Merge "Fix captive portal login ssl error overflow"
diff --git a/core/java/android/net/IIpSecService.aidl b/core/java/android/net/IIpSecService.aidl
index 0aa3ce6..0b1ea98 100644
--- a/core/java/android/net/IIpSecService.aidl
+++ b/core/java/android/net/IIpSecService.aidl
@@ -18,6 +18,9 @@
import android.net.Network;
import android.net.IpSecConfig;
+import android.net.IpSecUdpEncapResponse;
+import android.net.IpSecSpiResponse;
+import android.net.IpSecTransformResponse;
import android.os.Bundle;
import android.os.IBinder;
import android.os.ParcelFileDescriptor;
@@ -27,16 +30,16 @@
*/
interface IIpSecService
{
- Bundle reserveSecurityParameterIndex(
+ IpSecSpiResponse reserveSecurityParameterIndex(
int direction, in String remoteAddress, int requestedSpi, in IBinder binder);
void releaseSecurityParameterIndex(int resourceId);
- Bundle openUdpEncapsulationSocket(int port, in IBinder binder);
+ IpSecUdpEncapResponse openUdpEncapsulationSocket(int port, in IBinder binder);
- void closeUdpEncapsulationSocket(in ParcelFileDescriptor socket);
+ void closeUdpEncapsulationSocket(int resourceId);
- Bundle createTransportModeTransform(in IpSecConfig c, in IBinder binder);
+ IpSecTransformResponse createTransportModeTransform(in IpSecConfig c, in IBinder binder);
void deleteTransportModeTransform(int transformId);
diff --git a/core/java/android/net/IpSecConfig.java b/core/java/android/net/IpSecConfig.java
index 13dc19f..8b80f2b 100644
--- a/core/java/android/net/IpSecConfig.java
+++ b/core/java/android/net/IpSecConfig.java
@@ -40,7 +40,7 @@
// Minimum requirements for identifying a transform
// SPI identifying the IPsec flow in packet processing
// and a remote IP address
- int spi;
+ int spiResourceId;
// Encryption Algorithm
IpSecAlgorithm encryption;
@@ -54,7 +54,7 @@
// For tunnel mode IPv4 UDP Encapsulation
// IpSecTransform#ENCAP_ESP_*, such as ENCAP_ESP_OVER_UDP_IKE
int encapType;
- int encapLocalPort;
+ int encapLocalPortResourceId;
int encapRemotePort;
// An interval, in seconds between the NattKeepalive packets
@@ -69,8 +69,8 @@
return localAddress;
}
- public int getSpi(int direction) {
- return flow[direction].spi;
+ public int getSpiResourceId(int direction) {
+ return flow[direction].spiResourceId;
}
public InetAddress getRemoteAddress() {
@@ -93,8 +93,8 @@
return encapType;
}
- public int getEncapLocalPort() {
- return encapLocalPort;
+ public int getEncapLocalResourceId() {
+ return encapLocalPortResourceId;
}
public int getEncapRemotePort() {
@@ -119,14 +119,14 @@
// TODO: Use a byte array or other better method for storing IPs that can also include scope
out.writeString((remoteAddress != null) ? remoteAddress.getHostAddress() : null);
out.writeParcelable(network, flags);
- out.writeInt(flow[IpSecTransform.DIRECTION_IN].spi);
+ out.writeInt(flow[IpSecTransform.DIRECTION_IN].spiResourceId);
out.writeParcelable(flow[IpSecTransform.DIRECTION_IN].encryption, flags);
out.writeParcelable(flow[IpSecTransform.DIRECTION_IN].authentication, flags);
- out.writeInt(flow[IpSecTransform.DIRECTION_OUT].spi);
+ out.writeInt(flow[IpSecTransform.DIRECTION_OUT].spiResourceId);
out.writeParcelable(flow[IpSecTransform.DIRECTION_OUT].encryption, flags);
out.writeParcelable(flow[IpSecTransform.DIRECTION_OUT].authentication, flags);
out.writeInt(encapType);
- out.writeInt(encapLocalPort);
+ out.writeInt(encapLocalPortResourceId);
out.writeInt(encapRemotePort);
}
@@ -151,18 +151,18 @@
localAddress = readInetAddressFromParcel(in);
remoteAddress = readInetAddressFromParcel(in);
network = (Network) in.readParcelable(Network.class.getClassLoader());
- flow[IpSecTransform.DIRECTION_IN].spi = in.readInt();
+ flow[IpSecTransform.DIRECTION_IN].spiResourceId = in.readInt();
flow[IpSecTransform.DIRECTION_IN].encryption =
(IpSecAlgorithm) in.readParcelable(IpSecAlgorithm.class.getClassLoader());
flow[IpSecTransform.DIRECTION_IN].authentication =
(IpSecAlgorithm) in.readParcelable(IpSecAlgorithm.class.getClassLoader());
- flow[IpSecTransform.DIRECTION_OUT].spi = in.readInt();
+ flow[IpSecTransform.DIRECTION_OUT].spiResourceId = in.readInt();
flow[IpSecTransform.DIRECTION_OUT].encryption =
(IpSecAlgorithm) in.readParcelable(IpSecAlgorithm.class.getClassLoader());
flow[IpSecTransform.DIRECTION_OUT].authentication =
(IpSecAlgorithm) in.readParcelable(IpSecAlgorithm.class.getClassLoader());
encapType = in.readInt();
- encapLocalPort = in.readInt();
+ encapLocalPortResourceId = in.readInt();
encapRemotePort = in.readInt();
}
diff --git a/core/java/android/net/IpSecManager.java b/core/java/android/net/IpSecManager.java
index 114e46e..0240cf1 100644
--- a/core/java/android/net/IpSecManager.java
+++ b/core/java/android/net/IpSecManager.java
@@ -19,10 +19,10 @@
import android.annotation.NonNull;
import android.os.Binder;
-import android.os.Bundle;
import android.os.ParcelFileDescriptor;
import android.os.RemoteException;
import android.util.AndroidException;
+import android.util.Log;
import dalvik.system.CloseGuard;
import java.io.FileDescriptor;
import java.io.IOException;
@@ -58,12 +58,6 @@
}
/** @hide */
- public static final String KEY_STATUS = "status";
- /** @hide */
- public static final String KEY_RESOURCE_ID = "resourceId";
- /** @hide */
- public static final String KEY_SPI = "spi";
- /** @hide */
public static final int INVALID_RESOURCE_ID = 0;
/**
@@ -128,7 +122,11 @@
*/
@Override
public void close() {
- mSpi = INVALID_SECURITY_PARAMETER_INDEX;
+ try {
+ mService.releaseSecurityParameterIndex(mResourceId);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
mCloseGuard.close();
}
@@ -147,7 +145,7 @@
mService = service;
mRemoteAddress = remoteAddress;
try {
- Bundle result =
+ IpSecSpiResponse result =
mService.reserveSecurityParameterIndex(
direction, remoteAddress.getHostAddress(), spi, new Binder());
@@ -155,7 +153,7 @@
throw new NullPointerException("Received null response from IpSecService");
}
- int status = result.getInt(KEY_STATUS);
+ int status = result.status;
switch (status) {
case Status.OK:
break;
@@ -168,8 +166,8 @@
throw new RuntimeException(
"Unknown status returned by IpSecService: " + status);
}
- mSpi = result.getInt(KEY_SPI);
- mResourceId = result.getInt(KEY_RESOURCE_ID);
+ mSpi = result.spi;
+ mResourceId = result.resourceId;
if (mSpi == INVALID_SECURITY_PARAMETER_INDEX) {
throw new RuntimeException("Invalid SPI returned by IpSecService: " + status);
@@ -185,6 +183,11 @@
}
mCloseGuard.open("open");
}
+
+ /** @hide */
+ int getResourceId() {
+ return mResourceId;
+ }
}
/**
@@ -201,8 +204,7 @@
* @throws SpiUnavailableException indicating that a particular SPI cannot be reserved
*/
public SecurityParameterIndex reserveSecurityParameterIndex(
- int direction, InetAddress remoteAddress)
- throws ResourceUnavailableException {
+ int direction, InetAddress remoteAddress) throws ResourceUnavailableException {
try {
return new SecurityParameterIndex(
mService,
@@ -251,7 +253,9 @@
*/
public void applyTransportModeTransform(Socket socket, IpSecTransform transform)
throws IOException {
- applyTransportModeTransform(ParcelFileDescriptor.fromSocket(socket), transform);
+ try (ParcelFileDescriptor pfd = ParcelFileDescriptor.fromSocket(socket)) {
+ applyTransportModeTransform(pfd, transform);
+ }
}
/**
@@ -269,15 +273,8 @@
*/
public void applyTransportModeTransform(DatagramSocket socket, IpSecTransform transform)
throws IOException {
- applyTransportModeTransform(ParcelFileDescriptor.fromDatagramSocket(socket), transform);
- }
-
- /* Call down to activate a transform */
- private void applyTransportModeTransform(ParcelFileDescriptor pfd, IpSecTransform transform) {
- try {
- mService.applyTransportModeTransform(pfd, transform.getResourceId());
- } catch (RemoteException e) {
- throw e.rethrowFromSystemServer();
+ try (ParcelFileDescriptor pfd = ParcelFileDescriptor.fromDatagramSocket(socket)) {
+ applyTransportModeTransform(pfd, transform);
}
}
@@ -295,7 +292,22 @@
*/
public void applyTransportModeTransform(FileDescriptor socket, IpSecTransform transform)
throws IOException {
- applyTransportModeTransform(new ParcelFileDescriptor(socket), transform);
+ // We dup() the FileDescriptor here because if we don't, then the ParcelFileDescriptor()
+ // constructor takes control and closes the user's FD when we exit the method
+ // This is behaviorally the same as the other versions, but the PFD constructor does not
+ // dup() automatically, whereas PFD.fromSocket() and PDF.fromDatagramSocket() do dup().
+ try (ParcelFileDescriptor pfd = ParcelFileDescriptor.dup(socket)) {
+ applyTransportModeTransform(pfd, transform);
+ }
+ }
+
+ /* Call down to activate a transform */
+ private void applyTransportModeTransform(ParcelFileDescriptor pfd, IpSecTransform transform) {
+ try {
+ mService.applyTransportModeTransform(pfd, transform.getResourceId());
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
}
/**
@@ -324,7 +336,9 @@
*/
public void removeTransportModeTransform(Socket socket, IpSecTransform transform)
throws IOException {
- removeTransportModeTransform(ParcelFileDescriptor.fromSocket(socket), transform);
+ try (ParcelFileDescriptor pfd = ParcelFileDescriptor.fromSocket(socket)) {
+ removeTransportModeTransform(pfd, transform);
+ }
}
/**
@@ -340,7 +354,9 @@
*/
public void removeTransportModeTransform(DatagramSocket socket, IpSecTransform transform)
throws IOException {
- removeTransportModeTransform(ParcelFileDescriptor.fromDatagramSocket(socket), transform);
+ try (ParcelFileDescriptor pfd = ParcelFileDescriptor.fromDatagramSocket(socket)) {
+ removeTransportModeTransform(pfd, transform);
+ }
}
/**
@@ -355,7 +371,9 @@
*/
public void removeTransportModeTransform(FileDescriptor socket, IpSecTransform transform)
throws IOException {
- removeTransportModeTransform(new ParcelFileDescriptor(socket), transform);
+ try (ParcelFileDescriptor pfd = ParcelFileDescriptor.dup(socket)) {
+ removeTransportModeTransform(pfd, transform);
+ }
}
/* Call down to activate a transform */
@@ -388,33 +406,48 @@
* FileDescriptor. Instead, disposing of this socket requires a call to close().
*/
public static final class UdpEncapsulationSocket implements AutoCloseable {
- private final FileDescriptor mFd;
+ private final ParcelFileDescriptor mPfd;
private final IIpSecService mService;
+ private final int mResourceId;
+ private final int mPort;
private final CloseGuard mCloseGuard = CloseGuard.get();
private UdpEncapsulationSocket(@NonNull IIpSecService service, int port)
- throws ResourceUnavailableException {
+ throws ResourceUnavailableException, IOException {
mService = service;
+ try {
+ IpSecUdpEncapResponse result =
+ mService.openUdpEncapsulationSocket(port, new Binder());
+ switch (result.status) {
+ case Status.OK:
+ break;
+ case Status.RESOURCE_UNAVAILABLE:
+ throw new ResourceUnavailableException(
+ "No more Sockets may be allocated by this requester.");
+ default:
+ throw new RuntimeException(
+ "Unknown status returned by IpSecService: " + result.status);
+ }
+ mResourceId = result.resourceId;
+ mPort = result.port;
+ mPfd = result.fileDescriptor;
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
mCloseGuard.open("constructor");
- // TODO: go down to the kernel and get a socket on the specified
- mFd = new FileDescriptor();
- }
-
- private UdpEncapsulationSocket(IIpSecService service) throws ResourceUnavailableException {
- mService = service;
- mCloseGuard.open("constructor");
- // TODO: go get a random socket on a random port
- mFd = new FileDescriptor();
}
/** Access the inner UDP Encapsulation Socket */
public FileDescriptor getSocket() {
- return mFd;
+ if (mPfd == null) {
+ return null;
+ }
+ return mPfd.getFileDescriptor();
}
/** Retrieve the port number of the inner encapsulation socket */
public int getPort() {
- return 0; // TODO get the port number from the Socket;
+ return mPort;
}
@Override
@@ -429,7 +462,18 @@
* @param fd a file descriptor previously returned as a UDP Encapsulation socket.
*/
public void close() throws IOException {
- // TODO: Go close the socket
+ try {
+ mService.closeUdpEncapsulationSocket(mResourceId);
+ } catch (RemoteException e) {
+ throw e.rethrowFromSystemServer();
+ }
+
+ try {
+ mPfd.close();
+ } catch (IOException e) {
+ Log.e(TAG, "Failed to close UDP Encapsulation Socket with Port= " + mPort);
+ throw e;
+ }
mCloseGuard.close();
}
@@ -438,9 +482,13 @@
if (mCloseGuard != null) {
mCloseGuard.warnIfOpen();
}
-
close();
}
+
+ /** @hide */
+ int getResourceId() {
+ return mResourceId;
+ }
};
/**
@@ -467,7 +515,13 @@
// socket.
public UdpEncapsulationSocket openUdpEncapsulationSocket(int port)
throws IOException, ResourceUnavailableException {
- // Temporary code
+ /*
+ * Most range checking is done in the service, but this version of the constructor expects
+ * a valid port number, and zero cannot be checked after being passed to the service.
+ */
+ if (port == 0) {
+ throw new IllegalArgumentException("Specified port must be a valid port number!");
+ }
return new UdpEncapsulationSocket(mService, port);
}
@@ -491,8 +545,7 @@
// socket.
public UdpEncapsulationSocket openUdpEncapsulationSocket()
throws IOException, ResourceUnavailableException {
- // Temporary code
- return new UdpEncapsulationSocket(mService);
+ return new UdpEncapsulationSocket(mService, 0);
}
/**
diff --git a/core/java/android/net/IpSecSpiResponse.aidl b/core/java/android/net/IpSecSpiResponse.aidl
new file mode 100644
index 0000000..6484a00
--- /dev/null
+++ b/core/java/android/net/IpSecSpiResponse.aidl
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net;
+
+/** @hide */
+parcelable IpSecSpiResponse;
diff --git a/core/java/android/net/IpSecSpiResponse.java b/core/java/android/net/IpSecSpiResponse.java
new file mode 100644
index 0000000..71dfa03
--- /dev/null
+++ b/core/java/android/net/IpSecSpiResponse.java
@@ -0,0 +1,78 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.net;
+
+import android.os.Parcel;
+import android.os.Parcelable;
+
+/**
+ * This class is used to return an SPI and corresponding status from the IpSecService to an
+ * IpSecManager.SecurityParameterIndex.
+ *
+ * @hide
+ */
+public final class IpSecSpiResponse implements Parcelable {
+ private static final String TAG = "IpSecSpiResponse";
+
+ public final int resourceId;
+ public final int status;
+ public final int spi;
+ // Parcelable Methods
+
+ @Override
+ public int describeContents() {
+ return 0;
+ }
+
+ @Override
+ public void writeToParcel(Parcel out, int flags) {
+ out.writeInt(status);
+ out.writeInt(resourceId);
+ out.writeInt(spi);
+ }
+
+ public IpSecSpiResponse(int inStatus, int inResourceId, int inSpi) {
+ status = inStatus;
+ resourceId = inResourceId;
+ spi = inSpi;
+ }
+
+ public IpSecSpiResponse(int inStatus) {
+ if (inStatus == IpSecManager.Status.OK) {
+ throw new IllegalArgumentException("Valid status implies other args must be provided");
+ }
+ status = inStatus;
+ resourceId = IpSecManager.INVALID_RESOURCE_ID;
+ spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX;
+ }
+
+ private IpSecSpiResponse(Parcel in) {
+ status = in.readInt();
+ resourceId = in.readInt();
+ spi = in.readInt();
+ }
+
+ public static final Parcelable.Creator<IpSecSpiResponse> CREATOR =
+ new Parcelable.Creator<IpSecSpiResponse>() {
+ public IpSecSpiResponse createFromParcel(Parcel in) {
+ return new IpSecSpiResponse(in);
+ }
+
+ public IpSecSpiResponse[] newArray(int size) {
+ return new IpSecSpiResponse[size];
+ }
+ };
+}
diff --git a/core/java/android/net/IpSecTransform.java b/core/java/android/net/IpSecTransform.java
index 639d1f2..e65f534 100644
--- a/core/java/android/net/IpSecTransform.java
+++ b/core/java/android/net/IpSecTransform.java
@@ -16,15 +16,12 @@
package android.net;
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
-import static android.net.IpSecManager.KEY_RESOURCE_ID;
-import static android.net.IpSecManager.KEY_STATUS;
import android.annotation.IntDef;
import android.annotation.NonNull;
import android.annotation.SystemApi;
import android.content.Context;
import android.os.Binder;
-import android.os.Bundle;
import android.os.IBinder;
import android.os.RemoteException;
import android.os.ServiceManager;
@@ -78,23 +75,23 @@
public static final int ENCAP_NONE = 0;
/**
- * IpSec traffic will be encapsulated within UDP as per <a
- * href="https://tools.ietf.org/html/rfc3948">RFC3498</a>.
- *
- * @hide
- */
- public static final int ENCAP_ESPINUDP = 1;
-
- /**
* IpSec traffic will be encapsulated within a UDP header with an additional 8-byte header pad
* (of '0'-value bytes) that prevents traffic from being interpreted as IKE or as ESP over UDP.
*
* @hide
*/
- public static final int ENCAP_ESPINUDP_NONIKE = 2;
+ public static final int ENCAP_ESPINUDP_NON_IKE = 1;
+
+ /**
+ * IpSec traffic will be encapsulated within UDP as per <a
+ * href="https://tools.ietf.org/html/rfc3948">RFC3498</a>.
+ *
+ * @hide
+ */
+ public static final int ENCAP_ESPINUDP = 2;
/** @hide */
- @IntDef(value = {ENCAP_NONE, ENCAP_ESPINUDP, ENCAP_ESPINUDP_NONIKE})
+ @IntDef(value = {ENCAP_NONE, ENCAP_ESPINUDP, ENCAP_ESPINUDP_NON_IKE})
@Retention(RetentionPolicy.SOURCE)
public @interface EncapType {}
@@ -139,10 +136,11 @@
synchronized (this) {
try {
IIpSecService svc = getIpSecService();
- Bundle result = svc.createTransportModeTransform(mConfig, new Binder());
- int status = result.getInt(KEY_STATUS);
+ IpSecTransformResponse result =
+ svc.createTransportModeTransform(mConfig, new Binder());
+ int status = result.status;
checkResultStatusAndThrow(status);
- mResourceId = result.getInt(KEY_RESOURCE_ID, INVALID_RESOURCE_ID);
+ mResourceId = result.resourceId;
/* Keepalive will silently fail if not needed by the config; but, if needed and
* it fails to start, we need to bail because a transform will not be reliable
@@ -263,7 +261,10 @@
mConfig.getNattKeepaliveInterval(),
mKeepaliveCallback,
mConfig.getLocalAddress(),
- mConfig.getEncapLocalPort(),
+ 0x1234, /* FIXME: get the real port number again,
+ which we need to retrieve from the provided
+ EncapsulationSocket, and which isn't currently
+ stashed in IpSecConfig */
mConfig.getRemoteAddress());
try {
// FIXME: this is still a horrible way to fudge the synchronous callback
@@ -360,7 +361,7 @@
@TransformDirection int direction, IpSecManager.SecurityParameterIndex spi) {
// TODO: convert to using the resource Id of the SPI. Then build() can validate
// the owner in the IpSecService
- mConfig.flow[direction].spi = spi.getSpi();
+ mConfig.flow[direction].spiResourceId = spi.getResourceId();
return this;
}
@@ -394,7 +395,7 @@
IpSecManager.UdpEncapsulationSocket localSocket, int remotePort) {
// TODO: check encap type is valid.
mConfig.encapType = ENCAP_ESPINUDP;
- mConfig.encapLocalPort = localSocket.getPort(); // TODO: plug in the encap socket
+ mConfig.encapLocalPortResourceId = localSocket.getResourceId();
mConfig.encapRemotePort = remotePort;
return this;
}
diff --git a/core/java/android/net/IpSecTransformResponse.aidl b/core/java/android/net/IpSecTransformResponse.aidl
new file mode 100644
index 0000000..546230d
--- /dev/null
+++ b/core/java/android/net/IpSecTransformResponse.aidl
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net;
+
+/** @hide */
+parcelable IpSecTransformResponse;
diff --git a/core/java/android/net/IpSecTransformResponse.java b/core/java/android/net/IpSecTransformResponse.java
new file mode 100644
index 0000000..cfc1762
--- /dev/null
+++ b/core/java/android/net/IpSecTransformResponse.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.net;
+
+import android.os.Parcel;
+import android.os.Parcelable;
+
+/**
+ * This class is used to return an IpSecTransform resource Id and and corresponding status from the
+ * IpSecService to an IpSecTransform object.
+ *
+ * @hide
+ */
+public final class IpSecTransformResponse implements Parcelable {
+ private static final String TAG = "IpSecTransformResponse";
+
+ public final int resourceId;
+ public final int status;
+ // Parcelable Methods
+
+ @Override
+ public int describeContents() {
+ return 0;
+ }
+
+ @Override
+ public void writeToParcel(Parcel out, int flags) {
+ out.writeInt(status);
+ out.writeInt(resourceId);
+ }
+
+ public IpSecTransformResponse(int inStatus) {
+ if (inStatus == IpSecManager.Status.OK) {
+ throw new IllegalArgumentException("Valid status implies other args must be provided");
+ }
+ status = inStatus;
+ resourceId = IpSecManager.INVALID_RESOURCE_ID;
+ }
+
+ public IpSecTransformResponse(int inStatus, int inResourceId) {
+ status = inStatus;
+ resourceId = inResourceId;
+ }
+
+ private IpSecTransformResponse(Parcel in) {
+ status = in.readInt();
+ resourceId = in.readInt();
+ }
+
+ public static final Parcelable.Creator<IpSecTransformResponse> CREATOR =
+ new Parcelable.Creator<IpSecTransformResponse>() {
+ public IpSecTransformResponse createFromParcel(Parcel in) {
+ return new IpSecTransformResponse(in);
+ }
+
+ public IpSecTransformResponse[] newArray(int size) {
+ return new IpSecTransformResponse[size];
+ }
+ };
+}
diff --git a/core/java/android/net/IpSecUdpEncapResponse.aidl b/core/java/android/net/IpSecUdpEncapResponse.aidl
new file mode 100644
index 0000000..5e451f3
--- /dev/null
+++ b/core/java/android/net/IpSecUdpEncapResponse.aidl
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.net;
+
+/** @hide */
+parcelable IpSecUdpEncapResponse;
diff --git a/core/java/android/net/IpSecUdpEncapResponse.java b/core/java/android/net/IpSecUdpEncapResponse.java
new file mode 100644
index 0000000..4679267
--- /dev/null
+++ b/core/java/android/net/IpSecUdpEncapResponse.java
@@ -0,0 +1,96 @@
+/*
+ * Copyright (C) 2017 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package android.net;
+
+import android.os.Parcel;
+import android.os.ParcelFileDescriptor;
+import android.os.Parcelable;
+import java.io.FileDescriptor;
+import java.io.IOException;
+
+/**
+ * This class is used to return a UDP Socket and corresponding status from the IpSecService to an
+ * IpSecManager.UdpEncapsulationSocket.
+ *
+ * @hide
+ */
+public final class IpSecUdpEncapResponse implements Parcelable {
+ private static final String TAG = "IpSecUdpEncapResponse";
+
+ public final int resourceId;
+ public final int port;
+ public final int status;
+ // There is a weird asymmetry with FileDescriptor: you can write a FileDescriptor
+ // but you read a ParcelFileDescriptor. To circumvent this, when we receive a FD
+ // from the user, we immediately create a ParcelFileDescriptor DUP, which we invalidate
+ // on writeParcel() by setting the flag to do close-on-write.
+ // TODO: tests to ensure this doesn't leak
+ public final ParcelFileDescriptor fileDescriptor;
+
+ // Parcelable Methods
+
+ @Override
+ public int describeContents() {
+ return (fileDescriptor != null) ? Parcelable.CONTENTS_FILE_DESCRIPTOR : 0;
+ }
+
+ @Override
+ public void writeToParcel(Parcel out, int flags) {
+ out.writeInt(status);
+ out.writeInt(resourceId);
+ out.writeInt(port);
+ out.writeParcelable(fileDescriptor, Parcelable.PARCELABLE_WRITE_RETURN_VALUE);
+ }
+
+ public IpSecUdpEncapResponse(int inStatus) {
+ if (inStatus == IpSecManager.Status.OK) {
+ throw new IllegalArgumentException("Valid status implies other args must be provided");
+ }
+ status = inStatus;
+ resourceId = IpSecManager.INVALID_RESOURCE_ID;
+ port = -1;
+ fileDescriptor = null; // yes I know it's redundant, but readability
+ }
+
+ public IpSecUdpEncapResponse(int inStatus, int inResourceId, int inPort, FileDescriptor inFd)
+ throws IOException {
+ if (inStatus == IpSecManager.Status.OK && inFd == null) {
+ throw new IllegalArgumentException("Valid status implies FD must be non-null");
+ }
+ status = inStatus;
+ resourceId = inResourceId;
+ port = inPort;
+ fileDescriptor = (status == IpSecManager.Status.OK) ? ParcelFileDescriptor.dup(inFd) : null;
+ }
+
+ private IpSecUdpEncapResponse(Parcel in) {
+ status = in.readInt();
+ resourceId = in.readInt();
+ port = in.readInt();
+ fileDescriptor = in.readParcelable(ParcelFileDescriptor.class.getClassLoader());
+ }
+
+ public static final Parcelable.Creator<IpSecUdpEncapResponse> CREATOR =
+ new Parcelable.Creator<IpSecUdpEncapResponse>() {
+ public IpSecUdpEncapResponse createFromParcel(Parcel in) {
+ return new IpSecUdpEncapResponse(in);
+ }
+
+ public IpSecUdpEncapResponse[] newArray(int size) {
+ return new IpSecUdpEncapResponse[size];
+ }
+ };
+}
diff --git a/core/res/res/values-mcc505-mnc01/config.xml b/core/res/res/values-mcc505-mnc01/config.xml
index 1705e4a..ff06585 100644
--- a/core/res/res/values-mcc505-mnc01/config.xml
+++ b/core/res/res/values-mcc505-mnc01/config.xml
@@ -40,6 +40,16 @@
<item>Telstra Tethering,telstra.internet,,,,,,,,,505,01,,DUN</item>
</string-array>
+ <!--Thresholds for LTE dbm in status bar-->
+ <integer-array translatable="false" name="config_lteDbmThresholds">
+ <item>-140</item> <!-- SIGNAL_STRENGTH_NONE_OR_UNKNOWN -->
+ <item>-120</item> <!-- SIGNAL_STRENGTH_POOR -->
+ <item>-115</item> <!-- SIGNAL_STRENGTH_MODERATE -->
+ <item>-100</item> <!-- SIGNAL_STRENGTH_GOOD -->
+ <item>-90</item> <!-- SIGNAL_STRENGTH_GREAT -->
+ <item>-44</item>
+ </integer-array>
+
<!-- Configure mobile network MTU. Carrier specific value is set here.
-->
<integer name="config_mobile_mtu">1400</integer>
diff --git a/core/res/res/values-mcc505-mnc11/config.xml b/core/res/res/values-mcc505-mnc11/config.xml
new file mode 100644
index 0000000..6d085c1
--- /dev/null
+++ b/core/res/res/values-mcc505-mnc11/config.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+/*
+** Copyright 2017, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You my obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+-->
+
+<!-- These resources are around just to allow their values to be customized
+ for different hardware and product builds. -->
+<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+ <!--Thresholds for LTE dbm in status bar-->
+ <integer-array translatable="false" name="config_lteDbmThresholds">
+ <item>-140</item> <!-- SIGNAL_STRENGTH_NONE_OR_UNKNOWN -->
+ <item>-120</item> <!-- SIGNAL_STRENGTH_POOR -->
+ <item>-115</item> <!-- SIGNAL_STRENGTH_MODERATE -->
+ <item>-100</item> <!-- SIGNAL_STRENGTH_GOOD -->
+ <item>-90</item> <!-- SIGNAL_STRENGTH_GREAT -->
+ <item>-44</item>
+ </integer-array>
+</resources>
diff --git a/core/res/res/values-mcc505-mnc71/config.xml b/core/res/res/values-mcc505-mnc71/config.xml
new file mode 100644
index 0000000..6d085c1
--- /dev/null
+++ b/core/res/res/values-mcc505-mnc71/config.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+/*
+** Copyright 2017, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You my obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+-->
+
+<!-- These resources are around just to allow their values to be customized
+ for different hardware and product builds. -->
+<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+ <!--Thresholds for LTE dbm in status bar-->
+ <integer-array translatable="false" name="config_lteDbmThresholds">
+ <item>-140</item> <!-- SIGNAL_STRENGTH_NONE_OR_UNKNOWN -->
+ <item>-120</item> <!-- SIGNAL_STRENGTH_POOR -->
+ <item>-115</item> <!-- SIGNAL_STRENGTH_MODERATE -->
+ <item>-100</item> <!-- SIGNAL_STRENGTH_GOOD -->
+ <item>-90</item> <!-- SIGNAL_STRENGTH_GREAT -->
+ <item>-44</item>
+ </integer-array>
+</resources>
diff --git a/core/res/res/values-mcc505-mnc72/config.xml b/core/res/res/values-mcc505-mnc72/config.xml
new file mode 100644
index 0000000..6d085c1
--- /dev/null
+++ b/core/res/res/values-mcc505-mnc72/config.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+/*
+** Copyright 2017, The Android Open Source Project
+**
+** Licensed under the Apache License, Version 2.0 (the "License");
+** you may not use this file except in compliance with the License.
+** You my obtain a copy of the License at
+**
+** http://www.apache.org/licenses/LICENSE-2.0
+**
+** Unless required by applicable law or agreed to in writing, software
+** distributed under the License is distributed on an "AS IS" BASIS,
+** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+** See the License for the specific language governing permissions and
+** limitations under the License.
+*/
+-->
+
+<!-- These resources are around just to allow their values to be customized
+ for different hardware and product builds. -->
+<resources xmlns:xliff="urn:oasis:names:tc:xliff:document:1.2">
+ <!--Thresholds for LTE dbm in status bar-->
+ <integer-array translatable="false" name="config_lteDbmThresholds">
+ <item>-140</item> <!-- SIGNAL_STRENGTH_NONE_OR_UNKNOWN -->
+ <item>-120</item> <!-- SIGNAL_STRENGTH_POOR -->
+ <item>-115</item> <!-- SIGNAL_STRENGTH_MODERATE -->
+ <item>-100</item> <!-- SIGNAL_STRENGTH_GOOD -->
+ <item>-90</item> <!-- SIGNAL_STRENGTH_GREAT -->
+ <item>-44</item>
+ </integer-array>
+</resources>
diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index a7ce95b..ec275cc 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -18,9 +18,10 @@
import static android.Manifest.permission.DUMP;
import static android.net.IpSecManager.INVALID_RESOURCE_ID;
-import static android.net.IpSecManager.KEY_RESOURCE_ID;
-import static android.net.IpSecManager.KEY_SPI;
-import static android.net.IpSecManager.KEY_STATUS;
+import static android.system.OsConstants.AF_INET;
+import static android.system.OsConstants.IPPROTO_UDP;
+import static android.system.OsConstants.SOCK_DGRAM;
+import static com.android.internal.util.Preconditions.checkNotNull;
import android.content.Context;
import android.net.IIpSecService;
@@ -28,47 +29,92 @@
import android.net.IpSecAlgorithm;
import android.net.IpSecConfig;
import android.net.IpSecManager;
+import android.net.IpSecSpiResponse;
import android.net.IpSecTransform;
+import android.net.IpSecTransformResponse;
+import android.net.IpSecUdpEncapResponse;
import android.net.util.NetdService;
import android.os.Binder;
-import android.os.Bundle;
import android.os.IBinder;
import android.os.ParcelFileDescriptor;
import android.os.RemoteException;
import android.os.ServiceSpecificException;
+import android.system.ErrnoException;
+import android.system.Os;
+import android.system.OsConstants;
import android.util.Log;
import android.util.Slog;
import android.util.SparseArray;
import com.android.internal.annotations.GuardedBy;
import java.io.FileDescriptor;
+import java.io.IOException;
import java.io.PrintWriter;
+import java.net.InetAddress;
+import java.net.InetSocketAddress;
+import java.net.UnknownHostException;
import java.util.concurrent.atomic.AtomicInteger;
+import libcore.io.IoUtils;
/** @hide */
public class IpSecService extends IIpSecService.Stub {
private static final String TAG = "IpSecService";
private static final boolean DBG = Log.isLoggable(TAG, Log.DEBUG);
+
private static final String NETD_SERVICE_NAME = "netd";
private static final int[] DIRECTIONS =
new int[] {IpSecTransform.DIRECTION_OUT, IpSecTransform.DIRECTION_IN};
- /** Binder context for this service */
+ private static final int NETD_FETCH_TIMEOUT = 5000; //ms
+ private static final int MAX_PORT_BIND_ATTEMPTS = 10;
+ private static final InetAddress INADDR_ANY;
+
+ static {
+ try {
+ INADDR_ANY = InetAddress.getByAddress(new byte[] {0, 0, 0, 0});
+ } catch (UnknownHostException e) {
+ throw new RuntimeException(e);
+ }
+ }
+
+ static final int FREE_PORT_MIN = 1024; // ports 1-1023 are reserved
+ static final int PORT_MAX = 0xFFFF; // ports are an unsigned 16-bit integer
+
+ /* Binder context for this service */
private final Context mContext;
- private Object mLock = new Object();
+ /** Should be a never-repeating global ID for resources */
+ private static AtomicInteger mNextResourceId = new AtomicInteger(0x00FADED0);
- private static final int NETD_FETCH_TIMEOUT = 5000; //ms
+ @GuardedBy("this")
+ private final ManagedResourceArray<SpiRecord> mSpiRecords = new ManagedResourceArray<>();
- private AtomicInteger mNextResourceId = new AtomicInteger(0x00FADED0);
+ @GuardedBy("this")
+ private final ManagedResourceArray<TransformRecord> mTransformRecords =
+ new ManagedResourceArray<>();
+ @GuardedBy("this")
+ private final ManagedResourceArray<UdpSocketRecord> mUdpSocketRecords =
+ new ManagedResourceArray<>();
+
+ /**
+ * The ManagedResource class provides a facility to cleanly and reliably release system
+ * resources. It relies on two things: an IBinder that allows ManagedResource to automatically
+ * clean up in the event that the Binder dies and a user-provided resourceId that should
+ * uniquely identify the managed resource. To use this class, the user should implement the
+ * releaseResources() method that is responsible for releasing system resources when invoked.
+ */
private abstract class ManagedResource implements IBinder.DeathRecipient {
final int pid;
final int uid;
private IBinder mBinder;
+ protected int mResourceId;
- ManagedResource(IBinder binder) {
+ private AtomicInteger mReferenceCount = new AtomicInteger(0);
+
+ ManagedResource(int resourceId, IBinder binder) {
super();
mBinder = binder;
+ mResourceId = resourceId;
pid = Binder.getCallingPid();
uid = Binder.getCallingUid();
@@ -79,21 +125,53 @@
}
}
+ public void addReference() {
+ mReferenceCount.incrementAndGet();
+ }
+
+ public void removeReference() {
+ if (mReferenceCount.decrementAndGet() < 0) {
+ Log.wtf(TAG, "Programming error: negative reference count");
+ }
+ }
+
+ public boolean isReferenced() {
+ return (mReferenceCount.get() > 0);
+ }
+
+ public void checkOwnerOrSystemAndThrow() {
+ if (uid != Binder.getCallingUid()
+ && android.os.Process.SYSTEM_UID != Binder.getCallingUid()) {
+ throw new SecurityException("Only the owner may access managed resources!");
+ }
+ }
+
/**
* When this record is no longer needed for managing system resources this function should
- * unlink all references held by the record to allow efficient garbage collection.
+ * clean up all system resources and nullify the record. This function shall perform all
+ * necessary cleanup of the resources managed by this record.
+ *
+ * <p>NOTE: this function verifies ownership before allowing resources to be freed.
*/
- public final void release() {
- //Release all the underlying system resources first
- releaseResources();
+ public final void release() throws RemoteException {
+ synchronized (IpSecService.this) {
+ if (isReferenced()) {
+ throw new IllegalStateException(
+ "Cannot release a resource that has active references!");
+ }
- if (mBinder != null) {
- mBinder.unlinkToDeath(this, 0);
+ if (mResourceId == INVALID_RESOURCE_ID) {
+ return;
+ }
+
+ releaseResources();
+ if (mBinder != null) {
+ mBinder.unlinkToDeath(this, 0);
+ }
+ mBinder = null;
+
+ mResourceId = INVALID_RESOURCE_ID;
}
- mBinder = null;
-
- //remove this record so that it can be cleaned up
- nullifyRecord();
}
/**
@@ -102,41 +180,85 @@
* collection
*/
public final void binderDied() {
- release();
+ try {
+ release();
+ } catch (Exception e) {
+ Log.e(TAG, "Failed to release resource: " + e);
+ }
}
/**
- * Implement this method to release all object references contained in the subclass to allow
- * efficient garbage collection of the record. This should remove any references to the
- * record from all other locations that hold a reference as the record is no longer valid.
- */
- protected abstract void nullifyRecord();
-
- /**
* Implement this method to release all system resources that are being protected by this
* record. Once the resources are released, the record should be invalidated and no longer
- * used by calling releaseRecord()
+ * used by calling release(). This should NEVER be called directly.
+ *
+ * <p>Calls to this are always guarded by IpSecService#this
*/
- protected abstract void releaseResources();
+ protected abstract void releaseResources() throws RemoteException;
};
- private final class TransformRecord extends ManagedResource {
- private IpSecConfig mConfig;
- private int mResourceId;
+ /**
+ * Minimal wrapper around SparseArray that performs ownership
+ * validation on element accesses.
+ */
+ private class ManagedResourceArray<T extends ManagedResource> {
+ SparseArray<T> mArray = new SparseArray<>();
- TransformRecord(IpSecConfig config, int resourceId, IBinder binder) {
- super(binder);
+ T get(int key) {
+ T val = mArray.get(key);
+ val.checkOwnerOrSystemAndThrow();
+ return val;
+ }
+
+ void put(int key, T obj) {
+ checkNotNull(obj, "Null resources cannot be added");
+ mArray.put(key, obj);
+ }
+
+ void remove(int key) {
+ mArray.remove(key);
+ }
+ }
+
+ private final class TransformRecord extends ManagedResource {
+ private final IpSecConfig mConfig;
+ private final SpiRecord[] mSpis;
+ private final UdpSocketRecord mSocket;
+
+ TransformRecord(
+ int resourceId,
+ IBinder binder,
+ IpSecConfig config,
+ SpiRecord[] spis,
+ UdpSocketRecord socket) {
+ super(resourceId, binder);
mConfig = config;
- mResourceId = resourceId;
+ mSpis = spis;
+ mSocket = socket;
+
+ for (int direction : DIRECTIONS) {
+ mSpis[direction].addReference();
+ mSpis[direction].setOwnedByTransform();
+ }
+
+ if (mSocket != null) {
+ mSocket.addReference();
+ }
}
public IpSecConfig getConfig() {
return mConfig;
}
+ public SpiRecord getSpiRecord(int direction) {
+ return mSpis[direction];
+ }
+
+ /** always guarded by IpSecService#this */
@Override
protected void releaseResources() {
for (int direction : DIRECTIONS) {
+ int spi = mSpis[direction].getSpi();
try {
getNetdInstance()
.ipSecDeleteSecurityAssociation(
@@ -148,19 +270,21 @@
(mConfig.getRemoteAddress() != null)
? mConfig.getRemoteAddress().getHostAddress()
: "",
- mConfig.getSpi(direction));
+ spi);
} catch (ServiceSpecificException e) {
// FIXME: get the error code and throw is at an IOException from Errno Exception
} catch (RemoteException e) {
Log.e(TAG, "Failed to delete SA with ID: " + mResourceId);
}
}
- }
- @Override
- protected void nullifyRecord() {
- mConfig = null;
- mResourceId = INVALID_RESOURCE_ID;
+ for (int direction : DIRECTIONS) {
+ mSpis[direction].removeReference();
+ }
+
+ if (mSocket != null) {
+ mSocket.removeReference();
+ }
}
}
@@ -168,27 +292,37 @@
private final int mDirection;
private final String mLocalAddress;
private final String mRemoteAddress;
- private final IBinder mBinder;
private int mSpi;
- private int mResourceId;
+
+ private boolean mOwnedByTransform = false;
SpiRecord(
int resourceId,
+ IBinder binder,
int direction,
String localAddress,
String remoteAddress,
- int spi,
- IBinder binder) {
- super(binder);
- mResourceId = resourceId;
+ int spi) {
+ super(resourceId, binder);
mDirection = direction;
mLocalAddress = localAddress;
mRemoteAddress = remoteAddress;
mSpi = spi;
- mBinder = binder;
}
+ /** always guarded by IpSecService#this */
+ @Override
protected void releaseResources() {
+ if (mOwnedByTransform) {
+ Log.d(TAG, "Cannot release Spi " + mSpi + ": Currently locked by a Transform");
+ // Because SPIs are "handed off" to transform, objects, they should never be
+ // freed from the SpiRecord once used in a transform. (They refer to the same SA,
+ // thus ownership and responsibility for freeing these resources passes to the
+ // Transform object). Thus, we should let the user free them without penalty once
+ // they are applied in a Transform object.
+ return;
+ }
+
try {
getNetdInstance()
.ipSecDeleteSecurityAssociation(
@@ -198,19 +332,50 @@
} catch (RemoteException e) {
Log.e(TAG, "Failed to delete SPI reservation with ID: " + mResourceId);
}
+
+ mSpi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX;
}
- protected void nullifyRecord() {
- mSpi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX;
- mResourceId = INVALID_RESOURCE_ID;
+ public int getSpi() {
+ return mSpi;
+ }
+
+ public void setOwnedByTransform() {
+ if (mOwnedByTransform) {
+ // Programming error
+ new IllegalStateException("Cannot own an SPI twice!");
+ }
+
+ mOwnedByTransform = true;
}
}
- @GuardedBy("mSpiRecords")
- private final SparseArray<SpiRecord> mSpiRecords = new SparseArray<>();
+ private final class UdpSocketRecord extends ManagedResource {
+ private FileDescriptor mSocket;
+ private final int mPort;
- @GuardedBy("mTransformRecords")
- private final SparseArray<TransformRecord> mTransformRecords = new SparseArray<>();
+ UdpSocketRecord(int resourceId, IBinder binder, FileDescriptor socket, int port) {
+ super(resourceId, binder);
+ mSocket = socket;
+ mPort = port;
+ }
+
+ /** always guarded by IpSecService#this */
+ @Override
+ protected void releaseResources() {
+ Log.d(TAG, "Closing port " + mPort);
+ IoUtils.closeQuietly(mSocket);
+ mSocket = null;
+ }
+
+ public int getPort() {
+ return mPort;
+ }
+
+ public FileDescriptor getSocket() {
+ return mSocket;
+ }
+ }
/**
* Constructs a new IpSecService instance
@@ -242,7 +407,7 @@
new Runnable() {
@Override
public void run() {
- synchronized (mLock) {
+ synchronized (IpSecService.this) {
NetdService.get(NETD_FETCH_TIMEOUT);
}
}
@@ -258,30 +423,27 @@
return netd;
}
- boolean isNetdAlive() {
- synchronized (mLock) {
- try {
- final INetd netd = getNetdInstance();
- if (netd == null) {
- return false;
- }
- return netd.isAlive();
- } catch (RemoteException re) {
+ synchronized boolean isNetdAlive() {
+ try {
+ final INetd netd = getNetdInstance();
+ if (netd == null) {
return false;
}
+ return netd.isAlive();
+ } catch (RemoteException re) {
+ return false;
}
}
@Override
/** Get a new SPI and maintain the reservation in the system server */
- public Bundle reserveSecurityParameterIndex(
+ public synchronized IpSecSpiResponse reserveSecurityParameterIndex(
int direction, String remoteAddress, int requestedSpi, IBinder binder)
throws RemoteException {
int resourceId = mNextResourceId.getAndIncrement();
int spi = IpSecManager.INVALID_SECURITY_PARAMETER_INDEX;
String localAddress = "";
- Bundle retBundle = new Bundle(3);
try {
spi =
getNetdInstance()
@@ -292,29 +454,78 @@
remoteAddress,
requestedSpi);
Log.d(TAG, "Allocated SPI " + spi);
- retBundle.putInt(KEY_STATUS, IpSecManager.Status.OK);
- retBundle.putInt(KEY_RESOURCE_ID, resourceId);
- retBundle.putInt(KEY_SPI, spi);
- synchronized (mSpiRecords) {
- mSpiRecords.put(
- resourceId,
- new SpiRecord(
- resourceId, direction, localAddress, remoteAddress, spi, binder));
- }
+ mSpiRecords.put(
+ resourceId,
+ new SpiRecord(resourceId, binder, direction, localAddress, remoteAddress, spi));
} catch (ServiceSpecificException e) {
// TODO: Add appropriate checks when other ServiceSpecificException types are supported
- retBundle.putInt(KEY_STATUS, IpSecManager.Status.SPI_UNAVAILABLE);
- retBundle.putInt(KEY_RESOURCE_ID, resourceId);
- retBundle.putInt(KEY_SPI, spi);
+ return new IpSecSpiResponse(
+ IpSecManager.Status.SPI_UNAVAILABLE, IpSecManager.INVALID_RESOURCE_ID, spi);
} catch (RemoteException e) {
throw e.rethrowFromSystemServer();
}
- return retBundle;
+ return new IpSecSpiResponse(IpSecManager.Status.OK, resourceId, spi);
+ }
+
+ /* This method should only be called from Binder threads. Do not call this from
+ * within the system server as it will crash the system on failure.
+ */
+ private synchronized <T extends ManagedResource> void releaseManagedResource(
+ ManagedResourceArray<T> resArray, int resourceId, String typeName)
+ throws RemoteException {
+ // We want to non-destructively get so that we can check credentials before removing
+ // this from the records.
+ T record = resArray.get(resourceId);
+
+ if (record == null) {
+ throw new IllegalArgumentException(
+ typeName + " " + resourceId + " is not available to be deleted");
+ }
+
+ record.release();
+ resArray.remove(resourceId);
}
/** Release a previously allocated SPI that has been registered with the system server */
@Override
- public void releaseSecurityParameterIndex(int resourceId) throws RemoteException {}
+ public void releaseSecurityParameterIndex(int resourceId) throws RemoteException {
+ releaseManagedResource(mSpiRecords, resourceId, "SecurityParameterIndex");
+ }
+
+ /**
+ * This function finds and forcibly binds to a random system port, ensuring that the port cannot
+ * be unbound.
+ *
+ * <p>A socket cannot be un-bound from a port if it was bound to that port by number. To select
+ * a random open port and then bind by number, this function creates a temp socket, binds to a
+ * random port (specifying 0), gets that port number, and then uses is to bind the user's UDP
+ * Encapsulation Socket forcibly, so that it cannot be un-bound by the user with the returned
+ * FileHandle.
+ *
+ * <p>The loop in this function handles the inherent race window between un-binding to a port
+ * and re-binding, during which the system could *technically* hand that port out to someone
+ * else.
+ */
+ private void bindToRandomPort(FileDescriptor sockFd) throws IOException {
+ for (int i = MAX_PORT_BIND_ATTEMPTS; i > 0; i--) {
+ try {
+ FileDescriptor probeSocket = Os.socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+ Os.bind(probeSocket, INADDR_ANY, 0);
+ int port = ((InetSocketAddress) Os.getsockname(probeSocket)).getPort();
+ Os.close(probeSocket);
+ Log.v(TAG, "Binding to port " + port);
+ Os.bind(sockFd, INADDR_ANY, port);
+ return;
+ } catch (ErrnoException e) {
+ // Someone miraculously claimed the port just after we closed probeSocket.
+ if (e.errno == OsConstants.EADDRINUSE) {
+ continue;
+ }
+ throw e.rethrowAsIOException();
+ }
+ }
+ throw new IOException("Failed " + MAX_PORT_BIND_ATTEMPTS + " attempts to bind to a port");
+ }
/**
* Open a socket via the system server and bind it to the specified port (random if port=0).
@@ -323,13 +534,47 @@
* needed.
*/
@Override
- public Bundle openUdpEncapsulationSocket(int port, IBinder binder) throws RemoteException {
- return null;
+ public synchronized IpSecUdpEncapResponse openUdpEncapsulationSocket(int port, IBinder binder)
+ throws RemoteException {
+ if (port != 0 && (port < FREE_PORT_MIN || port > PORT_MAX)) {
+ throw new IllegalArgumentException(
+ "Specified port number must be a valid non-reserved UDP port");
+ }
+ int resourceId = mNextResourceId.getAndIncrement();
+ FileDescriptor sockFd = null;
+ try {
+ sockFd = Os.socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
+
+ if (port != 0) {
+ Log.v(TAG, "Binding to port " + port);
+ Os.bind(sockFd, INADDR_ANY, port);
+ } else {
+ bindToRandomPort(sockFd);
+ }
+ // This code is common to both the unspecified and specified port cases
+ Os.setsockoptInt(
+ sockFd,
+ OsConstants.IPPROTO_UDP,
+ OsConstants.UDP_ENCAP,
+ OsConstants.UDP_ENCAP_ESPINUDP);
+
+ mUdpSocketRecords.put(
+ resourceId, new UdpSocketRecord(resourceId, binder, sockFd, port));
+ return new IpSecUdpEncapResponse(IpSecManager.Status.OK, resourceId, port, sockFd);
+ } catch (IOException | ErrnoException e) {
+ IoUtils.closeQuietly(sockFd);
+ }
+ // If we make it to here, then something has gone wrong and we couldn't open a socket.
+ // The only reasonable condition that would cause that is resource unavailable.
+ return new IpSecUdpEncapResponse(IpSecManager.Status.RESOURCE_UNAVAILABLE);
}
/** close a socket that has been been allocated by and registered with the system server */
@Override
- public void closeUdpEncapsulationSocket(ParcelFileDescriptor socket) {}
+ public void closeUdpEncapsulationSocket(int resourceId) throws RemoteException {
+
+ releaseManagedResource(mUdpSocketRecords, resourceId, "UdpEncapsulationSocket");
+ }
/**
* Create a transport mode transform, which represent two security associations (one in each
@@ -339,13 +584,26 @@
* receive data.
*/
@Override
- public Bundle createTransportModeTransform(IpSecConfig c, IBinder binder)
- throws RemoteException {
- // TODO: Basic input validation here since it's coming over the Binder
+ public synchronized IpSecTransformResponse createTransportModeTransform(
+ IpSecConfig c, IBinder binder) throws RemoteException {
int resourceId = mNextResourceId.getAndIncrement();
+ SpiRecord[] spis = new SpiRecord[DIRECTIONS.length];
+ // TODO: Basic input validation here since it's coming over the Binder
+ int encapType, encapLocalPort = 0, encapRemotePort = 0;
+ UdpSocketRecord socketRecord = null;
+ encapType = c.getEncapType();
+ if (encapType != IpSecTransform.ENCAP_NONE) {
+ socketRecord = mUdpSocketRecords.get(c.getEncapLocalResourceId());
+ encapLocalPort = socketRecord.getPort();
+ encapRemotePort = c.getEncapRemotePort();
+ }
+
for (int direction : DIRECTIONS) {
IpSecAlgorithm auth = c.getAuthentication(direction);
IpSecAlgorithm crypt = c.getEncryption(direction);
+
+ spis[direction] = mSpiRecords.get(c.getSpiResourceId(direction));
+ int spi = spis[direction].getSpi();
try {
int result =
getNetdInstance()
@@ -362,35 +620,29 @@
(c.getNetwork() != null)
? c.getNetwork().getNetworkHandle()
: 0,
- c.getSpi(direction),
+ spi,
(auth != null) ? auth.getName() : "",
(auth != null) ? auth.getKey() : null,
(auth != null) ? auth.getTruncationLengthBits() : 0,
(crypt != null) ? crypt.getName() : "",
(crypt != null) ? crypt.getKey() : null,
(crypt != null) ? crypt.getTruncationLengthBits() : 0,
- c.getEncapType(),
- c.getEncapLocalPort(),
- c.getEncapRemotePort());
- if (result != c.getSpi(direction)) {
+ encapType,
+ encapLocalPort,
+ encapRemotePort);
+ if (result != spi) {
// TODO: cleanup the first SA if creation of second SA fails
- Bundle retBundle = new Bundle(2);
- retBundle.putInt(KEY_STATUS, IpSecManager.Status.SPI_UNAVAILABLE);
- retBundle.putInt(KEY_RESOURCE_ID, INVALID_RESOURCE_ID);
- return retBundle;
+ return new IpSecTransformResponse(
+ IpSecManager.Status.SPI_UNAVAILABLE, INVALID_RESOURCE_ID);
}
} catch (ServiceSpecificException e) {
// FIXME: get the error code and throw is at an IOException from Errno Exception
}
}
- synchronized (mTransformRecords) {
- mTransformRecords.put(resourceId, new TransformRecord(c, resourceId, binder));
- }
-
- Bundle retBundle = new Bundle(2);
- retBundle.putInt(KEY_STATUS, IpSecManager.Status.OK);
- retBundle.putInt(KEY_RESOURCE_ID, resourceId);
- return retBundle;
+ // Both SAs were created successfully, time to construct a record and lock it away
+ mTransformRecords.put(
+ resourceId, new TransformRecord(resourceId, binder, c, spis, socketRecord));
+ return new IpSecTransformResponse(IpSecManager.Status.OK, resourceId);
}
/**
@@ -401,27 +653,7 @@
*/
@Override
public void deleteTransportModeTransform(int resourceId) throws RemoteException {
- synchronized (mTransformRecords) {
- TransformRecord record;
- // We want to non-destructively get so that we can check credentials before removing
- // this from the records.
- record = mTransformRecords.get(resourceId);
-
- if (record == null) {
- throw new IllegalArgumentException(
- "Transform " + resourceId + " is not available to be deleted");
- }
-
- if (record.pid != Binder.getCallingPid() || record.uid != Binder.getCallingUid()) {
- throw new SecurityException("Only the owner of an IpSec Transform may delete it!");
- }
-
- // TODO: if releaseResources() throws RemoteException, we can try again to clean up on
- // binder death. Need to make sure that path is actually functional.
- record.releaseResources();
- mTransformRecords.remove(resourceId);
- record.nullifyRecord();
- }
+ releaseManagedResource(mTransformRecords, resourceId, "IpSecTransform");
}
/**
@@ -429,44 +661,43 @@
* association as a correspondent policy to the provided socket
*/
@Override
- public void applyTransportModeTransform(ParcelFileDescriptor socket, int resourceId)
- throws RemoteException {
+ public synchronized void applyTransportModeTransform(
+ ParcelFileDescriptor socket, int resourceId) throws RemoteException {
+ // Synchronize liberally here because we are using ManagedResources in this block
+ TransformRecord info;
+ // FIXME: this code should be factored out into a security check + getter
+ info = mTransformRecords.get(resourceId);
- synchronized (mTransformRecords) {
- TransformRecord info;
- // FIXME: this code should be factored out into a security check + getter
- info = mTransformRecords.get(resourceId);
+ if (info == null) {
+ throw new IllegalArgumentException("Transform " + resourceId + " is not active");
+ }
- if (info == null) {
- throw new IllegalArgumentException("Transform " + resourceId + " is not active");
+ // TODO: make this a function.
+ if (info.pid != getCallingPid() || info.uid != getCallingUid()) {
+ throw new SecurityException("Only the owner of an IpSec Transform may apply it!");
+ }
+
+ IpSecConfig c = info.getConfig();
+ try {
+ for (int direction : DIRECTIONS) {
+ getNetdInstance()
+ .ipSecApplyTransportModeTransform(
+ socket.getFileDescriptor(),
+ resourceId,
+ direction,
+ (c.getLocalAddress() != null)
+ ? c.getLocalAddress().getHostAddress()
+ : "",
+ (c.getRemoteAddress() != null)
+ ? c.getRemoteAddress().getHostAddress()
+ : "",
+ info.getSpiRecord(direction).getSpi());
}
-
- // TODO: make this a function.
- if (info.pid != getCallingPid() || info.uid != getCallingUid()) {
- throw new SecurityException("Only the owner of an IpSec Transform may apply it!");
- }
-
- IpSecConfig c = info.getConfig();
- try {
- for (int direction : DIRECTIONS) {
- getNetdInstance()
- .ipSecApplyTransportModeTransform(
- socket.getFileDescriptor(),
- resourceId,
- direction,
- (c.getLocalAddress() != null)
- ? c.getLocalAddress().getHostAddress()
- : "",
- (c.getRemoteAddress() != null)
- ? c.getRemoteAddress().getHostAddress()
- : "",
- c.getSpi(direction));
- }
- } catch (ServiceSpecificException e) {
- // FIXME: get the error code and throw is at an IOException from Errno Exception
- }
+ } catch (ServiceSpecificException e) {
+ // FIXME: get the error code and throw is at an IOException from Errno Exception
}
}
+
/**
* Remove a transport mode transform from a socket, applying the default (empty) policy. This
* will ensure that NO IPsec policy is applied to the socket (would be the equivalent of
@@ -486,7 +717,7 @@
@Override
protected void dump(FileDescriptor fd, PrintWriter pw, String[] args) {
mContext.enforceCallingOrSelfPermission(DUMP, TAG);
-
+ // TODO: Add dump code to print out a log of all the resources being tracked
pw.println("IpSecService Log:");
pw.println("NetdNativeService Connection: " + (isNetdAlive() ? "alive" : "dead"));
pw.println();
diff --git a/services/core/java/com/android/server/connectivity/Tethering.java b/services/core/java/com/android/server/connectivity/Tethering.java
index dffa670..3110000 100644
--- a/services/core/java/com/android/server/connectivity/Tethering.java
+++ b/services/core/java/com/android/server/connectivity/Tethering.java
@@ -18,7 +18,13 @@
import static android.hardware.usb.UsbManager.USB_CONNECTED;
import static android.hardware.usb.UsbManager.USB_FUNCTION_RNDIS;
+import static android.net.wifi.WifiManager.EXTRA_WIFI_AP_INTERFACE_NAME;
+import static android.net.wifi.WifiManager.EXTRA_WIFI_AP_MODE;
import static android.net.wifi.WifiManager.EXTRA_WIFI_AP_STATE;
+import static android.net.wifi.WifiManager.IFACE_IP_MODE_CONFIGURATION_ERROR;
+import static android.net.wifi.WifiManager.IFACE_IP_MODE_LOCAL_ONLY;
+import static android.net.wifi.WifiManager.IFACE_IP_MODE_TETHERED;
+import static android.net.wifi.WifiManager.IFACE_IP_MODE_UNSPECIFIED;
import static android.net.wifi.WifiManager.WIFI_AP_STATE_DISABLED;
import static com.android.server.ConnectivityService.SHORT_ARG;
@@ -788,48 +794,80 @@
}
private void handleWifiApAction(Intent intent) {
- final int curState = intent.getIntExtra(EXTRA_WIFI_AP_STATE, WIFI_AP_STATE_DISABLED);
+ final int curState = intent.getIntExtra(EXTRA_WIFI_AP_STATE, WIFI_AP_STATE_DISABLED);
+ final String ifname = intent.getStringExtra(EXTRA_WIFI_AP_INTERFACE_NAME);
+ final int ipmode = intent.getIntExtra(EXTRA_WIFI_AP_MODE, IFACE_IP_MODE_UNSPECIFIED);
+
synchronized (Tethering.this.mPublicSync) {
switch (curState) {
case WifiManager.WIFI_AP_STATE_ENABLING:
// We can see this state on the way to both enabled and failure states.
break;
case WifiManager.WIFI_AP_STATE_ENABLED:
- // When the AP comes up and we've been requested to tether it, do so.
- // Otherwise, assume it's a local-only hotspot request.
- final int state = mWifiTetherRequested
- ? IControlsTethering.STATE_TETHERED
- : IControlsTethering.STATE_LOCAL_ONLY;
- tetherMatchingInterfaces(state, ConnectivityManager.TETHERING_WIFI);
+ enableWifiIpServingLocked(ifname, ipmode);
break;
case WifiManager.WIFI_AP_STATE_DISABLED:
case WifiManager.WIFI_AP_STATE_DISABLING:
case WifiManager.WIFI_AP_STATE_FAILED:
default:
- if (DBG) {
- Log.d(TAG, "Canceling WiFi tethering request - AP_STATE=" +
- curState);
- }
- // Tell appropriate interface state machines that they should tear
- // themselves down.
- for (int i = 0; i < mTetherStates.size(); i++) {
- TetherInterfaceStateMachine tism =
- mTetherStates.valueAt(i).stateMachine;
- if (tism.interfaceType() == ConnectivityManager.TETHERING_WIFI) {
- tism.sendMessage(
- TetherInterfaceStateMachine.CMD_TETHER_UNREQUESTED);
- break; // There should be at most one of these.
- }
- }
- // Regardless of whether we requested this transition, the AP has gone
- // down. Don't try to tether again unless we're requested to do so.
- mWifiTetherRequested = false;
- break;
+ disableWifiIpServingLocked(curState);
+ break;
}
}
}
}
+ // TODO: Pass in the interface name and, if non-empty, only turn down IP
+ // serving on that one interface.
+ private void disableWifiIpServingLocked(int apState) {
+ if (DBG) Log.d(TAG, "Canceling WiFi tethering request - AP_STATE=" + apState);
+
+ // Tell appropriate interface state machines that they should tear
+ // themselves down.
+ for (int i = 0; i < mTetherStates.size(); i++) {
+ TetherInterfaceStateMachine tism = mTetherStates.valueAt(i).stateMachine;
+ if (tism.interfaceType() == ConnectivityManager.TETHERING_WIFI) {
+ tism.sendMessage(TetherInterfaceStateMachine.CMD_TETHER_UNREQUESTED);
+ break; // There should be at most one of these.
+ }
+ }
+ // Regardless of whether we requested this transition, the AP has gone
+ // down. Don't try to tether again unless we're requested to do so.
+ mWifiTetherRequested = false;
+ }
+
+ private void enableWifiIpServingLocked(String ifname, int wifiIpMode) {
+ // Map wifiIpMode values to IControlsTethering serving states, inferring
+ // from mWifiTetherRequested as a final "best guess".
+ final int ipServingMode;
+ switch (wifiIpMode) {
+ case IFACE_IP_MODE_TETHERED:
+ ipServingMode = IControlsTethering.STATE_TETHERED;
+ break;
+ case IFACE_IP_MODE_LOCAL_ONLY:
+ ipServingMode = IControlsTethering.STATE_LOCAL_ONLY;
+ break;
+ default:
+ // Resort to legacy "guessing" behaviour.
+ //
+ // When the AP comes up and we've been requested to tether it,
+ // do so. Otherwise, assume it's a local-only hotspot request.
+ //
+ // TODO: Once all AP broadcasts are known to include ifname and
+ // mode information delete this code path and log an error.
+ ipServingMode = mWifiTetherRequested
+ ? IControlsTethering.STATE_TETHERED
+ : IControlsTethering.STATE_LOCAL_ONLY;
+ break;
+ }
+
+ if (!TextUtils.isEmpty(ifname)) {
+ changeInterfaceState(ifname, ipServingMode);
+ } else {
+ tetherMatchingInterfaces(ipServingMode, ConnectivityManager.TETHERING_WIFI);
+ }
+ }
+
// TODO: Consider renaming to something more accurate in its description.
// This method:
// - allows requesting either tethering or local hotspot serving states
@@ -862,22 +900,26 @@
return;
}
+ changeInterfaceState(chosenIface, requestedState);
+ }
+
+ private void changeInterfaceState(String ifname, int requestedState) {
final int result;
switch (requestedState) {
case IControlsTethering.STATE_UNAVAILABLE:
case IControlsTethering.STATE_AVAILABLE:
- result = untether(chosenIface);
+ result = untether(ifname);
break;
case IControlsTethering.STATE_TETHERED:
case IControlsTethering.STATE_LOCAL_ONLY:
- result = tether(chosenIface, requestedState);
+ result = tether(ifname, requestedState);
break;
default:
Log.wtf(TAG, "Unknown interface state: " + requestedState);
return;
}
if (result != ConnectivityManager.TETHER_ERROR_NO_ERROR) {
- Log.e(TAG, "unable start or stop tethering on iface " + chosenIface);
+ Log.e(TAG, "unable start or stop tethering on iface " + ifname);
return;
}
}
@@ -1360,10 +1402,10 @@
final String iface = who.interfaceName();
switch (mode) {
case IControlsTethering.STATE_TETHERED:
- mgr.updateInterfaceIpState(iface, WifiManager.IFACE_IP_MODE_TETHERED);
+ mgr.updateInterfaceIpState(iface, IFACE_IP_MODE_TETHERED);
break;
case IControlsTethering.STATE_LOCAL_ONLY:
- mgr.updateInterfaceIpState(iface, WifiManager.IFACE_IP_MODE_LOCAL_ONLY);
+ mgr.updateInterfaceIpState(iface, IFACE_IP_MODE_LOCAL_ONLY);
break;
default:
Log.wtf(TAG, "Unknown active serving mode: " + mode);
@@ -1381,7 +1423,7 @@
if (who.interfaceType() == ConnectivityManager.TETHERING_WIFI) {
if (who.lastError() != ConnectivityManager.TETHER_ERROR_NO_ERROR) {
getWifiManager().updateInterfaceIpState(
- who.interfaceName(), WifiManager.IFACE_IP_MODE_CONFIGURATION_ERROR);
+ who.interfaceName(), IFACE_IP_MODE_CONFIGURATION_ERROR);
}
}
}
diff --git a/telephony/java/android/telephony/DisconnectCause.java b/telephony/java/android/telephony/DisconnectCause.java
index 0346b92..2e61697 100644
--- a/telephony/java/android/telephony/DisconnectCause.java
+++ b/telephony/java/android/telephony/DisconnectCause.java
@@ -253,6 +253,12 @@
*/
public static final int WIFI_LOST = 59;
+ /**
+ * The call has failed because of access class barring.
+ * {@hide}
+ */
+ public static final int IMS_ACCESS_BLOCKED = 60;
+
//*********************************************************************************************
// When adding a disconnect type:
// 1) Update toString() with the newly added disconnect type.
@@ -385,6 +391,8 @@
return "IMEI_NOT_ACCEPTED";
case WIFI_LOST:
return "WIFI_LOST";
+ case IMS_ACCESS_BLOCKED:
+ return "IMS_ACCESS_BLOCKED";
default:
return "INVALID: " + cause;
}
diff --git a/tests/net/java/com/android/server/connectivity/TetheringTest.java b/tests/net/java/com/android/server/connectivity/TetheringTest.java
index 241b828..b6922d4 100644
--- a/tests/net/java/com/android/server/connectivity/TetheringTest.java
+++ b/tests/net/java/com/android/server/connectivity/TetheringTest.java
@@ -16,6 +16,12 @@
package com.android.server.connectivity;
+import static android.net.wifi.WifiManager.IFACE_IP_MODE_LOCAL_ONLY;
+import static android.net.wifi.WifiManager.IFACE_IP_MODE_TETHERED;
+import static android.net.wifi.WifiManager.EXTRA_WIFI_AP_INTERFACE_NAME;
+import static android.net.wifi.WifiManager.EXTRA_WIFI_AP_MODE;
+import static android.net.wifi.WifiManager.EXTRA_WIFI_AP_STATE;
+import static android.net.wifi.WifiManager.WIFI_AP_STATE_ENABLED;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertTrue;
import static org.mockito.Matchers.anyBoolean;
@@ -222,12 +228,22 @@
private void sendWifiApStateChanged(int state) {
final Intent intent = new Intent(WifiManager.WIFI_AP_STATE_CHANGED_ACTION);
- intent.putExtra(WifiManager.EXTRA_WIFI_AP_STATE, state);
+ intent.putExtra(EXTRA_WIFI_AP_STATE, state);
mServiceContext.sendStickyBroadcastAsUser(intent, UserHandle.ALL);
}
- private void verifyInterfaceServingModeStarted() throws Exception {
- verify(mNMService, times(1)).listInterfaces();
+ private void sendWifiApStateChanged(int state, String ifname, int ipmode) {
+ final Intent intent = new Intent(WifiManager.WIFI_AP_STATE_CHANGED_ACTION);
+ intent.putExtra(EXTRA_WIFI_AP_STATE, state);
+ intent.putExtra(EXTRA_WIFI_AP_INTERFACE_NAME, ifname);
+ intent.putExtra(EXTRA_WIFI_AP_MODE, ipmode);
+ mServiceContext.sendStickyBroadcastAsUser(intent, UserHandle.ALL);
+ }
+
+ private void verifyInterfaceServingModeStarted(boolean ifnameKnown) throws Exception {
+ if (!ifnameKnown) {
+ verify(mNMService, times(1)).listInterfaces();
+ }
verify(mNMService, times(1)).getInterfaceConfig(mTestIfname);
verify(mNMService, times(1))
.setInterfaceConfig(eq(mTestIfname), any(InterfaceConfiguration.class));
@@ -243,18 +259,21 @@
mIntents.remove(bcast);
}
- @Test
- public void workingLocalOnlyHotspot() throws Exception {
+ public void workingLocalOnlyHotspot(boolean enrichedApBroadcast) throws Exception {
when(mConnectivityManager.isTetheringSupported()).thenReturn(true);
// Emulate externally-visible WifiManager effects, causing the
// per-interface state machine to start up, and telling us that
// hotspot mode is to be started.
mTethering.interfaceStatusChanged(mTestIfname, true);
- sendWifiApStateChanged(WifiManager.WIFI_AP_STATE_ENABLED);
+ if (enrichedApBroadcast) {
+ sendWifiApStateChanged(WIFI_AP_STATE_ENABLED, mTestIfname, IFACE_IP_MODE_LOCAL_ONLY);
+ } else {
+ sendWifiApStateChanged(WIFI_AP_STATE_ENABLED);
+ }
mLooper.dispatchAll();
- verifyInterfaceServingModeStarted();
+ verifyInterfaceServingModeStarted(enrichedApBroadcast);
verifyTetheringBroadcast(mTestIfname, ConnectivityManager.EXTRA_AVAILABLE_TETHER);
verify(mNMService, times(1)).setIpForwardingEnabled(true);
verify(mNMService, times(1)).startTethering(any(String[].class));
@@ -295,7 +314,16 @@
}
@Test
- public void workingWifiTethering() throws Exception {
+ public void workingLocalOnlyHotspotLegacyApBroadcast() throws Exception {
+ workingLocalOnlyHotspot(false);
+ }
+
+ @Test
+ public void workingLocalOnlyHotspotEnrichedApBroadcast() throws Exception {
+ workingLocalOnlyHotspot(true);
+ }
+
+ public void workingWifiTethering(boolean enrichedApBroadcast) throws Exception {
when(mConnectivityManager.isTetheringSupported()).thenReturn(true);
when(mWifiManager.startSoftAp(any(WifiConfiguration.class))).thenReturn(true);
@@ -311,10 +339,14 @@
// per-interface state machine to start up, and telling us that
// tethering mode is to be started.
mTethering.interfaceStatusChanged(mTestIfname, true);
- sendWifiApStateChanged(WifiManager.WIFI_AP_STATE_ENABLED);
+ if (enrichedApBroadcast) {
+ sendWifiApStateChanged(WIFI_AP_STATE_ENABLED, mTestIfname, IFACE_IP_MODE_TETHERED);
+ } else {
+ sendWifiApStateChanged(WIFI_AP_STATE_ENABLED);
+ }
mLooper.dispatchAll();
- verifyInterfaceServingModeStarted();
+ verifyInterfaceServingModeStarted(enrichedApBroadcast);
verifyTetheringBroadcast(mTestIfname, ConnectivityManager.EXTRA_AVAILABLE_TETHER);
verify(mNMService, times(1)).setIpForwardingEnabled(true);
verify(mNMService, times(1)).startTethering(any(String[].class));
@@ -376,6 +408,16 @@
}
@Test
+ public void workingWifiTetheringLegacyApBroadcast() throws Exception {
+ workingWifiTethering(false);
+ }
+
+ @Test
+ public void workingWifiTetheringEnrichedApBroadcast() throws Exception {
+ workingWifiTethering(true);
+ }
+
+ @Test
public void failureEnablingIpForwarding() throws Exception {
when(mConnectivityManager.isTetheringSupported()).thenReturn(true);
when(mWifiManager.startSoftAp(any(WifiConfiguration.class))).thenReturn(true);
diff --git a/wifi/java/android/net/wifi/WifiManager.java b/wifi/java/android/net/wifi/WifiManager.java
index 2333d7e..053fcfb 100644
--- a/wifi/java/android/net/wifi/WifiManager.java
+++ b/wifi/java/android/net/wifi/WifiManager.java
@@ -462,6 +462,15 @@
public static final int SAP_START_FAILURE_NO_CHANNEL = 1;
/**
+ * Interface IP mode unspecified.
+ *
+ * @see updateInterfaceIpState(String, int)
+ *
+ * @hide
+ */
+ public static final int IFACE_IP_MODE_UNSPECIFIED = -1;
+
+ /**
* Interface IP mode for configuration error.
*
* @see updateInterfaceIpState(String, int)