Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[knx] Allow decoding of KNX Data Secure frames #12434

Merged
merged 4 commits into from
Sep 15, 2024

Conversation

holgerfriedrich
Copy link
Member

@holgerfriedrich holgerfriedrich commented Mar 6, 2022

  • add passive (listening only) access for KNX Data Secure frames, [knx] support for KNX secure #8872
  • add config options for KNX keyring file and password
  • ease setup if IP Secure, as required parameters can be read from keyring
  • add tests for security functions
  • update user documentation

Signed-off-by: Holger Friedrich mail@holger-friedrich.de

@holgerfriedrich
Copy link
Member Author

holgerfriedrich commented Mar 6, 2022

This PR brings support to KNX IP secure, and partial support for KNX data secure (listening only). See previous discussions in #8872.

What has been tested:

  • Secure tunneling, seems to work fine for a few days

What is to be tested by someone else:

  • Secure routing (don't have a secure router at hand)

@holgerfriedrich holgerfriedrich force-pushed the pr-knx-ip-secure branch 2 times, most recently from 2e2d5d3 to ca6de24 Compare March 6, 2022 16:33
@holgerfriedrich
Copy link
Member Author

@kaikreuzer I followed your advise and have only included the passive support for data secure. Outgoing writes and poll requests for secure group adresses are dropped at lowest level.

Though, when I change a switch connected to a secure GA, the event log still shows the "Item ... predicted to become ..." (which of course will not happen as I drop the write). Is there a clean way to signal a failed write to the upper layer? Throwing an exception is probably too much, as it gets logged with a full stack trace.

@wborn wborn added the enhancement An enhancement or new feature for an existing add-on label Mar 6, 2022
<default>false</default>
<advanced>true</advanced>
</parameter>
<parameter name="keyringFile" type="text" groupName="knxsecure">
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't it make sense to add that directly to the JSON database (i.e. add the file content directly here instead of a filename).

Copy link
Member Author

@holgerfriedrich holgerfriedrich Mar 7, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@J-N-K thanks for looking into this. I am not sure. At least there are a few practical reasons to keep it as a separate file:

  • keyring files need to be replaced everytime you add devices or secure group adresses, this is much easier if you can copy it over using scp
  • Calimero Keyring expects an URI for a file location, and does not provide other constructors besides Keyring::load()
  • Keyring files contain a signature, which might be invalid if we use a copy-paste approach here....

@wborn wborn added the work in progress A PR that is not yet ready to be merged label Mar 9, 2022
@holgerfriedrich holgerfriedrich changed the title [knx] add initial support for KNX secure [WIP] [knx] add initial support for KNX secure Mar 11, 2022
@openhab-bot
Copy link
Collaborator

This pull request has been mentioned on openHAB Community. There might be relevant details there:

https://community.openhab.org/t/knx-secure-initial-implementation/134133/1

@holgerfriedrich holgerfriedrich force-pushed the pr-knx-ip-secure branch 2 times, most recently from 2553802 to 021cd88 Compare March 14, 2022 23:40
@holgerfriedrich holgerfriedrich force-pushed the pr-knx-ip-secure branch 7 times, most recently from 84bc872 to 14daa8d Compare April 9, 2022 19:42
@holgerfriedrich
Copy link
Member Author

holgerfriedrich commented Apr 12, 2022

@slueder
During the last days, I tried to factor out everything which was not related to the feature itself. Give me a few days until I have a "release candidate" to test.

Not sure about the problem with Keyring files you mentioned in #8872. I have added several keyrings to the tests in this PR, all working fine. Spaces may be a problem, the code uses trim() to strip whitespace (maybe I will remove that).
Overall, for the first merge it might be way to remove the whole keyring stuff and go for the password parameters. If we cannot find out why keyrings are not working for you, this will be the way. Though, for me the keyring is working fine and gives the additional benefit that openHAB can listen to and decode data secure GAs as well....

Which branch did you use for your testing?

@slueder
Copy link

slueder commented Apr 14, 2022

@holgerfriedrich

I retested the keyring approach with the latest version of ETS (6.0.4) and reasonably strong keyring export passwords (8 characters, consisting of upper & lower letters, digits and a limited set of special chars :#,;) and it worked now.

I am using commit ID holgerfriedrich@c7114f5

Happy to re-test as soon as you let me know.

@florian-h05
Copy link
Contributor

Just FYI you program KNX using a program called ETS and the keyring required here is exported from the ETS, it’s the same keyring that allows the ETS full access to the KNX bus.

@lsiepel
Copy link
Contributor

lsiepel commented Aug 20, 2024

@holgerfriedrich did this PR get some test mileage on different installations ?

@holgerfriedrich
Copy link
Member Author

@lsiepel unfortunately not yet, at least not after the rebase and latest modifications.

I typically deploy to RPI, and I am using Enertex IP interface (connected via IP, with IP secure), Weinzierl 730 (IP w/o IP secure), or Weinzierl kBerry (RPI hat, using serial connection).

Give me some time to double check that data secure (decoding incoming encrypted frames) still works as expected.....

Copy link
Contributor

@lsiepel lsiepel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Left two comments. LGTM, but ift would also be nice of @J-N-K and @florian-h05 to confirm.

@florian-h05
Copy link
Contributor

I am currently busy till beginning of October, but then should be able to review.

Copy link
Contributor

@lsiepel lsiepel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, let's wait for @florian-h05's review before merge.

* add passive (listening only) access for KNX Data Secure frames, openhab#8872
* add config options for KNX keyring file and password
* ease setup if IP Secure, as required parameters can be read from keyring
* add tests for security functions
* update user documentation

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
@holgerfriedrich holgerfriedrich added rebuild Triggers Jenkins PR build and removed rebuild Triggers Jenkins PR build labels Sep 15, 2024
@holgerfriedrich
Copy link
Member Author

Accidentally pushed to this PR when working on a followup PR, rolled back, rebased to current main as a force push was anyway necessary.
Sorry for the noise.

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
Copy link
Contributor

@florian-h05 florian-h05 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM, thanks! Just one minor comment:

I would have loved to give it a try, but I don't have KNX Data nor IP Secure devices.
I have of course tested it against my system - everything still works as expected.

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
@holgerfriedrich holgerfriedrich added rebuild Triggers Jenkins PR build and removed rebuild Triggers Jenkins PR build labels Sep 15, 2024
@florian-h05
Copy link
Contributor

@lsiepel You can merge now 🚀

@lsiepel lsiepel merged commit dbc607a into openhab:main Sep 15, 2024
5 checks passed
@lsiepel lsiepel added this to the 4.3 milestone Sep 15, 2024
@holgerfriedrich holgerfriedrich deleted the pr-knx-ip-secure branch September 15, 2024 20:00
@holgerfriedrich holgerfriedrich restored the pr-knx-ip-secure branch September 15, 2024 20:00
digitaldan pushed a commit to digitaldan/openhab-addons that referenced this pull request Sep 24, 2024
* [knx] Allow decoding of KNX Data Secure frames

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
joni1993 pushed a commit to joni1993/openhab-addons that referenced this pull request Oct 15, 2024
* [knx] Allow decoding of KNX Data Secure frames

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
matchews pushed a commit to matchews/openhab-addons that referenced this pull request Oct 18, 2024
* [knx] Allow decoding of KNX Data Secure frames

Signed-off-by: Holger Friedrich <mail@holger-friedrich.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement An enhancement or new feature for an existing add-on
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants