srsLTE源码学习:安全密钥 liblte_security_xxxxxx
Table of Contents
liblte_security.h
liblte_security.cc
liblte_security.h
lib\include\srslte\common 16502 4/8/2019
/*******************************************************************************
Copyright 2014 Ben Wojtowicz
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see
liblte_security.cc
lib\src\common 64500 4/8/2019 1008
/*******************************************************************************
Copyright 2014 Ben Wojtowicz
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License
along with this program. If not, see N_bits*8+8+16];
aes_context ctx;
uint32 i;
uint32 j;
uint32 n;
uint32 pad_bits;
uint8 const_zero[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
uint8 L[16];
uint8 K1[16];
uint8 K2[16];
uint8 T[16];
uint8 tmp[16];
if(key != NULL &&
msg != NULL &&
mac != NULL)
{
// Subkey L generation
aes_setkey_enc(&ctx, key, 128);
aes_crypt_ecb(&ctx, AES_ENCRYPT, const_zero, L);
// Subkey K1 generation
for(i=0; i<15; i++)
{
K1[i] = (L[i] << 1) | ((L[i+1] >> 7) & 0x01);
}
K1[15] = L[15] << 1;
if(L[0] & 0x80)
{
K1[15] ^= 0x87;
}
// Subkey K2 generation
for(i=0; i<15; i++)
{
K2[i] = (K1[i] << 1) | ((K1[i+1] >> 7) & 0x01);
}
K2[15] = K1[15] << 1;
if(K1[0] & 0x80)
{
K2[15] ^= 0x87;
}
// Construct M
memset(M, 0, msg->N_bits*8+8+16);
M[0] = (count >> 24) & 0xFF;
M[1] = (count >> 16) & 0xFF;
M[2] = (count >> 8) & 0xFF;
M[3] = count & 0xFF;
M[4] = (bearer << 3) | (direction << 2);
for(i=0; iN_bits/8; i++)
{
M[8+i] = 0;
for(j=0; j<8; j++)
{
M[8+i] |= msg->msg[i*8+j] << (7-j);
}
}
if((msg->N_bits % 8) != 0)
{
M[8+i] = 0;
for(j=0; jN_bits % 8; j++)
{
M[8+i] |= msg->msg[i*8+j] << (7-j);
}
}
// MAC generation
n = (uint32)(ceilf((float)(msg->N_bits+64)/(float)(128)));
for(i=0; i<16; i++)
{
T[i] = 0;
}
for(i=0; iN_bits + 64) % 128;
if(pad_bits == 0)
{
for(j=0; j<16; j++)
{
tmp[j] = T[j] ^ K1[j] ^ M[i*16 + j];
}
aes_crypt_ecb(&ctx, AES_ENCRYPT, tmp, T);
}else{
pad_bits = (128 - pad_bits) - 1;
M[i*16 + (15 - (pad_bits/8))] |= 0x1 << (pad_bits % 8);
for(j=0; j<16; j++)
{
tmp[j] = T[j] ^ K2[j] ^ M[i*16 + j];
}
aes_crypt_ecb(&ctx, AES_ENCRYPT, tmp, T);
}
for(i=0; i<4; i++)
{
mac[i] = T[i];
}
err = LIBLTE_SUCCESS;
}
return(err);
}
/*********************************************************************
Name: liblte_security_encryption_eea1
Description: 128-bit encryption algorithm EEA1.
Document Reference: 33.401 v13.1.0 Annex B.1.2
35.215 v13.0.0 References
Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D1 v2.1
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_security_encryption_eea1(uint8 *key,
uint32 count,
uint8 bearer,
uint8 direction,
uint8 *msg,
uint32 msg_len,
uint8 *out)
{
LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
S3G_STATE state, *state_ptr;
uint32 k[] = {0,0,0,0};
uint32 iv[] = {0,0,0,0};
uint32 *ks;
int32 i;
uint32 msg_len_block_8, msg_len_block_32, m;
if (key != NULL &&
msg != NULL &&
out != NULL)
{
state_ptr = &state;
msg_len_block_8 = (msg_len + 7) / 8;
msg_len_block_32 = (msg_len + 31) / 32;
// Transform key
for (i = 3; i >= 0; i--) {
k[i] = (key[4 * (3 - i) + 0] << 24) |
(key[4 * (3 - i) + 1] << 16) |
(key[4 * (3 - i) + 2] << 8) |
(key[4 * (3 - i) + 3]);
}
// Construct iv
iv[3] = count;
iv[2] = ((bearer & 0x1F) << 27) | ((direction & 0x01) << 26);
iv[1] = iv[3];
iv[0] = iv[2];
// Initialize keystream
s3g_initialize(state_ptr, k, iv);
// Generate keystream
ks = (uint32 *) calloc(msg_len_block_32, sizeof(uint32));
s3g_generate_keystream(state_ptr, msg_len_block_32, ks);
// Generate output except last block
for (i = 0; i < (int32_t)msg_len_block_32 - 1; i++) {
out[4 * i + 0] = msg[4 * i + 0] ^ ((ks[i] >> 24) & 0xFF);
out[4 * i + 1] = msg[4 * i + 1] ^ ((ks[i] >> 16) & 0xFF);
out[4 * i + 2] = msg[4 * i + 2] ^ ((ks[i] >> 8) & 0xFF);
out[4 * i + 3] = msg[4 * i + 3] ^ ((ks[i] & 0xFF));
}
// Process last bytes
for (i = (msg_len_block_32 - 1) * 4; i < (int32_t)msg_len_block_8; i++) {
out[i] = msg[i] ^ ((ks[i / 4] >> ((3 - (i % 4)) * 8)) & 0xFF);
}
// Zero tailing bits
zero_tailing_bits(out, msg_len);
// Clean up
free(ks);
s3g_deinitialize(state_ptr);
err = LIBLTE_SUCCESS;
}
return(err);
}
/*********************************************************************
Name: liblte_security_decryption_eea1
Description: 128-bit decryption algorithm EEA1.
Document Reference: 33.401 v13.1.0 Annex B.1.2
35.215 v13.0.0 References
Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D1 v2.1
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_security_decryption_eea1(uint8 *key,
uint32 count,
uint8 bearer,
uint8 direction,
uint8 *ct,
uint32 ct_len,
uint8 *out) {
return liblte_security_encryption_eea1(key, count, bearer,
direction, ct, ct_len, out);
}
/*********************************************************************
Name: liblte_security_encryption_eea2
Description: 128-bit encryption algorithm EEA2.
Document Reference: 33.401 v13.1.0 Annex B.1.3
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_security_encryption_eea2(uint8 *key,
uint32 count,
uint8 bearer,
uint8 direction,
uint8 *msg,
uint32 msg_len,
uint8 *out)
{
LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
aes_context ctx;
unsigned char stream_blk[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
unsigned char nonce_cnt[16] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};
int32 i;
int ret;
size_t nc_off = 0;
if(key != NULL &&
msg != NULL &&
out != NULL)
{
ret = aes_setkey_enc(&ctx, key, 128);
if (ret == 0) {
// Construct nonce
nonce_cnt[0] = (count >> 24) & 0xFF;
nonce_cnt[1] = (count >> 16) & 0xFF;
nonce_cnt[2] = (count >> 8) & 0xFF;
nonce_cnt[3] = (count) & 0xFF;
nonce_cnt[4] = ((bearer & 0x1F) << 3) |
((direction & 0x01) << 2);
// Encryption
ret = aes_crypt_ctr(&ctx, (msg_len + 7) / 8, &nc_off, nonce_cnt,
stream_blk, msg, out);
}
if (ret == 0) {
// Zero tailing bits
zero_tailing_bits(out, msg_len);
err = LIBLTE_SUCCESS;
}
}
return(err);
}
/*********************************************************************
Name: liblte_security_decryption_eea2
Description: 128-bit decryption algorithm EEA2.
Document Reference: 33.401 v13.1.0 Annex B.1.3
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_security_decryption_eea2(uint8 *key,
uint32 count,
uint8 bearer,
uint8 direction,
uint8 *ct,
uint32 ct_len,
uint8 *out)
{
return liblte_security_encryption_eea2(key, count, bearer,
direction, ct, ct_len, out);
}
/*********************************************************************
Name: liblte_security_milenage_f1
Description: Milenage security function F1. Computes network
authentication code MAC-A from key K, random
challenge RAND, sequence number SQN, and
authentication management field AMF.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_security_milenage_f1(uint8 *k,
uint8 *op_c,
uint8 *rand,
uint8 *sqn,
uint8 *amf,
uint8 *mac_a)
{
LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
ROUND_KEY_STRUCT round_keys;
uint32 i;
uint8 temp[16];
uint8 in1[16];
uint8 out1[16];
uint8 rijndael_input[16];
if(k != NULL &&
op_c != NULL &&
rand != NULL &&
sqn != NULL &&
amf != NULL &&
mac_a != NULL)
{
// Initialize the round keys
rijndael_key_schedule(k, &round_keys);
// Compute temp
for(i=0; i<16; i++)
{
rijndael_input[i] = rand[i] ^ op_c[i];
}
rijndael_encrypt(rijndael_input, &round_keys, temp);
// Construct in1
for(i=0; i<6; i++)
{
in1[i] = sqn[i];
in1[i+8] = sqn[i];
}
for(i=0; i<2; i++)
{
in1[i+6] = amf[i];
in1[i+14] = amf[i];
}
// Compute out1
for(i=0; i<16; i++)
{
rijndael_input[(i+8) % 16] = in1[i] ^ op_c[i];
}
for(i=0; i<16; i++)
{
rijndael_input[i] ^= temp[i];
}
rijndael_encrypt(rijndael_input, &round_keys, out1);
for(i=0; i<16; i++)
{
out1[i] ^= op_c[i];
}
// Return MAC-A
for(i=0; i<8; i++)
{
mac_a[i] = out1[i];
}
err = LIBLTE_SUCCESS;
}
return(err);
}
/*********************************************************************
Name: liblte_security_milenage_f1_star
Description: Milenage security function F1*. Computes resynch
authentication code MAC-S from key K, random
challenge RAND, sequence number SQN, and
authentication management field AMF.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_security_milenage_f1_star(uint8 *k,
uint8 *op_c,
uint8 *rand,
uint8 *sqn,
uint8 *amf,
uint8 *mac_s)
{
LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
ROUND_KEY_STRUCT round_keys;
uint32 i;
uint8 temp[16];
uint8 in1[16];
uint8 out1[16];
uint8 rijndael_input[16];
if(k != NULL &&
op_c != NULL &&
rand != NULL &&
sqn != NULL &&
amf != NULL &&
mac_s != NULL)
{
// Initialize the round keys
rijndael_key_schedule(k, &round_keys);
// Compute temp
for(i=0; i<16; i++)
{
rijndael_input[i] = rand[i] ^ op_c[i];
}
rijndael_encrypt(rijndael_input, &round_keys, temp);
// Construct in1
for(i=0; i<6; i++)
{
in1[i] = sqn[i];
in1[i+8] = sqn[i];
}
for(i=0; i<2; i++)
{
in1[i+6] = amf[i];
in1[i+14] = amf[i];
}
// Compute out1
for(i=0; i<16; i++)
{
rijndael_input[(i+8) % 16] = in1[i] ^ op_c[i];
}
for(i=0; i<16; i++)
{
rijndael_input[i] ^= temp[i];
}
rijndael_encrypt(rijndael_input, &round_keys, out1);
for(i=0; i<16; i++)
{
out1[i] ^= op_c[i];
}
// Return MAC-S
for(i=0; i<8; i++)
{
mac_s[i] = out1[i+8];
}
err = LIBLTE_SUCCESS;
}
return(err);
}
/*********************************************************************
Name: liblte_security_milenage_f2345
Description: Milenage security functions F2, F3, F4, and F5.
Computes response RES, confidentiality key CK,
integrity key IK, and anonymity key AK from random
challenge RAND.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_security_milenage_f2345(uint8 *k,
uint8 *op_c,
uint8 *rand,
uint8 *res,
uint8 *ck,
uint8 *ik,
uint8 *ak)
{
LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
ROUND_KEY_STRUCT round_keys;
uint32 i;
uint8 temp[16];
uint8 out[16];
uint8 rijndael_input[16];
if(k != NULL &&
op_c != NULL &&
rand != NULL &&
res != NULL &&
ck != NULL &&
ik != NULL &&
ak != NULL)
{
// Initialize the round keys
rijndael_key_schedule(k, &round_keys);
// Compute temp
for(i=0; i<16; i++)
{
rijndael_input[i] = rand[i] ^ op_c[i];
}
rijndael_encrypt(rijndael_input, &round_keys, temp);
// Compute out for RES and AK
for(i=0; i<16; i++)
{
rijndael_input[i] = temp[i] ^ op_c[i];
}
rijndael_input[15] ^= 1;
rijndael_encrypt(rijndael_input, &round_keys, out);
for(i=0; i<16; i++)
{
out[i] ^= op_c[i];
}
// Return RES
for(i=0; i<8; i++)
{
res[i] = out[i+8];
}
// Return AK
for(i=0; i<6; i++)
{
ak[i] = out[i];
}
// Compute out for CK
for(i=0; i<16; i++)
{
rijndael_input[(i+12) % 16] = temp[i] ^ op_c[i];
}
rijndael_input[15] ^= 2;
rijndael_encrypt(rijndael_input, &round_keys, out);
for(i=0; i<16; i++)
{
out[i] ^= op_c[i];
}
// Return CK
for(i=0; i<16; i++)
{
ck[i] = out[i];
}
// Compute out for IK
for(i=0; i<16; i++)
{
rijndael_input[(i+8) % 16] = temp[i] ^ op_c[i];
}
rijndael_input[15] ^= 4;
rijndael_encrypt(rijndael_input, &round_keys, out);
for(i=0; i<16; i++)
{
out[i] ^= op_c[i];
}
// Return IK
for(i=0; i<16; i++)
{
ik[i] = out[i];
}
err = LIBLTE_SUCCESS;
}
return(err);
}
/*********************************************************************
Name: liblte_security_milenage_f5_star
Description: Milenage security function F5*. Computes resynch
anonymity key AK from key K and random challenge
RAND.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_security_milenage_f5_star(uint8 *k,
uint8 *op_c,
uint8 *rand,
uint8 *ak)
{
LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
ROUND_KEY_STRUCT round_keys;
uint32 i;
uint8 temp[16];
uint8 out[16];
uint8 rijndael_input[16];
if(k != NULL &&
op_c != NULL &&
rand != NULL &&
ak != NULL)
{
// Initialize the round keys
rijndael_key_schedule(k, &round_keys);
// Compute temp
for(i=0; i<16; i++)
{
rijndael_input[i] = rand[i] ^ op_c[i];
}
rijndael_encrypt(rijndael_input, &round_keys, temp);
// Compute out
for(i=0; i<16; i++)
{
rijndael_input[(i+4) % 16] = temp[i] ^ op_c[i];
}
rijndael_input[15] ^= 8;
rijndael_encrypt(rijndael_input, &round_keys, out);
for(i=0; i<16; i++)
{
out[i] ^= op_c[i];
}
// Return AK
for(i=0; i<6; i++)
{
ak[i] = out[i];
}
err = LIBLTE_SUCCESS;
}
return(err);
}
/*********************************************************************
Name: liblte_compute_opc
Description: Computes OPc from OP and K.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
LIBLTE_ERROR_ENUM liblte_compute_opc(uint8 *k,
uint8 *op,
uint8 *op_c)
{
uint32 i;
ROUND_KEY_STRUCT round_keys;//uint8 rk[11][4][4];
LIBLTE_ERROR_ENUM err = LIBLTE_ERROR_INVALID_INPUTS;
if(k != NULL &&
op != NULL &&
op_c != NULL)
{
rijndael_key_schedule(k, &round_keys); //附表
rijndael_encrypt(op, &round_keys, op_c); //加密
for(i=0; i<16; i++)
{
op_c[i] ^= op[i];
}
err = LIBLTE_SUCCESS;
}
return err;
}
/*******************************************************************************
LOCAL FUNCTIONS
*******************************************************************************/
/*********************************************************************
Name: rijndael_key_schedule
Description: Computes all Rijndael's internal subkeys from key.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
void rijndael_key_schedule(uint8 *key,
ROUND_KEY_STRUCT *rk)
{
uint32 i;
uint32 j;
uint8 round_const;
// Set first round key to key
for(i=0; i<16; i++)
{
rk->rk[0][i & 0x03][i >> 2] = key[i];
}
round_const = 1;
// Compute the remaining round keys
for(i=1; i<11; i++)
{
rk->rk[i][0][0] = S[rk->rk[i-1][1][3]] ^ rk->rk[i-1][0][0] ^ round_const;
rk->rk[i][1][0] = S[rk->rk[i-1][2][3]] ^ rk->rk[i-1][1][0];
rk->rk[i][2][0] = S[rk->rk[i-1][3][3]] ^ rk->rk[i-1][2][0];
rk->rk[i][3][0] = S[rk->rk[i-1][0][3]] ^ rk->rk[i-1][3][0];
for(j=0; j<4; j++)
{
rk->rk[i][j][1] = rk->rk[i-1][j][1] ^ rk->rk[i][j][0];
rk->rk[i][j][2] = rk->rk[i-1][j][2] ^ rk->rk[i][j][1];
rk->rk[i][j][3] = rk->rk[i-1][j][3] ^ rk->rk[i][j][2];
}
round_const = X_TIME[round_const];
}
}
/*********************************************************************
Name: rijndael_encrypt
Description: Computes output using input and round keys.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
void rijndael_encrypt(uint8 *input,
ROUND_KEY_STRUCT *rk,
uint8 *output)
{
STATE_STRUCT state;
uint32 i;
uint32 r;
// Initialize and perform round 0
for(i=0; i<16; i++)
{
state.state[i & 0x03][i >> 2] = input[i];
}
key_add(&state, rk, 0);
// Perform rounds 1 through 9
for(r=1; r<=9; r++)
{
byte_sub(&state);
shift_row(&state);
mix_column(&state);
key_add(&state, rk, r);
}
// Perform round 10
byte_sub(&state);
shift_row(&state);
key_add(&state, rk, r);
// Return output
for(i=0; i<16; i++)
{
output[i] = state.state[i & 0x03][i >> 2];
}
}
/*********************************************************************
Name: key_add
Description: Round key addition function.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
void key_add(STATE_STRUCT *state,
ROUND_KEY_STRUCT *rk,
uint32 round)
{
uint32 i;
uint32 j;
for(i=0; i<4; i++)
{
for(j=0; j<4; j++)
{
state->state[i][j] ^= rk->rk[round][i][j];
}
}
}
/*********************************************************************
Name: byte_sub
Description: Byte substitution transformation.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
void byte_sub(STATE_STRUCT *state)
{
uint32 i;
uint32 j;
for(i=0; i<4; i++)
{
for(j=0; j<4; j++)
{
state->state[i][j] = S[state->state[i][j]];
}
}
}
/*********************************************************************
Name: shift_row
Description: Row shift transformation.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
void shift_row(STATE_STRUCT *state)
{
uint8 temp;
// Left rotate row 1 by 1
temp = state->state[1][0];
state->state[1][0] = state->state[1][1];
state->state[1][1] = state->state[1][2];
state->state[1][2] = state->state[1][3];
state->state[1][3] = temp;
// Left rotate row 2 by 2
temp = state->state[2][0];
state->state[2][0] = state->state[2][2];
state->state[2][2] = temp;
temp = state->state[2][1];
state->state[2][1] = state->state[2][3];
state->state[2][3] = temp;
// Left rotate row 3 by 3
temp = state->state[3][0];
state->state[3][0] = state->state[3][3];
state->state[3][3] = state->state[3][2];
state->state[3][2] = state->state[3][1];
state->state[3][1] = temp;
}
/*********************************************************************
Name: mix_column
Description: Mix column transformation.
Document Reference: 35.206 v10.0.0 Annex 3
*********************************************************************/
void mix_column(STATE_STRUCT *state)
{
uint32 i;
uint8 temp;
uint8 tmp0;
uint8 tmp;
for(i=0; i<4; i++)
{
temp = state->state[0][i] ^ state->state[1][i] ^ state->state[2][i] ^ state->state[3][i];
tmp0 = state->state[0][i];
tmp = X_TIME[state->state[0][i] ^ state->state[1][i]];
state->state[0][i] ^= temp ^ tmp;
tmp = X_TIME[state->state[1][i] ^ state->state[2][i]];
state->state[1][i] ^= temp ^ tmp;
tmp = X_TIME[state->state[2][i] ^ state->state[3][i]];
state->state[2][i] ^= temp ^ tmp;
tmp = X_TIME[state->state[3][i] ^ tmp0];
state->state[3][i] ^= temp ^ tmp;
}
}
/*********************************************************************
Name: zero_tailing_bits
Description: Fill tailing bits with zeros.
Document Reference: -
*********************************************************************/
void zero_tailing_bits(uint8 * data, uint32 length_bits) {
uint8 bits = (8 - (length_bits & 0x07)) & 0x07;
data[(length_bits + 7) / 8 - 1] &= (uint8) (0xFF << bits);
}
/*********************************************************************
Name: s3g_mul_x
Description: Multiplication with reduction.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 3.1.1
*********************************************************************/
uint8 s3g_mul_x(uint8 v, uint8 c) {
if (v & 0x80)
return ((v << 1) ^ c);
else
return (v << 1);
}
/*********************************************************************
Name: s3g_mul_x_pow
Description: Recursive multiplication with reduction.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 3.1.2
*********************************************************************/
uint8 s3g_mul_x_pow(uint8 v, uint8 i, uint8 c) {
if (i == 0)
return v;
else
return s3g_mul_x(s3g_mul_x_pow(v, i - 1, c), c);
}
/*********************************************************************
Name: s3g_mul_alpha
Description: Multiplication with alpha.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 3.4.2
*********************************************************************/
uint32 s3g_mul_alpha(uint8 c) {
return ((((uint32) s3g_mul_x_pow(c, 23, 0xa9)) << 24) |
(((uint32) s3g_mul_x_pow(c, 245, 0xa9)) << 16) |
(((uint32) s3g_mul_x_pow(c, 48, 0xa9)) << 8) |
(((uint32) s3g_mul_x_pow(c, 239, 0xa9))));
}
/*********************************************************************
Name: s3g_div_alpha
Description: Division by alpha.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 3.4.3
*********************************************************************/
uint32 s3g_div_alpha(uint8 c) {
return ((((uint32) s3g_mul_x_pow(c, 16, 0xa9)) << 24) |
(((uint32) s3g_mul_x_pow(c, 39, 0xa9)) << 16) |
(((uint32) s3g_mul_x_pow(c, 6, 0xa9)) << 8) |
(((uint32) s3g_mul_x_pow(c, 64, 0xa9))));
}
/*********************************************************************
Name: s3g_s1
Description: S-Box S1.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 3.3.1
*********************************************************************/
uint32 s3g_s1(uint32 w) {
uint8 r0 = 0, r1 = 0, r2 = 0, r3 = 0;
uint8 srw0 = S[(uint8) ((w >> 24) & 0xff)];
uint8 srw1 = S[(uint8) ((w >> 16) & 0xff)];
uint8 srw2 = S[(uint8) ((w >> 8) & 0xff)];
uint8 srw3 = S[(uint8) ((w) & 0xff)];
r0 = ((s3g_mul_x(srw0, 0x1b)) ^
(srw1) ^
(srw2) ^
((s3g_mul_x(srw3, 0x1b)) ^ srw3));
r1 = (((s3g_mul_x(srw0, 0x1b)) ^ srw0) ^
(s3g_mul_x(srw1, 0x1b)) ^
(srw2) ^
(srw3));
r2 = ((srw0) ^
((s3g_mul_x(srw1, 0x1b)) ^ srw1) ^
(s3g_mul_x(srw2, 0x1b)) ^
(srw3));
r3 = ((srw0) ^
(srw1) ^
((s3g_mul_x(srw2, 0x1b)) ^ srw2) ^
(s3g_mul_x(srw3, 0x1b)));
return ((((uint32) r0) << 24) |
(((uint32) r1) << 16) |
(((uint32) r2) << 8) |
(((uint32) r3)));
}
/*********************************************************************
Name: s3g_s2
Description: S-Box S2.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 3.3.2
*********************************************************************/
uint32 s3g_s2(uint32 w) {
uint8 r0 = 0, r1 = 0, r2 = 0, r3 = 0;
uint8 sqw0 = SQ[(uint8) ((w >> 24) & 0xff)];
uint8 sqw1 = SQ[(uint8) ((w >> 16) & 0xff)];
uint8 sqw2 = SQ[(uint8) ((w >> 8) & 0xff)];
uint8 sqw3 = SQ[(uint8) ((w) & 0xff)];
r0 = ((s3g_mul_x(sqw0, 0x69)) ^
(sqw1) ^
(sqw2) ^
((s3g_mul_x(sqw3, 0x69)) ^ sqw3));
r1 = (((s3g_mul_x(sqw0, 0x69)) ^ sqw0) ^
(s3g_mul_x(sqw1, 0x69)) ^
(sqw2) ^
(sqw3));
r2 = ((sqw0) ^
((s3g_mul_x(sqw1, 0x69)) ^ sqw1) ^
(s3g_mul_x(sqw2, 0x69)) ^
(sqw3));
r3 = ((sqw0) ^
(sqw1) ^
((s3g_mul_x(sqw2, 0x69)) ^ sqw2) ^
(s3g_mul_x(sqw3, 0x69)));
return ((((uint32) r0) << 24) |
(((uint32) r1) << 16) |
(((uint32) r2) << 8) |
(((uint32) r3)));
}
/*********************************************************************
Name: s3g_clock_lfsr
Description: Clocking LFSR.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 3.4.4 and Section 3.4.5
*********************************************************************/
void s3g_clock_lfsr(S3G_STATE * state, uint32 f) {
uint32 v = (
((state->lfsr[0] << 8) & 0xffffff00) ^
(s3g_mul_alpha((uint8) ((state->lfsr[0] >> 24) & 0xff))) ^
(state->lfsr[2]) ^
((state->lfsr[11] >> 8) & 0x00ffffff) ^
(s3g_div_alpha((uint8) ((state->lfsr[11]) & 0xff))) ^
(f)
);
uint8 i;
for (i = 0; i < 15; i++) {
state->lfsr[i] = state->lfsr[i + 1];
}
state->lfsr[15] = v;
}
/*********************************************************************
Name: s3g_clock_fsm
Description: Clocking FSM.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 3.4.6
*********************************************************************/
uint32 s3g_clock_fsm(S3G_STATE * state) {
uint32 f = ((state->lfsr[15] + state->fsm[0]) & 0xffffffff) ^
state->fsm[1];
uint32 r = (state->fsm[1] + (state->fsm[2] ^ state->lfsr[5])) &
0xffffffff;
state->fsm[2] = s3g_s2(state->fsm[1]);
state->fsm[1] = s3g_s1(state->fsm[0]);
state->fsm[0] = r;
return f;
}
/*********************************************************************
Name: s3g_initialize
Description: Initialization.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 4.1
*********************************************************************/
void s3g_initialize(S3G_STATE * state, uint32 k[4], uint32 iv[4]) {
uint8 i = 0;
uint32 f = 0x0;
state->lfsr = (uint32 *) calloc(16, sizeof(uint32));
state->fsm = (uint32 *) calloc( 3, sizeof(uint32));
state->lfsr[15] = k[3] ^ iv[0];
state->lfsr[14] = k[2];
state->lfsr[13] = k[1];
state->lfsr[12] = k[0] ^ iv[1];
state->lfsr[11] = k[3] ^ 0xffffffff;
state->lfsr[10] = k[2] ^ 0xffffffff ^ iv[2];
state->lfsr[ 9] = k[1] ^ 0xffffffff ^ iv[3];
state->lfsr[ 8] = k[0] ^ 0xffffffff;
state->lfsr[ 7] = k[3];
state->lfsr[ 6] = k[2];
state->lfsr[ 5] = k[1];
state->lfsr[ 4] = k[0];
state->lfsr[ 3] = k[3] ^ 0xffffffff;
state->lfsr[ 2] = k[2] ^ 0xffffffff;
state->lfsr[ 1] = k[1] ^ 0xffffffff;
state->lfsr[ 0] = k[0] ^ 0xffffffff;
state->fsm[0] = 0x0;
state->fsm[1] = 0x0;
state->fsm[2] = 0x0;
for (i = 0; i < 32; i++) {
f = s3g_clock_fsm(state);
s3g_clock_lfsr(state, f);
}
}
/*********************************************************************
Name: s3g_deinitialize
Description: Deinitialization.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
*********************************************************************/
void s3g_deinitialize(S3G_STATE * state) {
free(state->lfsr);
free(state->fsm);
}
/*********************************************************************
Name: s3g_generate_keystream
Description: Generation of Keystream.
Document Reference: Specification of the 3GPP Confidentiality and
Integrity Algorithms UEA2 & UIA2 D2 v1.1
Section 4.2
*********************************************************************/
void s3g_generate_keystream(S3G_STATE * state, uint32 n, uint32 *ks) {
uint32 t = 0;
uint32 f = 0x0;
// Clock FSM once. Discard the output.
s3g_clock_fsm(state);
// Clock LFSR in keystream mode once.
s3g_clock_lfsr(state, 0x0);
for (t = 0; t < n; t++) {
f = s3g_clock_fsm(state);
// Note that ks[t] corresponds to z_{t+1} in section 4.2
ks[t] = f ^ state->lfsr[0];
s3g_clock_lfsr(state, 0x0);
}
}