hs20-osu-client: Validate HTTPS server certificate by default (browser)
authorJouni Malinen <j@w1.fi>
Sun, 16 Feb 2020 15:33:58 +0000 (17:33 +0200)
committerJouni Malinen <j@w1.fi>
Sun, 16 Feb 2020 15:40:52 +0000 (17:40 +0200)
This changes "hs20-osu-client browser <URL>" behavior to validate the
HTTPS server certificate against the system trust roots. The new command
line argument -T can be used to disable this validation.

This does not change behavior for SPP/OMA-DM triggered OSU operation,
i.e., they continue to not mandate server certificate validation for now
to avoid breaking existing test cases.

Signed-off-by: Jouni Malinen <j@w1.fi>
hs20/client/osu_client.c
hs20/client/osu_client.h

index b9849cad54ec23fbb7d1e7e94ed0e6570f493fce..f1b078b1aeea21e0538d01ae7018a23c9b70d3ea 100644 (file)
@@ -3152,7 +3152,7 @@ static void check_workarounds(struct hs20_osu_client *ctx)
 
 static void usage(void)
 {
-       printf("usage: hs20-osu-client [-dddqqKt] [-S<station ifname>] \\\n"
+       printf("usage: hs20-osu-client [-dddqqKtT] [-S<station ifname>] \\\n"
               "    [-w<wpa_supplicant ctrl_iface dir>] "
               "[-r<result file>] [-f<debug file>] \\\n"
               "    [-s<summary file>] \\\n"
@@ -3198,7 +3198,7 @@ int main(int argc, char *argv[])
                return -1;
 
        for (;;) {
-               c = getopt(argc, argv, "df:hKNo:O:qr:s:S:tw:x:");
+               c = getopt(argc, argv, "df:hKNo:O:qr:s:S:tTw:x:");
                if (c < 0)
                        break;
                switch (c) {
@@ -3236,6 +3236,9 @@ int main(int argc, char *argv[])
                case 't':
                        wpa_debug_timestamp++;
                        break;
+               case 'T':
+                       ctx.ignore_tls = 1;
+                       break;
                case 'w':
                        wpas_ctrl_path = optarg;
                        break;
@@ -3403,7 +3406,7 @@ int main(int argc, char *argv[])
 
                wpa_printf(MSG_INFO, "Launch web browser to URL %s",
                           argv[optind + 1]);
-               ret = hs20_web_browser(argv[optind + 1], 1);
+               ret = hs20_web_browser(argv[optind + 1], ctx.ignore_tls);
                wpa_printf(MSG_INFO, "Web browser result: %d", ret);
        } else if (strcmp(argv[optind], "parse_cert") == 0) {
                if (argc - optind < 2) {
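Review bot: The new `case 'T':` branch in main()'s option switch turns off HTTPS server certificate validation without leaving any trace in the log, which makes a weakened run indistinguishable from a normal one afterwards; a one-line notice next to the assignment, `wpa_printf(MSG_INFO, "Ignoring TLS validation issues with HTTPS server certificate (-T)");`, would make the downgrade visible to whoever reads the debug or result file. The later `hs20_web_browser(argv[optind + 1], ctx.ignore_tls)` call only validates by default if `ctx` is zero-initialized before the getopt loop; that initialization is outside these hunks, so it is worth confirming. The usage string now lists `T` in the option set, but no hunk says what it does; if usage() has a per-option description further down, add `-T = do not validate the HTTPS server certificate (browser command only)` there. Both usage() and main() start and end outside the hunks.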
index 5c8e6d00b6bb826af6116009852c03e51d60bbc5..9b45b03febe2413c6d5cf29528cd394dfb2bdaab 100644 (file)
@@ -50,6 +50,8 @@ struct hs20_osu_client {
        const char *osu_ssid; /* Enforced OSU_SSID for testing purposes */
 #define WORKAROUND_OCSP_OPTIONAL 0x00000001
        unsigned long int workarounds;
+       int ignore_tls; /* whether to ignore TLS validation issues with HTTPS
+                        * server certificate */
 };
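Review bot: The comment on the new `ignore_tls` member does not say what the zero default means or which operations honor the flag, and the commit description states that SPP/OMA-DM triggered OSU keeps its previous behavior while only the browser command changes. Suggest `int ignore_tls; /* 1 = skip HTTPS server certificate validation (-T); 0 = validate. Honored by the browser command only, not by SPP/OMA-DM triggered OSU */` so a reader of the header does not assume the flag governs every HTTPS fetch. The definition of struct hs20_osu_client starts outside the hunk.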