Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2017 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | package android.net; |
| 17 | |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 18 | import static android.net.IpSecManager.INVALID_RESOURCE_ID; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 19 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 20 | import android.annotation.IntDef; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 21 | import android.annotation.NonNull; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 22 | import android.annotation.SystemApi; |
| 23 | import android.content.Context; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 24 | import android.os.Binder; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 25 | import android.os.IBinder; |
| 26 | import android.os.RemoteException; |
| 27 | import android.os.ServiceManager; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 28 | import android.util.Log; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 29 | |
ludi | 1a06aa7 | 2017-05-12 09:15:00 -0700 | [diff] [blame] | 30 | import com.android.internal.annotations.VisibleForTesting; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 31 | import com.android.internal.util.Preconditions; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 32 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 33 | import dalvik.system.CloseGuard; |
Nathan Harold | d999d22 | 2017-09-11 19:53:33 -0700 | [diff] [blame] | 34 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 35 | import java.io.IOException; |
| 36 | import java.lang.annotation.Retention; |
| 37 | import java.lang.annotation.RetentionPolicy; |
| 38 | import java.net.InetAddress; |
| 39 | |
| 40 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 41 | * This class represents a transform, which roughly corresponds to an IPsec Security Association. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 42 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 43 | * <p>Transforms are created using {@link IpSecTransform.Builder}. Each {@code IpSecTransform} |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 44 | * object encapsulates the properties and state of an IPsec security association. That includes, |
| 45 | * but is not limited to, algorithm choice, key material, and allocated system resources. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 46 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 47 | * @see <a href="https://tools.ietf.org/html/rfc4301">RFC 4301, Security Architecture for the |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 48 | * Internet Protocol</a> |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 49 | */ |
| 50 | public final class IpSecTransform implements AutoCloseable { |
| 51 | private static final String TAG = "IpSecTransform"; |
| 52 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 53 | /** @hide */ |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 54 | public static final int MODE_TRANSPORT = 0; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 55 | |
| 56 | /** @hide */ |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 57 | public static final int MODE_TUNNEL = 1; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 58 | |
| 59 | /** @hide */ |
| 60 | public static final int ENCAP_NONE = 0; |
| 61 | |
| 62 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 63 | * IPsec traffic will be encapsulated within UDP, but with 8 zero-value bytes between the UDP |
| 64 | * header and payload. This prevents traffic from being interpreted as ESP or IKEv2. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 65 | * |
| 66 | * @hide |
| 67 | */ |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 68 | public static final int ENCAP_ESPINUDP_NON_IKE = 1; |
| 69 | |
| 70 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 71 | * IPsec traffic will be encapsulated within UDP as per |
| 72 | * <a href="https://tools.ietf.org/html/rfc3948">RFC 3498</a>. |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 73 | * |
| 74 | * @hide |
| 75 | */ |
| 76 | public static final int ENCAP_ESPINUDP = 2; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 77 | |
| 78 | /** @hide */ |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 79 | @IntDef(value = {ENCAP_NONE, ENCAP_ESPINUDP, ENCAP_ESPINUDP_NON_IKE}) |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 80 | @Retention(RetentionPolicy.SOURCE) |
| 81 | public @interface EncapType {} |
| 82 | |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 83 | private IpSecTransform(Context context, IpSecConfig config) { |
| 84 | mContext = context; |
| 85 | mConfig = config; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 86 | mResourceId = INVALID_RESOURCE_ID; |
| 87 | } |
| 88 | |
| 89 | private IIpSecService getIpSecService() { |
| 90 | IBinder b = ServiceManager.getService(android.content.Context.IPSEC_SERVICE); |
| 91 | if (b == null) { |
| 92 | throw new RemoteException("Failed to connect to IpSecService") |
| 93 | .rethrowAsRuntimeException(); |
| 94 | } |
| 95 | |
| 96 | return IIpSecService.Stub.asInterface(b); |
| 97 | } |
| 98 | |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 99 | /** |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 100 | * Checks the result status and throws an appropriate exception if the status is not Status.OK. |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 101 | */ |
| 102 | private void checkResultStatus(int status) |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 103 | throws IOException, IpSecManager.ResourceUnavailableException, |
| 104 | IpSecManager.SpiUnavailableException { |
| 105 | switch (status) { |
| 106 | case IpSecManager.Status.OK: |
| 107 | return; |
| 108 | // TODO: Pass Error string back from bundle so that errors can be more specific |
| 109 | case IpSecManager.Status.RESOURCE_UNAVAILABLE: |
| 110 | throw new IpSecManager.ResourceUnavailableException( |
| 111 | "Failed to allocate a new IpSecTransform"); |
| 112 | case IpSecManager.Status.SPI_UNAVAILABLE: |
| 113 | Log.wtf(TAG, "Attempting to use an SPI that was somehow not reserved"); |
| 114 | // Fall through |
| 115 | default: |
| 116 | throw new IllegalStateException( |
| 117 | "Failed to Create a Transform with status code " + status); |
| 118 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 119 | } |
| 120 | |
| 121 | private IpSecTransform activate() |
| 122 | throws IOException, IpSecManager.ResourceUnavailableException, |
| 123 | IpSecManager.SpiUnavailableException { |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 124 | synchronized (this) { |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 125 | try { |
| 126 | IIpSecService svc = getIpSecService(); |
Benedict Wong | f33f0313 | 2018-01-18 14:38:16 -0800 | [diff] [blame] | 127 | IpSecTransformResponse result = svc.createTransform(mConfig, new Binder()); |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 128 | int status = result.status; |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 129 | checkResultStatus(status); |
Nathan Harold | 8dc1fd0 | 2017-04-04 19:37:48 -0700 | [diff] [blame] | 130 | mResourceId = result.resourceId; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 131 | |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 132 | /* Keepalive will silently fail if not needed by the config; but, if needed and |
| 133 | * it fails to start, we need to bail because a transform will not be reliable |
| 134 | * to use if keepalive is expected to offload and fails. |
| 135 | */ |
| 136 | // FIXME: if keepalive fails, we need to fail spectacularly |
| 137 | startKeepalive(mContext); |
| 138 | Log.d(TAG, "Added Transform with Id " + mResourceId); |
| 139 | mCloseGuard.open("build"); |
| 140 | } catch (RemoteException e) { |
| 141 | throw e.rethrowAsRuntimeException(); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 142 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 143 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 144 | |
| 145 | return this; |
| 146 | } |
| 147 | |
| 148 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 149 | * Deactivate this {@code IpSecTransform} and free allocated resources. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 150 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 151 | * <p>Deactivating a transform while it is still applied to a socket will result in errors on |
| 152 | * that socket. Make sure to remove transforms by calling {@link |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 153 | * IpSecManager#removeTransportModeTransforms}. Note, removing an {@code IpSecTransform} from a |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 154 | * socket will not deactivate it (because one transform may be applied to multiple sockets). |
| 155 | * |
| 156 | * <p>It is safe to call this method on a transform that has already been deactivated. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 157 | */ |
| 158 | public void close() { |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 159 | Log.d(TAG, "Removing Transform with Id " + mResourceId); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 160 | |
| 161 | // Always safe to attempt cleanup |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 162 | if (mResourceId == INVALID_RESOURCE_ID) { |
| 163 | mCloseGuard.close(); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 164 | return; |
| 165 | } |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 166 | try { |
| 167 | /* Order matters here because the keepalive is best-effort but could fail in some |
| 168 | * horrible way to be removed if the wifi (or cell) subsystem has crashed, and we |
| 169 | * still want to clear out the transform. |
| 170 | */ |
| 171 | IIpSecService svc = getIpSecService(); |
Benedict Wong | f33f0313 | 2018-01-18 14:38:16 -0800 | [diff] [blame] | 172 | svc.deleteTransform(mResourceId); |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 173 | stopKeepalive(); |
| 174 | } catch (RemoteException e) { |
| 175 | throw e.rethrowAsRuntimeException(); |
| 176 | } finally { |
| 177 | mResourceId = INVALID_RESOURCE_ID; |
| 178 | mCloseGuard.close(); |
| 179 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 180 | } |
| 181 | |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 182 | /** Check that the transform was closed properly. */ |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 183 | @Override |
| 184 | protected void finalize() throws Throwable { |
| 185 | if (mCloseGuard != null) { |
| 186 | mCloseGuard.warnIfOpen(); |
| 187 | } |
| 188 | close(); |
| 189 | } |
| 190 | |
| 191 | /* Package */ |
| 192 | IpSecConfig getConfig() { |
| 193 | return mConfig; |
| 194 | } |
| 195 | |
| 196 | private final IpSecConfig mConfig; |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 197 | private int mResourceId; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 198 | private final Context mContext; |
| 199 | private final CloseGuard mCloseGuard = CloseGuard.get(); |
| 200 | private ConnectivityManager.PacketKeepalive mKeepalive; |
| 201 | private int mKeepaliveStatus = ConnectivityManager.PacketKeepalive.NO_KEEPALIVE; |
| 202 | private Object mKeepaliveSyncLock = new Object(); |
| 203 | private ConnectivityManager.PacketKeepaliveCallback mKeepaliveCallback = |
| 204 | new ConnectivityManager.PacketKeepaliveCallback() { |
| 205 | |
| 206 | @Override |
| 207 | public void onStarted() { |
| 208 | synchronized (mKeepaliveSyncLock) { |
| 209 | mKeepaliveStatus = ConnectivityManager.PacketKeepalive.SUCCESS; |
| 210 | mKeepaliveSyncLock.notifyAll(); |
| 211 | } |
| 212 | } |
| 213 | |
| 214 | @Override |
| 215 | public void onStopped() { |
| 216 | synchronized (mKeepaliveSyncLock) { |
| 217 | mKeepaliveStatus = ConnectivityManager.PacketKeepalive.NO_KEEPALIVE; |
| 218 | mKeepaliveSyncLock.notifyAll(); |
| 219 | } |
| 220 | } |
| 221 | |
| 222 | @Override |
| 223 | public void onError(int error) { |
| 224 | synchronized (mKeepaliveSyncLock) { |
| 225 | mKeepaliveStatus = error; |
| 226 | mKeepaliveSyncLock.notifyAll(); |
| 227 | } |
| 228 | } |
| 229 | }; |
| 230 | |
| 231 | /* Package */ |
| 232 | void startKeepalive(Context c) { |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 233 | if (mConfig.getNattKeepaliveInterval() != 0) { |
| 234 | Log.wtf(TAG, "Keepalive not yet supported."); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 235 | } |
| 236 | } |
| 237 | |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 238 | /** @hide */ |
| 239 | @VisibleForTesting |
| 240 | public int getResourceId() { |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 241 | return mResourceId; |
| 242 | } |
| 243 | |
| 244 | /* Package */ |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 245 | void stopKeepalive() { |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 246 | return; |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 247 | } |
| 248 | |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 249 | /** This class is used to build {@link IpSecTransform} objects. */ |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 250 | public static class Builder { |
| 251 | private Context mContext; |
| 252 | private IpSecConfig mConfig; |
| 253 | |
| 254 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 255 | * Set the encryption algorithm. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 256 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 257 | * <p>Encryption is mutually exclusive with authenticated encryption. |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 258 | * |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 259 | * @param algo {@link IpSecAlgorithm} specifying the encryption to be applied. |
| 260 | */ |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 261 | public IpSecTransform.Builder setEncryption(@NonNull IpSecAlgorithm algo) { |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 262 | // TODO: throw IllegalArgumentException if algo is not an encryption algorithm. |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 263 | Preconditions.checkNotNull(algo); |
| 264 | mConfig.setEncryption(algo); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 265 | return this; |
| 266 | } |
| 267 | |
| 268 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 269 | * Set the authentication (integrity) algorithm. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 270 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 271 | * <p>Authentication is mutually exclusive with authenticated encryption. |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 272 | * |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 273 | * @param algo {@link IpSecAlgorithm} specifying the authentication to be applied. |
| 274 | */ |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 275 | public IpSecTransform.Builder setAuthentication(@NonNull IpSecAlgorithm algo) { |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 276 | // TODO: throw IllegalArgumentException if algo is not an authentication algorithm. |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 277 | Preconditions.checkNotNull(algo); |
| 278 | mConfig.setAuthentication(algo); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 279 | return this; |
| 280 | } |
| 281 | |
| 282 | /** |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 283 | * Set the authenticated encryption algorithm. |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 284 | * |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 285 | * <p>The Authenticated Encryption (AE) class of algorithms are also known as |
| 286 | * Authenticated Encryption with Associated Data (AEAD) algorithms, or Combined mode |
| 287 | * algorithms (as referred to in |
| 288 | * <a href="https://tools.ietf.org/html/rfc4301">RFC 4301</a>). |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 289 | * |
| 290 | * <p>Authenticated encryption is mutually exclusive with encryption and authentication. |
| 291 | * |
Benedict Wong | 0febe5e | 2017-08-22 21:42:33 -0700 | [diff] [blame] | 292 | * @param algo {@link IpSecAlgorithm} specifying the authenticated encryption algorithm to |
| 293 | * be applied. |
| 294 | */ |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 295 | public IpSecTransform.Builder setAuthenticatedEncryption(@NonNull IpSecAlgorithm algo) { |
| 296 | Preconditions.checkNotNull(algo); |
| 297 | mConfig.setAuthenticatedEncryption(algo); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 298 | return this; |
| 299 | } |
| 300 | |
| 301 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 302 | * Add UDP encapsulation to an IPv4 transform. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 303 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 304 | * <p>This allows IPsec traffic to pass through a NAT. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 305 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 306 | * @see <a href="https://tools.ietf.org/html/rfc3948">RFC 3948, UDP Encapsulation of IPsec |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 307 | * ESP Packets</a> |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 308 | * @see <a href="https://tools.ietf.org/html/rfc7296#section-2.23">RFC 7296 section 2.23, |
Jonathan Basseri | 5fb9290 | 2017-11-16 10:58:01 -0800 | [diff] [blame] | 309 | * NAT Traversal of IKEv2</a> |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 310 | * @param localSocket a socket for sending and receiving encapsulated traffic |
| 311 | * @param remotePort the UDP port number of the remote host that will send and receive |
| 312 | * encapsulated traffic. In the case of IKEv2, this should be port 4500. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 313 | */ |
| 314 | public IpSecTransform.Builder setIpv4Encapsulation( |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 315 | @NonNull IpSecManager.UdpEncapsulationSocket localSocket, int remotePort) { |
| 316 | Preconditions.checkNotNull(localSocket); |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 317 | mConfig.setEncapType(ENCAP_ESPINUDP); |
Nathan Harold | 6119d8d | 2017-12-13 18:51:35 -0800 | [diff] [blame] | 318 | if (localSocket.getResourceId() == INVALID_RESOURCE_ID) { |
| 319 | throw new IllegalArgumentException("Invalid UdpEncapsulationSocket"); |
| 320 | } |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 321 | mConfig.setEncapSocketResourceId(localSocket.getResourceId()); |
| 322 | mConfig.setEncapRemotePort(remotePort); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 323 | return this; |
| 324 | } |
| 325 | |
| 326 | // TODO: Decrease the minimum keepalive to maybe 10? |
| 327 | // TODO: Probably a better exception to throw for NATTKeepalive failure |
| 328 | // TODO: Specify the needed NATT keepalive permission. |
| 329 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 330 | * Set NAT-T keepalives to be sent with a given interval. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 331 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 332 | * <p>This will set power-efficient keepalive packets to be sent by the system. If NAT-T |
| 333 | * keepalive is requested but cannot be activated, then creation of an {@link |
| 334 | * IpSecTransform} will fail when calling the build method. |
| 335 | * |
| 336 | * @param intervalSeconds the maximum number of seconds between keepalive packets. Must be |
| 337 | * between 20s and 3600s. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 338 | * @hide |
| 339 | */ |
| 340 | @SystemApi |
| 341 | public IpSecTransform.Builder setNattKeepalive(int intervalSeconds) { |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 342 | mConfig.setNattKeepaliveInterval(intervalSeconds); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 343 | return this; |
| 344 | } |
| 345 | |
| 346 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 347 | * Build a transport mode {@link IpSecTransform}. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 348 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 349 | * <p>This builds and activates a transport mode transform. Note that an active transform |
| 350 | * will not affect any network traffic until it has been applied to one or more sockets. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 351 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 352 | * @see IpSecManager#applyTransportModeTransform |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 353 | * @param sourceAddress the source {@code InetAddress} of traffic on sockets that will use |
| 354 | * this transform; this address must belong to the Network used by all sockets that |
| 355 | * utilize this transform; if provided, then only traffic originating from the |
| 356 | * specified source address will be processed. |
| 357 | * @param spi a unique {@link IpSecManager.SecurityParameterIndex} to identify transformed |
| 358 | * traffic |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 359 | * @throws IllegalArgumentException indicating that a particular combination of transform |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 360 | * properties is invalid |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 361 | * @throws IpSecManager.ResourceUnavailableException indicating that too many transforms |
| 362 | * are active |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 363 | * @throws IpSecManager.SpiUnavailableException indicating the rare case where an SPI |
| 364 | * collides with an existing transform |
| 365 | * @throws IOException indicating other errors |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 366 | */ |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 367 | public IpSecTransform buildTransportModeTransform( |
| 368 | @NonNull InetAddress sourceAddress, |
| 369 | @NonNull IpSecManager.SecurityParameterIndex spi) |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 370 | throws IpSecManager.ResourceUnavailableException, |
| 371 | IpSecManager.SpiUnavailableException, IOException { |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 372 | Preconditions.checkNotNull(sourceAddress); |
| 373 | Preconditions.checkNotNull(spi); |
| 374 | if (spi.getResourceId() == INVALID_RESOURCE_ID) { |
| 375 | throw new IllegalArgumentException("Invalid SecurityParameterIndex"); |
Nathan Harold | 6119d8d | 2017-12-13 18:51:35 -0800 | [diff] [blame] | 376 | } |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 377 | mConfig.setMode(MODE_TRANSPORT); |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 378 | mConfig.setSourceAddress(sourceAddress.getHostAddress()); |
| 379 | mConfig.setSpiResourceId(spi.getResourceId()); |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 380 | // FIXME: modifying a builder after calling build can change the built transform. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 381 | return new IpSecTransform(mContext, mConfig).activate(); |
| 382 | } |
| 383 | |
| 384 | /** |
| 385 | * Build and return an {@link IpSecTransform} object as a Tunnel Mode Transform. Some |
| 386 | * parameters have interdependencies that are checked at build time. |
| 387 | * |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 388 | * @param sourceAddress the {@link InetAddress} that provides the source address for this |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 389 | * IPsec tunnel. This is almost certainly an address belonging to the {@link Network} |
| 390 | * that will originate the traffic, which is set as the {@link #setUnderlyingNetwork}. |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 391 | * @param spi a unique {@link IpSecManager.SecurityParameterIndex} to identify transformed |
| 392 | * traffic |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 393 | * @throws IllegalArgumentException indicating that a particular combination of transform |
| 394 | * properties is invalid. |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 395 | * @throws IpSecManager.ResourceUnavailableException indicating that too many transforms |
| 396 | * are active |
| 397 | * @throws IpSecManager.SpiUnavailableException indicating the rare case where an SPI |
| 398 | * collides with an existing transform |
| 399 | * @throws IOException indicating other errors |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 400 | * @hide |
| 401 | */ |
Nathan Harold | c47eacc | 2018-01-17 16:09:24 -0800 | [diff] [blame] | 402 | @SystemApi |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 403 | public IpSecTransform buildTunnelModeTransform( |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 404 | @NonNull InetAddress sourceAddress, |
| 405 | @NonNull IpSecManager.SecurityParameterIndex spi) |
| 406 | throws IpSecManager.ResourceUnavailableException, |
| 407 | IpSecManager.SpiUnavailableException, IOException { |
| 408 | Preconditions.checkNotNull(sourceAddress); |
| 409 | Preconditions.checkNotNull(spi); |
| 410 | if (spi.getResourceId() == INVALID_RESOURCE_ID) { |
| 411 | throw new IllegalArgumentException("Invalid SecurityParameterIndex"); |
Nathan Harold | 6119d8d | 2017-12-13 18:51:35 -0800 | [diff] [blame] | 412 | } |
Nathan Harold | a10003d | 2017-08-23 13:46:33 -0700 | [diff] [blame] | 413 | mConfig.setMode(MODE_TUNNEL); |
Nathan Harold | a252331 | 2018-01-05 19:25:13 -0800 | [diff] [blame] | 414 | mConfig.setSourceAddress(sourceAddress.getHostAddress()); |
| 415 | mConfig.setSpiResourceId(spi.getResourceId()); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 416 | return new IpSecTransform(mContext, mConfig); |
| 417 | } |
| 418 | |
| 419 | /** |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 420 | * Create a new IpSecTransform.Builder. |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 421 | * |
Jonathan Basseri | c61b70d | 2017-04-21 15:53:51 -0700 | [diff] [blame] | 422 | * @param context current context |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 423 | */ |
Nathan Harold | 93962f3 | 2017-03-07 13:23:36 -0800 | [diff] [blame] | 424 | public Builder(@NonNull Context context) { |
| 425 | Preconditions.checkNotNull(context); |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 426 | mContext = context; |
| 427 | mConfig = new IpSecConfig(); |
| 428 | } |
Nathan Harold | 330e108 | 2017-01-12 18:38:57 -0800 | [diff] [blame] | 429 | } |
| 430 | } |