Bug Summary

File:epan/dissectors/packet-knxip_decrypt.c
Warning:line 808, column 3
Opened stream never closed. Potential resource leak

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-pc-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name packet-knxip_decrypt.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -fhalf-no-semantic-interposition -fno-delete-null-pointer-checks -mframe-pointer=all -relaxed-aliasing -fmath-errno -ffp-contract=on -fno-rounding-math -ffloat16-excess-precision=fast -fbfloat16-excess-precision=fast -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fdebug-compilation-dir=/builds/wireshark/wireshark/build -fcoverage-compilation-dir=/builds/wireshark/wireshark/build -resource-dir /usr/lib/llvm-21/lib/clang/21 -isystem /usr/include/glib-2.0 -isystem /usr/lib/x86_64-linux-gnu/glib-2.0/include -isystem /builds/wireshark/wireshark/epan/dissectors -isystem /builds/wireshark/wireshark/build/epan/dissectors -isystem /usr/include/mit-krb5 -isystem /usr/include/libxml2 -isystem /builds/wireshark/wireshark/epan -D G_DISABLE_DEPRECATED -D G_DISABLE_SINGLE_INCLUDES -D WS_BUILD_DLL -D WS_DEBUG -D WS_DEBUG_UTF_8 -I /builds/wireshark/wireshark/build -I /builds/wireshark/wireshark -I /builds/wireshark/wireshark/include -D _GLIBCXX_ASSERTIONS -internal-isystem /usr/lib/llvm-21/lib/clang/21/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-linux-gnu/14/../../../../x86_64-linux-gnu/include -internal-externc-isystem /usr/include/x86_64-linux-gnu -internal-externc-isystem /include -internal-externc-isystem /usr/include -fmacro-prefix-map=/builds/wireshark/wireshark/= -fmacro-prefix-map=/builds/wireshark/wireshark/build/= -fmacro-prefix-map=../= -Wno-format-nonliteral -std=gnu11 -ferror-limit 19 -fvisibility=hidden -fwrapv -fwrapv-pointer -fstrict-flex-arrays=3 -stack-protector 2 -fstack-clash-protection -fcf-protection=full -fgnuc-version=4.2.1 -fskip-odr-check-in-gmf -fexceptions -fcolor-diagnostics -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /builds/wireshark/wireshark/sbout/2025-12-17-100330-3573-1 -x c /builds/wireshark/wireshark/epan/dissectors/packet-knxip_decrypt.c
1/* packet-knxip_decrypt.c
2 * Decryption keys and decryption functions for KNX/IP Dissector
3 * Copyright 2018, ise GmbH <Ralf.Nasilowski@ise.de>
4 *
5 * Wireshark - Network traffic analyzer
6 * By Gerald Combs <gerald@wireshark.org>
7 * Copyright 1998 Gerald Combs
8 *
9 * SPDX-License-Identifier: GPL-2.0-or-later
10 */
11
12#include "config.h"
13
14#define WS_LOG_DOMAIN"packet-knxip" "packet-knxip"
15
16#include <wsutil/file_util.h>
17#include <epan/proto.h>
18#include "packet-knxip_decrypt.h"
19#include <epan/wmem_scopes.h>
20#include <wsutil/wsgcrypt.h>
21#include <wsutil/strtoi.h>
22#include <wsutil/wslog.h>
23#include <wsutil/inet_addr.h>
24#include <libxml/tree.h>
25#include <libxml/parser.h>
26#include <libxml/xpath.h>
27
28#define TEXT_BUFFER_SIZE128 128
29
30#define IPA_SIZE4 4 // = size of IPv4 address
31
32#define BASE64_KNX_KEY_LENGTH24 24 // = length of base64 encoded KNX key
33
34struct knx_keyring_mca_keys* knx_keyring_mca_keys;
35struct knx_keyring_ga_keys* knx_keyring_ga_keys;
36struct knx_keyring_ga_senders* knx_keyring_ga_senders;
37struct knx_keyring_ia_keys* knx_keyring_ia_keys;
38struct knx_keyring_ia_seqs* knx_keyring_ia_seqs;
39
40// Encrypt 16-byte block via AES
41static bool_Bool encrypt_block( const uint8_t key[ KNX_KEY_LENGTH16 ], const uint8_t plain[ KNX_KEY_LENGTH16 ], uint8_t p_crypt[ KNX_KEY_LENGTH16 ] )
42{
43 gcry_cipher_hd_t cryptor = NULL((void*)0);
44 gcry_error_t err;
45 err = gcry_cipher_open( &cryptor, GCRY_CIPHER_AES128GCRY_CIPHER_AES, GCRY_CIPHER_MODE_CBC, 0 );
46 if (err != 0) {
47 ws_debug("failed to open AES128 cipher handle: %s/%s", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-knxip", LOG_LEVEL_DEBUG, "epan/dissectors/packet-knxip_decrypt.c"
, 47, __func__, "failed to open AES128 cipher handle: %s/%s",
gcry_strsource(err), gcry_strerror(err)); } } while (0);
48 return false0;
49 }
50 err = gcry_cipher_setkey( cryptor, key, KNX_KEY_LENGTH16 );
51 if (err != 0) {
52 ws_debug("failed to set AES128 cipher key: %s/%s", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-knxip", LOG_LEVEL_DEBUG, "epan/dissectors/packet-knxip_decrypt.c"
, 52, __func__, "failed to set AES128 cipher key: %s/%s", gcry_strsource
(err), gcry_strerror(err)); } } while (0);
53 gcry_cipher_close( cryptor );
54 return false0;
55 }
56 err = gcry_cipher_encrypt( cryptor, p_crypt, KNX_KEY_LENGTH16, plain, KNX_KEY_LENGTH16 );
57 if (err != 0) {
58 ws_debug("failed to encrypt AES128: %s/%s", gcry_strsource(err), gcry_strerror(err))do { if (1) { ws_log_full("packet-knxip", LOG_LEVEL_DEBUG, "epan/dissectors/packet-knxip_decrypt.c"
, 58, __func__, "failed to encrypt AES128: %s/%s", gcry_strsource
(err), gcry_strerror(err)); } } while (0);
59 gcry_cipher_close( cryptor );
60 return false0;
61 }
62 gcry_cipher_close( cryptor );
63 return true1;
64}
65
66// Create B_0 for CBC-MAC
67static void build_b0( uint8_t p_result[ KNX_KEY_LENGTH16 ], const uint8_t* nonce, uint8_t nonce_length )
68{
69 DISSECTOR_ASSERT( nonce_length <= KNX_KEY_LENGTH )((void) ((nonce_length <= 16) ? (void)0 : (proto_report_dissector_bug
("%s:%u: failed assertion \"%s\"", "epan/dissectors/packet-knxip_decrypt.c"
, 69, "nonce_length <= 16"))));
70 if( nonce_length ) memcpy( p_result, nonce, nonce_length );
71 memset( p_result + nonce_length, 0, KNX_KEY_LENGTH16 - nonce_length );
72}
73
74// Create Ctr_0 for CCM encryption/decryption
75static void build_ctr0( uint8_t p_result[ KNX_KEY_LENGTH16 ], const uint8_t* nonce, uint8_t nonce_length )
76{
77 build_b0( p_result, nonce, nonce_length );
78 p_result[ KNX_KEY_LENGTH16 - 2 ] = 0xFF;
79}
80
81// Calculate MAC for KNX IP Security or KNX Data Security
82void knx_ccm_calc_cbc_mac(uint8_t p_mac[ KNX_KEY_LENGTH16 ], const uint8_t key[ KNX_KEY_LENGTH16 ],
83 const uint8_t* a_bytes, int a_length, const uint8_t* p_bytes, int p_length,
84 const uint8_t b_0[ KNX_KEY_LENGTH16 ] )
85{
86 uint8_t plain[ KNX_KEY_LENGTH16 ];
87 uint8_t b_pos;
88
89 // Add B_0
90 memcpy( plain, b_0, KNX_KEY_LENGTH16 );
91 if (!encrypt_block( key, plain, p_mac )) {
92 memset(p_mac, 0, KNX_KEY_LENGTH16);
93 return;
94 }
95
96 // Add a_length
97 plain[ 0 ] = (uint8_t) ((a_length >> 8) ^ p_mac[ 0 ]);
98 plain[ 1 ] = (uint8_t) ((a_length & 0xFF) ^ p_mac[ 1 ]);
99 b_pos = 2;
100
101 // Add a_bytes directly followed by p_bytes
102 while( a_length || p_length )
103 {
104 while( a_length && b_pos < KNX_KEY_LENGTH16 )
105 {
106 plain[ b_pos ] = *a_bytes++ ^ p_mac[ b_pos ];
107 --a_length;
108 ++b_pos;
109 }
110
111 while( p_length && b_pos < KNX_KEY_LENGTH16 )
112 {
113 plain[ b_pos ] = *p_bytes++ ^ p_mac[ b_pos ];
114 --p_length;
115 ++b_pos;
116 }
117
118 while( b_pos < KNX_KEY_LENGTH16 )
119 {
120 plain[ b_pos ] = p_mac[ b_pos ];
121 ++b_pos;
122 }
123
124 if (!encrypt_block( key, plain, p_mac )) {
125 memset(p_mac, 0, KNX_KEY_LENGTH16);
126 return;
127 }
128
129 b_pos = 0;
130 }
131}
132
133// Calculate MAC for KNX IP Security, using 6-byte Sequence ID
134void knxip_ccm_calc_cbc_mac( uint8_t p_mac[ KNX_KEY_LENGTH16 ], const uint8_t key[ KNX_KEY_LENGTH16 ],
135 const uint8_t* a_bytes, int a_length, const uint8_t* p_bytes, int p_length,
136 const uint8_t* nonce, uint8_t nonce_length )
137{
138 uint8_t b_0[ KNX_KEY_LENGTH16 ];
139 build_b0( b_0, nonce, nonce_length );
140 b_0[ KNX_KEY_LENGTH16 - 2 ] = (uint8_t) (p_length >> 8);
141 b_0[ KNX_KEY_LENGTH16 - 1 ] = (uint8_t) (p_length & 0xFF);
142 knx_ccm_calc_cbc_mac( p_mac, key, a_bytes, a_length, p_bytes, p_length, b_0 );
143}
144
145// Encrypt for KNX IP Security or KNX Data Security
146uint8_t* knx_ccm_encrypt(wmem_allocator_t* scope, uint8_t* p_result, const uint8_t key[ KNX_KEY_LENGTH16 ], const uint8_t* p_bytes, int p_length,
147 const uint8_t* mac, uint8_t mac_length, const uint8_t ctr_0[ KNX_KEY_LENGTH16 ], uint8_t s0_bytes_used_for_mac )
148{
149 if( p_length >= 0 && !(p_length && !p_bytes) )
150 {
151 // NB: mac_length = 16 (for IP Security), or 4 (for Data Security)
152
153 uint8_t* result = p_result ? p_result : (uint8_t*) wmem_alloc(scope, p_length + mac_length );
154
155 uint8_t* dest = result;
156
157 uint8_t ctr[ KNX_KEY_LENGTH16 ];
158 uint8_t mask[ KNX_KEY_LENGTH16 ];
159 uint8_t mask_0[ KNX_KEY_LENGTH16 ];
160 uint8_t b_pos;
161
162 // Encrypt ctr_0 for mac
163 memcpy( ctr, ctr_0, KNX_KEY_LENGTH16 );
164 if (!encrypt_block( key, ctr, mask_0 )) {
165 return NULL((void*)0);
166 }
167
168 // Encrypt p_bytes with rest of S_0, only if mac_length < 16.
169 b_pos = s0_bytes_used_for_mac;
170 while (p_length && b_pos < KNX_KEY_LENGTH16 )
171 {
172 *dest++ = mask_0[b_pos++] ^ *p_bytes++;
173 --p_length;
174 }
175
176 // Encrypt p_bytes
177 while( p_length )
178 {
179 // Increment and encrypt ctr
180 ++ctr[ KNX_KEY_LENGTH16 - 1 ];
181 if (!encrypt_block( key, ctr, mask )) {
182 return NULL((void*)0);
183 }
184
185 // Encrypt input block via encrypted ctr
186 b_pos = 0;
187 while( p_length && b_pos < KNX_KEY_LENGTH16 )
188 {
189 *dest++ = mask[ b_pos++] ^ *p_bytes++;
190 --p_length;
191 }
192 }
193
194 if( mac )
195 {
196 if( mac_length > KNX_KEY_LENGTH16 )
197 {
198 mac_length = KNX_KEY_LENGTH16;
199 }
200
201 // Encrypt and append mac
202 b_pos = 0;
203 while( mac_length )
204 {
205 *dest++ = mask_0[ b_pos++] ^ *mac++;
206 --mac_length;
207 }
208 }
209
210 return result;
211 }
212
213 return NULL((void*)0);
214}
215
216// Encrypt for KNX IP Security (with 16-byte MAC and Nonce based on 6-byte Sequence ID)
217uint8_t* knxip_ccm_encrypt(wmem_allocator_t* scope, uint8_t* p_result, const uint8_t key[ KNX_KEY_LENGTH16 ], const uint8_t* p_bytes, int p_length,
218 const uint8_t mac[KNX_KEY_LENGTH16], const uint8_t* nonce, uint8_t nonce_length )
219{
220 uint8_t ctr_0[ KNX_KEY_LENGTH16 ];
221 build_ctr0( ctr_0, nonce, nonce_length );
222 return knx_ccm_encrypt(scope, p_result, key, p_bytes, p_length, mac, KNX_KEY_LENGTH16, ctr_0, KNX_KEY_LENGTH16 );
223}
224
225// Decrypt for KNX-IP Security (with 16-byte MAC and Nonce based on 6-byte Sequence ID)
226uint8_t* knxip_ccm_decrypt(wmem_allocator_t* scope, uint8_t* p_result, const uint8_t key[ KNX_KEY_LENGTH16 ], const uint8_t* crypt, int crypt_length,
227 const uint8_t* nonce, uint8_t nonce_length )
228{
229 int p_length = crypt_length - KNX_KEY_LENGTH16;
230 uint8_t ctr_0[ KNX_KEY_LENGTH16 ];
231 build_ctr0( ctr_0, nonce, nonce_length );
232 return knx_ccm_encrypt(scope, p_result, key, crypt, p_length, crypt + p_length, KNX_KEY_LENGTH16, ctr_0, KNX_KEY_LENGTH16 );
233}
234
235static void fprintf_hex( FILE* f, const uint8_t* data, uint8_t length )
236{
237 for( ; length; --length ) fprintf( f, " %02X", *data++ );
238 fputc( '\n', f );
239}
240
241static void clear_keyring_data( void )
242{
243 while( knx_keyring_mca_keys )
244 {
245 struct knx_keyring_mca_keys* mca_key = knx_keyring_mca_keys;
246 knx_keyring_mca_keys = mca_key->next;
247 wmem_free( wmem_epan_scope(), mca_key );
248 }
249
250 while( knx_keyring_ga_keys )
251 {
252 struct knx_keyring_ga_keys* ga_key = knx_keyring_ga_keys;
253 knx_keyring_ga_keys = ga_key->next;
254 wmem_free( wmem_epan_scope(), ga_key );
255 }
256
257 while( knx_keyring_ga_senders )
258 {
259 struct knx_keyring_ga_senders* ga_sender = knx_keyring_ga_senders;
260 knx_keyring_ga_senders = ga_sender->next;
261 wmem_free( wmem_epan_scope(), ga_sender );
262 }
263
264 while( knx_keyring_ia_keys )
265 {
266 struct knx_keyring_ia_keys* ia_key = knx_keyring_ia_keys;
267 knx_keyring_ia_keys = ia_key->next;
268 wmem_free( wmem_epan_scope(), ia_key );
269 }
270
271 while( knx_keyring_ia_seqs )
272 {
273 struct knx_keyring_ia_seqs* ia_seq = knx_keyring_ia_seqs;
274 knx_keyring_ia_seqs = ia_seq->next;
275 wmem_free( wmem_epan_scope(), ia_seq );
276 }
277}
278
279// Read IP address
280static void read_ip_addr( uint8_t result[ 4 ], const char* text )
281{
282 ws_in4_addr value = 0;
283 if( ws_inet_pton4( text, &value ) )
284 memcpy( result, &value, 4 );
285 else
286 memset( result, 0, 4 );
287}
288
289// Read KNX group address
290static uint16_t read_ga( const char* text )
291{
292 unsigned a[ 3 ];
293 int n = sscanf( text, "%u/%u/%u", a, a + 1, a + 2 );
294 return
295 (n == 1) ? (uint16_t) a[ 0 ] :
296 (n == 2) ? (uint16_t) ((a[ 0 ] << 11) | a[ 1 ]) :
297 (n == 3) ? (uint16_t) ((a[ 0 ] << 11) | (a[ 1 ] << 8) | a[ 2 ]) :
298 0;
299}
300
301// Read KNX individual address
302static uint16_t read_ia( const char* text )
303{
304 unsigned a[ 3 ];
305 int n = sscanf( text, "%u.%u.%u", a, a + 1, a + 2 );
306 return
307 (n == 1) ? (uint16_t) a[ 0 ] :
308 (n == 2) ? (uint16_t) ((a[ 0 ] << 8) | a[ 1 ]) :
309 (n == 3) ? (uint16_t) ((a[ 0 ] << 12) | (a[ 1 ] << 8) | a[ 2 ]) :
310 0;
311}
312
313// Read 6-byte sequence number from decimal representation
314static uint64_t read_seq( const char* text )
315{
316 uint64_t result;
317 return ws_strtou64( text, NULL((void*)0), &result ) ? result : 0;
318}
319
320// Decrypt key
321static void decrypt_key( uint8_t key[] _U___attribute__((unused)), uint8_t password_hash[] _U___attribute__((unused)), uint8_t created_hash[] _U___attribute__((unused)) )
322{
323 // TODO: decrypt as AES128-CBC(key, password_hash, created_hash)
324}
325
326// Decode and decrypt key
327static void decode_and_decrypt_key( uint8_t key[ BASE64_KNX_KEY_LENGTH24 + 1 ], const char* text, uint8_t password_hash[], uint8_t created_hash[] )
328{
329 size_t out_len;
330 snprintf( (char*) key, BASE64_KNX_KEY_LENGTH24 + 1, "%s", text );
331 g_base64_decode_inplace( (char*) key, &out_len );
332 decrypt_key( key, password_hash, created_hash );
333}
334
335// Add MCA <-> key association
336static void add_mca_key( const uint8_t mca[ IPA_SIZE4 ], const char* text, uint8_t password_hash[], uint8_t created_hash[], FILE* f2 )
337{
338 int text_length = (int) strlen( text );
339
340 if( text_length == BASE64_KNX_KEY_LENGTH24 )
341 {
342 uint8_t key[ BASE64_KNX_KEY_LENGTH24 + 1 ];
343 struct knx_keyring_mca_keys** mca_keys_next;
344 struct knx_keyring_mca_keys* mca_key;
345
346 decode_and_decrypt_key( key, text, password_hash, created_hash );
347
348 mca_keys_next = &knx_keyring_mca_keys;
349
350 while( (mca_key = *mca_keys_next) != NULL((void*)0) )
351 {
352 if( memcmp( mca_key->mca, mca, IPA_SIZE4 ) == 0 )
353 {
354 if( memcmp( mca_key->key, key, KNX_KEY_LENGTH16 ) == 0 )
355 {
356 return;
357 }
358 }
359
360 mca_keys_next = &mca_key->next;
361 }
362
363 if( f2 )
364 {
365 fprintf( f2, "MCA %u.%u.%u.%u key", mca[ 0 ], mca[ 1 ], mca[ 2 ], mca[ 3 ] );
366 fprintf_hex( f2, key, KNX_KEY_LENGTH16 );
367 }
368
369 mca_key = wmem_new(wmem_epan_scope(), struct knx_keyring_mca_keys)((struct knx_keyring_mca_keys*)wmem_alloc((wmem_epan_scope())
, sizeof(struct knx_keyring_mca_keys)));
370
371 if( mca_key )
372 {
373 mca_key->next = NULL((void*)0);
374 memcpy( mca_key->mca, mca, IPA_SIZE4 );
375 memcpy( mca_key->key, key, KNX_KEY_LENGTH16 );
376
377 *mca_keys_next = mca_key;
378 }
379 }
380}
381
382// Add GA <-> key association
383static void add_ga_key( uint16_t ga, const char* text, uint8_t password_hash[], uint8_t created_hash[], FILE* f2 )
384{
385 int text_length = (int) strlen( text );
386
387 if( text_length == BASE64_KNX_KEY_LENGTH24 )
388 {
389 uint8_t key[ BASE64_KNX_KEY_LENGTH24 + 1 ];
390 struct knx_keyring_ga_keys** ga_keys_next;
391 struct knx_keyring_ga_keys* ga_key;
392
393 decode_and_decrypt_key( key, text, password_hash, created_hash );
394
395 ga_keys_next = &knx_keyring_ga_keys;
396
397 while( (ga_key = *ga_keys_next) != NULL((void*)0) )
398 {
399 if( ga_key->ga == ga )
400 {
401 if( memcmp( ga_key->key, key, KNX_KEY_LENGTH16 ) == 0 )
402 {
403 return;
404 }
405 }
406
407 ga_keys_next = &ga_key->next;
408 }
409
410 if( f2 )
411 {
412 fprintf( f2, "GA %d/%d/%d key", (ga >> 11) & 0x1F, (ga >> 8) & 0x7, ga & 0xFF );
413 fprintf_hex( f2, key, KNX_KEY_LENGTH16 );
414 }
415
416 ga_key = wmem_new(wmem_epan_scope(), struct knx_keyring_ga_keys)((struct knx_keyring_ga_keys*)wmem_alloc((wmem_epan_scope()),
sizeof(struct knx_keyring_ga_keys)));
417
418 if( ga_key )
419 {
420 ga_key->next = NULL((void*)0);
421 ga_key->ga = ga;
422 memcpy( ga_key->key, key, KNX_KEY_LENGTH16 );
423
424 *ga_keys_next = ga_key;
425 }
426 }
427}
428
429// Add GA <-> sender association
430static void add_ga_sender( uint16_t ga, const char* text, FILE* f2 )
431{
432 uint16_t ia = read_ia( text );
433 struct knx_keyring_ga_senders** ga_senders_next = &knx_keyring_ga_senders;
434 struct knx_keyring_ga_senders* ga_sender;
435
436 while( (ga_sender = *ga_senders_next) != NULL((void*)0) )
437 {
438 if( ga_sender->ga == ga )
439 {
440 if( ga_sender->ia == ia )
441 {
442 return;
443 }
444 }
445
446 ga_senders_next = &ga_sender->next;
447 }
448
449 if( f2 )
450 {
451 fprintf( f2, "GA %d/%d/%d sender %d.%d.%d\n", (ga >> 11) & 0x1F, (ga >> 8) & 0x7, ga & 0xFF, (ia >> 12) & 0xF, (ia >> 8) & 0xF, ia & 0xFF );
452 }
453
454 ga_sender = wmem_new(wmem_epan_scope(), struct knx_keyring_ga_senders)((struct knx_keyring_ga_senders*)wmem_alloc((wmem_epan_scope(
)), sizeof(struct knx_keyring_ga_senders)));
455
456 if( ga_sender )
457 {
458 ga_sender->next = NULL((void*)0);
459 ga_sender->ga = ga;
460 ga_sender->ia = ia;
461
462 *ga_senders_next = ga_sender;
463 }
464}
465
466// Add IA <-> key association
467static void add_ia_key( uint16_t ia, const char* text, uint8_t password_hash[], uint8_t created_hash[], FILE* f2 )
468{
469 int text_length = (int) strlen( text );
470
471 if( text_length == BASE64_KNX_KEY_LENGTH24 )
472 {
473 uint8_t key[ BASE64_KNX_KEY_LENGTH24 + 1 ];
474 struct knx_keyring_ia_keys** ia_keys_next;
475 struct knx_keyring_ia_keys* ia_key;
476
477 decode_and_decrypt_key( key, text, password_hash, created_hash );
478
479 ia_keys_next = &knx_keyring_ia_keys;
480
481 while( (ia_key = *ia_keys_next) != NULL((void*)0) )
482 {
483 if( ia_key->ia == ia )
484 {
485 if( memcmp( ia_key->key, key, KNX_KEY_LENGTH16 ) == 0 )
486 {
487 return;
488 }
489 }
490
491 ia_keys_next = &ia_key->next;
492 }
493
494 if( f2 )
495 {
496 fprintf( f2, "IA %d.%d.%d key", (ia >> 12) & 0xF, (ia >> 8) & 0xF, ia & 0xFF );
497 fprintf_hex( f2, key, KNX_KEY_LENGTH16 );
498 }
499
500 ia_key = wmem_new(wmem_epan_scope(), struct knx_keyring_ia_keys)((struct knx_keyring_ia_keys*)wmem_alloc((wmem_epan_scope()),
sizeof(struct knx_keyring_ia_keys)));
501
502 if( ia_key )
503 {
504 ia_key->next = NULL((void*)0);
505 ia_key->ia = ia;
506 memcpy( ia_key->key, key, KNX_KEY_LENGTH16 );
507
508 *ia_keys_next = ia_key;
509 }
510 }
511}
512
513// Add IA <-> sequence number association
514static void add_ia_seq( uint16_t ia, const char* text, FILE* f2 )
515{
516 uint64_t seq = read_seq( text );
517
518 struct knx_keyring_ia_seqs** ia_seqs_next = &knx_keyring_ia_seqs;
519 struct knx_keyring_ia_seqs* ia_seq;
520
521 while( (ia_seq = *ia_seqs_next) != NULL((void*)0) )
522 {
523 if( ia_seq->ia == ia )
524 {
525 if( ia_seq->seq == seq )
526 {
527 return;
528 }
529 }
530
531 ia_seqs_next = &ia_seq->next;
532 }
533
534 if( f2 )
535 {
536 fprintf( f2, "IA %u.%u.%u SeqNr %" PRIu64"l" "u" "\n", (ia >> 12) & 0xF, (ia >> 8) & 0xF, ia & 0xFF, seq );
537 }
538
539 ia_seq = wmem_new(wmem_epan_scope(), struct knx_keyring_ia_seqs)((struct knx_keyring_ia_seqs*)wmem_alloc((wmem_epan_scope()),
sizeof(struct knx_keyring_ia_seqs)));
540
541 if( ia_seq )
542 {
543 ia_seq->next = NULL((void*)0);
544 ia_seq->ia = ia;
545 ia_seq->seq = seq;
546
547 *ia_seqs_next = ia_seq;
548 }
549}
550
551// Calculate PBKDF2(HMAC-SHA256, password, "1.keyring.ets.knx.org", 65536, 128)
552static void make_password_hash( uint8_t password_hash[] _U___attribute__((unused)), const char* password _U___attribute__((unused)) )
553{
554 // TODO: password_hash = PBKDF2(HMAC-SHA256, password, "1.keyring.ets.knx.org", 65536, 128)
555}
556
557// Calculate MSB128(SHA256(created))
558static void make_created_hash( uint8_t created_hash[] _U___attribute__((unused)), const char* created _U___attribute__((unused)) )
559{
560 // TODO: created_hash = MSB128(SHA256(created))
561}
562
563static void read_knx_keyring_xml_backbone_element(xmlNodePtr backbone, uint8_t password_hash[], uint8_t created_hash[], FILE* f2)
564{
565 bool_Bool address_valid = false0;
566 uint8_t multicast_address[IPA_SIZE4] = { 0 };
567
568 /* Parse out the attributes of the Backbone element */
569 for (xmlAttrPtr attr = backbone->properties; attr; attr = attr->next)
570 {
571 if (xmlStrcmp(attr->name, (const xmlChar*)"MulticastAddress") == 0)
572 {
573 xmlChar* str_address = xmlNodeListGetString(backbone->doc, attr->children, 1);
574 if (str_address != NULL((void*)0))
575 {
576 read_ip_addr(multicast_address, (const char*)str_address);
577 address_valid = true1;
578 xmlFree(str_address);
579 }
580 }
581 else if (xmlStrcmp(attr->name, (const xmlChar*)"Key") == 0)
582 {
583 if (address_valid)
584 {
585 xmlChar* str_key = xmlNodeListGetString(backbone->doc, attr->children, 1);
586 if (str_key != NULL((void*)0))
587 {
588 add_mca_key(multicast_address, (const char*)str_key, password_hash, created_hash, f2);
589 xmlFree(str_key);
590 }
591 }
592 }
593 }
594
595}
596
597static void read_knx_keyring_xml_group_element(xmlNodePtr group, uint8_t password_hash[], uint8_t created_hash[], FILE* f2)
598{
599 bool_Bool address_valid = false0;
600 uint16_t addr = 0;
601
602 /* Parse out the attributes of the Group element */
603 for (xmlAttrPtr attr = group->properties; attr; attr = attr->next)
604 {
605 if (xmlStrcmp(attr->name, (const xmlChar*)"Address") == 0)
606 {
607 xmlChar* str_address = xmlNodeListGetString(group->doc, attr->children, 1);
608 if (str_address != NULL((void*)0))
609 {
610 addr = read_ga((const char*)str_address);
611 address_valid = true1;
612 xmlFree(str_address);
613 }
614 }
615 else if (xmlStrcmp(attr->name, (const xmlChar*)"Key") == 0)
616 {
617 if (address_valid)
618 {
619 xmlChar* str_key = xmlNodeListGetString(group->doc, attr->children, 1);
620 add_ga_key(addr, (const char*)str_key, password_hash, created_hash, f2);
621 xmlFree(str_key);
622 }
623 }
624 else if (xmlStrcmp(attr->name, (const xmlChar*)"Senders") == 0)
625 {
626 if (address_valid)
627 {
628 xmlChar* str_senders = xmlNodeListGetString(group->doc, attr->children, 1);
629 if (str_senders != NULL((void*)0))
630 {
631 // Add senders given by space separated list of KNX IAs
632 static const char delim[] = " ,";
633 const char* token = strtok((char*)str_senders, delim);
634 while (token)
635 {
636 add_ga_sender(addr, token, f2);
637 token = strtok(NULL((void*)0), delim);
638 }
639 xmlFree(str_senders);
640 }
641 }
642 }
643 }
644
645}
646
647static void read_knx_keyring_xml_device_element(xmlNodePtr device, uint8_t password_hash[], uint8_t created_hash[], FILE* f2)
648{
649 bool_Bool address_valid = false0;
650 uint16_t addr = 0;
651
652 /* Parse out the attributes of the Device element */
653 for (xmlAttrPtr attr = device->properties; attr; attr = attr->next)
654 {
655 if (xmlStrcmp(attr->name, (const xmlChar*)"IndividualAddress") == 0)
656 {
657 xmlChar* str_address = xmlNodeListGetString(device->doc, attr->children, 1);
658 if (str_address != NULL((void*)0))
659 {
660 addr = read_ia((const char*)str_address);
661 address_valid = true1;
662 xmlFree(str_address);
663 }
664 }
665 else if (xmlStrcmp(attr->name, (const xmlChar*)"ToolKey") == 0)
666 {
667 if (address_valid)
668 {
669 xmlChar* str_key = xmlNodeListGetString(device->doc, attr->children, 1);
670 if (str_key != NULL((void*)0))
671 {
672 add_ia_key(addr, (const char*)str_key, password_hash, created_hash, f2);
673 xmlFree(str_key);
674 }
675 }
676 }
677 else if (xmlStrcmp(attr->name, (const xmlChar*)"SequenceNumber") == 0)
678 {
679 if (address_valid)
680 {
681 xmlChar* str_seq = xmlNodeListGetString(device->doc, attr->children, 1);
682 if (str_seq != NULL((void*)0))
683 {
684 add_ia_seq(addr, (const char*)str_seq, f2);
685 xmlFree(str_seq);
686 }
687 }
688 }
689 }
690}
691
692// Read KNX security key info from keyring XML file.
693//
694// An example keyring XML file is
695// "test/keys/knx_keyring.xml".
696//
697// Corresponding test is
698// suite_decryption.case_decrypt_knxip.test_knxip_keyring_xml_import
699//
700// Resulting decoded and decrypted 16-byte keys with context info are optionally written to a "key info" text file.
701// This may be useful, as these keys are not directly available from the keyring XML file .
702void read_knx_keyring_xml_file(const char* key_file, const char* password, const char* key_info_file)
703{
704 xmlDocPtr doc;
705 xmlNodePtr root_element = NULL((void*)0);
706 xmlNodePtr key_ring = NULL((void*)0);
707 uint8_t password_hash[KNX_KEY_LENGTH16] = { 0 };
708 uint8_t created_hash[KNX_KEY_LENGTH16] = {0};
709
710 // Clear old keyring data
711 clear_keyring_data();
712
713 doc = xmlReadFile(key_file, NULL((void*)0), 0);
714 if (doc == NULL((void*)0))
1
Assuming 'doc' is not equal to NULL
2
Taking false branch
715 return;
716
717 root_element = xmlDocGetRootElement(doc);
718 if (root_element == NULL((void*)0))
3
Assuming 'root_element' is not equal to NULL
4
Taking false branch
719 {
720 xmlFreeDoc(doc);
721 return;
722 }
723
724 /* Find the Keyring element */
725 if (xmlStrcmp(root_element->name, (const xmlChar*)"Keyring") == 0)
5
Assuming the condition is true
6
Taking true branch
726 {
727 key_ring = root_element;
728 }
729 else
730 {
731 for (xmlNodePtr cur = root_element->children; cur != NULL((void*)0); cur = cur->next)
732 {
733 if (cur->type == XML_ELEMENT_NODE && xmlStrcmp(cur->name, (const xmlChar*)"Keyring") == 0)
734 {
735 key_ring = cur;
736 break;
737 }
738 }
739 }
740
741 if (key_ring
6.1
'key_ring' is not equal to NULL
 == NULL((void*)0)) {
742 xmlFreeDoc(doc);
743 return;
744 }
745
746 // Optionally write extracted data to key info file
747 FILE* f2 = (!key_info_file || !*key_info_file) ? NULL((void*)0) :
7
Assuming 'key_info_file' is non-null
8
Assuming the condition is false
748 (strcmp( key_info_file, "-" ) == 0) ? stdoutstdout :
9
Assuming the condition is false
10
'?' condition is false
749 ws_fopenfopen( key_info_file, "w" );
11
Stream opened here
12
Assuming that 'fopen' is successful
750
751 make_password_hash(password_hash, password);
752
753 /* Parse out the attributes of the Keyring element */
754 for (xmlAttrPtr attr = key_ring->properties; attr; attr = attr->next)
13
Loop condition is true. Entering loop body
18
Loop condition is false. Execution continues on line 768
755 {
756 if (xmlStrcmp(attr->name, (const xmlChar*)"Created") == 0)
14
Assuming the condition is true
15
Taking true branch
757 {
758 xmlChar* str_created = xmlNodeListGetString(key_ring->doc, attr->children, 1);
759 if (str_created != NULL((void*)0))
16
Assuming 'str_created' is not equal to NULL
17
Taking true branch
760 {
761 make_created_hash(created_hash, (const char*)str_created);
762 xmlFree(str_created);
763 }
764 }
765 }
766
767 /* Parse out subelements of Keyring element */
768 for (xmlNodePtr cur = key_ring->children; cur != NULL((void*)0); cur = cur->next)
19
Assuming 'cur' is equal to NULL
769 {
770 if (cur->type == XML_ELEMENT_NODE && xmlStrcmp(cur->name, (const xmlChar*)"Backbone") == 0)
771 {
772 read_knx_keyring_xml_backbone_element(cur, password_hash, created_hash, f2);
773 }
774 else if (cur->type == XML_ELEMENT_NODE && xmlStrcmp(cur->name, (const xmlChar*)"Interface") == 0)
775 {
776 for (xmlNodePtr group = cur->children; group != NULL((void*)0); group = group->next)
777 {
778 if (group->type == XML_ELEMENT_NODE && xmlStrcmp(group->name, (const xmlChar*)"Group") == 0)
779 {
780 read_knx_keyring_xml_group_element(group, password_hash, created_hash, f2);
781 }
782 }
783 }
784 else if (cur->type == XML_ELEMENT_NODE && xmlStrcmp(cur->name, (const xmlChar*)"GroupAddresses") == 0)
785 {
786 for (xmlNodePtr group = cur->children; group != NULL((void*)0); group = group->next)
787 {
788 if (group->type == XML_ELEMENT_NODE && xmlStrcmp(group->name, (const xmlChar*)"Group") == 0)
789 {
790 read_knx_keyring_xml_group_element(group, password_hash, created_hash, f2);
791 }
792 }
793 }
794 else if (cur->type == XML_ELEMENT_NODE && xmlStrcmp(cur->name, (const xmlChar*)"Devices") == 0)
795 {
796 for (xmlNodePtr device = cur->children; device != NULL((void*)0); device = device->next)
797 {
798 if (device->type == XML_ELEMENT_NODE && xmlStrcmp(device->name, (const xmlChar*)"Device") == 0)
799 {
800 read_knx_keyring_xml_device_element(device, password_hash, created_hash, f2);
801 }
802 }
803 }
804 }
805
806 if (f2
19.1
'f2' is non-null
 && f2 != stdoutstdout)
20
Assuming 'f2' is equal to 'stdout'
21
Taking false branch
807 fclose(f2);
808 xmlFreeDoc(doc);
22
Opened stream never closed. Potential resource leak
809}
810
811/*
812 * Editor modelines - https://www.wireshark.org/tools/modelines.html
813 *
814 * Local variables:
815 * c-basic-offset: 2
816 * tab-width: 8
817 * indent-tabs-mode: nil
818 * End:
819 *
820 * vi: set shiftwidth=2 tabstop=8 expandtab:
821 * :indentSize=2:tabSize=8:noTabs=true:
822 */