From 61bf9819c1b6f88807b1cc7bb77e1614e798a939 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Sun, 16 Feb 2020 17:28:58 +0200
Subject: [PATCH] hs20_web_browser() to allow TLS server validation to be enabled

hs20_web_browser() was previously hardcoded to not perform strict TLS server validation. Add an argument to this function to allow that behavior to be configured. The hs20-osu-client users are still using the old behavior, i.e., not validating server certificates, to be usable for testing purposes.

Signed-off-by: Jouni Malinen
---
 hs20/client/oma_dm_client.c | 2 +-
 hs20/client/osu_client.c | 4 ++--
 hs20/client/spp_client.c | 2 +-
 src/utils/browser-android.c | 2 +-
 src/utils/browser-system.c | 2 +-
 src/utils/browser-wpadebug.c | 2 +-
 src/utils/browser.c | 16 ++++++++++------
 src/utils/browser.h | 4 ++--
 8 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/hs20/client/oma_dm_client.c b/hs20/client/oma_dm_client.c
index d75c84562..bcd68b877 100644
--- a/hs20/client/oma_dm_client.c
+++ b/hs20/client/oma_dm_client.c
@@ -407,7 +407,7 @@ static int oma_dm_exec_browser(struct hs20_osu_client *ctx, xml_node_t *exec)
 wpa_printf(MSG_INFO, "Data: %s", data);
 wpa_printf(MSG_INFO, "Launch browser to URI '%s'", data);
 write_summary(ctx, "Launch browser to URI '%s'", data);
- res = hs20_web_browser(data);
+ res = hs20_web_browser(data, 1);
 xml_node_get_text_free(ctx->xml, data);
 if (res > 0) {
 wpa_printf(MSG_INFO, "User response in browser completed successfully");
diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index a94f40c51..b9849cad5 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
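Review bot: The bare `1` in `res = hs20_web_browser(data, 1);` turns off TLS server certificate validation for the OMA-DM browser step with nothing at the call site saying so; the commit message explains it is a testing convenience, but the next reader of this line will not see that. I would put a comment above the call, `/* TODO: strict TLS validation disabled for hs20-osu-client test use; see commit 61bf981 */`, or better, replace the literal at the three call sites that pass 1 (here, spp_client.c and the `browser` command in osu_client.c) with one ctx-level or file-level flag so it can be flipped in a single place. Whether ctx already carries a suitable field is not visible in this hunk. oma_dm_exec_browser() starts and ends outside the hunk.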
@@ -2406,7 +2406,7 @@ static int cmd_osu_select(struct hs20_osu_client *ctx, const char *dir,
 snprintf(fname, sizeof(fname), "file://%s/osu-providers.html", dir);
 write_summary(ctx, "Start web browser with OSU provider selection page");
- ret = hs20_web_browser(fname);
+ ret = hs20_web_browser(fname, 0);
 selected:
 if (ret > 0 && (size_t) ret <= osu_count) {
@@ -3403,7 +3403,7 @@ int main(int argc, char *argv[])
 wpa_printf(MSG_INFO, "Launch web browser to URL %s", argv[optind + 1]);
- ret = hs20_web_browser(argv[optind + 1]);
+ ret = hs20_web_browser(argv[optind + 1], 1);
 wpa_printf(MSG_INFO, "Web browser result: %d", ret);
 } else if (strcmp(argv[optind], "parse_cert") == 0) {
 if (argc - optind < 2) {
diff --git a/hs20/client/spp_client.c b/hs20/client/spp_client.c
index c619541ae..39d10e036 100644
--- a/hs20/client/spp_client.c
+++ b/hs20/client/spp_client.c
@@ -547,7 +547,7 @@ static int hs20_spp_exec(struct hs20_osu_client *ctx, xml_node_t *exec,
 }
 wpa_printf(MSG_INFO, "Launch browser to URI '%s'", uri);
 write_summary(ctx, "Launch browser to URI '%s'", uri);
- res = hs20_web_browser(uri);
+ res = hs20_web_browser(uri, 1);
 xml_node_get_text_free(ctx->xml, uri);
 if (res > 0) {
 wpa_printf(MSG_INFO, "User response in browser completed successfully - sessionid='%s'",
diff --git a/src/utils/browser-android.c b/src/utils/browser-android.c
index 71a165269..26c83d630 100644
--- a/src/utils/browser-android.c
+++ b/src/utils/browser-android.c
@@ -62,7 +62,7 @@ static void http_req(void *ctx, struct http_request *req)
 }
-int hs20_web_browser(const char *url)
+int hs20_web_browser(const char *url, int ignore_tls)
 {
 struct http_server *http;
 struct in_addr addr;
diff --git a/src/utils/browser-system.c b/src/utils/browser-system.c
index aed39706c..d87d97b5a 100644
--- a/src/utils/browser-system.c
+++ b/src/utils/browser-system.c
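Review bot: `ignore_tls` is added to the Android `hs20_web_browser()` signature, but per the diffstat (`browser-android.c | 2 +-`) nothing else in the file changes, so the flag is accepted and silently ignored: a caller passing 0 gets whatever TLS policy the external browser applies, not a guarantee of strict validation. The same shape appears for browser-system.c and browser-wpadebug.c in this patch. I would make that explicit and keep -Wunused-parameter quiet with `(void) ignore_tls; /* TLS policy is decided by the external browser, not by this flag */` at the top of the body, and state in the header that only the built-in WebKit browser honours the argument. The function body continues outside the hunk.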
@@ -62,7 +62,7 @@ static void http_req(void *ctx, struct http_request *req)
 }
-int hs20_web_browser(const char *url)
+int hs20_web_browser(const char *url, int ignore_tls)
 {
 struct http_server *http;
 struct in_addr addr;
diff --git a/src/utils/browser-wpadebug.c b/src/utils/browser-wpadebug.c
index dfb4b6797..d32a85bdf 100644
--- a/src/utils/browser-wpadebug.c
+++ b/src/utils/browser-wpadebug.c
@@ -63,7 +63,7 @@ static void http_req(void *ctx, struct http_request *req)
 }
-int hs20_web_browser(const char *url)
+int hs20_web_browser(const char *url, int ignore_tls)
 {
 struct http_server *http;
 struct in_addr addr;
diff --git a/src/utils/browser.c b/src/utils/browser.c
index 504523625..6d59cf740 100644
--- a/src/utils/browser.c
+++ b/src/utils/browser.c
@@ -207,13 +207,12 @@ static void view_cb_title_changed(WebKitWebView *view, WebKitWebFrame *frame,
 #endif /* USE_WEBKIT2 */
-int hs20_web_browser(const char *url)
+int hs20_web_browser(const char *url, int ignore_tls)
 {
 GtkWidget *scroll;
 WebKitWebView *view;
 #ifdef USE_WEBKIT2
 WebKitSettings *settings;
- WebKitWebContext *wkctx;
 #else /* USE_WEBKIT2 */
 WebKitWebSettings *settings;
 SoupSession *s;
@@ -228,7 +227,8 @@ int hs20_web_browser(const char *url)
 s = webkit_get_default_session();
 g_object_set(G_OBJECT(s), "ssl-ca-file", "/etc/ssl/certs/ca-certificates.crt", NULL);
- g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
+ if (ignore_tls)
+ g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
 #endif /* USE_WEBKIT2 */
 ctx.win = gtk_window_new(GTK_WINDOW_TOPLEVEL);
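Review bot: With `ignore_tls == 0` the WebKit1 path in the `@@ -228,7` hunk now leaves `ssl-strict` at the SoupSession default instead of setting it, so strict validation is only as good as the installed libsoup's default, which as far as I recall has not been TRUE in every version. Setting the property both ways makes the caller's choice authoritative: replace the two added lines with `g_object_set(G_OBJECT(s), "ssl-strict", ignore_tls ? FALSE : TRUE, NULL);`. The hard-coded `ssl-ca-file` path on the previous line is unchanged by this patch and appears to apply only to this non-WebKit2 branch. hs20_web_browser() continues past the hunk.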
@@ -286,9 +286,13 @@ int hs20_web_browser(const char *url)
 g_object_set(G_OBJECT(settings), "auto-load-images", TRUE, NULL);
 #ifdef USE_WEBKIT2
- wkctx = webkit_web_context_get_default();
- webkit_web_context_set_tls_errors_policy(
- wkctx, WEBKIT_TLS_ERRORS_POLICY_IGNORE);
+ if (ignore_tls) {
+ WebKitWebContext *wkctx;
+
+ wkctx = webkit_web_context_get_default();
+ webkit_web_context_set_tls_errors_policy(
+ wkctx, WEBKIT_TLS_ERRORS_POLICY_IGNORE);
+ }
 #endif /* USE_WEBKIT2 */
 webkit_web_view_load_uri(view, url);
diff --git a/src/utils/browser.h b/src/utils/browser.h
index aaa0eed26..3af13b9a1 100644
--- a/src/utils/browser.h
+++ b/src/utils/browser.h
@@ -10,12 +10,12 @@
 #define BROWSER_H
 #ifdef CONFIG_NO_BROWSER
-static inline int hs20_web_browser(const char *url)
+static inline int hs20_web_browser(const char *url, int ignore_tls)
 {
 return -1;
 }
 #else /* CONFIG_NO_BROWSER */
-int hs20_web_browser(const char *url);
+int hs20_web_browser(const char *url, int ignore_tls);
 #endif /* CONFIG_NO_BROWSER */
 #endif /* BROWSER_H */
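Review bot: The WebKit2 path only sets the TLS errors policy when `ignore_tls` is non-zero; when it is 0 the default context keeps whatever policy it already has, so strict behaviour depends on the WebKitGTK default rather than on this code. Because `webkit_web_context_get_default()` returns the process-global context, I would set the policy unconditionally: keep the `WebKitWebContext *wkctx;` declaration, then `wkctx = webkit_web_context_get_default();` and `webkit_web_context_set_tls_errors_policy(wkctx, ignore_tls ? WEBKIT_TLS_ERRORS_POLICY_IGNORE : WEBKIT_TLS_ERRORS_POLICY_FAIL);`, dropping the `if`. hs20_web_browser() continues outside the hunk.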
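Review bot: The new `ignore_tls` parameter is undocumented in browser.h, and since its effect is backend-specific this header is the place to say so. I would add above the prototype a comment in the project's style, `/* hs20_web_browser - Show @url to the user and return the result */` followed by `/* @ignore_tls: non-zero continues past TLS server certificate errors (built-in WebKit browser); other backends may not honour it */`. Whether the Android and system backends act on the flag is not visible in their hunks, hence the hedge in the proposed text.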