hs20-osu-client: Validate HTTPS server certificate by default (browser)

This changes "hs20-osu-client browser <URL>" behavior to validate the
HTTPS server certificate against the system trust roots. The new command
line argument -T can be used to disable this validation.

This does not change behavior for SPP/OMA-DM triggered OSU operation,
i.e., they continue to not mandate server certificate validation for now
to avoid breaking existing test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2020-02-16 17:33:58 +02:00
parent 61bf9819c1
commit e33a0eecec
2 changed files with 8 additions and 3 deletions


@ -3152,7 +3152,7 @@ static void check_workarounds(struct hs20_osu_client *ctx)
static void usage(void) static void usage(void)
{ {
printf("usage: hs20-osu-client [-dddqqKt] [-S<station ifname>] \\\n" printf("usage: hs20-osu-client [-dddqqKtT] [-S<station ifname>] \\\n"
" [-w<wpa_supplicant ctrl_iface dir>] " " [-w<wpa_supplicant ctrl_iface dir>] "
"[-r<result file>] [-f<debug file>] \\\n" "[-r<result file>] [-f<debug file>] \\\n"
" [-s<summary file>] \\\n" " [-s<summary file>] \\\n"
@ -3198,7 +3198,7 @@ int main(int argc, char *argv[])
return -1; return -1;
for (;;) { for (;;) {
c = getopt(argc, argv, "df:hKNo:O:qr:s:S:tw:x:"); c = getopt(argc, argv, "df:hKNo:O:qr:s:S:tTw:x:");
if (c < 0) if (c < 0)
break; break;
switch (c) { switch (c) {
@ -3236,6 +3236,9 @@ int main(int argc, char *argv[])
case 't': case 't':
wpa_debug_timestamp++; wpa_debug_timestamp++;
break; break;
case 'T':
ctx.ignore_tls = 1;
break;
case 'w': case 'w':
wpas_ctrl_path = optarg; wpas_ctrl_path = optarg;
break; break;
@ -3403,7 +3406,7 @@ int main(int argc, char *argv[])
wpa_printf(MSG_INFO, "Launch web browser to URL %s", wpa_printf(MSG_INFO, "Launch web browser to URL %s",
argv[optind + 1]); argv[optind + 1]);
ret = hs20_web_browser(argv[optind + 1], 1); ret = hs20_web_browser(argv[optind + 1], ctx.ignore_tls);
wpa_printf(MSG_INFO, "Web browser result: %d", ret); wpa_printf(MSG_INFO, "Web browser result: %d", ret);
} else if (strcmp(argv[optind], "parse_cert") == 0) { } else if (strcmp(argv[optind], "parse_cert") == 0) {
if (argc - optind < 2) { if (argc - optind < 2) {
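Review bot: The new `case 'T'` sets `ctx.ignore_tls = 1` without any trace in the log; since this switches off HTTPS server certificate validation, a run with validation disabled should be distinguishable from a normal one, e.g. `wpa_printf(MSG_INFO, "TLS server certificate validation disabled (-T)");` before the `break`. The browser call at the end now passes `ctx.ignore_tls` where the literal `1` used to be, so "validate by default" depends on `ctx` having been zero-initialized before option parsing; that initialization is outside these hunks, so it is worth confirming (e.g. an `os_memset(&ctx, 0, sizeof(ctx))` near the top of main). The usage() hunk only adds `T` to the option letters; if the usage text that follows does not describe it, a line such as `-T: do not validate HTTPS server certificate (browser command)` belongs there. main() starts and ends outside these hunks.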


@ -50,6 +50,8 @@ struct hs20_osu_client {
const char *osu_ssid; /* Enforced OSU_SSID for testing purposes */ const char *osu_ssid; /* Enforced OSU_SSID for testing purposes */
#define WORKAROUND_OCSP_OPTIONAL 0x00000001 #define WORKAROUND_OCSP_OPTIONAL 0x00000001
unsigned long int workarounds; unsigned long int workarounds;
int ignore_tls; /* whether to ignore TLS validation issues with HTTPS
* server certificate */
}; };
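Review bot: The comment on the new `ignore_tls` field says what it disables but not its default or where it is honored; per the commit description only the `browser` command consults it while the SPP/OMA-DM paths keep their previous behavior, and a reader of the header cannot tell that from the field alone. I would write it as `int ignore_tls; /* nonzero: skip HTTPS server certificate validation (-T); 0 = validate against system trust roots; currently consulted only by the browser command */`. The struct definition starts before this hunk.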