First draft on SHA256 calculation, needs a bit of cleanup

Author: aentinger

src/ArduinoIoTCloudTCP.cpp

@@ -27,8 +27,13 @@
 #ifdef BOARD_HAS_ECCX08
   #include "tls/BearSSLTrustAnchors.h"
   #include "tls/utility/CryptoUtil.h"
+  #include "tls/utility/SHA256.h"
 #endif
 
+#undef max
+#undef min
+#include <algorithm>
+
 #include "utility/ota/OTAStorage_SNU.h"
 #include "utility/ota/OTAStorage_SFU.h"
 #include "utility/ota/OTAStorage_SSU.h"
@@ -119,6 +124,85 @@ int ArduinoIoTCloudTCP::begin(String brokerAddress, uint16_t brokerPort)
   _brokerAddress = brokerAddress;
   _brokerPort = brokerPort;
 
+#ifdef OTA_ENABLED
+  /* Calculate the SHA256 checksum over the firmware stored in the flash of the
+   * MCU. Note: As we don't know the length per-se we read chunks of the flash
+   * until we detect one containing only 0xFF (= flash erased). This only works
+   * for firmware updated via OTA and second stage bootloaders (SxU family)
+   * because only those erase the complete flash before performing an update.
+   * Since the SHA256 firmware image is only required for the cloud servers to
+   * perform a version check after the OTA update this is a acceptable trade off.
+   */
+  SHA256 sha256;
+  sha256.begin();
+
+  uint32_t const APP_START_ADDR = 0x2000; /* Start after the bootloader. */
+  #undef FLASH_SIZE
+  uint32_t const FLASH_READ_SIZE = 0x40000 - APP_START_ADDR;
+  uint32_t const FLASH_READ_CHUNK_SIZE = 64;
+
+  uint32_t flash_addr = APP_START_ADDR;
+  for(; flash_addr < FLASH_READ_SIZE; flash_addr += FLASH_READ_CHUNK_SIZE)
+  {
+    /* Read from the MCU's flash. */
+    uint8_t buf[FLASH_READ_CHUNK_SIZE];
+    memcpy(buf, reinterpret_cast<const void *>(flash_addr), FLASH_READ_CHUNK_SIZE);
+
+    /* Check if the next segment is erased, that is if all bytes within
+     * a read segment are 0xFF -> then we've reached the end of the
+     * firmware.
+     */
+    uint8_t buf_2[FLASH_READ_CHUNK_SIZE];
+    memcpy(buf_2, reinterpret_cast<const void *>(flash_addr + FLASH_READ_CHUNK_SIZE), FLASH_READ_CHUNK_SIZE);
+    size_t valid_bytes_in_buf = 0;
+    DBG_VERBOSE("[%X]", flash_addr);
+      char msg[4];
+      for(size_t i=0; i<FLASH_READ_CHUNK_SIZE; i++)
+      {
+        snprintf(msg, 4, "%02X", buf[i]);
+        Serial.print(msg);
+      }
+      Serial.println();
+
+
+    if (std::all_of(buf_2, buf_2+FLASH_READ_CHUNK_SIZE, [](uint8_t const elem) { return (elem == 0xFF); }))
+    {
+      /* Eliminate trailing 0xFF. */
+      for(valid_bytes_in_buf = FLASH_READ_CHUNK_SIZE; valid_bytes_in_buf > 0; valid_bytes_in_buf--) {
+        if (buf[valid_bytes_in_buf-1] != 0xFF)
+          break;
+      }
+      /* Update with the remaining bytes. */
+      DBG_VERBOSE("End of firmware, %d valid bytes in last read segment", valid_bytes_in_buf);
+      sha256.update(buf, valid_bytes_in_buf);
+      break;
+    }
+    else
+    {
+      /* Otherwise update the SHA256 hash. */
+      sha256.update(buf, FLASH_READ_CHUNK_SIZE);
+    }
+  }
+  Serial.println();
+  /* Retrieve the final hash string. */
+  uint8_t sha256_hash[SHA256::HASH_SIZE] = {0};
+  sha256.finalize(sha256_hash);
+  String sha256_str;
+  std::for_each(sha256_hash,
+                sha256_hash + SHA256::HASH_SIZE,
+                [&sha256_str](uint8_t const elem)
+                {
+                  char buf[4];
+                  snprintf(buf, 4, "%02X", elem);
+                  sha256_str += buf;
+                });
+  /* Update the property. */
+  _ota_img_sha256 = sha256_str;
+  /* Do some debug printout. */
+  DBG_VERBOSE("SHA256: %d bytes read", flash_addr);
+  DBG_VERBOSE("SHA256: HASH(%d) = %s", strlen(_ota_img_sha256.c_str()), _ota_img_sha256.c_str());
+#endif /* OTA_ENABLED */
+
   #ifdef BOARD_HAS_ECCX08
   if (!ECCX08.begin())                                                                                                                                                         { DBG_ERROR("Cryptography processor failure. Make sure you have a compatible board."); return 0; }
   if (!CryptoUtil::readDeviceId(ECCX08, getDeviceId(), ECCX08Slot::DeviceId))                                                                                                  { DBG_ERROR("Cryptography processor read failure."); return 0; }
@@ -187,6 +271,8 @@ void ArduinoIoTCloudTCP::update()
     _mqtt_data_request_retransmit = false;
   }
 
+  //DBG_VERBOSE("SHA256: HASH(%d) = %s", strlen(_ota_img_sha256.c_str()), _ota_img_sha256.c_str());
+
   // MTTQClient connected!, poll() used to retrieve data from MQTT broker
   _mqttClient.poll();
 

src/tls/utility/SHA256.cpp

@@ -21,6 +21,12 @@
 
 #include "SHA256.h"
 
+/******************************************************************************
+ * STATIC MEMBER DECLARATION
+ ******************************************************************************/
+
+constexpr size_t SHA256::HASH_SIZE;
+
 /******************************************************************************
  * PUBLIC MEMBER FUNCTIONS
  ******************************************************************************/
@@ -35,7 +41,7 @@ void SHA256::update(uint8_t const * data, size_t const len)
   br_sha256_update(&_ctx, data, len);
 }
 
-void SHA256::finalize(char * hash)
+void SHA256::finalize(uint8_t * hash)
 {
   br_sha256_out(&_ctx, hash);
 }

src/tls/utility/SHA256.h

@@ -33,9 +33,11 @@ class SHA256
 
 public:
 
+  static constexpr size_t HASH_SIZE = 32;
+
   void begin   ();
   void update  (uint8_t const * data, size_t const len);
-  void finalize(char * hash);
+  void finalize(uint8_t * hash);
 
 private: