From a0c54504cdc54521309364609883c002f88ae137 Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Fri, 16 Aug 2024 00:27:23 +0100
Subject: [PATCH] Add HMAC-MD5 support for authenticating OTA updates (#7200)

Co-authored-by: Jesse Hills <3060199+jesserockz@users.noreply.github.com>
---
 CODEOWNERS                               |  1 +
 esphome/components/hmac_md5/__init__.py  |  2 +
 esphome/components/hmac_md5/hmac_md5.cpp | 56 ++++++++++++++++++++++++
 esphome/components/hmac_md5/hmac_md5.h   | 48 ++++++++++++++++++++
 4 files changed, 107 insertions(+)
 create mode 100644 esphome/components/hmac_md5/__init__.py
 create mode 100644 esphome/components/hmac_md5/hmac_md5.cpp
 create mode 100644 esphome/components/hmac_md5/hmac_md5.h

diff --git a/CODEOWNERS b/CODEOWNERS
index 1236c8d842..9159f5f843 100644
--- a/CODEOWNERS
+++ b/CODEOWNERS
@@ -169,6 +169,7 @@ esphome/components/he60r/* @clydebarrow
 esphome/components/heatpumpir/* @rob-deutsch
 esphome/components/hitachi_ac424/* @sourabhjaiswal
 esphome/components/hm3301/* @freekode
+esphome/components/hmac_md5/* @dwmw2
 esphome/components/homeassistant/* @OttoWinter @esphome/core
 esphome/components/homeassistant/number/* @landonr
 esphome/components/homeassistant/switch/* @Links2004
diff --git a/esphome/components/hmac_md5/__init__.py b/esphome/components/hmac_md5/__init__.py
new file mode 100644
index 0000000000..fe245c0cfd
--- /dev/null
+++ b/esphome/components/hmac_md5/__init__.py
@@ -0,0 +1,2 @@
+AUTO_LOAD = ["md5"]
+CODEOWNERS = ["@dwmw2"]
diff --git a/esphome/components/hmac_md5/hmac_md5.cpp b/esphome/components/hmac_md5/hmac_md5.cpp
new file mode 100644
index 0000000000..90bf91882f
--- /dev/null
+++ b/esphome/components/hmac_md5/hmac_md5.cpp
@@ -0,0 +1,56 @@
+#include <cstdio>
+#include <cstring>
+#include "hmac_md5.h"
+#include "esphome/core/helpers.h"
+
+namespace esphome {
+namespace hmac_md5 {
+void HmacMD5::init(const uint8_t *key, size_t len) {
+  uint8_t ipad[64], opad[64];
+
+  memset(ipad, 0, sizeof(ipad));
+  if (len > 64) {
+    md5::MD5Digest keymd5;
+    keymd5.init();
+    keymd5.add(key, len);
+    keymd5.calculate();
+    keymd5.get_bytes(ipad);
+  } else {
+    memcpy(ipad, key, len);
+  }
+  memcpy(opad, ipad, sizeof(opad));
+
+  for (int i = 0; i < 64; i++) {
+    ipad[i] ^= 0x36;
+    opad[i] ^= 0x5c;
+  }
+
+  this->ihash_.init();
+  this->ihash_.add(ipad, sizeof(ipad));
+
+  this->ohash_.init();
+  this->ohash_.add(opad, sizeof(opad));
+}
+
+void HmacMD5::add(const uint8_t *data, size_t len) { this->ihash_.add(data, len); }
+
+void HmacMD5::calculate() {
+  uint8_t ibytes[16];
+
+  this->ihash_.calculate();
+  this->ihash_.get_bytes(ibytes);
+
+  this->ohash_.add(ibytes, sizeof(ibytes));
+  this->ohash_.calculate();
+}
+
+void HmacMD5::get_bytes(uint8_t *output) { this->ohash_.get_bytes(output); }
+
+void HmacMD5::get_hex(char *output) { this->ohash_.get_hex(output); }
+
+bool HmacMD5::equals_bytes(const uint8_t *expected) { return this->ohash_.equals_bytes(expected); }
+
+bool HmacMD5::equals_hex(const char *expected) { return this->ohash_.equals_hex(expected); }
+
+}  // namespace hmac_md5
+}  // namespace esphome
diff --git a/esphome/components/hmac_md5/hmac_md5.h b/esphome/components/hmac_md5/hmac_md5.h
new file mode 100644
index 0000000000..e6a97ad2e3
--- /dev/null
+++ b/esphome/components/hmac_md5/hmac_md5.h
@@ -0,0 +1,48 @@
+#pragma once
+
+#include "esphome/core/defines.h"
+#include "esphome/components/md5/md5.h"
+
+#include <string>
+
+namespace esphome {
+namespace hmac_md5 {
+
+class HmacMD5 {
+ public:
+  HmacMD5() = default;
+  ~HmacMD5() = default;
+
+  /// Initialize a new MD5 digest computation.
+  void init(const uint8_t *key, size_t len);
+  void init(const char *key, size_t len) { this->init((const uint8_t *) key, len); }
+  void init(const std::string &key) { this->init(key.c_str(), key.length()); }
+
+  /// Add bytes of data for the digest.
+  void add(const uint8_t *data, size_t len);
+  void add(const char *data, size_t len) { this->add((const uint8_t *) data, len); }
+
+  /// Compute the digest, based on the provided data.
+  void calculate();
+
+  /// Retrieve the HMAC-MD5 digest as bytes.
+  /// The output must be able to hold 16 bytes or more.
+  void get_bytes(uint8_t *output);
+
+  /// Retrieve the HMAC-MD5 digest as hex characters.
+  /// The output must be able to hold 32 bytes or more.
+  void get_hex(char *output);
+
+  /// Compare the digest against a provided byte-encoded digest (16 bytes).
+  bool equals_bytes(const uint8_t *expected);
+
+  /// Compare the digest against a provided hex-encoded digest (32 bytes).
+  bool equals_hex(const char *expected);
+
+ protected:
+  md5::MD5Digest ihash_;
+  md5::MD5Digest ohash_;
+};
+
+}  // namespace hmac_md5
+}  // namespace esphome