HTTPS OTA with Basic Authorization
-
- Posts: 58
- Joined: Thu Mar 01, 2018 1:26 am
HTTPS OTA with Basic Authorization
Hello everybody,
So I have the simple https ota working, now I just need to add basic authorization to it. I tried filling in the config structure with use and pass and the authorization type, but that didn't work. Then I noticed the esp_https_ota.c is actually using the function :esp_err_t err = esp_http_client_open(client, 0); in line 54. Checking that function lead me to believe it's not even checking the authorization. Instead esp_http_client_perform(client) function should be used. I tried changing to this function but turns out I need to modify a lot more things.
Is there an easy way for doing this that I'm just not seeing?!
I would appreciate any help.
So I have the simple https ota working, now I just need to add basic authorization to it. I tried filling in the config structure with use and pass and the authorization type, but that didn't work. Then I noticed the esp_https_ota.c is actually using the function :esp_err_t err = esp_http_client_open(client, 0); in line 54. Checking that function lead me to believe it's not even checking the authorization. Instead esp_http_client_perform(client) function should be used. I tried changing to this function but turns out I need to modify a lot more things.
Is there an easy way for doing this that I'm just not seeing?!
I would appreciate any help.
-
- Posts: 58
- Joined: Thu Mar 01, 2018 1:26 am
Re: HTTPS OTA with Basic Authorization
Hi - I've been working on HTTPS OTA today (not basic auth, admittedly), and saw your post when I was searching around streaming other data to flash with microtar.
From what I've seen, esp_http_client_init() is called by esp_https_ota(), and it's this function that takes the authorisation properties from config struct and populates the client structure. Internally, esp_http_client_init() calls _set_config(), and is passed the config struct. See here: https://github.com/espressif/esp-idf/bl ... ent.c#L300
It does appear that the config->username, config->password and config->auth_type settings are copied to the client struct.
esp_http_client_prepare() is called by esp_http_client_connect() in esp_http_client_open(), so the auth headers should be set AFAIK.
I'll try basic auth soon, and will post my findings here.
Tom.
From what I've seen, esp_http_client_init() is called by esp_https_ota(), and it's this function that takes the authorisation properties from config struct and populates the client structure. Internally, esp_http_client_init() calls _set_config(), and is passed the config struct. See here: https://github.com/espressif/esp-idf/bl ... ent.c#L300
It does appear that the config->username, config->password and config->auth_type settings are copied to the client struct.
esp_http_client_prepare() is called by esp_http_client_connect() in esp_http_client_open(), so the auth headers should be set AFAIK.
I'll try basic auth soon, and will post my findings here.
Tom.
-
- Posts: 33
- Joined: Wed Mar 28, 2018 6:58 am
Re: HTTPS OTA with Basic Authorization
Hello Tom,
Have you found out anything about basic authorization ?! I'm trying to do the same thing as you but all I get is the error with "wrong magic number" (see img attached). Could you point me to the right direction if you have found out anything ?
Best regards, Kostas.
Have you found out anything about basic authorization ?! I'm trying to do the same thing as you but all I get is the error with "wrong magic number" (see img attached). Could you point me to the right direction if you have found out anything ?
Best regards, Kostas.
- Attachments
-
- OTA_BasicAUTH_fail_01.jpg (41.95 KiB) Viewed 13224 times
Re: HTTPS OTA with Basic Authorization
0x3c is the left angle bracket character, which hints that the server might be returning an HTML page.
-
- Posts: 33
- Joined: Wed Mar 28, 2018 6:58 am
Re: HTTPS OTA with Basic Authorization
Thank you both for your answers.
I have to check the received data in order to see what's going on.
I'm developing FW for a customer of mine and I'm looking for a way to secure my OTA from attackers, copiers etc. I've read already Flash encryption and Secure Boot but these things secure other stuff. Now... what happens if someone gets his hands on the url that ESP32 downloads the OTA file ?
Isn't it possible for someone to "sniff" the url and download the OTA file in his PC??
Which is the right way to secure OTA file ?
P.S. I've noticed that in the struct esp_http_client_config exists an auth_type, username and password parameter. (attached image STRUCT_esp_http_client_config)
So i guessed that if i fill these parameters and add a usrname/password in the OTA url directory there I'll have a password protected https FW download. (attached image CODE_simple_ota_example)
Best regards, Kostas.
I have to check the received data in order to see what's going on.
I'm developing FW for a customer of mine and I'm looking for a way to secure my OTA from attackers, copiers etc. I've read already Flash encryption and Secure Boot but these things secure other stuff. Now... what happens if someone gets his hands on the url that ESP32 downloads the OTA file ?
Isn't it possible for someone to "sniff" the url and download the OTA file in his PC??
Which is the right way to secure OTA file ?
P.S. I've noticed that in the struct esp_http_client_config exists an auth_type, username and password parameter. (attached image STRUCT_esp_http_client_config)
So i guessed that if i fill these parameters and add a usrname/password in the OTA url directory there I'll have a password protected https FW download. (attached image CODE_simple_ota_example)
Best regards, Kostas.
- Attachments
-
- CODE_simple_ota_example.jpg (33.7 KiB) Viewed 13139 times
-
- STRUCT_esp_http_client_config.jpg (104.02 KiB) Viewed 13139 times
Re: HTTPS OTA with Basic Authorization
You can have 2 step protection. One is to have secured flash and bootloader with eFuse etc. So, even if someone will download your file or make copy from your esp32 product (dump binary) it will be not possible to see how code looks like. Second step can be with key (any value) stored in nvs in production, now your app can test if this key exists and if its correct. In such case you can let them download your OTA bin because its useless to them.
-
- Posts: 33
- Joined: Wed Mar 28, 2018 6:58 am
Re: HTTPS OTA with Basic Authorization
Thanks for your fast and accurate replies.
I would like to ask a last thing and I'm done with questions
Isn't it possible for someone to recreate ASM code from the OTA binary downloaded file with a disassembler ?
I need to avoid someone getting his hands on my code also due to sensitive data may reside in there. Also if a company for example would make a product, they should protect the FW and sensitive data at all costs and thats because HW is easily copied but the the real innovation is hidden in the FW.
I hope I'm not becoming a burden here but security and system's integrity really matters to me.
Thank you again for answering my questions and for your time!!
Best regards, Kostas.
I would like to ask a last thing and I'm done with questions
Isn't it possible for someone to recreate ASM code from the OTA binary downloaded file with a disassembler ?
I need to avoid someone getting his hands on my code also due to sensitive data may reside in there. Also if a company for example would make a product, they should protect the FW and sensitive data at all costs and thats because HW is easily copied but the the real innovation is hidden in the FW.
I hope I'm not becoming a burden here but security and system's integrity really matters to me.
Thank you again for answering my questions and for your time!!
Best regards, Kostas.
Re: HTTPS OTA with Basic Authorization
Check this PR github.com/espressif/esp-idf/pull/2688
Authorization by client certificate looks more secure.
Authorization by client certificate looks more secure.
Who is online
Users browsing this forum: No registered users and 116 guests