HS 2.0 server: Clear remediation requirement for certificate credentials
authorJouni Malinen <jouni@codeaurora.org>
Mon, 3 Dec 2018 22:11:37 +0000 (00:11 +0200)
committerJouni Malinen <j@w1.fi>
Mon, 3 Dec 2018 22:34:10 +0000 (00:34 +0200)
Previous implementation updated user database only for username/password
credentials. While client certificates do not need the updated password
to be written, they do need the remediation requirement to be cleared,
so fix that.

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
hs20/server/spp_server.c

index d9014a6a699147296e34d797f60ed4db6415bd7e..3600f571fe71376f1790348fd45962fdf3975280 100644 (file)
@@ -41,6 +41,7 @@ enum hs20_session_operation {
        POLICY_REMEDIATION,
        POLICY_UPDATE,
        FREE_REMEDIATION,
+       CLEAR_REMEDIATION,
 };
 
 
@@ -521,6 +522,27 @@ static int update_password(struct hs20_svc *ctx, const char *user,
 }
 
 
+static int clear_remediation(struct hs20_svc *ctx, const char *user,
+                            const char *realm, int dmacc)
+{
+       char *cmd;
+
+       cmd = sqlite3_mprintf("UPDATE users SET remediation='' WHERE %s=%Q",
+                             dmacc ? "osu_user" : "identity",
+                             user);
+       if (cmd == NULL)
+               return -1;
+       debug_print(ctx, 1, "DB: %s", cmd);
+       if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
+               debug_print(ctx, 1, "Failed to update database for user '%s'",
+                           user);
+       }
+       sqlite3_free(cmd);
+
+       return 0;
+}
+
+
 static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent)
 {
        xml_node_t *node;
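Review bot: clear_remediation reports success even when the database update fails: the `!= SQLITE_OK` branch only logs and then falls through to `return 0`, so the `if (clear_remediation(ctx, user, realm, dmacc) < 0)` check in the hs20_spp_update_response hunk can only fire on sqlite3_mprintf failure, and a failed UPDATE is answered to the client and written to the event log as "Cleared remediation requirement in database". Unless this mirrors a deliberate best-effort policy in update_password (whose body lies outside the hunk), the exec failure should be propagated, e.g. `sqlite3_free(cmd); return -1;` inside the failure branch, keeping the unconditional free for the success path. The `realm` parameter is never referenced in the body; if it is kept only for signature symmetry with update_password, a one-line comment such as `/* realm unused: kept for parity with update_password() */` would document that. add_eap_ttls, whose header is the last lines of this hunk, continues outside it.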
@@ -780,8 +802,9 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
        xml_node_free(ctx->xml, cred);
 
        if (cert) {
-               debug_print(ctx, 1, "Certificate credential - no need for DB "
-                           "password update on success notification");
+               debug_print(ctx, 1, "Request DB remediation clearing on success notification (certificate credential)");
+               db_add_session(ctx, user, realm, session_id, NULL, NULL,
+                              CLEAR_REMEDIATION, NULL);
        } else {
                debug_print(ctx, 1, "Request DB password update on success "
                            "notification");
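Review bot: The return value of `db_add_session(ctx, user, realm, session_id, NULL, NULL, CLEAR_REMEDIATION, NULL);` on the certificate branch is discarded, so if recording the pending CLEAR_REMEDIATION operation fails, the later success notification finds no such operation and the remediation requirement is never cleared, while the response is still built as if the clearing were queued. If db_add_session signals failure through its return value (its definition and the else branch's own handling are outside this hunk), at least logging it, e.g. `if (db_add_session(...) < 0) debug_print(ctx, 1, "Failed to add CLEAR_REMEDIATION session for user '%s'", user);`, would leave a trace for the operator. build_sub_rem_resp begins and ends outside the hunk.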
@@ -2236,6 +2259,29 @@ static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx,
                                      session_id, "Updated user password "
                                      "in database", NULL);
                }
+               if (oper == CLEAR_REMEDIATION) {
+                       debug_print(ctx, 1,
+                                   "Clear remediation requirement for user '%s' in DB",
+                                   user);
+                       if (clear_remediation(ctx, user, realm, dmacc) < 0) {
+                               debug_print(ctx, 1,
+                                           "Failed to clear remediation requirement for user '%s' in DB",
+                                           user);
+                               ret = build_spp_exchange_complete(
+                                       ctx, session_id, "Error occurred",
+                                       "Other");
+                               hs20_eventlog_node(ctx, user, realm,
+                                                  session_id,
+                                                  "Failed to update database",
+                                                  ret);
+                               db_remove_session(ctx, user, realm, session_id);
+                               return ret;
+                       }
+                       hs20_eventlog(ctx, user, realm,
+                                     session_id,
+                                     "Cleared remediation requirement in database",
+                                     NULL);
+               }
                if (oper == SUBSCRIPTION_REGISTRATION) {
                        if (add_subscription(ctx, session_id) < 0) {
                                debug_print(ctx, 1, "Failed to add "