encrypt wifi credentials

ByteWelder · Jan 14, 2024 · 4ba71bf · 4ba71bf
1 parent 9104622
commit 4ba71bf
Show file tree

Hide file tree

Showing 3 changed files with 55 additions and 2 deletions.
diff --git a/components/tactility-core/src/secure.c b/components/tactility-core/src/secure.c
@@ -108,6 +108,20 @@ static void get_key(uint8_t key[32]) {
     xor_key(hardware_key, nvs_key, key, 32);
 }
 
+void tt_secure_get_iv_from_string(const char* input, uint8_t iv[16]) {
+    memset((void*)iv, 0, 16);
+    char c = *input++;
+    int index = 0;
+    printf("IV: ");
+    while (c) {
+        printf(" %0X:%02d", c, index);
+        iv[index] = c;
+        index++;
+        c = *input++;
+    }
+    printf("\n");
+}
+
 int tt_secure_encrypt(const uint8_t iv[16], uint8_t* in_data, uint8_t* out_data, size_t length) {
     tt_check(length % 16 == 0, "Length is not a multiple of 16 bytes (for AES 256");
     uint8_t key[32];

diff --git a/components/tactility-core/src/secure.h b/components/tactility-core/src/secure.h
@@ -24,6 +24,13 @@
 extern "C" {
 #endif
 
+/**
+ * @brief Fills the IV with zeros and then copies up to 16 characters of the string into the IV.
+ * @param input input text
+ * @param iv output IV
+ */
+void tt_secure_get_iv_from_string(const char* input, uint8_t iv[16]);
+
 /**
  * @brief Encrypt data.
  *

diff --git a/components/tactility/src/services/wifi/wifi_credentials.c b/components/tactility/src/services/wifi/wifi_credentials.c
@@ -5,6 +5,7 @@
 #include "hash.h"
 #include "check.h"
 #include "mutex.h"
+#include "secure.h"
 
 #define TAG "wifi_credentials"
 #define TT_NVS_NAMESPACE "tt_wifi_cred" // limited by NVS_KEY_NAME_MAX_SIZE
@@ -155,8 +156,24 @@ bool tt_wifi_credentials_get(const char* ssid, char password[TT_WIFI_CREDENTIALS
         return false;
     }
 
+    char password_encrypted[TT_WIFI_CREDENTIALS_PASSWORD_LIMIT];
     size_t length = TT_WIFI_CREDENTIALS_PASSWORD_LIMIT;
-    result = nvs_get_blob(handle, ssid, password, &length);
+    result = nvs_get_blob(handle, ssid, password_encrypted, &length);
+
+    uint8_t iv[16];
+    tt_secure_get_iv_from_string(ssid, iv);
+    int decrypt_result = tt_secure_decrypt(
+        iv,
+        (uint8_t*)password_encrypted,
+        (uint8_t*)password,
+        TT_WIFI_CREDENTIALS_PASSWORD_LIMIT
+    );
+
+    if (decrypt_result != 0) {
+        result = ESP_FAIL;
+        TT_LOG_E(TAG, "Failed to decrypt credentials for \"%s\": %d", ssid, decrypt_result);
+    }
+
     if (result != ESP_OK && result != ESP_ERR_NVS_NOT_FOUND) {
         TT_LOG_E(TAG, "Failed to get credentials for \"%s\": %s", ssid, esp_err_to_name(result));
     }
@@ -173,7 +190,22 @@ bool tt_wifi_credentials_set(const char* ssid, char password[TT_WIFI_CREDENTIALS
         return false;
     }
 
-    result = nvs_set_blob(handle, ssid, password, TT_WIFI_CREDENTIALS_PASSWORD_LIMIT);
+    char password_encrypted[TT_WIFI_CREDENTIALS_PASSWORD_LIMIT];
+    uint8_t iv[16];
+    tt_secure_get_iv_from_string(ssid, iv);
+    int encrypt_result = tt_secure_encrypt(
+        iv,
+        (uint8_t*)password,
+        (uint8_t*)password_encrypted,
+        TT_WIFI_CREDENTIALS_PASSWORD_LIMIT
+    );
+
+    if (encrypt_result != 0) {
+        result = ESP_FAIL;
+        TT_LOG_E(TAG, "Failed to encrypt credentials for \"%s\": %d", ssid, encrypt_result);
+    }
+
+    result = nvs_set_blob(handle, ssid, password_encrypted, TT_WIFI_CREDENTIALS_PASSWORD_LIMIT);
     if (result != ESP_OK) {
         TT_LOG_E(TAG, "Failed to get credentials for \"%s\": %s", ssid, esp_err_to_name(result));
     }