1 /* 2 * UPnP SSDP for WPS 3 * Copyright (c) 2000-2003 Intel Corporation 4 * Copyright (c) 2006-2007 Sony Corporation 5 * Copyright (c) 2008-2009 Atheros Communications 6 * Copyright (c) 2009-2013, Jouni Malinen <j (at) w1.fi> 7 * 8 * See wps_upnp.c for more details on licensing and code history. 9 */ 10 11 #include "includes.h" 12 13 #include <fcntl.h> 14 #include <sys/ioctl.h> 15 #include <net/route.h> 16 #ifdef __linux__ 17 #include <net/if.h> 18 #endif /* __linux__ */ 19 20 #include "common.h" 21 #include "uuid.h" 22 #include "eloop.h" 23 #include "wps.h" 24 #include "wps_upnp.h" 25 #include "wps_upnp_i.h" 26 27 #define UPNP_CACHE_SEC (UPNP_CACHE_SEC_MIN + 1) /* cache time we use */ 28 #define UPNP_CACHE_SEC_MIN 1800 /* min cachable time per UPnP standard */ 29 #define UPNP_ADVERTISE_REPEAT 2 /* no more than 3 */ 30 #define MAX_MSEARCH 20 /* max simultaneous M-SEARCH replies ongoing */ 31 #define SSDP_TARGET "239.0.0.0" 32 #define SSDP_NETMASK "255.0.0.0" 33 34 35 /* Check tokens for equality, where tokens consist of letters, digits, 36 * underscore and hyphen, and are matched case insensitive. 37 */ 38 static int token_eq(const char *s1, const char *s2) 39 { 40 int c1; 41 int c2; 42 int end1 = 0; 43 int end2 = 0; 44 for (;;) { 45 c1 = *s1++; 46 c2 = *s2++; 47 if (isalpha(c1) && isupper(c1)) 48 c1 = tolower(c1); 49 if (isalpha(c2) && isupper(c2)) 50 c2 = tolower(c2); 51 end1 = !(isalnum(c1) || c1 == '_' || c1 == '-'); 52 end2 = !(isalnum(c2) || c2 == '_' || c2 == '-'); 53 if (end1 || end2 || c1 != c2) 54 break; 55 } 56 return end1 && end2; /* reached end of both words? */ 57 } 58 59 60 /* Return length of token (see above for definition of token) */ 61 static int token_length(const char *s) 62 { 63 const char *begin = s; 64 for (;; s++) { 65 int c = *s; 66 int end = !(isalnum(c) || c == '_' || c == '-'); 67 if (end) 68 break; 69 } 70 return s - begin; 71 } 72 73 74 /* return length of interword separation. 75 * This accepts only spaces/tabs and thus will not traverse a line 76 * or buffer ending. 77 */ 78 static int word_separation_length(const char *s) 79 { 80 const char *begin = s; 81 for (;; s++) { 82 int c = *s; 83 if (c == ' ' || c == '\t') 84 continue; 85 break; 86 } 87 return s - begin; 88 } 89 90 91 /* No. of chars through (including) end of line */ 92 static int line_length(const char *l) 93 { 94 const char *lp = l; 95 while (*lp && *lp != '\n') 96 lp++; 97 if (*lp == '\n') 98 lp++; 99 return lp - l; 100 } 101 102 103 static int str_starts(const char *str, const char *start) 104 { 105 return os_strncmp(str, start, os_strlen(start)) == 0; 106 } 107 108 109 /*************************************************************************** 110 * Advertisements. 111 * These are multicast to the world to tell them we are here. 112 * The individual packets are spread out in time to limit loss, 113 * and then after a much longer period of time the whole sequence 114 * is repeated again (for NOTIFYs only). 115 **************************************************************************/ 116 117 /** 118 * next_advertisement - Build next message and advance the state machine 119 * @a: Advertisement state 120 * @islast: Buffer for indicating whether this is the last message (= 1) 121 * Returns: The new message (caller is responsible for freeing this) 122 * 123 * Note: next_advertisement is shared code with msearchreply_* functions 124 */ 125 static struct wpabuf * 126 next_advertisement(struct upnp_wps_device_sm *sm, 127 struct advertisement_state_machine *a, int *islast) 128 { 129 struct wpabuf *msg; 130 char *NTString = ""; 131 char uuid_string[80]; 132 struct upnp_wps_device_interface *iface; 133 134 *islast = 0; 135 iface = dl_list_first(&sm->interfaces, 136 struct upnp_wps_device_interface, list); 137 if (!iface) 138 return NULL; 139 uuid_bin2str(iface->wps->uuid, uuid_string, sizeof(uuid_string)); 140 msg = wpabuf_alloc(800); /* more than big enough */ 141 if (msg == NULL) 142 goto fail; 143 switch (a->type) { 144 case ADVERTISE_UP: 145 case ADVERTISE_DOWN: 146 NTString = "NT"; 147 wpabuf_put_str(msg, "NOTIFY * HTTP/1.1\r\n"); 148 wpabuf_printf(msg, "HOST: %s:%d\r\n", 149 UPNP_MULTICAST_ADDRESS, UPNP_MULTICAST_PORT); 150 wpabuf_printf(msg, "CACHE-CONTROL: max-age=%d\r\n", 151 UPNP_CACHE_SEC); 152 wpabuf_printf(msg, "NTS: %s\r\n", 153 (a->type == ADVERTISE_UP ? 154 "ssdp:alive" : "ssdp:byebye")); 155 break; 156 case MSEARCH_REPLY: 157 NTString = "ST"; 158 wpabuf_put_str(msg, "HTTP/1.1 200 OK\r\n"); 159 wpabuf_printf(msg, "CACHE-CONTROL: max-age=%d\r\n", 160 UPNP_CACHE_SEC); 161 162 wpabuf_put_str(msg, "DATE: "); 163 format_date(msg); 164 wpabuf_put_str(msg, "\r\n"); 165 166 wpabuf_put_str(msg, "EXT:\r\n"); 167 break; 168 } 169 170 if (a->type != ADVERTISE_DOWN) { 171 /* Where others may get our XML files from */ 172 wpabuf_printf(msg, "LOCATION: http://%s:%d/%s\r\n", 173 sm->ip_addr_text, sm->web_port, 174 UPNP_WPS_DEVICE_XML_FILE); 175 } 176 177 /* The SERVER line has three comma-separated fields: 178 * operating system / version 179 * upnp version 180 * software package / version 181 * However, only the UPnP version is really required, the 182 * others can be place holders... for security reasons 183 * it is better to NOT provide extra information. 184 */ 185 wpabuf_put_str(msg, "SERVER: Unspecified, UPnP/1.0, Unspecified\r\n"); 186 187 switch (a->state / UPNP_ADVERTISE_REPEAT) { 188 case 0: 189 wpabuf_printf(msg, "%s: upnp:rootdevice\r\n", NTString); 190 wpabuf_printf(msg, "USN: uuid:%s::upnp:rootdevice\r\n", 191 uuid_string); 192 break; 193 case 1: 194 wpabuf_printf(msg, "%s: uuid:%s\r\n", NTString, uuid_string); 195 wpabuf_printf(msg, "USN: uuid:%s\r\n", uuid_string); 196 break; 197 case 2: 198 wpabuf_printf(msg, "%s: urn:schemas-wifialliance-org:device:" 199 "WFADevice:1\r\n", NTString); 200 wpabuf_printf(msg, "USN: uuid:%s::urn:schemas-wifialliance-" 201 "org:device:WFADevice:1\r\n", uuid_string); 202 break; 203 case 3: 204 wpabuf_printf(msg, "%s: urn:schemas-wifialliance-org:service:" 205 "WFAWLANConfig:1\r\n", NTString); 206 wpabuf_printf(msg, "USN: uuid:%s::urn:schemas-wifialliance-" 207 "org:service:WFAWLANConfig:1\r\n", uuid_string); 208 break; 209 } 210 wpabuf_put_str(msg, "\r\n"); 211 212 if (a->state + 1 >= 4 * UPNP_ADVERTISE_REPEAT) 213 *islast = 1; 214 215 return msg; 216 217 fail: 218 wpabuf_free(msg); 219 return NULL; 220 } 221 222 223 static void advertisement_state_machine_handler(void *eloop_data, 224 void *user_ctx); 225 226 227 /** 228 * advertisement_state_machine_stop - Stop SSDP advertisements 229 * @sm: WPS UPnP state machine from upnp_wps_device_init() 230 * @send_byebye: Send byebye advertisement messages immediately 231 */ 232 void advertisement_state_machine_stop(struct upnp_wps_device_sm *sm, 233 int send_byebye) 234 { 235 struct advertisement_state_machine *a = &sm->advertisement; 236 int islast = 0; 237 struct wpabuf *msg; 238 struct sockaddr_in dest; 239 240 eloop_cancel_timeout(advertisement_state_machine_handler, NULL, sm); 241 if (!send_byebye || sm->multicast_sd < 0) 242 return; 243 244 a->type = ADVERTISE_DOWN; 245 a->state = 0; 246 247 os_memset(&dest, 0, sizeof(dest)); 248 dest.sin_family = AF_INET; 249 dest.sin_addr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 250 dest.sin_port = htons(UPNP_MULTICAST_PORT); 251 252 while (!islast) { 253 msg = next_advertisement(sm, a, &islast); 254 if (msg == NULL) 255 break; 256 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 257 0, (struct sockaddr *) &dest, sizeof(dest)) < 0) { 258 wpa_printf(MSG_INFO, "WPS UPnP: Advertisement sendto " 259 "failed: %d (%s)", errno, strerror(errno)); 260 } 261 wpabuf_free(msg); 262 a->state++; 263 } 264 } 265 266 267 static void advertisement_state_machine_handler(void *eloop_data, 268 void *user_ctx) 269 { 270 struct upnp_wps_device_sm *sm = user_ctx; 271 struct advertisement_state_machine *a = &sm->advertisement; 272 struct wpabuf *msg; 273 int next_timeout_msec = 100; 274 int next_timeout_sec = 0; 275 struct sockaddr_in dest; 276 int islast = 0; 277 278 /* 279 * Each is sent twice (in case lost) w/ 100 msec delay between; 280 * spec says no more than 3 times. 281 * One pair for rootdevice, one pair for uuid, and a pair each for 282 * each of the two urns. 283 * The entire sequence must be repeated before cache control timeout 284 * (which is min 1800 seconds), 285 * recommend random portion of half of the advertised cache control age 286 * to ensure against loss... perhaps 1800/4 + rand*1800/4 ? 287 * Delay random interval < 100 msec prior to initial sending. 288 * TTL of 4 289 */ 290 291 wpa_printf(MSG_MSGDUMP, "WPS UPnP: Advertisement state=%d", a->state); 292 msg = next_advertisement(sm, a, &islast); 293 if (msg == NULL) 294 return; 295 296 os_memset(&dest, 0, sizeof(dest)); 297 dest.sin_family = AF_INET; 298 dest.sin_addr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 299 dest.sin_port = htons(UPNP_MULTICAST_PORT); 300 301 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 0, 302 (struct sockaddr *) &dest, sizeof(dest)) == -1) { 303 wpa_printf(MSG_ERROR, "WPS UPnP: Advertisement sendto failed:" 304 "%d (%s)", errno, strerror(errno)); 305 next_timeout_msec = 0; 306 next_timeout_sec = 10; /* ... later */ 307 } else if (islast) { 308 a->state = 0; /* wrap around */ 309 if (a->type == ADVERTISE_DOWN) { 310 wpa_printf(MSG_DEBUG, "WPS UPnP: ADVERTISE_DOWN->UP"); 311 a->type = ADVERTISE_UP; 312 /* do it all over again right away */ 313 } else { 314 u16 r; 315 /* 316 * Start over again after a long timeout 317 * (see notes above) 318 */ 319 next_timeout_msec = 0; 320 os_get_random((void *) &r, sizeof(r)); 321 next_timeout_sec = UPNP_CACHE_SEC / 4 + 322 (((UPNP_CACHE_SEC / 4) * r) >> 16); 323 sm->advertise_count++; 324 wpa_printf(MSG_DEBUG, "WPS UPnP: ADVERTISE_UP (#%u); " 325 "next in %d sec", 326 sm->advertise_count, next_timeout_sec); 327 } 328 } else { 329 a->state++; 330 } 331 332 wpabuf_free(msg); 333 334 eloop_register_timeout(next_timeout_sec, next_timeout_msec, 335 advertisement_state_machine_handler, NULL, sm); 336 } 337 338 339 /** 340 * advertisement_state_machine_start - Start SSDP advertisements 341 * @sm: WPS UPnP state machine from upnp_wps_device_init() 342 * Returns: 0 on success, -1 on failure 343 */ 344 int advertisement_state_machine_start(struct upnp_wps_device_sm *sm) 345 { 346 struct advertisement_state_machine *a = &sm->advertisement; 347 int next_timeout_msec; 348 349 advertisement_state_machine_stop(sm, 0); 350 351 /* 352 * Start out advertising down, this automatically switches 353 * to advertising up which signals our restart. 354 */ 355 a->type = ADVERTISE_DOWN; 356 a->state = 0; 357 /* (other fields not used here) */ 358 359 /* First timeout should be random interval < 100 msec */ 360 next_timeout_msec = (100 * (os_random() & 0xFF)) >> 8; 361 return eloop_register_timeout(0, next_timeout_msec, 362 advertisement_state_machine_handler, 363 NULL, sm); 364 } 365 366 367 /*************************************************************************** 368 * M-SEARCH replies 369 * These are very similar to the multicast advertisements, with some 370 * small changes in data content; and they are sent (UDP) to a specific 371 * unicast address instead of multicast. 372 * They are sent in response to a UDP M-SEARCH packet. 373 **************************************************************************/ 374 375 /** 376 * msearchreply_state_machine_stop - Stop M-SEARCH reply state machine 377 * @a: Selected advertisement/reply state 378 */ 379 void msearchreply_state_machine_stop(struct advertisement_state_machine *a) 380 { 381 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH stop"); 382 dl_list_del(&a->list); 383 os_free(a); 384 } 385 386 387 static void msearchreply_state_machine_handler(void *eloop_data, 388 void *user_ctx) 389 { 390 struct advertisement_state_machine *a = user_ctx; 391 struct upnp_wps_device_sm *sm = eloop_data; 392 struct wpabuf *msg; 393 int next_timeout_msec = 100; 394 int next_timeout_sec = 0; 395 int islast = 0; 396 397 /* 398 * Each response is sent twice (in case lost) w/ 100 msec delay 399 * between; spec says no more than 3 times. 400 * One pair for rootdevice, one pair for uuid, and a pair each for 401 * each of the two urns. 402 */ 403 404 /* TODO: should only send the requested response types */ 405 406 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH reply state=%d (%s:%d)", 407 a->state, inet_ntoa(a->client.sin_addr), 408 ntohs(a->client.sin_port)); 409 msg = next_advertisement(sm, a, &islast); 410 if (msg == NULL) 411 return; 412 413 /* 414 * Send it on the multicast socket to avoid having to set up another 415 * socket. 416 */ 417 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 0, 418 (struct sockaddr *) &a->client, sizeof(a->client)) < 0) { 419 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply sendto " 420 "errno %d (%s) for %s:%d", 421 errno, strerror(errno), 422 inet_ntoa(a->client.sin_addr), 423 ntohs(a->client.sin_port)); 424 /* Ignore error and hope for the best */ 425 } 426 wpabuf_free(msg); 427 if (islast) { 428 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply done"); 429 msearchreply_state_machine_stop(a); 430 return; 431 } 432 a->state++; 433 434 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH reply in %d.%03d sec", 435 next_timeout_sec, next_timeout_msec); 436 eloop_register_timeout(next_timeout_sec, next_timeout_msec, 437 msearchreply_state_machine_handler, sm, a); 438 } 439 440 441 /** 442 * msearchreply_state_machine_start - Reply to M-SEARCH discovery request 443 * @sm: WPS UPnP state machine from upnp_wps_device_init() 444 * @client: Client address 445 * @mx: Maximum delay in seconds 446 * 447 * Use TTL of 4 (this was done when socket set up). 448 * A response should be given in randomized portion of min(MX,120) seconds 449 * 450 * UPnP-arch-DeviceArchitecture, 1.2.3: 451 * To be found, a device must send a UDP response to the source IP address and 452 * port that sent the request to the multicast channel. Devices respond if the 453 * ST header of the M-SEARCH request is "ssdp:all", "upnp:rootdevice", "uuid:" 454 * followed by a UUID that exactly matches one advertised by the device. 455 */ 456 static void msearchreply_state_machine_start(struct upnp_wps_device_sm *sm, 457 struct sockaddr_in *client, 458 int mx) 459 { 460 struct advertisement_state_machine *a; 461 int next_timeout_sec; 462 int next_timeout_msec; 463 int replies; 464 465 replies = dl_list_len(&sm->msearch_replies); 466 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply start (%d " 467 "outstanding)", replies); 468 if (replies >= MAX_MSEARCH) { 469 wpa_printf(MSG_INFO, "WPS UPnP: Too many outstanding " 470 "M-SEARCH replies"); 471 return; 472 } 473 474 a = os_zalloc(sizeof(*a)); 475 if (a == NULL) 476 return; 477 a->type = MSEARCH_REPLY; 478 a->state = 0; 479 os_memcpy(&a->client, client, sizeof(*client)); 480 /* Wait time depending on MX value */ 481 next_timeout_msec = (1000 * mx * (os_random() & 0xFF)) >> 8; 482 next_timeout_sec = next_timeout_msec / 1000; 483 next_timeout_msec = next_timeout_msec % 1000; 484 if (eloop_register_timeout(next_timeout_sec, next_timeout_msec, 485 msearchreply_state_machine_handler, sm, 486 a)) { 487 /* No way to recover (from malloc failure) */ 488 goto fail; 489 } 490 /* Remember for future cleanup */ 491 dl_list_add(&sm->msearch_replies, &a->list); 492 return; 493 494 fail: 495 wpa_printf(MSG_INFO, "WPS UPnP: M-SEARCH reply failure!"); 496 eloop_cancel_timeout(msearchreply_state_machine_handler, sm, a); 497 os_free(a); 498 } 499 500 501 /** 502 * ssdp_parse_msearch - Process a received M-SEARCH 503 * @sm: WPS UPnP state machine from upnp_wps_device_init() 504 * @client: Client address 505 * @data: NULL terminated M-SEARCH message 506 * 507 * Given that we have received a header w/ M-SEARCH, act upon it 508 * 509 * Format of M-SEARCH (case insensitive!): 510 * 511 * First line must be: 512 * M-SEARCH * HTTP/1.1 513 * Other lines in arbitrary order: 514 * HOST:239.255.255.250:1900 515 * ST:<varies -- must match> 516 * MAN:"ssdp:discover" 517 * MX:<varies> 518 * 519 * It should be noted that when Microsoft Vista is still learning its IP 520 * address, it sends out host lines like: HOST:[FF02::C]:1900 521 */ 522 static void ssdp_parse_msearch(struct upnp_wps_device_sm *sm, 523 struct sockaddr_in *client, const char *data) 524 { 525 #ifndef CONFIG_NO_STDOUT_DEBUG 526 const char *start = data; 527 #endif /* CONFIG_NO_STDOUT_DEBUG */ 528 int got_host = 0; 529 int got_st = 0, st_match = 0; 530 int got_man = 0; 531 int got_mx = 0; 532 int mx = 0; 533 534 /* 535 * Skip first line M-SEARCH * HTTP/1.1 536 * (perhaps we should check remainder of the line for syntax) 537 */ 538 data += line_length(data); 539 540 /* Parse remaining lines */ 541 for (; *data != '\0'; data += line_length(data)) { 542 if (token_eq(data, "host")) { 543 /* The host line indicates who the packet 544 * is addressed to... but do we really care? 545 * Note that Microsoft sometimes does funny 546 * stuff with the HOST: line. 547 */ 548 #if 0 /* could be */ 549 data += token_length(data); 550 data += word_separation_length(data); 551 if (*data != ':') 552 goto bad; 553 data++; 554 data += word_separation_length(data); 555 /* UPNP_MULTICAST_ADDRESS */ 556 if (!str_starts(data, "239.255.255.250")) 557 goto bad; 558 data += os_strlen("239.255.255.250"); 559 if (*data == ':') { 560 if (!str_starts(data, ":1900")) 561 goto bad; 562 } 563 #endif /* could be */ 564 got_host = 1; 565 continue; 566 } else if (token_eq(data, "st")) { 567 /* There are a number of forms; we look 568 * for one that matches our case. 569 */ 570 got_st = 1; 571 data += token_length(data); 572 data += word_separation_length(data); 573 if (*data != ':') 574 continue; 575 data++; 576 data += word_separation_length(data); 577 if (str_starts(data, "ssdp:all")) { 578 st_match = 1; 579 continue; 580 } 581 if (str_starts(data, "upnp:rootdevice")) { 582 st_match = 1; 583 continue; 584 } 585 if (str_starts(data, "uuid:")) { 586 char uuid_string[80]; 587 struct upnp_wps_device_interface *iface; 588 iface = dl_list_first( 589 &sm->interfaces, 590 struct upnp_wps_device_interface, 591 list); 592 if (!iface) 593 continue; 594 data += os_strlen("uuid:"); 595 uuid_bin2str(iface->wps->uuid, uuid_string, 596 sizeof(uuid_string)); 597 if (str_starts(data, uuid_string)) 598 st_match = 1; 599 continue; 600 } 601 #if 0 602 /* FIX: should we really reply to IGD string? */ 603 if (str_starts(data, "urn:schemas-upnp-org:device:" 604 "InternetGatewayDevice:1")) { 605 st_match = 1; 606 continue; 607 } 608 #endif 609 if (str_starts(data, "urn:schemas-wifialliance-org:" 610 "service:WFAWLANConfig:1")) { 611 st_match = 1; 612 continue; 613 } 614 if (str_starts(data, "urn:schemas-wifialliance-org:" 615 "device:WFADevice:1")) { 616 st_match = 1; 617 continue; 618 } 619 continue; 620 } else if (token_eq(data, "man")) { 621 data += token_length(data); 622 data += word_separation_length(data); 623 if (*data != ':') 624 continue; 625 data++; 626 data += word_separation_length(data); 627 if (!str_starts(data, "\"ssdp:discover\"")) { 628 wpa_printf(MSG_DEBUG, "WPS UPnP: Unexpected " 629 "M-SEARCH man-field"); 630 goto bad; 631 } 632 got_man = 1; 633 continue; 634 } else if (token_eq(data, "mx")) { 635 data += token_length(data); 636 data += word_separation_length(data); 637 if (*data != ':') 638 continue; 639 data++; 640 data += word_separation_length(data); 641 mx = atol(data); 642 got_mx = 1; 643 continue; 644 } 645 /* ignore anything else */ 646 } 647 if (!got_host || !got_st || !got_man || !got_mx || mx < 0) { 648 wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid M-SEARCH: %d %d %d " 649 "%d mx=%d", got_host, got_st, got_man, got_mx, mx); 650 goto bad; 651 } 652 if (!st_match) { 653 wpa_printf(MSG_DEBUG, "WPS UPnP: Ignored M-SEARCH (no ST " 654 "match)"); 655 return; 656 } 657 if (mx > 120) 658 mx = 120; /* UPnP-arch-DeviceArchitecture, 1.2.3 */ 659 msearchreply_state_machine_start(sm, client, mx); 660 return; 661 662 bad: 663 wpa_printf(MSG_INFO, "WPS UPnP: Failed to parse M-SEARCH"); 664 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH data:\n%s", start); 665 } 666 667 668 /* Listening for (UDP) discovery (M-SEARCH) packets */ 669 670 /** 671 * ssdp_listener_stop - Stop SSDP listered 672 * @sm: WPS UPnP state machine from upnp_wps_device_init() 673 * 674 * This function stops the SSDP listener that was started by calling 675 * ssdp_listener_start(). 676 */ 677 void ssdp_listener_stop(struct upnp_wps_device_sm *sm) 678 { 679 if (sm->ssdp_sd_registered) { 680 eloop_unregister_sock(sm->ssdp_sd, EVENT_TYPE_READ); 681 sm->ssdp_sd_registered = 0; 682 } 683 684 if (sm->ssdp_sd != -1) { 685 close(sm->ssdp_sd); 686 sm->ssdp_sd = -1; 687 } 688 689 eloop_cancel_timeout(msearchreply_state_machine_handler, sm, 690 ELOOP_ALL_CTX); 691 } 692 693 694 static void ssdp_listener_handler(int sd, void *eloop_ctx, void *sock_ctx) 695 { 696 struct upnp_wps_device_sm *sm = sock_ctx; 697 struct sockaddr_in addr; /* client address */ 698 socklen_t addr_len; 699 int nread; 700 char buf[MULTICAST_MAX_READ], *pos; 701 702 addr_len = sizeof(addr); 703 nread = recvfrom(sm->ssdp_sd, buf, sizeof(buf) - 1, 0, 704 (struct sockaddr *) &addr, &addr_len); 705 if (nread <= 0) 706 return; 707 buf[nread] = '\0'; /* need null termination for algorithm */ 708 709 if (str_starts(buf, "NOTIFY ")) { 710 /* 711 * Silently ignore NOTIFYs to avoid filling debug log with 712 * unwanted messages. 713 */ 714 return; 715 } 716 717 pos = os_strchr(buf, '\n'); 718 if (pos) 719 *pos = '\0'; 720 wpa_printf(MSG_MSGDUMP, "WPS UPnP: Received SSDP packet from %s:%d: " 721 "%s", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port), buf); 722 if (pos) 723 *pos = '\n'; 724 725 /* Parse first line */ 726 if (os_strncasecmp(buf, "M-SEARCH", os_strlen("M-SEARCH")) == 0 && 727 !isgraph(buf[strlen("M-SEARCH")])) { 728 ssdp_parse_msearch(sm, &addr, buf); 729 return; 730 } 731 732 /* Ignore anything else */ 733 } 734 735 736 int ssdp_listener_open(void) 737 { 738 struct sockaddr_in addr; 739 struct ip_mreq mcast_addr; 740 int on = 1; 741 /* per UPnP spec, keep IP packet time to live (TTL) small */ 742 unsigned char ttl = 4; 743 int sd; 744 745 sd = socket(AF_INET, SOCK_DGRAM, 0); 746 if (sd < 0) 747 goto fail; 748 if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0) 749 goto fail; 750 if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on))) 751 goto fail; 752 os_memset(&addr, 0, sizeof(addr)); 753 addr.sin_family = AF_INET; 754 addr.sin_addr.s_addr = htonl(INADDR_ANY); 755 addr.sin_port = htons(UPNP_MULTICAST_PORT); 756 if (bind(sd, (struct sockaddr *) &addr, sizeof(addr))) 757 goto fail; 758 os_memset(&mcast_addr, 0, sizeof(mcast_addr)); 759 mcast_addr.imr_interface.s_addr = htonl(INADDR_ANY); 760 mcast_addr.imr_multiaddr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 761 if (setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, 762 (char *) &mcast_addr, sizeof(mcast_addr))) 763 goto fail; 764 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_TTL, 765 &ttl, sizeof(ttl))) 766 goto fail; 767 768 return sd; 769 770 fail: 771 if (sd >= 0) 772 close(sd); 773 return -1; 774 } 775 776 777 /** 778 * ssdp_listener_start - Set up for receiving discovery (UDP) packets 779 * @sm: WPS UPnP state machine from upnp_wps_device_init() 780 * Returns: 0 on success, -1 on failure 781 * 782 * The SSDP listener is stopped by calling ssdp_listener_stop(). 783 */ 784 int ssdp_listener_start(struct upnp_wps_device_sm *sm) 785 { 786 sm->ssdp_sd = ssdp_listener_open(); 787 788 if (eloop_register_sock(sm->ssdp_sd, EVENT_TYPE_READ, 789 ssdp_listener_handler, NULL, sm)) 790 goto fail; 791 sm->ssdp_sd_registered = 1; 792 return 0; 793 794 fail: 795 /* Error */ 796 wpa_printf(MSG_ERROR, "WPS UPnP: ssdp_listener_start failed"); 797 ssdp_listener_stop(sm); 798 return -1; 799 } 800 801 802 /** 803 * add_ssdp_network - Add routing entry for SSDP 804 * @net_if: Selected network interface name 805 * Returns: 0 on success, -1 on failure 806 * 807 * This function assures that the multicast address will be properly 808 * handled by Linux networking code (by a modification to routing tables). 809 * This must be done per network interface. It really only needs to be done 810 * once after booting up, but it does not hurt to call this more frequently 811 * "to be safe". 812 */ 813 int add_ssdp_network(const char *net_if) 814 { 815 #ifdef __linux__ 816 int ret = -1; 817 int sock = -1; 818 struct rtentry rt; 819 struct sockaddr_in *sin; 820 821 if (!net_if) 822 goto fail; 823 824 os_memset(&rt, 0, sizeof(rt)); 825 sock = socket(AF_INET, SOCK_DGRAM, 0); 826 if (sock < 0) 827 goto fail; 828 829 rt.rt_dev = (char *) net_if; 830 sin = aliasing_hide_typecast(&rt.rt_dst, struct sockaddr_in); 831 sin->sin_family = AF_INET; 832 sin->sin_port = 0; 833 sin->sin_addr.s_addr = inet_addr(SSDP_TARGET); 834 sin = aliasing_hide_typecast(&rt.rt_genmask, struct sockaddr_in); 835 sin->sin_family = AF_INET; 836 sin->sin_port = 0; 837 sin->sin_addr.s_addr = inet_addr(SSDP_NETMASK); 838 rt.rt_flags = RTF_UP; 839 if (ioctl(sock, SIOCADDRT, &rt) < 0) { 840 if (errno == EPERM) { 841 wpa_printf(MSG_DEBUG, "add_ssdp_network: No " 842 "permissions to add routing table entry"); 843 /* Continue to allow testing as non-root */ 844 } else if (errno != EEXIST) { 845 wpa_printf(MSG_INFO, "add_ssdp_network() ioctl errno " 846 "%d (%s)", errno, strerror(errno)); 847 goto fail; 848 } 849 } 850 851 ret = 0; 852 853 fail: 854 if (sock >= 0) 855 close(sock); 856 857 return ret; 858 #else /* __linux__ */ 859 return 0; 860 #endif /* __linux__ */ 861 } 862 863 864 int ssdp_open_multicast_sock(u32 ip_addr, const char *forced_ifname) 865 { 866 int sd; 867 /* per UPnP-arch-DeviceArchitecture, 1. Discovery, keep IP packet 868 * time to live (TTL) small */ 869 unsigned char ttl = 4; 870 871 sd = socket(AF_INET, SOCK_DGRAM, 0); 872 if (sd < 0) 873 return -1; 874 875 if (forced_ifname) { 876 #ifdef __linux__ 877 struct ifreq req; 878 os_memset(&req, 0, sizeof(req)); 879 os_strlcpy(req.ifr_name, forced_ifname, sizeof(req.ifr_name)); 880 if (setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, &req, 881 sizeof(req)) < 0) { 882 wpa_printf(MSG_INFO, "WPS UPnP: Failed to bind " 883 "multicast socket to ifname %s: %s", 884 forced_ifname, strerror(errno)); 885 close(sd); 886 return -1; 887 } 888 #endif /* __linux__ */ 889 } 890 891 #if 0 /* maybe ok if we sometimes block on writes */ 892 if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0) { 893 close(sd); 894 return -1; 895 } 896 #endif 897 898 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_IF, 899 &ip_addr, sizeof(ip_addr))) { 900 wpa_printf(MSG_DEBUG, "WPS: setsockopt(IP_MULTICAST_IF) %x: " 901 "%d (%s)", ip_addr, errno, strerror(errno)); 902 close(sd); 903 return -1; 904 } 905 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_TTL, 906 &ttl, sizeof(ttl))) { 907 wpa_printf(MSG_DEBUG, "WPS: setsockopt(IP_MULTICAST_TTL): " 908 "%d (%s)", errno, strerror(errno)); 909 close(sd); 910 return -1; 911 } 912 913 #if 0 /* not needed, because we don't receive using multicast_sd */ 914 { 915 struct ip_mreq mreq; 916 mreq.imr_multiaddr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 917 mreq.imr_interface.s_addr = ip_addr; 918 wpa_printf(MSG_DEBUG, "WPS UPnP: Multicast addr 0x%x if addr " 919 "0x%x", 920 mreq.imr_multiaddr.s_addr, 921 mreq.imr_interface.s_addr); 922 if (setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq, 923 sizeof(mreq))) { 924 wpa_printf(MSG_ERROR, 925 "WPS UPnP: setsockopt " 926 "IP_ADD_MEMBERSHIP errno %d (%s)", 927 errno, strerror(errno)); 928 close(sd); 929 return -1; 930 } 931 } 932 #endif /* not needed */ 933 934 /* 935 * TODO: What about IP_MULTICAST_LOOP? It seems to be on by default? 936 * which aids debugging I suppose but isn't really necessary? 937 */ 938 939 return sd; 940 } 941 942 943 /** 944 * ssdp_open_multicast - Open socket for sending multicast SSDP messages 945 * @sm: WPS UPnP state machine from upnp_wps_device_init() 946 * Returns: 0 on success, -1 on failure 947 */ 948 int ssdp_open_multicast(struct upnp_wps_device_sm *sm) 949 { 950 sm->multicast_sd = ssdp_open_multicast_sock(sm->ip_addr, NULL); 951 if (sm->multicast_sd < 0) 952 return -1; 953 return 0; 954 } 955
