1*03f9172cSAndroid Build Coastguard Worker /*
2*03f9172cSAndroid Build Coastguard Worker * 3GPP AKA - Milenage algorithm (3GPP TS 35.205, .206, .207, .208)
3*03f9172cSAndroid Build Coastguard Worker * Copyright (c) 2006-2007 <[email protected]>
4*03f9172cSAndroid Build Coastguard Worker *
5*03f9172cSAndroid Build Coastguard Worker * This software may be distributed under the terms of the BSD license.
6*03f9172cSAndroid Build Coastguard Worker * See README for more details.
7*03f9172cSAndroid Build Coastguard Worker *
8*03f9172cSAndroid Build Coastguard Worker * This file implements an example authentication algorithm defined for 3GPP
9*03f9172cSAndroid Build Coastguard Worker * AKA. This can be used to implement a simple HLR/AuC into hlr_auc_gw to allow
10*03f9172cSAndroid Build Coastguard Worker * EAP-AKA to be tested properly with real USIM cards.
11*03f9172cSAndroid Build Coastguard Worker *
12*03f9172cSAndroid Build Coastguard Worker * This implementations assumes that the r1..r5 and c1..c5 constants defined in
13*03f9172cSAndroid Build Coastguard Worker * TS 35.206 are used, i.e., r1=64, r2=0, r3=32, r4=64, r5=96, c1=00..00,
14*03f9172cSAndroid Build Coastguard Worker * c2=00..01, c3=00..02, c4=00..04, c5=00..08. The block cipher is assumed to
15*03f9172cSAndroid Build Coastguard Worker * be AES (Rijndael).
16*03f9172cSAndroid Build Coastguard Worker */
17*03f9172cSAndroid Build Coastguard Worker
18*03f9172cSAndroid Build Coastguard Worker #include "includes.h"
19*03f9172cSAndroid Build Coastguard Worker
20*03f9172cSAndroid Build Coastguard Worker #include "common.h"
21*03f9172cSAndroid Build Coastguard Worker #include "crypto/aes_wrap.h"
22*03f9172cSAndroid Build Coastguard Worker #include "milenage.h"
23*03f9172cSAndroid Build Coastguard Worker
24*03f9172cSAndroid Build Coastguard Worker
25*03f9172cSAndroid Build Coastguard Worker /**
26*03f9172cSAndroid Build Coastguard Worker * milenage_f1 - Milenage f1 and f1* algorithms
27*03f9172cSAndroid Build Coastguard Worker * @opc: OPc = 128-bit value derived from OP and K
28*03f9172cSAndroid Build Coastguard Worker * @k: K = 128-bit subscriber key
29*03f9172cSAndroid Build Coastguard Worker * @_rand: RAND = 128-bit random challenge
30*03f9172cSAndroid Build Coastguard Worker * @sqn: SQN = 48-bit sequence number
31*03f9172cSAndroid Build Coastguard Worker * @amf: AMF = 16-bit authentication management field
32*03f9172cSAndroid Build Coastguard Worker * @mac_a: Buffer for MAC-A = 64-bit network authentication code, or %NULL
33*03f9172cSAndroid Build Coastguard Worker * @mac_s: Buffer for MAC-S = 64-bit resync authentication code, or %NULL
34*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure
35*03f9172cSAndroid Build Coastguard Worker */
milenage_f1(const u8 * opc,const u8 * k,const u8 * _rand,const u8 * sqn,const u8 * amf,u8 * mac_a,u8 * mac_s)36*03f9172cSAndroid Build Coastguard Worker int milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand,
37*03f9172cSAndroid Build Coastguard Worker const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s)
38*03f9172cSAndroid Build Coastguard Worker {
39*03f9172cSAndroid Build Coastguard Worker u8 tmp1[16], tmp2[16], tmp3[16];
40*03f9172cSAndroid Build Coastguard Worker int i;
41*03f9172cSAndroid Build Coastguard Worker
42*03f9172cSAndroid Build Coastguard Worker /* tmp1 = TEMP = E_K(RAND XOR OP_C) */
43*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
44*03f9172cSAndroid Build Coastguard Worker tmp1[i] = _rand[i] ^ opc[i];
45*03f9172cSAndroid Build Coastguard Worker if (aes_128_encrypt_block(k, tmp1, tmp1))
46*03f9172cSAndroid Build Coastguard Worker return -1;
47*03f9172cSAndroid Build Coastguard Worker
48*03f9172cSAndroid Build Coastguard Worker /* tmp2 = IN1 = SQN || AMF || SQN || AMF */
49*03f9172cSAndroid Build Coastguard Worker os_memcpy(tmp2, sqn, 6);
50*03f9172cSAndroid Build Coastguard Worker os_memcpy(tmp2 + 6, amf, 2);
51*03f9172cSAndroid Build Coastguard Worker os_memcpy(tmp2 + 8, tmp2, 8);
52*03f9172cSAndroid Build Coastguard Worker
53*03f9172cSAndroid Build Coastguard Worker /* OUT1 = E_K(TEMP XOR rot(IN1 XOR OP_C, r1) XOR c1) XOR OP_C */
54*03f9172cSAndroid Build Coastguard Worker
55*03f9172cSAndroid Build Coastguard Worker /* rotate (tmp2 XOR OP_C) by r1 (= 0x40 = 8 bytes) */
56*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
57*03f9172cSAndroid Build Coastguard Worker tmp3[(i + 8) % 16] = tmp2[i] ^ opc[i];
58*03f9172cSAndroid Build Coastguard Worker /* XOR with TEMP = E_K(RAND XOR OP_C) */
59*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
60*03f9172cSAndroid Build Coastguard Worker tmp3[i] ^= tmp1[i];
61*03f9172cSAndroid Build Coastguard Worker /* XOR with c1 (= ..00, i.e., NOP) */
62*03f9172cSAndroid Build Coastguard Worker
63*03f9172cSAndroid Build Coastguard Worker /* f1 || f1* = E_K(tmp3) XOR OP_c */
64*03f9172cSAndroid Build Coastguard Worker if (aes_128_encrypt_block(k, tmp3, tmp1))
65*03f9172cSAndroid Build Coastguard Worker return -1;
66*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
67*03f9172cSAndroid Build Coastguard Worker tmp1[i] ^= opc[i];
68*03f9172cSAndroid Build Coastguard Worker if (mac_a)
69*03f9172cSAndroid Build Coastguard Worker os_memcpy(mac_a, tmp1, 8); /* f1 */
70*03f9172cSAndroid Build Coastguard Worker if (mac_s)
71*03f9172cSAndroid Build Coastguard Worker os_memcpy(mac_s, tmp1 + 8, 8); /* f1* */
72*03f9172cSAndroid Build Coastguard Worker return 0;
73*03f9172cSAndroid Build Coastguard Worker }
74*03f9172cSAndroid Build Coastguard Worker
75*03f9172cSAndroid Build Coastguard Worker
76*03f9172cSAndroid Build Coastguard Worker /**
77*03f9172cSAndroid Build Coastguard Worker * milenage_f2345 - Milenage f2, f3, f4, f5, f5* algorithms
78*03f9172cSAndroid Build Coastguard Worker * @opc: OPc = 128-bit value derived from OP and K
79*03f9172cSAndroid Build Coastguard Worker * @k: K = 128-bit subscriber key
80*03f9172cSAndroid Build Coastguard Worker * @_rand: RAND = 128-bit random challenge
81*03f9172cSAndroid Build Coastguard Worker * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
82*03f9172cSAndroid Build Coastguard Worker * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
83*03f9172cSAndroid Build Coastguard Worker * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
84*03f9172cSAndroid Build Coastguard Worker * @ak: Buffer for AK = 48-bit anonymity key (f5), or %NULL
85*03f9172cSAndroid Build Coastguard Worker * @akstar: Buffer for AK = 48-bit anonymity key (f5*), or %NULL
86*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure
87*03f9172cSAndroid Build Coastguard Worker */
milenage_f2345(const u8 * opc,const u8 * k,const u8 * _rand,u8 * res,u8 * ck,u8 * ik,u8 * ak,u8 * akstar)88*03f9172cSAndroid Build Coastguard Worker int milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand,
89*03f9172cSAndroid Build Coastguard Worker u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar)
90*03f9172cSAndroid Build Coastguard Worker {
91*03f9172cSAndroid Build Coastguard Worker u8 tmp1[16], tmp2[16], tmp3[16];
92*03f9172cSAndroid Build Coastguard Worker int i;
93*03f9172cSAndroid Build Coastguard Worker
94*03f9172cSAndroid Build Coastguard Worker /* tmp2 = TEMP = E_K(RAND XOR OP_C) */
95*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
96*03f9172cSAndroid Build Coastguard Worker tmp1[i] = _rand[i] ^ opc[i];
97*03f9172cSAndroid Build Coastguard Worker if (aes_128_encrypt_block(k, tmp1, tmp2))
98*03f9172cSAndroid Build Coastguard Worker return -1;
99*03f9172cSAndroid Build Coastguard Worker
100*03f9172cSAndroid Build Coastguard Worker /* OUT2 = E_K(rot(TEMP XOR OP_C, r2) XOR c2) XOR OP_C */
101*03f9172cSAndroid Build Coastguard Worker /* OUT3 = E_K(rot(TEMP XOR OP_C, r3) XOR c3) XOR OP_C */
102*03f9172cSAndroid Build Coastguard Worker /* OUT4 = E_K(rot(TEMP XOR OP_C, r4) XOR c4) XOR OP_C */
103*03f9172cSAndroid Build Coastguard Worker /* OUT5 = E_K(rot(TEMP XOR OP_C, r5) XOR c5) XOR OP_C */
104*03f9172cSAndroid Build Coastguard Worker
105*03f9172cSAndroid Build Coastguard Worker /* f2 and f5 */
106*03f9172cSAndroid Build Coastguard Worker /* rotate by r2 (= 0, i.e., NOP) */
107*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
108*03f9172cSAndroid Build Coastguard Worker tmp1[i] = tmp2[i] ^ opc[i];
109*03f9172cSAndroid Build Coastguard Worker tmp1[15] ^= 1; /* XOR c2 (= ..01) */
110*03f9172cSAndroid Build Coastguard Worker /* f5 || f2 = E_K(tmp1) XOR OP_c */
111*03f9172cSAndroid Build Coastguard Worker if (aes_128_encrypt_block(k, tmp1, tmp3))
112*03f9172cSAndroid Build Coastguard Worker return -1;
113*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
114*03f9172cSAndroid Build Coastguard Worker tmp3[i] ^= opc[i];
115*03f9172cSAndroid Build Coastguard Worker if (res)
116*03f9172cSAndroid Build Coastguard Worker os_memcpy(res, tmp3 + 8, 8); /* f2 */
117*03f9172cSAndroid Build Coastguard Worker if (ak)
118*03f9172cSAndroid Build Coastguard Worker os_memcpy(ak, tmp3, 6); /* f5 */
119*03f9172cSAndroid Build Coastguard Worker
120*03f9172cSAndroid Build Coastguard Worker /* f3 */
121*03f9172cSAndroid Build Coastguard Worker if (ck) {
122*03f9172cSAndroid Build Coastguard Worker /* rotate by r3 = 0x20 = 4 bytes */
123*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
124*03f9172cSAndroid Build Coastguard Worker tmp1[(i + 12) % 16] = tmp2[i] ^ opc[i];
125*03f9172cSAndroid Build Coastguard Worker tmp1[15] ^= 2; /* XOR c3 (= ..02) */
126*03f9172cSAndroid Build Coastguard Worker if (aes_128_encrypt_block(k, tmp1, ck))
127*03f9172cSAndroid Build Coastguard Worker return -1;
128*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
129*03f9172cSAndroid Build Coastguard Worker ck[i] ^= opc[i];
130*03f9172cSAndroid Build Coastguard Worker }
131*03f9172cSAndroid Build Coastguard Worker
132*03f9172cSAndroid Build Coastguard Worker /* f4 */
133*03f9172cSAndroid Build Coastguard Worker if (ik) {
134*03f9172cSAndroid Build Coastguard Worker /* rotate by r4 = 0x40 = 8 bytes */
135*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
136*03f9172cSAndroid Build Coastguard Worker tmp1[(i + 8) % 16] = tmp2[i] ^ opc[i];
137*03f9172cSAndroid Build Coastguard Worker tmp1[15] ^= 4; /* XOR c4 (= ..04) */
138*03f9172cSAndroid Build Coastguard Worker if (aes_128_encrypt_block(k, tmp1, ik))
139*03f9172cSAndroid Build Coastguard Worker return -1;
140*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
141*03f9172cSAndroid Build Coastguard Worker ik[i] ^= opc[i];
142*03f9172cSAndroid Build Coastguard Worker }
143*03f9172cSAndroid Build Coastguard Worker
144*03f9172cSAndroid Build Coastguard Worker /* f5* */
145*03f9172cSAndroid Build Coastguard Worker if (akstar) {
146*03f9172cSAndroid Build Coastguard Worker /* rotate by r5 = 0x60 = 12 bytes */
147*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 16; i++)
148*03f9172cSAndroid Build Coastguard Worker tmp1[(i + 4) % 16] = tmp2[i] ^ opc[i];
149*03f9172cSAndroid Build Coastguard Worker tmp1[15] ^= 8; /* XOR c5 (= ..08) */
150*03f9172cSAndroid Build Coastguard Worker if (aes_128_encrypt_block(k, tmp1, tmp1))
151*03f9172cSAndroid Build Coastguard Worker return -1;
152*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 6; i++)
153*03f9172cSAndroid Build Coastguard Worker akstar[i] = tmp1[i] ^ opc[i];
154*03f9172cSAndroid Build Coastguard Worker }
155*03f9172cSAndroid Build Coastguard Worker
156*03f9172cSAndroid Build Coastguard Worker return 0;
157*03f9172cSAndroid Build Coastguard Worker }
158*03f9172cSAndroid Build Coastguard Worker
159*03f9172cSAndroid Build Coastguard Worker
160*03f9172cSAndroid Build Coastguard Worker /**
161*03f9172cSAndroid Build Coastguard Worker * milenage_generate - Generate AKA AUTN,IK,CK,RES
162*03f9172cSAndroid Build Coastguard Worker * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
163*03f9172cSAndroid Build Coastguard Worker * @amf: AMF = 16-bit authentication management field
164*03f9172cSAndroid Build Coastguard Worker * @k: K = 128-bit subscriber key
165*03f9172cSAndroid Build Coastguard Worker * @sqn: SQN = 48-bit sequence number
166*03f9172cSAndroid Build Coastguard Worker * @_rand: RAND = 128-bit random challenge
167*03f9172cSAndroid Build Coastguard Worker * @autn: Buffer for AUTN = 128-bit authentication token
168*03f9172cSAndroid Build Coastguard Worker * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
169*03f9172cSAndroid Build Coastguard Worker * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
170*03f9172cSAndroid Build Coastguard Worker * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
171*03f9172cSAndroid Build Coastguard Worker * @res_len: Max length for res; set to used length or 0 on failure
172*03f9172cSAndroid Build Coastguard Worker */
milenage_generate(const u8 * opc,const u8 * amf,const u8 * k,const u8 * sqn,const u8 * _rand,u8 * autn,u8 * ik,u8 * ck,u8 * res,size_t * res_len)173*03f9172cSAndroid Build Coastguard Worker void milenage_generate(const u8 *opc, const u8 *amf, const u8 *k,
174*03f9172cSAndroid Build Coastguard Worker const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik,
175*03f9172cSAndroid Build Coastguard Worker u8 *ck, u8 *res, size_t *res_len)
176*03f9172cSAndroid Build Coastguard Worker {
177*03f9172cSAndroid Build Coastguard Worker int i;
178*03f9172cSAndroid Build Coastguard Worker u8 mac_a[8], ak[6];
179*03f9172cSAndroid Build Coastguard Worker
180*03f9172cSAndroid Build Coastguard Worker if (*res_len < 8) {
181*03f9172cSAndroid Build Coastguard Worker *res_len = 0;
182*03f9172cSAndroid Build Coastguard Worker return;
183*03f9172cSAndroid Build Coastguard Worker }
184*03f9172cSAndroid Build Coastguard Worker if (milenage_f1(opc, k, _rand, sqn, amf, mac_a, NULL) ||
185*03f9172cSAndroid Build Coastguard Worker milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) {
186*03f9172cSAndroid Build Coastguard Worker *res_len = 0;
187*03f9172cSAndroid Build Coastguard Worker return;
188*03f9172cSAndroid Build Coastguard Worker }
189*03f9172cSAndroid Build Coastguard Worker *res_len = 8;
190*03f9172cSAndroid Build Coastguard Worker
191*03f9172cSAndroid Build Coastguard Worker /* AUTN = (SQN ^ AK) || AMF || MAC */
192*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 6; i++)
193*03f9172cSAndroid Build Coastguard Worker autn[i] = sqn[i] ^ ak[i];
194*03f9172cSAndroid Build Coastguard Worker os_memcpy(autn + 6, amf, 2);
195*03f9172cSAndroid Build Coastguard Worker os_memcpy(autn + 8, mac_a, 8);
196*03f9172cSAndroid Build Coastguard Worker }
197*03f9172cSAndroid Build Coastguard Worker
198*03f9172cSAndroid Build Coastguard Worker
199*03f9172cSAndroid Build Coastguard Worker /**
200*03f9172cSAndroid Build Coastguard Worker * milenage_auts - Milenage AUTS validation
201*03f9172cSAndroid Build Coastguard Worker * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
202*03f9172cSAndroid Build Coastguard Worker * @k: K = 128-bit subscriber key
203*03f9172cSAndroid Build Coastguard Worker * @_rand: RAND = 128-bit random challenge
204*03f9172cSAndroid Build Coastguard Worker * @auts: AUTS = 112-bit authentication token from client
205*03f9172cSAndroid Build Coastguard Worker * @sqn: Buffer for SQN = 48-bit sequence number
206*03f9172cSAndroid Build Coastguard Worker * Returns: 0 = success (sqn filled), -1 on failure
207*03f9172cSAndroid Build Coastguard Worker */
milenage_auts(const u8 * opc,const u8 * k,const u8 * _rand,const u8 * auts,u8 * sqn)208*03f9172cSAndroid Build Coastguard Worker int milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts,
209*03f9172cSAndroid Build Coastguard Worker u8 *sqn)
210*03f9172cSAndroid Build Coastguard Worker {
211*03f9172cSAndroid Build Coastguard Worker u8 amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
212*03f9172cSAndroid Build Coastguard Worker u8 ak[6], mac_s[8];
213*03f9172cSAndroid Build Coastguard Worker int i;
214*03f9172cSAndroid Build Coastguard Worker
215*03f9172cSAndroid Build Coastguard Worker if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
216*03f9172cSAndroid Build Coastguard Worker return -1;
217*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 6; i++)
218*03f9172cSAndroid Build Coastguard Worker sqn[i] = auts[i] ^ ak[i];
219*03f9172cSAndroid Build Coastguard Worker if (milenage_f1(opc, k, _rand, sqn, amf, NULL, mac_s) ||
220*03f9172cSAndroid Build Coastguard Worker os_memcmp_const(mac_s, auts + 6, 8) != 0)
221*03f9172cSAndroid Build Coastguard Worker return -1;
222*03f9172cSAndroid Build Coastguard Worker return 0;
223*03f9172cSAndroid Build Coastguard Worker }
224*03f9172cSAndroid Build Coastguard Worker
225*03f9172cSAndroid Build Coastguard Worker
226*03f9172cSAndroid Build Coastguard Worker /**
227*03f9172cSAndroid Build Coastguard Worker * gsm_milenage - Generate GSM-Milenage (3GPP TS 55.205) authentication triplet
228*03f9172cSAndroid Build Coastguard Worker * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
229*03f9172cSAndroid Build Coastguard Worker * @k: K = 128-bit subscriber key
230*03f9172cSAndroid Build Coastguard Worker * @_rand: RAND = 128-bit random challenge
231*03f9172cSAndroid Build Coastguard Worker * @sres: Buffer for SRES = 32-bit SRES
232*03f9172cSAndroid Build Coastguard Worker * @kc: Buffer for Kc = 64-bit Kc
233*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure
234*03f9172cSAndroid Build Coastguard Worker */
gsm_milenage(const u8 * opc,const u8 * k,const u8 * _rand,u8 * sres,u8 * kc)235*03f9172cSAndroid Build Coastguard Worker int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc)
236*03f9172cSAndroid Build Coastguard Worker {
237*03f9172cSAndroid Build Coastguard Worker u8 res[8], ck[16], ik[16];
238*03f9172cSAndroid Build Coastguard Worker int i;
239*03f9172cSAndroid Build Coastguard Worker
240*03f9172cSAndroid Build Coastguard Worker if (milenage_f2345(opc, k, _rand, res, ck, ik, NULL, NULL))
241*03f9172cSAndroid Build Coastguard Worker return -1;
242*03f9172cSAndroid Build Coastguard Worker
243*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 8; i++)
244*03f9172cSAndroid Build Coastguard Worker kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8];
245*03f9172cSAndroid Build Coastguard Worker
246*03f9172cSAndroid Build Coastguard Worker #ifdef GSM_MILENAGE_ALT_SRES
247*03f9172cSAndroid Build Coastguard Worker os_memcpy(sres, res, 4);
248*03f9172cSAndroid Build Coastguard Worker #else /* GSM_MILENAGE_ALT_SRES */
249*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 4; i++)
250*03f9172cSAndroid Build Coastguard Worker sres[i] = res[i] ^ res[i + 4];
251*03f9172cSAndroid Build Coastguard Worker #endif /* GSM_MILENAGE_ALT_SRES */
252*03f9172cSAndroid Build Coastguard Worker return 0;
253*03f9172cSAndroid Build Coastguard Worker }
254*03f9172cSAndroid Build Coastguard Worker
255*03f9172cSAndroid Build Coastguard Worker
256*03f9172cSAndroid Build Coastguard Worker /**
257*03f9172cSAndroid Build Coastguard Worker * milenage_generate - Generate AKA AUTN,IK,CK,RES
258*03f9172cSAndroid Build Coastguard Worker * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
259*03f9172cSAndroid Build Coastguard Worker * @k: K = 128-bit subscriber key
260*03f9172cSAndroid Build Coastguard Worker * @sqn: SQN = 48-bit sequence number
261*03f9172cSAndroid Build Coastguard Worker * @_rand: RAND = 128-bit random challenge
262*03f9172cSAndroid Build Coastguard Worker * @autn: AUTN = 128-bit authentication token
263*03f9172cSAndroid Build Coastguard Worker * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
264*03f9172cSAndroid Build Coastguard Worker * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
265*03f9172cSAndroid Build Coastguard Worker * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
266*03f9172cSAndroid Build Coastguard Worker * @res_len: Variable that will be set to RES length
267*03f9172cSAndroid Build Coastguard Worker * @auts: 112-bit buffer for AUTS
268*03f9172cSAndroid Build Coastguard Worker * Returns: 0 on success, -1 on failure, or -2 on synchronization failure
269*03f9172cSAndroid Build Coastguard Worker */
milenage_check(const u8 * opc,const u8 * k,const u8 * sqn,const u8 * _rand,const u8 * autn,u8 * ik,u8 * ck,u8 * res,size_t * res_len,u8 * auts)270*03f9172cSAndroid Build Coastguard Worker int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
271*03f9172cSAndroid Build Coastguard Worker const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
272*03f9172cSAndroid Build Coastguard Worker u8 *auts)
273*03f9172cSAndroid Build Coastguard Worker {
274*03f9172cSAndroid Build Coastguard Worker int i;
275*03f9172cSAndroid Build Coastguard Worker u8 mac_a[8], ak[6], rx_sqn[6];
276*03f9172cSAndroid Build Coastguard Worker const u8 *amf;
277*03f9172cSAndroid Build Coastguard Worker
278*03f9172cSAndroid Build Coastguard Worker wpa_hexdump(MSG_DEBUG, "Milenage: AUTN", autn, 16);
279*03f9172cSAndroid Build Coastguard Worker wpa_hexdump(MSG_DEBUG, "Milenage: RAND", _rand, 16);
280*03f9172cSAndroid Build Coastguard Worker
281*03f9172cSAndroid Build Coastguard Worker if (milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL))
282*03f9172cSAndroid Build Coastguard Worker return -1;
283*03f9172cSAndroid Build Coastguard Worker
284*03f9172cSAndroid Build Coastguard Worker *res_len = 8;
285*03f9172cSAndroid Build Coastguard Worker wpa_hexdump_key(MSG_DEBUG, "Milenage: RES", res, *res_len);
286*03f9172cSAndroid Build Coastguard Worker wpa_hexdump_key(MSG_DEBUG, "Milenage: CK", ck, 16);
287*03f9172cSAndroid Build Coastguard Worker wpa_hexdump_key(MSG_DEBUG, "Milenage: IK", ik, 16);
288*03f9172cSAndroid Build Coastguard Worker wpa_hexdump_key(MSG_DEBUG, "Milenage: AK", ak, 6);
289*03f9172cSAndroid Build Coastguard Worker
290*03f9172cSAndroid Build Coastguard Worker /* AUTN = (SQN ^ AK) || AMF || MAC */
291*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 6; i++)
292*03f9172cSAndroid Build Coastguard Worker rx_sqn[i] = autn[i] ^ ak[i];
293*03f9172cSAndroid Build Coastguard Worker wpa_hexdump(MSG_DEBUG, "Milenage: SQN", rx_sqn, 6);
294*03f9172cSAndroid Build Coastguard Worker
295*03f9172cSAndroid Build Coastguard Worker if (os_memcmp(rx_sqn, sqn, 6) <= 0) {
296*03f9172cSAndroid Build Coastguard Worker u8 auts_amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
297*03f9172cSAndroid Build Coastguard Worker if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
298*03f9172cSAndroid Build Coastguard Worker return -1;
299*03f9172cSAndroid Build Coastguard Worker wpa_hexdump_key(MSG_DEBUG, "Milenage: AK*", ak, 6);
300*03f9172cSAndroid Build Coastguard Worker for (i = 0; i < 6; i++)
301*03f9172cSAndroid Build Coastguard Worker auts[i] = sqn[i] ^ ak[i];
302*03f9172cSAndroid Build Coastguard Worker if (milenage_f1(opc, k, _rand, sqn, auts_amf, NULL, auts + 6))
303*03f9172cSAndroid Build Coastguard Worker return -1;
304*03f9172cSAndroid Build Coastguard Worker wpa_hexdump(MSG_DEBUG, "Milenage: AUTS", auts, 14);
305*03f9172cSAndroid Build Coastguard Worker return -2;
306*03f9172cSAndroid Build Coastguard Worker }
307*03f9172cSAndroid Build Coastguard Worker
308*03f9172cSAndroid Build Coastguard Worker amf = autn + 6;
309*03f9172cSAndroid Build Coastguard Worker wpa_hexdump(MSG_DEBUG, "Milenage: AMF", amf, 2);
310*03f9172cSAndroid Build Coastguard Worker if (milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL))
311*03f9172cSAndroid Build Coastguard Worker return -1;
312*03f9172cSAndroid Build Coastguard Worker
313*03f9172cSAndroid Build Coastguard Worker wpa_hexdump(MSG_DEBUG, "Milenage: MAC_A", mac_a, 8);
314*03f9172cSAndroid Build Coastguard Worker
315*03f9172cSAndroid Build Coastguard Worker if (os_memcmp_const(mac_a, autn + 8, 8) != 0) {
316*03f9172cSAndroid Build Coastguard Worker wpa_printf(MSG_DEBUG, "Milenage: MAC mismatch");
317*03f9172cSAndroid Build Coastguard Worker wpa_hexdump(MSG_DEBUG, "Milenage: Received MAC_A",
318*03f9172cSAndroid Build Coastguard Worker autn + 8, 8);
319*03f9172cSAndroid Build Coastguard Worker return -1;
320*03f9172cSAndroid Build Coastguard Worker }
321*03f9172cSAndroid Build Coastguard Worker
322*03f9172cSAndroid Build Coastguard Worker return 0;
323*03f9172cSAndroid Build Coastguard Worker }
324