Loading services/core/java/com/android/server/IpSecService.java +2 −2 Original line number Original line Diff line number Diff line Loading @@ -1776,7 +1776,7 @@ public class IpSecService extends IIpSecService.Stub { socketRecord = socketRecord = userRecord.mEncapSocketRecords.getResourceOrThrow(c.getEncapSocketResourceId()); userRecord.mEncapSocketRecords.getResourceOrThrow(c.getEncapSocketResourceId()); } } SpiRecord spiRecord = userRecord.mSpiRecords.getResourceOrThrow(c.getSpiResourceId()); SpiRecord spiRecord = transformInfo.getSpiRecord(); int mark = int mark = (direction == IpSecManager.DIRECTION_OUT) (direction == IpSecManager.DIRECTION_OUT) Loading Loading @@ -1809,7 +1809,7 @@ public class IpSecService extends IIpSecService.Stub { // Set outbound SPI only. We want inbound to use any valid SA (old, new) on rekeys, // Set outbound SPI only. We want inbound to use any valid SA (old, new) on rekeys, // but want to guarantee outbound packets are sent over the new SA. // but want to guarantee outbound packets are sent over the new SA. spi = transformInfo.getSpiRecord().getSpi(); spi = spiRecord.getSpi(); } } // Always update the policy with the relevant XFRM_IF_ID // Always update the policy with the relevant XFRM_IF_ID Loading tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +68 −0 Original line number Original line Diff line number Diff line Loading @@ -571,6 +571,35 @@ public class IpSecServiceParameterizedTest { eq(TEST_SPI)); eq(TEST_SPI)); } } @Test public void testApplyTransportModeTransformWithClosedSpi() throws Exception { IpSecConfig ipSecConfig = new IpSecConfig(); addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); addAuthAndCryptToIpSecConfig(ipSecConfig); IpSecTransformResponse createTransformResp = mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); // Close SPI record mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId()); Socket socket = new Socket(); socket.bind(null); ParcelFileDescriptor pfd = ParcelFileDescriptor.fromSocket(socket); int resourceId = createTransformResp.resourceId; mIpSecService.applyTransportModeTransform(pfd, IpSecManager.DIRECTION_OUT, resourceId); verify(mMockNetd) .ipSecApplyTransportModeTransform( eq(pfd), eq(mUid), eq(IpSecManager.DIRECTION_OUT), anyString(), anyString(), eq(TEST_SPI)); } @Test @Test public void testRemoveTransportModeTransform() throws Exception { public void testRemoveTransportModeTransform() throws Exception { Socket socket = new Socket(); Socket socket = new Socket(); Loading Loading @@ -693,6 +722,45 @@ public class IpSecServiceParameterizedTest { verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp); verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp); } } @Test public void testApplyTunnelModeTransformWithClosedSpi() throws Exception { IpSecConfig ipSecConfig = new IpSecConfig(); ipSecConfig.setMode(IpSecTransform.MODE_TUNNEL); addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); addAuthAndCryptToIpSecConfig(ipSecConfig); IpSecTransformResponse createTransformResp = mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); IpSecTunnelInterfaceResponse createTunnelResp = createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); // Close SPI record mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId()); int transformResourceId = createTransformResp.resourceId; int tunnelResourceId = createTunnelResp.resourceId; mIpSecService.applyTunnelModeTransform(tunnelResourceId, IpSecManager.DIRECTION_OUT, transformResourceId, "blessedPackage"); for (int selAddrFamily : ADDRESS_FAMILIES) { verify(mMockNetd) .ipSecUpdateSecurityPolicy( eq(mUid), eq(selAddrFamily), eq(IpSecManager.DIRECTION_OUT), anyString(), anyString(), eq(TEST_SPI), anyInt(), // iKey/oKey anyInt(), // mask eq(tunnelResourceId)); } ipSecConfig.setXfrmInterfaceId(tunnelResourceId); verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp); } @Test @Test public void testAddRemoveAddressFromTunnelInterface() throws Exception { public void testAddRemoveAddressFromTunnelInterface() throws Exception { for (String pkgName : new String[]{"blessedPackage", "systemPackage"}) { for (String pkgName : new String[]{"blessedPackage", "systemPackage"}) { Loading Loading
services/core/java/com/android/server/IpSecService.java +2 −2 Original line number Original line Diff line number Diff line Loading @@ -1776,7 +1776,7 @@ public class IpSecService extends IIpSecService.Stub { socketRecord = socketRecord = userRecord.mEncapSocketRecords.getResourceOrThrow(c.getEncapSocketResourceId()); userRecord.mEncapSocketRecords.getResourceOrThrow(c.getEncapSocketResourceId()); } } SpiRecord spiRecord = userRecord.mSpiRecords.getResourceOrThrow(c.getSpiResourceId()); SpiRecord spiRecord = transformInfo.getSpiRecord(); int mark = int mark = (direction == IpSecManager.DIRECTION_OUT) (direction == IpSecManager.DIRECTION_OUT) Loading Loading @@ -1809,7 +1809,7 @@ public class IpSecService extends IIpSecService.Stub { // Set outbound SPI only. We want inbound to use any valid SA (old, new) on rekeys, // Set outbound SPI only. We want inbound to use any valid SA (old, new) on rekeys, // but want to guarantee outbound packets are sent over the new SA. // but want to guarantee outbound packets are sent over the new SA. spi = transformInfo.getSpiRecord().getSpi(); spi = spiRecord.getSpi(); } } // Always update the policy with the relevant XFRM_IF_ID // Always update the policy with the relevant XFRM_IF_ID Loading
tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +68 −0 Original line number Original line Diff line number Diff line Loading @@ -571,6 +571,35 @@ public class IpSecServiceParameterizedTest { eq(TEST_SPI)); eq(TEST_SPI)); } } @Test public void testApplyTransportModeTransformWithClosedSpi() throws Exception { IpSecConfig ipSecConfig = new IpSecConfig(); addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); addAuthAndCryptToIpSecConfig(ipSecConfig); IpSecTransformResponse createTransformResp = mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); // Close SPI record mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId()); Socket socket = new Socket(); socket.bind(null); ParcelFileDescriptor pfd = ParcelFileDescriptor.fromSocket(socket); int resourceId = createTransformResp.resourceId; mIpSecService.applyTransportModeTransform(pfd, IpSecManager.DIRECTION_OUT, resourceId); verify(mMockNetd) .ipSecApplyTransportModeTransform( eq(pfd), eq(mUid), eq(IpSecManager.DIRECTION_OUT), anyString(), anyString(), eq(TEST_SPI)); } @Test @Test public void testRemoveTransportModeTransform() throws Exception { public void testRemoveTransportModeTransform() throws Exception { Socket socket = new Socket(); Socket socket = new Socket(); Loading Loading @@ -693,6 +722,45 @@ public class IpSecServiceParameterizedTest { verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp); verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp); } } @Test public void testApplyTunnelModeTransformWithClosedSpi() throws Exception { IpSecConfig ipSecConfig = new IpSecConfig(); ipSecConfig.setMode(IpSecTransform.MODE_TUNNEL); addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); addAuthAndCryptToIpSecConfig(ipSecConfig); IpSecTransformResponse createTransformResp = mIpSecService.createTransform(ipSecConfig, new Binder(), "blessedPackage"); IpSecTunnelInterfaceResponse createTunnelResp = createAndValidateTunnel(mSourceAddr, mDestinationAddr, "blessedPackage"); // Close SPI record mIpSecService.releaseSecurityParameterIndex(ipSecConfig.getSpiResourceId()); int transformResourceId = createTransformResp.resourceId; int tunnelResourceId = createTunnelResp.resourceId; mIpSecService.applyTunnelModeTransform(tunnelResourceId, IpSecManager.DIRECTION_OUT, transformResourceId, "blessedPackage"); for (int selAddrFamily : ADDRESS_FAMILIES) { verify(mMockNetd) .ipSecUpdateSecurityPolicy( eq(mUid), eq(selAddrFamily), eq(IpSecManager.DIRECTION_OUT), anyString(), anyString(), eq(TEST_SPI), anyInt(), // iKey/oKey anyInt(), // mask eq(tunnelResourceId)); } ipSecConfig.setXfrmInterfaceId(tunnelResourceId); verifyTransformNetdCalledForCreatingSA(ipSecConfig, createTransformResp); } @Test @Test public void testAddRemoveAddressFromTunnelInterface() throws Exception { public void testAddRemoveAddressFromTunnelInterface() throws Exception { for (String pkgName : new String[]{"blessedPackage", "systemPackage"}) { for (String pkgName : new String[]{"blessedPackage", "systemPackage"}) { Loading
