Merge changes from topic 'ipsec-api-tweaks-merge' into oc-dev

* changes: Add FileDescriptor Versions of applyTransportModeTransform() IpSecManager and IpSecAlgorithm API Tweaks
author: Nathan Harold <nharold@google.com> 2017-04-14 20:21:13 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2017-04-14 20:21:17 +0000
commit: 9361283073213890059c60787ebac920455fbd31 (patch)
tree: d33051fa02d3ce8842e35cd09a9c8df8964e4935
parent: d210ce63d00aa76ec680781bcee08543cc839e66 (diff)
parent: 09098dc441913f30905f6ffd6f73262924858dd0 (diff)
5 files changed, 105 insertions, 36 deletions
diff --git a/api/current.txt b/api/current.txt
index e2dd78fcbd17..4149d03ffeac 100644
--- a/api/current.txt
+++ b/api/current.txt
@@ -25521,22 +25521,25 @@ package android.net {
     method public java.lang.String getName();
     method public int getTruncationLengthBits();
     method public void writeToParcel(android.os.Parcel, int);
-    field public static final java.lang.String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
-    field public static final java.lang.String ALGO_CRYPT_AES_CBC = "cbc(aes)";
+    field public static final java.lang.String AUTH_HMAC_MD5 = "hmac(md5)";
+    field public static final java.lang.String AUTH_HMAC_SHA1 = "hmac(sha1)";
+    field public static final java.lang.String AUTH_HMAC_SHA256 = "hmac(sha256)";
+    field public static final java.lang.String AUTH_HMAC_SHA384 = "hmac(sha384)";
+    field public static final java.lang.String AUTH_HMAC_SHA512 = "hmac(sha512)";
     field public static final android.os.Parcelable.Creator<android.net.IpSecAlgorithm> CREATOR;
+    field public static final java.lang.String CRYPT_AES_CBC = "cbc(aes)";
   }
 
   public final class IpSecManager {
     method public void applyTransportModeTransform(java.net.Socket, android.net.IpSecTransform) throws java.io.IOException;
     method public void applyTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform) throws java.io.IOException;
+    method public void applyTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform) throws java.io.IOException;
     method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket(int) throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
     method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket() throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
     method public void removeTransportModeTransform(java.net.Socket, android.net.IpSecTransform);
     method public void removeTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform);
+    method public void removeTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform);
+    method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress) throws android.net.IpSecManager.ResourceUnavailableException;
     method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress, int) throws android.net.IpSecManager.ResourceUnavailableException, android.net.IpSecManager.SpiUnavailableException;
     field public static final int INVALID_SECURITY_PARAMETER_INDEX = 0; // 0x0
   }
diff --git a/api/system-current.txt b/api/system-current.txt
index 4a0b6f3de3d2..4fa96aef9eec 100644
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -27706,22 +27706,25 @@ package android.net {
     method public java.lang.String getName();
     method public int getTruncationLengthBits();
     method public void writeToParcel(android.os.Parcel, int);
-    field public static final java.lang.String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
-    field public static final java.lang.String ALGO_CRYPT_AES_CBC = "cbc(aes)";
+    field public static final java.lang.String AUTH_HMAC_MD5 = "hmac(md5)";
+    field public static final java.lang.String AUTH_HMAC_SHA1 = "hmac(sha1)";
+    field public static final java.lang.String AUTH_HMAC_SHA256 = "hmac(sha256)";
+    field public static final java.lang.String AUTH_HMAC_SHA384 = "hmac(sha384)";
+    field public static final java.lang.String AUTH_HMAC_SHA512 = "hmac(sha512)";
     field public static final android.os.Parcelable.Creator<android.net.IpSecAlgorithm> CREATOR;
+    field public static final java.lang.String CRYPT_AES_CBC = "cbc(aes)";
   }
 
   public final class IpSecManager {
     method public void applyTransportModeTransform(java.net.Socket, android.net.IpSecTransform) throws java.io.IOException;
     method public void applyTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform) throws java.io.IOException;
+    method public void applyTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform) throws java.io.IOException;
     method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket(int) throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
     method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket() throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
     method public void removeTransportModeTransform(java.net.Socket, android.net.IpSecTransform);
     method public void removeTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform);
+    method public void removeTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform);
+    method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress) throws android.net.IpSecManager.ResourceUnavailableException;
     method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress, int) throws android.net.IpSecManager.ResourceUnavailableException, android.net.IpSecManager.SpiUnavailableException;
     field public static final int INVALID_SECURITY_PARAMETER_INDEX = 0; // 0x0
   }
diff --git a/api/test-current.txt b/api/test-current.txt
index 0e8a52f4974e..1fed00758057 100644
--- a/api/test-current.txt
+++ b/api/test-current.txt
@@ -25628,22 +25628,25 @@ package android.net {
     method public java.lang.String getName();
     method public int getTruncationLengthBits();
     method public void writeToParcel(android.os.Parcel, int);
-    field public static final java.lang.String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
-    field public static final java.lang.String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
-    field public static final java.lang.String ALGO_CRYPT_AES_CBC = "cbc(aes)";
+    field public static final java.lang.String AUTH_HMAC_MD5 = "hmac(md5)";
+    field public static final java.lang.String AUTH_HMAC_SHA1 = "hmac(sha1)";
+    field public static final java.lang.String AUTH_HMAC_SHA256 = "hmac(sha256)";
+    field public static final java.lang.String AUTH_HMAC_SHA384 = "hmac(sha384)";
+    field public static final java.lang.String AUTH_HMAC_SHA512 = "hmac(sha512)";
     field public static final android.os.Parcelable.Creator<android.net.IpSecAlgorithm> CREATOR;
+    field public static final java.lang.String CRYPT_AES_CBC = "cbc(aes)";
   }
 
   public final class IpSecManager {
     method public void applyTransportModeTransform(java.net.Socket, android.net.IpSecTransform) throws java.io.IOException;
     method public void applyTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform) throws java.io.IOException;
+    method public void applyTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform) throws java.io.IOException;
     method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket(int) throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
     method public android.net.IpSecManager.UdpEncapsulationSocket openUdpEncapsulationSocket() throws java.io.IOException, android.net.IpSecManager.ResourceUnavailableException;
     method public void removeTransportModeTransform(java.net.Socket, android.net.IpSecTransform);
     method public void removeTransportModeTransform(java.net.DatagramSocket, android.net.IpSecTransform);
+    method public void removeTransportModeTransform(java.io.FileDescriptor, android.net.IpSecTransform);
+    method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress) throws android.net.IpSecManager.ResourceUnavailableException;
     method public android.net.IpSecManager.SecurityParameterIndex reserveSecurityParameterIndex(int, java.net.InetAddress, int) throws android.net.IpSecManager.ResourceUnavailableException, android.net.IpSecManager.SpiUnavailableException;
     field public static final int INVALID_SECURITY_PARAMETER_INDEX = 0; // 0x0
   }
diff --git a/core/java/android/net/IpSecAlgorithm.java b/core/java/android/net/IpSecAlgorithm.java
index 7fea4a25cab7..ce7894fb3ba1 100644
--- a/core/java/android/net/IpSecAlgorithm.java
+++ b/core/java/android/net/IpSecAlgorithm.java
@@ -32,7 +32,7 @@ public final class IpSecAlgorithm implements Parcelable {
      *
      * <p>Valid lengths for this key are {128, 192, 256}.
      */
-    public static final String ALGO_CRYPT_AES_CBC = "cbc(aes)";
+    public static final String CRYPT_AES_CBC = "cbc(aes)";
 
     /**
      * MD5 HMAC Authentication/Integrity Algorithm. This algorithm is not recommended for use in new
@@ -40,7 +40,7 @@ public final class IpSecAlgorithm implements Parcelable {
      *
      * <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 128.
      */
-    public static final String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
+    public static final String AUTH_HMAC_MD5 = "hmac(md5)";
 
     /**
      * SHA1 HMAC Authentication/Integrity Algorithm. This algorithm is not recommended for use in
@@ -48,35 +48,35 @@ public final class IpSecAlgorithm implements Parcelable {
      *
      * <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 160.
      */
-    public static final String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
+    public static final String AUTH_HMAC_SHA1 = "hmac(sha1)";
 
     /**
      * SHA256 HMAC Authentication/Integrity Algorithm.
      *
      * <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 256.
      */
-    public static final String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
+    public static final String AUTH_HMAC_SHA256 = "hmac(sha256)";
 
     /**
      * SHA384 HMAC Authentication/Integrity Algorithm.
      *
      * <p>Valid truncation lengths are multiples of 8 bits from 192 to (default) 384.
      */
-    public static final String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
+    public static final String AUTH_HMAC_SHA384 = "hmac(sha384)";
     /**
      * SHA512 HMAC Authentication/Integrity Algorithm
      *
      * <p>Valid truncation lengths are multiples of 8 bits from 256 to (default) 512.
      */
-    public static final String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
+    public static final String AUTH_HMAC_SHA512 = "hmac(sha512)";
 
     /** @hide */
     @StringDef({
-        ALGO_CRYPT_AES_CBC,
-        ALGO_AUTH_HMAC_MD5,
-        ALGO_AUTH_HMAC_SHA1,
-        ALGO_AUTH_HMAC_SHA256,
-        ALGO_AUTH_HMAC_SHA512
+        CRYPT_AES_CBC,
+        AUTH_HMAC_MD5,
+        AUTH_HMAC_SHA1,
+        AUTH_HMAC_SHA256,
+        AUTH_HMAC_SHA512
     })
     @Retention(RetentionPolicy.SOURCE)
     public @interface AlgorithmName {}
@@ -164,17 +164,17 @@ public final class IpSecAlgorithm implements Parcelable {
 
     private static boolean isTruncationLengthValid(String algo, int truncLenBits) {
         switch (algo) {
-            case ALGO_CRYPT_AES_CBC:
+            case CRYPT_AES_CBC:
                 return (truncLenBits == 128 || truncLenBits == 192 || truncLenBits == 256);
-            case ALGO_AUTH_HMAC_MD5:
+            case AUTH_HMAC_MD5:
                 return (truncLenBits >= 96 && truncLenBits <= 128);
-            case ALGO_AUTH_HMAC_SHA1:
+            case AUTH_HMAC_SHA1:
                 return (truncLenBits >= 96 && truncLenBits <= 160);
-            case ALGO_AUTH_HMAC_SHA256:
+            case AUTH_HMAC_SHA256:
                 return (truncLenBits >= 96 && truncLenBits <= 256);
-            case ALGO_AUTH_HMAC_SHA384:
+            case AUTH_HMAC_SHA384:
                 return (truncLenBits >= 192 && truncLenBits <= 384);
-            case ALGO_AUTH_HMAC_SHA512:
+            case AUTH_HMAC_SHA512:
                 return (truncLenBits >= 256 && truncLenBits <= 512);
             default:
                 return false;
diff --git a/core/java/android/net/IpSecManager.java b/core/java/android/net/IpSecManager.java
index 6852beb06529..f8702e2e00e7 100644
--- a/core/java/android/net/IpSecManager.java
+++ b/core/java/android/net/IpSecManager.java
@@ -193,15 +193,44 @@ public final class IpSecManager {
      *
      * @param direction {@link IpSecTransform#DIRECTION_IN} or {@link IpSecTransform#DIRECTION_OUT}
      * @param remoteAddress address of the remote. SPIs must be unique for each remoteAddress.
-     * @param requestedSpi the requested SPI, or '0' to allocate a random SPI.
      * @return the reserved SecurityParameterIndex
      * @throws ResourceUnavailableException indicating that too many SPIs are currently allocated
      *     for this user
      * @throws SpiUnavailableException indicating that a particular SPI cannot be reserved
      */
     public SecurityParameterIndex reserveSecurityParameterIndex(
+            int direction, InetAddress remoteAddress)
+            throws ResourceUnavailableException {
+        try {
+            return new SecurityParameterIndex(
+                    mService,
+                    direction,
+                    remoteAddress,
+                    IpSecManager.INVALID_SECURITY_PARAMETER_INDEX);
+        } catch (SpiUnavailableException unlikely) {
+            throw new ResourceUnavailableException("No SPIs available");
+        }
+    }
+
+    /**
+     * Reserve an SPI for traffic bound towards the specified remote address.
+     *
+     * <p>If successful, this SPI is guaranteed available until released by a call to {@link
+     * SecurityParameterIndex#close()}.
+     *
+     * @param direction {@link IpSecTransform#DIRECTION_IN} or {@link IpSecTransform#DIRECTION_OUT}
+     * @param remoteAddress address of the remote. SPIs must be unique for each remoteAddress.
+     * @param requestedSpi the requested SPI, or '0' to allocate a random SPI.
+     * @return the reserved SecurityParameterIndex
+     * @throws ResourceUnavailableException indicating that too many SPIs are currently allocated
+     *     for this user
+     */
+    public SecurityParameterIndex reserveSecurityParameterIndex(
             int direction, InetAddress remoteAddress, int requestedSpi)
             throws SpiUnavailableException, ResourceUnavailableException {
+        if (requestedSpi == IpSecManager.INVALID_SECURITY_PARAMETER_INDEX) {
+            throw new IllegalArgumentException("Requested SPI must be a valid (non-zero) SPI");
+        }
         return new SecurityParameterIndex(mService, direction, remoteAddress, requestedSpi);
     }
 
@@ -249,6 +278,23 @@ public final class IpSecManager {
     }
 
     /**
+     * Apply an active Transport Mode IPsec Transform to a stream socket to perform IPsec
+     * encapsulation of the traffic flowing between the socket and the remote InetAddress of that
+     * transform. For security reasons, attempts to send traffic to any IP address other than the
+     * address associated with that transform will throw an IOException. In addition, if the
+     * IpSecTransform is later deactivated, the socket will throw an IOException on any calls to
+     * send() or receive() until the transform is removed from the socket by calling {@link
+     * #removeTransportModeTransform(Socket, IpSecTransform)};
+     *
+     * @param socket a socket file descriptor
+     * @param transform an {@link IpSecTransform}, which must be an active Transport Mode transform.
+     */
+    public void applyTransportModeTransform(FileDescriptor socket, IpSecTransform transform)
+            throws IOException {
+        applyTransportModeTransform(new ParcelFileDescriptor(socket), transform);
+    }
+
+    /**
      * Apply an active Tunnel Mode IPsec Transform to a network, which will tunnel all traffic to
      * and from that network's interface with IPsec (applies an outer IP header and IPsec Header to
      * all traffic, and expects an additional IP header and IPsec Header on all inbound traffic).
@@ -289,6 +335,20 @@ public final class IpSecManager {
         removeTransportModeTransform(ParcelFileDescriptor.fromDatagramSocket(socket), transform);
     }
 
+    /**
+     * Remove a transform from a given stream socket. Once removed, traffic on the socket will not
+     * be encypted. This allows sockets that have been used for IPsec to be reclaimed for
+     * communication in the clear in the event socket reuse is desired. This operation will succeed
+     * regardless of the underlying state of a transform. If a transform is removed, communication
+     * on all sockets to which that transform was applied will fail until this method is called.
+     *
+     * @param socket a socket file descriptor that previously had a transform applied to it.
+     * @param transform the IPsec Transform that was previously applied to the given socket
+     */
+    public void removeTransportModeTransform(FileDescriptor socket, IpSecTransform transform) {
+        removeTransportModeTransform(new ParcelFileDescriptor(socket), transform);
+    }
+
     /* Call down to activate a transform */
     private void removeTransportModeTransform(ParcelFileDescriptor pfd, IpSecTransform transform) {
         try {
author	Nathan Harold <nharold@google.com>	2017-04-14 20:21:13 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2017-04-14 20:21:17 +0000
commit	9361283073213890059c60787ebac920455fbd31 (patch)
tree	d33051fa02d3ce8842e35cd09a9c8df8964e4935
parent	d210ce63d00aa76ec680781bcee08543cc839e66 (diff)
parent	09098dc441913f30905f6ffd6f73262924858dd0 (diff)