HS 2.0 server: Do not set phase2=1 for certificate-based users

Certificate-based users are not really using Phase 2, so use a more appropriate
configuration when going through online signup for client certificates.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Jouni Malinen 2018-12-03 23:45:32 +02:00 committed by Jouni Malinen
parent 6ff4241797
commit 34341b09b4


@ -290,8 +290,7 @@ static void db_update_mo_str(struct hs20_svc *ctx, const char *user,
char *sql; char *sql;
if (user == NULL || realm == NULL || name == NULL) if (user == NULL || realm == NULL || name == NULL)
return; return;
sql = sqlite3_mprintf("UPDATE users SET %s=%Q " sql = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
"WHERE identity=%Q AND realm=%Q AND phase2=1",
name, str, user, realm); name, str, user, realm);
if (sql == NULL) if (sql == NULL)
return; return;
@ -413,8 +412,7 @@ static char * db_get_val(struct hs20_svc *ctx, const char *user,
char *cmd; char *cmd;
struct get_db_field_data data; struct get_db_field_data data;
cmd = sqlite3_mprintf("SELECT %s FROM users WHERE " cmd = sqlite3_mprintf("SELECT %s FROM users WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
"%s=%Q AND realm=%Q AND phase2=1",
field, dmacc ? "osu_user" : "identity", field, dmacc ? "osu_user" : "identity",
user, realm); user, realm);
if (cmd == NULL) if (cmd == NULL)
@ -443,8 +441,7 @@ static int db_update_val(struct hs20_svc *ctx, const char *user,
char *cmd; char *cmd;
int ret; int ret;
cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE " cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
"%s=%Q AND realm=%Q AND phase2=1",
field, val, dmacc ? "osu_user" : "identity", user, field, val, dmacc ? "osu_user" : "identity", user,
realm); realm);
if (cmd == NULL) if (cmd == NULL)
@ -2065,8 +2062,9 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id)
str = db_get_session_val(ctx, NULL, NULL, session_id, "mac_addr"); str = db_get_session_val(ctx, NULL, NULL, session_id, "mac_addr");
sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr) VALUES (%Q,%Q,1,%Q,%Q,%Q,%d,%Q)", sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr) VALUES (%Q,%Q,%d,%Q,%Q,%Q,%d,%Q)",
user, realm, cert ? "TLS" : "TTLS-MSCHAPV2", user, realm, cert ? 0 : 1,
cert ? "TLS" : "TTLS-MSCHAPV2",
fingerprint ? fingerprint : "", fingerprint ? fingerprint : "",
cert_pem ? cert_pem : "", cert_pem ? cert_pem : "",
pw_mm && atoi(pw_mm) ? 1 : 0, pw_mm && atoi(pw_mm) ? 1 : 0,
@ -2088,8 +2086,7 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id)
else else
ret = update_password(ctx, user, realm, pw, 0); ret = update_password(ctx, user, realm, pw, 0);
if (ret < 0) { if (ret < 0) {
sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND " sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
"realm=%Q AND phase2=1",
user, realm); user, realm);
if (sql) { if (sql) {
debug_print(ctx, 1, "DB: %s", sql); debug_print(ctx, 1, "DB: %s", sql);
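Review bot: The new predicate `(phase2=1 OR methods='TLS')` is hand-copied into four SQL strings (db_update_mo_str, db_get_val, db_update_val and the DELETE in add_subscription), so any other query in this file that still selects subscription rows with a bare `phase2=1` would now silently skip certificate-based users, which the INSERT hunk creates with `phase2=0`, and the next change to the rule has to be repeated in every copy. Consider defining the clause once, e.g. `#define HS20_USER_MATCH "(phase2=1 OR methods='TLS')"`, and building each query as `"... AND realm=%Q AND " HS20_USER_MATCH` so the selection rule has a single point of change. Separately, the rewritten strings still splice the column names `name` and `field` in with `%s`, which sqlite3_mprintf does not quote, so they must keep coming only from fixed literals in the callers (the callers are not shown here); a one-line comment stating that contract above db_get_val would make it explicit. All of the enclosing functions start and end outside the hunks.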