v1.2.1

cpp_ext/CMakeLists.txt

@@ -27,12 +27,42 @@ add_library(archery_netcore MODULE
 target_include_directories(archery_netcore PRIVATE
   "${PY_INCLUDE_DIR}"
   "${MAIXCDK_PATH}/components/3rd_party/pybind11/pybind11/include"
+  "${MAIXCDK_PATH}/components/3rd_party/openssl/include"
   "${CMAKE_CURRENT_SOURCE_DIR}/third_party"  # 添加 nlohmann/json 路径
 )
 
+# 尽量减少 .so 体积并增加逆向成本
+target_compile_options(archery_netcore PRIVATE
+  -Os
+  -ffunction-sections
+  -fdata-sections
+  -fvisibility=hidden
+  -fvisibility-inlines-hidden
+)
+target_link_options(archery_netcore PRIVATE
+  -Wl,--gc-sections
+  -Wl,-s
+)
+
 set_target_properties(archery_netcore PROPERTIES
   PREFIX ""
   SUFFIX "${PY_EXT_SUFFIX}"
 )
 
-target_link_libraries(archery_netcore PRIVATE "${PY_LIB}")
+# OpenSSL (for AES-256-GCM decrypt)
+# 使用 MaixCDK 提供的 OpenSSL 库（在 so/maixcam 目录下）
+set(OPENSSL_LIB_DIR "${MAIXCDK_PATH}/components/3rd_party/openssl/so/maixcam")
+if(EXISTS "${OPENSSL_LIB_DIR}/libcrypto.so")
+    target_link_directories(archery_netcore PRIVATE "${OPENSSL_LIB_DIR}")
+    target_link_libraries(archery_netcore PRIVATE "${PY_LIB}" crypto ssl)
+    message(STATUS "Using OpenSSL from MaixCDK: ${OPENSSL_LIB_DIR}")
+else()
+    # Fallback: 尝试 find_package 或系统库
+    find_package(OpenSSL QUIET)
+    if(OpenSSL_FOUND)
+        target_link_libraries(archery_netcore PRIVATE "${PY_LIB}" OpenSSL::Crypto OpenSSL::SSL)
+    else()
+        message(WARNING "OpenSSL not found in MaixCDK, trying system libraries (may fail)")
+        target_link_libraries(archery_netcore PRIVATE "${PY_LIB}" crypto ssl)
+    endif()
+endif()

cpp_ext/archery_netcore.cpp

@@ -5,6 +5,10 @@
 #include <cstdint>
 #include <vector>
 #include <string>
+#include <fstream>
+#include <array>
+#include <algorithm>
+#include <openssl/evp.h>
 #include "native_logger.hpp"
 
 namespace py = pybind11;
@@ -14,6 +18,29 @@ namespace {
     // 配置项
     const std::string _cfg_server_ip = "www.shelingxingqiu.com";
     const int _cfg_server_port = 50005;
+
+    // OTA AEAD format: MAGIC(7) | nonce(12) | ciphertext(N) | tag(16)
+    constexpr const char* kOtaMagic = "AROTAE1";
+    constexpr size_t kOtaMagicLen = 7;
+    constexpr size_t kGcmNonceLen = 12;
+    constexpr size_t kGcmTagLen = 16;
+
+    // 固定 32-byte AES-256-GCM key（提高被直接查看的成本；不是绝对安全）
+    // 注意：需要与打包端传入的 --aead-key-hex 保持一致。
+    static std::array<uint8_t, 32> ota_key_bytes() {
+        // 简单拆分混淆：key = a XOR b
+        static const std::array<uint8_t, 32> a = {
+            0x92,0x99,0x4d,0x06,0x6f,0xb6,0xa6,0x3d,0x85,0x08,0xbe,0x73,0x5e,0x73,0x4d,0x8a,
+            0x53,0x88,0xe6,0x99,0xfc,0x10,0x29,0xb9,0x16,0x9b,0xe7,0x0c,0x65,0x21,0x1c,0xce
+        };
+        static const std::array<uint8_t, 32> b = {
+            0xcf,0x60,0xa2,0xc2,0x32,0x7a,0x61,0xb0,0x4c,0x8e,0x8a,0x62,0x31,0xc7,0x82,0xff,
+            0xec,0xac,0xa1,0x04,0x2a,0x4d,0xaa,0xf2,0xb0,0x5b,0x39,0x2b,0xf4,0xb3,0xad,0xad
+        };
+        std::array<uint8_t, 32> k{};
+        for (size_t i = 0; i < k.size(); i++) k[i] = static_cast<uint8_t>(a[i] ^ b[i]);
+        return k;
+    }
 }
 
 // 定义获取配置的函数
@@ -109,6 +136,103 @@ py::dict json_to_py_dict(const json& j) {
     return d;
 }
 
+static bool read_file_all(const std::string& path, std::vector<uint8_t>& out) {
+    std::ifstream ifs(path, std::ios::binary);
+    if (!ifs) return false;
+    ifs.seekg(0, std::ios::end);
+    std::streampos size = ifs.tellg();
+    if (size <= 0) return false;
+    ifs.seekg(0, std::ios::beg);
+    out.resize(static_cast<size_t>(size));
+    if (!ifs.read(reinterpret_cast<char*>(out.data()), size)) return false;
+    return true;
+}
+
+static bool write_file_all(const std::string& path, const uint8_t* data, size_t len) {
+    std::ofstream ofs(path, std::ios::binary | std::ios::trunc);
+    if (!ofs) return false;
+    ofs.write(reinterpret_cast<const char*>(data), static_cast<std::streamsize>(len));
+    return static_cast<bool>(ofs);
+}
+
+static bool decrypt_ota_file_impl(const std::string& input_path, const std::string& output_zip_path) {
+    std::vector<uint8_t> in;
+    if (!read_file_all(input_path, in)) {
+        netcore::log_error(std::string("decrypt_ota_file: read failed: ") + input_path);
+        return false;
+    }
+
+    const size_t min_len = kOtaMagicLen + kGcmNonceLen + kGcmTagLen + 1;
+    if (in.size() < min_len) {
+        netcore::log_error("decrypt_ota_file: too short");
+        return false;
+    }
+    if (!std::equal(in.begin(), in.begin() + kOtaMagicLen, reinterpret_cast<const uint8_t*>(kOtaMagic))) {
+        netcore::log_error("decrypt_ota_file: bad magic");
+        return false;
+    }
+
+    const uint8_t* nonce = in.data() + kOtaMagicLen;
+    const uint8_t* ct_and_tag = in.data() + kOtaMagicLen + kGcmNonceLen;
+    const size_t ct_and_tag_len = in.size() - (kOtaMagicLen + kGcmNonceLen);
+    if (ct_and_tag_len <= kGcmTagLen) {
+        netcore::log_error("decrypt_ota_file: no ciphertext");
+        return false;
+    }
+    const size_t ciphertext_len = ct_and_tag_len - kGcmTagLen;
+    const uint8_t* ciphertext = ct_and_tag;
+    const uint8_t* tag = ct_and_tag + ciphertext_len;
+
+    std::vector<uint8_t> plain(ciphertext_len);
+    int out_len1 = 0;
+    int out_len2 = 0;
+
+    EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
+    if (!ctx) {
+        netcore::log_error("decrypt_ota_file: EVP_CIPHER_CTX_new failed");
+        return false;
+    }
+
+    bool ok = false;
+    auto key = ota_key_bytes();
+
+    do {
+        if (1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), nullptr, nullptr, nullptr)) {
+            netcore::log_error("decrypt_ota_file: DecryptInit failed");
+            break;
+        }
+        if (1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, static_cast<int>(kGcmNonceLen), nullptr)) {
+            netcore::log_error("decrypt_ota_file: set ivlen failed");
+            break;
+        }
+        if (1 != EVP_DecryptInit_ex(ctx, nullptr, nullptr, key.data(), nonce)) {
+            netcore::log_error("decrypt_ota_file: set key/iv failed");
+            break;
+        }
+        if (1 != EVP_DecryptUpdate(ctx, plain.data(), &out_len1, ciphertext, static_cast<int>(ciphertext_len))) {
+            netcore::log_error("decrypt_ota_file: update failed");
+            break;
+        }
+        if (1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, static_cast<int>(kGcmTagLen), const_cast<uint8_t*>(tag))) {
+            netcore::log_error("decrypt_ota_file: set tag failed");
+            break;
+        }
+        if (1 != EVP_DecryptFinal_ex(ctx, plain.data() + out_len1, &out_len2)) {
+            netcore::log_error("decrypt_ota_file: final failed (auth tag mismatch?)");
+            break;
+        }
+        const size_t plain_len = static_cast<size_t>(out_len1 + out_len2);
+        if (!write_file_all(output_zip_path, plain.data(), plain_len)) {
+            netcore::log_error(std::string("decrypt_ota_file: write failed: ") + output_zip_path);
+            break;
+        }
+        ok = true;
+    } while (false);
+
+    EVP_CIPHER_CTX_free(ctx);
+    return ok;
+}
+
 // 打包 TCP 数据包
 py::bytes make_packet(int msg_type, py::dict body_dict) {
     netcore::log_debug(std::string("make_packet msg_type=") + std::to_string(msg_type));
@@ -233,6 +357,17 @@ PYBIND11_MODULE(archery_netcore, m) {
 
     m.def("get_config", &get_config, "Get system configuration");
 
+    m.def(
+        "decrypt_ota_file",
+        [](const std::string& input_path, const std::string& output_zip_path) {
+            netcore::log_info(std::string("decrypt_ota_file in=") + input_path + " out=" + output_zip_path);
+            return decrypt_ota_file_impl(input_path, output_zip_path);
+        },
+        py::arg("input_path"),
+        py::arg("output_zip_path"),
+        "Decrypt OTA encrypted file (MAGIC|nonce|ciphertext|tag) to plaintext zip."
+    );
+
     // Minimal demo: return actions for inner_cmd=41 (manual trigger + ack)
     m.def("actions_for_inner_cmd", [](int inner_cmd) {
         py::list actions;