hostapd/src/wps/wps_upnp_web.c
Jouni Malinen 80f256a568 WPS: Remove unnecessary filename NULL check
The caller of the GET parser is checking this already and the GET case
was the only one that ended up doing the duplicated validation step.

Signed-off-by: Jouni Malinen <j@w1.fi>
2014-02-22 14:07:23 +02:00

1320 lines
35 KiB
C

/*
* UPnP WPS Device - Web connections
* Copyright (c) 2000-2003 Intel Corporation
* Copyright (c) 2006-2007 Sony Corporation
* Copyright (c) 2008-2009 Atheros Communications
* Copyright (c) 2009, Jouni Malinen <j@w1.fi>
*
* See wps_upnp.c for more details on licensing and code history.
*/
#include "includes.h"
#include "common.h"
#include "base64.h"
#include "uuid.h"
#include "httpread.h"
#include "http_server.h"
#include "wps_i.h"
#include "wps_upnp.h"
#include "wps_upnp_i.h"
#include "upnp_xml.h"
/***************************************************************************
* Web connections (we serve pages of info about ourselves, handle
* requests, etc. etc.).
**************************************************************************/
#define WEB_CONNECTION_TIMEOUT_SEC 30 /* Drop web connection after t.o. */
#define WEB_CONNECTION_MAX_READ 8000 /* Max we'll read for TCP request */
#define MAX_WEB_CONNECTIONS 10 /* max simultaneous web connects */
static const char *urn_wfawlanconfig =
"urn:schemas-wifialliance-org:service:WFAWLANConfig:1";
static const char *http_server_hdr =
"Server: unspecified, UPnP/1.0, unspecified\r\n";
static const char *http_connection_close =
"Connection: close\r\n";
/*
* "Files" that we serve via HTTP. The format of these files is given by
* WFA WPS specifications. Extra white space has been removed to save space.
*/
static const char wps_scpd_xml[] =
"<?xml version=\"1.0\"?>\n"
"<scpd xmlns=\"urn:schemas-upnp-org:service-1-0\">\n"
"<specVersion><major>1</major><minor>0</minor></specVersion>\n"
"<actionList>\n"
"<action>\n"
"<name>GetDeviceInfo</name>\n"
"<argumentList>\n"
"<argument>\n"
"<name>NewDeviceInfo</name>\n"
"<direction>out</direction>\n"
"<relatedStateVariable>DeviceInfo</relatedStateVariable>\n"
"</argument>\n"
"</argumentList>\n"
"</action>\n"
"<action>\n"
"<name>PutMessage</name>\n"
"<argumentList>\n"
"<argument>\n"
"<name>NewInMessage</name>\n"
"<direction>in</direction>\n"
"<relatedStateVariable>InMessage</relatedStateVariable>\n"
"</argument>\n"
"<argument>\n"
"<name>NewOutMessage</name>\n"
"<direction>out</direction>\n"
"<relatedStateVariable>OutMessage</relatedStateVariable>\n"
"</argument>\n"
"</argumentList>\n"
"</action>\n"
"<action>\n"
"<name>PutWLANResponse</name>\n"
"<argumentList>\n"
"<argument>\n"
"<name>NewMessage</name>\n"
"<direction>in</direction>\n"
"<relatedStateVariable>Message</relatedStateVariable>\n"
"</argument>\n"
"<argument>\n"
"<name>NewWLANEventType</name>\n"
"<direction>in</direction>\n"
"<relatedStateVariable>WLANEventType</relatedStateVariable>\n"
"</argument>\n"
"<argument>\n"
"<name>NewWLANEventMAC</name>\n"
"<direction>in</direction>\n"
"<relatedStateVariable>WLANEventMAC</relatedStateVariable>\n"
"</argument>\n"
"</argumentList>\n"
"</action>\n"
"<action>\n"
"<name>SetSelectedRegistrar</name>\n"
"<argumentList>\n"
"<argument>\n"
"<name>NewMessage</name>\n"
"<direction>in</direction>\n"
"<relatedStateVariable>Message</relatedStateVariable>\n"
"</argument>\n"
"</argumentList>\n"
"</action>\n"
"</actionList>\n"
"<serviceStateTable>\n"
"<stateVariable sendEvents=\"no\">\n"
"<name>Message</name>\n"
"<dataType>bin.base64</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"no\">\n"
"<name>InMessage</name>\n"
"<dataType>bin.base64</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"no\">\n"
"<name>OutMessage</name>\n"
"<dataType>bin.base64</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"no\">\n"
"<name>DeviceInfo</name>\n"
"<dataType>bin.base64</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"yes\">\n"
"<name>APStatus</name>\n"
"<dataType>ui1</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"yes\">\n"
"<name>STAStatus</name>\n"
"<dataType>ui1</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"yes\">\n"
"<name>WLANEvent</name>\n"
"<dataType>bin.base64</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"no\">\n"
"<name>WLANEventType</name>\n"
"<dataType>ui1</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"no\">\n"
"<name>WLANEventMAC</name>\n"
"<dataType>string</dataType>\n"
"</stateVariable>\n"
"<stateVariable sendEvents=\"no\">\n"
"<name>WLANResponse</name>\n"
"<dataType>bin.base64</dataType>\n"
"</stateVariable>\n"
"</serviceStateTable>\n"
"</scpd>\n"
;
static const char *wps_device_xml_prefix =
"<?xml version=\"1.0\"?>\n"
"<root xmlns=\"urn:schemas-upnp-org:device-1-0\">\n"
"<specVersion>\n"
"<major>1</major>\n"
"<minor>0</minor>\n"
"</specVersion>\n"
"<device>\n"
"<deviceType>urn:schemas-wifialliance-org:device:WFADevice:1"
"</deviceType>\n";
static const char *wps_device_xml_postfix =
"<serviceList>\n"
"<service>\n"
"<serviceType>urn:schemas-wifialliance-org:service:WFAWLANConfig:1"
"</serviceType>\n"
"<serviceId>urn:wifialliance-org:serviceId:WFAWLANConfig1</serviceId>"
"\n"
"<SCPDURL>" UPNP_WPS_SCPD_XML_FILE "</SCPDURL>\n"
"<controlURL>" UPNP_WPS_DEVICE_CONTROL_FILE "</controlURL>\n"
"<eventSubURL>" UPNP_WPS_DEVICE_EVENT_FILE "</eventSubURL>\n"
"</service>\n"
"</serviceList>\n"
"</device>\n"
"</root>\n";
/* format_wps_device_xml -- produce content of "file" wps_device.xml
* (UPNP_WPS_DEVICE_XML_FILE)
*/
static void format_wps_device_xml(struct upnp_wps_device_sm *sm,
struct wpabuf *buf)
{
const char *s;
char uuid_string[80];
struct upnp_wps_device_interface *iface;
iface = dl_list_first(&sm->interfaces,
struct upnp_wps_device_interface, list);
wpabuf_put_str(buf, wps_device_xml_prefix);
/*
* Add required fields with default values if not configured. Add
* optional and recommended fields only if configured.
*/
s = iface->wps->friendly_name;
s = ((s && *s) ? s : "WPS Access Point");
xml_add_tagged_data(buf, "friendlyName", s);
s = iface->wps->dev.manufacturer;
s = ((s && *s) ? s : "");
xml_add_tagged_data(buf, "manufacturer", s);
if (iface->wps->manufacturer_url)
xml_add_tagged_data(buf, "manufacturerURL",
iface->wps->manufacturer_url);
if (iface->wps->model_description)
xml_add_tagged_data(buf, "modelDescription",
iface->wps->model_description);
s = iface->wps->dev.model_name;
s = ((s && *s) ? s : "");
xml_add_tagged_data(buf, "modelName", s);
if (iface->wps->dev.model_number)
xml_add_tagged_data(buf, "modelNumber",
iface->wps->dev.model_number);
if (iface->wps->model_url)
xml_add_tagged_data(buf, "modelURL", iface->wps->model_url);
if (iface->wps->dev.serial_number)
xml_add_tagged_data(buf, "serialNumber",
iface->wps->dev.serial_number);
uuid_bin2str(iface->wps->uuid, uuid_string, sizeof(uuid_string));
s = uuid_string;
/* Need "uuid:" prefix, thus we can't use xml_add_tagged_data()
* easily...
*/
wpabuf_put_str(buf, "<UDN>uuid:");
xml_data_encode(buf, s, os_strlen(s));
wpabuf_put_str(buf, "</UDN>\n");
if (iface->wps->upc)
xml_add_tagged_data(buf, "UPC", iface->wps->upc);
wpabuf_put_str(buf, wps_device_xml_postfix);
}
static void http_put_reply_code(struct wpabuf *buf, enum http_reply_code code)
{
wpabuf_put_str(buf, "HTTP/1.1 ");
switch (code) {
case HTTP_OK:
wpabuf_put_str(buf, "200 OK\r\n");
break;
case HTTP_BAD_REQUEST:
wpabuf_put_str(buf, "400 Bad request\r\n");
break;
case HTTP_PRECONDITION_FAILED:
wpabuf_put_str(buf, "412 Precondition failed\r\n");
break;
case HTTP_UNIMPLEMENTED:
wpabuf_put_str(buf, "501 Unimplemented\r\n");
break;
case HTTP_INTERNAL_SERVER_ERROR:
default:
wpabuf_put_str(buf, "500 Internal server error\r\n");
break;
}
}
static void http_put_date(struct wpabuf *buf)
{
wpabuf_put_str(buf, "Date: ");
format_date(buf);
wpabuf_put_str(buf, "\r\n");
}
static void http_put_empty(struct wpabuf *buf, enum http_reply_code code)
{
http_put_reply_code(buf, code);
wpabuf_put_str(buf, http_server_hdr);
wpabuf_put_str(buf, http_connection_close);
wpabuf_put_str(buf, "Content-Length: 0\r\n"
"\r\n");
}
/* Given that we have received a header w/ GET, act upon it
*
* Format of GET (case-insensitive):
*
* First line must be:
* GET /<file> HTTP/1.1
* Since we don't do anything fancy we just ignore other lines.
*
* Our response (if no error) which includes only required lines is:
* HTTP/1.1 200 OK
* Connection: close
* Content-Type: text/xml
* Date: <rfc1123-date>
*
* Header lines must end with \r\n
* Per RFC 2616, content-length: is not required but connection:close
* would appear to be required (given that we will be closing it!).
*/
static void web_connection_parse_get(struct upnp_wps_device_sm *sm,
struct http_request *hreq, char *filename)
{
struct wpabuf *buf; /* output buffer, allocated */
char *put_length_here;
char *body_start;
enum {
GET_DEVICE_XML_FILE,
GET_SCPD_XML_FILE
} req;
size_t extra_len = 0;
int body_length;
char len_buf[10];
struct upnp_wps_device_interface *iface;
iface = dl_list_first(&sm->interfaces,
struct upnp_wps_device_interface, list);
/*
* It is not required that filenames be case insensitive but it is
* allowed and cannot hurt here.
*/
if (os_strcasecmp(filename, UPNP_WPS_DEVICE_XML_FILE) == 0) {
wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET for device XML");
req = GET_DEVICE_XML_FILE;
extra_len = 3000;
if (iface->wps->friendly_name)
extra_len += os_strlen(iface->wps->friendly_name);
if (iface->wps->manufacturer_url)
extra_len += os_strlen(iface->wps->manufacturer_url);
if (iface->wps->model_description)
extra_len += os_strlen(iface->wps->model_description);
if (iface->wps->model_url)
extra_len += os_strlen(iface->wps->model_url);
if (iface->wps->upc)
extra_len += os_strlen(iface->wps->upc);
} else if (!os_strcasecmp(filename, UPNP_WPS_SCPD_XML_FILE)) {
wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET for SCPD XML");
req = GET_SCPD_XML_FILE;
extra_len = os_strlen(wps_scpd_xml);
} else {
/* File not found */
wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP GET file not found: %s",
filename);
buf = wpabuf_alloc(200);
if (buf == NULL) {
http_request_deinit(hreq);
return;
}
wpabuf_put_str(buf,
"HTTP/1.1 404 Not Found\r\n"
"Connection: close\r\n");
http_put_date(buf);
/* terminating empty line */
wpabuf_put_str(buf, "\r\n");
goto send_buf;
}
buf = wpabuf_alloc(1000 + extra_len);
if (buf == NULL) {
http_request_deinit(hreq);
return;
}
wpabuf_put_str(buf,
"HTTP/1.1 200 OK\r\n"
"Content-Type: text/xml; charset=\"utf-8\"\r\n");
wpabuf_put_str(buf, "Server: Unspecified, UPnP/1.0, Unspecified\r\n");
wpabuf_put_str(buf, "Connection: close\r\n");
wpabuf_put_str(buf, "Content-Length: ");
/*
* We will paste the length in later, leaving some extra whitespace.
* HTTP code is supposed to be tolerant of extra whitespace.
*/
put_length_here = wpabuf_put(buf, 0);
wpabuf_put_str(buf, " \r\n");
http_put_date(buf);
/* terminating empty line */
wpabuf_put_str(buf, "\r\n");
body_start = wpabuf_put(buf, 0);
switch (req) {
case GET_DEVICE_XML_FILE:
format_wps_device_xml(sm, buf);
break;
case GET_SCPD_XML_FILE:
wpabuf_put_str(buf, wps_scpd_xml);
break;
}
/* Now patch in the content length at the end */
body_length = (char *) wpabuf_put(buf, 0) - body_start;
os_snprintf(len_buf, 10, "%d", body_length);
os_memcpy(put_length_here, len_buf, os_strlen(len_buf));
send_buf:
http_request_send_and_deinit(hreq, buf);
}
static enum http_reply_code
web_process_get_device_info(struct upnp_wps_device_sm *sm,
struct wpabuf **reply, const char **replyname)
{
static const char *name = "NewDeviceInfo";
struct wps_config cfg;
struct upnp_wps_device_interface *iface;
struct upnp_wps_peer *peer;
iface = dl_list_first(&sm->interfaces,
struct upnp_wps_device_interface, list);
peer = &iface->peer;
wpa_printf(MSG_DEBUG, "WPS UPnP: GetDeviceInfo");
if (iface->ctx->ap_pin == NULL)
return HTTP_INTERNAL_SERVER_ERROR;
/*
* Request for DeviceInfo, i.e., M1 TLVs. This is a start of WPS
* registration over UPnP with the AP acting as an Enrollee. It should
* be noted that this is frequently used just to get the device data,
* i.e., there may not be any intent to actually complete the
* registration.
*/
if (peer->wps)
wps_deinit(peer->wps);
os_memset(&cfg, 0, sizeof(cfg));
cfg.wps = iface->wps;
cfg.pin = (u8 *) iface->ctx->ap_pin;
cfg.pin_len = os_strlen(iface->ctx->ap_pin);
peer->wps = wps_init(&cfg);
if (peer->wps) {
enum wsc_op_code op_code;
*reply = wps_get_msg(peer->wps, &op_code);
if (*reply == NULL) {
wps_deinit(peer->wps);
peer->wps = NULL;
}
} else
*reply = NULL;
if (*reply == NULL) {
wpa_printf(MSG_INFO, "WPS UPnP: Failed to get DeviceInfo");
return HTTP_INTERNAL_SERVER_ERROR;
}
*replyname = name;
return HTTP_OK;
}
static enum http_reply_code
web_process_put_message(struct upnp_wps_device_sm *sm, char *data,
struct wpabuf **reply, const char **replyname)
{
struct wpabuf *msg;
static const char *name = "NewOutMessage";
enum http_reply_code ret;
enum wps_process_res res;
enum wsc_op_code op_code;
struct upnp_wps_device_interface *iface;
iface = dl_list_first(&sm->interfaces,
struct upnp_wps_device_interface, list);
/*
* PutMessage is used by external UPnP-based Registrar to perform WPS
* operation with the access point itself; as compared with
* PutWLANResponse which is for proxying.
*/
wpa_printf(MSG_DEBUG, "WPS UPnP: PutMessage");
msg = xml_get_base64_item(data, "NewInMessage", &ret);
if (msg == NULL)
return ret;
res = wps_process_msg(iface->peer.wps, WSC_UPnP, msg);
if (res == WPS_FAILURE)
*reply = NULL;
else
*reply = wps_get_msg(iface->peer.wps, &op_code);
wpabuf_free(msg);
if (*reply == NULL)
return HTTP_INTERNAL_SERVER_ERROR;
*replyname = name;
return HTTP_OK;
}
static enum http_reply_code
web_process_put_wlan_response(struct upnp_wps_device_sm *sm, char *data,
struct wpabuf **reply, const char **replyname)
{
struct wpabuf *msg;
enum http_reply_code ret;
u8 macaddr[ETH_ALEN];
int ev_type;
int type;
char *val;
struct upnp_wps_device_interface *iface;
int ok = 0;
/*
* External UPnP-based Registrar is passing us a message to be proxied
* over to a Wi-Fi -based client of ours.
*/
wpa_printf(MSG_DEBUG, "WPS UPnP: PutWLANResponse");
msg = xml_get_base64_item(data, "NewMessage", &ret);
if (msg == NULL) {
wpa_printf(MSG_DEBUG, "WPS UPnP: Could not extract NewMessage "
"from PutWLANResponse");
return ret;
}
val = xml_get_first_item(data, "NewWLANEventType");
if (val == NULL) {
wpa_printf(MSG_DEBUG, "WPS UPnP: No NewWLANEventType in "
"PutWLANResponse");
wpabuf_free(msg);
return UPNP_ARG_VALUE_INVALID;
}
ev_type = atol(val);
os_free(val);
val = xml_get_first_item(data, "NewWLANEventMAC");
if (val == NULL) {
wpa_printf(MSG_DEBUG, "WPS UPnP: No NewWLANEventMAC in "
"PutWLANResponse");
wpabuf_free(msg);
return UPNP_ARG_VALUE_INVALID;
}
if (hwaddr_aton(val, macaddr)) {
wpa_printf(MSG_DEBUG, "WPS UPnP: Invalid NewWLANEventMAC in "
"PutWLANResponse: '%s'", val);
#ifdef CONFIG_WPS_STRICT
{
struct wps_parse_attr attr;
if (wps_parse_msg(msg, &attr) < 0 || attr.version2) {
wpabuf_free(msg);
os_free(val);
return UPNP_ARG_VALUE_INVALID;
}
}
#endif /* CONFIG_WPS_STRICT */
if (hwaddr_aton2(val, macaddr) > 0) {
/*
* At least some versions of Intel PROset seem to be
* using dot-deliminated MAC address format here.
*/
wpa_printf(MSG_DEBUG, "WPS UPnP: Workaround - allow "
"incorrect MAC address format in "
"NewWLANEventMAC: %s -> " MACSTR,
val, MAC2STR(macaddr));
} else {
wpabuf_free(msg);
os_free(val);
return UPNP_ARG_VALUE_INVALID;
}
}
os_free(val);
if (ev_type == UPNP_WPS_WLANEVENT_TYPE_EAP) {
struct wps_parse_attr attr;
if (wps_parse_msg(msg, &attr) < 0 ||
attr.msg_type == NULL)
type = -1;
else
type = *attr.msg_type;
wpa_printf(MSG_DEBUG, "WPS UPnP: Message Type %d", type);
} else
type = -1;
dl_list_for_each(iface, &sm->interfaces,
struct upnp_wps_device_interface, list) {
if (iface->ctx->rx_req_put_wlan_response &&
iface->ctx->rx_req_put_wlan_response(iface->priv, ev_type,
macaddr, msg, type)
== 0)
ok = 1;
}
if (!ok) {
wpa_printf(MSG_INFO, "WPS UPnP: Fail: sm->ctx->"
"rx_req_put_wlan_response");
wpabuf_free(msg);
return HTTP_INTERNAL_SERVER_ERROR;
}
wpabuf_free(msg);
*replyname = NULL;
*reply = NULL;
return HTTP_OK;
}
static int find_er_addr(struct subscription *s, struct sockaddr_in *cli)
{
struct subscr_addr *a;
dl_list_for_each(a, &s->addr_list, struct subscr_addr, list) {
if (cli->sin_addr.s_addr == a->saddr.sin_addr.s_addr)
return 1;
}
return 0;
}
static struct subscription * find_er(struct upnp_wps_device_sm *sm,
struct sockaddr_in *cli)
{
struct subscription *s;
dl_list_for_each(s, &sm->subscriptions, struct subscription, list)
if (find_er_addr(s, cli))
return s;
return NULL;
}
static enum http_reply_code
web_process_set_selected_registrar(struct upnp_wps_device_sm *sm,
struct sockaddr_in *cli, char *data,
struct wpabuf **reply,
const char **replyname)
{
struct wpabuf *msg;
enum http_reply_code ret;
struct subscription *s;
struct upnp_wps_device_interface *iface;
int err = 0;
wpa_printf(MSG_DEBUG, "WPS UPnP: SetSelectedRegistrar");
s = find_er(sm, cli);
if (s == NULL) {
wpa_printf(MSG_DEBUG, "WPS UPnP: Ignore SetSelectedRegistrar "
"from unknown ER");
return UPNP_ACTION_FAILED;
}
msg = xml_get_base64_item(data, "NewMessage", &ret);
if (msg == NULL)
return ret;
dl_list_for_each(iface, &sm->interfaces,
struct upnp_wps_device_interface, list) {
if (upnp_er_set_selected_registrar(iface->wps->registrar, s,
msg))
err = 1;
}
wpabuf_free(msg);
if (err)
return HTTP_INTERNAL_SERVER_ERROR;
*replyname = NULL;
*reply = NULL;
return HTTP_OK;
}
static const char *soap_prefix =
"<?xml version=\"1.0\"?>\n"
"<s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" "
"s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">\n"
"<s:Body>\n";
static const char *soap_postfix =
"</s:Body>\n</s:Envelope>\n";
static const char *soap_error_prefix =
"<s:Fault>\n"
"<faultcode>s:Client</faultcode>\n"
"<faultstring>UPnPError</faultstring>\n"
"<detail>\n"
"<UPnPError xmlns=\"urn:schemas-upnp-org:control-1-0\">\n";
static const char *soap_error_postfix =
"<errorDescription>Error</errorDescription>\n"
"</UPnPError>\n"
"</detail>\n"
"</s:Fault>\n";
static void web_connection_send_reply(struct http_request *req,
enum http_reply_code ret,
const char *action, int action_len,
const struct wpabuf *reply,
const char *replyname)
{
struct wpabuf *buf;
char *replydata;
char *put_length_here = NULL;
char *body_start = NULL;
if (reply) {
size_t len;
replydata = (char *) base64_encode(wpabuf_head(reply),
wpabuf_len(reply), &len);
} else
replydata = NULL;
/* Parameters of the response:
* action(action_len) -- action we are responding to
* replyname -- a name we need for the reply
* replydata -- NULL or null-terminated string
*/
buf = wpabuf_alloc(1000 + (replydata ? os_strlen(replydata) : 0U) +
(action_len > 0 ? action_len * 2 : 0));
if (buf == NULL) {
wpa_printf(MSG_INFO, "WPS UPnP: Cannot allocate reply to "
"POST");
os_free(replydata);
http_request_deinit(req);
return;
}
/*
* Assuming we will be successful, put in the output header first.
* Note: we do not keep connections alive (and httpread does
* not support it)... therefore we must have Connection: close.
*/
if (ret == HTTP_OK) {
wpabuf_put_str(buf,
"HTTP/1.1 200 OK\r\n"
"Content-Type: text/xml; "
"charset=\"utf-8\"\r\n");
} else {
wpabuf_printf(buf, "HTTP/1.1 %d Error\r\n", ret);
}
wpabuf_put_str(buf, http_connection_close);
wpabuf_put_str(buf, "Content-Length: ");
/*
* We will paste the length in later, leaving some extra whitespace.
* HTTP code is supposed to be tolerant of extra whitespace.
*/
put_length_here = wpabuf_put(buf, 0);
wpabuf_put_str(buf, " \r\n");
http_put_date(buf);
/* terminating empty line */
wpabuf_put_str(buf, "\r\n");
body_start = wpabuf_put(buf, 0);
if (ret == HTTP_OK) {
wpabuf_put_str(buf, soap_prefix);
wpabuf_put_str(buf, "<u:");
wpabuf_put_data(buf, action, action_len);
wpabuf_put_str(buf, "Response xmlns:u=\"");
wpabuf_put_str(buf, urn_wfawlanconfig);
wpabuf_put_str(buf, "\">\n");
if (replydata && replyname) {
/* TODO: might possibly need to escape part of reply
* data? ...
* probably not, unlikely to have ampersand(&) or left
* angle bracket (<) in it...
*/
wpabuf_printf(buf, "<%s>", replyname);
wpabuf_put_str(buf, replydata);
wpabuf_printf(buf, "</%s>\n", replyname);
}
wpabuf_put_str(buf, "</u:");
wpabuf_put_data(buf, action, action_len);
wpabuf_put_str(buf, "Response>\n");
wpabuf_put_str(buf, soap_postfix);
} else {
/* Error case */
wpabuf_put_str(buf, soap_prefix);
wpabuf_put_str(buf, soap_error_prefix);
wpabuf_printf(buf, "<errorCode>%d</errorCode>\n", ret);
wpabuf_put_str(buf, soap_error_postfix);
wpabuf_put_str(buf, soap_postfix);
}
os_free(replydata);
/* Now patch in the content length at the end */
if (body_start && put_length_here) {
int body_length = (char *) wpabuf_put(buf, 0) - body_start;
char len_buf[10];
os_snprintf(len_buf, sizeof(len_buf), "%d", body_length);
os_memcpy(put_length_here, len_buf, os_strlen(len_buf));
}
http_request_send_and_deinit(req, buf);
}
static const char * web_get_action(struct http_request *req,
size_t *action_len)
{
const char *match;
int match_len;
char *b;
char *action;
*action_len = 0;
/* The SOAPAction line of the header tells us what we want to do */
b = http_request_get_hdr_line(req, "SOAPAction:");
if (b == NULL)
return NULL;
if (*b == '"')
b++;
else
return NULL;
match = urn_wfawlanconfig;
match_len = os_strlen(urn_wfawlanconfig) - 1;
if (os_strncasecmp(b, match, match_len))
return NULL;
b += match_len;
/* skip over version */
while (isgraph(*b) && *b != '#')
b++;
if (*b != '#')
return NULL;
b++;
/* Following the sharp(#) should be the action and a double quote */
action = b;
while (isgraph(*b) && *b != '"')
b++;
if (*b != '"')
return NULL;
*action_len = b - action;
return action;
}
/* Given that we have received a header w/ POST, act upon it
*
* Format of POST (case-insensitive):
*
* First line must be:
* POST /<file> HTTP/1.1
* Since we don't do anything fancy we just ignore other lines.
*
* Our response (if no error) which includes only required lines is:
* HTTP/1.1 200 OK
* Connection: close
* Content-Type: text/xml
* Date: <rfc1123-date>
*
* Header lines must end with \r\n
* Per RFC 2616, content-length: is not required but connection:close
* would appear to be required (given that we will be closing it!).
*/
static void web_connection_parse_post(struct upnp_wps_device_sm *sm,
struct sockaddr_in *cli,
struct http_request *req,
const char *filename)
{
enum http_reply_code ret;
char *data = http_request_get_data(req); /* body of http msg */
const char *action = NULL;
size_t action_len = 0;
const char *replyname = NULL; /* argument name for the reply */
struct wpabuf *reply = NULL; /* data for the reply */
if (os_strcasecmp(filename, UPNP_WPS_DEVICE_CONTROL_FILE)) {
wpa_printf(MSG_INFO, "WPS UPnP: Invalid POST filename %s",
filename);
ret = HTTP_NOT_FOUND;
goto bad;
}
ret = UPNP_INVALID_ACTION;
action = web_get_action(req, &action_len);
if (action == NULL)
goto bad;
if (!os_strncasecmp("GetDeviceInfo", action, action_len))
ret = web_process_get_device_info(sm, &reply, &replyname);
else if (!os_strncasecmp("PutMessage", action, action_len))
ret = web_process_put_message(sm, data, &reply, &replyname);
else if (!os_strncasecmp("PutWLANResponse", action, action_len))
ret = web_process_put_wlan_response(sm, data, &reply,
&replyname);
else if (!os_strncasecmp("SetSelectedRegistrar", action, action_len))
ret = web_process_set_selected_registrar(sm, cli, data, &reply,
&replyname);
else
wpa_printf(MSG_INFO, "WPS UPnP: Unknown POST type");
bad:
if (ret != HTTP_OK)
wpa_printf(MSG_INFO, "WPS UPnP: POST failure ret=%d", ret);
web_connection_send_reply(req, ret, action, action_len, reply,
replyname);
wpabuf_free(reply);
}
/* Given that we have received a header w/ SUBSCRIBE, act upon it
*
* Format of SUBSCRIBE (case-insensitive):
*
* First line must be:
* SUBSCRIBE /wps_event HTTP/1.1
*
* Our response (if no error) which includes only required lines is:
* HTTP/1.1 200 OK
* Server: xx, UPnP/1.0, xx
* SID: uuid:xxxxxxxxx
* Timeout: Second-<n>
* Content-Length: 0
* Date: xxxx
*
* Header lines must end with \r\n
* Per RFC 2616, content-length: is not required but connection:close
* would appear to be required (given that we will be closing it!).
*/
static void web_connection_parse_subscribe(struct upnp_wps_device_sm *sm,
struct http_request *req,
const char *filename)
{
struct wpabuf *buf;
char *b;
char *hdr = http_request_get_hdr(req);
char *h;
char *match;
int match_len;
char *end;
int len;
int got_nt = 0;
u8 uuid[UUID_LEN];
int got_uuid = 0;
char *callback_urls = NULL;
struct subscription *s = NULL;
enum http_reply_code ret = HTTP_INTERNAL_SERVER_ERROR;
buf = wpabuf_alloc(1000);
if (buf == NULL) {
http_request_deinit(req);
return;
}
wpa_hexdump_ascii(MSG_DEBUG, "WPS UPnP: HTTP SUBSCRIBE",
(u8 *) hdr, os_strlen(hdr));
/* Parse/validate headers */
h = hdr;
/* First line: SUBSCRIBE /wps_event HTTP/1.1
* has already been parsed.
*/
if (os_strcasecmp(filename, UPNP_WPS_DEVICE_EVENT_FILE) != 0) {
ret = HTTP_PRECONDITION_FAILED;
goto error;
}
wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP SUBSCRIBE for event");
end = os_strchr(h, '\n');
for (; end != NULL; h = end + 1) {
/* Option line by option line */
h = end + 1;
end = os_strchr(h, '\n');
if (end == NULL)
break; /* no unterminated lines allowed */
/* NT assures that it is our type of subscription;
* not used for a renewal.
**/
match = "NT:";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) == 0) {
h += match_len;
while (*h == ' ' || *h == '\t')
h++;
match = "upnp:event";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) != 0) {
ret = HTTP_BAD_REQUEST;
goto error;
}
got_nt = 1;
continue;
}
/* HOST should refer to us */
#if 0
match = "HOST:";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) == 0) {
h += match_len;
while (*h == ' ' || *h == '\t')
h++;
.....
}
#endif
/* CALLBACK gives one or more URLs for NOTIFYs
* to be sent as a result of the subscription.
* Each URL is enclosed in angle brackets.
*/
match = "CALLBACK:";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) == 0) {
h += match_len;
while (*h == ' ' || *h == '\t')
h++;
len = end - h;
os_free(callback_urls);
callback_urls = dup_binstr(h, len);
if (callback_urls == NULL) {
ret = HTTP_INTERNAL_SERVER_ERROR;
goto error;
}
continue;
}
/* SID is only for renewal */
match = "SID:";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) == 0) {
h += match_len;
while (*h == ' ' || *h == '\t')
h++;
match = "uuid:";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) != 0) {
ret = HTTP_BAD_REQUEST;
goto error;
}
h += match_len;
while (*h == ' ' || *h == '\t')
h++;
if (uuid_str2bin(h, uuid)) {
ret = HTTP_BAD_REQUEST;
goto error;
}
got_uuid = 1;
continue;
}
/* TIMEOUT is requested timeout, but apparently we can
* just ignore this.
*/
}
if (got_uuid) {
/* renewal */
wpa_printf(MSG_DEBUG, "WPS UPnP: Subscription renewal");
if (callback_urls) {
ret = HTTP_BAD_REQUEST;
goto error;
}
s = subscription_renew(sm, uuid);
if (s == NULL) {
char str[80];
uuid_bin2str(uuid, str, sizeof(str));
wpa_printf(MSG_DEBUG, "WPS UPnP: Could not find "
"SID %s", str);
ret = HTTP_PRECONDITION_FAILED;
goto error;
}
} else if (callback_urls) {
wpa_printf(MSG_DEBUG, "WPS UPnP: New subscription");
if (!got_nt) {
ret = HTTP_PRECONDITION_FAILED;
goto error;
}
s = subscription_start(sm, callback_urls);
if (s == NULL) {
ret = HTTP_INTERNAL_SERVER_ERROR;
goto error;
}
} else {
ret = HTTP_PRECONDITION_FAILED;
goto error;
}
/* success */
http_put_reply_code(buf, HTTP_OK);
wpabuf_put_str(buf, http_server_hdr);
wpabuf_put_str(buf, http_connection_close);
wpabuf_put_str(buf, "Content-Length: 0\r\n");
wpabuf_put_str(buf, "SID: uuid:");
/* subscription id */
b = wpabuf_put(buf, 0);
uuid_bin2str(s->uuid, b, 80);
wpa_printf(MSG_DEBUG, "WPS UPnP: Assigned SID %s", b);
wpabuf_put(buf, os_strlen(b));
wpabuf_put_str(buf, "\r\n");
wpabuf_printf(buf, "Timeout: Second-%d\r\n", UPNP_SUBSCRIBE_SEC);
http_put_date(buf);
/* And empty line to terminate header: */
wpabuf_put_str(buf, "\r\n");
os_free(callback_urls);
http_request_send_and_deinit(req, buf);
return;
error:
/* Per UPnP spec:
* Errors
* Incompatible headers
* 400 Bad Request. If SID header and one of NT or CALLBACK headers
* are present, the publisher must respond with HTTP error
* 400 Bad Request.
* Missing or invalid CALLBACK
* 412 Precondition Failed. If CALLBACK header is missing or does not
* contain a valid HTTP URL, the publisher must respond with HTTP
* error 412 Precondition Failed.
* Invalid NT
* 412 Precondition Failed. If NT header does not equal upnp:event,
* the publisher must respond with HTTP error 412 Precondition
* Failed.
* [For resubscription, use 412 if unknown uuid].
* Unable to accept subscription
* 5xx. If a publisher is not able to accept a subscription (such as
* due to insufficient resources), it must respond with a
* HTTP 500-series error code.
* 599 Too many subscriptions (not a standard HTTP error)
*/
wpa_printf(MSG_DEBUG, "WPS UPnP: SUBSCRIBE failed - return %d", ret);
http_put_empty(buf, ret);
http_request_send_and_deinit(req, buf);
os_free(callback_urls);
}
/* Given that we have received a header w/ UNSUBSCRIBE, act upon it
*
* Format of UNSUBSCRIBE (case-insensitive):
*
* First line must be:
* UNSUBSCRIBE /wps_event HTTP/1.1
*
* Our response (if no error) which includes only required lines is:
* HTTP/1.1 200 OK
* Content-Length: 0
*
* Header lines must end with \r\n
* Per RFC 2616, content-length: is not required but connection:close
* would appear to be required (given that we will be closing it!).
*/
static void web_connection_parse_unsubscribe(struct upnp_wps_device_sm *sm,
struct http_request *req,
const char *filename)
{
struct wpabuf *buf;
char *hdr = http_request_get_hdr(req);
char *h;
char *match;
int match_len;
char *end;
u8 uuid[UUID_LEN];
int got_uuid = 0;
struct subscription *s = NULL;
enum http_reply_code ret = HTTP_INTERNAL_SERVER_ERROR;
/* Parse/validate headers */
h = hdr;
/* First line: UNSUBSCRIBE /wps_event HTTP/1.1
* has already been parsed.
*/
if (os_strcasecmp(filename, UPNP_WPS_DEVICE_EVENT_FILE) != 0) {
ret = HTTP_PRECONDITION_FAILED;
goto send_msg;
}
wpa_printf(MSG_DEBUG, "WPS UPnP: HTTP UNSUBSCRIBE for event");
end = os_strchr(h, '\n');
for (; end != NULL; h = end + 1) {
/* Option line by option line */
h = end + 1;
end = os_strchr(h, '\n');
if (end == NULL)
break; /* no unterminated lines allowed */
/* HOST should refer to us */
#if 0
match = "HOST:";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) == 0) {
h += match_len;
while (*h == ' ' || *h == '\t')
h++;
.....
}
#endif
/* SID is only for renewal */
match = "SID:";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) == 0) {
h += match_len;
while (*h == ' ' || *h == '\t')
h++;
match = "uuid:";
match_len = os_strlen(match);
if (os_strncasecmp(h, match, match_len) != 0) {
ret = HTTP_BAD_REQUEST;
goto send_msg;
}
h += match_len;
while (*h == ' ' || *h == '\t')
h++;
if (uuid_str2bin(h, uuid)) {
ret = HTTP_BAD_REQUEST;
goto send_msg;
}
got_uuid = 1;
continue;
}
}
if (got_uuid) {
s = subscription_find(sm, uuid);
if (s) {
struct subscr_addr *sa;
sa = dl_list_first(&s->addr_list, struct subscr_addr,
list);
wpa_printf(MSG_DEBUG, "WPS UPnP: Unsubscribing %p %s",
s, (sa && sa->domain_and_port) ?
sa->domain_and_port : "-null-");
dl_list_del(&s->list);
subscription_destroy(s);
}
} else {
wpa_printf(MSG_INFO, "WPS UPnP: Unsubscribe fails (not "
"found)");
ret = HTTP_PRECONDITION_FAILED;
goto send_msg;
}
ret = HTTP_OK;
send_msg:
buf = wpabuf_alloc(200);
if (buf == NULL) {
http_request_deinit(req);
return;
}
http_put_empty(buf, ret);
http_request_send_and_deinit(req, buf);
}
/* Send error in response to unknown requests */
static void web_connection_unimplemented(struct http_request *req)
{
struct wpabuf *buf;
buf = wpabuf_alloc(200);
if (buf == NULL) {
http_request_deinit(req);
return;
}
http_put_empty(buf, HTTP_UNIMPLEMENTED);
http_request_send_and_deinit(req, buf);
}
/* Called when we have gotten an apparently valid http request.
*/
static void web_connection_check_data(void *ctx, struct http_request *req)
{
struct upnp_wps_device_sm *sm = ctx;
enum httpread_hdr_type htype = http_request_get_type(req);
char *filename = http_request_get_uri(req);
struct sockaddr_in *cli = http_request_get_cli_addr(req);
if (!filename) {
wpa_printf(MSG_INFO, "WPS UPnP: Could not get HTTP URI");
http_request_deinit(req);
return;
}
/* Trim leading slashes from filename */
while (*filename == '/')
filename++;
wpa_printf(MSG_DEBUG, "WPS UPnP: Got HTTP request type %d from %s:%d",
htype, inet_ntoa(cli->sin_addr), htons(cli->sin_port));
switch (htype) {
case HTTPREAD_HDR_TYPE_GET:
web_connection_parse_get(sm, req, filename);
break;
case HTTPREAD_HDR_TYPE_POST:
web_connection_parse_post(sm, cli, req, filename);
break;
case HTTPREAD_HDR_TYPE_SUBSCRIBE:
web_connection_parse_subscribe(sm, req, filename);
break;
case HTTPREAD_HDR_TYPE_UNSUBSCRIBE:
web_connection_parse_unsubscribe(sm, req, filename);
break;
/* We are not required to support M-POST; just plain
* POST is supposed to work, so we only support that.
* If for some reason we need to support M-POST, it is
* mostly the same as POST, with small differences.
*/
default:
/* Send 501 for anything else */
web_connection_unimplemented(req);
break;
}
}
/*
* Listening for web connections
* We have a single TCP listening port, and hand off connections as we get
* them.
*/
void web_listener_stop(struct upnp_wps_device_sm *sm)
{
http_server_deinit(sm->web_srv);
sm->web_srv = NULL;
}
int web_listener_start(struct upnp_wps_device_sm *sm)
{
struct in_addr addr;
addr.s_addr = sm->ip_addr;
sm->web_srv = http_server_init(&addr, -1, web_connection_check_data,
sm);
if (sm->web_srv == NULL) {
web_listener_stop(sm);
return -1;
}
sm->web_port = http_server_get_port(sm->web_srv);
return 0;
}