Test IKE Session setup in IPv6 network

Bug: 148689509 Test: atest testIkeSessionSetupAndChildSessionSetupWithTunnelModeV6 Change-Id: Ia2fa9462c66a283697e0cb9dd4c475215c0eafde Merged-In: Ia2fa9462c66a283697e0cb9dd4c475215c0eafde (cherry picked from commit 71a855de7dcdc3bdbdb75c78be0f57f3055b0c72)
2020-05-28 18:29:06 +00:00
parent a2b2ab5473
commit ff0471554e
3 changed files with 130 additions and 10 deletions
--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionDigitalSignatureTest.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionDigitalSignatureTest.java
@@ -123,7 +123,7 @@ public class IkeSessionDigitalSignatureTest extends IkeSessionTestBase {
                    InetAddresses.parseNumericAddress("172.58.35.103"),
                    InetAddresses.parseNumericAddress("172.58.35.103"));

-    // TODO(b/157510502): Add test for IKE Session setup in IPv6 network
+    // TODO(b/157510502): Add test for IKE Session setup with transport mode Child in IPv6 network

    private static final String LOCAL_ID_ASN1_DN =
            "CN=client.test.ike.android.net, O=Android, C=US";
@@ -184,6 +184,7 @@ public class IkeSessionDigitalSignatureTest extends IkeSessionTestBase {
        performSetupIkeAndFirstChildBlocking(
                IKE_INIT_RESP,
                EXPECTED_AUTH_REQ_FRAG_COUNT /* expectedReqPktCnt */,
+                true /* expectedAuthUseEncap */,
                IKE_AUTH_RESP_FRAG_1,
                IKE_AUTH_RESP_FRAG_2);

--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionPskTest.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionPskTest.java
@@ -182,6 +182,77 @@ public class IkeSessionPskTest extends IkeSessionTestBase {
        verifyCloseIkeAndChildBlocking(firstTransformRecordA, firstTransformRecordB);
    }

+    @Test
+    public void testIkeSessionSetupAndChildSessionSetupWithTunnelModeV6() throws Exception {
+        if (!hasTunnelsFeature()) return;
+
+        final String ikeInitResp =
+                "46B8ECA1E0D72A186F7B6C2CEB77EB9021202220000000000000011822000030"
+                        + "0000002C010100040300000C0100000C800E0100030000080300000C03000008"
+                        + "0200000500000008040000022800008800020000DABAA04B38B491E2403F2125"
+                        + "96ECF1C8EF7B1DC19A422FDD46E1756C826BB3A16404361B775D9950577B5CDF"
+                        + "6AAA1642BD1427BDA8BC55354A97C1025E19C1E2EE2DF8A0C9406E545D829F52"
+                        + "75695008E3B742984B8DD1770F3514213B0DF3EE8B199416DF200D248115C057"
+                        + "1C193E4F96802E5EF48DD99CAC251882A8F7CCC329000024BC6F0F1D3653C2C7"
+                        + "679E02CDB6A3B32B2FEE9AF52F0326D4D9AE073D56CE8922290000080000402E"
+                        + "290000100000402F00020003000400050000000800004014";
+        final String ikeAuthResp =
+                "46B8ECA1E0D72A186F7B6C2CEB77EB902E202320000000010000015024000134"
+                        + "4D115AFDCDAD0310760BB664EB7D405A340869AD6EDF0AAEAD0663A9253DADCB"
+                        + "73EBE5CD29D4FA1CDEADE0B94391B5C4CF77BCC1596ACE3CE6A7891E44888FA5"
+                        + "46632C0EF4E6193C023C9DC59142C37D1C49D6EF5CD324EC6FC35C89E1721C78"
+                        + "91FDCDB723D8062709950F4AA9273D26A54C9C7E86862DBC15F7B6641D2B9BAD"
+                        + "E55069008201D12968D97B537B1518FE87B0FFA03C3EE6012C06721B1E2A3F68"
+                        + "92108BC4A4F7063F7F94562D8B60F291A1377A836CF12BCDA7E15C1A8F3C77BB"
+                        + "6DB7F2C833CCE4CDDED7506536621A3356CE2BC1874E7B1A1A9B447D7DF6AB09"
+                        + "638B8AD94A781B28BB91B514B611B24DF8E8A047A10AE27BBF15C754D3D2F792"
+                        + "D3E1CCADDAE934C98AE53A8FC3419C88AFF0355564F82A629C998012DA7BB704"
+                        + "5307270DF326377E3E1994476902035B";
+        final String deleteIkeResp =
+                "46B8ECA1E0D72A186F7B6C2CEB77EB902E202520000000020000005000000034"
+                        + "CF15C299F35688E5140A48B61C95F004121BF8236201415E5CD45BA41AAB16D4"
+                        + "90B44B9E6D5D92B5B97D24196A58C73F";
+
+        mLocalAddress = IPV6_ADDRESS_LOCAL;
+        mRemoteAddress = IPV6_ADDRESS_REMOTE;
+
+        // Teardown current test network that uses IPv4 address and set up new network with IPv6
+        // address.
+        tearDownTestNetwork();
+        setUpTestNetwork(mLocalAddress);
+
+        // Open IKE Session
+        IkeSession ikeSession = openIkeSessionWithRemoteAddress(mRemoteAddress);
+        performSetupIkeAndFirstChildBlocking(
+                ikeInitResp,
+                1 /* expectedAuthReqPktCnt */,
+                false /* expectedAuthUseEncap */,
+                ikeAuthResp);
+
+        // Local request message ID starts from 2 because there is one IKE_INIT message and a single
+        // IKE_AUTH message.
+        int expectedMsgId = 2;
+
+        verifyIkeSessionSetupBlocking();
+        verifyChildSessionSetupBlocking(
+                mFirstChildSessionCallback,
+                Arrays.asList(TUNNEL_MODE_INBOUND_TS_V6),
+                Arrays.asList(TUNNEL_MODE_OUTBOUND_TS_V6),
+                Arrays.asList(EXPECTED_INTERNAL_LINK_ADDR_V6),
+                Arrays.asList(EXPECTED_DNS_SERVERS_ONE, EXPECTED_DNS_SERVERS_TWO));
+
+        IpSecTransformCallRecord firstTransformRecordA =
+                mFirstChildSessionCallback.awaitNextCreatedIpSecTransform();
+        IpSecTransformCallRecord firstTransformRecordB =
+                mFirstChildSessionCallback.awaitNextCreatedIpSecTransform();
+        verifyCreateIpSecTransformPair(firstTransformRecordA, firstTransformRecordB);
+
+        // Close IKE Session
+        ikeSession.close();
+        performCloseIkeBlocking(expectedMsgId++, false /* expectedUseEncap */, deleteIkeResp);
+        verifyCloseIkeAndChildBlocking(firstTransformRecordA, firstTransformRecordB);
+    }
+
    @Test
    public void testIkeSessionKillWithTunnelMode() throws Exception {
        if (!hasTunnelsFeature()) return;
--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionTestBase.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionTestBase.java
@@ -66,6 +66,7 @@ import org.junit.runner.RunWith;

 import java.net.Inet4Address;
 import java.net.InetAddress;
+import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Objects;
@@ -94,15 +95,29 @@ abstract class IkeSessionTestBase extends IkeTestBase {
    // Package-wide common expected results that will be shared by all IKE/Child SA creation tests
    static final String EXPECTED_REMOTE_APP_VERSION_EMPTY = "";
    static final byte[] EXPECTED_PROTOCOL_ERROR_DATA_NONE = new byte[0];
+
+    static final InetAddress EXPECTED_DNS_SERVERS_ONE =
+            InetAddresses.parseNumericAddress("8.8.8.8");
+    static final InetAddress EXPECTED_DNS_SERVERS_TWO =
+            InetAddresses.parseNumericAddress("8.8.4.4");
+
    static final InetAddress EXPECTED_INTERNAL_ADDR =
            InetAddresses.parseNumericAddress("198.51.100.10");
    static final LinkAddress EXPECTED_INTERNAL_LINK_ADDR =
            new LinkAddress(EXPECTED_INTERNAL_ADDR, IP4_PREFIX_LEN);
+    static final InetAddress EXPECTED_INTERNAL_ADDR_V6 =
+            InetAddresses.parseNumericAddress("2001:db8::2");
+    static final LinkAddress EXPECTED_INTERNAL_LINK_ADDR_V6 =
+            new LinkAddress(EXPECTED_INTERNAL_ADDR_V6, IP6_PREFIX_LEN);

    static final IkeTrafficSelector TUNNEL_MODE_INBOUND_TS =
            new IkeTrafficSelector(
                    MIN_PORT, MAX_PORT, EXPECTED_INTERNAL_ADDR, EXPECTED_INTERNAL_ADDR);
    static final IkeTrafficSelector TUNNEL_MODE_OUTBOUND_TS = DEFAULT_V4_TS;
+    static final IkeTrafficSelector TUNNEL_MODE_INBOUND_TS_V6 =
+            new IkeTrafficSelector(
+                    MIN_PORT, MAX_PORT, EXPECTED_INTERNAL_ADDR_V6, EXPECTED_INTERNAL_ADDR_V6);
+    static final IkeTrafficSelector TUNNEL_MODE_OUTBOUND_TS_V6 = DEFAULT_V6_TS;

    // This value is align with the test vectors hex that are generated in an IPv4 environment
    static final IkeTrafficSelector TRANSPORT_MODE_OUTBOUND_TS =
@@ -179,7 +194,7 @@ abstract class IkeSessionTestBase extends IkeTestBase {
    }

    void setUpTestNetwork(InetAddress localAddr) throws Exception {
-        int prefixLen = localAddr instanceof Inet4Address ? IP4_PREFIX_LEN : IP4_PREFIX_LEN;
+        int prefixLen = localAddr instanceof Inet4Address ? IP4_PREFIX_LEN : IP6_PREFIX_LEN;

        TestNetworkInterface testIface =
                sTNM.createTunInterface(new LinkAddress[] {new LinkAddress(localAddr, prefixLen)});
@@ -273,11 +288,27 @@ abstract class IkeSessionTestBase extends IkeTestBase {
    PortPair performSetupIkeAndFirstChildBlocking(String ikeInitRespHex, String... ikeAuthRespHexes)
            throws Exception {
        return performSetupIkeAndFirstChildBlocking(
-                ikeInitRespHex, 1 /* expectedAuthReqPktCnt */, ikeAuthRespHexes);
+                ikeInitRespHex,
+                1 /* expectedAuthReqPktCnt */,
+                true /*expectedAuthUseEncap*/,
+                ikeAuthRespHexes);
    }

    PortPair performSetupIkeAndFirstChildBlocking(
-            String ikeInitRespHex, int expectedAuthReqPktCnt, String... ikeAuthRespHexes)
+            String ikeInitRespHex, boolean expectedAuthUseEncap, String... ikeAuthRespHexes)
+            throws Exception {
+        return performSetupIkeAndFirstChildBlocking(
+                ikeInitRespHex,
+                1 /* expectedAuthReqPktCnt */,
+                expectedAuthUseEncap,
+                ikeAuthRespHexes);
+    }
+
+    PortPair performSetupIkeAndFirstChildBlocking(
+            String ikeInitRespHex,
+            int expectedAuthReqPktCnt,
+            boolean expectedAuthUseEncap,
+            String... ikeAuthRespHexes)
            throws Exception {
        mTunUtils.awaitReqAndInjectResp(
                IKE_DETERMINISTIC_INITIATOR_SPI,
@@ -290,7 +321,7 @@ abstract class IkeSessionTestBase extends IkeTestBase {
                        .awaitReqAndInjectResp(
                                IKE_DETERMINISTIC_INITIATOR_SPI,
                                1 /* expectedMsgId */,
-                                true /* expectedUseEncap */,
+                                expectedAuthUseEncap,
                                expectedAuthReqPktCnt,
                                ikeAuthRespHexes)
                        .get(0);
@@ -298,11 +329,13 @@ abstract class IkeSessionTestBase extends IkeTestBase {
    }

    void performCloseIkeBlocking(int expectedMsgId, String deleteIkeRespHex) throws Exception {
+        performCloseIkeBlocking(expectedMsgId, true /* expectedUseEncap*/, deleteIkeRespHex);
+    }
+
+    void performCloseIkeBlocking(
+            int expectedMsgId, boolean expectedUseEncap, String deleteIkeRespHex) throws Exception {
        mTunUtils.awaitReqAndInjectResp(
-                IKE_DETERMINISTIC_INITIATOR_SPI,
-                expectedMsgId,
-                true /* expectedUseEncap */,
-                deleteIkeRespHex);
+                IKE_DETERMINISTIC_INITIATOR_SPI, expectedMsgId, expectedUseEncap, deleteIkeRespHex);
    }

    /** Testing callback that allows caller to block current thread until a method get called */
@@ -480,13 +513,28 @@ abstract class IkeSessionTestBase extends IkeTestBase {
            List<IkeTrafficSelector> expectedOutboundTs,
            List<LinkAddress> expectedInternalAddresses)
            throws Exception {
+        verifyChildSessionSetupBlocking(
+                childCallback,
+                expectedInboundTs,
+                expectedOutboundTs,
+                expectedInternalAddresses,
+                new ArrayList<InetAddress>() /* expectedDnsServers */);
+    }
+
+    void verifyChildSessionSetupBlocking(
+            TestChildSessionCallback childCallback,
+            List<IkeTrafficSelector> expectedInboundTs,
+            List<IkeTrafficSelector> expectedOutboundTs,
+            List<LinkAddress> expectedInternalAddresses,
+            List<InetAddress> expectedDnsServers)
+            throws Exception {
        ChildSessionConfiguration childConfig = childCallback.awaitChildConfig();
        assertNotNull(childConfig);
        assertEquals(expectedInboundTs, childConfig.getInboundTrafficSelectors());
        assertEquals(expectedOutboundTs, childConfig.getOutboundTrafficSelectors());
        assertEquals(expectedInternalAddresses, childConfig.getInternalAddresses());
+        assertEquals(expectedDnsServers, childConfig.getInternalDnsServers());
        assertTrue(childConfig.getInternalSubnets().isEmpty());
-        assertTrue(childConfig.getInternalDnsServers().isEmpty());
        assertTrue(childConfig.getInternalDhcpServers().isEmpty());
    }