Add 4 byte MIC signature to each mesh payload.

Author: brocaar

Cargo.lock

@@ -40,6 +40,8 @@
   futures = "0.3"
   prost-types = "0.12"
   zmq = "0.10"
+  cmac = { version = "0.7" }
+  aes = { version = "0.8" }
 
 [dev-dependencies]
   zeromq = "0.3.5"
@@ -52,24 +54,24 @@
   codegen-units = 1
   panic = "abort"
 
-# Debian packaging.
-[package.metadata.deb]
-  assets = [
-    [
-      "target/release/chirpstack-gateway-mesh",
-      "usr/bin/",
-      "755",
-    ],
-    [
-      "configuration/*.toml",
-      "etc/chirpstack-gateway-mesh/",
-      "640",
-    ],
-  ]
-  conf-files = [
-    "/etc/chirpstack-gateway-mesh/chirpstack-gateway-mesh.toml",
-    "/etc/chirpstack-gateway-mesh/region_eu868.toml",
-    "/etc/chirpstack-gateway-mesh/region_us915.toml",
-  ]
-  maintainer-scripts = "packaging/debian/"
-  systemd-units = { enable = true }
+  # Debian packaging.
+  [package.metadata.deb]
+    assets = [
+      [
+        "target/release/chirpstack-gateway-mesh",
+        "usr/bin/",
+        "755",
+      ],
+      [
+        "configuration/*.toml",
+        "etc/chirpstack-gateway-mesh/",
+        "640",
+      ],
+    ]
+    conf-files = [
+      "/etc/chirpstack-gateway-mesh/chirpstack-gateway-mesh.toml",
+      "/etc/chirpstack-gateway-mesh/region_eu868.toml",
+      "/etc/chirpstack-gateway-mesh/region_us915.toml",
+    ]
+    maintainer-scripts = "packaging/debian/"
+    systemd-units = { enable = true }

Cargo.toml

@@ -1,4 +1,4 @@
-{ pkgs ? import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-23.11.tar.gz") {} }:
+{ pkgs ? import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz") {} }:
 
 pkgs.mkShell {
   buildInputs = [

shell.nix

@@ -0,0 +1,97 @@
+use std::fmt;
+use std::str::FromStr;
+
+use anyhow::{Error, Result};
+use serde::{
+    de::{self, Visitor},
+    Deserialize, Deserializer, Serialize, Serializer,
+};
+
+#[derive(Copy, Clone, PartialEq, Eq, Default)]
+pub struct Aes128Key([u8; 16]);
+
+impl Aes128Key {
+    pub fn null() -> Self {
+        Aes128Key([0; 16])
+    }
+
+    pub fn from_slice(b: &[u8]) -> Result<Self, Error> {
+        if b.len() != 16 {
+            return Err(anyhow!("16 bytes are expected"));
+        }
+
+        let mut bb: [u8; 16] = [0; 16];
+        bb.copy_from_slice(b);
+
+        Ok(Aes128Key(bb))
+    }
+
+    pub fn from_bytes(b: [u8; 16]) -> Self {
+        Aes128Key(b)
+    }
+
+    pub fn to_bytes(&self) -> [u8; 16] {
+        self.0
+    }
+
+    pub fn to_vec(&self) -> Vec<u8> {
+        self.0.to_vec()
+    }
+}
+
+impl fmt::Display for Aes128Key {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", hex::encode(self.0))
+    }
+}
+
+impl fmt::Debug for Aes128Key {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        write!(f, "{}", hex::encode(self.0))
+    }
+}
+
+impl FromStr for Aes128Key {
+    type Err = Error;
+
+    fn from_str(s: &str) -> Result<Self, Self::Err> {
+        let mut bytes: [u8; 16] = [0; 16];
+        hex::decode_to_slice(s, &mut bytes)?;
+        Ok(Aes128Key(bytes))
+    }
+}
+
+impl Serialize for Aes128Key {
+    fn serialize<S>(&self, serializer: S) -> Result<S::Ok, S::Error>
+    where
+        S: Serializer,
+    {
+        serializer.serialize_str(&self.to_string())
+    }
+}
+
+impl<'de> Deserialize<'de> for Aes128Key {
+    fn deserialize<D>(deserializer: D) -> Result<Self, D::Error>
+    where
+        D: Deserializer<'de>,
+    {
+        deserializer.deserialize_str(Aes128KeyVisitor)
+    }
+}
+
+struct Aes128KeyVisitor;
+
+impl<'de> Visitor<'de> for Aes128KeyVisitor {
+    type Value = Aes128Key;
+
+    fn expecting(&self, formatter: &mut fmt::Formatter) -> fmt::Result {
+        formatter.write_str("A hex encoded AES key of 128 bit is expected")
+    }
+
+    fn visit_str<E>(self, value: &str) -> Result<Self::Value, E>
+    where
+        E: de::Error,
+    {
+        Aes128Key::from_str(value).map_err(|e| E::custom(format!("{}", e)))
+    }
+}

src/aes128.rs

@@ -25,6 +25,11 @@ pub fn run() {
 
 # Mesh configuration.
 [mesh]
+  # Signing key (AES128, HEX encoded).
+  #
+  # This key is used to sign and validate each mesh packet. This key must be
+  # configured on every Border / Relay gateway equally.
+  signing_key="{{ mesh.signing_key }}"
 
   # Border Gateway.
   #

src/cmd/configfile.rs

@@ -6,6 +6,8 @@ use once_cell::sync::OnceCell;
 use serde::de::Error;
 use serde::{Deserialize, Deserializer, Serialize, Serializer};
 
+use crate::aes128::Aes128Key;
+
 static CONFIG: OnceCell<Mutex<Arc<Configuration>>> = OnceCell::new();
 
 #[derive(Serialize, Deserialize, Default)]
@@ -48,6 +50,7 @@ impl Default for Logging {
 #[derive(Serialize, Deserialize)]
 #[serde(default)]
 pub struct Mesh {
+    pub signing_key: Aes128Key,
     pub frequencies: Vec<u32>,
     pub data_rate: DataRate,
     pub tx_power: i32,
@@ -61,6 +64,7 @@ pub struct Mesh {
 impl Default for Mesh {
     fn default() -> Self {
         Mesh {
+            signing_key: Aes128Key::null(),
             frequencies: vec![868100000, 868300000, 868500000],
             data_rate: DataRate {
                 modulation: Modulation::LORA,

src/config.rs

@@ -1,6 +1,7 @@
 #[macro_use]
 extern crate anyhow;
 
+pub mod aes128;
 pub mod backend;
 pub mod cache;
 pub mod cmd;

src/lib.rs

@@ -36,7 +36,12 @@ pub async fn handle_uplink(border_gateway: bool, pl: gw::UplinkFrame) -> Result<
 
 // Handle Proprietary LoRaWAN payload (mesh encapsulated).
 pub async fn handle_mesh(border_gateway: bool, pl: gw::UplinkFrame) -> Result<()> {
+    let conf = config::get();
     let packet = MeshPacket::from_slice(&pl.phy_payload)?;
+    if !packet.validate_mic(conf.mesh.signing_key)? {
+        warn!("Dropping packet, invalid MIC, mesh_packet: {}", packet);
+        return Ok(());
+    }
 
     // If we can't add the packet to the cache, it means we have already seen the packet and we can
     // drop it.
@@ -205,6 +210,7 @@ async fn relay_mesh_packet(_: &gw::UplinkFrame, mut packet: MeshPacket) -> Resul
 
     // Increment hop count.
     packet.mhdr.hop_count += 1;
+    packet.set_mic(conf.mesh.signing_key)?;
 
     if packet.mhdr.hop_count > conf.mesh.max_hop_count {
         return Err(anyhow!("Max hop count exceeded"));
@@ -256,7 +262,7 @@ async fn relay_uplink_lora_packet(pl: &gw::UplinkFrame) -> Result<()> {
         .as_ref()
         .ok_or_else(|| anyhow!("modulation is None"))?;
 
-    let packet = MeshPacket {
+    let mut packet = MeshPacket {
         mhdr: MHDR {
             payload_type: PayloadType::Uplink,
             hop_count: 1,
@@ -272,7 +278,9 @@ async fn relay_uplink_lora_packet(pl: &gw::UplinkFrame) -> Result<()> {
             relay_id: backend::get_relay_id().await?,
             phy_payload: pl.phy_payload.clone(),
         }),
+        mic: None,
     };
+    packet.set_mic(conf.mesh.signing_key)?;
 
     let pl = gw::DownlinkFrame {
         downlink_id: random(),
@@ -345,7 +353,7 @@ async fn relay_downlink_lora_packet(pl: &gw::DownlinkFrame) -> Result<gw::Downli
             .get(CTX_PREFIX.len()..CTX_PREFIX.len() + 6)
             .ok_or_else(|| anyhow!("context does not contain enough bytes"))?;
 
-        let packet = packets::MeshPacket {
+        let mut packet = packets::MeshPacket {
             mhdr: packets::MHDR {
                 payload_type: packets::PayloadType::Downlink,
                 hop_count: 1,
@@ -369,7 +377,9 @@ async fn relay_downlink_lora_packet(pl: &gw::DownlinkFrame) -> Result<gw::Downli
                     delay,
                 },
             }),
+            mic: None,
         };
+        packet.set_mic(conf.mesh.signing_key)?;
 
         let pl = gw::DownlinkFrame {
             downlink_id: pl.downlink_id,