/************************************************************************** * * Copyright (C) 2015 Nikola Jelic * * Permission is hereby granted, free of charge, to any person obtaining * a copy of this software and associated documentation files (the * "Software"), to deal in the Software without restriction, including * without limitation the rights to use, copy, modify, merge, publish, * distribute, sublicense, and/or sell copies of the Software, and to * permit persons to whom the Software is furnished to do so, subject to * the following conditions: * * The above copyright notice and this permission notice shall be included * in all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. * IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY * CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, * TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. * *********************************************************************/ #include #include #include #include "bacnet/bacdcode.h" #include "bacnet/datalink/bacsec.h" BACNET_KEY_IDENTIFIER_ALGORITHM key_algorithm(uint16_t id) { return (BACNET_KEY_IDENTIFIER_ALGORITHM)((id >> 8) & 0xFF); } BACNET_KEY_IDENTIFIER_KEY_NUMBER key_number(uint16_t id) { return (BACNET_KEY_IDENTIFIER_KEY_NUMBER)(id & 0xFF); } #if 0 /* FIXME: please fix? */ int encode_security_wrapper( int bytes_before, uint8_t *apdu, BACNET_SECURITY_WRAPPER *wrapper) { int curr = 0; int enc_begin = 0; BACNET_KEY_ENTRY key; BACNET_SECURITY_RESPONSE_CODE res = SEC_RESP_SUCCESS; apdu[curr] = 0; /* control byte */ if (wrapper->payload_net_or_bvll_flag) { apdu[curr] |= 1 << 7; } /* encryption flag will be set after signature calculation */ /* bit 5 is reserved and shall be 0 */ if (wrapper->authentication_flag) { apdu[curr] |= 1 << 4; } if (wrapper->do_not_unwrap_flag) { apdu[curr] |= 1 << 3; } if (wrapper->do_not_decrypt_flag) { apdu[curr] |= 1 << 2; } if (wrapper->non_trusted_source_flag) { apdu[curr] |= 1 << 1; } if (wrapper->secured_by_router_flag) { apdu[curr] |= 1; } curr++; /* basic integrity checks */ if (wrapper->do_not_decrypt_flag && !wrapper->do_not_unwrap_flag) { return -SEC_RESP_MALFORMED_MESSAGE; } if (!wrapper->encrypted_flag && wrapper->do_not_decrypt_flag) { return -SEC_RESP_MALFORMED_MESSAGE; } /* key */ apdu[curr++] = wrapper->key_revision; curr += encode_unsigned16(&apdu[curr], wrapper->key_identifier); /* find appropriate key */ key.key_identifier = wrapper->key_identifier; res = bacnet_find_key(wrapper->key_revision, &key); if (res != SEC_RESP_SUCCESS) { return -res; } /* source device instance */ curr += encode_unsigned24(&apdu[curr], wrapper->source_device_instance); /* message id */ curr += encode_unsigned32(&apdu[curr], wrapper->message_id); /* timestamp */ curr += encode_unsigned32(&apdu[curr], wrapper->timestamp); /* begin encryption starting from destination device instance */ enc_begin = curr; /* destination device instance */ curr += encode_unsigned24(&apdu[curr], wrapper->destination_device_instance); /* dst address */ curr += encode_unsigned16(&apdu[curr], wrapper->dnet); apdu[curr++] = wrapper->dlen; memcpy(&apdu[curr], wrapper->dadr, wrapper->dlen); curr += wrapper->dlen; /* src address */ curr += encode_unsigned16(&apdu[curr], wrapper->snet); apdu[curr++] = wrapper->slen; memcpy(&apdu[curr], wrapper->sadr, wrapper->slen); curr += wrapper->slen; /* authentication */ if (wrapper->authentication_flag) { apdu[curr++] = wrapper->authentication_mechanism; /* authentication data */ curr += encode_unsigned16(&apdu[curr], wrapper->user_id); apdu[curr++] = wrapper->user_role; if ((wrapper->authentication_mechanism >= 1) && (wrapper->authentication_mechanism <= 199)) { curr += encode_unsigned16( &apdu[curr], wrapper->authentication_data_length + 5); memcpy(&apdu[curr], wrapper->authentication_data, wrapper->authentication_data_length); curr += wrapper->authentication_data_length; } else if (wrapper->authentication_mechanism >= 200) { curr += encode_unsigned16( &apdu[curr], wrapper->authentication_data_length + 7); curr += encode_unsigned16(&apdu[curr], wrapper->vendor_id); memcpy(&apdu[curr], wrapper->authentication_data, wrapper->authentication_data_length); curr += wrapper->authentication_data_length; } } memcpy(&apdu[curr], wrapper->service_data, wrapper->service_data_len); curr += wrapper->service_data_len; /* signature calculation */ key_sign_msg(&key, &apdu[-bytes_before], (uint32_t)(bytes_before + curr), wrapper->signature); /* padding and encryption */ if (wrapper->encrypted_flag) { /* set encryption flag, signing is done */ apdu[0] |= 1 << 6; /* handle padding */ key_set_padding( &key, curr - enc_begin, &wrapper->padding_len, wrapper->padding); if (wrapper->padding_len > 2) { memcpy(&apdu[curr], wrapper->padding, wrapper->padding_len - 2); curr += wrapper->padding_len - 2; } curr += encode_unsigned16(&apdu[curr], wrapper->padding_len); /* encryption */ key_encrypt_msg(&key, &apdu[enc_begin], (uint32_t)(curr - enc_begin), wrapper->signature); } memcpy(&apdu[curr], wrapper->signature, SIGNATURE_LEN); curr += SIGNATURE_LEN; return curr; } #endif int encode_challenge_request(uint8_t *apdu, BACNET_CHALLENGE_REQUEST *bc_req) { int curr = 0; apdu[curr++] = bc_req->message_challenge; curr += encode_unsigned32(&apdu[curr], bc_req->orig_message_id); curr += encode_unsigned32(&apdu[curr], bc_req->orig_timestamp); return curr; } int encode_security_payload(uint8_t *apdu, BACNET_SECURITY_PAYLOAD *payload) { encode_unsigned16(&apdu[0], payload->payload_length); memcpy(&apdu[2], payload->payload, payload->payload_length); return (int)(2 + payload->payload_length); } int encode_security_response(uint8_t *apdu, BACNET_SECURITY_RESPONSE *resp) { int curr = 0; int i; apdu[curr++] = resp->response_code; curr += encode_unsigned32(&apdu[curr], resp->orig_message_id); curr += encode_unsigned32(&apdu[curr], resp->orig_timestamp); switch ((BACNET_SECURITY_RESPONSE_CODE)resp->response_code) { case SEC_RESP_BAD_TIMESTAMP: curr += encode_unsigned32( &apdu[curr], resp->response.bad_timestamp.expected_timestamp); break; case SEC_RESP_CANNOT_USE_KEY: curr += encode_unsigned16( &apdu[curr], resp->response.cannot_use_key.key); break; case SEC_RESP_INCORRECT_KEY: apdu[curr++] = resp->response.incorrect_key.number_of_keys; for (i = 0; i < (int)resp->response.incorrect_key.number_of_keys; i++) { curr += encode_unsigned16( &apdu[curr], resp->response.incorrect_key.keys[i]); } break; case SEC_RESP_UNKNOWN_AUTHENTICATION_TYPE: apdu[curr++] = resp->response.unknown_authentication_type .original_authentication_type; curr += encode_unsigned16(&apdu[curr], resp->response.unknown_authentication_type.vendor_id); break; case SEC_RESP_UNKNOWN_KEY: curr += encode_unsigned16( &apdu[curr], resp->response.unknown_key.original_key); break; case SEC_RESP_UNKNOWN_KEY_REVISION: apdu[curr++] = resp->response.unknown_key_revision.original_key_revision; break; case SEC_RESP_TOO_MANY_KEYS: apdu[curr++] = resp->response.too_many_keys.max_num_of_keys; break; case SEC_RESP_INVALID_KEY_DATA: curr += encode_unsigned16( &apdu[curr], resp->response.invalid_key_data.key); break; case SEC_RESP_SUCCESS: case SEC_RESP_ACCESS_DENIED: case SEC_RESP_BAD_DESTINATION_ADDRESS: case SEC_RESP_BAD_DESTINATION_DEVICE_ID: case SEC_RESP_BAD_SIGNATURE: case SEC_RESP_BAD_SOURCE_ADDRESS: case SEC_RESP_CANNOT_VERIFY_MESSAGE_ID: case SEC_RESP_CORRECT_KEY_REVISION: case SEC_RESP_DESTINATION_DEVICE_ID_REQUIRED: case SEC_RESP_DUPLICATE_MESSAGE: case SEC_RESP_ENCRYPTION_NOT_CONFIGURED: case SEC_RESP_ENCRYPTION_REQUIRED: case SEC_RESP_KEY_UPDATE_IN_PROGRESS: case SEC_RESP_MALFORMED_MESSAGE: case SEC_RESP_NOT_KEY_SERVER: case SEC_RESP_SECURITY_NOT_CONFIGURED: case SEC_RESP_SOURCE_SECURITY_REQUIRED: case SEC_RESP_UNKNOWN_SOURCE_MESSAGE: break; default: return -1; /* unknown message type */ } return curr; } int encode_request_key_update(uint8_t *apdu, BACNET_REQUEST_KEY_UPDATE *req) { int curr = 0; apdu[curr++] = req->set_1_key_revision; curr += encode_unsigned32(&apdu[curr], req->set_1_activation_time); curr += encode_unsigned32(&apdu[curr], req->set_1_expiration_time); apdu[curr++] = req->set_2_key_revision; curr += encode_unsigned32(&apdu[curr], req->set_2_activation_time); curr += encode_unsigned32(&apdu[curr], req->set_2_expiration_time); apdu[curr++] = req->distribution_key_revision; return curr; } int encode_key_entry(uint8_t *apdu, BACNET_KEY_ENTRY *entry) { int curr = 0; curr += encode_unsigned16(&apdu[curr], entry->key_identifier); apdu[curr++] = entry->key_len; memcpy(&apdu[curr], entry->key, entry->key_len); curr += entry->key_len; return curr; } int encode_update_key_set(uint8_t *apdu, BACNET_UPDATE_KEY_SET *key_set) { int curr = 0; int i, res; apdu[curr] = 0; if (key_set->remove) { apdu[curr] |= 1; } if (key_set->more) { apdu[curr] |= 1 << 1; } if (key_set->set_clr[1]) { apdu[curr] |= 1 << 2; } if (key_set->set_ck[1]) { apdu[curr] |= 1 << 3; } if (key_set->set_rae[1]) { apdu[curr] |= 1 << 4; } if (key_set->set_clr[0]) { apdu[curr] |= 1 << 5; } if (key_set->set_ck[0]) { apdu[curr] |= 1 << 6; } if (key_set->set_rae[0]) { apdu[curr] |= 1 << 7; } curr++; if (key_set->set_rae[0]) { apdu[curr++] = key_set->set_key_revision[0]; curr += encode_unsigned32(&apdu[curr], key_set->set_activation_time[0]); curr += encode_unsigned32(&apdu[curr], key_set->set_expiration_time[0]); } if (key_set->set_ck[0]) { apdu[curr++] = key_set->set_key_count[0]; if (key_set->set_key_count[0] > MAX_UPDATE_KEY_COUNT) { return -1; } for (i = 0; i < (int)key_set->set_key_count[0]; i++) { res = encode_key_entry(&apdu[curr], &key_set->set_keys[0][i]); if (res < 0) { return -1; } curr += res; } } if (key_set->set_rae[1]) { apdu[curr++] = key_set->set_key_revision[1]; curr += encode_unsigned32(&apdu[curr], key_set->set_activation_time[1]); curr += encode_unsigned32(&apdu[curr], key_set->set_expiration_time[1]); } if (key_set->set_ck[1]) { apdu[curr++] = key_set->set_key_count[1]; if (key_set->set_key_count[1] > MAX_UPDATE_KEY_COUNT) { return -1; } for (i = 0; i < (int)key_set->set_key_count[1]; i++) { res = encode_key_entry(&apdu[curr], &key_set->set_keys[1][i]); if (res < 0) { return -1; } curr += res; } } return curr; } int encode_update_distribution_key( uint8_t *apdu, BACNET_UPDATE_DISTRIBUTION_KEY *dist_key) { int curr = 0; int res; apdu[curr++] = dist_key->key_revision; res = encode_key_entry(&apdu[curr], &dist_key->key); if (res < 0) { return -1; } return curr + res; } int encode_request_master_key( uint8_t *apdu, BACNET_REQUEST_MASTER_KEY *req_master_key) { int curr = 0; apdu[curr++] = req_master_key->no_supported_algorithms; memcpy(&apdu[curr], req_master_key->es_algorithms, req_master_key->no_supported_algorithms); return (int)(curr + req_master_key->no_supported_algorithms); } int encode_set_master_key(uint8_t *apdu, BACNET_SET_MASTER_KEY *set_master_key) { return encode_key_entry(apdu, &set_master_key->key); } #if 0 /* FIXME: please fix? */ int decode_security_wrapper_safe(int bytes_before, uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_SECURITY_WRAPPER *wrapper) { int curr = 0; int enc_begin = 0; int real_len = (int)(apdu_len_remaining - SIGNATURE_LEN); BACNET_KEY_ENTRY key; BACNET_SECURITY_RESPONSE_CODE res = SEC_RESP_SUCCESS; if (apdu_len_remaining < 40) { return -SEC_RESP_MALFORMED_MESSAGE; } wrapper->payload_net_or_bvll_flag = ((apdu[curr] & (1 << 7)) != 0); wrapper->encrypted_flag = ((apdu[curr] & (1 << 6)) != 0); wrapper->authentication_flag = ((apdu[curr] & (1 << 4)) != 0); wrapper->do_not_unwrap_flag = ((apdu[curr] & (1 << 3)) != 0); wrapper->do_not_decrypt_flag = ((apdu[curr] & (1 << 2)) != 0); wrapper->non_trusted_source_flag = ((apdu[curr] & (1 << 1)) != 0); wrapper->secured_by_router_flag = ((apdu[curr] & 1) != 0); /* basic integrity checks */ if (wrapper->do_not_decrypt_flag && !wrapper->do_not_unwrap_flag) { return -SEC_RESP_MALFORMED_MESSAGE; } if (!wrapper->encrypted_flag && wrapper->do_not_decrypt_flag) { return -SEC_RESP_MALFORMED_MESSAGE; } /* remove encryption flag for signature validation */ apdu[curr] &= ~((uint8_t)(1 << 6)); curr++; /* key */ wrapper->key_revision = apdu[curr++]; curr += decode_unsigned16(&apdu[curr], &wrapper->key_identifier); /* find appropriate key */ key.key_identifier = wrapper->key_identifier; res = bacnet_find_key(wrapper->key_revision, &key); if (res != SEC_RESP_SUCCESS) { return -res; } /* source device instance */ curr += decode_unsigned24(&apdu[curr], &wrapper->source_device_instance); /* message id */ curr += decode_unsigned32(&apdu[curr], &wrapper->message_id); /* timestamp */ curr += decode_unsigned32(&apdu[curr], &wrapper->timestamp); /* begin decryption starting from destination device instance */ enc_begin = curr; /* read signature */ memcpy(wrapper->signature, &apdu[real_len], SIGNATURE_LEN); if (wrapper->encrypted_flag) { if (!key_decrypt_msg(&key, &apdu[enc_begin], (uint32_t)(real_len - enc_begin), wrapper->signature)) { return -SEC_RESP_MALFORMED_MESSAGE; } curr += decode_unsigned16(&apdu[real_len - 2], &wrapper->padding_len); real_len -= wrapper->padding_len; memcpy(wrapper->padding, &apdu[wrapper->padding_len], wrapper->padding_len - 2); } /* destination device instance */ curr += decode_unsigned24(&apdu[curr], &wrapper->destination_device_instance); /* dst address */ curr += decode_unsigned16(&apdu[curr], &wrapper->dnet); wrapper->dlen = apdu[curr++]; memcpy(wrapper->dadr, &apdu[curr], wrapper->dlen); curr += wrapper->dlen; /* src address */ curr += decode_unsigned16(&apdu[curr], &wrapper->snet); wrapper->slen = apdu[curr++]; memcpy(wrapper->sadr, &apdu[curr], wrapper->slen); curr += wrapper->slen; /* authentication */ if (wrapper->authentication_flag) { wrapper->authentication_mechanism = apdu[curr++]; /* authentication data */ curr += decode_unsigned16(&apdu[curr], &wrapper->user_id); wrapper->user_role = apdu[curr++]; if ((wrapper->authentication_mechanism >= 1) && (wrapper->authentication_mechanism <= 199)) { curr += decode_unsigned16( &apdu[curr], &wrapper->authentication_data_length); wrapper->authentication_data_length -= 5; memcpy(wrapper->authentication_data, &apdu[curr], wrapper->authentication_data_length); curr += wrapper->authentication_data_length; } else if (wrapper->authentication_mechanism >= 200) { curr += decode_unsigned16( &apdu[curr], &wrapper->authentication_data_length); wrapper->authentication_data_length -= 7; curr += decode_unsigned16(&apdu[curr], &wrapper->vendor_id); memcpy(wrapper->authentication_data, &apdu[curr], wrapper->authentication_data_length); curr += wrapper->authentication_data_length; } } wrapper->service_data_len = (uint16_t)(real_len - curr); memcpy(wrapper->service_data, &apdu[curr], wrapper->service_data_len); curr += wrapper->service_data_len; if (!key_verify_sign_msg(&key, &apdu[-bytes_before], (uint32_t)(bytes_before + real_len), wrapper->signature)) { return -SEC_RESP_BAD_SIGNATURE; } return curr; } #endif int decode_challenge_request_safe(uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_CHALLENGE_REQUEST *bc_req) { int curr = 0; if (apdu_len_remaining < 9) { return -1; } bc_req->message_challenge = apdu[curr++]; curr += decode_unsigned32(&apdu[curr], &bc_req->orig_message_id); curr += decode_unsigned32(&apdu[curr], &bc_req->orig_timestamp); return curr; /* always 9! */ } int decode_security_payload_safe(uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_SECURITY_PAYLOAD *payload) { if (apdu_len_remaining < 2) { return -1; } decode_unsigned16(&apdu[0], &payload->payload_length); if (apdu_len_remaining - 2 < payload->payload_length) { return -1; } memcpy(payload->payload, &apdu[2], payload->payload_length); return (int)(2 + payload->payload_length); } int decode_security_response_safe( uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_SECURITY_RESPONSE *resp) { int curr = 0; int i; if (apdu_len_remaining < 9) { return -1; } resp->response_code = apdu[curr++]; curr += decode_unsigned32(&apdu[curr], &resp->orig_message_id); curr += decode_unsigned32(&apdu[curr], &resp->orig_timestamp); switch ((BACNET_SECURITY_RESPONSE_CODE)resp->response_code) { case SEC_RESP_BAD_TIMESTAMP: if (apdu_len_remaining < 13) { return -1; } curr += decode_unsigned32( &apdu[curr], &resp->response.bad_timestamp.expected_timestamp); break; case SEC_RESP_CANNOT_USE_KEY: if (apdu_len_remaining < 11) { return -1; } curr += decode_unsigned16( &apdu[curr], &resp->response.cannot_use_key.key); break; case SEC_RESP_INCORRECT_KEY: if (apdu_len_remaining < 10) { return -1; } resp->response.incorrect_key.number_of_keys = apdu[curr++]; if (apdu_len_remaining - 10 < resp->response.incorrect_key.number_of_keys * 2) { return -1; } for (i = 0; i < (int)resp->response.incorrect_key.number_of_keys; i++) { curr += decode_unsigned16( &apdu[curr], &resp->response.incorrect_key.keys[i]); } break; case SEC_RESP_UNKNOWN_AUTHENTICATION_TYPE: if (apdu_len_remaining < 12) { return -1; } resp->response.unknown_authentication_type .original_authentication_type = apdu[curr++]; curr += decode_unsigned16(&apdu[curr], &resp->response.unknown_authentication_type.vendor_id); if (resp->response.unknown_authentication_type .original_authentication_type < 200 && resp->response.unknown_authentication_type.vendor_id != 0) { return -1; } break; case SEC_RESP_UNKNOWN_KEY: if (apdu_len_remaining < 11) { return -1; } curr += decode_unsigned16( &apdu[curr], &resp->response.unknown_key.original_key); break; case SEC_RESP_UNKNOWN_KEY_REVISION: if (apdu_len_remaining < 10) { return -1; } resp->response.unknown_key_revision.original_key_revision = apdu[curr++]; break; case SEC_RESP_TOO_MANY_KEYS: if (apdu_len_remaining < 10) { return -1; } resp->response.too_many_keys.max_num_of_keys = apdu[curr++]; break; case SEC_RESP_INVALID_KEY_DATA: if (apdu_len_remaining < 11) { return -1; } curr += decode_unsigned16( &apdu[curr], &resp->response.invalid_key_data.key); break; case SEC_RESP_SUCCESS: case SEC_RESP_ACCESS_DENIED: case SEC_RESP_BAD_DESTINATION_ADDRESS: case SEC_RESP_BAD_DESTINATION_DEVICE_ID: case SEC_RESP_BAD_SIGNATURE: case SEC_RESP_BAD_SOURCE_ADDRESS: case SEC_RESP_CANNOT_VERIFY_MESSAGE_ID: case SEC_RESP_CORRECT_KEY_REVISION: case SEC_RESP_DESTINATION_DEVICE_ID_REQUIRED: case SEC_RESP_DUPLICATE_MESSAGE: case SEC_RESP_ENCRYPTION_NOT_CONFIGURED: case SEC_RESP_ENCRYPTION_REQUIRED: case SEC_RESP_KEY_UPDATE_IN_PROGRESS: case SEC_RESP_MALFORMED_MESSAGE: case SEC_RESP_NOT_KEY_SERVER: case SEC_RESP_SECURITY_NOT_CONFIGURED: case SEC_RESP_SOURCE_SECURITY_REQUIRED: case SEC_RESP_UNKNOWN_SOURCE_MESSAGE: break; default: return -1; /* unknown message type */ } return curr; } int decode_request_key_update_safe( uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_REQUEST_KEY_UPDATE *req) { int curr = 0; if (apdu_len_remaining < 19) { return -1; } req->set_1_key_revision = apdu[curr++]; curr += decode_unsigned32(&apdu[curr], &req->set_1_activation_time); curr += decode_unsigned32(&apdu[curr], &req->set_1_expiration_time); req->set_2_key_revision = apdu[curr++]; curr += decode_unsigned32(&apdu[curr], &req->set_2_activation_time); curr += decode_unsigned32(&apdu[curr], &req->set_2_expiration_time); req->distribution_key_revision = apdu[curr++]; return curr; } int decode_key_entry_safe( uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_KEY_ENTRY *entry) { int curr = 0; if (apdu_len_remaining < 3) { return -1; } curr += decode_unsigned16(&apdu[curr], &entry->key_identifier); entry->key_len = apdu[curr++]; if (apdu_len_remaining - 3 < entry->key_len || entry->key_len > MAX_KEY_LEN) { return -1; } memcpy(entry->key, &apdu[curr], entry->key_len); curr += entry->key_len; return curr; } int decode_update_key_set_safe( uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_UPDATE_KEY_SET *key_set) { int curr = 0; int i, res; if (apdu_len_remaining < 1) { return -1; } if (apdu[curr] & 1) { key_set->remove = true; } if ((apdu[curr] >> 1) & 1) { key_set->more = true; } if ((apdu[curr] >> 2) & 1) { key_set->set_clr[1] = true; } if ((apdu[curr] >> 3) & 1) { key_set->set_ck[1] = true; } if ((apdu[curr] >> 4) & 1) { key_set->set_rae[1] = true; } if ((apdu[curr] >> 5) & 1) { key_set->set_clr[0] = true; } if ((apdu[curr] >> 6) & 1) { key_set->set_ck[0] = true; } if ((apdu[curr] >> 7) & 1) { key_set->set_rae[0] = true; } curr++; if (key_set->set_rae[0]) { if (apdu_len_remaining - curr < 9) { return -1; } key_set->set_key_revision[0] = apdu[curr++]; curr += decode_unsigned32(&apdu[curr], &key_set->set_activation_time[0]); curr += decode_unsigned32(&apdu[curr], &key_set->set_expiration_time[0]); } if (key_set->set_ck[0]) { if (apdu_len_remaining - curr < 1) { return -1; } key_set->set_key_count[0] = apdu[curr++]; if (key_set->set_key_count[0] > MAX_UPDATE_KEY_COUNT) { return -1; } for (i = 0; i < (int)key_set->set_key_count[0]; i++) { res = decode_key_entry_safe(apdu + curr, apdu_len_remaining - curr, &key_set->set_keys[0][i]); if (res < 0) { return -1; } curr += res; } } if (key_set->set_rae[1]) { if (apdu_len_remaining - curr < 9) { return -1; } key_set->set_key_revision[1] = apdu[curr++]; curr += decode_unsigned32(&apdu[curr], &key_set->set_activation_time[1]); curr += decode_unsigned32(&apdu[curr], &key_set->set_expiration_time[1]); } if (key_set->set_ck[1]) { if (apdu_len_remaining - curr < 1) { return -1; } key_set->set_key_count[1] = apdu[curr++]; if (key_set->set_key_count[1] > MAX_UPDATE_KEY_COUNT) { return -1; } for (i = 0; i < (int)key_set->set_key_count[1]; i++) { res = decode_key_entry_safe(apdu + curr, apdu_len_remaining - curr, &key_set->set_keys[1][i]); if (res < 0) { return -1; } curr += res; } } return curr; } int decode_update_distribution_key_safe(uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_UPDATE_DISTRIBUTION_KEY *dist_key) { int curr = 0; int res; if (apdu_len_remaining < 1) { return -1; } dist_key->key_revision = apdu[curr++]; res = decode_key_entry_safe( &apdu[curr], apdu_len_remaining - curr, &dist_key->key); if (res < 0) { return -1; } return curr + res; } int decode_request_master_key_safe(uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_REQUEST_MASTER_KEY *req_master_key) { uint32_t curr = 0; if (apdu_len_remaining < 1) { return -1; } req_master_key->no_supported_algorithms = apdu[curr++]; if (apdu_len_remaining < curr + req_master_key->no_supported_algorithms) { return -1; } memcpy(req_master_key->es_algorithms, &apdu[curr], req_master_key->no_supported_algorithms); return (int)(curr + req_master_key->no_supported_algorithms); } int decode_set_master_key_safe(uint8_t *apdu, uint32_t apdu_len_remaining, BACNET_SET_MASTER_KEY *set_master_key) { return decode_key_entry_safe( apdu, apdu_len_remaining, &set_master_key->key); }