2 * WPA Supplicant / PC/SC smartcard interface for USIM, GSM SIM
3 * Copyright (c) 2004-2005, Jouni Malinen <jkmaline@cc.hut.fi>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Alternatively, this software may be distributed under the terms of BSD
12 * See README and COPYING for more details.
21 #include "wpa_supplicant.h"
22 #include "pcsc_funcs.h"
25 /* See ETSI GSM 11.11 and ETSI TS 102 221 for details.
27 * Command APDU: CLA INS P1 P2 P3 Data
28 * CLA (class of instruction): A0 for GSM, 00 for USIM
30 * P1 P2 P3 (parameters, P3 = length of Data)
31 * Response APDU: Data SW1 SW2
32 * SW1 SW2 (Status words)
33 * Commands (INS P1 P2 P3):
34 * SELECT: A4 00 00 02 <file_id, 2 bytes>
35 * GET RESPONSE: C0 00 00 <len>
36 * RUN GSM ALG: 88 00 00 00 <RAND len = 10>
37 * RUN UMTS ALG: 88 00 81 <len=0x22> data: 0x10 | RAND | 0x10 | AUTN
38 * P1 = ID of alg in card
39 * P2 = ID of secret key
40 * READ BINARY: B0 <offset high> <offset low> <len>
41 * VERIFY CHV: 20 00 <CHV number> 08
42 * CHANGE CHV: 24 00 <CHV number> 10
43 * DISABLE CHV: 26 00 01 08
44 * ENABLE CHV: 28 00 01 08
45 * UNBLOCK CHV: 2C 00 <00=CHV1, 02=CHV2> 10
49 /* GSM SIM commands */
50 #define SIM_CMD_SELECT 0xa0, 0xa4, 0x00, 0x00, 0x02
51 #define SIM_CMD_RUN_GSM_ALG 0xa0, 0x88, 0x00, 0x00, 0x10
52 #define SIM_CMD_GET_RESPONSE 0xa0, 0xc0, 0x00, 0x00
53 #define SIM_CMD_READ_BIN 0xa0, 0xb0, 0x00, 0x00
54 #define SIM_CMD_VERIFY_CHV1 0xa0, 0x20, 0x00, 0x01, 0x08
58 #define USIM_CMD_RUN_UMTS_ALG 0x00, 0x88, 0x00, 0x81, 0x22
59 #define USIM_CMD_GET_RESPONSE 0x00, 0xc0, 0x00, 0x00
61 #define USIM_FSP_TEMPL_TAG 0x62
63 #define USIM_TLV_FILE_DESC 0x82
64 #define USIM_TLV_FILE_ID 0x83
65 #define USIM_TLV_DF_NAME 0x84
66 #define USIM_TLV_PROPR_INFO 0xA5
67 #define USIM_TLV_LIFE_CYCLE_STATUS 0x8A
68 #define USIM_TLV_FILE_SIZE 0x80
69 #define USIM_TLV_TOTAL_FILE_SIZE 0x81
70 #define USIM_TLV_PIN_STATUS_TEMPLATE 0xC6
71 #define USIM_TLV_SHORT_FILE_ID 0x88
73 #define USIM_PS_DO_TAG 0x90
75 #define AKA_RAND_LEN 16
76 #define AKA_AUTN_LEN 16
77 #define AKA_AUTS_LEN 14
78 #define RES_MAX_LEN 16
83 typedef enum { SCARD_GSM_SIM, SCARD_USIM } sim_types;
88 unsigned long protocol;
94 static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
95 unsigned char *buf, size_t *buf_len,
96 sim_types sim_type, unsigned char *aid);
97 static int scard_select_file(struct scard_data *scard, unsigned short file_id,
98 unsigned char *buf, size_t *buf_len);
99 static int scard_verify_pin(struct scard_data *scard, const char *pin);
102 static int scard_parse_fsp_templ(unsigned char *buf, size_t buf_len,
103 int *ps_do, int *file_len)
105 unsigned char *pos, *end;
114 if (*pos != USIM_FSP_TEMPL_TAG) {
115 wpa_printf(MSG_DEBUG, "SCARD: file header did not "
116 "start with FSP template tag");
122 if ((pos + pos[0]) < end)
123 end = pos + 1 + pos[0];
125 wpa_hexdump(MSG_DEBUG, "SCARD: file header FSP template",
128 while (pos + 1 < end) {
129 wpa_printf(MSG_MSGDUMP, "SCARD: file header TLV "
130 "0x%02x len=%d", pos[0], pos[1]);
131 if (pos + 2 + pos[1] > end)
134 if (pos[0] == USIM_TLV_FILE_SIZE &&
135 (pos[1] == 1 || pos[1] == 2) && file_len) {
137 *file_len = (int) pos[2];
139 *file_len = ((int) pos[2] << 8) |
141 wpa_printf(MSG_DEBUG, "SCARD: file_size=%d",
145 if (pos[0] == USIM_TLV_PIN_STATUS_TEMPLATE &&
146 pos[1] >= 2 && pos[2] == USIM_PS_DO_TAG &&
147 pos[3] >= 1 && ps_do) {
148 wpa_printf(MSG_DEBUG, "SCARD: PS_DO=0x%02x",
150 *ps_do = (int) pos[4];
162 static int scard_pin_needed(struct scard_data *scard,
163 unsigned char *hdr, size_t hlen)
165 if (scard->sim_type == SCARD_GSM_SIM) {
166 if (hlen > SCARD_CHV1_OFFSET &&
167 !(hdr[SCARD_CHV1_OFFSET] & SCARD_CHV1_FLAG))
172 if (scard->sim_type == SCARD_USIM) {
174 if (scard_parse_fsp_templ(hdr, hlen, &ps_do, NULL))
176 /* TODO: there could be more than one PS_DO entry because of
177 * multiple PINs in key reference.. */
186 struct scard_data * scard_init(scard_sim_type sim_type)
189 struct scard_data *scard;
190 char *readers = NULL;
194 wpa_printf(MSG_DEBUG, "SCARD: initializing smart card interface");
195 scard = malloc(sizeof(*scard));
198 memset(scard, 0, sizeof(*scard));
200 ret = SCardEstablishContext(SCARD_SCOPE_SYSTEM, NULL, NULL,
202 if (ret != SCARD_S_SUCCESS) {
203 wpa_printf(MSG_DEBUG, "SCARD: Could not establish smart card "
204 "context (err=%ld)", ret);
208 ret = SCardListReaders(scard->ctx, NULL, NULL, &len);
209 if (ret != SCARD_S_SUCCESS) {
210 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed "
215 readers = malloc(len);
216 if (readers == NULL) {
217 printf("malloc failed\n");
221 ret = SCardListReaders(scard->ctx, NULL, readers, &len);
222 if (ret != SCARD_S_SUCCESS) {
223 wpa_printf(MSG_DEBUG, "SCARD: SCardListReaders failed(2) "
228 wpa_printf(MSG_WARNING, "SCARD: No smart card readers "
232 /* readers is a list of available reader. Last entry is terminated with
234 * TODO: add support for selecting the reader; now just use the first
236 wpa_printf(MSG_DEBUG, "SCARD: Selected reader='%s'", readers);
238 ret = SCardConnect(scard->ctx, readers, SCARD_SHARE_SHARED,
239 SCARD_PROTOCOL_T0, &scard->card, &scard->protocol);
240 if (ret != SCARD_S_SUCCESS) {
241 if (ret == SCARD_E_NO_SMARTCARD)
242 wpa_printf(MSG_INFO, "No smart card inserted.");
244 wpa_printf(MSG_WARNING, "SCardConnect err=%lx", ret);
251 wpa_printf(MSG_DEBUG, "SCARD: card=%ld active_protocol=%lu",
252 scard->card, scard->protocol);
256 scard->sim_type = SCARD_GSM_SIM;
257 if (sim_type == SCARD_USIM_ONLY || sim_type == SCARD_TRY_BOTH) {
258 wpa_printf(MSG_DEBUG, "SCARD: verifying USIM support");
259 if (_scard_select_file(scard, SCARD_FILE_MF, buf, &blen,
261 wpa_printf(MSG_DEBUG, "SCARD: USIM is not supported");
262 if (sim_type == SCARD_USIM_ONLY)
264 wpa_printf(MSG_DEBUG, "SCARD: Trying to use GSM SIM");
265 scard->sim_type = SCARD_GSM_SIM;
267 wpa_printf(MSG_DEBUG, "SCARD: USIM is supported");
268 scard->sim_type = SCARD_USIM;
272 if (scard->sim_type == SCARD_GSM_SIM) {
274 if (scard_select_file(scard, SCARD_FILE_MF, buf, &blen)) {
275 wpa_printf(MSG_DEBUG, "SCARD: Failed to read MF");
280 if (scard_select_file(scard, SCARD_FILE_GSM_DF, buf, &blen)) {
281 wpa_printf(MSG_DEBUG, "SCARD: Failed to read GSM DF");
285 /* Select based on AID = 3G RID */
287 if (_scard_select_file(scard, 0, buf, &blen, scard->sim_type,
288 "\xA0\x00\x00\x00\x87")) {
289 wpa_printf(MSG_DEBUG, "SCARD: Failed to read 3G RID "
295 /* Verify whether CHV1 (PIN1) is needed to access the card. */
296 if (scard_pin_needed(scard, buf, blen)) {
297 scard->pin1_required = 1;
298 wpa_printf(MSG_DEBUG, "PIN1 needed for SIM access");
310 int scard_set_pin(struct scard_data *scard, const char *pin)
315 /* Verify whether CHV1 (PIN1) is needed to access the card. */
316 if (scard->pin1_required) {
318 wpa_printf(MSG_DEBUG, "No PIN configured for SIM "
322 if (scard_verify_pin(scard, pin)) {
323 wpa_printf(MSG_INFO, "PIN verification failed for "
333 void scard_deinit(struct scard_data *scard)
340 wpa_printf(MSG_DEBUG, "SCARD: deinitializing smart card interface");
342 ret = SCardDisconnect(scard->card, SCARD_UNPOWER_CARD);
343 if (ret != SCARD_S_SUCCESS) {
344 wpa_printf(MSG_DEBUG, "SCARD: Failed to disconnect "
345 "smart card (err=%ld)", ret);
350 ret = SCardReleaseContext(scard->ctx);
351 if (ret != SCARD_S_SUCCESS) {
352 wpa_printf(MSG_DEBUG, "Failed to release smart card "
353 "context (err=%ld)", ret);
360 static long scard_transmit(struct scard_data *scard,
361 unsigned char *send, size_t send_len,
362 unsigned char *recv, size_t *recv_len)
367 wpa_hexdump_key(MSG_DEBUG, "SCARD: scard_transmit: send",
370 ret = SCardTransmit(scard->card,
371 scard->protocol == SCARD_PROTOCOL_T1 ?
372 SCARD_PCI_T1 : SCARD_PCI_T0,
373 send, (unsigned long) send_len,
376 if (ret == SCARD_S_SUCCESS) {
377 wpa_hexdump(MSG_DEBUG, "SCARD: scard_transmit: recv",
380 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
387 static int _scard_select_file(struct scard_data *scard, unsigned short file_id,
388 unsigned char *buf, size_t *buf_len,
389 sim_types sim_type, unsigned char *aid)
392 unsigned char resp[3];
393 unsigned char cmd[10] = { SIM_CMD_SELECT };
395 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
398 if (sim_type == SCARD_USIM) {
401 get_resp[0] = USIM_CLA;
404 wpa_printf(MSG_DEBUG, "SCARD: select file %04x", file_id);
406 cmd[2] = 0x04; /* Select by AID */
407 cmd[4] = 5; /* len */
408 memcpy(cmd + 5, aid, 5);
411 cmd[5] = file_id >> 8;
412 cmd[6] = file_id & 0xff;
416 ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
417 if (ret != SCARD_S_SUCCESS) {
418 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit failed "
424 wpa_printf(MSG_WARNING, "SCARD: unexpected resp len "
425 "%d (expected 2)", (int) len);
429 if (resp[0] == 0x98 && resp[1] == 0x04) {
430 /* Security status not satisfied (PIN_WLAN) */
431 wpa_printf(MSG_WARNING, "SCARD: Security status not satisfied "
436 if (resp[0] == 0x6e) {
437 wpa_printf(MSG_DEBUG, "SCARD: used CLA not supported");
441 if (resp[0] != 0x6c && resp[0] != 0x9f && resp[0] != 0x61) {
442 wpa_printf(MSG_WARNING, "SCARD: unexpected response 0x%02x "
443 "(expected 0x61, 0x6c, or 0x9f)", resp[0]);
446 /* Normal ending of command; resp[1] bytes available */
447 get_resp[4] = resp[1];
448 wpa_printf(MSG_DEBUG, "SCARD: trying to get response (%d bytes)",
452 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &rlen);
453 if (ret == SCARD_S_SUCCESS) {
454 *buf_len = resp[1] < rlen ? resp[1] : rlen;
458 wpa_printf(MSG_WARNING, "SCARD: SCardTransmit err=0x%lx\n", ret);
463 static int scard_select_file(struct scard_data *scard, unsigned short file_id,
464 unsigned char *buf, size_t *buf_len)
466 return _scard_select_file(scard, file_id, buf, buf_len,
467 scard->sim_type, NULL);
471 static int scard_read_file(struct scard_data *scard,
472 unsigned char *data, size_t len)
474 char cmd[5] = { SIM_CMD_READ_BIN, len };
475 size_t blen = len + 3;
483 if (scard->sim_type == SCARD_USIM)
485 ret = scard_transmit(scard, cmd, sizeof(cmd), buf, &blen);
486 if (ret != SCARD_S_SUCCESS) {
490 if (blen != len + 2) {
491 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
492 "length %d (expected %d)", blen, len + 2);
497 if (buf[len] != 0x90 || buf[len + 1] != 0x00) {
498 wpa_printf(MSG_DEBUG, "SCARD: file read returned unexpected "
499 "status %02x %02x (expected 90 00)",
500 buf[len], buf[len + 1]);
505 memcpy(data, buf, len);
512 static int scard_verify_pin(struct scard_data *scard, const char *pin)
515 unsigned char resp[3];
516 char cmd[5 + 8] = { SIM_CMD_VERIFY_CHV1 };
519 wpa_printf(MSG_DEBUG, "SCARD: verifying PIN");
521 if (pin == NULL || strlen(pin) > 8)
524 if (scard->sim_type == SCARD_USIM)
526 memcpy(cmd + 5, pin, strlen(pin));
527 memset(cmd + 5 + strlen(pin), 0xff, 8 - strlen(pin));
530 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
531 if (ret != SCARD_S_SUCCESS)
534 if (len != 2 || resp[0] != 0x90 || resp[1] != 0x00) {
535 wpa_printf(MSG_WARNING, "SCARD: PIN verification failed");
539 wpa_printf(MSG_DEBUG, "SCARD: PIN verified successfully");
544 int scard_get_imsi(struct scard_data *scard, char *imsi, size_t *len)
547 size_t blen, imsilen;
551 wpa_printf(MSG_DEBUG, "SCARD: reading IMSI from (GSM) EF-IMSI");
553 if (scard_select_file(scard, SCARD_FILE_GSM_EF_IMSI, buf, &blen))
556 wpa_printf(MSG_WARNING, "SCARD: too short (GSM) EF-IMSI "
557 "header (len=%d)", blen);
561 if (scard->sim_type == SCARD_GSM_SIM) {
562 blen = (buf[2] << 8) | buf[3];
565 if (scard_parse_fsp_templ(buf, blen, NULL, &file_size))
569 if (blen < 2 || blen > sizeof(buf)) {
570 wpa_printf(MSG_DEBUG, "SCARD: invalid IMSI file length=%d",
575 imsilen = (blen - 2) * 2 + 1;
576 wpa_printf(MSG_DEBUG, "SCARD: IMSI file length=%d imsilen=%d",
578 if (blen < 2 || imsilen > *len) {
583 if (scard_read_file(scard, buf, blen))
587 *pos++ = '0' + (buf[1] >> 4 & 0x0f);
588 for (i = 2; i < blen; i++) {
591 digit = buf[i] & 0x0f;
593 *pos++ = '0' + digit;
597 digit = buf[i] >> 4 & 0x0f;
599 *pos++ = '0' + digit;
609 int scard_gsm_auth(struct scard_data *scard, unsigned char *rand,
610 unsigned char *sres, unsigned char *kc)
612 unsigned char cmd[5 + 1 + 16] = { SIM_CMD_RUN_GSM_ALG };
614 unsigned char get_resp[5] = { SIM_CMD_GET_RESPONSE };
615 unsigned char resp[3], buf[12 + 3 + 2];
622 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - RAND", rand, 16);
623 if (scard->sim_type == SCARD_GSM_SIM) {
625 memcpy(cmd + 5, rand, 16);
632 memcpy(cmd + 6, rand, 16);
635 ret = scard_transmit(scard, cmd, cmdlen, resp, &len);
636 if (ret != SCARD_S_SUCCESS)
639 if ((scard->sim_type == SCARD_GSM_SIM &&
640 (len != 2 || resp[0] != 0x9f || resp[1] != 0x0c)) ||
641 (scard->sim_type == SCARD_USIM &&
642 (len != 2 || resp[0] != 0x61 || resp[1] != 0x0e))) {
643 wpa_printf(MSG_WARNING, "SCARD: unexpected response for GSM "
644 "auth request (len=%d resp=%02x %02x)",
645 len, resp[0], resp[1]);
648 get_resp[4] = resp[1];
651 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
652 if (ret != SCARD_S_SUCCESS)
655 if (scard->sim_type == SCARD_GSM_SIM) {
656 if (len != 4 + 8 + 2) {
657 wpa_printf(MSG_WARNING, "SCARD: unexpected data "
658 "length for GSM auth (len=%d, expected 14)",
662 memcpy(sres, buf, 4);
663 memcpy(kc, buf + 4, 8);
665 if (len != 1 + 4 + 1 + 8 + 2) {
666 wpa_printf(MSG_WARNING, "SCARD: unexpected data "
667 "length for USIM auth (len=%d, "
668 "expected 16)", len);
671 if (buf[0] != 4 || buf[5] != 8) {
672 wpa_printf(MSG_WARNING, "SCARD: unexpected SREC/Kc "
673 "length (%d %d, expected 4 8)",
676 memcpy(sres, buf + 1, 4);
677 memcpy(kc, buf + 6, 8);
680 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - SRES", sres, 4);
681 wpa_hexdump(MSG_DEBUG, "SCARD: GSM auth - Kc", kc, 8);
687 int scard_umts_auth(struct scard_data *scard, unsigned char *rand,
688 unsigned char *autn, unsigned char *res, size_t *res_len,
689 unsigned char *ik, unsigned char *ck, unsigned char *auts)
691 unsigned char cmd[5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN] =
692 { USIM_CMD_RUN_UMTS_ALG };
694 unsigned char get_resp[5] = { USIM_CMD_GET_RESPONSE };
695 unsigned char resp[3], buf[64], *pos, *end;
702 if (scard->sim_type == SCARD_GSM_SIM) {
703 wpa_printf(MSG_ERROR, "SCARD: Non-USIM card - cannot do UMTS "
708 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - RAND", rand, AKA_RAND_LEN);
709 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS auth - AUTN", autn, AKA_AUTN_LEN);
710 cmdlen = 5 + 1 + AKA_RAND_LEN + 1 + AKA_AUTN_LEN;
711 cmd[5] = AKA_RAND_LEN;
712 memcpy(cmd + 6, rand, AKA_RAND_LEN);
713 cmd[6 + AKA_RAND_LEN] = AKA_AUTN_LEN;
714 memcpy(cmd + 6 + AKA_RAND_LEN + 1, autn, AKA_AUTN_LEN);
717 ret = scard_transmit(scard, cmd, sizeof(cmd), resp, &len);
718 if (ret != SCARD_S_SUCCESS)
721 if (len >= 0 && len <= sizeof(resp))
722 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS alg response", resp, len);
724 if (len == 2 && resp[0] == 0x98 && resp[1] == 0x62) {
725 wpa_printf(MSG_WARNING, "SCARD: UMTS auth failed - "
728 } else if (len != 2 || resp[0] != 0x61) {
729 wpa_printf(MSG_WARNING, "SCARD: unexpected response for UMTS "
730 "auth request (len=%d resp=%02x %02x)",
731 len, resp[0], resp[1]);
734 get_resp[4] = resp[1];
737 ret = scard_transmit(scard, get_resp, sizeof(get_resp), buf, &len);
738 if (ret != SCARD_S_SUCCESS || len < 0 || len > sizeof(buf))
741 wpa_hexdump(MSG_DEBUG, "SCARD: UMTS get response result", buf, len);
742 if (len >= 2 + AKA_AUTS_LEN && buf[0] == 0xdc &&
743 buf[1] == AKA_AUTS_LEN) {
744 wpa_printf(MSG_DEBUG, "SCARD: UMTS Synchronization-Failure");
745 memcpy(auts, buf + 2, AKA_AUTS_LEN);
746 wpa_hexdump(MSG_DEBUG, "SCARD: AUTS", auts, AKA_AUTS_LEN);
748 } else if (len >= 6 + IK_LEN + CK_LEN && buf[0] == 0xdb) {
753 if (pos[0] > RES_MAX_LEN || pos + pos[0] > end) {
754 wpa_printf(MSG_DEBUG, "SCARD: Invalid RES");
758 memcpy(res, pos, *res_len);
760 wpa_hexdump(MSG_DEBUG, "SCARD: RES", res, *res_len);
763 if (pos[0] != CK_LEN || pos + CK_LEN > end) {
764 wpa_printf(MSG_DEBUG, "SCARD: Invalid CK");
768 memcpy(ck, pos, CK_LEN);
770 wpa_hexdump(MSG_DEBUG, "SCARD: CK", ck, CK_LEN);
773 if (pos[0] != IK_LEN || pos + IK_LEN > end) {
774 wpa_printf(MSG_DEBUG, "SCARD: Invalid IK");
778 memcpy(ik, pos, IK_LEN);
780 wpa_hexdump(MSG_DEBUG, "SCARD: IK", ik, IK_LEN);
785 wpa_printf(MSG_DEBUG, "SCARD: Unrecognized response");