From d97cf2a1176c1227173649bb191b033916017776 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 22 Jan 2019 23:31:06 +0200
Subject: [PATCH] HS 2.0 server: Use noMOUpdate in client certificate subrem

There is no point in trying to update the Credential node with the existing contents in case of subscription remediation using a client certificate instead of a username/password credential, so use the noMOUpdate in that case.

Signed-off-by: Jouni Malinen
---
 hs20/server/spp_server.c | 42 ++++++++++++++++++++++------------------
 1 file changed, 23 insertions(+), 19 deletions(-)
diff --git a/hs20/server/spp_server.c b/hs20/server/spp_server.c
index bb833bff1..d848278fb 100644
--- a/hs20/server/spp_server.c
+++ b/hs20/server/spp_server.c
@@ -799,30 +799,32 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
 xml_node_t *spp_node, *cred;
 char buf[400];
 char new_pw[33];
- char *real_user = NULL;
 char *status;
 char *cert;
- if (dmacc) {
- real_user = db_get_val(ctx, user, realm, "identity", dmacc);
- if (real_user == NULL) {
- debug_print(ctx, 1, "Could not find user identity for "
- "dmacc user '%s'", user);
- return NULL;
- }
- }
-
 cert = db_get_val(ctx, user, realm, "cert", dmacc);
 if (cert && cert[0] == '\0') {
 os_free(cert);
 cert = NULL;
 }
 if (cert) {
- cred = build_credential_cert(ctx, real_user ? real_user : user,
- realm, cert);
+ /* No change needed in PPS MO */
+ cred = NULL;
 } else {
+ char *real_user = NULL;
 char *pw;
+ if (dmacc) {
+ real_user = db_get_val(ctx, user, realm, "identity",
+ dmacc);
+ if (!real_user) {
+ debug_print(ctx, 1,
+ "Could not find user identity for dmacc user '%s'",
+ user);
+ return NULL;
+ }
+ }
+
 pw = db_get_session_val(ctx, user, realm, session_id, "password");
 if (pw && pw[0]) {
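Review bot: The added `cred = NULL;` in the `if (cert)` branch makes a NULL `cred` the signal for "client certificate, emit noMOUpdate", but the comment `/* No change needed in PPS MO */` does not say that a later check depends on it. I would spell that out, e.g. `/* Client certificate: PPS MO unchanged; cred == NULL selects noMOUpdate below */`. Moving the `dmacc` identity lookup into the `else` branch also means the certificate path no longer fails when `db_get_val(..., "identity", dmacc)` finds nothing, so a dmacc session without an identity row now appears to continue to the success status; please confirm that dropping this check for certificate users is intended. build_sub_rem_resp starts and ends outside the hunk.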
@@ -838,12 +840,13 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
 real_user ? real_user : user, realm, new_pw, sizeof(new_pw));
 }
- }
- free(real_user);
- if (!cred) {
- debug_print(ctx, 1, "Could not build credential");
- os_free(cert);
- return NULL;
+
+ free(real_user);
+ if (!cred) {
+ debug_print(ctx, 1, "Could not build credential");
+ os_free(cert);
+ return NULL;
+ }
 }
 status = "Remediation complete, request sppUpdateResponse";
@@ -859,7 +862,8 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
 "./Wi-Fi/%s/PerProviderSubscription/Cred01/Credential", realm);
- if (add_update_node(ctx, spp_node, ns, buf, cred) < 0) {
+ if ((cred && add_update_node(ctx, spp_node, ns, buf, cred) < 0) ||
+ (!cred && !xml_node_create(ctx->xml, spp_node, ns, "noMOUpdate"))) {
 debug_print(ctx, 1, "Could not add update node");
 xml_node_free(ctx->xml, spp_node);
 os_free(cert);
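Review bot: The relocated `free(real_user);` releases a `db_get_val()` result with `free()`, while `cert`, which comes from the same function, is released with `os_free()` two lines further down. Since the line is being moved anyway, `os_free(real_user);` would keep the release calls consistent; whether the two wrappers can ever differ in this build is not visible here. The `os_free(cert);` inside the moved `if (!cred)` block now runs only on the password path, where `cert` is NULL by construction of the earlier `if (cert) ... else`, so it is harmless but could be dropped or given a short comment.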
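Review bot: Both halves of the new combined condition fall into the same `"Could not add update node"` message, so a failed `xml_node_create()` for `noMOUpdate` cannot be told apart in the log from a failed `add_update_node()`. Choosing the text on `cred`, e.g. `debug_print(ctx, 1, cred ? "Could not add update node" : "Could not add noMOUpdate node");`, keeps the single error path and makes the server log accurate when certificate remediations fail. A one-line comment above the `if` stating that `cred` is NULL only for client-certificate credentials would also help, because that invariant is established in an earlier branch and not at this site. The error block's closing lines are outside the hunk.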