From 34341b09b4323589460e7db3d758f6764715d2f8 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Mon, 3 Dec 2018 23:45:32 +0200
Subject: [PATCH] HS 2.0 server: Do not set phase2=1 for certificate-based users

These are not really using Phase 2, so use more appropriate configuration when going through online signup for client certificates.

Signed-off-by: Jouni Malinen
---
 hs20/server/spp_server.c | 17 +++++++----------
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/hs20/server/spp_server.c b/hs20/server/spp_server.c
index e5af4c255..d9014a6a6 100644
--- a/hs20/server/spp_server.c
+++ b/hs20/server/spp_server.c
@@ -290,8 +290,7 @@ static void db_update_mo_str(struct hs20_svc *ctx, const char *user,
 	char *sql;
 	if (user == NULL || realm == NULL || name == NULL)
 		return;
-	sql = sqlite3_mprintf("UPDATE users SET %s=%Q "
-			      "WHERE identity=%Q AND realm=%Q AND phase2=1",
+	sql = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
 			      name, str, user, realm);
 	if (sql == NULL)
 		return;
@@ -413,8 +412,7 @@ static char * db_get_val(struct hs20_svc *ctx, const char *user,
 	char *cmd;
 	struct get_db_field_data data;
-	cmd = sqlite3_mprintf("SELECT %s FROM users WHERE "
-			      "%s=%Q AND realm=%Q AND phase2=1",
+	cmd = sqlite3_mprintf("SELECT %s FROM users WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
 			      field, dmacc ? "osu_user" : "identity", user, realm);
 	if (cmd == NULL)
@@ -443,8 +441,7 @@ static int db_update_val(struct hs20_svc *ctx, const char *user,
 	char *cmd;
 	int ret;
-	cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE "
-			      "%s=%Q AND realm=%Q AND phase2=1",
+	cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
 			      field, val, dmacc ? "osu_user" : "identity", user, realm);
 	if (cmd == NULL)
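Review bot: The new match predicate `(phase2=1 OR methods='TLS')` is spelled out as a separate literal in db_update_mo_str here and again in db_get_val, db_update_val and the rollback DELETE in add_subscription, so the next change to how certificate-based subscriptions are recognised has to be repeated in every query — the same way the old `phase2=1` filter silently left them out. One file-scope macro, e.g. `#define USERS_MATCH_SQL "(phase2=1 OR methods='TLS')"`, used by string-literal concatenation as `"UPDATE users SET %s=%Q WHERE identity=%Q AND realm=%Q AND " USERS_MATCH_SQL,` keeps the rule in one place and also brings the joined lines back under the 80-column width the surrounding code keeps. Comparing `methods` with `'TLS'` is an exact string match, so this presumably relies on the column holding a single method name rather than a list; worth confirming against where the column is written. db_update_mo_str's body starts before the hunk and continues past it.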
@@ -2065,8 +2062,9 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id)
 	str = db_get_session_val(ctx, NULL, NULL, session_id, "mac_addr");
-	sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr) VALUES (%Q,%Q,1,%Q,%Q,%Q,%d,%Q)",
-			     user, realm, cert ? "TLS" : "TTLS-MSCHAPV2",
+	sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr) VALUES (%Q,%Q,%d,%Q,%Q,%Q,%d,%Q)",
+			     user, realm, cert ? 0 : 1,
+			     cert ? "TLS" : "TTLS-MSCHAPV2",
 			     fingerprint ? fingerprint : "",
 			     cert_pem ? cert_pem : "",
 			     pw_mm && atoi(pw_mm) ? 1 : 0,
@@ -2088,8 +2086,7 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id)
 	else
 		ret = update_password(ctx, user, realm, pw, 0);
 	if (ret < 0) {
-		sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND "
-				      "realm=%Q AND phase2=1",
+		sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
 				      user, realm);
 		if (sql) {
 			debug_print(ctx, 1, "DB: %s", sql);
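Review bot: The INSERT now encodes the same decision twice — `cert ? 0 : 1` for phase2 and `cert ? "TLS" : "TTLS-MSCHAPV2"` for methods — and nothing at the call site records that the user lookup queries elsewhere in this file recognise certificate-based rows by `methods='TLS'` rather than by phase2. A comment above the sqlite3_mprintf call would carry that dependency: `/* EAP-TLS subscriptions do not use Phase 2, so phase2=0; the user lookups match them on methods='TLS' instead. */`. add_subscription's body starts before the hunk and continues past it.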
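Review bot: The rollback DELETE now matches every row with this identity and realm whose phase2 is 1 or whose methods is 'TLS', not only the row this function just inserted, so if a certificate-based row for the same identity/realm could already exist before the INSERT it would be removed as well when update_password fails. Whether that can happen depends on how `user` is generated, which is outside the hunk; if uniqueness is not guaranteed, deleting by the rowid captured with `sqlite3_last_insert_rowid()` right after the INSERT (`"DELETE FROM users WHERE rowid=%lld"`) ties the cleanup to the row this call created. The enclosing function starts before the hunk and the cleanup branch continues past it.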