From 9e44313714b385661ebc3268c4ca2d409bd1a870 Mon Sep 17 00:00:00 2001 From: Florian Date: Tue, 11 Jun 2024 14:05:37 -0500 Subject: [PATCH] Add Github Digicert cert hash check to avoid loading a deprecated certificate --- main/User_config.h | 2 ++ main/ZboardTheengs.ino | 3 ++- main/certs/default_ota_cert.h | 2 +- main/main.ino | 32 +++++++++++++++++++++++++++++++- 4 files changed, 36 insertions(+), 3 deletions(-) diff --git a/main/User_config.h b/main/User_config.h index 5aabd582..930826ce 100644 --- a/main/User_config.h +++ b/main/User_config.h @@ -215,6 +215,8 @@ const char* certificate PROGMEM = R"EOF(" # define MQTT_CERT_VALIDATE_DEFAULT false # endif +# define GITHUB_OTA_SERVER_CERT_HASH "d4d211b4553af9fac371f24c2268d59d2b0fec6b9aa0fdbbde068f078d7daf86" // SHA256 fingerprint of the certificate used by the OTA server + # ifndef AWS_IOT # define AWS_IOT false # endif diff --git a/main/ZboardTheengs.ino b/main/ZboardTheengs.ino index abfa687b..74286967 100644 --- a/main/ZboardTheengs.ino +++ b/main/ZboardTheengs.ino @@ -31,7 +31,7 @@ void addTestMessage(JsonArray& data, String name, String value, String result) { } void testDevice() { - StaticJsonDocument<1200> doc; + StaticJsonDocument<1280> doc; JsonArray data = doc.to(); addTestMessage(data, "Mac Address", String(WiFi.macAddress()), "OK"); @@ -46,6 +46,7 @@ void testDevice() { addTestMessage(data, "ETH Link Speed", String(ETH.linkSpeed()) + "Mbs", ETH.linkSpeed() ? "OK" : "NOK"); addTestMessage(data, "Build Date", String(__DATE__), "OK"); addTestMessage(data, "Build Time", String(__TIME__), "OK"); + Serial.println(); serializeJson(doc, Serial); Serial.println(); } diff --git a/main/certs/default_ota_cert.h b/main/certs/default_ota_cert.h index 1d5f55a7..48385d17 100644 --- a/main/certs/default_ota_cert.h +++ b/main/certs/default_ota_cert.h @@ -1,5 +1,5 @@ // The certificate must be in PEM ascii format. -// The default certificate is for github. +// The default certificate is for ota.openmqttgateway.com const char* OTAserver_cert PROGMEM = R"EOF(" -----BEGIN CERTIFICATE----- MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF diff --git a/main/main.ino b/main/main.ino index 97f6697d..20169973 100644 --- a/main/main.ino +++ b/main/main.ino @@ -1695,6 +1695,22 @@ void saveConfig() { configFile.close(); } +# ifdef ESP32 +# include "mbedtls/sha256.h" + +std::string generateHash(const std::string& input) { + unsigned char hash[32]; + mbedtls_sha256((unsigned char*)input.c_str(), input.length(), hash, 0); + + char hashString[65]; // Room for null terminator + for (int i = 0; i < 32; ++i) { + sprintf(&hashString[i * 2], "%02x", hash[i]); + } + + return std::string(hashString); +} +# endif + bool loadConfigFromFlash() { Log.trace(F("mounting FS..." CR)); bool result = false; @@ -1751,8 +1767,22 @@ bool loadConfigFromFlash() { } # endif } - if (json.containsKey("ota_server_cert")) + if (json.containsKey("ota_server_cert")) { +# ifdef ESP32 + // Read hash from the file + std::string hash = generateHash(json["ota_server_cert"]); + // Compare the hash with the expected hash + if (hash == GITHUB_OTA_SERVER_CERT_HASH) { + // Do nothing + Log.warning(F("Old Github OTA server detected, skipping" CR)); + } else { + Log.notice(F("OTA server cert hash: %s" CR), hash.c_str()); + ota_server_cert = json["ota_server_cert"].as(); + } +# else ota_server_cert = json["ota_server_cert"].as(); +# endif + } result = true; } else { Log.warning(F("failed to load json config" CR));