1 /* 2 * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM 3 * Copyright (c) 2004-2007, 2012, Jouni Malinen <j (at) w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 * 8 * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM 9 * cards through PC/SC smartcard library. These functions are used to implement 10 * authentication routines for EAP-SIM and EAP-AKA. 11 */ 12 13 #include "includes.h" 14 #include <winscard.h> 15 16 #include "common.h" 17 #include "pcsc_funcs.h" 18 19 20 /* See ETSI GSM 11.11 and ETSI TS 102 221 for details. 21 * SIM commands: 22 * Command APDU: CLA INS P1 P2 P3 Data 23 * CLA (class of instruction): A0 for GSM, 00 for USIM 24 * INS (instruction) 25 * P1 P2 P3 (parameters, P3 = length of Data) 26 * Response APDU: Data SW1 SW2 27 * SW1 SW2 (Status words) 28 * Commands (INS P1 P2 P3): 29 * SELECT: A4 00 00 02 <file_id, 2 bytes> 30 * GET RESPONSE: C0 00 00 <len> 31 * RUN GSM ALG: 88 00 00 00 <RAND len = 10> 32 * RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN 33 * P1 = ID of alg in card 34 * P2 = ID of secret key 35 * READ BINARY: B0 <offset high> <offset low> <len> 36 * READ RECORD: B2 <record number> <mode> <len> 37 * P2 (mode) = '02' (next record), '03' (previous record), 38 * '04' (absolute mode) 39 * VERIFY CHV: 20 00 <CHV number> 08 40 * CHANGE CHV: 24 00 <CHV number> 10 41 * DISABLE CHV: 26 00 01 08 42 * ENABLE CHV: 28 00 01 08 43 * UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10 44 * SLEEP: FA 00 00 00 45 */ 46 47 /* GSM SIM commands */ 48 #define SIM_CMD_SELECT 0xa0, 0xa4, 0x00, 0x00, 0x02 49 #define SIM_CMD_RUN_GSM_ALG 0xa0, 0x88, 0x00, 0x00, 0x10 50 #define SIM_CMD_GET_RESPONSE 0xa0, 0xc0, 0x00, 0x00 51 #define SIM_CMD_READ_BIN 0xa0, 0xb0, 0x00, 0x00 52 #define SIM_CMD_READ_RECORD 0xa0, 0xb2, 0x00, 0x00 53 #define SIM_CMD_VERIFY_CHV1 0xa0, 0x20, 0x00, 0x01, 0x08 54 55 /* USIM commands */ 56 #define USIM_CLA 0x00 57 #define USIM_CMD_RUN_UMTS_ALG 0x00, 0x88, 0x00, 0x81, 0x22 58 #define USIM_CMD_GET_RESPONSE 0x00, 0xc0, 0x00, 0x00 59 60 #define SIM_RECORD_MODE_ABSOLUTE 0x04 61 62 #define USIM_FSP_TEMPL_TAG 0x62 63 64 #define USIM_TLV_FILE_DESC 0x82 65 #define USIM_TLV_FILE_ID 0x83 66 #define USIM_TLV_DF_NAME 0x84 67 #define USIM_TLV_PROPR_INFO 0xA5 68 #define USIM_TLV_LIFE_CYCLE_STATUS 0x8A 69 #define USIM_TLV_FILE_SIZE 0x80 70 #define USIM_TLV_TOTAL_FILE_SIZE 0x81 71 #define USIM_TLV_PIN_STATUS_TEMPLATE 0xC6 72 #define USIM_TLV_SHORT_FILE_ID 0x88 73 #define USIM_TLV_SECURITY_ATTR_8B 0x8B 74 #define USIM_TLV_SECURITY_ATTR_8C 0x8C 75 #define USIM_TLV_SECURITY_ATTR_AB 0xAB 76 77 #define USIM_PS_DO_TAG 0x90 78 79 #define AKA_RAND_LEN 16 80 #define AKA_AUTN_LEN 16 81 #define AKA_AUTS_LEN 14 82 #define RES_MAX_LEN 16 83 #define IK_LEN 16 84 #define CK_LEN 16 85 86 87 /* GSM files 88 * File type in first octet: 89 * 3F = Master File 90 * 7F = Dedicated File 91 * 2F = Elementary File under the Master File 92 * 6F = Elementary File under a Dedicated File 93 */ 94 #define SCARD_FILE_MF 0x3F00 95 #define SCARD_FILE_GSM_DF 0x7F20 96 #define SCARD_FILE_UMTS_DF 0x7F50 97 #define SCARD_FILE_GSM_EF_IMSI 0x6F07 98 #define SCARD_FILE_GSM_EF_AD 0x6FAD 99 #define SCARD_FILE_EF_DIR 0x2F00 100 #define SCARD_FILE_EF_ICCID 0x2FE2 101 #define SCARD_FILE_EF_CK 0x6FE1 102 #define SCARD_FILE_EF_IK 0x6FE2 103 104 #define SCARD_CHV1_OFFSET 13 105 #define SCARD_CHV1_FLAG 0x80 106 107 108 typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types; 109 110 struct scard_data { 111 SCARDCONTEXT ctx; 112 SCARDHANDLE card; 113 DWORD protocol; 114 sim_types sim_type; 115 int pin1_required; 116 }; 117 118 #ifdef __MINGW32_VERSION 119 /* MinGW does not yet support WinScard, so load the needed functions 120 * dynamically from winscard.dll for now. */ 121 122 static HINSTANCE dll = NULL; /* winscard.dll */ 123 124 static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci; 125 #undef SCARD_PCI_T0 126 #define SCARD_PCI_T0 (dll_g_rgSCardT0Pci) 127 #undef SCARD_PCI_T1 128 #define SCARD_PCI_T1 (dll_g_rgSCardT1Pci) 129 130 131 static WINSCARDAPI LONG WINAPI 132 (*dll_SCardEstablishContext)(IN DWORD dwScope, 133 IN LPCVOID pvReserved1, 134 IN LPCVOID pvReserved2, 135 OUT LPSCARDCONTEXT phContext); 136 #define SCardEstablishContext dll_SCardEstablishContext 137 138 static long (*dll_SCardReleaseContext)(long hContext); 139 #define SCardReleaseContext dll_SCardReleaseContext 140 141 static WINSCARDAPI LONG WINAPI 142 (*dll_SCardListReadersA)(IN SCARDCONTEXT hContext, 143 IN LPCSTR mszGroups, 144 OUT LPSTR mszReaders, 145 IN OUT LPDWORD pcchReaders); 146 #undef SCardListReaders 147 #define SCardListReaders dll_SCardListReadersA 148 149 static WINSCARDAPI LONG WINAPI 150 (*dll_SCardConnectA)(IN SCARDCONTEXT hContext, 151 IN LPCSTR szReader, 152 IN DWORD dwShareMode, 153 IN DWORD dwPreferredProtocols, 154 OUT LPSCARDHANDLE phCard, 155 OUT LPDWORD pdwActiveProtocol); 156 #undef SCardConnect 157 #define SCardConnect dll_SCardConnectA 158 159 static WINSCARDAPI LONG WINAPI 160 (*dll_SCardDisconnect)(IN SCARDHANDLE hCard, 161 IN DWORD dwDisposition); 162 #define SCardDisconnect dll_SCardDisconnect 163 164 static WINSCARDAPI LONG WINAPI 165 (*dll_SCardTransmit)(IN SCARDHANDLE hCard, 166 IN LPCSCARD_IO_REQUEST pioSendPci, 167 IN LPCBYTE pbSendBuffer, 168 IN DWORD cbSendLength, 169 IN OUT LPSCARD_IO_REQUEST pioRecvPci, 170 OUT LPBYTE pbRecvBuffer, 171 IN OUT LPDWORD pcbRecvLength); 172 #define SCardTransmit dll_SCardTransmit 173 174 static WINSCARDAPI LONG WINAPI 175 (*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard); 176 #define SCardBeginTransaction dll_SCardBeginTransaction 177 178 static WINSCARDAPI LONG WINAPI 179 (*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition); 180 #define SCardEndTransaction dll_SCardEndTransaction 181 182 183 static int mingw_load_symbols(void) 184 { 185 char *sym; 186 187 if (dll) 188 return 0; 189 190 dll = LoadLibrary("winscard"); 191 if (dll == NULL) { 192 wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll " 193 "library"); 194 return -1; 195 } 196 197 #define LOADSYM(s) \ 198 sym = #s; \ 199 dll_ ## s = (void *) GetProcAddress(dll, sym); \ 200 if (dll_ ## s == NULL) \ 201 goto fail; 202 203 LOADSYM(SCardEstablishContext); 204 LOADSYM(SCardReleaseContext); 205 LOADSYM(SCardListReadersA); 206 LOADSYM(SCardConnectA); 207 LOADSYM(SCardDisconnect); 208 LOADSYM(SCardTransmit); 209 LOADSYM(SCardBeginTransaction); 210 LOADSYM(SCardEndTransaction); 211 LOADSYM(g_rgSCardT0Pci); 212 LOADSYM(g_rgSCardT1Pci); 213 214 #undef LOADSYM 215 216 return 0; 217 218 fail: 219 wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from " 220 "winscard.dll", sym); 221 FreeLibrary(dll); 222 dll = NULL; 223 return -1; 224 } 225 226 227 static void mingw_unload_symbols(void) 228 { 229 if (dll == NULL) 230 return; 231 232 FreeLibrary(dll); 233 dll = NULL; 234 } 235 236 #else /* __MINGW32_VERSION */ 237 238 #define mingw_load_symbols() 0 239 #define mingw_unload_symbols() do { } while (0) 240 241 #endif /* __MINGW32_VERSION */ 242 243 244 static int _scard_select_file(struct scard_data *scard, unsigned short file_id, 245 unsigned char *buf, size_t *buf_len, 246 sim_types sim_type, unsigned char *aid, 247 size_t aidlen); 248 static int scard_select_file(struct scard_data *scard, unsigned short file_id, 249 unsigned char *buf, size_t *buf_len); 250 static int scard_verify_pin(struct scard_data *scard, const char *pin); 251 static int scard_get_record_len(struct scard_data *scard, 252 unsigned char recnum, unsigned char mode); 253 static int scard_read_record(struct scard_data *scard, 254 unsigned char *data, size_t len, 255 unsigned char recnum, unsigned char mode); 256 257 258 static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len, 259 int *ps_do, int *file_len) 260 { 261 unsigned char *pos, *end; 262 263 if (ps_do) 264 *ps_do = -1; 265 if (file_len) 266 *file_len = -1; 267 268 pos = buf; 269 end = pos + buf_len; 270 if (*pos != USIM_FSP_TEMPL_TAG) { 271 wpa_printf(MSG_DEBUG, "SCARD: file header did not " 272 "start with FSP template tag"); 273 return -1; 274 } 275 pos++; 276 if (pos >= end) 277 return -1; 278 if ((pos + pos[0]) < end) 279 end = pos + 1 + pos[0]; 280 pos++; 281 wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template", 282 pos, end - pos); 283 284 while (pos + 1 < end) { 285 wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV 0x%02x len=%d", 286 pos[0], pos[1]); 287 if (pos + 2 + pos[1] > end) 288 break; 289 290 switch (pos[0]) { 291 case USIM_TLV_FILE_DESC: 292 wpa_hexdump(MSG_MSGDUMP, "SCARD: File Descriptor TLV", 293 pos + 2, pos[1]); 294 break; 295 case USIM_TLV_FILE_ID: 296 wpa_hexdump(MSG_MSGDUMP, "SCARD: File Identifier TLV", 297 pos + 2, pos[1]); 298 break; 299 case USIM_TLV_DF_NAME: 300 wpa_hexdump(MSG_MSGDUMP, "SCARD: DF name (AID) TLV", 301 pos + 2, pos[1]); 302 break; 303 case USIM_TLV_PROPR_INFO: 304 wpa_hexdump(MSG_MSGDUMP, "SCARD: Proprietary " 305 "information TLV", pos + 2, pos[1]); 306 break; 307 case USIM_TLV_LIFE_CYCLE_STATUS: 308 wpa_hexdump(MSG_MSGDUMP, "SCARD: Life Cycle Status " 309 "Integer TLV", pos + 2, pos[1]); 310 break; 311 case USIM_TLV_FILE_SIZE: 312 wpa_hexdump(MSG_MSGDUMP, "SCARD: File size TLV", 313 pos + 2, pos[1]); 314 if ((pos[1] == 1 || pos[1] == 2) && file_len) { 315 if (pos[1] == 1) 316 *file_len = (int) pos[2]; 317 else 318 *file_len = ((int) pos[2] << 8) | 319 (int) pos[3]; 320 wpa_printf(MSG_DEBUG, "SCARD: file_size=%d", 321 *file_len); 322 } 323 break; 324 case USIM_TLV_TOTAL_FILE_SIZE: 325 wpa_hexdump(MSG_MSGDUMP, "SCARD: Total file size TLV", 326 pos + 2, pos[1]); 327 break; 328 case USIM_TLV_PIN_STATUS_TEMPLATE: 329 wpa_hexdump(MSG_MSGDUMP, "SCARD: PIN Status Template " 330 "DO TLV", pos + 2, pos[1]); 331 if (pos[1] >= 2 && pos[2] == USIM_PS_DO_TAG && 332 pos[3] >= 1 && ps_do) { 333 wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x", 334 pos[4]); 335 *ps_do = (int) pos[4]; 336 } 337 break; 338 case USIM_TLV_SHORT_FILE_ID: 339 wpa_hexdump(MSG_MSGDUMP, "SCARD: Short File " 340 "Identifier (SFI) TLV", pos + 2, pos[1]); 341 break; 342 case USIM_TLV_SECURITY_ATTR_8B: 343 case USIM_TLV_SECURITY_ATTR_8C: 344 case USIM_TLV_SECURITY_ATTR_AB: 345 wpa_hexdump(MSG_MSGDUMP, "SCARD: Security attribute " 346 "TLV", pos + 2, pos[1]); 347 break; 348 default: 349 wpa_hexdump(MSG_MSGDUMP, "SCARD: Unrecognized TLV", 350 pos, 2 + pos[1]); 351 break; 352 } 353 354 pos += 2 + pos[1]; 355 356 if (pos == end) 357 return 0; 358 } 359 return -1; 360 } 361 362 363 static int scard_pin_needed(struct scard_data *scard, 364 unsigned char *hdr, size_t hlen) 365 { 366 if (scard->sim_type == SCARD_GSM_SIM) { 367 if (hlen > SCARD_CHV1_OFFSET && 368 !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG)) 369 return 1; 370 return 0; 371 } 372 373 if (scard->sim_type == SCARD_USIM) { 374 int ps_do; 375 if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL)) 376 return -1; 377 /* TODO: there could be more than one PS_DO entry because of 378 * multiple PINs in key reference.. */ 379 if (ps_do > 0 && (ps_do & 0x80)) 380 return 1; 381 return 0; 382 } 383 384 return -1; 385 } 386 387 388 static int scard_get_aid(struct scard_data *scard, unsigned char *aid, 389 size_t maxlen) 390 { 391 int rlen, rec; 392 struct efdir { 393 unsigned char appl_template_tag; /* 0x61 */ 394 unsigned char appl_template_len; 395 unsigned char appl_id_tag; /* 0x4f */ 396 unsigned char aid_len; 397 unsigned char rid[5]; 398 unsigned char appl_code[2]; /* 0x1002 for 3G USIM */ 399 } *efdir; 400 unsigned char buf[127]; 401 size_t blen; 402 403 efdir = (struct efdir *) buf; 404 blen = sizeof(buf); 405 if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) { 406 wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR"); 407 return -1; 408 } 409 wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen); 410 411 for (rec = 1; rec < 10; rec++) { 412 rlen = scard_get_record_len(scard, rec, 413 SIM_RECORD_MODE_ABSOLUTE); 414 if (rlen < 0) { 415 wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR " 416 "record length"); 417 return -1; 418 } 419 blen = sizeof(buf); 420 if (rlen > (int) blen) { 421 wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record"); 422 return -1; 423 } 424 if (scard_read_record(scard, buf, rlen, rec, 425 SIM_RECORD_MODE_ABSOLUTE) < 0) { 426 wpa_printf(MSG_DEBUG, "SCARD: Failed to read " 427 "EF_DIR record %d", rec); 428 return -1; 429 } 430 wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen); 431 432 if (efdir->appl_template_tag != 0x61) { 433 wpa_printf(MSG_DEBUG, "SCARD: Unexpected application " 434 "template tag 0x%x", 435 efdir->appl_template_tag); 436 continue; 437 } 438 439 if (efdir->appl_template_len > rlen - 2) { 440 wpa_printf(MSG_DEBUG, "SCARD: Too long application " 441 "template (len=%d rlen=%d)", 442 efdir->appl_template_len, rlen); 443 continue; 444 } 445 446 if (efdir->appl_id_tag != 0x4f) { 447 wpa_printf(MSG_DEBUG, "SCARD: Unexpected application " 448 "identifier tag 0x%x", efdir->appl_id_tag); 449 continue; 450 } 451 452 if (efdir->aid_len < 1 || efdir->aid_len > 16) { 453 wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %d", 454 efdir->aid_len); 455 continue; 456 } 457 458 wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record", 459 efdir->rid, efdir->aid_len); 460 461 if (efdir->appl_code[0] == 0x10 && 462 efdir->appl_code[1] == 0x02) { 463 wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from " 464 "EF_DIR record %d", rec); 465 break; 466 } 467 } 468 469 if (rec >= 10) { 470 wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found " 471 "from EF_DIR records"); 472 return -1; 473 } 474 475 if (efdir->aid_len > maxlen) { 476 wpa_printf(MSG_DEBUG, "SCARD: Too long AID"); 477 return -1; 478 } 479 480 os_memcpy(aid, efdir->rid, efdir->aid_len); 481 482 return efdir->aid_len; 483 } 484 485 486 /** 487 * scard_init - Initialize SIM/USIM connection using PC/SC 488 * @sim_type: Allowed SIM types (SIM, USIM, or both) 489 * @reader: Reader name prefix to search for 490 * Returns: Pointer to private data structure, or %NULL on failure 491 * 492 * This function is used to initialize SIM/USIM connection. PC/SC is used to 493 * open connection to the SIM/USIM card and the card is verified to support the 494 * selected sim_type. In addition, local flag is set if a PIN is needed to 495 * access some of the card functions. Once the connection is not needed 496 * anymore, scard_deinit() can be used to close it. 497 */ 498 struct scard_data * scard_init(scard_sim_type sim_type, const char *reader) 499 { 500 long ret; 501 unsigned long len, pos; 502 struct scard_data *scard; 503 #ifdef CONFIG_NATIVE_WINDOWS 504 TCHAR *readers = NULL; 505 #else /* CONFIG_NATIVE_WINDOWS */ 506 char *readers = NULL; 507 #endif /* CONFIG_NATIVE_WINDOWS */ 508 unsigned char buf[100]; 509 size_t blen; 510 int transaction = 0; 511 int pin_needed; 512 513 wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface"); 514 if (mingw_load_symbols()) 515 return NULL; 516 scard = os_zalloc(sizeof(*scard)); 517 if (scard == NULL) 518 return NULL; 519 520 ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, 521 &scard->ctx); 522 if (ret != SCARD_S_SUCCESS) { 523 wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card " 524 "context (err=%ld)", ret); 525 goto failed; 526 } 527 528 ret = SCardListReaders(scard->ctx, NULL, NULL, &len); 529 if (ret != SCARD_S_SUCCESS) { 530 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed " 531 "(err=%ld)", ret); 532 goto failed; 533 } 534 535 #ifdef UNICODE 536 len *= 2; 537 #endif /* UNICODE */ 538 readers = os_malloc(len); 539 if (readers == NULL) { 540 wpa_printf(MSG_INFO, "SCARD: malloc failed\n"); 541 goto failed; 542 } 543 544 ret = SCardListReaders(scard->ctx, NULL, readers, &len); 545 if (ret != SCARD_S_SUCCESS) { 546 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) " 547 "(err=%ld)", ret); 548 goto failed; 549 } 550 if (len < 3) { 551 wpa_printf(MSG_WARNING, "SCARD: No smart card readers " 552 "available."); 553 goto failed; 554 } 555 wpa_hexdump_ascii(MSG_DEBUG, "SCARD: Readers", (u8 *) readers, len); 556 /* 557 * readers is a list of available readers. The last entry is terminated 558 * with double null. 559 */ 560 pos = 0; 561 #ifdef UNICODE 562 /* TODO */ 563 #else /* UNICODE */ 564 while (pos < len) { 565 if (reader == NULL || 566 os_strncmp(&readers[pos], reader, os_strlen(reader)) == 0) 567 break; 568 while (pos < len && readers[pos]) 569 pos++; 570 pos++; /* skip separating null */ 571 if (pos < len && readers[pos] == '\0') 572 pos = len; /* double null terminates list */ 573 } 574 #endif /* UNICODE */ 575 if (pos >= len) { 576 wpa_printf(MSG_WARNING, "SCARD: No reader with prefix '%s' " 577 "found", reader); 578 goto failed; 579 } 580 581 #ifdef UNICODE 582 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", &readers[pos]); 583 #else /* UNICODE */ 584 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", &readers[pos]); 585 #endif /* UNICODE */ 586 587 ret = SCardConnect(scard->ctx, &readers[pos], SCARD_SHARE_SHARED, 588 SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, 589 &scard->card, &scard->protocol); 590 if (ret != SCARD_S_SUCCESS) { 591 if (ret == (long) SCARD_E_NO_SMARTCARD) 592 wpa_printf(MSG_INFO, "No smart card inserted."); 593 else 594 wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret); 595 goto failed; 596 } 597 598 os_free(readers); 599 readers = NULL; 600 601 wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)", 602 (unsigned int) scard->card, scard->protocol, 603 scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1"); 604 605 ret = SCardBeginTransaction(scard->card); 606 if (ret != SCARD_S_SUCCESS) { 607 wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: " 608 "0x%x", (unsigned int) ret); 609 goto failed; 610 } 611 transaction = 1; 612 613 blen = sizeof(buf); 614 615 scard->sim_type = SCARD_GSM_SIM; 616 if (sim_type == SCARD_USIM_ONLY || sim_type == SCARD_TRY_BOTH) { 617 wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support"); 618 if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen, 619 SCARD_USIM, NULL, 0)) { 620 wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported"); 621 if (sim_type == SCARD_USIM_ONLY) 622 goto failed; 623 wpa_printf(MSG_DEBUG, "SCARD: Trying to use GSM SIM"); 624 scard->sim_type = SCARD_GSM_SIM; 625 } else { 626 wpa_printf(MSG_DEBUG, "SCARD: USIM is supported"); 627 scard->sim_type = SCARD_USIM; 628 } 629 } 630 631 if (scard->sim_type == SCARD_GSM_SIM) { 632 blen = sizeof(buf); 633 if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) { 634 wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF"); 635 goto failed; 636 } 637 638 blen = sizeof(buf); 639 if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) { 640 wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF"); 641 goto failed; 642 } 643 } else { 644 unsigned char aid[32]; 645 int aid_len; 646 647 aid_len = scard_get_aid(scard, aid, sizeof(aid)); 648 if (aid_len < 0) { 649 wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for " 650 "3G USIM app - try to use standard 3G RID"); 651 os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5); 652 aid_len = 5; 653 } 654 wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len); 655 656 /* Select based on AID = 3G RID from EF_DIR. This is usually 657 * starting with A0 00 00 00 87. */ 658 blen = sizeof(buf); 659 if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type, 660 aid, aid_len)) { 661 wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM " 662 "app"); 663 wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID", 664 aid, aid_len); 665 goto failed; 666 } 667 } 668 669 /* Verify whether CHV1 (PIN1) is needed to access the card. */ 670 pin_needed = scard_pin_needed(scard, buf, blen); 671 if (pin_needed < 0) { 672 wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN " 673 "is needed"); 674 goto failed; 675 } 676 if (pin_needed) { 677 scard->pin1_required = 1; 678 wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access (retry " 679 "counter=%d)", scard_get_pin_retry_counter(scard)); 680 } 681 682 ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD); 683 if (ret != SCARD_S_SUCCESS) { 684 wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: " 685 "0x%x", (unsigned int) ret); 686 } 687 688 return scard; 689 690 failed: 691 if (transaction) 692 SCardEndTransaction(scard->card, SCARD_LEAVE_CARD); 693 os_free(readers); 694 scard_deinit(scard); 695 return NULL; 696 } 697 698 699 /** 700 * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands 701 * @scard: Pointer to private data from scard_init() 702 * @pin: PIN code as an ASCII string (e.g., "1234") 703 * Returns: 0 on success, -1 on failure 704 */ 705 int scard_set_pin(struct scard_data *scard, const char *pin) 706 { 707 if (scard == NULL) 708 return -1; 709 710 /* Verify whether CHV1 (PIN1) is needed to access the card. */ 711 if (scard->pin1_required) { 712 if (pin == NULL) { 713 wpa_printf(MSG_DEBUG, "No PIN configured for SIM " 714 "access"); 715 return -1; 716 } 717 if (scard_verify_pin(scard, pin)) { 718 wpa_printf(MSG_INFO, "PIN verification failed for " 719 "SIM access"); 720 return -1; 721 } 722 } 723 724 return 0; 725 } 726 727 728 /** 729 * scard_deinit - Deinitialize SIM/USIM connection 730 * @scard: Pointer to private data from scard_init() 731 * 732 * This function closes the SIM/USIM connect opened with scard_init(). 733 */ 734 void scard_deinit(struct scard_data *scard) 735 { 736 long ret; 737 738 if (scard == NULL) 739 return; 740 741 wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface"); 742 if (scard->card) { 743 ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD); 744 if (ret != SCARD_S_SUCCESS) { 745 wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect " 746 "smart card (err=%ld)", ret); 747 } 748 } 749 750 if (scard->ctx) { 751 ret = SCardReleaseContext(scard->ctx); 752 if (ret != SCARD_S_SUCCESS) { 753 wpa_printf(MSG_DEBUG, "Failed to release smart card " 754 "context (err=%ld)", ret); 755 } 756 } 757 os_free(scard); 758 mingw_unload_symbols(); 759 } 760 761 762 static long scard_transmit(struct scard_data *scard, 763 unsigned char *_send, size_t send_len, 764 unsigned char *_recv, size_t *recv_len) 765 { 766 long ret; 767 unsigned long rlen; 768 769 wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send", 770 _send, send_len); 771 rlen = *recv_len; 772 ret = SCardTransmit(scard->card, 773 scard->protocol == SCARD_PROTOCOL_T1 ? 774 SCARD_PCI_T1 : SCARD_PCI_T0, 775 _send, (unsigned long) send_len, 776 NULL, _recv, &rlen); 777 *recv_len = rlen; 778 if (ret == SCARD_S_SUCCESS) { 779 wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv", 780 _recv, rlen); 781 } else { 782 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed " 783 "(err=0x%lx)", ret); 784 } 785 return ret; 786 } 787 788 789 static int _scard_select_file(struct scard_data *scard, unsigned short file_id, 790 unsigned char *buf, size_t *buf_len, 791 sim_types sim_type, unsigned char *aid, 792 size_t aidlen) 793 { 794 long ret; 795 unsigned char resp[3]; 796 unsigned char cmd[50] = { SIM_CMD_SELECT }; 797 int cmdlen; 798 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE }; 799 size_t len, rlen; 800 801 if (sim_type == SCARD_USIM) { 802 cmd[0] = USIM_CLA; 803 cmd[3] = 0x04; 804 get_resp[0] = USIM_CLA; 805 } 806 807 wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id); 808 if (aid) { 809 wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID", 810 aid, aidlen); 811 if (5 + aidlen > sizeof(cmd)) 812 return -1; 813 cmd[2] = 0x04; /* Select by AID */ 814 cmd[4] = aidlen; /* len */ 815 os_memcpy(cmd + 5, aid, aidlen); 816 cmdlen = 5 + aidlen; 817 } else { 818 cmd[5] = file_id >> 8; 819 cmd[6] = file_id & 0xff; 820 cmdlen = 7; 821 } 822 len = sizeof(resp); 823 ret = scard_transmit(scard, cmd, cmdlen, resp, &len); 824 if (ret != SCARD_S_SUCCESS) { 825 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed " 826 "(err=0x%lx)", ret); 827 return -1; 828 } 829 830 if (len != 2) { 831 wpa_printf(MSG_WARNING, "SCARD: unexpected resp len " 832 "%d (expected 2)", (int) len); 833 return -1; 834 } 835 836 if (resp[0] == 0x98 && resp[1] == 0x04) { 837 /* Security status not satisfied (PIN_WLAN) */ 838 wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied " 839 "(PIN_WLAN)"); 840 return -1; 841 } 842 843 if (resp[0] == 0x6e) { 844 wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported"); 845 return -1; 846 } 847 848 if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) { 849 wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x " 850 "(expected 0x61, 0x6c, or 0x9f)", resp[0]); 851 return -1; 852 } 853 /* Normal ending of command; resp[1] bytes available */ 854 get_resp[4] = resp[1]; 855 wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)", 856 resp[1]); 857 858 rlen = *buf_len; 859 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen); 860 if (ret == SCARD_S_SUCCESS) { 861 *buf_len = resp[1] < rlen ? resp[1] : rlen; 862 return 0; 863 } 864 865 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret); 866 return -1; 867 } 868 869 870 static int scard_select_file(struct scard_data *scard, unsigned short file_id, 871 unsigned char *buf, size_t *buf_len) 872 { 873 return _scard_select_file(scard, file_id, buf, buf_len, 874 scard->sim_type, NULL, 0); 875 } 876 877 878 static int scard_get_record_len(struct scard_data *scard, unsigned char recnum, 879 unsigned char mode) 880 { 881 unsigned char buf[255]; 882 unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ }; 883 size_t blen; 884 long ret; 885 886 if (scard->sim_type == SCARD_USIM) 887 cmd[0] = USIM_CLA; 888 cmd[2] = recnum; 889 cmd[3] = mode; 890 cmd[4] = sizeof(buf); 891 892 blen = sizeof(buf); 893 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); 894 if (ret != SCARD_S_SUCCESS) { 895 wpa_printf(MSG_DEBUG, "SCARD: failed to determine file " 896 "length for record %d", recnum); 897 return -1; 898 } 899 900 wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response", 901 buf, blen); 902 903 if (blen < 2 || (buf[0] != 0x6c && buf[0] != 0x67)) { 904 wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file " 905 "length determination"); 906 return -1; 907 } 908 909 return buf[1]; 910 } 911 912 913 static int scard_read_record(struct scard_data *scard, 914 unsigned char *data, size_t len, 915 unsigned char recnum, unsigned char mode) 916 { 917 unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ }; 918 size_t blen = len + 3; 919 unsigned char *buf; 920 long ret; 921 922 if (scard->sim_type == SCARD_USIM) 923 cmd[0] = USIM_CLA; 924 cmd[2] = recnum; 925 cmd[3] = mode; 926 cmd[4] = len; 927 928 buf = os_malloc(blen); 929 if (buf == NULL) 930 return -1; 931 932 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); 933 if (ret != SCARD_S_SUCCESS) { 934 os_free(buf); 935 return -2; 936 } 937 if (blen != len + 2) { 938 wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected " 939 "length %ld (expected %ld)", 940 (long) blen, (long) len + 2); 941 os_free(buf); 942 return -3; 943 } 944 945 if (buf[len] != 0x90 || buf[len + 1] != 0x00) { 946 wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected " 947 "status %02x %02x (expected 90 00)", 948 buf[len], buf[len + 1]); 949 os_free(buf); 950 return -4; 951 } 952 953 os_memcpy(data, buf, len); 954 os_free(buf); 955 956 return 0; 957 } 958 959 960 static int scard_read_file(struct scard_data *scard, 961 unsigned char *data, size_t len) 962 { 963 unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ }; 964 size_t blen = len + 3; 965 unsigned char *buf; 966 long ret; 967 968 cmd[4] = len; 969 970 buf = os_malloc(blen); 971 if (buf == NULL) 972 return -1; 973 974 if (scard->sim_type == SCARD_USIM) 975 cmd[0] = USIM_CLA; 976 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); 977 if (ret != SCARD_S_SUCCESS) { 978 os_free(buf); 979 return -2; 980 } 981 if (blen != len + 2) { 982 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected " 983 "length %ld (expected %ld)", 984 (long) blen, (long) len + 2); 985 os_free(buf); 986 return -3; 987 } 988 989 if (buf[len] != 0x90 || buf[len + 1] != 0x00) { 990 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected " 991 "status %02x %02x (expected 90 00)", 992 buf[len], buf[len + 1]); 993 os_free(buf); 994 return -4; 995 } 996 997 os_memcpy(data, buf, len); 998 os_free(buf); 999 1000 return 0; 1001 } 1002 1003 1004 static int scard_verify_pin(struct scard_data *scard, const char *pin) 1005 { 1006 long ret; 1007 unsigned char resp[3]; 1008 unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 }; 1009 size_t len; 1010 1011 wpa_printf(MSG_DEBUG, "SCARD: verifying PIN"); 1012 1013 if (pin == NULL || os_strlen(pin) > 8) 1014 return -1; 1015 1016 if (scard->sim_type == SCARD_USIM) 1017 cmd[0] = USIM_CLA; 1018 os_memcpy(cmd + 5, pin, os_strlen(pin)); 1019 os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin)); 1020 1021 len = sizeof(resp); 1022 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len); 1023 if (ret != SCARD_S_SUCCESS) 1024 return -2; 1025 1026 if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) { 1027 wpa_printf(MSG_WARNING, "SCARD: PIN verification failed"); 1028 return -1; 1029 } 1030 1031 wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully"); 1032 return 0; 1033 } 1034 1035 1036 int scard_get_pin_retry_counter(struct scard_data *scard) 1037 { 1038 long ret; 1039 unsigned char resp[3]; 1040 unsigned char cmd[5] = { SIM_CMD_VERIFY_CHV1 }; 1041 size_t len; 1042 u16 val; 1043 1044 wpa_printf(MSG_DEBUG, "SCARD: fetching PIN retry counter"); 1045 1046 if (scard->sim_type == SCARD_USIM) 1047 cmd[0] = USIM_CLA; 1048 cmd[4] = 0; /* Empty data */ 1049 1050 len = sizeof(resp); 1051 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len); 1052 if (ret != SCARD_S_SUCCESS) 1053 return -2; 1054 1055 if (len != 2) { 1056 wpa_printf(MSG_WARNING, "SCARD: failed to fetch PIN retry " 1057 "counter"); 1058 return -1; 1059 } 1060 1061 val = WPA_GET_BE16(resp); 1062 if (val == 0x63c0 || val == 0x6983) { 1063 wpa_printf(MSG_DEBUG, "SCARD: PIN has been blocked"); 1064 return 0; 1065 } 1066 1067 if (val >= 0x63c0 && val <= 0x63cf) 1068 return val & 0x000f; 1069 1070 wpa_printf(MSG_DEBUG, "SCARD: Unexpected PIN retry counter response " 1071 "value 0x%x", val); 1072 return 0; 1073 } 1074 1075 1076 /** 1077 * scard_get_imsi - Read IMSI from SIM/USIM card 1078 * @scard: Pointer to private data from scard_init() 1079 * @imsi: Buffer for IMSI 1080 * @len: Length of imsi buffer; set to IMSI length on success 1081 * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file 1082 * selection returns invalid result code, -3 if parsing FSP template file fails 1083 * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set 1084 * to needed length), -5 if reading IMSI file fails. 1085 * 1086 * This function can be used to read IMSI from the SIM/USIM card. If the IMSI 1087 * file is PIN protected, scard_set_pin() must have been used to set the 1088 * correct PIN code before calling scard_get_imsi(). 1089 */ 1090 int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len) 1091 { 1092 unsigned char buf[100]; 1093 size_t blen, imsilen, i; 1094 char *pos; 1095 1096 wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI"); 1097 blen = sizeof(buf); 1098 if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen)) 1099 return -1; 1100 if (blen < 4) { 1101 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI " 1102 "header (len=%ld)", (long) blen); 1103 return -2; 1104 } 1105 1106 if (scard->sim_type == SCARD_GSM_SIM) { 1107 blen = (buf[2] << 8) | buf[3]; 1108 } else { 1109 int file_size; 1110 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size)) 1111 return -3; 1112 blen = file_size; 1113 } 1114 if (blen < 2 || blen > sizeof(buf)) { 1115 wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld", 1116 (long) blen); 1117 return -3; 1118 } 1119 1120 imsilen = (blen - 2) * 2 + 1; 1121 wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld", 1122 (long) blen, (long) imsilen); 1123 if (blen < 2 || imsilen > *len) { 1124 *len = imsilen; 1125 return -4; 1126 } 1127 1128 if (scard_read_file(scard, buf, blen)) 1129 return -5; 1130 1131 pos = imsi; 1132 *pos++ = '0' + (buf[1] >> 4 & 0x0f); 1133 for (i = 2; i < blen; i++) { 1134 unsigned char digit; 1135 1136 digit = buf[i] & 0x0f; 1137 if (digit < 10) 1138 *pos++ = '0' + digit; 1139 else 1140 imsilen--; 1141 1142 digit = buf[i] >> 4 & 0x0f; 1143 if (digit < 10) 1144 *pos++ = '0' + digit; 1145 else 1146 imsilen--; 1147 } 1148 *len = imsilen; 1149 1150 return 0; 1151 } 1152 1153 1154 /** 1155 * scard_get_mnc_len - Read length of MNC in the IMSI from SIM/USIM card 1156 * @scard: Pointer to private data from scard_init() 1157 * Returns: length (>0) on success, -1 if administrative data file cannot be 1158 * selected, -2 if administrative data file selection returns invalid result 1159 * code, -3 if parsing FSP template file fails (USIM only), -4 if length of 1160 * the file is unexpected, -5 if reading file fails, -6 if MNC length is not 1161 * in range (i.e. 2 or 3), -7 if MNC length is not available. 1162 * 1163 */ 1164 int scard_get_mnc_len(struct scard_data *scard) 1165 { 1166 unsigned char buf[100]; 1167 size_t blen; 1168 int file_size; 1169 1170 wpa_printf(MSG_DEBUG, "SCARD: reading MNC len from (GSM) EF-AD"); 1171 blen = sizeof(buf); 1172 if (scard_select_file(scard, SCARD_FILE_GSM_EF_AD, buf, &blen)) 1173 return -1; 1174 if (blen < 4) { 1175 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-AD " 1176 "header (len=%ld)", (long) blen); 1177 return -2; 1178 } 1179 1180 if (scard->sim_type == SCARD_GSM_SIM) { 1181 file_size = (buf[2] << 8) | buf[3]; 1182 } else { 1183 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size)) 1184 return -3; 1185 } 1186 if (file_size == 3) { 1187 wpa_printf(MSG_DEBUG, "SCARD: MNC length not available"); 1188 return -7; 1189 } 1190 if (file_size < 4 || file_size > (int) sizeof(buf)) { 1191 wpa_printf(MSG_DEBUG, "SCARD: invalid file length=%ld", 1192 (long) file_size); 1193 return -4; 1194 } 1195 1196 if (scard_read_file(scard, buf, file_size)) 1197 return -5; 1198 buf[3] = buf[3] & 0x0f; /* upper nibble reserved for future use */ 1199 if (buf[3] < 2 || buf[3] > 3) { 1200 wpa_printf(MSG_DEBUG, "SCARD: invalid MNC length=%ld", 1201 (long) buf[3]); 1202 return -6; 1203 } 1204 wpa_printf(MSG_DEBUG, "SCARD: MNC length=%ld", (long) buf[3]); 1205 return buf[3]; 1206 } 1207 1208 1209 /** 1210 * scard_gsm_auth - Run GSM authentication command on SIM card 1211 * @scard: Pointer to private data from scard_init() 1212 * @_rand: 16-byte RAND value from HLR/AuC 1213 * @sres: 4-byte buffer for SRES 1214 * @kc: 8-byte buffer for Kc 1215 * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized, 1216 * -2 if authentication command execution fails, -3 if unknown response code 1217 * for authentication command is received, -4 if reading of response fails, 1218 * -5 if if response data is of unexpected length 1219 * 1220 * This function performs GSM authentication using SIM/USIM card and the 1221 * provided RAND value from HLR/AuC. If authentication command can be completed 1222 * successfully, SRES and Kc values will be written into sres and kc buffers. 1223 */ 1224 int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand, 1225 unsigned char *sres, unsigned char *kc) 1226 { 1227 unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG }; 1228 int cmdlen; 1229 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE }; 1230 unsigned char resp[3], buf[12 + 3 + 2]; 1231 size_t len; 1232 long ret; 1233 1234 if (scard == NULL) 1235 return -1; 1236 1237 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16); 1238 if (scard->sim_type == SCARD_GSM_SIM) { 1239 cmdlen = 5 + 16; 1240 os_memcpy(cmd + 5, _rand, 16); 1241 } else { 1242 cmdlen = 5 + 1 + 16; 1243 cmd[0] = USIM_CLA; 1244 cmd[3] = 0x80; 1245 cmd[4] = 17; 1246 cmd[5] = 16; 1247 os_memcpy(cmd + 6, _rand, 16); 1248 } 1249 len = sizeof(resp); 1250 ret = scard_transmit(scard, cmd, cmdlen, resp, &len); 1251 if (ret != SCARD_S_SUCCESS) 1252 return -2; 1253 1254 if ((scard->sim_type == SCARD_GSM_SIM && 1255 (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) || 1256 (scard->sim_type == SCARD_USIM && 1257 (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) { 1258 wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM " 1259 "auth request (len=%ld resp=%02x %02x)", 1260 (long) len, resp[0], resp[1]); 1261 return -3; 1262 } 1263 get_resp[4] = resp[1]; 1264 1265 len = sizeof(buf); 1266 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len); 1267 if (ret != SCARD_S_SUCCESS) 1268 return -4; 1269 1270 if (scard->sim_type == SCARD_GSM_SIM) { 1271 if (len != 4 + 8 + 2) { 1272 wpa_printf(MSG_WARNING, "SCARD: unexpected data " 1273 "length for GSM auth (len=%ld, expected 14)", 1274 (long) len); 1275 return -5; 1276 } 1277 os_memcpy(sres, buf, 4); 1278 os_memcpy(kc, buf + 4, 8); 1279 } else { 1280 if (len != 1 + 4 + 1 + 8 + 2) { 1281 wpa_printf(MSG_WARNING, "SCARD: unexpected data " 1282 "length for USIM auth (len=%ld, " 1283 "expected 16)", (long) len); 1284 return -5; 1285 } 1286 if (buf[0] != 4 || buf[5] != 8) { 1287 wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc " 1288 "length (%d %d, expected 4 8)", 1289 buf[0], buf[5]); 1290 } 1291 os_memcpy(sres, buf + 1, 4); 1292 os_memcpy(kc, buf + 6, 8); 1293 } 1294 1295 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4); 1296 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8); 1297 1298 return 0; 1299 } 1300 1301 1302 /** 1303 * scard_umts_auth - Run UMTS authentication command on USIM card 1304 * @scard: Pointer to private data from scard_init() 1305 * @_rand: 16-byte RAND value from HLR/AuC 1306 * @autn: 16-byte AUTN value from HLR/AuC 1307 * @res: 16-byte buffer for RES 1308 * @res_len: Variable that will be set to RES length 1309 * @ik: 16-byte buffer for IK 1310 * @ck: 16-byte buffer for CK 1311 * @auts: 14-byte buffer for AUTS 1312 * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization 1313 * failure 1314 * 1315 * This function performs AKA authentication using USIM card and the provided 1316 * RAND and AUTN values from HLR/AuC. If authentication command can be 1317 * completed successfully, RES, IK, and CK values will be written into provided 1318 * buffers and res_len is set to length of received RES value. If USIM reports 1319 * synchronization failure, the received AUTS value will be written into auts 1320 * buffer. In this case, RES, IK, and CK are not valid. 1321 */ 1322 int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand, 1323 const unsigned char *autn, 1324 unsigned char *res, size_t *res_len, 1325 unsigned char *ik, unsigned char *ck, unsigned char *auts) 1326 { 1327 unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] = 1328 { USIM_CMD_RUN_UMTS_ALG }; 1329 unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE }; 1330 unsigned char resp[3], buf[64], *pos, *end; 1331 size_t len; 1332 long ret; 1333 1334 if (scard == NULL) 1335 return -1; 1336 1337 if (scard->sim_type == SCARD_GSM_SIM) { 1338 wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS " 1339 "auth"); 1340 return -1; 1341 } 1342 1343 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN); 1344 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN); 1345 cmd[5] = AKA_RAND_LEN; 1346 os_memcpy(cmd + 6, _rand, AKA_RAND_LEN); 1347 cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN; 1348 os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN); 1349 1350 len = sizeof(resp); 1351 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len); 1352 if (ret != SCARD_S_SUCCESS) 1353 return -1; 1354 1355 if (len <= sizeof(resp)) 1356 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len); 1357 1358 if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) { 1359 wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - " 1360 "MAC != XMAC"); 1361 return -1; 1362 } else if (len != 2 || resp[0] != 0x61) { 1363 wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS " 1364 "auth request (len=%ld resp=%02x %02x)", 1365 (long) len, resp[0], resp[1]); 1366 return -1; 1367 } 1368 get_resp[4] = resp[1]; 1369 1370 len = sizeof(buf); 1371 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len); 1372 if (ret != SCARD_S_SUCCESS || len > sizeof(buf)) 1373 return -1; 1374 1375 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len); 1376 if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc && 1377 buf[1] == AKA_AUTS_LEN) { 1378 wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure"); 1379 os_memcpy(auts, buf + 2, AKA_AUTS_LEN); 1380 wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN); 1381 return -2; 1382 } else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) { 1383 pos = buf + 1; 1384 end = buf + len; 1385 1386 /* RES */ 1387 if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) { 1388 wpa_printf(MSG_DEBUG, "SCARD: Invalid RES"); 1389 return -1; 1390 } 1391 *res_len = *pos++; 1392 os_memcpy(res, pos, *res_len); 1393 pos += *res_len; 1394 wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len); 1395 1396 /* CK */ 1397 if (pos[0] != CK_LEN || pos + CK_LEN > end) { 1398 wpa_printf(MSG_DEBUG, "SCARD: Invalid CK"); 1399 return -1; 1400 } 1401 pos++; 1402 os_memcpy(ck, pos, CK_LEN); 1403 pos += CK_LEN; 1404 wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN); 1405 1406 /* IK */ 1407 if (pos[0] != IK_LEN || pos + IK_LEN > end) { 1408 wpa_printf(MSG_DEBUG, "SCARD: Invalid IK"); 1409 return -1; 1410 } 1411 pos++; 1412 os_memcpy(ik, pos, IK_LEN); 1413 pos += IK_LEN; 1414 wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN); 1415 1416 return 0; 1417 } 1418 1419 wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response"); 1420 return -1; 1421 } 1422 1423 1424 int scard_supports_umts(struct scard_data *scard) 1425 { 1426 return scard->sim_type == SCARD_USIM; 1427 } 1428
