From b073954a92b9ae1f39ee1f564dd918a025aec4fe Mon Sep 17 00:00:00 2001
From: gluap <44007906+gluap@users.noreply.github.com>
Date: Thu, 9 May 2024 17:53:12 +0200
Subject: [PATCH] add two-fold avoidance of tls issues. (#360)
---
 .gitignore | 6 ++++
 src/Firmware.cpp | 11 ++++---
 src/Firmware.h | 4 +--
 src/configServer.cpp | 21 +++++++++++--
 src/utils/cacerts.cpp | 73 ++++++++++++++++++++++++++++---------------
 5 files changed, 82 insertions(+), 33 deletions(-)
diff --git a/.gitignore b/.gitignore
index 1eb0a35c..3a923bcc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -24,3 +24,9 @@ docs/.jekyll-metadata
 docs/vendor
 .DS_Store
+
+# for people installing pio venv style
+venv
+
+# jetbrains
+.idea
\ No newline at end of file
diff --git a/src/Firmware.cpp b/src/Firmware.cpp
index 27badc89..61f4e562 100644
--- a/src/Firmware.cpp
+++ b/src/Firmware.cpp
@@ -35,9 +35,10 @@ static const size_t APP_PARTITION_SIZE = 0x380000; // read from part?
 static const int SHA256_HASH_LEN = 32;
 // todo: error handling
-void Firmware::downloadToSd(String url, String filename) {
+void Firmware::downloadToSd(String url, String filename, bool unsafe) {
 WiFiClientSecure client;
- client.setCACert(trustedRootCACertificates);
+ if (!unsafe) client.setCACert(trustedRootCACertificates);
+ else client.setInsecure();
 HTTPClient http;
 http.setUserAgent(mUserAgent);
 http.setFollowRedirects(HTTPC_STRICT_FOLLOW_REDIRECTS);
@@ -58,10 +59,12 @@ void Firmware::downloadToSd(String url, String filename) {
 }
 bool Firmware::downloadToFlash(String url,
- std::function progress) {
+ std::function progress,
+ bool unsafe) {
 bool success = false;
 WiFiClientSecure client;
- client.setCACert(trustedRootCACertificates);
+ if (!unsafe) client.setCACert(trustedRootCACertificates);
+ if (unsafe) client.setInsecure();
 HTTPClient http;
 http.setUserAgent(mUserAgent);
 http.setFollowRedirects(HTTPC_STRICT_FOLLOW_REDIRECTS);
diff --git a/src/Firmware.h b/src/Firmware.h
index 1846a040..504eea77 100644
--- a/src/Firmware.h
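Review bot: `client.setInsecure()` on the new `else` branch of downloadToSd switches off certificate and hostname validation for the whole download, so with `unsafe` set the image written to `filename` is whatever the host answering for the URL returns; downloadToFlash in the next hunk has the same branch. Whether a later integrity check compensates cannot be confirmed from this diff: `SHA256_HASH_LEN` and `Firmware::checkSdFirmware()` are visible only as names. The insecure path should at least leave a trace in the log so a device that skipped verification can be recognised afterwards, e.g. `else { log_w("TLS certificate verification disabled for firmware download"); client.setInsecure(); }`. The body of downloadToSd continues past the hunk.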
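Review bot: The two consecutive statements `if (!unsafe) client.setCACert(trustedRootCACertificates);` and `if (unsafe) client.setInsecure();` in downloadToFlash test the same condition twice, while downloadToSd in the hunk above expresses the same choice as `if/else`. Make the two functions read alike: `if (!unsafe) client.setCACert(trustedRootCACertificates); else client.setInsecure();`. The body of downloadToFlash continues beyond the hunk.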
+++ b/src/Firmware.h
@@ -29,8 +29,8 @@ class Firmware {
 public:
 explicit Firmware(String userAgent) : mUserAgent(userAgent) {};
- void downloadToSd(String url, String filename);
- bool downloadToFlash(String url, std::function progress);
+ void downloadToSd(String url, String filename, bool unsafe);
+ bool downloadToFlash(String url, std::function progress, bool unsafe);
 String getLastMessage();
 static String getFlashAppVersion();
diff --git a/src/configServer.cpp b/src/configServer.cpp
index 5a4c118c..87558c07 100644
--- a/src/configServer.cpp
+++ b/src/configServer.cpp
@@ -249,6 +249,7 @@ static const char* const updateSdIndex = R""""(
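Review bot: The new `bool unsafe` parameter on both declarations is undocumented, and a bare `bool` at a call site (`unsafe[0] == '1'` in configServer.cpp) does not tell the reader what it switches off. Add a comment above the two declarations, e.g. `// unsafe: skip TLS certificate verification of the download server (WiFiClientSecure::setInsecure()); the downloaded image is then only as trustworthy as the network path.` Since every caller now has to pass the flag explicitly, consider whether a default of `= false` is wanted so that verification stays the default for any caller this diff does not show. The rest of the class lies outside the hunk.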

{description}

From Github (preferred)

List also pre-releases
+Ignore TLS Errors (see documentation)
+ +If the upgrade via the button above does not work
download firmware.bin
and upload manually below.

File Upload

)""""; @@ -1675,11 +1686,13 @@ void updateProgress(size_t pos, size_t all) { static void handleFlashUpdateUrlAction(HTTPRequest * req, HTTPResponse * res) { const auto params = extractParameters(req); const auto url = getParameter(params, "downloadUrl"); + const auto unsafe = getParameter(params,"unsafe"); + log_i("Flash App Url is '%s'", url.c_str()); Firmware f(String("OBS/") + String(OBSVersion)); sensorManager->detachInterrupts(); - if (f.downloadToFlash(url, updateProgress)) { + if (f.downloadToFlash(url, updateProgress, unsafe[0] == '1')) { obsDisplay->showTextOnGrid(0, 3, "Success!"); sendRedirect(res, "/updatesd"); } else { @@ -2111,6 +2124,8 @@ static bool mkSdFlashDir() { static void handleFirmwareUpdateSdUrlAction(HTTPRequest * req, HTTPResponse * res) { const auto params = extractParameters(req); const auto url = getParameter(params, "downloadUrl"); + const auto unsafe = getParameter(params, "unsafe"); + log_i("OBS Firmware URL is '%s'", url.c_str()); if (!mkSdFlashDir()) { @@ -2121,7 +2136,9 @@ static void handleFirmwareUpdateSdUrlAction(HTTPRequest * req, HTTPResponse * re } // TODO: Progress bar display && http! Firmware f(String("OBS/") + String(OBSVersion)); - f.downloadToSd(url, "/sdflash/app.bin"); + f.downloadToSd(url, "/sdflash/app.bin", unsafe[0] == '1'); + obsDisplay->showTextOnGrid(0, 3, unsafe); + String firmwareError = Firmware::checkSdFirmware(); if (Firmware::getFlashAppVersion().isEmpty()) { diff --git a/src/utils/cacerts.cpp b/src/utils/cacerts.cpp index 17361465..f4b1a031 100644 --- a/src/utils/cacerts.cpp +++ b/src/utils/cacerts.cpp 
@@ -147,30 +147,6 @@ const char *const trustedRootCACertificates =
 "MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n"
 "nLRbwHOoq7hHwg==\n"
 "-----END CERTIFICATE-----\n"
- // GITHUB_ROOT_CA
- "-----BEGIN CERTIFICATE-----\n"
- "MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs\n"
- "MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\n"
- "d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j\n"
- "ZSBFViBSb290IENBMB4XDTA2MTExMDAwMDAwMFoXDTMxMTExMDAwMDAwMFowbDEL\n"
- "MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3\n"
- "LmRpZ2ljZXJ0LmNvbTErMCkGA1UEAxMiRGlnaUNlcnQgSGlnaCBBc3N1cmFuY2Ug\n"
- "RVYgUm9vdCBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMbM5XPm\n"
- "+9S75S0tMqbf5YE/yc0lSbZxKsPVlDRnogocsF9ppkCxxLeyj9CYpKlBWTrT3JTW\n"
- "PNt0OKRKzE0lgvdKpVMSOO7zSW1xkX5jtqumX8OkhPhPYlG++MXs2ziS4wblCJEM\n"
- "xChBVfvLWokVfnHoNb9Ncgk9vjo4UFt3MRuNs8ckRZqnrG0AFFoEt7oT61EKmEFB\n"
- "Ik5lYYeBQVCmeVyJ3hlKV9Uu5l0cUyx+mM0aBhakaHPQNAQTXKFx01p8VdteZOE3\n"
- "hzBWBOURtCmAEvF5OYiiAhF8J2a3iLd48soKqDirCmTCv2ZdlYTBoSUeh10aUAsg\n"
- "EsxBu24LUTi4S8sCAwEAAaNjMGEwDgYDVR0PAQH/BAQDAgGGMA8GA1UdEwEB/wQF\n"
- "MAMBAf8wHQYDVR0OBBYEFLE+w2kD+L9HAdSYJhoIAu9jZCvDMB8GA1UdIwQYMBaA\n"
- "FLE+w2kD+L9HAdSYJhoIAu9jZCvDMA0GCSqGSIb3DQEBBQUAA4IBAQAcGgaX3Nec\n"
- "nzyIZgYIVyHbIUf4KmeqvxgydkAQV8GK83rZEWWONfqe/EW1ntlMMUu4kehDLI6z\n"
- "eM7b41N5cdblIZQB2lWHmiRk9opmzN6cN82oNLFpmyPInngiK3BD41VHMWEZ71jF\n"
- "hS9OMPagMRYjyOfiZRYzy78aG6A9+MpeizGLYAiJLQwGXFK3xPkKmNEVX58Svnw2\n"
- "Yzi9RKR/5CYrCsSXaQ3pjOLAEFe4yHYSkVXySGnYvCoCWw9E1CAx2/S6cCZdkGCe\n"
- "vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep\n"
- "+OkuE6N36B9K\n"
- "-----END CERTIFICATE-----\n"
 // DigiCert Global Root CA (new github root CA 2022-03-15)
 "-----BEGIN CERTIFICATE-----\n"
 "MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh\n"
@@ -193,4 +169,51 @@ const char *const trustedRootCACertificates =
 "PnlUkiaY4IBIqDfv8NZ5YBberOgOzW6sRBc4L0na4UU+Krk2U886UAb3LujEV0ls\n"
 "YSEY1QSteDwsOoBrp+uvFRTp2InBuThs4pFsiv9kuXclVzDAGySj4dzp30d8tbQk\n"
 "CAUw7C29C79Fv1C5qfPrmAESrciIxpg0X40KPMbp1ZWVbd4=\n"
- "-----END CERTIFICATE-----\n";
+ "-----END CERTIFICATE-----\n"
+ // USERTRUST ECC Certification Authority (new github root CA 2024-05-11)
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIID0zCCArugAwIBAgIQVmcdBOpPmUxvEIFHWdJ1lDANBgkqhkiG9w0BAQwFADB7\n"
+ "MQswCQYDVQQGEwJHQjEbMBkGA1UECAwSR3JlYXRlciBNYW5jaGVzdGVyMRAwDgYD\n"
+ "VQQHDAdTYWxmb3JkMRowGAYDVQQKDBFDb21vZG8gQ0EgTGltaXRlZDEhMB8GA1UE\n"
+ "AwwYQUFBIENlcnRpZmljYXRlIFNlcnZpY2VzMB4XDTE5MDMxMjAwMDAwMFoXDTI4\n"
+ "MTIzMTIzNTk1OVowgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5\n"
+ "MRQwEgYDVQQHEwtKZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBO\n"
+ "ZXR3b3JrMS4wLAYDVQQDEyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0\n"
+ "aG9yaXR5MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEGqxUWqn5aCPnetUkb1PGWthL\n"
+ "q8bVttHmc3Gu3ZzWDGH926CJA7gFFOxXzu5dP+Ihs8731Ip54KODfi2X0GHE8Znc\n"
+ "JZFjq38wo7Rw4sehM5zzvy5cU7Ffs30yf4o043l5o4HyMIHvMB8GA1UdIwQYMBaA\n"
+ "FKARCiM+lvEH7OKvKe+CpX/QMKS0MB0GA1UdDgQWBBQ64QmG1M8ZwpZ2dEl23OA1\n"
+ "xmNjmjAOBgNVHQ8BAf8EBAMCAYYwDwYDVR0TAQH/BAUwAwEB/zARBgNVHSAECjAI\n"
+ "MAYGBFUdIAAwQwYDVR0fBDwwOjA4oDagNIYyaHR0cDovL2NybC5jb21vZG9jYS5j\n"
+ "b20vQUFBQ2VydGlmaWNhdGVTZXJ2aWNlcy5jcmwwNAYIKwYBBQUHAQEEKDAmMCQG\n"
+ "CCsGAQUFBzABhhhodHRwOi8vb2NzcC5jb21vZG9jYS5jb20wDQYJKoZIhvcNAQEM\n"
+ "BQADggEBABns652JLCALBIAdGN5CmXKZFjK9Dpx1WywV4ilAbe7/ctvbq5AfjJXy\n"
+ "ij0IckKJUAfiORVsAYfZFhr1wHUrxeZWEQff2Ji8fJ8ZOd+LygBkc7xGEJuTI42+\n"
+ "FsMuCIKchjN0djsoTI0DQoWz4rIjQtUfenVqGtF8qmchxDM6OW1TyaLtYiKou+JV\n"
+ "bJlsQ2uRl9EMC5MCHdK8aXdJ5htN978UeAOwproLtOGFfy/cQjutdAFI3tZs4RmY\n"
+ "CV4Ks2dH/hzg1cEo70qLRDEmBDeNiXQ2Lu+lIg+DdEmSx/cQwgwp+7e9un/jX9Wf\n"
+ "8qn0dNW44bOwgeThpWOjzOoEeJBuv/c=\n"
+ "-----END CERTIFICATE-----\n"
+ "-----BEGIN CERTIFICATE-----\n"
+ "MIIDqDCCAy6gAwIBAgIRAPNkTmtuAFAjfglGvXvh9R0wCgYIKoZIzj0EAwMwgYgx\n"
+ "CzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtKZXJz\n"
+ "ZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYDVQQD\n"
+ "EyVVU0VSVHJ1c3QgRUNDIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTE4MTEw\n"
+ "MjAwMDAwMFoXDTMwMTIzMTIzNTk1OVowgY8xCzAJBgNVBAYTAkdCMRswGQYDVQQI\n"
+ "ExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAOBgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoT\n"
+ "D1NlY3RpZ28gTGltaXRlZDE3MDUGA1UEAxMuU2VjdGlnbyBFQ0MgRG9tYWluIFZh\n"
+ "bGlkYXRpb24gU2VjdXJlIFNlcnZlciBDQTBZMBMGByqGSM49AgEGCCqGSM49AwEH\n"
+ "A0IABHkYk8qfbZ5sVwAjBTcLXw9YWsTef1Wj6R7W2SUKiKAgSh16TwUwimNJE4xk\n"
+ "IQeV/To14UrOkPAY9z2vaKb71EijggFuMIIBajAfBgNVHSMEGDAWgBQ64QmG1M8Z\n"
+ "wpZ2dEl23OA1xmNjmjAdBgNVHQ4EFgQU9oUKOxGG4QR9DqoLLNLuzGR7e64wDgYD\n"
+ "VR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAwHQYDVR0lBBYwFAYIKwYB\n"
+ "BQUHAwEGCCsGAQUFBwMCMBsGA1UdIAQUMBIwBgYEVR0gADAIBgZngQwBAgEwUAYD\n"
+ "VR0fBEkwRzBFoEOgQYY/aHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VTRVJUcnVz\n"
+ "dEVDQ0NlcnRpZmljYXRpb25BdXRob3JpdHkuY3JsMHYGCCsGAQUFBwEBBGowaDA/\n"
+ "BggrBgEFBQcwAoYzaHR0cDovL2NydC51c2VydHJ1c3QuY29tL1VTRVJUcnVzdEVD\n"
+ "Q0FkZFRydXN0Q0EuY3J0MCUGCCsGAQUFBzABhhlodHRwOi8vb2NzcC51c2VydHJ1\n"
+ "c3QuY29tMAoGCCqGSM49BAMDA2gAMGUCMEvnx3FcsVwJbZpCYF9z6fDWJtS1UVRs\n"
+ "cS0chWBNKPFNpvDKdrdKRe+oAkr2jU+ubgIxAODheSr2XhcA7oz9HmedGdMhlrd9\n"
+ "4ToKFbZl+/OnFFzqnvOhcjHvClECEQcKmc8fmA==\n"
+ "-----END CERTIFICATE-----\n"
+ ;