diff options
| author | Benedict Wong <benedictwong@google.com> | 2018-01-09 18:18:28 +0000 |
|---|---|---|
| committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2018-01-09 18:18:28 +0000 |
| commit | a954f20f468fd9f9a6a8a45f3f49dbab3df75e30 (patch) | |
| tree | dfd8046bfd035467c7dacfb35801e2c3b3c6d2d6 | |
| parent | a2525e506de9b7a5f099010af9bd916908c164f5 (diff) | |
| parent | 4f25570acd349bbbd41d9d2806eba6f4a0255780 (diff) | |
Merge "Add validation to IpSecConfig algorithm setters"
4 files changed, 204 insertions, 69 deletions
diff --git a/core/java/android/net/IpSecAlgorithm.java b/core/java/android/net/IpSecAlgorithm.java index f82627b942c3..7d752e89e6f6 100644 --- a/core/java/android/net/IpSecAlgorithm.java +++ b/core/java/android/net/IpSecAlgorithm.java @@ -231,6 +231,31 @@ public final class IpSecAlgorithm implements Parcelable { } } + /** @hide */ + public boolean isAuthentication() { + switch (getName()) { + // Fallthrough + case AUTH_HMAC_MD5: + case AUTH_HMAC_SHA1: + case AUTH_HMAC_SHA256: + case AUTH_HMAC_SHA384: + case AUTH_HMAC_SHA512: + return true; + default: + return false; + } + } + + /** @hide */ + public boolean isEncryption() { + return getName().equals(CRYPT_AES_CBC); + } + + /** @hide */ + public boolean isAead() { + return getName().equals(AUTH_CRYPT_AES_GCM); + } + @Override public String toString() { return new StringBuilder() diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java index 5c098e32045b..02cfe3dc75e5 100644 --- a/services/core/java/com/android/server/IpSecService.java +++ b/services/core/java/com/android/server/IpSecService.java @@ -52,6 +52,7 @@ import android.util.SparseArray; import com.android.internal.annotations.GuardedBy; import com.android.internal.annotations.VisibleForTesting; +import com.android.internal.util.Preconditions; import java.io.FileDescriptor; import java.io.IOException; @@ -1030,6 +1031,30 @@ public class IpSecService extends IIpSecService.Stub { releaseResource(userRecord.mEncapSocketRecords, resourceId); } + @VisibleForTesting + void validateAlgorithms(IpSecConfig config, int direction) throws IllegalArgumentException { + IpSecAlgorithm auth = config.getAuthentication(direction); + IpSecAlgorithm crypt = config.getEncryption(direction); + IpSecAlgorithm aead = config.getAuthenticatedEncryption(direction); + + // Validate the algorithm set + Preconditions.checkArgument( + aead != null || crypt != null || auth != null, + "No Encryption or Authentication algorithms specified"); + Preconditions.checkArgument( + auth == null || auth.isAuthentication(), + "Unsupported algorithm for Authentication"); + Preconditions.checkArgument( + crypt == null || crypt.isEncryption(), "Unsupported algorithm for Encryption"); + Preconditions.checkArgument( + aead == null || aead.isAead(), + "Unsupported algorithm for Authenticated Encryption"); + Preconditions.checkArgument( + aead == null || (auth == null && crypt == null), + "Authenticated Encryption is mutually exclusive with other Authentication " + + "or Encryption algorithms"); + } + /** * Checks an IpSecConfig parcel to ensure that the contents are sane and throws an * IllegalArgumentException if they are not. @@ -1079,17 +1104,7 @@ public class IpSecService extends IIpSecService.Stub { } for (int direction : DIRECTIONS) { - IpSecAlgorithm crypt = config.getEncryption(direction); - IpSecAlgorithm auth = config.getAuthentication(direction); - IpSecAlgorithm authenticatedEncryption = config.getAuthenticatedEncryption(direction); - if (authenticatedEncryption == null && crypt == null && auth == null) { - throw new IllegalArgumentException( - "No Encryption or Authentication algorithms specified"); - } else if (authenticatedEncryption != null && (auth != null || crypt != null)) { - throw new IllegalArgumentException( - "Authenticated Encryption is mutually" - + " exclusive with other Authentication or Encryption algorithms"); - } + validateAlgorithms(config, direction); // Retrieve SPI record; will throw IllegalArgumentException if not found userRecord.mSpiRecords.getResourceOrThrow(config.getSpiResourceId(direction)); diff --git a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java index 80e42a33b3cc..2282c1319a9a 100644 --- a/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java +++ b/tests/net/java/com/android/server/IpSecServiceParameterizedTest.java @@ -348,64 +348,6 @@ public class IpSecServiceParameterizedTest { } @Test - public void testCreateInvalidConfigAeadWithAuth() throws Exception { - IpSecConfig ipSecConfig = new IpSecConfig(); - addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); - - for (int direction : DIRECTIONS) { - ipSecConfig.setAuthentication(direction, AUTH_ALGO); - ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO); - } - - try { - mIpSecService.createTransportModeTransform(ipSecConfig, new Binder()); - fail( - "IpSecService should have thrown an error on authentication being" - + " enabled with authenticated encryption"); - } catch (IllegalArgumentException expected) { - } - } - - @Test - public void testCreateInvalidConfigAeadWithCrypt() throws Exception { - IpSecConfig ipSecConfig = new IpSecConfig(); - addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); - - for (int direction : DIRECTIONS) { - ipSecConfig.setEncryption(direction, CRYPT_ALGO); - ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO); - } - - try { - mIpSecService.createTransportModeTransform(ipSecConfig, new Binder()); - fail( - "IpSecService should have thrown an error on encryption being" - + " enabled with authenticated encryption"); - } catch (IllegalArgumentException expected) { - } - } - - @Test - public void testCreateInvalidConfigAeadWithAuthAndCrypt() throws Exception { - IpSecConfig ipSecConfig = new IpSecConfig(); - addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); - - for (int direction : DIRECTIONS) { - ipSecConfig.setAuthentication(direction, AUTH_ALGO); - ipSecConfig.setEncryption(direction, CRYPT_ALGO); - ipSecConfig.setAuthenticatedEncryption(direction, AEAD_ALGO); - } - - try { - mIpSecService.createTransportModeTransform(ipSecConfig, new Binder()); - fail( - "IpSecService should have thrown an error on authentication and encryption being" - + " enabled with authenticated encryption"); - } catch (IllegalArgumentException expected) { - } - } - - @Test public void testDeleteTransportModeTransform() throws Exception { IpSecConfig ipSecConfig = new IpSecConfig(); addDefaultSpisAndRemoteAddrToIpSecConfig(ipSecConfig); diff --git a/tests/net/java/com/android/server/IpSecServiceTest.java b/tests/net/java/com/android/server/IpSecServiceTest.java index 5d1e10eab572..0467989d8984 100644 --- a/tests/net/java/com/android/server/IpSecServiceTest.java +++ b/tests/net/java/com/android/server/IpSecServiceTest.java @@ -35,6 +35,8 @@ import static org.mockito.Mockito.when; import android.content.Context; import android.net.INetd; +import android.net.IpSecAlgorithm; +import android.net.IpSecConfig; import android.net.IpSecManager; import android.net.IpSecSpiResponse; import android.net.IpSecTransform; @@ -76,6 +78,36 @@ public class IpSecServiceTest { private static final InetAddress INADDR_ANY; + private static final byte[] AEAD_KEY = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F, + 0x73, 0x61, 0x6C, 0x74 + }; + private static final byte[] CRYPT_KEY = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F, + 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, + 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F + }; + private static final byte[] AUTH_KEY = { + 0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F, + 0x7A, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7F + }; + + private static final IpSecAlgorithm AUTH_ALGO = + new IpSecAlgorithm(IpSecAlgorithm.AUTH_HMAC_SHA256, AUTH_KEY, AUTH_KEY.length * 4); + private static final IpSecAlgorithm CRYPT_ALGO = + new IpSecAlgorithm(IpSecAlgorithm.CRYPT_AES_CBC, CRYPT_KEY); + private static final IpSecAlgorithm AEAD_ALGO = + new IpSecAlgorithm(IpSecAlgorithm.AUTH_CRYPT_AES_GCM, AEAD_KEY, 128); + + private static final int[] DIRECTIONS = + new int[] {IpSecTransform.DIRECTION_IN, IpSecTransform.DIRECTION_OUT}; + static { try { INADDR_ANY = InetAddress.getByAddress(new byte[] {0, 0, 0, 0}); @@ -270,6 +302,127 @@ public class IpSecServiceTest { } @Test + public void testValidateAlgorithmsAuth() { + for (int direction : DIRECTIONS) { + // Validate that correct algorithm type succeeds + IpSecConfig config = new IpSecConfig(); + config.setAuthentication(direction, AUTH_ALGO); + mIpSecService.validateAlgorithms(config, direction); + + // Validate that incorrect algorithm types fails + for (IpSecAlgorithm algo : new IpSecAlgorithm[] {CRYPT_ALGO, AEAD_ALGO}) { + try { + config = new IpSecConfig(); + config.setAuthentication(direction, algo); + mIpSecService.validateAlgorithms(config, direction); + fail("Did not throw exception on invalid algorithm type"); + } catch (IllegalArgumentException expected) { + } + } + } + } + + @Test + public void testValidateAlgorithmsCrypt() { + for (int direction : DIRECTIONS) { + // Validate that correct algorithm type succeeds + IpSecConfig config = new IpSecConfig(); + config.setEncryption(direction, CRYPT_ALGO); + mIpSecService.validateAlgorithms(config, direction); + + // Validate that incorrect algorithm types fails + for (IpSecAlgorithm algo : new IpSecAlgorithm[] {AUTH_ALGO, AEAD_ALGO}) { + try { + config = new IpSecConfig(); + config.setEncryption(direction, algo); + mIpSecService.validateAlgorithms(config, direction); + fail("Did not throw exception on invalid algorithm type"); + } catch (IllegalArgumentException expected) { + } + } + } + } + + @Test + public void testValidateAlgorithmsAead() { + for (int direction : DIRECTIONS) { + // Validate that correct algorithm type succeeds + IpSecConfig config = new IpSecConfig(); + config.setAuthenticatedEncryption(direction, AEAD_ALGO); + mIpSecService.validateAlgorithms(config, direction); + + // Validate that incorrect algorithm types fails + for (IpSecAlgorithm algo : new IpSecAlgorithm[] {AUTH_ALGO, CRYPT_ALGO}) { + try { + config = new IpSecConfig(); + config.setAuthenticatedEncryption(direction, algo); + mIpSecService.validateAlgorithms(config, direction); + fail("Did not throw exception on invalid algorithm type"); + } catch (IllegalArgumentException expected) { + } + } + } + } + + @Test + public void testValidateAlgorithmsAuthCrypt() { + for (int direction : DIRECTIONS) { + // Validate that correct algorithm type succeeds + IpSecConfig config = new IpSecConfig(); + config.setAuthentication(direction, AUTH_ALGO); + config.setEncryption(direction, CRYPT_ALGO); + mIpSecService.validateAlgorithms(config, direction); + } + } + + @Test + public void testValidateAlgorithmsNoAlgorithms() { + IpSecConfig config = new IpSecConfig(); + try { + mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN); + fail("Expected exception; no algorithms specified"); + } catch (IllegalArgumentException expected) { + } + } + + @Test + public void testValidateAlgorithmsAeadWithAuth() { + IpSecConfig config = new IpSecConfig(); + config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO); + config.setAuthentication(IpSecTransform.DIRECTION_IN, AUTH_ALGO); + try { + mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN); + fail("Expected exception; both AEAD and auth algorithm specified"); + } catch (IllegalArgumentException expected) { + } + } + + @Test + public void testValidateAlgorithmsAeadWithCrypt() { + IpSecConfig config = new IpSecConfig(); + config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO); + config.setEncryption(IpSecTransform.DIRECTION_IN, CRYPT_ALGO); + try { + mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN); + fail("Expected exception; both AEAD and crypt algorithm specified"); + } catch (IllegalArgumentException expected) { + } + } + + @Test + public void testValidateAlgorithmsAeadWithAuthAndCrypt() { + IpSecConfig config = new IpSecConfig(); + config.setAuthenticatedEncryption(IpSecTransform.DIRECTION_IN, AEAD_ALGO); + config.setAuthentication(IpSecTransform.DIRECTION_IN, AUTH_ALGO); + config.setEncryption(IpSecTransform.DIRECTION_IN, CRYPT_ALGO); + try { + mIpSecService.validateAlgorithms(config, IpSecTransform.DIRECTION_IN); + fail("Expected exception; AEAD, auth and crypt algorithm specified"); + } catch (IllegalArgumentException expected) { + } + } + + @Test public void testDeleteInvalidTransportModeTransform() throws Exception { try { mIpSecService.deleteTransportModeTransform(1); |