| blob | d7e9524f20a409b5b2118bcdf5cd364e2489927d |
1 /* packet-zbee-security.c
2 * Dissector helper routines for encrypted ZigBee frames.
3 * By Owen Kirby <osk@exegin.com>; portions by Fred Fierling <fff@exegin.com>
4 * Copyright 2009 Exegin Technologies Limited
5 *
6 * $Id$
7 *
8 * Wireshark - Network traffic analyzer
9 * By Gerald Combs <gerald@wireshark.org>
10 * Copyright 1998 Gerald Combs
11 *
12 * This program is free software; you can redistribute it and/or
13 * modify it under the terms of the GNU General Public License
14 * as published by the Free Software Foundation; either version 2
15 * of the License, or (at your option) any later version.
16 *
17 * This program is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with this program; if not, write to the Free Software
24 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
25 */
27 /* Include Files */
30 #include <string.h>
32 #include <epan/packet.h>
33 #include <epan/exceptions.h>
35 #include <epan/prefs.h>
36 #include <epan/expert.h>
37 #include <epan/emem.h>
38 #include <epan/uat.h>
40 /* We require libgcrpyt in order to decrypt ZigBee packets. Without it the best
41 * we can do is parse the security header and give up.
42 */
43 #ifdef HAVE_LIBGCRYPT
44 #include <wsutil/wsgcrypt.h>
52 /* Helper Functions */
53 #ifdef HAVE_LIBGCRYPT
54 static gboolean zbee_sec_ccm_decrypt(const gchar *, const gchar *, const gchar *, const gchar *, gchar *,
58 static gboolean zbee_sec_decrypt_payload(zbee_security_packet *, const gchar *, const gchar, guint8 *,
60 #endif
64 /* Field pointers. */
73 /* Subtree pointers. */
87 };
89 #if 0
90 /* These aren't really used anymore, as ZigBee no longer includes them in the
91 * security control field. If we were to display them all we would ever see is
92 * security level 0.
93 */
104 };
105 #endif
107 /* The ZigBee security level, in enum_val_t for the security preferences. */
118 };
127 };
129 /* UAT Key Entry */
132 guint8 byte_order;
137 /* */
149 }
155 }
158 }
173 }
176 }
177 }
178 }
185 }
193 /*
194 * Enable this macro to use libgcrypt's CBC_MAC mode for the authentication
195 * phase. Unfortunately, this is broken, and I don't know why. However, using
196 * the messier EBC mode (to emulate CCM*) still works fine.
197 */
198 #if 0
199 #define ZBEE_SEC_USE_GCRYPT_CBC_MAC
200 #endif
201 /*FUNCTION:------------------------------------------------------
202 * NAME
203 * zbee_security_register
204 * DESCRIPTION
205 * Called by proto_register_zbee_nwk() to initialize the security
206 * dissectors.
207 * PARAMETERS
208 * module_t zbee_prefs - Prefs module to load preferences under.
209 * RETURNS
210 * none
211 *---------------------------------------------------------------
212 */
214 {
243 };
247 &ett_zbee_sec_control
248 };
251 { &ei_zbee_sec_encrypted_payload, { "zbee_sec.encrypted_payload", PI_UNDECODED, PI_WARN, "Encrypted Payload", EXPFILL }},
252 };
264 UAT_END_FIELDS
265 };
267 /* If no prefs module was supplied, register our own. */
270 }
272 /* Register preferences */
282 TRUE,
287 uat_key_record_copy_cb,
288 uat_key_record_update_cb,
289 uat_key_record_free_cb,
291 key_uat_fields );
297 zbee_sec_key_table_uat);
304 /* Register the init routine. */
308 /*FUNCTION:------------------------------------------------------
309 * NAME
310 * zbee_security_parse_key
311 * DESCRIPTION
312 * Parses a key string from left to right into a buffer with
313 * increasing (normal byte order) or decreasing (reverse byte
314 * order) address.
315 * PARAMETERS
316 * const gchar *key_str - pointer to the string
317 * guint8 *key_buf - destination buffer in memory
318 * gboolean big_end - fill key_buf with incrementing address
319 * RETURNS
320 * gboolean
321 *---------------------------------------------------------------
322 */
323 static gboolean
325 {
327 gchar temp;
330 /* Clear the key. */
334 }
336 /*
337 * Attempt to parse the key string. The key string must
338 * be at least 16 pairs of hexidecimal digits with the
339 * following optional separators: ':', '-', " ", or 16
340 * alphanumeric characters after a double-quote.
341 */
345 }
355 }
356 }
358 /* If this character is a separator, skip it. */
361 /* Process a nibble. */
365 /* Get the next nibble. */
368 /* Process another nibble. */
372 /* Get the next nibble. */
374 }
376 /* Move key_buf pointer */
378 j--;
380 j++;
381 }
385 /* If we get this far, then the key was good. */
389 /*FUNCTION:------------------------------------------------------
390 * NAME
391 * zbee_security_handoff
392 * DESCRIPTION
393 * Hands off the security dissector.
394 * PARAMETERS
395 * none
396 * RETURNS
397 * tvbuff_t *
398 *---------------------------------------------------------------
399 */
400 void
402 {
403 /* Lookup the data dissector. */
407 /*FUNCTION:------------------------------------------------------
408 * NAME
409 * dissect_zbee_secure
410 * DESCRIPTION
411 * Dissects and decrypts secured ZigBee frames.
412 *
413 * Will return a valid tvbuff only if security processing was
414 * successful. If processing fails, then this function will
415 * handle internally and return NULL.
416 * PARAMETERS
417 * tvbuff_t *tvb - pointer to buffer containing raw packet.
418 * packet_info *pinfo - pointer to packet information fields
419 * proto_tree *tree - pointer to data tree Wireshark uses to display packet.
420 * guint offset - pointer to the start of the auxilliary security header.
421 * guint64 src64 - extended source address, or 0 if unknown.
422 * RETURNS
423 * tvbuff_t *
424 *---------------------------------------------------------------
425 */
426 tvbuff_t *
428 {
434 zbee_security_packet packet;
435 guint mic_len;
436 gint payload_len;
439 #ifdef HAVE_LIBGCRYPT
442 gboolean decrypted;
446 #endif
451 /* Init */
454 /* Get pointers to any useful frame data from lower layers */
460 /* Create a subtree for the security information. */
462 sec_root = proto_tree_add_text(tree, tvb, offset, tvb_length_remaining(tvb, offset), "ZigBee Security Header");
464 }
466 /* Get and display the Security control field */
469 /* Patch the security level. */
473 /*
474 * Eww, I think I just threw up a little... ZigBee requires this field
475 * to be patched before computing the MIC, but we don't have write-access
476 * to the tvbuff. So we need to allocate a copy of the whole thing just
477 * so we can fix these 3 bits. Memory allocated by tvb_memdup(wmem_packet_scope(),...)
478 * is automatically freed before the next packet is processed.
479 */
480 #ifdef HAVE_LIBGCRYPT
482 /*
483 * Override the const qualifiers and patch the security level field, we
484 * know it is safe to overide the const qualifiers because we just
485 * allocated this memory via tvb_memdup(wmem_packet_scope(),...).
486 */
500 }
503 /* Get and display the frame counter field. */
507 }
511 /* Get and display the source address of the device that secured this payload. */
515 }
516 #if 1
521 /* Map this long address with the nwk layer short address. */
524 }
529 /* Map this long address with the ieee short address. */
532 }
535 /* We ignore the extended source addresses used to encrypt payloads with these
536 * types of keys, because they can emerge from APS tunnels created by nodes whose
537 * short address is not recorded in the packet. */
541 }
542 }
543 #endif
545 }
547 /* Look for a source address in hints */
550 /* use the ieee extended source address for NWK decryption */
558 /* use the nwk extended source address for APS decryption */
564 }
565 }
568 /* Get and display the key sequence number. */
572 }
574 }
576 /* Determine the length of the MIC. */
600 /* Get and display the MIC. */
602 /* Display the MIC. */
606 }
607 }
609 /* Check for null payload. */
614 }
616 /**********************************************
617 * Perform Security Operations on the Frame *
618 **********************************************
619 */
625 /* Payload is only integrity protected. Just return the sub-tvbuff. */
627 }
629 #ifdef HAVE_LIBGCRYPT
630 /* Allocate memory to decrypt the payload into. */
637 /* Use previously found key */
643 }
650 }
652 }
653 }
656 /* We only search for sniffed keys in the first pass,
657 * to save time, and because decrypting with keys
658 * transported in future packets is cheating */
660 /* Lookup NWK and link key in hash for this pan. */
661 /* This overkill approach is a placeholder for a hash that looks up
662 * a key ring for a link key associated with a pair of devices.
663 */
674 /* save pointer to the successful key record */
683 }
686 }
687 }
688 }
690 /* Loop through user's password table for preconfigured keys, our last resort */
697 /* save pointer to the successful key record */
706 }
709 }
710 }
711 }
722 }
724 }
726 /* Found a key that worked, setup the new tvbuff_t and return */
731 /* Done! */
733 }
738 /* Add expert info. */
740 /* Create a buffer for the undecrypted payload. */
742 /* Dump the payload to the data dissector. */
744 /* Couldn't decrypt, so return NULL. */
748 #ifdef HAVE_LIBGCRYPT
749 /*FUNCTION:------------------------------------------------------
750 * NAME
751 * zbee_sec_decrypt_payload
752 * DESCRIPTION
753 * Creates a nonce and decrypts a secured payload.
754 * PARAMETERS
755 * gchar *nonce - Nonce Buffer.
756 * zbee_security_packet *packet - Security information.
757 * RETURNS
758 * void
759 *---------------------------------------------------------------
760 */
761 static gboolean
762 zbee_sec_decrypt_payload(zbee_security_packet *packet, const gchar *enc_buffer, const gchar offset, guint8 *dec_buffer,
764 {
771 /* Decrypt with the PAN's current network key */
773 /* Decrypt with the unhashed link key assigned by the trust center to this
774 * source/destination pair */
779 /* Decrypt with a Key-Transport key, a hashed link key that protects network
780 * keys sent from the trust center */
786 /* Decrypt with a Key-Load key, a hashed link key that protects link keys
787 * sent from the trust center. */
796 /* Perform Decryption. */
808 }
810 }
812 /*FUNCTION:------------------------------------------------------
813 * NAME
814 * zbee_sec_make_nonce
815 * DESCRIPTION
816 * Fills in the ZigBee security nonce from the provided security
817 * packet structure.
818 * PARAMETERS
819 * zbee_security_packet *packet - Security information.
820 * gchar *nonce - Nonce Buffer.
821 * RETURNS
822 * void
823 *---------------------------------------------------------------
824 */
825 static void
827 {
828 /* First 8 bytes are the extended source address (little endian). */
837 /* Next 4 bytes are the frame counter (little endian). */
842 /* Next byte is the security control field. */
845 #endif
847 #ifdef HAVE_LIBGCRYPT
848 /*FUNCTION:------------------------------------------------------
849 * NAME
850 * zbee_sec_ccm_decrypt
851 * DESCRIPTION
852 * Performs the Reverse CCM* Transformation (specified in
853 * section A.3 of ZigBee Specification (053474r17).
854 *
855 * The length of parameter c (l(c)) is derived from the length
856 * of the payload and length of the MIC tag. Input buffer a
857 * will NOT be modified.
858 *
859 * When l_m is 0, then there is no payload to encrypt (ie: the
860 * payload is in plaintext), and this function will perform
861 * MIC verification only. When l_m is 0, m may be NULL.
862 * PARAMETERS
863 * gchar *key - ZigBee Security Key (must be ZBEE_SEC_CONST_KEYSIZE) in length.
864 * gchar *nonce - ZigBee CCM* Nonce (must be ZBEE_SEC_CONST_NONCE_LEN) in length.
865 * gchar *a - CCM* Parameter a (must be l(a) in length). Additional data covered
866 * by the authentication process.
867 * gchar *c - CCM* Parameter c (must be l(c) = l(m) + M in length). Encrypted
868 * payload + encrypted authentication tag U.
869 * gchar *m - CCM* Output (must be l(m) in length). Decrypted Payload.
870 * guint l_a - l(a), length of CCM* parameter a.
871 * guint l_m - l(m), length of expected payload.
872 * guint M - M, length of CCM* authentication tag.
873 * RETURNS
874 * gboolean - TRUE if successful.
875 *---------------------------------------------------------------
876 */
877 static gboolean
886 {
891 /* Cipher Instance. */
892 gcry_cipher_hd_t cipher_hd;
894 /* Sanity-Check. */
896 /*
897 * The CCM* counter is L bytes in length, ensure that the payload
898 * isn't long enough to overflow it.
899 */
902 /******************************************************
903 * Step 1: Encryption/Decryption Transformation
904 ******************************************************
905 */
906 /* Create the CCM* counter block A0 */
910 /*
911 * The encryption/decryption process of CCM* works in CTR mode. Open a CTR
912 * mode cipher for this phase. NOTE: The 'counter' part of the CCM* counter
913 * block is the last two bytes, and is big-endian.
914 */
917 }
918 /* Set the Key. */
922 }
923 /* Set the counter. */
927 }
928 /*
929 * Copy the MIC into the stack buffer. We need to feed the cipher a full
930 * block when decrypting the MIC (so that the payload starts on the second
931 * block). However, the MIC may be less than a full block so use a fixed
932 * size buffer to store the MIC, letting the CTR cipher overstep the MIC
933 * if need be.
934 */
937 /* Encrypt/Decrypt the MIC in-place. */
938 if (gcry_cipher_encrypt(cipher_hd, decrypted_mic, ZBEE_SEC_CONST_BLOCKSIZE, decrypted_mic, ZBEE_SEC_CONST_BLOCKSIZE)) {
941 }
942 /* Encrypt/Decrypt the payload. */
946 }
947 /* Done with the CTR Cipher. */
950 /******************************************************
951 * Step 3: Authentication Transformation
952 ******************************************************
953 */
955 /* There is no authentication tag. We're done! */
957 }
958 /*
959 * The authentication process in CCM* operates in CBC-MAC mode, but
960 * unfortunately, the input to the CBC-MAC process needs some substantial
961 * transformation and padding before we can feed it into the CBC-MAC
962 * algorithm. Instead we will operate in ECB mode and perform the
963 * transformation and padding on the fly.
964 *
965 * I also think that libgcrypt requires the input to be memory-aligned
966 * when using CBC-MAC mode, in which case can't just feed it with data
967 * from the packet buffer. All things considered it's just a lot easier
968 * to use ECB mode and do CBC-MAC manually.
969 */
970 /* Re-open the cipher in ECB mode. */
973 }
974 /* Re-load the key. */
978 }
979 /* Generate the first cipher block B0. */
982 ZBEE_SEC_CCM_FLAG_L;
987 /* Generate the first cipher block, X1 = E(Key, 0^128 XOR B0). */
988 if (gcry_cipher_encrypt(cipher_hd, cipher_out, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE)) {
991 }
992 /*
993 * We avoid mallocing() big chunks of memory by recycling small stack
994 * buffers for the encryption process. Throughout this process, j is always
995 * pointed to the position within the current buffer.
996 */
998 /* AuthData = L(a) || a || Padding || m || Padding
999 * Where L(a) =
1000 * - an empty string if l(a) == 0.
1001 * - 2-octet encoding of l(a) if 0 < l(a) < (2^16 - 2^8)
1002 * - 0xff || 0xfe || 4-octet encoding of l(a) if (2^16 - 2^8) <= l(a) < 2^32
1003 * - 0xff || 0xff || 8-octet encoding of l(a)
1004 * But for ZigBee, the largest packet size we should ever see is 2^7, so we
1005 * are only really concerned with the first two cases.
1006 *
1007 * To generate the MIC tag CCM* operates similar to CBC-MAC mode. Each block
1008 * of AuthData is XOR'd with the last block of cipher output to produce the
1009 * next block of cipher output. Padding sections have the minimum non-negative
1010 * length such that the padding ends on a block boundary. Padded bytes are 0.
1011 */
1013 /* Process L(a) into the cipher block. */
1015 j++;
1017 j++;
1018 /* Process a into the cipher block. */
1021 /* Generate the next cipher block. */
1023 ZBEE_SEC_CONST_BLOCKSIZE)) {
1026 }
1027 /* Reset j to point back to the start of the new cipher block. */
1029 }
1030 /* Cipher in = cipher_out ^ a */
1033 /* Process padding into the cipher block. */
1036 }
1037 /* Process m into the cipher block. */
1040 /* Generate the next cipher block. */
1042 ZBEE_SEC_CONST_BLOCKSIZE)) {
1045 }
1046 /* Reset j to point back to the start of the new cipher block. */
1048 }
1049 /* Cipher in = cipher out ^ m */
1052 /* Padding. */
1055 /* Generate the last cipher block, which will be the MIC tag. */
1056 if (gcry_cipher_encrypt(cipher_hd, cipher_out, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE)) {
1059 }
1060 /* Done with the Cipher. */
1063 /* Compare the MIC's */
1067 /*FUNCTION:------------------------------------------------------
1068 * NAME
1069 * zbee_sec_hash
1070 * DESCRIPTION
1071 * ZigBee Cryptographic Hash Function, described in ZigBee
1072 * specification sections B.1.3 and B.6.
1073 *
1074 * This is a Matyas-Meyer-Oseas hash function using the AES-128
1075 * cipher. We use the ECB mode of libgcrypt to get a raw block
1076 * cipher.
1077 *
1078 * Input may be any length, and the output must be exactly 1-block in length.
1079 *
1080 * Implements the function:
1081 * Hash(text) = Hash[t];
1082 * Hash[0] = 0^(blocksize).
1083 * Hash[i] = E(Hash[i-1], M[i]) XOR M[j];
1084 * M[i] = i'th block of text, with some padding and flags concatenated.
1085 * PARAMETERS
1086 * guint8 * input - Hash Input (any length).
1087 * guint8 input_len - Hash Input Length.
1088 * guint8 * output - Hash Output (exactly one block in length).
1089 * RETURNS
1090 * void
1091 *---------------------------------------------------------------
1092 */
1093 static void
1095 {
1098 /* Cipher Instance. */
1099 gcry_cipher_hd_t cipher_hd;
1101 /* Clear the first hash block (Hash0). */
1103 /* Create the cipher instance in ECB mode. */
1106 }
1107 /* Create the subsequent hash blocks using the formula: Hash[i] = E(Hash[i-1], M[i]) XOR M[i]
1108 *
1109 * because we can't garauntee that M will be exactly a multiple of the
1110 * block size, we will need to copy it into local buffers and pad it.
1111 *
1112 * Note that we check for the next cipher block at the end of the loop
1113 * rather than the start. This is so that if the input happens to end
1114 * on a block boundary, the next cipher block will be generated for the
1115 * start of the padding to be placed into.
1116 */
1120 /* Copy data into the cipher input. */
1122 /* Check if this cipher block is done. */
1124 /* We have reached the end of this block. Process it with the
1125 * cipher, note that the Key input to the cipher is actually
1126 * the previous hash block, which we are keeping in output.
1127 */
1129 (void)gcry_cipher_encrypt(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE);
1130 /* Now we have to XOR the input into the hash block. */
1132 /* Reset j to start again at the beginning at the next block. */
1134 }
1136 /* Need to append the bit '1', followed by '0' padding long enough to end
1137 * the hash input on a block boundary. However, because 'n' is 16, and 'l'
1138 * will be a multiple of 8, the padding will be >= 7-bits, and we can just
1139 * append the byte 0x80.
1140 */
1142 /* Pad with '0' until the the current block is exactly 'n' bits from the
1143 * end.
1144 */
1147 /* We have reached the end of this block. Process it with the
1148 * cipher, note that the Key input to the cipher is actually
1149 * the previous hash block, which we are keeping in output.
1150 */
1152 (void)gcry_cipher_encrypt(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE);
1153 /* Now we have to XOR the input into the hash block. */
1155 /* Reset j to start again at the beginning at the next block. */
1157 }
1158 /* Pad the input with 0. */
1161 /* Add the 'n'-bit representation of 'l' to the end of the block. */
1164 /* Process the last cipher block. */
1166 (void)gcry_cipher_encrypt(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE);
1167 /* XOR the last input block back into the cipher output to get the hash. */
1169 /* Cleanup the cipher. */
1171 /* Done */
1174 /*FUNCTION:------------------------------------------------------
1175 * NAME
1176 * zbee_sec_key_hash
1177 * DESCRIPTION
1178 * ZigBee Keyed Hash Function. Described in ZigBee specification
1179 * section B.1.4, and in FIPS Publication 198. Strictly speaking
1180 * there is nothing about the Keyed Hash Function which restricts
1181 * it to only a single byte input, but that's all ZigBee ever uses.
1182 *
1183 * This function implements the hash function:
1184 * Hash(Key, text) = H((Key XOR opad) || H((Key XOR ipad) || text));
1185 * ipad = 0x36 repeated.
1186 * opad = 0x5c repeated.
1187 * H() = ZigBee Cryptographic Hash (B.1.3 and B.6).
1188 *
1189 * The output of this function is an ep_alloced buffer containing
1190 * the key-hashed output, and is garaunteed never to return NULL.
1191 * PARAMETERS
1192 * guint8 *key - ZigBee Security Key (must be ZBEE_SEC_CONST_KEYSIZE) in length.
1193 * guint8 input - ZigBee CCM* Nonce (must be ZBEE_SEC_CONST_NONCE_LEN) in length.
1194 * packet_info *pinfo - pointer to packet information fields
1195 * RETURNS
1196 * guint8*
1197 *---------------------------------------------------------------
1198 */
1201 {
1207 /* Copy the key into hash_in and XOR with opad to form: (Key XOR opad) */
1209 /* Copy the Key into hash_out and XOR with ipad to form: (Key XOR ipad) */
1211 /* Append the input byte to form: (Key XOR ipad) || text. */
1213 /* Hash the contents of hash_out and append the contents to hash_in to
1214 * form: (Key XOR opad) || H((Key XOR ipad) || text).
1215 */
1217 /* Hash the contents of hash_in to get the final result. */
1223 /*FUNCTION:------------------------------------------------------
1224 * NAME
1225 * proto_init_zbee_security
1226 * DESCRIPTION
1227 * Init routine for the
1228 * PARAMETERS
1229 * none
1230 * RETURNS
1231 * void
1232 *---------------------------------------------------------------
1233 */
1234 static void
1236 {
1237 guint i;
1238 key_record_t key_record;
1240 /* empty the key ring */
1244 }
1246 /* Load the pre-configured slist from the UAT. */
1252 zbee_pc_keyring = g_slist_prepend(zbee_pc_keyring, se_memdup(&key_record, sizeof(key_record_t)));