From 124386425da099aee7e972db76db498711f96fa3 Mon Sep 17 00:00:00 2001 From: Alberto Ponces Date: Thu, 12 Oct 2023 17:09:07 +0000 Subject: [PATCH] feat: Disable domain validation on Enterprise networks --- ...s.patch => 0001-Import-vendor-gapps.patch} | 4 +- ...patch => 0002-Rework-securize-tweak.patch} | 12 +- ...or-customization-and-set-Google-San.patch} | 4 +- ...ble-domain-validation-on-Enterprise-.patch | 89 +++++ ...e-Override-media-volume-steps-to-25.patch} | 8 +- ...ck-if-domain-field-is-not-empty-when.patch | 87 +++++ ...ove-Do-not-validate-option-in-CA-cer.patch | 311 ------------------ 7 files changed, 190 insertions(+), 325 deletions(-) rename patches/personal/device_phh_treble/{0003-Import-vendor-gapps.patch => 0001-Import-vendor-gapps.patch} (85%) rename patches/personal/device_phh_treble/{0001-Rework-securize-tweak.patch => 0002-Rework-securize-tweak.patch} (95%) rename patches/personal/device_phh_treble/{0002-fonts-Add-fonts-for-customization-and-set-Google-San.patch => 0003-fonts-Add-fonts-for-customization-and-set-Google-San.patch} (99%) create mode 100644 patches/personal/device_phh_treble/0004-WifiOverlay-Disable-domain-validation-on-Enterprise-.patch rename patches/personal/device_phh_treble/{0004-Revert-treble-Override-media-volume-steps-to-25.patch => 0005-Revert-treble-Override-media-volume-steps-to-25.patch} (76%) create mode 100644 patches/personal/platform_packages_apps_Settings/0001-Revert-Wi-Fi-Check-if-domain-field-is-not-empty-when.patch delete mode 100644 patches/personal/platform_packages_apps_Settings/0001-Revert-Wi-Fi-Remove-Do-not-validate-option-in-CA-cer.patch diff --git a/patches/personal/device_phh_treble/0003-Import-vendor-gapps.patch b/patches/personal/device_phh_treble/0001-Import-vendor-gapps.patch similarity index 85% rename from patches/personal/device_phh_treble/0003-Import-vendor-gapps.patch rename to patches/personal/device_phh_treble/0001-Import-vendor-gapps.patch index 5b2af9ae..1f044696 100644 --- a/patches/personal/device_phh_treble/0003-Import-vendor-gapps.patch +++ b/patches/personal/device_phh_treble/0001-Import-vendor-gapps.patch @@ -1,7 +1,7 @@ -From 35e411820e4af4b2695e0e492b447855b703c162 Mon Sep 17 00:00:00 2001 +From c79c4dc8738af985576b708d0f146fd342c527af Mon Sep 17 00:00:00 2001 From: Alberto Ponces Date: Tue, 21 Feb 2023 22:51:12 +0000 -Subject: [PATCH 3/4] Import vendor/gapps +Subject: [PATCH 1/5] Import vendor/gapps --- generate.sh | 2 +- diff --git a/patches/personal/device_phh_treble/0001-Rework-securize-tweak.patch b/patches/personal/device_phh_treble/0002-Rework-securize-tweak.patch similarity index 95% rename from patches/personal/device_phh_treble/0001-Rework-securize-tweak.patch rename to patches/personal/device_phh_treble/0002-Rework-securize-tweak.patch index ed431f13..d334e45f 100644 --- a/patches/personal/device_phh_treble/0001-Rework-securize-tweak.patch +++ b/patches/personal/device_phh_treble/0002-Rework-securize-tweak.patch @@ -1,7 +1,7 @@ -From 2975460eef8a8f76ca1598b68cbc23d1d0f67a2c Mon Sep 17 00:00:00 2001 +From ba12a8041804ea46005d6d23225aff1f96e28135 Mon Sep 17 00:00:00 2001 From: Alberto Ponces Date: Wed, 25 Dec 2019 12:34:05 +0200 -Subject: [PATCH 1/4] Rework securize tweak +Subject: [PATCH 2/5] Rework securize tweak --- base.mk | 1 - @@ -9,7 +9,7 @@ Subject: [PATCH 1/4] Rework securize tweak 2 files changed, 30 insertions(+), 20 deletions(-) diff --git a/base.mk b/base.mk -index b9298a2..32a797f 100644 +index a096d0b..d6c34d3 100644 --- a/base.mk +++ b/base.mk @@ -180,7 +180,6 @@ PRODUCT_PACKAGES += \ @@ -21,10 +21,10 @@ index b9298a2..32a797f 100644 PRODUCT_COPY_FILES += \ diff --git a/rw-system.sh b/rw-system.sh -index 9a90a29..f178bd1 100644 +index 8cc3241..1b69198 100644 --- a/rw-system.sh +++ b/rw-system.sh -@@ -739,32 +739,59 @@ copyprop() { +@@ -742,32 +742,59 @@ copyprop() { resetprop_phh "$1" "$(getprop "$2")" fi } @@ -87,7 +87,7 @@ index 9a90a29..f178bd1 100644 (getprop ro.vendor.build.security_patch; getprop ro.keymaster.xxx.security_patch) |sort |tail -n 1 |while read v;do [ -n "$v" ] && resetprop_phh ro.build.version.security_patch "$v" done -@@ -783,22 +810,6 @@ if [ -f /system/phh/secure ] || [ -f /metadata/phh/secure ];then +@@ -786,22 +813,6 @@ if [ -f /system/phh/secure ] || [ -f /metadata/phh/secure ];then resetprop_phh ro.adb.secure 1 diff --git a/patches/personal/device_phh_treble/0002-fonts-Add-fonts-for-customization-and-set-Google-San.patch b/patches/personal/device_phh_treble/0003-fonts-Add-fonts-for-customization-and-set-Google-San.patch similarity index 99% rename from patches/personal/device_phh_treble/0002-fonts-Add-fonts-for-customization-and-set-Google-San.patch rename to patches/personal/device_phh_treble/0003-fonts-Add-fonts-for-customization-and-set-Google-San.patch index 619d2ec3..79882656 100644 --- a/patches/personal/device_phh_treble/0002-fonts-Add-fonts-for-customization-and-set-Google-San.patch +++ b/patches/personal/device_phh_treble/0003-fonts-Add-fonts-for-customization-and-set-Google-San.patch @@ -1,7 +1,7 @@ -From e92322790c9cc820e0f7985a85abf0ee375b8032 Mon Sep 17 00:00:00 2001 +From 0e9961bddc54911d0464d9ed5dc8c17c3e4650e0 Mon Sep 17 00:00:00 2001 From: Alberto Ponces Date: Wed, 22 Feb 2023 14:43:58 +0000 -Subject: [PATCH 2/4] fonts: Add fonts for customization and set Google Sans as +Subject: [PATCH 3/5] fonts: Add fonts for customization and set Google Sans as default font --- diff --git a/patches/personal/device_phh_treble/0004-WifiOverlay-Disable-domain-validation-on-Enterprise-.patch b/patches/personal/device_phh_treble/0004-WifiOverlay-Disable-domain-validation-on-Enterprise-.patch new file mode 100644 index 00000000..50fbbef8 --- /dev/null +++ b/patches/personal/device_phh_treble/0004-WifiOverlay-Disable-domain-validation-on-Enterprise-.patch @@ -0,0 +1,89 @@ +From 13ce93569ae27bf947f61b3abf01b930f9dae5df Mon Sep 17 00:00:00 2001 +From: Alberto Ponces +Date: Thu, 12 Oct 2023 17:00:26 +0000 +Subject: [PATCH 4/5] WifiOverlay: Disable domain validation on Enterprise + networks + +--- + base.mk | 3 +++ + rro_overlays/WifiOverlay/Android.bp | 6 +++++ + rro_overlays/WifiOverlay/AndroidManifest.xml | 26 +++++++++++++++++++ + .../WifiOverlay/res/values/config.xml | 6 +++++ + 4 files changed, 41 insertions(+) + create mode 100644 rro_overlays/WifiOverlay/Android.bp + create mode 100644 rro_overlays/WifiOverlay/AndroidManifest.xml + create mode 100644 rro_overlays/WifiOverlay/res/values/config.xml + +diff --git a/base.mk b/base.mk +index d6c34d3..1e176b5 100644 +--- a/base.mk ++++ b/base.mk +@@ -156,6 +156,9 @@ SELINUX_IGNORE_NEVERALLOWS := true + PRODUCT_PACKAGES += \ + NoCutoutOverlay + ++PRODUCT_PACKAGES += \ ++ WifiOverlay ++ + PRODUCT_PACKAGES += \ + lightsctl \ + lightsctl-aidl \ +diff --git a/rro_overlays/WifiOverlay/Android.bp b/rro_overlays/WifiOverlay/Android.bp +new file mode 100644 +index 0000000..c2089a1 +--- /dev/null ++++ b/rro_overlays/WifiOverlay/Android.bp +@@ -0,0 +1,6 @@ ++runtime_resource_overlay { ++ name: "WifiOverlay", ++ theme: "WifiOverlay", ++ sdk_version: "current", ++ product_specific: true ++} +diff --git a/rro_overlays/WifiOverlay/AndroidManifest.xml b/rro_overlays/WifiOverlay/AndroidManifest.xml +new file mode 100644 +index 0000000..f01dffc +--- /dev/null ++++ b/rro_overlays/WifiOverlay/AndroidManifest.xml +@@ -0,0 +1,26 @@ ++ ++ ++ ++ ++ ++ +diff --git a/rro_overlays/WifiOverlay/res/values/config.xml b/rro_overlays/WifiOverlay/res/values/config.xml +new file mode 100644 +index 0000000..39974be +--- /dev/null ++++ b/rro_overlays/WifiOverlay/res/values/config.xml +@@ -0,0 +1,6 @@ ++ ++ ++ ++ true ++ +-- +2.34.1 + diff --git a/patches/personal/device_phh_treble/0004-Revert-treble-Override-media-volume-steps-to-25.patch b/patches/personal/device_phh_treble/0005-Revert-treble-Override-media-volume-steps-to-25.patch similarity index 76% rename from patches/personal/device_phh_treble/0004-Revert-treble-Override-media-volume-steps-to-25.patch rename to patches/personal/device_phh_treble/0005-Revert-treble-Override-media-volume-steps-to-25.patch index b1f0c8f1..84ebd767 100644 --- a/patches/personal/device_phh_treble/0004-Revert-treble-Override-media-volume-steps-to-25.patch +++ b/patches/personal/device_phh_treble/0005-Revert-treble-Override-media-volume-steps-to-25.patch @@ -1,7 +1,7 @@ -From 3b0f0c247c6d7522af15869ca01f94c5b476b7fb Mon Sep 17 00:00:00 2001 +From bc7b5f9d7ab6cecf44513515f5b2982cf098806a Mon Sep 17 00:00:00 2001 From: Alberto Ponces Date: Sat, 7 Oct 2023 21:41:53 +0000 -Subject: [PATCH 4/4] Revert "treble: Override media volume steps to 25" +Subject: [PATCH 5/5] Revert "treble: Override media volume steps to 25" This reverts commit a5d5328f43b8d05a67dda385c66d7952a107d0e4. --- @@ -9,7 +9,7 @@ This reverts commit a5d5328f43b8d05a67dda385c66d7952a107d0e4. 1 file changed, 2 insertions(+) diff --git a/rw-system.sh b/rw-system.sh -index fcabb01..557ce81 100644 +index 1b69198..3cf0571 100644 --- a/rw-system.sh +++ b/rw-system.sh @@ -1026,6 +1026,8 @@ fi @@ -21,6 +21,6 @@ index fcabb01..557ce81 100644 fi if [ "$board" = universal8825 ];then --- +-- 2.34.1 diff --git a/patches/personal/platform_packages_apps_Settings/0001-Revert-Wi-Fi-Check-if-domain-field-is-not-empty-when.patch b/patches/personal/platform_packages_apps_Settings/0001-Revert-Wi-Fi-Check-if-domain-field-is-not-empty-when.patch new file mode 100644 index 00000000..d70f239e --- /dev/null +++ b/patches/personal/platform_packages_apps_Settings/0001-Revert-Wi-Fi-Check-if-domain-field-is-not-empty-when.patch @@ -0,0 +1,87 @@ +From e4dfa33f48a26ff8aad08ae712a73511fbc551f9 Mon Sep 17 00:00:00 2001 +From: Alberto Ponces +Date: Wed, 11 Oct 2023 17:18:16 +0000 +Subject: [PATCH] Revert "[Wi-Fi] Check if domain field is not empty when users + choose a ca certificate" + +Change-Id: I8f71fe85cd035fd241386500136830cfdbe981dd +--- + .../settings/wifi/WifiConfigController.java | 14 +++++++++----- + .../settings/wifi/WifiConfigController2.java | 14 +++++++++----- + 2 files changed, 18 insertions(+), 10 deletions(-) + +diff --git a/src/com/android/settings/wifi/WifiConfigController.java b/src/com/android/settings/wifi/WifiConfigController.java +index 8f0a983d1f..0aa0314a1b 100644 +--- a/src/com/android/settings/wifi/WifiConfigController.java ++++ b/src/com/android/settings/wifi/WifiConfigController.java +@@ -544,10 +544,11 @@ public class WifiConfigController implements TextWatcher, + // Disallow submit if the user has not selected a CA certificate for an EAP network + // configuration. + enabled = false; +- } else if (mEapDomainView != null ++ } else if (caCertSelection.equals(mUseSystemCertsString) ++ && mEapDomainView != null + && mView.findViewById(R.id.l_domain).getVisibility() != View.GONE + && TextUtils.isEmpty(mEapDomainView.getText().toString())) { +- // Disallow submit if the user chooses to use a certificate for EAP server ++ // Disallow submit if the user chooses to use a system certificate for EAP server + // validation, but does not provide a domain. + enabled = false; + } +@@ -578,11 +579,14 @@ public class WifiConfigController implements TextWatcher, + } + if (mEapCaCertSpinner != null + && mView.findViewById(R.id.l_ca_cert).getVisibility() != View.GONE) { +- if (mEapDomainView != null ++ String caCertSelection = (String) mEapCaCertSpinner.getSelectedItem(); ++ if (caCertSelection.equals(mUseSystemCertsString) ++ && mEapDomainView != null + && mView.findViewById(R.id.l_domain).getVisibility() != View.GONE + && TextUtils.isEmpty(mEapDomainView.getText().toString())) { +- // Display warning if user chooses to use a certificate without restricting the +- // server domain that these certificates can be used to validate. ++ // Display warning if user chooses to use pre-installed public CA certificates ++ // without restricting the server domain that these certificates can be used to ++ // validate. + mView.findViewById(R.id.no_domain_warning).setVisibility(View.VISIBLE); + } + } +diff --git a/src/com/android/settings/wifi/WifiConfigController2.java b/src/com/android/settings/wifi/WifiConfigController2.java +index f92b58fbd1..11d301e85e 100644 +--- a/src/com/android/settings/wifi/WifiConfigController2.java ++++ b/src/com/android/settings/wifi/WifiConfigController2.java +@@ -532,10 +532,11 @@ public class WifiConfigController2 implements TextWatcher, + // Disallow submit if the user has not selected a CA certificate for an EAP network + // configuration. + enabled = false; +- } else if (mEapDomainView != null ++ } else if (caCertSelection.equals(mUseSystemCertsString) ++ && mEapDomainView != null + && mView.findViewById(R.id.l_domain).getVisibility() != View.GONE + && TextUtils.isEmpty(mEapDomainView.getText().toString())) { +- // Disallow submit if the user chooses to use a certificate for EAP server ++ // Disallow submit if the user chooses to use a system certificate for EAP server + // validation, but does not provide a domain. + enabled = false; + } +@@ -566,11 +567,14 @@ public class WifiConfigController2 implements TextWatcher, + } + if (mEapCaCertSpinner != null + && mView.findViewById(R.id.l_ca_cert).getVisibility() != View.GONE) { +- if (mEapDomainView != null ++ String caCertSelection = (String) mEapCaCertSpinner.getSelectedItem(); ++ if (caCertSelection.equals(mUseSystemCertsString) ++ && mEapDomainView != null + && mView.findViewById(R.id.l_domain).getVisibility() != View.GONE + && TextUtils.isEmpty(mEapDomainView.getText().toString())) { +- // Display warning if user chooses to use a certificate without restricting the +- // server domain that these certificates can be used to validate. ++ // Display warning if user chooses to use pre-installed public CA certificates ++ // without restricting the server domain that these certificates can be used to ++ // validate. + mView.findViewById(R.id.no_domain_warning).setVisibility(View.VISIBLE); + } + } +-- +2.34.1 + diff --git a/patches/personal/platform_packages_apps_Settings/0001-Revert-Wi-Fi-Remove-Do-not-validate-option-in-CA-cer.patch b/patches/personal/platform_packages_apps_Settings/0001-Revert-Wi-Fi-Remove-Do-not-validate-option-in-CA-cer.patch deleted file mode 100644 index c2b6e93c..00000000 --- a/patches/personal/platform_packages_apps_Settings/0001-Revert-Wi-Fi-Remove-Do-not-validate-option-in-CA-cer.patch +++ /dev/null @@ -1,311 +0,0 @@ -From b71670d4f645f6ea985ec3cc7e9950ad379818f9 Mon Sep 17 00:00:00 2001 -From: TogoFire -Date: Fri, 6 Aug 2021 08:54:07 -0300 -Subject: [PATCH] Revert "[Wi-Fi] Remove 'Do not validate' option in CA - certificate spinner" - -This is not a definitive fix, so revert it. WPA2-Enterprise (802.1X) or -WPA2-PSK. - -[xawlw]: -- Sometimes we can't connect to some Enterprise WiFi networks because we - don't know its domain so let's revert this 'Security' feature -- Read more about it here: - https://www.xda-developers.com/android-11-break-enterprise-wifi-connection/ - -This reverts commit 33cde5dbeee934269f16d72e26e651d56a13733e. -This reverts commit 94b8579607c6f1201cea9d6601e88cec897b2ff6. - -Signed-off-by: TogoFire -Signed-off-by: xawlw -Change-Id: I3cec92b74a419b5463c5e5db496863e66d034703 ---- - res/layout/wifi_network_config.xml | 12 +++++++ - res/values/strings.xml | 4 +++ - .../settings/wifi/WifiConfigController.java | 33 +++++++++++++------ - .../settings/wifi/WifiConfigController2.java | 33 +++++++++++++------ - 4 files changed, 62 insertions(+), 20 deletions(-) - -diff --git a/res/layout/wifi_network_config.xml b/res/layout/wifi_network_config.xml -index 6fe39bf026..5a9d6e64df 100644 ---- a/res/layout/wifi_network_config.xml -+++ b/res/layout/wifi_network_config.xml -@@ -224,6 +224,18 @@ - android:entries="@array/eap_ocsp_type"/> - - -+ -+ -+ -+ - Use system certificates - - Do not provide -+ -+ Do not validate -+ -+ No certificate specified. Your connection will not be private. - - Trust on First Use - -diff --git a/src/com/android/settings/wifi/WifiConfigController.java b/src/com/android/settings/wifi/WifiConfigController.java -index 8f0a983d1f..6ca97c329c 100644 ---- a/src/com/android/settings/wifi/WifiConfigController.java -+++ b/src/com/android/settings/wifi/WifiConfigController.java -@@ -166,6 +166,7 @@ public class WifiConfigController implements TextWatcher, - private String mMultipleCertSetString; - private String mUseSystemCertsString; - private String mDoNotProvideEapUserCertString; -+ private String mDoNotValidateEapServerString; - - private Spinner mSecuritySpinner; - @VisibleForTesting Spinner mEapMethodSpinner; -@@ -272,6 +273,8 @@ public class WifiConfigController implements TextWatcher, - mUseSystemCertsString = mContext.getString(R.string.wifi_use_system_certs); - mDoNotProvideEapUserCertString = - mContext.getString(R.string.wifi_do_not_provide_eap_user_cert); -+ mDoNotValidateEapServerString = -+ mContext.getString(R.string.wifi_do_not_validate_eap_server); - - mSsidScanButton = (ImageButton) mView.findViewById(R.id.ssid_scanner_button); - mIpSettingsSpinner = (Spinner) mView.findViewById(R.id.ip_settings); -@@ -544,7 +547,8 @@ public class WifiConfigController implements TextWatcher, - // Disallow submit if the user has not selected a CA certificate for an EAP network - // configuration. - enabled = false; -- } else if (mEapDomainView != null -+ } else if (!caCertSelection.equals(mDoNotValidateEapServerString) -+ && mEapDomainView != null - && mView.findViewById(R.id.l_domain).getVisibility() != View.GONE - && TextUtils.isEmpty(mEapDomainView.getText().toString())) { - // Disallow submit if the user chooses to use a certificate for EAP server -@@ -566,6 +570,7 @@ public class WifiConfigController implements TextWatcher, - } - - void showWarningMessagesIfAppropriate() { -+ mView.findViewById(R.id.no_ca_cert_warning).setVisibility(View.GONE); - mView.findViewById(R.id.no_user_cert_warning).setVisibility(View.GONE); - mView.findViewById(R.id.no_domain_warning).setVisibility(View.GONE); - mView.findViewById(R.id.ssid_too_long_warning).setVisibility(View.GONE); -@@ -578,7 +583,13 @@ public class WifiConfigController implements TextWatcher, - } - if (mEapCaCertSpinner != null - && mView.findViewById(R.id.l_ca_cert).getVisibility() != View.GONE) { -- if (mEapDomainView != null -+ String caCertSelection = (String) mEapCaCertSpinner.getSelectedItem(); -+ if (caCertSelection.equals(mDoNotValidateEapServerString)) { -+ // Display warning if user chooses not to validate the EAP server with a -+ // user-supplied CA certificate in an EAP network configuration. -+ mView.findViewById(R.id.no_ca_cert_warning).setVisibility(View.VISIBLE); -+ } else if (!caCertSelection.equals(mUnspecifiedCertString) -+ && mEapDomainView != null - && mView.findViewById(R.id.l_domain).getVisibility() != View.GONE - && TextUtils.isEmpty(mEapDomainView.getText().toString())) { - // Display warning if user chooses to use a certificate without restricting the -@@ -719,7 +730,8 @@ public class WifiConfigController implements TextWatcher, - config.enterpriseConfig.setCaCertificateAliases(null); - config.enterpriseConfig.setCaPath(null); - config.enterpriseConfig.setDomainSuffixMatch(mEapDomainView.getText().toString()); -- if (caCert.equals(mUnspecifiedCertString)) { -+ if (caCert.equals(mUnspecifiedCertString) -+ || caCert.equals(mDoNotValidateEapServerString)) { - // ca_cert already set to null, so do nothing. - } else if (caCert.equals(mUseSystemCertsString)) { - config.enterpriseConfig.setCaPath(SYSTEM_CA_STORE_PATH); -@@ -753,7 +765,8 @@ public class WifiConfigController implements TextWatcher, - } - - // Only set OCSP option if there is a valid CA certificate. -- if (caCert.equals(mUnspecifiedCertString)) { -+ if (caCert.equals(mUnspecifiedCertString) -+ || caCert.equals(mDoNotValidateEapServerString)) { - config.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_NONE); - } else { - config.enterpriseConfig.setOcsp(mEapOcspSpinner.getSelectedItemPosition()); -@@ -1057,7 +1070,7 @@ public class WifiConfigController implements TextWatcher, - loadCertificates( - mEapCaCertSpinner, - androidKeystoreAliasLoader.getCaCertAliases(), -- null /* noCertificateString */, -+ mDoNotValidateEapServerString /* noCertificateString */, - false /* showMultipleCerts */, - true /* showUsePreinstalledCertOption */); - loadCertificates( -@@ -1141,7 +1154,7 @@ public class WifiConfigController implements TextWatcher, - } else { - String[] caCerts = enterpriseConfig.getCaCertificateAliases(); - if (caCerts == null) { -- setSelection(mEapCaCertSpinner, mUnspecifiedCertString); -+ setSelection(mEapCaCertSpinner, mDoNotValidateEapServerString); - } else if (caCerts.length == 1) { - setSelection(mEapCaCertSpinner, caCerts[0]); - } else { -@@ -1152,7 +1165,7 @@ public class WifiConfigController implements TextWatcher, - loadCertificates( - mEapCaCertSpinner, - androidKeystoreAliasLoader.getCaCertAliases(), -- null /* noCertificateString */, -+ mDoNotValidateEapServerString /* noCertificateString */, - true /* showMultipleCerts */, - true /* showUsePreinstalledCertOption */); - setSelection(mEapCaCertSpinner, mMultipleCertSetString); -@@ -1285,7 +1298,8 @@ public class WifiConfigController implements TextWatcher, - - if (mView.findViewById(R.id.l_ca_cert).getVisibility() != View.GONE) { - String eapCertSelection = (String) mEapCaCertSpinner.getSelectedItem(); -- if (eapCertSelection.equals(mUnspecifiedCertString)) { -+ if (eapCertSelection.equals(mDoNotValidateEapServerString) -+ || eapCertSelection.equals(mUnspecifiedCertString)) { - // Domain suffix matching is not relevant if the user hasn't chosen a CA - // certificate yet, or chooses not to validate the EAP server. - setDomainInvisible(); -@@ -1546,8 +1560,7 @@ public class WifiConfigController implements TextWatcher, - }).collect(Collectors.toList())); - } - -- if (!TextUtils.isEmpty(noCertificateString) -- && mAccessPointSecurity != AccessPoint.SECURITY_EAP_SUITE_B) { -+ if (mAccessPointSecurity != AccessPoint.SECURITY_EAP_SUITE_B) { - certs.add(noCertificateString); - } - -diff --git a/src/com/android/settings/wifi/WifiConfigController2.java b/src/com/android/settings/wifi/WifiConfigController2.java -index f92b58fbd1..6074202a97 100644 ---- a/src/com/android/settings/wifi/WifiConfigController2.java -+++ b/src/com/android/settings/wifi/WifiConfigController2.java -@@ -174,6 +174,7 @@ public class WifiConfigController2 implements TextWatcher, - private String mUseSystemCertsString; - private String mTrustOnFirstUse; - private String mDoNotProvideEapUserCertString; -+ private String mDoNotValidateEapServerString; - @VisibleForTesting String mInstallCertsString; - - private Spinner mSecuritySpinner; -@@ -279,6 +280,8 @@ public class WifiConfigController2 implements TextWatcher, - mTrustOnFirstUse = mContext.getString(R.string.wifi_trust_on_first_use); - mDoNotProvideEapUserCertString = - mContext.getString(R.string.wifi_do_not_provide_eap_user_cert); -+ mDoNotValidateEapServerString = -+ mContext.getString(R.string.wifi_do_not_validate_eap_server); - mInstallCertsString = mContext.getString(R.string.wifi_install_credentials); - - mSsidScanButton = (ImageButton) mView.findViewById(R.id.ssid_scanner_button); -@@ -532,7 +535,8 @@ public class WifiConfigController2 implements TextWatcher, - // Disallow submit if the user has not selected a CA certificate for an EAP network - // configuration. - enabled = false; -- } else if (mEapDomainView != null -+ } else if (!caCertSelection.equals(mDoNotValidateEapServerString) -+ && mEapDomainView != null - && mView.findViewById(R.id.l_domain).getVisibility() != View.GONE - && TextUtils.isEmpty(mEapDomainView.getText().toString())) { - // Disallow submit if the user chooses to use a certificate for EAP server -@@ -554,6 +558,7 @@ public class WifiConfigController2 implements TextWatcher, - } - - void showWarningMessagesIfAppropriate() { -+ mView.findViewById(R.id.no_ca_cert_warning).setVisibility(View.GONE); - mView.findViewById(R.id.no_user_cert_warning).setVisibility(View.GONE); - mView.findViewById(R.id.no_domain_warning).setVisibility(View.GONE); - mView.findViewById(R.id.ssid_too_long_warning).setVisibility(View.GONE); -@@ -566,7 +571,13 @@ public class WifiConfigController2 implements TextWatcher, - } - if (mEapCaCertSpinner != null - && mView.findViewById(R.id.l_ca_cert).getVisibility() != View.GONE) { -- if (mEapDomainView != null -+ String caCertSelection = (String) mEapCaCertSpinner.getSelectedItem(); -+ if (caCertSelection.equals(mDoNotValidateEapServerString)) { -+ // Display warning if user chooses not to validate the EAP server with a -+ // user-supplied CA certificate in an EAP network configuration. -+ mView.findViewById(R.id.no_ca_cert_warning).setVisibility(View.VISIBLE); -+ } else if (!caCertSelection.equals(mUnspecifiedCertString) -+ && mEapDomainView != null - && mView.findViewById(R.id.l_domain).getVisibility() != View.GONE - && TextUtils.isEmpty(mEapDomainView.getText().toString())) { - // Display warning if user chooses to use a certificate without restricting the -@@ -723,7 +734,8 @@ public class WifiConfigController2 implements TextWatcher, - config.enterpriseConfig.setCaCertificateAliases(null); - config.enterpriseConfig.setCaPath(null); - config.enterpriseConfig.setDomainSuffixMatch(mEapDomainView.getText().toString()); -- if (caCert.equals(mUnspecifiedCertString)) { -+ if (caCert.equals(mUnspecifiedCertString) -+ || caCert.equals(mDoNotValidateEapServerString)) { - // ca_cert already set to null, so do nothing. - } else if (mIsTrustOnFirstUseSupported && caCert.equals(mTrustOnFirstUse)) { - config.enterpriseConfig.enableTrustOnFirstUse(true); -@@ -758,7 +770,8 @@ public class WifiConfigController2 implements TextWatcher, - } - - // Only set certificate option if there is a valid CA certificate. -- if (caCert.equals(mUnspecifiedCertString)) { -+ if (caCert.equals(mUnspecifiedCertString) -+ || caCert.equals(mDoNotValidateEapServerString)) { - config.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_NONE); - config.enterpriseConfig.setMinimumTlsVersion(WifiEnterpriseConfig.TLS_V1_0); - } else { -@@ -1067,7 +1080,7 @@ public class WifiConfigController2 implements TextWatcher, - loadCertificates( - mEapCaCertSpinner, - androidKeystoreAliasLoader.getCaCertAliases(), -- null /* noCertificateString */, -+ mDoNotValidateEapServerString /* noCertificateString */, - false /* showMultipleCerts */, - true /* showUsePreinstalledCertOption */); - loadCertificates( -@@ -1153,7 +1166,7 @@ public class WifiConfigController2 implements TextWatcher, - && enterpriseConfig.isTrustOnFirstUseEnabled()) { - setSelection(mEapCaCertSpinner, mTrustOnFirstUse); - } else { -- setSelection(mEapCaCertSpinner, mUnspecifiedCertString); -+ setSelection(mEapCaCertSpinner, mDoNotValidateEapServerString); - } - } else if (caCerts.length == 1) { - setSelection(mEapCaCertSpinner, caCerts[0]); -@@ -1164,7 +1177,7 @@ public class WifiConfigController2 implements TextWatcher, - loadCertificates( - mEapCaCertSpinner, - androidKeystoreAliasLoader.getCaCertAliases(), -- null /* noCertificateString */, -+ mDoNotValidateEapServerString /* noCertificateString */, - true /* showMultipleCerts */, - true /* showUsePreinstalledCertOption */); - setSelection(mEapCaCertSpinner, mMultipleCertSetString); -@@ -1306,7 +1319,8 @@ public class WifiConfigController2 implements TextWatcher, - String eapCertSelection = (String) mEapCaCertSpinner.getSelectedItem(); - if (eapCertSelection.equals(mUnspecifiedCertString) - || (mIsTrustOnFirstUseSupported -- && eapCertSelection.equals(mTrustOnFirstUse))) { -+ && eapCertSelection.equals(mTrustOnFirstUse)) -+ || eapCertSelection.equals(mUnspecifiedCertString)) { - setMinTlsVerInvisible(); - // Domain suffix matching is not relevant if the user hasn't chosen a CA - // certificate yet, or chooses not to validate the EAP server. -@@ -1590,8 +1604,7 @@ public class WifiConfigController2 implements TextWatcher, - }).collect(Collectors.toList())); - } - -- if (!TextUtils.isEmpty(noCertificateString) -- && mWifiEntrySecurity != WifiEntry.SECURITY_EAP_SUITE_B) { -+ if (mWifiEntrySecurity != WifiEntry.SECURITY_EAP_SUITE_B) { - certs.add(noCertificateString); - } - --- -2.34.1 -