hs20-osu-client: Validate HTTPS server certificate by default (browser)

This changes "hs20-osu-client browser <URL>" behavior to validate the HTTPS server certificate against the system trust roots. The new command line argument -T can be used to disable this validation. This does not change behavior for SPP/OMA-DM triggered OSU operation, i.e., they continue to not mandate server certificate validation for now to avoid breaking existing test cases. Signed-off-by: Jouni Malinen <j@w1.fi>
4 years ago · e33a0eecec
parent 61bf9819c1
commit e33a0eecec
2 changed files with 8 additions and 3 deletions
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@ -3152,7 +3152,7 @@ static void check_workarounds(struct hs20_osu_client *ctx)

 static void usage(void)
 {
-	printf("usage: hs20-osu-client [-dddqqKt] [-S<station ifname>] \\\n"
+	printf("usage: hs20-osu-client [-dddqqKtT] [-S<station ifname>] \\\n"
 	       "    [-w<wpa_supplicant ctrl_iface dir>] "
 	       "[-r<result file>] [-f<debug file>] \\\n"
 	       "    [-s<summary file>] \\\n"
@ -3198,7 +3198,7 @@ int main(int argc, char *argv[])
 		return -1;

 	for (;;) {
-		c = getopt(argc, argv, "df:hKNo:O:qr:s:S:tw:x:");
+		c = getopt(argc, argv, "df:hKNo:O:qr:s:S:tTw:x:");
 		if (c < 0)
 			break;
 		switch (c) {
@ -3236,6 +3236,9 @@ int main(int argc, char *argv[])
 		case 't':
 			wpa_debug_timestamp++;
 			break;
+		case 'T':
+			ctx.ignore_tls = 1;
+			break;
 		case 'w':
 			wpas_ctrl_path = optarg;
 			break;
@ -3403,7 +3406,7 @@ int main(int argc, char *argv[])

 		wpa_printf(MSG_INFO, "Launch web browser to URL %s",
 			   argv[optind + 1]);
-		ret = hs20_web_browser(argv[optind + 1], 1);
+		ret = hs20_web_browser(argv[optind + 1], ctx.ignore_tls);
 		wpa_printf(MSG_INFO, "Web browser result: %d", ret);
 	} else if (strcmp(argv[optind], "parse_cert") == 0) {
 		if (argc - optind < 2) {
--- a/hs20/client/osu_client.h
+++ b/hs20/client/osu_client.h
@ -50,6 +50,8 @@ struct hs20_osu_client {
 	const char *osu_ssid; /* Enforced OSU_SSID for testing purposes */
 #define WORKAROUND_OCSP_OPTIONAL 0x00000001
 	unsigned long int workarounds;
+	int ignore_tls; /* whether to ignore TLS validation issues with HTTPS
+			 * server certificate */
 };