http CBC

Author: urbanze

http/README.md

@@ -1,6 +1,6 @@
 # ESP32 Ultimate OTA (HTTP)
 ESP32 OTA over many forms!\
-Crypted functions use AES-256 ECB.
+Crypted functions use AES-256 CBC.
 
 WiFi library: [WiFi](https://github.com/urbanze/esp32-wifi)
 
@@ -13,32 +13,35 @@ WiFi library: [WiFi](https://github.com/urbanze/esp32-wifi)
 
 ## How it works?
 * Basically, OTA HTTP get file (MIME MEDIA bytes) sent to ESP32 and write in OTA partition.
-* .PROCESS() will host TCP server, wait new client in HTTP web page, wait upload file and write all new incoming bytes to OTA partition.
+* .PROCESS() will host HTTP/HTML server, wait new client in HTTP web page, wait upload file and write all new incoming bytes to OTA partition.
 * This library will write **ALL BYTES** received in MIME MEDIA. After start, your external software can't send any byte that are not from the binary file.
 * If you use this library in separate task, stack of 4096B should be enough.
 * This library can do Factory Reset (last binary burned by USB).
 
-## Simple example to use HTTP (Crypto OFF)
+## Simple example to use OTA HTTP (Crypto OFF)
 ```
 WF wifi;
 OTA_HTTP ota;
 wifi.ap_start("wifi", "1234567890");
 
-ota.init(""); //Default port 80 (you can change in second param)
+ota.init(); //Default port 80
 while (1)
 {
 	ota.process(); //Wait client connection (up to 1sec) and read bytes sent by client in HTTP web page.
 }
 ```
 
-## Simple example to use HTTP (Crypto ON)
+## Simple example to use OTA HTTP (Crypto ON)
 Insert your desired key.
 ```
 WF wifi;
 OTA_HTTP ota;
 wifi.ap_start("wifi", "1234567890");
 
-ota.init("1234567890"); //Default port 80 (you can change in second param)
+ota.init(); //Default port 80
+
+//Set AES-256-CBC KEY and initial IV.
+ota.crypto("12345678901234567890123456789012", "0123456789012345");
 while (1)
 {
 	ota.process(); //Wait client connection (up to 1sec) and read bytes sent by client in HTTP web page.

http/ota-http.cpp

@@ -43,7 +43,7 @@ void OTA_HTTP::decrypt(uint8_t *data, uint16_t size)
                 aes_inp[i] = (j+i > size) ? 0 : data[j+i];
             }
 
-            mbedtls_aes_crypt_ecb(&aes, MBEDTLS_AES_DECRYPT, aes_inp, aes_out);
+            mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, 16, _iv, aes_inp, aes_out);
 
             for (int8_t i = 0; i < 16; i++)
             {
@@ -116,6 +116,10 @@ void OTA_HTTP::iterator(uint8_t *data, uint16_t data_size)
     const esp_partition_t *ota_partition = NULL;
     ota_partition = esp_ota_get_next_update_partition(NULL);
 
+	for (uint8_t i = 0; i < 16; i++)
+    {
+        _iv[i] = _firstiv[i];
+    }
 
     err = esp_ota_begin(ota_partition, OTA_SIZE_UNKNOWN, &ota_handle);
     if (err != ESP_OK)
@@ -124,6 +128,11 @@ void OTA_HTTP::iterator(uint8_t *data, uint16_t data_size)
 		tcp.printf("OTA begin fail [0x%x]</body></html>\r\n", err);
 		return;
     }
+	else
+	{
+		ESP_LOGI(tag, "OTA Started");
+	}
+	
 
 
 	//First write comming from packet read in process()
@@ -148,14 +157,15 @@ void OTA_HTTP::iterator(uint8_t *data, uint16_t data_size)
 			//After all bytes sent, tcp.available() may not be MODULE of 16, causing infinity loop.
 			//This instructions break if this loop occurs, removing desnecessary bytes.
 			if (!th) {th = esp_timer_get_time();}
-			if (esp_timer_get_time() - th < 2000000)
+			if (esp_timer_get_time() - th > 2000000)
 			{
-				for (int16_t i = 0; i < (avl%16); i++)
-					{tcp.read();}
+				//Nothing
+			}
+			else
+			{
+				vTaskDelay(100);
+				continue;
 			}
-
-			vTaskDelay(1);
-			continue;
 		}
 
 		th = 0;//Crypted loop aux.
@@ -386,6 +396,36 @@ void OTA_HTTP::process()
 	tcp.stop();
 }
 
+/**
+ * @brief Enable AES-256 CBC crypto.
+ * 
+ * @attention IV is modified by MBEDTLS.
+ * 
+ * @attention Key must be 32 Chars.
+ * @attention IV must be 16 Chars.
+ * 
+ * @param [*key]: AES key.
+ * @param [*iv]: Initial IV.
+ */
+void OTA_HTTP::crypto(const char *key="", const char *iv="")
+{
+    _cry = 0;
+
+    if (strlen(key) != 32) {ESP_LOGE(tag, "Key must be 32 Chars. Crypto OFF."); return;}
+    if (strlen(iv)  != 16) {ESP_LOGE(tag, "IV must be 16 Chars. Crypto OFF."); return;}
+
+
+    mbedtls_aes_init(&aes);
+    mbedtls_aes_setkey_enc(&aes, (uint8_t*)key, 256);
+    
+    for (uint8_t i = 0; i < 16; i++)
+    {
+        _firstiv[i] = iv[i];
+    }
+
+    _cry = 1;
+}
+
 /**
  * @brief Init OTA HTTP functions.
  * 
@@ -394,23 +434,8 @@ void OTA_HTTP::process()
  * @param [*key]: AES-256 ECB decrypt key (<=32 chars).
  * @param [port]: Port to use in HTTP web server. (eg: 8080, 80, etc)
  */
-void OTA_HTTP::init(const char *key, uint16_t port=80)
+void OTA_HTTP::init(uint16_t port=80)
 {
 	_port = port;
     host.begin(_port);
-
-    if (strlen(key))
-	{
-		char key2[32] = {0};
-        _cry = 1;
-        
-        strncpy(key2, key, sizeof(key2));
-
-        mbedtls_aes_init(&aes);
-        mbedtls_aes_setkey_enc(&aes, (uint8_t*)key2, 256);
-	}
-	else
-	{
-		_cry = 0;
-	}
 }

http/ota-http.h

@@ -19,6 +19,8 @@ class OTA_HTTP
 	private:
 		const char tag[9] = "OTA_HTTP";
 		int8_t _cry = 0;
+		uint8_t _firstiv[16] = {0};
+		uint8_t _iv[16] = {0};
 		uint16_t _port = 80;
 		mbedtls_aes_context aes;
 		TCP_CLIENT tcp;
@@ -32,7 +34,8 @@ class OTA_HTTP
 
 
 	public:
-		void init(const char *key, uint16_t port);
+		void init(uint16_t port);
+		void crypto(const char *key, const char *iv);
 		void process();
 
 

tcp/esp32-tcp/tcp.cpp

@@ -199,6 +199,17 @@ int16_t TCP_CLIENT::printf(const char *format, ...)
     return write((uint8_t*)bff, size);
 }
 
+/**
+ * @brief Send data over TCP connection.
+ * 
+ *  
+ * @return Data wrote.
+ */
+int16_t TCP_CLIENT::print(const char *str)
+{
+    return write((uint8_t*)str, strlen(str));
+}
+
 /**
  * @brief Read only one Byte of data available.
  * 
@@ -286,7 +297,8 @@ void TCP_SERVER::begin(uint16_t port)
  * When client connect in TCP Server, this function will return immediately and
  * return instance to use in TCP_CLIENT object (read/write/etc).
  * 
- * See "How to use in "Github example in README.md
+ * See "How to use" in Github example (README.md)
+ * Attention: This function block current task.
  * 
  * @param [timeout]: Max seconds to wait client connection.
  * 
@@ -304,10 +316,11 @@ int16_t TCP_SERVER::sv(int32_t timeout)
     stv.tv_sec = timeout;
     stv.tv_usec = 0;
 
+    memset(rmt_ip, 0, sizeof(rmt_ip));
     select(max, &fds, NULL, NULL, &stv);
     if (FD_ISSET(s, &fds))
     {
-        struct sockaddr_in6 src;
+        struct sockaddr_in src;
         socklen_t src_len = sizeof(src);
 
         c = accept(s, (struct sockaddr *)&src, &src_len);
@@ -316,7 +329,17 @@ int16_t TCP_SERVER::sv(int32_t timeout)
             ESP_LOGE(tag, "Fail to accept socket connections [%d]", errno);
             close(s);
         }
+
+        inet_ntop(AF_INET, &src.sin_addr , rmt_ip, sizeof(rmt_ip));
     }
 
     return c;
+}
+
+/**
+ * @brief Get source IP from last received packet.
+ */
+char *TCP_SERVER::remoteIP()
+{
+    return rmt_ip;
 }

tcp/esp32-tcp/tcp.h

@@ -71,6 +71,7 @@ class TCP_CLIENT
 
 		int16_t write(uint8_t *data, uint16_t size);
 		int16_t printf(const char *format, ...);
+		int16_t print(const char *str);
 
 		uint8_t read();
 		void readBytes(uint8_t *bff, uint16_t size);
@@ -83,13 +84,16 @@ class TCP_SERVER
 	private:
 		const char tag[11] = "TCP_SERVER";
 		int s = 0;
+		char rmt_ip[16] = {0};
 
 	public:
 		~TCP_SERVER();
 
 		void begin(uint16_t port);
 		int16_t sv(int32_t timeout);
+		char *remoteIP();
+
 };
 
 
-#endif
+#endif