Added class for challenge-response authentication

2019-11-25 22:00:48 +01:00 · 2019-11-25 22:00:48 +01:00 · 373bed9121
parent fdf26d1669
commit 373bed9121
3 changed files with 91 additions and 0 deletions
--- a/include/ChallengeResponse.h
+++ b/include/ChallengeResponse.h
@ -0,0 +1,29 @@
+#pragma once
+
+#include <string>
+
+class ChallengeResponse
+{
+    public:
+        const unsigned long NONCE_LIFETIME_MS = 3000;
+
+        ChallengeResponse(const std::string &pw);
+
+        bool verify(const std::string &hash);
+
+        /*!
+         * Initiate a new challenge-response round.
+         * 
+         * Updates the internal state and returns the nonce to be sent to the client.
+         * The challenge must be answered within NONCE_LIFETIME_MS milliseconds.
+         * 
+         * \returns The nonce.
+         */
+        uint32_t nonce(void);
+
+    private:
+        std::string m_passwd;
+        uint32_t    m_currentNonce;
+        
+        unsigned long m_expireTime;
+};
--- a/include/Crypto_Config.h.example
+++ b/include/Crypto_Config.h.example
@ -0,0 +1,8 @@
+#pragma once
+
+namespace crypto
+{
+    // replace these with your own values!
+    static const char * const HTTP_PASSWORD = "secure!1";
+    static const char * const SALT = "1234567890abcdefghijklmnopqrstuv";
+}
--- a/src/ChallengeResponse.cpp
+++ b/src/ChallengeResponse.cpp
@ -0,0 +1,54 @@
+#include <sstream>
+#include <algorithm>
+
+#include <Arduino.h> // for esp_random() and millis()
+#include <mbedtls/sha256.h>
+
+#include "ChallengeResponse.h"
+
+#include "Crypto_Config.h"
+
+ChallengeResponse::ChallengeResponse(const std::string &pw)
+    : m_passwd(pw), m_expireTime(0)
+{
+}
+
+bool ChallengeResponse::verify(const std::string &hash)
+{
+    if(millis() > m_expireTime) {
+        // challenge timed out
+        return false;
+    }
+
+    std::ostringstream refResponse;
+    refResponse << m_passwd << ":" << m_currentNonce << ":" << crypto::SALT;
+
+    // calculate hash of reference response
+    uint8_t sha256sum[32];
+    mbedtls_sha256_ret(reinterpret_cast<const unsigned char*>(refResponse.str().data()),
+        refResponse.str().length(), sha256sum, 0);
+
+    // convert hash to hex
+    std::ostringstream hexHash;
+    for(size_t i = 0; i < 32; i++) {
+        static const char *conv = "0123456789abcdef";
+
+        uint8_t b = sha256sum[i];
+
+        hexHash << conv[(b >> 4)];
+        hexHash << conv[(b &0x0F)];
+    }
+
+    std::string lowerHash;
+    std::transform(hash.begin(), hash.end(), lowerHash.begin(),
+        [](char c) { return std::tolower(c);});
+
+    return hexHash.str() == hash;
+}
+
+uint32_t ChallengeResponse::nonce(void)
+{
+    m_currentNonce = esp_random();
+    m_expireTime = millis() + NONCE_LIFETIME_MS;
+    return m_currentNonce;
+}