[XFRM_MSG_NEWSA] Support polling SA state with netlink message
Bug: 308011229
Test: IpSecXfrmControllerTest
Change-Id: Id765cd8d8d7e330969877cb0890bd828417fb6b8
diff --git a/service-t/src/com/android/server/IpSecXfrmController.java b/service-t/src/com/android/server/IpSecXfrmController.java
new file mode 100644
index 0000000..c8abd40
--- /dev/null
+++ b/service-t/src/com/android/server/IpSecXfrmController.java
@@ -0,0 +1,198 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.android.server;
+
+import static com.android.net.module.util.netlink.xfrm.XfrmNetlinkMessage.IPPROTO_ESP;
+import static com.android.net.module.util.netlink.xfrm.XfrmNetlinkMessage.NETLINK_XFRM;
+import static com.android.net.module.util.netlink.xfrm.XfrmNetlinkMessage.XFRM_MSG_NEWSA;
+
+import android.annotation.TargetApi;
+import android.os.Build;
+import android.system.ErrnoException;
+import android.util.Log;
+
+import androidx.annotation.NonNull;
+import androidx.annotation.Nullable;
+
+import com.android.internal.annotations.GuardedBy;
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.net.module.util.HexDump;
+import com.android.net.module.util.netlink.NetlinkConstants;
+import com.android.net.module.util.netlink.NetlinkErrorMessage;
+import com.android.net.module.util.netlink.NetlinkMessage;
+import com.android.net.module.util.netlink.NetlinkUtils;
+import com.android.net.module.util.netlink.xfrm.XfrmNetlinkGetSaMessage;
+import com.android.net.module.util.netlink.xfrm.XfrmNetlinkMessage;
+import com.android.net.module.util.netlink.xfrm.XfrmNetlinkNewSaMessage;
+
+import libcore.io.IoUtils;
+
+import java.io.FileDescriptor;
+import java.io.IOException;
+import java.io.InterruptedIOException;
+import java.net.InetAddress;
+import java.net.SocketException;
+import java.nio.ByteBuffer;
+
+/**
+ * This class handles IPSec XFRM commands between IpSecService and the Linux kernel
+ *
+ * <p>Synchronization in IpSecXfrmController is done on all entrypoints due to potential race
+ * conditions at the kernel/xfrm level.
+ */
+public class IpSecXfrmController {
+ private static final String TAG = IpSecXfrmController.class.getSimpleName();
+
+ private static final boolean VDBG = false; // STOPSHIP: if true
+
+ private static final int TIMEOUT_MS = 500;
+ private static final int DEFAULT_RECV_BUFSIZE = 8 * 1024;
+
+ @NonNull private final Dependencies mDependencies;
+ @Nullable private FileDescriptor mNetlinkSocket;
+
+ @VisibleForTesting
+ public IpSecXfrmController(@NonNull Dependencies dependencies) {
+ mDependencies = dependencies;
+ }
+
+ public IpSecXfrmController() {
+ this(new Dependencies());
+ }
+
+ /**
+ * Start the XfrmController
+ *
+ * <p>The method is idempotent
+ */
+ public synchronized void openNetlinkSocketIfNeeded() throws ErrnoException, SocketException {
+ if (mNetlinkSocket == null) {
+ mNetlinkSocket = mDependencies.newNetlinkSocket();
+ }
+ }
+
+ /**
+ * Stop the XfrmController
+ *
+ * <p>The method is idempotent
+ */
+ public synchronized void closeNetlinkSocketIfNeeded() {
+ if (mNetlinkSocket != null) {
+ mDependencies.releaseNetlinkSocket(mNetlinkSocket);
+ mNetlinkSocket = null;
+ }
+ }
+
+ @VisibleForTesting
+ public synchronized FileDescriptor getNetlinkSocket() {
+ return mNetlinkSocket;
+ }
+
+ /** Dependencies of IpSecXfrmController, for injection in tests. */
+ @VisibleForTesting
+ public static class Dependencies {
+ /** Get a new XFRM netlink socket and connect it */
+ public FileDescriptor newNetlinkSocket() throws ErrnoException, SocketException {
+ final FileDescriptor fd = NetlinkUtils.netlinkSocketForProto(NETLINK_XFRM);
+ NetlinkUtils.connectToKernel(fd);
+ return fd;
+ }
+
+ /** Close the netlink socket */
+ // TODO: b/205923322 This annotation is to suppress the lint error complaining that
+ // #closeQuietly requires Android S. It can be removed when the infra supports setting
+ // service-connectivity min_sdk to 31
+ @TargetApi(Build.VERSION_CODES.S)
+ public void releaseNetlinkSocket(FileDescriptor fd) {
+ IoUtils.closeQuietly(fd);
+ }
+
+ /** Send a netlink message to a socket */
+ public void sendMessage(FileDescriptor fd, byte[] bytes)
+ throws ErrnoException, InterruptedIOException {
+ NetlinkUtils.sendMessage(fd, bytes, 0, bytes.length, TIMEOUT_MS);
+ }
+
+ /** Receive a netlink message from a socket */
+ public ByteBuffer recvMessage(FileDescriptor fd)
+ throws ErrnoException, InterruptedIOException {
+ return NetlinkUtils.recvMessage(fd, DEFAULT_RECV_BUFSIZE, TIMEOUT_MS);
+ }
+ }
+
+ @GuardedBy("IpSecXfrmController.this")
+ private NetlinkMessage sendRequestAndGetResponse(String methodTag, byte[] req)
+ throws ErrnoException, InterruptedIOException, IOException {
+ openNetlinkSocketIfNeeded();
+
+ logD(methodTag + ": send request " + req.length + " bytes");
+ logV(HexDump.dumpHexString(req));
+ mDependencies.sendMessage(mNetlinkSocket, req);
+
+ final ByteBuffer response = mDependencies.recvMessage(mNetlinkSocket);
+ logD(methodTag + ": receive response " + response.limit() + " bytes");
+ logV(HexDump.dumpHexString(response.array(), 0 /* offset */, response.limit()));
+
+ final NetlinkMessage msg = XfrmNetlinkMessage.parse(response, NETLINK_XFRM);
+ if (msg == null) {
+ throw new IOException("Fail to parse the response message");
+ }
+
+ final int msgType = msg.getHeader().nlmsg_type;
+ if (msgType == NetlinkConstants.NLMSG_ERROR) {
+ final NetlinkErrorMessage errorMsg = (NetlinkErrorMessage) msg;
+ final int errorCode = errorMsg.getNlMsgError().error;
+ throw new ErrnoException(methodTag, errorCode);
+ }
+
+ return msg;
+ }
+
+ /** Get the state of an IPsec SA */
+ @NonNull
+ public synchronized XfrmNetlinkNewSaMessage ipSecGetSa(
+ @NonNull final InetAddress destAddress, long spi)
+ throws ErrnoException, InterruptedIOException, IOException {
+ logD("ipSecGetSa: destAddress=" + destAddress + " spi=" + spi);
+
+ final byte[] req =
+ XfrmNetlinkGetSaMessage.newXfrmNetlinkGetSaMessage(
+ destAddress, spi, (short) IPPROTO_ESP);
+ try {
+ final NetlinkMessage msg = sendRequestAndGetResponse("ipSecGetSa", req);
+
+ final int messageType = msg.getHeader().nlmsg_type;
+ if (messageType != XFRM_MSG_NEWSA) {
+ throw new IOException("unexpected response type " + messageType);
+ }
+
+ return (XfrmNetlinkNewSaMessage) msg;
+ } catch (IllegalArgumentException exception) {
+ // Maybe thrown from Struct.parse
+ throw new IOException("Failed to parse the response " + exception);
+ }
+ }
+
+ private static void logV(String details) {
+ if (VDBG) {
+ Log.v(TAG, details);
+ }
+ }
+
+ private static void logD(String details) {
+ Log.d(TAG, details);
+ }
+}
diff --git a/staticlibs/device/com/android/net/module/util/netlink/xfrm/StructXfrmReplayStateEsn.java b/staticlibs/device/com/android/net/module/util/netlink/xfrm/StructXfrmReplayStateEsn.java
index 01dc66e..a7bdcd9 100644
--- a/staticlibs/device/com/android/net/module/util/netlink/xfrm/StructXfrmReplayStateEsn.java
+++ b/staticlibs/device/com/android/net/module/util/netlink/xfrm/StructXfrmReplayStateEsn.java
@@ -131,12 +131,12 @@
/** Return the TX sequence number in unisgned long */
public long getTxSequenceNumber() {
- return getSequenceNumber(mWithoutBitmap.seqHi, mWithoutBitmap.seq);
+ return getSequenceNumber(mWithoutBitmap.oSeqHi, mWithoutBitmap.oSeq);
}
/** Return the RX sequence number in unisgned long */
public long getRxSequenceNumber() {
- return getSequenceNumber(mWithoutBitmap.oSeqHi, mWithoutBitmap.oSeq);
+ return getSequenceNumber(mWithoutBitmap.seqHi, mWithoutBitmap.seq);
}
@VisibleForTesting
diff --git a/tests/unit/java/com/android/server/IpSecXfrmControllerTest.java b/tests/unit/java/com/android/server/IpSecXfrmControllerTest.java
new file mode 100644
index 0000000..8c1f47f
--- /dev/null
+++ b/tests/unit/java/com/android/server/IpSecXfrmControllerTest.java
@@ -0,0 +1,129 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server;
+
+import static com.android.server.IpSecXfrmControllerTestHex.XFRM_ESRCH_HEX;
+import static com.android.server.IpSecXfrmControllerTestHex.XFRM_NEW_SA_HEX;
+
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNotNull;
+import static org.junit.Assert.assertNull;
+import static org.junit.Assert.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.any;
+import static org.mockito.Mockito.eq;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+import android.net.InetAddresses;
+import android.system.ErrnoException;
+
+import androidx.test.filters.SmallTest;
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.net.module.util.netlink.NetlinkMessage;
+import com.android.net.module.util.netlink.xfrm.XfrmNetlinkNewSaMessage;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.mockito.ArgumentCaptor;
+import org.mockito.Captor;
+import org.mockito.Mock;
+import org.mockito.MockitoAnnotations;
+
+import java.io.FileDescriptor;
+import java.net.InetAddress;
+import java.nio.ByteBuffer;
+import java.nio.ByteOrder;
+
+@RunWith(AndroidJUnit4.class)
+@SmallTest
+public class IpSecXfrmControllerTest {
+ private static final InetAddress DEST_ADDRESS =
+ InetAddresses.parseNumericAddress("2001:db8::111");
+ private static final long SPI = 0xaabbccddL;
+ private static final int ESRCH = -3;
+
+ private IpSecXfrmController mXfrmController;
+ private FileDescriptor mDummyNetlinkSocket;
+
+ @Mock private IpSecXfrmController.Dependencies mMockDeps;
+
+ @Captor private ArgumentCaptor<byte[]> mRequestByteArrayCaptor;
+
+ @Before
+ public void setUp() throws Exception {
+ MockitoAnnotations.initMocks(this);
+ mDummyNetlinkSocket = new FileDescriptor();
+
+ when(mMockDeps.newNetlinkSocket()).thenReturn(mDummyNetlinkSocket);
+ mXfrmController = new IpSecXfrmController(mMockDeps);
+ }
+
+ @Test
+ public void testStartStop() throws Exception {
+ mXfrmController.openNetlinkSocketIfNeeded();
+
+ verify(mMockDeps).newNetlinkSocket();
+ assertNotNull(mXfrmController.getNetlinkSocket());
+
+ mXfrmController.closeNetlinkSocketIfNeeded();
+ verify(mMockDeps).releaseNetlinkSocket(eq(mDummyNetlinkSocket));
+ assertNull(mXfrmController.getNetlinkSocket());
+ }
+
+ private static void injectRxMessage(IpSecXfrmController.Dependencies mockDeps, byte[] bytes)
+ throws Exception {
+ final ByteBuffer buff = ByteBuffer.wrap(bytes);
+ buff.order(ByteOrder.nativeOrder());
+
+ when(mockDeps.recvMessage(any(FileDescriptor.class))).thenReturn(buff);
+ }
+
+ @Test
+ public void testIpSecGetSa() throws Exception {
+ final int expectedReqLen = 40;
+ injectRxMessage(mMockDeps, XFRM_NEW_SA_HEX);
+
+ final NetlinkMessage netlinkMessage = mXfrmController.ipSecGetSa(DEST_ADDRESS, SPI);
+ final XfrmNetlinkNewSaMessage message = (XfrmNetlinkNewSaMessage) netlinkMessage;
+
+ // Verifications
+ assertEquals(SPI, message.getXfrmUsersaInfo().getSpi());
+ assertEquals(DEST_ADDRESS, message.getXfrmUsersaInfo().getDestAddress());
+
+ verify(mMockDeps).sendMessage(eq(mDummyNetlinkSocket), mRequestByteArrayCaptor.capture());
+ final byte[] request = mRequestByteArrayCaptor.getValue();
+ assertEquals(expectedReqLen, request.length);
+
+ verify(mMockDeps).recvMessage(eq(mDummyNetlinkSocket));
+ }
+
+ @Test
+ public void testIpSecGetSa_NlErrorMsg() throws Exception {
+ injectRxMessage(mMockDeps, XFRM_ESRCH_HEX);
+
+ try {
+ mXfrmController.ipSecGetSa(DEST_ADDRESS, SPI);
+ fail("Expected to fail with ESRCH ");
+ } catch (ErrnoException e) {
+ assertEquals(ESRCH, e.errno);
+ }
+ }
+}
diff --git a/tests/unit/java/com/android/server/IpSecXfrmControllerTestHex.java b/tests/unit/java/com/android/server/IpSecXfrmControllerTestHex.java
new file mode 100644
index 0000000..a2082c4
--- /dev/null
+++ b/tests/unit/java/com/android/server/IpSecXfrmControllerTestHex.java
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server;
+
+import com.android.net.module.util.HexDump;
+
+public class IpSecXfrmControllerTestHex {
+ private static final String XFRM_NEW_SA_HEX_STRING =
+ "2003000010000000000000003FE1D4B6"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000A00000000000000"
+ + "000000000000000020010DB800000000"
+ + "0000000000000111AABBCCDD32000000"
+ + "20010DB8000000000000000000000222"
+ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "FD464C65000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "024000000A0000000000000000000000"
+ + "5C000100686D61632873686131290000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000A000000055F01AC07E15E437"
+ + "115DDE0AEDD18A822BA9F81E60001400"
+ + "686D6163287368613129000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "A00000006000000055F01AC07E15E437"
+ + "115DDE0AEDD18A822BA9F81E58000200"
+ + "63626328616573290000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "800000006AED4975ADF006D65C76F639"
+ + "23A6265B1C0117004000000000000000"
+ + "00000000000000000000000000080000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000"
+ + "00000000000000000000000000000000";
+ public static final byte[] XFRM_NEW_SA_HEX =
+ HexDump.hexStringToByteArray(XFRM_NEW_SA_HEX_STRING);
+
+ private static final String XFRM_ESRCH_HEX_STRING =
+ "3C0000000200000000000000A5060000"
+ + "FDFFFFFF280000001200010000000000"
+ + "0000000020010DB80000000000000000"
+ + "00000111AABBCCDD0A003200";
+ public static final byte[] XFRM_ESRCH_HEX = HexDump.hexStringToByteArray(XFRM_ESRCH_HEX_STRING);
+}