Line data Source code
1 : /*
2 : * UPnP SSDP for WPS
3 : * Copyright (c) 2000-2003 Intel Corporation
4 : * Copyright (c) 2006-2007 Sony Corporation
5 : * Copyright (c) 2008-2009 Atheros Communications
6 : * Copyright (c) 2009-2013, Jouni Malinen <j@w1.fi>
7 : *
8 : * See wps_upnp.c for more details on licensing and code history.
9 : */
10 :
11 : #include "includes.h"
12 :
13 : #include <fcntl.h>
14 : #include <sys/ioctl.h>
15 : #include <net/route.h>
16 : #ifdef __linux__
17 : #include <net/if.h>
18 : #endif /* __linux__ */
19 :
20 : #include "common.h"
21 : #include "uuid.h"
22 : #include "eloop.h"
23 : #include "wps.h"
24 : #include "wps_upnp.h"
25 : #include "wps_upnp_i.h"
26 :
27 : #define UPNP_CACHE_SEC (UPNP_CACHE_SEC_MIN + 1) /* cache time we use */
28 : #define UPNP_CACHE_SEC_MIN 1800 /* min cachable time per UPnP standard */
29 : #define UPNP_ADVERTISE_REPEAT 2 /* no more than 3 */
30 : #define MAX_MSEARCH 20 /* max simultaneous M-SEARCH replies ongoing */
31 : #define SSDP_TARGET "239.0.0.0"
32 : #define SSDP_NETMASK "255.0.0.0"
33 :
34 :
35 : /* Check tokens for equality, where tokens consist of letters, digits,
36 : * underscore and hyphen, and are matched case insensitive.
37 : */
38 1132 : static int token_eq(const char *s1, const char *s2)
39 : {
40 : int c1;
41 : int c2;
42 1132 : int end1 = 0;
43 1132 : int end2 = 0;
44 : for (;;) {
45 2102 : c1 = *s1++;
46 2102 : c2 = *s2++;
47 2102 : if (isalpha(c1) && isupper(c1))
48 1429 : c1 = tolower(c1);
49 2102 : if (isalpha(c2) && isupper(c2))
50 0 : c2 = tolower(c2);
51 2102 : end1 = !(isalnum(c1) || c1 == '_' || c1 == '-');
52 2102 : end2 = !(isalnum(c2) || c2 == '_' || c2 == '-');
53 2102 : if (end1 || end2 || c1 != c2)
54 : break;
55 970 : }
56 1132 : return end1 && end2; /* reached end of both words? */
57 : }
58 :
59 :
60 : /* Return length of token (see above for definition of token) */
61 242 : static int token_length(const char *s)
62 : {
63 242 : const char *begin = s;
64 565 : for (;; s++) {
65 807 : int c = *s;
66 807 : int end = !(isalnum(c) || c == '_' || c == '-');
67 807 : if (end)
68 242 : break;
69 565 : }
70 242 : return s - begin;
71 : }
72 :
73 :
74 : /* return length of interword separation.
75 : * This accepts only spaces/tabs and thus will not traverse a line
76 : * or buffer ending.
77 : */
78 481 : static int word_separation_length(const char *s)
79 : {
80 481 : const char *begin = s;
81 244 : for (;; s++) {
82 725 : int c = *s;
83 725 : if (c == ' ' || c == '\t')
84 244 : continue;
85 481 : break;
86 244 : }
87 481 : return s - begin;
88 : }
89 :
90 :
91 : /* No. of chars through (including) end of line */
92 486 : static int line_length(const char *l)
93 : {
94 486 : const char *lp = l;
95 10124 : while (*lp && *lp != '\n')
96 9152 : lp++;
97 486 : if (*lp == '\n')
98 485 : lp++;
99 486 : return lp - l;
100 : }
101 :
102 :
103 789 : static int str_starts(const char *str, const char *start)
104 : {
105 789 : return os_strncmp(str, start, os_strlen(start)) == 0;
106 : }
107 :
108 :
109 : /***************************************************************************
110 : * Advertisements.
111 : * These are multicast to the world to tell them we are here.
112 : * The individual packets are spread out in time to limit loss,
113 : * and then after a much longer period of time the whole sequence
114 : * is repeated again (for NOTIFYs only).
115 : **************************************************************************/
116 :
117 : /**
118 : * next_advertisement - Build next message and advance the state machine
119 : * @a: Advertisement state
120 : * @islast: Buffer for indicating whether this is the last message (= 1)
121 : * Returns: The new message (caller is responsible for freeing this)
122 : *
123 : * Note: next_advertisement is shared code with msearchreply_* functions
124 : */
125 : static struct wpabuf *
126 772 : next_advertisement(struct upnp_wps_device_sm *sm,
127 : struct advertisement_state_machine *a, int *islast)
128 : {
129 : struct wpabuf *msg;
130 772 : char *NTString = "";
131 : char uuid_string[80];
132 : struct upnp_wps_device_interface *iface;
133 :
134 772 : *islast = 0;
135 772 : iface = dl_list_first(&sm->interfaces,
136 : struct upnp_wps_device_interface, list);
137 772 : if (!iface)
138 0 : return NULL;
139 772 : uuid_bin2str(iface->wps->uuid, uuid_string, sizeof(uuid_string));
140 772 : msg = wpabuf_alloc(800); /* more than big enough */
141 772 : if (msg == NULL)
142 0 : goto fail;
143 772 : switch (a->type) {
144 : case ADVERTISE_UP:
145 : case ADVERTISE_DOWN:
146 360 : NTString = "NT";
147 360 : wpabuf_put_str(msg, "NOTIFY * HTTP/1.1\r\n");
148 360 : wpabuf_printf(msg, "HOST: %s:%d\r\n",
149 : UPNP_MULTICAST_ADDRESS, UPNP_MULTICAST_PORT);
150 360 : wpabuf_printf(msg, "CACHE-CONTROL: max-age=%d\r\n",
151 : UPNP_CACHE_SEC);
152 360 : wpabuf_printf(msg, "NTS: %s\r\n",
153 360 : (a->type == ADVERTISE_UP ?
154 : "ssdp:alive" : "ssdp:byebye"));
155 360 : break;
156 : case MSEARCH_REPLY:
157 412 : NTString = "ST";
158 412 : wpabuf_put_str(msg, "HTTP/1.1 200 OK\r\n");
159 412 : wpabuf_printf(msg, "CACHE-CONTROL: max-age=%d\r\n",
160 : UPNP_CACHE_SEC);
161 :
162 412 : wpabuf_put_str(msg, "DATE: ");
163 412 : format_date(msg);
164 412 : wpabuf_put_str(msg, "\r\n");
165 :
166 412 : wpabuf_put_str(msg, "EXT:\r\n");
167 412 : break;
168 : }
169 :
170 772 : if (a->type != ADVERTISE_DOWN) {
171 : /* Where others may get our XML files from */
172 532 : wpabuf_printf(msg, "LOCATION: http://%s:%d/%s\r\n",
173 : sm->ip_addr_text, sm->web_port,
174 : UPNP_WPS_DEVICE_XML_FILE);
175 : }
176 :
177 : /* The SERVER line has three comma-separated fields:
178 : * operating system / version
179 : * upnp version
180 : * software package / version
181 : * However, only the UPnP version is really required, the
182 : * others can be place holders... for security reasons
183 : * it is better to NOT provide extra information.
184 : */
185 772 : wpabuf_put_str(msg, "SERVER: Unspecified, UPnP/1.0, Unspecified\r\n");
186 :
187 772 : switch (a->state / UPNP_ADVERTISE_REPEAT) {
188 : case 0:
189 208 : wpabuf_printf(msg, "%s: upnp:rootdevice\r\n", NTString);
190 208 : wpabuf_printf(msg, "USN: uuid:%s::upnp:rootdevice\r\n",
191 : uuid_string);
192 208 : break;
193 : case 1:
194 208 : wpabuf_printf(msg, "%s: uuid:%s\r\n", NTString, uuid_string);
195 208 : wpabuf_printf(msg, "USN: uuid:%s\r\n", uuid_string);
196 208 : break;
197 : case 2:
198 184 : wpabuf_printf(msg, "%s: urn:schemas-wifialliance-org:device:"
199 : "WFADevice:1\r\n", NTString);
200 184 : wpabuf_printf(msg, "USN: uuid:%s::urn:schemas-wifialliance-"
201 : "org:device:WFADevice:1\r\n", uuid_string);
202 184 : break;
203 : case 3:
204 172 : wpabuf_printf(msg, "%s: urn:schemas-wifialliance-org:service:"
205 : "WFAWLANConfig:1\r\n", NTString);
206 172 : wpabuf_printf(msg, "USN: uuid:%s::urn:schemas-wifialliance-"
207 : "org:service:WFAWLANConfig:1\r\n", uuid_string);
208 172 : break;
209 : }
210 772 : wpabuf_put_str(msg, "\r\n");
211 :
212 772 : if (a->state + 1 >= 4 * UPNP_ADVERTISE_REPEAT)
213 85 : *islast = 1;
214 :
215 772 : return msg;
216 :
217 : fail:
218 0 : wpabuf_free(msg);
219 0 : return NULL;
220 : }
221 :
222 :
223 : static void advertisement_state_machine_handler(void *eloop_data,
224 : void *user_ctx);
225 :
226 :
227 : /**
228 : * advertisement_state_machine_stop - Stop SSDP advertisements
229 : * @sm: WPS UPnP state machine from upnp_wps_device_init()
230 : * @send_byebye: Send byebye advertisement messages immediately
231 : */
232 30 : void advertisement_state_machine_stop(struct upnp_wps_device_sm *sm,
233 : int send_byebye)
234 : {
235 30 : struct advertisement_state_machine *a = &sm->advertisement;
236 30 : int islast = 0;
237 : struct wpabuf *msg;
238 : struct sockaddr_in dest;
239 :
240 30 : eloop_cancel_timeout(advertisement_state_machine_handler, NULL, sm);
241 30 : if (!send_byebye || sm->multicast_sd < 0)
242 45 : return;
243 :
244 15 : a->type = ADVERTISE_DOWN;
245 15 : a->state = 0;
246 :
247 15 : os_memset(&dest, 0, sizeof(dest));
248 15 : dest.sin_family = AF_INET;
249 15 : dest.sin_addr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS);
250 15 : dest.sin_port = htons(UPNP_MULTICAST_PORT);
251 :
252 150 : while (!islast) {
253 120 : msg = next_advertisement(sm, a, &islast);
254 120 : if (msg == NULL)
255 0 : break;
256 120 : if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg),
257 : 0, (struct sockaddr *) &dest, sizeof(dest)) < 0) {
258 0 : wpa_printf(MSG_INFO, "WPS UPnP: Advertisement sendto "
259 0 : "failed: %d (%s)", errno, strerror(errno));
260 : }
261 120 : wpabuf_free(msg);
262 120 : a->state++;
263 : }
264 : }
265 :
266 :
267 240 : static void advertisement_state_machine_handler(void *eloop_data,
268 : void *user_ctx)
269 : {
270 240 : struct upnp_wps_device_sm *sm = user_ctx;
271 240 : struct advertisement_state_machine *a = &sm->advertisement;
272 : struct wpabuf *msg;
273 240 : int next_timeout_msec = 100;
274 240 : int next_timeout_sec = 0;
275 : struct sockaddr_in dest;
276 240 : int islast = 0;
277 :
278 : /*
279 : * Each is sent twice (in case lost) w/ 100 msec delay between;
280 : * spec says no more than 3 times.
281 : * One pair for rootdevice, one pair for uuid, and a pair each for
282 : * each of the two urns.
283 : * The entire sequence must be repeated before cache control timeout
284 : * (which is min 1800 seconds),
285 : * recommend random portion of half of the advertised cache control age
286 : * to ensure against loss... perhaps 1800/4 + rand*1800/4 ?
287 : * Delay random interval < 100 msec prior to initial sending.
288 : * TTL of 4
289 : */
290 :
291 240 : wpa_printf(MSG_MSGDUMP, "WPS UPnP: Advertisement state=%d", a->state);
292 240 : msg = next_advertisement(sm, a, &islast);
293 240 : if (msg == NULL)
294 240 : return;
295 :
296 240 : os_memset(&dest, 0, sizeof(dest));
297 240 : dest.sin_family = AF_INET;
298 240 : dest.sin_addr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS);
299 240 : dest.sin_port = htons(UPNP_MULTICAST_PORT);
300 :
301 240 : if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 0,
302 : (struct sockaddr *) &dest, sizeof(dest)) == -1) {
303 0 : wpa_printf(MSG_ERROR, "WPS UPnP: Advertisement sendto failed:"
304 0 : "%d (%s)", errno, strerror(errno));
305 0 : next_timeout_msec = 0;
306 0 : next_timeout_sec = 10; /* ... later */
307 240 : } else if (islast) {
308 30 : a->state = 0; /* wrap around */
309 30 : if (a->type == ADVERTISE_DOWN) {
310 15 : wpa_printf(MSG_DEBUG, "WPS UPnP: ADVERTISE_DOWN->UP");
311 15 : a->type = ADVERTISE_UP;
312 : /* do it all over again right away */
313 : } else {
314 : u16 r;
315 : /*
316 : * Start over again after a long timeout
317 : * (see notes above)
318 : */
319 15 : next_timeout_msec = 0;
320 15 : os_get_random((void *) &r, sizeof(r));
321 15 : next_timeout_sec = UPNP_CACHE_SEC / 4 +
322 15 : (((UPNP_CACHE_SEC / 4) * r) >> 16);
323 15 : sm->advertise_count++;
324 15 : wpa_printf(MSG_DEBUG, "WPS UPnP: ADVERTISE_UP (#%u); "
325 : "next in %d sec",
326 : sm->advertise_count, next_timeout_sec);
327 : }
328 : } else {
329 210 : a->state++;
330 : }
331 :
332 240 : wpabuf_free(msg);
333 :
334 240 : eloop_register_timeout(next_timeout_sec, next_timeout_msec,
335 : advertisement_state_machine_handler, NULL, sm);
336 : }
337 :
338 :
339 : /**
340 : * advertisement_state_machine_start - Start SSDP advertisements
341 : * @sm: WPS UPnP state machine from upnp_wps_device_init()
342 : * Returns: 0 on success, -1 on failure
343 : */
344 15 : int advertisement_state_machine_start(struct upnp_wps_device_sm *sm)
345 : {
346 15 : struct advertisement_state_machine *a = &sm->advertisement;
347 : int next_timeout_msec;
348 :
349 15 : advertisement_state_machine_stop(sm, 0);
350 :
351 : /*
352 : * Start out advertising down, this automatically switches
353 : * to advertising up which signals our restart.
354 : */
355 15 : a->type = ADVERTISE_DOWN;
356 15 : a->state = 0;
357 : /* (other fields not used here) */
358 :
359 : /* First timeout should be random interval < 100 msec */
360 15 : next_timeout_msec = (100 * (os_random() & 0xFF)) >> 8;
361 15 : return eloop_register_timeout(0, next_timeout_msec,
362 : advertisement_state_machine_handler,
363 : NULL, sm);
364 : }
365 :
366 :
367 : /***************************************************************************
368 : * M-SEARCH replies
369 : * These are very similar to the multicast advertisements, with some
370 : * small changes in data content; and they are sent (UDP) to a specific
371 : * unicast address instead of multicast.
372 : * They are sent in response to a UDP M-SEARCH packet.
373 : **************************************************************************/
374 :
375 : /**
376 : * msearchreply_state_machine_stop - Stop M-SEARCH reply state machine
377 : * @a: Selected advertisement/reply state
378 : */
379 60 : void msearchreply_state_machine_stop(struct advertisement_state_machine *a)
380 : {
381 60 : wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH stop");
382 60 : dl_list_del(&a->list);
383 60 : os_free(a);
384 60 : }
385 :
386 :
387 412 : static void msearchreply_state_machine_handler(void *eloop_data,
388 : void *user_ctx)
389 : {
390 412 : struct advertisement_state_machine *a = user_ctx;
391 412 : struct upnp_wps_device_sm *sm = eloop_data;
392 : struct wpabuf *msg;
393 412 : int next_timeout_msec = 100;
394 412 : int next_timeout_sec = 0;
395 412 : int islast = 0;
396 :
397 : /*
398 : * Each response is sent twice (in case lost) w/ 100 msec delay
399 : * between; spec says no more than 3 times.
400 : * One pair for rootdevice, one pair for uuid, and a pair each for
401 : * each of the two urns.
402 : */
403 :
404 : /* TODO: should only send the requested response types */
405 :
406 412 : wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH reply state=%d (%s:%d)",
407 : a->state, inet_ntoa(a->client.sin_addr),
408 412 : ntohs(a->client.sin_port));
409 412 : msg = next_advertisement(sm, a, &islast);
410 412 : if (msg == NULL)
411 40 : return;
412 :
413 : /*
414 : * Send it on the multicast socket to avoid having to set up another
415 : * socket.
416 : */
417 412 : if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 0,
418 412 : (struct sockaddr *) &a->client, sizeof(a->client)) < 0) {
419 0 : wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply sendto "
420 : "errno %d (%s) for %s:%d",
421 0 : errno, strerror(errno),
422 : inet_ntoa(a->client.sin_addr),
423 0 : ntohs(a->client.sin_port));
424 : /* Ignore error and hope for the best */
425 : }
426 412 : wpabuf_free(msg);
427 412 : if (islast) {
428 40 : wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply done");
429 40 : msearchreply_state_machine_stop(a);
430 40 : return;
431 : }
432 372 : a->state++;
433 :
434 372 : wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH reply in %d.%03d sec",
435 : next_timeout_sec, next_timeout_msec);
436 372 : eloop_register_timeout(next_timeout_sec, next_timeout_msec,
437 : msearchreply_state_machine_handler, sm, a);
438 : }
439 :
440 :
441 : /**
442 : * msearchreply_state_machine_start - Reply to M-SEARCH discovery request
443 : * @sm: WPS UPnP state machine from upnp_wps_device_init()
444 : * @client: Client address
445 : * @mx: Maximum delay in seconds
446 : *
447 : * Use TTL of 4 (this was done when socket set up).
448 : * A response should be given in randomized portion of min(MX,120) seconds
449 : *
450 : * UPnP-arch-DeviceArchitecture, 1.2.3:
451 : * To be found, a device must send a UDP response to the source IP address and
452 : * port that sent the request to the multicast channel. Devices respond if the
453 : * ST header of the M-SEARCH request is "ssdp:all", "upnp:rootdevice", "uuid:"
454 : * followed by a UUID that exactly matches one advertised by the device.
455 : */
456 70 : static void msearchreply_state_machine_start(struct upnp_wps_device_sm *sm,
457 : struct sockaddr_in *client,
458 : int mx)
459 : {
460 : struct advertisement_state_machine *a;
461 : int next_timeout_sec;
462 : int next_timeout_msec;
463 : int replies;
464 :
465 70 : replies = dl_list_len(&sm->msearch_replies);
466 70 : wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply start (%d "
467 : "outstanding)", replies);
468 70 : if (replies >= MAX_MSEARCH) {
469 10 : wpa_printf(MSG_INFO, "WPS UPnP: Too many outstanding "
470 : "M-SEARCH replies");
471 10 : return;
472 : }
473 :
474 60 : a = os_zalloc(sizeof(*a));
475 60 : if (a == NULL)
476 0 : return;
477 60 : a->type = MSEARCH_REPLY;
478 60 : a->state = 0;
479 60 : os_memcpy(&a->client, client, sizeof(*client));
480 : /* Wait time depending on MX value */
481 60 : next_timeout_msec = (1000 * mx * (os_random() & 0xFF)) >> 8;
482 60 : next_timeout_sec = next_timeout_msec / 1000;
483 60 : next_timeout_msec = next_timeout_msec % 1000;
484 60 : if (eloop_register_timeout(next_timeout_sec, next_timeout_msec,
485 : msearchreply_state_machine_handler, sm,
486 : a)) {
487 : /* No way to recover (from malloc failure) */
488 0 : goto fail;
489 : }
490 : /* Remember for future cleanup */
491 60 : dl_list_add(&sm->msearch_replies, &a->list);
492 60 : return;
493 :
494 : fail:
495 0 : wpa_printf(MSG_INFO, "WPS UPnP: M-SEARCH reply failure!");
496 0 : eloop_cancel_timeout(msearchreply_state_machine_handler, sm, a);
497 0 : os_free(a);
498 : }
499 :
500 :
501 : /**
502 : * ssdp_parse_msearch - Process a received M-SEARCH
503 : * @sm: WPS UPnP state machine from upnp_wps_device_init()
504 : * @client: Client address
505 : * @data: NULL terminated M-SEARCH message
506 : *
507 : * Given that we have received a header w/ M-SEARCH, act upon it
508 : *
509 : * Format of M-SEARCH (case insensitive!):
510 : *
511 : * First line must be:
512 : * M-SEARCH * HTTP/1.1
513 : * Other lines in arbitrary order:
514 : * HOST:239.255.255.250:1900
515 : * ST:<varies -- must match>
516 : * MAN:"ssdp:discover"
517 : * MX:<varies>
518 : *
519 : * It should be noted that when Microsoft Vista is still learning its IP
520 : * address, it sends out host lines like: HOST:[FF02::C]:1900
521 : */
522 83 : static void ssdp_parse_msearch(struct upnp_wps_device_sm *sm,
523 : struct sockaddr_in *client, const char *data)
524 : {
525 : #ifndef CONFIG_NO_STDOUT_DEBUG
526 83 : const char *start = data;
527 : #endif /* CONFIG_NO_STDOUT_DEBUG */
528 83 : int got_host = 0;
529 83 : int got_st = 0, st_match = 0;
530 83 : int got_man = 0;
531 83 : int got_mx = 0;
532 83 : int mx = 0;
533 :
534 : /*
535 : * Skip first line M-SEARCH * HTTP/1.1
536 : * (perhaps we should check remainder of the line for syntax)
537 : */
538 83 : data += line_length(data);
539 :
540 : /* Parse remaining lines */
541 486 : for (; *data != '\0'; data += line_length(data)) {
542 404 : if (token_eq(data, "host")) {
543 : /* The host line indicates who the packet
544 : * is addressed to... but do we really care?
545 : * Note that Microsoft sometimes does funny
546 : * stuff with the HOST: line.
547 : */
548 : #if 0 /* could be */
549 : data += token_length(data);
550 : data += word_separation_length(data);
551 : if (*data != ':')
552 : goto bad;
553 : data++;
554 : data += word_separation_length(data);
555 : /* UPNP_MULTICAST_ADDRESS */
556 : if (!str_starts(data, "239.255.255.250"))
557 : goto bad;
558 : data += os_strlen("239.255.255.250");
559 : if (*data == ':') {
560 : if (!str_starts(data, ":1900"))
561 : goto bad;
562 : }
563 : #endif /* could be */
564 81 : got_host = 1;
565 81 : continue;
566 323 : } else if (token_eq(data, "st")) {
567 : /* There are a number of forms; we look
568 : * for one that matches our case.
569 : */
570 80 : got_st = 1;
571 80 : data += token_length(data);
572 80 : data += word_separation_length(data);
573 80 : if (*data != ':')
574 1 : continue;
575 79 : data++;
576 79 : data += word_separation_length(data);
577 79 : if (str_starts(data, "ssdp:all")) {
578 1 : st_match = 1;
579 1 : continue;
580 : }
581 78 : if (str_starts(data, "upnp:rootdevice")) {
582 1 : st_match = 1;
583 1 : continue;
584 : }
585 77 : if (str_starts(data, "uuid:")) {
586 : char uuid_string[80];
587 : struct upnp_wps_device_interface *iface;
588 4 : iface = dl_list_first(
589 : &sm->interfaces,
590 : struct upnp_wps_device_interface,
591 : list);
592 4 : if (!iface)
593 0 : continue;
594 4 : data += os_strlen("uuid:");
595 4 : uuid_bin2str(iface->wps->uuid, uuid_string,
596 : sizeof(uuid_string));
597 4 : if (str_starts(data, uuid_string))
598 3 : st_match = 1;
599 4 : continue;
600 : }
601 : #if 0
602 : /* FIX: should we really reply to IGD string? */
603 : if (str_starts(data, "urn:schemas-upnp-org:device:"
604 : "InternetGatewayDevice:1")) {
605 : st_match = 1;
606 : continue;
607 : }
608 : #endif
609 73 : if (str_starts(data, "urn:schemas-wifialliance-org:"
610 : "service:WFAWLANConfig:1")) {
611 1 : st_match = 1;
612 1 : continue;
613 : }
614 72 : if (str_starts(data, "urn:schemas-wifialliance-org:"
615 : "device:WFADevice:1")) {
616 70 : st_match = 1;
617 70 : continue;
618 : }
619 2 : continue;
620 243 : } else if (token_eq(data, "man")) {
621 81 : data += token_length(data);
622 81 : data += word_separation_length(data);
623 81 : if (*data != ':')
624 1 : continue;
625 80 : data++;
626 80 : data += word_separation_length(data);
627 80 : if (!str_starts(data, "\"ssdp:discover\"")) {
628 1 : wpa_printf(MSG_DEBUG, "WPS UPnP: Unexpected "
629 : "M-SEARCH man-field");
630 1 : goto bad;
631 : }
632 79 : got_man = 1;
633 79 : continue;
634 162 : } else if (token_eq(data, "mx")) {
635 81 : data += token_length(data);
636 81 : data += word_separation_length(data);
637 81 : if (*data != ':')
638 1 : continue;
639 80 : data++;
640 80 : data += word_separation_length(data);
641 80 : mx = atol(data);
642 80 : got_mx = 1;
643 80 : continue;
644 : }
645 : /* ignore anything else */
646 : }
647 82 : if (!got_host || !got_st || !got_man || !got_mx || mx < 0) {
648 8 : wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid M-SEARCH: %d %d %d "
649 : "%d mx=%d", got_host, got_st, got_man, got_mx, mx);
650 8 : goto bad;
651 : }
652 74 : if (!st_match) {
653 4 : wpa_printf(MSG_DEBUG, "WPS UPnP: Ignored M-SEARCH (no ST "
654 : "match)");
655 4 : return;
656 : }
657 70 : if (mx > 120)
658 1 : mx = 120; /* UPnP-arch-DeviceArchitecture, 1.2.3 */
659 70 : msearchreply_state_machine_start(sm, client, mx);
660 70 : return;
661 :
662 : bad:
663 9 : wpa_printf(MSG_INFO, "WPS UPnP: Failed to parse M-SEARCH");
664 9 : wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH data:\n%s", start);
665 : }
666 :
667 :
668 : /* Listening for (UDP) discovery (M-SEARCH) packets */
669 :
670 : /**
671 : * ssdp_listener_stop - Stop SSDP listered
672 : * @sm: WPS UPnP state machine from upnp_wps_device_init()
673 : *
674 : * This function stops the SSDP listener that was started by calling
675 : * ssdp_listener_start().
676 : */
677 15 : void ssdp_listener_stop(struct upnp_wps_device_sm *sm)
678 : {
679 15 : if (sm->ssdp_sd_registered) {
680 15 : eloop_unregister_sock(sm->ssdp_sd, EVENT_TYPE_READ);
681 15 : sm->ssdp_sd_registered = 0;
682 : }
683 :
684 15 : if (sm->ssdp_sd != -1) {
685 15 : close(sm->ssdp_sd);
686 15 : sm->ssdp_sd = -1;
687 : }
688 :
689 15 : eloop_cancel_timeout(msearchreply_state_machine_handler, sm,
690 : ELOOP_ALL_CTX);
691 15 : }
692 :
693 :
694 326 : static void ssdp_listener_handler(int sd, void *eloop_ctx, void *sock_ctx)
695 : {
696 326 : struct upnp_wps_device_sm *sm = sock_ctx;
697 : struct sockaddr_in addr; /* client address */
698 : socklen_t addr_len;
699 : int nread;
700 : char buf[MULTICAST_MAX_READ], *pos;
701 :
702 326 : addr_len = sizeof(addr);
703 326 : nread = recvfrom(sm->ssdp_sd, buf, sizeof(buf) - 1, 0,
704 : (struct sockaddr *) &addr, &addr_len);
705 326 : if (nread <= 0)
706 324 : return;
707 326 : buf[nread] = '\0'; /* need null termination for algorithm */
708 :
709 326 : if (str_starts(buf, "NOTIFY ")) {
710 : /*
711 : * Silently ignore NOTIFYs to avoid filling debug log with
712 : * unwanted messages.
713 : */
714 241 : return;
715 : }
716 :
717 85 : pos = os_strchr(buf, '\n');
718 85 : if (pos)
719 84 : *pos = '\0';
720 85 : wpa_printf(MSG_MSGDUMP, "WPS UPnP: Received SSDP packet from %s:%d: "
721 85 : "%s", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port), buf);
722 85 : if (pos)
723 84 : *pos = '\n';
724 :
725 : /* Parse first line */
726 169 : if (os_strncasecmp(buf, "M-SEARCH", os_strlen("M-SEARCH")) == 0 &&
727 84 : !isgraph(buf[strlen("M-SEARCH")])) {
728 83 : ssdp_parse_msearch(sm, &addr, buf);
729 83 : return;
730 : }
731 :
732 : /* Ignore anything else */
733 : }
734 :
735 :
736 24 : int ssdp_listener_open(void)
737 : {
738 : struct sockaddr_in addr;
739 : struct ip_mreq mcast_addr;
740 24 : int on = 1;
741 : /* per UPnP spec, keep IP packet time to live (TTL) small */
742 24 : unsigned char ttl = 4;
743 : int sd;
744 :
745 24 : sd = socket(AF_INET, SOCK_DGRAM, 0);
746 24 : if (sd < 0)
747 0 : goto fail;
748 24 : if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0)
749 0 : goto fail;
750 24 : if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)))
751 0 : goto fail;
752 24 : os_memset(&addr, 0, sizeof(addr));
753 24 : addr.sin_family = AF_INET;
754 24 : addr.sin_addr.s_addr = htonl(INADDR_ANY);
755 24 : addr.sin_port = htons(UPNP_MULTICAST_PORT);
756 24 : if (bind(sd, (struct sockaddr *) &addr, sizeof(addr)))
757 0 : goto fail;
758 24 : os_memset(&mcast_addr, 0, sizeof(mcast_addr));
759 24 : mcast_addr.imr_interface.s_addr = htonl(INADDR_ANY);
760 24 : mcast_addr.imr_multiaddr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS);
761 24 : if (setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP,
762 : (char *) &mcast_addr, sizeof(mcast_addr)))
763 0 : goto fail;
764 24 : if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_TTL,
765 : &ttl, sizeof(ttl)))
766 0 : goto fail;
767 :
768 24 : return sd;
769 :
770 : fail:
771 0 : if (sd >= 0)
772 0 : close(sd);
773 0 : return -1;
774 : }
775 :
776 :
777 : /**
778 : * ssdp_listener_start - Set up for receiving discovery (UDP) packets
779 : * @sm: WPS UPnP state machine from upnp_wps_device_init()
780 : * Returns: 0 on success, -1 on failure
781 : *
782 : * The SSDP listener is stopped by calling ssdp_listener_stop().
783 : */
784 15 : int ssdp_listener_start(struct upnp_wps_device_sm *sm)
785 : {
786 15 : sm->ssdp_sd = ssdp_listener_open();
787 :
788 15 : if (eloop_register_sock(sm->ssdp_sd, EVENT_TYPE_READ,
789 : ssdp_listener_handler, NULL, sm))
790 0 : goto fail;
791 15 : sm->ssdp_sd_registered = 1;
792 15 : return 0;
793 :
794 : fail:
795 : /* Error */
796 0 : wpa_printf(MSG_ERROR, "WPS UPnP: ssdp_listener_start failed");
797 0 : ssdp_listener_stop(sm);
798 0 : return -1;
799 : }
800 :
801 :
802 : /**
803 : * add_ssdp_network - Add routing entry for SSDP
804 : * @net_if: Selected network interface name
805 : * Returns: 0 on success, -1 on failure
806 : *
807 : * This function assures that the multicast address will be properly
808 : * handled by Linux networking code (by a modification to routing tables).
809 : * This must be done per network interface. It really only needs to be done
810 : * once after booting up, but it does not hurt to call this more frequently
811 : * "to be safe".
812 : */
813 24 : int add_ssdp_network(const char *net_if)
814 : {
815 : #ifdef __linux__
816 24 : int ret = -1;
817 24 : int sock = -1;
818 : struct rtentry rt;
819 : struct sockaddr_in *sin;
820 :
821 24 : if (!net_if)
822 0 : goto fail;
823 :
824 24 : os_memset(&rt, 0, sizeof(rt));
825 24 : sock = socket(AF_INET, SOCK_DGRAM, 0);
826 24 : if (sock < 0)
827 0 : goto fail;
828 :
829 24 : rt.rt_dev = (char *) net_if;
830 24 : sin = aliasing_hide_typecast(&rt.rt_dst, struct sockaddr_in);
831 24 : sin->sin_family = AF_INET;
832 24 : sin->sin_port = 0;
833 24 : sin->sin_addr.s_addr = inet_addr(SSDP_TARGET);
834 24 : sin = aliasing_hide_typecast(&rt.rt_genmask, struct sockaddr_in);
835 24 : sin->sin_family = AF_INET;
836 24 : sin->sin_port = 0;
837 24 : sin->sin_addr.s_addr = inet_addr(SSDP_NETMASK);
838 24 : rt.rt_flags = RTF_UP;
839 24 : if (ioctl(sock, SIOCADDRT, &rt) < 0) {
840 23 : if (errno == EPERM) {
841 0 : wpa_printf(MSG_DEBUG, "add_ssdp_network: No "
842 : "permissions to add routing table entry");
843 : /* Continue to allow testing as non-root */
844 23 : } else if (errno != EEXIST) {
845 0 : wpa_printf(MSG_INFO, "add_ssdp_network() ioctl errno "
846 0 : "%d (%s)", errno, strerror(errno));
847 0 : goto fail;
848 : }
849 : }
850 :
851 24 : ret = 0;
852 :
853 : fail:
854 24 : if (sock >= 0)
855 24 : close(sock);
856 :
857 24 : return ret;
858 : #else /* __linux__ */
859 : return 0;
860 : #endif /* __linux__ */
861 : }
862 :
863 :
864 24 : int ssdp_open_multicast_sock(u32 ip_addr, const char *forced_ifname)
865 : {
866 : int sd;
867 : /* per UPnP-arch-DeviceArchitecture, 1. Discovery, keep IP packet
868 : * time to live (TTL) small */
869 24 : unsigned char ttl = 4;
870 :
871 24 : sd = socket(AF_INET, SOCK_DGRAM, 0);
872 24 : if (sd < 0)
873 0 : return -1;
874 :
875 24 : if (forced_ifname) {
876 : #ifdef __linux__
877 : struct ifreq req;
878 9 : os_memset(&req, 0, sizeof(req));
879 9 : os_strlcpy(req.ifr_name, forced_ifname, sizeof(req.ifr_name));
880 9 : if (setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, &req,
881 : sizeof(req)) < 0) {
882 0 : wpa_printf(MSG_INFO, "WPS UPnP: Failed to bind "
883 : "multicast socket to ifname %s: %s",
884 0 : forced_ifname, strerror(errno));
885 0 : close(sd);
886 0 : return -1;
887 : }
888 : #endif /* __linux__ */
889 : }
890 :
891 : #if 0 /* maybe ok if we sometimes block on writes */
892 : if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0) {
893 : close(sd);
894 : return -1;
895 : }
896 : #endif
897 :
898 24 : if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_IF,
899 : &ip_addr, sizeof(ip_addr))) {
900 0 : wpa_printf(MSG_DEBUG, "WPS: setsockopt(IP_MULTICAST_IF) %x: "
901 0 : "%d (%s)", ip_addr, errno, strerror(errno));
902 0 : close(sd);
903 0 : return -1;
904 : }
905 24 : if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_TTL,
906 : &ttl, sizeof(ttl))) {
907 0 : wpa_printf(MSG_DEBUG, "WPS: setsockopt(IP_MULTICAST_TTL): "
908 0 : "%d (%s)", errno, strerror(errno));
909 0 : close(sd);
910 0 : return -1;
911 : }
912 :
913 : #if 0 /* not needed, because we don't receive using multicast_sd */
914 : {
915 : struct ip_mreq mreq;
916 : mreq.imr_multiaddr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS);
917 : mreq.imr_interface.s_addr = ip_addr;
918 : wpa_printf(MSG_DEBUG, "WPS UPnP: Multicast addr 0x%x if addr "
919 : "0x%x",
920 : mreq.imr_multiaddr.s_addr,
921 : mreq.imr_interface.s_addr);
922 : if (setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq,
923 : sizeof(mreq))) {
924 : wpa_printf(MSG_ERROR,
925 : "WPS UPnP: setsockopt "
926 : "IP_ADD_MEMBERSHIP errno %d (%s)",
927 : errno, strerror(errno));
928 : close(sd);
929 : return -1;
930 : }
931 : }
932 : #endif /* not needed */
933 :
934 : /*
935 : * TODO: What about IP_MULTICAST_LOOP? It seems to be on by default?
936 : * which aids debugging I suppose but isn't really necessary?
937 : */
938 :
939 24 : return sd;
940 : }
941 :
942 :
943 : /**
944 : * ssdp_open_multicast - Open socket for sending multicast SSDP messages
945 : * @sm: WPS UPnP state machine from upnp_wps_device_init()
946 : * Returns: 0 on success, -1 on failure
947 : */
948 15 : int ssdp_open_multicast(struct upnp_wps_device_sm *sm)
949 : {
950 15 : sm->multicast_sd = ssdp_open_multicast_sock(sm->ip_addr, NULL);
951 15 : if (sm->multicast_sd < 0)
952 0 : return -1;
953 15 : return 0;
954 : }
|
