/* * UPnP WPS Device - Web connections * Copyright (c) 2000-2003 Intel Corporation * Copyright (c) 2006-2007 Sony Corporation * Copyright (c) 2008-2009 Atheros Communications * Copyright (c) 2009, Jouni Malinen * * See wps_upnp.c for more details on licensing and code history. */ #include "includes.h" #include #include "common.h" #include "base64.h" #include "eloop.h" #include "uuid.h" #include "httpread.h" #include "wps_i.h" #include "wps_upnp.h" #include "wps_upnp_i.h" /*************************************************************************** * Web connections (we serve pages of info about ourselves, handle * requests, etc. etc.). **************************************************************************/ #define WEB_CONNECTION_TIMEOUT_SEC 30 /* Drop web connection after t.o. */ #define WEB_CONNECTION_MAX_READ 8000 /* Max we'll read for TCP request */ #define MAX_WEB_CONNECTIONS 10 /* max simultaneous web connects */ static const char *urn_wfawlanconfig = "urn:schemas-wifialliance-org:service:WFAWLANConfig:1"; static const char *http_server_hdr = "Server: unspecified, UPnP/1.0, unspecified\r\n"; static const char *http_connection_close = "Connection: close\r\n"; /* * Incoming web connections are recorded in this struct. * A web connection is a TCP connection to us, the server; * it is called a "web connection" because we use http and serve * data that looks like web pages. * State information is need to track the connection until we figure * out what they want and what we want to do about it. */ struct web_connection { /* double linked list */ struct web_connection *next; struct web_connection *prev; struct upnp_wps_device_sm *sm; /* parent */ int sd; /* socket to read from */ struct sockaddr_in cli_addr; int sd_registered; /* nonzero if we must cancel registration */ struct httpread *hread; /* state machine for reading socket */ int n_rcvd_data; /* how much data read so far */ int done; /* internal flag, set when we've finished */ }; /* * XML parsing and formatting * * XML is a markup language based on unicode; usually (and in our case, * always!) based on utf-8. utf-8 uses a variable number of bytes per * character. utf-8 has the advantage that all non-ASCII unicode characters are * represented by sequences of non-ascii (high bit set) bytes, whereas ASCII * characters are single ascii bytes, thus we can use typical text processing. * * (One other interesting thing about utf-8 is that it is possible to look at * any random byte and determine if it is the first byte of a character as * versus a continuation byte). * * The base syntax of XML uses a few ASCII punctionation characters; any * characters that would appear in the payload data are rewritten using * sequences, e.g., & for ampersand(&) and < for left angle bracket (<). * Five such escapes total (more can be defined but that does not apply to our * case). Thus we can safely parse for angle brackets etc. * * XML describes tree structures of tagged data, with each element beginning * with an opening tag and ending with a closing tag with * matching label. (There is also a self-closing tag which is supposed * to be equivalent to , i.e., no payload, but we are unlikely * to see it for our purpose). * * Actually the opening tags are a little more complicated because they can * contain "attributes" after the label (delimited by ascii space or tab chars) * of the form attribute_label="value" or attribute_label='value'; as it turns * out we do not have to read any of these attributes, just ignore them. * * Labels are any sequence of chars other than space, tab, right angle bracket * (and ?), but may have an inner structure of . * As it turns out, we can ignore the namespaces, in fact we can ignore the * entire tree hierarchy, because the plain labels we are looking for will be * unique (not in general, but for this application). We do however have to be * careful to skip over the namespaces. * * In generating XML we have to be more careful, but that is easy because * everything we do is pretty canned. The only real care to take is to escape * any special chars in our payload. */ /** * xml_next_tag - Advance to next tag * @in: Input * @out: OUT: start of tag just after '<' * @out_tagname: OUT: start of name of tag, skipping namespace * @end: OUT: one after tag * Returns: 0 on success, 1 on failure * * A tag has form: * <...> * Within the angle brackets, there is an optional leading forward slash (which * makes the tag an ending tag), then an optional leading label (followed by * colon) and then the tag name itself. * * Note that angle brackets present in the original data must have been encoded * as < and > so they will not trouble us. */ static int xml_next_tag(char *in, char **out, char **out_tagname, char **end) { while (*in && *in != '<') in++; if (*in != '<') return 1; *out = ++in; if (*in == '/') in++; *out_tagname = in; /* maybe */ while (isalnum(*in) || *in == '-') in++; if (*in == ':') *out_tagname = ++in; while (*in && *in != '>') in++; if (*in != '>') return 1; *end = ++in; return 0; } /* xml_data_encode -- format data for xml file, escaping special characters. * * Note that we assume we are using utf8 both as input and as output! * In utf8, characters may be classed as follows: * 0xxxxxxx(2) -- 1 byte ascii char * 11xxxxxx(2) -- 1st byte of multi-byte char w/ unicode value >= 0x80 * 110xxxxx(2) -- 1st byte of 2 byte sequence (5 payload bits here) * 1110xxxx(2) -- 1st byte of 3 byte sequence (4 payload bits here) * 11110xxx(2) -- 1st byte of 4 byte sequence (3 payload bits here) * 10xxxxxx(2) -- extension byte (6 payload bits per byte) * Some values implied by the above are however illegal because they * do not represent unicode chars or are not the shortest encoding. * Actually, we can almost entirely ignore the above and just do * text processing same as for ascii text. * * XML is written with arbitrary unicode characters, except that five * characters have special meaning and so must be escaped where they * appear in payload data... which we do here. */ static void xml_data_encode(struct wpabuf *buf, const char *data, int len) { int i; for (i = 0; i < len; i++) { u8 c = ((u8 *) data)[i]; if (c == '<') { wpabuf_put_str(buf, "<"); continue; } if (c == '>') { wpabuf_put_str(buf, ">"); continue; } if (c == '&') { wpabuf_put_str(buf, "&"); continue; } if (c == '\'') { wpabuf_put_str(buf, "'"); continue; } if (c == '"') { wpabuf_put_str(buf, """); continue; } /* * We could try to represent control characters using the * sequence: &#x; where x is replaced by a hex numeral, but not * clear why we would do this. */ wpabuf_put_u8(buf, c); } } /* xml_add_tagged_data -- format tagged data as a new xml line. * * tag must not have any special chars. * data may have special chars, which are escaped. */ static void xml_add_tagged_data(struct wpabuf *buf, const char *tag, const char *data) { wpabuf_printf(buf, "<%s>", tag); xml_data_encode(buf, data, os_strlen(data)); wpabuf_printf(buf, "\n", tag); } /* A POST body looks something like (per upnp spec): * * * * * in arg value * other in args and their values go here, if any * * * * * where : * s: might be some other namespace name followed by colon * u: might be some other namespace name followed by colon * actionName will be replaced according to action requested * schema following actionName will be WFA scheme instead * argumentName will be actual argument name * (in arg value) will be actual argument value */ static int upnp_get_first_document_item(char *doc, const char *item, char **value) { const char *match = item; int match_len = os_strlen(item); char *tag; char *tagname; char *end; *value = NULL; /* default, bad */ /* * This is crude: ignore any possible tag name conflicts and go right * to the first tag of this name. This should be ok for the limited * domain of UPnP messages. */ for (;;) { if (xml_next_tag(doc, &tag, &tagname, &end)) return 1; doc = end; if (!os_strncasecmp(tagname, match, match_len) && *tag != '/' && (tagname[match_len] == '>' || !isgraph(tagname[match_len]))) { break; } } end = doc; while (*end && *end != '<') end++; *value = os_zalloc(1 + (end - doc)); if (*value == NULL) return 1; os_memcpy(*value, doc, end - doc); return 0; } /* * "Files" that we serve via HTTP. The format of these files is given by * WFA WPS specifications. Extra white space has been removed to save space. */ static const char wps_scpd_xml[] = "\n" "\n" "10\n" "\n" "\n" "GetDeviceInfo\n" "\n" "\n" "NewDeviceInfo\n" "out\n" "DeviceInfo\n" "\n" "\n" "\n" "\n" "PutMessage\n" "\n" "\n" "NewInMessage\n" "in\n" "InMessage\n" "\n" "\n" "NewOutMessage\n" "out\n" "OutMessage\n" "\n" "\n" "\n" "\n" "GetAPSettings\n" "\n" "\n" "NewMessage\n" "in\n" "Message\n" "\n" "\n" "NewAPSettings\n" "out\n" "APSettings\n" "\n" "\n" "\n" "\n" "SetAPSettings\n" "\n" "\n" "APSettings\n" "in\n" "APSettings\n" "\n" "\n" "\n" "\n" "DelAPSettings\n" "\n" "\n" "NewAPSettings\n" "in\n" "APSettings\n" "\n" "\n" "\n" "\n" "GetSTASettings\n" "\n" "\n" "NewMessage\n" "in\n" "Message\n" "\n" "\n" "NewSTASettings\n" "out\n" "STASettings\n" "\n" "\n" "\n" "\n" "SetSTASettings\n" "\n" "\n" "NewSTASettings\n" "out\n" "STASettings\n" "\n" "\n" "\n" "\n" "DelSTASettings\n" "\n" "\n" "NewSTASettings\n" "in\n" "STASettings\n" "\n" "\n" "\n" "\n" "PutWLANResponse\n" "\n" "\n" "NewMessage\n" "in\n" "Message\n" "\n" "\n" "NewWLANEventType\n" "in\n" "WLANEventType\n" "\n" "\n" "NewWLANEventMAC\n" "in\n" "WLANEventMAC\n" "\n" "\n" "\n" "\n" "SetSelectedRegistrar\n" "\n" "\n" "NewMessage\n" "in\n" "Message\n" "\n" "\n" "\n" "\n" "RebootAP\n" "\n" "\n" "NewAPSettings\n" "in\n" "APSettings\n" "\n" "\n" "\n" "\n" "ResetAP\n" "\n" "\n" "NewMessage\n" "in\n" "Message\n" "\n" "\n" "\n" "\n" "RebootSTA\n" "\n" "\n" "NewSTASettings\n" "in\n" "APSettings\n" "\n" "\n" "\n" "\n" "ResetSTA\n" "\n" "\n" "NewMessage\n" "in\n" "Message\n" "\n" "\n" "\n" "\n" "\n" "\n" "Message\n" "bin.base64\n" "\n" "\n" "InMessage\n" "bin.base64\n" "\n" "\n" "OutMessage\n" "bin.base64\n" "\n" "\n" "DeviceInfo\n" "bin.base64\n" "\n" "\n" "APSettings\n" "bin.base64\n" "\n" "\n" "APStatus\n" "ui1\n" "\n" "\n" "STASettings\n" "bin.base64\n" "\n" "\n" "STAStatus\n" "ui1\n" "\n" "\n" "WLANEvent\n" "bin.base64\n" "\n" "\n" "WLANEventType\n" "ui1\n" "\n" "\n" "WLANEventMAC\n" "string\n" "\n" "\n" "WLANResponse\n" "bin.base64\n" "\n" "\n" "\n" ; static const char *wps_device_xml_prefix = "\n" "\n" "\n" "1\n" "0\n" "\n" "\n" "urn:schemas-wifialliance-org:device:WFADevice:1" "\n"; static const char *wps_device_xml_postfix = "\n" "\n" "urn:schemas-wifialliance-org:service:WFAWLANConfig:1" "\n" "urn:wifialliance-org:serviceId:WFAWLANConfig1" "\n" "" UPNP_WPS_SCPD_XML_FILE "\n" "" UPNP_WPS_DEVICE_CONTROL_FILE "\n" "" UPNP_WPS_DEVICE_EVENT_FILE "\n" "\n" "\n" "\n" "\n"; /* format_wps_device_xml -- produce content of "file" wps_device.xml * (UPNP_WPS_DEVICE_XML_FILE) */ static void format_wps_device_xml(struct upnp_wps_device_sm *sm, struct wpabuf *buf) { const char *s; char uuid_string[80]; wpabuf_put_str(buf, wps_device_xml_prefix); /* * Add required fields with default values if not configured. Add * optional and recommended fields only if configured. */ s = sm->wps->friendly_name; s = ((s && *s) ? s : "WPS Access Point"); xml_add_tagged_data(buf, "friendlyName", s); s = sm->wps->dev.manufacturer; s = ((s && *s) ? s : ""); xml_add_tagged_data(buf, "manufacturer", s); if (sm->wps->manufacturer_url) xml_add_tagged_data(buf, "manufacturerURL", sm->wps->manufacturer_url); if (sm->wps->model_description) xml_add_tagged_data(buf, "modelDescription", sm->wps->model_description); s = sm->wps->dev.model_name; s = ((s && *s) ? s : ""); xml_add_tagged_data(buf, "modelName", s); if (sm->wps->dev.model_number) xml_add_tagged_data(buf, "modelNumber", sm->wps->dev.model_number); if (sm->wps->model_url) xml_add_tagged_data(buf, "modelURL", sm->wps->model_url); if (sm->wps->dev.serial_number) xml_add_tagged_data(buf, "serialNumber", sm->wps->dev.serial_number); uuid_bin2str(sm->wps->uuid, uuid_string, sizeof(uuid_string)); s = uuid_string; /* Need "uuid:" prefix, thus we can't use xml_add_tagged_data() * easily... */ wpabuf_put_str(buf, "uuid:"); xml_data_encode(buf, s, os_strlen(s)); wpabuf_put_str(buf, "\n"); if (sm->wps->upc) xml_add_tagged_data(buf, "UPC", sm->wps->upc); wpabuf_put_str(buf, wps_device_xml_postfix); } void web_connection_stop(struct web_connection *c) { struct upnp_wps_device_sm *sm = c->sm; httpread_destroy(c->hread); c->hread = NULL; close(c->sd); c->sd = -1; if (c->next == c) { sm->web_connections = NULL; } else { if (sm->web_connections == c) sm->web_connections = c->next; c->next->prev = c->prev; c->prev->next = c->next; } os_free(c); sm->n_web_connections--; } static void http_put_reply_code(struct wpabuf *buf, enum http_reply_code code) { wpabuf_put_str(buf, "HTTP/1.1 "); switch (code) { case HTTP_OK: wpabuf_put_str(buf, "200 OK\r\n"); break; case HTTP_BAD_REQUEST: wpabuf_put_str(buf, "400 Bad request\r\n"); break; case HTTP_PRECONDITION_FAILED: wpabuf_put_str(buf, "412 Precondition failed\r\n"); break; case HTTP_UNIMPLEMENTED: wpabuf_put_str(buf, "501 Unimplemented\r\n"); break; case HTTP_INTERNAL_SERVER_ERROR: default: wpabuf_put_str(buf, "500 Internal server error\r\n"); break; } } static void http_put_date(struct wpabuf *buf) { wpabuf_put_str(buf, "Date: "); format_date(buf); wpabuf_put_str(buf, "\r\n"); } static void http_put_empty(struct wpabuf *buf, enum http_reply_code code) { http_put_reply_code(buf, code); wpabuf_put_str(buf, http_server_hdr); wpabuf_put_str(buf, http_connection_close); wpabuf_put_str(buf, "Content-Length: 0\r\n" "\r\n"); } /* Given that we have received a header w/ GET, act upon it * * Format of GET (case-insensitive): * * First line must be: * GET / HTTP/1.1 * Since we don't do anything fancy we just ignore other lines. * * Our response (if no error) which includes only required lines is: * HTTP/1.1 200 OK * Connection: close * Content-Type: text/xml * Date: * * Header lines must end with \r\n * Per RFC 2616, content-length: is not required but connection:close * would appear to be required (given that we will be closing it!). */ static void web_connection_parse_get(struct web_connection *c, char *filename) { struct upnp_wps_device_sm *sm = c->sm; struct wpabuf *buf; /* output buffer, allocated */ char *put_length_here; char *body_start; enum { GET_DEVICE_XML_FILE, GET_SCPD_XML_FILE } req; size_t extra_len = 0; int body_length; char len_buf[10]; /* * It is not required that filenames be case insensitive but it is * allowed and cannot hurt here. */ if (filename == NULL) filename = "(null)"; /* just in case */ if (os_strcasecmp(filename, UPNP_WPS_DEVICE_XML_FILE) == 0) { wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET for device XML"); req = GET_DEVICE_XML_FILE; extra_len = 3000; if (sm->wps->friendly_name) extra_len += os_strlen(sm->wps->friendly_name); if (sm->wps->manufacturer_url) extra_len += os_strlen(sm->wps->manufacturer_url); if (sm->wps->model_description) extra_len += os_strlen(sm->wps->model_description); if (sm->wps->model_url) extra_len += os_strlen(sm->wps->model_url); if (sm->wps->upc) extra_len += os_strlen(sm->wps->upc); } else if (!os_strcasecmp(filename, UPNP_WPS_SCPD_XML_FILE)) { wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET for SCPD XML"); req = GET_SCPD_XML_FILE; extra_len = os_strlen(wps_scpd_xml); } else { /* File not found */ wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET file not found: %s", filename); buf = wpabuf_alloc(200); if (buf == NULL) return; wpabuf_put_str(buf, "HTTP/1.1 404 Not Found\r\n" "Connection: close\r\n"); http_put_date(buf); /* terminating empty line */ wpabuf_put_str(buf, "\r\n"); goto send_buf; } buf = wpabuf_alloc(1000 + extra_len); if (buf == NULL) return; wpabuf_put_str(buf, "HTTP/1.1 200 OK\r\n" "Content-Type: text/xml; charset=\"utf-8\"\r\n"); wpabuf_put_str(buf, "Server: Unspecified, UPnP/1.0, Unspecified\r\n"); wpabuf_put_str(buf, "Connection: close\r\n"); wpabuf_put_str(buf, "Content-Length: "); /* * We will paste the length in later, leaving some extra whitespace. * HTTP code is supposed to be tolerant of extra whitespace. */ put_length_here = wpabuf_put(buf, 0); wpabuf_put_str(buf, " \r\n"); http_put_date(buf); /* terminating empty line */ wpabuf_put_str(buf, "\r\n"); body_start = wpabuf_put(buf, 0); switch (req) { case GET_DEVICE_XML_FILE: format_wps_device_xml(sm, buf); break; case GET_SCPD_XML_FILE: wpabuf_put_str(buf, wps_scpd_xml); break; } /* Now patch in the content length at the end */ body_length = (char *) wpabuf_put(buf, 0) - body_start; os_snprintf(len_buf, 10, "%d", body_length); os_memcpy(put_length_here, len_buf, os_strlen(len_buf)); send_buf: send_wpabuf(c->sd, buf); wpabuf_free(buf); } static struct wpabuf * web_get_item(char *data, const char *name, enum http_reply_code *ret) { char *msg; struct wpabuf *buf; unsigned char *decoded; size_t len; if (upnp_get_first_document_item(data, name, &msg)) { *ret = UPNP_ARG_VALUE_INVALID; return NULL; } decoded = base64_decode((unsigned char *) msg, os_strlen(msg), &len); os_free(msg); if (decoded == NULL) { *ret = UPNP_OUT_OF_MEMORY; return NULL; } buf = wpabuf_alloc_ext_data(decoded, len); if (buf == NULL) { os_free(decoded); *ret = UPNP_OUT_OF_MEMORY; return NULL; } return buf; } static enum http_reply_code web_process_get_device_info(struct upnp_wps_device_sm *sm, struct wpabuf **reply, const char **replyname) { static const char *name = "NewDeviceInfo"; wpa_printf(MSG_DEBUG, "WPS UPnP: GetDeviceInfo"); if (sm->ctx->rx_req_get_device_info == NULL) return HTTP_INTERNAL_SERVER_ERROR; *reply = sm->ctx->rx_req_get_device_info(sm->priv, &sm->peer); if (*reply == NULL) { wpa_printf(MSG_INFO, "WPS UPnP: Failed to get DeviceInfo"); return HTTP_INTERNAL_SERVER_ERROR; } *replyname = name; return HTTP_OK; } static enum http_reply_code web_process_put_message(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; static const char *name = "NewOutMessage"; enum http_reply_code ret; /* * PutMessage is used by external UPnP-based Registrar to perform WPS * operation with the access point itself; as compared with * PutWLANResponse which is for proxying. */ wpa_printf(MSG_DEBUG, "WPS UPnP: PutMessage"); if (sm->ctx->rx_req_put_message == NULL) return HTTP_INTERNAL_SERVER_ERROR; msg = web_get_item(data, "NewInMessage", &ret); if (msg == NULL) return ret; *reply = sm->ctx->rx_req_put_message(sm->priv, &sm->peer, msg); wpabuf_free(msg); if (*reply == NULL) return HTTP_INTERNAL_SERVER_ERROR; *replyname = name; return HTTP_OK; } static enum http_reply_code web_process_get_ap_settings(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; static const char *name = "NewAPSettings"; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: GetAPSettings"); if (sm->ctx->rx_req_get_ap_settings == NULL) return HTTP_INTERNAL_SERVER_ERROR; msg = web_get_item(data, "NewMessage", &ret); if (msg == NULL) return ret; *reply = sm->ctx->rx_req_get_ap_settings(sm->priv, msg); wpabuf_free(msg); if (*reply == NULL) return HTTP_INTERNAL_SERVER_ERROR; *replyname = name; return HTTP_OK; } static enum http_reply_code web_process_set_ap_settings(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: SetAPSettings"); msg = web_get_item(data, "NewAPSettings", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_set_ap_settings || sm->ctx->rx_req_set_ap_settings(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_del_ap_settings(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: DelAPSettings"); msg = web_get_item(data, "NewAPSettings", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_del_ap_settings || sm->ctx->rx_req_del_ap_settings(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_get_sta_settings(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; static const char *name = "NewSTASettings"; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: GetSTASettings"); if (sm->ctx->rx_req_get_sta_settings == NULL) return HTTP_INTERNAL_SERVER_ERROR; msg = web_get_item(data, "NewMessage", &ret); if (msg == NULL) return ret; *reply = sm->ctx->rx_req_get_sta_settings(sm->priv, msg); wpabuf_free(msg); if (*reply == NULL) return HTTP_INTERNAL_SERVER_ERROR; *replyname = name; return HTTP_OK; } static enum http_reply_code web_process_set_sta_settings(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: SetSTASettings"); msg = web_get_item(data, "NewSTASettings", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_set_sta_settings || sm->ctx->rx_req_set_sta_settings(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_del_sta_settings(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: DelSTASettings"); msg = web_get_item(data, "NewSTASettings", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_del_sta_settings || sm->ctx->rx_req_del_sta_settings(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; u8 macaddr[ETH_ALEN]; int ev_type; int type; char *val; /* * External UPnP-based Registrar is passing us a message to be proxied * over to a Wi-Fi -based client of ours. */ wpa_printf(MSG_DEBUG, "WPS UPnP: PutWLANResponse"); msg = web_get_item(data, "NewMessage", &ret); if (msg == NULL) return ret; if (upnp_get_first_document_item(data, "NewWLANEventType", &val)) { wpabuf_free(msg); return UPNP_ARG_VALUE_INVALID; } ev_type = atol(val); os_free(val); val = NULL; if (upnp_get_first_document_item(data, "NewWLANEventMAC", &val) || hwaddr_aton(val, macaddr)) { wpabuf_free(msg); os_free(val); return UPNP_ARG_VALUE_INVALID; } os_free(val); if (ev_type == UPNP_WPS_WLANEVENT_TYPE_EAP) { struct wps_parse_attr attr; if (wps_parse_msg(msg, &attr) < 0 || attr.msg_type == NULL) type = -1; else type = *attr.msg_type; wpa_printf(MSG_DEBUG, "WPS UPnP: Message Type %d", type); } else type = -1; if (!sm->ctx->rx_req_put_wlan_response || sm->ctx->rx_req_put_wlan_response(sm->priv, ev_type, macaddr, msg, type)) { wpa_printf(MSG_INFO, "WPS UPnP: Fail: sm->ctx->" "rx_req_put_wlan_response"); wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_set_selected_registrar(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: SetSelectedRegistrar"); msg = web_get_item(data, "NewMessage", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_set_selected_registrar || sm->ctx->rx_req_set_selected_registrar(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_reboot_ap(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: RebootAP"); msg = web_get_item(data, "NewAPSettings", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_reboot_ap || sm->ctx->rx_req_reboot_ap(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_reset_ap(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: ResetAP"); msg = web_get_item(data, "NewMessage", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_reset_ap || sm->ctx->rx_req_reset_ap(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_reboot_sta(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: RebootSTA"); msg = web_get_item(data, "NewSTASettings", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_reboot_sta || sm->ctx->rx_req_reboot_sta(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static enum http_reply_code web_process_reset_sta(struct upnp_wps_device_sm *sm, char *data, struct wpabuf **reply, const char **replyname) { struct wpabuf *msg; enum http_reply_code ret; wpa_printf(MSG_DEBUG, "WPS UPnP: ResetSTA"); msg = web_get_item(data, "NewMessage", &ret); if (msg == NULL) return ret; if (!sm->ctx->rx_req_reset_sta || sm->ctx->rx_req_reset_sta(sm->priv, msg)) { wpabuf_free(msg); return HTTP_INTERNAL_SERVER_ERROR; } wpabuf_free(msg); *replyname = NULL; *reply = NULL; return HTTP_OK; } static const char *soap_prefix = "\n" "\n" "\n"; static const char *soap_postfix = "\n\n"; static const char *soap_error_prefix = "\n" "s:Client\n" "UPnPError\n" "\n" "\n"; static const char *soap_error_postfix = "Error\n" "\n" "\n" "\n"; static void web_connection_send_reply(struct web_connection *c, enum http_reply_code ret, const char *action, int action_len, const struct wpabuf *reply, const char *replyname) { struct wpabuf *buf; char *replydata; char *put_length_here = NULL; char *body_start = NULL; if (reply) { size_t len; replydata = (char *) base64_encode(wpabuf_head(reply), wpabuf_len(reply), &len); } else replydata = NULL; /* Parameters of the response: * action(action_len) -- action we are responding to * replyname -- a name we need for the reply * replydata -- NULL or null-terminated string */ buf = wpabuf_alloc(1000 + (replydata ? os_strlen(replydata) : 0U) + (action_len > 0 ? action_len * 2 : 0)); if (buf == NULL) { wpa_printf(MSG_INFO, "WPS UPnP: Cannot allocate reply to " "POST"); wpabuf_free(buf); os_free(replydata); return; } /* * Assuming we will be successful, put in the output header first. * Note: we do not keep connections alive (and httpread does * not support it)... therefore we must have Connection: close. */ if (ret == HTTP_OK) { wpabuf_put_str(buf, "HTTP/1.1 200 OK\r\n" "Content-Type: text/xml; " "charset=\"utf-8\"\r\n"); } else { wpabuf_printf(buf, "HTTP/1.1 %d Error\r\n", ret); } wpabuf_put_str(buf, http_connection_close); wpabuf_put_str(buf, "Content-Length: "); /* * We will paste the length in later, leaving some extra whitespace. * HTTP code is supposed to be tolerant of extra whitespace. */ put_length_here = wpabuf_put(buf, 0); wpabuf_put_str(buf, " \r\n"); http_put_date(buf); /* terminating empty line */ wpabuf_put_str(buf, "\r\n"); body_start = wpabuf_put(buf, 0); if (ret == HTTP_OK) { wpabuf_put_str(buf, soap_prefix); wpabuf_put_str(buf, "\n"); if (replydata && replyname) { /* TODO: might possibly need to escape part of reply * data? ... * probably not, unlikely to have ampersand(&) or left * angle bracket (<) in it... */ wpabuf_printf(buf, "<%s>", replyname); wpabuf_put_str(buf, replydata); wpabuf_printf(buf, "\n", replyname); } wpabuf_put_str(buf, "\n"); wpabuf_put_str(buf, soap_postfix); } else { /* Error case */ wpabuf_put_str(buf, soap_prefix); wpabuf_put_str(buf, soap_error_prefix); wpabuf_printf(buf, "%d\n", ret); wpabuf_put_str(buf, soap_error_postfix); wpabuf_put_str(buf, soap_postfix); } os_free(replydata); /* Now patch in the content length at the end */ if (body_start && put_length_here) { int body_length = (char *) wpabuf_put(buf, 0) - body_start; char len_buf[10]; os_snprintf(len_buf, sizeof(len_buf), "%d", body_length); os_memcpy(put_length_here, len_buf, os_strlen(len_buf)); } send_wpabuf(c->sd, buf); wpabuf_free(buf); } static const char * web_get_action(struct web_connection *c, const char *filename, size_t *action_len) { const char *match; int match_len; char *b; char *action; *action_len = 0; if (os_strcasecmp(filename, UPNP_WPS_DEVICE_CONTROL_FILE)) { wpa_printf(MSG_INFO, "WPS UPnP: Invalid POST filename %s", filename); return NULL; } /* The SOAPAction line of the header tells us what we want to do */ b = httpread_hdr_line_get(c->hread, "SOAPAction:"); if (b == NULL) return NULL; if (*b == '"') b++; else return NULL; match = urn_wfawlanconfig; match_len = os_strlen(urn_wfawlanconfig) - 1; if (os_strncasecmp(b, match, match_len)) return NULL; b += match_len; /* skip over version */ while (isgraph(*b) && *b != '#') b++; if (*b != '#') return NULL; b++; /* Following the sharp(#) should be the action and a double quote */ action = b; while (isgraph(*b) && *b != '"') b++; if (*b != '"') return NULL; *action_len = b - action; return action; } /* Given that we have received a header w/ POST, act upon it * * Format of POST (case-insensitive): * * First line must be: * POST / HTTP/1.1 * Since we don't do anything fancy we just ignore other lines. * * Our response (if no error) which includes only required lines is: * HTTP/1.1 200 OK * Connection: close * Content-Type: text/xml * Date: * * Header lines must end with \r\n * Per RFC 2616, content-length: is not required but connection:close * would appear to be required (given that we will be closing it!). */ static void web_connection_parse_post(struct web_connection *c, const char *filename) { enum http_reply_code ret; struct upnp_wps_device_sm *sm = c->sm; char *data = httpread_data_get(c->hread); /* body of http msg */ const char *action; size_t action_len; const char *replyname = NULL; /* argument name for the reply */ struct wpabuf *reply = NULL; /* data for the reply */ ret = UPNP_INVALID_ACTION; action = web_get_action(c, filename, &action_len); if (action == NULL) goto bad; /* * There are quite a few possible actions. Although we appear to * support them all here, not all of them are necessarily supported by * callbacks at higher levels. */ if (!os_strncasecmp("GetDeviceInfo", action, action_len)) ret = web_process_get_device_info(sm, &reply, &replyname); else if (!os_strncasecmp("PutMessage", action, action_len)) ret = web_process_put_message(sm, data, &reply, &replyname); else if (!os_strncasecmp("GetAPSettings", action, action_len)) ret = web_process_get_ap_settings(sm, data, &reply, &replyname); else if (!os_strncasecmp("SetAPSettings", action, action_len)) ret = web_process_set_ap_settings(sm, data, &reply, &replyname); else if (!os_strncasecmp("DelAPSettings", action, action_len)) ret = web_process_del_ap_settings(sm, data, &reply, &replyname); else if (!os_strncasecmp("GetSTASettings", action, action_len)) ret = web_process_get_sta_settings(sm, data, &reply, &replyname); else if (!os_strncasecmp("SetSTASettings", action, action_len)) ret = web_process_set_sta_settings(sm, data, &reply, &replyname); else if (!os_strncasecmp("DelSTASettings", action, action_len)) ret = web_process_del_sta_settings(sm, data, &reply, &replyname); else if (!os_strncasecmp("PutWLANResponse", action, action_len)) ret = web_process_put_wlan_response(sm, data, &reply, &replyname); else if (!os_strncasecmp("SetSelectedRegistrar", action, action_len)) ret = web_process_set_selected_registrar(sm, data, &reply, &replyname); else if (!os_strncasecmp("RebootAP", action, action_len)) ret = web_process_reboot_ap(sm, data, &reply, &replyname); else if (!os_strncasecmp("ResetAP", action, action_len)) ret = web_process_reset_ap(sm, data, &reply, &replyname); else if (!os_strncasecmp("RebootSTA", action, action_len)) ret = web_process_reboot_sta(sm, data, &reply, &replyname); else if (!os_strncasecmp("ResetSTA", action, action_len)) ret = web_process_reset_sta(sm, data, &reply, &replyname); else wpa_printf(MSG_INFO, "WPS UPnP: Unknown POST type"); bad: if (ret != HTTP_OK) wpa_printf(MSG_INFO, "WPS UPnP: POST failure ret=%d", ret); web_connection_send_reply(c, ret, action, action_len, reply, replyname); wpabuf_free(reply); } /* Given that we have received a header w/ SUBSCRIBE, act upon it * * Format of SUBSCRIBE (case-insensitive): * * First line must be: * SUBSCRIBE /wps_event HTTP/1.1 * * Our response (if no error) which includes only required lines is: * HTTP/1.1 200 OK * Server: xx, UPnP/1.0, xx * SID: uuid:xxxxxxxxx * Timeout: Second- * Content-Length: 0 * Date: xxxx * * Header lines must end with \r\n * Per RFC 2616, content-length: is not required but connection:close * would appear to be required (given that we will be closing it!). */ static void web_connection_parse_subscribe(struct web_connection *c, const char *filename) { struct upnp_wps_device_sm *sm = c->sm; struct wpabuf *buf; char *b; char *hdr = httpread_hdr_get(c->hread); char *h; char *match; int match_len; char *end; int len; int got_nt = 0; u8 uuid[UUID_LEN]; int got_uuid = 0; char *callback_urls = NULL; struct subscription *s = NULL; enum http_reply_code ret = HTTP_INTERNAL_SERVER_ERROR; buf = wpabuf_alloc(1000); if (buf == NULL) return; /* Parse/validate headers */ h = hdr; /* First line: SUBSCRIBE /wps_event HTTP/1.1 * has already been parsed. */ if (os_strcasecmp(filename, UPNP_WPS_DEVICE_EVENT_FILE) != 0) { ret = HTTP_PRECONDITION_FAILED; goto error; } wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP SUBSCRIBE for event"); end = os_strchr(h, '\n'); for (; end != NULL; h = end + 1) { /* Option line by option line */ h = end + 1; end = os_strchr(h, '\n'); if (end == NULL) break; /* no unterminated lines allowed */ /* NT assures that it is our type of subscription; * not used for a renewl. **/ match = "NT:"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) == 0) { h += match_len; while (*h == ' ' || *h == '\t') h++; match = "upnp:event"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) != 0) { ret = HTTP_BAD_REQUEST; goto error; } got_nt = 1; continue; } /* HOST should refer to us */ #if 0 match = "HOST:"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) == 0) { h += match_len; while (*h == ' ' || *h == '\t') h++; ..... } #endif /* CALLBACK gives one or more URLs for NOTIFYs * to be sent as a result of the subscription. * Each URL is enclosed in angle brackets. */ match = "CALLBACK:"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) == 0) { h += match_len; while (*h == ' ' || *h == '\t') h++; len = end - h; os_free(callback_urls); callback_urls = os_malloc(len + 1); if (callback_urls == NULL) { ret = HTTP_INTERNAL_SERVER_ERROR; goto error; } os_memcpy(callback_urls, h, len); callback_urls[len] = 0; continue; } /* SID is only for renewal */ match = "SID:"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) == 0) { h += match_len; while (*h == ' ' || *h == '\t') h++; match = "uuid:"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) != 0) { ret = HTTP_BAD_REQUEST; goto error; } h += match_len; while (*h == ' ' || *h == '\t') h++; if (uuid_str2bin(h, uuid)) { ret = HTTP_BAD_REQUEST; goto error; } got_uuid = 1; continue; } /* TIMEOUT is requested timeout, but apparently we can * just ignore this. */ } if (got_uuid) { /* renewal */ if (callback_urls) { ret = HTTP_BAD_REQUEST; goto error; } s = subscription_renew(sm, uuid); if (s == NULL) { ret = HTTP_PRECONDITION_FAILED; goto error; } } else if (callback_urls) { if (!got_nt) { ret = HTTP_PRECONDITION_FAILED; goto error; } s = subscription_start(sm, callback_urls); if (s == NULL) { ret = HTTP_INTERNAL_SERVER_ERROR; goto error; } } else { ret = HTTP_PRECONDITION_FAILED; goto error; } /* success */ http_put_reply_code(buf, HTTP_OK); wpabuf_put_str(buf, http_server_hdr); wpabuf_put_str(buf, http_connection_close); wpabuf_put_str(buf, "Content-Length: 0\r\n"); wpabuf_put_str(buf, "SID: uuid:"); /* subscription id */ b = wpabuf_put(buf, 0); uuid_bin2str(s->uuid, b, 80); wpabuf_put(buf, os_strlen(b)); wpabuf_put_str(buf, "\r\n"); wpabuf_printf(buf, "Timeout: Second-%d\r\n", UPNP_SUBSCRIBE_SEC); http_put_date(buf); /* And empty line to terminate header: */ wpabuf_put_str(buf, "\r\n"); send_wpabuf(c->sd, buf); wpabuf_free(buf); os_free(callback_urls); return; error: /* Per UPnP spec: * Errors * Incompatible headers * 400 Bad Request. If SID header and one of NT or CALLBACK headers * are present, the publisher must respond with HTTP error * 400 Bad Request. * Missing or invalid CALLBACK * 412 Precondition Failed. If CALLBACK header is missing or does not * contain a valid HTTP URL, the publisher must respond with HTTP * error 412 Precondition Failed. * Invalid NT * 412 Precondition Failed. If NT header does not equal upnp:event, * the publisher must respond with HTTP error 412 Precondition * Failed. * [For resubscription, use 412 if unknown uuid]. * Unable to accept subscription * 5xx. If a publisher is not able to accept a subscription (such as * due to insufficient resources), it must respond with a * HTTP 500-series error code. * 599 Too many subscriptions (not a standard HTTP error) */ http_put_empty(buf, ret); send_wpabuf(c->sd, buf); wpabuf_free(buf); os_free(callback_urls); } /* Given that we have received a header w/ UNSUBSCRIBE, act upon it * * Format of UNSUBSCRIBE (case-insensitive): * * First line must be: * UNSUBSCRIBE /wps_event HTTP/1.1 * * Our response (if no error) which includes only required lines is: * HTTP/1.1 200 OK * Content-Length: 0 * * Header lines must end with \r\n * Per RFC 2616, content-length: is not required but connection:close * would appear to be required (given that we will be closing it!). */ static void web_connection_parse_unsubscribe(struct web_connection *c, const char *filename) { struct upnp_wps_device_sm *sm = c->sm; struct wpabuf *buf; char *hdr = httpread_hdr_get(c->hread); char *h; char *match; int match_len; char *end; u8 uuid[UUID_LEN]; int got_uuid = 0; struct subscription *s = NULL; enum http_reply_code ret = HTTP_INTERNAL_SERVER_ERROR; /* Parse/validate headers */ h = hdr; /* First line: UNSUBSCRIBE /wps_event HTTP/1.1 * has already been parsed. */ if (os_strcasecmp(filename, UPNP_WPS_DEVICE_EVENT_FILE) != 0) { ret = HTTP_PRECONDITION_FAILED; goto send_msg; } wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP UNSUBSCRIBE for event"); end = os_strchr(h, '\n'); for (; end != NULL; h = end + 1) { /* Option line by option line */ h = end + 1; end = os_strchr(h, '\n'); if (end == NULL) break; /* no unterminated lines allowed */ /* HOST should refer to us */ #if 0 match = "HOST:"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) == 0) { h += match_len; while (*h == ' ' || *h == '\t') h++; ..... } #endif /* SID is only for renewal */ match = "SID:"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) == 0) { h += match_len; while (*h == ' ' || *h == '\t') h++; match = "uuid:"; match_len = os_strlen(match); if (os_strncasecmp(h, match, match_len) != 0) { ret = HTTP_BAD_REQUEST; goto send_msg; } h += match_len; while (*h == ' ' || *h == '\t') h++; if (uuid_str2bin(h, uuid)) { ret = HTTP_BAD_REQUEST; goto send_msg; } got_uuid = 1; continue; } } if (got_uuid) { s = subscription_find(sm, uuid); if (s) { wpa_printf(MSG_DEBUG, "WPS UPnP: Unsubscribing %p %s", s, (s && s->addr_list && s->addr_list->domain_and_port) ? s->addr_list->domain_and_port : "-null-"); subscription_unlink(s); subscription_destroy(s); } } else { wpa_printf(MSG_INFO, "WPS UPnP: Unsubscribe fails (not " "found)"); ret = HTTP_PRECONDITION_FAILED; goto send_msg; } ret = HTTP_OK; send_msg: buf = wpabuf_alloc(200); if (buf == NULL) return; http_put_empty(buf, ret); send_wpabuf(c->sd, buf); wpabuf_free(buf); } /* Send error in response to unknown requests */ static void web_connection_unimplemented(struct web_connection *c) { struct wpabuf *buf; buf = wpabuf_alloc(200); if (buf == NULL) return; http_put_empty(buf, HTTP_UNIMPLEMENTED); send_wpabuf(c->sd, buf); wpabuf_free(buf); } /* Called when we have gotten an apparently valid http request. */ static void web_connection_check_data(struct web_connection *c) { struct httpread *hread = c->hread; enum httpread_hdr_type htype = httpread_hdr_type_get(hread); /* char *data = httpread_data_get(hread); */ char *filename = httpread_uri_get(hread); c->done = 1; if (!filename) { wpa_printf(MSG_INFO, "WPS UPnP: Could not get HTTP URI"); return; } /* Trim leading slashes from filename */ while (*filename == '/') filename++; wpa_printf(MSG_DEBUG, "WPS UPnP: Got HTTP request type %d from %s:%d", htype, inet_ntoa(c->cli_addr.sin_addr), htons(c->cli_addr.sin_port)); switch (htype) { case HTTPREAD_HDR_TYPE_GET: web_connection_parse_get(c, filename); break; case HTTPREAD_HDR_TYPE_POST: web_connection_parse_post(c, filename); break; case HTTPREAD_HDR_TYPE_SUBSCRIBE: web_connection_parse_subscribe(c, filename); break; case HTTPREAD_HDR_TYPE_UNSUBSCRIBE: web_connection_parse_unsubscribe(c, filename); break; /* We are not required to support M-POST; just plain * POST is supposed to work, so we only support that. * If for some reason we need to support M-POST, it is * mostly the same as POST, with small differences. */ default: /* Send 501 for anything else */ web_connection_unimplemented(c); break; } } /* called back when we have gotten request */ static void web_connection_got_file_handler(struct httpread *handle, void *cookie, enum httpread_event en) { struct web_connection *c = cookie; if (en == HTTPREAD_EVENT_FILE_READY) web_connection_check_data(c); web_connection_stop(c); } /* web_connection_start - Start web connection * @sm: WPS UPnP state machine from upnp_wps_device_init() * @sd: Socket descriptor * @addr: Client address * * The socket descriptor sd is handed over for ownership by the WPS UPnP * state machine. */ static void web_connection_start(struct upnp_wps_device_sm *sm, int sd, struct sockaddr_in *addr) { struct web_connection *c = NULL; /* if too many connections, bail */ if (sm->n_web_connections >= MAX_WEB_CONNECTIONS) { close(sd); return; } c = os_zalloc(sizeof(*c)); if (c == NULL) return; os_memcpy(&c->cli_addr, addr, sizeof(c->cli_addr)); c->sm = sm; c->sd = sd; #if 0 /* * Setting non-blocking should not be necessary for read, and can mess * up sending where blocking might be better. */ if (fcntl(sd, F_SETFL, O_NONBLOCK) != 0) break; #endif c->hread = httpread_create(c->sd, web_connection_got_file_handler, c /* cookie */, WEB_CONNECTION_MAX_READ, WEB_CONNECTION_TIMEOUT_SEC); if (c->hread == NULL) goto fail; if (sm->web_connections) { c->next = sm->web_connections; c->prev = c->next->prev; c->prev->next = c; c->next->prev = c; } else { sm->web_connections = c->next = c->prev = c; } sm->n_web_connections++; return; fail: if (c) web_connection_stop(c); } /* * Listening for web connections * We have a single TCP listening port, and hand off connections as we get * them. */ void web_listener_stop(struct upnp_wps_device_sm *sm) { if (sm->web_sd_registered) { sm->web_sd_registered = 0; eloop_unregister_sock(sm->web_sd, EVENT_TYPE_READ); } if (sm->web_sd >= 0) close(sm->web_sd); sm->web_sd = -1; } static void web_listener_handler(int sd, void *eloop_ctx, void *sock_ctx) { struct sockaddr_in addr; socklen_t addr_len = sizeof(addr); struct upnp_wps_device_sm *sm = sock_ctx; int new_sd; /* Create state for new connection */ /* Remember so we can cancel if need be */ new_sd = accept(sm->web_sd, (struct sockaddr *) &addr, &addr_len); if (new_sd < 0) { wpa_printf(MSG_ERROR, "WPS UPnP: web listener accept " "errno=%d (%s) web_sd=%d", errno, strerror(errno), sm->web_sd); return; } web_connection_start(sm, new_sd, &addr); } int web_listener_start(struct upnp_wps_device_sm *sm) { struct sockaddr_in addr; int port; sm->web_sd = socket(AF_INET, SOCK_STREAM, 0); if (sm->web_sd < 0) goto fail; if (fcntl(sm->web_sd, F_SETFL, O_NONBLOCK) != 0) goto fail; port = 49152; /* first non-reserved port */ for (;;) { os_memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = sm->ip_addr; addr.sin_port = htons(port); if (bind(sm->web_sd, (struct sockaddr *) &addr, sizeof(addr)) == 0) break; if (errno == EADDRINUSE) { /* search for unused port */ if (++port == 65535) goto fail; continue; } goto fail; } if (listen(sm->web_sd, 10 /* max backlog */) != 0) goto fail; if (fcntl(sm->web_sd, F_SETFL, O_NONBLOCK) != 0) goto fail; if (eloop_register_sock(sm->web_sd, EVENT_TYPE_READ, web_listener_handler, NULL, sm)) goto fail; sm->web_sd_registered = 1; sm->web_port = port; return 0; fail: /* Error */ web_listener_stop(sm); return -1; }