authorJouni Malinen <j@w1.fi>2020-02-16 17:33:58 +0200
committerJouni Malinen <j@w1.fi>2020-02-16 17:40:52 +0200
commite33a0eecece8799306652ca50d3c5f1c3b3b4fff (patch)
tree73791c09b0a8887e94e3828c14bb512af717149a /hs20
parent61bf9819c1b6f88807b1cc7bb77e1614e798a939 (diff)
hs20-osu-client: Validate HTTPS server certificate by default (browser)
This changes "hs20-osu-client browser <URL>" behavior to validate the HTTPS server certificate against the system trust roots. The new command line argument -T can be used to disable this validation. This does not change behavior for SPP/OMA-DM triggered OSU operation, i.e., they continue to not mandate server certificate validation for now to avoid breaking existing test cases. Signed-off-by: Jouni Malinen <j@w1.fi>
Diffstat (limited to 'hs20')
-rw-r--r--hs20/client/osu_client.c9
-rw-r--r--hs20/client/osu_client.h2
2 files changed, 8 insertions, 3 deletions
diff --git a/hs20/client/osu_client.c b/hs20/client/osu_client.c
index b9849cad5..f1b078b1a 100644
--- a/hs20/client/osu_client.c
+++ b/hs20/client/osu_client.c
@@ -3152,7 +3152,7 @@ static void check_workarounds(struct hs20_osu_client *ctx)
static void usage(void)
{
- printf("usage: hs20-osu-client [-dddqqKt] [-S<station ifname>] \\\n"
+ printf("usage: hs20-osu-client [-dddqqKtT] [-S<station ifname>] \\\n"
" [-w<wpa_supplicant ctrl_iface dir>] "
"[-r<result file>] [-f<debug file>] \\\n"
" [-s<summary file>] \\\n"
@@ -3198,7 +3198,7 @@ int main(int argc, char *argv[])
return -1;
for (;;) {
- c = getopt(argc, argv, "df:hKNo:O:qr:s:S:tw:x:");
+ c = getopt(argc, argv, "df:hKNo:O:qr:s:S:tTw:x:");
if (c < 0)
break;
switch (c) {
@@ -3236,6 +3236,9 @@ int main(int argc, char *argv[])
case 't':
wpa_debug_timestamp++;
break;
+ case 'T':
+ ctx.ignore_tls = 1;
+ break;
case 'w':
wpas_ctrl_path = optarg;
break;
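Review bot: The new `case 'T':` turns off a security check, but nothing at the case or in the usage() text says what the letter means. The synopsis only gains the bare `T`, and the diffstat counts leave no room for an added description line elsewhere in the file. A comment above the assignment would help, for example `/* -T: do not validate the HTTPS server certificate (browser command) */`, together with a one-line description in usage() if that function lists options individually (its body continues outside the first hunk). The switch statement itself also starts and ends outside this hunk.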
@@ -3403,7 +3406,7 @@ int main(int argc, char *argv[])
wpa_printf(MSG_INFO, "Launch web browser to URL %s",
argv[optind + 1]);
- ret = hs20_web_browser(argv[optind + 1], 1);
+ ret = hs20_web_browser(argv[optind + 1], ctx.ignore_tls);
wpa_printf(MSG_INFO, "Web browser result: %d", ret);
} else if (strcmp(argv[optind], "parse_cert") == 0) {
if (argc - optind < 2) {
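Review bot: When `ctx.ignore_tls` is set, the browser is launched with certificate validation disabled and the log shows only the URL, so a run with -T cannot be told apart from a validated one in the debug output. A line before the `hs20_web_browser()` call would make the downgrade visible to whoever reads the log later, e.g. `if (ctx.ignore_tls) wpa_printf(MSG_INFO, "HTTPS server certificate validation disabled (-T)");`. The enclosing command dispatch in main() extends beyond the hunk on both sides.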
diff --git a/hs20/client/osu_client.h b/hs20/client/osu_client.h
index 5c8e6d00b..9b45b03fe 100644
--- a/hs20/client/osu_client.h
+++ b/hs20/client/osu_client.h
@@ -50,6 +50,8 @@ struct hs20_osu_client {
const char *osu_ssid; /* Enforced OSU_SSID for testing purposes */
#define WORKAROUND_OCSP_OPTIONAL 0x00000001
unsigned long int workarounds;
+ int ignore_tls; /* whether to ignore TLS validation issues with HTTPS
+ * server certificate */
};
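Review bot: The comment on `ignore_tls` reads as if the field governs TLS validation for the whole client, but in this commit it is consumed only by the browser command. The commit description says the SPP/OMA-DM paths still do not mandate server certificate validation. Because the field sits in the shared `struct hs20_osu_client`, a reader could assume that leaving it at 0 means those paths validate too. Stating the scope and the default in the comment would prevent that, e.g. `/* 1 = skip HTTPS server certificate validation (set by -T); currently used by the browser command only */`.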