Home | History | Annotate | Download | only in wpa_supplicant
      1 /*
      2  * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM
      3  * Copyright (c) 2004-2007, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This program is free software; you can redistribute it and/or modify
      6  * it under the terms of the GNU General Public License version 2 as
      7  * published by the Free Software Foundation.
      8  *
      9  * Alternatively, this software may be distributed under the terms of BSD
     10  * license.
     11  *
     12  * See README and COPYING for more details.
     13  *
     14  * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM
     15  * cards through PC/SC smartcard library. These functions are used to implement
     16  * authentication routines for EAP-SIM and EAP-AKA.
     17  */
     18 
     19 #include "includes.h"
     20 #include <winscard.h>
     21 
     22 #include "common.h"
     23 #include "pcsc_funcs.h"
     24 
     25 
     26 /* See ETSI GSM 11.11 and ETSI TS 102 221 for details.
     27  * SIM commands:
     28  * Command APDU: CLA INS P1 P2 P3 Data
     29  *   CLA (class of instruction): A0 for GSM, 00 for USIM
     30  *   INS (instruction)
     31  *   P1 P2 P3 (parameters, P3 = length of Data)
     32  * Response APDU: Data SW1 SW2
     33  *   SW1 SW2 (Status words)
     34  * Commands (INS P1 P2 P3):
     35  *   SELECT: A4 00 00 02 <file_id, 2 bytes>
     36  *   GET RESPONSE: C0 00 00 <len>
     37  *   RUN GSM ALG: 88 00 00 00 <RAND len = 10>
     38  *   RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN
     39  *	P1 = ID of alg in card
     40  *	P2 = ID of secret key
     41  *   READ BINARY: B0 <offset high> <offset low> <len>
     42  *   READ RECORD: B2 <record number> <mode> <len>
     43  *	P2 (mode) = '02' (next record), '03' (previous record),
     44  *		    '04' (absolute mode)
     45  *   VERIFY CHV: 20 00 <CHV number> 08
     46  *   CHANGE CHV: 24 00 <CHV number> 10
     47  *   DISABLE CHV: 26 00 01 08
     48  *   ENABLE CHV: 28 00 01 08
     49  *   UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10
     50  *   SLEEP: FA 00 00 00
     51  */
     52 
     53 /* GSM SIM commands */
     54 #define SIM_CMD_SELECT			0xa0, 0xa4, 0x00, 0x00, 0x02
     55 #define SIM_CMD_RUN_GSM_ALG		0xa0, 0x88, 0x00, 0x00, 0x10
     56 #define SIM_CMD_GET_RESPONSE		0xa0, 0xc0, 0x00, 0x00
     57 #define SIM_CMD_READ_BIN		0xa0, 0xb0, 0x00, 0x00
     58 #define SIM_CMD_READ_RECORD		0xa0, 0xb2, 0x00, 0x00
     59 #define SIM_CMD_VERIFY_CHV1		0xa0, 0x20, 0x00, 0x01, 0x08
     60 
     61 /* USIM commands */
     62 #define USIM_CLA			0x00
     63 #define USIM_CMD_RUN_UMTS_ALG		0x00, 0x88, 0x00, 0x81, 0x22
     64 #define USIM_CMD_GET_RESPONSE		0x00, 0xc0, 0x00, 0x00
     65 
     66 #define SIM_RECORD_MODE_ABSOLUTE 0x04
     67 
     68 #define USIM_FSP_TEMPL_TAG		0x62
     69 
     70 #define USIM_TLV_FILE_DESC		0x82
     71 #define USIM_TLV_FILE_ID		0x83
     72 #define USIM_TLV_DF_NAME		0x84
     73 #define USIM_TLV_PROPR_INFO		0xA5
     74 #define USIM_TLV_LIFE_CYCLE_STATUS	0x8A
     75 #define USIM_TLV_FILE_SIZE		0x80
     76 #define USIM_TLV_TOTAL_FILE_SIZE	0x81
     77 #define USIM_TLV_PIN_STATUS_TEMPLATE	0xC6
     78 #define USIM_TLV_SHORT_FILE_ID		0x88
     79 
     80 #define USIM_PS_DO_TAG			0x90
     81 
     82 #define AKA_RAND_LEN 16
     83 #define AKA_AUTN_LEN 16
     84 #define AKA_AUTS_LEN 14
     85 #define RES_MAX_LEN 16
     86 #define IK_LEN 16
     87 #define CK_LEN 16
     88 
     89 
     90 typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types;
     91 
     92 struct scard_data {
     93 	SCARDCONTEXT ctx;
     94 	SCARDHANDLE card;
     95 	DWORD protocol;
     96 	sim_types sim_type;
     97 	int pin1_required;
     98 };
     99 
    100 #ifdef __MINGW32_VERSION
    101 /* MinGW does not yet support WinScard, so load the needed functions
    102  * dynamically from winscard.dll for now. */
    103 
    104 static HINSTANCE dll = NULL; /* winscard.dll */
    105 
    106 static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci;
    107 #undef SCARD_PCI_T0
    108 #define SCARD_PCI_T0 (dll_g_rgSCardT0Pci)
    109 #undef SCARD_PCI_T1
    110 #define SCARD_PCI_T1 (dll_g_rgSCardT1Pci)
    111 
    112 
    113 static WINSCARDAPI LONG WINAPI
    114 (*dll_SCardEstablishContext)(IN DWORD dwScope,
    115 			     IN LPCVOID pvReserved1,
    116 			     IN LPCVOID pvReserved2,
    117 			     OUT LPSCARDCONTEXT phContext);
    118 #define SCardEstablishContext dll_SCardEstablishContext
    119 
    120 static long (*dll_SCardReleaseContext)(long hContext);
    121 #define SCardReleaseContext dll_SCardReleaseContext
    122 
    123 static WINSCARDAPI LONG WINAPI
    124 (*dll_SCardListReadersA)(IN SCARDCONTEXT hContext,
    125 			 IN LPCSTR mszGroups,
    126 			 OUT LPSTR mszReaders,
    127 			 IN OUT LPDWORD pcchReaders);
    128 #undef SCardListReaders
    129 #define SCardListReaders dll_SCardListReadersA
    130 
    131 static WINSCARDAPI LONG WINAPI
    132 (*dll_SCardConnectA)(IN SCARDCONTEXT hContext,
    133 		     IN LPCSTR szReader,
    134 		     IN DWORD dwShareMode,
    135 		     IN DWORD dwPreferredProtocols,
    136 		     OUT LPSCARDHANDLE phCard,
    137 		     OUT LPDWORD pdwActiveProtocol);
    138 #undef SCardConnect
    139 #define SCardConnect dll_SCardConnectA
    140 
    141 static WINSCARDAPI LONG WINAPI
    142 (*dll_SCardDisconnect)(IN SCARDHANDLE hCard,
    143 		       IN DWORD dwDisposition);
    144 #define SCardDisconnect dll_SCardDisconnect
    145 
    146 static WINSCARDAPI LONG WINAPI
    147 (*dll_SCardTransmit)(IN SCARDHANDLE hCard,
    148 		     IN LPCSCARD_IO_REQUEST pioSendPci,
    149 		     IN LPCBYTE pbSendBuffer,
    150 		     IN DWORD cbSendLength,
    151 		     IN OUT LPSCARD_IO_REQUEST pioRecvPci,
    152 		     OUT LPBYTE pbRecvBuffer,
    153 		     IN OUT LPDWORD pcbRecvLength);
    154 #define SCardTransmit dll_SCardTransmit
    155 
    156 static WINSCARDAPI LONG WINAPI
    157 (*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard);
    158 #define SCardBeginTransaction dll_SCardBeginTransaction
    159 
    160 static WINSCARDAPI LONG WINAPI
    161 (*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition);
    162 #define SCardEndTransaction dll_SCardEndTransaction
    163 
    164 
    165 static int mingw_load_symbols(void)
    166 {
    167 	char *sym;
    168 
    169 	if (dll)
    170 		return 0;
    171 
    172 	dll = LoadLibrary("winscard");
    173 	if (dll == NULL) {
    174 		wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll "
    175 			   "library");
    176 		return -1;
    177 	}
    178 
    179 #define LOADSYM(s) \
    180 	sym = #s; \
    181 	dll_ ## s = (void *) GetProcAddress(dll, sym); \
    182 	if (dll_ ## s == NULL) \
    183 		goto fail;
    184 
    185 	LOADSYM(SCardEstablishContext);
    186 	LOADSYM(SCardReleaseContext);
    187 	LOADSYM(SCardListReadersA);
    188 	LOADSYM(SCardConnectA);
    189 	LOADSYM(SCardDisconnect);
    190 	LOADSYM(SCardTransmit);
    191 	LOADSYM(SCardBeginTransaction);
    192 	LOADSYM(SCardEndTransaction);
    193 	LOADSYM(g_rgSCardT0Pci);
    194 	LOADSYM(g_rgSCardT1Pci);
    195 
    196 #undef LOADSYM
    197 
    198 	return 0;
    199 
    200 fail:
    201 	wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from "
    202 		   "winscard.dll", sym);
    203 	FreeLibrary(dll);
    204 	dll = NULL;
    205 	return -1;
    206 }
    207 
    208 
    209 static void mingw_unload_symbols(void)
    210 {
    211 	if (dll == NULL)
    212 		return;
    213 
    214 	FreeLibrary(dll);
    215 	dll = NULL;
    216 }
    217 
    218 #else /* __MINGW32_VERSION */
    219 
    220 #define mingw_load_symbols() 0
    221 #define mingw_unload_symbols() do { } while (0)
    222 
    223 #endif /* __MINGW32_VERSION */
    224 
    225 
    226 static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
    227 			      unsigned char *buf, size_t *buf_len,
    228 			      sim_types sim_type, unsigned char *aid,
    229 			      size_t aidlen);
    230 static int scard_select_file(struct scard_data *scard, unsigned short file_id,
    231 			     unsigned char *buf, size_t *buf_len);
    232 static int scard_verify_pin(struct scard_data *scard, const char *pin);
    233 static int scard_get_record_len(struct scard_data *scard,
    234 				unsigned char recnum, unsigned char mode);
    235 static int scard_read_record(struct scard_data *scard,
    236 			     unsigned char *data, size_t len,
    237 			     unsigned char recnum, unsigned char mode);
    238 
    239 
    240 static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
    241 				 int *ps_do, int *file_len)
    242 {
    243 		unsigned char *pos, *end;
    244 
    245 		if (ps_do)
    246 			*ps_do = -1;
    247 		if (file_len)
    248 			*file_len = -1;
    249 
    250 		pos = buf;
    251 		end = pos + buf_len;
    252 		if (*pos != USIM_FSP_TEMPL_TAG) {
    253 			wpa_printf(MSG_DEBUG, "SCARD: file header did not "
    254 				   "start with FSP template tag");
    255 			return -1;
    256 		}
    257 		pos++;
    258 		if (pos >= end)
    259 			return -1;
    260 		if ((pos + pos[0]) < end)
    261 			end = pos + 1 + pos[0];
    262 		pos++;
    263 		wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
    264 			    pos, end - pos);
    265 
    266 		while (pos + 1 < end) {
    267 			wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV "
    268 				   "0x%02x len=%d", pos[0], pos[1]);
    269 			if (pos + 2 + pos[1] > end)
    270 				break;
    271 
    272 			if (pos[0] == USIM_TLV_FILE_SIZE &&
    273 			    (pos[1] == 1 || pos[1] == 2) && file_len) {
    274 				if (pos[1] == 1)
    275 					*file_len = (int) pos[2];
    276 				else
    277 					*file_len = ((int) pos[2] << 8) |
    278 						(int) pos[3];
    279 				wpa_printf(MSG_DEBUG, "SCARD: file_size=%d",
    280 					   *file_len);
    281 			}
    282 
    283 			if (pos[0] == USIM_TLV_PIN_STATUS_TEMPLATE &&
    284 			    pos[1] >= 2 && pos[2] == USIM_PS_DO_TAG &&
    285 			    pos[3] >= 1 && ps_do) {
    286 				wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x",
    287 					   pos[4]);
    288 				*ps_do = (int) pos[4];
    289 			}
    290 
    291 			pos += 2 + pos[1];
    292 
    293 			if (pos == end)
    294 				return 0;
    295 		}
    296 		return -1;
    297 }
    298 
    299 
    300 static int scard_pin_needed(struct scard_data *scard,
    301 			    unsigned char *hdr, size_t hlen)
    302 {
    303 	if (scard->sim_type == SCARD_GSM_SIM) {
    304 		if (hlen > SCARD_CHV1_OFFSET &&
    305 		    !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG))
    306 			return 1;
    307 		return 0;
    308 	}
    309 
    310 	if (scard->sim_type == SCARD_USIM) {
    311 		int ps_do;
    312 		if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL))
    313 			return -1;
    314 		/* TODO: there could be more than one PS_DO entry because of
    315 		 * multiple PINs in key reference.. */
    316 		if (ps_do > 0 && (ps_do & 0x80))
    317 			return 1;
    318 		return 0;
    319 	}
    320 
    321 	return -1;
    322 }
    323 
    324 
    325 static int scard_get_aid(struct scard_data *scard, unsigned char *aid,
    326 			 size_t maxlen)
    327 {
    328 	int rlen, rec;
    329 	struct efdir {
    330 		unsigned char appl_template_tag; /* 0x61 */
    331 		unsigned char appl_template_len;
    332 		unsigned char appl_id_tag; /* 0x4f */
    333 		unsigned char aid_len;
    334 		unsigned char rid[5];
    335 		unsigned char appl_code[2]; /* 0x1002 for 3G USIM */
    336 	} *efdir;
    337 	unsigned char buf[100];
    338 	size_t blen;
    339 
    340 	efdir = (struct efdir *) buf;
    341 	blen = sizeof(buf);
    342 	if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) {
    343 		wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR");
    344 		return -1;
    345 	}
    346 	wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen);
    347 
    348 	for (rec = 1; rec < 10; rec++) {
    349 		rlen = scard_get_record_len(scard, rec,
    350 					    SIM_RECORD_MODE_ABSOLUTE);
    351 		if (rlen < 0) {
    352 			wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR "
    353 				   "record length");
    354 			return -1;
    355 		}
    356 		blen = sizeof(buf);
    357 		if (rlen > (int) blen) {
    358 			wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record");
    359 			return -1;
    360 		}
    361 		if (scard_read_record(scard, buf, rlen, rec,
    362 				      SIM_RECORD_MODE_ABSOLUTE) < 0) {
    363 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read "
    364 				   "EF_DIR record %d", rec);
    365 			return -1;
    366 		}
    367 		wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen);
    368 
    369 		if (efdir->appl_template_tag != 0x61) {
    370 			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
    371 				   "template tag 0x%x",
    372 				   efdir->appl_template_tag);
    373 			continue;
    374 		}
    375 
    376 		if (efdir->appl_template_len > rlen - 2) {
    377 			wpa_printf(MSG_DEBUG, "SCARD: Too long application "
    378 				   "template (len=%d rlen=%d)",
    379 				   efdir->appl_template_len, rlen);
    380 			continue;
    381 		}
    382 
    383 		if (efdir->appl_id_tag != 0x4f) {
    384 			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
    385 				   "identifier tag 0x%x", efdir->appl_id_tag);
    386 			continue;
    387 		}
    388 
    389 		if (efdir->aid_len < 1 || efdir->aid_len > 16) {
    390 			wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %d",
    391 				   efdir->aid_len);
    392 			continue;
    393 		}
    394 
    395 		wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record",
    396 			    efdir->rid, efdir->aid_len);
    397 
    398 		if (efdir->appl_code[0] == 0x10 &&
    399 		    efdir->appl_code[1] == 0x02) {
    400 			wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from "
    401 				   "EF_DIR record %d", rec);
    402 			break;
    403 		}
    404 	}
    405 
    406 	if (rec >= 10) {
    407 		wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found "
    408 			   "from EF_DIR records");
    409 		return -1;
    410 	}
    411 
    412 	if (efdir->aid_len > maxlen) {
    413 		wpa_printf(MSG_DEBUG, "SCARD: Too long AID");
    414 		return -1;
    415 	}
    416 
    417 	os_memcpy(aid, efdir->rid, efdir->aid_len);
    418 
    419 	return efdir->aid_len;
    420 }
    421 
    422 
    423 /**
    424  * scard_init - Initialize SIM/USIM connection using PC/SC
    425  * @sim_type: Allowed SIM types (SIM, USIM, or both)
    426  * Returns: Pointer to private data structure, or %NULL on failure
    427  *
    428  * This function is used to initialize SIM/USIM connection. PC/SC is used to
    429  * open connection to the SIM/USIM card and the card is verified to support the
    430  * selected sim_type. In addition, local flag is set if a PIN is needed to
    431  * access some of the card functions. Once the connection is not needed
    432  * anymore, scard_deinit() can be used to close it.
    433  */
    434 struct scard_data * scard_init(scard_sim_type sim_type)
    435 {
    436 	long ret;
    437 	unsigned long len;
    438 	struct scard_data *scard;
    439 #ifdef CONFIG_NATIVE_WINDOWS
    440 	TCHAR *readers = NULL;
    441 #else /* CONFIG_NATIVE_WINDOWS */
    442 	char *readers = NULL;
    443 #endif /* CONFIG_NATIVE_WINDOWS */
    444 	unsigned char buf[100];
    445 	size_t blen;
    446 	int transaction = 0;
    447 	int pin_needed;
    448 
    449 	wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface");
    450 	if (mingw_load_symbols())
    451 		return NULL;
    452 	scard = os_zalloc(sizeof(*scard));
    453 	if (scard == NULL)
    454 		return NULL;
    455 
    456 	ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL,
    457 				    &scard->ctx);
    458 	if (ret != SCARD_S_SUCCESS) {
    459 		wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card "
    460 			   "context (err=%ld)", ret);
    461 		goto failed;
    462 	}
    463 
    464 	ret = SCardListReaders(scard->ctx, NULL, NULL, &len);
    465 	if (ret != SCARD_S_SUCCESS) {
    466 		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed "
    467 			   "(err=%ld)", ret);
    468 		goto failed;
    469 	}
    470 
    471 #ifdef UNICODE
    472 	len *= 2;
    473 #endif /* UNICODE */
    474 	readers = os_malloc(len);
    475 	if (readers == NULL) {
    476 		wpa_printf(MSG_INFO, "SCARD: malloc failed\n");
    477 		goto failed;
    478 	}
    479 
    480 	ret = SCardListReaders(scard->ctx, NULL, readers, &len);
    481 	if (ret != SCARD_S_SUCCESS) {
    482 		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) "
    483 			   "(err=%ld)", ret);
    484 		goto failed;
    485 	}
    486 	if (len < 3) {
    487 		wpa_printf(MSG_WARNING, "SCARD: No smart card readers "
    488 			   "available.");
    489 		goto failed;
    490 	}
    491 	/* readers is a list of available reader. Last entry is terminated with
    492 	 * double NUL.
    493 	 * TODO: add support for selecting the reader; now just use the first
    494 	 * one.. */
    495 #ifdef UNICODE
    496 	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", readers);
    497 #else /* UNICODE */
    498 	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", readers);
    499 #endif /* UNICODE */
    500 
    501 	ret = SCardConnect(scard->ctx, readers, SCARD_SHARE_SHARED,
    502 			   SCARD_PROTOCOL_T0, &scard->card, &scard->protocol);
    503 	if (ret != SCARD_S_SUCCESS) {
    504 		if (ret == (long) SCARD_E_NO_SMARTCARD)
    505 			wpa_printf(MSG_INFO, "No smart card inserted.");
    506 		else
    507 			wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret);
    508 		goto failed;
    509 	}
    510 
    511 	os_free(readers);
    512 	readers = NULL;
    513 
    514 	wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)",
    515 		   (unsigned int) scard->card, scard->protocol,
    516 		   scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1");
    517 
    518 	ret = SCardBeginTransaction(scard->card);
    519 	if (ret != SCARD_S_SUCCESS) {
    520 		wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: "
    521 			   "0x%x", (unsigned int) ret);
    522 		goto failed;
    523 	}
    524 	transaction = 1;
    525 
    526 	blen = sizeof(buf);
    527 
    528 	scard->sim_type = SCARD_GSM_SIM;
    529 	if (sim_type == SCARD_USIM_ONLY || sim_type == SCARD_TRY_BOTH) {
    530 		wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support");
    531 		if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen,
    532 				       SCARD_USIM, NULL, 0)) {
    533 			wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported");
    534 			if (sim_type == SCARD_USIM_ONLY)
    535 				goto failed;
    536 			wpa_printf(MSG_DEBUG, "SCARD: Trying to use GSM SIM");
    537 			scard->sim_type = SCARD_GSM_SIM;
    538 		} else {
    539 			wpa_printf(MSG_DEBUG, "SCARD: USIM is supported");
    540 			scard->sim_type = SCARD_USIM;
    541 		}
    542 	}
    543 
    544 	if (scard->sim_type == SCARD_GSM_SIM) {
    545 		blen = sizeof(buf);
    546 		if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) {
    547 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF");
    548 			goto failed;
    549 		}
    550 
    551 		blen = sizeof(buf);
    552 		if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) {
    553 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF");
    554 			goto failed;
    555 		}
    556 	} else {
    557 		unsigned char aid[32];
    558 		int aid_len;
    559 
    560 		aid_len = scard_get_aid(scard, aid, sizeof(aid));
    561 		if (aid_len < 0) {
    562 			wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for "
    563 				   "3G USIM app - try to use standard 3G RID");
    564 			os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5);
    565 			aid_len = 5;
    566 		}
    567 		wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len);
    568 
    569 		/* Select based on AID = 3G RID from EF_DIR. This is usually
    570 		 * starting with A0 00 00 00 87. */
    571 		blen = sizeof(buf);
    572 		if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type,
    573 				       aid, aid_len)) {
    574 			wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM "
    575 				   "app");
    576 			wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID",
    577 				    aid, aid_len);
    578 			goto failed;
    579 		}
    580 	}
    581 
    582 	/* Verify whether CHV1 (PIN1) is needed to access the card. */
    583 	pin_needed = scard_pin_needed(scard, buf, blen);
    584 	if (pin_needed < 0) {
    585 		wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN "
    586 			   "is needed");
    587 		goto failed;
    588 	}
    589 	if (pin_needed) {
    590 		scard->pin1_required = 1;
    591 		wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access");
    592 	}
    593 
    594 	ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
    595 	if (ret != SCARD_S_SUCCESS) {
    596 		wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: "
    597 			   "0x%x", (unsigned int) ret);
    598 	}
    599 
    600 	return scard;
    601 
    602 failed:
    603 	if (transaction)
    604 		SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
    605 	os_free(readers);
    606 	scard_deinit(scard);
    607 	return NULL;
    608 }
    609 
    610 
    611 /**
    612  * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands
    613  * @scard: Pointer to private data from scard_init()
    614  * pin: PIN code as an ASCII string (e.g., "1234")
    615  * Returns: 0 on success, -1 on failure
    616  */
    617 int scard_set_pin(struct scard_data *scard, const char *pin)
    618 {
    619 	if (scard == NULL)
    620 		return -1;
    621 
    622 	/* Verify whether CHV1 (PIN1) is needed to access the card. */
    623 	if (scard->pin1_required) {
    624 		if (pin == NULL) {
    625 			wpa_printf(MSG_DEBUG, "No PIN configured for SIM "
    626 				   "access");
    627 			return -1;
    628 		}
    629 		if (scard_verify_pin(scard, pin)) {
    630 			wpa_printf(MSG_INFO, "PIN verification failed for "
    631 				"SIM access");
    632 			return -1;
    633 		}
    634 	}
    635 
    636 	return 0;
    637 }
    638 
    639 
    640 /**
    641  * scard_deinit - Deinitialize SIM/USIM connection
    642  * @scard: Pointer to private data from scard_init()
    643  *
    644  * This function closes the SIM/USIM connect opened with scard_init().
    645  */
    646 void scard_deinit(struct scard_data *scard)
    647 {
    648 	long ret;
    649 
    650 	if (scard == NULL)
    651 		return;
    652 
    653 	wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface");
    654 	if (scard->card) {
    655 		ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD);
    656 		if (ret != SCARD_S_SUCCESS) {
    657 			wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect "
    658 				   "smart card (err=%ld)", ret);
    659 		}
    660 	}
    661 
    662 	if (scard->ctx) {
    663 		ret = SCardReleaseContext(scard->ctx);
    664 		if (ret != SCARD_S_SUCCESS) {
    665 			wpa_printf(MSG_DEBUG, "Failed to release smart card "
    666 				   "context (err=%ld)", ret);
    667 		}
    668 	}
    669 	os_free(scard);
    670 	mingw_unload_symbols();
    671 }
    672 
    673 
    674 static long scard_transmit(struct scard_data *scard,
    675 			   unsigned char *_send, size_t send_len,
    676 			   unsigned char *_recv, size_t *recv_len)
    677 {
    678 	long ret;
    679 	unsigned long rlen;
    680 
    681 	wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send",
    682 			_send, send_len);
    683 	rlen = *recv_len;
    684 	ret = SCardTransmit(scard->card,
    685 			    scard->protocol == SCARD_PROTOCOL_T1 ?
    686 			    SCARD_PCI_T1 : SCARD_PCI_T0,
    687 			    _send, (unsigned long) send_len,
    688 			    NULL, _recv, &rlen);
    689 	*recv_len = rlen;
    690 	if (ret == SCARD_S_SUCCESS) {
    691 		wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv",
    692 			    _recv, rlen);
    693 	} else {
    694 		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
    695 			   "(err=0x%lx)", ret);
    696 	}
    697 	return ret;
    698 }
    699 
    700 
    701 static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
    702 			      unsigned char *buf, size_t *buf_len,
    703 			      sim_types sim_type, unsigned char *aid,
    704 			      size_t aidlen)
    705 {
    706 	long ret;
    707 	unsigned char resp[3];
    708 	unsigned char cmd[50] = { SIM_CMD_SELECT };
    709 	int cmdlen;
    710 	unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
    711 	size_t len, rlen;
    712 
    713 	if (sim_type == SCARD_USIM) {
    714 		cmd[0] = USIM_CLA;
    715 		cmd[3] = 0x04;
    716 		get_resp[0] = USIM_CLA;
    717 	}
    718 
    719 	wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id);
    720 	if (aid) {
    721 		wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID",
    722 			    aid, aidlen);
    723 		if (5 + aidlen > sizeof(cmd))
    724 			return -1;
    725 		cmd[2] = 0x04; /* Select by AID */
    726 		cmd[4] = aidlen; /* len */
    727 		os_memcpy(cmd + 5, aid, aidlen);
    728 		cmdlen = 5 + aidlen;
    729 	} else {
    730 		cmd[5] = file_id >> 8;
    731 		cmd[6] = file_id & 0xff;
    732 		cmdlen = 7;
    733 	}
    734 	len = sizeof(resp);
    735 	ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
    736 	if (ret != SCARD_S_SUCCESS) {
    737 		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
    738 			   "(err=0x%lx)", ret);
    739 		return -1;
    740 	}
    741 
    742 	if (len != 2) {
    743 		wpa_printf(MSG_WARNING, "SCARD: unexpected resp len "
    744 			   "%d (expected 2)", (int) len);
    745 		return -1;
    746 	}
    747 
    748 	if (resp[0] == 0x98 && resp[1] == 0x04) {
    749 		/* Security status not satisfied (PIN_WLAN) */
    750 		wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied "
    751 			   "(PIN_WLAN)");
    752 		return -1;
    753 	}
    754 
    755 	if (resp[0] == 0x6e) {
    756 		wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported");
    757 		return -1;
    758 	}
    759 
    760 	if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) {
    761 		wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x "
    762 			   "(expected 0x61, 0x6c, or 0x9f)", resp[0]);
    763 		return -1;
    764 	}
    765 	/* Normal ending of command; resp[1] bytes available */
    766 	get_resp[4] = resp[1];
    767 	wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)",
    768 		   resp[1]);
    769 
    770 	rlen = *buf_len;
    771 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen);
    772 	if (ret == SCARD_S_SUCCESS) {
    773 		*buf_len = resp[1] < rlen ? resp[1] : rlen;
    774 		return 0;
    775 	}
    776 
    777 	wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret);
    778 	return -1;
    779 }
    780 
    781 
    782 static int scard_select_file(struct scard_data *scard, unsigned short file_id,
    783 			     unsigned char *buf, size_t *buf_len)
    784 {
    785 	return _scard_select_file(scard, file_id, buf, buf_len,
    786 				  scard->sim_type, NULL, 0);
    787 }
    788 
    789 
    790 static int scard_get_record_len(struct scard_data *scard, unsigned char recnum,
    791 				unsigned char mode)
    792 {
    793 	unsigned char buf[255];
    794 	unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
    795 	size_t blen;
    796 	long ret;
    797 
    798 	if (scard->sim_type == SCARD_USIM)
    799 		cmd[0] = USIM_CLA;
    800 	cmd[2] = recnum;
    801 	cmd[3] = mode;
    802 	cmd[4] = sizeof(buf);
    803 
    804 	blen = sizeof(buf);
    805 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
    806 	if (ret != SCARD_S_SUCCESS) {
    807 		wpa_printf(MSG_DEBUG, "SCARD: failed to determine file "
    808 			   "length for record %d", recnum);
    809 		return -1;
    810 	}
    811 
    812 	wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response",
    813 		    buf, blen);
    814 
    815 	if (blen < 2 || buf[0] != 0x6c) {
    816 		wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file "
    817 			   "length determination");
    818 		return -1;
    819 	}
    820 
    821 	return buf[1];
    822 }
    823 
    824 
    825 static int scard_read_record(struct scard_data *scard,
    826 			     unsigned char *data, size_t len,
    827 			     unsigned char recnum, unsigned char mode)
    828 {
    829 	unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
    830 	size_t blen = len + 3;
    831 	unsigned char *buf;
    832 	long ret;
    833 
    834 	if (scard->sim_type == SCARD_USIM)
    835 		cmd[0] = USIM_CLA;
    836 	cmd[2] = recnum;
    837 	cmd[3] = mode;
    838 	cmd[4] = len;
    839 
    840 	buf = os_malloc(blen);
    841 	if (buf == NULL)
    842 		return -1;
    843 
    844 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
    845 	if (ret != SCARD_S_SUCCESS) {
    846 		os_free(buf);
    847 		return -2;
    848 	}
    849 	if (blen != len + 2) {
    850 		wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
    851 			   "length %ld (expected %ld)",
    852 			   (long) blen, (long) len + 2);
    853 		os_free(buf);
    854 		return -3;
    855 	}
    856 
    857 	if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
    858 		wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
    859 			   "status %02x %02x (expected 90 00)",
    860 			   buf[len], buf[len + 1]);
    861 		os_free(buf);
    862 		return -4;
    863 	}
    864 
    865 	os_memcpy(data, buf, len);
    866 	os_free(buf);
    867 
    868 	return 0;
    869 }
    870 
    871 
    872 static int scard_read_file(struct scard_data *scard,
    873 			   unsigned char *data, size_t len)
    874 {
    875 	unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ };
    876 	size_t blen = len + 3;
    877 	unsigned char *buf;
    878 	long ret;
    879 
    880 	cmd[4] = len;
    881 
    882 	buf = os_malloc(blen);
    883 	if (buf == NULL)
    884 		return -1;
    885 
    886 	if (scard->sim_type == SCARD_USIM)
    887 		cmd[0] = USIM_CLA;
    888 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
    889 	if (ret != SCARD_S_SUCCESS) {
    890 		os_free(buf);
    891 		return -2;
    892 	}
    893 	if (blen != len + 2) {
    894 		wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
    895 			   "length %ld (expected %ld)",
    896 			   (long) blen, (long) len + 2);
    897 		os_free(buf);
    898 		return -3;
    899 	}
    900 
    901 	if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
    902 		wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
    903 			   "status %02x %02x (expected 90 00)",
    904 			   buf[len], buf[len + 1]);
    905 		os_free(buf);
    906 		return -4;
    907 	}
    908 
    909 	os_memcpy(data, buf, len);
    910 	os_free(buf);
    911 
    912 	return 0;
    913 }
    914 
    915 
    916 static int scard_verify_pin(struct scard_data *scard, const char *pin)
    917 {
    918 	long ret;
    919 	unsigned char resp[3];
    920 	unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 };
    921 	size_t len;
    922 
    923 	wpa_printf(MSG_DEBUG, "SCARD: verifying PIN");
    924 
    925 	if (pin == NULL || os_strlen(pin) > 8)
    926 		return -1;
    927 
    928 	if (scard->sim_type == SCARD_USIM)
    929 		cmd[0] = USIM_CLA;
    930 	os_memcpy(cmd + 5, pin, os_strlen(pin));
    931 	os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin));
    932 
    933 	len = sizeof(resp);
    934 	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
    935 	if (ret != SCARD_S_SUCCESS)
    936 		return -2;
    937 
    938 	if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) {
    939 		wpa_printf(MSG_WARNING, "SCARD: PIN verification failed");
    940 		return -1;
    941 	}
    942 
    943 	wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully");
    944 	return 0;
    945 }
    946 
    947 
    948 /**
    949  * scard_get_imsi - Read IMSI from SIM/USIM card
    950  * @scard: Pointer to private data from scard_init()
    951  * @imsi: Buffer for IMSI
    952  * @len: Length of imsi buffer; set to IMSI length on success
    953  * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file
    954  * selection returns invalid result code, -3 if parsing FSP template file fails
    955  * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set
    956  * to needed length), -5 if reading IMSI file fails.
    957  *
    958  * This function can be used to read IMSI from the SIM/USIM card. If the IMSI
    959  * file is PIN protected, scard_set_pin() must have been used to set the
    960  * correct PIN code before calling scard_get_imsi().
    961  */
    962 int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len)
    963 {
    964 	unsigned char buf[100];
    965 	size_t blen, imsilen, i;
    966 	char *pos;
    967 
    968 	wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI");
    969 	blen = sizeof(buf);
    970 	if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen))
    971 		return -1;
    972 	if (blen < 4) {
    973 		wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI "
    974 			   "header (len=%ld)", (long) blen);
    975 		return -2;
    976 	}
    977 
    978 	if (scard->sim_type == SCARD_GSM_SIM) {
    979 		blen = (buf[2] << 8) | buf[3];
    980 	} else {
    981 		int file_size;
    982 		if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
    983 			return -3;
    984 		blen = file_size;
    985 	}
    986 	if (blen < 2 || blen > sizeof(buf)) {
    987 		wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld",
    988 			   (long) blen);
    989 		return -3;
    990 	}
    991 
    992 	imsilen = (blen - 2) * 2 + 1;
    993 	wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld",
    994 		   (long) blen, (long) imsilen);
    995 	if (blen < 2 || imsilen > *len) {
    996 		*len = imsilen;
    997 		return -4;
    998 	}
    999 
   1000 	if (scard_read_file(scard, buf, blen))
   1001 		return -5;
   1002 
   1003 	pos = imsi;
   1004 	*pos++ = '0' + (buf[1] >> 4 & 0x0f);
   1005 	for (i = 2; i < blen; i++) {
   1006 		unsigned char digit;
   1007 
   1008 		digit = buf[i] & 0x0f;
   1009 		if (digit < 10)
   1010 			*pos++ = '0' + digit;
   1011 		else
   1012 			imsilen--;
   1013 
   1014 		digit = buf[i] >> 4 & 0x0f;
   1015 		if (digit < 10)
   1016 			*pos++ = '0' + digit;
   1017 		else
   1018 			imsilen--;
   1019 	}
   1020 	*len = imsilen;
   1021 
   1022 	return 0;
   1023 }
   1024 
   1025 
   1026 /**
   1027  * scard_gsm_auth - Run GSM authentication command on SIM card
   1028  * @scard: Pointer to private data from scard_init()
   1029  * @_rand: 16-byte RAND value from HLR/AuC
   1030  * @sres: 4-byte buffer for SRES
   1031  * @kc: 8-byte buffer for Kc
   1032  * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized,
   1033  * -2 if authentication command execution fails, -3 if unknown response code
   1034  * for authentication command is received, -4 if reading of response fails,
   1035  * -5 if if response data is of unexpected length
   1036  *
   1037  * This function performs GSM authentication using SIM/USIM card and the
   1038  * provided RAND value from HLR/AuC. If authentication command can be completed
   1039  * successfully, SRES and Kc values will be written into sres and kc buffers.
   1040  */
   1041 int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand,
   1042 		   unsigned char *sres, unsigned char *kc)
   1043 {
   1044 	unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG };
   1045 	int cmdlen;
   1046 	unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
   1047 	unsigned char resp[3], buf[12 + 3 + 2];
   1048 	size_t len;
   1049 	long ret;
   1050 
   1051 	if (scard == NULL)
   1052 		return -1;
   1053 
   1054 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16);
   1055 	if (scard->sim_type == SCARD_GSM_SIM) {
   1056 		cmdlen = 5 + 16;
   1057 		os_memcpy(cmd + 5, _rand, 16);
   1058 	} else {
   1059 		cmdlen = 5 + 1 + 16;
   1060 		cmd[0] = USIM_CLA;
   1061 		cmd[3] = 0x80;
   1062 		cmd[4] = 17;
   1063 		cmd[5] = 16;
   1064 		os_memcpy(cmd + 6, _rand, 16);
   1065 	}
   1066 	len = sizeof(resp);
   1067 	ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
   1068 	if (ret != SCARD_S_SUCCESS)
   1069 		return -2;
   1070 
   1071 	if ((scard->sim_type == SCARD_GSM_SIM &&
   1072 	     (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) ||
   1073 	    (scard->sim_type == SCARD_USIM &&
   1074 	     (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) {
   1075 		wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM "
   1076 			   "auth request (len=%ld resp=%02x %02x)",
   1077 			   (long) len, resp[0], resp[1]);
   1078 		return -3;
   1079 	}
   1080 	get_resp[4] = resp[1];
   1081 
   1082 	len = sizeof(buf);
   1083 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
   1084 	if (ret != SCARD_S_SUCCESS)
   1085 		return -4;
   1086 
   1087 	if (scard->sim_type == SCARD_GSM_SIM) {
   1088 		if (len != 4 + 8 + 2) {
   1089 			wpa_printf(MSG_WARNING, "SCARD: unexpected data "
   1090 				   "length for GSM auth (len=%ld, expected 14)",
   1091 				   (long) len);
   1092 			return -5;
   1093 		}
   1094 		os_memcpy(sres, buf, 4);
   1095 		os_memcpy(kc, buf + 4, 8);
   1096 	} else {
   1097 		if (len != 1 + 4 + 1 + 8 + 2) {
   1098 			wpa_printf(MSG_WARNING, "SCARD: unexpected data "
   1099 				   "length for USIM auth (len=%ld, "
   1100 				   "expected 16)", (long) len);
   1101 			return -5;
   1102 		}
   1103 		if (buf[0] != 4 || buf[5] != 8) {
   1104 			wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc "
   1105 				   "length (%d %d, expected 4 8)",
   1106 				   buf[0], buf[5]);
   1107 		}
   1108 		os_memcpy(sres, buf + 1, 4);
   1109 		os_memcpy(kc, buf + 6, 8);
   1110 	}
   1111 
   1112 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4);
   1113 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8);
   1114 
   1115 	return 0;
   1116 }
   1117 
   1118 
   1119 /**
   1120  * scard_umts_auth - Run UMTS authentication command on USIM card
   1121  * @scard: Pointer to private data from scard_init()
   1122  * @_rand: 16-byte RAND value from HLR/AuC
   1123  * @autn: 16-byte AUTN value from HLR/AuC
   1124  * @res: 16-byte buffer for RES
   1125  * @res_len: Variable that will be set to RES length
   1126  * @ik: 16-byte buffer for IK
   1127  * @ck: 16-byte buffer for CK
   1128  * @auts: 14-byte buffer for AUTS
   1129  * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization
   1130  * failure
   1131  *
   1132  * This function performs AKA authentication using USIM card and the provided
   1133  * RAND and AUTN values from HLR/AuC. If authentication command can be
   1134  * completed successfully, RES, IK, and CK values will be written into provided
   1135  * buffers and res_len is set to length of received RES value. If USIM reports
   1136  * synchronization failure, the received AUTS value will be written into auts
   1137  * buffer. In this case, RES, IK, and CK are not valid.
   1138  */
   1139 int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
   1140 		    const unsigned char *autn,
   1141 		    unsigned char *res, size_t *res_len,
   1142 		    unsigned char *ik, unsigned char *ck, unsigned char *auts)
   1143 {
   1144 	unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] =
   1145 		{ USIM_CMD_RUN_UMTS_ALG };
   1146 	unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE };
   1147 	unsigned char resp[3], buf[64], *pos, *end;
   1148 	size_t len;
   1149 	long ret;
   1150 
   1151 	if (scard == NULL)
   1152 		return -1;
   1153 
   1154 	if (scard->sim_type == SCARD_GSM_SIM) {
   1155 		wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS "
   1156 			   "auth");
   1157 		return -1;
   1158 	}
   1159 
   1160 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN);
   1161 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN);
   1162 	cmd[5] = AKA_RAND_LEN;
   1163 	os_memcpy(cmd + 6, _rand, AKA_RAND_LEN);
   1164 	cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN;
   1165 	os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN);
   1166 
   1167 	len = sizeof(resp);
   1168 	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
   1169 	if (ret != SCARD_S_SUCCESS)
   1170 		return -1;
   1171 
   1172 	if (len <= sizeof(resp))
   1173 		wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len);
   1174 
   1175 	if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) {
   1176 		wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - "
   1177 			   "MAC != XMAC");
   1178 		return -1;
   1179 	} else if (len != 2 || resp[0] != 0x61) {
   1180 		wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS "
   1181 			   "auth request (len=%ld resp=%02x %02x)",
   1182 			   (long) len, resp[0], resp[1]);
   1183 		return -1;
   1184 	}
   1185 	get_resp[4] = resp[1];
   1186 
   1187 	len = sizeof(buf);
   1188 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
   1189 	if (ret != SCARD_S_SUCCESS || len > sizeof(buf))
   1190 		return -1;
   1191 
   1192 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len);
   1193 	if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc &&
   1194 	    buf[1] == AKA_AUTS_LEN) {
   1195 		wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure");
   1196 		os_memcpy(auts, buf + 2, AKA_AUTS_LEN);
   1197 		wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN);
   1198 		return -2;
   1199 	} else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) {
   1200 		pos = buf + 1;
   1201 		end = buf + len;
   1202 
   1203 		/* RES */
   1204 		if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) {
   1205 			wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
   1206 			return -1;
   1207 		}
   1208 		*res_len = *pos++;
   1209 		os_memcpy(res, pos, *res_len);
   1210 		pos += *res_len;
   1211 		wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
   1212 
   1213 		/* CK */
   1214 		if (pos[0] != CK_LEN || pos + CK_LEN > end) {
   1215 			wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
   1216 			return -1;
   1217 		}
   1218 		pos++;
   1219 		os_memcpy(ck, pos, CK_LEN);
   1220 		pos += CK_LEN;
   1221 		wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
   1222 
   1223 		/* IK */
   1224 		if (pos[0] != IK_LEN || pos + IK_LEN > end) {
   1225 			wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
   1226 			return -1;
   1227 		}
   1228 		pos++;
   1229 		os_memcpy(ik, pos, IK_LEN);
   1230 		pos += IK_LEN;
   1231 		wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN);
   1232 
   1233 		return 0;
   1234 	}
   1235 
   1236 	wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response");
   1237 	return -1;
   1238 }
   1239