HTTPS OTA with Basic Authorization

thethinker
Posts: 58
Joined: Thu Mar 01, 2018 1:26 am

HTTPS OTA with Basic Authorization

Postby thethinker » Mon Oct 01, 2018 11:05 pm

Hello everybody,
So I have the simple https ota working, now I just need to add basic authorization to it. I tried filling in the config structure with use and pass and the authorization type, but that didn't work. Then I noticed the esp_https_ota.c is actually using the function :esp_err_t err = esp_http_client_open(client, 0); in line 54. Checking that function lead me to believe it's not even checking the authorization. Instead esp_http_client_perform(client) function should be used. I tried changing to this function but turns out I need to modify a lot more things.

Is there an easy way for doing this that I'm just not seeing?!
I would appreciate any help.

thethinker
Posts: 58
Joined: Thu Mar 01, 2018 1:26 am

Re: HTTPS OTA with Basic Authorization

Postby thethinker » Thu Oct 04, 2018 1:58 am

Anybody?

talss89
Posts: 2
Joined: Fri Oct 26, 2018 8:12 pm

Re: HTTPS OTA with Basic Authorization

Postby talss89 » Fri Oct 26, 2018 8:25 pm

Hi - I've been working on HTTPS OTA today (not basic auth, admittedly), and saw your post when I was searching around streaming other data to flash with microtar.

From what I've seen, esp_http_client_init() is called by esp_https_ota(), and it's this function that takes the authorisation properties from config struct and populates the client structure. Internally, esp_http_client_init() calls _set_config(), and is passed the config struct. See here: https://github.com/espressif/esp-idf/bl ... ent.c#L300

It does appear that the config->username, config->password and config->auth_type settings are copied to the client struct.

esp_http_client_prepare() is called by esp_http_client_connect() in esp_http_client_open(), so the auth headers should be set AFAIK.

I'll try basic auth soon, and will post my findings here.

Tom.

k.ifantidis
Posts: 33
Joined: Wed Mar 28, 2018 6:58 am

Re: HTTPS OTA with Basic Authorization

Postby k.ifantidis » Tue Nov 13, 2018 6:39 am

Hello Tom,
Have you found out anything about basic authorization ?! I'm trying to do the same thing as you but all I get is the error with "wrong magic number" (see img attached). Could you point me to the right direction if you have found out anything ?

Best regards, Kostas.
Attachments
OTA_BasicAUTH_fail_01.jpg
OTA_BasicAUTH_fail_01.jpg (41.95 KiB) Viewed 13136 times

ESP_igrr
Posts: 2071
Joined: Tue Dec 01, 2015 8:37 am

Re: HTTPS OTA with Basic Authorization

Postby ESP_igrr » Tue Nov 13, 2018 3:27 pm

0x3c is the left angle bracket character, which hints that the server might be returning an HTML page.


k.ifantidis
Posts: 33
Joined: Wed Mar 28, 2018 6:58 am

Re: HTTPS OTA with Basic Authorization

Postby k.ifantidis » Wed Nov 14, 2018 12:10 pm

Thank you both for your answers.
I have to check the received data in order to see what's going on.
I'm developing FW for a customer of mine and I'm looking for a way to secure my OTA from attackers, copiers etc. I've read already Flash encryption and Secure Boot but these things secure other stuff. Now... what happens if someone gets his hands on the url that ESP32 downloads the OTA file ?
Isn't it possible for someone to "sniff" the url and download the OTA file in his PC??
Which is the right way to secure OTA file ?

P.S. I've noticed that in the struct esp_http_client_config exists an auth_type, username and password parameter. (attached image STRUCT_esp_http_client_config)

So i guessed that if i fill these parameters and add a usrname/password in the OTA url directory there I'll have a password protected https FW download. (attached image CODE_simple_ota_example)


Best regards, Kostas.
Attachments
CODE_simple_ota_example.jpg
CODE_simple_ota_example.jpg (33.7 KiB) Viewed 13051 times
STRUCT_esp_http_client_config.jpg
STRUCT_esp_http_client_config.jpg (104.02 KiB) Viewed 13051 times

chegewara
Posts: 2364
Joined: Wed Jun 14, 2017 9:00 pm

Re: HTTPS OTA with Basic Authorization

Postby chegewara » Wed Nov 14, 2018 12:24 pm

You can have 2 step protection. One is to have secured flash and bootloader with eFuse etc. So, even if someone will download your file or make copy from your esp32 product (dump binary) it will be not possible to see how code looks like. Second step can be with key (any value) stored in nvs in production, now your app can test if this key exists and if its correct. In such case you can let them download your OTA bin because its useless to them.

k.ifantidis
Posts: 33
Joined: Wed Mar 28, 2018 6:58 am

Re: HTTPS OTA with Basic Authorization

Postby k.ifantidis » Thu Nov 15, 2018 5:36 am

Thanks for your fast and accurate replies.
I would like to ask a last thing and I'm done with questions :-)
Isn't it possible for someone to recreate ASM code from the OTA binary downloaded file with a disassembler ?
I need to avoid someone getting his hands on my code also due to sensitive data may reside in there. Also if a company for example would make a product, they should protect the FW and sensitive data at all costs and thats because HW is easily copied but the the real innovation is hidden in the FW.
I hope I'm not becoming a burden here but security and system's integrity really matters to me.


Thank you again for answering my questions and for your time!!
Best regards, Kostas.

Dzhest
Posts: 2
Joined: Thu Aug 09, 2018 2:27 pm

Re: HTTPS OTA with Basic Authorization

Postby Dzhest » Thu Nov 15, 2018 5:35 pm

Check this PR github.com/espressif/esp-idf/pull/2688
Authorization by client certificate looks more secure.

Who is online

Users browsing this forum: MicroController and 89 guests