xref: /freebsd/contrib/wpa/src/wps/wps_upnp_web.c (revision f37852c17391fdf0e8309bcf684384dd0d854e43)
1 /*
2  * UPnP WPS Device - Web connections
3  * Copyright (c) 2000-2003 Intel Corporation
4  * Copyright (c) 2006-2007 Sony Corporation
5  * Copyright (c) 2008-2009 Atheros Communications
6  * Copyright (c) 2009, Jouni Malinen <j@w1.fi>
7  *
8  * See wps_upnp.c for more details on licensing and code history.
9  */
10 
11 #include "includes.h"
12 
13 #include "common.h"
14 #include "base64.h"
15 #include "uuid.h"
16 #include "httpread.h"
17 #include "http_server.h"
18 #include "wps_i.h"
19 #include "wps_upnp.h"
20 #include "wps_upnp_i.h"
21 #include "upnp_xml.h"
22 
23 /***************************************************************************
24  * Web connections (we serve pages of info about ourselves, handle
25  * requests, etc. etc.).
26  **************************************************************************/
27 
28 #define WEB_CONNECTION_TIMEOUT_SEC 30   /* Drop web connection after t.o. */
29 #define WEB_CONNECTION_MAX_READ 8000    /* Max we'll read for TCP request */
30 #define MAX_WEB_CONNECTIONS 10          /* max simultaneous web connects */
31 
32 
33 static const char *urn_wfawlanconfig =
34 	"urn:schemas-wifialliance-org:service:WFAWLANConfig:1";
35 static const char *http_server_hdr =
36 	"Server: unspecified, UPnP/1.0, unspecified\r\n";
37 static const char *http_connection_close =
38 	"Connection: close\r\n";
39 
40 /*
41  * "Files" that we serve via HTTP. The format of these files is given by
42  * WFA WPS specifications. Extra white space has been removed to save space.
43  */
44 
45 static const char wps_scpd_xml[] =
46 "<?xml version=\"1.0\"?>\n"
47 "<scpd xmlns=\"urn:schemas-upnp-org:service-1-0\">\n"
48 "<specVersion><major>1</major><minor>0</minor></specVersion>\n"
49 "<actionList>\n"
50 "<action>\n"
51 "<name>GetDeviceInfo</name>\n"
52 "<argumentList>\n"
53 "<argument>\n"
54 "<name>NewDeviceInfo</name>\n"
55 "<direction>out</direction>\n"
56 "<relatedStateVariable>DeviceInfo</relatedStateVariable>\n"
57 "</argument>\n"
58 "</argumentList>\n"
59 "</action>\n"
60 "<action>\n"
61 "<name>PutMessage</name>\n"
62 "<argumentList>\n"
63 "<argument>\n"
64 "<name>NewInMessage</name>\n"
65 "<direction>in</direction>\n"
66 "<relatedStateVariable>InMessage</relatedStateVariable>\n"
67 "</argument>\n"
68 "<argument>\n"
69 "<name>NewOutMessage</name>\n"
70 "<direction>out</direction>\n"
71 "<relatedStateVariable>OutMessage</relatedStateVariable>\n"
72 "</argument>\n"
73 "</argumentList>\n"
74 "</action>\n"
75 "<action>\n"
76 "<name>PutWLANResponse</name>\n"
77 "<argumentList>\n"
78 "<argument>\n"
79 "<name>NewMessage</name>\n"
80 "<direction>in</direction>\n"
81 "<relatedStateVariable>Message</relatedStateVariable>\n"
82 "</argument>\n"
83 "<argument>\n"
84 "<name>NewWLANEventType</name>\n"
85 "<direction>in</direction>\n"
86 "<relatedStateVariable>WLANEventType</relatedStateVariable>\n"
87 "</argument>\n"
88 "<argument>\n"
89 "<name>NewWLANEventMAC</name>\n"
90 "<direction>in</direction>\n"
91 "<relatedStateVariable>WLANEventMAC</relatedStateVariable>\n"
92 "</argument>\n"
93 "</argumentList>\n"
94 "</action>\n"
95 "<action>\n"
96 "<name>SetSelectedRegistrar</name>\n"
97 "<argumentList>\n"
98 "<argument>\n"
99 "<name>NewMessage</name>\n"
100 "<direction>in</direction>\n"
101 "<relatedStateVariable>Message</relatedStateVariable>\n"
102 "</argument>\n"
103 "</argumentList>\n"
104 "</action>\n"
105 "</actionList>\n"
106 "<serviceStateTable>\n"
107 "<stateVariable sendEvents=\"no\">\n"
108 "<name>Message</name>\n"
109 "<dataType>bin.base64</dataType>\n"
110 "</stateVariable>\n"
111 "<stateVariable sendEvents=\"no\">\n"
112 "<name>InMessage</name>\n"
113 "<dataType>bin.base64</dataType>\n"
114 "</stateVariable>\n"
115 "<stateVariable sendEvents=\"no\">\n"
116 "<name>OutMessage</name>\n"
117 "<dataType>bin.base64</dataType>\n"
118 "</stateVariable>\n"
119 "<stateVariable sendEvents=\"no\">\n"
120 "<name>DeviceInfo</name>\n"
121 "<dataType>bin.base64</dataType>\n"
122 "</stateVariable>\n"
123 "<stateVariable sendEvents=\"yes\">\n"
124 "<name>APStatus</name>\n"
125 "<dataType>ui1</dataType>\n"
126 "</stateVariable>\n"
127 "<stateVariable sendEvents=\"yes\">\n"
128 "<name>STAStatus</name>\n"
129 "<dataType>ui1</dataType>\n"
130 "</stateVariable>\n"
131 "<stateVariable sendEvents=\"yes\">\n"
132 "<name>WLANEvent</name>\n"
133 "<dataType>bin.base64</dataType>\n"
134 "</stateVariable>\n"
135 "<stateVariable sendEvents=\"no\">\n"
136 "<name>WLANEventType</name>\n"
137 "<dataType>ui1</dataType>\n"
138 "</stateVariable>\n"
139 "<stateVariable sendEvents=\"no\">\n"
140 "<name>WLANEventMAC</name>\n"
141 "<dataType>string</dataType>\n"
142 "</stateVariable>\n"
143 "<stateVariable sendEvents=\"no\">\n"
144 "<name>WLANResponse</name>\n"
145 "<dataType>bin.base64</dataType>\n"
146 "</stateVariable>\n"
147 "</serviceStateTable>\n"
148 "</scpd>\n"
149 ;
150 
151 
152 static const char *wps_device_xml_prefix =
153 	"<?xml version=\"1.0\"?>\n"
154 	"<root xmlns=\"urn:schemas-upnp-org:device-1-0\">\n"
155 	"<specVersion>\n"
156 	"<major>1</major>\n"
157 	"<minor>0</minor>\n"
158 	"</specVersion>\n"
159 	"<device>\n"
160 	"<deviceType>urn:schemas-wifialliance-org:device:WFADevice:1"
161 	"</deviceType>\n";
162 
163 static const char *wps_device_xml_postfix =
164 	"<serviceList>\n"
165 	"<service>\n"
166 	"<serviceType>urn:schemas-wifialliance-org:service:WFAWLANConfig:1"
167 	"</serviceType>\n"
168 	"<serviceId>urn:wifialliance-org:serviceId:WFAWLANConfig1</serviceId>"
169 	"\n"
170 	"<SCPDURL>" UPNP_WPS_SCPD_XML_FILE "</SCPDURL>\n"
171 	"<controlURL>" UPNP_WPS_DEVICE_CONTROL_FILE "</controlURL>\n"
172 	"<eventSubURL>" UPNP_WPS_DEVICE_EVENT_FILE "</eventSubURL>\n"
173 	"</service>\n"
174 	"</serviceList>\n"
175 	"</device>\n"
176 	"</root>\n";
177 
178 
179 /* format_wps_device_xml -- produce content of "file" wps_device.xml
180  * (UPNP_WPS_DEVICE_XML_FILE)
181  */
182 static void format_wps_device_xml(struct upnp_wps_device_interface *iface,
183 				  struct upnp_wps_device_sm *sm,
184 				  struct wpabuf *buf)
185 {
186 	const char *s;
187 	char uuid_string[80];
188 
189 	wpabuf_put_str(buf, wps_device_xml_prefix);
190 
191 	/*
192 	 * Add required fields with default values if not configured. Add
193 	 * optional and recommended fields only if configured.
194 	 */
195 	s = iface->wps->friendly_name;
196 	s = ((s && *s) ? s : "WPS Access Point");
197 	xml_add_tagged_data(buf, "friendlyName", s);
198 
199 	s = iface->wps->dev.manufacturer;
200 	s = ((s && *s) ? s : "");
201 	xml_add_tagged_data(buf, "manufacturer", s);
202 
203 	if (iface->wps->manufacturer_url)
204 		xml_add_tagged_data(buf, "manufacturerURL",
205 				    iface->wps->manufacturer_url);
206 
207 	if (iface->wps->model_description)
208 		xml_add_tagged_data(buf, "modelDescription",
209 				    iface->wps->model_description);
210 
211 	s = iface->wps->dev.model_name;
212 	s = ((s && *s) ? s : "");
213 	xml_add_tagged_data(buf, "modelName", s);
214 
215 	if (iface->wps->dev.model_number)
216 		xml_add_tagged_data(buf, "modelNumber",
217 				    iface->wps->dev.model_number);
218 
219 	if (iface->wps->model_url)
220 		xml_add_tagged_data(buf, "modelURL", iface->wps->model_url);
221 
222 	if (iface->wps->dev.serial_number)
223 		xml_add_tagged_data(buf, "serialNumber",
224 				    iface->wps->dev.serial_number);
225 
226 	uuid_bin2str(iface->wps->uuid, uuid_string, sizeof(uuid_string));
227 	s = uuid_string;
228 	/* Need "uuid:" prefix, thus we can't use xml_add_tagged_data()
229 	 * easily...
230 	 */
231 	wpabuf_put_str(buf, "<UDN>uuid:");
232 	xml_data_encode(buf, s, os_strlen(s));
233 	wpabuf_put_str(buf, "</UDN>\n");
234 
235 	if (iface->wps->upc)
236 		xml_add_tagged_data(buf, "UPC", iface->wps->upc);
237 
238 	wpabuf_put_str(buf, wps_device_xml_postfix);
239 }
240 
241 
242 static void http_put_reply_code(struct wpabuf *buf, enum http_reply_code code)
243 {
244 	wpabuf_put_str(buf, "HTTP/1.1 ");
245 	switch (code) {
246 	case HTTP_OK:
247 		wpabuf_put_str(buf, "200 OK\r\n");
248 		break;
249 	case HTTP_BAD_REQUEST:
250 		wpabuf_put_str(buf, "400 Bad request\r\n");
251 		break;
252 	case HTTP_PRECONDITION_FAILED:
253 		wpabuf_put_str(buf, "412 Precondition failed\r\n");
254 		break;
255 	case HTTP_UNIMPLEMENTED:
256 		wpabuf_put_str(buf, "501 Unimplemented\r\n");
257 		break;
258 	case HTTP_INTERNAL_SERVER_ERROR:
259 	default:
260 		wpabuf_put_str(buf, "500 Internal server error\r\n");
261 		break;
262 	}
263 }
264 
265 
266 static void http_put_date(struct wpabuf *buf)
267 {
268 	wpabuf_put_str(buf, "Date: ");
269 	format_date(buf);
270 	wpabuf_put_str(buf, "\r\n");
271 }
272 
273 
274 static void http_put_empty(struct wpabuf *buf, enum http_reply_code code)
275 {
276 	http_put_reply_code(buf, code);
277 	wpabuf_put_str(buf, http_server_hdr);
278 	wpabuf_put_str(buf, http_connection_close);
279 	wpabuf_put_str(buf, "Content-Length: 0\r\n"
280 		       "\r\n");
281 }
282 
283 
284 /* Given that we have received a header w/ GET, act upon it
285  *
286  * Format of GET (case-insensitive):
287  *
288  * First line must be:
289  *      GET /<file> HTTP/1.1
290  * Since we don't do anything fancy we just ignore other lines.
291  *
292  * Our response (if no error) which includes only required lines is:
293  * HTTP/1.1 200 OK
294  * Connection: close
295  * Content-Type: text/xml
296  * Date: <rfc1123-date>
297  *
298  * Header lines must end with \r\n
299  * Per RFC 2616, content-length: is not required but connection:close
300  * would appear to be required (given that we will be closing it!).
301  */
302 static void web_connection_parse_get(struct upnp_wps_device_sm *sm,
303 				     struct http_request *hreq, char *filename)
304 {
305 	struct wpabuf *buf; /* output buffer, allocated */
306 	char *put_length_here;
307 	char *body_start;
308 	enum {
309 		GET_DEVICE_XML_FILE,
310 		GET_SCPD_XML_FILE
311 	} req;
312 	size_t extra_len = 0;
313 	int body_length;
314 	char len_buf[10];
315 	struct upnp_wps_device_interface *iface;
316 
317 	iface = dl_list_first(&sm->interfaces,
318 			      struct upnp_wps_device_interface, list);
319 	if (iface == NULL) {
320 		http_request_deinit(hreq);
321 		return;
322 	}
323 
324 	/*
325 	 * It is not required that filenames be case insensitive but it is
326 	 * allowed and cannot hurt here.
327 	 */
328 	if (os_strcasecmp(filename, UPNP_WPS_DEVICE_XML_FILE) == 0) {
329 		wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET for device XML");
330 		req = GET_DEVICE_XML_FILE;
331 		extra_len = 3000;
332 		if (iface->wps->friendly_name)
333 			extra_len += os_strlen(iface->wps->friendly_name);
334 		if (iface->wps->manufacturer_url)
335 			extra_len += os_strlen(iface->wps->manufacturer_url);
336 		if (iface->wps->model_description)
337 			extra_len += os_strlen(iface->wps->model_description);
338 		if (iface->wps->model_url)
339 			extra_len += os_strlen(iface->wps->model_url);
340 		if (iface->wps->upc)
341 			extra_len += os_strlen(iface->wps->upc);
342 	} else if (!os_strcasecmp(filename, UPNP_WPS_SCPD_XML_FILE)) {
343 		wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET for SCPD XML");
344 		req = GET_SCPD_XML_FILE;
345 		extra_len = os_strlen(wps_scpd_xml);
346 	} else {
347 		/* File not found */
348 		wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET file not found: %s",
349 			   filename);
350 		buf = wpabuf_alloc(200);
351 		if (buf == NULL) {
352 			http_request_deinit(hreq);
353 			return;
354 		}
355 		wpabuf_put_str(buf,
356 			       "HTTP/1.1 404 Not Found\r\n"
357 			       "Connection: close\r\n");
358 
359 		http_put_date(buf);
360 
361 		/* terminating empty line */
362 		wpabuf_put_str(buf, "\r\n");
363 
364 		goto send_buf;
365 	}
366 
367 	buf = wpabuf_alloc(1000 + extra_len);
368 	if (buf == NULL) {
369 		http_request_deinit(hreq);
370 		return;
371 	}
372 
373 	wpabuf_put_str(buf,
374 		       "HTTP/1.1 200 OK\r\n"
375 		       "Content-Type: text/xml; charset=\"utf-8\"\r\n");
376 	wpabuf_put_str(buf, "Server: Unspecified, UPnP/1.0, Unspecified\r\n");
377 	wpabuf_put_str(buf, "Connection: close\r\n");
378 	wpabuf_put_str(buf, "Content-Length: ");
379 	/*
380 	 * We will paste the length in later, leaving some extra whitespace.
381 	 * HTTP code is supposed to be tolerant of extra whitespace.
382 	 */
383 	put_length_here = wpabuf_put(buf, 0);
384 	wpabuf_put_str(buf, "        \r\n");
385 
386 	http_put_date(buf);
387 
388 	/* terminating empty line */
389 	wpabuf_put_str(buf, "\r\n");
390 
391 	body_start = wpabuf_put(buf, 0);
392 
393 	switch (req) {
394 	case GET_DEVICE_XML_FILE:
395 		format_wps_device_xml(iface, sm, buf);
396 		break;
397 	case GET_SCPD_XML_FILE:
398 		wpabuf_put_str(buf, wps_scpd_xml);
399 		break;
400 	}
401 
402 	/* Now patch in the content length at the end */
403 	body_length = (char *) wpabuf_put(buf, 0) - body_start;
404 	os_snprintf(len_buf, 10, "%d", body_length);
405 	os_memcpy(put_length_here, len_buf, os_strlen(len_buf));
406 
407 send_buf:
408 	http_request_send_and_deinit(hreq, buf);
409 }
410 
411 
412 static enum http_reply_code
413 web_process_get_device_info(struct upnp_wps_device_sm *sm,
414 			    struct wpabuf **reply, const char **replyname)
415 {
416 	static const char *name = "NewDeviceInfo";
417 	struct wps_config cfg;
418 	struct upnp_wps_device_interface *iface;
419 	struct upnp_wps_peer *peer;
420 
421 	iface = dl_list_first(&sm->interfaces,
422 			      struct upnp_wps_device_interface, list);
423 
424 	wpa_printf(MSG_DEBUG, "WPS UPnP: GetDeviceInfo");
425 
426 	if (!iface || iface->ctx->ap_pin == NULL)
427 		return HTTP_INTERNAL_SERVER_ERROR;
428 
429 	peer = &iface->peer;
430 
431 	/*
432 	 * Request for DeviceInfo, i.e., M1 TLVs. This is a start of WPS
433 	 * registration over UPnP with the AP acting as an Enrollee. It should
434 	 * be noted that this is frequently used just to get the device data,
435 	 * i.e., there may not be any intent to actually complete the
436 	 * registration.
437 	 */
438 
439 	if (peer->wps)
440 		wps_deinit(peer->wps);
441 
442 	os_memset(&cfg, 0, sizeof(cfg));
443 	cfg.wps = iface->wps;
444 	cfg.pin = (u8 *) iface->ctx->ap_pin;
445 	cfg.pin_len = os_strlen(iface->ctx->ap_pin);
446 	peer->wps = wps_init(&cfg);
447 	if (peer->wps) {
448 		enum wsc_op_code op_code;
449 		*reply = wps_get_msg(peer->wps, &op_code);
450 		if (*reply == NULL) {
451 			wps_deinit(peer->wps);
452 			peer->wps = NULL;
453 		}
454 	} else
455 		*reply = NULL;
456 	if (*reply == NULL) {
457 		wpa_printf(MSG_INFO, "WPS UPnP: Failed to get DeviceInfo");
458 		return HTTP_INTERNAL_SERVER_ERROR;
459 	}
460 	*replyname = name;
461 	return HTTP_OK;
462 }
463 
464 
465 static enum http_reply_code
466 web_process_put_message(struct upnp_wps_device_sm *sm, char *data,
467 			struct wpabuf **reply, const char **replyname)
468 {
469 	struct wpabuf *msg;
470 	static const char *name = "NewOutMessage";
471 	enum http_reply_code ret;
472 	enum wps_process_res res;
473 	enum wsc_op_code op_code;
474 	struct upnp_wps_device_interface *iface;
475 
476 	iface = dl_list_first(&sm->interfaces,
477 			      struct upnp_wps_device_interface, list);
478 	if (!iface)
479 		return HTTP_INTERNAL_SERVER_ERROR;
480 
481 	/*
482 	 * PutMessage is used by external UPnP-based Registrar to perform WPS
483 	 * operation with the access point itself; as compared with
484 	 * PutWLANResponse which is for proxying.
485 	 */
486 	wpa_printf(MSG_DEBUG, "WPS UPnP: PutMessage");
487 	msg = xml_get_base64_item(data, "NewInMessage", &ret);
488 	if (msg == NULL)
489 		return ret;
490 	res = wps_process_msg(iface->peer.wps, WSC_UPnP, msg);
491 	if (res == WPS_FAILURE)
492 		*reply = NULL;
493 	else
494 		*reply = wps_get_msg(iface->peer.wps, &op_code);
495 	wpabuf_free(msg);
496 	if (*reply == NULL)
497 		return HTTP_INTERNAL_SERVER_ERROR;
498 	*replyname = name;
499 	return HTTP_OK;
500 }
501 
502 
503 static enum http_reply_code
504 web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data,
505 			      struct wpabuf **reply, const char **replyname)
506 {
507 	struct wpabuf *msg;
508 	enum http_reply_code ret;
509 	u8 macaddr[ETH_ALEN];
510 	int ev_type;
511 	int type;
512 	char *val;
513 	struct upnp_wps_device_interface *iface;
514 	int ok = 0;
515 
516 	/*
517 	 * External UPnP-based Registrar is passing us a message to be proxied
518 	 * over to a Wi-Fi -based client of ours.
519 	 */
520 
521 	wpa_printf(MSG_DEBUG, "WPS UPnP: PutWLANResponse");
522 	msg = xml_get_base64_item(data, "NewMessage", &ret);
523 	if (msg == NULL) {
524 		wpa_printf(MSG_DEBUG, "WPS UPnP: Could not extract NewMessage "
525 			   "from PutWLANResponse");
526 		return ret;
527 	}
528 	val = xml_get_first_item(data, "NewWLANEventType");
529 	if (val == NULL) {
530 		wpa_printf(MSG_DEBUG, "WPS UPnP: No NewWLANEventType in "
531 			   "PutWLANResponse");
532 		wpabuf_free(msg);
533 		return UPNP_ARG_VALUE_INVALID;
534 	}
535 	ev_type = atol(val);
536 	os_free(val);
537 	val = xml_get_first_item(data, "NewWLANEventMAC");
538 	if (val == NULL) {
539 		wpa_printf(MSG_DEBUG, "WPS UPnP: No NewWLANEventMAC in "
540 			   "PutWLANResponse");
541 		wpabuf_free(msg);
542 		return UPNP_ARG_VALUE_INVALID;
543 	}
544 	if (hwaddr_aton(val, macaddr)) {
545 		wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid NewWLANEventMAC in "
546 			   "PutWLANResponse: '%s'", val);
547 #ifdef CONFIG_WPS_STRICT
548 		{
549 			struct wps_parse_attr attr;
550 			if (wps_parse_msg(msg, &attr) < 0 || attr.version2) {
551 				wpabuf_free(msg);
552 				os_free(val);
553 				return UPNP_ARG_VALUE_INVALID;
554 			}
555 		}
556 #endif /* CONFIG_WPS_STRICT */
557 		if (hwaddr_aton2(val, macaddr) > 0) {
558 			/*
559 			 * At least some versions of Intel PROset seem to be
560 			 * using dot-deliminated MAC address format here.
561 			 */
562 			wpa_printf(MSG_DEBUG, "WPS UPnP: Workaround - allow "
563 				   "incorrect MAC address format in "
564 				   "NewWLANEventMAC: %s -> " MACSTR,
565 				   val, MAC2STR(macaddr));
566 		} else {
567 			wpabuf_free(msg);
568 			os_free(val);
569 			return UPNP_ARG_VALUE_INVALID;
570 		}
571 	}
572 	os_free(val);
573 	if (ev_type == UPNP_WPS_WLANEVENT_TYPE_EAP) {
574 		struct wps_parse_attr attr;
575 		if (wps_parse_msg(msg, &attr) < 0 ||
576 		    attr.msg_type == NULL)
577 			type = -1;
578 		else
579 			type = *attr.msg_type;
580 		wpa_printf(MSG_DEBUG, "WPS UPnP: Message Type %d", type);
581 	} else
582 		type = -1;
583 	dl_list_for_each(iface, &sm->interfaces,
584 			 struct upnp_wps_device_interface, list) {
585 		if (iface->ctx->rx_req_put_wlan_response &&
586 		    iface->ctx->rx_req_put_wlan_response(iface->priv, ev_type,
587 							 macaddr, msg, type)
588 		    == 0)
589 			ok = 1;
590 	}
591 
592 	if (!ok) {
593 		wpa_printf(MSG_INFO, "WPS UPnP: Fail: sm->ctx->"
594 			   "rx_req_put_wlan_response");
595 		wpabuf_free(msg);
596 		return HTTP_INTERNAL_SERVER_ERROR;
597 	}
598 	wpabuf_free(msg);
599 	*replyname = NULL;
600 	*reply = NULL;
601 	return HTTP_OK;
602 }
603 
604 
605 static int find_er_addr(struct subscription *s, struct sockaddr_in *cli)
606 {
607 	struct subscr_addr *a;
608 
609 	dl_list_for_each(a, &s->addr_list, struct subscr_addr, list) {
610 		if (cli->sin_addr.s_addr == a->saddr.sin_addr.s_addr)
611 			return 1;
612 	}
613 	return 0;
614 }
615 
616 
617 static struct subscription * find_er(struct upnp_wps_device_sm *sm,
618 				     struct sockaddr_in *cli)
619 {
620 	struct subscription *s;
621 	dl_list_for_each(s, &sm->subscriptions, struct subscription, list)
622 		if (find_er_addr(s, cli))
623 			return s;
624 	return NULL;
625 }
626 
627 
628 static enum http_reply_code
629 web_process_set_selected_registrar(struct upnp_wps_device_sm *sm,
630 				   struct sockaddr_in *cli, char *data,
631 				   struct wpabuf **reply,
632 				   const char **replyname)
633 {
634 	struct wpabuf *msg;
635 	enum http_reply_code ret;
636 	struct subscription *s;
637 	struct upnp_wps_device_interface *iface;
638 	int err = 0;
639 
640 	wpa_printf(MSG_DEBUG, "WPS UPnP: SetSelectedRegistrar");
641 	s = find_er(sm, cli);
642 	if (s == NULL) {
643 		wpa_printf(MSG_DEBUG, "WPS UPnP: Ignore SetSelectedRegistrar "
644 			   "from unknown ER");
645 		return UPNP_ACTION_FAILED;
646 	}
647 	msg = xml_get_base64_item(data, "NewMessage", &ret);
648 	if (msg == NULL)
649 		return ret;
650 	dl_list_for_each(iface, &sm->interfaces,
651 			 struct upnp_wps_device_interface, list) {
652 		if (upnp_er_set_selected_registrar(iface->wps->registrar, s,
653 						   msg))
654 			err = 1;
655 	}
656 	wpabuf_free(msg);
657 	if (err)
658 		return HTTP_INTERNAL_SERVER_ERROR;
659 	*replyname = NULL;
660 	*reply = NULL;
661 	return HTTP_OK;
662 }
663 
664 
665 static const char *soap_prefix =
666 	"<?xml version=\"1.0\"?>\n"
667 	"<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" "
668 	"s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n"
669 	"<s:Body>\n";
670 static const char *soap_postfix =
671 	"</s:Body>\n</s:Envelope>\n";
672 
673 static const char *soap_error_prefix =
674 	"<s:Fault>\n"
675 	"<faultcode>s:Client</faultcode>\n"
676 	"<faultstring>UPnPError</faultstring>\n"
677 	"<detail>\n"
678 	"<UPnPError xmlns=\"urn:schemas-upnp-org:control-1-0\">\n";
679 static const char *soap_error_postfix =
680 	"<errorDescription>Error</errorDescription>\n"
681 	"</UPnPError>\n"
682 	"</detail>\n"
683 	"</s:Fault>\n";
684 
685 static void web_connection_send_reply(struct http_request *req,
686 				      enum http_reply_code ret,
687 				      const char *action, int action_len,
688 				      const struct wpabuf *reply,
689 				      const char *replyname)
690 {
691 	struct wpabuf *buf;
692 	char *replydata;
693 	char *put_length_here = NULL;
694 	char *body_start = NULL;
695 
696 	if (reply) {
697 		size_t len;
698 		replydata = (char *) base64_encode(wpabuf_head(reply),
699 						   wpabuf_len(reply), &len);
700 	} else
701 		replydata = NULL;
702 
703 	/* Parameters of the response:
704 	 *      action(action_len) -- action we are responding to
705 	 *      replyname -- a name we need for the reply
706 	 *      replydata -- NULL or null-terminated string
707 	 */
708 	buf = wpabuf_alloc(1000 + (replydata ? os_strlen(replydata) : 0U) +
709 			   (action_len > 0 ? action_len * 2 : 0));
710 	if (buf == NULL) {
711 		wpa_printf(MSG_INFO, "WPS UPnP: Cannot allocate reply to "
712 			   "POST");
713 		os_free(replydata);
714 		http_request_deinit(req);
715 		return;
716 	}
717 
718 	/*
719 	 * Assuming we will be successful, put in the output header first.
720 	 * Note: we do not keep connections alive (and httpread does
721 	 * not support it)... therefore we must have Connection: close.
722 	 */
723 	if (ret == HTTP_OK) {
724 		wpabuf_put_str(buf,
725 			       "HTTP/1.1 200 OK\r\n"
726 			       "Content-Type: text/xml; "
727 			       "charset=\"utf-8\"\r\n");
728 	} else {
729 		wpabuf_printf(buf, "HTTP/1.1 %d Error\r\n", ret);
730 	}
731 	wpabuf_put_str(buf, http_connection_close);
732 
733 	wpabuf_put_str(buf, "Content-Length: ");
734 	/*
735 	 * We will paste the length in later, leaving some extra whitespace.
736 	 * HTTP code is supposed to be tolerant of extra whitespace.
737 	 */
738 	put_length_here = wpabuf_put(buf, 0);
739 	wpabuf_put_str(buf, "        \r\n");
740 
741 	http_put_date(buf);
742 
743 	/* terminating empty line */
744 	wpabuf_put_str(buf, "\r\n");
745 
746 	body_start = wpabuf_put(buf, 0);
747 
748 	if (ret == HTTP_OK) {
749 		wpabuf_put_str(buf, soap_prefix);
750 		wpabuf_put_str(buf, "<u:");
751 		wpabuf_put_data(buf, action, action_len);
752 		wpabuf_put_str(buf, "Response xmlns:u=\"");
753 		wpabuf_put_str(buf, urn_wfawlanconfig);
754 		wpabuf_put_str(buf, "\">\n");
755 		if (replydata && replyname) {
756 			/* TODO: might possibly need to escape part of reply
757 			 * data? ...
758 			 * probably not, unlikely to have ampersand(&) or left
759 			 * angle bracket (<) in it...
760 			 */
761 			wpabuf_printf(buf, "<%s>", replyname);
762 			wpabuf_put_str(buf, replydata);
763 			wpabuf_printf(buf, "</%s>\n", replyname);
764 		}
765 		wpabuf_put_str(buf, "</u:");
766 		wpabuf_put_data(buf, action, action_len);
767 		wpabuf_put_str(buf, "Response>\n");
768 		wpabuf_put_str(buf, soap_postfix);
769 	} else {
770 		/* Error case */
771 		wpabuf_put_str(buf, soap_prefix);
772 		wpabuf_put_str(buf, soap_error_prefix);
773 		wpabuf_printf(buf, "<errorCode>%d</errorCode>\n", ret);
774 		wpabuf_put_str(buf, soap_error_postfix);
775 		wpabuf_put_str(buf, soap_postfix);
776 	}
777 	os_free(replydata);
778 
779 	/* Now patch in the content length at the end */
780 	if (body_start && put_length_here) {
781 		int body_length = (char *) wpabuf_put(buf, 0) - body_start;
782 		char len_buf[10];
783 		os_snprintf(len_buf, sizeof(len_buf), "%d", body_length);
784 		os_memcpy(put_length_here, len_buf, os_strlen(len_buf));
785 	}
786 
787 	http_request_send_and_deinit(req, buf);
788 }
789 
790 
791 static const char * web_get_action(struct http_request *req,
792 				   size_t *action_len)
793 {
794 	const char *match;
795 	int match_len;
796 	char *b;
797 	char *action;
798 
799 	*action_len = 0;
800 	/* The SOAPAction line of the header tells us what we want to do */
801 	b = http_request_get_hdr_line(req, "SOAPAction:");
802 	if (b == NULL)
803 		return NULL;
804 	if (*b == '"')
805 		b++;
806 	else
807 		return NULL;
808 	match = urn_wfawlanconfig;
809 	match_len = os_strlen(urn_wfawlanconfig) - 1;
810 	if (os_strncasecmp(b, match, match_len))
811 		return NULL;
812 	b += match_len;
813 	/* skip over version */
814 	while (isgraph(*b) && *b != '#')
815 		b++;
816 	if (*b != '#')
817 		return NULL;
818 	b++;
819 	/* Following the sharp(#) should be the action and a double quote */
820 	action = b;
821 	while (isgraph(*b) && *b != '"')
822 		b++;
823 	if (*b != '"')
824 		return NULL;
825 	*action_len = b - action;
826 	return action;
827 }
828 
829 
830 /* Given that we have received a header w/ POST, act upon it
831  *
832  * Format of POST (case-insensitive):
833  *
834  * First line must be:
835  *      POST /<file> HTTP/1.1
836  * Since we don't do anything fancy we just ignore other lines.
837  *
838  * Our response (if no error) which includes only required lines is:
839  * HTTP/1.1 200 OK
840  * Connection: close
841  * Content-Type: text/xml
842  * Date: <rfc1123-date>
843  *
844  * Header lines must end with \r\n
845  * Per RFC 2616, content-length: is not required but connection:close
846  * would appear to be required (given that we will be closing it!).
847  */
848 static void web_connection_parse_post(struct upnp_wps_device_sm *sm,
849 				      struct sockaddr_in *cli,
850 				      struct http_request *req,
851 				      const char *filename)
852 {
853 	enum http_reply_code ret;
854 	char *data = http_request_get_data(req); /* body of http msg */
855 	const char *action = NULL;
856 	size_t action_len = 0;
857 	const char *replyname = NULL; /* argument name for the reply */
858 	struct wpabuf *reply = NULL; /* data for the reply */
859 
860 	if (os_strcasecmp(filename, UPNP_WPS_DEVICE_CONTROL_FILE)) {
861 		wpa_printf(MSG_INFO, "WPS UPnP: Invalid POST filename %s",
862 			   filename);
863 		ret = HTTP_NOT_FOUND;
864 		goto bad;
865 	}
866 
867 	ret = UPNP_INVALID_ACTION;
868 	action = web_get_action(req, &action_len);
869 	if (action == NULL)
870 		goto bad;
871 
872 	if (!os_strncasecmp("GetDeviceInfo", action, action_len))
873 		ret = web_process_get_device_info(sm, &reply, &replyname);
874 	else if (!os_strncasecmp("PutMessage", action, action_len))
875 		ret = web_process_put_message(sm, data, &reply, &replyname);
876 	else if (!os_strncasecmp("PutWLANResponse", action, action_len))
877 		ret = web_process_put_wlan_response(sm, data, &reply,
878 						    &replyname);
879 	else if (!os_strncasecmp("SetSelectedRegistrar", action, action_len))
880 		ret = web_process_set_selected_registrar(sm, cli, data, &reply,
881 							 &replyname);
882 	else
883 		wpa_printf(MSG_INFO, "WPS UPnP: Unknown POST type");
884 
885 bad:
886 	if (ret != HTTP_OK)
887 		wpa_printf(MSG_INFO, "WPS UPnP: POST failure ret=%d", ret);
888 	web_connection_send_reply(req, ret, action, action_len, reply,
889 				  replyname);
890 	wpabuf_free(reply);
891 }
892 
893 
894 /* Given that we have received a header w/ SUBSCRIBE, act upon it
895  *
896  * Format of SUBSCRIBE (case-insensitive):
897  *
898  * First line must be:
899  *      SUBSCRIBE /wps_event HTTP/1.1
900  *
901  * Our response (if no error) which includes only required lines is:
902  * HTTP/1.1 200 OK
903  * Server: xx, UPnP/1.0, xx
904  * SID: uuid:xxxxxxxxx
905  * Timeout: Second-<n>
906  * Content-Length: 0
907  * Date: xxxx
908  *
909  * Header lines must end with \r\n
910  * Per RFC 2616, content-length: is not required but connection:close
911  * would appear to be required (given that we will be closing it!).
912  */
913 static void web_connection_parse_subscribe(struct upnp_wps_device_sm *sm,
914 					   struct http_request *req,
915 					   const char *filename)
916 {
917 	struct wpabuf *buf;
918 	char *b;
919 	char *hdr = http_request_get_hdr(req);
920 	char *h;
921 	char *match;
922 	int match_len;
923 	char *end;
924 	int len;
925 	int got_nt = 0;
926 	u8 uuid[UUID_LEN];
927 	int got_uuid = 0;
928 	char *callback_urls = NULL;
929 	struct subscription *s = NULL;
930 	enum http_reply_code ret = HTTP_INTERNAL_SERVER_ERROR;
931 
932 	buf = wpabuf_alloc(1000);
933 	if (buf == NULL) {
934 		http_request_deinit(req);
935 		return;
936 	}
937 
938 	wpa_hexdump_ascii(MSG_DEBUG, "WPS UPnP: HTTP SUBSCRIBE",
939 			  (u8 *) hdr, os_strlen(hdr));
940 
941 	/* Parse/validate headers */
942 	h = hdr;
943 	/* First line: SUBSCRIBE /wps_event HTTP/1.1
944 	 * has already been parsed.
945 	 */
946 	if (os_strcasecmp(filename, UPNP_WPS_DEVICE_EVENT_FILE) != 0) {
947 		ret = HTTP_PRECONDITION_FAILED;
948 		goto error;
949 	}
950 	wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP SUBSCRIBE for event");
951 	end = os_strchr(h, '\n');
952 
953 	while (end) {
954 		/* Option line by option line */
955 		h = end + 1;
956 		end = os_strchr(h, '\n');
957 		if (end == NULL)
958 			break; /* no unterminated lines allowed */
959 
960 		/* NT assures that it is our type of subscription;
961 		 * not used for a renewal.
962 		 **/
963 		match = "NT:";
964 		match_len = os_strlen(match);
965 		if (os_strncasecmp(h, match, match_len) == 0) {
966 			h += match_len;
967 			while (*h == ' ' || *h == '\t')
968 				h++;
969 			match = "upnp:event";
970 			match_len = os_strlen(match);
971 			if (os_strncasecmp(h, match, match_len) != 0) {
972 				ret = HTTP_BAD_REQUEST;
973 				goto error;
974 			}
975 			got_nt = 1;
976 			continue;
977 		}
978 		/* HOST should refer to us */
979 #if 0
980 		match = "HOST:";
981 		match_len = os_strlen(match);
982 		if (os_strncasecmp(h, match, match_len) == 0) {
983 			h += match_len;
984 			while (*h == ' ' || *h == '\t')
985 				h++;
986 			.....
987 		}
988 #endif
989 		/* CALLBACK gives one or more URLs for NOTIFYs
990 		 * to be sent as a result of the subscription.
991 		 * Each URL is enclosed in angle brackets.
992 		 */
993 		match = "CALLBACK:";
994 		match_len = os_strlen(match);
995 		if (os_strncasecmp(h, match, match_len) == 0) {
996 			h += match_len;
997 			while (*h == ' ' || *h == '\t')
998 				h++;
999 			len = end - h;
1000 			os_free(callback_urls);
1001 			callback_urls = dup_binstr(h, len);
1002 			if (callback_urls == NULL) {
1003 				ret = HTTP_INTERNAL_SERVER_ERROR;
1004 				goto error;
1005 			}
1006 			if (len > 0 && callback_urls[len - 1] == '\r')
1007 				callback_urls[len - 1] = '\0';
1008 			continue;
1009 		}
1010 		/* SID is only for renewal */
1011 		match = "SID:";
1012 		match_len = os_strlen(match);
1013 		if (os_strncasecmp(h, match, match_len) == 0) {
1014 			h += match_len;
1015 			while (*h == ' ' || *h == '\t')
1016 				h++;
1017 			match = "uuid:";
1018 			match_len = os_strlen(match);
1019 			if (os_strncasecmp(h, match, match_len) != 0) {
1020 				ret = HTTP_BAD_REQUEST;
1021 				goto error;
1022 			}
1023 			h += match_len;
1024 			while (*h == ' ' || *h == '\t')
1025 				h++;
1026 			if (uuid_str2bin(h, uuid)) {
1027 				ret = HTTP_BAD_REQUEST;
1028 				goto error;
1029 			}
1030 			got_uuid = 1;
1031 			continue;
1032 		}
1033 		/* TIMEOUT is requested timeout, but apparently we can
1034 		 * just ignore this.
1035 		 */
1036 	}
1037 
1038 	if (got_uuid) {
1039 		/* renewal */
1040 		wpa_printf(MSG_DEBUG, "WPS UPnP: Subscription renewal");
1041 		if (callback_urls) {
1042 			ret = HTTP_BAD_REQUEST;
1043 			goto error;
1044 		}
1045 		s = subscription_renew(sm, uuid);
1046 		if (s == NULL) {
1047 			char str[80];
1048 			uuid_bin2str(uuid, str, sizeof(str));
1049 			wpa_printf(MSG_DEBUG, "WPS UPnP: Could not find "
1050 				   "SID %s", str);
1051 			ret = HTTP_PRECONDITION_FAILED;
1052 			goto error;
1053 		}
1054 	} else if (callback_urls) {
1055 		wpa_printf(MSG_DEBUG, "WPS UPnP: New subscription");
1056 		if (!got_nt) {
1057 			ret = HTTP_PRECONDITION_FAILED;
1058 			goto error;
1059 		}
1060 		s = subscription_start(sm, callback_urls);
1061 		if (s == NULL) {
1062 			ret = HTTP_INTERNAL_SERVER_ERROR;
1063 			goto error;
1064 		}
1065 	} else {
1066 		ret = HTTP_PRECONDITION_FAILED;
1067 		goto error;
1068 	}
1069 
1070 	/* success */
1071 	http_put_reply_code(buf, HTTP_OK);
1072 	wpabuf_put_str(buf, http_server_hdr);
1073 	wpabuf_put_str(buf, http_connection_close);
1074 	wpabuf_put_str(buf, "Content-Length: 0\r\n");
1075 	wpabuf_put_str(buf, "SID: uuid:");
1076 	/* subscription id */
1077 	b = wpabuf_put(buf, 0);
1078 	uuid_bin2str(s->uuid, b, 80);
1079 	wpa_printf(MSG_DEBUG, "WPS UPnP: Assigned SID %s", b);
1080 	wpabuf_put(buf, os_strlen(b));
1081 	wpabuf_put_str(buf, "\r\n");
1082 	wpabuf_printf(buf, "Timeout: Second-%d\r\n", UPNP_SUBSCRIBE_SEC);
1083 	http_put_date(buf);
1084 	/* And empty line to terminate header: */
1085 	wpabuf_put_str(buf, "\r\n");
1086 
1087 	os_free(callback_urls);
1088 	http_request_send_and_deinit(req, buf);
1089 	return;
1090 
1091 error:
1092 	/* Per UPnP spec:
1093 	* Errors
1094 	* Incompatible headers
1095 	*   400 Bad Request. If SID header and one of NT or CALLBACK headers
1096 	*     are present, the publisher must respond with HTTP error
1097 	*     400 Bad Request.
1098 	* Missing or invalid CALLBACK
1099 	*   412 Precondition Failed. If CALLBACK header is missing or does not
1100 	*     contain a valid HTTP URL, the publisher must respond with HTTP
1101 	*     error 412 Precondition Failed.
1102 	* Invalid NT
1103 	*   412 Precondition Failed. If NT header does not equal upnp:event,
1104 	*     the publisher must respond with HTTP error 412 Precondition
1105 	*     Failed.
1106 	* [For resubscription, use 412 if unknown uuid].
1107 	* Unable to accept subscription
1108 	*   5xx. If a publisher is not able to accept a subscription (such as
1109 	*     due to insufficient resources), it must respond with a
1110 	*     HTTP 500-series error code.
1111 	*   599 Too many subscriptions (not a standard HTTP error)
1112 	*/
1113 	wpa_printf(MSG_DEBUG, "WPS UPnP: SUBSCRIBE failed - return %d", ret);
1114 	http_put_empty(buf, ret);
1115 	http_request_send_and_deinit(req, buf);
1116 	os_free(callback_urls);
1117 }
1118 
1119 
1120 /* Given that we have received a header w/ UNSUBSCRIBE, act upon it
1121  *
1122  * Format of UNSUBSCRIBE (case-insensitive):
1123  *
1124  * First line must be:
1125  *      UNSUBSCRIBE /wps_event HTTP/1.1
1126  *
1127  * Our response (if no error) which includes only required lines is:
1128  * HTTP/1.1 200 OK
1129  * Content-Length: 0
1130  *
1131  * Header lines must end with \r\n
1132  * Per RFC 2616, content-length: is not required but connection:close
1133  * would appear to be required (given that we will be closing it!).
1134  */
1135 static void web_connection_parse_unsubscribe(struct upnp_wps_device_sm *sm,
1136 					     struct http_request *req,
1137 					     const char *filename)
1138 {
1139 	struct wpabuf *buf;
1140 	char *hdr = http_request_get_hdr(req);
1141 	char *h;
1142 	char *match;
1143 	int match_len;
1144 	char *end;
1145 	u8 uuid[UUID_LEN];
1146 	int got_uuid = 0;
1147 	struct subscription *s = NULL;
1148 	enum http_reply_code ret = HTTP_INTERNAL_SERVER_ERROR;
1149 
1150 	/* Parse/validate headers */
1151 	h = hdr;
1152 	/* First line: UNSUBSCRIBE /wps_event HTTP/1.1
1153 	 * has already been parsed.
1154 	 */
1155 	if (os_strcasecmp(filename, UPNP_WPS_DEVICE_EVENT_FILE) != 0) {
1156 		ret = HTTP_PRECONDITION_FAILED;
1157 		goto send_msg;
1158 	}
1159 	wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP UNSUBSCRIBE for event");
1160 	end = os_strchr(h, '\n');
1161 
1162 	while (end) {
1163 		/* Option line by option line */
1164 		h = end + 1;
1165 		end = os_strchr(h, '\n');
1166 		if (end == NULL)
1167 			break; /* no unterminated lines allowed */
1168 
1169 		/* HOST should refer to us */
1170 #if 0
1171 		match = "HOST:";
1172 		match_len = os_strlen(match);
1173 		if (os_strncasecmp(h, match, match_len) == 0) {
1174 			h += match_len;
1175 			while (*h == ' ' || *h == '\t')
1176 				h++;
1177 			.....
1178 		}
1179 #endif
1180 		match = "SID:";
1181 		match_len = os_strlen(match);
1182 		if (os_strncasecmp(h, match, match_len) == 0) {
1183 			h += match_len;
1184 			while (*h == ' ' || *h == '\t')
1185 				h++;
1186 			match = "uuid:";
1187 			match_len = os_strlen(match);
1188 			if (os_strncasecmp(h, match, match_len) != 0) {
1189 				ret = HTTP_BAD_REQUEST;
1190 				goto send_msg;
1191 			}
1192 			h += match_len;
1193 			while (*h == ' ' || *h == '\t')
1194 				h++;
1195 			if (uuid_str2bin(h, uuid)) {
1196 				ret = HTTP_BAD_REQUEST;
1197 				goto send_msg;
1198 			}
1199 			got_uuid = 1;
1200 			continue;
1201 		}
1202 
1203 		match = "NT:";
1204 		match_len = os_strlen(match);
1205 		if (os_strncasecmp(h, match, match_len) == 0) {
1206 			ret = HTTP_BAD_REQUEST;
1207 			goto send_msg;
1208 		}
1209 
1210 		match = "CALLBACK:";
1211 		match_len = os_strlen(match);
1212 		if (os_strncasecmp(h, match, match_len) == 0) {
1213 			ret = HTTP_BAD_REQUEST;
1214 			goto send_msg;
1215 		}
1216 	}
1217 
1218 	if (got_uuid) {
1219 		char str[80];
1220 
1221 		uuid_bin2str(uuid, str, sizeof(str));
1222 
1223 		s = subscription_find(sm, uuid);
1224 		if (s) {
1225 			struct subscr_addr *sa;
1226 			sa = dl_list_first(&s->addr_list, struct subscr_addr,
1227 					   list);
1228 			wpa_printf(MSG_DEBUG,
1229 				   "WPS UPnP: Unsubscribing %p (SID %s) %s",
1230 				   s, str, (sa && sa->domain_and_port) ?
1231 				   sa->domain_and_port : "-null-");
1232 			dl_list_del(&s->list);
1233 			subscription_destroy(s);
1234 		} else {
1235 			wpa_printf(MSG_INFO,
1236 				   "WPS UPnP: Could not find matching subscription to unsubscribe (SID %s)",
1237 				   str);
1238 			ret = HTTP_PRECONDITION_FAILED;
1239 			goto send_msg;
1240 		}
1241 	} else {
1242 		wpa_printf(MSG_INFO, "WPS UPnP: Unsubscribe fails (not "
1243 			   "found)");
1244 		ret = HTTP_PRECONDITION_FAILED;
1245 		goto send_msg;
1246 	}
1247 
1248 	ret = HTTP_OK;
1249 
1250 send_msg:
1251 	buf = wpabuf_alloc(200);
1252 	if (buf == NULL) {
1253 		http_request_deinit(req);
1254 		return;
1255 	}
1256 	http_put_empty(buf, ret);
1257 	http_request_send_and_deinit(req, buf);
1258 }
1259 
1260 
1261 /* Send error in response to unknown requests */
1262 static void web_connection_unimplemented(struct http_request *req)
1263 {
1264 	struct wpabuf *buf;
1265 	buf = wpabuf_alloc(200);
1266 	if (buf == NULL) {
1267 		http_request_deinit(req);
1268 		return;
1269 	}
1270 	http_put_empty(buf, HTTP_UNIMPLEMENTED);
1271 	http_request_send_and_deinit(req, buf);
1272 }
1273 
1274 
1275 
1276 /* Called when we have gotten an apparently valid http request.
1277  */
1278 static void web_connection_check_data(void *ctx, struct http_request *req)
1279 {
1280 	struct upnp_wps_device_sm *sm = ctx;
1281 	enum httpread_hdr_type htype = http_request_get_type(req);
1282 	char *filename = http_request_get_uri(req);
1283 	struct sockaddr_in *cli = http_request_get_cli_addr(req);
1284 
1285 	if (!filename) {
1286 		wpa_printf(MSG_INFO, "WPS UPnP: Could not get HTTP URI");
1287 		http_request_deinit(req);
1288 		return;
1289 	}
1290 	/* Trim leading slashes from filename */
1291 	while (*filename == '/')
1292 		filename++;
1293 
1294 	wpa_printf(MSG_DEBUG, "WPS UPnP: Got HTTP request type %d from %s:%d",
1295 		   htype, inet_ntoa(cli->sin_addr), htons(cli->sin_port));
1296 
1297 	switch (htype) {
1298 	case HTTPREAD_HDR_TYPE_GET:
1299 		web_connection_parse_get(sm, req, filename);
1300 		break;
1301 	case HTTPREAD_HDR_TYPE_POST:
1302 		web_connection_parse_post(sm, cli, req, filename);
1303 		break;
1304 	case HTTPREAD_HDR_TYPE_SUBSCRIBE:
1305 		web_connection_parse_subscribe(sm, req, filename);
1306 		break;
1307 	case HTTPREAD_HDR_TYPE_UNSUBSCRIBE:
1308 		web_connection_parse_unsubscribe(sm, req, filename);
1309 		break;
1310 
1311 		/* We are not required to support M-POST; just plain
1312 		 * POST is supposed to work, so we only support that.
1313 		 * If for some reason we need to support M-POST, it is
1314 		 * mostly the same as POST, with small differences.
1315 		 */
1316 	default:
1317 		/* Send 501 for anything else */
1318 		web_connection_unimplemented(req);
1319 		break;
1320 	}
1321 }
1322 
1323 
1324 /*
1325  * Listening for web connections
1326  * We have a single TCP listening port, and hand off connections as we get
1327  * them.
1328  */
1329 
1330 void web_listener_stop(struct upnp_wps_device_sm *sm)
1331 {
1332 	http_server_deinit(sm->web_srv);
1333 	sm->web_srv = NULL;
1334 }
1335 
1336 
1337 int web_listener_start(struct upnp_wps_device_sm *sm)
1338 {
1339 	struct in_addr addr;
1340 	addr.s_addr = sm->ip_addr;
1341 	sm->web_srv = http_server_init(&addr, -1, web_connection_check_data,
1342 				       sm);
1343 	if (sm->web_srv == NULL) {
1344 		web_listener_stop(sm);
1345 		return -1;
1346 	}
1347 	sm->web_port = http_server_get_port(sm->web_srv);
1348 
1349 	return 0;
1350 }
1351