hs20_web_browser() to allow TLS server validation to be enabled

hs20_web_browser() was previously hardcoded to not perform strict TLS server validation. Add an argument to this function to allow that behavior to be configured. The hs20-osu-client users are still using the old behavior, i.e., not validating server certificates, to be usable for testing purposes. Signed-off-by: Jouni Malinen <j@w1.fi>
2020-02-16 17:28:58 +02:00 · 2020-02-16 17:28:58 +02:00 · 61bf9819c1
commit 61bf9819c1
parent 921ea4962e
8 changed files with 19 additions and 15 deletions
--- a/hs20/client/oma_dm_client.c
+++ b/hs20/client/oma_dm_client.c
@ -407,7 +407,7 @@ static int oma_dm_exec_browser(struct hs20_osu_client *ctx, xml_node_t *exec)
 	wpa_printf(MSG_INFO, "Data: %s", data);
 	wpa_printf(MSG_INFO, "Launch browser to URI '%s'", data);
 	write_summary(ctx, "Launch browser to URI '%s'", data);
-	res = hs20_web_browser(data);
+	res = hs20_web_browser(data, 1);
 	xml_node_get_text_free(ctx->xml, data);
 	if (res > 0) {
 		wpa_printf(MSG_INFO, "User response in browser completed successfully");
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@ -2406,7 +2406,7 @@ static int cmd_osu_select(struct hs20_osu_client *ctx, const char *dir,
 	snprintf(fname, sizeof(fname), "file://%s/osu-providers.html", dir);
 	write_summary(ctx, "Start web browser with OSU provider selection page");
-	ret = hs20_web_browser(fname);
+	ret = hs20_web_browser(fname, 0);
 selected:
 	if (ret > 0 && (size_t) ret <= osu_count) {
@ -3403,7 +3403,7 @@ int main(int argc, char *argv[])
 		wpa_printf(MSG_INFO, "Launch web browser to URL %s",
 			   argv[optind + 1]);
-		ret = hs20_web_browser(argv[optind + 1]);
+		ret = hs20_web_browser(argv[optind + 1], 1);
 		wpa_printf(MSG_INFO, "Web browser result: %d", ret);
 	} else if (strcmp(argv[optind], "parse_cert") == 0) {
 		if (argc - optind < 2) {
--- a/hs20/client/spp_client.c
+++ b/hs20/client/spp_client.c
@ -547,7 +547,7 @@ static int hs20_spp_exec(struct hs20_osu_client *ctx, xml_node_t *exec,
 		}
 		wpa_printf(MSG_INFO, "Launch browser to URI '%s'", uri);
 		write_summary(ctx, "Launch browser to URI '%s'", uri);
-		res = hs20_web_browser(uri);
+		res = hs20_web_browser(uri, 1);
 		xml_node_get_text_free(ctx->xml, uri);
 		if (res > 0) {
 			wpa_printf(MSG_INFO, "User response in browser completed successfully - sessionid='%s'",
--- a/src/utils/browser-android.c
+++ b/src/utils/browser-android.c
@ -62,7 +62,7 @@ static void http_req(void *ctx, struct http_request *req)
 }
-int hs20_web_browser(const char *url)
+int hs20_web_browser(const char *url, int ignore_tls)
 {
 	struct http_server *http;
 	struct in_addr addr;
--- a/src/utils/browser-system.c
+++ b/src/utils/browser-system.c
@ -62,7 +62,7 @@ static void http_req(void *ctx, struct http_request *req)
 }
-int hs20_web_browser(const char *url)
+int hs20_web_browser(const char *url, int ignore_tls)
 {
 	struct http_server *http;
 	struct in_addr addr;
--- a/src/utils/browser-wpadebug.c
+++ b/src/utils/browser-wpadebug.c
@ -63,7 +63,7 @@ static void http_req(void *ctx, struct http_request *req)
 }
-int hs20_web_browser(const char *url)
+int hs20_web_browser(const char *url, int ignore_tls)
 {
 	struct http_server *http;
 	struct in_addr addr;
--- a/src/utils/browser.c
+++ b/src/utils/browser.c
@ -207,13 +207,12 @@ static void view_cb_title_changed(WebKitWebView *view, WebKitWebFrame *frame,
 #endif /* USE_WEBKIT2 */
-int hs20_web_browser(const char *url)
+int hs20_web_browser(const char *url, int ignore_tls)
 {
 	GtkWidget *scroll;
 	WebKitWebView *view;
 #ifdef USE_WEBKIT2
 	WebKitSettings *settings;
 	WebKitWebContext *wkctx;
 #else /* USE_WEBKIT2 */
 	WebKitWebSettings *settings;
 	SoupSession *s;
@ -228,7 +227,8 @@ int hs20_web_browser(const char *url)
 	s = webkit_get_default_session();
 	g_object_set(G_OBJECT(s), "ssl-ca-file",
 		     "/etc/ssl/certs/ca-certificates.crt", NULL);
-	g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
+	if (ignore_tls)
 		g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
 #endif /* USE_WEBKIT2 */
 	ctx.win = gtk_window_new(GTK_WINDOW_TOPLEVEL);
@ -286,9 +286,13 @@ int hs20_web_browser(const char *url)
 	g_object_set(G_OBJECT(settings), "auto-load-images", TRUE, NULL);
 #ifdef USE_WEBKIT2
-	wkctx = webkit_web_context_get_default();
+	if (ignore_tls) {
-	webkit_web_context_set_tls_errors_policy(
+		WebKitWebContext *wkctx;
-		wkctx, WEBKIT_TLS_ERRORS_POLICY_IGNORE);
+
 		wkctx = webkit_web_context_get_default();
 		webkit_web_context_set_tls_errors_policy(
 			wkctx, WEBKIT_TLS_ERRORS_POLICY_IGNORE);
 	}
 #endif /* USE_WEBKIT2 */
 	webkit_web_view_load_uri(view, url);
--- a/src/utils/browser.h
+++ b/src/utils/browser.h
@ -10,12 +10,12 @@
 #define BROWSER_H
 #ifdef CONFIG_NO_BROWSER
-static inline int hs20_web_browser(const char *url)
+static inline int hs20_web_browser(const char *url, int ignore_tls)
 {
 	return -1;
 }
 #else /* CONFIG_NO_BROWSER */
-int hs20_web_browser(const char *url);
+int hs20_web_browser(const char *url, int ignore_tls);
 #endif /* CONFIG_NO_BROWSER */
 #endif /* BROWSER_H */