The IpSecService Unit tests relied on the
directionality of the IpSecConfig and previously
did not specify a source address. Unit tests
updated without functional change other than to
address these two requirements.
Bug: 71717213
Test: runtest frameworks-net
Change-Id: Iedbed735bc50fd4fdfe985f9e173956062a7b0d1
Convert the IpSecTransform from being a bi-directional
pair of SAs to a unidirectional single SA. This CL
also removes the concept of "direction from SAs meaning
that a IpSecTransform may now be applied to a socket
in either direction.
-Make transforms unidirectional
-Add Convert allocateSpi() to use destination rather
than direction and remote address
-Remove directionality from builders for IpSecTransform
-Change applyTransportModeTransform() to take a
direction in which to apply the transform object.
-Additional minor naming updates
-Restrict IpSecConfig to only print keys on eng builds
-Move DIRECTION constants to IpSecManager
-Add sourceAddress parameter to IpSecTransform to provide
additional guarantees about the source address of data;
(explicit failure rather than implicit failure).
-Move SPI to the build() method of IpSecTransform
Bug: 71717213
Test: runtest frameworks-net, CTS - IpSecManagerTest
Change-Id: I0824b37f443f4b8c62536d9801238c63ed8f2a1c
Adds checks to ensure that users can only set the correct types of
algorithms for the Authentication, Encryption and Authenticated
Encryption algorithms.
Bug: 65223935
Test: Added tests in IpSecConfigTest, and passed on aosp_marlin-eng
Change-Id: I462c77d9eb5710b8d03a48866453649d3b6fc6bf
Encap sockets are currently created as the system server, and should be
fchown'd to the user for whom it was created on behalf of.
Bug: 62994731
Test: New tests added and run to IpSecService
Change-Id: Icc49e709ae588981e69765fdb77537d7ffbac5fe
Added calls to tag encap sockets to that of the UID for which the encap
socket is being created on behalf of. This ensures that all data
accounting generated for the UDP-encap-ESP socket is correctly billed to
the right UID.
Bug: 62994731
Test: New tests added to IpSecServiceTest.java, passing
Change-Id: I15365ea9c982fd7b4e3cdeff314ddfba2289c86e
1) toSafeString() is renamed to toOuiString()
2) toOuiString() returns a String that only contains the first 3 bytes
of the mac address.
Bug: 70336442
Test: runtest frameworks-net
Change-Id: I798d8fec32dbff5687a682028e5d90eb941f81c1
A race condition during an Api rename has caused
the name change from reserveSecurityParameterIndex
to allocateSecurityParameterIndex to be wrong in
a test. Fixing.
Bug: 69128142
Test: runtest frameworks-net
Change-Id: I12fb9832cb938dc19f463b1f1124127435d7b173
This is part 2 of 2 of the refcounting refactor for IpSecService
resources.
Switched ManagedResources to use RefcountedResource structure for
managing reference counts and eventual cleanup. Further, resource arrays
and quota management have been aggregated into a UserRecord for better
isolation. UID access checking has been similarly moved into the
UserRecordTracker, and resourceId checking has been rolled into
RefcountedResourceArray's accessor methods.
Bug: 63409385
Test: CTS, all unit tests run on aosp_marlin-eng, new tests added
Change-Id: Iee52dd1c9d2583bb6bfaf65be87569e9d50a5b63
This patch adds (but does not enable the usage of) RefcountedResource
objects to IpSecService, with tests to ensure correct function. This is
patch 1 of a series of patches to refactor the resource management
systems in IpSecService.
RefcountedResource objects allow for management of acyclical dependency
trees, ensuring eventual cleanup when resources are no longer used. This
cleanup may be triggered by binder death or by explicit user action.
Bug: 63409385
Test: New tests written in IpSecServiceRefcountedResourceTest,
explicitly testing the RefcountedResource class
Change-Id: Ib5be7482b2ef5f1c8dec9be68f15e90d8b3aba6d
Throughout the IPsec code (API, system server, netd) we use "reserve"
SPI and "allocate" SPI interchangeably. This renames to use "allocate"
everywhere for self-consistency and consistency with the kernel
(ALLOCSPI).
In javadoc, I am leaving the word "reserve" in several places because it
is still an accurate description of how the method behaves.
Bug: 69128142
Test: TreeHugger should be enough
Change-Id: I8ea603b4612303b0393beef04032671fa53d2106
Improve the Validation of IpSecAlgorithm by
explicitly checking the length in addition to
the truncation length (previously an oversight).
In addition, we now check the lengths during
un-parceling, which will catch someone maliciously
manually building a parcel and passing it, bypassing
the checks in the constructor.
Bug: 68780091
Test: runtest -x IpSecAlgorithmTest.java
Change-Id: I8172762617264d34f47d5144336464510f07a701
This patch does some light refactoring in MacAddress to prepare for
exposing MacAddress in the public api:
- documention is improved
- some method names are renamed
- a toSafeString method is added
- a padding bug in the conversion methods outputting strings for
mac addresses is fixed
Bug: 69390696
Test: runtest frameworks-net
Change-Id: I399a97dabc2dfa8df9c5518c8b12484e43ca05c9
Also removes netId field from inside NetworkEvent and stop populating
the network_id field of the NetworkEvent field, deprecating it.
Bug: 34901696
Test: runtest frameworks-net,
manually looking at $ adb shell dumpsys connmetrics
Change-Id: I2c36860f976898883714f72f4d18e06da250c6a6
Added notes that keymat length must include 32 bits of salt.
Bug: 68672051
Test: Frameworks-net unit tests & IpSecManager CTS tests run
Change-Id: I0ae0c5be8a45b2374783b3bd1fa8bf930f15e687
This patch changes instrumentation of default networks and default
network events:
- stop logging events for default network transitions,
but instead consistently log one event per continuous segment
when one given network was the default, including logging an
event for when there is no default network.
- keep a separate rolling buffer of DefaultNetworkEvent for
dumpsys and bug reports.
These changes allow to simplify post aggregation of default network
event metrics by removing any need to do time series processing.
Instead, metrics and counters can be implemented withouth any ambiguity
by following the recipe:
% of x = sum(duration | x = true) / sum (all durations)
where x can be various conditions such as:
- the default network was validated
- the default network was WiFi
- the default network was IPv6
- there was no default network
- ...
Most importantly, this new logging scheme allows to measure much more
reliably:
- the % of the time that a device had Internet, in the sense that the
default network was validated.
- the time transitions between default networks, keyed by previous and
new transports/link layer, which allows to derive wakelock durations
and wakelock power costs from default network switches.
This patch also simplifies the dumpsys interface of the connmetrics
service and reduces the commands to three:
- "flush" for metrics upload.
- "proto" for printing buffered event in text proto format.
- "list" for listing all events and statistics.
Bug: 34901696
Bug: 65700460
Test: runtest frameworks-net
Change-Id: I0521f1681a60cca07ac3bfd5741d64ce44de4cdd
The "roaming" state of a network really belongs on NetworkCapabilities
instead of being published through NetworkInfo.isRoaming(). One major
reason is to support developers creating NetworkRequests for a
non-roaming network.
Watch for any capability changes that network statistics are
interested in (either metered or roaming) and notify it to perform
an update pass; fixes bug where we previously only triggered on
roaming changes.
Fix bug in VPNs where metered/roaming capabilities of underlying
networks weren't being propagated; this was probably preventing
some jobs from running over unmetered networks, and causing other
jobs to run over roaming networks! Also passes along link bandwidth
information from underlying networks, and propegates any changes
to underlying networks.
Fix race condition by reading prevNc inside lock. Utility methods
correctly calculate min/max link bandwidth values.
Test: bit FrameworksNetTests:android.net.,com.android.server.net.,com.android.server.connectivity.,com.android.server.ConnectivityServiceTest
Bug: 68397798, 16207332
Change-Id: I3e1a6544c902bf3a79356b72d3616af1fd2b0f49
Replaced null with empty byte array in createTransportModeTransform
for null auth.getKey, crypt.getKey() and authCrypt.getKey()
Test: Ran CTS test
Bug: 68052730
Change-Id: I5110b1297b4bfbb5766e8ecfd3d64f8110b52945
This patch takes advantage of the direct DefaultNetworkMetrics interface
between ConnectivityService and IpConnectivityMetrics and removes the
Parcelable interface from DefaultNetworkEvent.
IpConnectivityMetrics, IpConnectivityEventBuilder and associated tests
are updated as necessary.
Bug: 34901696
Test: runtest frameworks-net
Change-Id: I59b6e04fc126051320d08a422cfbd4d27042123e
This patch extracts the logging of DefaultNetworkEvent from inside
ConnectivityService and move it to a new DefaultNetworkMetrics class.
The DefaultNetworkMetrics is a singleton owned by the
IpConnectivityMetrics singleton implementing the metrics service for
core networking. ConnectivityService has access to this singleton via
LocalServices.
This class layout will allow to remove the Parcelable interface of
DefaultNetworkEvent and will instead let the IpConnectivityMetrics
service grab metrics from the DefaultNetworkMetrics directly.
Bug: 34901696
Test: runtest frameworks-net
Change-Id: I55694d89124272732aba114198776462372de18b
When binding to a random port, the port number was not being
returned, so the user is incorrectly receiving a port of zero.
Return the port number that was ultimately bound.
Bug: 67662580
Test: Ran CTS test on aosp_angler-eng
Change-Id: I22f4e5cdc83d43dc453788889990feb34e451bd3
Allows native AES-GCM-ESP to be used as an IPSec transport/tunnel mode
algorithm with kernel support
Bug: 63589918
Test: IPsecService tests added, existing ones pass
Change-Id: Ie1a9a902be205f269aa37bf956198f2e5b177c21
Although commit 2a84d1cbcf fixed some flakyness issues in
testNetworkCallbackMaximum so that it became stable when ran on its own,
it introduced a new source of random failures because instead of
registering callbacks after callbacks until a limit was reached, commit
2a84d1cbcf changed the test logic to push the assertions right up to
the theoretical limit.
More precisely when registering and unregistering PendingIntents in a
loop, not introducing some delay for checking that previous
PendingIntents have been effectively unregistered can cause the test to
fail. This patch fixes this issue.
Bug: 32561414
Bug: 62918393
Test: runtest frameworks-net
testNetworkCallbackMaximum now succeeds 100 in a row on sailfish
Change-Id: I086817a738ab99fd53ba76ca8faada6151f46472
This patch is a batch of mechanical changes to test classes to migrate
away from AndroidTestCase and TestCase.
Bug: 62918393
Test: runtest frameworks-net
Change-Id: I74134609e511f22c4d9ecd65780e981f9ba7ae3f
