Add Tunnel Mode IPSec SA Support in NetD
Bug: 63588541
Test: Ran runtest -x system/netd/server/netd_unit_test.cpp
Change-Id: I0d71abcd9b84d241128472542537ba2f6dbac5ae
diff --git a/server/XfrmController.cpp b/server/XfrmController.cpp
index e70ed49..57ebc3e 100644
--- a/server/XfrmController.cpp
+++ b/server/XfrmController.cpp
@@ -465,7 +465,7 @@
return netdutils::statusFromErrno(EINVAL, "Invalid encap type");
}
- ret = createTransportModeSecurityAssociation(saInfo, sock);
+ ret = createSecurityAssociation(saInfo, sock);
if (!isOk(ret)) {
ALOGD("Failed creating a Security Association, line=%d", __LINE__);
}
@@ -631,8 +631,8 @@
selector->ifindex = record.netId; // TODO : still need to sort this out
}
-netdutils::Status XfrmController::createTransportModeSecurityAssociation(const XfrmSaInfo& record,
- const XfrmSocket& sock) {
+netdutils::Status XfrmController::createSecurityAssociation(const XfrmSaInfo& record,
+ const XfrmSocket& sock) {
xfrm_usersa_info usersa{};
nlattr_algo_crypt crypt{};
nlattr_algo_auth auth{};
@@ -781,7 +781,13 @@
usersa->family = record.addrFamily;
usersa->mode = static_cast<uint8_t>(record.mode);
usersa->replay_window = REPLAY_WINDOW_SIZE;
- usersa->flags = 0; // TODO: should we actually set flags, XFRM_SA_XFLAG_DONT_ENCAP_DSCP?
+
+ if (record.mode == XfrmMode::TRANSPORT) {
+ usersa->flags = 0; // TODO: should we actually set flags, XFRM_SA_XFLAG_DONT_ENCAP_DSCP?
+ } else {
+ usersa->flags = XFRM_STATE_AF_UNSPEC;
+ }
+
return sizeof(*usersa);
}
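Review bot: The `else` branch on the new line `usersa->flags = XFRM_STATE_AF_UNSPEC;` applies to every mode that is not `XfrmMode::TRANSPORT`, not to tunnel mode specifically, so any further value added to `XfrmMode` later would silently inherit the flag. Since the flag (as I read the kernel's use of it) widens which inner address families the SA will match, leaving that decision to a catch-all is the kind of thing that is easy to miss in a later change; `} else if (record.mode == XfrmMode::TUNNEL) {` (assuming that enumerator is what this commit introduces) keeps the widening explicit. A one-line comment on that branch would also help, e.g. `// Tunnel SAs accept an inner payload of either address family; the selector/policy, not the SA, restricts what is carried.` The enclosing function that fills `usersa` begins outside this hunk.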