1 /*
2  * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM
3  * Copyright (c) 2004-2007, 2012, Jouni Malinen <j@w1.fi>
4  *
5  * This software may be distributed under the terms of the BSD license.
6  * See README for more details.
7  *
8  * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM
9  * cards through PC/SC smartcard library. These functions are used to implement
10  * authentication routines for EAP-SIM and EAP-AKA.
11  */
12 
13 #include "includes.h"
14 #ifdef __APPLE__
15 #include <PCSC/winscard.h>
16 #else
17 #include <winscard.h>
18 #endif
19 
20 #include "common.h"
21 #include "pcsc_funcs.h"
22 
23 
24 /* See ETSI GSM 11.11 and ETSI TS 102 221 for details.
25  * SIM commands:
26  * Command APDU: CLA INS P1 P2 P3 Data
27  *   CLA (class of instruction): A0 for GSM, 00 for USIM
28  *   INS (instruction)
29  *   P1 P2 P3 (parameters, P3 = length of Data)
30  * Response APDU: Data SW1 SW2
31  *   SW1 SW2 (Status words)
32  * Commands (INS P1 P2 P3):
33  *   SELECT: A4 00 00 02 <file_id, 2 bytes>
34  *   GET RESPONSE: C0 00 00 <len>
35  *   RUN GSM ALG: 88 00 00 00 <RAND len = 10>
36  *   RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN
37  *	P1 = ID of alg in card
38  *	P2 = ID of secret key
39  *   READ BINARY: B0 <offset high> <offset low> <len>
40  *   READ RECORD: B2 <record number> <mode> <len>
41  *	P2 (mode) = '02' (next record), '03' (previous record),
42  *		    '04' (absolute mode)
43  *   VERIFY CHV: 20 00 <CHV number> 08
44  *   CHANGE CHV: 24 00 <CHV number> 10
45  *   DISABLE CHV: 26 00 01 08
46  *   ENABLE CHV: 28 00 01 08
47  *   UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10
48  *   SLEEP: FA 00 00 00
49  */
50 
51 /* GSM SIM commands */
52 #define SIM_CMD_SELECT			0xa0, 0xa4, 0x00, 0x00, 0x02
53 #define SIM_CMD_RUN_GSM_ALG		0xa0, 0x88, 0x00, 0x00, 0x10
54 #define SIM_CMD_GET_RESPONSE		0xa0, 0xc0, 0x00, 0x00
55 #define SIM_CMD_READ_BIN		0xa0, 0xb0, 0x00, 0x00
56 #define SIM_CMD_READ_RECORD		0xa0, 0xb2, 0x00, 0x00
57 #define SIM_CMD_VERIFY_CHV1		0xa0, 0x20, 0x00, 0x01, 0x08
58 
59 /* USIM commands */
60 #define USIM_CLA			0x00
61 #define USIM_CMD_RUN_UMTS_ALG		0x00, 0x88, 0x00, 0x81, 0x22
62 #define USIM_CMD_GET_RESPONSE		0x00, 0xc0, 0x00, 0x00
63 
64 #define SIM_RECORD_MODE_ABSOLUTE 0x04
65 
66 #define USIM_FSP_TEMPL_TAG		0x62
67 
68 #define USIM_TLV_FILE_DESC		0x82
69 #define USIM_TLV_FILE_ID		0x83
70 #define USIM_TLV_DF_NAME		0x84
71 #define USIM_TLV_PROPR_INFO		0xA5
72 #define USIM_TLV_LIFE_CYCLE_STATUS	0x8A
73 #define USIM_TLV_FILE_SIZE		0x80
74 #define USIM_TLV_TOTAL_FILE_SIZE	0x81
75 #define USIM_TLV_PIN_STATUS_TEMPLATE	0xC6
76 #define USIM_TLV_SHORT_FILE_ID		0x88
77 #define USIM_TLV_SECURITY_ATTR_8B	0x8B
78 #define USIM_TLV_SECURITY_ATTR_8C	0x8C
79 #define USIM_TLV_SECURITY_ATTR_AB	0xAB
80 
81 #define USIM_PS_DO_TAG			0x90
82 
83 #define AKA_RAND_LEN 16
84 #define AKA_AUTN_LEN 16
85 #define AKA_AUTS_LEN 14
86 #define RES_MAX_LEN 16
87 #define IK_LEN 16
88 #define CK_LEN 16
89 
90 
91 /* GSM files
92  * File type in first octet:
93  * 3F = Master File
94  * 7F = Dedicated File
95  * 2F = Elementary File under the Master File
96  * 6F = Elementary File under a Dedicated File
97  */
98 #define SCARD_FILE_MF		0x3F00
99 #define SCARD_FILE_GSM_DF	0x7F20
100 #define SCARD_FILE_UMTS_DF	0x7F50
101 #define SCARD_FILE_GSM_EF_IMSI	0x6F07
102 #define SCARD_FILE_GSM_EF_AD	0x6FAD
103 #define SCARD_FILE_EF_DIR	0x2F00
104 #define SCARD_FILE_EF_ICCID	0x2FE2
105 #define SCARD_FILE_EF_CK	0x6FE1
106 #define SCARD_FILE_EF_IK	0x6FE2
107 
108 #define SCARD_CHV1_OFFSET	13
109 #define SCARD_CHV1_FLAG		0x80
110 
111 
112 typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types;
113 
114 struct scard_data {
115 	SCARDCONTEXT ctx;
116 	SCARDHANDLE card;
117 #ifdef __APPLE__
118 	uint32_t protocol;
119 #else
120 	DWORD protocol;
121 #endif
122 	sim_types sim_type;
123 	int pin1_required;
124 };
125 
126 #ifdef __MINGW32_VERSION
127 /* MinGW does not yet support WinScard, so load the needed functions
128  * dynamically from winscard.dll for now. */
129 
130 static HINSTANCE dll = NULL; /* winscard.dll */
131 
132 static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci;
133 #undef SCARD_PCI_T0
134 #define SCARD_PCI_T0 (dll_g_rgSCardT0Pci)
135 #undef SCARD_PCI_T1
136 #define SCARD_PCI_T1 (dll_g_rgSCardT1Pci)
137 
138 
139 static WINSCARDAPI LONG WINAPI
140 (*dll_SCardEstablishContext)(IN DWORD dwScope,
141 			     IN LPCVOID pvReserved1,
142 			     IN LPCVOID pvReserved2,
143 			     OUT LPSCARDCONTEXT phContext);
144 #define SCardEstablishContext dll_SCardEstablishContext
145 
146 static long (*dll_SCardReleaseContext)(long hContext);
147 #define SCardReleaseContext dll_SCardReleaseContext
148 
149 static WINSCARDAPI LONG WINAPI
150 (*dll_SCardListReadersA)(IN SCARDCONTEXT hContext,
151 			 IN LPCSTR mszGroups,
152 			 OUT LPSTR mszReaders,
153 			 IN OUT LPDWORD pcchReaders);
154 #undef SCardListReaders
155 #define SCardListReaders dll_SCardListReadersA
156 
157 static WINSCARDAPI LONG WINAPI
158 (*dll_SCardConnectA)(IN SCARDCONTEXT hContext,
159 		     IN LPCSTR szReader,
160 		     IN DWORD dwShareMode,
161 		     IN DWORD dwPreferredProtocols,
162 		     OUT LPSCARDHANDLE phCard,
163 		     OUT LPDWORD pdwActiveProtocol);
164 #undef SCardConnect
165 #define SCardConnect dll_SCardConnectA
166 
167 static WINSCARDAPI LONG WINAPI
168 (*dll_SCardDisconnect)(IN SCARDHANDLE hCard,
169 		       IN DWORD dwDisposition);
170 #define SCardDisconnect dll_SCardDisconnect
171 
172 static WINSCARDAPI LONG WINAPI
173 (*dll_SCardTransmit)(IN SCARDHANDLE hCard,
174 		     IN LPCSCARD_IO_REQUEST pioSendPci,
175 		     IN LPCBYTE pbSendBuffer,
176 		     IN DWORD cbSendLength,
177 		     IN OUT LPSCARD_IO_REQUEST pioRecvPci,
178 		     OUT LPBYTE pbRecvBuffer,
179 		     IN OUT LPDWORD pcbRecvLength);
180 #define SCardTransmit dll_SCardTransmit
181 
182 static WINSCARDAPI LONG WINAPI
183 (*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard);
184 #define SCardBeginTransaction dll_SCardBeginTransaction
185 
186 static WINSCARDAPI LONG WINAPI
187 (*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition);
188 #define SCardEndTransaction dll_SCardEndTransaction
189 
190 
mingw_load_symbols(void)191 static int mingw_load_symbols(void)
192 {
193 	char *sym;
194 
195 	if (dll)
196 		return 0;
197 
198 	dll = LoadLibrary("winscard");
199 	if (dll == NULL) {
200 		wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll "
201 			   "library");
202 		return -1;
203 	}
204 
205 #define LOADSYM(s) \
206 	sym = #s; \
207 	dll_ ## s = (void *) GetProcAddress(dll, sym); \
208 	if (dll_ ## s == NULL) \
209 		goto fail;
210 
211 	LOADSYM(SCardEstablishContext);
212 	LOADSYM(SCardReleaseContext);
213 	LOADSYM(SCardListReadersA);
214 	LOADSYM(SCardConnectA);
215 	LOADSYM(SCardDisconnect);
216 	LOADSYM(SCardTransmit);
217 	LOADSYM(SCardBeginTransaction);
218 	LOADSYM(SCardEndTransaction);
219 	LOADSYM(g_rgSCardT0Pci);
220 	LOADSYM(g_rgSCardT1Pci);
221 
222 #undef LOADSYM
223 
224 	return 0;
225 
226 fail:
227 	wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from "
228 		   "winscard.dll", sym);
229 	FreeLibrary(dll);
230 	dll = NULL;
231 	return -1;
232 }
233 
234 
mingw_unload_symbols(void)235 static void mingw_unload_symbols(void)
236 {
237 	if (dll == NULL)
238 		return;
239 
240 	FreeLibrary(dll);
241 	dll = NULL;
242 }
243 
244 #else /* __MINGW32_VERSION */
245 
246 #define mingw_load_symbols() 0
247 #define mingw_unload_symbols() do { } while (0)
248 
249 #endif /* __MINGW32_VERSION */
250 
251 
252 static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
253 			      unsigned char *buf, size_t *buf_len,
254 			      sim_types sim_type, unsigned char *aid,
255 			      size_t aidlen);
256 static int scard_select_file(struct scard_data *scard, unsigned short file_id,
257 			     unsigned char *buf, size_t *buf_len);
258 static int scard_verify_pin(struct scard_data *scard, const char *pin);
259 static int scard_get_record_len(struct scard_data *scard,
260 				unsigned char recnum, unsigned char mode);
261 static int scard_read_record(struct scard_data *scard,
262 			     unsigned char *data, size_t len,
263 			     unsigned char recnum, unsigned char mode);
264 
265 
scard_parse_fsp_templ(unsigned char * buf,size_t buf_len,int * ps_do,int * file_len)266 static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
267 				 int *ps_do, int *file_len)
268 {
269 	unsigned char *pos, *end;
270 
271 	if (ps_do)
272 		*ps_do = -1;
273 	if (file_len)
274 		*file_len = -1;
275 
276 	pos = buf;
277 	end = pos + buf_len;
278 	if (*pos != USIM_FSP_TEMPL_TAG) {
279 		wpa_printf(MSG_DEBUG, "SCARD: file header did not "
280 			   "start with FSP template tag");
281 		return -1;
282 	}
283 	pos++;
284 	if (pos >= end)
285 		return -1;
286 	if (pos[0] < end - pos)
287 		end = pos + 1 + pos[0];
288 	pos++;
289 	wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
290 		    pos, end - pos);
291 
292 	while (end - pos >= 2) {
293 		unsigned char type, len;
294 
295 		type = pos[0];
296 		len = pos[1];
297 		wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV 0x%02x len=%d",
298 			   type, len);
299 		pos += 2;
300 
301 		if (len > (unsigned int) (end - pos))
302 			break;
303 
304 		switch (type) {
305 		case USIM_TLV_FILE_DESC:
306 			wpa_hexdump(MSG_MSGDUMP, "SCARD: File Descriptor TLV",
307 				    pos, len);
308 			break;
309 		case USIM_TLV_FILE_ID:
310 			wpa_hexdump(MSG_MSGDUMP, "SCARD: File Identifier TLV",
311 				    pos, len);
312 			break;
313 		case USIM_TLV_DF_NAME:
314 			wpa_hexdump(MSG_MSGDUMP, "SCARD: DF name (AID) TLV",
315 				    pos, len);
316 			break;
317 		case USIM_TLV_PROPR_INFO:
318 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Proprietary "
319 				    "information TLV", pos, len);
320 			break;
321 		case USIM_TLV_LIFE_CYCLE_STATUS:
322 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Life Cycle Status "
323 				    "Integer TLV", pos, len);
324 			break;
325 		case USIM_TLV_FILE_SIZE:
326 			wpa_hexdump(MSG_MSGDUMP, "SCARD: File size TLV",
327 				    pos, len);
328 			if ((len == 1 || len == 2) && file_len) {
329 				if (len == 1)
330 					*file_len = (int) pos[0];
331 				else
332 					*file_len = WPA_GET_BE16(pos);
333 				wpa_printf(MSG_DEBUG, "SCARD: file_size=%d",
334 					   *file_len);
335 			}
336 			break;
337 		case USIM_TLV_TOTAL_FILE_SIZE:
338 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Total file size TLV",
339 				    pos, len);
340 			break;
341 		case USIM_TLV_PIN_STATUS_TEMPLATE:
342 			wpa_hexdump(MSG_MSGDUMP, "SCARD: PIN Status Template "
343 				    "DO TLV", pos, len);
344 			if (len >= 2 && pos[0] == USIM_PS_DO_TAG &&
345 			    pos[1] >= 1 && ps_do) {
346 				wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x",
347 					   pos[2]);
348 				*ps_do = (int) pos[2];
349 			}
350 			break;
351 		case USIM_TLV_SHORT_FILE_ID:
352 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Short File "
353 				    "Identifier (SFI) TLV", pos, len);
354 			break;
355 		case USIM_TLV_SECURITY_ATTR_8B:
356 		case USIM_TLV_SECURITY_ATTR_8C:
357 		case USIM_TLV_SECURITY_ATTR_AB:
358 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Security attribute "
359 				    "TLV", pos, len);
360 			break;
361 		default:
362 			wpa_hexdump(MSG_MSGDUMP, "SCARD: Unrecognized TLV",
363 				    pos, len);
364 			break;
365 		}
366 
367 		pos += len;
368 
369 		if (pos == end)
370 			return 0;
371 	}
372 	return -1;
373 }
374 
375 
scard_pin_needed(struct scard_data * scard,unsigned char * hdr,size_t hlen)376 static int scard_pin_needed(struct scard_data *scard,
377 			    unsigned char *hdr, size_t hlen)
378 {
379 	if (scard->sim_type == SCARD_GSM_SIM) {
380 		if (hlen > SCARD_CHV1_OFFSET &&
381 		    !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG))
382 			return 1;
383 		return 0;
384 	}
385 
386 	if (scard->sim_type == SCARD_USIM) {
387 		int ps_do;
388 		if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL))
389 			return -1;
390 		/* TODO: there could be more than one PS_DO entry because of
391 		 * multiple PINs in key reference.. */
392 		if (ps_do > 0 && (ps_do & 0x80))
393 			return 1;
394 		return 0;
395 	}
396 
397 	return -1;
398 }
399 
400 
scard_get_aid(struct scard_data * scard,unsigned char * aid,size_t maxlen)401 static int scard_get_aid(struct scard_data *scard, unsigned char *aid,
402 			 size_t maxlen)
403 {
404 	int rlen, rec;
405 	struct efdir {
406 		unsigned char appl_template_tag; /* 0x61 */
407 		unsigned char appl_template_len;
408 		unsigned char appl_id_tag; /* 0x4f */
409 		unsigned char aid_len;
410 		unsigned char rid[5];
411 		unsigned char appl_code[2]; /* 0x1002 for 3G USIM */
412 	} *efdir;
413 	unsigned char buf[127], *aid_pos;
414 	size_t blen;
415 	unsigned int aid_len = 0;
416 
417 	efdir = (struct efdir *) buf;
418 	aid_pos = &buf[4];
419 	blen = sizeof(buf);
420 	if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) {
421 		wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR");
422 		return -1;
423 	}
424 	wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen);
425 
426 	for (rec = 1; rec < 10; rec++) {
427 		rlen = scard_get_record_len(scard, rec,
428 					    SIM_RECORD_MODE_ABSOLUTE);
429 		if (rlen < 0) {
430 			wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR "
431 				   "record length");
432 			return -1;
433 		}
434 		blen = sizeof(buf);
435 		if (rlen > (int) blen) {
436 			wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record");
437 			return -1;
438 		}
439 		if (scard_read_record(scard, buf, rlen, rec,
440 				      SIM_RECORD_MODE_ABSOLUTE) < 0) {
441 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read "
442 				   "EF_DIR record %d", rec);
443 			return -1;
444 		}
445 		wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen);
446 
447 		if (efdir->appl_template_tag != 0x61) {
448 			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
449 				   "template tag 0x%x",
450 				   efdir->appl_template_tag);
451 			continue;
452 		}
453 
454 		if (efdir->appl_template_len > rlen - 2) {
455 			wpa_printf(MSG_DEBUG, "SCARD: Too long application "
456 				   "template (len=%d rlen=%d)",
457 				   efdir->appl_template_len, rlen);
458 			continue;
459 		}
460 
461 		if (efdir->appl_id_tag != 0x4f) {
462 			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
463 				   "identifier tag 0x%x", efdir->appl_id_tag);
464 			continue;
465 		}
466 
467 		aid_len = efdir->aid_len;
468 		if (aid_len < 1 || aid_len > 16) {
469 			wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %u",
470 				   aid_len);
471 			continue;
472 		}
473 
474 		wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record",
475 			    aid_pos, aid_len);
476 
477 		if (efdir->appl_code[0] == 0x10 &&
478 		    efdir->appl_code[1] == 0x02) {
479 			wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from "
480 				   "EF_DIR record %d", rec);
481 			break;
482 		}
483 	}
484 
485 	if (rec >= 10) {
486 		wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found "
487 			   "from EF_DIR records");
488 		return -1;
489 	}
490 
491 	if (aid_len > maxlen) {
492 		wpa_printf(MSG_DEBUG, "SCARD: Too long AID");
493 		return -1;
494 	}
495 
496 	os_memcpy(aid, aid_pos, aid_len);
497 
498 	return aid_len;
499 }
500 
501 
502 /**
503  * scard_init - Initialize SIM/USIM connection using PC/SC
504  * @reader: Reader name prefix to search for
505  * Returns: Pointer to private data structure, or %NULL on failure
506  *
507  * This function is used to initialize SIM/USIM connection. PC/SC is used to
508  * open connection to the SIM/USIM card. In addition, local flag is set if a
509  * PIN is needed to access some of the card functions. Once the connection is
510  * not needed anymore, scard_deinit() can be used to close it.
511  */
scard_init(const char * reader)512 struct scard_data * scard_init(const char *reader)
513 {
514 	long ret;
515 #ifdef __APPLE__
516 	uint32_t len;
517 #else
518 	unsigned long len;
519 #endif
520 	unsigned long pos;
521 	struct scard_data *scard;
522 #ifdef CONFIG_NATIVE_WINDOWS
523 	TCHAR *readers = NULL;
524 #else /* CONFIG_NATIVE_WINDOWS */
525 	char *readers = NULL;
526 #endif /* CONFIG_NATIVE_WINDOWS */
527 	unsigned char buf[100];
528 	size_t blen;
529 	int transaction = 0;
530 	int pin_needed;
531 
532 	wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface");
533 	if (mingw_load_symbols())
534 		return NULL;
535 	scard = os_zalloc(sizeof(*scard));
536 	if (scard == NULL)
537 		return NULL;
538 
539 	ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL,
540 				    &scard->ctx);
541 	if (ret != SCARD_S_SUCCESS) {
542 		wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card "
543 			   "context (err=%ld)", ret);
544 		goto failed;
545 	}
546 
547 	ret = SCardListReaders(scard->ctx, NULL, NULL, &len);
548 	if (ret != SCARD_S_SUCCESS) {
549 		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed "
550 			   "(err=%ld)", ret);
551 		goto failed;
552 	}
553 
554 #ifdef UNICODE
555 	len *= 2;
556 #endif /* UNICODE */
557 	readers = os_malloc(len);
558 	if (readers == NULL) {
559 		wpa_printf(MSG_INFO, "SCARD: malloc failed\n");
560 		goto failed;
561 	}
562 
563 	ret = SCardListReaders(scard->ctx, NULL, readers, &len);
564 	if (ret != SCARD_S_SUCCESS) {
565 		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) "
566 			   "(err=%ld)", ret);
567 		goto failed;
568 	}
569 	if (len < 3) {
570 		wpa_printf(MSG_WARNING, "SCARD: No smart card readers "
571 			   "available.");
572 		goto failed;
573 	}
574 	wpa_hexdump_ascii(MSG_DEBUG, "SCARD: Readers", (u8 *) readers, len);
575 	/*
576 	 * readers is a list of available readers. The last entry is terminated
577 	 * with double null.
578 	 */
579 	pos = 0;
580 #ifdef UNICODE
581 	/* TODO */
582 #else /* UNICODE */
583 	while (pos < len) {
584 		if (reader == NULL ||
585 		    os_strncmp(&readers[pos], reader, os_strlen(reader)) == 0)
586 			break;
587 		while (pos < len && readers[pos])
588 			pos++;
589 		pos++; /* skip separating null */
590 		if (pos < len && readers[pos] == '\0')
591 			pos = len; /* double null terminates list */
592 	}
593 #endif /* UNICODE */
594 	if (pos >= len) {
595 		wpa_printf(MSG_WARNING, "SCARD: No reader with prefix '%s' "
596 			   "found", reader);
597 		goto failed;
598 	}
599 
600 #ifdef UNICODE
601 	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", &readers[pos]);
602 #else /* UNICODE */
603 	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", &readers[pos]);
604 #endif /* UNICODE */
605 
606 	ret = SCardConnect(scard->ctx, &readers[pos], SCARD_SHARE_SHARED,
607 			   SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
608 			   &scard->card, &scard->protocol);
609 	if (ret != SCARD_S_SUCCESS) {
610 		if (ret == (long) SCARD_E_NO_SMARTCARD)
611 			wpa_printf(MSG_INFO, "No smart card inserted.");
612 		else
613 			wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret);
614 		goto failed;
615 	}
616 
617 	os_free(readers);
618 	readers = NULL;
619 
620 	wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)",
621 		   (unsigned int) scard->card, (unsigned long) scard->protocol,
622 		   scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1");
623 
624 	ret = SCardBeginTransaction(scard->card);
625 	if (ret != SCARD_S_SUCCESS) {
626 		wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: "
627 			   "0x%x", (unsigned int) ret);
628 		goto failed;
629 	}
630 	transaction = 1;
631 
632 	blen = sizeof(buf);
633 
634 	wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support");
635 	if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen,
636 			       SCARD_USIM, NULL, 0)) {
637 		wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported. Trying to use GSM SIM");
638 		scard->sim_type = SCARD_GSM_SIM;
639 	} else {
640 		wpa_printf(MSG_DEBUG, "SCARD: USIM is supported");
641 		scard->sim_type = SCARD_USIM;
642 	}
643 
644 	if (scard->sim_type == SCARD_GSM_SIM) {
645 		blen = sizeof(buf);
646 		if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) {
647 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF");
648 			goto failed;
649 		}
650 
651 		blen = sizeof(buf);
652 		if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) {
653 			wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF");
654 			goto failed;
655 		}
656 	} else {
657 		unsigned char aid[32];
658 		int aid_len;
659 
660 		aid_len = scard_get_aid(scard, aid, sizeof(aid));
661 		if (aid_len < 0) {
662 			wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for "
663 				   "3G USIM app - try to use standard 3G RID");
664 			os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5);
665 			aid_len = 5;
666 		}
667 		wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len);
668 
669 		/* Select based on AID = 3G RID from EF_DIR. This is usually
670 		 * starting with A0 00 00 00 87. */
671 		blen = sizeof(buf);
672 		if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type,
673 				       aid, aid_len)) {
674 			wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM "
675 				   "app");
676 			wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID",
677 				    aid, aid_len);
678 			goto failed;
679 		}
680 	}
681 
682 	/* Verify whether CHV1 (PIN1) is needed to access the card. */
683 	pin_needed = scard_pin_needed(scard, buf, blen);
684 	if (pin_needed < 0) {
685 		wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN "
686 			   "is needed");
687 		goto failed;
688 	}
689 	if (pin_needed) {
690 		scard->pin1_required = 1;
691 		wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access (retry "
692 			   "counter=%d)", scard_get_pin_retry_counter(scard));
693 	}
694 
695 	ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
696 	if (ret != SCARD_S_SUCCESS) {
697 		wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: "
698 			   "0x%x", (unsigned int) ret);
699 	}
700 
701 	return scard;
702 
703 failed:
704 	if (transaction)
705 		SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
706 	os_free(readers);
707 	scard_deinit(scard);
708 	return NULL;
709 }
710 
711 
712 /**
713  * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands
714  * @scard: Pointer to private data from scard_init()
715  * @pin: PIN code as an ASCII string (e.g., "1234")
716  * Returns: 0 on success, -1 on failure
717  */
scard_set_pin(struct scard_data * scard,const char * pin)718 int scard_set_pin(struct scard_data *scard, const char *pin)
719 {
720 	if (scard == NULL)
721 		return -1;
722 
723 	/* Verify whether CHV1 (PIN1) is needed to access the card. */
724 	if (scard->pin1_required) {
725 		if (pin == NULL) {
726 			wpa_printf(MSG_DEBUG, "No PIN configured for SIM "
727 				   "access");
728 			return -1;
729 		}
730 		if (scard_verify_pin(scard, pin)) {
731 			wpa_printf(MSG_INFO, "PIN verification failed for "
732 				"SIM access");
733 			return -1;
734 		}
735 	}
736 
737 	return 0;
738 }
739 
740 
741 /**
742  * scard_deinit - Deinitialize SIM/USIM connection
743  * @scard: Pointer to private data from scard_init()
744  *
745  * This function closes the SIM/USIM connect opened with scard_init().
746  */
scard_deinit(struct scard_data * scard)747 void scard_deinit(struct scard_data *scard)
748 {
749 	long ret;
750 
751 	if (scard == NULL)
752 		return;
753 
754 	wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface");
755 	if (scard->card) {
756 		ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD);
757 		if (ret != SCARD_S_SUCCESS) {
758 			wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect "
759 				   "smart card (err=%ld)", ret);
760 		}
761 	}
762 
763 	if (scard->ctx) {
764 		ret = SCardReleaseContext(scard->ctx);
765 		if (ret != SCARD_S_SUCCESS) {
766 			wpa_printf(MSG_DEBUG, "Failed to release smart card "
767 				   "context (err=%ld)", ret);
768 		}
769 	}
770 	os_free(scard);
771 	mingw_unload_symbols();
772 }
773 
774 
scard_transmit(struct scard_data * scard,unsigned char * _send,size_t send_len,unsigned char * _recv,size_t * recv_len)775 static long scard_transmit(struct scard_data *scard,
776 			   unsigned char *_send, size_t send_len,
777 			   unsigned char *_recv, size_t *recv_len)
778 {
779 	long ret;
780 #ifdef __APPLE__
781 	uint32_t rlen;
782 #else
783 	unsigned long rlen;
784 #endif
785 
786 	wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send",
787 			_send, send_len);
788 	rlen = *recv_len;
789 	ret = SCardTransmit(scard->card,
790 			    scard->protocol == SCARD_PROTOCOL_T1 ?
791 			    SCARD_PCI_T1 : SCARD_PCI_T0,
792 			    _send, (unsigned long) send_len,
793 			    NULL, _recv, &rlen);
794 	*recv_len = rlen;
795 	if (ret == SCARD_S_SUCCESS) {
796 		wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv",
797 			    _recv, rlen);
798 	} else {
799 		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
800 			   "(err=0x%lx)", ret);
801 	}
802 	return ret;
803 }
804 
805 
_scard_select_file(struct scard_data * scard,unsigned short file_id,unsigned char * buf,size_t * buf_len,sim_types sim_type,unsigned char * aid,size_t aidlen)806 static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
807 			      unsigned char *buf, size_t *buf_len,
808 			      sim_types sim_type, unsigned char *aid,
809 			      size_t aidlen)
810 {
811 	long ret;
812 	unsigned char resp[3];
813 	unsigned char cmd[50] = { SIM_CMD_SELECT };
814 	int cmdlen;
815 	unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
816 	size_t len, rlen;
817 
818 	if (sim_type == SCARD_USIM) {
819 		cmd[0] = USIM_CLA;
820 		cmd[3] = 0x04;
821 		get_resp[0] = USIM_CLA;
822 	}
823 
824 	wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id);
825 	if (aid) {
826 		wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID",
827 			    aid, aidlen);
828 		if (5 + aidlen > sizeof(cmd))
829 			return -1;
830 		cmd[2] = 0x04; /* Select by AID */
831 		cmd[4] = aidlen; /* len */
832 		os_memcpy(cmd + 5, aid, aidlen);
833 		cmdlen = 5 + aidlen;
834 	} else {
835 		cmd[5] = file_id >> 8;
836 		cmd[6] = file_id & 0xff;
837 		cmdlen = 7;
838 	}
839 	len = sizeof(resp);
840 	ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
841 	if (ret != SCARD_S_SUCCESS) {
842 		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
843 			   "(err=0x%lx)", ret);
844 		return -1;
845 	}
846 
847 	if (len != 2) {
848 		wpa_printf(MSG_WARNING, "SCARD: unexpected resp len "
849 			   "%d (expected 2)", (int) len);
850 		return -1;
851 	}
852 
853 	if (resp[0] == 0x98 && resp[1] == 0x04) {
854 		/* Security status not satisfied (PIN_WLAN) */
855 		wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied "
856 			   "(PIN_WLAN)");
857 		return -1;
858 	}
859 
860 	if (resp[0] == 0x6e) {
861 		wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported");
862 		return -1;
863 	}
864 
865 	if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) {
866 		wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x "
867 			   "(expected 0x61, 0x6c, or 0x9f)", resp[0]);
868 		return -1;
869 	}
870 	/* Normal ending of command; resp[1] bytes available */
871 	get_resp[4] = resp[1];
872 	wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)",
873 		   resp[1]);
874 
875 	rlen = *buf_len;
876 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen);
877 	if (ret == SCARD_S_SUCCESS) {
878 		*buf_len = resp[1] < rlen ? resp[1] : rlen;
879 		return 0;
880 	}
881 
882 	wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret);
883 	return -1;
884 }
885 
886 
scard_select_file(struct scard_data * scard,unsigned short file_id,unsigned char * buf,size_t * buf_len)887 static int scard_select_file(struct scard_data *scard, unsigned short file_id,
888 			     unsigned char *buf, size_t *buf_len)
889 {
890 	return _scard_select_file(scard, file_id, buf, buf_len,
891 				  scard->sim_type, NULL, 0);
892 }
893 
894 
scard_get_record_len(struct scard_data * scard,unsigned char recnum,unsigned char mode)895 static int scard_get_record_len(struct scard_data *scard, unsigned char recnum,
896 				unsigned char mode)
897 {
898 	unsigned char buf[255];
899 	unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
900 	size_t blen;
901 	long ret;
902 
903 	if (scard->sim_type == SCARD_USIM)
904 		cmd[0] = USIM_CLA;
905 	cmd[2] = recnum;
906 	cmd[3] = mode;
907 	cmd[4] = sizeof(buf);
908 
909 	blen = sizeof(buf);
910 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
911 	if (ret != SCARD_S_SUCCESS) {
912 		wpa_printf(MSG_DEBUG, "SCARD: failed to determine file "
913 			   "length for record %d", recnum);
914 		return -1;
915 	}
916 
917 	wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response",
918 		    buf, blen);
919 
920 	if (blen < 2 || (buf[0] != 0x6c && buf[0] != 0x67)) {
921 		wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file "
922 			   "length determination");
923 		return -1;
924 	}
925 
926 	return buf[1];
927 }
928 
929 
scard_read_record(struct scard_data * scard,unsigned char * data,size_t len,unsigned char recnum,unsigned char mode)930 static int scard_read_record(struct scard_data *scard,
931 			     unsigned char *data, size_t len,
932 			     unsigned char recnum, unsigned char mode)
933 {
934 	unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
935 	size_t blen = len + 3;
936 	unsigned char *buf;
937 	long ret;
938 
939 	if (scard->sim_type == SCARD_USIM)
940 		cmd[0] = USIM_CLA;
941 	cmd[2] = recnum;
942 	cmd[3] = mode;
943 	cmd[4] = len;
944 
945 	buf = os_malloc(blen);
946 	if (buf == NULL)
947 		return -1;
948 
949 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
950 	if (ret != SCARD_S_SUCCESS) {
951 		os_free(buf);
952 		return -2;
953 	}
954 	if (blen != len + 2) {
955 		wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
956 			   "length %ld (expected %ld)",
957 			   (long) blen, (long) len + 2);
958 		os_free(buf);
959 		return -3;
960 	}
961 
962 	if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
963 		wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
964 			   "status %02x %02x (expected 90 00)",
965 			   buf[len], buf[len + 1]);
966 		os_free(buf);
967 		return -4;
968 	}
969 
970 	os_memcpy(data, buf, len);
971 	os_free(buf);
972 
973 	return 0;
974 }
975 
976 
scard_read_file(struct scard_data * scard,unsigned char * data,size_t len)977 static int scard_read_file(struct scard_data *scard,
978 			   unsigned char *data, size_t len)
979 {
980 	unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ };
981 	size_t blen = len + 3;
982 	unsigned char *buf;
983 	long ret;
984 
985 	cmd[4] = len;
986 
987 	buf = os_malloc(blen);
988 	if (buf == NULL)
989 		return -1;
990 
991 	if (scard->sim_type == SCARD_USIM)
992 		cmd[0] = USIM_CLA;
993 	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
994 	if (ret != SCARD_S_SUCCESS) {
995 		os_free(buf);
996 		return -2;
997 	}
998 	if (blen != len + 2) {
999 		wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
1000 			   "length %ld (expected %ld)",
1001 			   (long) blen, (long) len + 2);
1002 		os_free(buf);
1003 		return -3;
1004 	}
1005 
1006 	if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
1007 		wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
1008 			   "status %02x %02x (expected 90 00)",
1009 			   buf[len], buf[len + 1]);
1010 		os_free(buf);
1011 		return -4;
1012 	}
1013 
1014 	os_memcpy(data, buf, len);
1015 	os_free(buf);
1016 
1017 	return 0;
1018 }
1019 
1020 
scard_verify_pin(struct scard_data * scard,const char * pin)1021 static int scard_verify_pin(struct scard_data *scard, const char *pin)
1022 {
1023 	long ret;
1024 	unsigned char resp[3];
1025 	unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 };
1026 	size_t len;
1027 
1028 	wpa_printf(MSG_DEBUG, "SCARD: verifying PIN");
1029 
1030 	if (pin == NULL || os_strlen(pin) > 8)
1031 		return -1;
1032 
1033 	if (scard->sim_type == SCARD_USIM)
1034 		cmd[0] = USIM_CLA;
1035 	os_memcpy(cmd + 5, pin, os_strlen(pin));
1036 	os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin));
1037 
1038 	len = sizeof(resp);
1039 	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1040 	if (ret != SCARD_S_SUCCESS)
1041 		return -2;
1042 
1043 	if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) {
1044 		wpa_printf(MSG_WARNING, "SCARD: PIN verification failed");
1045 		return -1;
1046 	}
1047 
1048 	wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully");
1049 	return 0;
1050 }
1051 
1052 
scard_get_pin_retry_counter(struct scard_data * scard)1053 int scard_get_pin_retry_counter(struct scard_data *scard)
1054 {
1055 	long ret;
1056 	unsigned char resp[3];
1057 	unsigned char cmd[5] = { SIM_CMD_VERIFY_CHV1 };
1058 	size_t len;
1059 	u16 val;
1060 
1061 	wpa_printf(MSG_DEBUG, "SCARD: fetching PIN retry counter");
1062 
1063 	if (scard->sim_type == SCARD_USIM)
1064 		cmd[0] = USIM_CLA;
1065 	cmd[4] = 0; /* Empty data */
1066 
1067 	len = sizeof(resp);
1068 	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1069 	if (ret != SCARD_S_SUCCESS)
1070 		return -2;
1071 
1072 	if (len != 2) {
1073 		wpa_printf(MSG_WARNING, "SCARD: failed to fetch PIN retry "
1074 			   "counter");
1075 		return -1;
1076 	}
1077 
1078 	val = WPA_GET_BE16(resp);
1079 	if (val == 0x63c0 || val == 0x6983) {
1080 		wpa_printf(MSG_DEBUG, "SCARD: PIN has been blocked");
1081 		return 0;
1082 	}
1083 
1084 	if (val >= 0x63c0 && val <= 0x63cf)
1085 		return val & 0x000f;
1086 
1087 	wpa_printf(MSG_DEBUG, "SCARD: Unexpected PIN retry counter response "
1088 		   "value 0x%x", val);
1089 	return 0;
1090 }
1091 
1092 
1093 /**
1094  * scard_get_imsi - Read IMSI from SIM/USIM card
1095  * @scard: Pointer to private data from scard_init()
1096  * @imsi: Buffer for IMSI
1097  * @len: Length of imsi buffer; set to IMSI length on success
1098  * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file
1099  * selection returns invalid result code, -3 if parsing FSP template file fails
1100  * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set
1101  * to needed length), -5 if reading IMSI file fails.
1102  *
1103  * This function can be used to read IMSI from the SIM/USIM card. If the IMSI
1104  * file is PIN protected, scard_set_pin() must have been used to set the
1105  * correct PIN code before calling scard_get_imsi().
1106  */
scard_get_imsi(struct scard_data * scard,char * imsi,size_t * len)1107 int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len)
1108 {
1109 	unsigned char buf[100];
1110 	size_t blen, imsilen, i;
1111 	char *pos;
1112 
1113 	wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI");
1114 	blen = sizeof(buf);
1115 	if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen))
1116 		return -1;
1117 	if (blen < 4) {
1118 		wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI "
1119 			   "header (len=%ld)", (long) blen);
1120 		return -2;
1121 	}
1122 
1123 	if (scard->sim_type == SCARD_GSM_SIM) {
1124 		blen = WPA_GET_BE16(&buf[2]);
1125 	} else {
1126 		int file_size;
1127 		if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
1128 			return -3;
1129 		blen = file_size;
1130 	}
1131 	if (blen < 2 || blen > sizeof(buf)) {
1132 		wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld",
1133 			   (long) blen);
1134 		return -3;
1135 	}
1136 
1137 	imsilen = (blen - 2) * 2 + 1;
1138 	wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld",
1139 		   (long) blen, (long) imsilen);
1140 	if (blen < 2 || imsilen > *len) {
1141 		*len = imsilen;
1142 		return -4;
1143 	}
1144 
1145 	if (scard_read_file(scard, buf, blen))
1146 		return -5;
1147 
1148 	pos = imsi;
1149 	*pos++ = '0' + (buf[1] >> 4 & 0x0f);
1150 	for (i = 2; i < blen; i++) {
1151 		unsigned char digit;
1152 
1153 		digit = buf[i] & 0x0f;
1154 		if (digit < 10)
1155 			*pos++ = '0' + digit;
1156 		else
1157 			imsilen--;
1158 
1159 		digit = buf[i] >> 4 & 0x0f;
1160 		if (digit < 10)
1161 			*pos++ = '0' + digit;
1162 		else
1163 			imsilen--;
1164 	}
1165 	*len = imsilen;
1166 
1167 	return 0;
1168 }
1169 
1170 
1171 /**
1172  * scard_get_mnc_len - Read length of MNC in the IMSI from SIM/USIM card
1173  * @scard: Pointer to private data from scard_init()
1174  * Returns: length (>0) on success, -1 if administrative data file cannot be
1175  * selected, -2 if administrative data file selection returns invalid result
1176  * code, -3 if parsing FSP template file fails (USIM only), -4 if length of
1177  * the file is unexpected, -5 if reading file fails, -6 if MNC length is not
1178  * in range (i.e. 2 or 3), -7 if MNC length is not available.
1179  *
1180  */
scard_get_mnc_len(struct scard_data * scard)1181 int scard_get_mnc_len(struct scard_data *scard)
1182 {
1183 	unsigned char buf[100];
1184 	size_t blen;
1185 	int file_size;
1186 
1187 	wpa_printf(MSG_DEBUG, "SCARD: reading MNC len from (GSM) EF-AD");
1188 	blen = sizeof(buf);
1189 	if (scard_select_file(scard, SCARD_FILE_GSM_EF_AD, buf, &blen))
1190 		return -1;
1191 	if (blen < 4) {
1192 		wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-AD "
1193 			   "header (len=%ld)", (long) blen);
1194 		return -2;
1195 	}
1196 
1197 	if (scard->sim_type == SCARD_GSM_SIM) {
1198 		file_size = WPA_GET_BE16(&buf[2]);
1199 	} else {
1200 		if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
1201 			return -3;
1202 	}
1203 	if (file_size == 3) {
1204 		wpa_printf(MSG_DEBUG, "SCARD: MNC length not available");
1205 		return -7;
1206 	}
1207 	if (file_size < 4 || file_size > (int) sizeof(buf)) {
1208 		wpa_printf(MSG_DEBUG, "SCARD: invalid file length=%ld",
1209 			   (long) file_size);
1210 		return -4;
1211 	}
1212 
1213 	if (scard_read_file(scard, buf, file_size))
1214 		return -5;
1215 	buf[3] = buf[3] & 0x0f; /* upper nibble reserved for future use  */
1216 	if (buf[3] < 2 || buf[3] > 3) {
1217 		wpa_printf(MSG_DEBUG, "SCARD: invalid MNC length=%ld",
1218 			   (long) buf[3]);
1219 		return -6;
1220 	}
1221 	wpa_printf(MSG_DEBUG, "SCARD: MNC length=%ld", (long) buf[3]);
1222 	return buf[3];
1223 }
1224 
1225 
1226 /**
1227  * scard_gsm_auth - Run GSM authentication command on SIM card
1228  * @scard: Pointer to private data from scard_init()
1229  * @_rand: 16-byte RAND value from HLR/AuC
1230  * @sres: 4-byte buffer for SRES
1231  * @kc: 8-byte buffer for Kc
1232  * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized,
1233  * -2 if authentication command execution fails, -3 if unknown response code
1234  * for authentication command is received, -4 if reading of response fails,
1235  * -5 if if response data is of unexpected length
1236  *
1237  * This function performs GSM authentication using SIM/USIM card and the
1238  * provided RAND value from HLR/AuC. If authentication command can be completed
1239  * successfully, SRES and Kc values will be written into sres and kc buffers.
1240  */
scard_gsm_auth(struct scard_data * scard,const unsigned char * _rand,unsigned char * sres,unsigned char * kc)1241 int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand,
1242 		   unsigned char *sres, unsigned char *kc)
1243 {
1244 	unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG };
1245 	int cmdlen;
1246 	unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
1247 	unsigned char resp[3], buf[12 + 3 + 2];
1248 	size_t len;
1249 	long ret;
1250 
1251 	if (scard == NULL)
1252 		return -1;
1253 
1254 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16);
1255 	if (scard->sim_type == SCARD_GSM_SIM) {
1256 		cmdlen = 5 + 16;
1257 		os_memcpy(cmd + 5, _rand, 16);
1258 	} else {
1259 		cmdlen = 5 + 1 + 16;
1260 		cmd[0] = USIM_CLA;
1261 		cmd[3] = 0x80;
1262 		cmd[4] = 17;
1263 		cmd[5] = 16;
1264 		os_memcpy(cmd + 6, _rand, 16);
1265 		get_resp[0] = USIM_CLA;
1266 	}
1267 	len = sizeof(resp);
1268 	ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
1269 	if (ret != SCARD_S_SUCCESS)
1270 		return -2;
1271 
1272 	if ((scard->sim_type == SCARD_GSM_SIM &&
1273 	     (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) ||
1274 	    (scard->sim_type == SCARD_USIM &&
1275 	     (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) {
1276 		wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM "
1277 			   "auth request (len=%ld resp=%02x %02x)",
1278 			   (long) len, resp[0], resp[1]);
1279 		return -3;
1280 	}
1281 	get_resp[4] = resp[1];
1282 
1283 	len = sizeof(buf);
1284 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
1285 	if (ret != SCARD_S_SUCCESS)
1286 		return -4;
1287 
1288 	if (scard->sim_type == SCARD_GSM_SIM) {
1289 		if (len != 4 + 8 + 2) {
1290 			wpa_printf(MSG_WARNING, "SCARD: unexpected data "
1291 				   "length for GSM auth (len=%ld, expected 14)",
1292 				   (long) len);
1293 			return -5;
1294 		}
1295 		os_memcpy(sres, buf, 4);
1296 		os_memcpy(kc, buf + 4, 8);
1297 	} else {
1298 		if (len != 1 + 4 + 1 + 8 + 2) {
1299 			wpa_printf(MSG_WARNING, "SCARD: unexpected data "
1300 				   "length for USIM auth (len=%ld, "
1301 				   "expected 16)", (long) len);
1302 			return -5;
1303 		}
1304 		if (buf[0] != 4 || buf[5] != 8) {
1305 			wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc "
1306 				   "length (%d %d, expected 4 8)",
1307 				   buf[0], buf[5]);
1308 		}
1309 		os_memcpy(sres, buf + 1, 4);
1310 		os_memcpy(kc, buf + 6, 8);
1311 	}
1312 
1313 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4);
1314 	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8);
1315 
1316 	return 0;
1317 }
1318 
1319 
1320 /**
1321  * scard_umts_auth - Run UMTS authentication command on USIM card
1322  * @scard: Pointer to private data from scard_init()
1323  * @_rand: 16-byte RAND value from HLR/AuC
1324  * @autn: 16-byte AUTN value from HLR/AuC
1325  * @res: 16-byte buffer for RES
1326  * @res_len: Variable that will be set to RES length
1327  * @ik: 16-byte buffer for IK
1328  * @ck: 16-byte buffer for CK
1329  * @auts: 14-byte buffer for AUTS
1330  * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization
1331  * failure
1332  *
1333  * This function performs AKA authentication using USIM card and the provided
1334  * RAND and AUTN values from HLR/AuC. If authentication command can be
1335  * completed successfully, RES, IK, and CK values will be written into provided
1336  * buffers and res_len is set to length of received RES value. If USIM reports
1337  * synchronization failure, the received AUTS value will be written into auts
1338  * buffer. In this case, RES, IK, and CK are not valid.
1339  */
scard_umts_auth(struct scard_data * scard,const unsigned char * _rand,const unsigned char * autn,unsigned char * res,size_t * res_len,unsigned char * ik,unsigned char * ck,unsigned char * auts)1340 int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
1341 		    const unsigned char *autn,
1342 		    unsigned char *res, size_t *res_len,
1343 		    unsigned char *ik, unsigned char *ck, unsigned char *auts)
1344 {
1345 	unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] =
1346 		{ USIM_CMD_RUN_UMTS_ALG };
1347 	unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE };
1348 	unsigned char resp[3], buf[64], *pos, *end;
1349 	size_t len;
1350 	long ret;
1351 
1352 	if (scard == NULL)
1353 		return -1;
1354 
1355 	if (scard->sim_type == SCARD_GSM_SIM) {
1356 		wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS "
1357 			   "auth");
1358 		return -1;
1359 	}
1360 
1361 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN);
1362 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN);
1363 	cmd[5] = AKA_RAND_LEN;
1364 	os_memcpy(cmd + 6, _rand, AKA_RAND_LEN);
1365 	cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN;
1366 	os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN);
1367 
1368 	len = sizeof(resp);
1369 	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1370 	if (ret != SCARD_S_SUCCESS)
1371 		return -1;
1372 
1373 	if (len <= sizeof(resp))
1374 		wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len);
1375 
1376 	if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) {
1377 		wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - "
1378 			   "MAC != XMAC");
1379 		return -1;
1380 	} else if (len != 2 || resp[0] != 0x61) {
1381 		wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS "
1382 			   "auth request (len=%ld resp=%02x %02x)",
1383 			   (long) len, resp[0], resp[1]);
1384 		return -1;
1385 	}
1386 	get_resp[4] = resp[1];
1387 
1388 	len = sizeof(buf);
1389 	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
1390 	if (ret != SCARD_S_SUCCESS || len > sizeof(buf))
1391 		return -1;
1392 
1393 	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len);
1394 	if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc &&
1395 	    buf[1] == AKA_AUTS_LEN) {
1396 		wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure");
1397 		os_memcpy(auts, buf + 2, AKA_AUTS_LEN);
1398 		wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN);
1399 		return -2;
1400 	} else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) {
1401 		pos = buf + 1;
1402 		end = buf + len;
1403 
1404 		/* RES */
1405 		if (pos[0] > RES_MAX_LEN || pos[0] > end - pos) {
1406 			wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
1407 			return -1;
1408 		}
1409 		*res_len = *pos++;
1410 		os_memcpy(res, pos, *res_len);
1411 		pos += *res_len;
1412 		wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
1413 
1414 		/* CK */
1415 		if (pos[0] != CK_LEN || CK_LEN > end - pos) {
1416 			wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
1417 			return -1;
1418 		}
1419 		pos++;
1420 		os_memcpy(ck, pos, CK_LEN);
1421 		pos += CK_LEN;
1422 		wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
1423 
1424 		/* IK */
1425 		if (pos[0] != IK_LEN || IK_LEN > end - pos) {
1426 			wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
1427 			return -1;
1428 		}
1429 		pos++;
1430 		os_memcpy(ik, pos, IK_LEN);
1431 		pos += IK_LEN;
1432 		wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN);
1433 
1434 		if (end > pos) {
1435 			wpa_hexdump(MSG_DEBUG,
1436 				    "SCARD: Ignore extra data in end",
1437 				    pos, end - pos);
1438 		}
1439 
1440 		return 0;
1441 	}
1442 
1443 	wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response");
1444 	return -1;
1445 }
1446 
1447 
scard_supports_umts(struct scard_data * scard)1448 int scard_supports_umts(struct scard_data *scard)
1449 {
1450 	return scard->sim_type == SCARD_USIM;
1451 }
1452