sysmocom
/
asterisk
11
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

WIP VoLTE support for Asterisk

This commit is contained in:
Andreas Eversberg 2024-04-21 09:17:42 +02:00
parent 93c9780637
commit 05c9684302
7 changed files with 620 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
res/res_pjsip/config_transport.c
View File

@ -847,6 +847,7 @@ static int transport_apply(const struct ast_sorcery *sorcery, void *obj)
usleep(BIND_DELAY_US);
}
printf("TRANSPORT HIER\n");
res = pjsip_tcp_transport_start3(ast_sip_get_pjsip_endpoint(), &cfg,
&temp_state->state->factory);
}

4
res/res_pjsip_outbound_authenticator_digest.c
View File

@ -313,7 +313,9 @@ static pj_status_t set_outbound_authentication_credentials(pjsip_auth_clt_sess *
pj_cstr(&auth_cred.scheme, "digest");
switch (auth->type) {
case AST_SIP_AUTH_TYPE_USER_PASS:
if (volte_auth)
if (volte_auth == (void *)0x1)
pj_cstr(&auth_cred.data, "");
else if (volte_auth)
pj_strset(&auth_cred.data, (char *)volte_auth, 8);
else
pj_cstr(&auth_cred.data, auth->auth_pass);

16
res/res_pjsip_outbound_registration.c
View File

@ -92,6 +92,12 @@
are made.
</para></description>
</configOption>
<configOption name="max_auth" default="1">
<synopsis>Maximum number of authentication attempts.</synopsis>
<description><para>
This sets the maximum number of authentications attempts that are made.
</para></description>
</configOption>
<configOption name="security_negotiation" default="no">
<synopsis>The kind of security agreement negotiation to use. Currently, only mediasec is supported.</synopsis>
<description>
@ -361,6 +367,8 @@ struct sip_outbound_registration {
unsigned int auth_rejection_permanent;
/*! \brief Maximum number of retries permitted */
unsigned int max_retries;
/*! \brief Maximum number of authentication attemps permitted */
unsigned int max_auth;
/*! \brief Whether to add a line parameter to the outbound Contact or not */
unsigned int line;
/*! \brief Type of security negotiation to use (RFC 3329). */
@ -402,6 +410,8 @@ struct sip_outbound_registration_client_state {
unsigned int retries;
/*! \brief Maximum number of retries permitted */
unsigned int max_retries;
/*! \brief Maximum number of authentication attemps permitted */
unsigned int max_auth;
/*! \brief Interval at which retries should occur for temporal responses */
unsigned int retry_interval;
/*! \brief Interval at which retries should occur for permanent responses */
@ -1278,7 +1288,7 @@ static int handle_registration_response(void *data)
}
}
} else if ((response->code == 401 || response->code == 407 || response->code == 494)
&& (!response->client_state->auth_attempted
&& (response->client_state->auth_attempted < response->client_state->max_auth
|| response->rdata->msg_info.cseq->cseq != response->client_state->auth_cseq)) {
int res;
pjsip_cseq_hdr *cseq_hdr;
@ -1326,7 +1336,7 @@ static int handle_registration_response(void *data)
return 0;
} else if (!ast_sip_create_request_with_auth(&response->client_state->outbound_auths,
response->rdata, response->old_request, &tdata)) {
response->client_state->auth_attempted = 1;
response->client_state->auth_attempted++;
ast_debug(1, "Sending authenticated REGISTER to server '%s' from client '%s'\n",
server_uri, client_uri);
pjsip_tx_data_add_ref(tdata);
@ -1965,6 +1975,7 @@ static int sip_outbound_registration_perform(void *data)
state->client_state->forbidden_retry_interval = registration->forbidden_retry_interval;
state->client_state->fatal_retry_interval = registration->fatal_retry_interval;
state->client_state->max_retries = registration->max_retries;
state->client_state->max_auth = registration->max_auth;
state->client_state->retries = 0;
state->client_state->support_path = registration->support_path;
state->client_state->support_outbound = registration->support_outbound;
@ -2827,6 +2838,7 @@ static int load_module(void)
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "forbidden_retry_interval", "0", OPT_UINT_T, 0, FLDSET(struct sip_outbound_registration, forbidden_retry_interval));
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "fatal_retry_interval", "0", OPT_UINT_T, 0, FLDSET(struct sip_outbound_registration, fatal_retry_interval));
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "max_retries", "10", OPT_UINT_T, 0, FLDSET(struct sip_outbound_registration, max_retries));
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "max_auth", "1", OPT_UINT_T, 0, FLDSET(struct sip_outbound_registration, max_auth));
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "auth_rejection_permanent", "yes", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, auth_rejection_permanent));
ast_sorcery_object_field_register_custom(ast_sip_get_sorcery(), "registration", "outbound_auth", "", outbound_auth_handler, outbound_auths_to_str, outbound_auths_to_var_list, 0, 0);
ast_sorcery_object_field_register(ast_sip_get_sorcery(), "registration", "support_path", "no", OPT_BOOL_T, 1, FLDSET(struct sip_outbound_registration, support_path));

298
res/res_pjsip_volte.c
View File

@ -34,8 +34,10 @@ const pj_str_t STR_PROXY_REQUIRE = { "Proxy-Require", 13 };
const pj_str_t STR_PATH = { "path", 4 };
const pj_str_t STR_SEC_AGREE = { "sec-agree", 9 };
const pj_str_t STR_AUTHORIZATION = { "Authorization", 13 };
const pj_str_t STR_AUTS = { "auts", 4 };
const pj_str_t STR_SECURITY_CLIENT = { "Security-Client", 15 };
const pj_str_t STR_SECURITY_SERVER = { "Security-Server", 15 };
const pj_str_t STR_SECURITY_VERIFY = { "Security-Verify", 15 };
const pj_str_t STR_Q = { "q", 1 };
const pj_str_t STR_PROT = { "prot", 4 };
const pj_str_t STR_MOD = { "mod", 3 };
@ -62,13 +64,23 @@ const struct ipsec_alg ipsec_ealg[] = {
{ NULL, NULL }
};
static unsigned char aka_res[8];
enum auth_state {
AUTH_STATE_NONE,
AUTH_STATE_RESYNC,
AUTH_STATE_RESULT,
};
static enum auth_state g_auth_state = AUTH_STATE_NONE;
static unsigned char g_aka_res[8];
static unsigned char g_auts[14];
static char g_security_server[1024] = "";
static struct mnl_socket *g_mnl_socket = NULL;
struct sockaddr_storage g_local_addr_c, g_local_addr_s;
struct sockaddr_storage g_remote_addr_c, g_remote_addr_s;
static pj_sockaddr g_local_addr_c, g_local_addr_s;
static pj_sockaddr g_remote_addr_c, g_remote_addr_s;
static uint32_t g_local_spi_c, g_local_spi_s;
static uint32_t g_remote_spi_c, g_remote_spi_s;
static int hacking_port;
static pj_bool_t g_local_sa_c_set = PJ_FALSE, g_local_sa_s_set = PJ_FALSE;
static pj_bool_t g_remote_sa_c_set = PJ_FALSE, g_remote_sa_s_set = PJ_FALSE;
static pj_bool_t g_local_sp_c_set = PJ_FALSE, g_local_sp_s_set = PJ_FALSE;
@ -83,12 +95,12 @@ static void copy_pj_sockaddr_to_sockaddr_storage(const pj_sockaddr *src, struct
if (dst->ss_family == AF_INET) {
struct sockaddr_in *dst_in = (struct sockaddr_in *)dst;
const pj_sockaddr_in *src_in = (const pj_sockaddr_in *)src;
dst_in->sin_port = htons(src_in->sin_port);
dst_in->sin_port = src_in->sin_port;
memcpy(&dst_in->sin_addr, &src_in->sin_addr, sizeof(struct in_addr));
} else if (dst->ss_family == AF_INET6) {
struct sockaddr_in6 *dst_in6 = (struct sockaddr_in6 *)dst;
const pj_sockaddr_in6 *src_in6 = (const pj_sockaddr_in6 *)src;
dst_in6->sin6_port = htons(src_in6->sin6_port);
dst_in6->sin6_port = src_in6->sin6_port;
memcpy(&dst_in6->sin6_addr, &src_in6->sin6_addr, sizeof(struct in6_addr));
}
}
@ -108,53 +120,51 @@ static char *sockaddr_storage_to_string(const struct sockaddr_storage *addr, cha
return ip_string;
}
static void sockaddr_storage_port(struct sockaddr_storage *addr, uint16_t port)
{
switch (((struct sockaddr *)addr)->sa_family) {
case AF_INET:
((struct sockaddr_in *)addr)->sin_port = htons(port);
break;
case AF_INET6:
((struct sockaddr_in6 *)addr)->sin6_port = htons(port);
break;
}
}
/* Delete old SA and SP entries upon new registration or module exit. */
static void cleanup_xfrm(void)
{
struct sockaddr_storage local_addr_c, local_addr_s;
struct sockaddr_storage remote_addr_c, remote_addr_s;
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_c, &local_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_c, &remote_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_s, &local_addr_s);
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_s, &remote_addr_s);
if (g_local_sa_c_set) {
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c, g_local_spi_c);
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_s, g_remote_spi_s);
g_local_sa_c_set = PJ_FALSE;
}
if (g_local_sa_s_set) {
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s, g_local_spi_s);
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_c, g_remote_spi_c);
g_local_sa_s_set = PJ_FALSE;
}
if (g_remote_sa_c_set) {
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_c, (const struct sockaddr *)&g_local_addr_c, g_remote_spi_c);
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&remote_addr_c, (const struct sockaddr *)&local_addr_s, g_local_spi_s);
g_remote_sa_c_set = PJ_FALSE;
}
if (g_remote_sa_s_set) {
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_s, (const struct sockaddr *)&g_local_addr_s, g_remote_spi_s);
xfrm_sa_del(g_mnl_socket, (const struct sockaddr *)&remote_addr_s, (const struct sockaddr *)&local_addr_c, g_local_spi_c);
g_remote_sa_s_set = PJ_FALSE;
}
puts("x");
if (g_local_sp_c_set) {
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c, false);
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_s, false);
g_local_sp_c_set = PJ_FALSE;
}
if (g_local_sp_s_set) {
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s, false);
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_c, false);
g_local_sp_s_set = PJ_FALSE;
}
if (g_remote_sp_c_set) {
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_c, (const struct sockaddr *)&g_local_addr_c, true);
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&remote_addr_c, (const struct sockaddr *)&local_addr_s, true);
g_remote_sp_c_set = PJ_FALSE;
}
if (g_remote_sp_s_set) {
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_s, (const struct sockaddr *)&g_local_addr_s, true);
xfrm_policy_del(g_mnl_socket, (const struct sockaddr *)&remote_addr_s, (const struct sockaddr *)&local_addr_c, true);
g_remote_sp_s_set = PJ_FALSE;
}
puts("y");
}
@ -337,9 +347,10 @@ static void add_value_array_hdr(pjsip_tx_data *tdata, const pj_str_t *name, cons
static pj_status_t on_tx_register_request(pjsip_tx_data *tdata)
{
char src_str[64], dst_str[64];
pjsip_generic_array_hdr *hdr;
pjsip_generic_array_hdr *sec_hdr;
pjsip_authorization_hdr *auth_hdr, *auth_hdr2;
int rc;
pj_status_t status;
volte_auth = NULL;
@ -349,29 +360,82 @@ static pj_status_t on_tx_register_request(pjsip_tx_data *tdata)
pj_bool_t created = PJ_FALSE;
/* Create header, if not yet created. */
hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_CLIENT, NULL);
if (!hdr) {
puts("first register\n");
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_CLIENT, NULL);
if (!sec_hdr) {
struct sockaddr_storage local_addr_c, local_addr_s;
struct sockaddr_storage remote_addr_c, remote_addr_s;
uint16_t local_port_c, local_port_s;
char src_str[64], dst_str[64];
g_auth_state = AUTH_STATE_NONE;
cleanup_xfrm();
/* Get local and remote peer address. */
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.transport->local_addr, &g_local_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.transport->local_addr, &g_local_addr_s);
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.dst_addr, &g_remote_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&tdata->tp_info.dst_addr, &g_remote_addr_s);
sockaddr_storage_port(&g_remote_addr_c, 0x0001);
sockaddr_storage_port(&g_remote_addr_s, 0x0001);
ast_log(LOG_DEBUG, "peers %s->%s\n", sockaddr_storage_to_string(&g_local_addr_c, src_str, sizeof(src_str)), sockaddr_storage_to_string(&g_remote_addr_c, dst_str, sizeof(dst_str)));
printf("was ist local=%d\n", pj_sockaddr_get_port(&g_local_addr_c));
memcpy(&g_local_addr_c, &tdata->tp_info.transport->local_addr, sizeof(pj_sockaddr));
memcpy(&g_local_addr_s, &tdata->tp_info.transport->factory->local_addr, sizeof(pj_sockaddr));
memcpy(&g_remote_addr_c, &tdata->tp_info.dst_addr, sizeof(pj_sockaddr));
memcpy(&g_remote_addr_s, &tdata->tp_info.dst_addr, sizeof(pj_sockaddr));
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_c, &remote_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_s, &remote_addr_s);
ast_log(LOG_DEBUG, "old local client: %s:%d remote server: %s:%d\n", sockaddr_storage_to_string(&local_addr_c, src_str, sizeof(src_str)), pj_sockaddr_get_port(&g_local_addr_c), sockaddr_storage_to_string(&remote_addr_s, dst_str, sizeof(dst_str)), pj_sockaddr_get_port(&g_remote_addr_s));
printf("was ist jetzt local=%d\n", pj_sockaddr_get_port(&g_local_addr_c));
if (pj_sockaddr_get_port(&g_local_addr_c) == 5050) {
puts("switch to old transport");
/* Create socket with new port. */
if (!tdata->tp_info.transport->create_new_sock) {
ast_log(LOG_ERROR, "Cannot get connection addresses. The transport protocol does not support it. Please add support.\n");
return PJ_SUCCESS;
}
#define HACK
status = tdata->tp_info.transport->create_new_sock(tdata->tp_info.transport, NULL);
if (status != PJ_SUCCESS) {
ast_log(LOG_ERROR, "Failed to get connection addresses (errno=%d).\n", errno);
return PJ_CONSUME;
}
if (!tdata->tp_info.transport->connect_new_sock) {
ast_log(LOG_ERROR, "Cannot change connection addresses. The transport protocol does not support it. Please add support.\n");
return PJ_SUCCESS;
}
status = tdata->tp_info.transport->connect_new_sock(tdata->tp_info.transport, &g_local_addr_c, &g_remote_addr_s);
if (status != PJ_SUCCESS) {
ast_log(LOG_ERROR, "Failed to change connection addresses.\n");
return PJ_CONSUME;
}
puts("switch to old transport done!");
}
pj_sockaddr_set_port(&g_remote_addr_c, 0);
pj_sockaddr_set_port(&g_remote_addr_s, 0);
/* Create socket with new port. */
if (!tdata->tp_info.transport->create_new_sock) {
ast_log(LOG_ERROR, "Cannot get connection addresses. The transport protocol does not support it. Please add support.\n");
return PJ_SUCCESS;
}
#define HACK
pj_sockaddr_set_port(&g_local_addr_c, 5050); /* client */
status = tdata->tp_info.transport->create_new_sock(tdata->tp_info.transport, &g_local_addr_c);
if (status != PJ_SUCCESS) {
ast_log(LOG_ERROR, "Failed to get connection addresses (errno=%d).\n", errno);
return PJ_CONSUME;
}
printf("%d\n", pj_sockaddr_get_port(&g_local_addr_c));
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_c, &local_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_c, &remote_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_s, &local_addr_s);
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_s, &remote_addr_s);
ast_log(LOG_DEBUG, "local client: %s:%d remote server: %s:%d\n", sockaddr_storage_to_string(&local_addr_c, src_str, sizeof(src_str)), pj_sockaddr_get_port(&g_local_addr_c), sockaddr_storage_to_string(&remote_addr_s, dst_str, sizeof(dst_str)), pj_sockaddr_get_port(&g_remote_addr_s));
ast_log(LOG_DEBUG, "local server: %s:%d remote client: %s:%d\n", sockaddr_storage_to_string(&local_addr_s, src_str, sizeof(src_str)), pj_sockaddr_get_port(&g_local_addr_s), sockaddr_storage_to_string(&remote_addr_c, dst_str, sizeof(dst_str)), pj_sockaddr_get_port(&g_remote_addr_c));
/* Allocate SPI-C and SPI-S towards remote peer. */
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_local_spi_c, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c);
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_local_spi_c, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_c);
if (rc < 0) {
spi_alloc_failed:
ast_log(LOG_ERROR, "Failed to request SPI.\n");
return PJ_CONSUME;
}
g_local_sa_s_set = PJ_TRUE;
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_local_spi_s, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s);
rc = xfrm_spi_alloc(g_mnl_socket, 2342, &g_local_spi_s, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_s);
if (rc < 0)
goto spi_alloc_failed;
g_local_sa_c_set = PJ_TRUE;
@ -384,22 +448,87 @@ spi_alloc_failed:
add_value_string_hdr(tdata, &STR_PROXY_REQUIRE, &STR_SEC_AGREE);
/* "Supported: path,sec-agree" */
add_value_array_hdr(tdata, &STR_SUPPORTED, &STR_PATH);
/* "Security-Client: ..." */
add_value_array_hdr(tdata, &STR_SUPPORTED, &STR_SEC_AGREE);
#warning fix port numbers
add_securety_client_hdr(tdata, ipsec_alg, ipsec_ealg, g_local_spi_c, g_local_spi_s, 43419, 42318);
/* "Security-Client: ..." */
local_port_c = pj_sockaddr_get_port(&g_local_addr_c);
local_port_s = pj_sockaddr_get_port(&g_local_addr_s);
add_securety_client_hdr(tdata, ipsec_alg, ipsec_ealg, g_local_spi_c, g_local_spi_s, local_port_c, local_port_s);
}
/* remove double authentication header */
auth_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, NULL);
if (auth_hdr) {
auth_hdr2 = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, auth_hdr->next);
if (auth_hdr2) {
puts("erase double entry");
pj_list_erase(auth_hdr);
}
}
switch (g_auth_state) {
case AUTH_STATE_NONE:
puts("fist register\n");
#warning HACKING: Asterisk must do this on first register! Or we must do it!
char xxx[] = "Digest uri=\"sip:ims.mnc001.mcc238.3gppnetwork.org\",username=\"238010000090828@ims.mnc001.mcc238.3gppnetwork.org\",response=\"\",realm=\"ims.mnc001.mcc238.3gppnetwork.org\",nonce=\"\"";
const pj_str_t STR_XXX = { xxx, strlen(xxx)};
add_value_string_hdr(tdata, &STR_AUTHORIZATION, &STR_XXX);
} else {
puts("second register\n");
hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, NULL);
if (hdr)
pj_list_erase(hdr);
break;
case AUTH_STATE_RESULT:
printf("next register (result)\n");
#warning HACKING: changing transport
if (!tdata->tp_info.transport->connect_new_sock) {
ast_log(LOG_ERROR, "Cannot change connection addresses. The transport protocol does not support it. Please add support.\n");
return PJ_SUCCESS;
}
status = tdata->tp_info.transport->connect_new_sock(tdata->tp_info.transport, &g_local_addr_c, &g_remote_addr_s);
if (status != PJ_SUCCESS) {
ast_log(LOG_ERROR, "Failed to change connection addresses.\n");
return PJ_CONSUME;
}
const pj_str_t STR_YYY = { g_security_server, strlen(g_security_server)};
add_value_string_hdr(tdata, &STR_SECURITY_VERIFY, &STR_YYY);
break;
case AUTH_STATE_RESYNC:
puts("next register (resnchronization)\n");
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_VERIFY, NULL);
if (sec_hdr)
pj_list_erase(sec_hdr);
auth_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_AUTHORIZATION, NULL);
if (auth_hdr) {
/* Append auts to Authorization header and replace that header. */
char enc_auts[23] = "\" \"";
pjsip_param *param;
ast_base64encode(enc_auts + 1, g_auts, 14, 21);
enc_auts[21] = '"';
printf("enc=%s\n", enc_auts);
param = PJ_POOL_ALLOC_T(tdata->pool, pjsip_param);
param->name = STR_AUTS;
pj_strdup2(tdata->pool, &param->value, enc_auts);
pj_list_insert_before(&auth_hdr->credential.digest.other_param, param);
}
break;
}
#if 0
if (g_auth_state == AUTH_STATE_RESYNC) {
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_REQUIRE, NULL);
if (sec_hdr)
pj_list_erase(sec_hdr);
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_PROXY_REQUIRE, NULL);
if (sec_hdr)
pj_list_erase(sec_hdr);
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SUPPORTED, NULL);
if (sec_hdr)
pj_list_erase(sec_hdr);
sec_hdr = pjsip_msg_find_hdr_by_name(tdata->msg, &STR_SECURITY_CLIENT, NULL);
if (sec_hdr)
pj_list_erase(sec_hdr);
}
#endif
return PJ_SUCCESS;
}
@ -443,6 +572,13 @@ static pj_bool_t on_rx_401_407_response(pjsip_rx_data *rdata, pjsip_hdr_e auth_t
ast_log(LOG_ERROR, "Missing 'Security-Server' in REGISTER response.");
return PJ_FALSE;
}
if (sec_hdr->hvalue.slen < sizeof(g_security_server)) {
memcpy(g_security_server, sec_hdr->hvalue.ptr, sec_hdr->hvalue.slen);
g_security_server[sec_hdr->hvalue.slen] = '\0';
} else {
ast_log(LOG_ERROR, "Security-Server' too large.");
return PJ_FALSE;
}
parse_security_server(rdata->tp_info.pool, sec_hdr->hvalue.ptr, sec_hdr->hvalue.slen, &sec);
if (!sec.prot.ptr || !sec.spi_c.ptr || !sec.spi_s.ptr || !sec.port_c.ptr || !sec.port_s.ptr || !sec.alg.ptr || !sec.ealg.ptr) {
ast_log(LOG_ERROR, "Missing 'Security-Server' elements in REGISTER response. header=\"%.*s\", prot=%.*s, spi-c=%.*s, spi-s=%.*s, port-c=%.*s, port-s=%.*s, alg=%.*s, ealg=%.*s", fmt_str(sec_hdr->hvalue), fmt_str(sec.prot), fmt_str(sec.spi_c), fmt_str(sec.spi_s), fmt_str(sec.port_c), fmt_str(sec.port_s), fmt_str(sec.alg), fmt_str(sec.ealg));
@ -466,28 +602,41 @@ static pj_bool_t on_rx_401_407_response(pjsip_rx_data *rdata, pjsip_hdr_e auth_t
#warning hacking
const uint8_t opc[16] = { 0x77, 0x5A, 0x1F, 0x88, 0x7D, 0x2A, 0xD6, 0x6F, 0x97, 0x19, 0xC2, 0xC7, 0x9F, 0x84, 0x7B, 0x50 };
const uint8_t ki[16] = { 0xD5, 0x34, 0xE0, 0x78, 0x54, 0xB7, 0x5E, 0x47, 0x5C, 0x66, 0x7A, 0x85, 0x6A, 0xA3, 0x1F, 0x9C };
const uint8_t k[16] = { 0xD5, 0x34, 0xE0, 0x78, 0x54, 0xB7, 0x5E, 0x47, 0x5C, 0x66, 0x7A, 0x85, 0x6A, 0xA3, 0x1F, 0x9C };
const uint8_t amf[2] = { 0x80, 0x00 };
const uint8_t sqn[6] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
uint8_t rand_auth[32], *rand = rand_auth, *auth = rand_auth + 16;
uint8_t out_autn[16], out_ik[16], out_ck[16];
const uint8_t sqn[6] = { 0x00, 0x00, 0x00, 0x00, 0xd0, 0x00 };
uint8_t rand_auth[32], *rand = rand_auth, *autn = rand_auth + 16;
uint8_t out_ik[16], out_ck[16];
size_t out_res_len = 8;
int rc;
ast_base64decode(rand_auth, auth_hdr->challenge.digest.nonce.ptr, sizeof(rand_auth));
hexdump(LOG_DEBUG, "nonce", rand_auth, 32);
milenage_generate(opc, amf, ki, sqn, rand, out_autn, out_ik, out_ck, aka_res, &out_res_len);
if (out_res_len != 8) {
ast_log(LOG_ERROR, "Milenage computation failed.\n");
// milenage_generate(opc, amf, ki, sqn, rand, out_autn, out_ik, out_ck, g_aka_res, &out_res_len);
rc = milenage_check(opc, k, sqn, rand, autn, out_ik, out_ck, g_aka_res, &out_res_len, g_auts);
printf("mileange rc=%d\n", rc);
if (rc == -1) {
ast_log(LOG_ERROR, "Milenage check failed, Changing the response to 403, so that SIP stack will stop the outgoing registration.\n");
rdata->msg_info.msg->line.req.method.id = 403;
g_auth_state = AUTH_STATE_NONE;
return PJ_FALSE;
}
hexdump(LOG_DEBUG, "IK", out_ik, 16);
hexdump(LOG_DEBUG, "CK", out_ck, 16);
volte_auth = aka_res;
if (rc == -2) {
g_auth_state = AUTH_STATE_RESYNC;
#warning hier muss eventuell die authentication im stack geändert werden. oder wir machen es selber
volte_auth = (void *)0x1;
// volte_auth = g_aka_res;
return PJ_FALSE;
}
g_auth_state = AUTH_STATE_RESULT;
volte_auth = g_aka_res;
struct xfrm_algobuf auth_algo, ciph_algo;
int i, j;
int rc;
for (i = 0; ipsec_alg[i].sip_name; i++) {
if (!pj_strncmp2(&sec.alg, ipsec_alg[i].sip_name, strlen(ipsec_alg[i].sip_name)))
break;
@ -502,19 +651,21 @@ static pj_bool_t on_rx_401_407_response(pjsip_rx_data *rdata, pjsip_hdr_e auth_t
}
g_remote_spi_c = atoi(sec.spi_c.ptr);
g_remote_spi_s = atoi(sec.spi_s.ptr);
ast_log(LOG_DEBUG, "remote SPI-C=0x%08x SPI-S=0x%08x\n", g_remote_spi_s, g_remote_spi_c);
sockaddr_storage_port(&g_remote_addr_c, atoi(sec.port_c.ptr));
sockaddr_storage_port(&g_remote_addr_s, atoi(sec.port_s.ptr));
ast_log(LOG_DEBUG, "remote SPI-C=0x%08x SPI-S=0x%08x\n", g_remote_spi_c, g_remote_spi_s);
pj_sockaddr_set_port(&g_remote_addr_c, atoi(sec.port_c.ptr));
pj_sockaddr_set_port(&g_remote_addr_s, atoi(sec.port_s.ptr));
ast_log(LOG_DEBUG, "remote PORT-C=%d PORT-S=%d\n", pj_sockaddr_get_port(&g_remote_addr_c), pj_sockaddr_get_port(&g_remote_addr_s));
hacking_port = atoi(sec.port_s.ptr);
strcpy(auth_algo.algo.alg_name, ipsec_alg[i].kernel_name);
switch (i) {
case 0:
memcpy(auth_algo.algo.alg_key, out_ik, 16);
auth_algo.algo.alg_key_len = 16;
auth_algo.algo.alg_key_len = 128;
break;
case 1:
memcpy(auth_algo.algo.alg_key, out_ik, 16);
memset(auth_algo.algo.alg_key + 16, 0x00, 4);
auth_algo.algo.alg_key_len = 20;
auth_algo.algo.alg_key_len = 160;
break;
}
strcpy(ciph_algo.algo.alg_name, ipsec_ealg[j].kernel_name);
@ -524,42 +675,51 @@ static pj_bool_t on_rx_401_407_response(pjsip_rx_data *rdata, pjsip_hdr_e auth_t
break;
}
cleanup_xfrm();
rc = xfrm_sa_add(g_mnl_socket, g_local_spi_c, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c, g_local_spi_c, &auth_algo.algo, &ciph_algo.algo);
struct sockaddr_storage local_addr_c, local_addr_s;
struct sockaddr_storage remote_addr_c, remote_addr_s;
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_c, &local_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_c, &remote_addr_c);
copy_pj_sockaddr_to_sockaddr_storage(&g_local_addr_s, &local_addr_s);
copy_pj_sockaddr_to_sockaddr_storage(&g_remote_addr_s, &remote_addr_s);
rc = xfrm_sa_add(g_mnl_socket, g_remote_spi_s, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_s, g_remote_spi_s, &auth_algo.algo, &ciph_algo.algo);
if (rc < 0)
ast_log(LOG_ERROR, "Failed to add IPSec SA.\n");
else
g_local_sa_c_set = PJ_TRUE;
rc = xfrm_sa_add(g_mnl_socket, g_local_spi_s, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s, g_local_spi_s, &auth_algo.algo, &ciph_algo.algo);
rc = xfrm_sa_add(g_mnl_socket, g_remote_spi_c, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_c, g_remote_spi_c, &auth_algo.algo, &ciph_algo.algo);
if (rc < 0)
ast_log(LOG_ERROR, "Failed to add IPSec SA.\n");
else
g_local_sa_s_set = PJ_TRUE;
rc = xfrm_sa_add(g_mnl_socket, g_remote_spi_c, (const struct sockaddr *)&g_remote_addr_c, (const struct sockaddr *)&g_local_addr_c, g_remote_spi_c, &auth_algo.algo, &ciph_algo.algo);
rc = xfrm_sa_add(g_mnl_socket, g_local_spi_s, (const struct sockaddr *)&remote_addr_c, (const struct sockaddr *)&local_addr_s, g_local_spi_s, &auth_algo.algo, &ciph_algo.algo);
if (rc < 0)
ast_log(LOG_ERROR, "Failed to add IPSec SA.\n");
else
g_remote_sa_c_set = PJ_TRUE;
rc = xfrm_sa_add(g_mnl_socket, g_remote_spi_s, (const struct sockaddr *)&g_remote_addr_s, (const struct sockaddr *)&g_local_addr_s, g_remote_spi_s, &auth_algo.algo, &ciph_algo.algo);
rc = xfrm_sa_add(g_mnl_socket, g_local_spi_c, (const struct sockaddr *)&remote_addr_s, (const struct sockaddr *)&local_addr_c, g_local_spi_c, &auth_algo.algo, &ciph_algo.algo);
if (rc < 0)
ast_log(LOG_ERROR, "Failed to add IPSec SA.\n");
else
g_remote_sa_s_set = PJ_TRUE;
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&g_local_addr_c, (const struct sockaddr *)&g_remote_addr_c, g_local_spi_c, false);
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&local_addr_c, (const struct sockaddr *)&remote_addr_s, g_remote_spi_s, false);
if (rc < 0)
ast_log(LOG_ERROR, "Failed to add IPSec SP.\n");
else
g_local_sp_c_set = PJ_TRUE;
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&g_local_addr_s, (const struct sockaddr *)&g_remote_addr_s, g_local_spi_s, false);
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&local_addr_s, (const struct sockaddr *)&remote_addr_c, g_remote_spi_c, false);
if (rc < 0)
ast_log(LOG_ERROR, "Failed to add IPSec SP.\n");
else
g_local_sp_s_set = PJ_TRUE;
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_c, (const struct sockaddr *)&g_local_addr_c, g_remote_spi_c, true);
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&remote_addr_c, (const struct sockaddr *)&local_addr_s, g_local_spi_s, true);
if (rc < 0)
ast_log(LOG_ERROR, "Failed to add IPSec SP.\n");
else
g_remote_sp_c_set = PJ_TRUE;
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&g_remote_addr_s, (const struct sockaddr *)&g_local_addr_s, g_remote_spi_s, true);
rc = xfrm_policy_add(g_mnl_socket, (const struct sockaddr *)&remote_addr_s, (const struct sockaddr *)&local_addr_c, g_local_spi_c, true);
if (rc < 0)
ast_log(LOG_ERROR, "Failed to add IPSec SP.\n");
else
@ -585,6 +745,8 @@ static pj_bool_t on_rx_response(pjsip_rx_data *rdata)
return on_rx_401_407_response(rdata, PJSIP_H_WWW_AUTHENTICATE);
case 407:
return on_rx_401_407_response(rdata, PJSIP_H_PROXY_AUTHENTICATE);
case 200:
break;
default:
break;
}

347
res/res_pjsip_volte/milenage.c Normal file
View File

@ -0,0 +1,347 @@
/*
* 3GPP AKA - Milenage algorithm (3GPP TS 35.205, .206, .207, .208)
* Copyright (c) 2006-2007 <j@w1.fi>
*
* This software may be distributed under the terms of the BSD license.
* See README for more details.
*
* This file implements an example authentication algorithm defined for 3GPP
* AKA. This can be used to implement a simple HLR/AuC into hlr_auc_gw to allow
* EAP-AKA to be tested properly with real USIM cards.
*
* This implementations assumes that the r1..r5 and c1..c5 constants defined in
* TS 35.206 are used, i.e., r1=64, r2=0, r3=32, r4=64, r5=96, c1=00..00,
* c2=00..01, c3=00..02, c4=00..04, c5=00..08. The block cipher is assumed to
* be AES (Rijndael).
*/
#include "milenage.h"
#include "asterisk.h"
#include "asterisk/utils.h"
#include "asterisk/crypto.h"
static int aes_128_encrypt_block(const u8 *key, const u8 *plain, u8 *encr)
{
ast_aes_encrypt_key aes_key;
ast_aes_set_encrypt_key(key, &aes_key);
if (ast_aes_encrypt(plain, encr, &aes_key) <= 0) {
ast_log(LOG_ERROR, "Failed to ecrypt AES 128.");
return -1;
}
return 0;
}
void hexdump(int level, const char *file, int line, const char *func, const char *text, const uint8_t *data, int len)
{
char s[3 * len + 2], *p;
int f;
for (p = s, f = 0; f < len; f++, p += 3) {
sprintf(p, "%02hhX ", (unsigned char)data[f]);
}
ast_log(level, file, line, func, "%s: %s\n", text, s);
}
/**
* milenage_f1 - Milenage f1 and f1* algorithms
* @opc: OPc = 128-bit value derived from OP and K
* @k: K = 128-bit subscriber key
* @_rand: RAND = 128-bit random challenge
* @sqn: SQN = 48-bit sequence number
* @amf: AMF = 16-bit authentication management field
* @mac_a: Buffer for MAC-A = 64-bit network authentication code, or %NULL
* @mac_s: Buffer for MAC-S = 64-bit resync authentication code, or %NULL
* Returns: 0 on success, -1 on failure
*/
int milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand,
const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s)
{
u8 tmp1[16], tmp2[16], tmp3[16];
int i;
/* tmp1 = TEMP = E_K(RAND XOR OP_C) */
for (i = 0; i < 16; i++)
tmp1[i] = _rand[i] ^ opc[i];
if (aes_128_encrypt_block(k, tmp1, tmp1))
return -1;
/* tmp2 = IN1 = SQN || AMF || SQN || AMF */
memcpy(tmp2, sqn, 6);
memcpy(tmp2 + 6, amf, 2);
memcpy(tmp2 + 8, tmp2, 8);
/* OUT1 = E_K(TEMP XOR rot(IN1 XOR OP_C, r1) XOR c1) XOR OP_C */
/* rotate (tmp2 XOR OP_C) by r1 (= 0x40 = 8 bytes) */
for (i = 0; i < 16; i++)
tmp3[(i + 8) % 16] = tmp2[i] ^ opc[i];
/* XOR with TEMP = E_K(RAND XOR OP_C) */
for (i = 0; i < 16; i++)
tmp3[i] ^= tmp1[i];
/* XOR with c1 (= ..00, i.e., NOP) */
/* f1 || f1* = E_K(tmp3) XOR OP_c */
if (aes_128_encrypt_block(k, tmp3, tmp1))
return -1;
for (i = 0; i < 16; i++)
tmp1[i] ^= opc[i];
if (mac_a)
memcpy(mac_a, tmp1, 8); /* f1 */
if (mac_s)
memcpy(mac_s, tmp1 + 8, 8); /* f1* */
return 0;
}
/**
* milenage_f2345 - Milenage f2, f3, f4, f5, f5* algorithms
* @opc: OPc = 128-bit value derived from OP and K
* @k: K = 128-bit subscriber key
* @_rand: RAND = 128-bit random challenge
* @res: Buffer for RES = 64-bit signed response (f2), or %NULL
* @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
* @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
* @ak: Buffer for AK = 48-bit anonymity key (f5), or %NULL
* @akstar: Buffer for AK = 48-bit anonymity key (f5*), or %NULL
* Returns: 0 on success, -1 on failure
*/
int milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand,
u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar)
{
u8 tmp1[16], tmp2[16], tmp3[16];
int i;
/* tmp2 = TEMP = E_K(RAND XOR OP_C) */
for (i = 0; i < 16; i++)
tmp1[i] = _rand[i] ^ opc[i];
if (aes_128_encrypt_block(k, tmp1, tmp2))
return -1;
/* OUT2 = E_K(rot(TEMP XOR OP_C, r2) XOR c2) XOR OP_C */
/* OUT3 = E_K(rot(TEMP XOR OP_C, r3) XOR c3) XOR OP_C */
/* OUT4 = E_K(rot(TEMP XOR OP_C, r4) XOR c4) XOR OP_C */
/* OUT5 = E_K(rot(TEMP XOR OP_C, r5) XOR c5) XOR OP_C */
/* f2 and f5 */
/* rotate by r2 (= 0, i.e., NOP) */
for (i = 0; i < 16; i++)
tmp1[i] = tmp2[i] ^ opc[i];
tmp1[15] ^= 1; /* XOR c2 (= ..01) */
/* f5 || f2 = E_K(tmp1) XOR OP_c */
if (aes_128_encrypt_block(k, tmp1, tmp3))
return -1;
for (i = 0; i < 16; i++)
tmp3[i] ^= opc[i];
if (res)
memcpy(res, tmp3 + 8, 8); /* f2 */
if (ak)
memcpy(ak, tmp3, 6); /* f5 */
/* f3 */
if (ck) {
/* rotate by r3 = 0x20 = 4 bytes */
for (i = 0; i < 16; i++)
tmp1[(i + 12) % 16] = tmp2[i] ^ opc[i];
tmp1[15] ^= 2; /* XOR c3 (= ..02) */
if (aes_128_encrypt_block(k, tmp1, ck))
return -1;
for (i = 0; i < 16; i++)
ck[i] ^= opc[i];
}
/* f4 */
if (ik) {
/* rotate by r4 = 0x40 = 8 bytes */
for (i = 0; i < 16; i++)
tmp1[(i + 8) % 16] = tmp2[i] ^ opc[i];
tmp1[15] ^= 4; /* XOR c4 (= ..04) */
if (aes_128_encrypt_block(k, tmp1, ik))
return -1;
for (i = 0; i < 16; i++)
ik[i] ^= opc[i];
}
/* f5* */
if (akstar) {
/* rotate by r5 = 0x60 = 12 bytes */
for (i = 0; i < 16; i++)
tmp1[(i + 4) % 16] = tmp2[i] ^ opc[i];
tmp1[15] ^= 8; /* XOR c5 (= ..08) */
if (aes_128_encrypt_block(k, tmp1, tmp1))
return -1;
for (i = 0; i < 6; i++)
akstar[i] = tmp1[i] ^ opc[i];
}
return 0;
}
/**
* milenage_generate - Generate AKA AUTN,IK,CK,RES
* @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
* @amf: AMF = 16-bit authentication management field
* @k: K = 128-bit subscriber key
* @sqn: SQN = 48-bit sequence number
* @_rand: RAND = 128-bit random challenge
* @autn: Buffer for AUTN = 128-bit authentication token
* @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
* @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
* @res: Buffer for RES = 64-bit signed response (f2), or %NULL
* @res_len: Max length for res; set to used length or 0 on failure
*/
void milenage_generate(const u8 *opc, const u8 *amf, const u8 *k,
const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik,
u8 *ck, u8 *res, size_t *res_len)
{
int i;
u8 mac_a[8], ak[6];
if (*res_len < 8) {
*res_len = 0;
return;
}
if (milenage_f1(opc, k, _rand, sqn, amf, mac_a, NULL) ||
milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL)) {
*res_len = 0;
return;
}
*res_len = 8;
/* AUTN = (SQN ^ AK) || AMF || MAC */
for (i = 0; i < 6; i++)
autn[i] = sqn[i] ^ ak[i];
memcpy(autn + 6, amf, 2);
memcpy(autn + 8, mac_a, 8);
}
/**
* milenage_auts - Milenage AUTS validation
* @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
* @k: K = 128-bit subscriber key
* @_rand: RAND = 128-bit random challenge
* @auts: AUTS = 112-bit authentication token from client
* @sqn: Buffer for SQN = 48-bit sequence number
* Returns: 0 = success (sqn filled), -1 on failure
*/
int milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts,
u8 *sqn)
{
u8 amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
u8 ak[6], mac_s[8];
int i;
if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
return -1;
for (i = 0; i < 6; i++)
sqn[i] = auts[i] ^ ak[i];
if (milenage_f1(opc, k, _rand, sqn, amf, NULL, mac_s) ||
memcmp(mac_s, auts + 6, 8) != 0)
return -1;
return 0;
}
/**
* gsm_milenage - Generate GSM-Milenage (3GPP TS 55.205) authentication triplet
* @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
* @k: K = 128-bit subscriber key
* @_rand: RAND = 128-bit random challenge
* @sres: Buffer for SRES = 32-bit SRES
* @kc: Buffer for Kc = 64-bit Kc
* Returns: 0 on success, -1 on failure
*/
int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc)
{
u8 res[8], ck[16], ik[16];
int i;
if (milenage_f2345(opc, k, _rand, res, ck, ik, NULL, NULL))
return -1;
for (i = 0; i < 8; i++)
kc[i] = ck[i] ^ ck[i + 8] ^ ik[i] ^ ik[i + 8];
#ifdef GSM_MILENAGE_ALT_SRES
memcpy(sres, res, 4);
#else /* GSM_MILENAGE_ALT_SRES */
for (i = 0; i < 4; i++)
sres[i] = res[i] ^ res[i + 4];
#endif /* GSM_MILENAGE_ALT_SRES */
return 0;
}
/**
* milenage_generate - Generate AKA AUTN,IK,CK,RES
* @opc: OPc = 128-bit operator variant algorithm configuration field (encr.)
* @k: K = 128-bit subscriber key
* @sqn: SQN = 48-bit sequence number
* @_rand: RAND = 128-bit random challenge
* @autn: AUTN = 128-bit authentication token
* @ik: Buffer for IK = 128-bit integrity key (f4), or %NULL
* @ck: Buffer for CK = 128-bit confidentiality key (f3), or %NULL
* @res: Buffer for RES = 64-bit signed response (f2), or %NULL
* @res_len: Variable that will be set to RES length
* @auts: 112-bit buffer for AUTS
* Returns: 0 on success, -1 on failure, or -2 on synchronization failure
*/
int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
u8 *auts)
{
int i;
u8 mac_a[8], ak[6], rx_sqn[6];
const u8 *amf;
hexdump(LOG_DEBUG, "Milenage: AUTN", autn, 16);
hexdump(LOG_DEBUG, "Milenage: RAND", _rand, 16);
if (milenage_f2345(opc, k, _rand, res, ck, ik, ak, NULL))
return -1;
*res_len = 8;
hexdump(LOG_DEBUG, "Milenage: RES", res, *res_len);
hexdump(LOG_DEBUG, "Milenage: CK", ck, 16);
hexdump(LOG_DEBUG, "Milenage: IK", ik, 16);
hexdump(LOG_DEBUG, "Milenage: AK", ak, 6);
/* AUTN = (SQN ^ AK) || AMF || MAC */
for (i = 0; i < 6; i++)
rx_sqn[i] = autn[i] ^ ak[i];
hexdump(LOG_DEBUG, "Milenage: SQN", rx_sqn, 6);
if (memcmp(rx_sqn, sqn, 6) <= 0) {
u8 auts_amf[2] = { 0x00, 0x00 }; /* TS 33.102 v7.0.0, 6.3.3 */
if (milenage_f2345(opc, k, _rand, NULL, NULL, NULL, NULL, ak))
return -1;
hexdump(LOG_DEBUG, "Milenage: AK*", ak, 6);
for (i = 0; i < 6; i++)
auts[i] = sqn[i] ^ ak[i];
if (milenage_f1(opc, k, _rand, sqn, auts_amf, NULL, auts + 6))
return -1;
hexdump(LOG_DEBUG, "Milenage: AUTS", auts, 14);
return -2;
}
amf = autn + 6;
hexdump(LOG_DEBUG, "Milenage: AMF", amf, 2);
if (milenage_f1(opc, k, _rand, rx_sqn, amf, mac_a, NULL))
return -1;
hexdump(LOG_DEBUG, "Milenage: MAC_A", mac_a, 8);
if (memcmp(mac_a, autn + 8, 8) != 0) {
ast_log(LOG_DEBUG, "Milenage: MAC mismatch");
hexdump(LOG_DEBUG, "Milenage: Received MAC_A",
autn + 8, 8);
return -1;
}
return 0;
}

24
res/res_pjsip_volte/milenage.h Normal file
View File

@ -0,0 +1,24 @@
#include <stdint.h>
#include <stddef.h>
#include <string.h>
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
void hexdump(int level, const char *file, int line, const char *func, const char *text, const uint8_t *data, int len);
int milenage_f1(const u8 *opc, const u8 *k, const u8 *_rand,
const u8 *sqn, const u8 *amf, u8 *mac_a, u8 *mac_s);
int milenage_f2345(const u8 *opc, const u8 *k, const u8 *_rand,
u8 *res, u8 *ck, u8 *ik, u8 *ak, u8 *akstar);
void milenage_generate(const u8 *opc, const u8 *amf, const u8 *k,
const u8 *sqn, const u8 *_rand, u8 *autn, u8 *ik,
u8 *ck, u8 *res, size_t *res_len);
int milenage_auts(const u8 *opc, const u8 *k, const u8 *_rand, const u8 *auts,
u8 *sqn);
int gsm_milenage(const u8 *opc, const u8 *k, const u8 *_rand, u8 *sres, u8 *kc);
int milenage_check(const u8 *opc, const u8 *k, const u8 *sqn, const u8 *_rand,
const u8 *autn, u8 *ik, u8 *ck, u8 *res, size_t *res_len,
u8 *auts);

1
res/res_pjsip_volte/netlink_xfrm.c
View File

@ -289,6 +289,7 @@ int xfrm_sa_add(struct mnl_socket *mnl_sock, uint32_t reqid,
struct nlmsghdr *nlh, *rx_nlh;
int rc;
printf("al=%s, al=%s\n", auth_algo->alg_name, ciph_algo->alg_name);
nlh = mnl_nlmsg_put_header(msg_buf);
nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE | NLM_F_EXCL | NLM_F_ACK;
nlh->nlmsg_type = XFRM_MSG_NEWSA;