1 /* 2 * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM 3 * Copyright (c) 2004-2007, 2012, Jouni Malinen <j@w1.fi> 4 * 5 * This software may be distributed under the terms of the BSD license. 6 * See README for more details. 7 * 8 * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM 9 * cards through PC/SC smartcard library. These functions are used to implement 10 * authentication routines for EAP-SIM and EAP-AKA. 11 */ 12 13 #include "includes.h" 14 #ifdef __APPLE__ 15 #include <PCSC/winscard.h> 16 #else 17 #include <winscard.h> 18 #endif 19 20 #include "common.h" 21 #include "pcsc_funcs.h" 22 23 24 /* See ETSI GSM 11.11 and ETSI TS 102 221 for details. 25 * SIM commands: 26 * Command APDU: CLA INS P1 P2 P3 Data 27 * CLA (class of instruction): A0 for GSM, 00 for USIM 28 * INS (instruction) 29 * P1 P2 P3 (parameters, P3 = length of Data) 30 * Response APDU: Data SW1 SW2 31 * SW1 SW2 (Status words) 32 * Commands (INS P1 P2 P3): 33 * SELECT: A4 00 00 02 <file_id, 2 bytes> 34 * GET RESPONSE: C0 00 00 <len> 35 * RUN GSM ALG: 88 00 00 00 <RAND len = 10> 36 * RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN 37 * P1 = ID of alg in card 38 * P2 = ID of secret key 39 * READ BINARY: B0 <offset high> <offset low> <len> 40 * READ RECORD: B2 <record number> <mode> <len> 41 * P2 (mode) = '02' (next record), '03' (previous record), 42 * '04' (absolute mode) 43 * VERIFY CHV: 20 00 <CHV number> 08 44 * CHANGE CHV: 24 00 <CHV number> 10 45 * DISABLE CHV: 26 00 01 08 46 * ENABLE CHV: 28 00 01 08 47 * UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10 48 * SLEEP: FA 00 00 00 49 */ 50 51 /* GSM SIM commands */ 52 #define SIM_CMD_SELECT 0xa0, 0xa4, 0x00, 0x00, 0x02 53 #define SIM_CMD_RUN_GSM_ALG 0xa0, 0x88, 0x00, 0x00, 0x10 54 #define SIM_CMD_GET_RESPONSE 0xa0, 0xc0, 0x00, 0x00 55 #define SIM_CMD_READ_BIN 0xa0, 0xb0, 0x00, 0x00 56 #define SIM_CMD_READ_RECORD 0xa0, 0xb2, 0x00, 0x00 57 #define SIM_CMD_VERIFY_CHV1 0xa0, 0x20, 0x00, 0x01, 0x08 58 59 /* USIM commands */ 60 #define USIM_CLA 0x00 61 #define USIM_CMD_RUN_UMTS_ALG 0x00, 0x88, 0x00, 0x81, 0x22 62 #define USIM_CMD_GET_RESPONSE 0x00, 0xc0, 0x00, 0x00 63 64 #define SIM_RECORD_MODE_ABSOLUTE 0x04 65 66 #define USIM_FSP_TEMPL_TAG 0x62 67 68 #define USIM_TLV_FILE_DESC 0x82 69 #define USIM_TLV_FILE_ID 0x83 70 #define USIM_TLV_DF_NAME 0x84 71 #define USIM_TLV_PROPR_INFO 0xA5 72 #define USIM_TLV_LIFE_CYCLE_STATUS 0x8A 73 #define USIM_TLV_FILE_SIZE 0x80 74 #define USIM_TLV_TOTAL_FILE_SIZE 0x81 75 #define USIM_TLV_PIN_STATUS_TEMPLATE 0xC6 76 #define USIM_TLV_SHORT_FILE_ID 0x88 77 #define USIM_TLV_SECURITY_ATTR_8B 0x8B 78 #define USIM_TLV_SECURITY_ATTR_8C 0x8C 79 #define USIM_TLV_SECURITY_ATTR_AB 0xAB 80 81 #define USIM_PS_DO_TAG 0x90 82 83 #define AKA_RAND_LEN 16 84 #define AKA_AUTN_LEN 16 85 #define AKA_AUTS_LEN 14 86 #define RES_MAX_LEN 16 87 #define IK_LEN 16 88 #define CK_LEN 16 89 90 91 /* GSM files 92 * File type in first octet: 93 * 3F = Master File 94 * 7F = Dedicated File 95 * 2F = Elementary File under the Master File 96 * 6F = Elementary File under a Dedicated File 97 */ 98 #define SCARD_FILE_MF 0x3F00 99 #define SCARD_FILE_GSM_DF 0x7F20 100 #define SCARD_FILE_UMTS_DF 0x7F50 101 #define SCARD_FILE_GSM_EF_IMSI 0x6F07 102 #define SCARD_FILE_GSM_EF_AD 0x6FAD 103 #define SCARD_FILE_EF_DIR 0x2F00 104 #define SCARD_FILE_EF_ICCID 0x2FE2 105 #define SCARD_FILE_EF_CK 0x6FE1 106 #define SCARD_FILE_EF_IK 0x6FE2 107 108 #define SCARD_CHV1_OFFSET 13 109 #define SCARD_CHV1_FLAG 0x80 110 111 112 typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types; 113 114 struct scard_data { 115 SCARDCONTEXT ctx; 116 SCARDHANDLE card; 117 #ifdef __APPLE__ 118 uint32_t protocol; 119 #else 120 DWORD protocol; 121 #endif 122 sim_types sim_type; 123 int pin1_required; 124 }; 125 126 #ifdef __MINGW32_VERSION 127 /* MinGW does not yet support WinScard, so load the needed functions 128 * dynamically from winscard.dll for now. */ 129 130 static HINSTANCE dll = NULL; /* winscard.dll */ 131 132 static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci; 133 #undef SCARD_PCI_T0 134 #define SCARD_PCI_T0 (dll_g_rgSCardT0Pci) 135 #undef SCARD_PCI_T1 136 #define SCARD_PCI_T1 (dll_g_rgSCardT1Pci) 137 138 139 static WINSCARDAPI LONG WINAPI 140 (*dll_SCardEstablishContext)(IN DWORD dwScope, 141 IN LPCVOID pvReserved1, 142 IN LPCVOID pvReserved2, 143 OUT LPSCARDCONTEXT phContext); 144 #define SCardEstablishContext dll_SCardEstablishContext 145 146 static long (*dll_SCardReleaseContext)(long hContext); 147 #define SCardReleaseContext dll_SCardReleaseContext 148 149 static WINSCARDAPI LONG WINAPI 150 (*dll_SCardListReadersA)(IN SCARDCONTEXT hContext, 151 IN LPCSTR mszGroups, 152 OUT LPSTR mszReaders, 153 IN OUT LPDWORD pcchReaders); 154 #undef SCardListReaders 155 #define SCardListReaders dll_SCardListReadersA 156 157 static WINSCARDAPI LONG WINAPI 158 (*dll_SCardConnectA)(IN SCARDCONTEXT hContext, 159 IN LPCSTR szReader, 160 IN DWORD dwShareMode, 161 IN DWORD dwPreferredProtocols, 162 OUT LPSCARDHANDLE phCard, 163 OUT LPDWORD pdwActiveProtocol); 164 #undef SCardConnect 165 #define SCardConnect dll_SCardConnectA 166 167 static WINSCARDAPI LONG WINAPI 168 (*dll_SCardDisconnect)(IN SCARDHANDLE hCard, 169 IN DWORD dwDisposition); 170 #define SCardDisconnect dll_SCardDisconnect 171 172 static WINSCARDAPI LONG WINAPI 173 (*dll_SCardTransmit)(IN SCARDHANDLE hCard, 174 IN LPCSCARD_IO_REQUEST pioSendPci, 175 IN LPCBYTE pbSendBuffer, 176 IN DWORD cbSendLength, 177 IN OUT LPSCARD_IO_REQUEST pioRecvPci, 178 OUT LPBYTE pbRecvBuffer, 179 IN OUT LPDWORD pcbRecvLength); 180 #define SCardTransmit dll_SCardTransmit 181 182 static WINSCARDAPI LONG WINAPI 183 (*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard); 184 #define SCardBeginTransaction dll_SCardBeginTransaction 185 186 static WINSCARDAPI LONG WINAPI 187 (*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition); 188 #define SCardEndTransaction dll_SCardEndTransaction 189 190 mingw_load_symbols(void)191 static int mingw_load_symbols(void) 192 { 193 char *sym; 194 195 if (dll) 196 return 0; 197 198 dll = LoadLibrary("winscard"); 199 if (dll == NULL) { 200 wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll " 201 "library"); 202 return -1; 203 } 204 205 #define LOADSYM(s) \ 206 sym = #s; \ 207 dll_ ## s = (void *) GetProcAddress(dll, sym); \ 208 if (dll_ ## s == NULL) \ 209 goto fail; 210 211 LOADSYM(SCardEstablishContext); 212 LOADSYM(SCardReleaseContext); 213 LOADSYM(SCardListReadersA); 214 LOADSYM(SCardConnectA); 215 LOADSYM(SCardDisconnect); 216 LOADSYM(SCardTransmit); 217 LOADSYM(SCardBeginTransaction); 218 LOADSYM(SCardEndTransaction); 219 LOADSYM(g_rgSCardT0Pci); 220 LOADSYM(g_rgSCardT1Pci); 221 222 #undef LOADSYM 223 224 return 0; 225 226 fail: 227 wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from " 228 "winscard.dll", sym); 229 FreeLibrary(dll); 230 dll = NULL; 231 return -1; 232 } 233 234 mingw_unload_symbols(void)235 static void mingw_unload_symbols(void) 236 { 237 if (dll == NULL) 238 return; 239 240 FreeLibrary(dll); 241 dll = NULL; 242 } 243 244 #else /* __MINGW32_VERSION */ 245 246 #define mingw_load_symbols() 0 247 #define mingw_unload_symbols() do { } while (0) 248 249 #endif /* __MINGW32_VERSION */ 250 251 252 static int _scard_select_file(struct scard_data *scard, unsigned short file_id, 253 unsigned char *buf, size_t *buf_len, 254 sim_types sim_type, unsigned char *aid, 255 size_t aidlen); 256 static int scard_select_file(struct scard_data *scard, unsigned short file_id, 257 unsigned char *buf, size_t *buf_len); 258 static int scard_verify_pin(struct scard_data *scard, const char *pin); 259 static int scard_get_record_len(struct scard_data *scard, 260 unsigned char recnum, unsigned char mode); 261 static int scard_read_record(struct scard_data *scard, 262 unsigned char *data, size_t len, 263 unsigned char recnum, unsigned char mode); 264 265 scard_parse_fsp_templ(unsigned char * buf,size_t buf_len,int * ps_do,int * file_len)266 static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len, 267 int *ps_do, int *file_len) 268 { 269 unsigned char *pos, *end; 270 271 if (ps_do) 272 *ps_do = -1; 273 if (file_len) 274 *file_len = -1; 275 276 pos = buf; 277 end = pos + buf_len; 278 if (*pos != USIM_FSP_TEMPL_TAG) { 279 wpa_printf(MSG_DEBUG, "SCARD: file header did not " 280 "start with FSP template tag"); 281 return -1; 282 } 283 pos++; 284 if (pos >= end) 285 return -1; 286 if (pos[0] < end - pos) 287 end = pos + 1 + pos[0]; 288 pos++; 289 wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template", 290 pos, end - pos); 291 292 while (end - pos >= 2) { 293 unsigned char type, len; 294 295 type = pos[0]; 296 len = pos[1]; 297 wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV 0x%02x len=%d", 298 type, len); 299 pos += 2; 300 301 if (len > (unsigned int) (end - pos)) 302 break; 303 304 switch (type) { 305 case USIM_TLV_FILE_DESC: 306 wpa_hexdump(MSG_MSGDUMP, "SCARD: File Descriptor TLV", 307 pos, len); 308 break; 309 case USIM_TLV_FILE_ID: 310 wpa_hexdump(MSG_MSGDUMP, "SCARD: File Identifier TLV", 311 pos, len); 312 break; 313 case USIM_TLV_DF_NAME: 314 wpa_hexdump(MSG_MSGDUMP, "SCARD: DF name (AID) TLV", 315 pos, len); 316 break; 317 case USIM_TLV_PROPR_INFO: 318 wpa_hexdump(MSG_MSGDUMP, "SCARD: Proprietary " 319 "information TLV", pos, len); 320 break; 321 case USIM_TLV_LIFE_CYCLE_STATUS: 322 wpa_hexdump(MSG_MSGDUMP, "SCARD: Life Cycle Status " 323 "Integer TLV", pos, len); 324 break; 325 case USIM_TLV_FILE_SIZE: 326 wpa_hexdump(MSG_MSGDUMP, "SCARD: File size TLV", 327 pos, len); 328 if ((len == 1 || len == 2) && file_len) { 329 if (len == 1) 330 *file_len = (int) pos[0]; 331 else 332 *file_len = WPA_GET_BE16(pos); 333 wpa_printf(MSG_DEBUG, "SCARD: file_size=%d", 334 *file_len); 335 } 336 break; 337 case USIM_TLV_TOTAL_FILE_SIZE: 338 wpa_hexdump(MSG_MSGDUMP, "SCARD: Total file size TLV", 339 pos, len); 340 break; 341 case USIM_TLV_PIN_STATUS_TEMPLATE: 342 wpa_hexdump(MSG_MSGDUMP, "SCARD: PIN Status Template " 343 "DO TLV", pos, len); 344 if (len >= 2 && pos[0] == USIM_PS_DO_TAG && 345 pos[1] >= 1 && ps_do) { 346 wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x", 347 pos[2]); 348 *ps_do = (int) pos[2]; 349 } 350 break; 351 case USIM_TLV_SHORT_FILE_ID: 352 wpa_hexdump(MSG_MSGDUMP, "SCARD: Short File " 353 "Identifier (SFI) TLV", pos, len); 354 break; 355 case USIM_TLV_SECURITY_ATTR_8B: 356 case USIM_TLV_SECURITY_ATTR_8C: 357 case USIM_TLV_SECURITY_ATTR_AB: 358 wpa_hexdump(MSG_MSGDUMP, "SCARD: Security attribute " 359 "TLV", pos, len); 360 break; 361 default: 362 wpa_hexdump(MSG_MSGDUMP, "SCARD: Unrecognized TLV", 363 pos, len); 364 break; 365 } 366 367 pos += len; 368 369 if (pos == end) 370 return 0; 371 } 372 return -1; 373 } 374 375 scard_pin_needed(struct scard_data * scard,unsigned char * hdr,size_t hlen)376 static int scard_pin_needed(struct scard_data *scard, 377 unsigned char *hdr, size_t hlen) 378 { 379 if (scard->sim_type == SCARD_GSM_SIM) { 380 if (hlen > SCARD_CHV1_OFFSET && 381 !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG)) 382 return 1; 383 return 0; 384 } 385 386 if (scard->sim_type == SCARD_USIM) { 387 int ps_do; 388 if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL)) 389 return -1; 390 /* TODO: there could be more than one PS_DO entry because of 391 * multiple PINs in key reference.. */ 392 if (ps_do > 0 && (ps_do & 0x80)) 393 return 1; 394 return 0; 395 } 396 397 return -1; 398 } 399 400 scard_get_aid(struct scard_data * scard,unsigned char * aid,size_t maxlen)401 static int scard_get_aid(struct scard_data *scard, unsigned char *aid, 402 size_t maxlen) 403 { 404 int rlen, rec; 405 struct efdir { 406 unsigned char appl_template_tag; /* 0x61 */ 407 unsigned char appl_template_len; 408 unsigned char appl_id_tag; /* 0x4f */ 409 unsigned char aid_len; 410 unsigned char rid[5]; 411 unsigned char appl_code[2]; /* 0x1002 for 3G USIM */ 412 } *efdir; 413 unsigned char buf[127], *aid_pos; 414 size_t blen; 415 unsigned int aid_len = 0; 416 417 efdir = (struct efdir *) buf; 418 aid_pos = &buf[4]; 419 blen = sizeof(buf); 420 if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) { 421 wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR"); 422 return -1; 423 } 424 wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen); 425 426 for (rec = 1; rec < 10; rec++) { 427 rlen = scard_get_record_len(scard, rec, 428 SIM_RECORD_MODE_ABSOLUTE); 429 if (rlen < 0) { 430 wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR " 431 "record length"); 432 return -1; 433 } 434 blen = sizeof(buf); 435 if (rlen > (int) blen) { 436 wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record"); 437 return -1; 438 } 439 if (scard_read_record(scard, buf, rlen, rec, 440 SIM_RECORD_MODE_ABSOLUTE) < 0) { 441 wpa_printf(MSG_DEBUG, "SCARD: Failed to read " 442 "EF_DIR record %d", rec); 443 return -1; 444 } 445 wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen); 446 447 if (efdir->appl_template_tag != 0x61) { 448 wpa_printf(MSG_DEBUG, "SCARD: Unexpected application " 449 "template tag 0x%x", 450 efdir->appl_template_tag); 451 continue; 452 } 453 454 if (efdir->appl_template_len > rlen - 2) { 455 wpa_printf(MSG_DEBUG, "SCARD: Too long application " 456 "template (len=%d rlen=%d)", 457 efdir->appl_template_len, rlen); 458 continue; 459 } 460 461 if (efdir->appl_id_tag != 0x4f) { 462 wpa_printf(MSG_DEBUG, "SCARD: Unexpected application " 463 "identifier tag 0x%x", efdir->appl_id_tag); 464 continue; 465 } 466 467 aid_len = efdir->aid_len; 468 if (aid_len < 1 || aid_len > 16) { 469 wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %u", 470 aid_len); 471 continue; 472 } 473 474 wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record", 475 aid_pos, aid_len); 476 477 if (efdir->appl_code[0] == 0x10 && 478 efdir->appl_code[1] == 0x02) { 479 wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from " 480 "EF_DIR record %d", rec); 481 break; 482 } 483 } 484 485 if (rec >= 10) { 486 wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found " 487 "from EF_DIR records"); 488 return -1; 489 } 490 491 if (aid_len > maxlen) { 492 wpa_printf(MSG_DEBUG, "SCARD: Too long AID"); 493 return -1; 494 } 495 496 os_memcpy(aid, aid_pos, aid_len); 497 498 return aid_len; 499 } 500 501 502 /** 503 * scard_init - Initialize SIM/USIM connection using PC/SC 504 * @reader: Reader name prefix to search for 505 * Returns: Pointer to private data structure, or %NULL on failure 506 * 507 * This function is used to initialize SIM/USIM connection. PC/SC is used to 508 * open connection to the SIM/USIM card. In addition, local flag is set if a 509 * PIN is needed to access some of the card functions. Once the connection is 510 * not needed anymore, scard_deinit() can be used to close it. 511 */ scard_init(const char * reader)512 struct scard_data * scard_init(const char *reader) 513 { 514 long ret; 515 #ifdef __APPLE__ 516 uint32_t len; 517 #else 518 unsigned long len; 519 #endif 520 unsigned long pos; 521 struct scard_data *scard; 522 #ifdef CONFIG_NATIVE_WINDOWS 523 TCHAR *readers = NULL; 524 #else /* CONFIG_NATIVE_WINDOWS */ 525 char *readers = NULL; 526 #endif /* CONFIG_NATIVE_WINDOWS */ 527 unsigned char buf[100]; 528 size_t blen; 529 int transaction = 0; 530 int pin_needed; 531 532 wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface"); 533 if (mingw_load_symbols()) 534 return NULL; 535 scard = os_zalloc(sizeof(*scard)); 536 if (scard == NULL) 537 return NULL; 538 539 ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, 540 &scard->ctx); 541 if (ret != SCARD_S_SUCCESS) { 542 wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card " 543 "context (err=%ld)", ret); 544 goto failed; 545 } 546 547 ret = SCardListReaders(scard->ctx, NULL, NULL, &len); 548 if (ret != SCARD_S_SUCCESS) { 549 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed " 550 "(err=%ld)", ret); 551 goto failed; 552 } 553 554 #ifdef UNICODE 555 len *= 2; 556 #endif /* UNICODE */ 557 readers = os_malloc(len); 558 if (readers == NULL) { 559 wpa_printf(MSG_INFO, "SCARD: malloc failed\n"); 560 goto failed; 561 } 562 563 ret = SCardListReaders(scard->ctx, NULL, readers, &len); 564 if (ret != SCARD_S_SUCCESS) { 565 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) " 566 "(err=%ld)", ret); 567 goto failed; 568 } 569 if (len < 3) { 570 wpa_printf(MSG_WARNING, "SCARD: No smart card readers " 571 "available."); 572 goto failed; 573 } 574 wpa_hexdump_ascii(MSG_DEBUG, "SCARD: Readers", (u8 *) readers, len); 575 /* 576 * readers is a list of available readers. The last entry is terminated 577 * with double null. 578 */ 579 pos = 0; 580 #ifdef UNICODE 581 /* TODO */ 582 #else /* UNICODE */ 583 while (pos < len) { 584 if (reader == NULL || 585 os_strncmp(&readers[pos], reader, os_strlen(reader)) == 0) 586 break; 587 while (pos < len && readers[pos]) 588 pos++; 589 pos++; /* skip separating null */ 590 if (pos < len && readers[pos] == '\0') 591 pos = len; /* double null terminates list */ 592 } 593 #endif /* UNICODE */ 594 if (pos >= len) { 595 wpa_printf(MSG_WARNING, "SCARD: No reader with prefix '%s' " 596 "found", reader); 597 goto failed; 598 } 599 600 #ifdef UNICODE 601 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", &readers[pos]); 602 #else /* UNICODE */ 603 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", &readers[pos]); 604 #endif /* UNICODE */ 605 606 ret = SCardConnect(scard->ctx, &readers[pos], SCARD_SHARE_SHARED, 607 SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1, 608 &scard->card, &scard->protocol); 609 if (ret != SCARD_S_SUCCESS) { 610 if (ret == (long) SCARD_E_NO_SMARTCARD) 611 wpa_printf(MSG_INFO, "No smart card inserted."); 612 else 613 wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret); 614 goto failed; 615 } 616 617 os_free(readers); 618 readers = NULL; 619 620 wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)", 621 (unsigned int) scard->card, (unsigned long) scard->protocol, 622 scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1"); 623 624 ret = SCardBeginTransaction(scard->card); 625 if (ret != SCARD_S_SUCCESS) { 626 wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: " 627 "0x%x", (unsigned int) ret); 628 goto failed; 629 } 630 transaction = 1; 631 632 blen = sizeof(buf); 633 634 wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support"); 635 if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen, 636 SCARD_USIM, NULL, 0)) { 637 wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported. Trying to use GSM SIM"); 638 scard->sim_type = SCARD_GSM_SIM; 639 } else { 640 wpa_printf(MSG_DEBUG, "SCARD: USIM is supported"); 641 scard->sim_type = SCARD_USIM; 642 } 643 644 if (scard->sim_type == SCARD_GSM_SIM) { 645 blen = sizeof(buf); 646 if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) { 647 wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF"); 648 goto failed; 649 } 650 651 blen = sizeof(buf); 652 if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) { 653 wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF"); 654 goto failed; 655 } 656 } else { 657 unsigned char aid[32]; 658 int aid_len; 659 660 aid_len = scard_get_aid(scard, aid, sizeof(aid)); 661 if (aid_len < 0) { 662 wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for " 663 "3G USIM app - try to use standard 3G RID"); 664 os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5); 665 aid_len = 5; 666 } 667 wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len); 668 669 /* Select based on AID = 3G RID from EF_DIR. This is usually 670 * starting with A0 00 00 00 87. */ 671 blen = sizeof(buf); 672 if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type, 673 aid, aid_len)) { 674 wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM " 675 "app"); 676 wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID", 677 aid, aid_len); 678 goto failed; 679 } 680 } 681 682 /* Verify whether CHV1 (PIN1) is needed to access the card. */ 683 pin_needed = scard_pin_needed(scard, buf, blen); 684 if (pin_needed < 0) { 685 wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN " 686 "is needed"); 687 goto failed; 688 } 689 if (pin_needed) { 690 scard->pin1_required = 1; 691 wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access (retry " 692 "counter=%d)", scard_get_pin_retry_counter(scard)); 693 } 694 695 ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD); 696 if (ret != SCARD_S_SUCCESS) { 697 wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: " 698 "0x%x", (unsigned int) ret); 699 } 700 701 return scard; 702 703 failed: 704 if (transaction) 705 SCardEndTransaction(scard->card, SCARD_LEAVE_CARD); 706 os_free(readers); 707 scard_deinit(scard); 708 return NULL; 709 } 710 711 712 /** 713 * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands 714 * @scard: Pointer to private data from scard_init() 715 * @pin: PIN code as an ASCII string (e.g., "1234") 716 * Returns: 0 on success, -1 on failure 717 */ scard_set_pin(struct scard_data * scard,const char * pin)718 int scard_set_pin(struct scard_data *scard, const char *pin) 719 { 720 if (scard == NULL) 721 return -1; 722 723 /* Verify whether CHV1 (PIN1) is needed to access the card. */ 724 if (scard->pin1_required) { 725 if (pin == NULL) { 726 wpa_printf(MSG_DEBUG, "No PIN configured for SIM " 727 "access"); 728 return -1; 729 } 730 if (scard_verify_pin(scard, pin)) { 731 wpa_printf(MSG_INFO, "PIN verification failed for " 732 "SIM access"); 733 return -1; 734 } 735 } 736 737 return 0; 738 } 739 740 741 /** 742 * scard_deinit - Deinitialize SIM/USIM connection 743 * @scard: Pointer to private data from scard_init() 744 * 745 * This function closes the SIM/USIM connect opened with scard_init(). 746 */ scard_deinit(struct scard_data * scard)747 void scard_deinit(struct scard_data *scard) 748 { 749 long ret; 750 751 if (scard == NULL) 752 return; 753 754 wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface"); 755 if (scard->card) { 756 ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD); 757 if (ret != SCARD_S_SUCCESS) { 758 wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect " 759 "smart card (err=%ld)", ret); 760 } 761 } 762 763 if (scard->ctx) { 764 ret = SCardReleaseContext(scard->ctx); 765 if (ret != SCARD_S_SUCCESS) { 766 wpa_printf(MSG_DEBUG, "Failed to release smart card " 767 "context (err=%ld)", ret); 768 } 769 } 770 os_free(scard); 771 mingw_unload_symbols(); 772 } 773 774 scard_transmit(struct scard_data * scard,unsigned char * _send,size_t send_len,unsigned char * _recv,size_t * recv_len)775 static long scard_transmit(struct scard_data *scard, 776 unsigned char *_send, size_t send_len, 777 unsigned char *_recv, size_t *recv_len) 778 { 779 long ret; 780 #ifdef __APPLE__ 781 uint32_t rlen; 782 #else 783 unsigned long rlen; 784 #endif 785 786 wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send", 787 _send, send_len); 788 rlen = *recv_len; 789 ret = SCardTransmit(scard->card, 790 scard->protocol == SCARD_PROTOCOL_T1 ? 791 SCARD_PCI_T1 : SCARD_PCI_T0, 792 _send, (unsigned long) send_len, 793 NULL, _recv, &rlen); 794 *recv_len = rlen; 795 if (ret == SCARD_S_SUCCESS) { 796 wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv", 797 _recv, rlen); 798 } else { 799 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed " 800 "(err=0x%lx)", ret); 801 } 802 return ret; 803 } 804 805 _scard_select_file(struct scard_data * scard,unsigned short file_id,unsigned char * buf,size_t * buf_len,sim_types sim_type,unsigned char * aid,size_t aidlen)806 static int _scard_select_file(struct scard_data *scard, unsigned short file_id, 807 unsigned char *buf, size_t *buf_len, 808 sim_types sim_type, unsigned char *aid, 809 size_t aidlen) 810 { 811 long ret; 812 unsigned char resp[3]; 813 unsigned char cmd[50] = { SIM_CMD_SELECT }; 814 int cmdlen; 815 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE }; 816 size_t len, rlen; 817 818 if (sim_type == SCARD_USIM) { 819 cmd[0] = USIM_CLA; 820 cmd[3] = 0x04; 821 get_resp[0] = USIM_CLA; 822 } 823 824 wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id); 825 if (aid) { 826 wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID", 827 aid, aidlen); 828 if (5 + aidlen > sizeof(cmd)) 829 return -1; 830 cmd[2] = 0x04; /* Select by AID */ 831 cmd[4] = aidlen; /* len */ 832 os_memcpy(cmd + 5, aid, aidlen); 833 cmdlen = 5 + aidlen; 834 } else { 835 cmd[5] = file_id >> 8; 836 cmd[6] = file_id & 0xff; 837 cmdlen = 7; 838 } 839 len = sizeof(resp); 840 ret = scard_transmit(scard, cmd, cmdlen, resp, &len); 841 if (ret != SCARD_S_SUCCESS) { 842 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed " 843 "(err=0x%lx)", ret); 844 return -1; 845 } 846 847 if (len != 2) { 848 wpa_printf(MSG_WARNING, "SCARD: unexpected resp len " 849 "%d (expected 2)", (int) len); 850 return -1; 851 } 852 853 if (resp[0] == 0x98 && resp[1] == 0x04) { 854 /* Security status not satisfied (PIN_WLAN) */ 855 wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied " 856 "(PIN_WLAN)"); 857 return -1; 858 } 859 860 if (resp[0] == 0x6e) { 861 wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported"); 862 return -1; 863 } 864 865 if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) { 866 wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x " 867 "(expected 0x61, 0x6c, or 0x9f)", resp[0]); 868 return -1; 869 } 870 /* Normal ending of command; resp[1] bytes available */ 871 get_resp[4] = resp[1]; 872 wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)", 873 resp[1]); 874 875 rlen = *buf_len; 876 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen); 877 if (ret == SCARD_S_SUCCESS) { 878 *buf_len = resp[1] < rlen ? resp[1] : rlen; 879 return 0; 880 } 881 882 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret); 883 return -1; 884 } 885 886 scard_select_file(struct scard_data * scard,unsigned short file_id,unsigned char * buf,size_t * buf_len)887 static int scard_select_file(struct scard_data *scard, unsigned short file_id, 888 unsigned char *buf, size_t *buf_len) 889 { 890 return _scard_select_file(scard, file_id, buf, buf_len, 891 scard->sim_type, NULL, 0); 892 } 893 894 scard_get_record_len(struct scard_data * scard,unsigned char recnum,unsigned char mode)895 static int scard_get_record_len(struct scard_data *scard, unsigned char recnum, 896 unsigned char mode) 897 { 898 unsigned char buf[255]; 899 unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ }; 900 size_t blen; 901 long ret; 902 903 if (scard->sim_type == SCARD_USIM) 904 cmd[0] = USIM_CLA; 905 cmd[2] = recnum; 906 cmd[3] = mode; 907 cmd[4] = sizeof(buf); 908 909 blen = sizeof(buf); 910 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); 911 if (ret != SCARD_S_SUCCESS) { 912 wpa_printf(MSG_DEBUG, "SCARD: failed to determine file " 913 "length for record %d", recnum); 914 return -1; 915 } 916 917 wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response", 918 buf, blen); 919 920 if (blen < 2 || (buf[0] != 0x6c && buf[0] != 0x67)) { 921 wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file " 922 "length determination"); 923 return -1; 924 } 925 926 return buf[1]; 927 } 928 929 scard_read_record(struct scard_data * scard,unsigned char * data,size_t len,unsigned char recnum,unsigned char mode)930 static int scard_read_record(struct scard_data *scard, 931 unsigned char *data, size_t len, 932 unsigned char recnum, unsigned char mode) 933 { 934 unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ }; 935 size_t blen = len + 3; 936 unsigned char *buf; 937 long ret; 938 939 if (scard->sim_type == SCARD_USIM) 940 cmd[0] = USIM_CLA; 941 cmd[2] = recnum; 942 cmd[3] = mode; 943 cmd[4] = len; 944 945 buf = os_malloc(blen); 946 if (buf == NULL) 947 return -1; 948 949 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); 950 if (ret != SCARD_S_SUCCESS) { 951 os_free(buf); 952 return -2; 953 } 954 if (blen != len + 2) { 955 wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected " 956 "length %ld (expected %ld)", 957 (long) blen, (long) len + 2); 958 os_free(buf); 959 return -3; 960 } 961 962 if (buf[len] != 0x90 || buf[len + 1] != 0x00) { 963 wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected " 964 "status %02x %02x (expected 90 00)", 965 buf[len], buf[len + 1]); 966 os_free(buf); 967 return -4; 968 } 969 970 os_memcpy(data, buf, len); 971 os_free(buf); 972 973 return 0; 974 } 975 976 scard_read_file(struct scard_data * scard,unsigned char * data,size_t len)977 static int scard_read_file(struct scard_data *scard, 978 unsigned char *data, size_t len) 979 { 980 unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ }; 981 size_t blen = len + 3; 982 unsigned char *buf; 983 long ret; 984 985 cmd[4] = len; 986 987 buf = os_malloc(blen); 988 if (buf == NULL) 989 return -1; 990 991 if (scard->sim_type == SCARD_USIM) 992 cmd[0] = USIM_CLA; 993 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); 994 if (ret != SCARD_S_SUCCESS) { 995 os_free(buf); 996 return -2; 997 } 998 if (blen != len + 2) { 999 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected " 1000 "length %ld (expected %ld)", 1001 (long) blen, (long) len + 2); 1002 os_free(buf); 1003 return -3; 1004 } 1005 1006 if (buf[len] != 0x90 || buf[len + 1] != 0x00) { 1007 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected " 1008 "status %02x %02x (expected 90 00)", 1009 buf[len], buf[len + 1]); 1010 os_free(buf); 1011 return -4; 1012 } 1013 1014 os_memcpy(data, buf, len); 1015 os_free(buf); 1016 1017 return 0; 1018 } 1019 1020 scard_verify_pin(struct scard_data * scard,const char * pin)1021 static int scard_verify_pin(struct scard_data *scard, const char *pin) 1022 { 1023 long ret; 1024 unsigned char resp[3]; 1025 unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 }; 1026 size_t len; 1027 1028 wpa_printf(MSG_DEBUG, "SCARD: verifying PIN"); 1029 1030 if (pin == NULL || os_strlen(pin) > 8) 1031 return -1; 1032 1033 if (scard->sim_type == SCARD_USIM) 1034 cmd[0] = USIM_CLA; 1035 os_memcpy(cmd + 5, pin, os_strlen(pin)); 1036 os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin)); 1037 1038 len = sizeof(resp); 1039 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len); 1040 if (ret != SCARD_S_SUCCESS) 1041 return -2; 1042 1043 if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) { 1044 wpa_printf(MSG_WARNING, "SCARD: PIN verification failed"); 1045 return -1; 1046 } 1047 1048 wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully"); 1049 return 0; 1050 } 1051 1052 scard_get_pin_retry_counter(struct scard_data * scard)1053 int scard_get_pin_retry_counter(struct scard_data *scard) 1054 { 1055 long ret; 1056 unsigned char resp[3]; 1057 unsigned char cmd[5] = { SIM_CMD_VERIFY_CHV1 }; 1058 size_t len; 1059 u16 val; 1060 1061 wpa_printf(MSG_DEBUG, "SCARD: fetching PIN retry counter"); 1062 1063 if (scard->sim_type == SCARD_USIM) 1064 cmd[0] = USIM_CLA; 1065 cmd[4] = 0; /* Empty data */ 1066 1067 len = sizeof(resp); 1068 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len); 1069 if (ret != SCARD_S_SUCCESS) 1070 return -2; 1071 1072 if (len != 2) { 1073 wpa_printf(MSG_WARNING, "SCARD: failed to fetch PIN retry " 1074 "counter"); 1075 return -1; 1076 } 1077 1078 val = WPA_GET_BE16(resp); 1079 if (val == 0x63c0 || val == 0x6983) { 1080 wpa_printf(MSG_DEBUG, "SCARD: PIN has been blocked"); 1081 return 0; 1082 } 1083 1084 if (val >= 0x63c0 && val <= 0x63cf) 1085 return val & 0x000f; 1086 1087 wpa_printf(MSG_DEBUG, "SCARD: Unexpected PIN retry counter response " 1088 "value 0x%x", val); 1089 return 0; 1090 } 1091 1092 1093 /** 1094 * scard_get_imsi - Read IMSI from SIM/USIM card 1095 * @scard: Pointer to private data from scard_init() 1096 * @imsi: Buffer for IMSI 1097 * @len: Length of imsi buffer; set to IMSI length on success 1098 * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file 1099 * selection returns invalid result code, -3 if parsing FSP template file fails 1100 * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set 1101 * to needed length), -5 if reading IMSI file fails. 1102 * 1103 * This function can be used to read IMSI from the SIM/USIM card. If the IMSI 1104 * file is PIN protected, scard_set_pin() must have been used to set the 1105 * correct PIN code before calling scard_get_imsi(). 1106 */ scard_get_imsi(struct scard_data * scard,char * imsi,size_t * len)1107 int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len) 1108 { 1109 unsigned char buf[100]; 1110 size_t blen, imsilen, i; 1111 char *pos; 1112 1113 wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI"); 1114 blen = sizeof(buf); 1115 if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen)) 1116 return -1; 1117 if (blen < 4) { 1118 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI " 1119 "header (len=%ld)", (long) blen); 1120 return -2; 1121 } 1122 1123 if (scard->sim_type == SCARD_GSM_SIM) { 1124 blen = WPA_GET_BE16(&buf[2]); 1125 } else { 1126 int file_size; 1127 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size)) 1128 return -3; 1129 blen = file_size; 1130 } 1131 if (blen < 2 || blen > sizeof(buf)) { 1132 wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld", 1133 (long) blen); 1134 return -3; 1135 } 1136 1137 imsilen = (blen - 2) * 2 + 1; 1138 wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld", 1139 (long) blen, (long) imsilen); 1140 if (blen < 2 || imsilen > *len) { 1141 *len = imsilen; 1142 return -4; 1143 } 1144 1145 if (scard_read_file(scard, buf, blen)) 1146 return -5; 1147 1148 pos = imsi; 1149 *pos++ = '0' + (buf[1] >> 4 & 0x0f); 1150 for (i = 2; i < blen; i++) { 1151 unsigned char digit; 1152 1153 digit = buf[i] & 0x0f; 1154 if (digit < 10) 1155 *pos++ = '0' + digit; 1156 else 1157 imsilen--; 1158 1159 digit = buf[i] >> 4 & 0x0f; 1160 if (digit < 10) 1161 *pos++ = '0' + digit; 1162 else 1163 imsilen--; 1164 } 1165 *len = imsilen; 1166 1167 return 0; 1168 } 1169 1170 1171 /** 1172 * scard_get_mnc_len - Read length of MNC in the IMSI from SIM/USIM card 1173 * @scard: Pointer to private data from scard_init() 1174 * Returns: length (>0) on success, -1 if administrative data file cannot be 1175 * selected, -2 if administrative data file selection returns invalid result 1176 * code, -3 if parsing FSP template file fails (USIM only), -4 if length of 1177 * the file is unexpected, -5 if reading file fails, -6 if MNC length is not 1178 * in range (i.e. 2 or 3), -7 if MNC length is not available. 1179 * 1180 */ scard_get_mnc_len(struct scard_data * scard)1181 int scard_get_mnc_len(struct scard_data *scard) 1182 { 1183 unsigned char buf[100]; 1184 size_t blen; 1185 int file_size; 1186 1187 wpa_printf(MSG_DEBUG, "SCARD: reading MNC len from (GSM) EF-AD"); 1188 blen = sizeof(buf); 1189 if (scard_select_file(scard, SCARD_FILE_GSM_EF_AD, buf, &blen)) 1190 return -1; 1191 if (blen < 4) { 1192 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-AD " 1193 "header (len=%ld)", (long) blen); 1194 return -2; 1195 } 1196 1197 if (scard->sim_type == SCARD_GSM_SIM) { 1198 file_size = WPA_GET_BE16(&buf[2]); 1199 } else { 1200 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size)) 1201 return -3; 1202 } 1203 if (file_size == 3) { 1204 wpa_printf(MSG_DEBUG, "SCARD: MNC length not available"); 1205 return -7; 1206 } 1207 if (file_size < 4 || file_size > (int) sizeof(buf)) { 1208 wpa_printf(MSG_DEBUG, "SCARD: invalid file length=%ld", 1209 (long) file_size); 1210 return -4; 1211 } 1212 1213 if (scard_read_file(scard, buf, file_size)) 1214 return -5; 1215 buf[3] = buf[3] & 0x0f; /* upper nibble reserved for future use */ 1216 if (buf[3] < 2 || buf[3] > 3) { 1217 wpa_printf(MSG_DEBUG, "SCARD: invalid MNC length=%ld", 1218 (long) buf[3]); 1219 return -6; 1220 } 1221 wpa_printf(MSG_DEBUG, "SCARD: MNC length=%ld", (long) buf[3]); 1222 return buf[3]; 1223 } 1224 1225 1226 /** 1227 * scard_gsm_auth - Run GSM authentication command on SIM card 1228 * @scard: Pointer to private data from scard_init() 1229 * @_rand: 16-byte RAND value from HLR/AuC 1230 * @sres: 4-byte buffer for SRES 1231 * @kc: 8-byte buffer for Kc 1232 * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized, 1233 * -2 if authentication command execution fails, -3 if unknown response code 1234 * for authentication command is received, -4 if reading of response fails, 1235 * -5 if if response data is of unexpected length 1236 * 1237 * This function performs GSM authentication using SIM/USIM card and the 1238 * provided RAND value from HLR/AuC. If authentication command can be completed 1239 * successfully, SRES and Kc values will be written into sres and kc buffers. 1240 */ scard_gsm_auth(struct scard_data * scard,const unsigned char * _rand,unsigned char * sres,unsigned char * kc)1241 int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand, 1242 unsigned char *sres, unsigned char *kc) 1243 { 1244 unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG }; 1245 int cmdlen; 1246 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE }; 1247 unsigned char resp[3], buf[12 + 3 + 2]; 1248 size_t len; 1249 long ret; 1250 1251 if (scard == NULL) 1252 return -1; 1253 1254 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16); 1255 if (scard->sim_type == SCARD_GSM_SIM) { 1256 cmdlen = 5 + 16; 1257 os_memcpy(cmd + 5, _rand, 16); 1258 } else { 1259 cmdlen = 5 + 1 + 16; 1260 cmd[0] = USIM_CLA; 1261 cmd[3] = 0x80; 1262 cmd[4] = 17; 1263 cmd[5] = 16; 1264 os_memcpy(cmd + 6, _rand, 16); 1265 get_resp[0] = USIM_CLA; 1266 } 1267 len = sizeof(resp); 1268 ret = scard_transmit(scard, cmd, cmdlen, resp, &len); 1269 if (ret != SCARD_S_SUCCESS) 1270 return -2; 1271 1272 if ((scard->sim_type == SCARD_GSM_SIM && 1273 (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) || 1274 (scard->sim_type == SCARD_USIM && 1275 (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) { 1276 wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM " 1277 "auth request (len=%ld resp=%02x %02x)", 1278 (long) len, resp[0], resp[1]); 1279 return -3; 1280 } 1281 get_resp[4] = resp[1]; 1282 1283 len = sizeof(buf); 1284 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len); 1285 if (ret != SCARD_S_SUCCESS) 1286 return -4; 1287 1288 if (scard->sim_type == SCARD_GSM_SIM) { 1289 if (len != 4 + 8 + 2) { 1290 wpa_printf(MSG_WARNING, "SCARD: unexpected data " 1291 "length for GSM auth (len=%ld, expected 14)", 1292 (long) len); 1293 return -5; 1294 } 1295 os_memcpy(sres, buf, 4); 1296 os_memcpy(kc, buf + 4, 8); 1297 } else { 1298 if (len != 1 + 4 + 1 + 8 + 2) { 1299 wpa_printf(MSG_WARNING, "SCARD: unexpected data " 1300 "length for USIM auth (len=%ld, " 1301 "expected 16)", (long) len); 1302 return -5; 1303 } 1304 if (buf[0] != 4 || buf[5] != 8) { 1305 wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc " 1306 "length (%d %d, expected 4 8)", 1307 buf[0], buf[5]); 1308 } 1309 os_memcpy(sres, buf + 1, 4); 1310 os_memcpy(kc, buf + 6, 8); 1311 } 1312 1313 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4); 1314 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8); 1315 1316 return 0; 1317 } 1318 1319 1320 /** 1321 * scard_umts_auth - Run UMTS authentication command on USIM card 1322 * @scard: Pointer to private data from scard_init() 1323 * @_rand: 16-byte RAND value from HLR/AuC 1324 * @autn: 16-byte AUTN value from HLR/AuC 1325 * @res: 16-byte buffer for RES 1326 * @res_len: Variable that will be set to RES length 1327 * @ik: 16-byte buffer for IK 1328 * @ck: 16-byte buffer for CK 1329 * @auts: 14-byte buffer for AUTS 1330 * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization 1331 * failure 1332 * 1333 * This function performs AKA authentication using USIM card and the provided 1334 * RAND and AUTN values from HLR/AuC. If authentication command can be 1335 * completed successfully, RES, IK, and CK values will be written into provided 1336 * buffers and res_len is set to length of received RES value. If USIM reports 1337 * synchronization failure, the received AUTS value will be written into auts 1338 * buffer. In this case, RES, IK, and CK are not valid. 1339 */ scard_umts_auth(struct scard_data * scard,const unsigned char * _rand,const unsigned char * autn,unsigned char * res,size_t * res_len,unsigned char * ik,unsigned char * ck,unsigned char * auts)1340 int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand, 1341 const unsigned char *autn, 1342 unsigned char *res, size_t *res_len, 1343 unsigned char *ik, unsigned char *ck, unsigned char *auts) 1344 { 1345 unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] = 1346 { USIM_CMD_RUN_UMTS_ALG }; 1347 unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE }; 1348 unsigned char resp[3], buf[64], *pos, *end; 1349 size_t len; 1350 long ret; 1351 1352 if (scard == NULL) 1353 return -1; 1354 1355 if (scard->sim_type == SCARD_GSM_SIM) { 1356 wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS " 1357 "auth"); 1358 return -1; 1359 } 1360 1361 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN); 1362 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN); 1363 cmd[5] = AKA_RAND_LEN; 1364 os_memcpy(cmd + 6, _rand, AKA_RAND_LEN); 1365 cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN; 1366 os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN); 1367 1368 len = sizeof(resp); 1369 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len); 1370 if (ret != SCARD_S_SUCCESS) 1371 return -1; 1372 1373 if (len <= sizeof(resp)) 1374 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len); 1375 1376 if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) { 1377 wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - " 1378 "MAC != XMAC"); 1379 return -1; 1380 } else if (len != 2 || resp[0] != 0x61) { 1381 wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS " 1382 "auth request (len=%ld resp=%02x %02x)", 1383 (long) len, resp[0], resp[1]); 1384 return -1; 1385 } 1386 get_resp[4] = resp[1]; 1387 1388 len = sizeof(buf); 1389 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len); 1390 if (ret != SCARD_S_SUCCESS || len > sizeof(buf)) 1391 return -1; 1392 1393 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len); 1394 if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc && 1395 buf[1] == AKA_AUTS_LEN) { 1396 wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure"); 1397 os_memcpy(auts, buf + 2, AKA_AUTS_LEN); 1398 wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN); 1399 return -2; 1400 } else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) { 1401 pos = buf + 1; 1402 end = buf + len; 1403 1404 /* RES */ 1405 if (pos[0] > RES_MAX_LEN || pos[0] > end - pos) { 1406 wpa_printf(MSG_DEBUG, "SCARD: Invalid RES"); 1407 return -1; 1408 } 1409 *res_len = *pos++; 1410 os_memcpy(res, pos, *res_len); 1411 pos += *res_len; 1412 wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len); 1413 1414 /* CK */ 1415 if (pos[0] != CK_LEN || CK_LEN > end - pos) { 1416 wpa_printf(MSG_DEBUG, "SCARD: Invalid CK"); 1417 return -1; 1418 } 1419 pos++; 1420 os_memcpy(ck, pos, CK_LEN); 1421 pos += CK_LEN; 1422 wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN); 1423 1424 /* IK */ 1425 if (pos[0] != IK_LEN || IK_LEN > end - pos) { 1426 wpa_printf(MSG_DEBUG, "SCARD: Invalid IK"); 1427 return -1; 1428 } 1429 pos++; 1430 os_memcpy(ik, pos, IK_LEN); 1431 pos += IK_LEN; 1432 wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN); 1433 1434 if (end > pos) { 1435 wpa_hexdump(MSG_DEBUG, 1436 "SCARD: Ignore extra data in end", 1437 pos, end - pos); 1438 } 1439 1440 return 0; 1441 } 1442 1443 wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response"); 1444 return -1; 1445 } 1446 1447 scard_supports_umts(struct scard_data * scard)1448 int scard_supports_umts(struct scard_data *scard) 1449 { 1450 return scard->sim_type == SCARD_USIM; 1451 } 1452