From f3cf55f7930f40a26db212e4ce23756df7b47826 Mon Sep 17 00:00:00 2001
From: Yan Yan <evitayan@google.com>
Date: Wed, 28 Apr 2021 15:16:22 -0700
Subject: [PATCH] Improve IKEv2/IPsec VPN by proposing more IPsec algorithms

This commit allows IKEv2/IPsec VPN to propose more algorithms that
newly added in IpSecAlgorithm. Those new algorithms have stronger
security guarantees and better performances.

This commit also removes algorithm name validation because all
algorithms are URL encoded to ensure no special characters create
problems due to their use by VpnProfile for list or field delimiting
(e.g. rfc7539esp(chacha20,poly1305))

Bug: 185265778
Test: atest FrameworksNetTests, CtsNetTestCases
Test: All new algorithms are manually verified
Change-Id: I1de322c95aacc8924e95bcdbcfdbd1ec441de99c
---
 .../java/android/net/Ikev2VpnProfileTest.java | 14 +++++++---
 .../android/internal/net/VpnProfileTest.java  | 26 +------------------
 2 files changed, 12 insertions(+), 28 deletions(-)

diff --git a/tests/unit/java/android/net/Ikev2VpnProfileTest.java b/tests/unit/java/android/net/Ikev2VpnProfileTest.java
index 1abd39a32b..0707ef3ed1 100644
--- a/tests/unit/java/android/net/Ikev2VpnProfileTest.java
+++ b/tests/unit/java/android/net/Ikev2VpnProfileTest.java
@@ -29,8 +29,8 @@ import androidx.test.filters.SmallTest;
 import androidx.test.runner.AndroidJUnit4;
 
 import com.android.internal.net.VpnProfile;
-import com.android.net.module.util.ProxyUtils;
 import com.android.internal.org.bouncycastle.x509.X509V1CertificateGenerator;
+import com.android.net.module.util.ProxyUtils;
 
 import org.junit.Before;
 import org.junit.Test;
@@ -170,7 +170,10 @@ public class Ikev2VpnProfileTest {
         final Ikev2VpnProfile.Builder builder = getBuilderWithDefaultOptions();
         builder.setAuthPsk(PSK_BYTES);
 
-        List<String> allowedAlgorithms = Arrays.asList(IpSecAlgorithm.AUTH_CRYPT_AES_GCM);
+        List<String> allowedAlgorithms =
+                Arrays.asList(
+                        IpSecAlgorithm.AUTH_CRYPT_AES_GCM,
+                        IpSecAlgorithm.AUTH_CRYPT_CHACHA20_POLY1305);
         builder.setAllowedAlgorithms(allowedAlgorithms);
 
         final Ikev2VpnProfile profile = builder.build();
@@ -183,7 +186,12 @@ public class Ikev2VpnProfileTest {
         builder.setAuthPsk(PSK_BYTES);
 
         List<String> allowedAlgorithms =
-                Arrays.asList(IpSecAlgorithm.AUTH_HMAC_SHA512, IpSecAlgorithm.CRYPT_AES_CBC);
+                Arrays.asList(
+                        IpSecAlgorithm.AUTH_HMAC_SHA512,
+                        IpSecAlgorithm.AUTH_AES_XCBC,
+                        IpSecAlgorithm.AUTH_AES_CMAC,
+                        IpSecAlgorithm.CRYPT_AES_CBC,
+                        IpSecAlgorithm.CRYPT_AES_CTR);
         builder.setAllowedAlgorithms(allowedAlgorithms);
 
         final Ikev2VpnProfile profile = builder.build();
diff --git a/tests/unit/java/com/android/internal/net/VpnProfileTest.java b/tests/unit/java/com/android/internal/net/VpnProfileTest.java
index 46597d19ef..cb0f0710d6 100644
--- a/tests/unit/java/com/android/internal/net/VpnProfileTest.java
+++ b/tests/unit/java/com/android/internal/net/VpnProfileTest.java
@@ -23,7 +23,6 @@ import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotEquals;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
-import static org.junit.Assert.fail;
 
 import android.net.IpSecAlgorithm;
 
@@ -97,6 +96,7 @@ public class VpnProfileTest {
         p.setAllowedAlgorithms(
                 Arrays.asList(
                         IpSecAlgorithm.AUTH_CRYPT_AES_GCM,
+                        IpSecAlgorithm.AUTH_CRYPT_CHACHA20_POLY1305,
                         IpSecAlgorithm.AUTH_HMAC_SHA512,
                         IpSecAlgorithm.CRYPT_AES_CBC));
         p.isBypassable = true;
@@ -125,30 +125,6 @@ public class VpnProfileTest {
         assertParcelSane(getSampleIkev2Profile(DUMMY_PROFILE_KEY), 23);
     }
 
-    @Test
-    public void testSetInvalidAlgorithmValueDelimiter() {
-        final VpnProfile profile = getSampleIkev2Profile(DUMMY_PROFILE_KEY);
-
-        try {
-            profile.setAllowedAlgorithms(
-                    Arrays.asList("test" + VpnProfile.VALUE_DELIMITER + "test"));
-            fail("Expected failure due to value separator in algorithm name");
-        } catch (IllegalArgumentException expected) {
-        }
-    }
-
-    @Test
-    public void testSetInvalidAlgorithmListDelimiter() {
-        final VpnProfile profile = getSampleIkev2Profile(DUMMY_PROFILE_KEY);
-
-        try {
-            profile.setAllowedAlgorithms(
-                    Arrays.asList("test" + VpnProfile.LIST_DELIMITER + "test"));
-            fail("Expected failure due to value separator in algorithm name");
-        } catch (IllegalArgumentException expected) {
-        }
-    }
-
     @Test
     public void testEncodeDecode() {
         final VpnProfile profile = getSampleIkev2Profile(DUMMY_PROFILE_KEY);
-- 
GitLab