Add Tunnel Mode IPSec SA Support in NetD
Bug: 63588541
Test: Ran runtest -x system/netd/server/netd_unit_test.cpp
Change-Id: I0d71abcd9b84d241128472542537ba2f6dbac5ae
diff --git a/server/XfrmControllerTest.cpp b/server/XfrmControllerTest.cpp
index 1a14a72..ec44e6f 100644
--- a/server/XfrmControllerTest.cpp
+++ b/server/XfrmControllerTest.cpp
@@ -187,8 +187,8 @@
EXPECT_EQ(DROID_SPI, static_cast<int>(userspi.max));
}
-TEST_P(XfrmControllerParameterizedTest, TestIpSecAddSecurityAssociation) {
- const int family = GetParam();
+void testIpSecAddSecurityAssociation(int family, const MockSyscalls& mockSyscalls,
+ const XfrmMode& mode) {
const std::string localAddr = (family == AF_INET6) ? LOCALHOST_V6 : LOCALHOST_V4;
const std::string remoteAddr = (family == AF_INET6) ? TEST_ADDR_V6 : TEST_ADDR_V4;
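Review bot: The new helper takes `const XfrmMode& mode`, but the call sites cast it with `static_cast<int>(mode)`, which suggests a small scoped enum. Passing it by value, `XfrmMode mode`, is the conventional form. The helper is also declared at file scope without `static`; unless it already sits inside an anonymous namespace outside this hunk, it should get internal linkage so it cannot collide with a helper of the same name in another test file. A short comment above it would help, for example `// Shared body for the transport- and tunnel-mode SA tests; asserts on the netlink message captured by mockSyscalls.` The function body continues past the end of this hunk.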
@@ -213,7 +213,7 @@
XfrmController ctrl;
Status res = ctrl.ipSecAddSecurityAssociation(
- 1 /* resourceId */, static_cast<int>(XfrmMode::TUNNEL),
+ 1 /* resourceId */, static_cast<int>(mode),
static_cast<int>(XfrmDirection::OUT), localAddr, remoteAddr, 0 /* underlying network */,
DROID_SPI, "hmac(sha256)" /* auth algo */, authKey, 128 /* auth trunc length */,
"cbc(aes)" /* encryption algo */, cryptKey, 0 /* crypt trunc length? */, "" /* AEAD algo */,
@@ -230,7 +230,14 @@
EXPECT_EQ(family, usersa.family);
EXPECT_EQ(1 /* Transform Id*/, static_cast<int>(usersa.reqid));
- EXPECT_EQ(XFRM_MODE_TUNNEL, usersa.mode);
+ EXPECT_EQ(static_cast<int>(mode), usersa.mode);
+
+ if (mode == XfrmMode::TUNNEL) {
+ EXPECT_EQ(XFRM_STATE_AF_UNSPEC, usersa.flags);
+ } else {
+ EXPECT_EQ(0, usersa.flags);
+ }
+
EXPECT_EQ(htonl(DROID_SPI), usersa.id.spi);
EXPECT_EQ(IPPROTO_ESP, usersa.id.proto);
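Review bot: `EXPECT_EQ(static_cast<int>(mode), usersa.mode)` compares the kernel field with the same enum value that was passed in. It therefore no longer checks that `XfrmMode` maps onto the kernel's `XFRM_MODE_*` constants, which the removed `XFRM_MODE_TUNNEL` comparison did. Deriving the expectation from the kernel header keeps the check independent: `const int expectedMode = (mode == XfrmMode::TUNNEL) ? XFRM_MODE_TUNNEL : XFRM_MODE_TRANSPORT;` followed by `EXPECT_EQ(expectedMode, usersa.mode);`. The flags branch would also benefit from a one-line comment saying why only tunnel SAs are expected to carry `XFRM_STATE_AF_UNSPEC` (presumably so that the inner and outer address families may differ). The enclosing helper starts and ends outside this hunk.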
@@ -268,6 +275,16 @@
reinterpret_cast<void*>(&authAlgo.key), KEY_LENGTH));
}
+TEST_P(XfrmControllerParameterizedTest, TestTransportModeIpSecAddSecurityAssociation) {
+ const int family = GetParam();
+ testIpSecAddSecurityAssociation(family, mockSyscalls, XfrmMode::TRANSPORT);
+}
+
+TEST_P(XfrmControllerParameterizedTest, TestTunnelModeIpSecAddSecurityAssociation) {
+ const int family = GetParam();
+ testIpSecAddSecurityAssociation(family, mockSyscalls, XfrmMode::TUNNEL);
+}
+
TEST_F(XfrmControllerTest, TestIpSecAddSecurityAssociationIPv4Encap) {
// TODO: Implement this test, which is nearly identical to
// TestIpSecAddSecurityAssociation.
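Review bot: The TODO in `TestIpSecAddSecurityAssociationIPv4Encap` still points at `TestIpSecAddSecurityAssociation`, a test this commit replaces with the `testIpSecAddSecurityAssociation` helper and two mode-specific `TEST_P` wrappers. The comment should be updated to name the helper, for example `// TODO: Implement this test by reusing testIpSecAddSecurityAssociation() with an encap type.`, so the reference stays resolvable. The body of the IPv4Encap test lies outside this hunk.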
@@ -279,9 +296,9 @@
XfrmController ctrl;
Status res = ctrl.ipSecAddSecurityAssociation(
- 1, static_cast<int>(XfrmMode::TUNNEL), static_cast<int>(XfrmDirection::OUT), LOCALHOST_V6,
- TEST_ADDR_V6, 0, DROID_SPI, "hmac(sha256)", {}, 128, "cbc(aes)", {}, 0, "", {}, 0,
- static_cast<int>(XfrmEncapType::ESPINUDP_NON_IKE), 0, 0);
+ 1, static_cast<int>(XfrmMode::TRANSPORT), static_cast<int>(XfrmDirection::OUT),
+ LOCALHOST_V6, TEST_ADDR_V6, 0, DROID_SPI, "hmac(sha256)", {}, 128, "cbc(aes)",
+ {}, 0, "", {}, 0, static_cast<int>(XfrmEncapType::ESPINUDP_NON_IKE), 0, 0);
EXPECT_FALSE(isOk(res)) << "IPv6 UDP encap not rejected";
}
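Review bot: Switching this call from `XfrmMode::TUNNEL` to `XfrmMode::TRANSPORT` means no test checks that IPv6 UDP encapsulation is rejected for tunnel-mode SAs, which is the mode this commit adds support for. The rejection should be asserted for both modes, for instance by wrapping the call in `for (XfrmMode mode : {XfrmMode::TRANSPORT, XfrmMode::TUNNEL})` and passing `static_cast<int>(mode)`. `EXPECT_FALSE(isOk(res))` also passes on any failure, and the key arguments here are empty `{}`. The call may therefore be failing for a reason other than the encap type; checking the returned status code would pin the intended rejection. The test's opening line is outside this hunk.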