mirror of
https://github.com/vanhoefm/fragattacks.git
synced 2024-11-28 18:28:23 -05:00
HS 2.0 server: Do not set phase2=1 for certificate-based users
These are not really using Phase 2, so use more appropriate configuration when going through online signup for client certificates. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
6ff4241797
commit
34341b09b4
@ -290,8 +290,7 @@ static void db_update_mo_str(struct hs20_svc *ctx, const char *user,
|
|||||||
char *sql;
|
char *sql;
|
||||||
if (user == NULL || realm == NULL || name == NULL)
|
if (user == NULL || realm == NULL || name == NULL)
|
||||||
return;
|
return;
|
||||||
sql = sqlite3_mprintf("UPDATE users SET %s=%Q "
|
sql = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
|
||||||
"WHERE identity=%Q AND realm=%Q AND phase2=1",
|
|
||||||
name, str, user, realm);
|
name, str, user, realm);
|
||||||
if (sql == NULL)
|
if (sql == NULL)
|
||||||
return;
|
return;
|
||||||
@ -413,8 +412,7 @@ static char * db_get_val(struct hs20_svc *ctx, const char *user,
|
|||||||
char *cmd;
|
char *cmd;
|
||||||
struct get_db_field_data data;
|
struct get_db_field_data data;
|
||||||
|
|
||||||
cmd = sqlite3_mprintf("SELECT %s FROM users WHERE "
|
cmd = sqlite3_mprintf("SELECT %s FROM users WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
|
||||||
"%s=%Q AND realm=%Q AND phase2=1",
|
|
||||||
field, dmacc ? "osu_user" : "identity",
|
field, dmacc ? "osu_user" : "identity",
|
||||||
user, realm);
|
user, realm);
|
||||||
if (cmd == NULL)
|
if (cmd == NULL)
|
||||||
@ -443,8 +441,7 @@ static int db_update_val(struct hs20_svc *ctx, const char *user,
|
|||||||
char *cmd;
|
char *cmd;
|
||||||
int ret;
|
int ret;
|
||||||
|
|
||||||
cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE "
|
cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
|
||||||
"%s=%Q AND realm=%Q AND phase2=1",
|
|
||||||
field, val, dmacc ? "osu_user" : "identity", user,
|
field, val, dmacc ? "osu_user" : "identity", user,
|
||||||
realm);
|
realm);
|
||||||
if (cmd == NULL)
|
if (cmd == NULL)
|
||||||
@ -2065,8 +2062,9 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id)
|
|||||||
|
|
||||||
str = db_get_session_val(ctx, NULL, NULL, session_id, "mac_addr");
|
str = db_get_session_val(ctx, NULL, NULL, session_id, "mac_addr");
|
||||||
|
|
||||||
sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr) VALUES (%Q,%Q,1,%Q,%Q,%Q,%d,%Q)",
|
sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr) VALUES (%Q,%Q,%d,%Q,%Q,%Q,%d,%Q)",
|
||||||
user, realm, cert ? "TLS" : "TTLS-MSCHAPV2",
|
user, realm, cert ? 0 : 1,
|
||||||
|
cert ? "TLS" : "TTLS-MSCHAPV2",
|
||||||
fingerprint ? fingerprint : "",
|
fingerprint ? fingerprint : "",
|
||||||
cert_pem ? cert_pem : "",
|
cert_pem ? cert_pem : "",
|
||||||
pw_mm && atoi(pw_mm) ? 1 : 0,
|
pw_mm && atoi(pw_mm) ? 1 : 0,
|
||||||
@ -2088,8 +2086,7 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id)
|
|||||||
else
|
else
|
||||||
ret = update_password(ctx, user, realm, pw, 0);
|
ret = update_password(ctx, user, realm, pw, 0);
|
||||||
if (ret < 0) {
|
if (ret < 0) {
|
||||||
sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND "
|
sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
|
||||||
"realm=%Q AND phase2=1",
|
|
||||||
user, realm);
|
user, realm);
|
||||||
if (sql) {
|
if (sql) {
|
||||||
debug_print(ctx, 1, "DB: %s", sql);
|
debug_print(ctx, 1, "DB: %s", sql);
|
||||||
|
Loading…
Reference in New Issue
Block a user