diff options
author | Hai Shalom <haishalom@google.com> | 2019-02-11 12:01:50 -0800 |
---|---|---|
committer | Peiyong Lin <lpy@google.com> | 2019-02-11 22:30:04 +0000 |
commit | bf6e0baa89b80019dee7ebfbee1fc34581255a19 (patch) | |
tree | fcd62236b41c2ce5b04923ba7a5a0213c8397ead /hs20 | |
parent | 39bc25d3a79c1375de430a7918d949c1a86f70c6 (diff) | |
download | wpa_supplicant_8-bf6e0baa89b80019dee7ebfbee1fc34581255a19.tar.gz |
Revert "[wpa_supplicant] Cumulative patch from c4e90da6d"
This reverts commit 39bc25d3a79c1375de430a7918d949c1a86f70c6.
Test: Compilation
Change-Id: Iae7670429466958911b5296cb1359bceecc0b03e
Exempt-From-Owner-Approval: Revert since it's breaking the build
Diffstat (limited to 'hs20')
-rw-r--r-- | hs20/client/.gitignore | 1 | ||||
-rw-r--r-- | hs20/client/Makefile | 5 | ||||
-rw-r--r-- | hs20/client/est.c | 13 | ||||
-rw-r--r-- | hs20/client/oma_dm_client.c | 6 | ||||
-rw-r--r-- | hs20/client/osu_client.c | 31 | ||||
-rw-r--r-- | hs20/server/Makefile | 10 | ||||
-rw-r--r-- | hs20/server/hs20-osu-server.txt | 5 | ||||
-rw-r--r-- | hs20/server/hs20_spp_server.c | 18 | ||||
-rw-r--r-- | hs20/server/spp_server.c | 630 | ||||
-rw-r--r-- | hs20/server/spp_server.h | 3 | ||||
-rw-r--r-- | hs20/server/sql.txt | 13 | ||||
-rw-r--r-- | hs20/server/www/est.php | 50 | ||||
-rw-r--r-- | hs20/server/www/spp.php | 34 | ||||
-rw-r--r-- | hs20/server/www/users.php | 14 |
14 files changed, 95 insertions, 738 deletions
diff --git a/hs20/client/.gitignore b/hs20/client/.gitignore deleted file mode 100644 index d2fd60fb..00000000 --- a/hs20/client/.gitignore +++ /dev/null @@ -1 +0,0 @@ -hs20-osu-client diff --git a/hs20/client/Makefile b/hs20/client/Makefile index 67f6f55c..fc9b6194 100644 --- a/hs20/client/Makefile +++ b/hs20/client/Makefile @@ -8,17 +8,12 @@ ifndef LDO LDO=$(CC) endif -ifeq ($(QUIET), 1) -Q=@ -E=true -else Q=@ E=echo ifeq ($(V), 1) Q= E=true endif -endif ifndef CFLAGS CFLAGS = -MMD -O2 -Wall -g diff --git a/hs20/client/est.c b/hs20/client/est.c index db65334b..b1aacb8f 100644 --- a/hs20/client/est.c +++ b/hs20/client/est.c @@ -16,7 +16,6 @@ #include <openssl/asn1t.h> #include <openssl/x509.h> #include <openssl/x509v3.h> -#include <openssl/opensslv.h> #ifdef OPENSSL_IS_BORINGSSL #include <openssl/buf.h> #endif /* OPENSSL_IS_BORINGSSL */ @@ -220,10 +219,6 @@ typedef struct { } d; } AttrOrOID; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(OPENSSL_IS_BORINGSSL) -DEFINE_STACK_OF(AttrOrOID) -#endif - typedef struct { int type; STACK_OF(AttrOrOID) *attrs; @@ -357,17 +352,9 @@ static void add_csrattrs(struct hs20_osu_client *ctx, CsrAttrs *csrattrs, } } #else /* OPENSSL_IS_BORINGSSL */ -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(OPENSSL_IS_BORINGSSL) - num = sk_AttrOrOID_num(csrattrs->attrs); -#else num = SKM_sk_num(AttrOrOID, csrattrs->attrs); -#endif for (i = 0; i < num; i++) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(OPENSSL_IS_BORINGSSL) - AttrOrOID *ao = sk_AttrOrOID_value(csrattrs->attrs, i); -#else AttrOrOID *ao = SKM_sk_value(AttrOrOID, csrattrs->attrs, i); -#endif switch (ao->type) { case 0: add_csrattrs_oid(ctx, ao->d.oid, exts); diff --git a/hs20/client/oma_dm_client.c b/hs20/client/oma_dm_client.c index d75c8456..5854b726 100644 --- a/hs20/client/oma_dm_client.c +++ b/hs20/client/oma_dm_client.c @@ -111,12 +111,6 @@ static xml_node_t * oma_dm_build_hdr(struct hs20_osu_client *ctx, xml_node_t *syncml, *synchdr; xml_namespace_t *ns; - if (!ctx->devid) { - wpa_printf(MSG_ERROR, - "DevId from devinfo.xml is not available - cannot use OMA DM"); - return NULL; - } - syncml = xml_node_create_root(ctx->xml, "SYNCML:SYNCML1.2", NULL, &ns, "SyncML"); diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c index b48903dc..9e1b0c72 100644 --- a/hs20/client/osu_client.c +++ b/hs20/client/osu_client.c @@ -117,8 +117,8 @@ static int android_update_permission(const char *path, mode_t mode) /* Allow processes running with Group ID as AID_WIFI, * to read files from SP, SP/<fqdn>, Cert and osu-info directories */ - if (lchown(path, -1, AID_WIFI)) { - wpa_printf(MSG_INFO, "CTRL: Could not lchown directory: %s", + if (chown(path, -1, AID_WIFI)) { + wpa_printf(MSG_INFO, "CTRL: Could not chown directory: %s", strerror(errno)); return -1; } @@ -3068,17 +3068,24 @@ static int init_ctx(struct hs20_osu_client *ctx) return -1; devinfo = node_from_file(ctx->xml, "devinfo.xml"); - if (devinfo) { - devid = get_node(ctx->xml, devinfo, "DevId"); - if (devid) { - char *tmp = xml_node_get_text(ctx->xml, devid); - - if (tmp) { - ctx->devid = os_strdup(tmp); - xml_node_get_text_free(ctx->xml, tmp); - } + if (!devinfo) { + wpa_printf(MSG_ERROR, "devinfo.xml not found"); + return -1; + } + + devid = get_node(ctx->xml, devinfo, "DevId"); + if (devid) { + char *tmp = xml_node_get_text(ctx->xml, devid); + if (tmp) { + ctx->devid = os_strdup(tmp); + xml_node_get_text_free(ctx->xml, tmp); } - xml_node_free(ctx->xml, devinfo); + } + xml_node_free(ctx->xml, devinfo); + + if (ctx->devid == NULL) { + wpa_printf(MSG_ERROR, "Could not fetch DevId from devinfo.xml"); + return -1; } ctx->http = http_init_ctx(ctx, ctx->xml); diff --git a/hs20/server/Makefile b/hs20/server/Makefile index 9b737279..248ed5cc 100644 --- a/hs20/server/Makefile +++ b/hs20/server/Makefile @@ -21,16 +21,6 @@ LIBS += -lsqlite3 # Using glibc < 2.17 requires -lrt for clock_gettime() LIBS += -lrt -ifndef CONFIG_NO_GITVER -# Add VERSION_STR postfix for builds from a git repository -ifeq ($(wildcard ../../.git),../../.git) -GITVER := $(shell git describe --dirty=+) -ifneq ($(GITVER),) -CFLAGS += -DGIT_VERSION_STR_POSTFIX=\"-$(GITVER)\" -endif -endif -endif - OBJS=spp_server.o OBJS += hs20_spp_server.o OBJS += ../../src/utils/xml-utils.o diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt index 22478ad9..70f13135 100644 --- a/hs20/server/hs20-osu-server.txt +++ b/hs20/server/hs20-osu-server.txt @@ -228,17 +228,12 @@ Add following block just before "SSL Engine Switch" line": Options Indexes MultiViews FollowSymLinks AllowOverride None Require all granted - SSLOptions +StdEnvVars </Directory> Update SSL configuration to use the OSU server certificate/key. They keys and certs are called 'server.key' and 'server.pem' from ca/setup.sh. -To support subscription remediation using client certificates, set -"SSLVerifyClient optional" and configure the trust root CA(s) for the -client certificates with SSLCACertificateFile. - Enable default-ssl site and restart Apache2: sudo a2ensite default-ssl sudo a2enmod ssl diff --git a/hs20/server/hs20_spp_server.c b/hs20/server/hs20_spp_server.c index 6c74f541..abd6867d 100644 --- a/hs20/server/hs20_spp_server.c +++ b/hs20/server/hs20_spp_server.c @@ -11,7 +11,6 @@ #include <sqlite3.h> #include "common.h" -#include "common/version.h" #include "xml-utils.h" #include "spp_server.h" @@ -90,18 +89,6 @@ static int process(struct hs20_svc *ctx) return -1; } - ctx->imsi = getenv("HS20IMSI"); - if (ctx->imsi) - debug_print(ctx, 1, "IMSI %s", ctx->imsi); - - ctx->eap_method = getenv("HS20EAPMETHOD"); - if (ctx->eap_method) - debug_print(ctx, 1, "EAP method %s", ctx->eap_method); - - ctx->id_hash = getenv("HS20IDHASH"); - if (ctx->id_hash) - debug_print(ctx, 1, "ID-HASH %s", ctx->id_hash); - soap = xml_node_from_buf(ctx->xml, post); if (soap == NULL) { debug_print(ctx, 1, "Could not parse SOAP data"); @@ -159,7 +146,7 @@ int main(int argc, char *argv[]) os_memset(&ctx, 0, sizeof(ctx)); for (;;) { - int c = getopt(argc, argv, "f:r:v"); + int c = getopt(argc, argv, "f:r:"); if (c < 0) break; switch (c) { @@ -175,9 +162,6 @@ int main(int argc, char *argv[]) case 'r': ctx.root_dir = optarg; break; - case 'v': - printf("hs20_spp_server v" VERSION_STR "\n"); - return 0; default: usage(); return -1; diff --git a/hs20/server/spp_server.c b/hs20/server/spp_server.c index 4bef0ffb..e5af4c25 100644 --- a/hs20/server/spp_server.c +++ b/hs20/server/spp_server.c @@ -41,8 +41,6 @@ enum hs20_session_operation { POLICY_REMEDIATION, POLICY_UPDATE, FREE_REMEDIATION, - CLEAR_REMEDIATION, - CERT_REENROLL, }; @@ -53,11 +51,6 @@ static char * db_get_osu_config_val(struct hs20_svc *ctx, const char *realm, const char *field); static xml_node_t * build_policy(struct hs20_svc *ctx, const char *user, const char *realm, int use_dmacc); -static xml_node_t * spp_exec_get_certificate(struct hs20_svc *ctx, - const char *session_id, - const char *user, - const char *realm, - int add_est_user); static int db_add_session(struct hs20_svc *ctx, @@ -211,61 +204,6 @@ static void db_add_session_devdetail(struct hs20_svc *ctx, } -static void db_add_session_dmacc(struct hs20_svc *ctx, const char *sessionid, - const char *username, const char *password) -{ - char *sql; - - sql = sqlite3_mprintf("UPDATE sessions SET osu_user=%Q, osu_password=%Q WHERE id=%Q", - username, password, sessionid); - if (!sql) - return; - debug_print(ctx, 1, "DB: %s", sql); - if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) { - debug_print(ctx, 1, "Failed to add session DMAcc: %s", - sqlite3_errmsg(ctx->db)); - } - sqlite3_free(sql); -} - - -static void db_add_session_eap_method(struct hs20_svc *ctx, - const char *sessionid, - const char *method) -{ - char *sql; - - sql = sqlite3_mprintf("UPDATE sessions SET eap_method=%Q WHERE id=%Q", - method, sessionid); - if (!sql) - return; - debug_print(ctx, 1, "DB: %s", sql); - if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) { - debug_print(ctx, 1, "Failed to add session EAP method: %s", - sqlite3_errmsg(ctx->db)); - } - sqlite3_free(sql); -} - - -static void db_add_session_id_hash(struct hs20_svc *ctx, const char *sessionid, - const char *id_hash) -{ - char *sql; - - sql = sqlite3_mprintf("UPDATE sessions SET mobile_identifier_hash=%Q WHERE id=%Q", - id_hash, sessionid); - if (!sql) - return; - debug_print(ctx, 1, "DB: %s", sql); - if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) { - debug_print(ctx, 1, "Failed to add session ID hash: %s", - sqlite3_errmsg(ctx->db)); - } - sqlite3_free(sql); -} - - static void db_remove_session(struct hs20_svc *ctx, const char *user, const char *realm, const char *sessionid) @@ -352,7 +290,8 @@ static void db_update_mo_str(struct hs20_svc *ctx, const char *user, char *sql; if (user == NULL || realm == NULL || name == NULL) return; - sql = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')", + sql = sqlite3_mprintf("UPDATE users SET %s=%Q " + "WHERE identity=%Q AND realm=%Q AND phase2=1", name, str, user, realm); if (sql == NULL) return; @@ -474,7 +413,8 @@ static char * db_get_val(struct hs20_svc *ctx, const char *user, char *cmd; struct get_db_field_data data; - cmd = sqlite3_mprintf("SELECT %s FROM users WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')", + cmd = sqlite3_mprintf("SELECT %s FROM users WHERE " + "%s=%Q AND realm=%Q AND phase2=1", field, dmacc ? "osu_user" : "identity", user, realm); if (cmd == NULL) @@ -503,7 +443,8 @@ static int db_update_val(struct hs20_svc *ctx, const char *user, char *cmd; int ret; - cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')", + cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE " + "%s=%Q AND realm=%Q AND phase2=1", field, val, dmacc ? "osu_user" : "identity", user, realm); if (cmd == NULL) @@ -583,27 +524,6 @@ static int update_password(struct hs20_svc *ctx, const char *user, } -static int clear_remediation(struct hs20_svc *ctx, const char *user, - const char *realm, int dmacc) -{ - char *cmd; - - cmd = sqlite3_mprintf("UPDATE users SET remediation='' WHERE %s=%Q", - dmacc ? "osu_user" : "identity", - user); - if (cmd == NULL) - return -1; - debug_print(ctx, 1, "DB: %s", cmd); - if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) { - debug_print(ctx, 1, "Failed to update database for user '%s'", - user); - } - sqlite3_free(cmd); - - return 0; -} - - static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent) { xml_node_t *node; @@ -625,7 +545,6 @@ static xml_node_t * build_username_password(struct hs20_svc *ctx, { xml_node_t *node; char *b64; - size_t len; node = xml_node_create(ctx->xml, parent, NULL, "UsernamePassword"); if (node == NULL) @@ -636,9 +555,6 @@ static xml_node_t * build_username_password(struct hs20_svc *ctx, b64 = (char *) base64_encode((unsigned char *) pw, strlen(pw), NULL); if (b64 == NULL) return NULL; - len = os_strlen(b64); - if (len > 0 && b64[len - 1] == '\n') - b64[len - 1] = '\0'; add_text_node(ctx, node, "Password", b64); free(b64); @@ -790,45 +706,6 @@ static int add_update_node(struct hs20_svc *ctx, xml_node_t *spp_node, } -static xml_node_t * read_subrem_file(struct hs20_svc *ctx, - const char *subrem_id, - char *uri, size_t uri_size) -{ - char fname[200]; - char *buf, *buf2, *pos; - size_t len; - xml_node_t *node; - - os_snprintf(fname, sizeof(fname), "%s/spp/subrem/%s", - ctx->root_dir, subrem_id); - debug_print(ctx, 1, "Use subrem file %s", fname); - - buf = os_readfile(fname, &len); - if (!buf) - return NULL; - buf2 = os_realloc(buf, len + 1); - if (!buf2) { - os_free(buf); - return NULL; - } - buf = buf2; - buf[len] = '\0'; - - pos = os_strchr(buf, '\n'); - if (!pos) { - os_free(buf); - return NULL; - } - *pos++ = '\0'; - os_strlcpy(uri, buf, uri_size); - - node = xml_node_from_buf(ctx->xml, pos); - os_free(buf); - - return node; -} - - static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx, const char *user, const char *realm, const char *session_id, @@ -838,48 +715,28 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx, xml_node_t *spp_node, *cred; char buf[400]; char new_pw[33]; + char *real_user = NULL; char *status; char *cert; + if (dmacc) { + real_user = db_get_val(ctx, user, realm, "identity", dmacc); + if (real_user == NULL) { + debug_print(ctx, 1, "Could not find user identity for " + "dmacc user '%s'", user); + return NULL; + } + } + cert = db_get_val(ctx, user, realm, "cert", dmacc); - if (cert && cert[0] == '\0') { - os_free(cert); + if (cert && cert[0] == '\0') cert = NULL; - } if (cert) { - char *subrem; - - /* No change needed in PPS MO unless specifically asked to */ - cred = NULL; - buf[0] = '\0'; - - subrem = db_get_val(ctx, user, realm, "subrem", dmacc); - if (subrem && subrem[0]) { - cred = read_subrem_file(ctx, subrem, buf, sizeof(buf)); - if (!cred) { - debug_print(ctx, 1, - "Could not create updateNode from subrem file"); - os_free(subrem); - os_free(cert); - return NULL; - } - } - os_free(subrem); + cred = build_credential_cert(ctx, real_user ? real_user : user, + realm, cert); } else { - char *real_user = NULL; char *pw; - if (dmacc) { - real_user = db_get_val(ctx, user, realm, "identity", - dmacc); - if (!real_user) { - debug_print(ctx, 1, - "Could not find user identity for dmacc user '%s'", - user); - return NULL; - } - } - pw = db_get_session_val(ctx, user, realm, session_id, "password"); if (pw && pw[0]) { @@ -895,17 +752,11 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx, real_user ? real_user : user, realm, new_pw, sizeof(new_pw)); } - - free(real_user); - if (!cred) { - debug_print(ctx, 1, "Could not build credential"); - os_free(cert); - return NULL; - } - - snprintf(buf, sizeof(buf), - "./Wi-Fi/%s/PerProviderSubscription/Cred01/Credential", - realm); + } + free(real_user); + if (!cred) { + debug_print(ctx, 1, "Could not build credential"); + return NULL; } status = "Remediation complete, request sppUpdateResponse"; @@ -913,15 +764,16 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx, NULL); if (spp_node == NULL) { debug_print(ctx, 1, "Could not build sppPostDevDataResponse"); - os_free(cert); return NULL; } - if ((cred && add_update_node(ctx, spp_node, ns, buf, cred) < 0) || - (!cred && !xml_node_create(ctx->xml, spp_node, ns, "noMOUpdate"))) { + snprintf(buf, sizeof(buf), + "./Wi-Fi/%s/PerProviderSubscription/Cred01/Credential", + realm); + + if (add_update_node(ctx, spp_node, ns, buf, cred) < 0) { debug_print(ctx, 1, "Could not add update node"); xml_node_free(ctx->xml, spp_node); - os_free(cert); return NULL; } @@ -931,16 +783,14 @@ static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx, xml_node_free(ctx->xml, cred); if (cert) { - debug_print(ctx, 1, "Request DB remediation clearing on success notification (certificate credential)"); - db_add_session(ctx, user, realm, session_id, NULL, NULL, - CLEAR_REMEDIATION, NULL); + debug_print(ctx, 1, "Certificate credential - no need for DB " + "password update on success notification"); } else { debug_print(ctx, 1, "Request DB password update on success " "notification"); db_add_session(ctx, user, realm, session_id, new_pw, NULL, UPDATE_PASSWORD, NULL); } - os_free(cert); return spp_node; } @@ -955,17 +805,6 @@ static xml_node_t * machine_remediation(struct hs20_svc *ctx, } -static xml_node_t * cert_reenroll(struct hs20_svc *ctx, - const char *user, - const char *realm, - const char *session_id) -{ - db_add_session(ctx, user, realm, session_id, NULL, NULL, - CERT_REENROLL, NULL); - return spp_exec_get_certificate(ctx, session_id, user, realm, 0); -} - - static xml_node_t * policy_remediation(struct hs20_svc *ctx, const char *user, const char *realm, const char *session_id, int dmacc) @@ -1150,8 +989,6 @@ static xml_node_t * hs20_subscription_remediation(struct hs20_svc *ctx, ret = policy_remediation(ctx, user, realm, session_id, dmacc); else if (type && strcmp(type, "machine") == 0) ret = machine_remediation(ctx, user, realm, session_id, dmacc); - else if (type && strcmp(type, "reenroll") == 0) - ret = cert_reenroll(ctx, user, realm, session_id); else ret = no_sub_rem(ctx, user, realm, session_id); free(type); @@ -1160,41 +997,11 @@ static xml_node_t * hs20_subscription_remediation(struct hs20_svc *ctx, } -static xml_node_t * read_policy_file(struct hs20_svc *ctx, - const char *policy_id) -{ - char fname[200]; - - snprintf(fname, sizeof(fname), "%s/spp/policy/%s.xml", - ctx->root_dir, policy_id); - debug_print(ctx, 1, "Use policy file %s", fname); - - return node_from_file(ctx->xml, fname); -} - - -static void update_policy_update_uri(struct hs20_svc *ctx, const char *realm, - xml_node_t *policy) -{ - xml_node_t *node; - char *url; - - node = get_node_uri(ctx->xml, policy, "Policy/PolicyUpdate/URI"); - if (!node) - return; - - url = db_get_osu_config_val(ctx, realm, "policy_url"); - if (!url) - return; - xml_node_set_text(ctx->xml, node, url); - free(url); -} - - static xml_node_t * build_policy(struct hs20_svc *ctx, const char *user, const char *realm, int use_dmacc) { char *policy_id; + char fname[200]; xml_node_t *policy, *node; policy_id = db_get_val(ctx, user, realm, "policy", use_dmacc); @@ -1204,12 +1011,27 @@ static xml_node_t * build_policy(struct hs20_svc *ctx, const char *user, if (policy_id == NULL) return NULL; } - policy = read_policy_file(ctx, policy_id); + + snprintf(fname, sizeof(fname), "%s/spp/policy/%s.xml", + ctx->root_dir, policy_id); free(policy_id); + debug_print(ctx, 1, "Use policy file %s", fname); + + policy = node_from_file(ctx->xml, fname); if (policy == NULL) return NULL; - update_policy_update_uri(ctx, realm, policy); + node = get_node_uri(ctx->xml, policy, "Policy/PolicyUpdate/URI"); + if (node) { + char *url; + url = db_get_osu_config_val(ctx, realm, "policy_url"); + if (url == NULL) { + xml_node_free(ctx->xml, policy); + return NULL; + } + xml_node_set_text(ctx->xml, node, url); + free(url); + } node = get_node_uri(ctx->xml, policy, "Policy/PolicyUpdate"); if (node && use_dmacc) { @@ -1442,20 +1264,15 @@ static char * db_get_osu_config_val(struct hs20_svc *ctx, const char *realm, static xml_node_t * build_pps(struct hs20_svc *ctx, const char *user, const char *realm, const char *pw, const char *cert, - int machine_managed, const char *test, - const char *imsi, const char *dmacc_username, - const char *dmacc_password, - xml_node_t *policy_node) + int machine_managed, const char *test) { xml_node_t *pps, *c, *trust, *aaa, *aaa1, *upd, *homesp, *p; xml_node_t *cred, *eap, *userpw; pps = xml_node_create_root(ctx->xml, NULL, NULL, NULL, "PerProviderSubscription"); - if (!pps) { - xml_node_free(ctx->xml, policy_node); + if (pps == NULL) return NULL; - } add_text_node(ctx, pps, "UpdateIdentifier", "1"); @@ -1463,8 +1280,6 @@ static xml_node_t * build_pps(struct hs20_svc *ctx, add_text_node(ctx, c, "CredentialPriority", "1"); - if (imsi) - goto skip_aaa_trust_root; aaa = xml_node_create(ctx->xml, c, NULL, "AAAServerTrustRoot"); aaa1 = xml_node_create(ctx->xml, aaa, NULL, "AAA1"); add_text_node_conf(ctx, realm, aaa1, "CertURL", @@ -1496,7 +1311,6 @@ static xml_node_t * build_pps(struct hs20_svc *ctx, "CertSHA256Fingerprint", "policy_trust_root_cert_fingerprint"); } -skip_aaa_trust_root: upd = xml_node_create(ctx->xml, c, NULL, "SubscriptionUpdate"); add_text_node(ctx, upd, "UpdateInterval", "4294967295"); @@ -1516,17 +1330,6 @@ skip_aaa_trust_root: "trust_root_cert_fingerprint"); } - if (dmacc_username && - !build_username_password(ctx, upd, dmacc_username, - dmacc_password)) { - xml_node_free(ctx->xml, pps); - xml_node_free(ctx->xml, policy_node); - return NULL; - } - - if (policy_node) - xml_node_add_child(ctx->xml, c, policy_node); - homesp = xml_node_create(ctx->xml, c, NULL, "HomeSP"); add_text_node_conf(ctx, realm, homesp, "FriendlyName", "friendly_name"); add_text_node_conf(ctx, realm, homesp, "FQDN", "fqdn"); @@ -1535,19 +1338,7 @@ skip_aaa_trust_root: cred = xml_node_create(ctx->xml, c, NULL, "Credential"); add_creation_date(ctx, cred); - if (imsi) { - xml_node_t *sim; - const char *type = "18"; /* default to EAP-SIM */ - - sim = xml_node_create(ctx->xml, cred, NULL, "SIM"); - add_text_node(ctx, sim, "IMSI", imsi); - if (ctx->eap_method && os_strcmp(ctx->eap_method, "AKA") == 0) - type = "23"; - else if (ctx->eap_method && - os_strcmp(ctx->eap_method, "AKA'") == 0) - type = "50"; - add_text_node(ctx, sim, "EAPType", type); - } else if (cert) { + if (cert) { xml_node_t *dc; dc = xml_node_create(ctx->xml, cred, NULL, "DigitalCertificate"); @@ -1570,8 +1361,7 @@ skip_aaa_trust_root: static xml_node_t * spp_exec_get_certificate(struct hs20_svc *ctx, const char *session_id, const char *user, - const char *realm, - int add_est_user) + const char *realm) { xml_namespace_t *ns; xml_node_t *spp_node, *enroll, *exec_node; @@ -1579,7 +1369,7 @@ static xml_node_t * spp_exec_get_certificate(struct hs20_svc *ctx, char password[11]; char *b64; - if (add_est_user && new_password(password, sizeof(password)) < 0) + if (new_password(password, sizeof(password)) < 0) return NULL; spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK", @@ -1596,10 +1386,6 @@ static xml_node_t * spp_exec_get_certificate(struct hs20_svc *ctx, xml_node_create_text(ctx->xml, enroll, ns, "enrollmentServerURI", val ? val : ""); os_free(val); - - if (!add_est_user) - return spp_node; - xml_node_create_text(ctx->xml, enroll, ns, "estUserID", user); b64 = (char *) base64_encode((unsigned char *) password, @@ -1659,7 +1445,7 @@ static xml_node_t * hs20_user_input_registration(struct hs20_svc *ctx, xml_node_t *ret; hs20_eventlog(ctx, user, realm, session_id, "request client certificate enrollment", NULL); - ret = spp_exec_get_certificate(ctx, session_id, user, realm, 1); + ret = spp_exec_get_certificate(ctx, session_id, user, realm); free(user); free(realm); free(pw); @@ -1691,7 +1477,7 @@ static xml_node_t * hs20_user_input_registration(struct hs20_svc *ctx, test); pps = build_pps(ctx, user, realm, pw, fingerprint ? fingerprint : NULL, machine_managed, - test, NULL, NULL, NULL, NULL); + test); free(fingerprint); free(test); if (!pps) { @@ -1832,72 +1618,6 @@ static xml_node_t * hs20_user_input_complete(struct hs20_svc *ctx, } -static xml_node_t * hs20_cert_reenroll_complete(struct hs20_svc *ctx, - const char *session_id) -{ - char *user, *realm, *cert; - char *status; - xml_namespace_t *ns; - xml_node_t *spp_node, *cred; - char buf[400]; - - user = db_get_session_val(ctx, NULL, NULL, session_id, "user"); - realm = db_get_session_val(ctx, NULL, NULL, session_id, "realm"); - cert = db_get_session_val(ctx, NULL, NULL, session_id, "cert"); - if (!user || !realm || !cert) { - debug_print(ctx, 1, - "Could not find session info from DB for certificate reenrollment"); - free(user); - free(realm); - free(cert); - return NULL; - } - - cred = build_credential_cert(ctx, user, realm, cert); - if (!cred) { - debug_print(ctx, 1, "Could not build credential"); - free(user); - free(realm); - free(cert); - return NULL; - } - - status = "Remediation complete, request sppUpdateResponse"; - spp_node = build_post_dev_data_response(ctx, &ns, session_id, status, - NULL); - if (spp_node == NULL) { - debug_print(ctx, 1, "Could not build sppPostDevDataResponse"); - free(user); - free(realm); - free(cert); - xml_node_free(ctx->xml, cred); - return NULL; - } - - snprintf(buf, sizeof(buf), - "./Wi-Fi/%s/PerProviderSubscription/Cred01/Credential", - realm); - - if (add_update_node(ctx, spp_node, ns, buf, cred) < 0) { - debug_print(ctx, 1, "Could not add update node"); - xml_node_free(ctx->xml, spp_node); - free(user); - free(realm); - free(cert); - return NULL; - } - - hs20_eventlog_node(ctx, user, realm, session_id, - "certificate reenrollment", cred); - xml_node_free(ctx->xml, cred); - - free(user); - free(realm); - free(cert); - return spp_node; -} - - static xml_node_t * hs20_cert_enroll_completed(struct hs20_svc *ctx, const char *user, const char *realm, int dmacc, @@ -1906,7 +1626,7 @@ static xml_node_t * hs20_cert_enroll_completed(struct hs20_svc *ctx, char *val; enum hs20_session_operation oper; - val = db_get_session_val(ctx, NULL, NULL, session_id, "operation"); + val = db_get_session_val(ctx, user, realm, session_id, "operation"); if (val == NULL) { debug_print(ctx, 1, "No session %s found to continue", session_id); @@ -1917,8 +1637,6 @@ static xml_node_t * hs20_cert_enroll_completed(struct hs20_svc *ctx, if (oper == SUBSCRIPTION_REGISTRATION) return hs20_user_input_registration(ctx, session_id, 1); - if (oper == CERT_REENROLL) - return hs20_cert_reenroll_complete(ctx, session_id); debug_print(ctx, 1, "User session %s not in state for certificate " "enrollment completion", session_id); @@ -1966,103 +1684,6 @@ static xml_node_t * hs20_cert_enroll_failed(struct hs20_svc *ctx, } -static xml_node_t * hs20_sim_provisioning(struct hs20_svc *ctx, - const char *user, - const char *realm, int dmacc, - const char *session_id) -{ - xml_namespace_t *ns; - xml_node_t *spp_node, *node = NULL; - xml_node_t *pps, *tnds; - char buf[400]; - char *str; - const char *status; - char dmacc_username[32]; - char dmacc_password[32]; - char *policy; - xml_node_t *policy_node = NULL; - - if (!ctx->imsi) { - debug_print(ctx, 1, "IMSI not available for SIM provisioning"); - return NULL; - } - - if (new_password(dmacc_username, sizeof(dmacc_username)) < 0 || - new_password(dmacc_password, sizeof(dmacc_password)) < 0) { - debug_print(ctx, 1, - "Failed to generate DMAcc username/password"); - return NULL; - } - - status = "Provisioning complete, request sppUpdateResponse"; - spp_node = build_post_dev_data_response(ctx, &ns, session_id, status, - NULL); - if (!spp_node) - return NULL; - - policy = db_get_osu_config_val(ctx, realm, "sim_policy"); - if (policy) { - policy_node = read_policy_file(ctx, policy); - os_free(policy); - if (!policy_node) { - xml_node_free(ctx->xml, spp_node); - return NULL; - } - update_policy_update_uri(ctx, realm, policy_node); - node = get_node_uri(ctx->xml, policy_node, - "Policy/PolicyUpdate"); - if (node) - build_username_password(ctx, node, dmacc_username, - dmacc_password); - } - - pps = build_pps(ctx, NULL, realm, NULL, NULL, 0, NULL, ctx->imsi, - dmacc_username, dmacc_password, policy_node); - if (!pps) { - xml_node_free(ctx->xml, spp_node); - return NULL; - } - - debug_print(ctx, 1, - "Request DB subscription registration on success notification"); - if (!user || !user[0]) - user = ctx->imsi; - db_add_session(ctx, user, realm, session_id, NULL, NULL, - SUBSCRIPTION_REGISTRATION, NULL); - db_add_session_dmacc(ctx, session_id, dmacc_username, dmacc_password); - if (ctx->eap_method) - db_add_session_eap_method(ctx, session_id, ctx->eap_method); - if (ctx->id_hash) - db_add_session_id_hash(ctx, session_id, ctx->id_hash); - db_add_session_pps(ctx, user, realm, session_id, pps); - - hs20_eventlog_node(ctx, user, realm, session_id, - "new subscription", pps); - - tnds = mo_to_tnds(ctx->xml, pps, 0, URN_HS20_PPS, NULL); - xml_node_free(ctx->xml, pps); - if (!tnds) { - xml_node_free(ctx->xml, spp_node); - return NULL; - } - - str = xml_node_to_str(ctx->xml, tnds); - xml_node_free(ctx->xml, tnds); - if (!str) { - xml_node_free(ctx->xml, spp_node); - return NULL; - } - - node = xml_node_create_text(ctx->xml, spp_node, ns, "addMO", str); - free(str); - snprintf(buf, sizeof(buf), "./Wi-Fi/%s/PerProviderSubscription", realm); - xml_node_add_attr(ctx->xml, node, ns, "managementTreeURI", buf); - xml_node_add_attr(ctx->xml, node, ns, "moURN", URN_HS20_PPS); - - return spp_node; -} - - static xml_node_t * hs20_spp_post_dev_data(struct hs20_svc *ctx, xml_node_t *node, const char *user, @@ -2343,15 +1964,6 @@ static xml_node_t * hs20_spp_post_dev_data(struct hs20_svc *ctx, goto out; } - if (strcasecmp(req_reason, "Subscription provisioning") == 0) { - ret = hs20_sim_provisioning(ctx, user, realm, dmacc, - session_id); - hs20_eventlog_node(ctx, user, realm, session_id, - "subscription provisioning response", - ret); - goto out; - } - debug_print(ctx, 1, "Unsupported requestReason '%s' user '%s'", req_reason, user); out: @@ -2394,8 +2006,6 @@ static xml_node_t * build_spp_exchange_complete(struct hs20_svc *ctx, static int add_subscription(struct hs20_svc *ctx, const char *session_id) { char *user, *realm, *pw, *pw_mm, *pps, *str; - char *osu_user, *osu_password, *eap_method; - char *policy = NULL; char *sql; int ret = -1; char *free_account; @@ -2403,7 +2013,6 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id) char *type; int cert = 0; char *cert_pem, *fingerprint; - const char *method; user = db_get_session_val(ctx, NULL, NULL, session_id, "user"); realm = db_get_session_val(ctx, NULL, NULL, session_id, "realm"); @@ -2417,11 +2026,6 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id) if (type && strcmp(type, "cert") == 0) cert = 1; free(type); - osu_user = db_get_session_val(ctx, NULL, NULL, session_id, "osu_user"); - osu_password = db_get_session_val(ctx, NULL, NULL, session_id, - "osu_password"); - eap_method = db_get_session_val(ctx, NULL, NULL, session_id, - "eap_method"); if (!user || !realm || !pw) { debug_print(ctx, 1, "Could not find session info from DB for " @@ -2433,8 +2037,6 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id) free_acc = free_account && strcmp(free_account, user) == 0; free(free_account); - policy = db_get_osu_config_val(ctx, realm, "sim_policy"); - debug_print(ctx, 1, "New subscription: user='%s' realm='%s' free_acc=%d", user, realm, free_acc); @@ -2463,20 +2065,12 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id) str = db_get_session_val(ctx, NULL, NULL, session_id, "mac_addr"); - if (eap_method && eap_method[0]) - method = eap_method; - else - method = cert ? "TLS" : "TTLS-MSCHAPV2"; - sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr,osu_user,osu_password,policy) VALUES (%Q,%Q,%d,%Q,%Q,%Q,%d,%Q,%Q,%Q,%Q)", - user, realm, cert ? 0 : 1, - method, + sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr) VALUES (%Q,%Q,1,%Q,%Q,%Q,%d,%Q)", + user, realm, cert ? "TLS" : "TTLS-MSCHAPV2", fingerprint ? fingerprint : "", cert_pem ? cert_pem : "", pw_mm && atoi(pw_mm) ? 1 : 0, - str ? str : "", - osu_user ? osu_user : "", - osu_password ? osu_password : "", - policy ? policy : ""); + str ? str : ""); free(str); if (sql == NULL) goto out; @@ -2494,7 +2088,8 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id) else ret = update_password(ctx, user, realm, pw, 0); if (ret < 0) { - sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')", + sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND " + "realm=%Q AND phase2=1", user, realm); if (sql) { debug_print(ctx, 1, "DB: %s", sql); @@ -2544,24 +2139,6 @@ static int add_subscription(struct hs20_svc *ctx, const char *session_id) } } - str = db_get_session_val(ctx, NULL, NULL, session_id, - "mobile_identifier_hash"); - if (str) { - sql = sqlite3_mprintf("DELETE FROM sim_provisioning WHERE mobile_identifier_hash=%Q", - str); - if (sql) { - debug_print(ctx, 1, "DB: %s", sql); - if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != - SQLITE_OK) { - debug_print(ctx, 1, - "Failed to delete pending sim_provisioning entry: %s", - sqlite3_errmsg(ctx->db)); - } - sqlite3_free(sql); - } - os_free(str); - } - if (ret == 0) { hs20_eventlog(ctx, user, realm, session_id, "completed subscription registration", NULL); @@ -2575,10 +2152,6 @@ out: free(pps); free(cert_pem); free(fingerprint); - free(osu_user); - free(osu_password); - free(eap_method); - os_free(policy); return ret; } @@ -2605,11 +2178,11 @@ static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx, debug_print(ctx, 1, "sppUpdateResponse: sppStatus: %s sessionID: %s", status, session_id); - val = db_get_session_val(ctx, NULL, NULL, session_id, "operation"); + val = db_get_session_val(ctx, user, realm, session_id, "operation"); if (!val) { debug_print(ctx, 1, - "No session active for sessionID: %s", - session_id); + "No session active for user: %s sessionID: %s", + user, session_id); oper = NO_OPERATION; } else oper = atoi(val); @@ -2666,29 +2239,6 @@ static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx, session_id, "Updated user password " "in database", NULL); } - if (oper == CLEAR_REMEDIATION) { - debug_print(ctx, 1, - "Clear remediation requirement for user '%s' in DB", - user); - if (clear_remediation(ctx, user, realm, dmacc) < 0) { - debug_print(ctx, 1, - "Failed to clear remediation requirement for user '%s' in DB", - user); - ret = build_spp_exchange_complete( - ctx, session_id, "Error occurred", - "Other"); - hs20_eventlog_node(ctx, user, realm, - session_id, - "Failed to update database", - ret); - db_remove_session(ctx, user, realm, session_id); - return ret; - } - hs20_eventlog(ctx, user, realm, - session_id, - "Cleared remediation requirement in database", - NULL); - } if (oper == SUBSCRIPTION_REGISTRATION) { if (add_subscription(ctx, session_id) < 0) { debug_print(ctx, 1, "Failed to add " @@ -2715,60 +2265,12 @@ static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx, if (oper == POLICY_UPDATE) db_update_val(ctx, user, realm, "polupd_done", "1", dmacc); - if (oper == CERT_REENROLL) { - char *new_user; - char event[200]; - - new_user = db_get_session_val(ctx, NULL, NULL, - session_id, "user"); - if (!new_user) { - debug_print(ctx, 1, - "Failed to find new user name (cert-serialnum)"); - ret = build_spp_exchange_complete( - ctx, session_id, "Error occurred", - "Other"); - hs20_eventlog_node(ctx, user, realm, - session_id, - "Failed to find new user name (cert reenroll)", - ret); - db_remove_session(ctx, NULL, NULL, session_id); - return ret; - } - - debug_print(ctx, 1, - "Update certificate user entry to use the new serial number (old=%s new=%s)", - user, new_user); - os_snprintf(event, sizeof(event), "renamed user to: %s", - new_user); - hs20_eventlog(ctx, user, realm, session_id, event, - NULL); - - if (db_update_val(ctx, user, realm, "identity", - new_user, 0) < 0 || - db_update_val(ctx, new_user, realm, "remediation", - "", 0) < 0) { - debug_print(ctx, 1, - "Failed to update user name (cert-serialnum)"); - ret = build_spp_exchange_complete( - ctx, session_id, "Error occurred", - "Other"); - hs20_eventlog_node(ctx, user, realm, - session_id, - "Failed to update user name (cert reenroll)", - ret); - db_remove_session(ctx, NULL, NULL, session_id); - os_free(new_user); - return ret; - } - - os_free(new_user); - } ret = build_spp_exchange_complete( ctx, session_id, "Exchange complete, release TLS connection", NULL); hs20_eventlog_node(ctx, user, realm, session_id, "Exchange completed", ret); - db_remove_session(ctx, NULL, NULL, session_id); + db_remove_session(ctx, user, realm, session_id); return ret; } diff --git a/hs20/server/spp_server.h b/hs20/server/spp_server.h index 421974c6..3556f5c9 100644 --- a/hs20/server/spp_server.h +++ b/hs20/server/spp_server.h @@ -17,9 +17,6 @@ struct hs20_svc { sqlite3 *db; const char *addr; const char *test; - const char *imsi; - const char *eap_method; - const char *id_hash; }; diff --git a/hs20/server/sql.txt b/hs20/server/sql.txt index 2cc6edea..666ef131 100644 --- a/hs20/server/sql.txt +++ b/hs20/server/sql.txt @@ -24,10 +24,6 @@ CREATE TABLE sessions( cert TEXT, cert_pem TEXT, mac_addr TEXT, - osu_user TEXT, - osu_password TEXT, - eap_method TEXT, - mobile_identifier_hash TEXT, test TEXT ); @@ -61,7 +57,6 @@ CREATE TABLE users( mac_addr TEXT, last_msk TEXT, polupd_done TEXT, - subrem TEXT ); CREATE TABLE wildcards( @@ -98,11 +93,3 @@ CREATE TABLE cert_enroll( realm TEXT, serialnum TEXT ); - -CREATE TABLE sim_provisioning( - mobile_identifier_hash TEXT PRIMARY KEY, - imsi TEXT, - mac_addr TEXT, - eap_method TEXT, - timestamp TEXT -); diff --git a/hs20/server/www/est.php b/hs20/server/www/est.php index b7fb260d..6983ec9e 100644 --- a/hs20/server/www/est.php +++ b/hs20/server/www/est.php @@ -10,12 +10,6 @@ $method = $_SERVER["REQUEST_METHOD"]; unset($user); unset($rowid); -$db = new PDO($osu_db); -if (!$db) { - error_log("EST: Could not access database"); - die("Could not access database"); -} - if (!empty($_SERVER['PHP_AUTH_DIGEST'])) { $needed = array('nonce'=>1, 'nc'=>1, 'cnonce'=>1, 'qop'=>1, 'username'=>1, 'uri'=>1, 'response'=>1); @@ -37,6 +31,12 @@ if (!empty($_SERVER['PHP_AUTH_DIGEST'])) { die('Authentication failed'); } + $db = new PDO($osu_db); + if (!$db) { + error_log("EST: Could not access database"); + die("Could not access database"); + } + $sql = "SELECT rowid,password,operation FROM sessions " . "WHERE user='$user' AND realm='$realm'"; $q = $db->query($sql); @@ -70,29 +70,6 @@ if (!empty($_SERVER['PHP_AUTH_DIGEST'])) { error_log("EST: Incorrect authentication response for user=$user realm=$realm"); die('Authentication failed'); } -} else if (isset($_SERVER["SSL_CLIENT_VERIFY"]) && - $_SERVER["SSL_CLIENT_VERIFY"] == "SUCCESS" && - isset($_SERVER["SSL_CLIENT_M_SERIAL"])) { - $user = "cert-" . $_SERVER["SSL_CLIENT_M_SERIAL"]; - $sql = "SELECT rowid,password,operation FROM sessions " . - "WHERE user='$user' AND realm='$realm'"; - $q = $db->query($sql); - if (!$q) { - error_log("EST: Session not found for user=$user realm=$realm"); - die("Session not found"); - } - $row = $q->fetch(); - if (!$row) { - error_log("EST: Session fetch failed for user=$user realm=$realm"); - die('Session not found'); - } - $rowid = $row['rowid']; - - $oper = $row['operation']; - if ($oper != '10') { - error_log("EST: Unexpected operation $oper for user=$user realm=$realm"); - die("Session not found"); - } } @@ -115,24 +92,14 @@ if ($method == "GET" && $cmd == "cacerts") { header("Content-Type: application/csrattrs"); readfile("$osu_root/est/est-attrs.b64"); error_log("EST: csrattrs"); -} else if ($method == "POST" && - ($cmd == "simpleenroll" || $cmd == "simplereenroll")) { - $reenroll = $cmd == "simplereenroll"; - if (!$reenroll && (!isset($user) || strlen($user) == 0)) { +} else if ($method == "POST" && $cmd == "simpleenroll") { + if (!isset($user) || strlen($user) == 0) { header('HTTP/1.1 401 Unauthorized'); header('WWW-Authenticate: Digest realm="'.$realm. '",qop="auth",nonce="'.uniqid().'",opaque="'.md5($realm).'"'); error_log("EST: simpleenroll - require authentication"); die('Authentication required'); } - if ($reenroll && - (!isset($user) || - !isset($_SERVER["SSL_CLIENT_VERIFY"]) || - $_SERVER["SSL_CLIENT_VERIFY"] != "SUCCESS")) { - header('HTTP/1.1 403 Forbidden'); - error_log("EST: simplereenroll - require certificate authentication"); - die('Authentication required'); - } if (!isset($_SERVER["CONTENT_TYPE"])) { error_log("EST: simpleenroll without Content-Type"); die("Missing Content-Type"); @@ -200,7 +167,6 @@ if ($method == "GET" && $cmd == "cacerts") { } $der = file_get_contents($cert_der); $fingerprint = hash("sha256", $der); - error_log("EST: sha256(DER cert): $fingerprint"); $pkcs7 = "$cadir/tmp/est-client.pkcs7"; if (file_exists($pkcs7)) diff --git a/hs20/server/www/spp.php b/hs20/server/www/spp.php index c56d3d69..f10e5ab8 100644 --- a/hs20/server/www/spp.php +++ b/hs20/server/www/spp.php @@ -85,40 +85,6 @@ if (!empty($_SERVER['PHP_AUTH_DIGEST'])) { isset($_SERVER["SSL_CLIENT_M_SERIAL"])) { $user = "cert-" . $_SERVER["SSL_CLIENT_M_SERIAL"]; putenv("HS20CERT=yes"); -} else if (isset($_GET["hotspot2dot0-mobile-identifier-hash"])) { - $id_hash = $_GET["hotspot2dot0-mobile-identifier-hash"]; - $id_hash = PREG_REPLACE("/[^0-9a-h]/i", '', $id_hash); - - $db = new PDO($osu_db); - if (!$db) { - error_log("spp.php - Could not access database"); - die("Could not access database"); - } - - $row = $db->query("SELECT * FROM sim_provisioning " . - "WHERE mobile_identifier_hash='$id_hash'")->fetch(); - if (!$row) { - error_log("spp.php - SIM provisioning failed - mobile_identifier_hash not found"); - die('SIM provisioning failed - mobile_identifier_hash not found'); - } - - $imsi = $row['imsi']; - $mac_addr = $row['mac_addr']; - $eap_method = $row['eap_method']; - - $row = $db->query("SELECT COUNT(*) FROM osu_config " . - "WHERE realm='$realm'")->fetch(); - if (!$row || intval($row[0]) < 1) { - error_log("spp.php - SIM provisioning failed - realm $realm not found"); - die('SIM provisioning failed'); - } - - error_log("spp.php - SIM provisioning for IMSI $imsi"); - putenv("HS20SIMPROV=yes"); - putenv("HS20IMSI=$imsi"); - putenv("HS20MACADDR=$mac_addr"); - putenv("HS20EAPMETHOD=$eap_method"); - putenv("HS20IDHASH=$id_hash"); } else if (!isset($_SERVER["PATH_INFO"]) || $_SERVER["PATH_INFO"] != "/signup") { header('HTTP/1.1 401 Unauthorized'); diff --git a/hs20/server/www/users.php b/hs20/server/www/users.php index 2bd55527..f546de3a 100644 --- a/hs20/server/www/users.php +++ b/hs20/server/www/users.php @@ -69,9 +69,6 @@ if ($cmd == 'subrem-add-user' && $id > 0) { if ($cmd == 'subrem-add-machine' && $id > 0) { $db->exec("UPDATE users SET remediation='machine' WHERE rowid=$id"); } -if ($cmd == 'subrem-add-reenroll' && $id > 0) { - $db->exec("UPDATE users SET remediation='reenroll' WHERE rowid=$id"); -} if ($cmd == 'subrem-add-policy' && $id > 0) { $db->exec("UPDATE users SET remediation='policy' WHERE rowid=$id"); } @@ -175,10 +172,6 @@ if ($rem == "") { $row['rowid'] . "\">add:user</a>]"; echo " [<a href=\"users.php?cmd=subrem-add-machine&id=" . $row['rowid'] . "\">add:machine</a>]"; - if ($row['methods'] == 'TLS') { - echo " [<a href=\"users.php?cmd=subrem-add-reenroll&id=" . - $row['rowid'] . "\">add:reenroll</a>]"; - } echo " [<a href=\"users.php?cmd=subrem-add-policy&id=" . $row['rowid'] . "\">add:policy</a>]"; echo " [<a href=\"users.php?cmd=subrem-add-free&id=" . @@ -192,9 +185,6 @@ if ($rem == "") { } else if ($rem == "free") { echo "Free [<a href=\"users.php?cmd=subrem-clear&id=" . $row['rowid'] . "\">clear</a>]"; -} else if ($rem == "reenroll") { - echo "Reenroll [<a href=\"users.php?cmd=subrem-clear&id=" . - $row['rowid'] . "\">clear</a>]"; } else { echo "Machine [<a href=\"users.php?cmd=subrem-clear&id=" . $row['rowid'] . "\">clear</a>]"; @@ -329,7 +319,7 @@ echo "<br>\n"; echo "<table border=1 cellspacing=0 cellpadding=0>\n"; echo "<tr><th>User<th>Realm<th><small>Remediation</small><th>Policy<th><small>Account type</small><th><small>Phase 2 method(s)</small><th>DevId<th>MAC Address<th>T&C\n"; -$res = $db->query('SELECT rowid,* FROM users WHERE (phase2=1 OR methods=\'TLS\') ORDER BY identity'); +$res = $db->query('SELECT rowid,* FROM users WHERE phase2=1 ORDER BY identity'); foreach ($res as $row) { echo "<tr><td><a href=\"users.php?id=" . $row['rowid'] . "\"> " . $row['identity'] . " </a>"; @@ -344,8 +334,6 @@ foreach ($res as $row) { echo "Policy"; } else if ($rem == "free") { echo "Free"; - } else if ($rem == "reenroll") { - echo "Reenroll"; } else { echo "Machine"; } |