
add two-fold avoidance of tls issues. #360

Merged
merged 1 commit into from
May 9, 2024
6 changes: 6 additions & 0 deletions .gitignore
Expand Up @@ -24,3 +24,9 @@ docs/.jekyll-metadata
docs/vendor

.DS_Store

# for people installing pio venv style
venv

# jetbrains
.idea
11 changes: 7 additions & 4 deletions src/Firmware.cpp
Expand Up @@ -35,9 +35,10 @@ static const size_t APP_PARTITION_SIZE = 0x380000; // read from part?
static const int SHA256_HASH_LEN = 32;

// todo: error handling
void Firmware::downloadToSd(String url, String filename) {
void Firmware::downloadToSd(String url, String filename, bool unsafe) {
WiFiClientSecure client;
client.setCACert(trustedRootCACertificates);
if (!unsafe) client.setCACert(trustedRootCACertificates);
else client.setInsecure();
HTTPClient http;
http.setUserAgent(mUserAgent);
http.setFollowRedirects(HTTPC_STRICT_FOLLOW_REDIRECTS);
Expand All @@ -58,10 +59,12 @@ void Firmware::downloadToSd(String url, String filename) {
}

bool Firmware::downloadToFlash(String url,
std::function<void(uint32_t pos, uint32_t size)> progress) {
std::function<void(uint32_t pos, uint32_t size)> progress,
bool unsafe) {
bool success = false;
WiFiClientSecure client;
client.setCACert(trustedRootCACertificates);
if (!unsafe) client.setCACert(trustedRootCACertificates);
if (unsafe) client.setInsecure();
HTTPClient http;
http.setUserAgent(mUserAgent);
http.setFollowRedirects(HTTPC_STRICT_FOLLOW_REDIRECTS);
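Review bot: The two-statement form in downloadToFlash, `if (!unsafe) client.setCACert(trustedRootCACertificates);` followed by `if (unsafe) client.setInsecure();`, should match the if/else used in downloadToSd in the first hunk, e.g. `if (unsafe) client.setInsecure(); else client.setCACert(trustedRootCACertificates);`, so the CA-pin-or-disable decision is one branch that cannot drift into doing both. Either way, `setInsecure()` means the server certificate is not checked at all, so an image fetched with unsafe set carries no transport-level authenticity, and nothing in these hunks verifies the downloaded image afterwards (whether a later step does is outside the hunk). A why-comment at the branch, `// unsafe: skip server certificate validation; only for hosts whose CA is not in trustedRootCACertificates`, plus a log line recording that validation was skipped, would make that trade-off visible to the next reader and in the device log. Both function bodies continue past the hunk.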
4 changes: 2 additions & 2 deletions src/Firmware.h
Expand Up @@ -29,8 +29,8 @@
class Firmware {
public:
explicit Firmware(String userAgent) : mUserAgent(userAgent) {};
void downloadToSd(String url, String filename);
bool downloadToFlash(String url, std::function<void(uint32_t, uint32_t)> progress);
void downloadToSd(String url, String filename, bool unsafe);
bool downloadToFlash(String url, std::function<void(uint32_t, uint32_t)> progress, bool unsafe);
String getLastMessage();

static String getFlashAppVersion();
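Review bot: The new `unsafe` parameter on downloadToSd and downloadToFlash is undocumented, and its effect — skipping server certificate validation — is something every caller must know before passing true. A Doxygen line on each declaration, `/// @param unsafe when true the server certificate is not validated (WiFiClientSecure::setInsecure); the download then has no transport-level authenticity guarantee`, states the contract where callers see it. Leaving the parameter without a default argument is right, since callers then have to opt in explicitly. The class body continues past the hunk.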
21 changes: 19 additions & 2 deletions src/configServer.cpp
Expand Up @@ -249,6 +249,7 @@ static const char* const updateSdIndex = R""""(
<p>{description}</p>
<h3>From Github (preferred)</h3>
List also pre-releases<br><input type='checkbox' id='preReleases' onchange='selectFirmware()'>
Ignore TLS Errors (see documentation)<br><input type='checkbox' id='ignoreSSL' onchange='selectFirmware()'>
<script>
let availableReleases;
async function updateFirmwareList() {
Expand All @@ -259,6 +260,7 @@ async function updateFirmwareList() {
}
function selectFirmware() {
const displayPreReleases = (document.getElementById('preReleases').checked == true);
const ignoreSSL = (document.getElementById('ignoreSSL').checked == true);
url = "";
version = "";
availableReleases.filter(r => displayPreReleases || !r.prerelease).forEach(release => {
Expand All @@ -276,16 +278,25 @@ function selectFirmware() {
document.getElementById('version').value = "Update to " + version;
document.getElementById('version').disabled = false;
document.getElementById('downloadUrl').value = url;
document.getElementById('directlink').href = url;
} else {
document.getElementById('version').value = "No version found";
document.getElementById('version').disabled = true;
document.getElementById('downloadUrl').value = "";
document.getElementById('directlink').href = "";
}
if (ignoreSSL) {
document.getElementById('unsafe').value = "1";
} else {
document.getElementById('unsafe').value = "0";
}
}
updateFirmwareList();
</script>
<input type='hidden' name='downloadUrl' id='downloadUrl' value=''/>
<input type='hidden' name='unsafe' id='unsafe' value='0'/>
<input type='submit' name='version' id='version' class=btn value='Update' />
If the upgrade via the button above does not work<br/><a id="directlink" href="">download firmware.bin</a><br/> and upload manually below.
<h3>File Upload</h3>
)"""";

Expand Down Expand Up @@ -1675,11 +1686,13 @@ void updateProgress(size_t pos, size_t all) {
static void handleFlashUpdateUrlAction(HTTPRequest * req, HTTPResponse * res) {
const auto params = extractParameters(req);
const auto url = getParameter(params, "downloadUrl");
const auto unsafe = getParameter(params,"unsafe");

log_i("Flash App Url is '%s'", url.c_str());

Firmware f(String("OBS/") + String(OBSVersion));
sensorManager->detachInterrupts();
if (f.downloadToFlash(url, updateProgress)) {
if (f.downloadToFlash(url, updateProgress, unsafe[0] == '1')) {
obsDisplay->showTextOnGrid(0, 3, "Success!");
sendRedirect(res, "/updatesd");
} else {
Expand Down Expand Up @@ -2111,6 +2124,8 @@ static bool mkSdFlashDir() {
static void handleFirmwareUpdateSdUrlAction(HTTPRequest * req, HTTPResponse * res) {
const auto params = extractParameters(req);
const auto url = getParameter(params, "downloadUrl");
const auto unsafe = getParameter(params, "unsafe");

log_i("OBS Firmware URL is '%s'", url.c_str());

if (!mkSdFlashDir()) {
Expand All @@ -2121,7 +2136,9 @@ static void handleFirmwareUpdateSdUrlAction(HTTPRequest * req, HTTPResponse * re
}
// TODO: Progress bar display && http!
Firmware f(String("OBS/") + String(OBSVersion));
f.downloadToSd(url, "/sdflash/app.bin");
f.downloadToSd(url, "/sdflash/app.bin", unsafe[0] == '1');
obsDisplay->showTextOnGrid(0, 3, unsafe);


String firmwareError = Firmware::checkSdFirmware();
if (Firmware::getFlashAppVersion().isEmpty()) {
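Review bot: `obsDisplay->showTextOnGrid(0, 3, unsafe);` in handleFirmwareUpdateSdUrlAction prints the raw form value of `unsafe` on the display, which reads as leftover debugging rather than user feedback; it (and the doubled blank line after it) should be dropped or replaced by a real status text. What is worth recording is the log line: an update fetched with certificate validation switched off is exactly the event an operator wants to find later, so `log_i("OBS Firmware URL is '%s' (TLS verification %s)", url.c_str(), unsafe[0] == '1' ? "disabled" : "enabled");` here, with the same addition at the `Flash App Url` log in handleFlashUpdateUrlAction in the earlier hunk. `unsafe[0]` relies on getParameter returning an empty value whose `[0]` is readable when the field is absent from the POST; whether that holds depends on its return type, which is not in the hunk. Both handlers continue past their hunks.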
73 changes: 48 additions & 25 deletions src/utils/cacerts.cpp
Expand Up @@ -147,30 +147,6 @@ const char *const trustedRootCACertificates =
"MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n"
"nLRbwHOoq7hHwg==\n"
"-----END CERTIFICATE-----\n"
// GITHUB_ROOT_CA
"-----BEGIN CERTIFICATE-----\n"
"MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs\n"
"MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
"d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n"
"ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL\n"
"MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n"
"LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug\n"
"RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm\n"
"+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW\n"
"PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM\n"
"xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB\n"
"Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3\n"
"hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg\n"
"EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF\n"
"MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA\n"
"FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec\n"
"nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z\n"
"eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF\n"
"hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2\n"
"Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe\n"
"vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep\n"
"+OkuE6N36B9K\n"
"-----END CERTIFICATE-----\n"
// DigiCert Global Root CA (new github root CA 2022-03-15)
"-----BEGIN CERTIFICATE-----\n"
"MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n"
Expand All @@ -193,4 +169,51 @@ const char *const trustedRootCACertificates =
"PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n"
"YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n"
"CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
"-----END CERTIFICATE-----\n";
"-----END CERTIFICATE-----\n"
// USERTRUST ECC Certification Authority (new github root CA 2024-05-11)
"-----BEGIN CERTIFICATE-----\n"
"MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7\n"
"MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD\n"
"VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE\n"
"AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4\n"
"MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5\n"
"MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO\n"
"ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0\n"
"aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL\n"
"q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc\n"
"JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA\n"
"FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1\n"
"xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI\n"
"MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j\n"
"b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG\n"
"CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM\n"
"BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy\n"
"ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+\n"
"FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV\n"
"bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY\n"
"CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf\n"
"8qn0dNW44bOwgeThpWOjzOoEeJBuv/c=\n"
"-----END CERTIFICATE-----\n"
"-----BEGIN CERTIFICATE-----\n"
"MIIDqDCCAy6gAwIBAgIRAPNkTmtuAFAjfglGvXvh9R0wCgYIKoZIzj0EAwMwgYgx\n"
"CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJz\n"
"ZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQD\n"
"EyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE4MTEw\n"
"MjAwMDAwMFoXDTMwMTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAkdCMRswGQYDVQQI\n"
"ExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoT\n"
"D1NlY3RpZ28gTGltaXRlZDE3MDUGA1UEAxMuU2VjdGlnbyBFQ0MgRG9tYWluIFZh\n"
"bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEH\n"
"A0IABHkYk8qfbZ5sVwAjBTcLXw9YWsTef1Wj6R7W2SUKiKAgSh16TwUwimNJE4xk\n"
"IQeV/To14UrOkPAY9z2vaKb71EijggFuMIIBajAfBgNVHSMEGDAWgBQ64QmG1M8Z\n"
"wpZ2dEl23OA1xmNjmjAdBgNVHQ4EFgQU9oUKOxGG4QR9DqoLLNLuzGR7e64wDgYD\n"
"VR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYIKwYB\n"
"BQUHAwEGCCsGAQUFBwMCMBsGA1UdIAQUMBIwBgYEVR0gADAIBgZngQwBAgEwUAYD\n"
"VR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVz\n"
"dEVDQ0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYGCCsGAQUFBwEBBGowaDA/\n"
"BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdEVD\n"
"Q0FkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1\n"
"c3QuY29tMAoGCCqGSM49BAMDA2gAMGUCMEvnx3FcsVwJbZpCYF9z6fDWJtS1UVRs\n"
"cS0chWBNKPFNpvDKdrdKRe+oAkr2jU+ubgIxAODheSr2XhcA7oz9HmedGdMhlrd9\n"
"4ToKFbZl+/OnFFzqnvOhcjHvClECEQcKmc8fmA==\n"
"-----END CERTIFICATE-----\n"
;
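Review bot: The label `// USERTRUST ECC Certification Authority (new github root CA 2024-05-11)` covers only the first added certificate; the second PEM block has no comment at all, and the name strings embedded in its base64 read as "Sectigo ECC Domain Validation Secure Server CA", i.e. an intermediate rather than a root, while the first block's names read as the "AAA Certificate Services" cross-sign of USERTrust ECC rather than the self-signed root. Pinning intermediates and cross-signs in the device trust store works until the issuer rotates or the cross-sign expires, so each block should get its own comment naming subject, issuer and notAfter date taken from the decoded certificate, so the next rotation is visible in the file instead of surfacing as a failed update. The trailing `;` on a line of its own is unusual for this file; the removed line's `"-----END CERTIFICATE-----\n";` form keeps the previous convention.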