From 1e538a7ed952f621525b8432fc57cd7c6141c3cd Mon Sep 17 00:00:00 2001 From: Clyne Sullivan Date: Wed, 3 Apr 2024 08:15:48 -0400 Subject: [PATCH] encryption with protected hmac key --- noisemeter-device/noisemeter-device.ino | 6 +-- noisemeter-device/secret-store.cpp | 51 +++++++++++++++++++++++++ noisemeter-device/secret-store.h | 47 +++++------------------ 3 files changed, 63 insertions(+), 41 deletions(-) create mode 100644 noisemeter-device/secret-store.cpp diff --git a/noisemeter-device/noisemeter-device.ino b/noisemeter-device/noisemeter-device.ino index 5d0c4ca..0be4850 100644 --- a/noisemeter-device/noisemeter-device.ino +++ b/noisemeter-device/noisemeter-device.ino @@ -284,8 +284,8 @@ void saveNetworkCreds(WebServer& httpServer) { // Confirm that the form was actually submitted. if (httpServer.hasArg("ssid") && httpServer.hasArg("psk")) { const auto id = String(buildDeviceId()); - const auto ssid = Secret(id).encrypt(httpServer.arg("ssid")); - const auto psk = Secret(id).encrypt(httpServer.arg("psk")); + const auto ssid = Secret::encrypt(id, httpServer.arg("ssid")); + const auto psk = Secret::encrypt(id, httpServer.arg("psk")); // Confirm that the given credentials will fit in the allocated EEPROM space. if (!ssid.isEmpty() && Creds.canStore(ssid) && Creds.canStore(psk)) { @@ -323,7 +323,7 @@ int tryWifiConnection() WiFi.mode(WIFI_STA); const auto id = String(buildDeviceId()); - const auto stat = WiFi.begin(Secret(id).decrypt(ssid).c_str(), Secret(id).decrypt(psk).c_str()); + const auto stat = WiFi.begin(Secret::decrypt(id, ssid).c_str(), Secret::decrypt(id, psk).c_str()); if (stat == WL_CONNECT_FAILED) return -1; diff --git a/noisemeter-device/secret-store.cpp b/noisemeter-device/secret-store.cpp new file mode 100644 index 0000000..f2fa473 --- /dev/null +++ b/noisemeter-device/secret-store.cpp @@ -0,0 +1,51 @@ +#include "secret-store.h" + +#include +#include + +constexpr static unsigned BITS = 256; // do not change + +namespace Secret { + +String encrypt(String key, String in) +{ + mbedtls_aes_context aes; + mbedtls_aes_init(&aes); + + const auto kb = key.c_str(); + const auto kl = key.length(); + { + uint8_t hmac[BITS / 8]; + esp_hmac_calculate(HMAC_KEY0, kb, kl, hmac); + mbedtls_aes_setkey_enc(&aes, hmac, BITS); + } + + char out[in.length()]; + mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_ENCRYPT, + reinterpret_cast(in.c_str()), + reinterpret_cast(out)); + return out; +} + +String decrypt(String key, String in) +{ + mbedtls_aes_context aes; + mbedtls_aes_init(&aes); + + const auto kb = key.c_str(); + const auto kl = key.length(); + { + uint8_t hmac[BITS / 8]; + esp_hmac_calculate(HMAC_KEY0, kb, kl, hmac); + mbedtls_aes_setkey_dec(&aes, hmac, BITS); + } + + char out[in.length()]; + mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_DECRYPT, + reinterpret_cast(in.c_str()), + reinterpret_cast(out)); + return out; +} + +} // namespace Secret + diff --git a/noisemeter-device/secret-store.h b/noisemeter-device/secret-store.h index 3967b98..f707a98 100644 --- a/noisemeter-device/secret-store.h +++ b/noisemeter-device/secret-store.h @@ -1,42 +1,13 @@ -#include -#include +#ifndef SECRET_STORE_H +#define SECRET_STORE_H -class Secret -{ - constexpr static int BITS = 256; // do not change - mbedtls_aes_context aes; - uint8_t hmac[BITS / 8]; - - bool generateKey(String key) { - const auto result = esp_hmac_calculate(HMAC_KEY4, key.c_str(), key.length(), hmac); - return result == ESP_OK; - } - - String process(String in, int mode) { - uint8_t out[64] = {0}; - mbedtls_aes_crypt_ecb(&aes, mode, (const uint8_t *)in.c_str(), out); - return String((char *)out); - } - -public: - Secret(String key) { - mbedtls_aes_init(&aes); - generateKey(key); - } +#include - ~Secret() { - mbedtls_aes_free(&aes); - } - - String encrypt(String in) { - mbedtls_aes_setkey_enc(&aes, hmac, BITS); - return process(in, MBEDTLS_AES_ENCRYPT); - } - - String decrypt(String in) { - mbedtls_aes_setkey_dec(&aes, hmac, BITS); - return process(in, MBEDTLS_AES_DECRYPT); - } -}; +namespace Secret +{ + String encrypt(String key, String in); + String decrypt(String key, String in); +} +#endif // SECRET_STORE_H