1# Copyright (c) 2013 The Chromium OS Authors. All rights reserved. 2# Use of this source code is governed by a BSD-style license that can be 3# found in the LICENSE file. 4 5import logging 6 7from autotest_lib.client.bin import utils 8from autotest_lib.client.cros import network_chroot 9from autotest_lib.client.common_lib.cros import site_eap_certs 10 11class VPNServer(object): 12 """Context enclosing the use of a VPN server instance.""" 13 14 def __enter__(self): 15 self.start_server() 16 return self 17 18 19 def __exit__(self, exception, value, traceback): 20 logging.info('Log contents: %s', self.get_log_contents()) 21 self.stop_server() 22 23 24class L2TPIPSecVPNServer(VPNServer): 25 """Implementation of an L2TP/IPSec VPN. Uses ipsec starter and xl2tpd.""" 26 ROOT_DIRECTORIES = ('etc/ipsec.d', 'etc/ipsec.d/cacerts', 27 'etc/ipsec.d/certs', 'etc/ipsec.d/crls', 28 'etc/ipsec.d/private', 'etc/ppp', 'etc/xl2tpd') 29 CHAP_USER = 'chapuser' 30 CHAP_SECRET = 'chapsecret' 31 IPSEC_COMMAND = '/usr/sbin/ipsec' 32 IPSEC_LOGFILE = 'var/log/charon.log' 33 IPSEC_PRESHARED_KEY = 'preshared-key' 34 IPSEC_CA_CERTIFICATE = 'etc/ipsec.d/cacerts/ca.cert' 35 IPSEC_SERVER_CERTIFICATE = 'etc/ipsec.d/certs/server.cert' 36 PPPD_PID_FILE = 'run/ppp0.pid' 37 XAUTH_USER = 'xauth_user' 38 XAUTH_PASSWORD = 'xauth_password' 39 XAUTH_SECONDARY_AUTHENTICATION_STANZA = 'rightauth2=xauth' 40 XL2TPD_COMMAND = '/usr/sbin/xl2tpd' 41 XL2TPD_CONFIG_FILE = 'etc/xl2tpd/xl2tpd.conf' 42 XL2TPD_PID_FILE = 'run/xl2tpd.pid' 43 SERVER_IP_ADDRESS = '192.168.1.99' 44 IPSEC_COMMON_CONFIGS = { 45 'etc/strongswan.conf' : 46 'charon {\n' 47 ' filelog {\n' 48 ' test_vpn {\n' 49 ' path = %(charon-logfile)s\n' 50 ' default = 3\n' 51 ' time_format = %%b %%e %%T\n' 52 ' }\n' 53 ' }\n' 54 ' install_routes = no\n' 55 ' ignore_routing_tables = 0\n' 56 ' routing_table = 0\n' 57 '}\n', 58 59 'etc/passwd' : 60 'root:x:0:0:root:/root:/bin/bash\n' 61 'ipsec:*:212:212::/dev/null:/bin/false\n', 62 63 'etc/group' : 64 'ipsec:x:212:\n', 65 66 XL2TPD_CONFIG_FILE : 67 '[global]\n' 68 '\n' 69 '[lns default]\n' 70 ' ip range = 192.168.1.128-192.168.1.254\n' 71 ' local ip = 192.168.1.99\n' 72 ' require chap = yes\n' 73 ' refuse pap = yes\n' 74 ' require authentication = yes\n' 75 ' name = LinuxVPNserver\n' 76 ' ppp debug = yes\n' 77 ' pppoptfile = /etc/ppp/options.xl2tpd\n' 78 ' length bit = yes\n', 79 80 'etc/xl2tpd/l2tp-secrets' : 81 '* them l2tp-secret', 82 83 'etc/ppp/chap-secrets' : 84 '%(chap-user)s * %(chap-secret)s *', 85 86 'etc/ppp/options.xl2tpd' : 87 'ipcp-accept-local\n' 88 'ipcp-accept-remote\n' 89 'noccp\n' 90 'auth\n' 91 'crtscts\n' 92 'idle 1800\n' 93 'mtu 1410\n' 94 'mru 1410\n' 95 'nodefaultroute\n' 96 'debug\n' 97 'lock\n' 98 'proxyarp\n' 99 } 100 IPSEC_TYPED_CONFIGS = { 101 'psk': { 102 'etc/ipsec.conf' : 103 'config setup\n' 104 ' charondebug="%(charon-debug-flags)s"\n' 105 'conn L2TP\n' 106 ' keyexchange=ikev1\n' 107 ' ike=aes128-sha1-modp2048!\n' 108 ' esp=3des-sha1!\n' 109 ' type=transport\n' 110 ' authby=psk\n' 111 ' %(xauth-stanza)s\n' 112 ' rekey=no\n' 113 ' left=%(local-ip)s\n' 114 ' leftprotoport=17/1701\n' 115 ' right=%%any\n' 116 ' rightprotoport=17/%%any\n' 117 ' auto=add\n', 118 119 'etc/ipsec.secrets' : 120 '%(local-ip)s %%any : PSK "%(preshared-key)s"\n' 121 '%(xauth-user)s : XAUTH "%(xauth-password)s"\n', 122 }, 123 'cert': { 124 'etc/ipsec.conf' : 125 'config setup\n' 126 ' charondebug="%(charon-debug-flags)s"\n' 127 'conn L2TP\n' 128 ' keyexchange=ikev1\n' 129 ' ike=aes128-sha1-modp2048!\n' 130 ' esp=3des-sha1!\n' 131 ' type=transport\n' 132 ' left=%(local-ip)s\n' 133 ' leftcert=server.cert\n' 134 ' leftid="C=US, ST=California, L=Mountain View, ' 135 'CN=chromelab-wifi-testbed-server.mtv.google.com"\n' 136 ' leftprotoport=17/1701\n' 137 ' right=%%any\n' 138 ' rightca="C=US, ST=California, L=Mountain View, ' 139 'CN=chromelab-wifi-testbed-root.mtv.google.com"\n' 140 ' rightprotoport=17/%%any\n' 141 ' auto=add\n', 142 143 'etc/ipsec.secrets' : ': RSA server.key ""\n', 144 145 IPSEC_SERVER_CERTIFICATE : site_eap_certs.server_cert_1, 146 IPSEC_CA_CERTIFICATE : site_eap_certs.ca_cert_1, 147 'etc/ipsec.d/private/server.key' : 148 site_eap_certs.server_private_key_1, 149 }, 150 } 151 152 """Implementation of an L2TP/IPSec server instance.""" 153 def __init__(self, auth_type, interface_name, address, network_prefix, 154 perform_xauth_authentication=False, 155 local_ip_is_public_ip=False): 156 self._auth_type = auth_type 157 self._chroot = network_chroot.NetworkChroot(interface_name, 158 address, network_prefix) 159 self._perform_xauth_authentication = perform_xauth_authentication 160 161 if local_ip_is_public_ip: 162 self.IPSEC_COMMON_CONFIGS[self.XL2TPD_CONFIG_FILE] = \ 163 self.IPSEC_COMMON_CONFIGS[self.XL2TPD_CONFIG_FILE].replace( 164 self.SERVER_IP_ADDRESS, address) 165 self.SERVER_IP_ADDRESS = address 166 167 168 def start_server(self): 169 """Start VPN server instance""" 170 if self._auth_type not in self.IPSEC_TYPED_CONFIGS: 171 raise RuntimeError('L2TP/IPSec type %s is not define' % 172 self._auth_type) 173 chroot = self._chroot 174 chroot.add_root_directories(self.ROOT_DIRECTORIES) 175 chroot.add_config_templates(self.IPSEC_COMMON_CONFIGS) 176 chroot.add_config_templates(self.IPSEC_TYPED_CONFIGS[self._auth_type]) 177 chroot.add_config_values({ 178 'chap-user': self.CHAP_USER, 179 'chap-secret': self.CHAP_SECRET, 180 'charon-debug-flags': 'dmn 2, mgr 2, ike 2, net 2', 181 'charon-logfile': self.IPSEC_LOGFILE, 182 'preshared-key': self.IPSEC_PRESHARED_KEY, 183 'xauth-user': self.XAUTH_USER, 184 'xauth-password': self.XAUTH_PASSWORD, 185 'xauth-stanza': self.XAUTH_SECONDARY_AUTHENTICATION_STANZA 186 if self._perform_xauth_authentication else '', 187 }) 188 chroot.add_startup_command('%s start' % self.IPSEC_COMMAND) 189 chroot.add_startup_command('%s -c /%s -C /tmp/l2tpd.control' % 190 (self.XL2TPD_COMMAND, 191 self.XL2TPD_CONFIG_FILE)) 192 chroot.startup() 193 194 195 def stop_server(self): 196 """Start VPN server instance""" 197 chroot = self._chroot 198 chroot.run([self.IPSEC_COMMAND, 'stop'], ignore_status=True) 199 chroot.kill_pid_file(self.XL2TPD_PID_FILE, missing_ok=True) 200 chroot.kill_pid_file(self.PPPD_PID_FILE, missing_ok=True) 201 chroot.shutdown() 202 203 204 def get_log_contents(self): 205 """Return all logs related to the chroot.""" 206 return self._chroot.get_log_contents() 207 208 209class OpenVPNServer(VPNServer): 210 """Implementation of an OpenVPN service.""" 211 PRELOAD_MODULES = ('tun',) 212 ROOT_DIRECTORIES = ('etc/openvpn',) 213 CA_CERTIFICATE_FILE = 'etc/openvpn/ca.crt' 214 SERVER_CERTIFICATE_FILE = 'etc/openvpn/server.crt' 215 SERVER_KEY_FILE = 'etc/openvpn/server.key' 216 DIFFIE_HELLMAN_FILE = 'etc/openvpn/diffie-hellman.pem' 217 OPENVPN_COMMAND = '/usr/sbin/openvpn' 218 OPENVPN_CONFIG_FILE = 'etc/openvpn/openvpn.conf' 219 OPENVPN_PID_FILE = 'run/openvpn.pid' 220 OPENVPN_STATUS_FILE = 'tmp/openvpn.status' 221 AUTHENTICATION_SCRIPT = 'etc/openvpn_authentication_script.sh' 222 EXPECTED_AUTHENTICATION_FILE = 'etc/openvpn_expected_authentication.txt' 223 PASSWORD = 'password' 224 USERNAME = 'username' 225 SERVER_IP_ADDRESS = '10.11.12.1' 226 # TODO b:169251326 terms below are set outside of this codebase 227 # and should be updated when possible. ("blacklist" -> "blocklist") 228 CONFIGURATION = { 229 'etc/ssl/blacklist' : '', 230 CA_CERTIFICATE_FILE : site_eap_certs.ca_cert_1, 231 SERVER_CERTIFICATE_FILE : site_eap_certs.server_cert_1, 232 SERVER_KEY_FILE : site_eap_certs.server_private_key_1, 233 DIFFIE_HELLMAN_FILE : site_eap_certs.dh1024_pem_key_1, 234 AUTHENTICATION_SCRIPT : 235 '#!/bin/bash\n' 236 'diff -q $1 %(expected-authentication-file)s\n', 237 EXPECTED_AUTHENTICATION_FILE : '%(username)s\n%(password)s\n', 238 OPENVPN_CONFIG_FILE : 239 'ca /%(ca-cert)s\n' 240 'cert /%(server-cert)s\n' 241 'dev tun\n' 242 'dh /%(diffie-hellman-params-file)s\n' 243 'keepalive 10 120\n' 244 'local %(local-ip)s\n' 245 'log /var/log/openvpn.log\n' 246 'ifconfig-pool-persist /tmp/ipp.txt\n' 247 'key /%(server-key)s\n' 248 'persist-key\n' 249 'persist-tun\n' 250 'port 1194\n' 251 'proto udp\n' 252 'server 10.11.12.0 255.255.255.0\n' 253 'status /%(status-file)s\n' 254 'verb 5\n' 255 'writepid /%(pid-file)s\n' 256 '%(optional-user-verification)s\n' 257 } 258 259 def __init__(self, interface_name, address, network_prefix, 260 perform_username_authentication=False): 261 self._chroot = network_chroot.NetworkChroot(interface_name, 262 address, network_prefix) 263 self._perform_username_authentication = perform_username_authentication 264 265 266 def start_server(self): 267 """Start VPN server instance""" 268 chroot = self._chroot 269 chroot.add_root_directories(self.ROOT_DIRECTORIES) 270 # Create a configuration template from the key-value pairs. 271 chroot.add_config_templates(self.CONFIGURATION) 272 config_values = { 273 'ca-cert': self.CA_CERTIFICATE_FILE, 274 'diffie-hellman-params-file': self.DIFFIE_HELLMAN_FILE, 275 'expected-authentication-file': self.EXPECTED_AUTHENTICATION_FILE, 276 'optional-user-verification': '', 277 'password': self.PASSWORD, 278 'pid-file': self.OPENVPN_PID_FILE, 279 'server-cert': self.SERVER_CERTIFICATE_FILE, 280 'server-key': self.SERVER_KEY_FILE, 281 'status-file': self.OPENVPN_STATUS_FILE, 282 'username': self.USERNAME, 283 } 284 if self._perform_username_authentication: 285 config_values['optional-user-verification'] = ( 286 'auth-user-pass-verify /%s via-file\nscript-security 2' % 287 self.AUTHENTICATION_SCRIPT) 288 chroot.add_config_values(config_values) 289 chroot.add_startup_command('chmod 755 %s' % self.AUTHENTICATION_SCRIPT) 290 chroot.add_startup_command('%s --config /%s &' % 291 (self.OPENVPN_COMMAND, 292 self.OPENVPN_CONFIG_FILE)) 293 chroot.add_environment({ 294 'OPENSSL_CONF': '/etc/ssl/openssl.cnf.compat', 295 'OPENSSL_CHROMIUM_SKIP_TRUSTED_PURPOSE_CHECK': '1' 296 }); 297 self.preload_modules() 298 chroot.startup() 299 300 301 def preload_modules(self): 302 """Pre-load modules since they can't be loaded from chroot.""" 303 for module in self.PRELOAD_MODULES: 304 utils.system('modprobe %s' % module) 305 306 307 def get_log_contents(self): 308 """Return all logs related to the chroot.""" 309 return self._chroot.get_log_contents() 310 311 312 def stop_server(self): 313 """Start VPN server instance""" 314 chroot = self._chroot 315 chroot.kill_pid_file(self.OPENVPN_PID_FILE, missing_ok=True) 316 chroot.shutdown() 317