| // Copyright 2021 The Chromium Authors |
| // Use of this source code is governed by a BSD-style license that can be |
| // found in the LICENSE file. |
| |
| #include "chromeos/components/onc/onc_utils.h" |
| |
| #include <string> |
| #include <vector> |
| |
| #include "base/base64.h" |
| #include "base/json/json_reader.h" |
| #include "base/logging.h" |
| #include "base/notreached.h" |
| #include "base/strings/string_number_conversions.h" |
| #include "base/values.h" |
| #include "chromeos/components/onc/onc_mapper.h" |
| #include "chromeos/components/onc/onc_signature.h" |
| #include "chromeos/components/onc/onc_validator.h" |
| #include "chromeos/components/onc/variable_expander.h" |
| #include "components/device_event_log/device_event_log.h" |
| #include "crypto/encryptor.h" |
| #include "crypto/hmac.h" |
| #include "crypto/symmetric_key.h" |
| #include "net/cert/x509_certificate.h" |
| #include "third_party/boringssl/src/pki/pem.h" |
| |
| namespace chromeos::onc { |
| namespace { |
| |
| using IdToAPNMap = std::map<std::string, const base::Value::Dict*>; |
| |
| // Error messages that can be reported when decrypting encrypted ONC. |
| constexpr char kUnableToDecrypt[] = "Unable to decrypt encrypted ONC"; |
| constexpr char kUnableToDecode[] = "Unable to decode encrypted ONC"; |
| |
| bool GetString(const base::Value::Dict& dict, |
| const char* key, |
| std::string* result) { |
| const std::string* value = dict.FindString(key); |
| if (!value) { |
| return false; |
| } |
| *result = *value; |
| return true; |
| } |
| |
| bool GetInt(const base::Value::Dict& dict, const char* key, int* result) { |
| const std::optional<int> value = dict.FindInt(key); |
| if (!value) { |
| return false; |
| } |
| *result = value.value(); |
| return true; |
| } |
| |
| // Runs |variable_expander.ExpandString| on the field |fieldname| in |
| // |onc_object|. |
| void ExpandField(const std::string& fieldname, |
| const VariableExpander& variable_expander, |
| base::Value::Dict* onc_object) { |
| std::string* field_value = onc_object->FindString(fieldname); |
| if (!field_value) { |
| return; |
| } |
| variable_expander.ExpandString(field_value); |
| } |
| |
| bool CanContainPasswordPlaceholder(const std::string& field_name, |
| const OncValueSignature& object_signature) { |
| return (&object_signature == &kEAPSignature && |
| field_name == ::onc::eap::kPassword) || |
| (&object_signature == &kL2TPSignature && |
| field_name == ::onc::l2tp::kPassword); |
| } |
| |
| bool IsUserLoginPasswordPlaceholder(const std::string& field_name, |
| const OncValueSignature& object_signature, |
| const base::Value& onc_value) { |
| if (!CanContainPasswordPlaceholder(field_name, object_signature)) { |
| return false; |
| } |
| DCHECK(onc_value.is_string()); |
| return onc_value.GetString() == |
| ::onc::substitutes::kPasswordPlaceholderVerbatim; |
| } |
| |
| // A |Mapper| for masking sensitive fields (e.g. credentials such as |
| // passphrases) in ONC. |
| class OncMaskValues : public Mapper { |
| public: |
| static base::Value::Dict Mask(const OncValueSignature& signature, |
| const base::Value::Dict& onc_object, |
| const std::string& mask) { |
| OncMaskValues masker(mask); |
| bool error = false; |
| base::Value::Dict result = masker.MapObject(signature, onc_object, &error); |
| return result; |
| } |
| |
| protected: |
| explicit OncMaskValues(const std::string& mask) : mask_(mask) {} |
| |
| base::Value MapField(const std::string& field_name, |
| const OncValueSignature& object_signature, |
| const base::Value& onc_value, |
| bool* found_unknown_field, |
| bool* error) override { |
| if (FieldIsCredential(object_signature, field_name)) { |
| // If it's the password field and the substitution string is used, don't |
| // mask it. |
| if (IsUserLoginPasswordPlaceholder(field_name, object_signature, |
| onc_value)) { |
| return Mapper::MapField(field_name, object_signature, onc_value, |
| found_unknown_field, error); |
| } |
| return base::Value(mask_); |
| } else { |
| return Mapper::MapField(field_name, object_signature, onc_value, |
| found_unknown_field, error); |
| } |
| } |
| |
| private: |
| // Mask to insert in place of the sensitive values. |
| std::string mask_; |
| }; |
| |
| // Returns a map GUID->PEM of all server and authority certificates defined in |
| // the Certificates section of ONC, which is passed in as |certificates|. |
| CertPEMsByGUIDMap GetServerAndCACertsByGUID( |
| const base::Value::List& certificates) { |
| CertPEMsByGUIDMap certs_by_guid; |
| for (const auto& cert_value : certificates) { |
| const base::Value::Dict& cert = cert_value.GetDict(); |
| |
| const std::string* guid = cert.FindString(::onc::certificate::kGUID); |
| if (!guid || guid->empty()) { |
| NET_LOG(ERROR) << "Certificate with missing or empty GUID."; |
| continue; |
| } |
| const std::string* cert_type = cert.FindString(::onc::certificate::kType); |
| DCHECK(cert_type); |
| if (*cert_type != ::onc::certificate::kServer && |
| *cert_type != ::onc::certificate::kAuthority) { |
| continue; |
| } |
| const std::string* x509_data = cert.FindString(::onc::certificate::kX509); |
| std::string der; |
| if (x509_data) { |
| der = DecodePEM(*x509_data); |
| } |
| std::string pem; |
| if (der.empty() || !net::X509Certificate::GetPEMEncodedFromDER(der, &pem)) { |
| NET_LOG(ERROR) << "Certificate not PEM encoded, GUID: " << *guid; |
| continue; |
| } |
| certs_by_guid[*guid] = pem; |
| } |
| |
| return certs_by_guid; |
| } |
| |
| // Set APN dictionary and associated recommended values to solve the issue |
| // of setting the APN for managed eSIM profiles (see http://b/295226668) in |
| // old APN UI. |
| void SetAPNDictAndRecommendedIfNone(base::Value::Dict& cellular_fields) { |
| if (cellular_fields.Find(::onc::cellular::kAPN)) { |
| return; |
| } |
| |
| auto apn_recommended_list = base::Value::List() |
| .Append(::onc::cellular_apn::kAccessPointName) |
| .Append(::onc::cellular_apn::kAttach) |
| .Append(::onc::cellular_apn::kAuthentication) |
| .Append(::onc::cellular_apn::kUsername) |
| .Append(::onc::cellular_apn::kPassword); |
| |
| base::Value* apn_dict = cellular_fields.Set( |
| ::onc::cellular::kAPN, base::Value(base::Value::Type::DICT)); |
| apn_dict->GetDict().Set(::onc::kRecommended, std::move(apn_recommended_list)); |
| } |
| |
| // Modify recommended list to include custom APN list field to solve the issue |
| // of setting the APN for managed eSIM profiles (see http://b/295226668) in |
| // revamp APN UI. |
| void AddCustomAPNListToRecommended(base::Value::Dict& cellular_fields) { |
| auto* recommended = cellular_fields.Find(::onc::kRecommended); |
| if (!recommended) { |
| recommended = cellular_fields.Set(::onc::kRecommended, |
| base::Value(base::Value::Type::LIST)); |
| } |
| for (const auto& field : recommended->GetList()) { |
| if (field == ::onc::cellular::kCustomAPNList) { |
| return; |
| } |
| } |
| recommended->GetList().Append(::onc::cellular::kCustomAPNList); |
| } |
| |
| void FillInCellularDefaultsInOncObject(const OncValueSignature& signature, |
| base::Value::Dict& onc_object, |
| bool allow_apn_modification) { |
| if (&signature == &kCellularSignature) { |
| if (allow_apn_modification) { |
| AddCustomAPNListToRecommended(onc_object); |
| } else { |
| onc_object.Set(::onc::cellular::kCustomAPNList, base::Value::List()); |
| } |
| SetAPNDictAndRecommendedIfNone(onc_object); |
| |
| return; |
| } |
| |
| // The function takes any ONC object and recursively searches until it finds a |
| // Cellular dictionary to set the default values. |
| for (auto it : onc_object) { |
| if (!it.second.is_dict()) { |
| continue; |
| } |
| |
| const OncFieldSignature* field_signature = |
| GetFieldSignature(signature, it.first); |
| if (!field_signature) { |
| continue; |
| } |
| |
| FillInCellularDefaultsInOncObject(*field_signature->value_signature, |
| it.second.GetDict(), |
| allow_apn_modification); |
| } |
| } |
| |
| // Creates an APN dict with nested recommended field in cellular entries lacking |
| // an APN dict in |network_configs| list. If |allow_apn_modification| is true, |
| // "CustomAPNList" is added as a recommended field to the cellular config, |
| // otherwise, the CustomAPNList field is set to an empty list. |
| void FillInCellularDefaultsInNetworks(base::Value::List& network_configs, |
| bool allow_apn_modification) { |
| for (auto& network : network_configs) { |
| FillInCellularDefaultsInOncObject(kNetworkConfigurationSignature, |
| network.GetDict(), |
| allow_apn_modification); |
| } |
| } |
| |
| // Creates a map from APN IDs to their corresponding configuration dictionaries. |
| IdToAPNMap BuildIdToAPNMap(const base::Value::List* apn_list) { |
| IdToAPNMap apn_map; |
| |
| if (!apn_list) { |
| return apn_map; |
| } |
| |
| for (const base::Value& apn_value : *apn_list) { |
| const base::Value::Dict& apn_dict = apn_value.GetDict(); |
| const std::string* apn_id = apn_dict.FindString(::onc::cellular_apn::kId); |
| |
| if (apn_id) { |
| apn_map.emplace(*apn_id, &apn_dict); |
| } |
| } |
| |
| return apn_map; |
| } |
| |
| // Extracts a list of APN dictionaries based on a provided list of APN IDs, such |
| // that |apn_id_list| is a list of string IDs representing the APNs to extract, |
| // and |apn_map| is a map of all available APN dictionaries with key being APN |
| // ID. Returns a base::List if IDs are successfully extracted and the source is |
| // set successfully, and an std::nullopt otherwise. |
| std::optional<base::Value::List> ExtractAPNsByIdsAndSetAdminSource( |
| const base::Value::List* apn_id_list, |
| const IdToAPNMap& apn_map) { |
| base::Value::List result = base::Value::List(); |
| |
| for (const base::Value& apn_id_value : *apn_id_list) { |
| const std::string apn_id = apn_id_value.GetString(); |
| |
| // Find the APN in the map |
| auto it = apn_map.find(apn_id); |
| if (it == apn_map.end()) { |
| NET_LOG(ERROR) |
| << "Failed to find an admin provided APN associated to an ID of " |
| << apn_id; |
| return std::nullopt; |
| } |
| base::Value::Dict apn_cpy = it->second->Clone(); |
| apn_cpy.Set(::onc::cellular_apn::kSource, |
| ::onc::cellular_apn::kSourceAdmin); |
| |
| result.Append(std::move(apn_cpy)); |
| } |
| |
| return result; |
| } |
| |
| // Updates a cellular network configuration with custom APN information from |
| // admin-assigned APNs. Looks for a list of admin-assigned APN IDs in |
| // |cellular_fields|. If found, it extracts the corresponding APN dictionaries |
| // from |admin_apn_by_id| and sets the CustomAPNList field in |cellular_fields|. |
| // Note that if |admin_apn_by_id| is null, no changes are made to |
| // |cellular_fields|. Also note that each extracted APN will have a |
| // |::onc::cellular_apn::kSource| of |
| // |::onc::cellular_apn::kSourceAdmin|. Returns true if |cellular_fields| are |
| // successfully updated. |
| bool UpdateCellularFieldsWithAdminApns(base::Value::Dict& cellular_fields, |
| const IdToAPNMap& admin_apn_by_id) { |
| const base::Value::List* admin_apn_id_list = |
| cellular_fields.FindList(::onc::cellular::kAdminAssignedAPNIds); |
| if (!admin_apn_id_list) { |
| return true; |
| } |
| |
| if (admin_apn_id_list->empty()) { |
| cellular_fields.Set(::onc::cellular::kCustomAPNList, base::Value::List()); |
| return true; |
| } |
| |
| std::optional<base::Value::List> admin_apns = |
| ExtractAPNsByIdsAndSetAdminSource(admin_apn_id_list, admin_apn_by_id); |
| if (!admin_apns.has_value()) { |
| NET_LOG(ERROR) << "Failed to extract admin APNs"; |
| return false; |
| } |
| |
| cellular_fields.Set(::onc::cellular::kCustomAPNList, std::move(*admin_apns)); |
| return true; |
| } |
| |
| bool ConstructAndSetPSIMAdminAPNs(base::Value::Dict& global_network_config, |
| const IdToAPNMap& admin_apn_by_id) { |
| if (admin_apn_by_id.empty()) { |
| return true; |
| } |
| const base::Value::List* psim_admin_apn_id_list = |
| global_network_config.FindList( |
| ::onc::global_network_config::kPSIMAdminAssignedAPNIds); |
| if (!psim_admin_apn_id_list) { |
| return true; |
| } |
| |
| std::optional<base::Value::List> psim_admin_apns = |
| ExtractAPNsByIdsAndSetAdminSource(psim_admin_apn_id_list, |
| admin_apn_by_id); |
| if (!psim_admin_apns.has_value()) { |
| NET_LOG(ERROR) << "Failed to extract pSIM admin APNs"; |
| return false; |
| } |
| |
| global_network_config.Set( |
| ::onc::global_network_config::kPSIMAdminAssignedAPNs, |
| std::move(*psim_admin_apns)); |
| return true; |
| } |
| |
| // Recursively traverses the |onc_object|, searching for |
| // cellular dictionaries. If found, it updates the 'CustomAPNList' field within |
| // the Cellular dictionary using |admin_apn_by_id| if applicable. |
| // |
| // The recursion is guided by the |signature|, which defines the structure of |
| // the ONC object and helps the function determine which fields to traverse. |
| // Returns true if admin APNs are successfully applied. |
| bool ApplyAdminApnsToOncObject(const OncValueSignature& signature, |
| base::Value::Dict& onc_object, |
| const IdToAPNMap& admin_apn_by_id) { |
| if (&signature == &kCellularSignature) { |
| return UpdateCellularFieldsWithAdminApns(onc_object, admin_apn_by_id); |
| } |
| |
| // The function takes any ONC object and recursively searches until it finds a |
| // Cellular dictionary to set the Custom APN List. |
| for (auto it : onc_object) { |
| if (!it.second.is_dict()) { |
| continue; |
| } |
| |
| const OncFieldSignature* field_signature = |
| GetFieldSignature(signature, it.first); |
| if (!field_signature) { |
| continue; |
| } |
| |
| if (!ApplyAdminApnsToOncObject(*field_signature->value_signature, |
| it.second.GetDict(), admin_apn_by_id)) { |
| return false; |
| } |
| } |
| return true; |
| } |
| |
| // Processes a list of network configurations, identifying those of cellular |
| // type. For each cellular configuration, it associates and embeds the |
| // corresponding admin defined APN details found in |admin_apn_by_id|. This is |
| // achieved by recursively traversing the cellular configuration's structure and |
| // updating the APN information where applicable. |
| // |
| // The function relies on a top-level ONC configuration that contains a list of |
| // APNs provided by administrators. Cellular networks within the configuration |
| // may reference these APNs using unique identifiers (IDs). |
| // |
| // Ultimately, this function ensures that the cellular networks in the provided |
| // |network_configs| list are populated with the complete APN configurations |
| // that they are associated with. Otherwise, it returns false. |
| bool ConfigureAdminApnsInCellularNetworks(base::Value::List& network_configs, |
| const IdToAPNMap& admin_apn_by_id) { |
| if (admin_apn_by_id.empty()) { |
| return true; |
| } |
| for (auto& network : network_configs) { |
| if (!ApplyAdminApnsToOncObject(kNetworkConfigurationSignature, |
| network.GetDict(), admin_apn_by_id)) { |
| return false; |
| } |
| } |
| return true; |
| } |
| |
| // Fills HexSSID fields in all entries in the |network_configs| list. |
| void FillInHexSSIDFieldsInNetworks(base::Value::List& network_configs) { |
| for (auto& network : network_configs) { |
| FillInHexSSIDFieldsInOncObject(kNetworkConfigurationSignature, |
| network.GetDict()); |
| } |
| } |
| |
| // Sets HiddenSSID fields in all entries in the |network_configs| list. |
| void SetHiddenSSIDFieldsInNetworks(base::Value::List& network_configs) { |
| for (auto& network : network_configs) { |
| SetHiddenSSIDFieldInOncObject(kNetworkConfigurationSignature, |
| network.GetDict()); |
| } |
| } |
| |
| // Given a GUID->PEM certificate mapping |certs_by_guid|, looks up the PEM |
| // encoded certificate referenced by |guid_ref|. If a match is found, sets |
| // |*pem_encoded| to the PEM encoded certificate and returns true. Otherwise, |
| // returns false. |
| bool GUIDRefToPEMEncoding(const CertPEMsByGUIDMap& certs_by_guid, |
| const std::string& guid_ref, |
| std::string* pem_encoded) { |
| CertPEMsByGUIDMap::const_iterator it = certs_by_guid.find(guid_ref); |
| if (it == certs_by_guid.end()) { |
| LOG(ERROR) << "Couldn't resolve certificate reference " << guid_ref; |
| return false; |
| } |
| *pem_encoded = it->second; |
| if (pem_encoded->empty()) { |
| LOG(ERROR) << "Couldn't PEM-encode certificate with GUID " << guid_ref; |
| return false; |
| } |
| return true; |
| } |
| |
| // Given a GUID-> PM certificate mapping |certs_by_guid|, attempts to resolve |
| // the certificate referenced by the |key_guid_ref| field in |onc_object|. |
| // * If |onc_object| has no |key_guid_ref| field, returns true. |
| // * If no matching certificate is found in |certs_by_guid|, returns false. |
| // * If a matching certificate is found, removes the |key_guid_ref| field, |
| // fills the |key_pem| field in |onc_object| and returns true. |
| bool ResolveSingleCertRef(const CertPEMsByGUIDMap& certs_by_guid, |
| const std::string& key_guid_ref, |
| const std::string& key_pem, |
| base::Value::Dict& onc_object) { |
| std::string* guid_ref = onc_object.FindString(key_guid_ref); |
| if (!guid_ref) { |
| return true; |
| } |
| |
| std::string pem_encoded; |
| if (!GUIDRefToPEMEncoding(certs_by_guid, *guid_ref, &pem_encoded)) { |
| return false; |
| } |
| |
| onc_object.Remove(key_guid_ref); |
| onc_object.Set(key_pem, pem_encoded); |
| return true; |
| } |
| |
| // Given a GUID-> PM certificate mapping |certs_by_guid|, attempts to resolve |
| // the certificates referenced by the list-of-strings field |key_guid_ref_list| |
| // in |onc_object|. |
| // * If |key_guid_ref_list| does not exist in |onc_object|, returns true. |
| // * If any element |key_guid_ref_list| can not be found in |certs_by_guid|, |
| // aborts processing and returns false. |onc_object| is unchanged in this |
| // case. |
| // * Otherwise, sets |key_pem_list| to be a list-of-strings field in |
| // |onc_object|, containing all PEM encoded resolved certificates in order and |
| // returns true. |
| bool ResolveCertRefList(const CertPEMsByGUIDMap& certs_by_guid, |
| const std::string& key_guid_ref_list, |
| const std::string& key_pem_list, |
| base::Value::Dict& onc_object) { |
| const base::Value::List* guid_ref_list = |
| onc_object.FindList(key_guid_ref_list); |
| if (!guid_ref_list) { |
| return true; |
| } |
| |
| base::Value::List pem_list; |
| for (const auto& entry : *guid_ref_list) { |
| std::string pem_encoded; |
| if (!GUIDRefToPEMEncoding(certs_by_guid, entry.GetString(), &pem_encoded)) { |
| return false; |
| } |
| |
| pem_list.Append(pem_encoded); |
| } |
| |
| onc_object.Remove(key_guid_ref_list); |
| onc_object.Set(key_pem_list, std::move(pem_list)); |
| return true; |
| } |
| |
| // Same as |ResolveSingleCertRef|, but the output |key_pem_list| will be set to |
| // a list with exactly one value when resolution succeeds. |
| bool ResolveSingleCertRefToList(const CertPEMsByGUIDMap& certs_by_guid, |
| const std::string& key_guid_ref, |
| const std::string& key_pem_list, |
| base::Value::Dict& onc_object) { |
| std::string* guid_ref = onc_object.FindString(key_guid_ref); |
| if (!guid_ref) { |
| return true; |
| } |
| |
| std::string pem_encoded; |
| if (!GUIDRefToPEMEncoding(certs_by_guid, *guid_ref, &pem_encoded)) { |
| return false; |
| } |
| |
| base::Value::List pem_list; |
| pem_list.Append(pem_encoded); |
| onc_object.Remove(key_guid_ref); |
| onc_object.Set(key_pem_list, std::move(pem_list)); |
| return true; |
| } |
| |
| // Resolves the reference list at |key_guid_refs| if present and otherwise the |
| // single reference at |key_guid_ref|. Returns whether the respective resolving |
| // was successful. |
| bool ResolveCertRefsOrRefToList(const CertPEMsByGUIDMap& certs_by_guid, |
| const std::string& key_guid_refs, |
| const std::string& key_guid_ref, |
| const std::string& key_pem_list, |
| base::Value::Dict& onc_dict) { |
| if (onc_dict.contains(key_guid_refs)) { |
| if (onc_dict.contains(key_guid_ref)) { |
| LOG(ERROR) << "Found both " << key_guid_refs << " and " << key_guid_ref |
| << ". Ignoring and removing the latter."; |
| onc_dict.Remove(key_guid_ref); |
| } |
| return ResolveCertRefList(certs_by_guid, key_guid_refs, key_pem_list, |
| onc_dict); |
| } |
| |
| // Only resolve |key_guid_ref| if |key_guid_refs| isn't present. |
| return ResolveSingleCertRefToList(certs_by_guid, key_guid_ref, key_pem_list, |
| onc_dict); |
| } |
| |
| // Resolve known server and authority certificate reference fields in |
| // |onc_object|. |
| bool ResolveServerCertRefsInObject(const CertPEMsByGUIDMap& certs_by_guid, |
| const OncValueSignature& signature, |
| base::Value::Dict& onc_object) { |
| if (&signature == &kCertificatePatternSignature) { |
| if (!ResolveCertRefList(certs_by_guid, ::onc::client_cert::kIssuerCARef, |
| ::onc::client_cert::kIssuerCAPEMs, onc_object)) { |
| return false; |
| } |
| } else if (&signature == &kEAPSignature) { |
| if (!ResolveCertRefsOrRefToList(certs_by_guid, ::onc::eap::kServerCARefs, |
| ::onc::eap::kServerCARef, |
| ::onc::eap::kServerCAPEMs, onc_object)) { |
| return false; |
| } |
| } else if (&signature == &kIPsecSignature) { |
| if (!ResolveCertRefsOrRefToList(certs_by_guid, ::onc::ipsec::kServerCARefs, |
| ::onc::ipsec::kServerCARef, |
| ::onc::ipsec::kServerCAPEMs, onc_object)) { |
| return false; |
| } |
| } else if (&signature == &kIPsecSignature || |
| &signature == &kOpenVPNSignature) { |
| if (!ResolveSingleCertRef(certs_by_guid, ::onc::openvpn::kServerCertRef, |
| ::onc::openvpn::kServerCertPEM, onc_object) || |
| !ResolveCertRefsOrRefToList( |
| certs_by_guid, ::onc::openvpn::kServerCARefs, |
| ::onc::openvpn::kServerCARef, ::onc::openvpn::kServerCAPEMs, |
| onc_object)) { |
| return false; |
| } |
| } |
| |
| // Recurse into nested objects. |
| for (auto it : onc_object) { |
| if (!it.second.is_dict()) { |
| continue; |
| } |
| |
| const OncFieldSignature* field_signature = |
| GetFieldSignature(signature, it.first); |
| if (!field_signature) { |
| continue; |
| } |
| |
| if (!ResolveServerCertRefsInObject(certs_by_guid, |
| *field_signature->value_signature, |
| it.second.GetDict())) { |
| return false; |
| } |
| } |
| return true; |
| } |
| |
| } // namespace |
| |
| std::optional<base::Value::Dict> ReadDictionaryFromJson( |
| const std::string& json) { |
| if (json.empty()) { |
| // Policy may contain empty values, just log a debug message. |
| NET_LOG(DEBUG) << "Empty json string"; |
| return std::nullopt; |
| } |
| auto parsed_json = base::JSONReader::ReadAndReturnValueWithError( |
| json, |
| base::JSON_PARSE_CHROMIUM_EXTENSIONS | base::JSON_ALLOW_TRAILING_COMMAS); |
| if (!parsed_json.has_value()) { |
| NET_LOG(ERROR) << "Invalid JSON Dictionary: " |
| << parsed_json.error().message; |
| return std::nullopt; |
| } |
| if (!parsed_json->is_dict()) { |
| NET_LOG(ERROR) << "Invalid JSON Dictionary: Expected a dictionary."; |
| return std::nullopt; |
| } |
| return std::move(*parsed_json).TakeDict(); |
| } |
| |
| std::optional<base::Value::Dict> Decrypt(const std::string& passphrase, |
| const base::Value::Dict& root) { |
| const int kKeySizeInBits = 256; |
| const int kMaxIterationCount = 500000; |
| std::string onc_type; |
| std::string initial_vector; |
| std::string salt; |
| std::string cipher; |
| std::string stretch_method; |
| std::string hmac_method; |
| std::string hmac; |
| int iterations; |
| std::string ciphertext; |
| |
| if (!GetString(root, ::onc::encrypted::kCiphertext, &ciphertext) || |
| !GetString(root, ::onc::encrypted::kCipher, &cipher) || |
| !GetString(root, ::onc::encrypted::kHMAC, &hmac) || |
| !GetString(root, ::onc::encrypted::kHMACMethod, &hmac_method) || |
| !GetString(root, ::onc::encrypted::kIV, &initial_vector) || |
| !GetInt(root, ::onc::encrypted::kIterations, &iterations) || |
| !GetString(root, ::onc::encrypted::kSalt, &salt) || |
| !GetString(root, ::onc::encrypted::kStretch, &stretch_method) || |
| !GetString(root, ::onc::toplevel_config::kType, &onc_type) || |
| onc_type != ::onc::toplevel_config::kEncryptedConfiguration) { |
| NET_LOG(ERROR) << "Encrypted ONC malformed."; |
| return std::nullopt; |
| } |
| |
| if (hmac_method != ::onc::encrypted::kSHA1 || |
| cipher != ::onc::encrypted::kAES256 || |
| stretch_method != ::onc::encrypted::kPBKDF2) { |
| NET_LOG(ERROR) << "Encrypted ONC unsupported encryption scheme."; |
| return std::nullopt; |
| } |
| |
| // Make sure iterations != 0, since that's not valid. |
| if (iterations == 0) { |
| NET_LOG(ERROR) << kUnableToDecrypt; |
| return std::nullopt; |
| } |
| |
| // Simply a sanity check to make sure we can't lock up the machine |
| // for too long with a huge number (or a negative number). |
| if (iterations < 0 || iterations > kMaxIterationCount) { |
| NET_LOG(ERROR) << "Too many iterations in encrypted ONC"; |
| return std::nullopt; |
| } |
| |
| if (!base::Base64Decode(salt, &salt)) { |
| NET_LOG(ERROR) << kUnableToDecode; |
| return std::nullopt; |
| } |
| |
| std::unique_ptr<crypto::SymmetricKey> key( |
| crypto::SymmetricKey::DeriveKeyFromPasswordUsingPbkdf2( |
| crypto::SymmetricKey::AES, passphrase, salt, iterations, |
| kKeySizeInBits)); |
| |
| if (!base::Base64Decode(initial_vector, &initial_vector)) { |
| NET_LOG(ERROR) << kUnableToDecode; |
| return std::nullopt; |
| } |
| if (!base::Base64Decode(ciphertext, &ciphertext)) { |
| NET_LOG(ERROR) << kUnableToDecode; |
| return std::nullopt; |
| } |
| if (!base::Base64Decode(hmac, &hmac)) { |
| NET_LOG(ERROR) << kUnableToDecode; |
| return std::nullopt; |
| } |
| |
| crypto::HMAC hmac_verifier(crypto::HMAC::SHA1); |
| if (!hmac_verifier.Init(key.get()) || |
| !hmac_verifier.Verify(ciphertext, hmac)) { |
| NET_LOG(ERROR) << kUnableToDecrypt; |
| return std::nullopt; |
| } |
| |
| crypto::Encryptor decryptor; |
| if (!decryptor.Init(key.get(), crypto::Encryptor::CBC, initial_vector)) { |
| NET_LOG(ERROR) << kUnableToDecrypt; |
| return std::nullopt; |
| } |
| |
| std::string plaintext; |
| if (!decryptor.Decrypt(ciphertext, &plaintext)) { |
| NET_LOG(ERROR) << kUnableToDecrypt; |
| return std::nullopt; |
| } |
| |
| std::optional<base::Value::Dict> new_root = ReadDictionaryFromJson(plaintext); |
| if (!new_root) { |
| NET_LOG(ERROR) << "Property dictionary malformed."; |
| } |
| return new_root; |
| } |
| |
| std::string GetSourceAsString(::onc::ONCSource source) { |
| switch (source) { |
| case ::onc::ONC_SOURCE_UNKNOWN: |
| return "unknown"; |
| case ::onc::ONC_SOURCE_NONE: |
| return "none"; |
| case ::onc::ONC_SOURCE_DEVICE_POLICY: |
| return "device policy"; |
| case ::onc::ONC_SOURCE_USER_POLICY: |
| return "user policy"; |
| case ::onc::ONC_SOURCE_USER_IMPORT: |
| return "user import"; |
| } |
| NOTREACHED_IN_MIGRATION(); |
| return "unknown"; |
| } |
| |
| void ExpandStringsInOncObject(const OncValueSignature& signature, |
| const VariableExpander& variable_expander, |
| base::Value::Dict* onc_object) { |
| if (&signature == &kEAPSignature) { |
| ExpandField(::onc::eap::kAnonymousIdentity, variable_expander, onc_object); |
| ExpandField(::onc::eap::kIdentity, variable_expander, onc_object); |
| } else if (&signature == &kL2TPSignature || |
| &signature == &kOpenVPNSignature) { |
| ExpandField(::onc::vpn::kUsername, variable_expander, onc_object); |
| } |
| |
| // Recurse into nested objects. |
| for (auto it : *onc_object) { |
| if (!it.second.is_dict()) |
| continue; |
| |
| const OncFieldSignature* field_signature = |
| GetFieldSignature(signature, it.first); |
| if (!field_signature) |
| continue; |
| |
| ExpandStringsInOncObject(*field_signature->value_signature, |
| variable_expander, &it.second.GetDict()); |
| } |
| } |
| |
| void ExpandStringsInNetworks(const VariableExpander& variable_expander, |
| base::Value::List& network_configs) { |
| for (auto& network : network_configs) { |
| ExpandStringsInOncObject(kNetworkConfigurationSignature, variable_expander, |
| &network.GetDict()); |
| } |
| } |
| |
| void FillInCellularCustomAPNListField( |
| base::Value::Dict& cellular_fields, |
| const base::Value::List* custom_apn_list) { |
| if (cellular_fields.Find(::onc::cellular::kCustomAPNList)) { |
| NET_LOG(DEBUG) << "kCustomAPNList found, skipping"; |
| return; |
| } |
| |
| NET_LOG(DEBUG) << "Filling in kCustomAPNList with " |
| << custom_apn_list->DebugString(); |
| cellular_fields.Set(::onc::cellular::kCustomAPNList, |
| custom_apn_list->Clone()); |
| } |
| |
| void FillInCellularCustomAPNListFieldsInOncObject( |
| const OncValueSignature& signature, |
| base::Value::Dict& onc_object, |
| const base::Value::List* custom_apn_list) { |
| if (&signature == &kCellularSignature) { |
| FillInCellularCustomAPNListField(onc_object, custom_apn_list); |
| } |
| |
| for (auto it : onc_object) { |
| if (!it.second.is_dict()) { |
| continue; |
| } |
| |
| const OncFieldSignature* field_signature = |
| GetFieldSignature(signature, it.first); |
| if (!field_signature) { |
| continue; |
| } |
| |
| FillInCellularCustomAPNListFieldsInOncObject( |
| *field_signature->value_signature, it.second.GetDict(), |
| custom_apn_list); |
| } |
| } |
| |
| void FillInHexSSIDFieldsInOncObject(const OncValueSignature& signature, |
| base::Value::Dict& onc_object) { |
| if (&signature == &kWiFiSignature) |
| FillInHexSSIDField(onc_object); |
| |
| // Recurse into nested objects. |
| for (auto it : onc_object) { |
| if (!it.second.is_dict()) |
| continue; |
| |
| const OncFieldSignature* field_signature = |
| GetFieldSignature(signature, it.first); |
| if (!field_signature) |
| continue; |
| |
| FillInHexSSIDFieldsInOncObject(*field_signature->value_signature, |
| it.second.GetDict()); |
| } |
| } |
| |
| void FillInHexSSIDField(base::Value::Dict& wifi_fields) { |
| if (wifi_fields.Find(::onc::wifi::kHexSSID)) { |
| return; |
| } |
| std::string* ssid = wifi_fields.FindString(::onc::wifi::kSSID); |
| if (!ssid) { |
| return; |
| } |
| if (ssid->empty()) { |
| NET_LOG(ERROR) << "Found empty SSID field."; |
| return; |
| } |
| wifi_fields.Set(::onc::wifi::kHexSSID, base::HexEncode(*ssid)); |
| } |
| |
| void SetHiddenSSIDFieldInOncObject(const OncValueSignature& signature, |
| base::Value::Dict& onc_object) { |
| if (&signature == &kWiFiSignature) { |
| SetHiddenSSIDField(onc_object); |
| } |
| |
| // Recurse into nested objects. |
| for (auto it : onc_object) { |
| if (!it.second.is_dict()) { |
| continue; |
| } |
| |
| const OncFieldSignature* field_signature = |
| GetFieldSignature(signature, it.first); |
| if (!field_signature) { |
| continue; |
| } |
| |
| SetHiddenSSIDFieldInOncObject(*field_signature->value_signature, |
| it.second.GetDict()); |
| } |
| } |
| |
| void SetHiddenSSIDField(base::Value::Dict& wifi_fields) { |
| if (wifi_fields.Find(::onc::wifi::kHiddenSSID)) { |
| return; |
| } |
| wifi_fields.Set(::onc::wifi::kHiddenSSID, false); |
| } |
| |
| base::Value::Dict MaskCredentialsInOncObject( |
| const OncValueSignature& signature, |
| const base::Value::Dict& onc_object, |
| const std::string& mask) { |
| return OncMaskValues::Mask(signature, onc_object, mask); |
| } |
| |
| std::string DecodePEM(const std::string& pem_encoded) { |
| // The PEM block header used for DER certificates |
| const char kCertificateHeader[] = "CERTIFICATE"; |
| |
| // This is an older PEM marker for DER certificates. |
| const char kX509CertificateHeader[] = "X509 CERTIFICATE"; |
| |
| std::vector<std::string> pem_headers; |
| pem_headers.push_back(kCertificateHeader); |
| pem_headers.push_back(kX509CertificateHeader); |
| |
| bssl::PEMTokenizer pem_tokenizer(pem_encoded, pem_headers); |
| std::string decoded; |
| if (pem_tokenizer.GetNext()) { |
| decoded = pem_tokenizer.data(); |
| } else { |
| // If we failed to read the data as a PEM file, then try plain base64 decode |
| // in case the PEM marker strings are missing. For this to work, there has |
| // to be no white space, and it has to only contain the base64-encoded data. |
| if (!base::Base64Decode(pem_encoded, &decoded)) { |
| LOG(ERROR) << "Unable to base64 decode X509 data: " << pem_encoded; |
| return std::string(); |
| } |
| } |
| return decoded; |
| } |
| |
| bool ParseAndValidateOncForImport(const std::string& onc_blob, |
| ::onc::ONCSource onc_source, |
| const std::string& passphrase, |
| base::Value::List* network_configs, |
| base::Value::Dict* global_network_config, |
| base::Value::List* certificates) { |
| if (network_configs) { |
| network_configs->clear(); |
| } |
| if (global_network_config) { |
| global_network_config->clear(); |
| } |
| if (certificates) { |
| certificates->clear(); |
| } |
| if (onc_blob.empty()) { |
| return true; |
| } |
| |
| std::optional<base::Value::Dict> toplevel_onc = |
| ReadDictionaryFromJson(onc_blob); |
| if (!toplevel_onc) { |
| NET_LOG(ERROR) << "Not a valid ONC JSON dictionary: " |
| << GetSourceAsString(onc_source); |
| return false; |
| } |
| |
| // Check and see if this is an encrypted ONC file. If so, decrypt it. |
| std::string onc_type; |
| if (GetString(toplevel_onc.value(), ::onc::toplevel_config::kType, |
| &onc_type) && |
| onc_type == ::onc::toplevel_config::kEncryptedConfiguration) { |
| toplevel_onc = Decrypt(passphrase, toplevel_onc.value()); |
| if (!toplevel_onc.has_value()) { |
| NET_LOG(ERROR) << "Unable to decrypt ONC from " |
| << GetSourceAsString(onc_source); |
| return false; |
| } |
| } |
| |
| bool from_policy = (onc_source == ::onc::ONC_SOURCE_USER_POLICY || |
| onc_source == ::onc::ONC_SOURCE_DEVICE_POLICY); |
| |
| // Validate the ONC dictionary. We are liberal and ignore unknown field |
| // names and ignore invalid field names in kRecommended arrays. |
| Validator validator(/*error_on_unknown_field=*/false, |
| /*error_on_wrong_recommended=*/false, |
| /*error_on_missing_field=*/true, |
| /*managed_onc=*/from_policy, |
| /*log_warnings=*/true); |
| validator.SetOncSource(onc_source); |
| |
| Validator::Result validation_result; |
| std::optional<base::Value::Dict> validated_toplevel_onc = |
| validator.ValidateAndRepairObject(&kToplevelConfigurationSignature, |
| toplevel_onc.value(), |
| &validation_result); |
| |
| bool success = true; |
| if (validation_result == Validator::VALID_WITH_WARNINGS) { |
| NET_LOG(DEBUG) << "ONC validation produced warnings: " |
| << GetSourceAsString(onc_source); |
| success = false; |
| } else if (validation_result == Validator::INVALID || |
| !validated_toplevel_onc.has_value()) { |
| NET_LOG(ERROR) << "ONC is invalid and couldn't be repaired: " |
| << GetSourceAsString(onc_source); |
| return false; |
| } |
| |
| if (certificates) { |
| base::Value::List* validated_certs = |
| validated_toplevel_onc->FindList(::onc::toplevel_config::kCertificates); |
| if (validated_certs) |
| *certificates = std::move(*validated_certs); |
| } |
| |
| // Note that this processing is performed even if |network_configs| is |
| // nullptr, because ResolveServerCertRefsInNetworks could affect the return |
| // value of the function (which is supposed to aggregate validation issues in |
| // all segments of the ONC blob). |
| base::Value::List* validated_networks_list = validated_toplevel_onc->FindList( |
| ::onc::toplevel_config::kNetworkConfigurations); |
| |
| base::Value::Dict* validated_global_config = validated_toplevel_onc->FindDict( |
| ::onc::toplevel_config::kGlobalNetworkConfiguration); |
| |
| const IdToAPNMap id_to_apn_map = BuildIdToAPNMap( |
| validated_toplevel_onc->FindList(::onc::toplevel_config::kAdminAPNList)); |
| |
| if (validated_networks_list) { |
| FillInHexSSIDFieldsInNetworks(*validated_networks_list); |
| |
| bool allow_apn_modification = true; |
| if (validated_global_config) { |
| allow_apn_modification = |
| (validated_global_config->FindBool( |
| ::onc::global_network_config::kAllowAPNModification)) |
| .value_or(allow_apn_modification); |
| } |
| |
| FillInCellularDefaultsInNetworks(*validated_networks_list, |
| allow_apn_modification); |
| |
| // Sets the CustomAPNList for cellular networks if an AdminAPNList and |
| // AdminAssignedAPNIds have been specified for a cellular network. |
| if (!ConfigureAdminApnsInCellularNetworks(*validated_networks_list, |
| id_to_apn_map)) { |
| success = false; |
| } |
| |
| // Set HiddenSSID to default value to solve the issue crbug.com/1171837 |
| SetHiddenSSIDFieldsInNetworks(*validated_networks_list); |
| |
| CertPEMsByGUIDMap server_and_ca_certs = |
| GetServerAndCACertsByGUID(*certificates); |
| |
| if (!ResolveServerCertRefsInNetworks(server_and_ca_certs, |
| *validated_networks_list)) { |
| NET_LOG(ERROR) << "Some certificate references in the ONC policy could " |
| "not be resolved: " |
| << GetSourceAsString(onc_source); |
| success = false; |
| } |
| |
| if (network_configs) { |
| *network_configs = std::move(*validated_networks_list); |
| } |
| } |
| |
| if (global_network_config) { |
| if (validated_global_config) { |
| // Constructs and sets the PSIMAdminAssignedAPNs global network |
| // configuration field if an AdminAPNList and PSIMAdminAssignedAPNIds have |
| // been specified. |
| if (!ConstructAndSetPSIMAdminAPNs(*validated_global_config, |
| id_to_apn_map)) { |
| success = false; |
| } |
| *global_network_config = std::move(*validated_global_config); |
| } |
| } |
| |
| return success; |
| } |
| |
| bool ResolveServerCertRefsInNetworks(const CertPEMsByGUIDMap& certs_by_guid, |
| base::Value::List& network_configs) { |
| bool success = true; |
| base::Value::List filtered_configs; |
| for (base::Value& network : network_configs) { |
| if (!ResolveServerCertRefsInNetwork(certs_by_guid, network.GetDict())) { |
| std::string* guid = |
| network.GetDict().FindString(::onc::network_config::kGUID); |
| // This might happen even with correct validation, if the referenced |
| // certificate couldn't be imported. |
| LOG(ERROR) << "Couldn't resolve some certificate reference of network " |
| << (guid ? *guid : "(unable to find GUID)"); |
| success = false; |
| continue; |
| } |
| |
| filtered_configs.Append(std::move(network)); |
| } |
| network_configs = std::move(filtered_configs); |
| return success; |
| } |
| |
| bool ResolveServerCertRefsInNetwork(const CertPEMsByGUIDMap& certs_by_guid, |
| base::Value::Dict& network_config) { |
| return ResolveServerCertRefsInObject( |
| certs_by_guid, kNetworkConfigurationSignature, network_config); |
| } |
| |
| } // namespace chromeos::onc |
