Home | History | Annotate | Download | only in utils
      1 /*
      2  * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM
      3  * Copyright (c) 2004-2007, 2012, Jouni Malinen <j (at) w1.fi>
      4  *
      5  * This software may be distributed under the terms of the BSD license.
      6  * See README for more details.
      7  *
      8  * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM
      9  * cards through PC/SC smartcard library. These functions are used to implement
     10  * authentication routines for EAP-SIM and EAP-AKA.
     11  */
     12 
     13 #include "includes.h"
     14 #include <winscard.h>
     15 
     16 #include "common.h"
     17 #include "pcsc_funcs.h"
     18 
     19 
     20 /* See ETSI GSM 11.11 and ETSI TS 102 221 for details.
     21  * SIM commands:
     22  * Command APDU: CLA INS P1 P2 P3 Data
     23  *   CLA (class of instruction): A0 for GSM, 00 for USIM
     24  *   INS (instruction)
     25  *   P1 P2 P3 (parameters, P3 = length of Data)
     26  * Response APDU: Data SW1 SW2
     27  *   SW1 SW2 (Status words)
     28  * Commands (INS P1 P2 P3):
     29  *   SELECT: A4 00 00 02 <file_id, 2 bytes>
     30  *   GET RESPONSE: C0 00 00 <len>
     31  *   RUN GSM ALG: 88 00 00 00 <RAND len = 10>
     32  *   RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN
     33  *	P1 = ID of alg in card
     34  *	P2 = ID of secret key
     35  *   READ BINARY: B0 <offset high> <offset low> <len>
     36  *   READ RECORD: B2 <record number> <mode> <len>
     37  *	P2 (mode) = '02' (next record), '03' (previous record),
     38  *		    '04' (absolute mode)
     39  *   VERIFY CHV: 20 00 <CHV number> 08
     40  *   CHANGE CHV: 24 00 <CHV number> 10
     41  *   DISABLE CHV: 26 00 01 08
     42  *   ENABLE CHV: 28 00 01 08
     43  *   UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10
     44  *   SLEEP: FA 00 00 00
     45  */
     46 
     47 /* GSM SIM commands */
     48 #define SIM_CMD_SELECT			0xa0, 0xa4, 0x00, 0x00, 0x02
     49 #define SIM_CMD_RUN_GSM_ALG		0xa0, 0x88, 0x00, 0x00, 0x10
     50 #define SIM_CMD_GET_RESPONSE		0xa0, 0xc0, 0x00, 0x00
     51 #define SIM_CMD_READ_BIN		0xa0, 0xb0, 0x00, 0x00
     52 #define SIM_CMD_READ_RECORD		0xa0, 0xb2, 0x00, 0x00
     53 #define SIM_CMD_VERIFY_CHV1		0xa0, 0x20, 0x00, 0x01, 0x08
     54 
     55 /* USIM commands */
     56 #define USIM_CLA			0x00
     57 #define USIM_CMD_RUN_UMTS_ALG		0x00, 0x88, 0x00, 0x81, 0x22
     58 #define USIM_CMD_GET_RESPONSE		0x00, 0xc0, 0x00, 0x00
     59 
     60 #define SIM_RECORD_MODE_ABSOLUTE 0x04
     61 
     62 #define USIM_FSP_TEMPL_TAG		0x62
     63 
     64 #define USIM_TLV_FILE_DESC		0x82
     65 #define USIM_TLV_FILE_ID		0x83
     66 #define USIM_TLV_DF_NAME		0x84
     67 #define USIM_TLV_PROPR_INFO		0xA5
     68 #define USIM_TLV_LIFE_CYCLE_STATUS	0x8A
     69 #define USIM_TLV_FILE_SIZE		0x80
     70 #define USIM_TLV_TOTAL_FILE_SIZE	0x81
     71 #define USIM_TLV_PIN_STATUS_TEMPLATE	0xC6
     72 #define USIM_TLV_SHORT_FILE_ID		0x88
     73 #define USIM_TLV_SECURITY_ATTR_8B	0x8B
     74 #define USIM_TLV_SECURITY_ATTR_8C	0x8C
     75 #define USIM_TLV_SECURITY_ATTR_AB	0xAB
     76 
     77 #define USIM_PS_DO_TAG			0x90
     78 
     79 #define AKA_RAND_LEN 16
     80 #define AKA_AUTN_LEN 16
     81 #define AKA_AUTS_LEN 14
     82 #define RES_MAX_LEN 16
     83 #define IK_LEN 16
     84 #define CK_LEN 16
     85 
     86 
     87 /* GSM files
     88  * File type in first octet:
     89  * 3F = Master File
     90  * 7F = Dedicated File
     91  * 2F = Elementary File under the Master File
     92  * 6F = Elementary File under a Dedicated File
     93  */
     94 #define SCARD_FILE_MF		0x3F00
     95 #define SCARD_FILE_GSM_DF	0x7F20
     96 #define SCARD_FILE_UMTS_DF	0x7F50
     97 #define SCARD_FILE_GSM_EF_IMSI	0x6F07
     98 #define SCARD_FILE_GSM_EF_AD	0x6FAD
     99 #define SCARD_FILE_EF_DIR	0x2F00
    100 #define SCARD_FILE_EF_ICCID	0x2FE2
    101 #define SCARD_FILE_EF_CK	0x6FE1
    102 #define SCARD_FILE_EF_IK	0x6FE2
    103 
    104 #define SCARD_CHV1_OFFSET	13
    105 #define SCARD_CHV1_FLAG		0x80
    106 
    107 
    108 typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types;
    109 
    110 struct scard_data {
    111 	SCARDCONTEXT ctx;
    112 	SCARDHANDLE card;
    113 	DWORD protocol;
    114 	sim_types sim_type;
    115 	int pin1_required;
    116 };
    117 
    118 #ifdef __MINGW32_VERSION
    119 /* MinGW does not yet support WinScard, so load the needed functions
    120  * dynamically from winscard.dll for now. */
    121 
    122 static HINSTANCE dll = NULL; /* winscard.dll */
    123 
    124 static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci;
    125 #undef SCARD_PCI_T0
    126 #define SCARD_PCI_T0 (dll_g_rgSCardT0Pci)
    127 #undef SCARD_PCI_T1
    128 #define SCARD_PCI_T1 (dll_g_rgSCardT1Pci)
    129 
    130 
    131 static WINSCARDAPI LONG WINAPI
    132 (*dll_SCardEstablishContext)(IN DWORD dwScope,
    133 			     IN LPCVOID pvReserved1,
    134 			     IN LPCVOID pvReserved2,
    135 			     OUT LPSCARDCONTEXT phContext);
    136 #define SCardEstablishContext dll_SCardEstablishContext
    137 
    138 static long (*dll_SCardReleaseContext)(long hContext);
    139 #define SCardReleaseContext dll_SCardReleaseContext
    140 
    141 static WINSCARDAPI LONG WINAPI
    142 (*dll_SCardListReadersA)(IN SCARDCONTEXT hContext,
    143 			 IN LPCSTR mszGroups,
    144 			 OUT LPSTR mszReaders,
    145 			 IN OUT LPDWORD pcchReaders);
    146 #undef SCardListReaders
    147 #define SCardListReaders dll_SCardListReadersA
    148 
    149 static WINSCARDAPI LONG WINAPI
    150 (*dll_SCardConnectA)(IN SCARDCONTEXT hContext,
    151 		     IN LPCSTR szReader,
    152 		     IN DWORD dwShareMode,
    153 		     IN DWORD dwPreferredProtocols,
    154 		     OUT LPSCARDHANDLE phCard,
    155 		     OUT LPDWORD pdwActiveProtocol);
    156 #undef SCardConnect
    157 #define SCardConnect dll_SCardConnectA
    158 
    159 static WINSCARDAPI LONG WINAPI
    160 (*dll_SCardDisconnect)(IN SCARDHANDLE hCard,
    161 		       IN DWORD dwDisposition);
    162 #define SCardDisconnect dll_SCardDisconnect
    163 
    164 static WINSCARDAPI LONG WINAPI
    165 (*dll_SCardTransmit)(IN SCARDHANDLE hCard,
    166 		     IN LPCSCARD_IO_REQUEST pioSendPci,
    167 		     IN LPCBYTE pbSendBuffer,
    168 		     IN DWORD cbSendLength,
    169 		     IN OUT LPSCARD_IO_REQUEST pioRecvPci,
    170 		     OUT LPBYTE pbRecvBuffer,
    171 		     IN OUT LPDWORD pcbRecvLength);
    172 #define SCardTransmit dll_SCardTransmit
    173 
    174 static WINSCARDAPI LONG WINAPI
    175 (*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard);
    176 #define SCardBeginTransaction dll_SCardBeginTransaction
    177 
    178 static WINSCARDAPI LONG WINAPI
    179 (*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition);
    180 #define SCardEndTransaction dll_SCardEndTransaction
    181 
    182 
    183 static int mingw_load_symbols(void)
    184 {
    185 	char *sym;
    186 
    187 	if (dll)
    188 		return 0;
    189 
    190 	dll = LoadLibrary("winscard");
    191 	if (dll == NULL) {
    192 		wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll "
    193 			   "library");
    194 		return -1;
    195 	}
    196 
    197 #define LOADSYM(s) \
    198 	sym = #s; \
    199 	dll_ ## s = (void *) GetProcAddress(dll, sym); \
    200 	if (dll_ ## s == NULL) \
    201 		goto fail;
    202 
    203 	LOADSYM(SCardEstablishContext);
    204 	LOADSYM(SCardReleaseContext);
    205 	LOADSYM(SCardListReadersA);
    206 	LOADSYM(SCardConnectA);
    207 	LOADSYM(SCardDisconnect);
    208 	LOADSYM(SCardTransmit);
    209 	LOADSYM(SCardBeginTransaction);
    210 	LOADSYM(SCardEndTransaction);
    211 	LOADSYM(g_rgSCardT0Pci);
    212 	LOADSYM(g_rgSCardT1Pci);
    213 
    214 #undef LOADSYM
    215 
    216 	return 0;
    217 
    218 fail:
    219 	wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from "
    220 		   "winscard.dll", sym);
    221 	FreeLibrary(dll);
    222 	dll = NULL;
    223 	return -1;
    224 }
    225 
    226 
    227 static void mingw_unload_symbols(void)
    228 {
    229 	if (dll == NULL)
    230 		return;
    231 
    232 	FreeLibrary(dll);
    233 	dll = NULL;
    234 }
    235 
    236 #else /* __MINGW32_VERSION */
    237 
    238 #define mingw_load_symbols() 0
    239 #define mingw_unload_symbols() do { } while (0)
    240 
    241 #endif /* __MINGW32_VERSION */
    242 
    243 
    244 static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
    245 			      unsigned char *buf, size_t *buf_len,
    246 			      sim_types sim_type, unsigned char *aid,
    247 			      size_t aidlen);
    248 static int scard_select_file(struct scard_data *scard, unsigned short file_id,
    249 			     unsigned char *buf, size_t *buf_len);
    250 static int scard_verify_pin(struct scard_data *scard, const char *pin);
    251 static int scard_get_record_len(struct scard_data *scard,
    252 				unsigned char recnum, unsigned char mode);
    253 static int scard_read_record(struct scard_data *scard,
    254 			     unsigned char *data, size_t len,
    255 			     unsigned char recnum, unsigned char mode);
    256 
    257 
    258 static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
    259 				 int *ps_do, int *file_len)
    260 {
    261 	unsigned char *pos, *end;
    262 
    263 	if (ps_do)
    264 		*ps_do = -1;
    265 	if (file_len)
    266 		*file_len = -1;
    267 
    268 	pos = buf;
    269 	end = pos + buf_len;
    270 	if (*pos != USIM_FSP_TEMPL_TAG) {
    271 		wpa_printf(MSG_DEBUG, "SCARD: file header did not "
    272 			   "start with FSP template tag");
    273 		return -1;
    274 	}
    275 	pos++;
    276 	if (pos >= end)
    277 		return -1;
    278 	if ((pos + pos[0]) < end)
    279 		end = pos + 1 + pos[0];
    280 	pos++;
    281 	wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
    282 		    pos, end - pos);
    283 
    284 	while (pos + 1 < end) {
    285 		wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV 0x%02x len=%d",
    286 			   pos[0], pos[1]);
    287 		if (pos + 2 + pos[1] > end)
    288 			break;
    289 
    290 		switch (pos[0]) {
    291 		case USIM_TLV_FILE_DESC:
    292 			wpa_hexdump(MSG_MSGDUMP, "SCARD: File Descriptor TLV",
    293 				    pos + 2, pos[1]);
    294 			break;
    295 		case USIM_TLV_FILE_ID:
    296 			wpa_hexdump(MSG_MSGDUMP, "SCARD: File Identifier TLV",
    297 				    pos + 2, pos[1]);
    298 			break;
    299 		case USIM_TLV_DF_NAME:
    300 			wpa_hexdump(MSG_MSGDUMP, "SCARD: DF name (AID) TLV",
    301 				    pos + 2, pos[1]);
    302 			break;
    303 		case USIM_TLV_PROPR_INFO:
    304 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Proprietary "
    305 				    "information TLV", pos + 2, pos[1]);
    306 			break;
    307 		case USIM_TLV_LIFE_CYCLE_STATUS:
    308 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Life Cycle Status "
    309 				    "Integer TLV", pos + 2, pos[1]);
    310 			break;
    311 		case USIM_TLV_FILE_SIZE:
    312 			wpa_hexdump(MSG_MSGDUMP, "SCARD: File size TLV",
    313 				    pos + 2, pos[1]);
    314 			if ((pos[1] == 1 || pos[1] == 2) && file_len) {
    315 				if (pos[1] == 1)
    316 					*file_len = (int) pos[2];
    317 				else
    318 					*file_len = ((int) pos[2] << 8) |
    319 						(int) pos[3];
    320 				wpa_printf(MSG_DEBUG, "SCARD: file_size=%d",
    321 					   *file_len);
    322 			}
    323 			break;
    324 		case USIM_TLV_TOTAL_FILE_SIZE:
    325 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Total file size TLV",
    326 				    pos + 2, pos[1]);
    327 			break;
    328 		case USIM_TLV_PIN_STATUS_TEMPLATE:
    329 			wpa_hexdump(MSG_MSGDUMP, "SCARD: PIN Status Template "
    330 				    "DO TLV", pos + 2, pos[1]);
    331 			if (pos[1] >= 2 && pos[2] == USIM_PS_DO_TAG &&
    332 			    pos[3] >= 1 && ps_do) {
    333 				wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x",
    334 					   pos[4]);
    335 				*ps_do = (int) pos[4];
    336 			}
    337 			break;
    338 		case USIM_TLV_SHORT_FILE_ID:
    339 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Short File "
    340 				    "Identifier (SFI) TLV", pos + 2, pos[1]);
    341 			break;
    342 		case USIM_TLV_SECURITY_ATTR_8B:
    343 		case USIM_TLV_SECURITY_ATTR_8C:
    344 		case USIM_TLV_SECURITY_ATTR_AB:
    345 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Security attribute "
    346 				    "TLV", pos + 2, pos[1]);
    347 			break;
    348 		default:
    349 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Unrecognized TLV",
    350 				    pos, 2 + pos[1]);
    351 			break;
    352 		}
    353 
    354 		pos += 2 + pos[1];
    355 
    356 		if (pos == end)
    357 			return 0;
    358 	}
    359 	return -1;
    360 }
    361 
    362 
    363 static int scard_pin_needed(struct scard_data *scard,
    364 			    unsigned char *hdr, size_t hlen)
    365 {
    366 	if (scard->sim_type == SCARD_GSM_SIM) {
    367 		if (hlen > SCARD_CHV1_OFFSET &&
    368 		    !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG))
    369 			return 1;
    370 		return 0;
    371 	}
    372 
    373 	if (scard->sim_type == SCARD_USIM) {
    374 		int ps_do;
    375 		if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL))
    376 			return -1;
    377 		/* TODO: there could be more than one PS_DO entry because of
    378 		 * multiple PINs in key reference.. */
    379 		if (ps_do > 0 && (ps_do & 0x80))
    380 			return 1;
    381 		return 0;
    382 	}
    383 
    384 	return -1;
    385 }
    386 
    387 
    388 static int scard_get_aid(struct scard_data *scard, unsigned char *aid,
    389 			 size_t maxlen)
    390 {
    391 	int rlen, rec;
    392 	struct efdir {
    393 		unsigned char appl_template_tag; /* 0x61 */
    394 		unsigned char appl_template_len;
    395 		unsigned char appl_id_tag; /* 0x4f */
    396 		unsigned char aid_len;
    397 		unsigned char rid[5];
    398 		unsigned char appl_code[2]; /* 0x1002 for 3G USIM */
    399 	} *efdir;
    400 	unsigned char buf[127];
    401 	size_t blen;
    402 
    403 	efdir = (struct efdir *) buf;
    404 	blen = sizeof(buf);
    405 	if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) {
    406 		wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR");
    407 		return -1;
    408 	}
    409 	wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen);
    410 
    411 	for (rec = 1; rec < 10; rec++) {
    412 		rlen = scard_get_record_len(scard, rec,
    413 					    SIM_RECORD_MODE_ABSOLUTE);
    414 		if (rlen < 0) {
    415 			wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR "
    416 				   "record length");
    417 			return -1;
    418 		}
    419 		blen = sizeof(buf);
    420 		if (rlen > (int) blen) {
    421 			wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record");
    422 			return -1;
    423 		}
    424 		if (scard_read_record(scard, buf, rlen, rec,
    425 				      SIM_RECORD_MODE_ABSOLUTE) < 0) {
    426 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read "
    427 				   "EF_DIR record %d", rec);
    428 			return -1;
    429 		}
    430 		wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen);
    431 
    432 		if (efdir->appl_template_tag != 0x61) {
    433 			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
    434 				   "template tag 0x%x",
    435 				   efdir->appl_template_tag);
    436 			continue;
    437 		}
    438 
    439 		if (efdir->appl_template_len > rlen - 2) {
    440 			wpa_printf(MSG_DEBUG, "SCARD: Too long application "
    441 				   "template (len=%d rlen=%d)",
    442 				   efdir->appl_template_len, rlen);
    443 			continue;
    444 		}
    445 
    446 		if (efdir->appl_id_tag != 0x4f) {
    447 			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
    448 				   "identifier tag 0x%x", efdir->appl_id_tag);
    449 			continue;
    450 		}
    451 
    452 		if (efdir->aid_len < 1 || efdir->aid_len > 16) {
    453 			wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %d",
    454 				   efdir->aid_len);
    455 			continue;
    456 		}
    457 
    458 		wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record",
    459 			    efdir->rid, efdir->aid_len);
    460 
    461 		if (efdir->appl_code[0] == 0x10 &&
    462 		    efdir->appl_code[1] == 0x02) {
    463 			wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from "
    464 				   "EF_DIR record %d", rec);
    465 			break;
    466 		}
    467 	}
    468 
    469 	if (rec >= 10) {
    470 		wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found "
    471 			   "from EF_DIR records");
    472 		return -1;
    473 	}
    474 
    475 	if (efdir->aid_len > maxlen) {
    476 		wpa_printf(MSG_DEBUG, "SCARD: Too long AID");
    477 		return -1;
    478 	}
    479 
    480 	os_memcpy(aid, efdir->rid, efdir->aid_len);
    481 
    482 	return efdir->aid_len;
    483 }
    484 
    485 
    486 /**
    487  * scard_init - Initialize SIM/USIM connection using PC/SC
    488  * @sim_type: Allowed SIM types (SIM, USIM, or both)
    489  * @reader: Reader name prefix to search for
    490  * Returns: Pointer to private data structure, or %NULL on failure
    491  *
    492  * This function is used to initialize SIM/USIM connection. PC/SC is used to
    493  * open connection to the SIM/USIM card and the card is verified to support the
    494  * selected sim_type. In addition, local flag is set if a PIN is needed to
    495  * access some of the card functions. Once the connection is not needed
    496  * anymore, scard_deinit() can be used to close it.
    497  */
    498 struct scard_data * scard_init(scard_sim_type sim_type, const char *reader)
    499 {
    500 	long ret;
    501 	unsigned long len, pos;
    502 	struct scard_data *scard;
    503 #ifdef CONFIG_NATIVE_WINDOWS
    504 	TCHAR *readers = NULL;
    505 #else /* CONFIG_NATIVE_WINDOWS */
    506 	char *readers = NULL;
    507 #endif /* CONFIG_NATIVE_WINDOWS */
    508 	unsigned char buf[100];
    509 	size_t blen;
    510 	int transaction = 0;
    511 	int pin_needed;
    512 
    513 	wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface");
    514 	if (mingw_load_symbols())
    515 		return NULL;
    516 	scard = os_zalloc(sizeof(*scard));
    517 	if (scard == NULL)
    518 		return NULL;
    519 
    520 	ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL,
    521 				    &scard->ctx);
    522 	if (ret != SCARD_S_SUCCESS) {
    523 		wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card "
    524 			   "context (err=%ld)", ret);
    525 		goto failed;
    526 	}
    527 
    528 	ret = SCardListReaders(scard->ctx, NULL, NULL, &len);
    529 	if (ret != SCARD_S_SUCCESS) {
    530 		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed "
    531 			   "(err=%ld)", ret);
    532 		goto failed;
    533 	}
    534 
    535 #ifdef UNICODE
    536 	len *= 2;
    537 #endif /* UNICODE */
    538 	readers = os_malloc(len);
    539 	if (readers == NULL) {
    540 		wpa_printf(MSG_INFO, "SCARD: malloc failed\n");
    541 		goto failed;
    542 	}
    543 
    544 	ret = SCardListReaders(scard->ctx, NULL, readers, &len);
    545 	if (ret != SCARD_S_SUCCESS) {
    546 		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) "
    547 			   "(err=%ld)", ret);
    548 		goto failed;
    549 	}
    550 	if (len < 3) {
    551 		wpa_printf(MSG_WARNING, "SCARD: No smart card readers "
    552 			   "available.");
    553 		goto failed;
    554 	}
    555 	wpa_hexdump_ascii(MSG_DEBUG, "SCARD: Readers", (u8 *) readers, len);
    556 	/*
    557 	 * readers is a list of available readers. The last entry is terminated
    558 	 * with double null.
    559 	 */
    560 	pos = 0;
    561 #ifdef UNICODE
    562 	/* TODO */
    563 #else /* UNICODE */
    564 	while (pos < len) {
    565 		if (reader == NULL ||
    566 		    os_strncmp(&readers[pos], reader, os_strlen(reader)) == 0)
    567 			break;
    568 		while (pos < len && readers[pos])
    569 			pos++;
    570 		pos++; /* skip separating null */
    571 		if (pos < len && readers[pos] == '\0')
    572 			pos = len; /* double null terminates list */
    573 	}
    574 #endif /* UNICODE */
    575 	if (pos >= len) {
    576 		wpa_printf(MSG_WARNING, "SCARD: No reader with prefix '%s' "
    577 			   "found", reader);
    578 		goto failed;
    579 	}
    580 
    581 #ifdef UNICODE
    582 	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", &readers[pos]);
    583 #else /* UNICODE */
    584 	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", &readers[pos]);
    585 #endif /* UNICODE */
    586 
    587 	ret = SCardConnect(scard->ctx, &readers[pos], SCARD_SHARE_SHARED,
    588 			   SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
    589 			   &scard->card, &scard->protocol);
    590 	if (ret != SCARD_S_SUCCESS) {
    591 		if (ret == (long) SCARD_E_NO_SMARTCARD)
    592 			wpa_printf(MSG_INFO, "No smart card inserted.");
    593 		else
    594 			wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret);
    595 		goto failed;
    596 	}
    597 
    598 	os_free(readers);
    599 	readers = NULL;
    600 
    601 	wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)",
    602 		   (unsigned int) scard->card, scard->protocol,
    603 		   scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1");
    604 
    605 	ret = SCardBeginTransaction(scard->card);
    606 	if (ret != SCARD_S_SUCCESS) {
    607 		wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: "
    608 			   "0x%x", (unsigned int) ret);
    609 		goto failed;
    610 	}
    611 	transaction = 1;
    612 
    613 	blen = sizeof(buf);
    614 
    615 	scard->sim_type = SCARD_GSM_SIM;
    616 	if (sim_type == SCARD_USIM_ONLY || sim_type == SCARD_TRY_BOTH) {
    617 		wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support");
    618 		if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen,
    619 				       SCARD_USIM, NULL, 0)) {
    620 			wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported");
    621 			if (sim_type == SCARD_USIM_ONLY)
    622 				goto failed;
    623 			wpa_printf(MSG_DEBUG, "SCARD: Trying to use GSM SIM");
    624 			scard->sim_type = SCARD_GSM_SIM;
    625 		} else {
    626 			wpa_printf(MSG_DEBUG, "SCARD: USIM is supported");
    627 			scard->sim_type = SCARD_USIM;
    628 		}
    629 	}
    630 
    631 	if (scard->sim_type == SCARD_GSM_SIM) {
    632 		blen = sizeof(buf);
    633 		if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) {
    634 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF");
    635 			goto failed;
    636 		}
    637 
    638 		blen = sizeof(buf);
    639 		if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) {
    640 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF");
    641 			goto failed;
    642 		}
    643 	} else {
    644 		unsigned char aid[32];
    645 		int aid_len;
    646 
    647 		aid_len = scard_get_aid(scard, aid, sizeof(aid));
    648 		if (aid_len < 0) {
    649 			wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for "
    650 				   "3G USIM app - try to use standard 3G RID");
    651 			os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5);
    652 			aid_len = 5;
    653 		}
    654 		wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len);
    655 
    656 		/* Select based on AID = 3G RID from EF_DIR. This is usually
    657 		 * starting with A0 00 00 00 87. */
    658 		blen = sizeof(buf);
    659 		if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type,
    660 				       aid, aid_len)) {
    661 			wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM "
    662 				   "app");
    663 			wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID",
    664 				    aid, aid_len);
    665 			goto failed;
    666 		}
    667 	}
    668 
    669 	/* Verify whether CHV1 (PIN1) is needed to access the card. */
    670 	pin_needed = scard_pin_needed(scard, buf, blen);
    671 	if (pin_needed < 0) {
    672 		wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN "
    673 			   "is needed");
    674 		goto failed;
    675 	}
    676 	if (pin_needed) {
    677 		scard->pin1_required = 1;
    678 		wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access (retry "
    679 			   "counter=%d)", scard_get_pin_retry_counter(scard));
    680 	}
    681 
    682 	ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
    683 	if (ret != SCARD_S_SUCCESS) {
    684 		wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: "
    685 			   "0x%x", (unsigned int) ret);
    686 	}
    687 
    688 	return scard;
    689 
    690 failed:
    691 	if (transaction)
    692 		SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
    693 	os_free(readers);
    694 	scard_deinit(scard);
    695 	return NULL;
    696 }
    697 
    698 
    699 /**
    700  * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands
    701  * @scard: Pointer to private data from scard_init()
    702  * @pin: PIN code as an ASCII string (e.g., "1234")
    703  * Returns: 0 on success, -1 on failure
    704  */
    705 int scard_set_pin(struct scard_data *scard, const char *pin)
    706 {
    707 	if (scard == NULL)
    708 		return -1;
    709 
    710 	/* Verify whether CHV1 (PIN1) is needed to access the card. */
    711 	if (scard->pin1_required) {
    712 		if (pin == NULL) {
    713 			wpa_printf(MSG_DEBUG, "No PIN configured for SIM "
    714 				   "access");
    715 			return -1;
    716 		}
    717 		if (scard_verify_pin(scard, pin)) {
    718 			wpa_printf(MSG_INFO, "PIN verification failed for "
    719 				"SIM access");
    720 			return -1;
    721 		}
    722 	}
    723 
    724 	return 0;
    725 }
    726 
    727 
    728 /**
    729  * scard_deinit - Deinitialize SIM/USIM connection
    730  * @scard: Pointer to private data from scard_init()
    731  *
    732  * This function closes the SIM/USIM connect opened with scard_init().
    733  */
    734 void scard_deinit(struct scard_data *scard)
    735 {
    736 	long ret;
    737 
    738 	if (scard == NULL)
    739 		return;
    740 
    741 	wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface");
    742 	if (scard->card) {
    743 		ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD);
    744 		if (ret != SCARD_S_SUCCESS) {
    745 			wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect "
    746 				   "smart card (err=%ld)", ret);
    747 		}
    748 	}
    749 
    750 	if (scard->ctx) {
    751 		ret = SCardReleaseContext(scard->ctx);
    752 		if (ret != SCARD_S_SUCCESS) {
    753 			wpa_printf(MSG_DEBUG, "Failed to release smart card "
    754 				   "context (err=%ld)", ret);
    755 		}
    756 	}
    757 	os_free(scard);
    758 	mingw_unload_symbols();
    759 }
    760 
    761 
    762 static long scard_transmit(struct scard_data *scard,
    763 			   unsigned char *_send, size_t send_len,
    764 			   unsigned char *_recv, size_t *recv_len)
    765 {
    766 	long ret;
    767 	unsigned long rlen;
    768 
    769 	wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send",
    770 			_send, send_len);
    771 	rlen = *recv_len;
    772 	ret = SCardTransmit(scard->card,
    773 			    scard->protocol == SCARD_PROTOCOL_T1 ?
    774 			    SCARD_PCI_T1 : SCARD_PCI_T0,
    775 			    _send, (unsigned long) send_len,
    776 			    NULL, _recv, &rlen);
    777 	*recv_len = rlen;
    778 	if (ret == SCARD_S_SUCCESS) {
    779 		wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv",
    780 			    _recv, rlen);
    781 	} else {
    782 		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
    783 			   "(err=0x%lx)", ret);
    784 	}
    785 	return ret;
    786 }
    787 
    788 
    789 static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
    790 			      unsigned char *buf, size_t *buf_len,
    791 			      sim_types sim_type, unsigned char *aid,
    792 			      size_t aidlen)
    793 {
    794 	long ret;
    795 	unsigned char resp[3];
    796 	unsigned char cmd[50] = { SIM_CMD_SELECT };
    797 	int cmdlen;
    798 	unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
    799 	size_t len, rlen;
    800 
    801 	if (sim_type == SCARD_USIM) {
    802 		cmd[0] = USIM_CLA;
    803 		cmd[3] = 0x04;
    804 		get_resp[0] = USIM_CLA;
    805 	}
    806 
    807 	wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id);
    808 	if (aid) {
    809 		wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID",
    810 			    aid, aidlen);
    811 		if (5 + aidlen > sizeof(cmd))
    812 			return -1;
    813 		cmd[2] = 0x04; /* Select by AID */
    814 		cmd[4] = aidlen; /* len */
    815 		os_memcpy(cmd + 5, aid, aidlen);
    816 		cmdlen = 5 + aidlen;
    817 	} else {
    818 		cmd[5] = file_id >> 8;
    819 		cmd[6] = file_id & 0xff;
    820 		cmdlen = 7;
    821 	}
    822 	len = sizeof(resp);
    823 	ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
    824 	if (ret != SCARD_S_SUCCESS) {
    825 		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
    826 			   "(err=0x%lx)", ret);
    827 		return -1;
    828 	}
    829 
    830 	if (len != 2) {
    831 		wpa_printf(MSG_WARNING, "SCARD: unexpected resp len "
    832 			   "%d (expected 2)", (int) len);
    833 		return -1;
    834 	}
    835 
    836 	if (resp[0] == 0x98 && resp[1] == 0x04) {
    837 		/* Security status not satisfied (PIN_WLAN) */
    838 		wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied "
    839 			   "(PIN_WLAN)");
    840 		return -1;
    841 	}
    842 
    843 	if (resp[0] == 0x6e) {
    844 		wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported");
    845 		return -1;
    846 	}
    847 
    848 	if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) {
    849 		wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x "
    850 			   "(expected 0x61, 0x6c, or 0x9f)", resp[0]);
    851 		return -1;
    852 	}
    853 	/* Normal ending of command; resp[1] bytes available */
    854 	get_resp[4] = resp[1];
    855 	wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)",
    856 		   resp[1]);
    857 
    858 	rlen = *buf_len;
    859 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen);
    860 	if (ret == SCARD_S_SUCCESS) {
    861 		*buf_len = resp[1] < rlen ? resp[1] : rlen;
    862 		return 0;
    863 	}
    864 
    865 	wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret);
    866 	return -1;
    867 }
    868 
    869 
    870 static int scard_select_file(struct scard_data *scard, unsigned short file_id,
    871 			     unsigned char *buf, size_t *buf_len)
    872 {
    873 	return _scard_select_file(scard, file_id, buf, buf_len,
    874 				  scard->sim_type, NULL, 0);
    875 }
    876 
    877 
    878 static int scard_get_record_len(struct scard_data *scard, unsigned char recnum,
    879 				unsigned char mode)
    880 {
    881 	unsigned char buf[255];
    882 	unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
    883 	size_t blen;
    884 	long ret;
    885 
    886 	if (scard->sim_type == SCARD_USIM)
    887 		cmd[0] = USIM_CLA;
    888 	cmd[2] = recnum;
    889 	cmd[3] = mode;
    890 	cmd[4] = sizeof(buf);
    891 
    892 	blen = sizeof(buf);
    893 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
    894 	if (ret != SCARD_S_SUCCESS) {
    895 		wpa_printf(MSG_DEBUG, "SCARD: failed to determine file "
    896 			   "length for record %d", recnum);
    897 		return -1;
    898 	}
    899 
    900 	wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response",
    901 		    buf, blen);
    902 
    903 	if (blen < 2 || (buf[0] != 0x6c && buf[0] != 0x67)) {
    904 		wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file "
    905 			   "length determination");
    906 		return -1;
    907 	}
    908 
    909 	return buf[1];
    910 }
    911 
    912 
    913 static int scard_read_record(struct scard_data *scard,
    914 			     unsigned char *data, size_t len,
    915 			     unsigned char recnum, unsigned char mode)
    916 {
    917 	unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
    918 	size_t blen = len + 3;
    919 	unsigned char *buf;
    920 	long ret;
    921 
    922 	if (scard->sim_type == SCARD_USIM)
    923 		cmd[0] = USIM_CLA;
    924 	cmd[2] = recnum;
    925 	cmd[3] = mode;
    926 	cmd[4] = len;
    927 
    928 	buf = os_malloc(blen);
    929 	if (buf == NULL)
    930 		return -1;
    931 
    932 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
    933 	if (ret != SCARD_S_SUCCESS) {
    934 		os_free(buf);
    935 		return -2;
    936 	}
    937 	if (blen != len + 2) {
    938 		wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
    939 			   "length %ld (expected %ld)",
    940 			   (long) blen, (long) len + 2);
    941 		os_free(buf);
    942 		return -3;
    943 	}
    944 
    945 	if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
    946 		wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
    947 			   "status %02x %02x (expected 90 00)",
    948 			   buf[len], buf[len + 1]);
    949 		os_free(buf);
    950 		return -4;
    951 	}
    952 
    953 	os_memcpy(data, buf, len);
    954 	os_free(buf);
    955 
    956 	return 0;
    957 }
    958 
    959 
    960 static int scard_read_file(struct scard_data *scard,
    961 			   unsigned char *data, size_t len)
    962 {
    963 	unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ };
    964 	size_t blen = len + 3;
    965 	unsigned char *buf;
    966 	long ret;
    967 
    968 	cmd[4] = len;
    969 
    970 	buf = os_malloc(blen);
    971 	if (buf == NULL)
    972 		return -1;
    973 
    974 	if (scard->sim_type == SCARD_USIM)
    975 		cmd[0] = USIM_CLA;
    976 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
    977 	if (ret != SCARD_S_SUCCESS) {
    978 		os_free(buf);
    979 		return -2;
    980 	}
    981 	if (blen != len + 2) {
    982 		wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
    983 			   "length %ld (expected %ld)",
    984 			   (long) blen, (long) len + 2);
    985 		os_free(buf);
    986 		return -3;
    987 	}
    988 
    989 	if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
    990 		wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
    991 			   "status %02x %02x (expected 90 00)",
    992 			   buf[len], buf[len + 1]);
    993 		os_free(buf);
    994 		return -4;
    995 	}
    996 
    997 	os_memcpy(data, buf, len);
    998 	os_free(buf);
    999 
   1000 	return 0;
   1001 }
   1002 
   1003 
   1004 static int scard_verify_pin(struct scard_data *scard, const char *pin)
   1005 {
   1006 	long ret;
   1007 	unsigned char resp[3];
   1008 	unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 };
   1009 	size_t len;
   1010 
   1011 	wpa_printf(MSG_DEBUG, "SCARD: verifying PIN");
   1012 
   1013 	if (pin == NULL || os_strlen(pin) > 8)
   1014 		return -1;
   1015 
   1016 	if (scard->sim_type == SCARD_USIM)
   1017 		cmd[0] = USIM_CLA;
   1018 	os_memcpy(cmd + 5, pin, os_strlen(pin));
   1019 	os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin));
   1020 
   1021 	len = sizeof(resp);
   1022 	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
   1023 	if (ret != SCARD_S_SUCCESS)
   1024 		return -2;
   1025 
   1026 	if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) {
   1027 		wpa_printf(MSG_WARNING, "SCARD: PIN verification failed");
   1028 		return -1;
   1029 	}
   1030 
   1031 	wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully");
   1032 	return 0;
   1033 }
   1034 
   1035 
   1036 int scard_get_pin_retry_counter(struct scard_data *scard)
   1037 {
   1038 	long ret;
   1039 	unsigned char resp[3];
   1040 	unsigned char cmd[5] = { SIM_CMD_VERIFY_CHV1 };
   1041 	size_t len;
   1042 	u16 val;
   1043 
   1044 	wpa_printf(MSG_DEBUG, "SCARD: fetching PIN retry counter");
   1045 
   1046 	if (scard->sim_type == SCARD_USIM)
   1047 		cmd[0] = USIM_CLA;
   1048 	cmd[4] = 0; /* Empty data */
   1049 
   1050 	len = sizeof(resp);
   1051 	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
   1052 	if (ret != SCARD_S_SUCCESS)
   1053 		return -2;
   1054 
   1055 	if (len != 2) {
   1056 		wpa_printf(MSG_WARNING, "SCARD: failed to fetch PIN retry "
   1057 			   "counter");
   1058 		return -1;
   1059 	}
   1060 
   1061 	val = WPA_GET_BE16(resp);
   1062 	if (val == 0x63c0 || val == 0x6983) {
   1063 		wpa_printf(MSG_DEBUG, "SCARD: PIN has been blocked");
   1064 		return 0;
   1065 	}
   1066 
   1067 	if (val >= 0x63c0 && val <= 0x63cf)
   1068 		return val & 0x000f;
   1069 
   1070 	wpa_printf(MSG_DEBUG, "SCARD: Unexpected PIN retry counter response "
   1071 		   "value 0x%x", val);
   1072 	return 0;
   1073 }
   1074 
   1075 
   1076 /**
   1077  * scard_get_imsi - Read IMSI from SIM/USIM card
   1078  * @scard: Pointer to private data from scard_init()
   1079  * @imsi: Buffer for IMSI
   1080  * @len: Length of imsi buffer; set to IMSI length on success
   1081  * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file
   1082  * selection returns invalid result code, -3 if parsing FSP template file fails
   1083  * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set
   1084  * to needed length), -5 if reading IMSI file fails.
   1085  *
   1086  * This function can be used to read IMSI from the SIM/USIM card. If the IMSI
   1087  * file is PIN protected, scard_set_pin() must have been used to set the
   1088  * correct PIN code before calling scard_get_imsi().
   1089  */
   1090 int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len)
   1091 {
   1092 	unsigned char buf[100];
   1093 	size_t blen, imsilen, i;
   1094 	char *pos;
   1095 
   1096 	wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI");
   1097 	blen = sizeof(buf);
   1098 	if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen))
   1099 		return -1;
   1100 	if (blen < 4) {
   1101 		wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI "
   1102 			   "header (len=%ld)", (long) blen);
   1103 		return -2;
   1104 	}
   1105 
   1106 	if (scard->sim_type == SCARD_GSM_SIM) {
   1107 		blen = (buf[2] << 8) | buf[3];
   1108 	} else {
   1109 		int file_size;
   1110 		if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
   1111 			return -3;
   1112 		blen = file_size;
   1113 	}
   1114 	if (blen < 2 || blen > sizeof(buf)) {
   1115 		wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld",
   1116 			   (long) blen);
   1117 		return -3;
   1118 	}
   1119 
   1120 	imsilen = (blen - 2) * 2 + 1;
   1121 	wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld",
   1122 		   (long) blen, (long) imsilen);
   1123 	if (blen < 2 || imsilen > *len) {
   1124 		*len = imsilen;
   1125 		return -4;
   1126 	}
   1127 
   1128 	if (scard_read_file(scard, buf, blen))
   1129 		return -5;
   1130 
   1131 	pos = imsi;
   1132 	*pos++ = '0' + (buf[1] >> 4 & 0x0f);
   1133 	for (i = 2; i < blen; i++) {
   1134 		unsigned char digit;
   1135 
   1136 		digit = buf[i] & 0x0f;
   1137 		if (digit < 10)
   1138 			*pos++ = '0' + digit;
   1139 		else
   1140 			imsilen--;
   1141 
   1142 		digit = buf[i] >> 4 & 0x0f;
   1143 		if (digit < 10)
   1144 			*pos++ = '0' + digit;
   1145 		else
   1146 			imsilen--;
   1147 	}
   1148 	*len = imsilen;
   1149 
   1150 	return 0;
   1151 }
   1152 
   1153 
   1154 /**
   1155  * scard_get_mnc_len - Read length of MNC in the IMSI from SIM/USIM card
   1156  * @scard: Pointer to private data from scard_init()
   1157  * Returns: length (>0) on success, -1 if administrative data file cannot be
   1158  * selected, -2 if administrative data file selection returns invalid result
   1159  * code, -3 if parsing FSP template file fails (USIM only), -4 if length of
   1160  * the file is unexpected, -5 if reading file fails, -6 if MNC length is not
   1161  * in range (i.e. 2 or 3), -7 if MNC length is not available.
   1162  *
   1163  */
   1164 int scard_get_mnc_len(struct scard_data *scard)
   1165 {
   1166 	unsigned char buf[100];
   1167 	size_t blen;
   1168 	int file_size;
   1169 
   1170 	wpa_printf(MSG_DEBUG, "SCARD: reading MNC len from (GSM) EF-AD");
   1171 	blen = sizeof(buf);
   1172 	if (scard_select_file(scard, SCARD_FILE_GSM_EF_AD, buf, &blen))
   1173 		return -1;
   1174 	if (blen < 4) {
   1175 		wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-AD "
   1176 			   "header (len=%ld)", (long) blen);
   1177 		return -2;
   1178 	}
   1179 
   1180 	if (scard->sim_type == SCARD_GSM_SIM) {
   1181 		file_size = (buf[2] << 8) | buf[3];
   1182 	} else {
   1183 		if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
   1184 			return -3;
   1185 	}
   1186 	if (file_size == 3) {
   1187 		wpa_printf(MSG_DEBUG, "SCARD: MNC length not available");
   1188 		return -7;
   1189 	}
   1190 	if (file_size < 4 || file_size > (int) sizeof(buf)) {
   1191 		wpa_printf(MSG_DEBUG, "SCARD: invalid file length=%ld",
   1192 			   (long) file_size);
   1193 		return -4;
   1194 	}
   1195 
   1196 	if (scard_read_file(scard, buf, file_size))
   1197 		return -5;
   1198 	buf[3] = buf[3] & 0x0f; /* upper nibble reserved for future use  */
   1199 	if (buf[3] < 2 || buf[3] > 3) {
   1200 		wpa_printf(MSG_DEBUG, "SCARD: invalid MNC length=%ld",
   1201 			   (long) buf[3]);
   1202 		return -6;
   1203 	}
   1204 	wpa_printf(MSG_DEBUG, "SCARD: MNC length=%ld", (long) buf[3]);
   1205 	return buf[3];
   1206 }
   1207 
   1208 
   1209 /**
   1210  * scard_gsm_auth - Run GSM authentication command on SIM card
   1211  * @scard: Pointer to private data from scard_init()
   1212  * @_rand: 16-byte RAND value from HLR/AuC
   1213  * @sres: 4-byte buffer for SRES
   1214  * @kc: 8-byte buffer for Kc
   1215  * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized,
   1216  * -2 if authentication command execution fails, -3 if unknown response code
   1217  * for authentication command is received, -4 if reading of response fails,
   1218  * -5 if if response data is of unexpected length
   1219  *
   1220  * This function performs GSM authentication using SIM/USIM card and the
   1221  * provided RAND value from HLR/AuC. If authentication command can be completed
   1222  * successfully, SRES and Kc values will be written into sres and kc buffers.
   1223  */
   1224 int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand,
   1225 		   unsigned char *sres, unsigned char *kc)
   1226 {
   1227 	unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG };
   1228 	int cmdlen;
   1229 	unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
   1230 	unsigned char resp[3], buf[12 + 3 + 2];
   1231 	size_t len;
   1232 	long ret;
   1233 
   1234 	if (scard == NULL)
   1235 		return -1;
   1236 
   1237 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16);
   1238 	if (scard->sim_type == SCARD_GSM_SIM) {
   1239 		cmdlen = 5 + 16;
   1240 		os_memcpy(cmd + 5, _rand, 16);
   1241 	} else {
   1242 		cmdlen = 5 + 1 + 16;
   1243 		cmd[0] = USIM_CLA;
   1244 		cmd[3] = 0x80;
   1245 		cmd[4] = 17;
   1246 		cmd[5] = 16;
   1247 		os_memcpy(cmd + 6, _rand, 16);
   1248 	}
   1249 	len = sizeof(resp);
   1250 	ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
   1251 	if (ret != SCARD_S_SUCCESS)
   1252 		return -2;
   1253 
   1254 	if ((scard->sim_type == SCARD_GSM_SIM &&
   1255 	     (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) ||
   1256 	    (scard->sim_type == SCARD_USIM &&
   1257 	     (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) {
   1258 		wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM "
   1259 			   "auth request (len=%ld resp=%02x %02x)",
   1260 			   (long) len, resp[0], resp[1]);
   1261 		return -3;
   1262 	}
   1263 	get_resp[4] = resp[1];
   1264 
   1265 	len = sizeof(buf);
   1266 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
   1267 	if (ret != SCARD_S_SUCCESS)
   1268 		return -4;
   1269 
   1270 	if (scard->sim_type == SCARD_GSM_SIM) {
   1271 		if (len != 4 + 8 + 2) {
   1272 			wpa_printf(MSG_WARNING, "SCARD: unexpected data "
   1273 				   "length for GSM auth (len=%ld, expected 14)",
   1274 				   (long) len);
   1275 			return -5;
   1276 		}
   1277 		os_memcpy(sres, buf, 4);
   1278 		os_memcpy(kc, buf + 4, 8);
   1279 	} else {
   1280 		if (len != 1 + 4 + 1 + 8 + 2) {
   1281 			wpa_printf(MSG_WARNING, "SCARD: unexpected data "
   1282 				   "length for USIM auth (len=%ld, "
   1283 				   "expected 16)", (long) len);
   1284 			return -5;
   1285 		}
   1286 		if (buf[0] != 4 || buf[5] != 8) {
   1287 			wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc "
   1288 				   "length (%d %d, expected 4 8)",
   1289 				   buf[0], buf[5]);
   1290 		}
   1291 		os_memcpy(sres, buf + 1, 4);
   1292 		os_memcpy(kc, buf + 6, 8);
   1293 	}
   1294 
   1295 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4);
   1296 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8);
   1297 
   1298 	return 0;
   1299 }
   1300 
   1301 
   1302 /**
   1303  * scard_umts_auth - Run UMTS authentication command on USIM card
   1304  * @scard: Pointer to private data from scard_init()
   1305  * @_rand: 16-byte RAND value from HLR/AuC
   1306  * @autn: 16-byte AUTN value from HLR/AuC
   1307  * @res: 16-byte buffer for RES
   1308  * @res_len: Variable that will be set to RES length
   1309  * @ik: 16-byte buffer for IK
   1310  * @ck: 16-byte buffer for CK
   1311  * @auts: 14-byte buffer for AUTS
   1312  * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization
   1313  * failure
   1314  *
   1315  * This function performs AKA authentication using USIM card and the provided
   1316  * RAND and AUTN values from HLR/AuC. If authentication command can be
   1317  * completed successfully, RES, IK, and CK values will be written into provided
   1318  * buffers and res_len is set to length of received RES value. If USIM reports
   1319  * synchronization failure, the received AUTS value will be written into auts
   1320  * buffer. In this case, RES, IK, and CK are not valid.
   1321  */
   1322 int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
   1323 		    const unsigned char *autn,
   1324 		    unsigned char *res, size_t *res_len,
   1325 		    unsigned char *ik, unsigned char *ck, unsigned char *auts)
   1326 {
   1327 	unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] =
   1328 		{ USIM_CMD_RUN_UMTS_ALG };
   1329 	unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE };
   1330 	unsigned char resp[3], buf[64], *pos, *end;
   1331 	size_t len;
   1332 	long ret;
   1333 
   1334 	if (scard == NULL)
   1335 		return -1;
   1336 
   1337 	if (scard->sim_type == SCARD_GSM_SIM) {
   1338 		wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS "
   1339 			   "auth");
   1340 		return -1;
   1341 	}
   1342 
   1343 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN);
   1344 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN);
   1345 	cmd[5] = AKA_RAND_LEN;
   1346 	os_memcpy(cmd + 6, _rand, AKA_RAND_LEN);
   1347 	cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN;
   1348 	os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN);
   1349 
   1350 	len = sizeof(resp);
   1351 	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
   1352 	if (ret != SCARD_S_SUCCESS)
   1353 		return -1;
   1354 
   1355 	if (len <= sizeof(resp))
   1356 		wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len);
   1357 
   1358 	if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) {
   1359 		wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - "
   1360 			   "MAC != XMAC");
   1361 		return -1;
   1362 	} else if (len != 2 || resp[0] != 0x61) {
   1363 		wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS "
   1364 			   "auth request (len=%ld resp=%02x %02x)",
   1365 			   (long) len, resp[0], resp[1]);
   1366 		return -1;
   1367 	}
   1368 	get_resp[4] = resp[1];
   1369 
   1370 	len = sizeof(buf);
   1371 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
   1372 	if (ret != SCARD_S_SUCCESS || len > sizeof(buf))
   1373 		return -1;
   1374 
   1375 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len);
   1376 	if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc &&
   1377 	    buf[1] == AKA_AUTS_LEN) {
   1378 		wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure");
   1379 		os_memcpy(auts, buf + 2, AKA_AUTS_LEN);
   1380 		wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN);
   1381 		return -2;
   1382 	} else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) {
   1383 		pos = buf + 1;
   1384 		end = buf + len;
   1385 
   1386 		/* RES */
   1387 		if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) {
   1388 			wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
   1389 			return -1;
   1390 		}
   1391 		*res_len = *pos++;
   1392 		os_memcpy(res, pos, *res_len);
   1393 		pos += *res_len;
   1394 		wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
   1395 
   1396 		/* CK */
   1397 		if (pos[0] != CK_LEN || pos + CK_LEN > end) {
   1398 			wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
   1399 			return -1;
   1400 		}
   1401 		pos++;
   1402 		os_memcpy(ck, pos, CK_LEN);
   1403 		pos += CK_LEN;
   1404 		wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
   1405 
   1406 		/* IK */
   1407 		if (pos[0] != IK_LEN || pos + IK_LEN > end) {
   1408 			wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
   1409 			return -1;
   1410 		}
   1411 		pos++;
   1412 		os_memcpy(ik, pos, IK_LEN);
   1413 		pos += IK_LEN;
   1414 		wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN);
   1415 
   1416 		return 0;
   1417 	}
   1418 
   1419 	wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response");
   1420 	return -1;
   1421 }
   1422 
   1423 
   1424 int scard_supports_umts(struct scard_data *scard)
   1425 {
   1426 	return scard->sim_type == SCARD_USIM;
   1427 }
   1428