123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393 |
- /*
- * The MySensors Arduino library handles the wireless radio link and protocol
- * between your home built sensors/actuators and HA controller of choice.
- * The sensors forms a self healing radio network with optional repeaters. Each
- * repeater and gateway builds a routing tables in EEPROM which keeps track of the
- * network topology allowing messages to be routed to nodes.
- *
- * Created by Henrik Ekblad <henrik.ekblad@mysensors.org>
- * Copyright (C) 2013-2018 Sensnology AB
- * Full contributor list: https://github.com/mysensors/MySensors/graphs/contributors
- *
- * Documentation: http://www.mysensors.org
- * Support Forum: http://forum.mysensors.org
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * version 2 as published by the Free Software Foundation.
- *
- *******************************
- *
- * DESCRIPTION
- * Signing support created by Patrick "Anticimex" Fallberg <patrick@fallberg.net>
- * ATSHA204 emulated signing backend. The emulated ATSHA204 implementation offers pseudo random
- * number generation and HMAC-SHA256 authentication compatible with a "physical" ATSHA204.
- * NOTE: Key is stored in clear text in the Arduino firmware. Therefore, the use of this back-end
- * could compromise the key used in the signed message infrastructure if device is lost and its
- * memory dumped.
- *
- */
-
- #include "MySigning.h"
-
- #ifdef MY_SIGNING_SOFT
- #define SIGNING_IDENTIFIER (1) //HMAC-SHA256
-
- #if defined(MY_DEBUG_VERBOSE_SIGNING)
- #define SIGN_DEBUG(x,...) DEBUG_OUTPUT(x, ##__VA_ARGS__)
- static char printStr[65];
- static char i2h(const uint8_t i)
- {
- uint8_t k = i & 0x0F;
- if (k <= 9) {
- return '0' + k;
- } else {
- return 'A' + k - 10;
- }
- }
-
- static void buf2str(const uint8_t *buf, size_t sz)
- {
- if (sz > 32) {
- sz = 32; //clamp to 32 bytes
- }
- for (uint8_t i = 0; i < sz; i++) {
- printStr[i * 2] = i2h(buf[i] >> 4);
- printStr[(i * 2) + 1] = i2h(buf[i]);
- }
- printStr[sz * 2] = '\0';
- }
- #else
- #define SIGN_DEBUG(x,...)
- #endif
-
- static unsigned long _signing_timestamp;
- static bool _signing_verification_ongoing = false;
- static bool _signing_init_ok = false;
- static uint8_t _signing_verifying_nonce[32+9+1];
- static uint8_t _signing_nonce[32+9+1];
- static uint8_t _signing_hmac_key[SIZE_SIGNING_SOFT_HMAC_KEY];
- static uint8_t _signing_hmac[32];
- static uint8_t _signing_node_serial_info[SIZE_SIGNING_SOFT_SERIAL];
-
- #ifdef MY_SIGNING_NODE_WHITELISTING
- static const whitelist_entry_t _signing_whitelist[] = MY_SIGNING_NODE_WHITELISTING;
- #endif
-
- static void signerCalculateSignature(MyMessage &msg, const bool signing);
- static void signerAtsha204AHmac(uint8_t *dest, const uint8_t *nonce, const uint8_t *data);
-
- bool signerAtsha204SoftInit(void)
- {
- _signing_init_ok = true;
- // initialize pseudo-RNG
- hwRandomNumberInit();
- // Set secrets
- #ifdef MY_SIGNING_SIMPLE_PASSWD
- if (strnlen(MY_SIGNING_SIMPLE_PASSWD, 32) < 8) {
- SIGN_DEBUG(PSTR("!SGN:BND:PWD<8\n")); //Password is too short to be acceptable
- _signing_init_ok = false;
- } else {
- (void)memset((void *)_signing_hmac_key, 0x00, sizeof(_signing_hmac_key));
- (void)memcpy((void *)_signing_hmac_key, MY_SIGNING_SIMPLE_PASSWD, strnlen(MY_SIGNING_SIMPLE_PASSWD,
- 32));
- (void)memset((void *)_signing_node_serial_info, 0x00, sizeof(_signing_node_serial_info));
- (void)memcpy((void *)_signing_node_serial_info, MY_SIGNING_SIMPLE_PASSWD,
- strnlen(MY_SIGNING_SIMPLE_PASSWD, 8));
- _signing_node_serial_info[8] = getNodeId();
- }
- #else
- hwReadConfigBlock((void *)_signing_hmac_key, (void *)EEPROM_SIGNING_SOFT_HMAC_KEY_ADDRESS,
- SIZE_SIGNING_SOFT_HMAC_KEY);
- hwReadConfigBlock((void *)_signing_node_serial_info, (void *)EEPROM_SIGNING_SOFT_SERIAL_ADDRESS,
- SIZE_SIGNING_SOFT_SERIAL);
- #endif
-
- uint16_t chk = 0;
- for (uint8_t i = 0; i < SIZE_SIGNING_SOFT_SERIAL; i++) {
- chk += _signing_node_serial_info[i];
- }
- if (chk==SIZE_SIGNING_SOFT_SERIAL *
- 0xFF) { // test if == { 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF }
- unique_id_t uniqueID;
- // There is no serial, attempt to get unique ID for serial instead
- if (hwUniqueID(&uniqueID)) {
- // There is a unique serial, use that
- (void)memcpy((void *)_signing_node_serial_info, (const void *)uniqueID, SIZE_SIGNING_SOFT_SERIAL);
- }
- }
- return _signing_init_ok;
- }
-
- bool signerAtsha204SoftCheckTimer(void)
- {
- if (!_signing_init_ok) {
- return false;
- }
- if (_signing_verification_ongoing) {
- unsigned long time_now = hwMillis();
- // If timestamp is taken so late a rollover can take place during the timeout,
- // offset both timestamp and current time to make sure no rollover takes place during the
- // timeout
- if (_signing_timestamp + MY_VERIFICATION_TIMEOUT_MS < _signing_timestamp) {
- _signing_timestamp += MY_VERIFICATION_TIMEOUT_MS;
- time_now += MY_VERIFICATION_TIMEOUT_MS;
- }
- if (time_now > _signing_timestamp + MY_VERIFICATION_TIMEOUT_MS) {
- SIGN_DEBUG(PSTR("!SGN:BND:TMR\n")); //Verification timeout
- // Purge nonce
- (void)memset((void *)_signing_nonce, 0xAA, sizeof(_signing_nonce));
- (void)memset((void *)_signing_verifying_nonce, 0xAA, sizeof(_signing_verifying_nonce));
- _signing_verification_ongoing = false;
- return false;
- }
- }
- return true;
- }
-
- bool signerAtsha204SoftGetNonce(MyMessage &msg)
- {
- if (!_signing_init_ok) {
- return false;
- }
-
- #ifdef MY_HW_HAS_GETENTROPY
- // Try to get MAX_PAYLOAD random bytes
- while (hwGetentropy(&_signing_verifying_nonce, MAX_PAYLOAD) != MAX_PAYLOAD);
- #else
- // We used a basic whitening technique that XORs a random byte with the current hwMillis() counter
- // and then the byte is hashed (SHA256) to produce the resulting nonce
- uint8_t randBuffer[32];
- for (uint8_t i = 0; i < sizeof(randBuffer); i++) {
- randBuffer[i] = random(256) ^ (hwMillis() & 0xFF);
- }
- SHA256(_signing_verifying_nonce, randBuffer, sizeof(randBuffer));
- #endif
-
- if (MAX_PAYLOAD < 32) {
- // We set the part of the 32-byte nonce that does not fit into a message to 0xAA
- (void)memset((void *)&_signing_verifying_nonce[MAX_PAYLOAD], 0xAA, 32-MAX_PAYLOAD);
- }
-
- // Transfer the first part of the nonce to the message
- msg.set(_signing_verifying_nonce, MIN(MAX_PAYLOAD, 32));
- _signing_verification_ongoing = true;
- _signing_timestamp = hwMillis(); // Set timestamp to determine when to purge nonce
- // Be a little fancy to handle turnover (prolong the time allowed to timeout after turnover)
- // Note that if message is "too" quick, and arrives before turnover, it will be rejected
- // but this is consider such a rare case that it is accepted and rejects are 'safe'
- if (_signing_timestamp + MY_VERIFICATION_TIMEOUT_MS < hwMillis()) {
- _signing_timestamp = 0;
- }
- return true;
- }
-
- void signerAtsha204SoftPutNonce(MyMessage &msg)
- {
- if (!_signing_init_ok) {
- return;
- }
- (void)memcpy((void *)_signing_nonce, (const void *)msg.getCustom(), MIN(MAX_PAYLOAD, 32));
- if (MAX_PAYLOAD < 32) {
- // We set the part of the 32-byte nonce that does not fit into a message to 0xAA
- (void)memset((void *)&_signing_nonce[MAX_PAYLOAD], 0xAA, 32-MAX_PAYLOAD);
- }
- }
-
- bool signerAtsha204SoftSignMsg(MyMessage &msg)
- {
- // If we cannot fit any signature in the message, refuse to sign it
- if (mGetLength(msg) > MAX_PAYLOAD-2) {
- SIGN_DEBUG(PSTR("!SGN:BND:SIG,SIZE,%" PRIu8 ">%" PRIu8 "\n"), mGetLength(msg),
- MAX_PAYLOAD-2); //Message too large
- return false;
- }
-
- // Calculate signature of message
- mSetSigned(msg, 1); // make sure signing flag is set before signature is calculated
- signerCalculateSignature(msg, true);
-
- if (DO_WHITELIST(msg.destination)) {
- // Salt the signature with the senders nodeId and the (hopefully) unique serial The Creator has
- // provided. We can reuse the nonce buffer now since it is no longer needed
- (void)memcpy((void *)_signing_nonce, (const void *)_signing_hmac, 32);
- _signing_nonce[32] = msg.sender;
- (void)memcpy((void *)&_signing_nonce[33], (const void *)_signing_node_serial_info, 9);
- SHA256(_signing_hmac, _signing_nonce, 32+1+9);
- SIGN_DEBUG(PSTR("SGN:BND:SIG WHI,ID=%" PRIu8 "\n"), msg.sender);
- #ifdef MY_DEBUG_VERBOSE_SIGNING
- buf2str(_signing_node_serial_info, 9);
- SIGN_DEBUG(PSTR("SGN:BND:SIG WHI,SERIAL=%s\n"), printStr);
- #endif
- }
-
- // Overwrite the first byte in the signature with the signing identifier
- _signing_hmac[0] = SIGNING_IDENTIFIER;
-
- // Transfer as much signature data as the remaining space in the message permits
- (void)memcpy((void *)&msg.data[mGetLength(msg)], (const void *)_signing_hmac,
- MIN(MAX_PAYLOAD-mGetLength(msg), 32));
-
- return true;
- }
-
- bool signerAtsha204SoftVerifyMsg(MyMessage &msg)
- {
- if (!_signing_verification_ongoing) {
- SIGN_DEBUG(PSTR("!SGN:BND:VER ONGOING\n"));
- return false;
- } else {
- // Make sure we have not expired
- if (!signerCheckTimer()) {
- return false;
- }
-
- _signing_verification_ongoing = false;
-
- if (msg.data[mGetLength(msg)] != SIGNING_IDENTIFIER) {
- SIGN_DEBUG(PSTR("!SGN:BND:VER,IDENT=%" PRIu8 "\n"), msg.data[mGetLength(msg)]);
- return false;
- }
-
- signerCalculateSignature(msg, false); // Get signature of message
-
- #ifdef MY_SIGNING_NODE_WHITELISTING
- // Look up the senders nodeId in our whitelist and salt the signature with that data
- size_t j;
- for (j = 0; j < NUM_OF(_signing_whitelist); j++) {
- if (_signing_whitelist[j].nodeId == msg.sender) {
- // We can reuse the nonce buffer now since it is no longer needed
- (void)memcpy((void *)_signing_verifying_nonce, (const void *)_signing_hmac, 32);
- _signing_verifying_nonce[32] = msg.sender;
- (void)memcpy((void *)&_signing_verifying_nonce[33], (const void *)_signing_whitelist[j].serial, 9);
- SHA256(_signing_hmac, _signing_verifying_nonce, 32+1+9);
- SIGN_DEBUG(PSTR("SGN:BND:VER WHI,ID=%" PRIu8 "\n"), msg.sender);
- #ifdef MY_DEBUG_VERBOSE_SIGNING
- buf2str(_signing_whitelist[j].serial, 9);
- SIGN_DEBUG(PSTR("SGN:BND:VER WHI,SERIAL=%s\n"), printStr);
- #endif
- break;
- }
- }
- if (j == NUM_OF(_signing_whitelist)) {
- SIGN_DEBUG(PSTR("!SGN:BND:VER WHI,ID=%" PRIu8 " MISSING\n"), msg.sender);
- return false;
- }
- #endif
-
- // Overwrite the first byte in the signature with the signing identifier
- _signing_hmac[0] = SIGNING_IDENTIFIER;
-
- // Compare the calculated signature with the provided signature
- if (signerMemcmp(&msg.data[mGetLength(msg)], _signing_hmac,
- MIN(MAX_PAYLOAD-mGetLength(msg), 32))) {
- return false;
- } else {
- return true;
- }
- }
- }
-
- // Helper to calculate signature of msg (returned in _signing_hmac)
- static void signerCalculateSignature(MyMessage &msg, const bool signing)
- {
- // Signature is calculated on everything expect the first byte in the header
- uint8_t bytes_left = mGetLength(msg)+HEADER_SIZE-1;
- int16_t current_pos = 1-(int16_t)HEADER_SIZE; // Start at the second byte in the header
- uint8_t* nonce = signing ? _signing_nonce : _signing_verifying_nonce;
-
- #ifdef MY_DEBUG_VERBOSE_SIGNING
- buf2str(nonce, 32);
- SIGN_DEBUG(PSTR("SGN:BND:NONCE=%s\n"), printStr);
- #endif
-
- uint8_t _signing_temp_message[32];
-
- while (bytes_left) {
- uint8_t bytes_to_include = MIN(bytes_left, 32);
-
- (void)memset((void *)_signing_temp_message, 0x00, sizeof(_signing_temp_message));
- (void)memcpy((void *)_signing_temp_message, (const void *)&msg.data[current_pos], bytes_to_include);
-
- signerAtsha204AHmac(_signing_hmac, nonce, _signing_temp_message);
- // Purge nonce when used
- (void)memset((void *)nonce, 0xAA, 32);
-
- bytes_left -= bytes_to_include;
- current_pos += bytes_to_include;
-
- if (bytes_left) {
- // We will do another pass, use current HMAC as nonce for the next HMAC
- (void)memcpy((void *)nonce, (const void *)_signing_hmac, 32);
- }
- }
- #ifdef MY_DEBUG_VERBOSE_SIGNING
- buf2str(_signing_hmac, 32);
- SIGN_DEBUG(PSTR("SGN:BND:HMAC=%s\n"), printStr);
- #endif
- }
-
- // Helper to calculate a ATSHA204A specific HMAC-SHA256 using provided 32 byte nonce and data
- // (zero padded to 32 bytes)
- // The pointer to the HMAC is returned, but the HMAC is also stored in _signing_hmac
- static void signerAtsha204AHmac(uint8_t *dest, const uint8_t *nonce, const uint8_t *data)
- {
- // ATSHA204 calculates the HMAC with a PSK and a SHA256 digest of the following data:
- // 32 bytes zeroes
- // 32 bytes digest,
- // 1 byte OPCODE (0x11)
- // 1 byte Mode (0x04)
- // 2 bytes SlotID (0x0000)
- // 11 bytes zeroes
- // SN[8] (0xEE)
- // 4 bytes zeroes
- // SN[0:1] (0x0123)
- // 2 bytes zeroes
-
- // The digest is calculated as a SHA256 digest of the following:
- // 32 bytes message
- // 1 byte OPCODE (0x15)
- // 1 byte param1 (0x02)
- // 2 bytes param2 (0x0800)
- // SN[8] (0xEE)
- // SN[0:1] (0x0123)
- // 25 bytes zeroes
- // 32 bytes nonce
-
- #if defined(MY_CRYPTO_SHA256_ASM)
- static uint8_t _signing_buffer[96]; // static for AVR ASM SHA256
- #else
- uint8_t _signing_buffer[96];
- #endif
- // Calculate message digest first
- (void)memset((void *)_signing_buffer, 0x00, sizeof(_signing_buffer));
- (void)memcpy((void *)_signing_buffer, (const void *)data, 32);
- _signing_buffer[0 + 32] = 0x15; // OPCODE
- _signing_buffer[1 + 32] = 0x02; // param1
- _signing_buffer[2 + 32] = 0x08; // param2(1)
- //_signing_buffer[3 + 32] = 0x00; // param2(2)
- _signing_buffer[4 + 32] = 0xEE; // SN[8]
- _signing_buffer[5 + 32] = 0x01; // SN[0]
- _signing_buffer[6 + 32] = 0x23; // SN[1]
- // _signing_buffer[7 + 32..31 + 32] => 0x00;
- (void)memcpy((void *)&_signing_buffer[64], (const void *)nonce, 32);
- SHA256(_signing_hmac, _signing_buffer, 96);
-
- // Feed "message" to HMAC calculator
- (void)memset((void *)_signing_buffer, 0x00, sizeof(_signing_buffer));
- (void)memcpy((void *)&_signing_buffer[32], (const void *)_signing_hmac, 32);
- _signing_buffer[0 + 64] = 0x11; // OPCODE
- _signing_buffer[1 + 64] = 0x04; // Mode
- //_signing_buffer[2 + 64] = 0x00; // SlotID(1)
- //_signing_buffer[3 + 64] = 0x00; // SlotID(2)
- //_signing_buffer[4 + 64..14 + 64] => 0x00; // 11 bytes zeroes
- _signing_buffer[15 + 64] = 0xEE; // SN[8]
- //_signing_buffer[16 + 64..19 + 64] => 0x00; // 4 bytes zeroes
- _signing_buffer[20 + 64] = 0x01;
- _signing_buffer[21 + 64] = 0x23;
- //_signing_buffer[22 + 64] = 0x00; // SN[0]
- //_signing_buffer[23 + 64] = 0x00; // SN[1]
- SHA256HMAC(dest, _signing_hmac_key, 32, _signing_buffer, 88);
- }
-
- #endif //MY_SIGNING_SOFT
|