aboutsummaryrefslogtreecommitdiffstats
path: root/hs20
diff options
context:
space:
mode:
authorJouni Malinen <jouni@codeaurora.org>2018-12-03 22:11:37 (GMT)
committerJouni Malinen <j@w1.fi>2018-12-03 22:34:10 (GMT)
commit2166651b0c262248fa64c22a2426b6c9cff94ca2 (patch)
tree3b8ebff585cfb6c4ba4f4feafdd32897c5414034 /hs20
parent34341b09b4323589460e7db3d758f6764715d2f8 (diff)
downloadhostap-2166651b0c262248fa64c22a2426b6c9cff94ca2.zip
hostap-2166651b0c262248fa64c22a2426b6c9cff94ca2.tar.gz
hostap-2166651b0c262248fa64c22a2426b6c9cff94ca2.tar.bz2
HS 2.0 server: Clear remediation requirement for certificate credentials
Previous implementation updated user database only for username/password credentials. While client certificates do not need the updated password to be written, they do need the remediation requirement to be cleared, so fix that. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Diffstat (limited to 'hs20')
-rw-r--r--hs20/server/spp_server.c50
1 files changed, 48 insertions, 2 deletions
diff --git a/hs20/server/spp_server.c b/hs20/server/spp_server.c
index d9014a6..3600f57 100644
--- a/hs20/server/spp_server.c
+++ b/hs20/server/spp_server.c
@@ -41,6 +41,7 @@ enum hs20_session_operation {
POLICY_REMEDIATION,
POLICY_UPDATE,
FREE_REMEDIATION,
+ CLEAR_REMEDIATION,
};
@@ -521,6 +522,27 @@ static int update_password(struct hs20_svc *ctx, const char *user,
}
+static int clear_remediation(struct hs20_svc *ctx, const char *user,
+ const char *realm, int dmacc)
+{
+ char *cmd;
+
+ cmd = sqlite3_mprintf("UPDATE users SET remediation='' WHERE %s=%Q",
+ dmacc ? "osu_user" : "identity",
+ user);
+ if (cmd == NULL)
+ return -1;
+ debug_print(ctx, 1, "DB: %s", cmd);
+ if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
+ debug_print(ctx, 1, "Failed to update database for user '%s'",
+ user);
+ }
+ sqlite3_free(cmd);
+
+ return 0;
+}
+
+
static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent)
{
xml_node_t *node;
@@ -780,8 +802,9 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
xml_node_free(ctx->xml, cred);
if (cert) {
- debug_print(ctx, 1, "Certificate credential - no need for DB "
- "password update on success notification");
+ debug_print(ctx, 1, "Request DB remediation clearing on success notification (certificate credential)");
+ db_add_session(ctx, user, realm, session_id, NULL, NULL,
+ CLEAR_REMEDIATION, NULL);
} else {
debug_print(ctx, 1, "Request DB password update on success "
"notification");
@@ -2236,6 +2259,29 @@ static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx,
session_id, "Updated user password "
"in database", NULL);
}
+ if (oper == CLEAR_REMEDIATION) {
+ debug_print(ctx, 1,
+ "Clear remediation requirement for user '%s' in DB",
+ user);
+ if (clear_remediation(ctx, user, realm, dmacc) < 0) {
+ debug_print(ctx, 1,
+ "Failed to clear remediation requirement for user '%s' in DB",
+ user);
+ ret = build_spp_exchange_complete(
+ ctx, session_id, "Error occurred",
+ "Other");
+ hs20_eventlog_node(ctx, user, realm,
+ session_id,
+ "Failed to update database",
+ ret);
+ db_remove_session(ctx, user, realm, session_id);
+ return ret;
+ }
+ hs20_eventlog(ctx, user, realm,
+ session_id,
+ "Cleared remediation requirement in database",
+ NULL);
+ }
if (oper == SUBSCRIPTION_REGISTRATION) {
if (add_subscription(ctx, session_id) < 0) {
debug_print(ctx, 1, "Failed to add "