HS 2.0 server: Store device MAC address into database
This is needed for tracking status of certificate enrollment cases. Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
This commit is contained in:
parent
31157568f2
commit
cc6263ef60
@ -57,19 +57,26 @@ static int db_add_session(struct hs20_svc *ctx,
|
|||||||
const char *user, const char *realm,
|
const char *user, const char *realm,
|
||||||
const char *sessionid, const char *pw,
|
const char *sessionid, const char *pw,
|
||||||
const char *redirect_uri,
|
const char *redirect_uri,
|
||||||
enum hs20_session_operation operation)
|
enum hs20_session_operation operation,
|
||||||
|
const u8 *mac_addr)
|
||||||
{
|
{
|
||||||
char *sql;
|
char *sql;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
char addr[20];
|
||||||
|
|
||||||
|
if (mac_addr)
|
||||||
|
snprintf(addr, sizeof(addr), MACSTR, MAC2STR(mac_addr));
|
||||||
|
else
|
||||||
|
addr[0] = '\0';
|
||||||
sql = sqlite3_mprintf("INSERT INTO sessions(timestamp,id,user,realm,"
|
sql = sqlite3_mprintf("INSERT INTO sessions(timestamp,id,user,realm,"
|
||||||
"operation,password,redirect_uri) "
|
"operation,password,redirect_uri,mac_addr) "
|
||||||
"VALUES "
|
"VALUES "
|
||||||
"(strftime('%%Y-%%m-%%d %%H:%%M:%%f','now'),"
|
"(strftime('%%Y-%%m-%%d %%H:%%M:%%f','now'),"
|
||||||
"%Q,%Q,%Q,%d,%Q,%Q)",
|
"%Q,%Q,%Q,%d,%Q,%Q,%Q)",
|
||||||
sessionid, user ? user : "", realm ? realm : "",
|
sessionid, user ? user : "", realm ? realm : "",
|
||||||
operation, pw ? pw : "",
|
operation, pw ? pw : "",
|
||||||
redirect_uri ? redirect_uri : "");
|
redirect_uri ? redirect_uri : "",
|
||||||
|
addr);
|
||||||
if (sql == NULL)
|
if (sql == NULL)
|
||||||
return -1;
|
return -1;
|
||||||
debug_print(ctx, 1, "DB: %s", sql);
|
debug_print(ctx, 1, "DB: %s", sql);
|
||||||
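Review bot: The new `mac_addr` parameter of db_add_session carries no documentation of its NULL semantics: a NULL pointer becomes `addr[0] = '\0'` and is then stored through `%Q` as an empty string, not as SQL NULL, so readers of the `mac_addr` column cannot tell "no MAC supplied" from an empty value. I would add above the function `/* mac_addr: optional device MAC (ETH_ALEN bytes); NULL is stored as "" */`, or pass `addr[0] ? addr : NULL` to sqlite3_mprintf so that `%Q` emits SQL NULL for the absent case. Note that every caller touched by this commit except hs20_subscription_registration passes NULL. db_add_session's body continues past the end of the hunk.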
@ -742,7 +749,7 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
|
|||||||
debug_print(ctx, 1, "Request DB password update on success "
|
debug_print(ctx, 1, "Request DB password update on success "
|
||||||
"notification");
|
"notification");
|
||||||
db_add_session(ctx, user, realm, session_id, new_pw, NULL,
|
db_add_session(ctx, user, realm, session_id, new_pw, NULL,
|
||||||
UPDATE_PASSWORD);
|
UPDATE_PASSWORD, NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
return spp_node;
|
return spp_node;
|
||||||
@ -771,7 +778,7 @@ static xml_node_t * policy_remediation(struct hs20_svc *ctx,
|
|||||||
"requires policy remediation", NULL);
|
"requires policy remediation", NULL);
|
||||||
|
|
||||||
db_add_session(ctx, user, realm, session_id, NULL, NULL,
|
db_add_session(ctx, user, realm, session_id, NULL, NULL,
|
||||||
POLICY_REMEDIATION);
|
POLICY_REMEDIATION, NULL);
|
||||||
|
|
||||||
policy = build_policy(ctx, user, realm, dmacc);
|
policy = build_policy(ctx, user, realm, dmacc);
|
||||||
if (!policy) {
|
if (!policy) {
|
||||||
@ -844,7 +851,7 @@ static xml_node_t * user_remediation(struct hs20_svc *ctx, const char *user,
|
|||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
db_add_session(ctx, user, realm, session_id, NULL, redirect_uri,
|
db_add_session(ctx, user, realm, session_id, NULL, redirect_uri,
|
||||||
USER_REMEDIATION);
|
USER_REMEDIATION, NULL);
|
||||||
|
|
||||||
snprintf(uri, sizeof(uri), "%s%s", val, session_id);
|
snprintf(uri, sizeof(uri), "%s%s", val, session_id);
|
||||||
os_free(val);
|
os_free(val);
|
||||||
@ -866,7 +873,7 @@ static xml_node_t * free_remediation(struct hs20_svc *ctx,
|
|||||||
return NULL;
|
return NULL;
|
||||||
|
|
||||||
db_add_session(ctx, user, realm, session_id, NULL, redirect_uri,
|
db_add_session(ctx, user, realm, session_id, NULL, redirect_uri,
|
||||||
FREE_REMEDIATION);
|
FREE_REMEDIATION, NULL);
|
||||||
|
|
||||||
snprintf(uri, sizeof(uri), "%s%s", val, session_id);
|
snprintf(uri, sizeof(uri), "%s%s", val, session_id);
|
||||||
os_free(val);
|
os_free(val);
|
||||||
@ -1033,7 +1040,8 @@ static xml_node_t * hs20_policy_update(struct hs20_svc *ctx,
|
|||||||
"No update available at this time", NULL);
|
"No update available at this time", NULL);
|
||||||
}
|
}
|
||||||
|
|
||||||
db_add_session(ctx, user, realm, session_id, NULL, NULL, POLICY_UPDATE);
|
db_add_session(ctx, user, realm, session_id, NULL, NULL, POLICY_UPDATE,
|
||||||
|
NULL);
|
||||||
|
|
||||||
status = "Update complete, request sppUpdateResponse";
|
status = "Update complete, request sppUpdateResponse";
|
||||||
spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
|
spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
|
||||||
@ -1146,14 +1154,15 @@ static xml_node_t * spp_exec_upload_mo(struct hs20_svc *ctx,
|
|||||||
static xml_node_t * hs20_subscription_registration(struct hs20_svc *ctx,
|
static xml_node_t * hs20_subscription_registration(struct hs20_svc *ctx,
|
||||||
const char *realm,
|
const char *realm,
|
||||||
const char *session_id,
|
const char *session_id,
|
||||||
const char *redirect_uri)
|
const char *redirect_uri,
|
||||||
|
const u8 *mac_addr)
|
||||||
{
|
{
|
||||||
xml_namespace_t *ns;
|
xml_namespace_t *ns;
|
||||||
xml_node_t *spp_node, *exec_node;
|
xml_node_t *spp_node, *exec_node;
|
||||||
char uri[300], *val;
|
char uri[300], *val;
|
||||||
|
|
||||||
if (db_add_session(ctx, NULL, realm, session_id, NULL, redirect_uri,
|
if (db_add_session(ctx, NULL, realm, session_id, NULL, redirect_uri,
|
||||||
SUBSCRIPTION_REGISTRATION) < 0)
|
SUBSCRIPTION_REGISTRATION, mac_addr) < 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
val = db_get_osu_config_val(ctx, realm, "signup_url");
|
val = db_get_osu_config_val(ctx, realm, "signup_url");
|
||||||
if (val == NULL)
|
if (val == NULL)
|
||||||
@ -1606,11 +1615,12 @@ static xml_node_t * hs20_spp_post_dev_data(struct hs20_svc *ctx,
|
|||||||
char *req_reason_buf = NULL;
|
char *req_reason_buf = NULL;
|
||||||
char str[200];
|
char str[200];
|
||||||
xml_node_t *ret = NULL, *devinfo = NULL, *devdetail = NULL;
|
xml_node_t *ret = NULL, *devinfo = NULL, *devdetail = NULL;
|
||||||
xml_node_t *mo;
|
xml_node_t *mo, *macaddr;
|
||||||
char *version;
|
char *version;
|
||||||
int valid;
|
int valid;
|
||||||
char *supp, *pos;
|
char *supp, *pos;
|
||||||
char *err;
|
char *err;
|
||||||
|
u8 wifi_mac_addr[ETH_ALEN];
|
||||||
|
|
||||||
version = xml_node_get_attr_value_ns(ctx->xml, node, SPP_NS_URI,
|
version = xml_node_get_attr_value_ns(ctx->xml, node, SPP_NS_URI,
|
||||||
"sppVersion");
|
"sppVersion");
|
||||||
@ -1716,6 +1726,29 @@ static xml_node_t * hs20_spp_post_dev_data(struct hs20_svc *ctx,
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
os_free(err);
|
os_free(err);
|
||||||
|
|
||||||
|
os_memset(wifi_mac_addr, 0, ETH_ALEN);
|
||||||
|
macaddr = get_node(ctx->xml, devdetail,
|
||||||
|
"Ext/org.wi-fi/Wi-Fi/Wi-FiMACAddress");
|
||||||
|
if (macaddr) {
|
||||||
|
char *addr, buf[50];
|
||||||
|
|
||||||
|
addr = xml_node_get_text(ctx->xml, macaddr);
|
||||||
|
if (addr && hwaddr_compact_aton(addr, wifi_mac_addr) == 0) {
|
||||||
|
snprintf(buf, sizeof(buf), "DevDetail MAC address: "
|
||||||
|
MACSTR, MAC2STR(wifi_mac_addr));
|
||||||
|
hs20_eventlog(ctx, user, realm, session_id, buf, NULL);
|
||||||
|
xml_node_get_text_free(ctx->xml, addr);
|
||||||
|
} else {
|
||||||
|
hs20_eventlog(ctx, user, realm, session_id,
|
||||||
|
"Could not extract MAC address from DevDetail",
|
||||||
|
NULL);
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
hs20_eventlog(ctx, user, realm, session_id,
|
||||||
|
"No MAC address in DevDetail", NULL);
|
||||||
|
}
|
||||||
|
|
||||||
if (user)
|
if (user)
|
||||||
db_update_mo(ctx, user, realm, "devdetail", devdetail);
|
db_update_mo(ctx, user, realm, "devdetail", devdetail);
|
||||||
|
|
||||||
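Review bot: The string returned by `xml_node_get_text()` for the Wi-FiMACAddress node is released only on the success path; when `addr` is non-NULL but `hwaddr_compact_aton()` rejects it, the else branch logs and falls through without calling `xml_node_get_text_free()`, so every request carrying a malformed client-supplied MAC leaks that allocation. Keep the `if (addr && hwaddr_compact_aton(addr, wifi_mac_addr) == 0)` check, drop the free from inside it, and add `if (addr) xml_node_get_text_free(ctx->xml, addr);` after the if/else. Since the value comes straight from the device's DevDetail MO, this code only validates its format and does not verify it against anything else visible in the diff; a comment such as `/* Client-asserted value; format validated only */` would make that clear to anyone later relying on the stored address. hs20_spp_post_dev_data continues outside this hunk.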
@ -1762,7 +1795,7 @@ static xml_node_t * hs20_spp_post_dev_data(struct hs20_svc *ctx,
|
|||||||
else
|
else
|
||||||
oper = NO_OPERATION;
|
oper = NO_OPERATION;
|
||||||
if (db_add_session(ctx, user, realm, session_id, NULL,
|
if (db_add_session(ctx, user, realm, session_id, NULL,
|
||||||
NULL, oper) < 0)
|
NULL, oper, NULL) < 0)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
ret = spp_exec_upload_mo(ctx, session_id,
|
ret = spp_exec_upload_mo(ctx, session_id,
|
||||||
@ -1799,7 +1832,8 @@ static xml_node_t * hs20_spp_post_dev_data(struct hs20_svc *ctx,
|
|||||||
|
|
||||||
if (strcasecmp(req_reason, "Subscription registration") == 0) {
|
if (strcasecmp(req_reason, "Subscription registration") == 0) {
|
||||||
ret = hs20_subscription_registration(ctx, realm, session_id,
|
ret = hs20_subscription_registration(ctx, realm, session_id,
|
||||||
redirect_uri);
|
redirect_uri,
|
||||||
|
wifi_mac_addr);
|
||||||
hs20_eventlog_node(ctx, user, realm, session_id,
|
hs20_eventlog_node(ctx, user, realm, session_id,
|
||||||
"subscription registration response",
|
"subscription registration response",
|
||||||
ret);
|
ret);
|
||||||
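Review bot: `wifi_mac_addr` is passed unconditionally, so hs20_subscription_registration never receives NULL and db_add_session's NULL branch is unreachable from this call: when DevDetail had no MAC or it failed to parse, the `os_memset(..., 0, ETH_ALEN)` value from earlier in the function is stored as `00:00:00:00:00:00` rather than as an absent value. Consider recording whether the parse succeeded (a `have_mac` flag set next to the successful `hwaddr_compact_aton()` call) and passing `have_mac ? wifi_mac_addr : NULL`, so that neither the session row nor the later cert_enroll key carries a fabricated all-zero address. The enclosing function extends beyond both ends of this hunk.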
@ -1948,13 +1982,15 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id)
|
|||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,"
|
str = db_get_session_val(ctx, NULL, NULL, session_id, "mac_addr");
|
||||||
"methods,cert,cert_pem,machine_managed) VALUES "
|
|
||||||
"(%Q,%Q,1,%Q,%Q,%Q,%d)",
|
sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr) VALUES (%Q,%Q,1,%Q,%Q,%Q,%d,%Q)",
|
||||||
user, realm, cert ? "TLS" : "TTLS-MSCHAPV2",
|
user, realm, cert ? "TLS" : "TTLS-MSCHAPV2",
|
||||||
fingerprint ? fingerprint : "",
|
fingerprint ? fingerprint : "",
|
||||||
cert_pem ? cert_pem : "",
|
cert_pem ? cert_pem : "",
|
||||||
pw_mm && atoi(pw_mm) ? 1 : 0);
|
pw_mm && atoi(pw_mm) ? 1 : 0,
|
||||||
|
str ? str : "");
|
||||||
|
free(str);
|
||||||
if (sql == NULL)
|
if (sql == NULL)
|
||||||
goto out;
|
goto out;
|
||||||
debug_print(ctx, 1, "DB: %s", sql);
|
debug_print(ctx, 1, "DB: %s", sql);
|
||||||
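Review bot: The rewritten `sqlite3_mprintf("INSERT INTO users(...)")` call is collapsed onto one line far beyond 80 columns, whereas the original statement, and the neighbouring code in this file, wraps the SQL text across continuation string literals; keeping the previous wrapping with `,mac_addr` appended to the column list and `,%Q` appended to the values list would keep the style consistent. Separately, the value stored here is whatever `db_get_session_val()` returned for the session, which can be `""` when the session had no MAC, so `users.mac_addr` inherits the empty-string-means-absent convention without any comment saying so. add_subscription starts and continues outside this hunk.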
@ -1996,6 +2032,32 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id)
|
|||||||
free(str);
|
free(str);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (cert && user) {
|
||||||
|
const char *serialnum;
|
||||||
|
|
||||||
|
str = db_get_session_val(ctx, NULL, NULL, session_id,
|
||||||
|
"mac_addr");
|
||||||
|
|
||||||
|
if (os_strncmp(user, "cert-", 5) == 0)
|
||||||
|
serialnum = user + 5;
|
||||||
|
else
|
||||||
|
serialnum = "";
|
||||||
|
sql = sqlite3_mprintf("INSERT OR REPLACE INTO cert_enroll (mac_addr,user,realm,serialnum) VALUES(%Q,%Q,%Q,%Q)",
|
||||||
|
str ? str : "", user, realm ? realm : "",
|
||||||
|
serialnum);
|
||||||
|
free(str);
|
||||||
|
if (sql) {
|
||||||
|
debug_print(ctx, 1, "DB: %s", sql);
|
||||||
|
if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) !=
|
||||||
|
SQLITE_OK) {
|
||||||
|
debug_print(ctx, 1,
|
||||||
|
"Failed to add cert_enroll entry into sqlite database: %s",
|
||||||
|
sqlite3_errmsg(ctx->db));
|
||||||
|
}
|
||||||
|
sqlite3_free(sql);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
hs20_eventlog(ctx, user, realm, session_id,
|
hs20_eventlog(ctx, user, realm, session_id,
|
||||||
"completed subscription registration", NULL);
|
"completed subscription registration", NULL);
|
||||||
|
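Review bot: The `INSERT OR REPLACE INTO cert_enroll` statement uses the MAC address as the sole key, yet that value originated in the client's DevDetail MO and, as far as this diff shows, is never checked against anything the server controls; an enrolling device can therefore claim another device's MAC and silently overwrite its `user`/`realm`/`serialnum` row, and a session without a MAC gets the key `""` (from `str ? str : ""`), so all such enrollments replace one another. If the table is meant as a per-device status record, key it on something the server issues (the certificate serial number or the user) or at least use a plain `INSERT` and log the conflict instead of replacing. The failure path only logs via `debug_print` and leaves `ret` untouched, which matches the best-effort handling elsewhere in add_subscription, but that choice deserves a one-line comment such as `/* Tracking only; enrollment itself already succeeded */`. add_subscription starts before this hunk.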
@ -22,7 +22,8 @@ CREATE TABLE sessions(
|
|||||||
devinfo TEXT,
|
devinfo TEXT,
|
||||||
devdetail TEXT,
|
devdetail TEXT,
|
||||||
cert TEXT,
|
cert TEXT,
|
||||||
cert_pem TEXT
|
cert_pem TEXT,
|
||||||
|
mac_addr TEXT
|
||||||
);
|
);
|
||||||
|
|
||||||
CREATE index sessions_id_index ON sessions(id);
|
CREATE index sessions_id_index ON sessions(id);
|
||||||
@ -51,7 +52,8 @@ CREATE TABLE users(
|
|||||||
shared INTEGER,
|
shared INTEGER,
|
||||||
cert TEXT,
|
cert TEXT,
|
||||||
cert_pem TEXT,
|
cert_pem TEXT,
|
||||||
t_c_timestamp INTEGER
|
t_c_timestamp INTEGER,
|
||||||
|
mac_addr TEXT
|
||||||
);
|
);
|
||||||
|
|
||||||
CREATE TABLE wildcards(
|
CREATE TABLE wildcards(
|
||||||
@ -81,3 +83,10 @@ CREATE TABLE current_sessions(
|
|||||||
waiting_coa_ack BOOLEAN,
|
waiting_coa_ack BOOLEAN,
|
||||||
coa_ack_received BOOLEAN
|
coa_ack_received BOOLEAN
|
||||||
);
|
);
|
||||||
|
|
||||||
|
CREATE TABLE cert_enroll(
|
||||||
|
mac_addr TEXT PRIMARY KEY,
|
||||||
|
user TEXT,
|
||||||
|
realm TEXT,
|
||||||
|
serialnum TEXT
|
||||||
|
);
|
||||||
|
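Review bot: The schema changes add `mac_addr` to `sessions` and `users` and create `cert_enroll`, but sql.txt appears to be the fresh-database creation script only; if so, a server upgraded against a database created from the previous version will fail on the new `INSERT ... mac_addr` statements with a "no such column" error and `cert_enroll` will not exist. The commit should ship, or at least document, the migration: `ALTER TABLE sessions ADD COLUMN mac_addr TEXT;`, `ALTER TABLE users ADD COLUMN mac_addr TEXT;` plus the new `CREATE TABLE cert_enroll` statement. Also, `mac_addr TEXT PRIMARY KEY` makes a client-reported value the identity of the row; a schema comment noting that it is not guaranteed unique or trustworthy per device would help future readers.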
@ -314,7 +314,7 @@ echo "[<a href=\"users.php?cmd=eventlog&limit=50\">Eventlog</a>] ";
|
|||||||
echo "<br>\n";
|
echo "<br>\n";
|
||||||
|
|
||||||
echo "<table border=1>\n";
|
echo "<table border=1>\n";
|
||||||
echo "<tr><th>User<th>Realm<th>Remediation<th>Policy<th>Account type<th>Phase 2 method(s)<th>DevId<th>T&C\n";
|
echo "<tr><th>User<th>Realm<th>Remediation<th>Policy<th>Account type<th>Phase 2 method(s)<th>DevId<th>MAC Address<th>T&C\n";
|
||||||
|
|
||||||
$res = $db->query('SELECT rowid,* FROM users WHERE phase2=1');
|
$res = $db->query('SELECT rowid,* FROM users WHERE phase2=1');
|
||||||
foreach ($res as $row) {
|
foreach ($res as $row) {
|
||||||
@ -349,6 +349,7 @@ foreach ($res as $row) {
|
|||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
echo "<td>" . $row['mac_addr'];
|
||||||
echo "<td>" . $row['t_c_timestamp'];
|
echo "<td>" . $row['t_c_timestamp'];
|
||||||
echo "\n";
|
echo "\n";
|
||||||
}
|
}
|
||||||
|
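Review bot: `echo "<td>" . $row['mac_addr'];` prints the new column into HTML without escaping. As far as the server code in this commit shows, the value is always rebuilt by the server from `MACSTR` after `hwaddr_compact_aton()` succeeded, so it should contain only hex digits and colons, and the neighbouring columns are printed the same way, so this follows existing style; still, since the column is client-supplied at origin, a cheap defence is `echo "<td>" . htmlspecialchars($row['mac_addr']);` in case another writer ever fills the column.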