xref: /freebsd/contrib/wpa/src/crypto/milenage.c (revision 884a2a699669ec61e2366e3e358342dbc94be24a) 
1 /*
2  * 3GPP AKA - Milenage algorithm (3GPP TS 35.205, .206, .207, .208)
3  * Copyright (c) 2006-2007 <j@w1.fi>
4  *
5  * This program is free software; you can redistribute it and/or modify
6  * it under the terms of the GNU General Public License version 2 as
7  * published by the Free Software Foundation.
8  *
9  * Alternatively, this software may be distributed under the terms of BSD
10  * license.
11  *
12  * See README and COPYING for more details.
13  *
14  * This file implements an example authentication algorithm defined for 3GPP
15  * AKA. This can be used to implement a simple HLR/AuC into hlr_auc_gw to allow
16  * EAP-AKA to be tested properly with real USIM cards.
17  *
18  * This implementations assumes that the r1..r5 and c1..c5 constants defined in
19  * TS 35.206 are used, i.e., r1=64, r2=0, r3=32, r4=64, r5=96, c1=00..00,
20  * c2=00..01, c3=00..02, c4=00..04, c5=00..08. The block cipher is assumed to
21  * be AES (Rijndael).
22  */
23 
24 #include "includes.h"
25 
26 #include "common.h"
27 #include "crypto/aes_wrap.h"
28 #include "milenage.h"
29 
30 
31 /**
32  * milenage_f1 - Milenage f1 and f1* algorithms
33  * @opc: OPc = 128-bit value derived from OP and K
34  * @k: K = 128-bit subscriber key
35  * @_rand: RAND = 128-bit random challenge
36  * @sqn: SQN = 48-bit sequence number
37  * @amf: AMF = 16-bit authentication management field
38  * @mac_a: Buffer for MAC-A = 64-bit network authentication code, or %NULL
39  * @mac_s: Buffer for MAC-S = 64-bit resync authentication code, or %NULL
40  * Returns: 0 on success, -1 on failure
41  */
42 int milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand,
43 		const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s)
44 {
45 	u8 tmp1[16], tmp2[16], tmp3[16];
46 	int i;
47 
48 	/* tmp1 = TEMP = E_K(RAND XOR OP_C) */
49 	for (i = 0; i < 16; i++)
50 		tmp1[i] = _rand[i] ^ opc[i];
51 	if (aes_128_encrypt_block(k, tmp1, tmp1))
52 		return -1;
53 
54 	/* tmp2 = IN1 = SQN || AMF || SQN || AMF */
55 	os_memcpy(tmp2, sqn, 6);
56 	os_memcpy(tmp2 + 6, amf, 2);
57 	os_memcpy(tmp2 + 8, tmp2, 8);
58 
59 	/* OUT1 = E_K(TEMP XOR rot(IN1 XOR OP_C, r1) XOR c1) XOR OP_C */
60 
61 	/* rotate (tmp2 XOR OP_C) by r1 (= 0x40 = 8 bytes) */
62 	for (i = 0; i < 16; i++)
63 		tmp3[(i + 8) % 16] = tmp2[i] ^ opc[i];
64 	/* XOR with TEMP = E_K(RAND XOR OP_C) */
65 	for (i = 0; i < 16; i++)
66 		tmp3[i] ^= tmp1[i];
67 	/* XOR with c1 (= ..00, i.e., NOP) */
68 
69 	/* f1 || f1* = E_K(tmp3) XOR OP_c */
70 	if (aes_128_encrypt_block(k, tmp3, tmp1))
71 		return -1;
72 	for (i = 0; i < 16; i++)
73 		tmp1[i] ^= opc[i];
74 	if (mac_a)
75 		os_memcpy(mac_a, tmp1, 8); /* f1 */
76 	if (mac_s)
77 		os_memcpy(mac_s, tmp1 + 8, 8); /* f1* */
78 	return 0;
79 }
80 
81 
82 /**
83  * milenage_f2345 - Milenage f2, f3, f4, f5, f5* algorithms
84  * @opc: OPc = 128-bit value derived from OP and K
85  * @k: K = 128-bit subscriber key
86  * @_rand: RAND = 128-bit random challenge
87  * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
88  * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
89  * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
90  * @ak: Buffer for AK = 48-bit anonymity key (f5), or %NULL
91  * @akstar: Buffer for AK = 48-bit anonymity key (f5*), or %NULL
92  * Returns: 0 on success, -1 on failure
93  */
94 int milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand,
95 		   u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar)
96 {
97 	u8 tmp1[16], tmp2[16], tmp3[16];
98 	int i;
99 
100 	/* tmp2 = TEMP = E_K(RAND XOR OP_C) */
101 	for (i = 0; i < 16; i++)
102 		tmp1[i] = _rand[i] ^ opc[i];
103 	if (aes_128_encrypt_block(k, tmp1, tmp2))
104 		return -1;
105 
106 	/* OUT2 = E_K(rot(TEMP XOR OP_C, r2) XOR c2) XOR OP_C */
107 	/* OUT3 = E_K(rot(TEMP XOR OP_C, r3) XOR c3) XOR OP_C */
108 	/* OUT4 = E_K(rot(TEMP XOR OP_C, r4) XOR c4) XOR OP_C */
109 	/* OUT5 = E_K(rot(TEMP XOR OP_C, r5) XOR c5) XOR OP_C */
110 
111 	/* f2 and f5 */
112 	/* rotate by r2 (= 0, i.e., NOP) */
113 	for (i = 0; i < 16; i++)
114 		tmp1[i] = tmp2[i] ^ opc[i];
115 	tmp1[15] ^= 1; /* XOR c2 (= ..01) */
116 	/* f5 || f2 = E_K(tmp1) XOR OP_c */
117 	if (aes_128_encrypt_block(k, tmp1, tmp3))
118 		return -1;
119 	for (i = 0; i < 16; i++)
120 		tmp3[i] ^= opc[i];
121 	if (res)
122 		os_memcpy(res, tmp3 + 8, 8); /* f2 */
123 	if (ak)
124 		os_memcpy(ak, tmp3, 6); /* f5 */
125 
126 	/* f3 */
127 	if (ck) {
128 		/* rotate by r3 = 0x20 = 4 bytes */
129 		for (i = 0; i < 16; i++)
130 			tmp1[(i + 12) % 16] = tmp2[i] ^ opc[i];
131 		tmp1[15] ^= 2; /* XOR c3 (= ..02) */
132 		if (aes_128_encrypt_block(k, tmp1, ck))
133 			return -1;
134 		for (i = 0; i < 16; i++)
135 			ck[i] ^= opc[i];
136 	}
137 
138 	/* f4 */
139 	if (ik) {
140 		/* rotate by r4 = 0x40 = 8 bytes */
141 		for (i = 0; i < 16; i++)
142 			tmp1[(i + 8) % 16] = tmp2[i] ^ opc[i];
143 		tmp1[15] ^= 4; /* XOR c4 (= ..04) */
144 		if (aes_128_encrypt_block(k, tmp1, ik))
145 			return -1;
146 		for (i = 0; i < 16; i++)
147 			ik[i] ^= opc[i];
148 	}
149 
150 	/* f5* */
151 	if (akstar) {
152 		/* rotate by r5 = 0x60 = 12 bytes */
153 		for (i = 0; i < 16; i++)
154 			tmp1[(i + 4) % 16] = tmp2[i] ^ opc[i];
155 		tmp1[15] ^= 8; /* XOR c5 (= ..08) */
156 		if (aes_128_encrypt_block(k, tmp1, tmp1))
157 			return -1;
158 		for (i = 0; i < 6; i++)
159 			akstar[i] = tmp1[i] ^ opc[i];
160 	}
161 
162 	return 0;
163 }
164 
165 
166 /**
167  * milenage_generate - Generate AKA AUTN,IK,CK,RES
168  * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
169  * @amf: AMF = 16-bit authentication management field
170  * @k: K = 128-bit subscriber key
171  * @sqn: SQN = 48-bit sequence number
172  * @_rand: RAND = 128-bit random challenge
173  * @autn: Buffer for AUTN = 128-bit authentication token
174  * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
175  * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
176  * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
177  * @res_len: Max length for res; set to used length or 0 on failure
178  */
179 void milenage_generate(const u8 *opc, const u8 *amf, const u8 *k,
180 		       const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik,
181 		       u8 *ck, u8 *res, size_t *res_len)
182 {
183 	int i;
184 	u8 mac_a[8], ak[6];
185 
186 	if (*res_len < 8) {
187 		*res_len = 0;
188 		return;
189 	}
190 	if (milenage_f1(opc, k, _rand, sqn, amf, mac_a, NULL) ||
191 	    milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) {
192 		*res_len = 0;
193 		return;
194 	}
195 	*res_len = 8;
196 
197 	/* AUTN = (SQN ^ AK) || AMF || MAC */
198 	for (i = 0; i < 6; i++)
199 		autn[i] = sqn[i] ^ ak[i];
200 	os_memcpy(autn + 6, amf, 2);
201 	os_memcpy(autn + 8, mac_a, 8);
202 }
203 
204 
205 /**
206  * milenage_auts - Milenage AUTS validation
207  * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
208  * @k: K = 128-bit subscriber key
209  * @_rand: RAND = 128-bit random challenge
210  * @auts: AUTS = 112-bit authentication token from client
211  * @sqn: Buffer for SQN = 48-bit sequence number
212  * Returns: 0 = success (sqn filled), -1 on failure
213  */
214 int milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts,
215 		  u8 *sqn)
216 {
217 	u8 amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
218 	u8 ak[6], mac_s[8];
219 	int i;
220 
221 	if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
222 		return -1;
223 	for (i = 0; i < 6; i++)
224 		sqn[i] = auts[i] ^ ak[i];
225 	if (milenage_f1(opc, k, _rand, sqn, amf, NULL, mac_s) ||
226 	    memcmp(mac_s, auts + 6, 8) != 0)
227 		return -1;
228 	return 0;
229 }
230 
231 
232 /**
233  * gsm_milenage - Generate GSM-Milenage (3GPP TS 55.205) authentication triplet
234  * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
235  * @k: K = 128-bit subscriber key
236  * @_rand: RAND = 128-bit random challenge
237  * @sres: Buffer for SRES = 32-bit SRES
238  * @kc: Buffer for Kc = 64-bit Kc
239  * Returns: 0 on success, -1 on failure
240  */
241 int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc)
242 {
243 	u8 res[8], ck[16], ik[16];
244 	int i;
245 
246 	if (milenage_f2345(opc, k, _rand, res, ck, ik, NULL, NULL))
247 		return -1;
248 
249 	for (i = 0; i < 8; i++)
250 		kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8];
251 
252 #ifdef GSM_MILENAGE_ALT_SRES
253 	os_memcpy(sres, res, 4);
254 #else /* GSM_MILENAGE_ALT_SRES */
255 	for (i = 0; i < 4; i++)
256 		sres[i] = res[i] ^ res[i + 4];
257 #endif /* GSM_MILENAGE_ALT_SRES */
258 	return 0;
259 }
260 
261 
262 /**
263  * milenage_generate - Generate AKA AUTN,IK,CK,RES
264  * @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
265  * @k: K = 128-bit subscriber key
266  * @sqn: SQN = 48-bit sequence number
267  * @_rand: RAND = 128-bit random challenge
268  * @autn: AUTN = 128-bit authentication token
269  * @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
270  * @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
271  * @res: Buffer for RES = 64-bit signed response (f2), or %NULL
272  * @res_len: Variable that will be set to RES length
273  * @auts: 112-bit buffer for AUTS
274  * Returns: 0 on success, -1 on failure, or -2 on synchronization failure
275  */
276 int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
277 		   const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
278 		   u8 *auts)
279 {
280 	int i;
281 	u8 mac_a[8], ak[6], rx_sqn[6];
282 	const u8 *amf;
283 
284 	wpa_hexdump(MSG_DEBUG, "Milenage: AUTN", autn, 16);
285 	wpa_hexdump(MSG_DEBUG, "Milenage: RAND", _rand, 16);
286 
287 	if (milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL))
288 		return -1;
289 
290 	*res_len = 8;
291 	wpa_hexdump_key(MSG_DEBUG, "Milenage: RES", res, *res_len);
292 	wpa_hexdump_key(MSG_DEBUG, "Milenage: CK", ck, 16);
293 	wpa_hexdump_key(MSG_DEBUG, "Milenage: IK", ik, 16);
294 	wpa_hexdump_key(MSG_DEBUG, "Milenage: AK", ak, 6);
295 
296 	/* AUTN = (SQN ^ AK) || AMF || MAC */
297 	for (i = 0; i < 6; i++)
298 		rx_sqn[i] = autn[i] ^ ak[i];
299 	wpa_hexdump(MSG_DEBUG, "Milenage: SQN", rx_sqn, 6);
300 
301 	if (os_memcmp(rx_sqn, sqn, 6) <= 0) {
302 		u8 auts_amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
303 		if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
304 			return -1;
305 		wpa_hexdump_key(MSG_DEBUG, "Milenage: AK*", ak, 6);
306 		for (i = 0; i < 6; i++)
307 			auts[i] = sqn[i] ^ ak[i];
308 		if (milenage_f1(opc, k, _rand, sqn, auts_amf, NULL, auts + 6))
309 			return -1;
310 		wpa_hexdump(MSG_DEBUG, "Milenage: AUTS", auts, 14);
311 		return -2;
312 	}
313 
314 	amf = autn + 6;
315 	wpa_hexdump(MSG_DEBUG, "Milenage: AMF", amf, 2);
316 	if (milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL))
317 		return -1;
318 
319 	wpa_hexdump(MSG_DEBUG, "Milenage: MAC_A", mac_a, 8);
320 
321 	if (os_memcmp(mac_a, autn + 8, 8) != 0) {
322 		wpa_printf(MSG_DEBUG, "Milenage: MAC mismatch");
323 		wpa_hexdump(MSG_DEBUG, "Milenage: Received MAC_A",
324 			    autn + 8, 8);
325 		return -1;
326 	}
327 
328 	return 0;
329 }
330