1 /*
2 * Hotspot 2.0 SPP server
3 * Copyright (c) 2012-2013, Qualcomm Atheros, Inc.
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #include <stdlib.h>
10 #include <stdio.h>
11 #include <string.h>
12 #include <ctype.h>
13 #include <time.h>
14 #include <errno.h>
15 #include <sqlite3.h>
16
17 #include "common.h"
18 #include "base64.h"
19 #include "md5_i.h"
20 #include "xml-utils.h"
21 #include "spp_server.h"
22
23
24 #define SPP_NS_URI "http://www.wi-fi.org/specifications/hotspot2dot0/v1.0/spp"
25
26 #define URN_OMA_DM_DEVINFO "urn:oma:mo:oma-dm-devinfo:1.0"
27 #define URN_OMA_DM_DEVDETAIL "urn:oma:mo:oma-dm-devdetail:1.0"
28 #define URN_OMA_DM_DMACC "urn:oma:mo:oma-dm-dmacc:1.0"
29 #define URN_HS20_PPS "urn:wfa:mo:hotspot2dot0-perprovidersubscription:1.0"
30
31
32 /* TODO: timeout to expire sessions */
33
34 enum hs20_session_operation {
35 NO_OPERATION,
36 UPDATE_PASSWORD,
37 CONTINUE_SUBSCRIPTION_REMEDIATION,
38 CONTINUE_POLICY_UPDATE,
39 USER_REMEDIATION,
40 SUBSCRIPTION_REGISTRATION,
41 POLICY_REMEDIATION,
42 POLICY_UPDATE,
43 FREE_REMEDIATION,
44 CLEAR_REMEDIATION,
45 CERT_REENROLL,
46 };
47
48
49 static char * db_get_session_val(struct hs20_svc *ctx, const char *user,
50 const char *realm, const char *session_id,
51 const char *field);
52 static char * db_get_osu_config_val(struct hs20_svc *ctx, const char *realm,
53 const char *field);
54 static xml_node_t * build_policy(struct hs20_svc *ctx, const char *user,
55 const char *realm, int use_dmacc);
56 static xml_node_t * spp_exec_get_certificate(struct hs20_svc *ctx,
57 const char *session_id,
58 const char *user,
59 const char *realm,
60 int add_est_user);
61
62
db_add_session(struct hs20_svc * ctx,const char * user,const char * realm,const char * sessionid,const char * pw,const char * redirect_uri,enum hs20_session_operation operation,const u8 * mac_addr)63 static int db_add_session(struct hs20_svc *ctx,
64 const char *user, const char *realm,
65 const char *sessionid, const char *pw,
66 const char *redirect_uri,
67 enum hs20_session_operation operation,
68 const u8 *mac_addr)
69 {
70 char *sql;
71 int ret = 0;
72 char addr[20];
73
74 if (mac_addr)
75 snprintf(addr, sizeof(addr), MACSTR, MAC2STR(mac_addr));
76 else
77 addr[0] = '\0';
78 sql = sqlite3_mprintf("INSERT INTO sessions(timestamp,id,user,realm,"
79 "operation,password,redirect_uri,mac_addr,test) "
80 "VALUES "
81 "(strftime('%%Y-%%m-%%d %%H:%%M:%%f','now'),"
82 "%Q,%Q,%Q,%d,%Q,%Q,%Q,%Q)",
83 sessionid, user ? user : "", realm ? realm : "",
84 operation, pw ? pw : "",
85 redirect_uri ? redirect_uri : "",
86 addr, ctx->test);
87 if (sql == NULL)
88 return -1;
89 debug_print(ctx, 1, "DB: %s", sql);
90 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
91 debug_print(ctx, 1, "Failed to add session entry into sqlite "
92 "database: %s", sqlite3_errmsg(ctx->db));
93 ret = -1;
94 }
95 sqlite3_free(sql);
96 return ret;
97 }
98
99
db_update_session_password(struct hs20_svc * ctx,const char * user,const char * realm,const char * sessionid,const char * pw)100 static void db_update_session_password(struct hs20_svc *ctx, const char *user,
101 const char *realm, const char *sessionid,
102 const char *pw)
103 {
104 char *sql;
105
106 sql = sqlite3_mprintf("UPDATE sessions SET password=%Q WHERE id=%Q AND "
107 "user=%Q AND realm=%Q",
108 pw, sessionid, user, realm);
109 if (sql == NULL)
110 return;
111 debug_print(ctx, 1, "DB: %s", sql);
112 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
113 debug_print(ctx, 1, "Failed to update session password: %s",
114 sqlite3_errmsg(ctx->db));
115 }
116 sqlite3_free(sql);
117 }
118
119
db_update_session_machine_managed(struct hs20_svc * ctx,const char * user,const char * realm,const char * sessionid,const int pw_mm)120 static void db_update_session_machine_managed(struct hs20_svc *ctx,
121 const char *user,
122 const char *realm,
123 const char *sessionid,
124 const int pw_mm)
125 {
126 char *sql;
127
128 sql = sqlite3_mprintf("UPDATE sessions SET machine_managed=%Q WHERE id=%Q AND user=%Q AND realm=%Q",
129 pw_mm ? "1" : "0", sessionid, user, realm);
130 if (sql == NULL)
131 return;
132 debug_print(ctx, 1, "DB: %s", sql);
133 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
134 debug_print(ctx, 1,
135 "Failed to update session machine_managed: %s",
136 sqlite3_errmsg(ctx->db));
137 }
138 sqlite3_free(sql);
139 }
140
141
db_add_session_pps(struct hs20_svc * ctx,const char * user,const char * realm,const char * sessionid,xml_node_t * node)142 static void db_add_session_pps(struct hs20_svc *ctx, const char *user,
143 const char *realm, const char *sessionid,
144 xml_node_t *node)
145 {
146 char *str;
147 char *sql;
148
149 str = xml_node_to_str(ctx->xml, node);
150 if (str == NULL)
151 return;
152 sql = sqlite3_mprintf("UPDATE sessions SET pps=%Q WHERE id=%Q AND "
153 "user=%Q AND realm=%Q",
154 str, sessionid, user, realm);
155 free(str);
156 if (sql == NULL)
157 return;
158 debug_print(ctx, 1, "DB: %s", sql);
159 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
160 debug_print(ctx, 1, "Failed to add session pps: %s",
161 sqlite3_errmsg(ctx->db));
162 }
163 sqlite3_free(sql);
164 }
165
166
db_add_session_devinfo(struct hs20_svc * ctx,const char * sessionid,xml_node_t * node)167 static void db_add_session_devinfo(struct hs20_svc *ctx, const char *sessionid,
168 xml_node_t *node)
169 {
170 char *str;
171 char *sql;
172
173 str = xml_node_to_str(ctx->xml, node);
174 if (str == NULL)
175 return;
176 sql = sqlite3_mprintf("UPDATE sessions SET devinfo=%Q WHERE id=%Q",
177 str, sessionid);
178 free(str);
179 if (sql == NULL)
180 return;
181 debug_print(ctx, 1, "DB: %s", sql);
182 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
183 debug_print(ctx, 1, "Failed to add session devinfo: %s",
184 sqlite3_errmsg(ctx->db));
185 }
186 sqlite3_free(sql);
187 }
188
189
db_add_session_devdetail(struct hs20_svc * ctx,const char * sessionid,xml_node_t * node)190 static void db_add_session_devdetail(struct hs20_svc *ctx,
191 const char *sessionid,
192 xml_node_t *node)
193 {
194 char *str;
195 char *sql;
196
197 str = xml_node_to_str(ctx->xml, node);
198 if (str == NULL)
199 return;
200 sql = sqlite3_mprintf("UPDATE sessions SET devdetail=%Q WHERE id=%Q",
201 str, sessionid);
202 free(str);
203 if (sql == NULL)
204 return;
205 debug_print(ctx, 1, "DB: %s", sql);
206 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
207 debug_print(ctx, 1, "Failed to add session devdetail: %s",
208 sqlite3_errmsg(ctx->db));
209 }
210 sqlite3_free(sql);
211 }
212
213
db_add_session_dmacc(struct hs20_svc * ctx,const char * sessionid,const char * username,const char * password)214 static void db_add_session_dmacc(struct hs20_svc *ctx, const char *sessionid,
215 const char *username, const char *password)
216 {
217 char *sql;
218
219 sql = sqlite3_mprintf("UPDATE sessions SET osu_user=%Q, osu_password=%Q WHERE id=%Q",
220 username, password, sessionid);
221 if (!sql)
222 return;
223 debug_print(ctx, 1, "DB: %s", sql);
224 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
225 debug_print(ctx, 1, "Failed to add session DMAcc: %s",
226 sqlite3_errmsg(ctx->db));
227 }
228 sqlite3_free(sql);
229 }
230
231
db_add_session_eap_method(struct hs20_svc * ctx,const char * sessionid,const char * method)232 static void db_add_session_eap_method(struct hs20_svc *ctx,
233 const char *sessionid,
234 const char *method)
235 {
236 char *sql;
237
238 sql = sqlite3_mprintf("UPDATE sessions SET eap_method=%Q WHERE id=%Q",
239 method, sessionid);
240 if (!sql)
241 return;
242 debug_print(ctx, 1, "DB: %s", sql);
243 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
244 debug_print(ctx, 1, "Failed to add session EAP method: %s",
245 sqlite3_errmsg(ctx->db));
246 }
247 sqlite3_free(sql);
248 }
249
250
db_add_session_id_hash(struct hs20_svc * ctx,const char * sessionid,const char * id_hash)251 static void db_add_session_id_hash(struct hs20_svc *ctx, const char *sessionid,
252 const char *id_hash)
253 {
254 char *sql;
255
256 sql = sqlite3_mprintf("UPDATE sessions SET mobile_identifier_hash=%Q WHERE id=%Q",
257 id_hash, sessionid);
258 if (!sql)
259 return;
260 debug_print(ctx, 1, "DB: %s", sql);
261 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
262 debug_print(ctx, 1, "Failed to add session ID hash: %s",
263 sqlite3_errmsg(ctx->db));
264 }
265 sqlite3_free(sql);
266 }
267
268
db_remove_session(struct hs20_svc * ctx,const char * user,const char * realm,const char * sessionid)269 static void db_remove_session(struct hs20_svc *ctx,
270 const char *user, const char *realm,
271 const char *sessionid)
272 {
273 char *sql;
274
275 if (user == NULL || realm == NULL) {
276 sql = sqlite3_mprintf("DELETE FROM sessions WHERE "
277 "id=%Q", sessionid);
278 } else {
279 sql = sqlite3_mprintf("DELETE FROM sessions WHERE "
280 "user=%Q AND realm=%Q AND id=%Q",
281 user, realm, sessionid);
282 }
283 if (sql == NULL)
284 return;
285 debug_print(ctx, 1, "DB: %s", sql);
286 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
287 debug_print(ctx, 1, "Failed to delete session entry from "
288 "sqlite database: %s", sqlite3_errmsg(ctx->db));
289 }
290 sqlite3_free(sql);
291 }
292
293
hs20_eventlog(struct hs20_svc * ctx,const char * user,const char * realm,const char * sessionid,const char * notes,const char * dump)294 static void hs20_eventlog(struct hs20_svc *ctx,
295 const char *user, const char *realm,
296 const char *sessionid, const char *notes,
297 const char *dump)
298 {
299 char *sql;
300 char *user_buf = NULL, *realm_buf = NULL;
301
302 debug_print(ctx, 1, "eventlog: %s", notes);
303
304 if (user == NULL) {
305 user_buf = db_get_session_val(ctx, NULL, NULL, sessionid,
306 "user");
307 user = user_buf;
308 realm_buf = db_get_session_val(ctx, NULL, NULL, sessionid,
309 "realm");
310 realm = realm_buf;
311 }
312
313 sql = sqlite3_mprintf("INSERT INTO eventlog"
314 "(user,realm,sessionid,timestamp,notes,dump,addr)"
315 " VALUES (%Q,%Q,%Q,"
316 "strftime('%%Y-%%m-%%d %%H:%%M:%%f','now'),"
317 "%Q,%Q,%Q)",
318 user, realm, sessionid, notes,
319 dump ? dump : "", ctx->addr ? ctx->addr : "");
320 free(user_buf);
321 free(realm_buf);
322 if (sql == NULL)
323 return;
324 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
325 debug_print(ctx, 1, "Failed to add eventlog entry into sqlite "
326 "database: %s", sqlite3_errmsg(ctx->db));
327 }
328 sqlite3_free(sql);
329 }
330
331
hs20_eventlog_node(struct hs20_svc * ctx,const char * user,const char * realm,const char * sessionid,const char * notes,xml_node_t * node)332 static void hs20_eventlog_node(struct hs20_svc *ctx,
333 const char *user, const char *realm,
334 const char *sessionid, const char *notes,
335 xml_node_t *node)
336 {
337 char *str;
338
339 if (node)
340 str = xml_node_to_str(ctx->xml, node);
341 else
342 str = NULL;
343 hs20_eventlog(ctx, user, realm, sessionid, notes, str);
344 free(str);
345 }
346
347
db_update_mo_str(struct hs20_svc * ctx,const char * user,const char * realm,const char * name,const char * str)348 static void db_update_mo_str(struct hs20_svc *ctx, const char *user,
349 const char *realm, const char *name,
350 const char *str)
351 {
352 char *sql;
353 if (user == NULL || realm == NULL || name == NULL)
354 return;
355 sql = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
356 name, str, user, realm);
357 if (sql == NULL)
358 return;
359 debug_print(ctx, 1, "DB: %s", sql);
360 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
361 debug_print(ctx, 1, "Failed to update user MO entry in sqlite "
362 "database: %s", sqlite3_errmsg(ctx->db));
363 }
364 sqlite3_free(sql);
365 }
366
367
db_update_mo(struct hs20_svc * ctx,const char * user,const char * realm,const char * name,xml_node_t * mo)368 static void db_update_mo(struct hs20_svc *ctx, const char *user,
369 const char *realm, const char *name, xml_node_t *mo)
370 {
371 char *str;
372
373 str = xml_node_to_str(ctx->xml, mo);
374 if (str == NULL)
375 return;
376
377 db_update_mo_str(ctx, user, realm, name, str);
378 free(str);
379 }
380
381
add_text_node(struct hs20_svc * ctx,xml_node_t * parent,const char * name,const char * value)382 static void add_text_node(struct hs20_svc *ctx, xml_node_t *parent,
383 const char *name, const char *value)
384 {
385 xml_node_create_text(ctx->xml, parent, NULL, name, value ? value : "");
386 }
387
388
add_text_node_conf(struct hs20_svc * ctx,const char * realm,xml_node_t * parent,const char * name,const char * field)389 static void add_text_node_conf(struct hs20_svc *ctx, const char *realm,
390 xml_node_t *parent, const char *name,
391 const char *field)
392 {
393 char *val;
394 val = db_get_osu_config_val(ctx, realm, field);
395 xml_node_create_text(ctx->xml, parent, NULL, name, val ? val : "");
396 os_free(val);
397 }
398
399
add_text_node_conf_corrupt(struct hs20_svc * ctx,const char * realm,xml_node_t * parent,const char * name,const char * field)400 static void add_text_node_conf_corrupt(struct hs20_svc *ctx, const char *realm,
401 xml_node_t *parent, const char *name,
402 const char *field)
403 {
404 char *val;
405
406 val = db_get_osu_config_val(ctx, realm, field);
407 if (val) {
408 size_t len;
409
410 len = os_strlen(val);
411 if (len > 0) {
412 if (val[len - 1] == '0')
413 val[len - 1] = '1';
414 else
415 val[len - 1] = '0';
416 }
417 }
418 xml_node_create_text(ctx->xml, parent, NULL, name, val ? val : "");
419 os_free(val);
420 }
421
422
new_password(char * buf,int buflen)423 static int new_password(char *buf, int buflen)
424 {
425 int i;
426
427 if (buflen < 1)
428 return -1;
429 buf[buflen - 1] = '\0';
430 if (os_get_random((unsigned char *) buf, buflen - 1) < 0)
431 return -1;
432
433 for (i = 0; i < buflen - 1; i++) {
434 unsigned char val = buf[i];
435 val %= 2 * 26 + 10;
436 if (val < 26)
437 buf[i] = 'a' + val;
438 else if (val < 2 * 26)
439 buf[i] = 'A' + val - 26;
440 else
441 buf[i] = '0' + val - 2 * 26;
442 }
443
444 return 0;
445 }
446
447
448 struct get_db_field_data {
449 const char *field;
450 char *value;
451 };
452
453
get_db_field(void * ctx,int argc,char * argv[],char * col[])454 static int get_db_field(void *ctx, int argc, char *argv[], char *col[])
455 {
456 struct get_db_field_data *data = ctx;
457 int i;
458
459 for (i = 0; i < argc; i++) {
460 if (os_strcmp(col[i], data->field) == 0 && argv[i]) {
461 os_free(data->value);
462 data->value = os_strdup(argv[i]);
463 break;
464 }
465 }
466
467 return 0;
468 }
469
470
db_get_val(struct hs20_svc * ctx,const char * user,const char * realm,const char * field,int dmacc)471 static char * db_get_val(struct hs20_svc *ctx, const char *user,
472 const char *realm, const char *field, int dmacc)
473 {
474 char *cmd;
475 struct get_db_field_data data;
476
477 cmd = sqlite3_mprintf("SELECT %s FROM users WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
478 field, dmacc ? "osu_user" : "identity",
479 user, realm);
480 if (cmd == NULL)
481 return NULL;
482 memset(&data, 0, sizeof(data));
483 data.field = field;
484 if (sqlite3_exec(ctx->db, cmd, get_db_field, &data, NULL) != SQLITE_OK)
485 {
486 debug_print(ctx, 1, "Could not find user '%s'", user);
487 sqlite3_free(cmd);
488 return NULL;
489 }
490 sqlite3_free(cmd);
491
492 debug_print(ctx, 1, "DB: user='%s' realm='%s' field='%s' dmacc=%d --> "
493 "value='%s'", user, realm, field, dmacc, data.value);
494
495 return data.value;
496 }
497
498
db_update_val(struct hs20_svc * ctx,const char * user,const char * realm,const char * field,const char * val,int dmacc)499 static int db_update_val(struct hs20_svc *ctx, const char *user,
500 const char *realm, const char *field,
501 const char *val, int dmacc)
502 {
503 char *cmd;
504 int ret;
505
506 cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE %s=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
507 field, val, dmacc ? "osu_user" : "identity", user,
508 realm);
509 if (cmd == NULL)
510 return -1;
511 debug_print(ctx, 1, "DB: %s", cmd);
512 if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
513 debug_print(ctx, 1,
514 "Failed to update user in sqlite database: %s",
515 sqlite3_errmsg(ctx->db));
516 ret = -1;
517 } else {
518 debug_print(ctx, 1,
519 "DB: user='%s' realm='%s' field='%s' set to '%s'",
520 user, realm, field, val);
521 ret = 0;
522 }
523 sqlite3_free(cmd);
524
525 return ret;
526 }
527
528
db_get_session_val(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id,const char * field)529 static char * db_get_session_val(struct hs20_svc *ctx, const char *user,
530 const char *realm, const char *session_id,
531 const char *field)
532 {
533 char *cmd;
534 struct get_db_field_data data;
535
536 if (user == NULL || realm == NULL) {
537 cmd = sqlite3_mprintf("SELECT %s FROM sessions WHERE "
538 "id=%Q", field, session_id);
539 } else {
540 cmd = sqlite3_mprintf("SELECT %s FROM sessions WHERE "
541 "user=%Q AND realm=%Q AND id=%Q",
542 field, user, realm, session_id);
543 }
544 if (cmd == NULL)
545 return NULL;
546 debug_print(ctx, 1, "DB: %s", cmd);
547 memset(&data, 0, sizeof(data));
548 data.field = field;
549 if (sqlite3_exec(ctx->db, cmd, get_db_field, &data, NULL) != SQLITE_OK)
550 {
551 debug_print(ctx, 1, "DB: Could not find session %s: %s",
552 session_id, sqlite3_errmsg(ctx->db));
553 sqlite3_free(cmd);
554 return NULL;
555 }
556 sqlite3_free(cmd);
557
558 debug_print(ctx, 1, "DB: return '%s'", data.value);
559 return data.value;
560 }
561
562
update_password(struct hs20_svc * ctx,const char * user,const char * realm,const char * pw,int dmacc)563 static int update_password(struct hs20_svc *ctx, const char *user,
564 const char *realm, const char *pw, int dmacc)
565 {
566 char *cmd;
567
568 cmd = sqlite3_mprintf("UPDATE users SET password=%Q, "
569 "remediation='' "
570 "WHERE %s=%Q AND phase2=1",
571 pw, dmacc ? "osu_user" : "identity",
572 user);
573 if (cmd == NULL)
574 return -1;
575 debug_print(ctx, 1, "DB: %s", cmd);
576 if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
577 debug_print(ctx, 1, "Failed to update database for user '%s'",
578 user);
579 }
580 sqlite3_free(cmd);
581
582 return 0;
583 }
584
585
clear_remediation(struct hs20_svc * ctx,const char * user,const char * realm,int dmacc)586 static int clear_remediation(struct hs20_svc *ctx, const char *user,
587 const char *realm, int dmacc)
588 {
589 char *cmd;
590
591 cmd = sqlite3_mprintf("UPDATE users SET remediation='' WHERE %s=%Q",
592 dmacc ? "osu_user" : "identity",
593 user);
594 if (cmd == NULL)
595 return -1;
596 debug_print(ctx, 1, "DB: %s", cmd);
597 if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
598 debug_print(ctx, 1, "Failed to update database for user '%s'",
599 user);
600 }
601 sqlite3_free(cmd);
602
603 return 0;
604 }
605
606
add_eap_ttls(struct hs20_svc * ctx,xml_node_t * parent)607 static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent)
608 {
609 xml_node_t *node;
610
611 node = xml_node_create(ctx->xml, parent, NULL, "EAPMethod");
612 if (node == NULL)
613 return -1;
614
615 add_text_node(ctx, node, "EAPType", "21");
616 add_text_node(ctx, node, "InnerMethod", "MS-CHAP-V2");
617
618 return 0;
619 }
620
621
build_username_password(struct hs20_svc * ctx,xml_node_t * parent,const char * user,const char * pw)622 static xml_node_t * build_username_password(struct hs20_svc *ctx,
623 xml_node_t *parent,
624 const char *user, const char *pw)
625 {
626 xml_node_t *node;
627 char *b64;
628 size_t len;
629
630 node = xml_node_create(ctx->xml, parent, NULL, "UsernamePassword");
631 if (node == NULL)
632 return NULL;
633
634 add_text_node(ctx, node, "Username", user);
635
636 b64 = base64_encode(pw, strlen(pw), NULL);
637 if (b64 == NULL)
638 return NULL;
639 len = os_strlen(b64);
640 if (len > 0 && b64[len - 1] == '\n')
641 b64[len - 1] = '\0';
642 add_text_node(ctx, node, "Password", b64);
643 free(b64);
644
645 return node;
646 }
647
648
add_username_password(struct hs20_svc * ctx,xml_node_t * cred,const char * user,const char * pw,int machine_managed)649 static int add_username_password(struct hs20_svc *ctx, xml_node_t *cred,
650 const char *user, const char *pw,
651 int machine_managed)
652 {
653 xml_node_t *node;
654
655 node = build_username_password(ctx, cred, user, pw);
656 if (node == NULL)
657 return -1;
658
659 add_text_node(ctx, node, "MachineManaged",
660 machine_managed ? "TRUE" : "FALSE");
661 add_text_node(ctx, node, "SoftTokenApp", "");
662 add_eap_ttls(ctx, node);
663
664 return 0;
665 }
666
667
add_creation_date(struct hs20_svc * ctx,xml_node_t * cred)668 static void add_creation_date(struct hs20_svc *ctx, xml_node_t *cred)
669 {
670 char str[30];
671 time_t now;
672 struct tm tm;
673
674 time(&now);
675 gmtime_r(&now, &tm);
676 snprintf(str, sizeof(str), "%04u-%02u-%02uT%02u:%02u:%02uZ",
677 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
678 tm.tm_hour, tm.tm_min, tm.tm_sec);
679 xml_node_create_text(ctx->xml, cred, NULL, "CreationDate", str);
680 }
681
682
build_credential_pw(struct hs20_svc * ctx,const char * user,const char * realm,const char * pw,int machine_managed)683 static xml_node_t * build_credential_pw(struct hs20_svc *ctx,
684 const char *user, const char *realm,
685 const char *pw, int machine_managed)
686 {
687 xml_node_t *cred;
688
689 cred = xml_node_create_root(ctx->xml, NULL, NULL, NULL, "Credential");
690 if (cred == NULL) {
691 debug_print(ctx, 1, "Failed to create Credential node");
692 return NULL;
693 }
694 add_creation_date(ctx, cred);
695 if (add_username_password(ctx, cred, user, pw, machine_managed) < 0) {
696 xml_node_free(ctx->xml, cred);
697 return NULL;
698 }
699 add_text_node(ctx, cred, "Realm", realm);
700
701 return cred;
702 }
703
704
build_credential(struct hs20_svc * ctx,const char * user,const char * realm,char * new_pw,size_t new_pw_len)705 static xml_node_t * build_credential(struct hs20_svc *ctx,
706 const char *user, const char *realm,
707 char *new_pw, size_t new_pw_len)
708 {
709 if (new_password(new_pw, new_pw_len) < 0)
710 return NULL;
711 debug_print(ctx, 1, "Update password to '%s'", new_pw);
712 return build_credential_pw(ctx, user, realm, new_pw, 1);
713 }
714
715
build_credential_cert(struct hs20_svc * ctx,const char * user,const char * realm,const char * cert_fingerprint)716 static xml_node_t * build_credential_cert(struct hs20_svc *ctx,
717 const char *user, const char *realm,
718 const char *cert_fingerprint)
719 {
720 xml_node_t *cred, *cert;
721
722 cred = xml_node_create_root(ctx->xml, NULL, NULL, NULL, "Credential");
723 if (cred == NULL) {
724 debug_print(ctx, 1, "Failed to create Credential node");
725 return NULL;
726 }
727 add_creation_date(ctx, cred);
728 cert = xml_node_create(ctx->xml, cred, NULL, "DigitalCertificate");
729 add_text_node(ctx, cert, "CertificateType", "x509v3");
730 add_text_node(ctx, cert, "CertSHA256Fingerprint", cert_fingerprint);
731 add_text_node(ctx, cred, "Realm", realm);
732
733 return cred;
734 }
735
736
build_post_dev_data_response(struct hs20_svc * ctx,xml_namespace_t ** ret_ns,const char * session_id,const char * status,const char * error_code)737 static xml_node_t * build_post_dev_data_response(struct hs20_svc *ctx,
738 xml_namespace_t **ret_ns,
739 const char *session_id,
740 const char *status,
741 const char *error_code)
742 {
743 xml_node_t *spp_node = NULL;
744 xml_namespace_t *ns;
745
746 spp_node = xml_node_create_root(ctx->xml, SPP_NS_URI, "spp", &ns,
747 "sppPostDevDataResponse");
748 if (spp_node == NULL)
749 return NULL;
750 if (ret_ns)
751 *ret_ns = ns;
752
753 xml_node_add_attr(ctx->xml, spp_node, ns, "sppVersion", "1.0");
754 xml_node_add_attr(ctx->xml, spp_node, ns, "sessionID", session_id);
755 xml_node_add_attr(ctx->xml, spp_node, ns, "sppStatus", status);
756
757 if (error_code) {
758 xml_node_t *node;
759 node = xml_node_create(ctx->xml, spp_node, ns, "sppError");
760 if (node)
761 xml_node_add_attr(ctx->xml, node, NULL, "errorCode",
762 error_code);
763 }
764
765 return spp_node;
766 }
767
768
add_update_node(struct hs20_svc * ctx,xml_node_t * spp_node,xml_namespace_t * ns,const char * uri,xml_node_t * upd_node)769 static int add_update_node(struct hs20_svc *ctx, xml_node_t *spp_node,
770 xml_namespace_t *ns, const char *uri,
771 xml_node_t *upd_node)
772 {
773 xml_node_t *node, *tnds;
774 char *str;
775
776 tnds = mo_to_tnds(ctx->xml, upd_node, 0, NULL, NULL);
777 if (!tnds)
778 return -1;
779
780 str = xml_node_to_str(ctx->xml, tnds);
781 xml_node_free(ctx->xml, tnds);
782 if (str == NULL)
783 return -1;
784 node = xml_node_create_text(ctx->xml, spp_node, ns, "updateNode", str);
785 free(str);
786
787 xml_node_add_attr(ctx->xml, node, ns, "managementTreeURI", uri);
788
789 return 0;
790 }
791
792
read_subrem_file(struct hs20_svc * ctx,const char * subrem_id,char * uri,size_t uri_size)793 static xml_node_t * read_subrem_file(struct hs20_svc *ctx,
794 const char *subrem_id,
795 char *uri, size_t uri_size)
796 {
797 char fname[200];
798 char *buf, *buf2, *pos;
799 size_t len;
800 xml_node_t *node;
801
802 os_snprintf(fname, sizeof(fname), "%s/spp/subrem/%s",
803 ctx->root_dir, subrem_id);
804 debug_print(ctx, 1, "Use subrem file %s", fname);
805
806 buf = os_readfile(fname, &len);
807 if (!buf)
808 return NULL;
809 buf2 = os_realloc(buf, len + 1);
810 if (!buf2) {
811 os_free(buf);
812 return NULL;
813 }
814 buf = buf2;
815 buf[len] = '\0';
816
817 pos = os_strchr(buf, '\n');
818 if (!pos) {
819 os_free(buf);
820 return NULL;
821 }
822 *pos++ = '\0';
823 os_strlcpy(uri, buf, uri_size);
824
825 node = xml_node_from_buf(ctx->xml, pos);
826 os_free(buf);
827
828 return node;
829 }
830
831
build_sub_rem_resp(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id,int machine_rem,int dmacc)832 static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
833 const char *user, const char *realm,
834 const char *session_id,
835 int machine_rem, int dmacc)
836 {
837 xml_namespace_t *ns;
838 xml_node_t *spp_node, *cred;
839 char buf[400];
840 char new_pw[33];
841 char *status;
842 char *cert;
843
844 cert = db_get_val(ctx, user, realm, "cert", dmacc);
845 if (cert && cert[0] == '\0') {
846 os_free(cert);
847 cert = NULL;
848 }
849 if (cert) {
850 char *subrem;
851
852 /* No change needed in PPS MO unless specifically asked to */
853 cred = NULL;
854 buf[0] = '\0';
855
856 subrem = db_get_val(ctx, user, realm, "subrem", dmacc);
857 if (subrem && subrem[0]) {
858 cred = read_subrem_file(ctx, subrem, buf, sizeof(buf));
859 if (!cred) {
860 debug_print(ctx, 1,
861 "Could not create updateNode from subrem file");
862 os_free(subrem);
863 os_free(cert);
864 return NULL;
865 }
866 }
867 os_free(subrem);
868 } else {
869 char *real_user = NULL;
870 char *pw;
871
872 if (dmacc) {
873 real_user = db_get_val(ctx, user, realm, "identity",
874 dmacc);
875 if (!real_user) {
876 debug_print(ctx, 1,
877 "Could not find user identity for dmacc user '%s'",
878 user);
879 return NULL;
880 }
881 }
882
883 pw = db_get_session_val(ctx, user, realm, session_id,
884 "password");
885 if (pw && pw[0]) {
886 debug_print(ctx, 1, "New password from the user: '%s'",
887 pw);
888 snprintf(new_pw, sizeof(new_pw), "%s", pw);
889 free(pw);
890 cred = build_credential_pw(ctx,
891 real_user ? real_user : user,
892 realm, new_pw, 0);
893 } else {
894 cred = build_credential(ctx,
895 real_user ? real_user : user,
896 realm, new_pw, sizeof(new_pw));
897 }
898
899 free(real_user);
900 if (!cred) {
901 debug_print(ctx, 1, "Could not build credential");
902 os_free(cert);
903 return NULL;
904 }
905
906 snprintf(buf, sizeof(buf),
907 "./Wi-Fi/%s/PerProviderSubscription/Cred01/Credential",
908 realm);
909 }
910
911 status = "Remediation complete, request sppUpdateResponse";
912 spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
913 NULL);
914 if (spp_node == NULL) {
915 debug_print(ctx, 1, "Could not build sppPostDevDataResponse");
916 os_free(cert);
917 return NULL;
918 }
919
920 if ((cred && add_update_node(ctx, spp_node, ns, buf, cred) < 0) ||
921 (!cred && !xml_node_create(ctx->xml, spp_node, ns, "noMOUpdate"))) {
922 debug_print(ctx, 1, "Could not add update node");
923 xml_node_free(ctx->xml, spp_node);
924 os_free(cert);
925 return NULL;
926 }
927
928 hs20_eventlog_node(ctx, user, realm, session_id,
929 machine_rem ? "machine remediation" :
930 "user remediation", cred);
931 xml_node_free(ctx->xml, cred);
932
933 if (cert) {
934 debug_print(ctx, 1, "Request DB remediation clearing on success notification (certificate credential)");
935 db_add_session(ctx, user, realm, session_id, NULL, NULL,
936 CLEAR_REMEDIATION, NULL);
937 } else {
938 debug_print(ctx, 1, "Request DB password update on success "
939 "notification");
940 db_add_session(ctx, user, realm, session_id, new_pw, NULL,
941 UPDATE_PASSWORD, NULL);
942 }
943 os_free(cert);
944
945 return spp_node;
946 }
947
948
machine_remediation(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id,int dmacc)949 static xml_node_t * machine_remediation(struct hs20_svc *ctx,
950 const char *user,
951 const char *realm,
952 const char *session_id, int dmacc)
953 {
954 return build_sub_rem_resp(ctx, user, realm, session_id, 1, dmacc);
955 }
956
957
cert_reenroll(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id)958 static xml_node_t * cert_reenroll(struct hs20_svc *ctx,
959 const char *user,
960 const char *realm,
961 const char *session_id)
962 {
963 db_add_session(ctx, user, realm, session_id, NULL, NULL,
964 CERT_REENROLL, NULL);
965 return spp_exec_get_certificate(ctx, session_id, user, realm, 0);
966 }
967
968
policy_remediation(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id,int dmacc)969 static xml_node_t * policy_remediation(struct hs20_svc *ctx,
970 const char *user, const char *realm,
971 const char *session_id, int dmacc)
972 {
973 xml_namespace_t *ns;
974 xml_node_t *spp_node, *policy;
975 char buf[400];
976 const char *status;
977
978 hs20_eventlog(ctx, user, realm, session_id,
979 "requires policy remediation", NULL);
980
981 db_add_session(ctx, user, realm, session_id, NULL, NULL,
982 POLICY_REMEDIATION, NULL);
983
984 policy = build_policy(ctx, user, realm, dmacc);
985 if (!policy) {
986 return build_post_dev_data_response(
987 ctx, NULL, session_id,
988 "No update available at this time", NULL);
989 }
990
991 status = "Remediation complete, request sppUpdateResponse";
992 spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
993 NULL);
994 if (spp_node == NULL)
995 return NULL;
996
997 snprintf(buf, sizeof(buf),
998 "./Wi-Fi/%s/PerProviderSubscription/Cred01/Policy",
999 realm);
1000
1001 if (add_update_node(ctx, spp_node, ns, buf, policy) < 0) {
1002 xml_node_free(ctx->xml, spp_node);
1003 xml_node_free(ctx->xml, policy);
1004 return NULL;
1005 }
1006
1007 hs20_eventlog_node(ctx, user, realm, session_id,
1008 "policy update (sub rem)", policy);
1009 xml_node_free(ctx->xml, policy);
1010
1011 return spp_node;
1012 }
1013
1014
browser_remediation(struct hs20_svc * ctx,const char * session_id,const char * redirect_uri,const char * uri)1015 static xml_node_t * browser_remediation(struct hs20_svc *ctx,
1016 const char *session_id,
1017 const char *redirect_uri,
1018 const char *uri)
1019 {
1020 xml_namespace_t *ns;
1021 xml_node_t *spp_node, *exec_node;
1022
1023 if (redirect_uri == NULL) {
1024 debug_print(ctx, 1, "Missing redirectURI attribute for user "
1025 "remediation");
1026 return NULL;
1027 }
1028 debug_print(ctx, 1, "redirectURI %s", redirect_uri);
1029
1030 spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK",
1031 NULL);
1032 if (spp_node == NULL)
1033 return NULL;
1034
1035 exec_node = xml_node_create(ctx->xml, spp_node, ns, "exec");
1036 xml_node_create_text(ctx->xml, exec_node, ns, "launchBrowserToURI",
1037 uri);
1038 return spp_node;
1039 }
1040
1041
user_remediation(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id,const char * redirect_uri)1042 static xml_node_t * user_remediation(struct hs20_svc *ctx, const char *user,
1043 const char *realm, const char *session_id,
1044 const char *redirect_uri)
1045 {
1046 char uri[300], *val;
1047
1048 hs20_eventlog(ctx, user, realm, session_id,
1049 "requires user remediation", NULL);
1050 val = db_get_osu_config_val(ctx, realm, "remediation_url");
1051 if (val == NULL)
1052 return NULL;
1053
1054 db_add_session(ctx, user, realm, session_id, NULL, redirect_uri,
1055 USER_REMEDIATION, NULL);
1056
1057 snprintf(uri, sizeof(uri), "%s%s", val, session_id);
1058 os_free(val);
1059 return browser_remediation(ctx, session_id, redirect_uri, uri);
1060 }
1061
1062
free_remediation(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id,const char * redirect_uri)1063 static xml_node_t * free_remediation(struct hs20_svc *ctx,
1064 const char *user, const char *realm,
1065 const char *session_id,
1066 const char *redirect_uri)
1067 {
1068 char uri[300], *val;
1069
1070 hs20_eventlog(ctx, user, realm, session_id,
1071 "requires free/public account remediation", NULL);
1072 val = db_get_osu_config_val(ctx, realm, "free_remediation_url");
1073 if (val == NULL)
1074 return NULL;
1075
1076 db_add_session(ctx, user, realm, session_id, NULL, redirect_uri,
1077 FREE_REMEDIATION, NULL);
1078
1079 snprintf(uri, sizeof(uri), "%s%s", val, session_id);
1080 os_free(val);
1081 return browser_remediation(ctx, session_id, redirect_uri, uri);
1082 }
1083
1084
no_sub_rem(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id)1085 static xml_node_t * no_sub_rem(struct hs20_svc *ctx,
1086 const char *user, const char *realm,
1087 const char *session_id)
1088 {
1089 const char *status;
1090
1091 hs20_eventlog(ctx, user, realm, session_id,
1092 "no subscription mediation available", NULL);
1093
1094 status = "No update available at this time";
1095 return build_post_dev_data_response(ctx, NULL, session_id, status,
1096 NULL);
1097 }
1098
1099
hs20_subscription_remediation(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id,int dmacc,const char * redirect_uri)1100 static xml_node_t * hs20_subscription_remediation(struct hs20_svc *ctx,
1101 const char *user,
1102 const char *realm,
1103 const char *session_id,
1104 int dmacc,
1105 const char *redirect_uri)
1106 {
1107 char *type, *identity;
1108 xml_node_t *ret;
1109 char *free_account;
1110
1111 identity = db_get_val(ctx, user, realm, "identity", dmacc);
1112 if (identity == NULL || strlen(identity) == 0) {
1113 hs20_eventlog(ctx, user, realm, session_id,
1114 "user not found in database for remediation",
1115 NULL);
1116 os_free(identity);
1117 return build_post_dev_data_response(ctx, NULL, session_id,
1118 "Error occurred",
1119 "Not found");
1120 }
1121 os_free(identity);
1122
1123 free_account = db_get_osu_config_val(ctx, realm, "free_account");
1124 if (free_account && strcmp(free_account, user) == 0) {
1125 free(free_account);
1126 return no_sub_rem(ctx, user, realm, session_id);
1127 }
1128 free(free_account);
1129
1130 type = db_get_val(ctx, user, realm, "remediation", dmacc);
1131 if (type && strcmp(type, "free") != 0) {
1132 char *val;
1133 int shared = 0;
1134 val = db_get_val(ctx, user, realm, "shared", dmacc);
1135 if (val)
1136 shared = atoi(val);
1137 free(val);
1138 if (shared) {
1139 free(type);
1140 return no_sub_rem(ctx, user, realm, session_id);
1141 }
1142 }
1143 if (type && strcmp(type, "user") == 0)
1144 ret = user_remediation(ctx, user, realm, session_id,
1145 redirect_uri);
1146 else if (type && strcmp(type, "free") == 0)
1147 ret = free_remediation(ctx, user, realm, session_id,
1148 redirect_uri);
1149 else if (type && strcmp(type, "policy") == 0)
1150 ret = policy_remediation(ctx, user, realm, session_id, dmacc);
1151 else if (type && strcmp(type, "machine") == 0)
1152 ret = machine_remediation(ctx, user, realm, session_id, dmacc);
1153 else if (type && strcmp(type, "reenroll") == 0)
1154 ret = cert_reenroll(ctx, user, realm, session_id);
1155 else
1156 ret = no_sub_rem(ctx, user, realm, session_id);
1157 free(type);
1158
1159 return ret;
1160 }
1161
1162
read_policy_file(struct hs20_svc * ctx,const char * policy_id)1163 static xml_node_t * read_policy_file(struct hs20_svc *ctx,
1164 const char *policy_id)
1165 {
1166 char fname[200];
1167
1168 snprintf(fname, sizeof(fname), "%s/spp/policy/%s.xml",
1169 ctx->root_dir, policy_id);
1170 debug_print(ctx, 1, "Use policy file %s", fname);
1171
1172 return node_from_file(ctx->xml, fname);
1173 }
1174
1175
update_policy_update_uri(struct hs20_svc * ctx,const char * realm,xml_node_t * policy)1176 static void update_policy_update_uri(struct hs20_svc *ctx, const char *realm,
1177 xml_node_t *policy)
1178 {
1179 xml_node_t *node;
1180 char *url;
1181
1182 node = get_node_uri(ctx->xml, policy, "Policy/PolicyUpdate/URI");
1183 if (!node)
1184 return;
1185
1186 url = db_get_osu_config_val(ctx, realm, "policy_url");
1187 if (!url)
1188 return;
1189 xml_node_set_text(ctx->xml, node, url);
1190 free(url);
1191 }
1192
1193
build_policy(struct hs20_svc * ctx,const char * user,const char * realm,int use_dmacc)1194 static xml_node_t * build_policy(struct hs20_svc *ctx, const char *user,
1195 const char *realm, int use_dmacc)
1196 {
1197 char *policy_id;
1198 xml_node_t *policy, *node;
1199
1200 policy_id = db_get_val(ctx, user, realm, "policy", use_dmacc);
1201 if (policy_id == NULL || strlen(policy_id) == 0) {
1202 free(policy_id);
1203 policy_id = strdup("default");
1204 if (policy_id == NULL)
1205 return NULL;
1206 }
1207 policy = read_policy_file(ctx, policy_id);
1208 free(policy_id);
1209 if (policy == NULL)
1210 return NULL;
1211
1212 update_policy_update_uri(ctx, realm, policy);
1213
1214 node = get_node_uri(ctx->xml, policy, "Policy/PolicyUpdate");
1215 if (node && use_dmacc) {
1216 char *pw;
1217 pw = db_get_val(ctx, user, realm, "osu_password", use_dmacc);
1218 if (pw == NULL ||
1219 build_username_password(ctx, node, user, pw) == NULL) {
1220 debug_print(ctx, 1, "Failed to add Policy/PolicyUpdate/"
1221 "UsernamePassword");
1222 free(pw);
1223 xml_node_free(ctx->xml, policy);
1224 return NULL;
1225 }
1226 free(pw);
1227 }
1228
1229 return policy;
1230 }
1231
1232
hs20_policy_update(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id,int dmacc)1233 static xml_node_t * hs20_policy_update(struct hs20_svc *ctx,
1234 const char *user, const char *realm,
1235 const char *session_id, int dmacc)
1236 {
1237 xml_namespace_t *ns;
1238 xml_node_t *spp_node;
1239 xml_node_t *policy;
1240 char buf[400];
1241 const char *status;
1242 char *identity;
1243
1244 identity = db_get_val(ctx, user, realm, "identity", dmacc);
1245 if (identity == NULL || strlen(identity) == 0) {
1246 hs20_eventlog(ctx, user, realm, session_id,
1247 "user not found in database for policy update",
1248 NULL);
1249 os_free(identity);
1250 return build_post_dev_data_response(ctx, NULL, session_id,
1251 "Error occurred",
1252 "Not found");
1253 }
1254 os_free(identity);
1255
1256 policy = build_policy(ctx, user, realm, dmacc);
1257 if (!policy) {
1258 return build_post_dev_data_response(
1259 ctx, NULL, session_id,
1260 "No update available at this time", NULL);
1261 }
1262
1263 db_add_session(ctx, user, realm, session_id, NULL, NULL, POLICY_UPDATE,
1264 NULL);
1265
1266 status = "Update complete, request sppUpdateResponse";
1267 spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
1268 NULL);
1269 if (spp_node == NULL)
1270 return NULL;
1271
1272 snprintf(buf, sizeof(buf),
1273 "./Wi-Fi/%s/PerProviderSubscription/Cred01/Policy",
1274 realm);
1275
1276 if (add_update_node(ctx, spp_node, ns, buf, policy) < 0) {
1277 xml_node_free(ctx->xml, spp_node);
1278 xml_node_free(ctx->xml, policy);
1279 return NULL;
1280 }
1281
1282 hs20_eventlog_node(ctx, user, realm, session_id, "policy update",
1283 policy);
1284 xml_node_free(ctx->xml, policy);
1285
1286 return spp_node;
1287 }
1288
1289
spp_get_mo(struct hs20_svc * ctx,xml_node_t * node,const char * urn,int * valid,char ** ret_err)1290 static xml_node_t * spp_get_mo(struct hs20_svc *ctx, xml_node_t *node,
1291 const char *urn, int *valid, char **ret_err)
1292 {
1293 xml_node_t *child, *tnds, *mo;
1294 const char *name;
1295 char *mo_urn;
1296 char *str;
1297 char fname[200];
1298
1299 *valid = -1;
1300 if (ret_err)
1301 *ret_err = NULL;
1302
1303 xml_node_for_each_child(ctx->xml, child, node) {
1304 xml_node_for_each_check(ctx->xml, child);
1305 name = xml_node_get_localname(ctx->xml, child);
1306 if (strcmp(name, "moContainer") != 0)
1307 continue;
1308 mo_urn = xml_node_get_attr_value_ns(ctx->xml, child, SPP_NS_URI,
1309 "moURN");
1310 if (strcasecmp(urn, mo_urn) == 0) {
1311 xml_node_get_attr_value_free(ctx->xml, mo_urn);
1312 break;
1313 }
1314 xml_node_get_attr_value_free(ctx->xml, mo_urn);
1315 }
1316
1317 if (child == NULL)
1318 return NULL;
1319
1320 debug_print(ctx, 1, "moContainer text for %s", urn);
1321 debug_dump_node(ctx, "moContainer", child);
1322
1323 str = xml_node_get_text(ctx->xml, child);
1324 debug_print(ctx, 1, "moContainer payload: '%s'", str);
1325 tnds = xml_node_from_buf(ctx->xml, str);
1326 xml_node_get_text_free(ctx->xml, str);
1327 if (tnds == NULL) {
1328 debug_print(ctx, 1, "could not parse moContainer text");
1329 return NULL;
1330 }
1331
1332 snprintf(fname, sizeof(fname), "%s/spp/dm_ddf-v1_2.dtd", ctx->root_dir);
1333 if (xml_validate_dtd(ctx->xml, tnds, fname, ret_err) == 0)
1334 *valid = 1;
1335 else if (ret_err && *ret_err &&
1336 os_strcmp(*ret_err, "No declaration for attribute xmlns of element MgmtTree\n") == 0) {
1337 free(*ret_err);
1338 debug_print(ctx, 1, "Ignore OMA-DM DDF DTD validation error for MgmtTree namespace declaration with xmlns attribute");
1339 *ret_err = NULL;
1340 *valid = 1;
1341 } else
1342 *valid = 0;
1343
1344 mo = tnds_to_mo(ctx->xml, tnds);
1345 xml_node_free(ctx->xml, tnds);
1346 if (mo == NULL) {
1347 debug_print(ctx, 1, "invalid moContainer for %s", urn);
1348 }
1349
1350 return mo;
1351 }
1352
1353
spp_exec_upload_mo(struct hs20_svc * ctx,const char * session_id,const char * urn)1354 static xml_node_t * spp_exec_upload_mo(struct hs20_svc *ctx,
1355 const char *session_id, const char *urn)
1356 {
1357 xml_namespace_t *ns;
1358 xml_node_t *spp_node, *node, *exec_node;
1359
1360 spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK",
1361 NULL);
1362 if (spp_node == NULL)
1363 return NULL;
1364
1365 exec_node = xml_node_create(ctx->xml, spp_node, ns, "exec");
1366
1367 node = xml_node_create(ctx->xml, exec_node, ns, "uploadMO");
1368 xml_node_add_attr(ctx->xml, node, ns, "moURN", urn);
1369
1370 return spp_node;
1371 }
1372
1373
hs20_subscription_registration(struct hs20_svc * ctx,const char * realm,const char * session_id,const char * redirect_uri,const u8 * mac_addr)1374 static xml_node_t * hs20_subscription_registration(struct hs20_svc *ctx,
1375 const char *realm,
1376 const char *session_id,
1377 const char *redirect_uri,
1378 const u8 *mac_addr)
1379 {
1380 xml_namespace_t *ns;
1381 xml_node_t *spp_node, *exec_node;
1382 char uri[300], *val;
1383
1384 if (db_add_session(ctx, NULL, realm, session_id, NULL, redirect_uri,
1385 SUBSCRIPTION_REGISTRATION, mac_addr) < 0)
1386 return NULL;
1387 val = db_get_osu_config_val(ctx, realm, "signup_url");
1388 if (val == NULL)
1389 return NULL;
1390
1391 spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK",
1392 NULL);
1393 if (spp_node == NULL)
1394 return NULL;
1395
1396 exec_node = xml_node_create(ctx->xml, spp_node, ns, "exec");
1397
1398 snprintf(uri, sizeof(uri), "%s%s", val, session_id);
1399 os_free(val);
1400 xml_node_create_text(ctx->xml, exec_node, ns, "launchBrowserToURI",
1401 uri);
1402 return spp_node;
1403 }
1404
1405
hs20_user_input_remediation(struct hs20_svc * ctx,const char * user,const char * realm,int dmacc,const char * session_id)1406 static xml_node_t * hs20_user_input_remediation(struct hs20_svc *ctx,
1407 const char *user,
1408 const char *realm, int dmacc,
1409 const char *session_id)
1410 {
1411 return build_sub_rem_resp(ctx, user, realm, session_id, 0, dmacc);
1412 }
1413
1414
db_get_osu_config_val(struct hs20_svc * ctx,const char * realm,const char * field)1415 static char * db_get_osu_config_val(struct hs20_svc *ctx, const char *realm,
1416 const char *field)
1417 {
1418 char *cmd;
1419 struct get_db_field_data data;
1420
1421 cmd = sqlite3_mprintf("SELECT value FROM osu_config WHERE realm=%Q AND "
1422 "field=%Q", realm, field);
1423 if (cmd == NULL)
1424 return NULL;
1425 debug_print(ctx, 1, "DB: %s", cmd);
1426 memset(&data, 0, sizeof(data));
1427 data.field = "value";
1428 if (sqlite3_exec(ctx->db, cmd, get_db_field, &data, NULL) != SQLITE_OK)
1429 {
1430 debug_print(ctx, 1, "DB: Could not find osu_config %s: %s",
1431 realm, sqlite3_errmsg(ctx->db));
1432 sqlite3_free(cmd);
1433 return NULL;
1434 }
1435 sqlite3_free(cmd);
1436
1437 debug_print(ctx, 1, "DB: return '%s'", data.value);
1438 return data.value;
1439 }
1440
1441
build_pps(struct hs20_svc * ctx,const char * user,const char * realm,const char * pw,const char * cert,int machine_managed,const char * test,const char * imsi,const char * dmacc_username,const char * dmacc_password,xml_node_t * policy_node)1442 static xml_node_t * build_pps(struct hs20_svc *ctx,
1443 const char *user, const char *realm,
1444 const char *pw, const char *cert,
1445 int machine_managed, const char *test,
1446 const char *imsi, const char *dmacc_username,
1447 const char *dmacc_password,
1448 xml_node_t *policy_node)
1449 {
1450 xml_node_t *pps, *c, *trust, *aaa, *aaa1, *upd, *homesp, *p;
1451 xml_node_t *cred, *eap, *userpw;
1452
1453 pps = xml_node_create_root(ctx->xml, NULL, NULL, NULL,
1454 "PerProviderSubscription");
1455 if (!pps) {
1456 xml_node_free(ctx->xml, policy_node);
1457 return NULL;
1458 }
1459
1460 add_text_node(ctx, pps, "UpdateIdentifier", "1");
1461
1462 c = xml_node_create(ctx->xml, pps, NULL, "Cred01");
1463
1464 add_text_node(ctx, c, "CredentialPriority", "1");
1465
1466 if (imsi)
1467 goto skip_aaa_trust_root;
1468 aaa = xml_node_create(ctx->xml, c, NULL, "AAAServerTrustRoot");
1469 aaa1 = xml_node_create(ctx->xml, aaa, NULL, "AAA1");
1470 add_text_node_conf(ctx, realm, aaa1, "CertURL",
1471 "aaa_trust_root_cert_url");
1472 if (test && os_strcmp(test, "corrupt_aaa_hash") == 0) {
1473 debug_print(ctx, 1,
1474 "TEST: Corrupt PPS/Cred*/AAAServerTrustRoot/Root*/CertSHA256FingerPrint");
1475 add_text_node_conf_corrupt(ctx, realm, aaa1,
1476 "CertSHA256Fingerprint",
1477 "aaa_trust_root_cert_fingerprint");
1478 } else {
1479 add_text_node_conf(ctx, realm, aaa1, "CertSHA256Fingerprint",
1480 "aaa_trust_root_cert_fingerprint");
1481 }
1482
1483 if (test && os_strcmp(test, "corrupt_polupd_hash") == 0) {
1484 debug_print(ctx, 1,
1485 "TEST: Corrupt PPS/Cred*/Policy/PolicyUpdate/Trustroot/CertSHA256FingerPrint");
1486 p = xml_node_create(ctx->xml, c, NULL, "Policy");
1487 upd = xml_node_create(ctx->xml, p, NULL, "PolicyUpdate");
1488 add_text_node(ctx, upd, "UpdateInterval", "30");
1489 add_text_node(ctx, upd, "UpdateMethod", "SPP-ClientInitiated");
1490 add_text_node(ctx, upd, "Restriction", "Unrestricted");
1491 add_text_node_conf(ctx, realm, upd, "URI", "policy_url");
1492 trust = xml_node_create(ctx->xml, upd, NULL, "TrustRoot");
1493 add_text_node_conf(ctx, realm, trust, "CertURL",
1494 "policy_trust_root_cert_url");
1495 add_text_node_conf_corrupt(ctx, realm, trust,
1496 "CertSHA256Fingerprint",
1497 "policy_trust_root_cert_fingerprint");
1498 }
1499 skip_aaa_trust_root:
1500
1501 upd = xml_node_create(ctx->xml, c, NULL, "SubscriptionUpdate");
1502 add_text_node(ctx, upd, "UpdateInterval", "4294967295");
1503 add_text_node(ctx, upd, "UpdateMethod", "SPP-ClientInitiated");
1504 add_text_node(ctx, upd, "Restriction", "HomeSP");
1505 add_text_node_conf(ctx, realm, upd, "URI", "spp_http_auth_url");
1506 trust = xml_node_create(ctx->xml, upd, NULL, "TrustRoot");
1507 add_text_node_conf(ctx, realm, trust, "CertURL", "trust_root_cert_url");
1508 if (test && os_strcmp(test, "corrupt_subrem_hash") == 0) {
1509 debug_print(ctx, 1,
1510 "TEST: Corrupt PPS/Cred*/SubscriptionUpdate/Trustroot/CertSHA256FingerPrint");
1511 add_text_node_conf_corrupt(ctx, realm, trust,
1512 "CertSHA256Fingerprint",
1513 "trust_root_cert_fingerprint");
1514 } else {
1515 add_text_node_conf(ctx, realm, trust, "CertSHA256Fingerprint",
1516 "trust_root_cert_fingerprint");
1517 }
1518
1519 if (dmacc_username &&
1520 !build_username_password(ctx, upd, dmacc_username,
1521 dmacc_password)) {
1522 xml_node_free(ctx->xml, pps);
1523 xml_node_free(ctx->xml, policy_node);
1524 return NULL;
1525 }
1526
1527 if (policy_node)
1528 xml_node_add_child(ctx->xml, c, policy_node);
1529
1530 homesp = xml_node_create(ctx->xml, c, NULL, "HomeSP");
1531 add_text_node_conf(ctx, realm, homesp, "FriendlyName", "friendly_name");
1532 add_text_node_conf(ctx, realm, homesp, "FQDN", "fqdn");
1533
1534 xml_node_create(ctx->xml, c, NULL, "SubscriptionParameters");
1535
1536 cred = xml_node_create(ctx->xml, c, NULL, "Credential");
1537 add_creation_date(ctx, cred);
1538 if (imsi) {
1539 xml_node_t *sim;
1540 const char *type = "18"; /* default to EAP-SIM */
1541
1542 sim = xml_node_create(ctx->xml, cred, NULL, "SIM");
1543 add_text_node(ctx, sim, "IMSI", imsi);
1544 if (ctx->eap_method && os_strcmp(ctx->eap_method, "AKA") == 0)
1545 type = "23";
1546 else if (ctx->eap_method &&
1547 os_strcmp(ctx->eap_method, "AKA'") == 0)
1548 type = "50";
1549 add_text_node(ctx, sim, "EAPType", type);
1550 } else if (cert) {
1551 xml_node_t *dc;
1552 dc = xml_node_create(ctx->xml, cred, NULL,
1553 "DigitalCertificate");
1554 add_text_node(ctx, dc, "CertificateType", "x509v3");
1555 add_text_node(ctx, dc, "CertSHA256Fingerprint", cert);
1556 } else {
1557 userpw = build_username_password(ctx, cred, user, pw);
1558 add_text_node(ctx, userpw, "MachineManaged",
1559 machine_managed ? "TRUE" : "FALSE");
1560 eap = xml_node_create(ctx->xml, userpw, NULL, "EAPMethod");
1561 add_text_node(ctx, eap, "EAPType", "21");
1562 add_text_node(ctx, eap, "InnerMethod", "MS-CHAP-V2");
1563 }
1564 add_text_node(ctx, cred, "Realm", realm);
1565
1566 return pps;
1567 }
1568
1569
spp_exec_get_certificate(struct hs20_svc * ctx,const char * session_id,const char * user,const char * realm,int add_est_user)1570 static xml_node_t * spp_exec_get_certificate(struct hs20_svc *ctx,
1571 const char *session_id,
1572 const char *user,
1573 const char *realm,
1574 int add_est_user)
1575 {
1576 xml_namespace_t *ns;
1577 xml_node_t *spp_node, *enroll, *exec_node;
1578 char *val;
1579 char password[11];
1580 char *b64;
1581
1582 if (add_est_user && new_password(password, sizeof(password)) < 0)
1583 return NULL;
1584
1585 spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK",
1586 NULL);
1587 if (spp_node == NULL)
1588 return NULL;
1589
1590 exec_node = xml_node_create(ctx->xml, spp_node, ns, "exec");
1591
1592 enroll = xml_node_create(ctx->xml, exec_node, ns, "getCertificate");
1593 xml_node_add_attr(ctx->xml, enroll, NULL, "enrollmentProtocol", "EST");
1594
1595 val = db_get_osu_config_val(ctx, realm, "est_url");
1596 xml_node_create_text(ctx->xml, enroll, ns, "enrollmentServerURI",
1597 val ? val : "");
1598 os_free(val);
1599
1600 if (!add_est_user)
1601 return spp_node;
1602
1603 xml_node_create_text(ctx->xml, enroll, ns, "estUserID", user);
1604
1605 b64 = base64_encode(password, strlen(password), NULL);
1606 if (b64 == NULL) {
1607 xml_node_free(ctx->xml, spp_node);
1608 return NULL;
1609 }
1610 xml_node_create_text(ctx->xml, enroll, ns, "estPassword", b64);
1611 free(b64);
1612
1613 db_update_session_password(ctx, user, realm, session_id, password);
1614
1615 return spp_node;
1616 }
1617
1618
hs20_user_input_registration(struct hs20_svc * ctx,const char * session_id,int enrollment_done)1619 static xml_node_t * hs20_user_input_registration(struct hs20_svc *ctx,
1620 const char *session_id,
1621 int enrollment_done)
1622 {
1623 xml_namespace_t *ns;
1624 xml_node_t *spp_node, *node = NULL;
1625 xml_node_t *pps, *tnds;
1626 char buf[400];
1627 char *str;
1628 char *user, *realm, *pw, *type, *mm, *test;
1629 const char *status;
1630 int cert = 0;
1631 int machine_managed = 0;
1632 char *fingerprint;
1633
1634 user = db_get_session_val(ctx, NULL, NULL, session_id, "user");
1635 realm = db_get_session_val(ctx, NULL, NULL, session_id, "realm");
1636 pw = db_get_session_val(ctx, NULL, NULL, session_id, "password");
1637
1638 if (!user || !realm || !pw) {
1639 debug_print(ctx, 1, "Could not find session info from DB for "
1640 "the new subscription");
1641 free(user);
1642 free(realm);
1643 free(pw);
1644 return NULL;
1645 }
1646
1647 mm = db_get_session_val(ctx, NULL, NULL, session_id, "machine_managed");
1648 if (mm && atoi(mm))
1649 machine_managed = 1;
1650 free(mm);
1651
1652 type = db_get_session_val(ctx, NULL, NULL, session_id, "type");
1653 if (type && strcmp(type, "cert") == 0)
1654 cert = 1;
1655 free(type);
1656
1657 if (cert && !enrollment_done) {
1658 xml_node_t *ret;
1659 hs20_eventlog(ctx, user, realm, session_id,
1660 "request client certificate enrollment", NULL);
1661 ret = spp_exec_get_certificate(ctx, session_id, user, realm, 1);
1662 free(user);
1663 free(realm);
1664 free(pw);
1665 return ret;
1666 }
1667
1668 if (!cert && strlen(pw) == 0) {
1669 machine_managed = 1;
1670 free(pw);
1671 pw = malloc(11);
1672 if (pw == NULL || new_password(pw, 11) < 0) {
1673 free(user);
1674 free(realm);
1675 free(pw);
1676 return NULL;
1677 }
1678 }
1679
1680 status = "Provisioning complete, request sppUpdateResponse";
1681 spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
1682 NULL);
1683 if (spp_node == NULL)
1684 return NULL;
1685
1686 fingerprint = db_get_session_val(ctx, NULL, NULL, session_id, "cert");
1687 test = db_get_session_val(ctx, NULL, NULL, session_id, "test");
1688 if (test)
1689 debug_print(ctx, 1, "TEST: Requested special behavior: %s",
1690 test);
1691 pps = build_pps(ctx, user, realm, pw,
1692 fingerprint ? fingerprint : NULL, machine_managed,
1693 test, NULL, NULL, NULL, NULL);
1694 free(fingerprint);
1695 free(test);
1696 if (!pps) {
1697 xml_node_free(ctx->xml, spp_node);
1698 free(user);
1699 free(realm);
1700 free(pw);
1701 return NULL;
1702 }
1703
1704 debug_print(ctx, 1, "Request DB subscription registration on success "
1705 "notification");
1706 if (machine_managed) {
1707 db_update_session_password(ctx, user, realm, session_id, pw);
1708 db_update_session_machine_managed(ctx, user, realm, session_id,
1709 machine_managed);
1710 }
1711 db_add_session_pps(ctx, user, realm, session_id, pps);
1712
1713 hs20_eventlog_node(ctx, user, realm, session_id,
1714 "new subscription", pps);
1715 free(user);
1716 free(pw);
1717
1718 tnds = mo_to_tnds(ctx->xml, pps, 0, URN_HS20_PPS, NULL);
1719 xml_node_free(ctx->xml, pps);
1720 if (!tnds) {
1721 xml_node_free(ctx->xml, spp_node);
1722 free(realm);
1723 return NULL;
1724 }
1725
1726 str = xml_node_to_str(ctx->xml, tnds);
1727 xml_node_free(ctx->xml, tnds);
1728 if (str == NULL) {
1729 xml_node_free(ctx->xml, spp_node);
1730 free(realm);
1731 return NULL;
1732 }
1733
1734 node = xml_node_create_text(ctx->xml, spp_node, ns, "addMO", str);
1735 free(str);
1736 snprintf(buf, sizeof(buf), "./Wi-Fi/%s/PerProviderSubscription", realm);
1737 free(realm);
1738 xml_node_add_attr(ctx->xml, node, ns, "managementTreeURI", buf);
1739 xml_node_add_attr(ctx->xml, node, ns, "moURN", URN_HS20_PPS);
1740
1741 return spp_node;
1742 }
1743
1744
hs20_user_input_free_remediation(struct hs20_svc * ctx,const char * user,const char * realm,const char * session_id)1745 static xml_node_t * hs20_user_input_free_remediation(struct hs20_svc *ctx,
1746 const char *user,
1747 const char *realm,
1748 const char *session_id)
1749 {
1750 xml_namespace_t *ns;
1751 xml_node_t *spp_node;
1752 xml_node_t *cred;
1753 char buf[400];
1754 char *status;
1755 char *free_account, *pw;
1756
1757 free_account = db_get_osu_config_val(ctx, realm, "free_account");
1758 if (free_account == NULL)
1759 return NULL;
1760 pw = db_get_val(ctx, free_account, realm, "password", 0);
1761 if (pw == NULL) {
1762 free(free_account);
1763 return NULL;
1764 }
1765
1766 cred = build_credential_pw(ctx, free_account, realm, pw, 1);
1767 free(free_account);
1768 free(pw);
1769 if (!cred) {
1770 xml_node_free(ctx->xml, cred);
1771 return NULL;
1772 }
1773
1774 status = "Remediation complete, request sppUpdateResponse";
1775 spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
1776 NULL);
1777 if (spp_node == NULL)
1778 return NULL;
1779
1780 snprintf(buf, sizeof(buf),
1781 "./Wi-Fi/%s/PerProviderSubscription/Cred01/Credential",
1782 realm);
1783
1784 if (add_update_node(ctx, spp_node, ns, buf, cred) < 0) {
1785 xml_node_free(ctx->xml, spp_node);
1786 return NULL;
1787 }
1788
1789 hs20_eventlog_node(ctx, user, realm, session_id,
1790 "free/public remediation", cred);
1791 xml_node_free(ctx->xml, cred);
1792
1793 return spp_node;
1794 }
1795
1796
hs20_user_input_complete(struct hs20_svc * ctx,const char * user,const char * realm,int dmacc,const char * session_id)1797 static xml_node_t * hs20_user_input_complete(struct hs20_svc *ctx,
1798 const char *user,
1799 const char *realm, int dmacc,
1800 const char *session_id)
1801 {
1802 char *val;
1803 enum hs20_session_operation oper;
1804
1805 val = db_get_session_val(ctx, user, realm, session_id, "operation");
1806 if (val == NULL) {
1807 debug_print(ctx, 1, "No session %s found to continue",
1808 session_id);
1809 return NULL;
1810 }
1811 oper = atoi(val);
1812 free(val);
1813
1814 if (oper == USER_REMEDIATION) {
1815 return hs20_user_input_remediation(ctx, user, realm, dmacc,
1816 session_id);
1817 }
1818
1819 if (oper == FREE_REMEDIATION) {
1820 return hs20_user_input_free_remediation(ctx, user, realm,
1821 session_id);
1822 }
1823
1824 if (oper == SUBSCRIPTION_REGISTRATION) {
1825 return hs20_user_input_registration(ctx, session_id, 0);
1826 }
1827
1828 debug_print(ctx, 1, "User session %s not in state for user input "
1829 "completion", session_id);
1830 return NULL;
1831 }
1832
1833
hs20_cert_reenroll_complete(struct hs20_svc * ctx,const char * session_id)1834 static xml_node_t * hs20_cert_reenroll_complete(struct hs20_svc *ctx,
1835 const char *session_id)
1836 {
1837 char *user, *realm, *cert;
1838 char *status;
1839 xml_namespace_t *ns;
1840 xml_node_t *spp_node, *cred;
1841 char buf[400];
1842
1843 user = db_get_session_val(ctx, NULL, NULL, session_id, "user");
1844 realm = db_get_session_val(ctx, NULL, NULL, session_id, "realm");
1845 cert = db_get_session_val(ctx, NULL, NULL, session_id, "cert");
1846 if (!user || !realm || !cert) {
1847 debug_print(ctx, 1,
1848 "Could not find session info from DB for certificate reenrollment");
1849 free(user);
1850 free(realm);
1851 free(cert);
1852 return NULL;
1853 }
1854
1855 cred = build_credential_cert(ctx, user, realm, cert);
1856 if (!cred) {
1857 debug_print(ctx, 1, "Could not build credential");
1858 free(user);
1859 free(realm);
1860 free(cert);
1861 return NULL;
1862 }
1863
1864 status = "Remediation complete, request sppUpdateResponse";
1865 spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
1866 NULL);
1867 if (spp_node == NULL) {
1868 debug_print(ctx, 1, "Could not build sppPostDevDataResponse");
1869 free(user);
1870 free(realm);
1871 free(cert);
1872 xml_node_free(ctx->xml, cred);
1873 return NULL;
1874 }
1875
1876 snprintf(buf, sizeof(buf),
1877 "./Wi-Fi/%s/PerProviderSubscription/Cred01/Credential",
1878 realm);
1879
1880 if (add_update_node(ctx, spp_node, ns, buf, cred) < 0) {
1881 debug_print(ctx, 1, "Could not add update node");
1882 xml_node_free(ctx->xml, spp_node);
1883 free(user);
1884 free(realm);
1885 free(cert);
1886 return NULL;
1887 }
1888
1889 hs20_eventlog_node(ctx, user, realm, session_id,
1890 "certificate reenrollment", cred);
1891 xml_node_free(ctx->xml, cred);
1892
1893 free(user);
1894 free(realm);
1895 free(cert);
1896 return spp_node;
1897 }
1898
1899
hs20_cert_enroll_completed(struct hs20_svc * ctx,const char * user,const char * realm,int dmacc,const char * session_id)1900 static xml_node_t * hs20_cert_enroll_completed(struct hs20_svc *ctx,
1901 const char *user,
1902 const char *realm, int dmacc,
1903 const char *session_id)
1904 {
1905 char *val;
1906 enum hs20_session_operation oper;
1907
1908 val = db_get_session_val(ctx, NULL, NULL, session_id, "operation");
1909 if (val == NULL) {
1910 debug_print(ctx, 1, "No session %s found to continue",
1911 session_id);
1912 return NULL;
1913 }
1914 oper = atoi(val);
1915 free(val);
1916
1917 if (oper == SUBSCRIPTION_REGISTRATION)
1918 return hs20_user_input_registration(ctx, session_id, 1);
1919 if (oper == CERT_REENROLL)
1920 return hs20_cert_reenroll_complete(ctx, session_id);
1921
1922 debug_print(ctx, 1, "User session %s not in state for certificate "
1923 "enrollment completion", session_id);
1924 return NULL;
1925 }
1926
1927
hs20_cert_enroll_failed(struct hs20_svc * ctx,const char * user,const char * realm,int dmacc,const char * session_id)1928 static xml_node_t * hs20_cert_enroll_failed(struct hs20_svc *ctx,
1929 const char *user,
1930 const char *realm, int dmacc,
1931 const char *session_id)
1932 {
1933 char *val;
1934 enum hs20_session_operation oper;
1935 xml_node_t *spp_node, *node;
1936 char *status;
1937 xml_namespace_t *ns;
1938
1939 val = db_get_session_val(ctx, user, realm, session_id, "operation");
1940 if (val == NULL) {
1941 debug_print(ctx, 1, "No session %s found to continue",
1942 session_id);
1943 return NULL;
1944 }
1945 oper = atoi(val);
1946 free(val);
1947
1948 if (oper != SUBSCRIPTION_REGISTRATION) {
1949 debug_print(ctx, 1, "User session %s not in state for "
1950 "enrollment failure", session_id);
1951 return NULL;
1952 }
1953
1954 status = "Error occurred";
1955 spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
1956 NULL);
1957 if (spp_node == NULL)
1958 return NULL;
1959 node = xml_node_create(ctx->xml, spp_node, ns, "sppError");
1960 xml_node_add_attr(ctx->xml, node, NULL, "errorCode",
1961 "Credentials cannot be provisioned at this time");
1962 db_remove_session(ctx, user, realm, session_id);
1963
1964 return spp_node;
1965 }
1966
1967
hs20_sim_provisioning(struct hs20_svc * ctx,const char * user,const char * realm,int dmacc,const char * session_id)1968 static xml_node_t * hs20_sim_provisioning(struct hs20_svc *ctx,
1969 const char *user,
1970 const char *realm, int dmacc,
1971 const char *session_id)
1972 {
1973 xml_namespace_t *ns;
1974 xml_node_t *spp_node, *node = NULL;
1975 xml_node_t *pps, *tnds;
1976 char buf[400];
1977 char *str;
1978 const char *status;
1979 char dmacc_username[32];
1980 char dmacc_password[32];
1981 char *policy;
1982 xml_node_t *policy_node = NULL;
1983
1984 if (!ctx->imsi) {
1985 debug_print(ctx, 1, "IMSI not available for SIM provisioning");
1986 return NULL;
1987 }
1988
1989 if (new_password(dmacc_username, sizeof(dmacc_username)) < 0 ||
1990 new_password(dmacc_password, sizeof(dmacc_password)) < 0) {
1991 debug_print(ctx, 1,
1992 "Failed to generate DMAcc username/password");
1993 return NULL;
1994 }
1995
1996 status = "Provisioning complete, request sppUpdateResponse";
1997 spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
1998 NULL);
1999 if (!spp_node)
2000 return NULL;
2001
2002 policy = db_get_osu_config_val(ctx, realm, "sim_policy");
2003 if (policy) {
2004 policy_node = read_policy_file(ctx, policy);
2005 os_free(policy);
2006 if (!policy_node) {
2007 xml_node_free(ctx->xml, spp_node);
2008 return NULL;
2009 }
2010 update_policy_update_uri(ctx, realm, policy_node);
2011 node = get_node_uri(ctx->xml, policy_node,
2012 "Policy/PolicyUpdate");
2013 if (node)
2014 build_username_password(ctx, node, dmacc_username,
2015 dmacc_password);
2016 }
2017
2018 pps = build_pps(ctx, NULL, realm, NULL, NULL, 0, NULL, ctx->imsi,
2019 dmacc_username, dmacc_password, policy_node);
2020 if (!pps) {
2021 xml_node_free(ctx->xml, spp_node);
2022 return NULL;
2023 }
2024
2025 debug_print(ctx, 1,
2026 "Request DB subscription registration on success notification");
2027 if (!user || !user[0])
2028 user = ctx->imsi;
2029 db_add_session(ctx, user, realm, session_id, NULL, NULL,
2030 SUBSCRIPTION_REGISTRATION, NULL);
2031 db_add_session_dmacc(ctx, session_id, dmacc_username, dmacc_password);
2032 if (ctx->eap_method)
2033 db_add_session_eap_method(ctx, session_id, ctx->eap_method);
2034 if (ctx->id_hash)
2035 db_add_session_id_hash(ctx, session_id, ctx->id_hash);
2036 db_add_session_pps(ctx, user, realm, session_id, pps);
2037
2038 hs20_eventlog_node(ctx, user, realm, session_id,
2039 "new subscription", pps);
2040
2041 tnds = mo_to_tnds(ctx->xml, pps, 0, URN_HS20_PPS, NULL);
2042 xml_node_free(ctx->xml, pps);
2043 if (!tnds) {
2044 xml_node_free(ctx->xml, spp_node);
2045 return NULL;
2046 }
2047
2048 str = xml_node_to_str(ctx->xml, tnds);
2049 xml_node_free(ctx->xml, tnds);
2050 if (!str) {
2051 xml_node_free(ctx->xml, spp_node);
2052 return NULL;
2053 }
2054
2055 node = xml_node_create_text(ctx->xml, spp_node, ns, "addMO", str);
2056 free(str);
2057 snprintf(buf, sizeof(buf), "./Wi-Fi/%s/PerProviderSubscription", realm);
2058 xml_node_add_attr(ctx->xml, node, ns, "managementTreeURI", buf);
2059 xml_node_add_attr(ctx->xml, node, ns, "moURN", URN_HS20_PPS);
2060
2061 return spp_node;
2062 }
2063
2064
hs20_spp_post_dev_data(struct hs20_svc * ctx,xml_node_t * node,const char * user,const char * realm,const char * session_id,int dmacc)2065 static xml_node_t * hs20_spp_post_dev_data(struct hs20_svc *ctx,
2066 xml_node_t *node,
2067 const char *user,
2068 const char *realm,
2069 const char *session_id,
2070 int dmacc)
2071 {
2072 const char *req_reason;
2073 char *redirect_uri = NULL;
2074 char *req_reason_buf = NULL;
2075 char str[200];
2076 xml_node_t *ret = NULL, *devinfo = NULL, *devdetail = NULL;
2077 xml_node_t *mo, *macaddr;
2078 char *version;
2079 int valid;
2080 char *supp, *pos;
2081 char *err;
2082 u8 wifi_mac_addr[ETH_ALEN];
2083
2084 version = xml_node_get_attr_value_ns(ctx->xml, node, SPP_NS_URI,
2085 "sppVersion");
2086 if (version == NULL || strstr(version, "1.0") == NULL) {
2087 ret = build_post_dev_data_response(
2088 ctx, NULL, session_id, "Error occurred",
2089 "SPP version not supported");
2090 hs20_eventlog_node(ctx, user, realm, session_id,
2091 "Unsupported sppVersion", ret);
2092 xml_node_get_attr_value_free(ctx->xml, version);
2093 return ret;
2094 }
2095 xml_node_get_attr_value_free(ctx->xml, version);
2096
2097 mo = get_node(ctx->xml, node, "supportedMOList");
2098 if (mo == NULL) {
2099 ret = build_post_dev_data_response(
2100 ctx, NULL, session_id, "Error occurred",
2101 "Other");
2102 hs20_eventlog_node(ctx, user, realm, session_id,
2103 "No supportedMOList element", ret);
2104 return ret;
2105 }
2106 supp = xml_node_get_text(ctx->xml, mo);
2107 for (pos = supp; pos && *pos; pos++)
2108 *pos = tolower(*pos);
2109 if (supp == NULL ||
2110 strstr(supp, URN_OMA_DM_DEVINFO) == NULL ||
2111 strstr(supp, URN_OMA_DM_DEVDETAIL) == NULL ||
2112 strstr(supp, URN_HS20_PPS) == NULL) {
2113 xml_node_get_text_free(ctx->xml, supp);
2114 ret = build_post_dev_data_response(
2115 ctx, NULL, session_id, "Error occurred",
2116 "One or more mandatory MOs not supported");
2117 hs20_eventlog_node(ctx, user, realm, session_id,
2118 "Unsupported MOs", ret);
2119 return ret;
2120 }
2121 xml_node_get_text_free(ctx->xml, supp);
2122
2123 req_reason_buf = xml_node_get_attr_value(ctx->xml, node,
2124 "requestReason");
2125 if (req_reason_buf == NULL) {
2126 debug_print(ctx, 1, "No requestReason attribute");
2127 return NULL;
2128 }
2129 req_reason = req_reason_buf;
2130
2131 redirect_uri = xml_node_get_attr_value(ctx->xml, node, "redirectURI");
2132
2133 debug_print(ctx, 1, "requestReason: %s sessionID: %s redirectURI: %s",
2134 req_reason, session_id, redirect_uri);
2135 snprintf(str, sizeof(str), "sppPostDevData: requestReason=%s",
2136 req_reason);
2137 hs20_eventlog(ctx, user, realm, session_id, str, NULL);
2138
2139 devinfo = spp_get_mo(ctx, node, URN_OMA_DM_DEVINFO, &valid, &err);
2140 if (devinfo == NULL) {
2141 ret = build_post_dev_data_response(ctx, NULL, session_id,
2142 "Error occurred", "Other");
2143 hs20_eventlog_node(ctx, user, realm, session_id,
2144 "No DevInfo moContainer in sppPostDevData",
2145 ret);
2146 os_free(err);
2147 goto out;
2148 }
2149
2150 hs20_eventlog_node(ctx, user, realm, session_id,
2151 "Received DevInfo MO", devinfo);
2152 if (valid == 0) {
2153 hs20_eventlog(ctx, user, realm, session_id,
2154 "OMA-DM DDF DTD validation errors in DevInfo MO",
2155 err);
2156 ret = build_post_dev_data_response(ctx, NULL, session_id,
2157 "Error occurred", "Other");
2158 os_free(err);
2159 goto out;
2160 }
2161 os_free(err);
2162 if (user)
2163 db_update_mo(ctx, user, realm, "devinfo", devinfo);
2164
2165 devdetail = spp_get_mo(ctx, node, URN_OMA_DM_DEVDETAIL, &valid, &err);
2166 if (devdetail == NULL) {
2167 ret = build_post_dev_data_response(ctx, NULL, session_id,
2168 "Error occurred", "Other");
2169 hs20_eventlog_node(ctx, user, realm, session_id,
2170 "No DevDetail moContainer in sppPostDevData",
2171 ret);
2172 os_free(err);
2173 goto out;
2174 }
2175
2176 hs20_eventlog_node(ctx, user, realm, session_id,
2177 "Received DevDetail MO", devdetail);
2178 if (valid == 0) {
2179 hs20_eventlog(ctx, user, realm, session_id,
2180 "OMA-DM DDF DTD validation errors "
2181 "in DevDetail MO", err);
2182 ret = build_post_dev_data_response(ctx, NULL, session_id,
2183 "Error occurred", "Other");
2184 os_free(err);
2185 goto out;
2186 }
2187 os_free(err);
2188
2189 os_memset(wifi_mac_addr, 0, ETH_ALEN);
2190 macaddr = get_node(ctx->xml, devdetail,
2191 "Ext/org.wi-fi/Wi-Fi/Wi-FiMACAddress");
2192 if (macaddr) {
2193 char *addr, buf[50];
2194
2195 addr = xml_node_get_text(ctx->xml, macaddr);
2196 if (addr && hwaddr_compact_aton(addr, wifi_mac_addr) == 0) {
2197 snprintf(buf, sizeof(buf), "DevDetail MAC address: "
2198 MACSTR, MAC2STR(wifi_mac_addr));
2199 hs20_eventlog(ctx, user, realm, session_id, buf, NULL);
2200 xml_node_get_text_free(ctx->xml, addr);
2201 } else {
2202 hs20_eventlog(ctx, user, realm, session_id,
2203 "Could not extract MAC address from DevDetail",
2204 NULL);
2205 }
2206 } else {
2207 hs20_eventlog(ctx, user, realm, session_id,
2208 "No MAC address in DevDetail", NULL);
2209 }
2210
2211 if (user)
2212 db_update_mo(ctx, user, realm, "devdetail", devdetail);
2213
2214 if (user)
2215 mo = spp_get_mo(ctx, node, URN_HS20_PPS, &valid, &err);
2216 else {
2217 mo = NULL;
2218 err = NULL;
2219 }
2220 if (user && mo) {
2221 hs20_eventlog_node(ctx, user, realm, session_id,
2222 "Received PPS MO", mo);
2223 if (valid == 0) {
2224 hs20_eventlog(ctx, user, realm, session_id,
2225 "OMA-DM DDF DTD validation errors "
2226 "in PPS MO", err);
2227 xml_node_get_attr_value_free(ctx->xml, redirect_uri);
2228 os_free(err);
2229 return build_post_dev_data_response(
2230 ctx, NULL, session_id,
2231 "Error occurred", "Other");
2232 }
2233 db_update_mo(ctx, user, realm, "pps", mo);
2234 db_update_val(ctx, user, realm, "fetch_pps", "0", dmacc);
2235 xml_node_free(ctx->xml, mo);
2236 }
2237 os_free(err);
2238
2239 if (user && !mo) {
2240 char *fetch;
2241 int fetch_pps;
2242
2243 fetch = db_get_val(ctx, user, realm, "fetch_pps", dmacc);
2244 fetch_pps = fetch ? atoi(fetch) : 0;
2245 free(fetch);
2246
2247 if (fetch_pps) {
2248 enum hs20_session_operation oper;
2249 if (strcasecmp(req_reason, "Subscription remediation")
2250 == 0)
2251 oper = CONTINUE_SUBSCRIPTION_REMEDIATION;
2252 else if (strcasecmp(req_reason, "Policy update") == 0)
2253 oper = CONTINUE_POLICY_UPDATE;
2254 else
2255 oper = NO_OPERATION;
2256 if (db_add_session(ctx, user, realm, session_id, NULL,
2257 NULL, oper, NULL) < 0)
2258 goto out;
2259
2260 ret = spp_exec_upload_mo(ctx, session_id,
2261 URN_HS20_PPS);
2262 hs20_eventlog_node(ctx, user, realm, session_id,
2263 "request PPS MO upload",
2264 ret);
2265 goto out;
2266 }
2267 }
2268
2269 if (user && strcasecmp(req_reason, "MO upload") == 0) {
2270 char *val = db_get_session_val(ctx, user, realm, session_id,
2271 "operation");
2272 enum hs20_session_operation oper;
2273 if (!val) {
2274 debug_print(ctx, 1, "No session %s found to continue",
2275 session_id);
2276 goto out;
2277 }
2278 oper = atoi(val);
2279 free(val);
2280 if (oper == CONTINUE_SUBSCRIPTION_REMEDIATION)
2281 req_reason = "Subscription remediation";
2282 else if (oper == CONTINUE_POLICY_UPDATE)
2283 req_reason = "Policy update";
2284 else {
2285 debug_print(ctx, 1,
2286 "No pending operation in session %s",
2287 session_id);
2288 goto out;
2289 }
2290 }
2291
2292 if (strcasecmp(req_reason, "Subscription registration") == 0) {
2293 ret = hs20_subscription_registration(ctx, realm, session_id,
2294 redirect_uri,
2295 wifi_mac_addr);
2296 hs20_eventlog_node(ctx, user, realm, session_id,
2297 "subscription registration response",
2298 ret);
2299 goto out;
2300 }
2301 if (user && strcasecmp(req_reason, "Subscription remediation") == 0) {
2302 ret = hs20_subscription_remediation(ctx, user, realm,
2303 session_id, dmacc,
2304 redirect_uri);
2305 hs20_eventlog_node(ctx, user, realm, session_id,
2306 "subscription remediation response",
2307 ret);
2308 goto out;
2309 }
2310 if (user && strcasecmp(req_reason, "Policy update") == 0) {
2311 ret = hs20_policy_update(ctx, user, realm, session_id, dmacc);
2312 hs20_eventlog_node(ctx, user, realm, session_id,
2313 "policy update response",
2314 ret);
2315 goto out;
2316 }
2317
2318 if (strcasecmp(req_reason, "User input completed") == 0) {
2319 db_add_session_devinfo(ctx, session_id, devinfo);
2320 db_add_session_devdetail(ctx, session_id, devdetail);
2321 ret = hs20_user_input_complete(ctx, user, realm, dmacc,
2322 session_id);
2323 hs20_eventlog_node(ctx, user, realm, session_id,
2324 "user input completed response", ret);
2325 goto out;
2326 }
2327
2328 if (strcasecmp(req_reason, "Certificate enrollment completed") == 0) {
2329 ret = hs20_cert_enroll_completed(ctx, user, realm, dmacc,
2330 session_id);
2331 hs20_eventlog_node(ctx, user, realm, session_id,
2332 "certificate enrollment response", ret);
2333 goto out;
2334 }
2335
2336 if (strcasecmp(req_reason, "Certificate enrollment failed") == 0) {
2337 ret = hs20_cert_enroll_failed(ctx, user, realm, dmacc,
2338 session_id);
2339 hs20_eventlog_node(ctx, user, realm, session_id,
2340 "certificate enrollment failed response",
2341 ret);
2342 goto out;
2343 }
2344
2345 if (strcasecmp(req_reason, "Subscription provisioning") == 0) {
2346 ret = hs20_sim_provisioning(ctx, user, realm, dmacc,
2347 session_id);
2348 hs20_eventlog_node(ctx, user, realm, session_id,
2349 "subscription provisioning response",
2350 ret);
2351 goto out;
2352 }
2353
2354 debug_print(ctx, 1, "Unsupported requestReason '%s' user '%s'",
2355 req_reason, user);
2356 out:
2357 xml_node_get_attr_value_free(ctx->xml, req_reason_buf);
2358 xml_node_get_attr_value_free(ctx->xml, redirect_uri);
2359 if (devinfo)
2360 xml_node_free(ctx->xml, devinfo);
2361 if (devdetail)
2362 xml_node_free(ctx->xml, devdetail);
2363 return ret;
2364 }
2365
2366
build_spp_exchange_complete(struct hs20_svc * ctx,const char * session_id,const char * status,const char * error_code)2367 static xml_node_t * build_spp_exchange_complete(struct hs20_svc *ctx,
2368 const char *session_id,
2369 const char *status,
2370 const char *error_code)
2371 {
2372 xml_namespace_t *ns;
2373 xml_node_t *spp_node, *node;
2374
2375 spp_node = xml_node_create_root(ctx->xml, SPP_NS_URI, "spp", &ns,
2376 "sppExchangeComplete");
2377
2378
2379 xml_node_add_attr(ctx->xml, spp_node, ns, "sppVersion", "1.0");
2380 xml_node_add_attr(ctx->xml, spp_node, ns, "sessionID", session_id);
2381 xml_node_add_attr(ctx->xml, spp_node, ns, "sppStatus", status);
2382
2383 if (error_code) {
2384 node = xml_node_create(ctx->xml, spp_node, ns, "sppError");
2385 xml_node_add_attr(ctx->xml, node, NULL, "errorCode",
2386 error_code);
2387 }
2388
2389 return spp_node;
2390 }
2391
2392
add_subscription(struct hs20_svc * ctx,const char * session_id)2393 static int add_subscription(struct hs20_svc *ctx, const char *session_id)
2394 {
2395 char *user, *realm, *pw, *pw_mm, *pps, *str;
2396 char *osu_user, *osu_password, *eap_method;
2397 char *policy = NULL;
2398 char *sql;
2399 int ret = -1;
2400 char *free_account;
2401 int free_acc;
2402 char *type;
2403 int cert = 0;
2404 char *cert_pem, *fingerprint;
2405 const char *method;
2406
2407 user = db_get_session_val(ctx, NULL, NULL, session_id, "user");
2408 realm = db_get_session_val(ctx, NULL, NULL, session_id, "realm");
2409 pw = db_get_session_val(ctx, NULL, NULL, session_id, "password");
2410 pw_mm = db_get_session_val(ctx, NULL, NULL, session_id,
2411 "machine_managed");
2412 pps = db_get_session_val(ctx, NULL, NULL, session_id, "pps");
2413 cert_pem = db_get_session_val(ctx, NULL, NULL, session_id, "cert_pem");
2414 fingerprint = db_get_session_val(ctx, NULL, NULL, session_id, "cert");
2415 type = db_get_session_val(ctx, NULL, NULL, session_id, "type");
2416 if (type && strcmp(type, "cert") == 0)
2417 cert = 1;
2418 free(type);
2419 osu_user = db_get_session_val(ctx, NULL, NULL, session_id, "osu_user");
2420 osu_password = db_get_session_val(ctx, NULL, NULL, session_id,
2421 "osu_password");
2422 eap_method = db_get_session_val(ctx, NULL, NULL, session_id,
2423 "eap_method");
2424
2425 if (!user || !realm || !pw) {
2426 debug_print(ctx, 1, "Could not find session info from DB for "
2427 "the new subscription");
2428 goto out;
2429 }
2430
2431 free_account = db_get_osu_config_val(ctx, realm, "free_account");
2432 free_acc = free_account && strcmp(free_account, user) == 0;
2433 free(free_account);
2434
2435 policy = db_get_osu_config_val(ctx, realm, "sim_policy");
2436
2437 debug_print(ctx, 1,
2438 "New subscription: user='%s' realm='%s' free_acc=%d",
2439 user, realm, free_acc);
2440 debug_print(ctx, 1, "New subscription: pps='%s'", pps);
2441
2442 sql = sqlite3_mprintf("UPDATE eventlog SET user=%Q, realm=%Q WHERE "
2443 "sessionid=%Q AND (user='' OR user IS NULL)",
2444 user, realm, session_id);
2445 if (sql) {
2446 debug_print(ctx, 1, "DB: %s", sql);
2447 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
2448 debug_print(ctx, 1, "Failed to update eventlog in "
2449 "sqlite database: %s",
2450 sqlite3_errmsg(ctx->db));
2451 }
2452 sqlite3_free(sql);
2453 }
2454
2455 if (free_acc) {
2456 hs20_eventlog(ctx, user, realm, session_id,
2457 "completed shared free account registration",
2458 NULL);
2459 ret = 0;
2460 goto out;
2461 }
2462
2463 str = db_get_session_val(ctx, NULL, NULL, session_id, "mac_addr");
2464
2465 if (eap_method && eap_method[0])
2466 method = eap_method;
2467 else
2468 method = cert ? "TLS" : "TTLS-MSCHAPV2";
2469 sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,methods,cert,cert_pem,machine_managed,mac_addr,osu_user,osu_password,policy) VALUES (%Q,%Q,%d,%Q,%Q,%Q,%d,%Q,%Q,%Q,%Q)",
2470 user, realm, cert ? 0 : 1,
2471 method,
2472 fingerprint ? fingerprint : "",
2473 cert_pem ? cert_pem : "",
2474 pw_mm && atoi(pw_mm) ? 1 : 0,
2475 str ? str : "",
2476 osu_user ? osu_user : "",
2477 osu_password ? osu_password : "",
2478 policy ? policy : "");
2479 free(str);
2480 if (sql == NULL)
2481 goto out;
2482 debug_print(ctx, 1, "DB: %s", sql);
2483 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
2484 debug_print(ctx, 1, "Failed to add user in sqlite database: %s",
2485 sqlite3_errmsg(ctx->db));
2486 sqlite3_free(sql);
2487 goto out;
2488 }
2489 sqlite3_free(sql);
2490
2491 if (cert)
2492 ret = 0;
2493 else
2494 ret = update_password(ctx, user, realm, pw, 0);
2495 if (ret < 0) {
2496 sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND realm=%Q AND (phase2=1 OR methods='TLS')",
2497 user, realm);
2498 if (sql) {
2499 debug_print(ctx, 1, "DB: %s", sql);
2500 sqlite3_exec(ctx->db, sql, NULL, NULL, NULL);
2501 sqlite3_free(sql);
2502 }
2503 }
2504
2505 if (pps)
2506 db_update_mo_str(ctx, user, realm, "pps", pps);
2507
2508 str = db_get_session_val(ctx, NULL, NULL, session_id, "devinfo");
2509 if (str) {
2510 db_update_mo_str(ctx, user, realm, "devinfo", str);
2511 free(str);
2512 }
2513
2514 str = db_get_session_val(ctx, NULL, NULL, session_id, "devdetail");
2515 if (str) {
2516 db_update_mo_str(ctx, user, realm, "devdetail", str);
2517 free(str);
2518 }
2519
2520 if (cert && user) {
2521 const char *serialnum;
2522
2523 str = db_get_session_val(ctx, NULL, NULL, session_id,
2524 "mac_addr");
2525
2526 if (os_strncmp(user, "cert-", 5) == 0)
2527 serialnum = user + 5;
2528 else
2529 serialnum = "";
2530 sql = sqlite3_mprintf("INSERT OR REPLACE INTO cert_enroll (mac_addr,user,realm,serialnum) VALUES(%Q,%Q,%Q,%Q)",
2531 str ? str : "", user, realm ? realm : "",
2532 serialnum);
2533 free(str);
2534 if (sql) {
2535 debug_print(ctx, 1, "DB: %s", sql);
2536 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) !=
2537 SQLITE_OK) {
2538 debug_print(ctx, 1,
2539 "Failed to add cert_enroll entry into sqlite database: %s",
2540 sqlite3_errmsg(ctx->db));
2541 }
2542 sqlite3_free(sql);
2543 }
2544 }
2545
2546 str = db_get_session_val(ctx, NULL, NULL, session_id,
2547 "mobile_identifier_hash");
2548 if (str) {
2549 sql = sqlite3_mprintf("DELETE FROM sim_provisioning WHERE mobile_identifier_hash=%Q",
2550 str);
2551 if (sql) {
2552 debug_print(ctx, 1, "DB: %s", sql);
2553 if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) !=
2554 SQLITE_OK) {
2555 debug_print(ctx, 1,
2556 "Failed to delete pending sim_provisioning entry: %s",
2557 sqlite3_errmsg(ctx->db));
2558 }
2559 sqlite3_free(sql);
2560 }
2561 os_free(str);
2562 }
2563
2564 if (ret == 0) {
2565 hs20_eventlog(ctx, user, realm, session_id,
2566 "completed subscription registration", NULL);
2567 }
2568
2569 out:
2570 free(user);
2571 free(realm);
2572 free(pw);
2573 free(pw_mm);
2574 free(pps);
2575 free(cert_pem);
2576 free(fingerprint);
2577 free(osu_user);
2578 free(osu_password);
2579 free(eap_method);
2580 os_free(policy);
2581 return ret;
2582 }
2583
2584
hs20_spp_update_response(struct hs20_svc * ctx,xml_node_t * node,const char * user,const char * realm,const char * session_id,int dmacc)2585 static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx,
2586 xml_node_t *node,
2587 const char *user,
2588 const char *realm,
2589 const char *session_id,
2590 int dmacc)
2591 {
2592 char *status;
2593 xml_node_t *ret;
2594 char *val;
2595 enum hs20_session_operation oper;
2596
2597 status = xml_node_get_attr_value_ns(ctx->xml, node, SPP_NS_URI,
2598 "sppStatus");
2599 if (status == NULL) {
2600 debug_print(ctx, 1, "No sppStatus attribute");
2601 return NULL;
2602 }
2603
2604 debug_print(ctx, 1, "sppUpdateResponse: sppStatus: %s sessionID: %s",
2605 status, session_id);
2606
2607 val = db_get_session_val(ctx, NULL, NULL, session_id, "operation");
2608 if (!val) {
2609 debug_print(ctx, 1,
2610 "No session active for sessionID: %s",
2611 session_id);
2612 oper = NO_OPERATION;
2613 } else
2614 oper = atoi(val);
2615
2616 if (strcasecmp(status, "OK") == 0) {
2617 char *new_pw = NULL;
2618
2619 xml_node_get_attr_value_free(ctx->xml, status);
2620
2621 if (oper == USER_REMEDIATION) {
2622 new_pw = db_get_session_val(ctx, user, realm,
2623 session_id, "password");
2624 if (new_pw == NULL || strlen(new_pw) == 0) {
2625 free(new_pw);
2626 ret = build_spp_exchange_complete(
2627 ctx, session_id, "Error occurred",
2628 "Other");
2629 hs20_eventlog_node(ctx, user, realm,
2630 session_id, "No password "
2631 "had been assigned for "
2632 "session", ret);
2633 db_remove_session(ctx, user, realm, session_id);
2634 return ret;
2635 }
2636 oper = UPDATE_PASSWORD;
2637 }
2638 if (oper == UPDATE_PASSWORD) {
2639 if (!new_pw) {
2640 new_pw = db_get_session_val(ctx, user, realm,
2641 session_id,
2642 "password");
2643 if (!new_pw) {
2644 db_remove_session(ctx, user, realm,
2645 session_id);
2646 return NULL;
2647 }
2648 }
2649 debug_print(ctx, 1, "Update user '%s' password in DB",
2650 user);
2651 if (update_password(ctx, user, realm, new_pw, dmacc) <
2652 0) {
2653 debug_print(ctx, 1, "Failed to update user "
2654 "'%s' password in DB", user);
2655 ret = build_spp_exchange_complete(
2656 ctx, session_id, "Error occurred",
2657 "Other");
2658 hs20_eventlog_node(ctx, user, realm,
2659 session_id, "Failed to "
2660 "update database", ret);
2661 db_remove_session(ctx, user, realm, session_id);
2662 return ret;
2663 }
2664 hs20_eventlog(ctx, user, realm,
2665 session_id, "Updated user password "
2666 "in database", NULL);
2667 }
2668 if (oper == CLEAR_REMEDIATION) {
2669 debug_print(ctx, 1,
2670 "Clear remediation requirement for user '%s' in DB",
2671 user);
2672 if (clear_remediation(ctx, user, realm, dmacc) < 0) {
2673 debug_print(ctx, 1,
2674 "Failed to clear remediation requirement for user '%s' in DB",
2675 user);
2676 ret = build_spp_exchange_complete(
2677 ctx, session_id, "Error occurred",
2678 "Other");
2679 hs20_eventlog_node(ctx, user, realm,
2680 session_id,
2681 "Failed to update database",
2682 ret);
2683 db_remove_session(ctx, user, realm, session_id);
2684 return ret;
2685 }
2686 hs20_eventlog(ctx, user, realm,
2687 session_id,
2688 "Cleared remediation requirement in database",
2689 NULL);
2690 }
2691 if (oper == SUBSCRIPTION_REGISTRATION) {
2692 if (add_subscription(ctx, session_id) < 0) {
2693 debug_print(ctx, 1, "Failed to add "
2694 "subscription into DB");
2695 ret = build_spp_exchange_complete(
2696 ctx, session_id, "Error occurred",
2697 "Other");
2698 hs20_eventlog_node(ctx, user, realm,
2699 session_id, "Failed to "
2700 "update database", ret);
2701 db_remove_session(ctx, user, realm, session_id);
2702 return ret;
2703 }
2704 }
2705 if (oper == POLICY_REMEDIATION || oper == POLICY_UPDATE) {
2706 char *val;
2707 val = db_get_val(ctx, user, realm, "remediation",
2708 dmacc);
2709 if (val && strcmp(val, "policy") == 0)
2710 db_update_val(ctx, user, realm, "remediation",
2711 "", dmacc);
2712 free(val);
2713 }
2714 if (oper == POLICY_UPDATE)
2715 db_update_val(ctx, user, realm, "polupd_done", "1",
2716 dmacc);
2717 if (oper == CERT_REENROLL) {
2718 char *new_user;
2719 char event[200];
2720
2721 new_user = db_get_session_val(ctx, NULL, NULL,
2722 session_id, "user");
2723 if (!new_user) {
2724 debug_print(ctx, 1,
2725 "Failed to find new user name (cert-serialnum)");
2726 ret = build_spp_exchange_complete(
2727 ctx, session_id, "Error occurred",
2728 "Other");
2729 hs20_eventlog_node(ctx, user, realm,
2730 session_id,
2731 "Failed to find new user name (cert reenroll)",
2732 ret);
2733 db_remove_session(ctx, NULL, NULL, session_id);
2734 return ret;
2735 }
2736
2737 debug_print(ctx, 1,
2738 "Update certificate user entry to use the new serial number (old=%s new=%s)",
2739 user, new_user);
2740 os_snprintf(event, sizeof(event), "renamed user to: %s",
2741 new_user);
2742 hs20_eventlog(ctx, user, realm, session_id, event,
2743 NULL);
2744
2745 if (db_update_val(ctx, user, realm, "identity",
2746 new_user, 0) < 0 ||
2747 db_update_val(ctx, new_user, realm, "remediation",
2748 "", 0) < 0) {
2749 debug_print(ctx, 1,
2750 "Failed to update user name (cert-serialnum)");
2751 ret = build_spp_exchange_complete(
2752 ctx, session_id, "Error occurred",
2753 "Other");
2754 hs20_eventlog_node(ctx, user, realm,
2755 session_id,
2756 "Failed to update user name (cert reenroll)",
2757 ret);
2758 db_remove_session(ctx, NULL, NULL, session_id);
2759 os_free(new_user);
2760 return ret;
2761 }
2762
2763 os_free(new_user);
2764 }
2765 ret = build_spp_exchange_complete(
2766 ctx, session_id,
2767 "Exchange complete, release TLS connection", NULL);
2768 hs20_eventlog_node(ctx, user, realm, session_id,
2769 "Exchange completed", ret);
2770 db_remove_session(ctx, NULL, NULL, session_id);
2771 return ret;
2772 }
2773
2774 ret = build_spp_exchange_complete(ctx, session_id, "Error occurred",
2775 "Other");
2776 hs20_eventlog_node(ctx, user, realm, session_id, "Error occurred", ret);
2777 db_remove_session(ctx, user, realm, session_id);
2778 xml_node_get_attr_value_free(ctx->xml, status);
2779 return ret;
2780 }
2781
2782
2783 #define SPP_SESSION_ID_LEN 16
2784
gen_spp_session_id(void)2785 static char * gen_spp_session_id(void)
2786 {
2787 FILE *f;
2788 int i;
2789 char *session;
2790
2791 session = os_malloc(SPP_SESSION_ID_LEN * 2 + 1);
2792 if (session == NULL)
2793 return NULL;
2794
2795 f = fopen("/dev/urandom", "r");
2796 if (f == NULL) {
2797 os_free(session);
2798 return NULL;
2799 }
2800 for (i = 0; i < SPP_SESSION_ID_LEN; i++)
2801 os_snprintf(session + i * 2, 3, "%02x", fgetc(f));
2802
2803 fclose(f);
2804 return session;
2805 }
2806
hs20_spp_server_process(struct hs20_svc * ctx,xml_node_t * node,const char * auth_user,const char * auth_realm,int dmacc)2807 xml_node_t * hs20_spp_server_process(struct hs20_svc *ctx, xml_node_t *node,
2808 const char *auth_user,
2809 const char *auth_realm, int dmacc)
2810 {
2811 xml_node_t *ret = NULL;
2812 char *session_id;
2813 const char *op_name;
2814 char *xml_err;
2815 char fname[200];
2816
2817 debug_dump_node(ctx, "received request", node);
2818
2819 if (!dmacc && auth_user && auth_realm) {
2820 char *real;
2821 real = db_get_val(ctx, auth_user, auth_realm, "identity", 0);
2822 if (!real) {
2823 real = db_get_val(ctx, auth_user, auth_realm,
2824 "identity", 1);
2825 if (real)
2826 dmacc = 1;
2827 }
2828 os_free(real);
2829 }
2830
2831 snprintf(fname, sizeof(fname), "%s/spp/spp.xsd", ctx->root_dir);
2832 if (xml_validate(ctx->xml, node, fname, &xml_err) < 0) {
2833 /*
2834 * We may not be able to extract the sessionID from invalid
2835 * input, but well, we can try.
2836 */
2837 session_id = xml_node_get_attr_value_ns(ctx->xml, node,
2838 SPP_NS_URI,
2839 "sessionID");
2840 debug_print(ctx, 1,
2841 "SPP message failed validation, xsd file: %s xml-error: %s",
2842 fname, xml_err);
2843 hs20_eventlog_node(ctx, auth_user, auth_realm, session_id,
2844 "SPP message failed validation", node);
2845 hs20_eventlog(ctx, auth_user, auth_realm, session_id,
2846 "Validation errors", xml_err);
2847 os_free(xml_err);
2848 xml_node_get_attr_value_free(ctx->xml, session_id);
2849 /* TODO: what to return here? */
2850 ret = xml_node_create_root(ctx->xml, NULL, NULL, NULL,
2851 "SppValidationError");
2852 return ret;
2853 }
2854
2855 session_id = xml_node_get_attr_value_ns(ctx->xml, node, SPP_NS_URI,
2856 "sessionID");
2857 if (session_id) {
2858 char *tmp;
2859 debug_print(ctx, 1, "Received sessionID %s", session_id);
2860 tmp = os_strdup(session_id);
2861 xml_node_get_attr_value_free(ctx->xml, session_id);
2862 if (tmp == NULL)
2863 return NULL;
2864 session_id = tmp;
2865 } else {
2866 session_id = gen_spp_session_id();
2867 if (session_id == NULL) {
2868 debug_print(ctx, 1, "Failed to generate sessionID");
2869 return NULL;
2870 }
2871 debug_print(ctx, 1, "Generated sessionID %s", session_id);
2872 }
2873
2874 op_name = xml_node_get_localname(ctx->xml, node);
2875 if (op_name == NULL) {
2876 debug_print(ctx, 1, "Could not get op_name");
2877 return NULL;
2878 }
2879
2880 if (strcmp(op_name, "sppPostDevData") == 0) {
2881 hs20_eventlog_node(ctx, auth_user, auth_realm, session_id,
2882 "sppPostDevData received and validated",
2883 node);
2884 ret = hs20_spp_post_dev_data(ctx, node, auth_user, auth_realm,
2885 session_id, dmacc);
2886 } else if (strcmp(op_name, "sppUpdateResponse") == 0) {
2887 hs20_eventlog_node(ctx, auth_user, auth_realm, session_id,
2888 "sppUpdateResponse received and validated",
2889 node);
2890 ret = hs20_spp_update_response(ctx, node, auth_user,
2891 auth_realm, session_id, dmacc);
2892 } else {
2893 hs20_eventlog_node(ctx, auth_user, auth_realm, session_id,
2894 "Unsupported SPP message received and "
2895 "validated", node);
2896 debug_print(ctx, 1, "Unsupported operation '%s'", op_name);
2897 /* TODO: what to return here? */
2898 ret = xml_node_create_root(ctx->xml, NULL, NULL, NULL,
2899 "SppUnknownCommandError");
2900 }
2901 os_free(session_id);
2902
2903 if (ret == NULL) {
2904 /* TODO: what to return here? */
2905 ret = xml_node_create_root(ctx->xml, NULL, NULL, NULL,
2906 "SppInternalError");
2907 }
2908
2909 return ret;
2910 }
2911
2912
hs20_spp_server_init(struct hs20_svc * ctx)2913 int hs20_spp_server_init(struct hs20_svc *ctx)
2914 {
2915 char fname[200];
2916 ctx->db = NULL;
2917 snprintf(fname, sizeof(fname), "%s/AS/DB/eap_user.db", ctx->root_dir);
2918 if (sqlite3_open(fname, &ctx->db)) {
2919 printf("Failed to open sqlite database: %s\n",
2920 sqlite3_errmsg(ctx->db));
2921 sqlite3_close(ctx->db);
2922 return -1;
2923 }
2924
2925 return 0;
2926 }
2927
2928
hs20_spp_server_deinit(struct hs20_svc * ctx)2929 void hs20_spp_server_deinit(struct hs20_svc *ctx)
2930 {
2931 sqlite3_close(ctx->db);
2932 ctx->db = NULL;
2933 }
2934