From 18fd6082866aaa960b6343637cc959449bbb19d5 Mon Sep 17 00:00:00 2001 From: Nathan Harold Date: Wed, 29 Mar 2017 10:47:59 -0700 Subject: [PATCH] Change reserveSecurityParameterIndex() to take a remoteAddress To make the SPI reservation more semantically consistent with the transform creation API, and to ensure that we always create SPI reservations relative to a well-known remote, we should take the SPI request relative to a remote (rather than to a destination). This necessitates that we now consider direction separately, which is used for keying the SA-Id. Bug: 36073210 Test: compilation Change-Id: I81e955c20128c1f8e04fd68eb26669561f827a78 (cherry picked from commit c4f879925b58b1b5ca9a3cfdc898c20cbf56355a) --- core/java/android/net/IpSecManager.java | 26 ++++++++++------------- core/java/android/net/IpSecTransform.java | 4 ++-- 2 files changed, 13 insertions(+), 17 deletions(-) diff --git a/core/java/android/net/IpSecManager.java b/core/java/android/net/IpSecManager.java index 93a76dfbb4..83f4cc97b8 100644 --- a/core/java/android/net/IpSecManager.java +++ b/core/java/android/net/IpSecManager.java @@ -81,7 +81,7 @@ public final class IpSecManager { public static final class SecurityParameterIndex implements AutoCloseable { private final IIpSecService mService; - private final InetAddress mDestinationAddress; + private final InetAddress mRemoteAddress; private final CloseGuard mCloseGuard = CloseGuard.get(); private int mSpi; @@ -91,10 +91,10 @@ public final class IpSecManager { } private SecurityParameterIndex( - IIpSecService service, InetAddress destinationAddress, int spi) + IIpSecService service, int direction, InetAddress remoteAddress, int spi) throws ResourceUnavailableException, SpiUnavailableException { mService = service; - mDestinationAddress = destinationAddress; + mRemoteAddress = remoteAddress; mSpi = spi; mCloseGuard.open("open"); } @@ -102,13 +102,9 @@ public final class IpSecManager { /** * Release an SPI that was previously reserved. * - *

Release an SPI for use by other users in the system. This will fail if the SPI is - * currently in use by an IpSecTransform. - * - * @param destinationAddress SPIs must be unique for each combination of SPI and destination - * address. Thus, the destinationAddress to which the SPI will communicate must be - * supplied. - * @param spi the previously reserved SPI to be freed. + *

Release an SPI for use by other users in the system. If a SecurityParameterIndex is + * applied to an IpSecTransform, it will become unusable for future transforms but should + * still be closed to ensure system resources are released. */ @Override public void close() { @@ -134,13 +130,13 @@ public final class IpSecManager { public static final int INVALID_SECURITY_PARAMETER_INDEX = 0; /** - * Reserve an SPI for traffic bound towards the specified destination address. + * Reserve an SPI for traffic bound towards the specified remote address. * *

If successful, this SPI is guaranteed available until released by a call to {@link * SecurityParameterIndex#close()}. * - * @param destinationAddress SPIs must be unique for each combination of SPI and destination - * address. + * @param direction {@link IpSecTransform#DIRECTION_IN} or {@link IpSecTransform#DIRECTION_OUT} + * @param remoteAddress address of the remote. SPIs must be unique for each remoteAddress. * @param requestedSpi the requested SPI, or '0' to allocate a random SPI. * @return the reserved SecurityParameterIndex * @throws ResourceUnavailableException indicating that too many SPIs are currently allocated @@ -148,9 +144,9 @@ public final class IpSecManager { * @throws SpiUnavailableException indicating that a particular SPI cannot be reserved */ public SecurityParameterIndex reserveSecurityParameterIndex( - InetAddress destinationAddress, int requestedSpi) + int direction, InetAddress remoteAddress, int requestedSpi) throws SpiUnavailableException, ResourceUnavailableException { - return new SecurityParameterIndex(mService, destinationAddress, requestedSpi); + return new SecurityParameterIndex(mService, direction, remoteAddress, requestedSpi); } /** diff --git a/core/java/android/net/IpSecTransform.java b/core/java/android/net/IpSecTransform.java index d6dd28bec3..5c0bbe6a14 100644 --- a/core/java/android/net/IpSecTransform.java +++ b/core/java/android/net/IpSecTransform.java @@ -307,7 +307,7 @@ public final class IpSecTransform implements AutoCloseable { *

Care should be chosen when selecting an SPI to ensure that is is as unique as * possible. Random number generation is a reasonable approach to selecting an SPI. For * outbound SPIs, they must be reserved by calling {@link - * IpSecManager#reserveSecurityParameterIndex(InetAddress, int)}. Otherwise, Transforms will + * IpSecManager#reserveSecurityParameterIndex(int, InetAddress, int)}. Otherwise, Transforms will * fail to build. * *

Unless an SPI is set for a given direction, traffic in that direction will be @@ -329,7 +329,7 @@ public final class IpSecTransform implements AutoCloseable { *

Care should be chosen when selecting an SPI to ensure that is is as unique as * possible. Random number generation is a reasonable approach to selecting an SPI. For * outbound SPIs, they must be reserved by calling {@link - * IpSecManager#reserveSecurityParameterIndex(InetAddress, int)}. Otherwise, Transforms will + * IpSecManager#reserveSecurityParameterIndex(int, InetAddress, int)}. Otherwise, Transforms will * fail to activate. * *

Unless an SPI is set for a given direction, traffic in that direction will be