Change in osmo-msc[master]: support A5/4 in Cipher Mode Command

neels gerrit-no-reply at lists.osmocom.org
Wed Jun 23 22:11:28 UTC 2021


neels has uploaded this change for review. ( https://gerrit.osmocom.org/c/osmo-msc/+/24764 )


Change subject: support A5/4 in Cipher Mode Command
......................................................................

support A5/4 in Cipher Mode Command

Related: SYS#5324
Change-Id: I780a739b9bfbefd4f58be051794fe1a491823e67
---
M include/osmocom/msc/msc_common.h
M src/libmsc/msc_a.c
M src/libmsc/ran_msg_a.c
3 files changed, 35 insertions(+), 3 deletions(-)



  git pull ssh://gerrit.osmocom.org:29418/osmo-msc refs/changes/64/24764/1

diff --git a/include/osmocom/msc/msc_common.h b/include/osmocom/msc/msc_common.h
index 8a43e69..e7ac559 100644
--- a/include/osmocom/msc/msc_common.h
+++ b/include/osmocom/msc/msc_common.h
@@ -32,6 +32,8 @@
 	uint8_t alg_id;
 	uint8_t key_len;
 	uint8_t key[MAX_A5_KEY_LEN];
+	bool kc128_present;
+	uint8_t kc128[MAX_A5_KEY_LEN];
 };
 
 enum complete_layer3_type {
diff --git a/src/libmsc/msc_a.c b/src/libmsc/msc_a.c
index 05030d3..4c38c56 100644
--- a/src/libmsc/msc_a.c
+++ b/src/libmsc/msc_a.c
@@ -292,6 +292,14 @@
 	return msc_a_ran_enc_ciphering(msc_a, umts_aka, retrieve_imeisv);
 }
 
+static uint8_t filter_a5(uint8_t a5_mask, bool umts_aka)
+{
+	/* With GSM AKA: allow A5/0, 1, 3 = 0b00001011 = 0xb.
+	 * UMTS aka: allow A5/0, 1, 3, 4 = 0b00011011 = 0x1b.
+	 */
+	return a5_mask & (umts_aka ? 0x1b : 0x0b);
+}
+
 static int msc_a_ran_enc_ciphering(struct msc_a *msc_a, bool umts_aka, bool retrieve_imeisv)
 {
 	struct gsm_network *net;
@@ -321,7 +329,7 @@
 			.geran = {
 				.umts_aka = umts_aka,
 				.retrieve_imeisv = retrieve_imeisv,
-				.a5_encryption_mask = net->a5_encryption_mask,
+				.a5_encryption_mask = filter_a5(net->a5_encryption_mask, umts_aka),
 
 				/* for ran_a.c to store the GERAN key that is actually used */
 				.chosen_key = &msc_a->geran_encr,
diff --git a/src/libmsc/ran_msg_a.c b/src/libmsc/ran_msg_a.c
index 61e5024..106c2df 100644
--- a/src/libmsc/ran_msg_a.c
+++ b/src/libmsc/ran_msg_a.c
@@ -25,6 +25,7 @@
 #include <osmocom/core/byteswap.h>
 
 #include <osmocom/crypt/auth.h>
+#include <osmocom/crypt/kdf.h>
 
 #include <osmocom/gsm/tlv.h>
 #include <osmocom/gsm/gsm0808.h>
@@ -1019,6 +1020,9 @@
 	case 3:
 		*dst = GSM0808_ALG_ID_A5_3;
 		return 0;
+	case 4:
+		*dst = GSM0808_ALG_ID_A5_4;
+		return 0;
 	default:
 		return -ENOTSUP;
 	}
@@ -1078,21 +1082,39 @@
 	/* In case of UMTS AKA, the Kc for ciphering must be derived from the 3G auth
 	 * tokens.  vec->kc was calculated from the GSM algorithm and is not
 	 * necessarily a match for the UMTS AKA tokens. */
-	if (cm->geran.umts_aka)
+	if (cm->geran.umts_aka) {
+		int i;
 		osmo_auth_c3(ei->key, cm->vec->ck, cm->vec->ik);
-	else
+
+		for (i = 0; i < ei->perm_algo_len; i++) {
+			if (ei->perm_algo[i] != GSM0808_ALG_ID_A5_4)
+				continue;
+			/* A5/4 is included, so need to generate Kc128 */
+			osmo_kdf_kc128(cm->vec->ck, cm->vec->ik, cmc.kc128);
+			cmc.kc128_present = true;
+			break;
+		}
+	} else {
 		memcpy(ei->key, cm->vec->kc, sizeof(cm->vec->kc));
+	}
 	ei->key_len = sizeof(cm->vec->kc);
 
 	/* Store chosen GERAN key where the caller asked it to be stored.
 	 * alg_id remains unknown until we receive a Cipher Mode Complete from the BSC */
 	if (cm->geran.chosen_key) {
+		*cm->geran.chosen_key = (struct geran_encr){0};
+
 		if (ei->key_len > sizeof(cm->geran.chosen_key->key)) {
 			LOG_RAN_A_ENC(fi, LOGL_ERROR, "Chosen key is larger than I can store\n");
 			return NULL;
 		}
 		memcpy(cm->geran.chosen_key->key, ei->key, ei->key_len);
 		cm->geran.chosen_key->key_len = ei->key_len;
+
+		if (cmc.kc128_present) {
+			memcpy(cm->geran.chosen_key->kc128, cmc.kc128, 16);
+			cm->geran.chosen_key->kc128_present = true;
+		}
 	}
 
 	LOG_RAN_A_ENC(fi, LOGL_DEBUG, "Tx BSSMAP CIPHER MODE COMMAND to BSC, %u ciphers (%s) key %s\n",

-- 
To view, visit https://gerrit.osmocom.org/c/osmo-msc/+/24764
To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings

Gerrit-Project: osmo-msc
Gerrit-Branch: master
Gerrit-Change-Id: I780a739b9bfbefd4f58be051794fe1a491823e67
Gerrit-Change-Number: 24764
Gerrit-PatchSet: 1
Gerrit-Owner: neels <nhofmeyr at sysmocom.de>
Gerrit-MessageType: newchange
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osmocom.org/pipermail/gerrit-log/attachments/20210623/32738604/attachment.htm>


More information about the gerrit-log mailing list