Add XFRM-I support to IpSecService
This change adds support for XFRM-I to all IpSecService netd calls. Fallback logic is in netd, and thus both VTI and XFRM-I parameters are always passed down to IpSecService. Bug: 78589502 Test: All java, CTS tests passing Change-Id: Ie4186f0ad7e50763b21831f6fa411b5ee436de78
@@ -71,6 +71,9 @@ public class IpSecServiceParameterizedTest {
|
||||
private final LinkAddress mLocalInnerAddress;
|
||||
private final int mFamily;
|
||||
|
||||
private static final int[] ADDRESS_FAMILIES =
|
||||
new int[] {AF_INET, AF_INET6};
|
||||
|
||||
@Parameterized.Parameters
|
||||
public static Collection ipSecConfigs() {
|
||||
return Arrays.asList(
|
||||
@@ -196,6 +199,7 @@ public class IpSecServiceParameterizedTest {
|
||||
anyString(),
|
||||
eq(TEST_SPI),
|
||||
anyInt(),
|
||||
anyInt(),
|
||||
anyInt());
|
||||
|
||||
// Verify quota and RefcountedResource objects cleaned up
|
||||
@@ -231,6 +235,7 @@ public class IpSecServiceParameterizedTest {
|
||||
anyString(),
|
||||
eq(TEST_SPI),
|
||||
anyInt(),
|
||||
anyInt(),
|
||||
anyInt());
|
||||
|
||||
// Verify quota and RefcountedResource objects cleaned up
|
||||
@@ -304,7 +309,8 @@ public class IpSecServiceParameterizedTest {
|
||||
eq((authCrypt != null) ? authCrypt.getTruncationLengthBits() : 0),
|
||||
eq(config.getEncapType()),
|
||||
eq(encapSocketPort),
|
||||
eq(config.getEncapRemotePort()));
|
||||
eq(config.getEncapRemotePort()),
|
||||
eq(config.getXfrmInterfaceId()));
|
||||
}
|
||||
|
||||
@Test
|
||||
@@ -430,6 +436,7 @@ public class IpSecServiceParameterizedTest {
|
||||
anyString(),
|
||||
eq(TEST_SPI),
|
||||
anyInt(),
|
||||
anyInt(),
|
||||
anyInt());
|
||||
// quota is not released until the SPI is released by the Transform
|
||||
assertEquals(1, userRecord.mSpiQuotaTracker.mCurrent);
|
||||
@@ -452,6 +459,7 @@ public class IpSecServiceParameterizedTest {
|
||||
anyString(),
|
||||
eq(TEST_SPI),
|
||||
anyInt(),
|
||||
anyInt(),
|
||||
anyInt());
|
||||
|
||||
// Verify quota and RefcountedResource objects cleaned up
|
||||
@@ -469,6 +477,7 @@ public class IpSecServiceParameterizedTest {
|
||||
anyString(),
|
||||
anyInt(),
|
||||
anyInt(),
|
||||
anyInt(),
|
||||
anyInt());
|
||||
assertEquals(0, userRecord.mSpiQuotaTracker.mCurrent);
|
||||
|
||||
@@ -504,6 +513,7 @@ public class IpSecServiceParameterizedTest {
|
||||
anyString(),
|
||||
eq(TEST_SPI),
|
||||
anyInt(),
|
||||
anyInt(),
|
||||
anyInt());
|
||||
|
||||
// Verify quota and RefcountedResource objects cleaned up
|
||||
@@ -572,11 +582,12 @@ public class IpSecServiceParameterizedTest {
|
||||
|
||||
assertEquals(1, userRecord.mTunnelQuotaTracker.mCurrent);
|
||||
verify(mMockNetd)
|
||||
.addVirtualTunnelInterface(
|
||||
.ipSecAddTunnelInterface(
|
||||
eq(createTunnelResp.interfaceName),
|
||||
eq(mSourceAddr),
|
||||
eq(mDestinationAddr),
|
||||
anyInt(),
|
||||
anyInt(),
|
||||
anyInt());
|
||||
}
|
||||
|
||||
@@ -591,7 +602,7 @@ public class IpSecServiceParameterizedTest {
|
||||
|
||||
// Verify quota and RefcountedResource objects cleaned up
|
||||
assertEquals(0, userRecord.mTunnelQuotaTracker.mCurrent);
|
||||
verify(mMockNetd).removeVirtualTunnelInterface(eq(createTunnelResp.interfaceName));
|
||||
verify(mMockNetd).ipSecRemoveTunnelInterface(eq(createTunnelResp.interfaceName));
|
||||
try {
|
||||
userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow(
|
||||
createTunnelResp.resourceId);
|
||||
@@ -614,7 +625,7 @@ public class IpSecServiceParameterizedTest {
|
||||
|
||||
// Verify quota and RefcountedResource objects cleaned up
|
||||
assertEquals(0, userRecord.mTunnelQuotaTracker.mCurrent);
|
||||
verify(mMockNetd).removeVirtualTunnelInterface(eq(createTunnelResp.interfaceName));
|
||||
verify(mMockNetd).ipSecRemoveTunnelInterface(eq(createTunnelResp.interfaceName));
|
||||
try {
|
||||
userRecord.mTunnelInterfaceRecords.getRefcountedResourceOrThrow(
|
||||
createTunnelResp.resourceId);
|
||||
@@ -623,6 +634,41 @@ public class IpSecServiceParameterizedTest {
|
||||
}
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testApplyTunnelModeTransform() throws Exception {
|
||||
IpSecConfig ipSecConfig = new IpSecConfig();
|
||||
ipSecConfig.setMode(IpSecTransform.MODE_TUNNEL);
|
||||
addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
|
||||
addAuthAndCryptToIpSecConfig(ipSecConfig);
|
||||
|
||||
IpSecTransformResponse createTransformResp =
|
||||
mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage");
|
||||
IpSecTunnelInterfaceResponse createTunnelResp =
|
||||
createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage");
|
||||
|
||||
int transformResourceId = createTransformResp.resourceId;
|
||||
int tunnelResourceId = createTunnelResp.resourceId;
|
||||
mIpSecService.applyTunnelModeTransform(tunnelResourceId, IpSecManager.DIRECTION_OUT,
|
||||
transformResourceId, "blessedPackage");
|
||||
|
||||
for (int selAddrFamily : ADDRESS_FAMILIES) {
|
||||
verify(mMockNetd)
|
||||
.ipSecUpdateSecurityPolicy(
|
||||
eq(mUid),
|
||||
eq(selAddrFamily),
|
||||
eq(IpSecManager.DIRECTION_OUT),
|
||||
anyString(),
|
||||
anyString(),
|
||||
eq(TEST_SPI),
|
||||
anyInt(), // iKey/oKey
|
||||
anyInt(), // mask
|
||||
eq(tunnelResourceId));
|
||||
}
|
||||
|
||||
ipSecConfig.setXfrmInterfaceId(tunnelResourceId);
|
||||
verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void testAddRemoveAddressFromTunnelInterface() throws Exception {
|
||||
for (String pkgName : new String[]{"blessedPackage", "systemPackage"}) {
|
||||
|
||||
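Review bot: In testApplyTunnelModeTransform the `ipSecUpdateSecurityPolicy` verification matches the mark and mask with `anyInt()` (the arguments commented `// iKey/oKey` and `// mask`), so only the XFRM interface id is pinned and the test still passes if the policy is installed with a wrong or zero mark. The description says netd may fall back to VTI and that both parameter sets are always passed, so the VTI path presumably relies on that mark to bind the policy to the right tunnel; a regression there could leave the policy matching traffic from outside the tunnel without any test failing. Consider capturing the two values and asserting them against the tunnel's output key and the expected mask, or at least record the gap with `// TODO: pin mark/mask to the tunnel's oKey; anyInt() leaves the VTI fallback values unchecked`. The test also exercises only `IpSecManager.DIRECTION_OUT`; a `DIRECTION_IN` case would be worth adding if the inbound path selects a different key.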