Merge branch 'fix/example_sta2eth_more_docs' into 'master'

fix(sta2eth): Document security consideration in sta2eth example Closes IDFGH-13990 See merge request espressif/esp-idf!34518
2024-11-08 00:57:00 +08:00
parent 5e056de1e7 cce9a80aee
commit 457f65195e
4 changed files with 38 additions and 7 deletions
--- a/examples/network/sta2eth/README.md
+++ b/examples/network/sta2eth/README.md
@@ -12,6 +12,8 @@ This example aims to demonstrate 1-1 bridge using WiFi station and one of these
 It also allows for reconfiguring WiFi settings using a virtual network in the Ethernet. The reconfiguration mode is initialized if the WiFi settings are not available, connection fails or manually by long pressing the Boot button (GPIO0).
 It is possible to configure WiFi settings (SSID and password) in a browser on a hostname `"http://wifi.settings"` or using unified provisioning.

+Note: This page is intended solely for initial setup and is not recommended for production use, as it lacks any security measures—data is transmitted in plain text over HTTP. For secure, production-grade configuration, we recommend using the default option: unified provisioning.
+
 ## How to use example

 This example could be used to *bring* wireless connectivity to devices that support only Ethernet (or USB Ethernet implemented as NCM device).
--- a/examples/network/sta2eth/main/Kconfig.projbuild
+++ b/examples/network/sta2eth/main/Kconfig.projbuild
@@ -4,7 +4,7 @@ menu "Example Configuration"

    choice EXAMPLE_WIFI_CONFIGURATION
        prompt "WiFi configuration"
-        default EXAMPLE_WIFI_CONFIGURATION_MANUAL
+        default EXAMPLE_WIFI_CONFIGURATION_PROVISIONING
        help
            Choose how the WiFi settings should be configured.

@@ -86,4 +86,26 @@ menu "Example Configuration"
            the reconfiguration mode, i.e. to restart provisioning
            or manual configuration of Wi-Fi settings (ssid, password)

+    if EXAMPLE_WIRED_INTERFACE_IS_ETHERNET
+
+        config EXAMPLE_MODIFY_DHCP_MESSAGES
+            bool "Modify DHCP messages"
+            default y
+            help
+                This is needed if the client uses 61 option and the DHCP server applies strict rules
+                on assigning addresses.
+                Set this to 'n' if you don't need DHCP or you're using simplified DHCP workflow
+                without HW address options in DHCP messages.
+
+        config EXAMPLE_ETHERNET_USE_PROMISCUOUS
+            bool "Enable promiscuous mode on Ethernet interface"
+            default n
+            help
+                Enable promiscuous mode on the Ethernet interface.
+                Note: Enabling promiscuous mode results in better throughput as MAC addresses
+                in frames are not rewritten with the Ethernet interface's actual MAC address.
+                Note: Enabling promiscuous mode may cause ARP conflicts if the PC
+                is also connected to the same network with another NIC.
+    endif
+
 endmenu
--- a/examples/network/sta2eth/main/ethernet_iface.c
+++ b/examples/network/sta2eth/main/ethernet_iface.c
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2023 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2023-2024 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Unlicense OR CC0-1.0
 */
@@ -20,13 +20,13 @@
 *  - this results in better throughput
 *  - might cause ARP conflicts if the PC is also connected to the same AP with another NIC
 */
-#define ETH_BRIDGE_PROMISCUOUS  0
+#define ETH_BRIDGE_PROMISCUOUS  CONFIG_EXAMPLE_ETHERNET_USE_PROMISCUOUS

 /**
 * Set this to 1 to runtime update HW addresses in DHCP messages
 * (this is needed if the client uses 61 option and the DHCP server applies strict rules on assigning addresses)
 */
-#define MODIFY_DHCP_MSGS        0
+#define MODIFY_DHCP_MSGS        CONFIG_EXAMPLE_MODIFY_DHCP_MESSAGES

 static const char *TAG = "example_wired_ethernet";
 static esp_eth_handle_t s_eth_handle = NULL;
@@ -49,7 +49,11 @@ void eth_event_handler(void *arg, esp_event_base_t event_base,
    switch (event_id) {
    case ETHERNET_EVENT_CONNECTED:
        ESP_LOGI(TAG, "Ethernet Link Up");
+        if (netif) {
+            // Start DHCP server only if we "have" the actual netif (provisioning mode)
+            // (if netif==NULL we are only forwarding frames, no lwip involved)
            esp_netif_dhcps_start(netif);
+        }
        esp_eth_ioctl(eth_handle, ETH_CMD_G_MAC_ADDR, mac_addr);
        ESP_LOGI(TAG, "Ethernet HW Addr %02x:%02x:%02x:%02x:%02x:%02x",
                 mac_addr[0], mac_addr[1], mac_addr[2], mac_addr[3], mac_addr[4], mac_addr[5]);
@@ -57,7 +61,9 @@ void eth_event_handler(void *arg, esp_event_base_t event_base,
        break;
    case ETHERNET_EVENT_DISCONNECTED:
        ESP_LOGI(TAG, "Ethernet Link Down");
+        if (netif) {
            esp_netif_dhcps_stop(netif);
+        }
        s_ethernet_is_connected = false;
        break;
    case ETHERNET_EVENT_START:
--- a/examples/network/sta2eth/main/manual_config.c
+++ b/examples/network/sta2eth/main/manual_config.c
@@ -32,7 +32,8 @@ bool is_provisioned(void)

 static esp_err_t http_get_handler(httpd_req_t *req)
 {
-    const char page[] = "<form action=\"/\" method=\"get\"><br><br>\n"
+    const char page[] = "<h3>WARNING: Configuring Wi-Fi credentials on this page is not secure</h3>\n"
+                        "<form action=\"/\" method=\"get\"><br><br>\n"
                        "SSID:  <input type=\"text\" id=\"ssid\" name=\"ssid\"><br><br>\n"
                        "Password:  <input type=\"text\" id=\"password\" name=\"password\"><br><br>\n"
                        "  <input type=\"submit\" value=\"Connect\">"