HS 2.0 server: Clear remediation requirement for certificate credentials

Previous implementation updated user database only for username/password
credentials. While client certificates do not need the updated password
to be written, they do need the remediation requirement to be cleared,
so fix that.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
Jouni Malinen 2018-12-04 00:11:37 +02:00 committed by Jouni Malinen
parent 34341b09b4
commit 2166651b0c

View file

@ -41,6 +41,7 @@ enum hs20_session_operation {
POLICY_REMEDIATION, POLICY_REMEDIATION,
POLICY_UPDATE, POLICY_UPDATE,
FREE_REMEDIATION, FREE_REMEDIATION,
CLEAR_REMEDIATION,
}; };
@ -521,6 +522,27 @@ static int update_password(struct hs20_svc *ctx, const char *user,
} }
static int clear_remediation(struct hs20_svc *ctx, const char *user,
const char *realm, int dmacc)
{
char *cmd;
cmd = sqlite3_mprintf("UPDATE users SET remediation='' WHERE %s=%Q",
dmacc ? "osu_user" : "identity",
user);
if (cmd == NULL)
return -1;
debug_print(ctx, 1, "DB: %s", cmd);
if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
debug_print(ctx, 1, "Failed to update database for user '%s'",
user);
}
sqlite3_free(cmd);
return 0;
}
static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent) static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent)
{ {
xml_node_t *node; xml_node_t *node;
@ -780,8 +802,9 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
xml_node_free(ctx->xml, cred); xml_node_free(ctx->xml, cred);
if (cert) { if (cert) {
debug_print(ctx, 1, "Certificate credential - no need for DB " debug_print(ctx, 1, "Request DB remediation clearing on success notification (certificate credential)");
"password update on success notification"); db_add_session(ctx, user, realm, session_id, NULL, NULL,
CLEAR_REMEDIATION, NULL);
} else { } else {
debug_print(ctx, 1, "Request DB password update on success " debug_print(ctx, 1, "Request DB password update on success "
"notification"); "notification");
@ -2236,6 +2259,29 @@ static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx,
session_id, "Updated user password " session_id, "Updated user password "
"in database", NULL); "in database", NULL);
} }
if (oper == CLEAR_REMEDIATION) {
debug_print(ctx, 1,
"Clear remediation requirement for user '%s' in DB",
user);
if (clear_remediation(ctx, user, realm, dmacc) < 0) {
debug_print(ctx, 1,
"Failed to clear remediation requirement for user '%s' in DB",
user);
ret = build_spp_exchange_complete(
ctx, session_id, "Error occurred",
"Other");
hs20_eventlog_node(ctx, user, realm,
session_id,
"Failed to update database",
ret);
db_remove_session(ctx, user, realm, session_id);
return ret;
}
hs20_eventlog(ctx, user, realm,
session_id,
"Cleared remediation requirement in database",
NULL);
}
if (oper == SUBSCRIPTION_REGISTRATION) { if (oper == SUBSCRIPTION_REGISTRATION) {
if (add_subscription(ctx, session_id) < 0) { if (add_subscription(ctx, session_id) < 0) {
debug_print(ctx, 1, "Failed to add " debug_print(ctx, 1, "Failed to add "