Disconnect hostapd from building in base
[dragonfly.git] / contrib / hostapd / src / utils / pcsc_funcs.c
CommitLineData
a875087d
JL
1/*
2 * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM
4781064b 3 * Copyright (c) 2004-2007, 2012, Jouni Malinen <j@w1.fi>
a875087d 4 *
4781064b
JM
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
a875087d
JL
7 *
8 * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM
9 * cards through PC/SC smartcard library. These functions are used to implement
10 * authentication routines for EAP-SIM and EAP-AKA.
11 */
12
13#include "includes.h"
14#include <winscard.h>
15
16#include "common.h"
17#include "pcsc_funcs.h"
18
19
20/* See ETSI GSM 11.11 and ETSI TS 102 221 for details.
21 * SIM commands:
22 * Command APDU: CLA INS P1 P2 P3 Data
23 * CLA (class of instruction): A0 for GSM, 00 for USIM
24 * INS (instruction)
25 * P1 P2 P3 (parameters, P3 = length of Data)
26 * Response APDU: Data SW1 SW2
27 * SW1 SW2 (Status words)
28 * Commands (INS P1 P2 P3):
29 * SELECT: A4 00 00 02 <file_id, 2 bytes>
30 * GET RESPONSE: C0 00 00 <len>
31 * RUN GSM ALG: 88 00 00 00 <RAND len = 10>
32 * RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN
33 * P1 = ID of alg in card
34 * P2 = ID of secret key
35 * READ BINARY: B0 <offset high> <offset low> <len>
36 * READ RECORD: B2 <record number> <mode> <len>
37 * P2 (mode) = '02' (next record), '03' (previous record),
38 * '04' (absolute mode)
39 * VERIFY CHV: 20 00 <CHV number> 08
40 * CHANGE CHV: 24 00 <CHV number> 10
41 * DISABLE CHV: 26 00 01 08
42 * ENABLE CHV: 28 00 01 08
43 * UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10
44 * SLEEP: FA 00 00 00
45 */
46
47/* GSM SIM commands */
48#define SIM_CMD_SELECT 0xa0, 0xa4, 0x00, 0x00, 0x02
49#define SIM_CMD_RUN_GSM_ALG 0xa0, 0x88, 0x00, 0x00, 0x10
50#define SIM_CMD_GET_RESPONSE 0xa0, 0xc0, 0x00, 0x00
51#define SIM_CMD_READ_BIN 0xa0, 0xb0, 0x00, 0x00
52#define SIM_CMD_READ_RECORD 0xa0, 0xb2, 0x00, 0x00
53#define SIM_CMD_VERIFY_CHV1 0xa0, 0x20, 0x00, 0x01, 0x08
54
55/* USIM commands */
56#define USIM_CLA 0x00
57#define USIM_CMD_RUN_UMTS_ALG 0x00, 0x88, 0x00, 0x81, 0x22
58#define USIM_CMD_GET_RESPONSE 0x00, 0xc0, 0x00, 0x00
59
60#define SIM_RECORD_MODE_ABSOLUTE 0x04
61
62#define USIM_FSP_TEMPL_TAG 0x62
63
64#define USIM_TLV_FILE_DESC 0x82
65#define USIM_TLV_FILE_ID 0x83
66#define USIM_TLV_DF_NAME 0x84
67#define USIM_TLV_PROPR_INFO 0xA5
68#define USIM_TLV_LIFE_CYCLE_STATUS 0x8A
69#define USIM_TLV_FILE_SIZE 0x80
70#define USIM_TLV_TOTAL_FILE_SIZE 0x81
71#define USIM_TLV_PIN_STATUS_TEMPLATE 0xC6
72#define USIM_TLV_SHORT_FILE_ID 0x88
4781064b
JM
73#define USIM_TLV_SECURITY_ATTR_8B 0x8B
74#define USIM_TLV_SECURITY_ATTR_8C 0x8C
75#define USIM_TLV_SECURITY_ATTR_AB 0xAB
a875087d
JL
76
77#define USIM_PS_DO_TAG 0x90
78
79#define AKA_RAND_LEN 16
80#define AKA_AUTN_LEN 16
81#define AKA_AUTS_LEN 14
82#define RES_MAX_LEN 16
83#define IK_LEN 16
84#define CK_LEN 16
85
86
4781064b
JM
87/* GSM files
88 * File type in first octet:
89 * 3F = Master File
90 * 7F = Dedicated File
91 * 2F = Elementary File under the Master File
92 * 6F = Elementary File under a Dedicated File
93 */
94#define SCARD_FILE_MF 0x3F00
95#define SCARD_FILE_GSM_DF 0x7F20
96#define SCARD_FILE_UMTS_DF 0x7F50
97#define SCARD_FILE_GSM_EF_IMSI 0x6F07
98#define SCARD_FILE_GSM_EF_AD 0x6FAD
99#define SCARD_FILE_EF_DIR 0x2F00
100#define SCARD_FILE_EF_ICCID 0x2FE2
101#define SCARD_FILE_EF_CK 0x6FE1
102#define SCARD_FILE_EF_IK 0x6FE2
103
104#define SCARD_CHV1_OFFSET 13
105#define SCARD_CHV1_FLAG 0x80
106
107
a875087d
JL
108typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types;
109
110struct scard_data {
111 SCARDCONTEXT ctx;
112 SCARDHANDLE card;
113 DWORD protocol;
114 sim_types sim_type;
115 int pin1_required;
116};
117
118#ifdef __MINGW32_VERSION
119/* MinGW does not yet support WinScard, so load the needed functions
120 * dynamically from winscard.dll for now. */
121
122static HINSTANCE dll = NULL; /* winscard.dll */
123
124static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci;
125#undef SCARD_PCI_T0
126#define SCARD_PCI_T0 (dll_g_rgSCardT0Pci)
127#undef SCARD_PCI_T1
128#define SCARD_PCI_T1 (dll_g_rgSCardT1Pci)
129
130
131static WINSCARDAPI LONG WINAPI
132(*dll_SCardEstablishContext)(IN DWORD dwScope,
133 IN LPCVOID pvReserved1,
134 IN LPCVOID pvReserved2,
135 OUT LPSCARDCONTEXT phContext);
136#define SCardEstablishContext dll_SCardEstablishContext
137
138static long (*dll_SCardReleaseContext)(long hContext);
139#define SCardReleaseContext dll_SCardReleaseContext
140
141static WINSCARDAPI LONG WINAPI
142(*dll_SCardListReadersA)(IN SCARDCONTEXT hContext,
143 IN LPCSTR mszGroups,
144 OUT LPSTR mszReaders,
145 IN OUT LPDWORD pcchReaders);
146#undef SCardListReaders
147#define SCardListReaders dll_SCardListReadersA
148
149static WINSCARDAPI LONG WINAPI
150(*dll_SCardConnectA)(IN SCARDCONTEXT hContext,
151 IN LPCSTR szReader,
152 IN DWORD dwShareMode,
153 IN DWORD dwPreferredProtocols,
154 OUT LPSCARDHANDLE phCard,
155 OUT LPDWORD pdwActiveProtocol);
156#undef SCardConnect
157#define SCardConnect dll_SCardConnectA
158
159static WINSCARDAPI LONG WINAPI
160(*dll_SCardDisconnect)(IN SCARDHANDLE hCard,
161 IN DWORD dwDisposition);
162#define SCardDisconnect dll_SCardDisconnect
163
164static WINSCARDAPI LONG WINAPI
165(*dll_SCardTransmit)(IN SCARDHANDLE hCard,
166 IN LPCSCARD_IO_REQUEST pioSendPci,
167 IN LPCBYTE pbSendBuffer,
168 IN DWORD cbSendLength,
169 IN OUT LPSCARD_IO_REQUEST pioRecvPci,
170 OUT LPBYTE pbRecvBuffer,
171 IN OUT LPDWORD pcbRecvLength);
172#define SCardTransmit dll_SCardTransmit
173
174static WINSCARDAPI LONG WINAPI
175(*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard);
176#define SCardBeginTransaction dll_SCardBeginTransaction
177
178static WINSCARDAPI LONG WINAPI
179(*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition);
180#define SCardEndTransaction dll_SCardEndTransaction
181
182
183static int mingw_load_symbols(void)
184{
185 char *sym;
186
187 if (dll)
188 return 0;
189
190 dll = LoadLibrary("winscard");
191 if (dll == NULL) {
192 wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll "
193 "library");
194 return -1;
195 }
196
197#define LOADSYM(s) \
198 sym = #s; \
199 dll_ ## s = (void *) GetProcAddress(dll, sym); \
200 if (dll_ ## s == NULL) \
201 goto fail;
202
203 LOADSYM(SCardEstablishContext);
204 LOADSYM(SCardReleaseContext);
205 LOADSYM(SCardListReadersA);
206 LOADSYM(SCardConnectA);
207 LOADSYM(SCardDisconnect);
208 LOADSYM(SCardTransmit);
209 LOADSYM(SCardBeginTransaction);
210 LOADSYM(SCardEndTransaction);
211 LOADSYM(g_rgSCardT0Pci);
212 LOADSYM(g_rgSCardT1Pci);
213
214#undef LOADSYM
215
216 return 0;
217
218fail:
219 wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from "
220 "winscard.dll", sym);
221 FreeLibrary(dll);
222 dll = NULL;
223 return -1;
224}
225
226
227static void mingw_unload_symbols(void)
228{
229 if (dll == NULL)
230 return;
231
232 FreeLibrary(dll);
233 dll = NULL;
234}
235
236#else /* __MINGW32_VERSION */
237
238#define mingw_load_symbols() 0
239#define mingw_unload_symbols() do { } while (0)
240
241#endif /* __MINGW32_VERSION */
242
243
244static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
245 unsigned char *buf, size_t *buf_len,
246 sim_types sim_type, unsigned char *aid,
247 size_t aidlen);
248static int scard_select_file(struct scard_data *scard, unsigned short file_id,
249 unsigned char *buf, size_t *buf_len);
250static int scard_verify_pin(struct scard_data *scard, const char *pin);
251static int scard_get_record_len(struct scard_data *scard,
252 unsigned char recnum, unsigned char mode);
253static int scard_read_record(struct scard_data *scard,
254 unsigned char *data, size_t len,
255 unsigned char recnum, unsigned char mode);
256
257
258static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
259 int *ps_do, int *file_len)
260{
4781064b
JM
261 unsigned char *pos, *end;
262
263 if (ps_do)
264 *ps_do = -1;
265 if (file_len)
266 *file_len = -1;
267
268 pos = buf;
269 end = pos + buf_len;
270 if (*pos != USIM_FSP_TEMPL_TAG) {
271 wpa_printf(MSG_DEBUG, "SCARD: file header did not "
272 "start with FSP template tag");
273 return -1;
274 }
275 pos++;
276 if (pos >= end)
277 return -1;
278 if ((pos + pos[0]) < end)
279 end = pos + 1 + pos[0];
280 pos++;
281 wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
282 pos, end - pos);
283
284 while (pos + 1 < end) {
285 wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV 0x%02x len=%d",
286 pos[0], pos[1]);
287 if (pos + 2 + pos[1] > end)
288 break;
a875087d 289
4781064b
JM
290 switch (pos[0]) {
291 case USIM_TLV_FILE_DESC:
292 wpa_hexdump(MSG_MSGDUMP, "SCARD: File Descriptor TLV",
293 pos + 2, pos[1]);
294 break;
295 case USIM_TLV_FILE_ID:
296 wpa_hexdump(MSG_MSGDUMP, "SCARD: File Identifier TLV",
297 pos + 2, pos[1]);
298 break;
299 case USIM_TLV_DF_NAME:
300 wpa_hexdump(MSG_MSGDUMP, "SCARD: DF name (AID) TLV",
301 pos + 2, pos[1]);
302 break;
303 case USIM_TLV_PROPR_INFO:
304 wpa_hexdump(MSG_MSGDUMP, "SCARD: Proprietary "
305 "information TLV", pos + 2, pos[1]);
306 break;
307 case USIM_TLV_LIFE_CYCLE_STATUS:
308 wpa_hexdump(MSG_MSGDUMP, "SCARD: Life Cycle Status "
309 "Integer TLV", pos + 2, pos[1]);
310 break;
311 case USIM_TLV_FILE_SIZE:
312 wpa_hexdump(MSG_MSGDUMP, "SCARD: File size TLV",
313 pos + 2, pos[1]);
314 if ((pos[1] == 1 || pos[1] == 2) && file_len) {
a875087d
JL
315 if (pos[1] == 1)
316 *file_len = (int) pos[2];
317 else
318 *file_len = ((int) pos[2] << 8) |
319 (int) pos[3];
320 wpa_printf(MSG_DEBUG, "SCARD: file_size=%d",
321 *file_len);
322 }
4781064b
JM
323 break;
324 case USIM_TLV_TOTAL_FILE_SIZE:
325 wpa_hexdump(MSG_MSGDUMP, "SCARD: Total file size TLV",
326 pos + 2, pos[1]);
327 break;
328 case USIM_TLV_PIN_STATUS_TEMPLATE:
329 wpa_hexdump(MSG_MSGDUMP, "SCARD: PIN Status Template "
330 "DO TLV", pos + 2, pos[1]);
331 if (pos[1] >= 2 && pos[2] == USIM_PS_DO_TAG &&
a875087d
JL
332 pos[3] >= 1 && ps_do) {
333 wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x",
334 pos[4]);
335 *ps_do = (int) pos[4];
336 }
4781064b
JM
337 break;
338 case USIM_TLV_SHORT_FILE_ID:
339 wpa_hexdump(MSG_MSGDUMP, "SCARD: Short File "
340 "Identifier (SFI) TLV", pos + 2, pos[1]);
341 break;
342 case USIM_TLV_SECURITY_ATTR_8B:
343 case USIM_TLV_SECURITY_ATTR_8C:
344 case USIM_TLV_SECURITY_ATTR_AB:
345 wpa_hexdump(MSG_MSGDUMP, "SCARD: Security attribute "
346 "TLV", pos + 2, pos[1]);
347 break;
348 default:
349 wpa_hexdump(MSG_MSGDUMP, "SCARD: Unrecognized TLV",
350 pos, 2 + pos[1]);
351 break;
352 }
a875087d 353
4781064b 354 pos += 2 + pos[1];
a875087d 355
4781064b
JM
356 if (pos == end)
357 return 0;
358 }
359 return -1;
a875087d
JL
360}
361
362
363static int scard_pin_needed(struct scard_data *scard,
364 unsigned char *hdr, size_t hlen)
365{
366 if (scard->sim_type == SCARD_GSM_SIM) {
367 if (hlen > SCARD_CHV1_OFFSET &&
368 !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG))
369 return 1;
370 return 0;
371 }
372
373 if (scard->sim_type == SCARD_USIM) {
374 int ps_do;
375 if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL))
376 return -1;
377 /* TODO: there could be more than one PS_DO entry because of
378 * multiple PINs in key reference.. */
379 if (ps_do > 0 && (ps_do & 0x80))
380 return 1;
381 return 0;
382 }
383
384 return -1;
385}
386
387
388static int scard_get_aid(struct scard_data *scard, unsigned char *aid,
389 size_t maxlen)
390{
391 int rlen, rec;
392 struct efdir {
393 unsigned char appl_template_tag; /* 0x61 */
394 unsigned char appl_template_len;
395 unsigned char appl_id_tag; /* 0x4f */
396 unsigned char aid_len;
397 unsigned char rid[5];
398 unsigned char appl_code[2]; /* 0x1002 for 3G USIM */
399 } *efdir;
4781064b 400 unsigned char buf[127];
a875087d
JL
401 size_t blen;
402
403 efdir = (struct efdir *) buf;
404 blen = sizeof(buf);
405 if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) {
406 wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR");
407 return -1;
408 }
409 wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen);
410
411 for (rec = 1; rec < 10; rec++) {
412 rlen = scard_get_record_len(scard, rec,
413 SIM_RECORD_MODE_ABSOLUTE);
414 if (rlen < 0) {
415 wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR "
416 "record length");
417 return -1;
418 }
419 blen = sizeof(buf);
420 if (rlen > (int) blen) {
421 wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record");
422 return -1;
423 }
424 if (scard_read_record(scard, buf, rlen, rec,
425 SIM_RECORD_MODE_ABSOLUTE) < 0) {
426 wpa_printf(MSG_DEBUG, "SCARD: Failed to read "
427 "EF_DIR record %d", rec);
428 return -1;
429 }
430 wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen);
431
432 if (efdir->appl_template_tag != 0x61) {
433 wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
434 "template tag 0x%x",
435 efdir->appl_template_tag);
436 continue;
437 }
438
439 if (efdir->appl_template_len > rlen - 2) {
440 wpa_printf(MSG_DEBUG, "SCARD: Too long application "
441 "template (len=%d rlen=%d)",
442 efdir->appl_template_len, rlen);
443 continue;
444 }
445
446 if (efdir->appl_id_tag != 0x4f) {
447 wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
448 "identifier tag 0x%x", efdir->appl_id_tag);
449 continue;
450 }
451
452 if (efdir->aid_len < 1 || efdir->aid_len > 16) {
453 wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %d",
454 efdir->aid_len);
455 continue;
456 }
457
458 wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record",
459 efdir->rid, efdir->aid_len);
460
461 if (efdir->appl_code[0] == 0x10 &&
462 efdir->appl_code[1] == 0x02) {
463 wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from "
464 "EF_DIR record %d", rec);
465 break;
466 }
467 }
468
469 if (rec >= 10) {
470 wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found "
471 "from EF_DIR records");
472 return -1;
473 }
474
475 if (efdir->aid_len > maxlen) {
476 wpa_printf(MSG_DEBUG, "SCARD: Too long AID");
477 return -1;
478 }
479
480 os_memcpy(aid, efdir->rid, efdir->aid_len);
481
482 return efdir->aid_len;
483}
484
485
486/**
487 * scard_init - Initialize SIM/USIM connection using PC/SC
4781064b 488 * @reader: Reader name prefix to search for
a875087d
JL
489 * Returns: Pointer to private data structure, or %NULL on failure
490 *
491 * This function is used to initialize SIM/USIM connection. PC/SC is used to
4781064b
JM
492 * open connection to the SIM/USIM card. In addition, local flag is set if a
493 * PIN is needed to access some of the card functions. Once the connection is
494 * not needed anymore, scard_deinit() can be used to close it.
a875087d 495 */
4781064b 496struct scard_data * scard_init(const char *reader)
a875087d
JL
497{
498 long ret;
4781064b 499 unsigned long len, pos;
a875087d
JL
500 struct scard_data *scard;
501#ifdef CONFIG_NATIVE_WINDOWS
502 TCHAR *readers = NULL;
503#else /* CONFIG_NATIVE_WINDOWS */
504 char *readers = NULL;
505#endif /* CONFIG_NATIVE_WINDOWS */
506 unsigned char buf[100];
507 size_t blen;
508 int transaction = 0;
509 int pin_needed;
510
511 wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface");
512 if (mingw_load_symbols())
513 return NULL;
514 scard = os_zalloc(sizeof(*scard));
515 if (scard == NULL)
516 return NULL;
517
518 ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL,
519 &scard->ctx);
520 if (ret != SCARD_S_SUCCESS) {
521 wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card "
522 "context (err=%ld)", ret);
523 goto failed;
524 }
525
526 ret = SCardListReaders(scard->ctx, NULL, NULL, &len);
527 if (ret != SCARD_S_SUCCESS) {
528 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed "
529 "(err=%ld)", ret);
530 goto failed;
531 }
532
533#ifdef UNICODE
534 len *= 2;
535#endif /* UNICODE */
536 readers = os_malloc(len);
537 if (readers == NULL) {
538 wpa_printf(MSG_INFO, "SCARD: malloc failed\n");
539 goto failed;
540 }
541
542 ret = SCardListReaders(scard->ctx, NULL, readers, &len);
543 if (ret != SCARD_S_SUCCESS) {
544 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) "
545 "(err=%ld)", ret);
546 goto failed;
547 }
548 if (len < 3) {
549 wpa_printf(MSG_WARNING, "SCARD: No smart card readers "
550 "available.");
551 goto failed;
552 }
4781064b
JM
553 wpa_hexdump_ascii(MSG_DEBUG, "SCARD: Readers", (u8 *) readers, len);
554 /*
555 * readers is a list of available readers. The last entry is terminated
556 * with double null.
557 */
558 pos = 0;
559#ifdef UNICODE
560 /* TODO */
561#else /* UNICODE */
562 while (pos < len) {
563 if (reader == NULL ||
564 os_strncmp(&readers[pos], reader, os_strlen(reader)) == 0)
565 break;
566 while (pos < len && readers[pos])
567 pos++;
568 pos++; /* skip separating null */
569 if (pos < len && readers[pos] == '\0')
570 pos = len; /* double null terminates list */
571 }
572#endif /* UNICODE */
573 if (pos >= len) {
574 wpa_printf(MSG_WARNING, "SCARD: No reader with prefix '%s' "
575 "found", reader);
576 goto failed;
577 }
578
a875087d 579#ifdef UNICODE
4781064b 580 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", &readers[pos]);
a875087d 581#else /* UNICODE */
4781064b 582 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", &readers[pos]);
a875087d
JL
583#endif /* UNICODE */
584
4781064b
JM
585 ret = SCardConnect(scard->ctx, &readers[pos], SCARD_SHARE_SHARED,
586 SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
587 &scard->card, &scard->protocol);
a875087d
JL
588 if (ret != SCARD_S_SUCCESS) {
589 if (ret == (long) SCARD_E_NO_SMARTCARD)
590 wpa_printf(MSG_INFO, "No smart card inserted.");
591 else
592 wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret);
593 goto failed;
594 }
595
596 os_free(readers);
597 readers = NULL;
598
599 wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)",
600 (unsigned int) scard->card, scard->protocol,
601 scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1");
602
603 ret = SCardBeginTransaction(scard->card);
604 if (ret != SCARD_S_SUCCESS) {
605 wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: "
606 "0x%x", (unsigned int) ret);
607 goto failed;
608 }
609 transaction = 1;
610
611 blen = sizeof(buf);
612
4781064b
JM
613 wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support");
614 if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen,
615 SCARD_USIM, NULL, 0)) {
616 wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported. Trying to use GSM SIM");
617 scard->sim_type = SCARD_GSM_SIM;
618 } else {
619 wpa_printf(MSG_DEBUG, "SCARD: USIM is supported");
620 scard->sim_type = SCARD_USIM;
a875087d
JL
621 }
622
623 if (scard->sim_type == SCARD_GSM_SIM) {
624 blen = sizeof(buf);
625 if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) {
626 wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF");
627 goto failed;
628 }
629
630 blen = sizeof(buf);
631 if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) {
632 wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF");
633 goto failed;
634 }
635 } else {
636 unsigned char aid[32];
637 int aid_len;
638
639 aid_len = scard_get_aid(scard, aid, sizeof(aid));
640 if (aid_len < 0) {
641 wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for "
642 "3G USIM app - try to use standard 3G RID");
643 os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5);
644 aid_len = 5;
645 }
646 wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len);
647
648 /* Select based on AID = 3G RID from EF_DIR. This is usually
649 * starting with A0 00 00 00 87. */
650 blen = sizeof(buf);
651 if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type,
652 aid, aid_len)) {
653 wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM "
654 "app");
655 wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID",
656 aid, aid_len);
657 goto failed;
658 }
659 }
660
661 /* Verify whether CHV1 (PIN1) is needed to access the card. */
662 pin_needed = scard_pin_needed(scard, buf, blen);
663 if (pin_needed < 0) {
664 wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN "
665 "is needed");
666 goto failed;
667 }
668 if (pin_needed) {
669 scard->pin1_required = 1;
4781064b
JM
670 wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access (retry "
671 "counter=%d)", scard_get_pin_retry_counter(scard));
a875087d
JL
672 }
673
674 ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
675 if (ret != SCARD_S_SUCCESS) {
676 wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: "
677 "0x%x", (unsigned int) ret);
678 }
679
680 return scard;
681
682failed:
683 if (transaction)
684 SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
685 os_free(readers);
686 scard_deinit(scard);
687 return NULL;
688}
689
690
691/**
692 * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands
693 * @scard: Pointer to private data from scard_init()
694 * @pin: PIN code as an ASCII string (e.g., "1234")
695 * Returns: 0 on success, -1 on failure
696 */
697int scard_set_pin(struct scard_data *scard, const char *pin)
698{
699 if (scard == NULL)
700 return -1;
701
702 /* Verify whether CHV1 (PIN1) is needed to access the card. */
703 if (scard->pin1_required) {
704 if (pin == NULL) {
705 wpa_printf(MSG_DEBUG, "No PIN configured for SIM "
706 "access");
707 return -1;
708 }
709 if (scard_verify_pin(scard, pin)) {
710 wpa_printf(MSG_INFO, "PIN verification failed for "
711 "SIM access");
712 return -1;
713 }
714 }
715
716 return 0;
717}
718
719
720/**
721 * scard_deinit - Deinitialize SIM/USIM connection
722 * @scard: Pointer to private data from scard_init()
723 *
724 * This function closes the SIM/USIM connect opened with scard_init().
725 */
726void scard_deinit(struct scard_data *scard)
727{
728 long ret;
729
730 if (scard == NULL)
731 return;
732
733 wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface");
734 if (scard->card) {
735 ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD);
736 if (ret != SCARD_S_SUCCESS) {
737 wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect "
738 "smart card (err=%ld)", ret);
739 }
740 }
741
742 if (scard->ctx) {
743 ret = SCardReleaseContext(scard->ctx);
744 if (ret != SCARD_S_SUCCESS) {
745 wpa_printf(MSG_DEBUG, "Failed to release smart card "
746 "context (err=%ld)", ret);
747 }
748 }
749 os_free(scard);
750 mingw_unload_symbols();
751}
752
753
754static long scard_transmit(struct scard_data *scard,
755 unsigned char *_send, size_t send_len,
756 unsigned char *_recv, size_t *recv_len)
757{
758 long ret;
759 unsigned long rlen;
760
761 wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send",
762 _send, send_len);
763 rlen = *recv_len;
764 ret = SCardTransmit(scard->card,
765 scard->protocol == SCARD_PROTOCOL_T1 ?
766 SCARD_PCI_T1 : SCARD_PCI_T0,
767 _send, (unsigned long) send_len,
768 NULL, _recv, &rlen);
769 *recv_len = rlen;
770 if (ret == SCARD_S_SUCCESS) {
771 wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv",
772 _recv, rlen);
773 } else {
774 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
775 "(err=0x%lx)", ret);
776 }
777 return ret;
778}
779
780
781static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
782 unsigned char *buf, size_t *buf_len,
783 sim_types sim_type, unsigned char *aid,
784 size_t aidlen)
785{
786 long ret;
787 unsigned char resp[3];
788 unsigned char cmd[50] = { SIM_CMD_SELECT };
789 int cmdlen;
790 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
791 size_t len, rlen;
792
793 if (sim_type == SCARD_USIM) {
794 cmd[0] = USIM_CLA;
795 cmd[3] = 0x04;
796 get_resp[0] = USIM_CLA;
797 }
798
799 wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id);
800 if (aid) {
801 wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID",
802 aid, aidlen);
803 if (5 + aidlen > sizeof(cmd))
804 return -1;
805 cmd[2] = 0x04; /* Select by AID */
806 cmd[4] = aidlen; /* len */
807 os_memcpy(cmd + 5, aid, aidlen);
808 cmdlen = 5 + aidlen;
809 } else {
810 cmd[5] = file_id >> 8;
811 cmd[6] = file_id & 0xff;
812 cmdlen = 7;
813 }
814 len = sizeof(resp);
815 ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
816 if (ret != SCARD_S_SUCCESS) {
817 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
818 "(err=0x%lx)", ret);
819 return -1;
820 }
821
822 if (len != 2) {
823 wpa_printf(MSG_WARNING, "SCARD: unexpected resp len "
824 "%d (expected 2)", (int) len);
825 return -1;
826 }
827
828 if (resp[0] == 0x98 && resp[1] == 0x04) {
829 /* Security status not satisfied (PIN_WLAN) */
830 wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied "
831 "(PIN_WLAN)");
832 return -1;
833 }
834
835 if (resp[0] == 0x6e) {
836 wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported");
837 return -1;
838 }
839
840 if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) {
841 wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x "
842 "(expected 0x61, 0x6c, or 0x9f)", resp[0]);
843 return -1;
844 }
845 /* Normal ending of command; resp[1] bytes available */
846 get_resp[4] = resp[1];
847 wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)",
848 resp[1]);
849
850 rlen = *buf_len;
851 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen);
852 if (ret == SCARD_S_SUCCESS) {
853 *buf_len = resp[1] < rlen ? resp[1] : rlen;
854 return 0;
855 }
856
857 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret);
858 return -1;
859}
860
861
862static int scard_select_file(struct scard_data *scard, unsigned short file_id,
863 unsigned char *buf, size_t *buf_len)
864{
865 return _scard_select_file(scard, file_id, buf, buf_len,
866 scard->sim_type, NULL, 0);
867}
868
869
870static int scard_get_record_len(struct scard_data *scard, unsigned char recnum,
871 unsigned char mode)
872{
873 unsigned char buf[255];
874 unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
875 size_t blen;
876 long ret;
877
878 if (scard->sim_type == SCARD_USIM)
879 cmd[0] = USIM_CLA;
880 cmd[2] = recnum;
881 cmd[3] = mode;
882 cmd[4] = sizeof(buf);
883
884 blen = sizeof(buf);
885 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
886 if (ret != SCARD_S_SUCCESS) {
887 wpa_printf(MSG_DEBUG, "SCARD: failed to determine file "
888 "length for record %d", recnum);
889 return -1;
890 }
891
892 wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response",
893 buf, blen);
894
4781064b 895 if (blen < 2 || (buf[0] != 0x6c && buf[0] != 0x67)) {
a875087d
JL
896 wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file "
897 "length determination");
898 return -1;
899 }
900
901 return buf[1];
902}
903
904
905static int scard_read_record(struct scard_data *scard,
906 unsigned char *data, size_t len,
907 unsigned char recnum, unsigned char mode)
908{
909 unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
910 size_t blen = len + 3;
911 unsigned char *buf;
912 long ret;
913
914 if (scard->sim_type == SCARD_USIM)
915 cmd[0] = USIM_CLA;
916 cmd[2] = recnum;
917 cmd[3] = mode;
918 cmd[4] = len;
919
920 buf = os_malloc(blen);
921 if (buf == NULL)
922 return -1;
923
924 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
925 if (ret != SCARD_S_SUCCESS) {
926 os_free(buf);
927 return -2;
928 }
929 if (blen != len + 2) {
930 wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
931 "length %ld (expected %ld)",
932 (long) blen, (long) len + 2);
933 os_free(buf);
934 return -3;
935 }
936
937 if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
938 wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
939 "status %02x %02x (expected 90 00)",
940 buf[len], buf[len + 1]);
941 os_free(buf);
942 return -4;
943 }
944
945 os_memcpy(data, buf, len);
946 os_free(buf);
947
948 return 0;
949}
950
951
952static int scard_read_file(struct scard_data *scard,
953 unsigned char *data, size_t len)
954{
955 unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ };
956 size_t blen = len + 3;
957 unsigned char *buf;
958 long ret;
959
960 cmd[4] = len;
961
962 buf = os_malloc(blen);
963 if (buf == NULL)
964 return -1;
965
966 if (scard->sim_type == SCARD_USIM)
967 cmd[0] = USIM_CLA;
968 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
969 if (ret != SCARD_S_SUCCESS) {
970 os_free(buf);
971 return -2;
972 }
973 if (blen != len + 2) {
974 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
975 "length %ld (expected %ld)",
976 (long) blen, (long) len + 2);
977 os_free(buf);
978 return -3;
979 }
980
981 if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
982 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
983 "status %02x %02x (expected 90 00)",
984 buf[len], buf[len + 1]);
985 os_free(buf);
986 return -4;
987 }
988
989 os_memcpy(data, buf, len);
990 os_free(buf);
991
992 return 0;
993}
994
995
996static int scard_verify_pin(struct scard_data *scard, const char *pin)
997{
998 long ret;
999 unsigned char resp[3];
1000 unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 };
1001 size_t len;
1002
1003 wpa_printf(MSG_DEBUG, "SCARD: verifying PIN");
1004
1005 if (pin == NULL || os_strlen(pin) > 8)
1006 return -1;
1007
1008 if (scard->sim_type == SCARD_USIM)
1009 cmd[0] = USIM_CLA;
1010 os_memcpy(cmd + 5, pin, os_strlen(pin));
1011 os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin));
1012
1013 len = sizeof(resp);
1014 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1015 if (ret != SCARD_S_SUCCESS)
1016 return -2;
1017
1018 if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) {
1019 wpa_printf(MSG_WARNING, "SCARD: PIN verification failed");
1020 return -1;
1021 }
1022
1023 wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully");
1024 return 0;
1025}
1026
1027
4781064b
JM
1028int scard_get_pin_retry_counter(struct scard_data *scard)
1029{
1030 long ret;
1031 unsigned char resp[3];
1032 unsigned char cmd[5] = { SIM_CMD_VERIFY_CHV1 };
1033 size_t len;
1034 u16 val;
1035
1036 wpa_printf(MSG_DEBUG, "SCARD: fetching PIN retry counter");
1037
1038 if (scard->sim_type == SCARD_USIM)
1039 cmd[0] = USIM_CLA;
1040 cmd[4] = 0; /* Empty data */
1041
1042 len = sizeof(resp);
1043 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1044 if (ret != SCARD_S_SUCCESS)
1045 return -2;
1046
1047 if (len != 2) {
1048 wpa_printf(MSG_WARNING, "SCARD: failed to fetch PIN retry "
1049 "counter");
1050 return -1;
1051 }
1052
1053 val = WPA_GET_BE16(resp);
1054 if (val == 0x63c0 || val == 0x6983) {
1055 wpa_printf(MSG_DEBUG, "SCARD: PIN has been blocked");
1056 return 0;
1057 }
1058
1059 if (val >= 0x63c0 && val <= 0x63cf)
1060 return val & 0x000f;
1061
1062 wpa_printf(MSG_DEBUG, "SCARD: Unexpected PIN retry counter response "
1063 "value 0x%x", val);
1064 return 0;
1065}
1066
1067
a875087d
JL
1068/**
1069 * scard_get_imsi - Read IMSI from SIM/USIM card
1070 * @scard: Pointer to private data from scard_init()
1071 * @imsi: Buffer for IMSI
1072 * @len: Length of imsi buffer; set to IMSI length on success
1073 * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file
1074 * selection returns invalid result code, -3 if parsing FSP template file fails
1075 * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set
1076 * to needed length), -5 if reading IMSI file fails.
1077 *
1078 * This function can be used to read IMSI from the SIM/USIM card. If the IMSI
1079 * file is PIN protected, scard_set_pin() must have been used to set the
1080 * correct PIN code before calling scard_get_imsi().
1081 */
1082int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len)
1083{
1084 unsigned char buf[100];
1085 size_t blen, imsilen, i;
1086 char *pos;
1087
1088 wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI");
1089 blen = sizeof(buf);
1090 if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen))
1091 return -1;
1092 if (blen < 4) {
1093 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI "
1094 "header (len=%ld)", (long) blen);
1095 return -2;
1096 }
1097
1098 if (scard->sim_type == SCARD_GSM_SIM) {
1099 blen = (buf[2] << 8) | buf[3];
1100 } else {
1101 int file_size;
1102 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
1103 return -3;
1104 blen = file_size;
1105 }
1106 if (blen < 2 || blen > sizeof(buf)) {
1107 wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld",
1108 (long) blen);
1109 return -3;
1110 }
1111
1112 imsilen = (blen - 2) * 2 + 1;
1113 wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld",
1114 (long) blen, (long) imsilen);
1115 if (blen < 2 || imsilen > *len) {
1116 *len = imsilen;
1117 return -4;
1118 }
1119
1120 if (scard_read_file(scard, buf, blen))
1121 return -5;
1122
1123 pos = imsi;
1124 *pos++ = '0' + (buf[1] >> 4 & 0x0f);
1125 for (i = 2; i < blen; i++) {
1126 unsigned char digit;
1127
1128 digit = buf[i] & 0x0f;
1129 if (digit < 10)
1130 *pos++ = '0' + digit;
1131 else
1132 imsilen--;
1133
1134 digit = buf[i] >> 4 & 0x0f;
1135 if (digit < 10)
1136 *pos++ = '0' + digit;
1137 else
1138 imsilen--;
1139 }
1140 *len = imsilen;
1141
1142 return 0;
1143}
1144
1145
4781064b
JM
1146/**
1147 * scard_get_mnc_len - Read length of MNC in the IMSI from SIM/USIM card
1148 * @scard: Pointer to private data from scard_init()
1149 * Returns: length (>0) on success, -1 if administrative data file cannot be
1150 * selected, -2 if administrative data file selection returns invalid result
1151 * code, -3 if parsing FSP template file fails (USIM only), -4 if length of
1152 * the file is unexpected, -5 if reading file fails, -6 if MNC length is not
1153 * in range (i.e. 2 or 3), -7 if MNC length is not available.
1154 *
1155 */
1156int scard_get_mnc_len(struct scard_data *scard)
1157{
1158 unsigned char buf[100];
1159 size_t blen;
1160 int file_size;
1161
1162 wpa_printf(MSG_DEBUG, "SCARD: reading MNC len from (GSM) EF-AD");
1163 blen = sizeof(buf);
1164 if (scard_select_file(scard, SCARD_FILE_GSM_EF_AD, buf, &blen))
1165 return -1;
1166 if (blen < 4) {
1167 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-AD "
1168 "header (len=%ld)", (long) blen);
1169 return -2;
1170 }
1171
1172 if (scard->sim_type == SCARD_GSM_SIM) {
1173 file_size = (buf[2] << 8) | buf[3];
1174 } else {
1175 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
1176 return -3;
1177 }
1178 if (file_size == 3) {
1179 wpa_printf(MSG_DEBUG, "SCARD: MNC length not available");
1180 return -7;
1181 }
1182 if (file_size < 4 || file_size > (int) sizeof(buf)) {
1183 wpa_printf(MSG_DEBUG, "SCARD: invalid file length=%ld",
1184 (long) file_size);
1185 return -4;
1186 }
1187
1188 if (scard_read_file(scard, buf, file_size))
1189 return -5;
1190 buf[3] = buf[3] & 0x0f; /* upper nibble reserved for future use */
1191 if (buf[3] < 2 || buf[3] > 3) {
1192 wpa_printf(MSG_DEBUG, "SCARD: invalid MNC length=%ld",
1193 (long) buf[3]);
1194 return -6;
1195 }
1196 wpa_printf(MSG_DEBUG, "SCARD: MNC length=%ld", (long) buf[3]);
1197 return buf[3];
1198}
1199
1200
a875087d
JL
1201/**
1202 * scard_gsm_auth - Run GSM authentication command on SIM card
1203 * @scard: Pointer to private data from scard_init()
1204 * @_rand: 16-byte RAND value from HLR/AuC
1205 * @sres: 4-byte buffer for SRES
1206 * @kc: 8-byte buffer for Kc
1207 * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized,
1208 * -2 if authentication command execution fails, -3 if unknown response code
1209 * for authentication command is received, -4 if reading of response fails,
1210 * -5 if if response data is of unexpected length
1211 *
1212 * This function performs GSM authentication using SIM/USIM card and the
1213 * provided RAND value from HLR/AuC. If authentication command can be completed
1214 * successfully, SRES and Kc values will be written into sres and kc buffers.
1215 */
1216int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand,
1217 unsigned char *sres, unsigned char *kc)
1218{
1219 unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG };
1220 int cmdlen;
1221 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
1222 unsigned char resp[3], buf[12 + 3 + 2];
1223 size_t len;
1224 long ret;
1225
1226 if (scard == NULL)
1227 return -1;
1228
1229 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16);
1230 if (scard->sim_type == SCARD_GSM_SIM) {
1231 cmdlen = 5 + 16;
1232 os_memcpy(cmd + 5, _rand, 16);
1233 } else {
1234 cmdlen = 5 + 1 + 16;
1235 cmd[0] = USIM_CLA;
1236 cmd[3] = 0x80;
1237 cmd[4] = 17;
1238 cmd[5] = 16;
1239 os_memcpy(cmd + 6, _rand, 16);
1240 }
1241 len = sizeof(resp);
1242 ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
1243 if (ret != SCARD_S_SUCCESS)
1244 return -2;
1245
1246 if ((scard->sim_type == SCARD_GSM_SIM &&
1247 (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) ||
1248 (scard->sim_type == SCARD_USIM &&
1249 (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) {
1250 wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM "
1251 "auth request (len=%ld resp=%02x %02x)",
1252 (long) len, resp[0], resp[1]);
1253 return -3;
1254 }
1255 get_resp[4] = resp[1];
1256
1257 len = sizeof(buf);
1258 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
1259 if (ret != SCARD_S_SUCCESS)
1260 return -4;
1261
1262 if (scard->sim_type == SCARD_GSM_SIM) {
1263 if (len != 4 + 8 + 2) {
1264 wpa_printf(MSG_WARNING, "SCARD: unexpected data "
1265 "length for GSM auth (len=%ld, expected 14)",
1266 (long) len);
1267 return -5;
1268 }
1269 os_memcpy(sres, buf, 4);
1270 os_memcpy(kc, buf + 4, 8);
1271 } else {
1272 if (len != 1 + 4 + 1 + 8 + 2) {
1273 wpa_printf(MSG_WARNING, "SCARD: unexpected data "
1274 "length for USIM auth (len=%ld, "
1275 "expected 16)", (long) len);
1276 return -5;
1277 }
1278 if (buf[0] != 4 || buf[5] != 8) {
1279 wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc "
1280 "length (%d %d, expected 4 8)",
1281 buf[0], buf[5]);
1282 }
1283 os_memcpy(sres, buf + 1, 4);
1284 os_memcpy(kc, buf + 6, 8);
1285 }
1286
1287 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4);
1288 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8);
1289
1290 return 0;
1291}
1292
1293
1294/**
1295 * scard_umts_auth - Run UMTS authentication command on USIM card
1296 * @scard: Pointer to private data from scard_init()
1297 * @_rand: 16-byte RAND value from HLR/AuC
1298 * @autn: 16-byte AUTN value from HLR/AuC
1299 * @res: 16-byte buffer for RES
1300 * @res_len: Variable that will be set to RES length
1301 * @ik: 16-byte buffer for IK
1302 * @ck: 16-byte buffer for CK
1303 * @auts: 14-byte buffer for AUTS
1304 * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization
1305 * failure
1306 *
1307 * This function performs AKA authentication using USIM card and the provided
1308 * RAND and AUTN values from HLR/AuC. If authentication command can be
1309 * completed successfully, RES, IK, and CK values will be written into provided
1310 * buffers and res_len is set to length of received RES value. If USIM reports
1311 * synchronization failure, the received AUTS value will be written into auts
1312 * buffer. In this case, RES, IK, and CK are not valid.
1313 */
1314int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
1315 const unsigned char *autn,
1316 unsigned char *res, size_t *res_len,
1317 unsigned char *ik, unsigned char *ck, unsigned char *auts)
1318{
1319 unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] =
1320 { USIM_CMD_RUN_UMTS_ALG };
1321 unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE };
1322 unsigned char resp[3], buf[64], *pos, *end;
1323 size_t len;
1324 long ret;
1325
1326 if (scard == NULL)
1327 return -1;
1328
1329 if (scard->sim_type == SCARD_GSM_SIM) {
1330 wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS "
1331 "auth");
1332 return -1;
1333 }
1334
1335 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN);
1336 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN);
1337 cmd[5] = AKA_RAND_LEN;
1338 os_memcpy(cmd + 6, _rand, AKA_RAND_LEN);
1339 cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN;
1340 os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN);
1341
1342 len = sizeof(resp);
1343 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1344 if (ret != SCARD_S_SUCCESS)
1345 return -1;
1346
1347 if (len <= sizeof(resp))
1348 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len);
1349
1350 if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) {
1351 wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - "
1352 "MAC != XMAC");
1353 return -1;
1354 } else if (len != 2 || resp[0] != 0x61) {
1355 wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS "
1356 "auth request (len=%ld resp=%02x %02x)",
1357 (long) len, resp[0], resp[1]);
1358 return -1;
1359 }
1360 get_resp[4] = resp[1];
1361
1362 len = sizeof(buf);
1363 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
1364 if (ret != SCARD_S_SUCCESS || len > sizeof(buf))
1365 return -1;
1366
1367 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len);
1368 if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc &&
1369 buf[1] == AKA_AUTS_LEN) {
1370 wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure");
1371 os_memcpy(auts, buf + 2, AKA_AUTS_LEN);
1372 wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN);
1373 return -2;
1374 } else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) {
1375 pos = buf + 1;
1376 end = buf + len;
1377
1378 /* RES */
1379 if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) {
1380 wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
1381 return -1;
1382 }
1383 *res_len = *pos++;
1384 os_memcpy(res, pos, *res_len);
1385 pos += *res_len;
1386 wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
1387
1388 /* CK */
1389 if (pos[0] != CK_LEN || pos + CK_LEN > end) {
1390 wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
1391 return -1;
1392 }
1393 pos++;
1394 os_memcpy(ck, pos, CK_LEN);
1395 pos += CK_LEN;
1396 wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
1397
1398 /* IK */
1399 if (pos[0] != IK_LEN || pos + IK_LEN > end) {
1400 wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
1401 return -1;
1402 }
1403 pos++;
1404 os_memcpy(ik, pos, IK_LEN);
1405 pos += IK_LEN;
1406 wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN);
1407
1408 return 0;
1409 }
1410
1411 wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response");
1412 return -1;
1413}
4781064b
JM
1414
1415
1416int scard_supports_umts(struct scard_data *scard)
1417{
1418 return scard->sim_type == SCARD_USIM;
1419}