should be called only if `esp_https_ota_perform()` has been called atleast once or
* if `esp_https_ota_get_img_desc` has been called before.
*
* @param[in] https_ota_handle pointer to esp_https_ota_handle_t structure
*
* @return
* - -1 On failure
* - total bytes read so far
*/
int esp_https_ota_get_image_len_read(esp_https_ota_handle_t https_ota_handle);
#ifdef __cplusplus
}
#endif

408
components/esp_https_ota/src/esp_https_ota.c
View File

@@ -16,121 +16,349 @@
#include <stdlib.h>
#include <string.h>
#include <esp_https_ota.h>
#include <esp_ota_ops.h>
#include <esp_log.h>
#define DEFAULT_OTA_BUF_SIZE 256
#define IMAGE_HEADER_SIZE sizeof(esp_image_header_t) + sizeof(esp_image_segment_header_t) + sizeof(esp_app_desc_t) + 1
#define DEFAULT_OTA_BUF_SIZE IMAGE_HEADER_SIZE
static const char *TAG = "esp_https_ota";
static void http_cleanup(esp_http_client_handle_t client)
typedef enum {
ESP_HTTPS_OTA_INIT,
ESP_HTTPS_OTA_BEGIN,
ESP_HTTPS_OTA_IN_PROGRESS,
ESP_HTTPS_OTA_SUCCESS,
} esp_https_ota_state;
struct esp_https_ota_handle {
esp_ota_handle_t update_handle;
const esp_partition_t *update_partition;
esp_http_client_handle_t http_client;
char *ota_upgrade_buf;
size_t ota_upgrade_buf_size;
int binary_file_len;
esp_https_ota_state state;
};
typedef struct esp_https_ota_handle esp_https_ota_t;
static bool process_again(int status_code)
{
switch (status_code) {
case HttpStatus_MovedPermanently:
case HttpStatus_Found:
case HttpStatus_Unauthorized:
return true;
default:
return false;
}
return false;
}
static esp_err_t _http_handle_response_code(esp_http_client_handle_t http_client, int status_code)
{
esp_err_t err;
if (status_code == HttpStatus_MovedPermanently || status_code == HttpStatus_Found) {
err = esp_http_client_set_redirection(http_client);
if (err != ESP_OK) {
ESP_LOGE(TAG, "URL redirection Failed");
return err;
}
} else if (status_code == HttpStatus_Unauthorized) {
esp_http_client_add_auth(http_client);
}
char upgrade_data_buf[DEFAULT_OTA_BUF_SIZE];
if (process_again(status_code)) {
while (1) {
int data_read = esp_http_client_read(http_client, upgrade_data_buf, DEFAULT_OTA_BUF_SIZE);
if (data_read < 0) {
ESP_LOGE(TAG, "Error: SSL data read error");
return ESP_FAIL;
} else if (data_read == 0) {
return ESP_OK;
}
}
}
return ESP_OK;
}
static esp_err_t _http_connect(esp_http_client_handle_t http_client)
{
esp_err_t err = ESP_FAIL;
int status_code;
do {
err = esp_http_client_open(http_client, 0);
if (err != ESP_OK) {
ESP_LOGE(TAG, "Failed to open HTTP connection: %s", esp_err_to_name(err));
return err;
}
esp_http_client_fetch_headers(http_client);
status_code = esp_http_client_get_status_code(http_client);
if (_http_handle_response_code(http_client, status_code) != ESP_OK) {
return ESP_FAIL;
}
} while (process_again(status_code));
return err;
}
static void _http_cleanup(esp_http_client_handle_t client)
{
esp_http_client_close(client);
esp_http_client_cleanup(client);
}
static esp_err_t _ota_write(esp_https_ota_t *https_ota_handle, const void *buffer, size_t buf_len)
{
if (buffer == NULL || https_ota_handle == NULL) {
return ESP_FAIL;
}
esp_err_t err = esp_ota_write(https_ota_handle->update_handle, buffer, buf_len);
if (err != ESP_OK) {
ESP_LOGE(TAG, "Error: esp_ota_write failed! err=0x%d", err);
} else {
https_ota_handle->binary_file_len += buf_len;
ESP_LOGD(TAG, "Written image length %d", https_ota_handle->binary_file_len);
err = ESP_ERR_HTTPS_OTA_IN_PROGRESS;
}
return err;
}
esp_err_t esp_https_ota_begin(esp_https_ota_config_t *ota_config, esp_https_ota_handle_t *handle)
{
esp_err_t err;
if (handle == NULL || ota_config == NULL || ota_config->http_config == NULL) {
ESP_LOGE(TAG, "esp_https_ota_begin: Invalid argument");
if (handle) {
*handle = NULL;
}
return ESP_ERR_INVALID_ARG;
}
#if !CONFIG_OTA_ALLOW_HTTP
if (!ota_config->http_config->cert_pem) {
ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
*handle = NULL;
return ESP_ERR_INVALID_ARG;
}
#endif
esp_https_ota_t *https_ota_handle = calloc(1, sizeof(esp_https_ota_t));
if (!https_ota_handle) {
ESP_LOGE(TAG, "Couldn't allocate memory to upgrade data buffer");
*handle = NULL;
return ESP_ERR_NO_MEM;
}
/* Initiate HTTP Connection */
https_ota_handle->http_client = esp_http_client_init(ota_config->http_config);
if (https_ota_handle->http_client == NULL) {
ESP_LOGE(TAG, "Failed to initialise HTTP connection");
err = ESP_FAIL;
goto failure;
}
err = _http_connect(https_ota_handle->http_client);
if (err != ESP_OK) {
ESP_LOGE(TAG, "Failed to establish HTTP connection");
goto http_cleanup;
}
https_ota_handle->update_partition = NULL;
ESP_LOGI(TAG, "Starting OTA...");
https_ota_handle->update_partition = esp_ota_get_next_update_partition(NULL);
if (https_ota_handle->update_partition == NULL) {
ESP_LOGE(TAG, "Passive OTA partition not found");
err = ESP_FAIL;
goto http_cleanup;
}
ESP_LOGI(TAG, "Writing to partition subtype %d at offset 0x%x",
https_ota_handle->update_partition->subtype, https_ota_handle->update_partition->address);
const int alloc_size = (ota_config->http_config->buffer_size > DEFAULT_OTA_BUF_SIZE) ?
ota_config->http_config->buffer_size : DEFAULT_OTA_BUF_SIZE;
https_ota_handle->ota_upgrade_buf = (char *)malloc(alloc_size);
if (!https_ota_handle->ota_upgrade_buf) {
ESP_LOGE(TAG, "Couldn't allocate memory to upgrade data buffer");
err = ESP_ERR_NO_MEM;
goto http_cleanup;
}
https_ota_handle->ota_upgrade_buf_size = alloc_size;
https_ota_handle->binary_file_len = 0;
*handle = (esp_https_ota_handle_t)https_ota_handle;
https_ota_handle->state = ESP_HTTPS_OTA_BEGIN;
return ESP_OK;
http_cleanup:
_http_cleanup(https_ota_handle->http_client);
failure:
free(https_ota_handle);
*handle = NULL;
return err;
}
esp_err_t esp_https_ota_get_img_desc(esp_https_ota_handle_t https_ota_handle, esp_app_desc_t *new_app_info)
{
esp_https_ota_t *handle = (esp_https_ota_t *)https_ota_handle;
if (handle == NULL || new_app_info == NULL) {
ESP_LOGE(TAG, "esp_https_ota_read_img_desc: Invalid argument");
return ESP_ERR_INVALID_ARG;
}
if (handle->state < ESP_HTTPS_OTA_BEGIN) {
ESP_LOGE(TAG, "esp_https_ota_read_img_desc: Invalid state");
return ESP_FAIL;
}
int data_read_size = IMAGE_HEADER_SIZE;
int data_read = esp_http_client_read(handle->http_client,
handle->ota_upgrade_buf,
data_read_size);
if (data_read < 0) {
return ESP_FAIL;
}
if (data_read >= sizeof(esp_image_header_t) + sizeof(esp_image_segment_header_t) + sizeof(esp_app_desc_t)) {
memcpy(new_app_info, &handle->ota_upgrade_buf[sizeof(esp_image_header_t) + sizeof(esp_image_segment_header_t)], sizeof(esp_app_desc_t));
handle->binary_file_len += data_read;
} else {
return ESP_FAIL;
}
return ESP_OK;
}
esp_err_t esp_https_ota_perform(esp_https_ota_handle_t https_ota_handle)
{
esp_https_ota_t *handle = (esp_https_ota_t *)https_ota_handle;
if (handle == NULL) {
ESP_LOGE(TAG, "esp_https_ota_perform: Invalid argument");
return ESP_ERR_INVALID_ARG;
}
if (handle->state < ESP_HTTPS_OTA_BEGIN) {
ESP_LOGE(TAG, "esp_https_ota_perform: Invalid state");
return ESP_FAIL;
}
esp_err_t err;
int data_read;
switch (handle->state) {
case ESP_HTTPS_OTA_BEGIN:
err = esp_ota_begin(handle->update_partition, OTA_SIZE_UNKNOWN, &handle->update_handle);
if (err != ESP_OK) {
ESP_LOGE(TAG, "esp_ota_begin failed (%s)", esp_err_to_name(err));
return err;
}
handle->state = ESP_HTTPS_OTA_IN_PROGRESS;
/* In case `esp_https_ota_read_img_desc` was invoked first,
then the image data read there should be written to OTA partition
*/
if (handle->binary_file_len) {
return _ota_write(handle, (const void *)handle->ota_upgrade_buf, handle->binary_file_len);
}
/* falls through */
case ESP_HTTPS_OTA_IN_PROGRESS:
data_read = esp_http_client_read(handle->http_client,
handle->ota_upgrade_buf,
handle->ota_upgrade_buf_size);
if (data_read == 0) {
ESP_LOGI(TAG, "Connection closed, all data received");
} else if (data_read < 0) {
ESP_LOGE(TAG, "Error: SSL data read error");
return ESP_FAIL;
} else if (data_read > 0) {
return _ota_write(handle, (const void *)handle->ota_upgrade_buf, data_read);
}
handle->state = ESP_HTTPS_OTA_SUCCESS;
break;
default:
ESP_LOGE(TAG, "Invalid ESP HTTPS OTA State");
return ESP_FAIL;
break;
}
return ESP_OK;
}
esp_err_t esp_https_ota_finish(esp_https_ota_handle_t https_ota_handle)
{
esp_https_ota_t *handle = (esp_https_ota_t *)https_ota_handle;
if (handle == NULL) {
return ESP_ERR_INVALID_ARG;
}
if (handle->state < ESP_HTTPS_OTA_BEGIN) {
return ESP_FAIL;
}
esp_err_t err = ESP_OK;
switch (handle->state) {
case ESP_HTTPS_OTA_SUCCESS:
case ESP_HTTPS_OTA_IN_PROGRESS:
err = esp_ota_end(handle->update_handle);
/* falls through */
case ESP_HTTPS_OTA_BEGIN:
if (handle->ota_upgrade_buf) {
free(handle->ota_upgrade_buf);
}
if (handle->http_client) {
_http_cleanup(handle->http_client);
}
break;
default:
ESP_LOGE(TAG, "Invalid ESP HTTPS OTA State");
break;
}
if ((err == ESP_OK) && (handle->state == ESP_HTTPS_OTA_SUCCESS)) {
esp_err_t err = esp_ota_set_boot_partition(handle->update_partition);
if (err != ESP_OK) {
ESP_LOGE(TAG, "esp_ota_set_boot_partition failed! err=0x%d", err);
}
}
free(handle);
return err;
}
int esp_https_ota_get_image_len_read(esp_https_ota_handle_t https_ota_handle)
{
esp_https_ota_t *handle = (esp_https_ota_t *)https_ota_handle;
if (handle == NULL) {
return -1;
}
if (handle->state < ESP_HTTPS_OTA_IN_PROGRESS) {
return -1;
}
return handle->binary_file_len;
}
esp_err_t esp_https_ota(const esp_http_client_config_t *config)
{
if (!config) {
ESP_LOGE(TAG, "esp_http_client config not found");
return ESP_ERR_INVALID_ARG;
}
}
#if !CONFIG_OTA_ALLOW_HTTP
if (!config->cert_pem && !config->use_global_ca_store) {
ESP_LOGE(TAG, "Server certificate not found, either through configuration or global CA store");
return ESP_ERR_INVALID_ARG;
}
#endif
esp_https_ota_config_t ota_config = {
.http_config = config,
};
esp_http_client_handle_t client = esp_http_client_init(config);
if (client == NULL) {
ESP_LOGE(TAG, "Failed to initialise HTTP connection");
esp_https_ota_handle_t https_ota_handle = NULL;
esp_err_t err = esp_https_ota_begin(&ota_config, &https_ota_handle);
if (https_ota_handle == NULL) {
return ESP_FAIL;
}
#if !CONFIG_OTA_ALLOW_HTTP
if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
ESP_LOGE(TAG, "Transport is not over HTTPS");
return ESP_FAIL;
}
#endif
esp_err_t err = esp_http_client_open(client, 0);
if (err != ESP_OK) {
esp_http_client_cleanup(client);
ESP_LOGE(TAG, "Failed to open HTTP connection: %s", esp_err_to_name(err));
return err;
}
esp_http_client_fetch_headers(client);
esp_ota_handle_t update_handle = 0;
const esp_partition_t *update_partition = NULL;
ESP_LOGI(TAG, "Starting OTA...");
update_partition = esp_ota_get_next_update_partition(NULL);
if (update_partition == NULL) {
ESP_LOGE(TAG, "Passive OTA partition not found");
http_cleanup(client);
return ESP_FAIL;
}
ESP_LOGI(TAG, "Writing to partition subtype %d at offset 0x%x",
update_partition->subtype, update_partition->address);
err = esp_ota_begin(update_partition, OTA_SIZE_UNKNOWN, &update_handle);
if (err != ESP_OK) {
ESP_LOGE(TAG, "esp_ota_begin failed, error=%d", err);
http_cleanup(client);
return err;
}
ESP_LOGI(TAG, "esp_ota_begin succeeded");
ESP_LOGI(TAG, "Please Wait. This may take time");
esp_err_t ota_write_err = ESP_OK;
const int alloc_size = (config->buffer_size > 0) ? config->buffer_size : DEFAULT_OTA_BUF_SIZE;
char *upgrade_data_buf = (char *)malloc(alloc_size);
if (!upgrade_data_buf) {
ESP_LOGE(TAG, "Couldn't allocate memory to upgrade data buffer");
return ESP_ERR_NO_MEM;
}
int binary_file_len = 0;
while (1) {
int data_read = esp_http_client_read(client, upgrade_data_buf, alloc_size);
if (data_read == 0) {
ESP_LOGI(TAG, "Connection closed, all data received");
err = esp_https_ota_perform(https_ota_handle);
if (err != ESP_ERR_HTTPS_OTA_IN_PROGRESS) {
break;
}
if (data_read < 0) {
ESP_LOGE(TAG, "Error: SSL data read error");
break;
}
if (data_read > 0) {
ota_write_err = esp_ota_write(update_handle, (const void *) upgrade_data_buf, data_read);
if (ota_write_err != ESP_OK) {
break;
}
binary_file_len += data_read;
ESP_LOGD(TAG, "Written image length %d", binary_file_len);
}
}
free(upgrade_data_buf);
http_cleanup(client);
ESP_LOGD(TAG, "Total binary data length writen: %d", binary_file_len);
esp_err_t ota_end_err = esp_ota_end(update_handle);
if (ota_write_err != ESP_OK) {
ESP_LOGE(TAG, "Error: esp_ota_write failed! err=0x%d", err);
return ota_write_err;
} else if (ota_end_err != ESP_OK) {
ESP_LOGE(TAG, "Error: esp_ota_end failed! err=0x%d. Image is invalid", ota_end_err);
return ota_end_err;
}
err = esp_ota_set_boot_partition(update_partition);
esp_err_t ota_finish_err = esp_https_ota_finish(https_ota_handle);
if (err != ESP_OK) {
ESP_LOGE(TAG, "esp_ota_set_boot_partition failed! err=0x%d", err);
/* If there was an error in esp_https_ota_perform(),
then it is given more precedence than error in esp_https_ota_finish()
*/
return err;
} else if (ota_finish_err != ESP_OK) {
return ota_finish_err;
}
ESP_LOGI(TAG, "esp_ota_set_boot_partition succeeded");
return ESP_OK;
}
}

9
components/tcp_transport/include/esp_transport_ssl.h
View File

@@ -69,6 +69,15 @@ void esp_transport_ssl_set_client_cert_data(esp_transport_handle_t t, const char
*/
void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char *data, int len);
/**
* @brief Skip validation of certificate's common name field
*
* @note Skipping CN validation is not recommended
*
* @param t ssl transport
*/
void esp_transport_ssl_skip_common_name_check(esp_transport_handle_t t);
#ifdef __cplusplus
}
#endif

8
components/tcp_transport/transport_ssl.c
View File

@@ -190,6 +190,14 @@ void esp_transport_ssl_set_client_key_data(esp_transport_handle_t t, const char
}
}
void esp_transport_ssl_skip_common_name_check(esp_transport_handle_t t)
{
transport_ssl_t *ssl = esp_transport_get_context_data(t);
if (t && ssl) {
ssl->cfg.skip_common_name = true;
}
}
esp_transport_handle_t esp_transport_ssl_init()
{
esp_transport_handle_t t = esp_transport_init();