author | Nate Jiang <qiangjiang@google.com> | 2020-06-03 15:14:14 -0700 |
---|---|---|
committer | Nate Jiang <qiangjiang@google.com> | 2020-06-05 11:30:02 -0700 |
commit | cdd9dbff03f7c7712f68d80f67390a4f03001158 (patch) | |
tree | df7e6d2c4dabd252811f12f848b737909e35ba46 | |
parent | 590b4f71df5ffb5ef17da48e9d73b919de85b002 (diff) |
[Suggestion] block insecure Enterprise suggestion
Block adding and connecting to insecure Enterprise suggestion.
Bug: 157822251
Test: atest com.android.server.wifi
Change-Id: Ic0741df81a5b50b4e9f98e17d95262946a659118
7 files changed, 83 insertions, 5 deletions
diff --git a/service/java/com/android/server/wifi/NetworkSuggestionNominator.java b/service/java/com/android/server/wifi/NetworkSuggestionNominator.java index fbc1f5fdb..b174be5e0 100644 --- a/service/java/com/android/server/wifi/NetworkSuggestionNominator.java +++ b/service/java/com/android/server/wifi/NetworkSuggestionNominator.java @@ -145,6 +145,11 @@ public class NetworkSuggestionNominator implements WifiNetworkSelector.NetworkNo } Set<ExtendedWifiNetworkSuggestion> autojoinEnableSuggestions = new HashSet<>(); for (ExtendedWifiNetworkSuggestion ewns : matchingExtNetworkSuggestions) { + // Ignore insecure enterprise config. + if (ewns.wns.wifiConfiguration.isEnterprise() + && ewns.wns.wifiConfiguration.enterpriseConfig.isInsecure()) { + continue; + } // If untrusted network is not allowed, ignore untrusted suggestion. WifiConfiguration config = ewns.wns.wifiConfiguration; if (!untrustedNetworkAllowed && !config.trusted) { diff --git a/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java b/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java index 5d5a7d782..464ced0ad 100644 --- a/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java +++ b/service/java/com/android/server/wifi/WifiNetworkSuggestionsManager.java @@ -993,6 +993,12 @@ public class WifiNetworkSuggestionsManager { WifiConfigurationUtil.VALIDATE_FOR_ADD)) { return false; } + if (wns.wifiConfiguration.isEnterprise() + && wns.wifiConfiguration.enterpriseConfig.isInsecure()) { + Log.e(TAG, "Insecure enterprise suggestion is invalid."); + return false; + } + } else { if (!wns.passpointConfiguration.validate()) { return false; diff --git a/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java b/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java index 80dfd7ae5..c59c8c441 100644 --- a/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java 
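Review bot: In the NetworkSuggestionNominator.java hunk the new guard spells out `ewns.wns.wifiConfiguration` twice, directly above the existing `WifiConfiguration config = ewns.wns.wifiConfiguration;`, and it skips the suggestion without logging anything. Hoisting the declaration and writing `if (config.isEnterprise() && config.enterpriseConfig.isInsecure()) {` with a log line before `continue` would make it visible when a suggestion is dropped at nomination time, presumably one that was stored before the add-time validation existed. The same two-part predicate is repeated in the WifiNetworkSuggestionsManager.java hunk, so a single shared helper would keep the add-time and nomination-time checks from drifting apart. The enclosing method starts and ends outside the hunk.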
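Review bot: The `Log.e(TAG, "Insecure enterprise suggestion is invalid.")` message in the WifiNetworkSuggestionsManager.java hunk does not say which requirement failed, while the tests in this commit show the caller only receives `STATUS_NETWORK_SUGGESTIONS_ERROR_ADD_INVALID`. Judging by those tests, a missing CA path and an empty domain suffix match both trigger it, so wording such as `"Enterprise suggestion rejected: server certificate validation is not fully configured"` would be easier to act on. There is also a stray added blank line between the new `if` block and the `} else {`. The Passpoint branch below is validated only through `passpointConfiguration.validate()`; whether that enforces an equivalent server-validation requirement is not visible here and is worth confirming. The enclosing method starts and ends outside the hunk.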
+++ b/tests/wifitests/src/com/android/server/wifi/NetworkListStoreDataTest.java @@ -183,8 +183,8 @@ public class NetworkListStoreDataTest extends WifiBaseTest { + "<string name=\"EngineId\"></string>\n" + "<string name=\"PrivateKeyId\"></string>\n" + "<string name=\"AltSubjectMatch\"></string>\n" - + "<string name=\"DomSuffixMatch\"></string>\n" - + "<string name=\"CaPath\"></string>\n" + + "<string name=\"DomSuffixMatch\">%s</string>\n" + + "<string name=\"CaPath\">%s</string>\n" + "<int name=\"EapMethod\" value=\"2\" />\n" + "<int name=\"Phase2Method\" value=\"0\" />\n" + "<string name=\"PLMN\"></string>\n" @@ -413,7 +413,9 @@ public class NetworkListStoreDataTest extends WifiBaseTest { eapNetwork.getKey().replaceAll("\"", """), eapNetwork.SSID.replaceAll("\"", """), eapNetwork.shared, eapNetwork.creatorUid, - eapNetwork.creatorName, eapNetwork.getRandomizedMacAddress()); + eapNetwork.creatorName, eapNetwork.getRandomizedMacAddress(), + eapNetwork.enterpriseConfig.getDomainSuffixMatch(), + eapNetwork.enterpriseConfig.getCaPath()); String saeNetworkXml = String.format(SINGLE_SAE_NETWORK_DATA_XML_STRING_FORMAT, saeNetwork.getKey().replaceAll("\"", """), saeNetwork.SSID.replaceAll("\"", """), diff --git a/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java b/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java index 94b14ecff..9c5631882 100644 --- a/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java +++ b/tests/wifitests/src/com/android/server/wifi/NetworkSuggestionNominatorTest.java 
@@ -163,12 +163,50 @@ public class NetworkSuggestionNominatorTest extends WifiBaseTest { connectableNetworks.add(Pair.create(scanDetail, configuration)); }); - validateConnectableNetworks(connectableNetworks, scanSsids[0]); - verifyAddToWifiConfigManager(suggestions[0].wns.wifiConfiguration); } + @Test + public void testSelectNetworkSuggestionForOneMatchWithInsecureEnterpriseSuggestion() { + String[] scanSsids = {"test1"}; + String[] bssids = {"6c:f3:7f:ae:8c:f3"}; + int[] freqs = {2470}; + String[] caps = {"[WPA2-EAP-CCMP][ESS]"}; + int[] levels = {-67}; + String[] suggestionSsids = {"\"" + scanSsids[0] + "\""}; + int[] securities = {SECURITY_EAP}; + boolean[] appInteractions = {true}; + boolean[] meteredness = {true}; + int[] priorities = {-1}; + int[] uids = {TEST_UID}; + String[] packageNames = {TEST_PACKAGE}; + boolean[] autojoin = {true}; + boolean[] shareWithUser = {true}; + + ScanDetail[] scanDetails = + buildScanDetails(scanSsids, bssids, freqs, caps, levels, mClock); + ExtendedWifiNetworkSuggestion[] suggestions = buildNetworkSuggestions(suggestionSsids, + securities, appInteractions, meteredness, priorities, uids, + packageNames, autojoin, shareWithUser); + WifiConfiguration config = suggestions[0].wns.wifiConfiguration; + config.enterpriseConfig.setCaPath(null); + // Link the scan result with suggestions. + linkScanDetailsWithNetworkSuggestions(scanDetails, suggestions); + // setup config manager interactions. + setupAddToWifiConfigManager(suggestions[0].wns.wifiConfiguration); + + List<Pair<ScanDetail, WifiConfiguration>> connectableNetworks = new ArrayList<>(); + mNetworkSuggestionNominator.nominateNetworks( + Arrays.asList(scanDetails), null, null, true, false, + (ScanDetail scanDetail, WifiConfiguration configuration) -> { + connectableNetworks.add(Pair.create(scanDetail, configuration)); + }); + + // Verify no network is nominated. 
+ assertTrue(connectableNetworks.isEmpty()); + } + /** * Ensure that we nominate the all network suggestion corresponding to the scan results * Expected connectable Networks: {suggestionSsids[0], suggestionSsids[1]} diff --git a/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java b/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java index d1e476b6f..dcd0fa8c5 100644 --- a/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java +++ b/tests/wifitests/src/com/android/server/wifi/WifiConfigManagerTest.java @@ -1682,6 +1682,7 @@ public class WifiConfigManagerTest extends WifiBaseTest { assertAndSetNetworkEnterprisePassword(network, "test"); verifyUpdateNetworkToWifiConfigManagerWithoutIpChange(network); + network.enterpriseConfig.setCaPath(WifiConfigurationTestUtil.TEST_CA_CERT_PATH); WifiConfigurationTestUtil.assertConfigurationEqualForConfigManagerAddOrUpdate( network, mWifiConfigManager.getConfiguredNetworkWithPassword(network.networkId)); diff --git a/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java b/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java index b991104f3..5a03d1411 100644 --- a/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java +++ b/tests/wifitests/src/com/android/server/wifi/WifiConfigurationTestUtil.java @@ -86,6 +86,8 @@ public class WifiConfigurationTestUtil { public static final String TEST_STATIC_PROXY_EXCLUSION_LIST = ""; public static final String TEST_PAC_PROXY_LOCATION = "http://"; public static final String TEST_CA_CERT_ALIAS = "WifiConfigurationTestUtilCaCertAlias"; + public static final String TEST_CA_CERT_PATH = "caPath"; + public static final String TEST_DOM_SUBJECT_MATCH = "domSubjectMatch"; private static final int MAX_SSID_LENGTH = 32; /** 
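Review bot: The new `testSelectNetworkSuggestionForOneMatchWithInsecureEnterpriseSuggestion` in NetworkSuggestionNominatorTest.java exercises only the `setCaPath(null)` case and asserts only that the callback list is empty. A second case using `config.enterpriseConfig.setDomainSuffixMatch("")`, as the manager test in this commit does, would cover the other rejection path this commit demonstrates. Because the test still calls `setupAddToWifiConfigManager(...)`, it would be stronger to also verify that the config manager was never asked to add the network. The local `config` is declared but `suggestions[0].wns.wifiConfiguration` is written out again two statements later, and the test has no Javadoc while the following test does.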
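Review bot: The constant `TEST_DOM_SUBJECT_MATCH` added in the WifiConfigurationTestUtil.java hunk at `-86,6 +86,8` is passed to `setDomainSuffixMatch(...)` in every later hunk of this file, so its name and value (`"domSubjectMatch"`) point at the wrong field. Renaming it, for example `public static final String TEST_DOM_SUFFIX_MATCH = "domSuffixMatch";`, would avoid confusion with the alt-subject-match setting that also appears in the stored XML. In the last helper hunk (`-504,6 +510,7`, EAP-TLS with `Phase2.AKA`) only the domain suffix match is set and no CA certificate or path is added; if `isInsecure()` also requires a CA for that method, that helper still produces an insecure config, which is worth confirming.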
@@ -162,6 +164,8 @@ public class WifiConfigurationTestUtil { config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP); config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X); config.enterpriseConfig.setEapMethod(WifiEnterpriseConfig.Eap.TTLS); + config.enterpriseConfig.setCaPath(TEST_CA_CERT_PATH); + config.enterpriseConfig.setDomainSuffixMatch(TEST_DOM_SUBJECT_MATCH); } if ((security & SECURITY_EAP_SUITE_B) != 0) { @@ -488,6 +492,7 @@ public class WifiConfigurationTestUtil { config.setPhase2Method(WifiEnterpriseConfig.Phase2.GTC); config.setCaCertificateAliases(new String[] {TEST_CA_CERT_ALIAS + "PEAP"}); config.setCaCertificates(new X509Certificate[] {FakeKeys.CA_CERT0, FakeKeys.CA_CERT1}); + config.setDomainSuffixMatch(TEST_DOM_SUBJECT_MATCH); return config; } @@ -497,6 +502,7 @@ public class WifiConfigurationTestUtil { config.setPhase2Method(WifiEnterpriseConfig.Phase2.NONE); config.setCaCertificateAliases(new String[] {TEST_CA_CERT_ALIAS + "TLS"}); config.setCaCertificates(new X509Certificate[] {FakeKeys.CA_CERT0, FakeKeys.CA_CERT1}); + config.setDomainSuffixMatch(TEST_DOM_SUBJECT_MATCH); return config; } @@ -504,6 +510,7 @@ public class WifiConfigurationTestUtil { WifiEnterpriseConfig config = new WifiEnterpriseConfig(); config.setEapMethod(WifiEnterpriseConfig.Eap.TLS); config.setPhase2Method(WifiEnterpriseConfig.Phase2.AKA); + config.setDomainSuffixMatch(TEST_DOM_SUBJECT_MATCH); return config; } diff --git a/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java b/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java index e7e866084..38a0026df 100644 --- a/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java +++ b/tests/wifitests/src/com/android/server/wifi/WifiNetworkSuggestionsManagerTest.java 
@@ -429,6 +429,25 @@ public class WifiNetworkSuggestionsManagerTest extends WifiBaseTest { verify(mLruConnectionTracker).removeNetwork(any()); } + @Test + public void testAddInsecureEnterpriseNetworkSuggestion() { + WifiNetworkSuggestion networkSuggestion = new WifiNetworkSuggestion( + WifiConfigurationTestUtil.createEapNetwork(), null, false, false, true, true); + networkSuggestion.wifiConfiguration.enterpriseConfig.setCaPath(null); + List<WifiNetworkSuggestion> networkSuggestionList = Arrays.asList(networkSuggestion); + assertEquals(WifiManager.STATUS_NETWORK_SUGGESTIONS_ERROR_ADD_INVALID, + mWifiNetworkSuggestionsManager.add(networkSuggestionList, TEST_UID_1, + TEST_PACKAGE_1, TEST_FEATURE)); + + networkSuggestion = new WifiNetworkSuggestion( + WifiConfigurationTestUtil.createEapNetwork(), null, false, false, true, true); + networkSuggestion.wifiConfiguration.enterpriseConfig.setDomainSuffixMatch(""); + networkSuggestionList = Arrays.asList(networkSuggestion); + assertEquals(WifiManager.STATUS_NETWORK_SUGGESTIONS_ERROR_ADD_INVALID, + mWifiNetworkSuggestionsManager.add(networkSuggestionList, TEST_UID_1, + TEST_PACKAGE_1, TEST_FEATURE)); + } + /** * Verify successful removal of all network suggestions. */ |
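Review bot: Both assertions in `testAddInsecureEnterpriseNetworkSuggestion` expect `STATUS_NETWORK_SUGGESTIONS_ERROR_ADD_INVALID`, which is presumably also what the other validation failures in the same method produce, so the test does not pin the rejection to the insecure-config check. A control step that adds the unmodified `WifiConfigurationTestUtil.createEapNetwork()` suggestion and expects `WifiManager.STATUS_NETWORK_SUGGESTIONS_SUCCESS` before the two mutated cases would close that gap. The test also lacks a Javadoc comment, unlike the neighbouring `/** Verify successful removal of all network suggestions. */`; a one-line summary such as `/** Verify that an enterprise suggestion without CA path or domain suffix match is rejected. */` would match the file.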