1 /* 2 * UPnP SSDP for WPS 3 * Copyright (c) 2000-2003 Intel Corporation 4 * Copyright (c) 2006-2007 Sony Corporation 5 * Copyright (c) 2008-2009 Atheros Communications 6 * Copyright (c) 2009-2013, Jouni Malinen <j@w1.fi> 7 * 8 * See wps_upnp.c for more details on licensing and code history. 9 */ 10 11 #include "includes.h" 12 13 #include <fcntl.h> 14 #include <sys/ioctl.h> 15 #include <net/route.h> 16 #ifdef __linux__ 17 #include <net/if.h> 18 #endif /* __linux__ */ 19 20 #include "common.h" 21 #include "uuid.h" 22 #include "eloop.h" 23 #include "wps.h" 24 #include "wps_upnp.h" 25 #include "wps_upnp_i.h" 26 27 #define UPNP_CACHE_SEC (UPNP_CACHE_SEC_MIN + 1) /* cache time we use */ 28 #define UPNP_CACHE_SEC_MIN 1800 /* min cachable time per UPnP standard */ 29 #define UPNP_ADVERTISE_REPEAT 2 /* no more than 3 */ 30 #define MAX_MSEARCH 20 /* max simultaneous M-SEARCH replies ongoing */ 31 #define SSDP_TARGET "239.0.0.0" 32 #define SSDP_NETMASK "255.0.0.0" 33 34 35 /* Check tokens for equality, where tokens consist of letters, digits, 36 * underscore and hyphen, and are matched case insensitive. 37 */ 38 static int token_eq(const char *s1, const char *s2) 39 { 40 int c1; 41 int c2; 42 int end1 = 0; 43 int end2 = 0; 44 for (;;) { 45 c1 = *s1++; 46 c2 = *s2++; 47 if (isalpha(c1) && isupper(c1)) 48 c1 = tolower(c1); 49 if (isalpha(c2) && isupper(c2)) 50 c2 = tolower(c2); 51 end1 = !(isalnum(c1) || c1 == '_' || c1 == '-'); 52 end2 = !(isalnum(c2) || c2 == '_' || c2 == '-'); 53 if (end1 || end2 || c1 != c2) 54 break; 55 } 56 return end1 && end2; /* reached end of both words? */ 57 } 58 59 60 /* Return length of token (see above for definition of token) */ 61 static int token_length(const char *s) 62 { 63 const char *begin = s; 64 for (;; s++) { 65 int c = *s; 66 int end = !(isalnum(c) || c == '_' || c == '-'); 67 if (end) 68 break; 69 } 70 return s - begin; 71 } 72 73 74 /* return length of interword separation. 75 * This accepts only spaces/tabs and thus will not traverse a line 76 * or buffer ending. 77 */ 78 static int word_separation_length(const char *s) 79 { 80 const char *begin = s; 81 for (;; s++) { 82 int c = *s; 83 if (c == ' ' || c == '\t') 84 continue; 85 break; 86 } 87 return s - begin; 88 } 89 90 91 /* No. of chars through (including) end of line */ 92 static int line_length(const char *l) 93 { 94 const char *lp = l; 95 while (*lp && *lp != '\n') 96 lp++; 97 if (*lp == '\n') 98 lp++; 99 return lp - l; 100 } 101 102 103 static int str_starts(const char *str, const char *start) 104 { 105 return os_strncmp(str, start, os_strlen(start)) == 0; 106 } 107 108 109 /*************************************************************************** 110 * Advertisements. 111 * These are multicast to the world to tell them we are here. 112 * The individual packets are spread out in time to limit loss, 113 * and then after a much longer period of time the whole sequence 114 * is repeated again (for NOTIFYs only). 115 **************************************************************************/ 116 117 /** 118 * next_advertisement - Build next message and advance the state machine 119 * @a: Advertisement state 120 * @islast: Buffer for indicating whether this is the last message (= 1) 121 * Returns: The new message (caller is responsible for freeing this) 122 * 123 * Note: next_advertisement is shared code with msearchreply_* functions 124 */ 125 static struct wpabuf * 126 next_advertisement(struct upnp_wps_device_sm *sm, 127 struct advertisement_state_machine *a, int *islast) 128 { 129 struct wpabuf *msg; 130 char *NTString = ""; 131 char uuid_string[80]; 132 struct upnp_wps_device_interface *iface; 133 134 *islast = 0; 135 iface = dl_list_first(&sm->interfaces, 136 struct upnp_wps_device_interface, list); 137 if (!iface) 138 return NULL; 139 uuid_bin2str(iface->wps->uuid, uuid_string, sizeof(uuid_string)); 140 msg = wpabuf_alloc(800); /* more than big enough */ 141 if (msg == NULL) 142 goto fail; 143 switch (a->type) { 144 case ADVERTISE_UP: 145 case ADVERTISE_DOWN: 146 NTString = "NT"; 147 wpabuf_put_str(msg, "NOTIFY * HTTP/1.1\r\n"); 148 wpabuf_printf(msg, "HOST: %s:%d\r\n", 149 UPNP_MULTICAST_ADDRESS, UPNP_MULTICAST_PORT); 150 wpabuf_printf(msg, "CACHE-CONTROL: max-age=%d\r\n", 151 UPNP_CACHE_SEC); 152 wpabuf_printf(msg, "NTS: %s\r\n", 153 (a->type == ADVERTISE_UP ? 154 "ssdp:alive" : "ssdp:byebye")); 155 break; 156 case MSEARCH_REPLY: 157 NTString = "ST"; 158 wpabuf_put_str(msg, "HTTP/1.1 200 OK\r\n"); 159 wpabuf_printf(msg, "CACHE-CONTROL: max-age=%d\r\n", 160 UPNP_CACHE_SEC); 161 162 wpabuf_put_str(msg, "DATE: "); 163 format_date(msg); 164 wpabuf_put_str(msg, "\r\n"); 165 166 wpabuf_put_str(msg, "EXT:\r\n"); 167 break; 168 } 169 170 if (a->type != ADVERTISE_DOWN) { 171 /* Where others may get our XML files from */ 172 wpabuf_printf(msg, "LOCATION: http://%s:%d/%s\r\n", 173 sm->ip_addr_text, sm->web_port, 174 UPNP_WPS_DEVICE_XML_FILE); 175 } 176 177 /* The SERVER line has three comma-separated fields: 178 * operating system / version 179 * upnp version 180 * software package / version 181 * However, only the UPnP version is really required, the 182 * others can be place holders... for security reasons 183 * it is better to NOT provide extra information. 184 */ 185 wpabuf_put_str(msg, "SERVER: Unspecified, UPnP/1.0, Unspecified\r\n"); 186 187 switch (a->state / UPNP_ADVERTISE_REPEAT) { 188 case 0: 189 wpabuf_printf(msg, "%s: upnp:rootdevice\r\n", NTString); 190 wpabuf_printf(msg, "USN: uuid:%s::upnp:rootdevice\r\n", 191 uuid_string); 192 break; 193 case 1: 194 wpabuf_printf(msg, "%s: uuid:%s\r\n", NTString, uuid_string); 195 wpabuf_printf(msg, "USN: uuid:%s\r\n", uuid_string); 196 break; 197 case 2: 198 wpabuf_printf(msg, "%s: urn:schemas-wifialliance-org:device:" 199 "WFADevice:1\r\n", NTString); 200 wpabuf_printf(msg, "USN: uuid:%s::urn:schemas-wifialliance-" 201 "org:device:WFADevice:1\r\n", uuid_string); 202 break; 203 case 3: 204 wpabuf_printf(msg, "%s: urn:schemas-wifialliance-org:service:" 205 "WFAWLANConfig:1\r\n", NTString); 206 wpabuf_printf(msg, "USN: uuid:%s::urn:schemas-wifialliance-" 207 "org:service:WFAWLANConfig:1\r\n", uuid_string); 208 break; 209 } 210 wpabuf_put_str(msg, "\r\n"); 211 212 if (a->state + 1 >= 4 * UPNP_ADVERTISE_REPEAT) 213 *islast = 1; 214 215 return msg; 216 217 fail: 218 wpabuf_free(msg); 219 return NULL; 220 } 221 222 223 static void advertisement_state_machine_handler(void *eloop_data, 224 void *user_ctx); 225 226 227 /** 228 * advertisement_state_machine_stop - Stop SSDP advertisements 229 * @sm: WPS UPnP state machine from upnp_wps_device_init() 230 * @send_byebye: Send byebye advertisement messages immediately 231 */ 232 void advertisement_state_machine_stop(struct upnp_wps_device_sm *sm, 233 int send_byebye) 234 { 235 struct advertisement_state_machine *a = &sm->advertisement; 236 int islast = 0; 237 struct wpabuf *msg; 238 struct sockaddr_in dest; 239 240 eloop_cancel_timeout(advertisement_state_machine_handler, NULL, sm); 241 if (!send_byebye || sm->multicast_sd < 0) 242 return; 243 244 a->type = ADVERTISE_DOWN; 245 a->state = 0; 246 247 os_memset(&dest, 0, sizeof(dest)); 248 dest.sin_family = AF_INET; 249 dest.sin_addr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 250 dest.sin_port = htons(UPNP_MULTICAST_PORT); 251 252 while (!islast) { 253 msg = next_advertisement(sm, a, &islast); 254 if (msg == NULL) 255 break; 256 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 257 0, (struct sockaddr *) &dest, sizeof(dest)) < 0) { 258 wpa_printf(MSG_INFO, "WPS UPnP: Advertisement sendto " 259 "failed: %d (%s)", errno, strerror(errno)); 260 } 261 wpabuf_free(msg); 262 a->state++; 263 } 264 } 265 266 267 static void advertisement_state_machine_handler(void *eloop_data, 268 void *user_ctx) 269 { 270 struct upnp_wps_device_sm *sm = user_ctx; 271 struct advertisement_state_machine *a = &sm->advertisement; 272 struct wpabuf *msg; 273 int next_timeout_msec = 100; 274 int next_timeout_sec = 0; 275 struct sockaddr_in dest; 276 int islast = 0; 277 278 /* 279 * Each is sent twice (in case lost) w/ 100 msec delay between; 280 * spec says no more than 3 times. 281 * One pair for rootdevice, one pair for uuid, and a pair each for 282 * each of the two urns. 283 * The entire sequence must be repeated before cache control timeout 284 * (which is min 1800 seconds), 285 * recommend random portion of half of the advertised cache control age 286 * to ensure against loss... perhaps 1800/4 + rand*1800/4 ? 287 * Delay random interval < 100 msec prior to initial sending. 288 * TTL of 4 289 */ 290 291 wpa_printf(MSG_MSGDUMP, "WPS UPnP: Advertisement state=%d", a->state); 292 msg = next_advertisement(sm, a, &islast); 293 if (msg == NULL) 294 return; 295 296 os_memset(&dest, 0, sizeof(dest)); 297 dest.sin_family = AF_INET; 298 dest.sin_addr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 299 dest.sin_port = htons(UPNP_MULTICAST_PORT); 300 301 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 0, 302 (struct sockaddr *) &dest, sizeof(dest)) == -1) { 303 wpa_printf(MSG_ERROR, "WPS UPnP: Advertisement sendto failed:" 304 "%d (%s)", errno, strerror(errno)); 305 next_timeout_msec = 0; 306 next_timeout_sec = 10; /* ... later */ 307 } else if (islast) { 308 a->state = 0; /* wrap around */ 309 if (a->type == ADVERTISE_DOWN) { 310 wpa_printf(MSG_DEBUG, "WPS UPnP: ADVERTISE_DOWN->UP"); 311 a->type = ADVERTISE_UP; 312 /* do it all over again right away */ 313 } else { 314 u16 r; 315 /* 316 * Start over again after a long timeout 317 * (see notes above) 318 */ 319 next_timeout_msec = 0; 320 if (os_get_random((void *) &r, sizeof(r)) < 0) 321 r = 32768; 322 next_timeout_sec = UPNP_CACHE_SEC / 4 + 323 (((UPNP_CACHE_SEC / 4) * r) >> 16); 324 sm->advertise_count++; 325 wpa_printf(MSG_DEBUG, "WPS UPnP: ADVERTISE_UP (#%u); " 326 "next in %d sec", 327 sm->advertise_count, next_timeout_sec); 328 } 329 } else { 330 a->state++; 331 } 332 333 wpabuf_free(msg); 334 335 eloop_register_timeout(next_timeout_sec, next_timeout_msec, 336 advertisement_state_machine_handler, NULL, sm); 337 } 338 339 340 /** 341 * advertisement_state_machine_start - Start SSDP advertisements 342 * @sm: WPS UPnP state machine from upnp_wps_device_init() 343 * Returns: 0 on success, -1 on failure 344 */ 345 int advertisement_state_machine_start(struct upnp_wps_device_sm *sm) 346 { 347 struct advertisement_state_machine *a = &sm->advertisement; 348 int next_timeout_msec; 349 350 advertisement_state_machine_stop(sm, 0); 351 352 /* 353 * Start out advertising down, this automatically switches 354 * to advertising up which signals our restart. 355 */ 356 a->type = ADVERTISE_DOWN; 357 a->state = 0; 358 /* (other fields not used here) */ 359 360 /* First timeout should be random interval < 100 msec */ 361 next_timeout_msec = (100 * (os_random() & 0xFF)) >> 8; 362 return eloop_register_timeout(0, next_timeout_msec, 363 advertisement_state_machine_handler, 364 NULL, sm); 365 } 366 367 368 /*************************************************************************** 369 * M-SEARCH replies 370 * These are very similar to the multicast advertisements, with some 371 * small changes in data content; and they are sent (UDP) to a specific 372 * unicast address instead of multicast. 373 * They are sent in response to a UDP M-SEARCH packet. 374 **************************************************************************/ 375 376 /** 377 * msearchreply_state_machine_stop - Stop M-SEARCH reply state machine 378 * @a: Selected advertisement/reply state 379 */ 380 void msearchreply_state_machine_stop(struct advertisement_state_machine *a) 381 { 382 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH stop"); 383 dl_list_del(&a->list); 384 os_free(a); 385 } 386 387 388 static void msearchreply_state_machine_handler(void *eloop_data, 389 void *user_ctx) 390 { 391 struct advertisement_state_machine *a = user_ctx; 392 struct upnp_wps_device_sm *sm = eloop_data; 393 struct wpabuf *msg; 394 int next_timeout_msec = 100; 395 int next_timeout_sec = 0; 396 int islast = 0; 397 398 /* 399 * Each response is sent twice (in case lost) w/ 100 msec delay 400 * between; spec says no more than 3 times. 401 * One pair for rootdevice, one pair for uuid, and a pair each for 402 * each of the two urns. 403 */ 404 405 /* TODO: should only send the requested response types */ 406 407 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH reply state=%d (%s:%d)", 408 a->state, inet_ntoa(a->client.sin_addr), 409 ntohs(a->client.sin_port)); 410 msg = next_advertisement(sm, a, &islast); 411 if (msg == NULL) 412 return; 413 414 /* 415 * Send it on the multicast socket to avoid having to set up another 416 * socket. 417 */ 418 if (sendto(sm->multicast_sd, wpabuf_head(msg), wpabuf_len(msg), 0, 419 (struct sockaddr *) &a->client, sizeof(a->client)) < 0) { 420 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply sendto " 421 "errno %d (%s) for %s:%d", 422 errno, strerror(errno), 423 inet_ntoa(a->client.sin_addr), 424 ntohs(a->client.sin_port)); 425 /* Ignore error and hope for the best */ 426 } 427 wpabuf_free(msg); 428 if (islast) { 429 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply done"); 430 msearchreply_state_machine_stop(a); 431 return; 432 } 433 a->state++; 434 435 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH reply in %d.%03d sec", 436 next_timeout_sec, next_timeout_msec); 437 eloop_register_timeout(next_timeout_sec, next_timeout_msec, 438 msearchreply_state_machine_handler, sm, a); 439 } 440 441 442 /** 443 * msearchreply_state_machine_start - Reply to M-SEARCH discovery request 444 * @sm: WPS UPnP state machine from upnp_wps_device_init() 445 * @client: Client address 446 * @mx: Maximum delay in seconds 447 * 448 * Use TTL of 4 (this was done when socket set up). 449 * A response should be given in randomized portion of min(MX,120) seconds 450 * 451 * UPnP-arch-DeviceArchitecture, 1.2.3: 452 * To be found, a device must send a UDP response to the source IP address and 453 * port that sent the request to the multicast channel. Devices respond if the 454 * ST header of the M-SEARCH request is "ssdp:all", "upnp:rootdevice", "uuid:" 455 * followed by a UUID that exactly matches one advertised by the device. 456 */ 457 static void msearchreply_state_machine_start(struct upnp_wps_device_sm *sm, 458 struct sockaddr_in *client, 459 int mx) 460 { 461 struct advertisement_state_machine *a; 462 int next_timeout_sec; 463 int next_timeout_msec; 464 int replies; 465 466 replies = dl_list_len(&sm->msearch_replies); 467 wpa_printf(MSG_DEBUG, "WPS UPnP: M-SEARCH reply start (%d " 468 "outstanding)", replies); 469 if (replies >= MAX_MSEARCH) { 470 wpa_printf(MSG_INFO, "WPS UPnP: Too many outstanding " 471 "M-SEARCH replies"); 472 return; 473 } 474 475 a = os_zalloc(sizeof(*a)); 476 if (a == NULL) 477 return; 478 a->type = MSEARCH_REPLY; 479 a->state = 0; 480 os_memcpy(&a->client, client, sizeof(*client)); 481 /* Wait time depending on MX value */ 482 next_timeout_msec = (1000 * mx * (os_random() & 0xFF)) >> 8; 483 next_timeout_sec = next_timeout_msec / 1000; 484 next_timeout_msec = next_timeout_msec % 1000; 485 if (eloop_register_timeout(next_timeout_sec, next_timeout_msec, 486 msearchreply_state_machine_handler, sm, 487 a)) { 488 /* No way to recover (from malloc failure) */ 489 goto fail; 490 } 491 /* Remember for future cleanup */ 492 dl_list_add(&sm->msearch_replies, &a->list); 493 return; 494 495 fail: 496 wpa_printf(MSG_INFO, "WPS UPnP: M-SEARCH reply failure!"); 497 eloop_cancel_timeout(msearchreply_state_machine_handler, sm, a); 498 os_free(a); 499 } 500 501 502 /** 503 * ssdp_parse_msearch - Process a received M-SEARCH 504 * @sm: WPS UPnP state machine from upnp_wps_device_init() 505 * @client: Client address 506 * @data: NULL terminated M-SEARCH message 507 * 508 * Given that we have received a header w/ M-SEARCH, act upon it 509 * 510 * Format of M-SEARCH (case insensitive!): 511 * 512 * First line must be: 513 * M-SEARCH * HTTP/1.1 514 * Other lines in arbitrary order: 515 * HOST:239.255.255.250:1900 516 * ST:<varies -- must match> 517 * MAN:"ssdp:discover" 518 * MX:<varies> 519 * 520 * It should be noted that when Microsoft Vista is still learning its IP 521 * address, it sends out host lines like: HOST:[FF02::C]:1900 522 */ 523 static void ssdp_parse_msearch(struct upnp_wps_device_sm *sm, 524 struct sockaddr_in *client, const char *data) 525 { 526 #ifndef CONFIG_NO_STDOUT_DEBUG 527 const char *start = data; 528 #endif /* CONFIG_NO_STDOUT_DEBUG */ 529 int got_host = 0; 530 int got_st = 0, st_match = 0; 531 int got_man = 0; 532 int got_mx = 0; 533 int mx = 0; 534 535 /* 536 * Skip first line M-SEARCH * HTTP/1.1 537 * (perhaps we should check remainder of the line for syntax) 538 */ 539 data += line_length(data); 540 541 /* Parse remaining lines */ 542 for (; *data != '\0'; data += line_length(data)) { 543 if (token_eq(data, "host")) { 544 /* The host line indicates who the packet 545 * is addressed to... but do we really care? 546 * Note that Microsoft sometimes does funny 547 * stuff with the HOST: line. 548 */ 549 #if 0 /* could be */ 550 data += token_length(data); 551 data += word_separation_length(data); 552 if (*data != ':') 553 goto bad; 554 data++; 555 data += word_separation_length(data); 556 /* UPNP_MULTICAST_ADDRESS */ 557 if (!str_starts(data, "239.255.255.250")) 558 goto bad; 559 data += os_strlen("239.255.255.250"); 560 if (*data == ':') { 561 if (!str_starts(data, ":1900")) 562 goto bad; 563 } 564 #endif /* could be */ 565 got_host = 1; 566 continue; 567 } else if (token_eq(data, "st")) { 568 /* There are a number of forms; we look 569 * for one that matches our case. 570 */ 571 got_st = 1; 572 data += token_length(data); 573 data += word_separation_length(data); 574 if (*data != ':') 575 continue; 576 data++; 577 data += word_separation_length(data); 578 if (str_starts(data, "ssdp:all")) { 579 st_match = 1; 580 continue; 581 } 582 if (str_starts(data, "upnp:rootdevice")) { 583 st_match = 1; 584 continue; 585 } 586 if (str_starts(data, "uuid:")) { 587 char uuid_string[80]; 588 struct upnp_wps_device_interface *iface; 589 iface = dl_list_first( 590 &sm->interfaces, 591 struct upnp_wps_device_interface, 592 list); 593 if (!iface) 594 continue; 595 data += os_strlen("uuid:"); 596 uuid_bin2str(iface->wps->uuid, uuid_string, 597 sizeof(uuid_string)); 598 if (str_starts(data, uuid_string)) 599 st_match = 1; 600 continue; 601 } 602 #if 0 603 /* FIX: should we really reply to IGD string? */ 604 if (str_starts(data, "urn:schemas-upnp-org:device:" 605 "InternetGatewayDevice:1")) { 606 st_match = 1; 607 continue; 608 } 609 #endif 610 if (str_starts(data, "urn:schemas-wifialliance-org:" 611 "service:WFAWLANConfig:1")) { 612 st_match = 1; 613 continue; 614 } 615 if (str_starts(data, "urn:schemas-wifialliance-org:" 616 "device:WFADevice:1")) { 617 st_match = 1; 618 continue; 619 } 620 continue; 621 } else if (token_eq(data, "man")) { 622 data += token_length(data); 623 data += word_separation_length(data); 624 if (*data != ':') 625 continue; 626 data++; 627 data += word_separation_length(data); 628 if (!str_starts(data, "\"ssdp:discover\"")) { 629 wpa_printf(MSG_DEBUG, "WPS UPnP: Unexpected " 630 "M-SEARCH man-field"); 631 goto bad; 632 } 633 got_man = 1; 634 continue; 635 } else if (token_eq(data, "mx")) { 636 data += token_length(data); 637 data += word_separation_length(data); 638 if (*data != ':') 639 continue; 640 data++; 641 data += word_separation_length(data); 642 mx = atol(data); 643 got_mx = 1; 644 continue; 645 } 646 /* ignore anything else */ 647 } 648 if (!got_host || !got_st || !got_man || !got_mx || mx < 0) { 649 wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid M-SEARCH: %d %d %d " 650 "%d mx=%d", got_host, got_st, got_man, got_mx, mx); 651 goto bad; 652 } 653 if (!st_match) { 654 wpa_printf(MSG_DEBUG, "WPS UPnP: Ignored M-SEARCH (no ST " 655 "match)"); 656 return; 657 } 658 if (mx > 120) 659 mx = 120; /* UPnP-arch-DeviceArchitecture, 1.2.3 */ 660 msearchreply_state_machine_start(sm, client, mx); 661 return; 662 663 bad: 664 wpa_printf(MSG_INFO, "WPS UPnP: Failed to parse M-SEARCH"); 665 wpa_printf(MSG_MSGDUMP, "WPS UPnP: M-SEARCH data:\n%s", start); 666 } 667 668 669 /* Listening for (UDP) discovery (M-SEARCH) packets */ 670 671 /** 672 * ssdp_listener_stop - Stop SSDP listered 673 * @sm: WPS UPnP state machine from upnp_wps_device_init() 674 * 675 * This function stops the SSDP listener that was started by calling 676 * ssdp_listener_start(). 677 */ 678 void ssdp_listener_stop(struct upnp_wps_device_sm *sm) 679 { 680 if (sm->ssdp_sd_registered) { 681 eloop_unregister_sock(sm->ssdp_sd, EVENT_TYPE_READ); 682 sm->ssdp_sd_registered = 0; 683 } 684 685 if (sm->ssdp_sd != -1) { 686 close(sm->ssdp_sd); 687 sm->ssdp_sd = -1; 688 } 689 690 eloop_cancel_timeout(msearchreply_state_machine_handler, sm, 691 ELOOP_ALL_CTX); 692 } 693 694 695 static void ssdp_listener_handler(int sd, void *eloop_ctx, void *sock_ctx) 696 { 697 struct upnp_wps_device_sm *sm = sock_ctx; 698 struct sockaddr_in addr; /* client address */ 699 socklen_t addr_len; 700 int nread; 701 char buf[MULTICAST_MAX_READ], *pos; 702 703 addr_len = sizeof(addr); 704 nread = recvfrom(sm->ssdp_sd, buf, sizeof(buf) - 1, 0, 705 (struct sockaddr *) &addr, &addr_len); 706 if (nread <= 0) 707 return; 708 buf[nread] = '\0'; /* need null termination for algorithm */ 709 710 if (str_starts(buf, "NOTIFY ")) { 711 /* 712 * Silently ignore NOTIFYs to avoid filling debug log with 713 * unwanted messages. 714 */ 715 return; 716 } 717 718 pos = os_strchr(buf, '\n'); 719 if (pos) 720 *pos = '\0'; 721 wpa_printf(MSG_MSGDUMP, "WPS UPnP: Received SSDP packet from %s:%d: " 722 "%s", inet_ntoa(addr.sin_addr), ntohs(addr.sin_port), buf); 723 if (pos) 724 *pos = '\n'; 725 726 /* Parse first line */ 727 if (os_strncasecmp(buf, "M-SEARCH", os_strlen("M-SEARCH")) == 0 && 728 !isgraph(buf[strlen("M-SEARCH")])) { 729 ssdp_parse_msearch(sm, &addr, buf); 730 return; 731 } 732 733 /* Ignore anything else */ 734 } 735 736 737 int ssdp_listener_open(void) 738 { 739 struct sockaddr_in addr; 740 struct ip_mreq mcast_addr; 741 int on = 1; 742 /* per UPnP spec, keep IP packet time to live (TTL) small */ 743 unsigned char ttl = 4; 744 int sd; 745 746 sd = socket(AF_INET, SOCK_DGRAM, 0); 747 if (sd < 0) 748 goto fail; 749 if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0) 750 goto fail; 751 if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on))) 752 goto fail; 753 os_memset(&addr, 0, sizeof(addr)); 754 addr.sin_family = AF_INET; 755 addr.sin_addr.s_addr = htonl(INADDR_ANY); 756 addr.sin_port = htons(UPNP_MULTICAST_PORT); 757 if (bind(sd, (struct sockaddr *) &addr, sizeof(addr))) 758 goto fail; 759 os_memset(&mcast_addr, 0, sizeof(mcast_addr)); 760 mcast_addr.imr_interface.s_addr = htonl(INADDR_ANY); 761 mcast_addr.imr_multiaddr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 762 if (setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, 763 (char *) &mcast_addr, sizeof(mcast_addr))) 764 goto fail; 765 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_TTL, 766 &ttl, sizeof(ttl))) 767 goto fail; 768 769 return sd; 770 771 fail: 772 if (sd >= 0) 773 close(sd); 774 return -1; 775 } 776 777 778 /** 779 * ssdp_listener_start - Set up for receiving discovery (UDP) packets 780 * @sm: WPS UPnP state machine from upnp_wps_device_init() 781 * Returns: 0 on success, -1 on failure 782 * 783 * The SSDP listener is stopped by calling ssdp_listener_stop(). 784 */ 785 int ssdp_listener_start(struct upnp_wps_device_sm *sm) 786 { 787 sm->ssdp_sd = ssdp_listener_open(); 788 789 if (eloop_register_sock(sm->ssdp_sd, EVENT_TYPE_READ, 790 ssdp_listener_handler, NULL, sm)) 791 goto fail; 792 sm->ssdp_sd_registered = 1; 793 return 0; 794 795 fail: 796 /* Error */ 797 wpa_printf(MSG_ERROR, "WPS UPnP: ssdp_listener_start failed"); 798 ssdp_listener_stop(sm); 799 return -1; 800 } 801 802 803 /** 804 * add_ssdp_network - Add routing entry for SSDP 805 * @net_if: Selected network interface name 806 * Returns: 0 on success, -1 on failure 807 * 808 * This function assures that the multicast address will be properly 809 * handled by Linux networking code (by a modification to routing tables). 810 * This must be done per network interface. It really only needs to be done 811 * once after booting up, but it does not hurt to call this more frequently 812 * "to be safe". 813 */ 814 int add_ssdp_network(const char *net_if) 815 { 816 #ifdef __linux__ 817 int ret = -1; 818 int sock = -1; 819 struct rtentry rt; 820 struct sockaddr_in *sin; 821 822 if (!net_if) 823 goto fail; 824 825 os_memset(&rt, 0, sizeof(rt)); 826 sock = socket(AF_INET, SOCK_DGRAM, 0); 827 if (sock < 0) 828 goto fail; 829 830 rt.rt_dev = (char *) net_if; 831 sin = aliasing_hide_typecast(&rt.rt_dst, struct sockaddr_in); 832 sin->sin_family = AF_INET; 833 sin->sin_port = 0; 834 sin->sin_addr.s_addr = inet_addr(SSDP_TARGET); 835 sin = aliasing_hide_typecast(&rt.rt_genmask, struct sockaddr_in); 836 sin->sin_family = AF_INET; 837 sin->sin_port = 0; 838 sin->sin_addr.s_addr = inet_addr(SSDP_NETMASK); 839 rt.rt_flags = RTF_UP; 840 if (ioctl(sock, SIOCADDRT, &rt) < 0) { 841 if (errno == EPERM) { 842 wpa_printf(MSG_DEBUG, "add_ssdp_network: No " 843 "permissions to add routing table entry"); 844 /* Continue to allow testing as non-root */ 845 } else if (errno != EEXIST) { 846 wpa_printf(MSG_INFO, "add_ssdp_network() ioctl errno " 847 "%d (%s)", errno, strerror(errno)); 848 goto fail; 849 } 850 } 851 852 ret = 0; 853 854 fail: 855 if (sock >= 0) 856 close(sock); 857 858 return ret; 859 #else /* __linux__ */ 860 return 0; 861 #endif /* __linux__ */ 862 } 863 864 865 int ssdp_open_multicast_sock(u32 ip_addr, const char *forced_ifname) 866 { 867 int sd; 868 /* per UPnP-arch-DeviceArchitecture, 1. Discovery, keep IP packet 869 * time to live (TTL) small */ 870 unsigned char ttl = 4; 871 872 sd = socket(AF_INET, SOCK_DGRAM, 0); 873 if (sd < 0) 874 return -1; 875 876 if (forced_ifname) { 877 #ifdef __linux__ 878 struct ifreq req; 879 os_memset(&req, 0, sizeof(req)); 880 os_strlcpy(req.ifr_name, forced_ifname, sizeof(req.ifr_name)); 881 if (setsockopt(sd, SOL_SOCKET, SO_BINDTODEVICE, &req, 882 sizeof(req)) < 0) { 883 wpa_printf(MSG_INFO, "WPS UPnP: Failed to bind " 884 "multicast socket to ifname %s: %s", 885 forced_ifname, strerror(errno)); 886 close(sd); 887 return -1; 888 } 889 #endif /* __linux__ */ 890 } 891 892 #if 0 /* maybe ok if we sometimes block on writes */ 893 if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0) { 894 close(sd); 895 return -1; 896 } 897 #endif 898 899 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_IF, 900 &ip_addr, sizeof(ip_addr))) { 901 wpa_printf(MSG_DEBUG, "WPS: setsockopt(IP_MULTICAST_IF) %x: " 902 "%d (%s)", ip_addr, errno, strerror(errno)); 903 close(sd); 904 return -1; 905 } 906 if (setsockopt(sd, IPPROTO_IP, IP_MULTICAST_TTL, 907 &ttl, sizeof(ttl))) { 908 wpa_printf(MSG_DEBUG, "WPS: setsockopt(IP_MULTICAST_TTL): " 909 "%d (%s)", errno, strerror(errno)); 910 close(sd); 911 return -1; 912 } 913 914 #if 0 /* not needed, because we don't receive using multicast_sd */ 915 { 916 struct ip_mreq mreq; 917 mreq.imr_multiaddr.s_addr = inet_addr(UPNP_MULTICAST_ADDRESS); 918 mreq.imr_interface.s_addr = ip_addr; 919 wpa_printf(MSG_DEBUG, "WPS UPnP: Multicast addr 0x%x if addr " 920 "0x%x", 921 mreq.imr_multiaddr.s_addr, 922 mreq.imr_interface.s_addr); 923 if (setsockopt(sd, IPPROTO_IP, IP_ADD_MEMBERSHIP, &mreq, 924 sizeof(mreq))) { 925 wpa_printf(MSG_ERROR, 926 "WPS UPnP: setsockopt " 927 "IP_ADD_MEMBERSHIP errno %d (%s)", 928 errno, strerror(errno)); 929 close(sd); 930 return -1; 931 } 932 } 933 #endif /* not needed */ 934 935 /* 936 * TODO: What about IP_MULTICAST_LOOP? It seems to be on by default? 937 * which aids debugging I suppose but isn't really necessary? 938 */ 939 940 return sd; 941 } 942 943 944 /** 945 * ssdp_open_multicast - Open socket for sending multicast SSDP messages 946 * @sm: WPS UPnP state machine from upnp_wps_device_init() 947 * Returns: 0 on success, -1 on failure 948 */ 949 int ssdp_open_multicast(struct upnp_wps_device_sm *sm) 950 { 951 sm->multicast_sd = ssdp_open_multicast_sock(sm->ip_addr, NULL); 952 if (sm->multicast_sd < 0) 953 return -1; 954 return 0; 955 } 956