Merge pull request arduino#71 from fallberg/sign_dev

Signing support for MySensors

Author: henrikekblad

Bootloader/MyOtaBootloader.c

@@ -152,6 +152,12 @@ int main () {
 		address(nc.nodeId);
 	}
 
+	// Inform gateway that bootloader does not accept signed messages
+	msg.type = I_REQUEST_SIGNING;
+	mSetLength(msg, 1);
+	msg.data[0] = 0;
+	sendWrite(msg);
+
 	// Read settings from EEPROM
 	eeprom_read_block((void*)&fc, (void*)EEPROM_FIRMWARE_TYPE_ADDRESS, sizeof(struct FirmwareConfig));
 

libraries/MySensors/MyConfig.h

@@ -15,9 +15,15 @@
 #define MYSENSORS_RF_NRF24
 //#define MYSENSORS_RF_RF69
 
+// Choose signing backend by enabling one of the following
+#define MYSENSORS_SIGNING_DUMMY
+//#define MYSENSORS_SIGNING_ATSHA204
+//#define MYSENSORS_SIGNING_ATSHA204SOFT
 
-
-
+// Define a suitable timeout for a signature verification session
+// Consider the turnaround from a nonce being generated to a signed message being received
+// which might vary, especially in networks with many hops. 5s ought to be enough for anyone.
+#define VERIFICATION_TIMEOUT_MS 5000
 
 #ifdef MYSENSORS_RF_NRF24
 #include "MyRFDriverNRF24.h"
@@ -29,6 +35,57 @@ typedef class MyRFDriverNRF24 MyRFDriverClass;
 typedef class MyRFDriverRF69 MyRFDriverClass;
 #endif
 
+#ifdef MYSENSORS_SIGNING_DUMMY
+#include "MySigningDriverDummy.h"
+#define SIGNING_IDENTIFIER (0) // Reserved for dummy implementation, will not work with other backends
+typedef class MySigningDriverDummy MySigningDriverClass;
+#endif
+
+#ifdef MYSENSORS_SIGNING_ATSHA204
+#ifdef MYSENSORS_SENSOR
+#define ATSHA204_PIN 17 //A3
+#endif
+
+#ifdef MYSENSORS_SERIAL_GATEWAY
+#define ATSHA204_PIN 17 //A3
+#endif
+
+#ifdef MYSENSORS_ETHERNET_MQTT_GATEWAY
+#define ATSHA204_PIN 17 //A3
+#endif
+
+#include "MySigningDriverAtsha204.h"
+#define SIGNING_IDENTIFIER (1) // SHA256-based HMAC (ATSHA204 specific)
+typedef class MySigningDriverAtsha204 MySigningDriverClass;
+#endif
+
+#ifdef MYSENSORS_SIGNING_ATSHA204SOFT
+// Key to use for HMAC calculation
+static uint8_t hmacKey[32] = {
+0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
+0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
+};
+
+// Pick an unconnected analog pin for RANDOMSEED_PIN
+#ifdef MYSENSORS_SENSOR
+#define RANDOMSEED_PIN 7 //A7
+#endif
+
+#ifdef MYSENSORS_SERIAL_GATEWAY
+#define RANDOMSEED_PIN 7 //A7
+#endif
+
+#ifdef MYSENSORS_ETHERNET_MQTT_GATEWAY
+#define RANDOMSEED_PIN 7 //A7
+#endif
+
+#include "MySigningDriverAtsha204Soft.h"
+#define SIGNING_IDENTIFIER (1) // SHA256-based HMAC (ATSHA204 specific)
+typedef class MySigningDriverAtsha204Soft MySigningDriverClass;
+#endif
+
 /***
  * Enable/Disable debug logging
  */

libraries/MySensors/MyMessage.h

@@ -47,7 +47,7 @@ typedef enum {
 	I_BATTERY_LEVEL, I_TIME, I_VERSION, I_ID_REQUEST, I_ID_RESPONSE,
 	I_INCLUSION_MODE, I_CONFIG, I_FIND_PARENT, I_FIND_PARENT_RESPONSE,
 	I_LOG_MESSAGE, I_CHILDREN, I_SKETCH_NAME, I_SKETCH_VERSION,
-	I_REBOOT, I_GATEWAY_READY
+	I_REBOOT, I_GATEWAY_READY, I_REQUEST_SIGNING, I_GET_NONCE, I_GET_NONCE_RESPONSE
 } mysensor_internal;
 
 // Type of sensor  (for presentation message)
@@ -84,8 +84,11 @@ typedef enum {
 #define BF_SET(y, x, start, len)    ( y= ((y) &~ BF_MASK(start, len)) | BF_PREP(x, start, len) )
 
 // Getters/setters for special bit fields in header
-#define mSetVersion(_msg,_version) BF_SET(_msg.version_length, _version, 0, 3)
-#define mGetVersion(_msg) BF_GET(_msg.version_length, 0, 3)
+#define mSetVersion(_msg,_version) BF_SET(_msg.version_length, _version, 0, 2)
+#define mGetVersion(_msg) BF_GET(_msg.version_length, 0, 2)
+
+#define mSetSigned(_msg,_signed) BF_SET(_msg.version_length, _signed, 2, 1)
+#define mGetSigned(_msg) BF_GET(_msg.version_length, 2, 1)
 
 #define mSetLength(_msg,_length) BF_SET(_msg.version_length, _length, 3, 5)
 #define mGetLength(_msg) BF_GET(_msg.version_length, 3, 5)
@@ -179,7 +182,8 @@ struct
 	uint8_t sender;          	 // 8 bit - Id of sender node (origin)
 	uint8_t destination;     	 // 8 bit - Id of destination node
 
-	uint8_t version_length;      // 3 bit - Protocol version
+	uint8_t version_length;		 // 2 bit - Protocol version
+			                     // 1 bit - Signed flag
 			                     // 5 bit - Length of payload
 	uint8_t command_ack_payload; // 3 bit - Command type
 	                             // 1 bit - Request an ack - Indicator that receiver should send an ack back.

libraries/MySensors/MySensor.cpp

@@ -13,6 +13,10 @@
 
 #define DISTANCE_INVALID (0xFF)
 
+// Macros for manipulating signing requirement table
+#define DO_SIGN(node) (doSign[node>>4]&(node%16))
+#define SET_SIGN(node) (doSign[node>>4]|=(node%16))
+#define CLEAR_SIGN(node) (doSign[node>>4]&=~(node%16))
 
 // Inline function and macros
 static inline MyMessage& build (MyMessage &msg, uint8_t sender, uint8_t destination, uint8_t sensor, uint8_t command, uint8_t type, bool enableAck) {
@@ -35,14 +39,17 @@ static inline bool isValidDistance( const uint8_t distance ) {
 
 MySensor::MySensor() {
 	radio = (MyRFDriver*) new MyRFDriverClass();
+	signer = (MySigningDriver*) new MySigningDriverClass();
 }
 
 
-void MySensor::begin(void (*_msgCallback)(const MyMessage &), uint8_t _nodeId, boolean _repeaterMode, uint8_t _parentNodeId) {
+void MySensor::begin(void (*_msgCallback)(const MyMessage &), uint8_t _nodeId, boolean _repeaterMode, uint8_t _parentNodeId, bool requestSignatures) {
 	Serial.begin(BAUD_RATE);
 	repeaterMode = _repeaterMode;
 	msgCallback = _msgCallback;
 	failedTransmissions = 0;
+	requireSigning = requestSignatures;
+
 	// Only gateway should use node id 0
 	isGateway = _nodeId == 0;
 
@@ -55,6 +62,8 @@ void MySensor::begin(void (*_msgCallback)(const MyMessage &), uint8_t _nodeId, b
 	eeprom_read_block((void*)&nc, (void*)EEPROM_NODE_ID_ADDRESS, sizeof(NodeConfig));
 	// Read latest received controller configuration from EEPROM
 	eeprom_read_block((void*)&cc, (void*)EEPROM_CONTROLLER_CONFIG_ADDRESS, sizeof(ControllerConfig));
+	// Read out the signing requirements from EEPROM
+	eeprom_read_block((void*)doSign, (void*)EEPROM_SIGNING_REQUIREMENT_TABLE_ADDRESS, sizeof(doSign));
 
 	if (isGateway) {
 		nc.distance = 0;
@@ -137,6 +146,9 @@ void MySensor::setupNode() {
 	// Send presentation for this radio node (attach
 	present(NODE_SENSOR_ID, repeaterMode? S_ARDUINO_REPEATER_NODE : S_ARDUINO_NODE);
 
+	// Notify gateway (and possibly controller) about the signing preferences of this node
+	sendRoute(build(msg, nc.nodeId, GATEWAY_ADDRESS, NODE_SENSOR_ID, C_INTERNAL, I_REQUEST_SIGNING, false).set(requireSigning));
+
 	// Send a configuration exchange request to controller
 	// Node sends parent node. Controller answers with latest node configuration
 	// which is picked up in process()
@@ -178,6 +190,19 @@ boolean MySensor::sendRoute(MyMessage &message) {
 		return false;
 	}
 
+	mSetVersion(message, PROTOCOL_VERSION);
+
+	// If destination is known to require signed messages and we are the sender, sign this message unless it is an ACK or a signing handshake message
+	if (DO_SIGN(message.destination) && message.sender == nc.nodeId && !mGetAck(message) && mGetLength(msg) &&
+		(mGetCommand(message) != C_INTERNAL || (message.type != I_GET_NONCE && message.type != I_GET_NONCE_RESPONSE && message.type != I_REQUEST_SIGNING))) {
+		if (!sign(message)) {
+			debug(PSTR("Message signing failed\n"));
+			return false;
+		}
+		// After this point, only the 'last' member of the message structure is allowed to be altered if the message has been signed,
+		// or signature will become invalid and the message rejected by the receiver
+	} else mSetSigned(message, 0); // Message is not supposed to be signed, make sure it is marked unsigned
+
 	if (dest == GATEWAY_ADDRESS || !repeaterMode) {
 		// If destination is the gateway or if we aren't a repeater, let
 		// our parent take care of the message
@@ -240,14 +265,13 @@ boolean MySensor::sendRoute(MyMessage &message) {
 }
 
 boolean MySensor::sendWrite(uint8_t to, MyMessage &message) {
-	uint8_t length = mGetLength(message);
+	uint8_t length = mGetSigned(message) ? MAX_MESSAGE_LENGTH : mGetLength(message);
 	message.last = nc.nodeId;
-	mSetVersion(message, PROTOCOL_VERSION);
 	bool ok = radio->send(to, &message, min(MAX_MESSAGE_LENGTH, HEADER_SIZE + length));
 
-	debug(PSTR("send: %d-%d-%d-%d s=%d,c=%d,t=%d,pt=%d,l=%d,st=%s:%s\n"),
+	debug(PSTR("send: %d-%d-%d-%d s=%d,c=%d,t=%d,pt=%d,l=%d,sg=%d,st=%s:%s\n"),
 			message.sender,message.last, to, message.destination, message.sensor, mGetCommand(message), message.type,
-			mGetPayloadType(message), mGetLength(message), to==BROADCAST_ADDRESS ? "bc" : (ok ? "ok":"fail"), message.getString(convBuf));
+			mGetPayloadType(message), mGetLength(message), mGetSigned(message), to==BROADCAST_ADDRESS ? "bc" : (ok ? "ok":"fail"), message.getString(convBuf));
 
 	return ok;
 }
@@ -290,12 +314,26 @@ boolean MySensor::process() {
 	if (!radio->available(&to))
 		return false;
 
+	(void)signer->checkTimer(); // Manage signing timeout
+	
 	uint8_t len = radio->receive((uint8_t *)&msg);
 
+	// Before processing message, reject unsigned messages if signing is required and check signature (if it is signed and addressed to us)
+	// Note that we do not care at all about any signature found if we do not require signing
+	if (requireSigning && msg.destination == nc.nodeId && mGetLength(msg) &&
+		(mGetCommand(msg) != C_INTERNAL || (msg.type != I_GET_NONCE_RESPONSE && msg.type != I_GET_NONCE && msg.type != I_REQUEST_SIGNING))) {
+		if (!mGetSigned(msg)) return false; // Received an unsigned message but we do require signing. This message gets nowhere!
+		else if (!signer->verifyMsg(msg)) {
+			debug(PSTR("Message verification failed\n"));
+			return false; // This signed message has been tampered with!
+		}
+	}
+
 	// Add string termination, good if we later would want to print it.
 	msg.data[mGetLength(msg)] = '\0';
-	debug(PSTR("read: %d-%d-%d s=%d,c=%d,t=%d,pt=%d,l=%d:%s\n"),
-				msg.sender, msg.last, msg.destination,  msg.sensor, mGetCommand(msg), msg.type, mGetPayloadType(msg), mGetLength(msg), msg.getString(convBuf));
+	debug(PSTR("read: %d-%d-%d s=%d,c=%d,t=%d,pt=%d,l=%d,sg=%d:%s\n"),
+				msg.sender, msg.last, msg.destination, msg.sensor, mGetCommand(msg), msg.type, mGetPayloadType(msg), mGetLength(msg), mGetSigned(msg), msg.getString(convBuf));
+	mSetSigned(msg,0); // Clear the sign-flag now as verification (and debug printing) is completed
 
 	if(!(mGetVersion(msg) == PROTOCOL_VERSION)) {
 		debug(PSTR("version: %d\n"),mGetVersion(msg));
@@ -349,6 +387,32 @@ boolean MySensor::process() {
 					}
 				}
 				return false;
+			} else if (type == I_GET_NONCE) {
+				if (signer->getNonce(msg)) {
+					sendRoute(build(msg, nc.nodeId, GATEWAY_ADDRESS, NODE_SENSOR_ID, C_INTERNAL, I_GET_NONCE_RESPONSE, false));
+				} else {
+					return false;
+				}
+			} else if (type == I_REQUEST_SIGNING) {
+				if (msg.getBool()) {
+					// We received an indicator that the sender require us to sign all messages we send to it
+					SET_SIGN(msg.sender);
+				} else {
+					// We received an indicator that the sender does not require us to sign all messages we send to it
+					CLEAR_SIGN(msg.sender);
+				}
+				// Save updated table
+				eeprom_write_block((void*)EEPROM_SIGNING_REQUIREMENT_TABLE_ADDRESS, (void*)doSign, sizeof(doSign));
+
+				// Inform sender about our preference if we are a gateway, but only require signing if the sender required signing
+				// We do not currently want a gateway to require signing from all nodes in a network just because it wants one node
+				// to sign it's messages
+				if (isGateway) {
+					if (requireSigning)
+						sendRoute(build(msg, nc.nodeId, msg.sender, NODE_SENSOR_ID, C_INTERNAL, I_REQUEST_SIGNING, false).set(requireSigning));
+					else
+						sendRoute(build(msg, nc.nodeId, msg.sender, NODE_SENSOR_ID, C_INTERNAL, I_REQUEST_SIGNING, false).set(false));
+				}
 			} else if (sender == GATEWAY_ADDRESS) {
 				bool isMetric;
 
@@ -543,6 +607,27 @@ int8_t MySensor::sleep(uint8_t interrupt1, uint8_t mode1, uint8_t interrupt2, ui
 	return retVal;
 }
 
+bool MySensor::sign(MyMessage &message) {
+	MyMessage msgNonce;
+	if (!sendRoute(build(msgNonce, nc.nodeId, message.destination, message.sensor, C_INTERNAL, I_GET_NONCE, false).set(""))) {
+		return false;
+	} else {
+		// We have to wait for the nonce to arrive before we can sign our original message
+		// Other messages could come in-between. We trust process() takes care of them
+		unsigned long enter = millis();
+		while (millis() - enter < 5000) {
+			if (process()) {
+				if (getLastMessage().type == I_GET_NONCE_RESPONSE) {
+					// Proceed with signing if nonce has been received
+					if (signer->putNonce(getLastMessage()) && signer->signMsg(message)) return true;
+					break;
+				}
+			}
+		}
+	}
+	return false;
+}
+
 #ifdef DEBUG
 void MySensor::debugPrint(const char *fmt, ... ) {
 	char fmtBuffer[300];

libraries/MySensors/MySensor.h

@@ -14,6 +14,7 @@
 
 #include "Version.h"   // Auto generated by bot
 #include "MyRFDriver.h"
+#include "MySigningDriver.h"
 #include "MyConfig.h"
 #include "MyMessage.h"
 #include <stddef.h>
@@ -50,7 +51,8 @@
 #define EEPROM_FIRMWARE_VERSION_ADDRESS (EEPROM_FIRMWARE_TYPE_ADDRESS+2)
 #define EEPROM_FIRMWARE_BLOCKS_ADDRESS (EEPROM_FIRMWARE_VERSION_ADDRESS+2)
 #define EEPROM_FIRMWARE_CRC_ADDRESS (EEPROM_FIRMWARE_BLOCKS_ADDRESS+2)
-#define EEPROM_LOCAL_CONFIG_ADDRESS (EEPROM_FIRMWARE_CRC_ADDRESS+2) // First free address for sketch static configuration
+#define EEPROM_SIGNING_REQUIREMENT_TABLE_ADDRESS (EEPROM_FIRMWARE_CRC_ADDRESS+2)
+#define EEPROM_LOCAL_CONFIG_ADDRESS (EEPROM_SIGNING_REQUIREMENT_TABLE_ADDRESS+32) // First free address for sketch static configuration
 
 // Search for a new parent node after this many transmission failures
 #define SEARCH_FAILURES  5
@@ -86,9 +88,10 @@ class MySensor
 	* @param nodeId The unique id (1-254) for this sensor. Default is AUTO(255) which means sensor tries to fetch an id from controller.
 	* @param repeaterMode Activate repeater mode. This node will forward messages to other nodes in the radio network. Make sure to call process() regularly. Default in false
 	* @param parentNodeId Use this to force node to always communicate with a certain parent node. Default is AUTO which means node automatically tries to find a parent.
+	* @param requestSignatures Set this to true if you want destination node to sign all messages sent to this node. Default is not to require signing.
 	*/
 
-	void begin(void (* msgCallback)(const MyMessage &)=NULL, uint8_t nodeId=AUTO, boolean repeaterMode=false, uint8_t parentNodeId=AUTO);
+	void begin(void (* msgCallback)(const MyMessage &)=NULL, uint8_t nodeId=AUTO, boolean repeaterMode=false, uint8_t parentNodeId=AUTO, bool requestSignatures=false);
 
 	/**
 	 * Return the nodes nodeId.
@@ -238,10 +241,15 @@ class MySensor
 	bool repeaterMode;
 	bool autoFindParent;
 	bool isGateway;
+	bool requireSigning;
+	uint16_t doSign[16]; // Bitfield indicating which sensors require signed communication
+
 	MyMessage msg;  // Buffer for incoming messages.
 	MyMessage ack;  // Buffer for ack messages.
 
 	MyRFDriver *radio;
+
+	MySigningDriver *signer;
 
 	void setupRepeaterMode();
 	void setupRadio();
@@ -264,6 +272,7 @@ class MySensor
 	void addChildRoute(uint8_t childId, uint8_t route);
 	void removeChildRoute(uint8_t childId);
 	void internalSleep(unsigned long ms);
+	bool sign(MyMessage &message);
 };
 #endif
 

libraries/MySensors/MySigningDriver.cpp

@@ -0,0 +1,4 @@
+#include "MySigningDriver.h"
+
+MySigningDriver::MySigningDriver() {
+}