authorJouni Malinen <jouni@codeaurora.org>2018-12-04 00:11:37 +0200
committerJouni Malinen <j@w1.fi>2018-12-04 00:34:10 +0200
commit2166651b0c262248fa64c22a2426b6c9cff94ca2 (patch)
tree3b8ebff585cfb6c4ba4f4feafdd32897c5414034 /hs20
parent34341b09b4323589460e7db3d758f6764715d2f8 (diff)
HS 2.0 server: Clear remediation requirement for certificate credentials
The previous implementation updated the user database only for username/password credentials. While client certificates do not need an updated password to be written, they do need the remediation requirement to be cleared, so fix that.
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Diffstat (limited to 'hs20')
-rw-r--r--hs20/server/spp_server.c50
1 files changed, 48 insertions, 2 deletions
diff --git a/hs20/server/spp_server.c b/hs20/server/spp_server.c
index d9014a6a6..3600f571f 100644
--- a/hs20/server/spp_server.c
+++ b/hs20/server/spp_server.c
@@ -41,6 +41,7 @@ enum hs20_session_operation {
POLICY_REMEDIATION,
POLICY_UPDATE,
FREE_REMEDIATION,
+ CLEAR_REMEDIATION,
};
@@ -521,6 +522,27 @@ static int update_password(struct hs20_svc *ctx, const char *user,
}
+static int clear_remediation(struct hs20_svc *ctx, const char *user,
+ const char *realm, int dmacc)
+{
+ char *cmd;
+
+ cmd = sqlite3_mprintf("UPDATE users SET remediation='' WHERE %s=%Q",
+ dmacc ? "osu_user" : "identity",
+ user);
+ if (cmd == NULL)
+ return -1;
+ debug_print(ctx, 1, "DB: %s", cmd);
+ if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
+ debug_print(ctx, 1, "Failed to update database for user '%s'",
+ user);
+ }
+ sqlite3_free(cmd);
+
+ return 0;
+}
+
+
static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent)
{
xml_node_t *node;
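Review bot: clear_remediation returns 0 even when sqlite3_exec() fails on the UPDATE, so the `< 0` branch added in hs20_spp_update_response (the last hunk) is only reached when sqlite3_mprintf() fails, and the "Cleared remediation requirement in database" event is logged while the remediation flag is still set in the database. Propagating the failure would make the caller's error path meaningful: declare `int ret = 0;`, set `ret = -1;` inside the failed-exec branch, and end with `return ret;`. If update_password handles a failed UPDATE the same way, the same fix applies there; its body is outside the hunk. The realm parameter is accepted but not used in the query, which is fine if the users table is keyed by identity/osu_user alone, but a short comment saying so would stop a reader from assuming the lookup is realm-scoped.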
@@ -780,8 +802,9 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
xml_node_free(ctx->xml, cred);
if (cert) {
- debug_print(ctx, 1, "Certificate credential - no need for DB "
- "password update on success notification");
+ debug_print(ctx, 1, "Request DB remediation clearing on success notification (certificate credential)");
+ db_add_session(ctx, user, realm, session_id, NULL, NULL,
+ CLEAR_REMEDIATION, NULL);
} else {
debug_print(ctx, 1, "Request DB password update on success "
"notification");
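Review bot: The return value of the added db_add_session() call is ignored, so if the session cannot be recorded, the later success notification finds no pending CLEAR_REMEDIATION operation and the remediation requirement silently stays set; whether the username/password branch below checks it is not visible in this hunk. If db_add_session() reports failure through its return value, the failure should at least be logged, e.g. `if (db_add_session(ctx, user, realm, session_id, NULL, NULL, CLEAR_REMEDIATION, NULL) < 0)` followed by `debug_print(ctx, 1, "Failed to add session for remediation clearing");`. The new debug_print() line also runs well past the column width the surrounding code keeps, as do the two long string literals in the last hunk; splitting them like the replaced message would match the file's style. build_sub_rem_resp begins and ends outside the hunk.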
@@ -2236,6 +2259,29 @@ static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx,
session_id, "Updated user password "
"in database", NULL);
}
+ if (oper == CLEAR_REMEDIATION) {
+ debug_print(ctx, 1,
+ "Clear remediation requirement for user '%s' in DB",
+ user);
+ if (clear_remediation(ctx, user, realm, dmacc) < 0) {
+ debug_print(ctx, 1,
+ "Failed to clear remediation requirement for user '%s' in DB",
+ user);
+ ret = build_spp_exchange_complete(
+ ctx, session_id, "Error occurred",
+ "Other");
+ hs20_eventlog_node(ctx, user, realm,
+ session_id,
+ "Failed to update database",
+ ret);
+ db_remove_session(ctx, user, realm, session_id);
+ return ret;
+ }
+ hs20_eventlog(ctx, user, realm,
+ session_id,
+ "Cleared remediation requirement in database",
+ NULL);
+ }
if (oper == SUBSCRIPTION_REGISTRATION) {
if (add_subscription(ctx, session_id) < 0) {
debug_print(ctx, 1, "Failed to add "