From ac630e44178a10bf333b7984a8bb590a2657c2c6 Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Tue, 29 Oct 2024 16:52:25 +0100
Subject: [PATCH 1/3] fix(sta2eth): Document security considerations in sta2eth example
---
 examples/network/sta2eth/README.md | 2 ++
 examples/network/sta2eth/main/Kconfig.projbuild | 2 +-
 examples/network/sta2eth/main/manual_config.c | 3 ++-
 3 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/examples/network/sta2eth/README.md b/examples/network/sta2eth/README.md
index 12e812d1f4..2665071dca 100644
--- a/examples/network/sta2eth/README.md
+++ b/examples/network/sta2eth/README.md
@@ -12,6 +12,8 @@ This example aims to demonstrate 1-1 bridge using WiFi station and one of these
 It also allows for reconfiguring WiFi settings using a virtual network in the Ethernet. The reconfiguration mode is initialized if the WiFi settings are not available, connection fails or manually by long pressing the Boot button (GPIO0). It is possible to configure WiFi settings (SSID and password) in a browser on a hostname `"http://wifi.settings"` or using unified provisioning.
+Note: This page is intended solely for initial setup and is not recommended for production use, as it lacks any security measures—data is transmitted in plain text over HTTP. For secure, production-grade configuration, we recommend using the default option: unified provisioning.
+
 ## How to use example
 This example could be used to *bring* wireless connectivity to devices that support only Ethernet (or USB Ethernet implemented as NCM device).
diff --git a/examples/network/sta2eth/main/Kconfig.projbuild b/examples/network/sta2eth/main/Kconfig.projbuild
index 7b85896e38..44b8c32b09 100644
--- a/examples/network/sta2eth/main/Kconfig.projbuild
+++ b/examples/network/sta2eth/main/Kconfig.projbuild
@@ -4,7 +4,7 @@ menu "Example Configuration"
 choice EXAMPLE_WIFI_CONFIGURATION
 prompt "WiFi configuration"
- default EXAMPLE_WIFI_CONFIGURATION_MANUAL
+ default EXAMPLE_WIFI_CONFIGURATION_PROVISIONING
 help
 Choose how the WiFi settings should be configured.
diff --git a/examples/network/sta2eth/main/manual_config.c b/examples/network/sta2eth/main/manual_config.c
index e95d041822..ded7346c15 100644
--- a/examples/network/sta2eth/main/manual_config.c
+++ b/examples/network/sta2eth/main/manual_config.c
@@ -32,7 +32,8 @@ bool is_provisioned(void)
 static esp_err_t http_get_handler(httpd_req_t *req) {
- const char page[] = "


\n" + const char page[] = "

WARNING: Configuring Wi-Fi credentials on this page is not secure

\n" + "

\n" "SSID:

\n" "Password:

\n" " "
From 94536cb51283bfb6e87b790f9b23a61e89867338 Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Tue, 29 Oct 2024 17:01:11 +0100
Subject: [PATCH 2/3] fix(sta2eth): Make some Ethernet options configurable
---
 .../network/sta2eth/main/Kconfig.projbuild | 22 +++++++++++++++++++
 .../network/sta2eth/main/ethernet_iface.c | 4 ++--
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/examples/network/sta2eth/main/Kconfig.projbuild b/examples/network/sta2eth/main/Kconfig.projbuild
index 44b8c32b09..23e90de006 100644
--- a/examples/network/sta2eth/main/Kconfig.projbuild
+++ b/examples/network/sta2eth/main/Kconfig.projbuild
@@ -86,4 +86,26 @@ menu "Example Configuration"
 the reconfiguration mode, i.e. to restart provisioning or manual configuration of Wi-Fi settings (ssid, password)
+ if EXAMPLE_WIRED_INTERFACE_IS_ETHERNET
+
+ config EXAMPLE_MODIFY_DHCP_MESSAGES
+ bool "Modify DHCP messages"
+ default y
+ help
+ This is needed if the client uses 61 option and the DHCP server applies strict rules
+ on assigning addresses.
+ Set this to 'n' if you don't need DHCP or you're using simplified DHCP workflow
+ without HW address options in DHCP messages.
+
+ config EXAMPLE_ETHERNET_USE_PROMISCUOUS
+ bool "Enable promiscuous mode on Ethernet interface"
+ default n
+ help
+ Enable promiscuous mode on the Ethernet interface.
+ Note: Enabling promiscuous mode results in better throughput as MAC addresses
+ in frames are not rewritten with the Ethernet interface's actual MAC address.
+ Note: Enabling promiscuous mode may cause ARP conflicts if the PC
+ is also connected to the same network with another NIC.
+ endif
+
 endmenu
diff --git a/examples/network/sta2eth/main/ethernet_iface.c b/examples/network/sta2eth/main/ethernet_iface.c
index edc451a0c3..e67fd70097 100644
--- a/examples/network/sta2eth/main/ethernet_iface.c
+++ b/examples/network/sta2eth/main/ethernet_iface.c
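Review bot: The new warning is only text inside the page string built in http_get_handler, so it reaches the person loading the page but nobody watching the device, and the POST handler that accepts the credentials is outside this hunk and unchanged as far as the series shows. A single log line when this page is served, e.g. `ESP_LOGW(TAG, "Serving manual Wi-Fi configuration page over plain HTTP (initial setup only)");` with whatever log tag manual_config.c defines, would make the plain-HTTP configuration mode visible in the console and in any collected logs, where a deployment mistake is more likely to be noticed. The HTML markup of the added line has been stripped from this rendering, so the exact element and its attributes cannot be checked here; http_get_handler continues past the end of the hunk.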
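Review bot: The help text for EXAMPLE_MODIFY_DHCP_MESSAGES refers to "61 option" without saying what it is, and a user in menuconfig has no other context; `This is needed if the client sends DHCP option 61 (client identifier) and the DHCP server applies strict rules` would read unambiguously. The same phrase appears in the comment above MODIFY_DHCP_MSGS in ethernet_iface.c in this patch, so it is worth fixing in both places. Both new symbols are wrapped in `if EXAMPLE_WIRED_INTERFACE_IS_ETHERNET`, so their CONFIG_ macros exist only for the Ethernet build; the C file that consumes them should not assume they are defined.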
@@ -20,13 +20,13 @@
 * - this results in better throughput
 * - might cause ARP conflicts if the PC is also connected to the same AP with another NIC
 */
-#define ETH_BRIDGE_PROMISCUOUS 0
+#define ETH_BRIDGE_PROMISCUOUS CONFIG_EXAMPLE_ETHERNET_USE_PROMISCUOUS
 /**
 * Set this to 1 to runtime update HW addresses in DHCP messages
 * (this is needed if the client uses 61 option and the DHCP server applies strict rules on assigning addresses)
 */
-#define MODIFY_DHCP_MSGS 0
+#define MODIFY_DHCP_MSGS CONFIG_EXAMPLE_MODIFY_DHCP_MESSAGES
 static const char *TAG = "example_wired_ethernet";
 static esp_eth_handle_t s_eth_handle = NULL;
From cce9a80aee6fed285a1d5a7cfe2feb221d929d6b Mon Sep 17 00:00:00 2001
From: David Cermak
Date: Thu, 7 Nov 2024 10:38:48 +0100
Subject: [PATCH 3/3] fix(sta2eth): Check for null `netif` before starting/stopping DHCP server
Fixes a potential null pointer dereference in `esp_netif` when PPP mode is enabled. In the Ethernet event handler, `esp_netif_dhcps_start()` and `esp_netif_dhcps_stop()` are now only called if `netif` is non-null (in provisioning mode when the actual TCP/IP stack from IDF is used, in work mode the `netif` is null, since the trafic is simply forwarded between wireless and wired networks without TCP/IP stack involved)
Closes https://github.com/espressif/esp-idf/issues/14816
---
 examples/network/sta2eth/main/ethernet_iface.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/examples/network/sta2eth/main/ethernet_iface.c b/examples/network/sta2eth/main/ethernet_iface.c
index e67fd70097..c856a05537 100644
--- a/examples/network/sta2eth/main/ethernet_iface.c
+++ b/examples/network/sta2eth/main/ethernet_iface.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
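Review bot: `#define ETH_BRIDGE_PROMISCUOUS CONFIG_EXAMPLE_ETHERNET_USE_PROMISCUOUS` and the MODIFY_DHCP_MSGS line below it bind the macros to Kconfig bool symbols that, when the option is n, are not defined at all in the generated sdkconfig.h (ESP-IDF emits `#define CONFIG_... 1` only for enabled options, as far as I know). Under `#if` an undefined identifier silently evaluates to 0, so the `default n` of the promiscuous option happens to work, but any use of these names in a runtime expression or in arithmetic elsewhere in the file — outside this hunk — would fail to compile in that configuration, and the same applies to MODIFY_DHCP_MSGS whenever someone turns its option off. Mapping each macro explicitly to 0/1 keeps it usable everywhere the old literal constants were. The comments above both macros still say "Set this to 1", which no longer applies now that the value comes from menuconfig; they should name the Kconfig option instead.
```c
/* … unchanged: comment block describing promiscuous mode … */
#ifdef CONFIG_EXAMPLE_ETHERNET_USE_PROMISCUOUS
#define ETH_BRIDGE_PROMISCUOUS 1
#else
#define ETH_BRIDGE_PROMISCUOUS 0
#endif

/* … unchanged: comment block describing DHCP message rewriting … */
#ifdef CONFIG_EXAMPLE_MODIFY_DHCP_MESSAGES
#define MODIFY_DHCP_MSGS 1
#else
#define MODIFY_DHCP_MSGS 0
#endif
```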
@@ -49,7 +49,11 @@ void eth_event_handler(void *arg, esp_event_base_t event_base,
 switch (event_id) {
 case ETHERNET_EVENT_CONNECTED:
 ESP_LOGI(TAG, "Ethernet Link Up");
- esp_netif_dhcps_start(netif);
+ if (netif) {
+ // Start DHCP server only if we "have" the actual netif (provisioning mode)
+ // (if netif==NULL we are only forwarding frames, no lwip involved)
+ esp_netif_dhcps_start(netif);
+ }
 esp_eth_ioctl(eth_handle, ETH_CMD_G_MAC_ADDR, mac_addr);
 ESP_LOGI(TAG, "Ethernet HW Addr %02x:%02x:%02x:%02x:%02x:%02x",
 mac_addr[0], mac_addr[1], mac_addr[2], mac_addr[3], mac_addr[4], mac_addr[5]);
@@ -57,7 +61,9 @@ void eth_event_handler(void *arg, esp_event_base_t event_base,
 break;
 case ETHERNET_EVENT_DISCONNECTED:
 ESP_LOGI(TAG, "Ethernet Link Down");
- esp_netif_dhcps_stop(netif);
+ if (netif) {
+ esp_netif_dhcps_stop(netif);
+ }
 s_ethernet_is_connected = false;
 break;
 case ETHERNET_EVENT_START:
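Review bot: Both added guards call `esp_netif_dhcps_start(netif)` and `esp_netif_dhcps_stop(netif)` without looking at the returned esp_err_t, so a DHCP server that fails to start in provisioning mode is silent while "Ethernet Link Up" has already been logged; `ESP_ERROR_CHECK_WITHOUT_ABORT(esp_netif_dhcps_start(netif));`, and the same wrapper around the stop call in the second hunk, would at least record it. The second hunk also drops the explanation the first one carries, leaving the DISCONNECTED branch with a bare `if (netif)`; a one-liner such as `// netif is NULL in work mode (frames forwarded without lwip)` keeps the two branches consistent. The commit message says netif is NULL in work mode by design, which makes NULL a mode flag rather than an error condition, and that is worth stating where netif is obtained, which is above the first hunk and outside this view. eth_event_handler begins before the first hunk and continues after the second.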