Merge changes from topic "v1_impl_cherrypick" into main
* changes:
[nearby] Update encoding and decoding according to the spec
[nearby] Update encryption methods according to the spec
diff --git a/Tethering/src/android/net/ip/IpServer.java b/Tethering/src/android/net/ip/IpServer.java
index c065cd6..a8c8408 100644
--- a/Tethering/src/android/net/ip/IpServer.java
+++ b/Tethering/src/android/net/ip/IpServer.java
@@ -33,7 +33,6 @@
import static com.android.net.module.util.Inet4AddressUtils.intToInet4AddressHTH;
import static com.android.net.module.util.NetworkStackConstants.RFC7421_PREFIX_LENGTH;
-import static com.android.networkstack.tethering.TetheringConfiguration.USE_SYNC_SM;
import static com.android.networkstack.tethering.UpstreamNetworkState.isVcnInterface;
import static com.android.networkstack.tethering.util.PrefixUtils.asIpPrefix;
import static com.android.networkstack.tethering.util.TetheringMessageBase.BASE_IPSERVER;
@@ -316,6 +315,7 @@
private final TetheringMetrics mTetheringMetrics;
private final Handler mHandler;
+ private final boolean mIsSyncSM;
// TODO: Add a dependency object to pass the data members or variables from the tethering
// object. It helps to reduce the arguments of the constructor.
@@ -325,7 +325,7 @@
@Nullable LateSdk<RoutingCoordinatorManager> routingCoordinator, Callback callback,
TetheringConfiguration config, PrivateAddressCoordinator addressCoordinator,
TetheringMetrics tetheringMetrics, Dependencies deps) {
- super(ifaceName, USE_SYNC_SM ? null : handler.getLooper());
+ super(ifaceName, config.isSyncSM() ? null : handler.getLooper());
mHandler = handler;
mLog = log.forSubComponent(ifaceName);
mNetd = netd;
@@ -338,6 +338,7 @@
mLinkProperties = new LinkProperties();
mUsingLegacyDhcp = config.useLegacyDhcpServer();
mP2pLeasesSubnetPrefixLength = config.getP2pLeasesSubnetPrefixLength();
+ mIsSyncSM = config.isSyncSM();
mPrivateAddressCoordinator = addressCoordinator;
mDeps = deps;
mTetheringMetrics = tetheringMetrics;
@@ -515,7 +516,7 @@
private void handleError() {
mLastError = TETHER_ERROR_DHCPSERVER_ERROR;
- if (USE_SYNC_SM) {
+ if (mIsSyncSM) {
sendMessage(CMD_SERVICE_FAILED_TO_START, TETHER_ERROR_DHCPSERVER_ERROR);
} else {
sendMessageAtFrontOfQueueToAsyncSM(CMD_SERVICE_FAILED_TO_START,
@@ -1170,7 +1171,7 @@
// in previous versions of the mainline module.
// TODO : remove sendMessageAtFrontOfQueueToAsyncSM after migrating to the Sync
// StateMachine.
- if (USE_SYNC_SM) {
+ if (mIsSyncSM) {
sendSelfMessageToSyncSM(CMD_SERVICE_FAILED_TO_START, mLastError);
} else {
sendMessageAtFrontOfQueueToAsyncSM(CMD_SERVICE_FAILED_TO_START, mLastError);
diff --git a/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java b/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java
index 0678525..d09183a 100644
--- a/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java
+++ b/Tethering/src/com/android/networkstack/tethering/TetheringConfiguration.java
@@ -132,15 +132,15 @@
public static final String TETHER_FORCE_RANDOM_PREFIX_BASE_SELECTION =
"tether_force_random_prefix_base_selection";
+
+ public static final String TETHER_ENABLE_SYNC_SM = "tether_enable_sync_sm";
+
/**
* Default value that used to periodic polls tether offload stats from tethering offload HAL
* to make the data warnings work.
*/
public static final int DEFAULT_TETHER_OFFLOAD_POLL_INTERVAL_MS = 5000;
- /** A flag for using synchronous or asynchronous state machine. */
- public static final boolean USE_SYNC_SM = false;
-
public final String[] tetherableUsbRegexs;
public final String[] tetherableWifiRegexs;
public final String[] tetherableWigigRegexs;
@@ -174,6 +174,7 @@
private final boolean mEnableWearTethering;
private final boolean mRandomPrefixBase;
+ private final boolean mEnableSyncSm;
private final int mUsbTetheringFunction;
protected final ContentResolver mContentResolver;
@@ -292,6 +293,7 @@
mEnableWearTethering = shouldEnableWearTethering(ctx);
mRandomPrefixBase = mDeps.isFeatureEnabled(ctx, TETHER_FORCE_RANDOM_PREFIX_BASE_SELECTION);
+ mEnableSyncSm = mDeps.isFeatureEnabled(ctx, TETHER_ENABLE_SYNC_SM);
configLog.log(toString());
}
@@ -385,6 +387,10 @@
return mRandomPrefixBase;
}
+ public boolean isSyncSM() {
+ return mEnableSyncSm;
+ }
+
/** Does the dumping.*/
public void dump(PrintWriter pw) {
pw.print("activeDataSubId: ");
@@ -438,6 +444,9 @@
pw.print("mRandomPrefixBase: ");
pw.println(mRandomPrefixBase);
+
+ pw.print("mEnableSyncSm: ");
+ pw.println(mEnableSyncSm);
}
/** Returns the string representation of this object.*/
diff --git a/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringConfigurationTest.java b/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringConfigurationTest.java
index aa322dc..19c6e5a 100644
--- a/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringConfigurationTest.java
+++ b/Tethering/tests/unit/src/com/android/networkstack/tethering/TetheringConfigurationTest.java
@@ -754,4 +754,26 @@
new TetheringConfiguration(mMockContext, mLog, INVALID_SUBSCRIPTION_ID, mDeps);
assertEquals(p2pLeasesSubnetPrefixLength, p2pCfg.getP2pLeasesSubnetPrefixLength());
}
+
+ private void setTetherEnableSyncSMFlagEnabled(Boolean enabled) {
+ mDeps.setFeatureEnabled(TetheringConfiguration.TETHER_ENABLE_SYNC_SM, enabled);
+ }
+
+ private void assertEnableSyncSMIs(boolean value) {
+ assertEquals(value, new TetheringConfiguration(
+ mMockContext, mLog, INVALID_SUBSCRIPTION_ID, mDeps).isSyncSM());
+ }
+
+ @Test
+ public void testEnableSyncSMFlag() throws Exception {
+ // Test default disabled
+ setTetherEnableSyncSMFlagEnabled(null);
+ assertEnableSyncSMIs(false);
+
+ setTetherEnableSyncSMFlagEnabled(true);
+ assertEnableSyncSMIs(true);
+
+ setTetherEnableSyncSMFlagEnabled(false);
+ assertEnableSyncSMIs(false);
+ }
}
diff --git a/framework-t/src/android/net/IIpSecService.aidl b/framework-t/src/android/net/IIpSecService.aidl
index 88ffd0e..f972ab9 100644
--- a/framework-t/src/android/net/IIpSecService.aidl
+++ b/framework-t/src/android/net/IIpSecService.aidl
@@ -22,6 +22,7 @@
import android.net.IpSecUdpEncapResponse;
import android.net.IpSecSpiResponse;
import android.net.IpSecTransformResponse;
+import android.net.IpSecTransformState;
import android.net.IpSecTunnelInterfaceResponse;
import android.os.Bundle;
import android.os.IBinder;
@@ -74,6 +75,8 @@
void deleteTransform(int transformId);
+ IpSecTransformState getTransformState(int transformId);
+
void applyTransportModeTransform(
in ParcelFileDescriptor socket, int direction, int transformId);
diff --git a/framework-t/src/android/net/IpSecManager.java b/framework-t/src/android/net/IpSecManager.java
index 3afa6ef..3f74e1c 100644
--- a/framework-t/src/android/net/IpSecManager.java
+++ b/framework-t/src/android/net/IpSecManager.java
@@ -65,6 +65,13 @@
public class IpSecManager {
private static final String TAG = "IpSecManager";
+ // TODO : remove this class when udc-mainline-prod is abandoned and android.net.flags.Flags is
+ // available here
+ /** @hide */
+ public static class Flags {
+ static final String IPSEC_TRANSFORM_STATE = "com.android.net.flags.ipsec_transform_state";
+ }
+
/**
* Feature flag to declare the kernel support of updating IPsec SAs.
*
@@ -1084,6 +1091,12 @@
}
}
+ /** @hide */
+ public IpSecTransformState getTransformState(int transformId)
+ throws IllegalStateException, RemoteException {
+ return mService.getTransformState(transformId);
+ }
+
/**
* Construct an instance of IpSecManager within an application context.
*
diff --git a/framework-t/src/android/net/IpSecTransform.java b/framework-t/src/android/net/IpSecTransform.java
index c236b6c..0412a76 100644
--- a/framework-t/src/android/net/IpSecTransform.java
+++ b/framework-t/src/android/net/IpSecTransform.java
@@ -15,8 +15,11 @@
*/
package android.net;
+import static android.net.IpSecManager.Flags.IPSEC_TRANSFORM_STATE;
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
+import android.annotation.CallbackExecutor;
+import android.annotation.FlaggedApi;
import android.annotation.IntDef;
import android.annotation.NonNull;
import android.annotation.Nullable;
@@ -26,6 +29,8 @@
import android.content.Context;
import android.content.pm.PackageManager;
import android.os.Binder;
+import android.os.OutcomeReceiver;
+import android.os.RemoteException;
import android.os.ServiceSpecificException;
import android.util.Log;
@@ -38,6 +43,7 @@
import java.lang.annotation.RetentionPolicy;
import java.net.InetAddress;
import java.util.Objects;
+import java.util.concurrent.Executor;
/**
* This class represents a transform, which roughly corresponds to an IPsec Security Association.
@@ -201,6 +207,44 @@
}
/**
+ * Retrieve the current state of this IpSecTransform.
+ *
+ * @param executor The {@link Executor} on which to call the supplied callback.
+ * @param callback Callback that's called after the transform state is ready or when an error
+ * occurs.
+ * @see IpSecTransformState
+ * @hide
+ */
+ @FlaggedApi(IPSEC_TRANSFORM_STATE)
+ public void getIpSecTransformState(
+ @CallbackExecutor @NonNull Executor executor,
+ @NonNull OutcomeReceiver<IpSecTransformState, RuntimeException> callback) {
+ Objects.requireNonNull(executor);
+ Objects.requireNonNull(callback);
+
+ // TODO: Consider adding check to prevent DDoS attack.
+
+ try {
+ final IpSecTransformState ipSecTransformState =
+ getIpSecManager(mContext).getTransformState(mResourceId);
+ executor.execute(
+ () -> {
+ callback.onResult(ipSecTransformState);
+ });
+ } catch (IllegalStateException e) {
+ executor.execute(
+ () -> {
+ callback.onError(e);
+ });
+ } catch (RemoteException e) {
+ executor.execute(
+ () -> {
+ callback.onError(e.rethrowFromSystemServer());
+ });
+ }
+ }
+
+ /**
* A callback class to provide status information regarding a NAT-T keepalive session
*
* <p>Use this callback to receive status information regarding a NAT-T keepalive session
diff --git a/framework-t/src/android/net/IpSecTransformState.aidl b/framework-t/src/android/net/IpSecTransformState.aidl
new file mode 100644
index 0000000..69cce28
--- /dev/null
+++ b/framework-t/src/android/net/IpSecTransformState.aidl
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net;
+
+/** @hide */
+parcelable IpSecTransformState;
\ No newline at end of file
diff --git a/framework-t/src/android/net/IpSecTransformState.java b/framework-t/src/android/net/IpSecTransformState.java
new file mode 100644
index 0000000..daebbc4
--- /dev/null
+++ b/framework-t/src/android/net/IpSecTransformState.java
@@ -0,0 +1,302 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.net;
+
+import static android.net.IpSecManager.Flags.IPSEC_TRANSFORM_STATE;
+
+import static com.android.internal.annotations.VisibleForTesting.Visibility;
+
+import android.annotation.FlaggedApi;
+import android.annotation.NonNull;
+import android.os.Parcel;
+import android.os.Parcelable;
+
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.net.module.util.HexDump;
+
+import java.util.Objects;
+
+/**
+ * This class represents a snapshot of the state of an IpSecTransform
+ *
+ * <p>This class provides the current state of an IpSecTransform, enabling link metric analysis by
+ * the caller. Use cases include understanding transform usage, such as packet and byte counts, as
+ * well as observing out-of-order delivery by checking the bitmap. Additionally, callers can query
+ * IpSecTransformStates at two timestamps. By comparing the changes in packet counts and sequence
+ * numbers, callers can estimate IPsec data loss in the inbound direction.
+ *
+ * @hide
+ */
+@FlaggedApi(IPSEC_TRANSFORM_STATE)
+public final class IpSecTransformState implements Parcelable {
+ private final long mTimeStamp;
+ private final long mTxHighestSequenceNumber;
+ private final long mRxHighestSequenceNumber;
+ private final long mPacketCount;
+ private final long mByteCount;
+ private final byte[] mReplayBitmap;
+
+ private IpSecTransformState(
+ long timestamp,
+ long txHighestSequenceNumber,
+ long rxHighestSequenceNumber,
+ long packetCount,
+ long byteCount,
+ byte[] replayBitmap) {
+ mTimeStamp = timestamp;
+ mTxHighestSequenceNumber = txHighestSequenceNumber;
+ mRxHighestSequenceNumber = rxHighestSequenceNumber;
+ mPacketCount = packetCount;
+ mByteCount = byteCount;
+
+ Objects.requireNonNull(replayBitmap, "replayBitmap is null");
+ mReplayBitmap = replayBitmap.clone();
+
+ validate();
+ }
+
+ private void validate() {
+ Objects.requireNonNull(mReplayBitmap, "mReplayBitmap is null");
+ }
+
+ /**
+ * Deserializes a IpSecTransformState from a PersistableBundle.
+ *
+ * @hide
+ */
+ @VisibleForTesting(visibility = Visibility.PRIVATE)
+ public IpSecTransformState(@NonNull Parcel in) {
+ Objects.requireNonNull(in, "The input PersistableBundle is null");
+ mTimeStamp = in.readLong();
+ mTxHighestSequenceNumber = in.readLong();
+ mRxHighestSequenceNumber = in.readLong();
+ mPacketCount = in.readLong();
+ mByteCount = in.readLong();
+ mReplayBitmap = HexDump.hexStringToByteArray(in.readString());
+
+ validate();
+ }
+
+ // Parcelable methods
+
+ @Override
+ public int describeContents() {
+ return 0;
+ }
+
+ @Override
+ public void writeToParcel(@NonNull Parcel out, int flags) {
+ out.writeLong(mTimeStamp);
+ out.writeLong(mTxHighestSequenceNumber);
+ out.writeLong(mRxHighestSequenceNumber);
+ out.writeLong(mPacketCount);
+ out.writeLong(mByteCount);
+ out.writeString(HexDump.toHexString(mReplayBitmap));
+ }
+
+ @NonNull
+ public static final Parcelable.Creator<IpSecTransformState> CREATOR =
+ new Parcelable.Creator<IpSecTransformState>() {
+ @NonNull
+ public IpSecTransformState createFromParcel(Parcel in) {
+ return new IpSecTransformState(in);
+ }
+
+ @NonNull
+ public IpSecTransformState[] newArray(int size) {
+ return new IpSecTransformState[size];
+ }
+ };
+
+ /**
+ * Retrieve the epoch timestamp (milliseconds) for when this state was created
+ *
+ * @see Builder#setTimestamp(long)
+ * @hide
+ */
+ public long getTimestamp() {
+ return mTimeStamp;
+ }
+
+ /**
+ * Retrieve the highest sequence number sent so far
+ *
+ * @see Builder#setTxHighestSequenceNumber(long)
+ * @hide
+ */
+ public long getTxHighestSequenceNumber() {
+ return mTxHighestSequenceNumber;
+ }
+
+ /**
+ * Retrieve the highest sequence number received so far
+ *
+ * @see Builder#setRxHighestSequenceNumber(long)
+ * @hide
+ */
+ public long getRxHighestSequenceNumber() {
+ return mRxHighestSequenceNumber;
+ }
+
+ /**
+ * Retrieve the number of packets received AND sent so far
+ *
+ * @see Builder#setPacketCount(long)
+ * @hide
+ */
+ public long getPacketCount() {
+ return mPacketCount;
+ }
+
+ /**
+ * Retrieve the number of bytes received AND sent so far
+ *
+ * @see Builder#setByteCount(long)
+ * @hide
+ */
+ public long getByteCount() {
+ return mByteCount;
+ }
+
+ /**
+ * Retrieve the replay bitmap
+ *
+ * <p>This bitmap represents a replay window, allowing the caller to observe out-of-order
+ * delivery. The last bit represents the highest sequence number received so far and bits for
+ * the received packets will be marked as true.
+ *
+ * <p>The size of a replay bitmap will never change over the lifetime of an IpSecTransform
+ *
+ * <p>The replay bitmap is solely useful for inbound IpSecTransforms. For outbound
+ * IpSecTransforms, all bits will be unchecked.
+ *
+ * @see Builder#setReplayBitmap(byte[])
+ * @hide
+ */
+ @NonNull
+ public byte[] getReplayBitmap() {
+ return mReplayBitmap.clone();
+ }
+
+ /**
+ * Builder class for testing purposes
+ *
+ * @hide
+ */
+ @FlaggedApi(IPSEC_TRANSFORM_STATE)
+ public static final class Builder {
+ private long mTimeStamp;
+ private long mTxHighestSequenceNumber;
+ private long mRxHighestSequenceNumber;
+ private long mPacketCount;
+ private long mByteCount;
+ private byte[] mReplayBitmap;
+
+ /** @hide */
+ public Builder() {
+ mTimeStamp = System.currentTimeMillis();
+ }
+
+ /**
+ * Set the epoch timestamp (milliseconds) for when this state was created
+ *
+ * @see IpSecTransformState#getTimestamp()
+ * @hide
+ */
+ @NonNull
+ public Builder setTimestamp(long timeStamp) {
+ mTimeStamp = timeStamp;
+ return this;
+ }
+
+ /**
+ * Set the highest sequence number sent so far
+ *
+ * @see IpSecTransformState#getTxHighestSequenceNumber()
+ * @hide
+ */
+ @NonNull
+ public Builder setTxHighestSequenceNumber(long seqNum) {
+ mTxHighestSequenceNumber = seqNum;
+ return this;
+ }
+
+ /**
+ * Set the highest sequence number received so far
+ *
+ * @see IpSecTransformState#getRxHighestSequenceNumber()
+ * @hide
+ */
+ @NonNull
+ public Builder setRxHighestSequenceNumber(long seqNum) {
+ mRxHighestSequenceNumber = seqNum;
+ return this;
+ }
+
+ /**
+ * Set the number of packets received AND sent so far
+ *
+ * @see IpSecTransformState#getPacketCount()
+ * @hide
+ */
+ @NonNull
+ public Builder setPacketCount(long packetCount) {
+ mPacketCount = packetCount;
+ return this;
+ }
+
+ /**
+ * Set the number of bytes received AND sent so far
+ *
+ * @see IpSecTransformState#getByteCount()
+ * @hide
+ */
+ @NonNull
+ public Builder setByteCount(long byteCount) {
+ mByteCount = byteCount;
+ return this;
+ }
+
+ /**
+ * Set the replay bitmap
+ *
+ * @see IpSecTransformState#getReplayBitmap()
+ * @hide
+ */
+ @NonNull
+ public Builder setReplayBitmap(@NonNull byte[] bitMap) {
+ mReplayBitmap = bitMap.clone();
+ return this;
+ }
+
+ /**
+ * Build and validate the IpSecTransformState
+ *
+ * @return an immutable IpSecTransformState instance
+ * @hide
+ */
+ @NonNull
+ public IpSecTransformState build() {
+ return new IpSecTransformState(
+ mTimeStamp,
+ mTxHighestSequenceNumber,
+ mRxHighestSequenceNumber,
+ mPacketCount,
+ mByteCount,
+ mReplayBitmap);
+ }
+ }
+}
diff --git a/service-t/src/com/android/server/IpSecService.java b/service-t/src/com/android/server/IpSecService.java
index a884840..ea91e64 100644
--- a/service-t/src/com/android/server/IpSecService.java
+++ b/service-t/src/com/android/server/IpSecService.java
@@ -42,6 +42,7 @@
import android.net.IpSecSpiResponse;
import android.net.IpSecTransform;
import android.net.IpSecTransformResponse;
+import android.net.IpSecTransformState;
import android.net.IpSecTunnelInterfaceResponse;
import android.net.IpSecUdpEncapResponse;
import android.net.LinkAddress;
@@ -70,6 +71,7 @@
import com.android.net.module.util.BinderUtils;
import com.android.net.module.util.NetdUtils;
import com.android.net.module.util.PermissionUtils;
+import com.android.net.module.util.netlink.xfrm.XfrmNetlinkNewSaMessage;
import libcore.io.IoUtils;
@@ -109,6 +111,7 @@
@VisibleForTesting static final int MAX_PORT_BIND_ATTEMPTS = 10;
private final INetd mNetd;
+ private final IpSecXfrmController mIpSecXfrmCtrl;
static {
try {
@@ -152,6 +155,11 @@
}
return netd;
}
+
+ /** Get a instance of IpSecXfrmController */
+ public IpSecXfrmController getIpSecXfrmController() {
+ return new IpSecXfrmController();
+ }
}
final UidFdTagger mUidFdTagger;
@@ -1111,6 +1119,7 @@
mContext = context;
mDeps = Objects.requireNonNull(deps, "Missing dependencies.");
mUidFdTagger = uidFdTagger;
+ mIpSecXfrmCtrl = mDeps.getIpSecXfrmController();
try {
mNetd = mDeps.getNetdInstance(mContext);
} catch (RemoteException e) {
@@ -1862,6 +1871,48 @@
releaseResource(userRecord.mTransformRecords, resourceId);
}
+ @Override
+ public synchronized IpSecTransformState getTransformState(int transformId)
+ throws IllegalStateException, RemoteException {
+ mContext.enforceCallingOrSelfPermission(
+ android.Manifest.permission.ACCESS_NETWORK_STATE, "IpsecService#getTransformState");
+
+ UserRecord userRecord = mUserResourceTracker.getUserRecord(Binder.getCallingUid());
+ TransformRecord transformInfo =
+ userRecord.mTransformRecords.getResourceOrThrow(transformId);
+
+ final int spi = transformInfo.getSpiRecord().getSpi();
+ final InetAddress destAddress =
+ InetAddresses.parseNumericAddress(
+ transformInfo.getConfig().getDestinationAddress());
+ Log.d(TAG, "getTransformState for spi " + spi + " destAddress " + destAddress);
+
+ // Make netlink call
+ final XfrmNetlinkNewSaMessage xfrmNewSaMsg;
+ try {
+ xfrmNewSaMsg = mIpSecXfrmCtrl.ipSecGetSa(destAddress, Integer.toUnsignedLong(spi));
+ } catch (ErrnoException | IOException e) {
+ Log.e(TAG, "getTransformState: failed to get IpSecTransformState" + e.toString());
+ throw new IllegalStateException("Failed to get IpSecTransformState", e);
+ }
+
+ // Keep the netlink socket open to save time for the next call. It is cheap to have a
+ // persistent netlink socket in the system server
+
+ if (xfrmNewSaMsg == null) {
+ Log.e(TAG, "getTransformState: failed to get IpSecTransformState xfrmNewSaMsg is null");
+ throw new IllegalStateException("Failed to get IpSecTransformState");
+ }
+
+ return new IpSecTransformState.Builder()
+ .setTxHighestSequenceNumber(xfrmNewSaMsg.getTxSequenceNumber())
+ .setRxHighestSequenceNumber(xfrmNewSaMsg.getRxSequenceNumber())
+ .setPacketCount(xfrmNewSaMsg.getPacketCount())
+ .setByteCount(xfrmNewSaMsg.getByteCount())
+ .setReplayBitmap(xfrmNewSaMsg.getBitmap())
+ .build();
+ }
+
/**
* Apply an active transport mode transform to a socket, which will apply the IPsec security
* association as a correspondent policy to the provided socket
diff --git a/staticlibs/device/com/android/net/module/util/netlink/NetlinkMessage.java b/staticlibs/device/com/android/net/module/util/netlink/NetlinkMessage.java
index 111e0ba..781a04e 100644
--- a/staticlibs/device/com/android/net/module/util/netlink/NetlinkMessage.java
+++ b/staticlibs/device/com/android/net/module/util/netlink/NetlinkMessage.java
@@ -142,6 +142,7 @@
return (NetlinkMessage) RtNetlinkAddressMessage.parse(nlmsghdr, byteBuffer);
case NetlinkConstants.RTM_NEWROUTE:
case NetlinkConstants.RTM_DELROUTE:
+ case NetlinkConstants.RTM_GETROUTE:
return (NetlinkMessage) RtNetlinkRouteMessage.parse(nlmsghdr, byteBuffer);
case NetlinkConstants.RTM_NEWNEIGH:
case NetlinkConstants.RTM_DELNEIGH:
diff --git a/staticlibs/device/com/android/net/module/util/netlink/StructNlMsgHdr.java b/staticlibs/device/com/android/net/module/util/netlink/StructNlMsgHdr.java
index ff37639..5272366 100644
--- a/staticlibs/device/com/android/net/module/util/netlink/StructNlMsgHdr.java
+++ b/staticlibs/device/com/android/net/module/util/netlink/StructNlMsgHdr.java
@@ -71,13 +71,17 @@
}
sb.append("NLM_F_ECHO");
}
- if ((flags & NLM_F_ROOT) != 0) {
+ if ((flags & NLM_F_DUMP) == NLM_F_DUMP) {
+ if (sb.length() > 0) {
+ sb.append("|");
+ }
+ sb.append("NLM_F_DUMP");
+ } else if ((flags & NLM_F_ROOT) != 0) { // NLM_F_DUMP = NLM_F_ROOT | NLM_F_MATCH
if (sb.length() > 0) {
sb.append("|");
}
sb.append("NLM_F_ROOT");
- }
- if ((flags & NLM_F_MATCH) != 0) {
+ } else if ((flags & NLM_F_MATCH) != 0) {
if (sb.length() > 0) {
sb.append("|");
}
diff --git a/staticlibs/tests/unit/Android.bp b/staticlibs/tests/unit/Android.bp
index 031e52f..0dfca57 100644
--- a/staticlibs/tests/unit/Android.bp
+++ b/staticlibs/tests/unit/Android.bp
@@ -33,7 +33,10 @@
"//packages/modules/Connectivity/Tethering/tests:__subpackages__",
"//packages/modules/NetworkStack/tests/integration",
],
- lint: { strict_updatability_linting: true },
+ lint: {
+ strict_updatability_linting: true,
+ test: true
+ },
}
android_test {
diff --git a/staticlibs/tests/unit/src/com/android/net/module/util/netlink/StructNlMsgHdrTest.java b/staticlibs/tests/unit/src/com/android/net/module/util/netlink/StructNlMsgHdrTest.java
index b7f68c6..a0d8b8c 100644
--- a/staticlibs/tests/unit/src/com/android/net/module/util/netlink/StructNlMsgHdrTest.java
+++ b/staticlibs/tests/unit/src/com/android/net/module/util/netlink/StructNlMsgHdrTest.java
@@ -16,6 +16,7 @@
package com.android.net.module.util.netlink;
+import static com.android.net.module.util.netlink.StructNlMsgHdr.NLM_F_DUMP;
import static org.junit.Assert.fail;
import android.system.OsConstants;
@@ -48,10 +49,14 @@
public static final String TEST_NLMSG_PID_STR = "nlmsg_pid{5678}";
private StructNlMsgHdr makeStructNlMsgHdr(short type) {
+ return makeStructNlMsgHdr(type, TEST_NLMSG_FLAGS);
+ }
+
+ private StructNlMsgHdr makeStructNlMsgHdr(short type, short flags) {
final StructNlMsgHdr struct = new StructNlMsgHdr();
struct.nlmsg_len = TEST_NLMSG_LEN;
struct.nlmsg_type = type;
- struct.nlmsg_flags = TEST_NLMSG_FLAGS;
+ struct.nlmsg_flags = flags;
struct.nlmsg_seq = TEST_NLMSG_SEQ;
struct.nlmsg_pid = TEST_NLMSG_PID;
return struct;
@@ -62,6 +67,11 @@
fail("\"" + actualValue + "\" does not contain \"" + expectedSubstring + "\"");
}
+ private static void assertNotContains(String actualValue, String unexpectedSubstring) {
+ if (!actualValue.contains(unexpectedSubstring)) return;
+ fail("\"" + actualValue + "\" contains \"" + unexpectedSubstring + "\"");
+ }
+
@Test
public void testToString() {
StructNlMsgHdr struct = makeStructNlMsgHdr(NetlinkConstants.RTM_NEWADDR);
@@ -99,4 +109,31 @@
assertContains(s, TEST_NLMSG_PID_STR);
assertContains(s, "nlmsg_type{20(SOCK_DIAG_BY_FAMILY)}");
}
+
+ @Test
+ public void testToString_flags_dumpRequest() {
+ final short flags = StructNlMsgHdr.NLM_F_REQUEST | StructNlMsgHdr.NLM_F_DUMP;
+ StructNlMsgHdr struct = makeStructNlMsgHdr(NetlinkConstants.RTM_GETROUTE, flags);
+
+ String s = struct.toString(OsConstants.NETLINK_ROUTE);
+
+ assertContains(s, "RTM_GETROUTE");
+ assertContains(s, "NLM_F_REQUEST");
+ assertContains(s, "NLM_F_DUMP");
+ // NLM_F_DUMP = NLM_F_ROOT | NLM_F_MATCH;
+ assertNotContains(s, "NLM_F_MATCH");
+ assertNotContains(s, "NLM_F_ROOT");
+ }
+
+ @Test
+ public void testToString_flags_root() {
+ final short flags = StructNlMsgHdr.NLM_F_ROOT;
+ StructNlMsgHdr struct = makeStructNlMsgHdr(NetlinkConstants.RTM_GETROUTE, flags);
+
+ String s = struct.toString(OsConstants.NETLINK_ROUTE);
+
+ assertContains(s, "NLM_F_ROOT");
+ // NLM_F_DUMP = NLM_F_ROOT | NLM_F_MATCH;
+ assertNotContains(s, "NLM_F_DUMP");
+ }
}
diff --git a/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
index 1618a62..8037542 100644
--- a/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
+++ b/tests/unit/java/com/android/server/IpSecServiceParameterizedTest.java
@@ -33,6 +33,7 @@
import static org.junit.Assert.fail;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyInt;
+import static org.mockito.ArgumentMatchers.anyLong;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.ArgumentMatchers.argThat;
import static org.mockito.ArgumentMatchers.eq;
@@ -74,6 +75,7 @@
import androidx.test.filters.SmallTest;
+import com.android.net.module.util.netlink.xfrm.XfrmNetlinkNewSaMessage;
import com.android.server.IpSecService.TunnelInterfaceRecord;
import com.android.testutils.DevSdkIgnoreRule;
@@ -85,6 +87,7 @@
import org.junit.runners.Parameterized;
import java.net.Inet4Address;
+import java.net.InetAddress;
import java.net.Socket;
import java.util.Arrays;
import java.util.Collection;
@@ -149,6 +152,7 @@
private Set<String> mAllowedPermissions = new ArraySet<>(Arrays.asList(
android.Manifest.permission.MANAGE_IPSEC_TUNNELS,
android.Manifest.permission.NETWORK_STACK,
+ android.Manifest.permission.ACCESS_NETWORK_STATE,
PERMISSION_MAINLINE_NETWORK_STACK));
private void setAllowedPermissions(String... permissions) {
@@ -202,11 +206,13 @@
private IpSecService.Dependencies makeDependencies() throws RemoteException {
final IpSecService.Dependencies deps = mock(IpSecService.Dependencies.class);
when(deps.getNetdInstance(mTestContext)).thenReturn(mMockNetd);
+ when(deps.getIpSecXfrmController()).thenReturn(mMockXfrmCtrl);
return deps;
}
INetd mMockNetd;
PackageManager mMockPkgMgr;
+ IpSecXfrmController mMockXfrmCtrl;
IpSecService.Dependencies mDeps;
IpSecService mIpSecService;
Network fakeNetwork = new Network(0xAB);
@@ -235,6 +241,7 @@
@Before
public void setUp() throws Exception {
mMockNetd = mock(INetd.class);
+ mMockXfrmCtrl = mock(IpSecXfrmController.class);
mMockPkgMgr = mock(PackageManager.class);
mDeps = makeDependencies();
mIpSecService = new IpSecService(mTestContext, mDeps);
@@ -506,6 +513,32 @@
}
@Test
+ public void getTransformState() throws Exception {
+ XfrmNetlinkNewSaMessage mockXfrmNewSaMsg = mock(XfrmNetlinkNewSaMessage.class);
+ when(mockXfrmNewSaMsg.getBitmap()).thenReturn(new byte[512]);
+ when(mMockXfrmCtrl.ipSecGetSa(any(InetAddress.class), anyLong()))
+ .thenReturn(mockXfrmNewSaMsg);
+
+ // Create transform
+ IpSecConfig ipSecConfig = new IpSecConfig();
+ addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
+ addAuthAndCryptToIpSecConfig(ipSecConfig);
+
+ IpSecTransformResponse createTransformResp =
+ mIpSecService.createTransform(ipSecConfig, new Binder(), BLESSED_PACKAGE);
+ assertEquals(IpSecManager.Status.OK, createTransformResp.status);
+
+ // Get transform state
+ mIpSecService.getTransformState(createTransformResp.resourceId);
+
+ // Verifications
+ verify(mMockXfrmCtrl)
+ .ipSecGetSa(
+ eq(InetAddresses.parseNumericAddress(mDestinationAddr)),
+ eq(Integer.toUnsignedLong(TEST_SPI)));
+ }
+
+ @Test
public void testReleaseOwnedSpi() throws Exception {
IpSecConfig ipSecConfig = new IpSecConfig();
addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig);
diff --git a/tests/unit/java/com/android/server/connectivity/VpnTest.java b/tests/unit/java/com/android/server/connectivity/VpnTest.java
index 46e9e45..c9cece0 100644
--- a/tests/unit/java/com/android/server/connectivity/VpnTest.java
+++ b/tests/unit/java/com/android/server/connectivity/VpnTest.java
@@ -2979,7 +2979,7 @@
null /* iface */, RTN_UNREACHABLE));
assertEquals(expectedRoutes, lp.getRoutes());
- verify(mMockNetworkAgent).unregister();
+ verify(mMockNetworkAgent, timeout(TEST_TIMEOUT_MS)).unregister();
}
@Test