xref: /system/connectivity/shill/test-rpc-proxy/proxy_rpc_security_types.h

//
// Copyright (C) 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

#ifndef PROXY_RPC_SECURITY_TYPES_H
#define PROXY_RPC_SECURITY_TYPES_H

#include <string>

#include <XmlRpcValue.h>

#include <brillo/variant_dictionary.h>

// Abstracts the security configuration for a WiFi network.
// This bundle of credentials can be passed to both HostapConfig and
// AssociationParameters so that both shill and hostapd can set up and connect
// to an encrypted WiFi network. By default, we'll assume we're connecting
// to an open network.
class SecurityConfig {
 public:
  enum WpaModeType {
    kWpaModePure = 1,
    kWpaModePure_2 = 2,
    kWpaModeMixed = kWpaModePure | kWpaModePure_2,
    kWpaModeDefault = kWpaModeMixed,
  };
  enum AuthAlgorithmType {
    kAuthAlgorithmTypeOpen = 1,
    kAuthAlgorithmTypeShared = 2,
    kAuthAlgorithmTypeDefault = kAuthAlgorithmTypeOpen
  };
  static const char kDefaultSecurity[];

  // This function creates the appropriate |SecurityConfig| subclass
  // object from the incoming RPC data.
  static std::unique_ptr<SecurityConfig> CreateSecurityConfigObject(
      XmlRpc::XmlRpcValue* xml_rpc_value_in);
  SecurityConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in);
  virtual ~SecurityConfig() = default;
  virtual void GetServiceProperties(brillo::VariantDictionary* properties);

  std::string security_;
};

// Abstracts security configuration for a WiFi network using static WEP.
// Open system authentication means that we don"t do a 4 way AUTH handshake,
// and simply start using the WEP keys after association finishes.
class WEPConfig : public SecurityConfig {
 public:
  WEPConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in);
  virtual void GetServiceProperties(brillo::VariantDictionary* properties) override;

 private:
  std::vector<std::string> wep_keys_;
  int wep_default_key_index_;
  int auth_algorithm_;
};

// Abstracts security configuration for a WPA encrypted WiFi network.
class WPAConfig : public SecurityConfig {
 public:
  WPAConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in);
  void GetServiceProperties(brillo::VariantDictionary* properties) override;

  static const int kMaxPskSize;

 private:
  std::string psk_;
  int wpa_mode_;
  std::vector<std::string> wpa_ciphers_;
  std::vector<std::string> wpa2_ciphers_;
  int wpa_ptk_rekey_period_seconds_;
  int wpa_gtk_rekey_period_seconds_;
  int wpa_gmk_rekey_period_seconds_;
  bool use_strict_rekey_;
};

// Abstract superclass that implements certificate/key installation.
class EAPConfig : public SecurityConfig {
 public:
  static const char kDefaultEapUsers[];
  static const char kDefaultEAPIdentity[];
  static int last_tmp_id;

  EAPConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in);
  void GetServiceProperties(brillo::VariantDictionary* properties) override;

 private:
  bool use_system_cas_;
  std::string server_ca_cert_;
  std::string server_cert_;
  std::string server_key_;
  std::string server_eap_users;
  std::string client_ca_cert_;
  std::string client_cert_;
  std::string client_key_;
  std::string server_ca_cert_file_path_;
  std::string server_cert_file_path_;
  std::string server_key_file_path_;
  std::string server_eap_user_file_path_;
  std::string file_path_suffix_;
  std::string client_cert_id_;
  std::string client_key_id_;
  std::string pin_;
  std::string client_cert_slot_id_;
  std::string client_key_slot_id_;
  std::string eap_identity_;
};

// Configuration settings bundle for dynamic WEP.
// This is a WEP encrypted connection where the keys are negotiated after the
// client authenticates via 802.1x.
class DynamicWEPConfig : public EAPConfig {
 public:
  static const int kDefaultKeyPeriod;

  DynamicWEPConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in);
  void GetServiceProperties(brillo::VariantDictionary* properties) override;

 private:
  bool use_short_keys_;
  int wep_rekey_period_seconds_;
};

// Security type to set up a WPA connection via EAP-TLS negotiation.
class WPAEAPConfig : public EAPConfig {
 public:
  WPAEAPConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in);
  void GetServiceProperties(brillo::VariantDictionary* properties) override;

 private:
  bool use_short_keys_;
  WpaModeType wpa_mode_;
};

// Security type to set up a TTLS/PEAP connection.
// Both PEAP and TTLS are tunneled protocols which use EAP inside of a TLS
// secured tunnel.  The secured tunnel is a symmetric key encryption scheme
// negotiated under the protection of a public key in the server certificate.
// Thus, we"ll see server credentials in the form of certificates, but client
// credentials in the form of passwords and a CA Cert to root the trust chain.
class Tunneled1xConfig : public WPAEAPConfig {
 public:
  static const char kTTLSPrefix[];
  static const char kLayer1TypePEAP[];
  static const char kLayer1TypeTTLS[];
  static const char kLayer2TypeGTC[];
  static const char kLayer2TypeMSCHAPV2[];
  static const char kLayer2TypeMD5[];
  static const char kLayer2TypeTTLSMSCHAPV2[];
  static const char kLayer2TypeTTLSMSCHAP[];
  static const char kLayer2TypeTTLSPAP[];

  Tunneled1xConfig(XmlRpc::XmlRpcValue* xml_rpc_value_in);
  void GetServiceProperties(brillo::VariantDictionary* properties) override;

 private:
  std::string password_;
  std::string inner_protocol_;
};

#endif // PROXY_RPC_SECURITY_TYPES_H