1 # Copyright (c) 2013 The Chromium OS Authors. All rights reserved. 2 # Use of this source code is governed by a BSD-style license that can be 3 # found in the LICENSE file. 4 5 import logging 6 7 from autotest_lib.client.bin import utils 8 from autotest_lib.client.cros import network_chroot 9 from autotest_lib.client.common_lib.cros import site_eap_certs 10 11 class VPNServer(object): 12 """Context enclosing the use of a VPN server instance.""" 13 14 def __enter__(self): 15 self.start_server() 16 return self 17 18 19 def __exit__(self, exception, value, traceback): 20 logging.info('Log contents: %s', self.get_log_contents()) 21 self.stop_server() 22 23 24 class L2TPIPSecVPNServer(VPNServer): 25 """Implementation of an L2TP/IPSec VPN. Uses ipsec starter and xl2tpd.""" 26 PRELOAD_MODULES = ('af_key', 'ah4', 'esp4', 'ipcomp', 'xfrm_user', 27 'xfrm4_tunnel') 28 ROOT_DIRECTORIES = ('etc/ipsec.d', 'etc/ipsec.d/cacerts', 29 'etc/ipsec.d/certs', 'etc/ipsec.d/crls', 30 'etc/ipsec.d/private', 'etc/ppp', 'etc/xl2tpd') 31 CHAP_USER = 'chapuser' 32 CHAP_SECRET = 'chapsecret' 33 IPSEC_COMMAND = '/usr/sbin/ipsec' 34 IPSEC_LOGFILE = 'var/log/charon.log' 35 IPSEC_PRESHARED_KEY = 'preshared-key' 36 IPSEC_CA_CERTIFICATE = 'etc/ipsec.d/cacerts/ca.cert' 37 IPSEC_SERVER_CERTIFICATE = 'etc/ipsec.d/certs/server.cert' 38 PPPD_PID_FILE = 'var/run/ppp0.pid' 39 XAUTH_USER = 'xauth_user' 40 XAUTH_PASSWORD = 'xauth_password' 41 XAUTH_SECONDARY_AUTHENTICATION_STANZA = 'rightauth2=xauth' 42 XL2TPD_COMMAND = '/usr/sbin/xl2tpd' 43 XL2TPD_CONFIG_FILE = 'etc/xl2tpd/xl2tpd.conf' 44 XL2TPD_PID_FILE = 'var/run/xl2tpd.pid' 45 SERVER_IP_ADDRESS = '192.168.1.99' 46 IPSEC_COMMON_CONFIGS = { 47 'etc/strongswan.conf' : 48 'charon {\n' 49 ' filelog {\n' 50 ' %(charon-logfile)s {\n' 51 ' time_format = %%b %%e %%T\n' 52 ' default = 3\n' 53 ' }\n' 54 ' }\n' 55 ' install_routes = no\n' 56 ' ignore_routing_tables = 0\n' 57 ' routing_table = 0\n' 58 '}\n', 59 60 'etc/passwd' : 61 'root:x:0:0:root:/root:/bin/bash\n' 62 'ipsec:*:212:212::/dev/null:/bin/false\n', 63 64 'etc/group' : 65 'ipsec:x:212:\n', 66 67 XL2TPD_CONFIG_FILE : 68 '[global]\n' 69 '\n' 70 '[lns default]\n' 71 ' ip range = 192.168.1.128-192.168.1.254\n' 72 ' local ip = 192.168.1.99\n' 73 ' require chap = yes\n' 74 ' refuse pap = yes\n' 75 ' require authentication = yes\n' 76 ' name = LinuxVPNserver\n' 77 ' ppp debug = yes\n' 78 ' pppoptfile = /etc/ppp/options.xl2tpd\n' 79 ' length bit = yes\n', 80 81 'etc/xl2tpd/l2tp-secrets' : 82 '* them l2tp-secret', 83 84 'etc/ppp/chap-secrets' : 85 '%(chap-user)s * %(chap-secret)s *', 86 87 'etc/ppp/options.xl2tpd' : 88 'ipcp-accept-local\n' 89 'ipcp-accept-remote\n' 90 'noccp\n' 91 'auth\n' 92 'crtscts\n' 93 'idle 1800\n' 94 'mtu 1410\n' 95 'mru 1410\n' 96 'nodefaultroute\n' 97 'debug\n' 98 'lock\n' 99 'proxyarp\n' 100 } 101 IPSEC_TYPED_CONFIGS = { 102 'psk': { 103 'etc/ipsec.conf' : 104 'config setup\n' 105 ' charondebug="%(charon-debug-flags)s"\n' 106 'conn L2TP\n' 107 ' keyexchange=ikev1\n' 108 ' ike=aes128-sha1-modp2048!\n' 109 ' esp=3des-sha1!\n' 110 ' type=transport\n' 111 ' authby=psk\n' 112 ' %(xauth-stanza)s\n' 113 ' rekey=no\n' 114 ' left=%(local-ip)s\n' 115 ' leftprotoport=17/1701\n' 116 ' right=%%any\n' 117 ' rightprotoport=17/%%any\n' 118 ' auto=add\n', 119 120 'etc/ipsec.secrets' : 121 '%(local-ip)s %%any : PSK "%(preshared-key)s"\n' 122 '%(xauth-user)s : XAUTH "%(xauth-password)s"\n', 123 }, 124 'cert': { 125 'etc/ipsec.conf' : 126 'config setup\n' 127 ' charondebug="%(charon-debug-flags)s"\n' 128 'conn L2TP\n' 129 ' keyexchange=ikev1\n' 130 ' ike=aes128-sha1-modp2048!\n' 131 ' esp=3des-sha1!\n' 132 ' type=transport\n' 133 ' left=%(local-ip)s\n' 134 ' leftcert=server.cert\n' 135 ' leftid="C=US, ST=California, L=Mountain View, ' 136 'CN=chromelab-wifi-testbed-server.mtv.google.com"\n' 137 ' leftprotoport=17/1701\n' 138 ' right=%%any\n' 139 ' rightca="C=US, ST=California, L=Mountain View, ' 140 'CN=chromelab-wifi-testbed-root.mtv.google.com"\n' 141 ' rightprotoport=17/%%any\n' 142 ' auto=add\n', 143 144 'etc/ipsec.secrets' : ': RSA server.key ""\n', 145 146 IPSEC_SERVER_CERTIFICATE : site_eap_certs.server_cert_1, 147 IPSEC_CA_CERTIFICATE : site_eap_certs.ca_cert_1, 148 'etc/ipsec.d/private/server.key' : 149 site_eap_certs.server_private_key_1, 150 }, 151 } 152 153 """Implementation of an L2TP/IPSec server instance.""" 154 def __init__(self, auth_type, interface_name, address, network_prefix, 155 perform_xauth_authentication=False): 156 self._auth_type = auth_type 157 self._chroot = network_chroot.NetworkChroot(interface_name, 158 address, network_prefix) 159 self._perform_xauth_authentication = perform_xauth_authentication 160 161 162 def start_server(self): 163 """Start VPN server instance""" 164 if self._auth_type not in self.IPSEC_TYPED_CONFIGS: 165 raise RuntimeError('L2TP/IPSec type %s is not define' % 166 self._auth_type) 167 chroot = self._chroot 168 chroot.add_root_directories(self.ROOT_DIRECTORIES) 169 chroot.add_config_templates(self.IPSEC_COMMON_CONFIGS) 170 chroot.add_config_templates(self.IPSEC_TYPED_CONFIGS[self._auth_type]) 171 chroot.add_config_values({ 172 'chap-user': self.CHAP_USER, 173 'chap-secret': self.CHAP_SECRET, 174 'charon-debug-flags': 'dmn 2, mgr 2, ike 2, net 2', 175 'charon-logfile': self.IPSEC_LOGFILE, 176 'preshared-key': self.IPSEC_PRESHARED_KEY, 177 'xauth-user': self.XAUTH_USER, 178 'xauth-password': self.XAUTH_PASSWORD, 179 'xauth-stanza': self.XAUTH_SECONDARY_AUTHENTICATION_STANZA 180 if self._perform_xauth_authentication else '', 181 }) 182 chroot.add_startup_command('%s start' % self.IPSEC_COMMAND) 183 chroot.add_startup_command('%s -c /%s -C /tmp/l2tpd.control' % 184 (self.XL2TPD_COMMAND, 185 self.XL2TPD_CONFIG_FILE)) 186 self.preload_modules() 187 chroot.startup() 188 189 190 def stop_server(self): 191 """Start VPN server instance""" 192 chroot = self._chroot 193 chroot.run([self.IPSEC_COMMAND, 'stop'], ignore_status=True) 194 chroot.kill_pid_file(self.XL2TPD_PID_FILE, missing_ok=True) 195 chroot.kill_pid_file(self.PPPD_PID_FILE, missing_ok=True) 196 chroot.shutdown() 197 198 199 def get_log_contents(self): 200 """Return all logs related to the chroot.""" 201 return self._chroot.get_log_contents() 202 203 204 def preload_modules(self): 205 """Pre-load ipsec modules since they can't be loaded from chroot.""" 206 for module in self.PRELOAD_MODULES: 207 utils.system('modprobe %s' % module) 208 209 210 class OpenVPNServer(VPNServer): 211 """Implementation of an OpenVPN service.""" 212 PRELOAD_MODULES = ('tun',) 213 ROOT_DIRECTORIES = ('etc/openvpn', 'etc/ssl') 214 CA_CERTIFICATE_FILE = 'etc/openvpn/ca.crt' 215 SERVER_CERTIFICATE_FILE = 'etc/openvpn/server.crt' 216 SERVER_KEY_FILE = 'etc/openvpn/server.key' 217 DIFFIE_HELLMAN_FILE = 'etc/openvpn/diffie-hellman.pem' 218 OPENVPN_COMMAND = '/usr/sbin/openvpn' 219 OPENVPN_CONFIG_FILE = 'etc/openvpn/openvpn.conf' 220 OPENVPN_PID_FILE = 'var/run/openvpn.pid' 221 OPENVPN_STATUS_FILE = 'tmp/openvpn.status' 222 AUTHENTICATION_SCRIPT = 'etc/openvpn_authentication_script.sh' 223 EXPECTED_AUTHENTICATION_FILE = 'etc/openvpn_expected_authentication.txt' 224 PASSWORD = 'password' 225 USERNAME = 'username' 226 SERVER_IP_ADDRESS = '10.11.12.1' 227 CONFIGURATION = { 228 'etc/ssl/blacklist' : '', 229 CA_CERTIFICATE_FILE : site_eap_certs.ca_cert_1, 230 SERVER_CERTIFICATE_FILE : site_eap_certs.server_cert_1, 231 SERVER_KEY_FILE : site_eap_certs.server_private_key_1, 232 DIFFIE_HELLMAN_FILE : site_eap_certs.dh1024_pem_key_1, 233 AUTHENTICATION_SCRIPT : 234 '#!/bin/bash\n' 235 'diff -q $1 %(expected-authentication-file)s\n', 236 EXPECTED_AUTHENTICATION_FILE : '%(username)s\n%(password)s\n', 237 OPENVPN_CONFIG_FILE : 238 'ca /%(ca-cert)s\n' 239 'cert /%(server-cert)s\n' 240 'dev tun\n' 241 'dh /%(diffie-hellman-params-file)s\n' 242 'keepalive 10 120\n' 243 'local %(local-ip)s\n' 244 'log /var/log/openvpn.log\n' 245 'ifconfig-pool-persist /tmp/ipp.txt\n' 246 'key /%(server-key)s\n' 247 'persist-key\n' 248 'persist-tun\n' 249 'port 1194\n' 250 'proto udp\n' 251 'server 10.11.12.0 255.255.255.0\n' 252 'status /%(status-file)s\n' 253 'verb 5\n' 254 'writepid /%(pid-file)s\n' 255 '%(optional-user-verification)s\n' 256 } 257 258 def __init__(self, interface_name, address, network_prefix, 259 perform_username_authentication=False): 260 self._chroot = network_chroot.NetworkChroot(interface_name, 261 address, network_prefix) 262 self._perform_username_authentication = perform_username_authentication 263 264 265 def start_server(self): 266 """Start VPN server instance""" 267 chroot = self._chroot 268 chroot.add_root_directories(self.ROOT_DIRECTORIES) 269 # Create a configuration template from the key-value pairs. 270 chroot.add_config_templates(self.CONFIGURATION) 271 config_values = { 272 'ca-cert': self.CA_CERTIFICATE_FILE, 273 'diffie-hellman-params-file': self.DIFFIE_HELLMAN_FILE, 274 'expected-authentication-file': self.EXPECTED_AUTHENTICATION_FILE, 275 'optional-user-verification': '', 276 'password': self.PASSWORD, 277 'pid-file': self.OPENVPN_PID_FILE, 278 'server-cert': self.SERVER_CERTIFICATE_FILE, 279 'server-key': self.SERVER_KEY_FILE, 280 'status-file': self.OPENVPN_STATUS_FILE, 281 'username': self.USERNAME, 282 } 283 if self._perform_username_authentication: 284 config_values['optional-user-verification'] = ( 285 'auth-user-pass-verify /%s via-file\nscript-security 2' % 286 self.AUTHENTICATION_SCRIPT) 287 chroot.add_config_values(config_values) 288 chroot.add_startup_command('chmod 755 %s' % self.AUTHENTICATION_SCRIPT) 289 chroot.add_startup_command('%s --config /%s &' % 290 (self.OPENVPN_COMMAND, 291 self.OPENVPN_CONFIG_FILE)) 292 self.preload_modules() 293 chroot.startup() 294 295 296 def preload_modules(self): 297 """Pre-load modules since they can't be loaded from chroot.""" 298 for module in self.PRELOAD_MODULES: 299 utils.system('modprobe %s' % module) 300 301 302 def get_log_contents(self): 303 """Return all logs related to the chroot.""" 304 return self._chroot.get_log_contents() 305 306 307 def stop_server(self): 308 """Start VPN server instance""" 309 chroot = self._chroot 310 chroot.kill_pid_file(self.OPENVPN_PID_FILE, missing_ok=True) 311 chroot.shutdown() 312
