ONC: Reject ServerCARef in IPsec if PSK is used.

Looking at IpsecManager::Initialize in platform/vpn-manager/ipsec_manager.cc, then a CA certificate for server verification is rejected if a PSK is set.

However, in ONC, the ServerCARef was silently ignored if PSK was used. This might unintentionally reduce security.

Note: ServerCARef from ONC maps to server_ca_file in  IpsecManager::Initialize.
PSK from ONC maps to psk_file in IpsecManager::Initialize.

BUG=276291
R=bartfab@chromium.org

Review URL: https://codereview.chromium.org/62173002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@240865 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 12 insertions, 0 deletions

diff --git a/chromeos/test/data/network/invalid_settings_with_repairs.json b/chromeos/test/data/network/invalid_settings_with_repairs.json
index 4f80434..0815629 100644
--- a/chromeos/test/data/network/invalid_settings_with_repairs.json
+++ b/chromeos/test/data/network/invalid_settings_with_repairs.json
@@ -187,6 +187,18 @@
             }
         }
     },
+    "ipsec-with-psk-and-cacert": {
+      "AuthenticationType": "PSK",
+      "IKEVersion": 1,
+      "PSK": "some psk",
+      "ServerCARef": "a cert ref"
+    },
+    "ipsec-with-client-cert-missing-cacert": {
+      "AuthenticationType": "Cert",
+      "IKEVersion": 1,
+      "ClientCertType": "Ref",
+      "ClientCertRef": "a cert ref"
+    },
     "openvpn-missing-verify-x509-name": {
       "GUID": "guid",
       "Type": "VPN",