Fix Rekey Child to include caller configured DH groups
This commit fixes ChildSessionParams getters to return new
instances to avoid the risk of changing internal states of
ChildSessionParams. It fixes Rekey Child so that the
outbound request will include caller configured DH groups.
Previously getSaProposalsInternal returns the array instance
stored in ChildSessionParams, and causes the internal array
instance modified unexpectedly in the IKE AUTH state.
As results, ChildSessionParams#getSaProposalsInternal no
longer includes any caller configured DH groups and causes
the Rekey Child request to be rejected. This commit fixes
this issue by returning a copy of the array in
getSaProposalsInternal
Bug: 92042613
Test: atest FrameworksIkeTests(new tests), CtsIkeTestCases
Test: Manually verified Rekey Child
Change-Id: I49477a90465c3191811b139794676a577cd6cb41
Merged-In: I49477a90465c3191811b139794676a577cd6cb41
(cherry picked from commit b8a38090724ab1f2ee33de2f2c7f91327eff1331)
diff --git a/src/java/android/net/ipsec/ike/ChildSessionParams.java b/src/java/android/net/ipsec/ike/ChildSessionParams.java
index 06b3387..efc3e0b 100644
--- a/src/java/android/net/ipsec/ike/ChildSessionParams.java
+++ b/src/java/android/net/ipsec/ike/ChildSessionParams.java
@@ -247,17 +247,17 @@
/** @hide */
public IkeTrafficSelector[] getInboundTrafficSelectorsInternal() {
- return mInboundTrafficSelectors;
+ return Arrays.copyOf(mInboundTrafficSelectors, mInboundTrafficSelectors.length);
}
/** @hide */
public IkeTrafficSelector[] getOutboundTrafficSelectorsInternal() {
- return mOutboundTrafficSelectors;
+ return Arrays.copyOf(mOutboundTrafficSelectors, mOutboundTrafficSelectors.length);
}
/** @hide */
public ChildSaProposal[] getSaProposalsInternal() {
- return mSaProposals;
+ return Arrays.copyOf(mSaProposals, mSaProposals.length);
}
/** @hide */
diff --git a/tests/iketests/src/java/android/net/ipsec/ike/ChildSessionParamsTest.java b/tests/iketests/src/java/android/net/ipsec/ike/ChildSessionParamsTest.java
index 9995ad8..a9dcdc2 100644
--- a/tests/iketests/src/java/android/net/ipsec/ike/ChildSessionParamsTest.java
+++ b/tests/iketests/src/java/android/net/ipsec/ike/ChildSessionParamsTest.java
@@ -21,6 +21,7 @@
import static org.junit.Assert.assertArrayEquals;
import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.fail;
import android.net.InetAddresses;
@@ -74,6 +75,19 @@
assertFalse(sessionParams.isTransportMode());
}
+ @Test
+ public void testInternalGetterReturnsDifferentInstances() throws Exception {
+ ChildSessionParams sessionParams =
+ new TunnelModeChildSessionParams.Builder().addSaProposal(mSaProposal).build();
+
+ sessionParams.getSaProposalsInternal()[0] = null;
+ assertNotNull(sessionParams.getSaProposalsInternal()[0]);
+ sessionParams.getInboundTrafficSelectorsInternal()[0] = null;
+ assertNotNull(sessionParams.getInboundTrafficSelectorsInternal()[0]);
+ sessionParams.getOutboundTrafficSelectorsInternal()[0] = null;
+ assertNotNull(sessionParams.getOutboundTrafficSelectorsInternal()[0]);
+ }
+
private static void verifyPersistableBundleEncodeDecodeIsLossless(ChildSessionParams params) {
PersistableBundle bundle = params.toPersistableBundle();
ChildSessionParams result = ChildSessionParams.fromPersistableBundle(bundle);
