1 /* 2 * UPnP SSDP for WPS 3 * Copyright (c) 2000-2003 Intel Corporation 4 * Copyright (c) 2006-2007 Sony Corporation 5 * Copyright (c) 2008-2009 Atheros Communications 6 * Copyright (c) 2009-2013, Jouni Malinen <j (at) w1.fi> 7 * 8 * See wps_upnp.c for more details on licensing and code history. 9 */ 10 11 #include "includes.h" 12 13 #include <fcntl.h> 14 #include <sys/ioctl.h> 15 #include <net/route.h> 16 #ifdef __linux__ 17 #include <net/if.h> 18 #endif /* __linux__ */ 19 20 #include "common.h" 21 #include "uuid.h" 22 #include "eloop.h" 23 #include "wps.h" 24 #include "wps_upnp.h" 25 #include "wps_upnp_i.h" 26 27 #define UPNP_CACHE_SEC (UPNP_CACHE_SEC_MIN + 1) /* cache time we use */ 28 #define UPNP_CACHE_SEC_MIN 1800 /* min cachable time per UPnP standard */ 29 #define UPNP_ADVERTISE_REPEAT 2 /* no more than 3 */ 30 #define MAX_MSEARCH 20 /* max simultaneous M-SEARCH replies ongoing */ 31 #define SSDP_TARGET "239.0.0.0" 32 #define SSDP_NETMASK "255.0.0.0" 33 34 35 /* Check tokens for equality, where tokens consist of letters, digits, 36 * underscore and hyphen, and are matched case insensitive. 37 */ 38 static int token_eq(const char *s1, const char *s2) 39 { 40 int c1; 41 int c2; 42 int end1 = 0; 43 int end2 = 0; 44 for (;;) { 45 c1 = *s1++; 46 c2 = *s2++; 47 if (isalpha(c1) && isupper(c1)) 48 c1 = tolower(c1); 49 if (isalpha(c2) && isupper(c2)) 50 c2 = tolower(c2); 51 end1 = !(isalnum(c1) || c1 == '_' || c1 == '-'); 52 end2 = !(isalnum(c2) || c2 == '_' || c2 == '-'); 53 if (end1 || end2 || c1 != c2) 54 break; 55 } 56 return end1 && end2; /* reached end of both words? */ 57 } 58 59 60 /* Return length of token (see above for definition of token) */ 61 static int token_length(const char *s) 62 { 63 const char *begin = s; 64 for (;; s++) { 65 int c = *s; 66 int end = !(isalnum(c) || c == '_' || c == '-'); 67 if (end) 68 break; 69 } 70 return s - begin; 71 } 72 73 74 /* return length of interword separation. 75 * This accepts only spaces/tabs and thus will not traverse a line 76 * or buffer ending. 77 */ 78 static int word_separation_length(const char *s) 79 { 80 const char *begin = s; 81 for (;; s++) { 82 int c = *s; 83 if (c == ' ' || c == '\t') 84 continue; 85 break; 86 } 87 return s - begin; 88 } 89 90 91 /* No. of chars through (including) end of line */ 92 static int line_length(const char *l) 93 { 94 const char *lp = l; 95 while (*lp && *lp != '\n') 96 lp++; 97 if (*lp == '\n') 98 lp++; 99 return lp - l; 100 } 101 102 103 static int str_starts(const char *str, const char *start) 104 { 105 return os_strncmp(str, start, os_strlen(start)) == 0; 106 } 107 108 109 /*************************************************************************** 110 * Advertisements. 111 * These are multicast to the world to tell them we are here. 112 * The individual packets are spread out in time to limit loss, 113 * and then after a much longer period of time the whole sequence 114 * is repeated again (for NOTIFYs only). 115 **************************************************************************/ 116 117 /** 118 * next_advertisement - Build next message and advance the state machine 119 * @a: Advertisement state 120 * @islast: Buffer for indicating whether this is the last message (= 1) 121 * Returns: The new message (caller is responsible for freeing this) 122 * 123 * Note: next_advertisement is shared code with msearchreply_* functions 124 */ 125 static struct wpabuf * 126 next_advertisement(struct upnp_wps_device_sm *sm, 127 struct advertisement_state_machine *a, int *islast) 128 { 129 struct wpabuf *msg; 130 char *NTString = ""; 131 char uuid_string[80]; 132 struct upnp_wps_device_interface *iface; 133 134 *islast = 0; 135 iface = dl_list_first(&sm->interfaces, 136 struct upnp_wps_device_interface, list); 137 uuid_bin2str(iface->wps->uuid, uuid_string, sizeof(uuid_string)); 138 msg = wpabuf_alloc(800); /* more than big enough */ 139 if (msg == NULL) 140 goto fail; 141 switch (a->type) { 142 case ADVERTISE_UP: 143 case ADVERTISE_DOWN: 144 NTString = "NT"; 145 wpabuf_put_str(msg, "NOTIFY * HTTP/1.1\r\n"); 146 wpabuf_printf(msg, "HOST: %s:%d\r\n", 147 UPNP_MULTICAST_ADDRESS, UPNP_MULTICAST_PORT); 148 wpabuf_printf(msg, "CACHE-CONTROL: max-age=%d\r\n", 149 UPNP_CACHE_SEC); 150 wpabuf_printf(msg, "NTS: %s\r\n", 151 (a->type == ADVERTISE_UP ? 152 "ssdp:alive" : "ssdp:byebye")); 153 break; 154 case MSEARCH_REPLY: 155 NTString = "ST"; 156 wpabuf_put_str(msg, "HTTP/1.1 200 OK\r\n"); 157 wpabuf_printf(msg, "CACHE-CONTROL: max-age=%d\r\n", 158 UPNP_CACHE_SEC); 159 160 wpabuf_put_str(msg, "DATE: "); 161 format_date(msg); 162 wpabuf_put_str(msg, "\r\n"); 163 164 wpabuf_put_str(msg, "EXT:\r\n"); 165 break; 166 } 167 168 if (a->type != ADVERTISE_DOWN) { 169 /* Where others may get our XML files from */ 170 wpabuf_printf(msg, "LOCATION: http://%s:%d/%s\r\n", 171 sm->ip_addr_text, sm->web_port, 172 UPNP_WPS_DEVICE_XML_FILE); 173 } 174 175 /* The SERVER line has three comma-separated fields: 176 * operating system / version 177 * upnp version 178 * software package / version 179 * However, only the UPnP version is really required, the 180 * others can be place holders... for security reasons 181 * it is better to NOT provide extra information. 182 */ 183 wpabuf_put_str(msg, "SERVER: Unspecified, UPnP/1.0, Unspecified\r\n"); 184 185 switch (a->state / UPNP_ADVERTISE_REPEAT) { 186 case 0: 187 wpabuf_printf(msg, "%s: upnp:rootdevice\r\n", NTString); 188 wpabuf_printf(msg, "USN: uuid:%s::upnp:rootdevice\r\n", 189 uuid_string); 190 break; 191 case 1: 192 wpabuf_printf(msg, "%s: uuid:%s\r\n", NTString, uuid_string); 193 wpabuf_printf(msg, "USN: uuid:%s\r\n", uuid_string); 194 break; 195 case 2: 196 wpabuf_printf(msg, "%s: urn:schemas-wifialliance-org:device:" 197 "WFADevice:1\r\n", NTString); 198 wpabuf_printf(msg, "USN: uuid:%s::urn:schemas-wifialliance-" 199 "org:device:WFADevice:1\r\n", uuid_string); 200 break; 201 case 3: 202 wpabuf_printf(msg, "%s: urn:schemas-wifialliance-org:service:" 203 "WFAWLANConfig:1\r\n", NTString); 204 wpabuf_printf(msg, "USN: uuid:%s::urn:schemas-wifialliance-" 205 "org:service:WFAWLANConfig:1\r\n", uuid_string); 206 break; 207 } 208 wpabuf_put_str(msg, "\r\n"); 209 210 if (a->state + 1 >= 4 * UPNP_ADVERTISE_REPEAT) 211 *islast = 1; 212 213 return msg; 214 215 fail: 216 wpabuf_free(msg); 217 return NULL; 218 } 219 220 221 static void advertisement_state_machine_handler(void *eloop_data, 222 void *user_ctx); 223 224 225 /** 226 * advertisement_state_machine_stop - Stop SSDP advertisements 227 * @sm: WPS UPnP state machine from upnp_wps_device_init() 228 * @send_byebye: Send byebye advertisement messages immediately 229 */ 230 void advertisement_state_machine_stop(struct upnp_wps_device_sm *sm, 231 int send_byebye) 232 { 233 struct advertisement_state_machine *a = &sm->advertisement; 234 int islast = 0; 235 struct wpabuf *msg; 236 struct sockaddr_in dest; 237 238 eloop_cancel_timeout(advertisement_state_machine_handler, NULL, sm); 239 if (!send_byebye || sm->multicast_sd < 0) 240 return; 241 242 a->type = ADVERTISE_DOWN; 243 a->state = 0; 244 245 os_memset(&dest, 0, sizeof(dest)); 246 dest.sin_family = AF_INET; 247 dest.sin_addr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 248 dest.sin_port = htons(UPNP_MULTICAST_PORT); 249 250 while (!islast) { 251 msg = next_advertisement(sm, a, &islast); 252 if (msg == NULL) 253 break; 254 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 255 0, (struct sockaddr *) &dest, sizeof(dest)) < 0) { 256 wpa_printf(MSG_INFO, "WPS UPnP: Advertisement sendto " 257 "failed: %d (%s)", errno, strerror(errno)); 258 } 259 wpabuf_free(msg); 260 a->state++; 261 } 262 } 263 264 265 static void advertisement_state_machine_handler(void *eloop_data, 266 void *user_ctx) 267 { 268 struct upnp_wps_device_sm *sm = user_ctx; 269 struct advertisement_state_machine *a = &sm->advertisement; 270 struct wpabuf *msg; 271 int next_timeout_msec = 100; 272 int next_timeout_sec = 0; 273 struct sockaddr_in dest; 274 int islast = 0; 275 276 /* 277 * Each is sent twice (in case lost) w/ 100 msec delay between; 278 * spec says no more than 3 times. 279 * One pair for rootdevice, one pair for uuid, and a pair each for 280 * each of the two urns. 281 * The entire sequence must be repeated before cache control timeout 282 * (which is min 1800 seconds), 283 * recommend random portion of half of the advertised cache control age 284 * to ensure against loss... perhaps 1800/4 + rand*1800/4 ? 285 * Delay random interval < 100 msec prior to initial sending. 286 * TTL of 4 287 */ 288 289 wpa_printf(MSG_MSGDUMP, "WPS UPnP: Advertisement state=%d", a->state); 290 msg = next_advertisement(sm, a, &islast); 291 if (msg == NULL) 292 return; 293 294 os_memset(&dest, 0, sizeof(dest)); 295 dest.sin_family = AF_INET; 296 dest.sin_addr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 297 dest.sin_port = htons(UPNP_MULTICAST_PORT); 298 299 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 0, 300 (struct sockaddr *) &dest, sizeof(dest)) == -1) { 301 wpa_printf(MSG_ERROR, "WPS UPnP: Advertisement sendto failed:" 302 "%d (%s)", errno, strerror(errno)); 303 next_timeout_msec = 0; 304 next_timeout_sec = 10; /* ... later */ 305 } else if (islast) { 306 a->state = 0; /* wrap around */ 307 if (a->type == ADVERTISE_DOWN) { 308 wpa_printf(MSG_DEBUG, "WPS UPnP: ADVERTISE_DOWN->UP"); 309 a->type = ADVERTISE_UP; 310 /* do it all over again right away */ 311 } else { 312 u16 r; 313 /* 314 * Start over again after a long timeout 315 * (see notes above) 316 */ 317 next_timeout_msec = 0; 318 os_get_random((void *) &r, sizeof(r)); 319 next_timeout_sec = UPNP_CACHE_SEC / 4 + 320 (((UPNP_CACHE_SEC / 4) * r) >> 16); 321 sm->advertise_count++; 322 wpa_printf(MSG_DEBUG, "WPS UPnP: ADVERTISE_UP (#%u); " 323 "next in %d sec", 324 sm->advertise_count, next_timeout_sec); 325 } 326 } else { 327 a->state++; 328 } 329 330 wpabuf_free(msg); 331 332 eloop_register_timeout(next_timeout_sec, next_timeout_msec, 333 advertisement_state_machine_handler, NULL, sm); 334 } 335 336 337 /** 338 * advertisement_state_machine_start - Start SSDP advertisements 339 * @sm: WPS UPnP state machine from upnp_wps_device_init() 340 * Returns: 0 on success, -1 on failure 341 */ 342 int advertisement_state_machine_start(struct upnp_wps_device_sm *sm) 343 { 344 struct advertisement_state_machine *a = &sm->advertisement; 345 int next_timeout_msec; 346 347 advertisement_state_machine_stop(sm, 0); 348 349 /* 350 * Start out advertising down, this automatically switches 351 * to advertising up which signals our restart. 352 */ 353 a->type = ADVERTISE_DOWN; 354 a->state = 0; 355 /* (other fields not used here) */ 356 357 /* First timeout should be random interval < 100 msec */ 358 next_timeout_msec = (100 * (os_random() & 0xFF)) >> 8; 359 return eloop_register_timeout(0, next_timeout_msec, 360 advertisement_state_machine_handler, 361 NULL, sm); 362 } 363 364 365 /*************************************************************************** 366 * M-SEARCH replies 367 * These are very similar to the multicast advertisements, with some 368 * small changes in data content; and they are sent (UDP) to a specific 369 * unicast address instead of multicast. 370 * They are sent in response to a UDP M-SEARCH packet. 371 **************************************************************************/ 372 373 /** 374 * msearchreply_state_machine_stop - Stop M-SEARCH reply state machine 375 * @a: Selected advertisement/reply state 376 */ 377 void msearchreply_state_machine_stop(struct advertisement_state_machine *a) 378 { 379 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH stop"); 380 dl_list_del(&a->list); 381 os_free(a); 382 } 383 384 385 static void msearchreply_state_machine_handler(void *eloop_data, 386 void *user_ctx) 387 { 388 struct advertisement_state_machine *a = user_ctx; 389 struct upnp_wps_device_sm *sm = eloop_data; 390 struct wpabuf *msg; 391 int next_timeout_msec = 100; 392 int next_timeout_sec = 0; 393 int islast = 0; 394 395 /* 396 * Each response is sent twice (in case lost) w/ 100 msec delay 397 * between; spec says no more than 3 times. 398 * One pair for rootdevice, one pair for uuid, and a pair each for 399 * each of the two urns. 400 */ 401 402 /* TODO: should only send the requested response types */ 403 404 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH reply state=%d (%s:%d)", 405 a->state, inet_ntoa(a->client.sin_addr), 406 ntohs(a->client.sin_port)); 407 msg = next_advertisement(sm, a, &islast); 408 if (msg == NULL) 409 return; 410 411 /* 412 * Send it on the multicast socket to avoid having to set up another 413 * socket. 414 */ 415 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 0, 416 (struct sockaddr *) &a->client, sizeof(a->client)) < 0) { 417 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply sendto " 418 "errno %d (%s) for %s:%d", 419 errno, strerror(errno), 420 inet_ntoa(a->client.sin_addr), 421 ntohs(a->client.sin_port)); 422 /* Ignore error and hope for the best */ 423 } 424 wpabuf_free(msg); 425 if (islast) { 426 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply done"); 427 msearchreply_state_machine_stop(a); 428 return; 429 } 430 a->state++; 431 432 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH reply in %d.%03d sec", 433 next_timeout_sec, next_timeout_msec); 434 eloop_register_timeout(next_timeout_sec, next_timeout_msec, 435 msearchreply_state_machine_handler, sm, a); 436 } 437 438 439 /** 440 * msearchreply_state_machine_start - Reply to M-SEARCH discovery request 441 * @sm: WPS UPnP state machine from upnp_wps_device_init() 442 * @client: Client address 443 * @mx: Maximum delay in seconds 444 * 445 * Use TTL of 4 (this was done when socket set up). 446 * A response should be given in randomized portion of min(MX,120) seconds 447 * 448 * UPnP-arch-DeviceArchitecture, 1.2.3: 449 * To be found, a device must send a UDP response to the source IP address and 450 * port that sent the request to the multicast channel. Devices respond if the 451 * ST header of the M-SEARCH request is "ssdp:all", "upnp:rootdevice", "uuid:" 452 * followed by a UUID that exactly matches one advertised by the device. 453 */ 454 static void msearchreply_state_machine_start(struct upnp_wps_device_sm *sm, 455 struct sockaddr_in *client, 456 int mx) 457 { 458 struct advertisement_state_machine *a; 459 int next_timeout_sec; 460 int next_timeout_msec; 461 int replies; 462 463 replies = dl_list_len(&sm->msearch_replies); 464 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply start (%d " 465 "outstanding)", replies); 466 if (replies >= MAX_MSEARCH) { 467 wpa_printf(MSG_INFO, "WPS UPnP: Too many outstanding " 468 "M-SEARCH replies"); 469 return; 470 } 471 472 a = os_zalloc(sizeof(*a)); 473 if (a == NULL) 474 return; 475 a->type = MSEARCH_REPLY; 476 a->state = 0; 477 os_memcpy(&a->client, client, sizeof(*client)); 478 /* Wait time depending on MX value */ 479 next_timeout_msec = (1000 * mx * (os_random() & 0xFF)) >> 8; 480 next_timeout_sec = next_timeout_msec / 1000; 481 next_timeout_msec = next_timeout_msec % 1000; 482 if (eloop_register_timeout(next_timeout_sec, next_timeout_msec, 483 msearchreply_state_machine_handler, sm, 484 a)) { 485 /* No way to recover (from malloc failure) */ 486 goto fail; 487 } 488 /* Remember for future cleanup */ 489 dl_list_add(&sm->msearch_replies, &a->list); 490 return; 491 492 fail: 493 wpa_printf(MSG_INFO, "WPS UPnP: M-SEARCH reply failure!"); 494 eloop_cancel_timeout(msearchreply_state_machine_handler, sm, a); 495 os_free(a); 496 } 497 498 499 /** 500 * ssdp_parse_msearch - Process a received M-SEARCH 501 * @sm: WPS UPnP state machine from upnp_wps_device_init() 502 * @client: Client address 503 * @data: NULL terminated M-SEARCH message 504 * 505 * Given that we have received a header w/ M-SEARCH, act upon it 506 * 507 * Format of M-SEARCH (case insensitive!): 508 * 509 * First line must be: 510 * M-SEARCH * HTTP/1.1 511 * Other lines in arbitrary order: 512 * HOST:239.255.255.250:1900 513 * ST:<varies -- must match> 514 * MAN:"ssdp:discover" 515 * MX:<varies> 516 * 517 * It should be noted that when Microsoft Vista is still learning its IP 518 * address, it sends out host lines like: HOST:[FF02::C]:1900 519 */ 520 static void ssdp_parse_msearch(struct upnp_wps_device_sm *sm, 521 struct sockaddr_in *client, const char *data) 522 { 523 #ifndef CONFIG_NO_STDOUT_DEBUG 524 const char *start = data; 525 #endif /* CONFIG_NO_STDOUT_DEBUG */ 526 int got_host = 0; 527 int got_st = 0, st_match = 0; 528 int got_man = 0; 529 int got_mx = 0; 530 int mx = 0; 531 532 /* 533 * Skip first line M-SEARCH * HTTP/1.1 534 * (perhaps we should check remainder of the line for syntax) 535 */ 536 data += line_length(data); 537 538 /* Parse remaining lines */ 539 for (; *data != '\0'; data += line_length(data)) { 540 if (token_eq(data, "host")) { 541 /* The host line indicates who the packet 542 * is addressed to... but do we really care? 543 * Note that Microsoft sometimes does funny 544 * stuff with the HOST: line. 545 */ 546 #if 0 /* could be */ 547 data += token_length(data); 548 data += word_separation_length(data); 549 if (*data != ':') 550 goto bad; 551 data++; 552 data += word_separation_length(data); 553 /* UPNP_MULTICAST_ADDRESS */ 554 if (!str_starts(data, "239.255.255.250")) 555 goto bad; 556 data += os_strlen("239.255.255.250"); 557 if (*data == ':') { 558 if (!str_starts(data, ":1900")) 559 goto bad; 560 } 561 #endif /* could be */ 562 got_host = 1; 563 continue; 564 } else if (token_eq(data, "st")) { 565 /* There are a number of forms; we look 566 * for one that matches our case. 567 */ 568 got_st = 1; 569 data += token_length(data); 570 data += word_separation_length(data); 571 if (*data != ':') 572 continue; 573 data++; 574 data += word_separation_length(data); 575 if (str_starts(data, "ssdp:all")) { 576 st_match = 1; 577 continue; 578 } 579 if (str_starts(data, "upnp:rootdevice")) { 580 st_match = 1; 581 continue; 582 } 583 if (str_starts(data, "uuid:")) { 584 char uuid_string[80]; 585 struct upnp_wps_device_interface *iface; 586 iface = dl_list_first( 587 &sm->interfaces, 588 struct upnp_wps_device_interface, 589 list); 590 data += os_strlen("uuid:"); 591 uuid_bin2str(iface->wps->uuid, uuid_string, 592 sizeof(uuid_string)); 593 if (str_starts(data, uuid_string)) 594 st_match = 1; 595 continue; 596 } 597 #if 0 598 /* FIX: should we really reply to IGD string? */ 599 if (str_starts(data, "urn:schemas-upnp-org:device:" 600 "InternetGatewayDevice:1")) { 601 st_match = 1; 602 continue; 603 } 604 #endif 605 if (str_starts(data, "urn:schemas-wifialliance-org:" 606 "service:WFAWLANConfig:1")) { 607 st_match = 1; 608 continue; 609 } 610 if (str_starts(data, "urn:schemas-wifialliance-org:" 611 "device:WFADevice:1")) { 612 st_match = 1; 613 continue; 614 } 615 continue; 616 } else if (token_eq(data, "man")) { 617 data += token_length(data); 618 data += word_separation_length(data); 619 if (*data != ':') 620 continue; 621 data++; 622 data += word_separation_length(data); 623 if (!str_starts(data, "\"ssdp:discover\"")) { 624 wpa_printf(MSG_DEBUG, "WPS UPnP: Unexpected " 625 "M-SEARCH man-field"); 626 goto bad; 627 } 628 got_man = 1; 629 continue; 630 } else if (token_eq(data, "mx")) { 631 data += token_length(data); 632 data += word_separation_length(data); 633 if (*data != ':') 634 continue; 635 data++; 636 data += word_separation_length(data); 637 mx = atol(data); 638 got_mx = 1; 639 continue; 640 } 641 /* ignore anything else */ 642 } 643 if (!got_host || !got_st || !got_man || !got_mx || mx < 0) { 644 wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid M-SEARCH: %d %d %d " 645 "%d mx=%d", got_host, got_st, got_man, got_mx, mx); 646 goto bad; 647 } 648 if (!st_match) { 649 wpa_printf(MSG_DEBUG, "WPS UPnP: Ignored M-SEARCH (no ST " 650 "match)"); 651 return; 652 } 653 if (mx > 120) 654 mx = 120; /* UPnP-arch-DeviceArchitecture, 1.2.3 */ 655 msearchreply_state_machine_start(sm, client, mx); 656 return; 657 658 bad: 659 wpa_printf(MSG_INFO, "WPS UPnP: Failed to parse M-SEARCH"); 660 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH data:\n%s", start); 661 } 662 663 664 /* Listening for (UDP) discovery (M-SEARCH) packets */ 665 666 /** 667 * ssdp_listener_stop - Stop SSDP listered 668 * @sm: WPS UPnP state machine from upnp_wps_device_init() 669 * 670 * This function stops the SSDP listener that was started by calling 671 * ssdp_listener_start(). 672 */ 673 void ssdp_listener_stop(struct upnp_wps_device_sm *sm) 674 { 675 if (sm->ssdp_sd_registered) { 676 eloop_unregister_sock(sm->ssdp_sd, EVENT_TYPE_READ); 677 sm->ssdp_sd_registered = 0; 678 } 679 680 if (sm->ssdp_sd != -1) { 681 close(sm->ssdp_sd); 682 sm->ssdp_sd = -1; 683 } 684 685 eloop_cancel_timeout(msearchreply_state_machine_handler, sm, 686 ELOOP_ALL_CTX); 687 } 688 689 690 static void ssdp_listener_handler(int sd, void *eloop_ctx, void *sock_ctx) 691 { 692 struct upnp_wps_device_sm *sm = sock_ctx; 693 struct sockaddr_in addr; /* client address */ 694 socklen_t addr_len; 695 int nread; 696 char buf[MULTICAST_MAX_READ], *pos; 697 698 addr_len = sizeof(addr); 699 nread = recvfrom(sm->ssdp_sd, buf, sizeof(buf) - 1, 0, 700 (struct sockaddr *) &addr, &addr_len); 701 if (nread <= 0) 702 return; 703 buf[nread] = '\0'; /* need null termination for algorithm */ 704 705 if (str_starts(buf, "NOTIFY ")) { 706 /* 707 * Silently ignore NOTIFYs to avoid filling debug log with 708 * unwanted messages. 709 */ 710 return; 711 } 712 713 pos = os_strchr(buf, '\n'); 714 if (pos) 715 *pos = '\0'; 716 wpa_printf(MSG_MSGDUMP, "WPS UPnP: Received SSDP packet from %s:%d: " 717 "%s", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port), buf); 718 if (pos) 719 *pos = '\n'; 720 721 /* Parse first line */ 722 if (os_strncasecmp(buf, "M-SEARCH", os_strlen("M-SEARCH")) == 0 && 723 !isgraph(buf[strlen("M-SEARCH")])) { 724 ssdp_parse_msearch(sm, &addr, buf); 725 return; 726 } 727 728 /* Ignore anything else */ 729 } 730 731 732 int ssdp_listener_open(void) 733 { 734 struct sockaddr_in addr; 735 struct ip_mreq mcast_addr; 736 int on = 1; 737 /* per UPnP spec, keep IP packet time to live (TTL) small */ 738 unsigned char ttl = 4; 739 int sd; 740 741 sd = socket(AF_INET, SOCK_DGRAM, 0); 742 if (sd < 0) 743 goto fail; 744 if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0) 745 goto fail; 746 if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on))) 747 goto fail; 748 os_memset(&addr, 0, sizeof(addr)); 749 addr.sin_family = AF_INET; 750 addr.sin_addr.s_addr = htonl(INADDR_ANY); 751 addr.sin_port = htons(UPNP_MULTICAST_PORT); 752 if (bind(sd, (struct sockaddr *) &addr, sizeof(addr))) 753 goto fail; 754 os_memset(&mcast_addr, 0, sizeof(mcast_addr)); 755 mcast_addr.imr_interface.s_addr = htonl(INADDR_ANY); 756 mcast_addr.imr_multiaddr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 757 if (setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, 758 (char *) &mcast_addr, sizeof(mcast_addr))) 759 goto fail; 760 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_TTL, 761 &ttl, sizeof(ttl))) 762 goto fail; 763 764 return sd; 765 766 fail: 767 if (sd >= 0) 768 close(sd); 769 return -1; 770 } 771 772 773 /** 774 * ssdp_listener_start - Set up for receiving discovery (UDP) packets 775 * @sm: WPS UPnP state machine from upnp_wps_device_init() 776 * Returns: 0 on success, -1 on failure 777 * 778 * The SSDP listener is stopped by calling ssdp_listener_stop(). 779 */ 780 int ssdp_listener_start(struct upnp_wps_device_sm *sm) 781 { 782 sm->ssdp_sd = ssdp_listener_open(); 783 784 if (eloop_register_sock(sm->ssdp_sd, EVENT_TYPE_READ, 785 ssdp_listener_handler, NULL, sm)) 786 goto fail; 787 sm->ssdp_sd_registered = 1; 788 return 0; 789 790 fail: 791 /* Error */ 792 wpa_printf(MSG_ERROR, "WPS UPnP: ssdp_listener_start failed"); 793 ssdp_listener_stop(sm); 794 return -1; 795 } 796 797 798 /** 799 * add_ssdp_network - Add routing entry for SSDP 800 * @net_if: Selected network interface name 801 * Returns: 0 on success, -1 on failure 802 * 803 * This function assures that the multicast address will be properly 804 * handled by Linux networking code (by a modification to routing tables). 805 * This must be done per network interface. It really only needs to be done 806 * once after booting up, but it does not hurt to call this more frequently 807 * "to be safe". 808 */ 809 int add_ssdp_network(const char *net_if) 810 { 811 #ifdef __linux__ 812 int ret = -1; 813 int sock = -1; 814 struct rtentry rt; 815 struct sockaddr_in *sin; 816 817 if (!net_if) 818 goto fail; 819 820 os_memset(&rt, 0, sizeof(rt)); 821 sock = socket(AF_INET, SOCK_DGRAM, 0); 822 if (sock < 0) 823 goto fail; 824 825 rt.rt_dev = (char *) net_if; 826 sin = aliasing_hide_typecast(&rt.rt_dst, struct sockaddr_in); 827 sin->sin_family = AF_INET; 828 sin->sin_port = 0; 829 sin->sin_addr.s_addr = inet_addr(SSDP_TARGET); 830 sin = aliasing_hide_typecast(&rt.rt_genmask, struct sockaddr_in); 831 sin->sin_family = AF_INET; 832 sin->sin_port = 0; 833 sin->sin_addr.s_addr = inet_addr(SSDP_NETMASK); 834 rt.rt_flags = RTF_UP; 835 if (ioctl(sock, SIOCADDRT, &rt) < 0) { 836 if (errno == EPERM) { 837 wpa_printf(MSG_DEBUG, "add_ssdp_network: No " 838 "permissions to add routing table entry"); 839 /* Continue to allow testing as non-root */ 840 } else if (errno != EEXIST) { 841 wpa_printf(MSG_INFO, "add_ssdp_network() ioctl errno " 842 "%d (%s)", errno, strerror(errno)); 843 goto fail; 844 } 845 } 846 847 ret = 0; 848 849 fail: 850 if (sock >= 0) 851 close(sock); 852 853 return ret; 854 #else /* __linux__ */ 855 return 0; 856 #endif /* __linux__ */ 857 } 858 859 860 int ssdp_open_multicast_sock(u32 ip_addr, const char *forced_ifname) 861 { 862 int sd; 863 /* per UPnP-arch-DeviceArchitecture, 1. Discovery, keep IP packet 864 * time to live (TTL) small */ 865 unsigned char ttl = 4; 866 867 sd = socket(AF_INET, SOCK_DGRAM, 0); 868 if (sd < 0) 869 return -1; 870 871 if (forced_ifname) { 872 #ifdef __linux__ 873 struct ifreq req; 874 os_memset(&req, 0, sizeof(req)); 875 os_strlcpy(req.ifr_name, forced_ifname, sizeof(req.ifr_name)); 876 if (setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, &req, 877 sizeof(req)) < 0) { 878 wpa_printf(MSG_INFO, "WPS UPnP: Failed to bind " 879 "multicast socket to ifname %s: %s", 880 forced_ifname, strerror(errno)); 881 close(sd); 882 return -1; 883 } 884 #endif /* __linux__ */ 885 } 886 887 #if 0 /* maybe ok if we sometimes block on writes */ 888 if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0) { 889 close(sd); 890 return -1; 891 } 892 #endif 893 894 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_IF, 895 &ip_addr, sizeof(ip_addr))) { 896 wpa_printf(MSG_DEBUG, "WPS: setsockopt(IP_MULTICAST_IF) %x: " 897 "%d (%s)", ip_addr, errno, strerror(errno)); 898 close(sd); 899 return -1; 900 } 901 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_TTL, 902 &ttl, sizeof(ttl))) { 903 wpa_printf(MSG_DEBUG, "WPS: setsockopt(IP_MULTICAST_TTL): " 904 "%d (%s)", errno, strerror(errno)); 905 close(sd); 906 return -1; 907 } 908 909 #if 0 /* not needed, because we don't receive using multicast_sd */ 910 { 911 struct ip_mreq mreq; 912 mreq.imr_multiaddr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 913 mreq.imr_interface.s_addr = ip_addr; 914 wpa_printf(MSG_DEBUG, "WPS UPnP: Multicast addr 0x%x if addr " 915 "0x%x", 916 mreq.imr_multiaddr.s_addr, 917 mreq.imr_interface.s_addr); 918 if (setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq, 919 sizeof(mreq))) { 920 wpa_printf(MSG_ERROR, 921 "WPS UPnP: setsockopt " 922 "IP_ADD_MEMBERSHIP errno %d (%s)", 923 errno, strerror(errno)); 924 close(sd); 925 return -1; 926 } 927 } 928 #endif /* not needed */ 929 930 /* 931 * TODO: What about IP_MULTICAST_LOOP? It seems to be on by default? 932 * which aids debugging I suppose but isn't really necessary? 933 */ 934 935 return sd; 936 } 937 938 939 /** 940 * ssdp_open_multicast - Open socket for sending multicast SSDP messages 941 * @sm: WPS UPnP state machine from upnp_wps_device_init() 942 * Returns: 0 on success, -1 on failure 943 */ 944 int ssdp_open_multicast(struct upnp_wps_device_sm *sm) 945 { 946 sm->multicast_sd = ssdp_open_multicast_sock(sm->ip_addr, NULL); 947 if (sm->multicast_sd < 0) 948 return -1; 949 return 0; 950 } 951
