From a708eec031968ea2a20853b52f641104518ad0a3 Mon Sep 17 00:00:00 2001 From: Benedict Wong Date: Mon, 6 Nov 2017 20:49:10 -0800 Subject: [PATCH] Add validation to IpSecConfig algorithm setters Adds checks to ensure that users can only set the correct types of algorithms for the Authentication, Encryption and Authenticated Encryption algorithms. Bug: 65223935 Test: Added tests in IpSecConfigTest, and passed on aosp_marlin-eng Change-Id: I462c77d9eb5710b8d03a48866453649d3b6fc6bf --- .../server/IpSecServiceParameterizedTest.java | 58 ------- .../com/android/server/IpSecServiceTest.java | 153 ++++++++++++++++++ 2 files changed, 153 insertions(+), 58 deletions(-) diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java index 80e42a33b3..2282c1319a 100644 --- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java @@ -347,64 +347,6 @@ public class IpSecServiceParameterizedTest { anyInt()); } - @Test - public void testCreateInvalidConfigAeadWithAuth() throws Exception { - IpSecConfig ipSecConfig = new IpSecConfig(); - addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); - - for (int direction : DIRECTIONS) { - ipSecConfig.setAuthentication(direction, AUTH_ALGO); - ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO); - } - - try { - mIpSecService.createTransportModeTransform(ipSecConfig, new Binder()); - fail( - "IpSecService should have thrown an error on authentication being" - + " enabled with authenticated encryption"); - } catch (IllegalArgumentException expected) { - } - } - - @Test - public void testCreateInvalidConfigAeadWithCrypt() throws Exception { - IpSecConfig ipSecConfig = new IpSecConfig(); - addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); - - for (int direction : DIRECTIONS) { - ipSecConfig.setEncryption(direction, CRYPT_ALGO); - ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO); - } - - try { - mIpSecService.createTransportModeTransform(ipSecConfig, new Binder()); - fail( - "IpSecService should have thrown an error on encryption being" - + " enabled with authenticated encryption"); - } catch (IllegalArgumentException expected) { - } - } - - @Test - public void testCreateInvalidConfigAeadWithAuthAndCrypt() throws Exception { - IpSecConfig ipSecConfig = new IpSecConfig(); - addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); - - for (int direction : DIRECTIONS) { - ipSecConfig.setAuthentication(direction, AUTH_ALGO); - ipSecConfig.setEncryption(direction, CRYPT_ALGO); - ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO); - } - - try { - mIpSecService.createTransportModeTransform(ipSecConfig, new Binder()); - fail( - "IpSecService should have thrown an error on authentication and encryption being" - + " enabled with authenticated encryption"); - } catch (IllegalArgumentException expected) { - } - } - @Test public void testDeleteTransportModeTransform() throws Exception { IpSecConfig ipSecConfig = new IpSecConfig(); diff --git a/tests/net/java/com/android/server/IpSecServiceTest.java b/tests/net/java/com/android/server/IpSecServiceTest.java index 5d1e10eab5..0467989d89 100644 --- a/tests/net/java/com/android/server/IpSecServiceTest.java +++ b/tests/net/java/com/android/server/IpSecServiceTest.java @@ -35,6 +35,8 @@ import static org.mockito.Mockito.when; import android.content.Context; import android.net.INetd; +import android.net.IpSecAlgorithm; +import android.net.IpSecConfig; import android.net.IpSecManager; import android.net.IpSecSpiResponse; import android.net.IpSecTransform; @@ -76,6 +78,36 @@ public class IpSecServiceTest { private static final InetAddress INADDR_ANY; + private static final byte[] AEAD_KEY = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, + 0x73, 0x61, 0x6C, 0x74 + }; + private static final byte[] CRYPT_KEY = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F + }; + private static final byte[] AUTH_KEY = { + 0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, + 0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F + }; + + private static final IpSecAlgorithm AUTH_ALGO = + new IpSecAlgorithm(IpSecAlgorithm.AUTH_HMAC_SHA256, AUTH_KEY, AUTH_KEY.length * 4); + private static final IpSecAlgorithm CRYPT_ALGO = + new IpSecAlgorithm(IpSecAlgorithm.CRYPT_AES_CBC, CRYPT_KEY); + private static final IpSecAlgorithm AEAD_ALGO = + new IpSecAlgorithm(IpSecAlgorithm.AUTH_CRYPT_AES_GCM, AEAD_KEY, 128); + + private static final int[] DIRECTIONS = + new int[] {IpSecTransform.DIRECTION_IN, IpSecTransform.DIRECTION_OUT}; + static { try { INADDR_ANY = InetAddress.getByAddress(new byte[] {0, 0, 0, 0}); @@ -269,6 +301,127 @@ public class IpSecServiceTest { } } + @Test + public void testValidateAlgorithmsAuth() { + for (int direction : DIRECTIONS) { + // Validate that correct algorithm type succeeds + IpSecConfig config = new IpSecConfig(); + config.setAuthentication(direction, AUTH_ALGO); + mIpSecService.validateAlgorithms(config, direction); + + // Validate that incorrect algorithm types fails + for (IpSecAlgorithm algo : new IpSecAlgorithm[] {CRYPT_ALGO, AEAD_ALGO}) { + try { + config = new IpSecConfig(); + config.setAuthentication(direction, algo); + mIpSecService.validateAlgorithms(config, direction); + fail("Did not throw exception on invalid algorithm type"); + } catch (IllegalArgumentException expected) { + } + } + } + } + + @Test + public void testValidateAlgorithmsCrypt() { + for (int direction : DIRECTIONS) { + // Validate that correct algorithm type succeeds + IpSecConfig config = new IpSecConfig(); + config.setEncryption(direction, CRYPT_ALGO); + mIpSecService.validateAlgorithms(config, direction); + + // Validate that incorrect algorithm types fails + for (IpSecAlgorithm algo : new IpSecAlgorithm[] {AUTH_ALGO, AEAD_ALGO}) { + try { + config = new IpSecConfig(); + config.setEncryption(direction, algo); + mIpSecService.validateAlgorithms(config, direction); + fail("Did not throw exception on invalid algorithm type"); + } catch (IllegalArgumentException expected) { + } + } + } + } + + @Test + public void testValidateAlgorithmsAead() { + for (int direction : DIRECTIONS) { + // Validate that correct algorithm type succeeds + IpSecConfig config = new IpSecConfig(); + config.setAuthenticatedEncryption(direction, AEAD_ALGO); + mIpSecService.validateAlgorithms(config, direction); + + // Validate that incorrect algorithm types fails + for (IpSecAlgorithm algo : new IpSecAlgorithm[] {AUTH_ALGO, CRYPT_ALGO}) { + try { + config = new IpSecConfig(); + config.setAuthenticatedEncryption(direction, algo); + mIpSecService.validateAlgorithms(config, direction); + fail("Did not throw exception on invalid algorithm type"); + } catch (IllegalArgumentException expected) { + } + } + } + } + + @Test + public void testValidateAlgorithmsAuthCrypt() { + for (int direction : DIRECTIONS) { + // Validate that correct algorithm type succeeds + IpSecConfig config = new IpSecConfig(); + config.setAuthentication(direction, AUTH_ALGO); + config.setEncryption(direction, CRYPT_ALGO); + mIpSecService.validateAlgorithms(config, direction); + } + } + + @Test + public void testValidateAlgorithmsNoAlgorithms() { + IpSecConfig config = new IpSecConfig(); + try { + mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN); + fail("Expected exception; no algorithms specified"); + } catch (IllegalArgumentException expected) { + } + } + + @Test + public void testValidateAlgorithmsAeadWithAuth() { + IpSecConfig config = new IpSecConfig(); + config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO); + config.setAuthentication(IpSecTransform.DIRECTION_IN, AUTH_ALGO); + try { + mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN); + fail("Expected exception; both AEAD and auth algorithm specified"); + } catch (IllegalArgumentException expected) { + } + } + + @Test + public void testValidateAlgorithmsAeadWithCrypt() { + IpSecConfig config = new IpSecConfig(); + config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO); + config.setEncryption(IpSecTransform.DIRECTION_IN, CRYPT_ALGO); + try { + mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN); + fail("Expected exception; both AEAD and crypt algorithm specified"); + } catch (IllegalArgumentException expected) { + } + } + + @Test + public void testValidateAlgorithmsAeadWithAuthAndCrypt() { + IpSecConfig config = new IpSecConfig(); + config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO); + config.setAuthentication(IpSecTransform.DIRECTION_IN, AUTH_ALGO); + config.setEncryption(IpSecTransform.DIRECTION_IN, CRYPT_ALGO); + try { + mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN); + fail("Expected exception; AEAD, auth and crypt algorithm specified"); + } catch (IllegalArgumentException expected) { + } + } + @Test public void testDeleteInvalidTransportModeTransform() throws Exception { try {