acouzens
/
open5gs
1
0
Fork 1
Code Issues Pull Requests 1 Projects Releases Wiki Activity

enc/int algorithm is added

This commit is contained in:
Sukchan Lee 2017-03-07 17:10:38 +09:00
parent 199c9f8327
commit 362b2339a2
8 changed files with 1647 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/mme/Makefile.am
View File

@ -3,14 +3,14 @@
noinst_LTLIBRARIES = libmme.la
libmme_la_SOURCES = \
kdf.h \
kdf.h kasumi.h snow_3g.h zuc.h \
event.h context.h \
s1ap_build.h s1ap_conv.h s1ap_path.h \
nas_conv.h \
sm.h s6a_sm.h
nodist_libmme_la_SOURCES = \
kdf.c \
kdf.c kasumi.c snow_3g.c zuc.c \
init.c event.c context.c \
s1ap_build.c s1ap_conv.c s1ap_path.c \
nas_conv.c \

2
src/mme/event.h
View File

@ -126,4 +126,4 @@ char* event_get_name(event_t *e);
}
#endif /* __cplusplus */
#endif /* !__EVENT_H__ */
#endif /* __EVENT_H__ */

470
src/mme/kasumi.c Normal file
View File

@ -0,0 +1,470 @@
/*-----------------------------------------------------------------------
* kasumi.c
*-----------------------------------------------------------------------
*
* A sample implementation of KASUMI, the core algorithm for the
* 3GPP Confidentiality and Integrity algorithms.
*
* This has been coded for clarity, not necessarily for efficiency.
*
* This will compile and run correctly on both Intel (little endian)
* and Sparc (big endian) machines. (Compilers used supported 32-bit ints).
*
* Version 1.1 08 May 2000
*
*-----------------------------------------------------------------------*/
#include "kasumi.h"
/*--------- 16 bit rotate left ------------------------------------------*/
#define ROL16(a,b) (u16)((a<<b)|(a>>(16-b)))
/*-------- globals: The subkey arrays -----------------------------------*/
static u16 KLi1[8], KLi2[8];
static u16 KOi1[8], KOi2[8], KOi3[8];
static u16 KIi1[8], KIi2[8], KIi3[8];
/*---------------------------------------------------------------------
* FI()
* The FI function (fig 3). It includes the S7 and S9 tables.
* Transforms a 16-bit value.
*---------------------------------------------------------------------*/
static u16 FI( u16 in, u16 subkey )
{
u16 nine, seven;
static u16 S7[] = {
54, 50, 62, 56, 22, 34, 94, 96, 38, 6, 63, 93, 2, 18,123, 33,
55,113, 39,114, 21, 67, 65, 12, 47, 73, 46, 27, 25,111,124, 81,
53, 9,121, 79, 52, 60, 58, 48,101,127, 40,120,104, 70, 71, 43,
20,122, 72, 61, 23,109, 13,100, 77, 1, 16, 7, 82, 10,105, 98,
117,116, 76, 11, 89,106, 0,125,118, 99, 86, 69, 30, 57,126, 87,
112, 51, 17, 5, 95, 14, 90, 84, 91, 8, 35,103, 32, 97, 28, 66,
102, 31, 26, 45, 75, 4, 85, 92, 37, 74, 80, 49, 68, 29,115, 44,
64,107,108, 24,110, 83, 36, 78, 42, 19, 15, 41, 88,119, 59, 3};
static u16 S9[] = {
167,239,161,379,391,334, 9,338, 38,226, 48,358,452,385, 90,397,
183,253,147,331,415,340, 51,362,306,500,262, 82,216,159,356,177,
175,241,489, 37,206, 17, 0,333, 44,254,378, 58,143,220, 81,400,
95, 3,315,245, 54,235,218,405,472,264,172,494,371,290,399, 76,
165,197,395,121,257,480,423,212,240, 28,462,176,406,507,288,223,
501,407,249,265, 89,186,221,428,164, 74,440,196,458,421,350,163,
232,158,134,354, 13,250,491,142,191, 69,193,425,152,227,366,135,
344,300,276,242,437,320,113,278, 11,243, 87,317, 36, 93,496, 27,
487,446,482, 41, 68,156,457,131,326,403,339, 20, 39,115,442,124,
475,384,508, 53,112,170,479,151,126,169, 73,268,279,321,168,364,
363,292, 46,499,393,327,324, 24,456,267,157,460,488,426,309,229,
439,506,208,271,349,401,434,236, 16,209,359, 52, 56,120,199,277,
465,416,252,287,246, 6, 83,305,420,345,153,502, 65, 61,244,282,
173,222,418, 67,386,368,261,101,476,291,195,430, 49, 79,166,330,
280,383,373,128,382,408,155,495,367,388,274,107,459,417, 62,454,
132,225,203,316,234, 14,301, 91,503,286,424,211,347,307,140,374,
35,103,125,427, 19,214,453,146,498,314,444,230,256,329,198,285,
50,116, 78,410, 10,205,510,171,231, 45,139,467, 29, 86,505, 32,
72, 26,342,150,313,490,431,238,411,325,149,473, 40,119,174,355,
185,233,389, 71,448,273,372, 55,110,178,322, 12,469,392,369,190,
1,109,375,137,181, 88, 75,308,260,484, 98,272,370,275,412,111,
336,318, 4,504,492,259,304, 77,337,435, 21,357,303,332,483, 18,
47, 85, 25,497,474,289,100,269,296,478,270,106, 31,104,433, 84,
414,486,394, 96, 99,154,511,148,413,361,409,255,162,215,302,201,
266,351,343,144,441,365,108,298,251, 34,182,509,138,210,335,133,
311,352,328,141,396,346,123,319,450,281,429,228,443,481, 92,404,
485,422,248,297, 23,213,130,466, 22,217,283, 70,294,360,419,127,
312,377, 7,468,194, 2,117,295,463,258,224,447,247,187, 80,398,
284,353,105,390,299,471,470,184, 57,200,348, 63,204,188, 33,451,
97, 30,310,219, 94,160,129,493, 64,179,263,102,189,207,114,402,
438,477,387,122,192, 42,381, 5,145,118,180,449,293,323,136,380,
43, 66, 60,455,341,445,202,432, 8,237, 15,376,436,464, 59,461};
/* The sixteen bit input is split into two unequal halves, *
* nine bits and seven bits - as is the subkey */
nine = (u16)(in>>7);
seven = (u16)(in&0x7F);
/* Now run the various operations */
nine = (u16)(S9[nine] ^ seven);
seven = (u16)(S7[seven] ^ (nine & 0x7F));
seven ^= (subkey>>9);
nine ^= (subkey&0x1FF);
nine = (u16)(S9[nine] ^ seven);
seven = (u16)(S7[seven] ^ (nine & 0x7F));
in = (u16)((seven<<9) + nine);
return( in );
}
/*---------------------------------------------------------------------
* FO()
* The FO() function.
* Transforms a 32-bit value. Uses <index> to identify the
* appropriate subkeys to use.
*---------------------------------------------------------------------*/
static u32 FO( u32 in, int index )
{
u16 left, right;
/* Split the input into two 16-bit words */
left = (u16)(in>>16);
right = (u16) in;
/* Now apply the same basic transformation three times */
left ^= KOi1[index];
left = FI( left, KIi1[index] );
left ^= right;
right ^= KOi2[index];
right = FI( right, KIi2[index] );
right ^= left;
left ^= KOi3[index];
left = FI( left, KIi3[index] );
left ^= right;
in = (((u32)right)<<16)+left;
return( in );
}
/*---------------------------------------------------------------------
* FL()
* The FL() function.
* Transforms a 32-bit value. Uses <index> to identify the
* appropriate subkeys to use.
*---------------------------------------------------------------------*/
static u32 FL( u32 in, int index )
{
u16 l, r, a, b;
/* split out the left and right halves */
l = (u16)(in>>16);
r = (u16)(in);
/* do the FL() operations */
a = (u16) (l & KLi1[index]);
r ^= ROL16(a,1);
b = (u16)(r | KLi2[index]);
l ^= ROL16(b,1);
/* put the two halves back together */
in = (((u32)l)<<16) + r;
return( in );
}
/*---------------------------------------------------------------------
* kasumi()
* the Main algorithm (fig 1). Apply the same pair of operations
* four times. Transforms the 64-bit input.
*---------------------------------------------------------------------*/
void kasumi( u8 *data )
{
u32 left, right, temp;
REGISTER32 *d;
int n;
/* Start by getting the data into two 32-bit words (endian corect) */
d = (REGISTER32*)data;
left = (((u32)d[0].b8[0])<<24)+(((u32)d[0].b8[1])<<16)
+(d[0].b8[2]<<8)+(d[0].b8[3]);
right = (((u32)d[1].b8[0])<<24)+(((u32)d[1].b8[1])<<16)
+(d[1].b8[2]<<8)+(d[1].b8[3]);
n = 0;
do {
temp = FL( left, n );
temp = FO( temp, n++ );
right ^= temp;
temp = FO( right, n );
temp = FL( temp, n++ );
left ^= temp;
} while( n<=7 );
/* return the correct endian result */
d[0].b8[0] = (u8)(left>>24); d[1].b8[0] = (u8)(right>>24);
d[0].b8[1] = (u8)(left>>16); d[1].b8[1] = (u8)(right>>16);
d[0].b8[2] = (u8)(left>>8); d[1].b8[2] = (u8)(right>>8);
d[0].b8[3] = (u8)(left); d[1].b8[3] = (u8)(right);
/* strange issue with gcc, where data is not updated
with left and right values... give a try like this:
data = d;
actually not working... */
}
/*---------------------------------------------------------------------
* kasumi_key_schedule()
* Build the key schedule. Most "key" operations use 16-bit
* subkeys so we build u16-sized arrays that are "endian" correct.
*---------------------------------------------------------------------*/
void kasumi_key_schedule( u8 *k )
{
static u16 C[] = {
0x0123,0x4567,0x89AB,0xCDEF, 0xFEDC,0xBA98,0x7654,0x3210 };
u16 key[8], Kprime[8];
REGISTER16 *k16;
int n;
/* Start by ensuring the subkeys are endian correct on a 16-bit basis */
k16 = (REGISTER16 *)k;
for( n=0; n<8; ++n )
key[n] = (u16)((k16[n].b8[0]<<8) + (k16[n].b8[1]));
/* Now build the K'[] keys */
for( n=0; n<8; ++n )
Kprime[n] = (u16)(key[n] ^ C[n]);
/* Finally construct the various sub keys */
for( n=0; n<8; ++n )
{
KLi1[n] = ROL16(key[n],1);
KLi2[n] = Kprime[(n+2)&0x7];
KOi1[n] = ROL16(key[(n+1)&0x7],5);
KOi2[n] = ROL16(key[(n+5)&0x7],8);
KOi3[n] = ROL16(key[(n+6)&0x7],13);
KIi1[n] = Kprime[(n+4)&0x7];
KIi2[n] = Kprime[(n+3)&0x7];
KIi3[n] = Kprime[(n+7)&0x7];
}
}
/*---------------------------------------------------------------------
* e n d o f k a s u m i . c
*---------------------------------------------------------------------*/
/*-------------------------------------------------------------------
* F8 - Confidentiality Algorithm
*-------------------------------------------------------------------
*
* A sample implementation of f8, the 3GPP Confidentiality algorithm.
*
* This has been coded for clarity, not necessarily for efficiency.
*
* This will compile and run correctly on both Intel (little endian)
* and Sparc (big endian) machines. (Compilers used supported 32-bit ints)
*
* Version 1.0 05 November 1999
*
*-------------------------------------------------------------------*/
/*---------------------------------------------------------
* f8()
* Given key, count, bearer, direction, data,
* and bit length encrypt the bit stream
*---------------------------------------------------------*/
void kasumi_f8(u8 *key, u32 count, u32 bearer, u32 dir, u8 *data, int length)
{
REGISTER64 A; /* the modifier */
REGISTER64 temp; /* The working register */
int i, n;
int lastbits = (8-(length%8)) % 8;
u8 ModKey[16]; /* Modified key */
u16 blkcnt; /* The block counter */
/* Start by building our global modifier */
temp.b32[0] = temp.b32[1] = 0;
A.b32[0] = A.b32[1] = 0;
/* initialise register in an endian correct manner*/
A.b8[0] = (u8) (count>>24);
A.b8[1] = (u8) (count>>16);
A.b8[2] = (u8) (count>>8);
A.b8[3] = (u8) (count);
A.b8[4] = (u8) (bearer<<3);
A.b8[4] |= (u8) (dir<<2);
/* Construct the modified key and then "kasumi" A */
for( n=0; n<16; ++n )
ModKey[n] = (u8)(key[n] ^ 0x55);
kasumi_key_schedule( ModKey );
kasumi( A.b8 ); /* First encryption to create modifier */
/* Final initialisation steps */
blkcnt = 0;
kasumi_key_schedule( key );
/* Now run the block cipher */
while( length > 0 )
{
/* First we calculate the next 64-bits of keystream */
/* XOR in A and BLKCNT to last value */
temp.b32[0] ^= A.b32[0];
temp.b32[1] ^= A.b32[1];
temp.b8[7] ^= (u8) blkcnt;
temp.b8[6] ^= (u8) (blkcnt>>8);
/* KASUMI it to produce the next block of keystream */
kasumi( temp.b8 );
/* Set <n> to the number of bytes of input data *
* we have to modify. (=8 if length <= 64) */
if( length >= 64 )
n = 8;
else
n = (length+7)/8;
/* XOR the keystream with the input data stream */
for( i=0; i<n; ++i )
*data++ ^= temp.b8[i];
length -= 64; /* done another 64 bits */
++blkcnt; /* increment BLKCNT */
}
/* zero last bits of data in case its length is not byte-aligned
this is an addition to the C reference code, which did not handle it */
#if 0 /* modified by acetcom */
if (lastbits)
*data-- ;
#else
if (lastbits)
data-- ;
#endif
*data &= 256 - (1<<lastbits) ;
}
/*-----------------------------------------------------------
* e n d o f f 8 . c
*-----------------------------------------------------------*/
/*-------------------------------------------------------------------
* F9 - Integrity Algorithm
*-------------------------------------------------------------------
*
* A sample implementation of f9, the 3GPP Integrity algorithm.
*
* This has been coded for clarity, not necessarily for efficiency.
*
* This will compile and run correctly on both Intel (little endian)
* and Sparc (big endian) machines. (Compilers used supported 32-bit ints)
*
* Version 1.1 05 September 2000
*
*-------------------------------------------------------------------*/
/*---------------------------------------------------------
* f9()
* Given key, count, fresh, direction, data,
* and message length, calculate the hash value
*---------------------------------------------------------*/
u8 *kasumi_f9(u8 *key, u32 count, u32 fresh, u32 dir, u8 *data, int length)
{
REGISTER64 A; /* Holds the CBC chained data */
REGISTER64 B; /* Holds the XOR of all KASUMI outputs */
u8 FinalBit[8] = {0x80, 0x40, 0x20, 0x10, 8,4,2,1};
u8 ModKey[16];
static u8 mac_i[4]; /* static memory for the result */
int i, n;
/* Start by initialising the block cipher */
kasumi_key_schedule( key );
/* Next initialise the MAC chain. Make sure we *
* have the data in the right byte order. *
* <A> holds our chaining value... *
* <B> is the running XOR of all KASUMI o/ps */
for( n=0; n<4; ++n )
{
A.b8[n] = (u8)(count>>(24-(n*8)));
A.b8[n+4] = (u8)(fresh>>(24-(n*8)));
}
kasumi( A.b8 );
B.b32[0] = A.b32[0];
B.b32[1] = A.b32[1];
/* Now run the blocks until we reach the last block */
while( length >= 64 )
{
for( n=0; n<8; ++n )
A.b8[n] ^= *data++;
kasumi( A.b8 );
length -= 64;
B.b32[0] ^= A.b32[0]; /* running XOR across */
B.b32[1] ^= A.b32[1]; /* the block outputs */
}
/* Process whole bytes in the last block */
n = 0;
while( length >=8 )
{
A.b8[n++] ^= *data++;
length -= 8;
}
/* Now add the direction bit to the input bit stream *
* If length (which holds the # of data bits in the *
* last byte) is non-zero we add it in, otherwise *
* it has to start a new byte. */
if( length )
{
i = *data;
if( dir )
i |= FinalBit[length];
}
else
i = dir ? 0x80 : 0;
A.b8[n++] ^= (u8)i;
/* Now add in the final '1' bit. The problem here *
* is if the message length happens to be n*64-1. *
* If so we need to process this block and then *
* create a new input block of 0x8000000000000000. */
if( (length==7) && (n==8) ) /* then we've filled the block */
{
kasumi( A.b8 );
B.b32[0] ^= A.b32[0]; /* running XOR across */
B.b32[1] ^= A.b32[1]; /* the block outputs */
A.b8[0] ^= 0x80; /* toggle first bit */
i = 0x80;
n = 1;
}
else
{
if( length == 7 ) /* we finished off the last byte */
A.b8[n] ^= 0x80; /* so start a new one..... */
else
A.b8[n-1] ^= FinalBit[length+1];
}
kasumi( A.b8 );
B.b32[0] ^= A.b32[0]; /* running XOR across */
B.b32[1] ^= A.b32[1]; /* the block outputs */
/* Final step is to KASUMI what we have using the *
* key XORd with 0xAAAA..... */
for( n=0; n<16; ++n )
ModKey[n] = (u8)*key++ ^ 0xAA;
kasumi_key_schedule( ModKey );
kasumi( B.b8 );
/* We return the left-most 32-bits of the result */
for( n=0; n<4; ++n )
mac_i[n] = B.b8[n];
return( mac_i );
}
/*-----------------------------------------------------------
* e n d o f f 9 . c
*-----------------------------------------------------------*/

66
src/mme/kasumi.h Normal file
View File

@ -0,0 +1,66 @@
/*---------------------------------------------------------
* Kasumi.h
*---------------------------------------------------------*/
#ifndef __KASUMI__
#define __KASUMI__
#include "core.h"
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
typedef c_uint8_t u8;
typedef c_uint16_t u16;
/* original reference is using long, which is 64 bits on 64 bits system
I changed to int to make it work on x86 32 / 64 bits system
typedef unsigned long u32;
*/
typedef c_uint32_t u32;
/*------- unions: used to remove "endian" issues ------------------------*/
typedef union {
u32 b32;
u16 b16[2];
u8 b8[4];
} REGISTER32; /* is redefining DWORD */
typedef union {
u16 b16;
u8 b8[2];
} REGISTER16; /* is redefining WORD */
/*----- a 64-bit structure to help with endian issues -----*/
typedef union {
u32 b32[2];
u16 b16[4];
u8 b8[8];
} REGISTER64;
/*------------- prototypes --------------------------------
* take care: length (in f8 and f9) is always in bits
*---------------------------------------------------------*/
/* initialize the 128 bits key into the cipher */
CORE_DECLARE(void) kasumi_key_schedule( u8 *key );
/* cipher a block of 64 bits */
CORE_DECLARE(void) kasumi( u8 *data );
/* cipher a whole message in 3GPP -counter- mode */
CORE_DECLARE(void) kasumi_f8( u8 *key, u32 count, u32 bearer, u32 dir, \
u8 *data, int length );
/* compute a 3GPP MAC on a message */
CORE_DECLARE(u8*) kasumi_f9( u8 *key, u32 count, u32 fresh, u32 dir, \
u8 *data, int length );
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* __KASUMI__ */

592
src/mme/snow_3g.c Normal file
View File

@ -0,0 +1,592 @@
/*------------------------------------------------------------------------
* SNOW_3G.c
*------------------------------------------------------------------------*/
#include "snow_3g.h"
/* LFSR */
u32 LFSR_S0 = 0x00;
u32 LFSR_S1 = 0x00;
u32 LFSR_S2 = 0x00;
u32 LFSR_S3 = 0x00;
u32 LFSR_S4 = 0x00;
u32 LFSR_S5 = 0x00;
u32 LFSR_S6 = 0x00;
u32 LFSR_S7 = 0x00;
u32 LFSR_S8 = 0x00;
u32 LFSR_S9 = 0x00;
u32 LFSR_S10 = 0x00;
u32 LFSR_S11 = 0x00;
u32 LFSR_S12 = 0x00;
u32 LFSR_S13 = 0x00;
u32 LFSR_S14 = 0x00;
u32 LFSR_S15 = 0x00;
/* FSM */
u32 FSM_R1 = 0x00;
u32 FSM_R2 = 0x00;
u32 FSM_R3 = 0x00;
/* Rijndael S-box SR */
u8 SR[256] = {
0x63,0x7C,0x77,0x7B,0xF2,0x6B,0x6F,0xC5,0x30,0x01,0x67,0x2B,0xFE,0xD7,0xAB,0x76,
0xCA,0x82,0xC9,0x7D,0xFA,0x59,0x47,0xF0,0xAD,0xD4,0xA2,0xAF,0x9C,0xA4,0x72,0xC0,
0xB7,0xFD,0x93,0x26,0x36,0x3F,0xF7,0xCC,0x34,0xA5,0xE5,0xF1,0x71,0xD8,0x31,0x15,
0x04,0xC7,0x23,0xC3,0x18,0x96,0x05,0x9A,0x07,0x12,0x80,0xE2,0xEB,0x27,0xB2,0x75,
0x09,0x83,0x2C,0x1A,0x1B,0x6E,0x5A,0xA0,0x52,0x3B,0xD6,0xB3,0x29,0xE3,0x2F,0x84,
0x53,0xD1,0x00,0xED,0x20,0xFC,0xB1,0x5B,0x6A,0xCB,0xBE,0x39,0x4A,0x4C,0x58,0xCF,
0xD0,0xEF,0xAA,0xFB,0x43,0x4D,0x33,0x85,0x45,0xF9,0x02,0x7F,0x50,0x3C,0x9F,0xA8,
0x51,0xA3,0x40,0x8F,0x92,0x9D,0x38,0xF5,0xBC,0xB6,0xDA,0x21,0x10,0xFF,0xF3,0xD2,
0xCD,0x0C,0x13,0xEC,0x5F,0x97,0x44,0x17,0xC4,0xA7,0x7E,0x3D,0x64,0x5D,0x19,0x73,
0x60,0x81,0x4F,0xDC,0x22,0x2A,0x90,0x88,0x46,0xEE,0xB8,0x14,0xDE,0x5E,0x0B,0xDB,
0xE0,0x32,0x3A,0x0A,0x49,0x06,0x24,0x5C,0xC2,0xD3,0xAC,0x62,0x91,0x95,0xE4,0x79,
0xE7,0xC8,0x37,0x6D,0x8D,0xD5,0x4E,0xA9,0x6C,0x56,0xF4,0xEA,0x65,0x7A,0xAE,0x08,
0xBA,0x78,0x25,0x2E,0x1C,0xA6,0xB4,0xC6,0xE8,0xDD,0x74,0x1F,0x4B,0xBD,0x8B,0x8A,
0x70,0x3E,0xB5,0x66,0x48,0x03,0xF6,0x0E,0x61,0x35,0x57,0xB9,0x86,0xC1,0x1D,0x9E,
0xE1,0xF8,0x98,0x11,0x69,0xD9,0x8E,0x94,0x9B,0x1E,0x87,0xE9,0xCE,0x55,0x28,0xDF,
0x8C,0xA1,0x89,0x0D,0xBF,0xE6,0x42,0x68,0x41,0x99,0x2D,0x0F,0xB0,0x54,0xBB,0x16
};
/* S-box SQ */
u8 SQ[256] = {
0x25,0x24,0x73,0x67,0xD7,0xAE,0x5C,0x30,0xA4,0xEE,0x6E,0xCB,0x7D,0xB5,0x82,0xDB,
0xE4,0x8E,0x48,0x49,0x4F,0x5D,0x6A,0x78,0x70,0x88,0xE8,0x5F,0x5E,0x84,0x65,0xE2,
0xD8,0xE9,0xCC,0xED,0x40,0x2F,0x11,0x28,0x57,0xD2,0xAC,0xE3,0x4A,0x15,0x1B,0xB9,
0xB2,0x80,0x85,0xA6,0x2E,0x02,0x47,0x29,0x07,0x4B,0x0E,0xC1,0x51,0xAA,0x89,0xD4,
0xCA,0x01,0x46,0xB3,0xEF,0xDD,0x44,0x7B,0xC2,0x7F,0xBE,0xC3,0x9F,0x20,0x4C,0x64,
0x83,0xA2,0x68,0x42,0x13,0xB4,0x41,0xCD,0xBA,0xC6,0xBB,0x6D,0x4D,0x71,0x21,0xF4,
0x8D,0xB0,0xE5,0x93,0xFE,0x8F,0xE6,0xCF,0x43,0x45,0x31,0x22,0x37,0x36,0x96,0xFA,
0xBC,0x0F,0x08,0x52,0x1D,0x55,0x1A,0xC5,0x4E,0x23,0x69,0x7A,0x92,0xFF,0x5B,0x5A,
0xEB,0x9A,0x1C,0xA9,0xD1,0x7E,0x0D,0xFC,0x50,0x8A,0xB6,0x62,0xF5,0x0A,0xF8,0xDC,
0x03,0x3C,0x0C,0x39,0xF1,0xB8,0xF3,0x3D,0xF2,0xD5,0x97,0x66,0x81,0x32,0xA0,0x00,
0x06,0xCE,0xF6,0xEA,0xB7,0x17,0xF7,0x8C,0x79,0xD6,0xA7,0xBF,0x8B,0x3F,0x1F,0x53,
0x63,0x75,0x35,0x2C,0x60,0xFD,0x27,0xD3,0x94,0xA5,0x7C,0xA1,0x05,0x58,0x2D,0xBD,
0xD9,0xC7,0xAF,0x6B,0x54,0x0B,0xE0,0x38,0x04,0xC8,0x9D,0xE7,0x14,0xB1,0x87,0x9C,
0xDF,0x6F,0xF9,0xDA,0x2A,0xC4,0x59,0x16,0x74,0x91,0xAB,0x26,0x61,0x76,0x34,0x2B,
0xAD,0x99,0xFB,0x72,0xEC,0x33,0x12,0xDE,0x98,0x3B,0xC0,0x9B,0x3E,0x18,0x10,0x3A,
0x56,0xE1,0x77,0xC9,0x1E,0x9E,0x95,0xA3,0x90,0x19,0xA8,0x6C,0x09,0xD0,0xF0,0x86
};
/* MULx.
* Input V: an 8-bit input.
* Input c: an 8-bit input.
* Output : an 8-bit output.
* See section 3.1.1 for details.
*/
u8 MULx(u8 V, u8 c)
{
if ( V & 0x80 )
return ( (V << 1) ^ c);
else
return ( V << 1);
}
/* MULxPOW.
* Input V: an 8-bit input.
* Input i: a positive integer.
* Input c: an 8-bit input.
* Output : an 8-bit output.
* See section 3.1.2 for details.
*/
u8 MULxPOW(u8 V, u8 i, u8 c)
{
if ( i == 0)
return V;
else
return MULx( MULxPOW( V, i-1, c ), c);
}
/* The function MUL alpha.
* Input c: 8-bit input.
* Output : 32-bit output.
* See section 3.4.2 for details.
*/
u32 MULalpha(u8 c)
{
return ( ( ((u32)MULxPOW(c, 23, 0xa9)) << 24 ) |
( ((u32)MULxPOW(c, 245, 0xa9)) << 16 ) |
( ((u32)MULxPOW(c, 48, 0xa9)) << 8 ) |
( ((u32)MULxPOW(c, 239, 0xa9)) ) ) ;
}
/* The function DIV alpha.
* Input c: 8-bit input.
* Output : 32-bit output.
* See section 3.4.3 for details.
*/
u32 DIValpha(u8 c)
{
return ( ( ((u32)MULxPOW(c, 16, 0xa9)) << 24 ) |
( ((u32)MULxPOW(c, 39, 0xa9)) << 16 ) |
( ((u32)MULxPOW(c, 6, 0xa9)) << 8 ) |
( ((u32)MULxPOW(c, 64, 0xa9)) ) ) ;
}
/* The 32x32-bit S-Box S1
* Input: a 32-bit input.
* Output: a 32-bit output of S1 box.
* See section 3.3.1.
*/
u32 S1(u32 w)
{
u8 r0=0, r1=0, r2=0, r3=0;
u8 srw0 = SR[ (u8)((w >> 24) & 0xff) ];
u8 srw1 = SR[ (u8)((w >> 16) & 0xff) ];
u8 srw2 = SR[ (u8)((w >> 8) & 0xff) ];
u8 srw3 = SR[ (u8)((w) & 0xff) ];
r0 = ( ( MULx( srw0 , 0x1b) ) ^
( srw1 ) ^
( srw2 ) ^
( (MULx( srw3, 0x1b)) ^ srw3 )
);
r1 = ( ( ( MULx( srw0 , 0x1b) ) ^ srw0 ) ^
( MULx(srw1, 0x1b) ) ^
( srw2 ) ^
( srw3 )
);
r2 = ( ( srw0 ) ^
( ( MULx( srw1 , 0x1b) ) ^ srw1 ) ^
( MULx(srw2, 0x1b) ) ^
( srw3 )
);
r3 = ( ( srw0 ) ^
( srw1 ) ^
( ( MULx( srw2 , 0x1b) ) ^ srw2 ) ^
( MULx( srw3, 0x1b) )
);
return ( ( ((u32)r0) << 24 ) | ( ((u32)r1) << 16 ) | ( ((u32)r2) << 8 ) |
( ((u32)r3) ) );
}
/* The 32x32-bit S-Box S2
* Input: a 32-bit input.
* Output: a 32-bit output of S2 box.
* See section 3.3.2.
*/
u32 S2(u32 w)
{
u8 r0=0, r1=0, r2=0, r3=0;
u8 sqw0 = SQ[ (u8)((w >> 24) & 0xff) ];
u8 sqw1 = SQ[ (u8)((w >> 16) & 0xff) ];
u8 sqw2 = SQ[ (u8)((w >> 8) & 0xff) ];
u8 sqw3 = SQ[ (u8)((w) & 0xff) ];
r0 = ( ( MULx( sqw0 , 0x69) ) ^
( sqw1 ) ^
( sqw2 ) ^
( (MULx( sqw3, 0x69)) ^ sqw3 )
);
r1 = ( ( ( MULx( sqw0 , 0x69) ) ^ sqw0 ) ^
( MULx(sqw1, 0x69) ) ^
( sqw2 ) ^
( sqw3 )
);
r2 = ( ( sqw0 ) ^
( ( MULx( sqw1 , 0x69) ) ^ sqw1 ) ^
( MULx(sqw2, 0x69) ) ^
( sqw3 )
);
r3 = ( ( sqw0 ) ^
( sqw1 ) ^
( ( MULx( sqw2 , 0x69) ) ^ sqw2 ) ^
( MULx( sqw3, 0x69) )
);
return ( ( ((u32)r0) << 24 ) | ( ((u32)r1) << 16 ) | ( ((u32)r2) << 8 ) |
( ((u32)r3) ) );
}
/* Clocking LFSR in initialization mode.
* LFSR Registers S0 to S15 are updated as the LFSR receives a single clock.
* Input F: a 32-bit word comes from output of FSM.
* See section 3.4.4.
*/
void ClockLFSRInitializationMode(u32 F)
{
u32 v = ( ( (LFSR_S0 << 8) & 0xffffff00 ) ^
( MULalpha( (u8)((LFSR_S0>>24) & 0xff) ) ) ^
( LFSR_S2 ) ^
( (LFSR_S11 >> 8) & 0x00ffffff ) ^
( DIValpha( (u8)( ( LFSR_S11) & 0xff ) ) ) ^
( F )
);
LFSR_S0 = LFSR_S1;
LFSR_S1 = LFSR_S2;
LFSR_S2 = LFSR_S3;
LFSR_S3 = LFSR_S4;
LFSR_S4 = LFSR_S5;
LFSR_S5 = LFSR_S6;
LFSR_S6 = LFSR_S7;
LFSR_S7 = LFSR_S8;
LFSR_S8 = LFSR_S9;
LFSR_S9 = LFSR_S10;
LFSR_S10 = LFSR_S11;
LFSR_S11 = LFSR_S12;
LFSR_S12 = LFSR_S13;
LFSR_S13 = LFSR_S14;
LFSR_S14 = LFSR_S15;
LFSR_S15 = v;
}
/* Clocking LFSR in keystream mode.
* LFSR Registers S0 to S15 are updated as the LFSR receives a single clock.
* See section 3.4.5.
*/
void ClockLFSRKeyStreamMode()
{
u32 v = ( ( (LFSR_S0 << 8) & 0xffffff00 ) ^
( MULalpha( (u8)((LFSR_S0>>24) & 0xff) ) ) ^
( LFSR_S2 ) ^
( (LFSR_S11 >> 8) & 0x00ffffff ) ^
( DIValpha( (u8)( ( LFSR_S11) & 0xff ) ) )
);
LFSR_S0 = LFSR_S1;
LFSR_S1 = LFSR_S2;
LFSR_S2 = LFSR_S3;
LFSR_S3 = LFSR_S4;
LFSR_S4 = LFSR_S5;
LFSR_S5 = LFSR_S6;
LFSR_S6 = LFSR_S7;
LFSR_S7 = LFSR_S8;
LFSR_S8 = LFSR_S9;
LFSR_S9 = LFSR_S10;
LFSR_S10 = LFSR_S11;
LFSR_S11 = LFSR_S12;
LFSR_S12 = LFSR_S13;
LFSR_S13 = LFSR_S14;
LFSR_S14 = LFSR_S15;
LFSR_S15 = v;
}
/* Clocking FSM.
* Produces a 32-bit word F.
* Updates FSM registers R1, R2, R3.
* See Section 3.4.6.
*/
u32 ClockFSM()
{
u32 F = ( ( LFSR_S15 + FSM_R1 ) & 0xffffffff ) ^ FSM_R2 ;
u32 r = ( FSM_R2 + ( FSM_R3 ^ LFSR_S5 ) ) & 0xffffffff ;
FSM_R3 = S2(FSM_R2);
FSM_R2 = S1(FSM_R1);
FSM_R1 = r;
return F;
}
/* Initialization.
* Input k[4]: Four 32-bit words making up 128-bit key.
* Input IV[4]: Four 32-bit words making 128-bit initialization variable.
* Output: All the LFSRs and FSM are initialized for key generation.
* See Section 4.1.
*/
void snow_3g_initialize(u32 k[4], u32 IV[4])
{
u8 i=0;
u32 F = 0x0;
LFSR_S15 = k[3] ^ IV[0];
LFSR_S14 = k[2];
LFSR_S13 = k[1];
LFSR_S12 = k[0] ^ IV[1];
LFSR_S11 = k[3] ^ 0xffffffff;
LFSR_S10 = k[2] ^ 0xffffffff ^ IV[2];
LFSR_S9 = k[1] ^ 0xffffffff ^ IV[3];
LFSR_S8 = k[0] ^ 0xffffffff;
LFSR_S7 = k[3];
LFSR_S6 = k[2];
LFSR_S5 = k[1];
LFSR_S4 = k[0];
LFSR_S3 = k[3] ^ 0xffffffff;
LFSR_S2 = k[2] ^ 0xffffffff;
LFSR_S1 = k[1] ^ 0xffffffff;
LFSR_S0 = k[0] ^ 0xffffffff;
FSM_R1 = 0x0;
FSM_R2 = 0x0;
FSM_R3 = 0x0;
for(i=0;i<32;i++)
{
F = ClockFSM();
ClockLFSRInitializationMode(F);
}
}
/* Generation of Keystream.
* input n: number of 32-bit words of keystream.
* input z: space for the generated keystream, assumes
* memory is allocated already.
* output: generated keystream which is filled in z
* See section 4.2.
*/
void snow_3g_generate_key_stream(u32 n, u32 *ks)
{
u32 t = 0;
u32 F = 0x0;
ClockFSM(); /* Clock FSM once. Discard the output. */
ClockLFSRKeyStreamMode(); /* Clock LFSR in keystream mode once. */
for ( t=0; t<n; t++)
{
F = ClockFSM(); /* STEP 1 */
ks[t] = F ^ LFSR_S0; /* STEP 2 */
/* Note that ks[t] corresponds to z_{t+1} in section 4.2
*/
ClockLFSRKeyStreamMode(); /* STEP 3 */
}
}
/*-----------------------------------------------------------------------
* end of SNOW_3G.c
*-----------------------------------------------------------------------*/
/*---------------------------------------------------------
* f8.c
*---------------------------------------------------------*/
/*
#include "f8.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
*/
/* f8.
* Input key: 128 bit Confidentiality Key.
* Input count:32-bit Count, Frame dependent input.
* Input bearer: 5-bit Bearer identity (in the LSB side).
* Input dir:1 bit, direction of transmission.
* Input data: length number of bits, input bit stream.
* Input length: 32 bit Length, i.e., the number of bits to be encrypted or
* decrypted.
* Output data: Output bit stream. Assumes data is suitably memory
* allocated.
* Encrypts/decrypts blocks of data between 1 and 2^32 bits in length as
* defined in Section 3.
*/
void snow_3g_f8(u8 *key, u32 count, u32 bearer, u32 dir, u8 *data, u32 length)
{
u32 K[4],IV[4];
int n = ( length + 31 ) / 32;
int i=0;
int lastbits = (8-(length%8)) % 8;
u32 *KS;
/*Initialisation*/
/* Load the confidentiality key for SNOW 3G initialization as in section
3.4. */
for (i=0; i<4; i++)
K[3-i] = (key[4*i] << 24) ^ (key[4*i+1] << 16)
^ (key[4*i+2] << 8) ^ (key[4*i+3]);
/* Prepare the initialization vector (IV) for SNOW 3G initialization as in
section 3.4. */
IV[3] = count;
IV[2] = (bearer << 27) | ((dir & 0x1) << 26);
IV[1] = IV[3];
IV[0] = IV[2];
/* Run SNOW 3G algorithm to generate sequence of key stream bits KS*/
snow_3g_initialize(K,IV);
KS = (u32 *)malloc(4*n);
snow_3g_generate_key_stream(n,(u32*)KS);
/* Exclusive-OR the input data with keystream to generate the output bit
stream */
for (i=0; i<n; i++)
{
data[4*i+0] ^= (u8) (KS[i] >> 24) & 0xff;
data[4*i+1] ^= (u8) (KS[i] >> 16) & 0xff;
data[4*i+2] ^= (u8) (KS[i] >> 8) & 0xff;
data[4*i+3] ^= (u8) (KS[i] ) & 0xff;
}
free(KS);
/* zero last bits of data in case its length is not byte-aligned
this is an addition to the C reference code, which did not handle it */
if (lastbits)
data[length/8] &= 256 - (1<<lastbits);
}
/* End of f8.c */
/*---------------------------------------------------------
* f9.c
*---------------------------------------------------------*/
/* MUL64x.
* Input V: a 64-bit input.
* Input c: a 64-bit input.
* Output : a 64-bit output.
* A 64-bit memory is allocated which is to be freed by the calling
* function.
* See section 4.3.2 for details.
*/
u64 MUL64x(u64 V, u64 c)
{
if ( V & 0x8000000000000000 )
return (V << 1) ^ c;
else
return V << 1;
}
/* MUL64xPOW.
* Input V: a 64-bit input.
* Input i: a positive integer.
* Input c: a 64-bit input.
* Output : a 64-bit output.
* A 64-bit memory is allocated which is to be freed by the calling function.
* See section 4.3.3 for details.
*/
u64 MUL64xPOW(u64 V, u8 i, u64 c)
{
if ( i == 0)
return V;
else
return MUL64x( MUL64xPOW(V,i-1,c) , c);
}
/* MUL64.
* Input V: a 64-bit input.
* Input P: a 64-bit input.
* Input c: a 64-bit input.
* Output : a 64-bit output.
* A 64-bit memory is allocated which is to be freed by the calling
* function.
* See section 4.3.4 for details.
*/
u64 MUL64(u64 V, u64 P, u64 c)
{
u64 result = 0;
int i = 0;
for ( i=0; i<64; i++)
{
if( ( P>>i ) & 0x1 )
result ^= MUL64xPOW(V,i,c);
}
return result;
}
/* mask8bit.
* Input n: an integer in 1-7.
* Output : an 8 bit mask.
* Prepares an 8 bit mask with required number of 1 bits on the MSB side.
*/
u8 mask8bit(int n)
{
return 0xFF ^ ((1<<(8-n)) - 1);
}
/* f9.
* Input key: 128 bit Integrity Key.
* Input count:32-bit Count, Frame dependent input.
* Input fresh: 32-bit Random number.
* Input dir:1 bit, direction of transmission (in the LSB).
* Input data: length number of bits, input bit stream.
* Input length: 64 bit Length, i.e., the number of bits to be MAC'd.
* Output : 32 bit block used as MAC
* Generates 32-bit MAC using UIA2 algorithm as defined in Section 4.
*/
u8* snow_3g_f9( u8* key, u32 count, u32 fresh, u32 dir, u8 *data, u64 length)
{
u32 K[4],IV[4], z[5];
u32 i=0, D;
static u8 MAC_I[4] = {0,0,0,0}; /* static memory for the result */
u64 EVAL;
u64 V;
u64 P;
u64 Q;
u64 c;
u64 M_D_2;
int rem_bits = 0;
/* Load the Integrity Key for SNOW3G initialization as in section 4.4. */
for (i=0; i<4; i++)
K[3-i] = (key[4*i] << 24) ^ (key[4*i+1] << 16) ^
(key[4*i+2] << 8) ^ (key[4*i+3]);
/* Prepare the Initialization Vector (IV) for SNOW3G initialization as
in section 4.4. */
IV[3] = count;
IV[2] = fresh;
IV[1] = count ^ ( dir << 31 ) ;
IV[0] = fresh ^ (dir << 15);
z[0] = z[1] = z[2] = z[3] = z[4] = 0;
/* Run SNOW 3G to produce 5 keystream words z_1, z_2, z_3, z_4 and z_5. */
snow_3g_initialize(K, IV);
snow_3g_generate_key_stream(5, z);
P = (u64)z[0] << 32 | (u64)z[1];
Q = (u64)z[2] << 32 | (u64)z[3];
/* Calculation */
if ((length % 64) == 0)
D = (length>>6) + 1;
else
D = (length>>6) + 2;
EVAL = 0;
c = 0x1b;
/* for 0 <= i <= D-3 */
for (i=0; i<D-2; i++)
{
V = EVAL ^ ( (u64)data[8*i ]<<56 | (u64)data[8*i+1]<<48 |
(u64)data[8*i+2]<<40 | (u64)data[8*i+3]<<32 |
(u64)data[8*i+4]<<24 | (u64)data[8*i+5]<<16 |
(u64)data[8*i+6]<< 8 | (u64)data[8*i+7] ) ;
EVAL = MUL64(V,P,c);
}
/* for D-2 */
rem_bits = length % 64;
if (rem_bits == 0)
rem_bits = 64;
M_D_2 = 0;
i = 0;
while (rem_bits > 7)
{
M_D_2 |= (u64)data[8*(D-2)+i] << (8*(7-i));
rem_bits -= 8;
i++;
}
if (rem_bits > 0)
M_D_2 |= (u64)(data[8*(D-2)+i] & mask8bit(rem_bits)) << (8*(7-i));
V = EVAL ^ M_D_2;
EVAL = MUL64(V,P,c);
/* for D-1 */
EVAL ^= length;
/* Multiply by Q */
EVAL = MUL64(EVAL,Q,c);
/* XOR with z_5: this is a modification to the reference C code,
which forgot to XOR z[5] */
for (i=0; i<4; i++)
/*
MAC_I[i] = (mac32 >> (8*(3-i))) & 0xff;
*/
MAC_I[i] = ((EVAL >> (56-(i*8))) ^ (z[4] >> (24-(i*8)))) & 0xff;
return MAC_I;
}
/* End of f9.c */
/*------------------------------------------------------------------------*/

68
src/mme/snow_3g.h Normal file
View File

@ -0,0 +1,68 @@
#ifndef __SNOW_3G__
#define __SNOW_3G__
#include "core.h"
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
typedef c_uint8_t u8;
typedef c_uint32_t u32;
typedef c_uint64_t u64;
/* Initialization.
* Input k[4]: Four 32-bit words making up 128-bit key.
* Input IV[4]: Four 32-bit words making 128-bit initialization variable.
* Output: All the LFSRs and FSM are initialized for key generation.
* See Section 4.1.
*/
CORE_DECLARE(void) snow_3g_initialize(u32 k[4], u32 IV[4]);
/* Generation of Keystream.
* input n: number of 32-bit words of keystream.
* input z: space for the generated keystream, assumes
* memory is allocated already.
* output: generated keystream which is filled in z
* See section 4.2.
*/
CORE_DECLARE(void) snow_3g_generate_key_stream(u32 n, u32 *z);
/* f8.
* Input key: 128 bit Confidentiality Key.
* Input count:32-bit Count, Frame dependent input.
* Input bearer: 5-bit Bearer identity (in the LSB side).
* Input dir:1 bit, direction of transmission.
* Input data: length number of bits, input bit stream.
* Input length: 32 bit Length, i.e., the number of bits to be encrypted or
* decrypted.
* Output data: Output bit stream. Assumes data is suitably memory
* allocated.
* Encrypts/decrypts blocks of data between 1 and 2^32 bits in length as
* defined in Section 3.
*/
CORE_DECLARE(void) snow_3g_f8( u8 *key, u32 count, u32 bearer, u32 dir, \
u8 *data, u32 length );
/* f9.
* Input key: 128 bit Integrity Key.
* Input count:32-bit Count, Frame dependent input.
* Input fresh: 32-bit Random number.
* Input dir:1 bit, direction of transmission (in the LSB).
* Input data: length number of bits, input bit stream.
* Input length: 64 bit Length, i.e., the number of bits to be MAC'd.
* Output : 32 bit block used as MAC
* Generates 32-bit MAC using UIA2 algorithm as defined in Section 4.
*/
CORE_DECLARE(u8*) snow_3g_f9( u8* key, u32 count, u32 fresh, u32 dir, \
u8 *data, u64 length);
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* __SNOW_3G__ */

390
src/mme/zuc.c Normal file
View File

@ -0,0 +1,390 @@
/*---------------------------------------------
* ZUC / EEA3 / EIA3 : LTE security algorithm
*--------------------------------------------*/
#include "zuc.h"
/*--------------------------------------------
* ZUC keystream generator algorithm
*------------------------------------------*/
/* the state registers of LFSR */
u32 LFSR_S0;
u32 LFSR_S1;
u32 LFSR_S2;
u32 LFSR_S3;
u32 LFSR_S4;
u32 LFSR_S5;
u32 LFSR_S6;
u32 LFSR_S7;
u32 LFSR_S8;
u32 LFSR_S9;
u32 LFSR_S10;
u32 LFSR_S11;
u32 LFSR_S12;
u32 LFSR_S13;
u32 LFSR_S14;
u32 LFSR_S15;
/* the registers of F */
u32 F_R1;
u32 F_R2;
/* the outputs of BitReorganization */
u32 BRC_X0;
u32 BRC_X1;
u32 BRC_X2;
u32 BRC_X3;
/* the s-boxes */
u8 S0[256] = {
0x3e,0x72,0x5b,0x47,0xca,0xe0,0x00,0x33,0x04,0xd1,0x54,0x98,0x09,0xb9,0x6d,0xcb,
0x7b,0x1b,0xf9,0x32,0xaf,0x9d,0x6a,0xa5,0xb8,0x2d,0xfc,0x1d,0x08,0x53,0x03,0x90,
0x4d,0x4e,0x84,0x99,0xe4,0xce,0xd9,0x91,0xdd,0xb6,0x85,0x48,0x8b,0x29,0x6e,0xac,
0xcd,0xc1,0xf8,0x1e,0x73,0x43,0x69,0xc6,0xb5,0xbd,0xfd,0x39,0x63,0x20,0xd4,0x38,
0x76,0x7d,0xb2,0xa7,0xcf,0xed,0x57,0xc5,0xf3,0x2c,0xbb,0x14,0x21,0x06,0x55,0x9b,
0xe3,0xef,0x5e,0x31,0x4f,0x7f,0x5a,0xa4,0x0d,0x82,0x51,0x49,0x5f,0xba,0x58,0x1c,
0x4a,0x16,0xd5,0x17,0xa8,0x92,0x24,0x1f,0x8c,0xff,0xd8,0xae,0x2e,0x01,0xd3,0xad,
0x3b,0x4b,0xda,0x46,0xeb,0xc9,0xde,0x9a,0x8f,0x87,0xd7,0x3a,0x80,0x6f,0x2f,0xc8,
0xb1,0xb4,0x37,0xf7,0x0a,0x22,0x13,0x28,0x7c,0xcc,0x3c,0x89,0xc7,0xc3,0x96,0x56,
0x07,0xbf,0x7e,0xf0,0x0b,0x2b,0x97,0x52,0x35,0x41,0x79,0x61,0xa6,0x4c,0x10,0xfe,
0xbc,0x26,0x95,0x88,0x8a,0xb0,0xa3,0xfb,0xc0,0x18,0x94,0xf2,0xe1,0xe5,0xe9,0x5d,
0xd0,0xdc,0x11,0x66,0x64,0x5c,0xec,0x59,0x42,0x75,0x12,0xf5,0x74,0x9c,0xaa,0x23,
0x0e,0x86,0xab,0xbe,0x2a,0x02,0xe7,0x67,0xe6,0x44,0xa2,0x6c,0xc2,0x93,0x9f,0xf1,
0xf6,0xfa,0x36,0xd2,0x50,0x68,0x9e,0x62,0x71,0x15,0x3d,0xd6,0x40,0xc4,0xe2,0x0f,
0x8e,0x83,0x77,0x6b,0x25,0x05,0x3f,0x0c,0x30,0xea,0x70,0xb7,0xa1,0xe8,0xa9,0x65,
0x8d,0x27,0x1a,0xdb,0x81,0xb3,0xa0,0xf4,0x45,0x7a,0x19,0xdf,0xee,0x78,0x34,0x60
};
u8 S1[256] = {
0x55,0xc2,0x63,0x71,0x3b,0xc8,0x47,0x86,0x9f,0x3c,0xda,0x5b,0x29,0xaa,0xfd,0x77,
0x8c,0xc5,0x94,0x0c,0xa6,0x1a,0x13,0x00,0xe3,0xa8,0x16,0x72,0x40,0xf9,0xf8,0x42,
0x44,0x26,0x68,0x96,0x81,0xd9,0x45,0x3e,0x10,0x76,0xc6,0xa7,0x8b,0x39,0x43,0xe1,
0x3a,0xb5,0x56,0x2a,0xc0,0x6d,0xb3,0x05,0x22,0x66,0xbf,0xdc,0x0b,0xfa,0x62,0x48,
0xdd,0x20,0x11,0x06,0x36,0xc9,0xc1,0xcf,0xf6,0x27,0x52,0xbb,0x69,0xf5,0xd4,0x87,
0x7f,0x84,0x4c,0xd2,0x9c,0x57,0xa4,0xbc,0x4f,0x9a,0xdf,0xfe,0xd6,0x8d,0x7a,0xeb,
0x2b,0x53,0xd8,0x5c,0xa1,0x14,0x17,0xfb,0x23,0xd5,0x7d,0x30,0x67,0x73,0x08,0x09,
0xee,0xb7,0x70,0x3f,0x61,0xb2,0x19,0x8e,0x4e,0xe5,0x4b,0x93,0x8f,0x5d,0xdb,0xa9,
0xad,0xf1,0xae,0x2e,0xcb,0x0d,0xfc,0xf4,0x2d,0x46,0x6e,0x1d,0x97,0xe8,0xd1,0xe9,
0x4d,0x37,0xa5,0x75,0x5e,0x83,0x9e,0xab,0x82,0x9d,0xb9,0x1c,0xe0,0xcd,0x49,0x89,
0x01,0xb6,0xbd,0x58,0x24,0xa2,0x5f,0x38,0x78,0x99,0x15,0x90,0x50,0xb8,0x95,0xe4,
0xd0,0x91,0xc7,0xce,0xed,0x0f,0xb4,0x6f,0xa0,0xcc,0xf0,0x02,0x4a,0x79,0xc3,0xde,
0xa3,0xef,0xea,0x51,0xe6,0x6b,0x18,0xec,0x1b,0x2c,0x80,0xf7,0x74,0xe7,0xff,0x21,
0x5a,0x6a,0x54,0x1e,0x41,0x31,0x92,0x35,0xc4,0x33,0x07,0x0a,0xba,0x7e,0x0e,0x34,
0x88,0xb1,0x98,0x7c,0xf3,0x3d,0x60,0x6c,0x7b,0xca,0xd3,0x1f,0x32,0x65,0x04,0x28,
0x64,0xbe,0x85,0x9b,0x2f,0x59,0x8a,0xd7,0xb0,0x25,0xac,0xaf,0x12,0x03,0xe2,0xf2
};
/* the constants D */
u32 EK_d[16] = {
0x44D7, 0x26BC, 0x626B, 0x135E, 0x5789, 0x35E2, 0x7135, 0x09AF,
0x4D78, 0x2F13, 0x6BC4, 0x1AF1, 0x5E26, 0x3C4D, 0x789A, 0x47AC
};
/* ——————————————————————- */
/* c = a + b mod (2^31 1) */
u32 AddM(u32 a, u32 b)
{
u32 c = a + b;
return (c & 0x7FFFFFFF) + (c >> 31);
}
/* LFSR with initialization mode */
#define MulByPow2(x, k) ((((x) << k) | ((x) >> (31 - k))) & 0x7FFFFFFF)
void LFSRWithInitialisationMode(u32 u)
{
u32 f, v;
f = LFSR_S0;
v = MulByPow2(LFSR_S0, 8);
f = AddM(f, v);
v = MulByPow2(LFSR_S4, 20);
f = AddM(f, v);
v = MulByPow2(LFSR_S10, 21);
f = AddM(f, v);
v = MulByPow2(LFSR_S13, 17);
f = AddM(f, v);
v = MulByPow2(LFSR_S15, 15);
f = AddM(f, v);
f = AddM(f, u);
/* update the state */
LFSR_S0 = LFSR_S1;
LFSR_S1 = LFSR_S2;
LFSR_S2 = LFSR_S3;
LFSR_S3 = LFSR_S4;
LFSR_S4 = LFSR_S5;
LFSR_S5 = LFSR_S6;
LFSR_S6 = LFSR_S7;
LFSR_S7 = LFSR_S8;
LFSR_S8 = LFSR_S9;
LFSR_S9 = LFSR_S10;
LFSR_S10 = LFSR_S11;
LFSR_S11 = LFSR_S12;
LFSR_S12 = LFSR_S13;
LFSR_S13 = LFSR_S14;
LFSR_S14 = LFSR_S15;
LFSR_S15 = f;
}
/* LFSR with work mode */
void LFSRWithWorkMode()
{
u32 f, v;
f = LFSR_S0;
v = MulByPow2(LFSR_S0, 8);
f = AddM(f, v);
v = MulByPow2(LFSR_S4, 20);
f = AddM(f, v);
v = MulByPow2(LFSR_S10, 21);
f = AddM(f, v);
v = MulByPow2(LFSR_S13, 17);
f = AddM(f, v);
v = MulByPow2(LFSR_S15, 15);
f = AddM(f, v);
/* update the state */
LFSR_S0 = LFSR_S1;
LFSR_S1 = LFSR_S2;
LFSR_S2 = LFSR_S3;
LFSR_S3 = LFSR_S4;
LFSR_S4 = LFSR_S5;
LFSR_S5 = LFSR_S6;
LFSR_S6 = LFSR_S7;
LFSR_S7 = LFSR_S8;
LFSR_S8 = LFSR_S9;
LFSR_S9 = LFSR_S10;
LFSR_S10 = LFSR_S11;
LFSR_S11 = LFSR_S12;
LFSR_S12 = LFSR_S13;
LFSR_S13 = LFSR_S14;
LFSR_S14 = LFSR_S15;
LFSR_S15 = f;
}
/* BitReorganization */
void BitReorganization()
{
BRC_X0 = ((LFSR_S15 & 0x7FFF8000) << 1) | (LFSR_S14 & 0xFFFF);
BRC_X1 = ((LFSR_S11 & 0xFFFF) << 16) | (LFSR_S9 >> 15);
BRC_X2 = ((LFSR_S7 & 0xFFFF) << 16) | (LFSR_S5 >> 15);
BRC_X3 = ((LFSR_S2 & 0xFFFF) << 16) | (LFSR_S0 >> 15);
}
#define ROT(a, k) (((a) << k) | ((a) >> (32 - k)))
/* L1 */
u32 L1(u32 X)
{
return (X ^ ROT(X, 2) ^ ROT(X, 10) ^ ROT(X, 18) ^ ROT(X, 24));
}
/* L2 */
u32 L2(u32 X)
{
return (X ^ ROT(X, 8) ^ ROT(X, 14) ^ ROT(X, 22) ^ ROT(X, 30));
}
#define MAKEU32(a, b, c, d) (((u32)(a) << 24) | ((u32)(b) << 16) | ((u32)(c) << 8) | ((u32)(d)))
/* F */
u32 F()
{
u32 W, W1, W2, u, v;
W = (BRC_X0 ^ F_R1) + F_R2;
W1 = F_R1 + BRC_X1;
W2 = F_R2 ^ BRC_X2;
u = L1((W1 << 16) | (W2 >> 16));
v = L2((W2 << 16) | (W1 >> 16));
F_R1 = MAKEU32(S0[u >> 24], S1[(u >> 16) & 0xFF],
S0[(u >> 8) & 0xFF], S1[u & 0xFF]);
F_R2 = MAKEU32(S0[v >> 24], S1[(v >> 16) & 0xFF],
S0[(v >> 8) & 0xFF], S1[v & 0xFF]);
return W;
}
#define MAKEU31(a, b, c) (((u32)(a) << 23) | ((u32)(b) << 8) | (u32)(c))
/* initialize */
void zuc_initialize(u8* k, u8* iv)
{
u32 w, nCount;
/* expand key */
LFSR_S0 = MAKEU31(k[0], EK_d[0], iv[0]);
LFSR_S1 = MAKEU31(k[1], EK_d[1], iv[1]);
LFSR_S2 = MAKEU31(k[2], EK_d[2], iv[2]);
LFSR_S3 = MAKEU31(k[3], EK_d[3], iv[3]);
LFSR_S4 = MAKEU31(k[4], EK_d[4], iv[4]);
LFSR_S5 = MAKEU31(k[5], EK_d[5], iv[5]);
LFSR_S6 = MAKEU31(k[6], EK_d[6], iv[6]);
LFSR_S7 = MAKEU31(k[7], EK_d[7], iv[7]);
LFSR_S8 = MAKEU31(k[8], EK_d[8], iv[8]);
LFSR_S9 = MAKEU31(k[9], EK_d[9], iv[9]);
LFSR_S10 = MAKEU31(k[10], EK_d[10], iv[10]);
LFSR_S11 = MAKEU31(k[11], EK_d[11], iv[11]);
LFSR_S12 = MAKEU31(k[12], EK_d[12], iv[12]);
LFSR_S13 = MAKEU31(k[13], EK_d[13], iv[13]);
LFSR_S14 = MAKEU31(k[14], EK_d[14], iv[14]);
LFSR_S15 = MAKEU31(k[15], EK_d[15], iv[15]);
/* set F_R1 and F_R2 to zero */
F_R1 = 0;
F_R2 = 0;
nCount = 32;
while (nCount > 0)
{
BitReorganization();
w = F();
LFSRWithInitialisationMode(w >> 1);
nCount --;
}
}
void zuc_generate_key_stream(u32* pKeystream, u32 KeystreamLen)
{
int i;
BitReorganization();
F(); /* discard the output of F */
LFSRWithWorkMode();
for (i = 0; i < KeystreamLen; i ++)
{
BitReorganization();
pKeystream[i] = F() ^ BRC_X3;
LFSRWithWorkMode();
}
}
/* The ZUC algorithm, see ref. [3]*/
void ZUC(u8* k, u8* iv, u32* ks, u32 len)
{
/* The initialization of ZUC, see page 17 of ref. [3]*/
zuc_initialize(k, iv);
/* The procedure of generating keystream of ZUC, see page 18 of ref. [3]*/
zuc_generate_key_stream(ks, len);
}
/* end of ZUC.c */
/*-----------------------------------------------------
* EEA3
*---------------------------------------------------*/
/*
* EEA3: LTE Encryption Algorithm 3
* EEA3.c
*/
void zuc_eea3(u8* CK, u32 COUNT, u32 BEARER, u32 DIRECTION,
u32 LENGTH, u32* M, u32* C)
{
u32 *z, L, i;
u8 IV[16];
u32 lastbits = (32-(LENGTH%32))%32;
L = (LENGTH+31)/32;
z = (u32 *) malloc(L*sizeof(u32));
IV[0] = (COUNT>>24) & 0xFF;
IV[1] = (COUNT>>16) & 0xFF;
IV[2] = (COUNT>>8) & 0xFF;
IV[3] = COUNT & 0xFF;
IV[4] = ((BEARER << 3) | ((DIRECTION&1)<<2)) & 0xFC;
IV[5] = 0;
IV[6] = 0;
IV[7] = 0;
IV[8] = IV[0];
IV[9] = IV[1];
IV[10] = IV[2];
IV[11] = IV[3];
IV[12] = IV[4];
IV[13] = IV[5];
IV[14] = IV[6];
IV[15] = IV[7];
ZUC(CK, IV, z, L);
for (i=0; i<L; i++)
C[i] = M[i] ^ z[i];
/* zero last bits of data in case its length is not word-aligned (32 bits)
this is an addition to the C reference code, which did not handle it */
if (lastbits)
i--;
C[i] &= 0x100000000 - (1<<lastbits);
free(z);
}
/* end of EEA3.c */
/*-----------------------------------------------------
* EIA3
*---------------------------------------------------*/
/*
* EIA3: LTE Integrity computation algorithm
* EIA3.c
*/
u32 GET_WORD(u32 * DATA, u32 i)
{
u32 WORD, ti;
ti = i % 32;
if (ti == 0)
WORD = DATA[i/32];
else
WORD = (DATA[i/32]<<ti) | (DATA[i/32+1]>>(32-ti));
return WORD;
}
u8 GET_BIT(u32 * DATA, u32 i)
{
return (DATA[i/32] & (1<<(31-(i%32)))) ? 1 : 0;
}
void zuc_eia3(u8* IK, u32 COUNT, u32 BEARER, u32 DIRECTION,
u32 LENGTH, u32* M, u32* MAC)
{
u32 *z, N, L, T, i;
u8 IV[16];
IV[0] = (COUNT>>24) & 0xFF;
IV[1] = (COUNT>>16) & 0xFF;
IV[2] = (COUNT>>8) & 0xFF;
IV[3] = COUNT & 0xFF;
IV[4] = (BEARER << 3) & 0xF8;
IV[5] = IV[6] = IV[7] = 0;
IV[8] = ((COUNT>>24) & 0xFF) ^ ((DIRECTION&1)<<7);
IV[9] = (COUNT>>16) & 0xFF;
IV[10] = (COUNT>>8) & 0xFF;
IV[11] = COUNT & 0xFF;
IV[12] = IV[4];
IV[13] = IV[5];
IV[14] = IV[6] ^ ((DIRECTION&1)<<7);
IV[15] = IV[7];
N = LENGTH + 64;
L = (N + 31) / 32;
z = (u32 *) malloc(L*sizeof(u32));
ZUC(IK, IV, z, L);
T = 0;
for (i=0; i<LENGTH; i++) {
if (GET_BIT(M,i)) {
T ^= GET_WORD(z,i);
}
}
T ^= GET_WORD(z,LENGTH);
*MAC = T ^ z[L-1];
free(z);
}
/* end of EIA3.c */

58
src/mme/zuc.h Normal file
View File

@ -0,0 +1,58 @@
/*------------------------------------------------------------------------
* ZUC.h
* Code taken from the ZUC specification
* available on the GSMA website
*------------------------------------------------------------------------*/
#ifndef __ZUC_H__
#define __ZUC_H__
#include "core.h"
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
/* type definition from */
typedef c_uint8_t u8;
typedef c_uint32_t u32;
/*
* ZUC keystream generator
* k: secret key (input, 16 bytes)
* iv: initialization vector (input, 16 bytes)
* Keystream: produced keystream (output, variable length)
* KeystreamLen: length in bits requested for the keystream (input)
*/
CORE_DECLARE(void) zuc_initialize(u8* k, u8* iv);
CORE_DECLARE(void) zuc_generate_key_stream(u32* pKeystream, u32 KeystreamLen);
/*
* CK: ciphering key
* COUNT: frame counter
* BEARER: radio bearer
* DIRECTION
* LENGTH: length of the frame in bits
* M: original message (input)
* C: processed message (output)
*/
CORE_DECLARE(void) zuc_eea3(u8* CK, u32 COUNT, u32 BEARER, u32 DIRECTION,
u32 LENGTH, u32* M, u32* C);
/*
* IK: integrity key
* COUNT: frame counter
* BEARER: radio bearer
* DIRECTION
* LENGTH: length of the frame in bits
* M: original message (input)
* C: processed message (output)
*/
CORE_DECLARE(void) zuc_eia3(u8* IK, u32 COUNT, u32 BEARER, u32 DIRECTION,
u32 LENGTH, u32* M, u32* MAC);
#ifdef __cplusplus
}
#endif /* __cplusplus */
#endif /* __ZUC_H__ */