evitayan | 68fde6e | 2019-02-15 16:06:02 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2019 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package com.android.ike.ikev2; |
| 18 | |
| 19 | import android.annotation.IntDef; |
| 20 | import android.util.ArraySet; |
| 21 | |
| 22 | import com.android.ike.ikev2.exceptions.InvalidSyntaxException; |
| 23 | import com.android.internal.annotations.VisibleForTesting; |
| 24 | |
| 25 | import java.lang.annotation.Retention; |
| 26 | import java.lang.annotation.RetentionPolicy; |
| 27 | import java.net.Inet4Address; |
| 28 | import java.net.InetAddress; |
| 29 | import java.net.UnknownHostException; |
| 30 | import java.nio.BufferOverflowException; |
| 31 | import java.nio.ByteBuffer; |
| 32 | |
| 33 | /** |
| 34 | * IkeTrafficSelector represents a Traffic Selector of a Child SA. |
| 35 | * |
| 36 | * <p>IkeTrafficSelector can be constructed by users for initiating Create Child exchange or be |
| 37 | * constructed from a decoded inbound Traffic Selector Payload. |
| 38 | * |
| 39 | * @see <a href="https://tools.ietf.org/html/rfc7296#section-3.13">RFC 7296, Internet Key Exchange |
| 40 | * Protocol Version 2 (IKEv2)</a> |
| 41 | */ |
| 42 | public final class IkeTrafficSelector { |
| 43 | |
| 44 | // IpProtocolId consists of standard IP Protocol IDs. |
| 45 | @Retention(RetentionPolicy.SOURCE) |
| 46 | @IntDef({IP_PROTOCOL_ID_UNSPEC, IP_PROTOCOL_ID_ICMP, IP_PROTOCOL_ID_TCP, IP_PROTOCOL_ID_UCP}) |
| 47 | public @interface IpProtocolId {} |
| 48 | |
| 49 | // Zero value is re-defined by IKE to indicate that all IP protocols are acceptable. |
| 50 | @VisibleForTesting static final int IP_PROTOCOL_ID_UNSPEC = 0; |
| 51 | @VisibleForTesting static final int IP_PROTOCOL_ID_ICMP = 1; |
| 52 | @VisibleForTesting static final int IP_PROTOCOL_ID_TCP = 6; |
| 53 | @VisibleForTesting static final int IP_PROTOCOL_ID_UCP = 17; |
| 54 | |
| 55 | private static final ArraySet<Integer> IP_PROTOCOL_ID_SET = new ArraySet<>(); |
| 56 | |
| 57 | static { |
| 58 | IP_PROTOCOL_ID_SET.add(IP_PROTOCOL_ID_UNSPEC); |
| 59 | IP_PROTOCOL_ID_SET.add(IP_PROTOCOL_ID_ICMP); |
| 60 | IP_PROTOCOL_ID_SET.add(IP_PROTOCOL_ID_TCP); |
| 61 | IP_PROTOCOL_ID_SET.add(IP_PROTOCOL_ID_UCP); |
| 62 | } |
| 63 | |
| 64 | /** |
| 65 | * TrafficSelectorType consists of IKE standard Traffic Selector Types. |
| 66 | * |
| 67 | * @see <a |
| 68 | * href="https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml">Internet |
| 69 | * Key Exchange Version 2 (IKEv2) Parameters</a> |
| 70 | */ |
| 71 | @Retention(RetentionPolicy.SOURCE) |
| 72 | @IntDef({TRAFFIC_SELECTOR_TYPE_IPV4_ADDR_RANGE, TRAFFIC_SELECTOR_TYPE_IPV6_ADDR_RANGE}) |
| 73 | public @interface TrafficSelectorType {} |
| 74 | |
| 75 | public static final int TRAFFIC_SELECTOR_TYPE_IPV4_ADDR_RANGE = 7; |
| 76 | public static final int TRAFFIC_SELECTOR_TYPE_IPV6_ADDR_RANGE = 8; |
| 77 | |
| 78 | // TODO: Consider defining these constants in a central place in Connectivity. |
| 79 | private static final int IPV4_ADDR_LEN = 4; |
| 80 | private static final int IPV6_ADDR_LEN = 16; |
| 81 | |
| 82 | @VisibleForTesting static final int TRAFFIC_SELECTOR_IPV4_LEN = 16; |
| 83 | @VisibleForTesting static final int TRAFFIC_SELECTOR_IPV6_LEN = 40; |
| 84 | |
| 85 | public final int tsType; |
| 86 | public final int ipProtocolId; |
| 87 | public final int selectorLength; |
| 88 | public final int startPort; |
| 89 | public final int endPort; |
| 90 | public final InetAddress startingAddress; |
| 91 | public final InetAddress endingAddress; |
| 92 | |
| 93 | private IkeTrafficSelector( |
| 94 | int tsType, |
| 95 | int ipProtocolId, |
| 96 | int selectorLength, |
| 97 | int startPort, |
| 98 | int endPort, |
| 99 | InetAddress startingAddress, |
| 100 | InetAddress endingAddress) { |
| 101 | this.tsType = tsType; |
| 102 | this.ipProtocolId = ipProtocolId; |
| 103 | this.selectorLength = selectorLength; |
| 104 | this.startPort = startPort; |
| 105 | this.endPort = endPort; |
| 106 | this.startingAddress = startingAddress; |
| 107 | this.endingAddress = endingAddress; |
| 108 | } |
| 109 | |
| 110 | // TODO: Add a constructor for users to construct IkeTrafficSelector. |
| 111 | |
| 112 | /** |
| 113 | * Decode IkeTrafficSelectors from inbound Traffic Selector Payload. |
| 114 | * |
| 115 | * <p>This method is only called by IkeTsPayload when decoding inbound IKE message. |
| 116 | * |
| 117 | * @param numTs number or Traffic Selectors |
| 118 | * @param tsBytes encoded byte array of Traffic Selectors |
| 119 | * @return an array of decoded IkeTrafficSelectors |
| 120 | * @throws InvalidSyntaxException if received bytes are malformed. |
| 121 | */ |
| 122 | public static IkeTrafficSelector[] decodeIkeTrafficSelectors(int numTs, byte[] tsBytes) |
| 123 | throws InvalidSyntaxException { |
| 124 | IkeTrafficSelector[] tsArray = new IkeTrafficSelector[numTs]; |
| 125 | ByteBuffer inputBuffer = ByteBuffer.wrap(tsBytes); |
| 126 | |
| 127 | try { |
| 128 | for (int i = 0; i < numTs; i++) { |
| 129 | int tsType = Byte.toUnsignedInt(inputBuffer.get()); |
| 130 | switch (tsType) { |
| 131 | case TRAFFIC_SELECTOR_TYPE_IPV4_ADDR_RANGE: |
| 132 | tsArray[i] = decodeIpv4TrafficSelector(inputBuffer); |
| 133 | break; |
| 134 | case TRAFFIC_SELECTOR_TYPE_IPV6_ADDR_RANGE: |
| 135 | // TODO: Support it. |
| 136 | throw new UnsupportedOperationException("Cannot decode this type."); |
| 137 | default: |
| 138 | throw new InvalidSyntaxException( |
| 139 | "Invalid Traffic Selector type: " + tsType); |
| 140 | } |
| 141 | } |
| 142 | } catch (BufferOverflowException e) { |
| 143 | // Throw exception if any Traffic Selector has invalid length. |
| 144 | throw new InvalidSyntaxException(e); |
| 145 | } |
| 146 | |
| 147 | if (inputBuffer.remaining() != 0) { |
| 148 | throw new InvalidSyntaxException( |
| 149 | "Unexpected trailing characters of Traffic Selectors."); |
| 150 | } |
| 151 | |
| 152 | return tsArray; |
| 153 | } |
| 154 | |
| 155 | // Decode Traffic Selector using IPv4 address range from a ByteBuffer. A BufferOverflowException |
| 156 | // will be thrown and caught by method caller if operation reaches the input ByteBuffer's limit. |
| 157 | private static IkeTrafficSelector decodeIpv4TrafficSelector(ByteBuffer inputBuffer) |
| 158 | throws InvalidSyntaxException { |
| 159 | // Decode and validate IP Protocol ID |
| 160 | int ipProtocolId = Byte.toUnsignedInt(inputBuffer.get()); |
| 161 | if (!IP_PROTOCOL_ID_SET.contains(ipProtocolId)) { |
| 162 | throw new InvalidSyntaxException("Invalid IP Protocol ID."); |
| 163 | } |
| 164 | |
| 165 | // Decode and validate Selector Length |
| 166 | int tsLength = Short.toUnsignedInt(inputBuffer.getShort()); |
| 167 | if (TRAFFIC_SELECTOR_IPV4_LEN != tsLength) { |
| 168 | throw new InvalidSyntaxException("Invalid Traffic Selector Length."); |
| 169 | } |
| 170 | |
| 171 | // Decode and validate ports |
| 172 | int startPort = Short.toUnsignedInt(inputBuffer.getShort()); |
| 173 | int endPort = Short.toUnsignedInt(inputBuffer.getShort()); |
| 174 | if (startPort > endPort) { |
| 175 | throw new InvalidSyntaxException("Received invalid port range."); |
| 176 | } |
| 177 | |
| 178 | // Decode and validate IPv4 addresses |
| 179 | byte[] startAddressBytes = new byte[IPV4_ADDR_LEN]; |
| 180 | byte[] endAddressBytes = new byte[IPV4_ADDR_LEN]; |
| 181 | inputBuffer.get(startAddressBytes); |
| 182 | inputBuffer.get(endAddressBytes); |
| 183 | try { |
| 184 | Inet4Address startAddress = |
| 185 | (Inet4Address) (Inet4Address.getByAddress(startAddressBytes)); |
| 186 | Inet4Address endAddress = (Inet4Address) (Inet4Address.getByAddress(endAddressBytes)); |
| 187 | |
| 188 | // Validate address range. |
| 189 | if (!isInetAddressRangeValid(startAddress, endAddress)) { |
| 190 | throw new InvalidSyntaxException("Received invalid IPv4 address range."); |
| 191 | } |
| 192 | |
| 193 | return new IkeTrafficSelector( |
| 194 | TRAFFIC_SELECTOR_TYPE_IPV4_ADDR_RANGE, |
| 195 | ipProtocolId, |
| 196 | TRAFFIC_SELECTOR_IPV4_LEN, |
| 197 | startPort, |
| 198 | endPort, |
| 199 | startAddress, |
| 200 | endAddress); |
| 201 | } catch (ClassCastException | UnknownHostException | IllegalArgumentException e) { |
| 202 | throw new InvalidSyntaxException(e); |
| 203 | } |
| 204 | } |
| 205 | |
| 206 | // TODO: Add a method for decoding IPv6 traffic selector. |
| 207 | |
| 208 | // Validate address range. Caller must ensure two address are same types. |
| 209 | // TODO: Consider moving it to the platform code in the future. |
| 210 | private static boolean isInetAddressRangeValid( |
| 211 | InetAddress startAddress, InetAddress endAddress) { |
| 212 | byte[] startAddrBytes = startAddress.getAddress(); |
| 213 | byte[] endAddrBytes = endAddress.getAddress(); |
| 214 | |
| 215 | if (startAddrBytes.length != endAddrBytes.length) { |
| 216 | throw new IllegalArgumentException("Two addresses are different types."); |
| 217 | } |
| 218 | |
| 219 | for (int i = 0; i < startAddrBytes.length; i++) { |
| 220 | int unsignedByteStart = Byte.toUnsignedInt(startAddrBytes[i]); |
| 221 | int unsignedByteEnd = Byte.toUnsignedInt(endAddrBytes[i]); |
| 222 | |
| 223 | if (unsignedByteStart < unsignedByteEnd) { |
| 224 | return true; |
| 225 | } else if (unsignedByteStart > unsignedByteEnd) { |
| 226 | return false; |
| 227 | } |
| 228 | } |
| 229 | return true; |
| 230 | } |
| 231 | } |