From 7660370a8353e16d44ed7e33adc94d82cda554cb Mon Sep 17 00:00:00 2001
From: Benedict Wong
Date: Wed, 24 Jan 2018 15:31:39 -0800
Subject: [PATCH] Fix minor bugs with tunnel mode implementation
This change makes sure tunnel mode transforms are properly activated upon construction, and corrects bugs with how policy selectors were being generated for tunnel mode policies. Specifically, the source/destination could not be empty strings, even for cases where an empty selector was desired.
Bug: 72457770
Test: GTS tests run
Change-Id: I9a9f64c34b07883a02a5c996614f958486d214fc
---
 core/java/android/net/IpSecTransform.java | 2 +-
 .../java/com/android/server/IpSecService.java | 57 +++++++++++--------
 2 files changed, 35 insertions(+), 24 deletions(-)
diff --git a/core/java/android/net/IpSecTransform.java b/core/java/android/net/IpSecTransform.java
index 9ccdbe2b1b..0829b4a3e9 100644
--- a/core/java/android/net/IpSecTransform.java
+++ b/core/java/android/net/IpSecTransform.java
@@ -462,7 +462,7 @@ public final class IpSecTransform implements AutoCloseable {
 mConfig.setMode(MODE_TUNNEL);
 mConfig.setSourceAddress(sourceAddress.getHostAddress());
 mConfig.setSpiResourceId(spi.getResourceId());
- return new IpSecTransform(mContext, mConfig);
+ return new IpSecTransform(mContext, mConfig).activate();
 }
 /**
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index fe4ac6d771..a07a982abc 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
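Review bot: The transform returned on the changed line is now already active, so the method's Javadoc (outside this hunk) should state that, e.g. `@return a new tunnel mode transform that has already been activated`, so callers neither activate it a second time nor assume they can inspect it before it takes effect. If `activate()` declares checked exceptions, the enclosing method signature must declare them too; that signature is outside the hunk and cannot be checked here. The enclosing method starts before this hunk.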
@@ -87,6 +87,7 @@ public class IpSecService extends IIpSecService.Stub {
 private static final String NETD_SERVICE_NAME = "netd";
 private static final int[] DIRECTIONS = new int[] {IpSecManager.DIRECTION_OUT, IpSecManager.DIRECTION_IN};
+ private static final String[] WILDCARD_ADDRESSES = new String[]{"0.0.0.0", "::"};
 private static final int NETD_FETCH_TIMEOUT_MS = 5000; // ms
 private static final int MAX_PORT_BIND_ATTEMPTS = 10;
@@ -413,12 +414,16 @@ public class IpSecService extends IIpSecService.Stub {
 .append(mTransformQuotaTracker)
 .append(", mSocketQuotaTracker=")
 .append(mSocketQuotaTracker)
+ .append(", mTunnelQuotaTracker=")
+ .append(mTunnelQuotaTracker)
 .append(", mSpiRecords=")
 .append(mSpiRecords)
 .append(", mTransformRecords=")
 .append(mTransformRecords)
 .append(", mEncapSocketRecords=")
 .append(mEncapSocketRecords)
+ .append(", mTunnelInterfaceRecords=")
+ .append(mTunnelInterfaceRecords)
 .append("}")
 .toString();
 }
@@ -815,12 +820,14 @@ public class IpSecService extends IIpSecService.Stub {
 try {
 mSrvConfig.getNetdInstance().removeVirtualTunnelInterface(mInterfaceName);
- for (int direction : DIRECTIONS) {
- int mark = (direction == IpSecManager.DIRECTION_IN) ? mIkey : mOkey;
- mSrvConfig
- .getNetdInstance()
- .ipSecDeleteSecurityPolicy(
- 0, direction, mLocalAddress, mRemoteAddress, mark, 0xffffffff);
+ for(String wildcardAddr : WILDCARD_ADDRESSES) {
+ for (int direction : DIRECTIONS) {
+ int mark = (direction == IpSecManager.DIRECTION_IN) ? mIkey : mOkey;
+ mSrvConfig
+ .getNetdInstance()
+ .ipSecDeleteSecurityPolicy(
+ 0, direction, wildcardAddr, wildcardAddr, mark, 0xffffffff);
+ }
 }
 } catch (ServiceSpecificException e) {
 // FIXME: get the error code and throw is at an IOException from Errno Exception
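Review bot: WILDCARD_ADDRESSES carries no comment, while the reason it exists is only in the commit message (the empty-string selector was not accepted by the policy API). Add above the field `// Tunnel-mode policies need an explicit "any" selector per address family; "" is not accepted as a wildcard.` so the constraint survives the commit message, and note that every add/update/delete of a tunnel policy is expected to iterate over both entries so that the IPv4 and IPv6 policies stay in step.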
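Review bot: In the -815 hunk the nested cleanup loop aborts at the first ServiceSpecificException, so a failed delete of an IPv4 wildcard policy leaves the IPv6 policies (both directions, still carrying this tunnel's marks) installed even though removeVirtualTunnelInterface on the line above has already run; deleting per iteration with its own catch, or recording the first failure and continuing, would make the teardown attempt every policy before reporting. The same `for(String wildcardAddr` spacing appears here and in the -1261 and -1646 hunks; the file's convention is `for (String wildcardAddr : WILDCARD_ADDRESSES) {`. The old code deleted with mLocalAddress/mRemoteAddress; if those fields are no longer read elsewhere in the record they can be dropped, which cannot be confirmed from the hunk. The enclosing method continues outside this hunk.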
@@ -1261,19 +1268,21 @@ public class IpSecService extends IIpSecService.Stub {
 .getNetdInstance()
 .addVirtualTunnelInterface(intfName, localAddr, remoteAddr, ikey, okey);
- for (int direction : DIRECTIONS) {
- int mark = (direction == IpSecManager.DIRECTION_OUT) ? okey : ikey;
+ for(String wildcardAddr : WILDCARD_ADDRESSES) {
+ for (int direction : DIRECTIONS) {
+ int mark = (direction == IpSecManager.DIRECTION_OUT) ? okey : ikey;
- mSrvConfig
- .getNetdInstance()
- .ipSecAddSecurityPolicy(
+ mSrvConfig
+ .getNetdInstance()
+ .ipSecAddSecurityPolicy(
 0, // Use 0 for reqId
 direction,
- "",
- "",
+ wildcardAddr,
+ wildcardAddr,
 0,
 mark,
 0xffffffff);
+ }
 }
 userRecord.mTunnelInterfaceRecords.put(
@@ -1646,16 +1655,18 @@ public class IpSecService extends IIpSecService.Stub {
 c.setNetwork(tunnelInterfaceInfo.getUnderlyingNetwork());
 // If outbound, also add SPI to the policy.
- mSrvConfig
- .getNetdInstance()
- .ipSecUpdateSecurityPolicy(
- 0, // Use 0 for reqId
- direction,
- "",
- "",
- transformInfo.getSpiRecord().getSpi(),
- mark,
- 0xffffffff);
+ for(String wildcardAddr : WILDCARD_ADDRESSES) {
+ mSrvConfig
+ .getNetdInstance()
+ .ipSecUpdateSecurityPolicy(
+ 0, // Use 0 for reqId
+ direction,
+ wildcardAddr,
+ wildcardAddr,
+ transformInfo.getSpiRecord().getSpi(),
+ mark,
+ 0xffffffff);
+ }
 }
 // Update SA with tunnel mark (ikey or okey based on direction)
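Review bot: If ipSecAddSecurityPolicy throws for a later wildcard address or direction, the virtual interface created by addVirtualTunnelInterface two lines above and the policies already installed remain behind unless a catch block outside this hunk removes them; the hunk shows no rollback, so confirm the enclosing method tears down the interface and the partially installed policies (the same nested loop the record's remove path now uses) before the error propagates, otherwise a failed creation leaks a marked interface that no record tracks. The nested for-over-WILDCARD_ADDRESSES/for-over-DIRECTIONS shape is now written out in the -815, -1261 and -1646 hunks; a small private helper taking the netd call as a functional parameter would keep the three sites consistent when the selector handling changes again. The enclosing method starts and ends outside this hunk.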
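Review bot: The context comment `// If outbound, also add SPI to the policy.` in the -1646 hunk is now stale, since the loop below it updates two policies (one per address-family wildcard); change it to `// If outbound, also add the SPI to both the IPv4 and IPv6 wildcard policies.` so a reader does not assume a single policy exists. As in the -1261 hunk, a failure on the second iteration leaves the first policy updated with the SPI and the other without it; whether that partial state is cleaned up depends on handling outside the hunk. The `if` this loop sits in and the values of `direction` and `mark` are defined before the hunk.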