The Android Open Source Project | 845e012 | 2009-03-03 19:31:34 -0800 | [diff] [blame] | 1 | /* |
| 2 | * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM |
| 3 | * Copyright (c) 2004-2007, Jouni Malinen <j@w1.fi> |
| 4 | * |
| 5 | * This program is free software; you can redistribute it and/or modify |
| 6 | * it under the terms of the GNU General Public License version 2 as |
| 7 | * published by the Free Software Foundation. |
| 8 | * |
| 9 | * Alternatively, this software may be distributed under the terms of BSD |
| 10 | * license. |
| 11 | * |
| 12 | * See README and COPYING for more details. |
| 13 | * |
| 14 | * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM |
| 15 | * cards through PC/SC smartcard library. These functions are used to implement |
| 16 | * authentication routines for EAP-SIM and EAP-AKA. |
| 17 | */ |
| 18 | |
| 19 | #include "includes.h" |
| 20 | #include <winscard.h> |
| 21 | |
| 22 | #include "common.h" |
| 23 | #include "pcsc_funcs.h" |
| 24 | |
| 25 | |
| 26 | /* See ETSI GSM 11.11 and ETSI TS 102 221 for details. |
| 27 | * SIM commands: |
| 28 | * Command APDU: CLA INS P1 P2 P3 Data |
| 29 | * CLA (class of instruction): A0 for GSM, 00 for USIM |
| 30 | * INS (instruction) |
| 31 | * P1 P2 P3 (parameters, P3 = length of Data) |
| 32 | * Response APDU: Data SW1 SW2 |
| 33 | * SW1 SW2 (Status words) |
| 34 | * Commands (INS P1 P2 P3): |
| 35 | * SELECT: A4 00 00 02 <file_id, 2 bytes> |
| 36 | * GET RESPONSE: C0 00 00 <len> |
| 37 | * RUN GSM ALG: 88 00 00 00 <RAND len = 10> |
| 38 | * RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN |
| 39 | * P1 = ID of alg in card |
| 40 | * P2 = ID of secret key |
| 41 | * READ BINARY: B0 <offset high> <offset low> <len> |
| 42 | * READ RECORD: B2 <record number> <mode> <len> |
| 43 | * P2 (mode) = '02' (next record), '03' (previous record), |
| 44 | * '04' (absolute mode) |
| 45 | * VERIFY CHV: 20 00 <CHV number> 08 |
| 46 | * CHANGE CHV: 24 00 <CHV number> 10 |
| 47 | * DISABLE CHV: 26 00 01 08 |
| 48 | * ENABLE CHV: 28 00 01 08 |
| 49 | * UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10 |
| 50 | * SLEEP: FA 00 00 00 |
| 51 | */ |
| 52 | |
| 53 | /* GSM SIM commands */ |
| 54 | #define SIM_CMD_SELECT 0xa0, 0xa4, 0x00, 0x00, 0x02 |
| 55 | #define SIM_CMD_RUN_GSM_ALG 0xa0, 0x88, 0x00, 0x00, 0x10 |
| 56 | #define SIM_CMD_GET_RESPONSE 0xa0, 0xc0, 0x00, 0x00 |
| 57 | #define SIM_CMD_READ_BIN 0xa0, 0xb0, 0x00, 0x00 |
| 58 | #define SIM_CMD_READ_RECORD 0xa0, 0xb2, 0x00, 0x00 |
| 59 | #define SIM_CMD_VERIFY_CHV1 0xa0, 0x20, 0x00, 0x01, 0x08 |
| 60 | |
| 61 | /* USIM commands */ |
| 62 | #define USIM_CLA 0x00 |
| 63 | #define USIM_CMD_RUN_UMTS_ALG 0x00, 0x88, 0x00, 0x81, 0x22 |
| 64 | #define USIM_CMD_GET_RESPONSE 0x00, 0xc0, 0x00, 0x00 |
| 65 | |
| 66 | #define SIM_RECORD_MODE_ABSOLUTE 0x04 |
| 67 | |
| 68 | #define USIM_FSP_TEMPL_TAG 0x62 |
| 69 | |
| 70 | #define USIM_TLV_FILE_DESC 0x82 |
| 71 | #define USIM_TLV_FILE_ID 0x83 |
| 72 | #define USIM_TLV_DF_NAME 0x84 |
| 73 | #define USIM_TLV_PROPR_INFO 0xA5 |
| 74 | #define USIM_TLV_LIFE_CYCLE_STATUS 0x8A |
| 75 | #define USIM_TLV_FILE_SIZE 0x80 |
| 76 | #define USIM_TLV_TOTAL_FILE_SIZE 0x81 |
| 77 | #define USIM_TLV_PIN_STATUS_TEMPLATE 0xC6 |
| 78 | #define USIM_TLV_SHORT_FILE_ID 0x88 |
| 79 | |
| 80 | #define USIM_PS_DO_TAG 0x90 |
| 81 | |
| 82 | #define AKA_RAND_LEN 16 |
| 83 | #define AKA_AUTN_LEN 16 |
| 84 | #define AKA_AUTS_LEN 14 |
| 85 | #define RES_MAX_LEN 16 |
| 86 | #define IK_LEN 16 |
| 87 | #define CK_LEN 16 |
| 88 | |
| 89 | |
| 90 | typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types; |
| 91 | |
| 92 | struct scard_data { |
| 93 | SCARDCONTEXT ctx; |
| 94 | SCARDHANDLE card; |
| 95 | DWORD protocol; |
| 96 | sim_types sim_type; |
| 97 | int pin1_required; |
| 98 | }; |
| 99 | |
| 100 | #ifdef __MINGW32_VERSION |
| 101 | /* MinGW does not yet support WinScard, so load the needed functions |
| 102 | * dynamically from winscard.dll for now. */ |
| 103 | |
| 104 | static HINSTANCE dll = NULL; /* winscard.dll */ |
| 105 | |
| 106 | static const SCARD_IO_REQUEST *dll_g_rgSCardT0Pci, *dll_g_rgSCardT1Pci; |
| 107 | #undef SCARD_PCI_T0 |
| 108 | #define SCARD_PCI_T0 (dll_g_rgSCardT0Pci) |
| 109 | #undef SCARD_PCI_T1 |
| 110 | #define SCARD_PCI_T1 (dll_g_rgSCardT1Pci) |
| 111 | |
| 112 | |
| 113 | static WINSCARDAPI LONG WINAPI |
| 114 | (*dll_SCardEstablishContext)(IN DWORD dwScope, |
| 115 | IN LPCVOID pvReserved1, |
| 116 | IN LPCVOID pvReserved2, |
| 117 | OUT LPSCARDCONTEXT phContext); |
| 118 | #define SCardEstablishContext dll_SCardEstablishContext |
| 119 | |
| 120 | static long (*dll_SCardReleaseContext)(long hContext); |
| 121 | #define SCardReleaseContext dll_SCardReleaseContext |
| 122 | |
| 123 | static WINSCARDAPI LONG WINAPI |
| 124 | (*dll_SCardListReadersA)(IN SCARDCONTEXT hContext, |
| 125 | IN LPCSTR mszGroups, |
| 126 | OUT LPSTR mszReaders, |
| 127 | IN OUT LPDWORD pcchReaders); |
| 128 | #undef SCardListReaders |
| 129 | #define SCardListReaders dll_SCardListReadersA |
| 130 | |
| 131 | static WINSCARDAPI LONG WINAPI |
| 132 | (*dll_SCardConnectA)(IN SCARDCONTEXT hContext, |
| 133 | IN LPCSTR szReader, |
| 134 | IN DWORD dwShareMode, |
| 135 | IN DWORD dwPreferredProtocols, |
| 136 | OUT LPSCARDHANDLE phCard, |
| 137 | OUT LPDWORD pdwActiveProtocol); |
| 138 | #undef SCardConnect |
| 139 | #define SCardConnect dll_SCardConnectA |
| 140 | |
| 141 | static WINSCARDAPI LONG WINAPI |
| 142 | (*dll_SCardDisconnect)(IN SCARDHANDLE hCard, |
| 143 | IN DWORD dwDisposition); |
| 144 | #define SCardDisconnect dll_SCardDisconnect |
| 145 | |
| 146 | static WINSCARDAPI LONG WINAPI |
| 147 | (*dll_SCardTransmit)(IN SCARDHANDLE hCard, |
| 148 | IN LPCSCARD_IO_REQUEST pioSendPci, |
| 149 | IN LPCBYTE pbSendBuffer, |
| 150 | IN DWORD cbSendLength, |
| 151 | IN OUT LPSCARD_IO_REQUEST pioRecvPci, |
| 152 | OUT LPBYTE pbRecvBuffer, |
| 153 | IN OUT LPDWORD pcbRecvLength); |
| 154 | #define SCardTransmit dll_SCardTransmit |
| 155 | |
| 156 | static WINSCARDAPI LONG WINAPI |
| 157 | (*dll_SCardBeginTransaction)(IN SCARDHANDLE hCard); |
| 158 | #define SCardBeginTransaction dll_SCardBeginTransaction |
| 159 | |
| 160 | static WINSCARDAPI LONG WINAPI |
| 161 | (*dll_SCardEndTransaction)(IN SCARDHANDLE hCard, IN DWORD dwDisposition); |
| 162 | #define SCardEndTransaction dll_SCardEndTransaction |
| 163 | |
| 164 | |
| 165 | static int mingw_load_symbols(void) |
| 166 | { |
| 167 | char *sym; |
| 168 | |
| 169 | if (dll) |
| 170 | return 0; |
| 171 | |
| 172 | dll = LoadLibrary("winscard"); |
| 173 | if (dll == NULL) { |
| 174 | wpa_printf(MSG_DEBUG, "WinSCard: Could not load winscard.dll " |
| 175 | "library"); |
| 176 | return -1; |
| 177 | } |
| 178 | |
| 179 | #define LOADSYM(s) \ |
| 180 | sym = #s; \ |
| 181 | dll_ ## s = (void *) GetProcAddress(dll, sym); \ |
| 182 | if (dll_ ## s == NULL) \ |
| 183 | goto fail; |
| 184 | |
| 185 | LOADSYM(SCardEstablishContext); |
| 186 | LOADSYM(SCardReleaseContext); |
| 187 | LOADSYM(SCardListReadersA); |
| 188 | LOADSYM(SCardConnectA); |
| 189 | LOADSYM(SCardDisconnect); |
| 190 | LOADSYM(SCardTransmit); |
| 191 | LOADSYM(SCardBeginTransaction); |
| 192 | LOADSYM(SCardEndTransaction); |
| 193 | LOADSYM(g_rgSCardT0Pci); |
| 194 | LOADSYM(g_rgSCardT1Pci); |
| 195 | |
| 196 | #undef LOADSYM |
| 197 | |
| 198 | return 0; |
| 199 | |
| 200 | fail: |
| 201 | wpa_printf(MSG_DEBUG, "WinSCard: Could not get address for %s from " |
| 202 | "winscard.dll", sym); |
| 203 | FreeLibrary(dll); |
| 204 | dll = NULL; |
| 205 | return -1; |
| 206 | } |
| 207 | |
| 208 | |
| 209 | static void mingw_unload_symbols(void) |
| 210 | { |
| 211 | if (dll == NULL) |
| 212 | return; |
| 213 | |
| 214 | FreeLibrary(dll); |
| 215 | dll = NULL; |
| 216 | } |
| 217 | |
| 218 | #else /* __MINGW32_VERSION */ |
| 219 | |
| 220 | #define mingw_load_symbols() 0 |
| 221 | #define mingw_unload_symbols() do { } while (0) |
| 222 | |
| 223 | #endif /* __MINGW32_VERSION */ |
| 224 | |
| 225 | |
| 226 | static int _scard_select_file(struct scard_data *scard, unsigned short file_id, |
| 227 | unsigned char *buf, size_t *buf_len, |
| 228 | sim_types sim_type, unsigned char *aid, |
| 229 | size_t aidlen); |
| 230 | static int scard_select_file(struct scard_data *scard, unsigned short file_id, |
| 231 | unsigned char *buf, size_t *buf_len); |
| 232 | static int scard_verify_pin(struct scard_data *scard, const char *pin); |
| 233 | static int scard_get_record_len(struct scard_data *scard, |
| 234 | unsigned char recnum, unsigned char mode); |
| 235 | static int scard_read_record(struct scard_data *scard, |
| 236 | unsigned char *data, size_t len, |
| 237 | unsigned char recnum, unsigned char mode); |
| 238 | |
| 239 | |
| 240 | static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len, |
| 241 | int *ps_do, int *file_len) |
| 242 | { |
| 243 | unsigned char *pos, *end; |
| 244 | |
| 245 | if (ps_do) |
| 246 | *ps_do = -1; |
| 247 | if (file_len) |
| 248 | *file_len = -1; |
| 249 | |
| 250 | pos = buf; |
| 251 | end = pos + buf_len; |
| 252 | if (*pos != USIM_FSP_TEMPL_TAG) { |
| 253 | wpa_printf(MSG_DEBUG, "SCARD: file header did not " |
| 254 | "start with FSP template tag"); |
| 255 | return -1; |
| 256 | } |
| 257 | pos++; |
| 258 | if (pos >= end) |
| 259 | return -1; |
| 260 | if ((pos + pos[0]) < end) |
| 261 | end = pos + 1 + pos[0]; |
| 262 | pos++; |
| 263 | wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template", |
| 264 | pos, end - pos); |
| 265 | |
| 266 | while (pos + 1 < end) { |
| 267 | wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV " |
| 268 | "0x%02x len=%d", pos[0], pos[1]); |
| 269 | if (pos + 2 + pos[1] > end) |
| 270 | break; |
| 271 | |
| 272 | if (pos[0] == USIM_TLV_FILE_SIZE && |
| 273 | (pos[1] == 1 || pos[1] == 2) && file_len) { |
| 274 | if (pos[1] == 1) |
| 275 | *file_len = (int) pos[2]; |
| 276 | else |
| 277 | *file_len = ((int) pos[2] << 8) | |
| 278 | (int) pos[3]; |
| 279 | wpa_printf(MSG_DEBUG, "SCARD: file_size=%d", |
| 280 | *file_len); |
| 281 | } |
| 282 | |
| 283 | if (pos[0] == USIM_TLV_PIN_STATUS_TEMPLATE && |
| 284 | pos[1] >= 2 && pos[2] == USIM_PS_DO_TAG && |
| 285 | pos[3] >= 1 && ps_do) { |
| 286 | wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x", |
| 287 | pos[4]); |
| 288 | *ps_do = (int) pos[4]; |
| 289 | } |
| 290 | |
| 291 | pos += 2 + pos[1]; |
| 292 | |
| 293 | if (pos == end) |
| 294 | return 0; |
| 295 | } |
| 296 | return -1; |
| 297 | } |
| 298 | |
| 299 | |
| 300 | static int scard_pin_needed(struct scard_data *scard, |
| 301 | unsigned char *hdr, size_t hlen) |
| 302 | { |
| 303 | if (scard->sim_type == SCARD_GSM_SIM) { |
| 304 | if (hlen > SCARD_CHV1_OFFSET && |
| 305 | !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG)) |
| 306 | return 1; |
| 307 | return 0; |
| 308 | } |
| 309 | |
| 310 | if (scard->sim_type == SCARD_USIM) { |
| 311 | int ps_do; |
| 312 | if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL)) |
| 313 | return -1; |
| 314 | /* TODO: there could be more than one PS_DO entry because of |
| 315 | * multiple PINs in key reference.. */ |
| 316 | if (ps_do > 0 && (ps_do & 0x80)) |
| 317 | return 1; |
| 318 | return 0; |
| 319 | } |
| 320 | |
| 321 | return -1; |
| 322 | } |
| 323 | |
| 324 | |
| 325 | static int scard_get_aid(struct scard_data *scard, unsigned char *aid, |
| 326 | size_t maxlen) |
| 327 | { |
| 328 | int rlen, rec; |
| 329 | struct efdir { |
| 330 | unsigned char appl_template_tag; /* 0x61 */ |
| 331 | unsigned char appl_template_len; |
| 332 | unsigned char appl_id_tag; /* 0x4f */ |
| 333 | unsigned char aid_len; |
| 334 | unsigned char rid[5]; |
| 335 | unsigned char appl_code[2]; /* 0x1002 for 3G USIM */ |
| 336 | } *efdir; |
| 337 | unsigned char buf[100]; |
| 338 | size_t blen; |
| 339 | |
| 340 | efdir = (struct efdir *) buf; |
| 341 | blen = sizeof(buf); |
| 342 | if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) { |
| 343 | wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR"); |
| 344 | return -1; |
| 345 | } |
| 346 | wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen); |
| 347 | |
| 348 | for (rec = 1; rec < 10; rec++) { |
| 349 | rlen = scard_get_record_len(scard, rec, |
| 350 | SIM_RECORD_MODE_ABSOLUTE); |
| 351 | if (rlen < 0) { |
| 352 | wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR " |
| 353 | "record length"); |
| 354 | return -1; |
| 355 | } |
| 356 | blen = sizeof(buf); |
| 357 | if (rlen > (int) blen) { |
| 358 | wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record"); |
| 359 | return -1; |
| 360 | } |
| 361 | if (scard_read_record(scard, buf, rlen, rec, |
| 362 | SIM_RECORD_MODE_ABSOLUTE) < 0) { |
| 363 | wpa_printf(MSG_DEBUG, "SCARD: Failed to read " |
| 364 | "EF_DIR record %d", rec); |
| 365 | return -1; |
| 366 | } |
| 367 | wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen); |
| 368 | |
| 369 | if (efdir->appl_template_tag != 0x61) { |
| 370 | wpa_printf(MSG_DEBUG, "SCARD: Unexpected application " |
| 371 | "template tag 0x%x", |
| 372 | efdir->appl_template_tag); |
| 373 | continue; |
| 374 | } |
| 375 | |
| 376 | if (efdir->appl_template_len > rlen - 2) { |
| 377 | wpa_printf(MSG_DEBUG, "SCARD: Too long application " |
| 378 | "template (len=%d rlen=%d)", |
| 379 | efdir->appl_template_len, rlen); |
| 380 | continue; |
| 381 | } |
| 382 | |
| 383 | if (efdir->appl_id_tag != 0x4f) { |
| 384 | wpa_printf(MSG_DEBUG, "SCARD: Unexpected application " |
| 385 | "identifier tag 0x%x", efdir->appl_id_tag); |
| 386 | continue; |
| 387 | } |
| 388 | |
| 389 | if (efdir->aid_len < 1 || efdir->aid_len > 16) { |
| 390 | wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %d", |
| 391 | efdir->aid_len); |
| 392 | continue; |
| 393 | } |
| 394 | |
| 395 | wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record", |
| 396 | efdir->rid, efdir->aid_len); |
| 397 | |
| 398 | if (efdir->appl_code[0] == 0x10 && |
| 399 | efdir->appl_code[1] == 0x02) { |
| 400 | wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from " |
| 401 | "EF_DIR record %d", rec); |
| 402 | break; |
| 403 | } |
| 404 | } |
| 405 | |
| 406 | if (rec >= 10) { |
| 407 | wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found " |
| 408 | "from EF_DIR records"); |
| 409 | return -1; |
| 410 | } |
| 411 | |
| 412 | if (efdir->aid_len > maxlen) { |
| 413 | wpa_printf(MSG_DEBUG, "SCARD: Too long AID"); |
| 414 | return -1; |
| 415 | } |
| 416 | |
| 417 | os_memcpy(aid, efdir->rid, efdir->aid_len); |
| 418 | |
| 419 | return efdir->aid_len; |
| 420 | } |
| 421 | |
| 422 | |
| 423 | /** |
| 424 | * scard_init - Initialize SIM/USIM connection using PC/SC |
| 425 | * @sim_type: Allowed SIM types (SIM, USIM, or both) |
| 426 | * Returns: Pointer to private data structure, or %NULL on failure |
| 427 | * |
| 428 | * This function is used to initialize SIM/USIM connection. PC/SC is used to |
| 429 | * open connection to the SIM/USIM card and the card is verified to support the |
| 430 | * selected sim_type. In addition, local flag is set if a PIN is needed to |
| 431 | * access some of the card functions. Once the connection is not needed |
| 432 | * anymore, scard_deinit() can be used to close it. |
| 433 | */ |
| 434 | struct scard_data * scard_init(scard_sim_type sim_type) |
| 435 | { |
| 436 | long ret; |
| 437 | unsigned long len; |
| 438 | struct scard_data *scard; |
| 439 | #ifdef CONFIG_NATIVE_WINDOWS |
| 440 | TCHAR *readers = NULL; |
| 441 | #else /* CONFIG_NATIVE_WINDOWS */ |
| 442 | char *readers = NULL; |
| 443 | #endif /* CONFIG_NATIVE_WINDOWS */ |
| 444 | unsigned char buf[100]; |
| 445 | size_t blen; |
| 446 | int transaction = 0; |
| 447 | int pin_needed; |
| 448 | |
| 449 | wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface"); |
| 450 | if (mingw_load_symbols()) |
| 451 | return NULL; |
| 452 | scard = os_zalloc(sizeof(*scard)); |
| 453 | if (scard == NULL) |
| 454 | return NULL; |
| 455 | |
| 456 | ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL, |
| 457 | &scard->ctx); |
| 458 | if (ret != SCARD_S_SUCCESS) { |
| 459 | wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card " |
| 460 | "context (err=%ld)", ret); |
| 461 | goto failed; |
| 462 | } |
| 463 | |
| 464 | ret = SCardListReaders(scard->ctx, NULL, NULL, &len); |
| 465 | if (ret != SCARD_S_SUCCESS) { |
| 466 | wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed " |
| 467 | "(err=%ld)", ret); |
| 468 | goto failed; |
| 469 | } |
| 470 | |
| 471 | #ifdef UNICODE |
| 472 | len *= 2; |
| 473 | #endif /* UNICODE */ |
| 474 | readers = os_malloc(len); |
| 475 | if (readers == NULL) { |
| 476 | wpa_printf(MSG_INFO, "SCARD: malloc failed\n"); |
| 477 | goto failed; |
| 478 | } |
| 479 | |
| 480 | ret = SCardListReaders(scard->ctx, NULL, readers, &len); |
| 481 | if (ret != SCARD_S_SUCCESS) { |
| 482 | wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) " |
| 483 | "(err=%ld)", ret); |
| 484 | goto failed; |
| 485 | } |
| 486 | if (len < 3) { |
| 487 | wpa_printf(MSG_WARNING, "SCARD: No smart card readers " |
| 488 | "available."); |
| 489 | goto failed; |
| 490 | } |
| 491 | /* readers is a list of available reader. Last entry is terminated with |
| 492 | * double NUL. |
| 493 | * TODO: add support for selecting the reader; now just use the first |
| 494 | * one.. */ |
| 495 | #ifdef UNICODE |
| 496 | wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%S'", readers); |
| 497 | #else /* UNICODE */ |
| 498 | wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", readers); |
| 499 | #endif /* UNICODE */ |
| 500 | |
| 501 | ret = SCardConnect(scard->ctx, readers, SCARD_SHARE_SHARED, |
| 502 | SCARD_PROTOCOL_T0, &scard->card, &scard->protocol); |
| 503 | if (ret != SCARD_S_SUCCESS) { |
| 504 | if (ret == (long) SCARD_E_NO_SMARTCARD) |
| 505 | wpa_printf(MSG_INFO, "No smart card inserted."); |
| 506 | else |
| 507 | wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret); |
| 508 | goto failed; |
| 509 | } |
| 510 | |
| 511 | os_free(readers); |
| 512 | readers = NULL; |
| 513 | |
| 514 | wpa_printf(MSG_DEBUG, "SCARD: card=0x%x active_protocol=%lu (%s)", |
| 515 | (unsigned int) scard->card, scard->protocol, |
| 516 | scard->protocol == SCARD_PROTOCOL_T0 ? "T0" : "T1"); |
| 517 | |
| 518 | ret = SCardBeginTransaction(scard->card); |
| 519 | if (ret != SCARD_S_SUCCESS) { |
| 520 | wpa_printf(MSG_DEBUG, "SCARD: Could not begin transaction: " |
| 521 | "0x%x", (unsigned int) ret); |
| 522 | goto failed; |
| 523 | } |
| 524 | transaction = 1; |
| 525 | |
| 526 | blen = sizeof(buf); |
| 527 | |
| 528 | scard->sim_type = SCARD_GSM_SIM; |
| 529 | if (sim_type == SCARD_USIM_ONLY || sim_type == SCARD_TRY_BOTH) { |
| 530 | wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support"); |
| 531 | if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen, |
| 532 | SCARD_USIM, NULL, 0)) { |
| 533 | wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported"); |
| 534 | if (sim_type == SCARD_USIM_ONLY) |
| 535 | goto failed; |
| 536 | wpa_printf(MSG_DEBUG, "SCARD: Trying to use GSM SIM"); |
| 537 | scard->sim_type = SCARD_GSM_SIM; |
| 538 | } else { |
| 539 | wpa_printf(MSG_DEBUG, "SCARD: USIM is supported"); |
| 540 | scard->sim_type = SCARD_USIM; |
| 541 | } |
| 542 | } |
| 543 | |
| 544 | if (scard->sim_type == SCARD_GSM_SIM) { |
| 545 | blen = sizeof(buf); |
| 546 | if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) { |
| 547 | wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF"); |
| 548 | goto failed; |
| 549 | } |
| 550 | |
| 551 | blen = sizeof(buf); |
| 552 | if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) { |
| 553 | wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF"); |
| 554 | goto failed; |
| 555 | } |
| 556 | } else { |
| 557 | unsigned char aid[32]; |
| 558 | int aid_len; |
| 559 | |
| 560 | aid_len = scard_get_aid(scard, aid, sizeof(aid)); |
| 561 | if (aid_len < 0) { |
| 562 | wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for " |
| 563 | "3G USIM app - try to use standard 3G RID"); |
| 564 | os_memcpy(aid, "\xa0\x00\x00\x00\x87", 5); |
| 565 | aid_len = 5; |
| 566 | } |
| 567 | wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len); |
| 568 | |
| 569 | /* Select based on AID = 3G RID from EF_DIR. This is usually |
| 570 | * starting with A0 00 00 00 87. */ |
| 571 | blen = sizeof(buf); |
| 572 | if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type, |
| 573 | aid, aid_len)) { |
| 574 | wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM " |
| 575 | "app"); |
| 576 | wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID", |
| 577 | aid, aid_len); |
| 578 | goto failed; |
| 579 | } |
| 580 | } |
| 581 | |
| 582 | /* Verify whether CHV1 (PIN1) is needed to access the card. */ |
| 583 | pin_needed = scard_pin_needed(scard, buf, blen); |
| 584 | if (pin_needed < 0) { |
| 585 | wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN " |
| 586 | "is needed"); |
| 587 | goto failed; |
| 588 | } |
| 589 | if (pin_needed) { |
| 590 | scard->pin1_required = 1; |
| 591 | wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access"); |
| 592 | } |
| 593 | |
| 594 | ret = SCardEndTransaction(scard->card, SCARD_LEAVE_CARD); |
| 595 | if (ret != SCARD_S_SUCCESS) { |
| 596 | wpa_printf(MSG_DEBUG, "SCARD: Could not end transaction: " |
| 597 | "0x%x", (unsigned int) ret); |
| 598 | } |
| 599 | |
| 600 | return scard; |
| 601 | |
| 602 | failed: |
| 603 | if (transaction) |
| 604 | SCardEndTransaction(scard->card, SCARD_LEAVE_CARD); |
| 605 | os_free(readers); |
| 606 | scard_deinit(scard); |
| 607 | return NULL; |
| 608 | } |
| 609 | |
| 610 | |
| 611 | /** |
| 612 | * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands |
| 613 | * @scard: Pointer to private data from scard_init() |
| 614 | * pin: PIN code as an ASCII string (e.g., "1234") |
| 615 | * Returns: 0 on success, -1 on failure |
| 616 | */ |
| 617 | int scard_set_pin(struct scard_data *scard, const char *pin) |
| 618 | { |
| 619 | if (scard == NULL) |
| 620 | return -1; |
| 621 | |
| 622 | /* Verify whether CHV1 (PIN1) is needed to access the card. */ |
| 623 | if (scard->pin1_required) { |
| 624 | if (pin == NULL) { |
| 625 | wpa_printf(MSG_DEBUG, "No PIN configured for SIM " |
| 626 | "access"); |
| 627 | return -1; |
| 628 | } |
| 629 | if (scard_verify_pin(scard, pin)) { |
| 630 | wpa_printf(MSG_INFO, "PIN verification failed for " |
| 631 | "SIM access"); |
| 632 | return -1; |
| 633 | } |
| 634 | } |
| 635 | |
| 636 | return 0; |
| 637 | } |
| 638 | |
| 639 | |
| 640 | /** |
| 641 | * scard_deinit - Deinitialize SIM/USIM connection |
| 642 | * @scard: Pointer to private data from scard_init() |
| 643 | * |
| 644 | * This function closes the SIM/USIM connect opened with scard_init(). |
| 645 | */ |
| 646 | void scard_deinit(struct scard_data *scard) |
| 647 | { |
| 648 | long ret; |
| 649 | |
| 650 | if (scard == NULL) |
| 651 | return; |
| 652 | |
| 653 | wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface"); |
| 654 | if (scard->card) { |
| 655 | ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD); |
| 656 | if (ret != SCARD_S_SUCCESS) { |
| 657 | wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect " |
| 658 | "smart card (err=%ld)", ret); |
| 659 | } |
| 660 | } |
| 661 | |
| 662 | if (scard->ctx) { |
| 663 | ret = SCardReleaseContext(scard->ctx); |
| 664 | if (ret != SCARD_S_SUCCESS) { |
| 665 | wpa_printf(MSG_DEBUG, "Failed to release smart card " |
| 666 | "context (err=%ld)", ret); |
| 667 | } |
| 668 | } |
| 669 | os_free(scard); |
| 670 | mingw_unload_symbols(); |
| 671 | } |
| 672 | |
| 673 | |
| 674 | static long scard_transmit(struct scard_data *scard, |
| 675 | unsigned char *_send, size_t send_len, |
| 676 | unsigned char *_recv, size_t *recv_len) |
| 677 | { |
| 678 | long ret; |
| 679 | unsigned long rlen; |
| 680 | |
| 681 | wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send", |
| 682 | _send, send_len); |
| 683 | rlen = *recv_len; |
| 684 | ret = SCardTransmit(scard->card, |
| 685 | scard->protocol == SCARD_PROTOCOL_T1 ? |
| 686 | SCARD_PCI_T1 : SCARD_PCI_T0, |
| 687 | _send, (unsigned long) send_len, |
| 688 | NULL, _recv, &rlen); |
| 689 | *recv_len = rlen; |
| 690 | if (ret == SCARD_S_SUCCESS) { |
| 691 | wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv", |
| 692 | _recv, rlen); |
| 693 | } else { |
| 694 | wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed " |
| 695 | "(err=0x%lx)", ret); |
| 696 | } |
| 697 | return ret; |
| 698 | } |
| 699 | |
| 700 | |
| 701 | static int _scard_select_file(struct scard_data *scard, unsigned short file_id, |
| 702 | unsigned char *buf, size_t *buf_len, |
| 703 | sim_types sim_type, unsigned char *aid, |
| 704 | size_t aidlen) |
| 705 | { |
| 706 | long ret; |
| 707 | unsigned char resp[3]; |
| 708 | unsigned char cmd[50] = { SIM_CMD_SELECT }; |
| 709 | int cmdlen; |
| 710 | unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE }; |
| 711 | size_t len, rlen; |
| 712 | |
| 713 | if (sim_type == SCARD_USIM) { |
| 714 | cmd[0] = USIM_CLA; |
| 715 | cmd[3] = 0x04; |
| 716 | get_resp[0] = USIM_CLA; |
| 717 | } |
| 718 | |
| 719 | wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id); |
| 720 | if (aid) { |
| 721 | wpa_hexdump(MSG_DEBUG, "SCARD: select file by AID", |
| 722 | aid, aidlen); |
| 723 | if (5 + aidlen > sizeof(cmd)) |
| 724 | return -1; |
| 725 | cmd[2] = 0x04; /* Select by AID */ |
| 726 | cmd[4] = aidlen; /* len */ |
| 727 | os_memcpy(cmd + 5, aid, aidlen); |
| 728 | cmdlen = 5 + aidlen; |
| 729 | } else { |
| 730 | cmd[5] = file_id >> 8; |
| 731 | cmd[6] = file_id & 0xff; |
| 732 | cmdlen = 7; |
| 733 | } |
| 734 | len = sizeof(resp); |
| 735 | ret = scard_transmit(scard, cmd, cmdlen, resp, &len); |
| 736 | if (ret != SCARD_S_SUCCESS) { |
| 737 | wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed " |
| 738 | "(err=0x%lx)", ret); |
| 739 | return -1; |
| 740 | } |
| 741 | |
| 742 | if (len != 2) { |
| 743 | wpa_printf(MSG_WARNING, "SCARD: unexpected resp len " |
| 744 | "%d (expected 2)", (int) len); |
| 745 | return -1; |
| 746 | } |
| 747 | |
| 748 | if (resp[0] == 0x98 && resp[1] == 0x04) { |
| 749 | /* Security status not satisfied (PIN_WLAN) */ |
| 750 | wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied " |
| 751 | "(PIN_WLAN)"); |
| 752 | return -1; |
| 753 | } |
| 754 | |
| 755 | if (resp[0] == 0x6e) { |
| 756 | wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported"); |
| 757 | return -1; |
| 758 | } |
| 759 | |
| 760 | if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) { |
| 761 | wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x " |
| 762 | "(expected 0x61, 0x6c, or 0x9f)", resp[0]); |
| 763 | return -1; |
| 764 | } |
| 765 | /* Normal ending of command; resp[1] bytes available */ |
| 766 | get_resp[4] = resp[1]; |
| 767 | wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)", |
| 768 | resp[1]); |
| 769 | |
| 770 | rlen = *buf_len; |
| 771 | ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen); |
| 772 | if (ret == SCARD_S_SUCCESS) { |
| 773 | *buf_len = resp[1] < rlen ? resp[1] : rlen; |
| 774 | return 0; |
| 775 | } |
| 776 | |
| 777 | wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret); |
| 778 | return -1; |
| 779 | } |
| 780 | |
| 781 | |
| 782 | static int scard_select_file(struct scard_data *scard, unsigned short file_id, |
| 783 | unsigned char *buf, size_t *buf_len) |
| 784 | { |
| 785 | return _scard_select_file(scard, file_id, buf, buf_len, |
| 786 | scard->sim_type, NULL, 0); |
| 787 | } |
| 788 | |
| 789 | |
| 790 | static int scard_get_record_len(struct scard_data *scard, unsigned char recnum, |
| 791 | unsigned char mode) |
| 792 | { |
| 793 | unsigned char buf[255]; |
| 794 | unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ }; |
| 795 | size_t blen; |
| 796 | long ret; |
| 797 | |
| 798 | if (scard->sim_type == SCARD_USIM) |
| 799 | cmd[0] = USIM_CLA; |
| 800 | cmd[2] = recnum; |
| 801 | cmd[3] = mode; |
| 802 | cmd[4] = sizeof(buf); |
| 803 | |
| 804 | blen = sizeof(buf); |
| 805 | ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); |
| 806 | if (ret != SCARD_S_SUCCESS) { |
| 807 | wpa_printf(MSG_DEBUG, "SCARD: failed to determine file " |
| 808 | "length for record %d", recnum); |
| 809 | return -1; |
| 810 | } |
| 811 | |
| 812 | wpa_hexdump(MSG_DEBUG, "SCARD: file length determination response", |
| 813 | buf, blen); |
| 814 | |
| 815 | if (blen < 2 || buf[0] != 0x6c) { |
| 816 | wpa_printf(MSG_DEBUG, "SCARD: unexpected response to file " |
| 817 | "length determination"); |
| 818 | return -1; |
| 819 | } |
| 820 | |
| 821 | return buf[1]; |
| 822 | } |
| 823 | |
| 824 | |
| 825 | static int scard_read_record(struct scard_data *scard, |
| 826 | unsigned char *data, size_t len, |
| 827 | unsigned char recnum, unsigned char mode) |
| 828 | { |
| 829 | unsigned char cmd[5] = { SIM_CMD_READ_RECORD /* , len */ }; |
| 830 | size_t blen = len + 3; |
| 831 | unsigned char *buf; |
| 832 | long ret; |
| 833 | |
| 834 | if (scard->sim_type == SCARD_USIM) |
| 835 | cmd[0] = USIM_CLA; |
| 836 | cmd[2] = recnum; |
| 837 | cmd[3] = mode; |
| 838 | cmd[4] = len; |
| 839 | |
| 840 | buf = os_malloc(blen); |
| 841 | if (buf == NULL) |
| 842 | return -1; |
| 843 | |
| 844 | ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); |
| 845 | if (ret != SCARD_S_SUCCESS) { |
| 846 | os_free(buf); |
| 847 | return -2; |
| 848 | } |
| 849 | if (blen != len + 2) { |
| 850 | wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected " |
| 851 | "length %ld (expected %ld)", |
| 852 | (long) blen, (long) len + 2); |
| 853 | os_free(buf); |
| 854 | return -3; |
| 855 | } |
| 856 | |
| 857 | if (buf[len] != 0x90 || buf[len + 1] != 0x00) { |
| 858 | wpa_printf(MSG_DEBUG, "SCARD: record read returned unexpected " |
| 859 | "status %02x %02x (expected 90 00)", |
| 860 | buf[len], buf[len + 1]); |
| 861 | os_free(buf); |
| 862 | return -4; |
| 863 | } |
| 864 | |
| 865 | os_memcpy(data, buf, len); |
| 866 | os_free(buf); |
| 867 | |
| 868 | return 0; |
| 869 | } |
| 870 | |
| 871 | |
| 872 | static int scard_read_file(struct scard_data *scard, |
| 873 | unsigned char *data, size_t len) |
| 874 | { |
| 875 | unsigned char cmd[5] = { SIM_CMD_READ_BIN /* , len */ }; |
| 876 | size_t blen = len + 3; |
| 877 | unsigned char *buf; |
| 878 | long ret; |
| 879 | |
| 880 | cmd[4] = len; |
| 881 | |
| 882 | buf = os_malloc(blen); |
| 883 | if (buf == NULL) |
| 884 | return -1; |
| 885 | |
| 886 | if (scard->sim_type == SCARD_USIM) |
| 887 | cmd[0] = USIM_CLA; |
| 888 | ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen); |
| 889 | if (ret != SCARD_S_SUCCESS) { |
| 890 | os_free(buf); |
| 891 | return -2; |
| 892 | } |
| 893 | if (blen != len + 2) { |
| 894 | wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected " |
| 895 | "length %ld (expected %ld)", |
| 896 | (long) blen, (long) len + 2); |
| 897 | os_free(buf); |
| 898 | return -3; |
| 899 | } |
| 900 | |
| 901 | if (buf[len] != 0x90 || buf[len + 1] != 0x00) { |
| 902 | wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected " |
| 903 | "status %02x %02x (expected 90 00)", |
| 904 | buf[len], buf[len + 1]); |
| 905 | os_free(buf); |
| 906 | return -4; |
| 907 | } |
| 908 | |
| 909 | os_memcpy(data, buf, len); |
| 910 | os_free(buf); |
| 911 | |
| 912 | return 0; |
| 913 | } |
| 914 | |
| 915 | |
| 916 | static int scard_verify_pin(struct scard_data *scard, const char *pin) |
| 917 | { |
| 918 | long ret; |
| 919 | unsigned char resp[3]; |
| 920 | unsigned char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 }; |
| 921 | size_t len; |
| 922 | |
| 923 | wpa_printf(MSG_DEBUG, "SCARD: verifying PIN"); |
| 924 | |
| 925 | if (pin == NULL || os_strlen(pin) > 8) |
| 926 | return -1; |
| 927 | |
| 928 | if (scard->sim_type == SCARD_USIM) |
| 929 | cmd[0] = USIM_CLA; |
| 930 | os_memcpy(cmd + 5, pin, os_strlen(pin)); |
| 931 | os_memset(cmd + 5 + os_strlen(pin), 0xff, 8 - os_strlen(pin)); |
| 932 | |
| 933 | len = sizeof(resp); |
| 934 | ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len); |
| 935 | if (ret != SCARD_S_SUCCESS) |
| 936 | return -2; |
| 937 | |
| 938 | if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) { |
| 939 | wpa_printf(MSG_WARNING, "SCARD: PIN verification failed"); |
| 940 | return -1; |
| 941 | } |
| 942 | |
| 943 | wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully"); |
| 944 | return 0; |
| 945 | } |
| 946 | |
| 947 | |
| 948 | /** |
| 949 | * scard_get_imsi - Read IMSI from SIM/USIM card |
| 950 | * @scard: Pointer to private data from scard_init() |
| 951 | * @imsi: Buffer for IMSI |
| 952 | * @len: Length of imsi buffer; set to IMSI length on success |
| 953 | * Returns: 0 on success, -1 if IMSI file cannot be selected, -2 if IMSI file |
| 954 | * selection returns invalid result code, -3 if parsing FSP template file fails |
| 955 | * (USIM only), -4 if IMSI does not fit in the provided imsi buffer (len is set |
| 956 | * to needed length), -5 if reading IMSI file fails. |
| 957 | * |
| 958 | * This function can be used to read IMSI from the SIM/USIM card. If the IMSI |
| 959 | * file is PIN protected, scard_set_pin() must have been used to set the |
| 960 | * correct PIN code before calling scard_get_imsi(). |
| 961 | */ |
| 962 | int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len) |
| 963 | { |
| 964 | unsigned char buf[100]; |
| 965 | size_t blen, imsilen, i; |
| 966 | char *pos; |
| 967 | |
| 968 | wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI"); |
| 969 | blen = sizeof(buf); |
| 970 | if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen)) |
| 971 | return -1; |
| 972 | if (blen < 4) { |
| 973 | wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI " |
| 974 | "header (len=%ld)", (long) blen); |
| 975 | return -2; |
| 976 | } |
| 977 | |
| 978 | if (scard->sim_type == SCARD_GSM_SIM) { |
| 979 | blen = (buf[2] << 8) | buf[3]; |
| 980 | } else { |
| 981 | int file_size; |
| 982 | if (scard_parse_fsp_templ(buf, blen, NULL, &file_size)) |
| 983 | return -3; |
| 984 | blen = file_size; |
| 985 | } |
| 986 | if (blen < 2 || blen > sizeof(buf)) { |
| 987 | wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%ld", |
| 988 | (long) blen); |
| 989 | return -3; |
| 990 | } |
| 991 | |
| 992 | imsilen = (blen - 2) * 2 + 1; |
| 993 | wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%ld imsilen=%ld", |
| 994 | (long) blen, (long) imsilen); |
| 995 | if (blen < 2 || imsilen > *len) { |
| 996 | *len = imsilen; |
| 997 | return -4; |
| 998 | } |
| 999 | |
| 1000 | if (scard_read_file(scard, buf, blen)) |
| 1001 | return -5; |
| 1002 | |
| 1003 | pos = imsi; |
| 1004 | *pos++ = '0' + (buf[1] >> 4 & 0x0f); |
| 1005 | for (i = 2; i < blen; i++) { |
| 1006 | unsigned char digit; |
| 1007 | |
| 1008 | digit = buf[i] & 0x0f; |
| 1009 | if (digit < 10) |
| 1010 | *pos++ = '0' + digit; |
| 1011 | else |
| 1012 | imsilen--; |
| 1013 | |
| 1014 | digit = buf[i] >> 4 & 0x0f; |
| 1015 | if (digit < 10) |
| 1016 | *pos++ = '0' + digit; |
| 1017 | else |
| 1018 | imsilen--; |
| 1019 | } |
| 1020 | *len = imsilen; |
| 1021 | |
| 1022 | return 0; |
| 1023 | } |
| 1024 | |
| 1025 | |
| 1026 | /** |
| 1027 | * scard_gsm_auth - Run GSM authentication command on SIM card |
| 1028 | * @scard: Pointer to private data from scard_init() |
| 1029 | * @_rand: 16-byte RAND value from HLR/AuC |
| 1030 | * @sres: 4-byte buffer for SRES |
| 1031 | * @kc: 8-byte buffer for Kc |
| 1032 | * Returns: 0 on success, -1 if SIM/USIM connection has not been initialized, |
| 1033 | * -2 if authentication command execution fails, -3 if unknown response code |
| 1034 | * for authentication command is received, -4 if reading of response fails, |
| 1035 | * -5 if if response data is of unexpected length |
| 1036 | * |
| 1037 | * This function performs GSM authentication using SIM/USIM card and the |
| 1038 | * provided RAND value from HLR/AuC. If authentication command can be completed |
| 1039 | * successfully, SRES and Kc values will be written into sres and kc buffers. |
| 1040 | */ |
| 1041 | int scard_gsm_auth(struct scard_data *scard, const unsigned char *_rand, |
| 1042 | unsigned char *sres, unsigned char *kc) |
| 1043 | { |
| 1044 | unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG }; |
| 1045 | int cmdlen; |
| 1046 | unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE }; |
| 1047 | unsigned char resp[3], buf[12 + 3 + 2]; |
| 1048 | size_t len; |
| 1049 | long ret; |
| 1050 | |
| 1051 | if (scard == NULL) |
| 1052 | return -1; |
| 1053 | |
| 1054 | wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", _rand, 16); |
| 1055 | if (scard->sim_type == SCARD_GSM_SIM) { |
| 1056 | cmdlen = 5 + 16; |
| 1057 | os_memcpy(cmd + 5, _rand, 16); |
| 1058 | } else { |
| 1059 | cmdlen = 5 + 1 + 16; |
| 1060 | cmd[0] = USIM_CLA; |
| 1061 | cmd[3] = 0x80; |
| 1062 | cmd[4] = 17; |
| 1063 | cmd[5] = 16; |
| 1064 | os_memcpy(cmd + 6, _rand, 16); |
| 1065 | } |
| 1066 | len = sizeof(resp); |
| 1067 | ret = scard_transmit(scard, cmd, cmdlen, resp, &len); |
| 1068 | if (ret != SCARD_S_SUCCESS) |
| 1069 | return -2; |
| 1070 | |
| 1071 | if ((scard->sim_type == SCARD_GSM_SIM && |
| 1072 | (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) || |
| 1073 | (scard->sim_type == SCARD_USIM && |
| 1074 | (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) { |
| 1075 | wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM " |
| 1076 | "auth request (len=%ld resp=%02x %02x)", |
| 1077 | (long) len, resp[0], resp[1]); |
| 1078 | return -3; |
| 1079 | } |
| 1080 | get_resp[4] = resp[1]; |
| 1081 | |
| 1082 | len = sizeof(buf); |
| 1083 | ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len); |
| 1084 | if (ret != SCARD_S_SUCCESS) |
| 1085 | return -4; |
| 1086 | |
| 1087 | if (scard->sim_type == SCARD_GSM_SIM) { |
| 1088 | if (len != 4 + 8 + 2) { |
| 1089 | wpa_printf(MSG_WARNING, "SCARD: unexpected data " |
| 1090 | "length for GSM auth (len=%ld, expected 14)", |
| 1091 | (long) len); |
| 1092 | return -5; |
| 1093 | } |
| 1094 | os_memcpy(sres, buf, 4); |
| 1095 | os_memcpy(kc, buf + 4, 8); |
| 1096 | } else { |
| 1097 | if (len != 1 + 4 + 1 + 8 + 2) { |
| 1098 | wpa_printf(MSG_WARNING, "SCARD: unexpected data " |
| 1099 | "length for USIM auth (len=%ld, " |
| 1100 | "expected 16)", (long) len); |
| 1101 | return -5; |
| 1102 | } |
| 1103 | if (buf[0] != 4 || buf[5] != 8) { |
| 1104 | wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc " |
| 1105 | "length (%d %d, expected 4 8)", |
| 1106 | buf[0], buf[5]); |
| 1107 | } |
| 1108 | os_memcpy(sres, buf + 1, 4); |
| 1109 | os_memcpy(kc, buf + 6, 8); |
| 1110 | } |
| 1111 | |
| 1112 | wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4); |
| 1113 | wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8); |
| 1114 | |
| 1115 | return 0; |
| 1116 | } |
| 1117 | |
| 1118 | |
| 1119 | /** |
| 1120 | * scard_umts_auth - Run UMTS authentication command on USIM card |
| 1121 | * @scard: Pointer to private data from scard_init() |
| 1122 | * @_rand: 16-byte RAND value from HLR/AuC |
| 1123 | * @autn: 16-byte AUTN value from HLR/AuC |
| 1124 | * @res: 16-byte buffer for RES |
| 1125 | * @res_len: Variable that will be set to RES length |
| 1126 | * @ik: 16-byte buffer for IK |
| 1127 | * @ck: 16-byte buffer for CK |
| 1128 | * @auts: 14-byte buffer for AUTS |
| 1129 | * Returns: 0 on success, -1 on failure, or -2 if USIM reports synchronization |
| 1130 | * failure |
| 1131 | * |
| 1132 | * This function performs AKA authentication using USIM card and the provided |
| 1133 | * RAND and AUTN values from HLR/AuC. If authentication command can be |
| 1134 | * completed successfully, RES, IK, and CK values will be written into provided |
| 1135 | * buffers and res_len is set to length of received RES value. If USIM reports |
| 1136 | * synchronization failure, the received AUTS value will be written into auts |
| 1137 | * buffer. In this case, RES, IK, and CK are not valid. |
| 1138 | */ |
| 1139 | int scard_umts_auth(struct scard_data *scard, const unsigned char *_rand, |
| 1140 | const unsigned char *autn, |
| 1141 | unsigned char *res, size_t *res_len, |
| 1142 | unsigned char *ik, unsigned char *ck, unsigned char *auts) |
| 1143 | { |
| 1144 | unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] = |
| 1145 | { USIM_CMD_RUN_UMTS_ALG }; |
| 1146 | unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE }; |
| 1147 | unsigned char resp[3], buf[64], *pos, *end; |
| 1148 | size_t len; |
| 1149 | long ret; |
| 1150 | |
| 1151 | if (scard == NULL) |
| 1152 | return -1; |
| 1153 | |
| 1154 | if (scard->sim_type == SCARD_GSM_SIM) { |
| 1155 | wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS " |
| 1156 | "auth"); |
| 1157 | return -1; |
| 1158 | } |
| 1159 | |
| 1160 | wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", _rand, AKA_RAND_LEN); |
| 1161 | wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN); |
| 1162 | cmd[5] = AKA_RAND_LEN; |
| 1163 | os_memcpy(cmd + 6, _rand, AKA_RAND_LEN); |
| 1164 | cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN; |
| 1165 | os_memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN); |
| 1166 | |
| 1167 | len = sizeof(resp); |
| 1168 | ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len); |
| 1169 | if (ret != SCARD_S_SUCCESS) |
| 1170 | return -1; |
| 1171 | |
| 1172 | if (len <= sizeof(resp)) |
| 1173 | wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len); |
| 1174 | |
| 1175 | if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) { |
| 1176 | wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - " |
| 1177 | "MAC != XMAC"); |
| 1178 | return -1; |
| 1179 | } else if (len != 2 || resp[0] != 0x61) { |
| 1180 | wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS " |
| 1181 | "auth request (len=%ld resp=%02x %02x)", |
| 1182 | (long) len, resp[0], resp[1]); |
| 1183 | return -1; |
| 1184 | } |
| 1185 | get_resp[4] = resp[1]; |
| 1186 | |
| 1187 | len = sizeof(buf); |
| 1188 | ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len); |
| 1189 | if (ret != SCARD_S_SUCCESS || len > sizeof(buf)) |
| 1190 | return -1; |
| 1191 | |
| 1192 | wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len); |
| 1193 | if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc && |
| 1194 | buf[1] == AKA_AUTS_LEN) { |
| 1195 | wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure"); |
| 1196 | os_memcpy(auts, buf + 2, AKA_AUTS_LEN); |
| 1197 | wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN); |
| 1198 | return -2; |
| 1199 | } else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) { |
| 1200 | pos = buf + 1; |
| 1201 | end = buf + len; |
| 1202 | |
| 1203 | /* RES */ |
| 1204 | if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) { |
| 1205 | wpa_printf(MSG_DEBUG, "SCARD: Invalid RES"); |
| 1206 | return -1; |
| 1207 | } |
| 1208 | *res_len = *pos++; |
| 1209 | os_memcpy(res, pos, *res_len); |
| 1210 | pos += *res_len; |
| 1211 | wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len); |
| 1212 | |
| 1213 | /* CK */ |
| 1214 | if (pos[0] != CK_LEN || pos + CK_LEN > end) { |
| 1215 | wpa_printf(MSG_DEBUG, "SCARD: Invalid CK"); |
| 1216 | return -1; |
| 1217 | } |
| 1218 | pos++; |
| 1219 | os_memcpy(ck, pos, CK_LEN); |
| 1220 | pos += CK_LEN; |
| 1221 | wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN); |
| 1222 | |
| 1223 | /* IK */ |
| 1224 | if (pos[0] != IK_LEN || pos + IK_LEN > end) { |
| 1225 | wpa_printf(MSG_DEBUG, "SCARD: Invalid IK"); |
| 1226 | return -1; |
| 1227 | } |
| 1228 | pos++; |
| 1229 | os_memcpy(ik, pos, IK_LEN); |
| 1230 | pos += IK_LEN; |
| 1231 | wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN); |
| 1232 | |
| 1233 | return 0; |
| 1234 | } |
| 1235 | |
| 1236 | wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response"); |
| 1237 | return -1; |
| 1238 | } |