#217 in progress support for encryption

davetcc · davetcc · commit 03e06d1a4d06 · 2024-07-26T08:54:26.000+01:00
diff --git a/examples/mbed/stm32OledEncoder/generated/MBedEthernetTransport.h b/examples/mbed/stm32OledEncoder/generated/MBedEthernetTransport.h
@@ -31,7 +31,7 @@ namespace tcremote {
         InternetSocket* socket;
         bool isOpen;
     public:
-        MBedEthernetTransport() : BaseBufferedRemoteTransport(BUFFER_MESSAGES_TILL_FULL, 96, 250) {
+        MBedEthernetTransport(EncryptionHandler* encHandler) : BaseBufferedRemoteTransport(BUFFER_ONE_MESSAGE, 250, 250, encHandler) {
             this->socket = nullptr;
             isOpen = false;
         }
diff --git a/examples/mbed/stm32OledEncoder/generated/MbedTlsEncryptionHandler.cpp b/examples/mbed/stm32OledEncoder/generated/MbedTlsEncryptionHandler.cpp
@@ -0,0 +1,56 @@
+#include "MbedTlsEncryptionHandler.h"
+
+using namespace tcremote;
+
+MbedTlsEncryptionHandler::MbedTlsEncryptionHandler(const uint8_t* keyIn) {
+    memcpy(key, keyIn, sizeof key);
+    memset(ivDec, 0, sizeof ivDec);
+    memset(ivEnc, 0, sizeof ivEnc);
+}
+
+void MbedTlsEncryptionHandler::initialise() {
+    // initialise random number generation and aes.
+    mbedtls_aes_init(&aes);
+    mbedtls_entropy_init( &entropy );
+    mbedtls_ctr_drbg_init( &ctr_drbg );
+
+    // create a reasonably random seed, improved if you define TCMENU_ENTROPY_CUSTOM_DATA yourself
+    mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
+                          (unsigned char *) TCMENU_ENTROPY_CUSTOM_DATA,
+                          strlen( TCMENU_ENTROPY_CUSTOM_DATA ));
+
+    // randomize the initialisation vectors
+    mbedtls_ctr_drbg_random(&ctr_drbg, ivDec, sizeof ivDec);
+    mbedtls_ctr_drbg_random(&ctr_drbg, ivEnc, sizeof ivEnc);
+}
+
+size_t roundToNearest(int in) {
+    // we need to send in increments of 16 bytes, so we autofill to that boundary.
+    auto remainder = in % 16;
+    if(remainder == 0) return in;
+    return in + (16-remainder);
+}
+
+int MbedTlsEncryptionHandler::encryptData(uint8_t *plainText, int bytesIn, uint8_t *buffer, size_t buffLen) {
+    mbedtls_aes_setkey_enc(&aes, key, 256);
+    // find the nearest 16 byte boundary that is larger than bytesIn.
+    size_t totalIn = roundToNearest(bytesIn);
+    // ensure the buffers are big enough and then fill the end of the buffer with zeros.
+    if(totalIn + 16 >= buffLen) return 0;
+    for(size_t i=bytesIn; i<totalIn;i++) {
+        plainText[i] = 0;
+    }
+    // then encrypt the data
+    memcpy(buffer, ivEnc, 16);
+    bool ok = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_ENCRYPT, totalIn, ivEnc, plainText, &buffer[16]) == 0;
+    return ok ? (int)totalIn : 0;
+
+}
+
+int MbedTlsEncryptionHandler::decryptData(const uint8_t *encoded, int bytesIn, uint8_t *buffer, size_t buffLen) {
+    if(bytesIn < 32 || buffLen < bytesIn - 16) return 0;
+    memcpy(ivDec, encoded, 16);
+    mbedtls_aes_setkey_dec(&aes, key, 256);
+    bool ok = mbedtls_aes_crypt_cbc(&aes, MBEDTLS_AES_DECRYPT, bytesIn, ivDec, &encoded[16], buffer) == 0;
+    return ok ? bytesIn : 0;
+}
diff --git a/examples/mbed/stm32OledEncoder/generated/MbedTlsEncryptionHandler.h b/examples/mbed/stm32OledEncoder/generated/MbedTlsEncryptionHandler.h
@@ -0,0 +1,36 @@
+//
+// Created by dave on 10/06/2024.
+//
+
+#ifndef TCCLIBSDK_MBEDTLSENCRYPTIONHANDLER_H
+#define TCCLIBSDK_MBEDTLSENCRYPTIONHANDLER_H
+
+#include "remote/BaseBufferedRemoteTransport.h"
+#include <mbedtls/aes.h>
+#include <mbedtls/ctr_drbg.h>
+#include "mbedtls/entropy.h"
+
+#ifndef TCMENU_ENTROPY_CUSTOM_DATA
+#define TCMENU_ENTROPY_CUSTOM_DATA "TcMenu Custom Entropy Str"
+#endif //TCMENU_ENTROPY_CUSTOM_DATA
+
+namespace tcremote {
+
+    class MbedTlsEncryptionHandler : public EncryptionHandler {
+    private:
+        mbedtls_entropy_context entropy;
+        mbedtls_aes_context aes;
+        mbedtls_ctr_drbg_context ctr_drbg;
+        unsigned char key[32];
+        unsigned char ivEnc[16];
+        unsigned char ivDec[16];
+    public:
+        explicit MbedTlsEncryptionHandler(const uint8_t* keyIn);
+        void initialise();
+        int encryptData(uint8_t *plainText, int bytesIn, uint8_t *buffer, size_t buffLen) override;
+        int decryptData(const uint8_t *encoded, int bytesIn, uint8_t *buffer, size_t buffLen) override;
+    };
+
+}
+
+#endif //TCCLIBSDK_MBEDTLSENCRYPTIONHANDLER_H
diff --git a/examples/mbed/stm32OledEncoder/generated/stm32OledEncoder_menu.cpp b/examples/mbed/stm32OledEncoder/generated/stm32OledEncoder_menu.cpp
@@ -12,7 +12,15 @@
 #include "stm32OledEncoder_menu.h"
 #include "../ThemeMonoInverse.h"
 
+
+#include "MbedTlsEncryptionHandler.h"
+
 // Global variable declarations
+
+uint8_t keyData[] = { 0x13, 0x87, 0x6f, 0x1e, 0x3b, 0x66, 0xb6, 0xe2, 0xd5, 0xfc, 0x48, 0xf3, 0xea, 0xba, 0x5d, 0xc9, 0x57, 0x1a, 0x24, 0x3d, 0xbd, 0x3c, 0x8b, 0xf8, 0x61, 0x4f, 0x46, 0x9f, 0xb1, 0x6d, 0xa0, 0x51};
+
+MbedTlsEncryptionHandler encryptionHandler(keyData);
+
 const  ConnectorLocalInfo applicationInfo = { "Demo mbed", "f5325e26-a7f6-40ff-876e-47afa06df532" };
 TcMenuRemoteServer remoteServer(applicationInfo);
 HalStm32EepromAbstraction glBspRom;
@@ -21,7 +29,7 @@ Adafruit_SSD1306_Spi gfx(spi, PD_15, PF_12, PF_13, 64, 128, SSD_1306);
 AdafruitDrawable gfxDrawable(&gfx);
 GraphicsDeviceRenderer renderer(30, applicationInfo.name, &gfxDrawable);
 MbedEthernetInitialiser mbedEthInitialisation(3333);
-MBedEthernetTransport ethernetTransport;
+MBedEthernetTransport ethernetTransport(&encryptionHandler);
 TagValueRemoteServerConnection ethernetConnection(ethernetTransport, mbedEthInitialisation);
 
 // Global Menu Item declarations
@@ -99,6 +107,21 @@ void setupMenu() {
     renderer.setUseSliderForAnalog(false);
     installMonoInverseTitleTheme(renderer, MenuFontDef(nullptr, 1), MenuFontDef(nullptr, 1), true);
 
+    encryptionHandler.initialise();
+
+    char data[64] = {0};
+    uint8_t encrypted[64] = {0};
+
+    strcpy(data, "hello world this is text.");
+    serlogF2(SER_DEBUG, "Source: ", data);
+
+    auto dataLen = encryptionHandler.encryptData((uint8_t*)data, strlen(data), encrypted, sizeof encrypted);
+    serlogHexDump(SER_DEBUG, "encrypted: ", encrypted , 60);
+
+    encryptionHandler.decryptData(encrypted, dataLen, (uint8_t*)data, sizeof data);
+    serlogHexDump(SER_DEBUG, "plaintext: ", data, 60);
+    serlogF2(SER_DEBUG, "pt out: ", data);
+
     // We have an IoT monitor, register the server
     menuIoTMonitor.setRemoteServer(remoteServer);
 
diff --git a/src/remote/BaseBufferedRemoteTransport.cpp b/src/remote/BaseBufferedRemoteTransport.cpp
@@ -9,8 +9,8 @@ namespace tcremote {
 
     BaseBufferedRemoteTransport::BaseBufferedRemoteTransport(BufferingMode bufferMode, uint8_t readBufferSize,
                                                              uint8_t writeBufferSize, EncryptionHandler* encHandler)
-            : TagValueTransport(TVAL_BUFFERED), writeBufferSize(writeBufferSize),
-              readBufferSize(readBufferSize), writeBufferPos(0), readBufferPos(0), encryptionBufferPos(0), readBufferAvail(0),
+            : TagValueTransport(TVAL_BUFFERED), writeBufferSize(writeBufferSize), readBufferSize(readBufferSize),
+              encryptionBuffer(nullptr), writeBufferPos(0), readBufferPos(0), encryptionBufferPos(0), readBufferAvail(0),
               encryptionHandler(encHandler), mode(bufferMode),
               ticksSinceWrite(0) {
         if(mode != BUFFER_ONE_MESSAGE && encHandler != nullptr) {
@@ -19,7 +19,9 @@ namespace tcremote {
         }
         readBuffer = new uint8_t[readBufferSize];
         writeBuffer = new uint8_t[writeBufferSize];
-        encryptionBuffer = new uint8_t[readBufferSize];
+        if(encHandler != nullptr) {
+            encryptionBuffer = new uint8_t[readBufferSize];
+        }
     }
 
     BaseBufferedRemoteTransport::~BaseBufferedRemoteTransport() {
diff --git a/src/remote/BaseBufferedRemoteTransport.h b/src/remote/BaseBufferedRemoteTransport.h
@@ -27,14 +27,15 @@ namespace tcremote {
     class EncryptionHandler {
     public:
         /**
-         * Encrypt plain text data into encrypted format into the buffer
+         * Encrypt plain text data into encrypted format into the buffer. Do note that plainText must be a mutable
+         * buffer and must be a multiple of 16 bytes
          * @param plainText the plain bytes to encrypt
          * @param bytesIn the number of bytes to encrypt
          * @param buffer the output encrypted message
          * @param buffLen the buffer maximum length
          * @return the number of bytes encrypted or 0 if it fails.
          */
-        virtual int encryptData(const uint8_t *plainText, int bytesIn, const uint8_t *buffer, size_t buffLen) = 0;
+        virtual int encryptData(uint8_t *plainText, int bytesIn, uint8_t *buffer, size_t buffLen) = 0;
         /**
          * Decrypt data from the wire into plain text and store the output into the buffer
          * @param encoded the encoded data to decrypt
@@ -43,7 +44,7 @@ namespace tcremote {
          * @param buffLen the size of the buffer
          * @return the number of bytes returned, or 0 if it fails.
          */
-        virtual int decryptData(const uint8_t *encoded, int bytesIn, const uint8_t *buffer, size_t buffLen) = 0;
+        virtual int decryptData(const uint8_t *encoded, int bytesIn, uint8_t *buffer, size_t buffLen) = 0;
     };
 
 

Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ namespace tcremote {`
`31`	`31`	`InternetSocket* socket;`
`32`	`32`	`bool isOpen;`
`33`	`33`	`public:`
`34`		`- MBedEthernetTransport() : BaseBufferedRemoteTransport(BUFFER_MESSAGES_TILL_FULL, 96, 250) {`
	`34`	`+ MBedEthernetTransport(EncryptionHandler* encHandler) : BaseBufferedRemoteTransport(BUFFER_ONE_MESSAGE, 250, 250, encHandler) {`
`35`	`35`	`this->socket = nullptr;`
`36`	`36`	`isOpen = false;`
`37`	`37`	`}`