HS 2.0 server: Clear remediation requirement for certificate credentials

Previous implementation updated user database only for username/password credentials. While client certificates do not need the updated password to be written, they do need the remediation requirement to be cleared, so fix that. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
6 years ago · 2166651b0c
parent 34341b09b4
commit 2166651b0c
1 changed files with 48 additions and 2 deletions
--- a/hs20/server/spp_server.c
+++ b/hs20/server/spp_server.c
@ -41,6 +41,7 @@ enum hs20_session_operation {
 	POLICY_REMEDIATION,
 	POLICY_UPDATE,
 	FREE_REMEDIATION,
+	CLEAR_REMEDIATION,
 };


@ -521,6 +522,27 @@ static int update_password(struct hs20_svc *ctx, const char *user,
 }


+static int clear_remediation(struct hs20_svc *ctx, const char *user,
+			     const char *realm, int dmacc)
+{
+	char *cmd;
+
+	cmd = sqlite3_mprintf("UPDATE users SET remediation='' WHERE %s=%Q",
+			      dmacc ? "osu_user" : "identity",
+			      user);
+	if (cmd == NULL)
+		return -1;
+	debug_print(ctx, 1, "DB: %s", cmd);
+	if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
+		debug_print(ctx, 1, "Failed to update database for user '%s'",
+			    user);
+	}
+	sqlite3_free(cmd);
+
+	return 0;
+}
+
+
 static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent)
 {
 	xml_node_t *node;
@ -780,8 +802,9 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
 	xml_node_free(ctx->xml, cred);

 	if (cert) {
-		debug_print(ctx, 1, "Certificate credential - no need for DB "
-			    "password update on success notification");
+		debug_print(ctx, 1, "Request DB remediation clearing on success notification (certificate credential)");
+		db_add_session(ctx, user, realm, session_id, NULL, NULL,
+			       CLEAR_REMEDIATION, NULL);
 	} else {
 		debug_print(ctx, 1, "Request DB password update on success "
 			    "notification");
@ -2236,6 +2259,29 @@ static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx,
 				      session_id, "Updated user password "
 				      "in database", NULL);
 		}
+		if (oper == CLEAR_REMEDIATION) {
+			debug_print(ctx, 1,
+				    "Clear remediation requirement for user '%s' in DB",
+				    user);
+			if (clear_remediation(ctx, user, realm, dmacc) < 0) {
+				debug_print(ctx, 1,
+					    "Failed to clear remediation requirement for user '%s' in DB",
+					    user);
+				ret = build_spp_exchange_complete(
+					ctx, session_id, "Error occurred",
+					"Other");
+				hs20_eventlog_node(ctx, user, realm,
+						   session_id,
+						   "Failed to update database",
+						   ret);
+				db_remove_session(ctx, user, realm, session_id);
+				return ret;
+			}
+			hs20_eventlog(ctx, user, realm,
+				      session_id,
+				      "Cleared remediation requirement in database",
+				      NULL);
+		}
 		if (oper == SUBSCRIPTION_REGISTRATION) {
 			if (add_subscription(ctx, session_id) < 0) {
 				debug_print(ctx, 1, "Failed to add "