diff --git a/tests/cts/net/src/android/net/cts/Ikev2VpnTest.java b/tests/cts/net/src/android/net/cts/Ikev2VpnTest.java index 04843f90a0..7286bf6d24 100644 --- a/tests/cts/net/src/android/net/cts/Ikev2VpnTest.java +++ b/tests/cts/net/src/android/net/cts/Ikev2VpnTest.java @@ -20,8 +20,6 @@ import static android.net.NetworkCapabilities.NET_CAPABILITY_INTERNET; import static android.net.NetworkCapabilities.NET_CAPABILITY_VALIDATED; import static android.net.NetworkCapabilities.TRANSPORT_VPN; import static android.net.cts.util.CtsNetUtils.TestNetworkCallback; -import static android.net.cts.util.IkeSessionTestUtils.CHILD_PARAMS; -import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS; import static com.android.compatibility.common.util.SystemUtil.runWithShellPermissionIdentity; import static com.android.testutils.DevSdkIgnoreRuleKt.SC_V2; @@ -51,6 +49,7 @@ import android.net.ProxyInfo; import android.net.TestNetworkInterface; import android.net.VpnManager; import android.net.cts.util.CtsNetUtils; +import android.net.cts.util.IkeSessionTestUtils; import android.net.ipsec.ike.IkeTunnelConnectionParams; import android.os.Build; import android.os.Process; 
@@ -252,6 +251,28 @@ public class Ikev2VpnTest { return builder.build(); } + private Ikev2VpnProfile buildIkev2VpnProfileIkeTunConnParams( + final boolean isRestrictedToTestNetworks, final boolean requiresValidation, + final boolean testIpv6) throws Exception { + final IkeTunnelConnectionParams params = + new IkeTunnelConnectionParams(testIpv6 + ? IkeSessionTestUtils.IKE_PARAMS_V6 : IkeSessionTestUtils.IKE_PARAMS_V4, + IkeSessionTestUtils.CHILD_PARAMS); + + final Ikev2VpnProfileBuilderShim builderShim = + Ikev2VpnProfileBuilderShimImpl.newInstance(null, null, params) + .setRequiresInternetValidation(requiresValidation) + .setProxy(TEST_PROXY_INFO) + .setMaxMtu(TEST_MTU) + .setMetered(false); + + final Ikev2VpnProfile.Builder builder = (Ikev2VpnProfile.Builder) builderShim.getBuilder(); + if (isRestrictedToTestNetworks) { + builder.restrictToTestNetworks(); + } + return builder.build(); + } + private Ikev2VpnProfile buildIkev2VpnProfilePsk(@NonNull String remote, boolean isRestrictedToTestNetworks, boolean requiresValidation) throws Exception { final Ikev2VpnProfileBuilderShim builder = @@ -325,8 +346,8 @@ public class Ikev2VpnTest { assumeTrue(mCtsNetUtils.hasIpsecTunnelsFeature()); assumeTrue(TestUtils.shouldTestTApis()); - final IkeTunnelConnectionParams expectedParams = - new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS); + final IkeTunnelConnectionParams expectedParams = new IkeTunnelConnectionParams( + IkeSessionTestUtils.IKE_PARAMS_V6, IkeSessionTestUtils.CHILD_PARAMS); final Ikev2VpnProfileBuilderShim ikeProfileBuilder = Ikev2VpnProfileBuilderShimImpl.newInstance(null, null, expectedParams); // Verify the other Ike options could not be set with IkeTunnelConnectionParams. 
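Review bot: `buildIkev2VpnProfileIkeTunConnParams` takes no server address, so on this path the remote address, local identity and PSK come entirely from `IkeSessionTestUtils.IKE_PARAMS_V4`/`IKE_PARAMS_V6` rather than from the value this class passes to `buildIkev2VpnProfilePsk`. If the two sets of constants ever drift apart, the tunnel test would presumably fail in a way that is hard to trace back to the mismatch. A short comment above the method would record the coupling, for example `// Server address, identity and PSK are fixed by IkeSessionTestUtils; keep them in sync with TEST_SERVER_ADDR_V4/V6 in this class.` The second hunk on this line only swaps the constant name and needs no change.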
@@ -472,7 +493,8 @@ public class Ikev2VpnTest { } private void checkStartStopVpnProfileBuildsNetworks(@NonNull IkeTunUtils tunUtils, - boolean testIpv6, boolean requiresValidation, boolean testSessionKey) + boolean testIpv6, boolean requiresValidation, boolean testSessionKey, + boolean testIkeTunConnParams) throws Exception { String serverAddr = testIpv6 ? TEST_SERVER_ADDR_V6 : TEST_SERVER_ADDR_V4; String initResp = testIpv6 ? SUCCESSFUL_IKE_INIT_RESP_V6 : SUCCESSFUL_IKE_INIT_RESP_V4; @@ -482,8 +504,11 @@ public class Ikev2VpnTest { // Requires MANAGE_TEST_NETWORKS to provision a test-mode profile. mCtsNetUtils.setAppopPrivileged(AppOpsManager.OP_ACTIVATE_PLATFORM_VPN, true); - final Ikev2VpnProfile profile = buildIkev2VpnProfilePsk(serverAddr, - true /* isRestrictedToTestNetworks */, requiresValidation); + final Ikev2VpnProfile profile = testIkeTunConnParams + ? buildIkev2VpnProfileIkeTunConnParams(true /* isRestrictedToTestNetworks */, + requiresValidation, testIpv6) + : buildIkev2VpnProfilePsk(serverAddr, true /* isRestrictedToTestNetworks */, + requiresValidation); assertNull(sVpnMgr.provisionVpnProfile(profile)); final TestableNetworkCallback cb = new TestableNetworkCallback(TIMEOUT_MS); @@ -564,6 +589,7 @@ public class Ikev2VpnTest { private final boolean mTestIpv6Only; private final boolean mRequiresValidation; private final boolean mTestSessionKey; + private final boolean mTestIkeTunConnParams; /** * Constructs the test @@ -573,10 +599,11 @@ public class Ikev2VpnTest { * @param testSessionKey if true, start VPN by calling startProvisionedVpnProfileSession() */ VerifyStartStopVpnProfileTest(boolean testIpv6Only, boolean requiresValidation, - boolean testSessionKey) { + boolean testSessionKey, boolean testIkeTunConnParams) { mTestIpv6Only = testIpv6Only; mRequiresValidation = requiresValidation; mTestSessionKey = testSessionKey; + mTestIkeTunConnParams = testIkeTunConnParams; } @Override 
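Review bot: The constructor Javadoc of `VerifyStartStopVpnProfileTest` is not extended for the new fourth argument; the visible tag list stops at `@param testSessionKey`. Add `@param testIkeTunConnParams if true, build the profile from IkeTunnelConnectionParams instead of the PSK builder` so the tag list matches the signature. In the second hunk on this line, `serverAddr` is no longer handed to the profile builder when the flag is set, although it may still be used further down in `checkStartStopVpnProfileBuildsNetworks`, outside the hunk. The Javadoc block starts outside the hunk, so its earlier tags could not be checked.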
@@ -584,8 +611,8 @@ public class Ikev2VpnTest { throws Exception { final IkeTunUtils tunUtils = new IkeTunUtils(testIface.getFileDescriptor()); - checkStartStopVpnProfileBuildsNetworks( - tunUtils, mTestIpv6Only, mRequiresValidation, mTestSessionKey); + checkStartStopVpnProfileBuildsNetworks(tunUtils, mTestIpv6Only, mRequiresValidation, + mTestSessionKey, mTestIkeTunConnParams); } @Override 
@@ -603,53 +630,83 @@ public class Ikev2VpnTest { } } - @Test - public void testStartStopVpnProfileV4() throws Exception { + private void doTestStartStopVpnProfile(boolean testIpv6Only, boolean requiresValidation, + boolean testSessionKey, boolean testIkeTunConnParams) throws Exception { assumeTrue(mCtsNetUtils.hasIpsecTunnelsFeature()); - // Requires shell permission to update appops. runWithShellPermissionIdentity( new TestNetworkRunnable(new VerifyStartStopVpnProfileTest( - false /* testIpv6Only */, false /* requiresValidation */, - false /* testSessionKey */))); + testIpv6Only, requiresValidation, testSessionKey , testIkeTunConnParams))); + } - runWithShellPermissionIdentity( - new TestNetworkRunnable(new VerifyStartStopVpnProfileTest( - false /* testIpv6Only */, true /* requiresValidation */, - false /* testSessionKey */))); + @Test + public void testStartStopVpnProfileV4() throws Exception { + doTestStartStopVpnProfile(false /* testIpv6Only */, false /* requiresValidation */, + false /* testSessionKey */, false /* testIkeTunConnParams */); + } + + @Test @IgnoreUpTo(SC_V2) + public void testStartStopVpnProfileV4WithValidation() throws Exception { + assumeTrue(TestUtils.shouldTestTApis()); + doTestStartStopVpnProfile(false /* testIpv6Only */, true /* requiresValidation */, + false /* testSessionKey */, false /* testIkeTunConnParams */); } @Test public void testStartStopVpnProfileV6() throws Exception { - assumeTrue(mCtsNetUtils.hasIpsecTunnelsFeature()); + doTestStartStopVpnProfile(true /* testIpv6Only */, false /* requiresValidation */, + false /* testSessionKey */, false /* testIkeTunConnParams */); + } - // Requires shell permission to update appops. 
- runWithShellPermissionIdentity( - new TestNetworkRunnable(new VerifyStartStopVpnProfileTest( - true /* testIpv6Only */, false /* requiresValidation */, - false /* testSessionKey */))); - runWithShellPermissionIdentity( - new TestNetworkRunnable(new VerifyStartStopVpnProfileTest( - true /* testIpv6Only */, true /* requiresValidation */, - false /* testSessionKey */))); + @Test @IgnoreUpTo(SC_V2) + public void testStartStopVpnProfileV6WithValidation() throws Exception { + assumeTrue(TestUtils.shouldTestTApis()); + doTestStartStopVpnProfile(true /* testIpv6Only */, true /* requiresValidation */, + false /* testSessionKey */, false /* testIkeTunConnParams */); + } + + @Test @IgnoreUpTo(SC_V2) + public void testStartStopVpnProfileIkeTunConnParamsV4() throws Exception { + assumeTrue(TestUtils.shouldTestTApis()); + doTestStartStopVpnProfile(false /* testIpv6Only */, false /* requiresValidation */, + false /* testSessionKey */, true /* testIkeTunConnParams */); + } + + @Test @IgnoreUpTo(SC_V2) + public void testStartStopVpnProfileIkeTunConnParamsV4WithValidation() throws Exception { + assumeTrue(TestUtils.shouldTestTApis()); + doTestStartStopVpnProfile(false /* testIpv6Only */, true /* requiresValidation */, + false /* testSessionKey */, true /* testIkeTunConnParams */); + } + + @Test @IgnoreUpTo(SC_V2) + public void testStartStopVpnProfileIkeTunConnParamsV6() throws Exception { + assumeTrue(TestUtils.shouldTestTApis()); + doTestStartStopVpnProfile(true /* testIpv6Only */, false /* requiresValidation */, + false /* testSessionKey */, true /* testIkeTunConnParams */); + } + + @Test @IgnoreUpTo(SC_V2) + public void testStartStopVpnProfileIkeTunConnParamsV6WithValidation() throws Exception { + assumeTrue(TestUtils.shouldTestTApis()); + doTestStartStopVpnProfile(true /* testIpv6Only */, true /* requiresValidation */, + false /* testSessionKey */, true /* testIkeTunConnParams */); } @IgnoreUpTo(SC_V2) @Test - public void testStartProvisionedVpnProfileSession() throws 
Exception { - assumeTrue(mCtsNetUtils.hasIpsecTunnelsFeature()); + public void testStartProvisionedVpnV4ProfileSession() throws Exception { assumeTrue(TestUtils.shouldTestTApis()); + doTestStartStopVpnProfile(false /* testIpv6Only */, false /* requiresValidation */, + true /* testSessionKey */, false /* testIkeTunConnParams */); + } - // Requires shell permission to update appops. - runWithShellPermissionIdentity( - new TestNetworkRunnable(new VerifyStartStopVpnProfileTest( - false /* testIpv6Only */, false /* requiresValidation */, - true /* testSessionKey */))); - - runWithShellPermissionIdentity( - new TestNetworkRunnable(new VerifyStartStopVpnProfileTest( - true /* testIpv6Only */, false /* requiresValidation */, - true /* testSessionKey */))); + @IgnoreUpTo(SC_V2) + @Test + public void testStartProvisionedVpnV6ProfileSession() throws Exception { + assumeTrue(TestUtils.shouldTestTApis()); + doTestStartStopVpnProfile(true /* testIpv6Only */, false /* requiresValidation */, + true /* testSessionKey */, false /* testIkeTunConnParams */); } private static class CertificateAndKey { diff --git a/tests/cts/net/util/java/android/net/cts/util/IkeSessionTestUtils.java b/tests/cts/net/util/java/android/net/cts/util/IkeSessionTestUtils.java index b4ebcdb611..244bfc51fd 100644 --- a/tests/cts/net/util/java/android/net/cts/util/IkeSessionTestUtils.java +++ b/tests/cts/net/util/java/android/net/cts/util/IkeSessionTestUtils.java 
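Review bot: No new case sets both `testSessionKey` and `testIkeTunConnParams`, so starting a profile built from `IkeTunnelConnectionParams` through the session-key path is not exercised by the tests added here. If that combination is supported, a V4/V6 pair calling `doTestStartStopVpnProfile(..., true /* testSessionKey */, true /* testIkeTunConnParams */)` would close the gap. On style, `doTestStartStopVpnProfile` has a stray space in `testSessionKey , testIkeTunConnParams`, and the annotation order differs between `@Test @IgnoreUpTo(SC_V2)` on one line and `@IgnoreUpTo(SC_V2)` followed by `@Test` on two lines.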
@@ -16,44 +16,73 @@ package android.net.cts.util; +import static android.net.ipsec.ike.SaProposal.DH_GROUP_4096_BIT_MODP; +import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_CBC; +import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_GCM_12; +import static android.net.ipsec.ike.SaProposal.INTEGRITY_ALGORITHM_HMAC_SHA2_256_128; import static android.net.ipsec.ike.SaProposal.KEY_LEN_AES_128; -import static android.net.ipsec.ike.SaProposal.KEY_LEN_UNUSED; +import static android.net.ipsec.ike.SaProposal.KEY_LEN_AES_256; +import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC; +import android.net.InetAddresses; import android.net.ipsec.ike.ChildSaProposal; import android.net.ipsec.ike.IkeFqdnIdentification; +import android.net.ipsec.ike.IkeIpv4AddrIdentification; +import android.net.ipsec.ike.IkeIpv6AddrIdentification; import android.net.ipsec.ike.IkeSaProposal; import android.net.ipsec.ike.IkeSessionParams; -import android.net.ipsec.ike.SaProposal; import android.net.ipsec.ike.TunnelModeChildSessionParams; +import java.net.Inet4Address; +import java.net.Inet6Address; +import java.net.InetAddress; + /** Shared testing parameters and util methods for testing IKE */ public class IkeSessionTestUtils { - private static final String TEST_CLIENT_ADDR = "test.client.com"; - private static final String TEST_SERVER_ADDR = "test.server.com"; - private static final String TEST_SERVER = "2001:0db8:85a3:0000:0000:8a2e:0370:7334"; + private static final String TEST_SERVER_ADDR_V4 = "192.0.2.2"; + private static final String TEST_SERVER_ADDR_V6 = "2001:db8::2"; + private static final String TEST_IDENTITY = "client.cts.android.com"; + private static final byte[] TEST_PSK = "ikeAndroidPsk".getBytes(); + public static final IkeSessionParams IKE_PARAMS_V4 = getTestIkeSessionParams(false); + public static final IkeSessionParams IKE_PARAMS_V6 = getTestIkeSessionParams(true); - public static final IkeSaProposal SA_PROPOSAL = 
new IkeSaProposal.Builder() - .addEncryptionAlgorithm(SaProposal.ENCRYPTION_ALGORITHM_3DES, KEY_LEN_UNUSED) - .addIntegrityAlgorithm(SaProposal.INTEGRITY_ALGORITHM_HMAC_SHA1_96) - .addPseudorandomFunction(SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC) - .addDhGroup(SaProposal.DH_GROUP_1024_BIT_MODP) - .build(); - public static final ChildSaProposal CHILD_PROPOSAL = new ChildSaProposal.Builder() - .addEncryptionAlgorithm(SaProposal.ENCRYPTION_ALGORITHM_AES_CBC, KEY_LEN_AES_128) - .addIntegrityAlgorithm(SaProposal.INTEGRITY_ALGORITHM_NONE) - .addDhGroup(SaProposal.DH_GROUP_1024_BIT_MODP) - .build(); + public static final TunnelModeChildSessionParams CHILD_PARAMS = getChildSessionParams(); - public static final IkeSessionParams IKE_PARAMS = - new IkeSessionParams.Builder() - .setServerHostname(TEST_SERVER) - .addSaProposal(SA_PROPOSAL) - .setLocalIdentification(new IkeFqdnIdentification(TEST_CLIENT_ADDR)) - .setRemoteIdentification(new IkeFqdnIdentification(TEST_SERVER_ADDR)) - .setAuthPsk("psk".getBytes()) - .build(); - public static final TunnelModeChildSessionParams CHILD_PARAMS = - new TunnelModeChildSessionParams.Builder() - .addSaProposal(CHILD_PROPOSAL) - .build(); + private static TunnelModeChildSessionParams getChildSessionParams() { + final TunnelModeChildSessionParams.Builder childOptionsBuilder = + new TunnelModeChildSessionParams.Builder() + .addSaProposal(getChildSaProposals()); + + return childOptionsBuilder.build(); + } + + private static IkeSessionParams getTestIkeSessionParams(boolean testIpv6) { + final String testServer = testIpv6 ? TEST_SERVER_ADDR_V6 : TEST_SERVER_ADDR_V4; + final InetAddress addr = InetAddresses.parseNumericAddress(testServer); + final IkeSessionParams.Builder ikeOptionsBuilder = + new IkeSessionParams.Builder() + .setServerHostname(testServer) + .setLocalIdentification(new IkeFqdnIdentification(TEST_IDENTITY)) + .setRemoteIdentification(testIpv6 + ? 
new IkeIpv6AddrIdentification((Inet6Address) addr) + : new IkeIpv4AddrIdentification((Inet4Address) addr)) + .setAuthPsk(TEST_PSK) + .addSaProposal(getIkeSaProposals()); + + return ikeOptionsBuilder.build(); + } + + private static IkeSaProposal getIkeSaProposals() { + return new IkeSaProposal.Builder() + .addEncryptionAlgorithm(ENCRYPTION_ALGORITHM_AES_CBC, KEY_LEN_AES_256) + .addIntegrityAlgorithm(INTEGRITY_ALGORITHM_HMAC_SHA2_256_128) + .addDhGroup(DH_GROUP_4096_BIT_MODP) + .addPseudorandomFunction(PSEUDORANDOM_FUNCTION_AES128_XCBC).build(); + } + + private static ChildSaProposal getChildSaProposals() { + return new ChildSaProposal.Builder() + .addEncryptionAlgorithm(ENCRYPTION_ALGORITHM_AES_GCM_12, KEY_LEN_AES_128) + .build(); + } } diff --git a/tests/unit/java/android/net/Ikev2VpnProfileTest.java b/tests/unit/java/android/net/Ikev2VpnProfileTest.java index 8222ca1482..5cb014f106 100644 --- a/tests/unit/java/android/net/Ikev2VpnProfileTest.java +++ b/tests/unit/java/android/net/Ikev2VpnProfileTest.java @@ -17,7 +17,7 @@ package android.net; import static android.net.cts.util.IkeSessionTestUtils.CHILD_PARAMS; -import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS; +import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS_V6; import static com.android.testutils.DevSdkIgnoreRuleKt.SC_V2; @@ -448,7 +448,7 @@ public class Ikev2VpnProfileTest { @Test public void testConversionIsLosslessWithIkeTunConnParams() throws Exception { final IkeTunnelConnectionParams tunnelParams = - new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS); + new IkeTunnelConnectionParams(IKE_PARAMS_V6, CHILD_PARAMS); // Config authentication related fields is not required while building with // IkeTunnelConnectionParams. final Ikev2VpnProfile ikeProfile = new Ikev2VpnProfile.Builder(tunnelParams).build(); 
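Review bot: `TEST_PSK` is built with `"ikeAndroidPsk".getBytes()`, which encodes with the platform default charset; naming the charset, `"ikeAndroidPsk".getBytes(StandardCharsets.UTF_8)` with an import of `java.nio.charset.StandardCharsets`, keeps the key bytes identical wherever this utility is compiled and run. `IKE_PARAMS_V4` and `IKE_PARAMS_V6` are now initialised by a static method call that reads `TEST_PSK`, which is not a compile-time constant, so they depend on it being declared first. A one-line comment such as `// Must stay below TEST_PSK: static initialisers run in declaration order.` would protect against a later reordering. `getIkeSaProposals()` and `getChildSaProposals()` each return a single proposal, so singular names would read more accurately.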
@@ -464,9 +464,9 @@ public class Ikev2VpnProfileTest { // Verify building with IkeTunnelConnectionParams final IkeTunnelConnectionParams tunnelParams = - new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS); + new IkeTunnelConnectionParams(IKE_PARAMS_V6, CHILD_PARAMS); final IkeTunnelConnectionParams tunnelParams2 = - new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS); + new IkeTunnelConnectionParams(IKE_PARAMS_V6, CHILD_PARAMS); assertEquals(new Ikev2VpnProfile.Builder(tunnelParams).build(), new Ikev2VpnProfile.Builder(tunnelParams2).build()); } diff --git a/tests/unit/java/com/android/internal/net/VpnProfileTest.java b/tests/unit/java/com/android/internal/net/VpnProfileTest.java index 360390dfb9..0a6d2f25cc 100644 --- a/tests/unit/java/com/android/internal/net/VpnProfileTest.java +++ b/tests/unit/java/com/android/internal/net/VpnProfileTest.java @@ -17,7 +17,7 @@ package com.android.internal.net; import static android.net.cts.util.IkeSessionTestUtils.CHILD_PARAMS; -import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS; +import static android.net.cts.util.IkeSessionTestUtils.IKE_PARAMS_V4; import static com.android.modules.utils.build.SdkLevel.isAtLeastT; import static com.android.testutils.ParcelUtils.assertParcelSane; @@ -128,7 +128,7 @@ public class VpnProfileTest { private VpnProfile getSampleIkev2ProfileWithIkeTunConnParams(String key) { final VpnProfile p = new VpnProfile(key, true /* isRestrictedToTestNetworks */, false /* excludesLocalRoutes */, true /* requiresPlatformValidation */, - new IkeTunnelConnectionParams(IKE_PARAMS, CHILD_PARAMS)); + new IkeTunnelConnectionParams(IKE_PARAMS_V4, CHILD_PARAMS)); p.name = "foo"; p.server = "bar";