honour online host verification exemption also in core

Signed-off-by: Caolán McNamara <caolan.mcnamara@collabora.com>
Change-Id: I041b6f428069d5fb62426c80512ced7d00e622d3

common/Session.cpp

@@ -43,7 +43,8 @@ Session::Session(const std::shared_ptr<ProtocolHandlerInterface> &protocol,
     _isDocPasswordProtected(false),
     _isAdminUser(std::nullopt),
     _watermarkOpacity(0.2),
-    _accessibilityState(false)
+    _accessibilityState(false),
+    _disableVerifyHost(false)
 {
 }
 
@@ -226,6 +227,11 @@ void Session::parseDocOptions(const StringVector& tokens, int& part, std::string
             _isAllowChangeComments = value == "true";
             ++offset;
         }
+        else if (name == "verifyHost")
+        {
+            _disableVerifyHost = value == "false";
+            ++offset;
+        }
     }
 
     Util::mapAnonymized(_userId, _userIdAnonym);

common/Session.hpp

@@ -107,6 +107,9 @@ public:
     /// Returns true iff the view is either non-readonly or can change comments.
     bool isEditable() const { return !isReadOnly() || isAllowChangeComments(); }
 
+    /// if certification verification was disabled for the wopi server
+    bool isDisableVerifyHost() const { return _disableVerifyHost; }
+
     /// overridden to prepend client ids on messages by the Kit
     virtual bool sendBinaryFrame(const char* buffer, int length);
     virtual bool sendTextFrame(const char* buffer, const int length);
@@ -393,6 +396,10 @@ private:
 
     /// Specifies whether accessibility support is enabled for this session.
     bool _accessibilityState;
+
+    /// Specifies whether certification verification for the wopi server
+    /// should be disabled in core
+    bool _disableVerifyHost;
 };
 
 /* vim:set shiftwidth=4 softtabstop=4 expandtab: */

kit/Kit.cpp

@@ -1785,6 +1785,16 @@ std::shared_ptr<lok::Document> Document::load(const std::shared_ptr<ChildSession
     if (FileUtil::Stat(pathFromFileURL(wopiCertDir)).exists())
         ::setenv("LO_CERTIFICATE_AUTHORITY_PATH", wopiCertDir.c_str(), 1);
 
+    // if ssl client verification was disabled in online for the wopi server,
+    // and this is a https connection then also exempt that host from ssl host
+    // verification in 'core'
+    if (session->isDisableVerifyHost())
+    {
+        std::string scheme, host, port;
+        if (net::parseUri(session->getDocURL(), scheme, host, port) && scheme == "https://")
+            ::setenv("LOK_EXEMPT_VERIFY_HOST", host.c_str(), 1);
+    }
+
     std::string spellOnline = session->getSpellOnline();
     if (!_loKitDocument)
     {

net/Ssl.hpp

@@ -109,6 +109,12 @@ public:
                                                       cipherList, verification);
     }
 
+    static ssl::CertificateVerification getClientVerification()
+    {
+        assert(isClientContextInitialized() && "client context must be initialized");
+        return ClientInstance->verification();
+    }
+
     static void uninitializeClientContext() { ClientInstance.reset(); }
 
     /// Returns true iff the SslContext has been initialized.

wsd/ClientSession.cpp

@@ -1259,6 +1259,11 @@ bool ClientSession::loadDocument(const char* /*buffer*/, int /*length*/,
         std::ostringstream oss;
         oss << "load url=" << docBroker->getPublicUri().toString();
 
+        // if ssl client verification was disabled in online for the wopi server,
+        // then exempt that host from ssl host verification also in core
+        if (ssl::Manager::getClientVerification() == ssl::CertificateVerification::Disabled)
+            oss << " verifyHost=false";
+
         if (!getUserId().empty() && !getUserName().empty())
         {
             std::string encodedUserId;