Add errors for setPasswordHash

Author: lucasssvaz

cores/esp32/HEXBuilder.cpp

@@ -18,6 +18,7 @@
 */
 
 #include "HEXBuilder.h"
+#include "WCharacter.h"
 
 static uint8_t hex_char_to_byte(uint8_t c) {
   return (c >= 'a' && c <= 'f')   ? (c - ((uint8_t)'a' - 0xa))
@@ -26,6 +27,19 @@ static uint8_t hex_char_to_byte(uint8_t c) {
                                   : 0x10;  // unknown char is 16
 }
 
+bool HEXBuilder::isHexString(const char *str, size_t len) {
+  for (size_t i = 0; i < len; i++) {
+    if (!isHexadecimalDigit(str[i])) {
+      return false;
+    }
+  }
+  return true;
+}
+
+bool HEXBuilder::isHexString(String str) {
+  return isHexString(str.c_str(), str.length());
+}
+
 size_t HEXBuilder::hex2bytes(unsigned char *out, size_t maxlen, String &in) {
   return hex2bytes(out, maxlen, in.c_str());
 }

cores/esp32/HEXBuilder.h

@@ -32,5 +32,8 @@ class HEXBuilder {
 
   static String bytes2hex(const unsigned char *in, size_t len);
   static size_t bytes2hex(char *out, size_t maxlen, const unsigned char *in, size_t len);
+
+  static bool isHexString(const char *str, size_t len);
+  static bool isHexString(String str);
 };
 #endif

libraries/ArduinoOTA/src/ArduinoOTA.cpp

@@ -19,6 +19,7 @@
 #include "ArduinoOTA.h"
 #include "NetworkClient.h"
 #include "ESPmDNS.h"
+#include "HEXBuilder.h"
 #include "SHA2Builder.h"
 #include "PBKDF2_HMACBuilder.h"
 #include "Update.h"
@@ -86,30 +87,29 @@ ArduinoOTAClass &ArduinoOTAClass::setPassword(const char *password) {
 
 ArduinoOTAClass &ArduinoOTAClass::setPasswordHash(const char *password) {
   if (_state == OTA_IDLE && password) {
-    // Store the pre-hashed password directly
-    _password.clear();
-    _password = password;
-
     size_t len = strlen(password);
+    bool is_hex = HEXBuilder::isHexString(password, len);
 
-    if (len == 32) {
-      // Check if it's a valid hex string (all chars are 0-9, a-f, A-F)
-      bool is_hex = true;
-      for (size_t i = 0; i < len; i++) {
-        char c = password[i];
-        if (!((c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F'))) {
-          is_hex = false;
-          break;
-        }
-      }
+    if (!is_hex) {
+      log_e("Invalid password hash. Expected hex string (0-9, a-f, A-F).");
+      return *this;
+    }
 
+    if (len == 32) {
       // Warn if MD5 hash is detected (32 hex characters)
-      if (is_hex) {
-        log_w("MD5 password hash detected. MD5 is deprecated and insecure.");
-        log_w("Please use setPassword() with plain text or setPasswordHash() with SHA256 hash (64 chars).");
-        log_w("To generate SHA256: echo -n 'yourpassword' | sha256sum");
-      }
+      log_w("MD5 password hash detected. MD5 is deprecated and insecure.");
+      log_w("Please use setPassword() with plain text or setPasswordHash() with SHA256 hash (64 chars).");
+      log_w("To generate SHA256: echo -n 'yourpassword' | sha256sum");
+    } else if (len == 64) {
+      log_i("Using SHA256 password hash.");
+    } else {
+      log_e("Invalid password hash length. Expected 32 (deprecated MD5) or 64 (SHA256) characters.");
+      return *this;
     }
+
+    // Store the pre-hashed password directly
+    _password.clear();
+    _password = password;
   }
   return *this;
 }