ONC: Add TLSVersionMax EAP property

This allows CPanel to disable TLSv1.1/TLSv1.2 for compatibility with
buggy wifi APs.

BUG=605728
TEST=chromeos_unittests
TEST="sideload" an .onc file through chrome://net-internals and verify
     in the RADIUS logs that the TLSVersionMax setting takes effect
TEST=manually set value through shill and check in
     networkingPrivate.getProperties

Change-Id: I1c8447ca5f7c8b0c8ff3c4ce44be01955454d215
Reviewed-on: https://chromium-review.googlesource.com/789792Reviewed-by: Steven Bennetts <stevenjb@chromium.org>
Reviewed-by: Toni Barzic <tbarzic@chromium.org>
Commit-Queue: Kevin Cernekee <cernekee@chromium.org>
Cr-Commit-Position: refs/heads/master@{#519926}

chromeos/network/onc/onc_signature.cc

@@ -61,6 +61,7 @@ const OncFieldSignature eap_fields[] = {
     // Deprecated.
     {::onc::eap::kServerCARef, &kStringSignature},
     {::onc::eap::kServerCARefs, &kStringListSignature},
+    {::onc::eap::kTLSVersionMax, &kStringSignature},
     {::onc::eap::kUseProactiveKeyCaching, &kBoolSignature},
     {::onc::eap::kUseSystemCAs, &kBoolSignature},
     {NULL}};

chromeos/network/onc/onc_translation_tables.cc

@@ -33,6 +33,7 @@ const FieldTranslationEntry eap_fields[] = {
     {::onc::eap::kSaveCredentials, shill::kSaveCredentialsProperty},
     {::onc::eap::kServerCAPEMs, shill::kEapCaCertPemProperty},
     {::onc::eap::kSubjectMatch, shill::kEapSubjectMatchProperty},
+    {::onc::eap::kTLSVersionMax, shill::kEapTLSVersionMaxProperty},
     {::onc::eap::kUseSystemCAs, shill::kEapUseSystemCasProperty},
     {::onc::eap::kUseProactiveKeyCaching,
      shill::kEapUseProactiveKeyCachingProperty},

chromeos/test/data/network/shill_wifi_eap_tls.json

@@ -4,6 +4,7 @@
    "EAP.Identity": "my_identity",
    "EAP.KeyID": "1:123456abcdef",
    "EAP.PIN": "111111",
+   "EAP.TLSVersionMax": "1.2",
    "EAP.UseSystemCAs": true,
    "GUID": "{77db0089-0bc8-4358-929c-123xcv}",
    "Mode": "managed",

chromeos/test/data/network/translation_of_shill_wifi_eap_tls.onc

@@ -9,6 +9,7 @@
       "ClientCertPKCS11Id": "1:123456abcdef",
       "Outer": "EAP-TLS",
       "Identity": "my_identity",
+      "TLSVersionMax": "1.2",
       "UseSystemCAs": true,
       "SaveCredentials": true
     }

chromeos/test/data/network/wifi_eap_tls.onc

@@ -11,6 +11,7 @@
       "ClientCertType": "PKCS11Id",
       "ClientCertPKCS11Id": "1:123456abcdef",
       "SaveCredentials": true,
+      "TLSVersionMax": "1.2",
       "UseSystemCAs": true
     }
   },

components/onc/docs/onc_spec.md

@@ -1207,6 +1207,16 @@ type exists to configure the authentication.
     * WiFi only. A substring which a remote RADIUS service certificate subject
       name must contain in order to connect.
 
+* **TLSVersionMax**
+    * (optional) - **string**
+    * Sets the maximum TLS protocol version used by the OS for EAP.
+      This is only needed when connecting to an AP with a buggy TLS
+      implementation, as the protocol will normally auto-negotiate.
+    * Allowed values are:
+        * *1.0*
+        * *1.1*
+        * *1.2*
+
 * **UseSystemCAs**
     * (optional, defaults to *true*) - **boolean**
     * Required server certificate to be signed by "system default certificate

components/onc/onc_constants.cc

@@ -315,6 +315,7 @@ const char kServerCAPEMs[] = "ServerCAPEMs";
 const char kServerCARef[] = "ServerCARef";
 const char kServerCARefs[] = "ServerCARefs";
 const char kSubjectMatch[] = "SubjectMatch";
+const char kTLSVersionMax[] = "TLSVersionMax";
 const char kUseSystemCAs[] = "UseSystemCAs";
 const char kUseProactiveKeyCaching[] = "UseProactiveKeyCaching";
 }  // namespace eap

components/onc/onc_constants.h

@@ -328,6 +328,7 @@ ONC_EXPORT extern const char kServerCAPEMs[];
 ONC_EXPORT extern const char kServerCARef[];
 ONC_EXPORT extern const char kServerCARefs[];
 ONC_EXPORT extern const char kSubjectMatch[];
+ONC_EXPORT extern const char kTLSVersionMax[];
 ONC_EXPORT extern const char kUseSystemCAs[];
 ONC_EXPORT extern const char kUseProactiveKeyCaching[];
 }  // namespace eap

extensions/common/api/networking_private.idl

@@ -242,6 +242,7 @@ namespace networkingPrivate {
     DOMString[]? ServerCAPEMs;
     DOMString[]? ServerCARefs;
     DOMString? SubjectMatch;
+    DOMString? TLSVersionMax;
     boolean? UseProactiveKeyCaching;
     boolean? UseSystemCAs;
   };
@@ -262,6 +263,7 @@ namespace networkingPrivate {
     ManagedDOMStringList? ServerCAPEMs;
     ManagedDOMStringList? ServerCARefs;
     ManagedDOMString? SubjectMatch;
+    ManagedDOMString? TLSVersionMax;
     ManagedBoolean? UseProactiveKeyCaching;
     ManagedBoolean? UseSystemCAs;
   };

third_party/closure_compiler/externs/networking_private.js

@@ -306,6 +306,7 @@ chrome.networkingPrivate.ManagedCertificatePattern;
  *   ServerCAPEMs: (!Array<string>|undefined),
  *   ServerCARefs: (!Array<string>|undefined),
  *   SubjectMatch: (string|undefined),
+ *   TLSVersionMax: (string|undefined),
  *   UseProactiveKeyCaching: (boolean|undefined),
  *   UseSystemCAs: (boolean|undefined)
  * }}
@@ -328,6 +329,7 @@ chrome.networkingPrivate.EAPProperties;
  *   ServerCAPEMs: (!chrome.networkingPrivate.ManagedDOMStringList|undefined),
  *   ServerCARefs: (!chrome.networkingPrivate.ManagedDOMStringList|undefined),
  *   SubjectMatch: (!chrome.networkingPrivate.ManagedDOMString|undefined),
+ *   TLSVersionMax: (!chrome.networkingPrivate.ManagedDOMString|undefined),
  *   UseProactiveKeyCaching: (!chrome.networkingPrivate.ManagedBoolean|undefined),
  *   UseSystemCAs: (!chrome.networkingPrivate.ManagedBoolean|undefined)
  * }}