| -rw-r--r-- | server/NetdNativeService.cpp | 35 | ||||
| -rw-r--r-- | server/NetdNativeService.h | 15 | ||||
| -rw-r--r-- | server/XfrmController.cpp | 135 | ||||
| -rw-r--r-- | server/XfrmController.h | 19 | ||||
| -rw-r--r-- | server/XfrmControllerTest.cpp | 18 | ||||
| -rw-r--r-- | server/binder/android/net/INetd.aidl | 38 |
6 files changed, 107 insertions, 153 deletions
diff --git a/server/NetdNativeService.cpp b/server/NetdNativeService.cpp index 80081ea3c..7cbac45fe 100644 --- a/server/NetdNativeService.cpp +++ b/server/NetdNativeService.cpp @@ -458,9 +458,8 @@ binder::Status NetdNativeService::ipSecSetEncapSocketOwner(const android::base:: binder::Status NetdNativeService::ipSecAllocateSpi( int32_t transformId, - int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, + const std::string& sourceAddress, + const std::string& destinationAddress, int32_t inSpi, int32_t* outSpi) { // Necessary locking done in IpSecService and kernel @@ -468,9 +467,8 @@ binder::Status NetdNativeService::ipSecAllocateSpi( ALOGD("ipSecAllocateSpi()"); return asBinderStatus(gCtls->xfrmCtrl.ipSecAllocateSpi( transformId, - direction, - localAddress, - remoteAddress, + sourceAddress, + destinationAddress, inSpi, outSpi)); } @@ -478,9 +476,8 @@ binder::Status NetdNativeService::ipSecAllocateSpi( binder::Status NetdNativeService::ipSecAddSecurityAssociation( int32_t transformId, int32_t mode, - int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, + const std::string& sourceAddress, + const std::string& destinationAddress, int64_t underlyingNetworkHandle, int32_t spi, const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits, @@ -493,7 +490,7 @@ binder::Status NetdNativeService::ipSecAddSecurityAssociation( ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); ALOGD("ipSecAddSecurityAssociation()"); return asBinderStatus(gCtls->xfrmCtrl.ipSecAddSecurityAssociation( - transformId, mode, direction, localAddress, remoteAddress, + transformId, mode, sourceAddress, destinationAddress, underlyingNetworkHandle, spi, authAlgo, authKey, authTruncBits, 
@@ -504,18 +501,16 @@ binder::Status NetdNativeService::ipSecAddSecurityAssociation( binder::Status NetdNativeService::ipSecDeleteSecurityAssociation( int32_t transformId, - int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, + const std::string& sourceAddress, + const std::string& destinationAddress, int32_t spi) { // Necessary locking done in IpSecService and kernel ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); ALOGD("ipSecDeleteSecurityAssociation()"); return asBinderStatus(gCtls->xfrmCtrl.ipSecDeleteSecurityAssociation( transformId, - direction, - localAddress, - remoteAddress, + sourceAddress, + destinationAddress, spi)); } @@ -523,8 +518,8 @@ binder::Status NetdNativeService::ipSecApplyTransportModeTransform( const android::base::unique_fd& socket, int32_t transformId, int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, + const std::string& sourceAddress, + const std::string& destinationAddress, int32_t spi) { // Necessary locking done in IpSecService and kernel ENFORCE_PERMISSION(CONNECTIVITY_INTERNAL); @@ -533,8 +528,8 @@ binder::Status NetdNativeService::ipSecApplyTransportModeTransform( socket, transformId, direction, - localAddress, - remoteAddress, + sourceAddress, + destinationAddress, spi)); } diff --git a/server/NetdNativeService.h b/server/NetdNativeService.h index 35f40386e..a0f7134f7 100644 --- a/server/NetdNativeService.h +++ b/server/NetdNativeService.h @@ -103,7 +103,6 @@ class NetdNativeService : public BinderService<NetdNativeService>, public BnNetd binder::Status ipSecAllocateSpi( int32_t transformId, - int32_t direction, const std::string& localAddress, const std::string& remoteAddress, int32_t inSpi, 
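Review bot: The `ipSecAllocateSpi` declaration in NetdNativeService.h (hunk `@@ -103,7 +103,6`) drops `direction` but keeps the parameter names `localAddress`/`remoteAddress`, while the definition in NetdNativeService.cpp and the AIDL now use `sourceAddress`/`destinationAddress`. With `direction` gone, argument order is the only thing that tells an inbound SA from an outbound one, so a header that still says local/remote invites callers to pass the addresses the wrong way round for inbound traffic. The two lines should read `const std::string& sourceAddress,` and `const std::string& destinationAddress,`. The same stale names remain in XfrmController.h for `ipSecAllocateSpi` and `ipSecDeleteSecurityAssociation` (hunk `@@ -125,20 +124,19`). The class body continues outside the hunk.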
@@ -112,9 +111,8 @@ class NetdNativeService : public BinderService<NetdNativeService>, public BnNetd binder::Status ipSecAddSecurityAssociation( int32_t transformId, int32_t mode, - int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, + const std::string& sourceAddress, + const std::string& destinationAddress, int64_t underlyingNetworkHandle, int32_t spi, const std::string& authAlgo, @@ -132,17 +130,16 @@ class NetdNativeService : public BinderService<NetdNativeService>, public BnNetd binder::Status ipSecDeleteSecurityAssociation( int32_t transformId, - int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, + const std::string& sourceAddress, + const std::string& destinationAddress, int32_t spi); binder::Status ipSecApplyTransportModeTransform( const android::base::unique_fd& socket, int32_t transformId, int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, + const std::string& sourceAddress, + const std::string& destinationAddress, int32_t spi); binder::Status ipSecRemoveTransportModeTransform( diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp index 24ccee492..648c7c073 100644 --- a/server/XfrmController.cpp +++ b/server/XfrmController.cpp 
@@ -352,18 +352,18 @@ netdutils::Status XfrmController::ipSecSetEncapSocketOwner(const android::base:: if (info.st_uid != callerUid) { return netdutils::statusFromErrno(EPERM, "fchown disabled for non-owner calls"); } - if (S_ISSOCK(info.st_mode) == 0){ + if (S_ISSOCK(info.st_mode) == 0) { return netdutils::statusFromErrno(EINVAL, "File descriptor was not a socket"); } int optval; socklen_t optlen; - netdutils::Status status = getSyscallInstance().getsockopt(Fd(socket), IPPROTO_UDP, UDP_ENCAP, - &optval, &optlen); + netdutils::Status status = + getSyscallInstance().getsockopt(Fd(socket), IPPROTO_UDP, UDP_ENCAP, &optval, &optlen); if (status != netdutils::status::ok) { return status; } - if (optval != UDP_ENCAP_ESPINUDP && optval != UDP_ENCAP_ESPINUDP_NON_IKE){ + if (optval != UDP_ENCAP_ESPINUDP && optval != UDP_ENCAP_ESPINUDP_NON_IKE) { return netdutils::statusFromErrno(EINVAL, "Socket did not have UDP-encap sockopt set"); } if (fchown(fd, newUid, -1)) { 
@@ -373,20 +373,19 @@ netdutils::Status XfrmController::ipSecSetEncapSocketOwner(const android::base:: return netdutils::status::ok; } -netdutils::Status XfrmController::ipSecAllocateSpi(int32_t transformId, int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, int32_t inSpi, - int32_t* outSpi) { +netdutils::Status XfrmController::ipSecAllocateSpi(int32_t transformId, + const std::string& sourceAddress, + const std::string& destinationAddress, + int32_t inSpi, int32_t* outSpi) { ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__); ALOGD("transformId=%d", transformId); - ALOGD("direction=%d", direction); - ALOGD("localAddress=%s", localAddress.c_str()); - ALOGD("remoteAddress=%s", remoteAddress.c_str()); + ALOGD("sourceAddress=%s", sourceAddress.c_str()); + ALOGD("destinationAddress=%s", destinationAddress.c_str()); ALOGD("inSpi=%0.8x", inSpi); XfrmSaInfo saInfo{}; netdutils::Status ret = - fillXfrmId(direction, localAddress, remoteAddress, INVALID_SPI, transformId, &saInfo); + fillXfrmId(sourceAddress, destinationAddress, INVALID_SPI, transformId, &saInfo); if (!isOk(ret)) { return ret; } @@ -414,8 +413,8 @@ netdutils::Status XfrmController::ipSecAllocateSpi(int32_t transformId, int32_t } netdutils::Status XfrmController::ipSecAddSecurityAssociation( - int32_t transformId, int32_t mode, int32_t direction, const std::string& localAddress, - const std::string& remoteAddress, int64_t underlyingNetworkHandle, int32_t spi, + int32_t transformId, int32_t mode, const std::string& sourceAddress, + const std::string& destinationAddress, int64_t underlyingNetworkHandle, int32_t spi, const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits, const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits, const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits, 
@@ -423,9 +422,8 @@ netdutils::Status XfrmController::ipSecAddSecurityAssociation( ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__); ALOGD("transformId=%d", transformId); ALOGD("mode=%d", mode); - ALOGD("direction=%d", direction); - ALOGD("localAddress=%s", localAddress.c_str()); - ALOGD("remoteAddress=%s", remoteAddress.c_str()); + ALOGD("sourceAddress=%s", sourceAddress.c_str()); + ALOGD("destinationAddress=%s", destinationAddress.c_str()); ALOGD("underlyingNetworkHandle=%" PRIx64, underlyingNetworkHandle); ALOGD("spi=%0.8x", spi); ALOGD("authAlgo=%s", authAlgo.c_str()); @@ -440,7 +438,7 @@ netdutils::Status XfrmController::ipSecAddSecurityAssociation( XfrmSaInfo saInfo{}; netdutils::Status ret = - fillXfrmId(direction, localAddress, remoteAddress, spi, transformId, &saInfo); + fillXfrmId(sourceAddress, destinationAddress, spi, transformId, &saInfo); if (!isOk(ret)) { return ret; } @@ -454,8 +452,6 @@ netdutils::Status XfrmController::ipSecAddSecurityAssociation( saInfo.aead = XfrmAlgo{ .name = aeadAlgo, .key = aeadKey, .truncLenBits = static_cast<uint16_t>(aeadIcvBits)}; - saInfo.direction = static_cast<XfrmDirection>(direction); - switch (static_cast<XfrmMode>(mode)) { case XfrmMode::TRANSPORT: case XfrmMode::TUNNEL: 
@@ -478,18 +474,10 @@ netdutils::Status XfrmController::ipSecAddSecurityAssociation( if (saInfo.addrFamily != AF_INET) { return netdutils::statusFromErrno(EAFNOSUPPORT, "IPv6 encap not supported"); } - switch (saInfo.direction) { - case XfrmDirection::IN: - saInfo.encap.srcPort = encapRemotePort; - saInfo.encap.dstPort = encapLocalPort; - break; - case XfrmDirection::OUT: - saInfo.encap.srcPort = encapLocalPort; - saInfo.encap.dstPort = encapRemotePort; - break; - default: - return netdutils::statusFromErrno(EINVAL, "Invalid direction"); - } + // The ports are not used on input SAs, so this is OK to be wrong when + // direction is ultimately input. + saInfo.encap.srcPort = encapLocalPort; + saInfo.encap.dstPort = encapRemotePort; // fall through case XfrmEncapType::NONE: saInfo.encap.type = static_cast<XfrmEncapType>(encapType); @@ -506,21 +494,18 @@ netdutils::Status XfrmController::ipSecAddSecurityAssociation( return ret; } -netdutils::Status XfrmController::ipSecDeleteSecurityAssociation(int32_t transformId, - int32_t direction, - const std::string& localAddress, - const std::string& remoteAddress, - int32_t spi) { +netdutils::Status +XfrmController::ipSecDeleteSecurityAssociation(int32_t transformId, + const std::string& sourceAddress, + const std::string& destinationAddress, int32_t spi) { ALOGD("XfrmController:%s, line=%d", __FUNCTION__, __LINE__); ALOGD("transformId=%d", transformId); - ALOGD("direction=%d", direction); - ALOGD("localAddress=%s", localAddress.c_str()); - ALOGD("remoteAddress=%s", remoteAddress.c_str()); + ALOGD("sourceAddress=%s", sourceAddress.c_str()); + ALOGD("destinationAddress=%s", destinationAddress.c_str()); ALOGD("spi=%0.8x", spi); XfrmId saId{}; - netdutils::Status ret = - fillXfrmId(direction, localAddress, remoteAddress, spi, transformId, &saId); + netdutils::Status ret = fillXfrmId(sourceAddress, destinationAddress, spi, transformId, &saId); if (!isOk(ret)) { return ret; } 
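Review bot: In the `@@ -478,18 +474,10` hunk the encap ports are still taken from `encapLocalPort`/`encapRemotePort` and written to `srcPort`/`dstPort` unconditionally, so for an inbound SA the stored ports are reversed relative to the source/destination addresses this commit introduces; the new comment concedes the values can be wrong. That input SAs never read the ports is not something this hunk shows, and the kernel's ESP-in-UDP receive path is worth checking for a comparison against the SA's encap source port before relying on it. Renaming the parameters to `encapSourcePort`/`encapDestinationPort` through INetd.aidl would make the caller supply them in the same orientation as the addresses and remove the need for the caveat. Separately, both ports arrive as `int32_t`; if the `XfrmEncap` fields are 16-bit (their declaration is outside this diff), a check such as `if (encapLocalPort < 0 || encapLocalPort > 65535 || encapRemotePort < 0 || encapRemotePort > 65535) return netdutils::statusFromErrno(EINVAL, "Invalid encap port");` belongs before the assignment. The enclosing `ipSecAddSecurityAssociation` starts and ends outside the hunk.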
@@ -540,61 +525,45 @@ netdutils::Status XfrmController::ipSecDeleteSecurityAssociation(int32_t transfo return ret; } -netdutils::Status XfrmController::fillXfrmId(int32_t direction, const std::string& localAddress, - const std::string& remoteAddress, int32_t spi, +netdutils::Status XfrmController::fillXfrmId(const std::string& sourceAddress, + const std::string& destinationAddress, int32_t spi, int32_t transformId, XfrmId* xfrmId) { // Fill the straightforward fields first xfrmId->transformId = transformId; - xfrmId->direction = static_cast<XfrmDirection>(direction); xfrmId->spi = htonl(spi); // Use the addresses to determine the address family and do validation - xfrm_address_t localXfrmAddr{}, remoteXfrmAddr{}; - StatusOr<int> addrFamilyLocal, addrFamilyRemote; - addrFamilyRemote = convertToXfrmAddr(remoteAddress, &remoteXfrmAddr); - addrFamilyLocal = convertToXfrmAddr(localAddress, &localXfrmAddr); - if (!isOk(addrFamilyRemote) || !isOk(addrFamilyLocal)) { - return netdutils::statusFromErrno(EINVAL, - "Invalid address " + localAddress + "/" + remoteAddress); - } - - if (addrFamilyRemote.value() == AF_UNSPEC || - (addrFamilyLocal.value() != AF_UNSPEC && - addrFamilyLocal.value() != addrFamilyRemote.value())) { - ALOGD("Invalid or Mismatched Address Families, %d != %d, line=%d", addrFamilyLocal.value(), - addrFamilyRemote.value(), __LINE__); + xfrm_address_t sourceXfrmAddr{}, destXfrmAddr{}; + StatusOr<int> sourceFamily, destFamily; + sourceFamily = convertToXfrmAddr(sourceAddress, &sourceXfrmAddr); + destFamily = convertToXfrmAddr(destinationAddress, &destXfrmAddr); + if (!isOk(sourceFamily) || !isOk(destFamily)) { + return netdutils::statusFromErrno(EINVAL, "Invalid address " + sourceAddress + "/" + + destinationAddress); + } + + if (destFamily.value() == AF_UNSPEC || + (sourceFamily.value() != AF_UNSPEC && sourceFamily.value() != destFamily.value())) { + ALOGD("Invalid or Mismatched Address Families, %d != %d, line=%d", sourceFamily.value(), + 
destFamily.value(), __LINE__); return netdutils::statusFromErrno(EINVAL, "Invalid or mismatched address families"); } - xfrmId->addrFamily = addrFamilyRemote.value(); - - switch (static_cast<XfrmDirection>(direction)) { - case XfrmDirection::IN: - xfrmId->dstAddr = localXfrmAddr; - xfrmId->srcAddr = remoteXfrmAddr; - break; + xfrmId->addrFamily = destFamily.value(); - case XfrmDirection::OUT: - xfrmId->dstAddr = remoteXfrmAddr; - xfrmId->srcAddr = localXfrmAddr; - break; - - default: - ALOGD("Invalid XFRM direction, line=%d", __LINE__); - // Invalid direction for Transport mode transform: time to bail - return netdutils::statusFromErrno(EINVAL, "Invalid direction"); - } + xfrmId->dstAddr = destXfrmAddr; + xfrmId->srcAddr = sourceXfrmAddr; return netdutils::status::ok; } netdutils::Status XfrmController::ipSecApplyTransportModeTransform( const android::base::unique_fd& socket, int32_t transformId, int32_t direction, - const std::string& localAddress, const std::string& remoteAddress, int32_t spi) { + const std::string& sourceAddress, const std::string& destinationAddress, int32_t spi) { ALOGD("XfrmController::%s, line=%d", __FUNCTION__, __LINE__); ALOGD("transformId=%d", transformId); ALOGD("direction=%d", direction); - ALOGD("localAddress=%s", localAddress.c_str()); - ALOGD("remoteAddress=%s", remoteAddress.c_str()); + ALOGD("sourceAddress=%s", sourceAddress.c_str()); + ALOGD("destinationAddress=%s", destinationAddress.c_str()); ALOGD("spi=%0.8x", spi); StatusOr<sockaddr_storage> ret = getSyscallInstance().getsockname<sockaddr_storage>(Fd(socket)); @@ -606,7 +575,7 @@ netdutils::Status XfrmController::ipSecApplyTransportModeTransform( XfrmSaInfo saInfo{}; netdutils::Status status = - fillXfrmId(direction, localAddress, remoteAddress, spi, transformId, &saInfo); + fillXfrmId(sourceAddress, destinationAddress, spi, transformId, &saInfo); if (!isOk(status)) { ALOGE("Couldn't build SA ID %s", __FUNCTION__); return status; 
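Review bot: `fillXfrmId` keeps the asymmetric family check, where a source that resolves to `AF_UNSPEC` is accepted while the destination must be concrete. Under the old local/remote scheme that leniency applied to the local address; for an inbound SA it now applies to the remote peer instead. Whether an SA with an unspecified source should be installable for inbound traffic is a policy decision this hunk does not state. If it is intended, a comment above the check would record it, e.g. `// sourceAddress may be unspecified (AF_UNSPEC); destinationAddress must be concrete and selects the family`; if not, the condition should also reject `sourceFamily.value() == AF_UNSPEC`.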
@@ -624,7 +593,7 @@ netdutils::Status XfrmController::ipSecApplyTransportModeTransform( xfrm_user_tmpl tmpl; } policy{}; - fillTransportModeUserSpInfo(saInfo, &policy.info); + fillTransportModeUserSpInfo(saInfo, static_cast<XfrmDirection>(direction), &policy.info); fillUserTemplate(saInfo, &policy.tmpl); LOG_HEX("XfrmUserPolicy", reinterpret_cast<char*>(&policy), sizeof(policy)); @@ -900,7 +869,7 @@ netdutils::Status XfrmController::allocateSpi(const XfrmSaInfo& record, uint32_t return ret; } -int XfrmController::fillTransportModeUserSpInfo(const XfrmSaInfo& record, +int XfrmController::fillTransportModeUserSpInfo(const XfrmSaInfo& record, XfrmDirection direction, xfrm_userpolicy_info* usersp) { fillTransportModeSelector(record, &usersp->sel); fillXfrmLifetimeDefaults(&usersp->lft); @@ -908,7 +877,7 @@ int XfrmController::fillTransportModeUserSpInfo(const XfrmSaInfo& record, /* if (index) index & 0x3 == dir -- must be true * xfrm_user.c:verify_newpolicy_info() */ usersp->index = 0; - usersp->dir = static_cast<uint8_t>(record.direction); + usersp->dir = static_cast<uint8_t>(direction); usersp->action = XFRM_POLICY_ALLOW; usersp->flags = XFRM_POLICY_LOCALOK; usersp->share = XFRM_SHARE_UNIQUE; diff --git a/server/XfrmController.h b/server/XfrmController.h index 70d9fb823..999bde8ea 100644 --- a/server/XfrmController.h +++ b/server/XfrmController.h @@ -101,7 +101,6 @@ struct XfrmEncap { // minimally sufficient structure to match either an SA or a Policy struct XfrmId { - XfrmDirection direction; xfrm_address_t dstAddr; // network order xfrm_address_t srcAddr; int addrFamily; // AF_INET or AF_INET6 
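Review bot: `direction` now reaches `static_cast<XfrmDirection>(direction)` in the `@@ -624,7 +593,7` hunk without any validation, because the only check on it, the `default:` branch in `fillXfrmId` that returned `EINVAL` "Invalid direction", is removed by this commit. The value is passed straight through from the binder entry point and is narrowed to `uint8_t` for `usersp->dir` in the `@@ -908,7 +877,7` hunk, so an out-of-range value may alias a valid one after truncation unless something later rejects it. Rejecting it at the top of `ipSecApplyTransportModeTransform` restores the old behaviour: `if (direction != static_cast<int32_t>(XfrmDirection::IN) && direction != static_cast<int32_t>(XfrmDirection::OUT)) return netdutils::statusFromErrno(EINVAL, "Invalid direction");`. The function body starts and ends outside this hunk.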
@@ -125,20 +124,19 @@ public: netdutils::Status ipSecSetEncapSocketOwner(const android::base::unique_fd& socket, int newUid, uid_t callerUid); - netdutils::Status ipSecAllocateSpi(int32_t transformId, int32_t direction, - const std::string& localAddress, + netdutils::Status ipSecAllocateSpi(int32_t transformId, const std::string& localAddress, const std::string& remoteAddress, int32_t inSpi, int32_t* outSpi); netdutils::Status ipSecAddSecurityAssociation( - int32_t transformId, int32_t mode, int32_t direction, const std::string& localAddress, - const std::string& remoteAddress, int64_t underlyingNetworkHandle, int32_t spi, + int32_t transformId, int32_t mode, const std::string& sourceAddress, + const std::string& destinationAddress, int64_t underlyingNetworkHandle, int32_t spi, const std::string& authAlgo, const std::vector<uint8_t>& authKey, int32_t authTruncBits, const std::string& cryptAlgo, const std::vector<uint8_t>& cryptKey, int32_t cryptTruncBits, const std::string& aeadAlgo, const std::vector<uint8_t>& aeadKey, int32_t aeadIcvBits, int32_t encapType, int32_t encapLocalPort, int32_t encapRemotePort); - netdutils::Status ipSecDeleteSecurityAssociation(int32_t transformId, int32_t direction, + netdutils::Status ipSecDeleteSecurityAssociation(int32_t transformId, const std::string& localAddress, const std::string& remoteAddress, int32_t spi); @@ -238,9 +236,9 @@ private: #endif // helper function for filling in the XfrmId (and XfrmSaInfo) structure - static netdutils::Status fillXfrmId(int32_t direction, const std::string& localAddress, - const std::string& remoteAddress, int32_t spi, - int32_t transformId, XfrmId* xfrmId); + static netdutils::Status fillXfrmId(const std::string& sourceAddress, + const std::string& destinationAddress, int32_t spi, + int32_t transformId, XfrmId* xfrmId); // Top level functions for managing a Transport Mode Transform static netdutils::Status addTransportModeTransform(const XfrmSaInfo& record); 
@@ -266,7 +264,8 @@ private: const XfrmSocket& sock); static int fillUserSaId(const XfrmId& record, xfrm_usersa_id* said); static int fillUserTemplate(const XfrmSaInfo& record, xfrm_user_tmpl* tmpl); - static int fillTransportModeUserSpInfo(const XfrmSaInfo& record, xfrm_userpolicy_info* usersp); + static int fillTransportModeUserSpInfo(const XfrmSaInfo& record, XfrmDirection direction, + xfrm_userpolicy_info* usersp); static netdutils::Status allocateSpi(const XfrmSaInfo& record, uint32_t minSpi, uint32_t maxSpi, uint32_t* outSpi, const XfrmSocket& sock); diff --git a/server/XfrmControllerTest.cpp b/server/XfrmControllerTest.cpp index 63cf6719e..222326065 100644 --- a/server/XfrmControllerTest.cpp +++ b/server/XfrmControllerTest.cpp @@ -239,8 +239,8 @@ TEST_P(XfrmControllerParameterizedTest, TestIpSecAllocateSpi) { XfrmController ctrl; int outSpi = 0; - Status res = ctrl.ipSecAllocateSpi(1 /* resourceId */, static_cast<int>(XfrmDirection::OUT), - localAddr, remoteAddr, DROID_SPI, &outSpi); + Status res = ctrl.ipSecAllocateSpi(1 /* resourceId */, localAddr, + remoteAddr, DROID_SPI, &outSpi); EXPECT_TRUE(isOk(res)) << res; EXPECT_EQ(DROID_SPI, outSpi); 
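Review bot: The updated `TestIpSecAllocateSpi` call only deletes the `XfrmDirection::OUT` argument and keeps passing `localAddr, remoteAddr`, so the test still exercises only the outbound orientation. The same holds for the `@@ -287,11 +287,11` and `@@ -456,7 +456,7` hunks. Since argument order is now the only thing that distinguishes an inbound SA, a case that passes `remoteAddr, localAddr` and checks the source and destination in the generated netlink message would pin the new contract. The assertions after `EXPECT_EQ(expectedMsgLength, nlMsgBuf.size());` are outside the hunks, so they may already make this a small addition.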
@@ -287,11 +287,11 @@ void testIpSecAddSecurityAssociation(int version, const MockSyscalls& mockSyscal XfrmController ctrl; Status res = ctrl.ipSecAddSecurityAssociation( - 1 /* resourceId */, static_cast<int>(mode), - static_cast<int>(XfrmDirection::OUT), localAddr, remoteAddr, 0 /* underlying network */, - DROID_SPI, "hmac(sha256)" /* auth algo */, authKey, 128 /* auth trunc length */, - "cbc(aes)" /* encryption algo */, cryptKey, 0 /* crypt trunc length? */, "" /* AEAD algo */, - {}, 0, static_cast<int>(XfrmEncapType::NONE), 0 /* local port */, 0 /* remote port */); + 1 /* resourceId */, static_cast<int>(mode), localAddr, remoteAddr, + 0 /* underlying network */, DROID_SPI, "hmac(sha256)" /* auth algo */, + authKey, 128 /* auth trunc length */, "cbc(aes)" /* encryption algo */, cryptKey, + 0 /* crypt trunc length? */, "" /* AEAD algo */, {}, 0, + static_cast<int>(XfrmEncapType::NONE), 0 /* local port */, 0 /* remote port */); EXPECT_TRUE(isOk(res)) << res; EXPECT_EQ(expectedMsgLength, nlMsgBuf.size()); @@ -370,7 +370,7 @@ TEST_F(XfrmControllerTest, TestIpSecAddSecurityAssociationIPv6Encap) { XfrmController ctrl; Status res = ctrl.ipSecAddSecurityAssociation( - 1, static_cast<int>(XfrmMode::TRANSPORT), static_cast<int>(XfrmDirection::OUT), + 1, static_cast<int>(XfrmMode::TRANSPORT), LOCALHOST_V6, TEST_ADDR_V6, 0, DROID_SPI, "hmac(sha256)", {}, 128, "cbc(aes)", {}, 0, "", {}, 0, static_cast<int>(XfrmEncapType::ESPINUDP_NON_IKE), 0, 0); @@ -456,7 +456,7 @@ TEST_P(XfrmControllerParameterizedTest, TestIpSecDeleteSecurityAssociation) { XfrmController ctrl; Status res = ctrl.ipSecDeleteSecurityAssociation( - 1 /* resourceId */, static_cast<int>(XfrmDirection::OUT), localAddr, remoteAddr, DROID_SPI); + 1 /* resourceId */, localAddr, remoteAddr, DROID_SPI); EXPECT_TRUE(isOk(res)) << res; EXPECT_EQ(expectedMsgLength, nlMsgBuf.size()); diff --git a/server/binder/android/net/INetd.aidl b/server/binder/android/net/INetd.aidl index 7f6932aa2..1c24816f6 100644 
--- a/server/binder/android/net/INetd.aidl +++ b/server/binder/android/net/INetd.aidl @@ -326,17 +326,15 @@ interface INetd { * Reserve an SPI from the kernel * * @param transformId a unique identifier for allocated resources - * @param direction DIRECTION_IN or DIRECTION_OUT - * @param localAddress InetAddress as string for the local endpoint - * @param remoteAddress InetAddress as string for the remote endpoint + * @param sourceAddress InetAddress as string for the sending endpoint + * @param destinationAddress InetAddress as string for the receiving endpoint * @param spi a requested 32-bit unique ID or 0 to request random allocation * @return the SPI that was allocated or 0 if failed */ int ipSecAllocateSpi( int transformId, - int direction, - in @utf8InCpp String localAddress, - in @utf8InCpp String remoteAddress, + in @utf8InCpp String sourceAddress, + in @utf8InCpp String destinationAddress, int spi); /** @@ -345,9 +343,8 @@ interface INetd { * * @param transformId a unique identifier for allocated resources * @param mode either Transport or Tunnel mode - * @param direction DIRECTION_IN or DIRECTION_OUT - * @param localAddress InetAddress as string for the local endpoint - * @param remoteAddress InetAddress as string for the remote endpoint + * @param sourceAddress InetAddress as string for the sending endpoint + * @param destinationAddress InetAddress as string for the receiving endpoint * @param underlyingNetworkHandle the networkHandle of the network to which the SA is applied * @param spi a 32-bit unique ID allocated to the user * @param authAlgo a string identifying the authentication algorithm to be used 
@@ -367,9 +364,8 @@ interface INetd { void ipSecAddSecurityAssociation( int transformId, int mode, - int direction, - in @utf8InCpp String localAddress, - in @utf8InCpp String remoteAddress, + in @utf8InCpp String sourceAddress, + in @utf8InCpp String destinationAddress, long underlyingNetworkHandle, int spi, in @utf8InCpp String authAlgo, in byte[] authKey, in int authTruncBits, @@ -383,16 +379,14 @@ interface INetd { * Delete a previously created security association identified by the provided parameters * * @param transformId a unique identifier for allocated resources - * @param direction DIRECTION_IN or DIRECTION_OUT - * @param localAddress InetAddress as string for the local endpoint - * @param remoteAddress InetAddress as string for the remote endpoint + * @param sourceAddress InetAddress as string for the sending endpoint + * @param destinationAddress InetAddress as string for the receiving endpoint * @param spi a requested 32-bit unique ID allocated to the user */ void ipSecDeleteSecurityAssociation( int transformId, - int direction, - in @utf8InCpp String localAddress, - in @utf8InCpp String remoteAddress, + in @utf8InCpp String sourceAddress, + in @utf8InCpp String destinationAddress, int spi); /** 
@@ -401,16 +395,16 @@ interface INetd { * @param socket a user-provided socket that will have IPsec applied * @param transformId a unique identifier for allocated resources * @param direction DIRECTION_IN or DIRECTION_OUT - * @param localAddress InetAddress as string for the local endpoint - * @param remoteAddress InetAddress as string for the remote endpoint + * @param sourceAddress InetAddress as string for the sending endpoint + * @param destinationAddress InetAddress as string for the receiving endpoint * @param spi a 32-bit unique ID allocated to the user (socket owner) */ void ipSecApplyTransportModeTransform( in FileDescriptor socket, int transformId, int direction, - in @utf8InCpp String localAddress, - in @utf8InCpp String remoteAddress, + in @utf8InCpp String sourceAddress, + in @utf8InCpp String destinationAddress, int spi); /** |
