First successful HMAC verification

2025-04-24 23:07:19 +00:00 · 2024-10-21 00:06:01 +02:00 · 2024-10-21 00:06:01 +02:00 · f3429a6c93
commit f3429a6c93
parent be997aa755
5 changed files with 62 additions and 41 deletions
--- a/wled00/crypto.cpp
+++ b/wled00/crypto.cpp
@ -34,12 +34,12 @@ void hmacSign(const byte* message, size_t msgLen, const char* pskHex, byte* sign
 bool hmacVerify(const byte* message, size_t msgLen, const char* pskHex, const byte* signature) {
  byte sigCalculated[SHA256HMAC_SIZE];
  hmacSign(message, msgLen, pskHex, sigCalculated);
+  Serial.print(F("Calculated: "));
+  printByteArray(sigCalculated, SHA256HMAC_SIZE);
  if (memcmp(sigCalculated, signature, SHA256HMAC_SIZE) != 0) {
-    DEBUG_PRINTLN(F("HMAC verification failed!"));
+    Serial.println(F("HMAC verification failed!"));
    Serial.print(F("Expected: "));
    printByteArray(signature, SHA256HMAC_SIZE);
-    Serial.print(F("Calculated: "));
-    printByteArray(sigCalculated, SHA256HMAC_SIZE);
    return false;
  }
  Serial.println(F("HMAC verification successful!"));
@ -49,71 +49,89 @@ bool hmacVerify(const byte* message, size_t msgLen, const char* pskHex, const by
 #define WLED_HMAC_TEST_PW "guessihadthekeyafterall"
 #define WLED_HMAC_TEST_PSK "a6f8488da62c5888d7f640276676e78da8639faf0495110b43e226b35ac37a4c"

+bool verifyHmacFromJsonString0Term(byte* jsonStr, size_t len) {
+  // Zero-terminate the JSON string (replace the last character, usually '}', with a null terminator temporarily)
+  char lastChar = jsonStr[len-1];
+  jsonStr[len-1] = '\0';
+  bool result = verifyHmacFromJsonStr((const char*)jsonStr, len);
+  jsonStr[len-1] = lastChar;
+  return result;
+}
+
 bool verifyHmacFromJsonStr(const char* jsonStr, uint32_t maxLen) {
  // Extract the signature from the JSON string
  size_t jsonLen = strlen(jsonStr);
+  Serial.print(F("Length: "));
+  Serial.println(jsonLen);
  if (jsonLen > maxLen) { // memory safety
-    Serial.println(F("JSON string too long!"));
-    Serial.print(F("Length: "));
-    Serial.print(jsonLen);
+    Serial.print(F("JSON string too long!"));
    Serial.print(F(", max: "));
    Serial.println(maxLen);
    return false;
  }
  Serial.print(F("Received JSON: "));
  Serial.println(jsonStr);
-  char* sigPos = strstr(jsonStr, PSTR("\"sig\":\""));
-  if (sigPos == nullptr) {
-    Serial.println(F("No signature found in JSON."));
+  
+  char* macPos = strstr(jsonStr, "\"mac\":\"");
+  if (macPos == nullptr) {
+    Serial.println(F("No MAC found in JSON."));
    return false;
  }
  StaticJsonDocument<256> doc;
-  DeserializationError error = deserializeJson(doc, jsonStr +7);
+  DeserializationError error = deserializeJson(doc, macPos +6);
  if (error) {
    Serial.print(F("deserializeJson() failed: "));
    Serial.println(error.c_str());
    return false;
  }
-  const char* sig = doc.as<const char*>();
-  if (sig == nullptr) {
-    Serial.println(F("Failed signature JSON."));
+  const char* mac = doc.as<const char*>();
+  if (mac == nullptr) {
+    Serial.println(F("Failed MAC JSON."));
    return false;
  }
-  Serial.print(F("Received signature: "));
-  Serial.println(sig);
+  Serial.print(F("Received MAC: "));
+  Serial.println(mac);

  // extract the message object from the JSON string
-  char* msgPos = strstr(jsonStr, PSTR("\"msg\":\""));
-  char* objStart = strchr(msgPos + 7, '{');
+  char* msgPos = strstr(jsonStr, "\"msg\":");
+  char* objStart = strchr(msgPos + 6, '{');
+  if (objStart == nullptr) {
+    Serial.println(F("Couldn't find msg object start."));
+    return false;
+  }
  size_t maxObjLen = jsonLen - (objStart - jsonStr);
-  uint32_t objDepth = 0;
+  Serial.print(F("Max object length: ")); Serial.println(maxObjLen);
+  int32_t objDepth = 0;
  char* objEnd = nullptr;

  for (size_t i = 0; i < maxObjLen; i++) {
+    Serial.write(objStart[i]);
    if (objStart[i] == '{') objDepth++;
-    if (objStart [i] == '}') objDepth--;
+    if (objStart[i] == '}') objDepth--;
    if (objDepth == 0) {
+      Serial.print(F("Found msg object end: "));
+      Serial.println(i);
      objEnd = objStart + i;
      break;
    }
-    i++;
+    //i++;
  }
  if (objEnd == nullptr) {
    Serial.println(F("Couldn't find msg object end."));
    return false;
  }

-  // Convert the signature from hex string to byte array
-  size_t len = strlen(sig) / 2; // This will drop the last character if the string has an odd length
+  // Convert the MAC from hex string to byte array
+  size_t len = strlen(mac) / 2; // This will drop the last character if the string has an odd length
  if (len != SHA256HMAC_SIZE) {
-    Serial.println(F("Received sig not expected size!"));
+    Serial.println(F("Received MAC not expected size!"));
    return false;
  }
-  unsigned char sigByteArray[len];
-  hexStringToByteArray(sig, sigByteArray, len);
+  unsigned char macByteArray[len];
+  hexStringToByteArray(mac, macByteArray, len);

  // Calculate the HMAC of the message object
-  return hmacVerify((const byte*)objStart, objEnd - objStart + 1, WLED_HMAC_TEST_PSK, sigByteArray);
+  return hmacVerify((const byte*)objStart, objEnd - objStart + 1, WLED_HMAC_TEST_PSK, macByteArray);
 }

 bool hmacTest() {
@ -121,17 +139,17 @@ bool hmacTest() {
  unsigned long start = millis();
  const char message[] = "Hello, World!";
  const char psk[] = "d0c0ffeedeadbeef";
-  byte signature[SHA256HMAC_SIZE];
-  hmacSign((const byte*)message, strlen(message), psk, signature);
+  byte mac[SHA256HMAC_SIZE];
+  hmacSign((const byte*)message, strlen(message), psk, mac);
  Serial.print(F("Took "));
  Serial.print(millis() - start);
  Serial.println(F("ms to sign message."));
-  Serial.print(F("Signature: "));
-  printByteArray(signature, SHA256HMAC_SIZE);
+  Serial.print(F("MAC: "));
+  printByteArray(mac, SHA256HMAC_SIZE);
  start = millis();
-  bool result = hmacVerify((const byte*)message, strlen(message), psk, signature);
+  bool result = hmacVerify((const byte*)message, strlen(message), psk, mac);
  Serial.print(F("Took "));
  Serial.print(millis() - start);
-  Serial.println(F("ms to verify signature."));
+  Serial.println(F("ms to verify MAC."));
  return result;
 }
--- a/wled00/data/index.js
+++ b/wled00/data/index.js
@ -326,7 +326,7 @@ function handleWindowMessageEvent(event) {
 		sraWindow = event.source;
 		sraOrigin = event.origin;
 	} else if (json['wled-rc'] === 'hmac') {
-		console.log(`Received HMAC: ${json['sig']}`);
+		console.log(`Received HMAC: ${json['mac']}`);
 		requestJson(json);
 	}
 }
@ -1743,8 +1743,8 @@ function requestJson(command=null)
 		if (req.length >  500 && lastinfo && lastinfo.arch == "esp8266") useWs = false; // esp8266 can only handle 500 bytes
 	};

-	if (command && useSRA && !command['sig']) { // secure remote access integration, need to get HMAC from rc.wled.me
-		// if we already have a command including a signature, we are good to go
+	if (command && useSRA && !command['mac']) { // secure remote access integration, need to get HMAC from rc.wled.me
+		// if we already have a command including a MAC, we are good to go
 		sraWindow.postMessage(JSON.stringify({"wled-ui":"hmac-req", "msg":command}), sraOrigin);
 		return; // TODO need a sort of pending indicator
 	}
--- a/wled00/fcn_declare.h
+++ b/wled00/fcn_declare.h
@ -99,6 +99,7 @@ void setRandomColor(byte* rgb);
 void hmacSign(const byte* message, size_t msgLen, const char* pskHex, byte* signature);
 bool hmacVerify(const byte* message, size_t msgLen, const char* pskHex, const byte* signature);
 bool verifyHmacFromJsonStr(const char* jsonStr, uint32_t maxLen);
+bool verifyHmacFromJsonString0Term(byte* jsonStr, size_t len);
 bool hmacTest();

 //dmx.cpp
--- a/wled00/wled_server.cpp
+++ b/wled00/wled_server.cpp
@ -289,7 +289,7 @@ void initServer()

    Serial.println("JSON request");
    Serial.println((const char*)request->_tempObject);
-    if (!verifyHmacFromJsonStr((const char*)request->_tempObject, request->contentLength())) {
+    if (!verifyHmacFromJsonString0Term((byte*)request->_tempObject, request->contentLength())) {
      //releaseJSONBufferLock();
      serveJsonError(request, 401, ERR_DENIED);
      return;
--- a/wled00/ws.cpp
+++ b/wled00/ws.cpp
@ -43,8 +43,10 @@ void wsEvent(AsyncWebSocket * server, AsyncWebSocketClient * client, AwsEventTyp

        Serial.print(F("WS message: "));
        Serial.println((const char*)data);
+        verifyHmacFromJsonString0Term(data, len);

        DeserializationError error = deserializeJson(*pDoc, data, len);
+        verifyHmacFromJsonString0Term(data, len);
        JsonObject root = pDoc->as<JsonObject>();
        if (error || root.isNull()) {
          releaseJSONBufferLock();
@ -56,11 +58,11 @@ void wsEvent(AsyncWebSocket * server, AsyncWebSocketClient * client, AwsEventTyp
        } else if (root.containsKey("lv")) {
          wsLiveClientId = root["lv"] ? client->id() : 0;
        } else {
-          if (!verifyHmacFromJsonStr((const char*)data, len)) {
-            releaseJSONBufferLock();
-            client->text(F("{\"error\":1}")); // ERR_DENIED
-            return;
-          }
+          // if (!verifyHmacFromJsonString0Term(data, len)) {
+          //   releaseJSONBufferLock();
+          //   client->text(F("{\"error\":1}")); // ERR_DENIED
+          //   return;
+          // }
          verboseResponse = deserializeState(root["msg"]);
        }
        releaseJSONBufferLock();