Add validation to IpSecConfig algorithm setters
Adds checks to ensure that users can only set the correct types of algorithms for the Authentication, Encryption and Authenticated Encryption algorithms. Bug: 65223935 Test: Added tests in IpSecConfigTest, and passed on aosp_marlin-eng Change-Id: I462c77d9eb5710b8d03a48866453649d3b6fc6bf
@@ -231,6 +231,31 @@ public final class IpSecAlgorithm implements Parcelable {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/** @hide */
|
||||||
|
public boolean isAuthentication() {
|
||||||
|
switch (getName()) {
|
||||||
|
// Fallthrough
|
||||||
|
case AUTH_HMAC_MD5:
|
||||||
|
case AUTH_HMAC_SHA1:
|
||||||
|
case AUTH_HMAC_SHA256:
|
||||||
|
case AUTH_HMAC_SHA384:
|
||||||
|
case AUTH_HMAC_SHA512:
|
||||||
|
return true;
|
||||||
|
default:
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/** @hide */
|
||||||
|
public boolean isEncryption() {
|
||||||
|
return getName().equals(CRYPT_AES_CBC);
|
||||||
|
}
|
||||||
|
|
||||||
|
/** @hide */
|
||||||
|
public boolean isAead() {
|
||||||
|
return getName().equals(AUTH_CRYPT_AES_GCM);
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String toString() {
|
public String toString() {
|
||||||
return new StringBuilder()
|
return new StringBuilder()
|
||||||
|
|||||||
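Review bot: `isAuthentication()` switches on `getName()` and `isEncryption()`/`isAead()` call `getName().equals(...)`, so all three throw NullPointerException when the name is null instead of returning false. The class is Parcelable and, in this commit, `validateAlgorithms` in IpSecService calls these predicates on caller-supplied configs, so unless the constructor or unparcelling path (not visible here) rejects a null name, a malformed algorithm surfaces as an NPE rather than the intended IllegalArgumentException. Putting the constant first avoids that, `return CRYPT_AES_CBC.equals(getName());` and `return AUTH_CRYPT_AES_GCM.equals(getName());`, with a null guard before the `switch`. The predicates also classify by name only, so the bare `/** @hide */` comments should say that key and truncation lengths are not checked here.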
@@ -51,6 +51,7 @@ import android.util.SparseArray;
|
|||||||
|
|
||||||
import com.android.internal.annotations.GuardedBy;
|
import com.android.internal.annotations.GuardedBy;
|
||||||
import com.android.internal.annotations.VisibleForTesting;
|
import com.android.internal.annotations.VisibleForTesting;
|
||||||
|
import com.android.internal.util.Preconditions;
|
||||||
|
|
||||||
import java.io.FileDescriptor;
|
import java.io.FileDescriptor;
|
||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
@@ -1023,6 +1024,30 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
releaseResource(userRecord.mEncapSocketRecords, resourceId);
|
releaseResource(userRecord.mEncapSocketRecords, resourceId);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@VisibleForTesting
|
||||||
|
void validateAlgorithms(IpSecConfig config, int direction) throws IllegalArgumentException {
|
||||||
|
IpSecAlgorithm auth = config.getAuthentication(direction);
|
||||||
|
IpSecAlgorithm crypt = config.getEncryption(direction);
|
||||||
|
IpSecAlgorithm aead = config.getAuthenticatedEncryption(direction);
|
||||||
|
|
||||||
|
// Validate the algorithm set
|
||||||
|
Preconditions.checkArgument(
|
||||||
|
aead != null || crypt != null || auth != null,
|
||||||
|
"No Encryption or Authentication algorithms specified");
|
||||||
|
Preconditions.checkArgument(
|
||||||
|
auth == null || auth.isAuthentication(),
|
||||||
|
"Unsupported algorithm for Authentication");
|
||||||
|
Preconditions.checkArgument(
|
||||||
|
crypt == null || crypt.isEncryption(), "Unsupported algorithm for Encryption");
|
||||||
|
Preconditions.checkArgument(
|
||||||
|
aead == null || aead.isAead(),
|
||||||
|
"Unsupported algorithm for Authenticated Encryption");
|
||||||
|
Preconditions.checkArgument(
|
||||||
|
aead == null || (auth == null && crypt == null),
|
||||||
|
"Authenticated Encryption is mutually exclusive with other Authentication "
|
||||||
|
+ "or Encryption algorithms");
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Checks an IpSecConfig parcel to ensure that the contents are sane and throws an
|
* Checks an IpSecConfig parcel to ensure that the contents are sane and throws an
|
||||||
* IllegalArgumentException if they are not.
|
* IllegalArgumentException if they are not.
|
||||||
@@ -1072,17 +1097,7 @@ public class IpSecService extends IIpSecService.Stub {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for (int direction : DIRECTIONS) {
|
for (int direction : DIRECTIONS) {
|
||||||
IpSecAlgorithm crypt = config.getEncryption(direction);
|
validateAlgorithms(config, direction);
|
||||||
IpSecAlgorithm auth = config.getAuthentication(direction);
|
|
||||||
IpSecAlgorithm authenticatedEncryption = config.getAuthenticatedEncryption(direction);
|
|
||||||
if (authenticatedEncryption == null && crypt == null && auth == null) {
|
|
||||||
throw new IllegalArgumentException(
|
|
||||||
"No Encryption or Authentication algorithms specified");
|
|
||||||
} else if (authenticatedEncryption != null && (auth != null || crypt != null)) {
|
|
||||||
throw new IllegalArgumentException(
|
|
||||||
"Authenticated Encryption is mutually"
|
|
||||||
+ " exclusive with other Authentication or Encryption algorithms");
|
|
||||||
}
|
|
||||||
|
|
||||||
// Retrieve SPI record; will throw IllegalArgumentException if not found
|
// Retrieve SPI record; will throw IllegalArgumentException if not found
|
||||||
userRecord.mSpiRecords.getResourceOrThrow(config.getSpiResourceId(direction));
|
userRecord.mSpiRecords.getResourceOrThrow(config.getSpiResourceId(direction));
|
||||||
|
|||||||
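Review bot: `validateAlgorithms` still accepts a config where `crypt` is set and both `auth` and `aead` are null, because the first check only requires one of the three to be non-null. With `isEncryption()` matching only CRYPT_AES_CBC, that is a CBC transform with no integrity protection. The removed inline checks behaved the same way, so this may be deliberate; if it is, a comment above the first `checkArgument` should say that encryption-only transforms are allowed, and if it is not, add `Preconditions.checkArgument(crypt == null || auth != null, "Encryption requires an Authentication algorithm");`. The messages would also be easier to act on if they named the direction being validated.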