/* * Copyright (C) 2017 Tobias Brunner * Copyright (C) 2008-2009 Martin Willi * HSR Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ /* * Copyright (C) 2015 Thomas Strangert * Polystar System AB, Sweden * * Permission is hereby granted, free of charge, to any person obtaining a copy * of this software and associated documentation files (the "Software"), to deal * in the Software without restriction, including without limitation the rights * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the Software is * furnished to do so, subject to the following conditions: * * The above copyright notice and this permission notice shall be included in * all copies or substantial portions of the Software. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN * THE SOFTWARE. */ #include "eap_aka_3gpp_functions.h" #include #include #include typedef struct private_eap_aka_3gpp_functions_t private_eap_aka_3gpp_functions_t; /** * Private data of an eap_aka_3gpp_functions_t object. */ struct private_eap_aka_3gpp_functions_t { /** * Public eap_aka_3gpp_functions_t interface. */ eap_aka_3gpp_functions_t public; /** * AES instance */ crypter_t *crypter; }; /* * Described in header */ bool eap_aka_3gpp_get_k_opc(identification_t *id, uint8_t k[AKA_K_LEN], uint8_t opc[AKA_OPC_LEN]) { shared_key_t *shared; chunk_t key; shared = lib->credmgr->get_shared(lib->credmgr, SHARED_EAP, id, NULL); if (!shared) { return FALSE; } key = shared->get_key(shared); if (key.len == AKA_K_LEN) { memcpy(k, key.ptr, AKA_K_LEN); /* set OPc to a neutral default value, harmless to XOR with */ memset(opc, '\0', AKA_OPC_LEN); } else if (key.len == AKA_K_LEN + AKA_OPC_LEN) { memcpy(k, key.ptr, AKA_K_LEN); memcpy(opc, key.ptr + AKA_K_LEN, AKA_OPC_LEN); } else { DBG1(DBG_IKE, "invalid EAP K or K+OPc key found for %Y to authenticate " "with AKA, should be a %d or %d byte long binary value", id, AKA_K_LEN, AKA_K_LEN + AKA_OPC_LEN); shared->destroy(shared); return FALSE; } shared->destroy(shared); return TRUE; } /* * Described in header */ void eap_aka_3gpp_get_sqn(uint8_t sqn[AKA_SQN_LEN], int offset) { timeval_t time; gettimeofday(&time, NULL); /* set sqn to an integer containing 4 bytes seconds + 2 bytes usecs */ time.tv_sec = htonl(time.tv_sec + offset); /* usec's are never larger than 0x000f423f, so we shift the 12 first bits */ time.tv_usec = htonl(time.tv_usec << 12); memcpy(sqn, (uint8_t*)&time.tv_sec + sizeof(time_t) - 4, 4); memcpy(sqn + 4, &time.tv_usec, 2); } static bool f1andf1star(private_eap_aka_3gpp_functions_t *this, const uint8_t k[AKA_K_LEN], const uint8_t opc[AKA_OPC_LEN], const uint8_t rand[AKA_RAND_LEN], const uint8_t sqn[AKA_SQN_LEN], const uint8_t amf[AKA_AMF_LEN], uint8_t mac[16]) { uint8_t i, data[16], in[16], iv[16] = { 0 }; if (!this->crypter->set_key(this->crypter, chunk_create((uint8_t*)k, AKA_K_LEN))) { return FALSE; } /* XOR RAND and OPc */ memcpy(data, rand, sizeof(data)); memxor(data, opc, sizeof(data)); if (!this->crypter->encrypt(this->crypter, chunk_create(data, sizeof(data)), chunk_create(iv, sizeof(iv)), NULL)) { return FALSE; } /* concatenate SQN || AMF ||SQN || AMF */ memcpy(in, sqn, 6); memcpy(&in[6], amf, 2); memcpy(&in[8], in, 8); /* XOR opc and in, rotate by r1=64, and XOR * on the constant c1 (which is all zeroes) and finally the output above */ for (i = 0; i < 16; i++) { data[(i + 8) % 16] ^= in[i] ^ opc[i]; } if (!this->crypter->encrypt(this->crypter, chunk_create(data, sizeof(data)), chunk_create(iv, sizeof(iv)), NULL)) { return FALSE; } memxor(data, opc, sizeof(data)); memcpy(mac, data, 16); return TRUE; } METHOD(eap_aka_3gpp_functions_t, f1, bool, private_eap_aka_3gpp_functions_t *this, const uint8_t k[AKA_K_LEN], const uint8_t opc[AKA_OPC_LEN], const uint8_t rand[AKA_RAND_LEN], const uint8_t sqn[AKA_SQN_LEN], const uint8_t amf[AKA_AMF_LEN], uint8_t maca[AKA_MAC_LEN]) { uint8_t mac[16]; if (!f1andf1star(this, k, opc, rand, sqn, amf, mac)) { return FALSE; } /* only diff between f1 and f1* is here: * f1 uses bytes 0-7 as MAC-A * f1* uses bytes 8-15 as MAC-S */ memcpy(maca, mac, AKA_MAC_LEN); return TRUE; } METHOD(eap_aka_3gpp_functions_t, f1star, bool, private_eap_aka_3gpp_functions_t *this, const uint8_t k[AKA_K_LEN], const uint8_t opc[AKA_OPC_LEN], const uint8_t rand[AKA_RAND_LEN], const uint8_t sqn[AKA_SQN_LEN], const uint8_t amf[AKA_AMF_LEN], uint8_t macs[AKA_MAC_LEN]) { uint8_t mac[16]; if (!f1andf1star(this, k, opc, rand, sqn, amf, mac)) { return FALSE; } /* only diff between f1 and f1* is here: * f1 uses bytes 0-7 as MAC-A * f1* uses bytes 8-15 as MAC-S */ memcpy(macs, &mac[8], AKA_MAC_LEN); return TRUE; } METHOD(eap_aka_3gpp_functions_t, f2345, bool, private_eap_aka_3gpp_functions_t *this, const uint8_t k[AKA_K_LEN], const uint8_t opc[AKA_OPC_LEN], const uint8_t rand[AKA_RAND_LEN], uint8_t res[AKA_RES_LEN], uint8_t ck[AKA_CK_LEN], uint8_t ik[AKA_IK_LEN], uint8_t ak[AKA_AK_LEN]) { uint8_t data[16], iv[16] = { 0 }; chunk_t temp; uint8_t i; if (!this->crypter->set_key(this->crypter, chunk_create((uint8_t*)k, AKA_K_LEN))) { return FALSE; } /* XOR RAND and OPc */ memcpy(data, rand, sizeof(data)); memxor(data, opc, sizeof(data)); if (!this->crypter->encrypt(this->crypter, chunk_create(data, sizeof(data)), chunk_create(iv, sizeof(iv)), &temp)) { return FALSE; } /* to obtain output block OUT2: XOR OPc and TEMP, * rotate by r2=0, and XOR on the constant c2 (which is all zeroes except * that the last bit is 1). */ for (i = 0; i < 16; i++) { data[i] = temp.ptr[i] ^ opc[i]; } data[15] ^= 1; if (!this->crypter->encrypt(this->crypter, chunk_create(data, sizeof(data)), chunk_create(iv, sizeof(iv)), NULL)) { chunk_free(&temp); return FALSE; } memxor(data, opc, sizeof(data)); /* f5 output */ memcpy(ak, data, 6); /* f2 output */ memcpy(res, &data[8], 8); /* to obtain output block OUT3: XOR OPc and TEMP, * rotate by r3=32, and XOR on the constant c3 (which * is all zeroes except that the next to last bit is 1) */ for (i = 0; i < 16; i++) { data[(i + 12) % 16] = temp.ptr[i] ^ opc[i]; } data[15] ^= 2; if (!this->crypter->encrypt(this->crypter, chunk_create(data, sizeof(data)), chunk_create(iv, sizeof(iv)), NULL)) { chunk_free(&temp); return FALSE; } memxor(data, opc, sizeof(data)); /* f3 output */ memcpy(ck, data, 16); /* to obtain output block OUT4: XOR OPc and TEMP, * rotate by r4=64, and XOR on the constant c4 (which * is all zeroes except that the 2nd from last bit is 1). */ for (i = 0; i < 16; i++) { data[(i + 8) % 16] = temp.ptr[i] ^ opc[i]; } data[15] ^= 4; if (!this->crypter->encrypt(this->crypter, chunk_create(data, sizeof(data)), chunk_create(iv, sizeof(iv)), NULL)) { chunk_free(&temp); return FALSE; } memxor(data, opc, sizeof(data)); /* f4 output */ memcpy(ik, data, 16); chunk_free(&temp); return TRUE; } METHOD(eap_aka_3gpp_functions_t, f5star, bool, private_eap_aka_3gpp_functions_t *this, const uint8_t k[AKA_K_LEN], const uint8_t opc[AKA_OPC_LEN], const uint8_t rand[AKA_RAND_LEN], uint8_t aks[AKA_AK_LEN]) { uint8_t i, data[16], iv[16] = { 0 }; chunk_t temp; if (!this->crypter->set_key(this->crypter, chunk_create((uint8_t*)k, AKA_K_LEN))) { return FALSE; } /* XOR RAND and OPc */ memcpy(data, rand, sizeof(data)); memxor(data, opc, sizeof(data)); if (!this->crypter->encrypt(this->crypter, chunk_create(data, sizeof(data)), chunk_create(iv, sizeof(iv)), &temp)) { return FALSE; } /* to obtain output block OUT5: XOR OPc and the output above, * rotate by r5=96, and XOR on the constant c5 (which * is all zeroes except that the 3rd from last bit is 1). */ for (i = 0; i < 16; i++) { data[(i + 4) % 16] = temp.ptr[i] ^ opc[i]; } data[15] ^= 8; chunk_free(&temp); if (!this->crypter->encrypt(this->crypter, chunk_create(data, sizeof(data)), chunk_create(iv, sizeof(iv)), NULL)) { return FALSE; } memxor(data, opc, sizeof(data)); memcpy(aks, data, 6); return TRUE; } METHOD(eap_aka_3gpp_functions_t, destroy, void, private_eap_aka_3gpp_functions_t *this) { this->crypter->destroy(this->crypter); free(this); } /** * See header */ eap_aka_3gpp_functions_t *eap_aka_3gpp_functions_create() { private_eap_aka_3gpp_functions_t *this; INIT(this, .public = { .f1 = _f1, .f1star = _f1star, .f2345 = _f2345, .f5star = _f5star, .destroy = _destroy, }, .crypter = lib->crypto->create_crypter(lib->crypto, ENCR_AES_CBC, 16), ); if (!this->crypter) { DBG1(DBG_IKE, "%N not supported, unable to use 3GPP algorithm", encryption_algorithm_names, ENCR_AES_CBC); free(this); return NULL; } return &this->public; }