1 // 2 // Copyright (C) 2015 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 // 16 17 #ifndef PROXY_RPC_SECURITY_TYPES_H 18 #define PROXY_RPC_SECURITY_TYPES_H 19 20 #include <string> 21 22 #include <XmlRpcValue.h> 23 24 #include <brillo/variant_dictionary.h> 25 26 // Abstracts the security configuration for a WiFi network. 27 // This bundle of credentials can be passed to both HostapConfig and 28 // AssociationParameters so that both shill and hostapd can set up and connect 29 // to an encrypted WiFi network. By default, we'll assume we're connecting 30 // to an open network. 31 class SecurityConfig { 32 public: 33 enum WpaModeType { 34 kWpaModePure = 1, 35 kWpaModePure_2 = 2, 36 kWpaModeMixed = kWpaModePure | kWpaModePure_2, 37 kWpaModeDefault = kWpaModeMixed, 38 }; 39 enum AuthAlgorithmType { 40 kAuthAlgorithmTypeOpen = 1, 41 kAuthAlgorithmTypeShared = 2, 42 kAuthAlgorithmTypeDefault = kAuthAlgorithmTypeOpen 43 }; 44 static const char kDefaultSecurity[]; 45 46 // This function creates the appropriate |SecurityConfig| subclass 47 // object from the incoming RPC data. 48 static std::unique_ptr<SecurityConfig> CreateSecurityConfigObject( 49 XmlRpc::XmlRpcValue* xml_rpc_value_in); 50 SecurityConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in); 51 virtual ~SecurityConfig() = default; 52 virtual void GetServiceProperties(brillo::VariantDictionary* properties); 53 54 std::string security_; 55 }; 56 57 // Abstracts security configuration for a WiFi network using static WEP. 58 // Open system authentication means that we don"t do a 4 way AUTH handshake, 59 // and simply start using the WEP keys after association finishes. 60 class WEPConfig : public SecurityConfig { 61 public: 62 WEPConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in); 63 virtual void GetServiceProperties(brillo::VariantDictionary* properties) override; 64 65 private: 66 std::vector<std::string> wep_keys_; 67 int wep_default_key_index_; 68 int auth_algorithm_; 69 }; 70 71 // Abstracts security configuration for a WPA encrypted WiFi network. 72 class WPAConfig : public SecurityConfig { 73 public: 74 WPAConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in); 75 void GetServiceProperties(brillo::VariantDictionary* properties) override; 76 77 static const int kMaxPskSize; 78 79 private: 80 std::string psk_; 81 int wpa_mode_; 82 std::vector<std::string> wpa_ciphers_; 83 std::vector<std::string> wpa2_ciphers_; 84 int wpa_ptk_rekey_period_seconds_; 85 int wpa_gtk_rekey_period_seconds_; 86 int wpa_gmk_rekey_period_seconds_; 87 bool use_strict_rekey_; 88 }; 89 90 // Abstract superclass that implements certificate/key installation. 91 class EAPConfig : public SecurityConfig { 92 public: 93 static const char kDefaultEapUsers[]; 94 static const char kDefaultEAPIdentity[]; 95 static int last_tmp_id; 96 97 EAPConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in); 98 void GetServiceProperties(brillo::VariantDictionary* properties) override; 99 100 private: 101 bool use_system_cas_; 102 std::string server_ca_cert_; 103 std::string server_cert_; 104 std::string server_key_; 105 std::string server_eap_users; 106 std::string client_ca_cert_; 107 std::string client_cert_; 108 std::string client_key_; 109 std::string server_ca_cert_file_path_; 110 std::string server_cert_file_path_; 111 std::string server_key_file_path_; 112 std::string server_eap_user_file_path_; 113 std::string file_path_suffix_; 114 std::string client_cert_id_; 115 std::string client_key_id_; 116 std::string pin_; 117 std::string client_cert_slot_id_; 118 std::string client_key_slot_id_; 119 std::string eap_identity_; 120 }; 121 122 // Configuration settings bundle for dynamic WEP. 123 // This is a WEP encrypted connection where the keys are negotiated after the 124 // client authenticates via 802.1x. 125 class DynamicWEPConfig : public EAPConfig { 126 public: 127 static const int kDefaultKeyPeriod; 128 129 DynamicWEPConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in); 130 void GetServiceProperties(brillo::VariantDictionary* properties) override; 131 132 private: 133 bool use_short_keys_; 134 int wep_rekey_period_seconds_; 135 }; 136 137 // Security type to set up a WPA connection via EAP-TLS negotiation. 138 class WPAEAPConfig : public EAPConfig { 139 public: 140 WPAEAPConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in); 141 void GetServiceProperties(brillo::VariantDictionary* properties) override; 142 143 private: 144 bool use_short_keys_; 145 WpaModeType wpa_mode_; 146 }; 147 148 // Security type to set up a TTLS/PEAP connection. 149 // Both PEAP and TTLS are tunneled protocols which use EAP inside of a TLS 150 // secured tunnel. The secured tunnel is a symmetric key encryption scheme 151 // negotiated under the protection of a public key in the server certificate. 152 // Thus, we"ll see server credentials in the form of certificates, but client 153 // credentials in the form of passwords and a CA Cert to root the trust chain. 154 class Tunneled1xConfig : public WPAEAPConfig { 155 public: 156 static const char kTTLSPrefix[]; 157 static const char kLayer1TypePEAP[]; 158 static const char kLayer1TypeTTLS[]; 159 static const char kLayer2TypeGTC[]; 160 static const char kLayer2TypeMSCHAPV2[]; 161 static const char kLayer2TypeMD5[]; 162 static const char kLayer2TypeTTLSMSCHAPV2[]; 163 static const char kLayer2TypeTTLSMSCHAP[]; 164 static const char kLayer2TypeTTLSPAP[]; 165 166 Tunneled1xConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in); 167 void GetServiceProperties(brillo::VariantDictionary* properties) override; 168 169 private: 170 std::string password_; 171 std::string inner_protocol_; 172 }; 173 174 #endif // PROXY_RPC_SECURITY_TYPES_H 175