Probe DNS servers to see they support DNS-over-TLS. Use system
CAs to verify whether the certificates sent by DNS servers are
trusted or not. An error is thrown to cause the probe failed if
DNS servers send untrusted certificates.
Unlike the DnsResolver which doesn't verify the certificates
in opportunistic mode, all of the DoT probes from NetworkDiagnostics
check certificates.
DoT probes apply to the DNS servers gotten from LinkProperties
and the DoT servers gotten from PrivateDnsConfig whatever private
DNS mode is.
A common example in DNS strict mode:
. DNS TLS dst{8.8.8.8} hostname{dns.google} src{192.168.43.2:48436} qtype{1} qname{815149-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (432ms)
F DNS TLS dst{192.168.43.144} hostname{}: FAILED: java.net.ConnectException: failed to connect to /192.168.43.144 (port 853) from /192.168.43.2 (port 41770) after 2500ms: isConnected failed: ECONNREFUSED (Connection refused) (172ms)
. DNS TLS dst{8.8.4.4} hostname{dns.google} src{192.168.43.2:37598} qtype{1} qname{759312-android-ds.metric.gstatic.com}: SUCCEEDED: 1/1 NOERROR (427ms)
An example when the CA is not trusted:
F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. (16ms)
An example when TCP/TLS handshake timeout:
F DNS TLS dst{8.8.8.8} hostname{dns.google}: FAILED: java.net.SocketTimeoutException: failed to connect to /8.8.8.8 (port 853) from /192.168.2.108 (port 45680) after 2500ms (2514ms)
Bug: 132925257
Bug: 118369977
Test: atest FrameworksNetTests
Original-Change: https://android-review.googlesource.com/1011670
Merged-In: I1b54abed0e931ca4b8a97149459cde54da1c3d6f
Change-Id: I1b54abed0e931ca4b8a97149459cde54da1c3d6f
Test extra info sent to NetworkMonitor correctly if network
agent is created through new NetworkAgent constructor without
legacy network info taken as parameter.
Bug: 156173829
Test: atest FrameworkNetTests
Merged-In: I4f827664c528bea30cc957a0a617dd37693f4460
Change-Id: I4f827664c528bea30cc957a0a617dd37693f4460
This change adds the @RequiresFeature annotation to Ikev2VpnProfile
Builder methods, and checks before provisioning VPN profiles.
Bug: 156681625
Test: New tests added, passing.
Change-Id: I125d8fbe5d67fb877ad7d0636c007cb3e1a9f59b
Merged-In: I125d8fbe5d67fb877ad7d0636c007cb3e1a9f59b
(cherry picked from commit e84a17dd1706f4c8373047b2023a1ec4b7cf4bf3)
No clat app uid 0 rx stats on base iface due to ip6tables raw prerouting drop
(so just copy over the rx stats from the before file)
Test: atest NetworkStatsTest NetworkStatsFactoryTest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: Ie73ba0586dafde67bc2726db26e07f7268c18be3
Merged-In: Ie73ba0586dafde67bc2726db26e07f7268c18be3
No clat app uid 0 rx stats on base iface due to ip6tables raw prerouting drop
Test: atest NetworkStatsFactoryTest
Bug: 150738490
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: I4393afcbe8e1bb886ecf4f5c1573f6ac8a0e29f5
Merged-In: I4393afcbe8e1bb886ecf4f5c1573f6ac8a0e29f5
This is only necessary when learning the NAT64 prefix from the
RA, because if the NAT64 prefix is learned from DNS, the DNS
resolver already knows the prefix and automatically enables
DNS64 synthesis.
The DNS resolver needs to be informed of the prefix any time
clat is running on a prefix learned from an RA. This is simple to
implement: just set the prefix when starting clat if prefix
discovery is not running, and clear the prefix when stopping clat
if prefix discovery was not running. This ensures that the prefix
is cleared iff it was set.
Bug: 156914456
Test: new unit test coverage
Original-Change: https://android-review.googlesource.com/1315578
Merged-In: If8ad2d30712a6df3e207c8d3e8a129705242191e
Change-Id: If8ad2d30712a6df3e207c8d3e8a129705242191e
This is not particularly likely to happen unless the pref64 RA is
sent by a different router than the main RA. But more tests are
always good, and this additional coverage will be more useful
in an upcoming change.
Bug: 150648313
Test: test-only change
Original-Change: https://android-review.googlesource.com/1316094
Merged-In: I3316d49d42100800740afadc4edf0a13a4d8377c
Change-Id: I3316d49d42100800740afadc4edf0a13a4d8377c
As NetworkAgent is in a transition where all agents need
to include the NOT_SUSPENDED capability as part of their
migration to the system API, ConnectivityService adds it
forcefully to all agents that don't have the CELLULAR
transport. This doesn't include VPNs when VPNs have some
cellular network as their underlying network.
The best way to solve this is to make sure the VPN
capabilities reflect those of the underlying networks as
far as the NOT_SUSPENDED capability is concerned. This
is how they work for other similar capabilities.
This also happens to contain a drive-by fix for an issue
with a spurious capabilities callback is triggered when
a VPN connects and it has any underlying network (which
means almost always, because it will take the default
network if it doesn't declare any). Fixing this was
necessary to have a cogent test of this issue, but it
could be moved to another patch or it could stay unfixed
with some minor ajustment to the tests if judged too
dangerous to include in R at this point.
Test: New tests in this patch. Also manually tested with
tcpdump as described in b/150570873.
Bug: 150570873
Original-Change: https://android-review.googlesource.com/1301317
Merged-In: I3e4ff990c0d4825b21c7679be29a482a2d1324ec
Change-Id: I3e4ff990c0d4825b21c7679be29a482a2d1324ec
When a VPN connects and it has any underlying network (which
means almost always, because it will take the default network
if it doesn't declare any), it has default capabilities and
will only take the capabilities of its underlying network
as part of an update happening after making the network
available but before the rematch can take place. This in turn
causes the capabilities callback sent as part of the rematch
to be spuriously sent.
Test: FrameworksNetTests. Also tested together with a
followup that adds tests with drive-by coverage for this.
Bug: 150570873
Original-Change: https://android-review.googlesource.com/1305393
Merged-In: Id7d8bba486bada1a7ba5b0f152d2aa02e407f249
Change-Id: Id7d8bba486bada1a7ba5b0f152d2aa02e407f249
This change sets the owner and administrator UIDs for test networks when
their initial values match the UID for the app creating the test
network. This ensures that apps registering test networks can only make
themselves owners / administrators of the network.
Bug: 153449964
Test: atest NetworkAgentTest
Change-Id: I3a974700aa1d83cb285295ed1de0aa263e2e5b58
Merged-In: I3a974700aa1d83cb285295ed1de0aa263e2e5b58
(cherry picked from commit 35782280a2adceec96b8e03c217788afa05894a0)
This change adds tests to validate that both transport and tunnel mode
transforms continue to work even after the SPI resource has been
released. Specifically, since SPI resources are effectively subsumed by
the creation of a Transform, the SPI resource is still "alive", but
removed from the user-tracking sparse arrays.
Bug: 142072071
Test: Added these new tests. Failing prior to aosp/1133555, passes with.
Change-Id: I37dd459d08b57b14f72f3b28ea80fa231b152f10
Merged-In: I37dd459d08b57b14f72f3b28ea80fa231b152f10
(cherry picked from commit 4d3f871a944d24cd7cbe3aa51a789a71020eafb5)
IpSecService.applyTunnelModeTransform() currently does not take an
SpiRecord instance, yet implicitly requires that the SpiRecord instance
is still alive based on the stored SpiRecord resourceId in
the TransformRecord's IpSecConfig.
This check is unnecessary, as the SpiRecord has been subsumed into the
TransformRecord, and the kernel resources are kept alive whether or
not the SpiRecord is still held by the user.
This allows users of the IpSecManager API to allocate short-lived SPIs
during the creation of an IpSecTransform, without having to keep track
of both of them (even though the SPI is no longer usable).
The TransformRecord.getSpiRecord() call is already used in
multiple other places in the same method.
Bug: 142072071
Test: New tests added, passing.
Change-Id: I1959f3080946267243564459ff4207647922566e
Merged-In: I1959f3080946267243564459ff4207647922566e
(cherry picked from commit 5258b1b82f39bf17e0751bcb94479464250aaec5)
NetworkStats calculation needs to filter out debug entries to
prevent over counting. While NetworkStatsFactory migrates data
usage over a VPN to the TUN network, NetworkStatsFactory does
not filter out debug entries per vpn which will cause debug
entries left and cause exception.
Bug: 152678151
Test: atest com.android.server.net.NetworkStatsFactoryTest
and verify no exception
Change-Id: I3525edc385b07858b48c7add2d331c4b5a2e84ad
Merged-In: I3525edc385b07858b48c7add2d331c4b5a2e84ad
Address issues found during AIDL review:
- Rename clientAddr to singleClientAddr
- Do not use a ParcelableBundle for notifyNetworkTested or
notifyDataStallSuspected; instead use AIDL parcelables for stronger
backwards compatibility guarantees.
Test: atest NetworkMonitorTest ConnectivityServiceTest
ConnectivityServiceIntegrationTest, manual
Bug: 153500847
Merged-In: Id9b71784e5f6294d203230e57737979e063ff0f8
Change-Id: Id9b71784e5f6294d203230e57737979e063ff0f8
Currently, if a prefix is learned from an RA while prefix
discovery is running, clatd will be correctly started, but
prefix discovery will be stopped.
In order to fix this, make it possible to call
stopPrefixDiscovery without transitioning to IDLE state (which
is obviously necessary in this case), by moving the assignment of
the next state from that method to its callers. For consistency,
do the same for startPrefixDiscovery.
Bug: 150648313
Test: new test coverage
Change-Id: I3803fa3d9806848b331c35ee8bac256934bd1f21
Merged-In: I3803fa3d9806848b331c35ee8bac256934bd1f21
(cherry picked from commit c7c6f76402a989f91b02c37574b6a9de592cf1af)
464xlat will never be started on a network that is not connected,
or on a network that has no IPv6 address.
This is a no-op test-only change but it is necessary for an
upcoming change that violates some of the invalid assumptions
currently made by this test and causes it to fail.
Bug: 150648313
Test: test-only change
Change-Id: I41766e9adaa7c24454648b371e6e3cc647693be5
Merged-In: I41766e9adaa7c24454648b371e6e3cc647693be5
(cherry picked from commit df0c522d18ee73c1d20cff1a1dc955b383e6c355)
The NAT64 prefix from the RA always takes precedence over the
NAT64 prefix from DNS discovery, because it is detected faster,
and detecting it does not require sending any packets.
Bug: 150648313
Test: new unit test
Merged-In: Ic7452431d2d9aea1ae59b67a9d8383c6cc5b3902
Change-Id: Ic7452431d2d9aea1ae59b67a9d8383c6cc5b3902
A test that ensures that NetworkCapabilities.TRANSPORT_* is eaual
to IDnsResolver.TRANSPORT_* for every possible value of each.
Bug: 153267602
Test: atest FrameworksNetTests
Merged-In: I6b23ccc6ce1659fdfd9573dfcd895f2c20fa9417
Change-Id: I3dd4ed0d1fcceca9c8aec9b3e6769603e4fa913b
(cherry picked from commit 5f28e6f881e0ea52e8e96c1207654ce44b0d05a1)
This cannot (currently) happen with DNS64 detection, but it can
happen with the PREF64 option.
Bug: 150648313
Test: atest ConnectivityServiceTest Nat464XlatTest --rerun-until-failure 100
Merged-In: I789fe9d46d3ac5d074ae697d23013f24a9e0246d
Change-Id: I789fe9d46d3ac5d074ae697d23013f24a9e0246d
For a given network, resolver doesn't know what transport types are.
Therefore, when a new network is created or transport types are changed
in a give network, transport types will be updated and sent by calling
setResolverConfiguration(). In the same time, if link properties or
transport types are null, setResolverConfiguration() won't be called.
The original behaviors of setResolverConfiguration() aren't changed.
Only increasing one new behavior that when a given network has transport
type change, calling setResolverConfiguration() directly and resolver
updates the transport types for that given network.
Bug: 143732914
Test: atest FrameworksNetTests
atest FrameworksNetIntegrationTests
Change-Id: I6527cde0e177ba08c886576131b35fc769c2bb53
Currently, TestableNetworkStatsProvider is a subclass of
INetworkStatsProvider. This is not very accurate naming after
API council review feedback since now we have
NetworkStatsProvider as a system api interface.
This is the counter-part change of actual renaming CL in
NetworkStack.
Test: atest FrameworksNetTests TetheringTests
Bug: 150643374
Change-Id: Ifa8175dc4e2fe2b907ec13b3bd2eca12974f5ea7
This just a rename with no functional changes at all. It is
preparation for supporting getting the NAT64 prefix from the
RA.
Bug: 150648313
Test: covered by existing ConnectivityServiceTest and Nat464XlatTest
Merged-In: Ia9a09a708870827b1e4cf068f930fa9542dd116c
Change-Id: Ia9a09a708870827b1e4cf068f930fa9542dd116c
VPN is considered fully routed if both IPv4 and IPv6 have
either a default route or a prohibit route.
Bug: 145332510
Test: atest FrameworksNetTests
Merged-In: I59cf48552bca98092d1212e3d718fd420add5458
Change-Id: I59cf48552bca98092d1212e3d718fd420add5458
* changes:
Update CS helper for clearing NetworkCapabilities UIDs.
Simplify unregister logic for Connectivity Diagnostics callbacks.
Clarify comments for Connectivity Diagnostics reports.
Sort administrator UIDs for NetworkCapabilities.
Add combine() and equals() for NetworkCapabilities admin UIDs.
Use IBinder as key for ConnectivityDiagnostics storage in CS.
Decrement networkRequestPerUid when callbacks are unregistered.
Invoke onConnectivityReport on registering ConnectivityDiagnostics.
This change updates ConnectivityService to use IBinder instances as keys
when storing ConnectivityDiagnosticsCallbacks.
When storing ConnectivityDiagnosticsCallbacks in ConnectivityService,
the IConnectivityDiagnsoticsCallback is used as the key for
ConnectivityService.mConnectivityDiagnosticsCallbacks. However,
IConnectivityDiagnosticsCallback instances are received as different
objects. This causes them to produce different hashCode() values, so
attempts to remove an IConnectivityDiagnosticsCallback fail.
Bug: 150867635
Test: atest FrameworksNetTests
Change-Id: Ib99e68d5ae47fa27e12428f9a60a2c1204ac59a2
Merged-In: Ib99e68d5ae47fa27e12428f9a60a2c1204ac59a2
(cherry picked from commit c7c6a4ac12beb7c216076958612869426da06da0)
This change updates the behavior for registering
ConnectivityDiagnosticsCallbacks. Now, after a successful register()
call, callbacks will receive cached ConnectivityReports for all
matching, permissioned networks. This allows registrants to be updated
with the network state for their networks without having to wait for the
next network validation.
Bug: 147849853
Test: atest FrameworksNetTests
Change-Id: I924ba8fdcc847f453557021591bde38602fe089c
Merged-In: I924ba8fdcc847f453557021591bde38602fe089c
(cherry picked from commit 95ec0b206b759e1d26bc1dbb2255a515bb24358a)
Add gating via PlatformCompat and DeviceConfig and logging via
PlatformCompat to the limit instituted on per-process listeners
Fixes: 152074216
Test: atest CtsTelephonyHostCases
Change-Id: I4d6681d90705b68c3349f4124e434a29b50fd3a2
This change makes IPsec tunnel interfaces automatically get brought up
once they are created. Originally this was considered to be an
additional safety check, as they would not be start routing traffic
until explicitly brought up. However, in the intervening time, the
NetworkManagementController now requires the NETWORK_STACK permission to
set an interface as up. Additionally, that call is a hidden API, and
thus not usable for use cases such as IWLAN.
Bug: 149348618
Test: FrameworksNetTests, CtsNetTestCases passing.
Change-Id: I55b63a748463a388e1e2991d2d5d6b3023545e60
Merged-In: I55b63a748463a388e1e2991d2d5d6b3023545e60
(cherry picked from commit 7c5704d177a903034ae1b6ae4800cc3b8457977a)
Connectivity Diagnostics included an unnecessary try-catch for verifying
that the permissions check for invoking ConnectivityDiagnosticsCallbacks
doesn't throw when the uid and package name do not match.
Bug: 149119324
Test: atest FrameworksNetTests
Change-Id: Ie302b1f4f437e819fdd15ec28adb0b56750c2c53
Merged-In: Ie302b1f4f437e819fdd15ec28adb0b56750c2c53
(cherry picked from commit 66b5e081b785a3b7e2a032342d4d424905581cf9)
ConnectivityDiagnosticsCallbacks should only be invoked for the
underlying networks declared by active VPNs. This encourages VPN apps to
declare their underlying networks.
The previous permission model for VPNs allowed active VPNs to receive
callbacks on any network.
Bug: 148903617
Test: atest FrameworksNetTests
Change-Id: Ic08cdd2e2532580fda0fd3034e2bdff27e0ff84b
Merged-In: Ic08cdd2e2532580fda0fd3034e2bdff27e0ff84b
(cherry picked from commit e1f0c56f74593d3781bfa4ee4871a5efbabe303c)
CONNECTIVITY_ACTION_SUPL is marked as a "temporary hack" and has
never been public. Remove this intent definition since no one is
receiving this intent and should use network callback to know the
connection change.
Bug: 109636544
Test: atest FrameworksNetTests
Change-Id: Ie9e5127742beba04f1c191e894e8a29fe1e704bb
Merged-In: Ie9e5127742beba04f1c191e894e8a29fe1e704bb
(cherry picked from aosp/1224697)
* changes:
[SM08] Add NetworkTemplate unit test for fetching mobile data usage
[SM07] Make combine subtype configurable from Settings
[SM05] Enable record mobile network stats by collapsed rat type
[SM04] Support fetching data with NetworkTemplate with subType
[SM02] Support record mobile network stats by collapsed rat type
Note that enabling/disabling would not take effect until device
reboot. This will be addressed in follow-up patch.
Test: 1. atest NetworkStatsServieTest SettingsBackupTest
2. adb shell settings put global netstats_combine_subtype_enabled 1|0
Bug: 146415925
Change-Id: Ic94da540afa479ed18f1b6fbda4ae3216c37476b
Merged-In: Ic94da540afa479ed18f1b6fbda4ae3216c37476b
(cherry picked from commit c4f77ac90bf2e48a655ad19b162fe74a23bf3fb0)
