Migrate Local/Remote Rekey IKE SAs during Mobility Event. am: e39c1e885b am: 8b24b36a21
Original change: https://android-review.googlesource.com/c/platform/packages/modules/IPsec/+/1501050
Change-Id: Iddac553dd35b223bbcc293d4b2c97f83b0182aee
diff --git a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
index 62c9904..62605b0 100644
--- a/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
+++ b/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachine.java
@@ -5085,8 +5085,12 @@
try {
mCurrentIkeSaRecord.migrate(mLocalAddress, mRemoteAddress);
- // TODO(b/172013873): migrate local rekey IKE SA
- // TODO(b/172013873): migrate remote rekey IKE SA
+ if (mLocalInitNewIkeSaRecord != null) {
+ mLocalInitNewIkeSaRecord.migrate(mLocalAddress, mRemoteAddress);
+ }
+ if (mRemoteInitNewIkeSaRecord != null) {
+ mRemoteInitNewIkeSaRecord.migrate(mLocalAddress, mRemoteAddress);
+ }
} catch (IOException e) {
// Failed to migrate IKE SAs due to IKE SPI collision
handleIkeFatalError(e);
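Review bot: The new call `mRemoteInitNewIkeSaRecord.migrate(mLocalAddress, mRemoteAddress)` passes the addresses in the same order as the locally initiated records, although on a remotely initiated rekey SA the peer is the initiator. The tests in this commit assert that the local address ends up as the source address of the initiator SPI, which suggests `migrate` takes (initiator, responder) addresses; its declaration is not part of this diff. If so, the remote rekey SA's SPIs would be bound to the wrong ends after a mobility event, and anything keyed on address plus SPI (such as the collision check this `catch` handles) could misfire. Please confirm the parameter contract and, if it is role-based, use `mRemoteInitNewIkeSaRecord.migrate(mRemoteAddress, mLocalAddress);` with a matching expectation in `testSetNetworkRemoteRekeyState`. The enclosing method starts and ends outside this hunk.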
diff --git a/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachineTest.java b/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachineTest.java
index 38dce30..cf5d6a2 100644
--- a/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachineTest.java
+++ b/tests/iketests/src/java/com/android/internal/net/ipsec/ike/IkeSessionStateMachineTest.java
@@ -3231,6 +3231,10 @@
public void testRekeyIkeLocalCreateHandlesResponse() throws Exception {
setupIdleStateMachine();
+ verifyRekeyIkeLocalCreateHandlesResponse();
+ }
+
+ private void verifyRekeyIkeLocalCreateHandlesResponse() throws Exception {
// Send Rekey-Create request
mIkeSessionStateMachine.sendMessage(
IkeSessionStateMachine.CMD_EXECUTE_LOCAL_REQ,
@@ -5394,23 +5398,21 @@
assertEquals(localAddress, mIkeSessionStateMachine.mLocalAddress);
assertEquals(remoteAddress, mIkeSessionStateMachine.mRemoteAddress);
- assertEquals(
- localAddress,
- mIkeSessionStateMachine
- .mCurrentIkeSaRecord
- .getInitiatorIkeSecurityParameterIndex()
- .getSourceAddress());
- assertEquals(
- remoteAddress,
- mIkeSessionStateMachine
- .mCurrentIkeSaRecord
- .getResponderIkeSecurityParameterIndex()
- .getSourceAddress());
+ verifyIkeSaAddresses(
+ mIkeSessionStateMachine.mCurrentIkeSaRecord, localAddress, remoteAddress);
assertEquals(underlyingNetwork, networkCallback.getNetwork());
assertEquals(localAddress, networkCallback.getAddress());
}
+ private void verifyIkeSaAddresses(
+ IkeSaRecord saRecord, InetAddress localAddress, InetAddress remoteAddress) {
+ assertEquals(
+ localAddress, saRecord.getInitiatorIkeSecurityParameterIndex().getSourceAddress());
+ assertEquals(
+ remoteAddress, saRecord.getResponderIkeSecurityParameterIndex().getSourceAddress());
+ }
+
@Test(expected = IllegalArgumentException.class)
public void testSetNetworkNull() throws Exception {
mIkeSessionStateMachine.setNetwork(null);
@@ -5432,7 +5434,8 @@
mIkeSessionStateMachine.setNetwork(newNetwork);
}
- private void verifySetNetwork(IkeNetworkCallbackBase callback) throws Exception {
+ private void verifySetNetwork(IkeNetworkCallbackBase callback, IkeSaRecord rekeySaRecord)
+ throws Exception {
Network newNetwork = mockNewNetworkAndAddress();
mIkeSessionStateMachine.setNetwork(newNetwork);
@@ -5445,6 +5448,10 @@
eq(true /* isIpv4 */),
eq(REMOTE_ADDRESS),
eq(IkeSocket.SERVER_PORT_NON_UDP_ENCAPSULATED));
+
+ if (rekeySaRecord != null) {
+ verifyIkeSaAddresses(rekeySaRecord, UPDATED_LOCAL_ADDRESS, REMOTE_ADDRESS);
+ }
}
@Test
@@ -5455,7 +5462,7 @@
IkeSessionStateMachine.CMD_FORCE_TRANSITION, mIkeSessionStateMachine.mIdle);
mLooper.dispatchAll();
- verifySetNetwork(callback);
+ verifySetNetwork(callback, null /* rekeySaRecord */);
}
@Test
@@ -5466,16 +5473,24 @@
mIkeSessionStateMachine.sendMessage(
IkeSessionStateMachine.CMD_FORCE_TRANSITION, mIkeSessionStateMachine.mIdle);
- // Send Rekey-Create request
- mIkeSessionStateMachine.sendMessage(
- IkeSessionStateMachine.CMD_EXECUTE_LOCAL_REQ,
- new IkeLocalRequest(IkeSessionStateMachine.CMD_LOCAL_REQUEST_REKEY_IKE));
- mLooper.dispatchAll();
- assertTrue(
- mIkeSessionStateMachine.getCurrentState()
- instanceof IkeSessionStateMachine.RekeyIkeLocalCreate);
- verifyRetransmissionStarted();
+ verifyRekeyIkeLocalCreateHandlesResponse();
- verifySetNetwork(callback);
+ verifySetNetwork(callback, mIkeSessionStateMachine.mLocalInitNewIkeSaRecord);
+ }
+
+ @Test
+ public void testSetNetworkRemoteRekeyState() throws Exception {
+ // Start IKE Session + transition to remote rekey
+ IkeNetworkCallbackBase callback =
+ verifyMobikeEnabled(true /* doesPeerSupportMobike */, mMockDefaultNetwork);
+
+ mIkeSessionStateMachine.mRemoteInitNewIkeSaRecord = mSpyRemoteInitIkeSaRecord;
+ mIkeSessionStateMachine.addIkeSaRecord(mSpyRemoteInitIkeSaRecord);
+ mIkeSessionStateMachine.sendMessage(
+ IkeSessionStateMachine.CMD_FORCE_TRANSITION,
+ mIkeSessionStateMachine.mRekeyIkeRemoteDelete);
+ mLooper.dispatchAll();
+
+ verifySetNetwork(callback, mIkeSessionStateMachine.mRemoteInitNewIkeSaRecord);
}
}
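Review bot: `verifySetNetwork` skips the address check whenever `rekeySaRecord` is null, so both new call sites pass silently if the rekey record was never populated, or was already cleared, by the time the argument is read. Add `assertNotNull(mIkeSessionStateMachine.mLocalInitNewIkeSaRecord);` before the call in the local-rekey test, and the same for `mRemoteInitNewIkeSaRecord` after `mLooper.dispatchAll()` in `testSetNetworkRemoteRekeyState`. Separately, the local-rekey test used to call `setNetwork` while still in `RekeyIkeLocalCreate` with retransmission running. It now appears to run after the create response has been handled (the helper body is outside this hunk), so a mobility event in the pre-response state is no longer covered.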