From c5ec83f1bdaa6543b8575adc644f5686551a01a2 Mon Sep 17 00:00:00 2001 From: Weng Su Date: Wed, 9 Nov 2022 14:57:07 +0800 Subject: [PATCH] Add minimum TLS version for Wi-Fi EAP network - Remove "TLS v1.3" if device does not support it Bug: 258372351 Test: manual test make RunSettingsRoboTests ROBOTEST_FILTER=WifiConfigController2Test Change-Id: If7e41e8c404b4fbf92268afddd92bc6553e60576 --- res/layout/wifi_network_config.xml | 18 ++++++++++ res/values/arrays.xml | 9 +++++ res/values/strings.xml | 2 ++ .../settings/wifi/WifiConfigController2.java | 35 ++++++++++++++++++- .../wifi/WifiConfigController2Test.java | 25 +++++++++++++ 5 files changed, 88 insertions(+), 1 deletion(-) diff --git a/res/layout/wifi_network_config.xml b/res/layout/wifi_network_config.xml index f91f7385c17..6fe39bf0261 100644 --- a/res/layout/wifi_network_config.xml +++ b/res/layout/wifi_network_config.xml @@ -187,6 +187,24 @@ android:prompt="@string/wifi_eap_ca_cert"/> + + + + + + Require certificate status + + + + TLS v1.0 + TLS v1.1 + TLS v1.2 + TLS v1.3 + + diff --git a/res/values/strings.xml b/res/values/strings.xml index d91cb88c499..9fdbaf1511c 100644 --- a/res/values/strings.xml +++ b/res/values/strings.xml @@ -1534,6 +1534,8 @@ Phase 2 authentication CA certificate + + Minimum TLS version Online Certificate Status diff --git a/src/com/android/settings/wifi/WifiConfigController2.java b/src/com/android/settings/wifi/WifiConfigController2.java index d2daa00f644..957d2fba650 100644 --- a/src/com/android/settings/wifi/WifiConfigController2.java +++ b/src/com/android/settings/wifi/WifiConfigController2.java @@ -179,6 +179,7 @@ public class WifiConfigController2 implements TextWatcher, private int mLastShownEapMethod; @VisibleForTesting Spinner mEapSimSpinner; // For EAP-SIM, EAP-AKA and EAP-AKA-PRIME. @VisibleForTesting Spinner mEapCaCertSpinner; + private Spinner mEapMinTlsVerSpinner; private Spinner mEapOcspSpinner; private TextView mEapDomainView; private Spinner mPhase2Spinner; 
@@ -744,11 +745,14 @@ public class WifiConfigController2 implements TextWatcher,
 + ") should not both be non-null");
 }
- // Only set OCSP option if there is a valid CA certificate.
+ // Only set certificate option if there is a valid CA certificate.
 if (caCert.equals(mUnspecifiedCertString)) {
 config.enterpriseConfig.setOcsp(WifiEnterpriseConfig.OCSP_NONE);
+ config.enterpriseConfig.setMinimumTlsVersion(WifiEnterpriseConfig.TLS_V1_0);
 } else {
 config.enterpriseConfig.setOcsp(mEapOcspSpinner.getSelectedItemPosition());
+ config.enterpriseConfig.setMinimumTlsVersion(
+ mEapMinTlsVerSpinner.getSelectedItemPosition());
 }
 String clientCert = (String) mEapUserCertSpinner.getSelectedItem();
@@ -1005,6 +1009,8 @@ public class WifiConfigController2 implements TextWatcher,
 mPhase2Spinner.setOnItemSelectedListener(this);
 mEapCaCertSpinner = (Spinner) mView.findViewById(R.id.ca_cert);
 mEapCaCertSpinner.setOnItemSelectedListener(this);
+ mEapMinTlsVerSpinner = getEapMinTlsVerSpinner(mWifiManager.isTlsV13Supported());
+
 mEapOcspSpinner = (Spinner) mView.findViewById(R.id.ocsp);
 mEapDomainView = (TextView) mView.findViewById(R.id.domain);
 mEapDomainView.addTextChangedListener(this);
@@ -1148,6 +1154,7 @@ public class WifiConfigController2 implements TextWatcher,
 setSelection(mEapCaCertSpinner, mMultipleCertSetString);
 }
 }
+ mEapMinTlsVerSpinner.setSelection(enterpriseConfig.getMinimumTlsVersion());
 mEapOcspSpinner.setSelection(enterpriseConfig.getOcsp());
 mEapDomainView.setText(enterpriseConfig.getDomainSuffixMatch());
 String userCert = enterpriseConfig.getClientCertificateAlias();
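Review bot: In the @@ -744 hunk the selected spinner position is passed straight to `setMinimumTlsVersion()`, so the saved value is only right while `R.array.wifi_eap_tls_ver` stays in the same order as the `WifiEnterpriseConfig.TLS_V1_0`…`TLS_V1_3` constants, and nothing visible in the patch states or checks that. The same position-equals-constant assumption sits behind `setSelection(enterpriseConfig.getMinimumTlsVersion())` in the @@ -1148 hunk and `list.remove(WifiEnterpriseConfig.TLS_V1_3)` in the @@ -1920 hunk. I would record it where the value is written, for example `// Spinner position is used as the WifiEnterpriseConfig.TLS_V1_x value; keep wifi_eap_tls_ver in that order.`, and extend the existing comment to say that the no-CA branch deliberately falls back to `TLS_V1_0`. The enclosing method starts and ends outside the hunk.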
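Review bot: In the @@ -1148 hunk `mEapMinTlsVerSpinner.setSelection(enterpriseConfig.getMinimumTlsVersion())` is not bounded by the adapter size, and the adapter has one entry fewer when `isTlsV13Supported()` returned false (see `getEapMinTlsVerSpinner` in the @@ -1920 hunk). Whether a stored configuration can carry `TLS_V1_3` on such a device cannot be determined from this page, but if it can, the position is out of range and the dialog would not reflect the stored minimum. A guard such as `if (minTls < mEapMinTlsVerSpinner.getCount()) mEapMinTlsVerSpinner.setSelection(minTls);` with a logged fallback would make that case explicit instead of leaving it to whatever the spinner does with an invalid position. The enclosing method extends beyond the hunk.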
@@ -1179,6 +1186,7 @@ public class WifiConfigController2 implements TextWatcher,
 mEapMethodSpinner.setAccessibilityDelegate(selectedEventBlocker);
 mPhase2Spinner.setAccessibilityDelegate(selectedEventBlocker);
 mEapCaCertSpinner.setAccessibilityDelegate(selectedEventBlocker);
+ mEapMinTlsVerSpinner.setAccessibilityDelegate(selectedEventBlocker);
 mEapOcspSpinner.setAccessibilityDelegate(selectedEventBlocker);
 mEapUserCertSpinner.setAccessibilityDelegate(selectedEventBlocker);
 }
@@ -1214,6 +1222,9 @@ public class WifiConfigController2 implements TextWatcher,
 // Defaults for most of the EAP methods and over-riden by
 // by certain EAP methods
 mView.findViewById(R.id.l_ca_cert).setVisibility(View.VISIBLE);
+ if (mWifiManager.isTlsMinimumVersionSupported()) {
+ mView.findViewById(R.id.l_min_tls_ver).setVisibility(View.VISIBLE);
+ }
 mView.findViewById(R.id.l_ocsp).setVisibility(View.VISIBLE);
 mView.findViewById(R.id.password_layout).setVisibility(View.VISIBLE);
 mView.findViewById(R.id.show_password_layout).setVisibility(View.VISIBLE);
@@ -1224,6 +1235,7 @@ public class WifiConfigController2 implements TextWatcher,
 case WIFI_EAP_METHOD_PWD:
 setPhase2Invisible();
 setCaCertInvisible();
+ setMinTlsVerInvisible();
 setOcspInvisible();
 setDomainInvisible();
 setAnonymousIdentInvisible();
@@ -1265,6 +1277,7 @@ public class WifiConfigController2 implements TextWatcher,
 setPhase2Invisible();
 setAnonymousIdentInvisible();
 setCaCertInvisible();
+ setMinTlsVerInvisible();
 setOcspInvisible();
 setDomainInvisible();
 setUserCertInvisible();
@@ -1278,6 +1291,7 @@ public class WifiConfigController2 implements TextWatcher,
 if (eapCertSelection.equals(mUnspecifiedCertString)
 || (mIsTrustOnFirstUseSupported
 && eapCertSelection.equals(mTrustOnFirstUse))) {
+ setMinTlsVerInvisible();
 // Domain suffix matching is not relevant if the user hasn't chosen a CA
 // certificate yet, or chooses not to validate the EAP server.
 setDomainInvisible();
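Review bot: In the @@ -1278 hunk the new `setMinTlsVerInvisible();` is inserted between the `if` and the existing comment about domain suffix matching, so that comment now appears to explain the wrong call. Either move the call below `setDomainInvisible();` or give it its own comment, e.g. `// Minimum TLS version is only configurable once a CA certificate is selected.`. Because `setMinTlsVerInvisible()` also resets the spinner to `TLS_V1_0` (@@ -1319 hunk), it is worth stating there that a network with an unspecified CA certificate or Trust on First Use is always saved with the lowest minimum. The `if` body continues past the end of the hunk.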
@@ -1319,6 +1333,11 @@ public class WifiConfigController2 implements TextWatcher,
 setSelection(mEapCaCertSpinner, mUnspecifiedCertString);
 }
+ private void setMinTlsVerInvisible() {
+ mView.findViewById(R.id.l_min_tls_ver).setVisibility(View.GONE);
+ mEapMinTlsVerSpinner.setSelection(WifiEnterpriseConfig.TLS_V1_0);
+ }
+
 private void setOcspInvisible() {
 mView.findViewById(R.id.l_ocsp).setVisibility(View.GONE);
 mEapOcspSpinner.setSelection(WifiEnterpriseConfig.OCSP_NONE);
@@ -1920,4 +1939,18 @@ public class WifiConfigController2 implements TextWatcher,
 }
 });
 }
+
+ @VisibleForTesting
+ Spinner getEapMinTlsVerSpinner(boolean isTlsV13Supported) {
+ Spinner spinner = mView.findViewById(R.id.min_tls_ver);
+ String[] stringArray = mContext.getResources().getStringArray(R.array.wifi_eap_tls_ver);
+ if (!isTlsV13Supported) {
+ Log.w(TAG, "Wi-Fi Enterprise TLS v1.3 is not supported on this device");
+ List list = new ArrayList<>(Arrays.asList(stringArray));
+ list.remove(WifiEnterpriseConfig.TLS_V1_3);
+ stringArray = list.toArray(new String[0]);
+ }
+ spinner.setAdapter(getSpinnerAdapter(stringArray));
+ return spinner;
+ }
 }
diff --git a/tests/robotests/src/com/android/settings/wifi/WifiConfigController2Test.java b/tests/robotests/src/com/android/settings/wifi/WifiConfigController2Test.java
index 9139a285e14..4a24ffae811 100644
--- a/tests/robotests/src/com/android/settings/wifi/WifiConfigController2Test.java
+++ b/tests/robotests/src/com/android/settings/wifi/WifiConfigController2Test.java
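Review bot: `getEapMinTlsVerSpinner()` in the @@ -1920 hunk has no Javadoc although it does more than a getter: it looks up `R.id.min_tls_ver`, replaces the spinner's adapter, and when `isTlsV13Supported` is false removes the entry at index `WifiEnterpriseConfig.TLS_V1_3` from the list. A short Javadoc would make that contract visible, e.g. `/** Binds the minimum-TLS-version spinner; omits the TLS v1.3 entry when {@code isTlsV13Supported} is false. */`. The `Log.w` appears to run every time the controller sets up its views (the call in the @@ -1005 hunk), so on devices without TLS v1.3 it may be better as `Log.d`, or logged once.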
@@ -73,11 +73,16 @@ import org.robolectric.shadows.ShadowInputMethodManager;
 import org.robolectric.shadows.ShadowSubscriptionManager;
 import java.util.Arrays;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.IntStream;
 @RunWith(RobolectricTestRunner.class)
 @Config(shadows = ShadowConnectivityManager.class)
 public class WifiConfigController2Test {
+ static final String WIFI_EAP_TLS_V1_3 = "TLS v1.3";
+
 @Mock
 private WifiConfigUiBase2 mConfigUiBase;
 @Mock
@@ -938,6 +943,26 @@ public class WifiConfigController2Test {
 assertThat(mEapUserCertSpinner.getSelectedItem()).isEqualTo(SAVED_USER_CERT);
 }
+ @Test
+ public void getEapMinTlsVerSpinner_isTlsV13Supported_containsTlsV13() {
+ Spinner spinner = mController.getEapMinTlsVerSpinner(true /* isTlsV13Supported */);
+
+ List list = IntStream.range(0, spinner.getAdapter().getCount())
+ .mapToObj(spinner.getAdapter()::getItem)
+ .collect(Collectors.toList());
+ assertThat(list).contains(WIFI_EAP_TLS_V1_3);
+ }
+
+ @Test
+ public void getEapMinTlsVerSpinner_isNotTlsV13Supported_doesNotContainTlsV13() {
+ Spinner spinner = mController.getEapMinTlsVerSpinner(false /* isTlsV13Supported */);
+
+ List list = IntStream.range(0, spinner.getAdapter().getCount())
+ .mapToObj(spinner.getAdapter()::getItem)
+ .collect(Collectors.toList());
+ assertThat(list).doesNotContain(WIFI_EAP_TLS_V1_3);
+ }
+
 private void setUpModifyingSavedCertificateConfigController(String savedCaCertificate,
 String savedUserCertificate) {
 final WifiConfiguration mockWifiConfig = mock(WifiConfiguration.class);
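Review bot: The two tests added in the @@ -938 hunk only check the adapter contents returned by `getEapMinTlsVerSpinner()`; nothing here asserts that the chosen position reaches `enterpriseConfig.setMinimumTlsVersion()` or that the no-CA path writes `TLS_V1_0` (the @@ -744 hunk of WifiConfigController2.java). A test that selects an entry, builds the configuration and checks `getMinimumTlsVersion()` would pin the position-to-constant mapping the save path relies on. `WIFI_EAP_TLS_V1_3` in the @@ -73 hunk repeats a string-array entry as a literal, so a comment such as `// Must match the TLS v1.3 entry of R.array.wifi_eap_tls_ver` would help keep the two in step.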