Gitiles
Code Review Sign In
gerrit.omnirom.org / android_external_wpa_supplicant_8 / 03f9172ca588f91df233974f4258bab95191f931 / . / src / utils / pcsc_funcs.c
blob: 383ed3ddfeed588a05f281ac2c798874631a3f2f [file] [log] [blame]
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1/*
2 * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]3 * Copyright (c) 2004-2007, 2012, Jouni Malinen <j@w1.fi>
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]4 *
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800[diff] [blame]5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]7 *
8 * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM
9 * cards through PC/SC smartcard library. These functions are used to implement
10 * authentication routines for EAP-SIM and EAP-AKA.
11 */
12
13#include "includes.h"
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -0700[diff] [blame]14#ifdef __APPLE__
15#include <PCSC/winscard.h>
16#else
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]17#include <winscard.h>
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -0700[diff] [blame]18#endif
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]19
20#include "common.h"
21#include "pcsc_funcs.h"
22
23
24/* See ETSI GSM 11.11 and ETSI TS 102 221 for details.
25 * SIM commands:
26 * Command APDU: CLA INS P1 P2 P3 Data
27 * CLA (class of instruction): A0 for GSM, 00 for USIM
28 * INS (instruction)
29 * P1 P2 P3 (parameters, P3 = length of Data)
30 * Response APDU: Data SW1 SW2
31 * SW1 SW2 (Status words)
32 * Commands (INS P1 P2 P3):
33 * SELECT: A4 00 00 02 <file_id, 2 bytes>
34 * GET RESPONSE: C0 00 00 <len>
35 * RUN GSM ALG: 88 00 00 00 <RAND len = 10>
36 * RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN
37 * P1 = ID of alg in card
38 * P2 = ID of secret key
39 * READ BINARY: B0 <offset high> <offset low> <len>
40 * READ RECORD: B2 <record number> <mode> <len>
41 * P2 (mode) = '02' (next record), '03' (previous record),
42 * '04' (absolute mode)
43 * VERIFY CHV: 20 00 <CHV number> 08
44 * CHANGE CHV: 24 00 <CHV number> 10
45 * DISABLE CHV: 26 00 01 08
46 * ENABLE CHV: 28 00 01 08
47 * UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10
48 * SLEEP: FA 00 00 00
49 */
50
51/* GSM SIM commands */
52#define SIM_CMD_SELECT 0xa0, 0xa4, 0x00, 0x00, 0x02
53#define SIM_CMD_RUN_GSM_ALG 0xa0, 0x88, 0x00, 0x00, 0x10
54#define SIM_CMD_GET_RESPONSE 0xa0, 0xc0, 0x00, 0x00
55#define SIM_CMD_READ_BIN 0xa0, 0xb0, 0x00, 0x00
56#define SIM_CMD_READ_RECORD 0xa0, 0xb2, 0x00, 0x00
57#define SIM_CMD_VERIFY_CHV1 0xa0, 0x20, 0x00, 0x01, 0x08
58
59/* USIM commands */
60#define USIM_CLA 0x00
61#define USIM_CMD_RUN_UMTS_ALG 0x00, 0x88, 0x00, 0x81, 0x22
62#define USIM_CMD_GET_RESPONSE 0x00, 0xc0, 0x00, 0x00
63
64#define SIM_RECORD_MODE_ABSOLUTE 0x04
65
66#define USIM_FSP_TEMPL_TAG 0x62
67
68#define USIM_TLV_FILE_DESC 0x82
69#define USIM_TLV_FILE_ID 0x83
70#define USIM_TLV_DF_NAME 0x84
71#define USIM_TLV_PROPR_INFO 0xA5
72#define USIM_TLV_LIFE_CYCLE_STATUS 0x8A
73#define USIM_TLV_FILE_SIZE 0x80
74#define USIM_TLV_TOTAL_FILE_SIZE 0x81
75#define USIM_TLV_PIN_STATUS_TEMPLATE 0xC6
76#define USIM_TLV_SHORT_FILE_ID 0x88
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]77#define USIM_TLV_SECURITY_ATTR_8B 0x8B
78#define USIM_TLV_SECURITY_ATTR_8C 0x8C
79#define USIM_TLV_SECURITY_ATTR_AB 0xAB
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]80
81#define USIM_PS_DO_TAG 0x90
82
83#define AKA_RAND_LEN 16
84#define AKA_AUTN_LEN 16
85#define AKA_AUTS_LEN 14
86#define RES_MAX_LEN 16
87#define IK_LEN 16
88#define CK_LEN 16
89
90
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]91/* GSM files
92 * File type in first octet:
93 * 3F = Master File
94 * 7F = Dedicated File
95 * 2F = Elementary File under the Master File
96 * 6F = Elementary File under a Dedicated File
97 */
98#define SCARD_FILE_MF 0x3F00
99#define SCARD_FILE_GSM_DF 0x7F20
100#define SCARD_FILE_UMTS_DF 0x7F50
101#define SCARD_FILE_GSM_EF_IMSI 0x6F07
102#define SCARD_FILE_GSM_EF_AD 0x6FAD
103#define SCARD_FILE_EF_DIR 0x2F00
104#define SCARD_FILE_EF_ICCID 0x2FE2
105#define SCARD_FILE_EF_CK 0x6FE1
106#define SCARD_FILE_EF_IK 0x6FE2
107
108#define SCARD_CHV1_OFFSET 13
109#define SCARD_CHV1_FLAG 0x80
110
111
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]112typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types;
113
114struct scard_data {
115 SCARDCONTEXT ctx;
116 SCARDHANDLE card;
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -0700[diff] [blame]117#ifdef __APPLE__
118 uint32_t protocol;
119#else
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]120 DWORD protocol;
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -0700[diff] [blame]121#endif
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]122 sim_types sim_type;
123 int pin1_required;
124};
125
126#ifdef __MINGW32_VERSION
127/* MinGW does not yet support WinScard, so load the needed functions
128 * dynamically from winscard.dll for now. */
129
130static HINSTANCE dll = NULL; /* winscard.dll */
131
132static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci;
133#undef SCARD_PCI_T0
134#define SCARD_PCI_T0 (dll_g_rgSCardT0Pci)
135#undef SCARD_PCI_T1
136#define SCARD_PCI_T1 (dll_g_rgSCardT1Pci)
137
138
139static WINSCARDAPI LONG WINAPI
140(*dll_SCardEstablishContext)(IN DWORD dwScope,
141 IN LPCVOID pvReserved1,
142 IN LPCVOID pvReserved2,
143 OUT LPSCARDCONTEXT phContext);
144#define SCardEstablishContext dll_SCardEstablishContext
145
146static long (*dll_SCardReleaseContext)(long hContext);
147#define SCardReleaseContext dll_SCardReleaseContext
148
149static WINSCARDAPI LONG WINAPI
150(*dll_SCardListReadersA)(IN SCARDCONTEXT hContext,
151 IN LPCSTR mszGroups,
152 OUT LPSTR mszReaders,
153 IN OUT LPDWORD pcchReaders);
154#undef SCardListReaders
155#define SCardListReaders dll_SCardListReadersA
156
157static WINSCARDAPI LONG WINAPI
158(*dll_SCardConnectA)(IN SCARDCONTEXT hContext,
159 IN LPCSTR szReader,
160 IN DWORD dwShareMode,
161 IN DWORD dwPreferredProtocols,
162 OUT LPSCARDHANDLE phCard,
163 OUT LPDWORD pdwActiveProtocol);
164#undef SCardConnect
165#define SCardConnect dll_SCardConnectA
166
167static WINSCARDAPI LONG WINAPI
168(*dll_SCardDisconnect)(IN SCARDHANDLE hCard,
169 IN DWORD dwDisposition);
170#define SCardDisconnect dll_SCardDisconnect
171
172static WINSCARDAPI LONG WINAPI
173(*dll_SCardTransmit)(IN SCARDHANDLE hCard,
174 IN LPCSCARD_IO_REQUEST pioSendPci,
175 IN LPCBYTE pbSendBuffer,
176 IN DWORD cbSendLength,
177 IN OUT LPSCARD_IO_REQUEST pioRecvPci,
178 OUT LPBYTE pbRecvBuffer,
179 IN OUT LPDWORD pcbRecvLength);
180#define SCardTransmit dll_SCardTransmit
181
182static WINSCARDAPI LONG WINAPI
183(*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard);
184#define SCardBeginTransaction dll_SCardBeginTransaction
185
186static WINSCARDAPI LONG WINAPI
187(*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition);
188#define SCardEndTransaction dll_SCardEndTransaction
189
190
191static int mingw_load_symbols(void)
192{
193 char *sym;
194
195 if (dll)
196 return 0;
197
198 dll = LoadLibrary("winscard");
199 if (dll == NULL) {
200 wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll "
201 "library");
202 return -1;
203 }
204
205#define LOADSYM(s) \
206 sym = #s; \
207 dll_ ## s = (void *) GetProcAddress(dll, sym); \
208 if (dll_ ## s == NULL) \
209 goto fail;
210
211 LOADSYM(SCardEstablishContext);
212 LOADSYM(SCardReleaseContext);
213 LOADSYM(SCardListReadersA);
214 LOADSYM(SCardConnectA);
215 LOADSYM(SCardDisconnect);
216 LOADSYM(SCardTransmit);
217 LOADSYM(SCardBeginTransaction);
218 LOADSYM(SCardEndTransaction);
219 LOADSYM(g_rgSCardT0Pci);
220 LOADSYM(g_rgSCardT1Pci);
221
222#undef LOADSYM
223
224 return 0;
225
226fail:
227 wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from "
228 "winscard.dll", sym);
229 FreeLibrary(dll);
230 dll = NULL;
231 return -1;
232}
233
234
235static void mingw_unload_symbols(void)
236{
237 if (dll == NULL)
238 return;
239
240 FreeLibrary(dll);
241 dll = NULL;
242}
243
244#else /* __MINGW32_VERSION */
245
246#define mingw_load_symbols() 0
247#define mingw_unload_symbols() do { } while (0)
248
249#endif /* __MINGW32_VERSION */
250
251
252static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
253 unsigned char *buf, size_t *buf_len,
254 sim_types sim_type, unsigned char *aid,
255 size_t aidlen);
256static int scard_select_file(struct scard_data *scard, unsigned short file_id,
257 unsigned char *buf, size_t *buf_len);
258static int scard_verify_pin(struct scard_data *scard, const char *pin);
259static int scard_get_record_len(struct scard_data *scard,
260 unsigned char recnum, unsigned char mode);
261static int scard_read_record(struct scard_data *scard,
262 unsigned char *data, size_t len,
263 unsigned char recnum, unsigned char mode);
264
265
266static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
267 int *ps_do, int *file_len)
268{
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]269 unsigned char *pos, *end;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]270
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]271 if (ps_do)
272 *ps_do = -1;
273 if (file_len)
274 *file_len = -1;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]275
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]276 pos = buf;
277 end = pos + buf_len;
278 if (*pos != USIM_FSP_TEMPL_TAG) {
279 wpa_printf(MSG_DEBUG, "SCARD: file header did not "
280 "start with FSP template tag");
281 return -1;
282 }
283 pos++;
284 if (pos >= end)
285 return -1;
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]286 if (pos[0] < end - pos)
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]287 end = pos + 1 + pos[0];
288 pos++;
289 wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
290 pos, end - pos);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]291
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]292 while (end - pos >= 2) {
293 unsigned char type, len;
294
295 type = pos[0];
296 len = pos[1];
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]297 wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV 0x%02x len=%d",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]298 type, len);
299 pos += 2;
300
301 if (len > (unsigned int) (end - pos))
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]302 break;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]303
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]304 switch (type) {
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]305 case USIM_TLV_FILE_DESC:
306 wpa_hexdump(MSG_MSGDUMP, "SCARD: File Descriptor TLV",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]307 pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]308 break;
309 case USIM_TLV_FILE_ID:
310 wpa_hexdump(MSG_MSGDUMP, "SCARD: File Identifier TLV",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]311 pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]312 break;
313 case USIM_TLV_DF_NAME:
314 wpa_hexdump(MSG_MSGDUMP, "SCARD: DF name (AID) TLV",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]315 pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]316 break;
317 case USIM_TLV_PROPR_INFO:
318 wpa_hexdump(MSG_MSGDUMP, "SCARD: Proprietary "
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]319 "information TLV", pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]320 break;
321 case USIM_TLV_LIFE_CYCLE_STATUS:
322 wpa_hexdump(MSG_MSGDUMP, "SCARD: Life Cycle Status "
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]323 "Integer TLV", pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]324 break;
325 case USIM_TLV_FILE_SIZE:
326 wpa_hexdump(MSG_MSGDUMP, "SCARD: File size TLV",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]327 pos, len);
328 if ((len == 1 || len == 2) && file_len) {
329 if (len == 1)
330 *file_len = (int) pos[0];
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]331 else
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]332 *file_len = WPA_GET_BE16(pos);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]333 wpa_printf(MSG_DEBUG, "SCARD: file_size=%d",
334 *file_len);
335 }
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]336 break;
337 case USIM_TLV_TOTAL_FILE_SIZE:
338 wpa_hexdump(MSG_MSGDUMP, "SCARD: Total file size TLV",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]339 pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]340 break;
341 case USIM_TLV_PIN_STATUS_TEMPLATE:
342 wpa_hexdump(MSG_MSGDUMP, "SCARD: PIN Status Template "
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]343 "DO TLV", pos, len);
344 if (len >= 2 && pos[0] == USIM_PS_DO_TAG &&
345 pos[1] >= 1 && ps_do) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]346 wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]347 pos[2]);
348 *ps_do = (int) pos[2];
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]349 }
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]350 break;
351 case USIM_TLV_SHORT_FILE_ID:
352 wpa_hexdump(MSG_MSGDUMP, "SCARD: Short File "
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]353 "Identifier (SFI) TLV", pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]354 break;
355 case USIM_TLV_SECURITY_ATTR_8B:
356 case USIM_TLV_SECURITY_ATTR_8C:
357 case USIM_TLV_SECURITY_ATTR_AB:
358 wpa_hexdump(MSG_MSGDUMP, "SCARD: Security attribute "
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]359 "TLV", pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]360 break;
361 default:
362 wpa_hexdump(MSG_MSGDUMP, "SCARD: Unrecognized TLV",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]363 pos, len);
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]364 break;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]365 }
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]366
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]367 pos += len;
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]368
369 if (pos == end)
370 return 0;
371 }
372 return -1;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]373}
374
375
376static int scard_pin_needed(struct scard_data *scard,
377 unsigned char *hdr, size_t hlen)
378{
379 if (scard->sim_type == SCARD_GSM_SIM) {
380 if (hlen > SCARD_CHV1_OFFSET &&
381 !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG))
382 return 1;
383 return 0;
384 }
385
386 if (scard->sim_type == SCARD_USIM) {
387 int ps_do;
388 if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL))
389 return -1;
390 /* TODO: there could be more than one PS_DO entry because of
391 * multiple PINs in key reference.. */
392 if (ps_do > 0 && (ps_do & 0x80))
393 return 1;
394 return 0;
395 }
396
397 return -1;
398}
399
400
401static int scard_get_aid(struct scard_data *scard, unsigned char *aid,
402 size_t maxlen)
403{
404 int rlen, rec;
405 struct efdir {
406 unsigned char appl_template_tag; /* 0x61 */
407 unsigned char appl_template_len;
408 unsigned char appl_id_tag; /* 0x4f */
409 unsigned char aid_len;
410 unsigned char rid[5];
411 unsigned char appl_code[2]; /* 0x1002 for 3G USIM */
412 } *efdir;
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]413 unsigned char buf[127], *aid_pos;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]414 size_t blen;
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]415 unsigned int aid_len = 0;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]416
417 efdir = (struct efdir *) buf;
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]418 aid_pos = &buf[4];
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]419 blen = sizeof(buf);
420 if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) {
421 wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR");
422 return -1;
423 }
424 wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen);
425
426 for (rec = 1; rec < 10; rec++) {
427 rlen = scard_get_record_len(scard, rec,
428 SIM_RECORD_MODE_ABSOLUTE);
429 if (rlen < 0) {
430 wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR "
431 "record length");
432 return -1;
433 }
434 blen = sizeof(buf);
435 if (rlen > (int) blen) {
436 wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record");
437 return -1;
438 }
439 if (scard_read_record(scard, buf, rlen, rec,
440 SIM_RECORD_MODE_ABSOLUTE) < 0) {
441 wpa_printf(MSG_DEBUG, "SCARD: Failed to read "
442 "EF_DIR record %d", rec);
443 return -1;
444 }
445 wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen);
446
447 if (efdir->appl_template_tag != 0x61) {
448 wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
449 "template tag 0x%x",
450 efdir->appl_template_tag);
451 continue;
452 }
453
454 if (efdir->appl_template_len > rlen - 2) {
455 wpa_printf(MSG_DEBUG, "SCARD: Too long application "
456 "template (len=%d rlen=%d)",
457 efdir->appl_template_len, rlen);
458 continue;
459 }
460
461 if (efdir->appl_id_tag != 0x4f) {
462 wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
463 "identifier tag 0x%x", efdir->appl_id_tag);
464 continue;
465 }
466
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]467 aid_len = efdir->aid_len;
468 if (aid_len < 1 || aid_len > 16) {
469 wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %u",
470 aid_len);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]471 continue;
472 }
473
474 wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record",
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]475 aid_pos, aid_len);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]476
477 if (efdir->appl_code[0] == 0x10 &&
478 efdir->appl_code[1] == 0x02) {
479 wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from "
480 "EF_DIR record %d", rec);
481 break;
482 }
483 }
484
485 if (rec >= 10) {
486 wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found "
487 "from EF_DIR records");
488 return -1;
489 }
490
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]491 if (aid_len > maxlen) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]492 wpa_printf(MSG_DEBUG, "SCARD: Too long AID");
493 return -1;
494 }
495
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]496 os_memcpy(aid, aid_pos, aid_len);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]497
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]498 return aid_len;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]499}
500
501
502/**
503 * scard_init - Initialize SIM/USIM connection using PC/SC
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]504 * @reader: Reader name prefix to search for
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]505 * Returns: Pointer to private data structure, or %NULL on failure
506 *
507 * This function is used to initialize SIM/USIM connection. PC/SC is used to
Dmitry Shmidte0e48dc2013-11-18 12:00:06 -0800[diff] [blame]508 * open connection to the SIM/USIM card. In addition, local flag is set if a
509 * PIN is needed to access some of the card functions. Once the connection is
510 * not needed anymore, scard_deinit() can be used to close it.
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]511 */
Dmitry Shmidte0e48dc2013-11-18 12:00:06 -0800[diff] [blame]512struct scard_data * scard_init(const char *reader)
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]513{
514 long ret;
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -0700[diff] [blame]515#ifdef __APPLE__
516 uint32_t len;
517#else
518 unsigned long len;
519#endif
520 unsigned long pos;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]521 struct scard_data *scard;
522#ifdef CONFIG_NATIVE_WINDOWS
523 TCHAR *readers = NULL;
524#else /* CONFIG_NATIVE_WINDOWS */
525 char *readers = NULL;
526#endif /* CONFIG_NATIVE_WINDOWS */
527 unsigned char buf[100];
528 size_t blen;
529 int transaction = 0;
530 int pin_needed;
531
532 wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface");
533 if (mingw_load_symbols())
534 return NULL;
535 scard = os_zalloc(sizeof(*scard));
536 if (scard == NULL)
537 return NULL;
538
539 ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL,
540 &scard->ctx);
541 if (ret != SCARD_S_SUCCESS) {
542 wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card "
543 "context (err=%ld)", ret);
544 goto failed;
545 }
546
547 ret = SCardListReaders(scard->ctx, NULL, NULL, &len);
548 if (ret != SCARD_S_SUCCESS) {
549 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed "
550 "(err=%ld)", ret);
551 goto failed;
552 }
553
554#ifdef UNICODE
555 len *= 2;
556#endif /* UNICODE */
557 readers = os_malloc(len);
558 if (readers == NULL) {
559 wpa_printf(MSG_INFO, "SCARD: malloc failed\n");
560 goto failed;
561 }
562
563 ret = SCardListReaders(scard->ctx, NULL, readers, &len);
564 if (ret != SCARD_S_SUCCESS) {
565 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) "
566 "(err=%ld)", ret);
567 goto failed;
568 }
569 if (len < 3) {
570 wpa_printf(MSG_WARNING, "SCARD: No smart card readers "
571 "available.");
572 goto failed;
573 }
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]574 wpa_hexdump_ascii(MSG_DEBUG, "SCARD: Readers", (u8 *) readers, len);
575 /*
576 * readers is a list of available readers. The last entry is terminated
577 * with double null.
578 */
579 pos = 0;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]580#ifdef UNICODE
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]581 /* TODO */
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]582#else /* UNICODE */
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]583 while (pos < len) {
584 if (reader == NULL ||
585 os_strncmp(&readers[pos], reader, os_strlen(reader)) == 0)
586 break;
587 while (pos < len && readers[pos])
588 pos++;
589 pos++; /* skip separating null */
590 if (pos < len && readers[pos] == '\0')
591 pos = len; /* double null terminates list */
592 }
593#endif /* UNICODE */
594 if (pos >= len) {
595 wpa_printf(MSG_WARNING, "SCARD: No reader with prefix '%s' "
596 "found", reader);
597 goto failed;
598 }
599
600#ifdef UNICODE
601 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", &readers[pos]);
602#else /* UNICODE */
603 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", &readers[pos]);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]604#endif /* UNICODE */
605
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]606 ret = SCardConnect(scard->ctx, &readers[pos], SCARD_SHARE_SHARED,
607 SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
608 &scard->card, &scard->protocol);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]609 if (ret != SCARD_S_SUCCESS) {
610 if (ret == (long) SCARD_E_NO_SMARTCARD)
611 wpa_printf(MSG_INFO, "No smart card inserted.");
612 else
613 wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret);
614 goto failed;
615 }
616
617 os_free(readers);
618 readers = NULL;
619
620 wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)",
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -0700[diff] [blame]621 (unsigned int) scard->card, (unsigned long) scard->protocol,
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]622 scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1");
623
624 ret = SCardBeginTransaction(scard->card);
625 if (ret != SCARD_S_SUCCESS) {
626 wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: "
627 "0x%x", (unsigned int) ret);
628 goto failed;
629 }
630 transaction = 1;
631
632 blen = sizeof(buf);
633
Dmitry Shmidte0e48dc2013-11-18 12:00:06 -0800[diff] [blame]634 wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support");
635 if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen,
636 SCARD_USIM, NULL, 0)) {
637 wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported. Trying to use GSM SIM");
638 scard->sim_type = SCARD_GSM_SIM;
639 } else {
640 wpa_printf(MSG_DEBUG, "SCARD: USIM is supported");
641 scard->sim_type = SCARD_USIM;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]642 }
643
644 if (scard->sim_type == SCARD_GSM_SIM) {
645 blen = sizeof(buf);
646 if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) {
647 wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF");
648 goto failed;
649 }
650
651 blen = sizeof(buf);
652 if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) {
653 wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF");
654 goto failed;
655 }
656 } else {
657 unsigned char aid[32];
658 int aid_len;
659
660 aid_len = scard_get_aid(scard, aid, sizeof(aid));
661 if (aid_len < 0) {
662 wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for "
663 "3G USIM app - try to use standard 3G RID");
664 os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5);
665 aid_len = 5;
666 }
667 wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len);
668
669 /* Select based on AID = 3G RID from EF_DIR. This is usually
670 * starting with A0 00 00 00 87. */
671 blen = sizeof(buf);
672 if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type,
673 aid, aid_len)) {
674 wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM "
675 "app");
676 wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID",
677 aid, aid_len);
678 goto failed;
679 }
680 }
681
682 /* Verify whether CHV1 (PIN1) is needed to access the card. */
683 pin_needed = scard_pin_needed(scard, buf, blen);
684 if (pin_needed < 0) {
685 wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN "
686 "is needed");
687 goto failed;
688 }
689 if (pin_needed) {
690 scard->pin1_required = 1;
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]691 wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access (retry "
692 "counter=%d)", scard_get_pin_retry_counter(scard));
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]693 }
694
695 ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
696 if (ret != SCARD_S_SUCCESS) {
697 wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: "
698 "0x%x", (unsigned int) ret);
699 }
700
701 return scard;
702
703failed:
704 if (transaction)
705 SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
706 os_free(readers);
707 scard_deinit(scard);
708 return NULL;
709}
710
711
712/**
713 * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands
714 * @scard: Pointer to private data from scard_init()
715 * @pin: PIN code as an ASCII string (e.g., "1234")
716 * Returns: 0 on success, -1 on failure
717 */
718int scard_set_pin(struct scard_data *scard, const char *pin)
719{
720 if (scard == NULL)
721 return -1;
722
723 /* Verify whether CHV1 (PIN1) is needed to access the card. */
724 if (scard->pin1_required) {
725 if (pin == NULL) {
726 wpa_printf(MSG_DEBUG, "No PIN configured for SIM "
727 "access");
728 return -1;
729 }
730 if (scard_verify_pin(scard, pin)) {
731 wpa_printf(MSG_INFO, "PIN verification failed for "
732 "SIM access");
733 return -1;
734 }
735 }
736
737 return 0;
738}
739
740
741/**
742 * scard_deinit - Deinitialize SIM/USIM connection
743 * @scard: Pointer to private data from scard_init()
744 *
745 * This function closes the SIM/USIM connect opened with scard_init().
746 */
747void scard_deinit(struct scard_data *scard)
748{
749 long ret;
750
751 if (scard == NULL)
752 return;
753
754 wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface");
755 if (scard->card) {
756 ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD);
757 if (ret != SCARD_S_SUCCESS) {
758 wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect "
759 "smart card (err=%ld)", ret);
760 }
761 }
762
763 if (scard->ctx) {
764 ret = SCardReleaseContext(scard->ctx);
765 if (ret != SCARD_S_SUCCESS) {
766 wpa_printf(MSG_DEBUG, "Failed to release smart card "
767 "context (err=%ld)", ret);
768 }
769 }
770 os_free(scard);
771 mingw_unload_symbols();
772}
773
774
775static long scard_transmit(struct scard_data *scard,
776 unsigned char *_send, size_t send_len,
777 unsigned char *_recv, size_t *recv_len)
778{
779 long ret;
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -0700[diff] [blame]780#ifdef __APPLE__
781 uint32_t rlen;
782#else
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]783 unsigned long rlen;
Dmitry Shmidt7f2c7532016-08-15 09:48:12 -0700[diff] [blame]784#endif
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]785
786 wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send",
787 _send, send_len);
788 rlen = *recv_len;
789 ret = SCardTransmit(scard->card,
790 scard->protocol == SCARD_PROTOCOL_T1 ?
791 SCARD_PCI_T1 : SCARD_PCI_T0,
792 _send, (unsigned long) send_len,
793 NULL, _recv, &rlen);
794 *recv_len = rlen;
795 if (ret == SCARD_S_SUCCESS) {
796 wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv",
797 _recv, rlen);
798 } else {
799 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
800 "(err=0x%lx)", ret);
801 }
802 return ret;
803}
804
805
806static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
807 unsigned char *buf, size_t *buf_len,
808 sim_types sim_type, unsigned char *aid,
809 size_t aidlen)
810{
811 long ret;
812 unsigned char resp[3];
813 unsigned char cmd[50] = { SIM_CMD_SELECT };
814 int cmdlen;
815 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
816 size_t len, rlen;
817
818 if (sim_type == SCARD_USIM) {
819 cmd[0] = USIM_CLA;
820 cmd[3] = 0x04;
821 get_resp[0] = USIM_CLA;
822 }
823
824 wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id);
825 if (aid) {
826 wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID",
827 aid, aidlen);
828 if (5 + aidlen > sizeof(cmd))
829 return -1;
830 cmd[2] = 0x04; /* Select by AID */
831 cmd[4] = aidlen; /* len */
832 os_memcpy(cmd + 5, aid, aidlen);
833 cmdlen = 5 + aidlen;
834 } else {
835 cmd[5] = file_id >> 8;
836 cmd[6] = file_id & 0xff;
837 cmdlen = 7;
838 }
839 len = sizeof(resp);
840 ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
841 if (ret != SCARD_S_SUCCESS) {
842 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
843 "(err=0x%lx)", ret);
844 return -1;
845 }
846
847 if (len != 2) {
848 wpa_printf(MSG_WARNING, "SCARD: unexpected resp len "
849 "%d (expected 2)", (int) len);
850 return -1;
851 }
852
853 if (resp[0] == 0x98 && resp[1] == 0x04) {
854 /* Security status not satisfied (PIN_WLAN) */
855 wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied "
856 "(PIN_WLAN)");
857 return -1;
858 }
859
860 if (resp[0] == 0x6e) {
861 wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported");
862 return -1;
863 }
864
865 if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) {
866 wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x "
867 "(expected 0x61, 0x6c, or 0x9f)", resp[0]);
868 return -1;
869 }
870 /* Normal ending of command; resp[1] bytes available */
871 get_resp[4] = resp[1];
872 wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)",
873 resp[1]);
874
875 rlen = *buf_len;
876 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen);
877 if (ret == SCARD_S_SUCCESS) {
878 *buf_len = resp[1] < rlen ? resp[1] : rlen;
879 return 0;
880 }
881
882 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret);
883 return -1;
884}
885
886
887static int scard_select_file(struct scard_data *scard, unsigned short file_id,
888 unsigned char *buf, size_t *buf_len)
889{
890 return _scard_select_file(scard, file_id, buf, buf_len,
891 scard->sim_type, NULL, 0);
892}
893
894
895static int scard_get_record_len(struct scard_data *scard, unsigned char recnum,
896 unsigned char mode)
897{
898 unsigned char buf[255];
899 unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
900 size_t blen;
901 long ret;
902
903 if (scard->sim_type == SCARD_USIM)
904 cmd[0] = USIM_CLA;
905 cmd[2] = recnum;
906 cmd[3] = mode;
907 cmd[4] = sizeof(buf);
908
909 blen = sizeof(buf);
910 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
911 if (ret != SCARD_S_SUCCESS) {
912 wpa_printf(MSG_DEBUG, "SCARD: failed to determine file "
913 "length for record %d", recnum);
914 return -1;
915 }
916
917 wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response",
918 buf, blen);
919
Dmitry Shmidt1f69aa52012-01-24 16:10:04 -0800[diff] [blame]920 if (blen < 2 || (buf[0] != 0x6c && buf[0] != 0x67)) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]921 wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file "
922 "length determination");
923 return -1;
924 }
925
926 return buf[1];
927}
928
929
930static int scard_read_record(struct scard_data *scard,
931 unsigned char *data, size_t len,
932 unsigned char recnum, unsigned char mode)
933{
934 unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
935 size_t blen = len + 3;
936 unsigned char *buf;
937 long ret;
938
939 if (scard->sim_type == SCARD_USIM)
940 cmd[0] = USIM_CLA;
941 cmd[2] = recnum;
942 cmd[3] = mode;
943 cmd[4] = len;
944
945 buf = os_malloc(blen);
946 if (buf == NULL)
947 return -1;
948
949 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
950 if (ret != SCARD_S_SUCCESS) {
951 os_free(buf);
952 return -2;
953 }
954 if (blen != len + 2) {
955 wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
956 "length %ld (expected %ld)",
957 (long) blen, (long) len + 2);
958 os_free(buf);
959 return -3;
960 }
961
962 if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
963 wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
964 "status %02x %02x (expected 90 00)",
965 buf[len], buf[len + 1]);
966 os_free(buf);
967 return -4;
968 }
969
970 os_memcpy(data, buf, len);
971 os_free(buf);
972
973 return 0;
974}
975
976
977static int scard_read_file(struct scard_data *scard,
978 unsigned char *data, size_t len)
979{
980 unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ };
981 size_t blen = len + 3;
982 unsigned char *buf;
983 long ret;
984
985 cmd[4] = len;
986
987 buf = os_malloc(blen);
988 if (buf == NULL)
989 return -1;
990
991 if (scard->sim_type == SCARD_USIM)
992 cmd[0] = USIM_CLA;
993 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
994 if (ret != SCARD_S_SUCCESS) {
995 os_free(buf);
996 return -2;
997 }
998 if (blen != len + 2) {
999 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
1000 "length %ld (expected %ld)",
1001 (long) blen, (long) len + 2);
1002 os_free(buf);
1003 return -3;
1004 }
1005
1006 if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
1007 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
1008 "status %02x %02x (expected 90 00)",
1009 buf[len], buf[len + 1]);
1010 os_free(buf);
1011 return -4;
1012 }
1013
1014 os_memcpy(data, buf, len);
1015 os_free(buf);
1016
1017 return 0;
1018}
1019
1020
1021static int scard_verify_pin(struct scard_data *scard, const char *pin)
1022{
1023 long ret;
1024 unsigned char resp[3];
1025 unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 };
1026 size_t len;
1027
1028 wpa_printf(MSG_DEBUG, "SCARD: verifying PIN");
1029
1030 if (pin == NULL || os_strlen(pin) > 8)
1031 return -1;
1032
1033 if (scard->sim_type == SCARD_USIM)
1034 cmd[0] = USIM_CLA;
1035 os_memcpy(cmd + 5, pin, os_strlen(pin));
1036 os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin));
1037
1038 len = sizeof(resp);
1039 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1040 if (ret != SCARD_S_SUCCESS)
1041 return -2;
1042
1043 if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) {
1044 wpa_printf(MSG_WARNING, "SCARD: PIN verification failed");
1045 return -1;
1046 }
1047
1048 wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully");
1049 return 0;
1050}
1051
1052
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]1053int scard_get_pin_retry_counter(struct scard_data *scard)
1054{
1055 long ret;
1056 unsigned char resp[3];
1057 unsigned char cmd[5] = { SIM_CMD_VERIFY_CHV1 };
1058 size_t len;
1059 u16 val;
1060
1061 wpa_printf(MSG_DEBUG, "SCARD: fetching PIN retry counter");
1062
1063 if (scard->sim_type == SCARD_USIM)
1064 cmd[0] = USIM_CLA;
1065 cmd[4] = 0; /* Empty data */
1066
1067 len = sizeof(resp);
1068 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1069 if (ret != SCARD_S_SUCCESS)
1070 return -2;
1071
1072 if (len != 2) {
1073 wpa_printf(MSG_WARNING, "SCARD: failed to fetch PIN retry "
1074 "counter");
1075 return -1;
1076 }
1077
1078 val = WPA_GET_BE16(resp);
1079 if (val == 0x63c0 || val == 0x6983) {
1080 wpa_printf(MSG_DEBUG, "SCARD: PIN has been blocked");
1081 return 0;
1082 }
1083
1084 if (val >= 0x63c0 && val <= 0x63cf)
1085 return val & 0x000f;
1086
1087 wpa_printf(MSG_DEBUG, "SCARD: Unexpected PIN retry counter response "
1088 "value 0x%x", val);
1089 return 0;
1090}
1091
1092
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1093/**
1094 * scard_get_imsi - Read IMSI from SIM/USIM card
1095 * @scard: Pointer to private data from scard_init()
1096 * @imsi: Buffer for IMSI
1097 * @len: Length of imsi buffer; set to IMSI length on success
1098 * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file
1099 * selection returns invalid result code, -3 if parsing FSP template file fails
1100 * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set
1101 * to needed length), -5 if reading IMSI file fails.
1102 *
1103 * This function can be used to read IMSI from the SIM/USIM card. If the IMSI
1104 * file is PIN protected, scard_set_pin() must have been used to set the
1105 * correct PIN code before calling scard_get_imsi().
1106 */
1107int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len)
1108{
1109 unsigned char buf[100];
1110 size_t blen, imsilen, i;
1111 char *pos;
1112
1113 wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI");
1114 blen = sizeof(buf);
1115 if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen))
1116 return -1;
1117 if (blen < 4) {
1118 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI "
1119 "header (len=%ld)", (long) blen);
1120 return -2;
1121 }
1122
1123 if (scard->sim_type == SCARD_GSM_SIM) {
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]1124 blen = WPA_GET_BE16(&buf[2]);
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1125 } else {
1126 int file_size;
1127 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
1128 return -3;
1129 blen = file_size;
1130 }
1131 if (blen < 2 || blen > sizeof(buf)) {
1132 wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld",
1133 (long) blen);
1134 return -3;
1135 }
1136
1137 imsilen = (blen - 2) * 2 + 1;
1138 wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld",
1139 (long) blen, (long) imsilen);
1140 if (blen < 2 || imsilen > *len) {
1141 *len = imsilen;
1142 return -4;
1143 }
1144
1145 if (scard_read_file(scard, buf, blen))
1146 return -5;
1147
1148 pos = imsi;
1149 *pos++ = '0' + (buf[1] >> 4 & 0x0f);
1150 for (i = 2; i < blen; i++) {
1151 unsigned char digit;
1152
1153 digit = buf[i] & 0x0f;
1154 if (digit < 10)
1155 *pos++ = '0' + digit;
1156 else
1157 imsilen--;
1158
1159 digit = buf[i] >> 4 & 0x0f;
1160 if (digit < 10)
1161 *pos++ = '0' + digit;
1162 else
1163 imsilen--;
1164 }
1165 *len = imsilen;
1166
1167 return 0;
1168}
1169
1170
1171/**
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800[diff] [blame]1172 * scard_get_mnc_len - Read length of MNC in the IMSI from SIM/USIM card
1173 * @scard: Pointer to private data from scard_init()
1174 * Returns: length (>0) on success, -1 if administrative data file cannot be
1175 * selected, -2 if administrative data file selection returns invalid result
1176 * code, -3 if parsing FSP template file fails (USIM only), -4 if length of
1177 * the file is unexpected, -5 if reading file fails, -6 if MNC length is not
1178 * in range (i.e. 2 or 3), -7 if MNC length is not available.
1179 *
1180 */
1181int scard_get_mnc_len(struct scard_data *scard)
1182{
1183 unsigned char buf[100];
1184 size_t blen;
1185 int file_size;
1186
1187 wpa_printf(MSG_DEBUG, "SCARD: reading MNC len from (GSM) EF-AD");
1188 blen = sizeof(buf);
1189 if (scard_select_file(scard, SCARD_FILE_GSM_EF_AD, buf, &blen))
1190 return -1;
1191 if (blen < 4) {
1192 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-AD "
1193 "header (len=%ld)", (long) blen);
1194 return -2;
1195 }
1196
1197 if (scard->sim_type == SCARD_GSM_SIM) {
Dmitry Shmidtfb45fd52015-01-05 13:08:17 -0800[diff] [blame]1198 file_size = WPA_GET_BE16(&buf[2]);
Dmitry Shmidtc5ec7f52012-03-06 16:33:24 -0800[diff] [blame]1199 } else {
1200 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
1201 return -3;
1202 }
1203 if (file_size == 3) {
1204 wpa_printf(MSG_DEBUG, "SCARD: MNC length not available");
1205 return -7;
1206 }
1207 if (file_size < 4 || file_size > (int) sizeof(buf)) {
1208 wpa_printf(MSG_DEBUG, "SCARD: invalid file length=%ld",
1209 (long) file_size);
1210 return -4;
1211 }
1212
1213 if (scard_read_file(scard, buf, file_size))
1214 return -5;
1215 buf[3] = buf[3] & 0x0f; /* upper nibble reserved for future use */
1216 if (buf[3] < 2 || buf[3] > 3) {
1217 wpa_printf(MSG_DEBUG, "SCARD: invalid MNC length=%ld",
1218 (long) buf[3]);
1219 return -6;
1220 }
1221 wpa_printf(MSG_DEBUG, "SCARD: MNC length=%ld", (long) buf[3]);
1222 return buf[3];
1223}
1224
1225
1226/**
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1227 * scard_gsm_auth - Run GSM authentication command on SIM card
1228 * @scard: Pointer to private data from scard_init()
1229 * @_rand: 16-byte RAND value from HLR/AuC
1230 * @sres: 4-byte buffer for SRES
1231 * @kc: 8-byte buffer for Kc
1232 * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized,
1233 * -2 if authentication command execution fails, -3 if unknown response code
1234 * for authentication command is received, -4 if reading of response fails,
1235 * -5 if if response data is of unexpected length
1236 *
1237 * This function performs GSM authentication using SIM/USIM card and the
1238 * provided RAND value from HLR/AuC. If authentication command can be completed
1239 * successfully, SRES and Kc values will be written into sres and kc buffers.
1240 */
1241int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand,
1242 unsigned char *sres, unsigned char *kc)
1243{
1244 unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG };
1245 int cmdlen;
1246 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
1247 unsigned char resp[3], buf[12 + 3 + 2];
1248 size_t len;
1249 long ret;
1250
1251 if (scard == NULL)
1252 return -1;
1253
1254 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16);
1255 if (scard->sim_type == SCARD_GSM_SIM) {
1256 cmdlen = 5 + 16;
1257 os_memcpy(cmd + 5, _rand, 16);
1258 } else {
1259 cmdlen = 5 + 1 + 16;
1260 cmd[0] = USIM_CLA;
1261 cmd[3] = 0x80;
1262 cmd[4] = 17;
1263 cmd[5] = 16;
1264 os_memcpy(cmd + 6, _rand, 16);
Dmitry Shmidt6dc03bd2014-05-16 10:40:13 -0700[diff] [blame]1265 get_resp[0] = USIM_CLA;
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1266 }
1267 len = sizeof(resp);
1268 ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
1269 if (ret != SCARD_S_SUCCESS)
1270 return -2;
1271
1272 if ((scard->sim_type == SCARD_GSM_SIM &&
1273 (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) ||
1274 (scard->sim_type == SCARD_USIM &&
1275 (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) {
1276 wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM "
1277 "auth request (len=%ld resp=%02x %02x)",
1278 (long) len, resp[0], resp[1]);
1279 return -3;
1280 }
1281 get_resp[4] = resp[1];
1282
1283 len = sizeof(buf);
1284 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
1285 if (ret != SCARD_S_SUCCESS)
1286 return -4;
1287
1288 if (scard->sim_type == SCARD_GSM_SIM) {
1289 if (len != 4 + 8 + 2) {
1290 wpa_printf(MSG_WARNING, "SCARD: unexpected data "
1291 "length for GSM auth (len=%ld, expected 14)",
1292 (long) len);
1293 return -5;
1294 }
1295 os_memcpy(sres, buf, 4);
1296 os_memcpy(kc, buf + 4, 8);
1297 } else {
1298 if (len != 1 + 4 + 1 + 8 + 2) {
1299 wpa_printf(MSG_WARNING, "SCARD: unexpected data "
1300 "length for USIM auth (len=%ld, "
1301 "expected 16)", (long) len);
1302 return -5;
1303 }
1304 if (buf[0] != 4 || buf[5] != 8) {
1305 wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc "
1306 "length (%d %d, expected 4 8)",
1307 buf[0], buf[5]);
1308 }
1309 os_memcpy(sres, buf + 1, 4);
1310 os_memcpy(kc, buf + 6, 8);
1311 }
1312
1313 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4);
1314 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8);
1315
1316 return 0;
1317}
1318
1319
1320/**
1321 * scard_umts_auth - Run UMTS authentication command on USIM card
1322 * @scard: Pointer to private data from scard_init()
1323 * @_rand: 16-byte RAND value from HLR/AuC
1324 * @autn: 16-byte AUTN value from HLR/AuC
1325 * @res: 16-byte buffer for RES
1326 * @res_len: Variable that will be set to RES length
1327 * @ik: 16-byte buffer for IK
1328 * @ck: 16-byte buffer for CK
1329 * @auts: 14-byte buffer for AUTS
1330 * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization
1331 * failure
1332 *
1333 * This function performs AKA authentication using USIM card and the provided
1334 * RAND and AUTN values from HLR/AuC. If authentication command can be
1335 * completed successfully, RES, IK, and CK values will be written into provided
1336 * buffers and res_len is set to length of received RES value. If USIM reports
1337 * synchronization failure, the received AUTS value will be written into auts
1338 * buffer. In this case, RES, IK, and CK are not valid.
1339 */
1340int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
1341 const unsigned char *autn,
1342 unsigned char *res, size_t *res_len,
1343 unsigned char *ik, unsigned char *ck, unsigned char *auts)
1344{
1345 unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] =
1346 { USIM_CMD_RUN_UMTS_ALG };
1347 unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE };
1348 unsigned char resp[3], buf[64], *pos, *end;
1349 size_t len;
1350 long ret;
1351
1352 if (scard == NULL)
1353 return -1;
1354
1355 if (scard->sim_type == SCARD_GSM_SIM) {
1356 wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS "
1357 "auth");
1358 return -1;
1359 }
1360
1361 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN);
1362 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN);
1363 cmd[5] = AKA_RAND_LEN;
1364 os_memcpy(cmd + 6, _rand, AKA_RAND_LEN);
1365 cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN;
1366 os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN);
1367
1368 len = sizeof(resp);
1369 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1370 if (ret != SCARD_S_SUCCESS)
1371 return -1;
1372
1373 if (len <= sizeof(resp))
1374 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len);
1375
1376 if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) {
1377 wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - "
1378 "MAC != XMAC");
1379 return -1;
1380 } else if (len != 2 || resp[0] != 0x61) {
1381 wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS "
1382 "auth request (len=%ld resp=%02x %02x)",
1383 (long) len, resp[0], resp[1]);
1384 return -1;
1385 }
1386 get_resp[4] = resp[1];
1387
1388 len = sizeof(buf);
1389 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
1390 if (ret != SCARD_S_SUCCESS || len > sizeof(buf))
1391 return -1;
1392
1393 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len);
1394 if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc &&
1395 buf[1] == AKA_AUTS_LEN) {
1396 wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure");
1397 os_memcpy(auts, buf + 2, AKA_AUTS_LEN);
1398 wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN);
1399 return -2;
1400 } else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) {
1401 pos = buf + 1;
1402 end = buf + len;
1403
1404 /* RES */
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]1405 if (pos[0] > RES_MAX_LEN || pos[0] > end - pos) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1406 wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
1407 return -1;
1408 }
1409 *res_len = *pos++;
1410 os_memcpy(res, pos, *res_len);
1411 pos += *res_len;
1412 wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
1413
1414 /* CK */
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]1415 if (pos[0] != CK_LEN || CK_LEN > end - pos) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1416 wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
1417 return -1;
1418 }
1419 pos++;
1420 os_memcpy(ck, pos, CK_LEN);
1421 pos += CK_LEN;
1422 wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
1423
1424 /* IK */
Dmitry Shmidtd80a4012015-11-05 16:35:40 -0800[diff] [blame]1425 if (pos[0] != IK_LEN || IK_LEN > end - pos) {
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1426 wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
1427 return -1;
1428 }
1429 pos++;
1430 os_memcpy(ik, pos, IK_LEN);
1431 pos += IK_LEN;
1432 wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN);
1433
Dmitry Shmidtc2817022014-07-02 10:32:10 -0700[diff] [blame]1434 if (end > pos) {
1435 wpa_hexdump(MSG_DEBUG,
1436 "SCARD: Ignore extra data in end",
1437 pos, end - pos);
1438 }
1439
Dmitry Shmidt8d520ff2011-05-09 14:06:53 -0700[diff] [blame]1440 return 0;
1441 }
1442
1443 wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response");
1444 return -1;
1445}
Dmitry Shmidt04949592012-07-19 12:16:46 -0700[diff] [blame]1446
1447
1448int scard_supports_umts(struct scard_data *scard)
1449{
1450 return scard->sim_type == SCARD_USIM;
1451}