WPS ER: Allow AP filtering based on IP address

wps_er_start command now takes an optional parameter that can be used
to configure a filter to only allow UPnP SSDP messages from the
specified IP address. In practice, this limits the WPS ER operations
to a single AP and filters out all other devices in the network.

diff --git a/src/wps/wps.h b/src/wps/wps.h
index 1fd1e52bbd77c65d11f8b4c4c59bb8e04f9b3032..2ddb81b0bfe91933280665fdf02bb4c6a325ca35 100644 (file)
--- a/src/wps/wps.h
+++ b/src/wps/wps.h
@@ -718,7 +718,8 @@ int wps_process_oob(struct wps_context *wps, struct oob_device_data *oob_dev,
                    int registrar);
 int wps_attr_text(struct wpabuf *data, char *buf, char *end);
 
-struct wps_er * wps_er_init(struct wps_context *wps, const char *ifname);
+struct wps_er * wps_er_init(struct wps_context *wps, const char *ifname,
+                           const char *filter);
 void wps_er_refresh(struct wps_er *er);
 void wps_er_deinit(struct wps_er *er, void (*cb)(void *ctx), void *ctx);
 void wps_er_set_sel_reg(struct wps_er *er, int sel_reg, u16 dev_passwd_id,

diff --git a/src/wps/wps_er.c b/src/wps/wps_er.c
index d750ecdb2204ff46b22c21b3efef2dd1228b34df..e088567ac79b7a4ec207ba519ff374fd8ae235d5 100644 (file)
--- a/src/wps/wps_er.c
+++ b/src/wps/wps_er.c
@@ -1151,7 +1151,7 @@ static void wps_er_http_req(void *ctx, struct http_request *req)
 
 
 struct wps_er *
-wps_er_init(struct wps_context *wps, const char *ifname)
+wps_er_init(struct wps_context *wps, const char *ifname, const char *filter)
 {
        struct wps_er *er;
        struct in_addr addr;
@@ -1173,6 +1173,16 @@ wps_er_init(struct wps_context *wps, const char *ifname)
                return NULL;
        }
 
+       if (filter) {
+               if (inet_aton(filter, &er->filter_addr) == 0) {
+                       wpa_printf(MSG_INFO, "WPS UPnP: Invalid filter "
+                                  "address %s", filter);
+                       wps_er_deinit(er, NULL, NULL);
+                       return NULL;
+               }
+               wpa_printf(MSG_DEBUG, "WPS UPnP: Only accepting connections "
+                          "with %s", filter);
+       }
        if (get_netif_info(ifname, &er->ip_addr, &er->ip_addr_text,
                           er->mac_addr)) {
                wpa_printf(MSG_INFO, "WPS UPnP: Could not get IP/MAC address "

diff --git a/src/wps/wps_er.h b/src/wps/wps_er.h
index b13b950fbeaa68f90e33584eaf2a69f017cfa786..af07d5ec5184d2acbccb48e5a46f5b06395663a3 100644 (file)
--- a/src/wps/wps_er.h
+++ b/src/wps/wps_er.h
@@ -90,6 +90,7 @@ struct wps_er {
        int deinitializing;
        void (*deinit_done_cb)(void *ctx);
        void *deinit_done_ctx;
+       struct in_addr filter_addr;
 };
 
 

diff --git a/src/wps/wps_er_ssdp.c b/src/wps/wps_er_ssdp.c
index f108435d1eb92e89cbe69574e14bc55e84c60763..55cd105e52a874d226156239244faf465242b6a4 100644 (file)
--- a/src/wps/wps_er_ssdp.c
+++ b/src/wps/wps_er_ssdp.c
@@ -41,6 +41,9 @@ static void wps_er_ssdp_rx(int sd, void *eloop_ctx, void *sock_ctx)
        if (nread <= 0)
                return;
        buf[nread] = '\0';
+       if (er->filter_addr.s_addr &&
+           er->filter_addr.s_addr != addr.sin_addr.s_addr)
+               return;
 
        wpa_printf(MSG_DEBUG, "WPS ER: Received SSDP from %s",
                   inet_ntoa(addr.sin_addr));

diff --git a/wpa_supplicant/ctrl_iface.c b/wpa_supplicant/ctrl_iface.c
index d4383e79945e23abc2ed0ba8044ee7334c623b4e..7df65c1f4126475da44d5ed84bcdde00d385bf97 100644 (file)
--- a/wpa_supplicant/ctrl_iface.c
+++ b/wpa_supplicant/ctrl_iface.c
@@ -1793,7 +1793,10 @@ char * wpa_supplicant_ctrl_iface_process(struct wpa_supplicant *wpa_s,
                        reply_len = -1;
 #ifdef CONFIG_WPS_ER
        } else if (os_strcmp(buf, "WPS_ER_START") == 0) {
-               if (wpas_wps_er_start(wpa_s))
+               if (wpas_wps_er_start(wpa_s, NULL))
+                       reply_len = -1;
+       } else if (os_strncmp(buf, "WPS_ER_START ", 13) == 0) {
+               if (wpas_wps_er_start(wpa_s, buf + 13))
                        reply_len = -1;
        } else if (os_strcmp(buf, "WPS_ER_STOP") == 0) {
                if (wpas_wps_er_stop(wpa_s))

diff --git a/wpa_supplicant/wpa_cli.c b/wpa_supplicant/wpa_cli.c
index 162a0b82884bcb972210e3b505da24c01391036c..bd258ab55a7a714b0e5f0282997725726a976677 100644 (file)
--- a/wpa_supplicant/wpa_cli.c
+++ b/wpa_supplicant/wpa_cli.c
@@ -651,8 +651,12 @@ static int wpa_cli_cmd_wps_reg(struct wpa_ctrl *ctrl, int argc, char *argv[])
 static int wpa_cli_cmd_wps_er_start(struct wpa_ctrl *ctrl, int argc,
                                    char *argv[])
 {
+       char cmd[100];
+       if (argc > 0) {
+               os_snprintf(cmd, sizeof(cmd), "WPS_ER_START %s", argv[0]);
+               return wpa_ctrl_command(ctrl, cmd);
+       }
        return wpa_ctrl_command(ctrl, "WPS_ER_START");
-
 }
 
 
@@ -1630,7 +1634,7 @@ static struct wpa_cli_cmd wpa_cli_commands[] = {
          "<BSSID> <AP PIN> = start WPS Registrar to configure an AP" },
        { "wps_er_start", wpa_cli_cmd_wps_er_start,
          cli_cmd_flag_none,
-         "= start Wi-Fi Protected Setup External Registrar" },
+         "[IP address] = start Wi-Fi Protected Setup External Registrar" },
        { "wps_er_stop", wpa_cli_cmd_wps_er_stop,
          cli_cmd_flag_none,
          "= stop Wi-Fi Protected Setup External Registrar" },

diff --git a/wpa_supplicant/wps_supplicant.c b/wpa_supplicant/wps_supplicant.c
index ba94d330b46379c7adc47890f9745419496a9585..28526daad89e53829dd40cfbece4d249f082bf7b 100644 (file)
--- a/wpa_supplicant/wps_supplicant.c
+++ b/wpa_supplicant/wps_supplicant.c
@@ -1099,14 +1099,14 @@ int wpas_wps_scan_result_text(const u8 *ies, size_t ies_len, char *buf,
 }
 
 
-int wpas_wps_er_start(struct wpa_supplicant *wpa_s)
+int wpas_wps_er_start(struct wpa_supplicant *wpa_s, const char *filter)
 {
 #ifdef CONFIG_WPS_ER
        if (wpa_s->wps_er) {
                wps_er_refresh(wpa_s->wps_er);
                return 0;
        }
-       wpa_s->wps_er = wps_er_init(wpa_s->wps, wpa_s->ifname);
+       wpa_s->wps_er = wps_er_init(wpa_s->wps, wpa_s->ifname, filter);
        if (wpa_s->wps_er == NULL)
                return -1;
        return 0;

diff --git a/wpa_supplicant/wps_supplicant.h b/wpa_supplicant/wps_supplicant.h
index ba2fb1620b0702e087ed4cde22918b702305be66..ab45c0f9d760eec35b1450b7280d1bdd214f5af6 100644 (file)
--- a/wpa_supplicant/wps_supplicant.h
+++ b/wpa_supplicant/wps_supplicant.h
@@ -52,7 +52,7 @@ void wpas_wps_notify_scan_results(struct wpa_supplicant *wpa_s);
 int wpas_wps_searching(struct wpa_supplicant *wpa_s);
 int wpas_wps_scan_result_text(const u8 *ies, size_t ies_len, char *pos,
                              char *end);
-int wpas_wps_er_start(struct wpa_supplicant *wpa_s);
+int wpas_wps_er_start(struct wpa_supplicant *wpa_s, const char *filter);
 int wpas_wps_er_stop(struct wpa_supplicant *wpa_s);
 int wpas_wps_er_add_pin(struct wpa_supplicant *wpa_s, const char *uuid,
                        const char *pin);