Thomas Kolb
24ba2242a4
Sensitive data are WiFi Logins and authentication data. This is done in preparation for the OTA update, where the firmware image will be transferred unencrypted and therefore passwords could be extracted from a dumped image.
54 lines
No EOL
1.3 KiB
C++
54 lines
No EOL
1.3 KiB
C++
#include <sstream>
|
|
#include <algorithm>
|
|
|
|
#include <Arduino.h> // for esp_random() and millis()
|
|
#include <mbedtls/sha256.h>
|
|
|
|
#include "ChallengeResponse.h"
|
|
|
|
#include "Config.h"
|
|
|
|
ChallengeResponse::ChallengeResponse(const std::string &pw)
|
|
: m_passwd(pw), m_expireTime(0)
|
|
{
|
|
}
|
|
|
|
bool ChallengeResponse::verify(const std::string &hash)
|
|
{
|
|
if(millis() > m_expireTime) {
|
|
// challenge timed out
|
|
return false;
|
|
}
|
|
|
|
std::ostringstream refResponse;
|
|
refResponse << m_passwd << ":" << m_currentNonce << ":" << Config::instance().getCRSalt();
|
|
|
|
// calculate hash of reference response
|
|
uint8_t sha256sum[32];
|
|
mbedtls_sha256_ret(reinterpret_cast<const unsigned char*>(refResponse.str().data()),
|
|
refResponse.str().length(), sha256sum, 0);
|
|
|
|
// convert hash to hex
|
|
std::ostringstream hexHash;
|
|
for(size_t i = 0; i < 32; i++) {
|
|
static const char *conv = "0123456789abcdef";
|
|
|
|
uint8_t b = sha256sum[i];
|
|
|
|
hexHash << conv[(b >> 4)];
|
|
hexHash << conv[(b &0x0F)];
|
|
}
|
|
|
|
std::string lowerHash;
|
|
std::transform(hash.begin(), hash.end(), lowerHash.begin(),
|
|
[](char c) { return std::tolower(c);});
|
|
|
|
return hexHash.str() == hash;
|
|
}
|
|
|
|
uint32_t ChallengeResponse::nonce(void)
|
|
{
|
|
m_currentNonce = esp_random();
|
|
m_expireTime = millis() + NONCE_LIFETIME_MS;
|
|
return m_currentNonce;
|
|
} |