Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | package android.net; |
| 17 | |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 18 | import static android.net.IpSecManager.INVALID_RESOURCE_ID; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 19 | |
Nathan Harold | c43e89f | 2017-12-06 19:12:28 -0800 | [diff] [blame] | 20 | import static com.android.internal.util.Preconditions.checkNotNull; |
| 21 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 22 | import android.annotation.IntDef; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 23 | import android.annotation.NonNull; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 24 | import android.annotation.SystemApi; |
| 25 | import android.content.Context; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 26 | import android.os.Binder; |
Nathan Harold | c43e89f | 2017-12-06 19:12:28 -0800 | [diff] [blame] | 27 | import android.os.Handler; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 28 | import android.os.IBinder; |
| 29 | import android.os.RemoteException; |
| 30 | import android.os.ServiceManager; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 31 | import android.util.Log; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 32 | |
ludi | 1a06aa7 | 2017-05-12 09:15:00 -0700 | [diff] [blame] | 33 | import com.android.internal.annotations.VisibleForTesting; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 34 | import com.android.internal.util.Preconditions; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 35 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 36 | import dalvik.system.CloseGuard; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 37 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 38 | import java.io.IOException; |
| 39 | import java.lang.annotation.Retention; |
| 40 | import java.lang.annotation.RetentionPolicy; |
| 41 | import java.net.InetAddress; |
| 42 | |
| 43 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 44 | * This class represents a transform, which roughly corresponds to an IPsec Security Association. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 45 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 46 | * <p>Transforms are created using {@link IpSecTransform.Builder}. Each {@code IpSecTransform} |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 47 | * object encapsulates the properties and state of an IPsec security association. That includes, |
| 48 | * but is not limited to, algorithm choice, key material, and allocated system resources. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 49 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 50 | * @see <a href="https://tools.ietf.org/html/rfc4301">RFC 4301, Security Architecture for the |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 51 | * Internet Protocol</a> |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 52 | */ |
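public final class IpSecTransform implements AutoCloseable {
    private static final String TAG = "IpSecTransform";

    /** @hide */
    public static final int MODE_TRANSPORT = 0;

    /** @hide */
    public static final int MODE_TUNNEL = 1;

    /** @hide */
    public static final int ENCAP_NONE = 0;

    /**
     * IPsec traffic will be encapsulated within UDP, but with 8 zero-value bytes between the UDP
     * header and payload. This prevents traffic from being interpreted as ESP or IKEv2.
     *
     * @hide
     */
    public static final int ENCAP_ESPINUDP_NON_IKE = 1;

    /**
     * IPsec traffic will be encapsulated within UDP as per
     * <a href="https://tools.ietf.org/html/rfc3948">RFC 3948</a>.
     *
     * @hide
     */
    public static final int ENCAP_ESPINUDP = 2;

    /** @hide */
    @IntDef(value = {ENCAP_NONE, ENCAP_ESPINUDP, ENCAP_ESPINUDP_NON_IKE})
    @Retention(RetentionPolicy.SOURCE)
    public @interface EncapType {}

    /**
     * Creates an inactive transform. No resource id is held until {@code activate()} stores the
     * one returned by the IpSecService.
     */
    private IpSecTransform(Context context, IpSecConfig config) {
        mContext = context;
        mConfig = config;
        mResourceId = INVALID_RESOURCE_ID;
    }

    /**
     * Looks up the IpSecService binder and wraps it in its AIDL interface.
     *
     * @throws RuntimeException (a rethrown {@link RemoteException}) if the service binder cannot
     *     be obtained
     */
    private IIpSecService getIpSecService() {
        IBinder b = ServiceManager.getService(android.content.Context.IPSEC_SERVICE);
        if (b == null) {
            throw new RemoteException("Failed to connect to IpSecService")
                    .rethrowAsRuntimeException();
        }

        return IIpSecService.Stub.asInterface(b);
    }

    /**
     * Checks the result status and throws an appropriate exception if the status is not Status.OK.
     *
     * <p>Only {@link IpSecManager.ResourceUnavailableException} and {@link IllegalStateException}
     * are thrown by this body; {@code IOException} and {@code SpiUnavailableException} are
     * declared but not raised here.
     */
    private void checkResultStatus(int status)
            throws IOException, IpSecManager.ResourceUnavailableException,
                    IpSecManager.SpiUnavailableException {
        switch (status) {
            case IpSecManager.Status.OK:
                return;
                // TODO: Pass Error string back from bundle so that errors can be more specific
            case IpSecManager.Status.RESOURCE_UNAVAILABLE:
                throw new IpSecManager.ResourceUnavailableException(
                        "Failed to allocate a new IpSecTransform");
            case IpSecManager.Status.SPI_UNAVAILABLE:
                // The builders only accept an SPI with a valid resource id, so this status is
                // treated as an internal error rather than a recoverable condition.
                Log.wtf(TAG, "Attempting to use an SPI that was somehow not reserved");
                // Fall through
            default:
                throw new IllegalStateException(
                        "Failed to Create a Transform with status code " + status);
        }
    }

    /**
     * Asks the IpSecService to create the transform described by {@code mConfig} and records the
     * resource id it returns.
     *
     * @return this transform, now holding a service-side resource
     */
    private IpSecTransform activate()
            throws IOException, IpSecManager.ResourceUnavailableException,
                    IpSecManager.SpiUnavailableException {
        synchronized (this) {
            try {
                IIpSecService svc = getIpSecService();
                IpSecTransformResponse result = svc.createTransform(mConfig, new Binder());
                int status = result.status;
                // Throws before mResourceId is written, so a failed activation leaves the
                // transform inactive and close() has nothing to release.
                checkResultStatus(status);
                mResourceId = result.resourceId;
                Log.d(TAG, "Added Transform with Id " + mResourceId);
                mCloseGuard.open("build");
            } catch (RemoteException e) {
                throw e.rethrowAsRuntimeException();
            }
        }

        return this;
    }

    /**
     * Deactivate this {@code IpSecTransform} and free allocated resources.
     *
     * <p>Deactivating a transform while it is still applied to a socket will result in errors on
     * that socket. Make sure to remove transforms by calling {@link
     * IpSecManager#removeTransportModeTransforms}. Note, removing an {@code IpSecTransform} from a
     * socket will not deactivate it (because one transform may be applied to multiple sockets).
     *
     * <p>It is safe to call this method on a transform that has already been deactivated.
     */
    public void close() {
        Log.d(TAG, "Removing Transform with Id " + mResourceId);

        // Always safe to attempt cleanup
        if (mResourceId == INVALID_RESOURCE_ID) {
            mCloseGuard.close();
            return;
        }
        try {
            IIpSecService svc = getIpSecService();
            svc.deleteTransform(mResourceId);
        } catch (RemoteException e) {
            throw e.rethrowAsRuntimeException();
        } finally {
            // Reset local state first so the transform is marked inactive whatever happens below.
            mResourceId = INVALID_RESOURCE_ID;
            mCloseGuard.close();
            // Stop the keepalive on the failure path too. Once the resource id is invalid,
            // close() returns early, so a keepalive left running here would never be torn down
            // by a later close().
            stopNattKeepalive();
        }
    }

    /** Check that the transform was closed properly. */
    @Override
    protected void finalize() throws Throwable {
        if (mCloseGuard != null) {
            mCloseGuard.warnIfOpen();
        }
        close();
    }

    /* Package */
    IpSecConfig getConfig() {
        return mConfig;
    }

    private final IpSecConfig mConfig;
    // Written inside synchronized (this) in activate(), but read and reset without that lock in
    // close(), getResourceId() and startNattKeepalive().
    private int mResourceId;
    private final Context mContext;
    private final CloseGuard mCloseGuard = CloseGuard.get();
    private ConnectivityManager.PacketKeepalive mKeepalive;
    private Handler mCallbackHandler;
    // Inside this anonymous class, synchronized (this) locks the callback object itself. That is
    // the same monitor startNattKeepalive() and stopNattKeepalive() take with
    // synchronized (mKeepaliveCallback).
    private final ConnectivityManager.PacketKeepaliveCallback mKeepaliveCallback =
            new ConnectivityManager.PacketKeepaliveCallback() {

                @Override
                public void onStarted() {
                    synchronized (this) {
                        mCallbackHandler.post(() -> mUserKeepaliveCallback.onStarted());
                    }
                }

                @Override
                public void onStopped() {
                    synchronized (this) {
                        // Clearing mKeepalive is what allows a new keepalive to be started.
                        mKeepalive = null;
                        mCallbackHandler.post(() -> mUserKeepaliveCallback.onStopped());
                    }
                }

                @Override
                public void onError(int error) {
                    synchronized (this) {
                        mKeepalive = null;
                        mCallbackHandler.post(() -> mUserKeepaliveCallback.onError(error));
                    }
                }
            };

    private NattKeepaliveCallback mUserKeepaliveCallback;

    /** @hide */
    @VisibleForTesting
    public int getResourceId() {
        return mResourceId;
    }

    /**
     * A callback class to provide status information regarding a NAT-T keepalive session
     *
     * <p>Use this callback to receive status information regarding a NAT-T keepalive session
     * by registering it when calling {@link #startNattKeepalive}.
     *
     * @hide
     */
    @SystemApi
    public static class NattKeepaliveCallback {
        /** The specified {@code Network} is not connected. */
        public static final int ERROR_INVALID_NETWORK = 1;
        /** The hardware does not support this request. */
        public static final int ERROR_HARDWARE_UNSUPPORTED = 2;
        /** The hardware returned an error. */
        public static final int ERROR_HARDWARE_ERROR = 3;

        /** The requested keepalive was successfully started. */
        public void onStarted() {}
        /** The keepalive was successfully stopped. */
        public void onStopped() {}
        /** An error occurred. */
        public void onError(int error) {}
    }

    /**
     * Start a NAT-T keepalive session for the current transform.
     *
     * For a transform that is using UDP encapsulated IPv4, NAT-T offloading provides
     * a power efficient mechanism of sending NAT-T packets at a specified interval.
     *
     * @param userCallback a {@link NattKeepaliveCallback} to receive asynchronous status
     *      information about the requested NAT-T keepalive session.
     * @param intervalSeconds the interval between NAT-T keepalives being sent. The
     *      allowed range is between 20 and 3600 seconds.
     * @param handler a handler on which to post callbacks when received.
     * @throws IllegalArgumentException if {@code intervalSeconds} is outside the allowed range
     * @throws IllegalStateException if the transform is inactive or a keepalive is already active
     *
     * @hide
     */
    @SystemApi
    public void startNattKeepalive(@NonNull NattKeepaliveCallback userCallback,
            int intervalSeconds, @NonNull Handler handler) throws IOException {
        checkNotNull(userCallback);
        if (intervalSeconds < 20 || intervalSeconds > 3600) {
            throw new IllegalArgumentException("Invalid NAT-T keepalive interval");
        }
        checkNotNull(handler);
        if (mResourceId == INVALID_RESOURCE_ID) {
            throw new IllegalStateException(
                    "Packet keepalive cannot be started for an inactive transform");
        }

        synchronized (mKeepaliveCallback) {
            // The "already active" state is a live PacketKeepalive. mKeepaliveCallback is a final
            // field that is never null, so testing it would reject every call.
            if (mKeepalive != null) {
                throw new IllegalStateException("Keepalive already active");
            }

            // Publish both callback targets before the keepalive is requested, so a status
            // callback never finds a null handler.
            mUserKeepaliveCallback = userCallback;
            mCallbackHandler = handler;
            ConnectivityManager cm = (ConnectivityManager) mContext.getSystemService(
                    Context.CONNECTIVITY_SERVICE);
            mKeepalive = cm.startNattKeepalive(
                    mConfig.getNetwork(), intervalSeconds, mKeepaliveCallback,
                    NetworkUtils.numericToInetAddress(mConfig.getSourceAddress()),
                    4500, // FIXME urgently, we need to get the port number from the Encap socket
                    NetworkUtils.numericToInetAddress(mConfig.getDestinationAddress()));
        }
    }

    /**
     * Stop an ongoing NAT-T keepalive session.
     *
     * Calling this API will request that an ongoing NAT-T keepalive session be terminated.
     * If this API is not called when a Transform is closed, the underlying NAT-T session will
     * be terminated automatically.
     *
     * @hide
     */
    @SystemApi
    public void stopNattKeepalive() {
        synchronized (mKeepaliveCallback) {
            if (mKeepalive == null) {
                Log.e(TAG, "No active keepalive to stop");
                return;
            }
            // mKeepalive is not cleared here; the onStopped()/onError() callbacks null it.
            mKeepalive.stop();
        }
    }

    /** This class is used to build {@link IpSecTransform} objects. */
    public static class Builder {
        private Context mContext;
        private IpSecConfig mConfig;

        /**
         * Set the encryption algorithm.
         *
         * <p>Encryption is mutually exclusive with authenticated encryption.
         *
         * @param algo {@link IpSecAlgorithm} specifying the encryption to be applied.
         */
        public IpSecTransform.Builder setEncryption(@NonNull IpSecAlgorithm algo) {
            // TODO: throw IllegalArgumentException if algo is not an encryption algorithm.
            Preconditions.checkNotNull(algo);
            mConfig.setEncryption(algo);
            return this;
        }

        /**
         * Set the authentication (integrity) algorithm.
         *
         * <p>Authentication is mutually exclusive with authenticated encryption.
         *
         * @param algo {@link IpSecAlgorithm} specifying the authentication to be applied.
         */
        public IpSecTransform.Builder setAuthentication(@NonNull IpSecAlgorithm algo) {
            // TODO: throw IllegalArgumentException if algo is not an authentication algorithm.
            Preconditions.checkNotNull(algo);
            mConfig.setAuthentication(algo);
            return this;
        }

        /**
         * Set the authenticated encryption algorithm.
         *
         * <p>The Authenticated Encryption (AE) class of algorithms are also known as
         * Authenticated Encryption with Associated Data (AEAD) algorithms, or Combined mode
         * algorithms (as referred to in
         * <a href="https://tools.ietf.org/html/rfc4301">RFC 4301</a>).
         *
         * <p>Authenticated encryption is mutually exclusive with encryption and authentication.
         *
         * @param algo {@link IpSecAlgorithm} specifying the authenticated encryption algorithm to
         *     be applied.
         */
        public IpSecTransform.Builder setAuthenticatedEncryption(@NonNull IpSecAlgorithm algo) {
            // NOTE(review): none of the three setters enforces the mutual exclusion described in
            // the Javadoc; presumably it is checked elsewhere - confirm.
            Preconditions.checkNotNull(algo);
            mConfig.setAuthenticatedEncryption(algo);
            return this;
        }

        /**
         * Add UDP encapsulation to an IPv4 transform.
         *
         * <p>This allows IPsec traffic to pass through a NAT.
         *
         * @see <a href="https://tools.ietf.org/html/rfc3948">RFC 3948, UDP Encapsulation of IPsec
         *     ESP Packets</a>
         * @see <a href="https://tools.ietf.org/html/rfc7296#section-2.23">RFC 7296 section 2.23,
         *     NAT Traversal of IKEv2</a>
         * @param localSocket a socket for sending and receiving encapsulated traffic
         * @param remotePort the UDP port number of the remote host that will send and receive
         *     encapsulated traffic. In the case of IKEv2, this should be port 4500.
         * @throws IllegalArgumentException if {@code localSocket} holds no valid resource id
         */
        public IpSecTransform.Builder setIpv4Encapsulation(
                @NonNull IpSecManager.UdpEncapsulationSocket localSocket, int remotePort) {
            Preconditions.checkNotNull(localSocket);
            // Validate before touching mConfig, so a rejected socket does not leave the builder
            // with an encapsulation type set but no encapsulation socket.
            final int socketResourceId = localSocket.getResourceId();
            if (socketResourceId == INVALID_RESOURCE_ID) {
                throw new IllegalArgumentException("Invalid UdpEncapsulationSocket");
            }
            // NOTE(review): remotePort is stored without a range check here; presumably it is
            // validated by the service - confirm.
            mConfig.setEncapType(ENCAP_ESPINUDP);
            mConfig.setEncapSocketResourceId(socketResourceId);
            mConfig.setEncapRemotePort(remotePort);
            return this;
        }

        /**
         * Build a transport mode {@link IpSecTransform}.
         *
         * <p>This builds and activates a transport mode transform. Note that an active transform
         * will not affect any network traffic until it has been applied to one or more sockets.
         *
         * @see IpSecManager#applyTransportModeTransform
         * @param sourceAddress the source {@code InetAddress} of traffic on sockets that will use
         *     this transform; this address must belong to the Network used by all sockets that
         *     utilize this transform; if provided, then only traffic originating from the
         *     specified source address will be processed.
         * @param spi a unique {@link IpSecManager.SecurityParameterIndex} to identify transformed
         *     traffic
         * @throws IllegalArgumentException indicating that a particular combination of transform
         *     properties is invalid
         * @throws IpSecManager.ResourceUnavailableException indicating that too many transforms
         *     are active
         * @throws IpSecManager.SpiUnavailableException indicating the rare case where an SPI
         *     collides with an existing transform
         * @throws IOException indicating other errors
         */
        public IpSecTransform buildTransportModeTransform(
                @NonNull InetAddress sourceAddress,
                @NonNull IpSecManager.SecurityParameterIndex spi)
                throws IpSecManager.ResourceUnavailableException,
                        IpSecManager.SpiUnavailableException, IOException {
            Preconditions.checkNotNull(sourceAddress);
            Preconditions.checkNotNull(spi);
            if (spi.getResourceId() == INVALID_RESOURCE_ID) {
                throw new IllegalArgumentException("Invalid SecurityParameterIndex");
            }
            mConfig.setMode(MODE_TRANSPORT);
            mConfig.setSourceAddress(sourceAddress.getHostAddress());
            mConfig.setSpiResourceId(spi.getResourceId());
            // FIXME: modifying a builder after calling build can change the built transform.
            // The transform keeps a reference to this builder's IpSecConfig, not a copy. Later
            // setter calls therefore change what getConfig() returns and the addresses that
            // startNattKeepalive() reads. Do not reuse a builder after building.
            return new IpSecTransform(mContext, mConfig).activate();
        }

        /**
         * Build and return an {@link IpSecTransform} object as a Tunnel Mode Transform. Some
         * parameters have interdependencies that are checked at build time.
         *
         * @param sourceAddress the {@link InetAddress} that provides the source address for this
         *     IPsec tunnel. This is almost certainly an address belonging to the {@link Network}
         *     that will originate the traffic, which is set as the {@link #setUnderlyingNetwork}.
         * @param spi a unique {@link IpSecManager.SecurityParameterIndex} to identify transformed
         *     traffic
         * @throws IllegalArgumentException indicating that a particular combination of transform
         *     properties is invalid.
         * @throws IpSecManager.ResourceUnavailableException indicating that too many transforms
         *     are active
         * @throws IpSecManager.SpiUnavailableException indicating the rare case where an SPI
         *     collides with an existing transform
         * @throws IOException indicating other errors
         * @hide
         */
        @SystemApi
        public IpSecTransform buildTunnelModeTransform(
                @NonNull InetAddress sourceAddress,
                @NonNull IpSecManager.SecurityParameterIndex spi)
                throws IpSecManager.ResourceUnavailableException,
                        IpSecManager.SpiUnavailableException, IOException {
            Preconditions.checkNotNull(sourceAddress);
            Preconditions.checkNotNull(spi);
            if (spi.getResourceId() == INVALID_RESOURCE_ID) {
                throw new IllegalArgumentException("Invalid SecurityParameterIndex");
            }
            mConfig.setMode(MODE_TUNNEL);
            mConfig.setSourceAddress(sourceAddress.getHostAddress());
            mConfig.setSpiResourceId(spi.getResourceId());
            // NOTE(review): unlike buildTransportModeTransform(), this does not call activate().
            // The returned transform keeps INVALID_RESOURCE_ID and the declared checked
            // exceptions cannot be raised from this body. Confirm this is intended.
            // The returned transform also shares this builder's IpSecConfig instance.
            return new IpSecTransform(mContext, mConfig);
        }

        /**
         * Create a new IpSecTransform.Builder.
         *
         * @param context current context
         */
        public Builder(@NonNull Context context) {
            Preconditions.checkNotNull(context);
            mContext = context;
            mConfig = new IpSecConfig();
        }
    }
}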