Merge branch 'espressif:master' into master

Author: bmorcelli

.flake8

@@ -5,6 +5,6 @@
 doctests = True
 # W503 and W504 are mutually exclusive. PEP 8 recommends line break before.
 ignore = W503,E203
-max-complexity = 20
+max-complexity = 30
 max-line-length = 120
 select = E,W,F,C,N

.github/pytools/Sign-File.ps1

@@ -19,7 +19,7 @@ function FindSignTool{
 if (Test-Path-Path $SignTool-PathType Leaf){
 return$SignTool
  }
-$sdkVers="10.0.22000.0","10.0.20348.0","10.0.19041.0","10.0.17763.0"
+$sdkVers="10.0.22000.0","10.0.20348.0","10.0.19041.0","10.0.17763.0","10.0.14393.0","10.0.15063.0","10.0.16299.0","10.0.17134.0","10.0.26100.0"
 Foreach ($verin$sdkVers)
 {
 $SignTool="${env:ProgramFiles(x86)}\Windows Kits\10\bin\${ver}\x64\signtool.exe"

.github/scripts/get_affected.py

@@ -626,11 +626,9 @@ def find_affected_sketches(changed_files: list[str]) -> None:
 q=queue.Queue()
 
 ifcomponent_mode:
-print(f"Affected IDF component examples:", file=sys.stderr)
 # Get all available component examples once for efficiency
 all_examples=list_idf_component_examples()
 else:
-print(f"Affected sketches:", file=sys.stderr)
 all_examples= []
 
 forfileinchanged_files:
@@ -648,11 +646,9 @@ def find_affected_sketches(changed_files: list[str]) -> None:
 # Check if this file belongs to an IDF component example
 forexampleinall_examples:
 iffile.startswith(example+"/") andexamplenotinaffected_sketches:
-print(example, file=sys.stderr)
 affected_sketches.append(example)
 else:
 iffile.endswith('.ino') andfilenotinaffected_sketches:
-print(file, file=sys.stderr)
 affected_sketches.append(file)
 
 # Continue with reverse dependency traversal
@@ -687,18 +683,24 @@ def find_affected_sketches(changed_files: list[str]) -> None:
 ifshould_traverse:
 q.put(dependency)
 ifdependency_exampleanddependency_examplenotinaffected_sketches:
-print(dependency_example, file=sys.stderr)
 affected_sketches.append(dependency_example)
 else:
 q.put(dependency)
 ifdependency.endswith('.ino') anddependencynotinaffected_sketches:
-print(dependency, file=sys.stderr)
 affected_sketches.append(dependency)
 
 ifcomponent_mode:
 print(f"Total affected IDF component examples: {len(affected_sketches)}", file=sys.stderr)
+ifaffected_sketches:
+print("Affected IDF component examples:", file=sys.stderr)
+forexampleinaffected_sketches:
+print(f" {example}", file=sys.stderr)
 else:
 print(f"Total affected sketches: {len(affected_sketches)}", file=sys.stderr)
+ifaffected_sketches:
+print("Affected sketches:", file=sys.stderr)
+forsketchinaffected_sketches:
+print(f" {sketch}", file=sys.stderr)
 
 defsave_dependencies_as_json(output_file: str="dependencies.json") ->None:
 """

.github/scripts/merge_packages.py

@@ -17,7 +17,8 @@
 
 
 defload_package(filename):
-pkg=json.load(open(filename))["packages"][0]
+withopen(filename) asf:
+pkg=json.load(f)["packages"][0]
 print("Loaded package{0} from{1}".format(pkg["name"], filename), file=sys.stderr)
 print("{0} platform(s),{1} tools".format(len(pkg["platforms"]), len(pkg["tools"])), file=sys.stderr)
 returnpkg

libraries/ArduinoOTA/examples/BasicOTA/BasicOTA.ino

@@ -19,6 +19,7 @@
 
 constchar *ssid = "..........";
 constchar *password = "..........";
+uint32_t last_ota_time = 0;
 
 voidsetup(){
  Serial.begin(115200);
@@ -40,9 +41,13 @@ void setup(){
 // No authentication by default
 // ArduinoOTA.setPassword("admin");
 
-// Password can be set with it's md5 value as well
-// MD5(admin) = 21232f297a57a5a743894a0e4a801fc3
-// ArduinoOTA.setPasswordHash("21232f297a57a5a743894a0e4a801fc3");
+// Password can be set with plain text (will be hashed internally)
+// The authentication uses PBKDF2-HMAC-SHA256 with 10,000 iterations
+// ArduinoOTA.setPassword("admin");
+
+// Or set password with pre-hashed value (SHA256 hash of "admin")
+// SHA256(admin) = 8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
+// ArduinoOTA.setPasswordHash("8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918");
 
  ArduinoOTA
  .onStart([](){
@@ -60,7 +65,10 @@ void setup(){
  Serial.println("\nEnd");
  })
  .onProgress([](unsignedint progress, unsignedint total){
- Serial.printf("Progress: %u%%\r", (progress / (total / 100)));
+if (millis() - last_ota_time > 500){
+ Serial.printf("Progress: %u%%\n", (progress / (total / 100)));
+ last_ota_time = millis();
+ }
  })
  .onError([](ota_error_t error){
  Serial.printf("Error[%u]: ", error);

libraries/ArduinoOTA/src/ArduinoOTA.cpp

@@ -19,7 +19,8 @@
 #include"ArduinoOTA.h"
 #include"NetworkClient.h"
 #include"ESPmDNS.h"
-#include"MD5Builder.h"
+#include"SHA2Builder.h"
+#include"PBKDF2_HMACBuilder.h"
 #include"Update.h"
 
 // #define OTA_DEBUG Serial
@@ -72,18 +73,20 @@ String ArduinoOTAClass::getHostname(){
 
 ArduinoOTAClass &ArduinoOTAClass::setPassword(constchar *password){
 if (_state == OTA_IDLE && password){
- MD5Builder passmd5;
- passmd5.begin();
- passmd5.add(password);
- passmd5.calculate();
+// Hash the password with SHA256 for storage (not plain text)
+ SHA256Builder pass_hash;
+ pass_hash.begin();
+ pass_hash.add(password);
+ pass_hash.calculate();
  _password.clear();
- _password = passmd5.toString();
+ _password = pass_hash.toString();
  }
 return *this;
 }
 
 ArduinoOTAClass &ArduinoOTAClass::setPasswordHash(constchar *password){
 if (_state == OTA_IDLE && password){
+// Store the pre-hashed password directly
  _password.clear();
  _password = password;
  }
@@ -188,17 +191,18 @@ void ArduinoOTAClass::_onRx(){
  _udp_ota.read();
  _md5 = readStringUntil('\n');
  _md5.trim();
-if (_md5.length() != 32){
+if (_md5.length() != 32){// MD5 produces 32 character hex string for firmware integrity
 log_e("bad md5 length");
 return;
  }
 
 if (_password.length()){
- MD5Builder nonce_md5;
- nonce_md5.begin();
- nonce_md5.add(String(micros()));
- nonce_md5.calculate();
- _nonce = nonce_md5.toString();
+// Generate a random challenge (nonce)
+ SHA256Builder nonce_sha256;
+ nonce_sha256.begin();
+ nonce_sha256.add(String(micros()) + String(random(1000000)));
+ nonce_sha256.calculate();
+ _nonce = nonce_sha256.toString();
 
  _udp_ota.beginPacket(_udp_ota.remoteIP(), _udp_ota.remotePort());
  _udp_ota.printf("AUTH %s", _nonce.c_str());
@@ -222,20 +226,37 @@ void ArduinoOTAClass::_onRx(){
  _udp_ota.read();
  String cnonce = readStringUntil('');
  String response = readStringUntil('\n');
-if (cnonce.length() != 32 || response.length() != 32){
+if (cnonce.length() != 64 || response.length() != 64){// SHA256 produces 64 character hex string
 log_e("auth param fail");
  _state = OTA_IDLE;
 return;
  }
 
- String challenge = _password + ":" + String(_nonce) + ":" + cnonce;
- MD5Builder _challengemd5;
- _challengemd5.begin();
- _challengemd5.add(challenge);
- _challengemd5.calculate();
- String result = _challengemd5.toString();
-
-if (result.equals(response)){
+// Verify the challenge/response using PBKDF2-HMAC-SHA256
+// The client should derive a key using PBKDF2-HMAC-SHA256 with:
+// - password: the OTA password (or its hash if using setPasswordHash)
+// - salt: nonce + cnonce
+// - iterations: 10000 (or configurable)
+// Then hash the challenge with the derived key
+
+ String salt = _nonce + ":" + cnonce;
+ SHA256Builder sha256;
+// Use the stored password hash for PBKDF2 derivation
+ PBKDF2_HMACBuilder pbkdf2(&sha256, _password, salt, 10000);
+
+ pbkdf2.begin();
+ pbkdf2.calculate();
+ String derived_key = pbkdf2.toString();
+
+// Create challenge: derived_key + nonce + cnonce
+ String challenge = derived_key + ":" + _nonce + ":" + cnonce;
+ SHA256Builder challenge_sha256;
+ challenge_sha256.begin();
+ challenge_sha256.add(challenge);
+ challenge_sha256.calculate();
+ String expected_response = challenge_sha256.toString();
+
+if (expected_response.equals(response)){
  _udp_ota.beginPacket(_udp_ota.remoteIP(), _udp_ota.remotePort());
  _udp_ota.print("OK");
  _udp_ota.endPacket();
@@ -266,7 +287,8 @@ void ArduinoOTAClass::_runUpdate(){
  _state = OTA_IDLE;
 return;
  }
- Update.setMD5(_md5.c_str());
+
+ Update.setMD5(_md5.c_str()); // Note: Update library still uses MD5 for firmware integrity, this is separate from authentication
 
 if (_start_callback){
 _start_callback();

libraries/ArduinoOTA/src/ArduinoOTA.h

@@ -54,7 +54,7 @@ class ArduinoOTAClass{
 //Sets the password that will be required for OTA. Default NULL
  ArduinoOTAClass &setPassword(constchar *password);
 
-//Sets the password as above but in the form MD5(password). Default NULL
+//Sets the password as above but in the form SHA256(password). Default NULL
  ArduinoOTAClass &setPasswordHash(constchar *password);
 
 //Sets the partition label to write to when updating SPIFFS. Default NULL

libraries/BLE/src/BLE2902.h

@@ -56,9 +56,6 @@ This class will be removed in a future version.")]] BLE2902 : public BLEDescript
 boolgetIndications();
 voidsetNotifications(bool flag);
 voidsetIndications(bool flag);
-
-private:
-friendclassBLECharacteristic;
  }; // BLE2902
 
 #endif/* CONFIG_BLUEDROID_ENABLED || CONFIG_NIMBLE_ENABLED */

libraries/BLE/src/BLE2904.h

@@ -95,8 +95,6 @@ class BLE2904 : public BLEDescriptor{
 voidsetUnit(uint16_t unit);
 
 private:
-friendclassBLECharacteristic;
-
 /***************************************************************************
  * Common private properties *
  ***************************************************************************/

libraries/BLE/src/BLEAddress.cpp

@@ -59,13 +59,8 @@ BLEAddress::BLEAddress(){
  * @param [in] otherAddress The other address to compare against.
  * @return True if the addresses are equal.
 */
-boolBLEAddress::equals(BLEAddress otherAddress){
-#if defined(CONFIG_NIMBLE_ENABLED)
-if (m_addrType != otherAddress.m_addrType){
-returnfalse;
- }
-#endif
-returnmemcmp(otherAddress.getNative(), m_address, ESP_BD_ADDR_LEN) == 0;
+boolBLEAddress::equals(const BLEAddress &otherAddress) const{
+return *this == otherAddress;
 }
 
 bool BLEAddress::operator==(const BLEAddress &otherAddress) const{
@@ -116,9 +111,9 @@ uint8_t *BLEAddress::getNative(){
  *
  * @return The string representation of the address.
 */
-String BLEAddress::toString(){
-auto size = 18;
-char*res = (char *)malloc(size);
+String BLEAddress::toString() const{
+constexprsize_t size = 18;
+char res[size];
 
 #if defined(CONFIG_BLUEDROID_ENABLED)
 snprintf(res, size, "%02x:%02x:%02x:%02x:%02x:%02x", m_address[0], m_address[1], m_address[2], m_address[3], m_address[4], m_address[5]);
@@ -129,7 +124,6 @@ String BLEAddress::toString(){
 #endif
 
  String ret(res);
-free(res);
 return ret;
 }
 
@@ -158,7 +152,7 @@ BLEAddress::BLEAddress(esp_bd_addr_t address){
  *
  * @param [in] stringAddress The hex representation of the address.
 */
-BLEAddress::BLEAddress(String stringAddress){
+BLEAddress::BLEAddress(constString &stringAddress){
 if (stringAddress.length() != 17){
 return;
  }
@@ -193,7 +187,7 @@ BLEAddress::BLEAddress(ble_addr_t address){
  m_addrType = address.type;
 }
 
-uint8_tBLEAddress::getType(){
+uint8_tBLEAddress::getType() const{
 return m_addrType;
 }
 
@@ -209,7 +203,7 @@ uint8_t BLEAddress::getType(){
  * @param [in] stringAddress The hex representation of the address.
  * @param [in] type The address type.
 */
-BLEAddress::BLEAddress(String stringAddress, uint8_t type){
+BLEAddress::BLEAddress(constString &stringAddress, uint8_t type){
 if (stringAddress.length() != 17){
 return;
  }