123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374 |
- /*
- * The MySensors Arduino library handles the wireless radio link and protocol
- * between your home built sensors/actuators and HA controller of choice.
- * The sensors forms a self healing radio network with optional repeaters. Each
- * repeater and gateway builds a routing tables in EEPROM which keeps track of the
- * network topology allowing messages to be routed to nodes.
- *
- * Created by Henrik Ekblad <henrik.ekblad@mysensors.org>
- * Copyright (C) 2013-2018 Sensnology AB
- * Full contributor list: https://github.com/mysensors/MySensors/graphs/contributors
- *
- * Documentation: http://www.mysensors.org
- * Support Forum: http://forum.mysensors.org
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * version 2 as published by the Free Software Foundation.
- *
- *******************************
- *
- * DESCRIPTION
- * Signing support created by Patrick "Anticimex" Fallberg <patrick@fallberg.net>
- * ATSHA204 signing backend. The Atmel ATSHA204 offers true random number generation and
- * HMAC-SHA256 authentication with a readout-protected key.
- *
- */
-
- #include "MySigning.h"
-
- #ifdef MY_SIGNING_ATSHA204
- #define SIGNING_IDENTIFIER (1) //HMAC-SHA256
-
- #if defined(MY_DEBUG_VERBOSE_SIGNING)
- #define SIGN_DEBUG(x,...) DEBUG_OUTPUT(x, ##__VA_ARGS__)
- static char printStr[65];
- static char i2h(uint8_t i)
- {
- uint8_t k = i & 0x0F;
- if (k <= 9) {
- return '0' + k;
- } else {
- return 'A' + k - 10;
- }
- }
-
- static void buf2str(const uint8_t* buf, size_t sz)
- {
- uint8_t i;
- if (sz > 32) {
- sz = 32; //clamp to 32 bytes
- }
- for (i = 0; i < sz; i++) {
- printStr[i * 2] = i2h(buf[i] >> 4);
- printStr[(i * 2) + 1] = i2h(buf[i]);
- }
- printStr[sz * 2] = '\0';
- }
- #else
- #define SIGN_DEBUG(x,...)
- #endif
-
- static unsigned long _signing_timestamp;
- static bool _signing_verification_ongoing = false;
- static uint8_t _signing_verifying_nonce[32+9+1];
- static uint8_t _signing_signing_nonce[32+9+1];
- static uint8_t _signing_temp_message[SHA_MSG_SIZE];
- static uint8_t _signing_rx_buffer[SHA204_RSP_SIZE_MAX];
- static uint8_t _signing_tx_buffer[SHA204_CMD_SIZE_MAX];
- static uint8_t* const _signing_hmac = &_signing_rx_buffer[SHA204_BUFFER_POS_DATA];
- static uint8_t _signing_node_serial_info[9];
- #ifdef MY_SIGNING_NODE_WHITELISTING
- static const whitelist_entry_t _signing_whitelist[] = MY_SIGNING_NODE_WHITELISTING;
- #endif
-
- static bool init_ok = false;
-
- static void signerCalculateSignature(MyMessage &msg, bool signing);
- static uint8_t* signerAtsha204AHmac(const uint8_t* nonce, const uint8_t* data);
- static uint8_t* signerSha256(const uint8_t* data, size_t sz);
-
- bool signerAtsha204Init(void)
- {
- init_ok = true;
- atsha204_init(MY_SIGNING_ATSHA204_PIN);
-
- (void)atsha204_wakeup(_signing_temp_message);
- // Read the configuration lock flag to determine if device is personalized or not
- if (atsha204_read(_signing_tx_buffer, _signing_rx_buffer,
- SHA204_ZONE_CONFIG, 0x15<<2) != SHA204_SUCCESS) {
- SIGN_DEBUG(PSTR("!SGN:BND:INIT FAIL\n")); //Could not read ATSHA204A lock config
- init_ok = false;
- } else if (_signing_rx_buffer[SHA204_BUFFER_POS_DATA+3] != 0x00) {
- SIGN_DEBUG(PSTR("!SGN:BND:PER\n")); //ATSHA204A not personalized
- init_ok = false;
- }
- if (init_ok) {
- // Get and cache the serial of the ATSHA204A
- if (atsha204_getSerialNumber(_signing_node_serial_info) != SHA204_SUCCESS) {
- SIGN_DEBUG(PSTR("!SGN:BND:SER\n")); //Could not get ATSHA204A serial
- init_ok = false;
- }
- }
- return init_ok;
- }
-
- bool signerAtsha204CheckTimer(void)
- {
- if (!init_ok) {
- return false;
- }
- if (_signing_verification_ongoing) {
- unsigned long time_now = hwMillis();
- // If timestamp is taken so late a rollover can take place during the timeout,
- // offset both timestamp and current time to make sure no rollover takes place during the
- // timeout
- if (_signing_timestamp + MY_VERIFICATION_TIMEOUT_MS < _signing_timestamp) {
- _signing_timestamp += MY_VERIFICATION_TIMEOUT_MS;
- time_now += MY_VERIFICATION_TIMEOUT_MS;
- }
- if (time_now > _signing_timestamp + MY_VERIFICATION_TIMEOUT_MS) {
- SIGN_DEBUG(PSTR("!SGN:BND:TMR\n")); //Verification timeout
- // Purge nonce
- memset(_signing_signing_nonce, 0xAA, 32);
- memset(_signing_verifying_nonce, 0xAA, 32);
- _signing_verification_ongoing = false;
- return false;
- }
- }
- return true;
- }
-
- bool signerAtsha204GetNonce(MyMessage &msg)
- {
- if (!init_ok) {
- return false;
- }
-
- // We used a basic whitening technique that XORs each byte in a 32byte random value with current
- // hwMillis() counter. This 32-byte random value is then hashed (SHA256) to produce the resulting
- // nonce
- (void)atsha204_wakeup(_signing_temp_message);
- if (atsha204_execute(SHA204_RANDOM, RANDOM_SEED_UPDATE, 0, 0, NULL,
- RANDOM_COUNT, _signing_tx_buffer, RANDOM_RSP_SIZE, _signing_rx_buffer) !=
- SHA204_SUCCESS) {
- return false;
- }
- for (int i = 0; i < 32; i++) {
- _signing_verifying_nonce[i] = _signing_rx_buffer[SHA204_BUFFER_POS_DATA+i] ^ (hwMillis()&0xFF);
- }
- memcpy(_signing_verifying_nonce, signerSha256(_signing_verifying_nonce, 32),
- min(MAX_PAYLOAD, 32));
-
- // We just idle the chip now since we expect to use it soon when the signed message arrives
- atsha204_idle();
-
- if (MAX_PAYLOAD < 32) {
- // We set the part of the 32-byte nonce that does not fit into a message to 0xAA
- memset(&_signing_verifying_nonce[MAX_PAYLOAD], 0xAA, 32-MAX_PAYLOAD);
- }
-
- // Transfer the first part of the nonce to the message
- msg.set(_signing_verifying_nonce, min(MAX_PAYLOAD, 32));
- _signing_verification_ongoing = true;
- _signing_timestamp = hwMillis(); // Set timestamp to determine when to purge nonce
- return true;
- }
-
- void signerAtsha204PutNonce(MyMessage &msg)
- {
- if (!init_ok) {
- return;
- }
-
- memcpy(_signing_signing_nonce, (uint8_t*)msg.getCustom(), min(MAX_PAYLOAD, 32));
- if (MAX_PAYLOAD < 32) {
- // We set the part of the 32-byte nonce that does not fit into a message to 0xAA
- memset(&_signing_signing_nonce[MAX_PAYLOAD], 0xAA, 32-MAX_PAYLOAD);
- }
- }
-
- bool signerAtsha204SignMsg(MyMessage &msg)
- {
- // If we cannot fit any signature in the message, refuse to sign it
- if (mGetLength(msg) > MAX_PAYLOAD-2) {
- SIGN_DEBUG(PSTR("!SGN:BND:SIG,SIZE,%" PRIu8 ">%" PRIu8 "\n"), mGetLength(msg),
- MAX_PAYLOAD-2); //Message too large
- return false;
- }
-
- // Calculate signature of message
- mSetSigned(msg, 1); // make sure signing flag is set before signature is calculated
- signerCalculateSignature(msg, true);
-
- if (DO_WHITELIST(msg.destination)) {
- // Salt the signature with the senders nodeId and the unique serial of the ATSHA device
- // We can reuse the nonce buffer now since it is no longer needed
- memcpy(_signing_signing_nonce, _signing_hmac, 32);
- _signing_signing_nonce[32] = msg.sender;
- memcpy(&_signing_signing_nonce[33], _signing_node_serial_info, 9);
- // We can 'void' sha256 because the hash is already put in the correct place
- (void)signerSha256(_signing_signing_nonce, 32+1+9);
- SIGN_DEBUG(PSTR("SGN:BND:SIG WHI,ID=%" PRIu8 "\n"), msg.sender);
- #ifdef MY_DEBUG_VERBOSE_SIGNING
- buf2str(_signing_node_serial_info, 9);
- SIGN_DEBUG(PSTR("SGN:BND:SIG WHI,SERIAL=%s\n"), printStr);
- #endif
- }
-
- // Put device back to sleep
- atsha204_sleep();
-
- // Overwrite the first byte in the signature with the signing identifier
- _signing_hmac[0] = SIGNING_IDENTIFIER;
-
- // Transfer as much signature data as the remaining space in the message permits
- memcpy(&msg.data[mGetLength(msg)], _signing_hmac, min(MAX_PAYLOAD-mGetLength(msg), 32));
-
- return true;
- }
-
- bool signerAtsha204VerifyMsg(MyMessage &msg)
- {
- if (!_signing_verification_ongoing) {
- SIGN_DEBUG(PSTR("!SGN:BND:VER ONGOING\n"));
- return false;
- } else {
- // Make sure we have not expired
- if (!signerCheckTimer()) {
- return false;
- }
-
- _signing_verification_ongoing = false;
-
- if (msg.data[mGetLength(msg)] != SIGNING_IDENTIFIER) {
- SIGN_DEBUG(PSTR("!SGN:BND:VER,IDENT=%" PRIu8 "\n"), msg.data[mGetLength(msg)]);
- return false;
- }
-
- signerCalculateSignature(msg, false); // Get signature of message
-
- #ifdef MY_SIGNING_NODE_WHITELISTING
- // Look up the senders nodeId in our whitelist and salt the signature with that data
- size_t j;
- for (j=0; j < NUM_OF(_signing_whitelist); j++) {
- if (_signing_whitelist[j].nodeId == msg.sender) {
- // We can reuse the nonce buffer now since it is no longer needed
- memcpy(_signing_verifying_nonce, _signing_hmac, 32);
- _signing_verifying_nonce[32] = msg.sender;
- memcpy(&_signing_verifying_nonce[33], _signing_whitelist[j].serial, 9);
- // We can 'void' sha256 because the hash is already put in the correct place
- (void)signerSha256(_signing_verifying_nonce, 32+1+9);
- SIGN_DEBUG(PSTR("SGN:BND:VER WHI,ID=%" PRIu8 "\n"), msg.sender);
- #ifdef MY_DEBUG_VERBOSE_SIGNING
- buf2str(_signing_whitelist[j].serial, 9);
- SIGN_DEBUG(PSTR("SGN:BND:VER WHI,SERIAL=%s\n"), printStr);
- #endif
- break;
- }
- }
- if (j == NUM_OF(_signing_whitelist)) {
- SIGN_DEBUG(PSTR("!SGN:BND:VER WHI,ID=%" PRIu8 " MISSING\n"), msg.sender);
- // Put device back to sleep
- atsha204_sleep();
- return false;
- }
- #endif
-
- // Put device back to sleep
- atsha204_sleep();
-
- // Overwrite the first byte in the signature with the signing identifier
- _signing_hmac[0] = SIGNING_IDENTIFIER;
-
- // Compare the calculated signature with the provided signature
- if (signerMemcmp(&msg.data[mGetLength(msg)], _signing_hmac,
- min(MAX_PAYLOAD-mGetLength(msg), 32))) {
- return false;
- } else {
- return true;
- }
- }
- }
-
- // Helper to calculate signature of msg (returned in _signing_rx_buffer[SHA204_BUFFER_POS_DATA])
- // (=_signing_hmac)
- static void signerCalculateSignature(MyMessage &msg, bool signing)
- {
- // Signature is calculated on everything expect the first byte in the header
- uint16_t bytes_left = mGetLength(msg)+HEADER_SIZE-1;
- int16_t current_pos = 1-(int16_t)HEADER_SIZE; // Start at the second byte in the header
- uint8_t* nonce = signing ? _signing_signing_nonce : _signing_verifying_nonce;
-
- #ifdef MY_DEBUG_VERBOSE_SIGNING
- buf2str(nonce, 32);
- SIGN_DEBUG(PSTR("SGN:BND:NONCE=%s\n"), printStr);
- #endif
-
- while (bytes_left) {
- uint16_t bytes_to_include = min(bytes_left, 32);
-
- (void)atsha204_wakeup(_signing_temp_message); // Issue wakeup to reset watchdog
- memset(_signing_temp_message, 0, 32);
- memcpy(_signing_temp_message, (uint8_t*)&msg.data[current_pos], bytes_to_include);
-
- // We can 'void' signerAtsha204AHmac because the HMAC is already put in the correct place
- (void)signerAtsha204AHmac(nonce, _signing_temp_message);
- // Purge nonce when used
- memset(nonce, 0xAA, 32);
-
- bytes_left -= bytes_to_include;
- current_pos += bytes_to_include;
-
- if (bytes_left > 0) {
- // We will do another pass, use current HMAC as nonce for the next HMAC
- memcpy(nonce, _signing_hmac, 32);
- atsha204_idle(); // Idle the chip to allow the wakeup call to reset the watchdog
- }
- }
- #ifdef MY_DEBUG_VERBOSE_SIGNING
- buf2str(_signing_hmac, 32);
- SIGN_DEBUG(PSTR("SGN:BND:HMAC=%s\n"), printStr);
- #endif
- }
-
- // Helper to calculate a ATSHA204A specific HMAC-SHA256 using provided 32 byte nonce and data
- // (zero padded to 32 bytes)
- // The pointer to the HMAC is returned, but the HMAC is also stored in
- // _signing_rx_buffer[SHA204_BUFFER_POS_DATA] (=_signing_hmac)
- static uint8_t* signerAtsha204AHmac(const uint8_t* nonce, const uint8_t* data)
- {
- // Program the data to sign into the ATSHA204
- (void)atsha204_execute(SHA204_WRITE, SHA204_ZONE_DATA | SHA204_ZONE_COUNT_FLAG, 8 << 3, 32,
- (uint8_t*)data,
- WRITE_COUNT_LONG, _signing_tx_buffer, WRITE_RSP_SIZE, _signing_rx_buffer);
-
- // Program the nonce to use for the signature (has to be done just before GENDIG
- // due to chip limitations)
- (void)atsha204_execute(SHA204_NONCE, NONCE_MODE_PASSTHROUGH, 0, 32, (uint8_t*)nonce,
- NONCE_COUNT_LONG, _signing_tx_buffer, NONCE_RSP_SIZE_SHORT,
- _signing_rx_buffer);
-
- // Generate digest of data and nonce
- (void)atsha204_execute(SHA204_GENDIG, GENDIG_ZONE_DATA, 8, 0, NULL,
- GENDIG_COUNT_DATA, _signing_tx_buffer, GENDIG_RSP_SIZE,
- _signing_rx_buffer);
-
- // Calculate HMAC of message+nonce digest and secret key
- (void)atsha204_execute(SHA204_HMAC, HMAC_MODE_SOURCE_FLAG_MATCH, 0, 0, NULL,
- HMAC_COUNT, _signing_tx_buffer, HMAC_RSP_SIZE, _signing_rx_buffer);
- return &_signing_rx_buffer[SHA204_BUFFER_POS_DATA];
- }
-
- // Helper to calculate a generic SHA256 digest of provided buffer (only supports one block)
- // The pointer to the hash is returned, but the hash is also stored in
- // _signing_rx_buffer[SHA204_BUFFER_POS_DATA])
- static uint8_t* signerSha256(const uint8_t* data, size_t sz)
- {
- // Initiate SHA256 calculator
- (void)atsha204_execute(SHA204_SHA, SHA_INIT, 0, 0, NULL,
- SHA_COUNT_SHORT, _signing_tx_buffer, SHA_RSP_SIZE_SHORT,
- _signing_rx_buffer);
-
- // Calculate a hash
- memset(_signing_temp_message, 0x00, SHA_MSG_SIZE);
- memcpy(_signing_temp_message, data, sz);
- _signing_temp_message[sz] = 0x80;
- // Write length data to the last bytes
- _signing_temp_message[SHA_MSG_SIZE-2] = (sz >> 5);
- _signing_temp_message[SHA_MSG_SIZE-1] = (sz << 3);
- (void)atsha204_execute(SHA204_SHA, SHA_CALC, 0, SHA_MSG_SIZE, _signing_temp_message,
- SHA_COUNT_LONG, _signing_tx_buffer, SHA_RSP_SIZE_LONG, _signing_rx_buffer);
- return &_signing_rx_buffer[SHA204_BUFFER_POS_DATA];
- }
- #endif //MY_SIGNING_ATSHA204
|