krackattacks/hs20/server/spp_server.c

/*
 * Hotspot 2.0 SPP server
 * Copyright (c) 2012-2013, Qualcomm Atheros, Inc.
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <time.h>
#include <errno.h>
#include <sqlite3.h>

#include "common.h"
#include "base64.h"
#include "md5_i.h"
#include "xml-utils.h"
#include "spp_server.h"


#define SPP_NS_URI "http://www.wi-fi.org/specifications/hotspot2dot0/v1.0/spp"

#define URN_OMA_DM_DEVINFO "urn:oma:mo:oma-dm-devinfo:1.0"
#define URN_OMA_DM_DEVDETAIL "urn:oma:mo:oma-dm-devdetail:1.0"
#define URN_OMA_DM_DMACC "urn:oma:mo:oma-dm-dmacc:1.0"
#define URN_HS20_PPS "urn:wfa:mo:hotspot2dot0-perprovidersubscription:1.0"


/* TODO: timeout to expire sessions */

enum hs20_session_operation {
	NO_OPERATION,
	UPDATE_PASSWORD,
	CONTINUE_SUBSCRIPTION_REMEDIATION,
	CONTINUE_POLICY_UPDATE,
	USER_REMEDIATION,
	SUBSCRIPTION_REGISTRATION,
	POLICY_REMEDIATION,
	POLICY_UPDATE,
	FREE_REMEDIATION,
};


static char * db_get_session_val(struct hs20_svc *ctx, const char *user,
				 const char *realm, const char *session_id,
				 const char *field);
static char * db_get_osu_config_val(struct hs20_svc *ctx, const char *realm,
				    const char *field);
static xml_node_t * build_policy(struct hs20_svc *ctx, const char *user,
				 const char *realm, int use_dmacc);


static int db_add_session(struct hs20_svc *ctx,
			  const char *user, const char *realm,
			  const char *sessionid, const char *pw,
			  const char *redirect_uri,
			  enum hs20_session_operation operation)
{
	char *sql;
	int ret = 0;

	sql = sqlite3_mprintf("INSERT INTO sessions(timestamp,id,user,realm,"
			      "operation,password,redirect_uri) "
			      "VALUES "
			      "(strftime('%%Y-%%m-%%d %%H:%%M:%%f','now'),"
			      "%Q,%Q,%Q,%d,%Q,%Q)",
			      sessionid, user ? user : "", realm ? realm : "",
			      operation, pw ? pw : "",
			      redirect_uri ? redirect_uri : "");
	if (sql == NULL)
		return -1;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to add session entry into sqlite "
			    "database: %s", sqlite3_errmsg(ctx->db));
		ret = -1;
	}
	sqlite3_free(sql);
	return ret;
}


static void db_update_session_password(struct hs20_svc *ctx, const char *user,
				       const char *realm, const char *sessionid,
				       const char *pw)
{
	char *sql;

	sql = sqlite3_mprintf("UPDATE sessions SET password=%Q WHERE id=%Q AND "
			      "user=%Q AND realm=%Q",
			      pw, sessionid, user, realm);
	if (sql == NULL)
		return;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to update session password: %s",
			    sqlite3_errmsg(ctx->db));
	}
	sqlite3_free(sql);
}


static void db_update_session_machine_managed(struct hs20_svc *ctx,
					      const char *user,
					      const char *realm,
					      const char *sessionid,
					      const int pw_mm)
{
	char *sql;

	sql = sqlite3_mprintf("UPDATE sessions SET machine_managed=%Q WHERE id=%Q AND user=%Q AND realm=%Q",
			      pw_mm ? "1" : "0", sessionid, user, realm);
	if (sql == NULL)
		return;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1,
			    "Failed to update session machine_managed: %s",
			    sqlite3_errmsg(ctx->db));
	}
	sqlite3_free(sql);
}


static void db_add_session_pps(struct hs20_svc *ctx, const char *user,
			       const char *realm, const char *sessionid,
			       xml_node_t *node)
{
	char *str;
	char *sql;

	str = xml_node_to_str(ctx->xml, node);
	if (str == NULL)
		return;
	sql = sqlite3_mprintf("UPDATE sessions SET pps=%Q WHERE id=%Q AND "
			      "user=%Q AND realm=%Q",
			      str, sessionid, user, realm);
	free(str);
	if (sql == NULL)
		return;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to add session pps: %s",
			    sqlite3_errmsg(ctx->db));
	}
	sqlite3_free(sql);
}


static void db_add_session_devinfo(struct hs20_svc *ctx, const char *sessionid,
				   xml_node_t *node)
{
	char *str;
	char *sql;

	str = xml_node_to_str(ctx->xml, node);
	if (str == NULL)
		return;
	sql = sqlite3_mprintf("UPDATE sessions SET devinfo=%Q WHERE id=%Q",
			      str, sessionid);
	free(str);
	if (sql == NULL)
		return;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to add session devinfo: %s",
			    sqlite3_errmsg(ctx->db));
	}
	sqlite3_free(sql);
}


static void db_add_session_devdetail(struct hs20_svc *ctx,
				     const char *sessionid,
				     xml_node_t *node)
{
	char *str;
	char *sql;

	str = xml_node_to_str(ctx->xml, node);
	if (str == NULL)
		return;
	sql = sqlite3_mprintf("UPDATE sessions SET devdetail=%Q WHERE id=%Q",
			      str, sessionid);
	free(str);
	if (sql == NULL)
		return;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to add session devdetail: %s",
			    sqlite3_errmsg(ctx->db));
	}
	sqlite3_free(sql);
}


static void db_remove_session(struct hs20_svc *ctx,
			      const char *user, const char *realm,
			      const char *sessionid)
{
	char *sql;

	if (user == NULL || realm == NULL) {
		sql = sqlite3_mprintf("DELETE FROM sessions WHERE "
				      "id=%Q", sessionid);
	} else {
		sql = sqlite3_mprintf("DELETE FROM sessions WHERE "
				      "user=%Q AND realm=%Q AND id=%Q",
				      user, realm, sessionid);
	}
	if (sql == NULL)
		return;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to delete session entry from "
			    "sqlite database: %s", sqlite3_errmsg(ctx->db));
	}
	sqlite3_free(sql);
}


static void hs20_eventlog(struct hs20_svc *ctx,
			  const char *user, const char *realm,
			  const char *sessionid, const char *notes,
			  const char *dump)
{
	char *sql;
	char *user_buf = NULL, *realm_buf = NULL;

	debug_print(ctx, 1, "eventlog: %s", notes);

	if (user == NULL) {
		user_buf = db_get_session_val(ctx, NULL, NULL, sessionid,
					      "user");
		user = user_buf;
		realm_buf = db_get_session_val(ctx, NULL, NULL, sessionid,
					       "realm");
		realm = realm_buf;
	}

	sql = sqlite3_mprintf("INSERT INTO eventlog"
			      "(user,realm,sessionid,timestamp,notes,dump,addr)"
			      " VALUES (%Q,%Q,%Q,"
			      "strftime('%%Y-%%m-%%d %%H:%%M:%%f','now'),"
			      "%Q,%Q,%Q)",
			      user, realm, sessionid, notes,
			      dump ? dump : "", ctx->addr ? ctx->addr : "");
	free(user_buf);
	free(realm_buf);
	if (sql == NULL)
		return;
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to add eventlog entry into sqlite "
			    "database: %s", sqlite3_errmsg(ctx->db));
	}
	sqlite3_free(sql);
}


static void hs20_eventlog_node(struct hs20_svc *ctx,
			       const char *user, const char *realm,
			       const char *sessionid, const char *notes,
			       xml_node_t *node)
{
	char *str;

	if (node)
		str = xml_node_to_str(ctx->xml, node);
	else
		str = NULL;
	hs20_eventlog(ctx, user, realm, sessionid, notes, str);
	free(str);
}


static void db_update_mo_str(struct hs20_svc *ctx, const char *user,
			     const char *realm, const char *name,
			     const char *str)
{
	char *sql;
	if (user == NULL || realm == NULL || name == NULL)
		return;
	sql = sqlite3_mprintf("UPDATE users SET %s=%Q "
		 "WHERE identity=%Q AND realm=%Q AND phase2=1",
			      name, str, user, realm);
	if (sql == NULL)
		return;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to update user MO entry in sqlite "
			    "database: %s", sqlite3_errmsg(ctx->db));
	}
	sqlite3_free(sql);
}


static void db_update_mo(struct hs20_svc *ctx, const char *user,
			 const char *realm, const char *name, xml_node_t *mo)
{
	char *str;

	str = xml_node_to_str(ctx->xml, mo);
	if (str == NULL)
		return;

	db_update_mo_str(ctx, user, realm, name, str);
	free(str);
}


static void add_text_node(struct hs20_svc *ctx, xml_node_t *parent,
			  const char *name, const char *value)
{
	xml_node_create_text(ctx->xml, parent, NULL, name, value ? value : "");
}


static void add_text_node_conf(struct hs20_svc *ctx, const char *realm,
			       xml_node_t *parent, const char *name,
			       const char *field)
{
	char *val;
	val = db_get_osu_config_val(ctx, realm, field);
	xml_node_create_text(ctx->xml, parent, NULL, name, val ? val : "");
	os_free(val);
}


static int new_password(char *buf, int buflen)
{
	int i;

	if (buflen < 1)
		return -1;
	buf[buflen - 1] = '\0';
	if (os_get_random((unsigned char *) buf, buflen - 1) < 0)
		return -1;

	for (i = 0; i < buflen - 1; i++) {
		unsigned char val = buf[i];
		val %= 2 * 26 + 10;
		if (val < 26)
			buf[i] = 'a' + val;
		else if (val < 2 * 26)
			buf[i] = 'A' + val - 26;
		else
			buf[i] = '0' + val - 2 * 26;
	}

	return 0;
}


struct get_db_field_data {
	const char *field;
	char *value;
};


static int get_db_field(void *ctx, int argc, char *argv[], char *col[])
{
	struct get_db_field_data *data = ctx;
	int i;

	for (i = 0; i < argc; i++) {
		if (os_strcmp(col[i], data->field) == 0 && argv[i]) {
			os_free(data->value);
			data->value = os_strdup(argv[i]);
			break;
		}
	}

	return 0;
}


static char * db_get_val(struct hs20_svc *ctx, const char *user,
			 const char *realm, const char *field, int dmacc)
{
	char *cmd;
	struct get_db_field_data data;

	cmd = sqlite3_mprintf("SELECT %s FROM users WHERE "
			      "%s=%Q AND realm=%Q AND phase2=1",
			      field, dmacc ? "osu_user" : "identity",
			      user, realm);
	if (cmd == NULL)
		return NULL;
	memset(&data, 0, sizeof(data));
	data.field = field;
	if (sqlite3_exec(ctx->db, cmd, get_db_field, &data, NULL) != SQLITE_OK)
	{
		debug_print(ctx, 1, "Could not find user '%s'", user);
		sqlite3_free(cmd);
		return NULL;
	}
	sqlite3_free(cmd);

	debug_print(ctx, 1, "DB: user='%s' realm='%s' field='%s' dmacc=%d --> "
		    "value='%s'", user, realm, field, dmacc, data.value);

	return data.value;
}


static int db_update_val(struct hs20_svc *ctx, const char *user,
			 const char *realm, const char *field,
			 const char *val, int dmacc)
{
	char *cmd;
	int ret;

	cmd = sqlite3_mprintf("UPDATE users SET %s=%Q WHERE "
			      "%s=%Q AND realm=%Q AND phase2=1",
			      field, val, dmacc ? "osu_user" : "identity", user,
			      realm);
	if (cmd == NULL)
		return -1;
	debug_print(ctx, 1, "DB: %s", cmd);
	if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1,
			    "Failed to update user in sqlite database: %s",
			    sqlite3_errmsg(ctx->db));
		ret = -1;
	} else {
		debug_print(ctx, 1,
			    "DB: user='%s' realm='%s' field='%s' set to '%s'",
			    user, realm, field, val);
		ret = 0;
	}
	sqlite3_free(cmd);

	return ret;
}


static char * db_get_session_val(struct hs20_svc *ctx, const char *user,
				 const char *realm, const char *session_id,
				 const char *field)
{
	char *cmd;
	struct get_db_field_data data;

	if (user == NULL || realm == NULL) {
		cmd = sqlite3_mprintf("SELECT %s FROM sessions WHERE "
				      "id=%Q", field, session_id);
	} else {
		cmd = sqlite3_mprintf("SELECT %s FROM sessions WHERE "
				      "user=%Q AND realm=%Q AND id=%Q",
				      field, user, realm, session_id);
	}
	if (cmd == NULL)
		return NULL;
	debug_print(ctx, 1, "DB: %s", cmd);
	memset(&data, 0, sizeof(data));
	data.field = field;
	if (sqlite3_exec(ctx->db, cmd, get_db_field, &data, NULL) != SQLITE_OK)
	{
		debug_print(ctx, 1, "DB: Could not find session %s: %s",
			    session_id, sqlite3_errmsg(ctx->db));
		sqlite3_free(cmd);
		return NULL;
	}
	sqlite3_free(cmd);

	debug_print(ctx, 1, "DB: return '%s'", data.value);
	return data.value;
}


static int update_password(struct hs20_svc *ctx, const char *user,
			   const char *realm, const char *pw, int dmacc)
{
	char *cmd;

	cmd = sqlite3_mprintf("UPDATE users SET password=%Q, "
			      "remediation='' "
			      "WHERE %s=%Q AND phase2=1",
			      pw, dmacc ? "osu_user" : "identity",
			      user);
	if (cmd == NULL)
		return -1;
	debug_print(ctx, 1, "DB: %s", cmd);
	if (sqlite3_exec(ctx->db, cmd, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to update database for user '%s'",
			    user);
	}
	sqlite3_free(cmd);

	return 0;
}


static int add_eap_ttls(struct hs20_svc *ctx, xml_node_t *parent)
{
	xml_node_t *node;

	node = xml_node_create(ctx->xml, parent, NULL, "EAPMethod");
	if (node == NULL)
		return -1;

	add_text_node(ctx, node, "EAPType", "21");
	add_text_node(ctx, node, "InnerMethod", "MS-CHAP-V2");

	return 0;
}


static xml_node_t * build_username_password(struct hs20_svc *ctx,
					    xml_node_t *parent,
					    const char *user, const char *pw)
{
	xml_node_t *node;
	char *b64;

	node = xml_node_create(ctx->xml, parent, NULL, "UsernamePassword");
	if (node == NULL)
		return NULL;

	add_text_node(ctx, node, "Username", user);

	b64 = (char *) base64_encode((unsigned char *) pw, strlen(pw), NULL);
	if (b64 == NULL)
		return NULL;
	add_text_node(ctx, node, "Password", b64);
	free(b64);

	return node;
}


static int add_username_password(struct hs20_svc *ctx, xml_node_t *cred,
				 const char *user, const char *pw)
{
	xml_node_t *node;

	node = build_username_password(ctx, cred, user, pw);
	if (node == NULL)
		return -1;

	add_text_node(ctx, node, "MachineManaged", "TRUE");
	add_text_node(ctx, node, "SoftTokenApp", "");
	add_eap_ttls(ctx, node);

	return 0;
}


static void add_creation_date(struct hs20_svc *ctx, xml_node_t *cred)
{
	char str[30];
	time_t now;
	struct tm tm;

	time(&now);
	gmtime_r(&now, &tm);
	snprintf(str, sizeof(str), "%04u-%02u-%02uT%02u:%02u:%02uZ",
		 tm.tm_year + 1900, tm.tm_mon + 1, tm.tm_mday,
		 tm.tm_hour, tm.tm_min, tm.tm_sec);
	xml_node_create_text(ctx->xml, cred, NULL, "CreationDate", str);
}


static xml_node_t * build_credential_pw(struct hs20_svc *ctx,
					const char *user, const char *realm,
					const char *pw)
{
	xml_node_t *cred;

	cred = xml_node_create_root(ctx->xml, NULL, NULL, NULL, "Credential");
	if (cred == NULL) {
		debug_print(ctx, 1, "Failed to create Credential node");
		return NULL;
	}
	add_creation_date(ctx, cred);
	if (add_username_password(ctx, cred, user, pw) < 0) {
		xml_node_free(ctx->xml, cred);
		return NULL;
	}
	add_text_node(ctx, cred, "Realm", realm);

	return cred;
}


static xml_node_t * build_credential(struct hs20_svc *ctx,
				     const char *user, const char *realm,
				     char *new_pw, size_t new_pw_len)
{
	if (new_password(new_pw, new_pw_len) < 0)
		return NULL;
	debug_print(ctx, 1, "Update password to '%s'", new_pw);
	return build_credential_pw(ctx, user, realm, new_pw);
}


static xml_node_t * build_credential_cert(struct hs20_svc *ctx,
					  const char *user, const char *realm,
					  const char *cert_fingerprint)
{
	xml_node_t *cred, *cert;

	cred = xml_node_create_root(ctx->xml, NULL, NULL, NULL, "Credential");
	if (cred == NULL) {
		debug_print(ctx, 1, "Failed to create Credential node");
		return NULL;
	}
	add_creation_date(ctx, cred);
	cert = xml_node_create(ctx->xml, cred, NULL, "DigitalCertificate");
	add_text_node(ctx, cert, "CertificateType", "x509v3");
	add_text_node(ctx, cert, "CertSHA256Fingerprint", cert_fingerprint);
	add_text_node(ctx, cred, "Realm", realm);

	return cred;
}


static xml_node_t * build_post_dev_data_response(struct hs20_svc *ctx,
						 xml_namespace_t **ret_ns,
						 const char *session_id,
						 const char *status,
						 const char *error_code)
{
	xml_node_t *spp_node = NULL;
	xml_namespace_t *ns;

	spp_node = xml_node_create_root(ctx->xml, SPP_NS_URI, "spp", &ns,
					"sppPostDevDataResponse");
	if (spp_node == NULL)
		return NULL;
	if (ret_ns)
		*ret_ns = ns;

	xml_node_add_attr(ctx->xml, spp_node, ns, "sppVersion", "1.0");
	xml_node_add_attr(ctx->xml, spp_node, ns, "sessionID", session_id);
	xml_node_add_attr(ctx->xml, spp_node, ns, "sppStatus", status);

	if (error_code) {
		xml_node_t *node;
		node = xml_node_create(ctx->xml, spp_node, ns, "sppError");
		if (node)
			xml_node_add_attr(ctx->xml, node, NULL, "errorCode",
					  error_code);
	}

	return spp_node;
}


static int add_update_node(struct hs20_svc *ctx, xml_node_t *spp_node,
			   xml_namespace_t *ns, const char *uri,
			   xml_node_t *upd_node)
{
	xml_node_t *node, *tnds;
	char *str;

	tnds = mo_to_tnds(ctx->xml, upd_node, 0, NULL, NULL);
	if (!tnds)
		return -1;

	str = xml_node_to_str(ctx->xml, tnds);
	xml_node_free(ctx->xml, tnds);
	if (str == NULL)
		return -1;
	node = xml_node_create_text(ctx->xml, spp_node, ns, "updateNode", str);
	free(str);

	xml_node_add_attr(ctx->xml, node, ns, "managementTreeURI", uri);

	return 0;
}


static xml_node_t * build_sub_rem_resp(struct hs20_svc *ctx,
				       const char *user, const char *realm,
				       const char *session_id,
				       int machine_rem, int dmacc)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node, *cred;
	char buf[400];
	char new_pw[33];
	char *real_user = NULL;
	char *status;
	char *cert;

	if (dmacc) {
		real_user = db_get_val(ctx, user, realm, "identity", dmacc);
		if (real_user == NULL) {
			debug_print(ctx, 1, "Could not find user identity for "
				    "dmacc user '%s'", user);
			return NULL;
		}
	}

	cert = db_get_val(ctx, user, realm, "cert", dmacc);
	if (cert && cert[0] == '\0')
		cert = NULL;
	if (cert) {
		cred = build_credential_cert(ctx, real_user ? real_user : user,
					     realm, cert);
	} else {
		cred = build_credential(ctx, real_user ? real_user : user,
					realm, new_pw, sizeof(new_pw));
	}
	free(real_user);
	if (!cred) {
		debug_print(ctx, 1, "Could not build credential");
		return NULL;
	}

	status = "Remediation complete, request sppUpdateResponse";
	spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
						NULL);
	if (spp_node == NULL) {
		debug_print(ctx, 1, "Could not build sppPostDevDataResponse");
		return NULL;
	}

	snprintf(buf, sizeof(buf),
		 "./Wi-Fi/%s/PerProviderSubscription/Credential1/Credential",
		 realm);

	if (add_update_node(ctx, spp_node, ns, buf, cred) < 0) {
		debug_print(ctx, 1, "Could not add update node");
		xml_node_free(ctx->xml, spp_node);
		return NULL;
	}

	hs20_eventlog_node(ctx, user, realm, session_id,
			   machine_rem ? "machine remediation" :
			   "user remediation", cred);
	xml_node_free(ctx->xml, cred);

	if (cert) {
		debug_print(ctx, 1, "Certificate credential - no need for DB "
			    "password update on success notification");
	} else {
		debug_print(ctx, 1, "Request DB password update on success "
			    "notification");
		db_add_session(ctx, user, realm, session_id, new_pw, NULL,
			       UPDATE_PASSWORD);
	}

	return spp_node;
}


static xml_node_t * machine_remediation(struct hs20_svc *ctx,
					const char *user,
					const char *realm,
					const char *session_id, int dmacc)
{
	return build_sub_rem_resp(ctx, user, realm, session_id, 1, dmacc);
}


static xml_node_t * policy_remediation(struct hs20_svc *ctx,
				       const char *user, const char *realm,
				       const char *session_id, int dmacc)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node, *policy;
	char buf[400];
	const char *status;

	hs20_eventlog(ctx, user, realm, session_id,
		      "requires policy remediation", NULL);

	db_add_session(ctx, user, realm, session_id, NULL, NULL,
		       POLICY_REMEDIATION);

	policy = build_policy(ctx, user, realm, dmacc);
	if (!policy) {
		return build_post_dev_data_response(
			ctx, NULL, session_id,
			"No update available at this time", NULL);
	}

	status = "Remediation complete, request sppUpdateResponse";
	spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
						NULL);
	if (spp_node == NULL)
		return NULL;

	snprintf(buf, sizeof(buf),
		 "./Wi-Fi/%s/PerProviderSubscription/Credential1/Policy",
		 realm);

	if (add_update_node(ctx, spp_node, ns, buf, policy) < 0) {
		xml_node_free(ctx->xml, spp_node);
		xml_node_free(ctx->xml, policy);
		return NULL;
	}

	hs20_eventlog_node(ctx, user, realm, session_id,
			   "policy update (sub rem)", policy);
	xml_node_free(ctx->xml, policy);

	return spp_node;
}


static xml_node_t * browser_remediation(struct hs20_svc *ctx,
					const char *session_id,
					const char *redirect_uri,
					const char *uri)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node, *exec_node;

	if (redirect_uri == NULL) {
		debug_print(ctx, 1, "Missing redirectURI attribute for user "
			    "remediation");
		return NULL;
	}
	debug_print(ctx, 1, "redirectURI %s", redirect_uri);

	spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK",
		NULL);
	if (spp_node == NULL)
		return NULL;

	exec_node = xml_node_create(ctx->xml, spp_node, ns, "exec");
	xml_node_create_text(ctx->xml, exec_node, ns, "launchBrowserToURI",
			     uri);
	return spp_node;
}


static xml_node_t * user_remediation(struct hs20_svc *ctx, const char *user,
				     const char *realm, const char *session_id,
				     const char *redirect_uri)
{
	char uri[300], *val;

	hs20_eventlog(ctx, user, realm, session_id,
		      "requires user remediation", NULL);
	val = db_get_osu_config_val(ctx, realm, "remediation_url");
	if (val == NULL)
		return NULL;

	db_add_session(ctx, user, realm, session_id, NULL, redirect_uri,
		       USER_REMEDIATION);

	snprintf(uri, sizeof(uri), "%s%s", val, session_id);
	os_free(val);
	return browser_remediation(ctx, session_id, redirect_uri, uri);
}


static xml_node_t * free_remediation(struct hs20_svc *ctx,
				     const char *user, const char *realm,
				     const char *session_id,
				     const char *redirect_uri)
{
	char uri[300], *val;

	hs20_eventlog(ctx, user, realm, session_id,
		      "requires free/public account remediation", NULL);
	val = db_get_osu_config_val(ctx, realm, "free_remediation_url");
	if (val == NULL)
		return NULL;

	db_add_session(ctx, user, realm, session_id, NULL, redirect_uri,
		       FREE_REMEDIATION);

	snprintf(uri, sizeof(uri), "%s%s", val, session_id);
	os_free(val);
	return browser_remediation(ctx, session_id, redirect_uri, uri);
}


static xml_node_t * no_sub_rem(struct hs20_svc *ctx,
			       const char *user, const char *realm,
			       const char *session_id)
{
	const char *status;

	hs20_eventlog(ctx, user, realm, session_id,
		      "no subscription mediation available", NULL);

	status = "No update available at this time";
	return build_post_dev_data_response(ctx, NULL, session_id, status,
					    NULL);
}


static xml_node_t * hs20_subscription_remediation(struct hs20_svc *ctx,
						  const char *user,
						  const char *realm,
						  const char *session_id,
						  int dmacc,
						  const char *redirect_uri)
{
	char *type, *identity;
	xml_node_t *ret;
	char *free_account;

	identity = db_get_val(ctx, user, realm, "identity", dmacc);
	if (identity == NULL || strlen(identity) == 0) {
		hs20_eventlog(ctx, user, realm, session_id,
			      "user not found in database for remediation",
			      NULL);
		os_free(identity);
		return build_post_dev_data_response(ctx, NULL, session_id,
						    "Error occurred",
						    "Not found");
	}
	os_free(identity);

	free_account = db_get_osu_config_val(ctx, realm, "free_account");
	if (free_account && strcmp(free_account, user) == 0) {
		free(free_account);
		return no_sub_rem(ctx, user, realm, session_id);
	}
	free(free_account);

	type = db_get_val(ctx, user, realm, "remediation", dmacc);
	if (type && strcmp(type, "free") != 0) {
		char *val;
		int shared = 0;
		val = db_get_val(ctx, user, realm, "shared", dmacc);
		if (val)
			shared = atoi(val);
		free(val);
		if (shared) {
			free(type);
			return no_sub_rem(ctx, user, realm, session_id);
		}
	}
	if (type && strcmp(type, "user") == 0)
		ret = user_remediation(ctx, user, realm, session_id,
				       redirect_uri);
	else if (type && strcmp(type, "free") == 0)
		ret = free_remediation(ctx, user, realm, session_id,
				       redirect_uri);
	else if (type && strcmp(type, "policy") == 0)
		ret = policy_remediation(ctx, user, realm, session_id, dmacc);
	else
		ret = machine_remediation(ctx, user, realm, session_id, dmacc);
	free(type);

	return ret;
}


static xml_node_t * build_policy(struct hs20_svc *ctx, const char *user,
				 const char *realm, int use_dmacc)
{
	char *policy_id;
	char fname[200];
	xml_node_t *policy, *node;

	policy_id = db_get_val(ctx, user, realm, "policy", use_dmacc);
	if (policy_id == NULL || strlen(policy_id) == 0) {
		free(policy_id);
		policy_id = strdup("default");
		if (policy_id == NULL)
			return NULL;
	}

	snprintf(fname, sizeof(fname), "%s/spp/policy/%s.xml",
		 ctx->root_dir, policy_id);
	free(policy_id);
	debug_print(ctx, 1, "Use policy file %s", fname);

	policy = node_from_file(ctx->xml, fname);
	if (policy == NULL)
		return NULL;

	node = get_node_uri(ctx->xml, policy, "Policy/PolicyUpdate/URI");
	if (node) {
		char *url;
		url = db_get_osu_config_val(ctx, realm, "policy_url");
		if (url == NULL) {
			xml_node_free(ctx->xml, policy);
			return NULL;
		}
		xml_node_set_text(ctx->xml, node, url);
		free(url);
	}

	node = get_node_uri(ctx->xml, policy, "Policy/PolicyUpdate");
	if (node && use_dmacc) {
		char *pw;
		pw = db_get_val(ctx, user, realm, "osu_password", use_dmacc);
		if (pw == NULL ||
		    build_username_password(ctx, node, user, pw) == NULL) {
			debug_print(ctx, 1, "Failed to add Policy/PolicyUpdate/"
				    "UsernamePassword");
			free(pw);
			xml_node_free(ctx->xml, policy);
			return NULL;
		}
		free(pw);
	}

	return policy;
}


static xml_node_t * hs20_policy_update(struct hs20_svc *ctx,
				       const char *user, const char *realm,
				       const char *session_id, int dmacc)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node;
	xml_node_t *policy;
	char buf[400];
	const char *status;
	char *identity;

	identity = db_get_val(ctx, user, realm, "identity", dmacc);
	if (identity == NULL || strlen(identity) == 0) {
		hs20_eventlog(ctx, user, realm, session_id,
			      "user not found in database for policy update",
			      NULL);
		os_free(identity);
		return build_post_dev_data_response(ctx, NULL, session_id,
						    "Error occurred",
						    "Not found");
	}
	os_free(identity);

	policy = build_policy(ctx, user, realm, dmacc);
	if (!policy) {
		return build_post_dev_data_response(
			ctx, NULL, session_id,
			"No update available at this time", NULL);
	}

	db_add_session(ctx, user, realm, session_id, NULL, NULL, POLICY_UPDATE);

	status = "Update complete, request sppUpdateResponse";
	spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
						NULL);
	if (spp_node == NULL)
		return NULL;

	snprintf(buf, sizeof(buf),
		 "./Wi-Fi/%s/PerProviderSubscription/Credential1/Policy",
		 realm);

	if (add_update_node(ctx, spp_node, ns, buf, policy) < 0) {
		xml_node_free(ctx->xml, spp_node);
		xml_node_free(ctx->xml, policy);
		return NULL;
	}

	hs20_eventlog_node(ctx, user, realm, session_id, "policy update",
			   policy);
	xml_node_free(ctx->xml, policy);

	return spp_node;
}


static xml_node_t * spp_get_mo(struct hs20_svc *ctx, xml_node_t *node,
			       const char *urn, int *valid, char **ret_err)
{
	xml_node_t *child, *tnds, *mo;
	const char *name;
	char *mo_urn;
	char *str;
	char fname[200];

	*valid = -1;
	if (ret_err)
		*ret_err = NULL;

	xml_node_for_each_child(ctx->xml, child, node) {
		xml_node_for_each_check(ctx->xml, child);
		name = xml_node_get_localname(ctx->xml, child);
		if (strcmp(name, "moContainer") != 0)
			continue;
		mo_urn = xml_node_get_attr_value_ns(ctx->xml, child, SPP_NS_URI,
						    "moURN");
		if (strcasecmp(urn, mo_urn) == 0) {
			xml_node_get_attr_value_free(ctx->xml, mo_urn);
			break;
		}
		xml_node_get_attr_value_free(ctx->xml, mo_urn);
	}

	if (child == NULL)
		return NULL;

	debug_print(ctx, 1, "moContainer text for %s", urn);
	debug_dump_node(ctx, "moContainer", child);

	str = xml_node_get_text(ctx->xml, child);
	debug_print(ctx, 1, "moContainer payload: '%s'", str);
	tnds = xml_node_from_buf(ctx->xml, str);
	xml_node_get_text_free(ctx->xml, str);
	if (tnds == NULL) {
		debug_print(ctx, 1, "could not parse moContainer text");
		return NULL;
	}

	snprintf(fname, sizeof(fname), "%s/spp/dm_ddf-v1_2.dtd", ctx->root_dir);
	if (xml_validate_dtd(ctx->xml, tnds, fname, ret_err) == 0)
		*valid = 1;
	else if (ret_err && *ret_err &&
		 os_strcmp(*ret_err, "No declaration for attribute xmlns of element MgmtTree\n") == 0) {
		free(*ret_err);
		debug_print(ctx, 1, "Ignore OMA-DM DDF DTD validation error for MgmtTree namespace declaration with xmlns attribute");
		*ret_err = NULL;
		*valid = 1;
	} else
		*valid = 0;

	mo = tnds_to_mo(ctx->xml, tnds);
	xml_node_free(ctx->xml, tnds);
	if (mo == NULL) {
		debug_print(ctx, 1, "invalid moContainer for %s", urn);
	}

	return mo;
}


static xml_node_t * spp_exec_upload_mo(struct hs20_svc *ctx,
				       const char *session_id, const char *urn)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node, *node, *exec_node;

	spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK",
						NULL);
	if (spp_node == NULL)
		return NULL;

	exec_node = xml_node_create(ctx->xml, spp_node, ns, "exec");

	node = xml_node_create(ctx->xml, exec_node, ns, "uploadMO");
	xml_node_add_attr(ctx->xml, node, ns, "moURN", urn);

	return spp_node;
}


static xml_node_t * hs20_subscription_registration(struct hs20_svc *ctx,
						   const char *realm,
						   const char *session_id,
						   const char *redirect_uri)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node, *exec_node;
	char uri[300], *val;

	if (db_add_session(ctx, NULL, realm, session_id, NULL, redirect_uri,
			   SUBSCRIPTION_REGISTRATION) < 0)
		return NULL;
	val = db_get_osu_config_val(ctx, realm, "signup_url");
	if (val == NULL)
		return NULL;

	spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK",
						NULL);
	if (spp_node == NULL)
		return NULL;

	exec_node = xml_node_create(ctx->xml, spp_node, ns, "exec");

	snprintf(uri, sizeof(uri), "%s%s", val, session_id);
	os_free(val);
	xml_node_create_text(ctx->xml, exec_node, ns, "launchBrowserToURI",
			     uri);
	return spp_node;
}


static xml_node_t * hs20_user_input_remediation(struct hs20_svc *ctx,
						const char *user,
						const char *realm, int dmacc,
						const char *session_id)
{
	return build_sub_rem_resp(ctx, user, realm, session_id, 0, dmacc);
}


static char * db_get_osu_config_val(struct hs20_svc *ctx, const char *realm,
				    const char *field)
{
	char *cmd;
	struct get_db_field_data data;

	cmd = sqlite3_mprintf("SELECT value FROM osu_config WHERE realm=%Q AND "
			      "field=%Q", realm, field);
	if (cmd == NULL)
		return NULL;
	debug_print(ctx, 1, "DB: %s", cmd);
	memset(&data, 0, sizeof(data));
	data.field = "value";
	if (sqlite3_exec(ctx->db, cmd, get_db_field, &data, NULL) != SQLITE_OK)
	{
		debug_print(ctx, 1, "DB: Could not find osu_config %s: %s",
			    realm, sqlite3_errmsg(ctx->db));
		sqlite3_free(cmd);
		return NULL;
	}
	sqlite3_free(cmd);

	debug_print(ctx, 1, "DB: return '%s'", data.value);
	return data.value;
}


static xml_node_t * build_pps(struct hs20_svc *ctx,
			      const char *user, const char *realm,
			      const char *pw, const char *cert,
			      int machine_managed)
{
	xml_node_t *pps, *c, *trust, *aaa, *aaa1, *upd, *homesp;
	xml_node_t *cred, *eap, *userpw;

	pps = xml_node_create_root(ctx->xml, NULL, NULL, NULL,
				   "PerProviderSubscription");
	if (pps == NULL)
		return NULL;

	add_text_node(ctx, pps, "UpdateIdentifier", "1");

	c = xml_node_create(ctx->xml, pps, NULL, "Credential1");

	add_text_node(ctx, c, "CredentialPriority", "1");

	aaa = xml_node_create(ctx->xml, c, NULL, "AAAServerTrustRoot");
	aaa1 = xml_node_create(ctx->xml, aaa, NULL, "AAA1");
	add_text_node_conf(ctx, realm, aaa1, "CertURL",
			   "aaa_trust_root_cert_url");
	add_text_node_conf(ctx, realm, aaa1, "CertSHA256Fingerprint",
			   "aaa_trust_root_cert_fingerprint");

	upd = xml_node_create(ctx->xml, c, NULL, "SubscriptionUpdate");
	add_text_node(ctx, upd, "UpdateInterval", "4294967295");
	add_text_node(ctx, upd, "UpdateMethod", "ClientInitiated");
	add_text_node(ctx, upd, "Restriction", "HomeSP");
	add_text_node_conf(ctx, realm, upd, "URI", "spp_http_auth_url");
	trust = xml_node_create(ctx->xml, upd, NULL, "TrustRoot");
	add_text_node_conf(ctx, realm, trust, "CertURL", "trust_root_cert_url");
	add_text_node_conf(ctx, realm, trust, "CertSHA256Fingerprint",
			   "trust_root_cert_fingerprint");

	homesp = xml_node_create(ctx->xml, c, NULL, "HomeSP");
	add_text_node_conf(ctx, realm, homesp, "FriendlyName", "friendly_name");
	add_text_node_conf(ctx, realm, homesp, "FQDN", "fqdn");

	xml_node_create(ctx->xml, c, NULL, "SubscriptionParameters");

	cred = xml_node_create(ctx->xml, c, NULL, "Credential");
	add_creation_date(ctx, cred);
	if (cert) {
		xml_node_t *dc;
		dc = xml_node_create(ctx->xml, cred, NULL,
				     "DigitalCertificate");
		add_text_node(ctx, dc, "CertificateType", "x509v3");
		add_text_node(ctx, dc, "CertSHA256Fingerprint", cert);
	} else {
		userpw = build_username_password(ctx, cred, user, pw);
		add_text_node(ctx, userpw, "MachineManaged",
			      machine_managed ? "TRUE" : "FALSE");
		eap = xml_node_create(ctx->xml, userpw, NULL, "EAPMethod");
		add_text_node(ctx, eap, "EAPType", "21");
		add_text_node(ctx, eap, "InnerMethod", "MS-CHAP-V2");
	}
	add_text_node(ctx, cred, "Realm", realm);

	return pps;
}


static xml_node_t * spp_exec_get_certificate(struct hs20_svc *ctx,
					     const char *session_id,
					     const char *user,
					     const char *realm)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node, *enroll, *exec_node;
	char *val;
	char password[11];
	char *b64;

	if (new_password(password, sizeof(password)) < 0)
		return NULL;

	spp_node = build_post_dev_data_response(ctx, &ns, session_id, "OK",
						NULL);
	if (spp_node == NULL)
		return NULL;

	exec_node = xml_node_create(ctx->xml, spp_node, ns, "exec");

	enroll = xml_node_create(ctx->xml, exec_node, ns, "getCertificate");
	xml_node_add_attr(ctx->xml, enroll, NULL, "enrollmentProtocol", "EST");

	val = db_get_osu_config_val(ctx, realm, "est_url");
	xml_node_create_text(ctx->xml, enroll, ns, "enrollmentServerURI",
			     val ? val : "");
	os_free(val);
	xml_node_create_text(ctx->xml, enroll, ns, "estUserID", user);

	b64 = (char *) base64_encode((unsigned char *) password,
				     strlen(password), NULL);
	if (b64 == NULL) {
		xml_node_free(ctx->xml, spp_node);
		return NULL;
	}
	xml_node_create_text(ctx->xml, enroll, ns, "estPassword", b64);
	free(b64);

	db_update_session_password(ctx, user, realm, session_id, password);

	return spp_node;
}


static xml_node_t * hs20_user_input_registration(struct hs20_svc *ctx,
						 const char *session_id,
						 int enrollment_done)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node, *node = NULL;
	xml_node_t *pps, *tnds;
	char buf[400];
	char *str;
	char *user, *realm, *pw, *type, *mm;
	const char *status;
	int cert = 0;
	int machine_managed = 0;
	char *fingerprint;

	user = db_get_session_val(ctx, NULL, NULL, session_id, "user");
	realm = db_get_session_val(ctx, NULL, NULL, session_id, "realm");
	pw = db_get_session_val(ctx, NULL, NULL, session_id, "password");

	if (!user || !realm || !pw) {
		debug_print(ctx, 1, "Could not find session info from DB for "
			    "the new subscription");
		free(user);
		free(realm);
		free(pw);
		return NULL;
	}

	mm = db_get_session_val(ctx, NULL, NULL, session_id, "machine_managed");
	if (mm && atoi(mm))
		machine_managed = 1;
	free(mm);

	type = db_get_session_val(ctx, NULL, NULL, session_id, "type");
	if (type && strcmp(type, "cert") == 0)
		cert = 1;
	free(type);

	if (cert && !enrollment_done) {
		xml_node_t *ret;
		hs20_eventlog(ctx, user, realm, session_id,
			      "request client certificate enrollment", NULL);
		ret = spp_exec_get_certificate(ctx, session_id, user, realm);
		free(user);
		free(realm);
		free(pw);
		return ret;
	}

	if (!cert && strlen(pw) == 0) {
		machine_managed = 1;
		free(pw);
		pw = malloc(11);
		if (pw == NULL || new_password(pw, 11) < 0) {
			free(user);
			free(realm);
			free(pw);
			return NULL;
		}
	}

	status = "Provisioning complete, request sppUpdateResponse";
	spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
						NULL);
	if (spp_node == NULL)
		return NULL;

	fingerprint = db_get_session_val(ctx, NULL, NULL, session_id, "cert");
	pps = build_pps(ctx, user, realm, pw,
			fingerprint ? fingerprint : NULL, machine_managed);
	free(fingerprint);
	if (!pps) {
		xml_node_free(ctx->xml, spp_node);
		free(user);
		free(realm);
		free(pw);
		return NULL;
	}

	debug_print(ctx, 1, "Request DB subscription registration on success "
		    "notification");
	if (machine_managed) {
		db_update_session_password(ctx, user, realm, session_id, pw);
		db_update_session_machine_managed(ctx, user, realm, session_id,
						  machine_managed);
	}
	db_add_session_pps(ctx, user, realm, session_id, pps);

	hs20_eventlog_node(ctx, user, realm, session_id,
			   "new subscription", pps);
	free(user);
	free(pw);

	tnds = mo_to_tnds(ctx->xml, pps, 0, URN_HS20_PPS, NULL);
	xml_node_free(ctx->xml, pps);
	if (!tnds) {
		xml_node_free(ctx->xml, spp_node);
		free(realm);
		return NULL;
	}

	str = xml_node_to_str(ctx->xml, tnds);
	xml_node_free(ctx->xml, tnds);
	if (str == NULL) {
		xml_node_free(ctx->xml, spp_node);
		free(realm);
		return NULL;
	}

	node = xml_node_create_text(ctx->xml, spp_node, ns, "addMO", str);
	free(str);
	snprintf(buf, sizeof(buf), "./Wi-Fi/%s/PerProviderSubscription", realm);
	free(realm);
	xml_node_add_attr(ctx->xml, node, ns, "managementTreeURI", buf);
	xml_node_add_attr(ctx->xml, node, ns, "moURN", URN_HS20_PPS);

	return spp_node;
}


static xml_node_t * hs20_user_input_free_remediation(struct hs20_svc *ctx,
						     const char *user,
						     const char *realm,
						     const char *session_id)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node;
	xml_node_t *cred;
	char buf[400];
	char *status;
	char *free_account, *pw;

	free_account = db_get_osu_config_val(ctx, realm, "free_account");
	if (free_account == NULL)
		return NULL;
	pw = db_get_val(ctx, free_account, realm, "password", 0);
	if (pw == NULL) {
		free(free_account);
		return NULL;
	}

	cred = build_credential_pw(ctx, free_account, realm, pw);
	free(free_account);
	free(pw);
	if (!cred) {
		xml_node_free(ctx->xml, cred);
		return NULL;
	}

	status = "Remediation complete, request sppUpdateResponse";
	spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
						NULL);
	if (spp_node == NULL)
		return NULL;

	snprintf(buf, sizeof(buf),
		 "./Wi-Fi/%s/PerProviderSubscription/Credential1/Credential",
		 realm);

	if (add_update_node(ctx, spp_node, ns, buf, cred) < 0) {
		xml_node_free(ctx->xml, spp_node);
		return NULL;
	}

	hs20_eventlog_node(ctx, user, realm, session_id,
			   "free/public remediation", cred);
	xml_node_free(ctx->xml, cred);

	return spp_node;
}


static xml_node_t * hs20_user_input_complete(struct hs20_svc *ctx,
					     const char *user,
					     const char *realm, int dmacc,
					     const char *session_id)
{
	char *val;
	enum hs20_session_operation oper;

	val = db_get_session_val(ctx, user, realm, session_id, "operation");
	if (val == NULL) {
		debug_print(ctx, 1, "No session %s found to continue",
			    session_id);
		return NULL;
	}
	oper = atoi(val);
	free(val);

	if (oper == USER_REMEDIATION) {
		return hs20_user_input_remediation(ctx, user, realm, dmacc,
						   session_id);
	}

	if (oper == FREE_REMEDIATION) {
		return hs20_user_input_free_remediation(ctx, user, realm,
							session_id);
	}

	if (oper == SUBSCRIPTION_REGISTRATION) {
		return hs20_user_input_registration(ctx, session_id, 0);
	}

	debug_print(ctx, 1, "User session %s not in state for user input "
		    "completion", session_id);
	return NULL;
}


static xml_node_t * hs20_cert_enroll_completed(struct hs20_svc *ctx,
					       const char *user,
					       const char *realm, int dmacc,
					       const char *session_id)
{
	char *val;
	enum hs20_session_operation oper;

	val = db_get_session_val(ctx, user, realm, session_id, "operation");
	if (val == NULL) {
		debug_print(ctx, 1, "No session %s found to continue",
			    session_id);
		return NULL;
	}
	oper = atoi(val);
	free(val);

	if (oper == SUBSCRIPTION_REGISTRATION)
		return hs20_user_input_registration(ctx, session_id, 1);

	debug_print(ctx, 1, "User session %s not in state for certificate "
		    "enrollment completion", session_id);
	return NULL;
}


static xml_node_t * hs20_cert_enroll_failed(struct hs20_svc *ctx,
					    const char *user,
					    const char *realm, int dmacc,
					    const char *session_id)
{
	char *val;
	enum hs20_session_operation oper;
	xml_node_t *spp_node, *node;
	char *status;
	xml_namespace_t *ns;

	val = db_get_session_val(ctx, user, realm, session_id, "operation");
	if (val == NULL) {
		debug_print(ctx, 1, "No session %s found to continue",
			    session_id);
		return NULL;
	}
	oper = atoi(val);
	free(val);

	if (oper != SUBSCRIPTION_REGISTRATION) {
		debug_print(ctx, 1, "User session %s not in state for "
			    "enrollment failure", session_id);
		return NULL;
	}

	status = "Error occurred";
	spp_node = build_post_dev_data_response(ctx, &ns, session_id, status,
						NULL);
	if (spp_node == NULL)
		return NULL;
	node = xml_node_create(ctx->xml, spp_node, ns, "sppError");
	xml_node_add_attr(ctx->xml, node, NULL, "errorCode",
			  "Credentials cannot be provisioned at this time");
	db_remove_session(ctx, user, realm, session_id);

	return spp_node;
}


static xml_node_t * hs20_spp_post_dev_data(struct hs20_svc *ctx,
					   xml_node_t *node,
					   const char *user,
					   const char *realm,
					   const char *session_id,
					   int dmacc)
{
	const char *req_reason;
	char *redirect_uri = NULL;
	char *req_reason_buf = NULL;
	char str[200];
	xml_node_t *ret = NULL, *devinfo = NULL, *devdetail = NULL;
	xml_node_t *mo;
	char *version;
	int valid;
	char *supp, *pos;
	char *err;

	version = xml_node_get_attr_value_ns(ctx->xml, node, SPP_NS_URI,
					     "sppVersion");
	if (version == NULL || strstr(version, "1.0") == NULL) {
		ret = build_post_dev_data_response(
			ctx, NULL, session_id, "Error occurred",
			"SPP version not supported");
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "Unsupported sppVersion", ret);
		xml_node_get_attr_value_free(ctx->xml, version);
		return ret;
	}
	xml_node_get_attr_value_free(ctx->xml, version);

	mo = get_node(ctx->xml, node, "supportedMOList");
	if (mo == NULL) {
		ret = build_post_dev_data_response(
			ctx, NULL, session_id, "Error occurred",
			"Other");
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "No supportedMOList element", ret);
		return ret;
	}
	supp = xml_node_get_text(ctx->xml, mo);
	for (pos = supp; pos && *pos; pos++)
		*pos = tolower(*pos);
	if (supp == NULL ||
	    strstr(supp, URN_OMA_DM_DEVINFO) == NULL ||
	    strstr(supp, URN_OMA_DM_DEVDETAIL) == NULL ||
	    strstr(supp, URN_HS20_PPS) == NULL) {
		xml_node_get_text_free(ctx->xml, supp);
		ret = build_post_dev_data_response(
			ctx, NULL, session_id, "Error occurred",
			"One or more mandatory MOs not supported");
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "Unsupported MOs", ret);
		return ret;
	}
	xml_node_get_text_free(ctx->xml, supp);

	req_reason_buf = xml_node_get_attr_value(ctx->xml, node,
						 "requestReason");
	if (req_reason_buf == NULL) {
		debug_print(ctx, 1, "No requestReason attribute");
		return NULL;
	}
	req_reason = req_reason_buf;

	redirect_uri = xml_node_get_attr_value(ctx->xml, node, "redirectURI");

	debug_print(ctx, 1, "requestReason: %s  sessionID: %s  redirectURI: %s",
		    req_reason, session_id, redirect_uri);
	snprintf(str, sizeof(str), "sppPostDevData: requestReason=%s",
		 req_reason);
	hs20_eventlog(ctx, user, realm, session_id, str, NULL);

	devinfo = spp_get_mo(ctx, node, URN_OMA_DM_DEVINFO, &valid, &err);
	if (devinfo == NULL) {
		ret = build_post_dev_data_response(ctx, NULL, session_id,
						   "Error occurred", "Other");
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "No DevInfo moContainer in sppPostDevData",
				   ret);
		os_free(err);
		goto out;
	}

	hs20_eventlog_node(ctx, user, realm, session_id,
			   "Received DevInfo MO", devinfo);
	if (valid == 0) {
		hs20_eventlog(ctx, user, realm, session_id,
			      "OMA-DM DDF DTD validation errors in DevInfo MO",
			      err);
		ret = build_post_dev_data_response(ctx, NULL, session_id,
						   "Error occurred", "Other");
		os_free(err);
		goto out;
	}
	os_free(err);
	if (user)
		db_update_mo(ctx, user, realm, "devinfo", devinfo);

	devdetail = spp_get_mo(ctx, node, URN_OMA_DM_DEVDETAIL, &valid, &err);
	if (devdetail == NULL) {
		ret = build_post_dev_data_response(ctx, NULL, session_id,
						   "Error occurred", "Other");
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "No DevDetail moContainer in sppPostDevData",
				   ret);
		os_free(err);
		goto out;
	}

	hs20_eventlog_node(ctx, user, realm, session_id,
			   "Received DevDetail MO", devdetail);
	if (valid == 0) {
		hs20_eventlog(ctx, user, realm, session_id,
			      "OMA-DM DDF DTD validation errors "
			      "in DevDetail MO", err);
		ret = build_post_dev_data_response(ctx, NULL, session_id,
						   "Error occurred", "Other");
		os_free(err);
		goto out;
	}
	os_free(err);
	if (user)
		db_update_mo(ctx, user, realm, "devdetail", devdetail);

	if (user)
		mo = spp_get_mo(ctx, node, URN_HS20_PPS, &valid, &err);
	else {
		mo = NULL;
		err = NULL;
	}
	if (user && mo) {
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "Received PPS MO", mo);
		if (valid == 0) {
			hs20_eventlog(ctx, user, realm, session_id,
				      "OMA-DM DDF DTD validation errors "
				      "in PPS MO", err);
			xml_node_get_attr_value_free(ctx->xml, redirect_uri);
			os_free(err);
			return build_post_dev_data_response(
				ctx, NULL, session_id,
				"Error occurred", "Other");
		}
		db_update_mo(ctx, user, realm, "pps", mo);
		db_update_val(ctx, user, realm, "fetch_pps", "0", dmacc);
		xml_node_free(ctx->xml, mo);
	}
	os_free(err);

	if (user && !mo) {
		char *fetch;
		int fetch_pps;

		fetch = db_get_val(ctx, user, realm, "fetch_pps", dmacc);
		fetch_pps = fetch ? atoi(fetch) : 0;
		free(fetch);

		if (fetch_pps) {
			enum hs20_session_operation oper;
			if (strcasecmp(req_reason, "Subscription remediation")
			    == 0)
				oper = CONTINUE_SUBSCRIPTION_REMEDIATION;
			else if (strcasecmp(req_reason, "Policy update") == 0)
				oper = CONTINUE_POLICY_UPDATE;
			else
				oper = NO_OPERATION;
			if (db_add_session(ctx, user, realm, session_id, NULL,
					   NULL, oper) < 0)
				goto out;

			ret = spp_exec_upload_mo(ctx, session_id,
						 URN_HS20_PPS);
			hs20_eventlog_node(ctx, user, realm, session_id,
					   "request PPS MO upload",
					   ret);
			goto out;
		}
	}

	if (user && strcasecmp(req_reason, "MO upload") == 0) {
		char *val = db_get_session_val(ctx, user, realm, session_id,
					       "operation");
		enum hs20_session_operation oper;
		if (!val) {
			debug_print(ctx, 1, "No session %s found to continue",
				    session_id);
			goto out;
		}
		oper = atoi(val);
		free(val);
		if (oper == CONTINUE_SUBSCRIPTION_REMEDIATION)
			req_reason = "Subscription remediation";
		else if (oper == CONTINUE_POLICY_UPDATE)
			req_reason = "Policy update";
		else {
			debug_print(ctx, 1,
				    "No pending operation in session %s",
				    session_id);
			goto out;
		}
	}

	if (strcasecmp(req_reason, "Subscription registration") == 0) {
		ret = hs20_subscription_registration(ctx, realm, session_id,
						     redirect_uri);
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "subscription registration response",
				   ret);
		goto out;
	}
	if (user && strcasecmp(req_reason, "Subscription remediation") == 0) {
		ret = hs20_subscription_remediation(ctx, user, realm,
						    session_id, dmacc,
						    redirect_uri);
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "subscription remediation response",
				   ret);
		goto out;
	}
	if (user && strcasecmp(req_reason, "Policy update") == 0) {
		ret = hs20_policy_update(ctx, user, realm, session_id, dmacc);
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "policy update response",
				   ret);
		goto out;
	}

	if (strcasecmp(req_reason, "User input completed") == 0) {
		db_add_session_devinfo(ctx, session_id, devinfo);
		db_add_session_devdetail(ctx, session_id, devdetail);
		ret = hs20_user_input_complete(ctx, user, realm, dmacc,
					       session_id);
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "user input completed response", ret);
		goto out;
	}

	if (strcasecmp(req_reason, "Certificate enrollment completed") == 0) {
		ret = hs20_cert_enroll_completed(ctx, user, realm, dmacc,
						 session_id);
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "certificate enrollment response", ret);
		goto out;
	}

	if (strcasecmp(req_reason, "Certificate enrollment failed") == 0) {
		ret = hs20_cert_enroll_failed(ctx, user, realm, dmacc,
					      session_id);
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "certificate enrollment failed response",
				   ret);
		goto out;
	}

	debug_print(ctx, 1, "Unsupported requestReason '%s' user '%s'",
		    req_reason, user);
out:
	xml_node_get_attr_value_free(ctx->xml, req_reason_buf);
	xml_node_get_attr_value_free(ctx->xml, redirect_uri);
	if (devinfo)
		xml_node_free(ctx->xml, devinfo);
	if (devdetail)
		xml_node_free(ctx->xml, devdetail);
	return ret;
}


static xml_node_t * build_spp_exchange_complete(struct hs20_svc *ctx,
						const char *session_id,
						const char *status,
						const char *error_code)
{
	xml_namespace_t *ns;
	xml_node_t *spp_node, *node;

	spp_node = xml_node_create_root(ctx->xml, SPP_NS_URI, "spp", &ns,
					"sppExchangeComplete");


	xml_node_add_attr(ctx->xml, spp_node, ns, "sppVersion", "1.0");
	xml_node_add_attr(ctx->xml, spp_node, ns, "sessionID", session_id);
	xml_node_add_attr(ctx->xml, spp_node, ns, "sppStatus", status);

	if (error_code) {
		node = xml_node_create(ctx->xml, spp_node, ns, "sppError");
		xml_node_add_attr(ctx->xml, node, NULL, "errorCode",
				  error_code);
	}

	return spp_node;
}


static int add_subscription(struct hs20_svc *ctx, const char *session_id)
{
	char *user, *realm, *pw, *pw_mm, *pps, *str;
	char *sql;
	int ret = -1;
	char *free_account;
	int free_acc;
	char *type;
	int cert = 0;
	char *cert_pem, *fingerprint;

	user = db_get_session_val(ctx, NULL, NULL, session_id, "user");
	realm = db_get_session_val(ctx, NULL, NULL, session_id, "realm");
	pw = db_get_session_val(ctx, NULL, NULL, session_id, "password");
	pw_mm = db_get_session_val(ctx, NULL, NULL, session_id,
				   "machine_managed");
	pps = db_get_session_val(ctx, NULL, NULL, session_id, "pps");
	cert_pem = db_get_session_val(ctx, NULL, NULL, session_id, "cert_pem");
	fingerprint = db_get_session_val(ctx, NULL, NULL, session_id, "cert");
	type = db_get_session_val(ctx, NULL, NULL, session_id, "type");
	if (type && strcmp(type, "cert") == 0)
		cert = 1;
	free(type);

	if (!user || !realm || !pw) {
		debug_print(ctx, 1, "Could not find session info from DB for "
			    "the new subscription");
		goto out;
	}

	free_account = db_get_osu_config_val(ctx, realm, "free_account");
	free_acc = free_account && strcmp(free_account, user) == 0;
	free(free_account);

	debug_print(ctx, 1,
		    "New subscription: user='%s' realm='%s' free_acc=%d",
		    user, realm, free_acc);
	debug_print(ctx, 1, "New subscription: pps='%s'", pps);

	sql = sqlite3_mprintf("UPDATE eventlog SET user=%Q, realm=%Q WHERE "
			      "sessionid=%Q AND (user='' OR user IS NULL)",
			      user, realm, session_id);
	if (sql) {
		debug_print(ctx, 1, "DB: %s", sql);
		if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
			debug_print(ctx, 1, "Failed to update eventlog in "
				    "sqlite database: %s",
				    sqlite3_errmsg(ctx->db));
		}
		sqlite3_free(sql);
	}

	if (free_acc) {
		hs20_eventlog(ctx, user, realm, session_id,
			      "completed shared free account registration",
			      NULL);
		ret = 0;
		goto out;
	}

	sql = sqlite3_mprintf("INSERT INTO users(identity,realm,phase2,"
			      "methods,cert,cert_pem,machine_managed) VALUES "
			      "(%Q,%Q,1,%Q,%Q,%Q,%d)",
			      user, realm, cert ? "TLS" : "TTLS-MSCHAPV2",
			      fingerprint ? fingerprint : "",
			      cert_pem ? cert_pem : "",
			      pw_mm && atoi(pw_mm) ? 1 : 0);
	if (sql == NULL)
		goto out;
	debug_print(ctx, 1, "DB: %s", sql);
	if (sqlite3_exec(ctx->db, sql, NULL, NULL, NULL) != SQLITE_OK) {
		debug_print(ctx, 1, "Failed to add user in sqlite database: %s",
			    sqlite3_errmsg(ctx->db));
		sqlite3_free(sql);
		goto out;
	}
	sqlite3_free(sql);

	if (cert)
		ret = 0;
	else
		ret = update_password(ctx, user, realm, pw, 0);
	if (ret < 0) {
		sql = sqlite3_mprintf("DELETE FROM users WHERE identity=%Q AND "
				      "realm=%Q AND phase2=1",
				      user, realm);
		if (sql) {
			debug_print(ctx, 1, "DB: %s", sql);
			sqlite3_exec(ctx->db, sql, NULL, NULL, NULL);
			sqlite3_free(sql);
		}
	}

	if (pps)
		db_update_mo_str(ctx, user, realm, "pps", pps);

	str = db_get_session_val(ctx, NULL, NULL, session_id, "devinfo");
	if (str) {
		db_update_mo_str(ctx, user, realm, "devinfo", str);
		free(str);
	}

	str = db_get_session_val(ctx, NULL, NULL, session_id, "devdetail");
	if (str) {
		db_update_mo_str(ctx, user, realm, "devdetail", str);
		free(str);
	}

	if (ret == 0) {
		hs20_eventlog(ctx, user, realm, session_id,
			      "completed subscription registration", NULL);
	}

out:
	free(user);
	free(realm);
	free(pw);
	free(pw_mm);
	free(pps);
	free(cert_pem);
	free(fingerprint);
	return ret;
}


static xml_node_t * hs20_spp_update_response(struct hs20_svc *ctx,
					     xml_node_t *node,
					     const char *user,
					     const char *realm,
					     const char *session_id,
					     int dmacc)
{
	char *status;
	xml_node_t *ret;
	char *val;
	enum hs20_session_operation oper;

	status = xml_node_get_attr_value_ns(ctx->xml, node, SPP_NS_URI,
					    "sppStatus");
	if (status == NULL) {
		debug_print(ctx, 1, "No sppStatus attribute");
		return NULL;
	}

	debug_print(ctx, 1, "sppUpdateResponse: sppStatus: %s  sessionID: %s",
		    status, session_id);

	val = db_get_session_val(ctx, user, realm, session_id, "operation");
	if (!val) {
		debug_print(ctx, 1,
			    "No session active for user: %s  sessionID: %s",
			    user, session_id);
		oper = NO_OPERATION;
	} else
		oper = atoi(val);

	if (strcasecmp(status, "OK") == 0) {
		char *new_pw = NULL;

		xml_node_get_attr_value_free(ctx->xml, status);

		if (oper == USER_REMEDIATION) {
			new_pw = db_get_session_val(ctx, user, realm,
						    session_id, "password");
			if (new_pw == NULL || strlen(new_pw) == 0) {
				free(new_pw);
				ret = build_spp_exchange_complete(
					ctx, session_id, "Error occurred",
					"Other");
				hs20_eventlog_node(ctx, user, realm,
						   session_id, "No password "
						   "had been assigned for "
						   "session", ret);
				db_remove_session(ctx, user, realm, session_id);
				return ret;
			}
			oper = UPDATE_PASSWORD;
		}
		if (oper == UPDATE_PASSWORD) {
			if (!new_pw) {
				new_pw = db_get_session_val(ctx, user, realm,
							    session_id,
							    "password");
				if (!new_pw) {
					db_remove_session(ctx, user, realm,
							  session_id);
					return NULL;
				}
			}
			debug_print(ctx, 1, "Update user '%s' password in DB",
				    user);
			if (update_password(ctx, user, realm, new_pw, dmacc) <
			    0) {
				debug_print(ctx, 1, "Failed to update user "
					    "'%s' password in DB", user);
				ret = build_spp_exchange_complete(
					ctx, session_id, "Error occurred",
					"Other");
				hs20_eventlog_node(ctx, user, realm,
						   session_id, "Failed to "
						   "update database", ret);
				db_remove_session(ctx, user, realm, session_id);
				return ret;
			}
			hs20_eventlog(ctx, user, realm,
				      session_id, "Updated user password "
				      "in database", NULL);
		}
		if (oper == SUBSCRIPTION_REGISTRATION) {
			if (add_subscription(ctx, session_id) < 0) {
				debug_print(ctx, 1, "Failed to add "
					    "subscription into DB");
				ret = build_spp_exchange_complete(
					ctx, session_id, "Error occurred",
					"Other");
				hs20_eventlog_node(ctx, user, realm,
						   session_id, "Failed to "
						   "update database", ret);
				db_remove_session(ctx, user, realm, session_id);
				return ret;
			}
		}
		if (oper == POLICY_REMEDIATION || oper == POLICY_UPDATE) {
			char *val;
			val = db_get_val(ctx, user, realm, "remediation",
					 dmacc);
			if (val && strcmp(val, "policy") == 0)
				db_update_val(ctx, user, realm, "remediation",
					      "", dmacc);
			free(val);
		}
		ret = build_spp_exchange_complete(
			ctx, session_id,
			"Exchange complete, release TLS connection", NULL);
		hs20_eventlog_node(ctx, user, realm, session_id,
				   "Exchange completed", ret);
		db_remove_session(ctx, user, realm, session_id);
		return ret;
	}

	ret = build_spp_exchange_complete(ctx, session_id, "Error occurred",
					  "Other");
	hs20_eventlog_node(ctx, user, realm, session_id, "Error occurred", ret);
	db_remove_session(ctx, user, realm, session_id);
	xml_node_get_attr_value_free(ctx->xml, status);
	return ret;
}


#define SPP_SESSION_ID_LEN 16

static char * gen_spp_session_id(void)
{
	FILE *f;
	int i;
	char *session;

	session = os_malloc(SPP_SESSION_ID_LEN * 2 + 1);
	if (session == NULL)
		return NULL;

	f = fopen("/dev/urandom", "r");
	if (f == NULL) {
		os_free(session);
		return NULL;
	}
	for (i = 0; i < SPP_SESSION_ID_LEN; i++)
		os_snprintf(session + i * 2, 3, "%02x", fgetc(f));

	fclose(f);
	return session;
}

xml_node_t * hs20_spp_server_process(struct hs20_svc *ctx, xml_node_t *node,
				     const char *auth_user,
				     const char *auth_realm, int dmacc)
{
	xml_node_t *ret = NULL;
	char *session_id;
	const char *op_name;
	char *xml_err;
	char fname[200];

	debug_dump_node(ctx, "received request", node);

	if (!dmacc && auth_user && auth_realm) {
		char *real;
		real = db_get_val(ctx, auth_user, auth_realm, "identity", 0);
		if (!real) {
			real = db_get_val(ctx, auth_user, auth_realm,
					  "identity", 1);
			if (real)
				dmacc = 1;
		}
		os_free(real);
	}

	snprintf(fname, sizeof(fname), "%s/spp/spp.xsd", ctx->root_dir);
	if (xml_validate(ctx->xml, node, fname, &xml_err) < 0) {
		/*
		 * We may not be able to extract the sessionID from invalid
		 * input, but well, we can try.
		 */
		session_id = xml_node_get_attr_value_ns(ctx->xml, node,
							SPP_NS_URI,
							"sessionID");
		debug_print(ctx, 1,
			    "SPP message failed validation, xsd file: %s  xml-error: %s",
			    fname, xml_err);
		hs20_eventlog_node(ctx, auth_user, auth_realm, session_id,
				   "SPP message failed validation", node);
		hs20_eventlog(ctx, auth_user, auth_realm, session_id,
			      "Validation errors", xml_err);
		os_free(xml_err);
		xml_node_get_attr_value_free(ctx->xml, session_id);
		/* TODO: what to return here? */
		ret = xml_node_create_root(ctx->xml, NULL, NULL, NULL,
					   "SppValidationError");
		return ret;
	}

	session_id = xml_node_get_attr_value_ns(ctx->xml, node, SPP_NS_URI,
						"sessionID");
	if (session_id) {
		char *tmp;
		debug_print(ctx, 1, "Received sessionID %s", session_id);
		tmp = os_strdup(session_id);
		xml_node_get_attr_value_free(ctx->xml, session_id);
		if (tmp == NULL)
			return NULL;
		session_id = tmp;
	} else {
		session_id = gen_spp_session_id();
		if (session_id == NULL) {
			debug_print(ctx, 1, "Failed to generate sessionID");
			return NULL;
		}
		debug_print(ctx, 1, "Generated sessionID %s", session_id);
	}

	op_name = xml_node_get_localname(ctx->xml, node);
	if (op_name == NULL) {
		debug_print(ctx, 1, "Could not get op_name");
		return NULL;
	}

	if (strcmp(op_name, "sppPostDevData") == 0) {
		hs20_eventlog_node(ctx, auth_user, auth_realm, session_id,
				   "sppPostDevData received and validated",
				   node);
		ret = hs20_spp_post_dev_data(ctx, node, auth_user, auth_realm,
					     session_id, dmacc);
	} else if (strcmp(op_name, "sppUpdateResponse") == 0) {
		hs20_eventlog_node(ctx, auth_user, auth_realm, session_id,
				   "sppUpdateResponse received and validated",
				   node);
		ret = hs20_spp_update_response(ctx, node, auth_user,
					       auth_realm, session_id, dmacc);
	} else {
		hs20_eventlog_node(ctx, auth_user, auth_realm, session_id,
				   "Unsupported SPP message received and "
				   "validated", node);
		debug_print(ctx, 1, "Unsupported operation '%s'", op_name);
		/* TODO: what to return here? */
		ret = xml_node_create_root(ctx->xml, NULL, NULL, NULL,
					   "SppUnknownCommandError");
	}
	os_free(session_id);

	if (ret == NULL) {
		/* TODO: what to return here? */
		ret = xml_node_create_root(ctx->xml, NULL, NULL, NULL,
					   "SppInternalError");
	}

	return ret;
}


int hs20_spp_server_init(struct hs20_svc *ctx)
{
	char fname[200];
	ctx->db = NULL;
	snprintf(fname, sizeof(fname), "%s/AS/DB/eap_user.db", ctx->root_dir);
	if (sqlite3_open(fname, &ctx->db)) {
		printf("Failed to open sqlite database: %s\n",
		       sqlite3_errmsg(ctx->db));
		sqlite3_close(ctx->db);
		return -1;
	}

	return 0;
}


void hs20_spp_server_deinit(struct hs20_svc *ctx)
{
	sqlite3_close(ctx->db);
	ctx->db = NULL;
}