1/*
2 * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM
3 * Copyright (c) 2004-2007, 2012, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 *
8 * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM
9 * cards through PC/SC smartcard library. These functions are used to implement
10 * authentication routines for EAP-SIM and EAP-AKA.
11 */
12
13#include "includes.h"
14#include <winscard.h>
15
16#include "common.h"
17#include "pcsc_funcs.h"
18
19
20/* See ETSI GSM 11.11 and ETSI TS 102 221 for details.
21 * SIM commands:
22 * Command APDU: CLA INS P1 P2 P3 Data
23 *   CLA (class of instruction): A0 for GSM, 00 for USIM
24 *   INS (instruction)
25 *   P1 P2 P3 (parameters, P3 = length of Data)
26 * Response APDU: Data SW1 SW2
27 *   SW1 SW2 (Status words)
28 * Commands (INS P1 P2 P3):
29 *   SELECT: A4 00 00 02 <file_id, 2 bytes>
30 *   GET RESPONSE: C0 00 00 <len>
31 *   RUN GSM ALG: 88 00 00 00 <RAND len = 10>
32 *   RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN
33 *	P1 = ID of alg in card
34 *	P2 = ID of secret key
35 *   READ BINARY: B0 <offset high> <offset low> <len>
36 *   READ RECORD: B2 <record number> <mode> <len>
37 *	P2 (mode) = '02' (next record), '03' (previous record),
38 *		    '04' (absolute mode)
39 *   VERIFY CHV: 20 00 <CHV number> 08
40 *   CHANGE CHV: 24 00 <CHV number> 10
41 *   DISABLE CHV: 26 00 01 08
42 *   ENABLE CHV: 28 00 01 08
43 *   UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10
44 *   SLEEP: FA 00 00 00
45 */
46
47/* GSM SIM commands */
48#define SIM_CMD_SELECT			0xa0, 0xa4, 0x00, 0x00, 0x02
49#define SIM_CMD_RUN_GSM_ALG		0xa0, 0x88, 0x00, 0x00, 0x10
50#define SIM_CMD_GET_RESPONSE		0xa0, 0xc0, 0x00, 0x00
51#define SIM_CMD_READ_BIN		0xa0, 0xb0, 0x00, 0x00
52#define SIM_CMD_READ_RECORD		0xa0, 0xb2, 0x00, 0x00
53#define SIM_CMD_VERIFY_CHV1		0xa0, 0x20, 0x00, 0x01, 0x08
54
55/* USIM commands */
56#define USIM_CLA			0x00
57#define USIM_CMD_RUN_UMTS_ALG		0x00, 0x88, 0x00, 0x81, 0x22
58#define USIM_CMD_GET_RESPONSE		0x00, 0xc0, 0x00, 0x00
59
60#define SIM_RECORD_MODE_ABSOLUTE 0x04
61
62#define USIM_FSP_TEMPL_TAG		0x62
63
64#define USIM_TLV_FILE_DESC		0x82
65#define USIM_TLV_FILE_ID		0x83
66#define USIM_TLV_DF_NAME		0x84
67#define USIM_TLV_PROPR_INFO		0xA5
68#define USIM_TLV_LIFE_CYCLE_STATUS	0x8A
69#define USIM_TLV_FILE_SIZE		0x80
70#define USIM_TLV_TOTAL_FILE_SIZE	0x81
71#define USIM_TLV_PIN_STATUS_TEMPLATE	0xC6
72#define USIM_TLV_SHORT_FILE_ID		0x88
73#define USIM_TLV_SECURITY_ATTR_8B	0x8B
74#define USIM_TLV_SECURITY_ATTR_8C	0x8C
75#define USIM_TLV_SECURITY_ATTR_AB	0xAB
76
77#define USIM_PS_DO_TAG			0x90
78
79#define AKA_RAND_LEN 16
80#define AKA_AUTN_LEN 16
81#define AKA_AUTS_LEN 14
82#define RES_MAX_LEN 16
83#define IK_LEN 16
84#define CK_LEN 16
85
86
87/* GSM files
88 * File type in first octet:
89 * 3F = Master File
90 * 7F = Dedicated File
91 * 2F = Elementary File under the Master File
92 * 6F = Elementary File under a Dedicated File
93 */
94#define SCARD_FILE_MF		0x3F00
95#define SCARD_FILE_GSM_DF	0x7F20
96#define SCARD_FILE_UMTS_DF	0x7F50
97#define SCARD_FILE_GSM_EF_IMSI	0x6F07
98#define SCARD_FILE_GSM_EF_AD	0x6FAD
99#define SCARD_FILE_EF_DIR	0x2F00
100#define SCARD_FILE_EF_ICCID	0x2FE2
101#define SCARD_FILE_EF_CK	0x6FE1
102#define SCARD_FILE_EF_IK	0x6FE2
103
104#define SCARD_CHV1_OFFSET	13
105#define SCARD_CHV1_FLAG		0x80
106
107
108typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types;
109
110struct scard_data {
111	SCARDCONTEXT ctx;
112	SCARDHANDLE card;
113	DWORD protocol;
114	sim_types sim_type;
115	int pin1_required;
116};
117
118#ifdef __MINGW32_VERSION
119/* MinGW does not yet support WinScard, so load the needed functions
120 * dynamically from winscard.dll for now. */
121
122static HINSTANCE dll = NULL; /* winscard.dll */
123
124static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci;
125#undef SCARD_PCI_T0
126#define SCARD_PCI_T0 (dll_g_rgSCardT0Pci)
127#undef SCARD_PCI_T1
128#define SCARD_PCI_T1 (dll_g_rgSCardT1Pci)
129
130
131static WINSCARDAPI LONG WINAPI
132(*dll_SCardEstablishContext)(IN DWORD dwScope,
133			     IN LPCVOID pvReserved1,
134			     IN LPCVOID pvReserved2,
135			     OUT LPSCARDCONTEXT phContext);
136#define SCardEstablishContext dll_SCardEstablishContext
137
138static long (*dll_SCardReleaseContext)(long hContext);
139#define SCardReleaseContext dll_SCardReleaseContext
140
141static WINSCARDAPI LONG WINAPI
142(*dll_SCardListReadersA)(IN SCARDCONTEXT hContext,
143			 IN LPCSTR mszGroups,
144			 OUT LPSTR mszReaders,
145			 IN OUT LPDWORD pcchReaders);
146#undef SCardListReaders
147#define SCardListReaders dll_SCardListReadersA
148
149static WINSCARDAPI LONG WINAPI
150(*dll_SCardConnectA)(IN SCARDCONTEXT hContext,
151		     IN LPCSTR szReader,
152		     IN DWORD dwShareMode,
153		     IN DWORD dwPreferredProtocols,
154		     OUT LPSCARDHANDLE phCard,
155		     OUT LPDWORD pdwActiveProtocol);
156#undef SCardConnect
157#define SCardConnect dll_SCardConnectA
158
159static WINSCARDAPI LONG WINAPI
160(*dll_SCardDisconnect)(IN SCARDHANDLE hCard,
161		       IN DWORD dwDisposition);
162#define SCardDisconnect dll_SCardDisconnect
163
164static WINSCARDAPI LONG WINAPI
165(*dll_SCardTransmit)(IN SCARDHANDLE hCard,
166		     IN LPCSCARD_IO_REQUEST pioSendPci,
167		     IN LPCBYTE pbSendBuffer,
168		     IN DWORD cbSendLength,
169		     IN OUT LPSCARD_IO_REQUEST pioRecvPci,
170		     OUT LPBYTE pbRecvBuffer,
171		     IN OUT LPDWORD pcbRecvLength);
172#define SCardTransmit dll_SCardTransmit
173
174static WINSCARDAPI LONG WINAPI
175(*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard);
176#define SCardBeginTransaction dll_SCardBeginTransaction
177
178static WINSCARDAPI LONG WINAPI
179(*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition);
180#define SCardEndTransaction dll_SCardEndTransaction
181
182
183static int mingw_load_symbols(void)
184{
185	char *sym;
186
187	if (dll)
188		return 0;
189
190	dll = LoadLibrary("winscard");
191	if (dll == NULL) {
192		wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll "
193			   "library");
194		return -1;
195	}
196
197#define LOADSYM(s) \
198	sym = #s; \
199	dll_ ## s = (void *) GetProcAddress(dll, sym); \
200	if (dll_ ## s == NULL) \
201		goto fail;
202
203	LOADSYM(SCardEstablishContext);
204	LOADSYM(SCardReleaseContext);
205	LOADSYM(SCardListReadersA);
206	LOADSYM(SCardConnectA);
207	LOADSYM(SCardDisconnect);
208	LOADSYM(SCardTransmit);
209	LOADSYM(SCardBeginTransaction);
210	LOADSYM(SCardEndTransaction);
211	LOADSYM(g_rgSCardT0Pci);
212	LOADSYM(g_rgSCardT1Pci);
213
214#undef LOADSYM
215
216	return 0;
217
218fail:
219	wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from "
220		   "winscard.dll", sym);
221	FreeLibrary(dll);
222	dll = NULL;
223	return -1;
224}
225
226
227static void mingw_unload_symbols(void)
228{
229	if (dll == NULL)
230		return;
231
232	FreeLibrary(dll);
233	dll = NULL;
234}
235
236#else /* __MINGW32_VERSION */
237
238#define mingw_load_symbols() 0
239#define mingw_unload_symbols() do { } while (0)
240
241#endif /* __MINGW32_VERSION */
242
243
244static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
245			      unsigned char *buf, size_t *buf_len,
246			      sim_types sim_type, unsigned char *aid,
247			      size_t aidlen);
248static int scard_select_file(struct scard_data *scard, unsigned short file_id,
249			     unsigned char *buf, size_t *buf_len);
250static int scard_verify_pin(struct scard_data *scard, const char *pin);
251static int scard_get_record_len(struct scard_data *scard,
252				unsigned char recnum, unsigned char mode);
253static int scard_read_record(struct scard_data *scard,
254			     unsigned char *data, size_t len,
255			     unsigned char recnum, unsigned char mode);
256
257
258static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
259				 int *ps_do, int *file_len)
260{
261	unsigned char *pos, *end;
262
263	if (ps_do)
264		*ps_do = -1;
265	if (file_len)
266		*file_len = -1;
267
268	pos = buf;
269	end = pos + buf_len;
270	if (*pos != USIM_FSP_TEMPL_TAG) {
271		wpa_printf(MSG_DEBUG, "SCARD: file header did not "
272			   "start with FSP template tag");
273		return -1;
274	}
275	pos++;
276	if (pos >= end)
277		return -1;
278	if ((pos + pos[0]) < end)
279		end = pos + 1 + pos[0];
280	pos++;
281	wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
282		    pos, end - pos);
283
284	while (pos + 1 < end) {
285		wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV 0x%02x len=%d",
286			   pos[0], pos[1]);
287		if (pos + 2 + pos[1] > end)
288			break;
289
290		switch (pos[0]) {
291		case USIM_TLV_FILE_DESC:
292			wpa_hexdump(MSG_MSGDUMP, "SCARD: File Descriptor TLV",
293				    pos + 2, pos[1]);
294			break;
295		case USIM_TLV_FILE_ID:
296			wpa_hexdump(MSG_MSGDUMP, "SCARD: File Identifier TLV",
297				    pos + 2, pos[1]);
298			break;
299		case USIM_TLV_DF_NAME:
300			wpa_hexdump(MSG_MSGDUMP, "SCARD: DF name (AID) TLV",
301				    pos + 2, pos[1]);
302			break;
303		case USIM_TLV_PROPR_INFO:
304			wpa_hexdump(MSG_MSGDUMP, "SCARD: Proprietary "
305				    "information TLV", pos + 2, pos[1]);
306			break;
307		case USIM_TLV_LIFE_CYCLE_STATUS:
308			wpa_hexdump(MSG_MSGDUMP, "SCARD: Life Cycle Status "
309				    "Integer TLV", pos + 2, pos[1]);
310			break;
311		case USIM_TLV_FILE_SIZE:
312			wpa_hexdump(MSG_MSGDUMP, "SCARD: File size TLV",
313				    pos + 2, pos[1]);
314			if ((pos[1] == 1 || pos[1] == 2) && file_len) {
315				if (pos[1] == 1)
316					*file_len = (int) pos[2];
317				else
318					*file_len = ((int) pos[2] << 8) |
319						(int) pos[3];
320				wpa_printf(MSG_DEBUG, "SCARD: file_size=%d",
321					   *file_len);
322			}
323			break;
324		case USIM_TLV_TOTAL_FILE_SIZE:
325			wpa_hexdump(MSG_MSGDUMP, "SCARD: Total file size TLV",
326				    pos + 2, pos[1]);
327			break;
328		case USIM_TLV_PIN_STATUS_TEMPLATE:
329			wpa_hexdump(MSG_MSGDUMP, "SCARD: PIN Status Template "
330				    "DO TLV", pos + 2, pos[1]);
331			if (pos[1] >= 2 && pos[2] == USIM_PS_DO_TAG &&
332			    pos[3] >= 1 && ps_do) {
333				wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x",
334					   pos[4]);
335				*ps_do = (int) pos[4];
336			}
337			break;
338		case USIM_TLV_SHORT_FILE_ID:
339			wpa_hexdump(MSG_MSGDUMP, "SCARD: Short File "
340				    "Identifier (SFI) TLV", pos + 2, pos[1]);
341			break;
342		case USIM_TLV_SECURITY_ATTR_8B:
343		case USIM_TLV_SECURITY_ATTR_8C:
344		case USIM_TLV_SECURITY_ATTR_AB:
345			wpa_hexdump(MSG_MSGDUMP, "SCARD: Security attribute "
346				    "TLV", pos + 2, pos[1]);
347			break;
348		default:
349			wpa_hexdump(MSG_MSGDUMP, "SCARD: Unrecognized TLV",
350				    pos, 2 + pos[1]);
351			break;
352		}
353
354		pos += 2 + pos[1];
355
356		if (pos == end)
357			return 0;
358	}
359	return -1;
360}
361
362
363static int scard_pin_needed(struct scard_data *scard,
364			    unsigned char *hdr, size_t hlen)
365{
366	if (scard->sim_type == SCARD_GSM_SIM) {
367		if (hlen > SCARD_CHV1_OFFSET &&
368		    !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG))
369			return 1;
370		return 0;
371	}
372
373	if (scard->sim_type == SCARD_USIM) {
374		int ps_do;
375		if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL))
376			return -1;
377		/* TODO: there could be more than one PS_DO entry because of
378		 * multiple PINs in key reference.. */
379		if (ps_do > 0 && (ps_do & 0x80))
380			return 1;
381		return 0;
382	}
383
384	return -1;
385}
386
387
388static int scard_get_aid(struct scard_data *scard, unsigned char *aid,
389			 size_t maxlen)
390{
391	int rlen, rec;
392	struct efdir {
393		unsigned char appl_template_tag; /* 0x61 */
394		unsigned char appl_template_len;
395		unsigned char appl_id_tag; /* 0x4f */
396		unsigned char aid_len;
397		unsigned char rid[5];
398		unsigned char appl_code[2]; /* 0x1002 for 3G USIM */
399	} *efdir;
400	unsigned char buf[127];
401	size_t blen;
402
403	efdir = (struct efdir *) buf;
404	blen = sizeof(buf);
405	if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) {
406		wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR");
407		return -1;
408	}
409	wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen);
410
411	for (rec = 1; rec < 10; rec++) {
412		rlen = scard_get_record_len(scard, rec,
413					    SIM_RECORD_MODE_ABSOLUTE);
414		if (rlen < 0) {
415			wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR "
416				   "record length");
417			return -1;
418		}
419		blen = sizeof(buf);
420		if (rlen > (int) blen) {
421			wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record");
422			return -1;
423		}
424		if (scard_read_record(scard, buf, rlen, rec,
425				      SIM_RECORD_MODE_ABSOLUTE) < 0) {
426			wpa_printf(MSG_DEBUG, "SCARD: Failed to read "
427				   "EF_DIR record %d", rec);
428			return -1;
429		}
430		wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen);
431
432		if (efdir->appl_template_tag != 0x61) {
433			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
434				   "template tag 0x%x",
435				   efdir->appl_template_tag);
436			continue;
437		}
438
439		if (efdir->appl_template_len > rlen - 2) {
440			wpa_printf(MSG_DEBUG, "SCARD: Too long application "
441				   "template (len=%d rlen=%d)",
442				   efdir->appl_template_len, rlen);
443			continue;
444		}
445
446		if (efdir->appl_id_tag != 0x4f) {
447			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "
448				   "identifier tag 0x%x", efdir->appl_id_tag);
449			continue;
450		}
451
452		if (efdir->aid_len < 1 || efdir->aid_len > 16) {
453			wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %d",
454				   efdir->aid_len);
455			continue;
456		}
457
458		wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record",
459			    efdir->rid, efdir->aid_len);
460
461		if (efdir->appl_code[0] == 0x10 &&
462		    efdir->appl_code[1] == 0x02) {
463			wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from "
464				   "EF_DIR record %d", rec);
465			break;
466		}
467	}
468
469	if (rec >= 10) {
470		wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found "
471			   "from EF_DIR records");
472		return -1;
473	}
474
475	if (efdir->aid_len > maxlen) {
476		wpa_printf(MSG_DEBUG, "SCARD: Too long AID");
477		return -1;
478	}
479
480	os_memcpy(aid, efdir->rid, efdir->aid_len);
481
482	return efdir->aid_len;
483}
484
485
486/**
487 * scard_init - Initialize SIM/USIM connection using PC/SC
488 * @sim_type: Allowed SIM types (SIM, USIM, or both)
489 * @reader: Reader name prefix to search for
490 * Returns: Pointer to private data structure, or %NULL on failure
491 *
492 * This function is used to initialize SIM/USIM connection. PC/SC is used to
493 * open connection to the SIM/USIM card and the card is verified to support the
494 * selected sim_type. In addition, local flag is set if a PIN is needed to
495 * access some of the card functions. Once the connection is not needed
496 * anymore, scard_deinit() can be used to close it.
497 */
498struct scard_data * scard_init(scard_sim_type sim_type, const char *reader)
499{
500	long ret;
501	unsigned long len, pos;
502	struct scard_data *scard;
503#ifdef CONFIG_NATIVE_WINDOWS
504	TCHAR *readers = NULL;
505#else /* CONFIG_NATIVE_WINDOWS */
506	char *readers = NULL;
507#endif /* CONFIG_NATIVE_WINDOWS */
508	unsigned char buf[100];
509	size_t blen;
510	int transaction = 0;
511	int pin_needed;
512
513	wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface");
514	if (mingw_load_symbols())
515		return NULL;
516	scard = os_zalloc(sizeof(*scard));
517	if (scard == NULL)
518		return NULL;
519
520	ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL,
521				    &scard->ctx);
522	if (ret != SCARD_S_SUCCESS) {
523		wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card "
524			   "context (err=%ld)", ret);
525		goto failed;
526	}
527
528	ret = SCardListReaders(scard->ctx, NULL, NULL, &len);
529	if (ret != SCARD_S_SUCCESS) {
530		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed "
531			   "(err=%ld)", ret);
532		goto failed;
533	}
534
535#ifdef UNICODE
536	len *= 2;
537#endif /* UNICODE */
538	readers = os_malloc(len);
539	if (readers == NULL) {
540		wpa_printf(MSG_INFO, "SCARD: malloc failed\n");
541		goto failed;
542	}
543
544	ret = SCardListReaders(scard->ctx, NULL, readers, &len);
545	if (ret != SCARD_S_SUCCESS) {
546		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) "
547			   "(err=%ld)", ret);
548		goto failed;
549	}
550	if (len < 3) {
551		wpa_printf(MSG_WARNING, "SCARD: No smart card readers "
552			   "available.");
553		goto failed;
554	}
555	wpa_hexdump_ascii(MSG_DEBUG, "SCARD: Readers", (u8 *) readers, len);
556	/*
557	 * readers is a list of available readers. The last entry is terminated
558	 * with double null.
559	 */
560	pos = 0;
561#ifdef UNICODE
562	/* TODO */
563#else /* UNICODE */
564	while (pos < len) {
565		if (reader == NULL ||
566		    os_strncmp(&readers[pos], reader, os_strlen(reader)) == 0)
567			break;
568		while (pos < len && readers[pos])
569			pos++;
570		pos++; /* skip separating null */
571		if (pos < len && readers[pos] == '\0')
572			pos = len; /* double null terminates list */
573	}
574#endif /* UNICODE */
575	if (pos >= len) {
576		wpa_printf(MSG_WARNING, "SCARD: No reader with prefix '%s' "
577			   "found", reader);
578		goto failed;
579	}
580
581#ifdef UNICODE
582	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", &readers[pos]);
583#else /* UNICODE */
584	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", &readers[pos]);
585#endif /* UNICODE */
586
587	ret = SCardConnect(scard->ctx, &readers[pos], SCARD_SHARE_SHARED,
588			   SCARD_PROTOCOL_T0 | SCARD_PROTOCOL_T1,
589			   &scard->card, &scard->protocol);
590	if (ret != SCARD_S_SUCCESS) {
591		if (ret == (long) SCARD_E_NO_SMARTCARD)
592			wpa_printf(MSG_INFO, "No smart card inserted.");
593		else
594			wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret);
595		goto failed;
596	}
597
598	os_free(readers);
599	readers = NULL;
600
601	wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)",
602		   (unsigned int) scard->card, scard->protocol,
603		   scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1");
604
605	ret = SCardBeginTransaction(scard->card);
606	if (ret != SCARD_S_SUCCESS) {
607		wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: "
608			   "0x%x", (unsigned int) ret);
609		goto failed;
610	}
611	transaction = 1;
612
613	blen = sizeof(buf);
614
615	scard->sim_type = SCARD_GSM_SIM;
616	if (sim_type == SCARD_USIM_ONLY || sim_type == SCARD_TRY_BOTH) {
617		wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support");
618		if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen,
619				       SCARD_USIM, NULL, 0)) {
620			wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported");
621			if (sim_type == SCARD_USIM_ONLY)
622				goto failed;
623			wpa_printf(MSG_DEBUG, "SCARD: Trying to use GSM SIM");
624			scard->sim_type = SCARD_GSM_SIM;
625		} else {
626			wpa_printf(MSG_DEBUG, "SCARD: USIM is supported");
627			scard->sim_type = SCARD_USIM;
628		}
629	}
630
631	if (scard->sim_type == SCARD_GSM_SIM) {
632		blen = sizeof(buf);
633		if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) {
634			wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF");
635			goto failed;
636		}
637
638		blen = sizeof(buf);
639		if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) {
640			wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF");
641			goto failed;
642		}
643	} else {
644		unsigned char aid[32];
645		int aid_len;
646
647		aid_len = scard_get_aid(scard, aid, sizeof(aid));
648		if (aid_len < 0) {
649			wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for "
650				   "3G USIM app - try to use standard 3G RID");
651			os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5);
652			aid_len = 5;
653		}
654		wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len);
655
656		/* Select based on AID = 3G RID from EF_DIR. This is usually
657		 * starting with A0 00 00 00 87. */
658		blen = sizeof(buf);
659		if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type,
660				       aid, aid_len)) {
661			wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM "
662				   "app");
663			wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID",
664				    aid, aid_len);
665			goto failed;
666		}
667	}
668
669	/* Verify whether CHV1 (PIN1) is needed to access the card. */
670	pin_needed = scard_pin_needed(scard, buf, blen);
671	if (pin_needed < 0) {
672		wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN "
673			   "is needed");
674		goto failed;
675	}
676	if (pin_needed) {
677		scard->pin1_required = 1;
678		wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access (retry "
679			   "counter=%d)", scard_get_pin_retry_counter(scard));
680	}
681
682	ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
683	if (ret != SCARD_S_SUCCESS) {
684		wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: "
685			   "0x%x", (unsigned int) ret);
686	}
687
688	return scard;
689
690failed:
691	if (transaction)
692		SCardEndTransaction(scard->card, SCARD_LEAVE_CARD);
693	os_free(readers);
694	scard_deinit(scard);
695	return NULL;
696}
697
698
699/**
700 * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands
701 * @scard: Pointer to private data from scard_init()
702 * @pin: PIN code as an ASCII string (e.g., "1234")
703 * Returns: 0 on success, -1 on failure
704 */
705int scard_set_pin(struct scard_data *scard, const char *pin)
706{
707	if (scard == NULL)
708		return -1;
709
710	/* Verify whether CHV1 (PIN1) is needed to access the card. */
711	if (scard->pin1_required) {
712		if (pin == NULL) {
713			wpa_printf(MSG_DEBUG, "No PIN configured for SIM "
714				   "access");
715			return -1;
716		}
717		if (scard_verify_pin(scard, pin)) {
718			wpa_printf(MSG_INFO, "PIN verification failed for "
719				"SIM access");
720			return -1;
721		}
722	}
723
724	return 0;
725}
726
727
728/**
729 * scard_deinit - Deinitialize SIM/USIM connection
730 * @scard: Pointer to private data from scard_init()
731 *
732 * This function closes the SIM/USIM connect opened with scard_init().
733 */
734void scard_deinit(struct scard_data *scard)
735{
736	long ret;
737
738	if (scard == NULL)
739		return;
740
741	wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface");
742	if (scard->card) {
743		ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD);
744		if (ret != SCARD_S_SUCCESS) {
745			wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect "
746				   "smart card (err=%ld)", ret);
747		}
748	}
749
750	if (scard->ctx) {
751		ret = SCardReleaseContext(scard->ctx);
752		if (ret != SCARD_S_SUCCESS) {
753			wpa_printf(MSG_DEBUG, "Failed to release smart card "
754				   "context (err=%ld)", ret);
755		}
756	}
757	os_free(scard);
758	mingw_unload_symbols();
759}
760
761
762static long scard_transmit(struct scard_data *scard,
763			   unsigned char *_send, size_t send_len,
764			   unsigned char *_recv, size_t *recv_len)
765{
766	long ret;
767	unsigned long rlen;
768
769	wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send",
770			_send, send_len);
771	rlen = *recv_len;
772	ret = SCardTransmit(scard->card,
773			    scard->protocol == SCARD_PROTOCOL_T1 ?
774			    SCARD_PCI_T1 : SCARD_PCI_T0,
775			    _send, (unsigned long) send_len,
776			    NULL, _recv, &rlen);
777	*recv_len = rlen;
778	if (ret == SCARD_S_SUCCESS) {
779		wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv",
780			    _recv, rlen);
781	} else {
782		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
783			   "(err=0x%lx)", ret);
784	}
785	return ret;
786}
787
788
789static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
790			      unsigned char *buf, size_t *buf_len,
791			      sim_types sim_type, unsigned char *aid,
792			      size_t aidlen)
793{
794	long ret;
795	unsigned char resp[3];
796	unsigned char cmd[50] = { SIM_CMD_SELECT };
797	int cmdlen;
798	unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
799	size_t len, rlen;
800
801	if (sim_type == SCARD_USIM) {
802		cmd[0] = USIM_CLA;
803		cmd[3] = 0x04;
804		get_resp[0] = USIM_CLA;
805	}
806
807	wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id);
808	if (aid) {
809		wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID",
810			    aid, aidlen);
811		if (5 + aidlen > sizeof(cmd))
812			return -1;
813		cmd[2] = 0x04; /* Select by AID */
814		cmd[4] = aidlen; /* len */
815		os_memcpy(cmd + 5, aid, aidlen);
816		cmdlen = 5 + aidlen;
817	} else {
818		cmd[5] = file_id >> 8;
819		cmd[6] = file_id & 0xff;
820		cmdlen = 7;
821	}
822	len = sizeof(resp);
823	ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
824	if (ret != SCARD_S_SUCCESS) {
825		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
826			   "(err=0x%lx)", ret);
827		return -1;
828	}
829
830	if (len != 2) {
831		wpa_printf(MSG_WARNING, "SCARD: unexpected resp len "
832			   "%d (expected 2)", (int) len);
833		return -1;
834	}
835
836	if (resp[0] == 0x98 && resp[1] == 0x04) {
837		/* Security status not satisfied (PIN_WLAN) */
838		wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied "
839			   "(PIN_WLAN)");
840		return -1;
841	}
842
843	if (resp[0] == 0x6e) {
844		wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported");
845		return -1;
846	}
847
848	if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) {
849		wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x "
850			   "(expected 0x61, 0x6c, or 0x9f)", resp[0]);
851		return -1;
852	}
853	/* Normal ending of command; resp[1] bytes available */
854	get_resp[4] = resp[1];
855	wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)",
856		   resp[1]);
857
858	rlen = *buf_len;
859	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen);
860	if (ret == SCARD_S_SUCCESS) {
861		*buf_len = resp[1] < rlen ? resp[1] : rlen;
862		return 0;
863	}
864
865	wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret);
866	return -1;
867}
868
869
870static int scard_select_file(struct scard_data *scard, unsigned short file_id,
871			     unsigned char *buf, size_t *buf_len)
872{
873	return _scard_select_file(scard, file_id, buf, buf_len,
874				  scard->sim_type, NULL, 0);
875}
876
877
878static int scard_get_record_len(struct scard_data *scard, unsigned char recnum,
879				unsigned char mode)
880{
881	unsigned char buf[255];
882	unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
883	size_t blen;
884	long ret;
885
886	if (scard->sim_type == SCARD_USIM)
887		cmd[0] = USIM_CLA;
888	cmd[2] = recnum;
889	cmd[3] = mode;
890	cmd[4] = sizeof(buf);
891
892	blen = sizeof(buf);
893	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
894	if (ret != SCARD_S_SUCCESS) {
895		wpa_printf(MSG_DEBUG, "SCARD: failed to determine file "
896			   "length for record %d", recnum);
897		return -1;
898	}
899
900	wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response",
901		    buf, blen);
902
903	if (blen < 2 || (buf[0] != 0x6c && buf[0] != 0x67)) {
904		wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file "
905			   "length determination");
906		return -1;
907	}
908
909	return buf[1];
910}
911
912
913static int scard_read_record(struct scard_data *scard,
914			     unsigned char *data, size_t len,
915			     unsigned char recnum, unsigned char mode)
916{
917	unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ };
918	size_t blen = len + 3;
919	unsigned char *buf;
920	long ret;
921
922	if (scard->sim_type == SCARD_USIM)
923		cmd[0] = USIM_CLA;
924	cmd[2] = recnum;
925	cmd[3] = mode;
926	cmd[4] = len;
927
928	buf = os_malloc(blen);
929	if (buf == NULL)
930		return -1;
931
932	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
933	if (ret != SCARD_S_SUCCESS) {
934		os_free(buf);
935		return -2;
936	}
937	if (blen != len + 2) {
938		wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
939			   "length %ld (expected %ld)",
940			   (long) blen, (long) len + 2);
941		os_free(buf);
942		return -3;
943	}
944
945	if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
946		wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected "
947			   "status %02x %02x (expected 90 00)",
948			   buf[len], buf[len + 1]);
949		os_free(buf);
950		return -4;
951	}
952
953	os_memcpy(data, buf, len);
954	os_free(buf);
955
956	return 0;
957}
958
959
960static int scard_read_file(struct scard_data *scard,
961			   unsigned char *data, size_t len)
962{
963	unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ };
964	size_t blen = len + 3;
965	unsigned char *buf;
966	long ret;
967
968	cmd[4] = len;
969
970	buf = os_malloc(blen);
971	if (buf == NULL)
972		return -1;
973
974	if (scard->sim_type == SCARD_USIM)
975		cmd[0] = USIM_CLA;
976	ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
977	if (ret != SCARD_S_SUCCESS) {
978		os_free(buf);
979		return -2;
980	}
981	if (blen != len + 2) {
982		wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
983			   "length %ld (expected %ld)",
984			   (long) blen, (long) len + 2);
985		os_free(buf);
986		return -3;
987	}
988
989	if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
990		wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
991			   "status %02x %02x (expected 90 00)",
992			   buf[len], buf[len + 1]);
993		os_free(buf);
994		return -4;
995	}
996
997	os_memcpy(data, buf, len);
998	os_free(buf);
999
1000	return 0;
1001}
1002
1003
1004static int scard_verify_pin(struct scard_data *scard, const char *pin)
1005{
1006	long ret;
1007	unsigned char resp[3];
1008	unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 };
1009	size_t len;
1010
1011	wpa_printf(MSG_DEBUG, "SCARD: verifying PIN");
1012
1013	if (pin == NULL || os_strlen(pin) > 8)
1014		return -1;
1015
1016	if (scard->sim_type == SCARD_USIM)
1017		cmd[0] = USIM_CLA;
1018	os_memcpy(cmd + 5, pin, os_strlen(pin));
1019	os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin));
1020
1021	len = sizeof(resp);
1022	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1023	if (ret != SCARD_S_SUCCESS)
1024		return -2;
1025
1026	if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) {
1027		wpa_printf(MSG_WARNING, "SCARD: PIN verification failed");
1028		return -1;
1029	}
1030
1031	wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully");
1032	return 0;
1033}
1034
1035
1036int scard_get_pin_retry_counter(struct scard_data *scard)
1037{
1038	long ret;
1039	unsigned char resp[3];
1040	unsigned char cmd[5] = { SIM_CMD_VERIFY_CHV1 };
1041	size_t len;
1042	u16 val;
1043
1044	wpa_printf(MSG_DEBUG, "SCARD: fetching PIN retry counter");
1045
1046	if (scard->sim_type == SCARD_USIM)
1047		cmd[0] = USIM_CLA;
1048	cmd[4] = 0; /* Empty data */
1049
1050	len = sizeof(resp);
1051	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1052	if (ret != SCARD_S_SUCCESS)
1053		return -2;
1054
1055	if (len != 2) {
1056		wpa_printf(MSG_WARNING, "SCARD: failed to fetch PIN retry "
1057			   "counter");
1058		return -1;
1059	}
1060
1061	val = WPA_GET_BE16(resp);
1062	if (val == 0x63c0 || val == 0x6983) {
1063		wpa_printf(MSG_DEBUG, "SCARD: PIN has been blocked");
1064		return 0;
1065	}
1066
1067	if (val >= 0x63c0 && val <= 0x63cf)
1068		return val & 0x000f;
1069
1070	wpa_printf(MSG_DEBUG, "SCARD: Unexpected PIN retry counter response "
1071		   "value 0x%x", val);
1072	return 0;
1073}
1074
1075
1076/**
1077 * scard_get_imsi - Read IMSI from SIM/USIM card
1078 * @scard: Pointer to private data from scard_init()
1079 * @imsi: Buffer for IMSI
1080 * @len: Length of imsi buffer; set to IMSI length on success
1081 * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file
1082 * selection returns invalid result code, -3 if parsing FSP template file fails
1083 * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set
1084 * to needed length), -5 if reading IMSI file fails.
1085 *
1086 * This function can be used to read IMSI from the SIM/USIM card. If the IMSI
1087 * file is PIN protected, scard_set_pin() must have been used to set the
1088 * correct PIN code before calling scard_get_imsi().
1089 */
1090int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len)
1091{
1092	unsigned char buf[100];
1093	size_t blen, imsilen, i;
1094	char *pos;
1095
1096	wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI");
1097	blen = sizeof(buf);
1098	if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen))
1099		return -1;
1100	if (blen < 4) {
1101		wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI "
1102			   "header (len=%ld)", (long) blen);
1103		return -2;
1104	}
1105
1106	if (scard->sim_type == SCARD_GSM_SIM) {
1107		blen = (buf[2] << 8) | buf[3];
1108	} else {
1109		int file_size;
1110		if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
1111			return -3;
1112		blen = file_size;
1113	}
1114	if (blen < 2 || blen > sizeof(buf)) {
1115		wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld",
1116			   (long) blen);
1117		return -3;
1118	}
1119
1120	imsilen = (blen - 2) * 2 + 1;
1121	wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld",
1122		   (long) blen, (long) imsilen);
1123	if (blen < 2 || imsilen > *len) {
1124		*len = imsilen;
1125		return -4;
1126	}
1127
1128	if (scard_read_file(scard, buf, blen))
1129		return -5;
1130
1131	pos = imsi;
1132	*pos++ = '0' + (buf[1] >> 4 & 0x0f);
1133	for (i = 2; i < blen; i++) {
1134		unsigned char digit;
1135
1136		digit = buf[i] & 0x0f;
1137		if (digit < 10)
1138			*pos++ = '0' + digit;
1139		else
1140			imsilen--;
1141
1142		digit = buf[i] >> 4 & 0x0f;
1143		if (digit < 10)
1144			*pos++ = '0' + digit;
1145		else
1146			imsilen--;
1147	}
1148	*len = imsilen;
1149
1150	return 0;
1151}
1152
1153
1154/**
1155 * scard_get_mnc_len - Read length of MNC in the IMSI from SIM/USIM card
1156 * @scard: Pointer to private data from scard_init()
1157 * Returns: length (>0) on success, -1 if administrative data file cannot be
1158 * selected, -2 if administrative data file selection returns invalid result
1159 * code, -3 if parsing FSP template file fails (USIM only), -4 if length of
1160 * the file is unexpected, -5 if reading file fails, -6 if MNC length is not
1161 * in range (i.e. 2 or 3), -7 if MNC length is not available.
1162 *
1163 */
1164int scard_get_mnc_len(struct scard_data *scard)
1165{
1166	unsigned char buf[100];
1167	size_t blen;
1168	int file_size;
1169
1170	wpa_printf(MSG_DEBUG, "SCARD: reading MNC len from (GSM) EF-AD");
1171	blen = sizeof(buf);
1172	if (scard_select_file(scard, SCARD_FILE_GSM_EF_AD, buf, &blen))
1173		return -1;
1174	if (blen < 4) {
1175		wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-AD "
1176			   "header (len=%ld)", (long) blen);
1177		return -2;
1178	}
1179
1180	if (scard->sim_type == SCARD_GSM_SIM) {
1181		file_size = (buf[2] << 8) | buf[3];
1182	} else {
1183		if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
1184			return -3;
1185	}
1186	if (file_size == 3) {
1187		wpa_printf(MSG_DEBUG, "SCARD: MNC length not available");
1188		return -7;
1189	}
1190	if (file_size < 4 || file_size > (int) sizeof(buf)) {
1191		wpa_printf(MSG_DEBUG, "SCARD: invalid file length=%ld",
1192			   (long) file_size);
1193		return -4;
1194	}
1195
1196	if (scard_read_file(scard, buf, file_size))
1197		return -5;
1198	buf[3] = buf[3] & 0x0f; /* upper nibble reserved for future use  */
1199	if (buf[3] < 2 || buf[3] > 3) {
1200		wpa_printf(MSG_DEBUG, "SCARD: invalid MNC length=%ld",
1201			   (long) buf[3]);
1202		return -6;
1203	}
1204	wpa_printf(MSG_DEBUG, "SCARD: MNC length=%ld", (long) buf[3]);
1205	return buf[3];
1206}
1207
1208
1209/**
1210 * scard_gsm_auth - Run GSM authentication command on SIM card
1211 * @scard: Pointer to private data from scard_init()
1212 * @_rand: 16-byte RAND value from HLR/AuC
1213 * @sres: 4-byte buffer for SRES
1214 * @kc: 8-byte buffer for Kc
1215 * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized,
1216 * -2 if authentication command execution fails, -3 if unknown response code
1217 * for authentication command is received, -4 if reading of response fails,
1218 * -5 if if response data is of unexpected length
1219 *
1220 * This function performs GSM authentication using SIM/USIM card and the
1221 * provided RAND value from HLR/AuC. If authentication command can be completed
1222 * successfully, SRES and Kc values will be written into sres and kc buffers.
1223 */
1224int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand,
1225		   unsigned char *sres, unsigned char *kc)
1226{
1227	unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG };
1228	int cmdlen;
1229	unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
1230	unsigned char resp[3], buf[12 + 3 + 2];
1231	size_t len;
1232	long ret;
1233
1234	if (scard == NULL)
1235		return -1;
1236
1237	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16);
1238	if (scard->sim_type == SCARD_GSM_SIM) {
1239		cmdlen = 5 + 16;
1240		os_memcpy(cmd + 5, _rand, 16);
1241	} else {
1242		cmdlen = 5 + 1 + 16;
1243		cmd[0] = USIM_CLA;
1244		cmd[3] = 0x80;
1245		cmd[4] = 17;
1246		cmd[5] = 16;
1247		os_memcpy(cmd + 6, _rand, 16);
1248	}
1249	len = sizeof(resp);
1250	ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
1251	if (ret != SCARD_S_SUCCESS)
1252		return -2;
1253
1254	if ((scard->sim_type == SCARD_GSM_SIM &&
1255	     (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) ||
1256	    (scard->sim_type == SCARD_USIM &&
1257	     (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) {
1258		wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM "
1259			   "auth request (len=%ld resp=%02x %02x)",
1260			   (long) len, resp[0], resp[1]);
1261		return -3;
1262	}
1263	get_resp[4] = resp[1];
1264
1265	len = sizeof(buf);
1266	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
1267	if (ret != SCARD_S_SUCCESS)
1268		return -4;
1269
1270	if (scard->sim_type == SCARD_GSM_SIM) {
1271		if (len != 4 + 8 + 2) {
1272			wpa_printf(MSG_WARNING, "SCARD: unexpected data "
1273				   "length for GSM auth (len=%ld, expected 14)",
1274				   (long) len);
1275			return -5;
1276		}
1277		os_memcpy(sres, buf, 4);
1278		os_memcpy(kc, buf + 4, 8);
1279	} else {
1280		if (len != 1 + 4 + 1 + 8 + 2) {
1281			wpa_printf(MSG_WARNING, "SCARD: unexpected data "
1282				   "length for USIM auth (len=%ld, "
1283				   "expected 16)", (long) len);
1284			return -5;
1285		}
1286		if (buf[0] != 4 || buf[5] != 8) {
1287			wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc "
1288				   "length (%d %d, expected 4 8)",
1289				   buf[0], buf[5]);
1290		}
1291		os_memcpy(sres, buf + 1, 4);
1292		os_memcpy(kc, buf + 6, 8);
1293	}
1294
1295	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4);
1296	wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8);
1297
1298	return 0;
1299}
1300
1301
1302/**
1303 * scard_umts_auth - Run UMTS authentication command on USIM card
1304 * @scard: Pointer to private data from scard_init()
1305 * @_rand: 16-byte RAND value from HLR/AuC
1306 * @autn: 16-byte AUTN value from HLR/AuC
1307 * @res: 16-byte buffer for RES
1308 * @res_len: Variable that will be set to RES length
1309 * @ik: 16-byte buffer for IK
1310 * @ck: 16-byte buffer for CK
1311 * @auts: 14-byte buffer for AUTS
1312 * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization
1313 * failure
1314 *
1315 * This function performs AKA authentication using USIM card and the provided
1316 * RAND and AUTN values from HLR/AuC. If authentication command can be
1317 * completed successfully, RES, IK, and CK values will be written into provided
1318 * buffers and res_len is set to length of received RES value. If USIM reports
1319 * synchronization failure, the received AUTS value will be written into auts
1320 * buffer. In this case, RES, IK, and CK are not valid.
1321 */
1322int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand,
1323		    const unsigned char *autn,
1324		    unsigned char *res, size_t *res_len,
1325		    unsigned char *ik, unsigned char *ck, unsigned char *auts)
1326{
1327	unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] =
1328		{ USIM_CMD_RUN_UMTS_ALG };
1329	unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE };
1330	unsigned char resp[3], buf[64], *pos, *end;
1331	size_t len;
1332	long ret;
1333
1334	if (scard == NULL)
1335		return -1;
1336
1337	if (scard->sim_type == SCARD_GSM_SIM) {
1338		wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS "
1339			   "auth");
1340		return -1;
1341	}
1342
1343	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN);
1344	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN);
1345	cmd[5] = AKA_RAND_LEN;
1346	os_memcpy(cmd + 6, _rand, AKA_RAND_LEN);
1347	cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN;
1348	os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN);
1349
1350	len = sizeof(resp);
1351	ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
1352	if (ret != SCARD_S_SUCCESS)
1353		return -1;
1354
1355	if (len <= sizeof(resp))
1356		wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len);
1357
1358	if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) {
1359		wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - "
1360			   "MAC != XMAC");
1361		return -1;
1362	} else if (len != 2 || resp[0] != 0x61) {
1363		wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS "
1364			   "auth request (len=%ld resp=%02x %02x)",
1365			   (long) len, resp[0], resp[1]);
1366		return -1;
1367	}
1368	get_resp[4] = resp[1];
1369
1370	len = sizeof(buf);
1371	ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
1372	if (ret != SCARD_S_SUCCESS || len > sizeof(buf))
1373		return -1;
1374
1375	wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len);
1376	if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc &&
1377	    buf[1] == AKA_AUTS_LEN) {
1378		wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure");
1379		os_memcpy(auts, buf + 2, AKA_AUTS_LEN);
1380		wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN);
1381		return -2;
1382	} else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) {
1383		pos = buf + 1;
1384		end = buf + len;
1385
1386		/* RES */
1387		if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) {
1388			wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
1389			return -1;
1390		}
1391		*res_len = *pos++;
1392		os_memcpy(res, pos, *res_len);
1393		pos += *res_len;
1394		wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
1395
1396		/* CK */
1397		if (pos[0] != CK_LEN || pos + CK_LEN > end) {
1398			wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
1399			return -1;
1400		}
1401		pos++;
1402		os_memcpy(ck, pos, CK_LEN);
1403		pos += CK_LEN;
1404		wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
1405
1406		/* IK */
1407		if (pos[0] != IK_LEN || pos + IK_LEN > end) {
1408			wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
1409			return -1;
1410		}
1411		pos++;
1412		os_memcpy(ik, pos, IK_LEN);
1413		pos += IK_LEN;
1414		wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN);
1415
1416		return 0;
1417	}
1418
1419	wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response");
1420	return -1;
1421}
1422
1423
1424int scard_supports_umts(struct scard_data *scard)
1425{
1426	return scard->sim_type == SCARD_USIM;
1427}
1428