From d894e133adcb8642851d40606acf233202e27692 Mon Sep 17 00:00:00 2001
From: Mahavir Jain
Date: Mon, 31 Dec 2018 14:32:35 +0530
Subject: [PATCH] esp_https_ota: add config option to (optionally) allow http
---
 components/esp_https_ota/Kconfig | 12 ++++++++++++
 components/esp_https_ota/include/esp_https_ota.h | 1 +
 components/esp_https_ota/src/esp_https_ota.c | 6 +++++-
 3 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 components/esp_https_ota/Kconfig
diff --git a/components/esp_https_ota/Kconfig b/components/esp_https_ota/Kconfig
new file mode 100644
index 0000000000..c38dd49020
--- /dev/null
+++ b/components/esp_https_ota/Kconfig
@@ -0,0 +1,12 @@
+menu "ESP HTTPS OTA"
+
+ config OTA_ALLOW_HTTP
+ bool "Allow HTTP for OTA (WARNING: ONLY FOR TESTING PURPOSE, READ HELP)"
+ default n
+ help
+ It is highly recommended to keep HTTPS (along with server certificate validation) enabled.
+ Enabling this option comes with potential risk of:
+ - Non-encrypted communication channel with server
+ - Accepting firmware upgrade image from server with fake identity
+
+endmenu
diff --git a/components/esp_https_ota/include/esp_https_ota.h b/components/esp_https_ota/include/esp_https_ota.h
index 157195601c..c87ec3bdf4 100644
--- a/components/esp_https_ota/include/esp_https_ota.h
+++ b/components/esp_https_ota/include/esp_https_ota.h
@@ -33,6 +33,7 @@ extern "C" {
 * @return
 * - ESP_OK: OTA data updated, next reboot will use specified partition.
 * - ESP_FAIL: For generic failure.
+ * - ESP_ERR_INVALID_ARG: Invalid argument
 * - ESP_ERR_OTA_VALIDATE_FAILED: Invalid app image
 * - ESP_ERR_NO_MEM: Cannot allocate memory for OTA operation.
 * - ESP_ERR_FLASH_OP_TIMEOUT or ESP_ERR_FLASH_OP_FAIL: Flash write failed.
diff --git a/components/esp_https_ota/src/esp_https_ota.c b/components/esp_https_ota/src/esp_https_ota.c
index 9929a18560..3e18f9d4b1 100644
--- a/components/esp_https_ota/src/esp_https_ota.c
+++ b/components/esp_https_ota/src/esp_https_ota.c
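Review bot: The help text for `OTA_ALLOW_HTTP` lists the risks of plain HTTP but does not say that the option also compiles out the `cert_pem` requirement in `esp_https_ota()` (the `#if !CONFIG_OTA_ALLOW_HTTP` guards in esp_https_ota.c), so an HTTPS update configured without a server certificate is no longer rejected by that function either. I would add a bullet such as `- Server certificate (cert_pem) is no longer required, also for HTTPS URLs` and close the help with `Do not enable in production builds.` It is also worth stating that with this option on, the integrity of the downloaded image rests on app image signature verification, if the project enables it.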
@@ -35,10 +35,12 @@ esp_err_t esp_https_ota(const esp_http_client_config_t *config)
 return ESP_ERR_INVALID_ARG;
 }
+#if !CONFIG_OTA_ALLOW_HTTP
 if (!config->cert_pem) {
 ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
- return ESP_FAIL;
+ return ESP_ERR_INVALID_ARG;
 }
+#endif
 esp_http_client_handle_t client = esp_http_client_init(config);
 if (client == NULL) {
@@ -46,10 +48,12 @@ esp_err_t esp_https_ota(const esp_http_client_config_t *config)
 return ESP_FAIL;
 }
+#if !CONFIG_OTA_ALLOW_HTTP
 if (esp_http_client_get_transport_type(client) != HTTP_TRANSPORT_OVER_SSL) {
 ESP_LOGE(TAG, "Transport is not over HTTPS");
 return ESP_FAIL;
 }
+#endif
 esp_err_t err = esp_http_client_open(client, 0);
 if (err != ESP_OK) {
-- 
2.40.0
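Review bot: With `CONFIG_OTA_ALLOW_HTTP` enabled, the `cert_pem` check in this hunk is compiled out for every URL, so an `https://` request configured without a server certificate is no longer rejected, although the option is described as allowing HTTP rather than relaxing HTTPS. The transport is only known after `esp_http_client_init()`, so the check fits better beside the transport guard in the second hunk (`@@ -46,10 +48,12 @@`): keep requiring `cert_pem` when the transport is `HTTP_TRANSPORT_OVER_SSL`, and log a warning when a plain-HTTP download is actually taken so that test builds show up in device logs. Whether the TLS layer verifies the peer when `cert_pem` is NULL is not visible here and should be confirmed. `esp_https_ota()` begins and ends outside both hunks.

```c
    esp_http_client_handle_t client = esp_http_client_init(config);
    /* … unchanged: NULL check on client … */
#if CONFIG_OTA_ALLOW_HTTP
    if (esp_http_client_get_transport_type(client) == HTTP_TRANSPORT_OVER_SSL) {
        if (!config->cert_pem) {
            ESP_LOGE(TAG, "Server certificate not found in esp_http_client config");
            esp_http_client_cleanup(client);
            return ESP_ERR_INVALID_ARG;
        }
    } else {
        ESP_LOGW(TAG, "OTA over plain HTTP: server is not authenticated");
    }
#else
    /* … unchanged: reject transport that is not HTTP_TRANSPORT_OVER_SSL … */
#endif
```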
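Review bot: The `return ESP_FAIL;` inside the transport guard exits without releasing `client`, which was obtained from `esp_http_client_init()` just above, so each rejected non-HTTPS call leaks the handle. These are context lines, but since the commit wraps this block it is a natural place to add `esp_http_client_cleanup(client);` before the return. The rest of the function lies outside the hunk, so its other exit paths could not be checked.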