IpSecManager and IpSecAlgorithm API Tweaks
-Add a reserveSecurityParamterIndex() function that allows the
system to select an SPI.
-Disallow INVALID_SECURITY_PARAMETER_INDEX from being passed as
an explicit SPI request.
-Remove the ALGO_ prefix from constants in IpSecAlgorithm
Bug: 36073210
Test: Updated CTS tests still pass on bullhead
Change-Id: Ic94809996076b0718f153f550b82192fe7048a2e
diff --git a/core/java/android/net/IpSecAlgorithm.java b/core/java/android/net/IpSecAlgorithm.java
index 7fea4a2..ce7894f 100644
--- a/core/java/android/net/IpSecAlgorithm.java
+++ b/core/java/android/net/IpSecAlgorithm.java
@@ -32,7 +32,7 @@
*
* <p>Valid lengths for this key are {128, 192, 256}.
*/
- public static final String ALGO_CRYPT_AES_CBC = "cbc(aes)";
+ public static final String CRYPT_AES_CBC = "cbc(aes)";
/**
* MD5 HMAC Authentication/Integrity Algorithm. This algorithm is not recommended for use in new
@@ -40,7 +40,7 @@
*
* <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 128.
*/
- public static final String ALGO_AUTH_HMAC_MD5 = "hmac(md5)";
+ public static final String AUTH_HMAC_MD5 = "hmac(md5)";
/**
* SHA1 HMAC Authentication/Integrity Algorithm. This algorithm is not recommended for use in
@@ -48,35 +48,35 @@
*
* <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 160.
*/
- public static final String ALGO_AUTH_HMAC_SHA1 = "hmac(sha1)";
+ public static final String AUTH_HMAC_SHA1 = "hmac(sha1)";
/**
* SHA256 HMAC Authentication/Integrity Algorithm.
*
* <p>Valid truncation lengths are multiples of 8 bits from 96 to (default) 256.
*/
- public static final String ALGO_AUTH_HMAC_SHA256 = "hmac(sha256)";
+ public static final String AUTH_HMAC_SHA256 = "hmac(sha256)";
/**
* SHA384 HMAC Authentication/Integrity Algorithm.
*
* <p>Valid truncation lengths are multiples of 8 bits from 192 to (default) 384.
*/
- public static final String ALGO_AUTH_HMAC_SHA384 = "hmac(sha384)";
+ public static final String AUTH_HMAC_SHA384 = "hmac(sha384)";
/**
* SHA512 HMAC Authentication/Integrity Algorithm
*
* <p>Valid truncation lengths are multiples of 8 bits from 256 to (default) 512.
*/
- public static final String ALGO_AUTH_HMAC_SHA512 = "hmac(sha512)";
+ public static final String AUTH_HMAC_SHA512 = "hmac(sha512)";
/** @hide */
@StringDef({
- ALGO_CRYPT_AES_CBC,
- ALGO_AUTH_HMAC_MD5,
- ALGO_AUTH_HMAC_SHA1,
- ALGO_AUTH_HMAC_SHA256,
- ALGO_AUTH_HMAC_SHA512
+ CRYPT_AES_CBC,
+ AUTH_HMAC_MD5,
+ AUTH_HMAC_SHA1,
+ AUTH_HMAC_SHA256,
+ AUTH_HMAC_SHA512
})
@Retention(RetentionPolicy.SOURCE)
public @interface AlgorithmName {}
@@ -164,17 +164,17 @@
private static boolean isTruncationLengthValid(String algo, int truncLenBits) {
switch (algo) {
- case ALGO_CRYPT_AES_CBC:
+ case CRYPT_AES_CBC:
return (truncLenBits == 128 || truncLenBits == 192 || truncLenBits == 256);
- case ALGO_AUTH_HMAC_MD5:
+ case AUTH_HMAC_MD5:
return (truncLenBits >= 96 && truncLenBits <= 128);
- case ALGO_AUTH_HMAC_SHA1:
+ case AUTH_HMAC_SHA1:
return (truncLenBits >= 96 && truncLenBits <= 160);
- case ALGO_AUTH_HMAC_SHA256:
+ case AUTH_HMAC_SHA256:
return (truncLenBits >= 96 && truncLenBits <= 256);
- case ALGO_AUTH_HMAC_SHA384:
+ case AUTH_HMAC_SHA384:
return (truncLenBits >= 192 && truncLenBits <= 384);
- case ALGO_AUTH_HMAC_SHA512:
+ case AUTH_HMAC_SHA512:
return (truncLenBits >= 256 && truncLenBits <= 512);
default:
return false;
diff --git a/core/java/android/net/IpSecManager.java b/core/java/android/net/IpSecManager.java
index 6852beb..4bfeb09 100644
--- a/core/java/android/net/IpSecManager.java
+++ b/core/java/android/net/IpSecManager.java
@@ -193,15 +193,44 @@
*
* @param direction {@link IpSecTransform#DIRECTION_IN} or {@link IpSecTransform#DIRECTION_OUT}
* @param remoteAddress address of the remote. SPIs must be unique for each remoteAddress.
- * @param requestedSpi the requested SPI, or '0' to allocate a random SPI.
* @return the reserved SecurityParameterIndex
* @throws ResourceUnavailableException indicating that too many SPIs are currently allocated
* for this user
* @throws SpiUnavailableException indicating that a particular SPI cannot be reserved
*/
public SecurityParameterIndex reserveSecurityParameterIndex(
+ int direction, InetAddress remoteAddress)
+ throws ResourceUnavailableException {
+ try {
+ return new SecurityParameterIndex(
+ mService,
+ direction,
+ remoteAddress,
+ IpSecManager.INVALID_SECURITY_PARAMETER_INDEX);
+ } catch (SpiUnavailableException unlikely) {
+ throw new ResourceUnavailableException("No SPIs available");
+ }
+ }
+
+ /**
+ * Reserve an SPI for traffic bound towards the specified remote address.
+ *
+ * <p>If successful, this SPI is guaranteed available until released by a call to {@link
+ * SecurityParameterIndex#close()}.
+ *
+ * @param direction {@link IpSecTransform#DIRECTION_IN} or {@link IpSecTransform#DIRECTION_OUT}
+ * @param remoteAddress address of the remote. SPIs must be unique for each remoteAddress.
+ * @param requestedSpi the requested SPI, or '0' to allocate a random SPI.
+ * @return the reserved SecurityParameterIndex
+ * @throws ResourceUnavailableException indicating that too many SPIs are currently allocated
+ * for this user
+ */
+ public SecurityParameterIndex reserveSecurityParameterIndex(
int direction, InetAddress remoteAddress, int requestedSpi)
throws SpiUnavailableException, ResourceUnavailableException {
+ if (requestedSpi == IpSecManager.INVALID_SECURITY_PARAMETER_INDEX) {
+ throw new IllegalArgumentException("Requested SPI must be a valid (non-zero) SPI");
+ }
return new SecurityParameterIndex(mService, direction, remoteAddress, requestedSpi);
}