Merge "Add validation to IpSecConfig algorithm setters" am: a954f20f46

am: c93df5ca1c

Change-Id: I45289bc8e8b93f7eb912a76a10b951b1a615338a

tests/net/java/com/android/server/IpSecServiceParameterizedTest.java

@@ -347,64 +347,6 @@ public class IpSecServiceParameterizedTest {
                         anyInt());
     }
 
-    @Test
-    public void testCreateInvalidConfigAeadWithAuth() throws Exception {
-        IpSecConfig ipSecConfig = new IpSecConfig();
-        addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
-
-        for (int direction : DIRECTIONS) {
-            ipSecConfig.setAuthentication(direction, AUTH_ALGO);
-            ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO);
-        }
-
-        try {
-            mIpSecService.createTransportModeTransform(ipSecConfig, new Binder());
-            fail(
-                    "IpSecService should have thrown an error on authentication being"
-                            + " enabled with authenticated encryption");
-        } catch (IllegalArgumentException expected) {
-        }
-    }
-
-    @Test
-    public void testCreateInvalidConfigAeadWithCrypt() throws Exception {
-        IpSecConfig ipSecConfig = new IpSecConfig();
-        addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
-
-        for (int direction : DIRECTIONS) {
-            ipSecConfig.setEncryption(direction, CRYPT_ALGO);
-            ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO);
-        }
-
-        try {
-            mIpSecService.createTransportModeTransform(ipSecConfig, new Binder());
-            fail(
-                    "IpSecService should have thrown an error on encryption being"
-                            + " enabled with authenticated encryption");
-        } catch (IllegalArgumentException expected) {
-        }
-    }
-
-    @Test
-    public void testCreateInvalidConfigAeadWithAuthAndCrypt() throws Exception {
-        IpSecConfig ipSecConfig = new IpSecConfig();
-        addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
-
-        for (int direction : DIRECTIONS) {
-            ipSecConfig.setAuthentication(direction, AUTH_ALGO);
-            ipSecConfig.setEncryption(direction, CRYPT_ALGO);
-            ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO);
-        }
-
-        try {
-            mIpSecService.createTransportModeTransform(ipSecConfig, new Binder());
-            fail(
-                    "IpSecService should have thrown an error on authentication and encryption being"
-                            + " enabled with authenticated encryption");
-        } catch (IllegalArgumentException expected) {
-        }
-    }
-
     @Test
     public void testDeleteTransportModeTransform() throws Exception {
         IpSecConfig ipSecConfig = new IpSecConfig();

tests/net/java/com/android/server/IpSecServiceTest.java

@@ -35,6 +35,8 @@ import static org.mockito.Mockito.when;
 
 import android.content.Context;
 import android.net.INetd;
+import android.net.IpSecAlgorithm;
+import android.net.IpSecConfig;
 import android.net.IpSecManager;
 import android.net.IpSecSpiResponse;
 import android.net.IpSecTransform;
@@ -76,6 +78,36 @@ public class IpSecServiceTest {
 
     private static final InetAddress INADDR_ANY;
 
+    private static final byte[] AEAD_KEY = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F,
+        0x73, 0x61, 0x6C, 0x74
+    };
+    private static final byte[] CRYPT_KEY = {
+        0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+        0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
+        0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17,
+        0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
+    };
+    private static final byte[] AUTH_KEY = {
+        0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F,
+        0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F
+    };
+
+    private static final IpSecAlgorithm AUTH_ALGO =
+            new IpSecAlgorithm(IpSecAlgorithm.AUTH_HMAC_SHA256, AUTH_KEY, AUTH_KEY.length * 4);
+    private static final IpSecAlgorithm CRYPT_ALGO =
+            new IpSecAlgorithm(IpSecAlgorithm.CRYPT_AES_CBC, CRYPT_KEY);
+    private static final IpSecAlgorithm AEAD_ALGO =
+            new IpSecAlgorithm(IpSecAlgorithm.AUTH_CRYPT_AES_GCM, AEAD_KEY, 128);
+
+    private static final int[] DIRECTIONS =
+            new int[] {IpSecTransform.DIRECTION_IN, IpSecTransform.DIRECTION_OUT};
+
     static {
         try {
             INADDR_ANY = InetAddress.getByAddress(new byte[] {0, 0, 0, 0});
@@ -269,6 +301,127 @@ public class IpSecServiceTest {
         }
     }
 
+    @Test
+    public void testValidateAlgorithmsAuth() {
+        for (int direction : DIRECTIONS) {
+            // Validate that correct algorithm type succeeds
+            IpSecConfig config = new IpSecConfig();
+            config.setAuthentication(direction, AUTH_ALGO);
+            mIpSecService.validateAlgorithms(config, direction);
+
+            // Validate that incorrect algorithm types fails
+            for (IpSecAlgorithm algo : new IpSecAlgorithm[] {CRYPT_ALGO, AEAD_ALGO}) {
+                try {
+                    config = new IpSecConfig();
+                    config.setAuthentication(direction, algo);
+                    mIpSecService.validateAlgorithms(config, direction);
+                    fail("Did not throw exception on invalid algorithm type");
+                } catch (IllegalArgumentException expected) {
+                }
+            }
+        }
+    }
+
+    @Test
+    public void testValidateAlgorithmsCrypt() {
+        for (int direction : DIRECTIONS) {
+            // Validate that correct algorithm type succeeds
+            IpSecConfig config = new IpSecConfig();
+            config.setEncryption(direction, CRYPT_ALGO);
+            mIpSecService.validateAlgorithms(config, direction);
+
+            // Validate that incorrect algorithm types fails
+            for (IpSecAlgorithm algo : new IpSecAlgorithm[] {AUTH_ALGO, AEAD_ALGO}) {
+                try {
+                    config = new IpSecConfig();
+                    config.setEncryption(direction, algo);
+                    mIpSecService.validateAlgorithms(config, direction);
+                    fail("Did not throw exception on invalid algorithm type");
+                } catch (IllegalArgumentException expected) {
+                }
+            }
+        }
+    }
+
+    @Test
+    public void testValidateAlgorithmsAead() {
+        for (int direction : DIRECTIONS) {
+            // Validate that correct algorithm type succeeds
+            IpSecConfig config = new IpSecConfig();
+            config.setAuthenticatedEncryption(direction, AEAD_ALGO);
+            mIpSecService.validateAlgorithms(config, direction);
+
+            // Validate that incorrect algorithm types fails
+            for (IpSecAlgorithm algo : new IpSecAlgorithm[] {AUTH_ALGO, CRYPT_ALGO}) {
+                try {
+                    config = new IpSecConfig();
+                    config.setAuthenticatedEncryption(direction, algo);
+                    mIpSecService.validateAlgorithms(config, direction);
+                    fail("Did not throw exception on invalid algorithm type");
+                } catch (IllegalArgumentException expected) {
+                }
+            }
+        }
+    }
+
+    @Test
+    public void testValidateAlgorithmsAuthCrypt() {
+        for (int direction : DIRECTIONS) {
+            // Validate that correct algorithm type succeeds
+            IpSecConfig config = new IpSecConfig();
+            config.setAuthentication(direction, AUTH_ALGO);
+            config.setEncryption(direction, CRYPT_ALGO);
+            mIpSecService.validateAlgorithms(config, direction);
+        }
+    }
+
+    @Test
+    public void testValidateAlgorithmsNoAlgorithms() {
+        IpSecConfig config = new IpSecConfig();
+        try {
+            mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN);
+            fail("Expected exception; no algorithms specified");
+        } catch (IllegalArgumentException expected) {
+        }
+    }
+
+    @Test
+    public void testValidateAlgorithmsAeadWithAuth() {
+        IpSecConfig config = new IpSecConfig();
+        config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO);
+        config.setAuthentication(IpSecTransform.DIRECTION_IN, AUTH_ALGO);
+        try {
+            mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN);
+            fail("Expected exception; both AEAD and auth algorithm specified");
+        } catch (IllegalArgumentException expected) {
+        }
+    }
+
+    @Test
+    public void testValidateAlgorithmsAeadWithCrypt() {
+        IpSecConfig config = new IpSecConfig();
+        config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO);
+        config.setEncryption(IpSecTransform.DIRECTION_IN, CRYPT_ALGO);
+        try {
+            mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN);
+            fail("Expected exception; both AEAD and crypt algorithm specified");
+        } catch (IllegalArgumentException expected) {
+        }
+    }
+
+    @Test
+    public void testValidateAlgorithmsAeadWithAuthAndCrypt() {
+        IpSecConfig config = new IpSecConfig();
+        config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO);
+        config.setAuthentication(IpSecTransform.DIRECTION_IN, AUTH_ALGO);
+        config.setEncryption(IpSecTransform.DIRECTION_IN, CRYPT_ALGO);
+        try {
+            mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN);
+            fail("Expected exception; AEAD, auth and crypt algorithm specified");
+        } catch (IllegalArgumentException expected) {
+        }
+    }
+
     @Test
     public void testDeleteInvalidTransportModeTransform() throws Exception {
         try {