1 /* packet-zbee-security.c
2 * Dissector helper routines for encrypted ZigBee frames.
3 * By Owen Kirby <osk@exegin.com>; portions by Fred Fierling <fff@exegin.com>
4 * Copyright 2009 Exegin Technologies Limited
6 * Wireshark - Network traffic analyzer
7 * By Gerald Combs <gerald@wireshark.org>
8 * Copyright 1998 Gerald Combs
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License
12 * as published by the Free Software Foundation; either version 2
13 * of the License, or (at your option) any later version.
15 * This program is distributed in the hope that it will be useful,
16 * but WITHOUT ANY WARRANTY; without even the implied warranty of
17 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 * GNU General Public License for more details.
20 * You should have received a copy of the GNU General Public License
21 * along with this program; if not, write to the Free Software
22 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
29 #include <epan/packet.h>
30 #include <epan/exceptions.h>
32 #include <epan/prefs.h>
33 #include <epan/expert.h>
35 #include <epan/proto_data.h>
37 /* We require libgcrpyt in order to decrypt ZigBee packets. Without it the best
38 * we can do is parse the security header and give up.
40 #include <wsutil/wsgcrypt.h>
42 #include "packet-ieee802154.h"
43 #include "packet-zbee.h"
44 #include "packet-zbee-nwk.h"
45 #include "packet-zbee-security.h"
47 /* Helper Functions */
49 static void zbee_sec_key_hash(guint8 *, guint8, guint8 *);
50 static void zbee_sec_make_nonce (zbee_security_packet *, guint8 *);
51 static gboolean zbee_sec_decrypt_payload(zbee_security_packet *, const gchar *, const gchar, guint8 *,
52 guint, guint, guint8 *);
54 static gboolean zbee_security_parse_key(const gchar *, guint8 *, gboolean);
57 static int hf_zbee_sec_field = -1;
58 static int hf_zbee_sec_key_id = -1;
59 static int hf_zbee_sec_nonce = -1;
60 static int hf_zbee_sec_counter = -1;
61 static int hf_zbee_sec_src64 = -1;
62 static int hf_zbee_sec_key_seqno = -1;
63 static int hf_zbee_sec_mic = -1;
64 static int hf_zbee_sec_key = -1;
65 static int hf_zbee_sec_key_origin = -1;
66 static int hf_zbee_sec_decryption_key = -1;
68 /* Subtree pointers. */
69 static gint ett_zbee_sec = -1;
70 static gint ett_zbee_sec_control = -1;
72 static expert_field ei_zbee_sec_encrypted_payload = EI_INIT;
73 static expert_field ei_zbee_sec_encrypted_payload_sliced = EI_INIT;
74 static expert_field ei_zbee_sec_extended_source_unknown = EI_INIT;
76 static const value_string zbee_sec_key_names[] = {
77 { ZBEE_SEC_KEY_LINK, "Link Key" },
78 { ZBEE_SEC_KEY_NWK, "Network Key" },
79 { ZBEE_SEC_KEY_TRANSPORT, "Key-Transport Key" },
80 { ZBEE_SEC_KEY_LOAD, "Key-Load Key" },
85 /* These aren't really used anymore, as ZigBee no longer includes them in the
86 * security control field. If we were to display them all we would ever see is
89 static const value_string zbee_sec_level_names[] = {
90 { ZBEE_SEC_NONE, "None" },
91 { ZBEE_SEC_MIC32, "No Encryption, 32-bit MIC" },
92 { ZBEE_SEC_MIC64, "No Encryption, 64-bit MIC" },
93 { ZBEE_SEC_MIC128, "No Encryption, 128-bit MIC" },
94 { ZBEE_SEC_ENC, "Encryption, No MIC" },
95 { ZBEE_SEC_ENC_MIC32, "Encryption, 32-bit MIC" },
96 { ZBEE_SEC_ENC_MIC64, "Encryption, 64-bit MIC" },
97 { ZBEE_SEC_ENC_MIC128, "Encryption, 128-bit MIC" },
102 /* The ZigBee security level, in enum_val_t for the security preferences. */
103 static const enum_val_t zbee_sec_level_enums[] = {
104 { "None", "No Security", ZBEE_SEC_NONE },
105 { "MIC32", "No Encryption, 32-bit Integrity Protection", ZBEE_SEC_MIC32 },
106 { "MIC64", "No Encryption, 64-bit Integrity Protection", ZBEE_SEC_MIC64 },
107 { "MIC128", "No Encryption, 128-bit Integrity Protection", ZBEE_SEC_MIC128 },
108 { "ENC", "AES-128 Encryption, No Integrity Protection", ZBEE_SEC_ENC },
109 { "ENC-MIC32", "AES-128 Encryption, 32-bit Integrity Protection", ZBEE_SEC_ENC_MIC32 },
110 { "ENC-MIC64", "AES-128 Encryption, 64-bit Integrity Protection", ZBEE_SEC_ENC_MIC64 },
111 { "ENC-MIC128", "AES-128 Encryption, 128-bit Integrity Protection", ZBEE_SEC_ENC_MIC128 },
115 static gint gPREF_zbee_sec_level = ZBEE_SEC_ENC_MIC32;
116 static uat_t *zbee_sec_key_table_uat;
118 static const value_string byte_order_vals[] = {
125 typedef struct _uat_key_record_t {
131 UAT_CSTRING_CB_DEF(uat_key_records, string, uat_key_record_t)
132 UAT_VS_DEF(uat_key_records, byte_order, uat_key_record_t, guint8, 0, "Normal")
133 UAT_CSTRING_CB_DEF(uat_key_records, label, uat_key_record_t)
135 static GSList *zbee_pc_keyring = NULL;
136 static uat_key_record_t *uat_key_records = NULL;
137 static guint num_uat_key_records = 0;
139 static void* uat_key_record_copy_cb(void* n, const void* o, size_t siz _U_) {
140 uat_key_record_t* new_key = (uat_key_record_t *)n;
141 const uat_key_record_t* old_key = (const uat_key_record_t *)o;
143 if (old_key->string) {
144 new_key->string = g_strdup(old_key->string);
146 new_key->string = NULL;
149 if (old_key->label) {
150 new_key->label = g_strdup(old_key->label);
152 new_key->label = NULL;
155 new_key->byte_order = old_key->byte_order;
160 static gboolean uat_key_record_update_cb(void* r, char** err) {
161 uat_key_record_t* rec = (uat_key_record_t *)r;
162 guint8 key[ZBEE_SEC_CONST_KEYSIZE];
164 if (rec->string == NULL) {
165 *err = g_strdup("Key can't be blank");
168 g_strstrip(rec->string);
170 if (rec->string[0] != 0) {
172 if ( !zbee_security_parse_key(rec->string, key, rec->byte_order) ) {
173 *err = g_strdup_printf("Expecting %d hexadecimal bytes or\n"
174 "a %d character double-quoted string", ZBEE_SEC_CONST_KEYSIZE, ZBEE_SEC_CONST_KEYSIZE);
178 *err = g_strdup("Key can't be blank");
185 static void uat_key_record_free_cb(void*r) {
186 uat_key_record_t* key = (uat_key_record_t *)r;
188 if (key->string) g_free(key->string);
189 if (key->label) g_free(key->label);
192 static void uat_key_record_post_update(void) {
194 key_record_t key_record;
195 guint8 key[ZBEE_SEC_CONST_KEYSIZE];
197 /* empty the key ring */
198 if (zbee_pc_keyring) {
199 g_slist_free(zbee_pc_keyring);
200 zbee_pc_keyring = NULL;
203 /* Load the pre-configured slist from the UAT. */
204 for (i=0; (uat_key_records) && (i<num_uat_key_records) ; i++) {
205 key_record.frame_num = ZBEE_SEC_PC_KEY; /* means it's a user PC key */
206 key_record.label = g_strdup(uat_key_records[i].label);
207 if (zbee_security_parse_key(uat_key_records[i].string, key, uat_key_records[i].byte_order)) {
208 memcpy(key_record.key, key, ZBEE_SEC_CONST_KEYSIZE);
209 zbee_pc_keyring = g_slist_prepend(zbee_pc_keyring, g_memdup(&key_record, sizeof(key_record_t)));
215 * Enable this macro to use libgcrypt's CBC_MAC mode for the authentication
216 * phase. Unfortunately, this is broken, and I don't know why. However, using
217 * the messier EBC mode (to emulate CCM*) still works fine.
220 #define ZBEE_SEC_USE_GCRYPT_CBC_MAC
222 /*FUNCTION:------------------------------------------------------
224 * zbee_security_register
226 * Called by proto_register_zbee_nwk() to initialize the security
229 * module_t zbee_prefs - Prefs module to load preferences under.
232 *---------------------------------------------------------------
234 void zbee_security_register(module_t *zbee_prefs, int proto)
236 static hf_register_info hf[] = {
237 { &hf_zbee_sec_field,
238 { "Security Control Field", "zbee.sec.field", FT_UINT8, BASE_HEX, NULL,
241 { &hf_zbee_sec_key_id,
242 { "Key Id", "zbee.sec.key_id", FT_UINT8, BASE_HEX, VALS(zbee_sec_key_names),
243 ZBEE_SEC_CONTROL_KEY, NULL, HFILL }},
245 { &hf_zbee_sec_nonce,
246 { "Extended Nonce", "zbee.sec.ext_nonce", FT_BOOLEAN, 8, NULL, ZBEE_SEC_CONTROL_NONCE,
249 { &hf_zbee_sec_counter,
250 { "Frame Counter", "zbee.sec.counter", FT_UINT32, BASE_DEC, NULL, 0x0,
253 { &hf_zbee_sec_src64,
254 { "Extended Source", "zbee.sec.src64", FT_EUI64, BASE_NONE, NULL, 0x0,
257 { &hf_zbee_sec_key_seqno,
258 { "Key Sequence Number", "zbee.sec.key_seqno", FT_UINT8, BASE_DEC, NULL, 0x0,
262 { "Message Integrity Code", "zbee.sec.mic", FT_BYTES, BASE_NONE, NULL, 0x0,
266 { "Key", "zbee.sec.key", FT_BYTES, BASE_NONE, NULL, 0x0,
269 { &hf_zbee_sec_key_origin,
270 { "Key Origin", "zbee.sec.key.origin", FT_FRAMENUM, BASE_NONE, NULL, 0x0,
273 { &hf_zbee_sec_decryption_key,
274 { "Key Label", "zbee.sec.decryption_key", FT_STRING, BASE_NONE, NULL, 0x0,
278 static gint *ett[] = {
280 &ett_zbee_sec_control
283 static ei_register_info ei[] = {
284 { &ei_zbee_sec_encrypted_payload, { "zbee_sec.encrypted_payload", PI_UNDECODED, PI_WARN, "Encrypted Payload", EXPFILL }},
285 { &ei_zbee_sec_encrypted_payload_sliced, { "zbee_sec.encrypted_payload_sliced", PI_UNDECODED, PI_WARN, "Encrypted payload, cut short when capturing - can't decrypt", EXPFILL }},
286 { &ei_zbee_sec_extended_source_unknown, { "zbee_sec.extended_source_unknown", PI_PROTOCOL, PI_NOTE, "Extended Source: Unknown", EXPFILL }},
289 expert_module_t* expert_zbee_sec;
291 static uat_field_t key_uat_fields[] = {
292 UAT_FLD_CSTRING(uat_key_records, string, "Key",
293 "A 16-byte key in hexadecimal with optional dash-,\n"
294 "colon-, or space-separator characters, or a\n"
295 "a 16-character string in double-quotes."),
296 UAT_FLD_VS(uat_key_records, byte_order, "Byte Order", byte_order_vals,
297 "Byte order of key."),
298 UAT_FLD_CSTRING(uat_key_records, label, "Label", "User label for key."),
302 /* If no prefs module was supplied, register our own. */
303 if (zbee_prefs == NULL) {
304 zbee_prefs = prefs_register_protocol(proto, NULL);
307 /* Register preferences */
308 prefs_register_enum_preference(zbee_prefs, "seclevel", "Security Level",
309 "Specifies the security level to use in the\n"
310 "decryption process. This value is ignored\n"
311 "for ZigBee 2004 and unsecured networks.",
312 &gPREF_zbee_sec_level, zbee_sec_level_enums, FALSE);
314 zbee_sec_key_table_uat = uat_new("Pre-configured Keys",
315 sizeof(uat_key_record_t),
319 &num_uat_key_records,
320 UAT_AFFECTS_DISSECTION, /* affects dissection of packets, but not set of named fields */
321 NULL, /* TODO: ptr to help manual? */
322 uat_key_record_copy_cb,
323 uat_key_record_update_cb,
324 uat_key_record_free_cb,
325 uat_key_record_post_update,
329 prefs_register_uat_preference(zbee_prefs,
331 "Pre-configured Keys",
332 "Pre-configured link or network keys.",
333 zbee_sec_key_table_uat);
335 proto_register_field_array(proto, hf, array_length(hf));
336 proto_register_subtree_array(ett, array_length(ett));
337 expert_zbee_sec = expert_register_protocol(proto);
338 expert_register_field_array(expert_zbee_sec, ei, array_length(ei));
340 } /* zbee_security_register */
342 /*FUNCTION:------------------------------------------------------
344 * zbee_security_parse_key
346 * Parses a key string from left to right into a buffer with
347 * increasing (normal byte order) or decreasing (reverse byte
350 * const gchar *key_str - pointer to the string
351 * guint8 *key_buf - destination buffer in memory
352 * gboolean big_end - fill key_buf with incrementing address
355 *---------------------------------------------------------------
358 zbee_security_parse_key(const gchar *key_str, guint8 *key_buf, gboolean byte_order)
362 gboolean string_mode = FALSE;
365 memset(key_buf, 0, ZBEE_SEC_CONST_KEYSIZE);
366 if (key_str == NULL) {
371 * Attempt to parse the key string. The key string must
372 * be at least 16 pairs of hexidecimal digits with the
373 * following optional separators: ':', '-', " ", or 16
374 * alphanumeric characters after a double-quote.
376 if ( (temp = *key_str++) == '"') {
381 j = byte_order?ZBEE_SEC_CONST_KEYSIZE-1:0;
382 for (i=ZBEE_SEC_CONST_KEYSIZE-1; i>=0; i--) {
384 if ( g_ascii_isprint(temp) ) {
392 /* If this character is a separator, skip it. */
393 if ( (temp == ':') || (temp == '-') || (temp == ' ') ) temp = *(key_str++);
395 /* Process a nibble. */
396 if ( g_ascii_isxdigit (temp) ) key_buf[j] = g_ascii_xdigit_value(temp)<<4;
399 /* Get the next nibble. */
402 /* Process another nibble. */
403 if ( g_ascii_isxdigit (temp) ) key_buf[j] |= g_ascii_xdigit_value(temp);
406 /* Get the next nibble. */
410 /* Move key_buf pointer */
419 /* If we get this far, then the key was good. */
421 } /* zbee_security_parse_key */
423 /*FUNCTION:------------------------------------------------------
425 * dissect_zbee_secure
427 * Dissects and decrypts secured ZigBee frames.
429 * Will return a valid tvbuff only if security processing was
430 * successful. If processing fails, then this function will
431 * handle internally and return NULL.
433 * tvbuff_t *tvb - pointer to buffer containing raw packet.
434 * packet_info *pinfo - pointer to packet information fields
435 * proto_tree *tree - pointer to data tree Wireshark uses to display packet.
436 * guint offset - pointer to the start of the auxiliary security header.
437 * guint64 src64 - extended source address, or 0 if unknown.
440 *---------------------------------------------------------------
443 dissect_zbee_secure(tvbuff_t *tvb, packet_info *pinfo, proto_tree* tree, guint offset)
445 proto_tree *sec_tree;
447 zbee_security_packet packet;
450 tvbuff_t *payload_tvb;
452 #ifdef HAVE_LIBGCRYPT
454 proto_item *key_item;
458 GSList **nwk_keyring;
460 key_record_t *key_rec = NULL;
462 zbee_nwk_hints_t *nwk_hints;
463 ieee802154_hints_t *ieee_hints;
464 ieee802154_map_rec *map_rec = NULL;
466 static const int * sec_flags[] = {
473 memset(&packet, 0, sizeof(zbee_security_packet));
475 /* Get pointers to any useful frame data from lower layers */
476 nwk_hints = (zbee_nwk_hints_t *)p_get_proto_data(wmem_file_scope(), pinfo,
477 proto_get_id_by_filter_name(ZBEE_PROTOABBREV_NWK), 0);
478 ieee_hints = (ieee802154_hints_t *)p_get_proto_data(wmem_file_scope(), pinfo,
479 proto_get_id_by_filter_name(IEEE802154_PROTOABBREV_WPAN), 0);
481 /* Create a subtree for the security information. */
482 sec_tree = proto_tree_add_subtree(tree, tvb, offset, -1, ett_zbee_sec, NULL, "ZigBee Security Header");
484 /* Get and display the Security control field */
485 packet.control = tvb_get_guint8(tvb, offset);
487 /* Patch the security level. */
488 packet.control &= ~ZBEE_SEC_CONTROL_LEVEL;
489 packet.control |= (ZBEE_SEC_CONTROL_LEVEL & gPREF_zbee_sec_level);
492 * Eww, I think I just threw up a little... ZigBee requires this field
493 * to be patched before computing the MIC, but we don't have write-access
494 * to the tvbuff. So we need to allocate a copy of the whole thing just
495 * so we can fix these 3 bits. Memory allocated by tvb_memdup(wmem_packet_scope(),...)
496 * is automatically freed before the next packet is processed.
498 #ifdef HAVE_LIBGCRYPT
499 enc_buffer = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, 0, tvb_captured_length(tvb));
501 * Override the const qualifiers and patch the security level field, we
502 * know it is safe to overide the const qualifiers because we just
503 * allocated this memory via tvb_memdup(wmem_packet_scope(),...).
505 enc_buffer[offset] = packet.control;
506 #endif /* HAVE_LIBGCRYPT */
507 packet.level = zbee_get_bit_field(packet.control, ZBEE_SEC_CONTROL_LEVEL);
508 packet.key_id = zbee_get_bit_field(packet.control, ZBEE_SEC_CONTROL_KEY);
509 packet.nonce = zbee_get_bit_field(packet.control, ZBEE_SEC_CONTROL_NONCE);
511 proto_tree_add_bitmask(sec_tree, tvb, offset, hf_zbee_sec_field, ett_zbee_sec_control, sec_flags, ENC_NA);
514 /* Get and display the frame counter field. */
515 packet.counter = tvb_get_letohl(tvb, offset);
516 proto_tree_add_uint(sec_tree, hf_zbee_sec_counter, tvb, offset, 4, packet.counter);
520 /* Get and display the source address of the device that secured this payload. */
521 packet.src64 = tvb_get_letoh64(tvb, offset);
522 proto_tree_add_item(sec_tree, hf_zbee_sec_src64, tvb, offset, 8, ENC_LITTLE_ENDIAN);
524 if (!pinfo->fd->flags.visited) {
525 switch ( packet.key_id ) {
526 case ZBEE_SEC_KEY_LINK:
527 if (nwk_hints && ieee_hints) {
528 /* Map this long address with the nwk layer short address. */
529 nwk_hints->map_rec = ieee802154_addr_update(&zbee_nwk_map, nwk_hints->src,
530 ieee_hints->src_pan, packet.src64, pinfo->current_proto, pinfo->num);
534 case ZBEE_SEC_KEY_NWK:
536 /* Map this long address with the ieee short address. */
537 ieee_hints->map_rec = ieee802154_addr_update(&zbee_nwk_map, ieee_hints->src16,
538 ieee_hints->src_pan, packet.src64, pinfo->current_proto, pinfo->num);
542 /* We ignore the extended source addresses used to encrypt payloads with these
543 * types of keys, because they can emerge from APS tunnels created by nodes whose
544 * short address is not recorded in the packet. */
545 case ZBEE_SEC_KEY_TRANSPORT:
546 case ZBEE_SEC_KEY_LOAD:
554 /* Look for a source address in hints */
555 switch ( packet.key_id ) {
556 case ZBEE_SEC_KEY_NWK:
557 /* use the ieee extended source address for NWK decryption */
558 if ( ieee_hints && (map_rec = ieee_hints->map_rec) )
559 packet.src64 = map_rec->addr64;
561 proto_tree_add_expert(sec_tree, pinfo, &ei_zbee_sec_extended_source_unknown, tvb, 0, 0);
565 /* use the nwk extended source address for APS decryption */
566 if ( nwk_hints && (map_rec = nwk_hints->map_rec) )
567 packet.src64 = map_rec->addr64;
569 proto_tree_add_expert(sec_tree, pinfo, &ei_zbee_sec_extended_source_unknown, tvb, 0, 0);
574 if (packet.key_id == ZBEE_SEC_KEY_NWK) {
575 /* Get and display the key sequence number. */
576 packet.key_seqno = tvb_get_guint8(tvb, offset);
577 proto_tree_add_uint(sec_tree, hf_zbee_sec_key_seqno, tvb, offset, 1, packet.key_seqno);
581 /* Determine the length of the MIC. */
582 switch (packet.level) {
589 case ZBEE_SEC_ENC_MIC32:
594 case ZBEE_SEC_ENC_MIC64:
599 case ZBEE_SEC_ENC_MIC128:
600 case ZBEE_SEC_MIC128:
605 /* Get and display the MIC. */
607 /* Display the MIC. */
608 proto_tree_add_item(sec_tree, hf_zbee_sec_mic, tvb, (gint)(tvb_captured_length(tvb)-mic_len),
612 /* Check for null payload. */
613 payload_len = tvb_reported_length_remaining(tvb, offset+mic_len);
614 if (payload_len == 0)
617 /**********************************************
618 * Perform Security Operations on the Frame *
619 **********************************************
621 if ((packet.level == ZBEE_SEC_NONE) ||
622 (packet.level == ZBEE_SEC_MIC32) ||
623 (packet.level == ZBEE_SEC_MIC64) ||
624 (packet.level == ZBEE_SEC_MIC128)) {
626 /* Payload is only integrity protected. Just return the sub-tvbuff. */
627 return tvb_new_subset_length(tvb, offset, payload_len);
630 #ifdef HAVE_LIBGCRYPT
631 /* Have we captured all the payload? */
632 if (tvb_captured_length_remaining(tvb, offset+mic_len) < payload_len) {
634 * No - don't try to decrypt it.
636 * XXX - it looks as if the decryption code is assuming we have the
637 * MIC, which won't be the case if the packet was cut short. Is
638 * that in fact that case, or can we still make this work with a
639 * partially-captured packet?
641 /* Add expert info. */
642 expert_add_info(pinfo, sec_tree, &ei_zbee_sec_encrypted_payload_sliced);
643 /* Create a buffer for the undecrypted payload. */
644 payload_tvb = tvb_new_subset_length(tvb, offset, payload_len);
645 /* Dump the payload to the data dissector. */
646 call_data_dissector(payload_tvb, pinfo, tree);
647 /* Couldn't decrypt, so return NULL. */
651 /* Allocate memory to decrypt the payload into. */
652 dec_buffer = (guint8 *)wmem_alloc(pinfo->pool, payload_len);
655 if ( packet.src64 ) {
656 if (pinfo->fd->flags.visited) {
658 /* Use previously found key */
659 switch ( packet.key_id ) {
660 case ZBEE_SEC_KEY_NWK:
661 if ( (key_rec = nwk_hints->nwk) ) {
662 decrypted = zbee_sec_decrypt_payload( &packet, enc_buffer, offset, dec_buffer,
663 payload_len, mic_len, nwk_hints->nwk->key);
668 if ( (key_rec = nwk_hints->link) ) {
669 decrypted = zbee_sec_decrypt_payload( &packet, enc_buffer, offset, dec_buffer,
670 payload_len, mic_len, nwk_hints->link->key);
675 } /* ( !pinfo->fd->flags.visited ) */
677 /* We only search for sniffed keys in the first pass,
678 * to save time, and because decrypting with keys
679 * transported in future packets is cheating */
681 /* Lookup NWK and link key in hash for this pan. */
682 /* This overkill approach is a placeholder for a hash that looks up
683 * a key ring for a link key associated with a pair of devices.
686 nwk_keyring = (GSList **)g_hash_table_lookup(zbee_table_nwk_keyring, &nwk_hints->src_pan);
689 GSList_i = *nwk_keyring;
690 while ( GSList_i && !decrypted ) {
691 decrypted = zbee_sec_decrypt_payload( &packet, enc_buffer, offset, dec_buffer,
692 payload_len, mic_len, ((key_record_t *)(GSList_i->data))->key);
695 /* save pointer to the successful key record */
696 switch (packet.key_id) {
697 case ZBEE_SEC_KEY_NWK:
698 key_rec = nwk_hints->nwk = (key_record_t *)(GSList_i->data);
702 key_rec = nwk_hints->link = (key_record_t *)(GSList_i->data);
706 GSList_i = g_slist_next(GSList_i);
711 /* Loop through user's password table for preconfigured keys, our last resort */
712 GSList_i = zbee_pc_keyring;
713 while ( GSList_i && !decrypted ) {
714 decrypted = zbee_sec_decrypt_payload( &packet, enc_buffer, offset, dec_buffer,
715 payload_len, mic_len, ((key_record_t *)(GSList_i->data))->key);
718 /* save pointer to the successful key record */
719 switch (packet.key_id) {
720 case ZBEE_SEC_KEY_NWK:
721 key_rec = nwk_hints->nwk = (key_record_t *)(GSList_i->data);
725 key_rec = nwk_hints->link = (key_record_t *)(GSList_i->data);
729 GSList_i = g_slist_next(GSList_i);
733 } /* ( ! pinfo->fd->flags.visited ) */
734 } /* ( packet.src64 ) */
737 if ( tree && key_rec ) {
738 key_item = proto_tree_add_bytes(sec_tree, hf_zbee_sec_key, tvb, 0, ZBEE_SEC_CONST_KEYSIZE, key_rec->key);
739 PROTO_ITEM_SET_GENERATED(key_item);
741 if ( key_rec->frame_num == ZBEE_SEC_PC_KEY ) {
742 ti = proto_tree_add_string(sec_tree, hf_zbee_sec_decryption_key, tvb, 0, 0, key_rec->label);
744 ti = proto_tree_add_uint(sec_tree, hf_zbee_sec_key_origin, tvb, 0, 0,
747 PROTO_ITEM_SET_GENERATED(ti);
750 /* Found a key that worked, setup the new tvbuff_t and return */
751 payload_tvb = tvb_new_child_real_data(tvb, dec_buffer, payload_len, payload_len);
752 add_new_data_source(pinfo, payload_tvb, "Decrypted ZigBee Payload");
757 #endif /* HAVE_LIBGCRYPT */
759 /* Add expert info. */
760 expert_add_info(pinfo, sec_tree, &ei_zbee_sec_encrypted_payload);
761 /* Create a buffer for the undecrypted payload. */
762 payload_tvb = tvb_new_subset_length(tvb, offset, payload_len);
763 /* Dump the payload to the data dissector. */
764 call_data_dissector(payload_tvb, pinfo, tree);
765 /* Couldn't decrypt, so return NULL. */
767 } /* dissect_zbee_secure */
769 #ifdef HAVE_LIBGCRYPT
770 /*FUNCTION:------------------------------------------------------
772 * zbee_sec_decrypt_payload
774 * Creates a nonce and decrypts a secured payload.
776 * gchar *nonce - Nonce Buffer.
777 * zbee_security_packet *packet - Security information.
780 *---------------------------------------------------------------
783 zbee_sec_decrypt_payload(zbee_security_packet *packet, const gchar *enc_buffer, const gchar offset, guint8 *dec_buffer,
784 guint payload_len, guint mic_len, guint8 *key)
786 guint8 nonce[ZBEE_SEC_CONST_NONCE_LEN];
787 guint8 buffer[ZBEE_SEC_CONST_BLOCKSIZE+1];
788 guint8 *key_buffer = buffer;
790 switch (packet->key_id) {
791 case ZBEE_SEC_KEY_NWK:
792 /* Decrypt with the PAN's current network key */
793 case ZBEE_SEC_KEY_LINK:
794 /* Decrypt with the unhashed link key assigned by the trust center to this
795 * source/destination pair */
799 case ZBEE_SEC_KEY_TRANSPORT:
800 /* Decrypt with a Key-Transport key, a hashed link key that protects network
801 * keys sent from the trust center */
802 zbee_sec_key_hash(key, 0x00, buffer);
806 case ZBEE_SEC_KEY_LOAD:
807 /* Decrypt with a Key-Load key, a hashed link key that protects link keys
808 * sent from the trust center. */
809 zbee_sec_key_hash(key, 0x02, buffer);
817 /* Perform Decryption. */
818 zbee_sec_make_nonce(packet, nonce);
820 if ( zbee_sec_ccm_decrypt(key_buffer, /* key */
822 enc_buffer, /* a, length l(a) */
823 enc_buffer+offset, /* c, length l(c) = l(m) + M */
824 dec_buffer, /* m, length l(m) */
826 payload_len, /* l(m) */
833 /*FUNCTION:------------------------------------------------------
835 * zbee_sec_make_nonce
837 * Fills in the ZigBee security nonce from the provided security
840 * zbee_security_packet *packet - Security information.
841 * gchar *nonce - Nonce Buffer.
844 *---------------------------------------------------------------
847 zbee_sec_make_nonce(zbee_security_packet *packet, guint8 *nonce)
849 /* First 8 bytes are the extended source address (little endian). */
850 *(nonce++) = (guint8)((packet->src64)>>0 & 0xff);
851 *(nonce++) = (guint8)((packet->src64)>>8 & 0xff);
852 *(nonce++) = (guint8)((packet->src64)>>16 & 0xff);
853 *(nonce++) = (guint8)((packet->src64)>>24 & 0xff);
854 *(nonce++) = (guint8)((packet->src64)>>32 & 0xff);
855 *(nonce++) = (guint8)((packet->src64)>>40 & 0xff);
856 *(nonce++) = (guint8)((packet->src64)>>48 & 0xff);
857 *(nonce++) = (guint8)((packet->src64)>>56 & 0xff);
858 /* Next 4 bytes are the frame counter (little endian). */
859 *(nonce++) = (guint8)((packet->counter)>>0 & 0xff);
860 *(nonce++) = (guint8)((packet->counter)>>8 & 0xff);
861 *(nonce++) = (guint8)((packet->counter)>>16 & 0xff);
862 *(nonce++) = (guint8)((packet->counter)>>24 & 0xff);
863 /* Next byte is the security control field. */
864 *(nonce) = packet->control;
865 } /* zbee_sec_make_nonce */
868 #ifdef HAVE_LIBGCRYPT
869 /*FUNCTION:------------------------------------------------------
871 * zbee_sec_ccm_decrypt
873 * Performs the Reverse CCM* Transformation (specified in
874 * section A.3 of ZigBee Specification (053474r17).
876 * The length of parameter c (l(c)) is derived from the length
877 * of the payload and length of the MIC tag. Input buffer a
878 * will NOT be modified.
880 * When l_m is 0, then there is no payload to encrypt (ie: the
881 * payload is in plaintext), and this function will perform
882 * MIC verification only. When l_m is 0, m may be NULL.
884 * gchar *key - ZigBee Security Key (must be ZBEE_SEC_CONST_KEYSIZE) in length.
885 * gchar *nonce - ZigBee CCM* Nonce (must be ZBEE_SEC_CONST_NONCE_LEN) in length.
886 * gchar *a - CCM* Parameter a (must be l(a) in length). Additional data covered
887 * by the authentication process.
888 * gchar *c - CCM* Parameter c (must be l(c) = l(m) + M in length). Encrypted
889 * payload + encrypted authentication tag U.
890 * gchar *m - CCM* Output (must be l(m) in length). Decrypted Payload.
891 * guint l_a - l(a), length of CCM* parameter a.
892 * guint l_m - l(m), length of expected payload.
893 * guint M - M, length of CCM* authentication tag.
895 * gboolean - TRUE if successful.
896 *---------------------------------------------------------------
899 zbee_sec_ccm_decrypt(const gchar *key, /* Input */
900 const gchar *nonce, /* Input */
901 const gchar *a, /* Input */
902 const gchar *c, /* Input */
903 gchar *m, /* Output */
904 guint l_a, /* sizeof(a) */
905 guint l_m, /* sizeof(m) */
906 guint M) /* sizeof(c) - sizeof(m) = sizeof(MIC) */
908 guint8 cipher_in[ZBEE_SEC_CONST_BLOCKSIZE];
909 guint8 cipher_out[ZBEE_SEC_CONST_BLOCKSIZE];
910 guint8 decrypted_mic[ZBEE_SEC_CONST_BLOCKSIZE];
912 /* Cipher Instance. */
913 gcry_cipher_hd_t cipher_hd;
916 if (M > ZBEE_SEC_CONST_BLOCKSIZE) return FALSE;
918 * The CCM* counter is L bytes in length, ensure that the payload
919 * isn't long enough to overflow it.
921 if ((1 + (l_a/ZBEE_SEC_CONST_BLOCKSIZE)) > (1<<(ZBEE_SEC_CONST_L*8))) return FALSE;
923 /******************************************************
924 * Step 1: Encryption/Decryption Transformation
925 ******************************************************
927 /* Create the CCM* counter block A0 */
928 memset(cipher_in, 0, ZBEE_SEC_CONST_BLOCKSIZE);
929 cipher_in[0] = ZBEE_SEC_CCM_FLAG_L;
930 memcpy(cipher_in + 1, nonce, ZBEE_SEC_CONST_NONCE_LEN);
932 * The encryption/decryption process of CCM* works in CTR mode. Open a CTR
933 * mode cipher for this phase. NOTE: The 'counter' part of the CCM* counter
934 * block is the last two bytes, and is big-endian.
936 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 0)) {
940 if (gcry_cipher_setkey(cipher_hd, key, ZBEE_SEC_CONST_KEYSIZE)) {
941 gcry_cipher_close(cipher_hd);
944 /* Set the counter. */
945 if (gcry_cipher_setctr(cipher_hd, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE)) {
946 gcry_cipher_close(cipher_hd);
950 * Copy the MIC into the stack buffer. We need to feed the cipher a full
951 * block when decrypting the MIC (so that the payload starts on the second
952 * block). However, the MIC may be less than a full block so use a fixed
953 * size buffer to store the MIC, letting the CTR cipher overstep the MIC
956 memset(decrypted_mic, 0, ZBEE_SEC_CONST_BLOCKSIZE);
957 memcpy(decrypted_mic, c + l_m, M);
958 /* Encrypt/Decrypt the MIC in-place. */
959 if (gcry_cipher_encrypt(cipher_hd, decrypted_mic, ZBEE_SEC_CONST_BLOCKSIZE, decrypted_mic, ZBEE_SEC_CONST_BLOCKSIZE)) {
960 gcry_cipher_close(cipher_hd);
963 /* Encrypt/Decrypt the payload. */
964 if (gcry_cipher_encrypt(cipher_hd, m, l_m, c, l_m)) {
965 gcry_cipher_close(cipher_hd);
968 /* Done with the CTR Cipher. */
969 gcry_cipher_close(cipher_hd);
971 /******************************************************
972 * Step 3: Authentication Transformation
973 ******************************************************
976 /* There is no authentication tag. We're done! */
980 * The authentication process in CCM* operates in CBC-MAC mode, but
981 * unfortunately, the input to the CBC-MAC process needs some substantial
982 * transformation and padding before we can feed it into the CBC-MAC
983 * algorithm. Instead we will operate in ECB mode and perform the
984 * transformation and padding on the fly.
986 * I also think that libgcrypt requires the input to be memory-aligned
987 * when using CBC-MAC mode, in which case can't just feed it with data
988 * from the packet buffer. All things considered it's just a lot easier
989 * to use ECB mode and do CBC-MAC manually.
991 /* Re-open the cipher in ECB mode. */
992 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_ECB, 0)) {
995 /* Re-load the key. */
996 if (gcry_cipher_setkey(cipher_hd, key, ZBEE_SEC_CONST_KEYSIZE)) {
997 gcry_cipher_close(cipher_hd);
1000 /* Generate the first cipher block B0. */
1001 cipher_in[0] = ZBEE_SEC_CCM_FLAG_M(M) |
1002 ZBEE_SEC_CCM_FLAG_ADATA(l_a) |
1003 ZBEE_SEC_CCM_FLAG_L;
1004 memcpy(cipher_in+sizeof(gchar), nonce, ZBEE_SEC_CONST_NONCE_LEN);
1005 for (i=0;i<ZBEE_SEC_CONST_L; i++) {
1006 cipher_in[(ZBEE_SEC_CONST_BLOCKSIZE-1)-i] = (l_m >> (8*i)) & 0xff;
1008 /* Generate the first cipher block, X1 = E(Key, 0^128 XOR B0). */
1009 if (gcry_cipher_encrypt(cipher_hd, cipher_out, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE)) {
1010 gcry_cipher_close(cipher_hd);
1014 * We avoid mallocing() big chunks of memory by recycling small stack
1015 * buffers for the encryption process. Throughout this process, j is always
1016 * pointed to the position within the current buffer.
1019 /* AuthData = L(a) || a || Padding || m || Padding
1021 * - an empty string if l(a) == 0.
1022 * - 2-octet encoding of l(a) if 0 < l(a) < (2^16 - 2^8)
1023 * - 0xff || 0xfe || 4-octet encoding of l(a) if (2^16 - 2^8) <= l(a) < 2^32
1024 * - 0xff || 0xff || 8-octet encoding of l(a)
1025 * But for ZigBee, the largest packet size we should ever see is 2^7, so we
1026 * are only really concerned with the first two cases.
1028 * To generate the MIC tag CCM* operates similar to CBC-MAC mode. Each block
1029 * of AuthData is XOR'd with the last block of cipher output to produce the
1030 * next block of cipher output. Padding sections have the minimum non-negative
1031 * length such that the padding ends on a block boundary. Padded bytes are 0.
1034 /* Process L(a) into the cipher block. */
1035 cipher_in[j] = cipher_out[j] ^ ((l_a >> 8) & 0xff);
1037 cipher_in[j] = cipher_out[j] ^ ((l_a >> 0) & 0xff);
1039 /* Process a into the cipher block. */
1040 for (i=0;i<l_a;i++,j++) {
1041 if (j>=ZBEE_SEC_CONST_BLOCKSIZE) {
1042 /* Generate the next cipher block. */
1043 if (gcry_cipher_encrypt(cipher_hd, cipher_out, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in,
1044 ZBEE_SEC_CONST_BLOCKSIZE)) {
1045 gcry_cipher_close(cipher_hd);
1048 /* Reset j to point back to the start of the new cipher block. */
1051 /* Cipher in = cipher_out ^ a */
1052 cipher_in[j] = cipher_out[j] ^ a[i];
1054 /* Process padding into the cipher block. */
1055 for (;j<ZBEE_SEC_CONST_BLOCKSIZE;j++)
1056 cipher_in[j] = cipher_out[j];
1058 /* Process m into the cipher block. */
1059 for (i=0; i<l_m; i++, j++) {
1060 if (j>=ZBEE_SEC_CONST_BLOCKSIZE) {
1061 /* Generate the next cipher block. */
1062 if (gcry_cipher_encrypt(cipher_hd, cipher_out, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in,
1063 ZBEE_SEC_CONST_BLOCKSIZE)) {
1064 gcry_cipher_close(cipher_hd);
1067 /* Reset j to point back to the start of the new cipher block. */
1070 /* Cipher in = cipher out ^ m */
1071 cipher_in[j] = cipher_out[j] ^ m[i];
1074 for (;j<ZBEE_SEC_CONST_BLOCKSIZE;j++)
1075 cipher_in[j] = cipher_out[j];
1076 /* Generate the last cipher block, which will be the MIC tag. */
1077 if (gcry_cipher_encrypt(cipher_hd, cipher_out, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE)) {
1078 gcry_cipher_close(cipher_hd);
1081 /* Done with the Cipher. */
1082 gcry_cipher_close(cipher_hd);
1084 /* Compare the MIC's */
1085 return (memcmp(cipher_out, decrypted_mic, M) == 0);
1086 } /* zbee_ccm_decrypt */
1088 /*FUNCTION:------------------------------------------------------
1092 * ZigBee Cryptographic Hash Function, described in ZigBee
1093 * specification sections B.1.3 and B.6.
1095 * This is a Matyas-Meyer-Oseas hash function using the AES-128
1096 * cipher. We use the ECB mode of libgcrypt to get a raw block
1099 * Input may be any length, and the output must be exactly 1-block in length.
1101 * Implements the function:
1102 * Hash(text) = Hash[t];
1103 * Hash[0] = 0^(blocksize).
1104 * Hash[i] = E(Hash[i-1], M[i]) XOR M[j];
1105 * M[i] = i'th block of text, with some padding and flags concatenated.
1107 * guint8 * input - Hash Input (any length).
1108 * guint8 input_len - Hash Input Length.
1109 * guint8 * output - Hash Output (exactly one block in length).
1112 *---------------------------------------------------------------
1115 zbee_sec_hash(guint8 *input, guint input_len, guint8 *output)
1117 guint8 cipher_in[ZBEE_SEC_CONST_BLOCKSIZE];
1119 /* Cipher Instance. */
1120 gcry_cipher_hd_t cipher_hd;
1122 /* Clear the first hash block (Hash0). */
1123 memset(output, 0, ZBEE_SEC_CONST_BLOCKSIZE);
1124 /* Create the cipher instance in ECB mode. */
1125 if (gcry_cipher_open(&cipher_hd, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_ECB, 0)) {
1126 return; /* Failed. */
1128 /* Create the subsequent hash blocks using the formula: Hash[i] = E(Hash[i-1], M[i]) XOR M[i]
1130 * because we can't guarantee that M will be exactly a multiple of the
1131 * block size, we will need to copy it into local buffers and pad it.
1133 * Note that we check for the next cipher block at the end of the loop
1134 * rather than the start. This is so that if the input happens to end
1135 * on a block boundary, the next cipher block will be generated for the
1136 * start of the padding to be placed into.
1140 while (i<input_len) {
1141 /* Copy data into the cipher input. */
1142 cipher_in[j++] = input[i++];
1143 /* Check if this cipher block is done. */
1144 if (j >= ZBEE_SEC_CONST_BLOCKSIZE) {
1145 /* We have reached the end of this block. Process it with the
1146 * cipher, note that the Key input to the cipher is actually
1147 * the previous hash block, which we are keeping in output.
1149 (void)gcry_cipher_setkey(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE);
1150 (void)gcry_cipher_encrypt(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE);
1151 /* Now we have to XOR the input into the hash block. */
1152 for (j=0;j<ZBEE_SEC_CONST_BLOCKSIZE;j++) output[j] ^= cipher_in[j];
1153 /* Reset j to start again at the beginning at the next block. */
1157 /* Need to append the bit '1', followed by '0' padding long enough to end
1158 * the hash input on a block boundary. However, because 'n' is 16, and 'l'
1159 * will be a multiple of 8, the padding will be >= 7-bits, and we can just
1160 * append the byte 0x80.
1162 cipher_in[j++] = 0x80;
1163 /* Pad with '0' until the the current block is exactly 'n' bits from the
1166 while (j!=(ZBEE_SEC_CONST_BLOCKSIZE-2)) {
1167 if (j >= ZBEE_SEC_CONST_BLOCKSIZE) {
1168 /* We have reached the end of this block. Process it with the
1169 * cipher, note that the Key input to the cipher is actually
1170 * the previous hash block, which we are keeping in output.
1172 (void)gcry_cipher_setkey(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE);
1173 (void)gcry_cipher_encrypt(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE);
1174 /* Now we have to XOR the input into the hash block. */
1175 for (j=0;j<ZBEE_SEC_CONST_BLOCKSIZE;j++) output[j] ^= cipher_in[j];
1176 /* Reset j to start again at the beginning at the next block. */
1179 /* Pad the input with 0. */
1180 cipher_in[j++] = 0x00;
1182 /* Add the 'n'-bit representation of 'l' to the end of the block. */
1183 cipher_in[j++] = ((input_len * 8) >> 8) & 0xff;
1184 cipher_in[j] = ((input_len * 8) >> 0) & 0xff;
1185 /* Process the last cipher block. */
1186 (void)gcry_cipher_setkey(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE);
1187 (void)gcry_cipher_encrypt(cipher_hd, output, ZBEE_SEC_CONST_BLOCKSIZE, cipher_in, ZBEE_SEC_CONST_BLOCKSIZE);
1188 /* XOR the last input block back into the cipher output to get the hash. */
1189 for (j=0;j<ZBEE_SEC_CONST_BLOCKSIZE;j++) output[j] ^= cipher_in[j];
1190 /* Cleanup the cipher. */
1191 gcry_cipher_close(cipher_hd);
1193 } /* zbee_sec_hash */
1195 /*FUNCTION:------------------------------------------------------
1199 * ZigBee Keyed Hash Function. Described in ZigBee specification
1200 * section B.1.4, and in FIPS Publication 198. Strictly speaking
1201 * there is nothing about the Keyed Hash Function which restricts
1202 * it to only a single byte input, but that's all ZigBee ever uses.
1204 * This function implements the hash function:
1205 * Hash(Key, text) = H((Key XOR opad) || H((Key XOR ipad) || text));
1206 * ipad = 0x36 repeated.
1207 * opad = 0x5c repeated.
1208 * H() = ZigBee Cryptographic Hash (B.1.3 and B.6).
1210 * guint8 *key - ZigBee Security Key (must be ZBEE_SEC_CONST_KEYSIZE) in length.
1211 * guint8 input - ZigBee CCM* Nonce (must be ZBEE_SEC_CONST_NONCE_LEN) in length.
1212 * guint8 *hash_out - buffer into which the key-hashed output is placed
1215 *---------------------------------------------------------------
1218 zbee_sec_key_hash(guint8 *key, guint8 input, guint8 *hash_out)
1220 guint8 hash_in[2*ZBEE_SEC_CONST_BLOCKSIZE];
1222 static const guint8 ipad = 0x36;
1223 static const guint8 opad = 0x5c;
1225 /* Copy the key into hash_in and XOR with opad to form: (Key XOR opad) */
1226 for (i=0; i<ZBEE_SEC_CONST_KEYSIZE; i++) hash_in[i] = key[i] ^ opad;
1227 /* Copy the Key into hash_out and XOR with ipad to form: (Key XOR ipad) */
1228 for (i=0; i<ZBEE_SEC_CONST_KEYSIZE; i++) hash_out[i] = key[i] ^ ipad;
1229 /* Append the input byte to form: (Key XOR ipad) || text. */
1230 hash_out[ZBEE_SEC_CONST_BLOCKSIZE] = input;
1231 /* Hash the contents of hash_out and append the contents to hash_in to
1232 * form: (Key XOR opad) || H((Key XOR ipad) || text).
1234 zbee_sec_hash(hash_out, ZBEE_SEC_CONST_BLOCKSIZE+1, hash_in+ZBEE_SEC_CONST_BLOCKSIZE);
1235 /* Hash the contents of hash_in to get the final result. */
1236 zbee_sec_hash(hash_in, 2*ZBEE_SEC_CONST_BLOCKSIZE, hash_out);
1237 } /* zbee_sec_key_hash */
1238 #else /* HAVE_LIBGCRYPT */
1240 zbee_sec_ccm_decrypt(const gchar *key _U_, /* Input */
1241 const gchar *nonce _U_, /* Input */
1242 const gchar *a _U_, /* Input */
1243 const gchar *c _U_, /* Input */
1244 gchar *m _U_, /* Output */
1245 guint l_a _U_, /* sizeof(a) */
1246 guint l_m _U_, /* sizeof(m) */
1247 guint M _U_) /* sizeof(c) - sizeof(m) = sizeof(MIC) */
1249 /* No libgcrypt, no decryption. */
1252 #endif /* HAVE_LIBGCRYPT */
1255 * Editor modelines - http://www.wireshark.org/tools/modelines.html
1260 * indent-tabs-mode: nil
1263 * vi: set shiftwidth=4 tabstop=8 expandtab:
1264 * :indentSize=4:tabSize=8:noTabs=true: