authorNate Jiang <qiangjiang@google.com>2020-06-03 15:14:14 -0700
committerNate Jiang <qiangjiang@google.com>2020-06-05 11:30:02 -0700
commitcdd9dbff03f7c7712f68d80f67390a4f03001158 (patch)
treedf7e6d2c4dabd252811f12f848b737909e35ba46
parent590b4f71df5ffb5ef17da48e9d73b919de85b002 (diff)
[Suggestion] block insecure Enterprise suggestion
Block adding and connecting to insecure Enterprise suggestion. Bug: 157822251 Test: atest com.android.server.wifi Change-Id: Ic0741df81a5b50b4e9f98e17d95262946a659118
-rw-r--r--service/java/com/android/server/wifi/NetworkSuggestionNominator.java5
-rw-r--r--service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java6
-rw-r--r--tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java8
-rw-r--r--tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java42
-rw-r--r--tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java1
-rw-r--r--tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java7
-rw-r--r--tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java19
7 files changed, 83 insertions, 5 deletions
diff --git a/service/java/com/android/server/wifi/NetworkSuggestionNominator.java b/service/java/com/android/server/wifi/NetworkSuggestionNominator.java
index fbc1f5fdb..b174be5e0 100644
--- a/service/java/com/android/server/wifi/NetworkSuggestionNominator.java
+++ b/service/java/com/android/server/wifi/NetworkSuggestionNominator.java
@@ -145,6 +145,11 @@ public class NetworkSuggestionNominator implements WifiNetworkSelector.NetworkNo
}
Set<ExtendedWifiNetworkSuggestion> autojoinEnableSuggestions = new HashSet<>();
for (ExtendedWifiNetworkSuggestion ewns : matchingExtNetworkSuggestions) {
+ // Ignore insecure enterprise config.
+ if (ewns.wns.wifiConfiguration.isEnterprise()
+ && ewns.wns.wifiConfiguration.enterpriseConfig.isInsecure()) {
+ continue;
+ }
// If untrusted network is not allowed, ignore untrusted suggestion.
WifiConfiguration config = ewns.wns.wifiConfiguration;
if (!untrustedNetworkAllowed && !config.trusted) {
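Review bot: The new guard at the top of the nomination loop drops an insecure enterprise suggestion with a bare `continue`, so a suggestion that was accepted before this check existed stops auto-joining with nothing in the log to say why. A log line before the `continue`, using whatever logging this class already has, would make that diagnosable in a bug report. The guard also spells out `ewns.wns.wifiConfiguration` twice just above the line that declares `config`; moving `WifiConfiguration config = ewns.wns.wifiConfiguration;` to the top of the loop body lets it read `if (config.isEnterprise() && config.enterpriseConfig.isInsecure())`. The loop body continues outside this hunk, so whether other connection paths to a stored suggestion pass through this filter cannot be judged from here.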
diff --git a/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java b/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java
index 5d5a7d782..464ced0ad 100644
--- a/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java
+++ b/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java
@@ -993,6 +993,12 @@ public class WifiNetworkSuggestionsManager {
WifiConfigurationUtil.VALIDATE_FOR_ADD)) {
return false;
}
+ if (wns.wifiConfiguration.isEnterprise()
+ && wns.wifiConfiguration.enterpriseConfig.isInsecure()) {
+ Log.e(TAG, "Insecure enterprise suggestion is invalid.");
+ return false;
+ }
+
} else {
if (!wns.passpointConfiguration.validate()) {
return false;
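Review bot: The rejection added before `} else {` has no comment saying what makes a suggestion insecure, and its only trace is `Log.e(TAG, "Insecure enterprise suggestion is invalid.")`, which does not identify the network or the suggesting app. A comment such as `// Enterprise suggestions must carry server-validation settings (CA and domain match); see WifiEnterpriseConfig#isInsecure.` would help; the wording is inferred from the tests in this commit, which cover a missing CA path and an empty domain suffix match. The caller only sees the generic invalid status that the new manager test expects, so the API documentation should mention this rejection reason. The same two-part condition is repeated in NetworkSuggestionNominator, and a small shared helper would keep the two checks in step. The enclosing method starts and ends outside this hunk.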
diff --git a/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java b/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java
index 80dfd7ae5..c59c8c441 100644
--- a/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java
@@ -183,8 +183,8 @@ public class NetworkListStoreDataTest extends WifiBaseTest {
+ "<string name=\"EngineId\"></string>\n"
+ "<string name=\"PrivateKeyId\"></string>\n"
+ "<string name=\"AltSubjectMatch\"></string>\n"
- + "<string name=\"DomSuffixMatch\"></string>\n"
- + "<string name=\"CaPath\"></string>\n"
+ + "<string name=\"DomSuffixMatch\">%s</string>\n"
+ + "<string name=\"CaPath\">%s</string>\n"
+ "<int name=\"EapMethod\" value=\"2\" />\n"
+ "<int name=\"Phase2Method\" value=\"0\" />\n"
+ "<string name=\"PLMN\"></string>\n"
@@ -413,7 +413,9 @@ public class NetworkListStoreDataTest extends WifiBaseTest {
eapNetwork.getKey().replaceAll("\"", "&quot;"),
eapNetwork.SSID.replaceAll("\"", "&quot;"),
eapNetwork.shared, eapNetwork.creatorUid,
- eapNetwork.creatorName, eapNetwork.getRandomizedMacAddress());
+ eapNetwork.creatorName, eapNetwork.getRandomizedMacAddress(),
+ eapNetwork.enterpriseConfig.getDomainSuffixMatch(),
+ eapNetwork.enterpriseConfig.getCaPath());
String saeNetworkXml = String.format(SINGLE_SAE_NETWORK_DATA_XML_STRING_FORMAT,
saeNetwork.getKey().replaceAll("\"", "&quot;"),
saeNetwork.SSID.replaceAll("\"", "&quot;"),
diff --git a/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java b/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java
index 94b14ecff..9c5631882 100644
--- a/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java
@@ -163,12 +163,50 @@ public class NetworkSuggestionNominatorTest extends WifiBaseTest {
connectableNetworks.add(Pair.create(scanDetail, configuration));
});
-
validateConnectableNetworks(connectableNetworks, scanSsids[0]);
-
verifyAddToWifiConfigManager(suggestions[0].wns.wifiConfiguration);
}
+ @Test
+ public void testSelectNetworkSuggestionForOneMatchWithInsecureEnterpriseSuggestion() {
+ String[] scanSsids = {"test1"};
+ String[] bssids = {"6c:f3:7f:ae:8c:f3"};
+ int[] freqs = {2470};
+ String[] caps = {"[WPA2-EAP-CCMP][ESS]"};
+ int[] levels = {-67};
+ String[] suggestionSsids = {"\"" + scanSsids[0] + "\""};
+ int[] securities = {SECURITY_EAP};
+ boolean[] appInteractions = {true};
+ boolean[] meteredness = {true};
+ int[] priorities = {-1};
+ int[] uids = {TEST_UID};
+ String[] packageNames = {TEST_PACKAGE};
+ boolean[] autojoin = {true};
+ boolean[] shareWithUser = {true};
+
+ ScanDetail[] scanDetails =
+ buildScanDetails(scanSsids, bssids, freqs, caps, levels, mClock);
+ ExtendedWifiNetworkSuggestion[] suggestions = buildNetworkSuggestions(suggestionSsids,
+ securities, appInteractions, meteredness, priorities, uids,
+ packageNames, autojoin, shareWithUser);
+ WifiConfiguration config = suggestions[0].wns.wifiConfiguration;
+ config.enterpriseConfig.setCaPath(null);
+ // Link the scan result with suggestions.
+ linkScanDetailsWithNetworkSuggestions(scanDetails, suggestions);
+ // setup config manager interactions.
+ setupAddToWifiConfigManager(suggestions[0].wns.wifiConfiguration);
+
+ List<Pair<ScanDetail, WifiConfiguration>> connectableNetworks = new ArrayList<>();
+ mNetworkSuggestionNominator.nominateNetworks(
+ Arrays.asList(scanDetails), null, null, true, false,
+ (ScanDetail scanDetail, WifiConfiguration configuration) -> {
+ connectableNetworks.add(Pair.create(scanDetail, configuration));
+ });
+
+ // Verify no network is nominated.
+ assertTrue(connectableNetworks.isEmpty());
+ }
+
/**
* Ensure that we nominate the all network suggestion corresponding to the scan results
* Expected connectable Networks: {suggestionSsids[0], suggestionSsids[1]}
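Review bot: `testSelectNetworkSuggestionForOneMatchWithInsecureEnterpriseSuggestion` has no Javadoc, although the neighbouring tests carry one; something like `/** Ensure that an enterprise suggestion without a CA path is never nominated. */` would match them. The test stubs the config-manager interaction with `setupAddToWifiConfigManager(...)` but asserts only `connectableNetworks.isEmpty()`. A negative verification that the config manager was never asked to add the network would pin the security property more tightly than the callback list alone. Only the `setCaPath(null)` case is exercised here; the empty domain suffix match case that the manager test covers has no nominator-side counterpart.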
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java b/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
index d1e476b6f..dcd0fa8c5 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java
@@ -1682,6 +1682,7 @@ public class WifiConfigManagerTest extends WifiBaseTest {
assertAndSetNetworkEnterprisePassword(network, "test");
verifyUpdateNetworkToWifiConfigManagerWithoutIpChange(network);
+ network.enterpriseConfig.setCaPath(WifiConfigurationTestUtil.TEST_CA_CERT_PATH);
WifiConfigurationTestUtil.assertConfigurationEqualForConfigManagerAddOrUpdate(
network, mWifiConfigManager.getConfiguredNetworkWithPassword(network.networkId));
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java b/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java
index b991104f3..5a03d1411 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java
@@ -86,6 +86,8 @@ public class WifiConfigurationTestUtil {
public static final String TEST_STATIC_PROXY_EXCLUSION_LIST = "";
public static final String TEST_PAC_PROXY_LOCATION = "http://";
public static final String TEST_CA_CERT_ALIAS = "WifiConfigurationTestUtilCaCertAlias";
+ public static final String TEST_CA_CERT_PATH = "caPath";
+ public static final String TEST_DOM_SUBJECT_MATCH = "domSubjectMatch";
private static final int MAX_SSID_LENGTH = 32;
/**
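Review bot: The new constant `TEST_DOM_SUBJECT_MATCH = "domSubjectMatch"` is only ever passed to `setDomainSuffixMatch(...)` in the four later hunks of this file, so its name and value describe a different field from the one it populates. Renaming it to `TEST_DOM_SUFFIX_MATCH = "domSuffixMatch"` would avoid confusion with the alt-subject-match setting, which appears as a separate `AltSubjectMatch` entry in the store-data fixture. A one-line comment on both new constants would also help, noting that they exist so the default test EAP configs are not classed as insecure.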
@@ -162,6 +164,8 @@ public class WifiConfigurationTestUtil {
config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
config.enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TTLS);
+ config.enterpriseConfig.setCaPath(TEST_CA_CERT_PATH);
+ config.enterpriseConfig.setDomainSuffixMatch(TEST_DOM_SUBJECT_MATCH);
}
if ((security & SECURITY_EAP_SUITE_B) != 0) {
@@ -488,6 +492,7 @@ public class WifiConfigurationTestUtil {
config.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC);
config.setCaCertificateAliases(new String[] {TEST_CA_CERT_ALIAS + "PEAP"});
config.setCaCertificates(new X509Certificate[] {FakeKeys.CA_CERT0, FakeKeys.CA_CERT1});
+ config.setDomainSuffixMatch(TEST_DOM_SUBJECT_MATCH);
return config;
}
@@ -497,6 +502,7 @@ public class WifiConfigurationTestUtil {
config.setPhase2Method(WifiEnterpriseConfig.Phase2.NONE);
config.setCaCertificateAliases(new String[] {TEST_CA_CERT_ALIAS + "TLS"});
config.setCaCertificates(new X509Certificate[] {FakeKeys.CA_CERT0, FakeKeys.CA_CERT1});
+ config.setDomainSuffixMatch(TEST_DOM_SUBJECT_MATCH);
return config;
}
@@ -504,6 +510,7 @@ public class WifiConfigurationTestUtil {
WifiEnterpriseConfig config = new WifiEnterpriseConfig();
config.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
config.setPhase2Method(WifiEnterpriseConfig.Phase2.AKA);
+ config.setDomainSuffixMatch(TEST_DOM_SUBJECT_MATCH);
return config;
}
diff --git a/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java b/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
index e7e866084..38a0026df 100644
--- a/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
+++ b/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java
@@ -429,6 +429,25 @@ public class WifiNetworkSuggestionsManagerTest extends WifiBaseTest {
verify(mLruConnectionTracker).removeNetwork(any());
}
+ @Test
+ public void testAddInsecureEnterpriseNetworkSuggestion() {
+ WifiNetworkSuggestion networkSuggestion = new WifiNetworkSuggestion(
+ WifiConfigurationTestUtil.createEapNetwork(), null, false, false, true, true);
+ networkSuggestion.wifiConfiguration.enterpriseConfig.setCaPath(null);
+ List<WifiNetworkSuggestion> networkSuggestionList = Arrays.asList(networkSuggestion);
+ assertEquals(WifiManager.STATUS_NETWORK_SUGGESTIONS_ERROR_ADD_INVALID,
+ mWifiNetworkSuggestionsManager.add(networkSuggestionList, TEST_UID_1,
+ TEST_PACKAGE_1, TEST_FEATURE));
+
+ networkSuggestion = new WifiNetworkSuggestion(
+ WifiConfigurationTestUtil.createEapNetwork(), null, false, false, true, true);
+ networkSuggestion.wifiConfiguration.enterpriseConfig.setDomainSuffixMatch("");
+ networkSuggestionList = Arrays.asList(networkSuggestion);
+ assertEquals(WifiManager.STATUS_NETWORK_SUGGESTIONS_ERROR_ADD_INVALID,
+ mWifiNetworkSuggestionsManager.add(networkSuggestionList, TEST_UID_1,
+ TEST_PACKAGE_1, TEST_FEATURE));
+ }
+
/**
* Verify successful removal of all network suggestions.
*/
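Review bot: `testAddInsecureEnterpriseNetworkSuggestion` checks only the returned status for its two cases (`setCaPath(null)` and `setDomainSuffixMatch("")`) and never asserts that the manager stored nothing. A follow-up assertion that the stored suggestion set is still empty after each `add(...)` would catch a regression in which the status is returned but the suggestion is kept. The test also lacks the Javadoc its neighbours have; `/** Verify that adding an enterprise suggestion without a CA path or domain suffix match is rejected as invalid. */` would fit. Splitting the two cases into separate tests would make a failure point at the specific missing field.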