Gitiles
Code Review Sign In
review.blissroms.org / packages_modules_Connectivity / 0072e19c8e334a7945a2ccc9f0402ea1c643b25d^! / .
commit0072e19c8e334a7945a2ccc9f0402ea1c643b25d[log] [tgz]
authorNathan Harold <nharold@google.com>Thu Apr 06 17:46:00 2017 -0700
committerNathan Harold <nharold@google.com>Tue Apr 11 10:14:11 2017 -0700
tree19978995b2619138af9321100ece29b9aef1f78d
parent0540679eb48f6e590a30943cfaae41370349d0c1 [diff]
Add FileDescriptor Versions of applyTransportModeTransform()

Because there is no way using the Java sockets API to actually
get a socket of AF_INET on mode machines, it is necessary to
provide a way to apply transforms to sockets made using the
native wrapper API, which uses POSIX APIs and will create a
socket that is AF_INET.

Bug: 36073210
Test: b/34811227
Change-Id: I28ac7cc4f36045ce523a54111e5be975b0331356

diff --git a/core/java/android/net/IpSecManager.java b/core/java/android/net/IpSecManager.java
index 4bfeb09..f8702e2 100644
--- a/core/java/android/net/IpSecManager.java
+++ b/core/java/android/net/IpSecManager.java

@@ -278,6 +278,23 @@
     }
 
     /**
+     * Apply an active Transport Mode IPsec Transform to a stream socket to perform IPsec
+     * encapsulation of the traffic flowing between the socket and the remote InetAddress of that
+     * transform. For security reasons, attempts to send traffic to any IP address other than the
+     * address associated with that transform will throw an IOException. In addition, if the
+     * IpSecTransform is later deactivated, the socket will throw an IOException on any calls to
+     * send() or receive() until the transform is removed from the socket by calling {@link
+     * #removeTransportModeTransform(Socket, IpSecTransform)};
+     *
+     * @param socket a socket file descriptor
+     * @param transform an {@link IpSecTransform}, which must be an active Transport Mode transform.
+     */
+    public void applyTransportModeTransform(FileDescriptor socket, IpSecTransform transform)
+            throws IOException {
+        applyTransportModeTransform(new ParcelFileDescriptor(socket), transform);
+    }
+
+    /**
      * Apply an active Tunnel Mode IPsec Transform to a network, which will tunnel all traffic to
      * and from that network's interface with IPsec (applies an outer IP header and IPsec Header to
      * all traffic, and expects an additional IP header and IPsec Header on all inbound traffic).
@@ -318,6 +335,20 @@
         removeTransportModeTransform(ParcelFileDescriptor.fromDatagramSocket(socket), transform);
     }
 
+    /**
+     * Remove a transform from a given stream socket. Once removed, traffic on the socket will not
+     * be encypted. This allows sockets that have been used for IPsec to be reclaimed for
+     * communication in the clear in the event socket reuse is desired. This operation will succeed
+     * regardless of the underlying state of a transform. If a transform is removed, communication
+     * on all sockets to which that transform was applied will fail until this method is called.
+     *
+     * @param socket a socket file descriptor that previously had a transform applied to it.
+     * @param transform the IPsec Transform that was previously applied to the given socket
+     */
+    public void removeTransportModeTransform(FileDescriptor socket, IpSecTransform transform) {
+        removeTransportModeTransform(new ParcelFileDescriptor(socket), transform);
+    }
+
     /* Call down to activate a transform */
     private void removeTransportModeTransform(ParcelFileDescriptor pfd, IpSecTransform transform) {
         try {