aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Welte <laforge@gnumonks.org>2011-03-04 09:24:31 +0100
committerHarald Welte <laforge@gnumonks.org>2011-03-04 09:24:31 +0100
commit5a6b68f4169c0ef55dca02a9644ee8f3bbc97e60 (patch)
tree45867797e97e6efb4324c3e5ec226378d446beec
parentbd34be0a961160e6894f8422ec47a6b97eff4ea6 (diff)
really delete a3a8 code
-rw-r--r--openbsc/src/msc/a3a8.c269
1 files changed, 0 insertions, 269 deletions
diff --git a/openbsc/src/msc/a3a8.c b/openbsc/src/msc/a3a8.c
deleted file mode 100644
index 04470ba1..00000000
--- a/openbsc/src/msc/a3a8.c
+++ /dev/null
@@ -1,269 +0,0 @@
-/* An implementation of the GSM A3A8 algorithm. (Specifically, COMP128.)
- */
-
-/* Copyright 1998, Marc Briceno, Ian Goldberg, and David Wagner.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions are met:
- *
- * * Redistributions of source code must retain the above copyright notice,
- * this list of conditions and the following disclaimer.
- *
- * * Redistributions in binary form must reproduce the above copyright notice,
- * this list of conditions and the following disclaimer in the documentation
- * and/or other materials provided with the distribution.
- *
- * * Neither the name of the authors nor the names of the contributors
- * may be used to endorse or promote products derived from this software
- * without specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
- * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
- * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * Coded in C merely because C is a much more precise, concise form of
- * expression for these purposes. See Judge Patel if you have any problems
- * with this...
- * Of course, it's only authentication, so it should be exportable for the
- * usual boring reasons.
- */
-
-typedef unsigned char Byte;
-
-#include <stdio.h>
-/* #define TEST */
-
-/*
- * rand[0..15]: the challenge from the base station
- * key[0..15]: the SIM's A3/A8 long-term key Ki
- * simoutput[0..11]: what you'd get back if you fed rand and key to a real
- * SIM.
- *
- * The GSM spec states that simoutput[0..3] is SRES,
- * and simoutput[4..11] is Kc (the A5 session key).
- * (See GSM 11.11, Section 8.16. See also the leaked document
- * referenced below.)
- * Note that Kc is bits 74..127 of the COMP128 output, followed by 10
- * zeros.
- * In other words, A5 is keyed with only 54 bits of entropy. This
- * represents a deliberate weakening of the key used for voice privacy
- * by a factor of over 1000.
- *
- * Verified with a Pacific Bell Schlumberger SIM. Your mileage may vary.
- *
- * Marc Briceno <marc@scard.org>, Ian Goldberg <iang@cs.berkeley.edu>,
- * and David Wagner <daw@cs.berkeley.edu>
- */
-
-void A3A8(/* in */ Byte rand[16], /* in */ Byte key[16],
- /* out */ Byte simoutput[12]);
-
-/* The compression tables. */
-static const Byte table_0[512] = {
- 102,177,186,162, 2,156,112, 75, 55, 25, 8, 12,251,193,246,188,
- 109,213,151, 53, 42, 79,191,115,233,242,164,223,209,148,108,161,
- 252, 37,244, 47, 64,211, 6,237,185,160,139,113, 76,138, 59, 70,
- 67, 26, 13,157, 63,179,221, 30,214, 36,166, 69,152,124,207,116,
- 247,194, 41, 84, 71, 1, 49, 14, 95, 35,169, 21, 96, 78,215,225,
- 182,243, 28, 92,201,118, 4, 74,248,128, 17, 11,146,132,245, 48,
- 149, 90,120, 39, 87,230,106,232,175, 19,126,190,202,141,137,176,
- 250, 27,101, 40,219,227, 58, 20, 51,178, 98,216,140, 22, 32,121,
- 61,103,203, 72, 29,110, 85,212,180,204,150,183, 15, 66,172,196,
- 56,197,158, 0,100, 45,153, 7,144,222,163,167, 60,135,210,231,
- 174,165, 38,249,224, 34,220,229,217,208,241, 68,206,189,125,255,
- 239, 54,168, 89,123,122, 73,145,117,234,143, 99,129,200,192, 82,
- 104,170,136,235, 93, 81,205,173,236, 94,105, 52, 46,228,198, 5,
- 57,254, 97,155,142,133,199,171,187, 50, 65,181,127,107,147,226,
- 184,218,131, 33, 77, 86, 31, 44, 88, 62,238, 18, 24, 43,154, 23,
- 80,159,134,111, 9,114, 3, 91, 16,130, 83, 10,195,240,253,119,
- 177,102,162,186,156, 2, 75,112, 25, 55, 12, 8,193,251,188,246,
- 213,109, 53,151, 79, 42,115,191,242,233,223,164,148,209,161,108,
- 37,252, 47,244,211, 64,237, 6,160,185,113,139,138, 76, 70, 59,
- 26, 67,157, 13,179, 63, 30,221, 36,214, 69,166,124,152,116,207,
- 194,247, 84, 41, 1, 71, 14, 49, 35, 95, 21,169, 78, 96,225,215,
- 243,182, 92, 28,118,201, 74, 4,128,248, 11, 17,132,146, 48,245,
- 90,149, 39,120,230, 87,232,106, 19,175,190,126,141,202,176,137,
- 27,250, 40,101,227,219, 20, 58,178, 51,216, 98, 22,140,121, 32,
- 103, 61, 72,203,110, 29,212, 85,204,180,183,150, 66, 15,196,172,
- 197, 56, 0,158, 45,100, 7,153,222,144,167,163,135, 60,231,210,
- 165,174,249, 38, 34,224,229,220,208,217, 68,241,189,206,255,125,
- 54,239, 89,168,122,123,145, 73,234,117, 99,143,200,129, 82,192,
- 170,104,235,136, 81, 93,173,205, 94,236, 52,105,228, 46, 5,198,
- 254, 57,155, 97,133,142,171,199, 50,187,181, 65,107,127,226,147,
- 218,184, 33,131, 86, 77, 44, 31, 62, 88, 18,238, 43, 24, 23,154,
- 159, 80,111,134,114, 9, 91, 3,130, 16, 10, 83,240,195,119,253
- }, table_1[256] = {
- 19, 11, 80,114, 43, 1, 69, 94, 39, 18,127,117, 97, 3, 85, 43,
- 27,124, 70, 83, 47, 71, 63, 10, 47, 89, 79, 4, 14, 59, 11, 5,
- 35,107,103, 68, 21, 86, 36, 91, 85,126, 32, 50,109, 94,120, 6,
- 53, 79, 28, 45, 99, 95, 41, 34, 88, 68, 93, 55,110,125,105, 20,
- 90, 80, 76, 96, 23, 60, 89, 64,121, 56, 14, 74,101, 8, 19, 78,
- 76, 66,104, 46,111, 50, 32, 3, 39, 0, 58, 25, 92, 22, 18, 51,
- 57, 65,119,116, 22,109, 7, 86, 59, 93, 62,110, 78, 99, 77, 67,
- 12,113, 87, 98,102, 5, 88, 33, 38, 56, 23, 8, 75, 45, 13, 75,
- 95, 63, 28, 49,123,120, 20,112, 44, 30, 15, 98,106, 2,103, 29,
- 82,107, 42,124, 24, 30, 41, 16,108,100,117, 40, 73, 40, 7,114,
- 82,115, 36,112, 12,102,100, 84, 92, 48, 72, 97, 9, 54, 55, 74,
- 113,123, 17, 26, 53, 58, 4, 9, 69,122, 21,118, 42, 60, 27, 73,
- 118,125, 34, 15, 65,115, 84, 64, 62, 81, 70, 1, 24,111,121, 83,
- 104, 81, 49,127, 48,105, 31, 10, 6, 91, 87, 37, 16, 54,116,126,
- 31, 38, 13, 0, 72,106, 77, 61, 26, 67, 46, 29, 96, 37, 61, 52,
- 101, 17, 44,108, 71, 52, 66, 57, 33, 51, 25, 90, 2,119,122, 35
- }, table_2[128] = {
- 52, 50, 44, 6, 21, 49, 41, 59, 39, 51, 25, 32, 51, 47, 52, 43,
- 37, 4, 40, 34, 61, 12, 28, 4, 58, 23, 8, 15, 12, 22, 9, 18,
- 55, 10, 33, 35, 50, 1, 43, 3, 57, 13, 62, 14, 7, 42, 44, 59,
- 62, 57, 27, 6, 8, 31, 26, 54, 41, 22, 45, 20, 39, 3, 16, 56,
- 48, 2, 21, 28, 36, 42, 60, 33, 34, 18, 0, 11, 24, 10, 17, 61,
- 29, 14, 45, 26, 55, 46, 11, 17, 54, 46, 9, 24, 30, 60, 32, 0,
- 20, 38, 2, 30, 58, 35, 1, 16, 56, 40, 23, 48, 13, 19, 19, 27,
- 31, 53, 47, 38, 63, 15, 49, 5, 37, 53, 25, 36, 63, 29, 5, 7
- }, table_3[64] = {
- 1, 5, 29, 6, 25, 1, 18, 23, 17, 19, 0, 9, 24, 25, 6, 31,
- 28, 20, 24, 30, 4, 27, 3, 13, 15, 16, 14, 18, 4, 3, 8, 9,
- 20, 0, 12, 26, 21, 8, 28, 2, 29, 2, 15, 7, 11, 22, 14, 10,
- 17, 21, 12, 30, 26, 27, 16, 31, 11, 7, 13, 23, 10, 5, 22, 19
- }, table_4[32] = {
- 15, 12, 10, 4, 1, 14, 11, 7, 5, 0, 14, 7, 1, 2, 13, 8,
- 10, 3, 4, 9, 6, 0, 3, 2, 5, 6, 8, 9, 11, 13, 15, 12
- }, *table[5] = { table_0, table_1, table_2, table_3, table_4 };
-
-/*
- * This code derived from a leaked document from the GSM standards.
- * Some missing pieces were filled in by reverse-engineering a working SIM.
- * We have verified that this is the correct COMP128 algorithm.
- *
- * The first page of the document identifies it as
- * _Technical Information: GSM System Security Study_.
- * 10-1617-01, 10th June 1988.
- * The bottom of the title page is marked
- * Racal Research Ltd.
- * Worton Drive, Worton Grange Industrial Estate,
- * Reading, Berks. RG2 0SB, England.
- * Telephone: Reading (0734) 868601 Telex: 847152
- * The relevant bits are in Part I, Section 20 (pages 66--67). Enjoy!
- *
- * Note: There are three typos in the spec (discovered by
- * reverse-engineering).
- * First, "z = (2 * x[n] + x[n]) mod 2^(9-j)" should clearly read
- * "z = (2 * x[m] + x[n]) mod 2^(9-j)".
- * Second, the "k" loop in the "Form bits from bytes" section is severely
- * botched: the k index should run only from 0 to 3, and clearly the range
- * on "the (8-k)th bit of byte j" is also off (should be 0..7, not 1..8,
- * to be consistent with the subsequent section).
- * Third, SRES is taken from the first 8 nibbles of x[], not the last 8 as
- * claimed in the document. (And the document doesn't specify how Kc is
- * derived, but that was also easily discovered with reverse engineering.)
- * All of these typos have been corrected in the following code.
- */
-
-void A3A8(/* in */ Byte rand[16], /* in */ Byte key[16],
- /* out */ Byte simoutput[12])
-{
- Byte x[32], bit[128];
- int i, j, k, l, m, n, y, z, next_bit;
-
- /* ( Load RAND into last 16 bytes of input ) */
- for (i=16; i<32; i++)
- x[i] = rand[i-16];
-
- /* ( Loop eight times ) */
- for (i=1; i<9; i++) {
- /* ( Load key into first 16 bytes of input ) */
- for (j=0; j<16; j++)
- x[j] = key[j];
- /* ( Perform substitutions ) */
- for (j=0; j<5; j++)
- for (k=0; k<(1<<j); k++)
- for (l=0; l<(1<<(4-j)); l++) {
- m = l + k*(1<<(5-j));
- n = m + (1<<(4-j));
- y = (x[m]+2*x[n]) % (1<<(9-j));
- z = (2*x[m]+x[n]) % (1<<(9-j));
- x[m] = table[j][y];
- x[n] = table[j][z];
- }
- /* ( Form bits from bytes ) */
- for (j=0; j<32; j++)
- for (k=0; k<4; k++)
- bit[4*j+k] = (x[j]>>(3-k)) & 1;
- /* ( Permutation but not on the last loop ) */
- if (i < 8)
- for (j=0; j<16; j++) {
- x[j+16] = 0;
- for (k=0; k<8; k++) {
- next_bit = ((8*j + k)*17) % 128;
- x[j+16] |= bit[next_bit] << (7-k);
- }
- }
- }
-
- /*
- * ( At this stage the vector x[] consists of 32 nibbles.
- * The first 8 of these are taken as the output SRES. )
- */
-
- /* The remainder of the code is not given explicitly in the
- * standard, but was derived by reverse-engineering.
- */
-
- for (i=0; i<4; i++)
- simoutput[i] = (x[2*i]<<4) | x[2*i+1];
- for (i=0; i<6; i++)
- simoutput[4+i] = (x[2*i+18]<<6) | (x[2*i+18+1]<<2)
- | (x[2*i+18+2]>>2);
- simoutput[4+6] = (x[2*6+18]<<6) | (x[2*6+18+1]<<2);
- simoutput[4+7] = 0;
-}
-
-
-#ifdef TEST
-int hextoint(char x)
-{
- x = toupper(x);
- if (x >= 'A' && x <= 'F')
- return x-'A'+10;
- else if (x >= '0' && x <= '9')
- return x-'0';
- fprintf(stderr, "bad input.\n");
- exit(1);
-}
-
-int main(int argc, char **argv)
-{
- Byte key[16], rand[16], simoutput[12];
- int i;
-
- if (argc != 3 || strlen(argv[1]) != 34 || strlen(argv[2]) != 34
- || strncmp(argv[1], "0x", 2) != 0
- || strncmp(argv[2], "0x", 2) != 0) {
- fprintf(stderr, "Usage: %s 0x<key> 0x<rand>\n", argv[0]);
- exit(1);
- }
-
- for (i=0; i<16; i++)
- key[i] = (hextoint(argv[1][2*i+2])<<4)
- | hextoint(argv[1][2*i+3]);
- for (i=0; i<16; i++)
- rand[i] = (hextoint(argv[2][2*i+2])<<4)
- | hextoint(argv[2][2*i+3]);
- A3A8(rand, key, simoutput);
- printf("simoutput: ");
- for (i=0; i<12; i++)
- printf("%02X", simoutput[i]);
- printf("\n");
- return 0;
-}
-#endif
-