357 lines
9.5 KiB
C
Executable File
357 lines
9.5 KiB
C
Executable File
/*
|
|
* Partial Copyright (C) 2010-2011 Mamadou Diop.
|
|
*
|
|
* Contact: Mamadou Diop <diopmamadou(at)doubango[dot]org>
|
|
*
|
|
* This file is part of Open Source Doubango Framework.
|
|
*
|
|
* DOUBANGO is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* DOUBANGO is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with DOUBANGO.
|
|
*
|
|
*/
|
|
|
|
/**@file tsip_milenage.c
|
|
* @brief 3GPP authentication and key agreement functions f1, f1*, f2, f3, f4, f5 and f5*.
|
|
*
|
|
* @section DESCRIPTION
|
|
*
|
|
* @sa 3G Security
|
|
* <a href="http://www.3gpp.org/ftp/Specs/html-info/35205.htm"> 3GPP TS 35.205 </a>
|
|
* <a href="http://www.3gpp.org/ftp/Specs/html-info/35206.htm"> 3GPP TS 35.206 </a>
|
|
* <a href="http://www.3gpp.org/ftp/Specs/html-info/35207.htm"> 3GPP TS 35.207 </a>
|
|
* <a href="http://www.3gpp.org/ftp/Specs/html-info/35208.htm"> 3GPP TS 35.208 </a>
|
|
* <a href="http://www.3gpp.org/ftp/Specs/html-info/35909.htm"> 3GPP TS 35.909 </a>
|
|
*-------------------------------------------------------------------
|
|
* Example algorithms f1, f1*, f2, f3, f4, f5, f5*
|
|
*-------------------------------------------------------------------
|
|
*
|
|
* A sample implementation of the example 3GPP authentication and
|
|
* key agreement functions f1, f1*, f2, f3, f4, f5 and f5*. This is
|
|
* a byte-oriented implementation of the functions, and of the block
|
|
* cipher kernel function Rijndael.
|
|
*
|
|
* This has been coded for clarity, not necessarily for efficiency.
|
|
*
|
|
* The functions f2, f3, f4 and f5 share the same inputs and have
|
|
* been coded together as a single function. f1, f1* and f5* are
|
|
* all coded separately.
|
|
*
|
|
*-----------------------------------------------------------------
|
|
*
|
|
*/
|
|
|
|
#include "tinysip/authentication/tsip_milenage.h"
|
|
#include "tinysip/authentication/tsip_rijndael.h"
|
|
|
|
/*--------- Operator Variant Algorithm Configuration Field --------*/
|
|
|
|
/*------- Insert your value of OP here -------*/
|
|
//uint8_t OP[16] = {0x63, 0xbf, 0xa5, 0x0e, 0xe6, 0x52, 0x33, 0x65,
|
|
// 0xff, 0x14, 0xc1, 0xf4, 0x5f, 0x88, 0x73, 0x7d};
|
|
/*------- Insert your value of OP here -------*/
|
|
uint8_t OP[16] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
|
};
|
|
|
|
/*-------------------------------------------------------------------
|
|
* Algorithm f1
|
|
*-------------------------------------------------------------------
|
|
*
|
|
* Computes network authentication code MAC-A from key K, random
|
|
* challenge RAND, sequence number SQN and authentication management
|
|
* field AMF.
|
|
*
|
|
*-----------------------------------------------------------------*/
|
|
|
|
void f1 ( uint8_t k[16], uint8_t rand[16], uint8_t sqn[6], uint8_t amf[2],
|
|
uint8_t mac_a[8] )
|
|
{
|
|
uint8_t op_c[16];
|
|
uint8_t temp[16];
|
|
uint8_t in1[16];
|
|
uint8_t out1[16];
|
|
uint8_t rijndaelInput[16];
|
|
uint8_t i;
|
|
|
|
RijndaelKeySchedule( k );
|
|
|
|
ComputeOPc( op_c );
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[i] = rand[i] ^ op_c[i];
|
|
}
|
|
RijndaelEncrypt( rijndaelInput, temp );
|
|
|
|
for (i=0; i<6; i++) {
|
|
in1[i] = sqn[i];
|
|
in1[i+8] = sqn[i];
|
|
}
|
|
|
|
for (i=0; i<2; i++) {
|
|
in1[i+6] = amf[i];
|
|
in1[i+14] = amf[i];
|
|
}
|
|
|
|
/* XOR op_c and in1, rotate by r1=64, and XOR *
|
|
* on the constant c1 (which is all zeroes) */
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[(i+8) % 16] = in1[i] ^ op_c[i];
|
|
}
|
|
|
|
/* XOR on the value temp computed before */
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[i] ^= temp[i];
|
|
}
|
|
|
|
RijndaelEncrypt( rijndaelInput, out1 );
|
|
for (i=0; i<16; i++) {
|
|
out1[i] ^= op_c[i];
|
|
}
|
|
|
|
for (i=0; i<8; i++) {
|
|
mac_a[i] = out1[i];
|
|
}
|
|
|
|
return;
|
|
} /* end of function f1 */
|
|
|
|
|
|
|
|
/*-------------------------------------------------------------------
|
|
* Algorithms f2-f5
|
|
*-------------------------------------------------------------------
|
|
*
|
|
* Takes key K and random challenge RAND, and returns response RES,
|
|
* confidentiality key CK, integrity key IK and anonymity key AK.
|
|
*
|
|
*-----------------------------------------------------------------*/
|
|
|
|
void f2345 ( uint8_t k[16], uint8_t rand[16],
|
|
uint8_t res[8], uint8_t ck[16], uint8_t ik[16], uint8_t ak[6] )
|
|
{
|
|
uint8_t op_c[16];
|
|
uint8_t temp[16];
|
|
uint8_t out[16];
|
|
uint8_t rijndaelInput[16];
|
|
uint8_t i;
|
|
|
|
RijndaelKeySchedule( k );
|
|
|
|
ComputeOPc( op_c );
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[i] = rand[i] ^ op_c[i];
|
|
}
|
|
RijndaelEncrypt( rijndaelInput, temp );
|
|
|
|
/* To obtain output block OUT2: XOR OPc and TEMP, *
|
|
* rotate by r2=0, and XOR on the constant c2 (which *
|
|
* is all zeroes except that the last bit is 1). */
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[i] = temp[i] ^ op_c[i];
|
|
}
|
|
rijndaelInput[15] ^= 1;
|
|
|
|
RijndaelEncrypt( rijndaelInput, out );
|
|
for (i=0; i<16; i++) {
|
|
out[i] ^= op_c[i];
|
|
}
|
|
|
|
for (i=0; i<8; i++) {
|
|
res[i] = out[i+8];
|
|
}
|
|
for (i=0; i<6; i++) {
|
|
ak[i] = out[i];
|
|
}
|
|
|
|
/* To obtain output block OUT3: XOR OPc and TEMP, *
|
|
* rotate by r3=32, and XOR on the constant c3 (which *
|
|
* is all zeroes except that the next to last bit is 1). */
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[(i+12) % 16] = temp[i] ^ op_c[i];
|
|
}
|
|
rijndaelInput[15] ^= 2;
|
|
|
|
RijndaelEncrypt( rijndaelInput, out );
|
|
for (i=0; i<16; i++) {
|
|
out[i] ^= op_c[i];
|
|
}
|
|
|
|
for (i=0; i<16; i++) {
|
|
ck[i] = out[i];
|
|
}
|
|
|
|
/* To obtain output block OUT4: XOR OPc and TEMP, *
|
|
* rotate by r4=64, and XOR on the constant c4 (which *
|
|
* is all zeroes except that the 2nd from last bit is 1). */
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[(i+8) % 16] = temp[i] ^ op_c[i];
|
|
}
|
|
rijndaelInput[15] ^= 4;
|
|
|
|
RijndaelEncrypt( rijndaelInput, out );
|
|
for (i=0; i<16; i++) {
|
|
out[i] ^= op_c[i];
|
|
}
|
|
|
|
for (i=0; i<16; i++) {
|
|
ik[i] = out[i];
|
|
}
|
|
|
|
return;
|
|
} /* end of function f2345 */
|
|
|
|
|
|
/*-------------------------------------------------------------------
|
|
* Algorithm f1*
|
|
*-------------------------------------------------------------------
|
|
*
|
|
* Computes resynch authentication code MAC-S from key K, random
|
|
* challenge RAND, sequence number SQN and authentication management
|
|
* field AMF.
|
|
*
|
|
*-----------------------------------------------------------------*/
|
|
|
|
void f1star( uint8_t k[16], uint8_t rand[16], uint8_t sqn[6], uint8_t amf[2],
|
|
uint8_t mac_s[8] )
|
|
{
|
|
uint8_t op_c[16];
|
|
uint8_t temp[16];
|
|
uint8_t in1[16];
|
|
uint8_t out1[16];
|
|
uint8_t rijndaelInput[16];
|
|
uint8_t i;
|
|
|
|
RijndaelKeySchedule( k );
|
|
|
|
ComputeOPc( op_c );
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[i] = rand[i] ^ op_c[i];
|
|
}
|
|
RijndaelEncrypt( rijndaelInput, temp );
|
|
|
|
for (i=0; i<6; i++) {
|
|
in1[i] = sqn[i];
|
|
in1[i+8] = sqn[i];
|
|
}
|
|
for (i=0; i<2; i++) {
|
|
in1[i+6] = amf[i];
|
|
in1[i+14] = amf[i];
|
|
}
|
|
|
|
/* XOR op_c and in1, rotate by r1=64, and XOR *
|
|
* on the constant c1 (which is all zeroes) */
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[(i+8) % 16] = in1[i] ^ op_c[i];
|
|
}
|
|
|
|
/* XOR on the value temp computed before */
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[i] ^= temp[i];
|
|
}
|
|
|
|
RijndaelEncrypt( rijndaelInput, out1 );
|
|
for (i=0; i<16; i++) {
|
|
out1[i] ^= op_c[i];
|
|
}
|
|
|
|
for (i=0; i<8; i++) {
|
|
mac_s[i] = out1[i+8];
|
|
}
|
|
|
|
return;
|
|
} /* end of function f1star */
|
|
|
|
|
|
/*-------------------------------------------------------------------
|
|
* Algorithm f5*
|
|
*-------------------------------------------------------------------
|
|
*
|
|
* Takes key K and random challenge RAND, and returns resynch
|
|
* anonymity key AK.
|
|
*
|
|
*-----------------------------------------------------------------*/
|
|
|
|
void f5star( uint8_t k[16], uint8_t rand[16],
|
|
uint8_t ak[6] )
|
|
{
|
|
uint8_t op_c[16];
|
|
uint8_t temp[16];
|
|
uint8_t out[16];
|
|
uint8_t rijndaelInput[16];
|
|
uint8_t i;
|
|
|
|
RijndaelKeySchedule( k );
|
|
|
|
ComputeOPc( op_c );
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[i] = rand[i] ^ op_c[i];
|
|
}
|
|
RijndaelEncrypt( rijndaelInput, temp );
|
|
|
|
/* To obtain output block OUT5: XOR OPc and TEMP, *
|
|
* rotate by r5=96, and XOR on the constant c5 (which *
|
|
* is all zeroes except that the 3rd from last bit is 1). */
|
|
|
|
for (i=0; i<16; i++) {
|
|
rijndaelInput[(i+4) % 16] = temp[i] ^ op_c[i];
|
|
}
|
|
rijndaelInput[15] ^= 8;
|
|
|
|
RijndaelEncrypt( rijndaelInput, out );
|
|
for (i=0; i<16; i++) {
|
|
out[i] ^= op_c[i];
|
|
}
|
|
|
|
for (i=0; i<6; i++) {
|
|
ak[i] = out[i];
|
|
}
|
|
|
|
return;
|
|
} /* end of function f5star */
|
|
|
|
|
|
/*-------------------------------------------------------------------
|
|
* Function to compute OPc from OP and K. Assumes key schedule has
|
|
already been performed.
|
|
*-----------------------------------------------------------------*/
|
|
|
|
void ComputeOPc( uint8_t op_c[16] )
|
|
{
|
|
uint8_t i;
|
|
|
|
//RijndaelEncrypt( OP, op_c );
|
|
for (i=0; i<16; i++) {
|
|
op_c[i] = OP[i];
|
|
}
|
|
|
|
return;
|
|
} /* end of function ComputeOPc */
|
|
|
|
void ComputeOP( uint8_t op[16] )
|
|
{
|
|
int i;
|
|
for(i=0; i<16; i++) {
|
|
OP[i]=op[i];
|
|
}
|
|
}
|