Merge changes Ib3e80315,If19fb12c,Ic50d70f3 into rvc-dev

* changes: Test setting config requests for TunnelModeChildSessionParams Test setting proposal, TS and lifetime for ChildSessionParams Add CTS for building IKE and Child SaProposal
2020-04-16 17:24:17 +00:00
parent 3d4d6bf577 5e89d115fb
commit 6742ce7ab1
3 changed files with 579 additions and 3 deletions
--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/ChildSessionParamsTest.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/ChildSessionParamsTest.java
@@ -0,0 +1,230 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net.ipsec.ike.cts;
+
+import static android.system.OsConstants.AF_INET;
+import static android.system.OsConstants.AF_INET6;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import android.net.LinkAddress;
+import android.net.ipsec.ike.ChildSaProposal;
+import android.net.ipsec.ike.ChildSessionParams;
+import android.net.ipsec.ike.TransportModeChildSessionParams;
+import android.net.ipsec.ike.TunnelModeChildSessionParams;
+import android.net.ipsec.ike.TunnelModeChildSessionParams.ConfigRequestIpv4Address;
+import android.net.ipsec.ike.TunnelModeChildSessionParams.ConfigRequestIpv4DhcpServer;
+import android.net.ipsec.ike.TunnelModeChildSessionParams.ConfigRequestIpv4DnsServer;
+import android.net.ipsec.ike.TunnelModeChildSessionParams.ConfigRequestIpv4Netmask;
+import android.net.ipsec.ike.TunnelModeChildSessionParams.ConfigRequestIpv6Address;
+import android.net.ipsec.ike.TunnelModeChildSessionParams.ConfigRequestIpv6DnsServer;
+import android.net.ipsec.ike.TunnelModeChildSessionParams.TunnelModeChildConfigRequest;
+
+import androidx.test.ext.junit.runners.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.net.Inet4Address;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+import java.util.concurrent.TimeUnit;
+
+@RunWith(AndroidJUnit4.class)
+public class ChildSessionParamsTest extends IkeTestBase {
+    private static final int HARD_LIFETIME_SECONDS = (int) TimeUnit.HOURS.toSeconds(3L);
+    private static final int SOFT_LIFETIME_SECONDS = (int) TimeUnit.HOURS.toSeconds(1L);
+
+    // Random proposal. Content doesn't matter
+    private final ChildSaProposal mSaProposal =
+            SaProposalTest.buildChildSaProposalWithCombinedModeCipher();
+
+    private void verifyTunnelModeChildParamsWithDefaultValues(ChildSessionParams childParams) {
+        assertTrue(childParams instanceof TunnelModeChildSessionParams);
+        verifyChildParamsWithDefaultValues(childParams);
+    }
+
+    private void verifyTunnelModeChildParamsWithCustomizedValues(ChildSessionParams childParams) {
+        assertTrue(childParams instanceof TunnelModeChildSessionParams);
+        verifyChildParamsWithCustomizedValues(childParams);
+    }
+
+    private void verifyTransportModeChildParamsWithDefaultValues(ChildSessionParams childParams) {
+        assertTrue(childParams instanceof TransportModeChildSessionParams);
+        verifyChildParamsWithDefaultValues(childParams);
+    }
+
+    private void verifyTransportModeChildParamsWithCustomizedValues(
+            ChildSessionParams childParams) {
+        assertTrue(childParams instanceof TransportModeChildSessionParams);
+        verifyChildParamsWithCustomizedValues(childParams);
+    }
+
+    private void verifyChildParamsWithDefaultValues(ChildSessionParams childParams) {
+        assertEquals(Arrays.asList(mSaProposal), childParams.getSaProposals());
+
+        // Do not do assertEquals to the default values to be avoid being a change-detector test
+        assertTrue(childParams.getHardLifetimeSeconds() > childParams.getSoftLifetimeSeconds());
+        assertTrue(childParams.getSoftLifetimeSeconds() > 0);
+
+        assertEquals(
+                Arrays.asList(DEFAULT_V4_TS, DEFAULT_V6_TS),
+                childParams.getInboundTrafficSelectors());
+        assertEquals(
+                Arrays.asList(DEFAULT_V4_TS, DEFAULT_V6_TS),
+                childParams.getOutboundTrafficSelectors());
+    }
+
+    private void verifyChildParamsWithCustomizedValues(ChildSessionParams childParams) {
+        assertEquals(Arrays.asList(mSaProposal), childParams.getSaProposals());
+
+        assertEquals(HARD_LIFETIME_SECONDS, childParams.getHardLifetimeSeconds());
+        assertEquals(SOFT_LIFETIME_SECONDS, childParams.getSoftLifetimeSeconds());
+
+        assertEquals(
+                Arrays.asList(INBOUND_V4_TS, INBOUND_V6_TS),
+                childParams.getInboundTrafficSelectors());
+        assertEquals(
+                Arrays.asList(OUTBOUND_V4_TS, OUTBOUND_V6_TS),
+                childParams.getOutboundTrafficSelectors());
+    }
+
+    @Test
+    public void testBuildTransportModeParamsWithDefaultValues() {
+        TransportModeChildSessionParams childParams =
+                new TransportModeChildSessionParams.Builder().addSaProposal(mSaProposal).build();
+
+        verifyTransportModeChildParamsWithDefaultValues(childParams);
+    }
+
+    @Test
+    public void testBuildTunnelModeParamsWithDefaultValues() {
+        TunnelModeChildSessionParams childParams =
+                new TunnelModeChildSessionParams.Builder().addSaProposal(mSaProposal).build();
+
+        verifyTunnelModeChildParamsWithDefaultValues(childParams);
+        assertTrue(childParams.getConfigurationRequests().isEmpty());
+    }
+
+    @Test
+    public void testBuildTransportModeParamsWithCustomizedValues() {
+        TransportModeChildSessionParams childParams =
+                new TransportModeChildSessionParams.Builder()
+                        .addSaProposal(mSaProposal)
+                        .setLifetimeSeconds(HARD_LIFETIME_SECONDS, SOFT_LIFETIME_SECONDS)
+                        .addInboundTrafficSelectors(INBOUND_V4_TS)
+                        .addInboundTrafficSelectors(INBOUND_V6_TS)
+                        .addOutboundTrafficSelectors(OUTBOUND_V4_TS)
+                        .addOutboundTrafficSelectors(OUTBOUND_V6_TS)
+                        .build();
+
+        verifyTransportModeChildParamsWithCustomizedValues(childParams);
+    }
+
+    @Test
+    public void testBuildTunnelModeParamsWithCustomizedValues() {
+        TunnelModeChildSessionParams childParams =
+                new TunnelModeChildSessionParams.Builder()
+                        .addSaProposal(mSaProposal)
+                        .setLifetimeSeconds(HARD_LIFETIME_SECONDS, SOFT_LIFETIME_SECONDS)
+                        .addInboundTrafficSelectors(INBOUND_V4_TS)
+                        .addInboundTrafficSelectors(INBOUND_V6_TS)
+                        .addOutboundTrafficSelectors(OUTBOUND_V4_TS)
+                        .addOutboundTrafficSelectors(OUTBOUND_V6_TS)
+                        .build();
+
+        verifyTunnelModeChildParamsWithCustomizedValues(childParams);
+    }
+
+    @Test
+    public void testBuildChildSessionParamsWithConfigReq() {
+        TunnelModeChildSessionParams childParams =
+                new TunnelModeChildSessionParams.Builder()
+                        .addSaProposal(mSaProposal)
+                        .addInternalAddressRequest(AF_INET)
+                        .addInternalAddressRequest(AF_INET6)
+                        .addInternalAddressRequest(AF_INET6)
+                        .addInternalAddressRequest(IPV4_ADDRESS_REMOTE)
+                        .addInternalAddressRequest(IPV6_ADDRESS_REMOTE, IP6_PREFIX_LEN)
+                        .addInternalDnsServerRequest(AF_INET)
+                        .addInternalDnsServerRequest(AF_INET6)
+                        .addInternalDhcpServerRequest(AF_INET)
+                        .addInternalDhcpServerRequest(AF_INET)
+                        .build();
+
+        verifyTunnelModeChildParamsWithDefaultValues(childParams);
+
+        // Verify config request types and number of requests for each type
+        Map<Class<? extends TunnelModeChildConfigRequest>, Integer> expectedAttributeCounts =
+                new HashMap<>();
+        expectedAttributeCounts.put(ConfigRequestIpv4Address.class, 2);
+        expectedAttributeCounts.put(ConfigRequestIpv6Address.class, 3);
+        expectedAttributeCounts.put(ConfigRequestIpv4Netmask.class, 1);
+        expectedAttributeCounts.put(ConfigRequestIpv4DnsServer.class, 1);
+        expectedAttributeCounts.put(ConfigRequestIpv6DnsServer.class, 1);
+        expectedAttributeCounts.put(ConfigRequestIpv4DhcpServer.class, 2);
+        verifyConfigRequestTypes(expectedAttributeCounts, childParams.getConfigurationRequests());
+
+        // Verify specific IPv4 address request
+        Set<Inet4Address> expectedV4Addresses = new HashSet<>();
+        expectedV4Addresses.add(IPV4_ADDRESS_REMOTE);
+        verifySpecificV4AddrConfigReq(expectedV4Addresses, childParams);
+
+        // Verify specific IPv6 address request
+        Set<LinkAddress> expectedV6Addresses = new HashSet<>();
+        expectedV6Addresses.add(new LinkAddress(IPV6_ADDRESS_REMOTE, IP6_PREFIX_LEN));
+        verifySpecificV6AddrConfigReq(expectedV6Addresses, childParams);
+    }
+
+    protected void verifySpecificV4AddrConfigReq(
+            Set<Inet4Address> expectedAddresses, TunnelModeChildSessionParams childParams) {
+        for (TunnelModeChildConfigRequest req : childParams.getConfigurationRequests()) {
+            if (req instanceof ConfigRequestIpv4Address
+                    && ((ConfigRequestIpv4Address) req).getAddress() != null) {
+                Inet4Address address = ((ConfigRequestIpv4Address) req).getAddress();
+
+                // Fail if expectedAddresses does not contain this address
+                assertTrue(expectedAddresses.remove(address));
+            }
+        }
+
+        // Fail if any expected address is not found in result
+        assertTrue(expectedAddresses.isEmpty());
+    }
+
+    protected void verifySpecificV6AddrConfigReq(
+            Set<LinkAddress> expectedAddresses, TunnelModeChildSessionParams childParams) {
+        for (TunnelModeChildConfigRequest req : childParams.getConfigurationRequests()) {
+            if (req instanceof ConfigRequestIpv6Address
+                    && ((ConfigRequestIpv6Address) req).getAddress() != null) {
+                ConfigRequestIpv6Address ipv6AddrReq = (ConfigRequestIpv6Address) req;
+
+                // Fail if expectedAddresses does not contain this address
+                LinkAddress address =
+                        new LinkAddress(ipv6AddrReq.getAddress(), ipv6AddrReq.getPrefixLength());
+                assertTrue(expectedAddresses.remove(address));
+            }
+        }
+
+        // Fail if any expected address is not found in result
+        assertTrue(expectedAddresses.isEmpty());
+    }
+}
--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeTestBase.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeTestBase.java
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net.ipsec.ike.cts;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.fail;
+
+import android.net.InetAddresses;
+import android.net.ipsec.ike.IkeTrafficSelector;
+
+import java.net.Inet4Address;
+import java.net.Inet6Address;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+/** Shared parameters and util methods for testing different components of IKE */
+abstract class IkeTestBase {
+    private static final int MIN_PORT = 0;
+    private static final int MAX_PORT = 65535;
+    private static final int INBOUND_TS_START_PORT = MIN_PORT;
+    private static final int INBOUND_TS_END_PORT = 65520;
+    private static final int OUTBOUND_TS_START_PORT = 16;
+    private static final int OUTBOUND_TS_END_PORT = MAX_PORT;
+
+    static final int IP4_PREFIX_LEN = 32;
+    static final int IP6_PREFIX_LEN = 64;
+
+    static final Inet4Address IPV4_ADDRESS_LOCAL =
+            (Inet4Address) (InetAddresses.parseNumericAddress("192.0.2.100"));
+    static final Inet4Address IPV4_ADDRESS_REMOTE =
+            (Inet4Address) (InetAddresses.parseNumericAddress("198.51.100.100"));
+    static final Inet6Address IPV6_ADDRESS_LOCAL =
+            (Inet6Address) (InetAddresses.parseNumericAddress("2001:db8::100"));
+    static final Inet6Address IPV6_ADDRESS_REMOTE =
+            (Inet6Address) (InetAddresses.parseNumericAddress("2001:db8:255::100"));
+
+    static final IkeTrafficSelector DEFAULT_V4_TS =
+            new IkeTrafficSelector(
+                    MIN_PORT,
+                    MAX_PORT,
+                    InetAddresses.parseNumericAddress("0.0.0.0"),
+                    InetAddresses.parseNumericAddress("255.255.255.255"));
+    static final IkeTrafficSelector DEFAULT_V6_TS =
+            new IkeTrafficSelector(
+                    MIN_PORT,
+                    MAX_PORT,
+                    InetAddresses.parseNumericAddress("::"),
+                    InetAddresses.parseNumericAddress("ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff"));
+    static final IkeTrafficSelector INBOUND_V4_TS =
+            new IkeTrafficSelector(
+                    INBOUND_TS_START_PORT,
+                    INBOUND_TS_END_PORT,
+                    InetAddresses.parseNumericAddress("192.0.2.10"),
+                    InetAddresses.parseNumericAddress("192.0.2.20"));
+    static final IkeTrafficSelector OUTBOUND_V4_TS =
+            new IkeTrafficSelector(
+                    OUTBOUND_TS_START_PORT,
+                    OUTBOUND_TS_END_PORT,
+                    InetAddresses.parseNumericAddress("198.51.100.0"),
+                    InetAddresses.parseNumericAddress("198.51.100.255"));
+
+    static final IkeTrafficSelector INBOUND_V6_TS =
+            new IkeTrafficSelector(
+                    INBOUND_TS_START_PORT,
+                    INBOUND_TS_END_PORT,
+                    InetAddresses.parseNumericAddress("2001:db8::10"),
+                    InetAddresses.parseNumericAddress("2001:db8::128"));
+    static final IkeTrafficSelector OUTBOUND_V6_TS =
+            new IkeTrafficSelector(
+                    OUTBOUND_TS_START_PORT,
+                    OUTBOUND_TS_END_PORT,
+                    InetAddresses.parseNumericAddress("2001:db8:255::64"),
+                    InetAddresses.parseNumericAddress("2001:db8:255::255"));
+
+    // Verify Config requests in TunnelModeChildSessionParams and IkeSessionParams
+    <T> void verifyConfigRequestTypes(
+            Map<Class<? extends T>, Integer> expectedReqCntMap, List<? extends T> resultReqList) {
+        Map<Class<? extends T>, Integer> resultReqCntMap = new HashMap<>();
+
+        // Verify that every config request type in resultReqList is expected, and build
+        // resultReqCntMap at the same time
+        for (T resultReq : resultReqList) {
+            boolean isResultReqExpected = false;
+
+            for (Class<? extends T> expectedReqInterface : expectedReqCntMap.keySet()) {
+                if (expectedReqInterface.isInstance(resultReq)) {
+                    isResultReqExpected = true;
+
+                    resultReqCntMap.put(
+                            expectedReqInterface,
+                            resultReqCntMap.getOrDefault(expectedReqInterface, 0) + 1);
+                }
+            }
+
+            if (!isResultReqExpected) {
+                fail("Failed due to unexpected config request " + resultReq);
+            }
+        }
+
+        assertEquals(expectedReqCntMap, resultReqCntMap);
+
+        // TODO: Think of a neat way to validate both counts and values in this method. Probably can
+        // build Runnables as validators for count and values.
+    }
+}
--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/SaProposalTest.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/SaProposalTest.java
@@ -16,15 +16,241 @@

 package android.net.ipsec.ike.cts;

+import static android.net.ipsec.ike.SaProposal.DH_GROUP_1024_BIT_MODP;
+import static android.net.ipsec.ike.SaProposal.DH_GROUP_2048_BIT_MODP;
+import static android.net.ipsec.ike.SaProposal.DH_GROUP_NONE;
+import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_3DES;
+import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_CBC;
+import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_GCM_12;
+import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_GCM_16;
+import static android.net.ipsec.ike.SaProposal.ENCRYPTION_ALGORITHM_AES_GCM_8;
+import static android.net.ipsec.ike.SaProposal.INTEGRITY_ALGORITHM_AES_XCBC_96;
+import static android.net.ipsec.ike.SaProposal.INTEGRITY_ALGORITHM_HMAC_SHA1_96;
+import static android.net.ipsec.ike.SaProposal.INTEGRITY_ALGORITHM_HMAC_SHA2_256_128;
+import static android.net.ipsec.ike.SaProposal.INTEGRITY_ALGORITHM_HMAC_SHA2_384_192;
+import static android.net.ipsec.ike.SaProposal.INTEGRITY_ALGORITHM_HMAC_SHA2_512_256;
+import static android.net.ipsec.ike.SaProposal.INTEGRITY_ALGORITHM_NONE;
+import static android.net.ipsec.ike.SaProposal.KEY_LEN_AES_128;
+import static android.net.ipsec.ike.SaProposal.KEY_LEN_AES_192;
+import static android.net.ipsec.ike.SaProposal.KEY_LEN_AES_256;
+import static android.net.ipsec.ike.SaProposal.KEY_LEN_UNUSED;
+import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_AES128_XCBC;
+import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_HMAC_SHA1;
+import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_SHA2_256;
+import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_SHA2_384;
+import static android.net.ipsec.ike.SaProposal.PSEUDORANDOM_FUNCTION_SHA2_512;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+
+import android.net.ipsec.ike.ChildSaProposal;
+import android.net.ipsec.ike.IkeSaProposal;
+import android.util.Pair;
+
 import androidx.test.ext.junit.runners.AndroidJUnit4;

 import org.junit.Test;
 import org.junit.runner.RunWith;

+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
@RunWith(AndroidJUnit4.class)
 public class SaProposalTest {
-    @Test
-    public void testBuildIkeSaProposal() {
-        // TODO(b/148689509): Add real tests here
+    private static final List<Pair<Integer, Integer>> NORMAL_MODE_CIPHERS = new ArrayList<>();
+    private static final List<Pair<Integer, Integer>> COMBINED_MODE_CIPHERS = new ArrayList<>();
+    private static final List<Integer> INTEGRITY_ALGOS = new ArrayList<>();
+    private static final List<Integer> DH_GROUPS = new ArrayList<>();
+    private static final List<Integer> DH_GROUPS_WITH_NONE = new ArrayList<>();
+    private static final List<Integer> PRFS = new ArrayList<>();
+
+    static {
+        NORMAL_MODE_CIPHERS.add(new Pair<>(ENCRYPTION_ALGORITHM_3DES, KEY_LEN_UNUSED));
+        NORMAL_MODE_CIPHERS.add(new Pair<>(ENCRYPTION_ALGORITHM_AES_CBC, KEY_LEN_AES_128));
+        NORMAL_MODE_CIPHERS.add(new Pair<>(ENCRYPTION_ALGORITHM_AES_CBC, KEY_LEN_AES_192));
+        NORMAL_MODE_CIPHERS.add(new Pair<>(ENCRYPTION_ALGORITHM_AES_CBC, KEY_LEN_AES_256));
+
+        COMBINED_MODE_CIPHERS.add(new Pair<>(ENCRYPTION_ALGORITHM_AES_GCM_8, KEY_LEN_AES_128));
+        COMBINED_MODE_CIPHERS.add(new Pair<>(ENCRYPTION_ALGORITHM_AES_GCM_12, KEY_LEN_AES_192));
+        COMBINED_MODE_CIPHERS.add(new Pair<>(ENCRYPTION_ALGORITHM_AES_GCM_16, KEY_LEN_AES_256));
+
+        INTEGRITY_ALGOS.add(INTEGRITY_ALGORITHM_HMAC_SHA1_96);
+        INTEGRITY_ALGOS.add(INTEGRITY_ALGORITHM_AES_XCBC_96);
+        INTEGRITY_ALGOS.add(INTEGRITY_ALGORITHM_HMAC_SHA2_256_128);
+        INTEGRITY_ALGOS.add(INTEGRITY_ALGORITHM_HMAC_SHA2_384_192);
+        INTEGRITY_ALGOS.add(INTEGRITY_ALGORITHM_HMAC_SHA2_512_256);
+
+        DH_GROUPS.add(DH_GROUP_1024_BIT_MODP);
+        DH_GROUPS.add(DH_GROUP_2048_BIT_MODP);
+
+        DH_GROUPS_WITH_NONE.add(DH_GROUP_NONE);
+        DH_GROUPS_WITH_NONE.addAll(DH_GROUPS);
+
+        PRFS.add(PSEUDORANDOM_FUNCTION_HMAC_SHA1);
+        PRFS.add(PSEUDORANDOM_FUNCTION_AES128_XCBC);
+        PRFS.add(PSEUDORANDOM_FUNCTION_SHA2_256);
+        PRFS.add(PSEUDORANDOM_FUNCTION_SHA2_384);
+        PRFS.add(PSEUDORANDOM_FUNCTION_SHA2_512);
    }
+
+    // Package private
+    static IkeSaProposal buildIkeSaProposalWithNormalModeCipher() {
+        return buildIkeSaProposal(NORMAL_MODE_CIPHERS, INTEGRITY_ALGOS, PRFS, DH_GROUPS);
+    }
+
+    // Package private
+    static IkeSaProposal buildIkeSaProposalWithCombinedModeCipher() {
+        return buildIkeSaProposalWithCombinedModeCipher(true /* hasIntegrityNone */);
+    }
+
+    private static IkeSaProposal buildIkeSaProposalWithCombinedModeCipher(
+            boolean hasIntegrityNone) {
+        List<Integer> integerAlgos = new ArrayList<>();
+        if (hasIntegrityNone) {
+            integerAlgos.add(INTEGRITY_ALGORITHM_NONE);
+        }
+        return buildIkeSaProposal(COMBINED_MODE_CIPHERS, integerAlgos, PRFS, DH_GROUPS);
+    }
+
+    private static IkeSaProposal buildIkeSaProposal(
+            List<Pair<Integer, Integer>> ciphers,
+            List<Integer> integrityAlgos,
+            List<Integer> prfs,
+            List<Integer> dhGroups) {
+        IkeSaProposal.Builder builder = new IkeSaProposal.Builder();
+
+        for (Pair<Integer, Integer> pair : ciphers) {
+            builder.addEncryptionAlgorithm(pair.first, pair.second);
+        }
+        for (int algo : integrityAlgos) {
+            builder.addIntegrityAlgorithm(algo);
+        }
+        for (int algo : prfs) {
+            builder.addPseudorandomFunction(algo);
+        }
+        for (int algo : dhGroups) {
+            builder.addDhGroup(algo);
+        }
+
+        return builder.build();
+    }
+
+    // Package private
+    static ChildSaProposal buildChildSaProposalWithNormalModeCipher() {
+        return buildChildSaProposal(NORMAL_MODE_CIPHERS, INTEGRITY_ALGOS, DH_GROUPS_WITH_NONE);
+    }
+
+    // Package private
+    static ChildSaProposal buildChildSaProposalWithCombinedModeCipher() {
+        return buildChildSaProposalWithCombinedModeCipher(true /* hasIntegrityNone */);
+    }
+
+    private static ChildSaProposal buildChildSaProposalWithCombinedModeCipher(
+            boolean hasIntegrityNone) {
+        List<Integer> integerAlgos = new ArrayList<>();
+        if (hasIntegrityNone) {
+            integerAlgos.add(INTEGRITY_ALGORITHM_NONE);
+        }
+
+        return buildChildSaProposal(COMBINED_MODE_CIPHERS, integerAlgos, DH_GROUPS_WITH_NONE);
+    }
+
+    private static ChildSaProposal buildChildSaProposal(
+            List<Pair<Integer, Integer>> ciphers,
+            List<Integer> integrityAlgos,
+            List<Integer> dhGroups) {
+        ChildSaProposal.Builder builder = new ChildSaProposal.Builder();
+
+        for (Pair<Integer, Integer> pair : ciphers) {
+            builder.addEncryptionAlgorithm(pair.first, pair.second);
+        }
+        for (int algo : integrityAlgos) {
+            builder.addIntegrityAlgorithm(algo);
+        }
+        for (int algo : dhGroups) {
+            builder.addDhGroup(algo);
+        }
+
+        return builder.build();
+    }
+
+    // Package private
+    static ChildSaProposal buildChildSaProposalWithOnlyCiphers() {
+        return buildChildSaProposal(
+                COMBINED_MODE_CIPHERS, Collections.EMPTY_LIST, Collections.EMPTY_LIST);
+    }
+
+    @Test
+    public void testBuildIkeSaProposalWithNormalModeCipher() {
+        IkeSaProposal saProposal = buildIkeSaProposalWithNormalModeCipher();
+
+        assertEquals(NORMAL_MODE_CIPHERS, saProposal.getEncryptionAlgorithms());
+        assertEquals(INTEGRITY_ALGOS, saProposal.getIntegrityAlgorithms());
+        assertEquals(PRFS, saProposal.getPseudorandomFunctions());
+        assertEquals(DH_GROUPS, saProposal.getDhGroups());
+    }
+
+    @Test
+    public void testBuildIkeSaProposalWithCombinedModeCipher() {
+        IkeSaProposal saProposal =
+                buildIkeSaProposalWithCombinedModeCipher(false /* hasIntegrityNone */);
+
+        assertEquals(COMBINED_MODE_CIPHERS, saProposal.getEncryptionAlgorithms());
+        assertEquals(PRFS, saProposal.getPseudorandomFunctions());
+        assertEquals(DH_GROUPS, saProposal.getDhGroups());
+        assertTrue(saProposal.getIntegrityAlgorithms().isEmpty());
+    }
+
+    @Test
+    public void testBuildIkeSaProposalWithCombinedModeCipherAndIntegrityNone() {
+        IkeSaProposal saProposal =
+                buildIkeSaProposalWithCombinedModeCipher(true /* hasIntegrityNone */);
+
+        assertEquals(COMBINED_MODE_CIPHERS, saProposal.getEncryptionAlgorithms());
+        assertEquals(PRFS, saProposal.getPseudorandomFunctions());
+        assertEquals(DH_GROUPS, saProposal.getDhGroups());
+        assertEquals(Arrays.asList(INTEGRITY_ALGORITHM_NONE), saProposal.getIntegrityAlgorithms());
+    }
+
+    @Test
+    public void testBuildChildSaProposalWithNormalModeCipher() {
+        ChildSaProposal saProposal = buildChildSaProposalWithNormalModeCipher();
+
+        assertEquals(NORMAL_MODE_CIPHERS, saProposal.getEncryptionAlgorithms());
+        assertEquals(INTEGRITY_ALGOS, saProposal.getIntegrityAlgorithms());
+        assertEquals(DH_GROUPS_WITH_NONE, saProposal.getDhGroups());
+    }
+
+    @Test
+    public void testBuildChildProposalWithCombinedModeCipher() {
+        ChildSaProposal saProposal =
+                buildChildSaProposalWithCombinedModeCipher(false /* hasIntegrityNone */);
+
+        assertEquals(COMBINED_MODE_CIPHERS, saProposal.getEncryptionAlgorithms());
+        assertTrue(saProposal.getIntegrityAlgorithms().isEmpty());
+        assertEquals(DH_GROUPS_WITH_NONE, saProposal.getDhGroups());
+    }
+
+    @Test
+    public void testBuildChildProposalWithCombinedModeCipherAndIntegrityNone() {
+        ChildSaProposal saProposal =
+                buildChildSaProposalWithCombinedModeCipher(true /* hasIntegrityNone */);
+
+        assertEquals(COMBINED_MODE_CIPHERS, saProposal.getEncryptionAlgorithms());
+        assertEquals(Arrays.asList(INTEGRITY_ALGORITHM_NONE), saProposal.getIntegrityAlgorithms());
+        assertEquals(DH_GROUPS_WITH_NONE, saProposal.getDhGroups());
+    }
+
+    @Test
+    public void testBuildChildSaProposalWithOnlyCiphers() {
+        ChildSaProposal saProposal = buildChildSaProposalWithOnlyCiphers();
+
+        assertEquals(COMBINED_MODE_CIPHERS, saProposal.getEncryptionAlgorithms());
+        assertTrue(saProposal.getIntegrityAlgorithms().isEmpty());
+        assertTrue(saProposal.getDhGroups().isEmpty());
+    }
+
+    // TODO(b/148689509): Test throwing exception when algorithm combination is invalid
 }