Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | package android.net; |
| 17 | |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 18 | import static android.net.IpSecManager.INVALID_RESOURCE_ID; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 19 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 20 | import android.annotation.IntDef; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 21 | import android.annotation.NonNull; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 22 | import android.annotation.SystemApi; |
| 23 | import android.content.Context; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 24 | import android.os.Binder; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 25 | import android.os.IBinder; |
| 26 | import android.os.RemoteException; |
| 27 | import android.os.ServiceManager; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 28 | import android.util.Log; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 29 | |
ludi | 1a06aa7 | 2017-05-12 09:15:00 -0700 | [diff] [blame] | 30 | import com.android.internal.annotations.VisibleForTesting; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 31 | import com.android.internal.util.Preconditions; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 32 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 33 | import dalvik.system.CloseGuard; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 34 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 35 | import java.io.IOException; |
| 36 | import java.lang.annotation.Retention; |
| 37 | import java.lang.annotation.RetentionPolicy; |
| 38 | import java.net.InetAddress; |
| 39 | |
| 40 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 41 | * This class represents a transform, which roughly corresponds to an IPsec Security Association. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 42 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 43 | * <p>Transforms are created using {@link IpSecTransform.Builder}. Each {@code IpSecTransform} |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 44 | * object encapsulates the properties and state of an IPsec security association. That includes, |
| 45 | * but is not limited to, algorithm choice, key material, and allocated system resources. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 46 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 47 | * @see <a href="https://tools.ietf.org/html/rfc4301">RFC 4301, Security Architecture for the |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 48 | * Internet Protocol</a> |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 49 | */ |
| 50 | public final class IpSecTransform implements AutoCloseable { |
| 51 | private static final String TAG = "IpSecTransform"; |
| 52 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 53 | /** @hide */ |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 54 | public static final int MODE_TRANSPORT = 0; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 55 | |
| 56 | /** @hide */ |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 57 | public static final int MODE_TUNNEL = 1; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 58 | |
| 59 | /** @hide */ |
| 60 | public static final int ENCAP_NONE = 0; |
| 61 | |
| 62 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 63 | * IPsec traffic will be encapsulated within UDP, but with 8 zero-value bytes between the UDP |
| 64 | * header and payload. This prevents traffic from being interpreted as ESP or IKEv2. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 65 | * |
| 66 | * @hide |
| 67 | */ |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 68 | public static final int ENCAP_ESPINUDP_NON_IKE = 1; |
| 69 | |
| 70 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 71 | * IPsec traffic will be encapsulated within UDP as per |
| 72 | * <a href="https://tools.ietf.org/html/rfc3948">RFC 3498</a>. |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 73 | * |
| 74 | * @hide |
| 75 | */ |
| 76 | public static final int ENCAP_ESPINUDP = 2; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 77 | |
| 78 | /** @hide */ |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 79 | @IntDef(value = {ENCAP_NONE, ENCAP_ESPINUDP, ENCAP_ESPINUDP_NON_IKE}) |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 80 | @Retention(RetentionPolicy.SOURCE) |
| 81 | public @interface EncapType {} |
| 82 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 83 | private IpSecTransform(Context context, IpSecConfig config) { |
| 84 | mContext = context; |
| 85 | mConfig = config; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 86 | mResourceId = INVALID_RESOURCE_ID; |
| 87 | } |
| 88 | |
| 89 | private IIpSecService getIpSecService() { |
| 90 | IBinder b = ServiceManager.getService(android.content.Context.IPSEC_SERVICE); |
| 91 | if (b == null) { |
| 92 | throw new RemoteException("Failed to connect to IpSecService") |
| 93 | .rethrowAsRuntimeException(); |
| 94 | } |
| 95 | |
| 96 | return IIpSecService.Stub.asInterface(b); |
| 97 | } |
| 98 | |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 99 | /** |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 100 | * Checks the result status and throws an appropriate exception if the status is not Status.OK. |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 101 | */ |
| 102 | private void checkResultStatus(int status) |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 103 | throws IOException, IpSecManager.ResourceUnavailableException, |
| 104 | IpSecManager.SpiUnavailableException { |
| 105 | switch (status) { |
| 106 | case IpSecManager.Status.OK: |
| 107 | return; |
| 108 | // TODO: Pass Error string back from bundle so that errors can be more specific |
| 109 | case IpSecManager.Status.RESOURCE_UNAVAILABLE: |
| 110 | throw new IpSecManager.ResourceUnavailableException( |
| 111 | "Failed to allocate a new IpSecTransform"); |
| 112 | case IpSecManager.Status.SPI_UNAVAILABLE: |
| 113 | Log.wtf(TAG, "Attempting to use an SPI that was somehow not reserved"); |
| 114 | // Fall through |
| 115 | default: |
| 116 | throw new IllegalStateException( |
| 117 | "Failed to Create a Transform with status code " + status); |
| 118 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 119 | } |
| 120 | |
| 121 | private IpSecTransform activate() |
| 122 | throws IOException, IpSecManager.ResourceUnavailableException, |
| 123 | IpSecManager.SpiUnavailableException { |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 124 | synchronized (this) { |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 125 | try { |
| 126 | IIpSecService svc = getIpSecService(); |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 127 | IpSecTransformResponse result = |
| 128 | svc.createTransportModeTransform(mConfig, new Binder()); |
| 129 | int status = result.status; |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 130 | checkResultStatus(status); |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 131 | mResourceId = result.resourceId; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 132 | |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 133 | /* Keepalive will silently fail if not needed by the config; but, if needed and |
| 134 | * it fails to start, we need to bail because a transform will not be reliable |
| 135 | * to use if keepalive is expected to offload and fails. |
| 136 | */ |
| 137 | // FIXME: if keepalive fails, we need to fail spectacularly |
| 138 | startKeepalive(mContext); |
| 139 | Log.d(TAG, "Added Transform with Id " + mResourceId); |
| 140 | mCloseGuard.open("build"); |
| 141 | } catch (RemoteException e) { |
| 142 | throw e.rethrowAsRuntimeException(); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 143 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 144 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 145 | |
| 146 | return this; |
| 147 | } |
| 148 | |
| 149 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 150 | * Deactivate this {@code IpSecTransform} and free allocated resources. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 151 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 152 | * <p>Deactivating a transform while it is still applied to a socket will result in errors on |
| 153 | * that socket. Make sure to remove transforms by calling {@link |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 154 | * IpSecManager#removeTransportModeTransforms}. Note, removing an {@code IpSecTransform} from a |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 155 | * socket will not deactivate it (because one transform may be applied to multiple sockets). |
| 156 | * |
| 157 | * <p>It is safe to call this method on a transform that has already been deactivated. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 158 | */ |
| 159 | public void close() { |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 160 | Log.d(TAG, "Removing Transform with Id " + mResourceId); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 161 | |
| 162 | // Always safe to attempt cleanup |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 163 | if (mResourceId == INVALID_RESOURCE_ID) { |
| 164 | mCloseGuard.close(); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 165 | return; |
| 166 | } |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 167 | try { |
| 168 | /* Order matters here because the keepalive is best-effort but could fail in some |
| 169 | * horrible way to be removed if the wifi (or cell) subsystem has crashed, and we |
| 170 | * still want to clear out the transform. |
| 171 | */ |
| 172 | IIpSecService svc = getIpSecService(); |
| 173 | svc.deleteTransportModeTransform(mResourceId); |
| 174 | stopKeepalive(); |
| 175 | } catch (RemoteException e) { |
| 176 | throw e.rethrowAsRuntimeException(); |
| 177 | } finally { |
| 178 | mResourceId = INVALID_RESOURCE_ID; |
| 179 | mCloseGuard.close(); |
| 180 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 181 | } |
| 182 | |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 183 | /** Check that the transform was closed properly. */ |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 184 | @Override |
| 185 | protected void finalize() throws Throwable { |
| 186 | if (mCloseGuard != null) { |
| 187 | mCloseGuard.warnIfOpen(); |
| 188 | } |
| 189 | close(); |
| 190 | } |
| 191 | |
| 192 | /* Package */ |
| 193 | IpSecConfig getConfig() { |
| 194 | return mConfig; |
| 195 | } |
| 196 | |
| 197 | private final IpSecConfig mConfig; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 198 | private int mResourceId; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 199 | private final Context mContext; |
| 200 | private final CloseGuard mCloseGuard = CloseGuard.get(); |
| 201 | private ConnectivityManager.PacketKeepalive mKeepalive; |
| 202 | private int mKeepaliveStatus = ConnectivityManager.PacketKeepalive.NO_KEEPALIVE; |
| 203 | private Object mKeepaliveSyncLock = new Object(); |
| 204 | private ConnectivityManager.PacketKeepaliveCallback mKeepaliveCallback = |
| 205 | new ConnectivityManager.PacketKeepaliveCallback() { |
| 206 | |
| 207 | @Override |
| 208 | public void onStarted() { |
| 209 | synchronized (mKeepaliveSyncLock) { |
| 210 | mKeepaliveStatus = ConnectivityManager.PacketKeepalive.SUCCESS; |
| 211 | mKeepaliveSyncLock.notifyAll(); |
| 212 | } |
| 213 | } |
| 214 | |
| 215 | @Override |
| 216 | public void onStopped() { |
| 217 | synchronized (mKeepaliveSyncLock) { |
| 218 | mKeepaliveStatus = ConnectivityManager.PacketKeepalive.NO_KEEPALIVE; |
| 219 | mKeepaliveSyncLock.notifyAll(); |
| 220 | } |
| 221 | } |
| 222 | |
| 223 | @Override |
| 224 | public void onError(int error) { |
| 225 | synchronized (mKeepaliveSyncLock) { |
| 226 | mKeepaliveStatus = error; |
| 227 | mKeepaliveSyncLock.notifyAll(); |
| 228 | } |
| 229 | } |
| 230 | }; |
| 231 | |
| 232 | /* Package */ |
| 233 | void startKeepalive(Context c) { |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 234 | if (mConfig.getNattKeepaliveInterval() != 0) { |
| 235 | Log.wtf(TAG, "Keepalive not yet supported."); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 236 | } |
| 237 | } |
| 238 | |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 239 | /** @hide */ |
| 240 | @VisibleForTesting |
| 241 | public int getResourceId() { |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 242 | return mResourceId; |
| 243 | } |
| 244 | |
| 245 | /* Package */ |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 246 | void stopKeepalive() { |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 247 | return; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 248 | } |
| 249 | |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 250 | /** This class is used to build {@link IpSecTransform} objects. */ |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 251 | public static class Builder { |
| 252 | private Context mContext; |
| 253 | private IpSecConfig mConfig; |
| 254 | |
| 255 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 256 | * Set the encryption algorithm. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 257 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 258 | * <p>Encryption is mutually exclusive with authenticated encryption. |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 259 | * |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 260 | * @param algo {@link IpSecAlgorithm} specifying the encryption to be applied. |
| 261 | */ |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 262 | public IpSecTransform.Builder setEncryption(@NonNull IpSecAlgorithm algo) { |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 263 | // TODO: throw IllegalArgumentException if algo is not an encryption algorithm. |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 264 | Preconditions.checkNotNull(algo); |
| 265 | mConfig.setEncryption(algo); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 266 | return this; |
| 267 | } |
| 268 | |
| 269 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 270 | * Set the authentication (integrity) algorithm. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 271 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 272 | * <p>Authentication is mutually exclusive with authenticated encryption. |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 273 | * |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 274 | * @param algo {@link IpSecAlgorithm} specifying the authentication to be applied. |
| 275 | */ |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 276 | public IpSecTransform.Builder setAuthentication(@NonNull IpSecAlgorithm algo) { |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 277 | // TODO: throw IllegalArgumentException if algo is not an authentication algorithm. |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 278 | Preconditions.checkNotNull(algo); |
| 279 | mConfig.setAuthentication(algo); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 280 | return this; |
| 281 | } |
| 282 | |
| 283 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 284 | * Set the authenticated encryption algorithm. |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 285 | * |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 286 | * <p>The Authenticated Encryption (AE) class of algorithms are also known as |
| 287 | * Authenticated Encryption with Associated Data (AEAD) algorithms, or Combined mode |
| 288 | * algorithms (as referred to in |
| 289 | * <a href="https://tools.ietf.org/html/rfc4301">RFC 4301</a>). |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 290 | * |
| 291 | * <p>Authenticated encryption is mutually exclusive with encryption and authentication. |
| 292 | * |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 293 | * @param algo {@link IpSecAlgorithm} specifying the authenticated encryption algorithm to |
| 294 | * be applied. |
| 295 | */ |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 296 | public IpSecTransform.Builder setAuthenticatedEncryption(@NonNull IpSecAlgorithm algo) { |
| 297 | Preconditions.checkNotNull(algo); |
| 298 | mConfig.setAuthenticatedEncryption(algo); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 299 | return this; |
| 300 | } |
| 301 | |
| 302 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 303 | * Set the {@link Network} which will carry tunneled traffic. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 304 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 305 | * <p>Restricts the transformed traffic to a particular {@link Network}. This is required |
| 306 | * for tunnel mode, otherwise tunneled traffic would be sent on the default network. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 307 | * |
| 308 | * @hide |
| 309 | */ |
| 310 | @SystemApi |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 311 | public IpSecTransform.Builder setUnderlyingNetwork(@NonNull Network net) { |
| 312 | Preconditions.checkNotNull(net); |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 313 | mConfig.setNetwork(net); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 314 | return this; |
| 315 | } |
| 316 | |
| 317 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 318 | * Add UDP encapsulation to an IPv4 transform. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 319 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 320 | * <p>This allows IPsec traffic to pass through a NAT. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 321 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 322 | * @see <a href="https://tools.ietf.org/html/rfc3948">RFC 3948, UDP Encapsulation of IPsec |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 323 | * ESP Packets</a> |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 324 | * @see <a href="https://tools.ietf.org/html/rfc7296#section-2.23">RFC 7296 section 2.23, |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 325 | * NAT Traversal of IKEv2</a> |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 326 | * @param localSocket a socket for sending and receiving encapsulated traffic |
| 327 | * @param remotePort the UDP port number of the remote host that will send and receive |
| 328 | * encapsulated traffic. In the case of IKEv2, this should be port 4500. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 329 | */ |
| 330 | public IpSecTransform.Builder setIpv4Encapsulation( |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 331 | @NonNull IpSecManager.UdpEncapsulationSocket localSocket, int remotePort) { |
| 332 | Preconditions.checkNotNull(localSocket); |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 333 | mConfig.setEncapType(ENCAP_ESPINUDP); |
Nathan Harold | 6119d8d | 2017-12-13 18:51:35 -0800 | [diff] [blame] | 334 | if (localSocket.getResourceId() == INVALID_RESOURCE_ID) { |
| 335 | throw new IllegalArgumentException("Invalid UdpEncapsulationSocket"); |
| 336 | } |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 337 | mConfig.setEncapSocketResourceId(localSocket.getResourceId()); |
| 338 | mConfig.setEncapRemotePort(remotePort); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 339 | return this; |
| 340 | } |
| 341 | |
| 342 | // TODO: Decrease the minimum keepalive to maybe 10? |
| 343 | // TODO: Probably a better exception to throw for NATTKeepalive failure |
| 344 | // TODO: Specify the needed NATT keepalive permission. |
| 345 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 346 | * Set NAT-T keepalives to be sent with a given interval. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 347 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 348 | * <p>This will set power-efficient keepalive packets to be sent by the system. If NAT-T |
| 349 | * keepalive is requested but cannot be activated, then creation of an {@link |
| 350 | * IpSecTransform} will fail when calling the build method. |
| 351 | * |
| 352 | * @param intervalSeconds the maximum number of seconds between keepalive packets. Must be |
| 353 | * between 20s and 3600s. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 354 | * @hide |
| 355 | */ |
| 356 | @SystemApi |
| 357 | public IpSecTransform.Builder setNattKeepalive(int intervalSeconds) { |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 358 | mConfig.setNattKeepaliveInterval(intervalSeconds); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 359 | return this; |
| 360 | } |
| 361 | |
| 362 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 363 | * Build a transport mode {@link IpSecTransform}. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 364 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 365 | * <p>This builds and activates a transport mode transform. Note that an active transform |
| 366 | * will not affect any network traffic until it has been applied to one or more sockets. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 367 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 368 | * @see IpSecManager#applyTransportModeTransform |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 369 | * @param sourceAddress the source {@code InetAddress} of traffic on sockets that will use |
| 370 | * this transform; this address must belong to the Network used by all sockets that |
| 371 | * utilize this transform; if provided, then only traffic originating from the |
| 372 | * specified source address will be processed. |
| 373 | * @param spi a unique {@link IpSecManager.SecurityParameterIndex} to identify transformed |
| 374 | * traffic |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 375 | * @throws IllegalArgumentException indicating that a particular combination of transform |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 376 | * properties is invalid |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 377 | * @throws IpSecManager.ResourceUnavailableException indicating that too many transforms |
| 378 | * are active |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 379 | * @throws IpSecManager.SpiUnavailableException indicating the rare case where an SPI |
| 380 | * collides with an existing transform |
| 381 | * @throws IOException indicating other errors |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 382 | */ |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 383 | public IpSecTransform buildTransportModeTransform( |
| 384 | @NonNull InetAddress sourceAddress, |
| 385 | @NonNull IpSecManager.SecurityParameterIndex spi) |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 386 | throws IpSecManager.ResourceUnavailableException, |
| 387 | IpSecManager.SpiUnavailableException, IOException { |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 388 | Preconditions.checkNotNull(sourceAddress); |
| 389 | Preconditions.checkNotNull(spi); |
| 390 | if (spi.getResourceId() == INVALID_RESOURCE_ID) { |
| 391 | throw new IllegalArgumentException("Invalid SecurityParameterIndex"); |
Nathan Harold | 6119d8d | 2017-12-13 18:51:35 -0800 | [diff] [blame] | 392 | } |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 393 | mConfig.setMode(MODE_TRANSPORT); |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 394 | mConfig.setSourceAddress(sourceAddress.getHostAddress()); |
| 395 | mConfig.setSpiResourceId(spi.getResourceId()); |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 396 | // FIXME: modifying a builder after calling build can change the built transform. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 397 | return new IpSecTransform(mContext, mConfig).activate(); |
| 398 | } |
| 399 | |
| 400 | /** |
| 401 | * Build and return an {@link IpSecTransform} object as a Tunnel Mode Transform. Some |
| 402 | * parameters have interdependencies that are checked at build time. |
| 403 | * |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 404 | * @param sourceAddress the {@link InetAddress} that provides the source address for this |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 405 | * IPsec tunnel. This is almost certainly an address belonging to the {@link Network} |
| 406 | * that will originate the traffic, which is set as the {@link #setUnderlyingNetwork}. |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 407 | * @param spi a unique {@link IpSecManager.SecurityParameterIndex} to identify transformed |
| 408 | * traffic |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 409 | * @throws IllegalArgumentException indicating that a particular combination of transform |
| 410 | * properties is invalid. |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 411 | * @throws IpSecManager.ResourceUnavailableException indicating that too many transforms |
| 412 | * are active |
| 413 | * @throws IpSecManager.SpiUnavailableException indicating the rare case where an SPI |
| 414 | * collides with an existing transform |
| 415 | * @throws IOException indicating other errors |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 416 | * @hide |
| 417 | */ |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 418 | public IpSecTransform buildTunnelModeTransform( |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 419 | @NonNull InetAddress sourceAddress, |
| 420 | @NonNull IpSecManager.SecurityParameterIndex spi) |
| 421 | throws IpSecManager.ResourceUnavailableException, |
| 422 | IpSecManager.SpiUnavailableException, IOException { |
| 423 | Preconditions.checkNotNull(sourceAddress); |
| 424 | Preconditions.checkNotNull(spi); |
| 425 | if (spi.getResourceId() == INVALID_RESOURCE_ID) { |
| 426 | throw new IllegalArgumentException("Invalid SecurityParameterIndex"); |
Nathan Harold | 6119d8d | 2017-12-13 18:51:35 -0800 | [diff] [blame] | 427 | } |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 428 | mConfig.setMode(MODE_TUNNEL); |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame^] | 429 | mConfig.setSourceAddress(sourceAddress.getHostAddress()); |
| 430 | mConfig.setSpiResourceId(spi.getResourceId()); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 431 | return new IpSecTransform(mContext, mConfig); |
| 432 | } |
| 433 | |
| 434 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 435 | * Create a new IpSecTransform.Builder. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 436 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 437 | * @param context current context |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 438 | */ |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 439 | public Builder(@NonNull Context context) { |
| 440 | Preconditions.checkNotNull(context); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 441 | mContext = context; |
| 442 | mConfig = new IpSecConfig(); |
| 443 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 444 | } |
| 445 | } |