diff options
Diffstat (limited to 'src/gsm/comp128.c')
-rw-r--r-- | src/gsm/comp128.c | 75 |
1 files changed, 34 insertions, 41 deletions
diff --git a/src/gsm/comp128.c b/src/gsm/comp128.c index 78f0e07c..0fcc67d5 100644 --- a/src/gsm/comp128.c +++ b/src/gsm/comp128.c @@ -1,6 +1,5 @@ -/* - * COMP128 implementation - * +/*! \file comp128.c + * COMP128 v1; common/old GSM Authentication Algorithm (A3/A8). * * This code is inspired by original code from : * Marc Briceno <marc@scard.org>, Ian Goldberg <iang@cs.berkeley.edu>, @@ -11,7 +10,38 @@ * A comment snippet from the original code is included below, it describes * where the doc came from and how the algorithm was reverse engineered. * + * This code derived from a leaked document from the GSM standards. + * Some missing pieces were filled in by reverse-engineering a working SIM. + * We have verified that this is the correct COMP128 algorithm. + * + * The first page of the document identifies it as + * + * _Technical Information: GSM System Security Study_. + * 10-1617-01, 10th June 1988. + * + * The bottom of the title page is marked + * + * Racal Research Ltd. + * Worton Drive, Worton Grange Industrial Estate, + * Reading, Berks. RG2 0SB, England. + * Telephone: Reading (0734) 868601 Telex: 847152 + * + * The relevant bits are in Part I, Section 20 (pages 66--67). Enjoy! * + * Note: There are three typos in the spec (discovered by + * reverse-engineering). + * - First, "z = (2 * x[n] + x[n]) mod 2^(9-j)" should clearly read + * "z = (2 * x[m] + x[n]) mod 2^(9-j)". + * - Second, the "k" loop in the "Form bits from bytes" section is severely + * botched: the k index should run only from 0 to 3, and clearly the range + * on "the (8-k)th bit of byte j" is also off (should be 0..7, not 1..8, + * to be consistent with the subsequent section). + * - Third, SRES is taken from the first 8 nibbles of x[], not the last 8 as + * claimed in the document. (And the document doesn't specify how Kc is + * derived, but that was also easily discovered with reverse engineering.) + * All of these typos have been corrected in the following code. + */ +/* * (C) 2009 by Sylvain Munaut <tnt@246tNt.com> * * All Rights Reserved @@ -32,49 +62,12 @@ * */ -/* - * --- SNIP --- - * - * This code derived from a leaked document from the GSM standards. - * Some missing pieces were filled in by reverse-engineering a working SIM. - * We have verified that this is the correct COMP128 algorithm. - * - * The first page of the document identifies it as - * _Technical Information: GSM System Security Study_. - * 10-1617-01, 10th June 1988. - * The bottom of the title page is marked - * Racal Research Ltd. - * Worton Drive, Worton Grange Industrial Estate, - * Reading, Berks. RG2 0SB, England. - * Telephone: Reading (0734) 868601 Telex: 847152 - * The relevant bits are in Part I, Section 20 (pages 66--67). Enjoy! - * - * Note: There are three typos in the spec (discovered by - * reverse-engineering). - * First, "z = (2 * x[n] + x[n]) mod 2^(9-j)" should clearly read - * "z = (2 * x[m] + x[n]) mod 2^(9-j)". - * Second, the "k" loop in the "Form bits from bytes" section is severely - * botched: the k index should run only from 0 to 3, and clearly the range - * on "the (8-k)th bit of byte j" is also off (should be 0..7, not 1..8, - * to be consistent with the subsequent section). - * Third, SRES is taken from the first 8 nibbles of x[], not the last 8 as - * claimed in the document. (And the document doesn't specify how Kc is - * derived, but that was also easily discovered with reverse engineering.) - * All of these typos have been corrected in the following code. - * - * --- /SNIP --- - */ - #include <string.h> #include <stdint.h> /*! \addtogroup auth * @{ - */ - -/*! \file comp128.c - * COMP128 v1; common/old GSM Authentication Algorithm (A3/A8) - */ + * \file comp128.c */ /* The compression tables (just copied ...) */ static const uint8_t table_0[512] = { |