1 # Copyright (c) 2013 The Chromium OS Authors. All rights reserved. 2 # Use of this source code is governed by a BSD-style license that can be 3 # found in the LICENSE file. 4 5 import logging 6 7 from autotest_lib.client.bin import utils 8 from autotest_lib.client.cros import network_chroot 9 from autotest_lib.client.common_lib.cros import site_eap_certs 10 11 class VPNServer(object): 12 """Context enclosing the use of a VPN server instance.""" 13 14 def __enter__(self): 15 self.start_server() 16 return self 17 18 19 def __exit__(self, exception, value, traceback): 20 logging.info('Log contents: %s', self.get_log_contents()) 21 self.stop_server() 22 23 24 class L2TPIPSecVPNServer(VPNServer): 25 """Implementation of an L2TP/IPSec VPN. Uses ipsec starter and xl2tpd.""" 26 PRELOAD_MODULES = ('af_key', 'ah4', 'esp4', 'ipcomp', 'xfrm_user', 27 'xfrm4_tunnel') 28 ROOT_DIRECTORIES = ('etc/ipsec.d', 'etc/ipsec.d/cacerts', 29 'etc/ipsec.d/certs', 'etc/ipsec.d/crls', 30 'etc/ipsec.d/private', 'etc/ppp', 'etc/xl2tpd') 31 CHAP_USER = 'chapuser' 32 CHAP_SECRET = 'chapsecret' 33 IPSEC_COMMAND = '/usr/sbin/ipsec' 34 IPSEC_LOGFILE = 'var/log/charon.log' 35 IPSEC_PRESHARED_KEY = 'preshared-key' 36 IPSEC_CA_CERTIFICATE = 'etc/ipsec.d/cacerts/ca.cert' 37 IPSEC_SERVER_CERTIFICATE = 'etc/ipsec.d/certs/server.cert' 38 PPPD_PID_FILE = 'var/run/ppp0.pid' 39 XAUTH_USER = 'xauth_user' 40 XAUTH_PASSWORD = 'xauth_password' 41 XAUTH_SECONDARY_AUTHENTICATION_STANZA = 'rightauth2=xauth' 42 XL2TPD_COMMAND = '/usr/sbin/xl2tpd' 43 XL2TPD_CONFIG_FILE = 'etc/xl2tpd/xl2tpd.conf' 44 XL2TPD_PID_FILE = 'var/run/xl2tpd.pid' 45 SERVER_IP_ADDRESS = '192.168.1.99' 46 IPSEC_COMMON_CONFIGS = { 47 'etc/strongswan.conf' : 48 'charon {\n' 49 ' filelog {\n' 50 ' %(charon-logfile)s {\n' 51 ' time_format = %%b %%e %%T\n' 52 ' default = 3\n' 53 ' }\n' 54 ' }\n' 55 ' install_routes = no\n' 56 ' ignore_routing_tables = 0\n' 57 ' routing_table = 0\n' 58 '}\n', 59 60 'etc/passwd' : 61 'root:x:0:0:root:/root:/bin/bash\n' 62 'ipsec:*:212:212::/dev/null:/bin/false\n', 63 64 'etc/group' : 65 'ipsec:x:212:\n', 66 67 XL2TPD_CONFIG_FILE : 68 '[global]\n' 69 '\n' 70 '[lns default]\n' 71 ' ip range = 192.168.1.128-192.168.1.254\n' 72 ' local ip = 192.168.1.99\n' 73 ' require chap = yes\n' 74 ' refuse pap = yes\n' 75 ' require authentication = yes\n' 76 ' name = LinuxVPNserver\n' 77 ' ppp debug = yes\n' 78 ' pppoptfile = /etc/ppp/options.xl2tpd\n' 79 ' length bit = yes\n', 80 81 'etc/xl2tpd/l2tp-secrets' : 82 '* them l2tp-secret', 83 84 'etc/ppp/chap-secrets' : 85 '%(chap-user)s * %(chap-secret)s *', 86 87 'etc/ppp/options.xl2tpd' : 88 'ipcp-accept-local\n' 89 'ipcp-accept-remote\n' 90 'noccp\n' 91 'auth\n' 92 'crtscts\n' 93 'idle 1800\n' 94 'mtu 1410\n' 95 'mru 1410\n' 96 'nodefaultroute\n' 97 'debug\n' 98 'lock\n' 99 'proxyarp\n' 100 } 101 IPSEC_TYPED_CONFIGS = { 102 'psk': { 103 'etc/ipsec.conf' : 104 'config setup\n' 105 ' charondebug="%(charon-debug-flags)s"\n' 106 'conn L2TP\n' 107 ' keyexchange=ikev1\n' 108 ' authby=psk\n' 109 ' %(xauth-stanza)s\n' 110 ' rekey=no\n' 111 ' left=%(local-ip)s\n' 112 ' leftprotoport=17/1701\n' 113 ' right=%%any\n' 114 ' rightprotoport=17/%%any\n' 115 ' auto=add\n', 116 117 'etc/ipsec.secrets' : 118 '%(local-ip)s %%any : PSK "%(preshared-key)s"\n' 119 '%(xauth-user)s : XAUTH "%(xauth-password)s"\n', 120 }, 121 'cert': { 122 'etc/ipsec.conf' : 123 'config setup\n' 124 ' charondebug="%(charon-debug-flags)s"\n' 125 'conn L2TP\n' 126 ' keyexchange=ikev1\n' 127 ' left=%(local-ip)s\n' 128 ' leftcert=server.cert\n' 129 ' leftid="C=US, ST=California, L=Mountain View, ' 130 'CN=chromelab-wifi-testbed-server.mtv.google.com"\n' 131 ' leftprotoport=17/1701\n' 132 ' right=%%any\n' 133 ' rightca="C=US, ST=California, L=Mountain View, ' 134 'CN=chromelab-wifi-testbed-root.mtv.google.com"\n' 135 ' rightprotoport=17/%%any\n' 136 ' auto=add\n', 137 138 'etc/ipsec.secrets' : ': RSA server.key ""\n', 139 140 IPSEC_SERVER_CERTIFICATE : site_eap_certs.server_cert_1, 141 IPSEC_CA_CERTIFICATE : site_eap_certs.ca_cert_1, 142 'etc/ipsec.d/private/server.key' : 143 site_eap_certs.server_private_key_1, 144 }, 145 } 146 147 """Implementation of an L2TP/IPSec server instance.""" 148 def __init__(self, auth_type, interface_name, address, network_prefix, 149 perform_xauth_authentication=False): 150 self._auth_type = auth_type 151 self._chroot = network_chroot.NetworkChroot(interface_name, 152 address, network_prefix) 153 self._perform_xauth_authentication = perform_xauth_authentication 154 155 156 def start_server(self): 157 """Start VPN server instance""" 158 if self._auth_type not in self.IPSEC_TYPED_CONFIGS: 159 raise RuntimeError('L2TP/IPSec type %s is not define' % 160 self._auth_type) 161 chroot = self._chroot 162 chroot.add_root_directories(self.ROOT_DIRECTORIES) 163 chroot.add_config_templates(self.IPSEC_COMMON_CONFIGS) 164 chroot.add_config_templates(self.IPSEC_TYPED_CONFIGS[self._auth_type]) 165 chroot.add_config_values({ 166 'chap-user': self.CHAP_USER, 167 'chap-secret': self.CHAP_SECRET, 168 'charon-debug-flags': 'dmn 2, mgr 2, ike 2, net 2', 169 'charon-logfile': self.IPSEC_LOGFILE, 170 'preshared-key': self.IPSEC_PRESHARED_KEY, 171 'xauth-user': self.XAUTH_USER, 172 'xauth-password': self.XAUTH_PASSWORD, 173 'xauth-stanza': self.XAUTH_SECONDARY_AUTHENTICATION_STANZA 174 if self._perform_xauth_authentication else '', 175 }) 176 chroot.add_startup_command('%s start' % self.IPSEC_COMMAND) 177 chroot.add_startup_command('%s -c /%s -C /tmp/l2tpd.control' % 178 (self.XL2TPD_COMMAND, 179 self.XL2TPD_CONFIG_FILE)) 180 self.preload_modules() 181 chroot.startup() 182 183 184 def stop_server(self): 185 """Start VPN server instance""" 186 chroot = self._chroot 187 chroot.run([self.IPSEC_COMMAND, 'stop'], ignore_status=True) 188 chroot.kill_pid_file(self.XL2TPD_PID_FILE, missing_ok=True) 189 chroot.kill_pid_file(self.PPPD_PID_FILE, missing_ok=True) 190 chroot.shutdown() 191 192 193 def get_log_contents(self): 194 """Return all logs related to the chroot.""" 195 return self._chroot.get_log_contents() 196 197 198 def preload_modules(self): 199 """Pre-load ipsec modules since they can't be loaded from chroot.""" 200 for module in self.PRELOAD_MODULES: 201 utils.system('modprobe %s' % module) 202 203 204 class OpenVPNServer(VPNServer): 205 """Implementation of an OpenVPN service.""" 206 PRELOAD_MODULES = ('tun',) 207 ROOT_DIRECTORIES = ('etc/openvpn', 'etc/ssl') 208 CA_CERTIFICATE_FILE = 'etc/openvpn/ca.crt' 209 SERVER_CERTIFICATE_FILE = 'etc/openvpn/server.crt' 210 SERVER_KEY_FILE = 'etc/openvpn/server.key' 211 DIFFIE_HELLMAN_FILE = 'etc/openvpn/diffie-hellman.pem' 212 OPENVPN_COMMAND = '/usr/sbin/openvpn' 213 OPENVPN_CONFIG_FILE = 'etc/openvpn/openvpn.conf' 214 OPENVPN_PID_FILE = 'var/run/openvpn.pid' 215 OPENVPN_STATUS_FILE = 'tmp/openvpn.status' 216 AUTHENTICATION_SCRIPT = 'etc/openvpn_authentication_script.sh' 217 EXPECTED_AUTHENTICATION_FILE = 'etc/openvpn_expected_authentication.txt' 218 PASSWORD = 'password' 219 USERNAME = 'username' 220 SERVER_IP_ADDRESS = '10.11.12.1' 221 CONFIGURATION = { 222 'etc/ssl/blacklist' : '', 223 CA_CERTIFICATE_FILE : site_eap_certs.ca_cert_1, 224 SERVER_CERTIFICATE_FILE : site_eap_certs.server_cert_1, 225 SERVER_KEY_FILE : site_eap_certs.server_private_key_1, 226 DIFFIE_HELLMAN_FILE : site_eap_certs.dh1024_pem_key_1, 227 AUTHENTICATION_SCRIPT : 228 '#!/bin/bash\n' 229 'diff -q $1 %(expected-authentication-file)s\n', 230 EXPECTED_AUTHENTICATION_FILE : '%(username)s\n%(password)s\n', 231 OPENVPN_CONFIG_FILE : 232 'ca /%(ca-cert)s\n' 233 'cert /%(server-cert)s\n' 234 'dev tun\n' 235 'dh /%(diffie-hellman-params-file)s\n' 236 'keepalive 10 120\n' 237 'local %(local-ip)s\n' 238 'log /var/log/openvpn.log\n' 239 'ifconfig-pool-persist /tmp/ipp.txt\n' 240 'key /%(server-key)s\n' 241 'persist-key\n' 242 'persist-tun\n' 243 'port 1194\n' 244 'proto udp\n' 245 'server 10.11.12.0 255.255.255.0\n' 246 'status /%(status-file)s\n' 247 'verb 5\n' 248 'writepid /%(pid-file)s\n' 249 '%(optional-user-verification)s\n' 250 } 251 252 def __init__(self, interface_name, address, network_prefix, 253 perform_username_authentication=False): 254 self._chroot = network_chroot.NetworkChroot(interface_name, 255 address, network_prefix) 256 self._perform_username_authentication = perform_username_authentication 257 258 259 def start_server(self): 260 """Start VPN server instance""" 261 chroot = self._chroot 262 chroot.add_root_directories(self.ROOT_DIRECTORIES) 263 # Create a configuration template from the key-value pairs. 264 chroot.add_config_templates(self.CONFIGURATION) 265 config_values = { 266 'ca-cert': self.CA_CERTIFICATE_FILE, 267 'diffie-hellman-params-file': self.DIFFIE_HELLMAN_FILE, 268 'expected-authentication-file': self.EXPECTED_AUTHENTICATION_FILE, 269 'optional-user-verification': '', 270 'password': self.PASSWORD, 271 'pid-file': self.OPENVPN_PID_FILE, 272 'server-cert': self.SERVER_CERTIFICATE_FILE, 273 'server-key': self.SERVER_KEY_FILE, 274 'status-file': self.OPENVPN_STATUS_FILE, 275 'username': self.USERNAME, 276 } 277 if self._perform_username_authentication: 278 config_values['optional-user-verification'] = ( 279 'auth-user-pass-verify /%s via-file\nscript-security 2' % 280 self.AUTHENTICATION_SCRIPT) 281 chroot.add_config_values(config_values) 282 chroot.add_startup_command('chmod 755 %s' % self.AUTHENTICATION_SCRIPT) 283 chroot.add_startup_command('%s --config /%s &' % 284 (self.OPENVPN_COMMAND, 285 self.OPENVPN_CONFIG_FILE)) 286 self.preload_modules() 287 chroot.startup() 288 289 290 def preload_modules(self): 291 """Pre-load modules since they can't be loaded from chroot.""" 292 for module in self.PRELOAD_MODULES: 293 utils.system('modprobe %s' % module) 294 295 296 def get_log_contents(self): 297 """Return all logs related to the chroot.""" 298 return self._chroot.get_log_contents() 299 300 301 def stop_server(self): 302 """Start VPN server instance""" 303 chroot = self._chroot 304 chroot.kill_pid_file(self.OPENVPN_PID_FILE, missing_ok=True) 305 chroot.shutdown() 306