hs20_web_browser() to allow TLS server validation to be enabled

hs20_web_browser() was previously hardcoded to not perform strict TLS
server validation. Add an argument to this function to allow that
behavior to be configured. The hs20-osu-client callers keep the old
behavior (no server certificate validation) so that the tool remains
usable for testing purposes.

Signed-off-by: Jouni Malinen <j@w1.fi>
Jouni Malinen 2020-02-16 17:28:58 +02:00
parent 921ea4962e
commit 61bf9819c1
8 changed files with 19 additions and 15 deletions


@ -407,7 +407,7 @@ static int oma_dm_exec_browser(struct hs20_osu_client *ctx, xml_node_t *exec)
wpa_printf(MSG_INFO, "Data: %s", data); wpa_printf(MSG_INFO, "Data: %s", data);
wpa_printf(MSG_INFO, "Launch browser to URI '%s'", data); wpa_printf(MSG_INFO, "Launch browser to URI '%s'", data);
write_summary(ctx, "Launch browser to URI '%s'", data); write_summary(ctx, "Launch browser to URI '%s'", data);
res = hs20_web_browser(data); res = hs20_web_browser(data, 1);
xml_node_get_text_free(ctx->xml, data); xml_node_get_text_free(ctx->xml, data);
if (res > 0) { if (res > 0) {
wpa_printf(MSG_INFO, "User response in browser completed successfully"); wpa_printf(MSG_INFO, "User response in browser completed successfully");
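Review bot: The new call passes a bare `1` for ignore_tls, so the URI this function launches (what appears to be the URI supplied in the OMA DM Exec command, logged two lines above) is opened with TLS server certificate validation disabled, and nothing at the call site tells a reader that this is a deliberate testing-only choice rather than an oversight. A one-line comment would make the intent visible, e.g. `/* ignore_tls=1: keep the pre-existing no-validation behavior for testing */` above the call, or a named constant instead of the literal. oma_dm_exec_browser starts and ends outside the hunk.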


@ -2406,7 +2406,7 @@ static int cmd_osu_select(struct hs20_osu_client *ctx, const char *dir,
snprintf(fname, sizeof(fname), "file://%s/osu-providers.html", dir); snprintf(fname, sizeof(fname), "file://%s/osu-providers.html", dir);
write_summary(ctx, "Start web browser with OSU provider selection page"); write_summary(ctx, "Start web browser with OSU provider selection page");
ret = hs20_web_browser(fname); ret = hs20_web_browser(fname, 0);
selected: selected:
if (ret > 0 && (size_t) ret <= osu_count) { if (ret > 0 && (size_t) ret <= osu_count) {
@ -3403,7 +3403,7 @@ int main(int argc, char *argv[])
wpa_printf(MSG_INFO, "Launch web browser to URL %s", wpa_printf(MSG_INFO, "Launch web browser to URL %s",
argv[optind + 1]); argv[optind + 1]);
ret = hs20_web_browser(argv[optind + 1]); ret = hs20_web_browser(argv[optind + 1], 1);
wpa_printf(MSG_INFO, "Web browser result: %d", ret); wpa_printf(MSG_INFO, "Web browser result: %d", ret);
} else if (strcmp(argv[optind], "parse_cert") == 0) { } else if (strcmp(argv[optind], "parse_cert") == 0) {
if (argc - optind < 2) { if (argc - optind < 2) {
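Review bot: The `browser` command in main() disables certificate validation unconditionally for a URL taken straight from the command line, while cmd_osu_select in the first hunk asks for strict validation for its local file:// page; the two call sites now encode opposite policies with nothing selectable by the user. Since the commit message says the insecure default is kept for testing, a command-line option would be the natural way to opt into it while defaulting to strict, e.g. a flag set during option parsing and then `ret = hs20_web_browser(argv[optind + 1], ignore_tls);`. main()'s option parsing and both enclosing functions lie outside the hunks.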


@ -547,7 +547,7 @@ static int hs20_spp_exec(struct hs20_osu_client *ctx, xml_node_t *exec,
} }
wpa_printf(MSG_INFO, "Launch browser to URI '%s'", uri); wpa_printf(MSG_INFO, "Launch browser to URI '%s'", uri);
write_summary(ctx, "Launch browser to URI '%s'", uri); write_summary(ctx, "Launch browser to URI '%s'", uri);
res = hs20_web_browser(uri); res = hs20_web_browser(uri, 1);
xml_node_get_text_free(ctx->xml, uri); xml_node_get_text_free(ctx->xml, uri);
if (res > 0) { if (res > 0) {
wpa_printf(MSG_INFO, "User response in browser completed successfully - sessionid='%s'", wpa_printf(MSG_INFO, "User response in browser completed successfully - sessionid='%s'",
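Review bot: This is the third call site that repeats the literal `1` for ignore_tls (the others are oma_dm_exec_browser and main()), so changing the policy later means touching three files. Since `ctx` is already in scope here, a single field on `struct hs20_osu_client` would let all of them share one setting, e.g. `res = hs20_web_browser(uri, ctx->ignore_tls);` — that field would need adding to the struct, which is not visible in this commit. hs20_spp_exec starts and ends outside the hunk.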


@ -62,7 +62,7 @@ static void http_req(void *ctx, struct http_request *req)
} }
int hs20_web_browser(const char *url) int hs20_web_browser(const char *url, int ignore_tls)
{ {
struct http_server *http; struct http_server *http;
struct in_addr addr; struct in_addr addr;
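Review bot: In this backend (and in the two following sections that also change only the signature) the new ignore_tls parameter is accepted but, as far as the hunk shows, never read, so a caller asking for strict validation gets whatever the external browser does with certificates; that may be acceptable, but it should be stated rather than left implicit. A comment at the top of the function would document the contract, e.g. `/* ignore_tls is not used here: certificate validation is left to the browser this backend launches */`. The rest of hs20_web_browser is outside the hunk, so I cannot confirm the parameter is unused beyond these lines.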


@ -62,7 +62,7 @@ static void http_req(void *ctx, struct http_request *req)
} }
int hs20_web_browser(const char *url) int hs20_web_browser(const char *url, int ignore_tls)
{ {
struct http_server *http; struct http_server *http;
struct in_addr addr; struct in_addr addr;


@ -63,7 +63,7 @@ static void http_req(void *ctx, struct http_request *req)
} }
int hs20_web_browser(const char *url) int hs20_web_browser(const char *url, int ignore_tls)
{ {
struct http_server *http; struct http_server *http;
struct in_addr addr; struct in_addr addr;


@ -207,13 +207,12 @@ static void view_cb_title_changed(WebKitWebView *view, WebKitWebFrame *frame,
#endif /* USE_WEBKIT2 */ #endif /* USE_WEBKIT2 */
int hs20_web_browser(const char *url) int hs20_web_browser(const char *url, int ignore_tls)
{ {
GtkWidget *scroll; GtkWidget *scroll;
WebKitWebView *view; WebKitWebView *view;
#ifdef USE_WEBKIT2 #ifdef USE_WEBKIT2
WebKitSettings *settings; WebKitSettings *settings;
WebKitWebContext *wkctx;
#else /* USE_WEBKIT2 */ #else /* USE_WEBKIT2 */
WebKitWebSettings *settings; WebKitWebSettings *settings;
SoupSession *s; SoupSession *s;
@ -228,7 +227,8 @@ int hs20_web_browser(const char *url)
s = webkit_get_default_session(); s = webkit_get_default_session();
g_object_set(G_OBJECT(s), "ssl-ca-file", g_object_set(G_OBJECT(s), "ssl-ca-file",
"/etc/ssl/certs/ca-certificates.crt", NULL); "/etc/ssl/certs/ca-certificates.crt", NULL);
g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL); if (ignore_tls)
g_object_set(G_OBJECT(s), "ssl-strict", FALSE, NULL);
#endif /* USE_WEBKIT2 */ #endif /* USE_WEBKIT2 */
ctx.win = gtk_window_new(GTK_WINDOW_TOPLEVEL); ctx.win = gtk_window_new(GTK_WINDOW_TOPLEVEL);
@ -286,9 +286,13 @@ int hs20_web_browser(const char *url)
g_object_set(G_OBJECT(settings), "auto-load-images", TRUE, NULL); g_object_set(G_OBJECT(settings), "auto-load-images", TRUE, NULL);
#ifdef USE_WEBKIT2 #ifdef USE_WEBKIT2
wkctx = webkit_web_context_get_default(); if (ignore_tls) {
webkit_web_context_set_tls_errors_policy( WebKitWebContext *wkctx;
wkctx, WEBKIT_TLS_ERRORS_POLICY_IGNORE);
wkctx = webkit_web_context_get_default();
webkit_web_context_set_tls_errors_policy(
wkctx, WEBKIT_TLS_ERRORS_POLICY_IGNORE);
}
#endif /* USE_WEBKIT2 */ #endif /* USE_WEBKIT2 */
webkit_web_view_load_uri(view, url); webkit_web_view_load_uri(view, url);
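Review bot: The strict path is only implicit: when ignore_tls is 0 the WebKit1 branch leaves `ssl-strict` at the SoupSession default and the WebKit2 branch leaves the context's TLS errors policy at the library default, so "validation enabled" depends on the libsoup/WebKitGTK version rather than on this code. Setting the policy explicitly in both modes is cheap: `g_object_set(G_OBJECT(s), "ssl-strict", ignore_tls ? FALSE : TRUE, NULL);` for WebKit1 and `webkit_web_context_set_tls_errors_policy(wkctx, ignore_tls ? WEBKIT_TLS_ERRORS_POLICY_IGNORE : WEBKIT_TLS_ERRORS_POLICY_FAIL);` for WebKit2. Note also that strict WebKit1 validation will only work where the hard-coded `/etc/ssl/certs/ca-certificates.crt` (an unchanged context line) exists; on distributions with a different CA bundle path every server certificate would presumably be rejected. hs20_web_browser continues past the last hunk.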


@ -10,12 +10,12 @@
#define BROWSER_H #define BROWSER_H
#ifdef CONFIG_NO_BROWSER #ifdef CONFIG_NO_BROWSER
static inline int hs20_web_browser(const char *url) static inline int hs20_web_browser(const char *url, int ignore_tls)
{ {
return -1; return -1;
} }
#else /* CONFIG_NO_BROWSER */ #else /* CONFIG_NO_BROWSER */
int hs20_web_browser(const char *url); int hs20_web_browser(const char *url, int ignore_tls);
#endif /* CONFIG_NO_BROWSER */ #endif /* CONFIG_NO_BROWSER */
#endif /* BROWSER_H */ #endif /* BROWSER_H */
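Review bot: The new ignore_tls parameter is undocumented in the header, so its polarity (non-zero disables validation, per the browser.c hunk) and its testing-only nature can only be learned by reading the WebKit implementation. A short comment on the prototype would fix that, e.g. `/* ignore_tls: non-zero disables TLS server certificate validation (testing only) */`. The CONFIG_NO_BROWSER stub returns -1 regardless of either argument, which is consistent with callers treating only `res > 0` as success.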