| 1 | /*! \file auth_xor.c |
| 2 | * GSM/GPRS/3G authentication core infrastructure */ |
| 3 | /* |
| 4 | * (C) 2018 by Harald Welte <laforge@gnumonks.org> |
| 5 | * (C) 2017 by sysmocom s.f.m.c. GmbH |
| 6 | * |
| 7 | * All Rights Reserved |
| 8 | * |
| 9 | * Author: Daniel Willmann <dwillmann@sysmocom.de> |
| 10 | * |
| 11 | * All Rights Reserved |
| 12 | * |
| 13 | * This program is free software; you can redistribute it and/or modify |
| 14 | * it under the terms of the GNU General Public License as published by |
| 15 | * the Free Software Foundation; either version 2 of the License, or |
| 16 | * (at your option) any later version. |
| 17 | * |
| 18 | * This program is distributed in the hope that it will be useful, |
| 19 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 20 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 21 | * GNU General Public License for more details. |
| 22 | * |
| 23 | * You should have received a copy of the GNU General Public License along |
| 24 | * with this program; if not, write to the Free Software Foundation, Inc., |
| 25 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
| 26 | * |
| 27 | */ |
| 28 | |
| 29 | #include <string.h> |
| 30 | #include <stdint.h> |
| 31 | #include <errno.h> |
| 32 | |
| 33 | #include <osmocom/core/bit64gen.h> |
| 34 | #include <osmocom/crypt/auth.h> |
| 35 | |
| 36 | /*! \addtogroup auth |
| 37 | * @{ |
| 38 | */ |
| 39 | |
/*! Byte-wise XOR of two buffers of equal length.
 *  \param[out] out  destination buffer, \a len bytes are written
 *  \param[in] a  first operand, \a len bytes are read
 *  \param[in] b  second operand, \a len bytes are read
 *  \param[in] len  number of bytes to process
 *
 *  Elements are processed front to back, one at a time, so \a out may be the
 *  same buffer as \a a or \a b (in-place operation).
 */
static void xor(uint8_t *out, const uint8_t *a, const uint8_t *b, size_t len)
{
	for (; len > 0; len--)
		*out++ = *a++ ^ *b++;
}
| 47 | |
/*! Generate one authentication vector with the XOR test algorithm
 *  (3GPP TS 34.108, section 8.1.2.1).
 *
 *  NOTE: XOR is a test algorithm, not a cryptographic one. The RES written
 *  below is literally (Ki or K) ^ RAND, so whoever observes RAND and RES of a
 *  single run can recompute the subscriber key. Use it with test keys only.
 *
 *  \param[out] vec  vector to fill: res, res_len, ck, ik, sres, kc and
 *                   auth_types; autn is written for UMTS subscribers only
 *  \param[in] aud  subscriber data; \a type selects u.gsm.ki or u.umts.k,
 *                  UMTS additionally reads u.umts.sqn and u.umts.amf
 *  \param[in] _rand  random challenge, 16 bytes are read
 *  \returns 0 on success; -ENOTSUP if \a aud->type is neither GSM nor UMTS
 */
static int xor_gen_vec(struct osmo_auth_vector *vec,
		       struct osmo_sub_auth_data *aud,
		       const uint8_t *_rand)
{
	uint8_t xdout[16], cdout[8];
	uint8_t ak[6], xmac[8];
	const uint8_t *key;
	size_t n;

	/* Step 1: xdout = (ki or k) ^ rand */
	if (aud->type == OSMO_AUTH_TYPE_GSM)
		key = aud->u.gsm.ki;
	else if (aud->type == OSMO_AUTH_TYPE_UMTS)
		key = aud->u.umts.k;
	else
		return -ENOTSUP;
	xor(xdout, key, _rand, sizeof(xdout));

	/* Step 2: res = xdout
	 *
	 * Suggested length for res is 128 bits, i.e. 16 bytes,
	 * but also can be in range: 30 < n < 128 bits. */
	vec->res_len = sizeof(xdout);
	memcpy(vec->res, xdout, sizeof(xdout));

	/* ck = xdout[1-15,0] and ik = xdout[2-15,0-1], i.e. xdout rotated
	 * left by one and by two bytes respectively */
	for (n = 0; n < sizeof(xdout); n++) {
		vec->ck[n] = xdout[(n + 1) % sizeof(xdout)];
		vec->ik[n] = xdout[(n + 2) % sizeof(xdout)];
	}

	/* ak = xdout[3-8] */
	memcpy(ak, &xdout[3], sizeof(ak));

	/* 3GPP TS 33.102, clause 6.8.1.2, b
	 * sres = c2(res) = res[0-3] ^ res[4-7] ^ res[8-11] ^ res[12-15] */
	for (n = 0; n < 4; n++)
		vec->sres[n] = vec->res[n] ^ vec->res[n + 4] ^
			       vec->res[n + 8] ^ vec->res[n + 12];

	/* 3GPP TS 33.102, clause 6.8.1.2, c
	 * kc = c3(ck, ik) = ck[0-7] ^ ck[8-15] ^ ik[0-7] ^ ik[8-15]
	 * FIXME: do we really have CK/IK for GSM? */
	osmo_auth_c3(vec->kc, vec->ck, vec->ik);

	/* Everything from here on is UMTS specific */
	if (aud->type != OSMO_AUTH_TYPE_UMTS) {
		vec->auth_types = OSMO_AUTH_TYPE_GSM;
		return 0;
	}

	/* Step 3: cdout = sqn[0-5] || amf[0-1]
	 * NOTE (for USIM): sqn[0-5] = autn[0-5] ^ ak[0-5] */
	osmo_store64be_ext(aud->u.umts.sqn, cdout, 6);
	memcpy(&cdout[6], aud->u.umts.amf, 2);

	/* Step 4: xmac = xdout[0-7] ^ cdout[0-7] */
	xor(xmac, xdout, cdout, sizeof(xmac));

	/* Step 5: autn = (sqn ^ ak) || amf || mac
	 * NOTE: cdout[0-5] still holds SQN from step 3 */
	xor(vec->autn, cdout, ak, sizeof(ak));
	memcpy(&vec->autn[6], aud->u.umts.amf, 2);
	memcpy(&vec->autn[8], xmac, sizeof(xmac));

	vec->auth_types = OSMO_AUTH_TYPE_UMTS | OSMO_AUTH_TYPE_GSM;

	return 0;
}
| 129 | |
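/*! Verify an AUTS (re-synchronisation token), adopt the SQN it carries and
 *  generate a fresh vector with the XOR test algorithm
 *  (3GPP TS 34.108, section 8.1.2.2).
 *
 *  NOTE: XOR is a test algorithm without key secrecy; use it with test keys
 *  only.
 *
 *  \param[out] vec  vector to fill, see xor_gen_vec()
 *  \param[in,out] aud  subscriber data; on success u.umts.sqn_ms and
 *                      u.umts.sqn are overwritten with the SQN from AUTS
 *  \param[in] auts  AUTS from the USIM: 6 bytes concealed SQN-MS followed by
 *                   8 bytes MAC-S (14 bytes are read)
 *  \param[in] rand_auts  RAND of the challenge that the USIM answered with
 *                        this AUTS, 16 bytes are read
 *  \param[in] _rand  RAND for the new vector, passed on to xor_gen_vec()
 *  \returns 0 on success; -ENOTSUP for an unsupported \a aud->type;
 *           -1 if the MAC-S inside AUTS does not verify
 */
static int xor_gen_vec_auts(struct osmo_auth_vector *vec,
			    struct osmo_sub_auth_data *aud,
			    const uint8_t *auts,
			    const uint8_t *rand_auts,
			    const uint8_t *_rand)
{
	uint8_t xdout[16], cdout[8];
	uint8_t ak[6], xmac[8];
	uint8_t sqnms[6];

	/* Step 1: xdout = (ki or k) ^ rand_auts
	 *
	 * AUTS was computed by the USIM over the RAND of the challenge it
	 * rejected, so AK and MAC-S must be re-derived from rand_auts. Deriving
	 * them from _rand (the challenge of the vector generated below) only
	 * verifies if both values happen to be identical. */
	if (aud->type == OSMO_AUTH_TYPE_GSM)
		xor(xdout, aud->u.gsm.ki, rand_auts, sizeof(xdout));
	else if (aud->type == OSMO_AUTH_TYPE_UMTS)
		xor(xdout, aud->u.umts.k, rand_auts, sizeof(xdout));
	else
		return -ENOTSUP;

	/* Step 2: ak = xdout[3-8] */
	memcpy(ak, xdout + 3, sizeof(ak));

	/* sqnms = auts[0-5] ^ ak[0-5] */
	xor(sqnms, auts, ak, sizeof(ak));

	/* cdout = sqnms || amf* (dummy, all zero) */
	memcpy(cdout, sqnms, sizeof(sqnms));
	memset(cdout + sizeof(sqnms), 0x00, sizeof(cdout) - sizeof(sqnms));

	/* xmac = xdout[0-7] ^ cdout[0-7] */
	xor(xmac, xdout, cdout, sizeof(xmac));

	/* Compare the last 64 bits of received AUTS with the locally-generated
	 * MAC-S. memcmp() is not a constant-time comparison; that is tolerable
	 * here only because XOR offers no key secrecy to begin with. */
	if (memcmp(auts + sizeof(sqnms), xmac, sizeof(xmac)) != 0)
		return -1;

	/* Adopt the SQN reported by the USIM as both sqn_ms and sqn.
	 * Presumably osmo_load64be_ext() places the 6 bytes in the most
	 * significant octets, hence the shift by 16 - confirm in bit64gen.h.
	 * NOTE(review): xor_gen_vec() in this file uses sqn as stored and does
	 * not increment it. */
	aud->u.umts.sqn_ms = osmo_load64be_ext(sqnms, 6) >> 16;
	aud->u.umts.sqn = aud->u.umts.sqn_ms;

	return xor_gen_vec(vec, aud, _rand);
}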
| 173 | |
/* Descriptor of the XOR test algorithm; on_dso_load_xor() passes it to
 * osmo_auth_register(). XOR provides no key secrecy (RES = key ^ RAND), so
 * subscribers should be provisioned with it for test purposes only. */
static struct osmo_auth_impl xor_alg = {
	.algo		= OSMO_AUTH_ALG_XOR,
	.name		= "XOR (libosmogsm built-in)",
	.priority	= 1000,
	.gen_vec	= xor_gen_vec,
	.gen_vec_auts	= xor_gen_vec_auts,
};
| 181 | |
/* Register the XOR implementation. The constructor attribute makes this run
 * when the object is loaded, so no explicit initialisation call is needed. */
static __attribute__((constructor)) void on_dso_load_xor(void)
{
	osmo_auth_register(&xor_alg);
}
| 186 | |
| 187 | /*! @} */ |