1214501Srpaulo/* 2214501Srpaulo * 3GPP AKA - Milenage algorithm (3GPP TS 35.205, .206, .207, .208) 3214501Srpaulo * Copyright (c) 2006-2007 <j@w1.fi> 4214501Srpaulo * 5214501Srpaulo * This program is free software; you can redistribute it and/or modify 6214501Srpaulo * it under the terms of the GNU General Public License version 2 as 7214501Srpaulo * published by the Free Software Foundation. 8214501Srpaulo * 9214501Srpaulo * Alternatively, this software may be distributed under the terms of BSD 10214501Srpaulo * license. 11214501Srpaulo * 12214501Srpaulo * See README and COPYING for more details. 13214501Srpaulo * 14214501Srpaulo * This file implements an example authentication algorithm defined for 3GPP 15214501Srpaulo * AKA. This can be used to implement a simple HLR/AuC into hlr_auc_gw to allow 16214501Srpaulo * EAP-AKA to be tested properly with real USIM cards. 17214501Srpaulo * 18214501Srpaulo * This implementations assumes that the r1..r5 and c1..c5 constants defined in 19214501Srpaulo * TS 35.206 are used, i.e., r1=64, r2=0, r3=32, r4=64, r5=96, c1=00..00, 20214501Srpaulo * c2=00..01, c3=00..02, c4=00..04, c5=00..08. The block cipher is assumed to 21214501Srpaulo * be AES (Rijndael). 22214501Srpaulo */ 23214501Srpaulo 24214501Srpaulo#include "includes.h" 25214501Srpaulo 26214501Srpaulo#include "common.h" 27214501Srpaulo#include "crypto/aes_wrap.h" 28214501Srpaulo#include "milenage.h" 29214501Srpaulo 30214501Srpaulo 31214501Srpaulo/** 32214501Srpaulo * milenage_f1 - Milenage f1 and f1* algorithms 33214501Srpaulo * @opc: OPc = 128-bit value derived from OP and K 34214501Srpaulo * @k: K = 128-bit subscriber key 35214501Srpaulo * @_rand: RAND = 128-bit random challenge 36214501Srpaulo * @sqn: SQN = 48-bit sequence number 37214501Srpaulo * @amf: AMF = 16-bit authentication management field 38214501Srpaulo * @mac_a: Buffer for MAC-A = 64-bit network authentication code, or %NULL 39214501Srpaulo * @mac_s: Buffer for MAC-S = 64-bit resync authentication code, or %NULL 40214501Srpaulo * Returns: 0 on success, -1 on failure 41214501Srpaulo */ 42214501Srpauloint milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand, 43214501Srpaulo const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s) 44214501Srpaulo{ 45214501Srpaulo u8 tmp1[16], tmp2[16], tmp3[16]; 46214501Srpaulo int i; 47214501Srpaulo 48214501Srpaulo /* tmp1 = TEMP = E_K(RAND XOR OP_C) */ 49214501Srpaulo for (i = 0; i < 16; i++) 50214501Srpaulo tmp1[i] = _rand[i] ^ opc[i]; 51214501Srpaulo if (aes_128_encrypt_block(k, tmp1, tmp1)) 52214501Srpaulo return -1; 53214501Srpaulo 54214501Srpaulo /* tmp2 = IN1 = SQN || AMF || SQN || AMF */ 55214501Srpaulo os_memcpy(tmp2, sqn, 6); 56214501Srpaulo os_memcpy(tmp2 + 6, amf, 2); 57214501Srpaulo os_memcpy(tmp2 + 8, tmp2, 8); 58214501Srpaulo 59214501Srpaulo /* OUT1 = E_K(TEMP XOR rot(IN1 XOR OP_C, r1) XOR c1) XOR OP_C */ 60214501Srpaulo 61214501Srpaulo /* rotate (tmp2 XOR OP_C) by r1 (= 0x40 = 8 bytes) */ 62214501Srpaulo for (i = 0; i < 16; i++) 63214501Srpaulo tmp3[(i + 8) % 16] = tmp2[i] ^ opc[i]; 64214501Srpaulo /* XOR with TEMP = E_K(RAND XOR OP_C) */ 65214501Srpaulo for (i = 0; i < 16; i++) 66214501Srpaulo tmp3[i] ^= tmp1[i]; 67214501Srpaulo /* XOR with c1 (= ..00, i.e., NOP) */ 68214501Srpaulo 69214501Srpaulo /* f1 || f1* = E_K(tmp3) XOR OP_c */ 70214501Srpaulo if (aes_128_encrypt_block(k, tmp3, tmp1)) 71214501Srpaulo return -1; 72214501Srpaulo for (i = 0; i < 16; i++) 73214501Srpaulo tmp1[i] ^= opc[i]; 74214501Srpaulo if (mac_a) 75214501Srpaulo os_memcpy(mac_a, tmp1, 8); /* f1 */ 76214501Srpaulo if (mac_s) 77214501Srpaulo os_memcpy(mac_s, tmp1 + 8, 8); /* f1* */ 78214501Srpaulo return 0; 79214501Srpaulo} 80214501Srpaulo 81214501Srpaulo 82214501Srpaulo/** 83214501Srpaulo * milenage_f2345 - Milenage f2, f3, f4, f5, f5* algorithms 84214501Srpaulo * @opc: OPc = 128-bit value derived from OP and K 85214501Srpaulo * @k: K = 128-bit subscriber key 86214501Srpaulo * @_rand: RAND = 128-bit random challenge 87214501Srpaulo * @res: Buffer for RES = 64-bit signed response (f2), or %NULL 88214501Srpaulo * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL 89214501Srpaulo * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL 90214501Srpaulo * @ak: Buffer for AK = 48-bit anonymity key (f5), or %NULL 91214501Srpaulo * @akstar: Buffer for AK = 48-bit anonymity key (f5*), or %NULL 92214501Srpaulo * Returns: 0 on success, -1 on failure 93214501Srpaulo */ 94214501Srpauloint milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand, 95214501Srpaulo u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar) 96214501Srpaulo{ 97214501Srpaulo u8 tmp1[16], tmp2[16], tmp3[16]; 98214501Srpaulo int i; 99214501Srpaulo 100214501Srpaulo /* tmp2 = TEMP = E_K(RAND XOR OP_C) */ 101214501Srpaulo for (i = 0; i < 16; i++) 102214501Srpaulo tmp1[i] = _rand[i] ^ opc[i]; 103214501Srpaulo if (aes_128_encrypt_block(k, tmp1, tmp2)) 104214501Srpaulo return -1; 105214501Srpaulo 106214501Srpaulo /* OUT2 = E_K(rot(TEMP XOR OP_C, r2) XOR c2) XOR OP_C */ 107214501Srpaulo /* OUT3 = E_K(rot(TEMP XOR OP_C, r3) XOR c3) XOR OP_C */ 108214501Srpaulo /* OUT4 = E_K(rot(TEMP XOR OP_C, r4) XOR c4) XOR OP_C */ 109214501Srpaulo /* OUT5 = E_K(rot(TEMP XOR OP_C, r5) XOR c5) XOR OP_C */ 110214501Srpaulo 111214501Srpaulo /* f2 and f5 */ 112214501Srpaulo /* rotate by r2 (= 0, i.e., NOP) */ 113214501Srpaulo for (i = 0; i < 16; i++) 114214501Srpaulo tmp1[i] = tmp2[i] ^ opc[i]; 115214501Srpaulo tmp1[15] ^= 1; /* XOR c2 (= ..01) */ 116214501Srpaulo /* f5 || f2 = E_K(tmp1) XOR OP_c */ 117214501Srpaulo if (aes_128_encrypt_block(k, tmp1, tmp3)) 118214501Srpaulo return -1; 119214501Srpaulo for (i = 0; i < 16; i++) 120214501Srpaulo tmp3[i] ^= opc[i]; 121214501Srpaulo if (res) 122214501Srpaulo os_memcpy(res, tmp3 + 8, 8); /* f2 */ 123214501Srpaulo if (ak) 124214501Srpaulo os_memcpy(ak, tmp3, 6); /* f5 */ 125214501Srpaulo 126214501Srpaulo /* f3 */ 127214501Srpaulo if (ck) { 128214501Srpaulo /* rotate by r3 = 0x20 = 4 bytes */ 129214501Srpaulo for (i = 0; i < 16; i++) 130214501Srpaulo tmp1[(i + 12) % 16] = tmp2[i] ^ opc[i]; 131214501Srpaulo tmp1[15] ^= 2; /* XOR c3 (= ..02) */ 132214501Srpaulo if (aes_128_encrypt_block(k, tmp1, ck)) 133214501Srpaulo return -1; 134214501Srpaulo for (i = 0; i < 16; i++) 135214501Srpaulo ck[i] ^= opc[i]; 136214501Srpaulo } 137214501Srpaulo 138214501Srpaulo /* f4 */ 139214501Srpaulo if (ik) { 140214501Srpaulo /* rotate by r4 = 0x40 = 8 bytes */ 141214501Srpaulo for (i = 0; i < 16; i++) 142214501Srpaulo tmp1[(i + 8) % 16] = tmp2[i] ^ opc[i]; 143214501Srpaulo tmp1[15] ^= 4; /* XOR c4 (= ..04) */ 144214501Srpaulo if (aes_128_encrypt_block(k, tmp1, ik)) 145214501Srpaulo return -1; 146214501Srpaulo for (i = 0; i < 16; i++) 147214501Srpaulo ik[i] ^= opc[i]; 148214501Srpaulo } 149214501Srpaulo 150214501Srpaulo /* f5* */ 151214501Srpaulo if (akstar) { 152214501Srpaulo /* rotate by r5 = 0x60 = 12 bytes */ 153214501Srpaulo for (i = 0; i < 16; i++) 154214501Srpaulo tmp1[(i + 4) % 16] = tmp2[i] ^ opc[i]; 155214501Srpaulo tmp1[15] ^= 8; /* XOR c5 (= ..08) */ 156214501Srpaulo if (aes_128_encrypt_block(k, tmp1, tmp1)) 157214501Srpaulo return -1; 158214501Srpaulo for (i = 0; i < 6; i++) 159214501Srpaulo akstar[i] = tmp1[i] ^ opc[i]; 160214501Srpaulo } 161214501Srpaulo 162214501Srpaulo return 0; 163214501Srpaulo} 164214501Srpaulo 165214501Srpaulo 166214501Srpaulo/** 167214501Srpaulo * milenage_generate - Generate AKA AUTN,IK,CK,RES 168214501Srpaulo * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.) 169214501Srpaulo * @amf: AMF = 16-bit authentication management field 170214501Srpaulo * @k: K = 128-bit subscriber key 171214501Srpaulo * @sqn: SQN = 48-bit sequence number 172214501Srpaulo * @_rand: RAND = 128-bit random challenge 173214501Srpaulo * @autn: Buffer for AUTN = 128-bit authentication token 174214501Srpaulo * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL 175214501Srpaulo * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL 176214501Srpaulo * @res: Buffer for RES = 64-bit signed response (f2), or %NULL 177214501Srpaulo * @res_len: Max length for res; set to used length or 0 on failure 178214501Srpaulo */ 179214501Srpaulovoid milenage_generate(const u8 *opc, const u8 *amf, const u8 *k, 180214501Srpaulo const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik, 181214501Srpaulo u8 *ck, u8 *res, size_t *res_len) 182214501Srpaulo{ 183214501Srpaulo int i; 184214501Srpaulo u8 mac_a[8], ak[6]; 185214501Srpaulo 186214501Srpaulo if (*res_len < 8) { 187214501Srpaulo *res_len = 0; 188214501Srpaulo return; 189214501Srpaulo } 190214501Srpaulo if (milenage_f1(opc, k, _rand, sqn, amf, mac_a, NULL) || 191214501Srpaulo milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) { 192214501Srpaulo *res_len = 0; 193214501Srpaulo return; 194214501Srpaulo } 195214501Srpaulo *res_len = 8; 196214501Srpaulo 197214501Srpaulo /* AUTN = (SQN ^ AK) || AMF || MAC */ 198214501Srpaulo for (i = 0; i < 6; i++) 199214501Srpaulo autn[i] = sqn[i] ^ ak[i]; 200214501Srpaulo os_memcpy(autn + 6, amf, 2); 201214501Srpaulo os_memcpy(autn + 8, mac_a, 8); 202214501Srpaulo} 203214501Srpaulo 204214501Srpaulo 205214501Srpaulo/** 206214501Srpaulo * milenage_auts - Milenage AUTS validation 207214501Srpaulo * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.) 208214501Srpaulo * @k: K = 128-bit subscriber key 209214501Srpaulo * @_rand: RAND = 128-bit random challenge 210214501Srpaulo * @auts: AUTS = 112-bit authentication token from client 211214501Srpaulo * @sqn: Buffer for SQN = 48-bit sequence number 212214501Srpaulo * Returns: 0 = success (sqn filled), -1 on failure 213214501Srpaulo */ 214214501Srpauloint milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts, 215214501Srpaulo u8 *sqn) 216214501Srpaulo{ 217214501Srpaulo u8 amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */ 218214501Srpaulo u8 ak[6], mac_s[8]; 219214501Srpaulo int i; 220214501Srpaulo 221214501Srpaulo if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak)) 222214501Srpaulo return -1; 223214501Srpaulo for (i = 0; i < 6; i++) 224214501Srpaulo sqn[i] = auts[i] ^ ak[i]; 225214501Srpaulo if (milenage_f1(opc, k, _rand, sqn, amf, NULL, mac_s) || 226214501Srpaulo memcmp(mac_s, auts + 6, 8) != 0) 227214501Srpaulo return -1; 228214501Srpaulo return 0; 229214501Srpaulo} 230214501Srpaulo 231214501Srpaulo 232214501Srpaulo/** 233214501Srpaulo * gsm_milenage - Generate GSM-Milenage (3GPP TS 55.205) authentication triplet 234214501Srpaulo * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.) 235214501Srpaulo * @k: K = 128-bit subscriber key 236214501Srpaulo * @_rand: RAND = 128-bit random challenge 237214501Srpaulo * @sres: Buffer for SRES = 32-bit SRES 238214501Srpaulo * @kc: Buffer for Kc = 64-bit Kc 239214501Srpaulo * Returns: 0 on success, -1 on failure 240214501Srpaulo */ 241214501Srpauloint gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc) 242214501Srpaulo{ 243214501Srpaulo u8 res[8], ck[16], ik[16]; 244214501Srpaulo int i; 245214501Srpaulo 246214501Srpaulo if (milenage_f2345(opc, k, _rand, res, ck, ik, NULL, NULL)) 247214501Srpaulo return -1; 248214501Srpaulo 249214501Srpaulo for (i = 0; i < 8; i++) 250214501Srpaulo kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8]; 251214501Srpaulo 252214501Srpaulo#ifdef GSM_MILENAGE_ALT_SRES 253214501Srpaulo os_memcpy(sres, res, 4); 254214501Srpaulo#else /* GSM_MILENAGE_ALT_SRES */ 255214501Srpaulo for (i = 0; i < 4; i++) 256214501Srpaulo sres[i] = res[i] ^ res[i + 4]; 257214501Srpaulo#endif /* GSM_MILENAGE_ALT_SRES */ 258214501Srpaulo return 0; 259214501Srpaulo} 260214501Srpaulo 261214501Srpaulo 262214501Srpaulo/** 263214501Srpaulo * milenage_generate - Generate AKA AUTN,IK,CK,RES 264214501Srpaulo * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.) 265214501Srpaulo * @k: K = 128-bit subscriber key 266214501Srpaulo * @sqn: SQN = 48-bit sequence number 267214501Srpaulo * @_rand: RAND = 128-bit random challenge 268214501Srpaulo * @autn: AUTN = 128-bit authentication token 269214501Srpaulo * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL 270214501Srpaulo * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL 271214501Srpaulo * @res: Buffer for RES = 64-bit signed response (f2), or %NULL 272214501Srpaulo * @res_len: Variable that will be set to RES length 273214501Srpaulo * @auts: 112-bit buffer for AUTS 274214501Srpaulo * Returns: 0 on success, -1 on failure, or -2 on synchronization failure 275214501Srpaulo */ 276214501Srpauloint milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand, 277214501Srpaulo const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len, 278214501Srpaulo u8 *auts) 279214501Srpaulo{ 280214501Srpaulo int i; 281214501Srpaulo u8 mac_a[8], ak[6], rx_sqn[6]; 282214501Srpaulo const u8 *amf; 283214501Srpaulo 284214501Srpaulo wpa_hexdump(MSG_DEBUG, "Milenage: AUTN", autn, 16); 285214501Srpaulo wpa_hexdump(MSG_DEBUG, "Milenage: RAND", _rand, 16); 286214501Srpaulo 287214501Srpaulo if (milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) 288214501Srpaulo return -1; 289214501Srpaulo 290214501Srpaulo *res_len = 8; 291214501Srpaulo wpa_hexdump_key(MSG_DEBUG, "Milenage: RES", res, *res_len); 292214501Srpaulo wpa_hexdump_key(MSG_DEBUG, "Milenage: CK", ck, 16); 293214501Srpaulo wpa_hexdump_key(MSG_DEBUG, "Milenage: IK", ik, 16); 294214501Srpaulo wpa_hexdump_key(MSG_DEBUG, "Milenage: AK", ak, 6); 295214501Srpaulo 296214501Srpaulo /* AUTN = (SQN ^ AK) || AMF || MAC */ 297214501Srpaulo for (i = 0; i < 6; i++) 298214501Srpaulo rx_sqn[i] = autn[i] ^ ak[i]; 299214501Srpaulo wpa_hexdump(MSG_DEBUG, "Milenage: SQN", rx_sqn, 6); 300214501Srpaulo 301214501Srpaulo if (os_memcmp(rx_sqn, sqn, 6) <= 0) { 302214501Srpaulo u8 auts_amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */ 303214501Srpaulo if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak)) 304214501Srpaulo return -1; 305214501Srpaulo wpa_hexdump_key(MSG_DEBUG, "Milenage: AK*", ak, 6); 306214501Srpaulo for (i = 0; i < 6; i++) 307214501Srpaulo auts[i] = sqn[i] ^ ak[i]; 308214501Srpaulo if (milenage_f1(opc, k, _rand, sqn, auts_amf, NULL, auts + 6)) 309214501Srpaulo return -1; 310214501Srpaulo wpa_hexdump(MSG_DEBUG, "Milenage: AUTS", auts, 14); 311214501Srpaulo return -2; 312214501Srpaulo } 313214501Srpaulo 314214501Srpaulo amf = autn + 6; 315214501Srpaulo wpa_hexdump(MSG_DEBUG, "Milenage: AMF", amf, 2); 316214501Srpaulo if (milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL)) 317214501Srpaulo return -1; 318214501Srpaulo 319214501Srpaulo wpa_hexdump(MSG_DEBUG, "Milenage: MAC_A", mac_a, 8); 320214501Srpaulo 321214501Srpaulo if (os_memcmp(mac_a, autn + 8, 8) != 0) { 322214501Srpaulo wpa_printf(MSG_DEBUG, "Milenage: MAC mismatch"); 323214501Srpaulo wpa_hexdump(MSG_DEBUG, "Milenage: Received MAC_A", 324214501Srpaulo autn + 8, 8); 325214501Srpaulo return -1; 326214501Srpaulo } 327214501Srpaulo 328214501Srpaulo return 0; 329214501Srpaulo} 330