/* * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM * Copyright (c) 2004-2006, Jouni Malinen <j@w1.fi> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * Alternatively, this software may be distributed under the terms of BSD * license. * * See README and COPYING for more details. * * This file implements wrapper functions for accessing GSM SIM and 3GPP USIM * cards through PC/SC smartcard library. These functions are used to implement * authentication routines for EAP-SIM and EAP-AKA. */#include <stdlib.h>#include <stdio.h>#include <string.h>#include <winscard.h>#include "common.h"#include "wpa_supplicant.h"#include "pcsc_funcs.h"/* See ETSI GSM 11.11 and ETSI TS 102 221 for details. * SIM commands: * Command APDU: CLA INS P1 P2 P3 Data *   CLA (class of instruction): A0 for GSM, 00 for USIM *   INS (instruction) *   P1 P2 P3 (parameters, P3 = length of Data) * Response APDU: Data SW1 SW2 *   SW1 SW2 (Status words) * Commands (INS P1 P2 P3): *   SELECT: A4 00 00 02 <file_id, 2 bytes> *   GET RESPONSE: C0 00 00 <len> *   RUN GSM ALG: 88 00 00 00 <RAND len = 10> *   RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN *	P1 = ID of alg in card *	P2 = ID of secret key *   READ BINARY: B0 <offset high> <offset low> <len> *   READ RECORD: B2 <record number> <mode> <len> *	P2 (mode) = '02' (next record), '03' (previous record), *		    '04' (absolute mode) *   VERIFY CHV: 20 00 <CHV number> 08 *   CHANGE CHV: 24 00 <CHV number> 10 *   DISABLE CHV: 26 00 01 08 *   ENABLE CHV: 28 00 01 08 *   UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10 *   SLEEP: FA 00 00 00 *//* GSM SIM commands */#define SIM_CMD_SELECT			0xa0, 0xa4, 0x00, 0x00, 0x02#define SIM_CMD_RUN_GSM_ALG		0xa0, 0x88, 0x00, 0x00, 0x10#define SIM_CMD_GET_RESPONSE		0xa0, 0xc0, 0x00, 0x00#define SIM_CMD_READ_BIN		0xa0, 0xb0, 0x00, 0x00#define SIM_CMD_READ_RECORD		0xa0, 0xb2, 0x00, 0x00#define SIM_CMD_VERIFY_CHV1		0xa0, 0x20, 0x00, 0x01, 0x08/* USIM commands */#define USIM_CLA			0x00#define USIM_CMD_RUN_UMTS_ALG		0x00, 0x88, 0x00, 0x81, 0x22#define USIM_CMD_GET_RESPONSE		0x00, 0xc0, 0x00, 0x00#define SIM_RECORD_MODE_ABSOLUTE 0x04#define USIM_FSP_TEMPL_TAG		0x62#define USIM_TLV_FILE_DESC		0x82#define USIM_TLV_FILE_ID		0x83#define USIM_TLV_DF_NAME		0x84#define USIM_TLV_PROPR_INFO		0xA5#define USIM_TLV_LIFE_CYCLE_STATUS	0x8A#define USIM_TLV_FILE_SIZE		0x80#define USIM_TLV_TOTAL_FILE_SIZE	0x81#define USIM_TLV_PIN_STATUS_TEMPLATE	0xC6#define USIM_TLV_SHORT_FILE_ID		0x88#define USIM_PS_DO_TAG			0x90#define AKA_RAND_LEN 16#define AKA_AUTN_LEN 16#define AKA_AUTS_LEN 14#define RES_MAX_LEN 16#define IK_LEN 16#define CK_LEN 16typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types;struct scard_data {	long ctx;	long card;	unsigned long protocol;	sim_types sim_type;	int pin1_required;};static int _scard_select_file(struct scard_data *scard, unsigned short file_id,			      unsigned char *buf, size_t *buf_len,			      sim_types sim_type, unsigned char *aid,			      size_t aidlen);static int scard_select_file(struct scard_data *scard, unsigned short file_id,			     unsigned char *buf, size_t *buf_len);static int scard_verify_pin(struct scard_data *scard, const char *pin);static int scard_get_record_len(struct scard_data *scard,				unsigned char recnum, unsigned char mode);static int scard_read_record(struct scard_data *scard,			     unsigned char *data, size_t len,			     unsigned char recnum, unsigned char mode);static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,				 int *ps_do, int *file_len){		unsigned char *pos, *end;		if (ps_do)			*ps_do = -1;		if (file_len)			*file_len = -1;		pos = buf;		end = pos + buf_len;		if (*pos != USIM_FSP_TEMPL_TAG) {			wpa_printf(MSG_DEBUG, "SCARD: file header did not "				   "start with FSP template tag");			return -1;		}		pos++;		if (pos >= end)			return -1;		if ((pos + pos[0]) < end)			end = pos + 1 + pos[0];		pos++;		wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",			    pos, end - pos);		while (pos + 1 < end) {			wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV "				   "0x%02x len=%d", pos[0], pos[1]);			if (pos + 2 + pos[1] > end)				break;			if (pos[0] == USIM_TLV_FILE_SIZE &&			    (pos[1] == 1 || pos[1] == 2) && file_len) {				if (pos[1] == 1)					*file_len = (int) pos[2];				else					*file_len = ((int) pos[2] << 8) |						(int) pos[3];				wpa_printf(MSG_DEBUG, "SCARD: file_size=%d",					   *file_len);			}			if (pos[0] == USIM_TLV_PIN_STATUS_TEMPLATE &&			    pos[1] >= 2 && pos[2] == USIM_PS_DO_TAG &&			    pos[3] >= 1 && ps_do) {				wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x",					   pos[4]);				*ps_do = (int) pos[4];			}			pos += 2 + pos[1];			if (pos == end)				return 0;		}		return -1;}static int scard_pin_needed(struct scard_data *scard,			    unsigned char *hdr, size_t hlen){	if (scard->sim_type == SCARD_GSM_SIM) {		if (hlen > SCARD_CHV1_OFFSET &&		    !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG))			return 1;		return 0;	}	if (scard->sim_type == SCARD_USIM) {		int ps_do;		if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL))			return -1;		/* TODO: there could be more than one PS_DO entry because of		 * multiple PINs in key reference.. */		if (ps_do > 0 && (ps_do & 0x80))			return 1;		return 0;	}	return -1;}static int scard_get_aid(struct scard_data *scard, unsigned char *aid,			 size_t maxlen){	int rlen, rec;	struct efdir {		unsigned char appl_template_tag; /* 0x61 */		unsigned char appl_template_len;		unsigned char appl_id_tag; /* 0x4f */		unsigned char aid_len;		unsigned char rid[5];		unsigned char appl_code[2]; /* 0x1002 for 3G USIM */	} *efdir;	unsigned char buf[100];	size_t blen;	efdir = (struct efdir *) buf;	blen = sizeof(buf);	if (scard_select_file(scard, SCARD_FILE_EF_DIR, buf, &blen)) {		wpa_printf(MSG_DEBUG, "SCARD: Failed to read EF_DIR");		return -1;	}	wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR select", buf, blen);	for (rec = 1; rec < 10; rec++) {		rlen = scard_get_record_len(scard, rec,					    SIM_RECORD_MODE_ABSOLUTE);		if (rlen < 0) {			wpa_printf(MSG_DEBUG, "SCARD: Failed to get EF_DIR "				   "record length");			return -1;		}		blen = sizeof(buf);		if (rlen > (int) blen) {			wpa_printf(MSG_DEBUG, "SCARD: Too long EF_DIR record");			return -1;		}		if (scard_read_record(scard, buf, rlen, rec,				      SIM_RECORD_MODE_ABSOLUTE) < 0) {			wpa_printf(MSG_DEBUG, "SCARD: Failed to read "				   "EF_DIR record %d", rec);			return -1;		}		wpa_hexdump(MSG_DEBUG, "SCARD: EF_DIR record", buf, rlen);		if (efdir->appl_template_tag != 0x61) {			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "				   "template tag 0x%x",				   efdir->appl_template_tag);			continue;		}		if (efdir->appl_template_len > rlen - 2) {			wpa_printf(MSG_DEBUG, "SCARD: Too long application "				   "template (len=%d rlen=%d)",				   efdir->appl_template_len, rlen);			continue;		}		if (efdir->appl_id_tag != 0x4f) {			wpa_printf(MSG_DEBUG, "SCARD: Unexpected application "				   "identifier tag 0x%x", efdir->appl_id_tag);			continue;		}		if (efdir->aid_len < 1 || efdir->aid_len > 16) {			wpa_printf(MSG_DEBUG, "SCARD: Invalid AID length %d",				   efdir->aid_len);			continue;		}		wpa_hexdump(MSG_DEBUG, "SCARD: AID from EF_DIR record",			    efdir->rid, efdir->aid_len);		if (efdir->appl_code[0] == 0x10 &&		    efdir->appl_code[1] == 0x02) {			wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app found from "				   "EF_DIR record %d", rec);			break;		}	}	if (rec >= 10) {		wpa_printf(MSG_DEBUG, "SCARD: 3G USIM app not found "			   "from EF_DIR records");		return -1;	}	if (efdir->aid_len > maxlen) {		wpa_printf(MSG_DEBUG, "SCARD: Too long AID");		return -1;	}	memcpy(aid, efdir->rid, efdir->aid_len);	return efdir->aid_len;}/** * scard_init - Initialize SIM/USIM connection using PC/SC * @sim_type: Allowed SIM types (SIM, USIM, or both) * Returns: Pointer to private data structure, or %NULL on failure * * This function is used to initialize SIM/USIM connection. PC/SC is used to * open connection to the SIM/USIM card and the card is verified to support the * selected sim_type. In addition, local flag is set if a PIN is needed to * access some of the card functions. Once the connection is not needed * anymore, scard_deinit() can be used to close it. */struct scard_data * scard_init(scard_sim_type sim_type){	long ret;	unsigned long len;	struct scard_data *scard;	char *readers = NULL;	unsigned char buf[100];	size_t blen;	int pin_needed;	wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface");	scard = malloc(sizeof(*scard));	if (scard == NULL)		return NULL;	memset(scard, 0, sizeof(*scard));	ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL,				    &scard->ctx);	if (ret != SCARD_S_SUCCESS) {		wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card "			   "context (err=%ld)", ret);		goto failed;	}	ret = SCardListReaders(scard->ctx, NULL, NULL, &len);	if (ret != SCARD_S_SUCCESS) {		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed "			   "(err=%ld)", ret);		goto failed;	}	readers = malloc(len);	if (readers == NULL) {		printf("malloc failed\n");		goto failed;	}	ret = SCardListReaders(scard->ctx, NULL, readers, &len);	if (ret != SCARD_S_SUCCESS) {		wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) "			   "(err=%ld)", ret);		goto failed;	}	if (len < 3) {		wpa_printf(MSG_WARNING, "SCARD: No smart card readers "			   "available.");		goto failed;	}	/* readers is a list of available reader. Last entry is terminated with	 * double NUL.	 * TODO: add support for selecting the reader; now just use the first	 * one.. */	wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", readers);	ret = SCardConnect(scard->ctx, readers, SCARD_SHARE_SHARED,			   SCARD_PROTOCOL_T0, &scard->card, &scard->protocol);	if (ret != SCARD_S_SUCCESS) {		if (ret == SCARD_E_NO_SMARTCARD)			wpa_printf(MSG_INFO, "No smart card inserted.");		else			wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret);		goto failed;	}	free(readers);	readers = NULL;	wpa_printf(MSG_DEBUG, "SCARD: card=%ld active_protocol=%lu",		   scard->card, scard->protocol);	blen = sizeof(buf);	scard->sim_type = SCARD_GSM_SIM;	if (sim_type == SCARD_USIM_ONLY || sim_type == SCARD_TRY_BOTH) {		wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support");		if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen,				       SCARD_USIM, NULL, 0)) {			wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported");			if (sim_type == SCARD_USIM_ONLY)				goto failed;			wpa_printf(MSG_DEBUG, "SCARD: Trying to use GSM SIM");			scard->sim_type = SCARD_GSM_SIM;		} else {			wpa_printf(MSG_DEBUG, "SCARD: USIM is supported");			scard->sim_type = SCARD_USIM;		}	}	if (scard->sim_type == SCARD_GSM_SIM) {		blen = sizeof(buf);		if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) {			wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF");			goto failed;		}		blen = sizeof(buf);		if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) {			wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF");			goto failed;		}	} else {		unsigned char aid[32];		int aid_len;		aid_len = scard_get_aid(scard, aid, sizeof(aid));		if (aid_len < 0) {			wpa_printf(MSG_DEBUG, "SCARD: Failed to find AID for "				   "3G USIM app - try to use standard 3G RID");			memcpy(aid, "\xa0\x00\x00\x00\x87", 5);			aid_len = 5;		}		wpa_hexdump(MSG_DEBUG, "SCARD: 3G USIM AID", aid, aid_len);		/* Select based on AID = 3G RID from EF_DIR. This is usually		 * starting with A0 00 00 00 87. */		blen = sizeof(buf);		if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type,				       aid, aid_len)) {			wpa_printf(MSG_INFO, "SCARD: Failed to read 3G USIM "				   "app");			wpa_hexdump(MSG_INFO, "SCARD: 3G USIM AID",				    aid, aid_len);			goto failed;		}	}	/* Verify whether CHV1 (PIN1) is needed to access the card. */	pin_needed = scard_pin_needed(scard, buf, blen);	if (pin_needed < 0) {		wpa_printf(MSG_DEBUG, "SCARD: Failed to determine whether PIN "			   "is needed");		goto failed;	}	if (pin_needed) {		scard->pin1_required = 1;		wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access");	}	return scard;failed:	free(readers);	scard_deinit(scard);	return NULL;}/** * scard_set_pin - Set PIN (CHV1/PIN1) code for accessing SIM/USIM commands * @scard: Pointer to private data from scard_init() * pin: PIN code as an ASCII string (e.g., "1234") * Returns: 0 on success, -1 on failure */int scard_set_pin(struct scard_data *scard, const char *pin){	if (scard == NULL)		return -1;	/* Verify whether CHV1 (PIN1) is needed to access the card. */	if (scard->pin1_required) {		if (pin == NULL) {			wpa_printf(MSG_DEBUG, "No PIN configured for SIM "				   "access");			return -1;		}		if (scard_verify_pin(scard, pin)) {			wpa_printf(MSG_INFO, "PIN verification failed for "				"SIM access");			return -1;		}	}	return 0;}/** * scard_deinit - Deinitialize SIM/USIM connection * @scard: Pointer to private data from scard_init() * * This function closes the SIM/USIM connect opened with scard_init(). */void scard_deinit(struct scard_data *scard){	long ret;	if (scard == NULL)		return;	wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface");	if (scard->card) {		ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD);		if (ret != SCARD_S_SUCCESS) {			wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect "				   "smart card (err=%ld)", ret);		}	}	if (scard->ctx) {		ret = SCardReleaseContext(scard->ctx);		if (ret != SCARD_S_SUCCESS) {			wpa_printf(MSG_DEBUG, "Failed to release smart card "				   "context (err=%ld)", ret);		}	}	free(scard);}static long scard_transmit(struct scard_data *scard,			   unsigned char *send, size_t send_len,			   unsigned char *recv, size_t *recv_len){	long ret;	unsigned long rlen;	wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send",			send, send_len);	rlen = *recv_len;	ret = SCardTransmit(scard->card,			    scard->protocol == SCARD_PROTOCOL_T1 ?			    SCARD_PCI_T1 : SCARD_PCI_T0,			    send, (unsigned long) send_len,			    NULL, recv, &rlen);	*recv_len = rlen;	if (ret == SCARD_S_SUCCESS) {		wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv",			    recv, rlen);	} else {		wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "			   "(err=0x%lx)", ret);	}