Signing of messages is ignored. [2.1.1]

    DavidZH wrote (#1):

    I had some trouble with the personalization of a 1 MHz node in this topic. That was resolved swiftly. I chose to abandon the 1 MHz node because of a lot of "signing verification fail" in the debug. When I flashed an 8 MHz Optiboot those had vanished completely.

    Now the next one. I am testing the behavior of my nodes in different circumstances, like what happens when the GW conks out? Now I have tried to see what happens in the different signing modes.
    When both the node and gateway have keys and serials, these get exchanged and verified properly. Now I cleared the EEPROM of the node and reprogrammed a HTU21D sensor. When I have set

    #define MY_SIGNING_SOFT
    #define MY_SIGNING_REQUEST_SIGNATURES
    #define MY_SIGNING_SOFT_RANDOMSEED_PIN 7
    #define MY_SIGNING_NODE_WHITELISTING {{.nodeId = 95,.serial = {0x39,0x5D,0xFB,0x7B,0x57,0xDF,0x90,0x70,0x22}}}
    

    in the gateway, I'd expect to see rejected messages, but none of that!

    gateway debug:

    0;255;3;0;9;MCO:BGN:INIT GW,CP=RRNGAS-,VER=2.1.1
    0;255;3;0;9;TSM:INIT
    0;255;3;0;9;TSF:WUR:MS=0
    0;255;3;0;9;TSM:INIT:TSP OK
    0;255;3;0;9;TSM:INIT:GW MODE
    0;255;3;0;9;TSM:READY:ID=0,PAR=0,DIS=0
    0;255;3;0;9;MCO:REG:NOT NEEDED
    0;255;3;0;14;Gateway startup complete.
    0;255;0;0;18;2.1.1
    0;255;3;0;9;MCO:BGN:STP
    0;255;3;0;9;MCO:BGN:INIT OK,TSP=1
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:20.9
    100;1;1;0;0;20.9
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:34.8
    100;0;1;0;1;34.8
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:20.9
    100;1;1;0;0;20.9
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:34.8
    100;0;1;0;1;34.8
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:20.9
    100;1;1;0;0;20.9
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:34.7
    100;0;1;0;1;34.7
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:21.0
    100;1;1;0;0;21.0
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:34.6
    100;0;1;0;1;34.6
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:20.9
    100;1;1;0;0;20.9
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:34.8
    100;0;1;0;1;34.8
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:20.9
    100;1;1;0;0;20.9
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:34.8
    100;0;1;0;1;34.8
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:20.9
    100;1;1;0;0;20.9
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:34.8
    100;0;1;0;1;34.8
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:20.9
    100;1;1;0;0;20.9
    0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:34.8
    100;0;1;0;1;34.8
    

    node debug:

    470882 TSF:MSG:SEND,100-100-0-0,s=1,c=1,t=0,pt=7,l=5,sg=0,ft=0,st=OK:21.0
    471005 TSF:MSG:SEND,100-100-0-0,s=0,c=1,t=1,pt=7,l=5,sg=0,ft=0,st=OK:34.6
    Messages sent. Sleep.
    
    471140 MCO:SLP:MS=9523,SMS=0,I1=255,M1=255,I2=255,M2=255
    471150 MCO:SLP:TPD
    471152 MCO:SLP:WUP=-1
    Wake up.
    
    Reading sensors
    Temperature read, humidity read, temperature:	21.01	21.01	0
    humidity:		34.58	34.59	0
    heartbeat:		1	sendBatt:	2
    batt voltage:	0.0
    
    Sending...
    471377 TSF:MSG:SEND,100-100-0-0,s=1,c=1,t=0,pt=7,l=5,sg=0,ft=0,st=OK:21.0
    471500 TSF:MSG:SEND,100-100-0-0,s=0,c=1,t=1,pt=7,l=5,sg=0,ft=0,st=OK:34.6
    Messages sent. Sleep.
    
    471635 MCO:SLP:MS=9523,SMS=0,I1=255,M1=255,I2=255,M2=255
    471646 MCO:SLP:TPD
    471648 MCO:SLP:WUP=-1
    Wake up.
    
    Reading sensors
    Temperature read, humidity read, temperature:	21.00	21.01	0
    humidity:		34.65	34.58	0
    heartbeat:		2	sendBatt:	2
    batt voltage:	0.0
    
    Sending...
    471873 TSF:MSG:SEND,100-100-0-0,s=1,c=1,t=0,pt=7,l=5,sg=0,ft=0,st=OK:21.0
    471996 TSF:MSG:SEND,100-100-0-0,s=0,c=1,t=1,pt=7,l=5,sg=0,ft=0,st=OK:34.7
    Messages sent. Sleep.
    
    472131 MCO:SLP:MS=9523,SMS=0,I1=255,M1=255,I2=255,M2=255
    472141 MCO:SLP:TPD
    472143 MCO:SLP:WUP=-1
    Wake up.
    
    Reading sensors
    Temperature read, humidity read, temperature:	20.99	21.00	0
    humidity:		34.63	34.65	0
    heartbeat:		3	sendBatt:	2
    batt voltage:	0.0
    
    Sending...
    472369 TSF:MSG:SEND,100-100-0-0,s=1,c=1,t=0,pt=7,l=5,sg=0,ft=0,st=OK:21.0
    472492 TSF:MSG:SEND,100-100-0-0,s=0,c=1,t=1,pt=7,l=5,sg=0,ft=0,st=OK:34.6
    Messages sent. Sleep.
    
    472627 MCO:SLP:MS=9523,SMS=0,I1=255,M1=255,I2=255,M2=255
    472637 MCO:SLP:TPD
    

    So, how do I proceed from here? Because there will be some nodes in my setup that I would like to be signed.

      Anticimex wrote (#2):

      @DavidZH
      Hi, from what I can see, your node is not set to require signatures? At least there do not appear to be any signed messages in the log. You could try to set the verbose signing debug flag in both node and gw to see exactly what the signing backend does.
      Please remember that for a gw to require signatures, the node has to require signatures as well. Unless you set a specific flag to order the GW to require signatures from all nodes.

      Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)

        DavidZH wrote (#3):

        Ah. I had missed that. I had in my mind that when I use whitelisting in my GW, nodes without a signature would be dismissed.
        So actually I can NOT assume my nodes are untouched when the GW receives a message. If I exchange a node that uses signing for one that doesn't with the same ID number, I'd be none the wiser, but could rely on fake info... I'd say that's not what was originally intended. It makes the signing completely useless! Unless I set that flag that requires ALL nodes to sign their messages (which would be?).

        I personally think the GW should be very strict. If there is a whitelist, the GW should ignore unsigned messages from nodes, even if they are on the list. As it is now, signing is only useful between two nodes.

        I have added the verbose output for the signing: No mention of any signing action in the GW.

        0;255;3;0;9;MCO:BGN:INIT GW,CP=RRNGAS-,VER=2.1.1
        0;255;3;0;9;TSM:INIT
        0;255;3;0;9;TSF:WUR:MS=0
        0;255;3;0;9;TSM:INIT:TSP OK
        0;255;3;0;9;TSM:INIT:GW MODE
        0;255;3;0;9;TSM:READY:ID=0,PAR=0,DIS=0
        0;255;3;0;9;MCO:REG:NOT NEEDED
        0;255;3;0;14;Gateway startup complete.
        0;255;0;0;18;2.1.1
        0;255;3;0;9;MCO:BGN:STP
        0;255;3;0;9;MCO:BGN:INIT OK,TSP=1
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:21.2
        100;1;1;0;0;21.2
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:36.0
        100;0;1;0;1;36.0
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:21.1
        100;1;1;0;0;21.1
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:36.0
        100;0;1;0;1;36.0 
        

        And after rebooting the NODE:

        0;255;3;0;9;TSF:MSG:READ,100-100-255,s=255,c=3,t=7,pt=0,l=0,sg=0:
        0;255;3;0;9;TSF:MSG:BC
        0;255;3;0;9;TSF:MSG:FPAR REQ,ID=100
        0;255;3;0;9;TSF:PNG:SEND,TO=0
        0;255;3;0;9;TSF:CKU:OK
        0;255;3;0;9;TSF:MSG:GWL OK
        0;255;3;0;9;Will not sign message for destination 100 as it does not require it
        0;255;3;0;9;TSF:MSG:SEND,0-0-100-100,s=255,c=3,t=8,pt=1,l=1,sg=0,ft=0,st=OK:0
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=3,t=24,pt=1,l=1,sg=0:1
        0;255;3;0;9;TSF:MSG:PINGED,ID=100,HP=1
        0;255;3;0;9;Will not sign message for destination 100 as it does not require it
        0;255;3;0;9;TSF:MSG:SEND,0-0-100-100,s=255,c=3,t=25,pt=1,l=1,sg=0,ft=0,st=OK:1
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=3,t=15,pt=6,l=2,sg=0:0100
        0;255;3;0;9;Mark node 100 as one that do not require signed messages
        0;255;3;0;9;Mark node 100 as one that do not require whitelisting
        0;255;3;0;9;Informing node 100 that we do not require signatures
        0;255;3;0;9;Informing node 100 that we do not require whitelisting
        0;255;3;0;9;Will not sign message for destination 100 as it does not require it
        0;255;3;0;9;TSF:MSG:SEND,0-0-100-100,s=255,c=3,t=15,pt=6,l=2,sg=0,ft=0,st=OK:0100
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=0,t=17,pt=0,l=5,sg=0:2.1.1
        100;255;0;0;17;2.1.1
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=0,t=17,pt=0,l=5,sg=0:2.1.1
        100;255;0;0;17;2.1.1
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=3,t=6,pt=1,l=1,sg=0:0
        100;255;3;0;6;0
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=3,t=11,pt=0,l=17,sg=0:sys-clima-outside
        100;255;3;0;11;sys-clima-outside
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=3,t=12,pt=0,l=3,sg=0:2.0
        100;255;3;0;12;2.0
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=0,t=7,pt=0,l=0,sg=0:
        100;0;0;0;7;
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=0,t=6,pt=0,l=0,sg=0:
        100;1;0;0;6;
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=2,c=0,t=6,pt=0,l=0,sg=0:
        100;2;0;0;6;
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=3,t=26,pt=1,l=1,sg=0:2
        0;255;3;0;9;Will not sign message for destination 100 as it does not require it
        0;255;3;0;9;TSF:MSG:SEND,0-0-100-100,s=255,c=3,t=27,pt=1,l=1,sg=0,ft=0,st=OK:1
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:21.2
        100;1;1;0;0;21.2
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:35.9
        100;0;1;0;1;35.9
        0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:21.2
        100;1;1;0;0;21.2
        

        That was with a whitelist of one node (#95) with a random serial.

          Anticimex wrote (#4):

          @DavidZH well, that's why you have a flag just for your use case. Enable the flag to have your gateway require signatures from all and you have the strict gateway you seek.
          This is by design.

          Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)

            DavidZH wrote (#5):

            OK. I have no problem with signing all my nodes. Does a whitelist on the GW make any difference (as in; link nodeID and serial together. No match -> not accepted)?

              Anticimex wrote (#6):

              @DavidZH absolutely. The whitelist is used to revoke secured nodes. The typical use case is a fully secured network where you have a node compromised and want to revoke it. If someone stole your node and therefore also your hmac key they could attempt to tap into your network (also if you use an atsha and for some reason don't want to replace hmac key on all devices).
              As the serials are never transmitted OTA the attacker would have to guess a valid node id+serial match to get past the GW whitelist filter.
              Full signing documentation for 2.1.1 is here: https://ci.mysensors.org/job/Verifiers/job/MySensors/job/master/56/Doxygen_HTML/group__MySigninggrp.html

              Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
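
A way to check from the gateway debug output whether signing is actually being enforced, as discussed in this thread. This is an added example, not code from the posters or from the MySensors project. It assumes the `TSF:MSG:READ` line format shown above and a signing presentation payload of one version byte followed by a flags byte (bit 0 = requires signatures, bit 1 = requires whitelisting); the sample log is constructed and node 95's lines are made up.

```python
import re
from collections import defaultdict

C_SET = 1                     # command: sensor value report
C_INTERNAL = 3                # command: internal/protocol message
I_SIGNING_PRESENTATION = 15   # internal type carrying a node's signing preferences

# Constructed sample in the format of the gateway debug output in this thread.
# Node 100 mirrors the thread; node 95 is a made-up node that requires signing.
SAMPLE_LOG = """\
0;255;3;0;9;TSF:MSG:READ,100-100-0,s=255,c=3,t=15,pt=6,l=2,sg=0:0100
0;255;3;0;9;TSF:MSG:READ,100-100-0,s=1,c=1,t=0,pt=7,l=5,sg=0:21.2
100;1;1;0;0;21.2
0;255;3;0;9;TSF:MSG:READ,100-100-0,s=0,c=1,t=1,pt=7,l=5,sg=0:35.9
0;255;3;0;9;TSF:MSG:READ,95-95-0,s=255,c=3,t=15,pt=6,l=2,sg=0:0103
0;255;3;0;9;TSF:MSG:READ,95-95-0,s=1,c=1,t=0,pt=7,l=5,sg=1:19.5
"""

READ_RE = re.compile(
    r"TSF:MSG:READ,(?P<sender>\d+)-(?P<last>\d+)-(?P<dest>\d+),"
    r"s=(?P<s>\d+),c=(?P<c>\d+),t=(?P<t>\d+),pt=(?P<pt>\d+),"
    r"l=(?P<l>\d+),sg=(?P<sg>[01]):(?P<payload>.*)$"
)


def decode_signing_presentation(payload_hex):
    """Decode the hex payload: version byte, then flags byte (assumed layout)."""
    try:
        raw = bytes.fromhex(payload_hex.strip())
    except ValueError:
        return None
    if len(raw) < 2:
        return None
    return {
        "version": raw[0],
        "requires_signatures": bool(raw[1] & 0x01),
        "requires_whitelisting": bool(raw[1] & 0x02),
    }


def audit_gateway_log(text, gateway_id=0):
    """Per sender: what it declared, and how many readings arrived signed/unsigned."""
    nodes = defaultdict(
        lambda: {"declared": None, "unsigned_set": 0, "signed_set": 0}
    )
    for line in text.splitlines():
        m = READ_RE.search(line)
        if not m or int(m["dest"]) != gateway_id:
            continue  # controller output lines and traffic for other nodes
        node = nodes[int(m["sender"])]
        command, msg_type = int(m["c"]), int(m["t"])
        if command == C_INTERNAL and msg_type == I_SIGNING_PRESENTATION:
            node["declared"] = decode_signing_presentation(m["payload"])
        elif command == C_SET:
            key = "signed_set" if m["sg"] == "1" else "unsigned_set"
            node[key] += 1
    return dict(nodes)


def unsigned_senders(report):
    """Node IDs whose sensor readings the gateway accepted without a signature."""
    return sorted(n for n, r in report.items() if r["unsigned_set"] > 0)


if __name__ == "__main__":
    report = audit_gateway_log(SAMPLE_LOG)
    for node_id in unsigned_senders(report):
        print(f"node {node_id}: unsigned readings accepted,",
              f"declared={report[node_id]['declared']}")
```
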
