From ff0471554e8dd08f68a4bf6854739b945133dd78 Mon Sep 17 00:00:00 2001 From: Yan Yan Date: Thu, 28 May 2020 18:29:06 +0000 Subject: [PATCH] Test IKE Session setup in IPv6 network Bug: 148689509 Test: atest testIkeSessionSetupAndChildSessionSetupWithTunnelModeV6 Change-Id: Ia2fa9462c66a283697e0cb9dd4c475215c0eafde Merged-In: Ia2fa9462c66a283697e0cb9dd4c475215c0eafde (cherry picked from commit 71a855de7dcdc3bdbdb75c78be0f57f3055b0c72) --- .../cts/IkeSessionDigitalSignatureTest.java | 3 +- .../net/ipsec/ike/cts/IkeSessionPskTest.java | 71 +++++++++++++++++++ .../net/ipsec/ike/cts/IkeSessionTestBase.java | 66 ++++++++++++++--- 3 files changed, 130 insertions(+), 10 deletions(-) diff --git a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionDigitalSignatureTest.java b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionDigitalSignatureTest.java index ebf8a41f00..9be1dc72cf 100644 --- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionDigitalSignatureTest.java +++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionDigitalSignatureTest.java @@ -123,7 +123,7 @@ public class IkeSessionDigitalSignatureTest extends IkeSessionTestBase { InetAddresses.parseNumericAddress("172.58.35.103"), InetAddresses.parseNumericAddress("172.58.35.103")); - // TODO(b/157510502): Add test for IKE Session setup in IPv6 network + // TODO(b/157510502): Add test for IKE Session setup with transport mode Child in IPv6 network private static final String LOCAL_ID_ASN1_DN = "CN=client.test.ike.android.net, O=Android, C=US"; @@ -184,6 +184,7 @@ public class IkeSessionDigitalSignatureTest extends IkeSessionTestBase { performSetupIkeAndFirstChildBlocking( IKE_INIT_RESP, EXPECTED_AUTH_REQ_FRAG_COUNT /* expectedReqPktCnt */, + true /* expectedAuthUseEncap */, IKE_AUTH_RESP_FRAG_1, IKE_AUTH_RESP_FRAG_2); 
diff --git a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionPskTest.java b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionPskTest.java
index 253e09dd39..0509fc0c92 100644
--- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionPskTest.java
+++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionPskTest.java
@@ -182,6 +182,77 @@ public class IkeSessionPskTest extends IkeSessionTestBase { verifyCloseIkeAndChildBlocking(firstTransformRecordA, firstTransformRecordB); } + @Test + public void testIkeSessionSetupAndChildSessionSetupWithTunnelModeV6() throws Exception { + if (!hasTunnelsFeature()) return; + + final String ikeInitResp = + "46B8ECA1E0D72A186F7B6C2CEB77EB9021202220000000000000011822000030" + + "0000002C010100040300000C0100000C800E0100030000080300000C03000008" + + "0200000500000008040000022800008800020000DABAA04B38B491E2403F2125" + + "96ECF1C8EF7B1DC19A422FDD46E1756C826BB3A16404361B775D9950577B5CDF" + + "6AAA1642BD1427BDA8BC55354A97C1025E19C1E2EE2DF8A0C9406E545D829F52" + + "75695008E3B742984B8DD1770F3514213B0DF3EE8B199416DF200D248115C057" + + "1C193E4F96802E5EF48DD99CAC251882A8F7CCC329000024BC6F0F1D3653C2C7" + + "679E02CDB6A3B32B2FEE9AF52F0326D4D9AE073D56CE8922290000080000402E" + + "290000100000402F00020003000400050000000800004014"; + final String ikeAuthResp = + "46B8ECA1E0D72A186F7B6C2CEB77EB902E202320000000010000015024000134" + + "4D115AFDCDAD0310760BB664EB7D405A340869AD6EDF0AAEAD0663A9253DADCB" + + "73EBE5CD29D4FA1CDEADE0B94391B5C4CF77BCC1596ACE3CE6A7891E44888FA5" + + "46632C0EF4E6193C023C9DC59142C37D1C49D6EF5CD324EC6FC35C89E1721C78" + + "91FDCDB723D8062709950F4AA9273D26A54C9C7E86862DBC15F7B6641D2B9BAD" + + "E55069008201D12968D97B537B1518FE87B0FFA03C3EE6012C06721B1E2A3F68" + + "92108BC4A4F7063F7F94562D8B60F291A1377A836CF12BCDA7E15C1A8F3C77BB" + + "6DB7F2C833CCE4CDDED7506536621A3356CE2BC1874E7B1A1A9B447D7DF6AB09" + + "638B8AD94A781B28BB91B514B611B24DF8E8A047A10AE27BBF15C754D3D2F792" + + "D3E1CCADDAE934C98AE53A8FC3419C88AFF0355564F82A629C998012DA7BB704" + + "5307270DF326377E3E1994476902035B"; + final String deleteIkeResp = + "46B8ECA1E0D72A186F7B6C2CEB77EB902E202520000000020000005000000034" + + "CF15C299F35688E5140A48B61C95F004121BF8236201415E5CD45BA41AAB16D4" + + "90B44B9E6D5D92B5B97D24196A58C73F"; + + mLocalAddress = IPV6_ADDRESS_LOCAL; + mRemoteAddress = 
IPV6_ADDRESS_REMOTE; + + // Teardown current test network that uses IPv4 address and set up new network with IPv6 + // address. + tearDownTestNetwork(); + setUpTestNetwork(mLocalAddress); + + // Open IKE Session + IkeSession ikeSession = openIkeSessionWithRemoteAddress(mRemoteAddress); + performSetupIkeAndFirstChildBlocking( + ikeInitResp, + 1 /* expectedAuthReqPktCnt */, + false /* expectedAuthUseEncap */, + ikeAuthResp); + + // Local request message ID starts from 2 because there is one IKE_INIT message and a single + // IKE_AUTH message. + int expectedMsgId = 2; + + verifyIkeSessionSetupBlocking(); + verifyChildSessionSetupBlocking( + mFirstChildSessionCallback, + Arrays.asList(TUNNEL_MODE_INBOUND_TS_V6), + Arrays.asList(TUNNEL_MODE_OUTBOUND_TS_V6), + Arrays.asList(EXPECTED_INTERNAL_LINK_ADDR_V6), + Arrays.asList(EXPECTED_DNS_SERVERS_ONE, EXPECTED_DNS_SERVERS_TWO)); + + IpSecTransformCallRecord firstTransformRecordA = + mFirstChildSessionCallback.awaitNextCreatedIpSecTransform(); + IpSecTransformCallRecord firstTransformRecordB = + mFirstChildSessionCallback.awaitNextCreatedIpSecTransform(); + verifyCreateIpSecTransformPair(firstTransformRecordA, firstTransformRecordB); + + // Close IKE Session + ikeSession.close(); + performCloseIkeBlocking(expectedMsgId++, false /* expectedUseEncap */, deleteIkeResp); + verifyCloseIkeAndChildBlocking(firstTransformRecordA, firstTransformRecordB); + } + @Test public void testIkeSessionKillWithTunnelMode() throws Exception { if (!hasTunnelsFeature()) return; diff --git a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionTestBase.java b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionTestBase.java index 0f39fbd1cb..2458b25e33 100644 --- a/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionTestBase.java +++ b/tests/cts/net/ipsec/src/android/net/ipsec/ike/cts/IkeSessionTestBase.java 
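Review bot: The `false /* expectedAuthUseEncap */` and `false /* expectedUseEncap */` arguments in `testIkeSessionSetupAndChildSessionSetupWithTunnelModeV6` are not explained, although they are the wire-level expectation this test adds over the IPv4 variant. A comment before `performSetupIkeAndFirstChildBlocking`, for example `// IPv6 test network: IKE_AUTH and the delete exchange are expected without UDP encapsulation`, would make a later failure on that check readable. The test also replaces the fixture network with `tearDownTestNetwork()` and `setUpTestNetwork(mLocalAddress)`. The shared teardown is outside this hunk, so it is worth confirming that it tolerates a failure between those two calls. The final `expectedMsgId++` is never read again, so passing plain `expectedMsgId` would be clearer.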
@@ -66,6 +66,7 @@ import org.junit.runner.RunWith; import java.net.Inet4Address; import java.net.InetAddress; +import java.util.ArrayList; import java.util.HashSet; import java.util.List; import java.util.Objects; @@ -94,15 +95,29 @@ abstract class IkeSessionTestBase extends IkeTestBase { // Package-wide common expected results that will be shared by all IKE/Child SA creation tests static final String EXPECTED_REMOTE_APP_VERSION_EMPTY = ""; static final byte[] EXPECTED_PROTOCOL_ERROR_DATA_NONE = new byte[0]; + + static final InetAddress EXPECTED_DNS_SERVERS_ONE = + InetAddresses.parseNumericAddress("8.8.8.8"); + static final InetAddress EXPECTED_DNS_SERVERS_TWO = + InetAddresses.parseNumericAddress("8.8.4.4"); + static final InetAddress EXPECTED_INTERNAL_ADDR = InetAddresses.parseNumericAddress("198.51.100.10"); static final LinkAddress EXPECTED_INTERNAL_LINK_ADDR = new LinkAddress(EXPECTED_INTERNAL_ADDR, IP4_PREFIX_LEN); + static final InetAddress EXPECTED_INTERNAL_ADDR_V6 = + InetAddresses.parseNumericAddress("2001:db8::2"); + static final LinkAddress EXPECTED_INTERNAL_LINK_ADDR_V6 = + new LinkAddress(EXPECTED_INTERNAL_ADDR_V6, IP6_PREFIX_LEN); static final IkeTrafficSelector TUNNEL_MODE_INBOUND_TS = new IkeTrafficSelector( MIN_PORT, MAX_PORT, EXPECTED_INTERNAL_ADDR, EXPECTED_INTERNAL_ADDR); static final IkeTrafficSelector TUNNEL_MODE_OUTBOUND_TS = DEFAULT_V4_TS; + static final IkeTrafficSelector TUNNEL_MODE_INBOUND_TS_V6 = + new IkeTrafficSelector( + MIN_PORT, MAX_PORT, EXPECTED_INTERNAL_ADDR_V6, EXPECTED_INTERNAL_ADDR_V6); + static final IkeTrafficSelector TUNNEL_MODE_OUTBOUND_TS_V6 = DEFAULT_V6_TS; // This value is align with the test vectors hex that are generated in an IPv4 environment static final IkeTrafficSelector TRANSPORT_MODE_OUTBOUND_TS = 
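Review bot: `EXPECTED_DNS_SERVERS_ONE` and `EXPECTED_DNS_SERVERS_TWO` each hold a single `InetAddress`, so the plural names read as collections; `EXPECTED_DNS_SERVER_ONE` and `EXPECTED_DNS_SERVER_TWO` would match what they are. In the hunks shown they are used only by the IPv6 tunnel-mode test, yet both are IPv4 literals (`8.8.8.8`, `8.8.4.4`). The neighbouring constants use documentation ranges (`198.51.100.10`, `2001:db8::2`). Presumably the values mirror the canned IKE_AUTH response; a comment such as `// Must match the DNS attributes carried in the IKE_AUTH test vector` would tie them to it and stop someone "fixing" them independently of the hex.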
@@ -179,7 +194,7 @@ abstract class IkeSessionTestBase extends IkeTestBase { } void setUpTestNetwork(InetAddress localAddr) throws Exception { - int prefixLen = localAddr instanceof Inet4Address ? IP4_PREFIX_LEN : IP4_PREFIX_LEN; + int prefixLen = localAddr instanceof Inet4Address ? IP4_PREFIX_LEN : IP6_PREFIX_LEN; TestNetworkInterface testIface = sTNM.createTunInterface(new LinkAddress[] {new LinkAddress(localAddr, prefixLen)}); @@ -273,11 +288,27 @@ abstract class IkeSessionTestBase extends IkeTestBase { PortPair performSetupIkeAndFirstChildBlocking(String ikeInitRespHex, String... ikeAuthRespHexes) throws Exception { return performSetupIkeAndFirstChildBlocking( - ikeInitRespHex, 1 /* expectedAuthReqPktCnt */, ikeAuthRespHexes); + ikeInitRespHex, + 1 /* expectedAuthReqPktCnt */, + true /*expectedAuthUseEncap*/, + ikeAuthRespHexes); } PortPair performSetupIkeAndFirstChildBlocking( - String ikeInitRespHex, int expectedAuthReqPktCnt, String... ikeAuthRespHexes) + String ikeInitRespHex, boolean expectedAuthUseEncap, String... ikeAuthRespHexes) + throws Exception { + return performSetupIkeAndFirstChildBlocking( + ikeInitRespHex, + 1 /* expectedAuthReqPktCnt */, + expectedAuthUseEncap, + ikeAuthRespHexes); + } + + PortPair performSetupIkeAndFirstChildBlocking( + String ikeInitRespHex, + int expectedAuthReqPktCnt, + boolean expectedAuthUseEncap, + String... ikeAuthRespHexes) throws Exception { mTunUtils.awaitReqAndInjectResp( IKE_DETERMINISTIC_INITIATOR_SPI, @@ -290,7 +321,7 @@ abstract class IkeSessionTestBase extends IkeTestBase { .awaitReqAndInjectResp( IKE_DETERMINISTIC_INITIATOR_SPI, 1 /* expectedMsgId */, - true /* expectedUseEncap */, + expectedAuthUseEncap, expectedAuthReqPktCnt, ikeAuthRespHexes) .get(0); 
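Review bot: The new overload `performSetupIkeAndFirstChildBlocking(String ikeInitRespHex, boolean expectedAuthUseEncap, String... ikeAuthRespHexes)` has no caller in the hunks shown, since both updated tests call the four-argument form. Unless another test outside this patch needs it, it is unused surface next to two similar varargs overloads and could be dropped. The argument comment in the first overload is written `true /*expectedAuthUseEncap*/`, while the rest of the patch uses `true /* expectedAuthUseEncap */`. The IKE_INIT `awaitReqAndInjectResp` call begins in this hunk's context but its encapsulation argument lies outside it, so whether IKE_INIT follows the new flag cannot be checked from here.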
@@ -298,11 +329,13 @@ abstract class IkeSessionTestBase extends IkeTestBase { } void performCloseIkeBlocking(int expectedMsgId, String deleteIkeRespHex) throws Exception { + performCloseIkeBlocking(expectedMsgId, true /* expectedUseEncap*/, deleteIkeRespHex); + } + + void performCloseIkeBlocking( + int expectedMsgId, boolean expectedUseEncap, String deleteIkeRespHex) throws Exception { mTunUtils.awaitReqAndInjectResp( - IKE_DETERMINISTIC_INITIATOR_SPI, - expectedMsgId, - true /* expectedUseEncap */, - deleteIkeRespHex); + IKE_DETERMINISTIC_INITIATOR_SPI, expectedMsgId, expectedUseEncap, deleteIkeRespHex); } /** Testing callback that allows caller to block current thread until a method get called */ @@ -480,13 +513,28 @@ abstract class IkeSessionTestBase extends IkeTestBase { List expectedOutboundTs, List expectedInternalAddresses) throws Exception { + verifyChildSessionSetupBlocking( + childCallback, + expectedInboundTs, + expectedOutboundTs, + expectedInternalAddresses, + new ArrayList() /* expectedDnsServers */); + } + + void verifyChildSessionSetupBlocking( + TestChildSessionCallback childCallback, + List expectedInboundTs, + List expectedOutboundTs, + List expectedInternalAddresses, + List expectedDnsServers) + throws Exception { ChildSessionConfiguration childConfig = childCallback.awaitChildConfig(); assertNotNull(childConfig); assertEquals(expectedInboundTs, childConfig.getInboundTrafficSelectors()); assertEquals(expectedOutboundTs, childConfig.getOutboundTrafficSelectors()); assertEquals(expectedInternalAddresses, childConfig.getInternalAddresses()); + assertEquals(expectedDnsServers, childConfig.getInternalDnsServers()); assertTrue(childConfig.getInternalSubnets().isEmpty()); - assertTrue(childConfig.getInternalDnsServers().isEmpty()); assertTrue(childConfig.getInternalDhcpServers().isEmpty()); }
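Review bot: In `verifyChildSessionSetupBlocking`, the delegating overload passes `new ArrayList() /* expectedDnsServers */` only to express "no DNS servers", which is what required the new `java.util.ArrayList` import. `Collections.emptyList()` states that intent directly and cannot be mutated by the callee; it needs `java.util.Collections` if the file does not already import it. The element types of the `List` parameters are not visible in this rendering, so the generic arguments should be checked against the real file. The new `assertEquals(expectedDnsServers, childConfig.getInternalDnsServers())` is order-sensitive, and a short comment saying whether the order is part of the contract would help. In the close helper above, `true /* expectedUseEncap*/` is missing the space before `*/`.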