workbench/network/WirelessManager/src/crypto/milenage.c

   1 /*
   2  * 3GPP AKA - Milenage algorithm (3GPP TS 35.205, .206, .207, .208)
   3  * Copyright (c) 2006-2007 <j@w1.fi>
   4  *
   5  * This program is free software; you can redistribute it and/or modify
   6  * it under the terms of the GNU General Public License version 2 as
   7  * published by the Free Software Foundation.
   8  *
   9  * Alternatively, this software may be distributed under the terms of BSD
  10  * license.
  11  *
  12  * See README and COPYING for more details.
  13  *
  14  * This file implements an example authentication algorithm defined for 3GPP
  15  * AKA. This can be used to implement a simple HLR/AuC into hlr_auc_gw to allow
  16  * EAP-AKA to be tested properly with real USIM cards.
  17  *
  18  * This implementations assumes that the r1..r5 and c1..c5 constants defined in
  19  * TS 35.206 are used, i.e., r1=64, r2=0, r3=32, r4=64, r5=96, c1=00..00,
  20  * c2=00..01, c3=00..02, c4=00..04, c5=00..08. The block cipher is assumed to
  21  * be AES (Rijndael).
  22  */
  23
  24 #include "includes.h"
  25
  26 #include "common.h"
  27 #include "crypto/aes_wrap.h"
  28 #include "milenage.h"
  29
  30
  31 /**
  32  * milenage_f1 - Milenage f1 and f1* algorithms
  33  * @opc: OPc = 128-bit value derived from OP and K
  34  * @k: K = 128-bit subscriber key
  35  * @_rand: RAND = 128-bit random challenge
  36  * @sqn: SQN = 48-bit sequence number
  37  * @amf: AMF = 16-bit authentication management field
  38  * @mac_a: Buffer for MAC-A = 64-bit network authentication code, or %NULL
  39  * @mac_s: Buffer for MAC-S = 64-bit resync authentication code, or %NULL
  40  * Returns: 0 on success, -1 on failure
  41  */
  42 int milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand,
  43                 const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s)
  44 {
  45         u8 tmp1[16], tmp2[16], tmp3[16];
  46         int i;
  47
  48         /* tmp1 = TEMP = E_K(RAND XOR OP_C) */
  49         for (i = 0; i < 16; i++)
  50                 tmp1[i] = _rand[i] ^ opc[i];
  51         if (aes_128_encrypt_block(k, tmp1, tmp1))
  52                 return -1;
  53
  54         /* tmp2 = IN1 = SQN || AMF || SQN || AMF */
  55         os_memcpy(tmp2, sqn, 6);
  56         os_memcpy(tmp2 + 6, amf, 2);
  57         os_memcpy(tmp2 + 8, tmp2, 8);
  58
  59         /* OUT1 = E_K(TEMP XOR rot(IN1 XOR OP_C, r1) XOR c1) XOR OP_C */
  60
  61         /* rotate (tmp2 XOR OP_C) by r1 (= 0x40 = 8 bytes) */
  62         for (i = 0; i < 16; i++)
  63                 tmp3[(i + 8) % 16] = tmp2[i] ^ opc[i];
  64         /* XOR with TEMP = E_K(RAND XOR OP_C) */
  65         for (i = 0; i < 16; i++)
  66                 tmp3[i] ^= tmp1[i];
  67         /* XOR with c1 (= ..00, i.e., NOP) */
  68
  69         /* f1 || f1* = E_K(tmp3) XOR OP_c */
  70         if (aes_128_encrypt_block(k, tmp3, tmp1))
  71                 return -1;
  72         for (i = 0; i < 16; i++)
  73                 tmp1[i] ^= opc[i];
  74         if (mac_a)
  75                 os_memcpy(mac_a, tmp1, 8); /* f1 */
  76         if (mac_s)
  77                 os_memcpy(mac_s, tmp1 + 8, 8); /* f1* */
  78         return 0;
  79 }
  80
  81
  82 /**
  83  * milenage_f2345 - Milenage f2, f3, f4, f5, f5* algorithms
  84  * @opc: OPc = 128-bit value derived from OP and K
  85  * @k: K = 128-bit subscriber key
  86  * @_rand: RAND = 128-bit random challenge
  87  * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
  88  * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
  89  * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
  90  * @ak: Buffer for AK = 48-bit anonymity key (f5), or %NULL
  91  * @akstar: Buffer for AK = 48-bit anonymity key (f5*), or %NULL
  92  * Returns: 0 on success, -1 on failure
  93  */
  94 int milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand,
  95                    u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar)
  96 {
  97         u8 tmp1[16], tmp2[16], tmp3[16];
  98         int i;
  99
 100         /* tmp2 = TEMP = E_K(RAND XOR OP_C) */
 101         for (i = 0; i < 16; i++)
 102                 tmp1[i] = _rand[i] ^ opc[i];
 103         if (aes_128_encrypt_block(k, tmp1, tmp2))
 104                 return -1;
 105
 106         /* OUT2 = E_K(rot(TEMP XOR OP_C, r2) XOR c2) XOR OP_C */
 107         /* OUT3 = E_K(rot(TEMP XOR OP_C, r3) XOR c3) XOR OP_C */
 108         /* OUT4 = E_K(rot(TEMP XOR OP_C, r4) XOR c4) XOR OP_C */
 109         /* OUT5 = E_K(rot(TEMP XOR OP_C, r5) XOR c5) XOR OP_C */
 110
 111         /* f2 and f5 */
 112         /* rotate by r2 (= 0, i.e., NOP) */
 113         for (i = 0; i < 16; i++)
 114                 tmp1[i] = tmp2[i] ^ opc[i];
 115         tmp1[15] ^= 1; /* XOR c2 (= ..01) */
 116         /* f5 || f2 = E_K(tmp1) XOR OP_c */
 117         if (aes_128_encrypt_block(k, tmp1, tmp3))
 118                 return -1;
 119         for (i = 0; i < 16; i++)
 120                 tmp3[i] ^= opc[i];
 121         if (res)
 122                 os_memcpy(res, tmp3 + 8, 8); /* f2 */
 123         if (ak)
 124                 os_memcpy(ak, tmp3, 6); /* f5 */
 125
 126         /* f3 */
 127         if (ck) {
 128                 /* rotate by r3 = 0x20 = 4 bytes */
 129                 for (i = 0; i < 16; i++)
 130                         tmp1[(i + 12) % 16] = tmp2[i] ^ opc[i];
 131                 tmp1[15] ^= 2; /* XOR c3 (= ..02) */
 132                 if (aes_128_encrypt_block(k, tmp1, ck))
 133                         return -1;
 134                 for (i = 0; i < 16; i++)
 135                         ck[i] ^= opc[i];
 136         }
 137
 138         /* f4 */
 139         if (ik) {
 140                 /* rotate by r4 = 0x40 = 8 bytes */
 141                 for (i = 0; i < 16; i++)
 142                         tmp1[(i + 8) % 16] = tmp2[i] ^ opc[i];
 143                 tmp1[15] ^= 4; /* XOR c4 (= ..04) */
 144                 if (aes_128_encrypt_block(k, tmp1, ik))
 145                         return -1;
 146                 for (i = 0; i < 16; i++)
 147                         ik[i] ^= opc[i];
 148         }
 149
 150         /* f5* */
 151         if (akstar) {
 152                 /* rotate by r5 = 0x60 = 12 bytes */
 153                 for (i = 0; i < 16; i++)
 154                         tmp1[(i + 4) % 16] = tmp2[i] ^ opc[i];
 155                 tmp1[15] ^= 8; /* XOR c5 (= ..08) */
 156                 if (aes_128_encrypt_block(k, tmp1, tmp1))
 157                         return -1;
 158                 for (i = 0; i < 6; i++)
 159                         akstar[i] = tmp1[i] ^ opc[i];
 160         }
 161
 162         return 0;
 163 }
 164
 165
 166 /**
 167  * milenage_generate - Generate AKA AUTN,IK,CK,RES
 168  * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
 169  * @amf: AMF = 16-bit authentication management field
 170  * @k: K = 128-bit subscriber key
 171  * @sqn: SQN = 48-bit sequence number
 172  * @_rand: RAND = 128-bit random challenge
 173  * @autn: Buffer for AUTN = 128-bit authentication token
 174  * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
 175  * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
 176  * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
 177  * @res_len: Max length for res; set to used length or 0 on failure
 178  */
 179 void milenage_generate(const u8 *opc, const u8 *amf, const u8 *k,
 180                        const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik,
 181                        u8 *ck, u8 *res, size_t *res_len)
 182 {
 183         int i;
 184         u8 mac_a[8], ak[6];
 185
 186         if (*res_len < 8) {
 187                 *res_len = 0;
 188                 return;
 189         }
 190         if (milenage_f1(opc, k, _rand, sqn, amf, mac_a, NULL) ||
 191             milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) {
 192                 *res_len = 0;
 193                 return;
 194         }
 195         *res_len = 8;
 196
 197         /* AUTN = (SQN ^ AK) || AMF || MAC */
 198         for (i = 0; i < 6; i++)
 199                 autn[i] = sqn[i] ^ ak[i];
 200         os_memcpy(autn + 6, amf, 2);
 201         os_memcpy(autn + 8, mac_a, 8);
 202 }
 203
 204
 205 /**
 206  * milenage_auts - Milenage AUTS validation
 207  * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
 208  * @k: K = 128-bit subscriber key
 209  * @_rand: RAND = 128-bit random challenge
 210  * @auts: AUTS = 112-bit authentication token from client
 211  * @sqn: Buffer for SQN = 48-bit sequence number
 212  * Returns: 0 = success (sqn filled), -1 on failure
 213  */
 214 int milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts,
 215                   u8 *sqn)
 216 {
 217         u8 amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
 218         u8 ak[6], mac_s[8];
 219         int i;
 220
 221         if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
 222                 return -1;
 223         for (i = 0; i < 6; i++)
 224                 sqn[i] = auts[i] ^ ak[i];
 225         if (milenage_f1(opc, k, _rand, sqn, amf, NULL, mac_s) ||
 226             memcmp(mac_s, auts + 6, 8) != 0)
 227                 return -1;
 228         return 0;
 229 }
 230
 231
 232 /**
 233  * gsm_milenage - Generate GSM-Milenage (3GPP TS 55.205) authentication triplet
 234  * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
 235  * @k: K = 128-bit subscriber key
 236  * @_rand: RAND = 128-bit random challenge
 237  * @sres: Buffer for SRES = 32-bit SRES
 238  * @kc: Buffer for Kc = 64-bit Kc
 239  * Returns: 0 on success, -1 on failure
 240  */
 241 int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc)
 242 {
 243         u8 res[8], ck[16], ik[16];
 244         int i;
 245
 246         if (milenage_f2345(opc, k, _rand, res, ck, ik, NULL, NULL))
 247                 return -1;
 248
 249         for (i = 0; i < 8; i++)
 250                 kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8];
 251
 252 #ifdef GSM_MILENAGE_ALT_SRES
 253         os_memcpy(sres, res, 4);
 254 #else /* GSM_MILENAGE_ALT_SRES */
 255         for (i = 0; i < 4; i++)
 256                 sres[i] = res[i] ^ res[i + 4];
 257 #endif /* GSM_MILENAGE_ALT_SRES */
 258         return 0;
 259 }
 260
 261
 262 /**
 263  * milenage_generate - Generate AKA AUTN,IK,CK,RES
 264  * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
 265  * @k: K = 128-bit subscriber key
 266  * @sqn: SQN = 48-bit sequence number
 267  * @_rand: RAND = 128-bit random challenge
 268  * @autn: AUTN = 128-bit authentication token
 269  * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
 270  * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
 271  * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
 272  * @res_len: Variable that will be set to RES length
 273  * @auts: 112-bit buffer for AUTS
 274  * Returns: 0 on success, -1 on failure, or -2 on synchronization failure
 275  */
 276 int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
 277                    const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
 278                    u8 *auts)
 279 {
 280         int i;
 281         u8 mac_a[8], ak[6], rx_sqn[6];
 282         const u8 *amf;
 283
 284         wpa_hexdump(MSG_DEBUG, "Milenage: AUTN", autn, 16);
 285         wpa_hexdump(MSG_DEBUG, "Milenage: RAND", _rand, 16);
 286
 287         if (milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL))
 288                 return -1;
 289
 290         *res_len = 8;
 291         wpa_hexdump_key(MSG_DEBUG, "Milenage: RES", res, *res_len);
 292         wpa_hexdump_key(MSG_DEBUG, "Milenage: CK", ck, 16);
 293         wpa_hexdump_key(MSG_DEBUG, "Milenage: IK", ik, 16);
 294         wpa_hexdump_key(MSG_DEBUG, "Milenage: AK", ak, 6);
 295
 296         /* AUTN = (SQN ^ AK) || AMF || MAC */
 297         for (i = 0; i < 6; i++)
 298                 rx_sqn[i] = autn[i] ^ ak[i];
 299         wpa_hexdump(MSG_DEBUG, "Milenage: SQN", rx_sqn, 6);
 300
 301         if (os_memcmp(rx_sqn, sqn, 6) <= 0) {
 302                 u8 auts_amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
 303                 if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
 304                         return -1;
 305                 wpa_hexdump_key(MSG_DEBUG, "Milenage: AK*", ak, 6);
 306                 for (i = 0; i < 6; i++)
 307                         auts[i] = sqn[i] ^ ak[i];
 308                 if (milenage_f1(opc, k, _rand, sqn, auts_amf, NULL, auts + 6))
 309                         return -1;
 310                 wpa_hexdump(MSG_DEBUG, "Milenage: AUTS", auts, 14);
 311                 return -2;
 312         }
 313
 314         amf = autn + 6;
 315         wpa_hexdump(MSG_DEBUG, "Milenage: AMF", amf, 2);
 316         if (milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL))
 317                 return -1;
 318
 319         wpa_hexdump(MSG_DEBUG, "Milenage: MAC_A", mac_a, 8);
 320
 321         if (os_memcmp(mac_a, autn + 8, 8) != 0) {
 322                 wpa_printf(MSG_DEBUG, "Milenage: MAC mismatch");
 323                 wpa_hexdump(MSG_DEBUG, "Milenage: Received MAC_A",
 324                             autn + 8, 8);
 325                 return -1;
 326         }
 327
 328         return 0;
 329 }