From 1ab508d361123ab8f820ee9587edd47ec7ca4f30 Mon Sep 17 00:00:00 2001 From: evitayan Date: Thu, 22 Mar 2018 13:42:07 -0700 Subject: [PATCH 1/2] Add UDP encapsulation tests for IpSecService. This commit adds tests to ensure that IpSecService properly handles UDP-encapsulation transforms correctly. Bug: 76110065 Test: Added: testCreateTransportModeTransformWithEncap, testCreateTunnelModeTransformWithEncap. Command: runtest frameworks-net Verified on taimen. Change-Id: Ie05bc5354266806c2d03b0b3d73a4696a89eccf2 --- .../server/IpSecServiceParameterizedTest.java | 126 ++++++++++++------ 1 file changed, 82 insertions(+), 44 deletions(-) diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java index 99a5a69213..26985c1f0b 100644 --- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java @@ -34,8 +34,10 @@ import android.net.IpSecAlgorithm; import android.net.IpSecConfig; import android.net.IpSecManager; import android.net.IpSecSpiResponse; +import android.net.IpSecTransform; import android.net.IpSecTransformResponse; import android.net.IpSecTunnelInterfaceResponse; +import android.net.IpSecUdpEncapResponse; import android.net.LinkAddress; import android.net.Network; import android.net.NetworkUtils; @@ -129,6 +131,7 @@ public class IpSecServiceParameterizedTest { new IpSecAlgorithm(IpSecAlgorithm.CRYPT_AES_CBC, CRYPT_KEY); private static final IpSecAlgorithm AEAD_ALGO = new IpSecAlgorithm(IpSecAlgorithm.AUTH_CRYPT_AES_GCM, AEAD_KEY, 128); + private static final int REMOTE_ENCAP_PORT = 4500; public IpSecServiceParameterizedTest( String sourceAddr, String destAddr, String localInnerAddr) { @@ -157,6 +160,8 @@ public class IpSecServiceParameterizedTest { .thenReturn(AppOpsManager.MODE_IGNORED); } + //TODO: Add a test to verify SPI. + @Test public void testIpSecServiceReserveSpi() throws Exception { when(mMockNetd.ipSecAllocateSpi(anyInt(), anyString(), eq(mDestinationAddr), eq(TEST_SPI))) @@ -257,6 +262,47 @@ public class IpSecServiceParameterizedTest { config.setAuthentication(AUTH_ALGO); } + private void addEncapSocketToIpSecConfig(int resourceId, IpSecConfig config) throws Exception { + config.setEncapType(IpSecTransform.ENCAP_ESPINUDP); + config.setEncapSocketResourceId(resourceId); + config.setEncapRemotePort(REMOTE_ENCAP_PORT); + } + + private void verifyTransformNetdCalledForCreatingSA( + IpSecConfig config, IpSecTransformResponse resp) throws Exception { + verifyTransformNetdCalledForCreatingSA(config, resp, 0); + } + + private void verifyTransformNetdCalledForCreatingSA( + IpSecConfig config, IpSecTransformResponse resp, int encapSocketPort) throws Exception { + IpSecAlgorithm auth = config.getAuthentication(); + IpSecAlgorithm crypt = config.getEncryption(); + IpSecAlgorithm authCrypt = config.getAuthenticatedEncryption(); + + verify(mMockNetd, times(1)) + .ipSecAddSecurityAssociation( + eq(mUid), + eq(config.getMode()), + eq(config.getSourceAddress()), + eq(config.getDestinationAddress()), + eq((config.getNetwork() != null) ? config.getNetwork().netId : 0), + eq(TEST_SPI), + eq(0), + eq(0), + eq((auth != null) ? auth.getName() : ""), + eq((auth != null) ? auth.getKey() : new byte[] {}), + eq((auth != null) ? auth.getTruncationLengthBits() : 0), + eq((crypt != null) ? crypt.getName() : ""), + eq((crypt != null) ? crypt.getKey() : new byte[] {}), + eq((crypt != null) ? crypt.getTruncationLengthBits() : 0), + eq((authCrypt != null) ? authCrypt.getName() : ""), + eq((authCrypt != null) ? authCrypt.getKey() : new byte[] {}), + eq((authCrypt != null) ? authCrypt.getTruncationLengthBits() : 0), + eq(config.getEncapType()), + eq(encapSocketPort), + eq(config.getEncapRemotePort())); + } + @Test public void testCreateTransform() throws Exception { IpSecConfig ipSecConfig = new IpSecConfig(); @@ -267,28 +313,7 @@ public class IpSecServiceParameterizedTest { mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); assertEquals(IpSecManager.Status.OK, createTransformResp.status); - verify(mMockNetd) - .ipSecAddSecurityAssociation( - eq(mUid), - anyInt(), - anyString(), - anyString(), - anyInt(), - eq(TEST_SPI), - anyInt(), - anyInt(), - eq(IpSecAlgorithm.AUTH_HMAC_SHA256), - eq(AUTH_KEY), - anyInt(), - eq(IpSecAlgorithm.CRYPT_AES_CBC), - eq(CRYPT_KEY), - anyInt(), - eq(""), - eq(new byte[] {}), - eq(0), - anyInt(), - anyInt(), - anyInt()); + verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp); } @Test @@ -302,28 +327,41 @@ public class IpSecServiceParameterizedTest { mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); assertEquals(IpSecManager.Status.OK, createTransformResp.status); - verify(mMockNetd) - .ipSecAddSecurityAssociation( - eq(mUid), - anyInt(), - anyString(), - anyString(), - anyInt(), - eq(TEST_SPI), - anyInt(), - anyInt(), - eq(""), - eq(new byte[] {}), - eq(0), - eq(""), - eq(new byte[] {}), - eq(0), - eq(IpSecAlgorithm.AUTH_CRYPT_AES_GCM), - eq(AEAD_KEY), - anyInt(), - anyInt(), - anyInt(), - anyInt()); + verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp); + } + + @Test + public void testCreateTransportModeTransformWithEncap() throws Exception { + IpSecUdpEncapResponse udpSock = mIpSecService.openUdpEncapsulationSocket(0, new Binder()); + + IpSecConfig ipSecConfig = new IpSecConfig(); + ipSecConfig.setMode(IpSecTransform.MODE_TRANSPORT); + addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); + addAuthAndCryptToIpSecConfig(ipSecConfig); + addEncapSocketToIpSecConfig(udpSock.resourceId, ipSecConfig); + + IpSecTransformResponse createTransformResp = + mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); + assertEquals(IpSecManager.Status.OK, createTransformResp.status); + + verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp, udpSock.port); + } + + @Test + public void testCreateTunnelModeTransformWithEncap() throws Exception { + IpSecUdpEncapResponse udpSock = mIpSecService.openUdpEncapsulationSocket(0, new Binder()); + + IpSecConfig ipSecConfig = new IpSecConfig(); + ipSecConfig.setMode(IpSecTransform.MODE_TUNNEL); + addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); + addAuthAndCryptToIpSecConfig(ipSecConfig); + addEncapSocketToIpSecConfig(udpSock.resourceId, ipSecConfig); + + IpSecTransformResponse createTransformResp = + mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); + assertEquals(IpSecManager.Status.OK, createTransformResp.status); + + verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp, udpSock.port); } @Test From e54eee013064e369be8549b404d01511c26e1ab5 Mon Sep 17 00:00:00 2001 From: evitayan Date: Thu, 22 Mar 2018 17:53:08 -0700 Subject: [PATCH 2/2] Check to ensure UDP-encap is used only for IPv4 This commit checks if UDP-encapsulation is used for unsupported address family and throws IllegalArgumentException when it happens. Bug: 74213459 Test: Tests added in testCreateTransportModeTransformWithEncap and testCreateTunnelModeTransformWithEncap. Command: runtest frameworks-net Verified on taimen. Change-Id: I10c01f2bad6aca23430849ea9ef6c1eb157ae131 --- .../server/IpSecServiceParameterizedTest.java | 46 ++++++++++++++----- 1 file changed, 34 insertions(+), 12 deletions(-) diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java index 26985c1f0b..9b919abfa4 100644 --- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java @@ -16,6 +16,8 @@ package com.android.server; +import static android.system.OsConstants.AF_INET; +import static android.system.OsConstants.AF_INET6; import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.fail; @@ -64,16 +66,17 @@ public class IpSecServiceParameterizedTest { private static final int TEST_SPI = 0xD1201D; - private final String mDestinationAddr; private final String mSourceAddr; + private final String mDestinationAddr; private final LinkAddress mLocalInnerAddress; + private final int mFamily; @Parameterized.Parameters public static Collection ipSecConfigs() { return Arrays.asList( new Object[][] { - {"1.2.3.4", "8.8.4.4", "10.0.1.1/24"}, - {"2601::2", "2601::10", "2001:db8::1/64"} + {"1.2.3.4", "8.8.4.4", "10.0.1.1/24", AF_INET}, + {"2601::2", "2601::10", "2001:db8::1/64", AF_INET6} }); } @@ -134,10 +137,11 @@ public class IpSecServiceParameterizedTest { private static final int REMOTE_ENCAP_PORT = 4500; public IpSecServiceParameterizedTest( - String sourceAddr, String destAddr, String localInnerAddr) { + String sourceAddr, String destAddr, String localInnerAddr, int family) { mSourceAddr = sourceAddr; mDestinationAddr = destAddr; mLocalInnerAddress = new LinkAddress(localInnerAddr); + mFamily = family; } @Before @@ -340,11 +344,20 @@ public class IpSecServiceParameterizedTest { addAuthAndCryptToIpSecConfig(ipSecConfig); addEncapSocketToIpSecConfig(udpSock.resourceId, ipSecConfig); - IpSecTransformResponse createTransformResp = - mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); - assertEquals(IpSecManager.Status.OK, createTransformResp.status); + if (mFamily == AF_INET) { + IpSecTransformResponse createTransformResp = + mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); + assertEquals(IpSecManager.Status.OK, createTransformResp.status); - verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp, udpSock.port); + verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp, udpSock.port); + } else { + try { + IpSecTransformResponse createTransformResp = + mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); + fail("Expected IllegalArgumentException on attempt to use UDP Encap in IPv6"); + } catch (IllegalArgumentException expected) { + } + } } @Test @@ -357,11 +370,20 @@ public class IpSecServiceParameterizedTest { addAuthAndCryptToIpSecConfig(ipSecConfig); addEncapSocketToIpSecConfig(udpSock.resourceId, ipSecConfig); - IpSecTransformResponse createTransformResp = - mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); - assertEquals(IpSecManager.Status.OK, createTransformResp.status); + if (mFamily == AF_INET) { + IpSecTransformResponse createTransformResp = + mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); + assertEquals(IpSecManager.Status.OK, createTransformResp.status); - verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp, udpSock.port); + verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp, udpSock.port); + } else { + try { + IpSecTransformResponse createTransformResp = + mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); + fail("Expected IllegalArgumentException on attempt to use UDP Encap in IPv6"); + } catch (IllegalArgumentException expected) { + } + } } @Test