| Commit message | Author | Age | Files | Lines |
IpSecService is going to be moved into Connectivity mainline module.
Move all ipsec associated files to packages/ConnectivityT so that
these files can be easily migrated to the connectivity module after
clearing the hidden API usages.
Bug: 204153604
Test: build pass
FrameworksNetTests
CtsNetTestCases
Change-Id: I562b47f18e345988a2638cf886f86818f9144b91
|
Clarify the consequence of adding IpSecTunnelInterface to the
underlying network.
Bug: 169855650
Test: builds
Change-Id: I2e3c4fe735b3374b2ff6d23850970e36c0aafda5
|
This change adds support for IPsec forward policies, which are necessary
for packets to be allowed to be forwarded to another interface, as is
the case with tethering. This is necessary and useful only within the
system server, and as such is not exposed as a public API.
This change is safe, since the addition of a FWD policy on IPsec tunnel
interfaces will by default block forwarded traffic (as would be the case
without this patch). In the event that the (system) owner of the tunnel
requires support for forwarded packets (eg tethering), this patch allows
application of transforms in the FWD direction as well.
This will be used to ensure that the VCN can be used as the underlying
network for the purposes of tethering.
Bug: 185495453
Test: atest IpSecServiceTest
Test: atest IpSecServiceParameterizedTest
Test: manual testing with tethering over VCN
Change-Id: I74ecea71f1954029f6fbdbe34598c82e0aac386b
|
This API is required to perform MOBIKE. This API allows an IPsec
peer to change the underlying network of its established IPsec
tunnel without re-establishing the tunnel.
Bug: 169855650
Test: atest IpSecManagerTunnelTest (new tests added)
Change-Id: Ifc8ad902cbfbe4ad07e715f2fef0faa1bf9d68f3
|
Bug: 169855650
Test: atest IpSecManagerTunnelTest
Change-Id: I6d1b8d0e49f89c67ddc2caf4ba63fb0b1eb062c0
|
This reverts commit c92a798ee83e779bd31e16554d02163b1228ae40.
Reason for revert: not necessary, since VCN already has access to system APIs
Bug: 174606949
Test: revert with no conflicts
Change-Id: Ife2d0fc08c540265d52cdf930d0b6df005990ac8
|
ConnectivityManager.createSocketKeepalive() will need to get
the socket resource ID as a parameter for creating a new
NattSocketKeepalive. ConnectivityManager is a part of incoming
ConnectivityService mainline, so expose getResourceId() as an
API since the hidden APIs are not accessible for a mainline
module. This API should not be exposed to apps, so make it a
MODULE_LIBRARIES system API.
Bug: 172183305
Test: make update-api
Change-Id: Ic0722352ea186fcb18a2d91cc3969f771fde9e86
|
Since IKE APIs to negotiate IPsec tunnel migration (MOBIKE) are
public, all IPsec tunnel APIs should also be public so that public
callers are able to create, manage and migrate IPsec tunnels
Bug: 174606949
Test: atest IpSecManagerTunnelTest
Change-Id: I86aec334cfc937953f9c2b411cc55862032aae4d
|
This change adds the implementation for IKEv2/IPsec VPNs.
Bug: 144246767
Test: Manually tested
Change-Id: I5ccec756cec49ccf57ccc4d5ad800eeb5d595a76
Merged-In: I5ccec756cec49ccf57ccc4d5ad800eeb5d595a76
|
@PolicyDirection was hidden API defined in IpSecManager and
mainline module IPsec(IKE) needs to depend on it.
To remove this hidden API dependency, this commit:
- Moves definition of @PolicyDirection to a separate class
- Creates sharing filegroup framework-ike-shared-srcs for mainline
IKE and include PolicyDirection.java
Bug: 146360859
Test: build, flash, boot
Test: atest FrameworksIkeTests
Change-Id: Ic6d7c06d4b92e16a9a65430365c9acc73932147b
|
To prepare for enabling MissingNullability Metalava check this CL
works on adding missing nullability issues that metalava flags if
we tell it to flag new things since API 29.
This is not a complete CL, mostly addresses public api and
toString/equals for @SystemApi
Exempt-From-Owner-Approval: Large scale nullability clean up
Bug: 124515653
Test: make -j checkapi
Merged-In: I109260842cfc25f06e40694997fcbb4afa02c867
Change-Id: I109260842cfc25f06e40694997fcbb4afa02c867
|
This patch adds checks to ensure that the IPSEC_TUNNEL feature flag is
enabled.
Bug: 117183273
Test: Compiles & tests passing
Change-Id: I2699dda29e1eed139bc6fd1b70071e5ab33cad88
|
This change maps EPROTONOSUPPORT to the list of error codes that map to
UnsupportedOperationException in IpSecManager.
Bug: 80103456
Test: Compiles, CTS tests ran
Change-Id: Iec3d5fc4a9bcad7c104414afefae775232d46558
Merged-In: Iec3d5fc4a9bcad7c104414afefae775232d46558
(cherry picked from commit dcbc670688d815ce89954765fac46aa2ad6d8adb)
|
am: 23d8eed9de
Change-Id: Ic1f560070d12f3bdeb5c07316aad7ebed9719f6f
|
In order to properly support EOPNOTSUPP this CL
applies a consistent approach to handling Exceptions.
Hereafter, all exceptions that aren't of a special
method-specific type (such as SpiUnavailableException)
will all be returned to the calling process unchanged.
At the API call site, the ServiceSpecificException,
which is really an Errno, will be inspected and either
converted to an unchecked exception for types we know,
or it will be converted to an IOException in cases where
that method can return a checked exception. In cases
where we do not expect an errno, we will simply throw
a generic RuntimeException. This means all API calls
will now properly throw UnsupportedOperationException
and may be CTS tested accordingly.
Bug: 72420898
Test: runtest frameworks-net
Change-Id: I4a00e221618896223fcdb4b4279fb14cd14e34d8
|
Hide the tunnel mode of the IpSec API because
there is a disincentive to launch it without
a supported customer use case. That use case,
IWLAN is having its APIs hidden, so we should
hide these as well to avoid constraining future
implementation.
Also, due to issues with the lifetime of the NATT
management object, this API needs to be hidden
until such time as the lifetime of the Keepalive
can be handled independently of the lifetime of
a Transform.
Bug: 72523623
Test: compilation (api removal)
Change-Id: I076030bdbab1cd7d69f6a034577d529970b050dc
|
This change forces Socket and DatagramSocket to populate the
SocketImpl, ensuring that the socket file descriptor can be
retrieved when applying Transport mode Transforms
This is done by calling getSoLinger(), triggering a getImpl(), which
triggers setImpl() if needed.
Bug: 77491294
Test: Added tests in IpSecManagerTest, ran on walleye
Merged-In: I40da08b031357710eb794e0f866aec5660c79594
Change-Id: I40da08b031357710eb794e0f866aec5660c79594
(cherry picked from commit d175a3d3a01cfdb5ab6d4e61d15950583f8006d6)
|
am: b172d5b437
Change-Id: I03c0745662ab8868f719dc65c9ff8502e2ff817c
|
LinkAddress constructors are currently @hide; this change updates
IpSecManager to use InetAddress and prefixLen, and then construct a
LinkAddress internally. LinkAddress is used over the binder interface to
IpSecService to ensure validity.
Bug: 77528639
Test: CTS, Java unit tests ran on walleye
Change-Id: I19e124adef6d9f4992d8293db3190bcf74c95848
|
am: abcf07af81
Change-Id: I2034448a22461d51728e66bcc0e965821aa4a42f
|
This change forces Socket and DatagramSocket to populate the
SocketImpl, ensuring that the socket file descriptor can be
retrieved when applying Transport mode Transforms
This is done by calling getSoLinger(), triggering a getImpl(), which
triggers setImpl() if needed.
Bug: 77491294
Test: Added tests in IpSecManagerTest, ran on walleye
Change-Id: I40da08b031357710eb794e0f866aec5660c79594
|
Disallow the allocation of SPIs in the range
reserved for future use by RFC 4303.
Bug: 77205120
Test: runtest frameworks-net
Change-Id: I05e26ed34b5871f1a07d5bd7b58b79a64cd74b67
|
This change updates the getSocket() methods for IPsec to improve clarity
of the return types, both for public APIs, and internal-only methods.
Bug: 72473753
Test: APIs updated, CTS + unit tests ran.
Change-Id: I0afebd432c5d04c47c93daa1ce616d712aa323d7
|
Updates API documentation to mention that TCP sockets where transforms
are deactivated will not send FIN packets.
Bug: 74851550
Test: API updates only
Change-Id: I8169f221c8c747538a8bddfbf02dcc73c9337189
|
This CL adds NonNull annotations to a large
number of method returns and parameters as
part of API council feedback.
Bug: 72473424
Test: compilation (docstring-only change)
Change-Id: I2f865dde56fe12116c461ad98e9460bf1802ce18
|
When exposing the APIs, these were missed.
The outer structure is exposed, so this exposes
the addAddress and removeAddress methods.
Bug: 75234273
Test: compilation
Change-Id: I79911434f9baa660e4d8564cc59d80da4a710c42
|
This change adds implementation details for add/remove addresses onto a
VTI.
Bug: 73675031
Test: New tests added, passing on Walleye
Change-Id: Idde9d943a5285d2c13c5c6b0f7b8a9faf718e6a5
|
-Add annotations to usages of PolicyDirection for
apply...() methods.
-Update the comments on DIRECTION_IN and DIRECTION_OUT
to better reflect their current usage.
-Add a better explanation to the rekey procedure doc.
-Remove disused createTunnelInterface() stub.
Bug: 73751066
Test: make docs
Change-Id: I9f2ec864466148a18899f1e952c74a525902ccbc
|
Adds support for a new AppOp to permit services to
use IpSec tunnel mode. The IpSecService now needs
a context so change the service mode to a cached
service rather than a static service.
Bug: 66955045
Test: runtest frameworks-net
Change-Id: I17a4a286225b432c3e15ea1587d946189931b4f4
|
Disallow the allocation of SPIs in the range
reserved for future use by RFC 4303.
Bug: 77205120
Test: runtest frameworks-net
Merged-In: I05e26ed34b5871f1a07d5bd7b58b79a64cd74b67
Change-Id: I05e26ed34b5871f1a07d5bd7b58b79a64cd74b67
(cherry picked from commit 7f606ee8e57d9d8b7c5d0cb2a78421aa02efb385)
|
This change updates the getSocket() methods for IPsec to improve clarity
of the return types, both for public APIs, and internal-only methods.
Bug: 72473753
Test: APIs updated, CTS + unit tests ran.
Merged-In: I0afebd432c5d04c47c93daa1ce616d712aa323d7
Change-Id: I0afebd432c5d04c47c93daa1ce616d712aa323d7
(cherry picked from commit 4c987ebade580d4abc8a3d549e0df90baab33140)
|
Updates API documentation to mention that TCP sockets where transforms
are deactivated will not send FIN packets.
Bug: 74851550
Test: API updates only
Merged-In: I8169f221c8c747538a8bddfbf02dcc73c9337189
Change-Id: I8169f221c8c747538a8bddfbf02dcc73c9337189
(cherry picked from commit 7d31a2f3579eff80c3cef07feadf77dbfcbfcd17)
|
Add a new MANAGE_IPSEC_TUNNELS permission and
protect all IPsec Tunnel mode APIs with it.
This permission is only granted to the system or
through an AppOp.
Bug: 66955045
Test: compilation
Change-Id: I0f618373b500c493ef2211bece681f74652a1833
|
This CL adds NonNull annotations to a large
number of method returns and parameters as
part of API council feedback.
Bug: 72473424
Test: compilation (docstring-only change)
Merged-In: I2f865dde56fe12116c461ad98e9460bf1802ce18
Change-Id: I2f865dde56fe12116c461ad98e9460bf1802ce18
(cherry picked from commit 8fd26f67fdfdedb535ddb8c7d5ededa5dcba40f8)
|
When exposing the APIs, these were missed.
The outer structure is exposed, so this exposes
the addAddress and removeAddress methods.
Bug: 75234273
Test: compilation
Merged-In: I79911434f9baa660e4d8564cc59d80da4a710c42
Change-Id: I79911434f9baa660e4d8564cc59d80da4a710c42
(cherry picked from commit a83601a511c3f11470109d78d1a736acdb9c6bd8)
|
This change adds implementation details for add/remove addresses onto a
VTI.
Bug: 73675031
Test: New tests added, passing on Walleye
Merged-In: Idde9d943a5285d2c13c5c6b0f7b8a9faf718e6a5
Change-Id: Idde9d943a5285d2c13c5c6b0f7b8a9faf718e6a5
(cherry picked from commit ecc9f7cc08804e3fa15fea04ae94ea1bc74edbfe)
|
-Add annotations to usages of PolicyDirection for
apply...() methods.
-Update the comments on DIRECTION_IN and DIRECTION_OUT
to better reflect their current usage.
-Add a better explanation to the rekey procedure doc.
-Remove disused createTunnelInterface() stub.
Bug: 73751066
Test: make docs
Merged-In: I9f2ec864466148a18899f1e952c74a525902ccbc
Change-Id: I9f2ec864466148a18899f1e952c74a525902ccbc
(cherry picked from commit f4cdf25a906d0f52ffd76508d660b843b13b3ff8)
|
At least until further permissions are agreed upon,
the NETWORK_STACK permission is sufficient to ensure
that access to the tunnel mode APIs is secure, and
this permission will always be a sufficient condition.
Thus, adding NETWORK_STACK.
Bug: 66955045
Test: compilation
Change-Id: I2dc36896a52d2e71fad55041507d68ca91191ffc
|
This change adds one KernelResourceRecord type (TunnelInterfaceRecord),
and adds methods for the creation of TunnelInterfaces, as well as the
application of Transforms to the given TunnelInterfaces
As part of the generation of ikeys/okeys, a ReserveKeyTracker manages a
java bitset to avoid collisions and reserve/release keys.
Bug: 63588681
Test: Compiles, CTS, unit tests all pass on AOSP_marlin
Change-Id: I9e9b6455e27073acd4491eae666aa966b3b10e0f
|
Simple change to expose systemAPI for applyTunnelModeTransform
Bug: 36033193
Test: All CTS, unit tests passing
Change-Id: I2d857c048bc0dc80c3949387f946b1f5adf0527e
|
Add a new interface and a new management object,
IpSecTunnelInterface to the IpSecManager surface.
This object will be used to control IPsec tunnels.
-Add IpSecTunnelInterface object
-Add methods to create and use an IpSecTunnelInterface
-Update the IpSecTransform builder to create Tunnel
mode IpSecTransform objects (usable with an IpSecTunnel)
Bug: 36033193
Test: compilation
Change-Id: Ib6948b12c15c93674234dc36288058ae44435b90
|
Because IpSecTransforms are now unidirectional,
and because the only mechanism for removing Transforms
removes it from both directions, the API can no longer
use the Transform parameter to meaningfully validate
that the caller had applied a transform. Since that
functionality was as-yet unimplemented and is now
infeasible, the transform parameter is removed.
Bug: 72079356
Test: cts - IpSecManagerTest; runtest frameworks-net
Change-Id: If19b0d34bdc6daf31a40d6d62bff326dcbca08c0
|